add temporary feature flag ha_proxy.legacy_xfcc_header_mapping to dis…

…able base64 encoding of XFCC headers
cloudfoundry · Oct 19, 2021 · c51125f · c51125f
1 parent 16a116a
commit c51125f
Show file tree

Hide file tree

Showing 5 changed files with 72 additions and 1 deletion.
diff --git a/.rubocop.yml b/.rubocop.yml
@@ -28,7 +28,7 @@ RSpec/MultipleMemoizedHelpers:
   Enabled: false
 
 RSpec/NestedGroups:
-  Max: 4
+  Max: 5
 
 RSpec/MultipleExpectations:
   Enabled: false

diff --git a/jobs/haproxy/spec b/jobs/haproxy/spec
@@ -411,6 +411,9 @@ properties:
           This option is only secure if Gorouter is deployed behind Haproxy to validate that X-Cf-Proxy-Signature is coming from a route service.
     default: sanitize_set
 
+  ha_proxy.legacy_xfcc_header_mapping:
+    default: false
+
   ha_proxy.client_ca_file:
     description: "path for CA certs to validate client certificate"
     example: |

diff --git a/jobs/haproxy/templates/haproxy.config.erb b/jobs/haproxy/templates/haproxy.config.erb
@@ -433,9 +433,15 @@ frontend https-in
     http-request set-header X-SSL-Client-Verify     %[ssl_c_verify]              if { ssl_c_used }
     http-request set-header X-SSL-Client-NotBefore  %{+Q}[ssl_c_notbefore]       if { ssl_c_used }
     http-request set-header X-SSL-Client-NotAfter   %{+Q}[ssl_c_notafter]        if { ssl_c_used }
+    <%- if p("ha_proxy.legacy_xfcc_header_mapping") %>
+    http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn]            if { ssl_c_used }
+    http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn)]        if { ssl_c_used }
+    http-request set-header X-SSL-Client-Issuer-DN  %{+Q}[ssl_c_i_dn]            if { ssl_c_used }
+    <%- else %>
     http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn,base64]     if { ssl_c_used }
     http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn),base64] if { ssl_c_used }
     http-request set-header X-SSL-Client-Issuer-DN  %{+Q}[ssl_c_i_dn,base64]     if { ssl_c_used }
+    <%- end %>
   <%- end -%>
 
   <%- if p("ha_proxy.hsts_enable") -%>
@@ -561,9 +567,15 @@ frontend wss-in
     http-request set-header X-SSL-Client-Verify     %[ssl_c_verify]              if { ssl_c_used }
     http-request set-header X-SSL-Client-NotBefore  %{+Q}[ssl_c_notbefore]       if { ssl_c_used }
     http-request set-header X-SSL-Client-NotAfter   %{+Q}[ssl_c_notafter]        if { ssl_c_used }
+    <%- if p("ha_proxy.legacy_xfcc_header_mapping") %>
+    http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn]            if { ssl_c_used }
+    http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn)]        if { ssl_c_used }
+    http-request set-header X-SSL-Client-Issuer-DN  %{+Q}[ssl_c_i_dn]            if { ssl_c_used }
+    <%- else %>
     http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn,base64]     if { ssl_c_used }
     http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn),base64] if { ssl_c_used }
     http-request set-header X-SSL-Client-Issuer-DN  %{+Q}[ssl_c_i_dn,base64]     if { ssl_c_used }
+    <%- end %>
   <%- end -%>
 
   <%- if p("ha_proxy.hsts_enable") -%>

diff --git a/spec/haproxy/templates/haproxy_config/frontend_https_spec.rb b/spec/haproxy/templates/haproxy_config/frontend_https_spec.rb
@@ -301,6 +301,18 @@
           expect(frontend_https).to include('http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn),base64] if { ssl_c_used }')
           expect(frontend_https).to include('http-request set-header X-SSL-Client-Issuer-DN  %{+Q}[ssl_c_i_dn,base64]     if { ssl_c_used }')
         end
+
+        context 'when ha_proxy.legacy_xfcc_header_mapping is true' do
+          let(:properties) do
+            default_properties.merge({ 'client_cert' => true, 'legacy_xfcc_header_mapping' => true })
+          end
+
+          it 'writes mTLS headers without base64 encoding when mTLS is used' do
+            expect(frontend_https).to include('http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn]            if { ssl_c_used }')
+            expect(frontend_https).to include('http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn)]        if { ssl_c_used }')
+            expect(frontend_https).to include('http-request set-header X-SSL-Client-Issuer-DN  %{+Q}[ssl_c_i_dn]            if { ssl_c_used }')
+          end
+        end
       end
     end
 
@@ -359,6 +371,22 @@
           expect(frontend_https).to include('http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn),base64] if { ssl_c_used }')
           expect(frontend_https).to include('http-request set-header X-SSL-Client-Issuer-DN  %{+Q}[ssl_c_i_dn,base64]     if { ssl_c_used }')
         end
+
+        context 'when ha_proxy.legacy_xfcc_header_mapping is true' do
+          let(:properties) do
+            default_properties.merge({
+              'client_cert' => true,
+              'forwarded_client_cert' => 'forward_only_if_route_service',
+              'legacy_xfcc_header_mapping' => true
+            })
+          end
+
+          it 'overwrites mTLS headers without base64-encoding when mTLS is used' do
+            expect(frontend_https).to include('http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn]            if { ssl_c_used }')
+            expect(frontend_https).to include('http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn)]        if { ssl_c_used }')
+            expect(frontend_https).to include('http-request set-header X-SSL-Client-Issuer-DN  %{+Q}[ssl_c_i_dn]            if { ssl_c_used }')
+          end
+        end
       end
     end
   end

diff --git a/spec/haproxy/templates/haproxy_config/frontend_wss_spec.rb b/spec/haproxy/templates/haproxy_config/frontend_wss_spec.rb
@@ -299,6 +299,18 @@
           expect(frontend_wss).to include('http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn),base64] if { ssl_c_used }')
           expect(frontend_wss).to include('http-request set-header X-SSL-Client-Issuer-DN  %{+Q}[ssl_c_i_dn,base64]     if { ssl_c_used }')
         end
+
+        context 'when ha_proxy.legacy_xfcc_header_mapping is true' do
+          let(:properties) do
+            default_properties.merge({ 'client_cert' => true, 'legacy_xfcc_header_mapping' => true })
+          end
+
+          it 'writes mTLS headers without base64 encoding when mTLS is used' do
+            expect(frontend_wss).to include('http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn]            if { ssl_c_used }')
+            expect(frontend_wss).to include('http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn)]        if { ssl_c_used }')
+            expect(frontend_wss).to include('http-request set-header X-SSL-Client-Issuer-DN  %{+Q}[ssl_c_i_dn]            if { ssl_c_used }')
+          end
+        end
       end
     end
 
@@ -357,6 +369,22 @@
           expect(frontend_wss).to include('http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn),base64] if { ssl_c_used }')
           expect(frontend_wss).to include('http-request set-header X-SSL-Client-Issuer-DN  %{+Q}[ssl_c_i_dn,base64]     if { ssl_c_used }')
         end
+
+        context 'when ha_proxy.legacy_xfcc_header_mapping is true' do
+          let(:properties) do
+            default_properties.merge({
+              'client_cert' => true,
+              'forwarded_client_cert' => 'forward_only_if_route_service',
+              'legacy_xfcc_header_mapping' => true
+            })
+          end
+
+          it 'overwrites mTLS headers without base64 encoding when mTLS is used' do
+            expect(frontend_wss).to include('http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn]            if { ssl_c_used }')
+            expect(frontend_wss).to include('http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn)]        if { ssl_c_used }')
+            expect(frontend_wss).to include('http-request set-header X-SSL-Client-Issuer-DN  %{+Q}[ssl_c_i_dn]            if { ssl_c_used }')
+          end
+        end
       end
     end
   end