enterprise/stages: Add MTLS stage (#14296)

* prepare client auth with inbuilt server Signed-off-by: Jens Langhammer <jens@goauthentik.io> * introduce better IPC auth Signed-off-by: Jens Langhammer <jens@goauthentik.io> * init Signed-off-by: Jens Langhammer <jens@goauthentik.io> * start stage Signed-off-by: Jens Langhammer <jens@goauthentik.io> * only allow trusted proxies to set MTLS headers Signed-off-by: Jens Langhammer <jens@goauthentik.io> * more stage progress Signed-off-by: Jens Langhammer <jens@goauthentik.io> * dont fail if ipc_key doesn't exist Signed-off-by: Jens Langhammer <jens@goauthentik.io> * actually install app Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add some tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update API Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix unquote Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix int serial number not jsonable Signed-off-by: Jens Langhammer <jens@goauthentik.io> * init ui Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add UI Signed-off-by: Jens Langhammer <jens@goauthentik.io> * unrelated: fix git pull in makefile Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix parse helper Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add test for outpost Signed-off-by: Jens Langhammer <jens@goauthentik.io> * more tests and improvements Signed-off-by: Jens Langhammer <jens@goauthentik.io> * improve labels Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add support for multiple CAs on brand Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add support for multiple CAs to MTLS stage Signed-off-by: Jens Langhammer <jens@goauthentik.io> * dont log ipcuser secret views Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix go mod Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2025-05-19 22:48:17 +02:00
parent b361dd3b59
commit 65517f3b7f
44 changed files with 1950 additions and 96 deletions
--- a/internal/outpost/ak/api.go
+++ b/internal/outpost/ak/api.go
@ -62,7 +62,7 @@ func NewAPIController(akURL url.URL, token string) *APIController {
 	apiConfig.Scheme = akURL.Scheme
 	apiConfig.HTTPClient = &http.Client{
 		Transport: web.NewUserAgentTransport(
-			constants.OutpostUserAgent(),
+			constants.UserAgentOutpost(),
 			web.NewTracingTransport(
 				rsp.Context(),
 				GetTLSTransport(),
--- a/internal/outpost/ak/api_ws.go
+++ b/internal/outpost/ak/api_ws.go
@ -38,7 +38,7 @@ func (ac *APIController) initWS(akURL url.URL, outpostUUID string) error {

 	header := http.Header{
 		"Authorization": []string{authHeader},
-		"User-Agent":    []string{constants.OutpostUserAgent()},
+		"User-Agent":    []string{constants.UserAgentOutpost()},
 	}

 	dialer := websocket.Dialer{
--- a/internal/outpost/ak/crypto.go
+++ b/internal/outpost/ak/crypto.go
@ -3,6 +3,8 @@ package ak
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"

 	log "github.com/sirupsen/logrus"
 	"goauthentik.io/api/v3"
@ -67,16 +69,34 @@ func (cs *CryptoStore) Fetch(uuid string) error {
 		return err
 	}

-	x509cert, err := tls.X509KeyPair([]byte(cert.Data), []byte(key.Data))
-	if err != nil {
-		return err
+	var tcert tls.Certificate
+	if key.Data != "" {
+		x509cert, err := tls.X509KeyPair([]byte(cert.Data), []byte(key.Data))
+		if err != nil {
+			return err
+		}
+		tcert = x509cert
+	} else {
+		p, _ := pem.Decode([]byte(cert.Data))
+		x509cert, err := x509.ParseCertificate(p.Bytes)
+		if err != nil {
+			return err
+		}
+		tcert = tls.Certificate{
+			Certificate: [][]byte{x509cert.Raw},
+			Leaf:        x509cert,
+		}
 	}
-	cs.certificates[uuid] = &x509cert
+	cs.certificates[uuid] = &tcert
 	cs.fingerprints[uuid] = cfp
 	return nil
 }

 func (cs *CryptoStore) Get(uuid string) *tls.Certificate {
+	c, ok := cs.certificates[uuid]
+	if ok {
+		return c
+	}
 	err := cs.Fetch(uuid)
 	if err != nil {
 		cs.log.WithError(err).Warning("failed to fetch certificate")
--- a/internal/outpost/ak/global.go
+++ b/internal/outpost/ak/global.go
@ -55,7 +55,7 @@ func doGlobalSetup(outpost api.Outpost, globalConfig *api.Config) {
 			EnableTracing: true,
 			TracesSampler: sentryutils.SamplerFunc(float64(globalConfig.ErrorReporting.TracesSampleRate)),
 			Release:       fmt.Sprintf("authentik@%s", constants.VERSION),
-			HTTPTransport: webutils.NewUserAgentTransport(constants.OutpostUserAgent(), http.DefaultTransport),
+			HTTPTransport: webutils.NewUserAgentTransport(constants.UserAgentOutpost(), http.DefaultTransport),
 			IgnoreErrors: []string{
 				http.ErrAbortHandler.Error(),
 			},
--- a/internal/outpost/flow/executor.go
+++ b/internal/outpost/flow/executor.go
@ -61,7 +61,7 @@ func NewFlowExecutor(ctx context.Context, flowSlug string, refConfig *api.Config
 		l.WithError(err).Warning("Failed to create cookiejar")
 		panic(err)
 	}
-	transport := web.NewUserAgentTransport(constants.OutpostUserAgent(), web.NewTracingTransport(rsp.Context(), ak.GetTLSTransport()))
+	transport := web.NewUserAgentTransport(constants.UserAgentOutpost(), web.NewTracingTransport(rsp.Context(), ak.GetTLSTransport()))
 	fe := &FlowExecutor{
 		Params:    url.Values{},
 		Answers:   make(map[StageComponent]string),
--- a/internal/outpost/proxyv2/application/mode_common.go
+++ b/internal/outpost/proxyv2/application/mode_common.go
@ -52,7 +52,7 @@ func (a *Application) addHeaders(headers http.Header, c *Claims) {
 	headers.Set("X-authentik-meta-outpost", a.outpostName)
 	headers.Set("X-authentik-meta-provider", a.proxyConfig.Name)
 	headers.Set("X-authentik-meta-app", a.proxyConfig.AssignedApplicationSlug)
-	headers.Set("X-authentik-meta-version", constants.OutpostUserAgent())
+	headers.Set("X-authentik-meta-version", constants.UserAgentOutpost())

 	if c.Proxy == nil {
 		return
--- a/internal/outpost/proxyv2/refresh.go
+++ b/internal/outpost/proxyv2/refresh.go
@ -31,7 +31,7 @@ func (ps *ProxyServer) Refresh() error {
 		ua := fmt.Sprintf(" (provider=%s)", provider.Name)
 		hc := &http.Client{
 			Transport: web.NewUserAgentTransport(
-				constants.OutpostUserAgent()+ua,
+				constants.UserAgentOutpost()+ua,
 				web.NewTracingTransport(
 					rsp.Context(),
 					ak.GetTLSTransport(),
--- a/internal/outpost/rac/connection/connection.go
+++ b/internal/outpost/rac/connection/connection.go
@ -61,7 +61,7 @@ func (c *Connection) initSocket(forChannel string) error {

 	header := http.Header{
 		"Authorization": []string{authHeader},
-		"User-Agent":    []string{constants.OutpostUserAgent()},
+		"User-Agent":    []string{constants.UserAgentOutpost()},
 	}

 	dialer := websocket.Dialer{