enterprise/stages: Add MTLS stage (#14296)
* prepare client auth with inbuilt server Signed-off-by: Jens Langhammer <jens@goauthentik.io> * introduce better IPC auth Signed-off-by: Jens Langhammer <jens@goauthentik.io> * init Signed-off-by: Jens Langhammer <jens@goauthentik.io> * start stage Signed-off-by: Jens Langhammer <jens@goauthentik.io> * only allow trusted proxies to set MTLS headers Signed-off-by: Jens Langhammer <jens@goauthentik.io> * more stage progress Signed-off-by: Jens Langhammer <jens@goauthentik.io> * dont fail if ipc_key doesn't exist Signed-off-by: Jens Langhammer <jens@goauthentik.io> * actually install app Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add some tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update API Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix unquote Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix int serial number not jsonable Signed-off-by: Jens Langhammer <jens@goauthentik.io> * init ui Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add UI Signed-off-by: Jens Langhammer <jens@goauthentik.io> * unrelated: fix git pull in makefile Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix parse helper Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add test for outpost Signed-off-by: Jens Langhammer <jens@goauthentik.io> * more tests and improvements Signed-off-by: Jens Langhammer <jens@goauthentik.io> * improve labels Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add support for multiple CAs on brand Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add support for multiple CAs to MTLS stage Signed-off-by: Jens Langhammer <jens@goauthentik.io> * dont log ipcuser secret views Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix go mod Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
Jens L.
@ -3,6 +3,7 @@ package brand_tls
|
||||
import (
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
@ -56,22 +57,37 @@ func (w *Watcher) Check() {
|
||||
return
|
||||
}
|
||||
for _, b := range brands {
|
||||
kp := b.WebCertificate.Get()
|
||||
if kp == nil {
|
||||
continue
|
||||
kp := b.GetWebCertificate()
|
||||
if kp != "" {
|
||||
err := w.cs.AddKeypair(kp)
|
||||
if err != nil {
|
||||
w.log.WithError(err).WithField("kp", kp).Warning("failed to add web certificate")
|
||||
}
|
||||
}
|
||||
err := w.cs.AddKeypair(*kp)
|
||||
if err != nil {
|
||||
w.log.WithError(err).Warning("failed to add certificate")
|
||||
for _, crt := range b.GetClientCertificates() {
|
||||
if crt != "" {
|
||||
err := w.cs.AddKeypair(crt)
|
||||
if err != nil {
|
||||
w.log.WithError(err).WithField("kp", kp).Warning("failed to add client certificate")
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
w.brands = brands
|
||||
}
|
||||
|
||||
func (w *Watcher) GetCertificate(ch *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
||||
type CertificateConfig struct {
|
||||
Web *tls.Certificate
|
||||
Client *x509.CertPool
|
||||
}
|
||||
|
||||
func (w *Watcher) GetCertificate(ch *tls.ClientHelloInfo) *CertificateConfig {
|
||||
var bestSelection *api.Brand
|
||||
config := CertificateConfig{
|
||||
Web: w.fallback,
|
||||
}
|
||||
for _, t := range w.brands {
|
||||
if t.WebCertificate.Get() == nil {
|
||||
if !t.WebCertificate.IsSet() && len(t.GetClientCertificates()) < 1 {
|
||||
continue
|
||||
}
|
||||
if *t.Default {
|
||||
@ -82,11 +98,20 @@ func (w *Watcher) GetCertificate(ch *tls.ClientHelloInfo) (*tls.Certificate, err
|
||||
}
|
||||
}
|
||||
if bestSelection == nil {
|
||||
return w.fallback, nil
|
||||
return &config
|
||||
}
|
||||
cert := w.cs.Get(bestSelection.GetWebCertificate())
|
||||
if cert == nil {
|
||||
return w.fallback, nil
|
||||
if bestSelection.GetWebCertificate() != "" {
|
||||
if cert := w.cs.Get(bestSelection.GetWebCertificate()); cert != nil {
|
||||
config.Web = cert
|
||||
}
|
||||
}
|
||||
return cert, nil
|
||||
if len(bestSelection.GetClientCertificates()) > 0 {
|
||||
config.Client = x509.NewCertPool()
|
||||
for _, kp := range bestSelection.GetClientCertificates() {
|
||||
if cert := w.cs.Get(kp); cert != nil {
|
||||
config.Client.AddCert(cert.Leaf)
|
||||
}
|
||||
}
|
||||
}
|
||||
return &config
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user