Trust ca certs

lxd/auth/driver_tls.go

@@ -172,5 +172,11 @@ func (t *tls) certificateDetails(fingerprint string) (certificate.Type, bool, []
 		return certificate.TypeMetrics, false, nil, nil
 	}
 
+	// If we're in a CA environment, it's possible for a certificate to be trusted despite not being present in the trust store.
+	// We rely on the validation of the certificate (and its potential revocation) having been done in CheckTrustState.
+	if shared.PathExists(shared.VarPath("server.ca")) {
+		return certificate.TypeClient, true, nil, nil
+	}
+
 	return -1, false, nil, api.StatusErrorf(http.StatusForbidden, "Client certificate not found")
 }

lxd/daemon.go

@@ -586,14 +586,22 @@ func (d *Daemon) createCmd(restAPI *mux.Router, version string, c APIEndpoint) {
 				return response.NotImplemented(nil)
 			}
 
+			// All APIEndpointActions should have an access handler or should allow untrusted requests.
+			if action.AccessHandler == nil && !action.AllowUntrusted {
+				return response.InternalError(fmt.Errorf("Access handler not defined for %s %s", r.Method, r.URL.RequestURI()))
+			}
+
+			// If the request is not trusted, only call the handler if the action allows it.
+			if !trusted && !action.AllowUntrusted {
+				return response.Forbidden(errors.New("You must be authenticated"))
+			}
+
+			// Call the access handler if there is one.
 			if action.AccessHandler != nil {
-				// Defer access control to custom handler
 				resp := action.AccessHandler(d, r)
 				if resp != response.EmptySyncResponse {
 					return resp
 				}
-			} else if !action.AllowUntrusted {
-				return response.Forbidden(nil)
 			}
 
 			return action.Handler(d, r)

test/suites/pki.sh

@@ -61,28 +61,25 @@ test_pki() {
 
     # Add remote using the correct password.
     # This should work because the client certificate is signed by the CA.
-    lxc_remote remote add pki-lxd "${LXD5_ADDR}" --accept-certificate --password=foo
+    token="$(LXD_DIR=${LXD5_DIR} lxc config trust add --name foo -q)"
+    lxc_remote remote add pki-lxd "${LXD5_ADDR}" --accept-certificate --password "${token}"
     lxc_remote config trust ls pki-lxd: | grep lxd-client
+    fingerprint="$(lxc_remote config trust ls pki-lxd: --format csv | cut -d, -f4)"
+    lxc_remote config trust remove pki-lxd:"${fingerprint}"
     lxc_remote remote remove pki-lxd
 
     # Add remote using a CA-signed client certificate, and not providing a password.
     # This should succeed and tests that the CA trust is working, as adding the client certificate to the trust
-    # store without a trust password would normally fail.
+    # store without a token would normally fail.
     LXD_DIR=${LXD5_DIR} lxc config set core.trust_ca_certificates true
     lxc_remote remote add pki-lxd "${LXD5_ADDR}" --accept-certificate
-    lxc_remote config trust ls pki-lxd: | grep lxd-client
+    ! lxc_remote config trust ls pki-lxd: | grep lxd-client || false
     lxc_remote remote remove pki-lxd
 
-    # Add remote using a CA-signed client certificate, and providing an incorrect password.
-    # This should succeed as is the same as the test above but with an incorrect password rather than no password.
+    # Add remote using a CA-signed client certificate, and providing an incorrect token.
+    # This should succeed as is the same as the test above but with an incorrect token rather than no token.
     lxc_remote remote add pki-lxd "${LXD5_ADDR}" --accept-certificate --password=bar
-    lxc_remote config trust ls pki-lxd: | grep lxd-client
-
-    # Try removing the fingerprint.
-    # This should succeed as the admin can delete all certificates.
-    fingerprint="$(lxc_remote config trust ls pki-lxd: --format csv | cut -d, -f4)"
-    lxc_remote config trust rm pki-lxd:"${fingerprint}"
-
+    ! lxc_remote config trust ls pki-lxd: | grep lxd-client || false
     lxc_remote remote remove pki-lxd
 
     # Replace the client certificate with a revoked certificate in the CRL.