2 changes: 2 additions & 0 deletions acceptance-tests/xfcc_test.go
Expand Up @@ -111,6 +111,7 @@ var _ = Describe("forwarded_client_cert", func() {
"X-SSL-Client-Subject-Cn": "app.mycert.com",
"X-SSL-Client-Issuer-Dn": "ACME inc, USA",
"X-SSL-Client-Issuer-Cn": "mycert.com",
"X-SSL-Client-Root-CA-DN": "/C=Palau/O=Pete's Café",
"X-SSL-Client-Notbefore": "Wednesday",
"X-SSL-Client-Notafter": "Thursday",
"X-SSL-Client-Cert": "ABC",
Expand Down Expand Up @@ -304,6 +305,7 @@ func checkXFCCHeadersMatchCert(expectedCert *x509.Certificate, headers http.Head
Expect(base64Decode(headers.Get("X-SSL-Client-Subject-Dn"))).To(Equal("/C=Vatican City/O=Víkî's Vergnügungspark/CN=haproxy.client"))
Expect(base64Decode(headers.Get("X-SSL-Client-Subject-CN"))).To(Equal("haproxy.client"))
Expect(base64Decode(headers.Get("X-SSL-Client-Issuer-Dn"))).To(Equal("/C=Palau/O=Pete's Café"))
Expect(base64Decode(headers.Get("X-SSL-Client-Root-CA-DN"))).To(Equal("/C=Palau/O=Pete's Café"))
Expect(headers.Get("X-SSL-Client-Notbefore")).To(Equal(expectedCert.NotBefore.UTC().Format("060102150405Z"))) //YYMMDDhhmmss[Z]
Expect(headers.Get("X-SSL-Client-Notafter")).To(Equal(expectedCert.NotAfter.UTC().Format("060102150405Z"))) //YYMMDDhhmmss[Z]

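Review bot: The new assertion `Expect(base64Decode(headers.Get("X-SSL-Client-Root-CA-DN"))).To(Equal("/C=Palau/O=Pete's Café"))` expects exactly the value the Issuer-DN check on the line above expects, so the fixture client certificate is evidently signed directly by the root and this test cannot tell `ssl_c_r_dn` apart from `ssl_c_i_dn`. A regression that wrote the issuer DN into the Root-CA-DN header would still pass. Consider a fixture chain with an intermediate CA so the two headers carry different DNs, which is the case the new header exists for. `checkXFCCHeadersMatchCert` continues outside the hunk, and the `expectedCert` parameter is not used by the DN assertions, only by the date ones.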
2 changes: 2 additions & 0 deletions jobs/haproxy/spec
Expand Up @@ -410,6 +410,8 @@ properties:

- X-SSL-Client-Issuer-DN: Contains the base64-encoded issuer distinguished name of the client certificate

- X-SSL-Client-Root-CA-DN: X-SSL-Client-Root-CA-DN: Contains base64-encoded subject DN of the root CA which signed the client certificate

- X-SSL-Client-NotBefore: Contains the start date of the client certificate in YYMMDDhhmmss[Z] format.

- X-SSL-Client-NotAfter: Contains the expiration date of the client certificate in YYMMDDhhmmss[Z] format.
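Review bot: The new description repeats the header name: `- X-SSL-Client-Root-CA-DN: X-SSL-Client-Root-CA-DN: Contains base64-encoded subject DN ...`. Suggest `- X-SSL-Client-Root-CA-DN: Contains the base64-encoded subject DN of the root CA of the client certificate's chain`. As with the neighbouring entries, "base64-encoded" only holds when `ha_proxy.legacy_xfcc_header_mapping` is false (the template writes the raw DN in the legacy branch), so a single caveat above the list would be more accurate than repeating it per header. The root is not necessarily the direct signer of the client certificate when intermediates are involved, so "root CA of the chain" is safer wording than "which signed the client certificate".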
10 changes: 10 additions & 0 deletions jobs/haproxy/templates/haproxy.config.erb
Expand Up @@ -527,6 +527,7 @@ frontend https-in
http-request del-header X-SSL-Client-Issuer-DN
http-request del-header X-SSL-Client-NotBefore
http-request del-header X-SSL-Client-NotAfter
http-request del-header X-SSL-Client-Root-CA-DN
<%- when :non_mtls_only -%>
http-request del-header X-Forwarded-Client-Cert if ! { ssl_c_used }
http-request del-header X-SSL-Client if ! { ssl_c_used }
Expand All @@ -537,6 +538,7 @@ frontend https-in
http-request del-header X-SSL-Client-Issuer-DN if ! { ssl_c_used }
http-request del-header X-SSL-Client-NotBefore if ! { ssl_c_used }
http-request del-header X-SSL-Client-NotAfter if ! { ssl_c_used }
http-request del-header X-SSL-Client-Root-CA-DN if ! { ssl_c_used }
<%- when :non_route_service_only -%>
acl route_service_request hdr(X-Cf-Proxy-Signature) -m found
http-request del-header X-Forwarded-Client-Cert if !route_service_request
Expand All @@ -548,6 +550,7 @@ frontend https-in
http-request del-header X-SSL-Client-Issuer-DN if !route_service_request
http-request del-header X-SSL-Client-NotBefore if !route_service_request
http-request del-header X-SSL-Client-NotAfter if !route_service_request
http-request del-header X-SSL-Client-Root-CA-DN if !route_service_request
<%- end -%>

<%- if write_mtls_headers -%>
Expand All @@ -561,10 +564,12 @@ frontend https-in
http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn] if { ssl_c_used }
http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn)] if { ssl_c_used }
http-request set-header X-SSL-Client-Issuer-DN %{+Q}[ssl_c_i_dn] if { ssl_c_used }
http-request set-header X-SSL-Client-Root-CA-DN %{+Q}[ssl_c_r_dn] if { ssl_c_used }
<%- else %>
http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn,base64] if { ssl_c_used }
http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn),base64] if { ssl_c_used }
http-request set-header X-SSL-Client-Issuer-DN %{+Q}[ssl_c_i_dn,base64] if { ssl_c_used }
http-request set-header X-SSL-Client-Root-CA-DN %{+Q}[ssl_c_r_dn,base64] if { ssl_c_used }
<%- end %>
<%- end -%>

Expand Down Expand Up @@ -680,6 +685,7 @@ frontend wss-in
http-request del-header X-SSL-Client-Issuer-DN
http-request del-header X-SSL-Client-NotBefore
http-request del-header X-SSL-Client-NotAfter
http-request del-header X-SSL-Client-Root-CA-DN
<%- when :non_mtls_only -%>
http-request del-header X-Forwarded-Client-Cert if ! { ssl_c_used }
http-request del-header X-SSL-Client if ! { ssl_c_used }
Expand All @@ -690,6 +696,7 @@ frontend wss-in
http-request del-header X-SSL-Client-Issuer-DN if ! { ssl_c_used }
http-request del-header X-SSL-Client-NotBefore if ! { ssl_c_used }
http-request del-header X-SSL-Client-NotAfter if ! { ssl_c_used }
http-request del-header X-SSL-Client-Root-CA-DN if ! { ssl_c_used }
<%- when :non_route_service_only -%>
acl route_service_request hdr(X-Cf-Proxy-Signature) -m found
http-request del-header X-Forwarded-Client-Cert if !route_service_request
Expand All @@ -701,6 +708,7 @@ frontend wss-in
http-request del-header X-SSL-Client-Issuer-DN if !route_service_request
http-request del-header X-SSL-Client-NotBefore if !route_service_request
http-request del-header X-SSL-Client-NotAfter if !route_service_request
http-request del-header X-SSL-Client-Root-CA-DN if !route_service_request
<%- end -%>

<%- if write_mtls_headers -%>
Expand All @@ -714,10 +722,12 @@ frontend wss-in
http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn] if { ssl_c_used }
http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn)] if { ssl_c_used }
http-request set-header X-SSL-Client-Issuer-DN %{+Q}[ssl_c_i_dn] if { ssl_c_used }
http-request set-header X-SSL-Client-Root-CA-DN %{+Q}[ssl_c_r_dn] if { ssl_c_used }
<%- else %>
http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn,base64] if { ssl_c_used }
http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn),base64] if { ssl_c_used }
http-request set-header X-SSL-Client-Issuer-DN %{+Q}[ssl_c_i_dn,base64] if { ssl_c_used }
http-request set-header X-SSL-Client-Root-CA-DN %{+Q}[ssl_c_r_dn,base64] if { ssl_c_used }
<%- end %>
<%- end -%>

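Review bot: The new `http-request set-header X-SSL-Client-Root-CA-DN %{+Q}[ssl_c_r_dn,base64] if { ssl_c_used }` lines (and the legacy-mapping variants) use a sample fetch that is considerably newer than `ssl_c_i_dn`; if the HAProxy packaged by this release predates it, the config fails to parse at startup rather than merely omitting the header, so the supported version should be confirmed or the line gated on it. The header is correctly added to all three `del-header` strip lists in both frontends, so a client cannot inject it from outside. Consumers should still treat the value as informational: it names the root HAProxy associated with the presented chain, and if a listener tolerates verification errors (`verify optional` with `ca-ignore-err`/`crt-ignore-err`, which are not visible in this hunk) the presence of the header does not by itself prove the chain validated; `ssl_c_verify` remains the authoritative signal. Both `frontend https-in` and `frontend wss-in` start before their hunks.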
10 changes: 10 additions & 0 deletions spec/haproxy/templates/haproxy_config/frontend_https_spec.rb
Expand Up @@ -189,6 +189,7 @@
expect(frontend_https).to include('http-request del-header X-SSL-Client-Issuer-DN')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotBefore')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotAfter')
expect(frontend_https).to include('http-request del-header X-SSL-Client-Root-CA-DN')
end

it 'does not add mTLS headers' do
Expand All @@ -214,6 +215,7 @@
expect(frontend_https).to include('http-request del-header X-SSL-Client-Issuer-DN if ! { ssl_c_used }')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotBefore if ! { ssl_c_used }')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotAfter if ! { ssl_c_used }')
expect(frontend_https).to include('http-request del-header X-SSL-Client-Root-CA-DN if ! { ssl_c_used }')
end

it 'does not add mTLS headers' do
Expand All @@ -234,6 +236,7 @@
expect(frontend_https).to include('http-request del-header X-SSL-Client-Issuer-DN')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotBefore')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotAfter')
expect(frontend_https).to include('http-request del-header X-SSL-Client-Root-CA-DN')
end

it 'does not add mTLS headers' do
Expand All @@ -256,6 +259,7 @@
expect(frontend_https).to include('http-request del-header X-SSL-Client-Issuer-DN')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotBefore')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotAfter')
expect(frontend_https).to include('http-request del-header X-SSL-Client-Root-CA-DN')
end

it 'writes mTLS headers when mTLS is used' do
Expand All @@ -268,6 +272,7 @@
expect(frontend_https).to include('http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn,base64] if { ssl_c_used }')
expect(frontend_https).to include('http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn),base64] if { ssl_c_used }')
expect(frontend_https).to include('http-request set-header X-SSL-Client-Issuer-DN %{+Q}[ssl_c_i_dn,base64] if { ssl_c_used }')
expect(frontend_https).to include('http-request set-header X-SSL-Client-Root-CA-DN %{+Q}[ssl_c_r_dn,base64] if { ssl_c_used }')
end

context 'when ha_proxy.legacy_xfcc_header_mapping is true' do
Expand All @@ -279,6 +284,7 @@
expect(frontend_https).to include('http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn] if { ssl_c_used }')
expect(frontend_https).to include('http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn)] if { ssl_c_used }')
expect(frontend_https).to include('http-request set-header X-SSL-Client-Issuer-DN %{+Q}[ssl_c_i_dn] if { ssl_c_used }')
expect(frontend_https).to include('http-request set-header X-SSL-Client-Root-CA-DN %{+Q}[ssl_c_r_dn] if { ssl_c_used }')
end
end
end
Expand All @@ -300,6 +306,7 @@
expect(frontend_https).to include('http-request del-header X-SSL-Client-Issuer-DN if !route_service_request')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotBefore if !route_service_request')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotAfter if !route_service_request')
expect(frontend_https).to include('http-request del-header X-SSL-Client-Root-CA-DN if !route_service_request')
end

it 'does not add mTLS headers' do
Expand All @@ -326,6 +333,7 @@
expect(frontend_https).to include('http-request del-header X-SSL-Client-Issuer-DN if !route_service_request')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotBefore if !route_service_request')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotAfter if !route_service_request')
expect(frontend_https).to include('http-request del-header X-SSL-Client-Root-CA-DN if !route_service_request')
end

it 'overwrites mTLS headers when mTLS is used' do
Expand All @@ -338,6 +346,7 @@
expect(frontend_https).to include('http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn,base64] if { ssl_c_used }')
expect(frontend_https).to include('http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn),base64] if { ssl_c_used }')
expect(frontend_https).to include('http-request set-header X-SSL-Client-Issuer-DN %{+Q}[ssl_c_i_dn,base64] if { ssl_c_used }')
expect(frontend_https).to include('http-request set-header X-SSL-Client-Root-CA-DN %{+Q}[ssl_c_r_dn,base64] if { ssl_c_used }')
end

context 'when ha_proxy.legacy_xfcc_header_mapping is true' do
Expand All @@ -353,6 +362,7 @@
expect(frontend_https).to include('http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn] if { ssl_c_used }')
expect(frontend_https).to include('http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn)] if { ssl_c_used }')
expect(frontend_https).to include('http-request set-header X-SSL-Client-Issuer-DN %{+Q}[ssl_c_i_dn] if { ssl_c_used }')
expect(frontend_https).to include('http-request set-header X-SSL-Client-Root-CA-DN %{+Q}[ssl_c_r_dn] if { ssl_c_used }')
end
end
end
11 changes: 11 additions & 0 deletions spec/haproxy/templates/haproxy_config/frontend_wss_spec.rb
Expand Up @@ -164,6 +164,7 @@
expect(frontend_wss).not_to include('http-request del-header X-SSL-Client-Issuer-DN')
expect(frontend_wss).not_to include('http-request del-header X-SSL-Client-NotBefore')
expect(frontend_wss).not_to include('http-request del-header X-SSL-Client-NotAfter')
expect(frontend_wss).not_to include('http-request del-header X-SSL-Client-Root-CA-DN')
end

it 'does not add mTLS headers' do
Expand All @@ -187,6 +188,7 @@
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Issuer-DN')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotBefore')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotAfter')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Root-CA-DN')
end

it 'does not add mTLS headers' do
Expand All @@ -212,6 +214,7 @@
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Issuer-DN if ! { ssl_c_used }')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotBefore if ! { ssl_c_used }')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotAfter if ! { ssl_c_used }')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Root-CA-DN if ! { ssl_c_used }')
end

it 'does not add mTLS headers' do
Expand All @@ -232,6 +235,7 @@
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Issuer-DN')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotBefore')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotAfter')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Root-CA-DN')
end

it 'does not add mTLS headers' do
Expand All @@ -254,6 +258,7 @@
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Issuer-DN')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotBefore')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotAfter')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Root-CA-DN')
end

it 'writes mTLS headers when mTLS is used' do
Expand All @@ -266,6 +271,7 @@
expect(frontend_wss).to include('http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn,base64] if { ssl_c_used }')
expect(frontend_wss).to include('http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn),base64] if { ssl_c_used }')
expect(frontend_wss).to include('http-request set-header X-SSL-Client-Issuer-DN %{+Q}[ssl_c_i_dn,base64] if { ssl_c_used }')
expect(frontend_wss).to include('http-request set-header X-SSL-Client-Root-CA-DN %{+Q}[ssl_c_r_dn,base64] if { ssl_c_used }')
end

context 'when ha_proxy.legacy_xfcc_header_mapping is true' do
Expand All @@ -277,6 +283,7 @@
expect(frontend_wss).to include('http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn] if { ssl_c_used }')
expect(frontend_wss).to include('http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn)] if { ssl_c_used }')
expect(frontend_wss).to include('http-request set-header X-SSL-Client-Issuer-DN %{+Q}[ssl_c_i_dn] if { ssl_c_used }')
expect(frontend_wss).to include('http-request set-header X-SSL-Client-Root-CA-DN %{+Q}[ssl_c_r_dn] if { ssl_c_used }')
end
end
end
Expand All @@ -298,6 +305,7 @@
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Issuer-DN if !route_service_request')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotBefore if !route_service_request')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotAfter if !route_service_request')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Root-CA-DN if !route_service_request')
end

it 'does not add mTLS headers' do
Expand All @@ -324,6 +332,7 @@
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Issuer-DN if !route_service_request')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotBefore if !route_service_request')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotAfter if !route_service_request')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Root-CA-DN if !route_service_request')
end

it 'overwrites mTLS headers when mTLS is used' do
Expand All @@ -336,6 +345,7 @@
expect(frontend_wss).to include('http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn,base64] if { ssl_c_used }')
expect(frontend_wss).to include('http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn),base64] if { ssl_c_used }')
expect(frontend_wss).to include('http-request set-header X-SSL-Client-Issuer-DN %{+Q}[ssl_c_i_dn,base64] if { ssl_c_used }')
expect(frontend_wss).to include('http-request set-header X-SSL-Client-Root-CA-DN %{+Q}[ssl_c_r_dn,base64] if { ssl_c_used }')
end

context 'when ha_proxy.legacy_xfcc_header_mapping is true' do
Expand All @@ -351,6 +361,7 @@
expect(frontend_wss).to include('http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn] if { ssl_c_used }')
expect(frontend_wss).to include('http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn)] if { ssl_c_used }')
expect(frontend_wss).to include('http-request set-header X-SSL-Client-Issuer-DN %{+Q}[ssl_c_i_dn] if { ssl_c_used }')
expect(frontend_wss).to include('http-request set-header X-SSL-Client-Root-CA-DN %{+Q}[ssl_c_r_dn] if { ssl_c_used }')
end
end
end