Use TLS client certificates to authenticate with Go
Go.CD TLS Client Certificate Authenticator

This plugin allows users to be authenticated by TLS client certificates, when GoCD is behind a reverse proxy which terminates TLS and passes through the certificate details in HTTP headers.

Deploying

The GoCD docs are a good intro to how authentication works: https://docs.gocd.org/current/configuration/dev_authentication.html

You'll also need to configure Apache (or another reverse proxy) to terminate your TLS connections and proxy them through to Go. Apache will need to make the certificate subject (its CN) available to the upstream server under the "SSL_CLIENT_S_DN" header, and it must pass the client verification state through as well. Because the plugin trusts these headers, Go should only be reachable through the proxy, and the proxy must always set them (overwriting anything the client sent) rather than merely append to them. Adding lines such as the following to your Apache config file will do this:

RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"

The httpd.conf in the apache-config folder shows a complete sample configuration.
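To make the trust decision concrete, here is a small header check in Python. It is an added example and not the plugin's own code: the two header names come from this README, while the parsing rules follow Apache mod_ssl's documented formats for SSL_CLIENT_S_DN (RFC 2253 style "CN=a,O=b,C=c" by default, the legacy "/C=c/O=b/CN=a" form when LegacyDNStringFormat is enabled) and its SSL_CLIENT_VERIFY values (NONE, SUCCESS, GENEROUS, FAILED:reason). The sample header sets at the bottom are constructed for illustration.

```python
"""Decide whether a proxy-forwarded client certificate header set proves an identity.

Added example (not the GoCD plugin's code). The point it demonstrates: the CN in
SSL_CLIENT_S_DN is only meaningful when SSL_CLIENT_VERIFY says the proxy actually
verified the certificate against its CA.
"""
from dataclasses import dataclass
from typing import Dict, List, Mapping, Optional


@dataclass(frozen=True)
class CertIdentity:
    common_name: str
    dn: str


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split on sep, honouring backslash escapes (RFC 2253 writes "\\," for a literal comma)."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            buf.append(s[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return [p for p in parts if p]


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse either Apache DN string format into {ATTRIBUTE: value}."""
    dn = dn.strip()
    if not dn:
        return {}
    if dn.startswith("/"):
        # legacy mod_ssl format: "/C=GB/O=Example Ltd/CN=alice"
        components = _split_unescaped(dn, "/")
    else:
        # RFC 2253 style (Apache default): "CN=alice,O=Example Ltd,C=GB"
        components = [c.strip() for c in _split_unescaped(dn, ",")]
    attrs: Dict[str, str] = {}
    for component in components:
        if "=" not in component:
            raise ValueError(f"malformed DN component: {component!r}")
        key, value = component.split("=", 1)
        attrs[key.strip().upper()] = value.strip()
    return attrs


def authenticate(headers: Mapping[str, str]) -> Optional[CertIdentity]:
    """Return the identity the proxy vouched for, or None.

    Only SSL_CLIENT_VERIFY == "SUCCESS" counts. NONE means no certificate was
    presented, GENEROUS means it was accepted without a CA check, and
    FAILED:<reason> means verification failed; in all of those cases the DN
    header must be ignored even if it looks valid.
    """
    norm = {k.upper(): v for k, v in headers.items()}  # header names are case-insensitive
    if norm.get("SSL_CLIENT_VERIFY", "").strip() != "SUCCESS":
        return None
    raw_dn = norm.get("SSL_CLIENT_S_DN", "")
    cn = parse_dn(raw_dn).get("CN")
    if not cn:
        return None
    return CertIdentity(common_name=cn, dn=raw_dn.strip())


# Constructed sample header sets (not captured from a real proxy).
SAMPLE_OK = {"SSL_CLIENT_S_DN": "CN=alice,OU=Builds,O=Example Ltd,C=GB", "SSL_CLIENT_VERIFY": "SUCCESS"}
SAMPLE_LEGACY = {"SSL_CLIENT_S_DN": "/C=GB/O=Example Ltd/OU=Builds/CN=bob", "SSL_CLIENT_VERIFY": "SUCCESS"}
SAMPLE_GENEROUS = {"SSL_CLIENT_S_DN": "CN=mallory,O=Unchecked,C=GB", "SSL_CLIENT_VERIFY": "GENEROUS"}
SAMPLE_NONE = {"SSL_CLIENT_S_DN": "", "SSL_CLIENT_VERIFY": "NONE"}

if __name__ == "__main__":
    for name, sample in [("ok", SAMPLE_OK), ("legacy", SAMPLE_LEGACY),
                         ("generous", SAMPLE_GENEROUS), ("none", SAMPLE_NONE)]:
        print(name, "->", authenticate(sample))
```

Running the block prints an identity for the first two samples and None for the other two; the GENEROUS case is the one worth remembering, since the DN header there is fully populated yet must not be trusted.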

Then download the plugin from the Releases section on GitHub and drop it into Go's plugins folder (e.g., /var/lib/go-server/plugins/external).

Once it's configured and you've restarted Go, a new button should appear on the login screen. Select it and it'll use your certificate to authenticate you. You'll then need to log in to the server using the username/password in the passwords file and add your user as an admin. Sadly Go doesn't yet support auth plugins for API access, so you'll still need to use the passwords file for any machine users that access the server via the API.

Developing

There's a Vagrant box which uses Apache for TLS termination and forwards to Go. It's currently configured to require a BBC Platform client certificate, which is probably not useful for a wider audience. Replace ca.pem in the apache-config folder and the SSLRequire line in httpd.conf to develop using your own CA.

Run vagrant up, and you can then access your Go server at https://localhost:7443.

For the dev server, you can configure the password file to be /vagrant/apache-config/htpasswd. The default username and password are "root" and "correct horse battery staple".

To build the plugin, run mvn install. The output should become available as a plugin in Go (you'll need to restart Go after compiling: vagrant ssh, then sudo service go-server restart).