sql,security: add parsing and validation of SUBJECT role option #119135

Merged
merged 3 commits into from Feb 29, 2024

rafiss
Collaborator

@rafiss rafiss commented Feb 13, 2024

See individual commits.

informs #110616
fixes CRDB-35939
Epic CRDB-34126

Release note (enterprise change): Added a new SUBJECT role option. This
role option can be set to a subject distinguished name in RFC2253 or
RFC4514 format. If set, then during client certificate authentication,
a certificate with the given distinguished name can be used to
authenticate the role whose SUBJECT was configured. The root user cannot
have its SUBJECT configured.

@rafiss rafiss requested a review from bdarnell February 13, 2024 15:54
@cockroach-teamcity
Member

This change is Reviewable

Member

@bdarnell bdarnell left a comment

Reviewed 6 of 6 files at r1, 29 of 30 files at r2, 6 of 6 files at r3.
Reviewable status: :shipit: complete! 0 of 0 LGTMs obtained (waiting on @rafiss)


-- commits line 12 at r2:
This gets the sense of the change backwards: it's already true by default that a cert can be used (matching only on the CN and ignoring the rest of the DN). The change is that when a subject is set, certs that don't match the subject DN will be rejected.


-- commits line 14 at r2:
I would leave out any mention of the root user for now. "cannot have its subject configured" is unclear. In context of the rest of the message as written it implies that root cannot log in with a cert, when in fact it can use a cert with fewer checks than regular users. That's an unacceptable outcome so we're going to have to do something about it but we haven't settled on the design yet, so we can wait to mention root until we've decided that.


pkg/security/distinguishedname/parse.go line 18 at r2 (raw file):

)

// ValidateDN validates a distinguished name string to verify that it is

As discussed on slack, we want an additional validation that the CN field matches the user name, so we'll need either a more complicated interface here or do that part of the validation at a different level.


pkg/sql/user.go line 88 at r3 (raw file):

	isSuperuser bool,
	defaultSettings []sessioninit.SettingsCacheEntry,
	subject *ldap.DN,

Should probably be a separate PR, but this function's return values are overdue for a refactoring into a struct.

Collaborator Author

@rafiss rafiss left a comment

Reviewable status: :shipit: complete! 0 of 0 LGTMs obtained (waiting on @bdarnell)


-- commits line 12 at r2:

Previously, bdarnell (Ben Darnell) wrote…

This gets the sense of the change backwards: it's already true by default that a cert can be used (matching only on the CN and ignoring the rest of the DN). The change is that when a subject is set, certs that don't match the subject DN will be rejected.

done


-- commits line 14 at r2:

Previously, bdarnell (Ben Darnell) wrote…

I would leave out any mention of the root user for now. "cannot have its subject configured" is unclear. In context of the rest of the message as written it implies that root cannot log in with a cert, when in fact it can use a cert with fewer checks than regular users. That's an unacceptable outcome so we're going to have to do something about it but we haven't settled on the design yet, so we can wait to mention root until we've decided that.

that makes sense, done


pkg/security/distinguishedname/parse.go line 18 at r2 (raw file):

Previously, bdarnell (Ben Darnell) wrote…

As discussed on slack, we want an additional validation that the CN field matches the user name, so we'll need either a more complicated interface here or do that part of the validation at a different level.

I'll add the SQLUsername to the parameters here.


pkg/sql/user.go line 88 at r3 (raw file):

Previously, bdarnell (Ben Darnell) wrote…

Should probably be a separate PR, but this function's return values are overdue for a refactoring into a struct.

agreed

@rafiss rafiss requested a review from bdarnell February 14, 2024 21:19
@rafiss rafiss marked this pull request as ready for review February 14, 2024 21:19
@rafiss rafiss requested review from a team as code owners February 14, 2024 21:19
@rafiss rafiss requested review from abarganier and removed request for a team and abarganier February 14, 2024 21:19
Member

@bdarnell bdarnell left a comment

Reviewed 1 of 37 files at r4, 27 of 31 files at r5, 10 of 10 files at r6, all commit messages.
Reviewable status: :shipit: complete! 0 of 0 LGTMs obtained (waiting on @BabuSrithar and @rafiss)


pkg/security/distinguishedname/parse.go line 37 at r6 (raw file):

				}
				sawCN = true
				if attr.Value != u.Normalized() {

Do we want to normalize (lowercase?) the attr.Value too?

Collaborator Author

@rafiss rafiss left a comment

tftr!

bors r+

Reviewable status: :shipit: complete! 0 of 0 LGTMs obtained (waiting on @BabuSrithar and @bdarnell)


pkg/security/distinguishedname/parse.go line 37 at r6 (raw file):

Previously, bdarnell (Ben Darnell) wrote…

Do we want to normalize (lowercase?) the attr.Value too?

done
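
The validation discussed in this thread (the SUBJECT must be a well-formed DN whose CN matches the user name, compared after lowercasing), as an added example that is not CockroachDB's code. It assumes a simplified standard-library splitter in place of the `ldap.DN` parser the PR uses, treats lowercasing as the normalization, and rejects DNs without exactly one CN; `validateSubject` and `splitUnescaped` are hypothetical names.

```go
package main

import (
	"fmt"
	"strings"
)

// splitUnescaped splits s on sep, ignoring separators escaped with a backslash.
func splitUnescaped(s string, sep byte) (parts []string) {
	start := 0
	for i := 0; i < len(s); i++ {
		if s[i] == '\\' {
			i++ // skip the escaped character
		} else if s[i] == sep {
			parts, start = append(parts, s[start:i]), i+1
		}
	}
	return append(parts, s[start:])
}

// validateSubject (hypothetical) checks DN shape and that its CN equals the user name.
func validateSubject(username, dn string) error {
	cns := 0
	for _, rdn := range splitUnescaped(dn, ',') {
		for _, attr := range splitUnescaped(rdn, '+') {
			typ, val, ok := strings.Cut(attr, "=")
			if typ = strings.TrimSpace(typ); !ok || typ == "" {
				return fmt.Errorf("malformed attribute %q", attr)
			}
			if strings.EqualFold(typ, "CN") {
				cns++
				// Drop simple backslash escapes; hex-pair escapes are not decoded.
				cn := strings.ToLower(strings.ReplaceAll(val, `\`, ""))
				if cn != strings.ToLower(username) {
					return fmt.Errorf("CN %q does not match user %q", val, username)
				}
			}
		}
	}
	if cns != 1 { // assumption of this example: exactly one CN is required
		return fmt.Errorf("DN must contain exactly one CN, found %d", cns)
	}
	return nil
}

func main() {
	fmt.Println(validateSubject("alice", "CN=Alice,OU=Eng,O=Example Corp")) // constructed DN
	fmt.Println(validateSubject("alice", `O=x\,CN=alice`))                  // escaped comma: no CN attribute
}
```

The second call shows why the split must honor escapes: a plain `strings.Split` on commas would see a `CN=alice` attribute inside what is really the value of `O`.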

@craig
Contributor

craig bot commented Feb 29, 2024

Build failed (retrying...):

@rafiss
Collaborator Author

rafiss commented Feb 29, 2024

bors r-

@craig
Contributor

craig bot commented Feb 29, 2024

Canceled.

Release note (enterprise change): Added a new SUBJECT role option. This
role option can be set to a subject distinguished name in RFC2253 or
RFC4514 format. If set, then during client certificate authentication,
certs that do not match the configured distinguished name will be
rejected.
This allows the SUBJECT that has been configured to be used during
authentication.

Release note: None
@rafiss
Collaborator Author

rafiss commented Feb 29, 2024

bors r+

@craig
Contributor

craig bot commented Feb 29, 2024

Build succeeded:

@craig craig bot merged commit 7b87246 into cockroachdb:master Feb 29, 2024
17 of 18 checks passed
@rafiss rafiss deleted the subject-role-option branch March 5, 2024 21:56