Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Return OCSP errors on cert auth login failures #20234

Merged
merged 3 commits into from
Apr 19, 2023
Merged

Return OCSP errors on cert auth login failures #20234

merged 3 commits into from
Apr 19, 2023

Conversation

cipherboy
Copy link
Contributor

@cipherboy cipherboy commented Apr 18, 2023
edited
Loading

This returns OCSP validation errors (that aren't simply a revoked certificate) to the login client, hopefully helping them to understand why their request was rejected (if by OCSP or otherwise).

We make an attempt to deduplicate these errors.

@cipherboy
Return OCSP errors on cert auth login failures
5852441 
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
@cipherboy cipherboy added enhancement auth/cert Authentication - certificates labels Apr 18, 2023
@cipherboy cipherboy added this to the 1.14 milestone Apr 18, 2023
@cipherboy cipherboy requested review from sgmiller, stevendpclark and a team April 18, 2023 18:43
stevendpclark
stevendpclark reviewed Apr 18, 2023
View reviewed changes
builtin/credential/cert/path_login.go
}

if matches {
Copy link
Contributor

@stevendpclark stevendpclark Apr 18, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we add an additional protection matches && err == nil, just in case something returned a true, err which used to short-circuit failure in the past, we'd return the trustedNonCA now.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure. While we're here, what's your thoughts on the second iteration? Here, we build up matches, but we only ever return the first element from it... Should we mirror this behavior, and avoid checking all the chains, given the first (valid) match will succeed the request anyways...?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure sounds okay to me.

@cipherboy cipherboy force-pushed the cipherboy-return-cert-auth-ocsp-errors branch from 4dfc767 to 26321f4 Compare April 19, 2023 12:00
@cipherboy
Switch to immediately returning the first match
92d613a 
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
@cipherboy cipherboy force-pushed the cipherboy-return-cert-auth-ocsp-errors branch from 26321f4 to 92d613a Compare April 19, 2023 12:16
@cipherboy
Add changelog entry
751b719 
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
@cipherboy cipherboy merged commit 13c1a36 into main Apr 19, 2023
@cipherboy cipherboy deleted the cipherboy-return-cert-auth-ocsp-errors branch April 21, 2023 13:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stevendpclark stevendpclark stevendpclark approved these changes

@sgmiller sgmiller Awaiting requested review from sgmiller

Assignees
No one assigned
Labels
auth/cert Authentication - certificates enhancement
Projects
None yet
Milestone
1.14
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@cipherboy @stevendpclark