Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support using TLS cert subject to auth user #896

Merged
merged 1 commit into from
Feb 7, 2019
Merged

Support using TLS cert subject to auth user #896

merged 1 commit into from
Feb 7, 2019

Conversation

wallyqs
Copy link
Member

@wallyqs wallyqs commented Feb 4, 2019
edited
Loading

Adds support for checking a TLS cert subject to be used for auth besides email address when verify_and_map is enabled.

tls {
  cert_file = "./configs/certs/tlsauth/server.pem"
  key_file = "./configs/certs/tlsauth/server-key.pem"
  ca_file = "./configs/certs/tlsauth/ca.pem"
  verify_and_map = true
}

authorization {
  users [
    { user = "CN=example.com,OU=NATS.io" }
    { user = "CN=example.com,OU=CNCF"  }
  ]
}
  • Documentation added (if applicable)
  • Tests added
  • Branch rebased on top of current master (git pull --rebase origin master)
  • Changes squashed to a single commit (described here)
  • Build is green in Travis CI
  • You have certified that the contribution is your original work and that you license the work to the project under the Apache 2 license

Signed-off-by: Waldemar Quevedo wally@synadia.com

/cc @nats-io/core

@wallyqs wallyqs changed the title Support using TLS cert subject to auth user wip: Support using TLS cert subject to auth user Feb 4, 2019
wallyqs
wallyqs commented Feb 4, 2019
View reviewed changes
server/auth.go
@@ -144,6 +144,12 @@ func (s *Server) checkAuthforWarnings() {
warn = true
}
for _, u := range s.users {
// Skip warn if using TLS certs based auth
// unless a password has been left in the config.
if u.Password == "" && s.opts.TLSMap {
Copy link
Member Author

@wallyqs wallyqs Feb 4, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This removes the following warning for when TLS map feature is used for auth:

[3331] 2019/02/04 11:37:04.713687 [WRN] Plaintext passwords detected, use nkeys or bcrypt.

wallyqs
wallyqs commented Feb 4, 2019
View reviewed changes
server/auth.go
if c.opts.Username != "" {
s.Warnf("User found in connect proto, but user required from cert - %v", c)
}
// Already checked that the client didn't send a user in connect
// but we set it here to be able to identify it in the logs.
c.opts.Username = euser
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added reusing the username field here to be able to log on auth violation, otherwise would become User "N/A"

[1351] 2019/02/04 08:56:10.697602 [ERR] 127.0.0.1:49558 - cid:1 - Publish Violation - User "N/A", Subject "discovery.pRvIVQCPUPtGP34OTGiyBf.status"

derekcollison
derekcollison approved these changes Feb 4, 2019
View reviewed changes
Copy link
Member

@derekcollison derekcollison left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - We should check if this works for MC. Also we need to document how to config the users in the config file, etc.

@wallyqs wallyqs changed the title wip: Support using TLS cert subject to auth user Support using TLS cert subject to auth user Feb 4, 2019
@coveralls
Copy link

coveralls commented Feb 4, 2019
edited
Loading

Coverage Status

Coverage decreased (-0.004%) to 91.545% when pulling 7645d95 on tls-map-user-cn into 46a2661 on master.

derekcollison
derekcollison approved these changes Feb 4, 2019
View reviewed changes
Copy link
Member

@derekcollison derekcollison left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

server/auth.go
if len(cert.EmailAddresses) == 0 {

hasEmailAddresses := len(cert.EmailAddresses) > 0
hasSubject := len(cert.Subject.String()) > 0
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should document how this forces a specific format for the config files.

@ColinSullivan1
Copy link
Member

FYI - I'll share this PR with the interested parties.

@derekcollison
Copy link
Member

Can you resolve the conflicts and then merge? Or do I need to merge?

@wallyqs
Support using TLS cert subject to auth user
7645d95 
Signed-off-by: Waldemar Quevedo <wally@synadia.com>
@wallyqs
Copy link
Member Author

wallyqs commented Feb 6, 2019

I'll rebase then merge, and will add docs for using this with verify_and_map in the README.

@derekcollison
Copy link
Member

Thanks..

@nerdoftech nerdoftech mentioned this pull request Feb 7, 2019
Closed
2 tasks
@wallyqs wallyqs merged commit a733e67 into master Feb 7, 2019
@wallyqs wallyqs deleted the tls-map-user-cn branch February 7, 2019 04:59
@wallyqs wallyqs mentioned this pull request Feb 7, 2019
Merged
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@derekcollison derekcollison derekcollison approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@wallyqs @coveralls @ColinSullivan1 @derekcollison