
fix: use leaf certificate in the apid RBAC check
Fixes #4910

Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
(cherry picked from commit 949464e)
smira committed Feb 11, 2022
1 parent 5dd813a commit 2eeb91d
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions pkg/grpc/middleware/authz/injector.go
Expand Up @@ -83,10 +83,12 @@ func (i *Injector) extractRoles(ctx context.Context) role.Set {
panic(fmt.Sprintf("expected credentials.TLSInfo, got %T", p.AuthInfo))
}

if len(tlsInfo.State.PeerCertificates) != 1 {
panic(fmt.Sprintf("expected one certificate, got %d", len(tlsInfo.State.PeerCertificates)))
if len(tlsInfo.State.PeerCertificates) == 0 {
panic("expected at least one certificate")
}

// PeerCertificates[0] is the leaf certificate the connection was verified against, so this
// is the client cert. Other certificates in the chain might be CAs or intermediates.
strings := tlsInfo.State.PeerCertificates[0].Subject.Organization

// TODO validate cert.KeyUsage, cert.ExtKeyUsage, cert.Issuer.Organization, other fields there?
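Review bot: The added comment describes `PeerCertificates[0]` as "the leaf certificate the connection was verified against", but `tls.ConnectionState.PeerCertificates` is only the chain the client presented; whether it was validated against a trusted CA depends on the server's `tls.Config.ClientAuth`, which is configured outside this file. Because `Subject.Organization` of that certificate becomes the role set, this is the trust boundary of the whole RBAC check, so the assumption should be spelled out on the new lines, e.g. `// Trustworthy only because the server uses tls.RequireAndVerifyClientCert; with a weaker ClientAuth the Organization field is attacker-controlled.` A stricter option is to take the leaf from `tlsInfo.State.VerifiedChains[0][0]`, which is populated only after successful chain verification, so a connection that somehow skipped verification fails here instead of being granted roles. Relaxing `!= 1` to `== 0` is reasonable since clients may send intermediates, but note that the remaining `panic` on a missing certificate is still a process-level failure unless a recovery interceptor sits above this one, which is worth confirming against the TLS setup. extractRoles begins before this hunk and continues past it.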
