-
-
Notifications
You must be signed in to change notification settings - Fork 4.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
caddytls: clientauth: leaf verifier: make trusted leaf certs source p…
…luggable (#6050) * Made trusted leaf certificates pluggable into the tls.client_auth.leaf module * Added leaf loaders modules: file, folder, pem aand storage * Cleaned implementation of leaf cert loader modules * Added tests for leaf certs file and folder loaders * cmd: fix the output of the `Usage` section (#6138) * core: OnExit hooks (#6128) * core: OnExit callbacks * core: Process-global OnExit callbacks * ci: bump golangci/golangci-lint-action from 3 to 4 (#6141) Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 3 to 4. - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](golangci/golangci-lint-action@v3...v4) --- updated-dependencies: - dependency-name: golangci/golangci-lint-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Added more leaf certificate loaders tests and cleaned up code * Modified leaf cert loaders json field names and cleaned up storage loader comment * Update modules/caddytls/leaffileloader.go * Update LeafStorageLoader certificates field name * Upgraded protobuf version --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: Mohammed Al Sahaf <[email protected]> Co-authored-by: Matt Holt <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- Loading branch information
1 parent
e473ae6
commit 3ae07a7
Showing
12 changed files
with
649 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,67 @@ | ||
package integration | ||
|
||
import ( | ||
"testing" | ||
|
||
"github.com/caddyserver/caddy/v2/caddytest" | ||
) | ||
|
||
func TestLeafCertLoaders(t *testing.T) { | ||
tester := caddytest.NewTester(t) | ||
tester.InitServer(` | ||
{ | ||
"admin": { | ||
"listen": "localhost:2999" | ||
}, | ||
"apps": { | ||
"http": { | ||
"servers": { | ||
"srv0": { | ||
"listen": [ | ||
":443" | ||
], | ||
"routes": [ | ||
{ | ||
"match": [ | ||
{ | ||
"host": [ | ||
"localhost" | ||
] | ||
} | ||
], | ||
"terminal": true | ||
} | ||
], | ||
"tls_connection_policies": [ | ||
{ | ||
"client_authentication": { | ||
"verifiers": [ | ||
{ | ||
"verifier": "leaf", | ||
"leaf_certs_loaders": [ | ||
{ | ||
"loader": "file", | ||
"files": ["../leafcert.pem"] | ||
}, | ||
{ | ||
"loader": "folder", | ||
"folders": ["../"] | ||
}, | ||
{ | ||
"loader": "storage" | ||
}, | ||
{ | ||
"loader": "pem" | ||
} | ||
] | ||
} | ||
] | ||
} | ||
} | ||
] | ||
} | ||
} | ||
} | ||
} | ||
}`, "json") | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
-----BEGIN CERTIFICATE----- | ||
MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL | ||
MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC | ||
VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx | ||
NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD | ||
TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu | ||
ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j | ||
V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj | ||
gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA | ||
FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE | ||
CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS | ||
BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE | ||
BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju | ||
Wm7DCfrPNGVwFWUQOmsPue9rZBgO | ||
-----END CERTIFICATE----- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,99 @@ | ||
// Copyright 2015 Matthew Holt and The Caddy Authors | ||
// | ||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
package caddytls | ||
|
||
import ( | ||
"crypto/x509" | ||
"encoding/pem" | ||
"fmt" | ||
"os" | ||
|
||
"github.com/caddyserver/caddy/v2" | ||
) | ||
|
||
func init() { | ||
caddy.RegisterModule(LeafFileLoader{}) | ||
} | ||
|
||
// LeafFileLoader loads leaf certificates from disk. | ||
type LeafFileLoader struct { | ||
Files []string `json:"files,omitempty"` | ||
} | ||
|
||
// Provision implements caddy.Provisioner. | ||
func (fl *LeafFileLoader) Provision(ctx caddy.Context) error { | ||
repl, ok := ctx.Value(caddy.ReplacerCtxKey).(*caddy.Replacer) | ||
if !ok { | ||
repl = caddy.NewReplacer() | ||
} | ||
for k, path := range fl.Files { | ||
fl.Files[k] = repl.ReplaceKnown(path, "") | ||
} | ||
return nil | ||
} | ||
|
||
// CaddyModule returns the Caddy module information. | ||
func (LeafFileLoader) CaddyModule() caddy.ModuleInfo { | ||
return caddy.ModuleInfo{ | ||
ID: "tls.leaf_cert_loader.file", | ||
New: func() caddy.Module { return new(LeafFileLoader) }, | ||
} | ||
} | ||
|
||
// LoadLeafCertificates returns the certificates to be loaded by fl. | ||
func (fl LeafFileLoader) LoadLeafCertificates() ([]*x509.Certificate, error) { | ||
certificates := make([]*x509.Certificate, 0, len(fl.Files)) | ||
for _, path := range fl.Files { | ||
ders, err := convertPEMFilesToDERBytes(path) | ||
if err != nil { | ||
return nil, err | ||
} | ||
certs, err := x509.ParseCertificates(ders) | ||
if err != nil { | ||
return nil, err | ||
} | ||
certificates = append(certificates, certs...) | ||
} | ||
return certificates, nil | ||
} | ||
|
||
func convertPEMFilesToDERBytes(filename string) ([]byte, error) { | ||
certDataPEM, err := os.ReadFile(filename) | ||
if err != nil { | ||
return nil, err | ||
} | ||
var ders []byte | ||
// while block is not nil, we have more certificates in the file | ||
for block, rest := pem.Decode(certDataPEM); block != nil; block, rest = pem.Decode(rest) { | ||
if block.Type != "CERTIFICATE" { | ||
return nil, fmt.Errorf("no CERTIFICATE pem block found in %s", filename) | ||
} | ||
ders = append( | ||
ders, | ||
block.Bytes..., | ||
) | ||
} | ||
// if we decoded nothing, return an error | ||
if len(ders) == 0 { | ||
return nil, fmt.Errorf("no CERTIFICATE pem block found in %s", filename) | ||
} | ||
return ders, nil | ||
} | ||
|
||
// Interface guard | ||
var ( | ||
_ LeafCertificateLoader = (*LeafFileLoader)(nil) | ||
_ caddy.Provisioner = (*LeafFileLoader)(nil) | ||
) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
package caddytls | ||
|
||
import ( | ||
"context" | ||
"encoding/pem" | ||
"os" | ||
"strings" | ||
"testing" | ||
|
||
"github.com/caddyserver/caddy/v2" | ||
) | ||
|
||
func TestLeafFileLoader(t *testing.T) { | ||
fl := LeafFileLoader{Files: []string{"../../caddytest/leafcert.pem"}} | ||
fl.Provision(caddy.Context{Context: context.Background()}) | ||
|
||
out, err := fl.LoadLeafCertificates() | ||
if err != nil { | ||
t.Errorf("Leaf certs file loading test failed: %v", err) | ||
} | ||
if len(out) != 1 { | ||
t.Errorf("Error loading leaf cert in memory struct") | ||
return | ||
} | ||
pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: out[0].Raw}) | ||
|
||
pemFileBytes, err := os.ReadFile("../../caddytest/leafcert.pem") | ||
if err != nil { | ||
t.Errorf("Unable to read the example certificate from the file") | ||
} | ||
|
||
// Remove /r because windows. | ||
pemFileString := strings.ReplaceAll(string(pemFileBytes), "\r\n", "\n") | ||
|
||
if string(pemBytes) != pemFileString { | ||
t.Errorf("Leaf Certificate File Loader: Failed to load the correct certificate") | ||
} | ||
} |
Oops, something went wrong.