
Add client cert in insecure mode #10899

Merged
merged 8 commits into from
Apr 6, 2022
4 changes: 4 additions & 0 deletions lib/srv/db/access_test.go
Expand Up @@ -1807,6 +1807,7 @@ func withSelfHostedPostgres(name string) withDatabaseOption {
postgresServer, err := postgres.NewTestServer(common.TestServerConfig{
Name: name,
AuthClient: testCtx.authClient,
ClientAuth: tls.RequireAndVerifyClientCert,
})
require.NoError(t, err)
go postgresServer.Serve()
Expand Down Expand Up @@ -1961,6 +1962,7 @@ func withSelfHostedMySQL(name string) withDatabaseOption {
mysqlServer, err := mysql.NewTestServer(common.TestServerConfig{
Name: name,
AuthClient: testCtx.authClient,
ClientAuth: tls.RequireAndVerifyClientCert,
})
require.NoError(t, err)
go mysqlServer.Serve()
Expand Down Expand Up @@ -2128,6 +2130,7 @@ func withSelfHostedMongo(name string, opts ...mongodb.TestServerOption) withData
mongoServer, err := mongodb.NewTestServer(common.TestServerConfig{
Name: name,
AuthClient: testCtx.authClient,
ClientAuth: tls.RequireAndVerifyClientCert,
}, opts...)
require.NoError(t, err)
go mongoServer.Serve()
Expand All @@ -2153,6 +2156,7 @@ func withSelfHostedRedis(name string, opts ...redis.TestServerOption) withDataba
redisServer, err := redis.NewTestServer(t, common.TestServerConfig{
Name: name,
AuthClient: testCtx.authClient,
ClientAuth: tls.RequireAndVerifyClientCert,
}, opts...)
require.NoError(t, err)

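Review bot: The four hunks make every self-hosted test server demand a client certificate via tls.RequireAndVerifyClientCert, but that only catches the missing cert if some test in this file actually connects with DatabaseTLSMode_INSECURE; none of the visible hunks sets that mode, so the default verify-full tests would have passed before this change as well. It is worth confirming that a test exercises the insecure path explicitly (for example through whatever option sets the database's TLS mode), otherwise a future regression in getTLSConfigInsecure would go unnoticed here. The enclosing with* helper functions start and end outside these hunks.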
15 changes: 9 additions & 6 deletions lib/srv/db/common/auth.go
Expand Up @@ -287,15 +287,15 @@ func (a *dbAuth) GetAzureAccessToken(ctx context.Context, sessionCtx *Session) (
// GetTLSConfig builds the client TLS configuration for the session.
//
// For RDS/Aurora, the config must contain RDS root certificate as a trusted
// authority. For onprem we generate a client certificate signed by the host
// authority. For on-prem we generate a client certificate signed by the host
// CA used to authenticate.
func (a *dbAuth) GetTLSConfig(ctx context.Context, sessionCtx *Session) (*tls.Config, error) {
dbTLSConfig := sessionCtx.Database.GetTLS()

// Mode won't be set for older clients. We will default to VerifyFull then - the same as before.
switch dbTLSConfig.Mode {
case types.DatabaseTLSMode_INSECURE:
return getTLSConfigInsecure(), nil
return a.getTLSConfigInsecure(ctx, sessionCtx)
case types.DatabaseTLSMode_VERIFY_CA:
return a.getTLSConfigVerifyCA(ctx, sessionCtx)
default:
Expand Down Expand Up @@ -381,15 +381,18 @@ func (a *dbAuth) getTLSConfigVerifyFull(ctx context.Context, sessionCtx *Session

// getTLSConfigInsecure generates tls.Config when TLS mode is equal to 'insecure'.
// Generated configuration will accept any certificate provided by database.
func getTLSConfigInsecure() *tls.Config {
tlsConfig := &tls.Config{
RootCAs: x509.NewCertPool(),
func (a *dbAuth) getTLSConfigInsecure(ctx context.Context, sessionCtx *Session) (*tls.Config, error) {
tlsConfig, err := a.getTLSConfigVerifyFull(ctx, sessionCtx)
if err != nil {
return nil, trace.Wrap(err)
}

// Accept any certificate provided by database.
tlsConfig.InsecureSkipVerify = true
// Remove certificate validation if set.
tlsConfig.VerifyConnection = nil

return tlsConfig
return a.appendClientCert(ctx, sessionCtx, tlsConfig)
}

// getTLSConfigVerifyCA generates tls.Config when TLS mode is equal to 'verify-ca'.
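Review bot: Building the insecure config through getTLSConfigVerifyFull at the top of the second hunk means any error that helper returns — for instance a CA that cannot be loaded or fetched — now fails an insecure connection that previously succeeded with an empty RootCAs pool, even though the CA is never consulted once InsecureSkipVerify is set. If getTLSConfigVerifyFull does more than populate RootCAs and ServerName (its body is outside this hunk), a smaller-surface change would be `tlsConfig := &tls.Config{InsecureSkipVerify: true}` followed by `return a.appendClientCert(ctx, sessionCtx, tlsConfig)`, keeping only whatever ServerName is needed for SNI. The doc comment above the function still describes only the server-side leniency; it should also say that the client certificate is presented, e.g. `// Generated configuration accepts any certificate from the database but still presents Teleport's client certificate so the database can authenticate the connection.` Note that insecure mode still exposes the proxied session to an on-path attacker, so the comment should not suggest the client certificate makes the mode safe.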
6 changes: 5 additions & 1 deletion lib/srv/db/common/test.go
Expand Up @@ -46,14 +46,17 @@ type TestServerConfig struct {
AuthUser string
// AuthToken is used in tests simulating IAM token authentication.
AuthToken string
// CN allows to set specific CommonName in the database server certificate.
// CN allows setting specific CommonName in the database server certificate.
//
// Used when simulating test Cloud SQL database which should contains
// <project-id>:<instance-id> in its certificate.
CN string
// ListenTLS creates a TLS listener when true instead of using a net listener.
// This is used to simulate MySQL connections through the GCP Cloud SQL Proxy.
ListenTLS bool
// ClientAuth sets tls.ClientAuth in server's tls.Config. It can be used to force client
// certificate validation in tests.
ClientAuth tls.ClientAuthType
}

// MakeTestServerTLSConfig returns TLS config suitable for configuring test
Expand Down Expand Up @@ -94,6 +97,7 @@ func MakeTestServerTLSConfig(config TestServerConfig) (*tls.Config, error) {
}
return &tls.Config{
ClientCAs: pool,
ClientAuth: config.ClientAuth,
Certificates: []tls.Certificate{cert},
}, nil
}
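Review bot: The zero value of the new ClientAuth field is tls.NoClientCert, so any test server that does not set it silently keeps accepting connections without a client certificate, and the field comment in the first hunk does not say so. Propose: `// ClientAuth sets tls.ClientAuth in the server's tls.Config. It defaults to tls.NoClientCert; set tls.RequireAndVerifyClientCert to force client certificate validation in tests.` The MakeTestServerTLSConfig hunk starts outside this section, so whether the pool passed as ClientCAs is always non-empty when ClientAuth is set cannot be confirmed here.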