Policy: MTLS with trusted store and verify #1280

Merged (3 commits), Jun 22, 2021

Conversation

eloycoto (Contributor)

When using the upstream_mtls policy, the policy only sends the client certificates
but does not verify the connection. Therefore, the policy name is not honouring
what it does.

A new x509_store will be created with this change, and it'll be used to verify
the SSL_context. This change will use some FFI functions that are part of
apicast-nginx-module [0].

Fix THREESCALE-7099
[0] https://github.com/3scale/apicast-nginx-module

For some reason I had issues when using ffi.metatypes to interact with
the ffi interface. With this change, the store will not use ffi.metatype
and it'll send the object natively to the ffi functions.

Another option was to use self.cdata, but it's not clear at all, and this
makes more sense.

Inspired by the work done in https://github.com/fffonion/lua-resty-openssl

Signed-off-by: Eloy Coto <eloy.coto@acalustra.com>
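The defect and the fix described above, as an added example that is not code from this PR or from APIcast: a client that presents its certificate but skips verification accepts any upstream, while the same client backed by a trusted x509 store rejects an upstream whose chain it cannot verify. It is written in Go with the standard library standing in for the apicast-nginx-module FFI calls; the CA and leaf certificates, the "upstream" DNS name and the function names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert returns a self-signed CA when parent is nil, otherwise a leaf signed by parent (constructed test PKI).
func newCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (tls.Certificate, *x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{"upstream"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key
}

// handshake presents clientCert to a local TLS upstream; roots == nil models the pre-fix policy (verify nothing).
func handshake(upstream, clientCert tls.Certificate, roots *x509.CertPool) error {
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{upstream}, ClientAuth: tls.RequireAnyClientCert})
	defer ln.Close()
	go func() { // one-shot server side; whatever it concludes does not change the client's verdict
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{Certificates: []tls.Certificate{clientCert},
		ServerName: "upstream", RootCAs: roots, InsecureSkipVerify: roots == nil}) // roots is the trusted x509 store
	if err != nil {
		return err
	}
	return conn.Close()
}

func Verdicts() (insecureAcceptsRogue, storeRejectsRogue, storeAcceptsTrusted bool) { // unverified policy vs. trusted store
	_, ca, caKey := newCert("trusted-ca", nil, nil)
	leaf, _, _ := newCert("trusted-leaf", ca, caKey)    // genuine upstream, also used as the client certificate
	rogue, _, _ := newCert("rogue-upstream", nil, nil) // self-signed, unknown to the store
	store := x509.NewCertPool()
	store.AddCert(ca)
	return handshake(rogue, leaf, nil) == nil, handshake(rogue, leaf, store) != nil, handshake(leaf, leaf, store) == nil
}
```

The first verdict is the pre-fix behaviour: the client certificate is sent and the handshake succeeds against an upstream nobody vouched for; the second and third show the store rejecting that upstream and accepting the one its CA issued.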
@davidor (Contributor) left a comment

I just added minor comments. I'm not really familiar with this part of the codebase and can't help as much as I'd like, but it looks good to me 👍

valid = true
store:add_cert(cert)
else
ngx.log(ngx.INFO, "cannot load certificate, err: ", err)
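Review bot: the else branch of this region reports a certificate that failed to load at ngx.INFO, so a CA that is silently absent from the store, which changes what the policy will verify the upstream against, is easy to miss in production logs; consider ngx.WARN or ngx.ERR for this branch, e.g. ngx.log(ngx.ERR, "cannot load certificate, err: ", err).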
@davidor: Different indentation.

end

store = nil
return
@davidor: Unnecessary return.


it("ca_store is nil if no certificates", function()
local config = {
certificate = "XXXX",
@davidor: You could extract this string to a variable accessible from all the tests and reuse it everywhere.

@eloycoto eloycoto merged commit 6fbb0cc into 3scale:master Jun 22, 2021