From 5c622795b9becb7ef6f65b807486ade0fd44bea1 Mon Sep 17 00:00:00 2001
From: Blake Burkhart
Date: Mon, 15 Jul 2024 11:56:38 -0500
Subject: [PATCH] fix: only allow istio gateways to set x509 client certificate header (#572)

## Description

We terminate TLS at the Istio ingress gateway, and then we In the Keycloak VirtualService, we securely extract the client certificate, urlencode it, and copy it to the `istio-mtls-client-certificate` header. Keycloak then uses this as the x509 client identity.

https://github.com/defenseunicorns/uds-core/blob/e505dc936d16c763be0f7a487f727f91cf9d00b3/src/keycloak/chart/templates/uds-package.yaml#L87-L92

When Istio sets the header, we also delete any existing `istio-mtls-client-certificate` header. This ensures that all users through the ingress gateway cannot forge an `istio-mtls-client-certificate` when they do _not_ use TLS client authentication.

However... we only do this at the gateway and we allow in-cluster mesh communication to Keycloak to non-admin URLs.

This PR adds a DENY AuthorizationPolicy rule to the Keycloak Istio sidecar, to deny any incoming requests with an `istio-mtls-client-certificate` header not originating from the admin or tenant gateway.

Credit to @rjferguson21 for asking great questions and catching this.

## Type of change

- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [ ] Test, docs, adr added or updated as needed
- [ ] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed

Co-authored-by: Micah Nagel
---
 src/keycloak/chart/templates/istio-admin.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/keycloak/chart/templates/istio-admin.yaml b/src/keycloak/chart/templates/istio-admin.yaml
index 8055ac0cb..684f63b00 100644
--- a/src/keycloak/chart/templates/istio-admin.yaml
+++ b/src/keycloak/chart/templates/istio-admin.yaml @@ -37,4 +37,12 @@ spec: from: - source: notNamespaces: ["pepr-system"] + - when: + - key: request.headers[istio-mtls-client-certificate] + values: ["*"] + from: + - source: + notNamespaces: + - istio-tenant-gateway + - istio-admin-gateway {{- end }}
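Review bot: the `action` of the enclosing AuthorizationPolicy is outside this hunk's context (only `spec:` and the previous rule's `from:` / `notNamespaces: ["pepr-system"]` block are visible), so please confirm the policy in `istio-admin.yaml` is `action: DENY`; appended to an ALLOW policy, a rule matching `request.headers[istio-mtls-client-certificate]` with `values: ["*"]` would admit header-bearing requests instead of blocking them. On the rule itself, `notNamespaces: [istio-tenant-gateway, istio-admin-gateway]` exempts every workload in those two namespaces, not only the gateway deployments that actually strip and set the header; `source.notPrincipals` listing the gateways' service accounts would bind the exception to that identity. Note also that `source.namespace` is derived from the peer mTLS certificate: a plaintext in-mesh caller has no namespace, a negative match on a missing attribute evaluates true, and the request is denied, which is the safe direction, but it is worth stating this dependency on mesh mTLS where the policy is documented. Since the "Test, docs, adr" checklist item is unchecked, a test that sends a request carrying `istio-mtls-client-certificate` from a non-gateway namespace and asserts a 403 would lock the new behaviour in.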