Added a hardfail option

etcd-io · Jul 20, 2016 · dffa7fa · dffa7fa
1 parent 12b2ab0
commit dffa7fa
Show file tree

Hide file tree

Showing 7 changed files with 29 additions and 21 deletions.
diff --git a/cmd/vendor/github.com/cloudflare/cfssl/revoke/revoke.go b/cmd/vendor/github.com/cloudflare/cfssl/revoke/revoke.go
diff --git a/embed/config.go b/embed/config.go
@@ -124,6 +124,7 @@ type securityConfig struct {
 	CertAuth      bool   `json:"client-cert-auth"`
 	TrustedCAFile string `json:"trusted-ca-file"`
 	CRLCheck      bool   `json:"crl-check"`
+	CRLHardFail   bool   `json:"crl-hard-fail"`
 	CRLFile       string `json:"crl-file"`
 	AutoTLS       bool   `json:"auto-tls"`
 }
@@ -217,6 +218,7 @@ func (cfg *configYAML) configFromFile(path string) error {
 		tls.TrustedCAFile = ysc.TrustedCAFile
 		tls.ClientCertAuth = ysc.CertAuth
 		tls.CRLCheck = (ysc.CRLCheck || ysc.CRLFile != "") && ysc.CertAuth
+		tls.CRLHardFail = ysc.CRLHardFail
 		tls.CRLFile = ysc.CRLFile
 	}
 	copySecurityDetails(&cfg.ClientTLSInfo, &cfg.ClientSecurityJSON)

diff --git a/embed/etcd.go b/embed/etcd.go
@@ -299,7 +299,8 @@ func (e *Etcd) serve() (err error) {
 		// Enable CRL checker handler for the peer server
 		ph = tlsutil.NewRevokeHandler(
 			v2http.NewPeerHandler(e.Server),
-			e.cfg.PeerTLSInfo.CRLFile)
+			e.cfg.PeerTLSInfo.CRLFile,
+			e.cfg.PeerTLSInfo.CRLHardFail)
 	} else {
 		ph = v2http.NewPeerHandler(e.Server)
 	}
@@ -314,7 +315,8 @@ func (e *Etcd) serve() (err error) {
 		// Enable CRL checker handler for the client server
 		clientHandler = tlsutil.NewRevokeHandler(
 			v2http.NewClientHandler(e.Server, e.Server.Cfg.ReqTimeout()),
-			e.cfg.ClientTLSInfo.CRLFile)
+			e.cfg.ClientTLSInfo.CRLFile,
+			e.cfg.ClientTLSInfo.CRLHardFail)
 	} else {
 		clientHandler = v2http.NewClientHandler(e.Server, e.Server.Cfg.ReqTimeout())
 	}

diff --git a/etcdmain/config.go b/etcdmain/config.go
@@ -174,6 +174,7 @@ func newConfig() *config {
 	fs.BoolVar(&cfg.ClientTLSInfo.ClientCertAuth, "client-cert-auth", false, "Enable client cert authentication.")
 	fs.StringVar(&cfg.ClientTLSInfo.TrustedCAFile, "trusted-ca-file", "", "Path to the client server TLS trusted CA key file.")
 	fs.BoolVar(&cfg.ClientTLSInfo.CRLCheck, "crl-check", false, "Enable CRL check for the client server. Works only when --client-cert-auth flag is set.")
+	fs.BoolVar(&cfg.ClientTLSInfo.CRLHardFail, "crl-hard-fail", true, "Enable hard fail revocation plan for the the client server. Fail CRL check if CRL is unavailable.")
 	fs.StringVar(&cfg.ClientTLSInfo.CRLFile, "crl-file", "", "Path to the client server certificate revocation list file. If set, automatically enables --crl-check flag.")
 	fs.BoolVar(&cfg.ClientAutoTLS, "auto-tls", false, "Client TLS using generated certificates")
 	fs.StringVar(&cfg.PeerTLSInfo.CAFile, "peer-ca-file", "", "DEPRECATED: Path to the peer server TLS CA file.")
@@ -182,6 +183,7 @@ func newConfig() *config {
 	fs.BoolVar(&cfg.PeerTLSInfo.ClientCertAuth, "peer-client-cert-auth", false, "Enable peer client cert authentication.")
 	fs.StringVar(&cfg.PeerTLSInfo.TrustedCAFile, "peer-trusted-ca-file", "", "Path to the peer server TLS trusted CA file.")
 	fs.BoolVar(&cfg.PeerTLSInfo.CRLCheck, "peer-crl-check", false, "Enable CRL check for the peer server. Works only when --peer-client-cert-auth flag is set.")
+	fs.BoolVar(&cfg.PeerTLSInfo.CRLHardFail, "peer-crl-hard-fail", true, "Enable hard fail revocation plan for the the peer server. Fail CRL check if CRL is unavailable.")
 	fs.StringVar(&cfg.PeerTLSInfo.CRLFile, "peer-crl-file", "", "Path to the peer server certificate revocation list file. If set, automatically enables --peer-crl-check flag.")
 	fs.BoolVar(&cfg.PeerAutoTLS, "peer-auto-tls", false, "Peer TLS using generated certificates")
 

diff --git a/etcdmain/help.go b/etcdmain/help.go
@@ -120,6 +120,8 @@ security flags:
 		path to the client server TLS trusted CA key file.
 	--crl-check 'false'
 		enable CRL check for the client server. Works only when --client-cert-auth flag is set.
+	--crl-hard-fail 'true'
+		enable hard fail revocation plan for the the client server. Fail CRL check if CRL is unavailable.
 	--crl-file ''
 		path to the client server certificate revocation list file. If set, automatically enables --crl-check flag.
 	--auto-tls 'false'
@@ -136,6 +138,8 @@ security flags:
 		path to the peer server TLS trusted CA file.
 	--peer-crl-check 'false'
 		enable CRL check for the peer server. Works only when --peer-client-cert-auth flag is set.
+	--peer-crl-hard-fail 'true'
+		enable hard fail revocation plan for the the peer server. Fail CRL check if CRL is unavailable.
 	--peer-crl-file ''
 		path to the peer server certificate revocation list file. If set, automatically enables --peer-crl-check flag.
 	--peer-auto-tls 'false'

diff --git a/pkg/tlsutil/tlsutil.go b/pkg/tlsutil/tlsutil.go
@@ -18,13 +18,10 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/pem"
-	"fmt"
 	"io/ioutil"
 	"net/http"
 
 	"github.com/cloudflare/cfssl/revoke"
-
-	etcdErr "github.com/coreos/etcd/error"
 )
 
 // NewCertPool creates x509 certPool with provided CA files.
@@ -77,9 +74,9 @@ func NewCert(certfile, keyfile string, parseFunc func([]byte, []byte) (tls.Certi
 	return &tlsCert, nil
 }
 
-func revokeCheckHandler(req *http.Request, CRLpath string, revokeChecker *revoke.Revoke) error {
+func isReqCertValid(req *http.Request, CRLpath string, revokeChecker *revoke.Revoke) bool {
 	if req.TLS == nil {
-		return nil
+		return true
 	}
 	for _, cert := range req.TLS.PeerCertificates {
 		var revoked, ok bool
@@ -88,26 +85,23 @@ func revokeCheckHandler(req *http.Request, CRLpath string, revokeChecker *revoke
 		} else {
 			revoked, ok = revokeChecker.VerifyCertificate(cert)
 		}
-		if !ok {
-			return fmt.Errorf("cert check failed")
+		if !ok && revokeChecker.HardFail {
+			return false
 		}
 		if revoked {
-			return fmt.Errorf("Cert is revoked")
+			return false
 		}
 	}
-	return nil
+	return true
 }
 
-func NewRevokeHandler(handler http.Handler, CRLpath string) http.Handler {
-	revokeChecker := revoke.New()
+func NewRevokeHandler(handler http.Handler, CRLpath string, hardfail bool) http.Handler {
+	revokeChecker := revoke.New(hardfail)
 	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-		err := revokeCheckHandler(req, CRLpath, revokeChecker)
-		if err == nil {
+		if isReqCertValid(req, CRLpath, revokeChecker) {
 			handler.ServeHTTP(w, req)
 			return
 		}
 		w.WriteHeader(http.StatusForbidden)
-		e := etcdErr.NewError(etcdErr.EcodeUnauthorized, fmt.Sprint(err), 0)
-		e.WriteTo(w)
 	})
 }
diff --git a/pkg/transport/listener.go b/pkg/transport/listener.go
@@ -67,6 +67,7 @@ type TLSInfo struct {
 	TrustedCAFile  string
 	ClientCertAuth bool
 	CRLCheck       bool
+	CRLHardFail    bool
 	CRLFile        string
 
 	selfCert bool
@@ -77,7 +78,7 @@ type TLSInfo struct {
 }
 
 func (info TLSInfo) String() string {
-	return fmt.Sprintf("cert = %s, key = %s, ca = %s, trusted-ca = %s, cert-auth = %v, crl-check = %v, crl-file = %s", info.CertFile, info.KeyFile, info.CAFile, info.TrustedCAFile, info.ClientCertAuth, info.CRLCheck, info.CRLFile)
+	return fmt.Sprintf("cert = %s, key = %s, ca = %s, trusted-ca = %s, cert-auth = %v, crl-check = %v, crl-hard-fail = %v, crl-file = %s", info.CertFile, info.KeyFile, info.CAFile, info.TrustedCAFile, info.ClientCertAuth, info.CRLCheck, info.CRLHardFail, info.CRLFile)
 }
 
 func (info TLSInfo) Empty() bool {