Fixes as per @simo5 review comments.

openshift · May 31, 2018 · 770687a · 770687a
1 parent d3894ad
commit 770687a
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 11 deletions.
diff --git a/contrib/completions/bash/oc b/contrib/completions/bash/oc
diff --git a/contrib/completions/zsh/oc b/contrib/completions/zsh/oc
diff --git a/images/router/haproxy/conf/haproxy-config.template b/images/router/haproxy/conf/haproxy-config.template
@@ -231,11 +231,17 @@ frontend fe_sni
   # before matching, or any requests containing uppercase characters will never match.
   http-request set-header Host %[req.hdr(Host),lower]
 
-  {{- if ne (env "ROUTER_MUTUAL_TLS_AUTH" "none") "none" }}
-    {{- with (env "ROUTER_MUTUAL_TLS_AUTH_CN") }}
-  # If a mutual TLS auth CN is set, we deny requests if the common name doesn't
-  # match. A custom template can change this behavior (e.g. set custom headers).
-  acl cert_cn_matches ssl_c_s_dn(CN) -m sub {{.}}
+  {{ if ne (env "ROUTER_MUTUAL_TLS_AUTH" "none") "none" }}
+    {{- with (env "ROUTER_MUTUAL_TLS_AUTH_FILTER") }}
+  # If a mutual TLS auth subject filter environment variable is set, we deny
+  # requests if the DN field in the client certificate doesn't match that value.
+  # Please note that this match is a subset (substring) match.
+  # Example: For DN set to: /CN=header.test/ST=CA/C=US/O=Security/OU=OpenShift3,
+  #          A. ROUTER_MUTUAL_TLS_AUTH_FILTER="header.test" would match the
+  #             DN field and the request will be passed on to the backend.
+  #          B. ROUTER_MUTUAL_TLS_AUTH_FILTER="legacy-web-client", the request
+  #             will be rejected.
+  acl cert_cn_matches ssl_c_s_dn -m sub {{.}}
   http-request deny unless cert_cn_matches
     {{- end }}
 
@@ -250,6 +256,7 @@ frontend fe_sni
   http-request set-header X-SSL-Issuer           %{+Q}[ssl_c_i_dn]
   http-request set-header X-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
   http-request set-header X-SSL-Client-NotAfter  %{+Q}[ssl_c_notafter]
+  http-request set-header X-SSL-Client-DER       %{+Q}[ssl_c_der,base64]
   {{- end }}
 
   # map to backend
@@ -290,11 +297,17 @@ frontend fe_no_sni
   # before matching, or any requests containing uppercase characters will never match.
   http-request set-header Host %[req.hdr(Host),lower]
 
-  {{- if ne (env "ROUTER_MUTUAL_TLS_AUTH" "none") "none" }}
-    {{- with (env "ROUTER_MUTUAL_TLS_AUTH_CN") }}
-  # If a mutual TLS auth CN is set, we deny requests if the common name doesn't
-  # match. A custom template can change this behavior (e.g. set custom headers).
-  acl cert_cn_matches ssl_c_s_dn(CN) -m sub {{.}}
+  {{ if ne (env "ROUTER_MUTUAL_TLS_AUTH" "none") "none" }}
+    {{- with (env "ROUTER_MUTUAL_TLS_AUTH_FILTER") }}
+  # If a mutual TLS auth subject filter environment variable is set, we deny
+  # requests if the DN field in the client certificate doesn't match that value.
+  # Please note that this match is a subset (substring) match.
+  # Example: For DN set to: /CN=header.test/ST=CA/C=US/O=Security/OU=OpenShift3,
+  #          A. ROUTER_MUTUAL_TLS_AUTH_FILTER="header.test" would match the
+  #             DN field and the request will be passed on to the backend.
+  #          B. ROUTER_MUTUAL_TLS_AUTH_FILTER="legacy-web-client", the request
+  #             will be rejected.
+  acl cert_cn_matches ssl_c_s_dn -m sub {{.}}
   http-request deny unless cert_cn_matches
     {{- end }}
 
@@ -309,6 +322,7 @@ frontend fe_no_sni
   http-request set-header X-SSL-Issuer           %{+Q}[ssl_c_i_dn]
   http-request set-header X-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
   http-request set-header X-SSL-Client-NotAfter  %{+Q}[ssl_c_notafter]
+  http-request set-header X-SSL-Client-DER       %{+Q}[ssl_c_der,base64]
   {{- end }}
 
   # map to backend

diff --git a/pkg/oc/admin/router/router.go b/pkg/oc/admin/router/router.go
@@ -248,6 +248,10 @@ type RouterConfig struct {
 	// MutualTLSAuthCRL contains the certificate revocation list used to
 	// verify a client's certificate.
 	MutualTLSAuthCRL string
+
+	// MutualTLSAuthFilter contains the value to filter requests based on
+	// a client certificate subject field substring match.
+	MutualTLSAuthFilter string
 }
 
 const (
@@ -333,6 +337,7 @@ func NewCmdRouter(f *clientcmd.Factory, parentName, name string, out, errout io.
 	cmd.Flags().StringVar(&cfg.MutualTLSAuth, "mutual-tls-auth", cfg.MutualTLSAuth, "Controls access to the router using mutually agreed upon TLS configuration (ala client certificates). You can choose one of 'required', 'optional', or 'none'. The default is none.")
 	cmd.Flags().StringVar(&cfg.MutualTLSAuthCA, "mutual-tls-auth-ca", cfg.MutualTLSAuthCA, "Optional path to a file containing one or more CA certificates used for mutual TLS authentication. The CA certificate[s] are used by the router to verify a client's certificate.")
 	cmd.Flags().StringVar(&cfg.MutualTLSAuthCRL, "mutual-tls-auth-crl", cfg.MutualTLSAuthCRL, "Optional path to a file containing the certificate revocation list used for mutual TLS authentication. The certificate revocation list is used by the router to verify a client's certificate.")
+	cmd.Flags().StringVar(&cfg.MutualTLSAuthFilter, "mutual-tls-auth-filter", cfg.MutualTLSAuthFilter, "Optional value to filter the client certificates. If the client certificate subject field does _not_ contain (substring match) this value, requests will be rejected by the router.")
 
 	cfg.Action.BindForOutput(cmd.Flags())
 	cmd.Flags().String("output-version", "", "The preferred API versions of the output objects")
@@ -347,7 +352,7 @@ func generateMutualTLSSecretName(prefix string) string {
 
 // generateSecretsConfig generates any Secret and Volume objects, such
 // as SSH private keys, that are necessary for the router container.
-func generateSecretsConfig(cfg *RouterConfig, namespace string, certName string, defaultCert, mtlsAuthCA, mtlsAuthCRL []byte) ([]*kapi.Secret, []kapi.Volume, []kapi.VolumeMount, error) {
+func generateSecretsConfig(cfg *RouterConfig, namespace, certName string, defaultCert, mtlsAuthCA, mtlsAuthCRL []byte) ([]*kapi.Secret, []kapi.Volume, []kapi.VolumeMount, error) {
 	var secrets []*kapi.Secret
 	var volumes []kapi.Volume
 	var mounts []kapi.VolumeMount
@@ -782,6 +787,9 @@ func RunCmdRouter(f *clientcmd.Factory, cmd *cobra.Command, out, errout io.Write
 		if len(mtlsAuthCRL) > 0 {
 			env["ROUTER_MUTUAL_TLS_AUTH_CRL"] = path.Join(clientCertConfigDir, clientCertConfigCRL)
 		}
+		if len(cfg.MutualTLSAuthFilter) > 0 {
+			env["ROUTER_MUTUAL_TLS_AUTH_FILTER"] = strings.Replace(cfg.MutualTLSAuthFilter, " ", "\\ ", -1)
+		}
 	}
 
 	env.Add(secretEnv)