Add header for client root ca DN (ssl_c_r_dn) (#659)
* feat(haproxy): add header for client root ca DN

* fix(haproxy): delete headers when non-mtls

* test: fix unit tests

* test: fix acceptance tests
Mrizwanshaik authored May 7, 2024
1 parent ed2d099 commit a98372d
Showing 5 changed files with 35 additions and 0 deletions.
2 changes: 2 additions & 0 deletions acceptance-tests/xfcc_test.go
Expand Up @@ -111,6 +111,7 @@ var _ = Describe("forwarded_client_cert", func() {
"X-SSL-Client-Subject-Cn": "app.mycert.com",
"X-SSL-Client-Issuer-Dn": "ACME inc, USA",
"X-SSL-Client-Issuer-Cn": "mycert.com",
"X-SSL-Client-Root-CA-DN": "/C=Palau/O=Pete's Café",
"X-SSL-Client-Notbefore": "Wednesday",
"X-SSL-Client-Notafter": "Thursday",
"X-SSL-Client-Cert": "ABC",
Expand Down Expand Up @@ -304,6 +305,7 @@ func checkXFCCHeadersMatchCert(expectedCert *x509.Certificate, headers http.Head
Expect(base64Decode(headers.Get("X-SSL-Client-Subject-Dn"))).To(Equal("/C=Vatican City/O=Víkî's Vergnügungspark/CN=haproxy.client"))
Expect(base64Decode(headers.Get("X-SSL-Client-Subject-CN"))).To(Equal("haproxy.client"))
Expect(base64Decode(headers.Get("X-SSL-Client-Issuer-Dn"))).To(Equal("/C=Palau/O=Pete's Café"))
Expect(base64Decode(headers.Get("X-SSL-Client-Root-CA-DN"))).To(Equal("/C=Palau/O=Pete's Café"))
Expect(headers.Get("X-SSL-Client-Notbefore")).To(Equal(expectedCert.NotBefore.UTC().Format("060102150405Z"))) //YYMMDDhhmmss[Z]
Expect(headers.Get("X-SSL-Client-Notafter")).To(Equal(expectedCert.NotAfter.UTC().Format("060102150405Z"))) //YYMMDDhhmmss[Z]

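Review bot: The new assertion `Expect(base64Decode(headers.Get("X-SSL-Client-Root-CA-DN"))).To(Equal("/C=Palau/O=Pete's Café"))` expects exactly the value the Issuer-Dn assertion directly above it expects, so with the single-tier test CA it cannot distinguish `ssl_c_r_dn` from `ssl_c_i_dn`; a template that filled the new header from the issuer DN by mistake would still pass. Consider issuing the test client certificate from an intermediate CA in the fixture so the root DN and the issuer DN differ, and asserting both values. The same equal-value pattern appears in the header map of the first hunk. checkXFCCHeadersMatchCert continues outside the hunk.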
2 changes: 2 additions & 0 deletions jobs/haproxy/spec
Expand Up @@ -410,6 +410,8 @@ properties:

- X-SSL-Client-Issuer-DN: Contains the base64-encoded issuer distinguished name of the client certificate

- X-SSL-Client-Root-CA-DN: X-SSL-Client-Root-CA-DN: Contains base64-encoded subject DN of the root CA which signed the client certificate

- X-SSL-Client-NotBefore: Contains the start date of the client certificate in YYMMDDhhmmss[Z] format.

- X-SSL-Client-NotAfter: Contains the expiration date of the client certificate in YYMMDDhhmmss[Z] format.
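Review bot: The new property description repeats the header name, `- X-SSL-Client-Root-CA-DN: X-SSL-Client-Root-CA-DN: Contains base64-encoded subject DN of the root CA which signed the client certificate`, which will render verbatim in the generated job docs. Suggest `- X-SSL-Client-Root-CA-DN: Contains the base64-encoded subject DN of the root CA at the top of the verified client certificate chain`, since "which signed the client certificate" only holds when there is no intermediate CA. As with the sibling entries, the description does not mention that the value is not base64-encoded when legacy_xfcc_header_mapping is set; if that caveat is documented elsewhere in the spec, fine to leave as is.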
10 changes: 10 additions & 0 deletions jobs/haproxy/templates/haproxy.config.erb
Expand Up @@ -530,6 +530,7 @@ frontend https-in
http-request del-header X-SSL-Client-Issuer-DN
http-request del-header X-SSL-Client-NotBefore
http-request del-header X-SSL-Client-NotAfter
http-request del-header X-SSL-Client-Root-CA-DN
<%- when :non_mtls_only -%>
http-request del-header X-Forwarded-Client-Cert if ! { ssl_c_used }
http-request del-header X-SSL-Client if ! { ssl_c_used }
Expand All @@ -540,6 +541,7 @@ frontend https-in
http-request del-header X-SSL-Client-Issuer-DN if ! { ssl_c_used }
http-request del-header X-SSL-Client-NotBefore if ! { ssl_c_used }
http-request del-header X-SSL-Client-NotAfter if ! { ssl_c_used }
http-request del-header X-SSL-Client-Root-CA-DN if ! { ssl_c_used }
<%- when :non_route_service_only -%>
acl route_service_request hdr(X-Cf-Proxy-Signature) -m found
http-request del-header X-Forwarded-Client-Cert if !route_service_request
Expand All @@ -551,6 +553,7 @@ frontend https-in
http-request del-header X-SSL-Client-Issuer-DN if !route_service_request
http-request del-header X-SSL-Client-NotBefore if !route_service_request
http-request del-header X-SSL-Client-NotAfter if !route_service_request
http-request del-header X-SSL-Client-Root-CA-DN if !route_service_request
<%- end -%>

<%- if write_mtls_headers -%>
Expand All @@ -564,10 +567,12 @@ frontend https-in
http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn] if { ssl_c_used }
http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn)] if { ssl_c_used }
http-request set-header X-SSL-Client-Issuer-DN %{+Q}[ssl_c_i_dn] if { ssl_c_used }
http-request set-header X-SSL-Client-Root-CA-DN %{+Q}[ssl_c_r_dn] if { ssl_c_used }
<%- else %>
http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn,base64] if { ssl_c_used }
http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn),base64] if { ssl_c_used }
http-request set-header X-SSL-Client-Issuer-DN %{+Q}[ssl_c_i_dn,base64] if { ssl_c_used }
http-request set-header X-SSL-Client-Root-CA-DN %{+Q}[ssl_c_r_dn,base64] if { ssl_c_used }
<%- end %>
<%- end -%>

Expand Down Expand Up @@ -683,6 +688,7 @@ frontend wss-in
http-request del-header X-SSL-Client-Issuer-DN
http-request del-header X-SSL-Client-NotBefore
http-request del-header X-SSL-Client-NotAfter
http-request del-header X-SSL-Client-Root-CA-DN
<%- when :non_mtls_only -%>
http-request del-header X-Forwarded-Client-Cert if ! { ssl_c_used }
http-request del-header X-SSL-Client if ! { ssl_c_used }
Expand All @@ -693,6 +699,7 @@ frontend wss-in
http-request del-header X-SSL-Client-Issuer-DN if ! { ssl_c_used }
http-request del-header X-SSL-Client-NotBefore if ! { ssl_c_used }
http-request del-header X-SSL-Client-NotAfter if ! { ssl_c_used }
http-request del-header X-SSL-Client-Root-CA-DN if ! { ssl_c_used }
<%- when :non_route_service_only -%>
acl route_service_request hdr(X-Cf-Proxy-Signature) -m found
http-request del-header X-Forwarded-Client-Cert if !route_service_request
Expand All @@ -704,6 +711,7 @@ frontend wss-in
http-request del-header X-SSL-Client-Issuer-DN if !route_service_request
http-request del-header X-SSL-Client-NotBefore if !route_service_request
http-request del-header X-SSL-Client-NotAfter if !route_service_request
http-request del-header X-SSL-Client-Root-CA-DN if !route_service_request
<%- end -%>

<%- if write_mtls_headers -%>
Expand All @@ -717,10 +725,12 @@ frontend wss-in
http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn] if { ssl_c_used }
http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn)] if { ssl_c_used }
http-request set-header X-SSL-Client-Issuer-DN %{+Q}[ssl_c_i_dn] if { ssl_c_used }
http-request set-header X-SSL-Client-Root-CA-DN %{+Q}[ssl_c_r_dn] if { ssl_c_used }
<%- else %>
http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn,base64] if { ssl_c_used }
http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn),base64] if { ssl_c_used }
http-request set-header X-SSL-Client-Issuer-DN %{+Q}[ssl_c_i_dn,base64] if { ssl_c_used }
http-request set-header X-SSL-Client-Root-CA-DN %{+Q}[ssl_c_r_dn,base64] if { ssl_c_used }
<%- end %>
<%- end -%>

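Review bot: `ssl_c_r_dn` is a more recent HAProxy sample fetch than the `ssl_c_s_dn`/`ssl_c_i_dn` fetches next to it on the new set-header lines; if this release can be deployed with a HAProxy build that predates it, the whole configuration fails to parse instead of just omitting the header, so the minimum supported HAProxy version should be checked and, if it matters, noted in a comment beside the new lines (e.g. `# ssl_c_r_dn requires HAProxy >= <version that introduced it>`). Separately, the commit shows the maintenance cost of the current layout: the header had to be added in eight places across https-in and wss-in, and a missed del-header in any non-mTLS branch would leave a client-supplied X-SSL-Client-Root-CA-DN intact for downstream apps. Deriving the list once, e.g. `<%- mtls_headers = %w[X-Forwarded-Client-Cert X-SSL-Client ... X-SSL-Client-Root-CA-DN] -%>` and looping `<%- mtls_headers.each do |h| -%>` inside each del-header block, would make it impossible to add a set-header without the matching deletes. Both frontend blocks begin and end outside the hunks.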
10 changes: 10 additions & 0 deletions spec/haproxy/templates/haproxy_config/frontend_https_spec.rb
Expand Up @@ -189,6 +189,7 @@
expect(frontend_https).to include('http-request del-header X-SSL-Client-Issuer-DN')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotBefore')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotAfter')
expect(frontend_https).to include('http-request del-header X-SSL-Client-Root-CA-DN')
end

it 'does not add mTLS headers' do
Expand All @@ -214,6 +215,7 @@
expect(frontend_https).to include('http-request del-header X-SSL-Client-Issuer-DN if ! { ssl_c_used }')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotBefore if ! { ssl_c_used }')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotAfter if ! { ssl_c_used }')
expect(frontend_https).to include('http-request del-header X-SSL-Client-Root-CA-DN if ! { ssl_c_used }')
end

it 'does not add mTLS headers' do
Expand All @@ -234,6 +236,7 @@
expect(frontend_https).to include('http-request del-header X-SSL-Client-Issuer-DN')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotBefore')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotAfter')
expect(frontend_https).to include('http-request del-header X-SSL-Client-Root-CA-DN')
end

it 'does not add mTLS headers' do
Expand All @@ -256,6 +259,7 @@
expect(frontend_https).to include('http-request del-header X-SSL-Client-Issuer-DN')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotBefore')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotAfter')
expect(frontend_https).to include('http-request del-header X-SSL-Client-Root-CA-DN')
end

it 'writes mTLS headers when mTLS is used' do
Expand All @@ -268,6 +272,7 @@
expect(frontend_https).to include('http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn,base64] if { ssl_c_used }')
expect(frontend_https).to include('http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn),base64] if { ssl_c_used }')
expect(frontend_https).to include('http-request set-header X-SSL-Client-Issuer-DN %{+Q}[ssl_c_i_dn,base64] if { ssl_c_used }')
expect(frontend_https).to include('http-request set-header X-SSL-Client-Root-CA-DN %{+Q}[ssl_c_r_dn,base64] if { ssl_c_used }')
end

context 'when ha_proxy.legacy_xfcc_header_mapping is true' do
Expand All @@ -279,6 +284,7 @@
expect(frontend_https).to include('http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn] if { ssl_c_used }')
expect(frontend_https).to include('http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn)] if { ssl_c_used }')
expect(frontend_https).to include('http-request set-header X-SSL-Client-Issuer-DN %{+Q}[ssl_c_i_dn] if { ssl_c_used }')
expect(frontend_https).to include('http-request set-header X-SSL-Client-Root-CA-DN %{+Q}[ssl_c_r_dn] if { ssl_c_used }')
end
end
end
Expand All @@ -300,6 +306,7 @@
expect(frontend_https).to include('http-request del-header X-SSL-Client-Issuer-DN if !route_service_request')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotBefore if !route_service_request')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotAfter if !route_service_request')
expect(frontend_https).to include('http-request del-header X-SSL-Client-Root-CA-DN if !route_service_request')
end

it 'does not add mTLS headers' do
Expand All @@ -326,6 +333,7 @@
expect(frontend_https).to include('http-request del-header X-SSL-Client-Issuer-DN if !route_service_request')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotBefore if !route_service_request')
expect(frontend_https).to include('http-request del-header X-SSL-Client-NotAfter if !route_service_request')
expect(frontend_https).to include('http-request del-header X-SSL-Client-Root-CA-DN if !route_service_request')
end

it 'overwrites mTLS headers when mTLS is used' do
Expand All @@ -338,6 +346,7 @@
expect(frontend_https).to include('http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn,base64] if { ssl_c_used }')
expect(frontend_https).to include('http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn),base64] if { ssl_c_used }')
expect(frontend_https).to include('http-request set-header X-SSL-Client-Issuer-DN %{+Q}[ssl_c_i_dn,base64] if { ssl_c_used }')
expect(frontend_https).to include('http-request set-header X-SSL-Client-Root-CA-DN %{+Q}[ssl_c_r_dn,base64] if { ssl_c_used }')
end

context 'when ha_proxy.legacy_xfcc_header_mapping is true' do
Expand All @@ -353,6 +362,7 @@
expect(frontend_https).to include('http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn] if { ssl_c_used }')
expect(frontend_https).to include('http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn)] if { ssl_c_used }')
expect(frontend_https).to include('http-request set-header X-SSL-Client-Issuer-DN %{+Q}[ssl_c_i_dn] if { ssl_c_used }')
expect(frontend_https).to include('http-request set-header X-SSL-Client-Root-CA-DN %{+Q}[ssl_c_r_dn] if { ssl_c_used }')
end
end
end
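Review bot: The new `include('http-request del-header X-SSL-Client-Root-CA-DN')` assertions match by substring, so the unconditional-delete contexts would also pass if the template emitted the `... if ! { ssl_c_used }` or `... if !route_service_request` variant, because that string is a prefix of those lines in the later hunks; the existing assertions share this weakness, and the new lines extend it. An anchored match such as `expect(frontend_https).to match(/^\s*http-request del-header X-SSL-Client-Root-CA-DN$/)` pins the exact directive. The same point applies to every hunk in spec/haproxy/templates/haproxy_config/frontend_wss_spec.rb, and since the header list is now repeated in ten examples per file, a shared constant iterated with `each` would keep the two spec files from drifting.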
11 changes: 11 additions & 0 deletions spec/haproxy/templates/haproxy_config/frontend_wss_spec.rb
Expand Up @@ -164,6 +164,7 @@
expect(frontend_wss).not_to include('http-request del-header X-SSL-Client-Issuer-DN')
expect(frontend_wss).not_to include('http-request del-header X-SSL-Client-NotBefore')
expect(frontend_wss).not_to include('http-request del-header X-SSL-Client-NotAfter')
expect(frontend_wss).not_to include('http-request del-header X-SSL-Client-Root-CA-DN')
end

it 'does not add mTLS headers' do
Expand All @@ -187,6 +188,7 @@
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Issuer-DN')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotBefore')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotAfter')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Root-CA-DN')
end

it 'does not add mTLS headers' do
Expand All @@ -212,6 +214,7 @@
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Issuer-DN if ! { ssl_c_used }')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotBefore if ! { ssl_c_used }')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotAfter if ! { ssl_c_used }')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Root-CA-DN if ! { ssl_c_used }')
end

it 'does not add mTLS headers' do
Expand All @@ -232,6 +235,7 @@
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Issuer-DN')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotBefore')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotAfter')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Root-CA-DN')
end

it 'does not add mTLS headers' do
Expand All @@ -254,6 +258,7 @@
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Issuer-DN')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotBefore')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotAfter')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Root-CA-DN')
end

it 'writes mTLS headers when mTLS is used' do
Expand All @@ -266,6 +271,7 @@
expect(frontend_wss).to include('http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn,base64] if { ssl_c_used }')
expect(frontend_wss).to include('http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn),base64] if { ssl_c_used }')
expect(frontend_wss).to include('http-request set-header X-SSL-Client-Issuer-DN %{+Q}[ssl_c_i_dn,base64] if { ssl_c_used }')
expect(frontend_wss).to include('http-request set-header X-SSL-Client-Root-CA-DN %{+Q}[ssl_c_r_dn,base64] if { ssl_c_used }')
end

context 'when ha_proxy.legacy_xfcc_header_mapping is true' do
Expand All @@ -277,6 +283,7 @@
expect(frontend_wss).to include('http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn] if { ssl_c_used }')
expect(frontend_wss).to include('http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn)] if { ssl_c_used }')
expect(frontend_wss).to include('http-request set-header X-SSL-Client-Issuer-DN %{+Q}[ssl_c_i_dn] if { ssl_c_used }')
expect(frontend_wss).to include('http-request set-header X-SSL-Client-Root-CA-DN %{+Q}[ssl_c_r_dn] if { ssl_c_used }')
end
end
end
Expand All @@ -298,6 +305,7 @@
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Issuer-DN if !route_service_request')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotBefore if !route_service_request')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotAfter if !route_service_request')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Root-CA-DN if !route_service_request')
end

it 'does not add mTLS headers' do
Expand All @@ -324,6 +332,7 @@
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Issuer-DN if !route_service_request')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotBefore if !route_service_request')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-NotAfter if !route_service_request')
expect(frontend_wss).to include('http-request del-header X-SSL-Client-Root-CA-DN if !route_service_request')
end

it 'overwrites mTLS headers when mTLS is used' do
Expand All @@ -336,6 +345,7 @@
expect(frontend_wss).to include('http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn,base64] if { ssl_c_used }')
expect(frontend_wss).to include('http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn),base64] if { ssl_c_used }')
expect(frontend_wss).to include('http-request set-header X-SSL-Client-Issuer-DN %{+Q}[ssl_c_i_dn,base64] if { ssl_c_used }')
expect(frontend_wss).to include('http-request set-header X-SSL-Client-Root-CA-DN %{+Q}[ssl_c_r_dn,base64] if { ssl_c_used }')
end

context 'when ha_proxy.legacy_xfcc_header_mapping is true' do
Expand All @@ -351,6 +361,7 @@
expect(frontend_wss).to include('http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn] if { ssl_c_used }')
expect(frontend_wss).to include('http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn)] if { ssl_c_used }')
expect(frontend_wss).to include('http-request set-header X-SSL-Client-Issuer-DN %{+Q}[ssl_c_i_dn] if { ssl_c_used }')
expect(frontend_wss).to include('http-request set-header X-SSL-Client-Root-CA-DN %{+Q}[ssl_c_r_dn] if { ssl_c_used }')
end
end
end
