Support Out-Of-the-Box mTLS auth for interoperator broker. #1464
Conversation
|
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/180226462 The labels on this github issue will be updated when the story is started. |
Pooja-08
force-pushed
the
oob_mtls_support
branch
from
cf0bc61 to
62ccb35
Compare
Codecov Report
@@ Coverage Diff @@
## master #1464 +/- ##
==========================================
- Coverage 73.07% 72.84% -0.24%
==========================================
Files 45 45
Lines 4290 4290
==========================================
- Hits 3135 3125 -10
- Misses 825 832 +7
- Partials 330 333 +3 |
Pooja-08
force-pushed
the
oob_mtls_support
branch
from
62ccb35 to
0a99ee0
Compare
|
Validation on k8s cluster: n failed. |
|
Validation on k8s cluster: n-2 failed. |
|
Validation on k8s cluster: n-1 failed. |
|
Validation on k8s cluster: n+n+n failed. |
Pooja-08
force-pushed
the
oob_mtls_support
branch
from
0a99ee0 to
a07dec9
Compare
Pull Request Test Coverage Report for Build 5709
💛 - Coveralls |
| } | ||
| next(); | ||
| } else { | ||
| return next(new Unauthorized()); |
There was a problem hiding this comment.
Hi @Pooja-08 , a logger before return statement with message stating expected subject pattern not defined would be good to have. Since this is a config parameter, there are high changes teams will forget to add and we might get generic unAuthorized error.
docs/Interoperator-authentication.md
Outdated
| - mTLS Authentication: validates the client certificate's subject pattern. | ||
|
|
||
| ## Basic Authentication | ||
| To use Basic Authentication, the username and password should be provided during the registration of the broker in the Service Manager. |
There was a problem hiding this comment.
Hi @Pooja-08, This document is specific to SAP and SAP's service manager... might be you can move service manager related mentions to internal github page?
| const clientCertificate = req.headers['ssl-client-cert']; | ||
| if (!clientCertificate) { | ||
| logger.error('clientCertificate not found in the request headers: ', req.headers); | ||
| next(new Unauthorized()); |
There was a problem hiding this comment.
| next(new Unauthorized()); | |
| next(new Unauthorized('Client certificate not found in the request headers')); |
I feel it will be more informative to the user if we pass the cause of the error. This message will be part of the response. The default message is 'The request requires user authentication'.
| let subjectDN = req.headers['ssl-client-subject-dn']; | ||
| if (!subjectDN || !verifySubjectDN(subjectDN, smCertSubjectPattern)) { | ||
| logger.error('subject DN doesnt match the sm_certificate_subject_pattern, subjectDN: ', subjectDN, ' sm_certificate_subject_pattern: ', smCertSubjectPattern); | ||
| return next(new Unauthorized()); |
There was a problem hiding this comment.
| return next(new Unauthorized()); | |
| return next(new Unauthorized('Subject DN in the request header doesn't match the configured sm_certificate_subject_pattern')); |
| logger.error('clientCertificate not found in the request headers: ', req.headers); | ||
| next(new Unauthorized()); | ||
| } else { | ||
| const smCertSubjectPattern = config.smConnectionSettings.sm_certificate_subject_pattern; |
There was a problem hiding this comment.
| const smCertSubjectPattern = config.smConnectionSettings.sm_certificate_subject_pattern; | |
| const smCertSubjectPattern = _.get(config, 'smConnectionSettings.sm_certificate_subject_pattern'); |
I think there may be chances that smConnectionSettings might be commented out in the settings.yml which may lead to panic. lodash.get takes care of this.
Pooja-08
force-pushed
the
oob_mtls_support
branch
2 times, most recently
from
f9f0d57 to
7680dfa
Compare
|
@saud89 @anoopjb thanks for providing the comments. Addressed. Please review. https://github.wdf.sap.corp/servicefabrik/interoperator-deployment-component/pull/44 |
docs/Interoperator-authentication.md
Outdated
|
|
||
| ## Basic Authentication | ||
| To use Basic Authentication, the username and password should be provided during the registration of the broker. | ||
| This is relevant for both subaccount-scoped registration done by smctl, and global registration done by the Cross Registration Service (xRS) API. |
There was a problem hiding this comment.
| This is relevant for both subaccount-scoped registration done by smctl, and global registration done by the Cross Registration Service (xRS) API. |
The subaccount-scoped registration and the Cross Registration Service (xRS) API is specific to SAP. I feel we can skip this sentence.
docs/Interoperator-authentication.md
Outdated
| ## Out-Of-The-Box mTLS Authentication | ||
| Interoperator broker currently supports the Out-Of-The-Box mTLS authentication. |
There was a problem hiding this comment.
| ## Out-Of-The-Box mTLS Authentication | |
| Interoperator broker currently supports the Out-Of-The-Box mTLS authentication. | |
| ## mTLS Authentication | |
| Interoperator broker currently supports mTLS authentication using Nginx ingress annotations. |
I think the "Out-Of-The-Box" catch word is from SAP Service Manager 😄 I could not find documents with Out-Of-The-Box mTLS when I did a quick search. This may lead to confusion.
docs/Interoperator-authentication.md
Outdated
| The "sm_certificate_subject_pattern" value must be set to the client certificate's subject, for the authentication to succeed. | ||
| The subject header in the client certificate must contain comma(',') separated values, while the sm_certificate_subject_pattern must contain '/' separated values. | ||
|
|
||
| Ref: https://wiki.wdf.sap.corp/wiki/display/CPC15N/Develop#Develop-2.a.ProvideYourOwnmTLS-BasedCertificate |
There was a problem hiding this comment.
| Ref: https://wiki.wdf.sap.corp/wiki/display/CPC15N/Develop#Develop-2.a.ProvideYourOwnmTLS-BasedCertificate |
We may need to remove this internal wiki link.
docs/Interoperator-authentication.md
Outdated
| - nginx.ingress.kubernetes.io/auth-tls-verify-client: "on" | ||
| Must be set to "on" to enable verification of client certificates. When this annotation is set to "on", it requests a client certificate that must be signed by a certificate that is included in the secret key ca.crt of the secret specified by "nginx.ingress.kubernetes.io/auth-tls-secret" | ||
| - nginx.ingress.kubernetes.io/auth-tls-secret: namespace/secretName | ||
| This secret must have a file named ca.crt containing the full Certificate Authority chain ca.crt that is enabled to authenticate against this Ingress. | ||
| - nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: true | ||
| when set to true, passes the received certificates to the upstream server in the header ssl-client-cert. For mTLS auth, this annotation must be set to true. |
There was a problem hiding this comment.
| - nginx.ingress.kubernetes.io/auth-tls-verify-client: "on" | |
| Must be set to "on" to enable verification of client certificates. When this annotation is set to "on", it requests a client certificate that must be signed by a certificate that is included in the secret key ca.crt of the secret specified by "nginx.ingress.kubernetes.io/auth-tls-secret" | |
| - nginx.ingress.kubernetes.io/auth-tls-secret: namespace/secretName | |
| This secret must have a file named ca.crt containing the full Certificate Authority chain ca.crt that is enabled to authenticate against this Ingress. | |
| - nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: true | |
| when set to true, passes the received certificates to the upstream server in the header ssl-client-cert. For mTLS auth, this annotation must be set to true. | |
| - `nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"` <br> | |
| Must be set to "on" to enable verification of client certificates. When this annotation is set to "on", it requests a client certificate that must be signed by a certificate that is included in the secret key ca.crt of the secret specified by "nginx.ingress.kubernetes.io/auth-tls-secret" | |
| - `nginx.ingress.kubernetes.io/auth-tls-secret: namespace/secretName` <br> | |
| This secret must have a file named ca.crt containing the full Certificate Authority chain ca.crt that is enabled to authenticate against this Ingress. | |
| - `nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: true` <br> | |
| when set to true, passes the received certificates to the upstream server in the header ssl-client-cert. For mTLS auth, this annotation must be set to true. |
Minor formatting suggestion. 😸
<br> helps to print its following sentence to a new line.
| @@ -0,0 +1,22 @@ | |||
| # Service Fabrik Inter-operator Authentication | |||
There was a problem hiding this comment.
This looks like a redundant document since the content is similar to docs/Interoperator-authentication.md
Pooja-08
force-pushed
the
oob_mtls_support
branch
from
7680dfa to
a8b86e1
Compare
Pooja-08
force-pushed
the
oob_mtls_support
branch
from
a8b86e1 to
0185814
Compare
…dry#1464) * Add support for mTLS auth in broker * Add documentation for authentication.
…dry#1464) * Add support for mTLS auth in broker * Add documentation for authentication.
No description provided.