Skip to content

Commit

Permalink
incusd/auth: Fix handling of trusted certs in CA mode
Browse files Browse the repository at this point in the history 
Closes #218

Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
  • Loading branch information
@stgraber
stgraber committed Nov 5, 2023
1 parent 70d13eb commit d2bb0d8
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions internal/server/auth/driver_tls.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ import (
"net/http"

"github.com/lxc/incus/internal/server/certificate"
internalUtil "github.com/lxc/incus/internal/util"
"github.com/lxc/incus/shared/api"
"github.com/lxc/incus/shared/logger"
"github.com/lxc/incus/shared/util"
Expand Down Expand Up @@ -172,5 +173,11 @@ func (t *tls) certificateDetails(fingerprint string) (certificate.Type, bool, []
return certificate.TypeMetrics, false, nil, nil
}

// If we're in a CA environment, it's possible for a certificate to be trusted despite not being present in the trust store.
// We rely on the validation of the certificate (and its potential revocation) having been done in CheckTrustState.
if util.PathExists(internalUtil.VarPath("server.ca")) {
return certificate.TypeClient, true, nil, nil
}

return -1, false, nil, api.StatusErrorf(http.StatusForbidden, "Client certificate not found")
}

0 comments on commit d2bb0d8

Please sign in to comment.