-
Notifications
You must be signed in to change notification settings - Fork 11
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix(server): fixes mtls authentication
- properly inspect client certificate to determine principal id - refactor grpc server interceptors to be more clear - refactor boundaries between authorization and authentication
- Loading branch information
1 parent
0b88663
commit 1531e1d
Showing
21 changed files
with
197 additions
and
131 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
19 changes: 0 additions & 19 deletions
19
server/src/main/java/io/littlehorse/server/auth/InsecureServerAuthorizer.java
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
29 changes: 0 additions & 29 deletions
29
server/src/main/java/io/littlehorse/server/auth/MTLSServerAuthorizer.java
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
18 changes: 0 additions & 18 deletions
18
server/src/main/java/io/littlehorse/server/auth/RequestSanitizer.java
This file was deleted.
Oops, something went wrong.
26 changes: 26 additions & 0 deletions
26
server/src/main/java/io/littlehorse/server/auth/authenticators/InsecureAuthenticator.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
package io.littlehorse.server.auth.authenticators; | ||
|
||
import io.grpc.Metadata; | ||
import io.grpc.ServerCall; | ||
import io.grpc.ServerCall.Listener; | ||
import io.grpc.ServerCallHandler; | ||
import io.littlehorse.common.LHConstants; | ||
import io.littlehorse.server.auth.LHServerInterceptor; | ||
|
||
/** | ||
* Authenticator for insecure server listeners. Sets the principal id to `anonymous` for all requests. | ||
*/ | ||
public class InsecureAuthenticator implements LHServerInterceptor { | ||
|
||
@Override | ||
public <ReqT, RespT> Listener<ReqT> interceptCall( | ||
ServerCall<ReqT, RespT> call, Metadata headers, ServerCallHandler<ReqT, RespT> next) { | ||
|
||
headers.put(CLIENT_ID, LHConstants.ANONYMOUS_PRINCIPAL); | ||
return next.startCall(call, headers); | ||
} | ||
|
||
public static InsecureAuthenticator create() { | ||
return new InsecureAuthenticator(); | ||
} | ||
} |
73 changes: 73 additions & 0 deletions
73
server/src/main/java/io/littlehorse/server/auth/authenticators/MTLSAuthenticator.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,73 @@ | ||
package io.littlehorse.server.auth.authenticators; | ||
|
||
import io.grpc.Grpc; | ||
import io.grpc.Metadata; | ||
import io.grpc.ServerCall; | ||
import io.grpc.ServerCall.Listener; | ||
import io.grpc.ServerCallHandler; | ||
import io.grpc.Status; | ||
import io.littlehorse.common.LHConstants; | ||
import io.littlehorse.server.auth.LHServerInterceptor; | ||
import java.security.Principal; | ||
import java.util.List; | ||
import javax.naming.InvalidNameException; | ||
import javax.naming.ldap.LdapName; | ||
import javax.naming.ldap.Rdn; | ||
import javax.net.ssl.SSLPeerUnverifiedException; | ||
import javax.net.ssl.SSLSession; | ||
import lombok.extern.slf4j.Slf4j; | ||
|
||
/** | ||
* Authenticator for requests on MTLS listeners. Sets the principal id to the common name of the client | ||
* certificate. | ||
*/ | ||
@Slf4j | ||
public class MTLSAuthenticator implements LHServerInterceptor { | ||
|
||
@Override | ||
public <ReqT, RespT> Listener<ReqT> interceptCall( | ||
ServerCall<ReqT, RespT> call, Metadata headers, ServerCallHandler<ReqT, RespT> next) { | ||
|
||
SSLSession clientTlsInfo = call.getAttributes().get(Grpc.TRANSPORT_ATTR_SSL_SESSION); | ||
|
||
if (clientTlsInfo == null) { | ||
throw new IllegalStateException( | ||
"MTLSAuthenticator should only be used on MTLS ports, so SSLSession should be present"); | ||
} | ||
|
||
String commonName; | ||
try { | ||
// Determine commonName from the client certificate | ||
Principal peerPrincipal = clientTlsInfo.getPeerPrincipal(); // NOT a littlehorse Principal | ||
|
||
LdapName ln = new LdapName(peerPrincipal.getName()); | ||
|
||
List<String> commonNames = ln.getRdns().stream() | ||
.filter(rdn -> rdn.getType().equalsIgnoreCase("CN")) | ||
.map(Rdn::getValue) | ||
.map(Object::toString) | ||
.toList(); | ||
|
||
if (commonNames.size() == 0) { | ||
// This happens when the client certificate does not have a CommonName. | ||
// Note that the interceptor wouldn't even be called if the SSL handshake failed, | ||
// so we know at this point that the client presented a valid certificate. | ||
// | ||
// Since they did not set a commonName on the certificate, we treat them as | ||
// anonymous. | ||
commonName = LHConstants.ANONYMOUS_PRINCIPAL; | ||
} else { | ||
commonName = commonNames.get(0); | ||
} | ||
|
||
headers.put(CLIENT_ID, commonName); | ||
log.trace("Got common name from client certificate: {}", commonName); | ||
return next.startCall(call, headers); | ||
} catch (InvalidNameException | SSLPeerUnverifiedException e) { | ||
// close the call as unauthenticated | ||
log.trace("Closing the call as unauthenticated due to certiciate exception", e); | ||
call.close(Status.UNAUTHENTICATED.withDescription("Invalid certificate"), new Metadata()); | ||
return new ServerCall.Listener<>() {}; | ||
} | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
8 changes: 7 additions & 1 deletion
8
.../server/auth/InternalCallCredentials.java → ...internalport/InternalCallCredentials.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.