

change cert logic to set a trust of 1000 if any parseable peer certif…
…icates are presented
johnabass committed Nov 20, 2024
1 parent bf64eaa commit 40ab59f
Showing 1 changed file with 6 additions and 31 deletions.
37 changes: 6 additions & 31 deletions token/claimBuilder.go
@@ -4,7 +4,6 @@ package token

import (
"context"
"crypto/x509"
"errors"
"fmt"
"net/http"
@@ -179,48 +178,25 @@ func newRemoteClaimBuilder(client xhttpclient.Interface, metadata map[string]int
return &remoteClaimBuilder{endpoint: c.Endpoint(), url: r.URL, extra: metadata}, nil
}

// enforcePeerCertificate is a ClaimsBuilderFunc that overrides trust as necessary
// given the TLS peer certificates (if any)
// enforcePeerCertificate sets a trust of 1000 if and only if at least (1) peer certificate
// was supplied.
func enforcePeerCertificate(_ context.Context, r *Request, target map[string]interface{}) error {
if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
target[ClaimTrust] = 1000
} else {
target[ClaimTrust] = 0
}

return nil
}

// verifyPeerChain verifies that any peer certificate has a certificate in the system
// bundle as part of its chain.
func verifyPeerChain(_ context.Context, r *Request, target map[string]interface{}) error {
if r.TLS == nil {
return nil // still support non-TLS use cases
}

vo := x509.VerifyOptions{
KeyUsages: []x509.ExtKeyUsage{
x509.ExtKeyUsageClientAuth,
},
}

for _, pc := range r.TLS.PeerCertificates {
if _, err := pc.Verify(vo); err == nil {
// at least (1) cert passed, so we can stop
return nil
}
}

// no certificates were part of any CA chain that we trust
target[ClaimTrust] = 0
return nil
}

// NewClaimBuilders constructs a ClaimBuilders from configuration. The returned instance is typically
// used in configuration a token Factory. It can be used as a standalone service component with an endpoint.
//
// The returned builders do not include those claims derived from HTTP requests. Claims derived from HTTP
// requests are handled by NewRequestBuilders and DecodeServerRequest.
func NewClaimBuilders(n random.Noncer, client xhttpclient.Interface, o Options) (ClaimBuilders, error) {
var ( // at a minimum, the claims from the request will be copied
var (
builders = ClaimBuilders{requestClaimBuilder{}}
staticClaimBuilder = make(staticClaimBuilder)
)
@@ -295,7 +271,6 @@ func NewClaimBuilders(n random.Noncer, client xhttpclient.Interface, o Options)
builders = append(
builders,
ClaimBuilderFunc(enforcePeerCertificate),
ClaimBuilderFunc(verifyPeerChain),
)

return builders, nil
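Review bot: The new condition `if r.TLS != nil && len(r.TLS.PeerCertificates) > 0` assigns trust 1000 on mere presentation of a certificate, while the same hunk deletes verifyPeerChain, the only code in this file that verified the presented chain against the system bundle with ExtKeyUsageClientAuth, so nothing here now confirms the certificate was issued by a CA the service trusts. Whether that is acceptable depends on the server's tls.Config ClientAuth mode, which is not visible in this diff: only the verifying modes reject an untrusted client certificate during the handshake, whereas RequestClientCert or RequireAnyClientCert leaves an unverified certificate in PeerCertificates. If r.TLS is a *tls.ConnectionState, gating on `if r.TLS != nil && len(r.TLS.VerifiedChains) > 0 {` would tie the claim to a verified chain rather than to presentation alone and fail closed to trust 0 when the handshake did not verify. At minimum the new doc comment should record the assumption, e.g. `// Presentation alone is trusted here: the TLS listener must be configured to verify client certificates.` enforcePeerCertificate is fully within the hunk, but the body of NewClaimBuilders continues beyond it.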

