allow sane default trust levels

xmidt-org · Nov 21, 2024 · eb6a4f9 · eb6a4f9
1 parent 4a1ff44
commit eb6a4f9
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 3 deletions.
diff --git a/token/claimBuilder.go b/token/claimBuilder.go
@@ -186,7 +186,7 @@ func newClientCertificateClaimBuiler(cc *ClientCertificates) (cb *clientCertific
 	}
 
 	cb = &clientCertificateClaimBuilder{
-		trust: cc.Trust,
+		trust: cc.Trust.enforceDefaults(),
 	}
 
 	if len(cc.RootCAFile) > 0 {
@@ -206,7 +206,7 @@ type clientCertificateClaimBuilder struct {
 	trust         Trust
 }
 
-func (cb *clientCertificateClaimBuilder) getTrust(r *Request, target map[string]interface{}) (err error) {
+func (cb *clientCertificateClaimBuilder) AddClaims(_ context.Context, r *Request, target map[string]interface{}) (err error) {
 	// simplest case: this didn't come from a TLS connection, or it did but the client gave no certificates
 	if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
 		target[ClaimTrust] = cb.trust.NoCertificates

diff --git a/token/options.go b/token/options.go
@@ -9,6 +9,14 @@ import (
 	"github.com/xmidt-org/themis/key"
 )
 
+const (
+	DefaultTrustLevelNoCertificates   = 0
+	DefaultTrustLevelExpiredUntrusted = 100
+	DefaultTrustLevelExpiredTrusted   = 1000
+	DefaultTrustLevelUntrusted        = 1000
+	DefaultTrustLevelTrusted          = 1000
+)
+
 // RemoteClaims describes a remote HTTP endpoint that can produce claims given the
 // metadata from a token request.
 type RemoteClaims struct {
@@ -97,31 +105,68 @@ type PartnerID struct {
 // certificate state.
 type Trust struct {
 	// NoCertificates is the trust level to set when no client certificates are present.
-	// This value has no default. If unset, the trust value is zero (0).
+	// If unset, DefaultTrustLevelNoCertificates is used.
 	NoCertificates int
 
 	// ExpiredUntrusted is the trust level to set when a certificate has both expired
 	// and is within an CA chain that we do not trust.
+	//
+	// If unset, DefaultTrustLevelExpiredTrusted is used.
 	ExpiredUntrusted int
 
 	// ExpiredTrusted is the trust level to set when a certificate has both expired
 	// and IS within a trusted CA chain.
+	//
+	// If unset, DefaultTrustLevelExpiredTrusted is used.
 	ExpiredTrusted int
 
 	// Untrusted is the trust level to set when a client has an otherwise valid
 	// certificate, but that certificate is part of an untrusted chain.
+	//
+	// If unset, DefaultTrustLevelUntrusted is used.
 	Untrusted int
 
 	// Trusted is the trust level to set when a client certificate is part of
+	//
+	// If unset, DefaultTrustLevelTrusted is used.
 	// a trusted CA chain.
 	Trusted int
 }
 
+// enforceDefaults returns a Trust that has ensures any unset values are
+// set to their defaults.
+func (t Trust) enforceDefaults() (other Trust) {
+	other = t
+	if other.NoCertificates <= 0 {
+		other.NoCertificates = DefaultTrustLevelNoCertificates
+	}
+
+	if other.ExpiredUntrusted <= 0 {
+		other.ExpiredUntrusted = DefaultTrustLevelExpiredUntrusted
+	}
+
+	if other.ExpiredTrusted <= 0 {
+		other.ExpiredTrusted = DefaultTrustLevelExpiredTrusted
+	}
+
+	if other.Untrusted <= 0 {
+		other.Untrusted = DefaultTrustLevelUntrusted
+	}
+
+	if other.Trusted <= 0 {
+		other.Trusted = DefaultTrustLevelTrusted
+	}
+
+	return
+}
+
 // ClientCertificates describes how peer certificates are to be handled when
 // it comes to issuing tokens.
 type ClientCertificates struct {
 	// RootCAFile is the PEM bundle of certificates used for client certificate verification.
 	// If unset, the system verifier and/or bundle is used.
+	//
+	// Generally, this value should be the same as the the mtls.clientCACertificateFile.
 	RootCAFile string
 
 	// IntermediatesFile is the PEM bundle of certificates used for client certificate verification.