From eb6a4f96c8cdf3e159384d4279f3994e69f6dd80 Mon Sep 17 00:00:00 2001
From: johnabass
Date: Wed, 20 Nov 2024 22:52:55 -0800
Subject: [PATCH] allow sane default trust levels

---
 token/claimBuilder.go | 4 ++--
 token/options.go | 47 ++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 48 insertions(+), 3 deletions(-)

diff --git a/token/claimBuilder.go b/token/claimBuilder.go
index c171fc6..60f572a 100644
--- a/token/claimBuilder.go
+++ b/token/claimBuilder.go
@@ -186,7 +186,7 @@ func newClientCertificateClaimBuiler(cc *ClientCertificates) (cb *clientCertific
 }
 
 cb = &clientCertificateClaimBuilder{
- trust: cc.Trust,
+ trust: cc.Trust.enforceDefaults(),
 }
 
 if len(cc.RootCAFile) > 0 {
@@ -206,7 +206,7 @@ type clientCertificateClaimBuilder struct {
 trust Trust
 }
 
-func (cb *clientCertificateClaimBuilder) getTrust(r *Request, target map[string]interface{}) (err error) {
+func (cb *clientCertificateClaimBuilder) AddClaims(_ context.Context, r *Request, target map[string]interface{}) (err error) {
 // simplest case: this didn't come from a TLS connection, or it did but the client gave no certificates
 if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
 target[ClaimTrust] = cb.trust.NoCertificates
diff --git a/token/options.go b/token/options.go
index 70eed16..172cdbd 100644
--- a/token/options.go
+++ b/token/options.go
@@ -9,6 +9,14 @@ import (
 "github.com/xmidt-org/themis/key"
 )
 
+const (
+ DefaultTrustLevelNoCertificates = 0
+ DefaultTrustLevelExpiredUntrusted = 100
+ DefaultTrustLevelExpiredTrusted = 1000
+ DefaultTrustLevelUntrusted = 1000
+ DefaultTrustLevelTrusted = 1000
+)
+
 // RemoteClaims describes a remote HTTP endpoint that can produce claims given the
 // metadata from a token request.
 type RemoteClaims struct {
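Review bot: AddClaims becomes an exported method in the second claimBuilder.go hunk but gets no doc comment, and the only line that shows what it does is `target[ClaimTrust] = cb.trust.NoCertificates`; its body continues past the hunk. Add a comment above the new signature along the lines of `// AddClaims sets the ClaimTrust claim on target from the peer certificates in r.TLS; ctx is currently unused.` so callers of the exported name know which claim it writes and that the context is ignored.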
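Review bot: The new const block in options.go sets DefaultTrustLevelUntrusted, DefaultTrustLevelExpiredTrusted and DefaultTrustLevelTrusted all to 1000, so with an unconfigured Trust a client certificate from an untrusted chain, or an expired one from a trusted chain, is reported in the ClaimTrust claim with the same level as a fully verified certificate; only DefaultTrustLevelExpiredUntrusted (100) is ranked below it. If that equivalence is intended it should be stated, since anything downstream that compares trust levels presumably cannot tell those cases apart; otherwise the untrusted-chain and expired-trusted defaults belong below the trusted level. The exported constants also need a doc comment, e.g. `// Default trust levels substituted by Trust.enforceDefaults for any level left zero or negative.`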
@@ -97,31 +105,68 @@ type PartnerID struct {
 // certificate state.
 type Trust struct {
 // NoCertificates is the trust level to set when no client certificates are present.
- // This value has no default. If unset, the trust value is zero (0).
+ // If unset, DefaultTrustLevelNoCertificates is used.
 NoCertificates int
 
 // ExpiredUntrusted is the trust level to set when a certificate has both expired
 // and is within an CA chain that we do not trust.
+ //
+ // If unset, DefaultTrustLevelExpiredTrusted is used.
 ExpiredUntrusted int
 
 // ExpiredTrusted is the trust level to set when a certificate has both expired
 // and IS within a trusted CA chain.
+ //
+ // If unset, DefaultTrustLevelExpiredTrusted is used.
 ExpiredTrusted int
 
 // Untrusted is the trust level to set when a client has an otherwise valid
 // certificate, but that certificate is part of an untrusted chain.
+ //
+ // If unset, DefaultTrustLevelUntrusted is used.
 Untrusted int
 
 // Trusted is the trust level to set when a client certificate is part of
+ //
+ // If unset, DefaultTrustLevelTrusted is used.
 // a trusted CA chain.
 Trusted int
 }
 
+// enforceDefaults returns a Trust that has ensures any unset values are
+// set to their defaults.
+func (t Trust) enforceDefaults() (other Trust) {
+ other = t
+ if other.NoCertificates <= 0 {
+ other.NoCertificates = DefaultTrustLevelNoCertificates
+ }
+
+ if other.ExpiredUntrusted <= 0 {
+ other.ExpiredUntrusted = DefaultTrustLevelExpiredUntrusted
+ }
+
+ if other.ExpiredTrusted <= 0 {
+ other.ExpiredTrusted = DefaultTrustLevelExpiredTrusted
+ }
+
+ if other.Untrusted <= 0 {
+ other.Untrusted = DefaultTrustLevelUntrusted
+ }
+
+ if other.Trusted <= 0 {
+ other.Trusted = DefaultTrustLevelTrusted
+ }
+
+ return
+}
+
 // ClientCertificates describes how peer certificates are to be handled when
 // it comes to issuing tokens.
 type ClientCertificates struct {
 // RootCAFile is the PEM bundle of certificates used for client certificate verification.
 // If unset, the system verifier and/or bundle is used.
+ //
+ // Generally, this value should be the same as the the mtls.clientCACertificateFile.
 RootCAFile string
 
 // IntermediatesFile is the PEM bundle of certificates used for client certificate verification.
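Review bot: enforceDefaults treats every value `<= 0` as unset, so a configuration that deliberately sets ExpiredUntrusted or Untrusted to 0 (no trust) is silently raised to 100 or 1000 before it reaches the claim builder, and the new field comments do not say so; either document on each field that zero and negative values are replaced by the default and cannot be configured, or change the fields to a pointer or optional form so an explicit 0 survives (a larger change than this hunk). The ExpiredUntrusted comment names the wrong constant and should read `// If unset, DefaultTrustLevelExpiredUntrusted is used.`. The two lines added to the Trusted comment were inserted mid-sentence, separating "is part of" from "a trusted CA chain."; they belong after that line. Minor wording: the enforceDefaults comment's "has ensures" should be "ensures", and the RootCAFile comment has a doubled "the the".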