Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add cert auth module. #78

Merged
merged 2 commits into from
Oct 29, 2024
Merged

Add cert auth module. #78

merged 2 commits into from
Oct 29, 2024

Conversation

wa5i
Copy link
Collaborator

@wa5i wa5i commented Sep 24, 2024

No description provided.

@wa5i wa5i requested a review from InfoHunter September 24, 2024 07:18
@wa5i wa5i added the enhancement New feature or request label Sep 24, 2024
@wa5i wa5i added this to the RustyVault-0.9.0 milestone Sep 24, 2024
@wa5i wa5i linked an issue Sep 24, 2024 that may be closed by this pull request
Copy link
Member

@InfoHunter InfoHunter left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A first bundle of review comments

//! CA certificates are associated with a role; role names and CRL names are normalized
//! to lower-case.
//!
//! Please note that to use this auth method, `tls_disable` and `tls_disable_client_certs` 
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a little confusing. If there is no 'cert auth' configured, can RustyVault validate a client certificate in a TLS connection?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a little confusing. If there is no 'cert auth' configured, can RustyVault validate a client certificate in a TLS connection?

It has been fixed in #79.


impl Module for CertModule {
fn name(&self) -> String {
return self.name.clone();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems CertModule.name is always a constant string through the whole lifetime of a RustyVault instance, then why don't return a referent &string instead of cloning a new string?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems CertModule.name is always a constant string through the whole lifetime of a RustyVault instance, then why don't return a referent &string instead of cloning a new string?

This field and function was originally used for debugging or logging. Using references with lifecycles is relatively complex. For simplicity, String was used. Later, let's see whether this field and function should be removed or optimized.

Comment on lines +63 to +65
let cert_backend_ref1 = Arc::clone(&self.inner);
let cert_backend_ref2 = Arc::clone(&self.inner);
let cert_backend_ref3 = Arc::clone(&self.inner);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems you can just use Arc::clone(...) in the places where they need it, thus the 3 local variables can be avoided.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems you can just use Arc::clone(...) in the places where they need it, thus the 3 local variables can be avoided.

This won't work because these variables are used by calling their member functions rather than using the variables themselves.
image

that are allowed to authenticate.

Deleting a certificate will not revoke auth for prior authenticated connections.
To do this, do a revoke on "login". If you don'log need to revoke login immediately,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: don'log -> don't

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: don'log -> don't

fixed

let data = cert_entry_data.as_object_mut().unwrap();
//TODO

Ok(Some(Response::data_response(Some(data.clone()))))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If data is not mutable, then why a clone() is needed?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If data is not mutable, then why a clone() is needed?

data is a reference and needs to clone an object.

image

Copy link
Member

@InfoHunter InfoHunter left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Second bundle of review comments

Ok(verified_chains)
}

fn matches_constraints(
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why there are so many constraints to be matched?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why there are so many constraints to be matched?

Vault can configure these matching items. In order to be compatible with Vault...

Comment on lines +314 to +320
&& self.matches_names(client_cert, config)
&& self.matches_common_name(client_cert, config)
&& self.matches_dns_sans(client_cert, config)
&& self.matches_email_sans(client_cert, config)
&& self.matches_uri_sans(client_cert, config)
&& self.matches_organizational_units(client_cert, config)
&& self.matches_certificate_extensions(client_cert, config);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does underlying cryptography library like OpenSSL or Tongsuo already provide such kind of functions? If so, we don't need to re-implement them again.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does underlying cryptography library like OpenSSL or Tongsuo already provide such kind of functions? If so, we don't need to re-implement them again.

There are many matching items. The underlying OpenSSL/Tongsuo does not have a corresponding interface, so regular expression matching is used.

@InfoHunter InfoHunter merged commit 6fdb04b into Tongsuo-Project:main Oct 29, 2024
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Need to support certificate login
2 participants