Add documentation

Signed-off-by: chodges15 <[email protected]>
prometheus · Mar 1, 2023 · f58eb40 · f58eb40
1 parent 7e1d1b8
commit f58eb40
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.8.2 / 2023-02-28
+
+* [FEATURE] Add configuration for verifying the presence of an address in the Subject Alternate Name of the TLS cert provided by the client. #126
+
 ## 0.8.1 / 2022-10-21
 
 * [BUGFIX] Fix systemd activation flag when using a custom kingpin app. #118

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-0.8.1
+0.8.2
diff --git a/docs/web-configuration.md b/docs/web-configuration.md
@@ -38,6 +38,11 @@ tls_server_config:
   # CA certificate for client certificate authentication to the server.
   [ client_ca_file: <filename> ]
 
+  # Verify that the client certificate has a Subject Alternate Name (SAN) which includes the following
+  # regex pattern, else terminate connection. SAN match can be one or multiple of the following:
+  # DNS, IP, e-mail, or URI address from https://pkg.go.dev/crypto/x509#Certificate.
+  [ client_allowed_san_regex: <string> | default ""]
+
   # Minimum TLS version that is acceptable.
   [ min_version: <string> | default = "TLS12" ]
 

diff --git a/web/tls_config.go b/web/tls_config.go
@@ -93,8 +93,6 @@ func (t *TLSConfig) VerifyPeerCertificate(rawCerts [][]byte, verifiedChains [][]
 		}
 	}
 
-	//todo: check other fields of the cert
-
 	return fmt.Errorf("could not find configured SAN in client cert: %s", t.ClientAllowedSanRegex)
 }
-Original file line number
+Diff line change
@@ Expand Up @@
     		}
     	}
-    	//todo: check other fields of the cert
     	return fmt.Errorf("could not find configured SAN in client cert: %s", t.ClientAllowedSanRegex)
     }
@@ Expand Down @@