Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

client/pkg/transport: Support SAN URIs in TLS peer verification #13445

Closed
wants to merge 7 commits into from
Closed

client/pkg/transport: Support SAN URIs in TLS peer verification #13445

wants to merge 7 commits into from

Conversation

LINKIWI
Copy link

@LINKIWI LINKIWI commented Oct 27, 2021

This change proposes the addition of a config struct field AllowedURI, set at runtime via --client-cert-allowed-uri and --peer-cert-allowed-uri, to implement peer TLS verification based on the URIs specified in the peer certificate's subject alternative names.

This provides an alternative to the existing peer verification mechanisms based on CN and SAN DNS names. This change is primarily motivated by achieving compatibility with deployment environments that rely on SPIFFE validation.

I added an e2e test (with a corresponding new test fixture certificate with a SAN URI, which required regenerating all existing certs), though I'm not able to get it to run locally. I also plan to do some more manual testing, the results of which I'll paste in once they are ready.

@hexfusion
Copy link
Contributor

Thanks for the contribution is there a design doc you can reference that gives the full details of SPIFFE validation?

@LINKIWI
Copy link
Author

LINKIWI commented Oct 27, 2021

Thanks for taking a look. I don't have a design doc. SPIFFE validation is just one example use case; the patch itself is agnostic to whatever convention (or lack of convention) might be in place.

This change mostly aims to replicate the existing logic for CN and SAN DNS validation, but for URI field(s) as well.

Edit: To clarify, SPIFFE validation is not an objective of this PR.

@LINKIWI
Copy link
Author

LINKIWI commented Nov 2, 2021

@hexfusion Is this feature something that would be desirable for etcd? If so, any feedback on the general direction would be appreciated before I investigate the e2e test breakage. Thanks.

@hexfusion
Copy link
Contributor

I will try to take a look more this weekend but might take longer. We had issues in the past with CN SAN validation and our internal RBAC auth.

cc @mitake

@mitake
Copy link
Contributor

mitake commented Nov 4, 2021

@hexfusion got it, I'll also take a look during this weekend 👍

Copy link
Contributor

@mitake mitake left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your PR! I have 2 small comments, it's great if you can take a look @LINKIWI . I'll also take a look at test code changes later.

client/pkg/transport/listener.go Show resolved Hide resolved
}
switch {
case definedRestrictions > 1:
return nil, errors.New("exactly one of AllowedCN, AllowedHostname, or AllowedURI can be defined")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think error message like exactly one of --peer-cert-allowed-cn, --peer-cert-allowed-hostname, or --peer-cert-allowed-uri can be defined might be clearer for users.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This might be confusing for embedded etcd users since they would not be interfacing with any command line parameters. I'm happy to change it either way though.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@LINKIWI got it, then I think it's fine

@LINKIWI
Copy link
Author

LINKIWI commented Nov 7, 2021

Thanks for your PR! I have 2 small comments, it's great if you can take a look @LINKIWI . I'll also take a look at test code changes later.

Thanks for the review. I pushed up some new commits to address the suggestions and also fixed the e2e test case (it is at least passing in my local environment now).

@mitake
Copy link
Contributor

mitake commented Nov 10, 2021

thanks for updating, let me check again later this week

@LINKIWI
Copy link
Author

LINKIWI commented Nov 30, 2021

@mitake Wondering if you'd had a chance to make another pass through the change. Thanks

@mitake
Copy link
Contributor

mitake commented Dec 5, 2021

@LINKIWI sorry for my late update, I think the change should be fine if the existing tests are fine. I started the CIs.

Copy link
Contributor

@mitake mitake left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks! defer to @hexfusion

@mitake
Copy link
Contributor

mitake commented Dec 13, 2021

@hexfusion could you cross check when you have a time?

@mitake
Copy link
Contributor

mitake commented Jan 20, 2022

@hexfusion kindly ping?

@LINKIWI
Copy link
Author

LINKIWI commented Feb 13, 2022

@mitake @hexfusion Any chance we can get this merged? Thanks.

@stale
Copy link

stale bot commented Jun 11, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 21 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Jun 11, 2022
@fcantournet
Copy link

We're (Datadog) interested in upstreaming this PR.
We have a generic PKI for all services to get client certs with URI SANs (SPIFFE), and this would be very useful to us.
@LINKIWI can you re-open this ?

@LINKIWI
Copy link
Author

LINKIWI commented Sep 15, 2023

Hi, we had an identical motivation for this PR. Unfortunately, we were unable to get further attention on this change from the maintainers as you can see above.

I don't work at the company anymore where we needed this; at this point I've lost context and the ability to verify this end-to-end. I believe we might have ended up just patching this in a fork. Please feel free to submit a new PR with this patch.

badouralix added a commit to DataDog/etcd that referenced this pull request Sep 22, 2023
Cherry-pick etcd-io#13445 manually because
the remote repository has been deleted, and add support for multiple
values for allowed client and peer URIs

Signed-off-by: Ayaz Badouraly <[email protected]>
nyodas pushed a commit to DataDog/etcd that referenced this pull request Jun 10, 2024
Cherry-pick etcd-io#13445 manually because
the remote repository has been deleted, and add support for multiple
values for allowed client and peer URIs

Signed-off-by: Ayaz Badouraly <[email protected]>
nyodas added a commit to DataDog/etcd that referenced this pull request Jun 10, 2024
Follow up on the Cherry-pick of [etcd-io#13445](etcd-io#13445)
Allowing the config file of the security config to use multi allowedCN and multi Allowed Hostnames

This won't be cross compatible, if we want to upstream this we need to allow for both AllowedCN and AllowedCNs
nyodas added a commit to DataDog/etcd that referenced this pull request Jun 10, 2024
Follow up on the Cherry-pick of [etcd-io#13445](etcd-io#13445)
Allowing the config file of the security config to use multi allowedCN and multi Allowed Hostnames

This won't be cross compatible, if we want to upstream this we need to allow for both AllowedCN and AllowedCNs
nyodas pushed a commit to DataDog/etcd that referenced this pull request Jul 16, 2024
Cherry-pick etcd-io#13445 manually because
the remote repository has been deleted, and add support for multiple
values for allowed client and peer URIs

Signed-off-by: Ayaz Badouraly <[email protected]>
nyodas added a commit to DataDog/etcd that referenced this pull request Jul 16, 2024
Follow up on the Cherry-pick of [etcd-io#13445](etcd-io#13445)
Allowing the config file of the security config to use multi allowedCN and multi Allowed Hostnames

This won't be cross compatible, if we want to upstream this we need to allow for both AllowedCN and AllowedCNs
aneesh1 added a commit to DataDog/etcd that referenced this pull request Sep 25, 2024
etcd-io#13445 was cherry-picked manually,
but we made some changes to support multiple values for allowed client
and peer URIs.
aneesh1 added a commit to DataDog/etcd that referenced this pull request Sep 25, 2024
etcd-io#13445 was cherry-picked manually,
but we made some changes to support multiple values for allowed client
and peer URIs.
aneesh1 pushed a commit to DataDog/etcd that referenced this pull request Sep 25, 2024
Cherry-pick etcd-io#13445 manually because
the remote repository has been deleted, and add support for multiple
values for allowed client and peer URIs

Signed-off-by: Ayaz Badouraly <[email protected]>
aneesh1 pushed a commit to DataDog/etcd that referenced this pull request Sep 25, 2024
Cherry-pick etcd-io#13445 manually because
the remote repository has been deleted, and add support for multiple
values for allowed client and peer URIs

Signed-off-by: Ayaz Badouraly <[email protected]>
aneesh1 pushed a commit to DataDog/etcd that referenced this pull request Oct 1, 2024
Cherry-pick etcd-io#13445 manually because
the remote repository has been deleted, and add support for multiple
values for allowed client and peer URIs

Signed-off-by: Ayaz Badouraly <[email protected]>
aneesh1 pushed a commit to DataDog/etcd that referenced this pull request Oct 8, 2024
Cherry-pick etcd-io#13445 manually because
the remote repository has been deleted, and add support for multiple
values for allowed client and peer URIs

Signed-off-by: Ayaz Badouraly <[email protected]>
aneesh1 pushed a commit to DataDog/etcd that referenced this pull request Oct 9, 2024
Cherry-pick etcd-io#13445 manually because
the remote repository has been deleted, and add support for multiple
values for allowed client and peer URIs

Signed-off-by: Ayaz Badouraly <[email protected]>
aneesh1 pushed a commit to DataDog/etcd that referenced this pull request Oct 16, 2024
Cherry-pick etcd-io#13445 manually because
the remote repository has been deleted, and add support for multiple
values for allowed client and peer URIs

Signed-off-by: Ayaz Badouraly <[email protected]>
aneesh1 pushed a commit to DataDog/etcd that referenced this pull request Nov 13, 2024
Cherry-pick etcd-io#13445 manually because
the remote repository has been deleted, and add support for multiple
values for allowed client and peer URIs

Signed-off-by: Ayaz Badouraly <[email protected]>
aneesh1 pushed a commit to DataDog/etcd that referenced this pull request Jan 7, 2025
Cherry-pick etcd-io#13445 manually because
the remote repository has been deleted, and add support for multiple
values for allowed client and peer URIs

Signed-off-by: Ayaz Badouraly <[email protected]>
aneesh1 pushed a commit to DataDog/etcd that referenced this pull request Jan 9, 2025
Cherry-pick etcd-io#13445 manually because
the remote repository has been deleted, and add support for multiple
values for allowed client and peer URIs

Signed-off-by: Ayaz Badouraly <[email protected]>
aneesh1 pushed a commit to DataDog/etcd that referenced this pull request Jan 9, 2025
Cherry-pick etcd-io#13445 manually because
the remote repository has been deleted, and add support for multiple
values for allowed client and peer URIs

Signed-off-by: Ayaz Badouraly <[email protected]>
This pull request was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Development

Successfully merging this pull request may close these issues.

4 participants