TLS Auth - Support for encrypted private key

[Gabrielopesantos]

Related issue: #2435 (Also presents the problem)

Proposal:

• Allow users to pass an password field which is used to decrypt the private key; If the key is not protected/encrypted, password will be ignored.

[CLAassistant]

All committers have signed the CLA.

[mstoykov]

If we have password, shouldn't we always try to decrypt it?

[Gabrielopesantos]

If we always try decrypt, in cases were a non encrypted key is provided, since it does not a DEK header, x509.DecryptPEMBlock (https://pkg.go.dev/crypto/x509#DecryptPEMBlock) will return an error. In my opinion a good approach would be just add the warning saying that a password is not required if the key is not encrypted, as suggested below.

If both of you you agree with this, if possible, tell me how can I add a warning.

[mstoykov]

I guess that you can't log here 🤔 . But on the other hand I would argue it should be an outright error if there is a password, and it isn't encrypted. If you have a password and not DEK header ... you maybe shouldn't have password ?

[Gabrielopesantos]

Yes, I understand your point. I just thought it would confuse some users the first time they use the feature. Made the change.

[mstoykov]

confuse some users

I would argue it will be even more confusing if you add an option and nothing changes - if we at least then error out differently IMO it's better.

[oleiade]

I'm in line with @mstoykov comments.
Plus, a few nitpicks that would have made the code easier to read from my perspective 👍🏻

Waiting on comments resolution and the branch to be green to approve 🟢

[codecov-commenter]

Codecov Report

Merging #2488 (7f9bcc9) into master (42f2e60) will increase coverage by 2.72%.
The diff coverage is 67.37%.

@@            Coverage Diff             @@
##           master    #2488      +/-   ##
==========================================
+ Coverage   72.71%   75.44%   +2.72%     
==========================================
  Files         184      200      +16     
  Lines       14571    15877    +1306     
==========================================
+ Hits        10596    11978    +1382     
+ Misses       3333     3164     -169     
- Partials      642      735      +93     

Flag	Coverage Δ
ubuntu	75.33% <67.37%> (+2.68%)	⬆️
windows	75.07% <67.14%> (+2.70%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
api/common/context.go	100.00% <ø> (ø)
api/v1/client/client.go	0.00% <0.00%> (ø)
api/v1/client/metrics.go	0.00% <0.00%> (ø)
api/v1/client/status.go	0.00% <0.00%> (ø)
api/v1/group.go	54.05% <ø> (-35.01%)	⬇️
api/v1/metric.go	77.27% <ø> (-22.73%)	⬇️
api/v1/routes.go	55.31% <ø> (ø)
api/v1/status.go	100.00% <ø> (ø)
cmd/login_cloud.go	19.76% <0.00%> (+19.76%)	⬆️
cmd/login_influxdb.go	11.66% <0.00%> (+11.66%)	⬆️
... and 244 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 59a8883...7f9bcc9. Read the comment docs.

[mstoykov]

It seems like the tests aren't passing after the last changes @Gabrielopesantos, can you take a look 🙇 .

I will try to test them by hand by the end of the week and hopefully we can have this merge next week 🤞

[Gabrielopesantos]

Ok,updated the tests and also added a new tests covering the case where a user defines a password with a non encrypted.

The CI seems to still be failing, maybe adding // nolint: staticcheck solves the problem?

[mstoykov]

Yeah - you need will need to nolint this, preferably with an additional comment on why we are still using it.

[mstoykov]

Thanks a lot for working on this 🙇

LGTM - I have tried it out locally, and I don't see any problems, although I can't really make requests with it as I don't have any server that uses client certificates handy :(. That shouldn't matter though as that is handled by the stdlib - we just need to give it the certificate.

I have left one change on a comment, but I am not even certain it is all that much better than before, so we might leave it.

[oleiade]

🎉 👍🏻