ssl config option must be true if certificate authentication
flobz committed Oct 10, 2023
1 parent 28cf12b commit c972261
Showing 4 changed files with 42 additions and 27 deletions.
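--- a/docs/using.rst
+++ b/docs/using.rst
@@ -38,7 +38,7 @@ list of trusted certificates.
 
 The clients request has:
 
-- to have a TLS connection to the reverse proxy server
+- to have a TLS connection to the reverse proxy server (`ssl` config option must be true)
 - to contain the client certificate
 - to have the common name of the server certificate match the server
 name set in the configuration file as "hawkbit_server"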
50 changes: 27 additions & 23 deletions src/config-file.c
Expand Up @@ -268,29 +268,6 @@ Config* load_config_file(const gchar *config_file, GError **error)

key_client_key_exists = get_key_string(ini_file, "client", "client_key", &config->client_key, NULL, NULL);

if (key_client_key_exists && key_client_cert_exists) {
client_cert_auth = TRUE;
if (g_access(config->client_cert, F_OK|R_OK)!=0) {
g_set_error(error, G_KEY_FILE_ERROR, G_KEY_FILE_ERROR_INVALID_VALUE,
"Can't read client_cert: %s",config->client_cert);
return NULL;
}
else if (g_access(config->client_key, F_OK|R_OK)!=0) {
g_set_error(error, G_KEY_FILE_ERROR, G_KEY_FILE_ERROR_INVALID_VALUE,
"Can't read client_key: %s",config->client_key);
return NULL;
}
}
if (!key_auth_token_exists && !key_gateway_token_exists && !(client_cert_auth)) {
g_set_error(error, G_KEY_FILE_ERROR, G_KEY_FILE_ERROR_INVALID_VALUE, "Neither a token nor client certificate are set!");
return NULL;
}
else if (key_auth_token_exists && key_gateway_token_exists) {
g_set_error(error, G_KEY_FILE_ERROR, G_KEY_FILE_ERROR_INVALID_VALUE,
"Both 'auth_token' and 'gateway_token' set");
return NULL;
}

if (!get_key_string(ini_file, "client", "target_name", &config->controller_id, NULL,
error))
return NULL;
Expand Down Expand Up @@ -345,6 +322,33 @@ Config* load_config_file(const gchar *config_file, GError **error)
"'bundle_download_location' is required if 'stream_bundle' is disabled");
return NULL;
}
if (key_client_key_exists && key_client_cert_exists) {
client_cert_auth = TRUE;
if(!config->ssl){
g_set_error(error, G_KEY_FILE_ERROR, G_KEY_FILE_ERROR_INVALID_VALUE,
"'ssl' config option must be true for client certificate authentication");
return NULL;
}
if (g_access(config->client_cert, F_OK|R_OK)!=0) {
g_set_error(error, G_KEY_FILE_ERROR, G_KEY_FILE_ERROR_INVALID_VALUE,
"Can't read client_cert: %s",config->client_cert);
return NULL;
}
else if (g_access(config->client_key, F_OK|R_OK)!=0) {
g_set_error(error, G_KEY_FILE_ERROR, G_KEY_FILE_ERROR_INVALID_VALUE,
"Can't read client_key: %s",config->client_key);
return NULL;
}
}
if (!key_auth_token_exists && !key_gateway_token_exists && !(client_cert_auth)) {
g_set_error(error, G_KEY_FILE_ERROR, G_KEY_FILE_ERROR_INVALID_VALUE, "Neither a token nor client certificate are set!");
return NULL;
}
else if (key_auth_token_exists && key_gateway_token_exists) {
g_set_error(error, G_KEY_FILE_ERROR, G_KEY_FILE_ERROR_INVALID_VALUE,
"Both 'auth_token' and 'gateway_token' set");
return NULL;
}

return g_steal_pointer(&config);
}
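Review bot: The new `'ssl' config option must be true` check only guards client-certificate authentication, so a configuration with `auth_token` or `gateway_token` and `ssl` false still passes the token checks that follow it in the same hunk, and that bearer credential would then travel over plaintext HTTP. If plaintext is intentionally allowed for local development, the token branch should at least say so loudly, e.g. `if (!config->ssl) g_warning("'ssl' is false: auth/gateway token will be sent unencrypted");` placed before the `Neither a token nor client certificate are set!` check (assuming GLib logging is acceptable in this file, which already uses g_set_error/g_access). As a style point, `if(!config->ssl){` departs from the `if (...) {` spacing used on the neighbouring lines of the same block. The enclosing load_config_file() starts before the hunk, so the ordering of `config->ssl` being read relative to this block is taken on trust from the commit message.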
15 changes: 13 additions & 2 deletions test/test_basics.py
Expand Up @@ -92,6 +92,18 @@ def test_register_and_check_valid_gateway_token(hawkbit, adjust_config, trailing
assert 'MESSAGE: Checking for new software...' in out
assert err == ''

def test_config_client_cert_ssl_false(adjust_config):
"""Test config with client cert authentication but ssl false."""
file_path="/bad/file"
config = adjust_config({"client": {"client_cert": "any",
"client_key": "any",
}},
remove={'client': 'auth_token'})

out, err, exitcode = run(f'rauc-hawkbit-updater -c "{config}" -r')
assert exitcode == 4
assert f"'ssl' config option must be true for client certificate authentication" in err

@pytest.mark.parametrize("client_cert", [None, "bad_path", "good_file","empty"])
@pytest.mark.parametrize("client_key", [None, "bad_path", "good_file","empty"])
def test_config_client_cert_and_key(adjust_config,tmp_path_factory,client_cert,client_key):
Expand All @@ -111,14 +123,13 @@ def parameter_to_value(key, value):
client_cert_conf = parameter_to_value("client_cert",client_cert)
client_key_conf = parameter_to_value("client_key",client_key)

config = adjust_config({"client": {**client_cert_conf, **client_key_conf}},
config = adjust_config({"client": {**client_cert_conf, **client_key_conf, "ssl": "true"}},
remove={'client': 'auth_token'})

out, err, exitcode = run(f'rauc-hawkbit-updater -c "{config}" -r')
if "good_file" == client_key == client_cert:
assert exitcode == 1
assert 'MESSAGE: Checking for new software...' in out
assert 'WARNING: Failed to authenticate. Check client certificate and client private key' in err
elif client_key is None or client_cert is None:
assert exitcode == 4
assert err.strip() == \
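Review bot: test_config_client_cert_ssl_false leaves `file_path="/bad/file"` unused and its expected-message assertion carries an `f` prefix with no placeholders; drop the dead assignment and write it as a plain string, `assert "'ssl' config option must be true for client certificate authentication" in err`. The test also depends on the fixture's default for `ssl` being false or absent (the parametrized test below had to add `"ssl": "true"` explicitly, which suggests that is the case), so passing `"ssl": "false"` in the adjust_config dict would make the case self-describing and robust against a future change of the fixture default. The `exitcode == 4` expectation presumably mirrors the config-error exit asserted by the neighbouring test; a short comment naming it as the config-error code would help readers who do not know the updater's exit codes.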
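--- a/test/test_mtls.py
+++ b/test/test_mtls.py
@@ -1,6 +1,6 @@
 import pytest
 
-from test.helper import run
+from helper import run
 
 @pytest.mark.parametrize('mode', ('download','streaming'))
 def test_install_success_mtls(hawkbit, adjust_config, bundle_assigned,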
