|
|
bb7cd1 |
From d35f47a4e50feeb2b54c1621d0c2f5b15cd275eb Mon Sep 17 00:00:00 2001
|
|
|
bb7cd1 |
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
|
bb7cd1 |
Date: Tue, 28 Feb 2017 11:47:32 +0100
|
|
|
bb7cd1 |
Subject: [PATCH 85/90] secrets: allow to configure certificate check
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
Some users may want to use TLS with unverified peer (for example if
|
|
|
bb7cd1 |
they use self-signed certificate) or if unverified hostname (if
|
|
|
bb7cd1 |
certificate hostname does not match with the real hostname). On the
|
|
|
bb7cd1 |
other side it may be useful to point to a directory containing custom
|
|
|
bb7cd1 |
certificate authorities.
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
This patch add three new options to secrets responder:
|
|
|
bb7cd1 |
verify_peer => peer's certificate must be valid
|
|
|
bb7cd1 |
verify_host => hostnames must match
|
|
|
bb7cd1 |
capath => path to directory containing CA certs
|
|
|
bb7cd1 |
cacert => ca certificate
|
|
|
bb7cd1 |
cert => client certificate
|
|
|
bb7cd1 |
key => client private key
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
Resolves:
|
|
|
bb7cd1 |
https://pagure.io/SSSD/sssd/issue/3192
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
bb7cd1 |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
bb7cd1 |
(cherry picked from commit 720e1a5b95a953a0f1c8315bbb7c9c1edf9fb417)
|
|
|
bb7cd1 |
---
|
|
|
bb7cd1 |
src/config/SSSDConfig/__init__.py.in | 6 +++
|
|
|
bb7cd1 |
src/config/cfg_rules.ini | 6 +++
|
|
|
bb7cd1 |
src/config/etc/sssd.api.conf | 6 +++
|
|
|
bb7cd1 |
src/man/sssd-secrets.5.xml | 76 ++++++++++++++++++++++++++++++++++++
|
|
|
bb7cd1 |
src/responder/secrets/proxy.c | 55 ++++++++++++++++++++++++++
|
|
|
bb7cd1 |
5 files changed, 149 insertions(+)
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
|
|
|
bb7cd1 |
index 211338778e81c1c60ffb3cdbc67c9619343d7798..75515ab5c68822538728900482296b9159e1547e 100644
|
|
|
bb7cd1 |
--- a/src/config/SSSDConfig/__init__.py.in
|
|
|
bb7cd1 |
+++ b/src/config/SSSDConfig/__init__.py.in
|
|
|
bb7cd1 |
@@ -137,6 +137,12 @@ option_strings = {
|
|
|
bb7cd1 |
'forward_headers': _('The list of the headers to forward to the Custodia server together with the request'),
|
|
|
bb7cd1 |
'username': _('The username to use when authenticating to a Custodia server using basic_auth'),
|
|
|
bb7cd1 |
'password': _('The password to use when authenticating to a Custodia server using basic_auth'),
|
|
|
bb7cd1 |
+ 'verify_peer': _('If true peer\'s certificate is verified if proxy_url uses https protocol'),
|
|
|
bb7cd1 |
+ 'verify_host': _('If false peer\'s certificate may contain different hostname then proxy_url when https protocol is used'),
|
|
|
bb7cd1 |
+ 'capath': _('Path to directory where certificate authority certificates are stored'),
|
|
|
bb7cd1 |
+ 'cacert': _('Path to file containing server\'s CA certificate'),
|
|
|
bb7cd1 |
+ 'cert': _('Path to file containing client\'s certificate'),
|
|
|
bb7cd1 |
+ 'key': _('Path to file containing client\'s private key'),
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
# [provider]
|
|
|
bb7cd1 |
'id_provider' : _('Identity provider'),
|
|
|
bb7cd1 |
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
|
|
bb7cd1 |
index 1a749db754cedd87f263f7ae596d6f8238bb4357..e47ff33242d6a9e5979fe0eb8eea14c2af28685a 100644
|
|
|
bb7cd1 |
--- a/src/config/cfg_rules.ini
|
|
|
bb7cd1 |
+++ b/src/config/cfg_rules.ini
|
|
|
bb7cd1 |
@@ -265,6 +265,12 @@ option = auth_header_value
|
|
|
bb7cd1 |
option = forward_headers
|
|
|
bb7cd1 |
option = username
|
|
|
bb7cd1 |
option = password
|
|
|
bb7cd1 |
+option = verify_peer
|
|
|
bb7cd1 |
+option = verify_host
|
|
|
bb7cd1 |
+option = capath
|
|
|
bb7cd1 |
+option = cacert
|
|
|
bb7cd1 |
+option = cert
|
|
|
bb7cd1 |
+option = key
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
# KCM responder
|
|
|
bb7cd1 |
[rule/allowed_kcm_options]
|
|
|
bb7cd1 |
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
|
|
|
bb7cd1 |
index a1a0c2992925a4c7df86832117eec2a0cf7894c9..f86589ecefa0b9e046aba781ded107f8e94395d6 100644
|
|
|
bb7cd1 |
--- a/src/config/etc/sssd.api.conf
|
|
|
bb7cd1 |
+++ b/src/config/etc/sssd.api.conf
|
|
|
bb7cd1 |
@@ -114,6 +114,12 @@ auth_header_value = str, None, false
|
|
|
bb7cd1 |
forward_headers = list, None, false
|
|
|
bb7cd1 |
username = str, None, false
|
|
|
bb7cd1 |
password = str, None, false
|
|
|
bb7cd1 |
+verify_peer = bool, None, false
|
|
|
bb7cd1 |
+verify_host = bool, None, false
|
|
|
bb7cd1 |
+capath = str, None, false
|
|
|
bb7cd1 |
+cacert = str, None, false
|
|
|
bb7cd1 |
+cert = str, None, false
|
|
|
bb7cd1 |
+key = str, None, false
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
[provider]
|
|
|
bb7cd1 |
#Available provider types
|
|
|
bb7cd1 |
diff --git a/src/man/sssd-secrets.5.xml b/src/man/sssd-secrets.5.xml
|
|
|
bb7cd1 |
index 80e9c405921e1fb46a3d172d9873deebfa5ed2ce..44a86c3fb56a8bdebebd01e9f49ad171986282a4 100644
|
|
|
bb7cd1 |
--- a/src/man/sssd-secrets.5.xml
|
|
|
bb7cd1 |
+++ b/src/man/sssd-secrets.5.xml
|
|
|
bb7cd1 |
@@ -273,6 +273,82 @@ systemctl enable sssd-secrets.service
|
|
|
bb7cd1 |
</para>
|
|
|
bb7cd1 |
</listitem>
|
|
|
bb7cd1 |
</varlistentry>
|
|
|
bb7cd1 |
+ <varlistentry>
|
|
|
bb7cd1 |
+ <term>verify_peer (boolean)</term>
|
|
|
bb7cd1 |
+ <listitem>
|
|
|
bb7cd1 |
+ <para>
|
|
|
bb7cd1 |
+ Whether peer's certificate should be verified and valid
|
|
|
bb7cd1 |
+ if HTTPS protocol is used with the proxy provider.
|
|
|
bb7cd1 |
+ </para>
|
|
|
bb7cd1 |
+ <para>
|
|
|
bb7cd1 |
+ Default: true
|
|
|
bb7cd1 |
+ </para>
|
|
|
bb7cd1 |
+ </listitem>
|
|
|
bb7cd1 |
+ </varlistentry>
|
|
|
bb7cd1 |
+ <varlistentry>
|
|
|
bb7cd1 |
+ <term>verify_host (boolean)</term>
|
|
|
bb7cd1 |
+ <listitem>
|
|
|
bb7cd1 |
+ <para>
|
|
|
bb7cd1 |
+ Whether peer's hostname must match with hostname in
|
|
|
bb7cd1 |
+ its certificate if HTTPS protocol is used with the
|
|
|
bb7cd1 |
+ proxy provider.
|
|
|
bb7cd1 |
+ </para>
|
|
|
bb7cd1 |
+ <para>
|
|
|
bb7cd1 |
+ Default: true
|
|
|
bb7cd1 |
+ </para>
|
|
|
bb7cd1 |
+ </listitem>
|
|
|
bb7cd1 |
+ </varlistentry>
|
|
|
bb7cd1 |
+ <varlistentry>
|
|
|
bb7cd1 |
+ <term>capath (string)</term>
|
|
|
bb7cd1 |
+ <listitem>
|
|
|
bb7cd1 |
+ <para>
|
|
|
bb7cd1 |
+ Path to directory containing stored certificate authority
|
|
|
bb7cd1 |
+ certificates. System default path is used if this option is
|
|
|
bb7cd1 |
+ not set.
|
|
|
bb7cd1 |
+ </para>
|
|
|
bb7cd1 |
+ <para>
|
|
|
bb7cd1 |
+ Default: not set
|
|
|
bb7cd1 |
+ </para>
|
|
|
bb7cd1 |
+ </listitem>
|
|
|
bb7cd1 |
+ </varlistentry>
|
|
|
bb7cd1 |
+ <varlistentry>
|
|
|
bb7cd1 |
+ <term>cacert (string)</term>
|
|
|
bb7cd1 |
+ <listitem>
|
|
|
bb7cd1 |
+ <para>
|
|
|
bb7cd1 |
+ Path to file containing server's certificate authority
|
|
|
bb7cd1 |
+ certificate. If this option is not set then the CA's
|
|
|
bb7cd1 |
+ certificate is looked up in <quote>capath</quote>.
|
|
|
bb7cd1 |
+ </para>
|
|
|
bb7cd1 |
+ <para>
|
|
|
bb7cd1 |
+ Default: not set
|
|
|
bb7cd1 |
+ </para>
|
|
|
bb7cd1 |
+ </listitem>
|
|
|
bb7cd1 |
+ </varlistentry>
|
|
|
bb7cd1 |
+ <varlistentry>
|
|
|
bb7cd1 |
+ <term>cert (string)</term>
|
|
|
bb7cd1 |
+ <listitem>
|
|
|
bb7cd1 |
+ <para>
|
|
|
bb7cd1 |
+ Path to file containing client's certificate if required
|
|
|
bb7cd1 |
+ by the server. This file may also contain private key or
|
|
|
bb7cd1 |
+ the private key may be in separate file set with
|
|
|
bb7cd1 |
+ <quote>key</quote>.
|
|
|
bb7cd1 |
+ </para>
|
|
|
bb7cd1 |
+ <para>
|
|
|
bb7cd1 |
+ Default: not set
|
|
|
bb7cd1 |
+ </para>
|
|
|
bb7cd1 |
+ </listitem>
|
|
|
bb7cd1 |
+ </varlistentry>
|
|
|
bb7cd1 |
+ <varlistentry>
|
|
|
bb7cd1 |
+ <term>key (string)</term>
|
|
|
bb7cd1 |
+ <listitem>
|
|
|
bb7cd1 |
+ <para>
|
|
|
bb7cd1 |
+ Path to file containing client's private key.
|
|
|
bb7cd1 |
+ </para>
|
|
|
bb7cd1 |
+ <para>
|
|
|
bb7cd1 |
+ Default: not set
|
|
|
bb7cd1 |
+ </para>
|
|
|
bb7cd1 |
+ </listitem>
|
|
|
bb7cd1 |
+ </varlistentry>
|
|
|
bb7cd1 |
</variablelist>
|
|
|
bb7cd1 |
</refsect1>
|
|
|
bb7cd1 |
<refsect1 id='restapi'>
|
|
|
bb7cd1 |
diff --git a/src/responder/secrets/proxy.c b/src/responder/secrets/proxy.c
|
|
|
bb7cd1 |
index 3c495716010ac468c9e2f1fb6356529a8dbdc614..240a1de1e431d511a1eca24d8b463c37ba893e7b 100644
|
|
|
bb7cd1 |
--- a/src/responder/secrets/proxy.c
|
|
|
bb7cd1 |
+++ b/src/responder/secrets/proxy.c
|
|
|
bb7cd1 |
@@ -59,6 +59,13 @@ struct proxy_cfg {
|
|
|
bb7cd1 |
struct pat_basic_auth basic;
|
|
|
bb7cd1 |
struct pat_header header;
|
|
|
bb7cd1 |
} auth;
|
|
|
bb7cd1 |
+
|
|
|
bb7cd1 |
+ char *key;
|
|
|
bb7cd1 |
+ char *cert;
|
|
|
bb7cd1 |
+ char *cacert;
|
|
|
bb7cd1 |
+ char *capath;
|
|
|
bb7cd1 |
+ bool verify_peer;
|
|
|
bb7cd1 |
+ bool verify_host;
|
|
|
bb7cd1 |
};
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
static int proxy_get_config_string(struct proxy_context *pctx,
|
|
|
bb7cd1 |
@@ -129,6 +136,38 @@ static int proxy_sec_get_cfg(struct proxy_context *pctx,
|
|
|
bb7cd1 |
}
|
|
|
bb7cd1 |
}
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
+ ret = confdb_get_bool(pctx->cdb, secreq->cfg_section, "verify_peer",
|
|
|
bb7cd1 |
+ true, &cfg->verify_peer);
|
|
|
bb7cd1 |
+ if (ret) goto done;
|
|
|
bb7cd1 |
+ DEBUG(SSSDBG_CONF_SETTINGS, "verify_peer: %s\n",
|
|
|
bb7cd1 |
+ (&cfg->verify_peer ? "true" : "false"));
|
|
|
bb7cd1 |
+
|
|
|
bb7cd1 |
+ ret = confdb_get_bool(pctx->cdb, secreq->cfg_section, "verify_host",
|
|
|
bb7cd1 |
+ true, &cfg->verify_host);
|
|
|
bb7cd1 |
+ if (ret) goto done;
|
|
|
bb7cd1 |
+ DEBUG(SSSDBG_CONF_SETTINGS, "verify_host: %s\n",
|
|
|
bb7cd1 |
+ (&cfg->verify_host ? "true" : "false"));
|
|
|
bb7cd1 |
+
|
|
|
bb7cd1 |
+ ret = proxy_get_config_string(pctx, cfg, false, secreq,
|
|
|
bb7cd1 |
+ "capath", &cfg->capath);
|
|
|
bb7cd1 |
+ if (ret) goto done;
|
|
|
bb7cd1 |
+ DEBUG(SSSDBG_CONF_SETTINGS, "capath: %s\n", cfg->capath);
|
|
|
bb7cd1 |
+
|
|
|
bb7cd1 |
+ ret = proxy_get_config_string(pctx, cfg, false, secreq,
|
|
|
bb7cd1 |
+ "cacert", &cfg->cacert);
|
|
|
bb7cd1 |
+ if (ret) goto done;
|
|
|
bb7cd1 |
+ DEBUG(SSSDBG_CONF_SETTINGS, "cacert: %s\n", cfg->cacert);
|
|
|
bb7cd1 |
+
|
|
|
bb7cd1 |
+ ret = proxy_get_config_string(pctx, cfg, false, secreq,
|
|
|
bb7cd1 |
+ "cert", &cfg->cert);
|
|
|
bb7cd1 |
+ if (ret) goto done;
|
|
|
bb7cd1 |
+ DEBUG(SSSDBG_CONF_SETTINGS, "cert: %s\n", cfg->cert);
|
|
|
bb7cd1 |
+
|
|
|
bb7cd1 |
+ ret = proxy_get_config_string(pctx, cfg, false, secreq,
|
|
|
bb7cd1 |
+ "key", &cfg->key);
|
|
|
bb7cd1 |
+ if (ret) goto done;
|
|
|
bb7cd1 |
+ DEBUG(SSSDBG_CONF_SETTINGS, "key: %s\n", cfg->key);
|
|
|
bb7cd1 |
+
|
|
|
bb7cd1 |
ret = confdb_get_string_as_list(pctx->cdb, cfg, secreq->cfg_section,
|
|
|
bb7cd1 |
"forward_headers", &cfg->fwd_headers);
|
|
|
bb7cd1 |
if ((ret != 0) && (ret != ENOENT)) goto done;
|
|
|
bb7cd1 |
@@ -385,6 +424,22 @@ static errno_t proxy_http_create_request(TALLOC_CTX *mem_ctx,
|
|
|
bb7cd1 |
goto done;
|
|
|
bb7cd1 |
}
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
+ /* Set TLS settings to verify peer.
|
|
|
bb7cd1 |
+ * This has no effect for HTTP protocol so we can set it anyway. */
|
|
|
bb7cd1 |
+ ret = tcurl_req_verify_peer(tcurl_req, pcfg->capath, pcfg->cacert,
|
|
|
bb7cd1 |
+ pcfg->verify_peer, pcfg->verify_host);
|
|
|
bb7cd1 |
+ if (ret != EOK) {
|
|
|
bb7cd1 |
+ goto done;
|
|
|
bb7cd1 |
+ }
|
|
|
bb7cd1 |
+
|
|
|
bb7cd1 |
+ /* Set client's certificate if required. */
|
|
|
bb7cd1 |
+ if (pcfg->cert != NULL) {
|
|
|
bb7cd1 |
+ ret = tcurl_req_set_client_cert(tcurl_req, pcfg->cert, pcfg->key);
|
|
|
bb7cd1 |
+ if (ret != EOK) {
|
|
|
bb7cd1 |
+ goto done;
|
|
|
bb7cd1 |
+ }
|
|
|
bb7cd1 |
+ }
|
|
|
bb7cd1 |
+
|
|
|
bb7cd1 |
talloc_steal(tcurl_req, body);
|
|
|
bb7cd1 |
*_tcurl_req = talloc_steal(mem_ctx, tcurl_req);
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
--
|
|
|
bb7cd1 |
2.9.3
|
|
|
bb7cd1 |
|