Add path exclusion support to mTLS authentication

Signed-off-by: Kacper Rzetelski <[email protected]>

Author: rzetelskik

web/authentication/x509/testdata/client2_selfsigned.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB3DCCAWGgAwIBAgIUJVN8KehL1MmccvLb/mHthSMfnnswCgYIKoZIzj0EAwIw
+EDEOMAwGA1UEAwwFdGVzdDMwIBcNMjMwMTEwMTgxMTAwWhgPMjEyMjEyMTcxODEx
+MDBaMBAxDjAMBgNVBAMMBXRlc3QzMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEf8wC
+qU9e4lPZZqJMA4nJ84rLPdfryoUI8tquBAHtae4yfXP3z6Hz92XdPaS4ZAFDjTLt
+Jsl45KYixNb7y9dtbVoNxNxdDC4ywaoklqkpBGY0I9GEpNzaBll/4DIJvGcgo3ow
+eDAdBgNVHQ4EFgQUvyvu/TnJyRS7OGdujTbWM/W07yMwHwYDVR0jBBgwFoAUvyvu
+/TnJyRS7OGdujTbWM/W07yMwDwYDVR0TAQH/BAUwAwEB/zAQBgNVHREECTAHggV0
+ZXN0MzATBgNVHSUEDDAKBggrBgEFBQcDAjAKBggqhkjOPQQDAgNpADBmAjEAt7HK
+knE2MzwZ2B2dgn1/q3ikWDiO20Hbd97jo3tmv87FcF2vMqqJpHjcldJqplfsAjEA
+sfAz49y6Sf6LNlNS+Fc/lbOOwcrlzC+J5GJ8OmNoQPsvvDvhzGbwFiVw1M2uMqtG
+-----END CERTIFICATE-----

web/authentication/x509/testdata/client_selfsigned.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBxzCCAU2gAwIBAgIUGCNnsX0qd0HD7UaQsx67ze0UaNowCgYIKoZIzj0EAwIw
+DzENMAsGA1UEAwwEdGVzdDAgFw0yMTA4MjAxNDQ5MTRaGA8yMTIxMDcyNzE0NDkx
+NFowDzENMAsGA1UEAwwEdGVzdDB2MBAGByqGSM49AgEGBSuBBAAiA2IABLFRLjQB
+XViHUAEIsKglwb0HxPC/+CDa1TTOp1b0WErYW7Xcx5mRNEksVWAXOWYKPej10hfy
+JSJE/2NiRAbrAcPjiRv01DgDt+OzwM4A0ZYqBj/3qWJKH/Kc8oKhY41bzKNoMGYw
+HQYDVR0OBBYEFPRbKtRBgw+AZ0b6T8oWw/+QoyjaMB8GA1UdIwQYMBaAFPRbKtRB
+gw+AZ0b6T8oWw/+QoyjaMA8GA1UdEwEB/wQFMAMBAf8wEwYDVR0lBAwwCgYIKwYB
+BQUHAwIwCgYIKoZIzj0EAwIDaAAwZQIwZqwXMJiTycZdmLN+Pwk/8Sb7wQazbocb
+16Zw5mZXqFJ4K+74OQMZ33i82hYohtE/AjEAn0a8q8QupgiXpr0I/PvGTRKqLQRM
+0mptBvpn/DcB2p3Hi80GJhtchz9Z0OqbMX4S
+-----END CERTIFICATE-----

web/authentication/x509/x509.go

@@ -0,0 +1,117 @@
+// Copyright 2023 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package x509
+
+import (
+	"crypto/x509"
+	"encoding/hex"
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/prometheus/exporter-toolkit/web/authentication"
+)
+
+type RequireClientCertsFunc func() bool
+
+type VerifyOptionsFunc func() x509.VerifyOptions
+
+type VerifyPeerCertificateFunc func([][]byte, [][]*x509.Certificate) error
+
+type X509Authenticator struct {
+	requireClientCertsFn    RequireClientCertsFunc
+	verifyOptionsFn         VerifyOptionsFunc
+	verifyPeerCertificateFn VerifyPeerCertificateFunc
+}
+
+func columnSeparatedHex(d []byte) string {
+	h := strings.ToUpper(hex.EncodeToString(d))
+	var sb strings.Builder
+	for i, r := range h {
+		sb.WriteRune(r)
+		if i%2 == 1 && i != len(h)-1 {
+			sb.WriteRune(':')
+		}
+	}
+	return sb.String()
+}
+
+func certificateIdentifier(c *x509.Certificate) string {
+	return fmt.Sprintf(
+		"SN=%d, SKID=%s, AKID=%s",
+		c.SerialNumber,
+		columnSeparatedHex(c.SubjectKeyId),
+		columnSeparatedHex(c.AuthorityKeyId),
+	)
+}
+
+func (x *X509Authenticator) Authenticate(r *http.Request) (bool, string, error) {
+	if r.TLS == nil {
+		return false, "No TLS connection state in request", nil
+	}
+
+	if len(r.TLS.PeerCertificates) == 0 && x.requireClientCertsFn() {
+		return false, "A certificate is required to be sent by the client.", nil
+	}
+
+	var verifiedChains [][]*x509.Certificate
+	if len(r.TLS.PeerCertificates) > 0 && x.verifyOptionsFn != nil {
+		opts := x.verifyOptionsFn()
+		if opts.Intermediates == nil && len(r.TLS.PeerCertificates) > 1 {
+			opts.Intermediates = x509.NewCertPool()
+			for _, cert := range r.TLS.PeerCertificates[1:] {
+				opts.Intermediates.AddCert(cert)
+			}
+		}
+
+		chains, err := r.TLS.PeerCertificates[0].Verify(opts)
+		if err != nil {
+			return false, fmt.Sprintf("verifying certificate %s failed: %v", certificateIdentifier(r.TLS.PeerCertificates[0]), err), nil
+		}
+
+		verifiedChains = chains
+	}
+
+	if x.verifyPeerCertificateFn != nil {
+		rawCerts := make([][]byte, 0, len(r.TLS.PeerCertificates))
+		for _, c := range r.TLS.PeerCertificates {
+			rawCerts = append(rawCerts, c.Raw)
+		}
+
+		err := x.verifyPeerCertificateFn(rawCerts, verifiedChains)
+		if err != nil {
+			return false, fmt.Sprintf("verifying peer certificate failed: %v", err), nil
+		}
+	}
+
+	return true, "", nil
+}
+
+func NewX509Authenticator(requireClientCertsFn RequireClientCertsFunc, verifyOptionsFn VerifyOptionsFunc, verifyPeerCertificateFn VerifyPeerCertificateFunc) authentication.Authenticator {
+	return &X509Authenticator{
+		requireClientCertsFn:    requireClientCertsFn,
+		verifyOptionsFn:         verifyOptionsFn,
+		verifyPeerCertificateFn: verifyPeerCertificateFn,
+	}
+}
+
+var _ authentication.Authenticator = &X509Authenticator{}
+
+// DefaultVerifyOptions returns VerifyOptions that use the system root certificates, current time,
+// and requires certificates to be valid for client auth (x509.ExtKeyUsageClientAuth)
+func DefaultVerifyOptions() x509.VerifyOptions {
+	return x509.VerifyOptions{
+		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
+	}
+}

web/authentication/x509/x509_test.go

@@ -0,0 +1,241 @@
+// Copyright 2023 The Prometheus Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package x509
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	_ "embed"
+	"encoding/pem"
+	"errors"
+	"testing"
+
+	"github.com/prometheus/exporter-toolkit/web/authentication/testhelpers"
+)
+
+//go:embed testdata/client_selfsigned.pem
+var clientSelfsignedPEM []byte
+
+//go:embed testdata/client2_selfsigned.pem
+var client2SelfsignedPEM []byte
+
+func TestX509Authenticator_Authenticate(t *testing.T) {
+	t.Parallel()
+
+	tt := []struct {
+		Name string
+
+		RequireClientCertsFn    RequireClientCertsFunc
+		VerifyOptionsFn         VerifyOptionsFunc
+		VerifyPeerCertificateFn VerifyPeerCertificateFunc
+
+		Certs []*x509.Certificate
+
+		ExpectAuthenticated bool
+		ExpectedReason      string
+		ExpectedError       error
+	}{
+		{
+			Name: "Certs not required, certs not provided",
+			RequireClientCertsFn: func() bool {
+				return false
+			},
+			ExpectAuthenticated: true,
+			ExpectedError:       nil,
+		},
+		{
+			Name: "Certs required, certs not provided",
+			RequireClientCertsFn: func() bool {
+				return true
+			},
+			ExpectAuthenticated: false,
+			ExpectedReason:      "A certificate is required to be sent by the client.",
+			ExpectedError:       nil,
+		},
+		{
+			Name: "Certs not required, no verify, selfsigned cert provided",
+			RequireClientCertsFn: func() bool {
+				return false
+			},
+			Certs:               getCerts(t, clientSelfsignedPEM),
+			ExpectAuthenticated: true,
+			ExpectedError:       nil,
+		},
+		{
+			Name: "Certs required, no verify, selfsigned cert provided",
+			RequireClientCertsFn: func() bool {
+				return true
+			},
+			Certs:               getCerts(t, clientSelfsignedPEM),
+			ExpectAuthenticated: true,
+			ExpectedError:       nil,
+		},
+		{
+			Name: "Certs not required, verify, selfsigned cert provided",
+			RequireClientCertsFn: func() bool {
+				return false
+			},
+			VerifyOptionsFn: func() x509.VerifyOptions {
+				opts := DefaultVerifyOptions()
+				opts.Roots = getCertPool(t, clientSelfsignedPEM)
+				return opts
+			},
+			Certs:               getCerts(t, clientSelfsignedPEM),
+			ExpectAuthenticated: true,
+			ExpectedError:       nil,
+		},
+		{
+			Name: "Certs not required, verify, no certs provided",
+			RequireClientCertsFn: func() bool {
+				return false
+			},
+			VerifyOptionsFn: func() x509.VerifyOptions {
+				opts := DefaultVerifyOptions()
+				opts.Roots = getCertPool(t, clientSelfsignedPEM)
+				return opts
+			},
+			ExpectAuthenticated: true,
+			ExpectedError:       nil,
+		},
+		{
+			Name: "Certs required, verify, selfsigned cert provided",
+			RequireClientCertsFn: func() bool {
+				return true
+			},
+			VerifyOptionsFn: func() x509.VerifyOptions {
+				opts := DefaultVerifyOptions()
+				opts.Roots = getCertPool(t, clientSelfsignedPEM)
+				return opts
+			},
+			Certs:               getCerts(t, clientSelfsignedPEM),
+			ExpectAuthenticated: true,
+			ExpectedError:       nil,
+		},
+		{
+			Name: "Certs required, verify, invalid selfsigned cert provided",
+			RequireClientCertsFn: func() bool {
+				return true
+			},
+			VerifyOptionsFn: func() x509.VerifyOptions {
+				opts := DefaultVerifyOptions()
+				opts.Roots = getCertPool(t, clientSelfsignedPEM)
+				return opts
+			},
+			Certs:               getCerts(t, client2SelfsignedPEM),
+			ExpectAuthenticated: false,
+			ExpectedReason: "verifying certificate SN=213094436555767319277040831510558969429548310139," +
+				" SKID=BF:2B:EE:FD:39:C9:C9:14:BB:38:67:6E:8D:36:D6:33:F5:B4:EF:23," +
+				" AKID=BF:2B:EE:FD:39:C9:C9:14:BB:38:67:6E:8D:36:D6:33:F5:B4:EF:23" +
+				" failed: x509: certificate signed by unknown authority",
+			ExpectedError: nil,
+		},
+		{
+			Name: "Certs required, verify, selfsigned cert provided, invalid peer certificate",
+			RequireClientCertsFn: func() bool {
+				return true
+			},
+			VerifyOptionsFn: func() x509.VerifyOptions {
+				opts := DefaultVerifyOptions()
+				opts.Roots = getCertPool(t, clientSelfsignedPEM)
+				return opts
+			},
+			VerifyPeerCertificateFn: func(_ [][]byte, _ [][]*x509.Certificate) error {
+				return errors.New("invalid peer certificate")
+			},
+			Certs:               getCerts(t, clientSelfsignedPEM),
+			ExpectAuthenticated: false,
+			ExpectedReason:      "verifying peer certificate failed: invalid peer certificate",
+			ExpectedError:       nil,
+		},
+		{
+			Name: "RequireAndVerifyClientCert, selfsigned certs, valid peer certificate",
+			RequireClientCertsFn: func() bool {
+				return true
+			},
+			VerifyOptionsFn: func() x509.VerifyOptions {
+				opts := DefaultVerifyOptions()
+				opts.Roots = getCertPool(t, clientSelfsignedPEM)
+				return opts
+			},
+			VerifyPeerCertificateFn: func(_ [][]byte, _ [][]*x509.Certificate) error {
+				return nil
+			},
+			Certs:               getCerts(t, clientSelfsignedPEM),
+			ExpectAuthenticated: true,
+			ExpectedError:       nil,
+		},
+	}
+
+	for _, tc := range tt {
+		t.Run(tc.Name, func(t *testing.T) {
+			t.Parallel()
+
+			req := testhelpers.MakeDefaultRequest(t)
+			req.TLS = &tls.ConnectionState{
+				PeerCertificates: tc.Certs,
+			}
+
+			a := NewX509Authenticator(tc.RequireClientCertsFn, tc.VerifyOptionsFn, tc.VerifyPeerCertificateFn)
+			authenticated, reason, err := a.Authenticate(req)
+
+			if err != nil && tc.ExpectedError == nil {
+				t.Errorf("Got unexpected error: %v", err)
+			}
+
+			if err == nil && tc.ExpectedError != nil {
+				t.Errorf("Expected error %v, got none", tc.ExpectedError)
+			}
+
+			if err != nil && tc.ExpectedError != nil && !errors.Is(err, tc.ExpectedError) {
+				t.Errorf("Expected error %v, got %v", tc.ExpectedError, err)
+			}
+
+			if tc.ExpectedReason != reason {
+				t.Errorf("Expected reason %v, got %v", tc.ExpectedReason, reason)
+			}
+
+			if tc.ExpectAuthenticated != authenticated {
+				t.Errorf("Expected authenticated %v, got %v", tc.ExpectAuthenticated, authenticated)
+			}
+		})
+	}
+}
+
+func getCertPool(t *testing.T, pemData ...[]byte) *x509.CertPool {
+	t.Helper()
+
+	pool := x509.NewCertPool()
+	certs := getCerts(t, pemData...)
+	for _, c := range certs {
+		pool.AddCert(c)
+	}
+
+	return pool
+}
+
+func getCerts(t *testing.T, pemData ...[]byte) []*x509.Certificate {
+	t.Helper()
+
+	certs := make([]*x509.Certificate, 0)
+	for _, pd := range pemData {
+		pemBlock, _ := pem.Decode(pd)
+		cert, err := x509.ParseCertificate(pemBlock.Bytes)
+		if err != nil {
+			t.Fatalf("Error parsing cert: %v", err)
+		}
+		certs = append(certs, cert)
+	}
+
+	return certs
+}

web/testdata/tls_config_noAuth.requireandverifyclientcert.authexcludedpaths.good.yml

@@ -0,0 +1,8 @@
+tls_server_config:
+  cert_file: "server.crt"
+  key_file: "server.key"
+  client_auth_type: "RequireAndVerifyClientCert"
+  client_ca_file: "client_selfsigned.pem"
+
+auth_excluded_paths:
+- "/somepath"