2016-11-10 22:56:29 +00:00
|
|
|
/*
|
|
|
|
|
Copyright 2015 The Kubernetes Authors.
|
|
|
|
|
|
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
you may not use this file except in compliance with the License.
|
|
|
|
|
You may obtain a copy of the License at
|
|
|
|
|
|
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
|
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
See the License for the specific language governing permissions and
|
|
|
|
|
limitations under the License.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
package authtls
|
|
|
|
|
|
|
|
|
|
import (
|
2022-01-10 00:29:12 +00:00
|
|
|
"fmt"
|
2023-08-31 07:36:48 +00:00
|
|
|
"regexp"
|
2022-04-15 19:59:10 +00:00
|
|
|
|
2021-08-21 20:42:00 +00:00
|
|
|
networking "k8s.io/api/networking/v1"
|
2016-11-16 18:24:26 +00:00
|
|
|
|
2017-11-07 22:02:12 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
|
|
|
|
|
ing_errors "k8s.io/ingress-nginx/internal/ingress/errors"
|
|
|
|
|
"k8s.io/ingress-nginx/internal/ingress/resolver"
|
|
|
|
|
"k8s.io/ingress-nginx/internal/k8s"
|
2016-11-10 22:56:29 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
const (
|
2017-11-08 20:58:57 +00:00
|
|
|
defaultAuthTLSDepth = 1
|
|
|
|
|
defaultAuthVerifyClient = "on"
|
2023-07-22 03:32:07 +00:00
|
|
|
|
|
|
|
|
annotationAuthTLSSecret = "auth-tls-secret" //#nosec G101
|
|
|
|
|
annotationAuthTLSVerifyClient = "auth-tls-verify-client"
|
|
|
|
|
annotationAuthTLSVerifyDepth = "auth-tls-verify-depth"
|
|
|
|
|
annotationAuthTLSErrorPage = "auth-tls-error-page"
|
|
|
|
|
annotationAuthTLSPassCertToUpstream = "auth-tls-pass-certificate-to-upstream" //#nosec G101
|
|
|
|
|
annotationAuthTLSMatchCN = "auth-tls-match-cn"
|
2017-10-05 11:26:07 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
var (
|
|
|
|
|
authVerifyClientRegex = regexp.MustCompile(`on|off|optional|optional_no_ca`)
|
2023-08-31 07:36:48 +00:00
|
|
|
redirectRegex = regexp.MustCompile(`^((https?://)?[A-Za-z0-9\-.]*(:\d+)?/[A-Za-z0-9\-.]*)?$`)
|
2016-11-10 22:56:29 +00:00
|
|
|
)
|
|
|
|
|
|
2023-07-22 03:32:07 +00:00
|
|
|
var authTLSAnnotations = parser.Annotation{
|
|
|
|
|
Group: "authentication",
|
|
|
|
|
Annotations: parser.AnnotationFields{
|
|
|
|
|
annotationAuthTLSSecret: {
|
2023-08-31 07:36:48 +00:00
|
|
|
Validator: parser.ValidateRegex(parser.BasicCharsRegex, true),
|
2023-07-22 03:32:07 +00:00
|
|
|
Scope: parser.AnnotationScopeLocation,
|
|
|
|
|
Risk: parser.AnnotationRiskMedium, // Medium as it allows a subset of chars
|
|
|
|
|
Documentation: `This annotation defines the secret that contains the certificate chain of allowed certs`,
|
|
|
|
|
},
|
|
|
|
|
annotationAuthTLSVerifyClient: {
|
2023-08-31 07:36:48 +00:00
|
|
|
Validator: parser.ValidateRegex(authVerifyClientRegex, true),
|
2023-07-22 03:32:07 +00:00
|
|
|
Scope: parser.AnnotationScopeLocation,
|
|
|
|
|
Risk: parser.AnnotationRiskMedium, // Medium as it allows a subset of chars
|
|
|
|
|
Documentation: `This annotation enables verification of client certificates. Can be "on", "off", "optional" or "optional_no_ca"`,
|
|
|
|
|
},
|
|
|
|
|
annotationAuthTLSVerifyDepth: {
|
|
|
|
|
Validator: parser.ValidateInt,
|
|
|
|
|
Scope: parser.AnnotationScopeLocation,
|
|
|
|
|
Risk: parser.AnnotationRiskLow,
|
|
|
|
|
Documentation: `This annotation defines validation depth between the provided client certificate and the Certification Authority chain.`,
|
|
|
|
|
},
|
|
|
|
|
annotationAuthTLSErrorPage: {
|
2023-08-31 07:36:48 +00:00
|
|
|
Validator: parser.ValidateRegex(redirectRegex, true),
|
2023-07-22 03:32:07 +00:00
|
|
|
Scope: parser.AnnotationScopeLocation,
|
|
|
|
|
Risk: parser.AnnotationRiskHigh,
|
|
|
|
|
Documentation: `This annotation defines the URL/Page that user should be redirected in case of a Certificate Authentication Error`,
|
|
|
|
|
},
|
|
|
|
|
annotationAuthTLSPassCertToUpstream: {
|
|
|
|
|
Validator: parser.ValidateBool,
|
|
|
|
|
Scope: parser.AnnotationScopeLocation,
|
|
|
|
|
Risk: parser.AnnotationRiskLow,
|
|
|
|
|
Documentation: `This annotation defines if the received certificates should be passed or not to the upstream server in the header "ssl-client-cert"`,
|
|
|
|
|
},
|
|
|
|
|
annotationAuthTLSMatchCN: {
|
2024-01-04 14:56:57 +00:00
|
|
|
Validator: parser.CommonNameAnnotationValidator,
|
2023-07-22 03:32:07 +00:00
|
|
|
Scope: parser.AnnotationScopeLocation,
|
|
|
|
|
Risk: parser.AnnotationRiskHigh,
|
|
|
|
|
Documentation: `This annotation adds a sanity check for the CN of the client certificate that is sent over using a string / regex starting with "CN="`,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
2018-05-31 06:18:08 +00:00
|
|
|
// Config contains the AuthSSLCert used for mutual authentication
|
2017-02-06 18:16:36 +00:00
|
|
|
// and the configured ValidationDepth
|
2017-11-07 16:36:51 +00:00
|
|
|
type Config struct {
|
2017-08-22 20:16:59 +00:00
|
|
|
resolver.AuthSSLCert
|
2017-11-18 00:28:45 +00:00
|
|
|
VerifyClient string `json:"verify_client"`
|
|
|
|
|
ValidationDepth int `json:"validationDepth"`
|
|
|
|
|
ErrorPage string `json:"errorPage"`
|
|
|
|
|
PassCertToUpstream bool `json:"passCertToUpstream"`
|
2022-04-15 19:59:10 +00:00
|
|
|
MatchCN string `json:"matchCN"`
|
2018-02-25 20:20:14 +00:00
|
|
|
AuthTLSError string
|
2016-12-29 20:02:06 +00:00
|
|
|
}
|
|
|
|
|
|
2017-11-07 16:36:51 +00:00
|
|
|
// Equal tests for equality between two Config types
|
|
|
|
|
func (assl1 *Config) Equal(assl2 *Config) bool {
|
2017-06-14 21:33:12 +00:00
|
|
|
if assl1 == assl2 {
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
if assl1 == nil || assl2 == nil {
|
|
|
|
|
return false
|
|
|
|
|
}
|
2017-06-14 23:40:25 +00:00
|
|
|
if !(&assl1.AuthSSLCert).Equal(&assl2.AuthSSLCert) {
|
2017-06-14 21:33:12 +00:00
|
|
|
return false
|
|
|
|
|
}
|
2017-10-05 11:26:07 +00:00
|
|
|
if assl1.VerifyClient != assl2.VerifyClient {
|
|
|
|
|
return false
|
|
|
|
|
}
|
2017-06-14 21:33:12 +00:00
|
|
|
if assl1.ValidationDepth != assl2.ValidationDepth {
|
|
|
|
|
return false
|
|
|
|
|
}
|
2017-09-03 20:12:03 +00:00
|
|
|
if assl1.ErrorPage != assl2.ErrorPage {
|
|
|
|
|
return false
|
|
|
|
|
}
|
2017-11-18 00:28:45 +00:00
|
|
|
if assl1.PassCertToUpstream != assl2.PassCertToUpstream {
|
|
|
|
|
return false
|
|
|
|
|
}
|
2024-07-01 20:48:24 +00:00
|
|
|
if assl1.MatchCN != assl2.MatchCN {
|
|
|
|
|
return false
|
|
|
|
|
}
|
2017-11-18 00:28:45 +00:00
|
|
|
|
2017-06-14 21:33:12 +00:00
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
|
2016-12-29 20:02:06 +00:00
|
|
|
// NewParser creates a new TLS authentication annotation parser
|
2023-08-31 07:36:48 +00:00
|
|
|
func NewParser(r resolver.Resolver) parser.IngressAnnotation {
|
2023-07-22 03:32:07 +00:00
|
|
|
return authTLS{
|
2023-08-31 07:36:48 +00:00
|
|
|
r: r,
|
2023-07-22 03:32:07 +00:00
|
|
|
annotationConfig: authTLSAnnotations,
|
|
|
|
|
}
|
2016-12-29 20:02:06 +00:00
|
|
|
}
|
|
|
|
|
|
2017-02-06 18:16:36 +00:00
|
|
|
type authTLS struct {
|
2023-07-22 03:32:07 +00:00
|
|
|
r resolver.Resolver
|
|
|
|
|
annotationConfig parser.Annotation
|
2017-02-06 18:16:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Parse parses the annotations contained in the ingress
|
|
|
|
|
// rule used to use a Certificate as authentication method
|
2019-06-09 22:49:59 +00:00
|
|
|
func (a authTLS) Parse(ing *networking.Ingress) (interface{}, error) {
|
2018-11-30 22:56:11 +00:00
|
|
|
var err error
|
|
|
|
|
config := &Config{}
|
2017-02-06 18:16:36 +00:00
|
|
|
|
2023-07-22 03:32:07 +00:00
|
|
|
tlsauthsecret, err := parser.GetStringAnnotation(annotationAuthTLSSecret, ing, a.annotationConfig.Annotations)
|
2016-11-10 22:56:29 +00:00
|
|
|
if err != nil {
|
2017-11-07 16:36:51 +00:00
|
|
|
return &Config{}, err
|
2016-11-10 22:56:29 +00:00
|
|
|
}
|
|
|
|
|
|
2023-07-22 03:32:07 +00:00
|
|
|
ns, _, err := k8s.ParseNameNS(tlsauthsecret)
|
2016-11-10 22:56:29 +00:00
|
|
|
if err != nil {
|
2017-11-07 16:36:51 +00:00
|
|
|
return &Config{}, ing_errors.NewLocationDenied(err.Error())
|
2017-02-06 18:16:36 +00:00
|
|
|
}
|
2023-07-22 03:32:07 +00:00
|
|
|
if ns == "" {
|
|
|
|
|
ns = ing.Namespace
|
|
|
|
|
}
|
|
|
|
|
secCfg := a.r.GetSecurityConfiguration()
|
|
|
|
|
// We don't accept different namespaces for secrets.
|
|
|
|
|
if !secCfg.AllowCrossNamespaceResources && ns != ing.Namespace {
|
|
|
|
|
return &Config{}, ing_errors.NewLocationDenied("cross namespace secrets are not supported")
|
|
|
|
|
}
|
2017-02-06 18:16:36 +00:00
|
|
|
|
2017-11-08 20:58:57 +00:00
|
|
|
authCert, err := a.r.GetAuthCertificate(tlsauthsecret)
|
2017-01-12 22:00:42 +00:00
|
|
|
if err != nil {
|
2022-01-10 00:29:12 +00:00
|
|
|
e := fmt.Errorf("error obtaining certificate: %w", err)
|
2023-08-31 07:36:48 +00:00
|
|
|
return &Config{}, ing_errors.LocationDeniedError{Reason: e}
|
2017-01-12 22:00:42 +00:00
|
|
|
}
|
2018-11-30 22:56:11 +00:00
|
|
|
config.AuthSSLCert = *authCert
|
|
|
|
|
|
2023-07-22 03:32:07 +00:00
|
|
|
config.VerifyClient, err = parser.GetStringAnnotation(annotationAuthTLSVerifyClient, ing, a.annotationConfig.Annotations)
|
|
|
|
|
// We can set a default value here in case of validation error
|
2018-11-30 22:56:11 +00:00
|
|
|
if err != nil || !authVerifyClientRegex.MatchString(config.VerifyClient) {
|
|
|
|
|
config.VerifyClient = defaultAuthVerifyClient
|
|
|
|
|
}
|
|
|
|
|
|
2023-07-22 03:32:07 +00:00
|
|
|
config.ValidationDepth, err = parser.GetIntAnnotation(annotationAuthTLSVerifyDepth, ing, a.annotationConfig.Annotations)
|
|
|
|
|
// We can set a default value here in case of validation error
|
2018-11-30 22:56:11 +00:00
|
|
|
if err != nil || config.ValidationDepth == 0 {
|
|
|
|
|
config.ValidationDepth = defaultAuthTLSDepth
|
|
|
|
|
}
|
2017-01-12 22:00:42 +00:00
|
|
|
|
2023-07-22 03:32:07 +00:00
|
|
|
config.ErrorPage, err = parser.GetStringAnnotation(annotationAuthTLSErrorPage, ing, a.annotationConfig.Annotations)
|
2018-12-02 18:35:12 +00:00
|
|
|
if err != nil {
|
2023-07-22 03:32:07 +00:00
|
|
|
if ing_errors.IsValidationError(err) {
|
|
|
|
|
return &Config{}, err
|
|
|
|
|
}
|
2018-11-30 22:56:11 +00:00
|
|
|
config.ErrorPage = ""
|
2017-09-03 20:12:03 +00:00
|
|
|
}
|
|
|
|
|
|
2023-07-22 03:32:07 +00:00
|
|
|
config.PassCertToUpstream, err = parser.GetBoolAnnotation(annotationAuthTLSPassCertToUpstream, ing, a.annotationConfig.Annotations)
|
2017-11-18 00:28:45 +00:00
|
|
|
if err != nil {
|
2023-07-22 03:32:07 +00:00
|
|
|
if ing_errors.IsValidationError(err) {
|
|
|
|
|
return &Config{}, err
|
|
|
|
|
}
|
2018-11-30 22:56:11 +00:00
|
|
|
config.PassCertToUpstream = false
|
2017-11-18 00:28:45 +00:00
|
|
|
}
|
|
|
|
|
|
2023-07-22 03:32:07 +00:00
|
|
|
config.MatchCN, err = parser.GetStringAnnotation(annotationAuthTLSMatchCN, ing, a.annotationConfig.Annotations)
|
|
|
|
|
if err != nil {
|
|
|
|
|
if ing_errors.IsValidationError(err) {
|
|
|
|
|
return &Config{}, err
|
|
|
|
|
}
|
2022-04-15 19:59:10 +00:00
|
|
|
config.MatchCN = ""
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-30 22:56:11 +00:00
|
|
|
return config, nil
|
2016-11-10 22:56:29 +00:00
|
|
|
}
|
2023-07-22 03:32:07 +00:00
|
|
|
|
|
|
|
|
func (a authTLS) GetDocumentation() parser.AnnotationFields {
|
|
|
|
|
return a.annotationConfig.Annotations
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a authTLS) Validate(anns map[string]string) error {
|
|
|
|
|
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
|
|
|
|
return parser.CheckAnnotationRisk(anns, maxrisk, authTLSAnnotations.Annotations)
|
|
|
|
|
}
|
