From d35f47a4e50feeb2b54c1621d0c2f5b15cd275eb Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>

Date: Tue, 28 Feb 2017 11:47:32 +0100

Subject: [PATCH 85/90] secrets: allow to configure certificate check

Some users may want to use TLS with unverified peer (for example if

they use self-signed certificate) or if unverified hostname (if

certificate hostname does not match with the real hostname). On the

other side it may be useful to point to a directory containing custom

certificate authorities.

This patch add three new options to secrets responder:

verify_peer => peer's certificate must be valid

verify_host => hostnames must match

capath => path to directory containing CA certs

cacert => ca certificate

cert => client certificate

key => client private key

Resolves:

https://pagure.io/SSSD/sssd/issue/3192

Reviewed-by: Simo Sorce <simo@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

(cherry picked from commit 720e1a5b95a953a0f1c8315bbb7c9c1edf9fb417)

---

 src/config/SSSDConfig/__init__.py.in |  6 +++

 src/config/cfg_rules.ini             |  6 +++

 src/config/etc/sssd.api.conf         |  6 +++

 src/man/sssd-secrets.5.xml           | 76 ++++++++++++++++++++++++++++++++++++

 src/responder/secrets/proxy.c        | 55 ++++++++++++++++++++++++++

 5 files changed, 149 insertions(+)

diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in

index 211338778e81c1c60ffb3cdbc67c9619343d7798..75515ab5c68822538728900482296b9159e1547e 100644

--- a/src/config/SSSDConfig/__init__.py.in

+++ b/src/config/SSSDConfig/__init__.py.in

@@ -137,6 +137,12 @@ option_strings = {

     'forward_headers': _('The list of the headers to forward to the Custodia server together with the request'),

     'username': _('The username to use when authenticating to a Custodia server using basic_auth'),

     'password': _('The password to use when authenticating to a Custodia server using basic_auth'),

+    'verify_peer': _('If true peer\'s certificate is verified if proxy_url uses https protocol'),

+    'verify_host': _('If false peer\'s certificate may contain different hostname then proxy_url when https protocol is used'),

+    'capath': _('Path to directory where certificate authority certificates are stored'),

+    'cacert': _('Path to file containing server\'s CA certificate'),

+    'cert': _('Path to file containing client\'s certificate'),

+    'key': _('Path to file containing client\'s private key'),

     # [provider]

     'id_provider' : _('Identity provider'),

diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini

index 1a749db754cedd87f263f7ae596d6f8238bb4357..e47ff33242d6a9e5979fe0eb8eea14c2af28685a 100644

--- a/src/config/cfg_rules.ini

+++ b/src/config/cfg_rules.ini

@@ -265,6 +265,12 @@ option = auth_header_value

 option = forward_headers

 option = username

 option = password

+option = verify_peer

+option = verify_host

+option = capath

+option = cacert

+option = cert

+option = key

 # KCM responder

 [rule/allowed_kcm_options]

diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf

index a1a0c2992925a4c7df86832117eec2a0cf7894c9..f86589ecefa0b9e046aba781ded107f8e94395d6 100644

--- a/src/config/etc/sssd.api.conf

+++ b/src/config/etc/sssd.api.conf

@@ -114,6 +114,12 @@ auth_header_value = str, None, false

 forward_headers = list, None, false

 username = str, None, false

 password = str, None, false

+verify_peer = bool, None, false

+verify_host = bool, None, false

+capath = str, None, false

+cacert = str, None, false

+cert = str, None, false

+key = str, None, false

 [provider]

 #Available provider types

diff --git a/src/man/sssd-secrets.5.xml b/src/man/sssd-secrets.5.xml

index 80e9c405921e1fb46a3d172d9873deebfa5ed2ce..44a86c3fb56a8bdebebd01e9f49ad171986282a4 100644

--- a/src/man/sssd-secrets.5.xml

+++ b/src/man/sssd-secrets.5.xml

@@ -273,6 +273,82 @@ systemctl enable sssd-secrets.service

                 </para>

                 </listitem>

             </varlistentry>

+            <varlistentry>

+                <term>verify_peer (boolean)</term>

+                <listitem>

+                <para>

+                    Whether peer's certificate should be verified and valid

+                    if HTTPS protocol is used with the proxy provider.

+                </para>

+                <para>

+                    Default: true

+                </para>

+                </listitem>

+            </varlistentry>

+            <varlistentry>

+                <term>verify_host (boolean)</term>

+                <listitem>

+                <para>

+                    Whether peer's hostname must match with hostname in

+                    its certificate if HTTPS protocol is used with the

+                    proxy provider.

+                </para>

+                <para>

+                    Default: true

+                </para>

+                </listitem>

+            </varlistentry>

+            <varlistentry>

+                <term>capath (string)</term>

+                <listitem>

+                <para>

+                    Path to directory containing stored certificate authority

+                    certificates. System default path is used if this option is

+                    not set.

+                </para>

+                <para>

+                    Default: not set

+                </para>

+                </listitem>

+            </varlistentry>

+            <varlistentry>

+                <term>cacert (string)</term>

+                <listitem>

+                <para>

+                    Path to file containing server's certificate authority

+                    certificate. If this option is not set then the CA's

+                    certificate is looked up in <quote>capath</quote>.

+                </para>

+                <para>

+                    Default: not set

+                </para>

+                </listitem>

+            </varlistentry>

+            <varlistentry>

+                <term>cert (string)</term>

+                <listitem>

+                <para>

+                    Path to file containing client's certificate if required

+                    by the server. This file may also contain private key or

+                    the private key may be in separate file set with

+                    <quote>key</quote>.

+                </para>

+                <para>

+                    Default: not set

+                </para>

+                </listitem>

+            </varlistentry>

+            <varlistentry>

+                <term>key (string)</term>

+                <listitem>

+                <para>

+                    Path to file containing client's private key.

+                </para>

+                <para>

+                    Default: not set

+                </para>

+                </listitem>

+            </varlistentry>

         </variablelist>

     </refsect1>

     <refsect1 id='restapi'>

diff --git a/src/responder/secrets/proxy.c b/src/responder/secrets/proxy.c

index 3c495716010ac468c9e2f1fb6356529a8dbdc614..240a1de1e431d511a1eca24d8b463c37ba893e7b 100644

--- a/src/responder/secrets/proxy.c

+++ b/src/responder/secrets/proxy.c

@@ -59,6 +59,13 @@ struct proxy_cfg {

         struct pat_basic_auth basic;

         struct pat_header header;

     } auth;

+

+    char *key;

+    char *cert;

+    char *cacert;

+    char *capath;

+    bool verify_peer;

+    bool verify_host;

 };

 static int proxy_get_config_string(struct proxy_context *pctx,

@@ -129,6 +136,38 @@ static int proxy_sec_get_cfg(struct proxy_context *pctx,

         }

     }

+    ret = confdb_get_bool(pctx->cdb, secreq->cfg_section, "verify_peer",

+                          true, &cfg->verify_peer);

+    if (ret) goto done;

+    DEBUG(SSSDBG_CONF_SETTINGS, "verify_peer: %s\n",

+          (&cfg->verify_peer ? "true" : "false"));

+

+    ret = confdb_get_bool(pctx->cdb, secreq->cfg_section, "verify_host",

+                          true, &cfg->verify_host);

+    if (ret) goto done;

+    DEBUG(SSSDBG_CONF_SETTINGS, "verify_host: %s\n",

+          (&cfg->verify_host ? "true" : "false"));

+

+    ret = proxy_get_config_string(pctx, cfg, false, secreq,

+                                  "capath", &cfg->capath);

+    if (ret) goto done;

+    DEBUG(SSSDBG_CONF_SETTINGS, "capath: %s\n", cfg->capath);

+

+    ret = proxy_get_config_string(pctx, cfg, false, secreq,

+                                  "cacert", &cfg->cacert);

+    if (ret) goto done;

+    DEBUG(SSSDBG_CONF_SETTINGS, "cacert: %s\n", cfg->cacert);

+

+    ret = proxy_get_config_string(pctx, cfg, false, secreq,

+                                  "cert", &cfg->cert);

+    if (ret) goto done;

+    DEBUG(SSSDBG_CONF_SETTINGS, "cert: %s\n", cfg->cert);

+

+    ret = proxy_get_config_string(pctx, cfg, false, secreq,

+                                  "key", &cfg->key);

+    if (ret) goto done;

+    DEBUG(SSSDBG_CONF_SETTINGS, "key: %s\n", cfg->key);

+

     ret = confdb_get_string_as_list(pctx->cdb, cfg, secreq->cfg_section,

                                     "forward_headers", &cfg->fwd_headers);

     if ((ret != 0) && (ret != ENOENT)) goto done;

@@ -385,6 +424,22 @@ static errno_t proxy_http_create_request(TALLOC_CTX *mem_ctx,

         goto done;

     }

+    /* Set TLS settings to verify peer.

+     * This has no effect for HTTP protocol so we can set it anyway. */

+    ret = tcurl_req_verify_peer(tcurl_req, pcfg->capath, pcfg->cacert,

+                                pcfg->verify_peer, pcfg->verify_host);

+    if (ret != EOK) {

+        goto done;

+    }

+

+    /* Set client's certificate if required. */

+    if (pcfg->cert != NULL) {

+        ret = tcurl_req_set_client_cert(tcurl_req, pcfg->cert, pcfg->key);

+        if (ret != EOK) {

+            goto done;

+        }

+    }

+

     talloc_steal(tcurl_req, body);

     *_tcurl_req = talloc_steal(mem_ctx, tcurl_req);

-- 

2.9.3