From d35f47a4e50feeb2b54c1621d0c2f5b15cd275eb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 28 Feb 2017 11:47:32 +0100
Subject: [PATCH 85/90] secrets: allow to configure certificate check
Some users may want to use TLS with unverified peer (for example if
they use self-signed certificate) or if unverified hostname (if
certificate hostname does not match with the real hostname). On the
other side it may be useful to point to a directory containing custom
certificate authorities.
This patch add three new options to secrets responder:
verify_peer => peer's certificate must be valid
verify_host => hostnames must match
capath => path to directory containing CA certs
cacert => ca certificate
cert => client certificate
key => client private key
Resolves:
https://pagure.io/SSSD/sssd/issue/3192
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 720e1a5b95a953a0f1c8315bbb7c9c1edf9fb417)
---
src/config/SSSDConfig/__init__.py.in | 6 +++
src/config/cfg_rules.ini | 6 +++
src/config/etc/sssd.api.conf | 6 +++
src/man/sssd-secrets.5.xml | 76 ++++++++++++++++++++++++++++++++++++
src/responder/secrets/proxy.c | 55 ++++++++++++++++++++++++++
5 files changed, 149 insertions(+)
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 211338778e81c1c60ffb3cdbc67c9619343d7798..75515ab5c68822538728900482296b9159e1547e 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -137,6 +137,12 @@ option_strings = {
'forward_headers': _('The list of the headers to forward to the Custodia server together with the request'),
'username': _('The username to use when authenticating to a Custodia server using basic_auth'),
'password': _('The password to use when authenticating to a Custodia server using basic_auth'),
+ 'verify_peer': _('If true peer\'s certificate is verified if proxy_url uses https protocol'),
+ 'verify_host': _('If false peer\'s certificate may contain different hostname then proxy_url when https protocol is used'),
+ 'capath': _('Path to directory where certificate authority certificates are stored'),
+ 'cacert': _('Path to file containing server\'s CA certificate'),
+ 'cert': _('Path to file containing client\'s certificate'),
+ 'key': _('Path to file containing client\'s private key'),
# [provider]
'id_provider' : _('Identity provider'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 1a749db754cedd87f263f7ae596d6f8238bb4357..e47ff33242d6a9e5979fe0eb8eea14c2af28685a 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -265,6 +265,12 @@ option = auth_header_value
option = forward_headers
option = username
option = password
+option = verify_peer
+option = verify_host
+option = capath
+option = cacert
+option = cert
+option = key
# KCM responder
[rule/allowed_kcm_options]
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index a1a0c2992925a4c7df86832117eec2a0cf7894c9..f86589ecefa0b9e046aba781ded107f8e94395d6 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -114,6 +114,12 @@ auth_header_value = str, None, false
forward_headers = list, None, false
username = str, None, false
password = str, None, false
+verify_peer = bool, None, false
+verify_host = bool, None, false
+capath = str, None, false
+cacert = str, None, false
+cert = str, None, false
+key = str, None, false
[provider]
#Available provider types
diff --git a/src/man/sssd-secrets.5.xml b/src/man/sssd-secrets.5.xml
index 80e9c405921e1fb46a3d172d9873deebfa5ed2ce..44a86c3fb56a8bdebebd01e9f49ad171986282a4 100644
--- a/src/man/sssd-secrets.5.xml
+++ b/src/man/sssd-secrets.5.xml
@@ -273,6 +273,82 @@ systemctl enable sssd-secrets.service
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>verify_peer (boolean)</term>
+ <listitem>
+ <para>
+ Whether peer's certificate should be verified and valid
+ if HTTPS protocol is used with the proxy provider.
+ </para>
+ <para>
+ Default: true
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>verify_host (boolean)</term>
+ <listitem>
+ <para>
+ Whether peer's hostname must match with hostname in
+ its certificate if HTTPS protocol is used with the
+ proxy provider.
+ </para>
+ <para>
+ Default: true
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>capath (string)</term>
+ <listitem>
+ <para>
+ Path to directory containing stored certificate authority
+ certificates. System default path is used if this option is
+ not set.
+ </para>
+ <para>
+ Default: not set
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>cacert (string)</term>
+ <listitem>
+ <para>
+ Path to file containing server's certificate authority
+ certificate. If this option is not set then the CA's
+ certificate is looked up in <quote>capath</quote>.
+ </para>
+ <para>
+ Default: not set
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>cert (string)</term>
+ <listitem>
+ <para>
+ Path to file containing client's certificate if required
+ by the server. This file may also contain private key or
+ the private key may be in separate file set with
+ <quote>key</quote>.
+ </para>
+ <para>
+ Default: not set
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>key (string)</term>
+ <listitem>
+ <para>
+ Path to file containing client's private key.
+ </para>
+ <para>
+ Default: not set
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
<refsect1 id='restapi'>
diff --git a/src/responder/secrets/proxy.c b/src/responder/secrets/proxy.c
index 3c495716010ac468c9e2f1fb6356529a8dbdc614..240a1de1e431d511a1eca24d8b463c37ba893e7b 100644
--- a/src/responder/secrets/proxy.c
+++ b/src/responder/secrets/proxy.c
@@ -59,6 +59,13 @@ struct proxy_cfg {
struct pat_basic_auth basic;
struct pat_header header;
} auth;
+
+ char *key;
+ char *cert;
+ char *cacert;
+ char *capath;
+ bool verify_peer;
+ bool verify_host;
};
static int proxy_get_config_string(struct proxy_context *pctx,
@@ -129,6 +136,38 @@ static int proxy_sec_get_cfg(struct proxy_context *pctx,
}
}
+ ret = confdb_get_bool(pctx->cdb, secreq->cfg_section, "verify_peer",
+ true, &cfg->verify_peer);
+ if (ret) goto done;
+ DEBUG(SSSDBG_CONF_SETTINGS, "verify_peer: %s\n",
+ (&cfg->verify_peer ? "true" : "false"));
+
+ ret = confdb_get_bool(pctx->cdb, secreq->cfg_section, "verify_host",
+ true, &cfg->verify_host);
+ if (ret) goto done;
+ DEBUG(SSSDBG_CONF_SETTINGS, "verify_host: %s\n",
+ (&cfg->verify_host ? "true" : "false"));
+
+ ret = proxy_get_config_string(pctx, cfg, false, secreq,
+ "capath", &cfg->capath);
+ if (ret) goto done;
+ DEBUG(SSSDBG_CONF_SETTINGS, "capath: %s\n", cfg->capath);
+
+ ret = proxy_get_config_string(pctx, cfg, false, secreq,
+ "cacert", &cfg->cacert);
+ if (ret) goto done;
+ DEBUG(SSSDBG_CONF_SETTINGS, "cacert: %s\n", cfg->cacert);
+
+ ret = proxy_get_config_string(pctx, cfg, false, secreq,
+ "cert", &cfg->cert);
+ if (ret) goto done;
+ DEBUG(SSSDBG_CONF_SETTINGS, "cert: %s\n", cfg->cert);
+
+ ret = proxy_get_config_string(pctx, cfg, false, secreq,
+ "key", &cfg->key);
+ if (ret) goto done;
+ DEBUG(SSSDBG_CONF_SETTINGS, "key: %s\n", cfg->key);
+
ret = confdb_get_string_as_list(pctx->cdb, cfg, secreq->cfg_section,
"forward_headers", &cfg->fwd_headers);
if ((ret != 0) && (ret != ENOENT)) goto done;
@@ -385,6 +424,22 @@ static errno_t proxy_http_create_request(TALLOC_CTX *mem_ctx,
goto done;
}
+ /* Set TLS settings to verify peer.
+ * This has no effect for HTTP protocol so we can set it anyway. */
+ ret = tcurl_req_verify_peer(tcurl_req, pcfg->capath, pcfg->cacert,
+ pcfg->verify_peer, pcfg->verify_host);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ /* Set client's certificate if required. */
+ if (pcfg->cert != NULL) {
+ ret = tcurl_req_set_client_cert(tcurl_req, pcfg->cert, pcfg->key);
+ if (ret != EOK) {
+ goto done;
+ }
+ }
+
talloc_steal(tcurl_req, body);
*_tcurl_req = talloc_steal(mem_ctx, tcurl_req);
--
2.9.3