Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature frontend cleartext #390

Merged
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 12 additions & 2 deletions fleetspeak/src/server/components/components.go
Original file line number Diff line number Diff line change
Expand Up @@ -56,8 +56,18 @@
return nil, errors.New("mysql_data_source_name is required")
}
hcfg := cfg.HttpsConfig
if hcfg != nil && (hcfg.ListenAddress == "" || hcfg.Certificates == "" || hcfg.Key == "") {
return nil, errors.New("https_config requires listen_address, certificates and key")
if hcfg != nil {
switch {
case hcfg.GetFrontendConfig().GetCleartextHeaderConfig() != nil,
hcfg.GetFrontendConfig().GetCleartextHeaderChecksumConfig() != nil:
if hcfg.ListenAddress == "" {
return nil, errors.New("http_config requires listen_address")
}
default:
if (hcfg.ListenAddress == "" || hcfg.Certificates == "" || hcfg.Key == "") {
return nil, errors.New("https_config requires listen_address, certificates and key")
}
}
}

acfg := cfg.AdminConfig
Expand Down Expand Up @@ -92,7 +102,7 @@
return nil, fmt.Errorf("failed to listen on [%v]: %v", cfg.HttpsConfig.ListenAddress, err)
}
if cfg.ProxyProtocol {
l = &chttps.ProxyListener{l}

Check failure on line 105 in fleetspeak/src/server/components/components.go

View workflow job for this annotation

GitHub Actions / build-test-linux

github.com/google/fleetspeak/fleetspeak/src/server/components/https.ProxyListener struct literal uses unkeyed fields
}
comm, err = https.NewCommunicator(https.Params{
Listener: l,
Expand Down

Large diffs are not rendered by default.

Original file line number Diff line number Diff line change
Expand Up @@ -101,6 +101,43 @@ message HttpsHeaderChecksumConfig {
string client_certificate_checksum_header = 2;
}

// In this mode Fleetspeak runs in clear text (HTTP). This allows for
// Fleetspeak to be deployed in a Service Mesh behind a side car proxy that
// offers a secure communications channel.
// Fleetspeak accepts a TLS connection from an intermediate actor which
// terminates the TLS protocol (typically a layer 7 load balancer).
// The intermediate actor passes the client certificate it receives from the
// original TLS connection to the frontend via an HTTP header.
// The Fleetspeak frontend uses the certificate passed in this header to
// identify the client.
message CleartextHeaderConfig {
// The name of the HTTP header set by the intermediary that contains the
// forwarded client certificate. Required.
string client_certificate_header = 1;
}

// In this mode Fleetspeak runs in clear text (HTTP). This allows for
// Fleetspeak to be deployed in a Service Mesh behind a side car proxy that
// offers a secure communications channel.
// Fleetspeak accepts a TLS connection from an intermediate actor which
// terminates the TLS protocol (typically a layer 7 load balancer).
// The original client passes the certificate it uses for the TLS protocol to
// the frontend via an HTTP header.
// The intermediate actor passes a SHA256 checksum of client certificate it
// receives from the original TLS connection to the frontend via a second HTTP
// header.
// The Fleetspeak frontend uses the certificate passed passed from the client
// to identify it, and uses the hash from the intermediate actor to verify that
// this certificate was in fact used in the original TLS connection.
message CleartextHeaderChecksumConfig {
// The name of the HTTP header set by the client that contains the original
// client certificate. Required.
string client_certificate_header = 1;
// The name of the HTTP header set by the intermediary that contains the
// client certificate checksum. Required.
string client_certificate_checksum_header = 2;
}

// The frontend config determines how the Fleetspeak frontend communicates with
// clients and how it identifies them.
message FrontendConfig {
Expand All @@ -113,6 +150,8 @@ message FrontendConfig {
MTlsConfig mtls_config = 7;
HttpsHeaderConfig https_header_config = 8;
HttpsHeaderChecksumConfig https_header_checksum_config = 9;
CleartextHeaderConfig cleartext_header_config = 10;
CleartextHeaderChecksumConfig cleartext_header_checksum_config = 11;
}
}

Expand All @@ -124,11 +163,13 @@ message HttpsConfig {
string listen_address = 1;

// A certificate chain which identifies the server to clients. Must lead to a
// certificate known to the clients. x509 format. Required.
// certificate known to the clients. x509 format. Required, if frontend mode is
// not cleartext (ie neither CleartextHeaderConfig nor CleartextHeaderChecksumConfig)
string certificates = 2;

// The private key used to identify the server. Must match the first entry in
// certificates. x509 format. Required.
// certificates. x509 format. Required, if frontend mode is not cleartext
// (ie neither CleartextHeaderConfig nor CleartextHeaderChecksumConfig)
string key = 3;

// If set, disables long running (streaming) connections. This type of
Expand Down
13 changes: 13 additions & 0 deletions fleetspeak/src/server/https/client_certificate.go
Original file line number Diff line number Diff line change
Expand Up @@ -26,8 +26,21 @@ func GetClientCert(req *http.Request, frontendConfig *cpb.FrontendConfig) (*x509
switch {
case frontendConfig.GetMtlsConfig() != nil:
return getCertFromTLS(req)
case frontendConfig.GetCleartextHeaderConfig() != nil:
return getCertFromHeader(frontendConfig.GetCleartextHeaderConfig().GetClientCertificateHeader(), req.Header)
case frontendConfig.GetHttpsHeaderConfig() != nil:
return getCertFromHeader(frontendConfig.GetHttpsHeaderConfig().GetClientCertificateHeader(), req.Header)
case frontendConfig.GetCleartextHeaderChecksumConfig() != nil:
cert, err := getCertFromHeader(frontendConfig.GetCleartextHeaderChecksumConfig().GetClientCertificateHeader(), req.Header)
if err != nil {
return nil, err
}
err = verifyCertSha256Checksum(req.Header.Get(frontendConfig.GetCleartextHeaderChecksumConfig().GetClientCertificateHeader()),
req.Header.Get(frontendConfig.GetCleartextHeaderChecksumConfig().GetClientCertificateChecksumHeader()))
if err != nil {
return nil, err
}
return cert, nil
case frontendConfig.GetHttpsHeaderChecksumConfig() != nil:
cert, err := getCertFromHeader(frontendConfig.GetHttpsHeaderChecksumConfig().GetClientCertificateHeader(), req.Header)
if err != nil {
Expand Down
129 changes: 116 additions & 13 deletions fleetspeak/src/server/https/client_certificate_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@

sha256Binary, err := hex.DecodeString(sha256HexStr)
if err != nil {
fmt.Sprintf("error decoding hexdump: %v\n", err)

Check failure on line 52 in fleetspeak/src/server/https/client_certificate_test.go

View workflow job for this annotation

GitHub Actions / build-test-linux

result of fmt.Sprintf call not used
return ""
}

Expand All @@ -61,7 +61,7 @@
return base64EncodedStr
}

func makeTestClient(t *testing.T) (common.ClientID, *http.Client, []byte, string) {
func makeTestClient(t *testing.T, clearText bool) (common.ClientID, *http.Client, []byte, string) {
serverCert, _, err := comtesting.ServerCert()
if err != nil {
t.Fatal(err)
Expand Down Expand Up @@ -104,20 +104,30 @@
t.Fatal(err)
}

cl := http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
RootCAs: cp,
Certificates: []tls.Certificate{clientCert},
InsecureSkipVerify: true,
},
httpTransport := http.Transport{
TLSClientConfig: &tls.Config{
RootCAs: cp,
Certificates: []tls.Certificate{clientCert},
InsecureSkipVerify: true,
},
Dial: (&net.Dialer{
Timeout: 30 * time.Second,
KeepAlive: 30 * time.Second,
}).Dial,
TLSHandshakeTimeout: 10 * time.Second,
ExpectContinueTimeout: 1 * time.Second,
}
if clearText {
httpTransport = http.Transport{
Dial: (&net.Dialer{
Timeout: 30 * time.Second,
KeepAlive: 30 * time.Second,
}).Dial,
TLSHandshakeTimeout: 10 * time.Second,
ExpectContinueTimeout: 1 * time.Second,
},
}
}
cl := http.Client{
Transport: &httpTransport,
}
return id, &cl, bc, clientCertChecksum
}
Expand Down Expand Up @@ -163,7 +173,7 @@
ts.StartTLS()
defer ts.Close()

_, client, _, _ := makeTestClient(t)
_, client, _, _ := makeTestClient(t, false)

res, err := client.Get(ts.URL)
if err != nil {
Expand Down Expand Up @@ -205,7 +215,7 @@
ts.StartTLS()
defer ts.Close()

_, client, bc, _ := makeTestClient(t)
_, client, bc, _ := makeTestClient(t, false)

clientCert := url.PathEscape(string(bc))
req, err := http.NewRequest(http.MethodGet, ts.URL, nil)
Expand Down Expand Up @@ -255,7 +265,100 @@
ts.StartTLS()
defer ts.Close()

_, client, bc, clientCertChecksum := makeTestClient(t)
_, client, bc, clientCertChecksum := makeTestClient(t, false)

clientCert := url.PathEscape(string(bc))
req, err := http.NewRequest(http.MethodGet, ts.URL, nil)
if err != nil {
t.Fatal(err)
}
req.Header.Set(clientCertHeader, clientCert)
req.Header.Set(clientCertChecksumHeader, clientCertChecksum)

res, err := client.Do(req)
if err != nil {
t.Fatal(err)
}
defer res.Body.Close()
_, err = io.ReadAll(res.Body)
res.Body.Close()
if err != nil {
t.Fatal(err)
}
}

func TestFrontendMode_HEADER_CLEARTEXT(t *testing.T) {
clientCertHeader := "ssl-client-cert"
frontendConfig := &cpb.FrontendConfig{
FrontendMode: &cpb.FrontendConfig_CleartextHeaderConfig{
CleartextHeaderConfig: &cpb.CleartextHeaderConfig{
ClientCertificateHeader: clientCertHeader,
},
},
}
ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
// test the valid frontend mode combination of receiving the client cert in the header
cert, err := GetClientCert(req, frontendConfig)
if err != nil {
t.Fatal(err)
}
// make sure we received the client cert in the header
if cert == nil {
t.Error("Expected client certificate but received none")
}
fmt.Fprintln(w, "Testing Frontend Mode: HEADER_HEADER")
}))
ts.Start()
defer ts.Close()

_, client, bc, _:= makeTestClient(t, false)

clientCert := url.PathEscape(string(bc))
req, err := http.NewRequest(http.MethodGet, ts.URL, nil)
if err != nil {
t.Fatal(err)
}
req.Header.Set(clientCertHeader, clientCert)

res, err := client.Do(req)
if err != nil {
t.Fatal(err)
}
defer res.Body.Close()
_, err = io.ReadAll(res.Body)
res.Body.Close()
if err != nil {
t.Fatal(err)
}
}

func TestFrontendMode_HEADER_CLEARTEXT_CHECKSUM(t *testing.T) {
clientCertHeader := "ssl-client-cert"
clientCertChecksumHeader := "ssl-client-cert-checksum"
frontendConfig := &cpb.FrontendConfig{
FrontendMode: &cpb.FrontendConfig_CleartextHeaderChecksumConfig{
CleartextHeaderChecksumConfig: &cpb.CleartextHeaderChecksumConfig{
ClientCertificateHeader: clientCertHeader,
ClientCertificateChecksumHeader: clientCertChecksumHeader,
},
},
}
ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
// test the valid frontend mode combination of receiving the client cert in the header
cert, err := GetClientCert(req, frontendConfig)
if err != nil {
t.Fatal(err)
}
// make sure we received the client cert in the header
if cert == nil {
t.Error("Expected client certificate but received none")
}
fmt.Fprintln(w, "Testing Frontend Mode: HEADER_CHECKSUM")
}))
ts.Start()
defer ts.Close()

_, client, bc, clientCertChecksum := makeTestClient(t, true)

clientCert := url.PathEscape(string(bc))
req, err := http.NewRequest(http.MethodGet, ts.URL, nil)
Expand Down
57 changes: 33 additions & 24 deletions fleetspeak/src/server/https/https.go
Original file line number Diff line number Diff line change
Expand Up @@ -108,39 +108,43 @@ func NewCommunicator(p Params) (*Communicator, error) {
}

mux := http.NewServeMux()
c, err := tls.X509KeyPair(p.Cert, p.Key)
if err != nil {
return nil, err
}
h := Communicator{
p: p,
hs: http.Server{
Handler: mux,
TLSConfig: &tls.Config{
ClientAuth: tls.RequestClientCert,
Certificates: []tls.Certificate{c},
CipherSuites: []uint16{
// We may as well allow only the strongest (as far as we can guess)
// ciphers. Note that TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is
// required by the https library.
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
// Correctly implementing session tickets means sharing and rotating a
// secret key between servers, with implications if it leaks. Simply
// disable for the moment.
SessionTicketsDisabled: true,
MinVersion: tls.VersionTLS12,
NextProtos: []string{"h2"},
},
ReadTimeout: 20 * time.Minute,
ReadHeaderTimeout: 10 * time.Second,
WriteTimeout: 20 * time.Minute,
IdleTimeout: 30 * time.Second,
},
stopping: make(chan struct{}),
}

if p.FrontendConfig.GetCleartextHeaderConfig() == nil &&
p.FrontendConfig.GetCleartextHeaderChecksumConfig() == nil {
c, err := tls.X509KeyPair(p.Cert, p.Key)
if err != nil {
return nil, err
}
h.hs.TLSConfig = &tls.Config{
ClientAuth: tls.RequestClientCert,
Certificates: []tls.Certificate{c},
CipherSuites: []uint16{
// We may as well allow only the strongest (as far as we can guess)
// ciphers. Note that TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is
// required by the https library.
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
// Correctly implementing session tickets means sharing and rotating a
// secret key between servers, with implications if it leaks. Simply
// disable for the moment.
SessionTicketsDisabled: true,
MinVersion: tls.VersionTLS12,
NextProtos: []string{"h2"},
}
}
mux.Handle("/message", messageServer{&h})
if p.Streaming {
mux.Handle("/streaming-message", newStreamingMessageServer(&h, p.MaxPerClientBatchProcessors))
Expand Down Expand Up @@ -171,8 +175,13 @@ func (c *Communicator) Setup(fs comms.Context) error {
}

func (c *Communicator) Start() error {
go c.serve(tls.NewListener(c.p.Listener, c.hs.TLSConfig))

switch {
case c.p.FrontendConfig.GetCleartextHeaderConfig() != nil,
c.p.FrontendConfig.GetCleartextHeaderChecksumConfig() != nil:
go c.serve(c.p.Listener)
default:
go c.serve(tls.NewListener(c.p.Listener, c.hs.TLSConfig))
}
c.runningLock.Lock()
defer c.runningLock.Unlock()
c.running = true
Expand Down
Loading
Loading