diff --git a/go.mod b/go.mod
index 141a4d2d..27c53ddb 100644
--- a/go.mod
+++ b/go.mod
@@ -16,7 +16,6 @@ require (
 	github.com/prometheus/client_golang v1.19.1
 	github.com/rivo/tview v0.0.0-20240625185742-b0a7293b8130
 	github.com/rs/cors v1.11.0
-	github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce
 	github.com/transparency-dev/formats v0.0.0-20240715203801-9ff9b9e3905f
 	github.com/transparency-dev/merkle v0.0.2
 	golang.org/x/exp v0.0.0-20231006140011-7918f672742d
diff --git a/go.sum b/go.sum
index 55cb0525..2c1a580d 100644
--- a/go.sum
+++ b/go.sum
@@ -968,8 +968,6 @@ github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o
 github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce h1:fb190+cK2Xz/dvi9Hv8eCYJYvIGUTN2/KLq1pT6CjEc=
-github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce/go.mod h1:o8v6yHRoik09Xen7gje4m9ERNah1d1PPsVq1VEx9vE4=
 github.com/transparency-dev/formats v0.0.0-20240715203801-9ff9b9e3905f h1:NKx8BtgVYeC75VJqlsdn1DAcbmSSDQCeDw8by0m6sbA=
 github.com/transparency-dev/formats v0.0.0-20240715203801-9ff9b9e3905f/go.mod h1:D/QMvgv1kz9Q1TfUcDnUcDPsiSbtLV8q8LvTCdcvygw=
 github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4=
diff --git a/personalities/sctfe/cert_quota.go b/personalities/sctfe/cert_quota.go
deleted file mode 100644
index d4d916cc..00000000
--- a/personalities/sctfe/cert_quota.go
+++ /dev/null
@@ -1,43 +0,0 @@
-// Copyright 2018 Google LLC. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package sctfe
-
-import (
-	"crypto/sha256"
-	"encoding/hex"
-	"fmt"
-	"strings"
-
-	"github.com/google/certificate-transparency-go/x509"
-)
-
-// CertificateQuotaUserPrefix is prepended to all User quota ids association
-// with intermediate certificates.
-const CertificateQuotaUserPrefix = "@intermediate"
-
-// QuotaUserForCert returns a User quota id string for the passed in
-// certificate.
-// This is intended to be used for quota limiting by intermediate certificates,
-// but the function does not enforce anything about the passed in cert.
-//
-// Format returned is:
-//
-// "CertificateQuotaUserPrefix Subject hex(SHA256(SubjectPublicKeyInfo)[0:5])"
-//
-// See tests for examples.
-func QuotaUserForCert(c *x509.Certificate) string {
-	spkiHash := sha256.Sum256(c.RawSubjectPublicKeyInfo)
-	return fmt.Sprintf("%s %s %s", CertificateQuotaUserPrefix, strings.ReplaceAll(c.Subject.String(), "/", "%2F"), hex.EncodeToString(spkiHash[0:5]))
-}
diff --git a/personalities/sctfe/cert_quota_test.go b/personalities/sctfe/cert_quota_test.go
deleted file mode 100644
index d9614e5e..00000000
--- a/personalities/sctfe/cert_quota_test.go
+++ /dev/null
@@ -1,57 +0,0 @@
-// Copyright 2018 Google LLC. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package sctfe
-
-import (
-	"testing"
-
-	"github.com/google/certificate-transparency-go/x509"
-	"github.com/google/certificate-transparency-go/x509util"
-	"github.com/transparency-dev/trillian-tessera/personalities/sctfe/testdata"
-)
-
-func mustDePEM(t *testing.T, pem string) *x509.Certificate {
-	t.Helper()
-	c, err := x509util.CertificateFromPEM([]byte(pem))
-	if x509.IsFatal(err) {
-		t.Fatalf("Failed to parse PEM: %v", err)
-	}
-	return c
-}
-
-func TestQuotaUserForCert(t *testing.T) {
-	for _, test := range []struct {
-		desc string
-		cert *x509.Certificate
-		want string
-	}{
-		{
-			desc: "cacert",
-			cert: mustDePEM(t, testdata.CACertPEM),
-			want: "@intermediate O=Certificate Transparency CA,L=Erw Wen,ST=Wales,C=GB 02adddca08",
-		},
-		{
-			desc: "intermediate",
-			cert: mustDePEM(t, testdata.FakeIntermediateCertPEM),
-			want: "@intermediate CN=FakeIntermediateAuthority,OU=Eng,O=Google,L=London,ST=London,C=GB 6e62e56f67",
-		},
-	} {
-		t.Run(test.desc, func(t *testing.T) {
-			if got := QuotaUserForCert(test.cert); got != test.want {
-				t.Fatalf("QuotaUserForCert() = %q, want %q", got, test.want)
-			}
-		})
-	}
-}
diff --git a/personalities/sctfe/ct_server_gcp/main.go b/personalities/sctfe/ct_server_gcp/main.go
index 1aedd8b2..1ef7bf30 100644
--- a/personalities/sctfe/ct_server_gcp/main.go
+++ b/personalities/sctfe/ct_server_gcp/main.go
@@ -40,7 +40,6 @@ import (
 	"github.com/google/trillian/monitoring/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"github.com/rs/cors"
-	"github.com/tomasen/realip"
 	tessera "github.com/transparency-dev/trillian-tessera"
 	"github.com/transparency-dev/trillian-tessera/personalities/sctfe"
 	"github.com/transparency-dev/trillian-tessera/personalities/sctfe/configpb"
@@ -62,13 +61,9 @@ var (
 	tracing = flag.Bool("tracing", false, "If true opencensus Stackdriver tracing will be enabled. See https://opencensus.io/.")
 	tracingProjectID = flag.String("tracing_project_id", "", "project ID to pass to stackdriver. Can be empty for GCP, consult docs for other platforms.")
 	tracingPercent = flag.Int("tracing_percent", 0, "Percent of requests to be traced. Zero is a special case to use the DefaultSampler")
-	quotaRemote = flag.Bool("quota_remote", true, "Enable requesting of quota for IP address sending incoming requests")
-	quotaIntermediate = flag.Bool("quota_intermediate", true, "Enable requesting of quota for intermediate certificates in submitted chains")
 	pkcs11ModulePath = flag.String("pkcs11_module_path", "", "Path to the PKCS#11 module to use for keys that use the PKCS#11 interface")
 )
 
-const unknownRemoteUser = "UNKNOWN_REMOTE"
-
 // nolint:staticcheck
 func main() {
 	klog.InitFlags(nil)
@@ -252,20 +247,6 @@ func setupAndRegister(ctx context.Context, deadline time.Duration, vCfg *sctfe.V
 		RequestLog: new(sctfe.DefaultRequestLog),
 		MaskInternalErrors: maskInternalErrors,
 	}
-	if *quotaRemote {
-		klog.Info("Enabling quota for requesting IP")
-		opts.RemoteQuotaUser = func(r *http.Request) string {
-			var remoteUser = realip.FromRequest(r)
-			if len(remoteUser) == 0 {
-				return unknownRemoteUser
-			}
-			return remoteUser
-		}
-	}
-	if *quotaIntermediate {
-		klog.Info("Enabling quota for intermediate certificates")
-		opts.CertificateQuotaUser = sctfe.QuotaUserForCert
-	}
 
 	switch vCfg.Config.StorageConfig.(type) {
 	case *configpb.LogConfig_Gcp:
diff --git a/personalities/sctfe/instance.go b/personalities/sctfe/instance.go
index 20ce38f8..c44c1763 100644
--- a/personalities/sctfe/instance.go
+++ b/personalities/sctfe/instance.go
@@ -20,13 +20,11 @@ import (
 	"crypto/ecdsa"
 	"errors"
 	"fmt"
-	"net/http"
 	"strconv"
 	"strings"
 	"time"
 
 	"github.com/google/certificate-transparency-go/asn1"
-	"github.com/google/certificate-transparency-go/x509"
 	"github.com/google/certificate-transparency-go/x509util"
 	"github.com/google/trillian/crypto/keys"
 	"github.com/google/trillian/monitoring"
@@ -48,20 +46,7 @@ type InstanceOptions struct {
 	// a boolean to indicate whether the conversion succeeded.
 	ErrorMapper func(error) (int, bool)
 	// RequestLog provides structured logging of CTFE requests.
-	RequestLog RequestLog
-	// RemoteUser returns a string representing the originating host for the
-	// given request. This string will be used as a User quota key.
-	// If unset, no quota will be requested for remote users.
-	RemoteQuotaUser func(*http.Request) string
-	// CertificateQuotaUser returns a string representing the passed in
-	// intermediate certificate. This string will be user as a User quota key for
-	// the cert. Quota will be requested for each intermediate in an
-	// add-[pre]-chain request so as to allow individual issuers to be rate
-	// limited. If unset, no quota will be requested for intermediate
-	// certificates.
-	CertificateQuotaUser func(*x509.Certificate) string
-	// MaskInternalErrors indicates if internal server errors should be masked
-	// or returned to the user containing the full error message.
+	RequestLog         RequestLog
 	MaskInternalErrors bool
 }
 
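Review bot: The re-added `RequestLog RequestLog` line now sits directly above `MaskInternalErrors bool`, and the two-line doc comment for that field (`// MaskInternalErrors indicates if internal server errors should be masked` / `// or returned to the user containing the full error message.`) is deleted together with the quota fields, leaving an exported field undocumented; those two lines should be restored above `MaskInternalErrors bool`. That comment also records a security-relevant contract — whether raw internal error text is returned to clients — so it belongs next to the field rather than in commit history. The removed RemoteQuotaUser and CertificateQuotaUser hooks were the only per-client and per-issuer quota seams visible in this diff and nothing in the instance.go or main.go hunks replaces them; if rate limiting is intentionally dropped rather than relocated, a sentence on the InstanceOptions doc saying so would save the next reader from looking for it. The InstanceOptions struct opens before this hunk.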