[v9] Add client cert in insecure mode #11758

Merged
merged 5 commits into from
Apr 8, 2022
4 changes: 4 additions & 0 deletions lib/srv/db/access_test.go
Expand Up @@ -1803,6 +1803,7 @@ func withSelfHostedPostgres(name string) withDatabaseOption {
postgresServer, err := postgres.NewTestServer(common.TestServerConfig{
Name: name,
AuthClient: testCtx.authClient,
ClientAuth: tls.RequireAndVerifyClientCert,
})
require.NoError(t, err)
go postgresServer.Serve()
Expand Down Expand Up @@ -1957,6 +1958,7 @@ func withSelfHostedMySQL(name string) withDatabaseOption {
mysqlServer, err := mysql.NewTestServer(common.TestServerConfig{
Name: name,
AuthClient: testCtx.authClient,
ClientAuth: tls.RequireAndVerifyClientCert,
})
require.NoError(t, err)
go mysqlServer.Serve()
Expand Down Expand Up @@ -2124,6 +2126,7 @@ func withSelfHostedMongo(name string, opts ...mongodb.TestServerOption) withData
mongoServer, err := mongodb.NewTestServer(common.TestServerConfig{
Name: name,
AuthClient: testCtx.authClient,
ClientAuth: tls.RequireAndVerifyClientCert,
}, opts...)
require.NoError(t, err)
go mongoServer.Serve()
Expand All @@ -2149,6 +2152,7 @@ func withSelfHostedRedis(name string, opts ...redis.TestServerOption) withDataba
redisServer, err := redis.NewTestServer(t, common.TestServerConfig{
Name: name,
AuthClient: testCtx.authClient,
ClientAuth: tls.RequireAndVerifyClientCert,
}, opts...)
require.NoError(t, err)
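Review bot: `ClientAuth: tls.RequireAndVerifyClientCert` is now repeated verbatim in withSelfHostedPostgres, withSelfHostedMySQL, withSelfHostedMongo and withSelfHostedRedis; if more self-hosted helpers follow, a small shared constructor for the common.TestServerConfig literal would keep the "self-hosted test servers require a client certificate" rule in one place. As far as this section shows, only these four helpers opt in, so test servers built elsewhere presumably still run with the field's zero value and would not catch a regression in which the client certificate is dropped again. All four enclosing functions continue outside their hunks.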

15 changes: 9 additions & 6 deletions lib/srv/db/common/auth.go
Expand Up @@ -287,15 +287,15 @@ func (a *dbAuth) GetAzureAccessToken(ctx context.Context, sessionCtx *Session) (
// GetTLSConfig builds the client TLS configuration for the session.
//
// For RDS/Aurora, the config must contain RDS root certificate as a trusted
// authority. For onprem we generate a client certificate signed by the host
// authority. For on-prem we generate a client certificate signed by the host
// CA used to authenticate.
func (a *dbAuth) GetTLSConfig(ctx context.Context, sessionCtx *Session) (*tls.Config, error) {
dbTLSConfig := sessionCtx.Database.GetTLS()

// Mode won't be set for older clients. We will default to VerifyFull then - the same as before.
switch dbTLSConfig.Mode {
case types.DatabaseTLSMode_INSECURE:
return getTLSConfigInsecure(), nil
return a.getTLSConfigInsecure(ctx, sessionCtx)
case types.DatabaseTLSMode_VERIFY_CA:
return a.getTLSConfigVerifyCA(ctx, sessionCtx)
default:
Expand Down Expand Up @@ -381,15 +381,18 @@ func (a *dbAuth) getTLSConfigVerifyFull(ctx context.Context, sessionCtx *Session

// getTLSConfigInsecure generates tls.Config when TLS mode is equal to 'insecure'.
// Generated configuration will accept any certificate provided by database.
func getTLSConfigInsecure() *tls.Config {
tlsConfig := &tls.Config{
RootCAs: x509.NewCertPool(),
func (a *dbAuth) getTLSConfigInsecure(ctx context.Context, sessionCtx *Session) (*tls.Config, error) {
tlsConfig, err := a.getTLSConfigVerifyFull(ctx, sessionCtx)
if err != nil {
return nil, trace.Wrap(err)
}

// Accept any certificate provided by database.
tlsConfig.InsecureSkipVerify = true
// Remove certificate validation if set.
tlsConfig.VerifyConnection = nil

return tlsConfig
return tlsConfig, nil
}

// getTLSConfigVerifyCA generates tls.Config when TLS mode is equal to 'verify-ca'.
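Review bot: The doc comment on getTLSConfigInsecure is now misleading: the config is no longer a bare tls.Config with an empty pool but whatever getTLSConfigVerifyFull produces with server verification switched off, so it still carries the client certificate (the point of this change) plus any roots or server name verify-full set. I'd rewrite it as `// getTLSConfigInsecure builds the verify-full client config (including the client certificate signed by the host CA) and then disables server certificate verification, so any certificate presented by the database is accepted.` The line clearing VerifyConnection deserves a why-comment, because crypto/tls still invokes VerifyConnection when InsecureSkipVerify is set, so a check installed by verify-full would otherwise still be able to reject the connection: `// VerifyConnection still runs under InsecureSkipVerify; drop any check verify-full installed.` Insecure mode can now also fail where it previously could not (errors from generating the client certificate propagate), which is worth stating in the GetTLSConfig doc comment so callers do not assume that mode is infallible.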
6 changes: 5 additions & 1 deletion lib/srv/db/common/test.go
Expand Up @@ -46,14 +46,17 @@ type TestServerConfig struct {
AuthUser string
// AuthToken is used in tests simulating IAM token authentication.
AuthToken string
// CN allows to set specific CommonName in the database server certificate.
// CN allows setting specific CommonName in the database server certificate.
//
// Used when simulating test Cloud SQL database which should contains
// <project-id>:<instance-id> in its certificate.
CN string
// ListenTLS creates a TLS listener when true instead of using a net listener.
// This is used to simulate MySQL connections through the GCP Cloud SQL Proxy.
ListenTLS bool
// ClientAuth sets tls.ClientAuth in server's tls.Config. It can be used to force client
// certificate validation in tests.
ClientAuth tls.ClientAuthType
}

// MakeTestServerTLSConfig returns TLS config suitable for configuring test
Expand Down Expand Up @@ -94,6 +97,7 @@ func MakeTestServerTLSConfig(config TestServerConfig) (*tls.Config, error) {
}
return &tls.Config{
ClientCAs: pool,
ClientAuth: config.ClientAuth,
Certificates: []tls.Certificate{cert},
}, nil
}
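Review bot: The ClientAuth field comment should state what the zero value does, since every caller of MakeTestServerTLSConfig that does not set it now gets `tls.NoClientCert` (the zero value of tls.ClientAuthType) and so keeps a server that never requests a client certificate; only tests that opt in with tls.RequireAndVerifyClientCert exercise the client-certificate path. Suggest appending `// Zero value (tls.NoClientCert) means the server does not request a client certificate.` to the field doc. In the second hunk, `ClientCAs: pool` is what RequireAndVerifyClientCert validates against; that pool is built above the hunk, so the MakeTestServerTLSConfig doc comment (starts outside the hunk) could note that the pool must contain the CA that signs the test client certificates for that mode to succeed.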