From f259047623c3430287b049a4647a4de83eb5d23d Mon Sep 17 00:00:00 2001
From: Yangmin Zhu
Date: Mon, 11 Feb 2019 12:19:12 -0800
Subject: [PATCH 1/3] Warn user of using mTLS PERMISSIVE mode and suggest to upgrade to STRICT mode.
Signed-off-by: Yangmin Zhu
---
 src/envoy/http/authn/peer_authenticator.cc | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/src/envoy/http/authn/peer_authenticator.cc b/src/envoy/http/authn/peer_authenticator.cc
index 136137fa0f9..b0f9299541c 100644
--- a/src/envoy/http/authn/peer_authenticator.cc
+++ b/src/envoy/http/authn/peer_authenticator.cc
@@ -40,6 +40,13 @@ bool PeerAuthenticator::run(Payload* payload) {
 for (const auto& method : policy_.peers()) {
 switch (method.params_case()) {
 case iaapi::PeerAuthenticationMethod::ParamsCase::kMtls:
+ if (method.mtls().mode() == iaapi::MutualTls_Mode_PERMISSIVE) {
+ ENVOY_LOG(warn, "mTLS PERMISSIVE mode is used, connection can be either "
+ "plaintext or TLS, and client cert can be omitted. "
+ "Please consider to upgrade to mTLS STRICT mode for "
+ "more secure that only allows TLS connection with client cert. "
+ "See https://istio.io/docs/tasks/security/mtls-migration/");
+ }
 success = validateX509(method.mtls(), payload);
 break;
 case iaapi::PeerAuthenticationMethod::ParamsCase::kJwt:
From c418d49e9c30ce675e6c437b2b92452f9b6b364b Mon Sep 17 00:00:00 2001
From: Yangmin Zhu
Date: Mon, 11 Feb 2019 13:05:09 -0800
Subject: [PATCH 2/3] fix format
---
 src/envoy/http/authn/peer_authenticator.cc | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/src/envoy/http/authn/peer_authenticator.cc b/src/envoy/http/authn/peer_authenticator.cc
index b0f9299541c..0ae67edab2d 100644
--- a/src/envoy/http/authn/peer_authenticator.cc
+++ b/src/envoy/http/authn/peer_authenticator.cc
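Review bot: The new PERMISSIVE check sits inside PeerAuthenticator::run, which is executed for every request, so one warn line is written per request for as long as the policy stays in PERMISSIVE mode; that turns the request rate, which a remote client controls, into log volume and buries other warnings. A configuration-time check that runs once when the policy is loaded is the right place for this diagnostic (the last patch of this series moves it in that direction, but see the note there). The wording `more secure that only allows` is also not grammatical; `a more secure configuration that only allows` reads better. run's body continues outside the hunk.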
@@ -41,11 +41,13 @@ bool PeerAuthenticator::run(Payload* payload) {
 switch (method.params_case()) {
 case iaapi::PeerAuthenticationMethod::ParamsCase::kMtls:
 if (method.mtls().mode() == iaapi::MutualTls_Mode_PERMISSIVE) {
- ENVOY_LOG(warn, "mTLS PERMISSIVE mode is used, connection can be either "
- "plaintext or TLS, and client cert can be omitted. "
- "Please consider to upgrade to mTLS STRICT mode for "
- "more secure that only allows TLS connection with client cert. "
- "See https://istio.io/docs/tasks/security/mtls-migration/");
+ ENVOY_LOG(
+ warn,
+ "mTLS PERMISSIVE mode is used, connection can be either "
+ "plaintext or TLS, and client cert can be omitted. "
+ "Please consider to upgrade to mTLS STRICT mode for "
+ "more secure that only allows TLS connection with client cert. "
+ "See https://istio.io/docs/tasks/security/mtls-migration/");
 }
 success = validateX509(method.mtls(), payload);
 break;
From 3581a84e4562c1ec19b17c1e0ca356cd4dc2a152 Mon Sep 17 00:00:00 2001
From: Yangmin Zhu
Date: Mon, 11 Feb 2019 16:18:24 -0800
Subject: [PATCH 3/3] check in constructor
---
 src/envoy/http/authn/http_filter.cc | 21 ++++++++++++++++++++-
 src/envoy/http/authn/peer_authenticator.cc | 9 ---------
 2 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/src/envoy/http/authn/http_filter.cc b/src/envoy/http/authn/http_filter.cc
index 717711a9edc..7751f81be4d 100644
--- a/src/envoy/http/authn/http_filter.cc
+++ b/src/envoy/http/authn/http_filter.cc
@@ -34,7 +34,26 @@ namespace Istio {
 namespace AuthN {

 AuthenticationFilter::AuthenticationFilter(const FilterConfig& filter_config)
- : filter_config_(filter_config) {}
+ : filter_config_(filter_config) {
+ for (const auto& method : filter_config.policy().peers()) {
+ switch (method.params_case()) {
+ case iaapi::PeerAuthenticationMethod::ParamsCase::kMtls:
+ if (method.mtls().mode() == iaapi::MutualTls_Mode_PERMISSIVE) {
+ ENVOY_LOG(
+ warn,
+ "mTLS PERMISSIVE mode is used, connection can be either "
+ "plaintext or TLS, and client cert can be omitted. "
+ "Please consider to upgrade to mTLS STRICT mode for more secure "
+ "configuration that only allows TLS connection with client cert. "
+ "See https://istio.io/docs/tasks/security/mtls-migration/");
+ return;
+ }
+ break;
+ default:
+ break;
+ }
+ }
+}

 AuthenticationFilter::~AuthenticationFilter() {}

diff --git a/src/envoy/http/authn/peer_authenticator.cc b/src/envoy/http/authn/peer_authenticator.cc
index 0ae67edab2d..136137fa0f9 100644
--- a/src/envoy/http/authn/peer_authenticator.cc
+++ b/src/envoy/http/authn/peer_authenticator.cc
@@ -40,15 +40,6 @@ bool PeerAuthenticator::run(Payload* payload) {
 for (const auto& method : policy_.peers()) {
 switch (method.params_case()) {
 case iaapi::PeerAuthenticationMethod::ParamsCase::kMtls:
- if (method.mtls().mode() == iaapi::MutualTls_Mode_PERMISSIVE) {
- ENVOY_LOG(
- warn,
- "mTLS PERMISSIVE mode is used, connection can be either "
- "plaintext or TLS, and client cert can be omitted. "
- "Please consider to upgrade to mTLS STRICT mode for "
- "more secure that only allows TLS connection with client cert. "
- "See https://istio.io/docs/tasks/security/mtls-migration/");
- }
 success = validateX509(method.mtls(), payload);
 break;
 case iaapi::PeerAuthenticationMethod::ParamsCase::kJwt:
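Review bot: Moving the scan into the AuthenticationFilter constructor only de-duplicates the warning if that constructor runs once per configuration, and nothing in this patch shows that; if the filter is instantiated per stream by the filter factory callback, as Envoy HTTP filters commonly are (the factory is not in this hunk), this still emits one warn line per request and the request rate again drives log volume. The check belongs where the FilterConfig is built, so it runs once per configuration load. Independently, `return;` used as a loop exit inside a constructor is easy to misread as skipped member initialization; extracting the scan into a small predicate and logging on its result at the call site, e.g. `if (hasPermissiveMtls(filter_config.policy())) { ENVOY_LOG(warn, ...); }`, makes the intent explicit and lets the factory reuse the same check. A one-line comment above the loop, `// Diagnostic only: enforcement stays in PeerAuthenticator::run.`, would also stop a reader from taking this switch for a policy decision, since the removed block in peer_authenticator.cc shows that run still performs the actual validateX509 call.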