Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x509 POC React #56

Closed
nimishbongale opened this issue Jul 23, 2022 · 9 comments
Closed

x509 POC React #56

nimishbongale opened this issue Jul 23, 2022 · 9 comments
Assignees
@nimishbongale
Labels
enhancement New feature or request

Comments

@nimishbongale
Copy link
Contributor

nimishbongale commented Jul 23, 2022
edited
Loading

Description

x509 auth workflow requires a selection popup window to appear, which displays any x509 certificate if present, and asks for user to choose.

Motivation

This is an essential step in dealing with the x509 auth workflow.

Change

Being a POC, we would need to survey some libraries which may already do it, or check if react has something to offer natively for this kind of functionality.
@nimishbongale nimishbongale added the enhancement New feature or request label Jul 23, 2022
@nimishbongale
Copy link
Contributor Author

nimishbongale commented Jul 23, 2022
edited
Loading

Initial findings (@maany):

  1. Will need a valid X509 cert
  2. Seems like the popup is browser inbuilt, and does not need a programmatic trigger. My guess is hitting the endpoint whilst having a valid cert installed within the browser will cause the popup to show.

Please assign this to me, thanks!

@nimishbongale nimishbongale self-assigned this Jul 25, 2022
@maany
Copy link
Member

maany commented Jul 26, 2022

So, I was able to recreate the client certificate request in Flask as follows:

  1. get access to the tls socket connection object for the wsgi request
  2. invoke the getpeercert method on the socket to request a client certificate

code: https://github.com/maany/rucio-vscode-dev-env/blob/50c8e9e99482508a586413e7cd19643f0c0c8b16/utils/rucio_ui_debug.py#L33
This in turn creates the popup on a browser for selecting a certificate

To re-create this in the new webui, we would have to get access to the socket connection, which can be done via NextJS. A good article to try out would be this

@maany
Copy link
Member

maany commented Jul 26, 2022

Take a look at the socket.io equivalent
https://socket.io/docs/v3/client-initialization/

import { io } from "socket.io-client";

const socket = io({
  withCredentials: true
});

@maany
Copy link
Member

maany commented Aug 18, 2022 

const fs = require("fs");
const server = require("https").createServer({
  cert: fs.readFileSync("./server-cert.pem"),
  key: fs.readFileSync("./server-key.pem"),
  requestCert: true,
  ca: [
    fs.readFileSync('client-cert.pem')
  ]
});
const io = require("socket.io")(server);

Let's try to trigger the certificate popup with requestCert: true

@maany
Copy link
Member

maany commented Aug 18, 2022

The function we should try to call:
socketio/socket.io#3567

@maany
Copy link
Member

maany commented Aug 18, 2022

You would have to generate a x509 certificate and install a x509 certificate to the Apple Keychain

@nimishbongale
Copy link
Contributor Author

Thanks for all the info @maany! 👍

@Andrewiski
Copy link

socketio/socket.io#3567 is resolved please see socketio/socket.io#4511 for fix using io.engine.on(connection where client cert reference is available. Also quick example of setting and using client certificate can be found at https://github.com/Andrewiski/socket.io-certificate-test

@maany
Copy link
Member

maany commented Mar 2, 2023

Closing as this is no longer relevant. x509 workflow has been implemented via #128

@maany maany closed this as completed Mar 2, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nimishbongale nimishbongale

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Andrewiski @maany @nimishbongale