Router support for mutual tls authentication

[ramr]

Changes as per RFE: https://bugzilla.redhat.com/show_bug.cgi?id=1477349

Adds mutual tls authentication support. Verification is via client-side certificates and its
use can be mandated to be either required or optional.
Additionally, an env variable ROUTER_MUTUAL_TLS_AUTH_CN provides more fine-grain
control on access based on certificate common names.

Usage:
Start the router with the new command line options to specify the mutual tls options.
Example:

$ oc adm router --latest-images=true  --mutual-tls-auth=required  \
       --mutual-tls-auth-ca=_ramr/nodejs-header-echo/config/CA/cacert.pem  \
       --mutual-tls-auth-filter='^/CN=header.test/ST=CA/C=US/O=Security/OU=OpenShift3$'

In the above example, the regular expression for mutual-tls-auth-filter forces an exact match with a certificate's subject.

To Test:

curl -insecure --cert-type pem --cert  _ramr/nodejs-header-echo/config/cert.pem  \
       --key _ramr/nodejs-header-echo/config/key.pem  -k -vvv  \
       --resolve reencrypt.header.test:443:127.0.0.1 https://reencrypt.header.test/

And test without the certificate/key to check that access is not allowed.
Other test scenarios can use different combinations of the filter (and/or --mutual-tls-auth flag) to test access.

@knobunc PTAL Thx

Edited Updated usage and tests

[mrogers950]

cc @openshift/sig-security

[simo5]

nits

[simo5]

Please specify exactly what name the cert needs to match

[ramr]

Common Name ... will update this to make this clearer.

[simo5]

I am not asking what CN is, I am asking what it should match, it is not clear to me what you have to set CN to.

[ramr]

So to make it a wee bit clearer:

1. If the DN set to /CN=header.test/ST=CA/C=US/O=Security/OU=OpenShift3.
2. A couple (example set) of the headers set in the request sent to the backend would be:
   X-SSL-Client-DN=/CN=header.test/ST=CA/C=US/O=Security/OU=OpenShift3
X-SSL-Client-CN=header.test

And the ROUTER_MUTUAL_TLS_AUTH_CN environment variable value allows you to "filter" requests based on that CN value (header.test).

Example:
A. For ROUTER_MUTUAL_TLS_AUTH_CN=der.test or ROUTER_MUTUAL_TLS_AUTH_CN=header.te would match the value and the request would be sent to the backend.
B. For ROUTER_MUTUAL_TLS_AUTH_CN=MyClient, the request would be rejected.

[simo5]

This sounds wrong, we should probably have a ROUTER_MUTUAL_TLS_AUTH_DN variable and match the exact subject as a default.
In what case matching a substring of a random CN in the subject is useful ?

[ramr]

That's what the customer was using/asking - ref: https://bugzilla.redhat.com/show_bug.cgi?id=1477349

In any case, this is moot because I just changed this to be an auth filter (see latest commit) to filter based on the subject (substring) so you can run a router ala:

oc adm router --latest-images=true  --mutual-tls-auth=optional  \
              --mutual-tls-auth-ca=_ramr/nodejs-header-echo/config/CA/cacert.pem  \
              --mutual-tls-auth-filter="CN=header.test"

As re: an exact match, see the other comment re: filtering on organizations or OUs.

[simo5]

same as above

[simo5]

It would be nice to have access to the whole client cert, is it possible via env vars ?

[ramr]

Ok will do - there's a ssl_c_der that gives the client cert in DER format (will convert to base64 if possible [otherwise hex] as it is in binary form).

[simo5]

Given we default to no mutual TLS, it may be nice to specify a field with the Subject the cert need to match so that we do not need custom templates but a simple configuration change.

[ramr]

Hmm, ok - let me check with @knobunc on today's call on that.
Reason is that I felt the ROUTER_MUTUAL_TLS_AUTH_CN might not even be needed.
For the specific customer use case, they need to add/remove custom headers, so they would need a custom template to filter on the CN and then do the custom header magic anyway.

[ramr]

Hmm, am not sure doing this based on the subject may be possible. I did just briefly glance at the haproxy docs (ref: https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.4) and didn't see a way to get at the subject field easily.

[simo5]

The subject is in SSL_CLIENT_S_DN

[simo5]

Or ssl_c_s_dn in haproxy

[ramr]

Okay, will rework this a bit later this afternoon to pass that filtering value as a command line option. And to do a substring match on that field ssl_c_s_dn. Thx

[simo5]

you probably want an exact match

[ramr]

so the existing RFE from https://bugzilla.redhat.com/show_bug.cgi?id=1477349 which the customer has uses a substring match.
In general, an exact match will be too restrictive if for example you want to filter on just say organizations, departments/units in an organization etc.

[simo5]

May as well also drop string after namespace if we are into reordering arguments

[ramr]

Doh!! Thanks for catching that.

[mrogers950]

Does it use the system store if the CA flag is not set? Otherwise it should be required when mTLS is enabled

[ramr]

The defaults section in the haproxy-config.template sets the default ca-base to the system store which gets used if one is not specified on the bind directive.

[lihongan]

(ala client certificates) ala a typo ?

[ramr]

Meaning as an example but I will "rework" that text along with any other new review comments. Thx

[knobunc]

ala is fine, but slightly obscure -- https://en.wiktionary.org/wiki/ala#Etymology_2

Might be better to say i.e.

[knobunc]

/hold
Until master opens for new features

[knobunc]

Can you give an example showing that "head" would also match? And if you can anchor it so that it is an exact match? Thanks

[knobunc]

Let's just lose these examples and refer them to the examples above?

[ramr]

Done and referred to the examples above.

[knobunc]

ala is fine, but slightly obscure -- https://en.wiktionary.org/wiki/ala#Etymology_2

Might be better to say i.e.

[knobunc]

/retest

[acomabon]

Any news about this merge?

[enj]

Master is frozen from anything but critical fixes until the release-3.10 branch is cut.

[knobunc]

/lgtm

[knobunc]

/hold cancel

[pravisankar]

/lgtm

[lihongan]

Are these headers required for edge routes which use plain http backend ? seems just re-encrypt route need them.

[ramr]

No strong opinion either way. But the headers do reflect information about the connection as it was handled on the edge by the router, so it is still relevant request info (irrespective of the type of backend/route) much like the [X-]Forwarded[-*] and Via headers.

[knobunc]

@juanvallejo @soltysh @enj -- Can someone approve the completion changes please.

[simo5]

I still do not think this should be a substring match.
In what case would you want to match only part of a cert without explicitly specifying which part at least ?
Unless there is a very specific reason to use a substring match we should only do an exact match.
Otherwise we risk opening up users to easy attacks.

[ramr]

The intent here is to restrict an already validated set of requests. It is important to note here that the connections are already filtered based on the CA signing the certificate (and/or any revoked certificates).

So the ROUTER_MUTUAL_TLS_AUTH_CA and ROUTER_MUTUAL_TLS_AUTH_CRL control the first pass of which connections (or certificates) are allowed and the substring match here is the second pass that is restricting that first block of connections to a smaller subset.

If we restrict that to specific match, then we can really only allow one single certifying authority per router. Multiple orgs/depts/units cannot be serviced by a single router instance.

This allows us flexibility to support that and if you really wanted a further locked down environment, you could just as well make the substring match more restrictive ala:
ROUTER_MUTUAL_TLS_AUTH_FILTER="/CN=header.test/ST=CA/C=US/O=Security/OU=OpenShift3" which effectively becomes a specific match.

[simo5]

Won't this match also: /CN=blah/CN=blah/CN=more-blah/CN=header.test/ST=CA/C=US/O=Security/OU=OpenShift3 ?

[ramr]

Yes, it would string substring match that. But that said, is that a valid DN/subject?
From the looks of it the / is a separator in the subject, correct?
So shouldn't that be escaped if someone forces that into an input field? Otherwise, there's potential of other issues, no?

[ramr]

@simo5 also pertinent here is the fact that the ROUTER_MUTUAL_TLS_AUTH_FILTER is optional. Meaning if its not specified, we don't do any restrictive checks. This is a secondary check.

But if this is still a sticking point for you, we could potentially change the substring match to a regular expression ... so you could potentially do a ^<escaped-text>$ kind of expression for an exact match.
That said, it does make the user interface a bit more awkward as it requires the user to specify a regular expression. Not a back breaker though!
And it is worth noting that a regular expression without the positional anchor ... ala CN=foo would still match a /CN=blah/CN=foo/CN=blah/ string.

@knobunc / @ironcladlou any issues with that?

[simo5]

You can have as many CN elements as you want in a DN.
Changing it to a regular expression would be definitely better and I would accept as a solution because then you can do exact matches if you want or anything.

An example with exact match and one with subfiltering should be provided as doc then.

[juanvallejo]

completions lgtm

[juanvallejo]

/approve

for completions

[ramr]

@simo5 changed to use a regular expression. Commit sha: 06615ab

No changes to the usage/command line except that the string is now a regular expression ala:

$ oc adm router --latest-images=true  --mutual-tls-auth=required   \
     --mutual-tls-auth-ca=_ramr/nodejs-header-echo/config/CA/cacert.pem  \
     --mutual-tls-auth-filter='^/CN=header.test/ST=CA/C=US/O=Security/OU=OpenShift3$'

The mutual-tls-auth-filter is a regular expression representing an exact match for the certificate subject.

[ramr]

@juanvallejo completions didn't change but in case you want to re-verify - the last commit only changed the command line option help text. Thx

[ramr]

Rebased with upstream to fix conflict in images/router/haproxy/conf/haproxy-config.template.

[ramr]

/retest

[simo5]

please squash commits and I'll apply lgtm

[ramr]

@simo5 squashed the commits.

[knobunc]

/lgtm

[knobunc]

@simo5 -- Over to you

[simo5]

/lgtm

[simo5]

/retest

[ramr]

Opened new issue - test flake #20295

[ramr]

/retest

[ramr]

@knobunc may need a new /lgtm as there was a conflict in router.go after the --extended-logging option PR merged. So I had to rebase (and fix the conflict and squash) this PR. Thx

[simo5]

/lgtm

[simo5]

/retest

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: juanvallejo, knobunc, pravisankar, ramr, simo5

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• contrib/completions/OWNERS [juanvallejo]
• images/router/OWNERS [knobunc]
• pkg/oc/admin/router/OWNERS [knobunc]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[knobunc]

/retest

[openshift-ci-robot]

@ramr: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
ci/openshift-jenkins/unit	770687a	link	/test unit

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[ramr]

/test unit
/test end_to_end