Add path exclusion to mTLS and BasicAuth authentication #151
Conversation
Signed-off-by: Kacper Rzetelski <kacper.rzetelski@scylladb.com>
Signed-off-by: Kacper Rzetelski <kacper.rzetelski@scylladb.com>
rzetelskik
force-pushed
the
path-exclusion-auth
branch
from
9705f1a
to
ab8e6f5
Compare
|
@roidelapluie @SuperQ any chance to have someone review it? |
|
I don't know much about mTLS, but the title and description seem way too small for a +1200-line change. |
|
@bboreham I've added a section on implementation details, I hope it's clear enough. Also bear in mind that a bulk of that code are unit tests - I've tried to cover the changes quite extensively. The actual essence of these changes is only about 200-300 LoC, although I wouldn't really consider LoC a good indicator of complexity... |
Why? Maybe you are doing a large-scale refactoring? Please explain. It seems possible that this line should go higher up in the explanation:
|
Good point. I changed the main part of the description to include this.
I'm not sure I understand what your question is here. Why is the
I don't think I'm doing much refactoring in this PR besides moving the code responsible for basic auth authentication to a middleware, but I've explained above the reasons for doing so. Other than that I've tried to keep the changes in the existing code minimal, so I don't understand where this is coming from. |
OK, we have a different view on that. The whole project is currently 1823 lines. Thank you, the rationale to create a middleware and chain makes sense, it just wasn't in the description first time around. |
|
ping @SuperQ @roidelapluie |
1 similar comment
|
ping @SuperQ @roidelapluie |
|
I do not feel confident writing TLS code ourselves is benefitting for the project. |
|
First and foremost, I don't agree that this approach includes "writing TLS code" at all. As explained in the PR description, all it does is it lowers certificate requirements on handshake and delegates the required certificate verification to a middleware. And for the verification itself it uses functions from a standard library, which is nowhere near to actually implementing the protocol. And even the code used to verify the certificates comes from the stdlib implementation: https://cs.opensource.google/go/go/+/master:src/crypto/tls/handshake_server.go;l=858. Having said that, I believe you @roidelapluie were the one to suggest extending path exclusion to mTLS in one of the previous attempts to do so: #106 (comment), so I'd be happy to hear the approach you had in mind. |
|
@roidelapluie ping |
1 similar comment
|
@roidelapluie ping |
|
any update on this one ? |
My team still needs this for prometheus-operator and I'm happy to work on merging this. As you can see, the maintainers don't seem particularly interested though. |
|
any update ? |
|
I have added this for discussion at a future Prometheus Dev Summit |
|
Thanks @bboreham! The use cases behind it: [3], [4]. [1] - prometheus/prometheus#9166 |
This PR introduces support for path exclusion from authentication for both mTLS and BasicAuth.
The main issue here was allowing for excluding the requests, which request a URL matching an excepted path, from
mTLS authentication. This PR achieves this by lowering the requirements in TLSConfig and delegating the certificate verification to a dedicated middleware - an approach heavily based on how kubernetes/apiserver handles authentication and authorization. To match this approach and allow for path exclusion for both types of authentication, basic authentication is also moved to a dedicated middleware.
As discussed in prometheus/prometheus#9166, the need for this comes from kubelet, the Kubernetes node agent, not allowing the use of certificates or safely providing credentials for liveness/readiness probes. See also prometheus-operator/prometheus-operator#5419.
This PR also takes into account the comments in the previous attempts to add support for this: #106 and #70.
Fixes prometheus/prometheus#9166
Edit:
Some implementation details, as requested by @bboreham :
This PR introduces an
Authenticatorinterface.The
Authenticatemethod takes an*http.Requestand decides whether the given request passes authentication.The
func WithAuthentication(handler http.Handler, authenticator Authenticator, logger log.Logger) http.Handlermiddleware is also introduced. It authenticates every request and passes it to the next handler on success.The
ChainAuthenticatoris also implemented to conjunct multiple Authenticators. Its implementation ofAuthenticatefails to authenticate the request unless it authenticates against all chained Authenticators successfully.There are two instantiations of the interface implemented in this PR:
BasicAuthAuthenticatorandX509Authenticator.BasicAuthAuthenticatorisolates all the code responsible for basic auth authentication that was there before inwebHandlerwithout any changes to the logic.X509Authenticatorimplements the part of mTLS server handshake that is normally executed for connections withClientAuthhigher thanVerifyClientCertIfGiven(https://cs.opensource.google/go/go/+/master:src/crypto/tls/handshake_server.go;l=878).The crux of this PR is the following: one can't just exclude certain URLs from mTLS authentication. There's simply no access to this information at that level of encapsulation. Therefore
ClientAuthin tlsConfig is always capped atRequestClientCert, and the actual certificate verification is delegated to the x509 middleware (ab8e6f5#diff-ee4d3f619ee85cfe4114c969b9777f1936391e90d3198df35fc6f0145077badeR246).For the actual path exclusion an
Exceptorinterface is introduced.func WithExceptor(handler http.Handler, authenticator Authenticator, exceptor Exceptor, logger log.Logger) http.Handlermiddleware callsIsExceptedand checks, based on a requested URL, whether a request is excepted from authentication. If so, it passes it directly to the provided handler, otherwise the handler is preceded with the authenticator.