Traffic Ops client certificate authentication (#7392)

* initial client certificate auth code for login * Add intermediate cert for chain testing. Add LDAP check for UID parsed from cert * Add nil check for client TLS connection state * Update cdn.conf to include Root cert location. Remove test certs * Remove filesystem tests for root cert * Use long descriptive form in JSON for cdn.conf * Add checks for config values. Update example logic * Initial documentation commit instead of stash * Moved client.go and server.go to separate folders because they are both main functions * Add Apache license to example server+client * Remove commented code lines * Use JWT constanswconstants instead of string literals * Refactor so `goto` is unnecessary * Lowercase error messages * Use separte PKI directory for TO root certificates * Reject certs that are group or world-writable * Do not fully bail on unpocessable files * - Reject certificate subjects with multiple UIDs - Only fail when the UID is empty if no UID was found * Use %s for error in format string * Track github.com/apache/trafficcontrol/lib/go-rfc/ldap * Use %s for error type --------- Co-authored-by: Taylor Frey <[email protected]>
apache · May 8, 2023 · 688d057 · 688d057
1 parent 818408b
commit 688d057
Show file tree

Hide file tree

Showing 16 changed files with 1,374 additions and 119 deletions.
diff --git a/docs/source/admin/quick_howto/client_cert_auth.rst b/docs/source/admin/quick_howto/client_cert_auth.rst
@@ -0,0 +1,25 @@
+..
+..
+.. Licensed under the Apache License, Version 2.0 (the "License");
+.. you may not use this file except in compliance with the License.
+.. You may obtain a copy of the License at
+..
+..     http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS,
+.. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+.. See the License for the specific language governing permissions and
+.. limitations under the License.
+..
+
+.. _client-cert-auth:
+
+**************************************
+Client Certificates for Authentication
+**************************************
+
+An alternative mechanism for providing credentials and authenticating access.
+
+There are multiple mechanisms, specifically within Traffic Ops, that provide a means for authentication.
+
diff --git a/docs/source/admin/traffic_ops.rst b/docs/source/admin/traffic_ops.rst
@@ -320,6 +320,12 @@ This file deals with the configuration parameters of running Traffic Ops itself.
 	:renew_days_before_expiration: Set the number of days before expiration date to renew certificates.
 	:summary_email: The email address to use for summarizing certificate expiration and renewal status. If it is blank, no email will be sent.
 
+:client_certificate_authentication: This is an optional section of configurations client provided certificate based authentication. However, if ``"ClientAuth" : "1"``` is enabled in the ``tls_config`` section in ``traffic_ops_golang``, then this field is required.
+
+	.. versionadded:: 7.0
+
+	:root_certificates_directory: A string representing the absolute path of the directory where Root CA certificates are located. These Root CA certificates are used for verifying the certificate provided by the client.
+
 :default_certificate_info: This is an optional object to define default values when generating a self signed certificate when an HTTPS delivery service is created or updated. If this is an empty object or not present in the :ref:`cdn.conf` then the term "Placeholder" will be used for all fields.
 
  	:business_unit: An optional field which, if present, will represent the business unit for which the SSL certificate was generated
@@ -517,7 +523,6 @@ This file deals with the configuration parameters of running Traffic Ops itself.
 
 	.. versionadded:: 7.0
 
-
 Example cdn.conf
 ''''''''''''''''
 .. include:: ../../../traffic_ops/app/conf/cdn.conf