Skip to content

Commit

Permalink
enforce TLS peer certificate presence for trust
Browse files Browse the repository at this point in the history
  • Loading branch information
@johnabass
johnabass committed Nov 15, 2024
1 parent d3de698 commit ef6cb59
Show file tree
Hide file tree
Showing 2 changed files with 33 additions and 6 deletions.
33 changes: 33 additions & 0 deletions token/claimBuilder.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,12 @@ import (
kithttp "github.com/go-kit/kit/transport/http"
)

const (
// ClaimTrust is the name of the trust value within JWT claims issued
// by themis. This claim will be overridden based upon TLS connection state.
ClaimTrust = "trust"
)

var (
ErrRemoteURLRequired = errors.New("A URL for the remote claimer is required")
ErrMissingKey = errors.New("A key is required for all claims and metadata values")
Expand Down Expand Up @@ -172,6 +178,16 @@ func newRemoteClaimBuilder(client xhttpclient.Interface, metadata map[string]int
return &remoteClaimBuilder{endpoint: c.Endpoint(), url: r.URL, extra: metadata}, nil
}

// enforcePeerCertificate is a ClaimsBuilderFunc that overrides trust as necessary
// given the TLS peer certificates (if any)
func enforcePeerCertificate(_ context.Context, r *Request, target map[string]interface{}) error {
if len(r.ConnectionState.PeerCertificates) == 0 {
target[ClaimTrust] = 0
}

return nil
}

// NewClaimBuilders constructs a ClaimBuilders from configuration. The returned instance is typically
// used in configuration a token Factory. It can be used as a standalone service component with an endpoint.
//
Expand All @@ -182,6 +198,7 @@ func NewClaimBuilders(n random.Noncer, client xhttpclient.Interface, o Options)
builders = ClaimBuilders{requestClaimBuilder{}}
staticClaimBuilder = make(staticClaimBuilder)
)

if o.Remote != nil { // scan the metadata looking for static values that should be applied when invoking the remote server
metadata := make(map[string]interface{})
for _, value := range o.Metadata {
Expand All @@ -200,34 +217,44 @@ func NewClaimBuilders(n random.Noncer, client xhttpclient.Interface, o Options)
metadata[value.Key] = msg
}
}

remoteClaimBuilder, err := newRemoteClaimBuilder(client, metadata, o.Remote)
if err != nil {
return nil, err
}

builders = append(builders, remoteClaimBuilder)
}

for _, value := range o.Claims {
switch {
case len(value.Key) == 0:
return nil, ErrMissingKey

case value.IsFromHTTP():
continue

case !value.IsStatic():
return nil, fmt.Errorf("A value is required for the static claim: %s", value.Key)

default:
msg, err := value.RawMessage()
if err != nil {
return nil, err
}

staticClaimBuilder[value.Key] = msg
}
}

if len(staticClaimBuilder) > 0 {
builders = append(builders, staticClaimBuilder)
}

if o.Nonce && n != nil {
builders = append(builders, nonceClaimBuilder{n: n})
}

if !o.DisableTime {
builders = append(
builders,
Expand All @@ -238,5 +265,11 @@ func NewClaimBuilders(n random.Noncer, client xhttpclient.Interface, o Options)
notBeforeDelta: o.NotBeforeDelta,
})
}

builders = append(
builders,
ClaimBuilderFunc(enforcePeerCertificate),
)

return builders, nil
}
6 changes: 0 additions & 6 deletions token/transport.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,12 +19,6 @@ import (
"go.uber.org/multierr"
)

const (
// ClaimTrust is the name of the trust value within JWT claims issued
// by themis.
ClaimTrust = "trust"
)

var (
ErrVariableNotAllowed = errors.New("Either header/parameter or variable can specified, but not all three")
)
Expand Down

0 comments on commit ef6cb59

Please sign in to comment.