Closed jeffy-mathew closed 1 month ago
API Changes
no api changes detected
β±οΈ Estimated effort to review: 4 π΅π΅π΅π΅βͺ |
π§ͺ PR contains tests |
π Security concerns - Sensitive Information Exposure: The PR deals with handling TLS certificates and private keys, which are sensitive. It is crucial to ensure that these items are handled securely, not exposed in logs, and are properly secured in memory and during transmission. - Certificate Validation: The PR adds functionality for validating client certificates against a root certificate authority. It is essential to ensure that this validation is robust and does not allow invalid or revoked certificates to be accepted. |
β‘ Key issues to review **Possible Bug:** The PR introduces a significant amount of new code related to certificate handling and mTLS, which could potentially introduce bugs or security issues if not implemented correctly. Thorough review and testing are required to ensure that the implementation correctly handles certificate validation, error handling, and edge cases. **Performance Concern:** The PR includes operations such as generating RSA keys and certificates, which are computationally expensive. It's important to ensure that these operations do not negatively impact the performance of the system, especially under load. |
Category | Suggestion | Score |
Possible bug |
Add a check for the presence of
___
**Consider checking for the presence of | 10 |
Best practice |
Use
___
**Instead of concatenating strings to form the error message, use | 8 |
Maintainability |
Refactor repeated certificate generation logic into a setup function for better test manageability___ **To improve the test's readability and maintainability, consider moving the repeatedcertificate generation logic ( generateRootCertAndKey , generateServerCertAndKeyChain , generateClientCertAndKeyChain ) into a setup function or using table-driven tests. This will reduce duplication and make the tests easier to manage.** [gateway/cert_test.go [295-333]](https://github.com/TykTechnologies/tyk/pull/6405/files#diff-481696cb18de8c3880e0ca21318fe00fd4eb89bc48994e43b7c34729ef4a7ee2R295-R333) ```diff -rootCertPEM, rootKeyPEM, err := generateRootCertAndKey(t) -assert.NoError(t, err) -serverCertPEM, serverKeyPEM, err := generateServerCertAndKeyChain(t, rootCertPEM, rootKeyPEM) -assert.NoError(t, err) -clientCertPEM, clientKeyPEM, err := generateClientCertAndKeyChain(t, rootCertPEM, rootKeyPEM) -assert.NoError(t, err) +setupCertificates := func(t *testing.T) (rootCertPEM, rootKeyPEM, serverCertPEM, serverKeyPEM, clientCertPEM, clientKeyPEM []byte) { + rootCertPEM, rootKeyPEM, err := generateRootCertAndKey(t) + assert.NoError(t, err) + serverCertPEM, serverKeyPEM, err := generateServerCertAndKeyChain(t, rootCertPEM, rootKeyPEM) + assert.NoError(t, err) + clientCertPEM, clientKeyPEM, err := generateClientCertAndKeyChain(t, rootCertPEM, rootKeyPEM) + assert.NoError(t, err) + return rootCertPEM, rootKeyPEM, serverCertPEM, serverKeyPEM, clientCertPEM, clientKeyPEM +} ``` Suggestion importance[1-10]: 7Why: Refactoring repeated logic into a setup function improves maintainability and readability, although it is not critical. This suggestion correctly identifies and addresses the improvement. | 7 |
Isolate certificate matching logic into a separate function for clarity and maintainability___ **Refactor the loop that checks for a matching certificate to a separate function.This will improve code readability and maintainability by isolating specific logic into a dedicated function, making the main validation function cleaner and easier to understand.** [internal/crypto/helpers.go [105-124]](https://github.com/TykTechnologies/tyk/pull/6405/files#diff-3d1fc755c46eaa99e9f1edf358b9e00842342ae6333902959d7a68b46d156829R105-R124) ```diff -for _, peerCertificate := range r.TLS.PeerCertificates { - certID := HexSHA256(peerCertificate.Raw) - for _, cert := range certs { - if cert == nil { - continue - } - if string(cert.Leaf.Extensions[0].Value) == certID { - if time.Now().After(cert.Leaf.NotAfter) { - return ErrCertExpired +func matchCertificate(peerCertificates []*x509.Certificate, certs []*tls.Certificate) error { + for _, peerCertificate := range peerCertificates { + certID := HexSHA256(peerCertificate.Raw) + for _, cert := range certs { + if cert == nil { + continue } - return nil + if string(cert.Leaf.Extensions[0].Value) == certID { + if time.Now().After(cert.Leaf.NotAfter) { + return ErrCertExpired + } + return nil + } } } + return errors.New("no matching certificate found") } ``` Suggestion importance[1-10]: 7Why: Isolating the certificate matching logic into a separate function improves readability and maintainability, making the main function cleaner. This suggestion correctly identifies and addresses the improvement. | 7 |
Failed conditions
C Reliability Rating on New Code (required β₯ A)
See analysis details on SonarCloud
Catch issues before they fail your Quality Gate with our IDE extension SonarLint
User description
Description
mTLS: allow validating client certificates against root certificate authority
Related Issue
Parent: https://tyktech.atlassian.net/browse/TT-1570 Subtask: https://tyktech.atlassian.net/browse/TT-12587
Motivation and Context
How This Has Been Tested
Screenshots (if appropriate)
Types of changes
Checklist
PR Type
Enhancement, Tests
Description
ValidateRequestCerts
function to handle multiple peer certificates and improved error handling.Changes walkthrough π
cert_test.go
Add mTLS validation tests and certificate generation helpers
gateway/cert_test.go
certificate authority.
certificates and keys.
scenarios.
helpers.go
Enhance certificate validation logic in mTLS
internal/crypto/helpers.go
ValidateRequestCerts
to handle multiple peer certificates.