Currently, TO only accepts a UID presented directly in the Subject of a client certificate. TO MUST accept a UID presented in the Client-Cert-Subject field as well. If a client certificate with an empty UID in the Subject field is presented in a request that also contains a Client-Cert-Subject HTTP header, TO MUST use the contents of the Client-Cert-Subject header to determine the UID of the client.
## Which Traffic Control components are affected by this PR?
Traffic Ops
What is the best way to verify this PR?
Manual Testing,
Test certificates can be created using the file located at,
Running go run generate_certs.go will produce private keys and certificates for Root, Intermediate, and Client. Place the Root certificate in the directory location specified in the cdn.conf file,
In the trafficcontrol/experimental/certificate_auth/example/client.go file, uncomment the following line to set UID via Client-Cert-Subject header and change the UID value to match the user you want to authenticate,
run the client.go file to send a request to the user/login Traffic Ops with the Client and Intermediate certs along with the http header Client-Cert-Subject ,
go run client.go
Upon success, a 200 OK status code will be returned along with the following body:
jagan-parthiban
commented
3 weeks ago
Overview,
Traffic Ops needs to accept Impersonation Certificates as described in the blueprint: https://github.com/apache/trafficcontrol/blob/master/blueprints/client-certificate-auth.md#traffic-ops-impact
Currently, TO only accepts a UID presented directly in the Subject of a client certificate. TO MUST accept a UID presented in the Client-Cert-Subject field as well. If a client certificate with an empty UID in the Subject field is presented in a request that also contains a Client-Cert-Subject HTTP header, TO MUST use the contents of the Client-Cert-Subject header to determine the UID of the client.
## Which Traffic Control components are affected by this PR?
What is the best way to verify this PR?
Manual Testing,
trafficcontrol/experimental/certificate_auth/certs/generate_certs.goEnsure that the UID field is empty at line, https://github.com/apache/trafficcontrol/blob/a89223526370e10b49ba26d0e302e1f3a4617374/experimental/certificate_auth/certs/generate_certs.go#L58
uid = ""Running
go run generate_certs.gowill produce private keys and certificates for Root, Intermediate, and Client. Place the Root certificate in the directory location specified in thecdn.conffile,Launch a Traffic Ops instance.
In the
trafficcontrol/experimental/certificate_auth/example/client.gofile, uncomment the following line to set UID viaClient-Cert-Subjectheader and change theUIDvalue to match the user you want to authenticate,req.Header.Set("Client-Cert-Subject", "CN=client,OU=client,O=client,L=client,ST=client,C=US,UID=userID")client.gofile to send a request to the user/login Traffic Ops with the Client and Intermediate certs along with the http header Client-Cert-Subject ,go run client.goIf this is a bugfix, which Traffic Control versions contained the bug?
PR submission checklist