## Overview

Traffic Ops needs to accept Impersonation Certificates as described in the blueprint: https://github.com/apache/trafficcontrol/blob/master/blueprints/client-certificate-auth.md#traffic-ops-impact

Currently, TO only accepts a UID presented directly in the Subject of a client certificate. TO MUST accept a UID presented in the Client-Cert-Subject field as well. If a client certificate with an empty UID in the Subject field is presented in a request that also contains a Client-Cert-Subject HTTP header, TO MUST use the contents of the Client-Cert-Subject header to determine the UID of the client.

## Which Traffic Control components are affected by this PR?

Traffic Ops

## What is the best way to verify this PR?

Manual Testing

Test certificates can be created using the file located at `trafficcontrol/experimental/certificate_auth/certs/generate_certs.go`. Ensure that the UID field is empty at this line: https://github.com/apache/trafficcontrol/blob/a89223526370e10b49ba26d0e302e1f3a4617374/experimental/certificate_auth/certs/generate_certs.go#L58

```go
uid = ""
```

Running `go run generate_certs.go` will produce private keys and certificates for Root, Intermediate, and Client. Place the Root certificate in the directory location specified in the `cdn.conf` file.

Launch a Traffic Ops instance.

In the `trafficcontrol/experimental/certificate_auth/example/client.go` file, uncomment the following line to set the UID via the Client-Cert-Subject header, and change the UID value to match the user you want to authenticate:

```go
req.Header.Set("Client-Cert-Subject", "CN=client,OU=client,O=client,L=client,ST=client,C=US,UID=userID")
```

Run the `client.go` file to send a request to the Traffic Ops `user/login` endpoint with the Client and Intermediate certs along with the HTTP header Client-Cert-Subject:

```
go run client.go
```

Upon success, a 200 OK status code will be returned along with the following body:

## If this is a bugfix, which Traffic Control versions contained the bug?

## PR submission checklist