mountebank
mutualAuth not working as expected
Expected behaviour
A connection missing a client certificate should be rejected.
Actual behaviour
The requester gets the response without presenting a certificate.
Steps to reproduce
Use the following config:
{
  "port": 443,
  "protocol": "https",
  "name": "test",
  "mutualAuth": true,
  "defaultResponse": {
    "statusCode": 400,
    "body": "Bad Request",
    "headers": {}
  },
  "stubs": [
    {
      "predicates": [
        {
          "matches": {
            "path": "/API/ID/\\d+/"
          }
        }
      ],
      "responses": [
        {
          "is": {
            "body": {
              "password": [
                "password123"
              ],
              "id": "$ID[1]",
              "success": true
            }
          },
          "headers": {
            "Content-Type": "application/json"
          },
          "behaviors": [
            {
              "copy": {
                "from": "path",
                "into": "$ID",
                "using": {
                  "method": "regex",
                  "selector": "(\\d+)/?$"
                }
              }
            }
          ]
        }
      ]
    }
  ]
}
Software versions used
OS : RHEL 7.6
mountebank : 2.4.0
node.js : 14.17
Installation method : npm
Log contents in mb.log when running mb --loglevel debug
test_1 | debug: [https:443 test-env] ::ffff:10.1.0.3:52492 ESTABLISHED
test_1 | info: [https:443 test-env] ::ffff:10.1.0.3:52492 => GET /API/ID/123456/
test_1 | debug: [https:443 test-env] ::ffff:10.1.0.3:52492 => {"requestFrom":"::ffff:10.1.0.3:52492","method":"GET","path":"/API/ID/123456/","query":{},"headers":{"User-Agent":"curl/7.29.0","Host":"test-env","Accept":"*/*"},"body":"","ip":"::ffff:10.1.0.3"}
test_1 | debug: [https:443 test-env] using predicate match: [{"matches":{"path":"/API/ID/\\d+/"}}]
test_1 | debug: [https:443 test-env] generating response from {"is":{"body":{"password":["password123"],"id":"$ID[1]","success":true}},"headers":{"Content-Type":"application/json"},"behaviors":[{"copy":{"from":"path","into":"$ID","using":{"method":"regex","selector":"(\\d+)/?$"}}}]}
test_1 | debug: [https:443 test-env] using stub response behavior [{"copy":{"from":"path","into":"$ID","using":{"method":"regex","selector":"(\\d+)/?$"}}}]
test_1 | debug: [https:443 test-env] Replacing "$ID[0]" with "123456/"
test_1 | debug: [https:443 test-env] Replacing "$ID[1]" with "123456"
test_1 | debug: [https:443 test-env] Replacing "$ID" with "123456/"
test_1 | debug: [https:443 test-env] Replacing "$ID[0]" with "123456/"
test_1 | debug: [https:443 test-env] Replacing "$ID[1]" with "123456"
test_1 | debug: [https:443 test-env] Replacing "$ID" with "123456/"
test_1 | debug: [https:443 test-env] Replacing "$ID[0]" with "123456/"
test_1 | debug: [https:443 test-env] Replacing "$ID[1]" with "123456"
test_1 | debug: [https:443 test-env] Replacing "$ID" with "123456/"
test_1 | debug: [https:443 test-env] Replacing "$ID[0]" with "123456/"
test_1 | debug: [https:443 test-env] Replacing "$ID[1]" with "123456"
test_1 | debug: [https:443 test-env] Replacing "$ID" with "123456/"
test_1 | debug: [https:443 test-env] Replacing "$ID[0]" with "123456/"
test_1 | debug: [https:443 test-env] Replacing "$ID[1]" with "123456"
test_1 | debug: [https:443 test-env] Replacing "$ID" with "123456/"
test_1 | debug: [https:443 test-env] Replacing "$ID[0]" with "123456/"
test_1 | debug: [https:443 test-env] Replacing "$ID[1]" with "123456"
test_1 | debug: [https:443 test-env] Replacing "$ID" with "123456/"
test_1 | debug: [https:443 test-env] Replacing "$ID[0]" with "123456/"
test_1 | debug: [https:443 test-env] Replacing "$ID[1]" with "123456"
test_1 | debug: [https:443 test-env] Replacing "$ID" with "123456/"
test_1 | debug: [https:443 test-env] ::ffff:10.1.0.3:52492 <= {"statusCode":400,"headers":{"Connection":"close"},"body":"{\n \"password\": [\n \"password123\"\n ],\n \"id\": \"123456\",\n \"success\": true\n}","_mode":"text"}
test_1 | debug: [https:443 test-env] ::ffff:10.1.0.3:52492 CLOSED
See https://groups.google.com/g/mountebank-discuss/c/33guz5g7GGs/m/-sMGZxJgAgAJ for details
@bbyars, do you have any recommendations regarding a path forward with this issue? My organization absolutely must have this feature in place... I'm happy to contribute if I can, but I wanted to see if you're aware of any workarounds or working configurations? Thanks very much!
Hi there, I'm unaware of any other contributors looking to solve this issue (and I'm certainly struggling with some near-term bandwidth constraints). If you have the interest / time in making a contribution, I'm happy to support and merge. LMK if you need some pointers.
On Fri, Aug 26, 2022 at 9:40 AM everettcomstock @.***> wrote:
@bbyars https://github.com/bbyars, do you have any recommendations regarding a path forward with this issue? My organization absolutely must have this feature in place... I'm happy to contribute if I can, but I wanted to see if you're aware of any workarounds or working configurations? Thanks very much!
Thanks for the quick reply. I'm going to discuss with my team and see if we can carve out some time.
@bbyars, one of my guys submitted a PR to start chipping away at some updates. We'd appreciate any guidance or feedback:
https://github.com/bbyars/mountebank/pull/694
Thanks!