paulgessinger / swift-paperless

Native iOS app for interacting with a Paperless-ngx installation to manage documents
https://swift-paperless.gessinger.dev/
MIT License

Feature: Support for mTLS #119

Closed Nils-witt closed 4 months ago

Nils-witt commented 4 months ago

Added logic and UI for mTLS support to communicate with the api. Issue: #70

Added:

Tested with:

paulgessinger commented 4 months ago

Hey @Nils-witt! I'll try to go through this on the weekend.

Do you have any pointers to how to set up mTLS with Paperless, so I can test everything?

Nils-witt commented 4 months ago

There are different guides depending on the proxy you use. I use Nginx, and for testing I built myself this docker stack (should be enough for testing): https://github.com/Nils-witt/paperless-nginx-mtls

It's been a while since I initially configured Nginx for it, but this looks like it should work: https://medium.com/@mahernaija/how-to-configure-mutual-tls-mtls-for-nginx-736dec9f819d

paulgessinger commented 4 months ago

@Nils-witt ah, so this is on top of whatever auth setup Paperless uses, just between the device and the reverse proxy?

EDIT: So looking at the code, it seems like that's not the case. This bypasses the Paperless API token completely. How does this map the certificate to the user?

Nils-witt commented 4 months ago

Depending on your system, there is the primary function to authorize the connection to the client from the proxy. Additionally, in some setups the certificate CN or similar is extracted and passed to Paperless with the REMOTE_USER header.
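The two setups described in this comment, as an added example that is not part of the PR or of the linked docker stack: an nginx reverse proxy that requires a client certificate (first use case) and, optionally, forwards the certificate CN to Paperless-ngx as the Remote-User header (second use case). The hostname, certificate paths and the upstream name `paperless:8000` are assumptions.

```nginx
# Extract the CN from the subject DN of the verified client certificate.
# $ssl_client_s_dn is only populated after a successful verification.
map $ssl_client_s_dn $mtls_user {
    default            "";
    ~CN=(?<cn>[^,/]+)  $cn;
}

server {
    listen 443 ssl;
    server_name paperless.example.com;              # assumed hostname

    ssl_certificate     /etc/nginx/certs/server.crt;  # assumed paths
    ssl_certificate_key /etc/nginx/certs/server.key;

    # Mutual TLS: the CA that issued the client certificates (not the CA of
    # the server certificate), and reject every handshake without a valid
    # client certificate. This alone is the first use case: mTLS at the
    # proxy, Paperless API token unchanged.
    ssl_client_certificate /etc/nginx/certs/client-ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       1;

    location / {
        # Defence in depth: "ssl_verify_client on" already fails the
        # handshake, but this makes the requirement explicit per location.
        if ($ssl_client_verify != SUCCESS) { return 403; }

        # Second use case: map the certificate to a Paperless user.
        # proxy_set_header replaces any Remote-User header the client sent,
        # so the value always comes from the certificate. Paperless must run
        # with PAPERLESS_ENABLE_HTTP_REMOTE_USER=true and must be reachable
        # only through this proxy; otherwise the header could be forged by
        # connecting to the backend directly. Drop this line for the first
        # use case.
        proxy_set_header Remote-User $mtls_user;

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://paperless:8000;
    }
}
```

In the first use case the app still logs in with username/password or a token as before; in the second, the Paperless user named by the CN must already exist, because the header only identifies, it does not authorize.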

paulgessinger commented 4 months ago

@Nils-witt but is the first use case supported? If I'm reading the code correctly, if you enter the mTLS path, the app does not store a token at all. How does that work then?

Nils-witt commented 4 months ago

Thanks for the review, I will go over it later.

@Nils-witt but is the first use case supported? If I'm reading the code correctly, if you enter the mTLS path, the app does not store a token at all. How does that work then?

This should be defined by the toggle (and the var identityBasedAuth) on the LoginView. If it's not active, it should follow the original flow and just add the delegate (changes to the func login, mostly l. 239ff.).

The func loginIentityBased is for the second use case.

Nils-witt commented 4 months ago

I've adapted your proposed changes.

paulgessinger commented 3 months ago

For future reference, it's necessary to use openssl pkcs12 -legacy when exporting a PKCS12 for iOS (or macOS, for that matter) (https://forums.developer.apple.com/forums/thread/697030)