choria-legacy / go-security Goto Github PK

os.Geteuid always returns -1 on windows.

Relates to choria-io/go-choria#617

https://github.com/choria-io/go-security/blob/6440c9b8406c0f45440a8da5bacad016097f00f9/filesec/file_security.go#L310-L319

Limits us to just choria=bob but when using a signer service that service want to set [email protected] or whatever

Related to choria-legacy/go-network-broker#75, allow users to select a list of available ciphers at runtime.

Default to a more sensible list.

Support configuration of ECC preferences.

A use case not tested for is when the server knows the intermediate CA(s), and the client only provides a single certificate.

Add tests to cover this case.

We have rego now in mcorpc and in aaasvc, we have a fairly solid idea of how this will look for choria so we can probably extract out something generic before we take next steps:

• rego evaluation in provisioning server
• possibly in federation broker to control routing decisions

The basic things we need are:

• send in inputs in a map[string]interface{}
• query to run
• module name
• supply optional functions
• configure path to the rego file to use OR supply the rego file as bytes
• configure tracing or not

Something like:

pass, err := thing.Evaluate(inputs, logger, File(f), Trace())

or

pass, err := thing.Evaluate(inputs, logger, Policy(p), Trace())

And error I guess have to be something like rego errors with extra context associated

We'd also have a configuration Functions(f) which would take a function map to add to the rego runtime like aaasvc does.

This would be rego specific, i dont really have the appetite now to make a whole abstraction that can support other forms of policy engine.

What do you think @vjanelle

If you change the whitelists, go-security filesec will reference a cached item and not check the identity in the future.

https://github.com/choria-io/go-security/blob/6440c9b8406c0f45440a8da5bacad016097f00f9/filesec/file_security.go#L276-L282

It's typical that privilged certs are going to - when in use - be used for bulk of requests, they should be checked first

choria 0.10.

With client certificates containing a subject alternate name of email. e.g.

           X509v3 Subject Alternative Name: 
                othername:<unsupported>, email:[email protected]

the choria server always fails to parse and validate this correctly and results in

{"level":"error","msg":"Could not cache Client Certificate: certificate 'email' did not pass validation","time":"2019-04-12T17:16:28+02:00"}

https://golang.org/src/crypto/x509/verify.go line 756 all SANs are assumed to be DNSnames.

When the cert has not changed and SecurityAlwaysOverwriteCache is set we still see lines like below logged while the cert isnt actually being cached:

https://github.com/choria-io/go-security/blob/20b0225a2d5503d1a583518cea788902be351cb0/filesec/file_security.go#L685

When a user certificate exist and we're checking all possible certs check the user specific one first this way we avoid a bunch of needless privileged checks and related logging

To maintain consistency with mcollectived config, the regex string for this option should work with or without surrounding forward slashes. E.g.:

plugin.choria.security.certname_whitelist = /\.mcollective$/, /\.mco$/

or

plugin.choria.security.certname_whitelist = \.mcollective$, \.mco$

Currently only the latter works.

Support signing requests against aaasvc

Our mTLS certificates have the x509.ExtKeyUsageClientAuth field set. Crypto/TLS won't validate certificates unless told to accept it.

relates to choria-io/go-choria#344

Here:

https://github.com/choria-io/go-security/blob/45bb7647cf407fb149ecab618a57dbaf29f3686b/filesec/file_security.go#L119-L121

and here:

https://github.com/choria-io/go-security/blob/45bb7647cf407fb149ecab618a57dbaf29f3686b/puppetsec/puppet_security.go#L149-L151

errors are silently ignored

Upstream configuration key change in choria-io/go-choria#476 - Need to make go-security filesec utilize this behaviour.

It's just too slow and annoying, but retain the ability

When AlwaysOverwriteCache is set overwrites and logs should only happen when they change

In my environment, we need to use yubikeys to authenticate everywhere. Adding a pkcs11 provider would allow us to use Choria with our security model.

If your client sends a list of intermediate certificates, go-security filesec won't understand what to do with them.

This is common in our mTLS use case.

When determining if a certificate has to be cached we first check its signed by the CA then if its privileged:

https://github.com/choria-io/go-security/blob/6440c9b8406c0f45440a8da5bacad016097f00f9/filesec/file_security.go#L631-L639

Here though name would be the callerid not the name found in the certificate, we need to parse the certificate and check it using its cert.Subject.CommonName.