choria-legacy / go-security
Abstraction over various security systems Choria supports
License: Apache License 2.0
os.Geteuid always returns -1 on Windows.
Relates to choria-io/go-choria#617
Limits us to just choria=bob, but when using a signer service that service wants to set [email protected] or whatever.
Related to choria-legacy/go-network-broker#75, allow users to select a list of available ciphers at runtime.
Default to a more sensible list.
Support configuration of ECC preferences.
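The two requests above (a runtime-selectable cipher list with a sensible default, plus ECC preferences) come down to turning operator-supplied names into the IDs crypto/tls expects without letting a typo or a legacy suite through. The following is an added example, not go-security or go-network-broker code; the config shape (two string lists), the helper names and the "P256"/"X25519" curve spelling are assumptions of the example. Names are resolved against tls.CipherSuites(), and anything Go itself lists under tls.InsecureCipherSuites() is a hard error rather than a silent fallback.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// DefaultCipherSuites is this example's "more sensible" default: ECDHE key
// exchange with AEAD ciphers only, in preference order. The names are the
// standard ones crypto/tls reports from tls.CipherSuites().
var DefaultCipherSuites = []string{
	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

// CipherSuitesByName resolves operator-supplied suite names into the IDs
// crypto/tls expects. Unknown names and names Go classifies as insecure are
// hard errors, so a typo or a legacy suite cannot silently widen the policy.
func CipherSuitesByName(names []string) ([]uint16, error) {
	secure := map[string]uint16{}
	for _, cs := range tls.CipherSuites() {
		secure[cs.Name] = cs.ID
	}
	insecure := map[string]bool{}
	for _, cs := range tls.InsecureCipherSuites() {
		insecure[cs.Name] = true
	}
	var ids []uint16
	for _, raw := range names {
		name := strings.TrimSpace(raw)
		if name == "" {
			continue
		}
		if insecure[name] {
			return nil, fmt.Errorf("cipher suite %q is classified insecure by crypto/tls", name)
		}
		id, ok := secure[name]
		if !ok {
			return nil, fmt.Errorf("unknown cipher suite %q", name)
		}
		ids = append(ids, id)
	}
	if len(ids) == 0 {
		return nil, fmt.Errorf("no usable cipher suites configured")
	}
	return ids, nil
}

// CurvesByName resolves ECC preference names (the "P256"/"X25519" spelling is
// an assumption of this example) into tls.CurveID values.
func CurvesByName(names []string) ([]tls.CurveID, error) {
	known := map[string]tls.CurveID{
		"X25519": tls.X25519, "P256": tls.CurveP256, "P384": tls.CurveP384, "P521": tls.CurveP521,
	}
	var curves []tls.CurveID
	for _, raw := range names {
		name := strings.TrimSpace(raw)
		id, ok := known[name]
		if !ok {
			return nil, fmt.Errorf("unknown curve %q", name)
		}
		curves = append(curves, id)
	}
	return curves, nil
}

// BuildTLSConfig turns the two configured lists into a tls.Config for a broker
// that requires client certificates. Empty lists fall back to the defaults.
func BuildTLSConfig(cipherNames, curveNames []string) (*tls.Config, error) {
	if len(cipherNames) == 0 {
		cipherNames = DefaultCipherSuites
	}
	if len(curveNames) == 0 {
		curveNames = []string{"X25519", "P256"}
	}
	ids, err := CipherSuitesByName(cipherNames)
	if err != nil {
		return nil, err
	}
	curves, err := CurvesByName(curveNames)
	if err != nil {
		return nil, err
	}
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		CipherSuites:     ids,
		CurvePreferences: curves,
		ClientAuth:       tls.RequireAndVerifyClientCert,
	}, nil
}

func main() {
	if cfg, err := BuildTLSConfig(nil, nil); err != nil {
		fmt.Println("defaults:", err)
	} else {
		fmt.Println("default suites:", len(cfg.CipherSuites), "curves:", len(cfg.CurvePreferences))
	}
	_, err := BuildTLSConfig([]string{"TLS_RSA_WITH_RC4_128_SHA"}, nil)
	fmt.Println("RC4 suite:", err)
}
```

Note that tls.Config.CipherSuites only governs TLS 1.2 and below; TLS 1.3 suites are fixed by crypto/tls and cannot be narrowed this way, so the list above is a TLS 1.2 policy sitting behind MinVersion.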
A use case not tested for is when the server knows the intermediate CA(s), and the client only provides a single certificate.
Add tests to cover this case.
We have rego now in mcorpc and in aaasvc, and we have a fairly solid idea of how this will look for choria, so we can probably extract out something generic before we take the next steps:
The basic things we need are:
map[string]interface{}
Something like:
pass, err := thing.Evaluate(inputs, logger, File(f), Trace())
or
pass, err := thing.Evaluate(inputs, logger, Policy(p), Trace())
And errors, I guess, have to be something like rego errors with extra context associated.
We'd also have a configuration Functions(f) which would take a function map to add to the rego runtime like aaasvc does.
This would be rego specific; I don't really have the appetite now to make a whole abstraction that can support other forms of policy engine.
What do you think @vjanelle
If you change the whitelists, go-security filesec will reference a cached item and not check the identity in the future.
It's typical that privileged certs are going to, when in use, be used for the bulk of requests, so they should be checked first.
choria 0.10.
With client certificates containing a subject alternative name of email, e.g.
X509v3 Subject Alternative Name:
othername:<unsupported>, email:[email protected]
the choria server always fails to parse and validate this correctly and results in
{"level":"error","msg":"Could not cache Client Certificate: certificate 'email' did not pass validation","time":"2019-04-12T17:16:28+02:00"}
At https://golang.org/src/crypto/x509/verify.go line 756, all SANs are assumed to be DNS names.
When the cert has not changed and SecurityAlwaysOverwriteCache is set we still see lines like below logged while the cert isn't actually being cached:
When a user certificate exists and we're checking all possible certs, check the user-specific one first; this way we avoid a bunch of needless privileged checks and related logging.
To maintain consistency with mcollectived config, the regex string for this option should work with or without surrounding forward slashes. E.g.:
plugin.choria.security.certname_whitelist = /\.mcollective$/, /\.mco$/
or
plugin.choria.security.certname_whitelist = \.mcollective$, \.mco$
Currently only the latter works.
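The parsing the issue asks for (accept each whitelist entry with or without the mcollectived-style surrounding slashes) has one trap worth handling explicitly: stripping slashes from an entry such as "//" would leave an empty regex that matches every certname, which on a privileged-cert whitelist is the worst possible failure. The following is an added example, not go-security's own parser; the function names are assumptions of the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// CompileCertnameWhitelist parses the comma-separated value of
// plugin.choria.security.certname_whitelist, accepting each entry with or
// without surrounding forward slashes, as mcollectived config allowed.
func CompileCertnameWhitelist(value string) ([]*regexp.Regexp, error) {
	var patterns []*regexp.Regexp
	for _, raw := range strings.Split(value, ",") {
		entry := strings.TrimSpace(raw)
		if entry == "" {
			continue // tolerate a trailing comma or doubled separator
		}
		// Strip exactly one pair of surrounding slashes, then refuse an empty
		// pattern: "//" must not become a regex that matches every certname.
		if len(entry) >= 2 && strings.HasPrefix(entry, "/") && strings.HasSuffix(entry, "/") {
			entry = entry[1 : len(entry)-1]
		}
		if entry == "" {
			return nil, fmt.Errorf("empty whitelist pattern in %q", raw)
		}
		re, err := regexp.Compile(entry)
		if err != nil {
			return nil, fmt.Errorf("invalid whitelist pattern %q: %w", raw, err)
		}
		patterns = append(patterns, re)
	}
	return patterns, nil
}

// IsWhitelisted reports whether certname matches any compiled whitelist entry.
func IsWhitelisted(certname string, patterns []*regexp.Regexp) bool {
	for _, re := range patterns {
		if re.MatchString(certname) {
			return true
		}
	}
	return false
}

func main() {
	// Both spellings from the issue, plus a few constructed certnames to test against.
	for _, cfg := range []string{`/\.mcollective$/, /\.mco$/`, `\.mcollective$, \.mco$`} {
		patterns, err := CompileCertnameWhitelist(cfg)
		if err != nil {
			panic(err)
		}
		for _, name := range []string{"rip.mcollective", "bob.mco", "bob.choria"} {
			fmt.Printf("%-28s %-16s whitelisted=%v\n", cfg, name, IsWhitelisted(name, patterns))
		}
	}
}
```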
Support signing requests against aaasvc
Our mTLS certificates have the x509.ExtKeyUsageClientAuth field set. crypto/tls won't validate certificates unless told to accept it.
relates to choria-io/go-choria#344
Upstream configuration key change in choria-io/go-choria#476 - Need to make go-security filesec utilize this behaviour.
It's just too slow and annoying, but retain the ability
When AlwaysOverwriteCache is set, overwrites and logs should only happen when they change
In my environment, we need to use yubikeys to authenticate everywhere. Adding a pkcs11 provider would allow us to use Choria with our security model.
If your client sends a list of intermediate certificates, go-security filesec won't understand what to do with them.
This is common in our mTLS use case.
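Three of the issues above are really one verification path done carefully in Go: a client that sends intermediates (this issue), a server that knows the intermediates while the client sends only its leaf (the untested case above), a leaf whose only SAN is an email so that passing the identity as a DNS name fails (the SAN email issue), and a leaf carrying only ExtKeyUsageClientAuth, which x509.Verify rejects unless KeyUsages says client auth. The following is an added example, not go-security filesec code; the function names, the in-memory Ed25519 test CA and the sample identity bob@example.net are constructed for the example. Client-supplied intermediates only ever go into the Intermediates pool, never Roots, and the identity is checked against the CN and each SAN type explicitly instead of through VerifyOptions.DNSName.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template builds a minimal template: CA templates get the constraints Go's
// verifier expects of issuers, leaf templates get the mTLS client-auth EKU.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// issue signs tmpl with parent/parentKey (self-signed when parent is nil); failures are fatal here.
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, priv
}

// BuildDemoChain constructs root -> intermediate -> leaf in memory; the leaf has only a constructed email SAN.
func BuildDemoChain() (root, inter, leaf *x509.Certificate) {
	root, rootKey := issue(template("Demo Root CA", 1, true), nil, nil)
	inter, interKey := issue(template("Demo Intermediate CA", 2, true), root, rootKey)
	leafTmpl := template("bob", 3, false)
	leafTmpl.EmailAddresses = []string{"bob@example.net"}
	leaf, _ = issue(leafTmpl, inter, interKey)
	return
}

// VerifyClientChain verifies what the client presented (leaf first, then any
// intermediates it sent) against the server's roots. Client intermediates only
// ever enter the Intermediates pool, never Roots; serverKnown holds intermediates
// the server has on disk for clients that send only their leaf.
func VerifyClientChain(presented, serverKnown []*x509.Certificate, roots *x509.CertPool) ([][]*x509.Certificate, error) {
	if len(presented) == 0 {
		return nil, fmt.Errorf("no client certificate presented")
	}
	// Without KeyUsages, Verify assumes ServerAuth and rejects a client-auth-only leaf.
	opts := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool(),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	for _, certs := range [][]*x509.Certificate{presented[1:], serverKnown} {
		for _, c := range certs {
			opts.Intermediates.AddCert(c)
		}
	}
	return presented[0].Verify(opts)
}

// IdentityMatches compares a claimed identity against the subject CN and the DNS
// and email SANs explicitly; VerifyOptions.DNSName would treat an email as a hostname.
func IdentityMatches(cert *x509.Certificate, identity string) bool {
	if cert.Subject.CommonName == identity {
		return true
	}
	for _, names := range [][]string{cert.DNSNames, cert.EmailAddresses} {
		for _, n := range names {
			if n == identity {
				return true
			}
		}
	}
	return false
}

func main() {
	root, inter, leaf := BuildDemoChain()
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, withInter := VerifyClientChain([]*x509.Certificate{leaf, inter}, nil, roots)
	_, leafOnly := VerifyClientChain([]*x509.Certificate{leaf}, nil, roots)
	fmt.Println("leaf+intermediate:", withInter, "| leaf only:", leafOnly, "| SAN identity:", IdentityMatches(leaf, "bob@example.net"))
}
```

Chain verification and identity matching are deliberately two steps: Verify answers "does this chain to a root I trust, for client auth", and IdentityMatches answers "is it the caller it claims to be"; caching a cert as privileged on the strength of the first step alone is exactly the gap the callerid-versus-CN issue below describes.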
When determining if a certificate has to be cached we first check it's signed by the CA, then if it's privileged:
Here, though, name would be the callerid, not the name found in the certificate; we need to parse the certificate and check it using its cert.Subject.CommonName.