Merge pull request #201 from ARGOeu/devel

Version 1.3.0

argo-api-authn.spec

@@ -3,7 +3,7 @@
 
 Name: argo-api-authn
 Summary: ARGO Authentication API. Map X509, OICD to token.
-Version: 1.2.0
+Version: 1.3.0
 Release: 1%{?dist}
 License: ASL 2.0
 Buildroot: %{_tmppath}/%{name}-buildroot
@@ -60,8 +60,10 @@ go install -buildmode=pie -ldflags "-s -w -linkmode=external -extldflags '-z rel
 %attr(0644,root,root) /usr/lib/systemd/system/argo-api-authn.service
 
 %changelog
+* Wed Jan 24 2024 Agelos Tsalapatis  <[email protected]> - 1.3.0-1%{?dist}
+- Release of argo-api-authn version 1.3.0
 * Tue Dec 19 2023 Agelos Tsalapatis  <[email protected]> - 1.2.0-1%{?dist}
-- Release of argo-api-authn version 1.1.0
+- Release of argo-api-authn version 1.2.0
 * Tue Sep 26 2023 Agelos Tsalapatis  <[email protected]> - 1.1.0-1%{?dist}
 - Release of argo-api-authn version 1.1.0
 * Mon Oct 10 2022 Agelos Tsalapatis  <[email protected]> - 1.0.0-1%{?dist}

auth/revoke.go

@@ -20,7 +20,7 @@ func CRLCheckRevokedCert(ctx context.Context, cert *x509.Certificate) error {
 
 	var err error
 	var goMaxP, psi, csi int
-	var crtList x509.RevocationList
+	var revokedCertificatesList []pkix.RevokedCertificate
 	var errChan = make(chan error)
 	var doneChan = make(chan bool, 1)
 
@@ -49,7 +49,7 @@ func CRLCheckRevokedCert(ctx context.Context, cert *x509.Certificate) error {
 			// count how much time it takes to fetch a crl
 			t1 := time.Now()
 			// grab the crl
-			if crtList, err = FetchCRL(ctx, crlURL); err != nil {
+			if revokedCertificatesList, err = FetchCRL(ctx, crlURL); err != nil {
 				errChan <- err
 			}
 
@@ -70,7 +70,7 @@ func CRLCheckRevokedCert(ctx context.Context, cert *x509.Certificate) error {
 			// representing the previous index where we sliced the revoked certificate list
 			psi = 0
 
-			rvkCrtListLen := len(crtList.RevokedCertificates)
+			rvkCrtListLen := len(revokedCertificatesList)
 			log.WithFields(
 				log.Fields{
 					"trace_id":        ctx.Value("trace_id"),
@@ -90,13 +90,13 @@ func CRLCheckRevokedCert(ctx context.Context, cert *x509.Certificate) error {
 			for j := 1; j <= goMaxP; j++ {
 
 				csi = psi + rvkCrtListLen/goMaxP
-				if len(crtList.RevokedCertificates[psi:])/goMaxP < 2 {
+				if len(revokedCertificatesList[psi:])/goMaxP < 2 {
 					wg.Add(1)
-					go SynchronizedCheckInCRL(doneChan, errChan, crtList.RevokedCertificates[psi:], cert.SerialNumber, wg)
+					go SynchronizedCheckInCRL(doneChan, errChan, revokedCertificatesList[psi:], cert.SerialNumber, wg)
 					break
 				}
 				wg.Add(1)
-				go SynchronizedCheckInCRL(doneChan, errChan, crtList.RevokedCertificates[psi:csi], cert.SerialNumber, wg)
+				go SynchronizedCheckInCRL(doneChan, errChan, revokedCertificatesList[psi:csi], cert.SerialNumber, wg)
 				psi = csi
 			}
 		}(doneChan, errChan, wg, crlURL)
@@ -156,8 +156,8 @@ loop:
 	defer wg.Done()
 }
 
-// FetchCRL fetches the CRL
-func FetchCRL(ctx context.Context, url string) (x509.RevocationList, error) {
+// FetchCRLV2 fetches the CRL using the V2 x509 version
+func FetchCRLV2(ctx context.Context, url string) ([]pkix.RevokedCertificate, error) {
 
 	var err error
 	var resp *http.Response
@@ -178,7 +178,7 @@ func FetchCRL(ctx context.Context, url string) (x509.RevocationList, error) {
 			},
 		).Error("CRL Request error")
 		err = utils.APIGenericInternalError(fmt.Sprintf("Could not access CRL %v", url))
-		return x509.RevocationList{}, err
+		return []pkix.RevokedCertificate{}, err
 	}
 
 	// read the response
@@ -193,7 +193,7 @@ func FetchCRL(ctx context.Context, url string) (x509.RevocationList, error) {
 			},
 		).Error("Unable to read CRL data")
 		err = utils.APIGenericInternalError("Unable to read CRL Data")
-		return x509.RevocationList{}, err
+		return []pkix.RevokedCertificate{}, err
 	}
 
 	defer resp.Body.Close()
@@ -210,8 +210,68 @@ func FetchCRL(ctx context.Context, url string) (x509.RevocationList, error) {
 			},
 		).Error("Unable to parse CRL data")
 		err = utils.APIGenericInternalError("Unable to parse CRL Data")
-		return x509.RevocationList{}, err
+		return []pkix.RevokedCertificate{}, err
+	}
+
+	return crtList.RevokedCertificates, err
+}
+
+// FetchCRL fetches the CRL
+func FetchCRL(ctx context.Context, url string) ([]pkix.RevokedCertificate, error) {
+
+	var err error
+	var resp *http.Response
+	var crlBytes []byte
+
+	var crtList = &pkix.CertificateList{}
+
+	// initialize the client and perform a get request to grab the crl
+	client := &http.Client{Timeout: time.Duration(30 * time.Second)}
+	if resp, err = client.Get(url); err != nil {
+		log.WithFields(
+			log.Fields{
+				"trace_id":        ctx.Value("trace_id"),
+				"type":            "backend_log",
+				"backend_service": "crl",
+				"backend_hosts":   url,
+				"details":         err.Error(),
+			},
+		).Error("CRL Request error")
+		err = utils.APIGenericInternalError(fmt.Sprintf("Could not access CRL %v", url))
+		return []pkix.RevokedCertificate{}, err
+	}
+
+	// read the response
+	if crlBytes, err = io.ReadAll(resp.Body); err != nil {
+		log.WithFields(
+			log.Fields{
+				"trace_id":        ctx.Value("trace_id"),
+				"type":            "backend_log",
+				"backend_service": "crl",
+				"backend_hosts":   url,
+				"details":         err.Error(),
+			},
+		).Error("Unable to read CRL data")
+		err = utils.APIGenericInternalError("Unable to read CRL Data")
+		return []pkix.RevokedCertificate{}, err
+	}
+
+	defer resp.Body.Close()
+
+	// create the crl from the byte slice
+	if crtList, err = x509.ParseCRL(crlBytes); err != nil {
+		log.WithFields(
+			log.Fields{
+				"trace_id":        ctx.Value("trace_id"),
+				"type":            "backend_log",
+				"backend_service": "crl",
+				"backend_hosts":   url,
+				"details":         err.Error(),
+			},
+		).Error("Unable to parse CRL data")
+		err = utils.APIGenericInternalError("Unable to parse CRL Data")
+		return []pkix.RevokedCertificate{}, err
 	}
 
-	return *crtList, err
+	return crtList.TBSCertList.RevokedCertificates, err
 }

handlers/certificate_handlers.go

@@ -40,6 +40,16 @@ func AuthViaCert(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	log.WithFields(
+		log.Fields{
+			"trace_id":     rCTX.Value("trace_id"),
+			"type":         "service_log",
+			"service_type": serviceType.Name,
+			"host":         vars["host"],
+			"certificate":  r.TLS.PeerCertificates[0].Subject.String(),
+		},
+	).Info("New Certificate request")
+
 	// validate the certificate
 	if cfg.VerifyCertificate {
 		err = auth.ValidateClientCertificate(rCTX, r.TLS.PeerCertificates[0], r.RemoteAddr, cfg.ClientCertHostVerification)
@@ -74,19 +84,10 @@ func AuthViaCert(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// Find the binding associated with the provided certificate
+	// If all checks have passed, extract the RDN sequence
 	rdnSequence := auth.ExtractEnhancedRDNSequenceToString(r.TLS.PeerCertificates[0])
 
-	log.WithFields(
-		log.Fields{
-			"trace_id":     rCTX.Value("trace_id"),
-			"type":         "service_log",
-			"rdn":          rdnSequence,
-			"service_type": serviceType.Name,
-			"host":         vars["host"],
-		},
-	).Info("New Certificate request")
-
+	// Find the binding associated with the provided certificate
 	if binding, err = bindings.FindBindingByAuthID(rCTX, rdnSequence, serviceType.UUID, vars["host"], "x509", store); err != nil {
 		utils.RespondError(rCTX, w, err)
 		return

version/version.go

@@ -10,7 +10,7 @@ import (
 
 var (
 	// Release version of the service. Bump it up during new version release
-	Release = "1.2.0"
+	Release = "1.3.0"
 	// Commit hash provided during build
 	Commit = "Unknown"
 	// BuildTime provided during build