sssd/0088-secrets-allow-to-configure-certificate-check.patch

From 720e1a5b95a953a0f1c8315bbb7c9c1edf9fb417 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 28 Feb 2017 11:47:32 +0100
Subject: [PATCH 88/97] secrets: allow to configure certificate check

Some users may want to use TLS with unverified peer (for example if
they use self-signed certificate) or if unverified hostname (if
certificate hostname does not match with the real hostname). On the
other side it may be useful to point to a directory containing custom
certificate authorities.

This patch add three new options to secrets responder:
verify_peer => peer's certificate must be valid
verify_host => hostnames must match
capath => path to directory containing CA certs
cacert => ca certificate
cert => client certificate
key => client private key

Resolves:
https://pagure.io/SSSD/sssd/issue/3192

Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
 src/config/SSSDConfig/__init__.py.in |  6 +++
 src/config/cfg_rules.ini             |  6 +++
 src/config/etc/sssd.api.conf         |  6 +++
 src/man/sssd-secrets.5.xml           | 76 ++++++++++++++++++++++++++++++++++++
 src/responder/secrets/proxy.c        | 55 ++++++++++++++++++++++++++
 5 files changed, 149 insertions(+)

diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index a29d51e0ddffc520107a309d862346fb4d4f5f80..54ad722f07ef91a13a0df278ffd2b1c166bc8d36 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -137,6 +137,12 @@ option_strings = {
     'forward_headers': _('The list of the headers to forward to the Custodia server together with the request'),
     'username': _('The username to use when authenticating to a Custodia server using basic_auth'),
     'password': _('The password to use when authenticating to a Custodia server using basic_auth'),
+    'verify_peer': _('If true peer\'s certificate is verified if proxy_url uses https protocol'),
+    'verify_host': _('If false peer\'s certificate may contain different hostname then proxy_url when https protocol is used'),
+    'capath': _('Path to directory where certificate authority certificates are stored'),
+    'cacert': _('Path to file containing server\'s CA certificate'),
+    'cert': _('Path to file containing client\'s certificate'),
+    'key': _('Path to file containing client\'s private key'),
 
     # [provider]
     'id_provider' : _('Identity provider'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 1a749db754cedd87f263f7ae596d6f8238bb4357..e47ff33242d6a9e5979fe0eb8eea14c2af28685a 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -265,6 +265,12 @@ option = auth_header_value
 option = forward_headers
 option = username
 option = password
+option = verify_peer
+option = verify_host
+option = capath
+option = cacert
+option = cert
+option = key
 
 # KCM responder
 [rule/allowed_kcm_options]
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index a1a0c2992925a4c7df86832117eec2a0cf7894c9..f86589ecefa0b9e046aba781ded107f8e94395d6 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -114,6 +114,12 @@ auth_header_value = str, None, false
 forward_headers = list, None, false
 username = str, None, false
 password = str, None, false
+verify_peer = bool, None, false
+verify_host = bool, None, false
+capath = str, None, false
+cacert = str, None, false
+cert = str, None, false
+key = str, None, false
 
 [provider]
 #Available provider types
diff --git a/src/man/sssd-secrets.5.xml b/src/man/sssd-secrets.5.xml
index 80e9c405921e1fb46a3d172d9873deebfa5ed2ce..44a86c3fb56a8bdebebd01e9f49ad171986282a4 100644
--- a/src/man/sssd-secrets.5.xml
+++ b/src/man/sssd-secrets.5.xml
@@ -273,6 +273,82 @@ systemctl enable sssd-secrets.service
                 </para>
                 </listitem>
             </varlistentry>
+            <varlistentry>
+                <term>verify_peer (boolean)</term>
+                <listitem>
+                <para>
+                    Whether peer's certificate should be verified and valid
+                    if HTTPS protocol is used with the proxy provider.
+                </para>
+                <para>
+                    Default: true
+                </para>
+                </listitem>
+            </varlistentry>
+            <varlistentry>
+                <term>verify_host (boolean)</term>
+                <listitem>
+                <para>
+                    Whether peer's hostname must match with hostname in
+                    its certificate if HTTPS protocol is used with the
+                    proxy provider.
+                </para>
+                <para>
+                    Default: true
+                </para>
+                </listitem>
+            </varlistentry>
+            <varlistentry>
+                <term>capath (string)</term>
+                <listitem>
+                <para>
+                    Path to directory containing stored certificate authority
+                    certificates. System default path is used if this option is
+                    not set.
+                </para>
+                <para>
+                    Default: not set
+                </para>
+                </listitem>
+            </varlistentry>
+            <varlistentry>
+                <term>cacert (string)</term>
+                <listitem>
+                <para>
+                    Path to file containing server's certificate authority
+                    certificate. If this option is not set then the CA's
+                    certificate is looked up in <quote>capath</quote>.
+                </para>
+                <para>
+                    Default: not set
+                </para>
+                </listitem>
+            </varlistentry>
+            <varlistentry>
+                <term>cert (string)</term>
+                <listitem>
+                <para>
+                    Path to file containing client's certificate if required
+                    by the server. This file may also contain private key or
+                    the private key may be in separate file set with
+                    <quote>key</quote>.
+                </para>
+                <para>
+                    Default: not set
+                </para>
+                </listitem>
+            </varlistentry>
+            <varlistentry>
+                <term>key (string)</term>
+                <listitem>
+                <para>
+                    Path to file containing client's private key.
+                </para>
+                <para>
+                    Default: not set
+                </para>
+                </listitem>
+            </varlistentry>
         </variablelist>
     </refsect1>
     <refsect1 id='restapi'>
diff --git a/src/responder/secrets/proxy.c b/src/responder/secrets/proxy.c
index 3c495716010ac468c9e2f1fb6356529a8dbdc614..240a1de1e431d511a1eca24d8b463c37ba893e7b 100644
--- a/src/responder/secrets/proxy.c
+++ b/src/responder/secrets/proxy.c
@@ -59,6 +59,13 @@ struct proxy_cfg {
         struct pat_basic_auth basic;
         struct pat_header header;
     } auth;
+
+    char *key;
+    char *cert;
+    char *cacert;
+    char *capath;
+    bool verify_peer;
+    bool verify_host;
 };
 
 static int proxy_get_config_string(struct proxy_context *pctx,
@@ -129,6 +136,38 @@ static int proxy_sec_get_cfg(struct proxy_context *pctx,
         }
     }
 
+    ret = confdb_get_bool(pctx->cdb, secreq->cfg_section, "verify_peer",
+                          true, &cfg->verify_peer);
+    if (ret) goto done;
+    DEBUG(SSSDBG_CONF_SETTINGS, "verify_peer: %s\n",
+          (&cfg->verify_peer ? "true" : "false"));
+
+    ret = confdb_get_bool(pctx->cdb, secreq->cfg_section, "verify_host",
+                          true, &cfg->verify_host);
+    if (ret) goto done;
+    DEBUG(SSSDBG_CONF_SETTINGS, "verify_host: %s\n",
+          (&cfg->verify_host ? "true" : "false"));
+
+    ret = proxy_get_config_string(pctx, cfg, false, secreq,
+                                  "capath", &cfg->capath);
+    if (ret) goto done;
+    DEBUG(SSSDBG_CONF_SETTINGS, "capath: %s\n", cfg->capath);
+
+    ret = proxy_get_config_string(pctx, cfg, false, secreq,
+                                  "cacert", &cfg->cacert);
+    if (ret) goto done;
+    DEBUG(SSSDBG_CONF_SETTINGS, "cacert: %s\n", cfg->cacert);
+
+    ret = proxy_get_config_string(pctx, cfg, false, secreq,
+                                  "cert", &cfg->cert);
+    if (ret) goto done;
+    DEBUG(SSSDBG_CONF_SETTINGS, "cert: %s\n", cfg->cert);
+
+    ret = proxy_get_config_string(pctx, cfg, false, secreq,
+                                  "key", &cfg->key);
+    if (ret) goto done;
+    DEBUG(SSSDBG_CONF_SETTINGS, "key: %s\n", cfg->key);
+
     ret = confdb_get_string_as_list(pctx->cdb, cfg, secreq->cfg_section,
                                     "forward_headers", &cfg->fwd_headers);
     if ((ret != 0) && (ret != ENOENT)) goto done;
@@ -385,6 +424,22 @@ static errno_t proxy_http_create_request(TALLOC_CTX *mem_ctx,
         goto done;
     }
 
+    /* Set TLS settings to verify peer.
+     * This has no effect for HTTP protocol so we can set it anyway. */
+    ret = tcurl_req_verify_peer(tcurl_req, pcfg->capath, pcfg->cacert,
+                                pcfg->verify_peer, pcfg->verify_host);
+    if (ret != EOK) {
+        goto done;
+    }
+
+    /* Set client's certificate if required. */
+    if (pcfg->cert != NULL) {
+        ret = tcurl_req_set_client_cert(tcurl_req, pcfg->cert, pcfg->key);
+        if (ret != EOK) {
+            goto done;
+        }
+    }
+
     talloc_steal(tcurl_req, body);
     *_tcurl_req = talloc_steal(mem_ctx, tcurl_req);
 
-- 
2.12.2