zrhoffman commented on code in PR #7392:
URL: https://github.com/apache/trafficcontrol/pull/7392#discussion_r1175308347
##########
traffic_ops/traffic_ops_golang/login/login.go:
##########
@@ -108,135 +108,187 @@ Subject: {{.InstanceName}} Password Reset Request` +
"\r\n\r" + `
</html>
`))
+func clientCertAuthentication(w http.ResponseWriter, r *http.Request, db
*sqlx.DB, cfg config.Config, dbCtx context.Context, cancelTx
context.CancelFunc, form auth.PasswordForm, authenticated bool) bool {
+ // No certs provided by the client. Skip to form authentication
+ if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
+ return false
+ }
+
+ // If no configuration is set, skip to form auth
+ if cfg.ClientCertAuth == nil || len(cfg.ClientCertAuth.RootCertsDir) ==
0 {
+ return false
+ }
+
+ // Perform certificate verification to ensure it is valid against Root
CAs
+ err := auth.VerifyClientCertificate(r, cfg.ClientCertAuth.RootCertsDir)
+ if err != nil {
+ log.Warnf("client cert auth: error attempting to verify client
provided TLS certificate. err: %s\n", err)
+ return false
+ }
+
+ // Client provided a verified certificate. Extract UID value.
+ form.Username =
auth.ParseClientCertificateUID(r.TLS.PeerCertificates[0])
+ if len(form.Username) == 0 {
Review Comment:
Returning `(string, error)` from `ParseClientCertificateUID` and chacking
the error value there in d5fc5e3401
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
