Re: [PR] Update TO to handle Client-Cert-Subject HTTP header for client cert authentication. [trafficcontrol]

Thu, 30 May 2024 14:28:35 -0700 


ericholguin commented on code in PR #8013:
URL: https://github.com/apache/trafficcontrol/pull/8013#discussion_r1621442369


##########
traffic_ops/traffic_ops_golang/login/login.go:
##########
@@ -171,18 +183,27 @@ func LoginHandler(db *sqlx.DB, cfg config.Config) 
http.HandlerFunc {
                // Attempt to perform client certificate authentication. If 
fails, goto standard form auth. If the
                // certificate was verified, has a UID, and the UID matches an 
existing user we consider this to
                // be a successful login.
-               authenticated = clientCertAuthentication(w, r, db, cfg, dbCtx, 
cancelTx, &form, authenticated)
+               triedAuthentication, authenticated = 
clientCertAuthentication(w, r, db, cfg, dbCtx, cancelTx, &form, authenticated)
+
+               // skipped certificate-based auth, log and continue
+               if !triedAuthentication {
+                       log.Infof("skipped certificate-based auth because 
either no certs provided by the client or no configuration is set")

Review Comment:
   We should remove this otherwise it will fill up our logs every time someone 
tries to authenticate



##########
traffic_ops/traffic_ops_golang/login/login.go:
##########
@@ -171,18 +183,27 @@ func LoginHandler(db *sqlx.DB, cfg config.Config) 
http.HandlerFunc {
                // Attempt to perform client certificate authentication. If 
fails, goto standard form auth. If the
                // certificate was verified, has a UID, and the UID matches an 
existing user we consider this to
                // be a successful login.
-               authenticated = clientCertAuthentication(w, r, db, cfg, dbCtx, 
cancelTx, &form, authenticated)
+               triedAuthentication, authenticated = 
clientCertAuthentication(w, r, db, cfg, dbCtx, cancelTx, &form, authenticated)
+
+               // skipped certificate-based auth, log and continue
+               if !triedAuthentication {
+                       log.Infof("skipped certificate-based auth because 
either no certs provided by the client or no configuration is set")
+               }
 
                // Failed certificate-based auth, perform standard form auth
-               if !authenticated {
-                       log.Infof("user %s could not be successfully 
authenticated using client certificates", form.Username)
+               if triedAuthentication && !authenticated {

Review Comment:
   In the case that cert authentication isn't tried (triedAuthentication = 
false) the code will not enter this conditional, which means form auth wont 
work unless a user tries to authenticate with a certificate.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to