
Improve tls client cert handling

* Improve nginx setup to transfer auth information to the fcgiwrap
 backend.
 * Add instructions for creating client certs for testing.
* Add debug output showing whether, and which, client cert was used when
   calling csaf_provider.go.
This commit is contained in:
Bernhard Reiter 2022-02-15 18:20:24 +01:00
parent a71f490999
commit 2905a30cc0
No known key found for this signature in database
GPG key ID: 2B7BA3BF9BC3A554
4 changed files with 98 additions and 16 deletions


@ -14,6 +14,7 @@ import (
"html/template"
"log"
"net/http"
"os"
"strings"
)
@ -69,15 +70,21 @@ func (c *controller) bind(pim *pathInfoMux) {
func (c *controller) auth(
fn func(http.ResponseWriter, *http.Request),
) func(http.ResponseWriter, *http.Request) {
if c.cfg.Password == nil {
return fn
}
return func(rw http.ResponseWriter, r *http.Request) {
hash := r.Header.Get("X-CSAF-PROVIDER-AUTH")
if !c.cfg.checkPassword(hash) {
log.Printf("SSL_CLIENT_VERIFY: %s\n", os.Getenv("SSL_CLIENT_VERIFY"))
if os.Getenv("SSL_CLIENT_VERIFY") == "SUCCESS" {
log.Printf("user: %s\n", os.Getenv("SSL_CLIENT_S_DN"))
log.Printf("ca: %s\n", os.Getenv("SSL_CLIENT_I_DN"))
} else if c.cfg.Password == nil {
log.Printf("No password set, declining access.")
http.Error(rw, http.StatusText(http.StatusForbidden), http.StatusForbidden)
return
} else {
hash := r.Header.Get("X-CSAF-PROVIDER-AUTH")
if !c.cfg.checkPassword(hash) {
http.Error(rw, http.StatusText(http.StatusForbidden), http.StatusForbidden)
return
}
}
fn(rw, r)
}
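Review bot: The new branch at `if os.Getenv("SSL_CLIENT_VERIFY") == "SUCCESS"` grants access to any certificate nginx accepted, with no comparison of the presented subject (`SSL_CLIENT_S_DN`) or issuer against a configured allowlist, so every holder of a certificate chaining to the trusted CA becomes an authorised caller and the password check is skipped for them; the added log lines are debug output and do not narrow that. The decision also rests on a process environment variable, so it is only as trustworthy as the `fastcgi_param` that populates it — a server block that forwards the parameter without `ssl_verify_client`, or a non-TLS listener reaching the same fcgiwrap backend, would presumably let the password path be bypassed — which deserves a comment on that line such as `// SSL_CLIENT_VERIFY is set by nginx from $ssl_client_verify; this assumes only TLS-terminating server blocks reach fcgiwrap and that every certificate accepted by the configured CA is authorised.` Consider dropping or gating the unconditional `log.Printf("SSL_CLIENT_VERIFY: ...")` once debugging is done, and logging the DNs with `%q` so empty values are visible. The closing brace of `auth` is not visible within these lines.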