From 782d653e5906e788e572dc949b0f2d06bdf4fc41 Mon Sep 17 00:00:00 2001
From: Fadi Abbud
Date: Thu, 24 Mar 2022 16:46:47 +0100
Subject: [PATCH] Issuer documentation

* Documentation for the "issuer" option of the provider.
* More info of the format of the accepted file
* Print out the value of `SSL_CLIENT_I_DN` also when it is not match the issuer.
---
 cmd/csaf_provider/controller.go | 2 +-
 docs/client-certificate-setup.md | 1 +
 docs/provider-setup.md | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/cmd/csaf_provider/controller.go b/cmd/csaf_provider/controller.go
index 11330ee..54be92f 100644
--- a/cmd/csaf_provider/controller.go
+++ b/cmd/csaf_provider/controller.go
@@ -82,11 +82,11 @@ func (c *controller) auth(
 	verify := os.Getenv("SSL_CLIENT_VERIFY")
 	log.Printf("SSL_CLIENT_VERIFY: %s\n", verify)
+	log.Printf("ca: %s\n", os.Getenv("SSL_CLIENT_I_DN"))
 	switch {
 	case verify == "SUCCESS" && (c.cfg.Issuer == nil || *c.cfg.Issuer == os.Getenv("SSL_CLIENT_I_DN")):
 		log.Printf("user: %s\n", os.Getenv("SSL_CLIENT_S_DN"))
-		log.Printf("ca: %s\n", os.Getenv("SSL_CLIENT_I_DN"))
 	case c.cfg.Password == nil:
 		log.Println("No password set, declining access.")
 		http.Error(rw, http.StatusText(http.StatusForbidden), http.StatusForbidden)
diff --git a/docs/client-certificate-setup.md b/docs/client-certificate-setup.md
index a1219ca..3bbe8de 100644
--- a/docs/client-certificate-setup.md
+++ b/docs/client-certificate-setup.md
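Review bot: The added `log.Printf("ca: %s\n", os.Getenv("SSL_CLIENT_I_DN"))` now runs before `SSL_CLIENT_VERIFY` is checked, so the issuer DN of a client certificate that nginx did not verify is written into the log verbatim with `%s`; since that string comes from the peer's certificate, `%q` would quote it and neutralise embedded newlines or control characters that could otherwise fake extra log entries: `log.Printf("ca: %q", os.Getenv("SSL_CLIENT_I_DN"))`. Reading the variable once into a local, e.g. `issuerDN := os.Getenv("SSL_CLIENT_I_DN")`, and using it both in the log line and in the `case` comparison would also avoid the repeated lookup. Because the docs in this commit tell operators to copy the logged `ca:` value into `issuer = "..."`, the quoted form still shows the exact string they need. The enclosing `auth` method starts before and continues past this hunk.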
@@ -38,6 +38,7 @@ each which a single `if` that matches the `$ssl_client_i_dn` variable to CAs that you would want to allow for that location. If you want to restrict the access to the web-interface of the `csaf_provider` for only some TLS client certificates, the CA issuer of these certificates should be assigned to the `issuer` key in the `/user/lib/csaf/config.toml` file e.g. `issuer = "C=DE,O=CSAF Tools Development (internal),CN=Tester" `.
+To inspect the accepted format for this field you can check the value of the `ca:` in the nginx log file `/var/log/nginx/error.log`.
 Reload or restart nginx to apply the changes (e.g. `systemctl reload nginx` on Debian or Ubuntu.)
diff --git a/docs/provider-setup.md b/docs/provider-setup.md
index aa72a00..929e9ba 100644
--- a/docs/provider-setup.md
+++ b/docs/provider-setup.md
@@ -132,3 +132,4 @@ Provider has many config options described as following:
 - dynamic_provider_metadata: Take the publisher from the CSAF document. Default: `false`.
 - publisher: Set the publisher. Default: `{"category"= "vendor", "name"= "Example", "namespace"= "https://example.com"}`.
 - upload_limit: Set the upload limit size of the file. Default: `50 MiB`.
+ - issuer: The issuer of the CA, which if set, restricts the writing permission and the accessing to the web-interface to only the client certificates signed with this CA.