[THREESCALE-10156] Configure ssl_verify_client per product

CHANGELOG.md

@@ -31,6 +31,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 
 - Added the `APICAST_PROXY_BUFFER_SIZE` variable to allow configuration of the buffer size for handling response from the proxied servers. [PR #1473](https://github.com/3scale/APIcast/pull/1473), [THREESCALE-8410](https://issues.redhat.com/browse/THREESCALE-8410)
 
+- Added the `APICAST_HTTPS_VERIFY_CLIENT` variable to allow configuration of the `ssl_verify_client` directive. [PR #1491](https://github.com/3scale/APIcast/pull/1491) [THREESCALE-10156](https://issues.redhat.com/browse/THREESCALE-10156)
+
 ## [3.15.0] 2024-04-04
 
 ### Fixed

doc/parameters.md

@@ -402,6 +402,15 @@ Path to a file with the X.509 certificate secret key in the PEM format.
 Defines the maximum length of the client certificate chain.
 If this parameter has `1` as its value, it is possible to include an additional certificate in the client certificate chain. For example, root certificate authority.
 
+### `APICAST_HTTPS_VERIFY_CLIENT`
+
+**Default:** `optional_no_ca`
+**Values:**
+- `off`: Don't request client certificates and don't do client certificate verification.
+- `optional_no_ca`: Requests the client certificate, but does not fail the request when the client certificate is not signed by a trusted CA certificate.
+
+Enables verification of client certificates. The client certificates can be verified with TLS Client Certificate Validation policy
+
 ### `all_proxy`, `ALL_PROXY`
 
 **Default:** no value

gateway/http.d/apicast.conf.liquid

@@ -110,7 +110,7 @@ server {
     {{ "conf/server.key" | filesystem | first }}
   {%- endif %};
 
-  ssl_verify_client optional_no_ca;
+  ssl_verify_client {{ env.APICAST_HTTPS_VERIFY_CLIENT | default: "optional_no_ca" }};
   ssl_certificate_by_lua_block { require('apicast.executor'):ssl_certificate() }
   ssl_verify_depth {{ env.APICAST_HTTPS_VERIFY_DEPTH | default: 1 }};
   {%- endif %}

gateway/src/apicast/policy/tls_validation/README.md

@@ -5,3 +5,26 @@ This policy can validate TLS Client Certificate against a whitelist.
 Whitelist expects PEM formatted CA or Client certificates.
 It is not necessary to have the full certificate chain, just partial matches are allowed.
 For example you can add to the whitelist just leaf client certificates without the whole bundle with a CA certificate.
+
+## Configuration
+
+For this policy to work, APIcast need to be setup to listen for TLS connection.
+
+By default, client certificates are requested during the TLS handshake, however, APIcast will not verify the certificate or terminate the request unless a TLS Validation Policy is in the chain. In most cases, the client not presenting a client certificate will not affect a service that does not have TLS Validation policy configured. The only exception is when the service is used by a browser or front-end application, which will cause the browser to always prompt the end user to select a client certificate to send if they have ANY client certificates configured when browsing the service.
+
+To work around this, the environment variable `APICAST_HTTPS_VERIFY_CLIENT` can be set to `off` to instruct APIcast to request a client certificate ONLY when the policy is in the chain.
+
+NOTE: This policy is not compatible with `APICAST_PATH_ROUTING` or `APICAST_PATH_ROUTING_ONLY` when `APICAST_HTTPS_VERIFY_CLIENT` is set to `off`.
+
+## Example
+
+```
+{
+  "name": "apicast.policy.tls_validation",
+  "configuration": {
+    "whitelist": [
+      { "pem_certificate": ""-----BEGIN CERTIFICATE----- XXXXXX -----END CERTIFICATE-----"}
+    ]
+  }
+}
+```

gateway/src/apicast/policy/tls_validation/tls_validation.lua

@@ -4,6 +4,7 @@
 local _M = policy.new('tls_validation')
 local X509_STORE = require('resty.openssl.x509.store')
 local X509 = require('resty.openssl.x509')
+local ngx_ssl = require "ngx.ssl"
 
 local ipairs = ipairs
 local tostring = tostring
@@ -45,19 +46,40 @@
   return self
 end
 
+function _M:ssl_certificate()
+  -- Request client certificate
+  --
+  -- We don't validate the certificate during the handshake, thus set `depth` to 0 (default is 1)
+  -- value here in order to save CPU cycles
+  --
+  -- TODO:
+  -- provide ca_certs: See https://github.com/openresty/lua-resty-core/blob/master/lib/ngx/ssl.md#verify_client
+  -- handle verify_depth
+  --
+  return ngx_ssl.verify_client()
+end
+
 function _M:access()
   local cert = X509.parse_pem_cert(ngx.var.ssl_client_raw_cert)
+  if not cert then
+    ngx.status = self.error_status
+    ngx.say("No required TLS certificate was sent")
+    return ngx.exit(ngx.status)
+  end
+
   local store = self.x509_store
 
-  local ok, err = store:validate_cert(cert)
+  -- err is printed inside validate_cert method
+  -- so no need capture the err here
+  local ok, _ = store:validate_cert(cert)
 
   if not ok then
     ngx.status = self.error_status
-    ngx.say(err)
+    ngx.say("TLS certificate validation failed")
     return ngx.exit(ngx.status)
   end
 
-  return ok, err
+  return ok, nil
 end
 
 return _M

gateway/src/resty/openssl/x509/store.lua

@@ -1,6 +1,7 @@
 local base = require('resty.openssl.base')
 local X509_STORE_CTX = require('resty.openssl.x509.store.ctx')
 local ffi = require('ffi')
+local ffi_gc = ffi.gc
 
 ffi.cdef([[
 // https://www.openssl.org/docs/man1.1.0/crypto/X509_STORE_new.html
@@ -45,7 +46,7 @@ local function X509_VERIFY_PARAM(flags)
   -- https://www.openssl.org/docs/man1.1.0/crypto/X509_VERIFY_PARAM_get_depth.html#example
   ffi_assert(C.X509_VERIFY_PARAM_set_flags(verify_param, flags))
 
-  return ffi.gc(verify_param, C.X509_VERIFY_PARAM_free)
+  return ffi_gc(verify_param, C.X509_VERIFY_PARAM_free)
 end
 
 local _M = {}
@@ -73,9 +74,8 @@ end
 
 function _M.new()
   local store = ffi_assert(C.X509_STORE_new())
+  ffi_gc(store, C.X509_STORE_free)
 
-  -- @TODO cleanup here
-  -- ffi_gc(store, C.X509_STORE_free)
   -- enabling partial chains allows us to trust leaf certificates
   local verify_param = X509_VERIFY_PARAM(X509_V_FLAG_PARTIAL_CHAIN)
 

spec/policy/tls_validation/tls_validation_spec.lua

@@ -33,7 +33,7 @@ describe('tls_validation policy', function()
       policy:access()
 
       assert.stub(ngx.exit).was_called_with(400)
-      assert.stub(ngx.say).was_called_with('unable to get local issuer certificate')
+      assert.stub(ngx.say).was_called_with([[TLS certificate validation failed]])
     end)
 
     it('rejects certificates that are not valid yet', function()
@@ -43,7 +43,8 @@ describe('tls_validation policy', function()
 
       policy:access()
 
-      assert.stub(ngx.say).was_called_with('certificate is not yet valid')
+      assert.stub(ngx.exit).was_called_with(400)
+      assert.stub(ngx.say).was_called_with([[TLS certificate validation failed]])
     end)
 
     it('rejects certificates that are not longer valid', function()
@@ -53,7 +54,8 @@ describe('tls_validation policy', function()
 
       policy:access()
 
-      assert.stub(ngx.say).was_called_with([[certificate has expired]])
+      assert.stub(ngx.exit).was_called_with(400)
+      assert.stub(ngx.say).was_called_with([[TLS certificate validation failed]])
     end)
 
     it('accepts whitelisted certificate', function()

t/apicast-policy-tls_validation.t

@@ -119,7 +119,7 @@ proxy_pass https://$server_addr:$apicast_port/t;
 proxy_set_header Host test;
 log_by_lua_block { collectgarbage() }
 --- response_body
-unable to get local issuer certificate
+TLS certificate validation failed
 --- error_code: 400
 --- no_error_log
 [error]
@@ -154,7 +154,7 @@ proxy_pass https://$server_addr:$apicast_port/t;
 proxy_set_header Host test;
 log_by_lua_block { collectgarbage() }
 --- response_body
-Invalid certificate verification context
+No required TLS certificate was sent
 --- error_code: 400
 --- no_error_log
 [error]
@@ -201,3 +201,155 @@ GET /t HTTP/1.0
 --- no_error_log
 [error]
 --- user_files fixture=CA/files.pl eval
+
+
+
+=== TEST 6: TLS Client Certificate request client certificate when "APICAST_HTTPS_VERIFY_CLIENT: off"
+and the policy is in the chain
+--- configuration eval
+use JSON qw(to_json);
+use File::Slurp qw(read_file);
+
+to_json({
+  services => [{
+    proxy => {
+        hosts => ['test'],
+        policy_chain => [
+          { name => 'apicast.policy.tls_validation',
+            configuration => {
+              whitelist => [
+                { pem_certificate => CORE::join('', read_file('t/fixtures/CA/intermediate-ca.crt')) }
+              ]
+            }
+          },
+          { name => 'apicast.policy.echo' },
+        ]
+    }
+  }]
+});
+--- test env
+proxy_ssl_verify on;
+proxy_ssl_trusted_certificate $TEST_NGINX_SERVER_ROOT/html/ca.crt;
+proxy_ssl_certificate $TEST_NGINX_SERVER_ROOT/html/client.crt;
+proxy_ssl_certificate_key $TEST_NGINX_SERVER_ROOT/html/client.key;
+proxy_pass https://$server_addr:$apicast_port/t;
+proxy_set_header Host test;
+log_by_lua_block { collectgarbage() }
+--- response_body
+GET /t HTTP/1.0
+--- error_code: 200
+--- no_error_log
+[error]
+--- user_files fixture=CA/files.pl eval
+
+
+
+=== TEST 7: TLS Client Certificate request client certificate with path routing enabled
+--- env eval
+('APICAST_PATH_ROUTING' => '1')
+--- configuration eval
+use JSON qw(to_json);
+use File::Slurp qw(read_file);
+
+to_json({
+  services => [{
+    id => 2,
+    backend_version => 1,
+    proxy => {
+        hosts => ['test'],
+        policy_chain => [
+          { name => 'apicast.policy.tls_validation',
+            configuration => {
+              whitelist => [
+                { pem_certificate => CORE::join('', read_file('t/fixtures/CA/intermediate-ca.crt')) }
+              ]
+            }
+          },
+          { name => 'apicast.policy.echo' },
+        ]
+      }
+  }, {
+    id => 3,
+    backend_version => 1,
+    proxy => {
+        hosts => ['test'],
+        policy_chain => [
+          { name => 'apicast.policy.echo', configuration => { status => 404 }}
+        ]
+      }
+  }]
+});
+--- test env
+proxy_ssl_verify on;
+proxy_ssl_trusted_certificate $TEST_NGINX_SERVER_ROOT/html/ca.crt;
+proxy_ssl_certificate $TEST_NGINX_SERVER_ROOT/html/client.crt;
+proxy_ssl_certificate_key $TEST_NGINX_SERVER_ROOT/html/client.key;
+proxy_pass https://$server_addr:$apicast_port/t;
+proxy_set_header Host test;
+log_by_lua_block { collectgarbage() }
+--- response_body
+GET /t HTTP/1.0
+--- error_code: 200
+--- no_error_log
+[error]
+--- user_files fixture=CA/files.pl eval
+
+
+
+=== TEST 8: TLS Client Certificate request client certificate with "APICAST_HTTPS_VERIFY_CLIENT: off"
+and path routing enabled
+When path routing is enabled, APIcast will not able to select the correct service and build the
+corresponding policy chain during the TLS handshake. It will then fallback to the setting defined by
+`ssl_client_verify` and with `APICAST_HTTPS_VERIFY_CLIENT` is set to `off`, no client certificate will
+be requested.
+--- env eval
+(
+  'APICAST_PATH_ROUTING' => '1',
+  'APICAST_HTTPS_VERIFY_CLIENT' => 'off'
+)
+--- configuration eval
+use JSON qw(to_json);
+use File::Slurp qw(read_file);
+
+to_json({
+  services => [{
+    id => 2,
+    backend_version => 1,
+    proxy => {
+        hosts => ['test'],
+        policy_chain => [
+          { name => 'apicast.policy.tls_validation',
+            configuration => {
+              whitelist => [
+                { pem_certificate => CORE::join('', read_file('t/fixtures/CA/intermediate-ca.crt')) }
+              ]
+            }
+          },
+          { name => 'apicast.policy.echo' },
+        ]
+      }
+  }, {
+    id => 3,
+    backend_version => 1,
+    proxy => {
+        hosts => ['test'],
+        policy_chain => [
+          { name => 'apicast.policy.echo', configuration => { status => 404 }}
+        ]
+      }
+  }]
+});
+--- test env
+proxy_ssl_verify on;
+proxy_ssl_trusted_certificate $TEST_NGINX_SERVER_ROOT/html/ca.crt;
+proxy_ssl_certificate $TEST_NGINX_SERVER_ROOT/html/client.crt;
+proxy_ssl_certificate_key $TEST_NGINX_SERVER_ROOT/html/client.key;
+proxy_pass https://$server_addr:$apicast_port/t;
+proxy_set_header Host test;
+log_by_lua_block { collectgarbage() }
+--- response_body
+No required TLS certificate was sent
+--- error_code: 400
+--- no_error_log
+[error]
+--- user_files fixture=CA/files.pl eval