Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve error handling for MutualTlsUser. #3

Merged
merged 1 commit into from
Jul 27, 2018
Merged

Improve error handling for MutualTlsUser. #3

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 12 additions & 15 deletions core/http/src/tls.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,25 +57,22 @@ pub struct MutualTlsUser {
impl MutualTlsUser {
pub fn new(peer_cert: Certificate) -> Option<MutualTlsUser> {
// Generate an x509 using the certificate provided
let x509 = X509::from_der(peer_cert.as_ref());
if x509.is_err() {
return None;
}
let x509 = x509.expect("Failed to generate X509.");
let x509 = match X509::from_der(peer_cert.as_ref()) {
Ok(val) => val,
Err(_) => return None
};

// Retrieve alt names and store them into a Vec<String>
let alt_names = x509.subject_alt_names();
if alt_names.is_none() {
return None;
}
let alt_names = alt_names.expect("Alt names for certificate do not exist.");
let alt_names = match x509.subject_alt_names() {
Some(val) => val,
None => return None
};
let mut common_names = Vec::new();
for name in alt_names {
let name = name.dnsname();
if name.is_none() {
return None;
}
let name = name.expect("Name does not exist.");
let name = match name.dnsname() {
Some(val) => val,
None => return None
};
common_names.push(format!("{}", name));
}

Expand Down
62 changes: 28 additions & 34 deletions core/lib/src/request/from_request.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -320,56 +320,50 @@ impl <'a, 'r> FromRequest<'a, 'r> for MutualTlsUser {

fn from_request(request: &'a Request<'r>) -> Outcome<Self, Self::Error> {
// Get peer's IP address
let ip_addr = request.client_ip();
if ip_addr.is_none() {
return Forward(());
}
let ip_addr = ip_addr.expect("Client's IP address could not be determined.");
let ip_addr = match request.client_ip() {
Some(val) => val,
None => return Forward(())
};

// Reverse DNS lookup the peer's IP address
let name = lookup_addr(&ip_addr);
if name.is_err() {
return Forward(());
}
let name = name.expect("Name of the client could not be determined.");
let name = match lookup_addr(&ip_addr) {
Ok(val) => val,
Err(_) => return Forward(())
};

// Change name to DNSNameRef
let name = Input::from(name.as_bytes());
let common_name = DNSNameRef::try_from_ascii(name);
if common_name.is_err() {
return Forward(());
}
let common_name = common_name.expect("Name of the client was not a valid DNS name.");
let common_name = match DNSNameRef::try_from_ascii(name) {
Ok(val) => val,
Err(_) => return Forward(())
};

// Get certificates the peer provided
let certs = request.get_peer_certificates();
if certs.is_none() {
return Forward(());
}
let certs = certs.expect("Client did not supply any certificates.");
let certs = match request.get_peer_certificates() {
Some(val) => val,
None => return Forward(())
};

// Iterate through the client certificates
let certs_copy = certs.clone();
for (index, cert) in certs_copy.iter().enumerate() {
let cert_input = Input::from(cert.as_ref());
let end_entity = EndEntityCert::from(cert_input);
if end_entity.is_err() {
return Forward(());
}
let end_entity = end_entity.expect("EndEntityCert could not be generated from certificate.");
let end_entity = match EndEntityCert::from(cert_input) {
Ok(val) => val,
Err(_) => return Forward(())
};

// Compare certificate is valid for DNS name
let verification = end_entity.verify_is_valid_for_dns_name(common_name);
if verification.is_err() {
return Forward(());
}
let _verification = match end_entity.verify_is_valid_for_dns_name(common_name) {
Ok(val) => val,
Err(_) => return Forward(())
};

// Parse certificate
let mtls_user = MutualTlsUser::new(certs[index].clone());
if mtls_user.is_none() {
return Forward(());
}
let mtls_user = mtls_user.expect("MutualTlsUser could not be generated from the certificate provided.");
let mtls_user = match MutualTlsUser::new(certs[index].clone()) {
Some(val) => val,
None => return Forward(())
};
return Success(mtls_user);
}
Forward(())
Expand Down