
Provide certificate-based authentication through middleware #39

Closed
tomkerkhove opened this issue Apr 27, 2019 · 1 comment
Labels: area:security (All issues related to security), feature (All issues related to new features), specs-required (All issues where the specifications are still being defined and implementation should be halted)
Milestone

Comments

@tomkerkhove
Contributor

Is your feature request related to a problem? Please describe.
Quite often we need to enforce tight security on an API where certificates are often used.

Describe the solution you'd like
A declarative way to configure client certificates that are allowed by using middleware which enforces this on all endpoints.

Additional context
This relates to #31 which will provide attribute-based decoration which will be very similar. Both of these should use the same shared core.

@tomkerkhove tomkerkhove added the feature (All issues related to new features) and specs-required (All issues where the specifications are still being defined and implementation should be halted) labels Apr 27, 2019
@tomkerkhove tomkerkhove added this to the v0.1 milestone Apr 27, 2019
@tomkerkhove tomkerkhove added the area:security (All issues related to security) label Apr 27, 2019
@tomkerkhove tomkerkhove changed the title from "Provide certificate-based authentication through attributes" to "Provide certificate-based authentication through middleware" Apr 27, 2019
@tomkerkhove tomkerkhove modified the milestones: v0.1, v0.2 May 10, 2019
stijnmoreels pushed a commit to stijnmoreels/arcus.webapi that referenced this issue May 26, 2019
One requires an easy way to allow only a certain number of client certificates on global and local level. This commit provides this way by using a global filter and a local attribute.

arcus-azure#31
arcus-azure#39
tomkerkhove pushed a commit that referenced this issue Jul 9, 2019
* FEAT: add certificate based authentication filter & attribute

One requires an easy way to allow only a certain number of client certificates on global and local level. This commit provides this way by using a global filter and a local attribute.

#31
#39

* TEST: certificate issuername and combined validation

* PR-ADD: use private class for the client certificate configuration

* TEST: correct subject/issuer name generation for self-signed certificate

* TEST: global certificate based authentication

* PR-SUG: extract inner-class in TestApiServer to configure the TLS client certificate

* PR-SUG: rename 'X509Validation' to 'X509ValidationRequirement'

* PR-STYLE: update the certificate authentication filter to pass-along multiple certificate requirements at once

* PR-TEST: certificate authentication with thumbprint testing

* PR-SUG: add logging via 'ILoggerFactory' given via HttpContext

* PR-SUG: use configuration keys i.o. actual values for setting certificate authentication

* PR-SUG: use 'ISecretProvider' as basis for configurable certificate property values

* PR-DOC: add docs for certificate authentication

* PR-DEL: remove the configuration keys addition in the TestApiServer

* PR-FIX: alter the guard predicate & message for the configuration keys

* Update docs/features/certificate-authentication.md

Co-Authored-By: Tom Kerkhove <kerkhove.tom@gmail.com>

* PR-DOC: move authentication mechanisms to '/features/auth'

* PR-SUG: rename 'IsAllowedCertificate' > 'IsCertificateAllowed'

* PR-SUG: provide way to configure each requirement via diff validation location

* PR-DOC: update docs with new certificate validation location setup

* PR-DOC: add line break in introduction text

* PR-DOC: remove '-authentication' of certificate auth. doc

* PR-SUG: restructure private methods in order to have less arguments

* PR-SUG: extract 'GetLoggerOrDefault' in authentication filter

* PR-SUG: extract 'GetLoggerOrDefault' in authentication filter

* PR-FIX: guard against mis-implementations of certificate locations

* PR-FIX: guard against miss-client.certificates

* PR-DOC: rename and document more the members with XML docs

* PR-FIX: rename with 'ExpectedValue' in location signature

* PR-SUG: use dedicated config object to set and retrieve the expected cert. values

* PR-ADD: reconsider guards on every public/internal member

* PR-DOC: update certificate authentication docs with new authentication config approach

* PR-DEL: remove vscode cache

* PR-FIX: make validation requirement internal

* PR-SUG: use 'if' statement instead of expression-based null-check

* PR-SUG: extract lambda function that switches between all certificate requirements

* PR-SUG: introduce textbook builder pattern

* PR-ADD: add remarks about registration of certificate validator

* PR-ADD: extra guard against invalid values in the validation location
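The following is an added example, not code from the Arcus WebAPI project or from the commits above. It sketches what the issue asks for and what the commit message describes: one shared validation core used both by a global filter (registered on every endpoint) and by a per-endpoint attribute, with the presented TLS client certificate matched on thumbprint, subject and/or issuer. All type and member names (CertificateRequirement, ClientCertificateValidator, CertificateAuthenticationFilter, CertificateAuthenticationAttribute) are hypothetical. It assumes an ASP.NET Core MVC host that has been configured to request the client certificate (for Kestrel, HttpsConnectionAdapterOptions.ClientCertificateMode); without that, Connection.ClientCertificate is null and every request is rejected.

```csharp
// Added example, not Arcus WebAPI code. All names below are hypothetical.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.Logging;

public enum CertificateProperty { Thumbprint, Subject, Issuer }

/// <summary>One expected value for one certificate property (hypothetical config object).</summary>
public sealed class CertificateRequirement
{
    public CertificateProperty Property { get; }
    public string ExpectedValue { get; }

    public CertificateRequirement(CertificateProperty property, string expectedValue)
    {
        if (string.IsNullOrWhiteSpace(expectedValue))
            throw new ArgumentException("Expected certificate value must be non-empty", nameof(expectedValue));
        Property = property;
        ExpectedValue = expectedValue;
    }
}

/// <summary>Pure validation logic, shared by the global filter and the attribute, testable without an HttpContext.</summary>
public static class ClientCertificateValidator
{
    public static bool IsCertificateAllowed(
        X509Certificate2 certificate,
        IReadOnlyCollection<CertificateRequirement> requirements,
        out string reason)
    {
        // Fail closed: no certificate, or nothing configured to check it against, is a rejection.
        if (certificate == null) { reason = "no client certificate presented"; return false; }
        if (requirements == null || requirements.Count == 0) { reason = "no certificate requirements configured"; return false; }

        DateTime now = DateTime.UtcNow;
        if (now < certificate.NotBefore.ToUniversalTime() || now > certificate.NotAfter.ToUniversalTime())
        { reason = "certificate is outside its validity period"; return false; }

        // Combined validation: every configured requirement must match, not just one of them.
        foreach (CertificateRequirement requirement in requirements)
        {
            string actual;
            StringComparison comparison = StringComparison.Ordinal; // distinguished names compared exactly
            switch (requirement.Property)
            {
                case CertificateProperty.Thumbprint:
                    actual = certificate.Thumbprint;               // hex digest, case does not matter
                    comparison = StringComparison.OrdinalIgnoreCase;
                    break;
                case CertificateProperty.Subject: actual = certificate.Subject; break;
                case CertificateProperty.Issuer:  actual = certificate.Issuer;  break;
                default: throw new ArgumentOutOfRangeException(nameof(requirements), "Unknown certificate property");
            }

            if (!string.Equals(actual, requirement.ExpectedValue, comparison))
            {
                reason = $"certificate {requirement.Property} does not match the expected value";
                return false;
            }
        }

        reason = null;
        return true;
    }
}

/// <summary>Add an instance to MvcOptions.Filters to enforce on all endpoints, or use the attribute below per endpoint.</summary>
public sealed class CertificateAuthenticationFilter : IAsyncAuthorizationFilter
{
    private readonly IReadOnlyCollection<CertificateRequirement> _requirements;

    public CertificateAuthenticationFilter(IReadOnlyCollection<CertificateRequirement> requirements)
    {
        _requirements = requirements ?? throw new ArgumentNullException(nameof(requirements));
    }

    public Task OnAuthorizationAsync(AuthorizationFilterContext context)
    {
        // Certificate presented during the TLS handshake; null when the client sent none.
        X509Certificate2 certificate = context.HttpContext.Connection.ClientCertificate;

        if (!ClientCertificateValidator.IsCertificateAllowed(certificate, _requirements, out string reason))
        {
            var loggerFactory = context.HttpContext.RequestServices.GetService(typeof(ILoggerFactory)) as ILoggerFactory;
            loggerFactory?.CreateLogger<CertificateAuthenticationFilter>()
                         .LogWarning("Client certificate rejected: {Reason}", reason);
            context.Result = new UnauthorizedResult(); // 401 without telling the caller which check failed
        }

        return Task.CompletedTask;
    }
}

/// <summary>[CertificateAuthentication] on a controller or action; the filter is resolved through DI.</summary>
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class CertificateAuthenticationAttribute : TypeFilterAttribute
{
    public CertificateAuthenticationAttribute() : base(typeof(CertificateAuthenticationFilter)) { }
}
```

Because the attribute derives from TypeFilterAttribute, the IReadOnlyCollection&lt;CertificateRequirement&gt; constructor argument has to be registered in the service container (for example as a singleton built from configuration, which is where the commit's 'ISecretProvider'-backed values would come in). The filter only pins identity attributes of the certificate; building and checking the chain and revocation status is left to the TLS layer or an explicit X509Chain check, which this example does not perform.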
@tomkerkhove
Contributor Author

Closed via #43
