feat: add mTLS to CNS (#2751)

jackieluc · web-flow · commit de225e4d34f8 · 2024-06-07T22:26:49.000Z
* feat: add UseMTLS config

* feat: add mTLS auth for CNS

* test: add testdata for mTLS tests

* chore: add logs on TLS config retrieval

* lint: in tests

* refactor: use CNS logger, not ACN logger

* refactor: add guards to mtlsRootCAsFromCertificate and unit tests

* lint: fix lint errors

* test: include HTTP listener tests for when TLS/mTLS is enabled

* chore: add log for stopping the TLS listener

* test: add test helper to create certificates for testing instead of using hardcoded pem file

* test: assert non-TLS service has no TLSSettings

* test: refactor TestMtlsRootCAsFromCertificate to table-based tests

* refactor: pull listener addresses from listener and remove redundant struct field for tls address
diff --git a/cns/configuration/cns_config.json b/cns/configuration/cns_config.json
@@ -20,6 +20,7 @@
     "TLSPort": "10091",
     "TLSSubjectName": "",
     "UseHTTPS": false,
+    "UseMTLS": false,
     "WireserverIP": "168.63.129.16",
     "KeyVaultSettings": {
         "URL": "",
diff --git a/cns/configuration/configuration.go b/cns/configuration/configuration.go
@@ -55,6 +55,7 @@ type CNSConfig struct {
 	TLSSubjectName              string
 	TelemetrySettings           TelemetrySettings
 	UseHTTPS                    bool
+	UseMTLS                     bool
 	WatchPods                   bool `json:"-"`
 	WireserverIP                string
 }
diff --git a/cns/configuration/configuration_test.go b/cns/configuration/configuration_test.go
@@ -87,6 +87,7 @@ func TestReadConfigFromFile(t *testing.T) {
 					PopulateHomeAzCacheRetryIntervalSecs: 60,
 				},
 				UseHTTPS:     true,
+				UseMTLS:      true,
 				WireserverIP: "168.63.129.16",
 			},
 			wantErr: false,
diff --git a/cns/configuration/testdata/good.json b/cns/configuration/testdata/good.json
@@ -30,6 +30,7 @@
         "TelemetryBatchSizeBytes": 16384
     },
     "UseHTTPS": true,
+    "UseMTLS": true,
     "WireserverIP": "168.63.129.16",
     "AZRSettings": {
         "PopulateHomeAzCacheRetryIntervalSecs": 60
diff --git a/cns/service.go b/cns/service.go
@@ -6,6 +6,7 @@ package cns
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"net"
 	"net/http"
@@ -190,6 +191,18 @@ func getTLSConfigFromFile(tlsSettings localtls.TlsSettings) (*tls.Config, error)
 		},
 	}
 
+	if tlsSettings.UseMTLS {
+		rootCAs, err := mtlsRootCAsFromCertificate(&tlsCert)
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to get root CAs for configuring mTLS")
+		}
+		tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
+		tlsConfig.ClientCAs = rootCAs
+		tlsConfig.RootCAs = rootCAs
+	}
+
+	logger.Debugf("TLS configured successfully from file: %+v", tlsSettings)
+
 	return tlsConfig, nil
 }
 
@@ -224,9 +237,51 @@ func getTLSConfigFromKeyVault(tlsSettings localtls.TlsSettings, errChan chan<- e
 		},
 	}
 
+	if tlsSettings.UseMTLS {
+		tlsCert := cr.GetCertificate()
+		rootCAs, err := mtlsRootCAsFromCertificate(tlsCert)
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to get root CAs for configuring mTLS")
+		}
+		tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
+		tlsConfig.ClientCAs = rootCAs
+		tlsConfig.RootCAs = rootCAs
+	}
+
+	logger.Debugf("TLS configured successfully from KV: %+v", tlsSettings)
+
 	return &tlsConfig, nil
 }
 
+// Given a TLS cert, return the root CAs
+func mtlsRootCAsFromCertificate(tlsCert *tls.Certificate) (*x509.CertPool, error) {
+	switch {
+	case tlsCert == nil || len(tlsCert.Certificate) == 0:
+		return nil, errors.New("no certificate provided")
+	case len(tlsCert.Certificate) == 1:
+		certs := x509.NewCertPool()
+		cert, err := x509.ParseCertificate(tlsCert.Certificate[0])
+		if err != nil {
+			return nil, errors.Wrap(err, "parsing self signed cert")
+		}
+		certs.AddCert(cert)
+
+		return certs, nil
+	default:
+		certs := x509.NewCertPool()
+		// given a fullchain cert, we skip leaf cert at index 0 because
+		// we only want intermediate and root certs in the cert pool for mTLS
+		for _, certBytes := range tlsCert.Certificate[1:] {
+			cert, err := x509.ParseCertificate(certBytes)
+			if err != nil {
+				return nil, errors.Wrap(err, "parsing root certs")
+			}
+			certs.AddCert(cert)
+		}
+		return certs, nil
+	}
+}
+
 func (service *Service) StartListener(config *common.ServiceConfig) error {
 	log.Debugf("[Azure CNS] Going to start listener: %+v", config)
 
diff --git a/cns/service/main.go b/cns/service/main.go
@@ -786,6 +786,7 @@ func main() {
 				KeyVaultCertificateName:            cnsconfig.KeyVaultSettings.CertificateName,
 				MSIResourceID:                      cnsconfig.MSISettings.ResourceID,
 				KeyVaultCertificateRefreshInterval: time.Duration(cnsconfig.KeyVaultSettings.RefreshIntervalInHrs) * time.Hour,
+				UseMTLS:                            cnsconfig.UseMTLS,
 			}
 		}
 
diff --git a/cns/service_test.go b/cns/service_test.go
diff --git a/common/listener.go b/common/listener.go
diff --git a/server/tls/tlscertificate_retriever.go b/server/tls/tlscertificate_retriever.go

Original file line number	Diff line number	Diff line change
`@@ -55,6 +55,7 @@ type CNSConfig struct {`
`55`	`55`	`TLSSubjectName string`
`56`	`56`	`TelemetrySettings TelemetrySettings`
`57`	`57`	`UseHTTPS bool`
	`58`	`+ UseMTLS bool`
`58`	`59`	WatchPods bool `json:"-"`
`59`	`60`	`WireserverIP string`
`60`	`61`	`}`
Original file line number	Diff line number	Diff line change
`@@ -786,6 +786,7 @@ func main() {`
`786`	`786`	`KeyVaultCertificateName: cnsconfig.KeyVaultSettings.CertificateName,`
`787`	`787`	`MSIResourceID: cnsconfig.MSISettings.ResourceID,`
`788`	`788`	`KeyVaultCertificateRefreshInterval: time.Duration(cnsconfig.KeyVaultSettings.RefreshIntervalInHrs) * time.Hour,`
	`789`	`+ UseMTLS: cnsconfig.UseMTLS,`
`789`	`790`	`}`
`790`	`791`	`}`
`791`	`792`