Merge pull request #77 from radekg/multiple-client-certs-fixes

everesio · web-flow · commit 4dfed54673f2 · 2020-12-25T12:10:08.000+01:00
Additional changes to the multiple client cert validation
diff --git a/cmd/kafka-proxy/server.go b/cmd/kafka-proxy/server.go
@@ -107,7 +107,7 @@ func initFlags() {
 	Server.Flags().StringSliceVar(&c.Proxy.TLS.ListenerCipherSuites, "proxy-listener-cipher-suites", []string{}, "List of supported cipher suites")
 	Server.Flags().StringSliceVar(&c.Proxy.TLS.ListenerCurvePreferences, "proxy-listener-curve-preferences", []string{}, "List of curve preferences")
 
-	Server.Flags().StringSliceVar(&c.Proxy.TLS.ClientCert.Subjects, "proxy-listener-tls-required-client-subject", []string{""}, "Required client certificate subject common name; example; s:/CN=[value]/C=[state]/C=[DE,PL] or r:/CN=[^val.{2}$]/C=[state]/C=[DE,PL]; check manual for more details")
+	Server.Flags().StringSliceVar(&c.Proxy.TLS.ClientCert.Subjects, "proxy-listener-tls-required-client-subject", []string{}, "Required client certificate subject common name; example; s:/CN=[value]/C=[state]/C=[DE,PL] or r:/CN=[^val.{2}$]/C=[state]/C=[DE,PL]; check manual for more details")
 
 	// local authentication plugin
 	Server.Flags().BoolVar(&c.Auth.Local.Enable, "auth-local-enable", false, "Enable local SASL/PLAIN authentication performed by listener - SASL handshake will not be passed to kafka brokers")
diff --git a/proxy/clientcertvalidate/parser.go b/proxy/clientcertvalidate/parser.go
@@ -6,6 +6,7 @@ import (
 	"os"
 	"regexp"
 	"sort"
+	"strings"
 	"unicode"
 )
 
@@ -23,7 +24,8 @@ type SubjectParser interface {
 
 // NewSubjectParser creates a new default subject parser.
 func NewSubjectParser(input string) SubjectParser {
-	runeInput := []rune(input)
+	// remove single quotes from around the string:
+	runeInput := []rune(strings.TrimPrefix(strings.TrimSuffix(input, "'"), "'"))
 	return &defaultSubjectParser{
 		input:  runeInput,
 		pos:    0,
@@ -119,20 +121,19 @@ func (p *defaultSubjectParser) Parse() (ParsedSubject, error) {
 			fieldPos := p.pos
 			field, err := p.readAlphaStringUntil('=')
 			if err != nil {
-				switch err {
-				case io.EOF:
+				if err == io.EOF {
 					// there was no key:
 					return output, &ParserUnexpectedInputError{
 						Expected: []rune("field"),
 						Found:    []rune("none"),
 						Position: fieldPos,
 					}
-				case os.ErrInvalid:
+				}
+				if err == os.ErrInvalid {
 					// there was no key:
 					return output, &ParserInvalidSubjectFieldError{ConsumedString: field}
-				default:
-					return output, &ParserUnexpectedError{Unexpected: err}
 				}
+				return output, &ParserUnexpectedError{Unexpected: err}
 			}
 
 			if _, ok := validSubjectFields[field]; !ok {
@@ -144,16 +145,14 @@ func (p *defaultSubjectParser) Parse() (ParsedSubject, error) {
 			// key has been consumed, value must be enclosed in [...]
 			nextRune, lookupErr = p.lookupOne()
 			if lookupErr != nil {
-				switch lookupErr {
-				case io.EOF:
+				if lookupErr == io.EOF {
 					return output, &ParserUnexpectedInputError{
 						Expected: []rune{'['},
 						Found:    []rune("none"),
 						Position: p.pos,
 					}
-				default:
-					return output, &ParserUnexpectedError{Unexpected: err}
 				}
+				return output, &ParserUnexpectedError{Unexpected: err}
 			}
 			if nextRune != '[' {
 				return output, &ParserUnexpectedInputError{
@@ -167,14 +166,13 @@ func (p *defaultSubjectParser) Parse() (ParsedSubject, error) {
 			valuePos := p.pos
 			values, err := p.readValues()
 			if err != nil {
-				switch err {
-				case io.EOF:
+				if err == io.EOF {
 					return output, &ParserValueInsufficientInputError{ValuePos: valuePos}
-				case errUnexpectedPattern:
+				}
+				if err == errUnexpectedPattern {
 					return output, fmt.Errorf("value starting at %d contains patterns but subject is type string", valuePos)
-				default:
-					return output, &ParserUnexpectedError{Unexpected: err}
 				}
+				return output, &ParserUnexpectedError{Unexpected: err}
 			}
 
 			regexpKVs := []*regexp.Regexp{}
