
Add XFCC request authorization support #22

Merged: 11 commits, Oct 31, 2024
Conversation

@tsaarni (Collaborator) commented Oct 25, 2024

This change introduces a new command-line parameter for ensuring that only authorized clients can send the XFCC header.

Authorization is configured by specifying the expected list of X509 subject names in the client certificate chain:

--spi-x509cert-lookup-envoy-cert-path-verify="[ [ <leaf-cert>, <intermediate-cert>, ... ], ... ]"

For example:

--spi-x509cert-lookup-envoy-cert-path-verify='[["CN=envoy, O=example.com", "CN=intermediate, O=example.com"]]'

This ensures that the XFCC header is accepted only from clients presenting a certificate chain that matches the specified subject names.

The configuration is provided as a JSON array of arrays. Multiple chains of subject names can be specified. Each inner array represents a certificate chain, where the first element is the subject name of the leaf certificate, followed by the intermediate certificates. The subject name of the root certificate is not included.

If the specified path has fewer subject names than the client certificate chain, the client chain is compared only up to the length of the specified path, and the remaining certificates are ignored during the authorization check.

Fixes #19
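To make the matching rule above concrete, here is an added Python model of the check. It is not the plugin's own code (the page shows no implementation, and the plugin is a Keycloak SPI, not Python): it parses the flag value, then compares a client chain's subject names against each configured path, leaf first, with the prefix semantics the description gives. Two things are assumptions rather than statements from the PR: a client chain shorter than a configured path is rejected, and subjects are compared as exact strings (how the plugin normalizes distinguished names is not stated here). The sample chains are constructed.

```python
import json


def parse_cert_path_verify(value: str) -> list[list[str]]:
    """Parse the JSON array-of-arrays given to
    --spi-x509cert-lookup-envoy-cert-path-verify and validate its shape.

    Each inner array is one accepted path: leaf subject first, then the
    intermediates, root omitted.  Raises ValueError on anything else so a
    mistyped flag fails loudly instead of silently authorizing nothing.
    """
    paths = json.loads(value)
    if not isinstance(paths, list) or not paths:
        raise ValueError("expected a non-empty JSON array of arrays")
    for path in paths:
        if (not isinstance(path, list) or not path
                or not all(isinstance(name, str) and name for name in path)):
            raise ValueError("each path must be a non-empty array of subject-name strings")
    return paths


def chain_matches_path(chain_subjects: list[str], path: list[str]) -> bool:
    """Compare the client chain (leaf first, root excluded) against one path.

    Per the PR description, a client chain longer than the path is compared
    only up to len(path); the remaining certificates are ignored.  A chain
    shorter than the path cannot satisfy it (assumption: the PR does not
    spell out this case).  Subjects are compared as exact strings
    (assumption: DN normalization is not described on the page).
    """
    if len(chain_subjects) < len(path):
        return False
    return chain_subjects[:len(path)] == path


def xfcc_sender_authorized(chain_subjects: list[str], paths: list[list[str]]) -> bool:
    """True if the peer that sent XFCC presented a chain matching any configured path.

    An empty chain (no client certificate at all) is never authorized.
    """
    if not chain_subjects:
        return False
    return any(chain_matches_path(chain_subjects, path) for path in paths)


if __name__ == "__main__":
    # Constructed inputs: the flag value from the PR description and two
    # hypothetical client chains (subject names only, leaf first).
    paths = parse_cert_path_verify(
        '[["CN=envoy, O=example.com", "CN=intermediate, O=example.com"]]'
    )
    envoy_chain = ["CN=envoy, O=example.com", "CN=intermediate, O=example.com"]
    other_chain = ["CN=some-app, O=example.com", "CN=intermediate, O=example.com"]
    print(xfcc_sender_authorized(envoy_chain, paths))  # True
    print(xfcc_sender_authorized(other_chain, paths))  # False
```

Note what the prefix rule implies: a leaf-only path such as `[["CN=envoy, O=example.com"]]` accepts any leaf with that subject under any intermediate, so when more than one CA is trusted by the TLS layer, include the intermediate in the path. The check compares names only; it relies on the TLS handshake having already validated the chain against the truststore and does not verify signatures itself.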

@tsaarni force-pushed the xfcc-authorization branch from 0a22818 to 307b5b1 (October 25, 2024 12:59)
@tsaarni (Collaborator, Author) commented Oct 28, 2024

In older Keycloak versions, when using --spi-x509cert-lookup-envoy-cert-path-verify=xyz, the kc.sh script did not quote the user-provided parameters before calling eval, which led to issues with parameters containing e.g. spaces and quotes. This was resolved by keycloak/keycloak#22585 in Keycloak 23.0.0.

For earlier versions, applying the following minimal patch to kc.sh will address the issue:

diff --git a/quarkus/dist/src/main/content/bin/kc.sh b/quarkus/dist/src/main/content/bin/kc.sh
old mode 100644
new mode 100755
index 80ed3e80e3..305641bb06
--- a/quarkus/dist/src/main/content/bin/kc.sh
+++ b/quarkus/dist/src/main/content/bin/kc.sh
@@ -48,6 +48,10 @@ DEBUG_SUSPEND="${DEBUG_SUSPEND:-n}"
CONFIG_ARGS=${CONFIG_ARGS:-""}
+esceval() {
+    printf '%s\n' "$1" | sed "s/'/'\\\\''/g; 1 s/^/'/; $ s/$/'/"
+}
+
while [ "$#" -gt 0 ]
do
     case "$1" in
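Review bot: esceval in this hunk leaves `$ ` and `$/` unescaped inside the double-quoted sed script and relies on the shell passing them through literally; bash does, but POSIX sh leaves the behaviour unspecified, so write the last expression as `\$ s/\$/'/` to make the intent explicit and keep kc.sh portable. Separately, the file header above changes kc.sh from mode 100644 to 100755, which is unrelated to the quoting fix and is better committed on its own so the fix stays minimal.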
@@ -67,7 +71,7 @@ do
             if [[ "$1" = "start-dev" ]]; then
               CONFIG_ARGS="$CONFIG_ARGS --profile=dev $1"
             else
-              CONFIG_ARGS="$CONFIG_ARGS $1"
+              CONFIG_ARGS="$CONFIG_ARGS $(esceval "$1")"
             fi
           else
             SERVER_OPTS="$SERVER_OPTS $1"
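Review bot: only the CONFIG_ARGS branch is escaped here; the `else` branch two lines below, `SERVER_OPTS="$SERVER_OPTS $1"`, still appends the raw argument, so if SERVER_OPTS is also re-parsed by eval it keeps the same quoting problem and should use `$(esceval "$1")` as well. The `start-dev` branch appends `$1` unquoted too; harmless there because the value is the literal `start-dev`, but wrapping it keeps the three branches consistent. Note also that `$(esceval "$1")` strips trailing newlines from the argument through command substitution, which is acceptable for command-line flags.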

This patch applies at least to Keycloak 22.
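To see the failure the comment describes, here is an added shell demonstration. It is neither Keycloak's kc.sh nor the plugin's code: it reuses the same single-quote escaping as the patch, takes the flag value from the PR description, and uses two constructed wrapper functions as stand-ins for the old and patched CONFIG_ARGS handling, each printing the argument count and first argument that eval produces.

```shell
#!/bin/sh
# Added example (not Keycloak's kc.sh, not the plugin's code): why an unquoted
# eval mangles a JSON-valued flag, and how single-quote escaping preserves it.

# Same approach as the kc.sh patch: wrap the value in single quotes, turning any
# embedded single quote into '\'' so it survives a round trip through eval.
# The sed '$' address and anchor are written as \$ here so they are literal
# regardless of which shell runs this.
esceval() {
    printf '%s\n' "$1" | sed "s/'/'\\\\''/g; 1s/^/'/; \$s/\$/'/"
}

# Constructed flag value, taken from the PR description: it contains spaces,
# commas and double quotes.
FLAG='--spi-x509cert-lookup-envoy-cert-path-verify=[["CN=envoy, O=example.com", "CN=intermediate, O=example.com"]]'

# Old kc.sh behaviour (stand-in): the argument is appended verbatim and later
# re-parsed by eval, so the shell strips the double quotes and word-splits at
# the unquoted space after the first comma.  Prints "<argc>:<first arg>".
old_config_args() {
    CONFIG_ARGS="$1"
    eval "set -- $CONFIG_ARGS"
    printf '%s\n' "$#:$1"
}

# Patched behaviour (stand-in): escape before appending, so eval hands the
# original value through as exactly one argument.
patched_config_args() {
    CONFIG_ARGS="$(esceval "$1")"
    eval "set -- $CONFIG_ARGS"
    printf '%s\n' "$#:$1"
}

old_config_args "$FLAG"
# 2:--spi-x509cert-lookup-envoy-cert-path-verify=[[CN=envoy, O=example.com,
patched_config_args "$FLAG"
# 1:--spi-x509cert-lookup-envoy-cert-path-verify=[["CN=envoy, O=example.com", "CN=intermediate, O=example.com"]]
```

Run it with sh or bash. The unquoted path both drops the double quotes and splits the value in two, so the plugin would receive truncated, invalid JSON; the escaped path delivers the value intact as a single argument.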

@tsaarni force-pushed the xfcc-authorization branch 3 times, most recently from cb59375 to d4bb3f8 (October 31, 2024 06:59)
@tsaarni force-pushed the xfcc-authorization branch from e01a866 to 29724dd (October 31, 2024 08:28)
@tsaarni merged commit d839ea7 into main Oct 31, 2024
3 checks passed
@tsaarni deleted the xfcc-authorization branch October 31, 2024 09:02
Linked issue: Feature request: support X509 clients inside the proxy perimeter