Feature frontend cleartext

fleetspeak/src/server/components/components.go

@@ -56,8 +56,18 @@
 		return nil, errors.New("mysql_data_source_name is required")
 	}
 	hcfg := cfg.HttpsConfig
-	if hcfg != nil && (hcfg.ListenAddress == "" || hcfg.Certificates == "" || hcfg.Key == "") {
-		return nil, errors.New("https_config requires listen_address, certificates and key")
+	if hcfg != nil {
+		switch {
+		case hcfg.GetFrontendConfig().GetCleartextHeaderConfig() != nil,
+		     hcfg.GetFrontendConfig().GetCleartextHeaderChecksumConfig() != nil:
+			if hcfg.ListenAddress == "" {
+				return nil, errors.New("http_config requires listen_address")
+			}
+		default:
+			if (hcfg.ListenAddress == "" || hcfg.Certificates == "" || hcfg.Key == "") {
+				return nil, errors.New("https_config requires listen_address, certificates and key")
+			}
+		}
 	}
 
 	acfg := cfg.AdminConfig
@@ -92,7 +102,7 @@
 			return nil, fmt.Errorf("failed to listen on [%v]: %v", cfg.HttpsConfig.ListenAddress, err)
 		}
 		if cfg.ProxyProtocol {
 			l = &chttps.ProxyListener{l}
 		}
 		comm, err = https.NewCommunicator(https.Params{
 			Listener:       l,

fleetspeak/src/server/components/proto/fleetspeak_components/config.proto

@@ -101,6 +101,43 @@ message HttpsHeaderChecksumConfig {
   string client_certificate_checksum_header = 2;
 }
 
+// In this mode Fleetspeak runs in clear text (HTTP). This allows for
+// Fleetspeak to be deployed in a Service Mesh behind a side car proxy that
+// offers a secure communications channel.
+// Fleetspeak accepts a TLS connection from an intermediate actor which
+// terminates the TLS protocol (typically a layer 7 load balancer).
+// The intermediate actor passes the client certificate it receives from the
+// original TLS connection to the frontend via an HTTP header.
+// The Fleetspeak frontend uses the certificate passed in this header to
+// identify the client.
+message CleartextHeaderConfig {
+  // The name of the HTTP header set by the intermediary that contains the
+  // forwarded client certificate. Required.
+  string client_certificate_header = 1;
+}
+
+// In this mode Fleetspeak runs in clear text (HTTP). This allows for
+// Fleetspeak to be deployed in a Service Mesh behind a side car proxy that
+// offers a secure communications channel.
+// Fleetspeak accepts a TLS connection from an intermediate actor which
+// terminates the TLS protocol (typically a layer 7 load balancer).
+// The original client passes the certificate it uses for the TLS protocol to
+// the frontend via an HTTP header.
+// The intermediate actor passes a SHA256 checksum of client certificate it
+// receives from the original TLS connection to the frontend via a second HTTP
+// header.
+// The Fleetspeak frontend uses the certificate passed passed from the client
+// to identify it, and uses the hash from the intermediate actor to verify that
+// this certificate was in fact used in the original TLS connection.
+message CleartextHeaderChecksumConfig {
+  // The name of the HTTP header set by the client that contains the original
+  // client certificate. Required.
+  string client_certificate_header = 1;
+  // The name of the HTTP header set by the intermediary that contains the
+  // client certificate checksum. Required.
+  string client_certificate_checksum_header = 2;
+}
+
 // The frontend config determines how the Fleetspeak frontend communicates with
 // clients and how it identifies them.
 message FrontendConfig {
@@ -113,6 +150,8 @@ message FrontendConfig {
     MTlsConfig mtls_config = 7;
     HttpsHeaderConfig https_header_config = 8;
     HttpsHeaderChecksumConfig https_header_checksum_config = 9;
+    CleartextHeaderConfig cleartext_header_config = 10;
+    CleartextHeaderChecksumConfig cleartext_header_checksum_config = 11;
   }
 }
 
@@ -124,11 +163,13 @@ message HttpsConfig {
   string listen_address = 1;
 
   // A certificate chain which identifies the server to clients. Must lead to a
-  // certificate known to the clients. x509 format. Required.
+  // certificate known to the clients. x509 format. Required, if frontend mode is
+  // not cleartext (ie neither CleartextHeaderConfig nor CleartextHeaderChecksumConfig)
   string certificates = 2;
 
   // The private key used to identify the server. Must match the first entry in
-  // certificates. x509 format. Required.
+  // certificates. x509 format. Required, if frontend mode is not cleartext
+  // (ie neither CleartextHeaderConfig nor CleartextHeaderChecksumConfig)
   string key = 3;
 
   // If set, disables long running (streaming) connections. This type of

fleetspeak/src/server/https/client_certificate.go

@@ -26,8 +26,21 @@ func GetClientCert(req *http.Request, frontendConfig *cpb.FrontendConfig) (*x509
 	switch {
 	case frontendConfig.GetMtlsConfig() != nil:
 		return getCertFromTLS(req)
+	case frontendConfig.GetCleartextHeaderConfig() != nil:
+		return getCertFromHeader(frontendConfig.GetCleartextHeaderConfig().GetClientCertificateHeader(), req.Header)
 	case frontendConfig.GetHttpsHeaderConfig() != nil:
 		return getCertFromHeader(frontendConfig.GetHttpsHeaderConfig().GetClientCertificateHeader(), req.Header)
+	case frontendConfig.GetCleartextHeaderChecksumConfig() != nil:
+		cert, err := getCertFromHeader(frontendConfig.GetCleartextHeaderChecksumConfig().GetClientCertificateHeader(), req.Header)
+		if err != nil {
+			return nil, err
+		}
+		err = verifyCertSha256Checksum(req.Header.Get(frontendConfig.GetCleartextHeaderChecksumConfig().GetClientCertificateHeader()),
+			req.Header.Get(frontendConfig.GetCleartextHeaderChecksumConfig().GetClientCertificateChecksumHeader()))
+		if err != nil {
+			return nil, err
+		}
+		return cert, nil
 	case frontendConfig.GetHttpsHeaderChecksumConfig() != nil:
 		cert, err := getCertFromHeader(frontendConfig.GetHttpsHeaderChecksumConfig().GetClientCertificateHeader(), req.Header)
 		if err != nil {

fleetspeak/src/server/https/client_certificate_test.go

@@ -49,7 +49,7 @@
 
 	sha256Binary, err := hex.DecodeString(sha256HexStr)
 	if err != nil {
 		fmt.Sprintf("error decoding hexdump: %v\n", err)
 		return ""
 	}
 
@@ -61,7 +61,7 @@
 	return base64EncodedStr
 }
 
-func makeTestClient(t *testing.T) (common.ClientID, *http.Client, []byte, string) {
+func makeTestClient(t *testing.T, clearText bool) (common.ClientID, *http.Client, []byte, string) {
 	serverCert, _, err := comtesting.ServerCert()
 	if err != nil {
 		t.Fatal(err)
@@ -104,20 +104,30 @@
 		t.Fatal(err)
 	}
 
-	cl := http.Client{
-		Transport: &http.Transport{
-			TLSClientConfig: &tls.Config{
-				RootCAs:            cp,
-				Certificates:       []tls.Certificate{clientCert},
-				InsecureSkipVerify: true,
-			},
+	httpTransport := http.Transport{
+		TLSClientConfig: &tls.Config{
+			RootCAs:            cp,
+			Certificates:       []tls.Certificate{clientCert},
+			InsecureSkipVerify: true,
+		},
+		Dial: (&net.Dialer{
+			Timeout:   30 * time.Second,
+			KeepAlive: 30 * time.Second,
+		}).Dial,
+		TLSHandshakeTimeout:   10 * time.Second,
+		ExpectContinueTimeout: 1 * time.Second,
+	}
+	if clearText {
+		httpTransport = http.Transport{
 			Dial: (&net.Dialer{
 				Timeout:   30 * time.Second,
 				KeepAlive: 30 * time.Second,
 			}).Dial,
-			TLSHandshakeTimeout:   10 * time.Second,
 			ExpectContinueTimeout: 1 * time.Second,
-		},
+		}
+	}
+	cl := http.Client{
+		Transport: &httpTransport,
 	}
 	return id, &cl, bc, clientCertChecksum
 }
@@ -163,7 +173,7 @@
 		ts.StartTLS()
 		defer ts.Close()
 
-		_, client, _, _ := makeTestClient(t)
+		_, client, _, _ := makeTestClient(t, false)
 
 		res, err := client.Get(ts.URL)
 		if err != nil {
@@ -205,7 +215,7 @@
 	ts.StartTLS()
 	defer ts.Close()
 
-	_, client, bc, _ := makeTestClient(t)
+	_, client, bc, _ := makeTestClient(t, false)
 
 	clientCert := url.PathEscape(string(bc))
 	req, err := http.NewRequest(http.MethodGet, ts.URL, nil)
@@ -255,7 +265,100 @@
 	ts.StartTLS()
 	defer ts.Close()
 
-	_, client, bc, clientCertChecksum := makeTestClient(t)
+	_, client, bc, clientCertChecksum := makeTestClient(t, false)
+
+	clientCert := url.PathEscape(string(bc))
+	req, err := http.NewRequest(http.MethodGet, ts.URL, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	req.Header.Set(clientCertHeader, clientCert)
+	req.Header.Set(clientCertChecksumHeader, clientCertChecksum)
+
+	res, err := client.Do(req)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer res.Body.Close()
+	_, err = io.ReadAll(res.Body)
+	res.Body.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestFrontendMode_HEADER_CLEARTEXT(t *testing.T) {
+	clientCertHeader := "ssl-client-cert"
+	frontendConfig := &cpb.FrontendConfig{
+		FrontendMode: &cpb.FrontendConfig_CleartextHeaderConfig{
+			CleartextHeaderConfig: &cpb.CleartextHeaderConfig{
+				ClientCertificateHeader: clientCertHeader,
+			},
+		},
+	}
+	ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		// test the valid frontend mode combination of receiving the client cert in the header
+		cert, err := GetClientCert(req, frontendConfig)
+		if err != nil {
+			t.Fatal(err)
+		}
+		// make sure we received the client cert in the header
+		if cert == nil {
+			t.Error("Expected client certificate but received none")
+		}
+		fmt.Fprintln(w, "Testing Frontend Mode: HEADER_HEADER")
+	}))
+	ts.Start()
+	defer ts.Close()
+
+	_, client, bc, _:= makeTestClient(t, false)
+
+	clientCert := url.PathEscape(string(bc))
+	req, err := http.NewRequest(http.MethodGet, ts.URL, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	req.Header.Set(clientCertHeader, clientCert)
+
+	res, err := client.Do(req)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer res.Body.Close()
+	_, err = io.ReadAll(res.Body)
+	res.Body.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestFrontendMode_HEADER_CLEARTEXT_CHECKSUM(t *testing.T) {
+	clientCertHeader := "ssl-client-cert"
+	clientCertChecksumHeader := "ssl-client-cert-checksum"
+	frontendConfig := &cpb.FrontendConfig{
+		FrontendMode: &cpb.FrontendConfig_CleartextHeaderChecksumConfig{
+			CleartextHeaderChecksumConfig: &cpb.CleartextHeaderChecksumConfig{
+				ClientCertificateHeader:         clientCertHeader,
+				ClientCertificateChecksumHeader: clientCertChecksumHeader,
+			},
+		},
+	}
+	ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		// test the valid frontend mode combination of receiving the client cert in the header
+		cert, err := GetClientCert(req, frontendConfig)
+		if err != nil {
+			t.Fatal(err)
+		}
+		// make sure we received the client cert in the header
+		if cert == nil {
+			t.Error("Expected client certificate but received none")
+		}
+		fmt.Fprintln(w, "Testing Frontend Mode: HEADER_CHECKSUM")
+	}))
+	ts.Start()
+	defer ts.Close()
+
+	_, client, bc, clientCertChecksum := makeTestClient(t, true)
 
 	clientCert := url.PathEscape(string(bc))
 	req, err := http.NewRequest(http.MethodGet, ts.URL, nil)

fleetspeak/src/server/https/https.go

@@ -108,39 +108,43 @@ func NewCommunicator(p Params) (*Communicator, error) {
 	}
 
 	mux := http.NewServeMux()
-	c, err := tls.X509KeyPair(p.Cert, p.Key)
-	if err != nil {
-		return nil, err
-	}
 	h := Communicator{
 		p: p,
 		hs: http.Server{
 			Handler: mux,
-			TLSConfig: &tls.Config{
-				ClientAuth:   tls.RequestClientCert,
-				Certificates: []tls.Certificate{c},
-				CipherSuites: []uint16{
-					// We may as well allow only the strongest (as far as we can guess)
-					// ciphers. Note that TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is
-					// required by the https library.
-					tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-					tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-					tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-					tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
-				// Correctly implementing session tickets means sharing and rotating a
-				// secret key between servers, with implications if it leaks. Simply
-				// disable for the moment.
-				SessionTicketsDisabled: true,
-				MinVersion:             tls.VersionTLS12,
-				NextProtos:             []string{"h2"},
-			},
 			ReadTimeout:       20 * time.Minute,
 			ReadHeaderTimeout: 10 * time.Second,
 			WriteTimeout:      20 * time.Minute,
 			IdleTimeout:       30 * time.Second,
 		},
 		stopping: make(chan struct{}),
 	}
+
+	if p.FrontendConfig.GetCleartextHeaderConfig() == nil &&
+	   p.FrontendConfig.GetCleartextHeaderChecksumConfig() == nil {
+		c, err := tls.X509KeyPair(p.Cert, p.Key)
+		if err != nil {
+			return nil, err
+		}
+		h.hs.TLSConfig = &tls.Config{
+			ClientAuth:   tls.RequestClientCert,
+			Certificates: []tls.Certificate{c},
+			CipherSuites: []uint16{
+				// We may as well allow only the strongest (as far as we can guess)
+				// ciphers. Note that TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is
+				// required by the https library.
+				tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+				tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+				tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
+			// Correctly implementing session tickets means sharing and rotating a
+			// secret key between servers, with implications if it leaks. Simply
+			// disable for the moment.
+			SessionTicketsDisabled: true,
+			MinVersion:             tls.VersionTLS12,
+			NextProtos:             []string{"h2"},
+		}
+	}
 	mux.Handle("/message", messageServer{&h})
 	if p.Streaming {
 		mux.Handle("/streaming-message", newStreamingMessageServer(&h, p.MaxPerClientBatchProcessors))
@@ -171,8 +175,13 @@ func (c *Communicator) Setup(fs comms.Context) error {
 }
 
 func (c *Communicator) Start() error {
-	go c.serve(tls.NewListener(c.p.Listener, c.hs.TLSConfig))
-
+	switch {
+	case c.p.FrontendConfig.GetCleartextHeaderConfig() != nil,
+	     c.p.FrontendConfig.GetCleartextHeaderChecksumConfig() != nil:
+		go c.serve(c.p.Listener)
+	default:
+		go c.serve(tls.NewListener(c.p.Listener, c.hs.TLSConfig))
+	}
 	c.runningLock.Lock()
 	defer c.runningLock.Unlock()
 	c.running = true