plugins/common/tls/config.go: Filter client certs by dns names

Signed-off-by: Josef Johansson <[email protected]>
influxdata · Oct 14, 2021 · b63d5dd · b63d5dd
1 parent 4321f8a
commit b63d5dd
Showing 1 changed file with 38 additions and 8 deletions.
diff --git a/plugins/common/tls/config.go b/plugins/common/tls/config.go
@@ -4,6 +4,7 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
+	"github.com/influxdata/telegraf/internal/choice"
 	"os"
 	"strings"
 )
@@ -24,12 +25,13 @@ type ClientConfig struct {
 
 // ServerConfig represents the standard server TLS config.
 type ServerConfig struct {
-	TLSCert           string   `toml:"tls_cert"`
-	TLSKey            string   `toml:"tls_key"`
-	TLSAllowedCACerts []string `toml:"tls_allowed_cacerts"`
-	TLSCipherSuites   []string `toml:"tls_cipher_suites"`
-	TLSMinVersion     string   `toml:"tls_min_version"`
-	TLSMaxVersion     string   `toml:"tls_max_version"`
+	TLSCert            string   `toml:"tls_cert"`
+	TLSKey             string   `toml:"tls_key"`
+	TLSAllowedCACerts  []string `toml:"tls_allowed_cacerts"`
+	TLSCipherSuites    []string `toml:"tls_cipher_suites"`
+	TLSMinVersion      string   `toml:"tls_min_version"`
+	TLSMaxVersion      string   `toml:"tls_max_version"`
+	TLSAllowedDNSNames []string `toml:"tls_allowed_dns_names"`
 }
 
 // TLSConfig returns a tls.Config, may be nil without error if TLS is not
@@ -141,6 +143,12 @@ func (c *ServerConfig) TLSConfig() (*tls.Config, error) {
 			"tls min version %q can't be greater than tls max version %q", tlsConfig.MinVersion, tlsConfig.MaxVersion)
 	}
 
+	// Since clientAuth is tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
+	// there must be certs to validate.
+	if len(c.TLSAllowedCACerts) > 0 && len(c.TLSAllowedDNSNames) > 0 {
+		tlsConfig.VerifyPeerCertificate = c.verifyPeerCertificate
+	}
+
 	return tlsConfig, nil
 }
 
@@ -152,8 +160,7 @@ func makeCertPool(certFiles []string) (*x509.CertPool, error) {
 			return nil, fmt.Errorf(
 				"could not read certificate %q: %v", certFile, err)
 		}
-		ok := pool.AppendCertsFromPEM(pem)
-		if !ok {
+		if !pool.AppendCertsFromPEM(pem) {
 			return nil, fmt.Errorf(
 				"could not parse any PEM certificates %q: %v", certFile, err)
 		}
@@ -172,3 +179,26 @@ func loadCertificate(config *tls.Config, certFile, keyFile string) error {
 	config.BuildNameToCertificate()
 	return nil
 }
+
+func (c *ServerConfig) verifyPeerCertificate(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+	// The certificate chain is client + intermediate + root.
+	// Let's review the client certificate.
+	cert, err := x509.ParseCertificate(rawCerts[0])
+	if err != nil {
+		return fmt.Errorf("could not validate peer certificate: %v", err)
+	}
+
+	allowed := false
+	for _, name := range cert.DNSNames {
+		if choice.Contains(name, c.TLSAllowedDNSNames) {
+			allowed = true
+		}
+	}
+
+	if !allowed {
+		return fmt.Errorf(
+			"peer certificate not in allowed DNS Name list: %v", cert.DNSNames)
+	}
+
+	return nil
+}