path: root/vespalib/src/tests/net
Commit message (Author, Age; Files, Lines)
* Unify to_string for PeerCredentials to match other types (Tor Brede Vekterli, 2022-08-29; 1 file, -2/+2)
* Add capabilities and RPC filters for sentinel and internal Proton APIs (Tor Brede Vekterli, 2022-08-25; 1 file, -12/+16)
* Refactor Capability(Set) and add more testing (Tor Brede Vekterli, 2022-06-30; 1 file, -19/+63)
  Hide all nitty-gritty details of how capabilities map to internal bit set positions by making more of Capability private and only allowing CapabilitySet to see how the sausages are made. Move all bit set functionality to CapabilitySet, where it really belongs.
* Support mTLS connection-level capabilities and RPC access filtering in C++ (Tor Brede Vekterli, 2022-06-29; 5 files, -69/+293)
  Adds the following:
  * Named capabilities and capability sets that represent (respectively) a single Vespa access API (such as Document API, search API etc) or a concrete subset of individual capabilities that make up a particular Vespa service (such as a content node).
  * A new `capabilities` array field to the mTLS authorization policies that allows for constraining what requests sent over a particular connection are allowed to actually do. Capabilities are referenced by name and may include any combination of capability sets and individual capabilities. If multiple capabilities/sets are configured, the resulting set of capabilities is the union set of all of them.
  * An FRT RPC-level access filter that can be set up as part of RPC method definitions. If set, filters are invoked prior to RPC methods.
  * A new `PERMISSION_DENIED` error code to FRT RPC that is invoked if an access filter denies a request.
  This also GCs the unused `AssumedRoles` concept which is now deprecated in favor of capabilities.
  Note: this is **not yet** a public or stable API, and capability names/semantics may change at any time.
* Rename AuthorizationResult to VerificationResult (Tor Brede Vekterli, 2022-04-28; 2 files, -15/+15)
* Add more unit tests (Tor Brede Vekterli, 2022-04-26; 1 file, -0/+58)
* Initial foundations for C++ mTLS peer authz role constraints (Tor Brede Vekterli, 2022-04-26; 2 files, -15/+83)
  Exposes the following information via the OpenSSL-backed CryptoCodec:
  * Credentials retrieved from authenticated peer certificate.
  * Union set of assumed roles from all peer authorization rules that matched the peer certificate.
  Note that this does not add parsing of any mTLS config file role fields, nor any FNET/FRT wiring required for RPC requests to be associated with a particular peer authz context. Syntax and semantics etc still pending.
* Remove inlining warnings (vespalib). (Tor Egge, 2022-02-26; 1 file, -0/+3)
* Support glob-style credential matching of SAN_URI certificate fields (Tor Brede Vekterli, 2021-12-09; 1 file, -31/+93)
  This is much like the DNS_SAN matching, but with two major differences:
  * Implicit delimiting around `/` characters instead of `.` characters.
  * Only wildcard `*` globbing is supported. `?` may be present in a valid URI and is matched as a literal character instead of _any_ single char.
* expose fallback host if you ask nicely (Håvard Pettersen, 2021-10-21; 1 file, -6/+8)
* Update 2018 copyright notices. (gjoranv, 2021-10-07; 16 files, -16/+16)
* Update 2017 copyright notices. (gjoranv, 2021-10-07; 12 files, -12/+12)
* use size literals in vespalib (Arne Juul, 2021-02-15; 2 files, -6/+8)
* Use vespalib::duration for timeouts (Henning Baldersheim, 2021-01-31; 7 files, -4/+8)
* Only handle wakeup if necessary. (Henning Baldersheim, 2020-12-05; 1 file, -1/+6)
* Add basic exact matching support for X509 URI SANs (Tor Brede Vekterli, 2020-11-10; 3 files, -15/+53)
  Adds extraction of X509 URI peer credentials during the handshake process as well as a new SAN_URI field to the transport security options peer policy section.
  This implementation is NOT conformant with RFC 2459 since we don't currently support case insensitive matching of scheme, host etc., but it's good enough for our purposes for now.
* - GC the last usages of vespalib::Lock. (Henning Baldersheim, 2020-10-08; 1 file, -1/+0)
  - Now it is only vespalib::Monitor left
* Add noexcept as indicated by -Wnoexcept (Henning Baldersheim, 2020-10-07; 1 file, -2/+2)
* Use Google RE2 as underlying regex engine (Tor Brede Vekterli, 2020-03-04; 1 file, -3/+0)
  This introduces guaranteed upper bounds for memory usage and CPU time during regex evaluation. Most importantly, it removes the danger of catastrophic backtracking that is currently present in GCC's std::regex implementation.
  With this commit, RE2 will be used instead of std::regex for:
  * Document selection regex/glob operators
  * Attribute regex search
  * Evaluation of mTLS authorization rules
* Move crypto utility code out into vespalib and use for test credentials (Tor Brede Vekterli, 2020-02-20; 5 files, -478/+4)
  Currently offers only the following functionality:
  * Generate P-256 EC private keys and export to PEM
  * Generate X509 certificates and export to PEM
  Instead of using hardcoded private key/certs for unit tests, use crypto utility code to generate new credentials once per test process. Since these certs now use a SAN of `localhost` it also means we no longer need to disable hostname validation for networked unit tests.
* Implement TLS client SNI and hostname validation in OpenSSL codec (Tor Brede Vekterli, 2020-02-17; 2 files, -32/+163)
  Also adds `disable-hostname-validation` config entry to TLS JSON config file parsing in C++. For the time being, hostname validation is implicitly disabled unless explicitly specified in the config file. This will be gradually changed over to be implicitly enabled by default.
  SNI is always sent when a valid connection spec is provided.
* extend crypto engine api (Håvard Pettersen, 2020-02-13; 3 files, -8/+18)
  send spec for client connections to enable SNI as well as server name verification
* Disable linux specific socket tests on non-linux platform. (Tor Egge, 2020-02-12; 1 file, -8/+10)
* avoid blocking accept calls (Håvard Pettersen, 2019-09-30; 1 file, -0/+9)
  this is to increase portability to platforms not implementing the close-convention for (server) sockets. also set all accepted sockets to blocking mode to avoid issues related to maybe inheriting this setting from the server socket.
* Propagate peer address for TLS codec/context and print on error (Tor Brede Vekterli, 2019-07-16; 1 file, -1/+1)
  Buffer emitted log messages on the peer's IP address to avoid log flooding in the case of a misbehaving client that keeps sending bogus requests.
* Use utility function to create nonblocking socketpair. (Tor Egge, 2019-03-20; 2 files, -2/+4)
* Perform basic epoll emulation on Darwin. (Tor Egge, 2019-03-15; 1 file, -2/+2)
* async tls handshake work (Håvard Pettersen, 2019-02-21; 1 file, -0/+2)
* Enable deferred handshake work in OpenSSL codec implementation (Tor Brede Vekterli, 2019-02-20; 1 file, -4/+30)
  Separates handshaking into lightweight `handshake()` and potentially CPU-heavy `do_handshake_work()` functions. Intended to enable asynchronous processing of handshake work in separate threads further down the line.
* Eliminate clang warning in vespalib (Tor Egge, 2019-02-06; 1 file, -2/+2)
* Add support for default cipher suite and `accepted-ciphers` config in C++ (Tor Brede Vekterli, 2019-01-24; 1 file, -0/+18)
  Since the TLS config file uses IANA cipher names but OpenSSL uses its own cipher spec format internally, we explicitly remap the provided names. We only support a modern subset of ciphers.
  The default cipher suite contains ciphers that work across both TLSv1.2 and TLSv1.3.
* Allow a client connection to be considered established in test (Tor Brede Vekterli, 2019-01-21; 1 file, -1/+2)
  TLSv1.3 completes in fewer roundtrips and may therefore seemingly not observe that a server has rejected it as part of the handshake itself.
* Add TLS statistics to vespalib and expose as metrics via storageserver (Tor Brede Vekterli, 2018-12-18; 2 files, -8/+46)
  Now without unused expiry time extraction.
* Revert "Add TLS statistics to vespalib and expose as metrics via storageserver" (Harald Musum, 2018-12-18; 2 files, -46/+8)
* Add TLS statistics to vespalib and expose as metrics via storageserver (Tor Brede Vekterli, 2018-12-17; 2 files, -8/+46)
  Also add functionality for extracting "notAfter" expiration time from current certificate, which may later be added as an expiry metric.
* Add support for authorization mode environment variable in C++ (Tor Brede Vekterli, 2018-12-10; 2 files, -7/+58)
* Introduce extra mutex to avoid need for unlock guard (Tor Brede Vekterli, 2018-12-10; 1 file, -0/+42)
  Also add instructions on how to regenerate keys/certs for tests.
* Support auto-reloading of TLS config in C++ implementation (Tor Brede Vekterli, 2018-12-03; 6 files, -0/+129)
  By default reloads every 60 minutes. This also reloads all peer authorization rules. Files referenced by the TLS config are reloaded transitively.
  If reloading fails a warning will be logged and the existing config will continue to be in effect until the next reload time.
* Rename `allowed-peers` to `authorized-peers` (Tor Brede Vekterli, 2018-11-20; 3 files, -74/+74)
* Correct test name (Tor Brede Vekterli, 2018-11-13; 1 file, -1/+1)
* Add support for basic certificate verification policies in C++ (Tor Brede Vekterli, 2018-11-08; 4 files, -4/+339)
  Extends TLS config JSON file with an `allowed-peers` object, which if non-empty specifies a set of policies that a peer may match. If at least one policy exists a peer must match all requirements in any single policy to be allowed to connect. I.e. it's sufficient to match 1 policy out of many.
* half_close for sync crypto sockets (Håvard Pettersen, 2018-10-19; 1 file, -0/+27)
* half_close for crypto sockets (Håvard Pettersen, 2018-10-19; 1 file, -1/+54)
* Add support for half-close to `CryptoCodec` and OpenSSL implementation (Tor Brede Vekterli, 2018-10-18; 1 file, -7/+64)
* Add support for custom certificate verification callbacks (Tor Brede Vekterli, 2018-10-15; 4 files, -7/+642)
  Specified as part of `TransportSecurityOptions` and will default to a callback accepting all pre-verified certificates if not given. Callback is provided with certificate subject Common Name and DNS Subject Alternate Name entries.
* added sync crypto socket with test (Håvard Pettersen, 2018-10-09; 2 files, -0/+118)
* added simple test for various crypto sockets (Håvard Pettersen, 2018-10-09; 2 files, -0/+198)
* added SingleFdSelector utility (Håvard Pettersen, 2018-10-09; 1 file, -0/+49)
* Improve OpenSSL codec tests and error detection for X509 PEM parsing (Tor Brede Vekterli, 2018-09-27; 1 file, -63/+245)
  Also support creating non-authenticated clients in case the codec will be used for non-RPC purposes at some point.
* Address code review feedback (Tor Brede Vekterli, 2018-09-25; 1 file, -3/+18)