feat: multiple client CA.

Updates the policy server to allow loading multiple CA to validate the
certificate used by client in a mTLS scenario.

Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>

Author: jvanz

src/cli.rs

@@ -95,6 +95,7 @@ pub(crate) fn build_cli() -> Command {
 
         Arg::new("client-ca-file")
             .long("client-ca-file")
+            .value_delimiter(',')
             .value_name("CLIENT_CA_FILE")
             .env("KUBEWARDEN_CLIENT_CA_FILE")
             .help("Path to an CA certificate file that issued the client certificate. Required to enable mTLS"),

src/config.rs

@@ -54,7 +54,7 @@ pub struct Config {
 pub struct TlsConfig {
     pub cert_file: String,
     pub key_file: String,
-    pub client_ca_file: Option<String>,
+    pub client_ca_file: Vec<PathBuf>,
 }
 
 impl Config {
@@ -192,14 +192,20 @@ fn readiness_probe_bind_address(matches: &clap::ArgMatches) -> Result<SocketAddr
 fn build_tls_config(matches: &clap::ArgMatches) -> Result<Option<TlsConfig>> {
     let cert_file = matches.get_one::<String>("cert-file").cloned();
     let key_file = matches.get_one::<String>("key-file").cloned();
-    let client_ca_file = matches.get_one::<String>("client-ca-file").cloned();
+    let client_ca_file = matches.get_many::<String>("client-ca-file");
 
     match (cert_file, key_file, &client_ca_file) {
-        (Some(cert_file), Some(key_file), _) => Ok(Some(TlsConfig {
-            cert_file,
-            key_file,
-            client_ca_file,
-        })),
+        (Some(cert_file), Some(key_file), _) => {
+            let client_ca_file = client_ca_file
+                .unwrap_or_default()
+                .map(PathBuf::from)
+                .collect();
+            Ok(Some(TlsConfig {
+                cert_file,
+                key_file,
+                client_ca_file,
+            }))
+        }
         // No TLS configuration provided
         (None, None, None) => Ok(None),
         // Client CA certificate provided without server certificate and key

src/lib.rs

@@ -332,11 +332,19 @@ async fn build_tls_server_config(tls_config: &TlsConfig) -> Result<rustls::Serve
     let key = PrivateKeyDer::try_from(key_vec.pop().unwrap())
         .map_err(|e| anyhow!("Cannot parse server key: {e}"))?;
 
-    if let Some(client_ca_file) = tls_config.client_ca_file.clone() {
+    if tls_config.client_ca_file.is_empty() {
+        return Ok(ServerConfig::builder()
+            .with_no_client_auth()
+            .with_single_cert(cert, key)?);
+    }
+
+    let mut store = RootCertStore::empty();
+
+    //mTLS enabled
+    for client_ca_file in tls_config.client_ca_file.clone() {
         // we have the client CA. Therefore, we should enable mTLS.
         let client_ca_reader = &mut BufReader::new(File::open(client_ca_file)?);
 
-        let mut store = RootCertStore::empty();
         let client_ca_certs: Vec<_> = rustls_pemfile::certs(client_ca_reader)
             .filter_map(|it| {
                 if let Err(ref e) = it {
@@ -351,15 +359,10 @@ async fn build_tls_server_config(tls_config: &TlsConfig) -> Result<rustls::Serve
             client_ca_certs_ignored = cert_ignored,
             "Loaded client CA certificates"
         );
-        let client_verifier = WebPkiClientVerifier::builder(Arc::new(store)).build()?;
-
-        return Ok(ServerConfig::builder()
-            .with_client_cert_verifier(client_verifier)
-            .with_single_cert(cert, key)?);
     }
-
+    let client_verifier = WebPkiClientVerifier::builder(Arc::new(store)).build()?;
     Ok(ServerConfig::builder()
-        .with_no_client_auth()
+        .with_client_cert_verifier(client_verifier)
         .with_single_cert(cert, key)?)
 }
 
@@ -385,11 +388,12 @@ async fn create_tls_config_and_watch_certificate_changes(
 ) -> Result<RustlsConfig> {
     use ::tracing::error;
 
-    let config = build_tls_server_config(&tls_config).await?;
-
-    let rust_config = RustlsConfig::from_config(Arc::new(config));
+    // Build initial TLS configuration
+    let initial_config = build_tls_server_config(&tls_config).await?;
+    let rust_config = RustlsConfig::from_config(Arc::new(initial_config));
     let reloadable_rust_config = rust_config.clone();
 
+    // Init inotify to watch for changes in the certificate files
     let inotify =
         inotify::Inotify::init().map_err(|e| anyhow!("Cannot initialize inotify: {e}"))?;
     let cert_watch = inotify
@@ -404,15 +408,18 @@ async fn create_tls_config_and_watch_certificate_changes(
         .add(tls_config.key_file.clone(), inotify::WatchMask::CLOSE_WRITE)
         .map_err(|e| anyhow!("Cannot watch key file: {e}"))?;
 
-    let mut client_cert_watch = None;
-    if let Some(ref client_ca_file) = tls_config.client_ca_file {
-        client_cert_watch = Some(
+    let client_cert_watches = tls_config
+        .client_ca_file
+        .clone()
+        .into_iter()
+        .map(|path| {
             inotify
                 .watches()
-                .add(client_ca_file, inotify::WatchMask::CLOSE_WRITE)
-                .map_err(|e| anyhow!("Cannot watch client certificate file: {e}"))?,
-        );
-    }
+                .add(path, inotify::WatchMask::CLOSE_WRITE)
+                .map_err(|e| anyhow!("Cannot watch client certificate file: {e}"))
+                .unwrap()
+        })
+        .collect::<Vec<_>>();
 
     let buffer = [0; 1024];
     let stream = inotify
@@ -442,7 +449,8 @@ async fn create_tls_config_and_watch_certificate_changes(
                 info!("TLS key file has been modified");
                 key_changed = true;
             }
-            if let Some(ref client_cert_watch) = client_cert_watch {
+
+            for client_cert_watch in client_cert_watches.iter() {
                 if event.wd == *client_cert_watch {
                     info!("TLS client certificate file has been modified");
                     client_cert_changed = true;
@@ -454,11 +462,12 @@ async fn create_tls_config_and_watch_certificate_changes(
             if (key_changed && cert_changed)
                 || (client_cert_changed && (key_changed == cert_changed))
             {
-                info!("reloading TLS certificates");
+                info!("Reloading TLS certificates");
 
                 cert_changed = false;
                 key_changed = false;
                 client_cert_changed = false;
+
                 let server_config = build_tls_server_config(&tls_config).await;
                 if let Err(e) = server_config {
                     error!("Failed to reload TLS certificate: {}", e);
@@ -468,7 +477,6 @@ async fn create_tls_config_and_watch_certificate_changes(
             }
         }
     });
-
     Ok(rust_config)
 }
 

tests/integration_test.rs

@@ -674,21 +674,24 @@ async fn test_detect_certificate_rotation() {
     let certs_dir = tempfile::tempdir().unwrap();
     let cert_file = certs_dir.path().join("policy-server.pem");
     let key_file = certs_dir.path().join("policy-server-key.pem");
-    let client_ca = certs_dir.path().join("client_cert.pem");
+    let first_client_ca = certs_dir.path().join("client_cert1.pem");
+    let second_client_ca = certs_dir.path().join("client_cert2.pem");
 
     let hostname1 = "cert1.example.com";
     let tls_data1 = create_cert(hostname1);
-    let tls_data_client = create_cert(hostname1);
+    let first_tls_data_client = create_cert(hostname1);
+    let second_tls_data_client = create_cert(hostname1);
 
     std::fs::write(&cert_file, tls_data1.cert).unwrap();
     std::fs::write(&key_file, tls_data1.key).unwrap();
-    std::fs::write(&client_ca, tls_data_client.cert.clone()).unwrap();
+    std::fs::write(&first_client_ca, first_tls_data_client.cert.clone()).unwrap();
+    std::fs::write(&second_client_ca, second_tls_data_client.cert.clone()).unwrap();
 
     let mut config = default_test_config();
     config.tls_config = Some(policy_server::config::TlsConfig {
         cert_file: cert_file.to_str().unwrap().to_owned(),
         key_file: key_file.to_str().unwrap().to_owned(),
-        client_ca_file: Some(client_ca.to_str().unwrap().to_owned()),
+        client_ca_file: vec![first_client_ca.clone(), second_client_ca.clone()],
     });
     config.policies = HashMap::new();
 
@@ -745,6 +748,22 @@ async fn test_detect_certificate_rotation() {
     check_tls_san_name(&host, &port, hostname2)
         .await
         .expect("certificate hasn't been reloaded");
+
+    let first_tls_data_client2 = create_cert(hostname2);
+
+    // write only the cert file
+    std::fs::write(&first_client_ca, first_tls_data_client2.cert).unwrap();
+
+    // give inotify some time to ensure it detected the cert change
+    tokio::time::sleep(std::time::Duration::from_secs(4)).await;
+
+    let second_tls_data_client2 = create_cert(hostname2);
+
+    // write only the cert file
+    std::fs::write(&second_client_ca, second_tls_data_client2.cert).unwrap();
+
+    // give inotify some time to ensure it detected the cert change
+    tokio::time::sleep(std::time::Duration::from_secs(4)).await;
 }
 
 #[tokio::test]
@@ -954,11 +973,11 @@ fn generate_tls_certs() -> (String, String, String) {
 #[case::with_server_tls_config(Some(certificate_reload_helpers::create_cert("127.0.0.1")), None)]
 #[case::mtls_config(
     Some(certificate_reload_helpers::create_cert("127.0.0.1")),
-    Some(certificate_reload_helpers::create_cert("127.0.0.1"))
+    Some(vec![certificate_reload_helpers::create_cert("127.0.0.1")])
 )]
 async fn test_tls(
     #[case] server_tls_data: Option<certificate_reload_helpers::TlsData>,
-    #[case] client_tls_data: Option<certificate_reload_helpers::TlsData>,
+    #[case] client_tls_data: Option<Vec<certificate_reload_helpers::TlsData>>,
 ) {
     use certificate_reload_helpers::*;
 
@@ -967,35 +986,49 @@ async fn test_tls(
     let certs_dir = tempfile::tempdir().unwrap();
     let cert_file = certs_dir.path().join("policy-server.pem");
     let key_file = certs_dir.path().join("policy-server-key.pem");
-    let client_ca = certs_dir.path().join("client_cert.pem");
 
-    let server_cert = if let Some(ref tls_data) = server_tls_data {
+    if let Some(ref tls_data) = server_tls_data {
         std::fs::write(&cert_file, tls_data.cert.clone()).unwrap();
         std::fs::write(&key_file, tls_data.key.clone()).unwrap();
-        tls_data.cert.clone()
-    } else {
-        String::new()
-    };
+    }
 
-    let (client_cert, client_key) = if let Some(ref tls_data) = client_tls_data {
-        std::fs::write(&client_ca, tls_data.cert.clone()).unwrap();
-        (tls_data.cert.clone(), tls_data.key.clone())
-    } else {
-        (String::new(), String::new())
-    };
+    // Client CA pem file, cert data and key data
+    let clients_cas_info: Vec<(PathBuf, String, String)> =
+        if let Some(ref tls_data) = client_tls_data {
+            tls_data
+                .iter()
+                .enumerate()
+                .into_iter()
+                .map(|(i, tls_data)| {
+                    let client_ca = certs_dir
+                        .path()
+                        .join(format!("client_cert_{}.pem", i))
+                        .to_owned();
+                    std::fs::write(&client_ca, tls_data.cert.clone())
+                        .expect("failed to write client CA file");
+                    (client_ca, tls_data.cert.clone(), tls_data.key.clone())
+                })
+                .collect()
+        } else {
+            vec![]
+        };
 
     let mut config = default_test_config();
     config.tls_config = match (server_tls_data.as_ref(), client_tls_data.as_ref()) {
         (None, None) => None,
         (Some(_), Some(_)) => Some(policy_server::config::TlsConfig {
             cert_file: cert_file.to_str().unwrap().to_owned(),
             key_file: key_file.to_str().unwrap().to_owned(),
-            client_ca_file: Some(client_ca.to_str().unwrap().to_owned()),
+            client_ca_file: clients_cas_info
+                .clone()
+                .into_iter()
+                .map(|it| it.0)
+                .collect(),
         }),
         (Some(_), None) => Some(policy_server::config::TlsConfig {
             cert_file: cert_file.to_str().unwrap().to_owned(),
             key_file: key_file.to_str().unwrap().to_owned(),
-            client_ca_file: None,
+            client_ca_file: vec![],
         }),
         _ => {
             panic!("Invalid test case")
@@ -1028,38 +1061,71 @@ async fn test_tls(
     .expect("policy server is not ready");
     assert_eq!(status_code, reqwest::StatusCode::OK);
 
-    // Validate TLS communication
-    let mut builder = reqwest::Client::builder();
+    // Test sending request to policy server using each of the client CA certificates
+    let client_to_test = match client_tls_data {
+        Some(_) => clients_cas_info
+            .iter()
+            .map(|(_, client_cert, client_key)| {
+                build_request_client(
+                    server_tls_data.as_ref(),
+                    Some(client_cert.to_owned()),
+                    Some(client_key.to_owned()),
+                )
+            })
+            .collect(),
+        _ => vec![build_request_client(server_tls_data.as_ref(), None, None)],
+    };
 
-    if server_tls_data.is_some() {
-        let certificate = reqwest::Certificate::from_pem(server_cert.as_bytes())
-            .expect("Invalid policy server certificate");
-        builder = builder.add_root_certificate(certificate);
+    for client in client_to_test {
+        let response =
+            send_validate_request(&client, format!("{host}:{port}"), server_tls_data.as_ref());
+        assert_eq!(response.await.status(), reqwest::StatusCode::OK);
     }
+}
 
-    if client_tls_data.is_some() {
-        let identity =
-            reqwest::Identity::from_pem(format!("{}\n{}", client_cert, client_key).as_bytes())
-                .expect("successfull pem parsing");
-        builder = builder.identity(identity);
-    };
-    let client = builder.build().unwrap();
-
+async fn send_validate_request(
+    client: &reqwest::Client,
+    address: String,
+    server_tls_data: Option<&certificate_reload_helpers::TlsData>,
+) -> reqwest::Response {
     let prefix = if server_tls_data.is_some() {
         "https"
     } else {
         "http"
     };
-    let url =
-        reqwest::Url::parse(&format!("{prefix}://{host}:{port}/validate/pod-privileged")).unwrap();
-    let response = client
-        .post(url)
+    let url = reqwest::Url::parse(&format!("{prefix}://{address}/validate/pod-privileged"))
+        .expect("failed to format url");
+    client
+        .post(url.clone())
         .header(header::CONTENT_TYPE, "application/json")
         .body(include_str!("data/pod_without_privileged_containers.json"))
         .send()
-        .await;
-    assert_eq!(
-        response.expect("successfull request").status(),
-        reqwest::StatusCode::OK
-    );
+        .await
+        .expect("successfull request")
+}
+
+fn build_request_client(
+    server_tls_data: Option<&certificate_reload_helpers::TlsData>,
+    client_cert: Option<String>,
+    client_key: Option<String>,
+) -> reqwest::Client {
+    // Validate TLS communication
+    let mut builder = reqwest::Client::builder();
+
+    if let Some(server_tls_data) = server_tls_data {
+        let certificate = reqwest::Certificate::from_pem(server_tls_data.cert.clone().as_bytes())
+            .expect("Invalid policy server certificate");
+        builder = builder.add_root_certificate(certificate);
+    }
+
+    match (client_cert, client_key) {
+        (Some(client_cert), Some(client_key)) => {
+            let identity =
+                reqwest::Identity::from_pem(format!("{}\n{}", client_cert, client_key).as_bytes())
+                    .expect("successfull pem parsing");
+            builder = builder.identity(identity)
+        }
+        _ => {}
+    }
+    builder.build().expect("failed to build client")
 }