
Auth: Fine-grained access control for TLS clients #14099

Draft: wants to merge 28 commits into base: main from (head branch not shown on this page)

Commits on Sep 16, 2024

  1. api: Add identity_management API extension.

    Signed-off-by: Mark Laing <[email protected]>
    markylaing committed Sep 16, 2024
    Commit: 16f202f
  2. lxd: Separate identity handlers by auth method.

    Signed-off-by: Mark Laing <[email protected]>
    markylaing committed Sep 16, 2024
    Commit: cd6fd48
  3. shared/api: Add metadata to identity API response.

    Signed-off-by: Mark Laing <[email protected]>
    markylaing committed Sep 16, 2024
    Commit: f26e54a
  4. lxd/db/cluster: Add metadata to identity API response.

    Signed-off-by: Mark Laing <[email protected]>
    markylaing committed Sep 16, 2024
    Commit: bd77f49
  5. lxd: Add metadata to identity API response.

    Signed-off-by: Mark Laing <[email protected]>
    markylaing committed Sep 16, 2024
    Commit: ccb7d21
  6. (commit title not shown on this page)

    Commit: a772e1f
  7. lxd/db/cluster: Add pending and fine-grained TLS certificate identity types.
    
    Signed-off-by: Mark Laing <[email protected]>
    markylaing committed Sep 16, 2024
    Commit: f8090bb
  8. (commit title not shown on this page)

    Commit: 978f055
  9. lxd/db/cluster: Add method to unpend a TLS certificate.

    Signed-off-by: Mark Laing <[email protected]>
    markylaing committed Sep 16, 2024
    Commit: 51ede48
  10. lxd/db/cluster: Omit pending TLS identity metadata from API responses.

    We should never expose the secret except in the issued token.
    
    Signed-off-by: Mark Laing <[email protected]>
    markylaing committed Sep 16, 2024
    Commit: 9e02957
  11. (commit title not shown on this page)

    Commit: 64be20d
  12. (commit title not shown on this page)

    Commit: d7708eb
  13. lxd: Move CA check into certificateValidate method.

    Whether a new client is being trusted via secret, or if an
    administrator is adding or updating the certificate directly,
    the certificate must be signed by the CA if set.
    
    Note that this is *not* a security issue, because we validate
    that client certificates have been signed by the CA when authenticating.
    This just meant that it was possible for an admin to create a certificate
    that would be invalid.
    
    Signed-off-by: Mark Laing <[email protected]>
    markylaing committed Sep 16, 2024
    Commit: 4f3e3ff
  14. lxd: Don't show fine-grained or pending TLS certificates in certificates API.
    
    Signed-off-by: Mark Laing <[email protected]>
    markylaing committed Sep 16, 2024
    Commit: 3a1aa81
  15. lxd: Allow fine-grained TLS identities to authenticate.

    Adds the fine-grained TLS identity type to the list of candidate
    identity types for client authentication.
    
    Signed-off-by: Mark Laing <[email protected]>
    markylaing committed Sep 16, 2024
    Commit: 02a39e0
  16. (commit title not shown on this page)

    Commit: 5392127
  17. shared/api: Add API structs for identity creation.

    Signed-off-by: Mark Laing <[email protected]>
    markylaing committed Sep 16, 2024
    Commit: 477f32d
  18. shared/api: Add field to CertificateAddToken.

    This field indicates to the CLI which API to use when adding a remote.
    If `Identity` is true, then `POST /1.0/auth/identities/tls` will be used.
    Otherwise, `POST /1.0/certificates` will be used.
    
    Signed-off-by: Mark Laing <[email protected]>
    markylaing committed Sep 16, 2024
    Commit: 983213a
  19. lxd: Add POST /1.0/auth/identities/tls.

    If a token is requested, a pending TLS identity is created
    whose identifier is a UUID, and whose metadata contains a
    secret and an expiry.
    
    If a token is supplied, the pending TLS identities are enumerated
    and if a matching secret is found (that has not expired), the pending
    identity is updated with the TLS certificate that the client sent during
    the TLS handshake.
    
    If a certificate is supplied directly, then an identity of type
    `Client certificate` is created.
    
    Signed-off-by: Mark Laing <[email protected]>
    markylaing committed Sep 16, 2024
    Commit: 239adc7
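The token flow that commit 19 describes (a pending identity with a UUID identifier, a secret and an expiry; redemption by enumerating pending identities and binding the matching one to the handshake certificate) together with commit 10's rule that the secret is never exposed outside the issued token, as an added, self-contained Go example. This is illustrative code written for this page, not LXD's implementation: the type names, the in-memory store, the fingerprint computation and the `apiView` helper are assumptions, and the certificate bytes are constructed, not a real DER certificate.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Identity types named after the commit description (hypothetical, not LXD's constants).
const (
	typePendingTLS     = "Pending TLS certificate"
	typeFineGrainedTLS = "Fine-grained TLS certificate"
)

// pendingMetadata is the secret and expiry of a not-yet-trusted identity. It is only
// ever handed out inside the issued token and never appears in an API response.
type pendingMetadata struct {
	secret string
	expiry time.Time
}

// identity is a simplified record: the identifier is a UUID while pending and the
// certificate fingerprint once the token has been redeemed.
type identity struct {
	Identifier string
	Type       string
	Name       string
	pending    *pendingMetadata
}

// store stands in for the database; the clock is injectable so expiry can be tested.
type store struct {
	identities map[string]*identity
	now        func() time.Time
}

func newStore(now func() time.Time) *store {
	return &store{identities: map[string]*identity{}, now: now}
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // loss of entropy is fatal in this constructed example
	}
	return b
}

// issueToken is the "token requested" path: create a pending TLS identity whose
// identifier is a random UUID and whose metadata holds a fresh secret and an expiry.
func (s *store) issueToken(name string, ttl time.Duration) (uuid, secret string) {
	b := randomBytes(16)
	b[6] = (b[6] & 0x0f) | 0x40 // UUID version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	uuid = fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16])
	secret = hex.EncodeToString(randomBytes(32))
	s.identities[uuid] = &identity{Identifier: uuid, Type: typePendingTLS, Name: name,
		pending: &pendingMetadata{secret: secret, expiry: s.now().Add(ttl)}}
	return uuid, secret
}

// redeemToken is the "token supplied" path: enumerate pending identities, accept the one
// whose unexpired secret matches (constant-time compare), and bind it to the certificate
// the client presented during the TLS handshake. The pending record is removed so the
// same token cannot be redeemed twice.
func (s *store) redeemToken(secret string, clientCertDER []byte) (*identity, error) {
	for _, id := range s.identities {
		if id.Type != typePendingTLS || id.pending == nil {
			continue
		}
		if !s.now().Before(id.pending.expiry) {
			continue // expired: never trust, even if the secret matches
		}
		if subtle.ConstantTimeCompare([]byte(id.pending.secret), []byte(secret)) != 1 {
			continue
		}
		sum := sha256.Sum256(clientCertDER)
		fingerprint := hex.EncodeToString(sum[:])
		delete(s.identities, id.Identifier)
		trusted := &identity{Identifier: fingerprint, Type: typeFineGrainedTLS, Name: id.Name}
		s.identities[fingerprint] = trusted
		return trusted, nil
	}
	return nil, errors.New("no matching unexpired pending identity")
}

// apiView is what an identity handler may return: pending metadata is omitted entirely.
func apiView(id *identity) map[string]string {
	return map[string]string{"id": id.Identifier, "type": id.Type, "name": id.Name}
}

func main() {
	s := newStore(time.Now)
	_, token := s.issueToken("ci-runner", time.Hour)
	cert := []byte("constructed bytes standing in for a client certificate")
	if id, err := s.redeemToken(token, cert); err == nil {
		fmt.Println("trusted:", apiView(id))
	}
	_, err := s.redeemToken(token, cert)
	fmt.Println("second redemption:", err)
}
```

The points a reviewer of such a handler checks are visible in `redeemToken`: the expiry is tested before the secret, the comparison is constant-time, the pending record is deleted on success so the token is single-use, and the trusted identity carries the fingerprint of the certificate actually presented in the handshake rather than anything the client typed.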
  20. lxd: Add DELETE /1.0/auth/identities/{tls,oidc}/{nameOrIdentifier}.

    Deletes the identity. For mTLS authentication this revokes trust entirely. For
    OIDC this does not revoke trust but will revoke any locally configured group
    membership (and therefore revoke access). If group membership has been configured via
    identity provider groups then this will do nothing.
    
    Signed-off-by: Mark Laing <[email protected]>
    markylaing committed Sep 16, 2024
    Commit: 1c944d1
  21. (commit title not shown on this page)

    Commit: 1be1ecd
  22. (commit title not shown on this page)

    Commit: f46f652
  23. lxd: Skip server certificates that cannot be converted to a valid type.

    On updating the certificate cache, it was possible (programmatically)
    to append a nil certificate to the list of local server certificates.
    
    Signed-off-by: Mark Laing <[email protected]>
    markylaing committed Sep 16, 2024
    Commit: 8d6693a
  24. (commit title not shown on this page)

    Commit: 3c68d15
  25. lxc/remote: Update remote add to handle tokens issued by identities API.
    
    Signed-off-by: Mark Laing <[email protected]>
    markylaing committed Sep 16, 2024
    Commit: c76cb94
  26. (commit title not shown on this page)

    Commit: 5ae3497
  27. doc: Run make update-api.

    Signed-off-by: Mark Laing <[email protected]>
    markylaing committed Sep 16, 2024
    Commit: 29bcbf8
  28. i18n: Update translations.

    Signed-off-by: Mark Laing <[email protected]>
    markylaing committed Sep 16, 2024
    Commit: e1fc039