Compare commits
4 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 woggioni
|
15084baa70
|
||
|
woggioni
|
6b783bceeb
|
||
|
woggioni
|
f2f7c9024c
|
||
|
woggioni
|
6a2e53bc00
|
@@ -16,6 +16,9 @@ jobs:
|
|||||||
- name: Get project version
|
- name: Get project version
|
||||||
id: retrieve-version
|
id: retrieve-version
|
||||||
run: ./gradlew -q version >> "$GITHUB_OUTPUT"
|
run: ./gradlew -q version >> "$GITHUB_OUTPUT"
|
||||||
|
- name: Get project version 2
|
||||||
|
id: retrieve-version-2
|
||||||
|
run: ./gradlew -q version
|
||||||
- name: Login to Gitea container registry
|
- name: Login to Gitea container registry
|
||||||
uses: docker/login-action@v3
|
uses: docker/login-action@v3
|
||||||
with:
|
with:
|
||||||
|
|||||||
@@ -16,6 +16,9 @@ jobs:
|
|||||||
- name: Get project version
|
- name: Get project version
|
||||||
id: retrieve-version
|
id: retrieve-version
|
||||||
run: ./gradlew -q version >> "$GITHUB_OUTPUT"
|
run: ./gradlew -q version >> "$GITHUB_OUTPUT"
|
||||||
|
- name: Get project version 2
|
||||||
|
id: retrieve-version-2
|
||||||
|
run: ./gradlew -q version
|
||||||
- name: Login to Gitea container registry
|
- name: Login to Gitea container registry
|
||||||
uses: docker/login-action@v3
|
uses: docker/login-action@v3
|
||||||
with:
|
with:
|
||||||
@@ -32,8 +35,8 @@ jobs:
|
|||||||
push: true
|
push: true
|
||||||
pull: true
|
pull: true
|
||||||
tags: |
|
tags: |
|
||||||
gitea.woggioni.net/woggioni/rbcs:latest
|
gitea.woggioni.net/woggioni/rbcs:vanilla
|
||||||
gitea.woggioni.net/woggioni/rbcs:${{ steps.retrieve-version.outputs.VERSION }}
|
gitea.woggioni.net/woggioni/rbcs:vanilla-${{ steps.retrieve-version.outputs.VERSION }}
|
||||||
target: release-vanilla
|
target: release-vanilla
|
||||||
-
|
-
|
||||||
name: Build rbcs memcache Docker image
|
name: Build rbcs memcache Docker image
|
||||||
@@ -45,8 +48,10 @@ jobs:
|
|||||||
push: true
|
push: true
|
||||||
pull: true
|
pull: true
|
||||||
tags: |
|
tags: |
|
||||||
|
gitea.woggioni.net/woggioni/rbcs:latest
|
||||||
|
gitea.woggioni.net/woggioni/rbcs:${{ steps.retrieve-version.outputs.VERSION }}
|
||||||
gitea.woggioni.net/woggioni/rbcs:memcache
|
gitea.woggioni.net/woggioni/rbcs:memcache
|
||||||
gitea.woggioni.net/woggioni/rbcs:${{ steps.retrieve-version.outputs.VERSION }}-memcache
|
gitea.woggioni.net/woggioni/rbcs:memcache-${{ steps.retrieve-version.outputs.VERSION }}
|
||||||
target: release-memcache
|
target: release-memcache
|
||||||
-
|
-
|
||||||
name: Build rbcs redis Docker image
|
name: Build rbcs redis Docker image
|
||||||
@@ -58,8 +63,10 @@ jobs:
|
|||||||
push: true
|
push: true
|
||||||
pull: true
|
pull: true
|
||||||
tags: |
|
tags: |
|
||||||
|
gitea.woggioni.net/woggioni/rbcs:latest
|
||||||
|
gitea.woggioni.net/woggioni/rbcs:${{ steps.retrieve-version.outputs.VERSION }}
|
||||||
gitea.woggioni.net/woggioni/rbcs:redis
|
gitea.woggioni.net/woggioni/rbcs:redis
|
||||||
gitea.woggioni.net/woggioni/rbcs:${{ steps.retrieve-version.outputs.VERSION }}-redis
|
gitea.woggioni.net/woggioni/rbcs:redis-${{ steps.retrieve-version.outputs.VERSION }}
|
||||||
target: release-redis
|
target: release-redis
|
||||||
-
|
-
|
||||||
name: Build rbcs native Docker image
|
name: Build rbcs native Docker image
|
||||||
@@ -72,7 +79,7 @@ jobs:
|
|||||||
pull: true
|
pull: true
|
||||||
tags: |
|
tags: |
|
||||||
gitea.woggioni.net/woggioni/rbcs:native
|
gitea.woggioni.net/woggioni/rbcs:native
|
||||||
gitea.woggioni.net/woggioni/rbcs:${{ steps.retrieve-version.outputs.VERSION }}-native
|
gitea.woggioni.net/woggioni/rbcs:native-${{ steps.retrieve-version.outputs.VERSION }}
|
||||||
target: release-native
|
target: release-native
|
||||||
-
|
-
|
||||||
name: Build rbcs jlink Docker image
|
name: Build rbcs jlink Docker image
|
||||||
@@ -85,7 +92,7 @@ jobs:
|
|||||||
pull: true
|
pull: true
|
||||||
tags: |
|
tags: |
|
||||||
gitea.woggioni.net/woggioni/rbcs:jlink
|
gitea.woggioni.net/woggioni/rbcs:jlink
|
||||||
gitea.woggioni.net/woggioni/rbcs:${{ steps.retrieve-version.outputs.VERSION }}-jlink
|
gitea.woggioni.net/woggioni/rbcs:jlink-${{ steps.retrieve-version.outputs.VERSION }}-jlink
|
||||||
target: release-jlink
|
target: release-jlink
|
||||||
- name: Publish artifacts
|
- name: Publish artifacts
|
||||||
env:
|
env:
|
||||||
|
|||||||
+1
-1
@@ -2,7 +2,7 @@ org.gradle.configuration-cache=false
|
|||||||
org.gradle.parallel=true
|
org.gradle.parallel=true
|
||||||
org.gradle.caching=true
|
org.gradle.caching=true
|
||||||
|
|
||||||
rbcs.version = 0.4.0
|
rbcs.version = 0.3.8
|
||||||
|
|
||||||
lys.version = 2026.03.26
|
lys.version = 2026.03.26
|
||||||
|
|
||||||
|
|||||||
@@ -136,13 +136,6 @@ public class Configuration {
|
|||||||
TlsCertificateExtractor groupExtractor;
|
TlsCertificateExtractor groupExtractor;
|
||||||
}
|
}
|
||||||
|
|
||||||
@Value
|
|
||||||
public static class ForwardedClientCertificateAuthentication implements Authentication {
|
|
||||||
String headerName;
|
|
||||||
TlsCertificateExtractor userExtractor;
|
|
||||||
TlsCertificateExtractor groupExtractor;
|
|
||||||
}
|
|
||||||
|
|
||||||
public interface Cache {
|
public interface Cache {
|
||||||
CacheHandlerFactory materialize();
|
CacheHandlerFactory materialize();
|
||||||
String getNamespaceURI();
|
String getNamespaceURI();
|
||||||
|
|||||||
@@ -155,59 +155,6 @@ class RemoteBuildCacheServer(private val cfg: Configuration) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@Sharable
|
|
||||||
private class ForwardedClientCertificateAuthenticator(
|
|
||||||
authorizer: Authorizer,
|
|
||||||
private val anonymousUserGroups: Set<Configuration.Group>?,
|
|
||||||
private val subjectDnUserExtractor: SubjectDnExtractor?,
|
|
||||||
private val subjectDnGroupExtractor: SubjectDnExtractor?,
|
|
||||||
private val headerName: String,
|
|
||||||
private val trustedProxyIPs: List<Cidr>,
|
|
||||||
private val users: Map<String, Configuration.User>,
|
|
||||||
private val groups: Map<String, Configuration.Group>,
|
|
||||||
) : AbstractNettyHttpAuthenticator(authorizer) {
|
|
||||||
|
|
||||||
companion object {
|
|
||||||
private val log = createLogger<ForwardedClientCertificateAuthenticator>()
|
|
||||||
}
|
|
||||||
|
|
||||||
override fun authenticate(ctx: ChannelHandlerContext, req: HttpRequest): AuthenticationResult? {
|
|
||||||
val clientIp = ctx.channel().attr(clientIp).get()
|
|
||||||
if (clientIp == null || trustedProxyIPs.none { it.contains(clientIp.address) }) {
|
|
||||||
log.debug(ctx) {
|
|
||||||
"Rejecting forwarded client certificate authentication from untrusted address: $clientIp"
|
|
||||||
}
|
|
||||||
return null
|
|
||||||
}
|
|
||||||
val subjectDn = req.headers()[headerName]
|
|
||||||
?: return anonymousUserGroups?.let { AuthenticationResult(null, it) }
|
|
||||||
val ldapName = try {
|
|
||||||
LdapName(subjectDn)
|
|
||||||
} catch (e: Exception) {
|
|
||||||
log.debug(ctx) {
|
|
||||||
"Invalid subject DN in header $headerName: $subjectDn"
|
|
||||||
}
|
|
||||||
return anonymousUserGroups?.let { AuthenticationResult(null, it) }
|
|
||||||
}
|
|
||||||
val user = subjectDnUserExtractor?.extract(ldapName)?.let { userName ->
|
|
||||||
users[userName] ?: throw RuntimeException("Failed to extract user '$userName'")
|
|
||||||
}
|
|
||||||
val group = subjectDnGroupExtractor?.extract(ldapName)?.let { groupName ->
|
|
||||||
groups[groupName] ?: throw RuntimeException("Failed to extract group '$groupName'")
|
|
||||||
}
|
|
||||||
val allGroups = ((user?.groups ?: emptySet()).asSequence() + sequenceOf(group).filterNotNull()).toSet()
|
|
||||||
return AuthenticationResult(user, allGroups)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
private data class SubjectDnExtractor(val rdnType: String, val pattern: Pattern) {
|
|
||||||
fun extract(ldapName: LdapName): String? {
|
|
||||||
return ldapName.rdns.find { it.type == rdnType }
|
|
||||||
?.let { pattern.matcher(it.value.toString()) }
|
|
||||||
?.takeIf(Matcher::matches)?.group(1)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@Sharable
|
@Sharable
|
||||||
private class NettyHttpBasicAuthenticator(
|
private class NettyHttpBasicAuthenticator(
|
||||||
private val users: Map<String, Configuration.User>, authorizer: Authorizer
|
private val users: Map<String, Configuration.User>, authorizer: Authorizer
|
||||||
@@ -314,23 +261,6 @@ class RemoteBuildCacheServer(private val cfg: Configuration) {
|
|||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
is Configuration.ForwardedClientCertificateAuthentication -> {
|
|
||||||
ForwardedClientCertificateAuthenticator(
|
|
||||||
RoleAuthorizer(),
|
|
||||||
cfg.users[""]?.groups,
|
|
||||||
auth.userExtractor?.let { extractor ->
|
|
||||||
SubjectDnExtractor(extractor.rdnType, Pattern.compile(extractor.pattern))
|
|
||||||
},
|
|
||||||
auth.groupExtractor?.let { extractor ->
|
|
||||||
SubjectDnExtractor(extractor.rdnType, Pattern.compile(extractor.pattern))
|
|
||||||
},
|
|
||||||
auth.headerName,
|
|
||||||
cfg.trustedProxyIPs,
|
|
||||||
cfg.users,
|
|
||||||
cfg.groups,
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
else -> null
|
else -> null
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -12,18 +12,15 @@ import io.netty.handler.codec.http.HttpRequest
|
|||||||
import io.netty.handler.codec.http.HttpResponseStatus
|
import io.netty.handler.codec.http.HttpResponseStatus
|
||||||
import io.netty.handler.codec.http.HttpVersion
|
import io.netty.handler.codec.http.HttpVersion
|
||||||
import io.netty.util.ReferenceCountUtil
|
import io.netty.util.ReferenceCountUtil
|
||||||
import java.net.InetSocketAddress
|
|
||||||
import net.woggioni.rbcs.api.Configuration
|
import net.woggioni.rbcs.api.Configuration
|
||||||
import net.woggioni.rbcs.api.Configuration.Group
|
import net.woggioni.rbcs.api.Configuration.Group
|
||||||
import net.woggioni.rbcs.api.Role
|
import net.woggioni.rbcs.api.Role
|
||||||
import net.woggioni.rbcs.common.createLogger
|
|
||||||
import net.woggioni.rbcs.server.RemoteBuildCacheServer
|
import net.woggioni.rbcs.server.RemoteBuildCacheServer
|
||||||
|
|
||||||
|
|
||||||
abstract class AbstractNettyHttpAuthenticator(private val authorizer: Authorizer) : ChannelInboundHandlerAdapter() {
|
abstract class AbstractNettyHttpAuthenticator(private val authorizer: Authorizer) : ChannelInboundHandlerAdapter() {
|
||||||
|
|
||||||
companion object {
|
companion object {
|
||||||
private val log = createLogger<AbstractNettyHttpAuthenticator>()
|
|
||||||
|
|
||||||
private val AUTHENTICATION_FAILED: FullHttpResponse = DefaultFullHttpResponse(
|
private val AUTHENTICATION_FAILED: FullHttpResponse = DefaultFullHttpResponse(
|
||||||
HttpVersion.HTTP_1_1, HttpResponseStatus.UNAUTHORIZED, Unpooled.EMPTY_BUFFER
|
HttpVersion.HTTP_1_1, HttpResponseStatus.UNAUTHORIZED, Unpooled.EMPTY_BUFFER
|
||||||
).apply {
|
).apply {
|
||||||
@@ -56,16 +53,6 @@ abstract class AbstractNettyHttpAuthenticator(private val authorizer: Authorizer
|
|||||||
result.groups.asSequence().flatMap { it.roles.asSequence() }
|
result.groups.asSequence().flatMap { it.roles.asSequence() }
|
||||||
).toSet()
|
).toSet()
|
||||||
val authorized = authorizer.authorize(roles, msg)
|
val authorized = authorizer.authorize(roles, msg)
|
||||||
if(log.isTraceEnabled) {
|
|
||||||
val authorizedMessage = if(authorized) { "Authorized" } else { "Forbidden" }
|
|
||||||
val clientAddress = ctx.channel().attr<InetSocketAddress>(RemoteBuildCacheServer.clientIp).get()
|
|
||||||
val roleString = "[" + roles.asSequence().map { "\"" + it + "\""}.joinToString(", ") + "]"
|
|
||||||
result.user?.let { user ->
|
|
||||||
log.trace("$authorizedMessage ${msg.method()} request from user $user with address $clientAddress, granted roles $roleString")
|
|
||||||
} ?: {
|
|
||||||
log.trace("$authorizedMessage anonymous ${msg.method()} request with address $clientAddress, granted roles $roleString")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if (authorized) {
|
if (authorized) {
|
||||||
super.channelRead(ctx, msg)
|
super.channelRead(ctx, msg)
|
||||||
} else {
|
} else {
|
||||||
|
|||||||
@@ -8,7 +8,6 @@ import net.woggioni.rbcs.api.Configuration.Authentication
|
|||||||
import net.woggioni.rbcs.api.Configuration.BasicAuthentication
|
import net.woggioni.rbcs.api.Configuration.BasicAuthentication
|
||||||
import net.woggioni.rbcs.api.Configuration.Cache
|
import net.woggioni.rbcs.api.Configuration.Cache
|
||||||
import net.woggioni.rbcs.api.Configuration.ClientCertificateAuthentication
|
import net.woggioni.rbcs.api.Configuration.ClientCertificateAuthentication
|
||||||
import net.woggioni.rbcs.api.Configuration.ForwardedClientCertificateAuthentication
|
|
||||||
import net.woggioni.rbcs.api.Configuration.Group
|
import net.woggioni.rbcs.api.Configuration.Group
|
||||||
import net.woggioni.rbcs.api.Configuration.KeyStore
|
import net.woggioni.rbcs.api.Configuration.KeyStore
|
||||||
import net.woggioni.rbcs.api.Configuration.Tls
|
import net.woggioni.rbcs.api.Configuration.Tls
|
||||||
@@ -78,28 +77,6 @@ object Parser {
|
|||||||
}
|
}
|
||||||
authentication = ClientCertificateAuthentication(tlsExtractorUser, tlsExtractorGroup)
|
authentication = ClientCertificateAuthentication(tlsExtractorUser, tlsExtractorGroup)
|
||||||
}
|
}
|
||||||
|
|
||||||
"forwarded-client-certificate" -> {
|
|
||||||
val headerName = gchild.renderAttribute("header-name") ?: "X-Client-Cert-Subject-DN"
|
|
||||||
var tlsExtractorUser: TlsCertificateExtractor? = null
|
|
||||||
var tlsExtractorGroup: TlsCertificateExtractor? = null
|
|
||||||
for (ggchild in gchild.asIterable()) {
|
|
||||||
when (ggchild.localName) {
|
|
||||||
"group-extractor" -> {
|
|
||||||
val attrName = ggchild.renderAttribute("attribute-name")
|
|
||||||
val pattern = ggchild.renderAttribute("pattern")
|
|
||||||
tlsExtractorGroup = TlsCertificateExtractor(attrName, pattern)
|
|
||||||
}
|
|
||||||
|
|
||||||
"user-extractor" -> {
|
|
||||||
val attrName = ggchild.renderAttribute("attribute-name")
|
|
||||||
val pattern = ggchild.renderAttribute("pattern")
|
|
||||||
tlsExtractorUser = TlsCertificateExtractor(attrName, pattern)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
authentication = ForwardedClientCertificateAuthentication(headerName, tlsExtractorUser, tlsExtractorGroup)
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -165,23 +165,6 @@ object Serializer {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
is Configuration.ForwardedClientCertificateAuthentication -> {
|
|
||||||
node("forwarded-client-certificate") {
|
|
||||||
attr("header-name", authentication.headerName)
|
|
||||||
authentication.groupExtractor?.let { extractor ->
|
|
||||||
node("group-extractor") {
|
|
||||||
attr("attribute-name", extractor.rdnType)
|
|
||||||
attr("pattern", extractor.pattern)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
authentication.userExtractor?.let { extractor ->
|
|
||||||
node("user-extractor") {
|
|
||||||
attr("attribute-name", extractor.rdnType)
|
|
||||||
attr("pattern", extractor.pattern)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -311,45 +311,6 @@
|
|||||||
</xs:sequence>
|
</xs:sequence>
|
||||||
</xs:complexType>
|
</xs:complexType>
|
||||||
|
|
||||||
<xs:complexType name="forwardedClientCertificateAuthorizationType">
|
|
||||||
<xs:annotation>
|
|
||||||
<xs:documentation>
|
|
||||||
Authenticate clients based on a custom HTTP header containing the client TLS certificate
|
|
||||||
subject DN, forwarded by a reverse proxy that performs TLS termination. The proxy must be
|
|
||||||
listed in the trusted-proxies configuration for the header to be accepted.
|
|
||||||
</xs:documentation>
|
|
||||||
</xs:annotation>
|
|
||||||
<xs:sequence>
|
|
||||||
<xs:element name="group-extractor" type="rbcs:X500NameExtractorType" minOccurs="0">
|
|
||||||
<xs:annotation>
|
|
||||||
<xs:documentation>
|
|
||||||
A regex based extractor that will be used to determine which group the client belongs to,
|
|
||||||
based on the X.500 name of the subject DN forwarded by the reverse proxy.
|
|
||||||
When this is set RBAC works even if the user isn't listed in the <users/> section as
|
|
||||||
the client will be assigned role solely based on the group he is found to belong to.
|
|
||||||
Note that this does not allow for a client to be part of multiple groups.
|
|
||||||
</xs:documentation>
|
|
||||||
</xs:annotation>
|
|
||||||
</xs:element>
|
|
||||||
<xs:element name="user-extractor" type="rbcs:X500NameExtractorType" minOccurs="0">
|
|
||||||
<xs:annotation>
|
|
||||||
<xs:documentation>
|
|
||||||
A regex based extractor that will be used to assign a user to a connected client,
|
|
||||||
based on the X.500 name of the subject DN forwarded by the reverse proxy.
|
|
||||||
</xs:documentation>
|
|
||||||
</xs:annotation>
|
|
||||||
</xs:element>
|
|
||||||
</xs:sequence>
|
|
||||||
<xs:attribute name="header-name" type="xs:token">
|
|
||||||
<xs:annotation>
|
|
||||||
<xs:documentation>
|
|
||||||
Name of the HTTP header containing the client certificate subject DN
|
|
||||||
forwarded by the reverse proxy. Defaults to "X-Client-Cert-Subject-DN".
|
|
||||||
</xs:documentation>
|
|
||||||
</xs:annotation>
|
|
||||||
</xs:attribute>
|
|
||||||
</xs:complexType>
|
|
||||||
|
|
||||||
<xs:complexType name="X500NameExtractorType">
|
<xs:complexType name="X500NameExtractorType">
|
||||||
<xs:annotation>
|
<xs:annotation>
|
||||||
<xs:documentation>
|
<xs:documentation>
|
||||||
@@ -419,15 +380,6 @@
|
|||||||
</xs:documentation>
|
</xs:documentation>
|
||||||
</xs:annotation>
|
</xs:annotation>
|
||||||
</xs:element>
|
</xs:element>
|
||||||
<xs:element name="forwarded-client-certificate" type="rbcs:forwardedClientCertificateAuthorizationType">
|
|
||||||
<xs:annotation>
|
|
||||||
<xs:documentation>
|
|
||||||
Enable forwarded client certificate authentication. Authenticates clients based on
|
|
||||||
a custom HTTP header containing the client certificate subject DN, forwarded by a
|
|
||||||
reverse proxy that performs TLS termination. Requires trusted-proxies to be configured.
|
|
||||||
</xs:documentation>
|
|
||||||
</xs:annotation>
|
|
||||||
</xs:element>
|
|
||||||
<xs:element name="none">
|
<xs:element name="none">
|
||||||
<xs:annotation>
|
<xs:annotation>
|
||||||
<xs:documentation>
|
<xs:documentation>
|
||||||
|
|||||||
Reference in New Issue
Block a user