author | Marco Kawajiri <kawajiri@meta.com> | 2023-10-31 23:36:58 +0300 |
---|---|---|
committer | Ed Tanous <ed@tanous.net> | 2023-12-09 01:59:39 +0300 |
commit | 0e373b53f81fc1720050571755ecfcdc6dd9ba9b (patch) | |
tree | 2aef16a7aca2a2bc12e7b086ebdde17b178daf14 /test | |
parent | 23f1c96e6bc9060b54ff08a6b4d6cf8b8e0c3b23 (diff) | |
download | bmcweb-0e373b53f81fc1720050571755ecfcdc6dd9ba9b.tar.xz |
mutual-tls: Add support for Meta certificates
Meta Inc's client certificates use an internal Subject CN format
which AFAIK is specific to Meta and don't adhere to a known standard:
Subject: CN = <type>:<entity>/<hostname>
Commit adds the `mutual-tls-common-name-parsing=meta` option to, on
Meta builds, parse the Subject CN field and map the <entity>
to a local user.
The <type> field determines what kind of client identity the cert
represents. Only type="user" is supported for now with <entity> being
the unixname of a Meta employee. For example, the Subject CN string
below maps to a local BMC user named "kawmarco":
Subject CN = "user:kawmarco/dev123.facebook.com"
Tested: Unit tests, built and tested on romulus using the script below:
https://gist.github.com/kawmarco/87170a8250020023d913ed5f7ed5c01f
Flags used in meta-ibm/meta-romulus/conf/layer.conf :
```
-Dbmcweb-logging='enabled'
-Dmutual-tls-common-name-parsing='meta'
```
Change-Id: I35ee9b92d163ce56815a5bd9cce5296ba1a44eef
Signed-off-by: Marco Kawajiri <kawajiri@meta.com>
Diffstat (limited to 'test')
-rw-r--r-- | test/http/mutual_tls_meta.cpp | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/test/http/mutual_tls_meta.cpp b/test/http/mutual_tls_meta.cpp
new file mode 100644
index 0000000000..5f32cb54a1
--- /dev/null
+++ b/test/http/mutual_tls_meta.cpp
@@ -0,0 +1,49 @@
+#include "http/mutual_tls_meta.hpp"
+
+#include <gtest/gtest.h> // IWYU pragma: keep
+
+namespace redfish
+{
+namespace
+{
+
+TEST(MetaParseSslUser, userTest)
+{
+ std::string sslUser = "user:kawajiri/hostname.facebook.com";
+ EXPECT_EQ(mtlsMetaParseSslUser(sslUser), "kawajiri");
+}
+
+TEST(MetaParseSslUser, userNohostnameTest)
+{
+ // hostname is optional
+ std::string sslUser = "user:kawajiri";
+ EXPECT_EQ(mtlsMetaParseSslUser(sslUser), "kawajiri");
+}
+
+TEST(MetaParseSslUser, invalidUsers)
+{
+ std::vector<std::string> invalidSslUsers = {
+ "",
+ ":",
+ ":/",
+ "ijslakd",
+ "user:",
+ "user:/",
+ "user:/hostname.facebook.com",
+ "user:/hostname.facebook.c om",
+ "user: space/hostname.facebook.com",
+ "svc:",
+ "svc:/",
+ "svc:/hostname.facebook.com",
+ "host:/",
+ "host:unexpected_user/",
+ };
+
+ for (const std::string& sslUser : invalidSslUsers)
+ {
+ EXPECT_EQ(mtlsMetaParseSslUser(sslUser), std::nullopt);
+ }
+}
+
+} // namespace
+} // namespace redfish |
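Review bot: The invalidSslUsers list in TEST(MetaParseSslUser, invalidUsers) leaves the boundary of the accepted <entity> format unpinned: no entry has a trailing or repeated separator, a mixed-case type, or an entity with characters beyond a bare unixname, even though the parsed value is what gets mapped to a local BMC user. Assuming the parser is meant to accept only a plain unixname for type "user", add entries such as `"user:kawajiri/"`, `"user:kawajiri/a/b"`, `"User:kawajiri"` and `"user:kaw ajiri"`; if any of these is intended to parse successfully, it belongs in a positive test with its expected value instead. The file also uses std::string, std::vector and std::nullopt while including only the header under test and gtest, so add `#include <optional>`, `#include <string>` and `#include <vector>` rather than relying on transitive includes from mutual_tls_meta.hpp.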