From 0e373b53f81fc1720050571755ecfcdc6dd9ba9b Mon Sep 17 00:00:00 2001 From: Marco Kawajiri Date: Tue, 31 Oct 2023 13:36:58 -0700 Subject: mutual-tls: Add support for Meta certificates Meta Inc's client certificates use an internal Subject CN format which AFAIK is specific to Meta and don't adhere to a known standard: Subject: CN = :/ Commit adds the `mutual-tls-common-name-parsing=meta` option to, on Meta builds, parse the Subject CN field and map either the to a local user. The field determines what kind of client identity the cert represents. Only type="user" is supported for now with being the unixname of a Meta employee. For example, the Subject CN string below maps to a local BMC user named "kawmarco": Subject CN = "user:kawmarco/dev123.facebook.com" Tested: Unit tests, built and tested on romulus using the script below: https://gist.github.com/kawmarco/87170a8250020023d913ed5f7ed5c01f Flags used in meta-ibm/meta-romulus/conf/layer.conf : ``` -Dbmcweb-logging='enabled' -Dmutual-tls-common-name-parsing='meta' ``` Change-Id: I35ee9b92d163ce56815a5bd9cce5296ba1a44eef Signed-off-by: Marco Kawajiri --- meson_options.txt | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'meson_options.txt') diff --git a/meson_options.txt b/meson_options.txt index 017c16bd68..584ca7024c 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -184,6 +184,20 @@ option( this option to take effect.''' ) +option( + 'mutual-tls-common-name-parsing', + type: 'combo', + choices: ['username', 'meta'], + value: 'username', + description: '''Sets logic to map the Subject Common Name field to a user + in client TLS certificates. + - username: Use the Subject CN field as a BMC username + (default) + - meta: Parses the Subject CN in the format used by + Meta Inc (see mutual_tls_meta.cpp for details) + ''' +) + option( 'ibm-management-console', type: 'feature', -- cgit v1.2.3
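Review bot: the description for the new `mutual-tls-common-name-parsing` option should state the security-relevant behaviour of the `meta` choice instead of only pointing at mutual_tls_meta.cpp, which is not part of this view: the commit message says only the `user` type is supported and shows the CN form `user:kawmarco/dev123.facebook.com` mapping to BMC user `kawmarco`, so the option text should say that the CN is split on that form, that only the user part becomes the BMC username, and what happens to the hostname part and to any other type prefix (accepted, ignored, or rejected), since that is what an operator enabling this on a non-Meta build needs to know. Minor style point in the same hunk: the two choices are described in different voices ("Use the Subject CN field ..." vs "Parses the Subject CN ..."); pick one form for both bullets.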