
Commit 24c5284

committed
Remove redundant MW function
1 parent cbec1ef commit 24c5284

1 file changed

Lines changed: 0 additions & 79 deletions


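--- a/authentication/mtls.go
+++ b/authentication/mtls.go
@@ -193,82 +193,3 @@ func (a MTLSAuthenticator) Handler() (string, http.Handler) {
 return "", nil
 }
 
-// PathAwareMiddleware creates a middleware that only enforces mTLS on matching paths
-func (a MTLSAuthenticator) PathAwareMiddleware(pathMatchers []*regexp.Regexp) Middleware {
-return func(next http.Handler) http.Handler {
-return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-// Check if the request path matches any of the configured patterns
-pathMatches := false
-for _, matcher := range pathMatchers {
-if matcher.MatchString(r.URL.Path) {
-pathMatches = true
-break
-}
-}
-
-// If no path matches, skip mTLS enforcement
-if !pathMatches {
-next.ServeHTTP(w, r)
-return
-}
-
-// Path matches, enforce mTLS
-if r.TLS == nil {
-httperr.PrometheusAPIError(w, "mTLS required but no TLS connection", http.StatusBadRequest)
-return
-}
-
-caPool := x509.NewCertPool()
-for _, ca := range a.config.CAs {
-caPool.AddCert(ca)
-}
-
-if len(r.TLS.PeerCertificates) == 0 {
-httperr.PrometheusAPIError(w, "client certificate required for this path", http.StatusUnauthorized)
-return
-}
-
-opts := x509.VerifyOptions{
-Roots: caPool,
-Intermediates: x509.NewCertPool(),
-KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
-}
-
-if len(r.TLS.PeerCertificates) > 1 {
-for _, cert := range r.TLS.PeerCertificates[1:] {
-opts.Intermediates.AddCert(cert)
-}
-}
-
-if _, err := r.TLS.PeerCertificates[0].Verify(opts); err != nil {
-if errors.Is(err, x509.CertificateInvalidError{}) {
-httperr.PrometheusAPIError(w, err.Error(), http.StatusUnauthorized)
-return
-}
-httperr.PrometheusAPIError(w, err.Error(), http.StatusInternalServerError)
-return
-}
-
-var sub string
-switch {
-case len(r.TLS.PeerCertificates[0].EmailAddresses) > 0:
-sub = r.TLS.PeerCertificates[0].EmailAddresses[0]
-case len(r.TLS.PeerCertificates[0].URIs) > 0:
-sub = r.TLS.PeerCertificates[0].URIs[0].String()
-case len(r.TLS.PeerCertificates[0].DNSNames) > 0:
-sub = r.TLS.PeerCertificates[0].DNSNames[0]
-case len(r.TLS.PeerCertificates[0].IPAddresses) > 0:
-sub = r.TLS.PeerCertificates[0].IPAddresses[0].String()
-default:
-httperr.PrometheusAPIError(w, "could not determine subject", http.StatusBadRequest)
-return
-}
-ctx := context.WithValue(r.Context(), subjectKey, sub)
-
-// Add organizational units as groups.
-ctx = context.WithValue(ctx, groupsKey, r.TLS.PeerCertificates[0].Subject.OrganizationalUnit)
-
-next.ServeHTTP(w, r.WithContext(ctx))
-})
-}
-}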
