
Commit fc22eac

authored
Merge pull request #41 from philipgough/mtls-spike
Support path based matching for authenticators
2 parents d7e30d3 + 24c5284 commit fc22eac

6 files changed

Lines changed: 1193 additions & 18 deletions


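--- a/authentication/mtls.go
+++ b/authentication/mtls.go
@@ -8,6 +8,7 @@ import (
 "fmt"
 "net/http"
 "os"
+"regexp"
 
 "github.com/go-kit/log"
 grpc_middleware_auth "github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/auth"
@@ -28,9 +29,11 @@ func init() {
 }
 
 type mTLSConfig struct {
-RawCA []byte `json:"ca"`
-CAPath string `json:"caPath"`
-CAs []*x509.Certificate
+RawCA []byte `json:"ca"`
+CAPath string `json:"caPath"`
+PathPatterns []string `json:"pathPatterns"`
+CAs []*x509.Certificate
+pathMatchers []*regexp.Regexp
 }
 
 type MTLSAuthenticator struct {
@@ -83,6 +86,15 @@ func newMTLSAuthenticator(c map[string]interface{}, tenant string, registrationR
 config.CAs = cas
 }
 
+// Compile path patterns
+for _, pattern := range config.PathPatterns {
+matcher, err := regexp.Compile(pattern)
+if err != nil {
+return nil, fmt.Errorf("failed to compile mTLS path pattern %q: %v", pattern, err)
+}
+config.pathMatchers = append(config.pathMatchers, matcher)
+}
+
 return MTLSAuthenticator{
 tenant: tenant,
 logger: logger,
@@ -93,6 +105,29 @@ func newMTLSAuthenticator(c map[string]interface{}, tenant string, registrationR
 func (a MTLSAuthenticator) Middleware() Middleware {
 return func(next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+// Check if mTLS is required for this path
+if len(a.config.pathMatchers) > 0 {
+pathMatches := false
+for _, matcher := range a.config.pathMatchers {
+if matcher.MatchString(r.URL.Path) {
+pathMatches = true
+break
+}
+}
+
+// If path doesn't match, skip mTLS enforcement
+if !pathMatches {
+next.ServeHTTP(w, r)
+return
+}
+}
+
+// Path matches or no paths configured, enforce mTLS
+if r.TLS == nil {
+httperr.PrometheusAPIError(w, "mTLS required but no TLS connection", http.StatusBadRequest)
+return
+}
+
 caPool := x509.NewCertPool()
 for _, ca := range a.config.CAs {
 caPool.AddCert(ca)
@@ -157,3 +192,4 @@ func (a MTLSAuthenticator) GRPCMiddleware() grpc.StreamServerInterceptor {
 func (a MTLSAuthenticator) Handler() (string, http.Handler) {
 return "", nil
 }
+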
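Review bot: The path check added in Middleware() runs `matcher.MatchString(r.URL.Path)` on the raw, un-normalized path with unanchored patterns, so a request can be routed to a guarded handler without passing the mTLS gate if the downstream router cleans the path differently than it is seen here (a pattern written for `/guarded` does not match `/other/../guarded`, yet a router that applies path.Clean would still serve `/guarded`); whether that happens depends on the router, which is outside this diff. Matching on a cleaned path narrows the gap, `if matcher.MatchString(path.Clean(r.URL.Path)) {` (with `"path"` imported), and operators should be told to anchor their patterns. The new `PathPatterns` field in mTLSConfig has no doc comment; I would add `// PathPatterns are RE2 regexps matched as substrings of the request path; anchor with ^ and $ to match a route exactly. Empty means mTLS is enforced on every path.` Relatedly, the compile loop in newMTLSAuthenticator wraps the regexp error with `%v`; `%w` keeps it inspectable with errors.As. The handler body in Middleware continues outside the hunk.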
