
Fixes 500 error when using PKI authentication with an incomplete certificate chain #86700

Merged
merged 5 commits into from
Jan 6, 2021

Conversation

jportner
Contributor

Fixes #77121.

@jportner jportner marked this pull request as ready for review December 22, 2020 15:20
@jportner jportner requested a review from a team as a code owner December 22, 2020 15:20
@azasypkin
Member

ACK: will review tomorrow

@azasypkin azasypkin self-requested a review December 28, 2020 14:08
Member

@azasypkin azasypkin left a comment


Code LGTM, but I didn't manage to reproduce this issue in 7.9.3 locally (either I messed up with the certificates somehow or the behavior is different on Linux). Would you mind sharing the temp certificates you used to test this?

valid_to: validTo,
} = peerCertificate;

let issuerCertType: string;
Member


nit: would you mind adding a comment here explaining why we do this and what every "type" means?

Contributor Author


Done in f2c3f3c.

FWIW, I don't think there is ever a case where a peer certificate has a null issuerCertificate value. At least, I haven't been able to reproduce that locally.

However, the way the getCertificateChain method was written previously, if the authentication process made it to this step and the peer certificate was valid but had a null issuerCertificate value, Kibana would allow the authentication attempt to proceed. I didn't want to change that behavior and potentially introduce a regression, but I can't be sure if we would encounter a null value or not, seeing as we are encountering undefined values when we shouldn't be.
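As an added illustration of the three shapes of `issuerCertificate` discussed in this thread (this is example code, not Kibana's implementation or the change in this PR), the walk below treats an incomplete chain as a normal, reportable outcome rather than an error that would surface as an HTTP 500. The `PeerCert` type, `collectCertificateChain` function, and the CN and fingerprint values are constructed stand-ins for Node's `tls.DetailedPeerCertificate`.

```typescript
// Added example, not Kibana's code: walk a Node.js TLS peer certificate chain
// while tolerating an incomplete chain instead of throwing.
// PeerCert mirrors only the fields of tls.DetailedPeerCertificate used here.
interface PeerCert {
  subject: { CN: string };
  fingerprint256: string;
  // Node.js points this at the certificate itself for a self-signed root;
  // it is undefined when the issuer is not available, and we also guard for null.
  issuerCertificate?: PeerCert | null;
}

type StopReason = 'self-signed root' | 'undefined' | 'null' | 'cycle';

interface ChainResult {
  fingerprints: string[]; // leaf first, highest reachable certificate last
  complete: boolean;      // true only when the walk ended at a self-signed root
  stoppedAt: StopReason;
}

function collectCertificateChain(peer: PeerCert): ChainResult {
  const fingerprints: string[] = [];
  const seen = new Set<PeerCert>();
  let cert: PeerCert = peer;
  for (;;) {
    seen.add(cert);
    fingerprints.push(cert.fingerprint256);
    const issuer = cert.issuerCertificate;
    // The issuerCertificate field takes one of three kinds of value:
    if (issuer === undefined) return { fingerprints, complete: false, stoppedAt: 'undefined' };
    if (issuer === null) return { fingerprints, complete: false, stoppedAt: 'null' };
    if (issuer === cert) return { fingerprints, complete: true, stoppedAt: 'self-signed root' };
    // A cycle that is not a plain self-reference is malformed input; stop rather than loop forever.
    if (seen.has(issuer)) return { fingerprints, complete: false, stoppedAt: 'cycle' };
    cert = issuer; // an ordinary object: keep walking up the chain
  }
}

// Constructed sample certificates (fingerprints are placeholders, not real hashes).
const sampleRoot: PeerCert = { subject: { CN: 'Example Root CA' }, fingerprint256: 'ROOT_FP' };
sampleRoot.issuerCertificate = sampleRoot; // self-signed, as Node.js represents it
const sampleIntermediate: PeerCert = { subject: { CN: 'Example Intermediate CA' }, fingerprint256: 'INT_FP', issuerCertificate: sampleRoot };
const sampleLeaf: PeerCert = { subject: { CN: 'client' }, fingerprint256: 'LEAF_FP', issuerCertificate: sampleIntermediate };
// Incomplete chain: the client sent only its leaf and the intermediate is not in the server's trust store.
const sampleOrphanLeaf: PeerCert = { subject: { CN: 'client' }, fingerprint256: 'LEAF_FP', issuerCertificate: undefined };

console.log(collectCertificateChain(sampleLeaf));       // 3 fingerprints, complete: true
console.log(collectCertificateChain(sampleOrphanLeaf)); // 1 fingerprint, stoppedAt: 'undefined'
```

The `stoppedAt` value lets the caller decide the policy for a null or undefined issuer separately from a genuine root, which is the distinction the discussion above turns on.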

@jportner
Contributor Author

jportner commented Jan 5, 2021

@elasticmachine merge upstream

@kibanamachine
Contributor

💚 Build Succeeded

Metrics [docs]

Distributable file count

id       before   after   diff
default  47253    48013   +760

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

Member

@azasypkin azasypkin left a comment


Looks great, thanks! Used your certificates to confirm the error in 7.9 and that the issue doesn't happen now.

valid_to: validTo,
} = peerCertificate;

// The issuerCertificate field can be three different values:
Member


❤️

@jportner jportner merged commit e68d9f3 into elastic:master Jan 6, 2021
@jportner jportner deleted the issue-77121-improve-delegated-pki branch January 6, 2021 14:00
jportner added a commit to jportner/kibana that referenced this pull request Jan 6, 2021
…ificate chain (elastic#86700)

# Conflicts:
#	x-pack/plugins/security/server/authentication/providers/pki.ts
jportner added a commit that referenced this pull request Jan 6, 2021
Development

Successfully merging this pull request may close these issues.

Make delegated PKI authentication more robust
3 participants