embed: requests for grpc gateway must have empty CN if --client-cert-auth is passed

This commit lets grpc gateway return a correct error to clients.

Even if a client has a cert with a non-empty CN, the current gateway returns
an error like the one below:
```
$ curl --cacert ./integration/fixtures/ca.crt --cert ./integration/fixtures/server.crt --key ./integration/fixtures/server.key.insecure https://localhost:2379/v3/kv/put -X POST -d '{"key": "fromcurl", "value": "test"}'
{"error":"etcdserver: user name is empty","code":3}
```
This is because etcd ignores CN from gateway connection.

The error will be like this:
```
$ curl --cacert ./integration/fixtures/ca.crt --cert ./integration/fixtures/server.crt --key ./integration/fixtures/server.key.insecure https://localhost:2379/v3/kv/put -X POST -d '{"key": "fromcurl", "value": "test"}'
CommonName of client sending a request against gateway will be ignored and not used as expected
```

The error will be returned if the server is enabling auth and gRPC
gateway.
Hitoshi Mitake 2019-01-03 19:36:37 +09:00
parent 72dd4a18c5
commit 11fb62ecb4


@ -331,6 +331,17 @@ func (ac *accessController) ServeHTTP(rw http.ResponseWriter, req *http.Request)
http.Error(rw, errCVE20185702(host), 421)
return
}
} else if ac.s.Cfg.ClientCertAuthEnabled && ac.s.Cfg.EnableGRPCGateway &&
ac.s.AuthStore().IsAuthEnabled() && strings.HasPrefix(req.URL.Path, "/v3/") {
for _, chains := range req.TLS.VerifiedChains {
if len(chains) < 1 {
continue
}
if len(chains[0].Subject.CommonName) != 0 {
http.Error(rw, "CommonName of client sending a request against gateway will be ignored and not used as expected", 400)
return
}
}
}
// Write CORS header.