From bf9d0d8291dc71ecbfb2690612954e1a298154b2 Mon Sep 17 00:00:00 2001
From: Sam Batschelet
Date: Wed, 2 Jan 2019 15:54:40 -0500
Subject: [PATCH] auth: disable CommonName auth for gRPC-gateway

Signed-off-by: Sam Batschelet
---
 auth/store.go | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/auth/store.go b/auth/store.go
index b3e346b92..2e95e0c16 100644
--- a/auth/store.go
+++ b/auth/store.go
@@ -1166,6 +1166,27 @@ func (as *authStore) AuthInfoFromTLS(ctx context.Context) (ai *AuthInfo) {
 		Username: chains[0].Subject.CommonName,
 		Revision: as.Revision(),
 	}
+	md, ok := metadata.FromIncomingContext(ctx)
+	if !ok {
+		return nil
+	}
+
+	// gRPC-gateway proxy request to etcd server includes Grpcgateway-Accept
+	// header. The proxy uses etcd client server certificate. If the certificate
+	// has a CommonName we should never use this for authentication.
+	if gw := md["grpcgateway-accept"]; len(gw) > 0 {
+		if as.lg != nil {
+			as.lg.Warn(
+				"ignoring common name in gRPC-gateway proxy request",
+				zap.String("common-name", ai.Username),
+				zap.String("user-name", ai.Username),
+				zap.Uint64("revision", ai.Revision),
+			)
+		} else {
+			plog.Warningf("ignoring common name in gRPC-gateway proxy request %s", ai.Username)
+		}
+		return nil
+	}
 	if as.lg != nil {
 		as.lg.Debug(
 			"found command name",
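Review bot: The guard `if gw := md["grpcgateway-accept"]; len(gw) > 0` keys a security decision on a header that the gateway presumably only forwards when the HTTP client itself sent `Accept`, so a gateway request without that header would still be authenticated as the gateway certificate's CommonName; if relying on the client-supplied header is accepted, the comment should state that limitation, otherwise a signal the gateway always sets would be a safer discriminator. The earlier `if !ok { return nil }` also changes behavior for a TLS connection that carries no incoming metadata at all, which previously still yielded the CommonName identity; worth confirming that is intended for non-gateway callers. The zap call logs `ai.Username` under both `common-name` and `user-name`, so one of the two fields is redundant. AuthInfoFromTLS starts before and continues after the hunk.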