mutual-tls: Add support for Meta certificates
Meta Inc's client certificates use an internal Subject CN format
which AFAIK is specific to Meta and don't adhere to a known standard:
Subject: CN = <type>:<entity>/<hostname>
Commit adds the `mutual-tls-common-name-parsing=meta` option to, on
Meta builds, parse the Subject CN field and map either the <entity>
to a local user.
The <type> field determines what kind of client identity the cert
represents. Only type="user" is supported for now with <entity> being
the unixname of a Meta employee. For example, the Subject CN string
below maps to a local BMC user named "kawmarco":
Subject CN = "user:kawmarco/dev123.facebook.com"
Tested: Unit tests, built and tested on romulus using the script below:
https://gist.github.com/kawmarco/87170a8250020023d913ed5f7ed5c01f
Flags used in meta-ibm/meta-romulus/conf/layer.conf :
```
-Dbmcweb-logging='enabled'
-Dmutual-tls-common-name-parsing='meta'
```
Change-Id: I35ee9b92d163ce56815a5bd9cce5296ba1a44eef
Signed-off-by: Marco Kawajiri <kawajiri@meta.com>
diff --git a/http/mutual_tls.hpp b/http/mutual_tls.hpp
index 64bcd49..1620054 100644
--- a/http/mutual_tls.hpp
+++ b/http/mutual_tls.hpp
@@ -1,6 +1,7 @@
#pragma once
#include "logging.hpp"
+#include "mutual_tls_meta.hpp"
#include "persistent_data.hpp"
#include <openssl/crypto.h>
@@ -88,6 +89,19 @@
return nullptr;
}
sslUser.resize(lastChar);
+
+ // Meta Inc. CommonName parsing
+ if (bmcwebMTLSCommonNameParsingMeta)
+ {
+ std::optional<std::string_view> sslUserMeta =
+ mtlsMetaParseSslUser(sslUser);
+ if (!sslUserMeta)
+ {
+ return nullptr;
+ }
+ sslUser = *sslUserMeta;
+ }
+
std::string unsupportedClientId;
return persistent_data::SessionStore::getInstance().generateUserSession(
sslUser, clientIp, unsupportedClientId,