mutual-tls: Add support for Meta certificates
Meta Inc's client certificates use an internal Subject CN format
which AFAIK is specific to Meta and doesn't adhere to a known standard:
Subject: CN = <type>:<entity>/<hostname>
Commit adds the `mutual-tls-common-name-parsing=meta` option to, on
Meta builds, parse the Subject CN field and map the <entity>
to a local user.
The <type> field determines what kind of client identity the cert
represents. Only type="user" is supported for now with <entity> being
the unixname of a Meta employee. For example, the Subject CN string
below maps to a local BMC user named "kawmarco":
Subject CN = "user:kawmarco/dev123.facebook.com"
Tested: Unit tests, built and tested on romulus using the script below:
https://gist.github.com/kawmarco/87170a8250020023d913ed5f7ed5c01f
Flags used in meta-ibm/meta-romulus/conf/layer.conf :
```
-Dbmcweb-logging='enabled'
-Dmutual-tls-common-name-parsing='meta'
```
Change-Id: I35ee9b92d163ce56815a5bd9cce5296ba1a44eef
Signed-off-by: Marco Kawajiri <kawajiri@meta.com>
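The CN format described above, as an added stand-alone example that is not bmcweb's own `mutual_tls_meta.hpp` parser (the function name `parseMetaSslUser` is made up here). It splits `<type>:<entity>[/<hostname>]`, maps only `type == "user"`, and returns `<entity>` for the local user lookup. The character-set rules, the requirement that an entity start with a letter or underscore, and the rejection of a trailing `/` with no hostname are assumptions made for this example, chosen so that nothing containing a delimiter, a path component or whitespace can be returned as an account name:

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <optional>
#include <string>
#include <string_view>

// Added example, not bmcweb's mtlsMetaParseSslUser. Parses the Meta client
// certificate CN format from the commit message:
//     <type>:<entity>[/<hostname>]
// Only type "user" is mapped; the returned value is <entity>, which the
// caller would look up as a local account. Character rules are assumptions:
// <entity> is limited to a POSIX-style username alphabet and <hostname> to
// DNS label characters, so '/', ':' and whitespace can never be returned.

namespace
{

bool isEntityChar(unsigned char c)
{
    return std::isalnum(c) != 0 || c == '_' || c == '-' || c == '.';
}

bool isHostnameChar(unsigned char c)
{
    return std::isalnum(c) != 0 || c == '-' || c == '.';
}

} // namespace

std::optional<std::string> parseMetaSslUser(std::string_view cn)
{
    // Split on the first ':' into <type> and the remainder.
    const std::size_t colon = cn.find(':');
    if (colon == std::string_view::npos)
    {
        return std::nullopt; // "" or "ijslakd": no type separator at all
    }
    const std::string_view type = cn.substr(0, colon);
    const std::string_view rest = cn.substr(colon + 1);

    // Unsupported identity types (svc, host, ...) are rejected outright,
    // even when the rest of the CN is well-formed.
    if (type != "user")
    {
        return std::nullopt;
    }

    // Split the remainder on the first '/' into <entity> and optional <hostname>.
    const std::size_t slash = rest.find('/');
    const std::string_view entity = rest.substr(0, slash);
    if (entity.empty())
    {
        return std::nullopt; // "user:", "user:/", "user:/hostname.facebook.com"
    }
    for (unsigned char c : entity)
    {
        if (!isEntityChar(c))
        {
            return std::nullopt; // rejects ' ', ':', '/' and control characters
        }
    }
    // Assumption: an entity starts with a letter or underscore, so that
    // ".", ".." or "-flag" can never be handed to the account lookup.
    const unsigned char first = static_cast<unsigned char>(entity[0]);
    if (std::isalpha(first) == 0 && first != '_')
    {
        return std::nullopt;
    }

    if (slash != std::string_view::npos)
    {
        const std::string_view hostname = rest.substr(slash + 1);
        // Assumption: a '/' must be followed by a non-empty hostname;
        // "user:kawajiri/" is treated as malformed rather than hostname-less.
        if (hostname.empty())
        {
            return std::nullopt;
        }
        for (unsigned char c : hostname)
        {
            if (!isHostnameChar(c))
            {
                return std::nullopt; // rejects spaces and a second '/'
            }
        }
    }

    return std::string(entity);
}

int main()
{
    // Constructed sample CNs mirroring the commit's description.
    for (std::string_view cn : {"user:kawmarco/dev123.facebook.com", "user:kawajiri",
                                "svc:kawajiri/hostname.facebook.com", "user: space/h"})
    {
        std::optional<std::string> user = parseMetaSslUser(cn);
        std::cout << cn << " -> " << (user ? *user : "<rejected>") << '\n';
    }
    return 0;
}
```

The strictness is deliberate: the returned string is the key for a local BMC account lookup, so the parser is the one place where a certificate issued for a service or host, or a CN carrying path or delimiter characters, must be turned away before any account is consulted.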
diff --git a/test/http/mutual_tls_meta.cpp b/test/http/mutual_tls_meta.cpp
new file mode 100644
index 0000000..5f32cb5
--- /dev/null
+++ b/test/http/mutual_tls_meta.cpp
@@ -0,0 +1,49 @@
+#include "http/mutual_tls_meta.hpp"
+
+#include <gtest/gtest.h> // IWYU pragma: keep
+
+namespace redfish
+{
+namespace
+{
+
+TEST(MetaParseSslUser, userTest)
+{
+ std::string sslUser = "user:kawajiri/hostname.facebook.com";
+ EXPECT_EQ(mtlsMetaParseSslUser(sslUser), "kawajiri");
+}
+
+TEST(MetaParseSslUser, userNohostnameTest)
+{
+ // hostname is optional
+ std::string sslUser = "user:kawajiri";
+ EXPECT_EQ(mtlsMetaParseSslUser(sslUser), "kawajiri");
+}
+
+TEST(MetaParseSslUser, invalidUsers)
+{
+ std::vector<std::string> invalidSslUsers = {
+ "",
+ ":",
+ ":/",
+ "ijslakd",
+ "user:",
+ "user:/",
+ "user:/hostname.facebook.com",
+ "user:/hostname.facebook.c om",
+ "user: space/hostname.facebook.com",
+ "svc:",
+ "svc:/",
+ "svc:/hostname.facebook.com",
+ "host:/",
+ "host:unexpected_user/",
+ };
+
+ for (const std::string& sslUser : invalidSslUsers)
+ {
+ EXPECT_EQ(mtlsMetaParseSslUser(sslUser), std::nullopt);
+ }
+}
+
+} // namespace
+} // namespace redfish
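Review bot: the invalidUsers list in this hunk never contains a well-formed CN of an unsupported type with a non-empty entity; every `svc:` and `host:` entry has an empty entity or a trailing `/`, so a parser that ignored `<type>` and only validated `<entity>` would still pass this test. Add a case such as `"svc:kawajiri/hostname.facebook.com"` (and `"host:hostname.facebook.com"`) to pin down that only type "user" is mapped, plus `"user:kawajiri/"` and `"user:kawajiri/a/b"` to fix the intended behaviour for a trailing or repeated `/`. The file also uses std::vector, std::string and std::nullopt without including `<vector>`, `<string>` or `<optional>`, relying on whatever mutual_tls_meta.hpp pulls in transitively.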