Add: client authorization on endpoints #1521

Merged
merged 2 commits into from
Nov 6, 2023

nichtsfrei
Member

@nichtsfrei nichtsfrei commented Oct 31, 2023

To prevent a registered client from seeing the results
or scans of another client, a differentiation factor
is introduced.

The scans and results will now be stored as a u64->information and the
key is either calculated from the used client certificate or, when openvasd
is started without client certificates, from the used API key.

When both client certificates and the API key are configured, then the client
certificates are used.

When neither is configured the scans endpoints are unreachable.

SC-949 SC-950

@nichtsfrei nichtsfrei force-pushed the rs-mtls-authenticator branch 2 times, most recently from 6f9f409 to 7c85b84 Compare October 31, 2023 20:49
@nichtsfrei nichtsfrei changed the title WIP: Add: client authorization on endpoints Add: client authorization on endpoints Oct 31, 2023
@nichtsfrei nichtsfrei force-pushed the rs-mtls-authenticator branch 4 times, most recently from 23121ff to bccfe22 Compare November 2, 2023 14:06
@nichtsfrei nichtsfrei marked this pull request as ready for review November 2, 2023 14:07
@nichtsfrei nichtsfrei requested a review from a team as a code owner November 2, 2023 14:07
@nichtsfrei nichtsfrei force-pushed the rs-mtls-authenticator branch 3 times, most recently from 6c1828c to 7f82b92 Compare November 3, 2023 11:07
To prevent a registered client from seeing the results
or scans of another client, a differentiation factor
is introduced.

The scans and results will now be stored as a u64->information and the
key is either calculated from the used client certificate or, when openvasd
is started without client certificates, from the used API key.

When both client certificates and the API key are configured, then the client
certificates are used.

When neither is configured the scans endpoints are unreachable.
@nichtsfrei nichtsfrei force-pushed the rs-mtls-authenticator branch from 7f82b92 to b606c95 Compare November 3, 2023 11:13
When client certificates are enabled, then it must not be possible to
test a network by using the API-Key.

To disable that, the API-Key is disabled when client certificates are
enabled and a warning is printed.
@nichtsfrei nichtsfrei merged commit 6af3aab into main Nov 6, 2023
28 checks passed
@nichtsfrei nichtsfrei deleted the rs-mtls-authenticator branch November 6, 2023 17:00
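
The isolation rule described in this pull request, as an added Rust example that is not openvasd's own code. `AuthConfig`, `Presented`, `ScanStore` and the use of `DefaultHasher` to derive the u64 key are assumptions for illustration; the page does not say how the key is calculated.

```rust
use std::collections::hash_map::DefaultHasher;
use std::collections::HashMap;
use std::hash::{Hash, Hasher};

// Hypothetical types; openvasd's real ones are not shown on this page.
struct AuthConfig { client_certs: bool, api_key: Option<String> }
enum Presented<'a> { Cert(&'a [u8]), ApiKey(&'a str), Nothing }
type ClientId = u64;

// Assumption: DefaultHasher stands in for the real (unstated) key derivation.
fn digest(bytes: &[u8]) -> ClientId {
    let mut h = DefaultHasher::new();
    bytes.hash(&mut h);
    h.finish()
}

/// Returns None when the scan endpoints must be unreachable for this request.
fn client_id(cfg: &AuthConfig, p: &Presented<'_>) -> Option<ClientId> {
    match (cfg.client_certs, &cfg.api_key, p) {
        // Certificates enabled: only a certificate identifies a client.
        (true, _, Presented::Cert(der)) => Some(digest(der)),
        // Certificates enabled: the API key is disabled, even if configured.
        (true, _, _) => None,
        // No certificates: fall back to the configured API key.
        (false, Some(k), Presented::ApiKey(s)) if k.as_str() == *s => Some(digest(s.as_bytes())),
        // Neither configured, or a wrong or missing credential.
        _ => None,
    }
}

/// Scans stored as ClientId -> (scan id -> result), so lookups are scoped to the caller.
#[derive(Default)]
struct ScanStore { scans: HashMap<ClientId, HashMap<String, String>> }

impl ScanStore {
    fn insert(&mut self, owner: ClientId, scan_id: &str, result: &str) {
        self.scans.entry(owner).or_default().insert(scan_id.into(), result.into());
    }
    fn get(&self, caller: ClientId, scan_id: &str) -> Option<&String> {
        self.scans.get(&caller)?.get(scan_id)
    }
}

fn main() {
    let cfg = AuthConfig { client_certs: true, api_key: Some("constructed-key".into()) };
    let a = client_id(&cfg, &Presented::Cert(&b"constructed cert A"[..])).unwrap();
    let mut store = ScanStore::default();
    store.insert(a, "scan-1", "results for A");
    println!("{:?} {:?}", store.get(a, "scan-1"), client_id(&cfg, &Presented::ApiKey("constructed-key")));
}
```

Because the caller's id is the outer map key, a request for another client's scan id fails the same way as a request for a scan that does not exist.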