Add configuration for custom path segment

To support SCEP clients that expect a specific path segment in
a SCEP URL, a new "customPath" option was added to the SCEP
provisioner configuration. The configuration can be used to set
a specific path (segment) that the SCEP provisioner will respond to.
This commit is contained in:
Herman Slatman 2022-03-07 13:16:53 +01:00
parent ea454f9dfc
commit a3cda9c3d7
No known key found for this signature in database
GPG key ID: F4D8A44EA0A75A4F
2 changed files with 27 additions and 4 deletions


@ -27,6 +27,14 @@ type SCEP struct {
// at https://github.com/mozilla-services/pkcs7/blob/33d05740a3526e382af6395d3513e73d4e66d1cb/encrypt.go#L63 // at https://github.com/mozilla-services/pkcs7/blob/33d05740a3526e382af6395d3513e73d4e66d1cb/encrypt.go#L63
// Defaults to 0, being DES-CBC // Defaults to 0, being DES-CBC
EncryptionAlgorithmIdentifier int `json:"encryptionAlgorithmIdentifier,omitempty"` EncryptionAlgorithmIdentifier int `json:"encryptionAlgorithmIdentifier,omitempty"`
// CustomPath is used to specify a custom path on which the SCEP provisioner will be made
// available. By default a SCEP provisioner is available at
// https://<address>:<port>/scep/<provisionerName> and requests performed looking similar
// to https://<address>:<port>/scep/<provisionerName>?operations=GetCACert. When CustomPath
// is set, the SCEP URL will be https://<address>:<port>/scep/<provisionerName>/<customPath>,
// resulting in SCEP clients that expect a specific path, such as "/pkiclient.exe", to be
// able to interact with the SCEP provisioner.
CustomPath string `json:"customPath,omitempty"`
Options *Options `json:"options,omitempty"` Options *Options `json:"options,omitempty"`
Claims *Claims `json:"claims,omitempty"` Claims *Claims `json:"claims,omitempty"`
claimer *Claimer claimer *Claimer
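Review bot: The CustomPath doc comment does not say how the value is matched against the request, which a configuration author needs to know when choosing a value such as "/pkiclient.exe": the handler in this commit trims leading and trailing slashes from the configured value and then requires an exact, case-sensitive string match with the path segment the client sent. Suggest appending to the comment: `// Leading and trailing slashes in CustomPath are ignored; the remaining value must match the requested segment exactly (case-sensitive).` It also appears worth stating that, once CustomPath is set, requests to the bare /scep/<provisionerName> URL are rejected rather than served, since an empty segment no longer equals the configured one.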


@ -66,7 +66,9 @@ func New(scepAuth scep.Interface) api.RouterHandler {
// Route traffic and implement the Router interface. // Route traffic and implement the Router interface.
func (h *Handler) Route(r api.Router) { func (h *Handler) Route(r api.Router) {
getLink := h.Auth.GetLinkExplicit getLink := h.Auth.GetLinkExplicit
r.MethodFunc(http.MethodGet, getLink("{provisionerName}/{customPath}*", false, nil), h.lookupProvisioner(h.Get))
r.MethodFunc(http.MethodGet, getLink("{provisionerName}", false, nil), h.lookupProvisioner(h.Get)) r.MethodFunc(http.MethodGet, getLink("{provisionerName}", false, nil), h.lookupProvisioner(h.Get))
r.MethodFunc(http.MethodPost, getLink("{provisionerName}/{customPath}*", false, nil), h.lookupProvisioner(h.Post))
r.MethodFunc(http.MethodPost, getLink("{provisionerName}", false, nil), h.lookupProvisioner(h.Post)) r.MethodFunc(http.MethodPost, getLink("{provisionerName}", false, nil), h.lookupProvisioner(h.Post))
} }
@ -191,6 +193,13 @@ func (h *Handler) lookupProvisioner(next nextHTTP) nextHTTP {
return return
} }
customPathParam := chi.URLParam(r, "customPath")
customPath, err := url.PathUnescape(customPathParam)
if err != nil {
api.WriteError(w, err)
return
}
p, err := h.Auth.LoadProvisionerByName(provisionerName) p, err := h.Auth.LoadProvisionerByName(provisionerName)
if err != nil { if err != nil {
api.WriteError(w, err) api.WriteError(w, err)
@ -203,6 +212,12 @@ func (h *Handler) lookupProvisioner(next nextHTTP) nextHTTP {
return return
} }
configuredCustomPath := strings.Trim(prov.CustomPath, "/")
if customPath != configuredCustomPath {
api.WriteError(w, errors.Errorf("custom path requested '%s' is not the expected path '%s'", customPath, configuredCustomPath))
return
}
ctx := r.Context() ctx := r.Context()
ctx = context.WithValue(ctx, scep.ProvisionerContextKey, scep.Provisioner(prov)) ctx = context.WithValue(ctx, scep.ProvisionerContextKey, scep.Provisioner(prov))
next(w, r.WithContext(ctx)) next(w, r.WithContext(ctx))
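Review bot: The custom-path check in the third hunk compares only the `customPath` URL parameter, but the routes registered in the first hunk end in `{customPath}*`, so whatever the trailing wildcard captures after that segment is never validated; if chi's `*` acts as a catch-all here, a request for `/<provisionerName>/<customPath>/anything` would pass the comparison and be handed to the provisioner as if it had used the configured path. Unless the wildcard is deliberately there to tolerate a trailing slash, the simplest fix is to drop it from both routes, `getLink("{provisionerName}/{customPath}", false, nil)`; otherwise also reject a non-empty `chi.URLParam(r, "*")` before calling next. Separately, the error at that check embeds the client-supplied path with `'%s'`; `%q` would quote and escape it, and the mismatch reads more like a 404/400 than whatever status `api.WriteError` assigns to a plain error. The closure returned by lookupProvisioner starts before these hunks, so the earlier parameter handling is not visible here.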