Enable TLS in vault

agroal · Aug 4, 2024 · d8e2346 · d8e2346
1 parent bb3253a
commit d8e2346
Show file tree

Hide file tree

Showing 11 changed files with 336 additions and 77 deletions.
diff --git a/doc/VAULT.md b/doc/VAULT.md
@@ -41,6 +41,10 @@ The available keys and their accepted values are reported in the table below.
 | log_connections | `off` | Bool | No | Log connects |
 | log_disconnections | `off` | Bool | No | Log disconnects |
 | hugepage | `try` | String | No | Huge page support (`off`, `try`, `on`) |
+| tls | `off` | Bool | No | Enable Transport Layer Security (TLS) |
+| tls_cert_file | | String | No | Certificate file for TLS. This file must be owned by either the user running pgagroal or root. |
+| tls_key_file | | String | No | Private key file for TLS. This file must be owned by either the user running pgagroal or root. Additionally permissions must be at least `0640` when owned by root or `0600` otherwise. |
+| tls_ca_file | | String | No | Certificate Authority (CA) file for TLS. This file must be owned by either the user running pgagroal or root.  |
 
 ## [main]
 

diff --git a/doc/man/pgagroal_vault.conf.5.rst b/doc/man/pgagroal_vault.conf.5.rst
@@ -89,6 +89,18 @@ authentication_timeout
 hugepage
   Huge page support. Default is try
 
+tls
+  Enable Transport Layer Security (TLS). Default is false. Changes require restart in the server section.
+
+tls_cert_file
+  Certificate file for TLS. Changes require restart in the server section.
+
+tls_key_file
+  Private key file for TLS. Changes require restart in the server section.
+
+tls_ca_file
+  Certificate Authority (CA) file for TLS. Changes require restart in the server section.
+
 The options for the main section are
 
 host

diff --git a/doc/manual/user-12-vault.md b/doc/manual/user-12-vault.md
@@ -43,6 +43,10 @@ The available keys and their accepted values are reported in the table below.
 | log_disconnections | `off` | Bool | No | Log disconnects |
 | authentication_timeout | 5 | Int | No | The number of seconds the process will wait for valid credentials |
 | hugepage | `try` | String | No | Huge page support (`off`, `try`, `on`) |
+| tls | `off` | Bool | No | Enable Transport Layer Security (TLS) |
+| tls_cert_file | | String | No | Certificate file for TLS. This file must be owned by either the user running pgagroal or root. |
+| tls_key_file | | String | No | Private key file for TLS. This file must be owned by either the user running pgagroal or root. Additionally permissions must be at least `0640` when owned by root or `0600` otherwise. |
+| tls_ca_file | | String | No | Certificate Authority (CA) file for TLS. This file must be owned by either the user running pgagroal or root.  |
 
 ## [main]
 

diff --git a/doc/tutorial/06_tls.md b/doc/tutorial/06_tls.md
@@ -0,0 +1,122 @@
+## Creating Certificates
+
+This tutorial will show you how to create self-signed certificate for the server, valid for 365 days, use the following OpenSSL command, replacing `dbhost.yourdomain.com` with the server's host name, here `localhost`:
+
+```
+openssl req -new -x509 -days 365 -nodes -text -out server.crt \
+  -keyout server.key -subj "/CN=dbhost.yourdomain.com"
+```
+
+then do -
+
+```
+chmod og-rwx server.key
+```
+
+because the server will reject the file if its permissions are more liberal than this. For more details on how to create your server private key and certificate, refer to the OpenSSL documentation.
+
+For the purpose of this tutorial we will assume the client certificate and key same as the server certificate and server key and therefore, these equations always holds -
+
+`</path/to/client.crt>` = `</path/to/server.crt>` \
+`</path/to/client.key>` = `</path/to/server.key>` \
+`</path/to/server_root_ca.crt>` = `</path/to/server.crt>` \
+`</path/to/client_root_ca.crt>` = `</path/to/server_root_ca.crt>`
+
+## TLS in `pgagroal`
+
+This tutorial will show you how to enable tls between `client` and [**pgagroal**](https://github.com/agroal/pgagroal).
+
+### Preface
+
+This tutorial assumes that you have already an installation of PostgreSQL 12 (or higher) and [**pgagroal**](https://github.com/agroal/pgagroal).
+
+In particular, this tutorial refers to the configuration done in [Install pgagroal](https://github.com/pgagroal/pgagroal/blob/master/doc/tutorial/01_install.md).
+
+### Modify the `pgagroal` configuration
+
+It is now time to modify the [pgagroal] section of configration file `/etc/pgagroal/pgagroal_vault.conf`, with your editor of choice by adding the following lines in the [pgagroal] section.
+
+```
+tls = on
+tls_cert_file = </path/to/server.crt>
+tls_key_file = </path/to/server.key>
+```
+
+#### Only Server Authentication
+
+If you wish to do only server authentication the aforementioned configuration suffice.
+
+**Client Request**
+
+```
+PGSSLMODE=verify-full PGSSLROOTCERT=</path/to/server_root_ca.crt> psql -h localhost -p 2345 -U <postgres_user> <postgres_database>
+```
+
+
+#### Full Client and Server Authentication
+
+TO enable server to request for client certificates add another configuration line below the tls 
+
+```
+tls = on
+tls_cert_file = </path/to/server.crt>
+tls_key_file = </path/to/server.key>
+tls_ca_file = </path/to/client_root_ca.crt>
+```
+
+**Client Request**
+
+```
+PGSSLMODE=verify-full PGSSLCERT=</path/to/client.crt> PGSSLKEY=</path/to/client.key> PGSSLROOTCERT=</path/to/server_root_ca.crt> psql -h localhost -p 2345 -U <postgres_user> <postgres_database>
+```
+
+## TLS in `pgagroal-vault`
+
+This tutorial will show you how to enable tls between [**pgagroal-vault**](https://github.com/agroal/pgagroal) and the client (`curl`).
+
+### Preface
+
+This tutorial assumes that you have already an installation of PostgreSQL 12 (or higher) and [**pgagroal**](https://github.com/agroal/pgagroal).
+
+This tutorial aslo assumes that you have a functional [**pgagroal-vault**](https://github.com/agroal/pgagroal)
+
+In particular, this tutorial refers to the configuration done in [Install pgagroal](https://github.com/pgagroal/pgagroal/blob/master/doc/tutorial/01_install.md) and the configuration done in [Setup pgagroal-vault](https://github.com/pgagroal/pgagroal/blob/master/doc/tutorial/07_vault.md).
+
+### Modify the `pgagroal-vault` configuration
+
+It is now time to modify the [pgagroal-vault] section of configration file `/etc/pgagroal/pgagroal_vault.conf`, with your editor of choice by adding the following lines in the [pgagroal-vault] section.
+
+```
+tls = on
+tls_cert_file = </path/to/server.crt>
+tls_key_file = </path/to/server.key>
+```
+
+This will add TLS support to the server alongside the standard `http` endpoint, allowing clients to make requests to either the `https` or `http` endpoint.
+
+#### Only Server Authentication
+
+If you wish to do only server authentication the aforementioned configuration suffice.
+
+**Client Request**
+
+```
+curl --cacert </path/to/server_root_ca.crt> -i https://localhost:2500/users/<frontend_user>
+```
+
+#### Full Client and Server Authentication
+
+TO enable server to request for client certificates add another configuration line below the tls 
+
+```
+tls = on
+tls_cert_file = </path/to/server.crt>
+tls_key_file = </path/to/server.key>
+tls_ca_file = </path/to/client_root_ca.crt>
+```
+
+**Client Request**
+
+```
+curl --cert </path/to/client.crt> --key </path/to/client.key> --cacert </path/to/server_root_ca.crt> -i https://localhost:2500/users/<frontend_user>
+```
diff --git a/doc/tutorial/06_vault.md → doc/tutorial/07_vault.md b/doc/tutorial/06_vault.md → doc/tutorial/07_vault.md
diff --git a/src/include/pgagroal.h b/src/include/pgagroal.h
@@ -463,6 +463,11 @@ struct configuration
    atomic_schar log_lock;              /**< The logging lock */
    char default_log_path[MISC_LENGTH]; /**< The default logging path */
 
+   // TLS support
+   bool tls;                        /**< Is TLS enabled */
+   char tls_cert_file[MISC_LENGTH]; /**< TLS certificate path */
+   char tls_key_file[MISC_LENGTH];  /**< TLS key path */
+   char tls_ca_file[MISC_LENGTH];   /**< TLS CA certificate path */
    // Prometheus
    unsigned char hugepage;              /**< Huge page support */
    int metrics;                         /**< The metrics port */
@@ -508,11 +513,6 @@ struct main_configuration
 
    bool authquery; /**< Is authentication query enabled */
 
-   bool tls;                        /**< Is TLS enabled */
-   char tls_cert_file[MISC_LENGTH]; /**< TLS certificate path */
-   char tls_key_file[MISC_LENGTH];  /**< TLS key path */
-   char tls_ca_file[MISC_LENGTH];   /**< TLS CA certificate path */
-
    atomic_ushort active_connections; /**< The active number of connections */
    int max_connections;              /**< The maximum number of connections */
    bool allow_unknown_users;         /**< Allow unknown users */

diff --git a/src/include/security.h b/src/include/security.h
@@ -147,6 +147,16 @@ pgagroal_tls_valid(void);
 int
 pgagroal_generate_password(int password_length, char** password);
 
+/**
+ * @brief Accept the SSL connection for the vault from client (curl)
+ * @param config the vault configuration
+ * @param client_fd the descriptor
+ * @param c_ssl the client SSL context
+ * @return 0 if success, otherwise 1
+ */
+int
+accept_ssl_vault(struct vault_configuration* config, int client_fd, SSL** c_ssl);
+
 /**
  * @brief Initialize RNG
  *