Merge pull request PelicanPlatform#1563 from bbockelm/use_client_x509

Selectively enable client X509 authentication
jhiemstrawisc · Aug 19, 2024 · 212f1e5 · 212f1e5
2 parents 836f84f + 9e4dfd2
commit 212f1e5
Show file tree

Hide file tree

Showing 9 changed files with 33 additions and 3 deletions.
diff --git a/config/resources/osdf.yaml b/config/resources/osdf.yaml
@@ -26,3 +26,8 @@ Federation:
 Registry:
   RequireCacheApproval: true
   RequireOriginApproval: true
+Director:
+  X509ClientAuthenticationPrefixes:
+  - /xenon/PROTECTED/
+  - /user/ligo/
+  - /igwn/
diff --git a/director/director.go b/director/director.go
@@ -798,6 +798,13 @@ func redirectToOrigin(ginCtx *gin.Context) {
 			ginCtx.Header("X-Pelican-Broker", brokerUrl.String())
 		}
 
+		for _, prefix := range param.Director_X509ClientAuthenticationPrefixes.GetStringSlice() {
+			if strings.HasPrefix(reqPath, prefix) {
+				ginCtx.Writer.Header().Add("X-Osdf-X509", "true")
+				break
+			}
+		}
+
 		// See note in RedirectToCache as to why we only add the authz query parameter to this URL,
 		// not those in the `Link`.
 		ginCtx.Redirect(http.StatusTemporaryRedirect, getFinalRedirectURL(redirectURL, reqParams))

diff --git a/director/prom_query.go b/director/prom_query.go
@@ -147,7 +147,7 @@ func parsePromRes(res promQLRes) (promParsed promQLParsed, err error) {
 		ResultType: data.ResultType,
 	}
 
-	if data.Result != nil && len(data.Result) > 0 {
+	if len(data.Result) > 0 {
 		switch data.Result[0].(type) {
 		case float64: // result: [unixtime, value]
 			if len(data.Result) == 2 && (data.ResultType == "scalar" || data.ResultType == "string") {

diff --git a/docs/parameters.yaml b/docs/parameters.yaml
@@ -1402,6 +1402,19 @@ type: bool
 default: false
 components: ["director"]
 ---
+name: Director.X509ClientAuthenticationPrefixes
+description: |+
+  A list of object prefixes where the origin uses X.509 client authentication.
+
+  If a cache requests an object starting with one of these prefixes, then it will be instructed by the director
+  to use X.509 client authentication if available.
+
+  This setting allows for compatibility with specific legacy OSDF origins and is not needed for new origins.
+type: stringSlice
+default: none
+components: ["director"]
+hidden: true
+---
 ############################
 #  Registry-level configs  #
 ############################

diff --git a/local_cache/local_cache.go b/local_cache/local_cache.go
@@ -803,7 +803,7 @@ func (cr *cacheReader) peekError(ctx context.Context) (err error) {
 }
 
 func (cr *cacheReader) Read(p []byte) (n int, err error) {
-	if cr.buf != nil && len(cr.buf) > 0 {
+	if len(cr.buf) > 0 {
 		bytesCopied := copy(p, cr.buf)
 		if len(cr.buf) > bytesCopied {
 			cr.buf = cr.buf[bytesCopied:]

diff --git a/param/parameters.go b/param/parameters.go
diff --git a/param/parameters_struct.go b/param/parameters_struct.go
diff --git a/registry/custom_reg_fields.go b/registry/custom_reg_fields.go
@@ -282,7 +282,7 @@ func InitCustomRegistrationFields() error {
 			return errors.New(fmt.Sprintf("Bad custom registration field, unsupported field type: %q with %q", conf.Name, conf.Type))
 		}
 		if conf.Type == "enum" {
-			if (conf.Options == nil || len(conf.Options) == 0) && conf.OptionsUrl == "" {
+			if len(conf.Options) == 0 && conf.OptionsUrl == "" {
 				return errors.New(fmt.Sprintf("Bad custom registration field, 'enum' type field does not have options or optionsUrl set: %q", conf.Name))
 			}
 		}

diff --git a/xrootd/launch.go b/xrootd/launch.go
@@ -84,6 +84,8 @@ func makeUnprivilegedXrootdLauncher(daemonName string, configPath string, isCach
 			"XRD_PELICANBROKERSOCKET=" + filepath.Join(xrootdRun, "cache-reversal.sock"),
 			"XRD_PLUGINCONFDIR=" + filepath.Join(xrootdRun, "cache-client.plugins.d"),
 			"X509_CERT_FILE=" + filepath.Join(xrootdRun, "ca-bundle.crt"),
+			"XRD_PELICANCLIENTCERTFILE=" + filepath.Join(xrootdRun, "copied-tls-creds.crt"),
+			"XRD_PELICANCLIENTKEYFILE=" + filepath.Join(xrootdRun, "copied-tls-creds.crt"),
 		}
 	}
 	return