Skip to content

feat(auth): mTLS client-certificate authentication for the management plane#18

Merged
Bugs5382 merged 6 commits into
mainfrom
feat/17-client-cert-auth
Jul 14, 2026
Merged

feat(auth): mTLS client-certificate authentication for the management plane#18
Bugs5382 merged 6 commits into
mainfrom
feat/17-client-cert-auth

Conversation

@Bugs5382

Copy link
Copy Markdown
Contributor

What and why

Slice A of productionize. Replaces the dev auth stub with real mTLS client-cert auth: when authBypass is false the manager serves HTTPS with RequireAndVerifyClientCert against the operator CA, derives the operator identity + access level from the presented certificate, and exposes it via WhoAmI. The authBypass dev path (h2c) is preserved.

  • config: tlsCert / tlsKey / operatorCAPath, required when authBypass is false.
  • authz: Identity{CN,Serial,Level} on the request context; ClientCertMiddleware (401 no peer cert, 403 cert without the access-level extension) and BypassMiddleware (dev identity). Auth is HTTP middleware, not a Connect interceptor, because only the HTTP layer sees the TLS peer certificate.
  • cmd/manager: TLS listener (RequireAndVerifyClientCert + operator-CA pool + server cert); h2c kept for authBypass. The old Bypass() interceptor is retired.
  • fleet.WhoAmI: echoes the verified identity (Unauthenticated if absent).
  • Bumps the api dependency to the merged WhoAmI revision.

Builds on the A0 access-level codec (#16) and api WhoAmI (CryptOS-PKI/api#44), both merged.

Closes #17

Verification

  • Lint clean (gofmt / go vet / golangci-lint 0)
  • Tests pass (config validation; authz identity + middleware incl. 401/403 paths; buildTLSConfig incl. bad-CA; WhoAmI echo + Unauthenticated)
  • Build succeeds (every commit; api bump + handler land together)
  • License headers (task license 0 changed)

How this was verified

Whole-branch review confirmed no anonymous path (single mux behind ClientCertMiddleware, RequireAndVerifyClientCert, bypass reachable only when authBypass true and validation forces trust material otherwise), identity derived solely from the verified peer cert, and no broken intermediate commit. Live cert-in-browser verification is the runbook step at deploy (docs/operator-pki.md).

@Bugs5382 Bugs5382 self-assigned this Jul 14, 2026
@github-actions github-actions Bot added the enhancement New feature (feat). Minor version bump. label Jul 14, 2026
@Bugs5382
Bugs5382 merged commit a1e8981 into main Jul 14, 2026
12 checks passed
@Bugs5382
Bugs5382 deleted the feat/17-client-cert-auth branch July 14, 2026 12:56
@Bugs5382 Bugs5382 added this to the v1.0.0 milestone Jul 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature (feat). Minor version bump.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

feat(auth): mTLS client-certificate authentication for the management plane

1 participant