util: Add client type for verification

TheThingsNetwork · Jun 20, 2024 · 952f5d5 · 952f5d5
1 parent 7d70a65
commit 952f5d5
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 12 deletions.
diff --git a/pkg/auth/mtls/mtls.go b/pkg/auth/mtls/mtls.go
@@ -25,6 +25,15 @@ import (
 	"gopkg.in/yaml.v2"
 )
 
+// ClientType represents the type of the client.
+type ClientType int
+
+// Client types.
+const (
+	ClientTypeUnspecified ClientType = iota
+	ClientTypeGateway
+)
+
 // CAStore is a store of CA Certs.
 type CAStore struct {
 	commonPool *x509.CertPool
@@ -81,26 +90,24 @@ func NewCAStore(_ context.Context, fetcher fetch.Interface) (*CAStore, error) {
 	return s, nil
 }
 
-func (c CAStore) certPools(_ context.Context) []*x509.CertPool {
-	var res []*x509.CertPool
-	if c.commonPool != nil {
-		res = append(res, c.commonPool)
-	}
+func (c CAStore) certPool(_ context.Context, _ ClientType) *x509.CertPool {
+	res := c.commonPool.Clone()
 	return res
 }
 
-// Verify verifies the certificate against the list of configured certificate pools.
-// The function also checks that common name in the certificate matches the provided value.
-func (c *CAStore) Verify(ctx context.Context, cn string, cert *x509.Certificate) error {
+// Verify verifies the certificate against the certificate pool for the client type.
+// The common pool is always used. If the client type is unspecified, only the common certificate pool is used.
+// The method also checks that common name in the certificate matches the provided value.
+func (c *CAStore) Verify(ctx context.Context, clientType ClientType, cn string, cert *x509.Certificate) error {
 	if cert.Subject.CommonName != cn {
 		return errCommonNameMismatch.WithAttributes(
 			"exp", cn,
 			"got", cert.Subject.CommonName,
 		)
 	}
 
-	certPools := c.certPools(ctx)
-	if len(certPools) == 0 {
+	certPool := c.certPool(ctx, clientType)
+	if certPool.Equal(x509.NewCertPool()) {
 		return errNoCAPool.New()
 	}
 	opts := x509.VerifyOptions{

diff --git a/pkg/auth/mtls/mtls_test.go b/pkg/auth/mtls/mtls_test.go
@@ -104,7 +104,7 @@ enSyC2URWEsszHuPDCO9J0KAdbMbyIgq6w7as6ZeE1z90YC8H3Y8OA==
 	a.So(block.Type, should.Equal, "CERTIFICATE")
 	invalidTestCert, err := x509.ParseCertificate(block.Bytes)
 	a.So(err, should.BeNil)
-	err = caStore.Verify(ctx, "1111111111111111", invalidTestCert)
+	err = caStore.Verify(ctx, mtls.ClientTypeUnspecified, "1111111111111111", invalidTestCert)
 	a.So(errors.IsInvalidArgument(err), should.BeTrue)
 
 	// Generate a valid certificate
@@ -116,7 +116,7 @@ enSyC2URWEsszHuPDCO9J0KAdbMbyIgq6w7as6ZeE1z90YC8H3Y8OA==
 	a.So(block, should.NotBeNil)
 	validGatewayCertificate, err := x509.ParseCertificate(block.Bytes)
 	a.So(err, should.BeNil)
-	err = caStore.Verify(ctx, "2222222222222222", validGatewayCertificate)
+	err = caStore.Verify(ctx, mtls.ClientTypeUnspecified, "2222222222222222", validGatewayCertificate)
 	a.So(err, should.BeNil)
 
 	// Context