From f3c28b2781798c577f68664409c4d20048ce45d2 Mon Sep 17 00:00:00 2001
From: saroshali-dbx
Date: Mon, 6 Jun 2022 11:26:37 -0500
Subject: [PATCH 1/4] add common-name verification

Signed-off-by: saroshali-dbx
---
 .../web_config.auth_client_common_name.good.yaml | 6 ++++++
 .../web_config_auth_client_common_name.bad.yaml | 6 ++++++
 web/tls_config.go | 15 ++++++++++++++-
 web/tls_config_test.go | 15 +++++++++++++++
 4 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100644 web/testdata/web_config.auth_client_common_name.good.yaml
 create mode 100644 web/testdata/web_config_auth_client_common_name.bad.yaml

diff --git a/web/testdata/web_config.auth_client_common_name.good.yaml b/web/testdata/web_config.auth_client_common_name.good.yaml
new file mode 100644
index 00000000..b2892b1f
--- /dev/null
+++ b/web/testdata/web_config.auth_client_common_name.good.yaml
@@ -0,0 +1,6 @@
+tls_server_config:
+ cert_file: "server.crt"
+ key_file: "server.key"
+ client_auth_type: "RequireAndVerifyClientCert"
+ client_ca_file: "client_selfsigned.pem",
+ client_cert_allowed_cn: "prometheus.example.com"
diff --git a/web/testdata/web_config_auth_client_common_name.bad.yaml b/web/testdata/web_config_auth_client_common_name.bad.yaml
new file mode 100644
index 00000000..5ddaecc3
--- /dev/null
+++ b/web/testdata/web_config_auth_client_common_name.bad.yaml
@@ -0,0 +1,6 @@
+tls_server_config:
+ cert_file: "server.crt"
+ key_file: "server.key"
+ client_auth_type: "RequireAndVerifyClientCert"
+ client_ca_file: "client_selfsigned.pem"
+ client_cert_allowed_cn: "bad.example.com"
\ No newline at end of file
diff --git a/web/tls_config.go b/web/tls_config.go
index 328c5e0e..de6a63b4 100644
--- a/web/tls_config.go
+++ b/web/tls_config.go
@@ -26,7 +26,6 @@ import (
 "github.com/go-kit/log/level"
 "github.com/pkg/errors"
 config_util "github.com/prometheus/common/config"
- "gopkg.in/yaml.v2"
 )
 var (
@@ -49,6 +48,7 @@ type TLSStruct struct {
 MinVersion tlsVersion `yaml:"min_version"`
 MaxVersion tlsVersion `yaml:"max_version"`
 PreferServerCipherSuites bool `yaml:"prefer_server_cipher_suites"`
+ ClientCertAllowedCN string `yaml:"client_cert_allowed_cn"`
 }
 // SetDirectory joins any relative file paths with dir.
@@ -155,6 +155,19 @@ func ConfigToTLSConfig(c *TLSStruct) (*tls.Config, error) {
 cfg.ClientCAs = clientCAPool
 }
+ if c.ClientCertAllowedCN != "" {
+ cfg.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+ for _, chains := range verifiedChains {
+ if len(chains) != 0 {
+ if c.ClientCertAllowedCN == chains[0].Subject.CommonName {
+ return nil
+ }
+ }
+ }
+ return errors.New("CommonName authentication failed")
+ }
+ }
+
 switch c.ClientAuth {
 case "RequestClientCert":
 cfg.ClientAuth = tls.RequestClientCert
diff --git a/web/tls_config_test.go b/web/tls_config_test.go
index 52f74676..8d745bbe 100644
--- a/web/tls_config_test.go
+++ b/web/tls_config_test.go
@@ -57,6 +57,7 @@ var (
 "Bad certificate": regexp.MustCompile(`bad certificate`),
 "Invalid value": regexp.MustCompile(`invalid value for`),
 "Invalid header": regexp.MustCompile(`HTTP header ".*" can not be configured`),
+ "Invalid common-name": regexp.MustCompile(`CommonName authentication failed`),
 }
 )
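Review bot: The CN check added to ConfigToTLSConfig rejects every client unless client_auth_type is RequireAndVerifyClientCert, because crypto/tls passes a nil verifiedChains to VerifyPeerCertificate when ClientAuth is RequestClientCert or RequireAnyClientCert, so the loop never matches and the closure always returns the error; the hunk installs the callback before the `switch c.ClientAuth` and never checks the two settings against each other. I'd reject the combination at config-load time rather than at every handshake, e.g. `if c.ClientCertAllowedCN != "" && c.ClientAuth != "RequireAndVerifyClientCert" { return nil, errors.New("client_cert_allowed_cn requires client_auth_type RequireAndVerifyClientCert") }` placed ahead of the callback, so a misconfiguration fails fast instead of presenting as an outage. The closure also reads c.ClientCertAllowedCN at handshake time instead of capturing a copy; `allowedCN := c.ClientCertAllowedCN` before the closure would pin the policy to the config that was loaded. The new ClientCertAllowedCN field in the struct hunk above carries no comment; it should say that the value is compared exactly (case-sensitive) against the leaf certificate's Subject CN and is only meaningful together with RequireAndVerifyClientCert. ConfigToTLSConfig continues outside the hunk.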
@@ -337,6 +338,20 @@ func TestServerBehaviour(t *testing.T) {
 ClientCertificate: "client2_selfsigned",
 ExpectedError: ErrorMap["Bad certificate"],
 },
+ {
+ Name: `valid tls config yml with all curves`,
+ YAMLConfigPath: "testdata/tls_config_noAuth.requireandverifyclientcert.good.yml",
+ UseTLSClient: true,
+ ClientCertificate: "client_selfsigned",
+ ExpectedError: nil,
+ },
+ {
+ Name: `valid tls config yml and tls client with RequireAndVerifyClientCert (present wrong certificate)`,
+ YAMLConfigPath: "testdata/tls_config_noAuth.requireandverifyclientcert.good.yml",
+ UseTLSClient: true,
+ ClientCertificate: "client2_selfsigned",
+ ExpectedError: ErrorMap["Invalid common-name"],
+ },
 }
 for _, testInputs := range testTables {
 t.Run(testInputs.Name, testInputs.Test)

From fefab48ac7bfbd16bf42c903ad075aaa0dc0b18f Mon Sep 17 00:00:00 2001
From: saroshali-dbx
Date: Mon, 6 Jun 2022 11:29:53 -0500
Subject: [PATCH 2/4] fix tests

Signed-off-by: saroshali-dbx
---
 web/tls_config_test.go | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/web/tls_config_test.go b/web/tls_config_test.go
index 8d745bbe..39cd3b8d 100644
--- a/web/tls_config_test.go
+++ b/web/tls_config_test.go
@@ -339,17 +339,17 @@ func TestServerBehaviour(t *testing.T) {
 ExpectedError: ErrorMap["Bad certificate"],
 },
 {
- Name: `valid tls config yml with all curves`,
- YAMLConfigPath: "testdata/tls_config_noAuth.requireandverifyclientcert.good.yml",
+ Name: `valid tls config yml and tls client with VerifyPeerCertificate (present good common-name)`,
+ YAMLConfigPath: "testdata/web_config_auth_client_common_name.good.yaml",
 UseTLSClient: true,
 ClientCertificate: "client_selfsigned",
 ExpectedError: nil,
 },
 {
- Name: `valid tls config yml and tls client with RequireAndVerifyClientCert (present wrong certificate)`,
- YAMLConfigPath: "testdata/tls_config_noAuth.requireandverifyclientcert.good.yml",
+ Name: `valid tls config yml and tls client with VerifyPeerCertificate (present invalid common-name)`,
+ YAMLConfigPath: "testdata/web_config_auth_client_common_name.bad.yaml",
 UseTLSClient: true,
- ClientCertificate: "client2_selfsigned",
+ ClientCertificate: "client_selfsigned",
 ExpectedError: ErrorMap["Invalid common-name"],
 },
 }

From d123494f107baae0bad32c3444e822300472ca08 Mon Sep 17 00:00:00 2001
From: saroshali-dbx
Date: Mon, 6 Jun 2022 11:32:09 -0500
Subject: [PATCH 3/4] missing import

Signed-off-by: saroshali-dbx
---
 web/tls_config.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/web/tls_config.go b/web/tls_config.go
index de6a63b4..b97fd040 100644
--- a/web/tls_config.go
+++ b/web/tls_config.go
@@ -26,6 +26,7 @@ import (
 "github.com/go-kit/log/level"
 "github.com/pkg/errors"
 config_util "github.com/prometheus/common/config"
+ "gopkg.in/yaml.v2"
 )
 var (

From 69f5c39925dbaa54aea98edc2cb4f104ce0b7eff Mon Sep 17 00:00:00 2001
From: saroshali-dbx
Date: Thu, 9 Jun 2022 09:27:12 -0700
Subject: [PATCH 4/4] Fix tests
Signed-off-by: saroshali-dbx
---
 web/testdata/web_config_auth_client_common_name.bad.yaml | 2 +-
 ...good.yaml => web_config_auth_client_common_name.good.yaml} | 4 ++--
 web/tls_config_test.go | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
 rename web/testdata/{web_config.auth_client_common_name.good.yaml => web_config_auth_client_common_name.good.yaml} (55%)

diff --git a/web/testdata/web_config_auth_client_common_name.bad.yaml b/web/testdata/web_config_auth_client_common_name.bad.yaml
index 5ddaecc3..8ff979f3 100644
--- a/web/testdata/web_config_auth_client_common_name.bad.yaml
+++ b/web/testdata/web_config_auth_client_common_name.bad.yaml
@@ -3,4 +3,4 @@ tls_server_config:
 key_file: "server.key"
 client_auth_type: "RequireAndVerifyClientCert"
 client_ca_file: "client_selfsigned.pem"
- client_cert_allowed_cn: "bad.example.com"
\ No newline at end of file
+ client_cert_allowed_cn: "bad"
\ No newline at end of file
diff --git a/web/testdata/web_config.auth_client_common_name.good.yaml b/web/testdata/web_config_auth_client_common_name.good.yaml
similarity index 55%
rename from web/testdata/web_config.auth_client_common_name.good.yaml
rename to web/testdata/web_config_auth_client_common_name.good.yaml
index b2892b1f..54f636e2 100644
--- a/web/testdata/web_config.auth_client_common_name.good.yaml
+++ b/web/testdata/web_config_auth_client_common_name.good.yaml
@@ -2,5 +2,5 @@ tls_server_config:
 cert_file: "server.crt"
 key_file: "server.key"
 client_auth_type: "RequireAndVerifyClientCert"
- client_ca_file: "client_selfsigned.pem",
- client_cert_allowed_cn: "prometheus.example.com"
+ client_ca_file: "client_selfsigned.pem"
+ client_cert_allowed_cn: "test"
\ No newline at end of file
diff --git a/web/tls_config_test.go b/web/tls_config_test.go
index 39cd3b8d..9544a87c 100644
--- a/web/tls_config_test.go
+++ b/web/tls_config_test.go
@@ -57,7 +57,7 @@ var (
 "Bad certificate": regexp.MustCompile(`bad certificate`),
 "Invalid value": regexp.MustCompile(`invalid value for`),
 "Invalid header": regexp.MustCompile(`HTTP header ".*" can not be configured`),
- "Invalid common-name": regexp.MustCompile(`CommonName authentication failed`),
+ "Invalid common-name": regexp.MustCompile(`bad certificate`),
 }
 )
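Review bot: After this change `"Invalid common-name"` and `"Bad certificate"` compile the identical pattern, so the two ErrorMap keys no longer tell a reader which failure was observed, and nothing explains why the server-side message introduced in patch 1 is not expected here. The reason is that the client only ever sees the generic TLS bad-certificate alert; the text returned from VerifyPeerCertificate stays on the server. I'd keep the separate key but add a comment above it, `// A server-side CN mismatch reaches the client only as the generic bad-certificate alert.`, so the next person does not "fix" it back to the server message. The bad-CN case in TestServerBehaviour still exercises the check, since client_selfsigned validates against the configured CA and would be accepted without it.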