From ab9c21f31533e1bba6953a59202323f6b4935efe Mon Sep 17 00:00:00 2001 From: Vivek Saini Date: Thu, 31 Mar 2022 14:15:03 -0400 Subject: [PATCH] Changed term whitelist to allowlist (#54) --- keydb.conf | 10 ++++----- src/config.cpp | 8 +++---- src/server.h | 4 ++-- src/tls.cpp | 20 +++++++++--------- tests/unit/tls-name-validation.tcl | 34 +++++++++++++++--------------- 5 files changed, 38 insertions(+), 38 deletions(-) diff --git a/keydb.conf b/keydb.conf index 4ac16f73a..4aa1c6083 100644 --- a/keydb.conf +++ b/keydb.conf @@ -262,18 +262,18 @@ tcp-keepalive 300 # # tls-rotation no -# Setup a whitelist of allowed Common Names (CNs)/Subject Alternative Names (SANs) +# Setup a allowlist of allowed Common Names (CNs)/Subject Alternative Names (SANs) # that are allowed to connect to this server. This includes both normal clients as # well as other servers connected for replication/clustering purposes. If nothing is -# specified, then no whitelist is used. Supports IPv4, DNS, RFC822, and URI SAN types. +# specified, then no allowlist is used. Supports IPv4, DNS, RFC822, and URI SAN types. # You can opt to either put all of the names on one line as follows: # -# tls-whitelist ... +# tls-allowlist ... # # or place then all on their own seperate line (or a combination of the two): # -# tls-whitelist -# tls-whitelist +# tls-allowlist +# tls-allowlist # ... # # This configuration also allows for wildcard characters with glob style formatting diff --git a/src/config.cpp b/src/config.cpp index 08da538be..a7a3133ef 100644 --- a/src/config.cpp +++ b/src/config.cpp 
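Review bot: The rename leaves the new comment reading `# Setup a allowlist of allowed Common Names (CNs)/Subject Alternative Names (SANs)`; the article no longer fits, so it should read `# Set up an allowlist of Common Names (CNs)/Subject Alternative Names (SANs)`. While these lines are being touched, `or place then all on their own seperate line` carries two typos, `them` and `separate`.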
@@ -741,11 +741,11 @@ void loadServerConfigFromString(char *config) { g_pserver->fActiveReplica = CONFIG_DEFAULT_ACTIVE_REPLICA; err = "argument must be 'yes' or 'no'"; goto loaderr; } - } else if (!strcasecmp(argv[0], "tls-whitelist")) { - if (!g_pserver->tls_whitelist_enabled) - g_pserver->tls_whitelist_enabled = true; + } else if (!strcasecmp(argv[0], "tls-allowlist")) { + if (!g_pserver->tls_allowlist_enabled) + g_pserver->tls_allowlist_enabled = true; for (int i = 1; i < argc; i++) - g_pserver->tls_whitelist.insert(zstrdup(argv[i])); + g_pserver->tls_allowlist.insert(zstrdup(argv[i])); } else if (!strcasecmp(argv[0], "version-override") && argc == 2) { KEYDB_SET_VERSION = zstrdup(argv[1]); serverLog(LL_WARNING, "Warning version is overriden to: %s\n", KEYDB_SET_VERSION); diff --git a/src/server.h b/src/server.h index 1a051caac..05cceed86 100644 --- a/src/server.h +++ b/src/server.h @@ -2612,8 +2612,8 @@ struct redisServer { int tls_auth_clients; int tls_rotation; - int tls_whitelist_enabled; - std::unordered_set tls_whitelist; + int tls_allowlist_enabled; + std::unordered_set tls_allowlist; redisTLSContextConfig tls_ctx_config; /* cpu affinity */ diff --git a/src/tls.cpp b/src/tls.cpp index fda7e2afc..d914f3d7e 100644 --- a/src/tls.cpp +++ b/src/tls.cpp 
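Review bot: `g_pserver->tls_allowlist.insert(zstrdup(argv[i]))` inserts a freshly duplicated pointer per name, and the range-for in tls.cpp (`for (char * client_pattern: g_pserver->tls_allowlist)`) indicates the element type is `char *` (the template argument is lost in this rendering), so the set hashes the pointer rather than the pattern text: the same name on repeated `tls-allowlist` lines is stored several times, and nothing in this hunk releases the copies. Declaring `std::unordered_set<std::string> tls_allowlist;` in server.h and inserting `argv[i]` directly would give the container real set semantics and ownership, with the matching loop using `client_pattern.c_str()` and `client_pattern.size()`. The directive also sets `tls_allowlist_enabled = true` when `argc == 1`, so a bare `tls-allowlist` line enforces an empty list and, per the check in tlsHandleEvent, refuses every client; that fail-closed outcome is reasonable but deserves a comment, e.g. `/* a tls-allowlist line with no names still enables enforcement: an empty allowlist rejects every client */`. `loadServerConfigFromString` begins and ends outside this hunk.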
@@ -478,13 +478,13 @@ typedef struct tls_connection { aeEventLoop *el; } tls_connection; -/* Check to see if a given client name matches against our whitelist. +/* Check to see if a given client name matches against our allowlist. * Return true if it does */ -bool tlsCheckAgainstWhitelist(const char * client){ +bool tlsCheckAgainstAllowlist(const char * client){ /* Because of wildcard matching, we need to iterate over the entire set. * If we were doing simply straight matching, we could just directly * check to see if the client name is in the set in O(1) time */ - for (char * client_pattern: g_pserver->tls_whitelist){ + for (char * client_pattern: g_pserver->tls_allowlist){ if (stringmatchlen(client_pattern, strlen(client_pattern), client, strlen(client), 1)) return true; } @@ -497,7 +497,7 @@ bool tlsValidateCertificateName(tls_connection* conn){ X509_NAME_ENTRY * ne = X509_NAME_get_entry(X509_get_subject_name(cert), X509_NAME_get_index_by_NID(X509_get_subject_name(cert), NID_commonName, -1)); const char * commonName = reinterpret_cast(ASN1_STRING_get0_data(X509_NAME_ENTRY_get_data(ne))); - if (tlsCheckAgainstWhitelist(commonName)) + if (tlsCheckAgainstAllowlist(commonName)) return true; /* If that fails, check through the subject alternative names (SANs) as well */ 
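Review bot: In the `@@ -497` hunk, `X509_NAME_get_index_by_NID(..., NID_commonName, -1)` yields -1 for a subject without a CN, `X509_NAME_get_entry` then returns NULL, and the renamed `tlsCheckAgainstAllowlist(commonName)` call is only reached after `ASN1_STRING_get0_data(X509_NAME_ENTRY_get_data(ne))` has dereferenced that NULL (`ASN1_STRING_get0_data` does not null-check its argument, as far as I can tell), so a CA-signed client certificate with no CN takes the server down instead of being refused. Guard it before the CN match, `if (ne == NULL) { commonName = ""; } else { /* existing CN lookup */ }`, so a SAN-only certificate skips the CN comparison and falls through to the SAN loop, which is the intended outcome. Separately, both the CN here and the GEN_EMAIL/GEN_DNS/GEN_URI values in the `@@ -511` hunk are measured with `strlen` inside `tlsCheckAgainstAllowlist`, although ASN1 strings may contain embedded NUL bytes; comparing `ASN1_STRING_length(...)` with the `strlen` result and rejecting a mismatch keeps such a name from matching on its prefix. Both points predate this commit; `tlsValidateCertificateName` starts and ends outside these hunks.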
@@ -511,19 +511,19 @@ bool tlsValidateCertificateName(tls_connection* conn){ switch (generalName->type) { case GEN_EMAIL: - if (tlsCheckAgainstWhitelist(reinterpret_cast(ASN1_STRING_get0_data(generalName->d.rfc822Name)))){ + if (tlsCheckAgainstAllowlist(reinterpret_cast(ASN1_STRING_get0_data(generalName->d.rfc822Name)))){ sk_GENERAL_NAME_pop_free(subjectAltNames, GENERAL_NAME_free); return true; } break; case GEN_DNS: - if (tlsCheckAgainstWhitelist(reinterpret_cast(ASN1_STRING_get0_data(generalName->d.dNSName)))){ + if (tlsCheckAgainstAllowlist(reinterpret_cast(ASN1_STRING_get0_data(generalName->d.dNSName)))){ sk_GENERAL_NAME_pop_free(subjectAltNames, GENERAL_NAME_free); return true; } break; case GEN_URI: - if (tlsCheckAgainstWhitelist(reinterpret_cast(ASN1_STRING_get0_data(generalName->d.uniformResourceIdentifier)))){ + if (tlsCheckAgainstAllowlist(reinterpret_cast(ASN1_STRING_get0_data(generalName->d.uniformResourceIdentifier)))){ sk_GENERAL_NAME_pop_free(subjectAltNames, GENERAL_NAME_free); return true; } @@ -534,7 +534,7 @@ bool tlsValidateCertificateName(tls_connection* conn){ if (ipLen == 4){ //IPv4 case char addr[INET_ADDRSTRLEN]; inet_ntop(AF_INET, ASN1_STRING_get0_data(generalName->d.iPAddress), addr, INET_ADDRSTRLEN); - if (tlsCheckAgainstWhitelist(addr)){ + if (tlsCheckAgainstAllowlist(addr)){ sk_GENERAL_NAME_pop_free(subjectAltNames, GENERAL_NAME_free); return true; } @@ -554,7 +554,7 @@ bool tlsValidateCertificateName(tls_connection* conn){ conn->c.last_errno = 0; if (conn->ssl_error) zfree(conn->ssl_error); conn->ssl_error = (char*)zmalloc(512); - snprintf(conn->ssl_error, 512, "Client CN (%s) and SANs not found in whitelist.", commonName); + snprintf(conn->ssl_error, 512, "Client CN (%s) and SANs not found in allowlist.", commonName); return false; } 
@@ -776,7 +776,7 @@ void tlsHandleEvent(tls_connection *conn, int mask) {
 conn->c.state = CONN_STATE_ERROR;
 } else {
 /* Validate name */
- if (g_pserver->tls_whitelist_enabled && !tlsValidateCertificateName(conn)){
+ if (g_pserver->tls_allowlist_enabled && !tlsValidateCertificateName(conn)){
 conn->c.state = CONN_STATE_ERROR;
 } else {
 conn->c.state = CONN_STATE_CONNECTED;
diff --git a/tests/unit/tls-name-validation.tcl b/tests/unit/tls-name-validation.tcl
index 2f3e34d53..f0569b028 100644
--- a/tests/unit/tls-name-validation.tcl
+++ b/tests/unit/tls-name-validation.tcl
@@ -1,110 +1,110 @@ -test {TLS: Able to connect with no whitelist} { +test {TLS: Able to connect with no allowlist} { start_server {tags {"tls"}} { catch {r PING} e assert_match {PONG} $e } } -test {TLS: Able to connect with whitelist '*'} { - start_server {tags {"tls"} overrides {tls-whitelist *}} { +test {TLS: Able to connect with allowlist '*'} { + start_server {tags {"tls"} overrides {tls-allowlist *}} { catch {r PING} e assert_match {PONG} $e } } test {TLS: Able to connect with matching CN} { - start_server {tags {"tls"} overrides {tls-whitelist client.keydb.dev}} { + start_server {tags {"tls"} overrides {tls-allowlist client.keydb.dev}} { catch {r PING} e assert_match {PONG} $e } } test {TLS: Able to connect with matching SAN} { - start_server {tags {"tls"} overrides {tls-whitelist san1.keydb.dev}} { + start_server {tags {"tls"} overrides {tls-allowlist san1.keydb.dev}} { catch {r PING} e assert_match {PONG} $e } } test {TLS: Able to connect with matching CN with wildcard} { - start_server {tags {"tls"} overrides {tls-whitelist client*.dev}} { + start_server {tags {"tls"} overrides {tls-allowlist client*.dev}} { catch {r PING} e assert_match {PONG} $e } } test {TLS: Able to connect with matching SAN with wildcard} { - start_server {tags {"tls"} overrides {tls-whitelist san*.dev}} { + start_server {tags {"tls"} overrides {tls-allowlist san*.dev}} { catch {r PING} e assert_match {PONG} $e } } test {TLS: Able to connect while with CN having a comprehensive list} { - start_server {tags {"tls"} overrides {tls-whitelist {dummy.keydb.dev client.keydb.dev other.keydb.dev}}} { + start_server {tags {"tls"} overrides {tls-allowlist {dummy.keydb.dev client.keydb.dev other.keydb.dev}}} { catch {r PING} e assert_match {PONG} $e } } test {TLS: Able to connect while with SAN having a comprehensive list} { - start_server {tags {"tls"} overrides {tls-whitelist {dummy.keydb.dev san2.keydb.dev other.keydb.dev}}} { + start_server {tags {"tls"} overrides {tls-allowlist 
{dummy.keydb.dev san2.keydb.dev other.keydb.dev}}} { catch {r PING} e assert_match {PONG} $e } } test {TLS: Able to connect while with CN having a comprehensive list with wildcards} { - start_server {tags {"tls"} overrides {tls-whitelist {dummy.* client*.dev other.*}}} { + start_server {tags {"tls"} overrides {tls-allowlist {dummy.* client*.dev other.*}}} { catch {r PING} e assert_match {PONG} $e } } test {TLS: Able to connect while with SAN having a comprehensive list with wildcards} { - start_server {tags {"tls"} overrides {tls-whitelist {dummy.* san*.dev other.*}}} { + start_server {tags {"tls"} overrides {tls-allowlist {dummy.* san*.dev other.*}}} { catch {r PING} e assert_match {PONG} $e } } test {TLS: Not matching CN or SAN rejected} { - start_server {tags {"tls"} overrides {tls-whitelist {client.keydb.dev}}} { + start_server {tags {"tls"} overrides {tls-allowlist {client.keydb.dev}}} { catch {set r2 [redis_client_tls -keyfile "$::tlsdir/client2.key" -certfile "$::tlsdir/client2.crt" -require 1 -cafile "$::tlsdir/ca.crt"]} e assert_match {*I/O error reading reply*} $e } } test {TLS: Able to match against DNS SAN} { - start_server {tags {"tls"} overrides {tls-whitelist {san1.keydb.dev}}} { + start_server {tags {"tls"} overrides {tls-allowlist {san1.keydb.dev}}} { catch {r PING} e assert_match {PONG} $e } } test {TLS: Able to match against email SAN} { - start_server {tags {"tls"} overrides {tls-whitelist {someone@keydb.dev}}} { + start_server {tags {"tls"} overrides {tls-allowlist {someone@keydb.dev}}} { catch {r PING} e assert_match {PONG} $e } } test {TLS: Able to match against IPv4 SAN} { - start_server {tags {"tls"} overrides {tls-whitelist {192.168.0.1}}} { + start_server {tags {"tls"} overrides {tls-allowlist {192.168.0.1}}} { catch {r PING} e assert_match {PONG} $e } } test {TLS: Able to match against IPv4 with a wildcard} { - start_server {tags {"tls"} overrides {tls-whitelist {192.*}}} { + start_server {tags {"tls"} overrides {tls-allowlist {192.*}}} 
{ catch {r PING} e assert_match {PONG} $e } } test {TLS: Able to match against URI SAN} { - start_server {tags {"tls"} overrides {tls-whitelist {https://keydb.dev}}} { + start_server {tags {"tls"} overrides {tls-allowlist {https://keydb.dev}}} { catch {r PING} e assert_match {PONG} $e }