Implement TLS client authentication

Author: M1cha

AUTHORS

@@ -10,6 +10,7 @@ Kenny Keslar <r3dey3@r3dey3.com>
 Konrad Wojas <github@m.wojas.nl>
 Matthew Holt <mholt@users.noreply.github.com>
 Mebus <mebus.inbox@googlemail.com>
+Michael Zimmermann <sigmaepsilon92@gmail.com>
 Wayne Scott <wsc9tt@gmail.com>
 Zlatko Čalušić <zcalusic@bitsync.net>
 cgonzalez <chgonzalezg@gmail.com>

README.md

@@ -32,6 +32,7 @@ Usage:
   rest-server [flags]
 
 Flags:
+<<<<<<< HEAD
       --append-only                  enable append only mode
       --cpu-profile string           write CPU profile to file
       --debug                        output debug messages
@@ -53,6 +54,27 @@ Flags:
       --tls-key string               TLS key path
       --tls-min-ver string           TLS min version, one of (1.2|1.3) (default "1.2")
   -v, --version                      version for rest-server
+=======
+      --append-only            enable append only mode
+      --cpu-profile string     write CPU profile to file
+      --debug                  output debug messages
+  -h, --help                   help for rest-server
+      --htpasswd-file string   location of .htpasswd file (default: "<data directory>/.htpasswd")
+      --listen string          listen address (default ":8000")
+      --log filename           write HTTP requests in the combined log format to the specified filename
+      --max-size int           the maximum size of the repository in bytes
+      --no-auth                disable .htpasswd authentication
+      --no-verify-upload       do not verify the integrity of uploaded data. DO NOT enable unless the rest-server runs on a very low-power device
+      --path string            data directory (default "/tmp/restic")
+      --private-repos          users can only access their private repo
+      --prometheus             enable Prometheus metrics
+      --prometheus-no-auth     disable auth for Prometheus /metrics endpoint
+      --tls                    turn on TLS support
+      --tls-ca string          TLS CA certificate path
+      --tls-cert string        TLS certificate path
+      --tls-key string         TLS key path
+  -v, --version                version for rest-server
+>>>>>>> a806291 (Implement TLS client authentication)
 ```
 
 By default the server persists backup data in the OS temporary directory (`/tmp/restic` on Linux/BSD and others, in `%TEMP%\\restic` in Windows, etc). **If `rest-server` is launched using the default path, all backups will be lost**. To start the server with a custom persistence directory and with authentication disabled:
@@ -71,7 +93,7 @@ If you want to disable authentication, you must add the `--no-auth` flag. If thi
 
 NOTE: In older versions of rest-server (up to 0.9.7), this flag does not exist and the server disables authentication if `.htpasswd` is missing or cannot be opened.
 
-By default the server uses HTTP protocol.  This is not very secure since with Basic Authentication, user name and passwords will be sent in clear text in every request.  In order to enable TLS support just add the `--tls` argument and add a private and public key at the root of your persistence directory. You may also specify private and public keys by `--tls-cert` and `--tls-key` and set the minimum TLS version to 1.3 using `--tls-min-ver 1.3`.
+By default the server uses HTTP protocol.  This is not very secure since with Basic Authentication, user name and passwords will be sent in clear text in every request.  In order to enable TLS support just add the `--tls` argument and add a private and public key at the root of your persistence directory. You may also specify private and public keys by `--tls-cert` and `--tls-key` and set the minimum TLS version to 1.3 using `--tls-min-ver 1.3`. Additionally, client authentication can be enabled by passing a CA certificate to `--tls-cacert`.
 
 Signed certificate is normally required by the restic backend, but if you just want to test the feature you can generate password-less unsigned keys with the following command:
 

changelog/unreleased/issue-73

@@ -0,0 +1,7 @@
+Enhancement: TLS Client Authentication
+
+It is now possible to require clients to provide a certificate that was signed
+by a certain CA.
+
+https://github.com/restic/rest-server/issues/73
+https://github.com/restic/rest-server/pull/193

cmd/rest-server/main.go

@@ -3,8 +3,10 @@ package main
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"errors"
 	"fmt"
+	"io/ioutil"
 	"log"
 	"net"
 	"net/http"
@@ -61,6 +63,7 @@ func newRestServerApp() *restServerApp {
 	flags.Int64Var(&rv.Server.MaxRepoSize, "max-size", rv.Server.MaxRepoSize, "the maximum size of the repository in bytes")
 	flags.StringVar(&rv.Server.Path, "path", rv.Server.Path, "data directory")
 	flags.BoolVar(&rv.Server.TLS, "tls", rv.Server.TLS, "turn on TLS support")
+	flags.StringVar(&rv.Server.TLSCACert, "tls-cacert", rv.Server.TLSCACert, "TLS CA certificate path")
 	flags.StringVar(&rv.Server.TLSCert, "tls-cert", rv.Server.TLSCert, "TLS certificate path")
 	flags.StringVar(&rv.Server.TLSKey, "tls-key", rv.Server.TLSKey, "TLS key path")
 	flags.StringVar(&rv.Server.TLSMinVer, "tls-min-ver", rv.Server.TLSMinVer, "TLS min version, one of (1.2|1.3)")
@@ -199,6 +202,20 @@ func (app *restServerApp) runRoot(_ *cobra.Command, _ []string) error {
 		return fmt.Errorf("Unsupported TLS min version: %s. Allowed versions are 1.2 or 1.3", app.Server.TLSMinVer)
 	}
 
+	if app.Server.TLSCACert != "" {
+		log.Printf("TLS Client Authentication enabled, CA cert %s", app.Server.TLSCACert)
+
+		caCert, err := ioutil.ReadFile(app.Server.TLSCACert)
+		if err != nil {
+			return fmt.Errorf("unable to read CA certificate: %w", err)
+		}
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM(caCert)
+
+		tlscfg.ClientAuth = tls.RequireAndVerifyClientCert
+		tlscfg.ClientCAs = caCertPool
+	}
+
 	srv := &http.Server{
 		Handler:   handler,
 		TLSConfig: tlscfg,

handlers.go

@@ -20,6 +20,7 @@ type Server struct {
 	Listen               string
 	Log                  string
 	CPUProfile           string
+	TLSCACert            string
 	TLSKey               string
 	TLSCert              string
 	TLSMinVer            string