[mender-gateway] Optimize client certificate authorization flow

Description

The mTLS feature in mender-gateway sends a Preauthorize request to deviceauth for every authentication request it receives from a client. This can be optimized: forward the request as soon as the client certificate has been verified, and only preauthorize the device if deviceauth answers with a 401 response.

Acceptance criteria:

  • Update the certificate verification process

    • If certificate is authorized: forward the request

    • If deviceauth returns 401: send a preauth request with the force flag set

  • Update the deviceauth preauthorize force behavior

    • Change database insert operation to an “upsert” operation
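The two acceptance criteria above describe one flow: forward first, preauthorize with force only on a 401, and make the forced preauthorize an upsert so that the pending authset deviceauth created on the first forwarded request does not turn the preauthorize into a conflict. The program below is an added example (not mender-gateway or deviceauth code) that models that flow end to end against a constructed in-memory stand-in for deviceauth. The endpoint paths `/auth_requests` and `/preauth`, the JSON field names, the `force` field, the `certVerified` flag (standing in for the gateway's real client-certificate check) and the token string are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"sync"
)

// authRequest is what a device sends; preauthRequest is what the gateway sends
// on a 401. Field names and the force flag are assumptions of this example.
type authRequest struct {
	IDData string `json:"id_data"`
	PubKey string `json:"pubkey"`
}
type preauthRequest struct {
	IDData string `json:"identity_data"`
	PubKey string `json:"pubkey"`
	Force  bool   `json:"force"`
}

// FakeDeviceauth is a constructed stand-in for deviceauth: one authset per
// public key, with status "pending", "preauthorized" or "accepted".
type FakeDeviceauth struct {
	mu       sync.Mutex
	authsets map[string]string
	Preauths int // number of preauthorize calls received
}

func NewFakeDeviceauth() *FakeDeviceauth { return &FakeDeviceauth{authsets: map[string]string{}} }

func (f *FakeDeviceauth) Handler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/auth_requests", func(w http.ResponseWriter, r *http.Request) {
		var ar authRequest
		if json.NewDecoder(r.Body).Decode(&ar) != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		f.mu.Lock()
		defer f.mu.Unlock()
		switch f.authsets[ar.PubKey] {
		case "preauthorized", "accepted":
			f.authsets[ar.PubKey] = "accepted"
			fmt.Fprint(w, "constructed.jwt.token") // 200 with a token
		default:
			// Unknown key: deviceauth records a pending authset and rejects.
			f.authsets[ar.PubKey] = "pending"
			w.WriteHeader(http.StatusUnauthorized)
		}
	})
	mux.HandleFunc("/preauth", func(w http.ResponseWriter, r *http.Request) {
		var pr preauthRequest
		if json.NewDecoder(r.Body).Decode(&pr) != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		f.mu.Lock()
		defer f.mu.Unlock()
		f.Preauths++
		if _, exists := f.authsets[pr.PubKey]; exists && !pr.Force {
			w.WriteHeader(http.StatusConflict) // plain insert: duplicate authset
			return
		}
		f.authsets[pr.PubKey] = "preauthorized" // upsert: create or overwrite
		w.WriteHeader(http.StatusCreated)
	})
	return mux
}

// Gateway models the part of mender-gateway that talks to deviceauth.
type Gateway struct {
	Upstream string
	Client   *http.Client
}

func (g *Gateway) post(path string, body []byte) (int, string, error) {
	resp, err := g.Client.Post(g.Upstream+path, "application/json", bytes.NewReader(body))
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(b), err
}

// Authenticate forwards the request unchanged. Only when the client certificate
// verified and deviceauth answered 401 does it preauthorize with force and retry once.
func (g *Gateway) Authenticate(certVerified bool, ar authRequest) (int, string, error) {
	body, _ := json.Marshal(ar)
	status, token, err := g.post("/auth_requests", body)
	if err != nil || status != http.StatusUnauthorized || !certVerified {
		return status, token, err
	}
	pb, _ := json.Marshal(preauthRequest{IDData: ar.IDData, PubKey: ar.PubKey, Force: true})
	if pstatus, _, perr := g.post("/preauth", pb); perr != nil || pstatus != http.StatusCreated {
		return status, "", perr // keep the original 401 if preauthorize failed
	}
	return g.post("/auth_requests", body)
}

func main() {
	fake := NewFakeDeviceauth()
	srv := httptest.NewServer(fake.Handler())
	defer srv.Close()
	gw := &Gateway{Upstream: srv.URL, Client: srv.Client()}
	dev := authRequest{IDData: `{"mac":"00:11:22:33:44:55"}`, PubKey: "constructed-key-1"}
	for i := 0; i < 2; i++ { // second round: accepted, no preauthorize needed
		status, token, err := gw.Authenticate(true, dev)
		fmt.Println(status, token, err, "preauth calls:", fake.Preauths)
	}
}
```

The first round costs one preauthorize call because the forwarded request came back 401; the second round is a plain forward with no extra round trip, which is the saving the ticket is after. Without `Force` the second `/preauth` branch would return 409 here, which is the conflict the upsert change avoids.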

Affects versions

None

Environment

None

Activity


Peter Grzybowski, May 21, 2024 at 12:15 PM

Okay, I failed due to a significant amount of free days in Norway. I will try to get it out of band.

Peter Grzybowski, May 18, 2024 at 9:13 AM (edited)

It has the patch holding the majority of the changes required. It is in review :> Let's not pull it into the sprint for now – I will try to push for it before Sprint Review and Planning.

eystein.maloy.stenberg, May 14, 2024 at 10:50 PM

Is this good to go? I wanted to wrap up the remaining tasks here in the next sprint.

Alf-Rune Siqveland, April 12, 2024 at 8:46 AM

  • Update the deviceauth preauthorize force behavior

    • Change database insert operation to an “upsert” operation

Another option would be: add a parameter to the Device Authentication API (e.g. an HTTP header) that prevents deviceauth from creating the pending authset and instead returns 401 earlier.

Resolution: Fixed

Details

Remaining Story Points: 3
Days in progress: 0
Backlog: yes

Created April 12, 2024 at 8:30 AM
Updated July 11, 2024 at 9:42 AM
Resolved June 4, 2024 at 4:53 PM