BUG/MEDIUM: Disable TLS verification from SPOE (#52)

ShimmerGlass · web-flow · commit f98576a933e5 · 2020-05-26T12:24:09.000+02:00
Addtionnal TLS verification done in SPOE was causing problem as the haproxy fetch methods currently do not provide the full certificate chain. Since TLS verification was already enabled on haproxy side this just removes the additional verification done in SPOE. Fixes: #11
diff --git a/haproxy/spoe.go b/haproxy/spoe.go
@@ -42,39 +42,29 @@ func (h *SPOEHandler) Handler(args []spoe.Message) ([]spoe.Action, error) {
 			return nil, errors.Wrap(err, "spoe handler")
 		}
 
-		_, err = cert.Verify(x509.VerifyOptions{
-			Roots: cfg.CAsPool,
-		})
-		if err != nil {
-			log.Warnf("connect: error validating certificate: %s", err)
-		}
-
-		authorized := err == nil
 		sourceApp := ""
 
-		if authorized {
-			certURI, err := connect.ParseCertURI(cert.URIs[0])
-			if err != nil {
-				log.Printf("connect: invalid leaf certificate URI")
-				return nil, errors.New("connect: invalid leaf certificate URI")
-			}
+		certURI, err := connect.ParseCertURI(cert.URIs[0])
+		if err != nil {
+			log.Printf("connect: invalid leaf certificate URI")
+			return nil, errors.New("connect: invalid leaf certificate URI")
+		}
 
-			// Perform AuthZ
-			resp, err := h.c.Agent().ConnectAuthorize(&api.AgentAuthorizeParams{
-				Target:           cfg.ServiceName,
-				ClientCertURI:    certURI.URI().String(),
-				ClientCertSerial: connect.HexString(cert.SerialNumber.Bytes()),
-			})
-			if err != nil {
-				return nil, errors.Wrap(err, "spoe handler: authz call failed")
-			}
+		// Perform AuthZ
+		resp, err := h.c.Agent().ConnectAuthorize(&api.AgentAuthorizeParams{
+			Target:           cfg.ServiceName,
+			ClientCertURI:    certURI.URI().String(),
+			ClientCertSerial: connect.HexString(cert.SerialNumber.Bytes()),
+		})
+		if err != nil {
+			return nil, errors.Wrap(err, "spoe handler: authz call failed")
+		}
 
-			log.Debugf("spoe: auth response from %s authorized=%v", certURI.URI().String(), resp.Authorized)
+		log.Debugf("spoe: auth response from %s authorized=%v", certURI.URI().String(), resp.Authorized)
 
-			authorized = resp.Authorized
-			if sis, ok := certURI.(*connect.SpiffeIDService); ok {
-				sourceApp = sis.Service
-			}
+		authorized := resp.Authorized
+		if sis, ok := certURI.(*connect.SpiffeIDService); ok {
+			sourceApp = sis.Service
 		}
 
 		res := 1
