From 0171dcf29775d07625c32c1e067d3b457302e38f Mon Sep 17 00:00:00 2001
From: Michael Zimmermann <sigmaepsilon92@gmail.com>
Date: Wed, 22 Jun 2022 12:15:18 +0200
Subject: [PATCH] Implement TLS client authentication

---
 AUTHORS                       |  1 +
 README.md                     |  3 ++-
 changelog/unreleased/issue-73 |  7 +++++++
 cmd/rest-server/main.go       | 17 +++++++++++++++++
 handlers.go                   |  1 +
 5 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 changelog/unreleased/issue-73

diff --git a/AUTHORS b/AUTHORS
index bf565389..bd75f8b1 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -10,6 +10,7 @@ Kenny Keslar <r3dey3@r3dey3.com>
 Konrad Wojas <github@m.wojas.nl>
 Matthew Holt <mholt@users.noreply.github.com>
 Mebus <mebus.inbox@googlemail.com>
+Michael Zimmermann <sigmaepsilon92@gmail.com>
 Wayne Scott <wsc9tt@gmail.com>
 Zlatko Čalušić <zcalusic@bitsync.net>
 cgonzalez <chgonzalezg@gmail.com>
diff --git a/README.md b/README.md
index 0c13401c..2ff5ec40 100644
--- a/README.md
+++ b/README.md
@@ -49,6 +49,7 @@ Flags:
       --prometheus-no-auth           disable auth for Prometheus /metrics endpoint
       --proxy-auth-username string   specifies the HTTP header containing the username for proxy-based authentication
       --tls                          turn on TLS support
+      --tls-ca string                TLS CA certificate path
       --tls-cert string              TLS certificate path
       --tls-key string               TLS key path
       --tls-min-ver string           TLS min version, one of (1.2|1.3) (default "1.2")
@@ -71,7 +72,7 @@ If you want to disable authentication, you must add the `--no-auth` flag. If thi
 
 NOTE: In older versions of rest-server (up to 0.9.7), this flag does not exist and the server disables authentication if `.htpasswd` is missing or cannot be opened.
 
-By default the server uses HTTP protocol.  This is not very secure since with Basic Authentication, user name and passwords will be sent in clear text in every request.  In order to enable TLS support just add the `--tls` argument and add a private and public key at the root of your persistence directory. You may also specify private and public keys by `--tls-cert` and `--tls-key` and set the minimum TLS version to 1.3 using `--tls-min-ver 1.3`.
+By default the server uses HTTP protocol.  This is not very secure since with Basic Authentication, user name and passwords will be sent in clear text in every request.  In order to enable TLS support just add the `--tls` argument and add a private and public key at the root of your persistence directory. You may also specify private and public keys by `--tls-cert` and `--tls-key` and set the minimum TLS version to 1.3 using `--tls-min-ver 1.3`. Additionally, client authentication can be enabled by passing a CA certificate to `--tls-cacert`.
 
 Signed certificate is normally required by the restic backend, but if you just want to test the feature you can generate password-less unsigned keys with the following command:
 
diff --git a/changelog/unreleased/issue-73 b/changelog/unreleased/issue-73
new file mode 100644
index 00000000..e63db362
--- /dev/null
+++ b/changelog/unreleased/issue-73
@@ -0,0 +1,7 @@
+Enhancement: TLS Client Authentication
+
+It is now possible to require clients to provide a certificate that was signed
+by a certain CA.
+
+https://github.com/restic/rest-server/issues/73
+https://github.com/restic/rest-server/pull/193
diff --git a/cmd/rest-server/main.go b/cmd/rest-server/main.go
index 83d3e50a..09c56c3d 100644
--- a/cmd/rest-server/main.go
+++ b/cmd/rest-server/main.go
@@ -3,8 +3,10 @@ package main
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"errors"
 	"fmt"
+	"io/ioutil"
 	"log"
 	"net"
 	"net/http"
@@ -61,6 +63,7 @@ func newRestServerApp() *restServerApp {
 	flags.Int64Var(&rv.Server.MaxRepoSize, "max-size", rv.Server.MaxRepoSize, "the maximum size of the repository in bytes")
 	flags.StringVar(&rv.Server.Path, "path", rv.Server.Path, "data directory")
 	flags.BoolVar(&rv.Server.TLS, "tls", rv.Server.TLS, "turn on TLS support")
+	flags.StringVar(&rv.Server.TLSCACert, "tls-cacert", rv.Server.TLSCACert, "TLS CA certificate path")
 	flags.StringVar(&rv.Server.TLSCert, "tls-cert", rv.Server.TLSCert, "TLS certificate path")
 	flags.StringVar(&rv.Server.TLSKey, "tls-key", rv.Server.TLSKey, "TLS key path")
 	flags.StringVar(&rv.Server.TLSMinVer, "tls-min-ver", rv.Server.TLSMinVer, "TLS min version, one of (1.2|1.3)")
@@ -199,6 +202,20 @@ func (app *restServerApp) runRoot(_ *cobra.Command, _ []string) error {
 		return fmt.Errorf("Unsupported TLS min version: %s. Allowed versions are 1.2 or 1.3", app.Server.TLSMinVer)
 	}
 
+	if app.Server.TLSCACert != "" {
+		log.Printf("TLS Client Authentication enabled, CA cert %s", app.Server.TLSCACert)
+
+		caCert, err := ioutil.ReadFile(app.Server.TLSCACert)
+		if err != nil {
+			return fmt.Errorf("unable to read CA certificate: %w", err)
+		}
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM(caCert)
+
+		tlscfg.ClientAuth = tls.RequireAndVerifyClientCert
+		tlscfg.ClientCAs = caCertPool
+	}
+
 	srv := &http.Server{
 		Handler:   handler,
 		TLSConfig: tlscfg,
diff --git a/handlers.go b/handlers.go
index 5938edd2..de32b86d 100644
--- a/handlers.go
+++ b/handlers.go
@@ -20,6 +20,7 @@ type Server struct {
 	Listen               string
 	Log                  string
 	CPUProfile           string
+	TLSCACert            string
 	TLSKey               string
 	TLSCert              string
 	TLSMinVer            string