gURL always allow default auth challenge

102 views
Skip to first unread message

Zach Botterman

unread,
Sep 19, 2024, 3:30:31 PMSep 19
to munki-dev
Hello! 

Tldr
I recently ran into an issue when attempting to route Munki requests through a proxy. If authenticationMethod is NSURLAuthenticationMethodClientCertificate and no matching certificate is found the request is cancelled.

Proxy background
The proxy is used to authenticate requests to internal resources when not on an internal network. The proxy validates the client in different ways, one of which is a client cert, but the other is through some information we can check in the request headers.

Proposed solution
Before cancelling requests that have a specific authentication challenge, allow the default handler to run.
I found that instead of outright cancelling the request I could try to allow the default handler run NSURLSessionAuthChallengePerformDefaultHandling. This fixed my issue since the server still has another option to validate the request using the header information.

I have a fork I made the change in the one area that fixes my issue but this could maybe be used in other branches as well?

We should feel comfortable relying on the server to outright deny illegitimate requests and I don't believe this opens up any large security risk.

Happy to hear thoughts/feedback on this!

Rob Renstrom

unread,
Sep 19, 2024, 5:38:28 PMSep 19
to munki-dev
I use clients certs and tested this proposed change, and can confirm it doesn't break client cert authentication, since it will never hit that code path if a matching cert identity is found, so seems it would be a harmless change.

This is really an edge case where the server is configured to request a client cert, but Munki isn't configured to offer one, similar to https://github.com/munki/munki/issues/1095 where the server was misconfigured.

I'd suggest adding the following before the NSURLSessionAuthChallengePerformDefaultHandling call, so the log reflects what's happening.

 self.log('Allowing OS to handle authentication request')

If the server wasn't configured to request a client cert, it would have handled it with NSURLSessionAuthChallengePerformDefaultHandling, so this change essentially does the same as what happens here https://github.com/munki/munki/blob/main/code/client/munkilib/gurl.py#L743

-rob

Zach Botterman

unread,
Sep 19, 2024, 6:24:50 PMSep 19
to munki-dev
Thanks Rob for your thoughts and testing it out.

Yes, an edge case for sure. This allows us to use our proxy to expose certain internal endpoints with client certs (through a browser) or like in this case with auth information in the request headers.

I added the log to make sure we know what's happening, good call out.

I will fill out CLA so I can create a PR. Where should I send back this CLA?

Thanks!
Reply all
Reply to author
Forward
0 new messages