fix mTLS certificate check on agent to agent RPCs (#11998)

PR #11956 implemented a new mTLS RPC check to validate the role of the certificate used in the request, but further testing revealed two flaws: 1. client-only endpoints did not accept server certificates so the request would fail when forwarded from one server to another. 2. the certificate was being checked after the request was forwarded, so the check would happen over the server certificate, not the actual source. This commit checks for the desired mTLS level, where the client level accepts both, a server or a client certificate. It also validates the cercertificate before the request is forwarded.
2026-01-01 16:05:42 +03:00 · 2022-02-04 20:35:20 -05:00
parent 3fc73896a0
commit 29ffa02683
9 changed files with 165 additions and 101 deletions
--- a/.semgrep/rpc_endpoint.yml
+++ b/.semgrep/rpc_endpoint.yml
@@ -30,26 +30,11 @@ rules:
      # Pattern used by endpoints called exclusively between agents
      # (server -> server or client -> server)
      - pattern-not-inside: |
+          ... := validateTLSCertificateLevel(...)
+          ...
          if done, err := $A.$B.forward($METHOD, ...); done {
            return err
          }
-          ...
-          ... := validateLocalClientTLSCertificate(...)
-          ...
-      - pattern-not-inside: |
-          if done, err := $A.$B.forward($METHOD, ...); done {
-            return err
-          }
-          ...
-          ... := validateLocalServerTLSCertificate(...)
-          ...
-      - pattern-not-inside: |
-          if done, err := $A.$B.forward($METHOD, ...); done {
-            return err
-          }
-          ...
-          ... := validateTLSCertificate(...)
-          ...
      # Pattern used by some Node endpoints.
      - pattern-not-inside: |
          if done, err := $A.$B.forward($METHOD, ...); done {