bundle-server: add client cert verification

Add a '--client-ca' option to 'git-bundle-web-server' that, when specified,
loads a PEM-formatted certificate file and uses the cert(s) within to verify
client requests to the bundle web server. If the bundle server has been
configured with this option and the client does not send an appropriate
certificate, the TLS handshake will fail and the client will be unable to
connect.

Configuring both server TLS hosting (via the '--cert' and '--key' options)
and client cert validation (via '--client-ca') sets up mutual TLS (mTLS)
authentication on the bundle web server.

Signed-off-by: Victoria Dye <[email protected]>

Author: vdye

cmd/git-bundle-server/web-server.go

@@ -77,7 +77,7 @@ func (w *webServerCmd) startServer(ctx context.Context, args []string) error {
 	parser.Visit(func(f *flag.Flag) {
 		if webServerFlags.Lookup(f.Name) != nil {
 			value := f.Value.String()
-			if f.Name == "cert" || f.Name == "key" {
+			if f.Name == "cert" || f.Name == "key" || f.Name == "client-ca" {
 				// Need the absolute value of the path
 				value, err = filepath.Abs(value)
 				if err != nil {

cmd/git-bundle-web-server/bundle-server.go

@@ -3,6 +3,7 @@ package main
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"net/http"
 	"os"
@@ -32,7 +33,8 @@ func NewBundleWebServer(logger log.TraceLogger,
 	port string,
 	certFile string, keyFile string,
 	tlsMinVersion uint16,
-) *bundleWebServer {
+	clientCAFile string,
+) (*bundleWebServer, error) {
 	bundleServer := &bundleWebServer{
 		logger:          logger,
 		serverWaitGroup: &sync.WaitGroup{},
@@ -49,7 +51,7 @@ func NewBundleWebServer(logger log.TraceLogger,
 	// No TLS configuration to be done, return
 	if certFile == "" {
 		bundleServer.listenAndServeFunc = func() error { return bundleServer.server.ListenAndServe() }
-		return bundleServer
+		return bundleServer, nil
 	}
 
 	// Configure for TLS
@@ -59,7 +61,18 @@ func NewBundleWebServer(logger log.TraceLogger,
 	bundleServer.server.TLSConfig = tlsConfig
 	bundleServer.listenAndServeFunc = func() error { return bundleServer.server.ListenAndServeTLS(certFile, keyFile) }
 
-	return bundleServer
+	if clientCAFile != "" {
+		caBytes, err := os.ReadFile(clientCAFile)
+		if err != nil {
+			return nil, err
+		}
+		certPool := x509.NewCertPool()
+		certPool.AppendCertsFromPEM(caBytes)
+		tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
+		tlsConfig.ClientCAs = certPool
+	}
+
+	return bundleServer, nil
 }
 
 func (b *bundleWebServer) parseRoute(ctx context.Context, path string) (string, string, string, error) {

cmd/git-bundle-web-server/main.go

@@ -27,13 +27,18 @@ func main() {
 		cert := utils.GetFlagValue[string](parser, "cert")
 		key := utils.GetFlagValue[string](parser, "key")
 		tlsMinVersion := utils.GetFlagValue[uint16](parser, "tls-version")
+		clientCA := utils.GetFlagValue[string](parser, "client-ca")
 
 		// Configure the server
-		bundleServer := NewBundleWebServer(logger,
+		bundleServer, err := NewBundleWebServer(logger,
 			port,
 			cert, key,
 			tlsMinVersion,
+			clientCA,
 		)
+		if err != nil {
+			logger.Fatal(ctx, err)
+		}
 
 		// Start the server asynchronously
 		bundleServer.StartServerAsync(ctx)

cmd/utils/common-args.go

@@ -85,6 +85,7 @@ func WebServerFlags(parser argParser) (*flag.FlagSet, func(context.Context)) {
 	key := f.String("key", "", "The path to the certificate's private key")
 	tlsVersion := tlsVersionValue(tls.VersionTLS12)
 	f.Var(&tlsVersion, "tls-version", "The minimum TLS version the server will accept")
+	f.String("client-ca", "", "The path to the client authentication certificate authority PEM")
 
 	// Function to call for additional arg validation (may exit with 'Usage()')
 	validationFunc := func(ctx context.Context) {

docs/man/git-bundle-server.adoc

@@ -163,12 +163,12 @@ Generate an incremental bundle with latest updates to rust-lang/rust:
 $ git-bundle-server update rust-lang/rust
 ----
 
-Start an HTTPS web server on port 443 with certificate 'server.crt' and private
-key 'server.key':
+Start an HTTPS web server with mTLS authentication (given files 'ca.pem',
+'server.crt', 'server.key'):
 
 [source,console]
 ----
-$ git-bundle-server web-server start --force --port 443 --cert server.crt --key server.key
+$ git-bundle-server web-server start --force --port 443 --client-ca ca.pem --cert server.crt --key server.key
 ----
 
 == SEE ALSO

docs/man/server-options.asc

@@ -23,4 +23,9 @@
 +
 These strings match those used in the *http.sslVersion* Git config setting
 (see man:git-config[1]). The default value is *tlsv1.2*. If the server is not
-configured for TLS, this option is a no-op.
+configured for TLS, this option is a no-op.
+
+*--client-ca* _path_:::
+  Require that requests to the bundle server include a client certificate that
+  can be validated by the certificate authority file at the specified _path_.
+  No-op if *--cert* and *--key* are not configured.