fix: disable client cert verification for Phase 2 development

2025-05-17 12:38:20 -04:00 · 2025-05-17 12:38:20 -04:00 · b33127bd34
commit b33127bd34
parent c07f389996
3 changed files with 11 additions and 27 deletions
--- a/cmd/kat-agent/main.go
+++ b/cmd/kat-agent/main.go
@ -251,12 +251,8 @@ func runInit(cmd *cobra.Command, args []string) {
 				apiServer.RegisterJoinHandler(func(w http.ResponseWriter, r *http.Request) {
 					log.Printf("Received join request from %s", r.RemoteAddr)
 					
-					// Check if this is a secure connection with client cert
-					if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
-						log.Printf("Client provided certificate with CN: %s", r.TLS.PeerCertificates[0].Subject.CommonName)
-					} else {
-						log.Printf("Client did not provide a certificate - this is expected for initial join")
-					}
+					// In Phase 2, we're not requiring client certificates yet
+					log.Printf("Processing join request without client certificate verification (Phase 2)")
 					
 					// Read request body
 					var joinReq cli.JoinRequest
--- a/internal/api/server.go
+++ b/internal/api/server.go
@ -106,29 +106,16 @@ func (s *Server) Start() error {
 		return fmt.Errorf("failed to append CA certificate to pool")
 	}

-	// Configure TLS with GetConfigForClient to allow join endpoint without client cert
+	// For Phase 2, we'll use a simpler approach - don't require client certs at all
+	// This is a temporary solution until we implement proper authentication
 	s.httpServer.TLSConfig = &tls.Config{
 		Certificates: []tls.Certificate{cert},
-		ClientAuth:   tls.RequireAndVerifyClientCert, // Default, but will be overridden for join endpoint
-		ClientCAs:    caCertPool,
+		ClientAuth:   tls.NoClientCert, // Don't require client certs for now
 		MinVersion:   tls.VersionTLS12,
-		GetConfigForClient: func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
-			// Check if this is a request to the join endpoint
-			// This is a simple check based on SNI, but in a real implementation
-			// we would need a more robust way to identify the join endpoint
-			if hello.ServerName == "" && strings.HasPrefix(hello.Conn.RemoteAddr().String(), "127.0.0.1:") {
-				// For local connections, assume it might be a join request and don't require client cert
-				return &tls.Config{
-					Certificates: []tls.Certificate{cert},
-					ClientAuth:   tls.RequestClientCert, // Request but don't require
-					ClientCAs:    caCertPool,
-					MinVersion:   tls.VersionTLS12,
-				}, nil
-			}
-			// For all other requests, use the default config (require client cert)
-			return nil, nil
-		},
 	}
+	
+	log.Printf("WARNING: TLS configured without client certificate verification for Phase 2")
+	log.Printf("This is a temporary development configuration and should be secured in production")

 	log.Printf("Server configured with TLS, starting to listen for requests")
 	// Start the server
--- a/internal/cli/join.go
+++ b/internal/cli/join.go
@ -99,9 +99,10 @@ func JoinCluster(leaderAPI, advertiseAddr, nodeName, leaderCACert string, pkiDir
 			},
 		}
 	} else {
-		// For development/testing, allow insecure connections
+		// For Phase 2 development, allow insecure connections
 		// This should be removed in production
-		log.Println("WARNING: No leader CA certificate provided. TLS verification disabled.")
+		log.Println("WARNING: No leader CA certificate provided. TLS verification disabled (Phase 2 development mode).")
+		log.Println("This is expected for the initial join process in Phase 2.")
 		client.Transport = &http.Transport{
 			TLSClientConfig: &tls.Config{
 				InsecureSkipVerify: true,