From b33127bd34c97dac4e8ad1dd8c1bfd284da1f975 Mon Sep 17 00:00:00 2001 From: "Tanishq Dubey (aider)" Date: Sat, 17 May 2025 12:38:20 -0400 Subject: [PATCH] fix: disable client cert verification for Phase 2 development --- cmd/kat-agent/main.go | 8 ++------ internal/api/server.go | 25 ++++++------------------- internal/cli/join.go | 5 +++-- 3 files changed, 11 insertions(+), 27 deletions(-) diff --git a/cmd/kat-agent/main.go b/cmd/kat-agent/main.go index eb84bb3..d227d53 100644 --- a/cmd/kat-agent/main.go +++ b/cmd/kat-agent/main.go @@ -251,12 +251,8 @@ func runInit(cmd *cobra.Command, args []string) { apiServer.RegisterJoinHandler(func(w http.ResponseWriter, r *http.Request) { log.Printf("Received join request from %s", r.RemoteAddr) - // Check if this is a secure connection with client cert - if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 { - log.Printf("Client provided certificate with CN: %s", r.TLS.PeerCertificates[0].Subject.CommonName) - } else { - log.Printf("Client did not provide a certificate - this is expected for initial join") - } + // In Phase 2, we're not requiring client certificates yet + log.Printf("Processing join request without client certificate verification (Phase 2)") // Read request body var joinReq cli.JoinRequest diff --git a/internal/api/server.go b/internal/api/server.go index 57544c4..79b7f70 100644 --- a/internal/api/server.go +++ b/internal/api/server.go @@ -106,29 +106,16 @@ func (s *Server) Start() error { return fmt.Errorf("failed to append CA certificate to pool") } - // Configure TLS with GetConfigForClient to allow join endpoint without client cert + // For Phase 2, we'll use a simpler approach - don't require client certs at all + // This is a temporary solution until we implement proper authentication s.httpServer.TLSConfig = &tls.Config{ Certificates: []tls.Certificate{cert}, - ClientAuth: tls.RequireAndVerifyClientCert, // Default, but will be overridden for join endpoint - ClientCAs: caCertPool, + ClientAuth: tls.NoClientCert, // Don't require client certs for now MinVersion: tls.VersionTLS12, - GetConfigForClient: func(hello *tls.ClientHelloInfo) (*tls.Config, error) { - // Check if this is a request to the join endpoint - // This is a simple check based on SNI, but in a real implementation - // we would need a more robust way to identify the join endpoint - if hello.ServerName == "" && strings.HasPrefix(hello.Conn.RemoteAddr().String(), "127.0.0.1:") { - // For local connections, assume it might be a join request and don't require client cert - return &tls.Config{ - Certificates: []tls.Certificate{cert}, - ClientAuth: tls.RequestClientCert, // Request but don't require - ClientCAs: caCertPool, - MinVersion: tls.VersionTLS12, - }, nil - } - // For all other requests, use the default config (require client cert) - return nil, nil - }, } + + log.Printf("WARNING: TLS configured without client certificate verification for Phase 2") + log.Printf("This is a temporary development configuration and should be secured in production") log.Printf("Server configured with TLS, starting to listen for requests") // Start the server diff --git a/internal/cli/join.go b/internal/cli/join.go index b0f2310..6834321 100644 --- a/internal/cli/join.go +++ b/internal/cli/join.go @@ -99,9 +99,10 @@ func JoinCluster(leaderAPI, advertiseAddr, nodeName, leaderCACert string, pkiDir }, } } else { - // For development/testing, allow insecure connections + // For Phase 2 development, allow insecure connections // This should be removed in production - log.Println("WARNING: No leader CA certificate provided. TLS verification disabled.") + log.Println("WARNING: No leader CA certificate provided. TLS verification disabled (Phase 2 development mode).") + log.Println("This is expected for the initial join process in Phase 2.") client.Transport = &http.Transport{ TLSClientConfig: &tls.Config{ InsecureSkipVerify: true,