Implement mutual TLS authentication Add a pair of flags tls_client_certificate / tls_client_key to specify a certificate and corresponding key, which allow Bazel to authenticate itself over TLS to a remote cache or remote executor. Before this change, Bazel only supports Google Cloud authentication, which requires an open network connection to Google Cloud on the client as well as on the server. I have heard from one user that they are tunneling their traffic over a VPN and then perform no client authentication in their remote caching system. I heard from another user that they have locally patched Bazel to enable mTLS (but have not upstreamed the patch). Finally, there is also a pending feature request. Compared to other authentication mechanisms, mTLS is already supported by gRPC out of the box. I added test coverage by also adding a --tls_ca_certificate to the local remote worker, and updating the existing TLS test to also run with an mTLS configuration. I had to generate a new ca cert/key pair in order to sign a new client certificate (and also re-generate the server cert/key pair); these are checked in as testdata. Note that the generator script given there already supports generating both server and client cert/key pairs, so no change to the documentation was necessary. Fixes #10735. Change-Id: I8c9fdab11d172a4cc8a2b80de43faa48086cc893 Closes #11030. Change-Id: I8c9fdab11d172a4cc8a2b80de43faa48086cc893 NOKEYCHECK=True PiperOrigin-RevId: 304041337

commit: 0a75645f03fcbdb14c6dfa54206d23e02e7edbd6 [log] [tgz]
author: Ulf Adams <ulf@engflow.com> Tue Mar 31 14:02:55 2020 -0700
committer: Copybara-Service <copybara-worker@google.com> Tue Mar 31 14:04:02 2020 -0700
tree: 0859fd7922f3e446bbc1588ddd165b53577d8055
parent: 7fe4e8e45db7bea1565d6082a9df8c46999d8b5d [diff] [blame]
diff --git a/src/test/testdata/test_tls_certificate/server.crt b/src/test/testdata/test_tls_certificate/server.crt
index 3cfae90..25a9e8a 100644
--- a/src/test/testdata/test_tls_certificate/server.crt
+++ b/src/test/testdata/test_tls_certificate/server.crt

@@ -1,27 +1,27 @@
 -----BEGIN CERTIFICATE-----
-MIIEnjCCAoYCAQEwDQYJKoZIhvcNAQEFBQAwFDESMBAGA1UEAwwJbG9jYWxob3N0
-MCAXDTE5MDQyNTA2NTcxN1oYDzI5OTkwNjI2MDY1NzE3WjAUMRIwEAYDVQQDDAls
-b2NhbGhvc3QwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDQJwu4CLzB
-XHkWUaiW7CpHvUyq8SP3tV3l+havZA+tkdhS+U6mo0xQOIZPSzxmj6xBk7elC42N
-0mKKFZQ9ZkErHjmBT0dy/Djlm2dEN8sCN00n74UMWR/QoBygV2hBGgHLGwQ8/9tY
-eVxXh84xikIPnCvlAzbWHd+2gN1RI6n7fz1Z0nO6mk6Q7hi5x6XtBnz2908o0VEb
-JQYSu0LRL2vu7QYmnJ/1bqM0peq5n+ellCt8qiEmcTcw23jHGqlsyTy9vrJCO0Up
-LKZ2SR9wewbAnImZAPDWytQEVpCP6eEiIdNyDvYsTeoUPECklNUi9Iy25gZPeptC
-x8YWeZGZXen/Nct416bH8VrYqmjhArXfimUiw/TdREOlvVFmcBpuvTKXKVpvuyIf
-XK9mQVg7ITRnXIvJBoapcV0EaaFykCvRMDvGqwiR05da+ZlH6TykJ74BV0y1NFY0
-XJrzhYvGPYF3nP3wDqHd4BJBNecT+26GN5Y3Z0fyBCf52nyhWKU+Cj1bXILNs9wt
-A08HL1B09vFpm8TIBYnUDbQQpYumwiN0qzlRuXOR5AfmvFJoVSFvD0BW4itX0nY+
-3ep5Zia4TRbhYOSHPPaln4RfxEWh8ERh9EU3TAPbqv/Rl0HUL4e3kN32pamRH9+8
-7j2bet8BoDngwgyHFYAtD9j/LtmEhRKSzQIDAQABMA0GCSqGSIb3DQEBBQUAA4IC
-AQBogMIcx+S+X/hZFCLcZIfGCqDjkscnrEM0pMd3xZJq34ETlwB0gnNC6jVjFgmI
-IDcY3ShezLNeMB61p3DPtDm7ILJZgtmtXFzasxuTcvvPg6YPKoz4h1hAmt7BIDDW
-nAxUVdm8mYaU1GVzxgqeWsn38tZtr02IwZxpNn4J/tirs/lCB++NnyaIY0HZUVp9
-3XVa1hPv2R4E4lr1hyqHECU5rllM/qMV8sWdg5TVw/TJa3RFmNL7wXUEGxtrlwb1
-kSVjzq+CvUSIzj6MG9EbPhghEQ/GdbmRileUBA4/LXb48eyP8KMgYhxMEX4HQGoX
-eIMaqzL2T9uod5x+IOJpc8zGFtzxinoqzr3gXXik4PkvW1UXw6GFRt0BWMxtBfyl
-nw6i6qE9D2PnrTKCVw3q/+VruasEAXTSJI9KVlx5N8FjK0tIGN80efASZZZZqRu/
-tpzb5Itt1PXzF6Vu2eKD0WwNgPKex4vkM1DaC2qjUOyDxDpW90Cca7ME20NzcZtH
-Tqh6fNqZGGJ1lqs68ktUk7TpeqWq2Na3wvxX9Vo8OOcg9PNCmtCqz4bwsrvRggZ9
-CHZCKkYKGm39+8+7Kw2lGPjI0OGnjI+H8o4UufnKQO3E7iRbNf4XqSVqdHUd5wq7
-NIcCib5W2vgxYoZ+40NXiJy+ze4zEl4Xureqp1tXjlcjMA==
+MIIEnjCCAoYCAQEwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJbG9jYWxob3N0
+MCAXDTIwMDMyNjIwMTgxNFoYDzMwMDAwNTI4MjAxODE0WjAUMRIwEAYDVQQDDAls
+b2NhbGhvc3QwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDEtHPdOrBR
+ZLtfRCSeYdgydj/DBZRfCoHm2uZuBblo31pP17sGoo57d/yZNw+naEZIfGVNZDWE
+teBXQyR/zi+8cHelDiV+wLxprc9sCFYgssK/XPY2+iZBx1c00Vz7isK7dGcp/VRn
+ZrypYhCnSoOmg5UmxGCHOdp5xHZdGXJznDLd5pL/PRKlszX8nLa4kKGbbMwYH/bF
+2jHoMGN9ViS+C/cAuRaF5Cj2p9OvywC/9cy1GiincYRE7auMCbBZgF0JueCCCJ7E
+By2coNVXT/Sx2X+pRwM13kV1kcrcIyt8Kt3qk/kfF0wkLkPoHmbkhDb5b4jFiSqf
+BHjzuZfqsFSQ0QLYp0tTMDPe6Jm8PbJXVxEseGfkX5MK73Pxe5pid38xWHA907K/
+K9yCPQGbnUNMNaYlAPb2aMgS0N86Pr9RJUhxX5RaksCpHiod5YA1JQQtsUf36zkq
+USWF4eApCuu2myK8zm+xtWBuI3Njllmcd91ZeMWkVb46alQfbI+n8wy6WcV/NC+E
+on9DUtUfwaetBQ2nWp7MmN1hpA2oypYa8TYDx6ZlbL8vpkW4KpBvlZdYxeE34ltF
+BwsroHL58mLBA712xZMa54GYNe3rKd4waQFhD41RAe1H9Y5PhDJpjEmAXEyTX9FL
+RcHRpAkTdcBDQLy4bLAGXmyK6/L1Bw3kWQIDAQABMA0GCSqGSIb3DQEBCwUAA4IC
+AQCzNiFaGDwv7IT+UHeY3VRuK2xyfIsIx/6lcWXIxonFfemxrWoVQs376aZnuvWO
+NKfowUWkn/OSA3y5lmU6eUOQxMUTBPpYhU5BtiIagqHOl612wBbicmN3j9gOm8tJ
+WxWVq8CV1yg7vOJwnEdkTwEDUhn3jRIDlwr0+pDVoGuB/IplsFq34GCAVjJan9DH
+c+YiJpdB16jkUAM+8N7NM4GCQm6TBfQmK7piMIxVQLAEUmp6jS/1jgYjKHo+hkkb
+qn8K7wePGCJJlRVF6kGSsCKUa12Q7gQKeLGulSA2pDaYnAZmWVKVfGIcKAs0WHr2
+9Spoku2iPSYgd6pWUmIb9rFrF+okiWTwS/xkSu30YkzERZXUp7zSyhiByfc4Z/+r
+UxZW5dbCKJiUtIkNaPmCNTEMgrMBMn4Ikl4otuN1o4BDPVbt7ww2eMz4V2t+cXuE
+FZhh0h8qegA9BX7xqwRg87fZ4pzqUkV8M2QDELCeQUHqTGtYyQJb6iAbPEhT9RUv
+81oT4lZQACVzOezEFUtvihxSg4r5HmXB+XqmWRPV9vvzSPHDQmOXAxqVy6oxAzmE
++YapQymDX7QhFHLkck6KwdGYIHftdrzyN6h9HZUEcErFfPvL/OtP8WYzgVI3a1Pg
+4UStoJkuEH+bbJyEH4c4pMZ9RkU91PN6bvs4lFK4DSQ8Qw==
 -----END CERTIFICATE-----
commit	0a75645f03fcbdb14c6dfa54206d23e02e7edbd6	[log] [tgz]
author	Ulf Adams <ulf@engflow.com>	Tue Mar 31 14:02:55 2020 -0700
committer	Copybara-Service <copybara-worker@google.com>	Tue Mar 31 14:04:02 2020 -0700
tree	0859fd7922f3e446bbc1588ddd165b53577d8055
parent	7fe4e8e45db7bea1565d6082a9df8c46999d8b5d [diff] [blame]