m/c/metroctl: implement TOFU for CA certificates
This implements trust-on-first-use (TOFU) for connecting to a Metropolis
cluster.
If no locally persisted CA is available, one will be retrieved from the
cluster. If it is then accepted, it will be persisted for future use.
To retrieve the Cluster CA certificate we implement a new
unauthenticated call in the CuratorLocal service. The alternative would
be to include the CA certificate in the served TLS chain, but that would
likely cause some backwards compatibility problems with existing client
software.
Full TOFU (with an SSH style prompt) will be performed when the user
first takes ownership of a cluster. Otherwise, user credentials
including a certificate will be present, which allows the process to be
simplified by just retrieving a remote CA and checking it against the
signature of the credentials.
Change-Id: I20002399935c2f13adc4526f5cceddad84b36a8f
Reviewed-on: https://review.monogon.dev/c/monogon/+/2743
Tested-by: Jenkins CI
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
diff --git a/metropolis/cli/metroctl/main.go b/metropolis/cli/metroctl/main.go
index 698dbbc..e3ae92b 100644
--- a/metropolis/cli/metroctl/main.go
+++ b/metropolis/cli/metroctl/main.go
@@ -1,6 +1,8 @@
package main
import (
+ "context"
+ "crypto/x509"
"log"
"path/filepath"
@@ -35,6 +37,10 @@
// output is an optional output file path the resulting data will be saved
// at. If unspecified, the data will be written to stdout.
output string
+ // acceptAnyCA will persist the first encountered (while connecting) CA
+ // certificate of the cluster as the trusted CA certificate for this cluster.
+ // This is unsafe and should only be used for testing.
+ acceptAnyCA bool
}
var flags metroctlFlags
@@ -47,6 +53,7 @@
rootCmd.PersistentFlags().StringVar(&flags.format, "format", "plaintext", "Data output format")
rootCmd.PersistentFlags().StringVar(&flags.filter, "filter", "", "The object filter applied to the output data")
rootCmd.PersistentFlags().StringVarP(&flags.output, "output", "o", "", "Redirects output to the specified file")
+ rootCmd.PersistentFlags().BoolVar(&flags.acceptAnyCA, "insecure-accept-and-persist-first-encountered-ca", false, "Accept the first encountered CA while connecting as the trusted CA for future metroctl connections with this config path. This is very insecure and should only be used for testing.")
}
// rpcLogger passes through the cluster resolver logs, if "--verbose" flag was
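Review bot: The new `--insecure-accept-and-persist-first-encountered-ca` flag is registered like every other persistent flag, so it is advertised in `--help` alongside the safe options even though its own help text says it exists only for testing. Consider hiding it from the listing with `cobra.CheckErr(rootCmd.PersistentFlags().MarkHidden("insecure-accept-and-persist-first-encountered-ca"))` directly after the `BoolVar` call, so only users who already know about it reach for it while the flag keeps working unchanged. The enclosing function starts outside the hunk.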
@@ -61,13 +68,24 @@
cobra.CheckErr(rootCmd.Execute())
}
+type acceptall struct{}
+
+func (a *acceptall) Ask(ctx context.Context, _ *core.ConnectOptions, _ *x509.Certificate) (bool, error) {
+ return true, nil
+}
+
// connectOptions returns core.ConnectOptions as defined by the metroctl flags
// currently set.
func connectOptions() *core.ConnectOptions {
+ var tofu core.CertificateTOFU
+ if flags.acceptAnyCA {
+ tofu = &acceptall{}
+ }
return &core.ConnectOptions{
ConfigPath: flags.configPath,
ProxyServer: flags.proxyAddr,
Endpoints: flags.clusterEndpoints,
ResolverLogger: rpcLogger,
+ TOFU: tofu,
}
}
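Review bot: `acceptall.Ask` returns true without any output, so when the insecure flag is set the CA that gets persisted under the config path is never shown to the user; logging it at the point of acceptance gives the operator a record of what was trusted, e.g. change the signature to `func (*acceptall) Ask(_ context.Context, _ *core.ConnectOptions, cert *x509.Certificate) (bool, error) {` and add `log.Printf("accepting and persisting cluster CA %q without verification (insecure flag set)", cert.Subject.String())` before the `return true, nil` (`log` is already imported per the first hunk; this assumes the caller never passes a nil certificate, which is worth confirming against core's TOFU contract). The type itself also lacks a doc comment, so a line such as `// acceptall implements core.CertificateTOFU by trusting whatever CA the cluster presents; it backs --insecure-accept-and-persist-first-encountered-ca and is for testing only.` would state the intent where the type is defined rather than only on the flag.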