m/n/core/curator: authenticated RPC
This adds authentication middleware (server interceptors) for gRPC
services running on the public curator listener.
Most of this code is test harnesses that start up just the curator
listener, with enough of a copy of a real Metropolis cluster's PKI
infrastructure to be able to run tests against GetRegisterTicket.
Change-Id: I429ff29e3c1233d74e8da619ddb543d56bc051b9
Reviewed-on: https://review.monogon.dev/c/monogon/+/311
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
diff --git a/metropolis/node/core/cluster/node.go b/metropolis/node/core/cluster/node.go
index 0e3c29a..af5b654 100644
--- a/metropolis/node/core/cluster/node.go
+++ b/metropolis/node/core/cluster/node.go
@@ -7,8 +7,6 @@
"crypto/x509"
"fmt"
- "google.golang.org/grpc/credentials"
-
"source.monogon.dev/metropolis/node/core/curator"
"source.monogon.dev/metropolis/node/core/localstorage"
)
@@ -20,6 +18,12 @@
ca *x509.Certificate
}
+// ClusterCA returns the CA certificate of the cluster for which this
+// NodeCertificate is emitted.
+func (n *NodeCertificate) ClusterCA() *x509.Certificate {
+ return n.ca
+}
+
// NodeCredentials are the public and private part of the credentials of a node.
//
// It represents all the data necessary for a node to authenticate over mTLS to
@@ -142,21 +146,9 @@
return curator.NodeID(nc.PublicKey())
}
-// PublicGRPCServerCredentials returns gRPC TransportCredentials that should be
-// used by this node to run public gRPC services (ie. the AAA service and any
-// other management/user services).
-//
-// SECURITY: The returned TransportCredentials accepts _any_ client certificate
-// served by the client and does not perform any verification. The gRPC service
-// instance (via per-method checks or middleware) should perform user
-// authentication/authorization.
-func (nc *NodeCredentials) PublicGRPCServerCredentials() credentials.TransportCredentials {
- tlsCert := tls.Certificate{
+func (nc *NodeCredentials) TLSCredentials() tls.Certificate {
+ return tls.Certificate{
Certificate: [][]byte{nc.node.Raw},
PrivateKey: nc.private,
}
- return credentials.NewTLS(&tls.Config{
- Certificates: []tls.Certificate{tlsCert},
- ClientAuth: tls.RequireAnyClientCert,
- })
}
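Review bot: The new exported method TLSCredentials (L47) has no doc comment, and the SECURITY note that came with the removed PublicGRPCServerCredentials is dropped without a replacement even though the returned certificate feeds a tls.Config built elsewhere. Since the ClientAuth policy (previously tls.RequireAnyClientCert with no verification) is now decided by whoever consumes this value, the comment should state that contract, e.g. `// TLSCredentials returns this node's certificate and private key as a tls.Certificate, for use in the TLS config of the node's public listener.` followed by `// SECURITY: this carries no client-verification policy; the caller building the tls.Config (and the gRPC interceptors behind it) is responsible for client authentication/authorization.` The listener/tls.Config code that now sets ClientAuth is outside this hunk, so it is worth confirming that a verification step exists there.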