Gitiles
Code Review Sign In
gerrit-dev.monogon.dev / monogon / 07541ae311e9477cf1e5a20af82a81ee77840afe / . / metropolis / node / core / rpc / client.go
blob: 4b64654986479d7cdc1b74c3533389a3d03914da [file] [log] [blame]
Serge Bazanskid7d6e022021-09-01 15:03:06 +0200[diff] [blame]1package rpc
2
3import (
4 "context"
5 "crypto/ed25519"
6 "crypto/rand"
7 "crypto/tls"
8 "crypto/x509"
9 "fmt"
10 "math/big"
11 "time"
12
Serge Bazanskid7d6e022021-09-01 15:03:06 +0200[diff] [blame]13 "google.golang.org/grpc/credentials"
Serge Bazanski636032e2022-01-26 14:21:33 +0100[diff] [blame]14 "google.golang.org/grpc/status"
Serge Bazanskid7d6e022021-09-01 15:03:06 +0200[diff] [blame]15
Serge Bazanski3379a5d2021-09-09 12:56:40 +0200[diff] [blame]16 "source.monogon.dev/metropolis/node/core/identity"
Serge Bazanskid7d6e022021-09-01 15:03:06 +0200[diff] [blame]17 apb "source.monogon.dev/metropolis/proto/api"
18)
19
Serge Bazanski4ac71122023-07-24 13:08:34 +0200[diff] [blame]20// UnknownNotAfter is a copy of //metroplis/pkg/pki.UnknownNotAfter.
21//
22// We copy it so that we can decouple the rpc package from the pki package, the
23// former being used by metroctl (and thus needing to be portable), the latter
24// having a dependency on fileargs (which isn't portable). The correct solution
25// here is to clarify portability policy of each workspace path, and apply it.
26// But this will do for now.
27//
28// TODO(issues/252): clean up and merge this back.
29var UnknownNotAfter = time.Unix(253402300799, 0)
30
Serge Bazanski3379a5d2021-09-09 12:56:40 +0200[diff] [blame]31type verifyPeerCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error
32
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]33func verifyClusterCertificateAndNodeID(ca *x509.Certificate, nodeID string) verifyPeerCertificate {
Serge Bazanski3379a5d2021-09-09 12:56:40 +0200[diff] [blame]34 return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
35 if len(rawCerts) != 1 {
36 return fmt.Errorf("server presented %d certificates, wanted exactly one", len(rawCerts))
37 }
38 serverCert, err := x509.ParseCertificate(rawCerts[0])
39 if err != nil {
40 return fmt.Errorf("server presented unparseable certificate: %w", err)
41 }
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]42 pkey, err := identity.VerifyNodeInCluster(serverCert, ca)
43 if err != nil {
Serge Bazanski3379a5d2021-09-09 12:56:40 +0200[diff] [blame]44 return fmt.Errorf("node certificate verification failed: %w", err)
45 }
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]46 if nodeID != "" {
47 id := identity.NodeID(pkey)
48 if id != nodeID {
49 return fmt.Errorf("wanted to reach node %q, got %q", nodeID, id)
50 }
51 }
Serge Bazanski3379a5d2021-09-09 12:56:40 +0200[diff] [blame]52
53 return nil
54 }
55}
56
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]57func verifyFail(err error) verifyPeerCertificate {
58 return func(_ [][]byte, _ [][]*x509.Certificate) error {
59 return err
60 }
61}
62
Serge Bazanski399ce552022-03-29 12:52:42 +0200[diff] [blame]63// NewEphemeralCredentials returns gRPC TransportCredentials that can be used to
64// dial a cluster without authenticating with a certificate, but instead
65// authenticating by proving the possession of a private key, via an ephemeral
66// self-signed certificate.
Serge Bazanskid7d6e022021-09-01 15:03:06 +0200[diff] [blame]67//
Serge Bazanski399ce552022-03-29 12:52:42 +0200[diff] [blame]68// Currently these credentials are used in two flows:
69//
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]70// 1. Registration of nodes into a cluster, after which a node receives a proper
71// node certificate
Serge Bazanski399ce552022-03-29 12:52:42 +0200[diff] [blame]72//
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]73// 2. Escrow of initial owner credentials into a proper manager
74// certificate
Serge Bazanskid7d6e022021-09-01 15:03:06 +0200[diff] [blame]75//
Serge Bazanski0c280152024-02-05 14:33:19 +0100[diff] [blame]76// The given opts can be used to lock down the remote side of the connection, eg.
77// expecting a given cluster CA certificate or disabling remote side verification
78// by using WantInsecure().
79func NewEphemeralCredentials(private ed25519.PrivateKey, opts ...CredentialsOpt) (credentials.TransportCredentials, error) {
Serge Bazanskid7d6e022021-09-01 15:03:06 +0200[diff] [blame]80 template := x509.Certificate{
81 SerialNumber: big.NewInt(1),
82 NotBefore: time.Now(),
Serge Bazanski4ac71122023-07-24 13:08:34 +0200[diff] [blame]83 NotAfter: UnknownNotAfter,
Serge Bazanskid7d6e022021-09-01 15:03:06 +0200[diff] [blame]84
Serge Bazanski3379a5d2021-09-09 12:56:40 +0200[diff] [blame]85 KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
Serge Bazanskid7d6e022021-09-01 15:03:06 +0200[diff] [blame]86 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
87 BasicConstraintsValid: true,
88 }
89 certificateBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, private.Public(), private)
90 if err != nil {
91 return nil, fmt.Errorf("when generating self-signed certificate: %w", err)
92 }
93 certificate := tls.Certificate{
94 Certificate: [][]byte{certificateBytes},
95 PrivateKey: private,
96 }
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]97 return NewAuthenticatedCredentials(certificate, opts...), nil
98}
99
Serge Bazanski0c280152024-02-05 14:33:19 +0100[diff] [blame]100// CredentialsOpt are created using WantXXX functions and used in
101// NewCredentials.
102type CredentialsOpt struct {
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]103 wantCA *x509.Certificate
104 wantNodeID string
105 insecureOkay bool
106}
107
Serge Bazanski0c280152024-02-05 14:33:19 +0100[diff] [blame]108func (a *CredentialsOpt) merge(o *CredentialsOpt) {
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]109 if a.wantNodeID == "" && o.wantNodeID != "" {
110 a.wantNodeID = o.wantNodeID
111 }
112 if a.wantCA == nil && o.wantCA != nil {
113 a.wantCA = o.wantCA
114 }
115 if !a.insecureOkay && o.insecureOkay {
116 a.insecureOkay = o.insecureOkay
117 }
118}
119
120// WantRemoteCluster enables the verification of the remote cluster identity when
121// using NewAuthanticatedCredentials. If the connection is not terminated at a
122// cluster with the given CA certificate, an error will be returned.
123//
124// This is the bare minimum option required to implement secure connections to
125// clusters.
Serge Bazanski0c280152024-02-05 14:33:19 +0100[diff] [blame]126func WantRemoteCluster(ca *x509.Certificate) CredentialsOpt {
127 return CredentialsOpt{
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]128 wantCA: ca,
129 }
130}
131
132// WantRemoteNode enables the verification of the remote node identity when using
Serge Bazanski0c280152024-02-05 14:33:19 +0100[diff] [blame]133// NewCredentials. If the connection is not terminated at the node
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]134// ID 'id', an error will be returned. For this function to work,
135// WantRemoteCluster must also be set.
Serge Bazanski0c280152024-02-05 14:33:19 +0100[diff] [blame]136func WantRemoteNode(id string) CredentialsOpt {
137 return CredentialsOpt{
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]138 wantNodeID: id,
139 }
140}
141
142// WantInsecure disables the verification of the remote side of the connection
Serge Bazanski0c280152024-02-05 14:33:19 +0100[diff] [blame]143// via NewCredentials. This is unsafe.
144func WantInsecure() CredentialsOpt {
145 return CredentialsOpt{
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]146 insecureOkay: true,
147 }
Serge Bazanski3379a5d2021-09-09 12:56:40 +0200[diff] [blame]148}
Serge Bazanskid7d6e022021-09-01 15:03:06 +0200[diff] [blame]149
Serge Bazanski0c280152024-02-05 14:33:19 +0100[diff] [blame]150// NewAuthenticatedCredentials returns gRPC TransportCredentials that can be used
151// to dial a cluster with a given TLS certificate (from node or manager
Serge Bazanski399ce552022-03-29 12:52:42 +0200[diff] [blame]152// credentials).
153//
Serge Bazanski0c280152024-02-05 14:33:19 +0100[diff] [blame]154// The provided CredentialsOpt specify the verification of the remote side of the
155// connection. When connecting to a cluster (any node), use WantRemoteCluster. If
156// you also want to verify the connection to a particular node, specify
157// WantRemoteNode alongside it. If no verification should be performed use
158// WantInsecure.
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]159//
160// The given options are parsed on a first-wins basis.
Serge Bazanski0c280152024-02-05 14:33:19 +0100[diff] [blame]161func NewAuthenticatedCredentials(cert tls.Certificate, opts ...CredentialsOpt) credentials.TransportCredentials {
Serge Bazanski399ce552022-03-29 12:52:42 +0200[diff] [blame]162 config := &tls.Config{
163 Certificates: []tls.Certificate{cert},
164 InsecureSkipVerify: true,
165 }
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]166
Serge Bazanski0c280152024-02-05 14:33:19 +0100[diff] [blame]167 var merged CredentialsOpt
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]168 for _, o := range opts {
169 merged.merge(&o)
Serge Bazanski399ce552022-03-29 12:52:42 +0200[diff] [blame]170 }
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]171
172 if merged.insecureOkay {
Serge Bazanski0c280152024-02-05 14:33:19 +0100[diff] [blame]173 if merged.wantNodeID != "" {
174 config.VerifyPeerCertificate = verifyFail(fmt.Errorf("WantInsecure specified alongside WantRemoteNode"))
175 } else if merged.wantCA != nil {
176 config.VerifyPeerCertificate = verifyFail(fmt.Errorf("WantInsecure specified alongside WantRemoteCluster"))
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]177 }
178 } else {
179 switch {
Serge Bazanski0c280152024-02-05 14:33:19 +0100[diff] [blame]180 case merged.wantNodeID == "" && merged.wantCA == nil:
181 config.VerifyPeerCertificate = verifyFail(fmt.Errorf("WantRemoteNode/WantRemoteCluster/WantInsecure not specified"))
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]182 case merged.wantNodeID != "" && merged.wantCA == nil:
183 config.VerifyPeerCertificate = verifyFail(fmt.Errorf("WantRemoteNode also requires WantRemoteCluster"))
184 case merged.wantCA == nil:
185 config.VerifyPeerCertificate = verifyFail(fmt.Errorf("no AuthenticaedCreentialsOpts specified"))
186 default:
187 config.VerifyPeerCertificate = verifyClusterCertificateAndNodeID(merged.wantCA, merged.wantNodeID)
188 }
189 }
190
Serge Bazanski399ce552022-03-29 12:52:42 +0200[diff] [blame]191 return credentials.NewTLS(config)
Serge Bazanskid7d6e022021-09-01 15:03:06 +0200[diff] [blame]192}
193
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]194// RetrieveOwnerCertificate uses AAA.Escrow to retrieve a cluster manager
Serge Bazanskid7d6e022021-09-01 15:03:06 +0200[diff] [blame]195// certificate for the initial owner of the cluster, authenticated by the
196// public/private key set in the clusters NodeParameters.ClusterBoostrap.
197//
198// The retrieved certificate can be used to dial further cluster RPCs.
199func RetrieveOwnerCertificate(ctx context.Context, aaa apb.AAAClient, private ed25519.PrivateKey) (*tls.Certificate, error) {
200 srv, err := aaa.Escrow(ctx)
201 if err != nil {
Serge Bazanski636032e2022-01-26 14:21:33 +0100[diff] [blame]202 if st, ok := status.FromError(err); ok {
203 return nil, status.Errorf(st.Code(), "Escrow call failed: %s", st.Message())
204 }
205 return nil, err
Serge Bazanskid7d6e022021-09-01 15:03:06 +0200[diff] [blame]206 }
207 if err := srv.Send(&apb.EscrowFromClient{
208 Parameters: &apb.EscrowFromClient_Parameters{
209 RequestedIdentityName: "owner",
210 PublicKey: private.Public().(ed25519.PublicKey),
211 },
212 }); err != nil {
213 return nil, fmt.Errorf("when sending client parameters: %w", err)
214 }
215 resp, err := srv.Recv()
216 if err != nil {
217 return nil, fmt.Errorf("when receiving server message: %w", err)
218 }
219 if len(resp.EmittedCertificate) == 0 {
220 return nil, fmt.Errorf("expected certificate, instead got needed proofs: %+v", resp.Needed)
221 }
222
223 return &tls.Certificate{
224 Certificate: [][]byte{resp.EmittedCertificate},
225 PrivateKey: private,
226 }, nil
227}