Gitiles
Code Review Sign In
gerrit-dev.monogon.dev / monogon / 0c2801516b5191472bd4bc1a07ab6f414a805b27 / . / metropolis / node / core / rpc / client.go
blob: 8619d194b88f194ab8561f7dcdb71b0f4b6cde89 [file] [log] [blame]
Serge Bazanskid7d6e022021-09-01 15:03:06 +0200[diff] [blame]1package rpc
2
3import (
4 "context"
5 "crypto/ed25519"
6 "crypto/rand"
7 "crypto/tls"
8 "crypto/x509"
9 "fmt"
10 "math/big"
11 "time"
12
Serge Bazanskid7d6e022021-09-01 15:03:06 +0200[diff] [blame]13 "google.golang.org/grpc/credentials"
Serge Bazanski636032e2022-01-26 14:21:33 +0100[diff] [blame]14 "google.golang.org/grpc/status"
Serge Bazanskid7d6e022021-09-01 15:03:06 +0200[diff] [blame]15
Serge Bazanski3379a5d2021-09-09 12:56:40 +0200[diff] [blame]16 "source.monogon.dev/metropolis/node/core/identity"
Serge Bazanskid7d6e022021-09-01 15:03:06 +0200[diff] [blame]17 apb "source.monogon.dev/metropolis/proto/api"
18)
19
Serge Bazanski4ac71122023-07-24 13:08:34 +0200[diff] [blame]20// UnknownNotAfter is a copy of //metroplis/pkg/pki.UnknownNotAfter.
21//
22// We copy it so that we can decouple the rpc package from the pki package, the
23// former being used by metroctl (and thus needing to be portable), the latter
24// having a dependency on fileargs (which isn't portable). The correct solution
25// here is to clarify portability policy of each workspace path, and apply it.
26// But this will do for now.
27//
28// TODO(issues/252): clean up and merge this back.
29var UnknownNotAfter = time.Unix(253402300799, 0)
30
Serge Bazanski3379a5d2021-09-09 12:56:40 +0200[diff] [blame]31type verifyPeerCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error
32
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]33func verifyClusterCertificateAndNodeID(ca *x509.Certificate, nodeID string) verifyPeerCertificate {
Serge Bazanski3379a5d2021-09-09 12:56:40 +0200[diff] [blame]34 return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
35 if len(rawCerts) != 1 {
36 return fmt.Errorf("server presented %d certificates, wanted exactly one", len(rawCerts))
37 }
38 serverCert, err := x509.ParseCertificate(rawCerts[0])
39 if err != nil {
40 return fmt.Errorf("server presented unparseable certificate: %w", err)
41 }
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]42 pkey, err := identity.VerifyNodeInCluster(serverCert, ca)
43 if err != nil {
Serge Bazanski3379a5d2021-09-09 12:56:40 +0200[diff] [blame]44 return fmt.Errorf("node certificate verification failed: %w", err)
45 }
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]46 if nodeID != "" {
47 id := identity.NodeID(pkey)
48 if id != nodeID {
49 return fmt.Errorf("wanted to reach node %q, got %q", nodeID, id)
50 }
51 }
Serge Bazanski3379a5d2021-09-09 12:56:40 +0200[diff] [blame]52
53 return nil
54 }
55}
56
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]57func verifyFail(err error) verifyPeerCertificate {
58 return func(_ [][]byte, _ [][]*x509.Certificate) error {
59 return err
60 }
61}
62
Serge Bazanski399ce552022-03-29 12:52:42 +0200[diff] [blame]63// NewEphemeralCredentials returns gRPC TransportCredentials that can be used to
64// dial a cluster without authenticating with a certificate, but instead
65// authenticating by proving the possession of a private key, via an ephemeral
66// self-signed certificate.
Serge Bazanskid7d6e022021-09-01 15:03:06 +0200[diff] [blame]67//
Serge Bazanski399ce552022-03-29 12:52:42 +0200[diff] [blame]68// Currently these credentials are used in two flows:
69//
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]70// 1. Registration of nodes into a cluster, after which a node receives a proper
71// node certificate
Serge Bazanski399ce552022-03-29 12:52:42 +0200[diff] [blame]72//
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]73// 2. Escrow of initial owner credentials into a proper manager
74// certificate
Serge Bazanskid7d6e022021-09-01 15:03:06 +0200[diff] [blame]75//
Serge Bazanski0c280152024-02-05 14:33:19 +0100[diff] [blame^]76// The given opts can be used to lock down the remote side of the connection, eg.
77// expecting a given cluster CA certificate or disabling remote side verification
78// by using WantInsecure().
79func NewEphemeralCredentials(private ed25519.PrivateKey, opts ...CredentialsOpt) (credentials.TransportCredentials, error) {
Serge Bazanskid7d6e022021-09-01 15:03:06 +0200[diff] [blame]80 template := x509.Certificate{
81 SerialNumber: big.NewInt(1),
82 NotBefore: time.Now(),
Serge Bazanski4ac71122023-07-24 13:08:34 +0200[diff] [blame]83 NotAfter: UnknownNotAfter,
Serge Bazanskid7d6e022021-09-01 15:03:06 +0200[diff] [blame]84
Serge Bazanski3379a5d2021-09-09 12:56:40 +0200[diff] [blame]85 KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
Serge Bazanskid7d6e022021-09-01 15:03:06 +0200[diff] [blame]86 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
87 BasicConstraintsValid: true,
88 }
89 certificateBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, private.Public(), private)
90 if err != nil {
91 return nil, fmt.Errorf("when generating self-signed certificate: %w", err)
92 }
93 certificate := tls.Certificate{
94 Certificate: [][]byte{certificateBytes},
95 PrivateKey: private,
96 }
Serge Bazanski0c280152024-02-05 14:33:19 +0100[diff] [blame^]97 opts = append(opts)
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]98 return NewAuthenticatedCredentials(certificate, opts...), nil
99}
100
Serge Bazanski0c280152024-02-05 14:33:19 +0100[diff] [blame^]101// CredentialsOpt are created using WantXXX functions and used in
102// NewCredentials.
103type CredentialsOpt struct {
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]104 wantCA *x509.Certificate
105 wantNodeID string
106 insecureOkay bool
107}
108
Serge Bazanski0c280152024-02-05 14:33:19 +0100[diff] [blame^]109func (a *CredentialsOpt) merge(o *CredentialsOpt) {
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]110 if a.wantNodeID == "" && o.wantNodeID != "" {
111 a.wantNodeID = o.wantNodeID
112 }
113 if a.wantCA == nil && o.wantCA != nil {
114 a.wantCA = o.wantCA
115 }
116 if !a.insecureOkay && o.insecureOkay {
117 a.insecureOkay = o.insecureOkay
118 }
119}
120
121// WantRemoteCluster enables the verification of the remote cluster identity when
122// using NewAuthanticatedCredentials. If the connection is not terminated at a
123// cluster with the given CA certificate, an error will be returned.
124//
125// This is the bare minimum option required to implement secure connections to
126// clusters.
Serge Bazanski0c280152024-02-05 14:33:19 +0100[diff] [blame^]127func WantRemoteCluster(ca *x509.Certificate) CredentialsOpt {
128 return CredentialsOpt{
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]129 wantCA: ca,
130 }
131}
132
133// WantRemoteNode enables the verification of the remote node identity when using
Serge Bazanski0c280152024-02-05 14:33:19 +0100[diff] [blame^]134// NewCredentials. If the connection is not terminated at the node
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]135// ID 'id', an error will be returned. For this function to work,
136// WantRemoteCluster must also be set.
Serge Bazanski0c280152024-02-05 14:33:19 +0100[diff] [blame^]137func WantRemoteNode(id string) CredentialsOpt {
138 return CredentialsOpt{
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]139 wantNodeID: id,
140 }
141}
142
143// WantInsecure disables the verification of the remote side of the connection
Serge Bazanski0c280152024-02-05 14:33:19 +0100[diff] [blame^]144// via NewCredentials. This is unsafe.
145func WantInsecure() CredentialsOpt {
146 return CredentialsOpt{
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]147 insecureOkay: true,
148 }
Serge Bazanski3379a5d2021-09-09 12:56:40 +0200[diff] [blame]149}
Serge Bazanskid7d6e022021-09-01 15:03:06 +0200[diff] [blame]150
Serge Bazanski0c280152024-02-05 14:33:19 +0100[diff] [blame^]151// NewAuthenticatedCredentials returns gRPC TransportCredentials that can be used
152// to dial a cluster with a given TLS certificate (from node or manager
Serge Bazanski399ce552022-03-29 12:52:42 +0200[diff] [blame]153// credentials).
154//
Serge Bazanski0c280152024-02-05 14:33:19 +0100[diff] [blame^]155// The provided CredentialsOpt specify the verification of the remote side of the
156// connection. When connecting to a cluster (any node), use WantRemoteCluster. If
157// you also want to verify the connection to a particular node, specify
158// WantRemoteNode alongside it. If no verification should be performed use
159// WantInsecure.
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]160//
161// The given options are parsed on a first-wins basis.
Serge Bazanski0c280152024-02-05 14:33:19 +0100[diff] [blame^]162func NewAuthenticatedCredentials(cert tls.Certificate, opts ...CredentialsOpt) credentials.TransportCredentials {
Serge Bazanski399ce552022-03-29 12:52:42 +0200[diff] [blame]163 config := &tls.Config{
164 Certificates: []tls.Certificate{cert},
165 InsecureSkipVerify: true,
166 }
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]167
Serge Bazanski0c280152024-02-05 14:33:19 +0100[diff] [blame^]168 var merged CredentialsOpt
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]169 for _, o := range opts {
170 merged.merge(&o)
Serge Bazanski399ce552022-03-29 12:52:42 +0200[diff] [blame]171 }
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]172
173 if merged.insecureOkay {
Serge Bazanski0c280152024-02-05 14:33:19 +0100[diff] [blame^]174 if merged.wantNodeID != "" {
175 config.VerifyPeerCertificate = verifyFail(fmt.Errorf("WantInsecure specified alongside WantRemoteNode"))
176 } else if merged.wantCA != nil {
177 config.VerifyPeerCertificate = verifyFail(fmt.Errorf("WantInsecure specified alongside WantRemoteCluster"))
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]178 }
179 } else {
180 switch {
Serge Bazanski0c280152024-02-05 14:33:19 +0100[diff] [blame^]181 case merged.wantNodeID == "" && merged.wantCA == nil:
182 config.VerifyPeerCertificate = verifyFail(fmt.Errorf("WantRemoteNode/WantRemoteCluster/WantInsecure not specified"))
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]183 case merged.wantNodeID != "" && merged.wantCA == nil:
184 config.VerifyPeerCertificate = verifyFail(fmt.Errorf("WantRemoteNode also requires WantRemoteCluster"))
185 case merged.wantCA == nil:
186 config.VerifyPeerCertificate = verifyFail(fmt.Errorf("no AuthenticaedCreentialsOpts specified"))
187 default:
188 config.VerifyPeerCertificate = verifyClusterCertificateAndNodeID(merged.wantCA, merged.wantNodeID)
189 }
190 }
191
Serge Bazanski399ce552022-03-29 12:52:42 +0200[diff] [blame]192 return credentials.NewTLS(config)
Serge Bazanskid7d6e022021-09-01 15:03:06 +0200[diff] [blame]193}
194
Serge Bazanski8535cb52023-03-29 14:15:08 +0200[diff] [blame]195// RetrieveOwnerCertificate uses AAA.Escrow to retrieve a cluster manager
Serge Bazanskid7d6e022021-09-01 15:03:06 +0200[diff] [blame]196// certificate for the initial owner of the cluster, authenticated by the
197// public/private key set in the clusters NodeParameters.ClusterBoostrap.
198//
199// The retrieved certificate can be used to dial further cluster RPCs.
200func RetrieveOwnerCertificate(ctx context.Context, aaa apb.AAAClient, private ed25519.PrivateKey) (*tls.Certificate, error) {
201 srv, err := aaa.Escrow(ctx)
202 if err != nil {
Serge Bazanski636032e2022-01-26 14:21:33 +0100[diff] [blame]203 if st, ok := status.FromError(err); ok {
204 return nil, status.Errorf(st.Code(), "Escrow call failed: %s", st.Message())
205 }
206 return nil, err
Serge Bazanskid7d6e022021-09-01 15:03:06 +0200[diff] [blame]207 }
208 if err := srv.Send(&apb.EscrowFromClient{
209 Parameters: &apb.EscrowFromClient_Parameters{
210 RequestedIdentityName: "owner",
211 PublicKey: private.Public().(ed25519.PublicKey),
212 },
213 }); err != nil {
214 return nil, fmt.Errorf("when sending client parameters: %w", err)
215 }
216 resp, err := srv.Recv()
217 if err != nil {
218 return nil, fmt.Errorf("when receiving server message: %w", err)
219 }
220 if len(resp.EmittedCertificate) == 0 {
221 return nil, fmt.Errorf("expected certificate, instead got needed proofs: %+v", resp.Needed)
222 }
223
224 return &tls.Certificate{
225 Certificate: [][]byte{resp.EmittedCertificate},
226 PrivateKey: private,
227 }, nil
228}