Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WIP] Feature: pgp flux app signer #1212

Open
wants to merge 18 commits into
base: development
Choose a base branch
from
Open

[WIP] Feature: pgp flux app signer #1212

wants to merge 18 commits into from

Conversation

MorningLightMountain713
Copy link
Contributor

@MorningLightMountain713 MorningLightMountain713 commented Feb 9, 2024
edited
Loading

This ones a pretty big deal in my opinon. Mostly done - just need a bit more real world testing and some unittests. (and check the networking)

Allows Flux apps to validate each other. So you can be sure that the inbound / outbound sockets are authenticated between apps.

Background:

Flux has an issue whereby you want to inject private data into running apps, like databases, secrets etc. This in the past has been done by FluxVault. When the app starts up, FluxVault connects to it and gives it some config. This is reliant on the public ip address, and more importantly, there is no secure way for a node to reach out to the vault and identify itself.

Now you can!

It means you can seed a FluxApp once - and then nodes can go to other nodes to get their config / secrets!

What this pull does:

Adds a service that is available to flux docker networks on the hostname http://app.identity.service:80 where applications can request a message signed by the node.

The cleartext message and encrypted message are returned to the flux application. The encrypted message contains the appname (based off container source IP by inspecting docker networks) so it is authentication on a per app basis per fluxnode.

There is also an endpoint to decrypt a message - the other end would use this, then send the cleartext message back to prove that they are part of the "app group"

This app signer service has 3 endpoints:

  • getnodeidentity (gets the nodes confirmation txid)
  • createchallenge - returns the challenge message in cleartext and an encrypted version to be sent
  • decryptchallenge - decrypts the message and returns the cleartext if the container ip matches the network for the message.

Suggested mesage flow for an app:

  • GetNodeIdentity | NodeBApp -> NodeB (so other end can get public pgp key)
  • NodeIdentitySent | NodeBApp -> NodeAApp
  • ChallengeRequest | NodeAApp -> NodeA (contains target ip, apiport via identity)
  • ChallengeCreated | NodeA (Gets pgp pubkey from ip apiport)
  • ChallengeSent | NodeAApp -> NodeBApp
  • ChallengeDecryptRequest | NodeBApp -> NodeB
  • ChallengeDecrypted | NodeB
  • DecryptedSent | NodeBApp -> NodeAApp
  • Verified | NodeAApp has now verified NodeBApp

I will edit this writeup and expand a bit... just want to get this pull in.

I was going to pre fetch / cache all the pgp keys for any apps that are deployed on a node, but I'm not sure if this will actually benefit as I'm not sure how fast the application started messages are broadcast. I.e. will a new docker app spin up before the message has reached the target node. I'll do some more testing / thinking around this.

  • Adds an Automatic Private IP Addressing (APIPA) to the loopback adaptor (169.254.42.42)
  • Allows connections from flux docker networks to this endpoint
  • Denies all other traffic (security in layers) so the host can't access this unless they source their traffic from 172.23.x.x
  • Spins up an http server on this loopback address on port 80 (app signer service) (name tbd)

@MorningLightMountain713 MorningLightMountain713 mentioned this pull request Feb 9, 2024
Open
@MorningLightMountain713
Copy link
Contributor Author

addresses #1128

@MorningLightMountain713
Copy link
Contributor Author

MorningLightMountain713 commented Feb 10, 2024
edited
Loading

Here is an example on an app on one of my nodes:

You would normally get the identity on one node and send it to the other, they would create the challenge and send it back to you, then you decrypt and send the response back to prove you are who you say you are.

/app # curl -s app.identity.service/nodeidentity | jq .
{
  "status": "success",
  "data": {
    "txhash": "nodetxhashhere",
    "outidx": 0
  }
}
/app # curl -s -H 'Content-Type: application/json' app.identity.service/createchallenge --data '{"identity": "nodetxhashhere"}' | jq .
{
  "status": "success",
  "data": {
    "message": "7ac2b1e60bf96fd8524c38d330b4e3f5",
    "encrypted": "-----BEGIN PGP MESSAGE-----\n\nwV4Dc/5AJeD9oo8SAQdAumMrrbMtBGlO8VhsvnvgsGxOEJPtYYQXLCteMuKA\nrlIwUxMhRm38MjaDL75VJi1EPrxuz3gOvdkasmQ+C6+pWSiLiRMxwBwZcoUG\nuiTeSFRF0ncB5Ia99+3wWhD+97xsE9YqExvNDzeqKX4Z4byozDUpoA1dq8J7\np5FlkmFS6ErV/VzBot/Jg1a7VFYp2dGZUsmnlpoOcZUENbAXJCxn/yyLYUL9\n6xNfV/+zg/6/5UiSLyC4rEIeOkWfHtE27M/UOLfNSdcd3/8r0A==\n=WuFO\n-----END PGP MESSAGE-----\n"
  }
}
/app # curl -s -H 'Content-Type: application/json' app.identity.service/decryptchallenge --data '{"encrypted": "-----BEGIN PGP MESSAGE-----\n\
nwV4Dc/5AJeD9oo8SAQdAumMrrbMtBGlO8VhsvnvgsGxOEJPtYYQXLCteMuKA\nrlIwUxMhRm38MjaDL75VJi1EPrxuz3gOvdkasmQ+C6+pWSiLiRMxwBwZcoUG\nuiTeSFRF0ncB5Ia99
+3wWhD+97xsE9YqExvNDzeqKX4Z4byozDUpoA1dq8J7\np5FlkmFS6ErV/VzBot/Jg1a7VFYp2dGZUsmnlpoOcZUENbAXJCxn/yyLYUL9\n6xNfV/+zg/6/5UiSLyC4rEIeOkWfHtE27M/
UOLfNSdcd3/8r0A==\n=WuFO\n-----END PGP MESSAGE-----\n"}' | jq .
{
  "status": "success",
  "data": "7ac2b1e60bf96fd8524c38d330b4e3f5"
}
/app #

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@MorningLightMountain713