// Copyright 2016 The LUCI Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package authdb
import (
"context"
"fmt"
"net"
"strings"
"time"
"github.com/TriggerMail/luci-go/auth/identity"
"github.com/TriggerMail/luci-go/common/data/caching/lazyslot"
"github.com/TriggerMail/luci-go/common/logging"
"github.com/TriggerMail/luci-go/server/auth/service/protocol"
"github.com/TriggerMail/luci-go/server/auth/signing"
)
// OAuth client_id of https://apis-explorer.appspot.com/.
//
// It is unconditionally added to the set of accepted client IDs by
// NewSnapshotDB, alongside the IDs carried by the AuthDB snapshot itself.
const (
	googleAPIExplorerClientID = "292824132082.apps.googleusercontent.com"
)
// SnapshotDB implements DB using AuthDB proto message.
//
// Use NewSnapshotDB to create new instances. Don't touch public fields
// of existing instances.
//
// Every lookup (client IDs, group membership, IP whitelists, URLs) is served
// from the in-memory maps below, built once in NewSnapshotDB. Only the
// certificate bundle is obtained lazily, on first use of GetCertificates.
type SnapshotDB struct {
	AuthServiceURL string // where it was fetched from
	Rev            int64  // its revision number

	tokenServiceURL string                       // URL of the token server as provided by Auth service
	clientIDs       map[string]struct{}          // set of allowed client IDs
	groups          map[string]*group            // map of all known groups
	assignments     map[identity.Identity]string // IP whitelist assignments (identity -> whitelist name)
	whitelists      map[string][]net.IPNet       // IP whitelists (name -> parsed subnets)

	// Certs are loaded lazily in GetCertificates since they are used only when
	// checking delegation tokens, which is relatively rare.
	certs lazyslot.Slot
}
// Compile-time assertion that *SnapshotDB satisfies the DB interface.
var _ DB = (*SnapshotDB)(nil)
// group is a node in a group graph. Nested groups are referenced directly via
// pointer.
//
// Nodes are built by NewSnapshotDB. A nil 'members' map and nil 'globs' /
// 'nested' slices are normal for groups without the corresponding entries;
// lookups and ranges over them behave as "empty".
type group struct {
	members map[identity.Identity]struct{} // set of all members
	globs   []identity.Glob                // list of all identity globs
	nested  []*group                       // pointers to nested groups
}
// certMap is used in GetCertificate and fetchTrustedCerts.
//
// It maps a trusted signer's identity (currently only the token server, as
// "user:<its service account name>") to its certificate bundle.
type certMap map[identity.Identity]*signing.PublicCertificates
// Revision returns a revision of an auth DB or 0 if it can't be determined.
//
// Only *SnapshotDB carries a revision; any other DB implementation, or a nil
// *SnapshotDB stored in the interface, yields 0.
func Revision(db DB) int64 {
	snap, ok := db.(*SnapshotDB)
	if !ok || snap == nil {
		return 0
	}
	return snap.Rev
}
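// NewSnapshotDB creates new instance of SnapshotDB.
//
// It does some preprocessing to speed up subsequent checks. Return errors if
// it encounters inconsistencies.
//
// An error is returned for a group listed twice and for a subnet that does
// not parse as CIDR; in both cases the whole snapshot is rejected rather than
// loaded partially. Nested references to unknown groups are dropped (unknown
// groups are treated as empty). If an IP whitelist name or an assignment
// identity appears more than once, the last entry wins.
func NewSnapshotDB(authDB *protocol.AuthDB, authServiceURL string, rev int64) (*SnapshotDB, error) {
	// Groups are validated before subnets so that an AuthDB with both kinds of
	// defect reports the duplicate group first.
	groups, err := buildGroupGraph(authDB)
	if err != nil {
		return nil, err
	}
	whitelists, err := parseIPWhitelists(authDB)
	if err != nil {
		return nil, err
	}
	return &SnapshotDB{
		AuthServiceURL:  authServiceURL,
		Rev:             rev,
		tokenServiceURL: authDB.GetTokenServerUrl(),
		clientIDs:       collectClientIDs(authDB),
		groups:          groups,
		assignments:     collectWhitelistAssignments(authDB),
		whitelists:      whitelists,
	}, nil
}

// collectClientIDs builds the set of OAuth client IDs accepted for
// non-service-account emails: the API explorer, the primary client ID and
// any additional ones. Empty strings are skipped.
func collectClientIDs(authDB *protocol.AuthDB) map[string]struct{} {
	additional := authDB.GetOauthAdditionalClientIds()
	ids := make(map[string]struct{}, 2+len(additional))
	ids[googleAPIExplorerClientID] = struct{}{}
	if primary := authDB.GetOauthClientId(); primary != "" {
		ids[primary] = struct{}{}
	}
	for _, cid := range additional {
		if cid != "" {
			ids[cid] = struct{}{}
		}
	}
	return ids
}

// buildGroupGraph converts the flat list of groups into linked *group nodes.
//
// Returns an error if a group name appears twice. Member identities are
// stored as given (converted, not validated) — presumably the auth service
// validates them upstream; confirm against the producer of the AuthDB.
// References to unknown nested groups are dropped.
func buildGroupGraph(authDB *protocol.AuthDB) (map[string]*group, error) {
	protoGroups := authDB.GetGroups()
	groups := make(map[string]*group, len(protoGroups))
	// First pass: one node per group with its direct members and globs.
	for _, g := range protoGroups {
		name := g.GetName()
		if groups[name] != nil {
			return nil, fmt.Errorf("auth: bad AuthDB, group %q is listed twice", name)
		}
		gr := &group{}
		if members := g.GetMembers(); len(members) != 0 {
			gr.members = make(map[identity.Identity]struct{}, len(members))
			for _, ident := range members {
				gr.members[identity.Identity(ident)] = struct{}{}
			}
		}
		if globs := g.GetGlobs(); len(globs) != 0 {
			gr.globs = make([]identity.Glob, len(globs))
			for i, glob := range globs {
				gr.globs[i] = identity.Glob(glob)
			}
		}
		if nested := g.GetNested(); len(nested) != 0 {
			gr.nested = make([]*group, 0, len(nested))
		}
		groups[name] = gr
	}
	// Second pass: resolve nested names to pointers now that all nodes exist.
	// Cycles are not rejected here; isMemberImpl detects and skips them.
	for _, g := range protoGroups {
		gr := groups[g.GetName()]
		for _, nestedName := range g.GetNested() {
			if nestedGroup := groups[nestedName]; nestedGroup != nil {
				gr.nested = append(gr.nested, nestedGroup)
			}
		}
	}
	return groups, nil
}

// collectWhitelistAssignments maps each IP-restricted identity to the name of
// the IP whitelist its requests must come from. Identities are stored as
// given and are not validated here.
func collectWhitelistAssignments(authDB *protocol.AuthDB) map[identity.Identity]string {
	protoAssignments := authDB.GetIpWhitelistAssignments()
	assignments := make(map[identity.Identity]string, len(protoAssignments))
	for _, a := range protoAssignments {
		assignments[identity.Identity(a.GetIdentity())] = a.GetIpWhitelist()
	}
	return assignments
}

// parseIPWhitelists parses every subnet of every IP whitelist into net.IPNet.
//
// Whitelists without subnets are omitted (IsInWhitelist then treats them as
// empty). An unparsable subnet is an error, so a malformed AuthDB is rejected
// rather than loaded with a silently different allow list.
func parseIPWhitelists(authDB *protocol.AuthDB) (map[string][]net.IPNet, error) {
	protoLists := authDB.GetIpWhitelists()
	whitelists := make(map[string][]net.IPNet, len(protoLists))
	for _, w := range protoLists {
		subnets := w.GetSubnets()
		if len(subnets) == 0 {
			continue
		}
		nets := make([]net.IPNet, len(subnets))
		for i, subnet := range subnets {
			// ParseCIDR yields the network with host bits masked off, which is what
			// Contains() expects.
			_, ipnet, err := net.ParseCIDR(subnet)
			if err != nil {
				return nil, fmt.Errorf("auth: bad subnet %q in IP list %q - %s", subnet, w.GetName(), err)
			}
			nets[i] = *ipnet
		}
		whitelists[w.GetName()] = nets
	}
	return whitelists, nil
}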
// IsAllowedOAuthClientID returns true if given OAuth2 client_id can be used
// to authenticate access for given email.
//
// Service account emails are accepted with any client ID; everyone else must
// present a non-empty client ID from the snapshot's allowed set. The email is
// used as-is — presumably the caller has already authenticated it (e.g. via
// token validation); verify against the caller.
func (db *SnapshotDB) IsAllowedOAuthClientID(c context.Context, email, clientID string) (bool, error) {
	switch {
	case strings.HasSuffix(email, ".gserviceaccount.com"):
		// A service account's email alone identifies the credentials used, so
		// no client ID allowlisting is applied. Note: this is Google specific.
		return true, nil
	case clientID == "":
		// Non service accounts must always supply a client ID.
		return false, nil
	}
	_, allowed := db.clientIDs[clientID]
	return allowed, nil
}
// IsMember returns true if the given identity belongs to any of the groups.
//
// Unknown groups are considered empty. May return errors if underlying
// datastore has issues.
//
// Groups are evaluated in the given order and evaluation stops at the first
// hit or the first error.
func (db *SnapshotDB) IsMember(c context.Context, id identity.Identity, groups []string) (bool, error) {
	// TODO(vadimsh): Optimize multi-group case.
	for _, name := range groups {
		found, err := db.isMemberImpl(c, id, name)
		if err != nil {
			return false, err
		}
		if found {
			return true, nil
		}
	}
	return false, nil
}
// CheckMembership returns groups from the given list the identity belongs to.
//
// Unlike IsMember, it doesn't stop on the first hit but continues evaluating
// all groups.
//
// Unknown groups are considered empty. The order of groups in the result may
// be different from the order in 'groups'.
//
// May return errors if underlying datastore has issues. When no group
// matches the result is a nil slice.
func (db *SnapshotDB) CheckMembership(c context.Context, id identity.Identity, groups []string) (out []string, err error) {
	// TODO(vadimsh): Optimize multi-group case.
	for _, name := range groups {
		var found bool
		if found, err = db.isMemberImpl(c, id, name); err != nil {
			return nil, err
		}
		if found {
			out = append(out, name)
		}
	}
	return out, nil
}
// isMemberImpl implements IsMember check for a single group only.
//
// Membership is resolved by a depth-first walk over the nested group graph:
// direct members are checked first, then identity globs, then nested groups.
// An unknown group name yields (false, nil). Nesting cycles are tolerated:
// the offending edge is logged and skipped instead of recursed into, so a
// malformed AuthDB cannot exhaust the stack here.
func (db *SnapshotDB) isMemberImpl(c context.Context, id identity.Identity, groupName string) (bool, error) {
	// Cycle detection check uses a stack of groups currently being explored. Use
	// stack allocated array as a backing store to avoid unnecessary dynamic
	// allocation. If stack depth grows beyond 8, 'append' will reallocate it on
	// the heap.
	var backingStore [8]*group
	current := backingStore[:0]
	// Keep a set of all visited groups to avoid revisiting them in case of a
	// diamond-like graph, e.g A -> B, A -> C, B -> D, C -> D (we don't need to
	// visit D twice in this case).
	//
	// A group is recorded here only after its subtree was fully explored. A hit
	// terminates the whole walk, so any group later found in 'visited' is known
	// to contain no match for 'id'.
	visited := make(map[*group]struct{}, 10)
	// isMember is used to recurse over nested groups.
	var isMember func(*group) bool
	isMember = func(gr *group) bool {
		// 'id' is a direct member?
		if _, ok := gr.members[id]; ok {
			return true
		}
		// 'id' matches some glob?
		for _, glob := range gr.globs {
			if glob.Match(id) {
				return true
			}
		}
		// Leaf group: nothing more to explore. Leaves are not added to 'visited',
		// so a shared leaf may be re-checked from a sibling branch; that is cheap
		// (a map lookup plus the globs) and does not change the result.
		if len(gr.nested) == 0 {
			return false
		}
		current = append(current, gr) // popped before return
		found := false
	outer_loop:
		for _, nested := range gr.nested {
			// There should be no cycles, but do the check just in case there are,
			// seg faulting with stack overflow is very bad. In case of a cycle, skip
			// the offending group, but keep searching other groups.
			for _, ancestor := range current {
				if ancestor == nested {
					logging.Errorf(c, "auth: unexpected group nesting cycle in group %q", groupName)
					continue outer_loop
				}
			}
			// Explored 'nested' already (and didn't find anything) while visiting
			// some sibling branch? Skip.
			if _, seen := visited[nested]; seen {
				continue
			}
			if isMember(nested) {
				found = true
				break
			}
		}
		// Note that we don't use defers here since they have non-negligible runtime
		// cost. Using 'defer' here makes IsMember ~1.7x slower (1200 ns vs 700 ns),
		// See BenchmarkIsMember.
		current = current[:len(current)-1]
		visited[gr] = struct{}{}
		return found
	}
	if gr := db.groups[groupName]; gr != nil {
		return isMember(gr), nil
	}
	return false, nil
}
// GetCertificates returns a bundle with certificates of a trusted signer.
//
// Returns (nil, nil) for a signer that is not trusted. The certificate map is
// fetched on first use and the fetch result is reused for time.Hour before
// the slot refreshes it, so a key rotation on the token server may take up to
// an hour to become visible here.
func (db *SnapshotDB) GetCertificates(c context.Context, signerID identity.Identity) (*signing.PublicCertificates, error) {
	refresh := func(interface{}) (interface{}, time.Duration, error) {
		fetched, err := db.fetchTrustedCerts(c)
		return fetched, time.Hour, err
	}
	cached, err := db.certs.Get(c, refresh)
	if err != nil {
		return nil, err
	}
	trusted := cached.(certMap)
	return trusted[signerID], nil
}
// GetWhitelistForIdentity returns name of the IP whitelist to use to check
// IP of requests from given `ident`.
//
// It's used to restrict access for certain account to certain IP subnets.
//
// Returns ("", nil) if `ident` is not IP restricted. The error is always nil
// for a snapshot; it exists to satisfy the DB interface.
func (db *SnapshotDB) GetWhitelistForIdentity(c context.Context, ident identity.Identity) (string, error) {
	whitelistName := db.assignments[ident]
	return whitelistName, nil
}
// IsInWhitelist returns true if IP address belongs to given named IP whitelist.
//
// IP whitelist is a set of IP subnets. Unknown IP whitelists are considered
// empty. May return errors if underlying datastore has issues.
//
// A whitelist that had no subnets in the AuthDB is absent from the map and so
// also matches nothing (fail closed).
func (db *SnapshotDB) IsInWhitelist(c context.Context, ip net.IP, whitelist string) (bool, error) {
	subnets := db.whitelists[whitelist]
	for i := range subnets {
		if subnets[i].Contains(ip) {
			return true, nil
		}
	}
	return false, nil
}
// GetAuthServiceURL returns root URL ("https://<host>") of the auth service
// the snapshot was fetched from.
//
// This is needed to implement authdb.DB interface. The error is always nil.
func (db *SnapshotDB) GetAuthServiceURL(c context.Context) (string, error) {
	authServiceURL := db.AuthServiceURL
	return authServiceURL, nil
}
// GetTokenServiceURL returns root URL ("https://<host>") of the token server.
//
// This is needed to implement authdb.DB interface. The value comes straight
// from the AuthDB snapshot and may be empty when no token server is
// configured; the error is always nil.
func (db *SnapshotDB) GetTokenServiceURL(c context.Context) (string, error) {
	tokenServiceURL := db.tokenServiceURL
	return tokenServiceURL, nil
}
//// Implementation details.
// fetchTrustedCerts is called by GetCertificates to fetch certificates.
//
// We currently trust only the token server, as provided by the auth service.
//
// The token server URL itself comes from the AuthDB snapshot, so trust in the
// returned bundle is anchored in the auth service that produced it. With no
// token server configured an empty (non-nil) map is returned, which makes
// every signer untrusted. The bundle is rejected if it does not name the
// token server's service account or if that name is not a valid identity.
func (db *SnapshotDB) fetchTrustedCerts(c context.Context) (certMap, error) {
	tokenServer := db.tokenServiceURL
	if tokenServer == "" {
		logging.Warningf(
			c, "Delegation is not supported, the token server URL is not set by %s",
			db.AuthServiceURL)
		return certMap{}, nil
	}
	bundle, err := signing.FetchCertificatesFromLUCIService(c, tokenServer)
	if err != nil {
		return nil, err
	}
	accountName := bundle.ServiceAccountName
	if accountName == "" {
		return nil, fmt.Errorf("the token server %s didn't provide its service account name", tokenServer)
	}
	signer, err := identity.MakeIdentity("user:" + accountName)
	if err != nil {
		return nil, fmt.Errorf("invalid service_account_name %q in fetched certificates bundle - %s", accountName, err)
	}
	return certMap{signer: bundle}, nil
}