-
Notifications
You must be signed in to change notification settings - Fork 1.9k
/
server.go
201 lines (174 loc) · 7.56 KB
/
server.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
/*
Copyright 2023 The Dapr Authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package server
import (
"context"
"crypto/x509"
"encoding/pem"
"fmt"
"net"
"google.golang.org/grpc"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
"google.golang.org/protobuf/types/known/timestamppb"
sentryv1pb "github.com/dapr/dapr/pkg/proto/sentry/v1"
"github.com/dapr/dapr/pkg/security"
secpem "github.com/dapr/dapr/pkg/security/pem"
"github.com/dapr/dapr/pkg/sentry/monitoring"
"github.com/dapr/dapr/pkg/sentry/server/ca"
"github.com/dapr/dapr/pkg/sentry/server/validator"
"github.com/dapr/kit/logger"
)
var log = logger.NewLogger("dapr.sentry.server")
// Options is the configuration for the server.
type Options struct {
// Port is the port that the server will listen on.
Port int
// Security is the security handler for the server.
Security security.Handler
// Validator are the client authentication validator.
Validators map[sentryv1pb.SignCertificateRequest_TokenValidator]validator.Validator
// Name of the default validator to use if the request doesn't specify one.
DefaultValidator sentryv1pb.SignCertificateRequest_TokenValidator
// CA is the certificate authority which signs client certificates.
CA ca.Signer
}
// server is the gRPC server for the Sentry service.
type server struct {
vals map[sentryv1pb.SignCertificateRequest_TokenValidator]validator.Validator
defaultValidator sentryv1pb.SignCertificateRequest_TokenValidator
ca ca.Signer
}
// Start starts the server. Blocks until the context is cancelled.
func Start(ctx context.Context, opts Options) error {
lis, err := net.Listen("tcp", fmt.Sprintf(":%d", opts.Port))
if err != nil {
return fmt.Errorf("could not listen on port %d: %w", opts.Port, err)
}
// No client auth because we auth based on the client SignCertificateRequest.
srv := grpc.NewServer(opts.Security.GRPCServerOptionNoClientAuth())
s := &server{
vals: opts.Validators,
defaultValidator: opts.DefaultValidator,
ca: opts.CA,
}
sentryv1pb.RegisterCAServer(srv, s)
errCh := make(chan error, 1)
go func() {
log.Infof("Running gRPC server on port %d", opts.Port)
if err := srv.Serve(lis); err != nil {
errCh <- fmt.Errorf("failed to serve: %w", err)
return
}
errCh <- nil
}()
<-ctx.Done()
log.Info("Shutting down gRPC server")
srv.GracefulStop()
return <-errCh
}
// SignCertificate implements the SignCertificate gRPC method.
func (s *server) SignCertificate(ctx context.Context, req *sentryv1pb.SignCertificateRequest) (*sentryv1pb.SignCertificateResponse, error) {
monitoring.CertSignRequestReceived()
resp, err := s.signCertificate(ctx, req)
if err != nil {
monitoring.CertSignFailed("sign")
return nil, err
}
monitoring.CertSignSucceed()
return resp, nil
}
func (s *server) signCertificate(ctx context.Context, req *sentryv1pb.SignCertificateRequest) (*sentryv1pb.SignCertificateResponse, error) {
validator := s.defaultValidator
if req.GetTokenValidator() != sentryv1pb.SignCertificateRequest_UNKNOWN && req.GetTokenValidator().String() != "" {
validator = req.GetTokenValidator()
}
namespace := req.GetNamespace()
if validator == sentryv1pb.SignCertificateRequest_UNKNOWN {
log.Debugf("Validator '%s' is not known for %s/%s", validator.String(), namespace, req.GetId())
return nil, status.Error(codes.InvalidArgument, "a validator name must be specified in this environment")
}
if _, ok := s.vals[validator]; !ok {
log.Debugf("Validator '%s' is not enabled for %s/%s", validator.String(), namespace, req.GetId())
return nil, status.Error(codes.InvalidArgument, "the requested validator is not enabled")
}
log.Debugf("Processing SignCertificate request for %s/%s (validator: %s)", namespace, req.GetId(), validator.String())
trustDomain, overrideDuration, err := s.vals[validator].Validate(ctx, req)
if err != nil {
log.Debugf("Failed to validate request for %s/%s: %s", namespace, req.GetId(), err)
return nil, status.Error(codes.PermissionDenied, err.Error())
}
der, _ := pem.Decode(req.GetCertificateSigningRequest())
if der == nil {
log.Debugf("Invalid CSR: PEM block is nil for %s/%s", namespace, req.GetId())
return nil, status.Error(codes.InvalidArgument, "invalid certificate signing request")
}
// TODO: @joshvanl: Before v1.12, daprd was sending CSRs with the PEM block type "CERTIFICATE"
// After 1.14, allow only "CERTIFICATE REQUEST"
if der.Type != "CERTIFICATE REQUEST" && der.Type != "CERTIFICATE" {
log.Debugf("Invalid CSR: PEM block type is invalid for %s/%s: %s", namespace, req.GetId(), der.Type)
return nil, status.Error(codes.InvalidArgument, "invalid certificate signing request")
}
csr, err := x509.ParseCertificateRequest(der.Bytes)
if err != nil {
log.Debugf("Failed to parse CSR for %s/%s: %v", namespace, req.GetId(), err)
return nil, status.Errorf(codes.InvalidArgument, "failed to parse certificate signing request: %v", err)
}
if csr.CheckSignature() != nil {
log.Debugf("Invalid CSR: invalid signature for %s/%s", namespace, req.GetId())
return nil, status.Error(codes.InvalidArgument, "invalid signature")
}
// TODO: @joshvanl: before v1.12, daprd was matching on
// `<app-id>.<namespace>.svc.cluster.local` DNS SAN name so without this,
// daprd->daprd connections would fail. This is no longer the case since we
// now match with SPIFFE URI SAN, but we need to keep this here for backwards
// compatibility. Remove after v1.14.
var dns []string
switch {
case namespace == security.CurrentNamespace() && req.GetId() == "dapr-injector":
dns = []string{fmt.Sprintf("dapr-sidecar-injector.%s.svc", namespace)}
case namespace == security.CurrentNamespace() && req.GetId() == "dapr-operator":
// TODO: @joshvanl: before v1.12, daprd was matching on the operator server
// having `cluster.local` as a DNS SAN name. Remove after v1.13.
dns = []string{"cluster.local", fmt.Sprintf("dapr-webhook.%s.svc", namespace)}
case namespace == security.CurrentNamespace() && req.GetId() == "dapr-placement":
dns = []string{"cluster.local"}
default:
dns = []string{fmt.Sprintf("%s.%s.svc.cluster.local", req.GetId(), namespace)}
}
chain, err := s.ca.SignIdentity(ctx, &ca.SignRequest{
PublicKey: csr.PublicKey,
SignatureAlgorithm: csr.SignatureAlgorithm,
TrustDomain: trustDomain.String(),
Namespace: namespace,
AppID: req.GetId(),
DNS: dns,
}, overrideDuration)
if err != nil {
log.Errorf("Error signing identity: %v", err)
return nil, status.Error(codes.Internal, "failed to sign certificate")
}
chainPEM, err := secpem.EncodeX509Chain(chain)
if err != nil {
log.Errorf("Error encoding certificate chain: %v", err)
return nil, status.Error(codes.Internal, "failed to encode certificate chain")
}
log.Debugf("Successfully signed certificate for %s/%s", namespace, req.GetId())
return &sentryv1pb.SignCertificateResponse{
WorkloadCertificate: chainPEM,
// We only populate the trust chain and valid until for clients pre-1.12.
// TODO: Remove fields in 1.14.
TrustChainCertificates: [][]byte{s.ca.TrustAnchors()},
ValidUntil: timestamppb.New(chain[0].NotAfter),
}, nil
}