// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
package reg
import (
"bytes"
"context"
stdx509 "crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"log"
"github.com/cosi-project/runtime/pkg/resource"
"github.com/cosi-project/runtime/pkg/safe"
"github.com/cosi-project/runtime/pkg/state"
"github.com/siderolabs/crypto/x509"
"github.com/siderolabs/gen/xslices"
"google.golang.org/grpc"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/peer"
"google.golang.org/grpc/status"
securityapi "github.com/siderolabs/talos/pkg/machinery/api/security"
"github.com/siderolabs/talos/pkg/machinery/resources/secrets"
)
// Registrator is the concrete type that implements the factory.Registrator and
// securityapi.SecurityServiceServer interfaces.
//
// Only the Certificate RPC is implemented in this file; every other method of the
// service falls through to the embedded UnimplementedSecurityServiceServer.
type Registrator struct {
	securityapi.UnimplementedSecurityServiceServer

	// Resources is the COSI state from which the Certificate RPC reads the OS root
	// secrets (issuing CA key pair and accepted CA certificates).
	Resources state.State
}
// Register implements the factory.Registrator interface.
//
// It attaches this security service implementation to the supplied gRPC server.
//
//nolint:interfacer
func (r *Registrator) Register(s *grpc.Server) {
	var svc securityapi.SecurityServiceServer = r

	securityapi.RegisterSecurityServiceServer(s, svc)
}
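// Certificate implements the securityapi.SecurityServer interface.
//
// This API is called by Talos worker nodes to request a server certificate for apid running on the node.
// Control plane nodes generate certificates (client and server) directly from machine config PKI.
//
// in.Csr must be a single PEM-encoded certificate request. The subject alternative names
// (DNS names and IP addresses) are signed as submitted by the caller; nothing in this function
// ties them to the requesting peer yet (see the TODO below), so the transport-level identity of
// the peer is the only thing authorising the request.
//
// Only server authentication is granted: the issued certificate carries the digitalSignature
// key usage and the serverAuth extended key usage, and any Organization in the subject is
// cleared (presumably Organization is what apid maps to client roles — confirm against apid's
// authorization code) rather than rejecting the CSR, to keep older workers provisioning.
//
// Returns the signed certificate PEM and the concatenation of all accepted CA certificates, or a
// gRPC status error: PermissionDenied when no peer is attached to ctx, InvalidArgument when the
// CSR cannot be decoded, parsed or its signature does not verify, Internal when the OS root
// secrets cannot be loaded or signing fails.
func (r *Registrator) Certificate(ctx context.Context, in *securityapi.CertificateRequest) (resp *securityapi.CertificateResponse, err error) {
	remotePeer, ok := peer.FromContext(ctx)
	if !ok {
		return nil, status.Error(codes.PermissionDenied, "peer not found")
	}

	osRoot, err := safe.StateGet[*secrets.OSRoot](ctx, r.Resources, resource.NewMetadata(secrets.NamespaceName, secrets.OSRootType, secrets.OSRootID, resource.VersionUndefined))
	if err != nil {
		// return an explicit gRPC code instead of the bare error (which the transport would
		// report as codes.Unknown), consistent with the other error paths in this handler
		return nil, status.Errorf(codes.Internal, "failed to get OS root secrets: %s", err)
	}

	// decode and validate CSR
	csrPemBlock, _ := pem.Decode(in.Csr)
	if csrPemBlock == nil {
		return nil, status.Errorf(codes.InvalidArgument, "failed to decode CSR")
	}

	request, err := stdx509.ParseCertificateRequest(csrPemBlock.Bytes)
	if err != nil {
		return nil, status.Errorf(codes.InvalidArgument, "failed to parse CSR: %s", err)
	}

	// ParseCertificateRequest does not verify the CSR's self-signature; check it here so the
	// caller has to prove possession of the private key for the public key we are about to
	// certify (the signer below may verify this as well, but an explicit check is cheap)
	if err = request.CheckSignature(); err != nil {
		return nil, status.Errorf(codes.InvalidArgument, "CSR signature verification failed: %s", err)
	}

	log.Printf("received CSR signing request from %s: subject %s dns names %s addresses %s", remotePeer.Addr, request.Subject, request.DNSNames, request.IPAddresses)

	// allow only server auth certificates
	x509Opts := []x509.Option{
		x509.KeyUsage(stdx509.KeyUsageDigitalSignature),
		x509.ExtKeyUsage([]stdx509.ExtKeyUsage{stdx509.ExtKeyUsageServerAuth}),
	}

	// don't allow any certificates which can be used for client authentication
	//
	// we don't return an error here, as otherwise workers running old versions of Talos
	// will fail to provision client certificate and will never launch apid
	//
	// instead, the returned certificate will be rejected when being used
	if len(request.Subject.Organization) > 0 {
		log.Printf("removing client auth organization from CSR: %s", request.Subject.Organization)

		x509Opts = append(x509Opts, x509.OverrideSubject(func(subject *pkix.Name) {
			subject.Organization = nil
		}))
	}

	// TODO: Verify that the request is coming from the IP address declared in
	// the CSR.
	//
	// Until that is done, any peer that passes the transport-level authentication can obtain a
	// server certificate for arbitrary DNS names and IP addresses; remotePeer.Addr is only logged
	// above, never compared against request.IPAddresses.
	signed, err := x509.NewCertificateFromCSRBytes(
		osRoot.TypedSpec().IssuingCA.Crt,
		osRoot.TypedSpec().IssuingCA.Key,
		in.Csr,
		x509Opts...,
	)
	if err != nil {
		return nil, status.Errorf(codes.Internal, "failed to sign CSR: %s", err)
	}

	resp = &securityapi.CertificateResponse{
		// every accepted CA is returned so the worker can trust peers issued by any of them
		Ca: bytes.Join(
			xslices.Map(
				osRoot.TypedSpec().AcceptedCAs,
				func(cert *x509.PEMEncodedCertificate) []byte {
					return cert.Crt
				},
			),
			nil,
		),
		Crt: signed.X509CertificatePEM,
	}

	return resp, nil
}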