Organization List Feature in Server AWS Node Attester Plugin "aws_iid"

[rushi47]

Pull Request check list

• Commit conforms to CONTRIBUTING.md?
• Proper tests/regressions included?
• Documentation updated?

Affected functionality
This PR adds new feature to AWS Node Attester Plugin. It's optional feature, if its enabled it provides additional check executed at very first step during node attestation. It verifies, if node's aws account id is part of AWS Organization or not. If it's not part of organization, attestation request will be rejected.

More on this feature can be read in the issue

Description of change

• Adds new functionality in AWS Node Attester Plugin

Which issue this PR fixes
Fixes : issue

[rushi47]

Details about the feature are being discussed on : #4770

[evan2645]

Thanks so much for this contribution @rushi47 ❤️

I took a pass on it and I think it will need one or two more. I started with some high level comments on config shape, docs, etc. I'll make another pass over the logic shortly

[evan2645]

For consistency, I suggest:

Suggested change

	org_account_role = "spire-server-org-role"
	assume_org_role = "spire-server-org-role"

Can it default to the value of assume_role? Is it something you need right now?

[rushi47]

This role needs to be created in management account, so using the value of default assume role, might conflict. So I was hoping to keep it configurable.

[evan2645]

Must this always be the management account? Should we name it management_account_id or similar?

[rushi47]

Must this always be the management account? Should we name it management_account_id or similar?

From the docs it looks like yes, it always need to management account id as it can list all the organization under. Yeah i guess its better to name it management account id

[evan2645]

Is it required? There doesn't seem to be any regionality in any of the AWS Organization docs. Can we hardcode a region?

[rushi47]

Ugh no sorry i slipped outside this was required for calling internal function, refactored.

[evan2645]

I'd prefer to see this hardcoded on the first pass .. if/when we know more about what values to use in what circumstances, we can make better decisions on the behavior or configurability

[rushi47]

The way currently its written it already defaults to 3m if its not explicitly passed. So it's optional param.

I was thinking we can keep the way it is rn as there is support for default and its already written but I will let you make the final call. Update the doc to reflect the defaults.

[evan2645]

My feeling is that we should not capture details about the implementation here (e.g. org list caching, refresh semantics, etc). They are likely to change in the future and we'll forget to update the docs. Folks interested in that level of detail can go look at the code. Instead, we should document any gotchas or requirements on the user. For example, what IAM permissions are needed.

[rushi47]

Ack. removed this and added example of permission policy

[evan2645]

We should have mock clock hooks for testing, and tests to go with it 🙏

[rushi47]

Noted, will come back to this at testing.

[rushi47]

Thanks so much for this contribution @rushi47 ❤️

I took a pass on it and I think it will need one or two more. I started with some high level comments on config shape, docs, etc. I'll make another pass over the logic shortly

Thank you @evan2645 for review ❤️.
I will wait for your review on logic as well, before I push new commits to resolve above comments.

[evan2645]

Thanks again @rushi47 for this contribution. As requested, I did another review pass on the logic bits. It was a little hard for me to review due to 1) unsure on how prior comments will change the implementation, and 2) code structure and naming. Most of my latest comments focus on the second point .. there are several other spots where I wanted to leave comments but refrained because I think it is likely to change in your next commit. Happy to jump on a quick zoom if helpful just let me know!

[evan2645]

Are all of these bumps required? Looks like a lot more than what would be needed for the changes in this PR

[rushi47]

Noted. Will come back to this at the end.

[evan2645]

Should this config validation live in iid.go where the config is actually parsed? Either that, or we should call this method from inside our constructor/configure method here. Feels weird to parse in iid.go and then call a private function in this file to validate

[rushi47]

Should this config validation live in iid.go where the config is actually parsed? Either that, or we should call this method from inside our constructor/configure method here. Feels weird to parse in iid.go and then call a private function in this file to validate

Yeah make sense moved it to iid.go file

[evan2645]

The code here should be factored such that locking is consistent. IMO, the closer to the relevant call site we can take the lock, the better (i.e. getRetries over decrRetries). As is, it's really hard to read and tell if a lock is missing or not.

[rushi47]

Done refactored.

[evan2645]

I think this struct and its related config would benefit from a different name, e.g. "orgValidator"

[rushi47]

Done 👌

[evan2645]

This function feels like it should be newOrgValidator instead. No need to have the error free constructor to hook into New, we can call this from the Configure method instead and handle the errors as needed.

[rushi47]

Lmk Evan if I understand the question correctly you are suggestion this function should be call inside Configure ? If yes, that's the way currently implemented its called inside configure. The validation part is done before that.

[evan2645]

is this needed? Can we include logger on config struct instead? Seems like a lock is missing, but moot point if we remove it.

[rushi47]

I was hooking into existing implementation. And that implementation is missing lock, the way I was thinking is if we add the lock in the existing implementation that would protect all the members, that means in turn protecting orgvalidation logger.

Why we needed, this was my thought - I guess spire when invokes the plugin it makes call for setting up logger so i thought we needed this to change the log level or even propagate logger.

But lmk if my understanding isn't correct.

[evan2645]

Perhaps IsMemberAccount or IsChildAccount?

[rushi47]

Changed it to IsMemberAccount

[evan2645]

Feels like this would benefit from some refactoring - for example, we probably only need one call site here that simply returns the latest up-to-date list, whether it be from cache or recently reloaded ... e.g. o.memberAccounts

[evan2645]

Is this lazy loading of the account list an attempt to optimize the total number of steady state calls to these API endpoints? At first I thought it was a simplicity decision, but the more I read the more I wonder if a goroutine with ticker-based refresh would be even simpler.

[rushi47]

Feels like this would benefit from some refactoring - for example, we probably only need one call site here that simply returns the latest up-to-date list, whether it be from cache or recently reloaded ... e.g. o.memberAccounts

Refactored the code and added function which act as middle ware, and handle this part.

Is this lazy loading of the account list an attempt to optimize the total number of steady state calls to these API endpoints? At first I thought it was a simplicity decision, but the more I read the more I wonder if a goroutine with ticker-based refresh would be even simpler.

Well this will not be lazy loading as its main flow of request, and cache is updated before response is returned. With ticker based refresh I am not very confident if it will solve the problem, as it will refresh the cache in particular time but it arises the same issue of having cache with particular ttl.

Maybe we can jump on call to discuss this.

[evan2645]

There should probably be dedicated functions for these kinds of things, like o.reloadAccountList and o.cacheMiss(), where the latter can conditionally call the former.

[rushi47]

Got it, added new function to handle this.

[evan2645]

What are the other possible states?

[rushi47]

Could be suspended or pending closure. More can be found here. Tried to capture this in test cases as well.

[MarcosDY]

time.Now().UTC().Sub(o.orgListAccountMapCreationTime) <= time.Duration(o.orgAccountListCacheTTL is used in multiple places, may we move to a function?

and can you add some unit tests for this code?

[rushi47]

Done, moved to function.

and can you add some unit tests for this code?

Created new file for unit testing organization all together.

[rushi47]

Done moved to function. And added tests for it. As this is private function, let me know if its not acceptable in the way I wrote tests for this as well as other functions in this file.

[MarcosDY]

Suggested change

	return nil, fmt.Errorf("issue while getting list of accounts: %v", err)
	return nil, fmt.Errorf("issue while getting list of accounts: %w", err)

[MarcosDY]

Suggested change

	return nil, fmt.Errorf("issue while getting list of accounts in pagination: %v", err)
	return nil, fmt.Errorf("issue while getting list of accounts in pagination: %w", err)

[rushi47]

Hello @MarcosDY
Thank you so much for reviewing and adding comments. Will work on this changes.

[rushi47]

Hey @MarcosDY Thank you so much for your review again ❤️ . I have replied to comments and made changes with best of my knowledge, I might need your help to confirm few things.

[rushi47]

@MarcosDY so i added new variable so that I dont touch existing code too much.
In this case i didnt want to spoil client config
function. As struct is copied in configure function, we will need to perform empty check against the struct and it will look something like below, please lmk which one you prefer or if there is better way to write this validation. And I will change accordingly.

func (cc *clientsCache) configure(config SessionConfig, orgConfig orgValidationConfig) {
	cc.mtx.Lock()
	cc.clients = make(map[string]*cacheEntry)
	cc.config = &config
	
	orgConf := &orgValidationConfig{}
	if orgConf != &orgConfig {
		orgConf = &orgConfig
	}
	cc.orgConfig = orgConf

	cc.mtx.Unlock()
}

[rushi47]

That sounds way nicer 😅
Refactored with some tweak

"Please ensure that %q if configured, it should be in duration and is suffixed with required 'm' for time duration in minute ex. '5m'. Otherwise, remove the: %q, in the block. Default TTL will be: %q"

[rushi47]

Hmm this was confusing. Well i refactored the logic, I think there was no point in using err in method : checkIfOrgAccountListIsStale as it is simple comparison and error was always nil.

So now this is how it happens

• First it will check if it is stale
• If stale : it will reload the account list and return true
• else simple false.

Does this look ok ?

[rushi47]

Retry is resetted here at the end of function when new accounts are fetched.

[rushi47]

why is it required to return an empty list when there are no retries?

Before retrying we check if account id exist in our cache/map or not. If it doesnt exist we go for retries, now if the retries are exhausted either we can return the cache/map we have already checked before or we can return the empty map. So I went with later one.

can no we get into a situation where we start to return empty maps always?

For this condition to happen we need two scenarios

one: account id is not part of existing cache.
second: our retries are exhausted.

I am thinking we can get into the scenario when there is malicious attestation request trying to validate. That will exhaust the retries and it will return the empty map. But in that case as well we are not overwriting the main cache, we are just returning empty map for that particular request.

Not overwriting the main cache is kind of guard rail, which will reduce blast radius to per request even if it returns the empty map.

Am unable to think of scenario which would bypass this condition, but please lmk if you have anything specific case in mind.

[rushi47]

Done, moved to function.

and can you add some unit tests for this code?

Created new file for unit testing organization all together.

[rushi47]

Done moved to function. And added tests for it. As this is private function, let me know if its not acceptable in the way I wrote tests for this as well as other functions in this file.

[rushi47]

Without 0 it fails on mac m1 golang/go#65568

[MarcosDY]

can you replace with 1.22.2?