Prevent to change Server's trust domain #644
…t domains Signed-off-by: Marcos Yacob <marcos@scytale.io>
Signed-off-by: Marcos Yacob <marcos@scytale.io>
@@ -26,9 +26,22 @@ import ( | |||
"github.com/spiffe/spire/pkg/server/svid" | |||
"google.golang.org/grpc" | |||
|
|||
"errors" | |||
|
|||
"github.com/spiffe/spire/proto/server/datastore" |
nit: looks like these imports ended up in the wrong place
pkg/server/server.go
Outdated
const ( | ||
invalidTrustDomainAttestedNode = "An attested node with trust domain '%v' has been detected, " + | ||
"which does not match the configured trust domain of '%v'. If you want to change the trust domain, " + | ||
"please delete all existing attested nodes" |
I don't think this is currently possible? #27 is related
pkg/server/server.go
Outdated
fetchResponse, err := ds.ListRegistrationEntries(ctx, &datastore.ListRegistrationEntriesRequest{}) | ||
if err != nil { | ||
s.config.Log.Error(err) | ||
return errors.New("error trying to fetch entries") |
Why not return the error here instead of logging it and returning a different one? Or something like this
return fmt.Errorf("check existing entries: %v", err)
pkg/server/server.go
Outdated
func (s *Server) validateTrustDomain(ctx context.Context, ds datastore.DataStore) error { | ||
trustDomain := s.config.TrustDomain.Host | ||
|
||
fetchResponse, err := ds.ListRegistrationEntries(ctx, &datastore.ListRegistrationEntriesRequest{}) |
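Review bot: `trustDomain := s.config.TrustDomain.Host` takes the configured value as-is. If `TrustDomain` is a `url.URL`, `Host` keeps the letter case and any `:port` suffix from the config string, so a plain string comparison against the host of a stored SPIFFE ID can report a mismatch for IDs that belong to the same trust domain. Normalize both sides the same way before comparing, or reject a configured trust domain with a port or upper-case letters when the config is loaded.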
I think this will be problematic for production deployments, since we will be scanning the whole table every time we start/restart... we should add a pagination option or something (perhaps as part of a separate PR/Issue?)
pkg/server/server.go
Outdated
func validateSpiffeId(spiffeId string, trustDomain string, errMsg string) error { | ||
id, err := url.Parse(spiffeId) | ||
if err != nil { | ||
return fmt.Errorf("could not parse SPIFFE ID: %v", err) |
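Review bot: in `validateSpiffeId`, a nil error from `url.Parse` is not enough to accept the value, because it parses strings with no scheme or host without complaint. Unless the lines below already do so, require scheme `spiffe` and a non-empty host before comparing against `trustDomain`. On the signature: Go naming would be `validateSpiffeID`, and since `errMsg` appears to carry a format string, it should only ever be one of the package constants, never text built from stored data.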
it would be good if we could include more information here... that it is a registration entry that is bad, and perhaps the entry ID so the user can inspect it/delete it
…s a node with different trust domain Signed-off-by: Marcos Yacob <marcos@scytale.io>
Signed-off-by: Marcos Yacob <marcos@scytale.io>
Signed-off-by: Marcos Yacob <marcos@scytale.io>
@@ -189,14 +189,21 @@ message BySelectors { | |||
MatchBehavior match = 2; | |||
} | |||
|
|||
message Pagination { | |||
uint32 token = 1; |
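Review bot: `token` in `message Pagination` has no comment describing its contract. Document which value requests the first page and that callers must pass back the value from the previous response unchanged, so clients treat it as opaque and the encoding can change later without breaking them.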
I think a string "token" is more flexible... what do others think?
Agree that was my first approach too
My only gripe is that the sql plugin code is a little pointier when this is a string because we have to convert it and check for errors in a spot that would otherwise be error-free
Yes, I added a parser to prevent that from happening: basically it parses the token to an int and puts that int into the select, and an error is returned in case the parse is not valid.
if err := entryTx.Where(entryIDs).Find(&models).Error; err != nil { | ||
return nil, sqlError.Wrap(err) | ||
db := entryTx.Where(entryIDs) | ||
if err := findRegisteredEntries(req, db, &models); err != nil { |
I think this is less confusing with a functional approach:
models, pagination, err := findRegisteredEntries(db, req.Pagination)
if err != nil {
done
} | ||
|
||
// update pagination token based in last result in returned list | ||
func updatePaginationToken(p *datastore.Pagination, entries *[]RegisteredEntry) { |
it seems weird to take a pointer to a slice...
done
pkg/server/server_test.go
Outdated
"io/ioutil" | ||
"net/url" | ||
"os" | ||
"testing" | ||
|
||
"fmt" |
"fmt" and "bytes" should be grouped with the rest of the std imports
done
@@ -347,6 +347,19 @@ func (s *DataStore) ListRegistrationEntries(ctx context.Context, | |||
s.mu.Lock() | |||
defer s.mu.Unlock() | |||
|
|||
// no pagination allow for this fake, for now it return only one page |
should we implement pagination in the fake datastore so the server startup code that paginates entries for trust domain validation can be tested?
added
…aginate entries Signed-off-by: Marcos Yacob <marcos@scytale.io>
Signed-off-by: Marcos Yacob <marcos@scytale.io>
Signed-off-by: Marcos Yacob <marcos@scytale.io>
pkg/server/server.go
Outdated
trustDomain := s.config.TrustDomain.Host | ||
|
||
var token string | ||
// Repeat until no more results are returned |
I don't think we need to iterate over all the entries... perhaps we just make the request with PageSize 1 and call it a day? Same for attested nodes
Signed-off-by: Marcos Yacob <marcos@scytale.io>
@@ -656,8 +666,14 @@ func listAttestedNodes(tx *gorm.DB, req *datastore.ListAttestedNodesRequest) (*d | |||
return nil, sqlError.Wrap(err) | |||
} | |||
|
|||
if p != nil && p.PageSize > 0 && len(models) > 0 { | |||
lastEntry := (models)[len(models)-1] |
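Review bot: the `len(models) > 0` guard in `listAttestedNodes` means an empty page skips this branch, and nothing in the visible lines clears the token in that case. If the response then echoes the request's token, a caller that loops until the token is empty never stops. Set the token to its end-of-list value when no rows come back, and add a test that requests a page past the last row.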
nit: () on (models) is unnecessary
Signed-off-by: Marcos Yacob <marcos@scytale.io>
Validate Server's trust domain using persisted attestation nodes and registration entries
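The startup check discussed in this thread, sketched as an added example that is not code from the SPIRE repository: stored SPIFFE IDs are read page by page with a string token and compared against the configured trust domain. `checkPage`, `listPage`, `validateStored` and the sample IDs are hypothetical stand-ins for the datastore plugin and its data.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
)

var sample = []string{"spiffe://example.org/a", "spiffe://example.org/b", "spiffe://other.test/c"} // constructed IDs

// checkPage returns an error for the first ID that is not a spiffe:// URL in
// trustDomain; url.Parse alone accepts many non-SPIFFE strings without error.
func checkPage(page []string, trustDomain string) error {
	for _, id := range page {
		u, err := url.Parse(id)
		if err != nil || u.Scheme != "spiffe" || u.Host != trustDomain {
			return fmt.Errorf("%q is not a SPIFFE ID in trust domain %q", id, trustDomain)
		}
	}
	return nil
}

// listPage is a hypothetical paginated listing; the token is a string offset.
func listPage(ids []string, token string, size int) ([]string, string, error) {
	if token == "" {
		token = "0" // an empty token requests the first page
	}
	start, err := strconv.Atoi(token)
	if err != nil || start < 0 || start > len(ids) || size < 1 {
		return nil, "", fmt.Errorf("invalid page request: token %q, size %d", token, size)
	}
	if end := start + size; end < len(ids) {
		return ids[start:end], strconv.Itoa(end), nil
	}
	return ids[start:], "", nil // an empty token marks the last page
}

// validateStored walks every page and stops at the first foreign trust domain.
func validateStored(ids []string, trustDomain string, size int) error {
	page, token, err := listPage(ids, "", size)
	for ; err == nil; page, token, err = listPage(ids, token, size) {
		if err = checkPage(page, trustDomain); err != nil || token == "" {
			return err
		}
	}
	return err
}

func main() { fmt.Println(validateStored(sample, "example.org", 2)) }
```

Checking only a first page of size 1, as proposed in the review, costs one query but would pass the constructed sample, whose foreign ID is the last one stored.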