Add support for GCP identity tokens.

This commit is contained in:
Mariano Cano 2019-04-17 17:28:21 -07:00
parent 6af1e95c5b
commit f794dbeb93
5 changed files with 345 additions and 10 deletions

View file

@ -70,13 +70,17 @@ func (c *Collection) LoadByToken(token *jose.JSONWebToken, claims *jose.Claims)
if err := token.UnsafeClaimsWithoutVerification(&payload); err != nil {
return nil, false
}
// audience is required
// Audience is required
if len(payload.Audience) == 0 {
return nil, false
}
// Try with azp (OIDC)
if len(payload.AuthorizedParty) > 0 {
return c.Load(payload.AuthorizedParty)
if p, ok := c.Load(payload.AuthorizedParty); ok {
return p, ok
}
}
// Fallback to aud (GCP)
return c.Load(payload.Audience[0])
}

View file

@ -0,0 +1,233 @@
package provisioner
import (
"bytes"
"crypto/sha256"
"crypto/x509"
"encoding/hex"
"fmt"
"io/ioutil"
"net/http"
"net/url"
"strings"
"time"
"github.com/pkg/errors"
"github.com/smallstep/cli/jose"
)
// gcpPayload extends jwt.Claims with custom GCP attributes.
type gcpPayload struct {
jose.Claims
AuthorizedParty string `json:"azp"`
Email string `json:"email"`
EmailVerified bool `json:"email_verified"`
Google gcpGooglePayload `json:"google"`
}
type gcpGooglePayload struct {
ComputeEngine gcpComputeEnginePayload `json:"compute_engine"`
}
type gcpComputeEnginePayload struct {
InstanceID string `json:"instance_id"`
InstanceName string `json:"instance_name"`
InstanceCreationTimestamp *jose.NumericDate `json:"instance_creation_timestamp"`
ProjectID string `json:"project_id"`
ProjectNumber int64 `json:"project_number"`
Zone string `json:"zone"`
LicenseID []string `json:"license_id"`
}
// GCP is the provisioner that supports identity tokens created by the Google
// Cloud Platform metadata API.
type GCP struct {
Type string `json:"type"`
Name string `json:"name"`
ServiceAccounts []string `json:"serviceAccounts"`
Claims *Claims `json:"claims,omitempty"`
claimer *Claimer
certStore *keyStore
}
// GetID returns the provisioner unique identifier. The name should uniquely
// identify any GCP provisioner.
func (p *GCP) GetID() string {
return "gcp:" + p.Name
}
// GetTokenID returns the identifier of the token. For GCP this is the sha256 of
// "instance_id.iat.exp".
func (p *GCP) GetTokenID(token string) (string, error) {
jwt, err := jose.ParseSigned(token)
if err != nil {
return "", errors.Wrap(err, "error parsing token")
}
// Get claims w/out verification.
var claims gcpPayload
if err = jwt.UnsafeClaimsWithoutVerification(&claims); err != nil {
return "", errors.Wrap(err, "error verifying claims")
}
unique := fmt.Sprintf("%s.%d.%d", claims.Google.ComputeEngine.InstanceID, claims.IssuedAt, claims.Expiry)
sum := sha256.Sum256([]byte(unique))
return strings.ToLower(hex.EncodeToString(sum[:])), nil
}
// GetName returns the name of the provisioner.
func (p *GCP) GetName() string {
return p.Name
}
// GetType returns the type of provisioner.
func (p *GCP) GetType() Type {
return TypeGCP
}
// GetEncryptedKey is not available in a GCP provisioner.
func (p *GCP) GetEncryptedKey() (kid string, key string, ok bool) {
return "", "", false
}
// Init validates and initializes the GCP provider.
func (p *GCP) Init(config Config) error {
var err error
switch {
case p.Type == "":
return errors.New("provisioner type cannot be empty")
case p.Name == "":
return errors.New("provisioner name cannot be empty")
}
// Update claims with global ones
if p.claimer, err = NewClaimer(p.Claims, config.Claims); err != nil {
return err
}
// Initialize certificate store
p.certStore, err = newCertificateStore("https://www.googleapis.com/oauth2/v1/certs")
if err != nil {
return err
}
return nil
}
// AuthorizeSign validates the given token and returns the sign options that
// will be used on certificate creation.
func (p *GCP) AuthorizeSign(token string) ([]SignOption, error) {
claims, err := p.authorizeToken(token)
if err != nil {
return nil, err
}
ce := claims.Google.ComputeEngine
dnsNames := []string{
fmt.Sprintf("%s.c.%s.internal", ce.InstanceName, ce.ProjectID),
fmt.Sprintf("%s.%s.c.%s.internal", ce.InstanceName, ce.Zone, ce.ProjectID),
}
return []SignOption{
commonNameValidator(ce.InstanceName),
dnsNamesValidator(dnsNames),
profileDefaultDuration(p.claimer.DefaultTLSCertDuration()),
newProvisionerExtensionOption(TypeGCP, p.Name, claims.AuthorizedParty),
newValidityValidator(p.claimer.MinTLSCertDuration(), p.claimer.MaxTLSCertDuration()),
}, nil
}
// AuthorizeRenewal returns an error if the renewal is disabled.
func (p *GCP) AuthorizeRenewal(cert *x509.Certificate) error {
if p.claimer.IsDisableRenewal() {
return errors.Errorf("renew is disabled for provisioner %s", p.GetID())
}
return nil
}
// AuthorizeRevoke returns an error if the provisioner does not have rights to
// revoke a certificate.
func (p *GCP) AuthorizeRevoke(token string) error {
_, err := p.authorizeToken(token)
return err
}
// GetIdentityURL returns the url that generates the GCP token.
func (p *GCP) GetIdentityURL() string {
audience := url.QueryEscape(p.GetID())
return fmt.Sprintf("http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience=%s&format=full&licenses=FALSE", audience)
}
// GetIdentityToken does an HTTP request to the identity url.
func (p *GCP) GetIdentityToken() (string, error) {
req, err := http.NewRequest("GET", p.GetIdentityURL(), http.NoBody)
if err != nil {
return "", errors.Wrap(err, "error creating identity request")
}
req.Header.Set("Metadata-Flavor", "Google")
resp, err := http.DefaultClient.Do(req)
if err != nil {
return "", errors.Wrap(err, "error doing identity request, are you in a GCP VM?")
}
defer resp.Body.Close()
b, err := ioutil.ReadAll(resp.Body)
if err != nil {
return "", errors.Wrap(err, "error reading identity request response")
}
return string(bytes.TrimSpace(b)), nil
}
// authorizeToken performs common jwt authorization actions and returns the
// claims for case specific downstream parsing.
// e.g. a Sign request will auth/validate different fields than a Revoke request.
func (p *GCP) authorizeToken(token string) (*gcpPayload, error) {
jwt, err := jose.ParseSigned(token)
if err != nil {
return nil, errors.Wrapf(err, "error parsing token")
}
if len(jwt.Headers) == 0 {
return nil, errors.New("error parsing token: header is missing")
}
kid := jwt.Headers[0].KeyID
cert := p.certStore.GetCertificate(kid)
if cert == nil {
return nil, errors.Errorf("failed to validate payload: cannot find certificate for kid %s", kid)
}
var claims gcpPayload
if err = jwt.Claims(cert.PublicKey, &claims); err != nil {
return nil, errors.Wrap(err, "error parsing claims")
}
// According to "rfc7519 JSON Web Token" acceptable skew should be no
// more than a few minutes.
if err = claims.ValidateWithLeeway(jose.Expected{
Issuer: "https://accounts.google.com",
Time: time.Now().UTC(),
Audience: []string{p.GetID()},
}, time.Minute); err != nil {
return nil, errors.Wrapf(err, "invalid token")
}
// validate authorized party
if len(p.ServiceAccounts) > 0 {
var found bool
for _, sa := range p.ServiceAccounts {
if sa == claims.AuthorizedParty {
found = true
break
}
}
if !found {
return nil, errors.New("invalid token: invalid authorized party claim (azp)")
}
}
switch {
case claims.Google.ComputeEngine.InstanceID == "":
return nil, errors.New("token google.compute_engine.instance_id cannot be empty")
case claims.Google.ComputeEngine.ProjectID == "":
return nil, errors.New("token google.compute_engine.project_id cannot be empty")
case claims.Google.ComputeEngine.Zone == "":
return nil, errors.New("token google.compute_engine.zone cannot be empty")
}
return &claims, nil
}

View file

@ -33,7 +33,6 @@ func (p *JWK) GetID() string {
return p.Name + ":" + p.Key.KeyID
}
//
// GetTokenID returns the identifier of the token.
func (p *JWK) GetTokenID(ott string) (string, error) {
// Validate payload

View file

@ -1,7 +1,9 @@
package provisioner
import (
"crypto/x509"
"encoding/json"
"encoding/pem"
"math/rand"
"net/http"
"regexp"
@ -20,10 +22,29 @@ const (
var maxAgeRegex = regexp.MustCompile("max-age=([0-9]*)")
type oauth2Certificate struct {
ID string
Certificate *x509.Certificate
}
type oauth2CertificateSet struct {
Certificates []oauth2Certificate
}
func (s oauth2CertificateSet) Get(id string) *x509.Certificate {
for _, c := range s.Certificates {
if c.ID == id {
return c.Certificate
}
}
return nil
}
type keyStore struct {
sync.RWMutex
uri string
keySet jose.JSONWebKeySet
certSet oauth2CertificateSet
timer *time.Timer
expiry time.Time
jitter time.Duration
@ -45,6 +66,22 @@ func newKeyStore(uri string) (*keyStore, error) {
return ks, nil
}
func newCertificateStore(uri string) (*keyStore, error) {
certs, age, err := getOauth2Certificates(uri)
if err != nil {
return nil, err
}
ks := &keyStore{
uri: uri,
certSet: certs,
expiry: getExpirationTime(age),
jitter: getCacheJitter(age),
}
next := ks.nextReloadDuration(age)
ks.timer = time.AfterFunc(next, ks.reloadCertificates)
return ks, nil
}
func (ks *keyStore) Close() {
ks.timer.Stop()
}
@ -62,6 +99,19 @@ func (ks *keyStore) Get(kid string) (keys []jose.JSONWebKey) {
return
}
func (ks *keyStore) GetCertificate(kid string) (cert *x509.Certificate) {
ks.RLock()
// Force reload if expiration has passed
if time.Now().After(ks.expiry) {
ks.RUnlock()
ks.reloadCertificates()
ks.RLock()
}
cert = ks.certSet.Get(kid)
ks.RUnlock()
return
}
func (ks *keyStore) reload() {
var next time.Duration
keys, age, err := getKeysFromJWKsURI(ks.uri)
@ -81,6 +131,25 @@ func (ks *keyStore) reload() {
ks.Unlock()
}
func (ks *keyStore) reloadCertificates() {
var next time.Duration
certs, age, err := getOauth2Certificates(ks.uri)
if err != nil {
next = ks.nextReloadDuration(ks.jitter / 2)
} else {
ks.Lock()
ks.certSet = certs
ks.expiry = getExpirationTime(age)
ks.jitter = getCacheJitter(age)
next = ks.nextReloadDuration(age)
ks.Unlock()
}
ks.Lock()
ks.timer.Reset(next)
ks.Unlock()
}
func (ks *keyStore) nextReloadDuration(age time.Duration) time.Duration {
n := rand.Int63n(int64(ks.jitter))
age -= time.Duration(n)
@ -103,6 +172,34 @@ func getKeysFromJWKsURI(uri string) (jose.JSONWebKeySet, time.Duration, error) {
return keys, getCacheAge(resp.Header.Get("cache-control")), nil
}
func getOauth2Certificates(uri string) (oauth2CertificateSet, time.Duration, error) {
var certs oauth2CertificateSet
resp, err := http.Get(uri)
if err != nil {
return certs, 0, errors.Wrapf(err, "failed to connect to %s", uri)
}
defer resp.Body.Close()
m := make(map[string]string)
if err := json.NewDecoder(resp.Body).Decode(&m); err != nil {
return certs, 0, errors.Wrapf(err, "error reading %s", uri)
}
for k, v := range m {
block, _ := pem.Decode([]byte(v))
if block == nil || block.Type != "CERTIFICATE" {
return certs, 0, errors.Wrapf(err, "error parsing certificate %s from %s", k, uri)
}
cert, err := x509.ParseCertificate(block.Bytes)
if err != nil {
return certs, 0, errors.Wrapf(err, "error parsing certificate %s from %s", k, uri)
}
certs.Certificates = append(certs.Certificates, oauth2Certificate{
ID: k,
Certificate: cert,
})
}
return certs, getCacheAge(resp.Header.Get("cache-control")), nil
}
func getCacheAge(cacheControl string) time.Duration {
age := defaultCacheAge
if len(cacheControl) > 0 {

View file

@ -37,12 +37,12 @@ type Type int
const (
noopType Type = 0
// TypeJWK is used to indicate the JWK provisioners.
TypeJWK Type = 1
// TypeOIDC is used to indicate the OIDC provisioners.
TypeOIDC Type = 2
// TypeGCP is used to indicate the GCP provisioners.
TypeGCP Type = 3
// RevokeAudienceKey is the key for the 'revoke' audiences in the audiences map.
RevokeAudienceKey = "revoke"
@ -86,6 +86,8 @@ func (l *List) UnmarshalJSON(data []byte) error {
p = &JWK{}
case "oidc":
p = &OIDC{}
case "gcp":
p = &GCP{}
default:
return errors.Errorf("provisioner type %s not supported", typ.Type)
}