forked from TrueCloudLab/certificates
259e95947c
The claimer, audiences and custom callback methods are now managed by the provisioner controller in an uniform way.
455 lines
13 KiB
Go
455 lines
13 KiB
Go
package provisioner
|
|
|
|
import (
|
|
"context"
|
|
"crypto/ed25519"
|
|
"crypto/x509"
|
|
"encoding/base64"
|
|
"net"
|
|
"time"
|
|
|
|
"github.com/pkg/errors"
|
|
nebula "github.com/slackhq/nebula/cert"
|
|
"github.com/smallstep/certificates/errs"
|
|
"go.step.sm/crypto/jose"
|
|
"go.step.sm/crypto/sshutil"
|
|
"go.step.sm/crypto/x25519"
|
|
"go.step.sm/crypto/x509util"
|
|
"golang.org/x/crypto/ssh"
|
|
)
|
|
|
|
const (
|
|
// NebulaCertHeader is the token header that contains a Nebula certificate.
|
|
NebulaCertHeader jose.HeaderKey = "nebula"
|
|
)
|
|
|
|
// Nebula is a provisioner that verifies tokens signed using Nebula private
|
|
// keys. The tokens contain a Nebula certificate in the header, which can be
|
|
// used to verify the token signature. The certificates are themselves verified
|
|
// using the Nebula CA certificates encoded in Roots. The verification process
|
|
// is similar to the process for X5C tokens.
|
|
//
|
|
// Because Nebula "leaf" certificates use X25519 keys, the tokens are signed
|
|
// using XEd25519 defined at
|
|
// https://signal.org/docs/specifications/xeddsa/#xeddsa and implemented by
|
|
// go.step.sm/crypto/x25519.
|
|
type Nebula struct {
|
|
ID string `json:"-"`
|
|
Type string `json:"type"`
|
|
Name string `json:"name"`
|
|
Roots []byte `json:"roots"`
|
|
Claims *Claims `json:"claims,omitempty"`
|
|
Options *Options `json:"options,omitempty"`
|
|
caPool *nebula.NebulaCAPool
|
|
ctl *Controller
|
|
}
|
|
|
|
// Init verifies and initializes the Nebula provisioner.
|
|
func (p *Nebula) Init(config Config) (err error) {
|
|
switch {
|
|
case p.Type == "":
|
|
return errors.New("provisioner type cannot be empty")
|
|
case p.Name == "":
|
|
return errors.New("provisioner name cannot be empty")
|
|
case len(p.Roots) == 0:
|
|
return errors.New("provisioner root(s) cannot be empty")
|
|
}
|
|
|
|
p.caPool, err = nebula.NewCAPoolFromBytes(p.Roots)
|
|
if err != nil {
|
|
return errs.InternalServer("failed to create ca pool: %v", err)
|
|
}
|
|
|
|
config.Audiences = config.Audiences.WithFragment(p.GetIDForToken())
|
|
p.ctl, err = NewController(p, p.Claims, config)
|
|
return
|
|
}
|
|
|
|
// GetID returns the provisioner id.
|
|
func (p *Nebula) GetID() string {
|
|
if p.ID != "" {
|
|
return p.ID
|
|
}
|
|
return p.GetIDForToken()
|
|
}
|
|
|
|
// GetIDForToken returns an identifier that will be used to load the provisioner
|
|
// from a token.
|
|
func (p *Nebula) GetIDForToken() string {
|
|
return "nebula/" + p.Name
|
|
}
|
|
|
|
// GetTokenID returns the identifier of the token.
|
|
func (p *Nebula) GetTokenID(token string) (string, error) {
|
|
// Validate payload
|
|
t, err := jose.ParseSigned(token)
|
|
if err != nil {
|
|
return "", errors.Wrap(err, "error parsing token")
|
|
}
|
|
|
|
// Get claims w/out verification. We need to look up the provisioner
|
|
// key in order to verify the claims and we need the issuer from the claims
|
|
// before we can look up the provisioner.
|
|
var claims jose.Claims
|
|
if err = t.UnsafeClaimsWithoutVerification(&claims); err != nil {
|
|
return "", errors.Wrap(err, "error verifying claims")
|
|
}
|
|
return claims.ID, nil
|
|
}
|
|
|
|
// GetName returns the name of the provisioner.
|
|
func (p *Nebula) GetName() string {
|
|
return p.Name
|
|
}
|
|
|
|
// GetType returns the type of provisioner.
|
|
func (p *Nebula) GetType() Type {
|
|
return TypeNebula
|
|
}
|
|
|
|
// GetEncryptedKey returns the base provisioner encrypted key if it's defined.
|
|
func (p *Nebula) GetEncryptedKey() (kid, key string, ok bool) {
|
|
return "", "", false
|
|
}
|
|
|
|
// AuthorizeSign returns the list of SignOption for a Sign request.
|
|
func (p *Nebula) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
|
|
crt, claims, err := p.authorizeToken(token, p.ctl.Audiences.Sign)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
sans := claims.SANs
|
|
if len(sans) == 0 {
|
|
sans = make([]string, len(crt.Details.Ips)+1)
|
|
sans[0] = crt.Details.Name
|
|
for i, ipnet := range crt.Details.Ips {
|
|
sans[i+1] = ipnet.IP.String()
|
|
}
|
|
}
|
|
|
|
data := x509util.CreateTemplateData(claims.Subject, sans)
|
|
if v, err := unsafeParseSigned(token); err == nil {
|
|
data.SetToken(v)
|
|
}
|
|
|
|
// The Nebula certificate will be available using the template variable
|
|
// AuthorizationCrt. For example {{ .AuthorizationCrt.Details.Groups }} can
|
|
// be used to get all the groups.
|
|
data.SetAuthorizationCertificate(crt)
|
|
|
|
templateOptions, err := TemplateOptions(p.Options, data)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return []SignOption{
|
|
templateOptions,
|
|
// modifiers / withOptions
|
|
newProvisionerExtensionOption(TypeNebula, p.Name, ""),
|
|
profileLimitDuration{
|
|
def: p.ctl.Claimer.DefaultTLSCertDuration(),
|
|
notBefore: crt.Details.NotBefore,
|
|
notAfter: crt.Details.NotAfter,
|
|
},
|
|
// validators
|
|
commonNameValidator(claims.Subject),
|
|
nebulaSANsValidator{
|
|
Name: crt.Details.Name,
|
|
IPs: crt.Details.Ips,
|
|
},
|
|
defaultPublicKeyValidator{},
|
|
newValidityValidator(p.ctl.Claimer.MinTLSCertDuration(), p.ctl.Claimer.MaxTLSCertDuration()),
|
|
}, nil
|
|
}
|
|
|
|
// AuthorizeSSHSign returns the list of SignOption for a SignSSH request.
|
|
// Currently the Nebula provisioner only grants host SSH certificates.
|
|
func (p *Nebula) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error) {
|
|
if !p.ctl.Claimer.IsSSHCAEnabled() {
|
|
return nil, errs.Unauthorized("ssh is disabled for nebula provisioner '%s'", p.Name)
|
|
}
|
|
|
|
crt, claims, err := p.authorizeToken(token, p.ctl.Audiences.SSHSign)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// Default template attributes.
|
|
keyID := claims.Subject
|
|
principals := make([]string, len(crt.Details.Ips)+1)
|
|
principals[0] = crt.Details.Name
|
|
for i, ipnet := range crt.Details.Ips {
|
|
principals[i+1] = ipnet.IP.String()
|
|
}
|
|
|
|
var signOptions []SignOption
|
|
// If step ssh options are given, validate them and set key id, principals
|
|
// and validity.
|
|
if claims.Step != nil && claims.Step.SSH != nil {
|
|
opts := claims.Step.SSH
|
|
|
|
// Check that the token only contains valid principals.
|
|
v := nebulaPrincipalsValidator{
|
|
Name: crt.Details.Name,
|
|
IPs: crt.Details.Ips,
|
|
}
|
|
if err := v.Valid(*opts); err != nil {
|
|
return nil, err
|
|
}
|
|
// Check that the cert type is a valid one.
|
|
if opts.CertType != "" && opts.CertType != SSHHostCert {
|
|
return nil, errs.Forbidden("ssh certificate type does not match - got %v, want %v", opts.CertType, SSHHostCert)
|
|
}
|
|
|
|
signOptions = []SignOption{
|
|
// validate is a host certificate and users's KeyID is the subject.
|
|
sshCertOptionsValidator(SignSSHOptions{
|
|
CertType: SSHHostCert,
|
|
KeyID: claims.Subject,
|
|
}),
|
|
// validates user's SSHOptions with the ones in the token
|
|
sshCertOptionsValidator(*opts),
|
|
}
|
|
|
|
// Use options in the token.
|
|
if opts.KeyID != "" {
|
|
keyID = opts.KeyID
|
|
}
|
|
if len(opts.Principals) > 0 {
|
|
principals = opts.Principals
|
|
}
|
|
|
|
// Add modifiers from custom claims
|
|
t := now()
|
|
if !opts.ValidAfter.IsZero() {
|
|
signOptions = append(signOptions, sshCertValidAfterModifier(opts.ValidAfter.RelativeTime(t).Unix()))
|
|
}
|
|
if !opts.ValidBefore.IsZero() {
|
|
signOptions = append(signOptions, sshCertValidBeforeModifier(opts.ValidBefore.RelativeTime(t).Unix()))
|
|
}
|
|
}
|
|
|
|
// Certificate templates.
|
|
data := sshutil.CreateTemplateData(sshutil.HostCert, keyID, principals)
|
|
if v, err := unsafeParseSigned(token); err == nil {
|
|
data.SetToken(v)
|
|
}
|
|
|
|
// The Nebula certificate will be available using the template variable Crt.
|
|
// For example {{ .AuthorizationCrt.Details.Groups }} can be used to get all the groups.
|
|
data.SetAuthorizationCertificate(crt)
|
|
|
|
templateOptions, err := TemplateSSHOptions(p.Options, data)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return append(signOptions,
|
|
templateOptions,
|
|
// Checks the validity bounds, and set the validity if has not been set.
|
|
&sshLimitDuration{p.ctl.Claimer, crt.Details.NotAfter},
|
|
// Validate public key.
|
|
&sshDefaultPublicKeyValidator{},
|
|
// Validate the validity period.
|
|
&sshCertValidityValidator{p.ctl.Claimer},
|
|
// Require all the fields in the SSH certificate
|
|
&sshCertDefaultValidator{},
|
|
), nil
|
|
}
|
|
|
|
// AuthorizeRenew returns an error if the renewal is disabled.
|
|
func (p *Nebula) AuthorizeRenew(ctx context.Context, crt *x509.Certificate) error {
|
|
if p.ctl.Claimer.IsDisableRenewal() {
|
|
return errs.Unauthorized("renew is disabled for nebula provisioner '%s'", p.GetName())
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// AuthorizeRevoke returns an error if the token is not valid.
|
|
func (p *Nebula) AuthorizeRevoke(ctx context.Context, token string) error {
|
|
return p.validateToken(token, p.ctl.Audiences.Revoke)
|
|
}
|
|
|
|
// AuthorizeSSHRevoke returns an error if SSH is disabled or the token is invalid.
|
|
func (p *Nebula) AuthorizeSSHRevoke(ctx context.Context, token string) error {
|
|
if !p.ctl.Claimer.IsSSHCAEnabled() {
|
|
return errs.Unauthorized("ssh is disabled for nebula provisioner '%s'", p.Name)
|
|
}
|
|
if _, _, err := p.authorizeToken(token, p.ctl.Audiences.SSHRevoke); err != nil {
|
|
return err
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// AuthorizeSSHRenew returns an unauthorized error.
|
|
func (p *Nebula) AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Certificate, error) {
|
|
return nil, errs.Unauthorized("nebula provisioner does not support SSH renew")
|
|
}
|
|
|
|
// AuthorizeSSHRekey returns an unauthorized error.
|
|
func (p *Nebula) AuthorizeSSHRekey(ctx context.Context, token string) (*ssh.Certificate, []SignOption, error) {
|
|
return nil, nil, errs.Unauthorized("nebula provisioner does not support SSH rekey")
|
|
}
|
|
|
|
func (p *Nebula) validateToken(token string, audiences []string) error {
|
|
_, _, err := p.authorizeToken(token, audiences)
|
|
return err
|
|
}
|
|
|
|
func (p *Nebula) authorizeToken(token string, audiences []string) (*nebula.NebulaCertificate, *jwtPayload, error) {
|
|
jwt, err := jose.ParseSigned(token)
|
|
if err != nil {
|
|
return nil, nil, errs.UnauthorizedErr(err, errs.WithMessage("failed to parse token"))
|
|
}
|
|
|
|
// Extract Nebula certificate
|
|
h, ok := jwt.Headers[0].ExtraHeaders[NebulaCertHeader]
|
|
if !ok {
|
|
return nil, nil, errs.Unauthorized("failed to parse token: nebula header is missing")
|
|
}
|
|
s, ok := h.(string)
|
|
if !ok {
|
|
return nil, nil, errs.Unauthorized("failed to parse token: nebula header is not valid")
|
|
}
|
|
b, err := base64.StdEncoding.DecodeString(s)
|
|
if err != nil {
|
|
return nil, nil, errs.UnauthorizedErr(err, errs.WithMessage("failed to parse token: nebula header is not valid"))
|
|
}
|
|
c, err := nebula.UnmarshalNebulaCertificate(b)
|
|
if err != nil {
|
|
return nil, nil, errs.UnauthorizedErr(err, errs.WithMessage("failed to parse nebula certificate: nebula header is not valid"))
|
|
}
|
|
|
|
// Validate nebula certificate against CAs
|
|
if valid, err := c.Verify(now(), p.caPool); !valid {
|
|
if err != nil {
|
|
return nil, nil, errs.UnauthorizedErr(err, errs.WithMessage("token is not valid: failed to verify certificate against configured CA"))
|
|
}
|
|
return nil, nil, errs.Unauthorized("token is not valid: failed to verify certificate against configured CA")
|
|
}
|
|
|
|
var pub interface{}
|
|
if c.Details.IsCA {
|
|
pub = ed25519.PublicKey(c.Details.PublicKey)
|
|
} else {
|
|
pub = x25519.PublicKey(c.Details.PublicKey)
|
|
}
|
|
|
|
// Validate token with public key
|
|
var claims jwtPayload
|
|
if err := jose.Verify(jwt, pub, &claims); err != nil {
|
|
return nil, nil, errs.UnauthorizedErr(err, errs.WithMessage("token is not valid: signature does not match"))
|
|
}
|
|
|
|
// According to "rfc7519 JSON Web Token" acceptable skew should be no
|
|
// more than a few minutes.
|
|
if err = claims.ValidateWithLeeway(jose.Expected{
|
|
Issuer: p.Name,
|
|
Time: now(),
|
|
}, time.Minute); err != nil {
|
|
return nil, nil, errs.UnauthorizedErr(err, errs.WithMessage("token is not valid: invalid claims"))
|
|
}
|
|
// Validate token and subject too.
|
|
if !matchesAudience(claims.Audience, audiences) {
|
|
return nil, nil, errs.Unauthorized("token is not valid: invalid claims")
|
|
}
|
|
if claims.Subject == "" {
|
|
return nil, nil, errs.Unauthorized("token is not valid: subject cannot be empty")
|
|
}
|
|
|
|
return c, &claims, nil
|
|
}
|
|
|
|
type nebulaSANsValidator struct {
|
|
Name string
|
|
IPs []*net.IPNet
|
|
}
|
|
|
|
// Valid verifies that the SANs stored in the validator are contained with those
|
|
// requested in the x509 certificate request.
|
|
func (v nebulaSANsValidator) Valid(req *x509.CertificateRequest) error {
|
|
dnsNames, ips, emails, uris := x509util.SplitSANs([]string{v.Name})
|
|
if len(req.DNSNames) > 0 {
|
|
if err := dnsNamesValidator(dnsNames).Valid(req); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
if len(req.EmailAddresses) > 0 {
|
|
if err := emailAddressesValidator(emails).Valid(req); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
if len(req.URIs) > 0 {
|
|
if err := urisValidator(uris).Valid(req); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
if len(req.IPAddresses) > 0 {
|
|
for _, ip := range req.IPAddresses {
|
|
var valid bool
|
|
// Check ip in name
|
|
for _, ipInName := range ips {
|
|
if ip.Equal(ipInName) {
|
|
valid = true
|
|
break
|
|
}
|
|
}
|
|
// Check ip network
|
|
if !valid {
|
|
for _, ipNet := range v.IPs {
|
|
if ip.Equal(ipNet.IP) {
|
|
valid = true
|
|
break
|
|
}
|
|
}
|
|
}
|
|
if !valid {
|
|
for _, ipNet := range v.IPs {
|
|
ips = append(ips, ipNet.IP)
|
|
}
|
|
return errs.Forbidden("certificate request contains invalid IP addresses - got %v, want %v", req.IPAddresses, ips)
|
|
}
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
type nebulaPrincipalsValidator struct {
|
|
Name string
|
|
IPs []*net.IPNet
|
|
}
|
|
|
|
// Valid checks that the SignSSHOptions principals contains only names in the
|
|
// Nebula certificate.
|
|
func (v nebulaPrincipalsValidator) Valid(got SignSSHOptions) error {
|
|
for _, p := range got.Principals {
|
|
var valid bool
|
|
if p == v.Name {
|
|
valid = true
|
|
}
|
|
if !valid {
|
|
if ip := net.ParseIP(p); ip != nil {
|
|
for _, ipnet := range v.IPs {
|
|
if ip.Equal(ipnet.IP) {
|
|
valid = true
|
|
break
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
if !valid {
|
|
ips := make([]net.IP, len(v.IPs))
|
|
for i, ipNet := range v.IPs {
|
|
ips[i] = ipNet.IP
|
|
}
|
|
return errs.Forbidden(
|
|
"ssh certificate principals contains invalid name or IP addresses - got %v, want %s or %v",
|
|
got.Principals, v.Name, ips,
|
|
)
|
|
}
|
|
}
|
|
return nil
|
|
}
|