Add taint upstream authority #5340
Conversation
MarcosDY
force-pushed
the
poc-taint-upstream-authority
branch
2 times, most recently
from
7b19089
to
a429675
Compare
MarcosDY
changed the title
MarcosDY
requested review from
evan2645,
amartinezfayo,
azdagron and
rturner3
as code owners
| } | ||
|
|
||
| func toProtoFields(jwtKey JWTKey) (string, []byte, int64, error) { | ||
| func toProtoFields(jwtKey JWTKey) (string, []byte, int64, bool, error) { |
There was a problem hiding this comment.
It's becoming more difficult to guess what each return value means in this function. I think that it would be good to have named return values as an easy way to document the meaning of each of them.
| if req.AuthorityId != "" { | ||
| log = log.WithField(telemetry.LocalAuthorityID, req.AuthorityId) | ||
| } | ||
|
|
||
| if s.ca.IsUpstreamAuthority() { | ||
| return nil, api.MakeErr(log, codes.FailedPrecondition, "local authority can't be tainted if there is an upstream authorit", nil) |
There was a problem hiding this comment.
| return nil, api.MakeErr(log, codes.FailedPrecondition, "local authority can't be tainted if there is an upstream authorit", nil) | |
| return nil, api.MakeErr(log, codes.FailedPrecondition, "local authority can't be tainted if there is an upstream authority", nil) |
pkg/common/telemetry/names.go
Outdated
| @@ -541,6 +541,9 @@ const ( | |||
| // with other tags to add clarity | |||
| Subject = "subject" | |||
|
|
|||
| // Subject tags a certificate subject key ID | |||
There was a problem hiding this comment.
| // Subject tags a certificate subject key ID | |
| // SubjectKeyID tags a certificate subject key ID |
| } | ||
|
|
||
| rpccontext.AuditRPC(ctx) | ||
| log.Info("X.509 upstream authority revoked successfully") |
There was a problem hiding this comment.
| log.Info("X.509 upstream authority revoked successfully") | |
| log.Info("X.509 upstream authority successfully revoked") |
| return "", nil, err | ||
| nextSlot := s.ca.GetNextX509CASlot() | ||
| if subjectKeyIDRequest != nextSlot.UpstreamAuthorityID() { | ||
| return errors.New("upstream authority is not signing Old local authority") |
There was a problem hiding this comment.
| return errors.New("upstream authority is not signing Old local authority") | |
| return errors.New("upstream authority didn't sign the old local authority") |
| bundle.X509TaintedKeys = append(bundle.X509TaintedKeys, &common.X509TaintedKey{PublicKey: pKey}) | ||
| if !found { | ||
| return status.Errorf(codes.NotFound, "no ca found with provided subject key ID") | ||
| } | ||
|
|
||
| _, err = updateBundle(tx, bundle, nil) |
There was a problem hiding this comment.
I think that we should increment bundle.SequenceNumber before calling updateBundle, otherwise SequenceNumber will remain the same.
| if !keyFound { | ||
| return status.Error(codes.NotFound, "no root CA found with provided subject key ID") | ||
| } | ||
|
|
||
| bundle.RootCas = rootCAs | ||
|
|
||
| if _, err := updateBundle(tx, bundle, nil); err != nil { |
There was a problem hiding this comment.
I think that we should increment bundle.SequenceNumber before calling updateBundle, otherwise SequenceNumber will remain the same.
| // No able to revoke untainted bundles | ||
| err = s.ds.RevokeX509CA(ctx, "spiffe://foo", s.cert.PublicKey) | ||
| spiretest.RequireGRPCStatus(t, err, codes.InvalidArgument, "it is not possible to revoke an untainted root CA") | ||
| t.Run("Unable to revoke untainted bundles", func(t *testing.T) { |
There was a problem hiding this comment.
It would be good to check that the sequence number of the bundle remains the same for those cases that fail.
| {PublicKey: certPublicKeyRaw}, | ||
| } | ||
| require.Equal(t, expectedTaintedKeys, fetchedBundle.X509TaintedKeys) | ||
| t.Run("no bundle with provided skID", func(t *testing.T) { |
There was a problem hiding this comment.
It would be good to check that the sequence number of the bundle remains the same for those cases that fail.
|
|
||
| fetchedBundle, err := s.ds.FetchBundle(ctx, "spiffe://foo") | ||
| require.NoError(t, err) | ||
| t.Run("Revoke successfully", func(t *testing.T) { |
There was a problem hiding this comment.
It would be good to check that the sequence number of the bundle is incremented on successful operations.
|
It's looking great! I think that we are missing propagating the tainted bit in some places: |
|
TestCommonBundleFromProto should capture the proper propagation of the tainted bit. |
Signed-off-by: Marcos Yacob <[email protected]>
client Signed-off-by: Marcos Yacob <[email protected]>
Signed-off-by: Marcos Yacob <[email protected]>
Signed-off-by: Marcos Yacob <[email protected]>
Signed-off-by: Marcos Yacob <[email protected]>
Signed-off-by: Marcos Yacob <[email protected]>
Signed-off-by: Marcos Yacob <[email protected]>
Signed-off-by: Marcos Yacob <[email protected]>
Signed-off-by: Marcos Yacob <[email protected]>
Signed-off-by: Marcos Yacob <[email protected]>
Signed-off-by: Marcos Yacob <[email protected]>
Signed-off-by: Marcos Yacob <[email protected]>
Signed-off-by: Marcos Yacob <[email protected]>
Signed-off-by: Marcos Yacob <[email protected]>
Signed-off-by: Marcos Yacob <[email protected]>
Signed-off-by: Marcos Yacob <[email protected]>
MarcosDY
force-pushed
the
poc-taint-upstream-authority
branch
from
ae61b82
to
ed3ef5a
Compare
|
we discuss to add that propagation as part of #5394 to reduce changes to apply in this PR and it is not required for current PR functionality |
Pull Request check list
Affected functionality
no actual functionalities are affected
Description of change
To taint a local authority that is using an upstream authority, we need a way to taint the upstream authority itself and rotate intermediates + SVIDs using that tainted upstream authority.
This PR aims to add a new RPC that allows tainting an upstream authority using SKID as the identifier, update the datastore with that information, and propagate it to downstream servers.
This PR is not forcing rotation but only propagating tainted authorities. Forcing rotations will happen in other PRs.
Changes to the SDK can be found here.
Which issue this PR fixes
fixes #3899, #3893, #3900