security

package
v0.0.0-...-68e92cc Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 18, 2024 License: Apache-2.0 Imports: 22 Imported by: 5

Documentation

Index

Constants

View Source 
const (

	// DefaultCertChainFilePath is the well-known path for an existing certificate chain file
	DefaultCertChainFilePath = "./etc/certs/cert-chain.pem"

	// DefaultKeyFilePath is the well-known path for an existing key file
	DefaultKeyFilePath = "./etc/certs/key.pem"

	// DefaultRootCertFilePath is the well-known path for an existing root certificate file
	DefaultRootCertFilePath = "./etc/certs/root-cert.pem"

	// WorkloadIdentitySocketPath is the well-known path to the Unix Domain Socket for SDS.
	WorkloadIdentitySocketPath = "./var/run/secrets/workload-spiffe-uds/socket"

	// CredentialNameSocketPath is the well-known path to the Unix Domain Socket for Credential Name.
	CredentialNameSocketPath = "./var/run/secrets/credential-uds/socket"

	// CredentialMetaDataName is the name in node meta data.
	CredentialMetaDataName = "credential"

	// SDSExternalClusterName is the name of the cluster for external SDS connections which is defined via CredentialNameSocketPath
	SDSExternalClusterName = "sds-external"

	// SDSExternalCredentialPrefix is the prefix for the credentialName which will utilize external SDS connections defined via CredentialNameSocketPath
	SDSExternalCredentialPrefix = "sds://"

	// WorkloadIdentityCredentialsPath is the well-known path to a folder with workload certificate files.
	WorkloadIdentityCredentialsPath = "./var/run/secrets/workload-spiffe-credentials"

	// WorkloadIdentityCertChainPath is the well-known path to a workload certificate chain file.
	WorkloadIdentityCertChainPath = WorkloadIdentityCredentialsPath + "/cert-chain.pem"

	// WorkloadIdentityKeyPath is the well-known path to a workload key file.
	WorkloadIdentityKeyPath = WorkloadIdentityCredentialsPath + "/key.pem"

	// WorkloadIdentityRootCertPath is the well-known path to a workload root certificate file.
	WorkloadIdentityRootCertPath = WorkloadIdentityCredentialsPath + "/root-cert.pem"

	// GkeWorkloadCertChainFilePath is the well-known path for the GKE workload certificate chain file.
	// Quoted from https://cloud.google.com/traffic-director/docs/security-proxyless-setup#create-service:
	// "On creation, each Pod gets a volume at /var/run/secrets/workload-spiffe-credentials."
	GkeWorkloadCertChainFilePath = WorkloadIdentityCredentialsPath + "/certificates.pem"

	// GkeWorkloadKeyFilePath is the well-known path for the GKE workload certificate key file
	GkeWorkloadKeyFilePath = WorkloadIdentityCredentialsPath + "/private_key.pem"

	// GkeWorkloadRootCertFilePath is the well-known path for the GKE workload root certificate file
	GkeWorkloadRootCertFilePath = WorkloadIdentityCredentialsPath + "/ca_certificates.pem"

	// SystemRootCerts is special case input for root cert configuration to use system root certificates.
	SystemRootCerts = "SYSTEM"

	// RootCertReqResourceName is resource name of discovery request for root certificate.
	RootCertReqResourceName = "ROOTCA"

	// WorkloadKeyCertResourceName is the resource name of the discovery request for workload
	// identity.
	WorkloadKeyCertResourceName = "default"

	// GCE is Credential fetcher type of Google plugin
	GCE = "GoogleComputeEngine"

	// JWT is a Credential fetcher type that reads from a JWT token file
	JWT = "JWT"

	// Mock is Credential fetcher type of mock plugin
	Mock = "Mock" // testing only

	// GoogleCAProvider uses the Google CA for workload certificate signing
	GoogleCAProvider = "GoogleCA"

	// GoogleCASProvider uses the Google certificate Authority Service to sign workload certificates
	GoogleCASProvider = "GoogleCAS"

	// GkeWorkloadCertificateProvider uses the GKE workload certificates
	GkeWorkloadCertificateProvider = "GkeWorkloadCertificate"

	// FileRootSystemCACert is a unique resource name signaling that the system CA certificate should be used
	FileRootSystemCACert = "file-root:system"
)
View Source 
const (
	BearerTokenPrefix = "Bearer "

	K8sTokenPrefix = "Istio "

	// CertSigner info
	CertSigner = "CertSigner"

	// ImpersonatedIdentity declares the identity we are requesting a certificate on behalf of.
	// This is constrained to only allow identities in CATrustedNodeAccounts, and only to impersonate identities
	// on their node.
	ImpersonatedIdentity = "ImpersonatedIdentity"
)
View Source 
const (
	ResourceSeparator = "~"
)

Variables

View Source 
var (
	// Require3PToken disables the use of K8S 1P tokens. Note that 1P tokens can be used to request
	// 3P TOKENS. A 1P token is the token automatically mounted by Kubelet and used for authentication with
	// the Apiserver.
	Require3PToken = env.Register("REQUIRE_3P_TOKEN", false,
		"Reject k8s default tokens, without audience. If false, default K8S token will be accepted")

	// TokenAudiences specifies a list of audiences for SDS trustworthy JWT. This is to make sure that the CSR requests
	// contain the JWTs intended for Citadel.
	TokenAudiences = strings.Split(env.Register("TOKEN_AUDIENCES", "istio-ca",
		"A list of comma separated audiences to check in the JWT token before issuing a certificate. "+
			"The token is accepted if it matches with one of the audiences").Get(), ",")
)

TODO: For 1.8, make sure MeshConfig is updated with those settings, they should be dynamic to allow migrations without restart. Both are critical.

View Source 
var AuthPlaintext = env.Register("XDS_AUTH_PLAINTEXT", false,
	"authenticate plain text requests - used if Istiod is running on a secure/trusted network").Get()
View Source 
var CARetryOptions = []retry.CallOption{
	retry.WithMax(5),
	retry.WithBackoff(wrapBackoffWithMetrics(retry.BackoffExponentialWithJitter(100*time.Millisecond, 0.1))),
	retry.WithCodes(codes.Canceled, codes.DeadlineExceeded, codes.ResourceExhausted, codes.Aborted, codes.Internal, codes.Unavailable),
}

CARetryOptions returns the default retry options recommended for CA calls This includes 5 retries, with backoff from 100ms -> 1.6s with jitter.

Functions

func CARetryInterceptor 

func CARetryInterceptor() grpc.DialOption

CARetryInterceptor is a grpc UnaryInterceptor that adds retry options, as a convenience wrapper around CARetryOptions. If needed to chain with other interceptors, the CARetryOptions can be used directly.

func CheckWorkloadCertificate 

func CheckWorkloadCertificate(certChainFilePath, keyFilePath, rootCertFilePath string) bool

CheckWorkloadCertificate returns true when the workload certificate files are present under the provided paths. Otherwise, return false.

func ExtractBearerToken 

func ExtractBearerToken(ctx context.Context) (string, error)

func ExtractRequestToken 

func ExtractRequestToken(req *http.Request) (string, error)

func GetConnectionAddress 

func GetConnectionAddress(ctx context.Context) string

func GetOSRootFilePath 

func GetOSRootFilePath() string

GetOSRootFilePath returns the first file path detected from a list of known CA certificate file paths. If none of the known CA certificate files are found, a warning in printed and an empty string is returned.

Types

type AuthContext 

type AuthContext struct {
	// grpc context
	GrpcContext context.Context
	// http request
	Request *http.Request
}

func (*AuthContext) Header 

func (ac *AuthContext) Header(header string) []string

Header returns the authenticated remote address from AuthContext.

func (*AuthContext) RemoteAddress 

func (ac *AuthContext) RemoteAddress() string

RemoteAddress returns the authenticated remote address from AuthContext.

type AuthSource 

type AuthSource int

AuthSource represents where authentication result is derived from. 

const (
	AuthSourceClientCertificate AuthSource = iota
	AuthSourceIDToken
)

type Authenticator 

type Authenticator interface {
	Authenticate(ctx AuthContext) (*Caller, error)
	AuthenticatorType() string
}

Authenticator determines the caller identity based on request context.

type Caller 

type Caller struct {
	AuthSource AuthSource
	Identities []string

	KubernetesInfo KubernetesInfo
}

Caller carries the identity and authentication source of a caller.

func Authenticate 

func Authenticate(ctx context.Context, authenticators []Authenticator) (*Caller, error)

Authenticate authenticates the ADS request using the configured authenticators. Returns the validated principals or an error. If no authenticators are configured, or if the request is on a non-secure stream ( 15010 ) - returns amn empty caller and no errors.

type Client 

type Client interface {
	CSRSign(csrPEM []byte, certValidTTLInSec int64) ([]string, error)
	Close()
	// Retrieve CA root certs If CA publishes API endpoint for this
	GetRootCertBundle() ([]string, error)
}

Client interface defines the clients need to implement to talk to CA for CSR. The Agent will create a key pair and a CSR, and use an implementation of this interface to get back a signed certificate. There is no guarantee that the SAN in the request will be returned - server may replace it.

type CredFetcher 

type CredFetcher interface {
	// GetPlatformCredential fetches workload credential provided by the platform.
	GetPlatformCredential() (string, error)

	// GetIdentityProvider returns the name of the IdentityProvider that can authenticate the workload credential.
	GetIdentityProvider() string

	// Stop releases resources and cleans up.
	Stop()
}

type DirectSecretManager 

type DirectSecretManager struct {
	// contains filtered or unexported fields
}

func NewDirectSecretManager 

func NewDirectSecretManager() *DirectSecretManager

func (*DirectSecretManager) GenerateSecret 

func (d *DirectSecretManager) GenerateSecret(resourceName string) (*SecretItem, error)

func (*DirectSecretManager) Set 

func (d *DirectSecretManager) Set(resourceName string, secret *SecretItem)

type FakeAuthenticator 

type FakeAuthenticator struct {
	AllowedToken string
	AllowedCert  string
	Name         string

	Successes *atomic.Int32
	Failures  *atomic.Int32
	// contains filtered or unexported fields
}

func NewFakeAuthenticator 

func NewFakeAuthenticator(name string) *FakeAuthenticator

func (*FakeAuthenticator) Authenticate 

func (f *FakeAuthenticator) Authenticate(authCtx AuthContext) (*Caller, error)

func (*FakeAuthenticator) AuthenticatorType 

func (f *FakeAuthenticator) AuthenticatorType() string

func (*FakeAuthenticator) Set 

func (f *FakeAuthenticator) Set(token string, identity string) *FakeAuthenticator

type ImpersonatedIdentityContextKey 

type ImpersonatedIdentityContextKey struct{}

type KubernetesInfo 

type KubernetesInfo struct {
	PodName           string
	PodNamespace      string
	PodUID            string
	PodServiceAccount string
}

KubernetesInfo defines Kubernetes specific information extracted from the caller. This involves additional metadata about the caller beyond just its SPIFFE identity.

func (KubernetesInfo) String 

func (k KubernetesInfo) String() string

type Options 

type Options struct {
	// CAEndpoint is the CA endpoint to which node agent sends CSR request.
	CAEndpoint string

	// CAEndpointSAN overrides the ServerName extracted from CAEndpoint.
	CAEndpointSAN string

	// The CA provider name.
	CAProviderName string

	// TrustDomain corresponds to the trust root of a system.
	// https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
	TrustDomain string

	// WorkloadRSAKeySize is the size of a private key for a workload certificate.
	WorkloadRSAKeySize int

	// Whether to generate PKCS#8 private keys.
	Pkcs8Keys bool

	// OutputKeyCertToDir is the directory for output the key and certificate
	OutputKeyCertToDir string

	// ProvCert is the directory for client to provide the key and certificate to CA server when authenticating
	// with mTLS. This is not used for workload mTLS communication, and is
	ProvCert string

	// ClusterID is the cluster where the agent resides.
	// Normally initialized from ISTIO_META_CLUSTER_ID - after a tortuous journey it
	// makes its way into the ClusterID metadata of Citadel gRPC request to create the cert.
	// Didn't find much doc - but I suspect used for 'central cluster' use cases - so should
	// match the cluster name set in the MC setup.
	ClusterID string

	// The type of Elliptical Signature algorithm to use
	// when generating private keys. Currently only ECDSA is supported.
	ECCSigAlg string

	// The type of curve to use when generating private keys with ECC. Currently only ECDSA is supported.
	ECCCurve string

	// FileMountedCerts indicates whether the proxy is using file
	// mounted certs created by a foreign CA. Refresh is managed by the external
	// CA, by updating the Secret or VM file. We will watch the file for changes
	// or check before the cert expires. This assumes the certs are in the
	// well-known ./etc/certs location.
	FileMountedCerts bool

	// PilotCertProvider is the provider of the Pilot certificate (PILOT_CERT_PROVIDER env)
	// Determines the root CA file to use for connecting to CA gRPC:
	// - istiod
	// - kubernetes
	// - custom
	// - none
	PilotCertProvider string

	// secret TTL.
	SecretTTL time.Duration

	// The ratio of cert lifetime to refresh a cert. For example, at 0.10 and 1 hour TTL,
	// we would refresh 6 minutes before expiration.
	SecretRotationGracePeriodRatio float64

	// STS port
	STSPort int

	// authentication provider specific plugins, will exchange the token
	// For example exchange long lived refresh with access tokens.
	// Used by the secret fetcher when signing CSRs.
	// Optional; if not present the token will be used directly
	TokenExchanger TokenExchanger

	// credential fetcher.
	CredFetcher CredFetcher

	// credential identity provider
	CredIdentityProvider string

	// Namespace corresponding to workload
	WorkloadNamespace string

	// Name of the Service Account
	ServiceAccount string

	// XDS auth provider
	XdsAuthProvider string

	// Token manager for the token exchange of XDS
	TokenManager TokenManager

	// Cert signer info
	CertSigner string

	// Delay in reading certificates from file after the change is detected. This is useful in cases
	// where the write operation of key and cert take longer.
	FileDebounceDuration time.Duration

	// Root Cert read from the OS
	CARootPath string

	// The path for an existing certificate chain file
	CertChainFilePath string
	// The path for an existing key file
	KeyFilePath string
	// The path for an existing root certificate bundle
	RootCertFilePath string
}

Options provides all of the configuration parameters for secret discovery service and CA configuration. Used in both Istiod and Agent. TODO: ProxyConfig should have most of those, and be passed to all components (as source of truth)

type SdsCertificateConfig 

type SdsCertificateConfig struct {
	CertificatePath   string
	PrivateKeyPath    string
	CaCertificatePath string
}

func SdsCertificateConfigFromResourceName 

func SdsCertificateConfigFromResourceName(resource string) (SdsCertificateConfig, bool)

SdsCertificateConfigFromResourceName converts the provided resource name into a SdsCertificateConfig If the resource name is not valid, false is returned.

func SdsCertificateConfigFromResourceNameForOSCACert 

func SdsCertificateConfigFromResourceNameForOSCACert(resource string) (SdsCertificateConfig, bool)

SdsCertificateConfigFromResourceNameForOSCACert converts the OS resource name into a SdsCertificateConfig

func (SdsCertificateConfig) GetResourceName 

func (s SdsCertificateConfig) GetResourceName() string

GetResourceName converts a SdsCertificateConfig to a string to be used as an SDS resource name

func (SdsCertificateConfig) GetRootResourceName 

func (s SdsCertificateConfig) GetRootResourceName() string

GetRootResourceName converts a SdsCertificateConfig to a string to be used as an SDS resource name for the root

func (SdsCertificateConfig) IsKeyCertificate 

func (s SdsCertificateConfig) IsKeyCertificate() bool

IsKeyCertificate returns true if this config represents key certificate config.

func (SdsCertificateConfig) IsRootCertificate 

func (s SdsCertificateConfig) IsRootCertificate() bool

IsRootCertificate returns true if this config represents a root certificate config.

type SecretItem 

type SecretItem struct {
	CertificateChain []byte
	PrivateKey       []byte

	RootCert []byte

	// ResourceName passed from envoy SDS discovery request.
	// "ROOTCA" for root cert request, "default" for key/cert request.
	ResourceName string

	CreatedTime time.Time

	ExpireTime time.Time
}

SecretItem is the cached item in in-memory secret store.

type SecretManager 

type SecretManager interface {
	// GenerateSecret generates new secret for the given resource.
	//
	// The current implementation also watched the generated secret and trigger a callback when it is
	// near expiry. It will constructs the SAN based on the token's 'sub' claim, expected to be in
	// the K8S format. No other JWTs are currently supported due to client logic. If JWT is
	// missing/invalid, the resourceName is used.
	GenerateSecret(resourceName string) (*SecretItem, error)
}

SecretManager defines secrets management interface which is used by SDS.

type StsRequestParameters 

type StsRequestParameters struct {
	// REQUIRED. The value "urn:ietf:params:oauth:grant-type:token- exchange"
	// indicates that a token exchange is being performed.
	GrantType string
	// OPTIONAL. Indicates the location of the target service or resource where
	// the client intends to use the requested security token.
	Resource string
	// OPTIONAL. The logical name of the target service where the client intends
	// to use the requested security token.
	Audience string
	// OPTIONAL. A list of space-delimited, case-sensitive strings, that allow
	// the client to specify the desired Scope of the requested security token in the
	// context of the service or Resource where the token will be used.
	Scope string
	// OPTIONAL. An identifier, for the type of the requested security token.
	RequestedTokenType string
	// REQUIRED. A security token that represents the identity of the party on
	// behalf of whom the request is being made.
	SubjectToken string
	// REQUIRED. An identifier, that indicates the type of the security token in
	// the "subject_token" parameter.
	SubjectTokenType string
	// OPTIONAL. A security token that represents the identity of the acting party.
	ActorToken string
	// An identifier, that indicates the type of the security token in the
	// "actor_token" parameter.
	ActorTokenType string
}

StsRequestParameters stores all STS request attributes defined in https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16#section-2.1

type TokenExchanger 

type TokenExchanger interface {
	// ExchangeToken provides a common interface to exchange an existing token for a new one.
	ExchangeToken(serviceAccountToken string) (string, error)
}

TokenExchanger provides common interfaces so that authentication providers could choose to implement their specific logic.

type TokenManager 

type TokenManager interface {
	// GenerateToken takes STS request parameters and generates token. Returns
	// StsResponseParameters in JSON.
	GenerateToken(parameters StsRequestParameters) ([]byte, error)
	// DumpTokenStatus dumps status of all generated tokens and returns status in JSON.
	DumpTokenStatus() ([]byte, error)
	// GetMetadata returns the metadata headers related to the token
	GetMetadata(forCA bool, xdsAuthProvider, token string) (map[string]string, error)
}

TokenManager contains methods for generating token.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.