[Security] Add support for SPIFFE Bundle Maps in XDS bundles #8180
Conversation
gtcooke94
added
Type: Security
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #8180 +/- ##
==========================================
- Coverage 82.42% 82.12% -0.31%
==========================================
Files 393 410 +17
Lines 39162 40371 +1209
==========================================
+ Hits 32280 33154 +874
- Misses 5571 5855 +284
- Partials 1311 1362 +51
🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
We need an entry for this in testdata/spiffe/README.md?
testdata/spiffe_end2end/README.md
Outdated
| @@ -0,0 +1,32 @@ | |||
| All of the following files in this directory except `server_spiffebundle.json` and `client_spiffebundle.json` are generated with the `generate.sh` and `generate_intermediate.sh` script in this directory. | |||
There was a problem hiding this comment.
Nit: Wrap .md files at 80-cols?
testdata/spiffe_end2end/README.md
Outdated
| The SPIFFE trust bundle map files (*_spiffebundle.json) are manually created for | ||
| end to end testing. The server_spiffebundle.json contains the "foo.bar.com" | ||
| trust domain (only this entry is used in e2e tests) matching URI SAN of | ||
| client_spiffe.pem, and the CA certificate is ca.pem. The client |
There was a problem hiding this comment.
Some file names have backticks, while some don't. Can we make them consistent please.
testdata/spiffe_end2end/README.md
Outdated
| can be done in golang with the following codeblock: ``` func | ||
| GetBase64ModulusFromPublicKey(key *rsa.PublicKey) string { return | ||
| base64.RawURLEncoding.EncodeToString(key.N.Bytes()) } | ||
|
|
||
| block, _ := pem.Decode(rawPemCert) cert, _ := x509.ParseCertificate(block.Bytes) | ||
| publicKey := cert.PublicKey.(*rsa.PublicKey) | ||
| fmt.Println(GetBase64ModulusFromPublicKey(publicKey)) ``` |
There was a problem hiding this comment.
This code block doesn't render properly. Please ensure that the markdown file renders as you expect it to.
There was a problem hiding this comment.
Looks like some auto formatting messed it up, fixed
|
|
||
| // IDFromCert parses the SPIFFE ID from the x509.Certificate. If the certificate | ||
| // does not have a valid SPIFFE ID, returns an error. | ||
| func IDFromCert(cert *x509.Certificate) (*spiffeid.ID, error) { |
There was a problem hiding this comment.
Does this function have to be exported? I see it only being called from here and from tests.
There was a problem hiding this comment.
Good call, changed
| cfg := fmt.Sprintf(`{ | ||
| "certificate_file": "%s", | ||
| "private_key_file": "%s", | ||
| "spiffe_trust_bundle_map_file": "%s" | ||
| }`, | ||
| testdata.Path("spiffe_end2end/client_spiffe.pem"), | ||
| testdata.Path("spiffe_end2end/client.key"), | ||
| testdata.Path("spiffe_end2end/client_spiffebundle.json")) |
There was a problem hiding this comment.
Discussion in other comment
| if _, err = client.EmptyCall(ctx, &testpb.Empty{}); err == nil { | ||
| t.Errorf("EmptyCall(): got success. want failure") | ||
| } | ||
| wantErr := "spiffe: no bundle found for peer certificates" |
| t.Errorf("EmptyCall(): got success. want failure") | ||
| } | ||
| wantErr := "spiffe: no bundle found for peer certificates" | ||
| if !strings.Contains(err.Error(), wantErr) { |
There was a problem hiding this comment.
Also check the status code?
| @@ -96,3 +102,79 @@ func (s) TestFailingProvider(t *testing.T) { | |||
| t.Errorf("EmptyCall() got err: %s, want err to contain: %s", err, wantErr) | |||
| } | |||
| } | |||
|
|
|||
| func (s) TestSPIFFEVerifyFuncMismatchedCert(t *testing.T) { | |||
| wantErrContains := "spiffe: x509 certificate Verify failed" | |||
| @@ -96,3 +102,79 @@ func (s) TestFailingProvider(t *testing.T) { | |||
| t.Errorf("EmptyCall() got err: %s, want err to contain: %s", err, wantErr) | |||
| } | |||
| } | |||
|
|
|||
| func (s) TestSPIFFEVerifyFuncMismatchedCert(t *testing.T) { | |||
There was a problem hiding this comment.
Can/Should these tests be e2e style as well? That way, we can actually verify that the error returned to the user (as part of the RPC) has enough details in it for the user to take meaningful action.
There was a problem hiding this comment.
You mean should we replicate these tests in bundle_ext_test.go and actually do the client/server call rather than just this inner call? We have one failure case test where there is no bundle for the peer certificates trust domain, I can expand and add these cases?
There was a problem hiding this comment.
I went on and expanded the end2end tests, PTAL
This adds support for configuring SPIFFE Bundle Maps inside of credentials via xds bundles.
See the gRFC for more detail grpc/proposal#462
RELEASE NOTES: N/A