Add server-side `tpm` joining implementation by strideynet · Pull Request #40512 · gravitational/teleport

strideynet · 2024-04-12T09:22:34Z

Closes #38558
As per RFD #38613
Depends on #40647

Example config:

kind: token
version: v2
metadata:
  name: tpm-gcp
spec:
  roles: [Bot]
  join_method: tpm
  bot_name: my-bot
  tpm:
    allow:
      - ek_public_hash: 2eb1eadc5cd11802862a7729abfd3bb1c37221605a0ba9c115cf2eee66cf8eff
      - ek_certificate_serial: 5e:cd:5f:8e
    ekcert_allowed_cas:
      - |
        -----BEGIN CERTIFICATE-----
        MIIFszCCA5ugAwIBAgIEcZxUUTANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJE
        RTEhMB8GA1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRswGQYDVQQLDBJP
        UFRJR0EoVE0pIERldmljZXMxKDAmBgNVBAMMH0luZmluZW9uIE9QVElHQShUTSkg
        UlNBIFJvb3QgQ0EwHhcNMjMwMjA4MTUyODE1WhcNNDMwMjA4MTUyODE1WjCBgzEL
        MAkGA1UEBhMCREUxITAfBgNVBAoMGEluZmluZW9uIFRlY2hub2xvZ2llcyBBRzEa
        MBgGA1UECwwRT1BUSUdBKFRNKSBUUE0yLjAxNTAzBgNVBAMMLEluZmluZW9uIE9Q
        VElHQShUTSkgUlNBIE1hbnVmYWN0dXJpbmcgQ0EgMDM2MIIBIjANBgkqhkiG9w0B
        AQEFAAOCAQ8AMIIBCgKCAQEAq1qEAbBxprGQ7XTXh8d3RrKOdllPtAZPdXzwBe5O
        si9D9xwhVnl5Yer77KU0HKIrymZMIxd7LiJ11+GLFIqPeTwQr/w4o48QHmalQMCa
        9/ESj03T5v1yDe4l8O8vycmkGGlP59MIFpWC41j4TrhVYrBskeU2zsH7kBEUSzNR
        5Z585sx+PvM9f/s06d2FcjihBe7zXZPMeMtGhIp8J9nXEITnYwZzJ+RsW4kALwBV
        lZp1HXuvGjH3IhTUhXIIEvYdJ7KOd4XhtPq348oOrScyMjxQXkw+kcgzDuL39MB/
        fwqo7YQ3qi+8hsnqlZE1Uds+ILiGiK0EHQ8ixJQND/nDDQIDAQABo4IBODCCATQw
        VwYIKwYBBQUHAQEESzBJMEcGCCsGAQUFBzAChjtodHRwOi8vcGtpLmluZmluZW9u
        LmNvbS9PcHRpZ2FSc2FSb290Q0EvT3B0aWdhUnNhUm9vdENBLmNydDAdBgNVHQ4E
        FgQUfLS3jmiGFL5EIcWFjxW5bV6rUe4wDgYDVR0PAQH/BAQDAgAGMBIGA1UdEwEB
        /wQIMAYBAf8CAQAwTAYDVR0fBEUwQzBBoD+gPYY7aHR0cDovL3BraS5pbmZpbmVv
        bi5jb20vT3B0aWdhUnNhUm9vdENBL09wdGlnYVJzYVJvb3RDQS5jcmwwFQYDVR0g
        BA4wDDAKBggqghQARAEUATAfBgNVHSMEGDAWgBTcu1ar8Rj8ppp1ERBlhBKe1UGS
        uTAQBgNVHSUECTAHBgVngQUIATANBgkqhkiG9w0BAQsFAAOCAgEAWdA0NJ9dRChh
        X/lTPHbPtSJnOAOC+sKQtRK/FW56xODZV+VM9UgBEniRF/ate6SvAvkdYnyx8RWd
        Ydvp9DB6Rp3FmUpyesRvYfV9hya5d0j1ZCd1TQIHDKNHXlrCe/mEZ6tSwhHAZgQb
        bStE4GDUxLOqsC0USTQdLwZhnt/ujoCe/FZhETWsuBfaPXdo9S9Fq+cJTElwwpP5
        uSIZSOttCjpkW8bxaasKd6yUg0hwopjvPAS1v85RYTwzUclcUYPT7VDRGX78A00L
        6fTRtJwN/QPYs6yUr21y/CkpAgNQ0cYpiFqkhZaL/dU7ZGlSmtVcRpDfKOhZeElZ
        53il/l4HrXXGCkXb4hZwhvWEaADAwkOdytv0KgMVVSrC8bXcznd9IhkYcn7Maecy
        vbP+l9asCmFLdifL1LU4mr6EeRktYenV8FdxA3P1HQXv1PI13q/orQv+2T3jIqlN
        tWwYH9I2N7p5Xqry+atAJbMNP3XI+/XG6308RFt5PJXRJ5+XH3xgxavqMSHW7zjz
        DRDPBlmzkZ/EwiV3rLROyOyp3UFVlQnFDyxon8a9dCWl66nVeicK27Iq0X2hcY2I
        A+n5XjJkr+sYi0rjQiL3dkURh4JmGraRZLR4XiLj6s81cktvvYs8BP0pevg92FRd
        9ghUwcVG76g3T2MXKoOBXRIb33/CYbU=
        -----END CERTIFICATE-----

Manually tested on:

GCP GCE VM - Ubuntu 22.10 - No EKCert
Home Rig - Ubuntu 22.10 - EKCert with CA

changelog: Introduces the tpm join method, which allows for secure joining in on-prem environments without the need for a shared secret.

strideynet · 2024-04-15T17:25:20Z

Join succeeded:

{
  "attributes": {
    "ek_cert_serial": "",
    "ek_cert_verified": false,
    "ek_pub_hash": "2eb1eadc5cd11802862a7729abfd3bb1c37221605a0ba9c115cf2eee66cf8eff"
  },
  "bot_name": "github",
  "cluster_name": "leaf.tele.ottr.sh",
  "code": "TJ001I",
  "ei": 0,
  "event": "bot.join",
  "method": "tpm",
  "success": true,
  "time": "2024-04-15T17:24:20.764Z",
  "token_name": "tpm-gcp",
  "uid": "dddd0874-ba38-4d99-a143-8929ad39d2dd",
  "user_name": "bot-github"
}

strideynet · 2024-04-15T19:17:32Z

Join with EKCert and CA enforcement:

{
  "attributes": {
    "ek_cert_serial": "5e:cd:5f:8e",
    "ek_cert_verified": true,
    "ek_pub_hash": "6c5aada1c5abee6d869369a02f0ea298cd2beb41c850d3f0227f029c4fffc4ba"
  },
  "bot_name": "github",
  "cluster_name": "leaf.tele.ottr.sh",
  "code": "TJ001I",
  "ei": 0,
  "event": "bot.join",
  "method": "tpm",
  "success": true,
  "time": "2024-04-15T19:15:47.471Z",
  "token_name": "tpm-gcp",
  "uid": "5bb21e95-c179-440b-b427-281cc5d9469f",
  "user_name": "bot-github"
}

codingllama

Sorry for the delay in the initial reply.

This is a big PR - 1k lines without generated code, touching around 7 different packages. Do you think you could split it into smaller parts? (Feel free to assign me to the parts, I don't mind reviewing it all.)

strideynet · 2024-04-18T08:54:40Z

Sorry for the delay in the initial reply.
This is a big PR - 1k lines without generated code, touching around 7 different packages. Do you think you could split it into smaller parts? (Feel free to assign me to the parts, I don't mind reviewing it all.)

Apologies - I'd already broken it into three and this was the largest remaining chunk. I'll see if there's anything meaningful I can extract.

strideynet · 2024-04-18T09:36:48Z

Split out the client element PR - #40647

codingllama

Sending some comments now, I'll take a closer look at the tests a bit later.

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

…ing-service

public-teleport-github-review-bot · 2024-04-23T12:49:53Z

@strideynet See the table below for backport results.

Branch	Result
branch/v14	Failed
branch/v15	Create PR

* Add clientside elements of TPM joining * Update lib/auth/register.go Co-authored-by: Alan Parra <alan.parra@goteleport.com> * Update api/client/joinservice.go Co-authored-by: Alan Parra <alan.parra@goteleport.com> * Update lib/auth/register.go Co-authored-by: Alan Parra <alan.parra@goteleport.com> * Tidy up RegisterUsingTPMMethod method * Add default case * Rename CheckAndSetDefaults to validate * Add basic success test for JoinServiceClient_RegisterUsingTPMMethod * Add final touches to client joinservice test * Add license header to joinservice_test.go * Add server-side elements of TPM joining * Turn SAN extension code into helper func * Add `ok` check to provision token casting * Improve test name * Update lib/auth/join_tpm.go Co-authored-by: Alan Parra <alan.parra@goteleport.com> * Update lib/auth/join_tpm.go Co-authored-by: Alan Parra <alan.parra@goteleport.com> * Unexported registerUsingTPMMethod * Refactor enterprise error * tidy up test * Update lib/tpm/validate.go Co-authored-by: Alan Parra <alan.parra@goteleport.com> * Update lib/auth/join_tpm.go Co-authored-by: Alan Parra <alan.parra@goteleport.com> * Update lib/auth/join_tpm_test.go Co-authored-by: Alan Parra <alan.parra@goteleport.com> * Fix StripSANExtensionOIDs and add test * Improve joinserver.go, use simpler proto getter methods and use slog * Tidy up join_tpm_test.go * Tidy up joinserver_test * Add join failure audit event --------- Co-authored-by: Alan Parra <alan.parra@goteleport.com>

* Add clientside elements of TPM joining * Update lib/auth/register.go * Update api/client/joinservice.go * Update lib/auth/register.go * Tidy up RegisterUsingTPMMethod method * Add default case * Rename CheckAndSetDefaults to validate * Add basic success test for JoinServiceClient_RegisterUsingTPMMethod * Add final touches to client joinservice test * Add license header to joinservice_test.go * Add server-side elements of TPM joining * Turn SAN extension code into helper func * Add `ok` check to provision token casting * Improve test name * Update lib/auth/join_tpm.go * Update lib/auth/join_tpm.go * Unexported registerUsingTPMMethod * Refactor enterprise error * tidy up test * Update lib/tpm/validate.go * Update lib/auth/join_tpm.go * Update lib/auth/join_tpm_test.go * Fix StripSANExtensionOIDs and add test * Improve joinserver.go, use simpler proto getter methods and use slog * Tidy up join_tpm_test.go * Tidy up joinserver_test * Add join failure audit event --------- Co-authored-by: Alan Parra <alan.parra@goteleport.com>

strideynet changed the title ~~Add tpm joining implementation to Auth Server~~ Add tpm joining implementation for Auth Server and Client Apr 12, 2024

strideynet force-pushed the strideynet/tpm-joining-service branch from cebb009 to e74cc44 Compare April 15, 2024 11:59

strideynet added backport/branch/v14 labels Apr 15, 2024

strideynet force-pushed the strideynet/tpm-joining-service branch from 51bd20b to ee968a0 Compare April 15, 2024 16:13

strideynet marked this pull request as ready for review April 16, 2024 16:52

github-actions Bot requested review from lxea and tigrato April 16, 2024 16:53

github-actions Bot added machine-id size/lg labels Apr 16, 2024

strideynet requested a review from codingllama April 16, 2024 16:55

strideynet mentioned this pull request Apr 17, 2024

Machine ID: Document tpm joining #40611

Closed

codingllama reviewed Apr 17, 2024

View reviewed changes

strideynet force-pushed the strideynet/tpm-joining-service branch 2 times, most recently from 45aaca1 to d36cdd8 Compare April 18, 2024 09:30

strideynet changed the base branch from master to strideynet/tpm-joining-clientside April 18, 2024 09:31

Add clientside elements of TPM joining

8071b7f

strideynet force-pushed the strideynet/tpm-joining-clientside branch from 99cf5e5 to 8071b7f Compare April 18, 2024 09:33

strideynet force-pushed the strideynet/tpm-joining-service branch from d36cdd8 to aa8a8f2 Compare April 18, 2024 09:34

strideynet changed the title ~~Add tpm joining implementation for Auth Server and Client~~ Add server-side tpm joining implementation Apr 18, 2024

strideynet mentioned this pull request Apr 18, 2024

Add clientside elements of TPM joining #40647

Merged

codingllama reviewed Apr 18, 2024

View reviewed changes

strideynet and others added 3 commits April 18, 2024 17:41

Update lib/auth/register.go

e5b4bd0

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

Update api/client/joinservice.go

338caa3

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

Update lib/auth/register.go

71b55b1

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

codingllama reviewed Apr 18, 2024

View reviewed changes

strideynet and others added 14 commits April 23, 2024 09:26

Add ok check to provision token casting

c4560ed

Improve test name

64a7fee

Update lib/auth/join_tpm.go

a0392f2

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

Update lib/auth/join_tpm.go

f0a111b

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

Unexported registerUsingTPMMethod

a2dfa3e

Refactor enterprise error

bad75f7

tidy up test

3e181e1

Update lib/tpm/validate.go

487d367

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

Update lib/auth/join_tpm.go

1774b1b

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

Update lib/auth/join_tpm_test.go

20afee1

Co-authored-by: Alan Parra <alan.parra@goteleport.com>

Fix StripSANExtensionOIDs and add test

ea25e88

Improve joinserver.go, use simpler proto getter methods and use slog

d9b7b73

Tidy up join_tpm_test.go

c74da87

Tidy up joinserver_test

39ad9bf

strideynet force-pushed the strideynet/tpm-joining-service branch from c3e2564 to 39ad9bf Compare April 23, 2024 08:26

tigrato approved these changes Apr 23, 2024

View reviewed changes

public-teleport-github-review-bot Bot removed the request for review from lxea April 23, 2024 10:14

Base automatically changed from strideynet/tpm-joining-clientside to master April 23, 2024 11:36

strideynet added 2 commits April 23, 2024 13:07

Merge remote-tracking branch 'origin/master' into strideynet/tpm-join…

3bd65c2

…ing-service

Add join failure audit event

5a10a17

strideynet enabled auto-merge April 23, 2024 12:13

strideynet added this pull request to the merge queue Apr 23, 2024

Merged via the queue into master with commit d56ed2c Apr 23, 2024

strideynet deleted the strideynet/tpm-joining-service branch April 23, 2024 12:48

strideynet mentioned this pull request Apr 23, 2024

[v15] Add server-side tpm joining implementation #40823

Merged

strideynet mentioned this pull request Apr 24, 2024

[v14] Add server-side tpm joining implementation (#40512) #40875

Merged

Conversation

strideynet commented Apr 12, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

strideynet commented Apr 15, 2024

Uh oh!

strideynet commented Apr 15, 2024

Uh oh!

codingllama left a comment

Choose a reason for hiding this comment

Uh oh!

strideynet commented Apr 18, 2024

Uh oh!

strideynet commented Apr 18, 2024

Uh oh!

codingllama left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

public-teleport-github-review-bot Bot commented Apr 23, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

strideynet commented Apr 12, 2024 •

edited

Loading