Start extracting out the trust bundle fetching code

Signed-off-by: Kevin Fox <[email protected]>
spiffe · Feb 24, 2025 · 19dd73f · 19dd73f
1 parent 2962b75
commit 19dd73f
Show file tree

Hide file tree

Showing 6 changed files with 187 additions and 118 deletions.
diff --git a/cmd/spire-agent/cli/run/run.go b/cmd/spire-agent/cli/run/run.go
@@ -2,13 +2,11 @@ package run
 
 import (
 	"context"
-	"crypto/x509"
 	"errors"
 	"flag"
 	"fmt"
 	"io"
 	"net"
-	"net/http"
 	"net/url"
 	"os"
 	"os/signal"
@@ -26,18 +24,16 @@ import (
 	"github.com/imdario/mergo"
 	"github.com/mitchellh/cli"
 	"github.com/sirupsen/logrus"
-	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	"github.com/spiffe/spire/pkg/agent"
+	"github.com/spiffe/spire/pkg/agent/trustbundlesources"
 	"github.com/spiffe/spire/pkg/agent/workloadkey"
-	"github.com/spiffe/spire/pkg/common/bundleutil"
 	"github.com/spiffe/spire/pkg/common/catalog"
 	common_cli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/config"
 	"github.com/spiffe/spire/pkg/common/fflag"
 	"github.com/spiffe/spire/pkg/common/health"
 	"github.com/spiffe/spire/pkg/common/idutil"
 	"github.com/spiffe/spire/pkg/common/log"
-	"github.com/spiffe/spire/pkg/common/pemutil"
 	"github.com/spiffe/spire/pkg/common/telemetry"
 	"github.com/spiffe/spire/pkg/common/tlspolicy"
 )
@@ -370,86 +366,18 @@ func mergeInput(fileInput *Config, cliInput *agentConfig) (*Config, error) {
 	return c, nil
 }
 
-func parseTrustBundle(bundleBytes []byte, trustBundleContentType string) ([]*x509.Certificate, error) {
-	switch trustBundleContentType {
-	case bundleFormatPEM:
-		bundle, err := pemutil.ParseCertificates(bundleBytes)
-		if err != nil {
-			return nil, err
-		}
-		return bundle, nil
-	case bundleFormatSPIFFE:
-		bundle, err := bundleutil.Unmarshal(spiffeid.TrustDomain{}, bundleBytes)
-		if err != nil {
-			return nil, fmt.Errorf("unable to parse SPIFFE trust bundle: %w", err)
-		}
-		return bundle.X509Authorities(), nil
-	}
-
-	return nil, fmt.Errorf("unknown trust bundle format: %s", trustBundleContentType)
-}
-
-func downloadTrustBundle(trustBundleURL string) ([]byte, error) {
-	// Download the trust bundle URL from the user specified URL
-	// We use gosec -- the annotation below will disable a security check that URLs are not tainted
-	/* #nosec G107 */
-	resp, err := http.Get(trustBundleURL)
-	if err != nil {
-		return nil, fmt.Errorf("unable to fetch trust bundle URL %s: %w", trustBundleURL, err)
-	}
-
-	defer resp.Body.Close()
-
-	if resp.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("error downloading trust bundle: %s", resp.Status)
-	}
-	pemBytes, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return nil, fmt.Errorf("unable to read from trust bundle URL %s: %w", trustBundleURL, err)
-	}
-
-	return pemBytes, nil
-}
-
+/*
+FIXME KMF
 func setupTrustBundle(ac *agent.Config, c *Config) error {
 	// Either download the trust bundle if TrustBundleURL is set, or read it
 	// from disk if TrustBundlePath is set
 	ac.InsecureBootstrap = c.Agent.InsecureBootstrap
 
-	var bundleBytes []byte
-	var err error
-
-	switch {
-	case c.Agent.TrustBundleURL != "":
-		bundleBytes, err = downloadTrustBundle(c.Agent.TrustBundleURL)
-		if err != nil {
-			return err
-		}
-	case c.Agent.TrustBundlePath != "":
-		bundleBytes, err = loadTrustBundle(c.Agent.TrustBundlePath)
-		if err != nil {
-			return fmt.Errorf("could not parse trust bundle: %w", err)
-		}
-	default:
-		// If InsecureBootstrap is configured, the bundle is not required
-		if ac.InsecureBootstrap {
-			return nil
-		}
-	}
-
-	bundle, err := parseTrustBundle(bundleBytes, c.Agent.TrustBundleFormat)
-	if err != nil {
-		return err
-	}
-
-	if len(bundle) == 0 {
-		return errors.New("no certificates found in trust bundle")
-	}
-
-	ac.TrustBundle = bundle
+	ac.BootstrapTrustBundle = bundle
 
 	return nil
 }
+*/
 
 func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool) (*agent.Config, error) {
 	ac := &agent.Config{}
@@ -538,7 +466,23 @@ func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool)
 	}
 	ac.DisableSPIFFECertValidation = c.Agent.SDS.DisableSPIFFECertValidation
 
-	err = setupTrustBundle(ac, c)
+	ts := &trustbundlesources.Config {
+		InsecureBootstrap: c.Agent.InsecureBootstrap,
+		TrustBundleFormat: c.Agent.TrustBundleFormat,
+		TrustBundlePath:   c.Agent.TrustBundlePath,
+		TrustBundleURL:    c.Agent.TrustBundleURL,
+		TrustDomain:       c.Agent.TrustDomain,
+		ServerAddress:     c.Agent.ServerAddress,
+		ServerPort:        c.Agent.ServerPort,
+	}
+
+	//FIXME store this in ac rather then the TrustBundle
+	tbss := trustbundlesources.New(ts)
+
+	ac.InsecureBootstrap = c.Agent.InsecureBootstrap
+
+	//FIXME move this to when its first needed.
+	ac.BootstrapTrustBundle, err = tbss.GetBundle(trustbundlesources.UseBootstrap, 0, time.Now())
 	if err != nil {
 		return nil, err
 	}
@@ -700,12 +644,3 @@ func defaultConfig() *Config {
 
 	return c
 }
-
-func loadTrustBundle(path string) ([]byte, error) {
-	bundleBytes, err := os.ReadFile(path)
-	if err != nil {
-		return nil, err
-	}
-
-	return bundleBytes, nil
-}
diff --git a/pkg/agent/agent.go b/pkg/agent/agent.go
@@ -16,6 +16,7 @@ import (
 	admin_api "github.com/spiffe/spire/pkg/agent/api"
 	node_attestor "github.com/spiffe/spire/pkg/agent/attestor/node"
 	workload_attestor "github.com/spiffe/spire/pkg/agent/attestor/workload"
+	"github.com/spiffe/spire/pkg/agent/trustbundlesources"
 	"github.com/spiffe/spire/pkg/agent/catalog"
 	"github.com/spiffe/spire/pkg/agent/endpoints"
 	"github.com/spiffe/spire/pkg/agent/manager"
@@ -45,6 +46,9 @@ const (
 	bootstrapBackoffMaxElapsedTime = 1 * time.Minute
 )
 
+//FIXME
+var bundleThing trustbundlesources.Config = trustbundlesources.Config{}
+
 type Agent struct {
 	c *Config
 }
@@ -114,6 +118,7 @@ a.c.RetryBootstrap=true
 		//FIXME KMF configurable
 		rebootstrapTimeoutSeconds := 10
 		rebootstrapTimeoutUSconds := time.Duration(float64(rebootstrapTimeoutSeconds) * float64(time.Second))
+		rebootstrapCount := 0
 
 		attBackoffClock := clock.New()
 		attBackoff := backoff.NewBackoff(
@@ -132,17 +137,17 @@ a.c.RetryBootstrap=true
 			if x509util.IsUnknownAuthorityError(err) {
 				if rebootstrapTime.IsZero() {
 					rebootstrapTime = time.Now()
+					rebootstrapCount = 0
 				}
 				seconds := time.Now().Sub(rebootstrapTime)
 				if seconds < rebootstrapTimeoutUSconds {
 					fmt.Printf("Trust Bandle and Server dont agree.... Ignoring for now. Rebootstrap timeout left: %s\n", rebootstrapTimeoutUSconds - seconds)
 				} else {
-					//FIXME loop and keep retrying syncronize... first with timeout, and then after passed timeout, add clearing bundle and deletesvid.
-					//FIXME double check... if this mechanism work with online update too... its sharing most of the code?
 					fmt.Printf("Trust Bandle and Server dont agree.... rebootstrapping")
-					a.c.TrustBundle = nil
+					a.c.BootstrapTrustBundle = nil
 					sto.StoreBundle(nil)
 					err = nil
+					rebootstrapCount++
 				}
 			}
 
@@ -278,17 +283,17 @@ func (a *Agent) setupProfiling(ctx context.Context) (stop func()) {
 
 func (a *Agent) attest(ctx context.Context, sto storage.Storage, cat catalog.Catalog, metrics telemetry.Metrics, na nodeattestor.NodeAttestor) (*node_attestor.AttestationResult, error) {
 	config := node_attestor.Config{
-		Catalog:           cat,
-		Metrics:           metrics,
-		JoinToken:         a.c.JoinToken,
-		TrustDomain:       a.c.TrustDomain,
-		TrustBundle:       a.c.TrustBundle,
-		InsecureBootstrap: a.c.InsecureBootstrap,
-		Storage:           sto,
-		Log:               a.c.Log.WithField(telemetry.SubsystemName, telemetry.Attestor),
-		ServerAddress:     a.c.ServerAddress,
-		NodeAttestor:      na,
-		TLSPolicy:         a.c.TLSPolicy,
+		Catalog:              cat,
+		Metrics:              metrics,
+		JoinToken:            a.c.JoinToken,
+		TrustDomain:          a.c.TrustDomain,
+		BootstrapTrustBundle: a.c.BootstrapTrustBundle,
+		InsecureBootstrap:    a.c.InsecureBootstrap,
+		Storage:              sto,
+		Log:                  a.c.Log.WithField(telemetry.SubsystemName, telemetry.Attestor),
+		ServerAddress:        a.c.ServerAddress,
+		NodeAttestor:         na,
+		TLSPolicy:            a.c.TLSPolicy,
 	}
 	return node_attestor.New(&config).Attest(ctx)
 }
@@ -329,7 +334,7 @@ a.c.RetryBootstrap=true
 			initBackoffClock,
 			bootstrapBackoffInterval,
 			backoff.WithMaxElapsedTime(bootstrapBackoffMaxElapsedTime),
-			//KMF how to ignore max time if rebootstrapping
+			//FIXME KMF how to ignore max time if rebootstrapping
 		)
 
 		for {
@@ -345,11 +350,10 @@ a.c.RetryBootstrap=true
 				if seconds < rebootstrapTimeoutUSconds {
 					fmt.Printf("Trust Bandle and Server dont agree.... Ignoring for now. Rebootstrap timeout left: %s\n", rebootstrapTimeoutUSconds - seconds)
 				} else {
-					//FIXME loop and keep retrying syncronize... first with timeout, and then after passed timeout, add clearing bundle and deletesvid.
-					//FIXME double check... if this mechanism work with online update too... its sharing most of the code?
 					fmt.Printf("Trust Bandle and Server dont agree.... rebootstrapping")
 					sto.DeleteSVID()
 					sto.StoreBundle(nil)
+					//FIXME load in updated a.c.TrustBundle from plugin
 					return nil, errors.New("Agent needs to rebootstrap. shutting down")
 
 				}

diff --git a/pkg/agent/attestor/node/node.go b/pkg/agent/attestor/node/node.go
@@ -48,17 +48,17 @@ type Attestor interface {
 }
 
 type Config struct {
-	Catalog           catalog.Catalog
-	Metrics           telemetry.Metrics
-	JoinToken         string
-	TrustDomain       spiffeid.TrustDomain
-	TrustBundle       []*x509.Certificate
-	InsecureBootstrap bool
-	Storage           storage.Storage
-	Log               logrus.FieldLogger
-	ServerAddress     string
-	NodeAttestor      nodeattestor.NodeAttestor
-	TLSPolicy         tlspolicy.Policy
+	Catalog              catalog.Catalog
+	Metrics              telemetry.Metrics
+	JoinToken            string
+	TrustDomain          spiffeid.TrustDomain
+	BootstrapTrustBundle []*x509.Certificate
+	InsecureBootstrap    bool
+	Storage              storage.Storage
+	Log                  logrus.FieldLogger
+	ServerAddress        string
+	NodeAttestor         nodeattestor.NodeAttestor
+	TLSPolicy            tlspolicy.Policy
 }
 
 type attestor struct {
@@ -157,12 +157,12 @@ func (a *attestor) loadBundle() (*spiffebundle.Bundle, error) {
 	bundle, err := a.c.Storage.LoadBundle()
 	if errors.Is(err, storage.ErrNotCached) {
 		if a.c.InsecureBootstrap {
-			if len(a.c.TrustBundle) > 0 {
+			if len(a.c.BootstrapTrustBundle) > 0 {
 				a.c.Log.Warn("Trust bundle will be ignored; performing insecure bootstrap")
 			}
 			return nil, nil
 		}
-		bundle = a.c.TrustBundle
+		bundle = a.c.BootstrapTrustBundle
 	} else if err != nil {
 		return nil, fmt.Errorf("load bundle: %w", err)
 	}

diff --git a/pkg/agent/config.go b/pkg/agent/config.go
@@ -75,7 +75,9 @@ type Config struct {
 
 	// Trust domain and associated CA bundle
 	TrustDomain spiffeid.TrustDomain
-	TrustBundle []*x509.Certificate
+
+	// Bundle to use when bootstrapping
+	BootstrapTrustBundle []*x509.Certificate
 
 	// Join token to use for attestation, if needed
 	JoinToken string