-
Notifications
You must be signed in to change notification settings - Fork 484
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add taint upstream authority #5340
Add taint upstream authority #5340
Conversation
7b19089
to
a429675
Compare
} | ||
|
||
func toProtoFields(jwtKey JWTKey) (string, []byte, int64, error) { | ||
func toProtoFields(jwtKey JWTKey) (string, []byte, int64, bool, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's becoming more difficult to guess what each return value means in this function. I think that it would be good to have named return values as an easy way to document the meaning of each of them.
if req.AuthorityId != "" { | ||
log = log.WithField(telemetry.LocalAuthorityID, req.AuthorityId) | ||
} | ||
|
||
if s.ca.IsUpstreamAuthority() { | ||
return nil, api.MakeErr(log, codes.FailedPrecondition, "local authority can't be tainted if there is an upstream authorit", nil) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return nil, api.MakeErr(log, codes.FailedPrecondition, "local authority can't be tainted if there is an upstream authorit", nil) | |
return nil, api.MakeErr(log, codes.FailedPrecondition, "local authority can't be tainted if there is an upstream authority", nil) |
pkg/common/telemetry/names.go
Outdated
@@ -541,6 +541,9 @@ const ( | |||
// with other tags to add clarity | |||
Subject = "subject" | |||
|
|||
// Subject tags a certificate subject key ID |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// Subject tags a certificate subject key ID | |
// SubjectKeyID tags a certificate subject key ID |
} | ||
|
||
rpccontext.AuditRPC(ctx) | ||
log.Info("X.509 upstream authority revoked successfully") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
log.Info("X.509 upstream authority revoked successfully") | |
log.Info("X.509 upstream authority successfully revoked") |
return "", nil, err | ||
nextSlot := s.ca.GetNextX509CASlot() | ||
if subjectKeyIDRequest != nextSlot.UpstreamAuthorityID() { | ||
return errors.New("upstream authority is not signing Old local authority") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return errors.New("upstream authority is not signing Old local authority") | |
return errors.New("upstream authority didn't sign the old local authority") |
bundle.X509TaintedKeys = append(bundle.X509TaintedKeys, &common.X509TaintedKey{PublicKey: pKey}) | ||
if !found { | ||
return status.Errorf(codes.NotFound, "no ca found with provided subject key ID") | ||
} | ||
|
||
_, err = updateBundle(tx, bundle, nil) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that we should increment bundle.SequenceNumber before calling updateBundle, otherwise SequenceNumber will remain the same.
if !keyFound { | ||
return status.Error(codes.NotFound, "no root CA found with provided subject key ID") | ||
} | ||
|
||
bundle.RootCas = rootCAs | ||
|
||
if _, err := updateBundle(tx, bundle, nil); err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that we should increment bundle.SequenceNumber before calling updateBundle, otherwise SequenceNumber will remain the same.
// No able to revoke untainted bundles | ||
err = s.ds.RevokeX509CA(ctx, "spiffe://foo", s.cert.PublicKey) | ||
spiretest.RequireGRPCStatus(t, err, codes.InvalidArgument, "it is not possible to revoke an untainted root CA") | ||
t.Run("Unable to revoke untainted bundles", func(t *testing.T) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would be good to check that the sequence number of the bundle remains the same for those cases that fail.
{PublicKey: certPublicKeyRaw}, | ||
} | ||
require.Equal(t, expectedTaintedKeys, fetchedBundle.X509TaintedKeys) | ||
t.Run("no bundle with provided skID", func(t *testing.T) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would be good to check that the sequence number of the bundle remains the same for those cases that fail.
|
||
fetchedBundle, err := s.ds.FetchBundle(ctx, "spiffe://foo") | ||
require.NoError(t, err) | ||
t.Run("Revoke successfully", func(t *testing.T) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would be good to check that the sequence number of the bundle is incremented on successful operations.
It's looking great! I think that we are missing propagating the tainted bit in some places: |
TestCommonBundleFromProto should capture the proper propagation of the tainted bit. |
Signed-off-by: Marcos Yacob <[email protected]>
client Signed-off-by: Marcos Yacob <[email protected]>
Signed-off-by: Marcos Yacob <[email protected]>
Signed-off-by: Marcos Yacob <[email protected]>
Signed-off-by: Marcos Yacob <[email protected]>
Signed-off-by: Marcos Yacob <[email protected]>
Signed-off-by: Marcos Yacob <[email protected]>
Signed-off-by: Marcos Yacob <[email protected]>
Signed-off-by: Marcos Yacob <[email protected]>
Signed-off-by: Marcos Yacob <[email protected]>
Signed-off-by: Marcos Yacob <[email protected]>
Signed-off-by: Marcos Yacob <[email protected]>
Signed-off-by: Marcos Yacob <[email protected]>
Signed-off-by: Marcos Yacob <[email protected]>
Signed-off-by: Marcos Yacob <[email protected]>
Signed-off-by: Marcos Yacob <[email protected]>
ae61b82
to
ed3ef5a
Compare
we discuss to add that propagation as part of #5394 to reduce changes to apply in this PR and it is not required for current PR functionality |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🎉 🚀
Pull Request check list
Affected functionality
no actual functionalities are affected
Description of change
To taint a local authority that is using an upstream authority, we need a way to taint the upstream authority itself and rotate intermediates + SVIDs using that tainted upstream authority.
This PR aims to add a new RPC that allows tainting an upstream authority using SKID as the identifier, update the datastore with that information, and propagate it to downstream servers.
This PR is not forcing rotation but only propagating tainted authorities. Forcing rotations will happen in other PRs.
Changes to the SDK can be found here.
Which issue this PR fixes
fixes #3899, #3893, #3900