package keyservice
import (
	"context"
	"errors"
	"fmt"
	"net"
	"sync"
	"time"

	"github.com/edgelesssys/constellation/internal/cloud/metadata"
	"github.com/edgelesssys/constellation/internal/constants"
	"github.com/edgelesssys/constellation/internal/grpc/atlscredentials"
	"github.com/edgelesssys/constellation/internal/logger"
	"github.com/edgelesssys/constellation/internal/oid"
	"github.com/edgelesssys/constellation/kms/kmsproto"
	"github.com/edgelesssys/constellation/state/keyservice/keyproto"
	"go.uber.org/zap"
	"google.golang.org/grpc"
	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/credentials"
	"google.golang.org/grpc/status"
)
// KeyAPI is the interface called by the Coordinator or an admin during restart of a node.
//
// Construct it with New; the zero value has a nil keyReceived channel and
// cannot be signalled. The life cycle is: WaitForDecryptionKey opens the
// listener and polls the KMS endpoints, PushStateDiskKey stores the first
// well-formed key under mux and signals keyReceived, WaitForDecryptionKey
// hands the key out, and ResetKey clears it again.
type KeyAPI struct {
	// log receives the operational messages (listen address, endpoints contacted).
	log *logger.Logger
	// mux guards key; PushStateDiskKey reads and writes key only while holding it.
	mux sync.Mutex
	// metadata is queried for the KMS endpoints that a key is requested from.
	metadata metadata.InstanceLister
	// issuer produces the quote presented by the aTLS listener that
	// WaitForDecryptionKey opens.
	issuer QuoteIssuer
	// key is the state disk passphrase once one has been pushed; nil before that
	// and after ResetKey.
	key []byte
	// keyReceived carries one signal (capacity 1) after a key was stored.
	keyReceived chan struct{}
	// timeout is both the interval between key request rounds and the
	// per-dial deadline used by requestKey.
	timeout time.Duration
	keyproto.UnimplementedAPIServer
}
// New initializes a KeyAPI with the given parameters.
//
// timeout is used by the returned KeyAPI both as the interval between key
// request rounds and as the deadline of each dial. The KeyAPI is ready to be
// registered as a keyproto API server and passed to WaitForDecryptionKey.
func New(log *logger.Logger, issuer QuoteIssuer, metadata metadata.InstanceLister, timeout time.Duration) *KeyAPI {
	api := &KeyAPI{
		log:      log,
		issuer:   issuer,
		metadata: metadata,
		timeout:  timeout,
	}
	// capacity 1: a single "key arrived" signal can be queued before the
	// waiting loop picks it up
	api.keyReceived = make(chan struct{}, 1)
	return api
}
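// PushStateDiskKey is the rpc to push state disk decryption keys to a restarting node.
//
// The first key of the expected length is stored and WaitForDecryptionKey is
// signalled; later pushes are rejected with codes.FailedPrecondition until
// ResetKey is called, and a key of the wrong length with codes.InvalidArgument.
// The listener serving this rpc does not attest its clients (see
// WaitForDecryptionKey and the comment in requestKeyLoop): a wrong key pushed
// by someone else makes decryption of the state disk fail, so the node does
// not start, but it is never silently accepted as the right one.
func (a *KeyAPI) PushStateDiskKey(ctx context.Context, in *keyproto.PushStateDiskKeyRequest) (*keyproto.PushStateDiskKeyResponse, error) {
	a.mux.Lock()
	defer a.mux.Unlock()

	if len(a.key) != 0 {
		return nil, status.Error(codes.FailedPrecondition, "node already received a passphrase")
	}
	// NOTE(review): requestKey asks the KMS for constants.StateDiskKeyLength
	// bytes while this check uses constants.RNGLengthDefault — confirm both
	// constants denote the same length.
	if len(in.StateDiskKey) != constants.RNGLengthDefault {
		return nil, status.Errorf(codes.InvalidArgument, "received invalid passphrase: expected length: %d, but got: %d", constants.RNGLengthDefault, len(in.StateDiskKey))
	}

	// own copy, so the stored key does not alias the request message's buffer
	a.key = append([]byte(nil), in.StateDiskKey...)
	// Signal the waiter without blocking: keyReceived has capacity 1, and if a
	// previous signal is still buffered (e.g. ResetKey ran before the last
	// signal was consumed) a blocking send would hang here while holding mux
	// and wedge every later call to this rpc. A still-buffered signal is enough.
	select {
	case a.keyReceived <- struct{}{}:
	default:
	}
	return &keyproto.PushStateDiskKeyResponse{}, nil
}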
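// WaitForDecryptionKey notifies the Coordinator to send a decryption key and waits until a key is received.
//
// It opens an aTLS gRPC listener on listenAddr that presents a quote from
// a.issuer but, since the validator argument of atlscredentials.New is nil,
// does not attest its clients (see the comment in requestKeyLoop for why that
// is acceptable). It then keeps asking the KMS endpoints for the key for uuid
// until one has been pushed via PushStateDiskKey. The server and listener are
// shut down before returning. Returns an error if uuid is empty or the
// listener cannot be opened.
func (a *KeyAPI) WaitForDecryptionKey(uuid, listenAddr string) ([]byte, error) {
	if uuid == "" {
		return nil, errors.New("received no disk UUID")
	}

	creds := atlscredentials.New(a.issuer, nil)
	server := grpc.NewServer(grpc.Creds(creds))
	keyproto.RegisterAPIServer(server, a)

	listener, err := net.Listen("tcp", listenAddr)
	if err != nil {
		return nil, fmt.Errorf("listening on %q: %w", listenAddr, err)
	}
	defer listener.Close()

	a.log.Infof("Waiting for decryption key. Listening on: %s", listener.Addr().String())
	// Serve returns nil after GracefulStop; any other return means the server
	// died early, which would otherwise go unnoticed while requestKeyLoop
	// keeps polling for a key nobody can deliver.
	go func() {
		if err := server.Serve(listener); err != nil {
			a.log.With(zap.Error(err)).Infof("Key service gRPC server stopped unexpectedly")
		}
	}()
	defer server.GracefulStop()

	if err := a.requestKeyLoop(uuid); err != nil {
		return nil, err
	}

	// safe without mux: the keyReceived signal consumed in requestKeyLoop
	// orders the write of a.key in PushStateDiskKey before this read
	return a.key, nil
}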
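// ResetKey resets a previously set key.
//
// The key is cleared under mux, consistent with PushStateDiskKey, so a
// concurrent push either sees the old key and is rejected or sees the cleared
// state and is accepted, never a torn write.
func (a *KeyAPI) ResetKey() {
	a.mux.Lock()
	defer a.mux.Unlock()
	a.key = nil
}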
// requestKeyLoop continuously requests decryption keys from all available Coordinators, until the KeyAPI receives a key.
//
// The first request round goes out right away; afterwards one round is sent
// every a.timeout. The loop only ends once keyReceived is signalled, so it
// blocks indefinitely if no key ever arrives. opts are forwarded to every
// dial. The error return is currently always nil.
func (a *KeyAPI) requestKeyLoop(uuid string, opts ...grpc.DialOption) error {
	// Client side of aTLS without attestation: the restarting node does not
	// need to make sure it notifies a genuine Coordinator. A key pushed by a
	// malicious actor simply fails to decrypt the state disk, and the node
	// does not start.
	creds := atlscredentials.New(nil, nil)
	sendRound := func() { a.requestKey(uuid, creds, opts...) }

	// A ticker only fires after its first interval has passed; this one-shot
	// channel is pre-filled so the select below can send the first round
	// without that initial delay.
	kick := make(chan struct{}, 1)
	kick <- struct{}{}

	retry := time.NewTicker(a.timeout)
	defer retry.Stop()

	for {
		select {
		case <-kick:
			sendRound()
		case <-retry.C:
			sendRound()
		case <-a.keyReceived:
			// A key was stored by PushStateDiskKey, either because a
			// Coordinator answered one of the requests or because an admin
			// pushed one directly while this loop was running during boot.
			return nil
		}
	}
}
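// requestKey asks every currently known KMS endpoint once to push the state
// disk key for uuid to this node.
//
// This is best effort: endpoint discovery, dial and rpc errors are not
// returned, because requestKeyLoop repeats the whole round after a.timeout.
// credentials is the transport to dial with; opts are additional dial options.
func (a *KeyAPI) requestKey(uuid string, credentials credentials.TransportCredentials, opts ...grpc.DialOption) {
	// list available Coordinators
	endpoints, err := metadata.KMSEndpoints(context.Background(), a.metadata)
	if err != nil {
		// still best effort, but a discovery failure deserves a log line: an
		// empty endpoint list otherwise looks like "no Coordinator is up"
		a.log.With(zap.Error(err)).Infof("Listing Coordinator endpoints failed, retrying after timeout")
	}

	a.log.With(zap.Strings("endpoints", endpoints)).Infof("Sending a key request to available Coordinators")

	// Build the dial options once, on a fresh slice: appending to opts itself
	// could write into the caller's backing array when it has spare capacity.
	dialOpts := make([]grpc.DialOption, 0, len(opts)+1)
	dialOpts = append(dialOpts, opts...)
	dialOpts = append(dialOpts, grpc.WithTransportCredentials(credentials))

	// notify all available Coordinators to send a key to the node
	// any errors encountered here will be ignored, and the calls retried after a timeout
	for _, endpoint := range endpoints {
		a.notifyEndpoint(endpoint, uuid, dialOpts)
	}
}

// notifyEndpoint dials a single KMS endpoint and sends one GetDataKey request
// for uuid, bounded by a.timeout. Errors are ignored (best effort); the
// connection and context are released before returning.
func (a *KeyAPI) notifyEndpoint(endpoint, uuid string, dialOpts []grpc.DialOption) {
	ctx, cancel := context.WithTimeout(context.Background(), a.timeout)
	defer cancel()

	conn, err := grpc.DialContext(ctx, endpoint, dialOpts...)
	if err != nil {
		return
	}
	defer conn.Close()

	client := kmsproto.NewAPIClient(conn)
	// The response is not used here: the Coordinator delivers the key by
	// calling PushStateDiskKey on this node.
	_, _ = client.GetDataKey(ctx, &kmsproto.GetDataKeyRequest{DataKeyId: uuid, Length: constants.StateDiskKeyLength})
}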
// QuoteValidator validates quotes.
//
// It is the verifying counterpart of QuoteIssuer; both embed oid.Getter,
// presumably to identify the attestation variant they handle (confirm
// against the oid package).
type QuoteValidator interface {
	oid.Getter
	// Validate validates a quote and returns the user data on success.
	// attDoc is the attestation document to check; nonce is the value the
	// quote is expected to be bound to. A non-nil error means the quote
	// must not be trusted.
	Validate(attDoc []byte, nonce []byte) ([]byte, error)
}
// QuoteIssuer issues quotes.
//
// KeyAPI uses it as the server-side identity of the aTLS listener opened by
// WaitForDecryptionKey. It embeds oid.Getter like QuoteValidator.
type QuoteIssuer interface {
	oid.Getter
	// Issue issues a quote for remote attestation for a given message.
	// userData is bound into the quote; nonce is the freshness value the
	// verifier supplied. Returns the serialized quote or an error.
	Issue(userData []byte, nonce []byte) (quote []byte, err error)
}