From c63d7126e75eab5737e2c54951af3a2505a3d831 Mon Sep 17 00:00:00 2001 From: cm Date: Tue, 10 May 2022 12:35:17 +0200 Subject: [PATCH] AB#1943 Extract KMS package (#56) * Extract kmsapi from coordinator * Add kmsapi cmd server --- cli/proto/client.go | 2 +- coordinator/coordinator_test.go | 2 +- coordinator/core/core.go | 2 +- coordinator/core/core_test.go | 2 +- coordinator/core/legacy_test.go | 2 +- coordinator/core/reinitialize_test.go | 2 +- coordinator/pubapi/coord_test.go | 2 +- coordinator/pubapi/core.go | 2 +- coordinator/pubapi/core_test.go | 2 +- coordinator/storewrapper/storewrapper.go | 2 +- go.mod | 6 + go.sum | 9 +- internal/constants/constants.go | 5 +- .../kms/cluster/cluster.go | 2 +- .../kms/cluster/cluster_test.go | 2 +- kms/server/cmd/main.go | 52 ++++ kms/server/kmsapi/kmsapi.go | 46 ++++ kms/server/kmsapi/kmsapi_test.go | 58 +++++ kms/server/kmsapi/kmsproto/kmsapi.pb.go | 226 ++++++++++++++++++ kms/server/kmsapi/kmsproto/kmsapi.proto | 18 ++ kms/server/kmsapi/kmsproto/kmsapi_grpc.pb.go | 101 ++++++++ .../kms => kms/server/setup}/setup.go | 5 +- .../kms => kms/server/setup}/setup_test.go | 2 +- proto/Dockerfile.gen-proto | 6 + test/coordinator_integration_test.go | 2 +- 25 files changed, 539 insertions(+), 21 deletions(-) rename coordinator/kms/clusterkms.go => kms/kms/cluster/cluster.go (98%) rename coordinator/kms/clusterkms_test.go => kms/kms/cluster/cluster_test.go (98%) create mode 100644 kms/server/cmd/main.go create mode 100644 kms/server/kmsapi/kmsapi.go create mode 100644 kms/server/kmsapi/kmsapi_test.go create mode 100644 kms/server/kmsapi/kmsproto/kmsapi.pb.go create mode 100644 kms/server/kmsapi/kmsproto/kmsapi.proto create mode 100644 kms/server/kmsapi/kmsproto/kmsapi_grpc.pb.go rename {coordinator/kms => kms/server/setup}/setup.go (98%) rename {coordinator/kms => kms/server/setup}/setup_test.go (99%) diff --git a/cli/proto/client.go b/cli/proto/client.go index b7f9c748a..3a948ce6a 100644 --- a/cli/proto/client.go 
+++ b/cli/proto/client.go @@ -6,9 +6,9 @@ import ( "io" "github.com/edgelesssys/constellation/coordinator/atls" - "github.com/edgelesssys/constellation/coordinator/kms" "github.com/edgelesssys/constellation/coordinator/pubapi/pubproto" "github.com/edgelesssys/constellation/coordinator/state" + kms "github.com/edgelesssys/constellation/kms/server/setup" "golang.zx2c4.com/wireguard/wgctrl/wgtypes" "google.golang.org/grpc" "google.golang.org/grpc/credentials" diff --git a/coordinator/coordinator_test.go b/coordinator/coordinator_test.go index e66a2b1ec..bf112b42e 100644 --- a/coordinator/coordinator_test.go +++ b/coordinator/coordinator_test.go @@ -12,7 +12,6 @@ import ( "github.com/edgelesssys/constellation/coordinator/atls" "github.com/edgelesssys/constellation/coordinator/attestation/simulator" "github.com/edgelesssys/constellation/coordinator/core" - "github.com/edgelesssys/constellation/coordinator/kms" "github.com/edgelesssys/constellation/coordinator/peer" "github.com/edgelesssys/constellation/coordinator/pubapi" "github.com/edgelesssys/constellation/coordinator/pubapi/pubproto" @@ -22,6 +21,7 @@ import ( "github.com/edgelesssys/constellation/coordinator/util/testdialer" "github.com/edgelesssys/constellation/coordinator/vpnapi" "github.com/edgelesssys/constellation/coordinator/vpnapi/vpnproto" + kms "github.com/edgelesssys/constellation/kms/server/setup" "github.com/spf13/afero" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" diff --git a/coordinator/core/core.go b/coordinator/core/core.go index 5d1302e2f..299f24bb4 100644 --- a/coordinator/core/core.go +++ b/coordinator/core/core.go 
@@ -12,7 +12,6 @@ import ( "github.com/edgelesssys/constellation/cli/file" "github.com/edgelesssys/constellation/coordinator/attestation/vtpm" "github.com/edgelesssys/constellation/coordinator/config" - kmsSetup "github.com/edgelesssys/constellation/coordinator/kms" "github.com/edgelesssys/constellation/coordinator/nodestate" "github.com/edgelesssys/constellation/coordinator/role" "github.com/edgelesssys/constellation/coordinator/state" @@ -20,6 +19,7 @@ import ( "github.com/edgelesssys/constellation/coordinator/storewrapper" "github.com/edgelesssys/constellation/coordinator/util" "github.com/edgelesssys/constellation/kms/kms" + kmsSetup "github.com/edgelesssys/constellation/kms/server/setup" "go.uber.org/zap" "google.golang.org/grpc" ) diff --git a/coordinator/core/core_test.go b/coordinator/core/core_test.go index 4ab01d0c1..da8781e76 100644 --- a/coordinator/core/core_test.go +++ b/coordinator/core/core_test.go @@ -9,7 +9,6 @@ import ( "github.com/edgelesssys/constellation/cli/file" "github.com/edgelesssys/constellation/coordinator/attestation/simulator" "github.com/edgelesssys/constellation/coordinator/attestation/vtpm" - "github.com/edgelesssys/constellation/coordinator/kms" "github.com/edgelesssys/constellation/coordinator/nodestate" "github.com/edgelesssys/constellation/coordinator/peer" "github.com/edgelesssys/constellation/coordinator/role" @@ -17,6 +16,7 @@ import ( "github.com/edgelesssys/constellation/coordinator/store" "github.com/edgelesssys/constellation/coordinator/util/grpcutil" "github.com/edgelesssys/constellation/coordinator/util/testdialer" + kms "github.com/edgelesssys/constellation/kms/server/setup" "github.com/spf13/afero" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" diff --git a/coordinator/core/legacy_test.go b/coordinator/core/legacy_test.go index fde2eeb78..a68419f79 100644 --- a/coordinator/core/legacy_test.go +++ b/coordinator/core/legacy_test.go 
@@ -12,13 +12,13 @@ import ( "github.com/edgelesssys/constellation/cli/file" "github.com/edgelesssys/constellation/coordinator/atls" "github.com/edgelesssys/constellation/coordinator/attestation/simulator" - "github.com/edgelesssys/constellation/coordinator/kms" "github.com/edgelesssys/constellation/coordinator/pubapi" "github.com/edgelesssys/constellation/coordinator/pubapi/pubproto" "github.com/edgelesssys/constellation/coordinator/state" "github.com/edgelesssys/constellation/coordinator/util/grpcutil" "github.com/edgelesssys/constellation/coordinator/vpnapi" "github.com/edgelesssys/constellation/coordinator/vpnapi/vpnproto" + kms "github.com/edgelesssys/constellation/kms/server/setup" "github.com/spf13/afero" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" diff --git a/coordinator/core/reinitialize_test.go b/coordinator/core/reinitialize_test.go index 557578d34..5a73710df 100644 --- a/coordinator/core/reinitialize_test.go +++ b/coordinator/core/reinitialize_test.go @@ -7,12 +7,12 @@ import ( "github.com/edgelesssys/constellation/cli/file" "github.com/edgelesssys/constellation/coordinator/atls" - "github.com/edgelesssys/constellation/coordinator/kms" "github.com/edgelesssys/constellation/coordinator/peer" "github.com/edgelesssys/constellation/coordinator/pubapi/pubproto" "github.com/edgelesssys/constellation/coordinator/role" "github.com/edgelesssys/constellation/coordinator/util/grpcutil" "github.com/edgelesssys/constellation/coordinator/util/testdialer" + kms "github.com/edgelesssys/constellation/kms/server/setup" "github.com/spf13/afero" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" diff --git a/coordinator/pubapi/coord_test.go b/coordinator/pubapi/coord_test.go index b2cadb20b..4837a3880 100644 --- a/coordinator/pubapi/coord_test.go +++ b/coordinator/pubapi/coord_test.go 
@@ -12,7 +12,6 @@ import ( "github.com/edgelesssys/constellation/coordinator/atls" "github.com/edgelesssys/constellation/coordinator/attestation/vtpm" "github.com/edgelesssys/constellation/coordinator/core" - "github.com/edgelesssys/constellation/coordinator/kms" "github.com/edgelesssys/constellation/coordinator/oid" "github.com/edgelesssys/constellation/coordinator/peer" "github.com/edgelesssys/constellation/coordinator/pubapi/pubproto" @@ -20,6 +19,7 @@ import ( "github.com/edgelesssys/constellation/coordinator/state" "github.com/edgelesssys/constellation/coordinator/util/grpcutil" "github.com/edgelesssys/constellation/coordinator/util/testdialer" + kms "github.com/edgelesssys/constellation/kms/server/setup" "github.com/edgelesssys/constellation/state/keyservice/keyproto" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" diff --git a/coordinator/pubapi/core.go b/coordinator/pubapi/core.go index 2f023e4ec..28676576a 100644 --- a/coordinator/pubapi/core.go +++ b/coordinator/pubapi/core.go @@ -3,10 +3,10 @@ package pubapi import ( "context" - "github.com/edgelesssys/constellation/coordinator/kms" "github.com/edgelesssys/constellation/coordinator/peer" "github.com/edgelesssys/constellation/coordinator/role" "github.com/edgelesssys/constellation/coordinator/state" + kms "github.com/edgelesssys/constellation/kms/server/setup" kubeadm "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3" ) diff --git a/coordinator/pubapi/core_test.go b/coordinator/pubapi/core_test.go index 334556425..0a77d9684 100644 --- a/coordinator/pubapi/core_test.go +++ b/coordinator/pubapi/core_test.go 
@@ -5,10 +5,10 @@ import ( "errors" "net/netip" - "github.com/edgelesssys/constellation/coordinator/kms" "github.com/edgelesssys/constellation/coordinator/peer" "github.com/edgelesssys/constellation/coordinator/role" "github.com/edgelesssys/constellation/coordinator/state" + kms "github.com/edgelesssys/constellation/kms/server/setup" kubeadm "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3" ) diff --git a/coordinator/storewrapper/storewrapper.go b/coordinator/storewrapper/storewrapper.go index 33a3d9c51..bdd10bb61 100644 --- a/coordinator/storewrapper/storewrapper.go +++ b/coordinator/storewrapper/storewrapper.go @@ -8,10 +8,10 @@ import ( "strconv" "strings" - "github.com/edgelesssys/constellation/coordinator/kms" "github.com/edgelesssys/constellation/coordinator/peer" "github.com/edgelesssys/constellation/coordinator/state" "github.com/edgelesssys/constellation/coordinator/store" + kms "github.com/edgelesssys/constellation/kms/server/setup" kubeadm "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3" ) diff --git a/go.mod b/go.mod index d0df0358f..abf190ac1 100644 --- a/go.mod +++ b/go.mod @@ -103,6 +103,12 @@ require ( sigs.k8s.io/yaml v1.3.0 ) +require ( + github.com/fsnotify/fsnotify v1.5.1 // indirect + github.com/onsi/ginkgo v1.16.5 // indirect + github.com/onsi/gomega v1.17.0 // indirect +) + require ( cloud.google.com/go v0.100.2 // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v0.9.1 // indirect diff --git a/go.sum b/go.sum index 0d28efc41..ddcc26fc7 100644 --- a/go.sum +++ b/go.sum 
@@ -595,8 +595,9 @@ github.com/franela/goblin v0.0.0-20200105215937-c9ffbefa60db/go.mod h1:7dvUGVsVB github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8/go.mod h1:ZhphrRTfi2rbfLwlschooIH4+wKKDR4Pdxhh+TRoA20= github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= -github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= +github.com/fsnotify/fsnotify v1.5.1 h1:mZcQUHVQUQWoPXXtuf9yuEXKudkV2sx1E06UadKWpgI= +github.com/fsnotify/fsnotify v1.5.1/go.mod h1:T3375wBYaZdLLcVNkcVbzGHY7f1l/uK5T5Ai1i3InKU= github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA= github.com/fullstorydev/grpcurl v1.6.0/go.mod h1:ZQ+ayqbKMJNhzLmbpCiurTVlaK2M/3nqZCxaQ2Ze/sM= github.com/fullstorydev/grpcurl v1.8.0/go.mod h1:Mn2jWbdMrQGJQ8UD62uNyMumT2acsZUCkZIqFxsQf1o= 
@@ -1150,8 +1151,9 @@ github.com/onsi/ginkgo v1.12.0/go.mod h1:oUhWkIvk5aDxtKvDDuw8gItl8pKl42LzjC9KZE0 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= github.com/onsi/ginkgo v1.13.0/go.mod h1:+REjRxOmWfHCjfv9TTWB1jD1Frx4XydAD3zm1lskyM0= github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= -github.com/onsi/ginkgo v1.16.4 h1:29JGrr5oVBm5ulCWet69zQkzWipVXIol6ygQUe/EzNc= github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0= +github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= +github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= github.com/onsi/gomega v0.0.0-20151007035656-2152b45fa28a/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= 
@@ -1161,8 +1163,9 @@ github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7J github.com/onsi/gomega v1.9.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.10.3/go.mod h1:V9xEwhxec5O8UDM77eCW8vLymOMltsqPVYWrpDsH8xc= -github.com/onsi/gomega v1.15.0 h1:WjP/FQ/sk43MRmnEcT+MlDw2TFvkrXlprrPST/IudjU= github.com/onsi/gomega v1.15.0/go.mod h1:cIuvLEne0aoVhAgh/O6ac0Op8WWw9H6eYCriF+tEHG0= +github.com/onsi/gomega v1.17.0 h1:9Luw4uT5HTjHTN8+aNcSThgH1vdXnmdJ8xIfZ4wyTRE= +github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk= github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= diff --git a/internal/constants/constants.go b/internal/constants/constants.go index c3f4e4936..4e1e8a927 100644 --- a/internal/constants/constants.go +++ b/internal/constants/constants.go @@ -33,7 +33,8 @@ const ( // // Cryptographic constants. // - StateDiskKeyLength = 32 + StateDiskKeyLength = 32 + DerivedKeyLengthDefault = 32 // // CLI. @@ -47,7 +48,7 @@ const ( // // KubernetesVersion installed by kubeadm. - KubernetesVersion = "stable-1.23" + KubernetesVersion = "stable-1.23" KubernetesJoinTokenTTL = 15 * time.Minute ) diff --git a/coordinator/kms/clusterkms.go b/kms/kms/cluster/cluster.go similarity index 98% rename from coordinator/kms/clusterkms.go rename to kms/kms/cluster/cluster.go index 597a44cb3..be201781c 100644 --- a/coordinator/kms/clusterkms.go +++ b/kms/kms/cluster/cluster.go @@ -1,4 +1,4 @@ -package kms +package cluster import ( "context" 
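Review bot: `DerivedKeyLengthDefault` is introduced without a doc comment, so neither its unit nor its intended consumer is stated; I would add `// DerivedKeyLengthDefault is the default length in bytes of a key derived from the master secret.` above it. The constant also does not appear to be referenced by the new kms/server code in this patch, which hard-codes `32` in main.go, so either wire it in there or note where it is meant to be used. The rest of the constants hunk is gofmt realignment only.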
diff --git a/coordinator/kms/clusterkms_test.go b/kms/kms/cluster/cluster_test.go
similarity index 98%
rename from coordinator/kms/clusterkms_test.go
rename to kms/kms/cluster/cluster_test.go
index 0d5021957..1148f290b 100644
--- a/coordinator/kms/clusterkms_test.go
+++ b/kms/kms/cluster/cluster_test.go
@@ -1,4 +1,4 @@
-package kms
+package cluster
 
 import (
 "context"
diff --git a/kms/server/cmd/main.go b/kms/server/cmd/main.go
new file mode 100644
index 000000000..a086df91c
--- /dev/null
+++ b/kms/server/cmd/main.go
@@ -0,0 +1,52 @@
+package main
+
+import (
+ "context"
+ "flag"
+ "log"
+ "net"
+
+ "github.com/edgelesssys/constellation/coordinator/util"
+ "github.com/edgelesssys/constellation/kms/server/kmsapi"
+ "github.com/edgelesssys/constellation/kms/server/kmsapi/kmsproto"
+ "github.com/edgelesssys/constellation/kms/server/setup"
+ "go.uber.org/zap"
+
+ "google.golang.org/grpc"
+)
+
+func main() {
+ port := flag.String("p", "9000", "Port gRPC server listens on")
+ flag.Parse()
+
+ // TODO: Get masterSecret from Constellation CLI / after activation from cluster.
+ masterKey, err := util.GenerateRandomBytes(32)
+ if err != nil {
+ log.Fatalf("Failed to generate key: %v", err)
+ }
+
+ conKMS, err := setup.SetUpKMS(context.Background(), setup.NoStoreURI, setup.ClusterKMSURI)
+ if err != nil {
+ log.Fatalf("Failed to setup KMS: %v", err)
+ }
+
+ if err := conKMS.CreateKEK(context.Background(), "Constellation", masterKey); err != nil {
+ log.Fatalf("Failed to create KMS KEK from MasterKey: %v", err)
+ }
+
+ lis, err := net.Listen("tcp", net.JoinHostPort("0.0.0.0", *port))
+ if err != nil {
+ log.Fatalf("Failed to listen: %v", err)
+ }
+
+ srv := kmsapi.New(&zap.Logger{}, conKMS)
+
+ // TODO: Launch server with aTLS to allow attestation for clients.
+ grpcServer := grpc.NewServer()
+
+ kmsproto.RegisterAPIServer(grpcServer, srv)
+
+ if err := grpcServer.Serve(lis); err != nil {
+ log.Fatalf("Failed to serve: %s", err)
+ }
+}
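Review bot: The new server hands out data keys derived from the master key over a plaintext, unauthenticated gRPC listener bound to `0.0.0.0` (`grpc.NewServer()` with no credentials, `net.JoinHostPort("0.0.0.0", *port)`), so anyone who can reach the port can call GetDataKey; the aTLS TODO acknowledges this, but nothing stops the binary being deployed as-is. Until attested transport lands, the all-interfaces plaintext listener should be an explicit, visible choice (for example loopback by default plus an `-insecure-listen-all` flag), so the unsafe configuration cannot happen by accident. Separately, `kmsapi.New(&zap.Logger{}, conKMS)` passes a zero-value `zap.Logger`, which has no core and will most likely panic on the first log call once the API starts logging; use `zap.NewNop()` or a real logger. Since the master key is freshly random on every start, every restart also silently invalidates previously derived keys, which is worth a log line until the CLI-supplied secret arrives.

```go
	port := flag.String("p", "9000", "Port gRPC server listens on")
	// Until aTLS is in place there is no transport encryption or client authentication,
	// so listening on all interfaces must be an explicit, visible choice.
	listenAll := flag.Bool("insecure-listen-all", false, "Listen on all interfaces without transport security (development only)")
	flag.Parse()
	// … unchanged: master key generation, KMS setup, CreateKEK …
	host := "127.0.0.1"
	if *listenAll {
		host = "0.0.0.0"
	}
	lis, err := net.Listen("tcp", net.JoinHostPort(host, *port))
	// … unchanged: listen error check …
	srv := kmsapi.New(zap.NewNop(), conKMS) // a zero-value zap.Logger has no core; use a no-op or real logger
	// … unchanged: gRPC server setup and Serve …
```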
diff --git a/kms/server/kmsapi/kmsapi.go b/kms/server/kmsapi/kmsapi.go
new file mode 100644
index 000000000..cbbb54005
--- /dev/null
+++ b/kms/server/kmsapi/kmsapi.go
@@ -0,0 +1,46 @@
+// Package kmsapi implements an API to manage encryption keys.
+package kmsapi
+
+import (
+ "context"
+
+ "github.com/edgelesssys/constellation/kms/kms"
+ "github.com/edgelesssys/constellation/kms/server/kmsapi/kmsproto"
+ "go.uber.org/zap"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+)
+
+// API resembles an encryption key management api server through logger, CloudKMS and proto-unimplemented server.
+type API struct {
+ logger *zap.Logger
+ conKMS kms.CloudKMS
+ kmsproto.UnimplementedAPIServer
+}
+
+// New creates a new API.
+func New(logger *zap.Logger, conKMS kms.CloudKMS) *API {
+ return &API{
+ logger: logger,
+ conKMS: conKMS,
+ }
+}
+
+// GetDataKey returns a data key.
+func (a *API) GetDataKey(ctx context.Context, in *kmsproto.GetDataKeyRequest) (*kmsproto.GetDataKeyResponse, error) {
+ // Error on 0 key length
+ if in.Length == 0 {
+ return nil, status.Error(codes.InvalidArgument, "can't derive key with length zero")
+ }
+
+ // Error on empty DataKeyId
+ if in.DataKeyId == "" {
+ return nil, status.Error(codes.InvalidArgument, "no data key id specified")
+ }
+
+ key, err := a.conKMS.GetDEK(ctx, "Constellation", "key-"+in.DataKeyId, int(in.Length))
+ if err != nil {
+ return nil, status.Errorf(codes.Internal, "%v", err)
+ }
+ return &kmsproto.GetDataKeyResponse{DataKey: key}, nil
+}
diff --git a/kms/server/kmsapi/kmsapi_test.go b/kms/server/kmsapi/kmsapi_test.go
new file mode 100644
index 000000000..145b92f97
--- /dev/null
+++ b/kms/server/kmsapi/kmsapi_test.go
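Review bot: GetDataKey only rejects `Length == 0` and then passes the client-chosen `uint32` straight to `GetDEK` as `int(in.Length)`, so a caller can request a key of up to about 4 GiB and make the server spend memory and derivation work on it; an upper bound tied to what the derivation backend can actually produce should be enforced next to the zero check. The error path `status.Errorf(codes.Internal, "%v", err)` also forwards the backend's error text verbatim to the caller, which for the cloud KMS implementations may include provider details; log it server-side (the `logger` field is otherwise unused, and the caller must supply a usable logger) and return a generic message. The `"Constellation"` KEK ID and `"key-"` prefix are hard-coded here and in main.go's CreateKEK; a shared constant would keep them from drifting apart.

```go
// maxDataKeyLength bounds client-requested key sizes; choose the value the
// derivation backend supports (HKDF-SHA256, for example, yields at most 8160 bytes).
const maxDataKeyLength = 8160
// … unchanged: package, imports, API struct, New, zero-length and empty-ID checks …
	if in.Length > maxDataKeyLength {
		return nil, status.Errorf(codes.InvalidArgument, "requested key length %d exceeds maximum %d", in.Length, maxDataKeyLength)
	}
	key, err := a.conKMS.GetDEK(ctx, "Constellation", "key-"+in.DataKeyId, int(in.Length))
	if err != nil {
		// Keep backend details out of the response; the caller only needs to know derivation failed.
		a.logger.Error("deriving data key", zap.String("dataKeyId", in.DataKeyId), zap.Error(err))
		return nil, status.Error(codes.Internal, "failed to derive data key")
	}
	// … unchanged: response …
```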
@@ -0,0 +1,58 @@
+package kmsapi
+
+import (
+ "context"
+ "errors"
+ "testing"
+
+ "github.com/edgelesssys/constellation/kms/server/kmsapi/kmsproto"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+ "go.uber.org/zap/zaptest"
+)
+
+func TestGetDataKey(t *testing.T) {
+ assert := assert.New(t)
+ require := require.New(t)
+
+ kms := &stubKMS{derivedKey: []byte{0x0, 0x1, 0x2, 0x3, 0x4, 0x5}}
+ api := New(zaptest.NewLogger(t), kms)
+
+ res, err := api.GetDataKey(context.Background(), &kmsproto.GetDataKeyRequest{DataKeyId: "1", Length: 32})
+ require.NoError(err)
+ assert.Equal(kms.derivedKey, res.DataKey)
+
+ // Test no data key id
+ res, err = api.GetDataKey(context.Background(), &kmsproto.GetDataKeyRequest{Length: 32})
+ require.Error(err)
+ assert.Nil(res)
+
+ // Test no / zero key length
+ res, err = api.GetDataKey(context.Background(), &kmsproto.GetDataKeyRequest{DataKeyId: "1"})
+ require.Error(err)
+ assert.Nil(res)
+
+ // Test derive key error
+ api = New(zaptest.NewLogger(t), &stubKMS{deriveKeyErr: errors.New("error")})
+ res, err = api.GetDataKey(context.Background(), &kmsproto.GetDataKeyRequest{DataKeyId: "1", Length: 32})
+ assert.Error(err)
+ assert.Nil(res)
+}
+
+type stubKMS struct {
+ masterKey []byte
+ derivedKey []byte
+ deriveKeyErr error
+}
+
+func (c *stubKMS) CreateKEK(ctx context.Context, keyID string, kek []byte) error {
+ c.masterKey = kek
+ return nil
+}
+
+func (c *stubKMS) GetDEK(ctx context.Context, kekID string, dekID string, dekSize int) ([]byte, error) {
+ if c.deriveKeyErr != nil {
+ return nil, c.deriveKeyErr
+ }
+ return c.derivedKey, nil
+}
diff --git a/kms/server/kmsapi/kmsproto/kmsapi.pb.go b/kms/server/kmsapi/kmsproto/kmsapi.pb.go
new file mode 100644
index 000000000..bc7fa74ed
--- /dev/null
+++ b/kms/server/kmsapi/kmsproto/kmsapi.pb.go
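Review bot: `stubKMS.GetDEK` discards `kekID`, `dekID` and `dekSize`, so the happy-path assertion only checks that the stub's bytes are echoed back; a regression that dropped the `"key-"` prefix, passed the wrong KEK ID or mangled the length would still pass. Record the arguments in the stub and assert them after the first call, e.g. `assert.Equal("key-1", kms.dekID)` and `assert.Equal(32, kms.dekSize)`. The error-code assertions could likewise use `status.Code(err)` to pin `codes.InvalidArgument` versus `codes.Internal`, since callers are expected to distinguish them.

```go
type stubKMS struct {
	masterKey    []byte
	derivedKey   []byte
	deriveKeyErr error
	kekID        string // recorded by GetDEK
	dekID        string // recorded by GetDEK
	dekSize      int    // recorded by GetDEK
}
// … unchanged: CreateKEK …
func (c *stubKMS) GetDEK(ctx context.Context, kekID string, dekID string, dekSize int) ([]byte, error) {
	c.kekID, c.dekID, c.dekSize = kekID, dekID, dekSize
	// … unchanged: error path and return …
}
```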
@@ -0,0 +1,226 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.25.0-devel +// protoc v3.14.0 +// source: kmsproto/kmsapi.proto + +package kmsproto + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +type GetDataKeyRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + DataKeyId string `protobuf:"bytes,1,opt,name=data_key_id,json=dataKeyId,proto3" json:"data_key_id,omitempty"` + Length uint32 `protobuf:"varint,2,opt,name=length,proto3" json:"length,omitempty"` +} + +func (x *GetDataKeyRequest) Reset() { + *x = GetDataKeyRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_kmsproto_kmsapi_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *GetDataKeyRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*GetDataKeyRequest) ProtoMessage() {} + +func (x *GetDataKeyRequest) ProtoReflect() protoreflect.Message { + mi := &file_kmsproto_kmsapi_proto_msgTypes[0] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use GetDataKeyRequest.ProtoReflect.Descriptor instead. 
+func (*GetDataKeyRequest) Descriptor() ([]byte, []int) { + return file_kmsproto_kmsapi_proto_rawDescGZIP(), []int{0} +} + +func (x *GetDataKeyRequest) GetDataKeyId() string { + if x != nil { + return x.DataKeyId + } + return "" +} + +func (x *GetDataKeyRequest) GetLength() uint32 { + if x != nil { + return x.Length + } + return 0 +} + +type GetDataKeyResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + DataKey []byte `protobuf:"bytes,1,opt,name=data_key,json=dataKey,proto3" json:"data_key,omitempty"` +} + +func (x *GetDataKeyResponse) Reset() { + *x = GetDataKeyResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_kmsproto_kmsapi_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *GetDataKeyResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*GetDataKeyResponse) ProtoMessage() {} + +func (x *GetDataKeyResponse) ProtoReflect() protoreflect.Message { + mi := &file_kmsproto_kmsapi_proto_msgTypes[1] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use GetDataKeyResponse.ProtoReflect.Descriptor instead. 
+func (*GetDataKeyResponse) Descriptor() ([]byte, []int) { + return file_kmsproto_kmsapi_proto_rawDescGZIP(), []int{1} +} + +func (x *GetDataKeyResponse) GetDataKey() []byte { + if x != nil { + return x.DataKey + } + return nil +} + +var File_kmsproto_kmsapi_proto protoreflect.FileDescriptor + +var file_kmsproto_kmsapi_proto_rawDesc = []byte{ + 0x0a, 0x15, 0x6b, 0x6d, 0x73, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x6b, 0x6d, 0x73, 0x61, 0x70, + 0x69, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x06, 0x70, 0x75, 0x62, 0x61, 0x70, 0x69, 0x22, + 0x4b, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, + 0x75, 0x65, 0x73, 0x74, 0x12, 0x1e, 0x0a, 0x0b, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x6b, 0x65, 0x79, + 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x64, 0x61, 0x74, 0x61, 0x4b, + 0x65, 0x79, 0x49, 0x64, 0x12, 0x16, 0x0a, 0x06, 0x6c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x0d, 0x52, 0x06, 0x6c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x22, 0x2f, 0x0a, 0x12, + 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0x73, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x64, 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x32, 0x4a, 0x0a, + 0x03, 0x41, 0x50, 0x49, 0x12, 0x43, 0x0a, 0x0a, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, + 0x65, 0x79, 0x12, 0x19, 0x2e, 0x70, 0x75, 0x62, 0x61, 0x70, 0x69, 0x2e, 0x47, 0x65, 0x74, 0x44, + 0x61, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1a, 0x2e, + 0x70, 0x75, 0x62, 0x61, 0x70, 0x69, 0x2e, 0x47, 0x65, 0x74, 0x44, 0x61, 0x74, 0x61, 0x4b, 0x65, + 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x41, 0x5a, 0x3f, 0x67, 0x69, 0x74, + 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, 0x73, 0x73, + 0x73, 0x79, 0x73, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74, 
0x69, 0x6f, + 0x6e, 0x2f, 0x6b, 0x6d, 0x73, 0x2f, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x2f, 0x6b, 0x6d, 0x73, + 0x61, 0x70, 0x69, 0x2f, 0x6b, 0x6d, 0x73, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x33, +} + +var ( + file_kmsproto_kmsapi_proto_rawDescOnce sync.Once + file_kmsproto_kmsapi_proto_rawDescData = file_kmsproto_kmsapi_proto_rawDesc +) + +func file_kmsproto_kmsapi_proto_rawDescGZIP() []byte { + file_kmsproto_kmsapi_proto_rawDescOnce.Do(func() { + file_kmsproto_kmsapi_proto_rawDescData = protoimpl.X.CompressGZIP(file_kmsproto_kmsapi_proto_rawDescData) + }) + return file_kmsproto_kmsapi_proto_rawDescData +} + +var file_kmsproto_kmsapi_proto_msgTypes = make([]protoimpl.MessageInfo, 2) +var file_kmsproto_kmsapi_proto_goTypes = []interface{}{ + (*GetDataKeyRequest)(nil), // 0: pubapi.GetDataKeyRequest + (*GetDataKeyResponse)(nil), // 1: pubapi.GetDataKeyResponse +} +var file_kmsproto_kmsapi_proto_depIdxs = []int32{ + 0, // 0: pubapi.API.GetDataKey:input_type -> pubapi.GetDataKeyRequest + 1, // 1: pubapi.API.GetDataKey:output_type -> pubapi.GetDataKeyResponse + 1, // [1:2] is the sub-list for method output_type + 0, // [0:1] is the sub-list for method input_type + 0, // [0:0] is the sub-list for extension type_name + 0, // [0:0] is the sub-list for extension extendee + 0, // [0:0] is the sub-list for field type_name +} + +func init() { file_kmsproto_kmsapi_proto_init() } +func file_kmsproto_kmsapi_proto_init() { + if File_kmsproto_kmsapi_proto != nil { + return + } + if !protoimpl.UnsafeEnabled { + file_kmsproto_kmsapi_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*GetDataKeyRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_kmsproto_kmsapi_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*GetDataKeyResponse); i { + case 0: + return &v.state + case 1: + 
return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_kmsproto_kmsapi_proto_rawDesc, + NumEnums: 0, + NumMessages: 2, + NumExtensions: 0, + NumServices: 1, + }, + GoTypes: file_kmsproto_kmsapi_proto_goTypes, + DependencyIndexes: file_kmsproto_kmsapi_proto_depIdxs, + MessageInfos: file_kmsproto_kmsapi_proto_msgTypes, + }.Build() + File_kmsproto_kmsapi_proto = out.File + file_kmsproto_kmsapi_proto_rawDesc = nil + file_kmsproto_kmsapi_proto_goTypes = nil + file_kmsproto_kmsapi_proto_depIdxs = nil +} diff --git a/kms/server/kmsapi/kmsproto/kmsapi.proto b/kms/server/kmsapi/kmsproto/kmsapi.proto new file mode 100644 index 000000000..96d0d3498 --- /dev/null +++ b/kms/server/kmsapi/kmsproto/kmsapi.proto @@ -0,0 +1,18 @@ +syntax = "proto3"; + +package kmsapi; + +option go_package = "github.com/edgelesssys/constellation/kms/server/kmsapi/kmsproto"; + +service API { + rpc GetDataKey(GetDataKeyRequest) returns (GetDataKeyResponse); +} + +message GetDataKeyRequest { + string data_key_id = 1; + uint32 length = 2; +} + +message GetDataKeyResponse { + bytes data_key = 1; +} diff --git a/kms/server/kmsapi/kmsproto/kmsapi_grpc.pb.go b/kms/server/kmsapi/kmsproto/kmsapi_grpc.pb.go new file mode 100644 index 000000000..5659ef1be --- /dev/null +++ b/kms/server/kmsapi/kmsproto/kmsapi_grpc.pb.go 
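Review bot: The generated stubs checked in next to this file do not match it: kmsapi.proto declares `package kmsapi;`, but kmsapi.pb.go and kmsapi_grpc.pb.go register the service as `pubapi.API` with the method path `/pubapi.API/GetDataKey` (and record `source: kmsproto/kmsapi.proto`). A client regenerated from this .proto will call `/kmsapi.API/GetDataKey` and receive Unimplemented from a server built on the stale stubs, and the `pubapi` name collides with the coordinator's own public API package; regenerate the stubs from this file before merging. The message fields would also benefit from stating their contract, e.g. `// Requested key length in bytes; zero is rejected.` on `length` and `// Identifier the data key is derived from; must not be empty.` on `data_key_id`, since the server enforces both.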
@@ -0,0 +1,101 @@ +// Code generated by protoc-gen-go-grpc. DO NOT EDIT. + +package kmsproto + +import ( + context "context" + grpc "google.golang.org/grpc" + codes "google.golang.org/grpc/codes" + status "google.golang.org/grpc/status" +) + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the grpc package it is being compiled against. +// Requires gRPC-Go v1.32.0 or later. +const _ = grpc.SupportPackageIsVersion7 + +// APIClient is the client API for API service. +// +// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. +type APIClient interface { + GetDataKey(ctx context.Context, in *GetDataKeyRequest, opts ...grpc.CallOption) (*GetDataKeyResponse, error) +} + +type aPIClient struct { + cc grpc.ClientConnInterface +} + +func NewAPIClient(cc grpc.ClientConnInterface) APIClient { + return &aPIClient{cc} +} + +func (c *aPIClient) GetDataKey(ctx context.Context, in *GetDataKeyRequest, opts ...grpc.CallOption) (*GetDataKeyResponse, error) { + out := new(GetDataKeyResponse) + err := c.cc.Invoke(ctx, "/pubapi.API/GetDataKey", in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + +// APIServer is the server API for API service. +// All implementations must embed UnimplementedAPIServer +// for forward compatibility +type APIServer interface { + GetDataKey(context.Context, *GetDataKeyRequest) (*GetDataKeyResponse, error) + mustEmbedUnimplementedAPIServer() +} + +// UnimplementedAPIServer must be embedded to have forward compatible implementations. 
+type UnimplementedAPIServer struct { +} + +func (UnimplementedAPIServer) GetDataKey(context.Context, *GetDataKeyRequest) (*GetDataKeyResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method GetDataKey not implemented") +} +func (UnimplementedAPIServer) mustEmbedUnimplementedAPIServer() {} + +// UnsafeAPIServer may be embedded to opt out of forward compatibility for this service. +// Use of this interface is not recommended, as added methods to APIServer will +// result in compilation errors. +type UnsafeAPIServer interface { + mustEmbedUnimplementedAPIServer() +} + +func RegisterAPIServer(s grpc.ServiceRegistrar, srv APIServer) { + s.RegisterService(&API_ServiceDesc, srv) +} + +func _API_GetDataKey_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(GetDataKeyRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(APIServer).GetDataKey(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: "/pubapi.API/GetDataKey", + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(APIServer).GetDataKey(ctx, req.(*GetDataKeyRequest)) + } + return interceptor(ctx, in, info, handler) +} + +// API_ServiceDesc is the grpc.ServiceDesc for API service. +// It's only intended for direct use with grpc.RegisterService, +// and not to be introspected or modified (even as a copy) +var API_ServiceDesc = grpc.ServiceDesc{ + ServiceName: "pubapi.API", + HandlerType: (*APIServer)(nil), + Methods: []grpc.MethodDesc{ + { + MethodName: "GetDataKey", + Handler: _API_GetDataKey_Handler, + }, + }, + Streams: []grpc.StreamDesc{}, + Metadata: "kmsproto/kmsapi.proto", +} diff --git a/coordinator/kms/setup.go b/kms/server/setup/setup.go similarity index 98% rename from coordinator/kms/setup.go rename to kms/server/setup/setup.go index d8527ba11..bfb067496 100644 
--- a/coordinator/kms/setup.go +++ b/kms/server/setup/setup.go @@ -1,4 +1,4 @@ -package kms +package setup import ( "context" @@ -9,6 +9,7 @@ import ( "github.com/edgelesssys/constellation/kms/kms" "github.com/edgelesssys/constellation/kms/kms/aws" "github.com/edgelesssys/constellation/kms/kms/azure" + "github.com/edgelesssys/constellation/kms/kms/cluster" "github.com/edgelesssys/constellation/kms/kms/gcp" "github.com/edgelesssys/constellation/kms/storage" kmspb "google.golang.org/genproto/googleapis/cloud/kms/v1" @@ -122,7 +123,7 @@ func getKMS(ctx context.Context, kmsURI string, store kms.Storage) (kms.CloudKMS return gcp.New(ctx, project, location, keyRing, store, kmspb.ProtectionLevel(protectionLvl)) case "cluster-kms": - return &ClusterKMS{}, nil + return &cluster.ClusterKMS{}, nil default: return nil, fmt.Errorf("unknown KMS type: %s", uri.Host) diff --git a/coordinator/kms/setup_test.go b/kms/server/setup/setup_test.go similarity index 99% rename from coordinator/kms/setup_test.go rename to kms/server/setup/setup_test.go index 32ee6310e..893e71162 100644 --- a/coordinator/kms/setup_test.go +++ b/kms/server/setup/setup_test.go @@ -1,4 +1,4 @@ -package kms +package setup import ( "context" diff --git a/proto/Dockerfile.gen-proto b/proto/Dockerfile.gen-proto index 422f30c44..96705d629 100644 --- a/proto/Dockerfile.gen-proto +++ b/proto/Dockerfile.gen-proto 
@@ -44,9 +44,15 @@ WORKDIR /service COPY debugd/service/*.proto /service RUN protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_opt=paths=source_relative *.proto +## key management +WORKDIR /kms +COPY kms/server/kmsapi/kmsproto/*.proto /kms +RUN protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_opt=paths=source_relative *.proto + FROM scratch as export COPY --from=build /pubapi/*.go coordinator/pubapi/pubproto/ COPY --from=build /vpnapi/*.go coordinator/vpnapi/vpnproto/ COPY --from=build /disk-mapper/*.go state/keyservice/keyproto/ COPY --from=build /service/*.go debugd/service/ +COPY --from=build /kms/*.go kms/server/kmsproto/ diff --git a/test/coordinator_integration_test.go b/test/coordinator_integration_test.go index 657185b4a..76dc0e72a 100644 --- a/test/coordinator_integration_test.go +++ b/test/coordinator_integration_test.go @@ -23,11 +23,11 @@ import ( "github.com/docker/go-connections/nat" "github.com/edgelesssys/constellation/coordinator/atls" "github.com/edgelesssys/constellation/coordinator/core" - "github.com/edgelesssys/constellation/coordinator/kms" "github.com/edgelesssys/constellation/coordinator/pubapi/pubproto" "github.com/edgelesssys/constellation/coordinator/role" "github.com/edgelesssys/constellation/coordinator/store" "github.com/edgelesssys/constellation/coordinator/storewrapper" + kms "github.com/edgelesssys/constellation/kms/server/setup" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "go.uber.org/goleak"
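Review bot: The export path for the generated KMS stubs does not match where the sources live: the build stage copies from `kms/server/kmsapi/kmsproto/*.proto`, but the export stage writes to `kms/server/kmsproto/`, so a regeneration run would drop the `.pb.go` files into a directory that is not the `kmsproto` package and leave the checked-in stubs untouched. The line should read `COPY --from=build /kms/*.go kms/server/kmsapi/kmsproto/`. The integration-test hunk on this line is an import-path rename only.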