Add multihop auth support (#32)

4 years ago · ab4d542fad
parent 8579a248d4
commit ab4d542fad
10 changed files with 91 additions and 13 deletions
--- a/go.mod
+++ b/go.mod
@ -6,6 +6,8 @@ replace github.com/hashicorp/boundary/api => ./api

 replace github.com/hashicorp/boundary/sdk => ./sdk

+replace github.com/hashicorp/nodeenrollment => ../nodeenrollment
+
 require (
 	github.com/armon/go-metrics v0.3.9 // indirect
 	github.com/fatih/color v1.13.0
@ -87,7 +89,7 @@ require (

 require github.com/hashicorp/go-dbw v0.0.0-20211215222256-2ff0d37184ff // this is a branch and should be updated before merging

-require github.com/hashicorp/nodeenrollment v0.0.0-20220427165109-a2f5dad593c7
+require github.com/hashicorp/nodeenrollment v0.0.0-20220503175646-9114ff4a40e9

 require (
 	github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 // indirect
--- a/go.sum
+++ b/go.sum
@ -425,8 +425,6 @@ github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+l
 github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
-github.com/hashicorp/nodeenrollment v0.0.0-20220427165109-a2f5dad593c7 h1:pOKDBZ6t9IZCL4xXWt0hJw0TM6Mn0BrRk4NAu7sJKS4=
-github.com/hashicorp/nodeenrollment v0.0.0-20220427165109-a2f5dad593c7/go.mod h1:yOOykLWw4G7O1Z7+6X3gzXcQCb/5au1Zna4d1nlQLmM=
 github.com/hashicorp/vault/api v1.3.1 h1:pkDkcgTh47PRjY1NEFeofqR4W/HkNUi9qIakESO2aRM=
 github.com/hashicorp/vault/api v1.3.1/go.mod h1:QeJoWxMFt+MsuWcYhmwRLwKEXrjwAFFywzhptMsTIUw=
 github.com/hashicorp/vault/sdk v0.1.13/go.mod h1:B+hVj7TpuQY1Y/GPbCpffmgd+tSEwvhkWnjtSYCaS2M=
--- a/internal/servers/controller/controller.go
+++ b/internal/servers/controller/controller.go
@ -38,7 +38,7 @@ import (
 	"github.com/hashicorp/go-secure-stdlib/pluginutil/v2"
 	"github.com/hashicorp/nodeenrollment/noderegistration"
 	nodeefile "github.com/hashicorp/nodeenrollment/nodestorage/file"
-	"github.com/hashicorp/nodeenrollment/nodetypes"
+	"github.com/hashicorp/nodeenrollment/rotation"
 	ua "go.uber.org/atomic"
 	"google.golang.org/grpc"
 )
@ -322,7 +322,7 @@ func (c *Controller) Start() error {
 	if err != nil {
 		return err
 	}
-	_, err = nodetypes.RotateRootCertificates(c.baseContext, c.NodeeFileStorage)
+	_, err = rotation.RotateRootCertificates(c.baseContext, c.NodeeFileStorage)
 	if err != nil {
 		return err
 	}
--- a/internal/servers/controller/handler.go
+++ b/internal/servers/controller/handler.go
@ -573,12 +573,24 @@ func handleNodes(c *Controller) http.Handler {
 			}
 			var err error
 			var currVals vals
-			currVals.WaitingNodes, err = c.NodeeFileStorage.List(c.baseContext, (*nodetypes.NodeInformation)(nil))
+			waitingNodes, err := c.NodeeFileStorage.List(c.baseContext, (*nodetypes.NodeInformation)(nil))
 			if err != nil {
 				_, _ = w.Write([]byte(err.Error()))
 				w.WriteHeader(500)
 				return
 			}
+			for _, keyId := range waitingNodes {
+				ni, err := nodetypes.LoadNodeInformation(c.baseContext, c.NodeeFileStorage, keyId)
+				if err != nil {
+					_, _ = w.Write([]byte(err.Error()))
+					w.WriteHeader(500)
+					return
+				}
+				if ni.Authorized {
+					continue
+				}
+				currVals.WaitingNodes = append(currVals.WaitingNodes, keyId)
+			}
 			ret, err := json.Marshal(currVals)
 			if err != nil {
 				_, _ = w.Write([]byte(err.Error()))
--- a/internal/servers/controller/handlers/workers/multihop_service.go
+++ b/internal/servers/controller/handlers/workers/multihop_service.go
@ -7,6 +7,7 @@ import (
 	pbs "github.com/hashicorp/nodeenrollment/multihop"
 	"github.com/hashicorp/nodeenrollment/nodeauth"
 	"github.com/hashicorp/nodeenrollment/noderegistration"
+	"github.com/hashicorp/nodeenrollment/nodetls"
 	"github.com/hashicorp/nodeenrollment/nodetypes"
 )

@ -41,5 +42,5 @@ func (m *multihopServiceServer) GenerateServerCertificates(ctx context.Context,
 	if err != nil {
 		return nil, fmt.Errorf("%s: error getting current parameters: %w", op, err)
 	}
-	return noderegistration.GenerateServerCertificates(ctx, storage, req, opt...)
+	return nodetls.GenerateServerCertificates(ctx, storage, req, opt...)
 }
--- a/internal/servers/controller/handlers/workers/worker_proxy_service.go
+++ b/internal/servers/controller/handlers/workers/worker_proxy_service.go
@ -0,0 +1,59 @@
+package workers
+
+import (
+	"context"
+	"sync/atomic"
+
+	pbs "github.com/hashicorp/boundary/internal/gen/controller/servers/services"
+)
+
+type workerProxyServiceServer struct {
+	pbs.UnimplementedServerCoordinationServiceServer
+	pbs.UnimplementedSessionServiceServer
+
+	scsClient *atomic.Value
+	ssClient  *atomic.Value
+}
+
+func NewWorkerProxyServiceServer(
+	scsClient *atomic.Value,
+	ssClient *atomic.Value,
+) *workerProxyServiceServer {
+	return &workerProxyServiceServer{
+		scsClient: scsClient,
+		ssClient:  ssClient,
+	}
+}
+
+var (
+	_ pbs.ServerCoordinationServiceServer = &workerProxyServiceServer{}
+	_ pbs.SessionServiceServer            = &workerProxyServiceServer{}
+)
+
+func (ws *workerProxyServiceServer) Status(ctx context.Context, req *pbs.StatusRequest) (*pbs.StatusResponse, error) {
+	return ws.scsClient.Load().(pbs.ServerCoordinationServiceClient).Status(ctx, req)
+}
+
+func (ws *workerProxyServiceServer) LookupSession(ctx context.Context, req *pbs.LookupSessionRequest) (*pbs.LookupSessionResponse, error) {
+	return ws.ssClient.Load().(pbs.SessionServiceClient).LookupSession(ctx, req)
+}
+
+func (ws *workerProxyServiceServer) CancelSession(ctx context.Context, req *pbs.CancelSessionRequest) (*pbs.CancelSessionResponse, error) {
+	return ws.ssClient.Load().(pbs.SessionServiceClient).CancelSession(ctx, req)
+}
+
+func (ws *workerProxyServiceServer) ActivateSession(ctx context.Context, req *pbs.ActivateSessionRequest) (*pbs.ActivateSessionResponse, error) {
+	return ws.ssClient.Load().(pbs.SessionServiceClient).ActivateSession(ctx, req)
+}
+
+func (ws *workerProxyServiceServer) AuthorizeConnection(ctx context.Context, req *pbs.AuthorizeConnectionRequest) (*pbs.AuthorizeConnectionResponse, error) {
+	return ws.ssClient.Load().(pbs.SessionServiceClient).AuthorizeConnection(ctx, req)
+}
+
+func (ws *workerProxyServiceServer) ConnectConnection(ctx context.Context, req *pbs.ConnectConnectionRequest) (*pbs.ConnectConnectionResponse, error) {
+	return ws.ssClient.Load().(pbs.SessionServiceClient).ConnectConnection(ctx, req)
+}
+
+func (ws *workerProxyServiceServer) CloseConnection(ctx context.Context, req *pbs.CloseConnectionRequest) (*pbs.CloseConnectionResponse, error) {
+	return ws.ssClient.Load().(pbs.SessionServiceClient).CloseConnection(ctx, req)
+}
--- a/internal/servers/worker/listeners.go
+++ b/internal/servers/worker/listeners.go
@ -13,6 +13,7 @@ import (
 	"time"

 	"github.com/hashicorp/boundary/internal/cmd/base"
+	pbs "github.com/hashicorp/boundary/internal/gen/controller/servers/services"
 	"github.com/hashicorp/boundary/internal/observability/event"
 	"github.com/hashicorp/boundary/internal/servers/controller/handlers/workers"
 	"github.com/hashicorp/go-multierror"
@ -139,6 +140,9 @@ func (w *Worker) configureForWorker(ln *base.ServerListener, logger *log.Logger)
 		nodeauth.MakeCurrentParametersFactory(w.baseContext, nodee.NopTransactionStorage(w.NodeeFileStorage)),
 	)
 	multihop.RegisterMultihopServiceServer(downstreamServer, multihopService)
+	statusSessionService := workers.NewWorkerProxyServiceServer(w.controllerStatusConn, w.controllerSessionConn)
+	pbs.RegisterServerCoordinationServiceServer(downstreamServer, statusSessionService)
+	pbs.RegisterSessionServiceServer(downstreamServer, statusSessionService)

 	ln.GrpcServer = downstreamServer

--- a/internal/servers/worker/worker.go
+++ b/internal/servers/worker/worker.go
@ -26,9 +26,10 @@ import (
 	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-secure-stdlib/base62"
 	"github.com/hashicorp/go-secure-stdlib/mlock"
+	nodee "github.com/hashicorp/nodeenrollment"
 	"github.com/hashicorp/nodeenrollment/nodeauth"
-	"github.com/hashicorp/nodeenrollment/noderegistration"
 	nodeefile "github.com/hashicorp/nodeenrollment/nodestorage/file"
+	"github.com/hashicorp/nodeenrollment/nodetypes"
 	ua "go.uber.org/atomic"
 	"google.golang.org/grpc/resolver"
 	"google.golang.org/grpc/resolver/manual"
@ -184,10 +185,11 @@ func (w *Worker) Start() error {
 		return err
 	}

-	w.NodeeKeyId, err = noderegistration.GenerateNodeCredentialsForRegistration(w.baseContext, w.NodeeFileStorage)
-	if err != nil {
+	var nodeCreds nodetypes.NodeCredentials
+	if err := nodeCreds.GenerateRegistrationParameters(w.baseContext, w.NodeeFileStorage); err != nil {
 		return err
 	}
+	w.NodeeKeyId = nodee.KeyIdFromPkix(nodeCreds.CertificatePublicKeyPkix)

 	if err := w.startControllerConnections(); err != nil {
 		return fmt.Errorf("error making controller connections: %w", err)
--- a/internal/session/repository_connection.go
+++ b/internal/session/repository_connection.go
@ -359,9 +359,9 @@ type CloseConnectionsForDeadWorkersResult struct {
 // The only input to the method is the grace period, in seconds.
 func (r *ConnectionRepository) CloseConnectionsForDeadWorkers(ctx context.Context, gracePeriod time.Duration) ([]CloseConnectionsForDeadWorkersResult, error) {
 	const op = "session.(ConnectionRepository).CloseConnectionsForDeadWorkers"
-	if gracePeriod < r.deadWorkerConnCloseMinGrace {
+	if gracePeriod < deadWorkerConnCloseMinGrace {
 		return nil, errors.New(ctx,
-			errors.InvalidParameter, op, fmt.Sprintf("gracePeriod must be at least %s", r.deadWorkerConnCloseMinGrace))
+			errors.InvalidParameter, op, fmt.Sprintf("gracePeriod must be at least %s", deadWorkerConnCloseMinGrace))
 	}

 	args := []interface{}{
--- a/internal/session/session_cleanup_job.go
+++ b/internal/session/session_cleanup_job.go
@ -20,7 +20,7 @@ import (
 const deadWorkerConnCloseMinGrace = servers.DefaultLiveness

 type closeConnectionsForDeadWorkersResult struct {
-	ServerId                string
+	WorkerId                string
 	LastUpdateTime          time.Time
 	NumberConnectionsClosed int
 }