Merge pull request #283 from hug-dev/spiffe

Add a JWT-SVID authenticator

Author: hug-dev

Cargo.lock

@@ -18,7 +18,6 @@ name = "parsec"
 path = "src/bin/main.rs"
 
 [dependencies]
-# Set to the newest interface version before releasing
 parsec-interface = "0.21.0"
 rand = { version = "0.7.3", features = ["small_rng"], optional = true }
 base64 = "0.12.3"
@@ -45,6 +44,8 @@ picky-asn1-x509 = { version = "0.3.2", optional = true }
 users = "0.10.0"
 libc = "0.2.77"
 anyhow = "1.0.32"
+# Using a fork until the JWT support is merged into the main rust-spiffe repository
+spiffe = { git = "https://github.com/hug-dev/rust-spiffe", branch = "refactor-jwt" }
 
 [dev-dependencies]
 rand = { version = "0.7.3", features = ["small_rng"] }

Cargo.toml

@@ -107,6 +107,24 @@ if [ "$PROVIDER_NAME" = "pkcs11" ] || [ "$PROVIDER_NAME" = "all" ]; then
     popd
 fi
 
+if [ "$PROVIDER_NAME" = "all" ]; then
+    # Start SPIRE server and agent
+    pushd /tmp/spire-0.11.1
+    ./bin/spire-server run -config conf/server/server.conf &
+    sleep 2
+    TOKEN=`bin/spire-server token generate -spiffeID spiffe://example.org/myagent | cut -d ' ' -f 2`
+    ./bin/spire-agent run -config conf/agent/agent.conf -joinToken $TOKEN &
+    sleep 2
+	# Register parsec-client-1
+    ./bin/spire-server entry create -parentID spiffe://example.org/myagent \
+		    -spiffeID spiffe://example.org/parsec-client-1 -selector unix:uid:$(id -u parsec-client-1)
+	# Register parsec-client-2
+    ./bin/spire-server entry create -parentID spiffe://example.org/myagent \
+		    -spiffeID spiffe://example.org/parsec-client-2 -selector unix:uid:$(id -u parsec-client-2)
+    sleep 5
+    popd
+fi
+
 echo "Build test"
 RUST_BACKTRACE=1 cargo build $FEATURES
 
@@ -139,16 +157,31 @@ if [ "$PROVIDER_NAME" = "all" ]; then
     RUST_BACKTRACE=1 cargo test $TEST_FEATURES --manifest-path ./e2e_tests/Cargo.toml all_providers::normal
 
     echo "Execute all-providers multi-tenancy tests"
-    su -c "RUST_BACKTRACE=1 cargo test $TEST_FEATURES --manifest-path ./e2e_tests/Cargo.toml --target-dir /home/parsec-client-1 all_providers::multitenancy::client1_before" parsec-client-1
-    su -c "RUST_BACKTRACE=1 cargo test $TEST_FEATURES --manifest-path ./e2e_tests/Cargo.toml --target-dir /home/parsec-client-2 all_providers::multitenancy::client2" parsec-client-2
-    su -c "RUST_BACKTRACE=1 cargo test $TEST_FEATURES --manifest-path ./e2e_tests/Cargo.toml --target-dir /home/parsec-client-1 all_providers::multitenancy::client1_after" parsec-client-1
+    # Needed because parsec-client-1 and 2 write to those locations owned by root
+    chmod 777 /tmp/parsec/e2e_tests
+    chmod 777 /tmp/
+    export SPIFFE_ENDPOINT_SOCKET="unix:///tmp/agent.sock"
+
+    # PATH is defined before each command for user to use their own version of the Rust toolchain
+    su -c "PATH=\"/home/parsec-client-1/.cargo/bin:${PATH}\";RUST_BACKTRACE=1 cargo test $TEST_FEATURES --manifest-path ./e2e_tests/Cargo.toml --target-dir /home/parsec-client-1 all_providers::multitenancy::client1_before" parsec-client-1
+    su -c "PATH=\"/home/parsec-client-2/.cargo/bin:${PATH}\";RUST_BACKTRACE=1 cargo test $TEST_FEATURES --manifest-path ./e2e_tests/Cargo.toml --target-dir /home/parsec-client-2 all_providers::multitenancy::client2" parsec-client-2
+    su -c "PATH=\"/home/parsec-client-1/.cargo/bin:${PATH}\";RUST_BACKTRACE=1 cargo test $TEST_FEATURES --manifest-path ./e2e_tests/Cargo.toml --target-dir /home/parsec-client-1 all_providers::multitenancy::client1_after" parsec-client-1
     # Change the authentication method
     sed -i 's/^\(auth_type\s*=\s*\).*$/\1\"UnixPeerCredentials\"/' $CONFIG_PATH
     pkill -SIGHUP parsec
     sleep 5
-    su -c "RUST_BACKTRACE=1 cargo test $TEST_FEATURES --manifest-path ./e2e_tests/Cargo.toml --target-dir /home/parsec-client-1 all_providers::multitenancy::client1_before" parsec-client-1
-    su -c "RUST_BACKTRACE=1 cargo test $TEST_FEATURES --manifest-path ./e2e_tests/Cargo.toml --target-dir /home/parsec-client-2 all_providers::multitenancy::client2" parsec-client-2
-    su -c "RUST_BACKTRACE=1 cargo test $TEST_FEATURES --manifest-path ./e2e_tests/Cargo.toml --target-dir /home/parsec-client-1 all_providers::multitenancy::client1_after" parsec-client-1
+    su -c "PATH=\"/home/parsec-client-1/.cargo/bin:${PATH}\";RUST_BACKTRACE=1 cargo test $TEST_FEATURES --manifest-path ./e2e_tests/Cargo.toml --target-dir /home/parsec-client-1 all_providers::multitenancy::client1_before" parsec-client-1
+    su -c "PATH=\"/home/parsec-client-2/.cargo/bin:${PATH}\";RUST_BACKTRACE=1 cargo test $TEST_FEATURES --manifest-path ./e2e_tests/Cargo.toml --target-dir /home/parsec-client-2 all_providers::multitenancy::client2" parsec-client-2
+    su -c "PATH=\"/home/parsec-client-1/.cargo/bin:${PATH}\";RUST_BACKTRACE=1 cargo test $TEST_FEATURES --manifest-path ./e2e_tests/Cargo.toml --target-dir /home/parsec-client-1 all_providers::multitenancy::client1_after" parsec-client-1
+
+    # Change the authentication method
+    sed -i 's/^\(auth_type\s*=\s*\).*$/\1\"JwtSvid\"/' $CONFIG_PATH
+    sed -i 's@#workload_endpoint@workload_endpoint@' $CONFIG_PATH
+    pkill -SIGHUP parsec
+    sleep 5
+    su -c "PATH=\"/home/parsec-client-1/.cargo/bin:${PATH}\";RUST_BACKTRACE=1 cargo test $TEST_FEATURES --manifest-path ./e2e_tests/Cargo.toml --target-dir /home/parsec-client-1 all_providers::multitenancy::client1_before" parsec-client-1
+    su -c "PATH=\"/home/parsec-client-2/.cargo/bin:${PATH}\";RUST_BACKTRACE=1 cargo test $TEST_FEATURES --manifest-path ./e2e_tests/Cargo.toml --target-dir /home/parsec-client-2 all_providers::multitenancy::client2" parsec-client-2
+    su -c "PATH=\"/home/parsec-client-1/.cargo/bin:${PATH}\";RUST_BACKTRACE=1 cargo test $TEST_FEATURES --manifest-path ./e2e_tests/Cargo.toml --target-dir /home/parsec-client-1 all_providers::multitenancy::client1_after" parsec-client-1
 
     # Last test as it changes the service configuration
     echo "Execute all-providers config tests"

ci.sh

@@ -58,12 +58,18 @@ timeout = 200 # in milliseconds
 [authenticator]
 # (Required) Type of authenticator that will be used to authenticate clients' authentication
 # payloads.
-# Possible values: "Direct" and "UnixPeerCredentials".
+# Possible values: "Direct", "UnixPeerCredentials" and "JwtSvid".
 # WARNING: The "Direct" authenticator is only secure under specific requirements. Please make sure
 # to read the Recommendations on a Secure Parsec Deployment at
 # https://parallaxsecond.github.io/parsec-book/parsec_security/secure_deployment.html
 auth_type = "UnixPeerCredentials"
 
+# (Required only for JwtSvid) Location of the Workload API endpoint
+# WARNING: only use this authenticator if the Workload API socket is TRUSTED. A malicious entity
+# owning that socket would have access to all the keys owned by clients using this authentication
+# method. This path *must* be trusted for as long as Parsec is running.
+#workload_endpoint="unix:///tmp/agent.sock"
+
 # (Required) Configuration for the components managing key info for providers.
 # Defined as an array of tables: https://github.com/toml-lang/toml#user-content-array-of-tables
 [[key_manager]]

config.toml

@@ -14,13 +14,13 @@ publish = false
 
 [dependencies]
 serde = { version = "1.0.115", features = ["derive"] }
-parsec-client = { version = "0.11.0", features = ["testing"] }
+parsec-client = { git = "https://github.com/parallaxsecond/parsec-client-rust.git", features = ["testing", "spiffe-auth"] }
 log = "0.4.11"
 rand = "0.7.3"
+env_logger = "0.7.1"
 
 [dev-dependencies]
 ring = "0.16.15"
-env_logger = "0.7.1"
 rsa = "0.3.0"
 picky-asn1-x509 = "0.3.2"
 base64 = "0.12.3"

e2e_tests/Cargo.toml

@@ -6,9 +6,7 @@ RUN apt-get update && \
 	apt-get install -y git make gcc python3 python curl wget cmake && \
 	apt-get install -y automake autoconf libtool pkg-config libssl-dev libgcc1 && \
 	# These libraries are needed for bindgen as it uses libclang.so
-	apt-get install -y clang libclang-dev libc6-dev-i386 && \
-	# Install cargo globally to not have to install it for each user for multitenancy tests
-	apt-get install -y cargo
+	apt-get install -y clang libclang-dev libc6-dev-i386
 
 WORKDIR /tmp
 RUN wget https://github.com/ARMmbed/mbed-crypto/archive/mbedcrypto-2.0.0.tar.gz
@@ -55,3 +53,17 @@ RUN softhsm2-util --init-token --slot 0 --label "Parsec Tests" --pin 123456 --so
 # Add users for multitenancy tests
 RUN useradd -m parsec-client-1
 RUN useradd -m parsec-client-2
+
+USER parsec-client-1
+RUN curl https://sh.rustup.rs -sSf | bash -s -- -y
+
+USER parsec-client-2
+RUN curl https://sh.rustup.rs -sSf | bash -s -- -y
+
+# Install Rust toolchain for root
+USER root
+RUN curl https://sh.rustup.rs -sSf | bash -s -- -y
+ENV PATH="/root/.cargo/bin:${PATH}"
+
+# Download the SPIRE server and agent
+RUN curl -s -N -L https://github.com/spiffe/spire/releases/download/v0.11.1/spire-0.11.1-linux-x86_64-glibc.tar.gz | tar xz

e2e_tests/provider_cfg/all/Dockerfile

@@ -14,6 +14,7 @@ socket_path = "/tmp/parsec.sock"
 
 [authenticator]
 auth_type = "Direct"
+#workload_endpoint="unix:///tmp/agent.sock"
 
 [[key_manager]]
 name = "on-disk-manager"

e2e_tests/provider_cfg/all/config.toml

@@ -2,6 +2,9 @@ FROM tpm2software/tpm2-tss:ubuntu-18.04
 
 ENV PKG_CONFIG_PATH /usr/local/lib/pkgconfig
 
+RUN apt-get update && \
+	apt-get install -y cmake
+
 # Download and install TSS 2.0
 RUN git clone https://github.com/tpm2-software/tpm2-tss.git --branch 2.3.3
 RUN cd tpm2-tss \

e2e_tests/provider_cfg/tpm/Dockerfile

@@ -52,6 +52,9 @@ fn convert_error(err: Error) -> ResponseStatus {
 impl TestClient {
     /// Creates a TestClient instance.
     pub fn new() -> TestClient {
+        // As this method is called in test, it will be called more than once per application.
+        if let Err(_) = env_logger::try_init() {};
+
         let mut basic_client = BasicClient::new_naked();
 
         let ipc_handler = unix_socket::Handler::new(TEST_SOCKET_PATH.into(), Some(TEST_TIMEOUT));

e2e_tests/src/lib.rs

@@ -5,8 +5,6 @@ use std::time::Duration;
 
 #[test]
 fn stress_test() {
-    env_logger::init();
-
     let config = StressTestConfig {
         no_threads: num_cpus::get(),
         req_per_thread: 250,

e2e_tests/tests/per_provider/stress_test.rs

@@ -0,0 +1,71 @@
+// Copyright 2020 Contributors to the Parsec project.
+// SPDX-License-Identifier: Apache-2.0
+//! JWT SVID authenticator
+
+use super::ApplicationName;
+use super::Authenticate;
+use crate::front::listener::ConnectionMetadata;
+use log::error;
+use parsec_interface::operations::list_authenticators;
+use parsec_interface::requests::request::RequestAuth;
+use parsec_interface::requests::Result;
+use parsec_interface::requests::{AuthType, ResponseStatus};
+use parsec_interface::secrecy::ExposeSecret;
+use spiffe::svid::jwt::Jwt;
+use spiffe::workload::jwt::JWTClient;
+use std::str;
+
+/// JWT SVID authenticator
+#[allow(missing_debug_implementations)]
+pub struct JwtSvidAuthenticator {
+    jwt_client: JWTClient,
+}
+
+impl JwtSvidAuthenticator {
+    /// Create a new JWT-SVID authenticator with a specific path to the Workload API socket.
+    pub fn new(workload_endpoint: String) -> Self {
+        JwtSvidAuthenticator {
+            jwt_client: JWTClient::new(&workload_endpoint, None, None),
+        }
+    }
+}
+
+impl Authenticate for JwtSvidAuthenticator {
+    fn describe(&self) -> Result<list_authenticators::AuthenticatorInfo> {
+        Ok(list_authenticators::AuthenticatorInfo {
+            description: String::from(
+                "Authenticator validating a JWT SPIFFE Verifiable Identity Document",
+            ),
+            version_maj: 0,
+            version_min: 1,
+            version_rev: 0,
+            id: AuthType::JwtSvid,
+        })
+    }
+
+    fn authenticate(
+        &self,
+        auth: &RequestAuth,
+        _: Option<ConnectionMetadata>,
+    ) -> Result<ApplicationName> {
+        let svid = Jwt::new(
+            str::from_utf8(auth.buffer.expose_secret())
+                .map_err(|e| {
+                    error!(
+                        "The authentication buffer can not be parsed into a UTF-8 string ({}).",
+                        e
+                    );
+                    ResponseStatus::InvalidEncoding
+                })?
+                .to_string(),
+        );
+        let audience = String::from("parsec");
+
+        let validate_response = self.jwt_client.validate(audience, svid).map_err(|e| {
+            error!("The validation of the JWT-SVID failed ({}).", e);
+            ResponseStatus::AuthenticationError
+        })?;
+
+        Ok(ApplicationName(validate_response.spiffe_id().to_string()))
+    }
+}

src/authenticators/jwt_svid_authenticator/mod.rs

@@ -13,6 +13,8 @@ pub mod direct_authenticator;
 
 pub mod unix_peer_credentials_authenticator;
 
+pub mod jwt_svid_authenticator;
+
 use crate::front::listener::ConnectionMetadata;
 use parsec_interface::operations::list_authenticators;
 use parsec_interface::requests::request::RequestAuth;
@@ -68,12 +70,17 @@ impl std::fmt::Display for ApplicationName {
 }
 
 /// Authenticator configuration structure
-#[derive(Copy, Clone, Deserialize, Debug, Zeroize)]
+#[derive(Deserialize, Debug, Zeroize)]
 #[zeroize(drop)]
 #[serde(tag = "auth_type")]
 pub enum AuthenticatorConfig {
     /// Direct authentication
     Direct,
     /// Unix Peer Credenditals authentication
     UnixPeerCredentials,
+    /// JWT-SVID
+    JwtSvid {
+        /// Path to the Workload API socket
+        workload_endpoint: String,
+    },
 }

src/authenticators/mod.rs

@@ -6,6 +6,7 @@
 //! provided configuration.
 use super::global_config::GlobalConfigBuilder;
 use crate::authenticators::direct_authenticator::DirectAuthenticator;
+use crate::authenticators::jwt_svid_authenticator::JwtSvidAuthenticator;
 use crate::authenticators::unix_peer_credentials_authenticator::UnixPeerCredentialsAuthenticator;
 use crate::authenticators::{Authenticate, AuthenticatorConfig};
 use crate::back::{
@@ -383,6 +384,10 @@ fn build_authenticators(config: &AuthenticatorConfig) -> Vec<(AuthType, Authenti
             AuthType::UnixPeerCredentials,
             Box::from(UnixPeerCredentialsAuthenticator {}),
         )),
+        AuthenticatorConfig::JwtSvid { workload_endpoint } => authenticators.push((
+            AuthType::JwtSvid,
+            Box::from(JwtSvidAuthenticator::new(workload_endpoint.to_string())),
+        )),
     };
 
     authenticators