auth: add server-only ACL #18715
Merged
auth: add server-only ACL #18715
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tgross
force-pushed
the
no-nil-acls-server-auth
branch
from
d04d8ae to
1299565
Compare
The RPC handlers expect to see `nil` ACL objects whenever ACLs are disabled. By using `nil` as a sentinel value, we have the risk of nil pointer exceptions and improper handling of `nil` when returned from our various auth methods that can lead to privilege escalation bugs. This is the second in a series to eliminate the use of `nil` ACLs as a sentinel value for when ACLs are disabled. This patch involves creating a new "virtual" ACL object for checking permissions on server operations and a matching `AuthenticateServerOnly` method for server-only RPCs that can produce that ACL. Ref: hashicorp/nomad-enterprise#1218 Ref: #18703
tgross
force-pushed
the
no-nil-acls-server-auth
branch
from
1299565 to
b2d799f
Compare
jrasell
approved these changes
Oct 11, 2023
| // The attribute below is avirtual policy that we never expose directly to | ||
| // the end user | ||
| server string | ||
| isLeader bool |
There was a problem hiding this comment.
Just checking my logic that currently this value will always be false, and this is expected?
There was a problem hiding this comment.
Yeah there's a LeaderACL object in nomad/structs that'll be used in one of the following PRs. My intent was not to have anything in these PRs that wasn't yet in use to avoid confusion, but I missed this one.
Co-authored-by: James Rasell <[email protected]>
lgfa29
approved these changes
Oct 11, 2023
Comment on lines
+252
to
+269
| // validateCertificateForName returns true if the certificate is valid | ||
| // for the given domain name. | ||
| func validateCertificateForName(cert *x509.Certificate, expectedName string) (bool, error) { | ||
| if cert == nil { | ||
| return false, nil | ||
| } | ||
|
|
||
| validNames := []string{cert.Subject.CommonName} | ||
| validNames = append(validNames, cert.DNSNames...) | ||
| for _, valid := range validNames { | ||
| if expectedName == valid { | ||
| return true, nil | ||
| } | ||
| } | ||
|
|
||
| return false, fmt.Errorf("invalid certificate, %s not in %s", | ||
| expectedName, strings.Join(validNames, ",")) | ||
| } |
There was a problem hiding this comment.
Is the idea for this function to replace ctx.ValidateCertificateForName()? Since we have a ctx above we could use it directly?
Lines 127 to 148 in 635afee
There was a problem hiding this comment.
You're seeing a bit of an artifact of breaking this work into multiple PRs. We only need the (*RPCContext).ValidateCertificateForName method to exist because we haven't done the "auth: add client-only ACL" PR.
When we've completed that, the only callers for this logic will exist encapsulated in the nomad/auth package so there's no reason to keep it in nomad/rpc.go anymore. That allows us to have all the code that tests it in the nomad/auth package without having to copy the logic into a ValidateCertificateForName method on the testContext struct (at which point we'd be testing the mock context logic and not the production code).
Comment on lines
-115
to
119
| // we need to allow both humans with management tokens and | ||
| // non-leader servers to list keys, in order to support | ||
| // replication | ||
| err := validateTLSCertificateLevel(k.srv, k.ctx, tlsCertificateLevelServer) | ||
| if err != nil { | ||
| if aclObj, err := k.srv.ResolveACL(args); err != nil { | ||
| return err | ||
| } else if aclObj != nil && !aclObj.IsManagement() { | ||
| return structs.ErrPermissionDenied | ||
| } | ||
| if aclObj, err := k.srv.ResolveACL(args); err != nil { | ||
| return err | ||
| } else if aclObj != nil && !aclObj.IsManagement() { | ||
| return structs.ErrPermissionDenied | ||
| } |
There was a problem hiding this comment.
When servers call this endpoint do they pass an aclObj?
There was a problem hiding this comment.
As it turns out, servers don't call this Keyring.List endpoint at all! I think we originally had this to support keyring replication between leader and followers, but the followers just read the metadata from the state store and then Keyring.Get the actually key material.
tgross
added a commit
that referenced
this pull request
Oct 11, 2023
The RPC handlers expect to see `nil` ACL objects whenever ACLs are disabled. By using `nil` as a sentinel value, we have the risk of nil pointer exceptions and improper handling of `nil` when returned from our various auth methods that can lead to privilege escalation bugs. This is the third in a series to eliminate the use of `nil` ACLs as a sentinel value for when ACLs are disabled. This patch involves creating a new "virtual" ACL object for checking permissions on client operations and a matching `AuthenticateClientOnly` method for client-only RPCs that can produce that ACL. Unlike the server ACLs PR, this also includes a special case for "legacy" client RPCs where the client was not previously sending the secret as it should (leaning on mTLS only). Those client RPCs were fixed in Nomad 1.6.0, but it'll take a while before we can guarantee they'll be present during upgrades. Ref: hashicorp/nomad-enterprise#1218 Ref: #18703 Ref: #18715 Ref: #16799
tgross
added a commit
that referenced
this pull request
Oct 12, 2023
The RPC handlers expect to see `nil` ACL objects whenever ACLs are disabled. By using `nil` as a sentinel value, we have the risk of nil pointer exceptions and improper handling of `nil` when returned from our various auth methods that can lead to privilege escalation bugs. This is the third in a series to eliminate the use of `nil` ACLs as a sentinel value for when ACLs are disabled. This patch involves creating a new "virtual" ACL object for checking permissions on client operations and a matching `AuthenticateClientOnly` method for client-only RPCs that can produce that ACL. Unlike the server ACLs PR, this also includes a special case for "legacy" client RPCs where the client was not previously sending the secret as it should (leaning on mTLS only). Those client RPCs were fixed in Nomad 1.6.0, but it'll take a while before we can guarantee they'll be present during upgrades. Ref: hashicorp/nomad-enterprise#1218 Ref: #18703 Ref: #18715 Ref: #16799
tgross
added a commit
that referenced
this pull request
Oct 12, 2023
The RPC handlers expect to see `nil` ACL objects whenever ACLs are disabled. By using `nil` as a sentinel value, we have the risk of nil pointer exceptions and improper handling of `nil` when returned from our various auth methods that can lead to privilege escalation bugs. This is the third in a series to eliminate the use of `nil` ACLs as a sentinel value for when ACLs are disabled. This patch involves leveraging the refactored `auth` package to remove the weird "mixed auth" helper functions that only support the Variables read/list RPC handlers. Instead, pass the ACL object and claim together into the `AllowVariableOperations` method in the usual `acl` package. Ref: hashicorp/nomad-enterprise#1218 Ref: #18703 Ref: #18715 Ref: #16799 Ref: #18730 Fixes: #15875
tgross
added a commit
that referenced
this pull request
Oct 12, 2023
The RPC handlers expect to see `nil` ACL objects whenever ACLs are disabled. By using `nil` as a sentinel value, we have the risk of nil pointer exceptions and improper handling of `nil` when returned from our various auth methods that can lead to privilege escalation bugs. This is the third in a series to eliminate the use of `nil` ACLs as a sentinel value for when ACLs are disabled. This patch involves leveraging the refactored `auth` package to remove the weird "mixed auth" helper functions that only support the Variables read/list RPC handlers. Instead, pass the ACL object and claim together into the `AllowVariableOperations` method in the usual `acl` package. Ref: hashicorp/nomad-enterprise#1218 Ref: #18703 Ref: #18715 Ref: #16799 Ref: #18730 Fixes: #15875
tgross
added a commit
that referenced
this pull request
Oct 13, 2023
The RPC handlers expect to see `nil` ACL objects whenever ACLs are disabled. By using `nil` as a sentinel value, we have the risk of nil pointer exceptions and improper handling of `nil` when returned from our various auth methods that can lead to privilege escalation bugs. This is the final patch in a series to eliminate the use of `nil` ACLs as a sentinel value for when ACLs are disabled. This patch adds a new virtual ACL policy field for when ACLs are disabled and updates our authentication logic to use it. Included: * Extends auth package tests to demonstrate that nil ACLs are treated as failed auth and disabled ACLs succeed auth. * Adds a new `AllowDebug` ACL check for the weird special casing we have for pprof debugging when ACLs are disabled. * Removes the remaining unexported methods (and repeated tests) from the `nomad/acl.go` file. * Update the semgrep rules to detect improper nil ACL checking and remove the old invalid ACL checks. * Update the contributing guide for RPC authentication. Ref: hashicorp/nomad-enterprise#1218 Ref: #18703 Ref: #18715 Ref: #16799 Ref: #18730 Ref: #18744
tgross
added a commit
that referenced
this pull request
Oct 16, 2023
The RPC handlers expect to see `nil` ACL objects whenever ACLs are disabled. By using `nil` as a sentinel value, we have the risk of nil pointer exceptions and improper handling of `nil` when returned from our various auth methods that can lead to privilege escalation bugs. This is the final patch in a series to eliminate the use of `nil` ACLs as a sentinel value for when ACLs are disabled. This patch adds a new virtual ACL policy field for when ACLs are disabled and updates our authentication logic to use it. Included: * Extends auth package tests to demonstrate that nil ACLs are treated as failed auth and disabled ACLs succeed auth. * Adds a new `AllowDebug` ACL check for the weird special casing we have for pprof debugging when ACLs are disabled. * Removes the remaining unexported methods (and repeated tests) from the `nomad/acl.go` file. * Update the semgrep rules to detect improper nil ACL checking and remove the old invalid ACL checks. * Update the contributing guide for RPC authentication. Ref: hashicorp/nomad-enterprise#1218 Ref: #18703 Ref: #18715 Ref: #16799 Ref: #18730 Ref: #18744
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The RPC handlers expect to see
nilACL objects whenever ACLs are disabled. By usingnilas a sentinel value, we have the risk of nil pointer exceptions and improper handling ofnilwhen returned from our various auth methods that can lead to privilege escalation bugs. This is the second in a series to eliminate the use ofnilACLs as a sentinel value for when ACLs are disabled.This patch involves creating a new "virtual" ACL object for checking permissions on server operations and a matching
AuthenticateServerOnlymethod for server-only RPCs that can produce that ACL.Ref: https://github.com/hashicorp/nomad-enterprise/pull/1218
Ref: #18703