tokenserver/appengine/impl/machinetoken/rpc_mint_machine_token.go - infra/luci/luci-go - Git at Google

 // Copyright 2016 The LUCI Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 package machinetoken

 import (
 	"context"
 	"crypto/x509"
 	"fmt"
 	"time"

 	"go.opentelemetry.io/otel/trace"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 	"google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/timestamppb"

 	"go.chromium.org/luci/common/clock"
 	"go.chromium.org/luci/common/logging"
 	"go.chromium.org/luci/common/retry/transient"
 	"go.chromium.org/luci/server/auth"
 	"go.chromium.org/luci/server/auth/signing"

 	tokenserver "go.chromium.org/luci/tokenserver/api"
 	"go.chromium.org/luci/tokenserver/api/admin/v1"
 	"go.chromium.org/luci/tokenserver/api/minter/v1"

 	"go.chromium.org/luci/tokenserver/appengine/impl/certchecker"
 	"go.chromium.org/luci/tokenserver/appengine/impl/certconfig"
 	"go.chromium.org/luci/tokenserver/appengine/impl/utils"
 )

 // MintMachineTokenRPC implements TokenMinter.MintMachineToken RPC method.
 type MintMachineTokenRPC struct {
 	// Signer is mocked in tests.
 	//
 	// In prod it is the default server signer that uses server's service account.
 	Signer signing.Signer

 	// CheckCertificate is mocked in tests.
 	//
 	// In prod it is certchecker.CheckCertificate.
 	CheckCertificate func(c context.Context, cert *x509.Certificate) (*certconfig.CA, error)

 	// LogToken is mocked in tests.
 	//
 	// In prod it is produced by NewTokenLogger.
 	LogToken TokenLogger
 }

 // MintMachineToken generates a new token for an authenticated machine.
 func (r *MintMachineTokenRPC) MintMachineToken(c context.Context, req *minter.MintMachineTokenRequest) (*minter.MintMachineTokenResponse, error) {
 	// Parse serialized portion of the request and do minimal validation before
 	// checking the signature to reject obviously bad requests.
 	if len(req.SerializedTokenRequest) == 0 {
 		return nil, status.Errorf(codes.InvalidArgument, "empty request")
 	}
 	tokenReq := minter.MachineTokenRequest{}
 	if err := proto.Unmarshal(req.SerializedTokenRequest, &tokenReq); err != nil {
 		return nil, status.Errorf(codes.InvalidArgument, "failed to unmarshal TokenRequest - %s", err)
 	}

 	switch tokenReq.TokenType {
 	case tokenserver.MachineTokenType_LUCI_MACHINE_TOKEN:
 		// supported
 	default:
 		return r.mintingErrorResponse(
 			c, minter.ErrorCode_UNSUPPORTED_TOKEN_TYPE,
 			"token_type %s is not supported", tokenReq.TokenType)
 	}

 	// Timestamp is required.
 	issuedAt := tokenReq.IssuedAt.AsTime()
 	if issuedAt.IsZero() {
 		return r.mintingErrorResponse(c, minter.ErrorCode_BAD_TIMESTAMP, "issued_at is required")
 	}

 	// It should be within acceptable range.
 	now := clock.Now(c)
 	notBefore := now.Add(-10 * time.Minute)
 	notAfter := now.Add(10 * time.Minute)
 	if issuedAt.Before(notBefore) || issuedAt.After(notAfter) {
 		return r.mintingErrorResponse(
 			c, minter.ErrorCode_BAD_TIMESTAMP,
 			"issued_at timestamp is not within acceptable range, check your clock")
 	}

 	// The certificate must be valid.
 	cert, err := x509.ParseCertificate(tokenReq.Certificate)
 	if err != nil {
 		return r.mintingErrorResponse(
 			c, minter.ErrorCode_BAD_CERTIFICATE_FORMAT,
 			"failed to parse the certificate (expecting x509 cert DER)")
 	}

 	// Check the signature before proceeding. Use switch when picking an algo
 	// as a reminder to add a new branch if new signature scheme is added.
 	var algo x509.SignatureAlgorithm
 	switch tokenReq.SignatureAlgorithm {
 	case minter.SignatureAlgorithm_SHA256_RSA_ALGO:
 		algo = x509.SHA256WithRSA
 	default:
 		return r.mintingErrorResponse(
 			c, minter.ErrorCode_UNSUPPORTED_SIGNATURE,
 			"signature_algorithm %s is not supported", tokenReq.SignatureAlgorithm)
 	}
 	err = cert.CheckSignature(algo, req.SerializedTokenRequest, req.Signature)
 	if err != nil {
 		return r.mintingErrorResponse(
 			c, minter.ErrorCode_BAD_SIGNATURE,
 			"signature verification failed - %s", err)
 	}

 	// At this point we know the request was signed by the holder of a private key
 	// that matches the certificate.
 	//
 	// Let's make sure the token server knows about that key, i.e. the certificate
 	// itself is signed by some trusted CA, it is valid (not expired), and it
 	// hasn't been revoked yet. CheckCertificate does these checks.
 	ca, err := r.CheckCertificate(c, cert)

 	// Recognize error codes related to CA cert checking. Everything else is
 	// transient errors.
 	if err != nil {
 		if certchecker.IsCertInvalidError(err) {
 			return r.mintingErrorResponse(c, minter.ErrorCode_UNTRUSTED_CERTIFICATE, "%s", err)
 		}
 		return nil, status.Errorf(codes.Internal, "failed to check the certificate - %s", err)
 	}

 	// At this point we trust what's in MachineTokenRequest, proceed with
 	// generating the token.
 	args := mintTokenArgs{
 		Config:  ca.ParsedConfig,
 		Cert:    cert,
 		Request: &tokenReq,
 	}
 	switch tokenReq.TokenType {
 	case tokenserver.MachineTokenType_LUCI_MACHINE_TOKEN:
 		resp, body, err := r.mintLuciMachineToken(c, args)
 		switch {
 		case err != nil: // grpc-level error
 			return nil, err
 		case resp == nil: // should not happen
 			panic("both resp and err can't be nil")
 		case resp.ErrorCode != 0: // logic-level error
 			if resp.TokenResponse != nil {
 				panic("TokenResponse must be nil if ErrorCode != 0")
 			}
 			return resp, nil
 		}
 		if resp.TokenResponse == nil {
 			panic("TokenResponse must not be nil if ErrorCode == 0")
 		}
 		if r.LogToken != nil {
 			// Errors during logging are considered not fatal. We have a monitoring
 			// counter that tracks number of errors, so they are not totally
 			// invisible.
 			tokInfo := MintedTokenInfo{
 				Request:   &tokenReq,
 				Response:  resp.TokenResponse,
 				TokenBody: body,
 				CA:        ca,
 				PeerIP:    auth.GetState(c).PeerIP(),
 				RequestID: trace.SpanContextFromContext(c).TraceID().String(),
 			}
 			if logErr := r.LogToken(c, &tokInfo); logErr != nil {
 				logging.WithError(logErr).Errorf(c, "Failed to insert the machine token into BigQuery log")
 			}
 		}
 		return resp, nil
 	default:
 		panic("impossible") // there's a check above
 	}
 }

 type mintTokenArgs struct {
 	Config  *admin.CertificateAuthorityConfig
 	Cert    *x509.Certificate
 	Request *minter.MachineTokenRequest
 }

 func (r *MintMachineTokenRPC) mintLuciMachineToken(c context.Context, args mintTokenArgs) (*minter.MintMachineTokenResponse, *tokenserver.MachineTokenBody, error) {
 	// Validate FQDN and whether it is allowed by config. The FQDN is extracted
 	// from the cert.
 	params := MintParams{
 		Cert:   args.Cert,
 		Config: args.Config,
 		Signer: r.Signer,
 	}
 	if err := params.Validate(); err != nil {
 		resp, err := r.mintingErrorResponse(c, minter.ErrorCode_BAD_TOKEN_ARGUMENTS, "%s", err)
 		return resp, nil, err
 	}

 	serviceVer, err := utils.ServiceVersion(c, r.Signer)
 	if err != nil {
 		return nil, nil, status.Errorf(codes.Internal, "can't grab service version - %s", err)
 	}

 	// Make the token.
 	switch body, signedToken, err := Mint(c, &params); {
 	case err == nil:
 		expiry := time.Unix(int64(body.IssuedAt), 0).Add(time.Duration(body.Lifetime) * time.Second)
 		return &minter.MintMachineTokenResponse{
 			ServiceVersion: serviceVer,
 			TokenResponse: &minter.MachineTokenResponse{
 				ServiceVersion: serviceVer,
 				TokenType: &minter.MachineTokenResponse_LuciMachineToken{
 					LuciMachineToken: &minter.LuciMachineToken{
 						MachineToken: signedToken,
 						Expiry:       timestamppb.New(expiry),
 					},
 				},
 			},
 		}, body, nil
 	case transient.Tag.In(err):
 		return nil, nil, status.Errorf(codes.Internal, "failed to generate machine token - %s", err)
 	default:
 		resp, err := r.mintingErrorResponse(c, minter.ErrorCode_MACHINE_TOKEN_MINTING_ERROR, "%s", err)
 		return resp, nil, err
 	}
 }

 func (r *MintMachineTokenRPC) mintingErrorResponse(c context.Context, code minter.ErrorCode, msg string, args ...any) (*minter.MintMachineTokenResponse, error) {
 	serviceVer, err := utils.ServiceVersion(c, r.Signer)
 	if err != nil {
 		return nil, status.Errorf(codes.Internal, "can't grab service version - %s", err)
 	}
 	return &minter.MintMachineTokenResponse{
 		ErrorCode:      code,
 		ErrorMessage:   fmt.Sprintf(msg, args...),
 		ServiceVersion: serviceVer,
 	}, nil
 }
	// Copyright 2016 The LUCI Authors.
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	package machinetoken

	import (
	"context"
	"crypto/x509"
	"fmt"
	"time"

	"go.opentelemetry.io/otel/trace"
	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/status"
	"google.golang.org/protobuf/proto"
	"google.golang.org/protobuf/types/known/timestamppb"

	"go.chromium.org/luci/common/clock"
	"go.chromium.org/luci/common/logging"
	"go.chromium.org/luci/common/retry/transient"
	"go.chromium.org/luci/server/auth"
	"go.chromium.org/luci/server/auth/signing"

	tokenserver "go.chromium.org/luci/tokenserver/api"
	"go.chromium.org/luci/tokenserver/api/admin/v1"
	"go.chromium.org/luci/tokenserver/api/minter/v1"

	"go.chromium.org/luci/tokenserver/appengine/impl/certchecker"
	"go.chromium.org/luci/tokenserver/appengine/impl/certconfig"
	"go.chromium.org/luci/tokenserver/appengine/impl/utils"
	)

	// MintMachineTokenRPC implements TokenMinter.MintMachineToken RPC method.
	type MintMachineTokenRPC struct {
	// Signer is mocked in tests.
	//
	// In prod it is the default server signer that uses server's service account.
	Signer signing.Signer

	// CheckCertificate is mocked in tests.
	//
	// In prod it is certchecker.CheckCertificate.
	CheckCertificate func(c context.Context, cert x509.Certificate) (certconfig.CA, error)

	// LogToken is mocked in tests.
	//
	// In prod it is produced by NewTokenLogger.
	LogToken TokenLogger
	}

	// MintMachineToken generates a new token for an authenticated machine.
	func (r MintMachineTokenRPC) MintMachineToken(c context.Context, req minter.MintMachineTokenRequest) (*minter.MintMachineTokenResponse, error) {
	// Parse serialized portion of the request and do minimal validation before
	// checking the signature to reject obviously bad requests.
	if len(req.SerializedTokenRequest) == 0 {
	return nil, status.Errorf(codes.InvalidArgument, "empty request")
	}
	tokenReq := minter.MachineTokenRequest{}
	if err := proto.Unmarshal(req.SerializedTokenRequest, &tokenReq); err != nil {
	return nil, status.Errorf(codes.InvalidArgument, "failed to unmarshal TokenRequest - %s", err)
	}

	switch tokenReq.TokenType {
	case tokenserver.MachineTokenType_LUCI_MACHINE_TOKEN:
	// supported
	default:
	return r.mintingErrorResponse(
	c, minter.ErrorCode_UNSUPPORTED_TOKEN_TYPE,
	"token_type %s is not supported", tokenReq.TokenType)
	}

	// Timestamp is required.
	issuedAt := tokenReq.IssuedAt.AsTime()
	if issuedAt.IsZero() {
	return r.mintingErrorResponse(c, minter.ErrorCode_BAD_TIMESTAMP, "issued_at is required")
	}

	// It should be within acceptable range.
	now := clock.Now(c)
	notBefore := now.Add(-10 * time.Minute)
	notAfter := now.Add(10 * time.Minute)
	if issuedAt.Before(notBefore) \|\| issuedAt.After(notAfter) {
	return r.mintingErrorResponse(
	c, minter.ErrorCode_BAD_TIMESTAMP,
	"issued_at timestamp is not within acceptable range, check your clock")
	}

	// The certificate must be valid.
	cert, err := x509.ParseCertificate(tokenReq.Certificate)
	if err != nil {
	return r.mintingErrorResponse(
	c, minter.ErrorCode_BAD_CERTIFICATE_FORMAT,
	"failed to parse the certificate (expecting x509 cert DER)")
	}

	// Check the signature before proceeding. Use switch when picking an algo
	// as a reminder to add a new branch if new signature scheme is added.
	var algo x509.SignatureAlgorithm
	switch tokenReq.SignatureAlgorithm {
	case minter.SignatureAlgorithm_SHA256_RSA_ALGO:
	algo = x509.SHA256WithRSA
	default:
	return r.mintingErrorResponse(
	c, minter.ErrorCode_UNSUPPORTED_SIGNATURE,
	"signature_algorithm %s is not supported", tokenReq.SignatureAlgorithm)
	}
	err = cert.CheckSignature(algo, req.SerializedTokenRequest, req.Signature)
	if err != nil {
	return r.mintingErrorResponse(
	c, minter.ErrorCode_BAD_SIGNATURE,
	"signature verification failed - %s", err)
	}

	// At this point we know the request was signed by the holder of a private key
	// that matches the certificate.
	//
	// Let's make sure the token server knows about that key, i.e. the certificate
	// itself is signed by some trusted CA, it is valid (not expired), and it
	// hasn't been revoked yet. CheckCertificate does these checks.
	ca, err := r.CheckCertificate(c, cert)

	// Recognize error codes related to CA cert checking. Everything else is
	// transient errors.
	if err != nil {
	if certchecker.IsCertInvalidError(err) {
	return r.mintingErrorResponse(c, minter.ErrorCode_UNTRUSTED_CERTIFICATE, "%s", err)
	}
	return nil, status.Errorf(codes.Internal, "failed to check the certificate - %s", err)
	}

	// At this point we trust what's in MachineTokenRequest, proceed with
	// generating the token.
	args := mintTokenArgs{
	Config: ca.ParsedConfig,
	Cert: cert,
	Request: &tokenReq,
	}
	switch tokenReq.TokenType {
	case tokenserver.MachineTokenType_LUCI_MACHINE_TOKEN:
	resp, body, err := r.mintLuciMachineToken(c, args)
	switch {
	case err != nil: // grpc-level error
	return nil, err
	case resp == nil: // should not happen
	panic("both resp and err can't be nil")
	case resp.ErrorCode != 0: // logic-level error
	if resp.TokenResponse != nil {
	panic("TokenResponse must be nil if ErrorCode != 0")
	}
	return resp, nil
	}
	if resp.TokenResponse == nil {
	panic("TokenResponse must not be nil if ErrorCode == 0")
	}
	if r.LogToken != nil {
	// Errors during logging are considered not fatal. We have a monitoring
	// counter that tracks number of errors, so they are not totally
	// invisible.
	tokInfo := MintedTokenInfo{
	Request: &tokenReq,
	Response: resp.TokenResponse,
	TokenBody: body,
	CA: ca,
	PeerIP: auth.GetState(c).PeerIP(),
	RequestID: trace.SpanContextFromContext(c).TraceID().String(),
	}
	if logErr := r.LogToken(c, &tokInfo); logErr != nil {
	logging.WithError(logErr).Errorf(c, "Failed to insert the machine token into BigQuery log")
	}
	}
	return resp, nil
	default:
	panic("impossible") // there's a check above
	}
	}

	type mintTokenArgs struct {
	Config *admin.CertificateAuthorityConfig
	Cert *x509.Certificate
	Request *minter.MachineTokenRequest
	}

	func (r MintMachineTokenRPC) mintLuciMachineToken(c context.Context, args mintTokenArgs) (minter.MintMachineTokenResponse, *tokenserver.MachineTokenBody, error) {
	// Validate FQDN and whether it is allowed by config. The FQDN is extracted
	// from the cert.
	params := MintParams{
	Cert: args.Cert,
	Config: args.Config,
	Signer: r.Signer,
	}
	if err := params.Validate(); err != nil {
	resp, err := r.mintingErrorResponse(c, minter.ErrorCode_BAD_TOKEN_ARGUMENTS, "%s", err)
	return resp, nil, err
	}

	serviceVer, err := utils.ServiceVersion(c, r.Signer)
	if err != nil {
	return nil, nil, status.Errorf(codes.Internal, "can't grab service version - %s", err)
	}

	// Make the token.
	switch body, signedToken, err := Mint(c, &params); {
	case err == nil:
	expiry := time.Unix(int64(body.IssuedAt), 0).Add(time.Duration(body.Lifetime) * time.Second)
	return &minter.MintMachineTokenResponse{
	ServiceVersion: serviceVer,
	TokenResponse: &minter.MachineTokenResponse{
	ServiceVersion: serviceVer,
	TokenType: &minter.MachineTokenResponse_LuciMachineToken{
	LuciMachineToken: &minter.LuciMachineToken{
	MachineToken: signedToken,
	Expiry: timestamppb.New(expiry),
	},
	},
	},
	}, body, nil
	case transient.Tag.In(err):
	return nil, nil, status.Errorf(codes.Internal, "failed to generate machine token - %s", err)
	default:
	resp, err := r.mintingErrorResponse(c, minter.ErrorCode_MACHINE_TOKEN_MINTING_ERROR, "%s", err)
	return resp, nil, err
	}
	}

	func (r MintMachineTokenRPC) mintingErrorResponse(c context.Context, code minter.ErrorCode, msg string, args ...any) (minter.MintMachineTokenResponse, error) {
	serviceVer, err := utils.ServiceVersion(c, r.Signer)
	if err != nil {
	return nil, status.Errorf(codes.Internal, "can't grab service version - %s", err)
	}
	return &minter.MintMachineTokenResponse{
	ErrorCode: code,
	ErrorMessage: fmt.Sprintf(msg, args...),
	ServiceVersion: serviceVer,
	}, nil
	}