blob: 4ec30ee05a3589a2dfd412b22c3d8f92cef1e893 [file] [log] [blame]
// Copyright 2016 The LUCI Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// Package machine implements authentication based on LUCI machine tokens.
package machine
import (
"context"
"encoding/base64"
"fmt"
"net/http"
"time"
"github.com/golang/protobuf/proto"
"go.chromium.org/luci/auth/identity"
"go.chromium.org/luci/common/clock"
"go.chromium.org/luci/common/errors"
"go.chromium.org/luci/common/logging"
"go.chromium.org/luci/common/retry/transient"
"go.chromium.org/luci/server/auth"
"go.chromium.org/luci/server/auth/signing"
"go.chromium.org/luci/tokenserver/api"
)
const (
// MachineTokenHeader is an HTTP header that carries the machine token.
MachineTokenHeader = "X-Luci-Machine-Token"
// TokenServersGroup is name of a group with trusted token servers.
//
// This group should contain service account emails of token servers we trust.
TokenServersGroup = "auth-token-servers"
// allowedClockDrift is how much clock difference we tolerate.
allowedClockDrift = 10 * time.Second
)
var (
// ErrBadToken is returned if the supplied machine token is not valid.
//
// See app logs for more details.
ErrBadToken = errors.New("bad machine token")
)
// MachineTokenAuthMethod implements auth.Method by verifying machine tokens.
//
// It looks at X-Luci-Machine-Token header and verifies that it contains a valid
// non-expired machine token issued by some trusted token server instance.
//
// A list of trusted token servers is specified in 'auth-token-servers' group.
//
// If the token is valid, the request will be authenticated as coming from
// 'bot:<machine_fqdn>', where <machine_fqdn> is extracted from the token. It is
// lowercase FQDN of a machine (as specified in the certificate used to mint the
// token).
type MachineTokenAuthMethod struct {
// certsFetcher is mocked in unit tests.
//
// In prod it is based on signing.FetchCertificatesForServiceAccount.
certsFetcher func(c context.Context, email string) (*signing.PublicCertificates, error)
}
// Authenticate extracts peer's identity from the incoming request.
//
// It logs detailed errors in log, but returns only generic "bad credential"
// error to the caller, to avoid leaking unnecessary information.
func (m *MachineTokenAuthMethod) Authenticate(c context.Context, r *http.Request) (*auth.User, error) {
token := r.Header.Get(MachineTokenHeader)
if token == "" {
return nil, nil // no token -> the auth method is not applicable
}
// Deserialize both envelope and the body.
envelope, body, err := deserialize(token)
if err != nil {
logTokenError(c, r, body, err, "Failed to deserialize the token")
return nil, ErrBadToken
}
// Construct an identity of a token server that signed the token to check that
// it belongs to "auth-token-servers" group.
signerServiceAccount, err := identity.MakeIdentity("user:" + body.IssuedBy)
if err != nil {
logTokenError(c, r, body, err, "Bad issued_by field - %q", body.IssuedBy)
return nil, ErrBadToken
}
// Reject tokens from unknown token servers right away.
db, err := auth.GetDB(c)
if err != nil {
return nil, transient.Tag.Apply(err)
}
ok, err := db.IsMember(c, signerServiceAccount, []string{TokenServersGroup})
if err != nil {
return nil, transient.Tag.Apply(err)
}
if !ok {
logTokenError(c, r, body, nil, "Unknown token issuer - %q", body.IssuedBy)
return nil, ErrBadToken
}
// Check the expiration time before doing any heavier checks.
if err = checkExpiration(body, clock.Now(c)); err != nil {
logTokenError(c, r, body, err, "Token has expired or not yet valid")
return nil, ErrBadToken
}
// Check the token was actually signed by the server.
if err = m.checkSignature(c, body.IssuedBy, envelope); err != nil {
if transient.Tag.In(err) {
return nil, err
}
logTokenError(c, r, body, err, "Bad signature")
return nil, ErrBadToken
}
// The token is valid. Construct the bot identity.
botIdent, err := identity.MakeIdentity("bot:" + body.MachineFqdn)
if err != nil {
logTokenError(c, r, body, err, "Bad machine_fqdn - %q", body.MachineFqdn)
return nil, ErrBadToken
}
return &auth.User{Identity: botIdent}, nil
}
// logTokenError adds a warning-level log entry with details about the request.
func logTokenError(c context.Context, r *http.Request, tok *tokenserver.MachineTokenBody, err error, msg string, args ...string) {
fields := logging.Fields{"remoteAddr": r.RemoteAddr}
if tok != nil {
// Note that if token wasn't properly signed, these fields may contain
// garbage.
fields["machineFqdn"] = tok.MachineFqdn
fields["issuedBy"] = tok.IssuedBy
fields["issuedAt"] = tok.IssuedAt
fields["lifetime"] = tok.Lifetime
fields["caId"] = tok.CaId
fields["certSn"] = tok.CertSn
}
if err != nil {
fields[logging.ErrorKey] = err
}
fields.Warningf(c, msg, args)
}
// deserialize parses MachineTokenEnvelope and MachineTokenBody.
func deserialize(token string) (*tokenserver.MachineTokenEnvelope, *tokenserver.MachineTokenBody, error) {
tokenBinBlob, err := base64.RawStdEncoding.DecodeString(token)
if err != nil {
return nil, nil, err
}
envelope := &tokenserver.MachineTokenEnvelope{}
if err := proto.Unmarshal(tokenBinBlob, envelope); err != nil {
return nil, nil, err
}
body := &tokenserver.MachineTokenBody{}
if err := proto.Unmarshal(envelope.TokenBody, body); err != nil {
return envelope, nil, err
}
return envelope, body, nil
}
// checkExpiration returns nil if the token is non-expired yet.
//
// Allows some clock drift, see allowedClockDrift.
func checkExpiration(body *tokenserver.MachineTokenBody, now time.Time) error {
notBefore := time.Unix(int64(body.IssuedAt), 0)
notAfter := notBefore.Add(time.Duration(body.Lifetime) * time.Second)
if now.Before(notBefore.Add(-allowedClockDrift)) {
diff := notBefore.Sub(now)
return fmt.Errorf("token is not valid yet, will be valid in %s", diff)
}
if now.After(notAfter.Add(allowedClockDrift)) {
diff := now.Sub(notAfter)
return fmt.Errorf("token expired %s ago", diff)
}
return nil
}
// checkSignature verifies the token signature.
func (m *MachineTokenAuthMethod) checkSignature(c context.Context, signerEmail string, envelope *tokenserver.MachineTokenEnvelope) error {
// Note that FetchCertificatesForServiceAccount implements caching inside.
fetcher := m.certsFetcher
if fetcher == nil {
fetcher = signing.FetchCertificatesForServiceAccount
}
certs, err := fetcher(c, signerEmail)
if err != nil {
return transient.Tag.Apply(err)
}
return certs.CheckSignature(envelope.KeyId, envelope.TokenBody, envelope.RsaSha256)
}