DRKey ported from the old SCIONLab (scionproto#77)

* Drkey feature PR1 (#3) * lib drkey files * Epoch based on Validity period https://github.com/scionproto/scion/pull/2842/files * added test for secret value derivation * embed Validity in Epoch * Replacing RawBytes by byte slice, using xtest to parse hex string suite.go moved out to package exchange Added Equal to DRkey added dep in BUILD.bazel * add bazel for exchange pkg * Drkey feature PR2 (#4) * lib drkey protocol files * adding AS->Host, Host->Host to standard UI + minor changes * Replacing RawBytes by byte slice * Added suite.go UT * mending protocol BUILD.bazel * using testify in suite.go UT * refactoring testify protocol_test.go * Drkey feature PR3 (#5) * Initial commit lib drkey drkeysqlite files * refactor to Epoch based on Validity * minor changes out of revision * refactoring db_test with testify * Drkey port pr4 (#7) * proto/sciond.capnp added drkey data + proto/drkey_mgmt.capnp + auto-generated files + inital go/lib/ctrl/drkey_mgmnt * adapted lvl2_rep to Epoch based Validity * replaced RawBytes by byte slice replaced some missed RawBytes * Use scrpyto.Version in Lvl1Rep.CrtVerDst * added drkey in ctrl/union.go * solving some golint warning in drkey_mgmt * replacing RawBytes in Lvl2req * Drkey port pr5 (#11) * inital commit drkeystorage pkg * testify refactoring config_test.go * Drkey feature pr6 (#19) * cppki validity refactoring * Drkey protobuf * changes in drkeystorage: - Modified ServiceStore interface - Added mock * added DRKey cp requests * Added package go/pkg/cs/drkey: - ServiceStore adapted to use new Fetcher - Prefetcher and SecretValueStore * Added ValitadePeerWithCert function: - This function might help validating authentication information from peer in DRKey exchanges. * added package go/pkg/cs/drkey/grpc: - DRKeyService which handles both Lvl1 and Lvl2 request. - DRKeyFetcher which fetches Lvl1 keys from some remote CS. * added drkey CS config: - added DRKey and DRKeyDB configuration files * Refactoring drkey protobuf * trust: added ClientTransportCredentials: ClientTransportCredentials is used as a wrapper around TLS credentials so that the certificate and server name can be check within the grpc dialing. - Lvl1KeyFetching test is adapted to use ClientTransportCredentials. * mending test to pass * small fixings and explicit implements * refactoring pkg/cs UT * protobuf: Refactoring protobuf Lvl1Response and added UTo * added test inner function to prefectch keys + fixing error checking in drkey_service * deleting unnecessary callOption in drkey_fetcher * improving tests * fixing lint errors * Drkey feature pr7 (#20) * move DRKey requests/responses to their own package * add protobuf DRKey RPC in sciond * added DRKey feature to go/pkg/sciond package: - Implemented RPC interface to serve Lvl2Key request to scionD. - Implemented Fetcher to fetch Lvl2Key from local CS. - Added ClientStore which encompases the logic to handle DRKeyLvl2 feature. - Added UTs. * fixing lint errors * fixing error with serverName in transport_credentials * fixing bugs in drkey fetchers * DRKey feature pr8 (#21) * fix bug in Lvl2reqToProtoRequest * add go/lib/sciond * fixing serverName handling in verifyConnection * fixing validateLvl2Req * fixing concurrency in prefetcher * fixing log messages and config in go/pkg/sciond * added TLSQUIC stack in go/lib/infra/: - QUICStack in infraenv.go is modified so that it also returns a separate QUIC stack. - Added TLSQUICDialer which redirects requests to the TLSQUIC stack. - Added new svc transport. * plugging in DRKey in scionD and CS * fixing lint and tests * added sciond mock * remove exchange suite * remove capnp drkey from go/lib/ctrl * minor changes in cs.go and drkey config * moving out aux code from cs.go to trustlib + minor changes * fixed comment Co-authored-by: JordiSubira <jordi.subira.nieto@gmail.com>
juagargi · Dec 17, 2020 · 707a5e6 · 707a5e6
1 parent 865d74a
commit 707a5e6
Show file tree

Hide file tree

Showing 140 changed files with 8,005 additions and 307 deletions.
diff --git a/go/cs/BUILD.bazel b/go/cs/BUILD.bazel
@@ -22,13 +22,15 @@ go_library(
         "//go/lib/addr:go_default_library",
         "//go/lib/common:go_default_library",
         "//go/lib/config:go_default_library",
+        "//go/lib/drkeystorage:go_default_library",
         "//go/lib/env:go_default_library",
         "//go/lib/fatal:go_default_library",
         "//go/lib/infra/infraenv:go_default_library",
         "//go/lib/infra/messenger:go_default_library",
         "//go/lib/infra/modules/itopo:go_default_library",
         "//go/lib/infra/modules/segfetcher/grpc:go_default_library",
         "//go/lib/infra/modules/seghandler:go_default_library",
+        "//go/lib/keyconf:go_default_library",
         "//go/lib/log:go_default_library",
         "//go/lib/metrics:go_default_library",
         "//go/lib/pathdb:go_default_library",
@@ -40,6 +42,8 @@ go_library(
         "//go/lib/topology:go_default_library",
         "//go/pkg/command:go_default_library",
         "//go/pkg/cs:go_default_library",
+        "//go/pkg/cs/drkey:go_default_library",
+        "//go/pkg/cs/drkey/grpc:go_default_library",
         "//go/pkg/cs/trust:go_default_library",
         "//go/pkg/cs/trust/grpc:go_default_library",
         "//go/pkg/cs/trust/metrics:go_default_library",
@@ -54,9 +58,12 @@ go_library(
         "//go/pkg/trust/metrics:go_default_library",
         "//go/pkg/trust/renewal:go_default_library",
         "@com_github_grpc_ecosystem_go_grpc_prometheus//:go_default_library",
+        "@com_github_grpc_ecosystem_grpc_opentracing//go/otgrpc:go_default_library",
+        "@com_github_opentracing_opentracing_go//:go_default_library",
         "@com_github_spf13_cobra//:go_default_library",
         "@in_gopkg_yaml_v2//:go_default_library",
         "@org_golang_google_grpc//:go_default_library",
+        "@org_golang_google_grpc//credentials:go_default_library",
         "@org_golang_google_grpc//health:go_default_library",
         "@org_golang_google_grpc//health/grpc_health_v1:go_default_library",
     ],

diff --git a/go/cs/config/BUILD.bazel b/go/cs/config/BUILD.bazel
@@ -5,14 +5,17 @@ go_library(
     srcs = [
         "bs_sample.go",
         "config.go",
+        "drkey.go",
         "sample.go",
     ],
     importpath = "github.com/scionproto/scion/go/cs/config",
     visibility = ["//visibility:public"],
     deps = [
+        "//go/lib/addr:go_default_library",
         "//go/lib/common:go_default_library",
         "//go/lib/config:go_default_library",
         "//go/lib/ctrl/path_mgmt:go_default_library",
+        "//go/lib/drkey/protocol:go_default_library",
         "//go/lib/env:go_default_library",
         "//go/lib/log:go_default_library",
         "//go/lib/serrors:go_default_library",
@@ -24,15 +27,21 @@ go_library(
 
 go_test(
     name = "go_default_test",
-    srcs = ["config_test.go"],
+    srcs = [
+        "config_test.go",
+        "drkey_test.go",
+    ],
     embed = [":go_default_library"],
     deps = [
         "//go/lib/ctrl/path_mgmt:go_default_library",
         "//go/lib/env/envtest:go_default_library",
         "//go/lib/log/logtest:go_default_library",
         "//go/lib/util:go_default_library",
+        "//go/pkg/storage:go_default_library",
         "//go/pkg/storage/test:go_default_library",
+        "@com_github_burntsushi_toml//:go_default_library",
         "@com_github_pelletier_go_toml//:go_default_library",
         "@com_github_stretchr_testify//assert:go_default_library",
+        "@com_github_stretchr_testify//require:go_default_library",
     ],
 )
diff --git a/go/cs/config/config.go b/go/cs/config/config.go
@@ -83,6 +83,7 @@ type Config struct {
 	PS          PSConfig           `toml:"path,omitempty"`
 	CA          CA                 `toml:"ca,omitempty"`
 	TrustEngine trustengine.Config `toml:"trustengine,omitempty"`
+	DRKey       DRKeyConfig        `toml:"drkey,omitempty"`
 }
 
 // InitDefaults initializes the default values for all parts of the config.
@@ -101,6 +102,7 @@ func (cfg *Config) InitDefaults() {
 		&cfg.PS,
 		&cfg.CA,
 		&cfg.TrustEngine,
+		&cfg.DRKey,
 	)
 }
 
@@ -119,6 +121,7 @@ func (cfg *Config) Validate() error {
 		&cfg.PS,
 		&cfg.CA,
 		&cfg.TrustEngine,
+		&cfg.DRKey,
 	)
 }
 
@@ -163,6 +166,7 @@ func (cfg *Config) Sample(dst io.Writer, path config.Path, _ config.CtxMap) {
 		&cfg.PS,
 		&cfg.CA,
 		&cfg.TrustEngine,
+		&cfg.DRKey,
 	)
 }
 

diff --git a/go/cs/config/drkey.go b/go/cs/config/drkey.go
@@ -0,0 +1,161 @@
+// Copyright 2019 ETH Zurich
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package config
+
+import (
+	"io"
+	"time"
+
+	"github.com/scionproto/scion/go/lib/addr"
+	"github.com/scionproto/scion/go/lib/config"
+	"github.com/scionproto/scion/go/lib/drkey/protocol"
+	"github.com/scionproto/scion/go/lib/serrors"
+	"github.com/scionproto/scion/go/lib/util"
+	"github.com/scionproto/scion/go/pkg/storage"
+)
+
+const (
+	// DefaultEpochDuration is the default duration for the drkey SV and derived keys
+	DefaultEpochDuration = 24 * time.Hour
+)
+
+var _ (config.Config) = (*DRKeyConfig)(nil)
+
+// DRKeyConfig is the configuration for the connection to the trust database.
+type DRKeyConfig struct {
+	// enabled is set to true if we find all the required fields in the configuration.
+	enabled bool
+	// DRKeyDB contains the DRKey DB configuration.
+	DRKeyDB storage.DBConfig `toml:"drkey_db,omitempty"`
+	// EpochDuration is the duration of the keys in this CS.
+	EpochDuration util.DurWrap `toml:"epoch_duration,omitempty"`
+	// AuthorizedDelegations is the DelegationList for this CS.
+	Delegation DelegationList `toml:"delegation,omitempty"`
+
+	//TLS config
+	CertFile string `toml:"cert_file,omitempty"`
+	KeyFile  string `toml:"key_file,omitempty"`
+}
+
+// NewDRKeyConfig returns a pointer to a valid, empty configuration.
+func NewDRKeyConfig() *DRKeyConfig {
+	c := DRKeyConfig{
+		DRKeyDB:    storage.DBConfig{},
+		Delegation: DelegationList{},
+	}
+	return &c
+}
+
+// InitDefaults initializes values of unset keys and determines if the configuration enables DRKey.
+func (cfg *DRKeyConfig) InitDefaults() {
+	cfg.enabled = true
+	if cfg.EpochDuration.Duration == 0 {
+		cfg.EpochDuration.Duration = DefaultEpochDuration
+	}
+	config.InitAll(&cfg.Delegation)
+}
+
+// Enabled returns true if DRKey is configured. False otherwise.
+func (cfg *DRKeyConfig) Enabled() bool {
+	if cfg.DRKeyDB.Connection == "" {
+		return false
+	}
+	return true
+}
+
+// Validate validates that all values are parsable.
+func (cfg *DRKeyConfig) Validate() error {
+	return config.ValidateAll(&cfg.DRKeyDB, &cfg.Delegation)
+}
+
+// Sample writes a config sample to the writer.
+func (cfg *DRKeyConfig) Sample(dst io.Writer, path config.Path, ctx config.CtxMap) {
+	config.WriteString(dst, drkeySample)
+	config.WriteSample(dst, path,
+		config.CtxMap{config.ID: idSample},
+		config.OverrideName(
+			config.FormatData(
+				&cfg.DRKeyDB,
+				storage.SetID(storage.SampleDRKeyDB, idSample).Connection,
+			),
+			"drkey_db",
+		),
+		&cfg.Delegation,
+	)
+}
+
+// ConfigName is the key in the toml file.
+func (cfg *DRKeyConfig) ConfigName() string {
+	return "drkey"
+}
+
+// DelegationList configures which endhosts can get delegation secrets, per protocol.
+type DelegationList map[string][]string
+
+var _ (config.Config) = (*DelegationList)(nil)
+
+// InitDefaults will not add or modify any entry in the config.
+func (cfg *DelegationList) InitDefaults() {
+	if *cfg == nil {
+		*cfg = make(DelegationList)
+	}
+}
+
+// Validate validates that the protocols exist, and their addresses are parsable.
+func (cfg *DelegationList) Validate() error {
+	for proto, list := range *cfg {
+		if _, found := protocol.KnownDerivations[proto]; !found {
+			return serrors.New("Configured protocol not found", "protocol", proto)
+		}
+		for _, ip := range list {
+			if h := addr.HostFromIPStr(ip); h == nil {
+				return serrors.New("Syntax error: not a valid address", "ip", ip)
+			}
+		}
+	}
+	return nil
+}
+
+// Sample writes a config sample to the writer.
+func (cfg *DelegationList) Sample(dst io.Writer, path config.Path, ctx config.CtxMap) {
+	config.WriteString(dst, drkeyDelegationListSample)
+}
+
+// ConfigName is the key in the toml file.
+func (cfg *DelegationList) ConfigName() string {
+	return "delegation"
+}
+
+// ToMapPerHost will return map where there is a set of supported protocols per host.
+func (cfg *DelegationList) ToMapPerHost() map[[16]byte]map[string]struct{} {
+	m := make(map[[16]byte]map[string]struct{})
+	for proto, ipList := range *cfg {
+		for _, ip := range ipList {
+			host := addr.HostFromIPStr(ip)
+			if host == nil {
+				continue
+			}
+			var rawHost [16]byte
+			copy(rawHost[:], host.IP().To16())
+			protoSet := m[rawHost]
+			if protoSet == nil {
+				protoSet = make(map[string]struct{})
+			}
+			protoSet[proto] = struct{}{}
+			m[rawHost] = protoSet
+		}
+	}
+	return m
+}