Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement downgrading privilege for user principals authenticated over gRPC / HTTP #1452

Closed
tiziano88 opened this issue Sep 9, 2020 · 8 comments
Closed

Implement downgrading privilege for user principals authenticated over gRPC / HTTP #1452

tiziano88 opened this issue Sep 9, 2020 · 8 comments
Assignees
@rbehjati
Labels
P0
Milestone
IFC v0

Comments

@tiziano88
Copy link
Collaborator

Once the challenge-response mechanism is implemented (as per #1357), the Oak Runtime should then use the result of the authentication step to determine the downgrading privilege of the client connecting to it.

The most elegant way of doing this would be to create a sort of "virtual" node per invocation that has exactly the downgrading privilege corresponding to the provided authenticated client.

For instance:

  • client connects over gRPC
  • client obtains challenge from Oak Runtime over gRPC
  • client signs challenge with its private key
  • client sends data to the Application over gRPC
    • data is labelled with an arbitrary label, which is independent of the authentication
    • additionally, the client provides the signed challenge as an extra metadata field, to prove its own identity (and does this for any subsequent invocation over the same connection)
  • Runtime receives the request, validates the signed challenge (if any is provided)
  • if one is provided and it matches the public key, then it creates a new pseudo-Node dedicated to that invocation, with the privilege to declassify the principal corresponding to the public key of the provided signed challenge (more details are needed here, I'm handwaving for now)
@tiziano88 tiziano88 added the P0 label Sep 9, 2020
@tiziano88 tiziano88 added this to the IFC v0 milestone Sep 9, 2020
This was referenced Sep 9, 2020
Closed
Closed
@tiziano88 tiziano88 mentioned this issue Oct 13, 2020
Merged
6 tasks
@rbehjati
Copy link
Contributor

In the case of the HttpServerNode this requires replacing the Pipe with the virtual node as follows:

  1. After receiving a request from the user, the HttpServerNode creates a channel for communication with the virtual node.

  2. The HttpServerNode creates the virtual node, setting its privilege to the user's identity.

  3. The HttpServerNode sends a NodeMessage, containing the user's request as the data, the invocation_channel (between the HttpServerNode and the actual server node) as one handle, and an outer_response_writer as another handle.

  4. The virtual node creates request_reader and response_writer channels with correct tags as in Set the user's identity as the confidentiality tag in invocation channels for HTTP and gRPC server nodes #1428 (this is currently done inside Pipe):

    oak/oak_runtime/src/node/http/mod.rs

    Lines 349 to 354 in a6e6294

    struct Pipe {
    request_writer: oak_abi::Handle,
    request_reader: oak_abi::Handle,
    response_writer: oak_abi::Handle,
    response_reader: oak_abi::Handle,
    }

  5. The virtual node send the request over the request_reader channel.

  6. The virtual node then bundles the the read-half of the request_reader, and the write half of the response_writer in an invocation and sends that over the invocation_channel to the actual server node.

  7. The virtual node waits for receiving the response on the read-half of the response_writer, declassifies it and sends a NodeMessage with the HTTP response, back to the HttpServerNode on the outer_response_writer channel to the HTTP server p-N.

@tiziano88 Does this make sense? This basically doubles the number of channels that we create per request.

@rbehjati
Copy link
Contributor

Actually maybe I can merge steps 2 and 3 above, so the HttpServerNode includes the HttpRequest, the invocation_channel, and the outer_response_writer in the config that it uses for creating the virtual node.

@tiziano88
Copy link
Collaborator Author

Thanks for the writeup @rbehjati , it makes sense to me, we can start with that, and then we may explore ways of trying to unify some of the channels or structs in the future, once we have something up and running.

@tiziano88
Copy link
Collaborator Author

cc @daviddrysdale in case he has any suggestions or comments upfront

@rbehjati
Copy link
Contributor

Thanks. BTW, my second suggestion is not that interesting as it would require adding HttpRequest to the application config protobuf, which does not sound like a nice design. So, I am going with my original suggestion.

@rbehjati rbehjati mentioned this issue Oct 21, 2020
Closed
6 tasks
@tiziano88
Copy link
Collaborator Author

@rbehjati I believe this is already on your plate, let me know if I am mistaken.

@rbehjati
Copy link
Contributor

rbehjati commented Nov 3, 2020

Yes. But I think we need to discuss it further :) I'll get back to it when I am done with the first increment of the challenge-response authentication for HTTP and gRPC.

@tiziano88 tiziano88 mentioned this issue Nov 16, 2020
Closed
@rbehjati
Copy link
Contributor

This can be closed for now, since the stated functionality is supported via the top privilege in the gRPC and HTTP nodes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rbehjati rbehjati

Labels
P0
Projects
None yet
Milestone
IFC v0
Development

No branches or pull requests
2 participants
@tiziano88 @rbehjati