storj/certificate/endpoint.go

// Copyright (C) 2019 Storj Labs, Inc.
// See LICENSE for copying information.

package certificate

import (
	"context"

	"go.uber.org/zap"

	"storj.io/common/identity"
	"storj.io/common/rpc/rpcpeer"
	"storj.io/common/rpc/rpcstatus"
	"storj.io/storj/certificate/authorization"
	"storj.io/storj/certificate/certificatepb"
	"storj.io/storj/certificate/rpcerrs"
)

// Endpoint implements pb.CertificatesServer.
type Endpoint struct {
	certificatepb.DRPCCertificatesUnimplementedServer

	rpclog          *rpcerrs.Log
	log             *zap.Logger
	ca              *identity.FullCertificateAuthority
	authorizationDB *authorization.DB
	minDifficulty   uint16
}

// NewEndpoint creates a new certificate signing server.
func NewEndpoint(log *zap.Logger, ca *identity.FullCertificateAuthority, authorizationDB *authorization.DB, minDifficulty uint16) *Endpoint {
	rpclog := rpcerrs.NewLog(&Error, log, rpcerrs.StatusMap{
		&authorization.ErrNotFound:       rpcstatus.Unauthenticated,
		&authorization.ErrInvalidClaim:   rpcstatus.InvalidArgument,
		&authorization.ErrInvalidToken:   rpcstatus.InvalidArgument,
		&authorization.ErrAlreadyClaimed: rpcstatus.AlreadyExists,
	})

	return &Endpoint{
		rpclog:          rpclog,
		log:             log,
		ca:              ca,
		authorizationDB: authorizationDB,
		minDifficulty:   minDifficulty,
	}
}

// Sign signs the CA certificate of the remote peer's identity with the `certs.ca` certificate.
// Returns a certificate chain consisting of the remote peer's CA followed by the CA chain.
func (endpoint Endpoint) Sign(ctx context.Context, req *certificatepb.SigningRequest) (_ *certificatepb.SigningResponse, err error) {
	defer mon.Task()(&ctx)(&err)
	peer, err := rpcpeer.FromContext(ctx)
	if err != nil {
		msg := "error getting peer from context"
		return nil, endpoint.rpclog.Error(msg, err)
	}

	peerIdent, err := identity.PeerIdentityFromPeer(peer)
	if err != nil {
		msg := "error getting peer identity"
		return nil, endpoint.rpclog.Error(msg, err)
	}

	signedPeerCA, err := endpoint.ca.Sign(peerIdent.CA)
	if err != nil {
		msg := "error signing peer CA"
		return nil, endpoint.rpclog.Error(msg, err)
	}

	signedChainBytes := [][]byte{signedPeerCA.Raw, endpoint.ca.Cert.Raw}
	signedChainBytes = append(signedChainBytes, endpoint.ca.RawRestChain()...)
	err = endpoint.authorizationDB.Claim(ctx, &authorization.ClaimOpts{
		Req:           req,
		Peer:          peer,
		ChainBytes:    signedChainBytes,
		MinDifficulty: endpoint.minDifficulty,
	})
	if err != nil {
		msg := "error claiming authorization"
		return nil, endpoint.rpclog.Error(msg, err)
	}

	difficulty, err := peerIdent.ID.Difficulty()
	if err != nil {
		msg := "error checking difficulty"
		return nil, endpoint.rpclog.Error(msg, err)
	}
	token, err := authorization.ParseToken(req.AuthToken)
	if err != nil {
		msg := "error parsing auth token"
		return nil, endpoint.rpclog.Error(msg, err)
	}
	tokenFormatter := authorization.Authorization{
		Token: *token,
	}
	endpoint.log.Info("certificate successfully signed",
		zap.Stringer("Node ID", peerIdent.ID),
		zap.Uint16("difficulty", difficulty),
		zap.Stringer("truncated token", tokenFormatter),
	)

	return &certificatepb.SigningResponse{
		Chain: signedChainBytes,
	}, nil
}
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00			`// Copyright (C) 2019 Storj Labs, Inc.`
			`// See LICENSE for copying information.`

			`package certificate`

			`import (`
			`"context"`

			`"go.uber.org/zap"`

common: separate repository Change-Id: Ibb89c42060450e3839481a7e495bbe3ad940610a 2019-12-27 11:48:47 +00:00			`"storj.io/common/identity"`
			`"storj.io/common/rpc/rpcpeer"`
			`"storj.io/common/rpc/rpcstatus"`
pkg/certificates: move certificate package to root (#3107) 2019-09-26 17:11:05 +01:00			`"storj.io/storj/certificate/authorization"`
certificate: move protobuf to storj/storj repository Change-Id: I4689318304b54121a65e28860430d39d94ac5bd6 2021-03-29 12:45:27 +01:00			`"storj.io/storj/certificate/certificatepb"`
certificate/rpcerrs: move logging sanitizer into certificate Currently that is the only place using it and it's tied to zap implementation. We don't want to have zap in common to reduce common dependencies. Change-Id: I72c064008f83ad3a8a3aa21944753208d4844c85 2020-10-14 12:11:36 +01:00			`"storj.io/storj/certificate/rpcerrs"`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00			`)`

			`// Endpoint implements pb.CertificatesServer.`
			`type Endpoint struct {`
certificate: move protobuf to storj/storj repository Change-Id: I4689318304b54121a65e28860430d39d94ac5bd6 2021-03-29 12:45:27 +01:00			`certificatepb.DRPCCertificatesUnimplementedServer`
pb: use *UnimplementedServer to avoid breaking API changes Change-Id: I99a34eeb37ac4453411f273511710562a519f57a 2021-03-29 09:58:04 +01:00
certificate/rpcerrs: move logging sanitizer into certificate Currently that is the only place using it and it's tied to zap implementation. We don't want to have zap in common to reduce common dependencies. Change-Id: I72c064008f83ad3a8a3aa21944753208d4844c85 2020-10-14 12:11:36 +01:00			`rpclog *rpcerrs.Log`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00			`log *zap.Logger`
			`ca *identity.FullCertificateAuthority`
			`authorizationDB *authorization.DB`
			`minDifficulty uint16`
			`}`

all: remove grpc It seems everyone has migrated to drpc. Change-Id: Ica6b2d0bdef68c6603083f2963458843eca71e9e 2020-05-06 11:54:14 +01:00			`// NewEndpoint creates a new certificate signing server.`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00			`func NewEndpoint(log zap.Logger, ca identity.FullCertificateAuthority, authorizationDB authorization.DB, minDifficulty uint16) Endpoint {`
certificate/rpcerrs: move logging sanitizer into certificate Currently that is the only place using it and it's tied to zap implementation. We don't want to have zap in common to reduce common dependencies. Change-Id: I72c064008f83ad3a8a3aa21944753208d4844c85 2020-10-14 12:11:36 +01:00			`rpclog := rpcerrs.NewLog(&Error, log, rpcerrs.StatusMap{`
{certificates,pkg/rpcstatus}: improve error logging (#3475) 2019-11-13 10:07:21 +00:00			`&authorization.ErrNotFound: rpcstatus.Unauthenticated,`
			`&authorization.ErrInvalidClaim: rpcstatus.InvalidArgument,`
			`&authorization.ErrInvalidToken: rpcstatus.InvalidArgument,`
			`&authorization.ErrAlreadyClaimed: rpcstatus.AlreadyExists,`
certificate/rpcerrs: move logging sanitizer into certificate Currently that is the only place using it and it's tied to zap implementation. We don't want to have zap in common to reduce common dependencies. Change-Id: I72c064008f83ad3a8a3aa21944753208d4844c85 2020-10-14 12:11:36 +01:00			`})`
{certificates,pkg/rpcstatus}: improve error logging (#3475) 2019-11-13 10:07:21 +00:00
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00			`return &Endpoint{`
certificate/rpcerrs: move logging sanitizer into certificate Currently that is the only place using it and it's tied to zap implementation. We don't want to have zap in common to reduce common dependencies. Change-Id: I72c064008f83ad3a8a3aa21944753208d4844c85 2020-10-14 12:11:36 +01:00			`rpclog: rpclog,`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00			`log: log,`
			`ca: ca,`
			`authorizationDB: authorizationDB,`
			`minDifficulty: minDifficulty,`
			`}`
			`}`

			// Sign signs the CA certificate of the remote peer's identity with the `certs.ca` certificate.
			`// Returns a certificate chain consisting of the remote peer's CA followed by the CA chain.`
certificate: move protobuf to storj/storj repository Change-Id: I4689318304b54121a65e28860430d39d94ac5bd6 2021-03-29 12:45:27 +01:00			`func (endpoint Endpoint) Sign(ctx context.Context, req certificatepb.SigningRequest) (_ certificatepb.SigningResponse, err error) {`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00			`defer mon.Task()(&ctx)(&err)`
all: use pkg/rpc instead of pkg/transport all of the packages and tests work with both grpc and drpc. we'll probably need to do some jenkins pipelines to run the tests with drpc as well. most of the changes are really due to a bit of cleanup of the pkg/transport.Client api into an rpc.Dialer in the spirit of a net.Dialer. now that we don't need observers, we can pass around stateless configuration to everything rather than stateful things that issue observations. it also adds a DialAddressID for the case where we don't have a pb.Node, but we do have an address and want to assert some ID. this happened pretty frequently, and now there's no more weird contortions creating custom tls options, etc. a lot of the other changes are being consistent/using the abstractions in the rpc package to do rpc style things like finding peer information, or checking status codes. Change-Id: Ief62875e21d80a21b3c56a5a37f45887679f9412 2019-09-19 05:46:39 +01:00			`peer, err := rpcpeer.FromContext(ctx)`
			`if err != nil {`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00			`msg := "error getting peer from context"`
certificate/rpcerrs: move logging sanitizer into certificate Currently that is the only place using it and it's tied to zap implementation. We don't want to have zap in common to reduce common dependencies. Change-Id: I72c064008f83ad3a8a3aa21944753208d4844c85 2020-10-14 12:11:36 +01:00			`return nil, endpoint.rpclog.Error(msg, err)`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00			`}`

all: use pkg/rpc instead of pkg/transport all of the packages and tests work with both grpc and drpc. we'll probably need to do some jenkins pipelines to run the tests with drpc as well. most of the changes are really due to a bit of cleanup of the pkg/transport.Client api into an rpc.Dialer in the spirit of a net.Dialer. now that we don't need observers, we can pass around stateless configuration to everything rather than stateful things that issue observations. it also adds a DialAddressID for the case where we don't have a pb.Node, but we do have an address and want to assert some ID. this happened pretty frequently, and now there's no more weird contortions creating custom tls options, etc. a lot of the other changes are being consistent/using the abstractions in the rpc package to do rpc style things like finding peer information, or checking status codes. Change-Id: Ief62875e21d80a21b3c56a5a37f45887679f9412 2019-09-19 05:46:39 +01:00			`peerIdent, err := identity.PeerIdentityFromPeer(peer)`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00			`if err != nil {`
			`msg := "error getting peer identity"`
certificate/rpcerrs: move logging sanitizer into certificate Currently that is the only place using it and it's tied to zap implementation. We don't want to have zap in common to reduce common dependencies. Change-Id: I72c064008f83ad3a8a3aa21944753208d4844c85 2020-10-14 12:11:36 +01:00			`return nil, endpoint.rpclog.Error(msg, err)`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00			`}`

			`signedPeerCA, err := endpoint.ca.Sign(peerIdent.CA)`
			`if err != nil {`
			`msg := "error signing peer CA"`
certificate/rpcerrs: move logging sanitizer into certificate Currently that is the only place using it and it's tied to zap implementation. We don't want to have zap in common to reduce common dependencies. Change-Id: I72c064008f83ad3a8a3aa21944753208d4844c85 2020-10-14 12:11:36 +01:00			`return nil, endpoint.rpclog.Error(msg, err)`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00			`}`

			`signedChainBytes := [][]byte{signedPeerCA.Raw, endpoint.ca.Cert.Raw}`
			`signedChainBytes = append(signedChainBytes, endpoint.ca.RawRestChain()...)`
			`err = endpoint.authorizationDB.Claim(ctx, &authorization.ClaimOpts{`
			`Req: req,`
all: use pkg/rpc instead of pkg/transport all of the packages and tests work with both grpc and drpc. we'll probably need to do some jenkins pipelines to run the tests with drpc as well. most of the changes are really due to a bit of cleanup of the pkg/transport.Client api into an rpc.Dialer in the spirit of a net.Dialer. now that we don't need observers, we can pass around stateless configuration to everything rather than stateful things that issue observations. it also adds a DialAddressID for the case where we don't have a pb.Node, but we do have an address and want to assert some ID. this happened pretty frequently, and now there's no more weird contortions creating custom tls options, etc. a lot of the other changes are being consistent/using the abstractions in the rpc package to do rpc style things like finding peer information, or checking status codes. Change-Id: Ief62875e21d80a21b3c56a5a37f45887679f9412 2019-09-19 05:46:39 +01:00			`Peer: peer,`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00			`ChainBytes: signedChainBytes,`
			`MinDifficulty: endpoint.minDifficulty,`
			`})`
			`if err != nil {`
{certificates,pkg/rpcstatus}: improve error logging (#3475) 2019-11-13 10:07:21 +00:00			`msg := "error claiming authorization"`
certificate/rpcerrs: move logging sanitizer into certificate Currently that is the only place using it and it's tied to zap implementation. We don't want to have zap in common to reduce common dependencies. Change-Id: I72c064008f83ad3a8a3aa21944753208d4844c85 2020-10-14 12:11:36 +01:00			`return nil, endpoint.rpclog.Error(msg, err)`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00			`}`

			`difficulty, err := peerIdent.ID.Difficulty()`
			`if err != nil {`
{certificates,pkg/rpcstatus}: improve error logging (#3475) 2019-11-13 10:07:21 +00:00			`msg := "error checking difficulty"`
certificate/rpcerrs: move logging sanitizer into certificate Currently that is the only place using it and it's tied to zap implementation. We don't want to have zap in common to reduce common dependencies. Change-Id: I72c064008f83ad3a8a3aa21944753208d4844c85 2020-10-14 12:11:36 +01:00			`return nil, endpoint.rpclog.Error(msg, err)`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00			`}`
			`token, err := authorization.ParseToken(req.AuthToken)`
			`if err != nil {`
{certificates,pkg/rpcstatus}: improve error logging (#3475) 2019-11-13 10:07:21 +00:00			`msg := "error parsing auth token"`
certificate/rpcerrs: move logging sanitizer into certificate Currently that is the only place using it and it's tied to zap implementation. We don't want to have zap in common to reduce common dependencies. Change-Id: I72c064008f83ad3a8a3aa21944753208d4844c85 2020-10-14 12:11:36 +01:00			`return nil, endpoint.rpclog.Error(msg, err)`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00			`}`
			`tokenFormatter := authorization.Authorization{`
			`Token: *token,`
			`}`
			`endpoint.log.Info("certificate successfully signed",`
logging: unify logging around satellite ID, node ID and piece ID (#3491) * logging: unify logging around satellite ID, node ID and piece ID * unify segment index 2019-11-05 21:04:07 +00:00			`zap.Stringer("Node ID", peerIdent.ID),`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00			`zap.Uint16("difficulty", difficulty),`
			`zap.Stringer("truncated token", tokenFormatter),`
			`)`

certificate: move protobuf to storj/storj repository Change-Id: I4689318304b54121a65e28860430d39d94ac5bd6 2021-03-29 12:45:27 +01:00			`return &certificatepb.SigningResponse{`
{cmd,pkg}/certificates: service refactor (#2938) 2019-09-05 16:11:21 +01:00			`Chain: signedChainBytes,`
			`}, nil`
			`}`