098cbc9c67
all of the packages and tests work with both grpc and drpc. we'll probably need to do some jenkins pipelines to run the tests with drpc as well. most of the changes are really due to a bit of cleanup of the pkg/transport.Client api into an rpc.Dialer in the spirit of a net.Dialer. now that we don't need observers, we can pass around stateless configuration to everything rather than stateful things that issue observations. it also adds a DialAddressID for the case where we don't have a pb.Node, but we do have an address and want to assert some ID. this happened pretty frequently, and now there's no more weird contortions creating custom tls options, etc. a lot of the other changes are being consistent/using the abstractions in the rpc package to do rpc style things like finding peer information, or checking status codes. Change-Id: Ief62875e21d80a21b3c56a5a37f45887679f9412
277 lines
7.1 KiB
Go
277 lines
7.1 KiB
Go
// Copyright (C) 2019 Storj Labs, Inc.
|
|
// See LICENSE for copying information.
|
|
|
|
package main
|
|
|
|
import (
|
|
"crypto/x509/pkix"
|
|
"encoding/json"
|
|
"fmt"
|
|
"os"
|
|
"path/filepath"
|
|
|
|
"github.com/spf13/cobra"
|
|
"github.com/zeebo/errs"
|
|
"go.uber.org/zap"
|
|
|
|
"storj.io/storj/internal/fpath"
|
|
"storj.io/storj/internal/version"
|
|
"storj.io/storj/pkg/certificate/certificateclient"
|
|
"storj.io/storj/pkg/cfgstruct"
|
|
"storj.io/storj/pkg/identity"
|
|
"storj.io/storj/pkg/peertls/extensions"
|
|
"storj.io/storj/pkg/peertls/tlsopts"
|
|
"storj.io/storj/pkg/pkcrypto"
|
|
"storj.io/storj/pkg/process"
|
|
"storj.io/storj/pkg/revocation"
|
|
"storj.io/storj/pkg/rpc"
|
|
)
|
|
|
|
const (
|
|
defaultSignerAddress = "certs.alpha.storj.io:8888"
|
|
)
|
|
|
|
var (
|
|
rootCmd = &cobra.Command{
|
|
Use: "identity",
|
|
Short: "Identity management",
|
|
}
|
|
|
|
newServiceCmd = &cobra.Command{
|
|
Use: "create <service>",
|
|
Short: "Create a new full identity for a service",
|
|
Args: cobra.ExactArgs(1),
|
|
RunE: cmdNewService,
|
|
Annotations: map[string]string{"type": "setup"},
|
|
}
|
|
|
|
authorizeCmd = &cobra.Command{
|
|
Use: "authorize <service> <auth-token>",
|
|
Short: "Send a certificate signing request for a service's CA certificate",
|
|
Args: cobra.ExactArgs(2),
|
|
RunE: cmdAuthorize,
|
|
Annotations: map[string]string{"type": "setup"},
|
|
}
|
|
|
|
//nolint
|
|
config struct {
|
|
Difficulty uint64 `default:"30" help:"minimum difficulty for identity generation"`
|
|
Concurrency uint `default:"4" help:"number of concurrent workers for certificate authority generation"`
|
|
ParentCertPath string `help:"path to the parent authority's certificate chain"`
|
|
ParentKeyPath string `help:"path to the parent authority's private key"`
|
|
Signer certificateclient.Config
|
|
// TODO: ideally the default is the latest version; can't interpolate struct tags
|
|
IdentityVersion uint `default:"0" help:"identity version to use when creating an identity or CA"`
|
|
|
|
Version version.Config
|
|
}
|
|
|
|
identityDir, configDir string
|
|
defaultIdentityDir = fpath.ApplicationDir("storj", "identity")
|
|
defaultConfigDir = fpath.ApplicationDir("storj", "identity")
|
|
)
|
|
|
|
func init() {
|
|
rootCmd.AddCommand(newServiceCmd)
|
|
rootCmd.AddCommand(authorizeCmd)
|
|
|
|
process.Bind(newServiceCmd, &config, defaults, cfgstruct.ConfDir(defaultConfigDir), cfgstruct.IdentityDir(defaultIdentityDir))
|
|
process.Bind(authorizeCmd, &config, defaults, cfgstruct.ConfDir(defaultConfigDir), cfgstruct.IdentityDir(defaultIdentityDir))
|
|
}
|
|
|
|
func main() {
|
|
process.Exec(rootCmd)
|
|
}
|
|
|
|
func serviceDirectory(serviceName string) string {
|
|
return filepath.Join(identityDir, serviceName)
|
|
}
|
|
|
|
func cmdNewService(cmd *cobra.Command, args []string) error {
|
|
ctx, _ := process.Ctx(cmd)
|
|
|
|
err := version.CheckProcessVersion(ctx, zap.L(), config.Version, version.Build, "Identity")
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
serviceDir := serviceDirectory(args[0])
|
|
|
|
caCertPath := filepath.Join(serviceDir, "ca.cert")
|
|
caKeyPath := filepath.Join(serviceDir, "ca.key")
|
|
identCertPath := filepath.Join(serviceDir, "identity.cert")
|
|
identKeyPath := filepath.Join(serviceDir, "identity.key")
|
|
|
|
caConfig := identity.CASetupConfig{
|
|
CertPath: caCertPath,
|
|
KeyPath: caKeyPath,
|
|
Difficulty: config.Difficulty,
|
|
Concurrency: config.Concurrency,
|
|
ParentCertPath: config.ParentCertPath,
|
|
ParentKeyPath: config.ParentKeyPath,
|
|
VersionNumber: config.IdentityVersion,
|
|
}
|
|
|
|
status, err := caConfig.Status()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if status != identity.NoCertNoKey {
|
|
return errs.New("CA certificate and/or key already exists, NOT overwriting!")
|
|
}
|
|
|
|
identConfig := identity.SetupConfig{
|
|
CertPath: identCertPath,
|
|
KeyPath: identKeyPath,
|
|
}
|
|
|
|
status, err = identConfig.Status()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if status != identity.NoCertNoKey {
|
|
return errs.New("Identity certificate and/or key already exists, NOT overwriting!")
|
|
}
|
|
|
|
ca, caerr := caConfig.Create(ctx, os.Stdout)
|
|
if caerr != nil {
|
|
return caerr
|
|
}
|
|
|
|
_, iderr := identConfig.Create(ca)
|
|
if iderr != nil {
|
|
return iderr
|
|
}
|
|
|
|
fmt.Printf("Unsigned identity is located in %q\n", serviceDir)
|
|
fmt.Println("Please *move* CA key to secure storage - it is only needed for identity management!")
|
|
fmt.Printf("\t%s\n", caConfig.KeyPath)
|
|
return nil
|
|
}
|
|
|
|
func cmdAuthorize(cmd *cobra.Command, args []string) (err error) {
|
|
ctx, _ := process.Ctx(cmd)
|
|
|
|
err = version.CheckProcessVersion(ctx, zap.L(), config.Version, version.Build, "Identity")
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
serviceDir := serviceDirectory(args[0])
|
|
|
|
authToken := args[1]
|
|
|
|
caCertPath := filepath.Join(serviceDir, "ca.cert")
|
|
caConfig := identity.PeerCAConfig{
|
|
CertPath: caCertPath,
|
|
}
|
|
identCertPath := filepath.Join(serviceDir, "identity.cert")
|
|
identKeyPath := filepath.Join(serviceDir, "identity.key")
|
|
identConfig := identity.Config{
|
|
CertPath: identCertPath,
|
|
KeyPath: identKeyPath,
|
|
}
|
|
|
|
ca, err := caConfig.Load()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
ident, err := identConfig.Load()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if config.Signer.Address == "" {
|
|
config.Signer.Address = defaultSignerAddress
|
|
}
|
|
|
|
// Ensure we dont enforce a signed Peer Identity
|
|
config.Signer.TLS.UsePeerCAWhitelist = false
|
|
|
|
revocationDB, err := revocation.NewDBFromCfg(config.Signer.TLS)
|
|
if err != nil {
|
|
return errs.New("error creating revocation database: %+v", err)
|
|
}
|
|
defer func() {
|
|
err = errs.Combine(err, revocationDB.Close())
|
|
}()
|
|
|
|
tlsOptions, err := tlsopts.NewOptions(ident, config.Signer.TLS, nil)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
client, err := certificateclient.New(ctx, rpc.NewDefaultDialer(tlsOptions), config.Signer.Address)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer func() { err = errs.Combine(err, client.Close()) }()
|
|
|
|
signedChainBytes, err := client.Sign(ctx, authToken)
|
|
if err != nil {
|
|
return errs.New("error occurred while signing certificate: %s\n(identity files were still generated and saved, if you try again existing files will be loaded)", err)
|
|
}
|
|
|
|
signedChain, err := pkcrypto.CertsFromDER(signedChainBytes)
|
|
if err != nil {
|
|
return nil
|
|
}
|
|
|
|
err = caConfig.SaveBackup(ca)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// NB: signedChain is this identity's CA + signer chain.
|
|
ca.Cert = signedChain[0]
|
|
ca.RestChain = signedChain[1:]
|
|
err = caConfig.Save(ca)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
err = identConfig.PeerConfig().SaveBackup(ident.PeerIdentity())
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
ident.RestChain = signedChain[1:]
|
|
ident.CA = ca.Cert
|
|
err = identConfig.PeerConfig().Save(ident.PeerIdentity())
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
fmt.Println("Identity successfully authorized using single use authorization token.")
|
|
fmt.Printf("Please back-up \"%s\" to a safe location.\n", serviceDir)
|
|
return nil
|
|
}
|
|
|
|
func printExtensions(cert []byte, exts []pkix.Extension) error {
|
|
hash := pkcrypto.SHA256Hash(cert)
|
|
b64Hash, err := json.Marshal(hash)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
fmt.Printf("Cert hash: %s\n", b64Hash)
|
|
fmt.Println("Extensions:")
|
|
for _, e := range exts {
|
|
var data interface{}
|
|
if e.Id.Equal(extensions.RevocationExtID) {
|
|
var rev extensions.Revocation
|
|
if err := rev.Unmarshal(e.Value); err != nil {
|
|
return err
|
|
}
|
|
data = rev
|
|
} else {
|
|
data = e.Value
|
|
}
|
|
out, err := json.MarshalIndent(data, "", " ")
|
|
if err != nil {
|
|
return err
|
|
}
|
|
fmt.Printf("\t%s: %s\n", e.Id, out)
|
|
}
|
|
return nil
|
|
}
|