Auth: Fine-grained access control for TLS clients #14099

Draft
wants to merge 28 commits into
base: main
Conversation

markylaing
Contributor

@markylaing markylaing commented Sep 13, 2024

This PR adds:

  • The ability to create TLS identities via lxc auth identity create [<remote>:]tls/<name> [<path_to_cert_file>]. If a file is provided, the certificate is sent as a base64 encoded, PEM encoded certificate in the request body. If a file is not provided, an identity of type Client certificate (pending) is created, whose identifier is a UUID. The pending client certificate identity works like a certificate add operation - its metadata contains a secret and an expiry time.
  • The ability for untrusted clients to update their pending client certificate to a Client certificate, with a valid token.
  • Updates to lxc remote add to handle these cases.
  • The ability to delete TLS and OIDC identities.
  • Restrictions to /1.0/certificates so that the API does not show the new TLS identity type.
  • The ability to add these new TLS identities to groups.

Here are some examples:

$ lxc auth group create my-group
Group my-group created
$ lxc auth group permission add my-group project default operator
$ lxc auth identity create tls/jane-doe
eyJjbGllbnRfbmFtZSI6ImphbmUtZG9lIiwiZmluZ2VycHJpbnQiOiI1MGYxZWUwYTUxYjRmNzQ0MDcyODAwNTJiMGQ5YzM3MzFkNGIzNjE2ZDE0ZWYwMjMzOTNhZjAzMGRmYzEyMjdhIiwiYWRkcmVzc2VzIjpbIjEyNy4wLjAuMTo4NDQzIl0sInNlY3JldCI6ImMxNjgzYzljYmNlOThhMmZjOTk3MmQwYWNhZTI1MDg5NTU1OWM5YjVkMmZhZDc5MDU5OWY2NTQ3OGYwMTRiMTkiLCJleHBpcmVzX2F0IjoiMDAwMS0wMS0wMVQwMDowMDowMFoiLCJpZGVudGl0eV90eXBlIjoiQ2xpZW50IGNlcnRpZmljYXRlIn0=
$ lxc remote add tls eyJjbGllbnRfbmFtZSI6ImphbmUtZG9lIiwiZmluZ2VycHJpbnQiOiI1MGYxZWUwYTUxYjRmNzQ0MDcyODAwNTJiMGQ5YzM3MzFkNGIzNjE2ZDE0ZWYwMjMzOTNhZjAzMGRmYzEyMjdhIiwiYWRkcmVzc2VzIjpbIjEyNy4wLjAuMTo4NDQzIl0sInNlY3JldCI6ImMxNjgzYzljYmNlOThhMmZjOTk3MmQwYWNhZTI1MDg5NTU1OWM5YjVkMmZhZDc5MDU5OWY2NTQ3OGYwMTRiMTkiLCJleHBpcmVzX2F0IjoiMDAwMS0wMS0wMVQwMDowMDowMFoiLCJpZGVudGl0eV90eXBlIjoiQ2xpZW50IGNlcnRpZmljYXRlIn0=
$ lxc auth identity info tls:
authentication_method: tls
type: Client certificate
id: 1a44a4e3c4ec4613ddb1ac383b07efb3a1627d618f078189f16c0d3d737f41e0
name: jane-doe
groups: []
metadata:
  certificate: |
    -----BEGIN CERTIFICATE-----
    MIIBtjCCATygAwIBAgIQEV92p1vA4XDQyc4kL7NEhjAKBggqhkjOPQQDAzAjMQww
    CgYDVQQKEwNMWEQxEzARBgNVBAMMCm1hcmtAUlVCSVgwHhcNMjQwNzEwMDcxNTMy
    WhcNMzQwNzA4MDcxNTMyWjAjMQwwCgYDVQQKEwNMWEQxEzARBgNVBAMMCm1hcmtA
    UlVCSVgwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARNj0210EtFuNYPGHnxm4/RwUH4
    qKRn3+N8FBq+Ovk5y1ltQQFlt+484K2YBkCfIFtW5zogyRKDdih2yPLYIevSglpS
    XaHcwqNVfle5VyDNjSOIZJgh/4tu+6qJ2eTIjpejNTAzMA4GA1UdDwEB/wQEAwIF
    oDATBgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMAoGCCqGSM49BAMD
    A2gAMGUCMQCaybZKv5IsWJBm8IG4ovZYrmr6qXWFqHFd1vlv2jCHw5TNgN153KH7
    QJ2rsF9qEDsCMEKgALok7EsW6kWmrVmDm2p6u625u6Pp5CsYzOLo9vemmFfhgZzn
    g3EPW18D+PUd+w==
    -----END CERTIFICATE-----
effective_groups: []
effective_permissions: []
$ lxc auth identity group add tls/jane-doe my-group
$ lxc project list tls:
+-------------------+--------+----------+-----------------+-----------------+----------+---------------+---------------------+---------+
|       NAME        | IMAGES | PROFILES | STORAGE VOLUMES | STORAGE BUCKETS | NETWORKS | NETWORK ZONES |     DESCRIPTION     | USED BY |
+-------------------+--------+----------+-----------------+-----------------+----------+---------------+---------------------+---------+
| default (current) | YES    | YES      | YES             | YES             | YES      | YES           | Default LXD project | 8       |
+-------------------+--------+----------+-----------------+-----------------+----------+---------------+---------------------+---------+
$ lxc project create tls:foo
Error: Forbidden
$ lxc auth identity list
+-----------------------+--------------------+----------+------------------------------------------------------------------+----------+
| AUTHENTICATION METHOD |        TYPE        |   NAME   |                            IDENTIFIER                            |  GROUPS  |
+-----------------------+--------------------+----------+------------------------------------------------------------------+----------+
| tls                   | Client certificate | jane-doe | 1a44a4e3c4ec4613ddb1ac383b07efb3a1627d618f078189f16c0d3d737f41e0 | my-group |
+-----------------------+--------------------+----------+------------------------------------------------------------------+----------+
$ lxc auth identity create tls/foo
eyJjbGllbnRfbmFtZSI6ImZvbyIsImZpbmdlcnByaW50IjoiNTBmMWVlMGE1MWI0Zjc0NDA3MjgwMDUyYjBkOWMzNzMxZDRiMzYxNmQxNGVmMDIzMzkzYWYwMzBkZmMxMjI3YSIsImFkZHJlc3NlcyI6WyIxMjcuMC4wLjE6ODQ0MyJdLCJzZWNyZXQiOiI3ZTA0OTg5MTEzMTY0N2NjZTkwNzQxMjFjZDAzYWNmNTQ5NGVlNjg2ODgyODgyZDkzMTA4MTAwNDhiOGI0MzE1IiwiZXhwaXJlc19hdCI6IjAwMDEtMDEtMDFUMDA6MDA6MDBaIiwiaWRlbnRpdHlfdHlwZSI6IkNsaWVudCBjZXJ0aWZpY2F0ZSJ9
$ lxc auth identity list
+-----------------------+------------------------------+----------+------------------------------------------------------------------+----------+
| AUTHENTICATION METHOD |             TYPE             |   NAME   |                            IDENTIFIER                            |  GROUPS  |
+-----------------------+------------------------------+----------+------------------------------------------------------------------+----------+
| tls                   | Client certificate           | jane-doe | 1a44a4e3c4ec4613ddb1ac383b07efb3a1627d618f078189f16c0d3d737f41e0 | my-group |
+-----------------------+------------------------------+----------+------------------------------------------------------------------+----------+
| tls                   | Client certificate (pending) | foo      | 3bec59ec-40f8-457c-9d24-5dd9616ea0fe                             |          |
+-----------------------+------------------------------+----------+------------------------------------------------------------------+----------+
$ lxc config trust list
+------+------+-------------+-------------+------------+-------------+
| TYPE | NAME | COMMON NAME | FINGERPRINT | ISSUE DATE | EXPIRY DATE |
+------+------+-------------+-------------+------------+-------------+

Closes #13149

@github-actions github-actions bot added Documentation Documentation needs updating API Changes to the REST API labels Sep 13, 2024

Heads up @mionaalex - the "Documentation" label was applied to this issue.

We should never expose the secret except in the issued token.

Signed-off-by: Mark Laing <[email protected]>
Whether a new client is being trusted via secret, or if an
administrator is adding or updating the certificate directly,
the certificate must be signed by the CA if set.

Note that this is *not* a security issue, because we validate
that client certificates have been signed by the CA when authenticating.
This just meant that it was possible for an admin to create a certificate
that would be invalid.

Signed-off-by: Mark Laing <[email protected]>
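The CA gate the commit message above describes, as an added Go example (not LXD's code): a throwaway CA, one client certificate it signed and one self-signed client certificate with the same subject all go through the same check. `checkClientCert`, the `template` and `issue` helpers, the names and the keys are constructed for this example; a nil CA stands for "no CA configured".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template builds a minimal certificate template. CA templates get the
// basic-constraints and certSign bits; client templates get the clientAuth EKU.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{Organization: []string{"LXD"}, CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// issue signs tmpl for pub with signer and parses the result. A nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkClientCert is the gate: with a CA configured, the client certificate must
// chain to it and carry the clientAuth usage; with no CA configured (ca == nil)
// there is nothing to chain to and the caller relies on the fingerprint it already
// trusts. Run it when an admin adds or updates a certificate and again on every
// authentication, so an entry that could never authenticate is never created.
func checkClientCert(cert, ca *x509.Certificate) error {
	if ca == nil {
		return nil
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// buildScenario returns a CA, a client cert it signed, and a self-signed client
// cert that copies the subject but has no path to the CA. Keys are throwaway.
func buildScenario() (ca, signed, rogue *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	ca, err = issue(template("LXD test CA", 1, true), nil, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	signed, err = issue(template("jane-doe", 2, false), ca, &clientKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	rogue, err = issue(template("jane-doe", 3, false), nil, &clientKey.PublicKey, clientKey)
	return ca, signed, rogue, err
}

func main() {
	ca, signed, rogue, err := buildScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("CA-signed client cert:  ", checkClientCert(signed, ca)) // nil
	fmt.Println("self-signed client cert:", checkClientCert(rogue, ca))  // unknown authority error
	fmt.Println("no CA configured:       ", checkClientCert(rogue, nil)) // nil: fingerprint trust only
}
```

Running the same function at add time and at authentication time is what turns the "admin could create a certificate that would be invalid" state the commit describes into a rejected request up front; in no-CA mode the only binding is the fingerprint the server already trusts.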
Adds the fine-grained TLS identity type to the list of candidate
identity types for client authentication.

Signed-off-by: Mark Laing <[email protected]>
This field indicates to the CLI which API to use when adding a remote.
If `Identity` is true, then `POST /1.0/auth/identities/tls` will be used.
Otherwise, `POST /1.0/certificates` will be used.

Signed-off-by: Mark Laing <[email protected]>
If a token is requested, a pending TLS identity is created
whose identifier is a UUID, and whose metadata contains a
secret and an expiry.

If a token is supplied, the pending TLS identities are enumerated
and if a matching secret is found (that has not expired), the pending
identity is updated with the TLS certificate that the client sent during
the TLS handshake.

If a certificate is supplied directly, then an identity of type
`Client certificate` is created.

Signed-off-by: Mark Laing <[email protected]>
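The create-then-redeem flow in the PR description and in the commit message above, as an added Go example (not LXD's code): it decodes the jane-doe token printed in the description, holds a pending identity whose secret matches it, and promotes that identity using the certificate shown by `lxc auth identity info tls:` as the handshake certificate. The type names, `redeemToken`, the constructed pending UUID and treating a zero `expires_at` as "no expiry" are this example's assumptions; the JSON keys and the SHA-256 identifier format are the ones visible on the page.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"time"
)

// tlsIdentityToken: the fields visible when the token from `lxc auth identity create tls/...` is base64-decoded.
type tlsIdentityToken struct {
	ClientName   string    `json:"client_name"`
	Fingerprint  string    `json:"fingerprint"` // server certificate fingerprint the client pins
	Addresses    []string  `json:"addresses"`
	Secret       string    `json:"secret"` // the only place the secret is ever shown
	ExpiresAt    time.Time `json:"expires_at"`
	IdentityType string    `json:"identity_type"`
}

// pendingIdentity stands in for "Client certificate (pending)"; trustedIdentity for the promoted "Client certificate".
type pendingIdentity struct {
	ID, Name, Secret string    // ID is a UUID; Secret and ExpiresAt live in the identity's metadata
	ExpiresAt        time.Time // zero is treated as "no expiry" (this example's assumption)
}
type trustedIdentity struct{ ID, Name, Certificate string } // ID is the certificate fingerprint

func decodeToken(tok string) (*tlsIdentityToken, error) {
	raw, err := base64.StdEncoding.DecodeString(tok)
	if err != nil {
		return nil, fmt.Errorf("token is not base64: %w", err)
	}
	var t tlsIdentityToken
	if err := json.Unmarshal(raw, &t); err != nil {
		return nil, fmt.Errorf("token is not JSON: %w", err)
	}
	return &t, nil
}

// certFingerprint is hex(SHA-256(DER)) of the certificate in a PEM block, the identifier shown by `lxc auth identity list`.
func certFingerprint(certPEM string) (string, error) {
	block, _ := pem.Decode([]byte(certPEM))
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("no CERTIFICATE PEM block")
	}
	sum := sha256.Sum256(block.Bytes)
	return hex.EncodeToString(sum[:]), nil
}

// redeemToken models the server side of `lxc remote add <token>`: enumerate pending identities,
// compare secrets in constant time, refuse an expired match, and promote the match with the
// certificate the client presented in the TLS handshake (nothing in the token is trusted for that).
func redeemToken(pending []pendingIdentity, secret, handshakeCertPEM string, now time.Time) ([]pendingIdentity, *trustedIdentity, error) {
	for i, p := range pending {
		if subtle.ConstantTimeCompare([]byte(p.Secret), []byte(secret)) != 1 {
			continue
		}
		if !p.ExpiresAt.IsZero() && now.After(p.ExpiresAt) {
			return pending, nil, fmt.Errorf("token for %q expired at %s", p.Name, p.ExpiresAt.Format(time.RFC3339))
		}
		fp, err := certFingerprint(handshakeCertPEM)
		if err != nil {
			return pending, nil, err
		}
		rest := append(pending[:i:i], pending[i+1:]...) // copies, so the caller's slice is untouched
		return rest, &trustedIdentity{ID: fp, Name: p.Name, Certificate: handshakeCertPEM}, nil
	}
	return pending, nil, errors.New("no pending identity matches the supplied secret")
}

const exampleToken = "eyJjbGllbnRfbmFtZSI6ImphbmUtZG9lIiwiZmluZ2VycHJpbnQiOiI1MGYxZWUwYTUxYjRmNzQ0MDcyODAwNTJiMGQ5YzM3MzFkNGIzNjE2ZDE0ZWYwMjMzOTNhZjAzMGRmYzEyMjdhIiwiYWRkcmVzc2VzIjpbIjEyNy4wLjAuMTo4NDQzIl0sInNlY3JldCI6ImMxNjgzYzljYmNlOThhMmZjOTk3MmQwYWNhZTI1MDg5NTU1OWM5YjVkMmZhZDc5MDU5OWY2NTQ3OGYwMTRiMTkiLCJleHBpcmVzX2F0IjoiMDAwMS0wMS0wMVQwMDowMDowMFoiLCJpZGVudGl0eV90eXBlIjoiQ2xpZW50IGNlcnRpZmljYXRlIn0=" // token printed for jane-doe in the PR description
const exampleCertPEM = `-----BEGIN CERTIFICATE-----
MIIBtjCCATygAwIBAgIQEV92p1vA4XDQyc4kL7NEhjAKBggqhkjOPQQDAzAjMQww
CgYDVQQKEwNMWEQxEzARBgNVBAMMCm1hcmtAUlVCSVgwHhcNMjQwNzEwMDcxNTMy
WhcNMzQwNzA4MDcxNTMyWjAjMQwwCgYDVQQKEwNMWEQxEzARBgNVBAMMCm1hcmtA
UlVCSVgwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARNj0210EtFuNYPGHnxm4/RwUH4
qKRn3+N8FBq+Ovk5y1ltQQFlt+484K2YBkCfIFtW5zogyRKDdih2yPLYIevSglpS
XaHcwqNVfle5VyDNjSOIZJgh/4tu+6qJ2eTIjpejNTAzMA4GA1UdDwEB/wQEAwIF
oDATBgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMAoGCCqGSM49BAMD
A2gAMGUCMQCaybZKv5IsWJBm8IG4ovZYrmr6qXWFqHFd1vlv2jCHw5TNgN153KH7
QJ2rsF9qEDsCMEKgALok7EsW6kWmrVmDm2p6u625u6Pp5CsYzOLo9vemmFfhgZzn
g3EPW18D+PUd+w==
-----END CERTIFICATE-----` // certificate shown by lxc auth identity info tls: in the PR description

func main() {
	tok, err := decodeToken(exampleToken)
	if err != nil {
		panic(err)
	}
	// Constructed pending entry for jane-doe; the UUID is invented for this example.
	pending := []pendingIdentity{{ID: "6d2a0f3c-0000-4000-8000-000000000001", Name: tok.ClientName, Secret: tok.Secret}}
	_, id, err := redeemToken(pending, tok.Secret, exampleCertPEM, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s pins server %s and is now Client certificate %s\n", tok.ClientName, tok.Fingerprint, id.ID)
}
```

Two properties worth keeping from this: the secret comparison is constant-time, and the promoted identity's certificate comes from the TLS handshake rather than from the token, so possession of the secret alone binds only the key the client actually connected with.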
Deletes the identity. For mTLS authentication this revokes trust entirely. For
OIDC this does not revoke trust but will revoke any locally configured group
membership (and therefore revoke access). If group membership has been configured via
identity provider groups then this will do nothing.

Signed-off-by: Mark Laing <[email protected]>
On updating the certificate cache, it was possible (programmatically)
to append a nil certificate to the list of local server certificates.

Signed-off-by: Mark Laing <[email protected]>
Successfully merging this pull request may close these issues.

Auth: Remove OIDC identities