github.com/sl1pm4t/consul@v1.4.5-0.20190325224627-74c31c540f9c/agent/structs/connect_ca.go (about)

     1  package structs
     2  
     3  import (
     4  	"fmt"
     5  	"reflect"
     6  	"time"
     7  
     8  	"github.com/mitchellh/mapstructure"
     9  )
    10  
    11  // IndexedCARoots is the list of currently trusted CA Roots.
    12  type IndexedCARoots struct {
    13  	// ActiveRootID is the ID of a root in Roots that is the active CA root.
    14  	// Other roots are still valid if they're in the Roots list but are in
    15  	// the process of being rotated out.
    16  	ActiveRootID string
    17  
    18  	// TrustDomain is the identification root for this Consul cluster. All
    19  	// certificates signed by the cluster's CA must have their identifying URI in
    20  	// this domain.
    21  	//
    22  	// This does not include the protocol (currently spiffe://) since we may
    23  	// implement other protocols in future with equivalent semantics. It should be
    24  	// compared against the "authority" section of a URI (i.e. host:port).
    25  	//
    26  	// We need to support migrating a cluster between trust domains to support
    27  	// Multi-DC migration in Enterprise. In this case the current trust domain is
    28  	// here but entries in Roots may also have ExternalTrustDomain set to a
    29  	// non-empty value implying they were previous roots that are still trusted
    30  	// but under a different trust domain.
    31  	//
    32  	// Note that we DON'T validate trust domain during AuthZ since it causes
    33  	// issues of loss of connectivity during migration between trust domains. The
    34  	// only time the additional validation adds value is where the cluster shares
    35  	// an external root (e.g. organization-wide root) with another distinct Consul
    36  	// cluster or PKI system. In this case, x509 Name Constraints can be added to
    37  	// enforce that Consul's CA can only validly sign or trust certs within the
    38  	// same trust-domain. Name constraints as enforced by TLS handshake also allow
    39  	// seamless rotation between trust domains thanks to cross-signing.
    40  	TrustDomain string
    41  
    42  	// Roots is a list of root CA certs to trust.
    43  	Roots []*CARoot
    44  
    45  	// QueryMeta contains the meta sent via a header. We ignore for JSON
    46  	// so this whole structure can be returned.
    47  	QueryMeta `json:"-"`
    48  }
    49  
    50  // CARoot represents a root CA certificate that is trusted.
    51  type CARoot struct {
    52  	// ID is a globally unique ID (UUID) representing this CA root.
    53  	ID string
    54  
    55  	// Name is a human-friendly name for this CA root. This value is
    56  	// opaque to Consul and is not used for anything internally.
    57  	Name string
    58  
    59  	// SerialNumber is the x509 serial number of the certificate.
    60  	SerialNumber uint64
    61  
    62  	// SigningKeyID is the ID of the public key that corresponds to the private
    63  	// key used to sign the certificate. Is is the HexString format of the raw
    64  	// AuthorityKeyID bytes.
    65  	SigningKeyID string
    66  
    67  	// ExternalTrustDomain is the trust domain this root was generated under. It
    68  	// is usually empty implying "the current cluster trust-domain". It is set
    69  	// only in the case that a cluster changes trust domain and then all old roots
    70  	// that are still trusted have the old trust domain set here.
    71  	//
    72  	// We currently DON'T validate these trust domains explicitly anywhere, see
    73  	// IndexedRoots.TrustDomain doc. We retain this information for debugging and
    74  	// future flexibility.
    75  	ExternalTrustDomain string
    76  
    77  	// Time validity bounds.
    78  	NotBefore time.Time
    79  	NotAfter  time.Time
    80  
    81  	// RootCert is the PEM-encoded public certificate.
    82  	RootCert string
    83  
    84  	// IntermediateCerts is a list of PEM-encoded intermediate certs to
    85  	// attach to any leaf certs signed by this CA.
    86  	IntermediateCerts []string
    87  
    88  	// SigningCert is the PEM-encoded signing certificate and SigningKey
    89  	// is the PEM-encoded private key for the signing certificate. These
    90  	// may actually be empty if the CA plugin in use manages these for us.
    91  	SigningCert string `json:",omitempty"`
    92  	SigningKey  string `json:",omitempty"`
    93  
    94  	// Active is true if this is the current active CA. This must only
    95  	// be true for exactly one CA. For any method that modifies roots in the
    96  	// state store, tests should be written to verify that multiple roots
    97  	// cannot be active.
    98  	Active bool
    99  
   100  	// RotatedOutAt is the time at which this CA was removed from the state.
   101  	// This will only be set on roots that have been rotated out from being the
   102  	// active root.
   103  	RotatedOutAt time.Time `json:"-"`
   104  
   105  	RaftIndex
   106  }
   107  
   108  // CARoots is a list of CARoot structures.
   109  type CARoots []*CARoot
   110  
   111  // CASignRequest is the request for signing a service certificate.
   112  type CASignRequest struct {
   113  	// Datacenter is the target for this request.
   114  	Datacenter string
   115  
   116  	// CSR is the PEM-encoded CSR.
   117  	CSR string
   118  
   119  	// WriteRequest is a common struct containing ACL tokens and other
   120  	// write-related common elements for requests.
   121  	WriteRequest
   122  }
   123  
   124  // RequestDatacenter returns the datacenter for a given request.
   125  func (q *CASignRequest) RequestDatacenter() string {
   126  	return q.Datacenter
   127  }
   128  
   129  // IssuedCert is a certificate that has been issued by a Connect CA.
   130  type IssuedCert struct {
   131  	// SerialNumber is the unique serial number for this certificate.
   132  	// This is encoded in standard hex separated by :.
   133  	SerialNumber string
   134  
   135  	// CertPEM and PrivateKeyPEM are the PEM-encoded certificate and private
   136  	// key for that cert, respectively. This should not be stored in the
   137  	// state store, but is present in the sign API response.
   138  	CertPEM       string `json:",omitempty"`
   139  	PrivateKeyPEM string `json:",omitempty"`
   140  
   141  	// Service is the name of the service for which the cert was issued.
   142  	// ServiceURI is the cert URI value.
   143  	Service    string
   144  	ServiceURI string
   145  
   146  	// ValidAfter and ValidBefore are the validity periods for the
   147  	// certificate.
   148  	ValidAfter  time.Time
   149  	ValidBefore time.Time
   150  
   151  	RaftIndex
   152  }
   153  
   154  // CAOp is the operation for a request related to intentions.
   155  type CAOp string
   156  
   157  const (
   158  	CAOpSetRoots            CAOp = "set-roots"
   159  	CAOpSetConfig           CAOp = "set-config"
   160  	CAOpSetProviderState    CAOp = "set-provider-state"
   161  	CAOpDeleteProviderState CAOp = "delete-provider-state"
   162  	CAOpSetRootsAndConfig   CAOp = "set-roots-config"
   163  )
   164  
   165  // CARequest is used to modify connect CA data. This is used by the
   166  // FSM (agent/consul/fsm) to apply changes.
   167  type CARequest struct {
   168  	// Op is the type of operation being requested. This determines what
   169  	// other fields are required.
   170  	Op CAOp
   171  
   172  	// Datacenter is the target for this request.
   173  	Datacenter string
   174  
   175  	// Index is used by CAOpSetRoots and CAOpSetConfig for a CAS operation.
   176  	Index uint64
   177  
   178  	// Roots is a list of roots. This is used for CAOpSet. One root must
   179  	// always be active.
   180  	Roots []*CARoot
   181  
   182  	// Config is the configuration for the current CA plugin.
   183  	Config *CAConfiguration
   184  
   185  	// ProviderState is the state for the builtin CA provider.
   186  	ProviderState *CAConsulProviderState
   187  
   188  	// WriteRequest is a common struct containing ACL tokens and other
   189  	// write-related common elements for requests.
   190  	WriteRequest
   191  }
   192  
   193  // RequestDatacenter returns the datacenter for a given request.
   194  func (q *CARequest) RequestDatacenter() string {
   195  	return q.Datacenter
   196  }
   197  
   198  const (
   199  	ConsulCAProvider = "consul"
   200  	VaultCAProvider  = "vault"
   201  )
   202  
   203  // CAConfiguration is the configuration for the current CA plugin.
   204  type CAConfiguration struct {
   205  	// ClusterID is a unique identifier for the cluster
   206  	ClusterID string `json:"-"`
   207  
   208  	// Provider is the CA provider implementation to use.
   209  	Provider string
   210  
   211  	// Configuration is arbitrary configuration for the provider. This
   212  	// should only contain primitive values and containers (such as lists
   213  	// and maps).
   214  	Config map[string]interface{}
   215  
   216  	RaftIndex
   217  }
   218  
   219  func (c *CAConfiguration) GetCommonConfig() (*CommonCAProviderConfig, error) {
   220  	if c == nil {
   221  		return nil, fmt.Errorf("config map was nil")
   222  	}
   223  
   224  	var config CommonCAProviderConfig
   225  
   226  	// Set Defaults
   227  	config.CSRMaxPerSecond = 50 // See doc comment for rationale here.
   228  
   229  	decodeConf := &mapstructure.DecoderConfig{
   230  		DecodeHook:       ParseDurationFunc(),
   231  		Result:           &config,
   232  		WeaklyTypedInput: true,
   233  	}
   234  
   235  	decoder, err := mapstructure.NewDecoder(decodeConf)
   236  	if err != nil {
   237  		return nil, err
   238  	}
   239  
   240  	if err := decoder.Decode(c.Config); err != nil {
   241  		return nil, fmt.Errorf("error decoding config: %s", err)
   242  	}
   243  
   244  	return &config, nil
   245  }
   246  
   247  type CommonCAProviderConfig struct {
   248  	LeafCertTTL time.Duration
   249  
   250  	SkipValidate bool
   251  
   252  	// CSRMaxPerSecond is a rate limit on processing Connect Certificate Signing
   253  	// Requests on the servers. It applies to all CA providers so can be used to
   254  	// limit rate to an external CA too. 0 disables the rate limit. Defaults to 50
   255  	// which is low enough to prevent overload of a reasonably sized production
   256  	// server while allowing a cluster with 1000 service instances to complete a
   257  	// rotation in 20 seconds. For reference a quad-core 2017 MacBook pro can
   258  	// process 100 signing RPCs a second while using less than half of one core.
   259  	// For large clusters with powerful servers it's advisable to increase this
   260  	// rate or to disable this limit and instead rely on CSRMaxConcurrent to only
   261  	// consume a subset of the server's cores.
   262  	CSRMaxPerSecond float32
   263  
   264  	// CSRMaxConcurrent is a limit on how many concurrent CSR signing requests
   265  	// will be processed in parallel. New incoming signing requests will try for
   266  	// `consul.csrSemaphoreWait` (currently 500ms) for a slot before being
   267  	// rejected with a "rate limited" backpressure response. This effectively sets
   268  	// how many CPU cores can be occupied by Connect CA signing activity and
   269  	// should be a (small) subset of your server's available cores to allow other
   270  	// tasks to complete when a barrage of CSRs come in (e.g. after a CA root
   271  	// rotation). Setting to 0 disables the limit, attempting to sign certs
   272  	// immediately in the RPC goroutine. This is 0 by default and CSRMaxPerSecond
   273  	// is used. This is ignored if CSRMaxPerSecond is non-zero.
   274  	CSRMaxConcurrent int
   275  }
   276  
   277  func (c CommonCAProviderConfig) Validate() error {
   278  	if c.SkipValidate {
   279  		return nil
   280  	}
   281  
   282  	if c.LeafCertTTL < time.Hour {
   283  		return fmt.Errorf("leaf cert TTL must be greater than 1h")
   284  	}
   285  
   286  	if c.LeafCertTTL > 365*24*time.Hour {
   287  		return fmt.Errorf("leaf cert TTL must be less than 1 year")
   288  	}
   289  
   290  	return nil
   291  }
   292  
   293  type ConsulCAProviderConfig struct {
   294  	CommonCAProviderConfig `mapstructure:",squash"`
   295  
   296  	PrivateKey     string
   297  	RootCert       string
   298  	RotationPeriod time.Duration
   299  }
   300  
   301  // CAConsulProviderState is used to track the built-in Consul CA provider's state.
   302  type CAConsulProviderState struct {
   303  	ID               string
   304  	PrivateKey       string
   305  	RootCert         string
   306  	IntermediateCert string
   307  
   308  	RaftIndex
   309  }
   310  
   311  type VaultCAProviderConfig struct {
   312  	CommonCAProviderConfig `mapstructure:",squash"`
   313  
   314  	Address             string
   315  	Token               string
   316  	RootPKIPath         string
   317  	IntermediatePKIPath string
   318  
   319  	CAFile        string
   320  	CAPath        string
   321  	CertFile      string
   322  	KeyFile       string
   323  	TLSServerName string
   324  	TLSSkipVerify bool
   325  }
   326  
   327  // CALeafOp is the operation for a request related to leaf certificates.
   328  type CALeafOp string
   329  
   330  const (
   331  	CALeafOpIncrementIndex CALeafOp = "increment-index"
   332  )
   333  
   334  // CALeafRequest is used to modify connect CA leaf data. This is used by the
   335  // FSM (agent/consul/fsm) to apply changes.
   336  type CALeafRequest struct {
   337  	// Op is the type of operation being requested. This determines what
   338  	// other fields are required.
   339  	Op CALeafOp
   340  
   341  	// Datacenter is the target for this request.
   342  	Datacenter string
   343  
   344  	// WriteRequest is a common struct containing ACL tokens and other
   345  	// write-related common elements for requests.
   346  	WriteRequest
   347  }
   348  
   349  // RequestDatacenter returns the datacenter for a given request.
   350  func (q *CALeafRequest) RequestDatacenter() string {
   351  	return q.Datacenter
   352  }
   353  
   354  // ParseDurationFunc is a mapstructure hook for decoding a string or
   355  // []uint8 into a time.Duration value.
   356  func ParseDurationFunc() mapstructure.DecodeHookFunc {
   357  	return func(
   358  		f reflect.Type,
   359  		t reflect.Type,
   360  		data interface{}) (interface{}, error) {
   361  		var v time.Duration
   362  		if t != reflect.TypeOf(v) {
   363  			return data, nil
   364  		}
   365  
   366  		switch {
   367  		case f.Kind() == reflect.String:
   368  			if dur, err := time.ParseDuration(data.(string)); err != nil {
   369  				return nil, err
   370  			} else {
   371  				v = dur
   372  			}
   373  			return v, nil
   374  		case f == reflect.SliceOf(reflect.TypeOf(uint8(0))):
   375  			s := Uint8ToString(data.([]uint8))
   376  			if dur, err := time.ParseDuration(s); err != nil {
   377  				return nil, err
   378  			} else {
   379  				v = dur
   380  			}
   381  			return v, nil
   382  		default:
   383  			return data, nil
   384  		}
   385  	}
   386  }
   387  
   388  func Uint8ToString(bs []uint8) string {
   389  	b := make([]byte, len(bs))
   390  	for i, v := range bs {
   391  		b[i] = byte(v)
   392  	}
   393  	return string(b)
   394  }