blob: 73fe27637103e34ecf02be2239c7859e80ae10e6 [file] [log] [blame]
// Copyright 2015 The Vanadium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package server
import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/sha512"
"crypto/x509"
"encoding/base64"
"fmt"
"os"
"path/filepath"
"sync"
"v.io/v23/security"
"v.io/v23/verror"
vsecurity "v.io/x/ref/lib/security"
"v.io/x/ref/services/agent"
"v.io/x/ref/services/agent/internal/ipc"
)
const pkgPath = "v.io/x/ref/services/agent/internal/server"
// Errors
var (
errStoragePathRequired = verror.Register(pkgPath+".errStoragePathRequired",
verror.NoRetry, "{1:}{2:} RunKeyManager: storage path is required")
errNotMultiKeyMode = verror.Register(pkgPath+".errNotMultiKeyMode",
verror.NoRetry, "{1:}{2:} Not running in multi-key mode")
)
type agentd struct {
ipc *ipc.IPC
principal security.Principal
mu sync.RWMutex
}
type keyData struct {
p security.Principal
agent *ipc.IPC
}
type keymgr struct {
path string
passphrase []byte
cache map[[agent.PrincipalHandleByteSize]byte]keyData
mu sync.Mutex
}
// ServeAgent registers the agent server with 'ipc'.
// It will respond to requests using 'principal'.
// Must be called before ipc.Listen or ipc.Connect.
func ServeAgent(i *ipc.IPC, principal security.Principal) (err error) {
server := &agentd{ipc: i, principal: principal}
return i.Serve(server)
}
func newKeyManager(path string, passphrase []byte) (*keymgr, error) {
if path == "" {
return nil, verror.New(errStoragePathRequired, nil)
}
mgr := &keymgr{path: path, passphrase: passphrase, cache: make(map[[agent.PrincipalHandleByteSize]byte]keyData)}
if err := os.MkdirAll(filepath.Join(mgr.path, "keys"), 0700); err != nil {
return nil, err
}
if err := os.MkdirAll(filepath.Join(mgr.path, "creds"), 0700); err != nil {
return nil, err
}
return mgr, nil
}
type localKeymgr struct {
*keymgr
}
func NewLocalKeyManager(path string, passphrase []byte) (agent.KeyManager, error) {
m, err := newKeyManager(path, passphrase)
return localKeymgr{m}, err
}
func (l localKeymgr) Close() error {
defer l.mu.Unlock()
l.mu.Lock()
for _, data := range l.cache {
if data.agent != nil {
data.agent.Close()
}
}
return nil
}
// ServeKeyManager registers key manager server with 'ipc'.
// It will persist principals in 'path' using 'passphrase'.
// Must be called before ipc.Listen or ipc.Connect.
func ServeKeyManager(i *ipc.IPC, path string, passphrase []byte) error {
mgr, err := newKeyManager(path, passphrase)
if err != nil {
return err
}
return i.Serve(mgr)
}
func (a *keymgr) readKey(handle [agent.PrincipalHandleByteSize]byte) (keyData, error) {
{
a.mu.Lock()
cached, ok := a.cache[handle]
a.mu.Unlock()
if ok {
return cached, nil
}
}
var nodata keyData
filename := base64.URLEncoding.EncodeToString(handle[:])
in, err := os.Open(filepath.Join(a.path, "keys", filename))
if err != nil {
return nodata, fmt.Errorf("unable to open key file: %v", err)
}
defer in.Close()
key, err := vsecurity.LoadPEMKey(in, a.passphrase)
if err != nil {
return nodata, fmt.Errorf("unable to load key in %q: %v", in.Name(), err)
}
state, err := vsecurity.NewPrincipalStateSerializer(filepath.Join(a.path, "creds", filename))
if err != nil {
return nodata, fmt.Errorf("unable to create persisted state serializer: %v", err)
}
principal, err := vsecurity.NewPrincipalFromSigner(security.NewInMemoryECDSASigner(key.(*ecdsa.PrivateKey)), state)
if err != nil {
return nodata, fmt.Errorf("unable to load principal: %v", err)
}
data := keyData{p: principal}
a.mu.Lock()
if cachedData, ok := a.cache[handle]; ok {
data = cachedData
} else {
a.cache[handle] = data
}
a.mu.Unlock()
return data, nil
}
func (a *agentd) Bless(key []byte, with security.Blessings, extension string, caveat security.Caveat, additionalCaveats []security.Caveat) (security.Blessings, error) {
pkey, err := security.UnmarshalPublicKey(key)
if err != nil {
return security.Blessings{}, err
}
return a.principal.Bless(pkey, with, extension, caveat, additionalCaveats...)
}
func (a *agentd) BlessSelf(name string, caveats []security.Caveat) (security.Blessings, error) {
return a.principal.BlessSelf(name, caveats...)
}
func (a *agentd) Sign(message []byte) (security.Signature, error) {
return a.principal.Sign(message)
}
func (a *agentd) MintDischarge(forCaveat, caveatOnDischarge security.Caveat, additionalCaveatsOnDischarge []security.Caveat) (security.Discharge, error) {
return a.principal.MintDischarge(forCaveat, caveatOnDischarge, additionalCaveatsOnDischarge...)
}
func (a *keymgr) NewPrincipal(in_memory bool) (handle [agent.PrincipalHandleByteSize]byte, err error) {
if a.path == "" {
return handle, verror.New(errNotMultiKeyMode, nil)
}
key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
return handle, err
}
if handle, err = keyid(key); err != nil {
return handle, err
}
signer := security.NewInMemoryECDSASigner(key)
var p security.Principal
if in_memory {
if p, err = vsecurity.NewPrincipalFromSigner(signer, nil); err != nil {
return handle, err
}
} else {
filename := base64.URLEncoding.EncodeToString(handle[:])
out, err := os.OpenFile(filepath.Join(a.path, "keys", filename), os.O_WRONLY|os.O_CREATE, 0600)
if err != nil {
return handle, err
}
defer out.Close()
err = vsecurity.SavePEMKey(out, key, a.passphrase)
if err != nil {
return handle, err
}
state, err := vsecurity.NewPrincipalStateSerializer(filepath.Join(a.path, "creds", filename))
if err != nil {
return handle, err
}
p, err = vsecurity.NewPrincipalFromSigner(signer, state)
if err != nil {
return handle, err
}
}
data := keyData{p: p}
a.mu.Lock()
if _, ok := a.cache[handle]; !ok {
a.cache[handle] = data
}
a.mu.Unlock()
return handle, nil
}
func keyid(key *ecdsa.PrivateKey) (handle [agent.PrincipalHandleByteSize]byte, err error) {
slice, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
if err != nil {
return
}
return sha512.Sum512(slice), nil
}
func (a *agentd) unlock() {
a.mu.Unlock()
for _, conn := range a.ipc.Connections() {
go conn.Call("FlushAllCaches", nil)
}
}
func (a *agentd) PublicKey() ([]byte, error) {
return a.principal.PublicKey().MarshalBinary()
}
func (a *agentd) BlessingStoreSet(blessings security.Blessings, forPeers security.BlessingPattern) (security.Blessings, error) {
defer a.unlock()
a.mu.Lock()
return a.principal.BlessingStore().Set(blessings, forPeers)
}
func (a *agentd) BlessingStoreForPeer(peerBlessings []string) (security.Blessings, error) {
defer a.mu.RUnlock()
a.mu.RLock()
return a.principal.BlessingStore().ForPeer(peerBlessings...), nil
}
func (a *agentd) BlessingStoreSetDefault(blessings security.Blessings) error {
defer a.unlock()
a.mu.Lock()
return a.principal.BlessingStore().SetDefault(blessings)
}
func (a *agentd) BlessingStorePeerBlessings() (map[security.BlessingPattern]security.Blessings, error) {
defer a.mu.RUnlock()
a.mu.RLock()
return a.principal.BlessingStore().PeerBlessings(), nil
}
func (a *agentd) BlessingStoreDebugString() (string, error) {
defer a.mu.RUnlock()
a.mu.RLock()
return a.principal.BlessingStore().DebugString(), nil
}
func (a *agentd) BlessingStoreDefault() (security.Blessings, error) {
defer a.mu.RUnlock()
a.mu.RLock()
return a.principal.BlessingStore().Default(), nil
}
func (a *agentd) BlessingStoreCacheDischarge(discharge security.Discharge, caveat security.Caveat, impetus security.DischargeImpetus) error {
defer a.mu.Unlock()
a.mu.Lock()
a.principal.BlessingStore().CacheDischarge(discharge, caveat, impetus)
return nil
}
func (a *agentd) BlessingStoreClearDischarges(discharges []security.Discharge) error {
defer a.mu.Unlock()
a.mu.Lock()
a.principal.BlessingStore().ClearDischarges(discharges...)
return nil
}
func (a *agentd) BlessingStoreDischarge(caveat security.Caveat, impetus security.DischargeImpetus) (security.Discharge, error) {
defer a.mu.Unlock()
a.mu.Lock()
return a.principal.BlessingStore().Discharge(caveat, impetus), nil
}
func (a *agentd) BlessingRootsAdd(root []byte, pattern security.BlessingPattern) error {
defer a.unlock()
a.mu.Lock()
return a.principal.Roots().Add(root, pattern)
}
func (a *agentd) BlessingRootsRecognized(root []byte, blessing string) error {
defer a.mu.RUnlock()
a.mu.RLock()
return a.principal.Roots().Recognized(root, blessing)
}
func (a *agentd) BlessingRootsDump() (map[security.BlessingPattern][][]byte, error) {
ret := make(map[security.BlessingPattern][][]byte)
defer a.mu.RUnlock()
a.mu.RLock()
for p, keys := range a.principal.Roots().Dump() {
for _, key := range keys {
marshaledKey, err := key.MarshalBinary()
if err != nil {
return nil, err
}
ret[p] = append(ret[p], marshaledKey)
}
}
return ret, nil
}
func (a *agentd) BlessingRootsDebugString() (string, error) {
defer a.mu.RUnlock()
a.mu.RLock()
return a.principal.Roots().DebugString(), nil
}
func (m *keymgr) ServePrincipal(handle [agent.PrincipalHandleByteSize]byte, path string) error {
if maxLen := GetMaxSockPathLen(); len(path) > maxLen {
return fmt.Errorf("socket path (%s) exceeds maximum allowed socket path length (%d)", path, maxLen)
}
if _, err := m.readKey(handle); err != nil {
return err
}
defer m.mu.Unlock()
m.mu.Lock()
data, ok := m.cache[handle]
if !ok {
return fmt.Errorf("key deleted")
}
if data.agent != nil {
return verror.NewErrExist(nil)
}
ipc := ipc.NewIPC()
if err := ServeAgent(ipc, data.p); err != nil {
return err
}
if err := ipc.Listen(path); err != nil {
return err
}
data.agent = ipc
m.cache[handle] = data
return nil
}
func (m *keymgr) StopServing(handle [agent.PrincipalHandleByteSize]byte) error {
if _, err := m.readKey(handle); err != nil {
return err
}
defer m.mu.Unlock()
m.mu.Lock()
data, ok := m.cache[handle]
if !ok {
return fmt.Errorf("key deleted")
}
if data.agent == nil {
return verror.NewErrNoExist(nil)
}
data.agent.Close()
data.agent = nil
m.cache[handle] = data
return nil
}
func (m *keymgr) DeletePrincipal(handle [agent.PrincipalHandleByteSize]byte) error {
defer m.mu.Unlock()
m.mu.Lock()
data, cached := m.cache[handle]
if cached {
if data.agent != nil {
data.agent.Close()
}
delete(m.cache, handle)
}
filename := base64.URLEncoding.EncodeToString(handle[:])
keyErr := os.Remove(filepath.Join(m.path, "keys", filename))
credErr := os.RemoveAll(filepath.Join(m.path, "creds", filename))
if os.IsNotExist(keyErr) && !cached {
return verror.NewErrNoExist(nil)
} else if keyErr != nil {
return keyErr
}
return credErr
}