ipc,naming,security: Use blessing names in endpoint for server
authorization.

Servers now export "v4" formatted endpoints which contain the
blessing names that will be presented by the server. These endpoints
make their way into the mounttable.

This commit makes the client use these blessing names to authorize servers
and prevent man-in-the-middle attacks.

This replaces the older scheme where the mounttable would explicitly
track blessings for each mounted server, separate from the endpoint.
Code for that (naming.MountedServer.BlessingPattern and related code)
will be removed in a follow-up change.

MultiPart: 1/2

Change-Id: Ib9f8fb3d5e6fe4ae1b87a8eb9755666f4f3e18ff
diff --git a/services/mgmt/device/impl/impl_test.go b/services/mgmt/device/impl/impl_test.go
index c2cdca1..080f1d6 100644
--- a/services/mgmt/device/impl/impl_test.go
+++ b/services/mgmt/device/impl/impl_test.go
@@ -908,7 +908,7 @@
 	// Unclaimed devices cannot do anything but be claimed.
 	// TODO(ashankar,caprita): The line below will currently fail with
 	// ErrUnclaimedDevice != NotTrusted. NotTrusted can be avoided by
-	// passing options.SkipResolveAuthorization{} to the "Install" RPC.
+	// passing options.SkipServerEndpointAuthorization{} to the "Install" RPC.
 	// Refactor the helper function to make this possible.
 	//installAppExpectError(t, octx, impl.ErrUnclaimedDevice.ID)
 
@@ -921,9 +921,10 @@
 	// the devicemanager.
 	appID := installApp(t, claimantCtx)
 
-	// octx will not install the app now since it doesn't recognize
-	// the device's blessings.
-	installAppExpectError(t, octx, verror.ErrNotTrusted.ID)
+	// octx will not install the app now since it doesn't recognize the
+	// device's blessings. The error returned will be ErrNoServers as that
+	// is what the IPC stack does when there are no authorized servers.
+	installAppExpectError(t, octx, verror.ErrNoServers.ID)
 	// Even if it does recognize the device (by virtue of recognizing the
 	// claimant), the device will not allow it to install.
 	if err := v23.GetPrincipal(octx).AddToRoots(v23.GetPrincipal(claimantCtx).BlessingStore().Default()); err != nil {
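Review bot: The expectation changed at line 42 from ErrNotTrusted to ErrNoServers, which is a less specific signal: per the comment on lines 40-41 the IPC stack returns the same error whenever it has no authorized server to talk to, so the assertion would also pass if the device manager were simply unmounted or unreachable rather than unrecognized. The test is only sound here because the preceding `installApp(t, claimantCtx)` on line 34 has just demonstrated the server is up; that dependency is worth stating so a later reorder does not silently weaken the check, e.g. `// The installApp above (as claimantCtx) proves the server is reachable, so ErrNoServers here can only come from octx failing to authorize its blessings.` The enclosing test function starts before this hunk.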
@@ -1360,15 +1361,18 @@
 		t.Fatal(err)
 	}
 
-	// By default, the two processes (selfCtx and octx) will have blessings generated based on
-	// the username/machine name running this process. Since these blessings
-	// will appear in AccessLists, give them recognizable names.
+	// By default, the two processes (selfCtx and octx) will have blessings
+	// generated based on the username/machine name running this process.
+	// Since these blessings will appear in AccessLists, give them
+	// recognizable names.
 	idp := tsecurity.NewIDProvider("root")
-	selfCtx := ctx
-	if err := idp.Bless(v23.GetPrincipal(selfCtx), "self"); err != nil {
-		t.Fatal(err)
-	}
+	selfCtx := ctxWithNewPrincipal(t, ctx, idp, "self")
 	otherCtx := ctxWithNewPrincipal(t, selfCtx, idp, "other")
+	// Both the "external" processes must recognize the root mounttable's
+	// blessings, otherwise they will not talk to it.
+	for _, c := range []*context.T{selfCtx, otherCtx} {
+		v23.GetPrincipal(c).AddToRoots(v23.GetPrincipal(ctx).BlessingStore().Default())
+	}
 
 	dmh := mgmttest.RunCommand(t, sh, nil, deviceManagerCmd, "dm", root, "unused_helper", "unused_app_repo_name", "unused_curr_link")
 	pid := mgmttest.ReadPID(t, dmh)
@@ -1382,7 +1386,7 @@
 	}
 
 	// self claims the device manager.
-	claimDevice(t, ctx, "dm", "alice", noPairingToken)
+	claimDevice(t, selfCtx, "dm", "alice", noPairingToken)
 
 	vlog.VI(2).Info("Verify that associations start out empty.")
 	listAndVerifyAssociations(t, selfCtx, deviceStub, []device.Association(nil))
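Review bot: The return value of `AddToRoots` on line 67 is discarded, whereas the same call earlier in this file (line 45) is checked with `t.Fatal(err)`. If adding the root mounttable's blessings to either principal's roots fails, the test does not stop; it continues to `claimDevice` and later steps and reports an unrelated authorization failure, which is exactly the kind of error this change makes harder to diagnose. Suggest `if err := v23.GetPrincipal(c).AddToRoots(v23.GetPrincipal(ctx).BlessingStore().Default()); err != nil { t.Fatal(err) }` inside the loop. The enclosing test function begins before this hunk and continues past it.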
diff --git a/services/mgmt/device/impl/util_test.go b/services/mgmt/device/impl/util_test.go
index 78f8e2d..bab9d57 100644
--- a/services/mgmt/device/impl/util_test.go
+++ b/services/mgmt/device/impl/util_test.go
@@ -94,7 +94,7 @@
 func claimDevice(t *testing.T, ctx *context.T, name, extension, pairingToken string) {
 	// Setup blessings to be granted to the claimed device
 	g := &granter{p: v23.GetPrincipal(ctx), extension: extension}
-	s := options.SkipResolveAuthorization{}
+	s := options.SkipServerEndpointAuthorization{}
 	// Call the Claim RPC: Skip server authorization because the unclaimed
 	// device presents nothing that can be used to recognize it.
 	if err := device.ClaimableClient(name).Claim(ctx, pairingToken, g, s); err != nil {
@@ -120,7 +120,7 @@
 func claimDeviceExpectError(t *testing.T, ctx *context.T, name, extension, pairingToken string, errID verror.ID) {
 	// Setup blessings to be granted to the claimed device
 	g := &granter{p: v23.GetPrincipal(ctx), extension: extension}
-	s := options.SkipResolveAuthorization{}
+	s := options.SkipServerEndpointAuthorization{}
 	// Call the Claim RPC
 	if err := device.ClaimableClient(name).Claim(ctx, pairingToken, g, s); !verror.Is(err, errID) {
 		t.Fatalf(testutil.FormatLogLine(2, "%q.Claim(%q) expected to fail with %v, got %v [%v]", name, pairingToken, errID, verror.ErrorID(err), err))
diff --git a/services/wsprd/app/app_test.go b/services/wsprd/app/app_test.go
index aa9c8ee..54ba33d 100644
--- a/services/wsprd/app/app_test.go
+++ b/services/wsprd/app/app_test.go
@@ -427,6 +427,9 @@
 	// Get the client that is relevant to the controller so it talks
 	// to the right mounttable.
 	client := v23.GetClient(rt.controller.Context())
+	// And have the client recognize the server, otherwise it won't
+	// authorize calls to it.
+	v23.GetPrincipal(rt.controller.Context()).AddToRoots(v23.GetPrincipal(ctx).BlessingStore().Default())
 
 	if err != nil {
 		t.Fatalf("unable to create client: %v", err)
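Review bot: The `AddToRoots` call added on line 113 ignores its error return, so if the controller's principal fails to recognize the server's blessings the test proceeds and later fails on an RPC with a less informative error. Since the next statement is already an `if err != nil { t.Fatalf(...) }`, the simplest fix is to route the result through it: `err = v23.GetPrincipal(rt.controller.Context()).AddToRoots(v23.GetPrincipal(ctx).BlessingStore().Default())`, though the "unable to create client" message on line 116 would then be misleading and should mention AddToRoots as well; note that `err` on line 115 is not produced by the `GetClient` call on line 110, which appears to predate this change. The `if` block and enclosing function continue past the end of this hunk.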