Robin Thellend | efe48ef | 2015-10-13 09:52:03 -0700 | [diff] [blame] | 1 | // Copyright 2015 The Vanadium Authors. All rights reserved. |
| 2 | // Use of this source code is governed by a BSD-style |
| 3 | // license that can be found in the LICENSE file. |
| 4 | |
| 5 | // The following enables go generate to generate the doc.go file. |
| 6 | //go:generate go run $JIRI_ROOT/release/go/src/v.io/x/lib/cmdline/testdata/gendoc.go . -help |
| 7 | |
| 8 | package main |
| 9 | |
| 10 | import ( |
| 11 | "encoding/base64" |
| 12 | "io/ioutil" |
Robin Thellend | 2d05ac2 | 2015-10-28 13:37:21 -0700 | [diff] [blame] | 13 | "os" |
Robin Thellend | efe48ef | 2015-10-13 09:52:03 -0700 | [diff] [blame] | 14 | "strings" |
| 15 | |
| 16 | "v.io/v23" |
| 17 | "v.io/v23/context" |
| 18 | "v.io/v23/security" |
| 19 | "v.io/v23/vom" |
| 20 | "v.io/x/lib/cmdline" |
| 21 | lsecurity "v.io/x/ref/lib/security" |
| 22 | "v.io/x/ref/lib/signals" |
| 23 | "v.io/x/ref/lib/v23cmd" |
| 24 | "v.io/x/ref/services/agent/internal/ipc" |
| 25 | "v.io/x/ref/services/agent/internal/server" |
| 26 | "v.io/x/ref/services/cluster" |
| 27 | |
Asim Shankar | c7fafb4 | 2015-11-17 15:23:03 -0800 | [diff] [blame] | 28 | _ "v.io/x/ref/runtime/factories/roaming" |
Robin Thellend | efe48ef | 2015-10-13 09:52:03 -0700 | [diff] [blame] | 29 | ) |
| 30 | |
// Configuration supplied on the command line; each variable is bound to a
// flag in main and read by runPodAgentD/addRoot.

// clusterAgent is the address of the cluster agent that issues blessings.
var clusterAgent string

// socketPath is where the agent listens for local clients.
var socketPath string

// secretKeyFile names the file whose contents authenticate this pod to the
// cluster agent.
var secretKeyFile string

// rootBlessings is a comma-separated list of base64-encoded, VOM-encoded
// blessing roots to trust in addition to those obtained from the cluster
// agent.
var rootBlessings string
| 37 | |
// main binds the command-line flags to the package-level configuration
// variables, hides the unrelated global flags from the help output, and hands
// control to the cmdline package.
func main() {
	stringFlags := []struct {
		dst         *string
		name, usage string
	}{
		{&clusterAgent, "agent", "The address of the cluster agent."},
		{&socketPath, "socket-path", "The path of the unix socket to listen on."},
		{&secretKeyFile, "secret-key-file", "The name of the file that contains the secret key."},
		{&rootBlessings, "root-blessings", "A comma-separated list of the root blessings to trust, base64-encoded VOM-encoded."},
	}
	// Every flag defaults to the empty string; the callers treat "" as unset.
	for _, f := range stringFlags {
		cmdPodAgentD.Flags.StringVar(f.dst, f.name, "", f.usage)
	}

	cmdline.HideGlobalFlagsExcept()
	cmdline.Main(cmdPodAgentD)
}
| 47 | |
// cmdPodAgentD describes the pod_agentd command; its flags are registered in
// main and its body is runPodAgentD.
var cmdPodAgentD = &cmdline.Command{
	Name:   "pod_agentd",
	Short:  "Holds the principal of a kubernetes pod",
	Runner: v23cmd.RunnerFunc(runPodAgentD),
	Long: `
Command pod_agentd runs a security agent daemon, which holds a private key in
memory and makes it available to the kubernetes pod in which it is running.
`,
}
| 57 | |
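// runPodAgentD is the body of the pod_agentd command. It creates a fresh
// in-memory principal, optionally trusts the roots given via -root-blessings,
// obtains blessings for that principal from the cluster agent using the
// secret read from -secret-key-file, and then serves the principal to local
// clients over the unix socket at -socket-path until a shutdown signal
// arrives.
//
// The returned error is whichever step failed first. addRoot does not return
// errors; it terminates the process itself via ctx.Fatalf.
func runPodAgentD(ctx *context.T, env *cmdline.Env, args []string) error {
	p, err := lsecurity.NewPrincipal()
	if err != nil {
		return err
	}
	// Plain assignment (not :=) so that the context carrying the principal is
	// the one used for everything below.
	if ctx, err = v23.WithPrincipal(ctx, p); err != nil {
		return err
	}
	if rootBlessings != "" {
		addRoot(ctx, rootBlessings)
	}

	// The secret is handed to SeekBlessings and not written anywhere by this
	// function; it stays in memory for the lifetime of the process.
	secret, err := ioutil.ReadFile(secretKeyFile)
	if err != nil {
		return err
	}

	// Fetch blessings from cluster agent.
	ca := cluster.ClusterAgentClient(clusterAgent)
	blessings, err := ca.SeekBlessings(ctx, string(secret))
	if err != nil {
		return err
	}
	// Present the fetched blessings by default and to every peer, and add
	// their roots to the principal's trusted set.
	if err = p.BlessingStore().SetDefault(blessings); err != nil {
		return err
	}
	if _, err = p.BlessingStore().Set(blessings, security.AllPrincipals); err != nil {
		return err
	}
	if err = security.AddToRoots(p, blessings); err != nil {
		return err
	}

	// Run the server. NewImmutablePrincipal wraps p so that, as its name
	// suggests, agent clients cannot change its blessings or roots — confirm
	// against lsecurity.
	i := ipc.NewIPC()
	defer i.Close()
	if err = server.ServeAgent(i, lsecurity.NewImmutablePrincipal(p)); err != nil {
		return err
	}
	// Remove a stale socket left behind by an earlier instance. A missing
	// file is the normal case; any other removal failure is reported instead
	// of being dropped on the floor (Listen would only fail later with a less
	// specific bind error).
	if err = os.Remove(socketPath); err != nil && !os.IsNotExist(err) {
		return err
	}
	if err = i.Listen(socketPath); err != nil {
		return err
	}
	// Make the socket available to all users so that the application can
	// run with a non-root UID.
	// The socket's parent directory is mounted only in the containers that
	// should have access to it. So, this doesn't change who has access to
	// the socket. Access control therefore rests entirely on the directory's
	// mount and permissions; if that assumption ever changes, this mode would
	// expose the principal to every local user.
	if err = os.Chmod(socketPath, 0666); err != nil {
		return err
	}
	<-signals.ShutdownOnSignals(ctx)
	return nil
}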
| 114 | |
// addRoot adds every entry of flagRoots to the blessing roots of the
// principal attached to ctx. flagRoots is the raw value of -root-blessings: a
// comma-separated list of base64 (URL alphabet) strings, each the VOM
// encoding of a security.Blessings. An entry that cannot be decoded or added
// is reported through ctx.Fatalf, so a malformed flag is never ignored
// silently.
func addRoot(ctx *context.T, flagRoots string) {
	principal := v23.GetPrincipal(ctx)
	entries := strings.Split(flagRoots, ",")
	for _, encoded := range entries {
		// URLEncoding keeps this compatible with the output of the principal
		// command.
		raw, err := base64.URLEncoding.DecodeString(encoded)
		if err != nil {
			ctx.Fatalf("unable to decode the base64 blessing roots: %v", err)
		}
		var roots security.Blessings
		if err = vom.Decode(raw, &roots); err != nil {
			ctx.Fatalf("unable to decode the vom blessing roots: %v", err)
		}
		if err = security.AddToRoots(principal, roots); err != nil {
			ctx.Fatalf("unable to add blessing roots: %v", err)
		}
	}
}