Commit graph

23429 commits

Author SHA1 Message Date
Michele Degges 8c10f47679
[CI-only] Support fossa scanning (#13649) 2022-07-11 13:44:00 -07:00
Phil Renaud aa2aa9891f
Adds sort, show/hide, and copy functionality to Variable pages (#13680)
* Sortable header added to variable page

* Showhide and copyable
2022-07-11 16:43:03 -04:00
Phil Renaud e9219a1ae0
Allow wildcard for Evaluations API (#13530)
* Failing test and TODO for wildcard

* Alias the namespace query parameter for Evals

* eval: fix list when using ACLs and * namespace

Apply the same verification process as in job, allocs and scaling
policy list endpoints to handle the eval list when using an ACL token
with limited namespace support but querying using the `*` wildcard
namespace.

* changelog: add entry for #13530

* ui: set namespace when querying eval

Evals have a unique UUID as ID, but when querying them the Nomad API
still expects a namespace query param, otherwise it assumes `default`.

Co-authored-by: Luiz Aoqui <luiz@hashicorp.com>
2022-07-11 16:42:17 -04:00
Luiz Aoqui 674c0ae08b
changelog: add entry for #13659 (#13691) 2022-07-11 16:07:33 -04:00
Tim Gross 60cea967d2
Merge pull request #13000 from hashicorp/secure-variables
Secure Variables (feature branch)
2022-07-11 14:41:02 -04:00
Tim Gross d49ff0175c
docs: move operator subcommands under their own trees (#13677)
The sidebar navigation tree for the `operator` sub-sub commands is
getting cluttered and we have a new set of commands coming to support
secure variables keyring as well. Move these all under their own
subtrees.
2022-07-11 14:00:24 -04:00
Tim Gross a5a9eedc81 core job for secure variables re-key (#13440)
When the `Full` flag is passed for key rotation, we kick off a core
job to decrypt and re-encrypt all the secure variables so that they
use the new key.
2022-07-11 13:34:06 -04:00
Phil Renaud 8ea97f267b Link Variables to Jobs (#13627)
* Related entities scaffolded

* Added hint on edit

* Re-classic'd

* Dont create entities when path goes beyond task level

* only show the related entities hint for new vars, not edited ones

* Unit tests for pathLinkedEntities

* Acceptance tests for linked entities

* Add hint on creation

* Will be vs Is on @new boolean flag

* Link styles and namespaces on links

* Unused component class

* Delog

* Defensive shouldShowLinked

* Properly instantiating the accessibilty check test
2022-07-11 13:34:06 -04:00
Phil Renaud 837c693b73 Handling createTime and modifyTime through serialization now that they contain nanoseconds (#13620) 2022-07-11 13:34:06 -04:00
Charlie Voiselle a8145ba7b8 SV: GO API: Secure Variables Go API (#13502) 2022-07-11 13:34:06 -04:00
Jai b81adc6f69 ui: create variable permission logic (#13447)
* ui:  inject router service into Variable ability to compute path

* ui:  test create secure variable ability

* refact:  update templates to properly check create ability

* chore:  update token factory to enable 1 path to have create ability

* refact:  remove router service injection for path variable

* refact:  update mirage factory for edit and delete perms on  path for testing

* ui:  handle path matching (#13474)

* test:  write specifications for nearestPath computation

* ui:  write logic for getting all paths

* ui:  nearestPathMatching algorithm

* test:  nearestPathMatching algorithm test

* ui:  handle namespace filtering for capabilities check (#13475)

* ui: add namespace handling

* refact:  add logical OR operator to handle unstructured  object.

* ui:  acceptance test for create flow in secure variables (#13500)

* test:  write happy path test for creating variable

* refact:  add missing data-test attributes

* test:  sad path for disabled button

* fix:  move comment in  file

* test:  acceptance test for editing a variable (#13529)

* refact:  add data-test variable

* test:  happy path and sad path for edit flow

* refact:  update test language to say disabled

* ui:  glob matching algorithm (#13533)

* ui: compute length difference (#13542)

* ui: compute length difference

* refact:  use glob matching and sorting algos in `nearestMatchingPath` (#13544)

* refact:  use const in compute

* ui:  smallest difference logic

* refact:  use glob matching and sorting algo in _nearestPathPath helper

* ui:  add can edit to variable capabilities (#13545)

* ui:  create edit capabilities getter

* ui:  add ember-can check for edit button

* refact:  update test to mock edit capabilities in policy

* fix:  remove unused var

* Edit capabilities for variables depend on Create

Co-authored-by: Phil Renaud <phil@riotindustries.com>

Co-authored-by: Phil Renaud <phil@riotindustries.com>

Co-authored-by: Phil Renaud <phil@riotindustries.com>

* refact:  update token factory (#13596)

* refact:  update rulesJSON in token factory to reflect schema update

* refact:  update capability names (#13597)

* refact:  update rules to match rulesJSON

* refact:  update create to write

* ui:  add `canDestroy` permissions (#13598)

* refact:  update rulesJSON in token factory to reflect schema update

* refact:  update rules to match rulesJSON

* refact:  update create to write

* ui:  add canDestroy capability

* test:  unit test for canDestroy

* ui:  add permission check to template

* test:  acceptance test for delete flow

* refact:  update test to use correct capability name

* refact:  update tests to reflect rulesJSON schema change

* ui:  update path matching logic to account for schema change (#13605)

* refact:  update path matching logic

* refact:  update tests to reflect rulesJSON change

Co-authored-by: Phil Renaud <phil@riotindustries.com>

Co-authored-by: Phil Renaud <phil@riotindustries.com>
2022-07-11 13:34:06 -04:00
Phil Renaud c8455d34d4 Edit Secure Variables as JSON (#13461)
* Toying with insert and update helpers before translation func

* Working prototype that lets you switch between json and tabular

* No longer add the bonus items row in json mode

* Trimmed the ivy from the codemirror (#13503)

* Trimmed the ivy from the codemirror

* editedJSONItems removal

* De-debugger

* Replaced other instances of IvyCodeMirror throughout the app (#13528)

* Replaced other instances of IvyCodeMirror throughout the app

* PR requests for codemirror modifier

* Screen reader setting as param

* Trying a simpler codemirror test helper

* Lint removal

* Screen Reader Label added for a11y

* JSONViewer cleanup

* JSON editor added to /new and all variables stringified before save or translate

* Give users a foothold when editing an empty item in JSON mode

* Copy the empty KV

* No duplicate keys in KV

* Better handling of cursor snapping in json edit field

* Catch formatting errors on the fly

* Basic tests for JSON to Table and Table to JSON in form
2022-07-11 13:34:06 -04:00
Charlie Voiselle 555ac432cd SV: CAS: Implement Check and Set for Delete and Upsert (#13429)
* SV: CAS
    * Implement Check and Set for Delete and Upsert
    * Reading the conflict from the state store
    * Update endpoint for new error text
    * Updated HTTP api tests
    * Conflicts to the HTTP api

* SV: structs: Update SV time to UnixNanos
    * update mock to UnixNano; refactor

* SV: encrypter: quote KeyID in error
* SV: mock: add mock for namespace w/ SV
2022-07-11 13:34:06 -04:00
Tim Gross 8a50d2c3e8 implement quota tracking for secure variablees (#13453)
We need to track per-namespace storage usage for secure variables even
in Nomad OSS so that a cluster can be seamlessly upgraded from OSS to
ENT without having to re-calculate quota usage.

Provide a hook in the upsert RPC for enforcement of quotas in
ENT. This will be a no-op in Nomad OSS.
2022-07-11 13:34:06 -04:00
Tim Gross 530bc55e80 additional ACL Policy tests (#13464)
This changeset includes some additional unit tests for secure
variables ACL policies, so that we have explicit coverage of edge
cases we're discussing with the UI folks.
2022-07-11 13:34:06 -04:00
Tim Gross eaf430bfd5 secure variable server configuration (#13307)
Add fields for configuring root key garbage collection and automatic
rotation. Fix the keystore path so that we write to a tempdir when in
dev mode.
2022-07-11 13:34:06 -04:00
Phil Renaud 9043512f03 Secure Variables: JSON view (#13439)
* JSON view init

* Overeager config history reverted

* Set as query parameter

* border added to copy button

* More robust stringifyObject helper

* Testing for stringify-object helper
2022-07-11 13:34:06 -04:00
Jai b2d703b53c dx: update canCreate logic and token generation for secure var dev environment (#13438)
* ui:  add logic for create permission computed property

* ui:  update token factory and variable ability to simulate create permissions for dev env
2022-07-11 13:34:06 -04:00
Phil Renaud 7ddbd36443 Append an empty item when editing an existing Secure Variable (#13436)
* Did-insert modifier to add an extra row when editing

* Defensive logic on model existing

* Defensive pattern on copy keyValues
2022-07-11 13:34:06 -04:00
Phil Renaud 7de6301054 Throw an error if you try to save a Secure Variable with no items (#13424)
* Error thrown if you have no KVs on save

* Acceptance tests for flash messages and no-key-value adds

* Post-hoc accounting for new variable path routing

* Trim on key before validating it as existing
2022-07-11 13:34:06 -04:00
Tim Gross 6300427228 core job for key rotation (#13309)
Extend the GC job to support periodic key rotation.

Update the GC process to safely support signed workload identity. We
can't GC any key used to sign a workload identity. Finding which key
was used to sign every allocation will be expensive, but there are not
that many keys. This lets us take a conservative approach: find the
oldest live allocation and ensure that we don't GC any key older than
that key.
2022-07-11 13:34:06 -04:00
Tim Gross 4d011d4c53 move gossip keyring command to their own subcommands (#13383)
Move all the gossip keyring and key generation commands under
`operator gossip keyring` subcommands to align with the new `operator
secure-variables keyring` subcommands. Deprecate the `operator keyring`
and `operator keygen` commands.
2022-07-11 13:34:06 -04:00
Phil Renaud 4a8463595b Secure Variables: show file metadata on list pages (#13423)
* Add modified times and namespaces to layout

* Undo typing change

* Post-hoc accounting for new variable path routing
2022-07-11 13:34:06 -04:00
Tim Gross 350fe3495c fix blocking query for Keyring.List RPC (#13384)
The blocking query for `Keyring.List` appended the keys for each pass
through the blocking query to the response. This results in mulitple
copies of keys in the response. Overwrite the `reply.Keys` field on
each pass through the blocking query to ensure we only get the
expected page of responses.
2022-07-11 13:34:05 -04:00
Tim Gross 83dc3ec758 secure variables ACL policies (#13294)
Adds a new policy block inside namespaces to control access to secure
variables on the basis of path, with support for globbing.

Splits out VerifyClaim from ResolveClaim.
The ServiceRegistration RPC only needs to be able to verify that a
claim is valid for some allocation in the store; it doesn't care about
implicit policies or capabilities. Split this out to its own method on
the server so that the SecureVariables RPC can reuse it as a separate
step from resolving policies (see next commit).

Support implicit policies based on workload identity
2022-07-11 13:34:05 -04:00
Tim Gross 160ad9b64f implement Encrypt/Decrypt methods of encrypter (#13375)
The `Encrypt` method generates an appropriately-sized nonce and uses
that buffer as the prefix for the ciphertext. This keeps the
ciphertext and nonce together for decryption, and reuses the buffer as
much as possible without presenting the temptation to reuse the
cleartext buffer owned by the caller.

We include the key ID as the "additional data" field that's used as an
extra input to the authentication signature, to provide additional
protection that a ciphertext originated with that key.

Refactors the locking for the keyring so that the public methods are
generally (with one commented exception) responsible for taking the
lock and then inner methods are assumed locked.
2022-07-11 13:34:05 -04:00
Charlie Voiselle 1fe080c6de Implement HTTP search API for Variables (#13257)
* Add Path only index for SecureVariables
* Add GetSecureVariablesByPrefix; refactor tests
* Add search for SecureVariables
* Add prefix search for secure variables
2022-07-11 13:34:05 -04:00
Jai 48679fdf99 ui: make eye toggles only toggle on/off for their respective row (#13406)
* chore:  update tests to handle invidual toggle responsibility

* chore:  prettify secure-variable-form template

* ui:  extract input group markup into seperate component
2022-07-11 13:34:05 -04:00
Jai 9f02c23e2f ui: update component api to accept callback fns to be fired on cancel/prompt (#13414)
* ui:  update  component api to accept callback fns to be fired on cancel/prompt

* refact:  cancel callback should fire with outside click handler not on idle

* refact:  rename action to be more specific
2022-07-11 13:34:05 -04:00
Phil Renaud 9e9ad106ba Toast-style global notification state (#13341)
* toast style notification init

* Notificatino styles and messaging for variable save

* pre-PR cleanup

* Typo fix and 5sec timeout

* Prevent text from overlapping the close button
2022-07-11 13:34:05 -04:00
Phil Renaud 4c58356af1 Path Tree compaction refactor (#13415)
* Bones of a just-in-time compaction pathTree

* wooo got compaction going in sub-ms times

* PR cleanup

* Path compaction tests

* lint fix to equal instead of .ok()

* Name prop specifically being equality checked
2022-07-11 13:34:05 -04:00
Charlie Voiselle 06c6a950c4 Secure Variables: Seperate Encrypted and Decrypted structs (#13355)
This PR splits SecureVariable into SecureVariableDecrypted and
SecureVariableEncrypted in order to use the type system to help
verify that cleartext secret material is not committed to file.

* Make Encrypt function return KeyID
* Split SecureVariable

Co-authored-by: Tim Gross <tgross@hashicorp.com>
2022-07-11 13:34:05 -04:00
Tim Gross 56deb6f8cc keyring CLI: refactor to use subcommands (#13351)
Split the flag options for the `secure-variables keyring` into their
own subcommands. The gossip keyring CLI will be similarly refactored
and the old version will be deprecated.
2022-07-11 13:34:05 -04:00
Phil Renaud 7eb462454b Secure Variables form validation improvements (#13335)
* Validation tests for secure variables form: duplicate path error

* Validation for dot in key name

* Defensive pattern on copy keyValues
2022-07-11 13:34:05 -04:00
Phil Renaud 311d9d1cda variable index header and deletion hook (#13302)
* variable index header and deletion hook

* Some visual improvements to edit header and back button

* Mirage fixtures for variables

* Deletion flow test

* Account for disabled state of add-more button

* Transition destination changes after design chat

* Simplified parent folder path by adding to variable model

* Lint cleanup

* test update to reflect path redirect on delete

* No longer have to re-traverse to a deleted var folder after deletion, tests updated
2022-07-11 13:34:05 -04:00
Tim Gross bfcbc00f4e workload identity (#13223)
In order to support implicit ACL policies for tasks to get their own
secrets, each task would need to have its own ACL token. This would
add extra raft overhead as well as new garbage collection jobs for
cleaning up task-specific ACL tokens. Instead, Nomad will create a
workload Identity Claim for each task.

An Identity Claim is a JSON Web Token (JWT) signed by the server’s
private key and attached to an Allocation at the time a plan is
applied. The encoded JWT can be submitted as the X-Nomad-Token header
to replace ACL token secret IDs for the RPCs that support identity
claims.

Whenever a key is is added to a server’s keyring, it will use the key
as the seed for a Ed25519 public-private private keypair. That keypair
will be used for signing the JWT and for verifying the JWT.

This implementation is a ruthlessly minimal approach to support the
secure variables feature. When a JWT is verified, the allocation ID
will be checked against the Nomad state store, and non-existent or
terminal allocation IDs will cause the validation to be rejected. This
is sufficient to support the secure variables feature at launch
without requiring implementation of a background process to renew
soon-to-expire tokens.
2022-07-11 13:34:05 -04:00
Phil Renaud e79fea2b4e Notify a user if they try to make a variable with an existing path (#13278)
* Notify a user if they try to make a variable with an existing path

* Stylize error fade

* Bugfix: if you click the dupe link to a variable you havent previously loaded, you lack its keyvalues

* rename and typefix for duplicate path warning
2022-07-11 13:34:04 -04:00
Phil Renaud e58999d62b Disable path input when model is not new (#13273)
* Disable path input when model is not new

* isDisabled tests for secure variables path
2022-07-11 13:34:04 -04:00
Tim Gross 81b0c4fd36 keyring command line (#13169)
Co-authored-by: Charlie Voiselle <464492+angrycub@users.noreply.github.com>
2022-07-11 13:34:04 -04:00
Charlie Voiselle 619e0cbafd Don't write a SecureVariable with no Items (#13258) 2022-07-11 13:34:04 -04:00
Tim Gross 7055ce89b1 keyring replication (#13167)
Replication for the secure variables keyring. Because only key
metadata is stored in raft, we need to distribute key material
out-of-band from raft replication. A goroutine runs on each server and
watches for changes to the `RootKeyMeta`. When a new key is received,
attempt to fetch the key from the leader. If the leader doesn't have
the key (which may happen if a key is rotated right before a leader
transition), try to get the key from any peer.
2022-07-11 13:34:04 -04:00
Phil Renaud da4cb6422e Secure Variables: Build a path tree and traverse it at /variables/*path (#13202)
* Recursive trie-building with variable paths

* tree structure applied to new path routes and a new util class

* Breadcrumbs for SV paths and prompt when nothing exists at a path

* Lint and test cleanup

* Pre-review cleanup

* lintfix

* Abstracted pathtree each-ins into a new component class

* Path tree component styles

* Types added and PR feedback addressed

* Path tree to variable paths

* Slightly simpler path QP mods

* More pr feedback handling

* Trim moved into a function on variable model

* Traversal and compaction tests for PathTree

* Trim Path tests

* Variable-paths component tests

* Lint fixup for tests
2022-07-11 13:34:04 -04:00
Tim Gross d5a214484c core job for root key GC (#13199)
Inactive and unused keys older than a threshold will be periodically
garbage collected.
2022-07-11 13:34:04 -04:00
Tim Gross 5a85d96322 remove end-user algorithm selection (#13190)
After internal design review, we decided to remove exposing algorithm
choice to the end-user for the initial release. We'll solve nonce
rotation by forcing rotations automatically on key GC (in a core job,
not included in this changeset). Default to AES-256 GCM for the
following criteria:

* faster implementation when hardware acceleration is available
* FIPS compliant
* implementation in pure go
* post-quantum resistance

Also fixed a bug in the decoding from keystore and switched to a 
harder-to-misuse encoding method.
2022-07-11 13:34:04 -04:00
Tim Gross 973b474b3c provide state store query for variables by key ID (#13195)
The core jobs to garbage collect unused keys and perform full key
rotations will need to be able to query secure variables by key ID for
efficiency. Add an index to the state store and associated query
function and test.
2022-07-11 13:34:04 -04:00
Tim Gross f2ee585830 bootstrap keyring (#13124)
When a server becomes leader, it will check if there are any keys in
the state store, and create one if there is not. The key metadata will
be replicated via raft to all followers, who will then get the key
material via key replication (not implemented in this changeset).
2022-07-11 13:34:04 -04:00
Phil Renaud a628e2969a Secure Variables UI: /variables/new and /variables/*path (#13069)
* variables.new initialized

* Hacky but savey

* Variable wildcard route and multiple creatable at a time

* multiple KVs per variable

* PR Prep cleanup and lintfix

* Delog

* Data mocking in mirage for variables

* Linting fixes

* Re-implement absent params

* Adapter and model tests

* Moves the path-as-id logic to a serializer instead of adapter

* Classic to serializer and lint cleanup

* Pluralized save button (#13140)

* Autofocus modifier and better Add More button UX (#13145)

* Secure Variables: show/hide functionality when adding new values (#13137)

* Flight Icons added and show hide functionality

* PR cleanup

* Linting cleanup

* Position of icon moved to the right of input

* PR feedback addressed

* Delete button and stylistic changes to show hide

* Hmm, eslint doesnt like jsdoc-usage as only reason for import

* More closely match the button styles and delete test

* Simplified new.js model

* Secure Variables: /variables/*path/edit route and functionality (#13170)

* Variable edit page init

* Significant change to where we house model methods

* Lintfix

* Edit a variable tests

* Remove redundant tests

* Asserts expected

* Mirage factory updated to reflect model state
2022-07-11 13:34:04 -04:00
Charlie Voiselle 3717688f3e Secure Variables: Variables - State store, FSM, RPC (#13098)
* Secure Variables: State Store
* Secure Variables: FSM
* Secure Variables: RPC
* Secure Variables: HTTP API

Co-authored-by: Tim Gross <tgross@hashicorp.com>
2022-07-11 13:34:04 -04:00
Tim Gross 05eef2b95c keystore serialization (#13106)
This changeset implements the keystore serialization/deserialization:

* Adds a JSON serialization extension for the `RootKey` struct, along with a metadata stub. When we serialize RootKey to the on-disk keystore, we want to base64 encode the key material but also exclude any frequently-changing fields which are stored in raft.
* Implements methods for loading/saving keys to the keystore.
* Implements methods for restoring the whole keystore from disk.
* Wires it all up with the `Keyring` RPC handlers and fixes up any fallout on tests.
2022-07-11 13:34:04 -04:00
Tim Gross c6929a6c1e keyring HTTP API (#13077) 2022-07-11 13:34:04 -04:00