Commit Graph

51 Commits

Author SHA1 Message Date
hc-github-team-nomad-core 0400ec6df4
backport of commit 8cabda5ec5c1d0dd3290ece4789cd8fea1ca3f5c (#18043)
This pull request was automerged via backport-assistant
2023-07-24 04:44:15 -05:00
Lance Haig 0455389534
Add the ability to customise the details of the CA (#17309)
Co-authored-by: James Rasell <jrasell@users.noreply.github.com>
2023-07-11 08:53:09 +01:00
Lance Haig 568da5918b
cli: tls certs not created with correct SANs (#16959)
The `nomad tls cert` command did not create certificates with the correct SANs for
them to work with non default domain and region names. This changset updates the
code to support non default domains and regions in the certificates.
2023-05-22 09:31:56 -04:00
hashicorp-copywrite[bot] 005636afa0 [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
Tim Gross e0fddee386
Pre forwarding authentication (#15417)
Upcoming work to instrument the rate of RPC requests by consumer (and eventually
rate limit) require that we authenticate a RPC request before forwarding. Add a
new top-level `Authenticate` method to the server and have it return an
`AuthenticatedIdentity` struct. RPC handlers will use the relevant fields of
this identity for performing authorization.

This changeset includes:
* The main implementation of `Authenticate`
* Provide a new RPC `ACL.WhoAmI` for debugging authentication. This endpoint
  returns the same `AuthenticatedIdentity` that will be used by RPC handlers. At
  some point we might want to give this an equivalent HTTP endpoint but I didn't
  want to add that to our public API until some of the other Workload Identity
  work is solidified, especially if we don't need it yet.
* A full coverage test of the `Authenticate` method. This sets up two server
  nodes with mTLS and ACLs, some tokens, and some allocations with workload
  identities.
* Wire up an example of using `Authenticate` in the `Namespace.Upsert` RPC and
  see how authorization happens after forwarding.
* A new semgrep rule for `Authenticate`, which we'll need to update once we're
  ready to wire up more RPC endpoints with authorization steps.
2022-12-06 14:44:03 -05:00
Lance Haig 0263e7af34
Add command "nomad tls" (#14296) 2022-11-22 14:12:07 -05:00
Seth Hoenig 2631659551 ci: swap ci parallelization for unconstrained gomaxprocs 2022-03-15 12:58:52 -05:00
Mahmood Ali 583b9f2506
Merge pull request #11089 from hashicorp/b-cve-2021-37218
Apply authZ for nomad Raft RPC layer
2021-10-05 08:49:21 -04:00
James Rasell b6813f1221
chore: fix incorrect docstring formatting. 2021-08-30 11:08:12 +02:00
Mahmood Ali ff7c1ca79b Apply authZ for nomad Raft RPC layer
When mTLS is enabled, only nomad servers of the region should access the
Raft RPC layer. Clients and servers in other regions should only use the
Nomad RPC endpoints.

Co-authored-by: Michael Schurter <mschurter@hashicorp.com>
Co-authored-by: Seth Hoenig <shoenig@hashicorp.com>
2021-08-26 15:10:07 -04:00
James Rasell 54d6785bcc
tlsutil: update testing certificates close to expiry. 2021-08-13 11:09:40 +02:00
Kris Hicks 0a3a748053
Add gosimple linter (#9590) 2020-12-09 11:05:18 -08:00
Michael Schurter 401ed92847 config: accept CA PEM files with extra whitespace
Previously we did a validation pass over CA PEM files before calling
Go's CertPool.AppendCertsFromPEM to provide more detailed error messages
than the stdlib provides.

Unfortunately our validation was overly strict and rejected valid CA
files. This is actually the reason the stdlib PEM parser doesn't return
meaningful errors: PEM files are extremely permissive and it's difficult
to tell the difference between invalid data and valid metadata.

This PR removes our custom validation as it would reject valid data and
the extra error messages were not useful in diagnosing the error
encountered.
2018-09-06 11:38:56 -07:00
Michael Schurter 6def5bc4f9 client: set host name when migrating over tls
Not setting the host name led the Go HTTP client to expect a certificate
with a DNS-resolvable name. Since Nomad uses `${role}.${region}.nomad`
names ephemeral dir migrations were broken when TLS was enabled.

Added an e2e test to ensure this doesn't break again as it's very
difficult to test and the TLS configuration is very easy to get wrong.
2018-09-05 17:24:17 -07:00
Alex Dadgar c6576ddac1 Fix make check errors 2018-09-04 16:03:52 -07:00
Chelsea Holland Komlo f5e631886f add signature algorithm to error message 2018-08-13 16:21:18 -04:00
Chelsea Holland Komlo ed21481ca1 rename signature algorithm type per code review feedback 2018-08-13 16:11:49 -04:00
Chelsea Holland Komlo 16ffb2e412 extract functionality for determining signature algorithm per code review feedback 2018-08-13 16:08:23 -04:00
Chelsea Holland Komlo 91edec5bf4 change string repr of signature algorithms to constants 2018-08-10 12:37:21 -04:00
Chelsea Holland Komlo 4b228b1919 remove redundant nil check 2018-08-10 12:37:21 -04:00
Chelsea Holland Komlo 3f1d54f628 add default case for empty TLS structs 2018-08-10 12:37:21 -04:00
Chelsea Holland Komlo 4755a65978 add comments 2018-08-10 12:37:21 -04:00
Chelsea Holland Komlo 86103d41d4 type safety for string keys 2018-08-10 12:37:21 -04:00
Chelsea Holland Komlo 31d6d00381 add simple getter for certificate 2018-08-10 12:37:21 -04:00
Chelsea Holland Komlo 568564f63f refactor to use golang built in api for certs 2018-08-10 12:37:21 -04:00
Chelsea Holland Komlo bb6c30ee3c add functionality to check if signature algorithm is supported in cipher suites 2018-08-10 12:37:21 -04:00
Chelsea Holland Komlo b92098fd08 change function signature to take entire tls config object 2018-08-10 12:37:21 -04:00
Chelsea Holland Komlo da712f4f47 fixup! more specific test assertion 2018-06-13 09:58:40 -04:00
Chelsea Holland Komlo dca7235ca5 add tests and improve should reload logic 2018-06-08 15:10:10 -04:00
Chelsea Holland Komlo de03ce8070 move logic to determine whether to reload tls configuration to tlsutil helper 2018-06-08 14:33:58 -04:00
Chelsea Holland Komlo 914d2257ef enable more tls 1.2 ciphers 2018-06-07 17:49:57 -04:00
Alex Dadgar 446fc64850
Merge branch 'master' into f-tls-parse-certs 2018-05-30 17:25:50 +00:00
Chelsea Holland Komlo 3edf309096 fixup! clearify docs and group similar TLS fields 2018-05-29 21:30:49 -04:00
Chelsea Holland Komlo 498b57036d refactor to remove duplication 2018-05-29 18:47:25 -04:00
Chelsea Holland Komlo 1dc14d8e0d handle parsing multiple certificates in a pem file 2018-05-29 18:25:43 -04:00
Chelsea Holland Komlo 9156556555 remove unnecessary type conversation 2018-05-29 17:07:38 -04:00
Chelsea Holland Komlo 521f8d3fb4 parse CA certificate to catch more specific errors 2018-05-25 18:14:32 -04:00
Chelsea Holland Komlo 19e4a5489b add support for tls PreferServerCipherSuites
add further tests for tls configuration
2018-05-25 13:20:00 -04:00
Chelsea Holland Komlo 38f611a7f2 refactor NewTLSConfiguration to pass in verifyIncoming/verifyOutgoing
add missing fields to TLS merge method
2018-05-23 18:35:30 -04:00
Chelsea Holland Komlo 44f536f18e add support for configurable TLS minimum version 2018-05-09 18:07:12 -04:00
Chelsea Holland Komlo 796bae6f1b allow configurable cipher suites
disallow 3DES and RC4 ciphers

add documentation for tls_cipher_suites
2018-05-09 17:15:31 -04:00
Chelsea Holland Komlo 649f86f094 refactor creating a new tls configuration 2018-01-16 08:02:39 -05:00
Chelsea Komlo 2dfda33703 Nomad agent reload TLS configuration on SIGHUP (#3479)
* Allow server TLS configuration to be reloaded via SIGHUP

* dynamic tls reloading for nomad agents

* code cleanup and refactoring

* ensure keyloader is initialized, add comments

* allow downgrading from TLS

* initalize keyloader if necessary

* integration test for tls reload

* fix up test to assert success on reloaded TLS configuration

* failure in loading a new TLS config should remain at current

Reload only the config if agent is already using TLS

* reload agent configuration before specific server/client

lock keyloader before loading/caching a new certificate

* introduce a get-or-set method for keyloader

* fixups from code review

* fix up linting errors

* fixups from code review

* add lock for config updates; improve copy of tls config

* GetCertificate only reloads certificates dynamically for the server

* config updates/copies should be on agent

* improve http integration test

* simplify agent reloading storing a local copy of config

* reuse the same keyloader when reloading

* Test that server and client get reloaded but keep keyloader

* Keyloader exposes GetClientCertificate as well for outgoing connections

* Fix spelling

* correct changelog style
2017-11-14 17:53:23 -08:00
Alex Dadgar 5be806a3df Fix vet script and fix vet problems
This PR fixes our vet script and fixes all the missed vet changes.

It also fixes pointers being printed in `nomad stop <job>` and `nomad
node-status <node>`.
2017-02-27 16:00:19 -08:00
Michael Schurter d36d716bf9 Add docs for generating example certificates 2016-11-15 17:22:54 -08:00
Michael Schurter 345a2640dc Fix tlsutil tests 2016-11-10 12:18:13 -08:00
Alex Dadgar 5fba85c092 get tlsutil tests to compile - need to regenerate the certificates 2016-11-09 14:41:08 -08:00
Michael Schurter ae680c9c81 Remove incorrectly committed line and wrong comment 2016-11-01 15:57:21 -07:00
Michael Schurter 536c2921e9 Remove ServerName because we verify based on region 2016-11-01 14:17:31 -07:00
Diptanu Choudhury 1a8fa8c8d5 Making Nomad TLS configs region aware 2016-11-01 11:55:29 -07:00