open-nomad/helper/tlsutil/testdata
Tim Gross e0fddee386
Pre forwarding authentication (#15417)
Upcoming work to instrument the rate of RPC requests by consumer (and eventually
rate limit) require that we authenticate a RPC request before forwarding. Add a
new top-level `Authenticate` method to the server and have it return an
`AuthenticatedIdentity` struct. RPC handlers will use the relevant fields of
this identity for performing authorization.

This changeset includes:
* The main implementation of `Authenticate`
* Provide a new RPC `ACL.WhoAmI` for debugging authentication. This endpoint
  returns the same `AuthenticatedIdentity` that will be used by RPC handlers. At
  some point we might want to give this an equivalent HTTP endpoint but I didn't
  want to add that to our public API until some of the other Workload Identity
  work is solidified, especially if we don't need it yet.
* A full coverage test of the `Authenticate` method. This sets up two server
  nodes with mTLS and ACLs, some tokens, and some allocations with workload
  identities.
* Wire up an example of using `Authenticate` in the `Namespace.Upsert` RPC and
  see how authorization happens after forwarding.
* A new semgrep rule for `Authenticate`, which we'll need to update once we're
  ready to wire up more RPC endpoints with authorization steps.
2022-12-06 14:44:03 -05:00
..
ca-bad-csr.json
ca-bad-key.pem tlsutil: update testing certificates close to expiry. 2021-08-13 11:09:40 +02:00
ca-bad.csr tlsutil: update testing certificates close to expiry. 2021-08-13 11:09:40 +02:00
ca-bad.pem tlsutil: update testing certificates close to expiry. 2021-08-13 11:09:40 +02:00
ca-config.json
ca-csr.json
ca-key.pem tlsutil: update testing certificates close to expiry. 2021-08-13 11:09:40 +02:00
ca-whitespace.pem
ca.csr tlsutil: update testing certificates close to expiry. 2021-08-13 11:09:40 +02:00
ca.pem tlsutil: update testing certificates close to expiry. 2021-08-13 11:09:40 +02:00
global-ca.pem
global-client-key.pem
global-client.pem
global-server-key.pem
global-server.pem
nomad-bad-csr.json
nomad-bad-key.pem tlsutil: update testing certificates close to expiry. 2021-08-13 11:09:40 +02:00
nomad-bad.csr tlsutil: update testing certificates close to expiry. 2021-08-13 11:09:40 +02:00
nomad-bad.pem tlsutil: update testing certificates close to expiry. 2021-08-13 11:09:40 +02:00
nomad-foo-client-key.pem Pre forwarding authentication (#15417) 2022-12-06 14:44:03 -05:00
nomad-foo-client.pem Pre forwarding authentication (#15417) 2022-12-06 14:44:03 -05:00
nomad-foo-csr.json
nomad-foo-key.pem tlsutil: update testing certificates close to expiry. 2021-08-13 11:09:40 +02:00
nomad-foo.csr tlsutil: update testing certificates close to expiry. 2021-08-13 11:09:40 +02:00
nomad-foo.pem tlsutil: update testing certificates close to expiry. 2021-08-13 11:09:40 +02:00
README.md tlsutil: update testing certificates close to expiry. 2021-08-13 11:09:40 +02:00

Nomad Test Certificate

Using cfssl 1.6.0

File Description
ca.pem CA certificate
ca-key.pem CA Key
nomad-foo.pem Nomad cert for foo region
nomad-foo-key.pem Nomad key for foo region
ca-bad.pem CA cert for bad region
ca-key-bad.pem CA key for bad region
nomad-bad.pem Nomad cert for bad region
nomad-bad-key.pem Nomad key for bad region
global-*.pem For global region

Generating self-signed certs

# Write defaults and update.
# NOTE: this doesn't need to be run if regenerating old certificates and
# shouldn't as it overrides non-default values.
cfssl print-defaults csr > ca-csr.json
cfssl print-defaults csr > ca-bad-csr.json
cfssl print-defaults config > ca-config.json

# Generate CA certificates and keys.
#
# 1. Generates ca.csr, ca.pem, and ca-key.pem.
# 2. Generates ca-bad.csr, ca-bad.pem, and ca-bad-key.pem.
cfssl gencert -loglevel=5 -config ca-config.json -initca ca-csr.json | cfssljson -bare ca -
cfssl gencert -loglevel=5 -config ca-config.json -initca ca-bad-csr.json | cfssljson -bare ca-bad -

# Generate certificates and keys.
#
# 1. Generates nomad-foo.csr, nomad-foo.pem, and nomad-foo-key.pem.
# 1. Generates nomad-bad.csr, nomad-bad.pem, and nomad-bad-key.pem.
cfssl gencert -loglevel=5 -ca ca.pem -ca-key ca-key.pem -config ca-config.json nomad-foo-csr.json | cfssljson -bare nomad-foo
cfssl gencert -loglevel=5 -ca ca-bad.pem -ca-key ca-bad-key.pem -config ca-config.json nomad-bad-csr.json | cfssljson -bare nomad-bad