ContainerImage.Pinniped/internal/certauthority/dynamiccertauthority/dynamiccertauthority.go

// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

// Package dynamiccertauthority implements a x509 certificate authority capable of issuing
// certificates from a dynamically updating CA keypair.
package dynamiccertauthority

import (
	"time"

	"k8s.io/apiserver/pkg/server/dynamiccertificates"

	"go.pinniped.dev/internal/certauthority"
	"go.pinniped.dev/internal/issuer"
)

// ca is a type capable of issuing certificates.
type ca struct {
	provider dynamiccertificates.CertKeyContentProvider
}

// New creates a ClientCertIssuer, ready to issue certs whenever
// the given CertKeyContentProvider has a keypair to provide.
func New(provider dynamiccertificates.CertKeyContentProvider) issuer.ClientCertIssuer {
	return &ca{
		provider: provider,
	}
}

func (c *ca) Name() string {
	return c.provider.Name()
}

// IssueClientCertPEM issues a new client certificate for the given identity and duration, returning it as a
// pair of PEM-formatted byte slices for the certificate and private key.
func (c *ca) IssueClientCertPEM(username string, groups []string, ttl time.Duration) ([]byte, []byte, error) {
	caCrtPEM, caKeyPEM := c.provider.CurrentCertKeyContent()
	// in the future we could split dynamiccert.Private into two interfaces (Private and PrivateRead)
	// and have this code take PrivateRead as input.  We would then add ourselves as a listener to
	// the PrivateRead.  This would allow us to only reload the CA contents when they actually change.
	ca, err := certauthority.Load(string(caCrtPEM), string(caKeyPEM))
	if err != nil {
		return nil, nil, err
	}

	return ca.IssueClientCertPEM(username, groups, ttl)
}
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-10 18:30:06 +00:00			`// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.`
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00			`// SPDX-License-Identifier: Apache-2.0`

			`// Package dynamiccertauthority implements a x509 certificate authority capable of issuing`
			`// certificates from a dynamically updating CA keypair.`
			`package dynamiccertauthority`

			`import (`
			`"time"`

Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-10 18:30:06 +00:00			`"k8s.io/apiserver/pkg/server/dynamiccertificates"`

internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00			`"go.pinniped.dev/internal/certauthority"`
dynamiccert: split into serving cert and CA providers Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-15 16:24:07 +00:00			`"go.pinniped.dev/internal/issuer"`
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00			`)`

dynamiccert: split into serving cert and CA providers Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-15 16:24:07 +00:00			`// ca is a type capable of issuing certificates.`
			`type ca struct {`
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-10 18:30:06 +00:00			`provider dynamiccertificates.CertKeyContentProvider`
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00			`}`

dynamiccert: split into serving cert and CA providers Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-15 16:24:07 +00:00			`// New creates a ClientCertIssuer, ready to issue certs whenever`
			`// the given CertKeyContentProvider has a keypair to provide.`
			`func New(provider dynamiccertificates.CertKeyContentProvider) issuer.ClientCertIssuer {`
			`return &ca{`
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00			`provider: provider,`
			`}`
			`}`

dynamiccert: split into serving cert and CA providers Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-15 16:24:07 +00:00			`func (c *ca) Name() string {`
			`return c.provider.Name()`
			`}`

certauthority.go: Refactor issuing client versus server certs We were previously issuing both client certs and server certs with both extended key usages included. Split the Issue() methods into separate methods for issuing server certs versus client certs so they can have different extended key usages tailored for each use case. Also took the opportunity to clean up the parameters of the Issue() methods and New() methods to more closely match how we prefer to call them. We were always only passing the common name part of the pkix.Name to New(), so now the New() method just takes the common name as a string. When making a server cert, we don't need to set the deprecated common name field, so remove that param. When making a client cert, we're always making it in the format expected by the Kube API server, so just accept the username and group as parameters directly. 2021-03-13 00:09:16 +00:00			`// IssueClientCertPEM issues a new client certificate for the given identity and duration, returning it as a`
dynamiccertauthority: fix cert expiration test failure Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-23 19:34:25 +00:00			`// pair of PEM-formatted byte slices for the certificate and private key.`
dynamiccert: split into serving cert and CA providers Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-15 16:24:07 +00:00			`func (c *ca) IssueClientCertPEM(username string, groups []string, ttl time.Duration) ([]byte, []byte, error) {`
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00			`caCrtPEM, caKeyPEM := c.provider.CurrentCertKeyContent()`
dynamiccert: split into serving cert and CA providers Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-15 16:24:07 +00:00			`// in the future we could split dynamiccert.Private into two interfaces (Private and PrivateRead)`
			`// and have this code take PrivateRead as input. We would then add ourselves as a listener to`
			`// the PrivateRead. This would allow us to only reload the CA contents when they actually change.`
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00			`ca, err := certauthority.Load(string(caCrtPEM), string(caKeyPEM))`
			`if err != nil {`
			`return nil, nil, err`
			`}`

certauthority.go: Refactor issuing client versus server certs We were previously issuing both client certs and server certs with both extended key usages included. Split the Issue() methods into separate methods for issuing server certs versus client certs so they can have different extended key usages tailored for each use case. Also took the opportunity to clean up the parameters of the Issue() methods and New() methods to more closely match how we prefer to call them. We were always only passing the common name part of the pkix.Name to New(), so now the New() method just takes the common name as a string. When making a server cert, we don't need to set the deprecated common name field, so remove that param. When making a client cert, we're always making it in the format expected by the Kube API server, so just accept the username and group as parameters directly. 2021-03-13 00:09:16 +00:00			`return ca.IssueClientCertPEM(username, groups, ttl)`
internal/certauthority/dynamiccertauthority: add new dynamic cert issuer This thing is supposed to be used to help our CredentialRequest handler issue certs with a dynamic CA keypair. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 13:53:21 +00:00			`}`