ContainerImage.Pinniped/internal/dynamiccert/provider.go

// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package dynamiccert

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"sync"

	"k8s.io/apiserver/pkg/server/dynamiccertificates"

	"go.pinniped.dev/internal/plog"
)

type Provider interface {
	Private
	Public
}

type Private interface {
	dynamiccertificates.CertKeyContentProvider
	SetCertKeyContent(certPEM, keyPEM []byte) error
	UnsetCertKeyContent()

	notifier
}

type Public interface {
	dynamiccertificates.CAContentProvider

	notifier
}

type notifier interface {
	dynamiccertificates.Notifier
	dynamiccertificates.ControllerRunner // we do not need this today, but it could grow and change in the future
}

var _ Provider = &provider{}

type provider struct {
	// these fields are constant after struct initialization and thus do not need locking
	name string
	isCA bool

	// mutex guards all the fields below it
	mutex     sync.RWMutex
	certPEM   []byte
	keyPEM    []byte
	listeners []dynamiccertificates.Listener
}

// NewServingCert returns a Private that is go routine safe.
// It can only hold key pairs that have IsCA=false.
func NewServingCert(name string) Private {
	return struct {
		Private
	}{
		Private: &provider{name: name},
	}
}

// NewCA returns a Provider that is go routine safe.
// It can only hold key pairs that have IsCA=true.
func NewCA(name string) Provider {
	return &provider{name: name, isCA: true}
}

func (p *provider) Name() string {
	return p.name
}

func (p *provider) CurrentCertKeyContent() (cert []byte, key []byte) {
	p.mutex.RLock()
	defer p.mutex.RUnlock()

	return p.certPEM, p.keyPEM
}

func (p *provider) SetCertKeyContent(certPEM, keyPEM []byte) error {
	// always make sure that we have valid PEM data, otherwise
	// dynamiccertificates.NewUnionCAContentProvider.VerifyOptions will panic
	cert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return fmt.Errorf("%s: attempt to set invalid key pair: %w", p.name, err)
	}

	// these checks should always pass if tls.X509KeyPair did not error
	if len(cert.Certificate) == 0 {
		return fmt.Errorf("%s: key pair has empty cert slice", p.name)
	}
	x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
	if err != nil {
		return fmt.Errorf("%s: failed to parse key pair as x509 cert: %w", p.name, err)
	}

	// confirm that we are not trying to use a CA as a serving cert and vice versa
	if p.isCA != x509Cert.IsCA {
		return fmt.Errorf("%s: attempt to set x509 cert with unexpected IsCA=%v", p.name, x509Cert.IsCA)
	}

	p.setCertKeyContent(certPEM, keyPEM)

	return nil
}

func (p *provider) UnsetCertKeyContent() {
	p.setCertKeyContent(nil, nil)
}

func (p *provider) setCertKeyContent(certPEM, keyPEM []byte) {
	p.mutex.Lock()
	defer p.mutex.Unlock()

	p.certPEM = certPEM
	p.keyPEM = keyPEM

	// technically this only reads a read lock but we already have the write lock
	for _, listener := range p.listeners {
		listener.Enqueue()
	}
}

func (p *provider) CurrentCABundleContent() []byte {
	if !p.isCA {
		panic("*provider from NewServingCert was cast into wrong CA interface")
	}

	ca, _ := p.CurrentCertKeyContent()
	return ca
}

func (p *provider) VerifyOptions() (x509.VerifyOptions, bool) {
	if !p.isCA {
		panic("*provider from NewServingCert was cast into wrong CA interface")
	}

	plog.Warning("unexpected call to *provider.VerifyOptions; CA union logic is broken")
	return x509.VerifyOptions{}, false // assume we are unioned via dynamiccertificates.NewUnionCAContentProvider
}

func (p *provider) AddListener(listener dynamiccertificates.Listener) {
	p.mutex.Lock()
	defer p.mutex.Unlock()

	p.listeners = append(p.listeners, listener)
}

func (p *provider) RunOnce(_ context.Context) error {
	return nil // no-op, but we want to make sure to stay in sync with dynamiccertificates.ControllerRunner
}

func (p *provider) Run(_ context.Context, workers int) {
	// no-op, but we want to make sure to stay in sync with dynamiccertificates.ControllerRunner
}
Bump project deps, including kube 0.23.6->0.24.1 and Go 1.18.1->1.18.3 Several API changes in Kube required changes in Pinniped code. Signed-off-by: Monis Khan <mok@vmware.com> 2022-06-06 21:37:22 +00:00			`// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.`
internal/provider -> internal/dynamiccert 3 main reasons: - The cert and key that we store in this object are not always used for TLS. - The package name "provider" was a little too generic. - dynamiccert.Provider reads more go-ish than provider.DynamicCertProvider. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 12:26:59 +00:00			`// SPDX-License-Identifier: Apache-2.0`

			`package dynamiccert`

			`import (`
Bump project deps, including kube 0.23.6->0.24.1 and Go 1.18.1->1.18.3 Several API changes in Kube required changes in Pinniped code. Signed-off-by: Monis Khan <mok@vmware.com> 2022-06-06 21:37:22 +00:00			`"context"`
Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-11 21:20:25 +00:00			`"crypto/tls"`
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-10 18:30:06 +00:00			`"crypto/x509"`
Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-11 21:20:25 +00:00			`"fmt"`
internal/provider -> internal/dynamiccert 3 main reasons: - The cert and key that we store in this object are not always used for TLS. - The package name "provider" was a little too generic. - dynamiccert.Provider reads more go-ish than provider.DynamicCertProvider. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 12:26:59 +00:00			`"sync"`

			`"k8s.io/apiserver/pkg/server/dynamiccertificates"`
dynamiccert: split into serving cert and CA providers Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-15 16:24:07 +00:00
			`"go.pinniped.dev/internal/plog"`
internal/provider -> internal/dynamiccert 3 main reasons: - The cert and key that we store in this object are not always used for TLS. - The package name "provider" was a little too generic. - dynamiccert.Provider reads more go-ish than provider.DynamicCertProvider. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 12:26:59 +00:00			`)`

			`type Provider interface {`
Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-11 21:20:25 +00:00			`Private`
			`Public`
			`}`

			`type Private interface {`
internal/provider -> internal/dynamiccert 3 main reasons: - The cert and key that we store in this object are not always used for TLS. - The package name "provider" was a little too generic. - dynamiccert.Provider reads more go-ish than provider.DynamicCertProvider. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 12:26:59 +00:00			`dynamiccertificates.CertKeyContentProvider`
Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-11 21:20:25 +00:00			`SetCertKeyContent(certPEM, keyPEM []byte) error`
			`UnsetCertKeyContent()`

			`notifier`
internal/provider -> internal/dynamiccert 3 main reasons: - The cert and key that we store in this object are not always used for TLS. - The package name "provider" was a little too generic. - dynamiccert.Provider reads more go-ish than provider.DynamicCertProvider. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 12:26:59 +00:00			`}`

Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-11 21:20:25 +00:00			`type Public interface {`
			`dynamiccertificates.CAContentProvider`

			`notifier`
internal/provider -> internal/dynamiccert 3 main reasons: - The cert and key that we store in this object are not always used for TLS. - The package name "provider" was a little too generic. - dynamiccert.Provider reads more go-ish than provider.DynamicCertProvider. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 12:26:59 +00:00			`}`

Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-11 21:20:25 +00:00			`type notifier interface {`
			`dynamiccertificates.Notifier`
			`dynamiccertificates.ControllerRunner // we do not need this today, but it could grow and change in the future`
internal/provider -> internal/dynamiccert 3 main reasons: - The cert and key that we store in this object are not always used for TLS. - The package name "provider" was a little too generic. - dynamiccert.Provider reads more go-ish than provider.DynamicCertProvider. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 12:26:59 +00:00			`}`

dynamiccert: split into serving cert and CA providers Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-15 16:24:07 +00:00			`var _ Provider = &provider{}`

Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-11 21:20:25 +00:00			`type provider struct {`
dynamiccert: split into serving cert and CA providers Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-15 16:24:07 +00:00			`// these fields are constant after struct initialization and thus do not need locking`
Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-11 21:20:25 +00:00			`name string`
dynamiccert: split into serving cert and CA providers Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-15 16:24:07 +00:00			`isCA bool`
Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-11 21:20:25 +00:00
			`// mutex guards all the fields below it`
			`mutex sync.RWMutex`
			`certPEM []byte`
			`keyPEM []byte`
			`listeners []dynamiccertificates.Listener`
			`}`

dynamiccert: split into serving cert and CA providers Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-15 16:24:07 +00:00			`// NewServingCert returns a Private that is go routine safe.`
			`// It can only hold key pairs that have IsCA=false.`
			`func NewServingCert(name string) Private {`
dynamiccert: prevent misuse of NewServingCert The Kube API server code that we use will cast inputs in an attempt to see if they implement optional interfaces. This change adds a simple wrapper struct to prevent such casts from causing us any issues. Signed-off-by: Monis Khan <mok@vmware.com> 2021-08-17 01:30:02 +00:00			`return struct {`
			`Private`
			`}{`
			`Private: &provider{name: name},`
			`}`
internal/provider -> internal/dynamiccert 3 main reasons: - The cert and key that we store in this object are not always used for TLS. - The package name "provider" was a little too generic. - dynamiccert.Provider reads more go-ish than provider.DynamicCertProvider. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 12:26:59 +00:00			`}`

dynamiccert: split into serving cert and CA providers Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-15 16:24:07 +00:00			`// NewCA returns a Provider that is go routine safe.`
			`// It can only hold key pairs that have IsCA=true.`
			`func NewCA(name string) Provider {`
			`return &provider{name: name, isCA: true}`
			`}`

internal/provider -> internal/dynamiccert 3 main reasons: - The cert and key that we store in this object are not always used for TLS. - The package name "provider" was a little too generic. - dynamiccert.Provider reads more go-ish than provider.DynamicCertProvider. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 12:26:59 +00:00			`func (p *provider) Name() string {`
dynamiccert: split into serving cert and CA providers Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-15 16:24:07 +00:00			`return p.name`
internal/provider -> internal/dynamiccert 3 main reasons: - The cert and key that we store in this object are not always used for TLS. - The package name "provider" was a little too generic. - dynamiccert.Provider reads more go-ish than provider.DynamicCertProvider. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 12:26:59 +00:00			`}`

			`func (p *provider) CurrentCertKeyContent() (cert []byte, key []byte) {`
Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-11 21:20:25 +00:00			`p.mutex.RLock()`
internal/provider -> internal/dynamiccert 3 main reasons: - The cert and key that we store in this object are not always used for TLS. - The package name "provider" was a little too generic. - dynamiccert.Provider reads more go-ish than provider.DynamicCertProvider. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 12:26:59 +00:00			`defer p.mutex.RUnlock()`
Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-11 21:20:25 +00:00
internal/provider -> internal/dynamiccert 3 main reasons: - The cert and key that we store in this object are not always used for TLS. - The package name "provider" was a little too generic. - dynamiccert.Provider reads more go-ish than provider.DynamicCertProvider. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-09-23 12:26:59 +00:00			`return p.certPEM, p.keyPEM`
			`}`
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-10 18:30:06 +00:00
Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-11 21:20:25 +00:00			`func (p *provider) SetCertKeyContent(certPEM, keyPEM []byte) error {`
			`// always make sure that we have valid PEM data, otherwise`
			`// dynamiccertificates.NewUnionCAContentProvider.VerifyOptions will panic`
dynamiccert: split into serving cert and CA providers Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-15 16:24:07 +00:00			`cert, err := tls.X509KeyPair(certPEM, keyPEM)`
			`if err != nil {`
Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-11 21:20:25 +00:00			`return fmt.Errorf("%s: attempt to set invalid key pair: %w", p.name, err)`
			`}`

dynamiccert: split into serving cert and CA providers Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-15 16:24:07 +00:00			`// these checks should always pass if tls.X509KeyPair did not error`
			`if len(cert.Certificate) == 0 {`
			`return fmt.Errorf("%s: key pair has empty cert slice", p.name)`
			`}`
			`x509Cert, err := x509.ParseCertificate(cert.Certificate[0])`
			`if err != nil {`
			`return fmt.Errorf("%s: failed to parse key pair as x509 cert: %w", p.name, err)`
			`}`

			`// confirm that we are not trying to use a CA as a serving cert and vice versa`
			`if p.isCA != x509Cert.IsCA {`
			`return fmt.Errorf("%s: attempt to set x509 cert with unexpected IsCA=%v", p.name, x509Cert.IsCA)`
			`}`

Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-11 21:20:25 +00:00			`p.setCertKeyContent(certPEM, keyPEM)`

			`return nil`
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-10 18:30:06 +00:00			`}`

Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-11 21:20:25 +00:00			`func (p *provider) UnsetCertKeyContent() {`
			`p.setCertKeyContent(nil, nil)`
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-10 18:30:06 +00:00			`}`

Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-11 21:20:25 +00:00			`func (p *provider) setCertKeyContent(certPEM, keyPEM []byte) {`
			`p.mutex.Lock()`
			`defer p.mutex.Unlock()`

			`p.certPEM = certPEM`
			`p.keyPEM = keyPEM`

dynamiccert: split into serving cert and CA providers Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-15 16:24:07 +00:00			`// technically this only reads a read lock but we already have the write lock`
Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-11 21:20:25 +00:00			`for _, listener := range p.listeners {`
			`listener.Enqueue()`
			`}`
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-10 18:30:06 +00:00			`}`

Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-11 21:20:25 +00:00			`func (p *provider) CurrentCABundleContent() []byte {`
dynamiccert: split into serving cert and CA providers Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-15 16:24:07 +00:00			`if !p.isCA {`
			`panic("*provider from NewServingCert was cast into wrong CA interface")`
			`}`

Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-11 21:20:25 +00:00			`ca, _ := p.CurrentCertKeyContent()`
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-10 18:30:06 +00:00			`return ca`
			`}`

Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-11 21:20:25 +00:00			`func (p *provider) VerifyOptions() (x509.VerifyOptions, bool) {`
dynamiccert: split into serving cert and CA providers Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-15 16:24:07 +00:00			`if !p.isCA {`
			`panic("*provider from NewServingCert was cast into wrong CA interface")`
			`}`

			`plog.Warning("unexpected call to *provider.VerifyOptions; CA union logic is broken")`
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-10 18:30:06 +00:00			`return x509.VerifyOptions{}, false // assume we are unioned via dynamiccertificates.NewUnionCAContentProvider`
			`}`

Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-11 21:20:25 +00:00			`func (p *provider) AddListener(listener dynamiccertificates.Listener) {`
			`p.mutex.Lock()`
			`defer p.mutex.Unlock()`

			`p.listeners = append(p.listeners, listener)`
			`}`

Bump project deps, including kube 0.23.6->0.24.1 and Go 1.18.1->1.18.3 Several API changes in Kube required changes in Pinniped code. Signed-off-by: Monis Khan <mok@vmware.com> 2022-06-06 21:37:22 +00:00			`func (p *provider) RunOnce(_ context.Context) error {`
Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-11 21:20:25 +00:00			`return nil // no-op, but we want to make sure to stay in sync with dynamiccertificates.ControllerRunner`
			`}`

Bump project deps, including kube 0.23.6->0.24.1 and Go 1.18.1->1.18.3 Several API changes in Kube required changes in Pinniped code. Signed-off-by: Monis Khan <mok@vmware.com> 2022-06-06 21:37:22 +00:00			`func (p *provider) Run(_ context.Context, workers int) {`
Implement all optional methods in dynamic certs provider Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-11 21:20:25 +00:00			`// no-op, but we want to make sure to stay in sync with dynamiccertificates.ControllerRunner`
			`}`