Merge branch 'main' into disable_http

This commit is contained in:
Ryan Richard 2022-04-05 09:00:26 -07:00
commit 25d20d4081
12 changed files with 126 additions and 181 deletions

55
.github/workflows/scorecards.yml vendored Normal file
View File

@ -0,0 +1,55 @@
name: Scorecards supply-chain security
on:
# Only the default branch is supported.
branch_protection_rule:
schedule:
- cron: '29 11 * * 3'
push:
branches: [ main, release* ]
# Declare default permissions as read only.
permissions: read-all
jobs:
analysis:
name: Scorecards analysis
runs-on: ubuntu-latest
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
actions: read
contents: read
steps:
- name: "Checkout code"
uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3.0.0
with:
persist-credentials: false
- name: "Run analysis"
uses: ossf/scorecard-action@c1aec4ac820532bab364f02a81873c555a0ba3a1 # v1.0.4
with:
results_file: results.sarif
results_format: sarif
# Read-only PAT token. To create it,
# follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
# Publish the results to enable scorecard badges. For more details, see
# https://github.com/ossf/scorecard-action#publishing-results.
# For private repositories, `publish_results` will automatically be set to `false`,
# regardless of the value entered here.
publish_results: true
# Upload the results as artifacts (optional).
- name: "Upload artifact"
uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0
with:
name: SARIF file
path: results.sarif
retention-days: 5
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26
with:
sarif_file: results.sarif

View File

@ -1,4 +1,4 @@
# syntax = docker/dockerfile:1.0-experimental # syntax=docker/dockerfile:1
# Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. # Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0

View File

@ -1,10 +1,15 @@
# syntax = docker/dockerfile:1.0-experimental # syntax=docker/dockerfile:1
# Copyright 2020-2022 the Pinniped contributors. All Rights Reserved. # Copyright 2022 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
# this dockerfile is used to produce a binary of Pinniped that uses # this dockerfile is used to produce a binary of Pinniped that uses
# only fips-allowable ciphers. # only fips-allowable ciphers. Note that this is provided only as
# an example. Pinniped has no official support for fips and using
# a version built from this dockerfile may have unforseen consquences.
# Please do not create issues in regards to problems encountered by
# using this dockerfile. Using this dockerfile does not convey
# any type of fips certification.
# use go-boringcrypto rather than main go # use go-boringcrypto rather than main go
FROM us-docker.pkg.dev/google.com/api-project-999119582588/go-boringcrypto/golang:1.17.8b7 as build-env FROM us-docker.pkg.dev/google.com/api-project-999119582588/go-boringcrypto/golang:1.17.8b7 as build-env
@ -13,12 +18,33 @@ WORKDIR /work
COPY . . COPY . .
ARG GOPROXY ARG GOPROXY
# Build the executable binary (CGO_ENABLED=1 is required for go boring) # Build the executable binary (CGO_ENABLED=1 is required for go boring).
# Pass in GOCACHE (build cache) and GOMODCACHE (module cache) so they # Even though we need cgo to call the boring crypto C functions, these
# can be re-used between image builds. # functions are statically linked into the binary. We also want to statically
# link any libc bits hence we pass "-linkmode=external -extldflags -static"
# to the ldflags directive. We do not pass "-s" to ldflags because we do
# not want to strip symbols - those are used to verify if we compiled correctly.
# We do not pass in GOCACHE (build cache) and GOMODCACHE (module cache)
# because there have been bugs in the Go compiler caching when using cgo
# (it will sometimes use cached artifiacts when it should not). Since we
# use gcc as the C compiler, the following warning is emitted:
# /boring/boringssl/build/../crypto/bio/socket_helper.c:55: warning:
# Using 'getaddrinfo' in statically linked applications requires at
# runtime the shared libraries from the glibc version used for linking
# This is referring to the code in
# https://github.com/google/boringssl/blob/af34f6460f0bf99dc267818f02b2936f60a30de7/crypto/bio/socket_helper.c#L55
# which calls the getaddrinfo function. This function, even when statically linked,
# uses dlopen to dynamically fetch networking config. It is safe for us to ignore
# this warning because the go boring cypto code does not create netowrking connections:
# https://github.com/golang/go/blob/9d6ab825f6fe125f7ce630e103b887e580403802/src/crypto/internal/boring/goboringcrypto.h
# The osusergo and netgo tags are used to make sure that the Go implementations of these
# standard library packages are used instead of the libc based versions.
# We want to have no reliance on any C code other than the boring crypto bits.
# Setting GOOS=linux GOARCH=amd64 is a hard requirment for boring crypto:
# https://github.com/golang/go/blob/9d6ab825f6fe125f7ce630e103b887e580403802/misc/boring/README.md?plain=1#L95
# Thus trying to compile the pinniped CLI with boring crypto is meaningless
# since we would not be able to ship windows and macOS binaries.
RUN \ RUN \
--mount=type=cache,target=/cache/gocache \
--mount=type=cache,target=/cache/gomodcache \
mkdir out && \ mkdir out && \
export CGO_ENABLED=1 GOOS=linux GOARCH=amd64 && \ export CGO_ENABLED=1 GOOS=linux GOARCH=amd64 && \
go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \ go build -tags fips_strict,osusergo,netgo -v -trimpath -ldflags "$(hack/get-ldflags.sh) -w -linkmode=external -extldflags -static" -o /usr/local/bin/pinniped-concierge-kube-cert-agent ./cmd/pinniped-concierge-kube-cert-agent/... && \

View File

@ -10,12 +10,15 @@
package ptls package ptls
import ( import (
"C"
"crypto/tls" "crypto/tls"
_ "crypto/tls/fipsonly" // restricts all TLS configuration to FIPS-approved settings.
"crypto/x509" "crypto/x509"
"runtime" "runtime"
"C" // explicitly import cgo so that runtime/cgo gets linked into the kube-cert-agent
_ "crypto/tls/fipsonly" // restricts all TLS configuration to FIPS-approved settings.
"k8s.io/apiserver/pkg/server/options"
"go.pinniped.dev/internal/plog" "go.pinniped.dev/internal/plog"
) )
@ -24,10 +27,7 @@ const secureServingOptionsMinTLSVersion = "VersionTLS12"
const SecureTLSConfigMinTLSVersion = tls.VersionTLS12 const SecureTLSConfigMinTLSVersion = tls.VersionTLS12
func init() { func init() {
go func() { plog.Debug("using boring crypto in fips only mode", "go version", runtime.Version())
version := runtime.Version()
plog.Debug("using boringcrypto in fips only mode.", "go version", version)
}()
} }
func Default(rootCAs *x509.CertPool) *tls.Config { func Default(rootCAs *x509.CertPool) *tls.Config {
@ -46,6 +46,7 @@ func Default(rootCAs *x509.CertPool) *tls.Config {
// This is all of the fips-approved ciphers. // This is all of the fips-approved ciphers.
// The list is hard-coded for convenience of testing. // The list is hard-coded for convenience of testing.
// This is kept in sync with the boring crypto compiler via TestFIPSCipherSuites.
CipherSuites: []uint16{ CipherSuites: []uint16{
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
@ -64,3 +65,7 @@ func Secure(rootCAs *x509.CertPool) *tls.Config {
func DefaultLDAP(rootCAs *x509.CertPool) *tls.Config { func DefaultLDAP(rootCAs *x509.CertPool) *tls.Config {
return Default(rootCAs) return Default(rootCAs)
} }
func secureServing(opts *options.SecureServingOptionsWithLoopback) {
defaultServing(opts)
}

View File

@ -82,11 +82,6 @@ func defaultServing(opts *options.SecureServingOptionsWithLoopback) {
opts.MinTLSVersion = defaultServingOptionsMinTLSVersion opts.MinTLSVersion = defaultServingOptionsMinTLSVersion
} }
func secureServing(opts *options.SecureServingOptionsWithLoopback) {
opts.MinTLSVersion = secureServingOptionsMinTLSVersion
opts.CipherSuites = nil
}
func secureClient(opts *options.RecommendedOptions, f RestConfigFunc) error { func secureClient(opts *options.RecommendedOptions, f RestConfigFunc) error {
inClusterClient, inClusterConfig, err := f(nil) inClusterClient, inClusterConfig, err := f(nil)
if err != nil { if err != nil {

View File

@ -9,6 +9,8 @@ package ptls
import ( import (
"crypto/tls" "crypto/tls"
"crypto/x509" "crypto/x509"
"k8s.io/apiserver/pkg/server/options"
) )
// secureServingOptionsMinTLSVersion is the minimum tls version in the format // secureServingOptionsMinTLSVersion is the minimum tls version in the format
@ -42,3 +44,8 @@ func Secure(rootCAs *x509.CertPool) *tls.Config {
} }
return c return c
} }
func secureServing(opts *options.SecureServingOptionsWithLoopback) {
opts.MinTLSVersion = secureServingOptionsMinTLSVersion
opts.CipherSuites = nil
}

View File

@ -69,14 +69,6 @@ func RecordTLSHello(server *httptest.Server) {
func AssertTLS(t *testing.T, r *http.Request, tlsConfigFunc ptls.ConfigFunc) { func AssertTLS(t *testing.T, r *http.Request, tlsConfigFunc ptls.ConfigFunc) {
t.Helper() t.Helper()
tlsConfig := tlsConfigFunc(nil)
AssertTLSConfig(t, r, tlsConfig)
}
func AssertTLSConfig(t *testing.T, r *http.Request, tlsConfig *tls.Config) {
t.Helper()
m, ok := getCtxMap(r.Context()) m, ok := getCtxMap(r.Context())
require.True(t, ok) require.True(t, ok)
@ -86,6 +78,8 @@ func AssertTLSConfig(t *testing.T, r *http.Request, tlsConfig *tls.Config) {
info, ok := h.(*tls.ClientHelloInfo) info, ok := h.(*tls.ClientHelloInfo)
require.True(t, ok) require.True(t, ok)
tlsConfig := tlsConfigFunc(nil)
supportedVersions := []uint16{tlsConfig.MinVersion} supportedVersions := []uint16{tlsConfig.MinVersion}
ciphers := tlsConfig.CipherSuites ciphers := tlsConfig.CipherSuites

View File

@ -7,12 +7,8 @@
package integration package integration
import ( import (
"context"
"crypto/tls" "crypto/tls"
"encoding/base64"
"fmt"
"net/http" "net/http"
"strings"
"testing" "testing"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
@ -23,131 +19,16 @@ import (
"go.pinniped.dev/test/testlib" "go.pinniped.dev/test/testlib"
) )
// This test mirrors securetls_test.go, but adapted for fips mode. // TestFIPSCipherSuites_Parallel ensures that if the list of default fips cipher suites changes,
// e.g. checks for only TLS 1.2 ciphers and checks for the // we will know. This is an integration test because we do not support build tags on unit tests.
// list of fips-approved ciphers above.
// TLS checks safe to run in parallel with serial tests, see main_test.go.
func TestSecureTLSPinnipedCLIToKAS_Parallel(t *testing.T) {
_ = testlib.IntegrationEnv(t)
t.Log("testing FIPs tls config")
server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// pinniped CLI uses ptls.Secure when talking to KAS,
// although the distinction doesn't matter much in FIPs mode because
// each of the configs is a wrapper for the same base FIPs config.
secure := ptls.Secure(nil)
tlsserver.AssertTLSConfig(t, r, secure)
w.Header().Set("content-type", "application/json")
fmt.Fprint(w, `{"kind":"TokenCredentialRequest","apiVersion":"login.concierge.pinniped.dev/v1alpha1",`+
`"status":{"credential":{"token":"some-fancy-token"}}}`)
}), tlsserver.RecordTLSHello)
ca := tlsserver.TLSTestServerCA(server)
pinnipedExe := testlib.PinnipedCLIPath(t)
stdout, stderr := runPinnipedCLI(t, nil, pinnipedExe, "login", "static",
"--token", "does-not-matter",
"--concierge-authenticator-type", "webhook",
"--concierge-authenticator-name", "does-not-matter",
"--concierge-ca-bundle-data", base64.StdEncoding.EncodeToString(ca),
"--concierge-endpoint", server.URL,
"--enable-concierge",
"--credential-cache", "",
)
require.Empty(t, stderr)
require.Equal(t, `{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1",`+
`"spec":{"interactive":false},"status":{"expirationTimestamp":null,"token":"some-fancy-token"}}
`, stdout)
}
// TLS checks safe to run in parallel with serial tests, see main_test.go.
func TestSecureTLSPinnipedCLIToSupervisor_Parallel(t *testing.T) {
_ = testlib.IntegrationEnv(t)
server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// pinniped CLI uses ptls.Default when talking to supervisor,
// although the distinction doesn't matter much in FIPs mode because
// each of the configs is a wrapper for the same base FIPs config.
defaultTLS := ptls.Default(nil)
tlsserver.AssertTLSConfig(t, r, defaultTLS)
w.Header().Set("content-type", "application/json")
fmt.Fprint(w, `{"issuer":"https://not-a-good-issuer"}`)
}), tlsserver.RecordTLSHello)
ca := tlsserver.TLSTestServerCA(server)
pinnipedExe := testlib.PinnipedCLIPath(t)
stdout, stderr := runPinnipedCLI(&fakeT{T: t}, nil, pinnipedExe, "login", "oidc",
"--ca-bundle-data", base64.StdEncoding.EncodeToString(ca),
"--issuer", server.URL,
"--credential-cache", "",
"--upstream-identity-provider-flow", "cli_password",
"--upstream-identity-provider-name", "does-not-matter",
"--upstream-identity-provider-type", "oidc",
)
require.Equal(t, `Error: could not complete Pinniped login: could not perform OIDC discovery for "`+
server.URL+`": oidc: issuer did not match the issuer returned by provider, expected "`+
server.URL+`" got "https://not-a-good-issuer"
`, stderr)
require.Empty(t, stdout)
}
// TLS checks safe to run in parallel with serial tests, see main_test.go.
func TestSecureTLSConciergeAggregatedAPI_Parallel(t *testing.T) {
env := testlib.IntegrationEnv(t)
cancelCtx, cancel := context.WithCancel(context.Background())
t.Cleanup(cancel)
startKubectlPortForward(cancelCtx, t, "10446", "443", env.ConciergeAppName+"-api", env.ConciergeNamespace)
stdout, stderr := testlib.RunNmapSSLEnum(t, "127.0.0.1", 10446)
require.Empty(t, stderr)
secure := ptls.Secure(nil)
require.Contains(t, stdout, testlib.GetExpectedCiphers(secure), "stdout:\n%s", stdout)
}
func TestSecureTLSSupervisor(t *testing.T) { // does not run in parallel because of the createSupervisorDefaultTLSCertificateSecretIfNeeded call
env := testlib.IntegrationEnv(t)
ctx, cancel := context.WithCancel(context.Background())
t.Cleanup(cancel)
startKubectlPortForward(ctx, t, "10447", "443", env.SupervisorAppName+"-nodeport", env.SupervisorNamespace)
stdout, stderr := testlib.RunNmapSSLEnum(t, "127.0.0.1", 10447)
// supervisor's cert is ECDSA
defaultECDSAOnly := ptls.Default(nil)
ciphers := make([]uint16, 0, len(defaultECDSAOnly.CipherSuites)/3)
for _, id := range defaultECDSAOnly.CipherSuites {
id := id
if !strings.Contains(tls.CipherSuiteName(id), "_ECDSA_") {
continue
}
ciphers = append(ciphers, id)
}
defaultECDSAOnly.CipherSuites = ciphers
require.Empty(t, stderr)
require.Contains(t, stdout, testlib.GetExpectedCiphers(defaultECDSAOnly), "stdout:\n%s", stdout)
}
// this test ensures that if the list of default fips cipher
// suites changes, we will know.
func TestFIPSCipherSuites_Parallel(t *testing.T) { func TestFIPSCipherSuites_Parallel(t *testing.T) {
_ = testlib.IntegrationEnv(t) _ = testlib.IntegrationEnv(t)
server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// use the default fips config which contains a hard coded list of cipher suites // use the default fips config which contains a hard coded list of cipher suites
// that should be equal to the default list of fips cipher suites. // that should be equal to the default list of fips cipher suites.
defaultTLS := ptls.Default(nil)
// assert that the client hello response has the same tls config as this test server. // assert that the client hello response has the same tls config as this test server.
tlsserver.AssertTLSConfig(t, r, defaultTLS) tlsserver.AssertTLS(t, r, ptls.Default)
}), tlsserver.RecordTLSHello) }), tlsserver.RecordTLSHello)
ca := tlsserver.TLSTestServerCA(server) ca := tlsserver.TLSTestServerCA(server)
@ -157,7 +38,7 @@ func TestFIPSCipherSuites_Parallel(t *testing.T) {
// and therefore uses goboring's default fips ciphers. // and therefore uses goboring's default fips ciphers.
defaultConfig := &tls.Config{ defaultConfig := &tls.Config{
RootCAs: pool, RootCAs: pool,
NextProtos: ptls.Default(nil).NextProtos, NextProtos: ptls.Default(nil).NextProtos, // we do not care about field for this test, so just make it match
} }
transport := http.Transport{ transport := http.Transport{
TLSClientConfig: defaultConfig, TLSClientConfig: defaultConfig,
@ -172,20 +53,3 @@ func TestFIPSCipherSuites_Parallel(t *testing.T) {
require.NoError(t, err) require.NoError(t, err)
require.Equal(t, http.StatusOK, response.StatusCode) require.Equal(t, http.StatusOK, response.StatusCode)
} }
type fakeT struct {
*testing.T
}
func (t *fakeT) FailNow() {
t.Errorf("fakeT ignored FailNow")
}
func (t *fakeT) Errorf(format string, args ...interface{}) {
t.Cleanup(func() {
if !t.Failed() {
return
}
t.Logf("reporting previously ignored errors since main test failed:\n"+format, args...)
})
}

View File

@ -1,9 +1,6 @@
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved. // Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
//go:build !fips_strict
// +build !fips_strict
package integration package integration
import ( import (
@ -27,7 +24,10 @@ func TestSecureTLSPinnipedCLIToKAS_Parallel(t *testing.T) {
_ = testlib.IntegrationEnv(t) _ = testlib.IntegrationEnv(t)
server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
tlsserver.AssertTLS(t, r, ptls.Secure) // pinniped CLI uses ptls.Secure when talking to KAS // pinniped CLI uses ptls.Secure when talking to KAS
// in FIPs mode the distinction doesn't matter much because
// each of the configs is a wrapper for the same base FIPs config
tlsserver.AssertTLS(t, r, ptls.Secure)
w.Header().Set("content-type", "application/json") w.Header().Set("content-type", "application/json")
fmt.Fprint(w, `{"kind":"TokenCredentialRequest","apiVersion":"login.concierge.pinniped.dev/v1alpha1",`+ fmt.Fprint(w, `{"kind":"TokenCredentialRequest","apiVersion":"login.concierge.pinniped.dev/v1alpha1",`+
`"status":{"credential":{"token":"some-fancy-token"}}}`) `"status":{"credential":{"token":"some-fancy-token"}}}`)
@ -58,7 +58,10 @@ func TestSecureTLSPinnipedCLIToSupervisor_Parallel(t *testing.T) {
_ = testlib.IntegrationEnv(t) _ = testlib.IntegrationEnv(t)
server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
tlsserver.AssertTLS(t, r, ptls.Default) // pinniped CLI uses ptls.Default when talking to supervisor // pinniped CLI uses ptls.Default when talking to supervisor
// in FIPs mode the distinction doesn't matter much because
// each of the configs is a wrapper for the same base FIPs config
tlsserver.AssertTLS(t, r, ptls.Default)
w.Header().Set("content-type", "application/json") w.Header().Set("content-type", "application/json")
fmt.Fprint(w, `{"issuer":"https://not-a-good-issuer"}`) fmt.Fprint(w, `{"issuer":"https://not-a-good-issuer"}`)
}), tlsserver.RecordTLSHello) }), tlsserver.RecordTLSHello)

View File

@ -87,7 +87,7 @@ func GetExpectedCiphers(config *tls.Config) string {
} }
s.WriteString("\n") s.WriteString("\n")
} }
tls12Bit = fmt.Sprintf(tls12Base, s.String(), getCipherSuitePreference()) tls12Bit = fmt.Sprintf(tls12Base, s.String(), cipherSuitePreference)
} }
skip13 := config.MaxVersion == tls.VersionTLS12 skip13 := config.MaxVersion == tls.VersionTLS12

View File

@ -10,6 +10,4 @@ package testlib
// incorrectly shown as 'client' in some cases. // incorrectly shown as 'client' in some cases.
// in fips-only mode, it correctly shows the cipher preference // in fips-only mode, it correctly shows the cipher preference
// as 'server', while in non-fips mode it shows as 'client'. // as 'server', while in non-fips mode it shows as 'client'.
func getCipherSuitePreference() string { const cipherSuitePreference = "server"
return "server"
}

View File

@ -10,6 +10,4 @@ package testlib
// incorrectly shown as 'client' in some cases. // incorrectly shown as 'client' in some cases.
// in fips-only mode, it correctly shows the cipher preference // in fips-only mode, it correctly shows the cipher preference
// as 'server', while in non-fips mode it shows as 'client'. // as 'server', while in non-fips mode it shows as 'client'.
func getCipherSuitePreference() string { const cipherSuitePreference = "client"
return "client"
}