Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

linkerd_identity: split linkerd_identity::Id into DNS and URI variants #2538

Merged
merged 6 commits into from
Dec 8, 2023
Merged

linkerd_identity: split linkerd_identity::Id into DNS and URI variants #2538

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
ca41400
split tls id into DNS and URI variants
zaharidichev Nov 28, 2023
d2242f6
feedback
zaharidichev Nov 29, 2023
3e31ee8
make authz fns private again
zaharidichev Nov 29, 2023
0359465
feedback
zaharidichev Dec 7, 2023
a187e19
allow two versions of idna
zaharidichev Dec 7, 2023
2defa19
feedback
zaharidichev Dec 8, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 21 additions & 8 deletions Cargo.lock
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -582,9 +582,9 @@ checksum = "aa9a19cbb55df58761df49b23516a86d432839add4af60fc256da840f66ed35b"

[[package]]
name = "form_urlencoded"
version = "1.1.0"
version = "1.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a9c384f161156f5260c24a097c56119f9be8c798586aecc13afbcbe7b7e26bf8"
checksum = "e13624c2627564efccf4934284bdd98cbaa14e79b0b5a141218e507b3a823456"
dependencies = [
"percent-encoding",
]
Expand Down Expand Up @@ -899,6 +899,16 @@ dependencies = [
"unicode-normalization",
]

[[package]]
name = "idna"
version = "0.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "634d9b1461af396cad843f47fdba5597a4f9e6ddd4bfb6ff5d85028c25cb12f6"
dependencies = [
"unicode-bidi",
"unicode-normalization",
]

[[package]]
name = "indexmap"
version = "1.9.3"
Expand Down Expand Up @@ -1198,6 +1208,7 @@ dependencies = [
"linkerd-app-test",
"linkerd-http-access-log",
"linkerd-http-metrics",
"linkerd-identity",
"linkerd-idle-cache",
"linkerd-io",
"linkerd-meshtls",
Expand Down Expand Up @@ -1514,6 +1525,8 @@ version = "0.1.0"
dependencies = [
"linkerd-dns-name",
"linkerd-error",
"thiserror",
"url",
]

[[package]]
Expand Down Expand Up @@ -2452,9 +2465,9 @@ dependencies = [

[[package]]
name = "percent-encoding"
version = "2.2.0"
version = "2.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "478c572c3d73181ff3c2539045f6eb99e5491218eae919370993b890cdbdd98e"
checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e"

[[package]]
name = "petgraph"
Expand Down Expand Up @@ -3458,7 +3471,7 @@ dependencies = [
"futures-channel",
"futures-io",
"futures-util",
"idna",
"idna 0.2.3",
"ipnet",
"lazy_static",
"rand",
Expand Down Expand Up @@ -3537,12 +3550,12 @@ checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a"

[[package]]
name = "url"
version = "2.3.0"
version = "2.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "22fe195a4f217c25b25cb5058ced57059824a678474874038dc88d211bf508d3"
checksum = "31e6302e3bb753d46e83516cae55ae196fc0c309407cf11ab35cc51a4c2a4633"
dependencies = [
"form_urlencoded",
"idna",
"idna 0.5.0",
"percent-encoding",
]

Expand Down
2 changes: 2 additions & 0 deletions deny.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,8 @@ skip = [
# https://github.com/hawkw/matchers/pull/4
{ name = "regex-automata", version = "0.1" },
{ name = "regex-syntax", version = "0.6" },
# `trust-dns-proto`, depends on `idna` v0.2.3 while `url` depends on v0.5.0
{ name = "idna" },
Comment on lines +82 to +83
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I looked into this and (1) it appears that trust-dns has rebranded as hickory-dns, so we're going to have to be aware of that when we upgrade trust-dns; (2) and the latest version is on idna v0.4.

Normally, we'd follow up this PR with an upstream PR to update hickory-dns to idna 0.5 so that we can be sure to resolve this when we take the next hickory udpate.

These exceptions are fine temporarily, but each skip here means we're double-building dependencies. We try to keep this overhead manageable over time.

]
skip-tree = [
# right now we have a mix of versions of this crate in the ecosystem
Expand Down
1 change: 1 addition & 0 deletions linkerd/app/inbound/Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ linkerd-meshtls-rustls = { path = "../../meshtls/rustls", optional = true }
linkerd-proxy-client-policy = { path = "../../proxy/client-policy" }
linkerd-tonic-watch = { path = "../../tonic-watch" }
linkerd2-proxy-api = { version = "0.12", features = ["inbound"] }
linkerd-identity = { path = "../../identity" }
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This shouldn't be necessary: app-inbound and app-outbound pick up the vast majority of their dependencies via reexport from app-core:

linkerd2-proxy/linkerd/app/core/src/lib.rs

Lines 50 to 54 in 31b2aea

pub mod identity {
pub use linkerd_identity::*;
pub use linkerd_meshtls::*;
pub use linkerd_proxy_identity_client as client;
}

once_cell = "1"
parking_lot = "0.12"
rangemap = "1"
Expand Down
150 changes: 137 additions & 13 deletions linkerd/app/inbound/src/policy.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ use linkerd_app_core::{
tls,
transport::{ClientAddr, OrigDstAddr, Remote},
};
use linkerd_identity as id;
use linkerd_idle_cache::Cached;
pub use linkerd_proxy_server_policy::{
authz::Suffix,
Expand Down Expand Up @@ -150,15 +151,7 @@ impl AllowPolicy {
}
}

fn is_authorized(
authz: &Authorization,
client_addr: Remote<ClientAddr>,
tls: &tls::ConditionalServerTls,
) -> bool {
if !authz.networks.iter().any(|n| n.contains(&client_addr.ip())) {
return false;
}

fn is_tls_authorized(tls: &tls::ConditionalServerTls, authz: &Authorization) -> bool {
match authz.authentication {
Authentication::Unauthenticated => true,

Expand All @@ -176,15 +169,30 @@ fn is_authorized(
tls::ConditionalServerTls::Some(tls::ServerTls::Established {
client_id: Some(tls::server::ClientId(ref id)),
..
}) => {
identities.contains(&*id.to_str())
|| suffixes.iter().any(|s| s.contains(&id.to_str()))
}
}) => match id {
id::Id::Uri(_) => identities.contains(&*id.to_str()),
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

does that make sense for now ?

id::Id::Dns(_) => {
identities.contains(&*id.to_str())
|| suffixes.iter().any(|s| s.contains(&id.to_str()))
}
},
_ => false,
},
}
}

fn is_authorized(
authz: &Authorization,
client_addr: Remote<ClientAddr>,
tls: &tls::ConditionalServerTls,
) -> bool {
if !authz.networks.iter().any(|n| n.contains(&client_addr.ip())) {
return false;
}

is_tls_authorized(tls, authz)
}

// === impl Permit ===

impl ServerPermit {
Expand All @@ -199,3 +207,119 @@ impl ServerPermit {
}
}
}

#[cfg(test)]
mod tests {
use super::is_tls_authorized;
use super::Meta;
use super::Suffix;
use super::{Authentication, Authorization};
use linkerd_app_core::tls;
use std::collections::BTreeSet;
use std::str::FromStr;
use std::sync::Arc;

fn authorization(identities: BTreeSet<String>, suffixes: Vec<Suffix>) -> Authorization {
Authorization {
networks: vec![],
meta: Arc::new(Meta::Default {
name: "name".into(),
}),
authentication: Authentication::TlsAuthenticated {
identities,
suffixes,
},
}
}

fn server_tls(identity: &str) -> tls::ConditionalServerTls {
let client_id = tls::ClientId::from_str(identity).expect("should parse id");
tls::ConditionalServerTls::Some(tls::ServerTls::Established {
client_id: Some(client_id),
negotiated_protocol: None,
})
}

#[test]
fn is_authorized_for_matching_spiffe_ids() {
let tls = server_tls("spiffe://some-root/some-workload");
let authz = authorization(
BTreeSet::from(["spiffe://some-root/some-workload".into()]),
vec![],
);
assert!(is_tls_authorized(&tls, &authz))
}

#[test]
fn is_not_authorized_for_non_matching_spiffe_ids() {
let tls = server_tls("spiffe://some-root/some-workload-1");
let authz = authorization(
BTreeSet::from(["spiffe://some-root/some-workload-2".into()]),
vec![],
);
assert!(!is_tls_authorized(&tls, &authz))
}

#[test]
fn is_authorized_for_matching_dns_ids() {
let tls = server_tls("some.id.local");
let authz = authorization(BTreeSet::from(["some.id.local".into()]), vec![]);
assert!(is_tls_authorized(&tls, &authz))
}

#[test]
fn is_not_authorized_for_non_matching_dns_ids() {
let tls = server_tls("some.id.local.one");
let authz = authorization(BTreeSet::from(["some.id.local.two".into()]), vec![]);
assert!(!is_tls_authorized(&tls, &authz))
}

#[test]
fn is_authorized_for_matching_dns_suffixes_ids() {
let tls = server_tls("some.id.local");
let authz = authorization(BTreeSet::new(), vec![Suffix::new("id.local")]);
assert!(is_tls_authorized(&tls, &authz))
}

#[test]
fn is_not_authorized_for_non_matching_suffixes_ids() {
let tls = server_tls("some.id.local");
let authz = authorization(BTreeSet::new(), vec![Suffix::new("another-id.local")]);
assert!(!is_tls_authorized(&tls, &authz))
}

#[test]
fn is_not_authorized_for_suffixes_and_spiffe_id() {
let tls = server_tls("spiffe://some-root/some-workload-1");
let authz = authorization(BTreeSet::new(), vec![Suffix::new("some-workload-1")]);
assert!(!is_tls_authorized(&tls, &authz))
}

#[test]
fn is_authorized_for_one_matching_spiffe_id() {
let tls = server_tls("spiffe://some-root/some-workload-1");
let authz = authorization(
BTreeSet::from([
"spiffe://some-root/some-workload-1".into(),
"some.workload.one".into(),
"some.workload.two".into(),
]),
vec![],
);
assert!(is_tls_authorized(&tls, &authz))
}

#[test]
fn is_authorized_for_one_matching_dns_id() {
let tls = server_tls("some.workload.one");
let authz = authorization(
BTreeSet::from([
"spiffe://some-root/some-workload-1".into(),
"some.workload.one".into(),
"some.workload.two".into(),
]),
vec![],
);
assert!(is_tls_authorized(&tls, &authz))
}
}
9 changes: 7 additions & 2 deletions linkerd/app/outbound/src/http/concrete.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -353,14 +353,19 @@
self.metadata
.identity()
.cloned()
.map(move |server_id| {
.map(move |client_tls| {
let alpn = if use_transport_header {
use linkerd_app_core::transport_header::PROTOCOL;
Some(tls::client::AlpnProtocols(vec![PROTOCOL.into()]))
} else {
None
};
tls::ConditionalClientTls::Some(tls::ClientTls::new(server_id, alpn))

tls::ConditionalClientTls::Some(tls::ClientTls::new(
client_tls.server_id,
client_tls.server_name,
alpn,

Check warning on line 367 in linkerd/app/outbound/src/http/concrete.rs

View check run for this annotation

Codecov / codecov/patch

linkerd/app/outbound/src/http/concrete.rs#L364-L367 

Added lines #L364 - L367 were not covered by tests
))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tioli

           .map(move |mut client_tls| {
                client_tls.alpn = if use_transport_header {
                    use linkerd_app_core::transport_header::PROTOCOL;
                    Some(tls::client::AlpnProtocols(vec![PROTOCOL.into()]))
                } else {
                    None
                };

                tls::ConditionalClientTls::Some(client_tls)

Copy link
Member

@olix0r olix0r Dec 8, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

alternately -- we could add a ClientTls::with_alpn(self, alpn: Option<AlpnProtocols>) -> ClientTls if you wanted to avoid the mut, so this would end up

           .map(move |client_tls| {
                tls::ConditionalClientTls::Some(client_tls.with_alpn(if use_transport_header {
                    use linkerd_app_core::transport_header::PROTOCOL;
                    Some(tls::client::AlpnProtocols(vec![PROTOCOL.into()]))
                } else {
                    None
                }))

})
.unwrap_or(tls::ConditionalClientTls::None(
tls::NoClientTls::NotProvidedByServiceDiscovery,
Expand Down
5 changes: 2 additions & 3 deletions linkerd/app/outbound/src/http/require_id_header.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
use futures::{future, TryFutureExt};
use linkerd_app_core::{dns, identity, svc, tls, Conditional, Error};
use linkerd_app_core::{identity, svc, tls, Conditional, Error};
use std::task::{Context, Poll};
use thiserror::Error;
use tracing::{debug, trace};
Expand Down Expand Up @@ -59,8 +59,7 @@ impl<S> RequireIdentity<S> {
#[inline]
fn extract_id<B>(req: &mut http::Request<B>) -> Option<identity::Id> {
let v = req.headers_mut().remove(HEADER_NAME)?;
let n = v.to_str().ok()?.parse::<dns::Name>().ok()?;
Some(n.into())
v.to_str().ok()?.parse::<identity::Id>().ok()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tioli -- the explicit annotation is no longer needed because we're not using an intermediate type.

Suggested change
v.to_str().ok()?.parse::<identity::Id>().ok()
v.to_str().ok()?.parse().ok()

}
}

Expand Down
8 changes: 6 additions & 2 deletions linkerd/app/outbound/src/opaq/concrete.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -283,14 +283,18 @@
self.metadata
.identity()
.cloned()
.map(move |server_id| {
.map(move |client_tls| {
let alpn = if use_transport_header {
use linkerd_app_core::transport_header::PROTOCOL;
Some(tls::client::AlpnProtocols(vec![PROTOCOL.into()]))
} else {
None
};
tls::ConditionalClientTls::Some(tls::ClientTls::new(server_id, alpn))
tls::ConditionalClientTls::Some(tls::ClientTls::new(
zaharidichev marked this conversation as resolved.
Show resolved Hide resolved
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same suggestion as above could apply here

client_tls.server_id,
client_tls.server_name,
alpn,

Check warning on line 296 in linkerd/app/outbound/src/opaq/concrete.rs

View check run for this annotation

Codecov / codecov/patch

linkerd/app/outbound/src/opaq/concrete.rs#L293-L296 

Added lines #L293 - L296 were not covered by tests
))
})
.unwrap_or(tls::ConditionalClientTls::None(
tls::NoClientTls::NotProvidedByServiceDiscovery,
Expand Down
Loading
Loading