Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added TLS Inlet support #8227

Merged
merged 2 commits into from
Sep 13, 2024
Merged

Added TLS Inlet support #8227

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
fa5707b
feat(rust): added `TLS` inlet support
davide-baldo Jun 27, 2024
a550c80
chore(rust): hidden `TLS` inlets parameters
davide-baldo Jul 9, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions Cargo.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 3 additions & 0 deletions implementations/rust/ockam/ockam_api/src/authenticator/direct/direct_authenticator.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,9 @@ pub const OCKAM_ROLE_ATTRIBUTE_KEY: &str = "ockam-role";
/// the corresponding key is [`OCKAM_ROLE_ATTRIBUTE_KEY`]
pub const OCKAM_ROLE_ATTRIBUTE_ENROLLER_VALUE: &str = "enroller";

/// Identity attribute key that indicates the privileges to access the project TLS certificate
pub const OCKAM_TLS_ATTRIBUTE_KEY: &str = "ockam-tls-certificate";

pub struct DirectAuthenticatorError(pub String);

pub type DirectAuthenticatorResult<T> = Either<T, DirectAuthenticatorError>;
Expand Down
1 change: 1 addition & 0 deletions implementations/rust/ockam/ockam_api/src/kafka/inlet_controller.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -142,6 +142,7 @@ impl KafkaInletController {
None,
false,
false,
None,
)
.await?;

Expand Down
12 changes: 10 additions & 2 deletions implementations/rust/ockam/ockam_api/src/nodes/models/portal.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,10 +54,12 @@ pub struct CreateInlet {
/// If not set, the node's identifier will be used.
#[n(10)] pub(crate) secure_channel_identifier: Option<Identifier>,
/// Enable UDP NAT puncture.
#[n(11)] pub enable_udp_puncture: bool,
#[n(11)] pub(crate) enable_udp_puncture: bool,
/// Disable fallback to TCP.
/// TCP won't be used to transfer data between the Inlet and the Outlet.
#[n(12)] pub disable_tcp_fallback: bool,
#[n(12)] pub(crate) disable_tcp_fallback: bool,
/// TLS certificate provider route.
#[n(13)] pub(crate) tls_certificate_provider: Option<MultiAddr>,
}

impl CreateInlet {
Expand Down Expand Up @@ -85,6 +87,7 @@ impl CreateInlet {
secure_channel_identifier: None,
enable_udp_puncture,
disable_tcp_fallback,
tls_certificate_provider: None,
}
}

Expand Down Expand Up @@ -113,9 +116,14 @@ impl CreateInlet {
secure_channel_identifier: None,
enable_udp_puncture,
disable_tcp_fallback,
tls_certificate_provider: None,
}
}

pub fn set_tls_certificate_provider(&mut self, provider: MultiAddr) {
self.tls_certificate_provider = Some(provider);
}

pub fn set_wait_ms(&mut self, ms: u64) {
self.wait_for_outlet_duration = Some(Duration::from_millis(ms))
}
Expand Down
1 change: 1 addition & 0 deletions implementations/rust/ockam/ockam_api/src/nodes/service.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ pub mod tcp_outlets;
mod transport;
pub mod workers;

mod certificate_provider;
mod http;
mod manager;
mod trust;
Expand Down
143 changes: 143 additions & 0 deletions implementations/rust/ockam/ockam_api/src/nodes/service/certificate_provider.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,143 @@
use crate::nodes::NodeManager;
use minicbor::{Decode, Decoder, Encode};
use ockam_core::errcode::{Kind, Origin};
use ockam_core::{Any, NeutralMessage, Routed};
use ockam_multiaddr::MultiAddr;
use ockam_node::{Context, MessageSendReceiveOptions};
use ockam_transport_tcp::{TlsCertificate, TlsCertificateProvider};
use std::fmt::{Debug, Display, Formatter};
use std::sync::Weak;
use std::time::Duration;
use tonic::async_trait;

#[derive(Clone)]
pub(crate) struct ProjectCertificateProvider {
node_manager: Weak<NodeManager>,
to: MultiAddr,
}

impl Debug for ProjectCertificateProvider {
fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
write!(f, "ProjectCertificateProvider {{ to: {:?} }}", self.to)
}
}

impl ProjectCertificateProvider {
pub fn new(node_manager: Weak<NodeManager>, to: MultiAddr) -> Self {
Self { node_manager, to }
}
}

impl Display for ProjectCertificateProvider {
fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
write!(f, "certificate retrieval from: {}", self.to)
}
}

#[derive(Encode, Decode)]
struct CertificateRequest {}

#[derive(Debug, Encode, Decode)]
#[rustfmt::skip]
#[cbor(map)]
struct CertificateResponse {
#[n(1)] kind: ReplyKind,
#[n(2)] certificate: Option<TlsCertificate>,
}

#[derive(Debug, Encode, Decode, PartialEq)]
#[rustfmt::skip]
#[cbor(index_only)]
enum ReplyKind {
#[n(0)] Ready,
#[n(1)] NotReady,
#[n(2)] Unsupported,
}

#[async_trait]
impl TlsCertificateProvider for ProjectCertificateProvider {
async fn get_certificate(&self, context: &Context) -> ockam_core::Result<TlsCertificate> {
debug!("requesting TLS certificate from: {}", self.to);
let node_manager = self.node_manager.upgrade().ok_or_else(|| {
ockam_core::Error::new(Origin::Transport, Kind::Invalid, "NodeManager shut down")
})?;
let connection = {
node_manager
.make_connection(
context,
&self.to,
node_manager.node_identifier.clone(),
None,
None,
)
.await?
};

let options = MessageSendReceiveOptions::new().with_timeout(Duration::from_secs(30));

let payload = {
let mut buffer = Vec::new();
minicbor::Encoder::new(&mut buffer).encode(&CertificateRequest {})?;
buffer
};

let reply: Routed<Any> = context
.send_and_receive_extended(connection.route()?, NeutralMessage::from(payload), options)
.await?;

let payload = reply.into_payload();
let reply: CertificateResponse = Decoder::new(&payload).decode()?;

match reply.kind {
ReplyKind::Ready => {
if let Some(certificate) = reply.certificate {
Ok(certificate)
} else {
Err(ockam_core::Error::new(
Origin::Transport,
Kind::Invalid,
"invalid reply from certificate provider",
))
}
}
ReplyKind::Unsupported => Err(ockam_core::Error::new(
Origin::Transport,
Kind::NotReady,
"certificate",
)),
ReplyKind::NotReady => Err(ockam_core::Error::new(
Origin::Transport,
Kind::NotReady,
"certificate",
)),
}
}
}

#[cfg(test)]
mod test {
use super::*;

#[test]
fn check_orchestrator_encoding_not_ready() {
let payload = hex::decode("A10101").unwrap();
let reply: CertificateResponse = Decoder::new(&payload).decode().unwrap();
assert_eq!(reply.kind, ReplyKind::NotReady);
assert!(reply.certificate.is_none());
}

#[test]
fn check_orchestrator_encoding_ready() {
let payload =
hex::decode("a2010002a2014a66756c6c5f636861696e024b707269766174655f6b6579").unwrap();
let reply: CertificateResponse = Decoder::new(&payload).decode().unwrap();
assert_eq!(reply.kind, ReplyKind::Ready);
assert_eq!(
reply.certificate,
Some(TlsCertificate {
full_chain_pem: "full_chain".as_bytes().to_vec(),
private_key_pem: "private_key".as_bytes().to_vec()
})
);
}
}
1 change: 1 addition & 0 deletions implementations/rust/ockam/ockam_api/src/nodes/service/kafka_services.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -216,6 +216,7 @@ impl InMemoryNode {
None,
false,
false,
None,
)
.await?;

Expand Down
4 changes: 4 additions & 0 deletions implementations/rust/ockam/ockam_api/src/nodes/service/tcp_inlets/background_node_client.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ impl Inlets for BackgroundNodeClient {
secure_channel_identifier: &Option<Identifier>,
enable_udp_puncture: bool,
disable_tcp_fallback: bool,
tls_certificate_provider: &Option<MultiAddr>,
) -> miette::Result<Reply<InletStatus>> {
let request = {
let via_project = outlet_addr.matches(0, &[ProjectProto::CODE.into()]);
Expand Down Expand Up @@ -60,6 +61,9 @@ impl Inlets for BackgroundNodeClient {
if let Some(identifier) = secure_channel_identifier {
payload.set_secure_channel_identifier(identifier.clone())
}
if let Some(tls_provider) = tls_certificate_provider {
payload.set_tls_certificate_provider(tls_provider.clone())
}
payload.set_wait_ms(wait_for_outlet_timeout.as_millis() as u64);
Request::post("/node/inlet").body(payload)
};
Expand Down
2 changes: 2 additions & 0 deletions implementations/rust/ockam/ockam_api/src/nodes/service/tcp_inlets/in_memory_node.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ impl InMemoryNode {
secure_channel_identifier: Option<Identifier>,
enable_udp_puncture: bool,
disable_tcp_fallback: bool,
tls_certificate_provider: Option<MultiAddr>,
) -> Result<InletStatus> {
self.node_manager
.create_inlet(
Expand All @@ -44,6 +45,7 @@ impl InMemoryNode {
secure_channel_identifier,
enable_udp_puncture,
disable_tcp_fallback,
tls_certificate_provider,
)
.await
}
Expand Down
1 change: 1 addition & 0 deletions implementations/rust/ockam/ockam_api/src/nodes/service/tcp_inlets/inlets_trait.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ pub trait Inlets {
secure_channel_identifier: &Option<Identifier>,
enable_udp_puncture: bool,
disable_tcp_fallback: bool,
tls_certificate_provider: &Option<MultiAddr>,
) -> miette::Result<Reply<InletStatus>>;

async fn show_inlet(&self, ctx: &Context, alias: &str) -> miette::Result<Reply<InletStatus>>;
Expand Down
2 changes: 2 additions & 0 deletions implementations/rust/ockam/ockam_api/src/nodes/service/tcp_inlets/node_manager.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@ impl NodeManager {
enable_udp_puncture: bool,
// TODO: Introduce mode enum
disable_tcp_fallback: bool,
tls_certificate_provider: Option<MultiAddr>,
) -> Result<InletStatus> {
info!("Handling request to create inlet portal");
debug! {
Expand Down Expand Up @@ -118,6 +119,7 @@ impl NodeManager {
policy_expression,
secure_channel_identifier,
disable_tcp_fallback,
tls_certificate_provider,
inlet: None,
connection: None,
main_route: None,
Expand Down
2 changes: 2 additions & 0 deletions implementations/rust/ockam/ockam_api/src/nodes/service/tcp_inlets/node_manager_worker.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ impl NodeManagerWorker {
secure_channel_identifier,
enable_udp_puncture,
disable_tcp_fallback,
tls_certificate_provider,
} = create_inlet;
match self
.node_manager
Expand All @@ -47,6 +48,7 @@ impl NodeManagerWorker {
secure_channel_identifier,
enable_udp_puncture,
disable_tcp_fallback,
tls_certificate_provider,
)
.await
{
Expand Down
11 changes: 11 additions & 0 deletions implementations/rust/ockam/ockam_api/src/nodes/service/tcp_inlets/session_replacer.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
use crate::nodes::service::certificate_provider::ProjectCertificateProvider;
use ockam_transport_tcp::new_certificate_provider_cache;
use std::sync::{Arc, Weak};
use std::time::Duration;

Expand Down Expand Up @@ -39,6 +41,7 @@ pub(super) struct InletSessionReplacer {
pub(super) policy_expression: Option<PolicyExpression>,
pub(super) secure_channel_identifier: Option<Identifier>,
pub(super) disable_tcp_fallback: bool,
pub(super) tls_certificate_provider: Option<MultiAddr>,

// current status
pub(super) inlet: Option<Arc<TcpInlet>>,
Expand Down Expand Up @@ -111,6 +114,14 @@ impl InletSessionReplacer {
options
};

let options = if let Some(tls_provider) = &self.tls_certificate_provider {
options.with_tls_certificate_provider(new_certificate_provider_cache(Arc::new(
ProjectCertificateProvider::new(self.node_manager.clone(), tls_provider.clone()),
)))
} else {
options
};

Ok(options)
}

Expand Down
1 change: 1 addition & 0 deletions implementations/rust/ockam/ockam_api/tests/latency.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -163,6 +163,7 @@ pub fn measure_buffer_latency_two_nodes_portal() {
None,
false,
false,
None,
)
.await?;

Expand Down
5 changes: 5 additions & 0 deletions implementations/rust/ockam/ockam_api/tests/portals.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,7 @@ async fn inlet_outlet_local_successful(context: &mut Context) -> ockam::Result<(
None,
false,
false,
None,
)
.await?;

Expand Down Expand Up @@ -132,6 +133,7 @@ fn portal_node_goes_down_reconnect() {
None,
false,
false,
None,
)
.await?;

Expand Down Expand Up @@ -286,6 +288,7 @@ fn portal_low_bandwidth_connection_keep_working_for_60s() {
None,
false,
false,
None,
)
.await?;

Expand Down Expand Up @@ -397,6 +400,7 @@ fn portal_heavy_load_exchanged() {
None,
false,
false,
None,
)
.await?;

Expand Down Expand Up @@ -547,6 +551,7 @@ fn test_portal_payload_transfer(outgoing_disruption: Disruption, incoming_disrup
None,
false,
false,
None,
)
.await?;

Expand Down
1 change: 1 addition & 0 deletions implementations/rust/ockam/ockam_app_lib/src/incoming_services/commands.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -226,6 +226,7 @@ impl AppState {
&None,
false,
false,
&None,
)
.await
.map_err(|err| {
Expand Down
Loading
Loading