feat: Control API uses automatic cross-pinning mTLS (Closes #119)

. kapow server generates on startup a pair of certificates that will use to secure communications to its control server. It will communicate the server and client certificates as well as the client private key to the init programs it launches, via environment variables. . kapow server now understands a new flag --control-reachable-addr which accepts either a IP address or a DNS name, that can be used to ensure that the generated server certificate will be appropiate in case the control server must be accessed from something other than localhost. Co-authored-by: Roberto Abdelkader Martínez Pérez <robertomartinezp@gmail.com>
BBVA · Mar 12, 2021 · 1e63f3c · 1e63f3c
1 parent ab50721
commit 1e63f3c
Show file tree

Hide file tree

Showing 18 changed files with 325 additions and 103 deletions.
diff --git a/README.md b/README.md
@@ -62,10 +62,9 @@ You can find the complete documentation and examples [here](https://kapow.readth
 
 ## Security
 
-Please consider the following security caveats **before** using *Kapow!*
-
-- [Issue #119](https://github.com/BBVA/kapow/issues/119)
-- [Security Concerns](https://kapow.readthedocs.io/en/stable/the_project/security.html#security-concerns)
+Please consider the following
+[Security Concerns](https://kapow.readthedocs.io/en/stable/the_project/security.html#security-concerns)
+**before** using *Kapow!*
 
 If you are not 100% sure about what you are doing we recommend not using *Kapow!*
 

diff --git a/docs/source/concepts/interfaces.rst b/docs/source/concepts/interfaces.rst
@@ -16,16 +16,20 @@ By default it binds to address ``0.0.0.0`` and port ``8080``, but that can be
 changed via the ``--bind`` flag.
 
 
-.. _http-control-interface:
+.. _https-control-interface:
 
-HTTP Control Interface
-----------------------
+HTTPS Control Interface
+-----------------------
 
-The `HTTP Control Interface` is used by the command ``kapow route`` to
+The `HTTPS Control Interface` is used by the command ``kapow route`` to
 administer the list of system routes.
 
+This interface uses mTLS by default (double-pinned autogenerated certs).
+
 By default it binds to address ``127.0.0.1`` and port ``8081``, but that can be
-changed via the ``--control-bind`` flag.
+changed via the ``--control-bind`` flag.  If this is the case, consider
+also ``--control-reachable-addr`` which will configure the autogenerated
+certificate to match that address.
 
 
 .. _http-data-interface:

diff --git a/docs/source/concepts/request_life_cycle.rst b/docs/source/concepts/request_life_cycle.rst
@@ -30,8 +30,8 @@ The spawned entrypoint is run with the following variables added to its
 environment:
 
 - :envvar:`KAPOW_HANDLER_ID`: Containing the `HANDLER_ID`
-- :envvar:`KAPOW_DATAAPI_URL`: With the URL of the :ref:`http-data-interface`
-- :envvar:`KAPOW_CONTROLAPI_URL`: With the URL of the :ref:`http-control-interface`
+- :envvar:`KAPOW_DATA_URL`: With the URL of the :ref:`http-data-interface`
+- :envvar:`KAPOW_CONTROL_URL`: With the URL of the :ref:`https-control-interface`
 
 
 3. ``kapow set /response/body banana``

diff --git a/docs/source/examples/managing_routes.rst b/docs/source/examples/managing_routes.rst
@@ -100,7 +100,7 @@ Or, if you want human-readable output, you can use :program:`jq`:
 
 .. note::
 
-   *Kapow!* has a :ref:`http-control-interface`, bound by default to
+   *Kapow!* has a :ref:`https-control-interface`, bound by default to
    ``localhost:8081``.
 
 

diff --git a/internal/certs/certs.go b/internal/certs/certs.go
@@ -0,0 +1,99 @@
+package certs
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"math/big"
+	"net"
+	"time"
+
+	"github.com/BBVA/kapow/internal/logger"
+)
+
+type Cert struct {
+	X509Cert   *x509.Certificate
+	PrivKey    crypto.PrivateKey
+	SignedCert []byte
+}
+
+func (c Cert) SignedCertPEMBytes() []byte {
+
+	PEM := new(bytes.Buffer)
+	err := pem.Encode(PEM, &pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: c.SignedCert,
+	})
+	if err != nil {
+		logger.L.Fatal(err)
+	}
+
+	return PEM.Bytes()
+}
+
+func (c Cert) PrivateKeyPEMBytes() []byte {
+	PEM := new(bytes.Buffer)
+	err := pem.Encode(PEM, &pem.Block{
+		Type:  "RSA PRIVATE KEY",
+		Bytes: x509.MarshalPKCS1PrivateKey(c.PrivKey.(*rsa.PrivateKey)),
+	})
+	if err != nil {
+		logger.L.Fatal(err)
+	}
+
+	return PEM.Bytes()
+}
+
+func GenCert(name, altName string, isServer bool) Cert {
+
+	usage := x509.ExtKeyUsageClientAuth
+	if isServer {
+		usage = x509.ExtKeyUsageServerAuth
+	}
+
+	var dnsNames []string
+	var ipAddresses []net.IP
+	if altName != "" {
+		if ipAddr := net.ParseIP(altName); ipAddr != nil {
+			ipAddresses = []net.IP{ipAddr}
+		} else {
+			dnsNames = []string{altName}
+		}
+	}
+
+	cert := &x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		DNSNames:     dnsNames,
+		IPAddresses:  ipAddresses,
+		Subject: pkix.Name{
+			CommonName: name,
+		},
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().AddDate(10, 0, 0),
+		IsCA:                  false,
+		BasicConstraintsValid: true,
+		ExtKeyUsage: []x509.ExtKeyUsage{
+			usage,
+		},
+	}
+
+	certPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
+	if err != nil {
+		logger.L.Fatal(err)
+	}
+
+	certBytes, err := x509.CreateCertificate(rand.Reader, cert, cert, &certPrivKey.PublicKey, certPrivKey)
+	if err != nil {
+		logger.L.Fatal(err)
+	}
+
+	return Cert{
+		X509Cert:   cert,
+		PrivKey:    certPrivKey,
+		SignedCert: certBytes,
+	}
+}
diff --git a/internal/client/client_test.go b/internal/client/client_test.go
@@ -0,0 +1,29 @@
+/*
+ * Copyright 2019 Banco Bilbao Vizcaya Argentaria, S.A.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package client
+
+import (
+	"os"
+	"testing"
+
+	"github.com/BBVA/kapow/internal/http"
+)
+
+func TestMain(m *testing.M) {
+	http.ControlClientGenerator = nil
+	os.Exit(m.Run())
+}
diff --git a/internal/client/get.go b/internal/client/get.go
@@ -25,5 +25,5 @@ import (
 // GetData will perform the request and write the results on the provided writer
 func GetData(host, id, path string, w io.Writer) error {
 	url := host + "/handlers/" + id + path
-	return http.Get(url, "", nil, w)
+	return http.Get(url, nil, w, nil)
 }
diff --git a/internal/client/route_add.go b/internal/client/route_add.go
@@ -36,5 +36,5 @@ func AddRoute(host, path, method, entrypoint, command string, w io.Writer) error
 		payload["entrypoint"] = entrypoint
 	}
 	body, _ := json.Marshal(payload)
-	return http.Post(url, "application/json", bytes.NewReader(body), w)
+	return http.Post(url, bytes.NewReader(body), w, http.ControlClientGenerator, http.AsJSON)
 }
diff --git a/internal/client/route_list.go b/internal/client/route_list.go
@@ -25,5 +25,5 @@ import (
 // ListRoutes queries the kapow! instance for the routes that are registered
 func ListRoutes(host string, w io.Writer) error {
 	url := host + "/routes"
-	return http.Get(url, "", nil, w)
+	return http.Get(url, nil, w, http.ControlClientGenerator)
 }
diff --git a/internal/client/route_remove.go b/internal/client/route_remove.go
@@ -23,5 +23,5 @@ import (
 // RemoveRoute removes a registered route in Kapow! server
 func RemoveRoute(host, id string) error {
 	url := host + "/routes/" + id
-	return http.Delete(url, "", nil, nil)
+	return http.Delete(url, nil, nil, http.ControlClientGenerator)
 }
diff --git a/internal/client/set.go b/internal/client/set.go
@@ -24,5 +24,5 @@ import (
 
 func SetData(host, handlerID, path string, r io.Reader) error {
 	url := host + "/handlers/" + handlerID + path
-	return http.Put(url, "", r, nil)
+	return http.Put(url, r, nil, nil)
 }
diff --git a/internal/cmd/route.go b/internal/cmd/route.go
@@ -43,7 +43,7 @@ func init() {
 			}
 		},
 	}
-	routeListCmd.Flags().String("control-url", getEnv("KAPOW_CONTROL_URL", "http://localhost:8081"), "Kapow! control interface URL")
+	routeListCmd.Flags().String("control-url", getEnv("KAPOW_CONTROL_URL", "https://localhost:8081"), "Kapow! control interface URL")
 
 	// TODO: Manage args for url_pattern and command_file (2 exact args)
 	var routeAddCmd = &cobra.Command{
@@ -78,7 +78,7 @@ func init() {
 		},
 	}
 	// TODO: Add default values for flags and remove path flag
-	routeAddCmd.Flags().String("control-url", getEnv("KAPOW_CONTROL_URL", "http://localhost:8081"), "Kapow! control interface URL")
+	routeAddCmd.Flags().String("control-url", getEnv("KAPOW_CONTROL_URL", "https://localhost:8081"), "Kapow! control interface URL")
 	routeAddCmd.Flags().StringP("method", "X", "GET", "HTTP method to accept")
 	routeAddCmd.Flags().StringP("entrypoint", "e", "", "Command to execute")
 	routeAddCmd.Flags().StringP("command", "c", "", "Command to pass to the shell")
@@ -95,7 +95,7 @@ func init() {
 			}
 		},
 	}
-	routeRemoveCmd.Flags().String("control-url", getEnv("KAPOW_CONTROL_URL", "http://localhost:8081"), "Kapow! control interface URL")
+	routeRemoveCmd.Flags().String("control-url", getEnv("KAPOW_CONTROL_URL", "https://localhost:8081"), "Kapow! control interface URL")
 
 	RouteCmd.AddCommand(routeListCmd)
 	RouteCmd.AddCommand(routeAddCmd)

diff --git a/internal/cmd/server.go b/internal/cmd/server.go
@@ -19,16 +19,40 @@ package cmd
 import (
 	"bufio"
 	"errors"
+	"fmt"
 	"io"
 	"os"
+	"strings"
 	"sync"
 
 	"github.com/spf13/cobra"
 
+	"github.com/BBVA/kapow/internal/certs"
 	"github.com/BBVA/kapow/internal/logger"
 	"github.com/BBVA/kapow/internal/server"
 )
 
+func banner() {
+	fmt.Fprintln(os.Stderr, `
+                                                              %%  %%%%
+                                                            %%%   %%%
+                                                %%         %%%    %%%
+                                       %%%%%%% %%%    %%%  %%%    %%%
+                            *%%     %%%%%%%%%%%%%%%  %%%% %%%     %%
+                   %%   %%%%%%%%%. %%%     %%%% %%% %%%%%%%%
+                 %%%%   %%%   %%% %%%       %%% %%%%%%  %%%%
+   %%%   %%%    %%%%%%  %%% %%%%  %%%      %%%%  %%%%   %%%      %%%
+   %%%  %%%     %%  %%% %%%%%    %%%%%    %%%%   %%%
+   %%% %%%     %% %%%%%%%%%       %%%%%%%%%%
+   %%%%%%     %%%    %%%%%%         %%%
+   %%% %%%%%  %%     %%%%%%
+   %%%   %%%%%%%
+   %%%%
+    %           If you can script it, you can HTTP it.
+
+	`)
+}
+
 // ServerCmd is the command line interface for kapow server
 var ServerCmd = &cobra.Command{
 	Use:   "server [optional flags] [optional init program(s)]",
@@ -42,36 +66,60 @@ var ServerCmd = &cobra.Command{
 		sConf.ControlBindAddr, _ = cmd.Flags().GetString("control-bind")
 		sConf.DataBindAddr, _ = cmd.Flags().GetString("data-bind")
 
+		controlReachableAddr, _ := cmd.Flags().GetString("control-reachable-addr")
+
 		sConf.CertFile, _ = cmd.Flags().GetString("certfile")
 		sConf.KeyFile, _ = cmd.Flags().GetString("keyfile")
 
 		sConf.ClientAuth, _ = cmd.Flags().GetBool("clientauth")
 		sConf.ClientCaFile, _ = cmd.Flags().GetString("clientcafile")
 		sConf.Debug, _ = cmd.Flags().GetBool("debug")
 
+		sConf.ControlServerCert = certs.GenCert("control_server", extractHost(controlReachableAddr), true)
+		sConf.ControlClientCert = certs.GenCert("control_client", "", false)
+
 		// Set environment variables KAPOW_DATA_URL and KAPOW_CONTROL_URL only if they aren't set so we don't overwrite user's preferences
 		if _, exist := os.LookupEnv("KAPOW_DATA_URL"); !exist {
 			os.Setenv("KAPOW_DATA_URL", "http://"+sConf.DataBindAddr)
 		}
 		if _, exist := os.LookupEnv("KAPOW_CONTROL_URL"); !exist {
-			os.Setenv("KAPOW_CONTROL_URL", "http://"+sConf.ControlBindAddr)
+			os.Setenv("KAPOW_CONTROL_URL", "https://"+controlReachableAddr)
 		}
+		banner()
 
 		server.StartServer(sConf)
 
 		for _, path := range args {
-			go Run(path, sConf.Debug)
+			go Run(
+				path,
+				sConf.Debug,
+				sConf.ControlServerCert.SignedCertPEMBytes(),
+				sConf.ControlClientCert.SignedCertPEMBytes(),
+				sConf.ControlClientCert.PrivateKeyPEMBytes(),
+			)
 		}
 
 		select {}
 	},
 }
 
+func extractHost(s string) string {
+	i := strings.LastIndex(s, ":")
+	s = s[:i]
+	l := len(s) - 1
+	if s[0] == '[' && s[l] == ']' {
+		s = s[1:l]
+	}
+	return s
+}
+
 func init() {
 	ServerCmd.Flags().String("bind", "0.0.0.0:8080", "IP address and port to bind the user interface to")
 	ServerCmd.Flags().String("control-bind", "localhost:8081", "IP address and port to bind the control interface to")
 	ServerCmd.Flags().String("data-bind", "localhost:8082", "IP address and port to bind the data interface to")
 
+	ServerCmd.Flags().String("control-reachable-addr", "localhost:8081", "address (incl. port) through which the control interface can be reached (from the client's point of view)")
+
 	ServerCmd.Flags().String("certfile", "", "Cert file to serve thru https")
 	ServerCmd.Flags().String("keyfile", "", "Key file to serve thru https")
 
@@ -100,10 +148,19 @@ func validateServerCommandArguments(cmd *cobra.Command, args []string) error {
 	return nil
 }
 
-func Run(path string, debug bool) {
+func Run(
+	path string,
+	debug bool,
+	controlServerCertPEM,
+	controlClientCertPEM,
+	controlClientCertPrivKeyPEM []byte,
+) {
 	logger.L.Printf("Running init program %+q", path)
 	cmd := BuildCmd(path)
 	cmd.Env = os.Environ()
+	cmd.Env = append(cmd.Env, fmt.Sprintf("KAPOW_CONTROL_SERVER_CERT=%s", controlServerCertPEM))
+	cmd.Env = append(cmd.Env, fmt.Sprintf("KAPOW_CONTROL_CLIENT_CERT=%s", controlClientCertPEM))
+	cmd.Env = append(cmd.Env, fmt.Sprintf("KAPOW_CONTROL_CLIENT_KEY=%s", controlClientCertPrivKeyPEM))
 
 	var wg sync.WaitGroup
 	if debug {