Initial spiffe implementation

compile-pb.sh

@@ -4,7 +4,7 @@ set -o nounset
 set -o errexit
 set -o pipefail
 
-protoc --elixir_out=gen_descriptors=true,plugins=grpc:./lib/spawn/grpc --proto_path=priv/protos/grpc/ priv/protos/grpc/reflection/v1alpha/reflection.proto
+#protoc --elixir_out=gen_descriptors=true,plugins=grpc:./lib/spawn/grpc --proto_path=priv/protos/grpc/ priv/protos/grpc/reflection/v1alpha/reflection.proto
 
 # protoc --elixir_out=gen_descriptors=true:./lib/spawn/google/protobuf --proto_path=priv/protos/google/protobuf priv/protos/google/protobuf/any.proto
 # protoc --elixir_out=gen_descriptors=true:./lib/spawn/google/protobuf --proto_path=priv/protos/google/protobuf priv/protos/google/protobuf/empty.proto
@@ -26,29 +26,31 @@ protoc --elixir_out=gen_descriptors=true,plugins=grpc:./lib/spawn/grpc --proto_p
 
 #protoc --elixir_out=gen_descriptors=true:./lib/spawn/cloudevents --proto_path=priv/protos/io/cloudevents/v1 priv/protos/io/cloudevents/v1/spec.proto
 
-PROTOS=("
-    priv/protos/eigr/functions/protocol/actors/extensions.proto 
-    priv/protos/eigr/functions/protocol/actors/actor.proto 
-    priv/protos/eigr/functions/protocol/actors/protocol.proto 
-    priv/protos/eigr/functions/protocol/actors/state.proto 
-    priv/protos/eigr/functions/protocol/actors/healthcheck.proto
-")
-
-BASE_PATH=`pwd`
-
-echo "Base protobuf path is: $BASE_PATH/priv/protos"
-
-for file in $PROTOS; do
-  echo "Compiling file $BASE_PATH/$file..."
-
-  mix protobuf.generate \
-    --output-path=./lib/spawn/actors \
-    --include-docs=true \
-    --generate-descriptors=true \
-    --include-path=$BASE_PATH/priv/protos/ \
-    --include-path=./priv/protos/google/protobuf \
-    --include-path=./priv/protos/google/api \
-    --plugins=ProtobufGenerate.Plugins.GRPCWithOptions \
-    --one-file-per-module \
-    $BASE_PATH/$file
-done
+protoc --elixir_out=gen_descriptors=true,plugins=grpc:./lib/actors/security/spiffe/workload --proto_path=priv/protos priv/protos/spiffe/workload.proto
+
+# PROTOS=("
+#     priv/protos/eigr/functions/protocol/actors/extensions.proto 
+#     priv/protos/eigr/functions/protocol/actors/actor.proto 
+#     priv/protos/eigr/functions/protocol/actors/protocol.proto 
+#     priv/protos/eigr/functions/protocol/actors/state.proto 
+#     priv/protos/eigr/functions/protocol/actors/healthcheck.proto
+# ")
+
+# BASE_PATH=`pwd`
+
+# echo "Base protobuf path is: $BASE_PATH/priv/protos"
+
+# for file in $PROTOS; do
+#   echo "Compiling file $BASE_PATH/$file..."
+
+#   mix protobuf.generate \
+#     --output-path=./lib/spawn/actors \
+#     --include-docs=true \
+#     --generate-descriptors=true \
+#     --include-path=$BASE_PATH/priv/protos/ \
+#     --include-path=./priv/protos/google/protobuf \
+#     --include-path=./priv/protos/google/api \
+#     --plugins=ProtobufGenerate.Plugins.GRPCWithOptions \
+#     --one-file-per-module \
+#     $BASE_PATH/$file
+# done

k8s/componentes/spire-spiffe/manifests/agent-configmap.yaml → k8s/components/spire-spiffe/manifests/agent-configmap.yaml

@@ -19,7 +19,7 @@ data:
       NodeAttestor "k8s_sat" {
         plugin_data {
           # NOTE: Change this to your cluster name
-          cluster = "demo-cluster"
+          cluster = "k3d-eigr-spawn"
         }
       }
 

k8s/componentes/spire-spiffe/manifests/server-configmap.yaml → k8s/components/spire-spiffe/manifests/server-configmap.yaml

@@ -34,7 +34,7 @@ data:
         plugin_data {
           clusters = {
             # NOTE: Change this to your cluster name
-            "demo-cluster" = {
+            "k3d-eigr-spawn" = {
               use_token_review_api_validation = true
               service_account_allow_list = ["spire:spire-agent"]
             }

lib/actors/config/persistent_term_config.ex

@@ -80,6 +80,9 @@ if Code.ensure_loaded?(:persistent_term) do
       {:ship_interval, "2"},
       {:ship_debounce, "2"},
       {:sync_interval, "2"},
+      {:security_idp_spire_enabled, "true"},
+      {:security_idp_spire_server_address, "spire-server.spire.svc.cluster.local"},
+      {:security_idp_spire_server_port, "8081"},
       {:state_handoff_controller_adapter, "crdt"},
       {:state_handoff_manager_pool_size, "20"},
       {:state_handoff_manager_call_timeout, "60000"},
@@ -674,6 +677,33 @@ if Code.ensure_loaded?(:persistent_term) do
       value
     end
 
+    defp load_env({:security_idp_spire_enabled, default}) do
+      value =
+        env("SPAWN_IDP_SPIRE_ENABLED", default)
+        |> to_bool()
+
+      :persistent_term.put({__MODULE__, :security_idp_spire_enabled}, value)
+
+      value
+    end
+
+    defp load_env({:security_idp_spire_server_address, default}) do
+      value = env("SPAWN_IDP_SPIRE_ADDRESS", default)
+      :persistent_term.put({__MODULE__, :security_idp_spire_server_address}, value)
+
+      value
+    end
+
+    defp load_env({:security_idp_spire_server_port, default}) do
+      value =
+        env("SPAWN_IDP_SPIRE_PORT", default)
+        |> String.to_integer()
+
+      :persistent_term.put({__MODULE__, :security_idp_spire_server_port}, value)
+
+      value
+    end
+
     defp load_env({:ship_interval, default}) do
       value =
         env("SPAWN_CRDT_SHIP_INTERVAL", default)

lib/actors/security/spiffe/client.ex

@@ -0,0 +1,93 @@
+defmodule Actors.Security.Spiffe.Client do
+  use GRPC.Stub, service: SpiffeWorkloadAPI.Service
+  require Logger
+
+  alias Actors.Config.PersistentTermConfig, as: Config
+
+  alias JWTSVIDRequest
+  alias X509SVIDRequest
+  alias ValidateJWTSVIDRequest
+
+  alias SpiffeWorkloadAPI.Stub, as: SpiffeStub
+
+  def fetch_x509_svid() do
+    with {:build_url, url} <- {:build_url, build_url()},
+         {:connect, {:ok, channel}} <- {:connect, connect(url)},
+         {:build_request, request} <- {:build_request, %X509SVIDRequest{}} do
+      case SpiffeStub.fetch_x509_svid(channel, request) do
+        {:ok, res_stream} ->
+          Enum.map(res_stream, fn item ->
+            IO.inspect(item)
+          end)
+
+        {:error, error} ->
+          Logger.error("Error during request. Detail: #{inspect(error)}")
+          {:error, error}
+      end
+    else
+      {:connect, error} ->
+        Logger.error("Error to obtain a connection. Detail: #{inspect(error)}")
+        {:error, error}
+
+      {:build_request, error} ->
+        Logger.error("Error during request. Detail: #{inspect(error)}")
+        {:error, error}
+    end
+  end
+
+  def fetch_jwt_svid(audience, spiffe_id \\ nil) do
+    with {:build_url, url} <- {:build_url, build_url()},
+         {:connect, {:ok, channel}} <- {:connect, connect(url)},
+         {:build_request, request} <-
+           {:build_request, %JWTSVIDRequest{audience: audience, spiffe_id: spiffe_id}} do
+      SpiffeStub.fetch_jwtsvid(channel, request)
+    else
+      {:connect, error} ->
+        {:error, error}
+
+      {:build_request, error} ->
+        {:error, error}
+    end
+  end
+
+  def validate_jwt_svid(audience, svid) do
+    with {:build_url, url} <- {:build_url, build_url()},
+         {:connect, {:ok, channel}} <- {:connect, connect(url)},
+         {:build_request, request} <-
+           {:build_request, %ValidateJWTSVIDRequest{audience: audience, svid: svid}} do
+      SpiffeStub.validate_jwtsvid(channel, request)
+    else
+      {:connect, error} ->
+        {:error, error}
+
+      {:build_request, error} ->
+        {:error, error}
+    end
+  end
+
+  defp connect(url) do
+    GRPC.Stub.connect(url,
+      adapter: GRPC.Client.Adapters.Mint,
+      headers: [{"workload.spiffe.io", "true"}],
+      adapter_opts: [
+        http2_opts: %{settings_timeout: :infinity},
+        retry: 5,
+        retry_fun: &retry_fun/2
+      ],
+      client_settings: [
+        initial_window_size: 8_000_000,
+        max_frame_size: 8_000_000
+      ],
+      transport_opts: [timeout: :infinity],
+      interceptors: [{Actors.Security.Spiffe.LoggerInterceptor, level: :debug}]
+    )
+  end
+
+  defp build_url(),
+    do:
+      "http://#{Config.get(:security_idp_spire_server_address)}:#{Config.get(:security_idp_spire_server_port)}"
+
+  defp retry_fun(_reason, _attempt) do
+    :ok
+  end
+end

lib/actors/security/spiffe/logger_interceptor.ex

@@ -0,0 +1,66 @@
+defmodule Actors.Security.Spiffe.LoggerInterceptor do
+  @moduledoc """
+  Print log around client rpc calls, like
+
+      17:13:33.021 [info]  Call say_hello of helloworld.Greeter
+      17:13:33.079 [info]  Got :ok in 58ms
+
+  ## Options
+
+    * `:level` - the desired log level. Defaults to `:info`
+
+  ## Usage
+
+      {:ok, channel} = GRPC.Stub.connect("localhost:50051", interceptors: [GRPC.Client.Interceptors.Logger])
+
+  ## Usage with custom level
+
+      {:ok, channel} = GRPC.Stub.connect("localhost:50051", interceptors: [{GRPC.Client.Interceptors.Logger, level: :warning}])
+  """
+
+  require Logger
+
+  @behaviour GRPC.Client.Interceptor
+
+  @impl true
+  def init(opts) do
+    level = Keyword.get(opts, :level) || :info
+    [level: level]
+  end
+
+  @impl true
+  def call(%{grpc_type: grpc_type} = stream, req, next, opts) do
+    level = Keyword.fetch!(opts, :level)
+
+    if Logger.compare_levels(level, Logger.level()) != :lt do
+      Logger.log(level, fn ->
+        [
+          "Call ",
+          to_string(elem(stream.rpc, 0)),
+          " of ",
+          stream.service_name,
+          " with request: ",
+          inspect(req)
+        ]
+      end)
+
+      start = System.monotonic_time()
+      result = next.(stream, req)
+      stop = System.monotonic_time()
+
+      if grpc_type == :unary do
+        status = elem(result, 0)
+
+        Logger.log(level, fn ->
+          diff = System.convert_time_unit(stop - start, :native, :microsecond)
+
+          ["Got ", inspect(status), " in ", GRPC.Server.Interceptors.Logger.formatted_diff(diff)]
+        end)
+      end
+
+      result
+    else
+      next.(stream, req)
+    end
+  end
+end