initial work for the relay server and client (#1164)

* VSecM Relay Client and Server: WIP

* initial work for relay service and also change of links in assets

app/relay-client/cmd/main.go

@@ -0,0 +1,113 @@
+package main
+
+import (
+ "context"
+ "fmt"
+ "io/ioutil"
+ "net/http"
+ "time"
+
+ "github.com/spiffe/go-spiffe/v2/spiffeid"
+ "github.com/spiffe/go-spiffe/v2/spiffetls/tlsconfig"
+ "github.com/spiffe/go-spiffe/v2/workloadapi"
+ "github.com/vmware-tanzu/secrets-manager/core/crypto"
+ "github.com/vmware-tanzu/secrets-manager/core/env"
+ log "github.com/vmware-tanzu/secrets-manager/core/log/std"
+ "github.com/vmware-tanzu/secrets-manager/core/validation"
+)
+
+func main() {
+ ctx, cancel := context.WithCancel(context.Background())
+ defer cancel()
+
+ cid := crypto.Id()
+
+ source, err := workloadapi.NewX509Source(
+ ctx,
+ workloadapi.WithClientOptions(
+ workloadapi.WithAddr(env.SpiffeSocketUrl()),
+ ),
+ )
+
+ if err != nil {
+ log.FatalLn(&cid, "Unable to fetch X.509 Bundle", err.Error())
+ return
+ }
+
+ if source == nil {
+ log.FatalLn(&cid, "Could not find source")
+ return
+ }
+
+ svid, err := source.GetX509SVID()
+ if err != nil {
+ log.FatalLn(&cid, "Unable to get X.509 SVID from source bundle", err.Error())
+ return
+ }
+
+ if svid == nil {
+ log.FatalLn(&cid, "Could not find SVID in source bundle")
+ return
+ }
+
+ svidId := svid.ID
+ if !validation.IsRelayClient(svidId.String()) {
+ log.FatalLn(
+ &cid,
+ "SpiffeId check: RelayClient:bootstrap: I don't know you, and it's crazy:",
+ svidId.String(),
+ )
+ return
+ }
+
+ authorizer := tlsconfig.AdaptMatcher(func(id spiffeid.ID) error {
+ if validation.IsRelayServer(id.String()) {
+ return nil
+ }
+
+ return fmt.Errorf(
+ "TLS Config: I don't know you, and it's crazy '%s'", id.String(),
+ )
+ })
+
+ tlsConfig := tlsconfig.MTLSClientConfig(source, source, authorizer)
+ client := &http.Client{
+ Transport: &http.Transport{
+ TLSClientConfig: tlsConfig,
+ },
+ }
+
+ serverURL := env.RelayServerUrl()
+
+ for {
+ err := sendPostRequest(client, serverURL, cid)
+ if err != nil {
+ log.WarnLn(&cid, "Failed to send POST request:", err.Error())
+ }
+
+ time.Sleep(30 * time.Second) // Wait for 30 seconds before sending the next request
+ }
+}
+
+func sendPostRequest(client *http.Client, url string, cid string) error {
+ req, err := http.NewRequest("POST", url, nil)
+ if err != nil {
+ return fmt.Errorf("failed to create request: %v", err)
+ }
+
+ resp, err := client.Do(req)
+ if err != nil {
+ return fmt.Errorf("failed to send request: %v", err)
+ }
+ defer resp.Body.Close()
+
+ body, err := ioutil.ReadAll(resp.Body)
+ if err != nil {
+ return fmt.Errorf("failed to read response body: %v", err)
+ }
+
+ log.DebugLn(&cid, "Response status:", resp.Status)
+ log.DebugLn(&cid, "Response body:", string(body))
+
+ return nil
+}

app/relay-server/cmd/main.go

@@ -0,0 +1,130 @@
+package main
+
+import (
+ "context"
+ "fmt"
+ "github.com/spiffe/go-spiffe/v2/spiffeid"
+ "github.com/spiffe/go-spiffe/v2/spiffetls/tlsconfig"
+ "github.com/spiffe/go-spiffe/v2/workloadapi"
+ "github.com/vmware-tanzu/secrets-manager/core/env"
+ "github.com/vmware-tanzu/secrets-manager/core/validation"
+ s "github.com/vmware-tanzu/secrets-manager/lib/spiffe"
+ "io"
+ "net/http"
+
+ "github.com/vmware-tanzu/secrets-manager/core/crypto"
+ log "github.com/vmware-tanzu/secrets-manager/core/log/std"
+)
+
+func fallback(
+ cid string, r *http.Request, w http.ResponseWriter,
+) {
+ log.DebugLn(&cid, "Handler: route mismatch:", r.RequestURI)
+
+ w.WriteHeader(http.StatusBadRequest)
+ _, err := io.WriteString(w, "")
+ if err != nil {
+ log.WarnLn(&cid, "Problem writing response:", err.Error())
+ }
+}
+
+func success(
+ cid string, r *http.Request, w http.ResponseWriter,
+) {
+ w.WriteHeader(http.StatusOK)
+ _, err := io.WriteString(w, "OK "+r.URL.Path)
+ if err != nil {
+ log.WarnLn(&cid, "Problem writing response:", err.Error())
+ }
+}
+
+func main() {
+ ctx, cancel := context.WithCancel(context.Background())
+ defer cancel()
+
+ cid := crypto.Id()
+
+ source, err := workloadapi.NewX509Source(
+ ctx,
+ workloadapi.WithClientOptions(
+ workloadapi.WithAddr(env.SpiffeSocketUrl()),
+ ),
+ )
+
+ if err != nil {
+ log.FatalLn(&cid, "Unable to fetch X.509 Bundle", err.Error())
+ return
+ }
+
+ if source == nil {
+ log.FatalLn(&cid, "Could not find source")
+ return
+ }
+
+ svid, err := source.GetX509SVID()
+ if err != nil {
+ log.FatalLn(&cid, "Unable to get X.509 SVID from source bundle", err.Error())
+ return
+ }
+
+ if svid == nil {
+ log.FatalLn(&cid, "Could not find SVID in source bundle")
+ return
+ }
+
+ svidId := svid.ID
+ if !validation.IsRelayServer(svidId.String()) {
+ log.FatalLn(
+ &cid,
+ "SpiffeId check: RelayServer:bootstrap: I don't know you, and it's crazy:",
+ svidId.String(),
+ )
+ return
+ }
+
+ http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+ cid := crypto.Id()
+
+ validation.EnsureRelayServer(source)
+
+ id, err := s.IdFromRequest(r)
+
+ if err != nil {
+ log.WarnLn(&cid, "Handler: blocking insecure svid", id, err)
+
+ fallback(cid, r, w)
+
+ return
+ }
+
+ sid := s.IdAsString(r)
+
+ p := r.URL.Path
+ m := r.Method
+ log.DebugLn(
+ &cid,
+ "Handler: got svid:", sid, "path", p, "method", m)
+
+ success(cid, r, w)
+ })
+
+ authorizer := tlsconfig.AdaptMatcher(func(id spiffeid.ID) error {
+ if validation.IsRelayClient(id.String()) {
+ return nil
+ }
+
+ return fmt.Errorf(
+ "TLS Config: I don't know you, and it's crazy '%s'", id.String(),
+ )
+ })
+
+ tlsConfig := tlsconfig.MTLSServerConfig(source, source, authorizer)
+ server := &http.Server{
+ Addr: env.TlsPort(),
+ TLSConfig: tlsConfig,
+ }
+
+ if err := server.ListenAndServeTLS("", ""); err != nil {
+ log.FatalLn(&cid, "Failed to listen and serve", err.Error())
+ }
+}

community/README.md

@@ -7,5 +7,5 @@
 <>/ keep your secrets... secret
 ```
 
-See <https://vsecm.com/docs/community/> for information about the **VMware
+See <https://vsecm.com/community/hello//> for information about the **VMware
 Secrets Manager** community, public events, meetings, and more.

core/constants/env/env.go

@@ -59,6 +59,8 @@ const VSecMSentinelInitCommandPath VarName = "VSECM_SENTINEL_INIT_COMMAND_PATH"
 const VSecMSentinelInitCommandWaitAfterInitComplete VarName = "VSECM_SENTINEL_INIT_COMMAND_WAIT_AFTER_INIT_COMPLETE"
 const VSecMSentinelInitCommandWaitBeforeExec VarName = "VSECM_SENTINEL_INIT_COMMAND_WAIT_BEFORE_EXEC"
 
+const VSecMRelayServerUrl VarName = "VSECM_RELAY_SERVER_URL"
+
 // See ADR-0017 for a discussion about important security considerations when
 // using OIDC.
 
@@ -73,6 +75,8 @@ const VSecMSidecarMaxPollInterval VarName = "VSECM_SIDECAR_MAX_POLL_INTERVAL"
 const VSecMSidecarPollInterval VarName = "VSECM_SIDECAR_POLL_INTERVAL"
 const VSecMSidecarSecretsPath VarName = "VSECM_SIDECAR_SECRETS_PATH"
 const VSecMSidecarSuccessThreshold VarName = "VSECM_SIDECAR_SUCCESS_THRESHOLD"
+const VSecMSpiffeIdPrefixRelayClient VarName = "VSECM_SPIFFEID_PREFIX_RELAY_CLIENT"
+const VSecMSpiffeIdPrefixRelayServer VarName = "VSECM_SPIFFEID_PREFIX_RELAY_SERVER"
 const VSecMSpiffeIdPrefixSafe VarName = "VSECM_SPIFFEID_PREFIX_SAFE"
 const VSecMSpiffeIdPrefixSentinel VarName = "VSECM_SPIFFEID_PREFIX_SENTINEL"
 const VSecMSpiffeIdPrefixWorkload VarName = "VSECM_SPIFFEID_PREFIX_WORKLOAD"
@@ -115,11 +119,15 @@ const VSecMSidecarMaxPollIntervalDefault VarValue = "300000"
 const VSecMSidecarPollIntervalDefault VarValue = "20000"
 const VSecMSidecarSecretsPathDefault VarValue = "/opt/vsecm/secrets.json"
 const VSecMSidecarSuccessThresholdDefault VarValue = "3"
+const VSecMSpiffeIdPrefixRelayClientDefault VarValue = "^spiffe://[^/]/workload/vsecm-relay-client/ns/vsecm-system/sa/vsecm-relay-client/n/[^/]+$"
+const VSecMSpiffeIdPrefixRelayServerDefault VarValue = "^spiffe://[^/]/workload/vsecm-relay-server/ns/vsecm-system/sa/vsecm-relay-server/n/[^/]+$"
 const VSecMSpiffeIdPrefixSafeDefault VarValue = "^spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/[^/]+$"
 const VSecMSpiffeIdPrefixSentinelDefault VarValue = "^spiffe://vsecm.com/workload/vsecm-sentinel/ns/vsecm-system/sa/vsecm-sentinel/n/[^/]+$"
 const VSecMSpiffeIdPrefixWorkloadDefault VarValue = "^spiffe://vsecm.com/workload/[^/]+/ns/[^/]+/sa/[^/]+/n/[^/]+$"
 const VSecMNameRegExpForWorkloadDefault VarValue = "^spiffe://vsecm.com/workload/([^/]+)/ns/[^/]+/sa/[^/]+/n/[^/]+$"
 
+const VSecMRelayServerUrlDefault VarValue = "https://vsecm-relay.vsecm-system.svc.cluster.local:443/"
+
 type Namespace string
 
 const Default Namespace = "default"

core/env/spiffeid.go

@@ -38,6 +38,22 @@ func SpiffeIdPrefixForSafe() string {
  return p
 }
 
+func SpiffeIdPrefixForRelayServer() string {
+ p := env.Value(env.VSecMSpiffeIdPrefixRelayServer)
+ if p == "" {
+ p = string(env.VSecMSpiffeIdPrefixRelayServerDefault)
+ }
+ return p
+}
+
+func SpiffeIdPrefixForRelayClient() string {
+ p := env.Value(env.VSecMSpiffeIdPrefixRelayClient)
+ if p == "" {
+ p = string(env.VSecMSpiffeIdPrefixRelayClientDefault)
+ }
+ return p
+}
+
 // SpiffeIdPrefixForWorkload returns the prefix for the Workload's SPIFFE ID.
 // The prefix is obtained from the environment variable
 // VSECM_SPIFFEID_PREFIX_WORKLOAD.

core/env/tls.go

@@ -24,3 +24,11 @@ func TlsPort() string {
  }
  return p
 }
+
+func RelayServerUrl() string {
+ u := env.Value(env.VSecMRelayServerUrl)
+ if u == "" {
+ u = string(env.VSecMRelayServerUrlDefault)
+ }
+ return u
+}