scaffold some basic match -> broker comms with net/rpc

Author: brianm

README.md

@@ -43,6 +43,43 @@ Actually, interestingly, we might be able to use openssh's ssh-agent to do this,
 
 We should consider destination constraining the target host for these agents. Need to think about abuse vectors if we don't do that.
 
+## Notes
+```mermaid
+sequenceDiagram
+    box ssh invocation on a client
+        participant ssh
+        participant match
+        participant broker
+    end
+
+    box out on the internet
+        participant ca
+        participant policy
+    end
+
+    ssh ->> match: Match exec ...
+    match ->> broker: {matchdata}
+
+    create participant auth
+    broker ->> auth: {state}
+
+    destroy auth
+    auth ->> broker: {token, state, error}
+
+    broker ->> ca: {token, pubkey}
+    ca ->> policy: {token, pubkey}
+    policy ->> ca: {cert-params}
+    ca ->> broker: {cert}
+
+    create participant agent
+    broker ->> agent: create agent
+    broker ->> match: {true/false, error}
+    match ->> ssh: {true/false}
+    ssh ->> agent: list keys
+    agent ->> ssh: {cert, pubkey}
+    ssh ->> agent: sign-with-cert
+```
+
 ## TODO
 
 - **Implement a less strict netstring parser**: The current auth plugin protocol uses the `markdingo/netstring` library which strictly rejects whitespace between netstrings. This makes debugging auth plugins difficult since developers can't use `println()` for debugging output. We should implement a custom netstring parser that tolerates whitespace (spaces, tabs, `\n`, `\r`) between netstrings while still being strict about the netstring format itself. This would maintain protocol compatibility while significantly improving developer experience when writing auth plugins.

cmd/epithet/agent.go

@@ -5,12 +5,13 @@ import (
 )
 
 type AgentCLI struct {
-	Match []string `help:"Match patterns" short:"m" required:"true"`
-	CaURL string   `help:"CA URL" name:"ca-url" short:"c" required:"true"`
-	Auth  string   `help:"Authentication command" short:"a" required:"true"`
+	Match  []string `help:"Match patterns" short:"m" required:"true"`
+	CaURL  string   `help:"CA URL" name:"ca-url" short:"c" required:"true"`
+	Auth   string   `help:"Authentication command" short:"a" required:"true"`
+	Broker string   `help:"Broker socket path" short:"b" require:"true"`
 }
 
 func (a *AgentCLI) Run(logger *slog.Logger) error {
-	logger.Debug("agent command received", "match", a.Match, "ca-url", a.CaURL, "auth", a.Auth)
+	logger.Debug("agent command received", "agent", a)
 	return nil
 }

pkg/agent/agent.go

@@ -143,13 +143,13 @@ func (a *Agent) startAgentListener() error {
 		return fmt.Errorf("unable to set permissions on agent socket: %w", err)
 	}
 	a.agentListener = agentListener
-	go a.listenAndServeAgent(agentListener)
+	go a.listenAndServeAgent()
 	return nil
 }
 
-func (a *Agent) listenAndServeAgent(listener net.Listener) {
+func (a *Agent) listenAndServeAgent() {
 	for a.Running() {
-		conn, err := listener.Accept()
+		conn, err := a.agentListener.Accept()
 		if err != nil {
 			if conn != nil {
 				conn.Close()

pkg/broker/auth.go

@@ -33,8 +33,8 @@ type Auth struct {
 	state   []byte
 }
 
-// New creates a new Auth with an unparsed command line.
-func New(cmdLine string) *Auth {
+// NewAuth creates a new Auth with an unparsed command line.
+func NewAuth(cmdLine string) *Auth {
 	return &Auth{
 		cmdLine: cmdLine,
 		state:   []byte{},

pkg/broker/auth_test.go

@@ -176,7 +176,7 @@ func TestDecodeAuthOutput_NeitherTokenNorError(t *testing.T) {
 }
 
 func TestAuth_New(t *testing.T) {
-	auth := New("my-auth-command --flag")
+	auth := NewAuth("my-auth-command --flag")
 	require.NotNil(t, auth)
 	require.Equal(t, "my-auth-command --flag", auth.cmdLine)
 	require.Empty(t, auth.state)
@@ -192,7 +192,7 @@ cat > /dev/null
 printf '%s' "11:tmy-token-1,"
 `)
 
-	auth := New(script)
+	auth := NewAuth(script)
 	token, err := auth.Run(nil)
 	require.NoError(t, err)
 	require.Equal(t, "my-token-1", token)
@@ -209,7 +209,7 @@ printf '%s' "11:tmy-token-2,"
 printf '%s' "18:s{\"refresh\":\"xyz\"},"
 `)
 
-	auth := New(script)
+	auth := NewAuth(script)
 	token, err := auth.Run(nil)
 	require.NoError(t, err)
 	require.Equal(t, "my-token-2", token)
@@ -224,7 +224,7 @@ printf '%s' "6:ttoken,"
 printf '%s' "12:s{\"count\":1},"
 `)
 
-	auth := New(script1)
+	auth := NewAuth(script1)
 	token, err := auth.Run(nil)
 	require.NoError(t, err)
 	require.Equal(t, "token", token)
@@ -255,7 +255,7 @@ cat > /dev/null
 printf '%s' "22:eAuthentication failed,"
 `)
 
-	auth := New(script)
+	auth := NewAuth(script)
 	_, err := auth.Run(nil)
 	require.Error(t, err)
 	require.Equal(t, "Authentication failed", err.Error())
@@ -267,7 +267,7 @@ echo "Something went wrong" >&2
 exit 1
 `)
 
-	auth := New(script)
+	auth := NewAuth(script)
 	_, err := auth.Run(nil)
 	require.Error(t, err)
 	require.Contains(t, err.Error(), "auth command failed")
@@ -280,7 +280,7 @@ cat > /dev/null
 printf '%s' "not a valid netstring"
 `)
 
-	auth := New(script)
+	auth := NewAuth(script)
 	_, err := auth.Run(nil)
 	require.Error(t, err)
 	require.Contains(t, err.Error(), "failed to decode auth output")
@@ -289,14 +289,14 @@ printf '%s' "not a valid netstring"
 func TestAuth_Run_MustacheTemplateRendering(t *testing.T) {
 	// Test that mustache template is rendered in command line
 	// Template renders "ok" (2 chars) so "token-ok" is 8 chars, plus 't' key = 9 total
-	auth := New(`printf '%s' "9:ttoken-{{host}},"`)
+	auth := NewAuth(`printf '%s' "9:ttoken-{{host}},"`)
 	token, err := auth.Run(map[string]string{"host": "ok"})
 	require.NoError(t, err)
 	require.Equal(t, "token-ok", token)
 }
 
 func TestAuth_Run_MustacheTemplateError(t *testing.T) {
-	auth := New("echo {{unclosed}")
+	auth := NewAuth("echo {{unclosed}")
 	_, err := auth.Run(nil)
 	require.Error(t, err)
 	require.Contains(t, err.Error(), "failed to render command template")
@@ -311,7 +311,7 @@ printf '%s' "6:ttoken,"
 printf '%s' "12:s{\"count\":1},"
 `)
 
-	auth := New(script)
+	auth := NewAuth(script)
 
 	// Run two calls concurrently
 	done := make(chan bool, 2)
@@ -355,7 +355,7 @@ else
 fi
 `)
 
-	auth := New(script)
+	auth := NewAuth(script)
 	token, err := auth.Run(nil)
 	require.NoError(t, err)
 	require.Equal(t, "first-call-token", token)
@@ -369,7 +369,7 @@ printf '%s' "6:ttoken,"
 # No state field - should clear existing state
 `)
 
-	auth := New(script)
+	auth := NewAuth(script)
 	auth.state = []byte("old-state") // Set some initial state
 
 	token, err := auth.Run(nil)
@@ -418,7 +418,7 @@ else
 fi
 `)
 
-	auth := New(script1)
+	auth := NewAuth(script1)
 	token, err := auth.Run(map[string]string{"user": "alice"})
 	require.NoError(t, err)
 	require.Equal(t, "initial-auth-token", token)

pkg/broker/broker.go

@@ -1,11 +1,96 @@
 package broker
 
-import "sync"
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"net"
+	"net/rpc"
+	"os"
+	"sync"
+)
 
 type Broker struct {
 	lock      sync.Mutex
 	done      chan struct{}
 	closeOnce sync.Once
+	log       slog.Logger
+
+	brokerSocketPath string
+	brokerListener   net.Listener
+	auth             *Auth
+}
+
+type MatchRequest struct {
+	LocalHost      string
+	LocalUser      string
+	RemoteHost     string
+	RemoteUser     string
+	ConnectionHash string
+	// TODO fill in the rest of the %C fields
+}
+
+type MatchResponse struct {
+	// Should the `Match exec` actually match?
+	Allow bool
+
+	// Error contains any error which should be reported to the user on stderr
+	Error string
+}
+
+func New(ctx context.Context, log slog.Logger, socketPath string, authCommand string) (*Broker, error) {
+	b := Broker{
+		auth:             NewAuth(authCommand),
+		brokerSocketPath: socketPath,
+		done:             make(chan struct{}),
+	}
+
+	err := b.startBrokerListener()
+	if err != nil {
+		return nil, fmt.Errorf("Unable to start broker socket: %w", err)
+	}
+
+	context.AfterFunc(ctx, func() {
+		b.Close()
+	})
+	return &b, nil
+}
+
+func (b *Broker) startBrokerListener() error {
+	_ = os.Remove(b.brokerSocketPath) // Remove socket if it exists
+	brokerListener, err := net.Listen("unix", b.brokerSocketPath)
+	if err != nil {
+		return fmt.Errorf("unable to start broker listener: %w", err)
+	}
+
+	b.brokerListener = brokerListener
+	go b.listenAndServe()
+	return nil
+}
+
+// Match is invoked via rpc from `epithet match` invocations
+func (b *Broker) Match(input MatchRequest, output *MatchResponse) error {
+	output.Allow = true
+	return nil
+}
+
+func (b *Broker) listenAndServe() {
+	server := rpc.NewServer()
+	server.Register(b)
+	for {
+		conn, err := b.brokerListener.Accept()
+		if err != nil {
+			b.log.Warn("Unable to accept connection", "error", err)
+			if b.Running() {
+				continue
+			} else {
+				// shutting down, just exit
+				return
+			}
+		}
+		defer conn.Close()
+		go server.ServeConn(conn)
+	}
 }
 
 func (b *Broker) Done() <-chan struct{} {
@@ -14,6 +99,7 @@ func (b *Broker) Done() <-chan struct{} {
 
 func (b *Broker) Close() {
 	b.closeOnce.Do(func() {
+		_ = b.brokerListener.Close()
 		close(b.done)
 	})
 }

pkg/broker/broker_test.go

@@ -0,0 +1,39 @@
+package broker
+
+import (
+	"log/slog"
+	"net/rpc"
+	"testing"
+
+	"github.com/lmittmann/tint"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_RpcBasics(t *testing.T) {
+	ctx := t.Context()
+	authCommand := "echo '6:thello,'"
+	b, err := New(
+		ctx,
+		*testLogger(t),
+		"/tmp/foooo", // TODO replace with a tempfile location which we cleanup
+		authCommand)
+	require.NoError(t, err)
+	defer b.Close()
+
+	client, err := rpc.Dial("unix", "/tmp/foooo")
+	require.NoError(t, err)
+
+	resp := MatchResponse{}
+	err = client.Call("Broker.Match", MatchRequest{}, &resp)
+	require.NoError(t, err)
+
+	require.True(t, resp.Allow)
+}
+
+func testLogger(t *testing.T) *slog.Logger {
+	logger := slog.New(tint.NewHandler(t.Output(), &tint.Options{
+		Level:      slog.LevelDebug,
+		TimeFormat: "15:04:05",
+	}))
+	return logger
+}