[aux] Add CAs endpoint (#1194)

Author: the-glu

deploy/operations/certificates-management/ca_pool.py

@@ -74,6 +74,7 @@ def regenerate_ca_files(cluster):
         f.write("\n\n".join(CAs))
 
     shutil.copy(cluster.ca_pool_ca, cluster.client_ca)
+    shutil.copy(cluster.ca_cert_file, cluster.client_instance_ca)
 
     for node_type in ["master", "tserver"]:
         shutil.copy(cluster.ca_pool_ca, getattr(cluster, f"{node_type}_ca"))

deploy/operations/certificates-management/cluster.py

@@ -51,6 +51,10 @@ def client_certs_dir(self):
     def client_ca(self):
         return os.path.join(self.client_certs_dir, "root.crt")
 
+    @property
+    def client_instance_ca(self):
+        return os.path.join(self.client_certs_dir, "ca-instance.crt")
+
     @property
     def master_certs_dir(self):
         return os.path.join(self.directory, "masters")

deploy/services/helm-charts/dss/templates/_volumes.tpl

@@ -13,6 +13,9 @@
 - mountPath: /opt/yugabyte-certs/ca.crt
   name: ca-certs
   subPath: root.crt
+- mountPath: /opt/yugabyte-certs/ca-instance.crt
+  name: ca-certs
+  subPath: ca-instance.crt
 {{- end -}}
 {{- end -}}
 {{- define "client-certs:volume" -}}

interfaces/aux_/aux_.yaml

@@ -84,6 +84,15 @@ components:
       - timestamp
       - source
 
+    CAsResponse:
+      type: object
+      properties:
+        CAs:
+          description: A list of certificates, each in PEM format.
+          type: array
+          items:
+            type: string
+
 paths:
   /aux/v1/version:
     get:
@@ -208,6 +217,44 @@ paths:
             application/json:
               schema:
                 $ref: '#/components/schemas/ErrorResponse'
+  /aux/v1/configuration/accepted_ca_certs:
+    get:
+      summary: Current certificates of certificate authorities (CAs) that this DSS instance accepts as legitimate signers of node certificates for the pool of DSS instances constituting the DSS Airspace Representation.
+      operationId: getAcceptedCAs
+      tags: [ dss ]
+      responses:
+        '200':
+          description: The information is successfully returned.
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/CAsResponse'
+        '501':
+          description: >-
+            The server has not implemented this operation.
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ErrorResponse'
+  /aux/v1/configuration/ca_certs:
+    get:
+      summary: Current certificates of certificate authorities (CAs) that signed the node certificates for this DSS instance. May return more that one certificate (e.g. for rotations).  Other DSS instances in the pool should accept node certificates signed by these CAs.
+      operationId: getInstanceCAs
+      tags: [ dss ]
+      responses:
+        '200':
+          description: The information is successfully returned.
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/CAsResponse'
+        '501':
+          description: >-
+            The server has not implemented this operation.
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ErrorResponse'
 security:
   - Auth:
       - dss.read.identification_service_areas

pkg/api/auxv1/interface.gen.go

@@ -7,9 +7,9 @@ import (
 )
 
 var (
+	InterussPoolStatusReadScope             = api.RequiredScope("interuss.pool_status.read")
 	DssWriteIdentificationServiceAreasScope = api.RequiredScope("dss.write.identification_service_areas")
 	DssReadIdentificationServiceAreasScope  = api.RequiredScope("dss.read.identification_service_areas")
-	InterussPoolStatusReadScope             = api.RequiredScope("interuss.pool_status.read")
 	GetVersionSecurity                      = []api.AuthorizationOption{}
 	ValidateOauthSecurity                   = []api.AuthorizationOption{
 		{
@@ -29,6 +29,8 @@ var (
 			"Auth": {InterussPoolStatusReadScope},
 		},
 	}
+	GetAcceptedCAsSecurity = []api.AuthorizationOption{}
+	GetInstanceCAsSecurity = []api.AuthorizationOption{}
 )
 
 type GetVersionRequest struct {
@@ -106,6 +108,36 @@ type GetDSSInstancesResponseSet struct {
 	Response500 *api.InternalServerErrorBody
 }
 
+type GetAcceptedCAsRequest struct {
+	// The result of attempting to authorize this request
+	Auth api.AuthorizationResult
+}
+type GetAcceptedCAsResponseSet struct {
+	// The information is successfully returned.
+	Response200 *CAsResponse
+
+	// The server has not implemented this operation.
+	Response501 *ErrorResponse
+
+	// Auto-generated internal server error response
+	Response500 *api.InternalServerErrorBody
+}
+
+type GetInstanceCAsRequest struct {
+	// The result of attempting to authorize this request
+	Auth api.AuthorizationResult
+}
+type GetInstanceCAsResponseSet struct {
+	// The information is successfully returned.
+	Response200 *CAsResponse
+
+	// The server has not implemented this operation.
+	Response501 *ErrorResponse
+
+	// Auto-generated internal server error response
+	Response500 *api.InternalServerErrorBody
+}
+
 type Implementation interface {
 	// Queries the version of the DSS.
 	GetVersion(ctx context.Context, req *GetVersionRequest) GetVersionResponseSet
@@ -118,4 +150,10 @@ type Implementation interface {
 
 	// Queries the current information for DSS instances participating in the pool.
 	GetDSSInstances(ctx context.Context, req *GetDSSInstancesRequest) GetDSSInstancesResponseSet
+
+	// Current certificates of certificate authorities (CAs) that this DSS instance accepts as legitimate signers of node certificates for the pool of DSS instances constituting the DSS Airspace Representation.
+	GetAcceptedCAs(ctx context.Context, req *GetAcceptedCAsRequest) GetAcceptedCAsResponseSet
+
+	// Current certificates of certificate authorities (CAs) that signed the node certificates for this DSS instance. May return more that one certificate (e.g. for rotations).  Other DSS instances in the pool should accept node certificates signed by these CAs.
+	GetInstanceCAs(ctx context.Context, req *GetInstanceCAsRequest) GetInstanceCAsResponseSet
 }

pkg/api/auxv1/server.gen.go

@@ -157,8 +157,62 @@ func (s *APIRouter) GetDSSInstances(exp *regexp.Regexp, w http.ResponseWriter, r
 	api.WriteJSON(w, 500, api.InternalServerErrorBody{ErrorMessage: "Handler implementation did not set a response"})
 }
 
+func (s *APIRouter) GetAcceptedCAs(exp *regexp.Regexp, w http.ResponseWriter, r *http.Request) {
+	var req GetAcceptedCAsRequest
+
+	// Authorize request
+	req.Auth = s.Authorizer.Authorize(w, r, GetAcceptedCAsSecurity)
+
+	// Call implementation
+	ctx, cancel := context.WithCancel(r.Context())
+	defer cancel()
+	response := s.Implementation.GetAcceptedCAs(ctx, &req)
+
+	// Write response to client
+	if response.Response200 != nil {
+		api.WriteJSON(w, 200, response.Response200)
+		return
+	}
+	if response.Response501 != nil {
+		api.WriteJSON(w, 501, response.Response501)
+		return
+	}
+	if response.Response500 != nil {
+		api.WriteJSON(w, 500, response.Response500)
+		return
+	}
+	api.WriteJSON(w, 500, api.InternalServerErrorBody{ErrorMessage: "Handler implementation did not set a response"})
+}
+
+func (s *APIRouter) GetInstanceCAs(exp *regexp.Regexp, w http.ResponseWriter, r *http.Request) {
+	var req GetInstanceCAsRequest
+
+	// Authorize request
+	req.Auth = s.Authorizer.Authorize(w, r, GetInstanceCAsSecurity)
+
+	// Call implementation
+	ctx, cancel := context.WithCancel(r.Context())
+	defer cancel()
+	response := s.Implementation.GetInstanceCAs(ctx, &req)
+
+	// Write response to client
+	if response.Response200 != nil {
+		api.WriteJSON(w, 200, response.Response200)
+		return
+	}
+	if response.Response501 != nil {
+		api.WriteJSON(w, 501, response.Response501)
+		return
+	}
+	if response.Response500 != nil {
+		api.WriteJSON(w, 500, response.Response500)
+		return
+	}
+	api.WriteJSON(w, 500, api.InternalServerErrorBody{ErrorMessage: "Handler implementation did not set a response"})
+}
+
 func MakeAPIRouter(impl Implementation, auth api.Authorizer) APIRouter {
-	router := APIRouter{Implementation: impl, Authorizer: auth, Routes: make([]*api.Route, 4)}
+	router := APIRouter{Implementation: impl, Authorizer: auth, Routes: make([]*api.Route, 6)}
 
 	pattern := regexp.MustCompile("^/aux/v1/version$")
 	router.Routes[0] = &api.Route{Method: http.MethodGet, Pattern: pattern, Handler: router.GetVersion}
@@ -172,5 +226,11 @@ func MakeAPIRouter(impl Implementation, auth api.Authorizer) APIRouter {
 	pattern = regexp.MustCompile("^/aux/v1/pool/dss_instances$")
 	router.Routes[3] = &api.Route{Method: http.MethodGet, Pattern: pattern, Handler: router.GetDSSInstances}
 
+	pattern = regexp.MustCompile("^/aux/v1/configuration/accepted_ca_certs$")
+	router.Routes[4] = &api.Route{Method: http.MethodGet, Pattern: pattern, Handler: router.GetAcceptedCAs}
+
+	pattern = regexp.MustCompile("^/aux/v1/configuration/ca_certs$")
+	router.Routes[5] = &api.Route{Method: http.MethodGet, Pattern: pattern, Handler: router.GetInstanceCAs}
+
 	return router
 }

pkg/api/auxv1/types.gen.go

@@ -44,3 +44,8 @@ type Heartbeat struct {
 	// The time by which a new heartbeat should be registered for this DSS instance if the DSS instance operator's system is behaving correctly.
 	NextHeartbeatExpectedBefore *string `json:"next_heartbeat_expected_before,omitempty"`
 }
+
+type CAsResponse struct {
+	// A list of certificates, each in PEM format.
+	Cas *[]string `json:"CAs,omitempty"`
+}

pkg/api/ridv1/interface.gen.go

@@ -7,8 +7,8 @@ import (
 )
 
 var (
-	DssWriteIdentificationServiceAreasScope  = api.RequiredScope("dss.write.identification_service_areas")
 	DssReadIdentificationServiceAreasScope   = api.RequiredScope("dss.read.identification_service_areas")
+	DssWriteIdentificationServiceAreasScope  = api.RequiredScope("dss.write.identification_service_areas")
 	SearchIdentificationServiceAreasSecurity = []api.AuthorizationOption{
 		{
 			"AuthFromAuthorizationAuthority": {DssReadIdentificationServiceAreasScope},

pkg/api/scdv1/interface.gen.go

@@ -8,10 +8,10 @@ import (
 
 var (
 	UtmAvailabilityArbitrationScope          = api.RequiredScope("utm.availability_arbitration")
-	UtmStrategicCoordinationScope            = api.RequiredScope("utm.strategic_coordination")
+	UtmConstraintProcessingScope             = api.RequiredScope("utm.constraint_processing")
 	UtmConstraintManagementScope             = api.RequiredScope("utm.constraint_management")
+	UtmStrategicCoordinationScope            = api.RequiredScope("utm.strategic_coordination")
 	UtmConformanceMonitoringSaScope          = api.RequiredScope("utm.conformance_monitoring_sa")
-	UtmConstraintProcessingScope             = api.RequiredScope("utm.constraint_processing")
 	QueryOperationalIntentReferencesSecurity = []api.AuthorizationOption{
 		{
 			"Authority": {UtmStrategicCoordinationScope},

pkg/aux_/accepted_ca_certs.go

@@ -0,0 +1,43 @@
+package aux
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"strings"
+
+	restapi "github.com/interuss/dss/pkg/api/auxv1"
+	"github.com/interuss/dss/pkg/datastore/flags"
+)
+
+func (a *Server) GetAcceptedCAs(ctx context.Context, req *restapi.GetAcceptedCAsRequest) restapi.GetAcceptedCAsResponseSet {
+
+	connectParameters := flags.ConnectParameters()
+
+	CAFile := connectParameters.GetCAFile()
+
+	if CAFile == "" {
+		return restapi.GetAcceptedCAsResponseSet{Response200: &restapi.CAsResponse{}}
+	}
+
+	data, err := os.ReadFile(CAFile)
+
+	if err != nil {
+		msg := fmt.Sprintf("Unable to read CA certificate file for accepted CAs, did try to read '%s', got: %s", CAFile, err)
+		return restapi.GetAcceptedCAsResponseSet{Response501: &restapi.ErrorResponse{Message: &msg}}
+	}
+
+	var CAs []string
+
+	for _, CA := range strings.Split(string(data), START_OF_CERTIFICATE) {
+		CA = strings.Trim(CA, "\r\n")
+
+		if CA != "" {
+			// Re-add the start mark that was removed by Split()
+			CA = START_OF_CERTIFICATE + "\n" + CA
+			CAs = append(CAs, CA)
+		}
+	}
+
+	return restapi.GetAcceptedCAsResponseSet{Response200: &restapi.CAsResponse{Cas: &CAs}}
+}