Merge pull request #2 from jsiebens/id_token

feat: use wip tailscale id token

Author: jsiebens

cmd/agent/tailscale_attestor/main.go

@@ -1,35 +1,13 @@
 package main
 
 import (
+	"github.com/jsiebens/spire-tailscale-plugin/pkg/agent/plugin/nodeattestor/ts"
 	"github.com/spiffe/spire-plugin-sdk/pluginmain"
 	nodeattestorv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/agent/nodeattestor/v1"
-	"tailscale.com/client/tailscale"
 )
 
-type Plugin struct {
-	nodeattestorv1.UnimplementedNodeAttestorServer
-}
-
-func (p *Plugin) AidAttestation(stream nodeattestorv1.NodeAttestor_AidAttestationServer) error {
-	status, err := tailscale.Status(stream.Context())
-	if err != nil {
-		return err
-	}
-
-	payload, err := status.Self.PublicKey.MarshalText()
-	if err != nil {
-		return err
-	}
-
-	return stream.Send(&nodeattestorv1.PayloadOrChallengeResponse{
-		Data: &nodeattestorv1.PayloadOrChallengeResponse_Payload{
-			Payload: payload,
-		},
-	})
-}
-
 func main() {
-	plugin := new(Plugin)
+	plugin := ts.New()
 	pluginmain.Serve(
 		nodeattestorv1.NodeAttestorPluginServer(plugin),
 	)

cmd/server/tailscale_attestor/main.go

@@ -1,141 +1,14 @@
 package main
 
 import (
-	"context"
-	"fmt"
-	"github.com/hashicorp/hcl"
-	"github.com/spiffe/go-spiffe/v2/spiffeid"
+	"github.com/jsiebens/spire-tailscale-plugin/pkg/server/plugin/nodeattestor/ts"
 	"github.com/spiffe/spire-plugin-sdk/pluginmain"
 	nodeattestorv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/server/nodeattestor/v1"
 	configv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/service/common/config/v1"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
-	"sync"
-	"tailscale.com/client/tailscale"
-	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/types/key"
 )
 
-const (
-	PluginName = "ts"
-)
-
-type Config struct {
-	trustDomain spiffeid.TrustDomain
-}
-
-// Plugin implements the NodeAttestor plugin
-type Plugin struct {
-	nodeattestorv1.UnimplementedNodeAttestorServer
-	configv1.UnimplementedConfigServer
-
-	configMtx sync.RWMutex
-	config    *Config
-}
-
-func (p *Plugin) Attest(stream nodeattestorv1.NodeAttestor_AttestServer) error {
-	req, err := stream.Recv()
-	if err != nil {
-		return err
-	}
-
-	c, err := p.getConfig()
-	if err != nil {
-		return err
-	}
-
-	payload := req.GetPayload()
-
-	clientKey := key.NodePublic{}
-	if err := clientKey.UnmarshalText(payload); err != nil {
-		return err
-	}
-
-	tsStatus, err := tailscale.Status(stream.Context())
-	if err != nil {
-		return fmt.Errorf("failed to query local tailscaled status: %w", err)
-	}
-
-	var node *ipnstate.PeerStatus
-
-	if clientKey == tsStatus.Self.PublicKey {
-		node = tsStatus.Self
-	}
-
-	if p, exists := tsStatus.Peer[clientKey]; exists {
-		node = p
-	}
-
-	if node == nil {
-		return fmt.Errorf("unable to find provided client key")
-	}
-
-	id, err := agentID(c.trustDomain, fmt.Sprintf("/%s/%s", PluginName, node.DNSName))
-	if err != nil {
-		return err
-	}
-
-	return stream.Send(&nodeattestorv1.AttestResponse{
-		Response: &nodeattestorv1.AttestResponse_AgentAttributes{
-			AgentAttributes: &nodeattestorv1.AgentAttributes{
-				SpiffeId: id.String(),
-			},
-		},
-	})
-}
-
-func (p *Plugin) Configure(ctx context.Context, req *configv1.ConfigureRequest) (*configv1.ConfigureResponse, error) {
-	hclConfig := new(Config)
-	if err := hcl.Decode(hclConfig, req.HclConfiguration); err != nil {
-		return nil, status.Errorf(codes.InvalidArgument, "unable to decode configuration: %v", err)
-	}
-
-	if req.CoreConfiguration == nil {
-		return nil, status.Error(codes.InvalidArgument, "global configuration is required")
-	}
-
-	if req.CoreConfiguration.TrustDomain == "" {
-		return nil, status.Error(codes.InvalidArgument, "trust_domain is required")
-	}
-
-	trustDomain, err := spiffeid.TrustDomainFromString(req.CoreConfiguration.TrustDomain)
-	if err != nil {
-		return nil, status.Errorf(codes.InvalidArgument, "trust_domain is invalid: %v", err)
-	}
-
-	hclConfig.trustDomain = trustDomain
-
-	p.setConfig(hclConfig)
-	return &configv1.ConfigureResponse{}, nil
-}
-
-func (p *Plugin) setConfig(config *Config) {
-	p.configMtx.Lock()
-	p.config = config
-	p.configMtx.Unlock()
-}
-
-func (p *Plugin) getConfig() (*Config, error) {
-	p.configMtx.RLock()
-	defer p.configMtx.RUnlock()
-	if p.config == nil {
-		return nil, status.Error(codes.FailedPrecondition, "not configured")
-	}
-	return p.config, nil
-}
-
-func agentID(td spiffeid.TrustDomain, suffix string) (spiffeid.ID, error) {
-	if td.IsZero() {
-		return spiffeid.ID{}, fmt.Errorf("cannot create agent ID with suffix %q for empty trust domain", suffix)
-	}
-	if err := spiffeid.ValidatePath(suffix); err != nil {
-		return spiffeid.ID{}, fmt.Errorf("invalid agent path suffix %q: %w", suffix, err)
-	}
-	return spiffeid.FromPath(td, "/spire/agent"+suffix)
-}
-
 func main() {
-	plugin := new(Plugin)
+	plugin := ts.New()
 	pluginmain.Serve(
 		nodeattestorv1.NodeAttestorPluginServer(plugin),
 		configv1.ConfigServiceServer(plugin),

go.mod

@@ -3,6 +3,7 @@ module github.com/jsiebens/spire-tailscale-plugin
 go 1.18
 
 require (
+	github.com/coreos/go-oidc/v3 v3.1.0
 	github.com/hashicorp/hcl v1.0.0
 	github.com/spiffe/go-spiffe/v2 v2.0.0
 	github.com/spiffe/spire-plugin-sdk v1.2.2
@@ -33,11 +34,14 @@ require (
 	go4.org/unsafe/assume-no-moving-gc v0.0.0-20211027215541-db492cf91b37 // indirect
 	golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4 // indirect
 	golang.org/x/net v0.0.0-20220407224826-aac1ed45d8e3 // indirect
+	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d // indirect
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
 	golang.org/x/sys v0.0.0-20220412211240-33da011f77ad // indirect
 	golang.org/x/text v0.3.7 // indirect
 	golang.zx2c4.com/wireguard/windows v0.4.10 // indirect
+	google.golang.org/appengine v1.4.0 // indirect
 	google.golang.org/genproto v0.0.0-20200806141610-86f49bd18e98 // indirect
 	google.golang.org/protobuf v1.27.1 // indirect
+	gopkg.in/square/go-jose.v2 v2.5.1 // indirect
 	inet.af/netaddr v0.0.0-20211027220019-c74959edd3b6 // indirect
 )

go.sum

@@ -18,6 +18,8 @@ github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWH
 github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/coreos/go-oidc/v3 v3.1.0 h1:6avEvcdvTa1qYsOZ6I5PRkSYHzpTNWgKYmaJfaYbrRw=
+github.com/coreos/go-oidc/v3 v3.1.0/go.mod h1:rEJ/idjfUyfkBit1eI1fvyr+64/g9dcKpAm8MJMesvo=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -154,6 +156,7 @@ golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200505041828-1ed23360d12c/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
@@ -163,6 +166,7 @@ golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su
 golang.org/x/net v0.0.0-20220407224826-aac1ed45d8e3 h1:EN5+DfgmRMvRUrMGERW2gQl3Vc+Z7ZMnI/xdEpPSf0c=
 golang.org/x/net v0.0.0-20220407224826-aac1ed45d8e3/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -218,6 +222,7 @@ golang.zx2c4.com/wireguard v0.0.0-20210905140043-2ef39d47540c/go.mod h1:laHzsbfM
 golang.zx2c4.com/wireguard/windows v0.4.10 h1:HmjzJnb+G4NCdX+sfjsQlsxGPuYaThxRbZUZFLyR0/s=
 golang.zx2c4.com/wireguard/windows v0.4.10/go.mod h1:v7w/8FC48tTBm1IzScDVPEEb0/GjLta+T0ybpP9UWRg=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
+google.golang.org/appengine v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/genproto v0.0.0-20170818010345-ee236bd376b0/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
@@ -258,6 +263,8 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/square/go-jose.v2 v2.4.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
+gopkg.in/square/go-jose.v2 v2.5.1 h1:7odma5RETjNHWJnR32wx8t+Io4djHE1PqxCFx3iiZ2w=
+gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

pkg/agent/plugin/nodeattestor/ts/nodeattestor.go

@@ -0,0 +1,34 @@
+package ts
+
+import (
+	"github.com/jsiebens/spire-tailscale-plugin/pkg/common/plugin/ts"
+	nodeattestorv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/agent/nodeattestor/v1"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"tailscale.com/client/tailscale"
+)
+
+const (
+	tokenAudience = ts.TokenAudience
+)
+
+type TSAttestorPlugin struct {
+	nodeattestorv1.UnimplementedNodeAttestorServer
+}
+
+func New() *TSAttestorPlugin {
+	return &TSAttestorPlugin{}
+}
+
+func (p *TSAttestorPlugin) AidAttestation(stream nodeattestorv1.NodeAttestor_AidAttestationServer) error {
+	token, err := tailscale.IDToken(stream.Context(), tokenAudience)
+	if err != nil {
+		return status.Errorf(codes.Internal, "unable to retrieve valid identity token: %v", err)
+	}
+
+	return stream.Send(&nodeattestorv1.PayloadOrChallengeResponse{
+		Data: &nodeattestorv1.PayloadOrChallengeResponse_Payload{
+			Payload: []byte(token.IDToken),
+		},
+	})
+}

pkg/common/plugin/ts/common.go

@@ -0,0 +1,11 @@
+package ts
+
+const (
+	PluginName    = "tailscale"
+	TokenAudience = "spire-tailscale-node-attestor"
+)
+
+type TailscaleClaims struct {
+	Node   string `json:"node"`
+	Domain string `json:"domain"`
+}