feat(tls): Secure master-admin with TLS layer (#748)

This change introduces a TLS layer to encrypt traffic between the master
and the saunafs-admin binary, protecting data in transit and mitigating
on-path attacks. For that goal, an optional TLS configuration file path
option has been added on all commands for saunafs-admin.

Also, this change allows the shadow metadata servers to start a TLS
connection request, which is needed for some saunafs-admin binary
to securely communicate to it.

Signed-off-by: Rolando Sánchez Ramos <rolysr@leil.io>

Author: rolysr

src/admin/chunk_health_command.cc

@@ -44,6 +44,7 @@ SaunaFsAdminCommand::SupportedOptions ChunksHealthCommand::supportedOptions() co
 		{kOptionAvailability, "Print report about availability of chunks."},
 		{kOptionReplication,  "Print report about about number of chunks that need replication."},
 		{kOptionDeletion,     "Print report about about number of chunks that need deletion."},
+		{kTlsMode,            kTlsModeDescription},
 	};
 }
 
@@ -76,7 +77,10 @@ void ChunksHealthCommand::run(const Options& options) const {
 		throw WrongUsageException("Expected <master ip> and <master port> for " + name() + '\n');
 	}
 
-	ServerConnection connection(options.argument(0), options.argument(1));
+	auto tlsCfg =
+	    options.getValue<std::string>("--tlsconfigfile", std::string(TlsSession::kNoFile));
+
+	ServerConnection connection(options.argument(0), options.argument(1), tlsCfg);
 	bool regularOnly = false;
 	auto request = cltoma::chunksHealth::build(regularOnly);
 	auto response = connection.sendAndReceive(request, SAU_MATOCL_CHUNKS_HEALTH);

src/admin/delete_sessions_command.cc

@@ -31,12 +31,21 @@ void DeleteSessionsCommand::usage() const {
 	std::cerr << "    Deletes the specified session." << std::endl;
 }
 
+SaunaFsAdminCommand::SupportedOptions DeleteSessionsCommand::supportedOptions() const {
+	return {
+	    {kTlsMode, kTlsModeDescription},
+	};
+}
+
 void DeleteSessionsCommand::run(const Options& options) const {
 	if (options.arguments().size() != 3) {
 		throw WrongUsageException("Expected <master ip>, <master port>, and <session_id> for " + name());
 	}
 
-	ServerConnection connection(options.argument(0), options.argument(1));
+	auto tlsCfg =
+	    options.getValue<std::string>("--tlsconfigfile", std::string(TlsSession::kNoFile));
+
+	ServerConnection connection(options.argument(0), options.argument(1), tlsCfg);
 	uint64_t sessionId = std::stoull(options.argument(2));
 
 	auto request = cltoma::deleteSession::build(sessionId);

src/admin/delete_sessions_command.h

@@ -24,4 +24,5 @@ class DeleteSessionsCommand : public SaunaFsAdminCommand {
 	std::string name() const final;
 	void usage() const final;
 	void run(const Options& options) const final;
+	virtual SupportedOptions supportedOptions() const;
 };

src/admin/dump_config_command.cc

@@ -44,6 +44,9 @@ SaunaFsAdminCommand::SupportedOptions DumpConfigurationCommand::supportedOptions
 			defaultsMode,
 			    "Return default values as well. This is informational and may "
 			    "not be correct in all cases."
+		},
+		{
+			kTlsMode, kTlsModeDescription
 		}
 	};
 }
@@ -54,8 +57,10 @@ void DumpConfigurationCommand::run(const Options &options) const {
 		    "Expected <master ip> and <master port> for " + name());
 	}
 
-	auto connection = RegisteredAdminConnection::create(options.argument(0),
-	                                                    options.argument(1));
+	auto tlsCfg =
+	    options.getValue<std::string>("--tlsconfigfile", std::string(TlsSession::kNoFile));
+
+	auto connection = RegisteredAdminConnection::create(options.argument(0), options.argument(1), tlsCfg);
 	auto adminResponse = connection->sendAndReceive(
 	    cltoma::adminDumpConfiguration::build(), SAU_MATOCL_ADMIN_DUMP_CONFIG);
 

src/admin/info_command.cc

@@ -35,6 +35,7 @@ std::string InfoCommand::name() const {
 SaunaFsAdminCommand::SupportedOptions InfoCommand::supportedOptions() const {
 	return {
 		{kPorcelainMode, kPorcelainModeDescription},
+		{kTlsMode, kTlsModeDescription},
 	};
 }
 
@@ -48,7 +49,11 @@ void InfoCommand::run(const Options& options) const {
 		throw WrongUsageException("Expected <master ip> and <master port> for " + name());
 	}
 
-	ServerConnection connection(options.argument(0), options.argument(1));
+	const std::string host = options.argument(0);
+	const std::string port = options.argument(1);
+	auto tlsCfg =
+	    options.getValue<std::string>("--tlsconfigfile", std::string(TlsSession::kNoFile));
+	ServerConnection connection(host, port, tlsCfg);
 	std::vector<uint8_t> request, response;
 	serializeLegacyPacket(request, CLTOMA_INFO);
 	response = connection.sendAndReceive(request, MATOCL_INFO);

src/admin/io_limits_status_command.cc

@@ -37,15 +37,18 @@ void IoLimitsStatusCommand::usage() const {
 }
 
 SaunaFsAdminCommand::SupportedOptions IoLimitsStatusCommand::supportedOptions() const {
-	return { {kPorcelainMode, kPorcelainModeDescription} };
+	return {{kPorcelainMode, kPorcelainModeDescription}, {kTlsMode, kTlsModeDescription}};
 }
 
 void IoLimitsStatusCommand::run(const Options& options) const {
 	if (options.arguments().size() != 2) {
 		throw WrongUsageException("Expected <master ip> and <master port> for " + name());
 	}
 
-	ServerConnection connection(options.argument(0), options.argument(1));
+	auto tlsCfg =
+	    options.getValue<std::string>("--tlsconfigfile", std::string(TlsSession::kNoFile));
+
+	ServerConnection connection(options.argument(0), options.argument(1), tlsCfg);
 	auto request = cltoma::iolimitsStatus::build(1);
 	auto response = connection.sendAndReceive(request, SAU_MATOCL_IOLIMITS_STATUS);
 

src/admin/list_chunkservers_command.cc

@@ -37,6 +37,7 @@ std::string ListChunkserversCommand::name() const {
 SaunaFsAdminCommand::SupportedOptions ListChunkserversCommand::supportedOptions() const {
 	return {
 		{kPorcelainMode, kPorcelainModeDescription},
+		{kTlsMode, kTlsModeDescription},
 	};
 }
 
@@ -49,7 +50,11 @@ void ListChunkserversCommand::run(const Options& options) const {
 	if (options.arguments().size() != 2) {
 		throw WrongUsageException("Expected <master ip> and <master port> for " + name());
 	}
-	for (const auto& cs : getChunkserversList(options.argument(0), options.argument(1))) {
+
+	auto tlsCfg =
+	    options.getValue<std::string>("--tlsconfigfile", std::string(TlsSession::kNoFile));
+
+	for (const auto& cs : getChunkserversList(options.argument(0), options.argument(1), tlsCfg)) {
 		auto address = NetworkAddress(cs.servip, cs.servport);
 		if (cs.version == kDisconnectedChunkserverVersion) {
 			if (options.isSet(kPorcelainMode)) {
@@ -89,8 +94,8 @@ void ListChunkserversCommand::run(const Options& options) const {
 }
 
 std::vector<ChunkserverListEntry> ListChunkserversCommand::getChunkserversList (
-		const std::string& masterHost, const std::string& masterPort) {
-	ServerConnection connection(masterHost, masterPort);
+		const std::string& masterHost, const std::string& masterPort, const std::string& tlsCfg) {
+	ServerConnection connection(masterHost, masterPort, tlsCfg);
 	auto request = cltoma::cservList::build(true);
 	auto response = connection.sendAndReceive(request, SAU_MATOCL_CSERV_LIST);
 	std::vector<ChunkserverListEntry> result;

src/admin/list_chunkservers_command.h

@@ -35,6 +35,7 @@ class ListChunkserversCommand : public SaunaFsAdminCommand {
 	virtual void usage() const;
 	virtual void run(const Options& options) const;
 
-	static std::vector<ChunkserverListEntry> getChunkserversList (
-			const std::string& masterHost, const std::string& masterPort);
+	static std::vector<ChunkserverListEntry> getChunkserversList(const std::string &masterHost,
+	                                                             const std::string &masterPort,
+	                                                             const std::string &tlsCfg);
 };

src/admin/list_defective_files_command.cc

@@ -48,6 +48,7 @@ void ListDefectiveFilesCommand::usage() const {
 SaunaFsAdminCommand::SupportedOptions ListDefectiveFilesCommand::supportedOptions() const {
 	return {
 		{kPorcelainMode, kPorcelainModeDescription},
+		{kTlsMode, kTlsModeDescription},
 		{"--unavailable", "Print unavailable files"},
 		{"--undergoal", "Print files with undergoal chunks"},
 		{"--structure-error", "Print files/directories with structure error"},
@@ -80,7 +81,10 @@ void ListDefectiveFilesCommand::run(const Options &options) const {
 		throw WrongUsageException("Expected <master ip> and <master port> for " + name());
 	}
 
-	ServerConnection connection(options.argument(0), options.argument(1));
+	auto tlsCfg =
+	    options.getValue<std::string>("--tlsconfigfile", std::string(TlsSession::kNoFile));
+
+	ServerConnection connection(options.argument(0), options.argument(1), tlsCfg);
 	uint8_t flags_set = 0;
 	if (options.isSet("--unavailable")) {
 		flags_set |= kChunkUnavailable;

src/admin/list_disk_groups_command.cc

@@ -29,6 +29,12 @@
 
 std::string ListDiskGroupsCommand::name() const { return "list-disk-groups"; }
 
+SaunaFsAdminCommand::SupportedOptions ListDiskGroupsCommand::supportedOptions() const {
+	return {
+	    {kTlsMode, kTlsModeDescription},
+	};
+}
+
 void ListDiskGroupsCommand::usage() const {
 	std::cerr << name() << " <master ip> <master port>\n";
 	std::cerr << "    Prints disk groups configuration in chunkservers.\n";
@@ -40,8 +46,11 @@ void ListDiskGroupsCommand::run(const Options &options) const {
 		    "Expected <master ip> and <master port> for " + name());
 	}
 
+	auto tlsCfg =
+	    options.getValue<std::string>("--tlsconfigfile", std::string(TlsSession::kNoFile));
+
 	auto chunkservers = ListChunkserversCommand::getChunkserversList(
-	    options.argument(0), options.argument(1));
+	    options.argument(0), options.argument(1), tlsCfg);
 
 	YAML::Emitter yaml;
 	yaml << YAML::BeginMap;  // start root map