Add renewal token verification (#20)

brenoafb · web-flow · commit b3673b399e95 · 2023-03-27T19:06:11.000-03:00
* Add renewal token verification

* Add tests

* Add renew_identity claim to the root cert

* fix

* Update cert and privkey

* Add negative test
diff --git a/api/signing.pb.go b/api/signing.pb.go
diff --git a/api/signing.proto b/api/signing.proto
@@ -48,6 +48,12 @@ enum FlagClaim {
   // Cert has the authority to sign GovalToken messages that can prove identity.
   IDENTITY = 5;
 
+  // Cert has ability to mint Repl Identity tokens
+  RENEW_IDENTITY = 7;
+
+  // Cert has ability to mint Repl KV tokens
+  RENEW_KV = 8;
+
   // Cert has the authority to sign GovalToken messages that authorizes the
   // bearer to use Ghostwriter.
   GHOSTWRITER = 6;
diff --git a/identity_test.go b/identity_test.go
@@ -60,3 +60,57 @@ func Example() {
 		replIdentity.Aud,
 	)
 }
+
+func ExampleRenew() {
+	identity := os.Getenv("REPL_RENEWAL")
+	if identity == "" {
+		fmt.Println("Sorry, this repl does not yet have an identity (anonymous run?).")
+		return
+	}
+	identityKey := os.Getenv("REPL_RENEWAL_KEY")
+	if identity == "" {
+		fmt.Println("Sorry, this repl does not yet have an identity (anonymous run?).")
+		return
+	}
+
+	// This should be set to the Repl ID of the repl you want to prove your
+	// identity to.
+	targetRepl := "target_repl"
+
+	// Create a signing authority that is authorized to emit tokens for the
+	// current repl.
+	signingAuthority, err := replidentity.NewSigningAuthority(
+		string(identityKey),
+		identity,
+		os.Getenv("REPL_ID"),
+		replidentity.ReadPublicKeyFromEnv,
+	)
+	if err != nil {
+		panic(err)
+	}
+
+	signedToken, err := signingAuthority.Sign(targetRepl)
+	if err != nil {
+		panic(err)
+	}
+
+	// Verify the signed token, pretending we are the target repl.
+	replIdentity, err := replidentity.VerifyRenewIdentity(
+		signedToken,
+		targetRepl,
+		replidentity.ReadPublicKeyFromEnv,
+	)
+	if err != nil {
+		panic(err)
+	}
+
+	fmt.Println()
+	fmt.Printf("The identity in the repl's token (%d bytes) is:\n", len(identity))
+	fmt.Printf(
+		"repl id: %s\n   user: %s\n   slug: %s  audience: %s\n",
+		replIdentity.Replid,
+		replIdentity.User,
+		replIdentity.Slug,
+		replIdentity.Aud,
+	)
+}
diff --git a/sign_test.go b/sign_test.go
@@ -21,8 +21,8 @@ import (
 const (
 	developmentKeyID     = "dev:1"
 	developmentPublicKey = "on0FkSmEC+ce40V9Vc4QABXSx6TXo+lhp99b6Ka0gro="
-	conmanPrivateKey     = "jF/ctKF4x9mL+s8e8bLe2R0Dmzr4FQ+hwBIm6U7TuBRrujSaTKHTWbXSoUc2Y0uQ3mm2YqOmQeR/isCd0qJrVw=="
-	conmanCertificate    = "GAEiBmNvbm1hbhK7AnYyLnB1YmxpYy5RMmQzU1hoMUsyZHNaMWxSZFdVM2NXNVJSVk5FUVdwV01YRlhiRUpvUkdRclpYRmtRVkp2UTBkQlJXRkJhR2RHUjJkSldVRm9iME5IUVUxaFFXaG5SVWxxVm5KTmFUVjNaRmRLYzJGWFRYVlpWR1IyVFVjeGNtVlhaM2ROVnpCNFRVaEdSMU5GTlhSVWEzaHlWR3BXZDJSSE1VeGhia0p5VTBkMGJVNUlTa0ppYlZKTVlWZEZlRmwzUFQxX1g4OVJiVDhTQlhLUUVpVzZfLXBFYUtUX2l1T3lnalB1QVhxajRZSDNHT1FiRlVSY08ydTRFZWF2SUJWU09oRHV4VF82NHFwZG4ydWkxcGo2RjRzTy5SMEZGYVVKdFRuWmliVEZvWW1kdlJscEhWakpQYWtVOQ=="
+	conmanPrivateKey     = "iRnuDeX+Dxum5UR8KMZbhtgUQ55PNOHzhJ5/RwqtiQw8AO6GbqzhvRRPB6SfYrev568iOAyJsiVgtdyiOB6YTQ=="
+	conmanCertificate    = "GAEiBmNvbm1hbhLGAnYyLnB1YmxpYy5RMmR6U1d4bWRVaHZVVmxST1RaeVdsbFNTVXhEUzFScGFreEJSMFZLUTNneVYwVmhRV2huUWtkblNWbENVbTlEUjBGallVRm9aMGxIWjBsWlFXaHZRMGRCVFdGQmFHZEZTV3BXY2sxcE5YZGtWMHB6WVZkTmRWVkZSa1ZrVjJoMFRtNU5NRmxxUWxaV1NHUnNZVEkwZVZONlRubE1WMVl5VTFkd2JsUlhiR2xUVjNoYVZFWm9hbUl5Y0c1YVZ6RkdUVUU5UFhaTklYOURrRFlocGk0SE9jMng2V2lNdV9qY3Y3MEFQd3A2Q2ZpbU1oejVjYWJoU0wzckdqQjN1cDBaSVp5M0tzWW9NelJSNjRtNTFLRmZqbVFNQkFvLlIwRkZhVUp0VG5aaWJURm9ZbWR2UmxwSFZqSlBha1U5"
 )
 
 func generateIntermediateCert(
@@ -98,6 +98,23 @@ func identityToken(
 	)
 }
 
+func renewalToken(
+	replID string,
+	user string,
+	slug string,
+) (ed25519.PrivateKey, string, error) {
+	return tokenWithClaims(
+		replID,
+		user,
+		slug,
+		[]*api.CertificateClaim{
+			{Claim: &api.CertificateClaim_Flag{Flag: api.FlagClaim_RENEW_IDENTITY}},
+			{Claim: &api.CertificateClaim_Replid{Replid: replID}},
+			{Claim: &api.CertificateClaim_User{User: user}},
+		},
+	)
+}
+
 func tokenWithClaims(
 	replID string,
 	user string,
@@ -232,6 +249,7 @@ func identityTokenAnyRepl(
 		&conmanAuthority,
 		[]*api.CertificateClaim{
 			{Claim: &api.CertificateClaim_Flag{Flag: api.FlagClaim_IDENTITY}},
+			{Claim: &api.CertificateClaim_Flag{Flag: api.FlagClaim_RENEW_IDENTITY}},
 			{Claim: &api.CertificateClaim_Flag{Flag: api.FlagClaim_ANY_REPLID}},
 			{Claim: &api.CertificateClaim_User{User: replIdentity.User}},
 		},
@@ -579,3 +597,83 @@ func TestAnyReplIDIdentity(t *testing.T) {
 	assert.Equal(t, "slug", replIdentity.Slug)
 	assert.Equal(t, int64(1), replIdentity.UserId)
 }
+
+func TestRenew(t *testing.T) {
+	privkey, identity, err := renewalToken("repl", "user", "slug")
+	require.NoError(t, err)
+
+	getPubKey := func(keyid, issuer string) (ed25519.PublicKey, error) {
+		if keyid != developmentKeyID {
+			return nil, nil
+		}
+		keyBytes, err := base64.StdEncoding.DecodeString(developmentPublicKey)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse public key as base64: %w", err)
+		}
+
+		return ed25519.PublicKey(keyBytes), nil
+	}
+
+	signingAuthority, err := NewSigningAuthority(
+		string(paserk.PrivateKeyToPASERKSecret(privkey)),
+		identity,
+		"repl",
+		getPubKey,
+	)
+	require.NoError(t, err)
+	forwarded, err := signingAuthority.Sign("testing")
+	require.NoError(t, err)
+
+	replIdentity, err := VerifyRenewIdentity(
+		forwarded,
+		"testing",
+		getPubKey,
+	)
+	require.NoError(t, err)
+
+	assert.Equal(t, "repl", replIdentity.Replid)
+	assert.Equal(t, "user", replIdentity.User)
+	assert.Equal(t, "slug", replIdentity.Slug)
+}
+
+func TestRenewNoClaim(t *testing.T) {
+	privkey, identity, err := tokenWithClaims(
+		"replid",
+		"user",
+		"slug",
+		[]*api.CertificateClaim{
+			{Claim: &api.CertificateClaim_Replid{Replid: "replid"}},
+			{Claim: &api.CertificateClaim_User{User: "user"}},
+		},
+	)
+	require.NoError(t, err)
+
+	getPubKey := func(keyid, issuer string) (ed25519.PublicKey, error) {
+		if keyid != developmentKeyID {
+			return nil, nil
+		}
+		keyBytes, err := base64.StdEncoding.DecodeString(developmentPublicKey)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse public key as base64: %w", err)
+		}
+
+		return ed25519.PublicKey(keyBytes), nil
+	}
+
+	signingAuthority, err := NewSigningAuthority(
+		string(paserk.PrivateKeyToPASERKSecret(privkey)),
+		identity,
+		"replid",
+		getPubKey,
+	)
+	require.NoError(t, err)
+	forwarded, err := signingAuthority.Sign("testing")
+	require.NoError(t, err)
+
+	_, err = VerifyRenewIdentity(
+		forwarded,
+		"testing",
+		getPubKey,
+	)
+	require.Error(t, err)
+}
diff --git a/verify.go b/verify.go
@@ -259,6 +259,23 @@ func VerifyIdentity(message string, audience string, getPubKey PubKeySource, opt
 	return VerifyToken(opts)
 }
 
+// VerifyRenewIdentity verifies that the given `REPL_RENEWAL` value is in fact
+// signed by Goval's chain of authority, addressed to the provided audience
+// (the `REPL_ID` of the recipient), and has the capability to renew the
+// identity.
+//
+// The optional options allow specifying additional verifications on the identity.
+func VerifyRenewIdentity(message string, audience string, getPubKey PubKeySource, options ...VerifyOption) (*api.GovalReplIdentity, error) {
+	opts := VerifyTokenOpts{
+		Message:   message,
+		Audience:  audience,
+		GetPubKey: getPubKey,
+		Options:   options,
+		Flags:     []api.FlagClaim{api.FlagClaim_RENEW_IDENTITY},
+	}
+	return VerifyToken(opts)
+}
+
 type VerifyTokenOpts struct {
 	Message   string
 	Audience  string
