Initial commit

strideynet · strideynet · commit 474f26bf3e1c · 2024-08-30T13:23:39.000+01:00
diff --git a/README.md b/README.md
@@ -1,2 +1,33 @@
 # spiffe-pinger
-Small binary for testing the SPIFFE Workload API and using SPIFFE for mTLS with gRPC
+
+Small utility for testing SPIFFE functionality.
+
+The service:
+
+- Connects to a SPIFFE Workload API to retrieve an X509 SVID
+- Spins up a gRPC server that listens on a TCP address, and is protected by TLS
+  using the X509 SVID
+- Spins up a loop that pings a gRPC server using the X509 SVID as a client
+  certificate
+
+Spin up two of these and point them at one another e.g
+
+```shell
+SPIFFE_ENDPOINT_SOCKET=unix:///tmp/workload-socket-a.sock LISTEN=127.0.0.1:1338 TARGET=127.0.0.1:1337 go run ./main.go
+```
+
+```shell
+SPIFFE_ENDPOINT_SOCKET=unix:///tmp/workload-socket-b.sock LISTEN=127.0.0.1:1337 TARGET=127.0.0.1:1338 go run ./main.go
+```
+
+The logs will indicate the identity of the service itself, and the identity of
+any client which connects to it:
+
+```shell
+2024/08/30 13:12:36 INFO Sent message me=spiffe://leaf.tele.ottr.sh/example component=client
+2024/08/30 13:12:37 INFO Received request me=spiffe://leaf.tele.ottr.sh/example component=server from=spiffe://spire.tele.ottr.sh/macbook/noah
+2024/08/30 13:12:41 INFO Sent message me=spiffe://leaf.tele.ottr.sh/example component=client
+2024/08/30 13:12:42 INFO Received request me=spiffe://leaf.tele.ottr.sh/example component=server from=spiffe://spire.tele.ottr.sh/macbook/noah
+2024/08/30 13:12:46 INFO Sent message me=spiffe://leaf.tele.ottr.sh/example component=client
+2024/08/30 13:12:47 INFO Received request me=spiffe://leaf.tele.ottr.sh/example component=server from=spiffe://spire.tele.ottr.sh/macbook/noah
+```
diff --git a/go.mod b/go.mod
@@ -0,0 +1,22 @@
+module github.com/strideynet/spiffe-pinger
+
+go 1.23.0
+
+require (
+	github.com/spiffe/go-spiffe/v2 v2.3.0
+	golang.org/x/sync v0.8.0
+	google.golang.org/grpc v1.66.0
+	google.golang.org/grpc/examples v0.0.0-20240829213413-845f62caf49a
+)
+
+require (
+	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.2 // indirect
+	github.com/zeebo/errs v1.3.0 // indirect
+	golang.org/x/crypto v0.26.0 // indirect
+	golang.org/x/net v0.28.0 // indirect
+	golang.org/x/sys v0.24.0 // indirect
+	golang.org/x/text v0.17.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 // indirect
+	google.golang.org/protobuf v1.34.2 // indirect
+)
diff --git a/go.sum b/go.sum
@@ -0,0 +1,36 @@
+github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
+github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/go-jose/go-jose/v4 v4.0.2 h1:R3l3kkBds16bO7ZFAEEcofK0MkrAJt3jlJznWZG0nvk=
+github.com/go-jose/go-jose/v4 v4.0.2/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/spiffe/go-spiffe/v2 v2.3.0 h1:g2jYNb/PDMB8I7mBGL2Zuq/Ur6hUhoroxGQFyD6tTj8=
+github.com/spiffe/go-spiffe/v2 v2.3.0/go.mod h1:Oxsaio7DBgSNqhAO9i/9tLClaVlfRok7zvJnTV8ZyIY=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/zeebo/errs v1.3.0 h1:hmiaKqgYZzcVgRL1Vkc1Mn2914BbzB0IBxs+ebeutGs=
+github.com/zeebo/errs v1.3.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
+golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw=
+golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54=
+golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE=
+golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg=
+golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
+golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg=
+golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc=
+golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 h1:e7S5W7MGGLaSu8j3YjdezkZ+m1/Nm0uRVRMEMGk26Xs=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
+google.golang.org/grpc v1.66.0 h1:DibZuoBznOxbDQxRINckZcUvnCEvrW9pcWIE2yF9r1c=
+google.golang.org/grpc v1.66.0/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y=
+google.golang.org/grpc/examples v0.0.0-20240829213413-845f62caf49a h1:QKnUKSrAlVuW9jhTk7vcVa8bA82nW36VJjxgFdWfuq4=
+google.golang.org/grpc/examples v0.0.0-20240829213413-845f62caf49a/go.mod h1:eU5SdK0I2UOcKBHSSunTStQLQ1EJGCHKskH7zg51D5Y=
+google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
+google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/main.go b/main.go
@@ -0,0 +1,122 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"net"
+	"os"
+	"time"
+
+	"github.com/spiffe/go-spiffe/v2/spiffegrpc/grpccredentials"
+	"github.com/spiffe/go-spiffe/v2/spiffetls/tlsconfig"
+	"github.com/spiffe/go-spiffe/v2/workloadapi"
+	"golang.org/x/sync/errgroup"
+	"google.golang.org/grpc"
+	pb "google.golang.org/grpc/examples/helloworld/helloworld"
+)
+
+// server is used to implement helloworld.GreeterServer.
+type server struct {
+	pb.UnimplementedGreeterServer
+	log *slog.Logger
+}
+
+// SayHello implements helloworld.GreeterServer
+func (s *server) SayHello(ctx context.Context, in *pb.HelloRequest) (*pb.HelloReply, error) {
+	peer, ok := grpccredentials.PeerIDFromContext(ctx)
+	if !ok {
+		s.log.Info("Failed to get peer ID")
+	} else {
+		s.log.Info("Received request", "from", peer.String())
+	}
+	return &pb.HelloReply{Message: "Pong"}, nil
+}
+
+func main() {
+	if err := run(context.Background()); err != nil {
+		slog.Error("encountered fatal error", "error", err)
+		os.Exit(1)
+	}
+}
+
+func run(ctx context.Context) error {
+	socketPath := os.Getenv("SPIFFE_ENDPOINT_SOCKET")
+	if socketPath == "" {
+		return fmt.Errorf("SPIFFE_ENDPOINT_SOCKET is not defined")
+	}
+	listen := os.Getenv("LISTEN")
+	if listen == "" {
+		return fmt.Errorf("LISTEN is not defined")
+	}
+	target := os.Getenv("TARGET")
+	if target == "" {
+		return fmt.Errorf("TARGET is not defined")
+	}
+
+	source, err := workloadapi.NewX509Source(ctx, workloadapi.WithClientOptions(workloadapi.WithAddr(socketPath)))
+	if err != nil {
+		return fmt.Errorf("unable to create X509Source: %w", err)
+	}
+	defer source.Close()
+
+	svid, err := source.GetX509SVID()
+	if err != nil {
+		return fmt.Errorf("unable to get X509SVID: %w", err)
+	}
+
+	log := slog.With("me", svid.ID.String())
+
+	eg, egCtx := errgroup.WithContext(ctx)
+	eg.Go(func() error {
+		// Create a server with credentials that do mTLS and verify that the presented certificate has SPIFFE ID `spiffe://example.org/client`
+		s := grpc.NewServer(grpc.Creds(
+			grpccredentials.MTLSServerCredentials(source, source, tlsconfig.AuthorizeAny()),
+		))
+
+		lis, err := net.Listen("tcp", listen)
+		if err != nil {
+			return fmt.Errorf("error creating listener: %w", err)
+		}
+
+		pb.RegisterGreeterServer(s, &server{
+			log: log.With("component", "server"),
+		})
+		stop := context.AfterFunc(egCtx, s.Stop)
+		defer stop()
+		if err := s.Serve(lis); err != nil {
+			return fmt.Errorf("failed to serve: %w", err)
+		}
+		return nil
+	})
+	eg.Go(func() error {
+		log := log.With("component", "client")
+		s, err := grpc.NewClient(target, grpc.WithTransportCredentials(
+			grpccredentials.MTLSClientCredentials(source, source, tlsconfig.AuthorizeAny()),
+		))
+		if err != nil {
+			return fmt.Errorf("failed to create client: %w", err)
+		}
+		defer s.Close()
+
+		greeterClient := pb.NewGreeterClient(s)
+
+		for {
+			_, err := greeterClient.SayHello(egCtx, &pb.HelloRequest{Name: "Ping"})
+			if err != nil {
+				log.Error("Received error", "error", err)
+			} else {
+				log.Info("Sent message")
+			}
+
+			select {
+			case <-egCtx.Done():
+				return nil
+			case <-time.After(5 * time.Second):
+
+			}
+		}
+	})
+
+	return eg.Wait()
+}
