kairos/kcrypt-challenger
1
0
Fork 0
mirror of https://github.com/kairos-io/kcrypt-challenger.git synced 2025-09-12 21:22:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: kairos:v0.2.1
Branches Tags
kairos:main kairos:renovate/kubernetes-go kairos:renovate/google-osv-scanner-action-2.x kairos:renovate/sigs.k8s.io-controller-runtime-0.x kairos:renovate/github.com-mudler-yip-1.x kairos:renovate/github.com-jaypipes-ghw-0.x kairos:renovate/github.com-kairos-io-kairos-sdk-0.x kairos:renovate/github.com-onsi-gomega-1.x kairos:renovate/golang-1.x kairos:renovate/major-github-artifact-actions kairos:renovate/earthly-earthly-0.x kairos:pedro-dimitris-debugging kairos:bump_kairos kairos:update_ghw kairos:ubuntu-local kairos:test_itxaka kairos:challenger
kairos:v0.11.3 kairos:v0.11.2 kairos:v0.11.1 kairos:v0.11.0 kairos:v0.10.0 kairos:v0.9.1 kairos:v0.9.0 kairos:v0.8.0 kairos:v0.7.0 kairos:v0.6.0 kairos:v0.5.0 kairos:v0.4.0 kairos:v0.3 kairos:v0.2.3 kairos:v0.2.2 kairos:v0.2.1 kairos:v0.2.0 kairos:v0.1.0
..
compare: kairos:challenger
Branches Tags
kairos:main kairos:renovate/kubernetes-go kairos:renovate/google-osv-scanner-action-2.x kairos:renovate/sigs.k8s.io-controller-runtime-0.x kairos:renovate/github.com-mudler-yip-1.x kairos:renovate/github.com-jaypipes-ghw-0.x kairos:renovate/github.com-kairos-io-kairos-sdk-0.x kairos:renovate/github.com-onsi-gomega-1.x kairos:renovate/golang-1.x kairos:renovate/major-github-artifact-actions kairos:renovate/earthly-earthly-0.x kairos:pedro-dimitris-debugging kairos:bump_kairos kairos:update_ghw kairos:ubuntu-local kairos:test_itxaka kairos:challenger
kairos:v0.11.3 kairos:v0.11.2 kairos:v0.11.1 kairos:v0.11.0 kairos:v0.10.0 kairos:v0.9.1 kairos:v0.9.0 kairos:v0.8.0 kairos:v0.7.0 kairos:v0.6.0 kairos:v0.5.0 kairos:v0.4.0 kairos:v0.3 kairos:v0.2.3 kairos:v0.2.2 kairos:v0.2.1 kairos:v0.2.0 kairos:v0.1.0

2 Commits
v0.2.1 ... challenger

Author SHA1 Message Date
mudler
7a21b879c4 WIP 2022-10-13 19:06:59 +02:00
Ettore Di Giacinto
ebe316363a WIP 2022-10-09 22:32:56 +00:00
21 changed files with 621 additions and 1196 deletions
Expand all files Collapse all files

63
.github/workflows/image.yml vendored
View File

@@ -1,63 +0,0 @@
---
name: 'build container images'
on:
push:
branches:
- main
tags:
- '*'
jobs:
docker:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Prepare
id: prep
run: |
DOCKER_IMAGE=quay.io/kairos/kcrypt-challenger
VERSION=latest
SHORTREF=${GITHUB_SHA::8}
# If this is git tag, use the tag name as a docker tag
if [[ $GITHUB_REF == refs/tags/* ]]; then
VERSION=${GITHUB_REF#refs/tags/}
fi
TAGS="${DOCKER_IMAGE}:${VERSION},${DOCKER_IMAGE}:${SHORTREF}"
# If the VERSION looks like a version number, assume that
# this is the most recent version of the image and also
# tag it 'latest'.
if [[ $VERSION =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
TAGS="$TAGS,${DOCKER_IMAGE}:latest"
fi
# Set output parameters.
echo ::set-output name=tags::${TAGS}
echo ::set-output name=docker_image::${DOCKER_IMAGE}
- name: Set up QEMU
uses: docker/setup-qemu-action@master
with:
platforms: all
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@master
- name: Login to DockerHub
if: github.event_name != 'pull_request'
uses: docker/login-action@v1
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
- name: Build
uses: docker/build-push-action@v2
with:
builder: ${{ steps.buildx.outputs.name }}
context: .
file: ./Dockerfile
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.prep.outputs.tags }}

18
.github/workflows/unit-tests.yml vendored
View File

@@ -1,18 +0,0 @@
name: Unit tests
on:
push:
branches:
- master
pull_request:
jobs:
unit-tests:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Run tests
run: |
./earthly.sh +test

3
.gitignore vendored
View File

@@ -1,3 +1,4 @@
# Binaries for programs and plugins # Binaries for programs and plugins
*.exe *.exe
*.exe~ *.exe~
@@ -23,4 +24,4 @@ testbin/*
*.swo *.swo
*~ *~
/helm-chart /helm-chart

52
Earthfile
View File

@@ -1,52 +0,0 @@
VERSION 0.6
ARG BASE_IMAGE=quay.io/kairos/core-opensuse:latest
ARG OSBUILDER_IMAGE=quay.io/kairos/osbuilder-tools
ARG GO_VERSION=1.18
build-challenger:
FROM golang:alpine
COPY . /work
WORKDIR /work
RUN CGO_ENABLED=0 go build -o kcrypt-discovery-challenger ./cmd/discovery
SAVE ARTIFACT /work/kcrypt-discovery-challenger AS LOCAL kcrypt-discovery-challenger
image:
FROM $BASE_IMAGE
ARG IMAGE
COPY +build-challenger/kcrypt-discovery-challenger /system/discovery/kcrypt-discovery-challenger
SAVE IMAGE $IMAGE
iso:
ARG OSBUILDER_IMAGE
ARG ISO_NAME=challenger
FROM $OSBUILDER_IMAGE
RUN zypper in -y jq docker
WORKDIR /build
WITH DOCKER --allow-privileged --load $IMAGE=(+image --IMAGE=test)
RUN /entrypoint.sh --name $ISO_NAME --debug build-iso --date=false --local test --output /build/
END
# See: https://github.com/rancher/elemental-cli/issues/228
RUN sha256sum $ISO_NAME.iso > $ISO_NAME.iso.sha256
SAVE ARTIFACT /build/$ISO_NAME.iso kairos.iso AS LOCAL build/$ISO_NAME.iso
SAVE ARTIFACT /build/$ISO_NAME.iso.sha256 kairos.iso.sha256 AS LOCAL build/$ISO_NAME.iso.sha256
test:
ARG GO_VERSION
FROM golang:$GO_VERSION
ENV CGO_ENABLED=0
WORKDIR /work
# Cache layer for modules
COPY go.mod go.sum ./
RUN go mod download && go mod verify
RUN go get github.com/onsi/gomega/...
RUN go get github.com/onsi/ginkgo/v2/ginkgo/internal@v2.1.4
RUN go get github.com/onsi/ginkgo/v2/ginkgo/generators@v2.1.4
RUN go get github.com/onsi/ginkgo/v2/ginkgo/labels@v2.1.4
RUN go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo
COPY . /work
RUN PATH=$PATH:$GOPATH/bin ginkgo run --covermode=atomic --coverprofile=coverage.out -p -r pkg/challenger cmd/discovery/client
SAVE ARTIFACT coverage.out AS LOCAL coverage.out

110
README.md
View File

@@ -1,30 +1,94 @@
# kcrypt-challenger # kcrypt-controller
// TODO(user): Add simple overview of use/purpose
| :exclamation: | This is experimental! | ## Description
|-|:-| // TODO(user): An in-depth paragraph about your project and overview of use
This is the Kairos kcrypt-challenger Kubernetes Native Extension. ## Getting Started
Youll need a Kubernetes cluster to run against. You can use [KIND](https://sigs.k8s.io/kind) to get a local cluster for testing, or run against a remote cluster.
**Note:** Your controller will automatically use the current context in your kubeconfig file (i.e. whatever cluster `kubectl cluster-info` shows).
To install, use helm: ### Running on the cluster
1. Install Instances of Custom Resources:
```sh
kubectl apply -f config/samples/
``` ```
# Adds the kairos repo to helm
$ helm repo add kairos https://kairos-io.github.io/helm-charts
"kairos" has been added to your repositories
$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "kairos" chart repository
Update Complete. ⎈Happy Helming!⎈
# Install the CRD chart 2. Build and push your image to the location specified by `IMG`:
$ helm install kairos-crd kairos/kairos-crds
NAME: kairos-crd ```sh
LAST DEPLOYED: Tue Sep 6 20:35:34 2022 make docker-build docker-push IMG=<some-registry>/kcrypt-controller:tag
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
# Installs challenger
$ helm install kairos-challenger kairos/kcrypt-challenger
``` ```
3. Deploy the controller to the cluster with the image specified by `IMG`:
```sh
make deploy IMG=<some-registry>/kcrypt-controller:tag
```
### Uninstall CRDs
To delete the CRDs from the cluster:
```sh
make uninstall
```
### Undeploy controller
UnDeploy the controller to the cluster:
```sh
make undeploy
```
## Contributing
// TODO(user): Add detailed information on how you would like others to contribute to this project
### How it works
This project aims to follow the Kubernetes [Operator pattern](https://kubernetes.io/docs/concepts/extend-kubernetes/operator/)
It uses [Controllers](https://kubernetes.io/docs/concepts/architecture/controller/)
which provides a reconcile function responsible for synchronizing resources untile the desired state is reached on the cluster
### Test It Out
1. Install the CRDs into the cluster:
```sh
make install
```
2. Run your controller (this will run in the foreground, so switch to a new terminal if you want to leave it running):
```sh
make run
```
**NOTE:** You can also run this in one step by running: `make install run`
### Modifying the API definitions
If you are editing the API definitions, generate the manifests such as CRs or CRDs using:
```sh
make manifests
```
**NOTE:** Run `make --help` for more information on all potential `make` targets
More information can be found via the [Kubebuilder Documentation](https://book.kubebuilder.io/introduction.html)
## License
Copyright 2022.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

17
api/v1alpha1/sealedvolume_types.go
View File

@@ -25,19 +25,10 @@ import (
// SealedVolumeSpec defines the desired state of SealedVolume // SealedVolumeSpec defines the desired state of SealedVolume
type SealedVolumeSpec struct { type SealedVolumeSpec struct {
TPMHash string `json:"TPMHash,omitempty"` TPMHash string `json:"TPMHash,omitempty"`
Partitions []PartitionSpec `json:"partitions,omitempty"` Label string `json:"label,omitempty"`
Quarantined bool `json:"quarantined,omitempty"` Passphrase *SecretSpec `json:"passphraseRef,omitempty"`
} Quarantined bool `json:"quarantined,omitempty"`
// PartitionSpec defines a Partition. A partition can be identified using
// any of the fields: Label, DeviceName, UUID. The Secret defines the secret
// which decrypts the partition.
type PartitionSpec struct {
Label string `json:"label,omitempty"`
DeviceName string `json:"deviceName,omitempty"`
UUID string `json:"uuid,omitempty"`
Secret *SecretSpec `json:"secret,omitempty"`
} }
type SecretSpec struct { type SecretSpec struct {

30
api/v1alpha1/zz_generated.deepcopy.go
View File

@@ -25,26 +25,6 @@ import (
runtime "k8s.io/apimachinery/pkg/runtime" runtime "k8s.io/apimachinery/pkg/runtime"
) )
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PartitionSpec) DeepCopyInto(out *PartitionSpec) {
*out = *in
if in.Secret != nil {
in, out := &in.Secret, &out.Secret
*out = new(SecretSpec)
**out = **in
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PartitionSpec.
func (in *PartitionSpec) DeepCopy() *PartitionSpec {
if in == nil {
return nil
}
out := new(PartitionSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *SealedVolume) DeepCopyInto(out *SealedVolume) { func (in *SealedVolume) DeepCopyInto(out *SealedVolume) {
*out = *in *out = *in
@@ -107,12 +87,10 @@ func (in *SealedVolumeList) DeepCopyObject() runtime.Object {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *SealedVolumeSpec) DeepCopyInto(out *SealedVolumeSpec) { func (in *SealedVolumeSpec) DeepCopyInto(out *SealedVolumeSpec) {
*out = *in *out = *in
if in.Partitions != nil { if in.Passphrase != nil {
in, out := &in.Partitions, &out.Partitions in, out := &in.Passphrase, &out.Passphrase
*out = make([]PartitionSpec, len(*in)) *out = new(SecretSpec)
for i := range *in { **out = **in
(*in)[i].DeepCopyInto(&(*out)[i])
}
} }
} }

138
cmd/discovery/client/client.go
View File

@@ -1,138 +0,0 @@
package client
import (
"encoding/base64"
"encoding/json"
"fmt"
"os"
"time"
"github.com/jaypipes/ghw/pkg/block"
"github.com/kairos-io/kairos-challenger/pkg/constants"
"github.com/kairos-io/kairos-challenger/pkg/payload"
"github.com/kairos-io/kcrypt/pkg/bus"
"github.com/kairos-io/tpm-helpers"
"github.com/mudler/go-pluggable"
"github.com/mudler/yip/pkg/utils"
)
var errPartNotFound error = fmt.Errorf("pass for partition not found")
func NewClient() (*Client, error) {
conf, err := unmarshalConfig()
if err != nil {
return nil, err
}
return &Client{Config: conf}, nil
}
// echo '{ "data": "{ \\"label\\": \\"LABEL\\" }"}' | sudo -E WSS_SERVER="http://localhost:8082/challenge" ./challenger "discovery.password"
func (c *Client) Start() error {
factory := pluggable.NewPluginFactory()
// Input: bus.EventInstallPayload
// Expected output: map[string]string{}
factory.Add(bus.EventDiscoveryPassword, func(e *pluggable.Event) pluggable.EventResponse {
b := &block.Partition{}
err := json.Unmarshal([]byte(e.Data), b)
if err != nil {
return pluggable.EventResponse{
Error: fmt.Sprintf("failed reading partitions: %s", err.Error()),
}
}
pass, err := c.waitPass(b, 30)
if err != nil {
return pluggable.EventResponse{
Error: fmt.Sprintf("failed getting pass: %s", err.Error()),
}
}
return pluggable.EventResponse{
Data: pass,
}
})
return factory.Run(pluggable.EventType(os.Args[1]), os.Stdin, os.Stdout)
}
func (c *Client) generatePass(postEndpoint string, p *block.Partition) error {
rand := utils.RandomString(32)
pass, err := tpm.EncryptBlob([]byte(rand))
if err != nil {
return err
}
bpass := base64.RawURLEncoding.EncodeToString(pass)
opts := []tpm.Option{
tpm.WithAdditionalHeader("label", p.Label),
tpm.WithAdditionalHeader("name", p.Name),
tpm.WithAdditionalHeader("uuid", p.UUID),
}
conn, err := tpm.Connection(postEndpoint, opts...)
if err != nil {
return err
}
return conn.WriteJSON(payload.Data{Passphrase: bpass, GeneratedBy: constants.TPMSecret})
}
func (c *Client) waitPass(p *block.Partition, attempts int) (pass string, err error) {
// IF we don't have any server configured, just do local
if c.Config.Kcrypt.Challenger.Server == "" {
return localPass(c.Config)
}
challengeEndpoint := fmt.Sprintf("%s/getPass", c.Config.Kcrypt.Challenger.Server)
postEndpoint := fmt.Sprintf("%s/postPass", c.Config.Kcrypt.Challenger.Server)
for tries := 0; tries < attempts; tries++ {
var generated bool
pass, generated, err = getPass(challengeEndpoint, p)
if err == errPartNotFound {
// IF server doesn't have a pass for us, then we generate one and we set it
err = c.generatePass(postEndpoint, p)
if err != nil {
return
}
// Attempt to fetch again - validate that the server has it now
tries = 0
continue
}
if generated { // passphrase is encrypted
return c.decryptPassphrase(pass)
}
if err == nil || err == errPartNotFound { // passphrase not encrypted or not available
return
}
time.Sleep(1 * time.Second) // network errors? retry
}
return
}
// decryptPassphrase decodes (base64) and decrypts the passphrase returned
// by the challenger server.
func (c *Client) decryptPassphrase(pass string) (string, error) {
blob, err := base64.RawURLEncoding.DecodeString(pass)
if err != nil {
return "", err
}
// Decrypt and return it to unseal the LUKS volume
opts := []tpm.TPMOption{}
if c.Config.Kcrypt.Challenger.CIndex != "" {
opts = append(opts, tpm.WithIndex(c.Config.Kcrypt.Challenger.CIndex))
}
if c.Config.Kcrypt.Challenger.TPMDevice != "" {
opts = append(opts, tpm.WithDevice(c.Config.Kcrypt.Challenger.TPMDevice))
}
passBytes, err := tpm.DecryptBlob(blob, opts...)
return string(passBytes), err
}

38
cmd/discovery/client/config.go
View File

@@ -1,38 +0,0 @@
package client
import (
"github.com/kairos-io/kairos/pkg/config"
kconfig "github.com/kairos-io/kcrypt/pkg/config"
)
type Client struct {
Config Config
}
type Config struct {
Kcrypt struct {
Challenger struct {
Server string `yaml:"challenger_server,omitempty"`
// Non-volatile index memory: where we store the encrypted passphrase (offline mode)
NVIndex string `yaml:"nv_index,omitempty"`
// Certificate index: this is where the rsa pair that decrypts the passphrase lives
CIndex string `yaml:"c_index,omitempty"`
TPMDevice string `yaml:"tpm_device,omitempty"`
}
}
}
func unmarshalConfig() (Config, error) {
var result Config
c, err := config.Scan(config.Directories(kconfig.ConfigScanDirs...), config.NoLogs)
if err != nil {
return result, err
}
if err = c.Unmarshal(&result); err != nil {
return result, err
}
return result, nil
}

93
cmd/discovery/client/enc.go
View File

@@ -1,93 +0,0 @@
package client
import (
"encoding/json"
"fmt"
"strings"
"github.com/kairos-io/kairos-challenger/pkg/constants"
"github.com/kairos-io/kairos-challenger/pkg/payload"
"github.com/jaypipes/ghw/pkg/block"
"github.com/kairos-io/tpm-helpers"
"github.com/mudler/yip/pkg/utils"
"github.com/pkg/errors"
)
const DefaultNVIndex = "0x1500000"
func getPass(server string, partition *block.Partition) (string, bool, error) {
msg, err := tpm.Get(server,
tpm.WithAdditionalHeader("label", partition.Label),
tpm.WithAdditionalHeader("name", partition.Name),
tpm.WithAdditionalHeader("uuid", partition.UUID))
if err != nil {
return "", false, err
}
result := payload.Data{}
err = json.Unmarshal(msg, &result)
if err != nil {
return "", false, errors.Wrap(err, string(msg))
}
if result.HasPassphrase() {
return fmt.Sprint(result.Passphrase), result.HasBeenGenerated() && result.GeneratedBy == constants.TPMSecret, nil
} else if result.HasError() {
if strings.Contains(result.Error, "No secret found for") {
return "", false, errPartNotFound
}
return "", false, fmt.Errorf(result.Error)
}
return "", false, errPartNotFound
}
func genAndStore(k Config) (string, error) {
opts := []tpm.TPMOption{}
if k.Kcrypt.Challenger.TPMDevice != "" {
opts = append(opts, tpm.WithDevice(k.Kcrypt.Challenger.TPMDevice))
}
if k.Kcrypt.Challenger.CIndex != "" {
opts = append(opts, tpm.WithIndex(k.Kcrypt.Challenger.CIndex))
}
// Generate a new one, and return it to luks
rand := utils.RandomString(32)
blob, err := tpm.EncryptBlob([]byte(rand))
if err != nil {
return "", err
}
nvindex := DefaultNVIndex
if k.Kcrypt.Challenger.NVIndex != "" {
nvindex = k.Kcrypt.Challenger.NVIndex
}
opts = append(opts, tpm.WithIndex(nvindex))
return rand, tpm.StoreBlob(blob, opts...)
}
func localPass(k Config) (string, error) {
index := DefaultNVIndex
if k.Kcrypt.Challenger.NVIndex != "" {
index = k.Kcrypt.Challenger.NVIndex
}
opts := []tpm.TPMOption{tpm.WithIndex(index)}
if k.Kcrypt.Challenger.TPMDevice != "" {
opts = append(opts, tpm.WithDevice(k.Kcrypt.Challenger.TPMDevice))
}
encodedPass, err := tpm.ReadBlob(opts...)
if err != nil {
// Generate if we fail to read from the assigned blob
return genAndStore(k)
}
// Decode and give it back
opts = []tpm.TPMOption{}
if k.Kcrypt.Challenger.CIndex != "" {
opts = append(opts, tpm.WithIndex(k.Kcrypt.Challenger.CIndex))
}
if k.Kcrypt.Challenger.TPMDevice != "" {
opts = append(opts, tpm.WithDevice(k.Kcrypt.Challenger.TPMDevice))
}
pass, err := tpm.DecryptBlob(encodedPass, opts...)
return string(pass), err
}

75
cmd/discovery/main.go
View File

@@ -1,24 +1,25 @@
package main package main
import ( import (
"encoding/json"
"fmt" "fmt"
"os" "os"
"github.com/kairos-io/kairos-challenger/cmd/discovery/client" "github.com/jaypipes/ghw/pkg/block"
"github.com/kairos-io/go-tpm"
"github.com/kairos-io/kairos/pkg/machine"
"github.com/kairos-io/kcrypt/pkg/bus" "github.com/kairos-io/kcrypt/pkg/bus"
"github.com/kairos-io/tpm-helpers" "gopkg.in/yaml.v3"
"github.com/mudler/go-pluggable"
) )
func main() { func main() {
if len(os.Args) >= 2 && bus.IsEventDefined(os.Args[1]) { if len(os.Args) >= 2 && bus.IsEventDefined(os.Args[1]) {
c, err := client.NewClient() checkErr(start())
checkErr(err)
checkErr(c.Start())
return
} }
pubhash, err := tpm.GetPubHash() pubhash, _ := tpm.GetPubHash()
checkErr(err)
fmt.Print(pubhash) fmt.Print(pubhash)
} }
@@ -27,4 +28,62 @@ func checkErr(err error) {
fmt.Println(err) fmt.Println(err)
os.Exit(1) os.Exit(1)
} }
os.Exit(0)
}
// echo '{ "data": "{ \\"label\\": \\"LABEL\\" }"}' | sudo -E WSS_SERVER="http://localhost:8082/challenge" ./challenger "discovery.password"
func start() error {
factory := pluggable.NewPluginFactory()
connectionDetails := &struct {
Server string
}{}
var server string
d, err := machine.DotToYAML("/proc/cmdline")
if err == nil { // best-effort
yaml.Unmarshal(d, connectionDetails) //nolint:errcheck
}
server = connectionDetails.Server
if os.Getenv("WSS_SERVER") != "" {
server = os.Getenv("WSS_SERVER")
}
// Input: bus.EventInstallPayload
// Expected output: map[string]string{}
factory.Add(bus.EventDiscoveryPassword, func(e *pluggable.Event) pluggable.EventResponse {
b := &block.Partition{}
err := json.Unmarshal([]byte(e.Data), b)
if err != nil {
return pluggable.EventResponse{
Error: fmt.Sprintf("failed reading partitions: %s", err.Error()),
}
}
msg, err := tpm.Get(server, tpm.WithAdditionalHeader("label", b.Label))
if err != nil {
return pluggable.EventResponse{
Error: fmt.Sprintf("failed contacting from wss server: %s", err.Error()),
}
}
result := map[string]interface{}{}
err = json.Unmarshal(msg, &result)
if err != nil {
return pluggable.EventResponse{
Error: fmt.Sprintf("failed reading from wss server: %s", err.Error()),
}
}
p, ok := result["passphrase"]
if !ok {
return pluggable.EventResponse{
Error: "not found",
}
}
return pluggable.EventResponse{
Data: fmt.Sprint(p),
}
})
return factory.Run(pluggable.EventType(os.Args[1]), os.Stdin, os.Stdout)
} }

30
config/crd/bases/keyserver.kairos.io_sealedvolumes.yaml
View File

@@ -37,27 +37,15 @@ spec:
properties: properties:
TPMHash: TPMHash:
type: string type: string
partitions: label:
items: type: string
description: 'PartitionSpec defines a Partition. A partition can passphraseRef:
be identified using any of the fields: Label, DeviceName, UUID. properties:
The Secret defines the secret which decrypts the partition.' name:
properties: type: string
deviceName: path:
type: string type: string
label: type: object
type: string
secret:
properties:
name:
type: string
path:
type: string
type: object
uuid:
type: string
type: object
type: array
quarantined: quarantined:
type: boolean type: boolean
type: object type: object

3
earthly.sh
View File

@@ -1,3 +0,0 @@
#!/bin/bash
docker run --privileged -v /var/run/docker.sock:/var/run/docker.sock --rm -t -v $(pwd):/workspace -v earthly-tmp:/tmp/earthly:rw earthly/earthly:v0.6.21 --allow-privileged $@

8
examples/sealedvolume.yaml
View File

@@ -15,8 +15,8 @@ metadata:
namespace: default namespace: default
spec: spec:
TPMHash: "something" TPMHash: "something"
partitionSecrets: label: "label"
LABEL: passphraseRef:
name: mysecret name: mysecret
path: pass path: pass
quarantined: false quarantined: false

95
go.mod
View File

@@ -5,24 +5,19 @@ go 1.18
require ( require (
github.com/gorilla/websocket v1.5.0 github.com/gorilla/websocket v1.5.0
github.com/jaypipes/ghw v0.9.0 github.com/jaypipes/ghw v0.9.0
github.com/kairos-io/kairos v1.24.3-56.0.20230118103822-e3dbd41dddd1 github.com/kairos-io/go-tpm v0.0.0-20221007215323-700d855876c5
github.com/kairos-io/kcrypt v0.4.5-0.20230118125949-27183fbce7ea github.com/kairos-io/kairos v1.1.2
github.com/kairos-io/tpm-helpers v0.0.0-20230119140150-3fa97128ef6b github.com/kairos-io/kcrypt v0.0.0-20221006145351-cabc24dc37a7
github.com/mudler/go-pluggable v0.0.0-20220716112424-189d463e3ff3 github.com/mudler/go-pluggable v0.0.0-20220716112424-189d463e3ff3
github.com/mudler/yip v0.11.4
github.com/onsi/ginkgo v1.16.5 github.com/onsi/ginkgo v1.16.5
github.com/onsi/ginkgo/v2 v2.7.0 github.com/onsi/gomega v1.20.0
github.com/onsi/gomega v1.25.0 gopkg.in/yaml.v3 v3.0.1
github.com/pkg/errors v0.9.1
k8s.io/api v0.24.2
k8s.io/apimachinery v0.24.2 k8s.io/apimachinery v0.24.2
k8s.io/client-go v0.24.2 k8s.io/client-go v0.24.2
sigs.k8s.io/controller-runtime v0.12.2 sigs.k8s.io/controller-runtime v0.12.2
) )
require ( require (
atomicgo.dev/cursor v0.1.1 // indirect
atomicgo.dev/keyboard v0.2.9 // indirect
cloud.google.com/go v0.93.3 // indirect cloud.google.com/go v0.93.3 // indirect
github.com/Azure/go-autorest v14.2.0+incompatible // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect
github.com/Azure/go-autorest/autorest v0.11.18 // indirect github.com/Azure/go-autorest/autorest v0.11.18 // indirect
@@ -30,27 +25,22 @@ require (
github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
github.com/Azure/go-autorest/logger v0.2.1 // indirect github.com/Azure/go-autorest/logger v0.2.1 // indirect
github.com/Azure/go-autorest/tracing v0.6.0 // indirect github.com/Azure/go-autorest/tracing v0.6.0 // indirect
github.com/Masterminds/goutils v1.1.1 // indirect
github.com/Masterminds/semver/v3 v3.1.1 // indirect
github.com/Masterminds/sprig/v3 v3.2.2 // indirect
github.com/PuerkitoBio/purell v1.1.1 // indirect github.com/PuerkitoBio/purell v1.1.1 // indirect
github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
github.com/StackExchange/wmi v1.2.1 // indirect github.com/StackExchange/wmi v1.2.1 // indirect
github.com/avast/retry-go v3.0.0+incompatible // indirect github.com/atomicgo/cursor v0.0.1 // indirect
github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59 // indirect github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59 // indirect
github.com/beorn7/perks v1.0.1 // indirect github.com/beorn7/perks v1.0.1 // indirect
github.com/cespare/xxhash/v2 v2.1.2 // indirect github.com/cespare/xxhash/v2 v2.1.2 // indirect
github.com/chuckpreslar/emission v0.0.0-20170206194824-a7ddd980baf9 // indirect github.com/chuckpreslar/emission v0.0.0-20170206194824-a7ddd980baf9 // indirect
github.com/containerd/console v1.0.3 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect github.com/davecgh/go-spew v1.1.1 // indirect
github.com/denisbrodbeck/machineid v1.0.1 // indirect github.com/denisbrodbeck/machineid v1.0.1 // indirect
github.com/emicklei/go-restful v2.9.5+incompatible // indirect github.com/emicklei/go-restful v2.9.5+incompatible // indirect
github.com/evanphx/json-patch v4.12.0+incompatible // indirect github.com/evanphx/json-patch v4.12.0+incompatible // indirect
github.com/folbricht/tpmk v0.1.2-0.20230104073416-f20b20c289d7 // indirect github.com/form3tech-oss/jwt-go v3.2.3+incompatible // indirect
github.com/form3tech-oss/jwt-go v3.2.5+incompatible // indirect
github.com/fsnotify/fsnotify v1.5.4 // indirect github.com/fsnotify/fsnotify v1.5.4 // indirect
github.com/ghodss/yaml v1.0.0 // indirect github.com/ghodss/yaml v1.0.0 // indirect
github.com/go-logr/logr v1.2.3 // indirect github.com/go-logr/logr v1.2.0 // indirect
github.com/go-logr/zapr v1.2.0 // indirect github.com/go-logr/zapr v1.2.0 // indirect
github.com/go-ole/go-ole v1.2.6 // indirect github.com/go-ole/go-ole v1.2.6 // indirect
github.com/go-openapi/jsonpointer v0.19.5 // indirect github.com/go-openapi/jsonpointer v0.19.5 // indirect
@@ -59,73 +49,68 @@ require (
github.com/gogo/protobuf v1.3.2 // indirect github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/golang/protobuf v1.5.2 // indirect github.com/golang/protobuf v1.5.2 // indirect
github.com/google/certificate-transparency-go v1.1.4 // indirect github.com/google/certificate-transparency-go v1.1.2 // indirect
github.com/google/gnostic v0.5.7-v3refs // indirect github.com/google/gnostic v0.5.7-v3refs // indirect
github.com/google/go-attestation v0.4.4-0.20220404204839-8820d49b18d9 // indirect github.com/google/go-attestation v0.4.3 // indirect
github.com/google/go-cmp v0.5.9 // indirect github.com/google/go-cmp v0.5.8 // indirect
github.com/google/go-tpm v0.3.3 // indirect github.com/google/go-tpm v0.3.3 // indirect
github.com/google/go-tpm-tools v0.3.10 // indirect github.com/google/go-tpm-tools v0.3.2 // indirect
github.com/google/go-tspi v0.3.0 // indirect github.com/google/go-tspi v0.2.1-0.20190423175329-115dea689aad // indirect
github.com/google/gofuzz v1.1.0 // indirect github.com/google/gofuzz v1.1.0 // indirect
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
github.com/google/uuid v1.3.0 // indirect github.com/google/uuid v1.1.2 // indirect
github.com/gookit/color v1.5.2 // indirect github.com/gookit/color v1.5.0 // indirect
github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect
github.com/hashicorp/go-multierror v1.1.1 // indirect github.com/hashicorp/go-multierror v1.1.1 // indirect
github.com/huandu/xstrings v1.3.2 // indirect github.com/imdario/mergo v0.3.12 // indirect
github.com/imdario/mergo v0.3.13 // indirect github.com/itchyny/gojq v0.12.8 // indirect
github.com/itchyny/gojq v0.12.11 // indirect github.com/itchyny/timefmt-go v0.1.3 // indirect
github.com/itchyny/timefmt-go v0.1.5 // indirect
github.com/joho/godotenv v1.4.0 // indirect github.com/joho/godotenv v1.4.0 // indirect
github.com/josharian/intern v1.0.0 // indirect github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect github.com/json-iterator/go v1.1.12 // indirect
github.com/lithammer/fuzzysearch v1.1.5 // indirect
github.com/mailru/easyjson v0.7.6 // indirect github.com/mailru/easyjson v0.7.6 // indirect
github.com/mattn/go-isatty v0.0.17 // indirect github.com/mattn/go-isatty v0.0.14 // indirect
github.com/mattn/go-runewidth v0.0.14 // indirect github.com/mattn/go-runewidth v0.0.13 // indirect
github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
github.com/mitchellh/copystructure v1.2.0 // indirect
github.com/mitchellh/reflectwalk v1.0.2 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 // indirect github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 // indirect
github.com/nxadm/tail v1.4.8 // indirect github.com/nxadm/tail v1.4.8 // indirect
github.com/prometheus/client_golang v1.13.0 // indirect github.com/pkg/errors v0.9.1 // indirect
github.com/prometheus/client_golang v1.12.1 // indirect
github.com/prometheus/client_model v0.2.0 // indirect github.com/prometheus/client_model v0.2.0 // indirect
github.com/prometheus/common v0.37.0 // indirect github.com/prometheus/common v0.32.1 // indirect
github.com/prometheus/procfs v0.8.0 // indirect github.com/prometheus/procfs v0.7.3 // indirect
github.com/pterm/pterm v0.12.53 // indirect github.com/pterm/pterm v0.12.41 // indirect
github.com/qeesung/image2ascii v1.0.1 // indirect github.com/qeesung/image2ascii v1.0.1 // indirect
github.com/rivo/uniseg v0.4.3 // indirect github.com/rivo/uniseg v0.2.0 // indirect
github.com/shopspring/decimal v1.3.1 // indirect github.com/sirupsen/logrus v1.8.1 // indirect
github.com/spf13/cast v1.5.0 // indirect
github.com/spf13/pflag v1.0.5 // indirect github.com/spf13/pflag v1.0.5 // indirect
github.com/twpayne/go-vfs v1.7.2 // indirect
github.com/wayneashleyberry/terminal-dimensions v1.1.0 // indirect github.com/wayneashleyberry/terminal-dimensions v1.1.0 // indirect
github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778 // indirect
go.uber.org/atomic v1.10.0 // indirect go.uber.org/atomic v1.9.0 // indirect
go.uber.org/multierr v1.8.0 // indirect go.uber.org/multierr v1.8.0 // indirect
go.uber.org/zap v1.23.0 // indirect go.uber.org/zap v1.21.0 // indirect
golang.org/x/crypto v0.5.0 // indirect golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa // indirect
golang.org/x/net v0.5.0 // indirect golang.org/x/net v0.0.0-20220630215102-69896b714898 // indirect
golang.org/x/oauth2 v0.4.0 // indirect golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b // indirect
golang.org/x/sys v0.4.0 // indirect golang.org/x/sys v0.0.0-20220803195053-6e608f9ce704 // indirect
golang.org/x/term v0.4.0 // indirect golang.org/x/term v0.0.0-20220526004731-065cf7ba2467 // indirect
golang.org/x/text v0.6.0 // indirect golang.org/x/text v0.3.7 // indirect
golang.org/x/time v0.0.0-20220411224347-583f2d630306 // indirect golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
google.golang.org/appengine v1.6.7 // indirect google.golang.org/appengine v1.6.7 // indirect
google.golang.org/protobuf v1.28.1 // indirect google.golang.org/protobuf v1.28.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0 // indirect gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
howett.net/plist v1.0.0 // indirect howett.net/plist v1.0.0 // indirect
k8s.io/api v0.24.2 // indirect
k8s.io/apiextensions-apiserver v0.24.2 // indirect k8s.io/apiextensions-apiserver v0.24.2 // indirect
k8s.io/component-base v0.24.2 // indirect k8s.io/component-base v0.24.2 // indirect
k8s.io/klog/v2 v2.80.1 // indirect k8s.io/klog/v2 v2.60.1 // indirect
k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42 // indirect k8s.io/kube-openapi v0.0.0-20220328201542-3ee0da9b0b42 // indirect
k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 // indirect k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 // indirect
sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect

593
go.sum
View File

File diff suppressed because it is too large Load Diff

262
pkg/challenger/challenger.go
View File

@@ -4,44 +4,21 @@ import (
"context" "context"
"encoding/json" "encoding/json"
"fmt" "fmt"
"io"
"io/ioutil" "io/ioutil"
"net/http" "net/http"
"time" "time"
keyserverv1alpha1 "github.com/kairos-io/kairos-challenger/api/v1alpha1" keyserverv1alpha1 "github.com/kairos-io/kairos-challenger/api/v1alpha1"
"github.com/kairos-io/kairos-challenger/pkg/constants"
"github.com/kairos-io/kairos-challenger/pkg/payload"
"sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/client"
tpm "github.com/kairos-io/go-tpm"
"github.com/kairos-io/kairos-challenger/controllers" "github.com/kairos-io/kairos-challenger/controllers"
tpm "github.com/kairos-io/tpm-helpers"
corev1 "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes" "k8s.io/client-go/kubernetes"
"github.com/gorilla/websocket" "github.com/gorilla/websocket"
) )
// PassphraseRequestData is a struct that holds all the information needed in
// order to lookup a passphrase for a specific tpm hash.
type PassphraseRequestData struct {
TPMHash string
Label string
DeviceName string
UUID string
}
type SealedVolumeData struct {
Quarantined bool
SecretName string
SecretPath string
PartitionLabel string
VolumeName string
}
var upgrader = websocket.Upgrader{ var upgrader = websocket.Upgrader{
ReadBufferSize: 1024, ReadBufferSize: 1024,
WriteBufferSize: 1024, WriteBufferSize: 1024,
@@ -69,15 +46,6 @@ func writeRead(conn *websocket.Conn, input []byte) ([]byte, error) {
return ioutil.ReadAll(reader) return ioutil.ReadAll(reader)
} }
func getPubHash(token string) (string, error) {
ek, _, err := tpm.GetAttestationData(token)
if err != nil {
return "", err
}
return tpm.DecodePubHash(ek)
}
func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *controllers.SealedVolumeReconciler, namespace, address string) { func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *controllers.SealedVolumeReconciler, namespace, address string) {
fmt.Println("Challenger started at", address) fmt.Println("Challenger started at", address)
s := http.Server{ s := http.Server{
@@ -88,113 +56,11 @@ func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *contr
m := http.NewServeMux() m := http.NewServeMux()
errorMessage := func(writer io.WriteCloser, errMsg string) { m.HandleFunc("/challenge", func(w http.ResponseWriter, r *http.Request) {
err := json.NewEncoder(writer).Encode(payload.Data{Error: errMsg})
if err != nil {
fmt.Println("error encoding the response to json", err.Error())
}
fmt.Println(errMsg)
}
m.HandleFunc("/postPass", func(w http.ResponseWriter, r *http.Request) {
conn, _ := upgrader.Upgrade(w, r, nil) // error ignored for sake of simplicity
for {
fmt.Println("Receiving passphrase")
if err := tpm.AuthRequest(r, conn); err != nil {
fmt.Println("error", err.Error())
return
}
defer conn.Close()
fmt.Println("[Receiving passphrase] auth succeeded")
token := r.Header.Get("Authorization")
hashEncoded, err := getPubHash(token)
if err != nil {
fmt.Println("error decoding pubhash", err.Error())
return
}
fmt.Println("[Receiving passphrase] pubhash", hashEncoded)
label := r.Header.Get("label")
name := r.Header.Get("name")
uuid := r.Header.Get("uuid")
v := &payload.Data{}
volumeList := &keyserverv1alpha1.SealedVolumeList{}
if err := reconciler.List(ctx, volumeList, &client.ListOptions{Namespace: namespace}); err != nil {
fmt.Println("Failed listing volumes")
fmt.Println(err)
continue
}
sealedVolumeData := findVolumeFor(PassphraseRequestData{
TPMHash: hashEncoded,
Label: label,
DeviceName: name,
UUID: uuid,
}, volumeList)
if sealedVolumeData == nil {
fmt.Println("No TPM Hash found for", hashEncoded)
conn.Close()
return
}
if err := conn.ReadJSON(v); err != nil {
fmt.Println("error", err.Error())
return
}
if v.HasPassphrase() && !v.HasError() {
secretName := fmt.Sprintf("%s-%s", sealedVolumeData.VolumeName, sealedVolumeData.PartitionLabel)
secretPath := "passphrase"
if sealedVolumeData.SecretName != "" {
secretName = sealedVolumeData.SecretName
}
if sealedVolumeData.SecretPath != "" {
secretPath = sealedVolumeData.SecretPath
}
_, err := kclient.CoreV1().Secrets(namespace).Get(ctx, secretName, v1.GetOptions{})
if err != nil {
if !apierrors.IsNotFound(err) {
fmt.Printf("Failed getting secret: %s\n", err.Error())
continue
}
secret := corev1.Secret{
TypeMeta: v1.TypeMeta{
Kind: "Secret",
APIVersion: "apps/v1",
},
ObjectMeta: v1.ObjectMeta{
Name: secretName,
Namespace: namespace,
},
StringData: map[string]string{
secretPath: v.Passphrase,
constants.GeneratedByKey: v.GeneratedBy,
},
Type: "Opaque",
}
_, err := kclient.CoreV1().Secrets(namespace).Create(ctx, &secret, v1.CreateOptions{})
if err != nil {
fmt.Println("failed during secret creation")
}
} else {
fmt.Println("Posted for already existing secret - ignoring")
}
} else {
fmt.Println("Invalid answer from client: doesn't contain any passphrase")
}
}
})
m.HandleFunc("/getPass", func(w http.ResponseWriter, r *http.Request) {
conn, _ := upgrader.Upgrade(w, r, nil) // error ignored for sake of simplicity conn, _ := upgrader.Upgrade(w, r, nil) // error ignored for sake of simplicity
for { for {
fmt.Println("Received connection") fmt.Println("Received connection")
volumeList := &keyserverv1alpha1.SealedVolumeList{} volumeList := &keyserverv1alpha1.SealedVolumeList{}
if err := reconciler.List(ctx, volumeList, &client.ListOptions{Namespace: namespace}); err != nil { if err := reconciler.List(ctx, volumeList, &client.ListOptions{Namespace: namespace}); err != nil {
@@ -205,79 +71,62 @@ func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *contr
token := r.Header.Get("Authorization") token := r.Header.Get("Authorization")
label := r.Header.Get("label") label := r.Header.Get("label")
name := r.Header.Get("name") ek, at, err := tpm.GetAttestationData(token)
uuid := r.Header.Get("uuid") if err != nil {
fmt.Println("Failed getting tpm token")
if err := tpm.AuthRequest(r, conn); err != nil { fmt.Println("error", err.Error())
fmt.Println("error validating challenge", err.Error())
return return
} }
hashEncoded, err := getPubHash(token) hashEncoded, err := tpm.DecodePubHash(ek)
if err != nil { if err != nil {
fmt.Println("error decoding pubhash", err.Error()) fmt.Println("error decoding pubhash", err.Error())
return return
} }
sealedVolumeData := findVolumeFor(PassphraseRequestData{ found := false
TPMHash: hashEncoded, var volume keyserverv1alpha1.SealedVolume
Label: label, for _, v := range volumeList.Items {
DeviceName: name, if hashEncoded == v.Spec.TPMHash && v.Spec.Label == label {
UUID: uuid, found = true
}, volumeList) volume = v
}
}
if sealedVolumeData == nil { if !found {
writer, _ := conn.NextWriter(websocket.BinaryMessage) fmt.Println("No TPM Hash found for", hashEncoded)
errorMessage(writer, fmt.Sprintf("Invalid hash: %s", hashEncoded))
conn.Close() conn.Close()
// conn.Close()
// return
continue //will iterate until a TPM is available
}
secret, challenge, err := tpm.GenerateChallenge(ek, at)
if err != nil {
fmt.Println("error", err.Error())
return
}
resp, _ := writeRead(conn, challenge)
if err := tpm.ValidateChallenge(secret, resp); err != nil {
fmt.Println("error validating challenge", err.Error(), string(resp))
return return
} }
writer, _ := conn.NextWriter(websocket.BinaryMessage) writer, _ := conn.NextWriter(websocket.BinaryMessage)
if !sealedVolumeData.Quarantined {
secretName := fmt.Sprintf("%s-%s", sealedVolumeData.VolumeName, sealedVolumeData.PartitionLabel)
secretPath := "passphrase"
if sealedVolumeData.SecretName != "" {
secretName = sealedVolumeData.SecretName
}
if sealedVolumeData.SecretPath != "" {
secretPath = sealedVolumeData.SecretPath
}
// 1. The admin sets a specific cleartext password from Kube manager if !volume.Spec.Quarantined {
// SealedVolume -> with a secret . secret, err := kclient.CoreV1().Secrets(namespace).Get(ctx, volume.Spec.Passphrase.Name, v1.GetOptions{})
// 2. The admin just adds a SealedVolume associated with a TPM Hash ( you don't provide any passphrase )
// 3. There is no challenger server at all (offline mode)
//
secret, err := kclient.CoreV1().Secrets(namespace).Get(ctx, secretName, v1.GetOptions{})
if err == nil { if err == nil {
passphrase := secret.Data[secretPath] passphrase := secret.Data[volume.Spec.Passphrase.Path]
generatedBy := secret.Data[constants.GeneratedByKey] json.NewEncoder(writer).Encode(map[string]string{"passphrase": string(passphrase)})
p := payload.Data{Passphrase: string(passphrase), GeneratedBy: string(generatedBy)}
err = json.NewEncoder(writer).Encode(p)
if err != nil {
fmt.Println("error encoding the passphrase to json", err.Error(), string(passphrase))
}
if err = writer.Close(); err != nil {
fmt.Println("error closing the writer", err.Error())
return
}
if err = conn.Close(); err != nil {
fmt.Println("error closing the connection", err.Error())
return
}
return
} else {
errorMessage(writer, fmt.Sprintf("No secret found for %s and %s", hashEncoded, sealedVolumeData.PartitionLabel))
} }
} else { } else {
errorMessage(writer, fmt.Sprintf("quarantined: %s", sealedVolumeData.PartitionLabel)) conn.Close()
if err = conn.Close(); err != nil {
fmt.Println("error closing the connection", err.Error())
return
}
return return
} }
} }
@@ -288,7 +137,7 @@ func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *contr
go func() { go func() {
err := s.ListenAndServe() err := s.ListenAndServe()
if err != nil && err != http.ErrServerClosed { if err != nil {
panic(err) panic(err)
} }
}() }()
@@ -298,34 +147,3 @@ func Start(ctx context.Context, kclient *kubernetes.Clientset, reconciler *contr
s.Shutdown(ctx) s.Shutdown(ctx)
}() }()
} }
func findVolumeFor(requestData PassphraseRequestData, volumeList *keyserverv1alpha1.SealedVolumeList) *SealedVolumeData {
for _, v := range volumeList.Items {
if requestData.TPMHash == v.Spec.TPMHash {
for _, p := range v.Spec.Partitions {
deviceNameMatches := requestData.DeviceName != "" && p.DeviceName == requestData.DeviceName
uuidMatches := requestData.UUID != "" && p.UUID == requestData.UUID
labelMatches := requestData.Label != "" && p.Label == requestData.Label
secretName := ""
if p.Secret != nil && p.Secret.Name != "" {
secretName = p.Secret.Name
}
secretPath := ""
if p.Secret != nil && p.Secret.Path != "" {
secretPath = p.Secret.Path
}
if labelMatches || uuidMatches || deviceNameMatches {
return &SealedVolumeData{
Quarantined: v.Spec.Quarantined,
SecretName: secretName,
SecretPath: secretPath,
VolumeName: v.Name,
PartitionLabel: p.Label,
}
}
}
}
}
return nil
}

153
pkg/challenger/challenger_test.go
View File

@@ -1,153 +0,0 @@
// [✓] Setup a cluster
// [✓] install crds on it
// - run the server locally
// - make requests to the server to see if we can get passphrases back
package challenger
import (
keyserverv1alpha1 "github.com/kairos-io/kairos-challenger/api/v1alpha1"
. "github.com/onsi/ginkgo/v2"
. "github.com/onsi/gomega"
)
var _ = Describe("challenger", func() {
Describe("findSecretFor", func() {
var requestData PassphraseRequestData
var volumeList *keyserverv1alpha1.SealedVolumeList
BeforeEach(func() {
requestData = PassphraseRequestData{
TPMHash: "1234",
DeviceName: "/dev/sda1",
UUID: "sda1_uuid",
Label: "COS_PERSISTENT",
}
})
When("a sealedvolume matching the label exists", func() {
BeforeEach(func() {
volumeList = volumeListWithPartitionSpec(
keyserverv1alpha1.PartitionSpec{
Label: requestData.Label,
DeviceName: "not_matching",
UUID: "not_matching",
Secret: &keyserverv1alpha1.SecretSpec{
Name: "the_secret",
Path: "the_path",
}})
})
It("returns the sealed volume data", func() {
volumeData := findVolumeFor(requestData, volumeList)
Expect(volumeData).ToNot(BeNil())
Expect(volumeData.Quarantined).To(BeFalse())
Expect(volumeData.SecretName).To(Equal("the_secret"))
Expect(volumeData.SecretPath).To(Equal("the_path"))
})
})
When("a sealedvolume with empty field exists", func() {
BeforeEach(func() {
volumeList = volumeListWithPartitionSpec(
keyserverv1alpha1.PartitionSpec{
Label: "",
DeviceName: "not_matching",
UUID: "not_matching",
Secret: &keyserverv1alpha1.SecretSpec{
Name: "the_secret",
Path: "the_path",
}})
requestData = PassphraseRequestData{
TPMHash: "1234",
Label: "",
DeviceName: "/dev/sda1",
UUID: "sda1_uuid",
}
})
It("doesn't match a request with an empty field", func() {
volumeData := findVolumeFor(requestData, volumeList)
Expect(volumeData).To(BeNil())
})
})
When("a sealedvolume matching the device name exists", func() {
BeforeEach(func() {
volumeList = volumeListWithPartitionSpec(
keyserverv1alpha1.PartitionSpec{
Label: "not_matching",
DeviceName: requestData.DeviceName,
UUID: "not_matching",
Secret: &keyserverv1alpha1.SecretSpec{
Name: "the_secret",
Path: "the_path",
}})
})
It("returns the sealed volume data", func() {
volumeData := findVolumeFor(requestData, volumeList)
Expect(volumeData).ToNot(BeNil())
Expect(volumeData.Quarantined).To(BeFalse())
Expect(volumeData.SecretName).To(Equal("the_secret"))
Expect(volumeData.SecretPath).To(Equal("the_path"))
})
})
When("a sealedvolume matching the UUID exists", func() {
BeforeEach(func() {
volumeList = volumeListWithPartitionSpec(
keyserverv1alpha1.PartitionSpec{
Label: "not_matching",
DeviceName: "not_matching",
UUID: requestData.UUID,
Secret: &keyserverv1alpha1.SecretSpec{
Name: "the_secret",
Path: "the_path",
}})
})
It("returns the sealed volume data", func() {
volumeData := findVolumeFor(requestData, volumeList)
Expect(volumeData).ToNot(BeNil())
Expect(volumeData.Quarantined).To(BeFalse())
Expect(volumeData.SecretName).To(Equal("the_secret"))
Expect(volumeData.SecretPath).To(Equal("the_path"))
})
})
When("a matching sealedvolume doesn't exist", func() {
BeforeEach(func() {
volumeList = volumeListWithPartitionSpec(
keyserverv1alpha1.PartitionSpec{
Label: "not_matching",
DeviceName: "not_matching",
UUID: "not_matching",
Secret: &keyserverv1alpha1.SecretSpec{
Name: "the_secret",
Path: "the_path",
}})
})
It("returns nil sealedVolumeData", func() {
volumeData := findVolumeFor(requestData, volumeList)
Expect(volumeData).To(BeNil())
})
})
})
})
func volumeListWithPartitionSpec(partitionSpec keyserverv1alpha1.PartitionSpec) *keyserverv1alpha1.SealedVolumeList {
return &keyserverv1alpha1.SealedVolumeList{
Items: []keyserverv1alpha1.SealedVolume{
{Spec: keyserverv1alpha1.SealedVolumeSpec{
TPMHash: "1234",
Partitions: []keyserverv1alpha1.PartitionSpec{
partitionSpec,
},
Quarantined: false,
},
},
},
}
}

13
pkg/challenger/suite_test.go
View File

@@ -1,13 +0,0 @@
package challenger_test
import (
"testing"
. "github.com/onsi/ginkgo/v2"
. "github.com/onsi/gomega"
)
func TestEpinio(t *testing.T) {
RegisterFailHandler(Fail)
RunSpecs(t, "Kcrypt challenger suite")
}

4
pkg/constants/secret.go
View File

@@ -1,4 +0,0 @@
package constants
const TPMSecret = "tpm"
const GeneratedByKey = "generated_by"

19
pkg/payload/payload.go
View File

@@ -1,19 +0,0 @@
package payload
type Data struct {
Passphrase string `json:"passphrase"`
Error string `json:"error"`
GeneratedBy string `json:"generated_by"`
}
func (d Data) HasError() bool {
return d.Error != ""
}
func (d Data) HasPassphrase() bool {
return d.Passphrase != ""
}
func (d Data) HasBeenGenerated() bool {
return d.GeneratedBy != ""
}