Add explicit trust establishment

.github/workflows/tests.yml

@@ -158,7 +158,7 @@ jobs:
         run: |
           sudo add-apt-repository ppa:dqlite/dev -y --no-update
           sudo apt-get update
-          sudo apt-get install --no-install-recommends -y libdqlite-dev pkg-config
+          sudo apt-get install --no-install-recommends -y libdqlite-dev pkg-config openvswitch-switch
 
       - name: Build
         run: |

Makefile

@@ -1,4 +1,4 @@
-GOMIN=1.22.5
+GOMIN=1.22.6
 
 .PHONY: default
 default: build

api/services.go

@@ -23,7 +23,7 @@ var ServicesCmd = func(sh *service.Handler) rest.Endpoint {
 		Name:              "services",
 		Path:              "services",
 
-		Put: rest.EndpointAction{Handler: authHandler(sh, servicesPut), AllowUntrusted: true, ProxyTarget: true},
+		Put: rest.EndpointAction{Handler: authHandlerMTLS(sh, servicesPut), ProxyTarget: true},
 	}
 }
 

api/services_auth.go

@@ -1,12 +1,14 @@
 package api
 
 import (
+	"errors"
 	"fmt"
 	"net/http"
 
 	"github.com/canonical/lxd/lxd/response"
 	"github.com/canonical/lxd/lxd/util"
 	"github.com/canonical/lxd/shared/logger"
+	"github.com/canonical/lxd/shared/trust"
 	"github.com/canonical/microcluster/v2/state"
 
 	"github.com/canonical/microcloud/microcloud/service"
@@ -15,8 +17,8 @@ import (
 // endpointHandler is just a convenience for writing clean return types.
 type endpointHandler func(state.State, *http.Request) response.Response
 
-// authHandler ensures a request has been authenticated with the mDNS broadcast secret.
-func authHandler(sh *service.Handler, f endpointHandler) endpointHandler {
+// authHandlerMTLS ensures a request has been authenticated using mTLS.
+func authHandlerMTLS(sh *service.Handler, f endpointHandler) endpointHandler {
 	return func(s state.State, r *http.Request) response.Response {
 		if r.RemoteAddr == "@" {
 			logger.Debug("Allowing unauthenticated request through unix socket")
@@ -25,27 +27,64 @@ func authHandler(sh *service.Handler, f endpointHandler) endpointHandler {
 		}
 
 		// Use certificate based authentication between cluster members.
-		if r.TLS != nil && r.Host == s.Address().URL.Host {
+		if r.TLS != nil {
 			trustedCerts := s.Remotes().CertificatesNative()
 			for _, cert := range r.TLS.PeerCertificates {
+				// First evaluate the permanent turst store.
 				trusted, _ := util.CheckMutualTLS(*cert, trustedCerts)
 				if trusted {
 					return f(s, r)
 				}
+
+				// Second evaluate the temporary trust store.
+				// This is the fallback during the forming of the cluster.
+				trusted, _ = util.CheckMutualTLS(*cert, sh.TemporaryTrustStore())
+				if trusted {
+					return f(s, r)
+				}
 			}
 		}
 
-		secret := r.Header.Get("X-MicroCloud-Auth")
-		if secret == "" {
-			return response.BadRequest(fmt.Errorf("No auth secret in response"))
-		}
+		return response.Forbidden(fmt.Errorf("Failed to authenticate using mTLS"))
+	}
+}
+
+// authHandlerHMAC ensures a request has been authenticated using the HMAC in the Authorization header.
+func authHandlerHMAC(sh *service.Handler, f endpointHandler) endpointHandler {
+	return func(s state.State, r *http.Request) response.Response {
+		sessionFunc := func(session *service.Session) error {
+			h, err := trust.NewHMACArgon2([]byte(session.Passphrase()), nil, trust.NewDefaultHMACConf(HMACMicroCloud10))
+			if err != nil {
+				return err
+			}
+
+			err = trust.HMACEqual(h, r)
+			if err != nil {
+				attemptErr := session.RegisterFailedAttempt()
+				if attemptErr != nil {
+					errorCause := errors.New("Stopping session after too many failed attempts")
+
+					// Immediately stop the session to not allow further join attempts.
+					stopErr := session.Stop(errorCause)
+					if stopErr != nil {
+						return fmt.Errorf("Cannot stop session after too many failed attempts: %w", stopErr)
+					}
+
+					// Log the error and return it to the caller
+					logger.Warn(errorCause.Error())
+					return errorCause
+				}
+
+				return err
+			}
 
-		if sh.AuthSecret == "" {
-			return response.BadRequest(fmt.Errorf("No generated auth secret"))
+			return nil
 		}
 
-		if sh.AuthSecret != secret {
-			return response.SmartError(fmt.Errorf("Request secret does not match, ignoring request"))
+		// Run a r/w transaction against the session as we might stop it due to too many failed attempts.
+		err := sh.SessionTransaction(false, sessionFunc)
+		if err != nil {
+			return response.SmartError(err)
 		}
 
 		return f(s, r)

api/services_cluster.go

@@ -24,7 +24,7 @@ var ServicesClusterCmd = func(sh *service.Handler) rest.Endpoint {
 		Name:              "services/cluster/{name}",
 		Path:              "services/cluster/{name}",
 
-		Delete: rest.EndpointAction{Handler: authHandler(sh, removeClusterMember), AllowUntrusted: true},
+		Delete: rest.EndpointAction{Handler: authHandlerMTLS(sh, removeClusterMember)},
 	}
 }
 

api/services_proxy.go

@@ -47,11 +47,11 @@ func proxy(sh *service.Handler, name, path string, handler endpointHandler) rest
 		Name:              name,
 		Path:              path,
 
-		Get:    rest.EndpointAction{Handler: authHandler(sh, handler), AllowUntrusted: true, ProxyTarget: true},
-		Put:    rest.EndpointAction{Handler: authHandler(sh, handler), AllowUntrusted: true, ProxyTarget: true},
-		Post:   rest.EndpointAction{Handler: authHandler(sh, handler), AllowUntrusted: true, ProxyTarget: true},
-		Patch:  rest.EndpointAction{Handler: authHandler(sh, handler), AllowUntrusted: true, ProxyTarget: true},
-		Delete: rest.EndpointAction{Handler: authHandler(sh, handler), AllowUntrusted: true, ProxyTarget: true},
+		Get:    rest.EndpointAction{Handler: authHandlerMTLS(sh, handler), ProxyTarget: true},
+		Put:    rest.EndpointAction{Handler: authHandlerMTLS(sh, handler), ProxyTarget: true},
+		Post:   rest.EndpointAction{Handler: authHandlerMTLS(sh, handler), ProxyTarget: true},
+		Patch:  rest.EndpointAction{Handler: authHandlerMTLS(sh, handler), ProxyTarget: true},
+		Delete: rest.EndpointAction{Handler: authHandlerMTLS(sh, handler), ProxyTarget: true},
 	}
 }
 

api/services_tokens.go

@@ -22,7 +22,7 @@ var ServiceTokensCmd = func(sh *service.Handler) rest.Endpoint {
 		Name:              "services/{serviceType}/tokens",
 		Path:              "services/{serviceType}/tokens",
 
-		Post: rest.EndpointAction{Handler: authHandler(sh, serviceTokensPost), AllowUntrusted: true, ProxyTarget: true},
+		Post: rest.EndpointAction{Handler: authHandlerMTLS(sh, serviceTokensPost), ProxyTarget: true},
 	}
 }