

v0.0.5-beta (#14)
* v0.0.5-beta

* v0.0.5-beta
yangkenneth authored Dec 15, 2023
1 parent aa9c144 commit 11d5ec3
Showing 73 changed files with 2,157 additions and 1,571 deletions.
3 changes: 1 addition & 2 deletions .dockerignore
@@ -1,12 +1,11 @@
config/*.yml
docs/
examples/
pkg/
test/
terraform/
.github/

*.md
.dockerignore
.git
.gitignore
.github/
32 changes: 16 additions & 16 deletions .github/workflows/release_build.yml
Expand Up @@ -8,7 +8,6 @@ env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}


jobs:
build:

Expand All @@ -21,40 +20,41 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v3

# Workaround: https://github.com/docker/build-push-action/issues/461
- name: Setup Docker buildx
uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf
# QEMU
- name: QEMU
uses: docker/setup-qemu-action@v3

# Setup Docker BuildX
- name: Setup Docker BuildX
uses: docker/setup-buildx-action@v3

# Login against a Docker registry except on PR
# https://github.com/docker/login-action
- name: Log into registry ${{ env.REGISTRY }}
# Login Docker Registry
- name: Log Registry ${{ env.REGISTRY }}
if: github.event_name != 'pull_request'
uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
uses: docker/login-action@v1
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

# Extract metadata (tags, labels) for Docker
# https://github.com/docker/metadata-action
# Extract Metadata for Docker
- name: Extract Docker Metadata
id: meta
uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=ref,event=tag
type=sha
# Build and push Docker image with Buildx (don't push on PR)
# https://github.com/docker/build-push-action
# Build and Push Docker Image with BuildX
- name: Build and Push Docker Image
id: build-and-push
uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
uses: docker/build-push-action@v5
with:
context: .
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
platforms: linux/amd64,linux/arm64
cache-from: type=gha
cache-to: type=gha,mode=max
cache-to: type=gha,mode=max
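Review bot: The action references in this hunk replace full commit SHAs with mutable tags (`docker/login-action@v1`, `docker/metadata-action@v5`, `docker/build-push-action@v5`, `docker/setup-buildx-action@v3`, and the new `docker/setup-qemu-action@v3`), so a moved or re-tagged upstream release changes what runs in a job that pushes to the registry with `secrets.GITHUB_TOKEN`. Pin each step to a commit and keep the version readable in a trailing comment, e.g. `uses: docker/login-action@<commit-sha> # v3`. `login-action@v1` also looks older than the pinned SHA it replaces; worth confirming that the intended major version is v1 rather than a newer one before the pin is restored.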
25 changes: 21 additions & 4 deletions Dockerfile
@@ -1,24 +1,41 @@
# Build Image
FROM golang:1.20 as builder
FROM golang:1.21 as builder

# Docker BuildX Target Architecture
ARG TARGETARCH

ENV CGO_ENABLED=0
WORKDIR /baseca
COPY . /baseca
RUN apt update && apt clean && make build

# Build ARM64 or AMD64 Binary
RUN apt update && apt clean && \
if [ "$TARGETARCH" = "amd64" ]; then \
make build_amd64; \
elif [ "$TARGETARCH" = "arm64" ]; then \
make build_arm64; \
else \
echo "Unsupported Architecture [$TARGETARCH]"; \
exit 1; \
fi

# Deploy Image
FROM alpine:3.17

# Non-Root User
RUN adduser --home /home/baseca baseca --gecos "baseca" --disabled-password && \
apk --no-cache add ca-certificates && \
rm -rf /var/cache/apk/*

# Copy Binary and Configuration from Build Image
COPY --from=builder /baseca/target/bin/linux/baseca /home/baseca/baseca
COPY --from=builder /baseca/config /home/baseca/config

# Permissions for Non-Root User
RUN chown -R baseca:baseca /home/baseca

# Switch to Non-Root User
USER baseca
WORKDIR /home/baseca

CMD ["/home/baseca/baseca"]
# Execute coinbase/baseca
CMD ["/home/baseca/baseca"]
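Review bot: `RUN chown -R baseca:baseca /home/baseca` gives the runtime user ownership of the binary and of `config/`, so a compromised process can rewrite its own executable or configuration; if the service does not need to write there, leave the copied files root-owned and make them world-readable instead, e.g. `COPY --from=builder --chown=root:root /baseca/target/bin/linux/baseca /home/baseca/baseca` followed by `RUN chmod -R a+rX /home/baseca`, creating a separate writable directory only if one is required. The `apt update && apt clean` prefix on the build step installs nothing, so it can be dropped unless `make build_*` depends on a refreshed package index. Pinning `golang:1.21` and `alpine:3.17` by digest would make the image reproducible independent of tag moves.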
10 changes: 9 additions & 1 deletion Makefile
Expand Up @@ -29,9 +29,17 @@ test: info clean dependencies

.PHONY: build
build: info clean
@ GOOS=darwin GOARCH=amd64 go build $(LDFLAGS) -o $(BIN)/darwin/$(SERVICE) cmd/baseca/server.go
@ GOOS=darwin GOARCH=amd64 go build $(LDFLAGS) -o $(BIN)/amd64/$(SERVICE) cmd/baseca/server.go
@ GOOS=darwin GOARCH=arm64 go build $(LDFLAGS) -o $(BIN)/arm64/$(SERVICE) cmd/baseca/server.go

.PHONY: build_amd64
build_amd64: info clean
@ GOOS=linux GOARCH=amd64 go build $(LDFLAGS) -o $(BIN)/linux/$(SERVICE) cmd/baseca/server.go

.PHONY: build_arm64
build_arm64: info clean
@ GOOS=linux GOARCH=arm64 go build $(LDFLAGS) -o $(BIN)/linux/$(SERVICE) cmd/baseca/server.go

.PHONY: sqlc
sqlc:
@ sqlc generate -f db/sqlc.yaml
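Review bot: `build_amd64` and `build_arm64` both write to `$(BIN)/linux/$(SERVICE)`, so running both targets on one machine silently overwrites the first binary, and the path no longer says which architecture it holds. Including the architecture in the output path, `-o $(BIN)/linux/amd64/$(SERVICE)` and `-o $(BIN)/linux/arm64/$(SERVICE)`, would mirror the `amd64`/`arm64` layout the `build` target now uses; the Dockerfile's `COPY --from=builder /baseca/target/bin/linux/baseca` would then need the matching `$TARGETARCH` segment. Adding `-trimpath` to the release builds keeps local filesystem paths out of the shipped binary.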
19 changes: 19 additions & 0 deletions config/aws/ec2.amazonaws.com.crt
@@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
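Review bot: The new `config/aws/ec2.amazonaws.com.crt` carries no record of where it was obtained or when it expires, yet whatever verifies EC2 instance identity documents against it trusts this file as-is. Document the source (the AWS page it was copied from and the region it applies to) and its NotAfter date alongside the file or in docs, and add a test that the PEM parses and is within its validity period so an expired or mis-copied certificate fails in CI rather than at attestation time. AWS publishes region-specific signing certificates, so if deployments span regions a single file may not be sufficient — worth confirming against the code that loads it, which is outside this diff.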
File renamed without changes.
13 changes: 2 additions & 11 deletions db/sqlc/common.go
@@ -1,25 +1,16 @@
package db

import "github.com/coinbase/baseca/internal/types"

type CertificateResponseData struct {
Certificate string `json:"certificate"`
IntermediateCertificateChain string `json:"intermediate_certificate_chain,omitempty"`
RootCertificateChain string `json:"root_certificate_chain,omitempty"`
Metadata types.CertificateMetadata `json:"metadata"`
}

type DatabaseEndpoints struct {
Writer Store
Reader Store
}

type CachedServiceAccount struct {
type ServiceAccountAttestation struct {
ServiceAccount Account `json:"service_account"`
AwsIid AwsAttestation `json:"aws_iid"`
}

type CachedProvisionerAccount struct {
type ProvisionerAccountAttestation struct {
ProvisionerAccount Provisioner `json:"provisioner_account"`
AwsIid AwsAttestation `json:"aws_iid"`
}
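Review bot: `ServiceAccountAttestation` and `ProvisionerAccountAttestation` are exported but have no doc comment, and the rename away from `Cached…` makes the intent less self-evident; add one per type, e.g. `// ServiceAccountAttestation pairs a service account with the AWS instance identity attestation recorded for it.` and the analogous line for the provisioner type (presumably the same pairing — confirm against the callers). The `AwsIid` field keeps its old casing; Go style would be `AWSIID`, but since the JSON tag stays `aws_iid` and every caller would change, it is reasonable to leave it unless the package is being reworked anyway.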
3 changes: 2 additions & 1 deletion db/sqlc/tx_provisioner_account.go
Expand Up @@ -3,6 +3,7 @@ package db
import (
"context"

"github.com/coinbase/baseca/internal/types"
"github.com/google/uuid"
)

Expand All @@ -19,7 +20,7 @@ func (store *SQLStore) TxCreateProvisionerAccount(ctx context.Context, arg Creat

for _, node_attestation := range arg.NodeAttestation {
switch node_attestation {
case "AWS_IID":
case types.AWS_IID.String():
// Add to AWS_IID Database
_, err = store.StoreInstanceIdentityDocument(ctx, iid)
if err != nil {
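Review bot: `case types.AWS_IID.String():` compares the raw entry of `arg.NodeAttestation` with the enum's string form, so a name that matches no case is skipped silently unless the switch has a `default` below the hunk (the rest of the switch and of `TxCreateProvisionerAccount` is outside this view). If there is none, a `default:` that returns an error naming the unrecognized value, e.g. `default: return nil, fmt.Errorf("unsupported node attestation %q", node_attestation)` adjusted to the function's return shape, stops a typo in a request from creating an account with no attestation at all. The same switch is changed in `TxCreateServiceAccount` (db/sqlc/tx_service_account.go) and `TxUpdateServiceAccount` (db/sqlc/tx_update_account.go) and deserves the same check.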
3 changes: 2 additions & 1 deletion db/sqlc/tx_service_account.go
Expand Up @@ -3,6 +3,7 @@ package db
import (
"context"

"github.com/coinbase/baseca/internal/types"
"github.com/google/uuid"
)

Expand All @@ -19,7 +20,7 @@ func (store *SQLStore) TxCreateServiceAccount(ctx context.Context, arg CreateSer

for _, node_attestation := range arg.NodeAttestation {
switch node_attestation {
case "AWS_IID":
case types.AWS_IID.String():
// Add to AWS_IID Database
_, err = store.StoreInstanceIdentityDocument(ctx, iid)
if err != nil {
16 changes: 8 additions & 8 deletions db/sqlc/tx_update_account.go
Expand Up @@ -26,19 +26,19 @@ func (store *SQLStore) TxUpdateServiceAccount(ctx context.Context, arg Account,
NodeAttestation: arg.NodeAttestation,
}

raw_message, err := validator.MapToNullRawMessage(attestation.AWSInstanceIdentityDocument.InstanceTags)
raw_message, err := validator.MapToNullRawMessage(attestation.EC2NodeAttestation.InstanceTags)
if err != nil {
return nil, err
}

iid := StoreInstanceIdentityDocumentParams{
ClientID: arg.ClientID,
RoleArn: sql.NullString{String: attestation.AWSInstanceIdentityDocument.RoleArn, Valid: len(attestation.AWSInstanceIdentityDocument.RoleArn) != 0},
AssumeRole: sql.NullString{String: attestation.AWSInstanceIdentityDocument.AssumeRole, Valid: len(attestation.AWSInstanceIdentityDocument.AssumeRole) != 0},
SecurityGroupID: attestation.AWSInstanceIdentityDocument.SecurityGroups,
Region: sql.NullString{String: attestation.AWSInstanceIdentityDocument.Region, Valid: len(attestation.AWSInstanceIdentityDocument.Region) != 0},
InstanceID: sql.NullString{String: attestation.AWSInstanceIdentityDocument.InstanceID, Valid: len(attestation.AWSInstanceIdentityDocument.InstanceID) != 0},
ImageID: sql.NullString{String: attestation.AWSInstanceIdentityDocument.ImageID, Valid: len(attestation.AWSInstanceIdentityDocument.ImageID) != 0},
RoleArn: sql.NullString{String: attestation.EC2NodeAttestation.RoleArn, Valid: len(attestation.EC2NodeAttestation.RoleArn) != 0},
AssumeRole: sql.NullString{String: attestation.EC2NodeAttestation.AssumeRole, Valid: len(attestation.EC2NodeAttestation.AssumeRole) != 0},
SecurityGroupID: attestation.EC2NodeAttestation.SecurityGroups,
Region: sql.NullString{String: attestation.EC2NodeAttestation.Region, Valid: len(attestation.EC2NodeAttestation.Region) != 0},
InstanceID: sql.NullString{String: attestation.EC2NodeAttestation.InstanceID, Valid: len(attestation.EC2NodeAttestation.InstanceID) != 0},
ImageID: sql.NullString{String: attestation.EC2NodeAttestation.ImageID, Valid: len(attestation.EC2NodeAttestation.ImageID) != 0},
InstanceTags: raw_message,
}

Expand All @@ -52,7 +52,7 @@ func (store *SQLStore) TxUpdateServiceAccount(ctx context.Context, arg Account,

for _, node_attestation := range arg.NodeAttestation {
switch node_attestation {
case types.Attestation.AWS_IID:
case types.AWS_IID.String():
// Add to AWS_IID Database
_, err = store.StoreInstanceIdentityDocument(ctx, iid)
if err != nil {
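Review bot: The six `sql.NullString{String: x, Valid: len(x) != 0}` lines in the first hunk repeat the same construction with the new `attestation.EC2NodeAttestation` prefix, which is exactly the shape where a rename goes wrong in one field and reads past review. A small file-level helper plus a local alias keeps each line down to the field name and makes the empty-string-means-NULL rule explicit in one place; `TxUpdateServiceAccount` begins and ends outside this hunk, so only the literal is shown.
```go
// nullString returns s as a valid sql.NullString, or a NULL when s is empty.
func nullString(s string) sql.NullString {
	return sql.NullString{String: s, Valid: s != ""}
}

	// … unchanged: attestation / raw_message setup …
	ec2 := attestation.EC2NodeAttestation
	iid := StoreInstanceIdentityDocumentParams{
		ClientID:        arg.ClientID,
		RoleArn:         nullString(ec2.RoleArn),
		AssumeRole:      nullString(ec2.AssumeRole),
		SecurityGroupID: ec2.SecurityGroups,
		Region:          nullString(ec2.Region),
		InstanceID:      nullString(ec2.InstanceID),
		ImageID:         nullString(ec2.ImageID),
		InstanceTags:    raw_message,
	}
```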
10 changes: 4 additions & 6 deletions docs/GETTING_STARTED.md
Expand Up @@ -221,13 +221,11 @@ ssl_mode: disable
Compile the Golang Binary `baseca`

```sh
# Darwin AMD64
GOOS=darwin GOARCH=amd64 go build -o target/bin/darwin/baseca cmd/baseca/server.go
database_credentials=secret ./target/bin/darwin/baseca
cd /path/to/baseca
make build
# Linux AMD64
GOOS=linux GOARCH=amd64 go build -o target/bin/linux/baseca cmd/baseca/server.go
database_credentials=secret ./target/bin/linux/baseca
# Update Path Based on AMD64 or ARM64 Architecture
database_credentials=secret ./target/bin/arm64/baseca
```

## Signing x.509 Certificate
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ package examples

import (
"crypto/x509"
"fmt"
"log"
"os"

baseca "github.com/coinbase/baseca/pkg/client"
Expand All @@ -22,12 +22,12 @@ func CodeSign() {

client, err := baseca.LoadDefaultConfiguration(configuration, baseca.Attestation.Local, authentication)
if err != nil {
fmt.Println(err)
log.Fatal(err)
}

metadata := baseca.CertificateRequest{
CommonName: "sandbox.coinbase.com",
SubjectAlternateNames: []string{"sandbox.coinbase.com"},
CommonName: "example.coinbase.com",
SubjectAlternateNames: []string{"example.coinbase.com"},
SigningAlgorithm: x509.ECDSAWithSHA384,
PublicKeyAlgorithm: x509.ECDSA,
KeySize: 256,
Expand All @@ -45,28 +45,33 @@ func CodeSign() {
}

data, _ := os.ReadFile("/bin/chmod")
signature, chain, err := client.GenerateSignature(metadata, data)
signature, chain, err := client.GenerateSignature(metadata, &data)
if err != nil {
panic(err)
log.Fatal(err)
}

// Validation Happens on Different Server
manifest := types.Manifest{
CertificateChain: chain,
Signature: *signature,
Data: data,
SigningAlgorithm: x509.SHA256WithRSA,
Signature: signature,
SigningAlgorithm: x509.ECDSAWithSHA512,
Data: types.Data{
Path: types.Path{
File: "/bin/chmod",
Buffer: 4096,
},
},
}

tc := types.TrustChain{
CommonName: "sandbox.coinbase.com",
CertificateAuthorityFiles: []string{"/path/to/intermediate.pem"},
CertificateAuthorityFiles: []string{"/path/to/intermediate_ca.crt"},
}

err = client.ValidateSignature(tc, manifest)
err = baseca.ValidateSignature(tc, manifest)
if err != nil {
panic(err)
log.Fatal(err)
}

fmt.Println("Signature Verified")
log.Print("Signature Verified")
}
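Review bot: After the request's `CommonName` moves to `example.coinbase.com`, the `types.TrustChain` literal further down still reads `CommonName: "sandbox.coinbase.com"`, so if `ValidateSignature` compares it with the leaf certificate this example now fails on its own data; change it to `CommonName: "example.coinbase.com",`. The manifest declares `SigningAlgorithm: x509.ECDSAWithSHA512` while the certificate was requested with `x509.ECDSAWithSHA384`; if the manifest value has to match what `GenerateSignature` actually used, confirm which of the two is right. The context line `data, _ := os.ReadFile("/bin/chmod")` still discards the read error, so a missing file would sign an empty buffer — handle it with `log.Fatal` like the other errors this commit converts.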
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,6 @@ package examples

import (
"crypto/x509"
"fmt"
"log"

apiv1 "github.com/coinbase/baseca/gen/go/baseca/v1"
Expand All @@ -22,7 +21,7 @@ func OperationsSignCSR() {

client, err := baseca.LoadDefaultConfiguration(configuration, baseca.Attestation.Local, authentication)
if err != nil {
fmt.Println(err)
log.Fatal(err)
}

certAuth := apiv1.CertificateAuthorityParameter{
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,6 @@ package examples

import (
"crypto/x509"
"fmt"
"log"

baseca "github.com/coinbase/baseca/pkg/client"
Expand All @@ -21,15 +20,15 @@ func SignCSR() {

client, err := baseca.LoadDefaultConfiguration(configuration, baseca.Attestation.Local, authentication)
if err != nil {
fmt.Println(err)
log.Fatal(err)
}

metadata := baseca.CertificateRequest{
CommonName: "sandbox.coinbase.com",
SubjectAlternateNames: []string{"sandbox.coinbase.com"},
SigningAlgorithm: x509.SHA384WithRSA,
PublicKeyAlgorithm: x509.RSA,
KeySize: 4096,
CommonName: "example.coinbase.com",
SubjectAlternateNames: []string{"example.coinbase.com"},
SigningAlgorithm: x509.ECDSAWithSHA384,
PublicKeyAlgorithm: x509.ECDSA,
KeySize: 256,
DistinguishedName: baseca.DistinguishedName{
Organization: []string{"Coinbase"},
// Additional Fields
