#gpowerd - Add build targets for auth These are used for unit tests in g3 only. Most of the same unit tests are run in the gBMC docker already. PiperOrigin-RevId: 724471150 Change-Id: I94b016038635a4fdd701371b3c999d8f576a0fca
diff --git a/bmc/auth.cc b/bmc/auth.cc index a87cebe..870822b 100644 --- a/bmc/auth.cc +++ b/bmc/auth.cc
@@ -3,81 +3,75 @@ // actuating power cycles on the machine. #include "bmc/auth.h" -#include <gmi/machine_identity.pb.h> #include <gpowerd_build_config.h> -#include <grpcpp/grpcpp.h> +#include <filesystem> // NOLINT(build/c++17) +#include <memory> #include <string> -#include <string_view> -#include <filesystem> // NOLINT +#include <system_error> // NOLINT(build/c++11) +#include <utility> + +#include "bmc/auth_loas3.h" #include "bmc/gmi_reader.h" +#include "absl/log/log.h" +#include "absl/status/status.h" +#include "absl/status/statusor.h" +#include "absl/strings/str_format.h" +#include "grpc/grpc_security_constants.h" +#include "grpcpp/security/authorization_policy_provider.h" #include "grpcpp/security/server_credentials.h" #include "grpcpp/security/tls_certificate_provider.h" #include "grpcpp/security/tls_certificate_verifier.h" #include "grpcpp/security/tls_credentials_options.h" -#include "grpcpp/ext/proto_server_reflection_plugin.h" -#include "grpcpp/health_check_service_interface.h" -#include "absl/base/log_severity.h" -#include "absl/log/log.h" -#include "absl/strings/str_format.h" -#include "absl/status/statusor.h" +#include "grpcpp/server_builder.h" +#include "grpcpp/support/status.h" #include "zatar/generate_self_signed_cert.h" -#include "bmc/auth_loas3.h" - namespace auth { -using ::grpc::experimental::TlsCustomVerificationCheckRequest; +using ::grpc::experimental::AuthorizationPolicyProviderInterface; using ::grpc::experimental::ExternalCertificateVerifier; -using ::grpc::ServerBuilder; +using ::grpc::experimental::FileWatcherAuthorizationPolicyProvider; using ::grpc::experimental::FileWatcherCertificateProvider; using ::grpc::experimental::TlsServerCredentials; using ::grpc::experimental::TlsServerCredentialsOptions; -using ::grpc::experimental::AuthorizationPolicyProviderInterface; using ::milotic::authn::SelfSignedCertOptions; -using ::grpc::experimental::FileWatcherAuthorizationPolicyProvider; - -absl::StatusOr<std::shared_ptr<grpc::ServerCredentials>> GetCredsInfo() -{ - #ifdef LOAS3_AUTH +absl::StatusOr<std::shared_ptr<grpc::ServerCredentials>> GetCredsInfo() { +#ifdef LOAS3_AUTH SetupLoas3(); - #else +#else LOG(WARNING) << "LOAS3 is not enabled"; - #endif +#endif std::error_code file_error; bool file_exist = std::filesystem::exists(kZatarCertFilePath, file_error); - if (file_error) - { + if (file_error) { return absl::NotFoundError("tls file path error: " + file_error.message() + - "file path: "+ std::string(kZatarCertFilePath)); + "file path: " + std::string(kZatarCertFilePath)); } std::string keypair_path; - if (file_exist) - { + if (file_exist) { keypair_path = std::string(kZatarCertFilePath); } else { - // cert is not present (self sign a cert) + // cert is not present (self sign a cert) keypair_path = absl::StrFormat("/tmp/gpowerd_self_signed_%d.pem", getpid()); - absl::StatusOr<std::string> host_name = gmi_reader::ReadGmiHostName();; - { - absl::Status errStatus = host_name.status(); - return absl::NotFoundError("unable to read gmi host name: " + - std::string(errStatus.message())); + absl::StatusOr<std::string> host_name = gmi_reader::ReadGmiHostName(); + if (!host_name.ok()) { + LOG(ERROR) << "unable to read gmi host name: " << host_name.status(); + return host_name.status(); } SelfSignedCertOptions option; option.server_fqdn = *host_name; if (absl::Status status = GenerateSelfSignedCertAndDump(keypair_path, option); - !status.ok()) - { - return absl::UnavailableError("unable to write self signed cert: " + - std::string(status.message())); + !status.ok()) { + LOG(ERROR) << "unable to write self signed cert: " << status; + return status; } } auto certificateProvider = std::make_shared<FileWatcherCertificateProvider>( - keypair_path, keypair_path, std::string(kTrustBundleFilePath), + keypair_path, keypair_path, std::string(kTrustBundleFilePath), /* refresh_interval_sec */ 30); TlsServerCredentialsOptions options(certificateProvider); @@ -86,37 +80,32 @@ options.watch_identity_key_cert_pairs(); options.set_cert_request_type( GRPC_SSL_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY); - #ifdef LOAS3_AUTH +#ifdef LOAS3_AUTH auto cert_verifier = ExternalCertificateVerifier::Create<PeerVerifier>(); options.set_certificate_verifier(std::move(cert_verifier)); - #endif +#endif std::shared_ptr<grpc::ServerCredentials> tlsServerCredentials = - TlsServerCredentials(options); - if (tlsServerCredentials == nullptr) - { - LOG(ERROR) << "tls Server Credentials error:"; + TlsServerCredentials(options); + if (tlsServerCredentials == nullptr) { + LOG(ERROR) << "tls Server Credentials error:"; return absl::NotFoundError("tls Server Credentials error"); } return tlsServerCredentials; } absl::StatusOr<std::shared_ptr<AuthorizationPolicyProviderInterface>> - GetAuthPolicy() -{ - grpc::Status policy_status; - std::shared_ptr<AuthorizationPolicyProviderInterface> policy = - FileWatcherAuthorizationPolicyProvider::Create( - std::string(kGpowerDCertAuthZPolicy), - /* policy refresh_interval_sec = 30 */ 30, &policy_status); - if (!policy_status.ok()) - { - return absl::NotFoundError("failed to load policy file error: " + - policy_status.error_message() + - "file path:" + - std::string(kGpowerDCertAuthZPolicy)); - } - return policy; +GetAuthPolicy() { + grpc::Status policy_status; + std::shared_ptr<AuthorizationPolicyProviderInterface> policy = + FileWatcherAuthorizationPolicyProvider::Create( + std::string(kGpowerDCertAuthZPolicy), + /* policy refresh_interval_sec = 30 */ 30, &policy_status); + if (!policy_status.ok()) { + return absl::NotFoundError( + "failed to load policy file error: " + policy_status.error_message() + + "file path:" + std::string(kGpowerDCertAuthZPolicy)); + } + return policy; } } // namespace auth -
diff --git a/bmc/auth.h b/bmc/auth.h index 2fed7bc..fcfa9c9 100644 --- a/bmc/auth.h +++ b/bmc/auth.h
@@ -1,36 +1,28 @@ #ifndef PRODUCTION_SUSHID_SAFEPOWER_AGENT_BMC_AUTH_H_ #define PRODUCTION_SUSHID_SAFEPOWER_AGENT_BMC_AUTH_H_ -#include <grpcpp/grpcpp.h> +#include <memory> -#include <string> -#include <string_view> - +#include "absl/status/statusor.h" +#include "absl/strings/string_view.h" +#include "grpcpp/security/authorization_policy_provider.h" #include "grpcpp/security/server_credentials.h" -#include "grpcpp/security/tls_certificate_provider.h" -#include "grpcpp/security/tls_certificate_verifier.h" -#include "grpcpp/security/tls_credentials_options.h" -#include "grpcpp/ext/proto_server_reflection_plugin.h" -#include "grpcpp/health_check_service_interface.h" namespace auth { -using ::grpc::experimental::AuthorizationPolicyProviderInterface; +constexpr absl::string_view kZatarCertFilePath = + "/var/volatile/prodid/server.pem"; +constexpr absl::string_view kGpowerDCertAuthZPolicy = + "/var/google/authz_policies/gpowerd_authz_policy.json"; +constexpr absl::string_view kTrustBundleFilePath = + "/var/google/trust_bundle/trust_bundle.pem"; -constexpr absl::string_view kZatarCertFilePath - = "/var/volatile/prodid/server.pem"; -constexpr absl::string_view kGpowerDCertAuthZPolicy - = "/var/google/authz_policies/gpowerd_authz_policy.json"; -constexpr absl::string_view kTrustBundleFilePath - = "/var/google/trust_bundle/trust_bundle.pem"; +absl::StatusOr<std::shared_ptr<grpc::ServerCredentials>> GetCredsInfo(); -absl::StatusOr<std::shared_ptr<grpc::ServerCredentials> > GetCredsInfo(); - -absl::StatusOr<std::shared_ptr<AuthorizationPolicyProviderInterface> > - GetAuthPolicy(); +absl::StatusOr< + std::shared_ptr<::grpc::experimental::AuthorizationPolicyProviderInterface>> +GetAuthPolicy(); } // namespace auth - - #endif // PRODUCTION_SUSHID_SAFEPOWER_AGENT_BMC_AUTH_H_
diff --git a/bmc/auth_loas3.h b/bmc/auth_loas3.h index 2efb89a..78b68a2 100644 --- a/bmc/auth_loas3.h +++ b/bmc/auth_loas3.h
@@ -1,81 +1,73 @@ #ifndef PRODUCTION_SUSHID_SAFEPOWER_AGENT_BMC_AUTH_LOAS3_H_ #define PRODUCTION_SUSHID_SAFEPOWER_AGENT_BMC_AUTH_LOAS3_H_ +// THIS FILE IS NOT SUPPORTED BY THE gbmc-docker UT ENVIRONMENT +#ifdef LOAS3_AUTH -// THIS FILE IS NOT SUPPORTED BY THE UT ENVIRONMENT -#if LOAS3_AUTH +#include <cstddef> +#include <functional> +#include <ostream> +#include <vector> + +#include "absl/strings/str_cat.h" +#include "absl/strings/string_view.h" +#include "grpcpp/support/status.h" +#include "grpcpp/support/string_ref.h" // this file is not supported by the gBMC unit test framework, -// but it is supported by the bitbake firmaware builds +// but it is supported by the bitbake firmware builds #include <gpowerd_build_config.h> -#include <grpcpp/grpcpp.h> -#include <string> -#include <string_view> -#include "bmc/gmi_reader.h" -#include "grpcpp/security/server_credentials.h" -#include "grpcpp/security/tls_certificate_provider.h" #include "grpcpp/security/tls_certificate_verifier.h" -#include "grpcpp/security/tls_credentials_options.h" -#include "grpcpp/ext/proto_server_reflection_plugin.h" -#include "absl/base/log_severity.h" #include "absl/log/log.h" -// This header does not exist in the ut environment +// This header does not exist in the gBMC unit test framework ut environment #include "security/zatar/loas3_validation/validation/validation.h" - namespace auth { -using ::grpc::experimental::TlsCustomVerificationCheckRequest; using ::grpc::experimental::ExternalCertificateVerifier; +using ::grpc::experimental::TlsCustomVerificationCheckRequest; -void SetupLoas3(){ +static inline void SetupLoas3() { LOG(INFO) << "Setting up LOAS3"; security::SetCertificateAuthorityPolicyFilePath( - "/var/google/loas3/policy.pb"); + "/var/google/loas3/policy.pb"); } -std::vector<std::string_view> - ToStringViewVector(const std::vector<grpc::string_ref>& string_refs) -{ - std::vector<std::string_view> strs(string_refs.size()); - for (size_t i = 0; i < string_refs.size(); ++i) - { - strs[i] = - std::string_view(string_refs[i].data(), string_refs[i].size()); - } - return strs; +static std::vector<absl::string_view> ToStringViewVector( + const std::vector<grpc::string_ref>& string_refs) { + std::vector<absl::string_view> strs(string_refs.size()); + for (size_t i = 0; i < string_refs.size(); ++i) { + strs[i] = absl::string_view(string_refs[i].data(), string_refs[i].size()); + } + return strs; } -class PeerVerifier : public ExternalCertificateVerifier -{ +class PeerVerifier : public ExternalCertificateVerifier { public: - PeerVerifier() = default; - ~PeerVerifier() override = default; - bool Verify([[maybe_unused]] TlsCustomVerificationCheckRequest* request, - std::function<void(grpc::Status)>, - grpc::Status* sync_status) override - { - std::vector<std::string_view> peer_uri_names = - ToStringViewVector(request->uri_names()); - std::vector<std::string_view> peer_dns_names = - ToStringViewVector(request->dns_names()); - absl::Status status = security::ValidatePeer( - peer_uri_names, peer_dns_names, - request->verified_root_cert_subject().data()); - if (!status.ok()) - { - *sync_status = - grpc::Status(grpc::StatusCode::PERMISSION_DENIED, - // This is from Federation policy check - absl::StrCat("From Federation policy check: ", - status.message())); - LOG(ERROR) << status.message() << std::endl; - } - return true; + PeerVerifier() = default; + ~PeerVerifier() override = default; + bool Verify([[maybe_unused]] TlsCustomVerificationCheckRequest* request, + std::function<void(grpc::Status)>, + grpc::Status* sync_status) override { + std::vector<absl::string_view> peer_uri_names = + ToStringViewVector(request->uri_names()); + std::vector<absl::string_view> peer_dns_names = + ToStringViewVector(request->dns_names()); + absl::Status status = + security::ValidatePeer(peer_uri_names, peer_dns_names, + request->verified_root_cert_subject().data()); + if (!status.ok()) { + *sync_status = grpc::Status( + grpc::StatusCode::PERMISSION_DENIED, + // This is from Federation policy check + absl::StrCat("From Federation policy check: ", status.message())); + LOG(ERROR) << status.message() << std::endl; } - void Cancel(TlsCustomVerificationCheckRequest*) override {} + return true; + } + void Cancel(TlsCustomVerificationCheckRequest*) override {} }; } // namespace auth