auth: Make luci-go services trust signatures produced by the token server.

server/auth/authdb/snapshot.go

 // Copyright 2016 The LUCI Authors. All rights reserved.
 // Use of this source code is governed under the Apache License, Version 2.0
 // that can be found in the LICENSE file.
 
 package authdb
 
 import (
         "fmt"
         "net"
         "strings"
+        "sync"
+        "time"
 
         "golang.org/x/net/context"
 
+        "github.com/luci/luci-go/common/clock"
+        "github.com/luci/luci-go/common/data/caching/lazyslot"
         "github.com/luci/luci-go/common/logging"
         "github.com/luci/luci-go/server/auth/identity"
         "github.com/luci/luci-go/server/auth/service/protocol"
+        "github.com/luci/luci-go/server/auth/signing"
         "github.com/luci/luci-go/server/secrets"
 )
 
 // OAuth client_id of https://apis-explorer.appspot.com/.
 const googleAPIExplorerClientID = "292824132082.apps.googleusercontent.com"
 
 // SnapshotDB implements DB using AuthDB proto message.
 //
 // Use NewSnapshotDB to create new instances. Don't touch public fields
 // of existing instances.
 type SnapshotDB struct {
         AuthServiceURL string // where it was fetched from
         Rev            int64  // its revision number
 
         tokenServiceURL string // URL of the token server as provided by Auth service
 
         clientIDs map[string]struct{} // set of allowed client IDs
         groups    map[string]*group   // map of all known groups
         secrets   secrets.StaticStore // secrets shared by all service with this DB
 
         assignments map[identity.Identity]string // IP whitelist assignements
         whitelists  map[string][]net.IPNet       // IP whitelists
+
+        // Certs are loaded lazily in GetCertificates since they are used only when
+        // checking delegation tokens, which is relatively rare.
+        certs lazyslot.Slot
 }
 
+var _ DB = &SnapshotDB{}
+
 // group is a node in a group graph. Nested groups are referenced directly via
 // pointer.
 type group struct {
         members map[identity.Identity]struct{} // set of all members
         globs   []identity.Glob                // list of all identity globs
         nested  []*group                       // pointers to nested groups
 }
 
-var _ DB = &SnapshotDB{}
+// certMap is used in GetCertificate and fetchTrustedCerts.
+type certMap map[identity.Identity]*signing.PublicCertificates
 
 // NewSnapshotDB creates new instance of SnapshotDB.
 //
 // It does some preprocessing to speed up subsequent checks. Return errors if
 // it encounters inconsistencies.
 func NewSnapshotDB(authDB *protocol.AuthDB, authServiceURL string, rev int64) (*SnapshotDB, error) {
         db := &SnapshotDB{
                 AuthServiceURL: authServiceURL,
                 Rev:            rev,
 
                 tokenServiceURL: authDB.GetTokenServerUrl(),
         }
 
+        // Load all trusted certificates lazily and refresh each hour.
+        db.certs.Fetcher = func(c context.Context, prev lazyslot.Value) (lazyslot.Value, error) {
+                mapping, err := db.fetchTrustedCerts(c)
+                if err != nil {
+                        return lazyslot.Value{}, err
+                }
+                return lazyslot.Value{
+                        Value:      mapping,
+                        Expiration: clock.Now(c).Add(time.Hour),
+                }, nil
+        }
+
         // Set of all allowed clientIDs.
         db.clientIDs = make(map[string]struct{}, 2+len(authDB.GetOauthAdditionalClientIds()))
         db.clientIDs[googleAPIExplorerClientID] = struct{}{}
         if authDB.GetOauthClientId() != "" {
                 db.clientIDs[authDB.GetOauthClientId()] = struct{}{}
         }
         for _, cid := range authDB.GetOauthAdditionalClientIds() {
                 if cid != "" {
                         db.clientIDs[cid] = struct{}{}
                 }
@@ skipping 178 matching lines @@
 }
 
 // SharedSecrets is secrets.Store with secrets in Auth DB.
 //
 // Such secrets are usually generated on central Auth Service and are known
 // to all trusted services (so that they can use them to exchange data).
 func (db *SnapshotDB) SharedSecrets(c context.Context) (secrets.Store, error) {
         return db.secrets, nil
 }
 
+// GetCertificates returns a bundle with certificates of a trusted signer.
+func (db *SnapshotDB) GetCertificates(c context.Context, signerID identity.Identity) (*signing.PublicCertificates, error) {
+        val, err := db.certs.Get(c)
+        if err != nil {
+                return nil, err
+        }
+        trustedCertsMap := val.Value.(certMap)
+        return trustedCertsMap[signerID], nil
+}
+
 // GetWhitelistForIdentity returns name of the IP whitelist to use to check
 // IP of requests from given `ident`.
 //
 // It's used to restrict access for certain account to certain IP subnets.
 //
 // Returns ("", nil) if `ident` is not IP restricted.
 func (db *SnapshotDB) GetWhitelistForIdentity(c context.Context, ident identity.Identity) (string, error) {
         return db.assignments[ident], nil
 }
 
@@ skipping 17 matching lines @@
 func (db *SnapshotDB) GetAuthServiceURL(c context.Context) (string, error) {
         return db.AuthServiceURL, nil
 }
 
 // GetTokenServiceURL returns root URL ("https://<host>") of the token server.
 //
 // This is needed to implement authdb.DB interface.
 func (db *SnapshotDB) GetTokenServiceURL(c context.Context) (string, error) {
         return db.tokenServiceURL, nil
 }
+
+//// Implementation details.
+
+// fetchTrustedCerts is called by db.certs to fetch certificates.
+func (db *SnapshotDB) fetchTrustedCerts(c context.Context) (certMap, error) {
+        // TODO(vadimsh): Stop loading certs from AuthServiceURL when all tokens
+        // are generated by the token server.
+        var urls []string
+        if db.tokenServiceURL != "" {
+                urls = []string{db.tokenServiceURL, db.AuthServiceURL}
+        } else {
+                urls = []string{db.AuthServiceURL}
+        }
+
+        certs := make([]*signing.PublicCertificates, len(urls))
+        errs := make([]error, len(urls))
+
+        // Fetch in parallel.
+        wg := sync.WaitGroup{}
+        for i := range urls {
+                wg.Add(1)
+                go func(i int) {
+                        defer wg.Done()
+                        certs[i], errs[i] = signing.FetchCertificatesFromLUCIService(c, urls[i])
+                }(i)
+        }
+        wg.Wait()
+
+        // Each certificate bundle is available under two keys: "service:<app-id>" and
+        // "user:<service-account-name>". This is so because there's one to one
+        // association between GAE apps and corresponding @appspot.gserviceaccount.com
+        // service accounts.
+        mapping := make(certMap, 2*len(certs))
+        for i, cert := range certs {
+                if errs[i] != nil {
+                        return nil, errs[i]
+                }
+                if cert.AppID != "" {
+                        id, err := identity.MakeIdentity("service:" + cert.AppID)
+                        if err != nil {
+                                return nil, fmt.Errorf("invalid app_id %q in fetched certificates bundle - %s", cert.AppID, err)
+                        }
+                        mapping[id] = cert
+                }
+                if cert.ServiceAccountName != "" {
+                        id, err := identity.MakeIdentity("user:" + cert.ServiceAccountName)
+                        if err != nil {
+                                return nil, fmt.Errorf("invalid service_account_name %q in fetched certificates bundle - %s", cert.ServiceAccountName, err)
+                        }
+                        mapping[id] = cert
+                }
+        }
+
+        return mapping, nil
+}