auth: Make luci-go services trust signatures produced by the token server.

server/auth/delegation/checker.go

 // Copyright 2016 The LUCI Authors. All rights reserved.
 // Use of this source code is governed under the Apache License, Version 2.0
 // that can be found in the LICENSE file.
 
 package delegation
 
 import (
         "encoding/base64"
         "fmt"
         "strings"
@@ skipping 32 matching lines @@
         // verified.
         ErrUnsignedDelegationToken = errors.New("auth: unsigned delegation token")
 
         // ErrForbiddenDelegationToken is returned if token is structurally correct,
         // but some of its constraints prevents it from being used. For example, it is
         // already expired or it was minted for some other services, etc. See logs for
         // details.
         ErrForbiddenDelegationToken = errors.New("auth: forbidden delegation token")
 )
 
-// CertificatesProvider is accepted by 'CheckToken'.
+// CertificatesProvider is used by 'CheckToken', it is implemented by authdb.DB.
+//
+// It returns certificates of services trusted to sign tokens.
 type CertificatesProvider interface {
-        // GetAuthServiceCertificates returns a bundle with certificates of a primary
-        // auth service.
-        GetAuthServiceCertificates(c context.Context) (*signing.PublicCertificates, error)
+        // GetCertificates returns a bundle with certificates of a trusted signer.
+        //
+        // Returns (nil, nil) if the given signer is not trusted.
+        //
+        // Returns errors (usually transient) if the bundle can't be fetched.
+        GetCertificates(c context.Context, id identity.Identity) (*signing.PublicCertificates, error)
 }
 
-// GroupsChecker is accepted by 'CheckToken'.
+// GroupsChecker is accepted by 'CheckToken', it is implemented by authdb.DB.
 type GroupsChecker interface {
         // IsMember returns true if the given identity belongs to the given group.
         //
         // Unknown groups are considered empty. May return errors if underlying
         // datastore has issues.
         IsMember(c context.Context, id identity.Identity, group string) (bool, error)
 }
 
 // CheckTokenParams is passed to CheckToken.
 type CheckTokenParams struct {
         Token                string               // the delegation token to check
         PeerID               identity.Identity    // identity of the caller, as extracted from its credentials
-        CertificatesProvider CertificatesProvider // returns auth service certificates
+        CertificatesProvider CertificatesProvider // returns certificates with trusted keys
         GroupsChecker        GroupsChecker        // knows how to do group lookups
         OwnServiceIdentity   identity.Identity    // identity of the current service
 }
 
 // CheckToken verifies validity of a delegation token.
 //
 // If the token is valid, it returns the delegated identity (embedded in the
 // token).
 //
 // May return transient errors.
@@ skipping 35 matching lines @@
         if err = proto.Unmarshal(blob, tok); err != nil {
                 return nil, err
         }
         return tok, nil
 }
 
 // unsealToken verifies token's signature and deserializes the subtoken.
 //
 // May return transient errors.
 func unsealToken(c context.Context, tok *messages.DelegationToken, certsProvider CertificatesProvider) (*messages.Subtoken, error) {
-        // Grab the public keys of the primary auth service. It is the service that
-        // signs tokens.
-        //
-        // TODO(vadimsh): There's 'signer_id' field in the DelegationToken proto. We
-        // ignore it for now. If we ever support multiple trusted signers, we'd need
-        // to start using it to pick the correct public key. For now only the central
-        // auth service is trusted, so we just grab its certs.
-        certs, err := certsProvider.GetAuthServiceCertificates(c)
+        // Grab the public keys of the service that signed the token, if we trust it.
+        signerID, err := identity.MakeIdentity(tok.SignerId)
         if err != nil {
-                return nil, err
+                return nil, fmt.Errorf("bad signer_id %q - %s", tok.SignerId, err)
+        }
+        certs, err := certsProvider.GetCertificates(c, signerID)
+        switch {
+        case err != nil:
+                return nil, fmt.Errorf("failed to grab certificates of %q - %s", tok.SignerId, err)
+        case certs == nil:
+                return nil, fmt.Errorf("the signer %q is not trusted", tok.SignerId)
         }
 
         // Check the signature on the token.
         err = certs.CheckSignature(tok.SigningKeyId, tok.SerializedSubtoken, tok.Pkcs1Sha256Sig)
         if err != nil {
                 return nil, err
         }
 
         // The signature is correct! Deserialize the subtoken.
         msg := &messages.Subtoken{}
@@ skipping 100 matching lines @@
                         switch ok, err := checker.IsMember(c, ident, strings.TrimPrefix(aud, "group:")); {
                         case err != nil:
                                 return err // transient error during group lookup
                         case ok:
                                 return nil // success, 'ident' is in the target audience
                         }
                 }
         }
         return fmt.Errorf("%s is not allowed to use the token", ident)
 }