move the TUF trust store to the database #8488
Conversation
|
TODO:
|
| // Tests that ".." paths are disallowed by dropshot. | ||
| #[tokio::test] | ||
| async fn test_download_with_dots_fails() { | ||
| let cptestctx = | ||
| test_setup::<omicron_nexus::Server>("test_download_with_dots_fails", 0) | ||
| .await; | ||
| let client = &cptestctx.internal_client; | ||
|
|
||
| let filename = "hey/can/you/look/../../../../up/the/directory/tree"; | ||
| let artifact_get_url = format!("/artifacts/{}", filename); |
There was a problem hiding this comment.
I removed this test because we already test for directory traversal rejection in the console API integration tests:
omicron/nexus/tests/integration_tests/console_api.rs
Lines 375 to 385 in cbae98c
The /artifacts/{..path} internal API is long gone.
nexus/db-model/src/tuf_repo.rs
Outdated
| #[diesel(embed)] | ||
| pub identity: TufTrustRootIdentity, | ||
| pub time_deleted: Option<DateTime<Utc>>, | ||
| pub root_role: serde_json::Value, |
There was a problem hiding this comment.
I'm pretty worried about the format of this value.
The problem, as always: how do we avoid accidentally changing the format in a way that only breaks at upgrade-time at a customer site?
I'm kind of thinking of this as two separate problems:
- how do we avoid adding stuff to this structure in some release and then expecting it to be there in all the rows we find, even if they were written in earlier releases
- how do we ensure more generally that we can continue reading older structures
One idea is to just store it as a String. This solves (1) because we'd be treating it as opaque. It seems like we only use the stringified value anyway, right? One downside though is that if we ever do want to use the parsed version in the future, we'll have an annoying database migration to deal with because we might fail to deserialize each row. Also, this doesn't solve (2). If tough evolves its structure incompatibly, we wouldn't notice until we deployed this to a system that had roots written with an older release.
Another idea to solve (1) while still giving us future flexibility is to create a newtype around the underlying tough type. When we insert it, we serialize it as a JSON value. When we read a row, we deserialize it into the newtype. (I think you can probably impl some Diesel trait for this, but you can also just do it inline at insert/read time.) This prevents us from adding our own stuff to it without considering compatibility, but still makes sure what's in the database is valid JSON, but it doesn't solve (2).
A way we usually solve (2) is to add an expectorate test on the JSON schema, but that doesn't seem possible here without changing tough to impl JsonSchema.
We could define our own copy of the tough type for this that does impl JsonSchema, do the newtype thing, and add an expectorate test.
Last idea: if the format is really simple, we could hardcode some specific JSON that we believe is representative and then have a test that we can deserialize those. This is easy but a little brittle: it wouldn't catch cases where some future release added something (not covered by the test) and then that then got ripped out in a later release.
Of course, the other option is to define a proper schema for the whole object and store it directly. That might actually be the least work of these.
There was a problem hiding this comment.
We discussed this a bit on this morning's update watercooler call.
In terms of the DB representation, we settled on keeping it stored as JSON. I had brought up that it seems unfortunate to either require a nested JSON string or a base64 representation of an artifact that should be trivially visible to a customer so they can check if it matches what we provide elsewhere. In order to ensure the GET paths always work, it makes sense to store the underlying data as JSON so that there's a guarantee that whatever's in the database can actually be serialized out as part of a JSON response.
In terms of avoiding adding stuff to the structure, we settled on adding a newtype to the db-macros crate that implements Deserialize and Serialize, so that the format of a trust root is completely opaque to Nexus or any other code. This will probably be a newtype around serde_json::Value as opposed to the tough Signed<Root>, in case we decide to add any top-level fields to the signature envelope later (either for identification or cross-signing from another PKI); such things would still be opaque to Nexus and would likely be implemented in Tufaceous.
I'll also add a simple test to verify that we can still generate a repository with a hardcoded root (and its associated signing key) to help prevent being surprised by an incompatible change to tough. When we have a real updates PKI we should also add tests for those trust roots.
| ) -> ListResultVec<TufTrustRoot> { | ||
| use nexus_db_schema::schema::tuf_trust_root::dsl; | ||
|
|
||
| opctx.authorize(authz::Action::Read, &authz::FLEET).await?; |
There was a problem hiding this comment.
nit and not a big deal: I'd suggest creating a little synthetic resource for the list of TUF trust roots.
There was a problem hiding this comment.
I'm not sure what that means, particularly in the context of db-queries code?
There was a problem hiding this comment.
I mean that in general, it's slightly better to have the authorize() calls use the actual resource that you're operating on ("list of TUF trust roots") and let the policy decide what that means in terms of roles ("you can add to the list of TUF trust roots if you can modify the fleet") than it is to bake the policy choice in the authorize() call. So for a bunch of resources, we create what we call a synthetic resource (which just means that it doesn't correspond to something in the database).
There's a paragraph of docs here:
omicron/nexus/auth/src/authz/omicron.polar
Lines 339 to 348 in c16f14f
and there's an example here:
omicron/nexus/auth/src/authz/omicron.polar
Lines 452 to 468 in c16f14f
the other half is the Rust part:
omicron/nexus/auth/src/authz/api_resources.rs
Lines 518 to 568 in c16f14f
Hopefully that's all there is to it. The advantages are: it's easier to write and also validate the authz checks (because you check exactly the action you're doing on the resource you're doing it to) and it also means it shows up in places like this:
omicron/nexus/db-queries/tests/output/authz-roles.out
Lines 155 to 167 in c16f14f
but in the end, it's not a big deal -- the behavior is the same.
| /// Upload update repository | ||
| /// | ||
| /// Update repositories are verified by the update system trust store. |
There was a problem hiding this comment.
I think @ahl had some thoughts on nomenclature here.
I often find it confusing when we use "update" as a noun, but it might be unavoidable.
| @@ -2985,6 +2987,58 @@ pub trait NexusExternalApi { | |||
| path_params: Path<params::UpdatesGetRepositoryParams>, | |||
| ) -> Result<HttpResponseOk<TufRepoGetResponse>, HttpError>; | |||
|
|
|||
| /// List root roles in the update system trust store | |||
| /// | |||
| /// Root roles are a JSON document describing the keys trusted to sign | |||
There was a problem hiding this comment.
| /// Root roles are a JSON document describing the keys trusted to sign | |
| /// Root roles are JSON documents describing the security keys that are trusted to sign |
| #[endpoint { | ||
| method = GET, | ||
| path = "/v1/system/update/trust-roots", | ||
| tags = ["experimental"], // ["system/update"], |
There was a problem hiding this comment.
this is going to generate CLI commands, right?
nexus/src/app/update.rs
Outdated
| opctx: &OpContext, | ||
| trust_root: serde_json::Value, | ||
| ) -> Result<TufTrustRoot, HttpError> { | ||
| opctx.authorize(authz::Action::Modify, &authz::FLEET).await?; |
There was a problem hiding this comment.
I think this belongs in the DataStore, and if you have it there, I wouldn't keep it here.
That goes for all the functions here.
| @@ -25,16 +32,27 @@ impl super::Nexus { | |||
| ) -> Result<TufRepoInsertResponse, HttpError> { | |||
| opctx.authorize(authz::Action::Modify, &authz::FLEET).await?; | |||
|
|
|||
| // XXX: this needs to validate against the trusted root! | |||
| TrustStore(&'a [Vec<u8>]), | ||
| /// Blindly trust the root role present in the repository (but still perform | ||
| /// signature checks using that root role). | ||
| BlindlyTrustAnything, |
There was a problem hiding this comment.
I regret that this exists but I gather we need it for MUPdate and also use it in reconfigurator-cli.
There was a problem hiding this comment.
Yeah. I think eventually we'll add some sort of trust to Wicket but we should design what we want there.
Closes #3578
Depends on oxidecomputer/tufaceous#30
This removes the
[updates]section of the Nexus config, instead opting to allow operators to configure which TUF root roles they trust via the API. See RFD 447.This deliberately punts on a few choices: any identifying information about the roots themselves; which trusted root was used to verify a repository is not recorded; deleting a trusted root does not impact any uploaded repositories; synchronizing the Nexus trust store to Wicket; whether to automatically add new versions of roots to the trust store (or possibly replace the older version, to allow for a real key rotation scenario). A future RFD and implementation PR should cover these.