Skip to content

Commit

Permalink
use issuer aws account or gcp project for launch authorization (#2614)
Browse files Browse the repository at this point in the history
Signed-off-by: Abhijeet V <31417623+abvaidya@users.noreply.github.com>
  • Loading branch information
abvaidya authored May 16, 2024
1 parent e74c7a9 commit 9587969
Show file tree
Hide file tree
Showing 5 changed files with 29 additions and 6 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,8 @@ public interface InstanceProvider {
String ZTS_INSTANCE_CERT_ISSUER_DN = "certIssuerDn";
String ZTS_INSTANCE_CLOUD = "instanceCloud";
String ZTS_INSTANCE_UNATTESTED_ISSUER = "unattestedIssuer";
String ZTS_INSTANCE_ISSUER_AWS_ACCOUNT = "issuerAwsAccount";
String ZTS_INSTANCE_ISSUER_GCP_PROJECT = "issuerGcpProject";
/**
* Host cert specific attribute names
*/
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -139,10 +139,13 @@ public String validateIssuer(InstanceConfirmation confirmation, IdTokenAttestati
}

if (useIamRoleForIssuerValidation()) {
if (!verifyIssuerPresenceInDomainAWSAccount(issuer,
confirmation.getAttributes().get(ZTS_INSTANCE_AWS_ACCOUNT))) {
String awsAccount = confirmation.getAttributes().get(ZTS_INSTANCE_AWS_ACCOUNT);
if (!verifyIssuerPresenceInDomainAWSAccount(issuer, awsAccount)) {
return null;
}
// If the issuer is present in the same AWS account as the requested identity
// then we should use the same for the launch authorization
confirmation.getAttributes().put(ZTS_INSTANCE_ISSUER_AWS_ACCOUNT, awsAccount);
} else {
if (attrValidator != null) {
confirmation.getAttributes().put(ZTS_INSTANCE_UNATTESTED_ISSUER, issuer);
Expand All @@ -155,8 +158,9 @@ public String validateIssuer(InstanceConfirmation confirmation, IdTokenAttestati

final String domainName = confirmation.getDomain();
final String serviceName = confirmation.getService();
final String resource = String.format("%s:%s:%s", domainName, serviceName,
confirmation.getAttributes().get(ZTS_INSTANCE_AWS_ACCOUNT));
// attribute set after iam role validation or attribute validation
final String issuerAwsAccount = confirmation.getAttributes().get(ZTS_INSTANCE_ISSUER_AWS_ACCOUNT);
final String resource = String.format("%s:%s:%s", domainName, serviceName, issuerAwsAccount);

Principal principal = SimplePrincipal.create(domainName, serviceName, (String) null);
boolean accessCheck = authorizer.access(ACTION_LAUNCH, resource, principal, null);
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -103,11 +103,16 @@ public String validateIssuer(InstanceConfirmation confirmation, IdTokenAttestati
errMsg.append("Issuer is not present in the GCP project associated with the domain");
return null;
}
} else {
// issuer exists in the same GCP project as the requested identity
confirmation.getAttributes().put(ZTS_INSTANCE_ISSUER_GCP_PROJECT, gcpProject);
}

final String domainName = confirmation.getDomain();
final String serviceName = confirmation.getService();
final String resource = String.format("%s:%s:%s", domainName, serviceName, gcpProject);
// attribute set after verification above or attribute validation
final String issuerGcpProject = confirmation.getAttributes().get(ZTS_INSTANCE_ISSUER_GCP_PROJECT);
final String resource = String.format("%s:%s:%s", domainName, serviceName, issuerGcpProject);

Principal principal = SimplePrincipal.create(domainName, serviceName, (String) null);
boolean accessCheck = authorizer.access(ACTION_LAUNCH, resource, principal, null);
Expand Down
11 changes: 11 additions & 0 deletions servers/zts/conf/zts.properties
Original file line number Diff line number Diff line change
Expand Up @@ -742,3 +742,14 @@ athenz.zts.k8s_provider_distribution_validator_factory_class=com.yahoo.athenz.in
# the host's private IP address (as specified by the provider) and
# the client IP address from the connection request object.
#athenz.zts.ssh_cert_validate_ip=false

# This property configures the InstanceK8SProvider to use AWS IAM to authorize the OIDC issuer
# issuing id_token which is used by the provider as attestation data
#athenz.zts.k8s_provider_aws_attestation_using_iam_role=true

# If AWS IAM is configured to authorize the OIDC issuer then this property specifies the IAM role name
#athenz.zts.k8s_provider_attestation_aws_assume_role_name=oidc-issuers-reader

# This property configures the factory providing internal implementation of the AttributeValidator interface
# as a plugin to validate the identity attributes in the request
# athenz.zts.k8s_provider_aws_attr_validator_factory_class=
Original file line number Diff line number Diff line change
Expand Up @@ -171,7 +171,6 @@ InstanceProvider getClassProvider(String className, String providerName, SSLCont
LOGGER.error("Unable to get new instance for provider {}", className, ex);
return null;
}
provider.initialize(providerName, className, context, keyStore);
provider.setHostnameResolver(hostnameResolver);
provider.setRolesProvider(dataStore);
provider.setExternalCredentialsProvider(new InstanceExternalCredentialsProvider(providerName, ztsHandler));
Expand All @@ -180,6 +179,8 @@ InstanceProvider getClassProvider(String className, String providerName, SSLCont
if (ZTS_PROVIDER.equals(providerName)) {
provider.setPrivateKey(serverPrivateKey.getKey(), serverPrivateKey.getId(), serverPrivateKey.getAlgorithm());
}
// initialize provider after setting all the fields so that the initialize code can use them
provider.initialize(providerName, className, context, keyStore);

providerMap.put(classKey, provider);
return provider;
Expand Down

0 comments on commit 9587969

Please sign in to comment.