G-Research · suprjinx · Sep 13, 2024 · Sep 10, 2024 · Sep 10, 2024 · Sep 10, 2024
diff --git a/.devcontainer/app_reg_db.json b/.devcontainer/app_reg_db.json
@@ -0,0 +1,18 @@
+{
+  "domain-names": [
+    {
+	"id": "example.com",
+	"fullyQualifiedDomainName": "example.com",
+	"ownerDelegatedRequestsToTeam": true,
+	"autoApprovedGroups": "group1",
+	"autoApprovedServiceAccounts": "[email protected]"
+     },
+     {
+	"id": "example2.com",
+	"fullyQualifiedDomainName": "example2.com",
+	"ownerDelegatedRequestsToTeam": true,
+	"autoApprovedGroups": "group1",
+	"autoApprovedServiceAccounts": "[email protected]"
+     }
+  ]
+}
diff --git a/.devcontainer/app_reg_routes.json b/.devcontainer/app_reg_routes.json
@@ -0,0 +1,3 @@
+{
+	"/api/v1beta1/*": "/$1"
+}
diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml
@@ -19,6 +19,8 @@ services:
       VAULT_ADDR: http://10.1.10.100:8200
       VAULT_TOKEN: root_token
       JWT_SIGNING_KEY: jwt_secret
+      APP_REGISTRY_ADDR: http://10.1.10.150:8800
+      APP_REGISTRY_TOKEN: app_reg_token
 
   vault:
     image: hashicorp/vault:latest
@@ -32,6 +34,20 @@ services:
       astral:
         ipv4_address: "10.1.10.100"
 
+  app_registry:
+    image: node:latest
+    restart: unless-stopped
+    ports:
+      - 8800:8800
+    volumes:
+      - .:/data
+    networks:
+      astral:
+        ipv4_address: "10.1.10.150"
+    command: >
+      sh -c "npm install -g [email protected] &&
+             json-server /data/app_reg_db.json --routes /data/app_reg_routes.json --port 8800 --host 0.0.0.0"
+
 networks:
   astral:
     ipam:

diff --git a/Gemfile b/Gemfile
@@ -6,8 +6,7 @@ gem "rails", "~> 7.2.1"
 gem "sqlite3", ">= 1.4"
 # Use the Puma web server [https://github.com/puma/puma]
 gem "puma", ">= 5.0"
-# Build JSON APIs with ease [https://github.com/rails/jbuilder]
-# gem "jbuilder"
+
 # Use Redis adapter to run Action Cable in production
 # gem "redis", ">= 4.0.1"
 
@@ -38,9 +37,13 @@ gem "vault"
 # Use the jwt gem to decode access tokens
 gem "jwt"
 
-# Use the jbuilder gem
+# Use the jbuilder gem to render JSON views
 gem "jbuilder"
 
+# Use the faraday gem for http client operations
+gem "faraday"
+gem "faraday-retry"
+
 group :development, :test do
   # See https://guides.rubyonrails.org/debugging_rails_applications.html#debugging-with-the-debug-gem
   gem "debug", platforms: %i[ mri mswin ], require: "debug/prelude"

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -91,6 +91,13 @@ GEM
       reline (>= 0.3.8)
     drb (2.2.1)
     erubi (1.13.0)
+    faraday (2.11.0)
+      faraday-net_http (>= 2.0, < 3.4)
+      logger
+    faraday-net_http (3.3.0)
+      net-http
+    faraday-retry (2.2.1)
+      faraday (~> 2.0)
     globalid (1.2.1)
       activesupport (>= 6.1)
     i18n (1.14.5)
@@ -120,6 +127,8 @@ GEM
     mini_mime (1.1.5)
     minitest (5.25.1)
     msgpack (1.7.2)
+    net-http (0.4.1)
+      uri
     net-imap (0.4.14)
       date
       net-protocol
@@ -245,6 +254,7 @@ GEM
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
     unicode-display_width (2.5.0)
+    uri (0.13.1)
     useragent (0.16.10)
     vault (0.18.2)
       aws-sigv4
@@ -274,6 +284,8 @@ DEPENDENCIES
   bootsnap
   brakeman
   debug
+  faraday
+  faraday-retry
   interactor (~> 3.0)
   jbuilder
   jwt

diff --git a/app/interactors/authorize_request.rb b/app/interactors/authorize_request.rb
@@ -3,6 +3,13 @@ class AuthorizeRequest
   include FailOnError
 
   def call
-    Services::DomainOwnershipService.new.authorize!(context.identity, context.request)
+    context.request.fqdns.each do |fqdn|
+      domain = Domain.where(fqdn: fqdn).first
+      raise AuthError.new("Common or alt name not recognized") unless domain
+      raise AuthError.new("No subject or group authorization") unless
+        domain.users_array.include?(context.identity.subject) ||
+        (domain.group_delegation? && (domain.groups_array & context.identity.groups).any?)
+    end
+    nil
   end
 end
diff --git a/app/interactors/fail_on_error.rb b/app/interactors/fail_on_error.rb
@@ -4,7 +4,10 @@ module FailOnError
   included do
     around do |interactor|
       interactor.call
+    rescue Interactor::Failure => e
+      raise e
     rescue => e
+      Rails.logger.error("Error in #{self.class.name}: #{e.class.name} - #{e.message}")
       context.fail!(error: e)
     end
   end

diff --git a/app/interactors/issue_cert.rb b/app/interactors/issue_cert.rb
@@ -1,5 +1,6 @@
 class IssueCert
   include Interactor::Organizer
+  include FailOnError
 
-  organize AuthorizeRequest, ObtainCert, Log
+  organize RefreshDomain, AuthorizeRequest, ObtainCert, Log
 end
diff --git a/app/interactors/refresh_domain.rb b/app/interactors/refresh_domain.rb
@@ -0,0 +1,20 @@
+class RefreshDomain
+  include Interactor
+
+  def call
+    domain_info = Services::DomainOwnershipService.new.get_domain_info(context.request.common_name)
+    domain_record = Domain.find_or_create_by!(fqdn: context.request.common_name)
+    if !domain_info
+      domain_record.destroy!
+      return
+    end
+
+    domain_record.update!(
+      group_delegation: domain_info.group_delegation,
+      groups: domain_info.groups,
+      users: domain_info.users
+    )
+  rescue => e
+    Rails.logger.warn("Continuing after error in #{self.class.name}: #{e.class.name}: #{e.message}")
+  end
+end
diff --git a/app/lib/services/auth_service.rb b/app/lib/services/auth_service.rb
@@ -19,7 +19,7 @@ def authorize!(identity, cert_issue_req)
 
     def decode(token)
       # Decode a JWT access token using the configured base.
-      body = JWT.decode(token, Rails.application.config.astral[:jwt_signing_key])[0]
+      body = JWT.decode(token, Rails.configuration.astral[:jwt_signing_key])[0]
       Identity.new(body)
     rescue => e
       Rails.logger.warn "Unable to decode token: #{e}"

diff --git a/app/lib/services/domain_ownership_service.rb b/app/lib/services/domain_ownership_service.rb
@@ -1,14 +1,53 @@
 module Services
   class DomainOwnershipService
-    def authorize!(identity, cert_req)
-      cert_req.fqdns.each do |fqdn|
-        domain = Domain.where(fqdn: fqdn).first
-        raise AuthError unless domain.present? &&
-                               (domain.owner == identity.subject ||
-                               (domain.group_delegation &&
-                               (domain.groups & identity.groups).any?))
+    attr_reader :client
+
+    def initialize
+      @client = Faraday.new(ssl: ssl_opts, url: Rails.configuration.astral[:app_registry_addr]) do |faraday|
+        faraday.request :authorization, "Bearer", -> { Rails.configuration.astral[:app_registry_token] }
+        faraday.request :retry, retry_opts
+        faraday.response :json
+        faraday.response :raise_error, include_request: true
       end
+    end
+
+    def get_domain_info(fqdn)
+      rslt = client.get("/api/v1beta1/domain-names/#{fqdn}").body
+      convert(rslt)
+    rescue Faraday::ResourceNotFound => e
       nil
     end
+
+    private
+
+    def convert(domain_info)
+      if !domain_info || domain_info["isDeleted"]
+        return nil
+      end
+
+      OpenStruct.new(
+        fqdn: domain_info["fullyQualifiedDomainName"],
+        group_delegation: domain_info["ownerDelegatedRequestsToTeam"],
+        groups: domain_info["autoApprovedGroups"],
+        users: domain_info["autoApprovedServiceAccounts"]
+      )
+    end
+
+    def ssl_opts
+      {
+        ca_file: Rails.configuration.astral[:app_registry_ca_file],
+        client_cert: Rails.configuration.astral[:app_registry_client_cert],
+        client_key: Rails.configuration.astral[:app_registry_client_key]
+      }
+    end
+
+    def retry_opts
+      {
+        max: 3,
+        interval: 0.05,
+        interval_randomness: 0.5,
+        backoff_factor: 2
+      }
+    end
   end
 end
diff --git a/app/lib/services/vault_service.rb b/app/lib/services/vault_service.rb
@@ -3,15 +3,15 @@ class VaultService
     def initialize
       # TODO create a new token for use in the session
       @client = Vault::Client.new(
-        address: Rails.application.config.astral[:vault_addr],
-        token: Rails.application.config.astral[:vault_token]
+        address: Rails.configuration.astral[:vault_addr],
+        token: Rails.configuration.astral[:vault_token]
       )
     end
 
     def issue_cert(cert_issue_request)
       opts = cert_issue_request.attributes
       # Generate the TLS certificate using the intermediate CA
-      tls_cert = @client.logical.write(Rails.application.config.astral[:vault_cert_path], opts)
+      tls_cert = @client.logical.write(Rails.configuration.astral[:vault_cert_path], opts)
       OpenStruct.new tls_cert.data
     end
   end

diff --git a/app/models/domain.rb b/app/models/domain.rb
@@ -1,10 +1,11 @@
 class Domain < ApplicationRecord
-  serialize :groups, coder: YAML, type: Array
-  before_save :clean_groups
+  validates :fqdn, presence: true
 
-  validates :fqdn, :owner, presence: true
+  def groups_array
+    (groups || "").split(",").sort.uniq
+  end
 
-  def clean_groups
-    self.groups = groups.sort.uniq
+  def users_array
+    (users || "").split(",").sort.uniq
   end
 end
diff --git a/config/astral.yml b/config/astral.yml
@@ -4,6 +4,11 @@ shared:
   vault_cert_path: "pki_int/issue/learn"
   jwt_signing_key: <%= ENV["JWT_SIGNING_KEY"] %>
   cert_ttl: <%= ENV["CERT_TTL"] %>
+  app_registry_addr: <%= ENV["APP_REGISTRY_ADDR"] %>
+  app_registry_token: <%= ENV["APP_REGISTRY_TOKEN"] %>
+  app_registry_ca_file: <%= ENV["APP_REGISTRY_CA_FILE"] %>
+  app_registry_client_cert: <%= ENV["APP_REGISTRY_CLIENT_CERT"] %>
+  app_registry_client_key: <%= ENV["APP_REGISTRY_CLIENT_KEY"] %>
 
 test:
   cert_ttl: <%= 24.hours.in_seconds %>

diff --git a/db/migrate/20240904175652_create_domains.rb b/db/migrate/20240904175652_create_domains.rb
@@ -1,12 +1,11 @@
 class CreateDomains < ActiveRecord::Migration[7.2]
   def change
     create_table :domains do |t|
-      t.string :fqdn, null: false
-      t.string :owner, null: false
+      t.string :fqdn, null: false, index: { unique: true }
+      t.text :users
       t.text :groups
       t.boolean :group_delegation, default: false
       t.timestamps
-      t.index :fqdn, unique: true
     end
   end
 end
diff --git a/db/schema.rb b/db/schema.rb
diff --git a/db/seeds.rb b/db/seeds.rb
@@ -10,5 +10,5 @@
 
 # this seed is for development only
 if Rails.env.development?
-  Domain.first_or_create!(fqdn: "example.com", owner: "[email protected]")
+  Domain.find_or_create_by!(fqdn: "example.com", users: "[email protected]")
 end
diff --git a/test/fixtures/domains.yml b/test/fixtures/domains.yml
@@ -1,18 +1,16 @@
 owner_match:
   fqdn: example.com
-  owner: [email protected]
+  users: john.doe@example.com,some.other@example.com
   group_delegation: false
 
 group_match:
   fqdn: example2.com
-  owner: [email protected]
+  users: [email protected]
   group_delegation: true
-  groups:
-    - "group1"
+  groups: group1,group2
 
 no_match:
   fqdn: example3.com
-  owner: [email protected]
+  users: some.other@example2.com,yet.another@example2.com
   group_delegation: true
-  groups:
-    - "group3"
+  groups: group3,group4