Add a util function to check if a transport is secure enough to transfer CallCredentials

[yihuazhang]

This PR adds a util function that checks if the security level of transport is higher than or equal to that of CallCredentials. The util function is called GoogleAuthLibraryCallCredentials and FileBasedPluginCredential for which I believe privacy+integrity should be required for the transport. After this PR gets merged, I will update the internal CallCredentials implementation to call the util function (for the auditing purpose).

gRFC for security level negotiation: grpc/proposal#167

[sanjaypujare]

So this is currently used for SDS which is over an UDS channel. Will this check now break the SDS communication or is UDS considered at SecurityLevel.PRIVACY_AND_INTEGRITY ?

[yihuazhang]

UDS should be considered secure (i.e., SecurityLevel.PRIVACY_AND_INTEGRITY). Do you know if the security level is correctly set for the UDS channel?

[sanjaypujare]

Don't know. If not, we will have to do that before merging this change to ensure this feature doesn't break. Let me know if you want to discuss

[yihuazhang]

Agreed. If I read the code correctly, it seems UDS channel is implemented as a Netty plaintext channel whose security level is NONE and I believe it is the cause of test failure. Is it possible to associate the security level PRIVACY_AND_INTEGRITY to the plaintext channel when used for UDS? Let me schedule a meeting to discuss about it if it is not trivial.

[yihuazhang]

First of all, is it appropriate to associate PRIVACY_AND_INTEGRITY to FileBasedPluginCredential?

[sanjaypujare]

I believe that's the only way to use UDS in grpc-java/Netty. Not sure about your question "Is it possible to associate the security level PRIVACY_AND_INTEGRITY to the plaintext channel when used for UDS?" but I suppose it should be possible. CC @ejona86

[sanjaypujare]

First of all, is it appropriate to associate PRIVACY_AND_INTEGRITY to FileBasedPluginCredential?

Good question. This FileBasedPluginCredential mimics Envoy's similar credential https://github.com/envoyproxy/envoy/blob/master/source/extensions/grpc_credentials/file_based_metadata/config.cc which is received by Istio Node Agent (https://github.com/istio/istio/blob/master/security/pkg/nodeagent/sds/sdsservice.go#L509:6) . I think this is loaded from a secure and privileged file location so it is fair to assume it needs a secure channel (but we need to think about it).

[sanjaypujare]

One test failed:

io.grpc.xds.sds.SdsClientUdsFileBasedMetadataTest > testSecretWatcher_tlsCertificate FAILED
    expected to be true
        at io.grpc.xds.sds.SdsClientUdsFileBasedMetadataTest.testSecretWatcher_tlsCertificate(SdsClientUdsFileBasedMetadataTest.java:105)

This indicates the code change will also break prod behavior. Did the test pass in your testing?

[ejona86]

check makes it seem like this will throw. Maybe name it allowedSecurityLevel or fulfullsSecurityLevel or similar that makes it more obvious it returns a boolean?

CC @jiangtaoli2016

[ejona86]

static?

[yihuazhang]

@ejona86 @sanjaypujare

Is it POR for using a plaintext channel for UDS? If that's the case, I have a following plan to associate the security level PRIVACY_AND_INTEGRITY to a UDS channel. PLMK what you think.

• Add a new NegotiationType - UDS.
• In usePlaintext(), check if the server's SocketAddress is an instance of DomainSocketAddress and if it is, set the negotiation type to UDS. We do not allow users to specify if the channel is UDS or not and by doing that, we can avoid their intentional (or unintentional) mistakes.
• Create a new API - uds() in ProtocolNegotiator and add a new constructor for PlaintextProtocolNegotiator - PlaintextProtocolNegotiator(SecurityLevel). For UDS, the security level will be PRIVACY_AND_INTEGRITY.
• Update security level attribute accordingly.

[sanjaypujare]

@ejona86 @sanjaypujare

Is it POR for using a plaintext channel for UDS?

This is dictated by the other end - the SDS server (Citadel agent) only supports UDS based plaintext channel. See https://istio.io/docs/tasks/security/citadel-config/auth-sds/#securing-sds-with-pod-security-policies (instead of Envoy sidecar, read it as proxyless gRPC client).

If that's the case, I have a following plan to associate the security level PRIVACY_AND_INTEGRITY to a UDS channel. PLMK what you think.

Comments below:

• Add a new NegotiationType - UDS.

NegotiationType is meant to indicate 'negotiation used for starting up HTTP/2' so it is not appropriate to include transport characteristics here.

• In usePlaintext(), check if the server's SocketAddress is an instance of DomainSocketAddress and if it is, set the negotiation type to UDS. We do not allow users to specify if the channel is UDS or not and by doing that, we can avoid their intentional (or unintentional) mistakes.

What if user called forTarget so there is no directServerAddress (SocketAddress) set? You might be able to check unix: prefix in the target string but the bigger problem is using negotiationType to convey transport.

• Create a new API - uds() in ProtocolNegotiator and add a new constructor for PlaintextProtocolNegotiator - PlaintextProtocolNegotiator(SecurityLevel). For UDS, the security level will be PRIVACY_AND_INTEGRITY.
• Update security level attribute accordingly.

Looking at this attribute code it might be better to use the ChannelHandlerContext that is passed in fireProtocolNegotiationEvent (for example) and you call ChannelHandlerContext.channel() and on that channel get remoteAddress() to see what kind of server address it is. This is better than overloading NegotiationType .

[ejona86]

Add a new NegotiationType - UDS.

No, I don't think we want to do that. It would be strictly better to check for DomainSocketAddress at NettyChannelBuilder.createProtocolNegotiatorByType(). We can either pass in the SocketAddress to the function or make it non-static.

That said, I'd really prefer a solution that works with a future UnixNameResolver. We can move the DomainSocketAddress check to PlaintextProtocolNegotiator. Unfortunately, it wouldn't be guaranteed to be authenticated in that case, since maybe a MyCustomNameResolver returns unauthenticated DomainSocketAddresses. We could require the filename also matches the authority (and use INSECURE if it is not).

[jiangtaoli2016]

@yihuazhang Could you please resolve the conflict

[yihuazhang]

@ejona86 @sanjaypujare PTALA

[ejona86]

Thinking about it more, let's make this protected. Only extending classes will need to call this. It wouldn't really hurt anything by having it public, but pollutes what consumers of CallCredentials would see.

[larry-safran]

@yihuazhang Would you please sign the EasyCLA so that this can be merged?