[5/8] coordinator: support insecure manifests behind opt-in#2356
Conversation
4a00b00 to
657abac
Compare
552c173 to
27802b6
Compare
27802b6 to
7073c58
Compare
657abac to
41b8d92
Compare
7073c58 to
af50bbe
Compare
41b8d92 to
c596cca
Compare
72898ef to
f2897e6
Compare
af50bbe to
65b519a
Compare
f2897e6 to
91b1df7
Compare
65b519a to
891d7f0
Compare
91b1df7 to
db7cd22
Compare
6223484 to
acaa9fd
Compare
a8f6eb6 to
fd0d094
Compare
9eeeeba to
55e4947
Compare
bbf67f4 to
9da6471
Compare
21d6bec to
1cd7565
Compare
abb75b8 to
2701421
Compare
charludo
left a comment
There was a problem hiding this comment.
Thanks! Sorry review took so long. I have a couple of comments, see below; the one architectural one I want to get your opinion on is if we should allow mixed manifests. Is that something you actually require? Because if not, then I'd strongly urge to allow either all-secure, or all-insecure manifests, no mix.
9b08076 to
f13a5d2
Compare
sespiros
left a comment
There was a problem hiding this comment.
Thanks, I second Charlotte's comment about needing to decide whether we want to allow mixed manifests. My understanding was that we actually do need to do that for the benchmarking use case that triggered this PR series.
If that's the case we should at least close the impersonation gap by adding a per-policy attestation-type binding (which doesn't exist today). An attacker who controls an insecure node can produce an attestation that authenticates as any CC policy in the manifest, because meshapi.NewMeshCert does Policies[hostData] without checking which validator produced the hostData.
For example like:
type PolicyEntry struct {
SANs []string
WorkloadSecretID string
Role Role
AllowedAttestationOIDs []asn1.ObjectIdentifier `json:",omitempty"`
}f7a0675 to
c8c1132
Compare
2701421 to
6bf854e
Compare
I've thought about this for some time now, and couldn't think of a use-case we'd need a mixed manifest for. I second your opinion that it should not be allowed then. |
66d886c to
003a4ba
Compare
0743b72 to
b95c24d
Compare
|
ping, this should be ready for another round of review @burgerdev @sespiros @charludo |
sespiros
left a comment
There was a problem hiding this comment.
Thanks for the changes. We recently did a significant refactor on our validation logic so this needs to be rebased for a final clean review.
The rest of the changes lgtm.
b95c24d to
8b08799
Compare
sespiros
left a comment
There was a problem hiding this comment.
Thanks, left a few comments.
I am thinking that recovering an insecure manifest should require CONTRAST_ALLOW_INSECURE. We can check the recovered manifest in ResetState and return ErrInsecureNotAllowed when it is insecure and allowInsecure is false. We can also add a test that simulates a restart: create a Guard, call MakeInsecure, and use UpdateState to set an insecure manifest. Then create a new Guard using the same History, without calling MakeInsecure, and verify that ResetState returns ErrInsecureNotAllowed.
8b08799 to
da2a787
Compare
| // allowInsecure controls whether manifests with insecure platforms are accepted. | ||
| // It defaults to false and can be enabled via MakeInsecure. | ||
| allowInsecure bool |
There was a problem hiding this comment.
The stateguard's purpose is to store, retrieve and update state, and I tried to avoid putting unrelated business logic in here as much as possible. For example, completeness of the manifest, permission to update a manifest and recovery security are checked in userapi (we added a callback to ResetState for that). Arguably that's also not pretty, but I don't have a good alternative idea right now.
There was a problem hiding this comment.
Maybe I was not clear enough: let's move this logic out of the stateguard and into the userapi for now. Slicing the userapi into subpackages for request processing, authz and such can then be done later.
da2a787 to
72191cb
Compare
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
72191cb to
794edde
Compare
sespiros
left a comment
There was a problem hiding this comment.
Thanks for the changes, nothing more to add.
Split from #2337 as part of a stacked review series.
Depends on: #2355
This PR wires insecure manifests into the Coordinator behind explicit opt-in:
Closes CON-212