albatross/tls/vmm_tls.ml

(* (c) 2018 Hannes Mehnert, all rights reserved *)

open Rresult
open Rresult.R.Infix
open X509

(* we skip all non-albatross certificates *)
let cert_name cert =
  match Extension.(find (Unsupported Vmm_asn.oid) (Certificate.extensions cert)) with
  | None -> Ok None
  | Some (_, data) ->
    match X509.(Distinguished_name.common_name (Certificate.subject cert)) with
    | Some name -> Ok (Some name)
    | None -> match Vmm_asn.of_cert_extension data with
      | Error (`Msg _) -> Error (`Msg "couldn't parse albatross extension")
      | Ok (_, `Policy_cmd pc) ->
        begin match pc with
          | `Policy_add _ -> Error (`Msg "policy add may not have an empty name")
          | `Policy_remove -> Error (`Msg "policy remove may not have an empty name")
          | `Policy_info -> Ok None
        end
      | Ok (_, `Block_cmd bc) ->
        begin match bc with
          | `Block_add _ -> Error (`Msg "block add may not have an empty name")
          | `Block_remove -> Error (`Msg "block remove may not have an empty name")
          | `Block_info -> Ok None
        end
      | _ -> Ok None

let name chain =
  List.fold_left (fun acc cert ->
      match acc, cert_name cert with
      | Error e, _ -> Error e
      | _, Error e -> Error e
      | Ok acc, Ok None -> Ok acc
      | Ok acc, Ok (Some data) -> Vmm_core.Name.append data acc)
    (Ok Vmm_core.Name.root) chain

(* this separates the leaf and top-level certificate from the chain,
   and also reverses the intermediates (to be (leaf, CA -> subCA -> subCA')
   in which subCA' signed leaf *)
let separate_chain = function
  | [] -> Error (`Msg "empty chain")
  | [ leaf ] -> Ok (leaf, [])
  | leaf :: xs -> Ok (leaf, List.rev xs)

let wire_command_of_cert cert =
  match Extension.(find (Unsupported Vmm_asn.oid) (Certificate.extensions cert)) with
  | None -> Error `Not_present
  | Some (_, data) ->
    Vmm_asn.of_cert_extension data >>= fun (v, wire) ->
    if not Vmm_commands.(is_current v) then
      Logs.warn (fun m -> m "version mismatch, received %a current %a"
                    Vmm_commands.pp_version v
                    Vmm_commands.pp_version Vmm_commands.current);
    Ok (v, wire)

let extract_policies chain =
  List.fold_left (fun acc cert ->
      match acc, wire_command_of_cert cert with
      | Error e, _ -> Error e
      | Ok acc, Error `Not_present -> Ok acc
      | Ok _, Error (`Msg msg) -> Error (`Msg msg)
      | Ok (prefix, acc), Ok (_, `Policy_cmd `Policy_add p) ->
        (cert_name cert >>= function
          | None -> Ok prefix
          | Some x -> Vmm_core.Name.prepend x prefix) >>| fun name ->
        (name, (name, p) :: acc)
      | _, Ok wire ->
        R.error_msgf "unexpected wire %a" Vmm_commands.pp (snd wire))
    (Ok (Vmm_core.Name.root, [])) chain

let handle chain =
  (if List.length chain < 10 then
     Ok ()
   else
     Error (`Msg "certificate chain too long")) >>= fun () ->
  separate_chain chain >>= fun (leaf, rest) ->
  (* use subject common names of intermediate certs as prefix *)
  name rest >>= fun name' ->
  (* and subject common name of leaf certificate -- allowing dots in CN -- as postfix *)
  (cert_name leaf >>= function
    | None | Some "." -> Ok name'
    | Some x ->
      Vmm_core.Name.of_string x >>| fun post ->
      Vmm_core.Name.concat name' post) >>= fun name ->
  Logs.debug (fun m -> m "name is %a leaf is %a, chain %a"
                 Vmm_core.Name.pp name Certificate.pp leaf
                 Fmt.(list ~sep:(unit " -> ") Certificate.pp) rest);
  extract_policies rest >>= fun (_, policies) ->
  (* TODO: logging let login_hdr, login_ev = Log.hdr name, `Login addr in *)
  match wire_command_of_cert leaf with
  | Error `Msg p -> Error (`Msg p)
  | Error `Not_present ->
    Error (`Msg "leaf certificate does not contain an albatross extension")
  | Ok (v, wire) ->
    (* we only allow some commands via certificate *)
    match wire with
    | `Console_cmd (`Console_subscribe _)
    | `Stats_cmd `Stats_subscribe
    | `Log_cmd (`Log_subscribe _)
    | `Unikernel_cmd _
    | `Policy_cmd `Policy_info -> Ok (name, policies, v, wire)
    | _ -> Error (`Msg "unexpected command")
copyright 2018-10-23 22:13:47 +00:00			`(* (c) 2018 Hannes Mehnert, all rights reserved *)`

move stuff around 2018-10-25 14:55:54 +00:00			`open Rresult`
move more stuff around 2018-10-23 22:10:08 +00:00			`open Rresult.R.Infix`
adapt to X509 0.7.0 API, minor comment and doc tweaks 2019-05-03 18:57:09 +00:00			`open X509`
initial 2017-05-26 14:30:34 +00:00
wip: vmmc_bistro 2018-10-28 00:03:27 +00:00			`(* we skip all non-albatross certificates *)`
issue policy_add commands by vmmd_tls for certificate chain 2018-10-28 19:50:10 +00:00			`let cert_name cert =`
adapt to X509 0.7.0 API, minor comment and doc tweaks 2019-05-03 18:57:09 +00:00			`match Extension.(find (Unsupported Vmm_asn.oid) (Certificate.extensions cert)) with`
vmm_tls: ensure that add_policy commands carry a non-empty name 2018-10-28 21:29:45 +00:00			`\| None -> Ok None`
			`\| Some (_, data) ->`
x509 API upgrade to 0.8.0 2019-10-06 21:38:13 +00:00			`match X509.(Distinguished_name.common_name (Certificate.subject cert)) with`
adapt to X509 0.7.0 API, minor comment and doc tweaks 2019-05-03 18:57:09 +00:00			`\| Some name -> Ok (Some name)`
versioning: revise it all, use a 'current' in Vmm_commands, all daemons reply with the received version on that particular stream 2019-11-11 20:49:51 +00:00			`\| None -> match Vmm_asn.of_cert_extension data with`
vmm_tls: ensure that add_policy commands carry a non-empty name 2018-10-28 21:29:45 +00:00			\| Error (`Msg _) -> Error (`Msg "couldn't parse albatross extension")
rename Vmm_core.id to Vmm_core.Name.t and make it private - also check constructors to fit into 20 chars ldh (and in Vmm_tls max depth = 10) 2018-11-11 00:21:12 +00:00			\| Ok (_, `Policy_cmd pc) ->
			`begin match pc with`
			\| `Policy_add _ -> Error (`Msg "policy add may not have an empty name")
			\| `Policy_remove -> Error (`Msg "policy remove may not have an empty name")
			\| `Policy_info -> Ok None
			`end`
			\| Ok (_, `Block_cmd bc) ->
			`begin match bc with`
			\| `Block_add _ -> Error (`Msg "block add may not have an empty name")
			\| `Block_remove -> Error (`Msg "block remove may not have an empty name")
			\| `Block_info -> Ok None
			`end`
minor fixes from testing: do not require vm to be present for force-create, fix id generation in vmm_tls, use 32mb memory for unikernels by default 2018-10-28 22:06:15 +00:00			`\| _ -> Ok None`
issue policy_add commands by vmmd_tls for certificate chain 2018-10-28 19:50:10 +00:00
wip: vmmc_bistro 2018-10-28 00:03:27 +00:00			`let name chain =`
			`List.fold_left (fun acc cert ->`
vmm_tls: ensure that add_policy commands carry a non-empty name 2018-10-28 21:29:45 +00:00			`match acc, cert_name cert with`
			`\| Error e, _ -> Error e`
			`\| _, Error e -> Error e`
			`\| Ok acc, Ok None -> Ok acc`
revise naming freedom: multiple labels are allowed in certificate common names influx may drop topmost label (if --drop-label provided) 2019-11-09 01:44:31 +00:00			`\| Ok acc, Ok (Some data) -> Vmm_core.Name.append data acc)`
			`(Ok Vmm_core.Name.root) chain`
move stuff around 2018-10-25 14:55:54 +00:00
			`(* this separates the leaf and top-level certificate from the chain,`
			`and also reverses the intermediates (to be (leaf, CA -> subCA -> subCA')`
			`in which subCA' signed leaf *)`
			`let separate_chain = function`
			\| [] -> Error (`Msg "empty chain")
			`\| [ leaf ] -> Ok (leaf, [])`
			`\| leaf :: xs -> Ok (leaf, List.rev xs)`

versioning: revise it all, use a 'current' in Vmm_commands, all daemons reply with the received version on that particular stream 2019-11-11 20:49:51 +00:00			`let wire_command_of_cert cert =`
adapt to X509 0.7.0 API, minor comment and doc tweaks 2019-05-03 18:57:09 +00:00			`match Extension.(find (Unsupported Vmm_asn.oid) (Certificate.extensions cert)) with`
issue policy_add commands by vmmd_tls for certificate chain 2018-10-28 19:50:10 +00:00			\| None -> Error `Not_present
move stuff around 2018-10-25 14:55:54 +00:00			`\| Some (_, data) ->`
versioning: revise it all, use a 'current' in Vmm_commands, all daemons reply with the received version on that particular stream 2019-11-11 20:49:51 +00:00			`Vmm_asn.of_cert_extension data >>= fun (v, wire) ->`
			`if not Vmm_commands.(is_current v) then`
			`Logs.warn (fun m -> m "version mismatch, received %a current %a"`
			`Vmm_commands.pp_version v`
			`Vmm_commands.pp_version Vmm_commands.current);`
			`Ok (v, wire)`
initial 2017-05-26 14:30:34 +00:00
versioning: revise it all, use a 'current' in Vmm_commands, all daemons reply with the received version on that particular stream 2019-11-11 20:49:51 +00:00			`let extract_policies chain =`
issue policy_add commands by vmmd_tls for certificate chain 2018-10-28 19:50:10 +00:00			`List.fold_left (fun acc cert ->`
versioning: revise it all, use a 'current' in Vmm_commands, all daemons reply with the received version on that particular stream 2019-11-11 20:49:51 +00:00			`match acc, wire_command_of_cert cert with`
issue policy_add commands by vmmd_tls for certificate chain 2018-10-28 19:50:10 +00:00			`\| Error e, _ -> Error e`
			\| Ok acc, Error `Not_present -> Ok acc
adapt to X509 0.7.0 API, minor comment and doc tweaks 2019-05-03 18:57:09 +00:00			\| Ok _, Error (`Msg msg) -> Error (`Msg msg)
versioning: revise it all, use a 'current' in Vmm_commands, all daemons reply with the received version on that particular stream 2019-11-11 20:49:51 +00:00			\| Ok (prefix, acc), Ok (_, `Policy_cmd `Policy_add p) ->
rename Vmm_core.id to Vmm_core.Name.t and make it private - also check constructors to fit into 20 chars ldh (and in Vmm_tls max depth = 10) 2018-11-11 00:21:12 +00:00			`(cert_name cert >>= function`
			`\| None -> Ok prefix`
			`\| Some x -> Vmm_core.Name.prepend x prefix) >>\| fun name ->`
vmm_tls: ensure that add_policy commands carry a non-empty name 2018-10-28 21:29:45 +00:00			`(name, (name, p) :: acc)`
issue policy_add commands by vmmd_tls for certificate chain 2018-10-28 19:50:10 +00:00			`\| _, Ok wire ->`
versioning: revise it all, use a 'current' in Vmm_commands, all daemons reply with the received version on that particular stream 2019-11-11 20:49:51 +00:00			`R.error_msgf "unexpected wire %a" Vmm_commands.pp (snd wire))`
rename Vmm_core.id to Vmm_core.Name.t and make it private - also check constructors to fit into 20 chars ldh (and in Vmm_tls max depth = 10) 2018-11-11 00:21:12 +00:00			`(Ok (Vmm_core.Name.root, [])) chain`
issue policy_add commands by vmmd_tls for certificate chain 2018-10-28 19:50:10 +00:00
versioning: revise it all, use a 'current' in Vmm_commands, all daemons reply with the received version on that particular stream 2019-11-11 20:49:51 +00:00			`let handle chain =`
revise naming freedom: multiple labels are allowed in certificate common names influx may drop topmost label (if --drop-label provided) 2019-11-09 01:44:31 +00:00			`(if List.length chain < 10 then`
			`Ok ()`
			`else`
			Error (`Msg "certificate chain too long")) >>= fun () ->
wip: vmmc_bistro 2018-10-28 00:03:27 +00:00			`separate_chain chain >>= fun (leaf, rest) ->`
revise naming freedom: multiple labels are allowed in certificate common names influx may drop topmost label (if --drop-label provided) 2019-11-09 01:44:31 +00:00			`(* use subject common names of intermediate certs as prefix *)`
			`name rest >>= fun name' ->`
			`(* and subject common name of leaf certificate -- allowing dots in CN -- as postfix *)`
			`(cert_name leaf >>= function`
albatross tls: re-allow root in leaf certificate (i.e. root) to fix log and info commands via tls this is an interaction of 057dbbf14700699f4fd6a193c35084835918c5eb (allow multiple labels in leaf certificates) and a579a8e1434150915eb65acf3f73ae10a525e54f (print root as "." instead of "") 2019-11-11 21:30:53 +00:00			`\| None \| Some "." -> Ok name'`
revise naming freedom: multiple labels are allowed in certificate common names influx may drop topmost label (if --drop-label provided) 2019-11-09 01:44:31 +00:00			`\| Some x ->`
			`Vmm_core.Name.of_string x >>\| fun post ->`
			`Vmm_core.Name.concat name' post) >>= fun name ->`
			`Logs.debug (fun m -> m "name is %a leaf is %a, chain %a"`
			`Vmm_core.Name.pp name Certificate.pp leaf`
adapt to X509 0.7.0 API, minor comment and doc tweaks 2019-05-03 18:57:09 +00:00			`Fmt.(list ~sep:(unit " -> ") Certificate.pp) rest);`
versioning: revise it all, use a 'current' in Vmm_commands, all daemons reply with the received version on that particular stream 2019-11-11 20:49:51 +00:00			`extract_policies rest >>= fun (_, policies) ->`
move more stuff around 2018-10-23 22:10:08 +00:00			(* TODO: logging let login_hdr, login_ev = Log.hdr name, `Login addr in *)
versioning: revise it all, use a 'current' in Vmm_commands, all daemons reply with the received version on that particular stream 2019-11-11 20:49:51 +00:00			`match wire_command_of_cert leaf with`
			\| Error `Msg p -> Error (`Msg p)
			\| Error `Not_present ->
issue policy_add commands by vmmd_tls for certificate chain 2018-10-28 19:50:10 +00:00			Error (`Msg "leaf certificate does not contain an albatross extension")
versioning: revise it all, use a 'current' in Vmm_commands, all daemons reply with the received version on that particular stream 2019-11-11 20:49:51 +00:00			`\| Ok (v, wire) ->`
issue policy_add commands by vmmd_tls for certificate chain 2018-10-28 19:50:10 +00:00			`(* we only allow some commands via certificate *)`
			`match wire with`
			\| `Console_cmd (`Console_subscribe _)
			\| `Stats_cmd `Stats_subscribe
			\| `Log_cmd (`Log_subscribe _)
rename Vm to Unikernel 2018-11-13 00:02:05 +00:00			\| `Unikernel_cmd _
versioning: revise it all, use a 'current' in Vmm_commands, all daemons reply with the received version on that particular stream 2019-11-11 20:49:51 +00:00			\| `Policy_cmd `Policy_info -> Ok (name, policies, v, wire)
issue policy_add commands by vmmd_tls for certificate chain 2018-10-28 19:50:10 +00:00			\| _ -> Error (`Msg "unexpected command")