Merge pull request #128 from spiffe/feature/release-cleanup

v0.4.0

Crossing fingers and landing.

Author: v0lkan

app/keeper/cmd/main.go

@@ -9,11 +9,12 @@ import (
 	"fmt"
 
 	"github.com/spiffe/spike-sdk-go/net"
+	"github.com/spiffe/spike-sdk-go/security/mem"
 	"github.com/spiffe/spike-sdk-go/spiffe"
+	"github.com/spiffe/spike-sdk-go/spiffeid"
 
 	"github.com/spiffe/spike/app/keeper/internal/env"
 	http "github.com/spiffe/spike/app/keeper/internal/route/base"
-	"github.com/spiffe/spike/internal/auth"
 	"github.com/spiffe/spike/internal/config"
 	"github.com/spiffe/spike/internal/log"
 	routing "github.com/spiffe/spike/internal/net"
@@ -24,6 +25,12 @@ const appName = "SPIKE Keeper"
 func main() {
 	log.Log().Info(appName, "msg", appName, "version", config.SpikeKeeperVersion)
 
+	if mem.Lock() {
+		log.Log().Info(appName, "msg", "Successfully locked memory.")
+	} else {
+		log.Log().Info(appName, "msg", "Memory is not locked. Please disable swap.")
+	}
+
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
@@ -34,7 +41,7 @@ func main() {
 	defer spiffe.CloseSource(source)
 
 	// I should be a SPIKE Keeper.
-	if !auth.IsKeeper(selfSpiffeid) {
+	if !spiffeid.IsKeeper(selfSpiffeid) {
 		log.FatalF("Authenticate: SPIFFE ID %s is not valid.\n", selfSpiffeid)
 	}
 
@@ -46,7 +53,7 @@ func main() {
 	if err := net.ServeWithPredicate(
 		source,
 		func() { routing.HandleRoute(http.Route) },
-		auth.PeerCanTalkToKeeper,
+		spiffeid.PeerCanTalkToKeeper,
 		env.TlsPort(),
 	); err != nil {
 		log.FatalF("%s: Failed to serve: %s\n", appName, err.Error())

app/nexus/cmd/main.go

@@ -9,12 +9,13 @@ import (
 	"fmt"
 
 	"github.com/spiffe/spike-sdk-go/net"
+	"github.com/spiffe/spike-sdk-go/security/mem"
 	"github.com/spiffe/spike-sdk-go/spiffe"
+	"github.com/spiffe/spike-sdk-go/spiffeid"
 
 	"github.com/spiffe/spike/app/nexus/internal/env"
 	"github.com/spiffe/spike/app/nexus/internal/initialization"
 	http "github.com/spiffe/spike/app/nexus/internal/route/base"
-	"github.com/spiffe/spike/internal/auth"
 	"github.com/spiffe/spike/internal/config"
 	"github.com/spiffe/spike/internal/log"
 	routing "github.com/spiffe/spike/internal/net"
@@ -23,8 +24,15 @@ import (
 const appName = "SPIKE Nexus"
 
 func main() {
+
 	log.Log().Info(appName, "msg", appName, "version", config.SpikeNexusVersion)
 
+	if mem.Lock() {
+		log.Log().Info(appName, "msg", "Successfully locked memory.")
+	} else {
+		log.Log().Info(appName, "msg", "Memory is not locked. Please disable swap.")
+	}
+
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
@@ -35,7 +43,7 @@ func main() {
 	defer spiffe.CloseSource(source)
 
 	// I should be Nexus.
-	if !auth.IsNexus(selfSpiffeid) {
+	if !spiffeid.IsNexus(selfSpiffeid) {
 		log.FatalF("Authenticate: SPIFFE ID %s is not valid.\n", selfSpiffeid)
 	}
 

app/nexus/internal/env/recovery.go

@@ -58,3 +58,20 @@ func RecoveryOperationPollInterval() time.Duration {
 
 	return 5 * time.Second
 }
+
+// RecoveryKeeperUpdateInterval returns the duration between keeper updates for
+// SPIKE Nexus. It first attempts to read the duration from the
+// SPIKE_NEXUS_KEEPER_UPDATE_INTERVAL environment variable. If the environment
+// variable is set and contains a valid duration string (as parsed by
+// time.ParseDuration), that duration is returned. Otherwise, it returns a
+// default value of 5 minutes.
+func RecoveryKeeperUpdateInterval() time.Duration {
+	e := os.Getenv("SPIKE_NEXUS_KEEPER_UPDATE_INTERVAL")
+	if e != "" {
+		if d, err := time.ParseDuration(e); err == nil {
+			return d
+		}
+	}
+
+	return 5 * time.Minute
+}

app/nexus/internal/initialization/recovery/recovery.go

@@ -123,13 +123,17 @@ func HydrateMemoryFromBackingStore() {
 	log.Log().Info(fName, "msg", "HydrateMemoryFromBackingStore")
 
 	secrets := persist.ReadAllSecrets()
-	if len(secrets) == 0 {
-		return
+	if len(secrets) > 0 {
+		state.ImportSecrets(secrets)
 	}
+	log.Log().Info(fName, "msg", "HydrateMemoryFromBackingStore: secrets loaded")
 
-	state.ImportSecrets(secrets)
+	policies := persist.ReadAllPolicies()
+	if len(policies) > 0 {
+		state.ImportPolicies(policies)
+	}
 
-	log.Log().Info(fName, "msg", "HydrateMemoryFromBackingStore: secrets loaded")
+	log.Log().Info(fName, "msg", "HydrateMemoryFromBackingStore: policies loaded")
 }
 
 // RestoreBackingStoreUsingPilotShards restores the backing store using the
@@ -153,13 +157,37 @@ func HydrateMemoryFromBackingStore() {
 func RestoreBackingStoreUsingPilotShards(shards []ShamirShard) {
 	const fName = "RestoreBackingStoreUsingPilotShards"
 
+	log.Log().Info(fName, "msg", "Restoring backing store using pilot shards")
+
+	// Sanity check:
+	for shard := range shards {
+		value := shards[shard].Value
+		id := shards[shard].Id
+
+		if mem.Zeroed32(value) || id == 0 {
+			log.Log().Error(
+				fName,
+				"msg", "Bad input: ID or Value of a shard is zero. Exiting recovery",
+			)
+			return
+		}
+	}
+
+	log.Log().Info(fName,
+		"msg", "Recovering backing store using pilot shards",
+		"threshold", env.ShamirThreshold(),
+		"len", len(shards),
+	)
+
 	// Ensure we have at least the threshold number of shards
 	if len(shards) < env.ShamirThreshold() {
 		log.Log().Error(fName, "msg", "Insufficient shards for recovery",
 			"provided", len(shards), "required", env.ShamirThreshold())
 		return
 	}
 
+	log.Log().Info(fName, "msg", "Recovering backing store using pilot shards")
+
 	// Recover the root key using the threshold number of shards
 	binaryRec := RecoverRootKey(shards)
 	// Security: Ensure the root key is zeroed out after use.
@@ -202,9 +230,7 @@ func SendShardsPeriodically(source *workloadapi.X509Source) {
 
 	log.Log().Info(fName, "msg", "Will send shards to keepers")
 
-	// TODO: get this from config.
-	//ticker := time.NewTicker(5 * time.Minute)
-	ticker := time.NewTicker(30 * time.Second)
+	ticker := time.NewTicker(env.RecoveryKeeperUpdateInterval())
 	defer ticker.Stop()
 
 	for range ticker.C {
@@ -255,6 +281,7 @@ func NewPilotRecoveryShards() map[int]*[32]byte {
 	log.Log().Info(fName, "msg", "Generating pilot recovery shards")
 
 	if state.RootKeyZero() {
+		log.Log().Info(fName, "msg", "No root key; skipping")
 		return nil
 	}
 
@@ -271,6 +298,8 @@ func NewPilotRecoveryShards() map[int]*[32]byte {
 	var result = make(map[int]*[32]byte)
 
 	for _, share := range rootShares {
+		log.Log().Info(fName, "msg", "Generating share", "share.id", share.ID)
+
 		contribution, err := share.Value.MarshalBinary()
 		if err != nil {
 			log.Log().Error(fName, "msg", "Failed to marshal share")
@@ -282,8 +311,7 @@ func NewPilotRecoveryShards() map[int]*[32]byte {
 			return nil
 		}
 
-		var bb []byte
-		err = share.ID.UnmarshalBinary(bb)
+		bb, err := share.ID.MarshalBinary()
 		if err != nil {
 			log.Log().Error(fName, "msg", "Failed to unmarshal share Id")
 			return nil
@@ -300,9 +328,12 @@ func NewPilotRecoveryShards() map[int]*[32]byte {
 		var rs [32]byte
 		copy(rs[:], contribution)
 
+		log.Log().Info(fName, "msg", "Generated shares", "len", len(rs))
+
 		result[int(ii)] = &rs
 	}
 
+	log.Log().Info(fName, "msg", "Successfully generated pilot recovery shards.")
 	return result
 }
 

app/nexus/internal/initialization/recovery/shamir.go

@@ -74,6 +74,8 @@ func sanityCheck(secret group.Scalar, shares []shamir.Share) {
 func computeShares() (group.Scalar, []shamir.Share) {
 	const fName = "computeShares"
 
+	log.Log().Info(fName, "msg", "Computing Shamir shares")
+
 	state.LockRootKey()
 	defer state.UnlockRootKey()
 	rk := state.RootKeyNoLock()
@@ -83,6 +85,8 @@ func computeShares() (group.Scalar, []shamir.Share) {
 	t := uint(env.ShamirThreshold() - 1) // Need t+1 shares to reconstruct
 	n := uint(env.ShamirShares())        // Total number of shares
 
+	log.Log().Info(fName, "t", t, "n", n)
+
 	// Create secret from our 32 byte key
 	secret := g.NewScalar()
 
@@ -99,7 +103,11 @@ func computeShares() (group.Scalar, []shamir.Share) {
 	reader := crypto.NewDeterministicReader(rk[:])
 	ss := shamir.New(reader, t, secret)
 
+	log.Log().Info(fName, "msg", "Generated Shamir shares")
+
+	computedShares := ss.Share(n)
+
 	// secret is a pointer type; ss.Share(n) is a slice
 	// shares will have monotonically increasing IDs, starting from 1.
-	return secret, ss.Share(n)
+	return secret, computedShares
 }

app/nexus/internal/initialization/recovery/shard.go

@@ -13,8 +13,8 @@ import (
 	apiUrl "github.com/spiffe/spike-sdk-go/api/url"
 	network "github.com/spiffe/spike-sdk-go/net"
 	"github.com/spiffe/spike-sdk-go/security/mem"
+	"github.com/spiffe/spike-sdk-go/spiffeid"
 
-	"github.com/spiffe/spike/internal/auth"
 	"github.com/spiffe/spike/internal/log"
 	"github.com/spiffe/spike/internal/net"
 )
@@ -45,7 +45,7 @@ func shardResponse(source *workloadapi.X509Source, u string) []byte {
 	}
 
 	client, err := network.CreateMtlsClientWithPredicate(
-		source, auth.IsKeeper,
+		source, spiffeid.IsKeeper,
 	)
 
 	if err != nil {
@@ -88,7 +88,7 @@ func shardContributionResponse(
 ) []byte {
 	const fName = "shardContributionResponse"
 
-	client, err := network.CreateMtlsClientWithPredicate(source, auth.IsKeeper)
+	client, err := network.CreateMtlsClientWithPredicate(source, spiffeid.IsKeeper)
 
 	if err != nil {
 		log.Log().Warn(fName,

app/nexus/internal/initialization/recovery/update.go

@@ -16,9 +16,9 @@ import (
 	apiUrl "github.com/spiffe/spike-sdk-go/api/url"
 	network "github.com/spiffe/spike-sdk-go/net"
 	"github.com/spiffe/spike-sdk-go/security/mem"
+	"github.com/spiffe/spike-sdk-go/spiffeid"
 
 	state "github.com/spiffe/spike/app/nexus/internal/state/base"
-	"github.com/spiffe/spike/internal/auth"
 	"github.com/spiffe/spike/internal/log"
 	"github.com/spiffe/spike/internal/net"
 )
@@ -64,6 +64,12 @@ func mustUpdateRecoveryInfo(rk *[32]byte) []secretsharing.Share {
 //  3. findShare() ensures each keeper receives its designated share
 //     This approach simplifies the code flow and maintains consistency across
 //     potential system restarts or failures.
+//
+// Note that sendSharesToKeepers optimistically moves on to the next SPIKE
+// Keeper in the list on error. This is okay, because SPIKE Nexus may not
+// need all keepers to be healthy all at once, and since we periodically
+// send shards to keepers, provided there is no configration mistake,
+// all SPIKE Keepers will get their shards eventually.
 func sendShardsToKeepers(
 	source *workloadapi.X509Source, keepers map[string]string,
 ) {
@@ -74,14 +80,6 @@ func sendShardsToKeepers(
 			keeperApiRoot, string(apiUrl.SpikeKeeperUrlContribute),
 		)
 
-		// TODO: The sendShardsToKeepers function continues to the next keeper
-		// on error. This is reasonable, but consider if all keepers must receive
-		// shares for safety.
-		// For example, maybe configuration problems should cause a fatal error
-		// instead of just bypassing the keeper.
-		// Since this is done periodically in `SendShardsPeriodically()`, we
-		// can overlook temporary issues.
-
 		if err != nil {
 			log.Log().Warn(
 				fName, "msg", "Failed to join path", "url", keeperApiRoot,
@@ -90,7 +88,7 @@ func sendShardsToKeepers(
 		}
 
 		client, err := network.CreateMtlsClientWithPredicate(
-			source, auth.IsKeeper,
+			source, spiffeid.IsKeeper,
 		)
 
 		if err != nil {

app/nexus/internal/route/base/route.go

@@ -15,6 +15,7 @@ import (
 
 	"github.com/spiffe/spike-sdk-go/api/url"
 
+	"github.com/spiffe/spike/app/nexus/internal/env"
 	"github.com/spiffe/spike/app/nexus/internal/route/acl/policy"
 	"github.com/spiffe/spike/app/nexus/internal/route/operator"
 	"github.com/spiffe/spike/app/nexus/internal/route/secret"
@@ -40,9 +41,11 @@ func Route(
 		r.Method,
 		func(a url.ApiAction, p url.ApiUrl) net.Handler {
 			emptyRootKey := state.RootKeyZero()
+			inMemoryMode := env.BackendStoreType() == env.Memory
+
 			emergencyAction := p == url.SpikeNexusUrlOperatorRecover ||
 				p == url.SpikeNexusUrlOperatorRestore
-			if emptyRootKey && !emergencyAction {
+			if !inMemoryMode && emptyRootKey && !emergencyAction {
 				return net.NotReady
 			}