wip: rename realm certificates

Author: cilki

README.md

@@ -47,11 +47,17 @@ the attack surface is consequently expanded with appropriate probabilities.
 With virtual estates, it's not always clear who is in control of what and
 exactly how much control they have.
 
-Control is usually divided among multiple parties. For example, control of your
-Github repos is shared between you and Github Inc (and probably Microsoft too).
-Control of your physical iPhone is shared between you and Apple (with Apple
-argubly having the majority). Control of your password manager is hopefully not
-shared with anyone.
+Control is usually divided among multiple parties. Some examples:
+
+- Control of your Github repos (a digital asset) is shared between you, Github
+  Inc, and probably Microsoft too.
+
+- Control of your iPhone (a physical asset) is shared between you and Apple.
+  Arguably, Apple has more control of it than you do.
+
+- Control of your password manager (a digital asset) is hopefully not shared
+  with anyone. SaaS password managers have some minimal level of control even
+  with proper encryption.
 
 While it's impossible to know exactly what percentage of control we have over
 our virtual estates, it definitely seems to be trending down. People are willing
@@ -99,7 +105,8 @@ server compromise.
 ## How it works
 
 Sandpolis runs an agent on your devices and allows you to interact with them
-from a client application.
+from a client application. A server mediates client/agent communication and
+stores historical data about instances in the network.
 
 ## Layers
 

sandpolis-realm/README.md

@@ -7,7 +7,7 @@ simultaneously while agent instances belong to one realm at a time.
 As an example, you can have _work_ and _home_ realms that are completely
 isolated (other than running on the same server).
 
-### User membership
+### Realm membership
 
 Users can become members of a realm with an associated set of permissions.
 
@@ -17,5 +17,28 @@ All users are members of a special realm called _default_.
 
 ### Realm authentication
 
-All connections to a server instance must be authenticated with a realm using
-clientAuth certificates.
+All connections to a server instance must be authenticated with a realm using a
+TLS certificate.
+
+There are four types of certificate:
+
+#### Realm cluster certificate
+
+Each realm has a single "root" cluster certificate that signs new server,
+client, and agent certificates.
+
+#### Realm server certificate
+
+This certificate is used by clients and agents to verify the server is part of
+the cluster.
+
+#### Realm client certificate
+
+This certificate is used to authenticate with servers as a client instance. The
+server verifies the client certificate was issued by the cluster certificate.
+
+#### Realm agent certificate
+
+Also a clientAuth certificate, but is distinct from regular realm client
+certificates so that it's impossible to use an agent cert to authenticate as a
+client instance.

sandpolis-realm/src/lib.rs

@@ -44,21 +44,14 @@ impl RealmLayer {
         // Create default realm if it doesn't exist
         if database.get(Some("default".parse()?)).await.is_err() {
             debug!("Creating default realm");
-            let db = database.get(None).await?;
-            let rw = db.rw_transaction()?;
-            if rw
-                .get()
-                .secondary::<RealmData>(RealmDataKey::name, "default".parse::<RealmName>()?)?
-                .is_none()
-            {
-                rw.insert(RealmData::default());
-                rw.commit()?;
-            }
+            let db = database.get(Some("default".parse()?)).await?;
+
+            let default_realm = RealmData::default();
 
             #[cfg(feature = "server")]
             let ca = realm.insert_document(
                 "ca",
-                RealmCaCert::new(
+                RealmClusterCert::new(
                     instance_layer.data.value().cluster_id,
                     realm.data.name.clone(),
                 )?,
@@ -70,6 +63,12 @@ impl RealmLayer {
                 ca.data
                     .server_cert(instance_layer.data.value().instance_id)?,
             )?;
+
+            {
+                let rw = db.rw_transaction()?;
+                rw.insert(default_realm);
+                rw.commit()?;
+            }
         }
 
         // Load all realm databases
@@ -112,22 +111,27 @@ pub struct RealmData {
     #[secondary_key(unique)]
     pub name: RealmName,
     pub owner: UserName,
+
+    pub cluster_cert: Option<RealmClusterCert>,
 }
 
-/// The realm's global CA cert. These have a lifetime of 100 years.
-#[derive(Serialize, Deserialize, Debug)]
-pub struct RealmCaCert {
+/// The realm's global CA certificate.
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq)]
+pub struct RealmClusterCert {
     pub name: RealmName,
+    /// PEM-encoded certificate
     pub cert: String,
-    pub key: String,
+    /// PEM-encoded key
+    pub key: Option<String>,
 }
 
-/// Each server in the cluster gets its own server certificate. These have a
-/// lifetime 1 year.
-#[derive(Serialize, Deserialize, Debug)]
+/// Each server in the cluster gets its own server certificate.
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq)]
 pub struct RealmServerCert {
+    /// PEM-encoded certificate
     pub cert: String,
-    pub key: String,
+    /// PEM-encoded key
+    pub key: Option<String>,
 }
 
 impl RealmServerCert {
@@ -154,13 +158,13 @@ impl RealmServerCert {
     }
 }
 
-/// A _client_ certificate (not as in "client" instance) used to authenticate
-/// with a server instance.
+/// Realm certificate for client instances that can authenticate with a server
+/// instance against a particular realm.
 #[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq)]
 pub struct RealmClientCert {
     pub ca: String,
     pub cert: String,
-    pub key: String,
+    pub key: Option<String>,
 }
 
 impl RealmClientCert {
@@ -190,7 +194,7 @@ impl RealmClientCert {
         // Combine cert and key together
         let mut bundle = Vec::new();
         bundle.extend_from_slice(&self.cert.as_bytes());
-        bundle.extend_from_slice(&self.key.as_bytes());
+        bundle.extend_from_slice(&self.key.ok_or_else(|| anyhow!("No key"))?.as_bytes());
         Ok(reqwest::Identity::from_pem(&bundle)?)
     }
 
@@ -221,8 +225,17 @@ impl RealmClientCert {
     }
 }
 
+/// Realm certificate for agent instances that can authenticate with a server
+/// instance against a particular realm.
+#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq)]
+pub struct RealmAgentCert {
+    pub ca: String,
+    pub cert: String,
+    pub key: String,
+}
+
 pub enum RealmPermission {
-    /// Right to create realms on the server
+    /// Right to create new realms on the server
     Create,
     /// Right to view all realms on the server
     List,

sandpolis-realm/src/server.rs

@@ -1,11 +1,10 @@
-//! Server implementation
-
-use super::RealmCaCert;
 use super::RealmClientCert;
+use super::RealmClusterCert;
 use super::RealmData;
 use super::RealmName;
 use super::RealmServerCert;
 use anyhow::Result;
+use anyhow::anyhow;
 use anyhow::bail;
 use axum::{
     Extension, extract::Request, middleware::AddExtension, middleware::Next, response::Response,
@@ -36,14 +35,15 @@ use std::io;
 use std::sync::Arc;
 use tempfile::TempDir;
 use tempfile::tempdir;
+use time::Duration;
 use time::OffsetDateTime;
 use tokio::io::{AsyncRead, AsyncWrite};
 use tokio_rustls::server::TlsStream;
 use tower::Layer;
 use tracing::debug;
 use x509_parser::prelude::{FromDer, X509Certificate};
 
-impl super::RealmCaCert {
+impl super::RealmClusterCert {
     /// Generate a new realm CA certificate.
     pub fn new(cluster_id: ClusterId, name: RealmName) -> Result<Self> {
         // Generate key
@@ -53,6 +53,7 @@ impl super::RealmCaCert {
         let mut cert_params = CertificateParams::default();
         cert_params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
         cert_params.not_before = OffsetDateTime::now_utc();
+        cert_params.not_after = OffsetDateTime::now_utc().saturating_add(Duration::days(36780));
         cert_params.subject_alt_names = vec![SanType::DnsName(cluster_id.to_string().try_into()?)];
 
         // TODO still needed?
@@ -68,7 +69,7 @@ impl super::RealmCaCert {
         Ok(Self {
             name,
             cert: cert.pem(),
-            key: keypair.serialize_pem(),
+            key: Some(keypair.serialize_pem()),
         })
     }
 
@@ -78,10 +79,12 @@ impl super::RealmCaCert {
         Ok(CertificateParams::from_ca_cert_der(
             &pem::parse(&self.cert)?.into_contents().try_into()?,
         )?
-        .self_signed(&KeyPair::from_pem(&self.key)?)?)
+        .self_signed(&KeyPair::from_pem(
+            &self.key.ok_or_else(|| anyhow!("No key"))?,
+        )?)?)
     }
 
-    /// Generate a new _clientAuth_ certificate signed by the realm's CA.
+    /// Generate a new realm certificate for client instances.
     pub fn client_cert(&self) -> Result<RealmClientCert> {
         // Generate key
         let keypair = KeyPair::generate()?;
@@ -92,10 +95,10 @@ impl super::RealmCaCert {
             .extended_key_usages
             .push(ExtendedKeyUsagePurpose::ClientAuth);
         cert_params.not_before = OffsetDateTime::now_utc();
+        cert_params.not_after = OffsetDateTime::now_utc().saturating_add(Duration::days(365));
         cert_params
             .distinguished_name
             .push(DnType::CommonName, &*self.name);
-        // TODO not_after of 1 month
 
         // Generate the certificate signed by the CA
         let cert = cert_params.signed_by(&keypair, &self.ca()?, &KeyPair::from_pem(&self.key)?)?;
@@ -104,11 +107,11 @@ impl super::RealmCaCert {
         Ok(RealmClientCert {
             ca: self.ca()?.pem(),
             cert: cert.pem(),
-            key: keypair.serialize_pem(),
+            key: Some(keypair.serialize_pem()),
         })
     }
 
-    /// Generate a new _serverAuth_ certificate signed by the realm's CA.
+    /// Generate a new realm certificate for server instances.
     pub fn server_cert(&self, server_id: InstanceId) -> Result<RealmServerCert> {
         if !server_id.is_type(InstanceType::Server) {
             bail!("A server ID is required");
@@ -123,18 +126,22 @@ impl super::RealmCaCert {
             .extended_key_usages
             .push(ExtendedKeyUsagePurpose::ServerAuth);
         cert_params.not_before = OffsetDateTime::now_utc();
+        cert_params.not_after = OffsetDateTime::now_utc().saturating_add(Duration::days(365));
         cert_params.subject_alt_names = vec![SanType::DnsName(
             format!("{server_id}.{}", self.name).try_into()?,
         )];
-        // TODO not_after of 1 year
 
         // Generate the certificate signed by the CA
-        let cert = cert_params.signed_by(&keypair, &self.ca()?, &KeyPair::from_pem(&self.key)?)?;
+        let cert = cert_params.signed_by(
+            &keypair,
+            &self.ca()?,
+            &KeyPair::from_pem(&self.key.ok_or_else(|| anyhow!("No key"))?)?,
+        )?;
 
         debug!(cert = ?cert.params(), "Generated new realm server certificate");
         Ok(RealmServerCert {
             cert: cert.pem(),
-            key: keypair.serialize_pem(),
+            key: Some(keypair.serialize_pem()),
         })
     }
 }
@@ -157,7 +164,7 @@ mod test_realm_ca {
 
     #[test]
     fn test_generate_and_authenticate() -> Result<()> {
-        let ca = RealmCaCert::new(ClusterId::default(), "default".parse()?)?;
+        let ca = RealmClusterCert::new(ClusterId::default(), "default".parse()?)?;
         let client = ca.client_cert()?;
         let server = ca.server_cert(InstanceId::new_server())?;
 
@@ -207,38 +214,53 @@ pub struct TlsData {
     peer_certificates: Option<Vec<CertificateDer<'static>>>,
 }
 
+/// Accepts TLS connections with realm certificates.
 #[derive(Debug, Clone)]
 pub struct RealmAcceptor(RustlsAcceptor);
 
 impl RealmAcceptor {
-    pub fn new(realms: Collection<RealmData>) -> Result<Self> {
+    pub fn new(realms: Vec<RealmData>) -> Result<Self> {
         let mut roots = RootCertStore::empty();
         let mut sni_resolver = ResolvesServerCertUsingSni::new();
 
         let config = ServerConfig::builder();
 
-        for realm in realms.documents() {
-            let realm = realm?;
-            let ca: Document<RealmCaCert> = realm.get_document("ca")?.unwrap();
-            let server: Document<RealmServerCert> = realm.get_document("server")?.unwrap();
-
-            roots.add(pem::parse(&ca.data.cert)?.into_contents().try_into()?)?;
+        for realm in realms {
+            // Add cluster cert as a CA cert to the root store
+            {
+                let cluster_cert: &RealmClusterCert = realm
+                    .cluster_cert
+                    .as_ref()
+                    .ok_or_else(|| anyhow!("No cluster cert")?);
 
-            let private_key = config
-                .crypto_provider()
-                .key_provider
-                .load_private_key(PrivateKeyDer::from_pem_slice(&server.data.key.as_bytes())?)?;
-
-            sni_resolver.add(
-                &server.data.subject_name()?,
-                rustls::sign::CertifiedKey::new(
-                    vec![pem::parse(&server.data.cert)?.into_contents().try_into()?],
-                    private_key,
-                ),
-            )?;
+                roots.add(pem::parse(&cluster_cert.cert)?.into_contents().try_into()?)?;
+            }
 
-            // TODO
-            break;
+            // Add server cert to the SNI resolver
+            {
+                let server_cert: Document<RealmServerCert> = realm.get_document("server")?.unwrap();
+                let private_key = config.crypto_provider().key_provider.load_private_key(
+                    PrivateKeyDer::from_pem_slice(
+                        &server_cert
+                            .data
+                            .key
+                            .ok_or_else(|| anyhow!("No server key")?)
+                            .as_bytes(),
+                    )?,
+                )?;
+
+                sni_resolver.add(
+                    &server_cert.data.subject_name()?,
+                    rustls::sign::CertifiedKey::new(
+                        vec![
+                            pem::parse(&server_cert.data.cert)?
+                                .into_contents()
+                                .try_into()?,
+                        ],
+                        private_key,
+                    ),
+                )?;
+            }
         }
 
         Ok(Self(RustlsAcceptor::new(RustlsConfig::from_config(