KMS-PKI Workers (hashicorp#3101)

This adds a new mechanism for worker authentication that uses the
third-party arbitration of the original KMS flow by leveraging
recently-added capabilities in nodeenrollment to support a registration
wrapper. This allows for workers to be registered to the system with
just a name and a matching wrapper, while at the same time allowing
these workers to be used for private Vault access and multi-hop as they
contain per-worker encryption keys and support rotation.

Nodes using this mode will generate and rotate credentials in-memory
(using another recently added nodeenrollment capability) so will have a
new set of keys on every startup. This has the side effect of ensuring
that there is never a conflict or re-use of these credentials.

Note that the normal test worker flow was using the now-deprecated KMS
method; there is still a test that uses this (explicitly) but all other
tests using test workers that did not specify a specific PKI flow now
actually use this mechanism. This means there is fairly decent test
coverage in a general sense, plus the specific tests updated/added for
this feature.

This also adds a new KMS type that can be used to have
distinct KMSes for upstream authentication vs. accepting from
downstream.

Author: jefferai

CHANGELOG.md

@@ -1,10 +1,17 @@
 # Boundary CHANGELOG
 
 Canonical reference for changes, improvements, and bugfixes for Boundary.
+
 ## Next
 
 ### Deprecations/Changes
 
+* With the introduction of the new KMS variant for worker registration (as
+  described below), using the deprecated behavior requires opting-in. This is
+  only recommended if compatibility with pre-0.13 workers using the KMS auth
+  method is required. Requiring opting in removes some potentially confusing
+  behavior for deciding when to use the old versus new mechanism. To opt in, add
+  `use_deprecated_kms_auth_method = true` to the `worker` config block.
 * When grants are added to roles additional validity checking is now performed.
   This extra validity checking is designed to reject grants that are not
   [documented grant
@@ -17,6 +24,12 @@ Canonical reference for changes, improvements, and bugfixes for Boundary.
 
 ### New and Improved
 
+* KMS workers: KMS workers now have feature parity with PKI workers (they
+  support multi-hop and Vault private access) and support separate KMSes for
+  authenticating downstreams across different networks. See the [worker
+  configuration
+  documentation](https://developer.hashicorp.com/boundary/docs/configuration/worker)
+  for more information. ([PR](https://github.com/hashicorp/boundary/pull/3101))
 * roles: Perform additional validity checking on grants at submission time
   ([PR](https://github.com/hashicorp/boundary/pull/3081))
 
@@ -37,7 +50,7 @@ Canonical reference for changes, improvements, and bugfixes for Boundary.
   credential type. [PR](https://github.com/hashicorp/boundary/pull/2989)
 * ui: Fix credential library not saving correctly when trying to save it as a
   generic secrets type. ([PR](https://github.com/hashicorp/boundary-ui/pull/1640))
-* sessions: Fix tofu token retreival. ([PR](https://github.com/hashicorp/boundary/pull/3064))
+* sessions: Fix tofu token retrieval. ([PR](https://github.com/hashicorp/boundary/pull/3064))
 
 ## 0.12.0 (2023/01/24)
 

globals/kms.go

@@ -4,10 +4,11 @@
 package globals
 
 const (
-	KmsPurposeRoot              = "root"
-	KmsPurposePreviousRoot      = "previous-root"
-	KmsPurposeWorkerAuth        = "worker-auth"
-	KmsPurposeWorkerAuthStorage = "worker-auth-storage"
-	KmsPurposeRecovery          = "recovery"
-	KmsPurposeConfig            = "config"
+	KmsPurposeRoot                 = "root"
+	KmsPurposePreviousRoot         = "previous-root"
+	KmsPurposeWorkerAuth           = "worker-auth"
+	KmsPurposeWorkerAuthStorage    = "worker-auth-storage"
+	KmsPurposeRecovery             = "recovery"
+	KmsPurposeConfig               = "config"
+	KmsPurposeDownstreamWorkerAuth = "downstream-worker-auth"
 )

go.mod

@@ -96,7 +96,7 @@ require (
 	github.com/hashicorp/cap/ldap v0.0.0-20230123181313-9c0fb924b0d9
 	github.com/hashicorp/go-kms-wrapping/extras/kms/v2 v2.0.0-20221122211539-47c893099f13
 	github.com/hashicorp/go-version v1.3.0
-	github.com/hashicorp/nodeenrollment v0.1.19
+	github.com/hashicorp/nodeenrollment v0.2.0
 	github.com/jimlambrt/gldap v0.1.2
 	github.com/kelseyhightower/envconfig v1.4.0
 	github.com/mikesmitty/edkey v0.0.0-20170222072505-3356ea4e686a
@@ -180,7 +180,7 @@ require (
 	github.com/prometheus/client_model v0.2.0 // indirect
 	github.com/prometheus/common v0.32.1 // indirect
 	github.com/prometheus/procfs v0.7.3 // indirect
-	github.com/rogpeppe/go-internal v1.8.1 // indirect
+	github.com/rogpeppe/go-internal v1.9.0 // indirect
 	github.com/russross/blackfriday/v2 v2.0.1 // indirect
 	github.com/sethvargo/go-diceware v0.3.0 // indirect
 	github.com/shopspring/decimal v1.3.1 // indirect

go.sum

@@ -757,8 +757,8 @@ github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+l
 github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
-github.com/hashicorp/nodeenrollment v0.1.19 h1:RZIYFVfjWlK8MZn7owEEmaoDLHMqROL2K9RkJz2Q5cA=
-github.com/hashicorp/nodeenrollment v0.1.19/go.mod h1:N5gYsm8mWiDfIw/j+1IQ6NBO1cWCmhPpvQ9GB1QUnsU=
+github.com/hashicorp/nodeenrollment v0.2.0 h1:79FbU+2MZaHgFxirQM1G9rU71FxCfXQ2hinEIR/xTco=
+github.com/hashicorp/nodeenrollment v0.2.0/go.mod h1:Do2FvaFHgnnMaqhdSTBX+TkQP0ep8VVQ0rOr+ZjUbJU=
 github.com/hashicorp/vault/api v1.3.1 h1:pkDkcgTh47PRjY1NEFeofqR4W/HkNUi9qIakESO2aRM=
 github.com/hashicorp/vault/api v1.3.1/go.mod h1:QeJoWxMFt+MsuWcYhmwRLwKEXrjwAFFywzhptMsTIUw=
 github.com/hashicorp/vault/sdk v0.1.13/go.mod h1:B+hVj7TpuQY1Y/GPbCpffmgd+tSEwvhkWnjtSYCaS2M=
@@ -1140,7 +1140,6 @@ github.com/pires/go-proxyproto v0.6.1/go.mod h1:Odh9VFOZJCf9G8cLW5o435Xf1J95Jw9G
 github.com/pkg/browser v0.0.0-20210706143420-7d21f8c997e2/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI=
 github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e h1:aoZm08cpOy4WuID//EZDgcC4zIxODThtZNPirFr42+A=
-github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1-0.20171018195549-f15c970de5b7/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -1202,8 +1201,8 @@ github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
 github.com/rogpeppe/go-internal v1.6.2/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
-github.com/rogpeppe/go-internal v1.8.1 h1:geMPLpDpQOgVyCg5z5GoRwLHepNdb71NXb67XFkP+Eg=
-github.com/rogpeppe/go-internal v1.8.1/go.mod h1:JeRgkft04UBgHMgCIwADu4Pn6Mtm5d4nPKWu0nJ5d+o=
+github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
+github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
 github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
 github.com/rs/zerolog v1.13.0/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OKkWU=
 github.com/rs/zerolog v1.15.0/go.mod h1:xYTKnLHcpfU2225ny5qZjxnj9NvkumZYjJHlAThCjNc=
@@ -1952,7 +1951,6 @@ gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
-gopkg.in/errgo.v2 v2.1.0 h1:0vLT13EuvQ0hNvakwLuFZ/jYrLp5F3kcWHXdRggjCE8=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo=

internal/cmd/base/option.go

@@ -25,25 +25,24 @@ type Option func(*Options)
 
 // Options - how Options are represented.
 type Options struct {
-	withNoTokenScope                   bool
-	withNoTokenValue                   bool
-	withSkipDatabaseDestruction        bool
-	withSkipAuthMethodCreation         bool
-	withSkipOidcAuthMethodCreation     bool
-	withSkipScopesCreation             bool
-	withSkipHostResourcesCreation      bool
-	withSkipTargetCreation             bool
-	withContainerImage                 string
-	withDialect                        string
-	withDatabaseTemplate               string
-	withEventerConfig                  *event.EventerConfig
-	withEventFlags                     *EventFlags
-	withEventWrapper                   wrapping.Wrapper
-	withAttributeFieldPrefix           string
-	withStatusCode                     int
-	withHostPlugin                     func() (string, plugin.HostPluginServiceClient)
-	withEventGating                    bool
-	withSkipWorkerAuthKmsInstantiation bool
+	withNoTokenScope               bool
+	withNoTokenValue               bool
+	withSkipDatabaseDestruction    bool
+	withSkipAuthMethodCreation     bool
+	withSkipOidcAuthMethodCreation bool
+	withSkipScopesCreation         bool
+	withSkipHostResourcesCreation  bool
+	withSkipTargetCreation         bool
+	withContainerImage             string
+	withDialect                    string
+	withDatabaseTemplate           string
+	withEventerConfig              *event.EventerConfig
+	withEventFlags                 *EventFlags
+	withEventWrapper               wrapping.Wrapper
+	withAttributeFieldPrefix       string
+	withStatusCode                 int
+	withHostPlugin                 func() (string, plugin.HostPluginServiceClient)
+	withEventGating                bool
 }
 
 func getDefaultOptions() Options {
@@ -192,11 +191,3 @@ func WithEventGating(with bool) Option {
 		o.withEventGating = with
 	}
 }
-
-// WithSkipWorkerAuthKmsInstantiation causes KMS methods used for worker-auth to
-// not be processed, useful for dev mode
-func WithSkipWorkerAuthKmsInstantiation(with bool) Option {
-	return func(o *Options) {
-		o.withSkipWorkerAuthKmsInstantiation = with
-	}
-}

internal/cmd/base/servers.go

@@ -18,6 +18,7 @@ import (
 	"strconv"
 	"strings"
 	"sync"
+	"sync/atomic"
 	"syscall"
 	"time"
 
@@ -76,12 +77,18 @@ type Server struct {
 	StderrLock *sync.Mutex
 	Eventer    *event.Eventer
 
-	RootKms              wrapping.Wrapper
-	WorkerAuthKms        wrapping.Wrapper
-	WorkerAuthStorageKms wrapping.Wrapper
-	RecoveryKms          wrapping.Wrapper
-	Kms                  *kms.Kms
-	SecureRandomReader   io.Reader
+	// NOTE: Unlike the other wrappers below, if set, DownstreamWorkerAuthKms
+	// should always be a PooledWrapper, so that we can allow multiple KMSes to
+	// accept downstream connections. As such it's made explicit here.
+	DownstreamWorkerAuthKms *multi.PooledWrapper
+	RootKms                 wrapping.Wrapper
+	WorkerAuthKms           wrapping.Wrapper
+	WorkerAuthStorageKms    wrapping.Wrapper
+	RecoveryKms             wrapping.Wrapper
+	Kms                     *kms.Kms
+	SecureRandomReader      io.Reader
+
+	WorkerAuthDebuggingEnabled *atomic.Bool
 
 	PrometheusRegisterer prometheus.Registerer
 
@@ -118,10 +125,6 @@ type Server struct {
 	DevTargetSessionConnectionLimit  int
 	DevLoopbackHostPluginId          string
 
-	// DevUsePkiForUpstream is a hint that we are in dev mode and have a worker
-	// auth KMS but want to use PKI for upstream connections
-	DevUsePkiForUpstream bool
-
 	EnabledPlugins []EnabledPlugin
 	HostPlugins    map[string]plgpb.HostPluginServiceClient
 
@@ -140,15 +143,16 @@ type Server struct {
 // NewServer creates a new Server.
 func NewServer(cmd *Command) *Server {
 	return &Server{
-		Command:              cmd,
-		ServerSideShutdownCh: make(chan struct{}),
-		InfoKeys:             make([]string, 0, 20),
-		Info:                 make(map[string]string),
-		SecureRandomReader:   rand.Reader,
-		ReloadFuncsLock:      new(sync.RWMutex),
-		ReloadFuncs:          make(map[string][]reloadutil.ReloadFunc),
-		StderrLock:           new(sync.Mutex),
-		PrometheusRegisterer: prometheus.DefaultRegisterer,
+		Command:                    cmd,
+		ServerSideShutdownCh:       make(chan struct{}),
+		InfoKeys:                   make([]string, 0, 20),
+		Info:                       make(map[string]string),
+		SecureRandomReader:         rand.Reader,
+		ReloadFuncsLock:            new(sync.RWMutex),
+		ReloadFuncs:                make(map[string][]reloadutil.ReloadFunc),
+		StderrLock:                 new(sync.Mutex),
+		WorkerAuthDebuggingEnabled: new(atomic.Bool),
+		PrometheusRegisterer:       prometheus.DefaultRegisterer,
 	}
 }
 
@@ -546,25 +550,22 @@ func (b *Server) SetupListeners(ui cli.Ui, config *configutil.SharedConfig, allo
 // SetupKMSes takes in a parsed config, does some minor checking on purposes,
 // and sends each off to configutil to instantiate a wrapper.
 func (b *Server) SetupKMSes(ctx context.Context, ui cli.Ui, config *config.Config, opt ...Option) error {
-	opts := getOpts(opt...)
-
 	sharedConfig := config.SharedConfig
 	var pluginLogger hclog.Logger
 	var err error
 	var previousRootKms wrapping.Wrapper
+	purposeCount := map[string]uint{}
 	for _, kms := range sharedConfig.Seals {
 		for _, purpose := range kms.Purpose {
 			purpose = strings.ToLower(purpose)
+			purposeCount[purpose] = purposeCount[purpose] + 1
 			switch purpose {
 			case "":
 				return errors.New("KMS block missing 'purpose'")
-			case globals.KmsPurposeWorkerAuth:
-				if opts.withSkipWorkerAuthKmsInstantiation {
-					continue
-				}
 			case globals.KmsPurposeRoot,
 				globals.KmsPurposePreviousRoot,
 				globals.KmsPurposeConfig,
+				globals.KmsPurposeWorkerAuth,
 				globals.KmsPurposeWorkerAuthStorage:
 			case globals.KmsPurposeRecovery:
 				if config.Controller != nil && config.DevRecoveryKey != "" {
@@ -595,7 +596,7 @@ func (b *Server) SetupKMSes(ctx context.Context, ui cli.Ui, config *config.Confi
 					pluginutil.WithPluginsFilesystem(kms_plugin_assets.KmsPluginPrefix, kms_plugin_assets.FileSystem()),
 					pluginutil.WithPluginExecutionDirectory(config.Plugins.ExecutionDir),
 				),
-				configutil.WithLogger(pluginLogger.Named(kms.Type).With("purpose", purpose)),
+				configutil.WithLogger(pluginLogger.Named(kms.Type).With("purpose", fmt.Sprintf("%s-%d", purpose, purposeCount[purpose]))),
 			)
 			if wrapperConfigError != nil {
 				return fmt.Errorf(
@@ -641,6 +642,21 @@ func (b *Server) SetupKMSes(ctx context.Context, ui cli.Ui, config *config.Confi
 					return fmt.Errorf("Duplicate KMS block for purpose '%s'. You may need to remove all but the last KMS block for this purpose.", purpose)
 				}
 				b.WorkerAuthKms = wrapper
+			case globals.KmsPurposeDownstreamWorkerAuth:
+				if b.DownstreamWorkerAuthKms == nil {
+					b.DownstreamWorkerAuthKms, err = multi.NewPooledWrapper(ctx, wrapper)
+					if err != nil {
+						return fmt.Errorf("Error instantiating pooled wrapper for downstream worker auth: %w.", err)
+					}
+				} else {
+					added, err := b.DownstreamWorkerAuthKms.AddWrapper(ctx, wrapper)
+					if err != nil {
+						return fmt.Errorf("Error adding additional wrapper to downstream worker auth wrapper pool: %w.", err)
+					}
+					if !added {
+						return fmt.Errorf("Wrapper already added to downstream worker auth wrapper pool.")
+					}
+				}
 			case globals.KmsPurposeWorkerAuthStorage:
 				if b.WorkerAuthStorageKms != nil {
 					return fmt.Errorf("Duplicate KMS block for purpose '%s'. You may need to remove all but the last KMS block for this purpose.", purpose)