internal/gomote, internal/coordinator/remote: add the sign SSH key endpoint implementation

This change adds the implementation for the sign SSH key endpoint.
The endpoint accepts a public SSH key and signs it with the gomote
server's certificate authority. The certificate added to the public
key will be used to validate if the certificate authority was used
to sign the certificate. It will also be used to determine if
the requestor has rights to initiate and SSH session with the
gomote instance being requested. This is part of a shift to
OpenSSH certificate authentication in the gomote SSH server.

For golang/go#47521
Updates golang/go#48742

Change-Id: I427b34c7f006ae20f5643322dc0754bf7a82e5f1
Reviewed-on: https://go-review.googlesource.com/c/build/+/391516
Trust: Carlos Amedee <[email protected]>
Run-TryBot: Carlos Amedee <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Heschi Kreinick <[email protected]>

Author: cagedmantis

cmd/coordinator/coordinator.go

@@ -341,6 +341,7 @@ func main() {
 	if err := loadStatic(); err != nil {
 		log.Printf("Failed to load static resources: %v", err)
 	}
+	sshCA := mustRetrieveSSHCertificateAuthority()
 
 	var opts []grpc.ServerOption
 	if *buildEnvName == "" && *mode != "dev" && metadata.OnGCE() {
@@ -362,7 +363,7 @@ func main() {
 	dashV1 := legacydash.Handler(gce.GoDSClient(), maintnerClient, string(masterKey()), grpcServer)
 	dashV2 := &builddash.Handler{Datastore: gce.GoDSClient(), Maintner: maintnerClient}
 	gs := &gRPCServer{dashboardURL: "https://build.golang.org"}
-	gomoteServer := gomote.New(remote.NewSessionPool(context.Background()), sched)
+	gomoteServer := gomote.New(remote.NewSessionPool(context.Background()), sched, sshCA)
 	protos.RegisterCoordinatorServer(grpcServer, gs)
 	gomoteprotos.RegisterGomoteServiceServer(grpcServer, gomoteServer)
 	mux.HandleFunc("/", grpcHandlerFunc(grpcServer, handleStatus)) // Serve a status page at farmer.golang.org.
@@ -2214,3 +2215,11 @@ func mustCreateEC2BuildletPool(sc *secret.Client) *pool.EC2Buildlet {
 	}
 	return ec2Pool
 }
+
+func mustRetrieveSSHCertificateAuthority() (privateKey []byte) {
+	privateKey, _, err := remote.SSHKeyPair()
+	if err != nil {
+		log.Fatalf("unable to create SSH CA cert: %s", err)
+	}
+	return
+}

internal/coordinator/remote/ssh.go

@@ -0,0 +1,73 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package remote
+
+import (
+	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"time"
+
+	"golang.org/x/crypto/ssh"
+)
+
+// SignPublicSSHKey signs a public SSH key using the certificate authority. These keys are intended for use with the specified gomote and owner.
+// The public SSH are intended to be used in OpenSSH certificate authentication with the gomote SSH server.
+func SignPublicSSHKey(ctx context.Context, caPriKey ssh.Signer, rawPubKey []byte, sessionID, ownerID string, d time.Duration) ([]byte, error) {
+	pubKey, _, _, _, err := ssh.ParseAuthorizedKey(rawPubKey)
+	if err != nil {
+		return nil, fmt.Errorf("unable to parse public key=%w", err)
+	}
+	cert := &ssh.Certificate{
+		Key:             pubKey,
+		Serial:          1,
+		CertType:        ssh.UserCert,
+		KeyId:           "go_build",
+		ValidPrincipals: []string{fmt.Sprintf("%[email protected]", sessionID), ownerID},
+		ValidAfter:      uint64(time.Now().Unix()),
+		ValidBefore:     uint64(time.Now().Add(d).Unix()),
+		Permissions: ssh.Permissions{
+			Extensions: map[string]string{
+				"permit-X11-forwarding":   "",
+				"permit-agent-forwarding": "",
+				"permit-port-forwarding":  "",
+				"permit-pty":              "",
+				"permit-user-rc":          "",
+			},
+		},
+	}
+	if err := cert.SignCert(rand.Reader, caPriKey); err != nil {
+		return nil, fmt.Errorf("cerificate.SignCert() = %w", err)
+	}
+	mCert := ssh.MarshalAuthorizedKey(cert)
+	return mCert, nil
+}
+
+// SSHKeyPair generates a set of ecdsa256 SSH Keys. The public key is serialized for inclusion in
+// an OpenSSH authorized_keys file. The private key is PEM encoded.
+func SSHKeyPair() (privateKey []byte, publicKey []byte, err error) {
+	private, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return nil, nil, err
+	}
+	public, err := ssh.NewPublicKey(&private.PublicKey)
+	if err != nil {
+		return nil, nil, err
+	}
+	publicKey = ssh.MarshalAuthorizedKey(public)
+	priKeyByt, err := x509.MarshalECPrivateKey(private)
+	if err != nil {
+		return nil, nil, fmt.Errorf("unable to marshal private key=%w", err)
+	}
+	privateKey = pem.EncodeToMemory(&pem.Block{
+		Type:  "EC PRIVATE KEY",
+		Bytes: priKeyByt,
+	})
+	return
+}

internal/coordinator/remote/ssh_test.go

@@ -0,0 +1,79 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package remote
+
+import (
+	"context"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+	"golang.org/x/crypto/ssh"
+)
+
+func TestSignPublicSSHKey(t *testing.T) {
+	signer, err := ssh.ParsePrivateKey([]byte(devCertCAPrivate))
+	if err != nil {
+		t.Fatalf("ssh.ParsePrivateKey() = %s", err)
+	}
+	ownerID := "accounts.google.com:userIDvalue"
+	sessionID := "user-maria-linux-amd64-12"
+	gotPubKey, err := SignPublicSSHKey(context.Background(), signer, []byte(devCertClientPublic), sessionID, ownerID, time.Minute)
+	if err != nil {
+		t.Fatalf("SignPublicSSHKey(...) = _, %s; want no error", err)
+	}
+	pubKey, _, _, _, err := ssh.ParseAuthorizedKey(gotPubKey)
+	if err != nil {
+		t.Fatalf("ssh.ParseAuthorizedKey(...) = %s; want no error", err)
+	}
+	certChecker := &ssh.CertChecker{}
+	wantPrinciple := fmt.Sprintf("%[email protected]", sessionID)
+	pubKeyCert := pubKey.(*ssh.Certificate)
+	if err := certChecker.CheckCert(wantPrinciple, pubKeyCert); err != nil {
+		t.Fatalf("certChecker.CheckCert(%s, %+v) = %s", wantPrinciple, pubKeyCert, err)
+	}
+	if diff := cmp.Diff(pubKeyCert.SignatureKey.Marshal(), signer.PublicKey().Marshal()); diff != "" {
+		t.Fatalf("Public Keys mismatch (-want +got):\n%s", diff)
+	}
+}
+
+const (
+	// devCertCAPrivate is a private SSH CA certificate to be used for development.
+	devCertCAPrivate = `-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACCVd2FJ3Db/oV53iRDt1RLscTn41hYXbunuCWIlXze2WAAAAJhjy3ePY8t3
+jwAAAAtzc2gtZWQyNTUxOQAAACCVd2FJ3Db/oV53iRDt1RLscTn41hYXbunuCWIlXze2WA
+AAAEALuUJMb/rEaFNa+vn5RejeoBiiViyda7djgEvMnQ8fRJV3YUncNv+hXneJEO3VEuxx
+OfjWFhdu6e4JYiVfN7ZYAAAAE3Rlc3R1c2VyQGdvbGFuZy5vcmcBAg==
+-----END OPENSSH PRIVATE KEY-----`
+
+	// devCertCAPublic is a public SSH CA certificate to be used for development.
+	devCertCAPublic = `ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJV3YUncNv+hXneJEO3VEuxxOfjWFhdu6e4JYiVfN7ZY [email protected]`
+
+	// devCertClientPrivate is a private SSH certificate to be used for development.
+	devCertClientPrivate = `-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACBxCM6ADdHnjTIHG/IpMa3z32CLwtu3BDUR3k2NNbI3owAAAKDFZ7xtxWe8
+bQAAAAtzc2gtZWQyNTUxOQAAACBxCM6ADdHnjTIHG/IpMa3z32CLwtu3BDUR3k2NNbI3ow
+AAAECidrOyYbTlYxyBSPP7W/UHk3Si2dgWSfkT+eEIETcvqHEIzoAN0eeNMgcb8ikxrfPf
+YIvC27cENRHeTY01sjejAAAAFnRlc3RfY2xpZW50QGdvbGFuZy5vcmcBAgMEBQYH
+-----END OPENSSH PRIVATE KEY-----`
+
+	// devCertClientPublic is a public SSH certificate to be used for development.
+	devCertClientPublic = `ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHEIzoAN0eeNMgcb8ikxrfPfYIvC27cENRHeTY01sjej [email protected]`
+
+	// devCertAlternateClientPrivate is a private SSH certificate to be used for development.
+	devCertAlternateClientPrivate = `-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACDOj8K2lbCSv+LojNcrUf0XH1vqknuEZBkAceiBHuNuEQAAAKDYNRtZ2DUb
+WQAAAAtzc2gtZWQyNTUxOQAAACDOj8K2lbCSv+LojNcrUf0XH1vqknuEZBkAceiBHuNuEQ
+AAAEDS4G3tQt5S4v7CD+DVyT/mwOKgIScIgFOpFt/EsCXL9M6PwraVsJK/4uiM1ytR/Rcf
+W+qSe4RkGQBx6IEe424RAAAAF3Rlc3RfZGlzY2FyZEBnb2xhbmcub3JnAQIDBAUG
+-----END OPENSSH PRIVATE KEY-----`
+
+	// devCertAlternateClientPublic is a public SSH to be used for development.
+	devCertAlternateClientPublic = `ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM6PwraVsJK/4uiM1ytR/RcfW+qSe4RkGQBx6IEe424R [email protected]`
+)

internal/gomote/gomote.go

@@ -23,6 +23,7 @@ import (
 	"golang.org/x/build/internal/coordinator/schedule"
 	"golang.org/x/build/internal/gomote/protos"
 	"golang.org/x/build/types"
+	"golang.org/x/crypto/ssh"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 )
@@ -38,15 +39,21 @@ type Server struct {
 	// embed the unimplemented server.
 	protos.UnimplementedGomoteServiceServer
 
-	buildlets *remote.SessionPool
-	scheduler scheduler
+	buildlets               *remote.SessionPool
+	scheduler               scheduler
+	sshCertificateAuthority ssh.Signer
 }
 
-// New creates a gomote server.
-func New(rsp *remote.SessionPool, sched *schedule.Scheduler) *Server {
+// New creates a gomote server. If the rawCAPriKey is invalid, the program will exit.
+func New(rsp *remote.SessionPool, sched *schedule.Scheduler, rawCAPriKey []byte) *Server {
+	signer, err := ssh.ParsePrivateKey(rawCAPriKey)
+	if err != nil {
+		log.Fatalf("unable to parse raw certificate authority private key into signer=%s", err)
+	}
 	return &Server{
-		buildlets: rsp,
-		scheduler: sched,
+		buildlets:               rsp,
+		scheduler:               sched,
+		sshCertificateAuthority: signer,
 	}
 }
 
@@ -161,6 +168,7 @@ func (s *Server) InstanceAlive(ctx context.Context, req *protos.InstanceAliveReq
 	return &protos.InstanceAliveResponse{}, nil
 }
 
+// ListDirectory lists the contents of the directory on a gomote instance.
 func (s *Server) ListDirectory(ctx context.Context, req *protos.ListDirectoryRequest) (*protos.ListDirectoryResponse, error) {
 	creds, err := access.IAPFromContext(ctx)
 	if err != nil {
@@ -306,6 +314,28 @@ func (s *Server) RemoveFiles(ctx context.Context, req *protos.RemoveFilesRequest
 	return &protos.RemoveFilesResponse{}, nil
 }
 
+// SignSSHKey signs the public SSH key with a certificate. The signed public SSH key is intended for use with the gomote service SSH
+// server. It will be signed by the certificate authority of the server and will restrict access to the gomote instance that it was
+// signed for.
+func (s *Server) SignSSHKey(ctx context.Context, req *protos.SignSSHKeyRequest) (*protos.SignSSHKeyResponse, error) {
+	creds, err := access.IAPFromContext(ctx)
+	if err != nil {
+		return nil, status.Errorf(codes.Unauthenticated, "request does not contain the required authentication")
+	}
+	session, err := s.session(req.GetGomoteId(), creds.ID)
+	if err != nil {
+		// the helper function returns meaningful GRPC error.
+		return nil, err
+	}
+	signedPublicKey, err := remote.SignPublicSSHKey(ctx, s.sshCertificateAuthority, req.GetPublicSshKey(), session.ID, session.OwnerID, 5*time.Minute)
+	if err != nil {
+		return nil, status.Errorf(codes.InvalidArgument, "unable to sign ssh key")
+	}
+	return &protos.SignSSHKeyResponse{
+		SignedPublicSshKey: signedPublicKey,
+	}, nil
+}
+
 // WriteTGZFromURL will instruct the gomote instance to download the tar.gz from the provided URL. The tar.gz file will be unpacked in the work directory
 // relative to the directory provided.
 func (s *Server) WriteTGZFromURL(ctx context.Context, req *protos.WriteTGZFromURLRequest) (*protos.WriteTGZFromURLResponse, error) {