Feat/ttls (#131)

* #672 add ttls conf to env

* #672 add change requests

* #672 add change requests

* #672 add change requests

* #672 change requests: return on err

* #672 use intermediateCert for ttls conf

Author: 3u13r

Diff for: coordinator/core/marbleapi.go

@@ -13,6 +13,8 @@ import (
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/x509"
+	"encoding/json"
+	"encoding/pem"
 	"math"
 	"text/template"
 	"time"
@@ -88,6 +90,12 @@ func (c *Core) Activate(ctx context.Context, req *rpc.ActivationReq) (*rpc.Activ
 	}
 
 	marble := c.manifest.Marbles[req.GetMarbleType()] // existence has been checked in verifyManifestRequirement
+	// add TTLS config to Env
+	if err := c.setTTLSConfig(marble); err != nil {
+		c.zaplogger.Error("Could not create TTLS config.", zap.Error(err))
+		return nil, err
+	}
+
 	params, err := customizeParameters(marble.Parameters, authSecrets, secrets)
 	if err != nil {
 		c.zaplogger.Error("Could not customize parameters.", zap.Error(err))
@@ -306,3 +314,24 @@ func (c *Core) generateMarbleAuthSecrets(req *rpc.ActivationReq, marbleUUID uuid
 
 	return authSecrets, nil
 }
+
+func (c *Core) setTTLSConfig(marble manifest.Marble) error {
+	ttlsConf := make(map[string]map[string]string)
+	ttlsConf["tls"] = make(map[string]string)
+	for _, tag := range marble.TLS {
+		for _, entry := range c.manifest.TLS[tag].Outgoing {
+			pemCert := pem.Block{Type: "CERTIFICATE", Bytes: c.intermediateCert.Raw}
+			ttlsConf["tls"][entry.Addr+":"+entry.Port] = string(pem.EncodeToMemory(&pemCert))
+		}
+	}
+	ttlsConfJSON, err := json.Marshal(ttlsConf)
+	if err != nil {
+		return err
+	}
+	if marble.Parameters.Env == nil {
+		marble.Parameters.Env = make(map[string]string)
+	}
+	marble.Parameters.Env["MARBLE_TTLS_CONFIG"] = string(ttlsConfJSON)
+
+	return nil
+}

Diff for: coordinator/core/marbleapi_test.go

@@ -245,6 +245,21 @@ func (ms *marbleSpawner) newMarble(marbleType string, infraName string, shouldSu
 		}
 		ms.mutex.Unlock()
 	}
+
+	// Validate ttls conf
+	config := make(map[string]map[string]string)
+	ms.assert.NoError(json.Unmarshal([]byte(params.Env["MARBLE_TTLS_CONFIG"]), &config))
+	if marbleType == "backend_first" {
+		ms.assert.NotEqual(nil, config["tls"]["localhost:8080"])
+		ms.assert.NotEqual(nil, config["tls"]["service.namespace:4242"])
+	} else if marbleType == "backend_other" {
+		ms.assert.NotEqual(nil, config["tls"]["localhost:8080"])
+		ms.assert.NotEqual(nil, config["tls"]["service.namespace:4242"])
+		ms.assert.NotEqual(nil, config["tls"]["example.com:40000"])
+	} else if marbleType == "frontend" {
+		ms.assert.NotEqual(nil, config["tls"])
+		ms.assert.Equal(0, len(config["tls"]))
+	}
 }
 
 func (ms *marbleSpawner) newMarbleAsync(marbleType string, infraName string, shouldSucceed bool) {

Diff for: coordinator/manifest/manifest.go

@@ -38,6 +38,8 @@ type Manifest struct {
 	Secrets map[string]Secret
 	// RecoveryKeys holds one or multiple RSA public keys to encrypt multiple secrets, which can be used to decrypt the sealed state again in case the encryption key on disk was corrupted somehow.
 	RecoveryKeys map[string]string
+	// TLS contains tags which can be assiged to Marbles to specify which connections should be elevated to TLS
+	TLS map[string]TLStag
 }
 
 // Marble describes a service in the mesh that should be handled and verified by the Coordinator
@@ -49,6 +51,22 @@ type Marble struct {
 	// Parameters contains lists for files, environment variables and commandline arguments that should be passed to the application.
 	// Placeholder variables are supported for specific assets of the marble's activation process.
 	Parameters *rpc.Parameters
+	// TLS holds a list of tags which are specified in the manifest
+	TLS []string
+}
+
+// TLStag describes which entries should be used to determine the ttls connections of a marble
+type TLStag struct {
+	// Outgoing holds a list of all outgoing addresses that should be elevated to TLS
+	Outgoing []TLSTagEntry
+	// Incoming holds a list of all incoming addresses that should be elevated to TLS
+	Incoming []TLSTagEntry
+}
+
+// TLSTagEntry describes one connection which should be elevated to ttls
+type TLSTagEntry struct {
+	Port string
+	Addr string
 }
 
 // Check checks if the manifest is consistent.

Diff for: test/manifests.go

@@ -69,7 +69,10 @@ const ManifestJSON string = `{
 					"--first",
 					"serve"
 				]
-			}
+			},
+			"TLS": [
+				"web"
+			]
 		},
 		"backend_other": {
 			"Package": "backend",
@@ -82,7 +85,10 @@ const ManifestJSON string = `{
 				"Argv": [
 					"serve"
 				]
-			}
+			},
+			"TLS": [
+				"web", "anotherWeb"
+			]
 		},
 		"frontend": {
 			"Package": "frontend",
@@ -130,6 +136,28 @@ const ManifestJSON string = `{
 			},
 			"ValidFor": 7
 		}
+	},
+	"TLS": {
+		"web": {
+			"Outgoing": [
+				{
+					"Port": "8080",
+					"Addr": "localhost"
+				},
+				{
+					"Port": "4242",
+					"Addr": "service.namespace"
+				}
+			]
+		},
+		"anotherWeb": {
+			"Outgoing": [
+				{
+					"Port": "40000",
+					"Addr": "example.com"
+				}
+			]
+		}
 	}
 }`