diff --git a/DESIGN.md b/DESIGN.md index d32d4abb..aa03f7bf 100644 --- a/DESIGN.md +++ b/DESIGN.md @@ -11,10 +11,10 @@ openssl keys. Specifically, client creates a keypair on startup, or when asked to rekey. The Fleetspeak [`common.ClientID`](https://godoc.org/github.com/google/fleetspeak/fleetspeak/src/common#ClientID) is the first 8 bytes of a sha256 hash of the public part of this key. It is the -[Server Communicator's](#server-communicator) responsibility to verify the identity of -clients. The recommended approach is to communicate over TLS using the client's -Fleetspeak key as TLS client identification. The [`https.Communicator` -source](https://github.com/google/fleetspeak/blob/master/fleetspeak/src/server/https/https.go) +[Server Communicator's](#server-communicator) responsibility to verify the +identity of clients. The recommended approach is to communicate over TLS using +the client's Fleetspeak key as TLS client identification. The +[`https.Communicator` source](https://github.com/google/fleetspeak/blob/master/fleetspeak/src/server/https/https.go) has an example of this. ## Messages @@ -41,8 +41,8 @@ instantiate a [`server.Server`](https://godoc.org/github.com/google/fleetspeak/fleetspeak/src/server#Server), providing the components needed for your particular installation. - ## Miniserver: An Example + The [`miniserver`](https://github.com/google/fleetspeak/blob/master/fleetspeak/src/demo/miniserver/miniserver.go) binary from the demo directory defines a Fleetspeak Server in a way suitable for 
@@ -51,19 +51,19 @@ demonstrations and small installations. When run, the miniserver binary binds two ports, and accepts bind addresses for each from the command line. The `--https_addr` flag determines the interface and port that clients will connect to. It needs to be open to the internet, or at -least to all Fleetspeak client machines. See [Server -Communicator](#server-communicator), below. +least to all Fleetspeak client machines. See +[Server Communicator](#server-communicator), below. The `--admin_addr` flag determines the interface and port that the [Administrative Interface](#administrative-interface) listens on. The miniserver binary does not perform any authentication of administrative requests. Therefore access to this port needs to be limited to trusted processes. -The miniserver process stores all of its state in an SQLite version 3 -database. The location of this database file is set by the flag -`--database_path`. This file will be created if missing. After running -miniserver, you can examine the system state using, e.g., the `sqlite3` command -and package on Debian systems. See [Datastore](#datastore) below. +The miniserver process stores all of its state in an SQLite version 3 database. +The location of this database file is set by the flag `--database_path`. This +file will be created if missing. After running miniserver, you can examine the +system state using, e.g., the `sqlite3` command and package on Debian systems. +See [Datastore](#datastore) below. ## Administrative Interface @@ -83,7 +83,8 @@ Datastore implementation providing a view of the same database. Currently we provide two Datastore implementations. At a minimum, any Datastore implementation should pass the tests implemented by -the [`dbtesting`](https://godoc.org/github.com/google/fleetspeak/fleetspeak/src/server/dbtesting) +the +[`dbtesting`](https://godoc.org/github.com/google/fleetspeak/fleetspeak/src/server/dbtesting) package. ### SQLite 
@@ -101,6 +102,7 @@ It does not support multiple servers processes - the SQLite database file should only be opened by one instance of `sqlite.Datastore` at a time. ### Mysql + The [`mysql.Datastore`](https://godoc.org/github.com/google/fleetspeak/fleetspeak/src/server/mysql#Datastore) implements @@ -129,14 +131,14 @@ reverse proxying. When messages arrive on a Fleetspeak server, they must be addressed to a particular service - the `destination` field as described in -[Messages](#messages). A Fleetspeak server runs one or more Services in order -to handle these messages. By configuring additional independent services a -single Fleetspeak installation can handle messages for independent purposes. +[Messages](#messages). A Fleetspeak server runs one or more Services in order to +handle these messages. By configuring additional independent services a single +Fleetspeak installation can handle messages for independent purposes. A service is configured by a [`fleetspeak.server.ServiceConfig`](https://github.com/google/fleetspeak/blob/master/fleetspeak/src/server/proto/fleetspeak_server/services.proto) -protocol buffer. Besides the name, used to address the service, the most important parameter -is `factory`. This string is used to look up a +protocol buffer. Besides the name, used to address the service, the most +important parameter is `factory`. This string is used to look up a [`service.Factory`](https://godoc.org/github.com/google/fleetspeak/fleetspeak/src/server/service#Factory), which determines what code to use to process incoming messages. 
@@ -160,16 +162,15 @@ It expects configuration parameters to be provided in a protocol buffer, and the target GRPC server must implement the `fleetspeak.grpcservice.Processor` GRPC interface. -In addition to the factory, the grpcservice package also exports a [concrete -type](https://godoc.org/github.com/google/fleetspeak/fleetspeak/src/server/grpcservice#GRPCService) +In addition to the factory, the grpcservice package also exports a +[concrete type](https://godoc.org/github.com/google/fleetspeak/fleetspeak/src/server/grpcservice#GRPCService) which can be used to derive a GRPC-based service with more control over how and when it dials a new GRPC target. - # Client The Fleetspeak Client is a small process which runs on an endpoint and -communicates with a Fleetspeak Server. Much like the server, it consists of a +communicates with a Fleetspeak Server. Much like the server, it consists of a base [`client.Client`](https://godoc.org/github.com/google/fleetspeak/fleetspeak/src/client#Client) along with a collection of components, and individual installations may adjust 
@@ -209,15 +210,17 @@ the Fleetspeak client binary as trusted. In addition to the security critical parameters described in the previous section, a Fleetspeak client normally requires a configuration directory to store its private key and to look for additional configuration. See the comments -on [`config.Configuration`](https://godoc.org/github.com/google/fleetspeak/fleetspeak/src/client/config#Configuration) for details. +on +[`config.Configuration`](https://godoc.org/github.com/google/fleetspeak/fleetspeak/src/client/config#Configuration) +for details. ## Client Communicator Every client requires a [`Communicator`](https://godoc.org/github.com/google/fleetspeak/fleetspeak/src/client/comms#Communicator) -component which handles communication with the server. This component defines how -the client communicates with the Fleetspeak server and should agree on protocol -with a corresponding [Server Communicator](#server-communicator). +component which handles communication with the server. This component defines +how the client communicates with the Fleetspeak server and should agree on +protocol with a corresponding [Server Communicator](#server-communicator). The quintessential example is [`https.Communicator`](https://godoc.org/github.com/google/fleetspeak/fleetspeak/src/client/https#Communicator) 
@@ -230,10 +233,10 @@ support for specialized tunneling or proxying. When messages arrive on a Fleetspeak client, they must be addressed to a particular service - the `destination` field as described in -[Messages](#messages). A Fleetspeak client runs one or more Services in order -to handle these messages, and create message to send to the server. By -configuring additional independent services a single Fleetspeak client process -can handle messages for independent purposes. +[Messages](#messages). A Fleetspeak client runs one or more Services in order to +handle these messages, and create message to send to the server. By configuring +additional independent services a single Fleetspeak client process can handle +messages for independent purposes. A service is typically configured by dropping a [`fleetspeak.SignedClientServiceConfig`](https://github.com/google/fleetspeak/blob/master/fleetspeak/src/common/proto/fleetspeak/system.proto) 
@@ -242,21 +245,20 @@ the most important parameter is `factory`. This string is used to look up a [`service.Factory`](https://godoc.org/github.com/google/fleetspeak/fleetspeak/src/client/service#Factory), which determines what code to use to process incoming messages. -This dropped configuration file must be signed with the deployment -key. Therefore by controlling access to the private part of the deployment key, -and hardcoding the public exponent into the client binary, allows an -installation to maintain strong control over what a particular client binary is -capable of. +This dropped configuration file must be signed with the deployment key. +Therefore by controlling access to the private part of the deployment key, and +hardcoding the public exponent into the client binary, allows an installation to +maintain strong control over what a particular client binary is capable of. ### Stdinservice The [`stdinservice.Factory`](https://godoc.org/github.com/google/fleetspeak/fleetspeak/src/client/stdinservice#Factory) runs a binary with flags and standard input provided by a message, and returns -the output it produces. The service configuration determines what binary to -run. Every message received by the service causes and execution of the -binary. The configuration used in the [`demo` -directory](https://github.com/google/fleetspeak/tree/master/fleetspeak/src/demo) +the output it produces. The service configuration determines what binary to run. +Every message received by the service causes and execution of the binary. The +configuration used in the +[`demo` directory](https://github.com/google/fleetspeak/tree/master/fleetspeak/src/demo) sets up services based on this for the `ls` and `cat` binaries. ### Daemonservice 
@@ -266,8 +268,8 @@ The handles the use case in which you want Fleetspeak to run a sub-process and send/receive [messages](#messages) to/from it. This gives full control over what is sent to the server, but requires more integration. The sub-process should use -the [`daemonservice` client -library](https://github.com/google/fleetspeak/tree/master/fleetspeak/src/client/daemonservice/client) +the +[`daemonservice` client library](https://github.com/google/fleetspeak/tree/master/fleetspeak/src/client/daemonservice/client) (currently available for go and python) to communicate through Fleetspeak. ### Socketservice @@ -275,9 +277,9 @@ library](https://github.com/google/fleetspeak/tree/master/fleetspeak/src/client/ The [`socketservice.Factory`](https://godoc.org/github.com/google/fleetspeak/fleetspeak/src/client/socketservice#Factory) handles the use case in which you want Fleetspeak and some separately running -process to find each other and communicate using a local filesystem path, -e.g. through a UNIX domain socket. Much like [`Daemonservice`](#daemonservice) -this also gives full control over what is sent to the server and requires some -integration. The sister process should use the [`socketservice` client -library](https://github.com/google/fleetspeak/tree/master/fleetspeak/src/client/socketservice/client) +process to find each other and communicate using a local filesystem path, e.g. +through a UNIX domain socket. Much like [`Daemonservice`](#daemonservice) this +also gives full control over what is sent to the server and requires some +integration. The sister process should use the +[`socketservice` client library](https://github.com/google/fleetspeak/tree/master/fleetspeak/src/client/socketservice/client) to communicate through Fleetspeak. diff --git a/docs/guide.md b/docs/guide.md index 5b4bf524..140a216b 100644 --- a/docs/guide.md +++ b/docs/guide.md 
@@ -1,5 +1,4 @@ -Guide -===== +# Guide This guide will walk you through setting up your own Fleetspeak instance (both the client and the server) by compiling everything yourself and explaining all @@ -12,9 +11,7 @@ service and a general idea how to extend this setup to more sophisticated tasks. [design]: ../DESIGN.md - -MySQL setup ------------ +## MySQL setup Fleetspeak uses MySQL as its primary data store. Make sure that you have a relatively new MySQL or MariaDB installation—please refer to the official @@ -22,20 +19,22 @@ documentation for instructions specific to your platform. Fire-up the MySQL console as an administrative user, e.g.: - $ mysql --user root +``` +$ mysql --user root +``` Create a Fleetspeak database and an associated database user: - mysql> CREATE USER `fleetspeak-user` IDENTIFIED BY 'fleetspeak-password'; - mysql> CREATE DATABASE `fleetspeak`; - mysql> GRANT ALL PRIVILEGES ON `fleetspeak`.* TO `fleetspeak-user`; +``` +mysql> CREATE USER `fleetspeak-user` IDENTIFIED BY 'fleetspeak-password'; +mysql> CREATE DATABASE `fleetspeak`; +mysql> GRANT ALL PRIVILEGES ON `fleetspeak`.* TO `fleetspeak-user`; +``` Remember the database name, the username and the password—they will be specified later in the Fleetspeak configuration file. - -Fleetspeak compilation ----------------------- +## Fleetspeak compilation Fleetspeak is written in the [Go programming language][golang]. Therefore, in order to compile it you need to install the Go development environment on your 
@@ -46,18 +45,17 @@ In order to simply compile everything, setup `$GOPATH` to a folder of your choice (it will be used by the Go to store the sources and resulting binary files) and run the `go get` tool: - $ export GOPATH="$HOME/fleetspeak" - $ go get github.com/google/fleetspeak/... +``` +$ export GOPATH="$HOME/fleetspeak" +$ go get github.com/google/fleetspeak/... +``` That's it! Now, in your `$GOPATH/bin` you should have multiple Fleetspeak binary files available: `admin`, `client`, `config`, `server`. - [golang]: https://golang.org/ - -Fleetspeak configuration ------------------------- +## Fleetspeak configuration Fleetspeak uses a bunch of configuration files written in the [Protocol Buffers][protobuf] text format. Thanks to this, you can always inspect @@ -107,17 +105,19 @@ possible options. Create the directories if needed and run the configurator: - $ mkdir $HOME/.config/fleetspeak-server $HOME/.config/fleetspeak-client - $ $GOPATH/bin/config -config "$HOME/.config/fleetspeak.textproto" +``` +$ mkdir $HOME/.config/fleetspeak-server $HOME/.config/fleetspeak-client +$ $GOPATH/bin/config -config "$HOME/.config/fleetspeak.textproto" +``` This should generate a bunch of configuration files: - * `$HOME/.config/fleetspeak-server/ca.pem` - * `$HOME/.config/fleetspeak-server/ca-key.pem` - * `$HOME/.config/fleetspeak-server/server.pem` - * `$HOME/.config/fleetspeak-server/server-key.pem` - * `$HOME/.config/fleetspeak-server/components.textproto` - * `$HOME/.config/fleetspeak-client/config.textproto` +* `$HOME/.config/fleetspeak-server/ca.pem` +* `$HOME/.config/fleetspeak-server/ca-key.pem` +* `$HOME/.config/fleetspeak-server/server.pem` +* `$HOME/.config/fleetspeak-server/server-key.pem` +* `$HOME/.config/fleetspeak-server/components.textproto` +* `$HOME/.config/fleetspeak-client/config.textproto` [protobuf]: https://developers.google.com/protocol-buffers/ 
@@ -126,14 +126,18 @@ This should generate a bunch of configuration files: For now, since we do not want to create any services yet, create an empty services configuration file: - $ touch $HOME/.config/fleetspeak-server/services.textproto +``` +$ touch $HOME/.config/fleetspeak-server/services.textproto +``` It should be possible to run the server now: - $ $GOPATH/bin/server \ - -components_config "$HOME/.config/fleetspeak-server/components.textproto" \ - -services_config "$HOME/.config/fleetspeak-server/services.textproto" \ - -alsologtostderr +``` +$ $GOPATH/bin/server \ + -components_config "$HOME/.config/fleetspeak-server/components.textproto" \ + -services_config "$HOME/.config/fleetspeak-server/services.textproto" \ + -alsologtostderr +``` In the terminal, you should see a log message that the Fleetspeak server has started. 
@@ -156,23 +160,25 @@ Create folders where the future client services configuration will be stored and an (empty) communicator configuration. These files are not strictly necessary, but we create them to avoid confusing warnings. - $ mkdir $HOME/.config/fleetspeak-client/services - $ mkdir $HOME/.config/fleetspeak-client/textservices - $ touch $HOME/.config/fleetspeak-client/communicator.txt +``` +$ mkdir $HOME/.config/fleetspeak-client/services +$ mkdir $HOME/.config/fleetspeak-client/textservices +$ touch $HOME/.config/fleetspeak-client/communicator.txt +``` It should be possible to run the client now: - $ $GOPATH/bin/client \ - -config "$HOME/.config/fleetspeak-client/config.textproto" \ - -alsologtostderr +``` +$ $GOPATH/bin/client \ + -config "$HOME/.config/fleetspeak-client/config.textproto" \ + -alsologtostderr +``` It the terminal you should see a log message with see the client id (remember it for later) and, if the server is running, the client should not complain about the connection being refused. - -Fleetspeak services -------------------- +## Fleetspeak services Fleetspeak is just a message delivery system and its pretty useless on its own. In order to do something useful with it, we need services that want to talk with @@ -190,8 +196,10 @@ In this guide we will use [virtualenv][virtualenv] to avoid cluttering the system namespace, but you can install everything globally, if you prefer. Initialize the virtual environment and install necessary packages: - $ python3 -m venv $HOME/.venv/FLEETSPEAK - $ $HOME/.venv/FLEETSPEAK/bin/pip install absl-py protobuf fleetspeak +``` +$ python3 -m venv $HOME/.venv/FLEETSPEAK +$ $HOME/.venv/FLEETSPEAK/bin/pip install absl-py protobuf fleetspeak +``` [python]: https://python.org/ [python-fleetspeak]: https://pypi.org/project/fleetspeak/ 
@@ -231,8 +239,8 @@ if __name__ == "__main__": The program simply creates a connection to the Fleetspeak client and loops waiting for messages indefinitely. In this example, to avoid writing boilerplate -involved with creating custom Protocol Buffer message definitions, we simply -use the `StringValue` message—a standard wrapper around the `string` type. +involved with creating custom Protocol Buffer message definitions, we simply use +the `StringValue` message—a standard wrapper around the `string` type. Because this program makes sense only within the virtual environment, we also need a wrapper script that runs it. Save the following somewhere, e.g. @@ -245,7 +253,9 @@ $HOME/.venv/FLEETSPEAK/bin/python "$HOME/hello.py" This script should be an executable: - $ chmod +x $HOME/hello.sh +``` +$ chmod +x $HOME/hello.sh +``` Finally, we need to make the Fleetspeak client aware of this service. For this purpose, create the following `hello.service` and place it the `textservices` @@ -255,12 +265,14 @@ folder of the Fleetspeak client configuration: name: "hello" factory: "Daemon" config: { - [type.googleapis.com/fleetspeak.daemonservice.Config]: { + argv: "$HOME/hello.sh" } } ``` +[type.googleapis.com/fleetspeak.daemonservice.Config]: { + Once again, note that Fleetspeak does not understand shell variables, so you need to expand `$HOME` manually it the script above. 
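Review bot: The new lines in the `hello.service` example leave the config broken: the `[type.googleapis.com/fleetspeak.daemonservice.Config]: {` line that opens the Any payload has been moved out of the fenced block to after the closing ``` and replaced inside the block by a blank line, so `config: {` now directly contains `argv:` and the braces no longer balance. Most likely a Markdown formatter mistook the bracketed type URL for a reference-style link definition. The block should read `config: {` / `  [type.googleapis.com/fleetspeak.daemonservice.Config]: {` / `    argv: "$HOME/hello.sh"` as before, with the two stray lines after the fence dropped; if the formatter stays in use, tag the fence with a language or otherwise exclude it so the line is not rewritten again.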
@@ -341,30 +353,35 @@ services { } ``` -Running -------- +## Running Everything should now be properly set-up and ready to run. First, launch the server: - $ $GOPATH/bin/server \ - -components_config "$HOME/.config/fleetspeak-server/components.textproto" \ - -services_config "$HOME/.config/fleetspeak-server/services.textproto" \ - -alsologtostderr +``` +$ $GOPATH/bin/server \ + -components_config "$HOME/.config/fleetspeak-server/components.textproto" \ + -services_config "$HOME/.config/fleetspeak-server/services.textproto" \ + -alsologtostderr +``` In a separate terminal, launch the client and note down the client identifier: - $ $GOPATH/bin/client \ - -config "$HOME/.config/fleetspeak-client/config.textproto" \ - -alsologtostderr +``` +$ $GOPATH/bin/client \ + -config "$HOME/.config/fleetspeak-client/config.textproto" \ + -alsologtostderr +``` Finally, in yet another terminal, run the server service with the appropriate client identifier: - $ $HOME/.venv/FLEETSPEAK/bin/python $HOME/greeter.py \ - --client_id="d741e09e257bf4ba" \ - --fleetspeak_message_listen_address="localhost:1337" \ - --fleetspeak_server="localhost:9091" \ - --alsologtostderr +``` +$ $HOME/.venv/FLEETSPEAK/bin/python $HOME/greeter.py \ + --client_id="d741e09e257bf4ba" \ + --fleetspeak_message_listen_address="localhost:1337" \ + --fleetspeak_server="localhost:9091" \ + --alsologtostderr +``` Enter your name as requested and soon a message with response should be logged. diff --git a/fleetspeak/src/e2etesting/balancer/proxyproto/proxyproto.go b/fleetspeak/src/e2etesting/balancer/proxyproto/proxyproto.go index 2fbdac15..1dbfb8b2 100644 --- a/fleetspeak/src/e2etesting/balancer/proxyproto/proxyproto.go +++ b/fleetspeak/src/e2etesting/balancer/proxyproto/proxyproto.go @@ -2,10 +2,11 @@ package proxyproto import ( "fmt" - proxyproto "github.com/pires/go-proxyproto" "io" "net" "strconv" + + proxyproto "github.com/pires/go-proxyproto" ) func splitHostPort(addr string) (net.IP, uint16, error) { 
diff --git a/fleetspeak/src/e2etesting/frr_master_server_main/frr_master_server_main.go b/fleetspeak/src/e2etesting/frr_master_server_main/frr_master_server_main.go
index fb8483a6..d91d3cb1 100644
--- a/fleetspeak/src/e2etesting/frr_master_server_main/frr_master_server_main.go
+++ b/fleetspeak/src/e2etesting/frr_master_server_main/frr_master_server_main.go
@@ -3,12 +3,13 @@ package main
 import (
 "flag"
 "fmt"
+ "net"
+ "os"
+
 frr "github.com/google/fleetspeak/fleetspeak/src/inttesting/frr"
 fgrpc "github.com/google/fleetspeak/fleetspeak/src/inttesting/frr/proto/fleetspeak_frr"
 sgrpc "github.com/google/fleetspeak/fleetspeak/src/server/proto/fleetspeak_server"
 "google.golang.org/grpc"
- "net"
- "os"
 )
 var (
diff --git a/fleetspeak/src/e2etesting/localtesting/end_to_end_test.go b/fleetspeak/src/e2etesting/localtesting/end_to_end_test.go
index 98559b83..d0980ecf 100644
--- a/fleetspeak/src/e2etesting/localtesting/end_to_end_test.go
+++ b/fleetspeak/src/e2etesting/localtesting/end_to_end_test.go
@@ -2,11 +2,12 @@ package localtesting_test
 import (
 "flag"
- "github.com/google/fleetspeak/fleetspeak/src/e2etesting/setup"
- "github.com/google/fleetspeak/fleetspeak/src/e2etesting/tests"
 "os"
 "path/filepath"
 "testing"
+
+ "github.com/google/fleetspeak/fleetspeak/src/e2etesting/setup"
+ "github.com/google/fleetspeak/fleetspeak/src/e2etesting/tests"
 )
 var (
diff --git a/fleetspeak/src/e2etesting/tests/end_to_end_tests.go b/fleetspeak/src/e2etesting/tests/end_to_end_tests.go
index dc260af2..edf37f39 100644
--- a/fleetspeak/src/e2etesting/tests/end_to_end_tests.go
+++ b/fleetspeak/src/e2etesting/tests/end_to_end_tests.go
@@ -3,12 +3,13 @@ package tests
 import (
 "context"
 "fmt"
- fgrpc "github.com/google/fleetspeak/fleetspeak/src/inttesting/frr/proto/fleetspeak_frr"
- fpb "github.com/google/fleetspeak/fleetspeak/src/inttesting/frr/proto/fleetspeak_frr"
- "google.golang.org/grpc"
 "math/rand"
 "testing"
 "time"
+
+ fgrpc "github.com/google/fleetspeak/fleetspeak/src/inttesting/frr/proto/fleetspeak_frr"
+ fpb "github.com/google/fleetspeak/fleetspeak/src/inttesting/frr/proto/fleetspeak_frr"
+ "google.golang.org/grpc"
 )
 var (
diff --git a/fleetspeak/src/server/components/components.go b/fleetspeak/src/server/components/components.go
index 49453da3..41a74aab 100644
--- a/fleetspeak/src/server/components/components.go
+++ b/fleetspeak/src/server/components/components.go
@@ -23,15 +23,16 @@ import (
 "database/sql"
 "errors"
 "fmt"
- "google.golang.org/grpc"
 "net"
 "net/http"
+ "google.golang.org/grpc"
+
+ log "github.com/golang/glog"
 "github.com/google/fleetspeak/fleetspeak/src/server"
 "github.com/google/fleetspeak/fleetspeak/src/server/admin"
 "github.com/google/fleetspeak/fleetspeak/src/server/authorizer"
 "github.com/google/fleetspeak/fleetspeak/src/server/comms"
- log "github.com/golang/glog"
 cauthorizer "github.com/google/fleetspeak/fleetspeak/src/server/components/authorizer"
 chttps "github.com/google/fleetspeak/fleetspeak/src/server/components/https"
 cnotifications "github.com/google/fleetspeak/fleetspeak/src/server/components/notifications"
@@ -114,9 +115,9 @@ func MakeComponents(cfg *cpb.Config) (*server.Components, error) {
 log.Warningln("####################################################################")
 }
 if (hcfg.FrontendMode == cpb.FrontendMode_MTLS && hcfg.ClientCertificateHeader != "") ||
- (hcfg.FrontendMode == cpb.FrontendMode_HEADER_TLS && hcfg.ClientCertificateHeader =="") {
- return nil, fmt.Errorf("Invalid frontend mode combination for running Fleetspeak: frontendMode=%s, clientCertificateHeader=%s",
- hcfg.FrontendMode, hcfg.ClientCertificateHeader)
+ (hcfg.FrontendMode == cpb.FrontendMode_HEADER_TLS && hcfg.ClientCertificateHeader == "") {
+ return nil, fmt.Errorf("Invalid frontend mode combination for running Fleetspeak: frontendMode=%s, clientCertificateHeader=%s",
+ hcfg.FrontendMode, hcfg.ClientCertificateHeader)
 }
 }
 // Notification setup.
diff --git a/fleetspeak/src/server/components/proto/fleetspeak_components/config.pb.go b/fleetspeak/src/server/components/proto/fleetspeak_components/config.pb.go
index cf3966c7..eeff401e 100644
--- a/fleetspeak/src/server/components/proto/fleetspeak_components/config.pb.go
+++ b/fleetspeak/src/server/components/proto/fleetspeak_components/config.pb.go
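Review bot: The rebuilt `return nil, fmt.Errorf(...)` lines keep an error string that starts with a capital letter and prints the header name with `%s`, so in the HEADER_TLS-with-empty-header branch the message ends in `clientCertificateHeader=` with nothing after it; `%q` would make the empty value visible, e.g. `return nil, fmt.Errorf("invalid frontend mode combination for running Fleetspeak: frontendMode=%s, clientCertificateHeader=%q", hcfg.FrontendMode, hcfg.ClientCertificateHeader)`. This check is the safety net described in the config.proto comments, refusing to trust a header-delivered client certificate unless frontend_mode explicitly opts into it, so an unambiguous message helps an operator recognise the misconfiguration at startup rather than guess which of the two parameters is wrong. The commit only fixes spacing here; the condition itself is unchanged. MakeComponents starts and ends outside the hunk.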
@@ -34,21 +34,23 @@ const ( _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) ) -// FrontendMode defines the connectivity setup between the Fleetspeak agents (clients) and the frontend (server). -// It is key to Fleetspeak's design that agents connect via mTLS. -// However, the mTLS connection can either be terminated by the Fleetspeak frontend (as per the original design) -// or on an intermediate layer 7 load balancer. -// Depending on the setup choose the matching mode below. +// FrontendMode defines the connectivity setup between the Fleetspeak agents +// (clients) and the frontend (server). It is key to Fleetspeak's design that +// agents connect via mTLS. However, the mTLS connection can either be +// terminated by the Fleetspeak frontend (as per the original design) or on an +// intermediate layer 7 load balancer. Depending on the setup choose the +// matching mode below. type FrontendMode int32 const ( - // In this mode Fleetspeak terminates the mTLS connection (as per original design). - // The Fleetspeak frontend can extract the mTLS client certificate from the HTTP - // request to identify client. + // In this mode Fleetspeak terminates the mTLS connection (as per original + // design). The Fleetspeak frontend can extract the mTLS client certificate + // from the HTTP request to identify client. FrontendMode_MTLS FrontendMode = 0 // In this mode a layer 7 load balancer is terminating the mTLS connection. - // This requires the that the client certificate is delivered via a HTTP header. - // Use the HttpsConfig.client_certificate_header below to set the header's name. + // This requires the that the client certificate is delivered via a HTTP + // header. Use the HttpsConfig.client_certificate_header below to set the + // header's name. FrontendMode_HEADER_TLS FrontendMode = 1 ) 
@@ -256,16 +258,18 @@ type HttpsConfig struct { // header. This should be used if TLS is terminated at the load balancer and // client certificates can be passed upstream to the fleetspeak server as an // http header. - // Note for this parameter to take effect you also need to set the frontend_mode - // parameter below accordingly. This is a safety net mechanism to avoid scenarios - // where client_certificate_header is set to non-empty unintentionally. + // Note for this parameter to take effect you also need to set the + // frontend_mode parameter below accordingly. This is a safety net mechanism + // to avoid scenarios where client_certificate_header is set to non-empty + // unintentionally. ClientCertificateHeader string `protobuf:"bytes,5,opt,name=client_certificate_header,json=clientCertificateHeader,proto3" json:"client_certificate_header,omitempty"` // The frontend_mode parameter serves as a safety net to avoid scenarios where // the client_certificate_header is set accidentially. // frontend_mode defaults to mTLS where the client certificate is delivered // in Fleetspeaks' original design. // In case certificate delivery is desired through a HTTP header you need set - // both the frontend_mode and the client_certificate_header parameters accordingly. + // both the frontend_mode and the client_certificate_header parameters + // accordingly. FrontendMode FrontendMode `protobuf:"varint,6,opt,name=frontend_mode,json=frontendMode,proto3,enum=fleetspeak.components.FrontendMode" json:"frontend_mode,omitempty"` } diff --git a/fleetspeak/src/server/components/proto/fleetspeak_components/config.proto b/fleetspeak/src/server/components/proto/fleetspeak_components/config.proto index 74688123..344e6b36 100644 --- a/fleetspeak/src/server/components/proto/fleetspeak_components/config.proto +++ b/fleetspeak/src/server/components/proto/fleetspeak_components/config.proto 
@@ -18,19 +18,21 @@ package fleetspeak.components; option go_package = "github.com/google/fleetspeak/fleetspeak/src/server/components/proto/fleetspeak_components"; -// FrontendMode defines the connectivity setup between the Fleetspeak agents (clients) and the frontend (server). -// It is key to Fleetspeak's design that agents connect via mTLS. -// However, the mTLS connection can either be terminated by the Fleetspeak frontend (as per the original design) -// or on an intermediate layer 7 load balancer. -// Depending on the setup choose the matching mode below. +// FrontendMode defines the connectivity setup between the Fleetspeak agents +// (clients) and the frontend (server). It is key to Fleetspeak's design that +// agents connect via mTLS. However, the mTLS connection can either be +// terminated by the Fleetspeak frontend (as per the original design) or on an +// intermediate layer 7 load balancer. Depending on the setup choose the +// matching mode below. enum FrontendMode { - // In this mode Fleetspeak terminates the mTLS connection (as per original design). - // The Fleetspeak frontend can extract the mTLS client certificate from the HTTP - // request to identify client. + // In this mode Fleetspeak terminates the mTLS connection (as per original + // design). The Fleetspeak frontend can extract the mTLS client certificate + // from the HTTP request to identify client. MTLS = 0; // In this mode a layer 7 load balancer is terminating the mTLS connection. - // This requires the that the client certificate is delivered via a HTTP header. - // Use the HttpsConfig.client_certificate_header below to set the header's name. + // This requires the that the client certificate is delivered via a HTTP + // header. Use the HttpsConfig.client_certificate_header below to set the + // header's name. HEADER_TLS = 1; // HEADER_TLS_CHECKSUM = 2; // reserved for future use // HEADER_CLEARTEXT = 3; // reserved for future use 
@@ -105,17 +107,19 @@ message HttpsConfig {
 // header. This should be used if TLS is terminated at the load balancer and
 // client certificates can be passed upstream to the fleetspeak server as an
 // http header.
- // Note for this parameter to take effect you also need to set the frontend_mode
- // parameter below accordingly. This is a safety net mechanism to avoid scenarios
- // where client_certificate_header is set to non-empty unintentionally.
+ // Note for this parameter to take effect you also need to set the
+ // frontend_mode parameter below accordingly. This is a safety net mechanism
+ // to avoid scenarios where client_certificate_header is set to non-empty
+ // unintentionally.
 string client_certificate_header = 5;
-
+
 // The frontend_mode parameter serves as a safety net to avoid scenarios where
 // the client_certificate_header is set accidentially.
 // frontend_mode defaults to mTLS where the client certificate is delivered
 // in Fleetspeaks' original design.
 // In case certificate delivery is desired through a HTTP header you need set
- // both the frontend_mode and the client_certificate_header parameters accordingly.
+ // both the frontend_mode and the client_certificate_header parameters
+ // accordingly.
 FrontendMode frontend_mode = 6;
 }
diff --git a/fleetspeak/src/server/https/client_certificate_test.go b/fleetspeak/src/server/https/client_certificate_test.go
index 74922c17..e7dee518 100644
--- a/fleetspeak/src/server/https/client_certificate_test.go
+++ b/fleetspeak/src/server/https/client_certificate_test.go
@@ -81,8 +81,8 @@ func makeTestClient(t *testing.T) (common.ClientID, *http.Client, []byte) {
 cl := http.Client{
 Transport: &http.Transport{
 TLSClientConfig: &tls.Config{
- RootCAs: cp,
- Certificates: []tls.Certificate{clientCert},
+ RootCAs: cp,
+ Certificates: []tls.Certificate{clientCert},
 InsecureSkipVerify: true,
 },
 Dial: (&net.Dialer{
@@ -108,7 +108,7 @@ func TestFrontendMode_MTLS(t *testing.T) {
 			t.Error("Expected client certificate but received none")
 		}
 		// test the invalid frontend mode combination
-		cert, err = GetClientCert(req, "", cpb.FrontendMode_HEADER_TLS)
+		_, err = GetClientCert(req, "", cpb.FrontendMode_HEADER_TLS)
 		if err == nil {
 			t.Error("Expected error for invalid frontend mode combination but received none")
 		}
@@ -116,7 +116,7 @@ func TestFrontendMode_MTLS(t *testing.T) {
 	}))
 	ts.TLS = &tls.Config{
 		ClientAuth: tls.RequireAnyClientCert,
-		}
+	}
 	ts.StartTLS()
 	defer ts.Close()
 
@@ -149,7 +149,7 @@ func TestFrontendMode_HEADER_TLS(t *testing.T) {
 			t.Error("Expected client certificate but received none")
 		}
 		// test the invalid frontend mode combination
-		cert, err = GetClientCert(req, clientCertHeader, cpb.FrontendMode_MTLS)
+		_, err = GetClientCert(req, clientCertHeader, cpb.FrontendMode_MTLS)
 		if err == nil {
 			t.Error("Expected error for invalid frontend mode combination but received none")
 		}
@@ -157,7 +157,7 @@ func TestFrontendMode_HEADER_TLS(t *testing.T) {
 	}))
 	ts.TLS = &tls.Config{
 		ClientAuth: tls.RequireAnyClientCert,
-		}
+	}
 	ts.StartTLS()
 	defer ts.Close()
 
diff --git a/fleetspeak/src/server/sqlite/sqlite_test.go b/fleetspeak/src/server/sqlite/sqlite_test.go
index 034fa0c5..53735ecc 100644
--- a/fleetspeak/src/server/sqlite/sqlite_test.go
+++ b/fleetspeak/src/server/sqlite/sqlite_test.go
@@ -16,10 +16,11 @@ package sqlite
 import (
 	"fmt"
-	"github.com/google/fleetspeak/fleetspeak/src/comtesting"
 	"path"
 	"testing"
+
+	"github.com/google/fleetspeak/fleetspeak/src/comtesting"
+
 	log "github.com/golang/glog"
 	"github.com/google/fleetspeak/fleetspeak/src/server/db"
diff --git a/terraform/cloudtesting/end_to_end_test.go b/terraform/cloudtesting/end_to_end_test.go
index 0fa4eaf8..94640a6a 100644
--- a/terraform/cloudtesting/end_to_end_test.go
+++ b/terraform/cloudtesting/end_to_end_test.go
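Review bot: Switching to `_, err = GetClientCert(req, "", cpb.FrontendMode_HEADER_TLS)` silences the unused assignment but drops the only chance to check that the misconfigured mode does not hand back a certificate alongside the error; a caller that ignores the error would still get an identity. Keep the value and assert on both, e.g. `cert, err = GetClientCert(req, "", cpb.FrontendMode_HEADER_TLS)` followed by `if err == nil || cert != nil {`. The same applies to the `@@ -149,7` hunk in TestFrontendMode_HEADER_TLS, which makes the identical `_, err =` change for the MTLS/header mismatch. Both enclosing test functions start and end outside these hunks, so the earlier declaration of `cert` is not visible here.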
@@ -3,14 +3,15 @@ package cloudtesting_test
 import (
 	"flag"
 	"fmt"
-	"github.com/google/fleetspeak/fleetspeak/src/e2etesting/setup"
-	"github.com/google/fleetspeak/fleetspeak/src/e2etesting/tests"
 	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strings"
 	"testing"
 	"time"
+
+	"github.com/google/fleetspeak/fleetspeak/src/e2etesting/setup"
+	"github.com/google/fleetspeak/fleetspeak/src/e2etesting/tests"
 )
 
 var (
diff --git a/terraform/fleetspeak_configurator/build_configs.go b/terraform/fleetspeak_configurator/build_configs.go
index ca0f336c..0fbebf40 100644
--- a/terraform/fleetspeak_configurator/build_configs.go
+++ b/terraform/fleetspeak_configurator/build_configs.go
@@ -3,10 +3,11 @@ package main
 import (
 	"flag"
 	"fmt"
-	"github.com/google/fleetspeak/fleetspeak/src/e2etesting/setup"
 	"io/ioutil"
 	"os"
 	"strings"
+
+	"github.com/google/fleetspeak/fleetspeak/src/e2etesting/setup"
 )
 
 var (
