spiffe / spire

The SPIFFE Runtime Environment
https://spiffe.io
Apache License 2.0

Allow ValidateJWTSVID to be called by unauthenticated clients (as per SPIFFE spec issue 132) #1834

Closed paulhowardarm closed 3 years ago

paulhowardarm commented 4 years ago

For details see: https://github.com/spiffe/spiffe/issues/132

The SPIFFE spec will permit the ValidateJWTSVID RPC to be called by clients without those clients being registered workloads, since validation is a public operation. This issue is to modify the SPIRE runtime to permit such calls.

azdagron commented 4 years ago

Some considerations as we figure out how we want to implement this in SPIRE:

  1. This should probably be opt-in, via a new agent configurable (e.g. "allow_unauthenticated_verifiers" or something). This is important since introducing this feature is a change in behavior and has (potential, and arguably weak) security considerations.
  2. As a first pass, the SVIDs verified via ValidateJWTSVID or the bundles returned via FetchJWTBundle should be scoped to the trust domain the agent belongs to. Historically, SPIRE has considered federation to be a relationship opted in per-workload. Therefore, agents currently only maintain a fresh view of bundles for trust domains that are being federated with workloads that it is authorized to issue identity to. Practically speaking, this means that the set of bundles for federated trust domains known to agents will differ per-agent, depending on the federation relationships for workloads registered against that agent. Additionally since the caller is unauthenticated, there is no way for the agent to discern which federated trust bundles would apply to that caller.

azdagron commented 3 years ago

@evan2645 and I discussed this a bit offline.

We've come to agree that a first pass for this would define a configurable that allowed unattested workloads to fetch X509/JWT bundles via FetchX509Bundles (yet to be implemented, #2089) and FetchJWTBundles. Only the trust bundle for the trust domain would be returned to these callers since there is not a safe way to discern which federated bundles would be applicable to the caller (and there is no guarantee the agent has them depending on the shape of registration).

Callers interested in authenticating SVIDs from federated trust domains have other avenues of obtaining them (e.g. federation endpoints).

There is some concern over extending this feature to the ValidateJWTSVID RPC at this time, mostly related to the direction of trust. This concern probably extends beyond this specific feature and is really a question of whether it's appropriate for callers to be passing a secret (i.e. the JWT-SVID) to the Workload API. Anyway, we think it's best to punt on this RPC for now. Not having an ability to validate via the API is largely mitigated because the Go SPIFFE library (go-spiffe v2) has functionality to validate JWT-SVIDs, although that doesn't really help for other languages.
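To make the bundle-scoping rule from the two azdagron comments concrete, the following is an added Go model written for this thread; it is not SPIRE's code and does not use its APIs. It sketches an agent that tracks bundles, an opt-in flag named after the proposed `allow_unauthenticated_verifiers` configurable, and a fetch function that hands unattested callers only the agent's own trust domain bundle while attested workloads also receive the federated bundles their registration opted in to (when the agent happens to have them). The `Agent`, `Caller` and `Bundle` types, the `FetchBundles` function and the trust domains `example.org`, `partner.org` and `missing.org` are all assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// TrustDomain is a SPIFFE trust domain name such as "example.org".
type TrustDomain string

// Bundle is a stand-in for a trust bundle; a real bundle carries keys and
// certificates, here only constructed placeholder key IDs.
type Bundle struct {
	TrustDomain TrustDomain
	KeyIDs      []string
}

// AgentConfig models the opt-in flag proposed in the thread. The field name
// follows the suggested "allow_unauthenticated_verifiers"; this is an assumption,
// not a real SPIRE agent configurable.
type AgentConfig struct {
	TrustDomain                   TrustDomain
	AllowUnauthenticatedVerifiers bool
}

// Caller describes a Workload API client: whether workload attestation
// succeeded and, if so, which federated trust domains its registration
// entries opted in to (constructed model, not SPIRE's attestation result).
type Caller struct {
	Attested      bool
	FederatesWith []TrustDomain
}

// Agent holds the bundles this agent currently has a fresh view of. As the
// thread notes, the federated set differs per agent depending on registrations.
type Agent struct {
	cfg     AgentConfig
	bundles map[TrustDomain]Bundle
}

// ErrUnauthenticated is returned when an unattested caller asks for bundles
// and the opt-in flag is off (the default, so behaviour is unchanged).
var ErrUnauthenticated = errors.New("unattested caller and unauthenticated bundle fetches are disabled")

// FetchBundles returns the bundles the caller is permitted to see.
func (a *Agent) FetchBundles(c Caller) ([]Bundle, error) {
	local, ok := a.bundles[a.cfg.TrustDomain]
	if !ok {
		return nil, fmt.Errorf("agent has no bundle for its own trust domain %q", a.cfg.TrustDomain)
	}
	if !c.Attested {
		if !a.cfg.AllowUnauthenticatedVerifiers {
			return nil, ErrUnauthenticated
		}
		// Unauthenticated callers only ever get the agent's own trust domain
		// bundle: there is no safe way to decide which federated bundles apply.
		return []Bundle{local}, nil
	}
	out := []Bundle{local}
	for _, td := range c.FederatesWith {
		b, ok := a.bundles[td]
		if !ok {
			// The agent only tracks federated bundles needed by workloads
			// registered against it, so a missing bundle is simply skipped.
			continue
		}
		out = append(out, b)
	}
	return out, nil
}

// NewDemoAgent builds an agent for trust domain example.org that also knows
// the federated bundle for partner.org (constructed sample data).
func NewDemoAgent(allowUnauthenticated bool) *Agent {
	return &Agent{
		cfg: AgentConfig{TrustDomain: "example.org", AllowUnauthenticatedVerifiers: allowUnauthenticated},
		bundles: map[TrustDomain]Bundle{
			"example.org": {TrustDomain: "example.org", KeyIDs: []string{"ex-key-1"}},
			"partner.org": {TrustDomain: "partner.org", KeyIDs: []string{"pa-key-1"}},
		},
	}
}

func main() {
	off := NewDemoAgent(false)
	_, err := off.FetchBundles(Caller{})
	fmt.Println("flag off, unattested caller:", err)

	on := NewDemoAgent(true)
	bs, _ := on.FetchBundles(Caller{})
	fmt.Println("flag on, unattested caller gets", len(bs), "bundle(s):", bs[0].TrustDomain)

	bs, _ = on.FetchBundles(Caller{Attested: true, FederatesWith: []TrustDomain{"partner.org", "missing.org"}})
	fmt.Println("attested caller gets", len(bs), "bundle(s)")
}
```

The point the model makes is that turning the flag on widens who may read the local bundle, but never widens which bundles an anonymous caller can read; federated bundles stay tied to an attested identity, matching the thread's suggestion that such callers obtain them from federation endpoints instead.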