Skip to content

Add support for SPIFFE bundle sequence number #4061

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Apr 20, 2023
Merged

Add support for SPIFFE bundle sequence number #4061

merged 3 commits into from
Apr 20, 2023

Conversation

maxlambrecht
Copy link
Member

Pull Request check list

  • Commit conforms to CONTRIBUTING.md?
  • Proper tests/regressions included?
  • Documentation updated?

Affected functionality

Adds supports for SPIFFE Bundle sequence number.

Description of change

A new field sequence_number was added to the Bundle type defined in common.proto.
The datastore Append and Prune methods increment the sequence number when the bundle was changed.
This sequence number is saved to the DB.
The sequence_number is now set in the Bundle services responses.

Which issue this PR fixes

Fixes #1495

MarcosDY
MarcosDY reviewed Apr 13, 2023
View reviewed changes
pkg/server/api/bundle/v1/service_test.go
@@ -2494,6 +2500,7 @@ func TestBatchSetFederatedBundle(t *testing.T) {
updatedBundle := makeValidBundle(t, federatedTrustDomain)
// Change the refresh hint
updatedBundle.RefreshHint = 120
updatedBundle.SequenceNumber = 42
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

are you allowing to set a sequence number on creating and when updating a bundle?
I think we must prevent that to happens

Copy link
Member Author

@maxlambrecht maxlambrecht Apr 18, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Got it

Copy link
Collaborator

@MarcosDY MarcosDY Apr 18, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok,
here is the situation,

1- In case of "server trust domain" we must not allow update sequence number, I think that is covered in case since we allow to call create or update only on federated bundles.
2- in case of federated bundles, we must allow a regular CRUD where third parties can choose any Sequence they want
3- we must allow to set the sequence on federated bundles on creation (to keep the same sequence that is on federated server database)
4- we must prevent to set something different than 0 when creating "server" bundle

So looks like we are safe, but we'll need to double check all

amartinezfayo
amartinezfayo reviewed Apr 18, 2023
View reviewed changes
pkg/server/datastore/sqlstore/sqlstore.go Outdated
@@ -1088,6 +1093,7 @@ func pruneBundle(tx *gorm.DB, trustDomainID string, expiry time.Time, log logrus

// Update only if bundle was modified
if changed {
newBundle.SequenceNumber++
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

newBundle will always come with SequenceNumber = 0, so this will reset the SequenceNumber to 1 when pruning. We should increment the number from the current bundle.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch! I fixed it and updated the prune test to use sequence numbers other than 0 and 1 to catch this.

Max Lambrecht added 2 commits April 18, 2023 11:07
Add support for SPIFFE bundle sequence number
9257ee8 
Signed-off-by: Max Lambrecht <[email protected]>
Address PR comment
3c8c9d5 
Signed-off-by: Max Lambrecht <[email protected]>
@maxlambrecht maxlambrecht force-pushed the add-support-for-bundle-sequence-number branch from b9646a0 to 3c8c9d5 Compare April 18, 2023 16:10
@amartinezfayo amartinezfayo added this to the 1.6.4 milestone Apr 20, 2023
amartinezfayo
amartinezfayo approved these changes Apr 20, 2023
View reviewed changes
Copy link
Member

@amartinezfayo amartinezfayo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @maxlambrecht!

@amartinezfayo amartinezfayo merged commit 7134ec3 into spiffe:main Apr 20, 2023
@maxlambrecht maxlambrecht deleted the add-support-for-bundle-sequence-number branch April 21, 2023 18:27
d-goro pushed a commit to d-goro/spire that referenced this pull request May 18, 2023
@d-goro
Add support for SPIFFE bundle sequence number (spiffe#4061)
41307f5 
* Add support for SPIFFE bundle sequence number

Signed-off-by: Max Lambrecht <[email protected]>
Signed-off-by: Dmitry Gorochovsky <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MarcosDY MarcosDY MarcosDY left review comments

@amartinezfayo amartinezfayo amartinezfayo approved these changes

@evan2645 evan2645 Awaiting requested review from evan2645 evan2645 is a code owner

@azdagron azdagron Awaiting requested review from azdagron

@rturner3 rturner3 Awaiting requested review from rturner3 rturner3 is a code owner

Assignees

@amartinezfayo amartinezfayo

Labels
None yet
Projects
None yet
Milestone
1.6.4
Development

Successfully merging this pull request may close these issues.

SPIRE should support SPIFFE Bundle sequence number
3 participants
@maxlambrecht @MarcosDY @amartinezfayo