kontrol: deny self-signed kite keys

Author: rjeczalik

kontrol/handlers.go

@@ -55,7 +55,7 @@ func (k *Kontrol) HandleRegister(r *kite.Request) (interface{}, error) {
 	keyPair, err = k.keyPair.GetKeyFromPublic(strings.TrimSpace(publicKey))
 	if err != nil {
 		newKey = true
-		keyPair, err = k.pickKey(r)
+		keyPair, err = k.pickKey(r, false)
 		if err != nil {
 			return nil, err // nothing to do here ..
 		}
@@ -248,7 +248,9 @@ func (k *Kontrol) HandleMachine(r *kite.Request) (interface{}, error) {
 		}
 	}
 
-	keyPair, err := k.pickKey(r)
+	// TODO(rjeczalik): add test and ensure no identity is leaked
+
+	keyPair, err := k.pickKey(r, true)
 	if err != nil {
 		return nil, err
 	}
@@ -279,15 +281,15 @@ func (k *Kontrol) HandleGetKey(r *kite.Request) (interface{}, error) {
 		return publicKey, nil
 	}
 
-	keyPair, err := k.pickKey(r)
+	keyPair, err := k.pickKey(r, false)
 	if err != nil {
 		return nil, err
 	}
 
 	return keyPair.Public, nil
 }
 
-func (k *Kontrol) pickKey(r *kite.Request) (*KeyPair, error) {
+func (k *Kontrol) pickKey(r *kite.Request, self bool) (*KeyPair, error) {
 	if k.MachineKeyPicker != nil {
 		keyPair, err := k.MachineKeyPicker(r)
 		if err != nil {
@@ -296,14 +298,9 @@ func (k *Kontrol) pickKey(r *kite.Request) (*KeyPair, error) {
 		return keyPair, nil
 	}
 
-	if len(k.lastPublic) != 0 && len(k.lastPrivate) != 0 {
-		return &KeyPair{
-			Public:  k.lastPublic[len(k.lastPublic)-1],
-			Private: k.lastPrivate[len(k.lastPrivate)-1],
-			ID:      k.lastIDs[len(k.lastIDs)-1],
-		}, nil
+	if !self {
+		return nil, errors.New("no valid authentication key found")
 	}
 
-	k.log.Error("neither machineKeyPicker nor public/private keys are available")
-	return nil, errors.New("internal error - 1")
+	return k.KeyPair()
 }

kontrol/http.go

@@ -113,7 +113,7 @@ func (k *Kontrol) HandleRegisterHTTP(rw http.ResponseWriter, req *http.Request)
 				Type: args.Auth.Type,
 				Key:  args.Auth.Key,
 			},
-		})
+		}, false)
 		if err != nil {
 			http.Error(rw, jsonError(err), http.StatusBadRequest)
 			return

kontrol/kontrol_test.go

@@ -14,6 +14,7 @@ import (
 
 	"github.com/dgrijalva/jwt-go"
 	"github.com/koding/kite"
+	"github.com/koding/kite/config"
 	"github.com/koding/kite/kitekey"
 	"github.com/koding/kite/protocol"
 	"github.com/koding/kite/testkeys"
@@ -117,6 +118,39 @@ func TestRegisterMachine(t *testing.T) {
 	}
 }
 
+func TestRegisterDenyEvil(t *testing.T) {
+	evil := kite.New("evil", "1.0.0")
+	evil.Config = config.New()
+	evil.Config.Port = 6767
+	evil.Config.Username = "evil"
+	evil.Config.KontrolUser = "evil"
+	evil.Config.KontrolURL = conf.Config.KontrolURL
+	evil.Config.KiteKey = testutil.NewToken("evil", testkeys.PrivateEvil, testkeys.PublicEvil).Raw
+	// KontrolKey can be easily extracted from existing kite.key
+	evil.Config.KontrolKey = testkeys.Public
+	evil.Config.ReadEnvironmentVariables()
+
+	evilURL := &url.URL{
+		Scheme: "http",
+		Host:   "127.0.0.1:6767",
+		Path:   "/kite",
+	}
+
+	_, err := evil.Register(evilURL)
+	if err == nil {
+		t.Errorf("expected kontrol to deny register request: %s", evil.Kite())
+	} else {
+		t.Logf("register denied: %s", err)
+	}
+
+	_, err = evil.GetToken(evil.Kite())
+	if err == nil {
+		t.Errorf("expected kontrol to deny token request: %s", evil.Kite())
+	} else {
+		t.Logf("token denied: %s", err)
+	}
+}
+
 func TestTokenInvalidation(t *testing.T) {
 	oldval := TokenTTL
 	defer func() {

testkeys/testkeys.go

@@ -126,6 +126,44 @@ QFlWPjxAFIYGiUSp8zpbPE12qXqXmFJekOriXHpdLI4jwhsTaoH/4xZNmKDAagHH
 mQIDAQAB
 -----END PUBLIC KEY-----`
 
+const PublicEvil = `-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs4KnPdBHaS1RIjECBiu2
+V6iRkO7Nf1q6icMLUHBfMhJiWQbS7knFNSfCJ59Zb7girQixJLvMELHn6rgVg1nb
+RiUChBCxGul9NU/Gq5Xk0GzP4CiMmKFwd3DZeai3Tsod9txu/3nmJA6Cl40hXTXc
+2gNSceBCsNz6WBTpp5QHOBntV516ObtN2GUAyuk5XqiCTwGXCL/Sn6QyEEkTdhaT
+g2f//HxPWRR9Wy5juXQxblmJUa3yMUTQ255OW0a8mQa/Lg015SwXhDrPsgkh/5qV
+z/J79rCi0ej9Bkh17+0V0EctML50R1y94JPn+KQ7IbzItahz0j8zmtbDcpAwkdmO
+lQIDAQAB
+-----END PUBLIC KEY-----`
+
+const PrivateEvil = `-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAs4KnPdBHaS1RIjECBiu2V6iRkO7Nf1q6icMLUHBfMhJiWQbS
+7knFNSfCJ59Zb7girQixJLvMELHn6rgVg1nbRiUChBCxGul9NU/Gq5Xk0GzP4CiM
+mKFwd3DZeai3Tsod9txu/3nmJA6Cl40hXTXc2gNSceBCsNz6WBTpp5QHOBntV516
+ObtN2GUAyuk5XqiCTwGXCL/Sn6QyEEkTdhaTg2f//HxPWRR9Wy5juXQxblmJUa3y
+MUTQ255OW0a8mQa/Lg015SwXhDrPsgkh/5qVz/J79rCi0ej9Bkh17+0V0EctML50
+R1y94JPn+KQ7IbzItahz0j8zmtbDcpAwkdmOlQIDAQABAoIBAFsL8XdQpGecLIKD
+CNvIX/ul6+7usBvgEKy+2IY7+IyU9nzhESr7D6MeP0OJdvtLEYth1TckaSQul8pd
+A8xTTvwM2XHSZYGY24CmrcVpiVyNVAIFjwn7F+f8vNEP2amEqh4DP+kkEq5HDcWA
+N2PnZdTNyosni6vY6MC0Gq58Tg0Nf6Wewru1upd/wz6xOshRtlIxoLvrmDXqHuA1
+QdUmCmMcrvlIvHwvfusgLxzih+rBbXdHTkTUdwElvuHr3AXLv5ZY/F7hi7nv8J6X
+NekGhH8uQ+U8BMzXJSS5pupvvrGpaWQlERAj4XZ1XHaN/iXyxv+x+v+Avglg6StM
+hxTqWQECgYEA4j/d+ACh+NyiAGED6i8Lt4I68nUf5AMCIKzFW7oyzeXc5BZmC0da
+DP6xLrgj5B4YkrWCV52k9e8nQaslG1W8238y61xD1cbQ0YvtB43OgMsyyiD/LNu/
+Z86Hz/5nfslDPhF+KzLzF0L0RZJ6mKKriyphn+oqNzqFItFFHYcrza0CgYEAyx1t
+vwP8Q5GGC7NdcT7rW85BSnTYxMPshUORQbo6KABwSp3hHImoPUOqiWAPoizBLWDM
+/GKu2+2JmD4wTz5sShEeyIiNulmyXicJB8YsF+6bz/93l0mOLkuKF9VgDyk1ocFt
+WIEe5wtdURodJx4ky4q28Rl3ZmUh+zrJq3XAEYkCgYBN1Y71TLJsPOr2mmmQXRL4
+1LKWyrhn5qkKuKVEwy/LKbLuPM5qPue55Lzrx6mBRuFJR2xJ3A/uE5I7wzcGyl4o
+XQAVfC5SEw2vqSWoHZ7XLBCS/PsMYaTdf221nl3YfkDFz5rKHcMHU59Zd+T5Ma02
+OSRQsWxIh7dZnQjb+a6WGQKBgFeiVtt3aLvuaZtaxBI8R2fQ0bLCP1SGA+JriJyH
+MNhZeBl5jMq3SfNE4qtq2tPp418kyMyL903Eav1Yt5c5I5fBUzrKT/v6/05IIUlN
+Y3Df7jIL0xlfDw1CYk5uLYfdC9rCjd8FtsOQz65SSgm6o71+F/hmOHHhaIvwjVqA
+72GhAoGAO1FaFhO6h+2tKX7kBDBee5JRqbbtb7yZQyDFRW0iyR9SJEmkMo/K/vAZ
+yRlRnuZkz8QRnRJyKI+YRTeQdLVjGnDGBHwJIxDolqgOGqI4RiuNVrjNEnnReptT
+56sJylfJpR/5/xWF5O/I+RNJ2q/uirkeprWcWOPOqVMZV4hLJcU=
+-----END RSA PRIVATE KEY-----`
+
 ////////////////////////////////////////////////////////////////////////////////
 //
 // TLS certificate