NVSHAS-9553-9979-9987

Author: williamlin-suse

controller/api/apis.go

@@ -3865,13 +3865,14 @@ type RESTUserRoleConfigData struct {
 
 // Import task
 type RESTImportTask struct {
-	TID            string    `json:"tid"`
-	CtrlerID       string    `json:"ctrler_id"`
-	LastUpdateTime time.Time `json:"last_update_time,omitempty"`
-	Percentage     int       `json:"percentage"`
-	TriggeredBy    string    `json:"triggered_by,omitempty"` // fullname of the user who triggers import
-	Status         string    `json:"status,omitempty"`
-	TempToken      string    `json:"temp_token,omitempty"`
+	TID                    string              `json:"tid"`
+	CtrlerID               string              `json:"ctrler_id"`
+	LastUpdateTime         time.Time           `json:"last_update_time,omitempty"`
+	Percentage             int                 `json:"percentage"`
+	TriggeredBy            string              `json:"triggered_by,omitempty"` // fullname of the user who triggers import
+	Status                 string              `json:"status,omitempty"`
+	TempToken              string              `json:"temp_token,omitempty"`
+	FailToDecryptKeyFields map[string][]string `json:"fail_to_decrypt_key_fields"` // key : []fields
 }
 
 type RESTImportTaskData struct {

controller/api/apis.yaml

@@ -7519,6 +7519,14 @@ definitions:
       temp_token:
         type: string
         example: ""
+      fail_to_decrypt_key_fields:
+        type: object
+        description: Object key is kv key and value is array of cloaked fields that cannot be decrypted
+        additionalProperties:
+          type: array
+          items:
+            type: string
+          example: ["x509_cert", "signing_cert"]
   RESTImportTaskData:
     type: object
     required:

controller/api/internal_apis.go

@@ -180,6 +180,7 @@ type AlertType string
 const (
 	AlertTypeRBAC           AlertType = "RBAC"
 	AlertTypeTlsCertificate AlertType = "TLS_CERTIFICATE"
+	AlertTypeOthers         AlertType = "Others"
 )
 
 type RESTNvAlertGroup struct {

controller/api/log_apis.go

@@ -161,6 +161,10 @@ const (
 	EventNameGroupMetricViolation        = "Group.Metric.Violation"
 	EventNameKvRestored                  = "Configuration.Restore"
 	EventNameScanDataRestored            = "Scan.Data.Restore"
+	EventNameMismatchedDEKSeed           = "Security.DEK.Seed.Mismatch"
+	EventNameDEKSeedUnavailable          = "Security.DEK.Seed.Unavailable"
+	EventNameReEncryptWithDEK            = "Security.DEK.Encrypt"
+	EventNameEncryptionSecretSet         = "Security.Encryption.Secret.Set"
 )
 
 // TODO: these are not events but incidents

controller/cache/cache.go

@@ -1,12 +1,15 @@
 package cache
 
 import (
+	"crypto/sha256"
+	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"net"
 	"os"
 	"reflect"
 	"sort"
+	"strconv"
 	"strings"
 	"sync"
 	"sync/atomic"
@@ -178,11 +181,13 @@ const (
 type Context struct {
 	k8sVersion               string
 	ocVersion                string
-	RancherEP                string // from yaml/helm chart
-	RancherSSO               bool   // from yaml/helm chart
-	TelemetryFreq            uint   // from yaml
-	CheckDefAdminFreq        uint   // from yaml, in minutes
-	CspPauseInterval         uint   // from yaml, in minutes
+	RancherEP                string        // from yaml/helm chart
+	RancherSSO               bool          // from yaml/helm chart
+	TelemetryFreq            uint          // from yaml
+	KeyRotationDuration      time.Duration // from yaml
+	CheckKeyRotationDuration time.Duration // from yaml
+	CheckDefAdminFreq        uint          // from yaml, in minutes
+	CspPauseInterval         uint          // from yaml, in minutes
 	LocalDev                 *common.LocalDevice
 	EvQueue                  cluster.ObjectQueueInterface
 	AuditQueue               cluster.ObjectQueueInterface
@@ -1679,6 +1684,9 @@ func startWorkerThread(ctx *Context) {
 	groupMetricCheckTicker := time.NewTicker(groupMetricCheckPeriod)
 	policyMetricCheckTicker := time.NewTicker(policyMetricCheckPeriod)
 
+	keyRotationCheckTicker := time.NewTicker(cctx.CheckKeyRotationDuration)
+	log.WithFields(log.Fields{"CheckKeyRotationDuration": cctx.CheckKeyRotationDuration, "KeyRotationDuration": cctx.KeyRotationDuration}).Info()
+
 	wlSuspected := utils.NewSet() // supicious workload ids
 	pruneKvTicker := time.NewTicker(pruneKVPeriod)
 	pruneWorkloadKV(wlSuspected) // the first scan
@@ -1742,6 +1750,8 @@ func startWorkerThread(ctx *Context) {
 				cacheMutexUnlock()
 			case <-pruneKvTicker.C:
 				pruneWorkloadKV(wlSuspected)
+			case <-keyRotationCheckTicker.C:
+				checkKeyRotation()
 			case <-scannerTicker.C:
 				if isScanner() {
 					// Remove stalled scanner
@@ -2031,6 +2041,33 @@ func startWorkerThread(ctx *Context) {
 							log.WithFields(log.Fields{"name": o.Name, "domain": o.Domain}).Info("deleted")
 						}
 					}
+				case resource.RscTypeSecret:
+					var err error
+					var lock cluster.LockInterface
+					for i := 0; i < 4; i++ {
+						var encKeys common.EncKeys
+						var currEncKeyVer string
+						lock, err = clusHelper.AcquireLock(share.CLUSStoreSecretKey, time.Duration(time.Second)*4)
+						if err == nil {
+							if encKeys, currEncKeyVer, _, err = resource.RetrieveStorePassphrases(); err == nil {
+								if len(encKeys) > 0 {
+									if err = common.InitAesGcmKey(encKeys, currEncKeyVer); err == nil {
+										log.Info("store passphrases reloaded")
+										clusHelper.ReleaseLock(lock)
+										break
+									}
+									log.WithFields(log.Fields{"i": i, "lead": isLeader(), "err": err}).Error("Failed to init AesGcm")
+								}
+							} else {
+								log.WithFields(log.Fields{"i": i, "err": err}).Error("Failed to reloaded store passphrases")
+							}
+							clusHelper.ReleaseLock(lock)
+						}
+						time.Sleep(time.Second)
+					}
+					if err != nil {
+						log.WithFields(log.Fields{"err": err}).Error("Failed to reloaded store passphrases")
+					}
 				/*
 						case resource.RscTypeMutatingWebhookConfiguration:
 							var n, o *resource.AdmissionWebhookConfiguration
@@ -2108,6 +2145,54 @@ func startWorkerThread(ctx *Context) {
 	}()
 }
 
+func checkKeyRotation() {
+	if !isLeader() {
+		return
+	}
+
+	if valueBackup, _ := cluster.Get(share.CLUSSystemEncMigratedKey); len(valueBackup) > 0 {
+		var cfgEncBackup share.CLUSSystemConfigEncMigrated
+		if err := json.Unmarshal(valueBackup, &cfgEncBackup); err == nil {
+			if time.Now().UTC().After(cfgEncBackup.EncDataExpirationTime) {
+				// the backup is expired
+				_ = cluster.Delete(share.CLUSSystemEncMigratedKey)
+				log.Info("encryption-migrated config backup is deleted")
+			}
+		}
+	}
+
+	value, _ := cluster.Get(share.CLUSNextKeyRotationTSKey)
+	if len(value) == 0 {
+		_ = kv.SetNextKeyRotationTime(cctx.KeyRotationDuration)
+		return
+	}
+	i, err := strconv.ParseInt(string(value), 10, 64)
+	if err != nil {
+		return
+	}
+	nextKeyRotationTime := time.Unix(i, 0)
+	if time.Now().After(nextKeyRotationTime) {
+		if err := resource.AddStorePassphrase(); err == nil {
+			if err = kv.SetNextKeyRotationTime(cctx.KeyRotationDuration); err == nil {
+				alert := "Important: Please backup the data in Kubernetes secret neuvector-store-secret reset by NeuVector"
+				b := sha256.Sum256([]byte(alert))
+				key := hex.EncodeToString(b[:])
+				allUser := clusHelper.GetAllUsers(access.NewReaderAccessControl())
+				for _, user := range allUser {
+					accepted := utils.NewSetFromStringSlice(user.AcceptedAlerts)
+					if accepted.Contains(key) {
+						accepted.Remove(key)
+						user.AcceptedAlerts = accepted.ToStringSlice()
+						if err = clusHelper.PutUser(user); err != nil {
+							log.WithFields(log.Fields{"": user.Fullname, "err": err}).Error()
+						}
+					}
+				}
+			}
+		}
+	}
+}
+
 // handler of K8s resource watcher calls cbResourceWatcher() which sends to orchObjChan/objChan
 // [2021-02-15] CRD-related resource changes do not call this function.
 //

controller/cache/config.go

@@ -32,6 +32,7 @@ type webhookCache struct {
 
 const DefaultScannerConfigUpdateTimeout = time.Minute * 5
 
+var encMigratedConfigRestored bool
 var systemConfigCache share.CLUSSystemConfig = common.DefaultSystemConfig
 var fedSystemConfigCache share.CLUSSystemConfig = share.CLUSSystemConfig{CfgType: share.FederalCfg}
 var webhookCacheMap map[string]*webhookCache = make(map[string]*webhookCache, 0)    // Only the enabled webhooks
@@ -467,6 +468,42 @@ func (m CacheMethod) GetSystemConfigClusterName(acc *access.AccessControl) strin
 	return systemConfigCache.ClusterName
 }
 
+func encMigrateSystemConfig(valueBackup, value []byte) {
+	controllers := cacher.GetAllControllers(access.NewAdminAccessControl())
+	for _, ctrler := range controllers {
+		if ctrler.Ver != cctx.CtrlerVersion {
+			log.WithFields(log.Fields{"target": ctrler.Ver, "me": cctx.CtrlerVersion}).Info()
+			// the system config backup for variant encryption key migration is found.
+			// it means sensitive fields in system config are re-encrypted for variant encryption key migration.
+			var dec common.DecryptUnmarshaller
+			var cfg share.CLUSSystemConfig
+			if err := dec.Unmarshal(value, &cfg); err == nil && dec.GetDecryptedFieldsNumber() == 0 {
+				// however, it's unexpected that no sensitive field is decrypted in dec.Unmarshal() call.
+				// it means all sensitive fields in current system config(cfg) were set to empty string that we need to restore system config from the system config backup
+				var cfgEncBackup share.CLUSSystemConfigEncMigrated
+				if err = json.Unmarshal(valueBackup, &cfgEncBackup); err == nil {
+					if time.Now().UTC().Before(cfgEncBackup.EncDataExpirationTime) {
+						// the backup is not expired yet
+						if err = cluster.PutBinary(share.CLUSConfigSystemKey, []byte(cfgEncBackup.EncMigratedSystemConfig)); err == nil {
+							log.Info("encryption-migrated config is restored")
+							encMigratedConfigRestored = true
+						}
+					} else {
+						_ = cluster.Delete(share.CLUSSystemEncMigratedKey)
+						log.Info("encryption-migrated config backup is deleted")
+					}
+				} else {
+					_ = cluster.Delete(share.CLUSSystemEncMigratedKey)
+					log.WithFields(log.Fields{"err": err}).Error("failed to json unmarshal encryption-migrated config")
+				}
+			} else if err != nil {
+				log.WithFields(log.Fields{"err": err}).Error("failed to dec unmarshal system config")
+			}
+			break
+		}
+	}
+}
+
 func systemConfigUpdate(nType cluster.ClusterNotifyType, key string, value []byte) {
 	log.WithFields(log.Fields{"type": cluster.ClusterNotifyName[nType], "key": key}).Debug()
 
@@ -477,6 +514,14 @@ func systemConfigUpdate(nType cluster.ClusterNotifyType, key string, value []byt
 		_ = json.Unmarshal(value, &cfg)
 		log.WithFields(log.Fields{"config": cfg}).Debug()
 
+		if nType == cluster.ClusterNotifyModify {
+			if valueBackup, _ := cluster.Get(share.CLUSSystemEncMigratedKey); len(valueBackup) > 0 {
+				if !encMigratedConfigRestored {
+					encMigrateSystemConfig(valueBackup, value)
+				}
+			}
+		}
+
 		if cfg.IBMSAConfigNV.EpEnabled && cfg.IBMSAConfigNV.EpStart == 1 {
 			if isLeader() {
 				var param interface{} = &cfg.IBMSAConfig

controller/cache/object.go

@@ -1646,6 +1646,7 @@ func ObjectUpdateHandler(nType cluster.ClusterNotifyType, key string, value []by
 	case "uniconf":
 		uniconfUpdate(nType, key, value)
 	case "cert":
+		value, _, _ = kv.UpgradeAndConvert(key, value)
 		certObjectUpdate(nType, key, value)
 	case "throttled", "telemetry":
 	default:

controller/cluster.go

@@ -141,7 +141,7 @@ func leadChangeHandler(newLead, oldLead string) {
 			}
 
 			if emptyKvFound {
-				if _, _, restored, restoredKvVersion, err := kv.GetConfigHelper().Restore(); restored && err == nil {
+				if _, _, restored, restoredKvVersion, err := kv.GetConfigHelper().Restore(Host, Ctrler); restored && err == nil {
 					clog := share.CLUSEventLog{
 						Event:          share.CLUSEvKvRestored,
 						HostID:         Host.ID,
@@ -216,7 +216,7 @@ func ctlrMemberUpdateHandler(nType cluster.ClusterNotifyType, memberAddr string,
 			selfRejoin = false
 
 			ctlrPutLocalInfo()
-			logController(share.CLUSEvControllerJoin)
+			logController(share.CLUSEvControllerJoin, "")
 		}
 	} else if nType == cluster.ClusterNotifyDelete {
 		if Ctrler.ClusterIP == memberAddr {
@@ -247,13 +247,14 @@ func clusterStart(clusterCfg *cluster.ClusterConfig) (string, string, error) {
 	return cluster.GetSelfAddress(), lead, nil
 }
 
-func logController(ev share.TLogEvent) {
+func logController(ev share.TLogEvent, msg string) {
 	clog := share.CLUSEventLog{
 		Event:          ev,
 		HostID:         Host.ID,
 		HostName:       Host.Name,
 		ControllerID:   Ctrler.ID,
 		ControllerName: Ctrler.Name,
+		Msg:            msg,
 	}
 	switch ev {
 	case share.CLUSEvControllerStart:

controller/common/common.go

@@ -82,6 +82,9 @@ var ErrObjectExists error = errors.New("Object exists")
 var ErrAtomicWriteFail error = errors.New("Atomic write failed")
 var ErrUnsupported error = errors.New("Unsupported action")
 var ErrClusterWriteFail error = errors.New("Failed to write cluster")
+var ErrInvalidPassphrase error = errors.New("Invalid passphrase for data encryption key")
+var ErrDEKSeedUnavailable error = errors.New("store passphrase unavailable")
+var ErrEmptyValue error = errors.New("Empty value")
 
 var defaultWebhookCategory []string = []string{}
 var defaultSyslogCategory []string = []string{
@@ -340,6 +343,10 @@ var LogEventMap = map[share.TLogEvent]LogEventInfo{
 	share.CLUSEvGroupMetricViolation:        {api.EventNameGroupMetricViolation, api.EventCatGroup, api.LogLevelWARNING},
 	share.CLUSEvKvRestored:                  {api.EventNameKvRestored, api.EventCatConfig, api.LogLevelINFO},
 	share.CLUSEvScanDataRestored:            {api.EventNameScanDataRestored, api.EventCatScan, api.LogLevelINFO},
+	share.CLUSEvMismatchedDEKSeed:           {api.EventNameMismatchedDEKSeed, api.EventCatConfig, api.LogLevelERR},
+	share.CLUSEvDEKSeedUnavailable:          {api.EventNameDEKSeedUnavailable, api.EventCatConfig, api.LogLevelWARNING},
+	share.CLUSEvReEncryptWithDEK:            {api.EventNameReEncryptWithDEK, api.EventCatConfig, api.LogLevelINFO},
+	share.CLUSEvEncryptionSecretSet:         {api.EventNameEncryptionSecretSet, api.EventCatConfig, api.LogLevelNOTICE},
 }
 
 type LogIncidentInfo struct {