feat: add signature validation from local cert (NR-348962) (#997)

* feat: add signature validation from local cert

* clean cert file on drop

Author: gsanchezgavier

agent-control/src/opamp/remote_config/signature.rs

@@ -186,7 +186,7 @@ fn parse_rsa_algorithm(algo: &str) -> Option<SigningAlgorithm> {
 #[derive(Debug, Serialize, PartialEq, Clone)]
 pub struct Signatures {
     #[serde(flatten)]
-    signatures: HashMap<ConfigID, SignatureData>,
+    pub signatures: HashMap<ConfigID, SignatureData>,
 }
 
 impl<'de> Deserialize<'de> for Signatures {

agent-control/src/opamp/remote_config/validators/signature/validator.rs

@@ -1,12 +1,15 @@
+use std::path::PathBuf;
 use std::time::Duration;
 
 use crate::agent_control::config::AgentTypeFQN;
 use crate::opamp::remote_config::signature::SIGNATURE_CUSTOM_CAPABILITY;
 use crate::opamp::remote_config::validators::RemoteConfigValidator;
 use crate::opamp::remote_config::RemoteConfig;
+use nix::NixPath;
 use serde::{Deserialize, Serialize};
 use thiserror::Error;
 use tracing::log::error;
+use tracing::{info, warn};
 use url::Url;
 
 use super::certificate_fetcher::CertificateFetcher;
@@ -33,11 +36,25 @@ pub fn build_signature_validator(
     config: SignatureValidatorConfig,
 ) -> Result<SignatureValidator, SignatureValidatorError> {
     if !config.enabled {
+        warn!("Remote config signature validation is disabled");
         return Ok(SignatureValidator::Noop);
     }
 
-    let certificate_fetcher =
-        CertificateFetcher::Https(config.certificate_server_url, DEFAULT_HTTPS_CLIENT_TIMEOUT);
+    // Certificate from file takes precedence over fetching from the server when it is set
+    let certificate_fetcher = if !config.certificate_pem_file_path.is_empty() {
+        warn!(
+            "Remote config signature validation is enabled, using certificate from file: {}. Certificate rotation is not supported",
+            config.certificate_pem_file_path.display()
+        );
+        CertificateFetcher::PemFile(config.certificate_pem_file_path)
+    } else {
+        info!(
+            "Remote config signature validation is enabled, fetching certificate from: {}",
+            config.certificate_server_url
+        );
+        CertificateFetcher::Https(config.certificate_server_url, DEFAULT_HTTPS_CLIENT_TIMEOUT)
+    };
+
     let certificate_store = CertificateStore::try_new(certificate_fetcher)
         .map_err(|e| SignatureValidatorError::InitializeCertificateStore(e.to_string()))?;
 
@@ -50,6 +67,10 @@ pub fn build_signature_validator(
 pub struct SignatureValidatorConfig {
     #[serde(default = "default_signature_validator_url")]
     pub certificate_server_url: Url,
+    /// Path to the PEM file containing the certificate to validate the signature.
+    /// Takes precedence over fetching from the server when it is set
+    #[serde(default)]
+    pub certificate_pem_file_path: PathBuf,
     #[serde(default = "default_signature_validator_config_enabled")]
     pub enabled: bool,
 }
@@ -59,6 +80,7 @@ impl Default for SignatureValidatorConfig {
         Self {
             enabled: default_signature_validator_config_enabled(),
             certificate_server_url: default_signature_validator_url(),
+            certificate_pem_file_path: PathBuf::new(),
         }
     }
 }
@@ -164,6 +186,7 @@ impl RemoteConfigValidator for CertificateSignatureValidator {
 #[cfg(test)]
 mod tests {
     use std::collections::HashMap;
+    use std::str::FromStr;
 
     use super::*;
     use crate::agent_control::config::AgentID;
@@ -218,6 +241,7 @@ enabled: false
                 expected: SignatureValidatorConfig {
                     enabled: false,
                     certificate_server_url: Url::parse(DEFAULT_CERTIFICATE_SERVER_URL).unwrap(),
+                    certificate_pem_file_path: PathBuf::new(),
                 },
             },
             TestCase {
@@ -228,6 +252,7 @@ enabled: true
                 expected: SignatureValidatorConfig {
                     enabled: true,
                     certificate_server_url: Url::parse(DEFAULT_CERTIFICATE_SERVER_URL).unwrap(),
+                    certificate_pem_file_path: PathBuf::new(),
                 },
             },
             TestCase {
@@ -238,6 +263,7 @@ certificate_server_url: https://example.com
                 expected: SignatureValidatorConfig {
                     enabled: DEFAULT_SIGNATURE_VALIDATOR_ENABLED,
                     certificate_server_url: Url::parse("https://example.com").unwrap(),
+                    certificate_pem_file_path: PathBuf::new(),
                 },
             },
             TestCase {
@@ -249,6 +275,32 @@ certificate_server_url: https://example.com
                 expected: SignatureValidatorConfig {
                     enabled: true,
                     certificate_server_url: Url::parse("https://example.com").unwrap(),
+                    certificate_pem_file_path: PathBuf::new(),
+                },
+            },
+            TestCase {
+                name: "Setup file and enabled",
+                cfg: r#"
+enabled: true
+certificate_pem_file_path: /path/to/file
+"#,
+                expected: SignatureValidatorConfig {
+                    enabled: true,
+                    certificate_server_url: Url::parse(DEFAULT_CERTIFICATE_SERVER_URL).unwrap(),
+                    certificate_pem_file_path: PathBuf::from_str("/path/to/file").unwrap(),
+                },
+            },
+            TestCase {
+                name: "Setup file and url and enabled",
+                cfg: r#"
+enabled: true
+certificate_server_url: https://example.com
+certificate_pem_file_path: /path/to/file
+"#,
+                expected: SignatureValidatorConfig {
+                    enabled: true,
+                    certificate_server_url: Url::parse("https://example.com").unwrap(),
+                    certificate_pem_file_path: PathBuf::from_str("/path/to/file").unwrap(),
                 },
             },
         ];

agent-control/tests/common/opamp.rs

@@ -1,14 +1,23 @@
 use super::runtime::tokio_runtime;
 use actix_web::{web, App, HttpResponse, HttpServer};
+use base64::prelude::BASE64_STANDARD;
+use base64::Engine;
 use newrelic_agent_control::opamp::instance_id::InstanceID;
+use newrelic_agent_control::opamp::remote_config::signature::{
+    SignatureData, SigningAlgorithm, SIGNATURE_CUSTOM_CAPABILITY, SIGNATURE_CUSTOM_MESSAGE_TYPE,
+};
 use opamp_client::opamp;
 use prost::Message;
+use rcgen::{CertificateParams, KeyPair, PKCS_ED25519};
+use std::path::PathBuf;
 use std::sync::Mutex;
 use std::time::Duration;
 use std::{collections::HashMap, net, sync::Arc};
+use tempfile::TempDir;
 use tokio::task::JoinHandle;
 
 const FAKE_SERVER_PATH: &str = "/opamp-fake-server";
+const CERT_FILE: &str = "server.crt";
 
 pub type ConfigResponses = HashMap<InstanceID, ConfigResponse>;
 
@@ -28,13 +37,26 @@ pub type EffectiveConfigs = HashMap<InstanceID, opamp::proto::EffectiveConfig>;
 pub type RemoteConfigStatus = HashMap<InstanceID, opamp::proto::RemoteConfigStatus>;
 
 /// Represents the state of the FakeServer.
-#[derive(Default)]
 struct State {
     health_statuses: HealthStatuses,
     attributes: Attributes,
     config_responses: ConfigResponses,
     effective_configs: EffectiveConfigs,
     config_status: RemoteConfigStatus,
+    // Server private key to sign the remote config
+    key_pair: KeyPair,
+}
+impl State {
+    fn new(key_pair: KeyPair) -> Self {
+        Self {
+            health_statuses: Default::default(),
+            attributes: Default::default(),
+            config_responses: Default::default(),
+            effective_configs: Default::default(),
+            config_status: Default::default(),
+            key_pair,
+        }
+    }
 }
 
 #[derive(Clone, Debug, Default)]
@@ -52,26 +74,47 @@ impl From<&str> for ConfigResponse {
 }
 
 impl ConfigResponse {
-    fn encode(&self) -> Vec<u8> {
-        // remote config is only set if there is any content
-        let remote_config = self
-            .clone()
-            .raw_body
-            .map(|raw_body| opamp::proto::AgentRemoteConfig {
+    fn encode(&self, key_pair: &KeyPair) -> Vec<u8> {
+        let mut remote_config = None;
+        let mut custom_message = None;
+
+        if let Some(config) = self.raw_body.clone() {
+            remote_config = Some(opamp::proto::AgentRemoteConfig {
                 config_hash: "hash".into(), // fake has for the shake of simplicity
                 config: Some(opamp::proto::AgentConfigMap {
                     config_map: HashMap::from([(
                         "".to_string(),
                         opamp::proto::AgentConfigFile {
-                            body: raw_body.clone().into_bytes(),
+                            body: config.clone().into_bytes(),
                             content_type: " text/yaml".to_string(),
                         },
                     )]),
                 }),
             });
+
+            let key_pair_ring =
+                ring::signature::Ed25519KeyPair::from_pkcs8(&key_pair.serialize_der()).unwrap();
+            let signature = key_pair_ring.sign(config.as_bytes());
+
+            let custom_message_data: HashMap<String, Vec<SignatureData>> = HashMap::from([(
+                "fakeCRC".to_string(),
+                vec![SignatureData {
+                    signature: BASE64_STANDARD.encode(signature.as_ref()),
+                    signing_algorithm: SigningAlgorithm::ED25519,
+                    key_id: "fake".to_string(),
+                }],
+            )]);
+
+            custom_message = Some(opamp::proto::CustomMessage {
+                capability: SIGNATURE_CUSTOM_CAPABILITY.to_string(),
+                r#type: SIGNATURE_CUSTOM_MESSAGE_TYPE.to_string(),
+                data: serde_json::to_vec(&custom_message_data).unwrap(),
+            });
+        }
         opamp::proto::ServerToAgent {
             instance_uid: "test".into(), // fake uid for the sake of simplicity
             remote_config,
+            custom_message,
             ..Default::default()
         }
         .encode_to_vec()
@@ -85,6 +128,7 @@ pub struct FakeServer {
     state: Arc<Mutex<State>>,
     port: u16,
     path: String,
+    cert_tmp_dir: TempDir,
 }
 
 impl FakeServer {
@@ -95,18 +139,29 @@ impl FakeServer {
 
     /// Starts and returns new FakeServer in a random port.
     pub fn start_new() -> Self {
-        let state = Arc::new(Mutex::new(State::default()));
         // While binding to port 0, the kernel gives you a free ephemeral port.
         let listener = net::TcpListener::bind("0.0.0.0:0").unwrap();
         let port = listener.local_addr().unwrap().port();
 
+        let key_pair = KeyPair::generate_for(&PKCS_ED25519).unwrap();
+        let cert = CertificateParams::new(vec!["localhost".to_string()])
+            .unwrap()
+            .self_signed(&key_pair)
+            .unwrap();
+
+        let tmp_dir = tempfile::tempdir().unwrap();
+        std::fs::write(tmp_dir.path().join(CERT_FILE), cert.pem()).unwrap();
+
+        let state = Arc::new(Mutex::new(State::new(key_pair)));
+
         let handle = tokio_runtime().spawn(Self::run_http_server(listener, state.clone()));
 
         Self {
             handle,
             state,
             port,
             path: FAKE_SERVER_PATH.to_string(),
+            cert_tmp_dir: tmp_dir,
         }
     }
 
@@ -132,6 +187,10 @@ impl FakeServer {
         state.config_responses.insert(identifier, response);
     }
 
+    pub fn cert_file_path(&self) -> PathBuf {
+        self.cert_tmp_dir.path().join(CERT_FILE)
+    }
+
     pub fn get_health_status(
         &self,
         identifier: &InstanceID,
@@ -220,5 +279,5 @@ async fn opamp_handler(state: web::Data<Arc<Mutex<State>>>, req: web::Bytes) ->
     // `message` content before removing the config response from the state.
     state.config_responses.remove(&instance_id);
 
-    HttpResponse::Ok().body(config_response.encode())
+    HttpResponse::Ok().body(config_response.encode(&state.key_pair))
 }

agent-control/tests/k8s/data/k8s_opamp_add_sub_agent/local-data-agent-control.template

@@ -2,6 +2,9 @@ fleet_control:
   endpoint: <opamp-endpoint>
   headers:
     api-key: test-api-key
+  signature_validation:
+    certificate_pem_file_path: <cert-path>
+    enabled: true
 k8s:
   namespace: <ns>
   cluster_name: <cluster-name>

agent-control/tests/k8s/data/k8s_opamp_attributes_existing_agent_type/local-data-agent-control.template

@@ -2,6 +2,9 @@ opamp:
   endpoint: <opamp-endpoint>
   headers:
     api-key: test-api-key
+  signature_validation:
+    certificate_pem_file_path: <cert-path>
+    enabled: true
 k8s:
   namespace: <ns>
   cluster_name: <cluster-name>

agent-control/tests/k8s/data/k8s_opamp_cr_subagent_installed_before_crd/local-data-agent-control.template

@@ -2,6 +2,9 @@ fleet_control:
   endpoint: <opamp-endpoint>
   headers:
     api-key: test-api-key
+  signature_validation:
+    certificate_pem_file_path: <cert-path>
+    enabled: true
 k8s:
   namespace: <ns>
   cluster_name: <cluster-name>

agent-control/tests/k8s/data/k8s_opamp_enabled_with_no_remote_configuration/local-data-agent-control.template

@@ -2,6 +2,9 @@ fleet_control:
   endpoint: <opamp-endpoint>
   headers:
     api-key: test-api-key
+  signature_validation:
+    certificate_pem_file_path: <cert-path>
+    enabled: true
 k8s:
   namespace: <ns>
   cluster_name: <cluster-name>

agent-control/tests/k8s/data/k8s_opamp_foo_cr_subagent/local-data-agent-control.template

@@ -2,6 +2,9 @@ fleet_control:
   endpoint: <opamp-endpoint>
   headers:
     api-key: test-api-key
+  signature_validation:
+    certificate_pem_file_path: <cert-path>
+    enabled: true
 k8s:
   namespace: <ns>
   cluster_name: <cluster-name>

agent-control/tests/k8s/data/k8s_opamp_subagent_configuration_change/local-data-agent-control.template

@@ -2,6 +2,9 @@ fleet_control:
   endpoint: <opamp-endpoint>
   headers:
     api-key: test-api-key
+  signature_validation:
+    certificate_pem_file_path: <cert-path>
+    enabled: true
 k8s:
   namespace: <ns>
   cluster_name: <cluster-name>

agent-control/tests/k8s/data/k8s_opamp_subagent_modify_secret/local-data-agent-control.template

@@ -2,6 +2,9 @@ fleet_control:
   endpoint: <opamp-endpoint>
   headers:
     api-key: test-api-key
+  signature_validation:
+    certificate_pem_file_path: <cert-path>
+    enabled: true
 k8s:
   namespace: <ns>
   cluster_name: <cluster-name>