fix: audit trustd code for security

There are no security issues fixed.

Drop username/password creds - they were not used.

Improve security of token interceptor.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>

Author: smira

internal/app/trustd/main.go

@@ -104,6 +104,7 @@ func trustdMain() error {
 		&reg.Registrator{Resources: resources},
 		factory.WithDefaultLog(),
 		factory.WithUnaryInterceptor(creds.UnaryInterceptor()),
+		factory.WithStreamInterceptor(creds.StreamInterceptor()),
 		factory.ServerOptions(
 			grpc.Creds(
 				credentials.NewTLS(serverTLSConfig),

pkg/grpc/middleware/auth/basic/basic.go

@@ -23,6 +23,7 @@ type Credentials interface {
 	credentials.PerRPCCredentials
 
 	UnaryInterceptor() grpc.UnaryServerInterceptor
+	StreamInterceptor() grpc.StreamServerInterceptor
 }
 
 // NewConnection initializes a grpc.ClientConn configured for basic

pkg/grpc/middleware/auth/basic/token.go

@@ -6,11 +6,13 @@ package basic
 
 import (
 	"context"
-	"fmt"
+	"crypto/sha256"
+	"crypto/subtle"
 
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/metadata"
+	"google.golang.org/grpc/status"
 )
 
 // TokenGetterFunc is the function to dynamically retrieve the token.
@@ -66,13 +68,23 @@ func (b *TokenCredentials) authenticate(ctx context.Context) error {
 		return err
 	}
 
-	if md, ok := metadata.FromIncomingContext(ctx); ok {
-		if len(md["token"]) > 0 && md["token"][0] == token {
-			return nil
-		}
+	md, ok := metadata.FromIncomingContext(ctx)
+	if !ok {
+		return status.Error(codes.Unauthenticated, "missing token")
+	}
+
+	if len(md["token"]) == 0 {
+		return status.Error(codes.Unauthenticated, "missing token")
+	}
+
+	incomingTokenHash := sha256.Sum256([]byte(md["token"][0]))
+	expectedTokenHash := sha256.Sum256([]byte(token))
+
+	if subtle.ConstantTimeCompare(incomingTokenHash[:], expectedTokenHash[:]) != 1 {
+		return status.Error(codes.Unauthenticated, "invalid token")
 	}
 
-	return fmt.Errorf("%s", codes.Unauthenticated.String())
+	return nil
 }
 
 // UnaryInterceptor sets the UnaryServerInterceptor for the server and enforces
@@ -86,3 +98,14 @@ func (b *TokenCredentials) UnaryInterceptor() grpc.UnaryServerInterceptor {
 		return handler(ctx, req)
 	}
 }
+
+// StreamInterceptor sets the StreamServerInterceptor for the server and enforces
+// basic authentication.
+//
+// For now, it rejects any API, as we don't have any streaming APIs in trustd component.
+// This is to prevent accidentally allowing unauthenticated access to streaming APIs in the future without realizing it.
+func (b *TokenCredentials) StreamInterceptor() grpc.StreamServerInterceptor {
+	return func(any, grpc.ServerStream, *grpc.StreamServerInfo, grpc.StreamHandler) error {
+		return status.Error(codes.Unimplemented, "streaming APIs are not supported")
+	}
+}

pkg/grpc/middleware/auth/basic/token_test.go

@@ -0,0 +1,83 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package basic_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/metadata"
+	"google.golang.org/grpc/status"
+
+	"github.com/siderolabs/talos/pkg/grpc/middleware/auth/basic"
+)
+
+func TestTokenInterceptor(t *testing.T) {
+	t.Parallel()
+
+	const validToken = "valid-token"
+
+	creds := basic.NewTokenCredentials(validToken)
+
+	interceptor := creds.UnaryInterceptor()
+
+	for _, test := range []struct {
+		name string
+
+		md      metadata.MD
+		wantErr bool
+	}{
+		{
+			name: "valid token",
+
+			md: metadata.MD{
+				"token": []string{validToken},
+			},
+			wantErr: false,
+		},
+		{
+			name: "invalid token",
+
+			md: metadata.MD{
+				"token": []string{"invalid-token"},
+			},
+			wantErr: true,
+		},
+		{
+			name:    "missing token",
+			md:      metadata.MD{},
+			wantErr: true,
+		},
+		{
+			name:    "no metadata",
+			md:      nil,
+			wantErr: true,
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+
+			ctx := t.Context()
+
+			if test.md != nil {
+				ctx = metadata.NewIncomingContext(ctx, test.md)
+			}
+
+			_, err := interceptor(ctx, nil, nil, func(context.Context, any) (any, error) {
+				return nil, nil
+			})
+
+			if test.wantErr {
+				require.Error(t, err)
+				assert.Equal(t, codes.Unauthenticated, status.Code(err))
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}