feat(security): Replace security-proxy-setup for adding users (edgexf…

…oundry#2808)

Replaces security-proxy-setup for adding users to the Kong proxy.

This new utility changes the JWT authentication mode from HS256 to
RS256, thus avoiding exposure of the HMAC secret on the server side.
This new utility also puts the client_id and client_secret for
OAuth2 authentication in the hands of the user.
Although in the new scheme the user is responsible for generating
tokens via either the client_credentials OAuth2 flow,
or client-side JWT signing, utility methods are provided
for that function that do not depend upon the server.

The new utility eliminates the requirement from security-proxy-setup
that a valid security secret store token is available.

Fixes edgexfoundry#2477
Fixes edgexfoundry#2549
Fixes edgexfoundry#2568

Signed-off-by: Bryon Nevis <bryon.nevis@intel.com>

Makefile

@@ -23,7 +23,8 @@ MICROSERVICES=cmd/core-metadata/core-metadata cmd/core-data/core-data \
 	cmd/security-secrets-setup/security-secrets-setup cmd/security-proxy-setup/security-proxy-setup \
 	cmd/security-secretstore-setup/security-secretstore-setup \
 	cmd/security-file-token-provider/security-file-token-provider \
-	cmd/security-bootstrap-redis/security-bootstrap-redis
+	cmd/security-bootstrap-redis/security-bootstrap-redis \
+	cmd/secrets-config/secrets-config
 
 .PHONY: $(MICROSERVICES)
 
@@ -78,6 +79,9 @@ cmd/security-file-token-provider/security-file-token-provider:
 cmd/security-bootstrap-redis/security-bootstrap-redis:
 	$(GO) build $(GOFLAGS) -o ./cmd/security-bootstrap-redis/security-bootstrap-redis ./cmd/security-bootstrap-redis
 
+cmd/secrets-config/secrets-config:
+	$(GO) build $(GOFLAGS) -o ./cmd/secrets-config ./cmd/secrets-config
+
 clean:
 	rm -f $(MICROSERVICES)
 

cmd/secrets-config/Attribution.txt

@@ -0,0 +1,176 @@
+The following open source projects are referenced by Security Proxy Setup:
+
+pkg/errors (BSD-2) https://github.com/pkg/errors
+https://github.com/pkg/errors/blob/master/LICENSE
+
+gorilla/mux (BSD-3) - https://github.com/gorilla/mux
+https://github.com/gorilla/mux/blob/master/LICENSE
+
+globalsign/mgo (unspecified) - https://github.com/globalsign/mgo
+https://github.com/globalsign/mgo/blob/master/LICENSE
+
+pebbe/zmq4 (BSD-2) https://github.com/pebbe/zmq4
+https://github.com/pebbe/zmq4/blob/master/LICENSE.txt
+
+go-kit/kit (MIT) github.com/go-kit/kit
+https://github.com/go-kit/kit/blob/master/LICENSE
+
+go-logfmt/logfmt (MIT) https://github.com/go-logfmt/logfmt
+https://github.com/go-logfmt/logfmt/blob/master/LICENSE
+
+robfig/cron (MIT) https://github.com/robfig/cron
+https://github.com/robfig/cron/blob/master/LICENSE
+
+dgrijalva/jwt-go (MIT) https://github.com/dgrijalva/jwt-go
+https://github.com/dgrijalva/jwt-go/blob/master/LICENSE
+
+google/uuid (BSD-3) https://github.com/google/uuid
+https://github.com/google/uuid/blob/master/LICENSE
+
+pelletier/go-toml (MIT) https://github.com/pelletier/go-toml
+https://github.com/pelletier/go-toml/blob/master/LICENSE
+
+influxdata/influxdb/client/v2 (MIT) https://github.com/influxdata/influxdb
+https://github.com/influxdata/influxdb/blob/master/LICENSE
+
+influxdata/platform (MIT) https://github.com/influxdata/platform
+https://github.com/influxdata/platform/blob/master/LICENSE
+
+eclipse/paho.mqtt.golang (Eclipse Public License 1.0) https://github.com/eclipse/paho.mqtt.golang
+https://github.com/eclipse/paho.mqtt.golang/blob/master/LICENSE
+
+mattn/go-xmpp (BSD-3) https://github.com/mattn/go-xmpp
+https://github.com/mattn/go-xmpp/blob/master/LICENSE
+
+BurntSushi/toml (MIT) https://github.com/BurntSushi/toml
+https://github.com/BurntSushi/toml/blob/master/COPYING
+
+mitchellh/consulstructure (MIT) https://github.com/mitchellh/consulstructure
+https://github.com/mitchellh/consulstructure/blob/master/LICENSE
+
+mitchellh/mapstructure (MIT) https://github.com/mitchellh/mapstructure
+https://github.com/mitchellh/mapstructure/blob/master/LICENSE
+
+mitchellh/reflectwalk (MIT) https://github.com/mitchellh/reflectwalk
+https://github.com/mitchellh/reflectwalk/blob/master/LICENSE
+
+cenkalti/backoff (MIT) https://github.com/cenkalti/backoff
+https://github.com/cenkalti/backoff/blob/master/LICENSE
+
+hashicorp/consul/api 1.1.0 (Mozilla Public License 2.0) - https://github.com/hashicorp/consul/api
+https://github.com/hashicorp/consul/blob/master/LICENSE
+
+hashicorp/go-cleanhttp (Mozilla Public License 2.0) - https://github.com/hashicorp/go-cleanhttp
+https://github.com/hashicorp/go-cleanhttp/blob/master/LICENSE
+
+hashicorp/go-rootcerts (Mozilla Public License 2.0) https://github.com/hashicorp/go-rootcerts
+https://github.com/hashicorp/go-rootcerts/blob/master/LICENSE
+
+mitchellh/go-homedir (MIT) https://github.com/mitchellh/go-homedir
+https://github.com/mitchellh/go-homedir/blob/master/LICENSE
+
+mitchellh/mapstructure (MIT) https://github.com/mitchellh/mapstructure
+https://github.com/mitchellh/mapstructure/blob/master/LICENSE
+
+mitchellh/copystructure (MIT) https://github.com/mitchellh/copystructure
+https://github.com/mitchellh/copystructure/blob/master/LICENSE
+
+hashicorp/serf (Mozilla Public License 2.0) https://github.com/hashicorp/serf
+https://github.com/hashicorp/serf/blob/master/LICENSE
+
+armon/go-metrics (MIT) https://github.com/armon/go-metrics
+https://github.com/armon/go-metrics/blob/master/LICENSE
+
+hashicorp/go-immutable-radix (Mozilla Public License 2.0) https://github.com/hashicorp/go-immutable-radix
+https://github.com/hashicorp/go-immutable-radix/blob/master/LICENSE
+
+hashicorp/golang-lru (Mozilla Public License 2.0) https://github.com/hashicorp/golang-lru
+https://github.com/hashicorp/golang-lru/blob/master/LICENSE
+
+github.com/go-redis/redis/v7 (BSD-2) https://github.com/go-redis/redis
+https://github.com/go-redis/redis/blob/master/LICENSE
+https://github.com/go-redis/redis/blob/master/LICENSE
+
+gomodule/redigo (Apache 2.0) https://github.com/gomodule/redigo
+https://github.com/gomodule/redigo/blob/master/LICENSE
+
+OneOfOne/xxhash (Apache 2.0) https://github.com/OneOfOne/xxhash
+https://github.com/OneOfOne/xxhash/blob/master/LICENSE
+
+imdario/mergo (BSD-3) github.com/imdario/mergo
+https://github.com/imdario/mergo/blob/master/LICENSE
+
+magiconair/properties (BSD-2) https://github.com/magiconair/properties
+https://github.com/magiconair/properties/blob/master/LICENSE
+
+gopkg.in/eapache/queue.v1 (MIT) gopkg.in/eapache/queue.v1
+https://github.com/eapache/queue/blob/v1.1.0/LICENSE
+
+bertimus9/systemstat (MIT) https://bitbucket.org/bertimus9/systemstat
+https://bitbucket.org/bertimus9/systemstat/src/master/LICENSE
+
+davecgh/go-spew (ISC) https://github.com/davecgh/go-spew
+https://github.com/davecgh/go-spew/blob/master/LICENSE
+
+edgexfoundry/go-mod-bootstrap (Apache 2.0) https://github.com/edgexfoundry/go-mod-bootstrap
+https://github.com/edgexfoundry/go-mod-bootstrap/blob/master/LICENSE
+
+edgexfoundry/go-mod-configuration (Apache 2.0) https://github.com/edgexfoundry/go-mod-configuration
+https://github.com/edgexfoundry/go-mod-configuration/blob/master/LICENSE
+
+edgexfoundry/go-mod-core-contracts (Apache 2.0) https://github.com/edgexfoundry/go-mod-core-contracts
+https://github.com/edgexfoundry/go-mod-core-contracts/blob/master/LICENSE
+
+edgexfoundry/go-mod-messaging (Apache 2.0) https://github.com/edgexfoundry/go-mod-messaging
+https://github.com/edgexfoundry/go-mod-messaging/blob/master/LICENSE
+
+edgexfoundry/go-mod-registry (Apache 2.0) https://github.com/edgexfoundry/go-mod-registry
+https://github.com/edgexfoundry/go-mod-registry/blob/master/LICENSE
+
+edgexfoundry/go-mod-secrets (Apache 2.0) https://github.com/edgexfoundry/go-mod-secrets
+https://github.com/edgexfoundry/go-mod-secrets/blob/master/LICENSE
+
+gorilla/context (BSD-3) https://github.com/gorilla/context
+https://github.com/gorilla/context/blob/master/LICENSE
+
+kr/logfmt (Unspecified) https://github.com/kr/logfmt
+https://github.com/kr/logfmt/blob/master/Readme
+
+pmezard/go-difflib (Unspecified) https://github.com/pmezard/go-difflib
+https://github.com/pmezard/go-difflib/blob/master/LICENSE
+
+stretchr/objx (MIT) https://github.com/stretchr/objx
+https://github.com/stretchr/objx/blob/master/LICENSE
+
+stretchr/testify (MIT) https://github.com/stretchr/testify
+https://github.com/stretchr/testify/blob/master/LICENSE
+
+fxamacker/cbor (MIT) https://github.com/fxamacker/cbor/v2
+https://github.com/fxamacker/cbor/blob/master/README.md#license
+
+x448/float16 (MIT) https://github.com/x448/float16
+https://github.com/x448/float16/blob/master/LICENSE
+
+golang.org/x/net (Unspecified) https://github.com/golang/net
+https://github.com/golang/net/blob/master/LICENSE
+
+gopkg.in/yaml.v2 (Apache 2.0) https://github.com/go-yaml/yaml/
+https://github.com/go-yaml/yaml/blob/v2.2.2/LICENSE
+
+cloudflare/gokey (BSD-3) https://github.com/cloudflare/gokey
+https://github.com/cloudflare/gokey/blob/master/LICENSE
+
+golang.org/x/crypto (Unspecified) https://github.com/golang/crypto
+https://github.com/golang/crypto/blob/master/LICENSE
+
+go-playground/locales (MIT) https://github.com/go-playground/locales
+https://github.com/go-playground/locales/blob/master/LICENSE
+
+go-playground/universal-translator (MIT) https://github.com/go-playground/universal-translator
+https://github.com/go-playground/universal-translator/blob/master/LICENSE
+
+github.com/go-playground/validator/v10 (MIT) https://github.com/go-playground/validator
+https://github.com/go-playground/validator/blob/master/LICENSE
+
+leodido/go-urn (MIT) https://github.com/leodido/go-urn
+https://github.com/leodido/go-urn

cmd/secrets-config/README.md

@@ -0,0 +1,182 @@
+% secrets-config-proxy(1) User Manuals secrets-config-proxy(1)
+
+# NAME
+
+secrets-config-proxy – Configure EdgeX API gateway service
+
+# SYNOPSIS
+
+**secrets-config proxy** SUBCOMMAND [OPTIONS]
+
+# DESCRIPTION
+
+Configures the EdgeX API gateway service.
+
+This command is used to configure the TLS certificate for external connections, create authentication tokens for inbound proxy access, and other related utility functions.
+
+Proxy configuration commands (listed below) require access to the secret store master key in order to generate temporary secret store access credentials.
+
+# OPTIONS
+
+  * **--confdir** _/path/to/directory/with/configuration.toml_ (optional)
+
+    Points to directory containing a configuration.toml file.
+
+# SUBCOMMANDS
+
+  * **tls**
+
+    Configure inbound TLS certificate. This command will provision the TLS secrets into the secret store and re-deploy them to Kong. Requires additional arguments:
+
+    * **--incert** _/path/to/certchain_ (required)
+
+      Path to TLS leaf certificate (PEM-encoded x.509) (the file extension is arbitrary).
+      If intermediate certificates are required to chain to a certificate authority,
+      these should also be included.
+      The root certificate authority should not be included.
+
+    * **--inkey** _/path/to/private\_key_ (required)
+
+      Path to TLS private key (PEM-encoded).
+
+  * **adduser**
+
+    Create an API gateway user using specified token type. Requires additional arguments:
+
+    * **--token-type** jwt | oauth2 (required)
+
+      Create user using either the JWT or OAuth2 authentication plugin.
+      This value must match the configured authentication plugin
+      (`KongAuth.Name` in security-proxy-setup's `configuration.toml`).
+
+    * **--user** _username_ (required)
+
+      Username of the user to add.
+
+    * **--group** _group_ (optional)
+
+      Group to which the user belongs, defaults to "admin".
+      This should be the group associated with the route ACL
+      (`KongAuth.WhiteList` in security-proxy-setup's `configuration.toml`).
+      (Note that secrets-config shares the same configuration as security-proxy-setup
+      as they both configure the EdgeX API gateway.)
+
+
+    The following options are used when token-type == "jwt":
+
+    * **--algorithm** RS256 | ES256 (required for JWT method)
+
+      Algorithm used for signing the JWT.
+      (See [RFC 7518](https://tools.ietf.org/html/rfc7518#section-3.1) for a list of signing algorithms.)
+
+    * **--public\_key** _/path/to/public\_key_ (required for JWT tokens)
+
+      Public key (in PEM format) used to validate the JWT.
+      (Not an x.509 certificate.)
+      This key is assumed to have been pre-created using some external mechanism such as a TPM, HSM, openssl, or other method.
+
+    * **--id** _key_ (optional)
+
+      Optional user-specified "key" used for linkage with an incoming JWT via Kong's config.key\_claim\_name setting (defaults to "iss" field).
+      See
+      [Kong documentation for JWT plugin](https://docs.konghq.com/hub/kong-inc/jwt/#craft-a-jwt-with-publicprivate-keys-rs256-or-es256)
+      for an example of how this parameter is used.
+
+    Upon completion, for token-type == "jwt", the command outputs the autogenerated _key_ for the **id** command above.
+    This value must be used during later construction of the JWT.
+
+
+    The following options are used when token-type == "oauth2":
+
+    * **--client\_id** (optional)
+
+      Optional manually-specified OAuth2 client_id.  Will be generated if not present.  Equivalent to a username.
+
+    * **--client\_secret** (optional)
+
+      Optional manually-specified OAuth2 client_secret.  Will be generated if not present.  Equivalent to a password.
+
+    * **--redirect\_uris** _url\_for\_browser\_redirection_ (optional)
+
+      OAuth2 redirect URL for browser-based users. Defaults to "https://localhost".  This is not currently used by EdgeX but the API gateway requires a value.
+
+    Upon completion, for token-type == "oauth2", the command outputs a JSON structure containing the client_id and client_secret.
+
+
+  * **deluser**
+
+    Delete a API gateway user. Requires additional arguments:
+
+    * **--user** _username_ (required)
+
+      Username of the user to delete.
+
+
+  * **jwt**
+
+    Utility function to create a JWT proxy authentication token from a supplied secret. This command does not require secret store access, but the values supplied must match those presented to the adduser command earlier. Requires additional arguments:
+
+    * **--algorithm** `RS256` | `ES256` (required)
+
+      Algorithm used for signing the JWT.
+      (See [RFC 7518](https://tools.ietf.org/html/rfc7518#section-3.1) for a list of signing algorithms.)
+
+    * **--id** _key_ (required)
+
+      The "key" field from the "adduser" command.
+      (This will be either the --id argument passed in, or the automatically generated identifier.)
+      (This is not actually a cryptographic key, but a unique identifier such as would be used in a database.)
+
+    * **--private\_key** _/path/to/private.key_ (required)
+
+      Private key used to sign the JWT (PEM-encoded) with a key type corresponding to the above-supplied algorithm.
+
+    * **--exp** _duration_ (optional)
+
+      Duration of generated JWT expressed as a golang-parseable duration value. Use "never" to omit an expiration field in the JWT. Defaults to "1h" (one hour) if unspecified.
+
+
+    The generated JWT will be the encoded representation of:
+
+      <pre>
+      {
+        &quot;typ&quot;: &quot;JWT&quot;,
+        &quot;alg&quot;: &quot;RS256 | ES256&quot;
+      }
+      {
+        &quot;iss&quot;: &quot;_key_&quot;,
+        &quot;exp&quot;: (calculated expiration time)
+      }
+      (signature)
+      </pre>
+
+
+  * **oauth2**
+
+    Utility function to create an OAuth2 proxy authentication token using the client_credentials OAuth2 grant flow. This command does not require secret store access, but the values supplied must match those presented to the adduser command earlier. Requires additional arguments:
+
+    * **--client\_id** _client\_id_ (required)
+
+      OAuth2 client_id from previous "adduser" command.  Equivalent to a username.
+
+    * **--client\_secret** _client\_secret_ (required)
+
+      OAuth2 client_secret from previous "adduser" command.  Equivalent to a password.
+
+
+
+# CONFIGURATION
+
+# ENVIRONMENT
+
+  * **IKM\_HOOK**
+
+    Enables decryption of an encrypted secret store master key by pointing at an executable that returns an encryption seed that is formatted as a hex-encoded (typically 32-byte) string to its stdout.
+    This optional feature, if enabled, requires pointing at the same executable that was used
+    by security-secretstore-setup to provision and unlock the EdgeX the secret store.
+
+# SEE ALSO
+
+secrets-config(1)
+
+EdgeX Foundry Last change: 2020