Implement upstream authority plugin for GCP

conf/server/server_full.conf

@@ -571,6 +571,35 @@ plugins {
     #     }
     # }
 
+    # UpstreamAuthority "gcp_cas": Uses a Certificate Authority Service of
+    # Google Cloud Platform to sign SPIRE server intermediate certificates.
+    # UpstreamAuthority "gcp_cas" {
+    #     plugin_data {
+    #
+    #         # Required: Specifies which CAs should be used for signing
+    #         root_cert_spec {
+    #             # All fields are required
+    #             # Project name + region name is used to retrieve a set of CAs
+    #             project_name = ""
+    #             region_name = ""
+    #             # label key + label value is used to filter and select a subset of CAs
+    #             project_name = ""
+    #             region_name = ""
+    #         }
+    #
+    #         # Optional: Specifies which additional root CAs should be in the trust bundle
+    #         trust_bundle_cert_spec = [ {
+    #             # All fields are required
+    #             # Project name + region name is used to retrieve a set of CAs
+    #             project_name = ""
+    #             region_name = ""
+    #             # label key + label value is used to filter and select a subset of CAs
+    #             project_name = ""
+    #             region_name = ""
+    #         } ]
+    #     }
+    # }
+
     # UpstreamAuthority "vault": Uses a PKI Secret Engine from HashiCorp Vault
     # to sign SPIRE server intermediate certificates.
     # UpstreamAuthority "vault" {

doc/plugin_server_upstreamauthority_gcp_cas.md

@@ -0,0 +1,82 @@
+# Server plugin: UpstreamAuthority "gcp_cas"
+
+The `gcp_cas` plugin uses the Certificate Authority from Google Cloud Platform, known as "Certificate Authority Service" (CAS),
+ to generate intermediate signing certificates for SPIRE Server.
+
+# Considerations
+**This plugin relies on GCP Certificate Authority Service which is currently in Beta and hence is not recommended to run in production environments**.
+
+# Configuration
+
+The plugin has two configuration sections:
+1. mandatory root_cert_spec:
+It is used to specify which CAs are used for signing intermediate CAs as well as being
+ part of the trusted root bundle. If it matches multiple CAs, the earliest expiring CA is used for signing.
+1. optional trust_bundle_cert_spec:
+It is used to specify additional CA roots that should be part of the trusted root bundle
+but not be eligible for signing intermediate CAs.
+
+"root_cert_spec" requires the following attributes:
+
+| Configuration                 | Description                                                       |
+| ----------------------------- | ----------------------------------------------------------------- |
+| project_name   | Project in GCP that has the root CA certificate                   |
+| region_name    | The name of the region within GCP                                 |
+| label_key      | Label key - value pair is used to filter and select the relevant certificate  |
+| label_value    | Label key - value pair is used to filter and select the relevant certificate  |
+
+"trusted_root_cert_spec" is identical to "root_cer_spec" and it requires the following attributes:
+
+| Configuration                 | Description                                                       |
+| ----------------------------- | ----------------------------------------------------------------- |
+| project_name   | Project in GCP that has root CA certificates                                  |
+| region_name    | The name of the region within GCP                                             |
+| label_key      | Label key - value pair is used to filter and select the relevant certificate  |
+| label_value    | Label key - value pair is used to filter and select the relevant certificate  |
+
+
+
+##Sample configuration:
+
+```yaml
+UpstreamAuthority "gcp_cas" {
+    plugin_data {
+        root_cert_spec {
+            project_name = "MyProject"
+            region_name = "us-central1"
+            label_key = "myapp-identity-root"
+            label_value = "true"
+        }
+        trust_bundle_cert_spec = [
+            {
+                project_name = "DiffProject"
+                region_name = "us-central1"
+                label_key = "diffapp-identity-root"
+                label_value = "true"
+            }
+        ]
+    }
+}
+```
+# What does the plugin do
+The plugin retrieves the CAs in GCPs that are in Enabled state and match the root cert spec parameters specified
+ in the plugin configuration. Among the matching certificates, the CA with the earliest expiry time is selected and
+ used to create and sign an intermediate CA. The trust bundle contains all the CAs that matched the root_cert_spec label
+ as well as the trusted_root_spec label.
+
+# CA Rotation
+* Steady state: Config label matches CA X and CA Y in CAS; plugin has been signing with CA X and all agents are trusting CA X and CA Y.
+* Now create CA Z with the same label in CAS.
+* Disable and optionally delete CA X in CAS.
+* This builds a new trust bundle with Y and Z's root certificates and signs the issuing CA with Y which is now the earliest expiring CA.
+* This doesn't impact existing workloads because they have been trusting Y even before SPIRE started to sign with Y.
+
+# Authentication with Google Cloud Platform
+This plugin connects and authenticates with Google Cloud Platform's CAS implicitly using Application Default Credentials (ADC).
+The ADC mechanism is documented at <https://cloud.google.com/docs/authentication/production#automatically>.
+
+>ADC looks for service account credentials in the following order:
+>1. If the environment variable GOOGLE_APPLICATION_CREDENTIALS is set, ADC uses the service account file that the variable points to.
+>1. If the environment variable GOOGLE_APPLICATION_CREDENTIALS isn't set, ADC uses the service account that is attached to the resource that is running your code.
+>1. If the environment variable GOOGLE_APPLICATION_CREDENTIALS isn't set, and there is no service account attached to the resource that is running your code, ADC uses the default service account that Compute Engine, Google Kubernetes Engine, App Engine, Cloud Run, and Cloud Functions provide.
+>1. If ADC can't use any of the above credentials, an error occurs.

doc/spire_server.md

@@ -36,6 +36,7 @@ This document is a configuration reference for SPIRE Server. It includes informa
 | UpstreamAuthority | [disk](/doc/plugin_server_upstreamauthority_disk.md) | Uses a CA loaded from disk to sign SPIRE server intermediate certificates. |
 | UpstreamAuthority | [aws_pca](/doc/plugin_server_upstreamauthority_aws_pca.md) | Uses a Private Certificate Authority from AWS Certificate Manager to sign SPIRE server intermediate certificates. |
 | UpstreamAuthority | [awssecret](/doc/plugin_server_upstreamauthority_awssecret.md) | Uses a CA loaded from AWS SecretsManager to sign SPIRE server intermediate certificates. |
+| UpstreamAuthority | [gcp_cas](/doc/plugin_server_upstreamauthority_gcp_cas.md) | Uses a Private Certificate Authority from GCP Certificate Authority Service to sign SPIRE Server intermediate certificates. |
 | UpstreamAuthority | [vault](/doc/plugin_server_upstreamauthority_vault.md) | Uses a PKI Secret Engine from HashiCorp Vault to sign SPIRE server intermediate certificates. |
 | UpstreamAuthority | [spire](/doc/plugin_server_upstreamauthority_spire.md) | Uses an upstream SPIRE server in the same trust domain to obtain intermediate signing certificates for SPIRE server. |
 

go.mod

@@ -3,7 +3,8 @@ module github.com/spiffe/spire
 go 1.15
 
 require (
-	cloud.google.com/go/storage v1.6.0
+	cloud.google.com/go v0.80.0
+	cloud.google.com/go/storage v1.10.0
 	github.com/Azure/azure-sdk-for-go v44.0.0+incompatible
 	github.com/Azure/go-autorest/autorest v0.11.0
 	github.com/Azure/go-autorest/autorest/azure/auth v0.5.0
@@ -30,8 +31,8 @@ require (
 	github.com/go-ole/go-ole v1.2.4 // indirect
 	github.com/go-sql-driver/mysql v1.4.1
 	github.com/gofrs/uuid v3.2.0+incompatible
-	github.com/golang/mock v1.4.3
-	github.com/golang/protobuf v1.5.0
+	github.com/golang/mock v1.5.0
+	github.com/golang/protobuf v1.5.1
 	github.com/google/go-cmp v0.5.5
 	github.com/hashicorp/go-hclog v0.14.0
 	github.com/hashicorp/go-plugin v1.3.0
@@ -54,18 +55,18 @@ require (
 	github.com/sirupsen/logrus v1.4.2
 	github.com/spiffe/go-spiffe/v2 v2.0.0-beta.5
 	github.com/spiffe/spire-api-sdk v1.0.0-pre.0.20210318220945-7ff3eb0759ce
-	github.com/stretchr/testify v1.5.1
+	github.com/stretchr/testify v1.6.1
 	github.com/uber-go/tally v3.3.12+incompatible
 	github.com/zeebo/errs v1.2.2
 	go.uber.org/atomic v1.4.0
 	go.uber.org/goleak v0.10.0
 	golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9
-	golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e
-	golang.org/x/sys v0.0.0-20200331124033-c3d80250170d
+	golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4
+	golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4
 	golang.org/x/time v0.0.0-20191024005414-555d28b269f0
-	golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4
-	google.golang.org/api v0.29.0
-	google.golang.org/genproto v0.0.0-20200806141610-86f49bd18e98
+	golang.org/x/tools v0.1.0
+	google.golang.org/api v0.42.0
+	google.golang.org/genproto v0.0.0-20210323160006-e668133fea6a
 	google.golang.org/grpc v1.36.0
 	google.golang.org/protobuf v1.26.0
 	gopkg.in/DATA-DOG/go-sqlmock.v1 v1.3.0 // indirect