CASSANDRASC-141: Mutual TLS Authentication and Authorization to Sidecar

build.gradle

@@ -179,6 +179,9 @@ configurations {
 }
 
 dependencies {
+    implementation group: 'org.bouncycastle', name: 'bcpkix-jdk18on', version: '1.78.1'
+    implementation(project(':vertx-auth-mtls'))
+
     compileOnly('org.jetbrains:annotations:23.0.0')
     testCompileOnly('org.jetbrains:annotations:23.0.0')
     integrationTestCompileOnly('org.jetbrains:annotations:23.0.0')
@@ -259,6 +262,14 @@ dependencies {
     integrationTestImplementation(group: 'com.fasterxml.jackson.datatype', name: 'jackson-datatype-jsr310', version: "${project.jacksonVersion}")
 
     containerTestImplementation('com.adobe.testing:s3mock-testcontainers:2.17.0') // 3.x version do not support java 11
+
+    testImplementation group: 'junit', name: 'junit', version: '4.13'
+    testImplementation platform('org.junit:junit-bom:5.10.0')
+    testImplementation 'org.junit.jupiter:junit-jupiter'
+    implementation group: 'org.apache.commons', name: 'commons-collections4', version: '4.3'
+    implementation 'org.jetbrains:annotations:24.0.0'
+    implementation 'org.apache.httpcomponents:httpclient:4.5.2'
+    implementation group: 'org.codehaus.httpcache4j.uribuilder', name: 'uribuilder', version: '1.0.0'
 }
 
 jar {
@@ -384,12 +395,9 @@ def integrationTest = task("integrationTest")
             systemProperty "cassandra.sidecar.versions_to_test", versionsToTest
         }
         useJUnitPlatform() {
-            if (name.contains("HeavyWeight"))
-            {
+            if (name.contains("HeavyWeight")) {
                 includeTags "heavy"
-            }
-            else
-            {
+            } else {
                 excludeTags "heavy"
             }
         }
@@ -416,8 +424,7 @@ def integrationTest = task("integrationTest")
             logger.lifecycle("--")
             if (totalTime >= 60) { // log the tests that take 1 minute and more
                 logger.warn("$descriptor.displayName took $totalTime s")
-            }
-            else {
+            } else {
                 logger.info("$descriptor.displayName took $totalTime s")
             }
         }

settings.gradle

@@ -24,7 +24,7 @@ include "adapters:cassandra41"
 include "client-common"
 include "server-common"
 include "client"
+include "vertx-auth-mtls"
 include "vertx-client"
 include "vertx-client-shaded"
 include "docs"
-

src/main/dist/conf/sidecar.yaml

@@ -83,6 +83,14 @@ sidecar:
     min_free_space_percent: 10
     # file_permissions: "rw-r--r--" # when not specified, the default file permissions are owner read & write, group & others read
   allowable_time_skew_in_minutes: 60
+  # Insert here cache details
+  refresh_permission_caches:
+    initial_delay_millis: 0
+    poll_freq_millis: 30000
+    stale_after_millis: 3600000
+    cache:
+      expire_after_access_millis: 7200000
+      maximum_size: 10000
   sstable_import:
     poll_interval_millis: 100
     cache:
@@ -113,23 +121,43 @@ sidecar:
 #
 # Enable SSL configuration (Disabled by default)
 #
-#  ssl:
-#    enabled: true
-#    use_openssl: true
-#    handshake_timeout_sec: 10
-#    client_auth: NONE # valid options are NONE, REQUEST, REQUIRED
-#    accepted_protocols:
-#     - TLSv1.2
-#     - TLSv1.3
-#    cipher_suites: []
-#    keystore:
-#      type: PKCS12
-#      path: "path/to/keystore.p12"
-#      password: password
-#      check_interval_sec: 300
-#    truststore:
-#      path: "path/to/truststore.p12"
-#      password: password
+#ssl:
+#  enabled: true
+#  use_openssl: true
+#  handshake_timeout_sec: 10
+#  client_auth: REQUIRED # valid options are NONE, REQUEST, REQUIRED
+#  accepted_protocols:
+#   - TLSv1.2
+#   - TLSv1.3
+#  cipher_suites: []
+#  keystore:
+#    type: PKCS12
+#    path: "path/to/keystore.p12"
+#    password: password
+#    check_interval_sec: 300
+#  truststore:
+#    path: "path/to/truststore.jks"
+#    password: password
+
+# Authentication Configuration
+authenticator:
+  auth_config: AllowAll # Valid options are MutualTls or AllowAll
+  # Valid options are Spiffe, AllowAll or RejectAll
+  cert_validator: AllowAll
+  # Valid options are MutualTls, AllowAll or RejectAll
+  id_validator: AllowAll
+  authorized_identities:
+    - spiffe://authorized/admin/identities
+
+# Authorizer Configuration
+authorizer:
+  auth_config: AllowAll # valid options are AllowAll or MutualTLS
+  role_to_sidecar_permissions: # Permissions mapping roles to sidecar specific permissions
+#    - role: "trusted_role"
+#      permissions:
+#        - ClEANUP_SSTABLE
+#           - "< KEYSPACE system_auth >"
+#           - "< TABLE system_auth.roles >"
 
 driver_parameters:
   contact_points:

src/main/java/org/apache/cassandra/sidecar/CassandraSidecarDaemon.java

@@ -40,8 +40,7 @@ public class CassandraSidecarDaemon
 
     public static void main(String[] args)
     {
-        String yamlConfigurationPath = System.getProperty("sidecar.config", "file://./conf/config.yaml");
-
+        String yamlConfigurationPath = System.getProperty("sidecar.config", "file://./conf/sidecar.yaml");
         Path confPath;
         try
         {

src/main/java/org/apache/cassandra/sidecar/auth/authentication/AllowAllAuthenticationProvider.java

@@ -0,0 +1,45 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cassandra.sidecar.auth.authentication;
+
+import io.vertx.core.AsyncResult;
+import io.vertx.core.Future;
+import io.vertx.core.Handler;
+import io.vertx.core.json.JsonObject;
+import io.vertx.ext.auth.User;
+import io.vertx.ext.auth.authentication.AuthenticationProvider;
+import io.vertx.ext.auth.authentication.Credentials;
+
+/**
+ * Authentication provider to approve all requests regardless of the certificate they send.
+ */
+public class AllowAllAuthenticationProvider implements AuthenticationProvider
+{
+    @Override
+    public Future<User> authenticate(Credentials credentials)
+    {
+        return Future.succeededFuture(User.fromName("AllowAll"));
+    }
+
+    @Override
+    public void authenticate(JsonObject credentials, Handler<AsyncResult<User>> resultHandler)
+    {
+        throw new UnsupportedOperationException("Deprecated authentication method");
+    }
+}

src/main/java/org/apache/cassandra/sidecar/auth/authentication/AuthenticatorConfig.java

@@ -0,0 +1,28 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cassandra.sidecar.auth.authentication;
+
+/**
+ * Supported authentication providers
+ */
+public enum AuthenticatorConfig
+{
+    MutualTls,
+    AllowAll
+}

src/main/java/org/apache/cassandra/sidecar/auth/authentication/CertificateValidatorConfig.java

@@ -0,0 +1,29 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cassandra.sidecar.auth.authentication;
+
+/**
+ * Supported Certificate Validators
+ */
+public enum CertificateValidatorConfig
+{
+    Spiffe,
+    AllowAll,
+    RejectAll
+}

src/main/java/org/apache/cassandra/sidecar/auth/authentication/IdentityValidatorConfig.java

@@ -0,0 +1,29 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cassandra.sidecar.auth.authentication;
+
+/**
+ * Supported identity validators
+ */
+public enum IdentityValidatorConfig
+{
+    MutualTls,
+    AllowAll,
+    RejectAll
+}

src/main/java/org/apache/cassandra/sidecar/auth/authorization/AllowAllAuthorizationProvider.java

@@ -0,0 +1,66 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cassandra.sidecar.auth.authorization;
+
+import java.util.HashSet;
+import java.util.Set;
+
+import io.vertx.core.AsyncResult;
+import io.vertx.core.Future;
+import io.vertx.core.Handler;
+import io.vertx.ext.auth.User;
+import io.vertx.ext.auth.authorization.AndAuthorization;
+import io.vertx.ext.auth.authorization.Authorization;
+import io.vertx.ext.auth.authorization.AuthorizationProvider;
+import io.vertx.ext.auth.authorization.RoleBasedAuthorization;
+
+/**
+ * Authorizer to allow all requests and grant every request all permissions
+ */
+public class AllowAllAuthorizationProvider implements AuthorizationProvider
+{
+    public String getId()
+    {
+        return "AllowAll";
+    }
+
+    public void getAuthorizations(User user, Handler<AsyncResult<Void>> handler)
+    {
+        getAuthorizations(user).onComplete(handler);
+    }
+
+    public Future<Void> getAuthorizations(User user)
+    {
+        if (user == null)
+        {
+            return Future.failedFuture("User cannot be null");
+        }
+
+        Set<Authorization> allowAllAuthorizations = new HashSet<>();
+        AndAuthorization allowAllPermissions = AndAuthorization.create();
+        for (MutualTlsPermissions perm : MutualTlsPermissions.ALL)
+        {
+            allowAllPermissions.addAuthorization(RoleBasedAuthorization.create(perm.name()).setResource("ALL KEYSPACES"));
+        }
+        allowAllAuthorizations.add(allowAllPermissions);
+        user.authorizations().add(getId(), allowAllAuthorizations);
+
+        return Future.succeededFuture();
+    }
+}

src/main/java/org/apache/cassandra/sidecar/auth/authorization/AuthorizerConfig.java

@@ -0,0 +1,28 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cassandra.sidecar.auth.authorization;
+
+/**
+ * Supported authorization providers
+ */
+public enum AuthorizerConfig
+{
+    MutualTls,
+    AllowAll
+}