ore,server-core,pgwire,balancerd,environmentd: migrate TLS from openssl to rustls

about.toml

@@ -4,6 +4,7 @@ accepted = [
     "Apache-2.0",
     "Apache-2.0 WITH LLVM-exception",
     "CC0-1.0",
+    "CDLA-Permissive-2.0",
     "0BSD",
     "BSD-2-Clause",
     "BSD-3-Clause",

bin/lint-fips-containers

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+# Copyright Materialize, Inc. and contributors. All rights reserved.
+#
+# Use of this software is governed by the Business Source License
+# included in the LICENSE file at the root of this repository.
+#
+# As of the Change Date specified in that file, in accordance with
+# the Business Source License, use of this software will be governed
+# by the Apache License, Version 2.0.
+#
+# lint-fips-containers -- audit container definitions for FIPS compliance gaps
+
+exec "$(dirname "$0")"/pyactivate -m materialize.cli.lint_fips_containers "$@"

bin/lint-openssl

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+# Copyright Materialize, Inc. and contributors. All rights reserved.
+#
+# Use of this software is governed by the Business Source License
+# included in the LICENSE file at the root of this repository.
+#
+# As of the Change Date specified in that file, in accordance with
+# the Business Source License, use of this software will be governed
+# by the Apache License, Version 2.0.
+#
+# lint-openssl -- detect OpenSSL usage across the codebase
+
+exec "$(dirname "$0")"/pyactivate -m materialize.cli.lint_openssl "$@"

ci/builder/Dockerfile

@@ -181,6 +181,12 @@ RUN gpg --dearmor < nodesource.asc > /etc/apt/keyrings/nodesource.gpg \
     && npm install -g corepack \
     && corepack enable
 
+# Install Go, required by aws-lc-fips-sys to build the FIPS-validated
+# BoringSSL module. Activated when cargo builds with --all-features (which
+# enables the mz-ore `fips` feature). Go 1.18+ is required.
+RUN curl -fsSL https://go.dev/dl/go1.24.2.linux-$ARCH_GO.tar.gz | tar -C /usr/local -xzf -
+ENV PATH="/usr/local/go/bin:${PATH}"
+
 RUN curl -fsSL https://github.com/koalaman/shellcheck/releases/download/v0.11.0/shellcheck-v0.11.0.linux.$ARCH_GCC.tar.xz > shellcheck.tar.xz \
     && tar -xJf shellcheck.tar.xz -C /usr/local/bin --strip-components 1 shellcheck-v0.11.0/shellcheck \
     && rm shellcheck.tar.xz \

console/src/components/ConnectInstructions.tsx

@@ -20,20 +20,35 @@ import TerminalIcon from "~/svg/Terminal";
 
 import { CopyableBox, TabbedCodeBlock } from "./copyableComponents";
 
+export interface ConnectInstructionsProps extends BoxProps {
+  /** The user string to display. Falls back to user.email if not provided. */
+  userStr?: string;
+  /** Frontegg user object. Required for cloud mode. */
+  user?: User;
+  /** Override the environmentd address (host:port). */
+  environmentdAddress?: string;
+  /** Override the query params in the psql connection string. */
+  psqlQueryParams?: string;
+}
+
 const ConnectInstructions = ({
   user,
   ...props
-}: BoxProps & { userStr: string | undefined; user: User }): JSX.Element => {
+}: ConnectInstructionsProps): JSX.Element => {
   const [currentEnvironment] = useAtom(currentEnvironmentState);
   const { clusterName } = useParams<ClusterDetailParams>();
 
-  if (!currentEnvironment || currentEnvironment.state !== "enabled") {
+  const envAddress =
+    props.environmentdAddress ??
+    (currentEnvironment?.state === "enabled"
+      ? currentEnvironment.sqlAddress
+      : undefined);
+
+  if (!envAddress) {
     return <Spinner />;
   }
 
-  const userStr = props.userStr || user.email;
-
-  const environmentdAddress = currentEnvironment.sqlAddress;
+  const userStr = props.userStr || user?.email || "";
 
   const defaultClusterOptionString = clusterName
     ? `&options=--cluster%3D${clusterName}`
@@ -43,11 +58,14 @@ const ConnectInstructions = ({
   // attacks, but that mode requires specifying `sslrootcert=/path/to/cabundle`,
   // and that path varies by platform. So instead we use `require`, which is
   // at least better than the default of `prefer`.
+  const queryParams =
+    props.psqlQueryParams ?? `sslmode=require${defaultClusterOptionString}`;
+
   const psqlCopyString = `psql "postgres://${encodeURIComponent(
     userStr,
-  )}@${environmentdAddress}/materialize?sslmode=require${defaultClusterOptionString}"`;
+  )}@${envAddress}/materialize?${queryParams}"`;
 
-  const [host, port] = environmentdAddress.split(":");
+  const [host, port] = envAddress.split(":");
   return (
     <TabbedCodeBlock
       data-testid="connection-options"

console/src/components/OidcConnectModal.tsx

@@ -0,0 +1,96 @@
+// Copyright Materialize, Inc. and contributors. All rights reserved.
+//
+// Use of this software is governed by the Business Source License
+// included in the LICENSE file.
+//
+// As of the Change Date specified in that file, in accordance with
+// the Business Source License, use of this software will be governed
+// by the Apache License, Version 2.0.
+
+import {
+  ModalBody,
+  ModalCloseButton,
+  ModalContent,
+  ModalHeader,
+  ModalOverlay,
+  Text,
+  useTheme,
+  VStack,
+} from "@chakra-ui/react";
+import React from "react";
+
+import ConnectInstructions from "~/components/ConnectInstructions";
+import { SecretCopyableBox } from "~/components/copyableComponents";
+import { Modal } from "~/components/Modal";
+import { useAuth } from "~/external-library-wrappers/oidc";
+import { MaterializeTheme } from "~/theme";
+import { obfuscateSecret } from "~/utils/format";
+
+const OIDC_USERNAME_PLACEHOLDER = "<your_oidc_username>";
+
+const OidcConnectModal = ({
+  onClose,
+  isOpen,
+}: {
+  onClose: () => void;
+  isOpen: boolean;
+}) => {
+  const { colors } = useTheme<MaterializeTheme>();
+  const auth = useAuth();
+  const idToken = auth.user?.id_token;
+
+  const obfuscated = idToken ? obfuscateSecret(idToken) : "";
+
+  // Default to the console's hostname, but customers may need to adjust
+  // if Materialize is exposed on a different host behind a load balancer.
+  const defaultSqlAddress = `${window.location.hostname}:6875`;
+
+  return (
+    <Modal size="3xl" isOpen={isOpen} onClose={onClose}>
+      <ModalOverlay />
+      <ModalContent>
+        <ModalHeader fontWeight="500">Connect To Materialize</ModalHeader>
+        <ModalCloseButton />
+        <ModalBody pt="2" pb="6" alignItems="stretch">
+          <Text
+            fontSize="sm"
+            whiteSpace="normal"
+            color={colors.foreground.secondary}
+          >
+            Use the details below to connect to Materialize. The host and port
+            shown are defaults and may need to be adjusted for your deployment.
+            When prompted for a password, paste the ID token.
+          </Text>
+          {idToken ? (
+            <VStack alignItems="stretch" spacing={6} mt="4">
+              <ConnectInstructions
+                userStr={OIDC_USERNAME_PLACEHOLDER}
+                environmentdAddress={defaultSqlAddress}
+                psqlQueryParams="options=--oidc_auth_enabled%3Dtrue"
+              />
+              <VStack alignItems="stretch" spacing={2}>
+                <Text textStyle="heading-xs">ID Token</Text>
+                <SecretCopyableBox
+                  label="idToken"
+                  contents={idToken}
+                  obfuscatedContent={obfuscated}
+                  overflow="hidden"
+                  minWidth={0}
+                />
+                <Text fontSize="sm" color={colors.foreground.secondary}>
+                  When prompted for a password, paste this ID token.
+                </Text>
+              </VStack>
+            </VStack>
+          ) : (
+            <Text fontSize="sm" mt="4">
+              No ID token available. Please sign in again.
+            </Text>
+          )}
+        </ModalBody>
+      </ModalContent>
+    </Modal>
+  );
+};
+
+export default OidcConnectModal;

console/src/layouts/NavBar.tsx

@@ -27,6 +27,7 @@ import useResizeObserver from "use-resize-observer";
 import ConnectModal from "~/components/ConnectModal";
 import FreeTrialNotice from "~/components/FreeTrialNotice";
 import { MaterializeLogo } from "~/components/MaterializeLogo";
+import OidcConnectModal from "~/components/OidcConnectModal";
 import { AppConfigSwitch } from "~/config/AppConfigSwitch";
 import EnvironmentSelectField from "~/layouts/EnvironmentSelect";
 import ProfileDropdown from "~/layouts/ProfileDropdown";
@@ -277,6 +278,21 @@ export const NavBar = ({ isCollapsed }: NavBarProps) => {
                 </HideIfEnvironmentDisabled>
               )
             }
+            selfManagedConfigElement={({ appConfig }) =>
+              appConfig.authMode === "Oidc" ? (
+                <HideIfEnvironmentDisabled>
+                  <ConnectMenuItem
+                    isCollapsed={isCollapsed}
+                    width="100%"
+                    onClick={onOpenConnectModal}
+                  />
+                  <OidcConnectModal
+                    onClose={onCloseConnectModal}
+                    isOpen={isConnectModalOpen}
+                  />
+                </HideIfEnvironmentDisabled>
+              ) : null
+            }
           />
         )}
         <ProfileDropdown

console/src/layouts/NavBar/NavMenu.tsx

@@ -23,6 +23,7 @@ import { Location, useLocation } from "react-router-dom";
 import { useCanViewUsage } from "~/api/auth";
 import ConnectModal from "~/components/ConnectModal";
 import FreeTrialNotice from "~/components/FreeTrialNotice";
+import OidcConnectModal from "~/components/OidcConnectModal";
 import { AppConfigSwitch, CloudRuntimeConfig } from "~/config/AppConfigSwitch";
 import { useFlags } from "~/hooks/useFlags";
 import { useIsSuperUser } from "~/hooks/useIsSuperUser";
@@ -305,6 +306,21 @@ const NavMenuMobile = (props: {
                 </HideIfEnvironmentDisabled>
               )
             }
+            selfManagedConfigElement={({ appConfig }) =>
+              appConfig.authMode === "Oidc" ? (
+                <HideIfEnvironmentDisabled>
+                  <ConnectMenuItem
+                    width="100%"
+                    onClick={onOpenConnectModal}
+                    mb={{ base: 0, lg: 6 }}
+                  />
+                  <OidcConnectModal
+                    onClose={onCloseConnectModal}
+                    isOpen={isConnectModalOpen}
+                  />
+                </HideIfEnvironmentDisabled>
+              ) : null
+            }
           />
         </VStack>
       </VStack>

console/src/queries/frontegg.ts

@@ -39,6 +39,7 @@ import {
   UserApiToken,
 } from "~/api/frontegg/types";
 import { User } from "~/external-library-wrappers/frontegg";
+import { obfuscateSecret } from "~/utils/format";
 
 export const fronteggQueryKeys = {
   all: () => buildGlobalQueryKey("frontegg"),
@@ -92,7 +93,7 @@ function formatAppPassword({ clientId, secret }: NewApiToken) {
   const formattedClientId = clientId.replaceAll("-", "");
   const formattedSecret = secret.replaceAll("-", "");
   const password = `mzp_${formattedClientId}${formattedSecret}`;
-  const obfuscatedPassword = `${new Array(password.length).fill("*").join("")}`;
+  const obfuscatedPassword = obfuscateSecret(password);
   return { password, obfuscatedPassword };
 }
 

console/src/utils/format.ts

@@ -11,6 +11,11 @@ import { IPostgresInterval } from "postgres-interval";
 
 import { pluralize } from "~/util";
 
+/** Creates an obfuscated string of asterisks matching the length of the input. */
+export function obfuscateSecret(secret: string): string {
+  return "*".repeat(secret.length);
+}
+
 const kilobyte = 1024n;
 const megabyte = 1024n * 1024n;
 const gigabyte = 1024n * 1024n * 1024n;