Add ephemeral admin certificates with step-ca#4846
Greptile Summary: This PR adds ephemeral admin certificates via an external CA (step-ca) so admins can receive short-lived mTLS certs issued through OIDC instead of shipping long-lived

Confidence Score: 5/5. Safe to merge. The ephemeral cert acquisition, caching, validation, and renewal paths are all correctly implemented; the static admin path is unchanged. The new code handles all the tricky edge cases well: atomic cache writes via temp-dir rename, POSIX file locking to serialize provider calls, chain-to-rootCA validation before accepting any issued cert, correct ordering of cell reset and re-authentication after renewal, and defensive parsing of cert validity throughout the clone-guard path. No logic bugs were found in any of the changed files. No files require special attention. The two observations (hardcoded RSA 2048 key parameters and unfiltered subprocess stderr) are minor design-level points that do not affect correctness or security.
Sequence Diagram

```mermaid
%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant Admin as Admin CLI
    participant Cache as Cert Cache (~/.nvflare)
    participant StepCA as step-ca (OIDC)
    participant FLARE as FLARE Server
    Admin->>Admin: AdminAPI.__init__() → ensure_client_cert_valid()
    Admin->>Cache: acquire POSIX flock (LOCK_EX)
    Cache-->>Admin: no valid cached cert
    Admin->>StepCA: step ca certificate (OIDC browser flow)
    StepCA-->>Admin: client.crt + client.key
    Admin->>Admin: validate chain to rootCA.pem, verify key match, CN, org, role
    Admin->>Cache: store under ~/.nvflare/ephemeral_admin_certs/hash/ns/
    Admin->>Cache: release flock
    Admin->>FLARE: connect() mTLS with new cert
    FLARE-->>Admin: mTLS OK
    Admin->>FLARE: CERT_LOGIN (HCI)
    FLARE-->>Admin: session token
    Note over Admin,FLARE: Submit job
    Admin->>Admin: ensure_client_cert_valid() (renewal window check)
    Admin->>Admin: sign_folders embeds client.crt as .__nvfl_submitter.crt
    Admin->>FLARE: submit_job --ephemeral-admin-cert zip
    FLARE->>FLARE: _submitter_cert_validity(zip) extracts not_before/not_after
    FLARE->>FLARE: store SUBMITTER_CERT_VALIDITY in job meta
    Note over Admin,FLARE: Clone job (later)
    Admin->>FLARE: clone_job
    FLARE->>FLARE: _clone_signature_error() checks now vs not_before/not_after
    alt cert still valid
        FLARE-->>Admin: clone created, SUBMITTER_CERT_VALIDITY propagated
    else cert expired
        FLARE-->>Admin: error: download and resubmit
    end
```
Codecov Report
❌ Patch coverage is
Additional details and impacted files:

```
@@ Coverage Diff @@
##             main    #4846      +/-   ##
==========================================
+ Coverage   56.53%   56.77%   +0.24%
==========================================
  Files         969      972       +3
  Lines       92261    92764     +503
==========================================
+ Hits        52161    52669     +508
+ Misses      40100    40095       -5
```
Follow-up on the updated Greptile summary:
Validation:

Addressed the updated Greptile compatibility finding in
Validation:

Addressed the latest Greptile summary nits in
Validation:

Addressed the latest Greptile summary finding in
Validation:

Addressed the latest Greptile summary cleanup in
Validation:
Summary

- ephemeral_admin_cert provisioning for startup kits without long-lived admin keys
- step_ca provider

Security model

The external certificate provider authenticates the admin and issues a short-lived certificate chain rooted in the FLARE project CA. FLARE validates the chain, certificate validity, key match, identity, organization, and role before use. The server and clients continue to rely on the existing admin certificate login, authorization, and job-signature verification paths; no OIDC tokens are introduced into those components.

The built-in step-ca adapter invokes the step CLI. step-ca owns OIDC login and claim-to-certificate mapping. Valid credentials are cached per OS user until they enter the renewal window, avoiding a browser flow for every CLI command.

Compatibility

Static admins remain unchanged and can coexist with ephemeral admin kits in the same project.yml. Ephemeral kits omit client.crt and client.key; the authenticated identity, organization, and FLARE role come from the issued certificate.