Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Custom jwt http ACL policy #114

Conversation

austenLacy
Copy link

@austenLacy austenLacy commented Aug 1, 2023

What

Adds a custom shopify JWT http ACL policy. It works by checking for a JWT token from header in the request and verifying that it's a valid JWT generated by Shopify. It also adds a configurable authorization service that validates a Shopify employee belongs to a declarative list of groups.

Manual testing

Verify it denies access if no token

spin@localhost:~/src/github.com/Shopify/vitess$ curl localhost:15100/debug/env
Access denied: not allowed: shopify_jwt security_policy enforced

Verify it works with a valid token

spin@localhost:~/src/github.com/Shopify/curl -H 'TOKEN_HEADER_HERE '"$TOKEN"'' localhost:15100/debug/env
<!DOCTYPE html>
        <h3>Internal Variables</h3>

        <table class="gridtable">

        <thead><tr>
                <th>Variable Name</th>
                <th>Value</th>
                <th>Action</th>
        </tr></thead>

        <tr><form method="POST">
                <td>PoolSize</td>
                <td>
                        <input type="hidden" name="varname" value="PoolSize"></input>
                        <input type="text" name="value" value="16"></input>
... # cut off for brevity

Verify a malformed JWT denies access

spin@localhost:~/src/github.com/Shopify/vitess$ curl -H 'TOKEN_HEADER_HERE foobar' localhost:15100/debug/env
Access denied: failed to parse JWT token: token is malformed: token contains an invalid number of segments

Verify an invalid JWT denies access

spin@localhost:~/src/github.com/Shopify/vitess$ curl -H 'TOKEN_HEADER_HERE '"$BAD_TOKEN"'' localhost:15100/debug/env
Access denied: failed to parse JWT token: token is unverifiable: error while executing keyfunc: the JWT has an invalid kid: could not find kid in JWT header

@austenLacy austenLacy changed the base branch from main to v15.0.3-shopify-4 August 1, 2023 18:48
@austenLacy austenLacy force-pushed the austenlacy/vitess-project-345/custom-http-acl-policy branch 2 times, most recently from d0dc688 to f218a39 Compare August 1, 2023 19:17
@austenLacy austenLacy force-pushed the austenlacy/vitess-project-345/custom-http-acl-policy branch from ffc1444 to 40957d3 Compare August 1, 2023 20:51
@austenLacy austenLacy changed the title Custom Minerva http ACL policy Custom jwt http ACL policy Aug 1, 2023
@austenLacy austenLacy force-pushed the austenlacy/vitess-project-345/custom-http-acl-policy branch 4 times, most recently from 7b49ea4 to 2dcc33b Compare August 1, 2023 20:58
@austenLacy austenLacy changed the title Custom jwt http ACL policy [DRAFT] Custom jwt http ACL policy Aug 7, 2023
@austenLacy austenLacy changed the title [DRAFT] Custom jwt http ACL policy Custom jwt http ACL policy Aug 28, 2023
@austenLacy austenLacy marked this pull request as ready for review August 28, 2023 14:05
@austenLacy austenLacy changed the base branch from v15.0.3-shopify-4 to v15.0.3-shopify-6 August 28, 2023 15:04
Signed-off-by: Austen Lacy <austen.lacy@shopify.com>
@austenLacy austenLacy force-pushed the austenlacy/vitess-project-345/custom-http-acl-policy branch from 2dcc33b to 4d1cf29 Compare August 28, 2023 15:07
Signed-off-by: Austen Lacy <austen.lacy@shopify.com>
@github-actions
Copy link

This PR is being marked as stale because it has been open for 30 days with no activity. To rectify, you may do any of the following:

  • Push additional commits to the associated branch.
  • Remove the stale label.
  • Add a comment indicating why it is not stale.

If no action is taken within 7 days, this PR will be closed.

@github-actions github-actions bot added the Stale label Sep 29, 2023
@github-actions
Copy link

github-actions bot commented Oct 6, 2023

This PR was closed because it has been stale for 7 days with no activity.

@github-actions github-actions bot closed this Oct 6, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Bug Report: DELETE FROM <sequence table> fails with does not have a primary vindex
1 participant