Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

INFOPLAT-1562 dynamic expiring auth headers #974

Open
wants to merge 28 commits into
base: main
Choose a base branch
from
Open

INFOPLAT-1562 dynamic expiring auth headers #974

wants to merge 28 commits into from
+408 −19

Conversation

hendoxc
Copy link

@hendoxc hendoxc commented Dec 13, 2024
edited
Loading

INFOPLAT-1560

What

Allows usage of dynamic auth headers by implementing grpc.PerRPCCredentials & setting as a DialOption on the otel client

Why

Makes tokens expire, in the case that one is leaked or intercepted.

  • someone can indeed steal a token, update the timestamp portion of the token, then try send data to the gateway endpoint, however since pubkey bytes + timestamp bytes are what's being signed, the signature part of the token is invalid, and will be rejected by the gateway
  • on the gateway, version 2 tokens have their timestamp part checked time.Now > timestamp > time.Now - serverTTL

Notes

Current users of the client can still configure static headers using the AuthHeaders field of beholder client Config. To enable dynamic headers they instead should configure AuthHeaderProvider

cll-gg
cll-gg reviewed Dec 16, 2024
View reviewed changes
pkg/beholder/auth.go Outdated Show resolved Hide resolved
cll-gg
cll-gg reviewed Dec 16, 2024
View reviewed changes
pkg/beholder/auth.go Outdated Show resolved Hide resolved
cll-gg
cll-gg reviewed Dec 16, 2024
View reviewed changes
pkg/beholder/auth.go Outdated Show resolved Hide resolved
4of9
4of9 reviewed Dec 16, 2024
View reviewed changes
pkg/beholder/auth.go Outdated Show resolved Hide resolved
pkg/beholder/auth.go Outdated Show resolved Hide resolved
@hendoxc hendoxc mentioned this pull request Dec 17, 2024
Closed
hendoxc and others added 6 commits December 17, 2024 11:14
@hendoxc @4of9
INFOPLAT-1559 Adds auth header token expiry functionality
a2177ac 
- Adds function for signing publickey + timestamp.
- Adjusts `BuildAuthHeaders` to take variadic args allowing backwards compatibiilty

INFOPLAT-1559 Fixes some lint issues

INFOPLAT-1559 Handles edge case of negative timestamps

INFOPLAT-1559 Switches to exposing new function

- go recommended way to add extend a function
- added Config as 2nd arg as opposed to optional args

INFOPLAT-1559 Adjusts `authHeaderVersion2`

- minor refactor of test

INFOPLAT-1559 Tightens time range for test

Update pkg/beholder/auth.go

Co-authored-by: 4of9 <177086174+4of9@users.noreply.github.com>
@hendoxc
INFOPLAT-1559 Removes sleep
c2e1595
@hendoxc
INFOPLAT-1559 Updates test comments
1ef77e8
@hendoxc
INFOPLAT-1560 Adds grpc.PerRPCCredentials implementation
cdb4455 
- allows for dynamic headers auth tokens to be used in GRPC request headers
- auto refreshes the token on interval
@hendoxc
INFOPLAT-1560 Adds AuthHeaderProvider to beholder client config
c2a542e
@hendoxc
INFOPLAT-1560 Allows AuthHeaderProvider to be used instead of stati…
e40e8fd 
…c `AuthHeaders`

Need this for migration of existing usage - current users of beholder can still use never verions while using static headers, but can make the switch across to setting `AuthHeaderProvider`
@hendoxc hendoxc force-pushed the INFOPLAT-1562-dynamic-expiring-auth-headers branch from 2ed4940 to e40e8fd Compare December 17, 2024 18:18
@hendoxc
INFOPLAT-1560 Update refresh logic
4dfa84f 
bit more clear conceptually
@hendoxc
INFOPLAT-1560 Makes refresh thread safe
88e9813 
protects against concurrent calls of `refresh`

INFOPLAT-1560 Makes `refresh` thread safe
@hendoxc
INFOPLAT-1560 Makes RequireTransportSecurity configurable
83ef2a4
@hendoxc
INFOPLAT-1560 Fixes tests
5acee42
@hendoxc hendoxc dismissed stale reviews from cll-gg and 4of9 via f196c1a January 8, 2025 20:00
@hendoxc hendoxc force-pushed the INFOPLAT-1562-dynamic-expiring-auth-headers branch from f196c1a to 2bb5c5c Compare January 8, 2025 20:12
patrickhuie19
patrickhuie19 reviewed Jan 9, 2025
View reviewed changes
pkg/beholder/auth.go Outdated

// authHeaderPerRPCredentials is a PerRPCCredentials implementation that provides the auth headers
type authHeaderPerRPCCredentials struct {
privKey ed25519.PrivateKey
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Passing a private key around will make eventual isolation of the keystore difficult. If possible, I'd like to see us use the keystore directly here

hendoxc added 2 commits January 9, 2025 12:03
@hendoxc
INFOPLAT-1562 Adjusts authHeaderPerRPCCredentials to have configura…
fff5b5f 
…ble refresh

refersh mechanism is configurable such that it can be used in loops where gRPC calls back to the core node.

On the core node itself, the csa private key is accessible though the keystore, so we can just call `BuildAuthHeadersV2`
@hendoxc
Merge branch 'INFOPLAT-1562-dynamic-expiring-auth-headers' of github.…
d567ef5 
…com:smartcontractkit/chainlink-common into INFOPLAT-1562-dynamic-expiring-auth-headers
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@patrickhuie19 patrickhuie19 patrickhuie19 left review comments

@jmank88 jmank88 jmank88 left review comments

@cll-gg cll-gg cll-gg left review comments

@Atrax1 Atrax1 Awaiting requested review from Atrax1 Atrax1 was automatically assigned from smartcontractkit/foundations

@pkcll pkcll Awaiting requested review from pkcll

@4of9 4of9 Awaiting requested review from 4of9

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@hendoxc @jmank88 @patrickhuie19 @cll-gg @4of9 @pkcll