Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

INFOPLAT-1562 dynamic expiring auth headers #974

Open
wants to merge 25 commits into
base: main
Choose a base branch
from
Open

INFOPLAT-1562 dynamic expiring auth headers #974

wants to merge 25 commits into from

Conversation

hendoxc
Copy link

@hendoxc hendoxc commented Dec 13, 2024
edited
Loading

INFOPLAT-1560

What

Allows usage of dynamic auth headers by implementing grpc.PerRPCCredentials & setting as a DialOption on the otel client

Why

Makes tokens expire, in the case that one is leaked or intercepted.

  • someone can indeed steal a token, update the timestamp portion of the token, then try send data to the gateway endpoint, however since pubkey bytes + timestamp bytes are what's being signed, the signature part of the token is invalid, and will be rejected by the gateway
  • on the gateway, version 2 tokens have their timestamp part checked time.Now > timestamp > time.Now - serverTTL

Notes

Current users of the client can still configure static headers using the AuthHeaders field of beholder client Config. To enable dynamic headers they instead should configure AuthHeaderProvider

cll-gg
cll-gg reviewed Dec 16, 2024
View reviewed changes
pkg/beholder/auth.go Outdated Show resolved Hide resolved
cll-gg
cll-gg reviewed Dec 16, 2024
View reviewed changes
pkg/beholder/auth.go Outdated Show resolved Hide resolved
4of9
4of9 reviewed Dec 16, 2024
View reviewed changes
pkg/beholder/auth.go Outdated Show resolved Hide resolved
pkg/beholder/auth.go Show resolved Hide resolved
@hendoxc hendoxc mentioned this pull request Dec 17, 2024
Closed
hendoxc and others added 6 commits December 17, 2024 11:14
@hendoxc @4of9
INFOPLAT-1559 Adds auth header token expiry functionality
a2177ac 
- Adds function for signing publickey + timestamp.
- Adjusts `BuildAuthHeaders` to take variadic args allowing backwards compatibiilty

INFOPLAT-1559 Fixes some lint issues

INFOPLAT-1559 Handles edge case of negative timestamps

INFOPLAT-1559 Switches to exposing new function

- go recommended way to add extend a function
- added Config as 2nd arg as opposed to optional args

INFOPLAT-1559 Adjusts `authHeaderVersion2`

- minor refactor of test

INFOPLAT-1559 Tightens time range for test

Update pkg/beholder/auth.go

Co-authored-by: 4of9 <177086174+4of9@users.noreply.github.com>
@hendoxc
INFOPLAT-1559 Removes sleep
c2e1595
@hendoxc
INFOPLAT-1559 Updates test comments
1ef77e8
@hendoxc
INFOPLAT-1560 Adds grpc.PerRPCCredentials implementation
cdb4455 
- allows for dynamic headers auth tokens to be used in GRPC request headers
- auto refreshes the token on interval
@hendoxc
INFOPLAT-1560 Adds AuthHeaderProvider to beholder client config
c2a542e
@hendoxc
INFOPLAT-1560 Allows AuthHeaderProvider to be used instead of stati…
e40e8fd 
…c `AuthHeaders`

Need this for migration of existing usage - current users of beholder can still use never verions while using static headers, but can make the switch across to setting `AuthHeaderProvider`
@hendoxc hendoxc force-pushed the INFOPLAT-1562-dynamic-expiring-auth-headers branch from 2ed4940 to e40e8fd Compare December 17, 2024 18:18
@hendoxc
INFOPLAT-1560 Update refresh logic
4dfa84f 
bit more clear conceptually
@hendoxc
INFOPLAT-1560 Makes refresh thread safe
88e9813 
protects against concurrent calls of `refresh`

INFOPLAT-1560 Makes `refresh` thread safe
@hendoxc
INFOPLAT-1560 Makes RequireTransportSecurity configurable
83ef2a4
@hendoxc
INFOPLAT-1560 Fixes tests
5acee42
@hendoxc hendoxc dismissed stale reviews from pkcll and 4of9 via d895532 December 20, 2024 19:10
pkcll
pkcll previously approved these changes Dec 20, 2024
View reviewed changes
@hendoxc hendoxc requested a review from a team as a code owner December 23, 2024 17:42
@hendoxc hendoxc requested a review from Atrax1 December 23, 2024 17:42
@hendoxc hendoxc requested review from 4of9 and pkcll December 23, 2024 17:43
@hendoxc
Revert "INFOPLAT-1562 Reconfigure loop configs to use AuthHeaderProvi…
2bb5c5c 
…der"

This reverts commit aae9c45.
@hendoxc
INFOPLAT1-1562 Reconfigures loops to use AuthHeaderProvider
963f8c3 
keeps old struct fields, to not break build. Will circle back to removing them one, this PR has been integrated into chainlink node
@hendoxc hendoxc deployed to integration December 23, 2024 18:14 — with GitHub Actions Active
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jmank88 jmank88 jmank88 left review comments

@cll-gg cll-gg Awaiting requested review from cll-gg

@Atrax1 Atrax1 Awaiting requested review from Atrax1 Atrax1 is a code owner automatically assigned from smartcontractkit/foundations

@4of9 4of9 Awaiting requested review from 4of9

@pkcll pkcll Awaiting requested review from pkcll

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@hendoxc @jmank88 @cll-gg @4of9 @pkcll