-
Notifications
You must be signed in to change notification settings - Fork 246
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for multiple preshared keys #537
Conversation
8586263
to
6448574
Compare
pkg/cmd/server/server.go
Outdated
@@ -339,7 +352,7 @@ type completedServerConfig struct { | |||
|
|||
unaryMiddleware []grpc.UnaryServerInterceptor | |||
streamingMiddleware []grpc.StreamServerInterceptor | |||
presharedKey string | |||
presharedKey []string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
presharedKey => presharedKeys
pkg/cmd/server/server.go
Outdated
@@ -103,7 +103,11 @@ func (c *Config) Complete() (RunnableServer, error) { | |||
} | |||
|
|||
if c.GRPCAuthFunc == nil { | |||
log.Trace().Int("preshared-key-length", len(c.PresharedKey)).Msg("using gRPC auth with preshared key") | |||
log.Trace().Int("preshared-keys", len(c.PresharedKey)).Msg("using gRPC auth with preshared key(s)") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
preshared-keys-count
pkg/cmd/server/server.go
Outdated
@@ -141,10 +145,15 @@ func (c *Config) Complete() (RunnableServer, error) { | |||
return nil, fmt.Errorf("failed to create dispatcher: %w", cerr) | |||
} | |||
|
|||
presharedKey := "" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
presharedKey => dispatchKey
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
used dispatchPresharedKey
@@ -141,10 +145,15 @@ func (c *Config) Complete() (RunnableServer, error) { | |||
return nil, fmt.Errorf("failed to create dispatcher: %w", cerr) | |||
} | |||
|
|||
presharedKey := "" | |||
if len(c.PresharedKey) > 0 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why check this? Shouldn't it error before here if len(c.PresharedKeys) == 0
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not if no keys were given; remember: preshared keys are ignored if a custom auth function is specified
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, gotcha.
I wonder if it makes more sense to hoist this up to where all of the other preshared key logic is.
require.NoError(err) | ||
require.Equal(healthpb.HealthCheckResponse_SERVING, resp.GetStatus()) | ||
|
||
client := v1alpha1.NewSchemaServiceClient(conn) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why not use v1?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Copy paste
var conn *grpc.ClientConn | ||
var err error | ||
if key == "" { | ||
conn, err = grpc.Dial(fmt.Sprintf("localhost:%s", tester.port), grpc.WithTransportCredentials(insecure.NewCredentials())) | ||
} else { | ||
conn, err = grpc.Dial(fmt.Sprintf("localhost:%s", tester.port), | ||
grpc.WithInsecure(), | ||
grpcutil.WithInsecureBearerToken(key), | ||
) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
opts := []grpc.DialOption{grpc.WithTransportCredentials(insecure.NewCredentials())}
if key != "" {
opts = append(opts, grpcutil.WithInsecureBearerToken(key))
}
conn, err := grpc.Dial(fmt.Sprintf("localhost:%s", tester.port), opts...)
9439f23
to
caa0998
Compare
6a8a912
to
a8bad15
Compare
.github/workflows/build-test.yaml
Outdated
- uses: "docker/build-push-action@v1" | ||
with: | ||
push: false | ||
tags: "currentpr" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
make this dev
instead of currentpr
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
dev
has a risk of overloading with a, well, development image. I wanted to be explicitly different from all other contexts
.github/workflows/build-test.yaml
Outdated
@@ -50,7 +50,10 @@ jobs: | |||
- uses: "actions/setup-go@v3" | |||
with: | |||
go-version: "^1.17" | |||
- uses: "authzed/actions/docker-build@main" | |||
- uses: "docker/build-push-action@v1" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
probably need to rename this job
image-build
=> docker-tests
Build Container Image
=> Build & Test Container Image
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we do, it'll break the CI submit checks, so I left it as is (unless we should change those too)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's really easy to change them. I'd rather spend two seconds in the GitHub settings than live with names and descriptions of things that don't make sense.
tester, err := newTester(t, | ||
&dockertest.RunOptions{ | ||
Repository: "authzed/spicedb", | ||
Tag: "currentpr", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
dev
opts = append(opts, grpcutil.WithInsecureBearerToken(key)) | ||
} | ||
conn, err := grpc.Dial(fmt.Sprintf("localhost:%s", tester.port), opts...) | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why the new line here?
require.NoError(err) | ||
defer conn.Close() | ||
|
||
resp, err := healthpb.NewHealthClient(conn).Check(context.Background(), &healthpb.HealthCheckRequest{Service: "authzed.api.v1alpha1.SchemaService"}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is against v1alpha1, but then you use v1
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Its mostly to make sure the service is running at all, but I can change it
} else { | ||
s, ok := status.FromError(err) | ||
require.True(ok) | ||
require.Equal(codes.Unknown, s.Code()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't this be codes.Unauthenticated
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Currently, we don't return that code if the key does not match
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
that seems... like a bug
@@ -29,7 +29,7 @@ func TestTestServer(t *testing.T) { | |||
tester, err := newTester(t, | |||
&dockertest.RunOptions{ | |||
Repository: "authzed/spicedb", | |||
Tag: "latest", | |||
Tag: "currentpr", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
dev
client := v1.NewSchemaServiceClient(conn) | ||
_, err = client.WriteSchema(context.Background(), &v1.WriteSchemaRequest{ | ||
Schema: ` | ||
definition user {} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why not use a simpler schema? It's not really relevant to the test
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Copy-pasted it; I can make it simpler, but it wasn't a big deal to change either way
@@ -141,10 +145,15 @@ func (c *Config) Complete() (RunnableServer, error) { | |||
return nil, fmt.Errorf("failed to create dispatcher: %w", cerr) | |||
} | |||
|
|||
presharedKey := "" | |||
if len(c.PresharedKey) > 0 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, gotcha.
I wonder if it makes more sense to hoist this up to where all of the other preshared key logic is.
0d2d311
to
0652856
Compare
Fixes AUTHZ-500
… prevent pulling the normal image accidentally
0652856
to
8c0659f
Compare
Fixes #288
Fixes AUTHZ-500