Add support for multiple preshared keys #537
Conversation
github-actions
bot
added
area/CLI
josephschorr
force-pushed
the
preshared-keys
branch
from
8586263
to
6448574
Compare
pkg/cmd/server/server.go
Outdated
| @@ -339,7 +352,7 @@ type completedServerConfig struct { | |||
|
|
|||
| unaryMiddleware []grpc.UnaryServerInterceptor | |||
| streamingMiddleware []grpc.StreamServerInterceptor | |||
| presharedKey string | |||
| presharedKey []string | |||
There was a problem hiding this comment.
presharedKey => presharedKeys
pkg/cmd/server/server.go
Outdated
| @@ -103,7 +103,11 @@ func (c *Config) Complete() (RunnableServer, error) { | |||
| } | |||
|
|
|||
| if c.GRPCAuthFunc == nil { | |||
| log.Trace().Int("preshared-key-length", len(c.PresharedKey)).Msg("using gRPC auth with preshared key") | |||
| log.Trace().Int("preshared-keys", len(c.PresharedKey)).Msg("using gRPC auth with preshared key(s)") | |||
pkg/cmd/server/server.go
Outdated
| @@ -141,10 +145,15 @@ func (c *Config) Complete() (RunnableServer, error) { | |||
| return nil, fmt.Errorf("failed to create dispatcher: %w", cerr) | |||
| } | |||
|
|
|||
| presharedKey := "" | |||
There was a problem hiding this comment.
used dispatchPresharedKey
| @@ -141,10 +145,15 @@ func (c *Config) Complete() (RunnableServer, error) { | |||
| return nil, fmt.Errorf("failed to create dispatcher: %w", cerr) | |||
| } | |||
|
|
|||
| presharedKey := "" | |||
| if len(c.PresharedKey) > 0 { | |||
There was a problem hiding this comment.
Why check this? Shouldn't it error before here if len(c.PresharedKeys) == 0?
There was a problem hiding this comment.
Not if no keys were given; remember: preshared keys are ignored if a custom auth function is specified
There was a problem hiding this comment.
Oh, gotcha.
I wonder if it makes more sense to hoist this up to where all of the other preshared key logic is.
| require.NoError(err) | ||
| require.Equal(healthpb.HealthCheckResponse_SERVING, resp.GetStatus()) | ||
|
|
||
| client := v1alpha1.NewSchemaServiceClient(conn) |
| var conn *grpc.ClientConn | ||
| var err error | ||
| if key == "" { | ||
| conn, err = grpc.Dial(fmt.Sprintf("localhost:%s", tester.port), grpc.WithTransportCredentials(insecure.NewCredentials())) | ||
| } else { | ||
| conn, err = grpc.Dial(fmt.Sprintf("localhost:%s", tester.port), | ||
| grpc.WithInsecure(), | ||
| grpcutil.WithInsecureBearerToken(key), | ||
| ) | ||
| } |
There was a problem hiding this comment.
opts := []grpc.DialOption{grpc.WithTransportCredentials(insecure.NewCredentials())}
if key != "" {
opts = append(opts, grpcutil.WithInsecureBearerToken(key))
}
conn, err := grpc.Dial(fmt.Sprintf("localhost:%s", tester.port), opts...)
josephschorr
force-pushed
the
preshared-keys
branch
3 times, most recently
from
9439f23
to
caa0998
Compare
josephschorr
force-pushed
the
preshared-keys
branch
3 times, most recently
from
6a8a912
to
a8bad15
Compare
.github/workflows/build-test.yaml
Outdated
| - uses: "docker/build-push-action@v1" | ||
| with: | ||
| push: false | ||
| tags: "currentpr" |
There was a problem hiding this comment.
make this dev instead of currentpr
There was a problem hiding this comment.
dev has a risk of overloading with a, well, development image. I wanted to be explicitly different from all other contexts
.github/workflows/build-test.yaml
Outdated
| @@ -50,7 +50,10 @@ jobs: | |||
| - uses: "actions/setup-go@v3" | |||
| with: | |||
| go-version: "^1.17" | |||
| - uses: "authzed/actions/docker-build@main" | |||
| - uses: "docker/build-push-action@v1" | |||
There was a problem hiding this comment.
probably need to rename this job
image-build => docker-tests
Build Container Image => Build & Test Container Image
There was a problem hiding this comment.
If we do, it'll break the CI submit checks, so I left it as is (unless we should change those too)
There was a problem hiding this comment.
It's really easy to change them. I'd rather spend two seconds in the GitHub settings than live with names and descriptions of things that don't make sense.
| tester, err := newTester(t, | ||
| &dockertest.RunOptions{ | ||
| Repository: "authzed/spicedb", | ||
| Tag: "currentpr", |
| opts = append(opts, grpcutil.WithInsecureBearerToken(key)) | ||
| } | ||
| conn, err := grpc.Dial(fmt.Sprintf("localhost:%s", tester.port), opts...) | ||
|
|
| require.NoError(err) | ||
| defer conn.Close() | ||
|
|
||
| resp, err := healthpb.NewHealthClient(conn).Check(context.Background(), &healthpb.HealthCheckRequest{Service: "authzed.api.v1alpha1.SchemaService"}) |
There was a problem hiding this comment.
This is against v1alpha1, but then you use v1
There was a problem hiding this comment.
Its mostly to make sure the service is running at all, but I can change it
| } else { | ||
| s, ok := status.FromError(err) | ||
| require.True(ok) | ||
| require.Equal(codes.Unknown, s.Code()) |
There was a problem hiding this comment.
Shouldn't this be codes.Unauthenticated?
There was a problem hiding this comment.
Currently, we don't return that code if the key does not match
| @@ -29,7 +29,7 @@ func TestTestServer(t *testing.T) { | |||
| tester, err := newTester(t, | |||
| &dockertest.RunOptions{ | |||
| Repository: "authzed/spicedb", | |||
| Tag: "latest", | |||
| Tag: "currentpr", | |||
| client := v1.NewSchemaServiceClient(conn) | ||
| _, err = client.WriteSchema(context.Background(), &v1.WriteSchemaRequest{ | ||
| Schema: ` | ||
| definition user {} |
There was a problem hiding this comment.
Why not use a simpler schema? It's not really relevant to the test
There was a problem hiding this comment.
Copy-pasted it; I can make it simpler, but it wasn't a big deal to change either way
| @@ -141,10 +145,15 @@ func (c *Config) Complete() (RunnableServer, error) { | |||
| return nil, fmt.Errorf("failed to create dispatcher: %w", cerr) | |||
| } | |||
|
|
|||
| presharedKey := "" | |||
| if len(c.PresharedKey) > 0 { | |||
There was a problem hiding this comment.
Oh, gotcha.
I wonder if it makes more sense to hoist this up to where all of the other preshared key logic is.
josephschorr
force-pushed
the
preshared-keys
branch
3 times, most recently
from
0d2d311
to
0652856
Compare
Fixes AUTHZ-500
… prevent pulling the normal image accidentally
jzelinskie
force-pushed
the
preshared-keys
branch
from
0652856
to
8c0659f
Compare
Fixes #288
Fixes AUTHZ-500