[keyserver] Authorize blob service requests
ClosedPublic
Actions

Authored by bartek on Feb 1 2024, 1:30 AM.

Details

Reviewers

tomek
marcin
michal

Commits

rCOMMc98884624359: [keyserver] Authorize blob service requests

Summary

Resolves ENG-6287.
Added Authorization header to blob service requests.

Test Plan

Called all these blob functions in "main" keyserver.js. In blob service handlers, I added the following:

#[instrument(name = "assign_holder", skip(service))]
pub async fn assign_holder_handler(
  // ...
  auth: comm_lib::auth::AuthorizationCredential,
) -> actix_web::Result<HttpResponse> {
  info!(?auth, "Assign holder request");
  // ...

And checked the logs to see that the auth struct was populated with the correct data from the keyserver.

Diff Detail

Repository

rCOMM Comm

Lint

No Lint Coverage

Unit

No Test Coverage

Event Timeline

bartek created this revision.Feb 1 2024, 1:30 AM

bartek held this revision as a draft.

Herald added a subscriber: ashoat. · View Herald TranscriptFeb 1 2024, 1:30 AM

Harbormaster failed remote builds in B26400: Diff 36502!Feb 1 2024, 1:41 AM

Rebase

Harbormaster completed remote builds in B26402: Diff 36504.Feb 1 2024, 2:05 AM

bartek published this revision for review.Feb 1 2024, 2:08 AM

bartek added inline comments.

keyserver/src/services/blob.js
20 ↗	(On Diff #36504)	This is on purpose NOT `$ReadOnly` - seems like `fetch()` doesn't like the plus sign 😛
lib/utils/services-utils.js
17 ↗	(On Diff #36504)	I really don't like passing this param all the time but haven't got any better idea than possibly this: Create higher-order-function (curry this one) in `lib`: `const httpAuthorizationHeaderFactoryFn = b64encodeFn => authMetadata => { ... }` For each platform create `{keyserver,native,web}/utils/some-utils.js` with keyserver: `const createHTTPAuthorizationHeader = httpAuthorizationHeaderFactoryFn(the_above_Buffer_from_fn);` native: `const createHTTPAuthorizationHeader = httpAuthorizationHeaderFactoryFn(some_fns_from_commUtilsModule);` web: `const createHTTPAuthorizationHeader = httpAuthorizationHeaderFactoryFn(btoa);` But the above is still not perfect. Let's assume I want to add another utility function on top of this one: function createDefaultHTTPHeaders(authMetadata: AuthMetadata): { [string]: string } { const authorizationValue = createHTTPAuthorizationHeader(authMetadata); return { Authorization: authorizationValue, }; } I'd have to repeat this function 3 times per platform, or curry the same way as the original: `const defaultHTTPHeadersFactory = authHeaderFn => authMetadata => { ... }`

bartek added a child revision: D10909: [lib] Add hook for easy access to CSAT.Feb 1 2024, 4:04 AM

bartek mentioned this in D10910: [native] Pass CSAT to Blob service when fetching multimedia.Feb 1 2024, 4:09 AM

bartek mentioned this in D10913: [native][web] Add AuthMetadata to Blob service upload actions.Feb 1 2024, 5:42 AM

tomek accepted this revision.Feb 1 2024, 5:56 AM

tomek added inline comments.

lib/utils/services-utils.js
17 ↗	(On Diff #36504)	Not sure if we can elegantly solve this. Maybe some platform-specific config might help... not sure if it is worth it.

This revision is now accepted and ready to land.Feb 1 2024, 5:56 AM

bartek added inline comments.Feb 1 2024, 6:05 AM

lib/utils/services-utils.js
17 ↗	(On Diff #36504)	Probably I'll have to add the js-only base-64 dependency to lib. I worked around passing callback to multimedia endpoints, but reports stuff is mostly lib-only so no good way of doing it. The library is slower than platform-specific APIs I mentioned above, but Authorization header isn't too much data so performance shouldn't hurt