Paths

Table of Contentst

-
services/reports/src/
-
reports/
-
src/
1
service.rs

[reports-service] Obtain service-to-service token for anonymous requests
ClosedPublic
Actions

Authored by bartek on Sep 25 2023, 5:54 AM.

Details

Reviewers

michal
varun
• jon

Commits

rCOMMd720180112f1: [reports-service] Obtain service-to-service token for anonymous requests

Summary

For reports service, we need to support both authenticated and anonymous requests. For authenticated requests, we can obtain the client token from the request context. For anonymous requests, we need to obtain the service-to-service token from the AuthService.

Depends on D9281

Test Plan

Used Postman to call reports service. When provided UserIdentity token, it passed it through to Blob service. When not provided, it obtained the service-to-service token and passed it through to Blob service.
When called with service-to-service token, it returned HTTP 403 - we don't expect reports service to be called by other services.

Diff Detail

Repository

rCOMM Comm

Lint

No Lint Coverage

Unit

No Test Coverage

Event Timeline

bartek created this revision.Sep 25 2023, 5:54 AM

bartek held this revision as a draft.

Herald added a reviewer: • jon. · View Herald TranscriptSep 25 2023, 5:54 AM

Herald added subscribers: tomek, ashoat. · View Herald Transcript

bartek added a child revision: D9283: [services-lib] Call token verification in HTTP auth middleware.Sep 25 2023, 5:55 AM

Harbormaster failed remote builds in B22821: Diff 31391!Sep 25 2023, 5:56 AM

Rebase

Harbormaster completed remote builds in B22825: Diff 31395.Sep 25 2023, 6:22 AM

bartek published this revision for review.Sep 25 2023, 6:40 AM

michal added inline comments.Sep 26 2023, 2:16 AM

services/reports/src/service.rs
237–261 ↗	(On Diff #31395)	Do you think it would make sense to move this into authorization middleware? So you can specify something like .wrap(get_comm_authentication_middleware(AllowedAuth::user())) // or .wrap(get_comm_authentication_middleware(AllowedAuth::unauthorized())) // -> this would insert `AuthorizationCredential` with service token automatically // or .wrap(get_comm_authentication_middleware(AllowedAuth::services().user())) I don't remember exactly what the API for the reports service is, but right now this diff would allow everyone to "authenticate" to the reports service by just not providing credentials (and get the service token by default). This should probably be scoped per (group of) endpoints.

bartek added inline comments.Oct 2 2023, 6:19 AM

services/reports/src/service.rs
237–261 ↗	(On Diff #31395)	I played with various solutions a bit (spent a little too long on this). Your suggestion makes sense in case of API, and looks like it is doable. However, regarding having protected and unprotected endpoints: right now this diff would allow everyone to "authenticate" to the reports service by just not providing credentials (and get the service token by default). This should probably be scoped per (group of) endpoints. This is expected, we don't authenticate endpoints yet because we don't have client token. However, this code works well with your existing auth middleware - endpoints wrapped with it will return 401 even before this code is executed. so in the future, when we have client token, doing the following will work: let auth_middleware = get_comm_authentication_middleware(); // this will require client token and fail if not provided web::scope("/authenticated") .wrap(auth_middleware) .service(...) // this will accept both authenticated and anonymous requests. // for the latter, service-to-service token will be obtained web::scope("/anonymous") // .wrap(auth_middleware) // no wrap .service(...) To conclude, I might refactor to look more as you suggested, but it makes more sense to do it later when we have client token available (2nd part of my task that is currently blocked). I can create a follow up task for this if you wish

michal accepted this revision.Oct 2 2023, 6:43 AM

michal added inline comments.

services/reports/src/service.rs
237–261 ↗	(On Diff #31395)	Makes sense, I got confused a bit

This revision is now accepted and ready to land.Oct 2 2023, 6:43 AM

Closed by commit rCOMMd720180112f1: [reports-service] Obtain service-to-service token for anonymous requests (authored by bartek). · Explain WhyOct 2 2023, 6:53 AM

This revision was automatically updated to reflect the committed changes.

bartek added a commit: rCOMMd720180112f1: [reports-service] Obtain service-to-service token for anonymous requests.

Revision Contents
Changeset List

Path

Size

services/

reports/

src/

service.rs

83 lines

Diff 31391

View Options

services/reports/src/service.rs

Show First 20 Lines • Show All 55 Lines • ▼ Show 20 Lines	networks:
- services-net		- services-net
build:		build:
dockerfile: services/identity/Dockerfile		dockerfile: services/identity/Dockerfile
context: ../		context: ../
image: commapp/identity-server:0.1		image: commapp/identity-server:0.1
container_name: identity-server		container_name: identity-server
ports:		ports:
- "${COMM_SERVICES_PORT_IDENTITY}:50051"		- "${COMM_SERVICES_PORT_IDENTITY}:50051"
		# localstack
		localstack:
		image: localstack/localstack
		container_name: localstack
		hostname: localstack
		ports:
		- "4566:4566"
		environment:
		- SERVICES=s3,dynamodb
		- DATA_DIR=${TMPDIR}/localstack/data
		- HOSTNAME_EXTERNAL=localstack
		volumes:
		jimUnsubmitted Not Done Inline Actions Why bind mount a temp directory instead of using a data volume? It's just gonna create issues with permissions. Also ${TMPDIR} is not used to refer to a path in both the host and the container which is a bad idea. jim: Why bind mount a temp directory instead of using a data volume? It's just gonna create issues…
		- ${TMPDIR}:/tmp/localstack
		networks:
		- services-net

[reports-service] Obtain service-to-service token for anonymous requestsClosedPublicActions