D9279.diff
No OneTemporary
Actions

Size

8 KB

Referenced Files

None

Subscribers

None

D9279.diff
View Options

	diff --git a/services/backup/Cargo.lock b/services/backup/Cargo.lock
	--- a/services/backup/Cargo.lock
	+++ b/services/backup/Cargo.lock
	@@ -513,6 +513,32 @@
	"tracing",
	]

	+[[package]]
	+name = "aws-sdk-secretsmanager"
	+version = "0.27.0"
	+source = "registry+https://github.com/rust-lang/crates.io-index"
	+checksum = "502ccd2a5469223f03116ed1ef8d310bfe3caa0e8398b968439cd8e76e4ae91c"
	+dependencies = [
	+ "aws-credential-types",
	+ "aws-endpoint",
	+ "aws-http",
	+ "aws-sig-auth",
	+ "aws-smithy-async",
	+ "aws-smithy-client",
	+ "aws-smithy-http",
	+ "aws-smithy-http-tower",
	+ "aws-smithy-json",
	+ "aws-smithy-types",
	+ "aws-types",
	+ "bytes",
	+ "fastrand 1.9.0",
	+ "http",
	+ "regex",
	+ "tokio-stream",
	+ "tower",
	+ "tracing",
	+]
	+
	[[package]]
	name = "aws-sdk-sso"
	version = "0.28.0"
	@@ -956,6 +982,7 @@
	"anyhow",
	"aws-config",
	"aws-sdk-dynamodb",
	+ "aws-sdk-secretsmanager",
	"aws-types",
	"base64 0.21.2",
	"bytes",
	diff --git a/services/blob/Cargo.lock b/services/blob/Cargo.lock
	--- a/services/blob/Cargo.lock
	+++ b/services/blob/Cargo.lock
	@@ -503,6 +503,32 @@
	"url",
	]

	+[[package]]
	+name = "aws-sdk-secretsmanager"
	+version = "0.27.0"
	+source = "registry+https://github.com/rust-lang/crates.io-index"
	+checksum = "502ccd2a5469223f03116ed1ef8d310bfe3caa0e8398b968439cd8e76e4ae91c"
	+dependencies = [
	+ "aws-credential-types",
	+ "aws-endpoint",
	+ "aws-http",
	+ "aws-sig-auth",
	+ "aws-smithy-async",
	+ "aws-smithy-client",
	+ "aws-smithy-http",
	+ "aws-smithy-http-tower",
	+ "aws-smithy-json",
	+ "aws-smithy-types",
	+ "aws-types",
	+ "bytes",
	+ "fastrand",
	+ "http",
	+ "regex",
	+ "tokio-stream",
	+ "tower",
	+ "tracing",
	+]
	+
	[[package]]
	name = "aws-sdk-sso"
	version = "0.28.0"
	@@ -1020,6 +1046,7 @@
	"anyhow",
	"aws-config",
	"aws-sdk-dynamodb",
	+ "aws-sdk-secretsmanager",
	"aws-types",
	"base64 0.21.0",
	"chrono",
	diff --git a/services/comm-services-lib/Cargo.lock b/services/comm-services-lib/Cargo.lock
	--- a/services/comm-services-lib/Cargo.lock
	+++ b/services/comm-services-lib/Cargo.lock
	@@ -473,6 +473,32 @@
	"tracing",
	]

	+[[package]]
	+name = "aws-sdk-secretsmanager"
	+version = "0.27.0"
	+source = "registry+https://github.com/rust-lang/crates.io-index"
	+checksum = "502ccd2a5469223f03116ed1ef8d310bfe3caa0e8398b968439cd8e76e4ae91c"
	+dependencies = [
	+ "aws-credential-types",
	+ "aws-endpoint",
	+ "aws-http",
	+ "aws-sig-auth",
	+ "aws-smithy-async",
	+ "aws-smithy-client",
	+ "aws-smithy-http",
	+ "aws-smithy-http-tower",
	+ "aws-smithy-json",
	+ "aws-smithy-types",
	+ "aws-types",
	+ "bytes",
	+ "fastrand",
	+ "http",
	+ "regex",
	+ "tokio-stream",
	+ "tower",
	+ "tracing",
	+]
	+
	[[package]]
	name = "aws-sdk-sso"
	version = "0.28.0"
	@@ -855,6 +881,7 @@
	"anyhow",
	"aws-config",
	"aws-sdk-dynamodb",
	+ "aws-sdk-secretsmanager",
	"aws-types",
	"base64 0.21.0",
	"bytes",
	diff --git a/services/comm-services-lib/Cargo.toml b/services/comm-services-lib/Cargo.toml
	--- a/services/comm-services-lib/Cargo.toml
	+++ b/services/comm-services-lib/Cargo.toml
	@@ -28,6 +28,7 @@
	serde_json = "1.0"
	aws-config = "0.55"
	aws-sdk-dynamodb = "0.27"
	+aws-sdk-secretsmanager = "0.27"
	aws-types = "0.55"
	base64 = "0.21"
	chrono = "0.4"
	diff --git a/services/comm-services-lib/src/auth/mod.rs b/services/comm-services-lib/src/auth/mod.rs
	--- a/services/comm-services-lib/src/auth/mod.rs
	+++ b/services/comm-services-lib/src/auth/mod.rs
	@@ -1,3 +1,5 @@
	+mod service;
	mod types;

	+pub use service::*;
	pub use types::*;
	diff --git a/services/comm-services-lib/src/auth/service.rs b/services/comm-services-lib/src/auth/service.rs
	new file mode 100644
	--- /dev/null
	+++ b/services/comm-services-lib/src/auth/service.rs
	@@ -0,0 +1,75 @@
	+use aws_sdk_secretsmanager::Client as SecretsManagerClient;
	+use chrono::{DateTime, Duration, NaiveDateTime, Utc};
	+
	+use super::{AuthorizationCredential, ServicesAuthToken, UserIdentity};
	+
	+const SECRET_NAME: &str = "servicesToken";
	+/// duration for which we consider previous token valid
	+/// after rotation
	+const ROTATION_PROTECTION_PERIOD: i64 = 3; // seconds
	+
	+// AWS managed version tags for secrets
	+const AWSCURRENT: &str = "AWSCURRENT";
	+const AWSPREVIOUS: &str = "AWSPREVIOUS";
	+
	+async fn get_services_token_version(
	+ client: &SecretsManagerClient,
	+ version: impl Into<String>,
	+) -> Result<ServicesAuthToken, aws_sdk_secretsmanager::Error> {
	+ let result = client
	+ .get_secret_value()
	+ .secret_id(SECRET_NAME)
	+ .version_id(version)
	+ .send()
	+ .await?;
	+
	+ let token = result
	+ .secret_string()
	+ .expect("Services token secret is not a string. This should not happen");
	+ Ok(ServicesAuthToken::new(token.to_string()))
	+}
	+
	+async fn time_since_rotation(
	+ client: &SecretsManagerClient,
	+) -> Result<Option<chrono::Duration>, aws_sdk_secretsmanager::Error> {
	+ let result = client
	+ .describe_secret()
	+ .secret_id(SECRET_NAME)
	+ .send()
	+ .await?;
	+
	+ let duration = result
	+ .last_rotated_date()
	+ .and_then(\|date\| date.to_millis().ok())
	+ .and_then(NaiveDateTime::from_timestamp_millis)
	+ .map(\|naive\| DateTime::<Utc>::from_utc(naive, Utc))
	+ .map(\|last_rotated\| Utc::now().signed_duration_since(last_rotated));
	+ Ok(duration)
	+}
	+
	+async fn verify_services_token(
	+ client: &SecretsManagerClient,
	+ token_to_verify: &ServicesAuthToken,
	+) -> Result<bool, aws_sdk_secretsmanager::Error> {
	+ let actual_token = get_services_token_version(client, AWSCURRENT).await?;
	+
	+ // we need to always get it to achieve constant time eq
	+ let last_rotated = time_since_rotation(client).await?;
	+ let was_recently_rotated = last_rotated
	+ .filter(\|rotation_time\| {
	+ *rotation_time < Duration::seconds(ROTATION_PROTECTION_PERIOD)
	+ })
	+ .is_some();
	+
	+ let is_valid = *token_to_verify == actual_token;
	+ // token might have just been rotated. In this case check the previous token
	+ // this case makes the function non-constant time, but it happens very rarely
	+ if !is_valid && was_recently_rotated {
	+ let previous_token =
	+ get_services_token_version(client, AWSPREVIOUS).await?;
	+ let previous_valid = *token_to_verify == previous_token;
	+ return Ok(previous_valid);
	+ }
	+
	+ Ok(is_valid)
	+}
	diff --git a/services/commtest/Cargo.lock b/services/commtest/Cargo.lock
	--- a/services/commtest/Cargo.lock
	+++ b/services/commtest/Cargo.lock
	@@ -200,6 +200,32 @@
	"tracing",
	]

	+[[package]]
	+name = "aws-sdk-secretsmanager"
	+version = "0.27.0"
	+source = "registry+https://github.com/rust-lang/crates.io-index"
	+checksum = "502ccd2a5469223f03116ed1ef8d310bfe3caa0e8398b968439cd8e76e4ae91c"
	+dependencies = [
	+ "aws-credential-types",
	+ "aws-endpoint",
	+ "aws-http",
	+ "aws-sig-auth",
	+ "aws-smithy-async",
	+ "aws-smithy-client",
	+ "aws-smithy-http",
	+ "aws-smithy-http-tower",
	+ "aws-smithy-json",
	+ "aws-smithy-types",
	+ "aws-types",
	+ "bytes",
	+ "fastrand 1.9.0",
	+ "http",
	+ "regex",
	+ "tokio-stream",
	+ "tower",
	+ "tracing",
	+]
	+
	[[package]]
	name = "aws-sdk-sso"
	version = "0.28.0"
	@@ -628,6 +654,7 @@
	"anyhow",
	"aws-config",
	"aws-sdk-dynamodb",
	+ "aws-sdk-secretsmanager",
	"aws-types",
	"base64 0.21.3",
	"chrono",
	diff --git a/services/feature-flags/Cargo.lock b/services/feature-flags/Cargo.lock
	--- a/services/feature-flags/Cargo.lock
	+++ b/services/feature-flags/Cargo.lock
	@@ -357,6 +357,32 @@
	"tracing",
	]

	+[[package]]
	+name = "aws-sdk-secretsmanager"
	+version = "0.27.0"
	+source = "registry+https://github.com/rust-lang/crates.io-index"
	+checksum = "502ccd2a5469223f03116ed1ef8d310bfe3caa0e8398b968439cd8e76e4ae91c"
	+dependencies = [
	+ "aws-credential-types",
	+ "aws-endpoint",
	+ "aws-http",
	+ "aws-sig-auth",
	+ "aws-smithy-async",
	+ "aws-smithy-client",
	+ "aws-smithy-http",
	+ "aws-smithy-http-tower",
	+ "aws-smithy-json",
	+ "aws-smithy-types",
	+ "aws-types",
	+ "bytes",
	+ "fastrand",
	+ "http",
	+ "regex",
	+ "tokio-stream",
	+ "tower",
	+ "tracing",
	+]
	+
	[[package]]
	name = "aws-sdk-sso"
	version = "0.28.0"
	@@ -754,6 +780,7 @@
	"anyhow",
	"aws-config",
	"aws-sdk-dynamodb",
	+ "aws-sdk-secretsmanager",
	"aws-types",
	"base64",
	"chrono",
	diff --git a/services/reports/Cargo.lock b/services/reports/Cargo.lock
	--- a/services/reports/Cargo.lock
	+++ b/services/reports/Cargo.lock
	@@ -525,6 +525,32 @@
	"tracing",
	]

	+[[package]]
	+name = "aws-sdk-secretsmanager"
	+version = "0.27.0"
	+source = "registry+https://github.com/rust-lang/crates.io-index"
	+checksum = "502ccd2a5469223f03116ed1ef8d310bfe3caa0e8398b968439cd8e76e4ae91c"
	+dependencies = [
	+ "aws-credential-types",
	+ "aws-endpoint",
	+ "aws-http",
	+ "aws-sig-auth",
	+ "aws-smithy-async",
	+ "aws-smithy-client",
	+ "aws-smithy-http",
	+ "aws-smithy-http-tower",
	+ "aws-smithy-json",
	+ "aws-smithy-types",
	+ "aws-types",
	+ "bytes",
	+ "fastrand 1.9.0",
	+ "http",
	+ "regex",
	+ "tokio-stream",
	+ "tower",
	+ "tracing",
	+]
	+
	[[package]]
	name = "aws-sdk-sso"
	version = "0.28.0"
	@@ -952,6 +978,7 @@
	"anyhow",
	"aws-config",
	"aws-sdk-dynamodb",
	+ "aws-sdk-secretsmanager",
	"aws-types",
	"base64 0.21.3",
	"bytes",

File Metadata

Mime Type: text/plain
Expires: Tue, Nov 26, 5:49 PM (21 h, 27 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 2585650
Default Alt Text: D9279.diff (8 KB)

D9279.diffNo OneTemporaryActions

D9279.diffView Options

File Metadata

Event Timeline

D9279.diff
No OneTemporary
Actions

D9279.diff
View Options