[services-lib] Add fn to verify services token
Closed, Public

Authored by bartek on Sep 25 2023, 5:44 AM.
Details

Summary

This diff adds logic to access and verify the service-to-service token held in AWS Secrets Manager.
AWS uses "tags" to version secrets. The current version of the secret is tagged AWSCURRENT; the previous version from before rotation is tagged AWSPREVIOUS.

Depends on D9277

Test Plan
  • Verified that the secret is accessible.
  • Validation logic works for a token with the tag AWSCURRENT (set in Terraform, and also set by default in AWS).
  • Rotated the secret (changed manually, so last_rotated() was replaced with last_changed()) and verified that the old token is invalid.
  • Increased the protection period to 1 hour and verified that the old token is still valid.

Diff Detail

Repository: rCOMM Comm
Lint: Not Applicable
Unit: Tests Not Applicable

Event Timeline

bartek held this revision as a draft.
bartek published this revision for review. Sep 25 2023, 5:58 AM
varun requested changes to this revision. Sep 25 2023, 11:08 AM
varun added inline comments.
services/comm-services-lib/src/auth/service.rs, line 64 (On Diff #31388)

I'm confused why we aren't using the constant_time_eq function here

This revision now requires changes to proceed. Sep 25 2023, 11:08 AM
bartek added inline comments.
services/comm-services-lib/src/auth/service.rs, line 64 (On Diff #31388)

This type implements PartialEq from D9242; constant-time eq is done there.
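
One way to put the summary, the test plan and this PartialEq discussion together, as an added example that is not the project's own code: a token type whose `PartialEq` is constant-time (a hand-rolled XOR-accumulate loop stands in for `constant_time_eq`), and a verifier that always accepts the AWSCURRENT value and accepts the AWSPREVIOUS value only while the rotation is younger than the protection period. The `SecretToken`, `ServiceSecret`, `TokenVerifier` and `rotated_secret` names, the field layout and the token strings are assumptions; the Secrets Manager lookup itself (which addresses versions by the staging labels `AWSCURRENT` and `AWSPREVIOUS`) is replaced by a locally constructed fixture so the example runs offline.

```rust
use std::hint::black_box;
use std::time::{Duration, SystemTime};

/// Hypothetical stand-in for the project's token type. Its PartialEq is
/// constant-time, so `==` never short-circuits on the first differing byte.
#[derive(Clone, Debug)]
pub struct SecretToken(Vec<u8>);

impl SecretToken {
    pub fn new(s: &str) -> Self {
        SecretToken(s.as_bytes().to_vec())
    }
}

/// Constant-time comparison: OR-accumulate the XOR of every byte pair.
/// `black_box` keeps the optimizer from rewriting the loop as an early exit.
/// Lengths are compared directly; the token length is not treated as secret.
fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff: u8 = 0;
    for (x, y) in a.iter().zip(b) {
        diff |= black_box(x ^ y);
    }
    black_box(diff) == 0
}

impl PartialEq for SecretToken {
    fn eq(&self, other: &Self) -> bool {
        constant_time_eq(&self.0, &other.0)
    }
}
impl Eq for SecretToken {}

/// Assumed shape of a Secrets Manager lookup result: the AWSCURRENT value,
/// the AWSPREVIOUS value (absent before the first rotation), and the time the
/// current version was created. Constructed locally here, never fetched.
#[derive(Clone, Debug)]
pub struct ServiceSecret {
    pub current: SecretToken,
    pub previous: Option<SecretToken>,
    pub last_changed: SystemTime,
}

pub struct TokenVerifier {
    secret: ServiceSecret,
    /// How long AWSPREVIOUS stays valid after a rotation.
    protection_period: Duration,
}

impl TokenVerifier {
    pub fn new(secret: ServiceSecret, protection_period: Duration) -> Self {
        TokenVerifier { secret, protection_period }
    }

    /// Accept the AWSCURRENT token unconditionally; accept the AWSPREVIOUS
    /// token only while the rotation is younger than `protection_period`.
    /// Both comparisons always run and are joined with `|` and `&` rather
    /// than `||` and `&&`, so which branch matched is not visible in timing.
    pub fn verify_at(&self, presented: &SecretToken, now: SystemTime) -> bool {
        let matches_current = *presented == self.secret.current;
        let matches_previous = self
            .secret
            .previous
            .as_ref()
            .map_or(false, |prev| *presented == *prev);
        // If `now` is before `last_changed` (clock skew), treat the age as
        // zero, i.e. still inside the grace window.
        let age = now
            .duration_since(self.secret.last_changed)
            .unwrap_or(Duration::ZERO);
        let within_grace = age <= self.protection_period;
        matches_current | (matches_previous & within_grace)
    }

    pub fn verify(&self, presented: &SecretToken) -> bool {
        self.verify_at(presented, SystemTime::now())
    }
}

/// Constructed fixture mirroring the test plan: the secret was rotated
/// ten minutes before `now`. The token strings are made up for the example.
pub fn rotated_secret(now: SystemTime) -> ServiceSecret {
    ServiceSecret {
        current: SecretToken::new("example-current-token"),
        previous: Some(SecretToken::new("example-previous-token")),
        last_changed: now - Duration::from_secs(10 * 60),
    }
}

fn main() {
    let now = SystemTime::now();
    let strict = TokenVerifier::new(rotated_secret(now), Duration::from_secs(5 * 60));
    let lenient = TokenVerifier::new(rotated_secret(now), Duration::from_secs(60 * 60));
    let old = SecretToken::new("example-previous-token");
    println!("old token, 5 min protection: {}", strict.verify_at(&old, now));
    println!("old token, 1 h protection:   {}", lenient.verify_at(&old, now));
}
```

Running the binary prints the two outcomes the test plan checks: with a 5-minute protection period the old token is rejected ten minutes after rotation, with a 1-hour period it is still accepted. Because both comparisons are always evaluated, a caller cannot learn from timing whether a rejected token was close to the current or to the previous value; whether `now` is trusted to come from the same clock that wrote `last_changed` is a deployment question the example leaves open.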

how often are we rotating the token?

This revision is now accepted and ready to land. Sep 25 2023, 12:34 PM
michal added inline comments.
services/comm-services-lib/src/auth/service.rs, lines 11–17 (On Diff #31388)

Potentially this could be an enum, but it doesn't really matter.

how often are we rotating the token?

This question does not appear to have been answered

In D9279#273116, @varun wrote:

how often are we rotating the token?

We're not rotating it yet; there's a separate task for this: ENG-4943. Currently, the token is generated by Terraform in D9276.

how often are we rotating the token?

This question does not appear to have been answered

Sorry, I had an answer written but apparently I didn't click "Submit" 🤦‍♂️. Hopefully @varun got the answer when reviewing D9276.