Rearchitect to remove Gin server package, add JWT-protected HTTP routes #10
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This code was originally written before OpenCHAMI services standardized on Chi. Also, Gin uses a very different Context-based interface for handler functions, and is therefore not easily interoperable with existing handlers like those used for JWT verification.
We now return a 404 error when the cloud-init datastore for the
requested name is empty. In context, this means that the requested name:
a) has no node-specific cloud-init data assocated with it
b) is not part of any SMD groups whose data it would otherwise
inherit
The actual verification isn't yet implemented — this work forms a base for that.
This copies much JWKS helper code (`cmd/cloud-init-server/auth.go`) from https://github.com/OpenCHAMI/smd/blob/cdac4f1a606401a2b150513b935143238e3eb026/cmd/smd/routers.go with certain irrelevant-to-us parts stripped out.
This is the key that must be included in future GET/DELETE/etc. requests in order to access the node in question. May be different from the originally specified name, particularly if the latter includes special characters which may not be URL-safe.
This ensures the flag is always given a value (even an empty one), preventing parse errors.
This seriously complicates the data-retrieval process, especially when talking to SMD. Also, since we're dealing with MAC addresses here, the colons will *always* be "slugged" into dashes, so there's no real way to avoid this mangling.
Your parsers will thank me.
This is the case when no xname can be found for the given MAC address, in which case we consider the possibility that the input isn't a MAC address at all, and use it as directly as a datastore key.
Apparently Chi gets mad if you don't follow their expected setup order.
These are based on the routers present in SMD.
LRitzdorf
force-pushed
the
lritzdorf/rearchitect
branch
from
48a0a12 to
0af7c7a
Compare
We use this to grab a new token when necessary.
LRitzdorf
force-pushed
the
lritzdorf/rearchitect
branch
from
0af7c7a to
2735311
Compare
As long as they follow the standard output format.
| } | ||
|
|
||
| // Refresh the cached access token, using the provided JWT server | ||
| func (s *SMDClient) RefreshToken() error { |
There was a problem hiding this comment.
One thing to keep in mind is that OPAAL's token endpoint returns a JWT bearer token without having to perform an authorization grant that's expected from OAuth 2 servers. I may be worth implementing some way to do a client credentials grant (which is what OPAAL is doing here) to get a token later on. For now though, this should be fine.
davidallendj
approved these changes
Jul 17, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR is a rework of the cloud-init server's high-level structure. Notably, it:
/cloud-init-securewhose access is controlled via JWT authorizationSee also, the updated CHANGELOG.md.