refactor: Use PyFxA to verify Tokenserver tokens (#1103)
Closes #1098, #1102
ethowitz authored Jun 25, 2021
1 parent 0b37bbe commit 3440177
Showing 14 changed files with 341 additions and 259 deletions.
8 changes: 7 additions & 1 deletion .circleci/config.yml
Expand Up @@ -29,7 +29,8 @@ commands:
name: Setup python
command: |
sudo apt-get update && sudo apt-get install -y python3-dev python3-pip
pip3 install hawkauthlib konfig pyramid pyramid_hawkauth requests simplejson tokenlib unittest2 WebTest WSGIProxy2
pip3 install flake8 hawkauthlib konfig pyramid pyramid_hawkauth requests simplejson unittest2 WebTest WSGIProxy2
pip3 install -r requirements.txt
rust-check:
steps:
- run:
Expand All @@ -38,6 +39,11 @@ commands:
cargo fmt -- --check
# https://github.com/bodil/sized-chunks/issues/11
cargo audit --ignore RUSTSEC-2020-0041
python-check:
steps:
- run:
name: Core Python Checks
command: flake8 src/tokenserver/verify.py
rust-clippy:
steps:
- run:
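Review bot: The new `pip3 install -r requirements.txt` line pins the runtime packages, but the line just above it still installs the test-only packages (flake8, hawkauthlib, konfig, pyramid, ...) without version pins, so the CI environment is not reproducible and a bad upstream release of any of them lands silently. A pinned test-requirements file installed the same way would close that gap. The new `python-check` step lints only `src/tokenserver/verify.py`, so any other Python later added under src/tokenserver goes unchecked; `flake8 src/tokenserver` would cover the directory. The `commands:` block these hunks belong to continues outside the diff.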
83 changes: 22 additions & 61 deletions Cargo.lock


2 changes: 0 additions & 2 deletions Cargo.toml
Expand Up @@ -50,11 +50,9 @@ hex = "0.4.3"
hostname = "0.3.1"
hkdf = "0.11"
hmac = "0.11"
jsonwebtoken = "7.2.0"
log = { version = "0.4", features = ["max_level_debug", "release_max_level_info"] }
mime = "0.3"
num_cpus = "1"
openssl = "0.10.34"
# must match what's used by googleapis-raw
protobuf = "2.20.0"
rand = "0.8"
9 changes: 5 additions & 4 deletions Dockerfile
Expand Up @@ -4,8 +4,8 @@ ADD . /app
ENV PATH=$PATH:/root/.cargo/bin
# temp removed --no-install-recommends due to CI docker build issue
RUN apt-get -q update && \
apt-get -q install -y --no-install-recommends default-libmysqlclient-dev cmake golang-go python3-dev python3-pip && \
pip3 install tokenlib && \
apt-get -q install -y --no-install-recommends default-libmysqlclient-dev cmake golang-go python3-dev python3-pip python3-setuptools && \
pip3 install -r requirements.txt && \
rm -rf /var/lib/apt/lists/*

RUN \
Expand All @@ -16,12 +16,13 @@ RUN \

FROM debian:buster-slim
WORKDIR /app
COPY --from=builder /app/requirements.txt /app
RUN \
groupadd --gid 10001 app && \
useradd --uid 10001 --gid 10001 --home /app --create-home app && \
apt-get -q update && \
apt-get -q install -y build-essential default-libmysqlclient-dev libssl-dev ca-certificates libcurl4 python3-dev python3-pip curl jq && \
pip3 install tokenlib && \
apt-get -q install -y build-essential default-libmysqlclient-dev libssl-dev ca-certificates libcurl4 python3-dev python3-pip python3-setuptools curl jq && \
pip3 install -r /app/requirements.txt && \
rm -rf /var/lib/apt/lists/*

COPY --from=builder /app/bin /app/bin
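Review bot: The runtime stage now pip-installs the token-verification dependencies from requirements.txt at image build time, so what ends up in the final image is guarded by version pins alone; adding per-package hashes to requirements.txt and installing with `pip3 install --require-hashes --no-cache-dir -r /app/requirements.txt` would also pin package contents and keep the pip cache out of the image. The same applies to the builder-stage install in the first hunk. Both installs run in root-owned layers after the `useradd` line; whether a later `USER app` switch exists is outside the hunk, so that is only worth confirming.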
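--- a/requirements.txt
+++ b/requirements.txt
@@ -0,0 +1,2 @@
+pyfxa==0.7.7
+tokenlib==2.0.0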
15 changes: 7 additions & 8 deletions src/server/mod.rs
Expand Up @@ -14,7 +14,7 @@ use crate::db::{pool_from_settings, spawn_pool_periodic_reporter, DbPool};
use crate::error::ApiError;
use crate::server::metrics::Metrics;
use crate::settings::{Deadman, Secrets, ServerLimits, Settings};
use crate::tokenserver;
use crate::tokenserver::{self, OAuthVerifier, VerifyToken};
use crate::web::{handlers, middleware};

pub const BSO_ID_REGEX: &str = r"[ -~]{1,64}";
Expand Down Expand Up @@ -44,10 +44,10 @@ pub struct ServerState {
// TODO: These will eventually be added as settings passed to a more mature
// database adapter (which will be added in #1054)
pub tokenserver_database_url: Option<String>,
pub tokenserver_jwks_rsa_modulus: Option<String>,
pub tokenserver_jwks_rsa_exponent: Option<String>,
pub fxa_metrics_hash_secret: Option<String>, // SYNC_FXA_METRICS_HASH_SECRET

pub tokenserver_oauth_verifier: Box<dyn VerifyToken>,

/// Metric reporting
pub metrics: Box<StatsdClient>,

Expand Down Expand Up @@ -183,9 +183,7 @@ impl Server {
let host = settings.host.clone();
let port = settings.port;
let tokenserver_database_url = Arc::new(settings.tokenserver_database_url.clone());
let tokenserver_jwks_rsa_modulus = Arc::new(settings.tokenserver_jwks_rsa_modulus.clone());
let tokenserver_jwks_rsa_exponent =
Arc::new(settings.tokenserver_jwks_rsa_exponent.clone());
let fxa_oauth_server_url = settings.fxa_oauth_server_url;
let fxa_metrics_hash_secret = Arc::new(settings.fxa_metrics_hash_secret.clone());
let quota_enabled = settings.enable_quota;
let actix_keep_alive = settings.actix_keep_alive;
Expand All @@ -204,9 +202,10 @@ impl Server {
limits_json: limits_json.clone(),
secrets: Arc::clone(&secrets),
tokenserver_database_url: (*tokenserver_database_url).clone(),
tokenserver_jwks_rsa_modulus: (*tokenserver_jwks_rsa_modulus).clone(),
tokenserver_jwks_rsa_exponent: (*tokenserver_jwks_rsa_exponent).clone(),
fxa_metrics_hash_secret: (*fxa_metrics_hash_secret).clone(),
tokenserver_oauth_verifier: Box::new(OAuthVerifier {
fxa_oauth_server_url: fxa_oauth_server_url.clone(),
}),
metrics: Box::new(metrics.clone()),
port,
quota_enabled,
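Review bot: The `OAuthVerifier` in this hunk is built straight from `fxa_oauth_server_url`, which `Settings` declares as `Option<String>` defaulting to `None`, so a deployment that omits the setting still starts and hands every Tokenserver request to a verifier with no server URL; what `OAuthVerifier` does in that case is not visible in this diff. If a Tokenserver deployment without the URL is never valid, a guard before `HttpServer::new` that rejects `settings.fxa_oauth_server_url.is_none()` would surface the misconfiguration once at startup instead of per request. The new `tokenserver_oauth_verifier` field in the first hunk is also the only field next to `/// Metric reporting` without a doc comment; `/// Verifies Tokenserver OAuth tokens (OAuthVerifier in production, a mock in tests)` would match the style. The `Server` impl these hunks belong to continues outside the diff.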
4 changes: 2 additions & 2 deletions src/server/test.rs
Expand Up @@ -24,6 +24,7 @@ use crate::db::pool_from_settings;
use crate::db::results::{DeleteBso, GetBso, PostBsos, PutBso};
use crate::db::util::SyncTimestamp;
use crate::settings::{test_settings, Secrets, ServerLimits};
use crate::tokenserver::MockOAuthVerifier;
use crate::web::{auth::HawkPayload, extractors::BsoBody, X_LAST_MODIFIED};

lazy_static! {
Expand Down Expand Up @@ -70,9 +71,8 @@ async fn get_test_state(settings: &Settings) -> ServerState {
limits_json: serde_json::to_string(&**SERVER_LIMITS).unwrap(),
secrets: Arc::clone(&SECRETS),
tokenserver_database_url: None,
tokenserver_jwks_rsa_modulus: None,
tokenserver_jwks_rsa_exponent: None,
fxa_metrics_hash_secret: None,
tokenserver_oauth_verifier: Box::new(MockOAuthVerifier::default()),
metrics: Box::new(metrics),
port: settings.port,
quota_enabled: settings.enable_quota,
10 changes: 4 additions & 6 deletions src/settings.rs
Expand Up @@ -69,8 +69,6 @@ pub struct Settings {
/// that are used during Hawk authentication.
pub master_secret: Secrets,

pub tokenserver_jwks_rsa_modulus: Option<String>,
pub tokenserver_jwks_rsa_exponent: Option<String>,
pub fxa_metrics_hash_secret: Option<String>,
pub human_logs: bool,

Expand All @@ -82,6 +80,9 @@ pub struct Settings {
pub enforce_quota: bool,

pub spanner_emulator_host: Option<String>,

/// The URL of the FxA server used for verifying Tokenserver OAuth tokens
pub fxa_oauth_server_url: Option<String>,
}

impl Default for Settings {
Expand All @@ -102,8 +103,6 @@ impl Default for Settings {
actix_keep_alive: None,
limits: ServerLimits::default(),
master_secret: Secrets::default(),
tokenserver_jwks_rsa_exponent: None,
tokenserver_jwks_rsa_modulus: None,
fxa_metrics_hash_secret: None,
statsd_host: None,
statsd_port: 8125,
Expand All @@ -112,6 +111,7 @@ impl Default for Settings {
enable_quota: false,
enforce_quota: false,
spanner_emulator_host: None,
fxa_oauth_server_url: None,
}
}
}
Expand All @@ -138,8 +138,6 @@ impl Settings {
// for database_pool_max_size doesn't quite work. Generally the max pool size is
// 10.
s.set_default::<Option<String>>("tokenserver_database_url", None)?;
s.set_default::<Option<String>>("tokenserver_jwks_rsa_modulus", None)?;
s.set_default::<Option<String>>("tokenserver_jwks_rsa_exponent", None)?;
s.set_default::<Option<String>>("fxa_metrics_hash_secret", None)?;
s.set_default("master_secret", "")?;
s.set_default("limits.max_post_bytes", i64::from(DEFAULT_MAX_POST_BYTES))?;
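Review bot: This hunk drops the `set_default` calls for the removed JWKS settings but adds none for the new `fxa_oauth_server_url`, while every other `Option<String>` setting here (`tokenserver_database_url`, `fxa_metrics_hash_secret`) gets one; if those calls are what lets the config loader accept a missing key, the new setting needs the same line, `s.set_default::<Option<String>>("fxa_oauth_server_url", None)?;`. The `Default` impl in the third hunk does set it to `None`, so only the config-builder path is affected. The `Settings` impl this hunk belongs to continues outside the diff.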