feat: add BrowserID support to Tokenserver

Closes #1215
mozilla-services · Feb 4, 2022 · 79e9735 · 79e9735
1 parent aa93312
commit 79e9735
Show file tree

Hide file tree

Showing 32 changed files with 2,238 additions and 1,007 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -36,6 +36,7 @@ diesel = { version = "1.4", features = ["mysql", "r2d2"] }
 diesel_logger = "0.1.1"
 diesel_migrations = { version = "1.4.0", features = ["mysql"] }
 docopt = "1.1.0"
+dyn-clone = "1.0.4"
 env_logger = "0.9"
 futures = { version = "0.3", features = ["compat"] }
 google-cloud-rust-raw = "0.11.0"
@@ -44,7 +45,6 @@ google-cloud-rust-raw = "0.11.0"
 # `cargo build --features grpcio/openssl ...`
 grpcio = { version = "0.9" }
 lazy_static = "1.4.0"
-pyo3 = { version = "0.14", features = ["auto-initialize"] }
 hawk = "3.2"
 hex = "0.4.3"
 hostname = "0.3.1"
@@ -53,11 +53,14 @@ hmac = "0.11"
 http = "0.2.5"
 log = { version = "0.4", features = ["max_level_debug", "release_max_level_info"] }
 mime = "0.3"
+mockito = "0.30.0"
 num_cpus = "1"
 # must match what's used by googleapis-raw
 protobuf = "2.20.0"
+pyo3 = { version = "0.14", features = ["auto-initialize"] }
 rand = "0.8"
 regex = "1.4"
+reqwest = { version = "0.11.9", features = ["blocking", "json"] }
 # pin to 0.19: https://github.com/getsentry/sentry-rust/issues/277
 sentry = { version = "0.19", features = ["with_curl_transport"] }# pin to 0.19 until on-prem sentry server is updated
 sentry-backtrace = "0.19"
@@ -84,12 +87,8 @@ validator = "0.14"
 validator_derive = "0.14"
 woothee = "0.11"
 
-[dev-dependencies]
-jsonwebtoken = "7.2.0"
-
 [features]
 no_auth = []
-tokenserver_test_mode = []
 
 [[bin]]
 name = "purge_ttl"
diff --git a/Makefile b/Makefile
@@ -36,10 +36,10 @@ docker_stop_spanner:
 	docker-compose -f docker-compose.spanner.yaml down
 
 run:
-	RUST_LOG=debug RUST_BACKTRACE=full cargo run --features tokenserver_test_mode -- --config config/local.toml
+	RUST_LOG=debug RUST_BACKTRACE=full cargo run --features grpcio/openssl -- --config config/local.toml
 
 run_spanner:
 	GOOGLE_APPLICATION_CREDENTIALS=$(PATH_TO_SYNC_SPANNER_KEYS) GRPC_DEFAULT_SSL_ROOTS_FILE_PATH=$(PATH_TO_GRPC_CERT) make run
 
 test:
-	SYNC_DATABASE_URL=$(SYNC_DATABASE_URL) SYNC_TOKENSERVER__DATABASE_URL=$(SYNC_TOKENSERVER__DATABASE_URL) RUST_TEST_THREADS=1 cargo test --features tokenserver_test_mode
+	SYNC_DATABASE_URL=$(SYNC_DATABASE_URL) SYNC_TOKENSERVER__DATABASE_URL=$(SYNC_TOKENSERVER__DATABASE_URL) RUST_TEST_THREADS=1 cargo test --features grpcio/openssl
diff --git a/config/local.example.toml b/config/local.example.toml
@@ -22,7 +22,9 @@ tokenserver.enabled = true
 tokenserver.fxa_email_domain = "api-accounts.stage.mozaws.net"
 tokenserver.fxa_metrics_hash_secret = "INSERT_SECRET_KEY_HERE"
 tokenserver.fxa_oauth_server_url = "https://oauth.stage.mozaws.net"
-tokenserver.test_mode_enabled = false
+tokenserver.fxa_browserid_audience = "https://api-accounts.stage.mozaws.net"
+tokenserver.fxa_browserid_issuer = "https://api-accounts.stage.mozaws.net"
+tokenserver.fxa_browserid_server_url = "https://verifier.stage.mozaws.net/v2"
 
 # cors settings
 # cors_allowed_origin = "localhost"

diff --git a/docker-compose.e2e.mysql.yaml b/docker-compose.e2e.mysql.yaml
@@ -27,9 +27,10 @@ services:
           SYNC_DATABASE_URL: mysql://test:test@sync-db:3306/syncstorage
           SYNC_TOKENSERVER__DATABASE_URL: mysql://test:test@tokenserver-db:3306/tokenserver
           SYNC_TOKENSERVER__ENABLED: "true"
+          SYNC_TOKENSERVER__FXA_BROWSERID_AUDIENCE: "https://token.stage.mozaws.net/"
+          SYNC_TOKENSERVER__FXA_BROWSERID_ISSUER: "api-accounts.stage.mozaws.net"
           SYNC_TOKENSERVER__FXA_EMAIL_DOMAIN: api-accounts.stage.mozaws.net
           SYNC_TOKENSERVER__FXA_METRICS_HASH_SECRET: secret0
-          SYNC_TOKENSERVER__FXA_OAUTH_SERVER_URL: https://oauth.stage.mozaws.net
           TOKENSERVER_HOST: http://localhost:8000
         entrypoint: >
           /bin/sh -c "

diff --git a/docker-compose.e2e.spanner.yaml b/docker-compose.e2e.spanner.yaml
@@ -28,9 +28,10 @@ services:
           SYNC_SPANNER_EMULATOR_HOST: sync-db:9010
           SYNC_TOKENSERVER__DATABASE_URL: mysql://test:test@tokenserver-db:3306/tokenserver
           SYNC_TOKENSERVER__ENABLED: "true"
+          SYNC_TOKENSERVER__FXA_BROWSERID_AUDIENCE: "https://token.stage.mozaws.net/"
+          SYNC_TOKENSERVER__FXA_BROWSERID_ISSUER: "api-accounts.stage.mozaws.net"
           SYNC_TOKENSERVER__FXA_EMAIL_DOMAIN: api-accounts.stage.mozaws.net
           SYNC_TOKENSERVER__FXA_METRICS_HASH_SECRET: secret0
-          SYNC_TOKENSERVER__FXA_OAUTH_SERVER_URL: https://oauth.stage.mozaws.net
           TOKENSERVER_HOST: http://localhost:8000
         entrypoint: >
           /bin/sh -c "

diff --git a/docker-compose.mysql.yaml b/docker-compose.mysql.yaml
@@ -28,6 +28,13 @@ services:
             MYSQL_USER: test
             MYSQL_PASSWORD: test
 
+    mock-fxa-server:
+        image: app:build
+        restart: "no"
+        entrypoint: "python /app/tools/integration_tests/tokenserver/mock_fxa_server.py"
+        environment:
+            MOCK_FXA_SERVER_PORT: 6000
+
     syncstorage-rs:
         image: ${SYNCSTORAGE_RS_IMAGE:-syncstorage-rs:latest}
         restart: always

diff --git a/docker-compose.spanner.yaml b/docker-compose.spanner.yaml
@@ -28,6 +28,12 @@ services:
             MYSQL_DATABASE: tokenserver
             MYSQL_USER: test
             MYSQL_PASSWORD: test
+    mock-fxa-server:
+        image: app:build
+        restart: "no"
+        entrypoint: "python /app/tools/integration_tests/tokenserver/mock_fxa_server.py"
+        environment:
+            MOCK_FXA_SERVER_PORT: 6000
     syncstorage-rs:
         image: ${SYNCSTORAGE_RS_IMAGE:-syncstorage-rs:latest}
         restart: always

diff --git a/src/settings.rs b/src/settings.rs
@@ -189,9 +189,29 @@ impl Settings {
             "mysql://[email protected]/tokenserver",
         )?;
         s.set_default("tokenserver.enabled", false)?;
-        s.set_default("tokenserver.fxa_email_domain", "test.com")?;
+        s.set_default(
+            "tokenserver.fxa_browserid_audience",
+            "https://token.stage.mozaws.net",
+        )?;
+        s.set_default(
+            "tokenserver.fxa_browserid_issuer",
+            "api-accounts.stage.mozaws.net",
+        )?;
+        s.set_default(
+            "tokenserver.fxa_browserid_server_url",
+            "https://verifier.stage.mozaws.net/v2",
+        )?;
+        s.set_default("tokenserver.fxa_browserid_request_timeout", 10)?;
+        s.set_default(
+            "tokenserver.fxa_email_domain",
+            "api-accounts.stage.mozaws.net",
+        )?;
         s.set_default("tokenserver.fxa_metrics_hash_secret", "secret")?;
-        s.set_default("tokenserver.test_mode_enabled", false)?;
+        s.set_default(
+            "tokenserver.fxa_oauth_server_url",
+            "https://oauth.stage.mozaws.net",
+        )?;
+        s.set_default("tokenserver.fxa_oauth_request_timeout", 10)?;
         s.set_default("tokenserver.node_type", "spanner")?;
         s.set_default("tokenserver.statsd_label", "syncstorage.tokenserver")?;
 

diff --git a/src/tokenserver/README.md b/src/tokenserver/README.md
@@ -24,30 +24,12 @@ This functionality was previously provided by a [Python service](https://github.
 
 ## Configuration
 
-You can find example settings for Tokenserver in [config/local.example.toml](../../config/local.example.toml). The available settings are:
-
-| Option | Default value | Description |
-| --- | --- | --- |
-| `disable_syncstorage` | `false` | whether to disable the Sync Storage endpoints (see [Disabling Syncstorage](#disabling-syncstorage) for more information) |
-| `tokenserver.database_url` | `"mysql://[email protected]/tokenserver_rs"` | database DSN |
-| `tokenserver.database_pool_max_size` | `None` | the maximum number of connections in the database pool |
-| `tokenserver.database_pool_min_idle` | `None` | the minimum number of idle database connections to maintain at all times |
-| `tokenserver.database_pool_connection_timeout` | `Some(30)` | the timeout (in seconds) when waiting for an available connection |
-| `tokenserver.fxa_metrics_hash_secret` | `"secret"` | the secret used to hash users' FxA UIDs |
-| `tokenserver.fxa_email_domain` | `"api.accounts.firefox.com"` | the email domain used to contruct the FxA email address from the user's FxA UID |
-| `tokenserver.fxa_oauth_server_url` | `None` | the URL of the FxA OAuth server to be used to verify user's OAuth tokens |
-| `tokenserver.test_mode_enabled` | `false` | whether to enable Tokenserver's [test mode](#test-mode) |
+You can find example settings for Tokenserver in [config/local.example.toml](../../config/local.example.toml). The available settings are described in doc comments [here](../../src/tokenserver/settings.rs).
 
 ### Disabling Syncstorage
 
 Tokenserver can be run as a standalone service by disabling the Sync Storage endpoints. This can be done simply by setting the `disable_syncstorage` setting to `true`. **Note that the Sync Storage settings must still be set even when those endpoints are disabled.**
 
-### Test Mode
-
-When Tokenserver's "test mode" is enabled, OAuth tokens are unpacked without being verified by FxA. Essentially, this allows one to "forge" an OAuth token as though it were created by FxA. This can be useful to test new functionality during development or to run integration tests.
-
-**NOTE:** This should **never** be run in production.
-
 ### Connecting to Firefox
 
 1. Visit `about:config` in Firefox