feat: add BrowserID support for Tokenserver

[ethowitz]

Description

• Refactor the support.rs file into a new tokenserver::auth module
• Add a verifier responsible for verifying BrowserID assertions by making a request to FxA
• Simplify integration testing by removing Tokenserver's "test mode" and instead adding a server to mock FxA responses (this allows us to test the OAuth and BrowserID verifiers more thoroughly since we're not just stubbing them out)
• Add request timeout settings for both the OAuth and BrowserID verifiers
• Adjust a number of the client state values in the unit and integration tests to be more straightforward (the tests now make it more obvious that the X-Client-State header contains the hex-encoded client state bytes and the X-KeyID header contains the base64-encoded client state bytes
• Add a number of missing doc comments and regular comments to make the logic clearer

Testing

The new verifier has very comprehensive unit and integration test coverage.

Issue(s)

Closes #1215

[ethowitz]

The build was failing on my machine because of a conflict between openssl and boringssl. This resolves the issue (and I see that there's a comment relating to this in Cargo.toml). Is it worth leaving this here to prevent issues in the future?

[jrconlin]

Yes. Along with a comment explaining why you're including the feature.
(Remember, future folks in a hurry will not read everything, so repeating important points is very useful)

[pjenvey]

Do you have output of this build failure?

I think this ends up disabling boringssl entirely in grpcio. We avoided doing this in the past but I can't track down why (possibly it wasn't even an option when we originally built syncstorage). There's a couple concerns about doing this though:

• we should test it extensively on stage before it rolls out further
• I think it should be the default so all the unit/integration tests are running against this option

[ethowitz]

This specifically started happening when I added reqwest as a new dependency. The first error I ran into was when I tried to create a new reqwest client -- I got this very unhelpful runtime error:

reqwest::Error { kind: Builder, source: Normal(ErrorStack([])) }

I tried a series of random things until I eventually added the native-tls-vendored feature to see if vendoring the TLS library would solve my problem. Then I got a series of linker errors suggesting a conflict between openssl and boringssl:

  = note: /usr/bin/ld: /home/edonowitz/syncstorage-rs/target/debug/deps/libgrpcio_sys-f6372abe3c9ae8ee.rlib(ssl_lib.cc.o): in function `SSL_free':
          /home/edonowitz/.cargo/registry/src/github.com-1ecc6299db9ec823/boringssl-src-0.3.0+688fc5c/boringssl/src/ssl/ssl_lib.cc:744: multiple definition of `SSL_free'; /home/edonowitz/syncstorage-rs/target/debug/deps/libopenssl_sys-917c211f838ee9d5.rlib(ssl_lib.o):/home/edonowitz/syncstorage-rs/target/debug/build/openssl-sys-215daf9bb4881309/out/openssl-build/build/src/ssl/ssl_lib.c:1147: first defined here

I was able to resolve the issue by removing the native-tls-vendored feature and adding --features grpcio/openssl when compiling, which I assumed to mean that the conflict between boringssl and openssl was, in fact, the culprit.

[pjenvey]

Finally tracked down the issue I was thinking of: syncstorage-rs#766 (CC: @jrconlin).

Basically: we enabled openssl narrowed to solely on Ubuntu. Due to a cargo issue I believe it became enabled on more platforms such as Debian used in our Docker, resulting in "Corruption detected" errors on stage.

This grpc.io issue suggests it could still be an issue. We could try enabling it again and see if the issue persists. Like I mentioned earlier, we would probably want it on by default in Cargo.toml so all tests run against it.

Another potential alternative we could try is using rusttls for reqwest instead.

[ethowitz]

Tokenserver's "test mode" stubbed out the main token verifiers for fake ones, prevent us from being able to test the verifiers themselves with integration tests. I removed the test mode in favor of adding a local server that mocks responses from FxA. This way, we don't need to stub out the verifiers in the Rust code.

[ethowitz]

I figured it made sense not to have to maintain documentation in two places

[ethowitz]

Due to serde/Rust's type system, there is some deviation between how the old and new Tokenserver handles a faulty FxA response. For certain situations (e.g. a fxa-generation claim that isn't an integer), the old Tokenserver returns a 401, but for others (e.g. FxA responds with malformed JSON), it returns a 503. I would have had to write a pretty lengthy custom Deserializer to handle these cases the same way, and I figured it would be better just to handle all of them as 503 errors anyway, since they would be errors internal to Sync.

[ethowitz]

The old Tokenserver manually checks to see if the status field is set to "okay", but I am relying on serde's support for internally-tagged enums to express this check in the type system. A status other than "okay" or "failure" would result in a 503 error (which differs from the old Tokenserver, which would return a 401), but the structure of error vs success responses is well-documented, and it seemed reasonable to me to implement it this way. I think it should be considered an internal error if FxA sends us an errant status.

[ethowitz]

I use a custom deserializer here to differentiate between missing fields and null fields, since these cases are handled differently.

[jrconlin]

Wouldn't a missing field be an error?

[ethowitz]

These fields aren't mandatory, and I think older clients may not send them. The legacy Tokenserver is built to handle situations where the fields aren't sent: https://github.com/mozilla-services/tokenserver/blob/master/tokenserver/views.py#L355-L361

[jrconlin]

Ok, I think I understand the problem. My apologies if I'm stating the obvious.

All of these values are optional.
If they are present, they can either be Null or a value.
There is handling logic present for all of these cases.

As I understand, json_serde translates Some(()) as equivalent to Null. The problem is that once the value has been deserialized, that bit of information is potentially lost since typing doesn't have the concept of Null. Your solution is to double-wrap the value and let the outside Option indicate if the value is Present or Not, with the inner Option indicate if the value is set or Null. The only other option would be to keep the values as serde_json::Value and then do is_null() / as_*() on demand.

I don't really think there's a great solution here, but I do think we absolutely need to document this so that folks later understand what's going on.

[ethowitz]

Yup, that's it. I'll definitely add some more comments to make it more obvious whats going on 👍🏻

[ethowitz]

The old Tokenserver sets a timeout attribute on the OAuth client object, but I don't see such an attribute referenced in the code: https://github.com/mozilla/PyFxA/blob/main/fxa/oauth.py#L24

[ethowitz]

This is comparable to this method on the old Tokenserver. Note that the Python function throws a number of different exceptions, which are turned into errors reported to the client here

[ethowitz]

The unit and integration tests previously set the client state equal to "aaa" (which is not valid hex), even though the client state is stored in the database as hex. I updated the client state values throughout the unit and integration tests to improve the consistency and make things easier to understand.

[ethowitz]

Open to suggestions here...I wanted to just compare the options themselves using comparison operators, but the semantics of Option's impl for PartialOrd didn't work for my use case: https://play.rust-lang.org/?version=stable&mode=debug&edition=2021&gist=2073cf8cbebae1806f073b04c3110dd2

[pjenvey]

I noticed you could also use matches! to reduce the nested scopes instead.

https://github.com/mozilla-services/syncstorage-rs/compare/feat/tokenserver-add-browserid-support-pjenvey-matches

I think I find the matches! version easier to understand but that's debatable 😃 (cargo fmt definitely disagrees since it's a macro).

[ethowitz]

I tried my hand at writing my own (very simple) opt_cmp! macro to accomplish something similar, but IMO it's a bit more readable. It lets you do something like opt_cmp!(opta < optb), where opta and optb are both Options. Let me know what you think!

[ethowitz]

This was a bug :(

[ethowitz]

But it was caught by the integration tests :)

[ethowitz]

We run all the local tests with both BrowserID and OAuth requests to be extra safe here

[ethowitz]

These mock verify endpoints work the same way as this mock server from the old Tokenserver's load tests. Instead of sending an opaque JWT token, the client sending the request to Tokenserver encodes the response it desires from FxA in the Authorization header (e.g. Authorization: { "body": { .. }, "status": 200 })

Note that this server is stubbing out FxA, so the flow is:
User --> Tokenserver --> FxA

Tokenserver is oblivious to the fact that the client is sending it bogus tokens since it just passes it along to the verification server.

[pjenvey]

I'll note that I see one exception reported from the mock verifier during the docker compose e2e tests -- is it expected?

[ethowitz]

That exception is from a test that sends it improperly-formatted JSON -- an exception is thrown by json.loads and a 5XX error is returned. Do you think we should catch that exception and return a response explicitly?

[ethowitz]

_build_oauth_headers() and _build_browserid_headers() are responsible for building the bogus auth headers I referenced here

[jrconlin]

you've got a pattern where you call this, then add a bunch of extra headers. Have you thought about just setting headers, then updating from kwargs so you could add the extra headers to the function arguments?

[ethowitz]

That's way better :) My Python skills are rusty

[ethowitz]

If Py didn't use an Arc internally, we'd need to use one here to maintain keep-alive connections between threads

[ethowitz]

https://docs.rs/pyo3/0.15.1/pyo3/struct.Py.html#impl-Clone

[ethowitz]

The async request client does use an Arc internally, but I specifically chose to use the blocking client. We don't want these BrowserID requests to FxA happening on Actix's worker threads; instead, I use web::block to invoke the requests on threads in the blocking threadpool. If I had used the async client, I would have had to wrap each request invocation with web::block(futures::executor::block_on(|| { .. })) instead of simply using web::block.

[pjenvey]

We don't want these BrowserID requests to FxA happening on Actix's worker threads;

Why not? The verify method is async so it seems we could use the async reqwest client -- .awaiting it instead of the block/block_on combo.

[ethowitz]

Ah I think I had myself confused. Since the requests are async, it's okay if they run on the worker threads since they wouldn't be blocking them. Thanks for the catch

[jrconlin]

will continue review tomorrow, but need to reboot and don't want to lose these.

[jrconlin]

half wondering if pairing up the common args might make the difference stand out a bit more.

e.g.

cargo install --path . --locked --root /app --features grpcio/openssl && \
cargo install --path . --locked --root /app --features grpcio/openssl --bin purge_ttl 

[jrconlin]

Yes. Along with a comment explaining why you're including the feature.
(Remember, future folks in a hurry will not read everything, so repeating important points is very useful)

[jrconlin]

I don't think we want to eat this error, do we?
If the request build failed, shouldn't we pass along the error that is reported rather than just "something went wrong 🤷🏻‍♀️"

[ethowitz]

Oof, I think I included this as a temporary measure while I was still working on the feature and forgot to clean it up. Thanks for the catch

[ethowitz]

Actually after looking a bit more closely, this is just the code that creates the request client on startup -- we're already returning (panicking with) a descriptive error here if we run into problems. Do you still think we'd benefit from returning something here?

[jrconlin]

Might want to fix the error on line 204. That should be a - run: instead of = run:

(it's an old bug.)

[jrconlin]

I'm confused why you're wrapping the value in a double Option, and it seems a bit confusing. What you're saying is that the value can either be None or None or i64, right?

It might be better to present this as Result<Option<i64>>? That would also keep us from potentially eating errors.

[ethowitz]

Related to this thread

The second Option indicates whether the field was present or not in the JSON returned by FxA. I chose to use an Option here instead of a Result because it's not actually an error if one of these fields is missing in the response

[jrconlin]

Wouldn't a missing field be an error?

[jrconlin]

you've got a pattern where you call this, then add a bunch of extra headers. Have you thought about just setting headers, then updating from kwargs so you could add the extra headers to the function arguments?

[pjenvey]

still working my way through this one, sorry

[pjenvey]

We don't want these BrowserID requests to FxA happening on Actix's worker threads;

Why not? The verify method is async so it seems we could use the async reqwest client -- .awaiting it instead of the block/block_on combo.

[pjenvey]

nit: You might be able to kill this block entirely by using error_for_status along with including e.is_status() along w/ the if e.is_connect check.

[ethowitz]

ooo nice catch!

[pjenvey]

No request for changes here but I'll just note I like using serde's json! macro for these things (you would need to to_string() its result if you really need the text version). The downside however, as with any macro, is potentially added compile times.

[pjenvey]

Might this still need a sleep like e2e.mysql continues to have?

[ethowitz]

Ah yeah, my removing that was not intentional 😅

[pjenvey]

nit: can save a clone here

Suggested change

	let device_id = auth_data
	.device_id
	.clone()
	.unwrap_or_else(|| "none".to_owned());
	hash_device_id(&hashed_fxa_uid, &device_id, fxa_metrics_hash_secret)
	let device_id = auth_data.device_id.as_deref().unwrap_or("none");
	hash_device_id(&hashed_fxa_uid, device_id, fxa_metrics_hash_secret)

[pjenvey]

I'll note that I see one exception reported from the mock verifier during the docker compose e2e tests -- is it expected?

[pjenvey]

let's also set a connect_timeout as well.

[pjenvey]

I noticed you could also use matches! to reduce the nested scopes instead.

https://github.com/mozilla-services/syncstorage-rs/compare/feat/tokenserver-add-browserid-support-pjenvey-matches

I think I find the matches! version easier to understand but that's debatable 😃 (cargo fmt definitely disagrees since it's a macro).

[ethowitz]

I had to revert this back because it wasn't handling 2XX errors other than 200 correctly (the old Tokenserver returns a 503 to the client if FxA returns anything other than a 200, not just anything other than a 2XX)

[ethowitz]

@pjenvey @jrconlin Rebased! Ready for another pass whenever you get a chance

[pjenvey]

Suggested change

	.timeout(Duration::new(settings.fxa_browserid_request_timeout, 0))
	.connect_timeout(Duration::new(settings.fxa_browserid_connect_timeout, 0))
	.timeout(Duration::from_secs(settings.fxa_browserid_request_timeout))
	.connect_timeout(Duration::from_secs(settings.fxa_browserid_connect_timeout))

[pjenvey]

Nit: it does live in core but since it's reimported into std it's usually referenced from there instead.

Suggested change

	use core::time::Duration;
	use std::time::Duration;

[pjenvey]

is this clone needed?

Suggested change

	let verify_output = state.browserid_verifier.clone().verify(assertion).await?;
	let verify_output = state.browserid_verifier.verify(assertion).await?;

[ethowitz]

Ah no, that was from a previous iteration when I was passing the verifier into another thread. Thanks for the catch!

[pjenvey]

Finally tracked down the issue I was thinking of: syncstorage-rs#766 (CC: @jrconlin).

Basically: we enabled openssl narrowed to solely on Ubuntu. Due to a cargo issue I believe it became enabled on more platforms such as Debian used in our Docker, resulting in "Corruption detected" errors on stage.

This grpc.io issue suggests it could still be an issue. We could try enabling it again and see if the issue persists. Like I mentioned earlier, we would probably want it on by default in Cargo.toml so all tests run against it.

Another potential alternative we could try is using rusttls for reqwest instead.

[pjenvey]

This looks pretty good 👍 with a big caveat on switching to openssl (see by above comment).

[ethowitz]

@pjenvey Are we reasonably confident that rusttls is safe? If so, it's probably easiest just to use that

[pjenvey]

@pjenvey Are we reasonably confident that rusttls is safe? If so, it's probably easiest just to use that

In the past foxsec has recommended sticking with more proven options like openssl/necko. I don't recall if they explicitly veto'd rustls usage though, we could ping them about its usage here. Plus it's had an audit and a significant effort put into it recently.

(if this is even an option, I noted in slack you had issues trying rustls previously w/ reqwest)

[pjenvey]

thanks Ethan!