Hrana server authentication #235
Conversation
sqld/src/hrana/mod.rs
Outdated
|
|
||
| pub fn load_jwt_key(path: &Path) -> Result<jsonwebtoken::DecodingKey> { | ||
| let data = fs::read(path)?; | ||
| if data.starts_with(b"-----BEGIN PUBLIC KEY-----") { | ||
| jsonwebtoken::DecodingKey::from_ed_pem(&data) | ||
| .context("Could not decode Ed25519 public key from PEM") | ||
| } else if data.starts_with(b"-----BEGIN PRIVATE KEY-----") { | ||
| bail!("Received a private key, but a public key is expected") | ||
| } else if data.starts_with(b"-----BEGIN") { | ||
| bail!("Key is in unsupported PEM format") | ||
| } else if let Ok(data_str) = str::from_utf8(&data) { | ||
| jsonwebtoken::DecodingKey::from_ed_components(&data_str) | ||
| .context("Could not decode Ed25519 public key from base64") | ||
| } else { | ||
| bail!("Key is in an unsupported binary format") | ||
| } | ||
| } |
There was a problem hiding this comment.
This code would certainly be useful in the auth mod!
There was a problem hiding this comment.
The code in http/auth.rs seems to implement a diferent mechanism, instead of passing an argument pointing to a file with Ed25519 pubkey, we pass an argument that directly contains a base64-encoded RSA pubkey in PKCS#8 (which is awkwardly decoded by wrapping it in PEM headers and parsing it as PEM). However, the JWT auth in HTTP is not yet used in Turso, so perhaps we can use the Hrana mechanism also in HTTP?
There was a problem hiding this comment.
Wait now that you mention it, I'm wondering if moving files to the deployed machines is desirable? It's probably easier to pass this value as an environment variable on provisioning
There was a problem hiding this comment.
There was a problem hiding this comment.
We do a similar thing with TLS certificates and keys for gRPC: they are passed as env variables to the container and the entrypoint script stores them in temporary files and passes the paths to these files to sqld via the command line arguments.
Now that I think about it again, this is rather silly: it would be better if all keys/certs were passed to sqld in one of two ways:
- With a command line argument pointing to a file (useful when you run sqld standalone)
- With an env variable containing the data (useful when you run sqld in a container)
However, I'm not sure how we could implement this scheme with clap?
There was a problem hiding this comment.
Maybe @CodingDoug and @athoscouto input would be useful here
There was a problem hiding this comment.
I added the option of passing the key directly in env SQLD_HRANA_JWT_KEY, so we won't need to create temporary files in a container.
honzasp
force-pushed
the
hrana-auth
branch
3 times, most recently
from
141d78a to
b7fbf40
Compare
honzasp
force-pushed
the
hrana-auth
branch
3 times, most recently
from
cfbb62a to
7459d64
Compare
|
bors merge |
|
Merge conflict. |
|
bors merge |
|
Build succeeded: |
Implement authentication in Hrana using JWTs. An Ed25519 public key is passed to sqld using
--hrana-jwt-key-file, and the received JWT is verified using this key. We ignore the claims, except by validating the expiration inexp.I also added a helper script
scripts/gen_jwt.pyto generate the key and a JWT.This PR is stacked on top of #231.