App layer crypto codec #780
Conversation
…t/realm into app-layer-crypto-codec
Hasn't been an issue the last four commits. |
|
|
||
| // TODO: Find a better way | ||
| // This is terrible, slow, and should never be used. | ||
| func goid() (int, error) { |
| Value string | ||
| } | ||
|
|
||
| type Secrets struct { |
There was a problem hiding this comment.
No, use this:
type Secrets []Secret
| @@ -81,14 +82,17 @@ tokio-stream = "0.1.9" | |||
| tokio-test = "*" | |||
| tokio-util = { version = "0.7.10", features = ["io"] } | |||
| tonic = { git = "https://github.com/hyperium/tonic.git", rev = "07e4ee1" } | |||
| tonic-build = "0.10" | |||
| tonic-build = { git = "https://github.com/hyperium/tonic.git", rev = "c783652" } # Needed git for `.codec_path` in build.rs - previous version of codec setting is really gross. https://github.com/hyperium/tonic/blob/ea8cd3f384e953e177f20a62aa156a75676853f4/examples/build.rs#L44 | |||
There was a problem hiding this comment.
do we still need this/can we update our tonic version?
| **We strongly recommend building agents inside the provided devcontainer `.devcontainer`** | ||
| Building in the dev container limits variables that might cause issues and is the most tested way to compile. | ||
|
|
||
| **Imix requires a server public key so it can encrypt messsages to and from the server check the server log for `[INFO] Public key: <SERVER_PUBKEY>`** |
There was a problem hiding this comment.
note: should be base64 (DIR?) encoded; regardless we should mention the encoding and maybe include that in the name of the env variable
| /* Compile-time constant for the server pubkey, derived from the IMIX_SERVER_PUBKEY environment variable during compilation. | ||
| * To find the servers pubkey check the startup messages on the server look for `[INFO] Public key: <SERVER_PUBKEY>` | ||
| */ | ||
| static SERVER_PUBKEY: [u8; 32] = const_decode::Base64.decode(env!("IMIX_SERVER_PUBKEY").as_bytes()); |
There was a problem hiding this comment.
what happens if env var not set/not correct size - like empty? does it fail at compile time or does it 0 append or does it disable app-layer crypto?
| .lock() | ||
| .unwrap() // Mutex's must unwrap | ||
| .get(&pub_key) | ||
| .context("Key not found")?; |
There was a problem hiding this comment.
a bit more detail in the comments and in the error itself here around what the key is used for, why is there a key history, and how it functions.
| if !buf.has_remaining_mut() { | ||
| // Can't add to the buffer. | ||
| #[cfg(debug_assertions)] | ||
| log::debug!("DANGER can't add to the buffer."); |
There was a problem hiding this comment.
continue anyway? maybe add to the comment how this alters behavior
| secretsManager, err = secrets.NewDebugFileSecrets(EnvSecretsManagerPath.String()) | ||
| } | ||
| if err != nil { | ||
| log.Printf("[ERROR] Unable to setup secrets manager\n") |
There was a problem hiding this comment.
log the error, remove new line(unneeded), maybe return/fatal?
| priv_key_string, err := secretsManager.GetValue("tavern_encryption_private_key") | ||
| if err != nil { | ||
| // Generate a new one if it doesn't exist | ||
| pub_key, priv_key, err := generate_key_pair() |
There was a problem hiding this comment.
nit: no snake case switch all names to camel case
| return nil, nil | ||
| } | ||
|
|
||
| priv_key_bytes, err := x509.MarshalPKCS8PrivateKey(priv_key) |
There was a problem hiding this comment.
nit: no snake case switch all names to camel case
| if err != nil { | ||
| log.Printf("[ERROR] Unable to parse private key %v\n", err) | ||
| } | ||
| priv_key := tmp.(*ecdh.PrivateKey) |
There was a problem hiding this comment.
nit: no snake case switch all names to camel case
| } | ||
| priv_key := tmp.(*ecdh.PrivateKey) | ||
|
|
||
| public_key, err := x22519.NewPublicKey(priv_key.PublicKey().Bytes()) |
There was a problem hiding this comment.
nit: no snake case switch all names to camel case
What type of PR is this?
/kind feature
What this PR does / why we need it:
REALM_tavern_encryption_private_keyTODO
env!Which issue(s) this PR fixes: