Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make TLS and Authorization Configuration Fields Optional #589

Open
wants to merge 12 commits into
base: dev
Choose a base branch
from
Open

Make TLS and Authorization Configuration Fields Optional #589

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
9fb64ac
feat: Add optional fields for TLS private key and certificate paths
yorozunouchu Sep 11, 2024
f500ef3
Add optional field for whitelist_csv_path
funkyenough Sep 11, 2024
920e5a7
Merge branch 'tlsnotary:main' into notary-server-configration
yorozunouchu Sep 11, 2024
275bbb8
Merge branch 'notary-server-configration' of https://github.com/yoroz…
funkyenough Sep 11, 2024
8429035
fix test cases for whitelist_csv_path
funkyenough Sep 18, 2024
77d5d99
Merge branch 'main' of https://github.com/tlsnotary/tlsn into notary-…
funkyenough Oct 19, 2024
9b38607
fix issues pointed out by yuroitaki
funkyenough Oct 19, 2024
2f168c7
Merge branch 'dev' into notary-server-configration
yorozunouchu Oct 31, 2024
3348797
Add error handling for missing PEM paths when TLS is enabled
yorozunouchu Oct 31, 2024
e3388b9
Fix formatting and linting
funkyenough Nov 14, 2024
c966cf2
Merge branch 'dev' into notary-server-configration
funkyenough Nov 14, 2024
9662f70
throw error if pem files do not exist
funkyenough Nov 14, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions crates/notary/server/src/config.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ pub struct AuthorizationProperties {
/// Switch to turn on or off auth middleware
pub enabled: bool,
/// File path of the whitelist API key csv
pub whitelist_csv_path: String,
pub whitelist_csv_path: Option<String>,
}

#[derive(Clone, Debug, Deserialize, Default)]
Expand Down Expand Up @@ -53,8 +53,8 @@ pub struct TLSProperties {
/// turned on unless TLS is handled by external setup e.g. reverse proxy,
/// cloud)
pub enabled: bool,
pub private_key_pem_path: String,
pub certificate_pem_path: String,
pub private_key_pem_path: Option<String>,
pub certificate_pem_path: Option<String>,
}

#[derive(Clone, Debug, Deserialize, Default)]
Expand Down
70 changes: 45 additions & 25 deletions crates/notary/server/src/server.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -61,11 +61,19 @@ pub async fn run_server(config: &NotaryServerProperties) -> Result<(), NotarySer
debug!("Skipping TLS setup as it is turned off.");
None
} else {
let (tls_private_key, tls_certificates) = load_tls_key_and_cert(
&config.tls.private_key_pem_path,
&config.tls.certificate_pem_path,
)
.await?;
let private_key_pem_path = config
.tls
.private_key_pem_path
.as_deref()
.ok_or_else(|| eyre!("TLS is enabled but private key PEM path is not set"))?;
let certificate_pem_path = config
.tls
.certificate_pem_path
.as_deref()
.ok_or_else(|| eyre!("TLS is enabled but certificate PEM path is not set"))?;

let (tls_private_key, tls_certificates) =
load_tls_key_and_cert(private_key_pem_path, certificate_pem_path).await?;

let mut server_config = ServerConfig::builder()
.with_safe_defaults()
Expand Down Expand Up @@ -293,11 +301,17 @@ fn load_authorization_whitelist(
debug!("Skipping authorization as it is turned off.");
None
} else {
// Check if whitelist_csv_path is Some and convert to &str
let whitelist_csv_path = config
.authorization
.whitelist_csv_path
.as_deref()
.ok_or_else(|| {
eyre!("Authorization whitelist csv path is not provided in the config")
})?;
// Load the csv
let whitelist_csv = parse_csv_file::<AuthorizationWhitelistRecord>(
&config.authorization.whitelist_csv_path,
)
.map_err(|err| eyre!("Failed to parse authorization whitelist csv: {:?}", err))?;
let whitelist_csv = parse_csv_file::<AuthorizationWhitelistRecord>(whitelist_csv_path)
.map_err(|err| eyre!("Failed to parse authorization whitelist csv: {:?}", err))?;
// Convert the whitelist record into hashmap for faster lookup
let whitelist_hashmap = authorization_whitelist_vec_into_hashmap(whitelist_csv);
Some(whitelist_hashmap)
Expand Down Expand Up @@ -347,12 +361,18 @@ fn watch_and_reload_authorization_whitelist(
)
.map_err(|err| eyre!("Error occured when setting up watcher for hot reload: {err}"))?;

// Check if whitelist_csv_path is Some and convert to &str
let whitelist_csv_path = config
.authorization
.whitelist_csv_path
.as_deref()
.ok_or_else(|| {
eyre!("Authorization whitelist csv path is not provided in the config")
})?;

// Start watcher to listen to any changes on the whitelist file
watcher
.watch(
Path::new(&config.authorization.whitelist_csv_path),
RecursiveMode::Recursive,
)
.watch(Path::new(whitelist_csv_path), RecursiveMode::Recursive)
.map_err(|err| eyre!("Error occured when starting up watcher for hot reload: {err}"))?;

Some(watcher)
Expand Down Expand Up @@ -404,7 +424,7 @@ mod test {
let config = NotaryServerProperties {
authorization: AuthorizationProperties {
enabled: true,
whitelist_csv_path,
whitelist_csv_path: Some(whitelist_csv_path.clone()),
},
..Default::default()
};
Expand All @@ -428,16 +448,16 @@ mod test {
api_key: "unit-test-api-key".to_string(),
created_at: "unit-test-created-at".to_string(),
};
let file = OpenOptions::new()
.append(true)
.open(&config.authorization.whitelist_csv_path)
.unwrap();
let mut wtr = WriterBuilder::new()
.has_headers(false) // Set to false to avoid writing header again
.from_writer(file);
wtr.serialize(new_record).unwrap();
wtr.flush().unwrap();

if let Some(ref path) = config.authorization.whitelist_csv_path {
let file = OpenOptions::new().append(true).open(path).unwrap();
let mut wtr = WriterBuilder::new()
.has_headers(false) // Set to false to avoid writing header again
.from_writer(file);
wtr.serialize(new_record).unwrap();
wtr.flush().unwrap();
} else {
panic!("Whitelist CSV path should be provided in the config");
}
// Sleep to buy a bit of time for updated whitelist to be hot reloaded
tokio::time::sleep(Duration::from_millis(50)).await;

Expand All @@ -448,6 +468,6 @@ mod test {
.contains_key("unit-test-api-key"));

// Delete the cloned whitelist
std::fs::remove_file(&config.authorization.whitelist_csv_path).unwrap();
std::fs::remove_file(&whitelist_csv_path).unwrap();
}
}
6 changes: 3 additions & 3 deletions crates/notary/tests-integration/tests/notary.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,8 +52,8 @@ fn get_server_config(port: u16, tls_enabled: bool, auth_enabled: bool) -> Notary
},
tls: TLSProperties {
enabled: tls_enabled,
private_key_pem_path: "../server/fixture/tls/notary.key".to_string(),
certificate_pem_path: "../server/fixture/tls/notary.crt".to_string(),
private_key_pem_path: Some("../server/fixture/tls/notary.key".to_string()),
certificate_pem_path: Some("../server/fixture/tls/notary.crt".to_string()),
},
notary_key: NotarySigningKeyProperties {
private_key_pem_path: "../server/fixture/notary/notary.key".to_string(),
Expand All @@ -65,7 +65,7 @@ fn get_server_config(port: u16, tls_enabled: bool, auth_enabled: bool) -> Notary
},
authorization: AuthorizationProperties {
enabled: auth_enabled,
whitelist_csv_path: "../server/fixture/auth/whitelist.csv".to_string(),
whitelist_csv_path: Some("../server/fixture/auth/whitelist.csv".to_string()),
},
}
}
Expand Down