feat(runtime): enhance the access protection security model #452
Conversation
|
|
||
| When building a distributed application, you don't want all functions to be available by the outside world. Some functions are only used internally by other segments. To protect the access to these functions, Jitar provides a `secret` property in the [runtime services](../fundamentals/runtime-services#node). This secret is used to create trusted clients. Trusted clients can access functions with the `protected` access level. | ||
|
|
||
| Any client that wants to access a protected function must provide a valid access key. The access key needs to be added to the http header `x-access-key`. Any node that has a valid access key is considered a trusted client, and automatically adds the access key to the http header of outgoing requests. Any node that doesn't have a valid access key is considered an untrusted client and can only access `public` functions. |
There was a problem hiding this comment.
The header X-Access-Key is, in a security context, generic enough to conflict with other systems (I know systems that use this header too). My suggestion would be to make it more jitar specific, like: X-Jitar-Protected-Access-Key.
There was a problem hiding this comment.
Good suggestion, I changed the header key.
| @@ -115,6 +115,7 @@ The following configuration properties are available: | |||
| * repository - url of the repository (required). | |||
| * segments - list of segment names to load (optional, loads all segments by default). | |||
| * middlewares - list of [middleware modules](../develop/middleware.md) to load (optional). | |||
| * secret - shared secret for creating trusted clients (optional). | |||
There was a problem hiding this comment.
How do the terms secret and access key relate to each other? Can we use a singe term for both to make things more clear?
There was a problem hiding this comment.
The string I've used is trustKey, because the key builds trust between the nodes and the gateway, allowing them to access protected procedures.
There was a problem hiding this comment.
Is it more clear to rename this segment to protected.segment.json?
There was a problem hiding this comment.
There is also a private procedure in there, and it's still related to the game folder in the source. This keeps everything aligned, just as it is in the other examples.
There was a problem hiding this comment.
Is it more clear to rename this segment to public.segment.json
| @@ -25,6 +25,22 @@ export default class Procedure | |||
| return implementations.some(implementation => implementation.public); | |||
| } | |||
|
|
|||
| get protected() | |||
| { | |||
There was a problem hiding this comment.
Should we mention this in the docs?
|
|
||
| return this.#gateway.run(request); | ||
| } | ||
|
|
||
| async #runProcedure(procedure: Procedure, request: Request): Promise<Response> | ||
| { | ||
| const secret = request.headers.get('x-access-key'); |
There was a problem hiding this comment.
| const secret = request.headers.get('x-access-key'); | |
| const secret = request.getHeader('x-access-key'); |
There was a problem hiding this comment.
I'm missing a test for a failing registration of a node, and protected related test in the local node spec.
|
|
||
| When building a distributed application, you don't want all functions to be available by the outside world. Some functions are only used internally by other segments. To protect the access to these functions, Jitar provides a `trustKey` property in the [runtime services](../fundamentals/runtime-services#node). This key is used to create trusted clients. Trusted clients can access functions with the `protected` access level. | ||
|
|
||
| Any client that wants to access a protected function must provide a valid key. It needs to be added to the http header `X-Jitar-Protected-Access-Key`. Any node that has a valid key is automatically considered a trusted client, and adds the access key to the http header of outgoing requests. Any node that doesn't have a valid access key is considered an untrusted client and can only access `public` functions. |
There was a problem hiding this comment.
As discussed, we'll use X-Jitar-Trust-Key to make it consistent with the used property.
There was a problem hiding this comment.
The key has been changed in the code, but not in the docs yet.
| @@ -3,5 +3,5 @@ import ProcedureRuntime from './ProcedureRuntime.js'; | |||
|
|
|||
| export default abstract class Node extends ProcedureRuntime | |||
| { | |||
| get trustKey(): string | undefined { return undefined; } | |||
There was a problem hiding this comment.
Can we make this property abstract, so the remote node also gets an explicit implementation?
|
|
||
| // Run the protected function with key (succeeds) | ||
| GET http://localhost:3000/rpc/game/checkSecret?secret=123 HTTP/1.1 | ||
| X-Jitar-Protected-Access-Key: VERY_SECRET_KEY |
There was a problem hiding this comment.
| X-Jitar-Protected-Access-Key: VERY_SECRET_KEY | |
| X-Jitar-Trust-Key: VERY_SECRET_KEY |
|
|
||
| When building a distributed application, you don't want all functions to be available by the outside world. Some functions are only used internally by other segments. To protect the access to these functions, Jitar provides a `trustKey` property in the [runtime services](../fundamentals/runtime-services#node). This key is used to create trusted clients. Trusted clients can access functions with the `protected` access level. | ||
|
|
||
| Any client that wants to access a protected function must provide a valid key. It needs to be added to the http header `X-Jitar-Protected-Access-Key`. Any node that has a valid key is automatically considered a trusted client, and adds the access key to the http header of outgoing requests. Any node that doesn't have a valid access key is considered an untrusted client and can only access `public` functions. |
There was a problem hiding this comment.
The key has been changed in the code, but not in the docs yet.
petermasking
deleted the
448-enhance-the-access-protection-security-model
branch
Fixes #448
Changes proposed in this pull request:
@MaskingTechnology/jitar