refactor(turborepo): Signature Authentication (2nd try)

.cargo/config.toml

@@ -8,8 +8,8 @@ linker = "rust-lld"
 xtask = "run --package xtask --"
 tr-build = "build -p turbo"
 tr-run = "run -p turbo"
-tr-test = "test -p turborepo-* -p turbopath -p vercel-api-mock --features rustls-tls"
-tr-check = "check -p turbo -p vercel-api-mock"
+tr-test = "test -p turborepo-* -p turbopath -p vercel-api-mock -p turborepo-cache --features rustls-tls"
+tr-check = "check -p turbo -p vercel-api-mock -p turborepo-ffi"
 # Builds all test code to check for compiler errors before running
 tp-pre-test = "nextest run --no-run --workspace --release --exclude turbo --exclude turborepo-* --exclude turbopath --exclude vercel-api-mock"
 tp-test = "nextest run --workspace --release --no-fail-fast --exclude turbo --exclude turborepo-* --exclude turbopath --exclude vercel-api-mock"

.github/workflows/test.yml

@@ -100,6 +100,7 @@ jobs:
             !crates/pidlock/**
             !crates/turborepo/**
             !crates/turborepo-api-client/**
+            !crates/turborepo-cache/**
             !crates/turborepo-lib/**
             !crates/turborepo-ffi/**
             !crates/turborepo-scm/**
@@ -128,6 +129,7 @@ jobs:
             crates/pidlock/**
             crates/turborepo/**
             crates/turborepo-api-client/**
+            crates/turborepo-cache/**
             crates/turborepo-lib/**
             crates/turborepo-ffi/**
             crates/turborepo-scm/**

Cargo.toml

@@ -12,6 +12,7 @@ members = [
   "crates/glob-match",
   "crates/turborepo",
   "crates/turborepo-api-client",
+  "crates/turborepo-cache",
   "crates/turborepo-ffi",
   "crates/turborepo-fs",
   "crates/turborepo-lib",
@@ -125,6 +126,7 @@ turbopack-tests = { path = "crates/turbopack-tests" }
 turbopath = { path = "crates/turbopath" }
 turborepo = { path = "crates/turborepo" }
 turborepo-api-client = { path = "crates/turborepo-api-client" }
+turborepo-cache = { path = "crates/turborepo-cache" }
 turborepo-ffi = { path = "crates/turborepo-ffi" }
 turborepo-fs = { path = "crates/turborepo-fs" }
 turborepo-lib = { path = "crates/turborepo-lib" }

cli/internal/cache/cache_http.go

@@ -277,7 +277,7 @@ func newHTTPCache(opts Opts, client client, recorder analytics.Recorder, repoRoo
 		signerVerifier: &ArtifactSignatureAuthentication{
 			// TODO(Gaspar): this should use RemoteCacheOptions.TeamId once we start
 			// enforcing team restrictions for repositories.
-			teamId:  client.GetTeamID(),
+			teamID:  client.GetTeamID(),
 			enabled: opts.RemoteCacheOpts.Signature,
 		},
 	}

cli/internal/cache/cache_signature_authentication.go

@@ -7,16 +7,17 @@ import (
 	"crypto/hmac"
 	"crypto/sha256"
 	"encoding/base64"
-	"encoding/json"
 	"errors"
 	"fmt"
 	"hash"
 	"os"
 )
 
 type ArtifactSignatureAuthentication struct {
-	teamId  string
-	enabled bool
+	teamID string
+	// Used for testing purposes
+	secretKeyOverride []byte
+	enabled           bool
 }
 
 func (asa *ArtifactSignatureAuthentication) isEnabled() bool {
@@ -25,12 +26,18 @@ func (asa *ArtifactSignatureAuthentication) isEnabled() bool {
 
 // If the secret key is not found or the secret key length is 0, an error is returned
 // Preference is given to the environment specified secret key.
-func (asa *ArtifactSignatureAuthentication) secretKey() ([]byte, error) {
-	secret := os.Getenv("TURBO_REMOTE_CACHE_SIGNATURE_KEY")
+func (asa *ArtifactSignatureAuthentication) getSecretKey() ([]byte, error) {
+	var secret []byte
+	if asa.secretKeyOverride != nil {
+		secret = asa.secretKeyOverride
+	} else {
+		secret = []byte(os.Getenv("TURBO_REMOTE_CACHE_SIGNATURE_KEY"))
+	}
+
 	if len(secret) == 0 {
 		return nil, errors.New("signature secret key not found. You must specify a secret key in the TURBO_REMOTE_CACHE_SIGNATURE_KEY environment variable")
 	}
-	return []byte(secret), nil
+	return secret, nil
 }
 
 func (asa *ArtifactSignatureAuthentication) generateTag(hash string, artifactBody []byte) (string, error) {
@@ -43,22 +50,13 @@ func (asa *ArtifactSignatureAuthentication) generateTag(hash string, artifactBod
 }
 
 func (asa *ArtifactSignatureAuthentication) getTagGenerator(hash string) (hash.Hash, error) {
-	teamId := asa.teamId
-	secret, err := asa.secretKey()
-	if err != nil {
-		return nil, err
-	}
-	artifactMetadata := &struct {
-		Hash   string `json:"hash"`
-		TeamId string `json:"teamId"`
-	}{
-		Hash:   hash,
-		TeamId: teamId,
-	}
-	metadata, err := json.Marshal(artifactMetadata)
+	teamID := asa.teamID
+	secret, err := asa.getSecretKey()
 	if err != nil {
 		return nil, err
 	}
+	metadata := []byte(hash)
+	metadata = append(metadata, []byte(teamID)...)
 
 	// TODO(Gaspar) Support additional signing algorithms here
 	h := hmac.New(sha256.New, secret)