From 53900afb30b874fe9e8a15e5fc3596694dfe93b7 Mon Sep 17 00:00:00 2001 From: Joey Kraut Date: Wed, 23 Oct 2024 17:43:19 -0700 Subject: [PATCH] auth-server: Add management key and gate key management API --- Cargo.lock | 324 ++++++++++++++---- auth/auth-server-api/src/lib.rs | 4 +- auth/auth-server/Cargo.toml | 11 +- auth/auth-server/src/main.rs | 34 +- auth/auth-server/src/server/api_auth.rs | 13 + .../src/server/handle_key_management.rs | 35 +- auth/auth-server/src/server/helpers.rs | 10 +- auth/auth-server/src/server/mod.rs | 11 +- 8 files changed, 352 insertions(+), 90 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 553456f..4602596 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -283,10 +283,10 @@ dependencies = [ "ark-bn254", "ark-ec", "ark-ff 0.4.2", - "circuit-types", - "circuits", - "common", - "constants", + "circuit-types 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", + "circuits 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", + "common 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", + "constants 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", "contracts-common", "ethers", "itertools 0.12.1", @@ -296,14 +296,14 @@ dependencies = [ "num-traits", "postcard", "rand 0.8.5", - "renegade-crypto", + "renegade-crypto 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", "renegade-metrics", "ruint", "serde", "serde_with", "tokio", "tracing", - "util", + "util 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", ] [[package]] @@ -511,7 +511,7 @@ dependencies = [ [[package]] name = "ark-mpc" version = "0.1.2" -source = "git+https://github.com/renegade-fi/ark-mpc.git#96895f469d4276fb71c01a4887d4b55f539b9297" +source = "git+https://github.com/renegade-fi/ark-mpc#96895f469d4276fb71c01a4887d4b55f539b9297" dependencies = [ "ark-ec", "ark-ff 0.4.2", 
@@ -724,10 +724,10 @@ dependencies = [ "bytes", "chrono", "clap", - "common", + "common 0.1.0", "diesel", "diesel-async", - "external-api", + "external-api 0.1.0", "futures-util", "http 0.2.12", "hyper 0.14.31", @@ -741,7 +741,7 @@ dependencies = [ "tokio", "tokio-postgres", "tracing", - "util", + "util 0.1.0", "uuid 1.11.0", "warp", ] @@ -1642,6 +1642,16 @@ dependencies = [ "zeroize", ] +[[package]] +name = "circuit-macros" +version = "0.1.0" +dependencies = [ + "itertools 0.10.5", + "proc-macro2", + "quote", + "syn 1.0.109", +] + [[package]] name = "circuit-macros" version = "0.1.0" @@ -1653,6 +1663,36 @@ dependencies = [ "syn 1.0.109", ] +[[package]] +name = "circuit-types" +version = "0.1.0" +dependencies = [ + "ark-bn254", + "ark-ec", + "ark-ff 0.4.2", + "ark-mpc", + "ark-serialize 0.4.2", + "async-trait", + "bigdecimal 0.3.1", + "byteorder", + "circuit-macros 0.1.0", + "constants 0.1.0", + "futures", + "hex 0.4.3", + "itertools 0.10.5", + "jf-primitives", + "k256", + "lazy_static", + "mpc-plonk", + "mpc-relation", + "num-bigint", + "num-integer", + "rand 0.8.5", + "renegade-crypto 0.1.0", + "serde", + "serde_json", +] + [[package]] name = "circuit-types" version = "0.1.0" @@ -1666,8 +1706,8 @@ dependencies = [ "async-trait", "bigdecimal 0.3.1", "byteorder", - "circuit-macros", - "constants", + "circuit-macros 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", + "constants 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", "futures", "hex 0.4.3", "itertools 0.10.5", 
@@ -1679,9 +1719,38 @@ dependencies = [ "num-bigint", "num-integer", "rand 0.8.5", - "renegade-crypto", + "renegade-crypto 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", + "serde", + "serde_json", +] + +[[package]] +name = "circuits" +version = "0.1.0" +dependencies = [ + "ark-crypto-primitives", + "ark-ec", + "ark-ff 0.4.2", + "ark-mpc", + "bigdecimal 0.3.1", + "bitvec 1.0.1", + "circuit-macros 0.1.0", + "circuit-types 0.1.0", + "constants 0.1.0", + "futures", + "itertools 0.10.5", + "jf-primitives", + "lazy_static", + "mpc-plonk", + "mpc-relation", + "num-bigint", + "num-integer", + "rand 0.8.5", + "renegade-crypto 0.1.0", "serde", "serde_json", + "tracing", + "util 0.1.0", ] [[package]] @@ -1695,9 +1764,9 @@ dependencies = [ "ark-mpc", "bigdecimal 0.3.1", "bitvec 1.0.1", - "circuit-macros", - "circuit-types", - "constants", + "circuit-macros 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", + "circuit-types 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", + "constants 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", "futures", "itertools 0.10.5", "jf-primitives", @@ -1707,11 +1776,11 @@ dependencies = [ "num-bigint", "num-integer", "rand 0.8.5", - "renegade-crypto", + "renegade-crypto 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", "serde", "serde_json", "tracing", - "util", + "util 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", ] [[package]] 
@@ -1828,6 +1897,45 @@ dependencies = [ "windows-sys 0.48.0", ] +[[package]] +name = "common" +version = "0.1.0" +dependencies = [ + "ark-mpc", + "async-trait", + "base64 0.22.1", + "bimap", + "circuit-types 0.1.0", + "circuits 0.1.0", + "constants 0.1.0", + "contracts-common", + "crossbeam", + "derivative", + "ed25519-dalek 1.0.1", + "ethers", + "hmac", + "indexmap 2.6.0", + "itertools 0.10.5", + "k256", + "lazy_static", + "libp2p", + "libp2p-identity", + "metrics", + "num-bigint", + "num-traits", + "rand 0.8.5", + "renegade-crypto 0.1.0", + "renegade-dealer-api 0.1.0 (git+https://github.com/renegade-fi/renegade-dealer.git)", + "serde", + "serde_json", + "sha2 0.10.8", + "signature 2.2.0", + "tokio", + "tracing", + "util 0.1.0", + "uuid 1.11.0", +] + [[package]] name = "common" version = "0.1.0" @@ -1837,9 +1945,9 @@ dependencies = [ "async-trait", "base64 0.22.1", "bimap", - "circuit-types", - "circuits", - "constants", + "circuit-types 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", + "circuits 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", + "constants 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", "contracts-common", "crossbeam", "derivative", @@ -1856,7 +1964,7 @@ dependencies = [ "num-bigint", "num-traits", "rand 0.8.5", - "renegade-crypto", + "renegade-crypto 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", "renegade-dealer-api 0.1.0 (git+https://github.com/renegade-fi/renegade-dealer.git)", "serde", "serde_json", @@ -1864,7 +1972,7 @@ dependencies = [ "signature 2.2.0", "tokio", "tracing", - "util", + "util 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", "uuid 1.11.0", ] @@ -1889,7 +1997,7 @@ dependencies = [ "serde_json", "tokio", "tracing", - "util", + "util 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", "warp", ] 
@@ -1901,11 +2009,11 @@ dependencies = [ "arbitrum-client", "base64 0.13.1", "bimap", - "circuit-types", + "circuit-types 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", "clap", "colored", - "common", - "constants", + "common 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", + "constants 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", "ed25519-dalek 1.0.1", "ethers", "json", @@ -1917,7 +2025,7 @@ dependencies = [ "toml 0.5.11", "tracing", "url", - "util", + "util 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", ] [[package]] @@ -1945,6 +2053,16 @@ version = "0.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "245097e9a4535ee1e3e3931fcfcd55a796a44c643e8596ff6566d68f09b87bbc" +[[package]] +name = "constants" +version = "0.1.0" +dependencies = [ + "ark-bn254", + "ark-ec", + "ark-ed-on-bn254", + "ark-mpc", +] + [[package]] name = "constants" version = "0.1.0" 
@@ -3004,22 +3122,41 @@ dependencies = [ [[package]] name = "external-api" version = "0.1.0" -source = "git+https://github.com/renegade-fi/renegade.git#e46651ebd6e4031852f3ce28a8e7063d2f0a217d" dependencies = [ "base64 0.22.1", - "circuit-types", - "common", - "constants", + "circuit-types 0.1.0", + "common 0.1.0", + "constants 0.1.0", "ethers", "hex 0.4.3", "http 0.2.12", "itertools 0.10.5", "num-bigint", - "renegade-crypto", + "renegade-crypto 0.1.0", "serde", "serde_json", "thiserror", - "util", + "util 0.1.0", + "uuid 1.11.0", +] + +[[package]] +name = "external-api" +version = "0.1.0" +source = "git+https://github.com/renegade-fi/renegade.git#e46651ebd6e4031852f3ce28a8e7063d2f0a217d" +dependencies = [ + "base64 0.22.1", + "circuit-types 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", + "common 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", + "constants 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", + "ethers", + "hex 0.4.3", + "itertools 0.10.5", + "num-bigint", + "renegade-crypto 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", + "serde", + "serde_json", + "util 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", "uuid 1.11.0", ] @@ -3186,15 +3323,15 @@ dependencies = [ "bb8", "bigdecimal 0.4.5", "bytes", - "circuit-types", - "circuits", + "circuit-types 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", + "circuits 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", "clap", - "common", - "constants", + "common 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", + "constants 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", "diesel", "diesel-async", "ethers", - "external-api", + "external-api 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", "fireblocks-sdk", "funds-manager-api", "futures", 
@@ -3206,14 +3343,14 @@ dependencies = [ "num-bigint", "postgres-native-tls", "rand 0.8.5", - "renegade-crypto", + "renegade-crypto 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", "reqwest 0.12.8", "serde", "serde_json", "tokio", "tokio-postgres", "tracing", - "util", + "util 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", "uuid 1.11.0", "warp", ] @@ -3223,7 +3360,7 @@ name = "funds-manager-api" version = "0.1.0" dependencies = [ "ethers", - "external-api", + "external-api 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", "hex 0.4.3", "hmac", "http 0.2.12", @@ -3450,8 +3587,8 @@ version = "0.1.0" source = "git+https://github.com/renegade-fi/renegade.git#e46651ebd6e4031852f3ce28a8e7063d2f0a217d" dependencies = [ "bincode", - "circuit-types", - "common", + "circuit-types 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", + "common 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", "hmac", "libp2p", "openraft", @@ -3459,7 +3596,7 @@ dependencies = [ "serde_json", "sha2 0.10.8", "tracing", - "util", + "util 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", "uuid 1.11.0", ] @@ -4138,17 +4275,17 @@ version = "0.1.0" source = "git+https://github.com/renegade-fi/renegade.git#e46651ebd6e4031852f3ce28a8e7063d2f0a217d" dependencies = [ "ark-mpc", - "circuit-types", - "circuits", - "common", - "constants", + "circuit-types 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", + "circuits 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", + "common 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", + "constants 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", "crossbeam", - "external-api", + "external-api 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", "gossip-api", "libp2p", "libp2p-core", "tokio", - "util", + "util 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", "uuid 1.11.0", ] 
@@ -5612,10 +5749,10 @@ source = "git+https://github.com/renegade-fi/renegade.git#e46651ebd6e4031852f3ce dependencies = [ "async-trait", "atomic_float 0.1.0", - "common", - "constants", + "common 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", + "constants 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", "create2", - "external-api", + "external-api 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", "futures", "futures-util", "hex 0.3.2", @@ -5634,7 +5771,7 @@ dependencies = [ "tracing", "tungstenite 0.18.0", "url", - "util", + "util 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", "web3", ] @@ -6118,6 +6255,24 @@ dependencies = [ "bytecheck", ] +[[package]] +name = "renegade-crypto" +version = "0.1.0" +dependencies = [ + "ark-ec", + "ark-ff 0.4.2", + "ark-mpc", + "bigdecimal 0.3.1", + "constants 0.1.0", + "ethers-core", + "itertools 0.10.5", + "lazy_static", + "num-bigint", + "rand 0.8.5", + "serde", + "serde_json", +] + [[package]] name = "renegade-crypto" version = "0.1.0" @@ -6127,7 +6282,7 @@ dependencies = [ "ark-ff 0.4.2", "ark-mpc", "bigdecimal 0.3.1", - "constants", + "constants 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", "ethers-core", "itertools 0.10.5", "lazy_static", @@ -6188,13 +6343,13 @@ version = "0.1.0" source = "git+https://github.com/renegade-fi/renegade.git#e46651ebd6e4031852f3ce28a8e7063d2f0a217d" dependencies = [ "atomic_float 1.1.0", - "circuit-types", - "common", + "circuit-types 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", + "common 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", "lazy_static", "metrics", "num-bigint", "tracing", - "util", + "util 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", ] [[package]] 
@@ -6203,9 +6358,9 @@ version = "0.1.0" dependencies = [ "arbitrum-client", "async-trait", - "common", + "common 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", "config", - "external-api", + "external-api 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", "futures-util", "hyper 0.14.31", "matchit", @@ -6218,7 +6373,7 @@ dependencies = [ "tracing", "tracing-subscriber 0.3.18", "tungstenite 0.18.0", - "util", + "util 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", ] [[package]] @@ -7439,7 +7594,7 @@ version = "0.1.0" source = "git+https://github.com/renegade-fi/renegade.git#e46651ebd6e4031852f3ce28a8e7063d2f0a217d" dependencies = [ "bus", - "common", + "common 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", "futures", "serde", "tokio", @@ -8219,6 +8374,43 @@ version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821" +[[package]] +name = "util" +version = "0.1.0" +dependencies = [ + "ark-ec", + "ark-serialize 0.4.2", + "chrono", + "circuit-types 0.1.0", + "constants 0.1.0", + "crossbeam", + "eyre", + "futures", + "hex 0.4.3", + "json", + "libp2p", + "metrics", + "metrics-exporter-statsd", + "metrics-tracing-context", + "metrics-util", + "num-bigint", + "num-traits", + "opentelemetry", + "opentelemetry-datadog", + "opentelemetry-otlp", + "opentelemetry-semantic-conventions", + "opentelemetry_sdk", + "rand 0.8.5", + "renegade-crypto 0.1.0", + "serde", + "serde_json", + "tokio", + "tracing", + "tracing-opentelemetry", + "tracing-serde", + "tracing-subscriber 0.3.18", +] + [[package]] name = "util" version = "0.1.0" @@ -8227,8 +8419,8 @@ dependencies = [ "ark-ec", "ark-serialize 0.4.2", "chrono", - "circuit-types", - "constants", + "circuit-types 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", + "constants 0.1.0 (git+https://github.com/renegade-fi/renegade.git)", "crossbeam", "eyre", "futures", 
@@ -8247,7 +8439,7 @@ dependencies = [
 "opentelemetry-semantic-conventions",
 "opentelemetry_sdk",
 "rand 0.8.5",
- "renegade-crypto",
+ "renegade-crypto 0.1.0 (git+https://github.com/renegade-fi/renegade.git)",
 "serde",
 "serde_json",
 "tokio",
diff --git a/auth/auth-server-api/src/lib.rs b/auth/auth-server-api/src/lib.rs
index 0dfae3d..fcffe20 100644
--- a/auth/auth-server-api/src/lib.rs
+++ b/auth/auth-server-api/src/lib.rs
@@ -6,7 +6,7 @@
 #![deny(clippy::needless_pass_by_ref_mut)]
 #![feature(trivial_bounds)]
-use serde::Deserialize;
+use serde::{Deserialize, Serialize};
 use uuid::Uuid;
 /// The Renegade API key header
@@ -26,7 +26,7 @@ pub const API_KEYS_PATH: &str = "api-keys";
 pub const DEACTIVATE_API_KEY_PATH: &str = "/api-keys/{id}/deactivate";
 /// A request to create a new API key
-#[derive(Debug, Deserialize)]
+#[derive(Debug, Serialize, Deserialize)]
 pub struct CreateApiKeyRequest {
 /// The API key id
 pub id: Uuid,
diff --git a/auth/auth-server/Cargo.toml b/auth/auth-server/Cargo.toml
index b635043..385aad2 100644
--- a/auth/auth-server/Cargo.toml
+++ b/auth/auth-server/Cargo.toml
@@ -26,9 +26,14 @@ rand = "0.8.5"
 # === Renegade Dependencies === #
 auth-server-api = { path = "../auth-server-api" }
-renegade-common = { package = "common", git = "https://github.com/renegade-fi/renegade.git" }
-renegade-util = { package = "util", git = "https://github.com/renegade-fi/renegade.git" }
-renegade-api = { package = "external-api", git = "https://github.com/renegade-fi/renegade.git", features = [
+# renegade-common = { package = "common", git = "https://github.com/renegade-fi/renegade.git" }
+# renegade-util = { package = "util", git = "https://github.com/renegade-fi/renegade.git" }
+# renegade-api = { package = "external-api", git = "https://github.com/renegade-fi/renegade.git", features = [
+# "auth",
+# ] }
+renegade-common = { package = "common", path = "/Users/joeykraut/work/renegade/common" }
+renegade-util = { package = "util", path = "/Users/joeykraut/work/renegade/util" }
+renegade-api = { package = "external-api", path = "/Users/joeykraut/work/renegade/external-api", features = [
 "auth",
 ] }
diff --git a/auth/auth-server/src/main.rs b/auth/auth-server/src/main.rs
index 90f706e..59deada 100644
--- a/auth/auth-server/src/main.rs
+++ b/auth/auth-server/src/main.rs
@@ -17,17 +17,20 @@ pub(crate) mod models;
 pub(crate) mod schema;
 mod server;
-use auth_server_api::API_KEYS_PATH;
+use auth_server_api::{CreateApiKeyRequest, API_KEYS_PATH};
+use bytes::Bytes;
 use clap::Parser;
+use http::HeaderMap;
 use renegade_util::telemetry::configure_telemetry;
 use reqwest::StatusCode;
+use serde::Deserialize;
 use serde_json::json;
 use std::net::SocketAddr;
 use std::sync::Arc;
 use thiserror::Error;
 use tracing::{error, info};
 use uuid::Uuid;
-use warp::{Filter, Rejection, Reply};
+use warp::{filters::path::FullPath, Filter, Rejection, Reply};
 use server::Server;
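Review bot: The three `renegade-*` dependencies in this hunk now point at absolute paths under `/Users/joeykraut/work/renegade/...`, so the crate builds only on one developer's machine, and the git-pinned lines are left commented out rather than replaced. The Cargo.lock hunks above reflect this: the new `common 0.1.0`, `util 0.1.0` and `external-api 0.1.0` entries carry no `source` line, so the build no longer pins those crates to a reviewable upstream commit. Restore the `git = "https://github.com/renegade-fi/renegade.git"` form (ideally with an explicit `rev`) before merging, and keep local `path` overrides in an uncommitted `[patch]` section instead of the manifest.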
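Review bot: `CreateApiKeyRequest`, `Bytes`, `HeaderMap`, `Deserialize` and `FullPath` are added to main.rs's imports, but the route closures in the later hunk leave their parameters untyped (`|path, headers, body, server: Arc|`), so none of these names are used by the visible changes; if nothing else in main.rs uses them they are dead imports that rustc will warn about. Either annotate the closure parameters (`|path: FullPath, headers: HeaderMap, body: Bytes, server: Arc<Server>|`) so the imports earn their place, or drop them.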
@@ -48,6 +51,10 @@ pub struct Cli {
 /// The encryption key used to encrypt/decrypt database values
 #[arg(long, env = "ENCRYPTION_KEY")]
 pub encryption_key: String,
+ /// The management key for the auth server, used to authenticate management
+ /// requests
+ #[arg(long, env = "MANAGEMENT_KEY")]
+ pub management_key: String,
 /// The URL of the relayer
 #[arg(long, env = "RELAYER_URL")]
 pub relayer_url: String,
@@ -86,6 +93,12 @@ impl ApiError {
 pub fn internal(msg: T) -> Self {
 Self::InternalError(msg.to_string())
 }
+
+ /// Create a new bad request error
+ #[allow(clippy::needless_pass_by_value)]
+ pub fn bad_request(msg: T) -> Self {
+ Self::BadRequest(msg.to_string())
+ }
 }
 // Implement warp::reject::Reject for ApiError
@@ -126,17 +139,26 @@ async fn main() {
 // Add an API key
 let add_api_key = warp::path(API_KEYS_PATH)
 .and(warp::post())
- .and(warp::body::json())
+ .and(warp::path::full())
+ .and(warp::header::headers_cloned())
+ .and(warp::body::bytes())
 .and(with_server(server.clone()))
- .and_then(|request, server: Arc| async move { server.add_key(request).await });
+ .and_then(|path, headers, body, server: Arc| async move {
+ server.add_key(path, headers, body).await
+ });
 // Expire an API key
 let expire_api_key = warp::path(API_KEYS_PATH)
 .and(warp::path::param::())
 .and(warp::path("deactivate"))
+ .and(warp::path::full())
+ .and(warp::header::headers_cloned())
+ .and(warp::body::bytes())
 .and(warp::post())
 .and(with_server(server.clone()))
- .and_then(|id: Uuid, server: Arc| async move { server.expire_key(id).await });
+ .and_then(|id, path, headers, body, server: Arc| async move {
+ server.expire_key(id, path, headers, body).await
+ });
 // --- Proxied Routes --- //
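Review bot: The new `management_key` field's doc comment does not say what format the value takes, yet `Server::new` in mod.rs below parses it with `HmacKey::from_base64_string`, so an operator reading the `--help` output has no way to know it must be a base64-encoded HMAC key. Suggest `/// The base64-encoded HMAC key used to authenticate management requests (API key creation and deactivation)`. The neighbouring `encryption_key` doc, unchanged here, has the same gap.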
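Review bot: `add_api_key` has no `warp::path::end()` after `warp::path(API_KEYS_PATH)`, so it matches any POST whose first segment is `api-keys`, including `/api-keys/{id}/deactivate`; with the old `warp::body::json()` such a request fell through to `expire_api_key` when the empty body failed to parse, but `warp::body::bytes()` does not reject on content, which appears to be why the route order is flipped in the `@@ -155` hunk below. Terminating the path is the robust fix and makes the `.or` ordering irrelevant: `let add_api_key = warp::path(API_KEYS_PATH)` / `.and(warp::path::end())` / `.and(warp::post())`. For consistency with `add_api_key`, `expire_api_key` should also check `warp::post()` before extracting the body rather than after it.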
@@ -155,7 +177,7 @@ async fn main() { // Bind the server and listen info!("Starting auth server on port {}", listen_addr.port()); let routes = - ping.or(add_api_key).or(expire_api_key).or(atomic_match_path).recover(handle_rejection); + ping.or(atomic_match_path).or(expire_api_key).or(add_api_key).recover(handle_rejection); warp::serve(routes).bind(listen_addr).await; } diff --git a/auth/auth-server/src/server/api_auth.rs b/auth/auth-server/src/server/api_auth.rs index 894dfeb..d95b4a0 100644 --- a/auth/auth-server/src/server/api_auth.rs +++ b/auth/auth-server/src/server/api_auth.rs @@ -4,13 +4,26 @@ use auth_server_api::RENEGADE_API_KEY_HEADER; use http::HeaderMap; use renegade_api::auth::validate_expiring_auth; use renegade_common::types::wallet::keychain::HmacKey; +use serde::Serialize; use uuid::Uuid; +use warp::filters::path::FullPath; use crate::{error::AuthServerError, ApiError}; use super::{helpers::aes_decrypt, Server}; impl Server { + /// Authorize a management request + pub fn authorize_management_request( + &self, + path: FullPath, + headers: &HeaderMap, + body: &[u8], + ) -> Result<(), ApiError> { + validate_expiring_auth(path.as_str(), headers, body, &self.management_key) + .map_err(|_| ApiError::Unauthorized) + } + /// Authorize a request pub(crate) async fn authorize_request( &self, diff --git a/auth/auth-server/src/server/handle_key_management.rs b/auth/auth-server/src/server/handle_key_management.rs index 0fa3dee..5a34ad9 100644 --- a/auth/auth-server/src/server/handle_key_management.rs +++ b/auth/auth-server/src/server/handle_key_management.rs @@ -2,8 +2,10 @@ use crate::models::NewApiKey; use auth_server_api::CreateApiKeyRequest; +use bytes::Bytes; +use http::HeaderMap; use uuid::Uuid; -use warp::{reject::Rejection, reply::Reply}; +use warp::{filters::path::FullPath, reject::Rejection, reply::Reply}; use crate::ApiError; 
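Review bot: `authorize_management_request` maps every failure from `validate_expiring_auth` to `ApiError::Unauthorized` with `|_|`, so a rejected management-plane request leaves no server-side trace; since this gate protects API key creation and deactivation, failed attempts should at least be logged, e.g. `.map_err(|e| { tracing::warn!("management auth failed: {e}"); ApiError::Unauthorized })`, while the client response stays opaque. The doc comment could also state the contract: `/// Authorize a management request by verifying the expiring HMAC over path, headers and body against the server's management key`. `use serde::Serialize;` does not appear to be used by anything in this hunk. `authorize_request` continues past the end of the hunk.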
@@ -14,18 +16,39 @@ use super::{
 impl Server {
 /// Add a new API key to the database
- pub async fn add_key(&self, req: CreateApiKeyRequest) -> Result {
+ pub async fn add_key(
+ &self,
+ path: FullPath,
+ headers: HeaderMap,
+ body: Bytes,
+ ) -> Result {
+ // Check management auth on the request
+ self.authorize_management_request(path, &headers, &body)?;
+
+ // Deserialize the request
+ let req: CreateApiKeyRequest =
+ serde_json::from_slice(&body).map_err(ApiError::bad_request)?;
+
+ // Add the key to the database
 let encrypted_secret = aes_encrypt(&req.secret, &self.encryption_key)?;
 let new_key = NewApiKey::new(req.id, encrypted_secret, req.description);
- self.add_key_query(new_key)
- .await
- .map_err(|e| warp::reject::custom(ApiError::InternalError(e.to_string())))?;
+ self.add_key_query(new_key).await.map_err(ApiError::internal)?;
 Ok(empty_json_reply())
 }
 /// Expire an existing API key
- pub async fn expire_key(&self, key_id: Uuid) -> Result {
+ pub async fn expire_key(
+ &self,
+ key_id: Uuid,
+ path: FullPath,
+ headers: HeaderMap,
+ body: Bytes,
+ ) -> Result {
+ // Check management auth on the request
+ self.authorize_management_request(path, &headers, &body)?;
+
+ // Expire the key
 self.expire_key_query(key_id)
 .await
 .map_err(|e| warp::reject::custom(ApiError::InternalError(e.to_string())))?;
diff --git a/auth/auth-server/src/server/helpers.rs b/auth/auth-server/src/server/helpers.rs
index 95d5056..bebc8cc 100644
--- a/auth/auth-server/src/server/helpers.rs
+++ b/auth/auth-server/src/server/helpers.rs
@@ -52,6 +52,8 @@ pub fn aes_decrypt(value: &str, key: &[u8]) -> Result {
 #[cfg(test)]
 mod tests {
+ use renegade_common::types::wallet::keychain::HmacKey;
+
 use super::*;
 /// Tests AES encryption and decryption
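Review bot: `add_key` now propagates database errors with `.map_err(ApiError::internal)?`, but the unchanged tail of `expire_key` in the same hunk still wraps them by hand with `warp::reject::custom(ApiError::InternalError(e.to_string()))`; the two handlers should use one form, i.e. `self.expire_key_query(key_id).await.map_err(ApiError::internal)?;`. Both doc comments also still read only "Add a new API key" / "Expire an existing API key" although the handlers now require a management-key signature that is checked before the body is touched; suggest `/// Add a new API key to the database; the request must carry a valid management-key signature, which is verified before the body is deserialized`, and the analogous sentence on `expire_key`. `expire_key`'s body continues past the end of the hunk.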
@@ -66,11 +68,11 @@ mod tests {
 assert_eq!(value, decrypted);
 }
- /// Generate an encryption key, base64 encode it, and print it
+ /// Generate a management key
 #[test]
- pub fn generate_encryption_key() {
- let key = Aes128Gcm::generate_key(&mut thread_rng());
- let encoded = general_purpose::STANDARD.encode(&key);
+ fn test_generate_management_key() {
+ let key = HmacKey::random();
+ let encoded = general_purpose::STANDARD.encode(key.0);
 println!("{}", encoded);
 }
 }
diff --git a/auth/auth-server/src/server/mod.rs b/auth/auth-server/src/server/mod.rs
index d0df323..0700880 100644
--- a/auth/auth-server/src/server/mod.rs
+++ b/auth/auth-server/src/server/mod.rs
@@ -41,6 +41,8 @@ pub struct Server {
 pub relayer_url: String,
 /// The admin key for the relayer
 pub relayer_admin_key: HmacKey,
+ /// The management key for the auth server
+ pub management_key: HmacKey,
 /// The encryption key for storing API secrets
 pub encryption_key: Vec,
 /// The HTTP client
@@ -53,11 +55,13 @@ impl Server {
 // Setup the DB connection pool
 let db_pool = create_db_pool(&args.database_url).await?;
- // Parse the decryption key as a base64 encoded string
+ // Parse the decryption key, management key, and relayer admin key as
+ // base64 encoded strings
 let encryption_key = general_purpose::STANDARD
 .decode(&args.encryption_key)
 .map_err(AuthServerError::encryption)?;
-
+ let management_key =
+ HmacKey::from_base64_string(&args.management_key).map_err(AuthServerError::setup)?;
 let relayer_admin_key =
 HmacKey::from_base64_string(&args.relayer_admin_key).map_err(AuthServerError::setup)?;
@@ -65,6 +69,7 @@ impl Server {
 db_pool: Arc::new(db_pool),
 relayer_url: args.relayer_url,
 relayer_admin_key,
+ management_key,
 encryption_key,
 client: Client::new(),
 })
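Review bot: This hunk replaces the encryption-key generator instead of adding a management-key generator beside it, so `generate_encryption_key` is gone and an operator provisioning a fresh `ENCRYPTION_KEY` loses the one documented way to produce one; keep both tests. The new doc `/// Generate a management key` should also say what the test actually does, e.g. `/// Generate a random management key and print it base64-encoded, for use as MANAGEMENT_KEY`. Dropping the `pub` and adding the `test_` prefix is fine, but the same naming should then be applied to the retained encryption-key generator for consistency.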
@@ -84,7 +89,7 @@ impl Server {
 body: Bytes,
 ) -> Result, ApiError> {
 // Admin authenticate the request
- self.admin_authenticate(path, &mut headers, &body).await?;
+ self.admin_authenticate(path, &mut headers, &body)?;
 // Forward the request to the relayer
 let url = format!("{}{}", self.relayer_url, path);
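Review bot: The `.await` is dropped from `self.admin_authenticate(path, &mut headers, &body)?;`, but no hunk in this patch changes `admin_authenticate` itself (api_auth.rs only gains `authorize_management_request`), so this presumably relies on a signature change made elsewhere; if `admin_authenticate` is still `async`, applying `?` to the returned future will not compile. Either include that change in the patch or say in the commit message where it lands. The enclosing proxy handler starts before this hunk.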