multiple admin keys

cartridge-gg · Sep 17, 2024 · c046e7a · c046e7a
1 parent ddeb119
commit c046e7a
Show file tree

Hide file tree

Showing 6 changed files with 37 additions and 21 deletions.
diff --git a/prover-sdk/tests/register_test.rs b/prover-sdk/tests/register_test.rs
@@ -4,12 +4,20 @@ use url::Url;
 #[tokio::test]
 async fn test_register_authorized() {
     let url = std::env::var("PROVER_URL").unwrap();
-    let admin_key = std::env::var("ADMIN_PRIVATE_KEY").unwrap();
-    let admin_key = ProverAccessKey::from_hex_string(&admin_key).unwrap();
+    let admin_key1 = std::env::var("ADMIN_PRIVATE_KEY_1").unwrap();
+    let admin_key2 = std::env::var("ADMIN_PRIVATE_KEY_2").unwrap();
+
+    let admin_key = ProverAccessKey::from_hex_string(&admin_key1).unwrap();
     let random_key = ProverAccessKey::generate();
     let url = Url::parse(&url).unwrap();
     let mut sdk = ProverSDK::new(url.clone(), admin_key).await.unwrap();
     sdk.register(random_key.0.verifying_key()).await.unwrap();
+    let new_sdk = ProverSDK::new(url.clone(), random_key).await;
+    assert!(new_sdk.is_ok());
+    let admin_key = ProverAccessKey::from_hex_string(&admin_key2).unwrap();
+    let random_key = ProverAccessKey::generate();
+    let mut sdk = ProverSDK::new(url.clone(), admin_key).await.unwrap();
+    sdk.register(random_key.0.verifying_key()).await.unwrap();
     let new_sdk = ProverSDK::new(url, random_key).await;
     assert!(new_sdk.is_ok());
 }

diff --git a/prover/src/auth/register.rs b/prover/src/auth/register.rs
@@ -10,7 +10,7 @@ pub async fn register(
     _claims: Claims,
     Json(payload): Json<AddKeyRequest>,
 ) -> Result<impl IntoResponse, ProverError> {
-    if state.admin_key != payload.authority {
+    if !state.admins_keys.contains(&payload.authority) {
         return Err(ProverError::Auth(AuthError::Unauthorized));
     }
     payload

diff --git a/prover/src/auth/validation.rs b/prover/src/auth/validation.rs
@@ -119,7 +119,7 @@ mod tests {
             thread_pool: Arc::new(Mutex::new(ThreadPool::new(1))),
             nonces,
             authorizer: Authorizer::Open,
-            admin_key: generate_verifying_key(&generate_signing_key()),
+            admins_keys: vec![generate_verifying_key(&generate_signing_key())],
             sse_tx: Arc::new(Mutex::new(tokio::sync::broadcast::channel(100).0)),
         };
 
@@ -162,7 +162,7 @@ mod tests {
             thread_pool: Arc::new(Mutex::new(ThreadPool::new(1))),
             nonces,
             authorizer: Authorizer::Open,
-            admin_key: generate_verifying_key(&generate_signing_key()),
+            admins_keys: vec![generate_verifying_key(&generate_signing_key())],
             sse_tx: Arc::new(Mutex::new(tokio::sync::broadcast::channel(100).0)),
         };
 
@@ -202,7 +202,7 @@ mod tests {
             thread_pool: Arc::new(Mutex::new(ThreadPool::new(1))),
             nonces,
             authorizer: Authorizer::Open,
-            admin_key: generate_verifying_key(&generate_signing_key()),
+            admins_keys: vec![generate_verifying_key(&generate_signing_key())],
             sse_tx: Arc::new(Mutex::new(tokio::sync::broadcast::channel(100).0)),
         };
 
@@ -243,7 +243,7 @@ mod tests {
             thread_pool: Arc::new(Mutex::new(ThreadPool::new(1))),
             nonces,
             authorizer: Authorizer::Open,
-            admin_key: generate_verifying_key(&generate_signing_key()),
+            admins_keys: vec![generate_verifying_key(&generate_signing_key())],
             sse_tx: Arc::new(Mutex::new(tokio::sync::broadcast::channel(100).0)),
         };
 

diff --git a/prover/src/lib.rs b/prover/src/lib.rs
@@ -30,6 +30,6 @@ pub struct Args {
     pub authorized_keys: Vec<String>,
     #[arg(long, env, default_value = "4")]
     pub num_workers: usize,
-    #[arg(long, env)]
-    pub admin_key: String,
+    #[arg(long, env, value_delimiter = ',')]
+    pub admins_keys: Vec<String>,
 }
diff --git a/prover/src/server.rs b/prover/src/server.rs
@@ -34,7 +34,7 @@ pub struct AppState {
     pub jwt_secret_key: String,
     pub nonces: Arc<Mutex<HashMap<NonceString, VerifyingKey>>>,
     pub authorizer: Authorizer,
-    pub admin_key: VerifyingKey,
+    pub admins_keys: Vec<VerifyingKey>,
     pub sse_tx: Arc<Mutex<Sender<String>>>,
 }
 
@@ -49,12 +49,15 @@ pub async fn start(args: Args) -> Result<(), ProverError> {
 
     let authorizer =
         Authorizer::Persistent(FileAuthorizer::new(args.authorized_keys_path.clone()).await?);
+    let mut admins_keys = Vec::new();
+    for key in args.admins_keys {
+        let verifying_key_bytes = prefix_hex::decode::<Vec<u8>>(key)
+            .map_err(|e| AuthorizerError::PrefixHexConversionError(e.to_string()))?;
+        let verifying_key = VerifyingKey::from_bytes(&verifying_key_bytes.try_into()?)?;
+        admins_keys.push(verifying_key);
+        authorizer.authorize(verifying_key).await?;
+    }
 
-    let admin_key_bytes = prefix_hex::decode::<Vec<u8>>(args.admin_key)
-        .map_err(|e| AuthorizerError::PrefixHexConversionError(e.to_string()))?;
-    let admin_key = VerifyingKey::from_bytes(&admin_key_bytes.try_into()?)?;
-
-    authorizer.authorize(admin_key).await?;
     for key in args.authorized_keys.iter() {
         let verifying_key_bytes = prefix_hex::decode::<Vec<u8>>(key)
             .map_err(|e| AuthorizerError::PrefixHexConversionError(e.to_string()))?;
@@ -70,7 +73,7 @@ pub async fn start(args: Args) -> Result<(), ProverError> {
         authorizer,
         job_store: JobStore::default(),
         thread_pool: Arc::new(Mutex::new(ThreadPool::new(args.num_workers))),
-        admin_key,
+        admins_keys,
         sse_tx: Arc::new(Mutex::new(sse_tx)),
     };
 

diff --git a/scripts/e2e_test.sh b/scripts/e2e_test.sh
@@ -32,8 +32,13 @@ PRIVATE_KEY=$(echo "$KEYGEN_OUTPUT" | grep "Private key" | awk '{print $3}' | tr
 
 KEYGEN_OUTPUT=$(cargo run -p keygen)
 
-ADMIN_PUBLIC_KEY=$(echo "$KEYGEN_OUTPUT" | grep "Public key" | awk '{print $3}' | tr -d ',' | tr -d '[:space:]')
-ADMIN_PRIVATE_KEY=$(echo "$KEYGEN_OUTPUT" | grep "Private key" | awk '{print $3}' | tr -d ',' | tr -d '[:space:]')
+ADMIN_PUBLIC_KEY1=$(echo "$KEYGEN_OUTPUT" | grep "Public key" | awk '{print $3}' | tr -d ',' | tr -d '[:space:]')
+ADMIN_PRIVATE_KEY1=$(echo "$KEYGEN_OUTPUT" | grep "Private key" | awk '{print $3}' | tr -d ',' | tr -d '[:space:]')
+
+KEYGEN_OUTPUT=$(cargo run -p keygen)
+
+ADMIN_PUBLIC_KEY2=$(echo "$KEYGEN_OUTPUT" | grep "Public key" | awk '{print $3}' | tr -d ',' | tr -d '[:space:]')
+ADMIN_PRIVATE_KEY2=$(echo "$KEYGEN_OUTPUT" | grep "Private key" | awk '{print $3}' | tr -d ',' | tr -d '[:space:]')
 
 REPLACE_FLAG=""
 if [ "$CONTAINER_ENGINE" == "podman" ]; then
@@ -44,12 +49,12 @@ $CONTAINER_ENGINE run -d --name http_prover_test $REPLACE_FLAG \
     --jwt-secret-key "secret" \
     --message-expiration-time 3600 \
     --session-expiration-time 3600 \
-    --authorized-keys $PUBLIC_KEY,$ADMIN_PUBLIC_KEY \
-    --admin-key $ADMIN_PUBLIC_KEY 
+    --authorized-keys $PUBLIC_KEY,$ADMIN_PUBLIC_KEY1,$ADMIN_PUBLIC_KEY2 \
+    --admins-keys $ADMIN_PUBLIC_KEY1,$ADMIN_PUBLIC_KEY2 
 
 start_time=$(date +%s)
 
-PRIVATE_KEY=$PRIVATE_KEY PROVER_URL="http://localhost:3040" ADMIN_PRIVATE_KEY=$ADMIN_PRIVATE_KEY cargo test --no-fail-fast --workspace --verbose
+PRIVATE_KEY=$PRIVATE_KEY PROVER_URL="http://localhost:3040" ADMIN_PRIVATE_KEY_1=$ADMIN_PRIVATE_KEY1 ADMIN_PRIVATE_KEY_2=$ADMIN_PRIVATE_KEY2 cargo test --no-fail-fast --workspace --verbose
 
 end_time=$(date +%s)