From c046e7aadd5cff73361160b8a8374ab52280819a Mon Sep 17 00:00:00 2001
From: Mateusz Chudkowski
Date: Tue, 17 Sep 2024 19:38:24 +0200
Subject: [PATCH] multiple admin keys
---
 prover-sdk/tests/register_test.rs | 12 ++++++++++--
 prover/src/auth/register.rs | 2 +-
 prover/src/auth/validation.rs | 8 ++++----
 prover/src/lib.rs | 4 ++--
 prover/src/server.rs | 17 ++++++++++-------
 scripts/e2e_test.sh | 15 ++++++++++-----
 6 files changed, 37 insertions(+), 21 deletions(-)
diff --git a/prover-sdk/tests/register_test.rs b/prover-sdk/tests/register_test.rs
index 873078e..21f592f 100644
--- a/prover-sdk/tests/register_test.rs
+++ b/prover-sdk/tests/register_test.rs
@@ -4,12 +4,20 @@ use url::Url;
 #[tokio::test]
 async fn test_register_authorized() {
 let url = std::env::var("PROVER_URL").unwrap();
- let admin_key = std::env::var("ADMIN_PRIVATE_KEY").unwrap();
- let admin_key = ProverAccessKey::from_hex_string(&admin_key).unwrap();
+ let admin_key1 = std::env::var("ADMIN_PRIVATE_KEY_1").unwrap();
+ let admin_key2 = std::env::var("ADMIN_PRIVATE_KEY_2").unwrap();
+
+ let admin_key = ProverAccessKey::from_hex_string(&admin_key1).unwrap();
 let random_key = ProverAccessKey::generate();
 let url = Url::parse(&url).unwrap();
 let mut sdk = ProverSDK::new(url.clone(), admin_key).await.unwrap();
 sdk.register(random_key.0.verifying_key()).await.unwrap();
+ let new_sdk = ProverSDK::new(url.clone(), random_key).await;
+ assert!(new_sdk.is_ok());
+ let admin_key = ProverAccessKey::from_hex_string(&admin_key2).unwrap();
+ let random_key = ProverAccessKey::generate();
+ let mut sdk = ProverSDK::new(url.clone(), admin_key).await.unwrap();
+ sdk.register(random_key.0.verifying_key()).await.unwrap();
 let new_sdk = ProverSDK::new(url, random_key).await;
 assert!(new_sdk.is_ok());
 }
diff --git a/prover/src/auth/register.rs b/prover/src/auth/register.rs
index 0989e6f..1ed9d0b 100644
--- a/prover/src/auth/register.rs
+++ b/prover/src/auth/register.rs
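Review bot: prover-sdk/tests/register_test.rs exercises only the accepting path for the two admin keys, and nothing in this hunk asserts that a key outside the admin list is refused now that the handler uses a membership test instead of an equality check. If no other test covers it, add a case where an authorized but non-admin key calls `sdk.register(...)` and the result is checked with `assert!(result.is_err())`. The two halves of the test are copies of each other; a loop over `["ADMIN_PRIVATE_KEY_1", "ADMIN_PRIVATE_KEY_2"]` would keep them in step, and `expect("ADMIN_PRIVATE_KEY_1 not set")` in place of `unwrap()` gives a clearer failure when a variable is missing.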
@@ -10,7 +10,7 @@ pub async fn register(
 _claims: Claims,
 Json(payload): Json,
 ) -> Result {
- if state.admin_key != payload.authority {
+ if !state.admins_keys.contains(&payload.authority) {
 return Err(ProverError::Auth(AuthError::Unauthorized));
 }
 payload
diff --git a/prover/src/auth/validation.rs b/prover/src/auth/validation.rs
index 9f093a7..9b7801d 100644
--- a/prover/src/auth/validation.rs
+++ b/prover/src/auth/validation.rs
@@ -119,7 +119,7 @@ mod tests {
 thread_pool: Arc::new(Mutex::new(ThreadPool::new(1))),
 nonces,
 authorizer: Authorizer::Open,
- admin_key: generate_verifying_key(&generate_signing_key()),
+ admins_keys: vec![generate_verifying_key(&generate_signing_key())],
 sse_tx: Arc::new(Mutex::new(tokio::sync::broadcast::channel(100).0)),
 };
@@ -162,7 +162,7 @@ mod tests {
 thread_pool: Arc::new(Mutex::new(ThreadPool::new(1))),
 nonces,
 authorizer: Authorizer::Open,
- admin_key: generate_verifying_key(&generate_signing_key()),
+ admins_keys: vec![generate_verifying_key(&generate_signing_key())],
 sse_tx: Arc::new(Mutex::new(tokio::sync::broadcast::channel(100).0)),
 };
@@ -202,7 +202,7 @@ mod tests {
 thread_pool: Arc::new(Mutex::new(ThreadPool::new(1))),
 nonces,
 authorizer: Authorizer::Open,
- admin_key: generate_verifying_key(&generate_signing_key()),
+ admins_keys: vec![generate_verifying_key(&generate_signing_key())],
 sse_tx: Arc::new(Mutex::new(tokio::sync::broadcast::channel(100).0)),
 };
@@ -243,7 +243,7 @@ mod tests {
 thread_pool: Arc::new(Mutex::new(ThreadPool::new(1))),
 nonces,
 authorizer: Authorizer::Open,
- admin_key: generate_verifying_key(&generate_signing_key()),
+ admins_keys: vec![generate_verifying_key(&generate_signing_key())],
 sse_tx: Arc::new(Mutex::new(tokio::sync::broadcast::channel(100).0)),
 };
diff --git a/prover/src/lib.rs b/prover/src/lib.rs
index b71ecb2..ba4b1c6 100644
--- a/prover/src/lib.rs
+++ b/prover/src/lib.rs
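Review bot: In prover/src/auth/register.rs the new check `!state.admins_keys.contains(&payload.authority)` decides on the authority named in the request body while `_claims` stays unused, and with several admins nothing visible records which of them approved a registration. The rest of `register` lies below this hunk, so whether the payload's signature is verified against that authority cannot be confirmed from here; if it is, say so next to the check, for example `// Any key in state.admins_keys may authorize a registration; the signature over the payload must verify against payload.authority.` Logging `payload.authority` together with the newly registered key on success would give an audit trail that distinguishes the admins.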
@@ -30,6 +30,6 @@ pub struct Args {
 pub authorized_keys: Vec,
 #[arg(long, env, default_value = "4")]
 pub num_workers: usize,
- #[arg(long, env)]
- pub admin_key: String,
+ #[arg(long, env, value_delimiter = ',')]
+ pub admins_keys: Vec,
 }
diff --git a/prover/src/server.rs b/prover/src/server.rs
index 3122b85..199e867 100644
--- a/prover/src/server.rs
+++ b/prover/src/server.rs
@@ -34,7 +34,7 @@ pub struct AppState {
 pub jwt_secret_key: String,
 pub nonces: Arc>>,
 pub authorizer: Authorizer,
- pub admin_key: VerifyingKey,
+ pub admins_keys: Vec,
 pub sse_tx: Arc>>,
 }
@@ -49,12 +49,15 @@ pub async fn start(args: Args) -> Result<(), ProverError> {
 let authorizer = Authorizer::Persistent(FileAuthorizer::new(args.authorized_keys_path.clone()).await?);
+ let mut admins_keys = Vec::new();
+ for key in args.admins_keys {
+ let verifying_key_bytes = prefix_hex::decode::>(key)
+ .map_err(|e| AuthorizerError::PrefixHexConversionError(e.to_string()))?;
+ let verifying_key = VerifyingKey::from_bytes(&verifying_key_bytes.try_into()?)?;
+ admins_keys.push(verifying_key);
+ authorizer.authorize(verifying_key).await?;
+ }
- let admin_key_bytes = prefix_hex::decode::>(args.admin_key)
- .map_err(|e| AuthorizerError::PrefixHexConversionError(e.to_string()))?;
- let admin_key = VerifyingKey::from_bytes(&admin_key_bytes.try_into()?)?;
-
- authorizer.authorize(admin_key).await?;
 for key in args.authorized_keys.iter() {
 let verifying_key_bytes = prefix_hex::decode::>(key)
 .map_err(|e| AuthorizerError::PrefixHexConversionError(e.to_string()))?;
@@ -70,7 +73,7 @@ pub async fn start(args: Args) -> Result<(), ProverError> {
 authorizer,
 job_store: JobStore::default(),
 thread_pool: Arc::new(Mutex::new(ThreadPool::new(args.num_workers))),
- admin_key,
+ admins_keys,
 sse_tx: Arc::new(Mutex::new(sse_tx)),
 };
diff --git a/scripts/e2e_test.sh b/scripts/e2e_test.sh
index f072517..2f0d10e 100755
--- a/scripts/e2e_test.sh
+++ b/scripts/e2e_test.sh
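Review bot: In prover/src/lib.rs the admin argument changed from a required `String` to a `Vec`, which clap treats as optional, so the server can now start with no admin key configured at all. A deployment that still sets only the old `ADMIN_KEY` environment variable would then start silently without admins, assuming clap derives the new variable name `ADMINS_KEYS` from the field. Marking the argument required, `#[arg(long, env, value_delimiter = ',', required = true)]`, keeps the previous fail-at-startup behaviour. A doc comment such as `/// Comma-separated, prefixed-hex public keys that may register new keys.` would document the format, and `admin_keys` reads more naturally than `admins_keys`; the `Args` struct begins above this hunk.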
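Review bot: In prover/src/server.rs every admin key is also passed to `authorizer.authorize(...)` on an `Authorizer::Persistent(FileAuthorizer…)`, so removing a key from `--admins-keys` on a later start takes away its admin role but presumably leaves its stored ordinary access in place. That should be confirmed against `FileAuthorizer` and stated at the loop, for example `// Admin keys are also authorized as regular keys; dropping one from --admins-keys does not revoke that stored entry.` The loop accepts the same key more than once without comment. `start` begins above this hunk and continues past it.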
@@ -32,8 +32,13 @@ PRIVATE_KEY=$(echo "$KEYGEN_OUTPUT" | grep "Private key" | awk '{print $3}' | tr
 KEYGEN_OUTPUT=$(cargo run -p keygen)
-ADMIN_PUBLIC_KEY=$(echo "$KEYGEN_OUTPUT" | grep "Public key" | awk '{print $3}' | tr -d ',' | tr -d '[:space:]')
-ADMIN_PRIVATE_KEY=$(echo "$KEYGEN_OUTPUT" | grep "Private key" | awk '{print $3}' | tr -d ',' | tr -d '[:space:]')
+ADMIN_PUBLIC_KEY1=$(echo "$KEYGEN_OUTPUT" | grep "Public key" | awk '{print $3}' | tr -d ',' | tr -d '[:space:]')
+ADMIN_PRIVATE_KEY1=$(echo "$KEYGEN_OUTPUT" | grep "Private key" | awk '{print $3}' | tr -d ',' | tr -d '[:space:]')
+
+KEYGEN_OUTPUT=$(cargo run -p keygen)
+
+ADMIN_PUBLIC_KEY2=$(echo "$KEYGEN_OUTPUT" | grep "Public key" | awk '{print $3}' | tr -d ',' | tr -d '[:space:]')
+ADMIN_PRIVATE_KEY2=$(echo "$KEYGEN_OUTPUT" | grep "Private key" | awk '{print $3}' | tr -d ',' | tr -d '[:space:]')
 REPLACE_FLAG=""
 if [ "$CONTAINER_ENGINE" == "podman" ]; then
@@ -44,12 +49,12 @@ $CONTAINER_ENGINE run -d --name http_prover_test $REPLACE_FLAG \
 --jwt-secret-key "secret" \
 --message-expiration-time 3600 \
 --session-expiration-time 3600 \
- --authorized-keys $PUBLIC_KEY,$ADMIN_PUBLIC_KEY \
- --admin-key $ADMIN_PUBLIC_KEY
+ --authorized-keys $PUBLIC_KEY,$ADMIN_PUBLIC_KEY1,$ADMIN_PUBLIC_KEY2 \
+ --admins-keys $ADMIN_PUBLIC_KEY1,$ADMIN_PUBLIC_KEY2
 start_time=$(date +%s)
-PRIVATE_KEY=$PRIVATE_KEY PROVER_URL="http://localhost:3040" ADMIN_PRIVATE_KEY=$ADMIN_PRIVATE_KEY cargo test --no-fail-fast --workspace --verbose
+PRIVATE_KEY=$PRIVATE_KEY PROVER_URL="http://localhost:3040" ADMIN_PRIVATE_KEY_1=$ADMIN_PRIVATE_KEY1 ADMIN_PRIVATE_KEY_2=$ADMIN_PRIVATE_KEY2 cargo test --no-fail-fast --workspace --verbose
 end_time=$(date +%s)
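Review bot: In scripts/e2e_test.sh the new key variables are expanded unquoted and never checked for being empty, so a failed keygen run surfaces only later, as a container started with `--admins-keys ,` or as a test that cannot read its key. Quote the expansions in both hunks, for example `--admins-keys "$ADMIN_PUBLIC_KEY1,$ADMIN_PUBLIC_KEY2"`, and stop early when a key is missing with `[ -n "$ADMIN_PUBLIC_KEY1" ] && [ -n "$ADMIN_PUBLIC_KEY2" ] || exit 1`. The four extraction pipelines differ only in the label they grep for and could be one small shell function.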