From 1095e3f859c9c61bc3afc33a2cdeafac74ea3d16 Mon Sep 17 00:00:00 2001 From: Olivier Le Thanh Duong Date: Thu, 13 Jun 2024 13:46:33 +0200 Subject: [PATCH] Problem: Crash when trying to auth via websocket (#630) The auth function in websocket was crashing when the header "X-Auth-Signature" wasn't passed, even that authentification method wasn't used. This caused issues when header "X-Auth-Signature" was not passed. Endpoint authenticate_api_request is not adequate for Websocket connections (#632) --------- Co-authored-by: Hugo Herter --- src/aleph/vm/orchestrator/views/operator.py | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/src/aleph/vm/orchestrator/views/operator.py b/src/aleph/vm/orchestrator/views/operator.py index 7617a3bb5..148ecd092 100644 --- a/src/aleph/vm/orchestrator/views/operator.py +++ b/src/aleph/vm/orchestrator/views/operator.py @@ -10,7 +10,6 @@ from aleph.vm.models import VmExecution from aleph.vm.orchestrator.run import create_vm_execution -from aleph.vm.orchestrator.views import authenticate_api_request from aleph.vm.orchestrator.views.authentication import ( authenticate_websocket_message, require_jwk_authentication, @@ -68,7 +67,7 @@ async def stream_logs(request: web.Request) -> web.StreamResponse: ws = web.WebSocketResponse() await ws.prepare(request) try: - await authenticate_for_vm_or_403(execution, request, vm_hash, ws) + await authenticate_websocket_for_vm_or_403(execution, vm_hash, ws) await ws.send_json({"status": "connected"}) queue = execution.vm.get_log_queue() @@ -88,12 +87,12 @@ async def stream_logs(request: web.Request) -> web.StreamResponse: execution.vm.unregister_queue(queue) -async def authenticate_for_vm_or_403(execution, request, vm_hash, ws): - """Allow authentication via HEADER or via websocket""" - if authenticate_api_request(request): - logger.debug(f"Accepted request to access logs via the allocatioan api key on {vm_hash}") - return True +async def authenticate_websocket_for_vm_or_403(execution: VmExecution, vm_hash: ItemHash, ws: web.WebSocketResponse): + """Authenticate a websocket connection. + Web browsers do not allow setting headers in WebSocket requests, so the authentication + relies on the first message sent by the client. + """ first_message = await ws.receive_json() credentials = first_message["auth"] authenticated_sender = await authenticate_websocket_message(credentials)