feat(chart/service)!: Add authorization (#80)

* fix(chart/service)!: add authorization for secret access Signed-off-by: Sebastian Becker <[email protected]> * feat(service): add execute opa verification Signed-off-by: Sebastian Becker <[email protected]> * feat(service): add logging for opa requests Signed-off-by: Sebastian Becker <[email protected]> * feat(service): cancel tcp check on game errors Signed-off-by: Sebastian Becker <[email protected]> * feat(service): undo changes to server Signed-off-by: Sebastian Becker <[email protected]> * feat(service): fix opa service uri malformatting Signed-off-by: Sebastian Becker <[email protected]> * feat(service): add user info to opa evaluation Signed-off-by: Sebastian Becker <[email protected]> * chore(service): address PR findings Signed-off-by: Sebastian Becker <[email protected]> --------- Signed-off-by: Sebastian Becker <[email protected]>
carbynestack · Dec 17, 2024 · d2b2899 · d2b2899
1 parent 39055d0
commit d2b2899
Show file tree

Hide file tree

Showing 21 changed files with 711 additions and 103 deletions.
diff --git a/charts/ephemeral/templates/ephemeral.yaml b/charts/ephemeral/templates/ephemeral.yaml
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2021-2023 - for information on the respective copyright owner
+# Copyright (c) 2021-2024 - for information on the respective copyright owner
 # see the NOTICE file and/or the repository https://github.com/carbynestack/ephemeral.
 #
 # SPDX-License-Identifier: Apache-2.0
@@ -35,6 +35,11 @@ spec:
               containerPort: 8080
             - name: tcp
               containerPort: 5000
+          env:
+            - name: EPHEMERAL_PROGRAM_IDENTIFIER
+              value: {{ .Values.ephemeral.programIdentifier }}
+            - name: EPHEMERAL_OPA_POLICY_PACKAGE
+              value: {{ .Values.ephemeral.opa.policyPackage }}
           volumeMounts:
             - name: config-volume
               mountPath: /etc/config
@@ -72,6 +77,7 @@ metadata:
 data:
   config.json: |-
     {
+      "authUserIdField": "{{ .Values.ephemeral.authUserIdField }}",
       "retrySleep": "50ms",
       "networkEstablishTimeout": "{{ .Values.ephemeral.networkEstablishTimeout }}",
       "prime": "{{ .Values.ephemeral.spdz.prime }}",
@@ -81,6 +87,9 @@ data:
       "gf2nBitLength": {{ .Values.ephemeral.spdz.gf2nBitLength }},
       "gf2nStorageSize": {{ .Values.ephemeral.spdz.gf2nStorageSize }},
       "prepFolder": "{{ .Values.ephemeral.spdz.prepFolder }}",
+      "opaConfig": {
+        "endpoint": "{{ .Values.ephemeral.opa.endpoint }}"
+      },
       "amphoraConfig": {
         "host": "{{ .Values.ephemeral.amphora.host }}",
         "scheme": "{{ .Values.ephemeral.amphora.scheme }}",

diff --git a/charts/ephemeral/values.yaml b/charts/ephemeral/values.yaml
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2021-2023 - for information on the respective copyright owner
+# Copyright (c) 2021-2024 - for information on the respective copyright owner
 # see the NOTICE file and/or the repository https://github.com/carbynestack/ephemeral.
 #
 # SPDX-License-Identifier: Apache-2.0
@@ -46,6 +46,11 @@ ephemeral:
       memory:
       cpu:
   minScale: 1
+  programIdentifier: "ephemeral-generic"
+  authUserIdField: "sub"
+  opa:
+    endpoint: "http://opa.default.svc.cluster.local:8081/"
+    policyPackage: "carbynestack.def"
   amphora:
     host: "amphora"
     scheme: "http"

diff --git a/cmd/ephemeral/main.go b/cmd/ephemeral/main.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2021-2023 - for information on the respective copyright owner
+// Copyright (c) 2021-2024 - for information on the respective copyright owner
 // see the NOTICE file and/or the repository https://github.com/carbynestack/ephemeral.
 //
 // SPDX-License-Identifier: Apache-2.0
@@ -11,7 +11,9 @@ import (
 	"github.com/carbynestack/ephemeral/pkg/castor"
 	. "github.com/carbynestack/ephemeral/pkg/ephemeral"
 	l "github.com/carbynestack/ephemeral/pkg/logger"
+	"github.com/carbynestack/ephemeral/pkg/opa"
 	"github.com/carbynestack/ephemeral/pkg/utils"
+	"os"
 
 	. "github.com/carbynestack/ephemeral/pkg/types"
 	"math/big"
@@ -54,22 +56,22 @@ func main() {
 
 // GetHandlerChain returns a chain of handlers that are used to process HTTP requests.
 func GetHandlerChain(conf *SPDZEngineConfig, logger *zap.SugaredLogger) (http.Handler, error) {
-	typedConfig, err := InitTypedConfig(conf)
+	typedConfig, err := InitTypedConfig(conf, logger)
 	if err != nil {
 		return nil, err
 	}
 	spdzClient, err := NewSPDZEngine(logger, utils.NewCommander(), typedConfig)
 	if err != nil {
 		return nil, err
 	}
-	server := NewServer(spdzClient.Compile, spdzClient.Activate, logger, typedConfig)
+	server := NewServer(conf.AuthUserIdField, spdzClient.Compile, spdzClient.Activate, logger, typedConfig)
 	activationHandler := http.HandlerFunc(server.ActivationHandler)
 	// Apply in Order:
 	// 1) MethodFilter: Check that only POST Requests can go through
-	// 2) BodyFilter: Check that Request Body is set properly and Sets the CtxConfig to the request
+	// 2) RequestFilter: Check that Request Body is set properly and Sets the CtxConfig to the request
 	// 3) CompilationHandler: Compiles the script if ?compile=true
 	// 4) ActivationHandler: Runs the script
-	filterChain := server.MethodFilter(server.BodyFilter(server.CompilationHandler(activationHandler)))
+	filterChain := server.MethodFilter(server.RequestFilter(server.CompilationHandler(activationHandler)))
 	return filterChain, nil
 }
 
@@ -89,7 +91,7 @@ func ParseConfig(path string) (*SPDZEngineConfig, error) {
 
 // InitTypedConfig converts the string parameters that were parsed by standard json parser to
 // the parameters which are used internally, e.g. string -> time.Duration.
-func InitTypedConfig(conf *SPDZEngineConfig) (*SPDZEngineTypedConfig, error) {
+func InitTypedConfig(conf *SPDZEngineConfig, logger *zap.SugaredLogger) (*SPDZEngineTypedConfig, error) {
 	retrySleep, err := time.ParseDuration(conf.RetrySleep)
 	if err != nil {
 		return nil, err
@@ -123,6 +125,19 @@ func InitTypedConfig(conf *SPDZEngineConfig) (*SPDZEngineTypedConfig, error) {
 	if err != nil {
 		return nil, err
 	}
+	programIdentifier, ok := os.LookupEnv("EPHEMERAL_PROGRAM_IDENTIFIER")
+	if !ok {
+		programIdentifier = conf.ProgramIdentifier
+	}
+
+	policyPackage, ok := os.LookupEnv("EPHEMERAL_OPA_POLICY_PACKAGE")
+	if !ok {
+		policyPackage = conf.OpaConfig.PolicyPackage
+	}
+	opaClient, err := opa.NewClient(logger, conf.OpaConfig.Endpoint, policyPackage)
+	if err != nil {
+		return nil, err
+	}
 
 	amphoraURL := url.URL{
 		Host:   conf.AmphoraConfig.Host,
@@ -145,6 +160,7 @@ func InitTypedConfig(conf *SPDZEngineConfig) (*SPDZEngineTypedConfig, error) {
 	}
 
 	return &SPDZEngineTypedConfig{
+		ProgramIdentifier:       programIdentifier,
 		NetworkEstablishTimeout: networkEstablishTimeout,
 		RetrySleep:              retrySleep,
 		Prime:                   p,
@@ -154,6 +170,7 @@ func InitTypedConfig(conf *SPDZEngineConfig) (*SPDZEngineTypedConfig, error) {
 		Gf2nBitLength:           conf.Gf2nBitLength,
 		Gf2nStorageSize:         conf.Gf2nStorageSize,
 		PrepFolder:              conf.PrepFolder,
+		OpaClient:               opaClient,
 		AmphoraClient:           amphoraClient,
 		CastorClient:            castorClient,
 		TupleStock:              conf.CastorConfig.TupleStock,