Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug fixes in gateway #1157

Merged
merged 24 commits into from
Dec 9, 2024
Merged

Bug fixes in gateway #1157

merged 24 commits into from
Dec 9, 2024

Conversation

afsalthaj
Copy link
Contributor

@afsalthaj afsalthaj commented Dec 9, 2024
edited
Loading

  • Make sure worker name can look up athentication details, and not just response body.

  • JWKset were never serialized (its "skipped" in openidconnect library), and provider-metadata reuse for performance reasons resulted in signature mismatch errors. So now for claim verification, we discover the keyset on the fly, and is now consistently working.

  • 2 test additions in Rib, which I thought was missing (but there is no bug here)

Here is a simple end user test with this api-definition, where both worker name and response mapping looks up authentication fields.

image

@afsalthaj afsalthaj marked this pull request as ready for review December 9, 2024 04:11
afsalthaj
afsalthaj commented Dec 9, 2024
View reviewed changes
golem-rib/src/interpreter/rib_interpreter.rs
.unwrap();

assert_eq!(result, TypeAnnotatedValue::Str("foo, bar".to_string()));
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added these tests, but there are no bugs in logic

golem-worker-service-base/src/gateway_execution/gateway_binding_resolver.rs
impl GatewayBindingResolverError {
pub fn internal(err: &str) -> Self {
GatewayBindingResolverError::Internal(err.to_string())
impl ErrorOrRedirect {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

During the binding resolution phase itself (resolving a binding based on a http request, where the worker name is also resolved (Ex: worker-${request.auth.given_name})), middlewares such as authentication is applied, and can decide to redirect or not. That's the main change.

golem-worker-service-base/tests/api_gateway_end_to_end_tests.rs
let e = public_key.e().to_bytes_be();
let kid = JsonWebKeyId::new("my-key-id".to_string());
JsonWebKeySet::new(vec![CoreJsonWebKey::new_rsa(n, e, Some(kid))])
})
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now the test case is better, that the provider metadata will have the public key in it.
And the corresponding id_token will have its private key. Much easier to understand tests

@afsalthaj afsalthaj merged commit 6458190 into main Dec 9, 2024
18 checks passed
@afsalthaj afsalthaj deleted the bug_fixes_gateway branch December 9, 2024 06:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@noise64 noise64 noise64 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@afsalthaj @noise64