Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

updated primaryHandler and talaria config to include a check for fail open #348

Merged
merged 5 commits into from
Oct 26, 2023
Merged

updated primaryHandler and talaria config to include a check for fail open #348

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
e3960e9
updated primaryHandler and talaria config to include a check for fail…
maurafortino Oct 4, 2023
1a685f4
fixed failing unmarshaling & added comments
maurafortino Oct 4, 2023
91841a9
Merge branch 'main' into fail-open
denopink Oct 24, 2023
7aa3ac5
feat(deps): bump google.golang.org/grpc from 1.55.0 to 1.56.3 (#351)
dependabot[bot] Oct 25, 2023
593f2f2
Merge branch 'main' into fail-open
maurafortino Oct 26, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
53 changes: 39 additions & 14 deletions primaryHandler.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,10 @@
// RehasherServicesConfigKey is the path to the services for whose events talaria's
// rehasher should listen to.
RehasherServicesConfigKey = "device.rehasher.services"

// FailOpenConfigKey is the path to the fail open boolean which will determine
// which route to take when a device tries to connect to talaria
FailOpenConfigKey = "failOpen"
)

// NoOpConstructor provides a transparent way for constructors that make up
Expand Down Expand Up @@ -314,20 +318,41 @@
}

// the secured variant of the device connect handler - compatible with v2 and v3
r.Handle(
fmt.Sprintf("%s/{version:%s|%s}/device", baseURI, v2, version),
deviceConnectChain.
Extend(versionCompatibleAuth).
Append(DeviceMetadataMiddleware(getLogger)).
Then(connectHandler),
).HeadersRegexp("Authorization", ".*")

r.Handle(
fmt.Sprintf("%s/{version:%s|%s}/device", baseURI, v2, version),
deviceConnectChain.
Append(DeviceMetadataMiddleware(getLogger)).
Then(connectHandler),
)
// default functionality is to allow for talaria to accept devices with or without authorization
// failOpen must be set to false in config in order to require authorization from any device trying to connect
failOpen := true
if v.IsSet(FailOpenConfigKey) {
err := v.UnmarshalKey(FailOpenConfigKey, &failOpen)
if err != nil {
logger.Error("failOpen parse failure", zap.Error(err))
return nil, errors.New("failed parsing FailOpen boolean")

}

Check warning on line 330 in primaryHandler.go

View check run for this annotation

Codecov / codecov/patch

primaryHandler.go#L323-L330 

Added lines #L323 - L330 were not covered by tests
}
if failOpen {
r.Handle(
fmt.Sprintf("%s/{version:%s|%s}/device", baseURI, v2, version),
deviceConnectChain.
Extend(versionCompatibleAuth).
Append(DeviceMetadataMiddleware(getLogger)).
Then(connectHandler),
).HeadersRegexp("Authorization", ".*")

r.Handle(
fmt.Sprintf("%s/{version:%s|%s}/device", baseURI, v2, version),
deviceConnectChain.
Append(DeviceMetadataMiddleware(getLogger)).
Then(connectHandler),
)
} else {
r.Handle(
fmt.Sprintf("%s/{version:%s|%s}/device", baseURI, v2, version),
deviceConnectChain.
Extend(versionCompatibleAuth).
Append(DeviceMetadataMiddleware(getLogger)).
Then(connectHandler),
)
}

Check warning on line 355 in primaryHandler.go

View check run for this annotation

Codecov / codecov/patch

primaryHandler.go#L332-L355 

Added lines #L332 - L355 were not covered by tests

apiHandler.Handle(
"/device/{deviceID}/stat",
Expand Down
4 changes: 4 additions & 0 deletions talaria.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -633,3 +633,7 @@ zap:
# "console", as well as any third-party encodings registered via
# RegisterEncoder.
encoding: json

#(Optional) failOpen determines if talaria should allow devices without authentication to connect or not
#default is to allow for fail open
failOpen: true