From 7ba6965cc64855253d57f321f2c701f27fdd04dd Mon Sep 17 00:00:00 2001
From: Varun Dhananjaya
Date: Thu, 27 Jul 2023 12:53:33 -0400
Subject: [PATCH] [identity] load OPAQUE server setup from environment variable
Summary: The Identity service now expects the OPAQUE_SERVER_SETUP environment variable to be set at runtime. When the keygen command is run, the serialized server setup bytes are now base64 encoded before they're written to the file system. This base64 encoded string must then be made available with the above environment variable when the server is run.
Test Plan: ran the keygen program, retrieved the base64 encoded string, ran the server program with OPAQUE_SERVER_SETUP= and the program succeeded. Also tried supplying an invalid string via env var and the server program crashed, as expected.
Reviewers: jon, bartek
Reviewed By: jon, bartek
Subscribers: ashoat, tomek
Differential Revision: https://phab.comm.dev/D8641
---
 services/identity/src/config.rs | 46 +++++++++++++++++++++++-------
 services/identity/src/constants.rs | 4 +++
 services/identity/src/keygen.rs | 5 +++-
 services/identity/src/main.rs | 1 -
 4 files changed, 44 insertions(+), 12 deletions(-)
diff --git a/services/identity/src/config.rs b/services/identity/src/config.rs
index f1e629397b..1bc446c15d 100644
--- a/services/identity/src/config.rs
+++ b/services/identity/src/config.rs
@@ -1,9 +1,11 @@
+use base64::{engine::general_purpose, DecodeError, Engine as _};
 use once_cell::sync::Lazy;
 use std::{collections::HashSet, env, fmt, fs, io, path};
+use tracing::{error, info};
 use crate::constants::{
- KEYSERVER_PUBLIC_KEY, LOCALSTACK_ENDPOINT, SECRETS_DIRECTORY,
- SECRETS_SETUP_FILE,
+ KEYSERVER_PUBLIC_KEY, LOCALSTACK_ENDPOINT, OPAQUE_SERVER_SETUP,
+ SECRETS_DIRECTORY, SECRETS_SETUP_FILE,
 };
 pub static CONFIG: Lazy =
@@ -27,10 +29,11 @@ impl Config {
 fn load() -> Result {
 let localstack_endpoint = env::var(LOCALSTACK_ENDPOINT).ok();
- let mut path = path::PathBuf::new();
- path.push(SECRETS_DIRECTORY);
- path.push(SECRETS_SETUP_FILE);
- let server_setup = get_server_setup_from_file(&path)?;
+ let mut path_buf = path::PathBuf::new();
+ path_buf.push(SECRETS_DIRECTORY);
+ path_buf.push(SECRETS_SETUP_FILE);
+
+ let server_setup = get_server_setup(path_buf.as_path())?;
 let reserved_usernames = get_reserved_usernames_set()?;
@@ -65,13 +68,36 @@ pub enum Error {
 Env(env::VarError),
 #[display(...)]
 Json(serde_json::Error),
+ #[display(...)]
+ Decode(DecodeError),
 }
-fn get_server_setup_from_file>(
- path: &P,
+fn get_server_setup(
+ path: &path::Path,
 ) -> Result, Error> {
- let bytes = fs::read(path)?;
- comm_opaque2::ServerSetup::deserialize(&bytes).map_err(Error::Opaque)
+ let encoded_server_setup = if let Ok(env_setup) =
+ env::var(OPAQUE_SERVER_SETUP)
+ {
+ info!(
+ "Using OPAQUE server setup from env var: {}",
+ OPAQUE_SERVER_SETUP
+ );
+ env_setup
+ } else if let Ok(file_setup) = fs::read_to_string(path) {
+ info!("Using OPAQUE server setup from file: {}", path.display());
+ file_setup
+ } else {
+ error!("Unable to locate OPAQUE server setup. Please run `keygen` command and run Identity service again.");
+ return Err(Error::Io(io::Error::new(
+ io::ErrorKind::NotFound,
+ "Missing server credentials",
+ )));
+ };
+
+ let decoded_server_setup =
+ general_purpose::STANDARD_NO_PAD.decode(encoded_server_setup)?;
+ comm_opaque2::ServerSetup::deserialize(&decoded_server_setup)
+ .map_err(Error::Opaque)
 }
 fn get_reserved_usernames_set() -> Result, Error> {
diff --git a/services/identity/src/constants.rs b/services/identity/src/constants.rs
index f911806d6c..1bc06819e4 100644
--- a/services/identity/src/constants.rs
+++ b/services/identity/src/constants.rs
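Review bot: In `get_server_setup` (config.rs, the `@@ -65,13 +68,36 @@` hunk), the `if let Ok(..) … else if let Ok(..)` chain discards the reason a source failed: a variable that is set but not valid Unicode silently falls through to the file, and every `fs::read_to_string` error (permission denied, a non-UTF-8 file) is reported as `NotFound` / "Missing server credentials". That matters on upgrade, because a setup file written by the previous `keygen` holds raw serialized bytes rather than base64, so it fails here while the log tells the operator to re-run `keygen`; generating a fresh setup would presumably invalidate existing OPAQUE registrations, so the message should point at re-encoding the existing file instead. Matching on `env::VarError` and propagating the I/O error keeps the real cause, as sketched below. Decoding `encoded_server_setup.trim()` also tolerates the trailing newline that shells and secret stores often append, which `STANDARD_NO_PAD` otherwise rejects.

```rust
  let encoded_server_setup = match env::var(OPAQUE_SERVER_SETUP) {
    Ok(env_setup) => {
      // … unchanged: info! log naming the env var …
      env_setup
    }
    // Set but unreadable: fail rather than silently switching to the file.
    Err(e @ env::VarError::NotUnicode(_)) => return Err(Error::Env(e)),
    Err(env::VarError::NotPresent) => {
      let file_setup = fs::read_to_string(path).map_err(|e| {
        error!(
          "Unable to read OPAQUE server setup from {}: {}",
          path.display(),
          e
        );
        e
      })?;
      info!("Using OPAQUE server setup from file: {}", path.display());
      file_setup
    }
  };

  // Tolerate a trailing newline added by a shell or secret store.
  let decoded_server_setup =
    general_purpose::STANDARD_NO_PAD.decode(encoded_server_setup.trim())?;
  // … unchanged: ServerSetup::deserialize(..).map_err(Error::Opaque) …
```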
@@ -106,3 +106,7 @@ pub const NONCE_LENGTH: usize = 17;
 // LocalStack
 pub const LOCALSTACK_ENDPOINT: &str = "LOCALSTACK_ENDPOINT";
+
+// OPAQUE Server Setup
+
+pub const OPAQUE_SERVER_SETUP: &str = "OPAQUE_SERVER_SETUP";
diff --git a/services/identity/src/keygen.rs b/services/identity/src/keygen.rs
index f02a1822af..4ff27d65f6 100644
--- a/services/identity/src/keygen.rs
+++ b/services/identity/src/keygen.rs
@@ -1,4 +1,5 @@
 use crate::constants::SECRETS_SETUP_FILE;
+use base64::{engine::general_purpose, Engine as _};
 use std::{fs, io, path};
 pub fn generate_and_persist_keypair(dir: &str) -> Result<(), io::Error> {
@@ -17,7 +18,9 @@ pub fn generate_and_persist_keypair(dir: &str) -> Result<(), io::Error> {
 eprintln!("{:?} already exists, skipping", path);
 } else {
 println!("Writing setup file to {:?}", path);
- fs::write(&path, server_setup.serialize())?;
+ let encoded_server_setup =
+ general_purpose::STANDARD_NO_PAD.encode(server_setup.serialize());
+ fs::write(&path, encoded_server_setup)?;
 }
 Ok(())
diff --git a/services/identity/src/main.rs b/services/identity/src/main.rs
index 3803ebc98c..2e7cdf3f5d 100644
--- a/services/identity/src/main.rs
+++ b/services/identity/src/main.rs
@@ -4,7 +4,6 @@ use clap::{Parser, Subcommand};
 use database::DatabaseClient;
 use moka::future::Cache;
 use tonic::transport::Server;
-use tracing_subscriber::FmtSubscriber;
 mod client_service;
 mod config;
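Review bot: In keygen.rs (the `@@ -17,7 +18,9 @@` hunk), the base64 setup string is still written with `fs::write`, which creates the file with the process's default mode (often group- or world-readable, depending on umask), although the content is the long-term OPAQUE server secret. Creating the file through `fs::OpenOptions` with `create_new(true)` and, on Unix, `mode(0o600)` restricts it to the owner and also closes the window between the existence check implied by the `already exists, skipping` branch and the write. This needs `std::io::Write` and `std::os::unix::fs::OpenOptionsExt` in scope and is Unix-specific, so it should be `cfg`-gated if the tool must build elsewhere. `generate_and_persist_keypair` starts and ends outside the hunk.

```rust
    // … unchanged: println!("Writing setup file to {:?}", path); …
    let encoded_server_setup =
      general_purpose::STANDARD_NO_PAD.encode(server_setup.serialize());
    // Owner-only file; create_new refuses to overwrite an existing setup.
    let mut setup_file = fs::OpenOptions::new()
      .write(true)
      .create_new(true)
      .mode(0o600)
      .open(&path)?;
    setup_file.write_all(encoded_server_setup.as_bytes())?;
```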