Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Custom jwt http ACL policy #114

Closed
wants to merge 2 commits into from
Closed

Custom jwt http ACL policy #114

wants to merge 2 commits into from

Conversation

austenLacy
Copy link

@austenLacy austenLacy commented Aug 1, 2023
edited
Loading

What

Adds a custom shopify JWT http ACL policy. It works by checking for a JWT token from header in the request and verifying that it's a valid JWT generated by Shopify. It also adds a configurable authorization service that validates a Shopify employee belongs to a declarative list of groups.

Manual testing

Verify it denies access if no token

spin@localhost:~/src/github.com/Shopify/vitess$ curl localhost:15100/debug/env
Access denied: not allowed: shopify_jwt security_policy enforced

Verify it works with a valid token

spin@localhost:~/src/github.com/Shopify/curl -H 'TOKEN_HEADER_HERE '"$TOKEN"'' localhost:15100/debug/env
<!DOCTYPE html>
        <h3>Internal Variables</h3>

        <table class="gridtable">

        <thead><tr>
                <th>Variable Name</th>
                <th>Value</th>
                <th>Action</th>
        </tr></thead>

        <tr><form method="POST">
                <td>PoolSize</td>
                <td>
                        <input type="hidden" name="varname" value="PoolSize"></input>
                        <input type="text" name="value" value="16"></input>
... # cut off for brevity

Verify a malformed JWT denies access

spin@localhost:~/src/github.com/Shopify/vitess$ curl -H 'TOKEN_HEADER_HERE foobar' localhost:15100/debug/env
Access denied: failed to parse JWT token: token is malformed: token contains an invalid number of segments

Verify an invalid JWT denies access

spin@localhost:~/src/github.com/Shopify/vitess$ curl -H 'TOKEN_HEADER_HERE '"$BAD_TOKEN"'' localhost:15100/debug/env
Access denied: failed to parse JWT token: token is unverifiable: error while executing keyfunc: the JWT has an invalid kid: could not find kid in JWT header

@austenLacy austenLacy changed the base branch from main to v15.0.3-shopify-4 August 1, 2023 18:48
@austenLacy austenLacy force-pushed the austenlacy/vitess-project-345/custom-http-acl-policy branch 2 times, most recently from d0dc688 to f218a39 Compare August 1, 2023 19:17
@austenLacy austenLacy force-pushed the austenlacy/vitess-project-345/custom-http-acl-policy branch from ffc1444 to 40957d3 Compare August 1, 2023 20:51
@austenLacy austenLacy changed the title Custom Minerva http ACL policy Custom jwt http ACL policy Aug 1, 2023
@austenLacy austenLacy force-pushed the austenlacy/vitess-project-345/custom-http-acl-policy branch 4 times, most recently from 7b49ea4 to 2dcc33b Compare August 1, 2023 20:58
@austenLacy austenLacy changed the title Custom jwt http ACL policy [DRAFT] Custom jwt http ACL policy Aug 7, 2023
@austenLacy austenLacy changed the title [DRAFT] Custom jwt http ACL policy Custom jwt http ACL policy Aug 28, 2023
@austenLacy austenLacy marked this pull request as ready for review August 28, 2023 14:05
@austenLacy austenLacy changed the base branch from v15.0.3-shopify-4 to v15.0.3-shopify-6 August 28, 2023 15:04
@austenLacy
add shopify_jwt acl policy
4d1cf29 
Signed-off-by: Austen Lacy <[email protected]>
@austenLacy austenLacy force-pushed the austenlacy/vitess-project-345/custom-http-acl-policy branch from 2dcc33b to 4d1cf29 Compare August 28, 2023 15:07
@github-actions
Copy link

This PR is being marked as stale because it has been open for 30 days with no activity. To rectify, you may do any of the following:

  • Push additional commits to the associated branch.
  • Remove the stale label.
  • Add a comment indicating why it is not stale.

If no action is taken within 7 days, this PR will be closed.

@github-actions github-actions bot added the Stale label Sep 29, 2023
@github-actions
Copy link

github-actions bot commented Oct 6, 2023

This PR was closed because it has been stale for 7 days with no activity.

@github-actions github-actions bot closed this Oct 6, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@brendar brendar Awaiting requested review from brendar

@hkdsun hkdsun Awaiting requested review from hkdsun

Assignees
No one assigned
Labels
Stale
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Bug Report: DELETE FROM <sequence table> fails with does not have a primary vindex
1 participant
@austenLacy