-
Notifications
You must be signed in to change notification settings - Fork 251
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add support for client certs #2596
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From a code quality perspective, this looks good to me (just a few nits). I don't have much opinion on whether this is the best way to expose SSL configuration options, but it looks reasonable to me.
@@ -216,6 +240,9 @@ pub struct RuntimeConfigOpts { | |||
|
|||
#[serde(skip)] | |||
pub file_path: Option<PathBuf>, | |||
|
|||
#[serde(rename = "client_tls", default)] | |||
pub client_tls_opts: Vec<ClientTlsOpts>, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's fairly common to need to change client certs at runtime based on some other logic (e.g presenting certs that represent a particular tenant in a system) - placing them in runtime config means that to use Spin, you'd need N different Spin apps running, which may be subpar
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To be clear, this is intended for cases where the client runtime cannot load client certificates. The Spin Javascript SDK v2 uses the browser's fetch
API is a clear example of this. The browser API cannot load certificates presented by the client - it needs the user to add those certificates into the root certificate store in order for that endpoint to be trusted.
I am hopeful that StarlingMonkey or Spin's SDK will eventually provide ways to load TLS certs via guest code similar to Deno, but we're not at that point yet.
(and yes, this is far from ideal)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think ideally we could define a standard API in terms of wasi:http, possibly using proposed request metadata (TLS config was one of my use cases for that proposal).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I just filed fermyon/spin-js-sdk#249 to track this feature request.
crates/trigger-http/src/lib.rs
Outdated
})?; | ||
|
||
let (mut sender, worker) = if use_tls { | ||
#[cfg(any(target_arch = "riscv64", target_arch = "s390x"))] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
riscv64 should work for TLS? do we need to update a dependency instead? (tokio-rustls >= 0.25.0 at least worked last i looked)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This impl is copied from wasmtime-wasi-http upstream.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ah i guess they haven't fixed it since upstream got fixed
crates/trigger/src/runtime_config.rs
Outdated
#[derive(Debug, Clone)] | ||
pub struct ParsedClientTlsOpts { | ||
pub components: Vec<String>, | ||
pub hosts: Vec<String>, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tests and documentation for what happens when multiple TLS blocks contain overlapping hosts would be pretty useful
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
great point. I added some testcases for it. right now the last block wins.
is that ok? or we want it to error out if different tls-config found for same component-id/host combination. what do you suggest.
also cc @lann
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Technically we should allow multiple certs to be configured; the tls negotiation can select from multiple.
(Though ime this is rarely used)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
in that case maybe we keep it simple and let the last block win (the current behavior) or should we fail it for now?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I might suggest first-wins here since that is how variable provider configs already work.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍 , I have now changed the logic to make first entry win.
I've addressed most of the review comments (except a few unwrap comments, and I do plan to address them before merge). if there are any additional comments, kindly let me know. thanks I will also continue to add more testcases to it until we are ready to merge the PR. |
I think I've addressed most of the review feedback. I can spend some more time to add more tests, but otherwise it looks ok for re-review. thanks |
Signed-off-by: Rajat Jindal <[email protected]>
Signed-off-by: Rajat Jindal <[email protected]>
Signed-off-by: Rajat Jindal <[email protected]>
Signed-off-by: Rajat Jindal <[email protected]>
Signed-off-by: Rajat Jindal <[email protected]>
Signed-off-by: Rajat Jindal <[email protected]>
Signed-off-by: Rajat Jindal <[email protected]>
Signed-off-by: Rajat Jindal <[email protected]>
Signed-off-by: Rajat Jindal <[email protected]>
Signed-off-by: Rajat Jindal <[email protected]>
Signed-off-by: Rajat Jindal <[email protected]>
Signed-off-by: Rajat Jindal <[email protected]>
Signed-off-by: Rajat Jindal <[email protected]>
Signed-off-by: Rajat Jindal <[email protected]>
Signed-off-by: Rajat Jindal <[email protected]>
Signed-off-by: Rajat Jindal <[email protected]>
Signed-off-by: Rajat Jindal <[email protected]>
Signed-off-by: Rajat Jindal <[email protected]>
Signed-off-by: Rajat Jindal <[email protected]>
Signed-off-by: Rajat Jindal <[email protected]>
Signed-off-by: Rajat Jindal <[email protected]>
Signed-off-by: Rajat Jindal <[email protected]>
Signed-off-by: Rajat Jindal <[email protected]>
Signed-off-by: Rajat Jindal <[email protected]>
Signed-off-by: Rajat Jindal <[email protected]>
efae441
to
cd2c096
Compare
Signed-off-by: Rajat Jindal <[email protected]>
Signed-off-by: Rajat Jindal <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good - I have some nits, but you can choose whether to address them or not.
Signed-off-by: Rajat Jindal <[email protected]>
I have addressed most of the nits you suggested. |
@rajatjindal feel free to merge this whenever you're ready |
this PR attempts to add support for client certs based auth. As a summary following are the changes done in this PR:
default_send_request_handler
function fromwasmtime::wasi_http
crate to spin and modifies it to support client-cert-auth and custom-root-ca.client_tls
as a newruntime_config
optioncomponent-id -> host:port
(TBD: do we consider default 443 port here if none provided)Known Limitation:
As of now, it will only work when the Outbound request is made from with-in an http-trigger. The other triggers (e.g. redis-trigger) uses a different code path and that has not been changed in this PR).
Example Runtime config:
I will attempt to add some runtime tests for these changes, but I wanted to submit the PR to be able to collect some initial feedback.
Thank you