New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding support for securing webtask execution #197
base: master
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm wondering what alternative flag names might be possible. I think --secure
might be a bit generic as there are many different approaches to securing a webtask.
bin/create.js
Outdated
type: 'boolean' | ||
}, | ||
'execution-scope': { | ||
description: 'Set the wt-execution-scope metadata property to the name of a custom scope that can be used for authorization of webtask execution. Requires --secure flag to be set.', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Set the wt-execution-scope
Missing a 'j'
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Where is the 'j' missing? I looked over 139-146...
lib/secureWebtask.js
Outdated
const JWT_MIDDLEWARE = '@webtask/jwt-middleware'; | ||
const JWT_MIDDLEWARE_VERSION = '^1.4.0'; | ||
|
||
module.exports = secureWebtask = (args, options) => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like we're accidentally creating a secureWebtask
global here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed
lib/secureWebtask.js
Outdated
const Request = Bluebird.promisifyAll(require('request')); | ||
const Cli = require('structured-cli'); | ||
|
||
const MIDDLWARE_COMPILER = '@webtask/middleware-compiler'; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Now that these are being used across several parts of the cli, I'd like to see these 'magic constants' centralized so that we only have to change one place to keep them up to date.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
lib/secureWebtask.js
Outdated
throw new Cli.error.serverError(`Unable to read response from the discovery endpoint.`); | ||
} | ||
|
||
args.meta['wt-execution-iss'] = body.authorization_server; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we add some checks to see that these are actually returned from the server?
lib/secureWebtask.js
Outdated
}); | ||
} | ||
|
||
function addMeta(args, res, options) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can't remember, but is there any situation in which args.meta
comes in as undefined
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, there is. If I run wt create {file} -p {profile} --secure --execution-scope wt:exec
there will be no args.meta
at the time when secureWebtask.js
gets called. The only way for args.meta
to be set is if middleware
or meta
are set by the user.
lib/secureWebtask.js
Outdated
args.meta['wt-middleware'] = JWT_MIDDLEWARE; | ||
} | ||
|
||
if (!args.syntheticDependencies[MIDDLWARE_COMPILER]) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Similar question, is there any code path in which args.syntheticDependencies
hasn't been defined yet?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, there is. If I run wt create {file} -p {profile} --secure --execution-scope wt:exec
there will be no syntheticDependencies
at the time when secureWebtask.js
gets called. The only way for syntheticDependencies
to be set is if middleware
or node-dependencies
are set by the user.
lib/validateCreateArgs.js
Outdated
@@ -44,6 +44,10 @@ function validateCreateArgs(args) { | |||
|
|||
} | |||
|
|||
if (args.profile.securityVersion === "v1" && args.secure){ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can't remember if we had decided to support custom issuers and custom audiences in the first iteration. What would you think about logic whereby either both --jwt-audience
and --jwt-issuer
are required or neither must be present. If neither are present, then we would fall back to discovering the defaults from the cluster.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ggoodman do you mean additional CLI flags with values that take precedence over the call to the discovery endpoint? I think it is a good idea and I can add it to the CLI.
@lzychowski can you add a sample to the PR description showing the usage patterns for a CLI user? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Following some discussions with the team, I wonder if we should rename jwt
to something more explicit like jwt-rsa256
or...?
To secure the execution of a webtask user can add the
--auth
flag to thecreate
method. Currently the only supported authentication method isjwt
.for example:
wt create file.js --auth jwt --meta-file meta
for V1 profileswt create file.js --auth jwt
for V2 profilesDeployments with V1 security enabled (required):
wt-execution-aud
metadata property which identifies the recipients that the JWT is intended for (requireswt-execution-iss
to be specified as well).wt-execution-iss
metadata property which identifies the principal that issued the JWT (requireswt-execution-aud
to be specified as well).Deployments with V2 security enabled (optional):
wt-execution-aud
metadata property which identifies the recipients that the JWT is intended for (requireswt-execution-iss
to be specified as well).wt-execution-iss
metadata property which identifies the principal that issued the JWT (requireswt-execution-aud
to be specified as well).wt-execution-iss
norwt-execution-aud
metadata properties are specified the wt cli will retrieve issuer and audience values from the deployment discovery endpoint. Automatic retrieval of the issuer and audience works only on deployments with V2 security turned on.Additional metadata can be specified when using this flag:
wt-execution-scope
metadata property to the name of a custom scope that can be used for authorization of webtask execution.See https://www.npmjs.com/package/@webtask/jwt-middleware for more details.