Adding support for securing webtask execution #197
Conversation
bin/create.js
Outdated
| type: 'boolean' | ||
| }, | ||
| 'execution-scope': { | ||
| description: 'Set the wt-execution-scope metadata property to the name of a custom scope that can be used for authorization of webtask execution. Requires --secure flag to be set.', |
There was a problem hiding this comment.
Set the wt-execution-scope
Missing a 'j'
There was a problem hiding this comment.
Where is the 'j' missing? I looked over 139-146...
lib/secureWebtask.js
Outdated
| const JWT_MIDDLEWARE = '@webtask/jwt-middleware'; | ||
| const JWT_MIDDLEWARE_VERSION = '^1.4.0'; | ||
|
|
||
| module.exports = secureWebtask = (args, options) => { |
There was a problem hiding this comment.
Looks like we're accidentally creating a secureWebtask global here.
lib/secureWebtask.js
Outdated
| const Request = Bluebird.promisifyAll(require('request')); | ||
| const Cli = require('structured-cli'); | ||
|
|
||
| const MIDDLWARE_COMPILER = '@webtask/middleware-compiler'; |
There was a problem hiding this comment.
Now that these are being used across several parts of the cli, I'd like to see these 'magic constants' centralized so that we only have to change one place to keep them up to date.
lib/secureWebtask.js
Outdated
| throw new Cli.error.serverError(`Unable to read response from the discovery endpoint.`); | ||
| } | ||
|
|
||
| args.meta['wt-execution-iss'] = body.authorization_server; |
There was a problem hiding this comment.
Can we add some checks to see that these are actually returned from the server?
lib/secureWebtask.js
Outdated
| }); | ||
| } | ||
|
|
||
| function addMeta(args, res, options) { |
There was a problem hiding this comment.
I can't remember, but is there any situation in which args.meta comes in as undefined?
There was a problem hiding this comment.
Yes, there is. If I run wt create {file} -p {profile} --secure --execution-scope wt:exec there will be no args.meta at the time when secureWebtask.js gets called. The only way for args.meta to be set is if middleware or meta are set by the user.
lib/secureWebtask.js
Outdated
| args.meta['wt-middleware'] = JWT_MIDDLEWARE; | ||
| } | ||
|
|
||
| if (!args.syntheticDependencies[MIDDLWARE_COMPILER]) { |
There was a problem hiding this comment.
Similar question, is there any code path in which args.syntheticDependencies hasn't been defined yet?
There was a problem hiding this comment.
Yes, there is. If I run wt create {file} -p {profile} --secure --execution-scope wt:exec there will be no syntheticDependencies at the time when secureWebtask.js gets called. The only way for syntheticDependencies to be set is if middleware or node-dependencies are set by the user.
lib/validateCreateArgs.js
Outdated
| @@ -44,6 +44,10 @@ function validateCreateArgs(args) { | |||
|
|
|||
| } | |||
|
|
|||
| if (args.profile.securityVersion === "v1" && args.secure){ | |||
There was a problem hiding this comment.
I can't remember if we had decided to support custom issuers and custom audiences in the first iteration. What would you think about logic whereby either both --jwt-audience and --jwt-issuer are required or neither must be present. If neither are present, then we would fall back to discovering the defaults from the cluster.
There was a problem hiding this comment.
@ggoodman do you mean additional CLI flags with values that take precedence over the call to the discovery endpoint? I think it is a good idea and I can add it to the CLI.
|
@lzychowski can you add a sample to the PR description showing the usage patterns for a CLI user? |
To secure the execution of a webtask user can add the
--authflag to thecreatemethod. Currently the only supported authentication method isjwt.for example:
wt create file.js --auth jwt --meta-file metafor V1 profileswt create file.js --auth jwtfor V2 profilesDeployments with V1 security enabled (required):
wt-execution-audmetadata property which identifies the recipients that the JWT is intended for (requireswt-execution-issto be specified as well).wt-execution-issmetadata property which identifies the principal that issued the JWT (requireswt-execution-audto be specified as well).Deployments with V2 security enabled (optional):
wt-execution-audmetadata property which identifies the recipients that the JWT is intended for (requireswt-execution-issto be specified as well).wt-execution-issmetadata property which identifies the principal that issued the JWT (requireswt-execution-audto be specified as well).wt-execution-issnorwt-execution-audmetadata properties are specified the wt cli will retrieve issuer and audience values from the deployment discovery endpoint. Automatic retrieval of the issuer and audience works only on deployments with V2 security turned on.Additional metadata can be specified when using this flag:
wt-execution-scopemetadata property to the name of a custom scope that can be used for authorization of webtask execution.See https://www.npmjs.com/package/@webtask/jwt-middleware for more details.