feat: make secret configurable & use CookieStore for sessions
xDarksome committed Jul 11, 2023
1 parent 7fe7ec0 commit 5b02c84
Showing 12 changed files with 29 additions and 19 deletions.
2 changes: 2 additions & 0 deletions .env.example
Expand Up @@ -16,5 +16,7 @@ PROJECT_REGISTRY_AUTH_TOKEN="See 1Password: cloudflare-workers/prod/internal-api
PROJECT_REGISTRY_CACHE_URL=redis://localhost:6379/1
TEST_PROJECT_ID="Create one on https://wc-cloud-staging.vercel.app"

SECRET="See 1Password: prod-bouncer-secret"

# Terraform
GRAFANA_AUTH=
1 change: 1 addition & 0 deletions .github/workflows/cd.yml
Expand Up @@ -11,6 +11,7 @@ concurrency:

env:
TF_VAR_project_registry_auth_token: ${{ secrets.PROJECT_REGISTRY_AUTH_TOKEN }}
TF_VAR_secret: ${{ secrets.SECRET }}

jobs:
get-version:
1 change: 1 addition & 0 deletions .github/workflows/ci_terraform.yml
Expand Up @@ -19,6 +19,7 @@ concurrency:

env:
TF_VAR_project_registry_auth_token: ${{ secrets.PROJECT_REGISTRY_AUTH_TOKEN }}
TF_VAR_secret: ${{ secrets.SECRET }}

jobs:
fmt:
1 change: 1 addition & 0 deletions .github/workflows/deploy.yml
Expand Up @@ -17,6 +17,7 @@ concurrency:

env:
TF_VAR_project_registry_auth_token: ${{ secrets.PROJECT_REGISTRY_AUTH_TOKEN }}
TF_VAR_secret: ${{ secrets.SECRET }}

jobs:
build-container:
1 change: 0 additions & 1 deletion Cargo.lock


1 change: 0 additions & 1 deletion Cargo.toml
Expand Up @@ -42,7 +42,6 @@ derive_more = "0.99"
envy = "0.4"
futures = "0.3"
log = "0.4"
rand = "0.8"
thiserror = "1.0"
tap = "1.0"

23 changes: 11 additions & 12 deletions src/http_server/mod.rs
Expand Up @@ -11,7 +11,7 @@ use {
axum_sessions::{async_session, SessionLayer},
futures::FutureExt,
hyper::{header, Method, StatusCode},
std::{future::Future, iter, net::SocketAddr, sync::Arc},
std::{future::Future, iter, net::SocketAddr, sync::Arc, time::Duration},
tap::{Pipe, Tap},
tower_http::cors::{self, CorsLayer},
tracing::{info, instrument},
Expand Down Expand Up @@ -39,7 +39,8 @@ pub async fn run(
.allow_origin(cors::Any)
.allow_methods([Method::OPTIONS, Method::GET]);

let session_layer = SessionLayer::new(async_session::MemoryStore::new(), session_secret);
let session_layer = SessionLayer::new(async_session::CookieStore, session_secret)
.with_session_ttl(Some(Duration::from_secs(60 * 60))); // 1 hour

let metrics_layer = MetricLayerBuilder::new()
// We overwrite enexpected enpoint paths here, otherwise this label will collect a bunch
Expand Down Expand Up @@ -92,16 +93,14 @@ const UNKNOWN_PROJECT_MSG: &str = "Project with the provided ID doesn't exist. P
pub async fn root(
State(app): State<Arc<impl Bouncer>>,
Path(project_id): Path<ProjectId>,
) -> Result<impl IntoResponse, Response> {
let headers = match app.get_verify_status(project_id).await? {
VerifyStatus::Disabled => None,
VerifyStatus::Enabled { verified_domains } => Some([(
header::CONTENT_SECURITY_POLICY,
build_content_security_header(verified_domains),
)]),
};

Ok((headers, Html(INDEX_HTML)))
) -> Result<Response, Response> {
Ok(match app.get_verify_status(project_id).await? {
VerifyStatus::Disabled => String::new().into_response(),
VerifyStatus::Enabled { verified_domains } => {
let csp = build_content_security_header(verified_domains);
([(header::CONTENT_SECURITY_POLICY, csp)], Html(INDEX_HTML)).into_response()
}
})
}

impl From<GetVerifyStatusError> for Response {
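Review bot: With `async_session::CookieStore` at lines 88–89 the whole session state lives in the client's cookie, so the secret passed as `session_secret` becomes the sole guarantee of session integrity — and because that secret is now a fixed configuration value rather than generated per process, rotating it invalidates every outstanding session while a leaked value lets anyone mint a valid one; that is worth a comment on the layer, e.g. `// Session state is kept client-side in the cookie; rotating SECRET invalidates all sessions.`. The magic `60 * 60` would read better as a named constant, `const SESSION_TTL: Duration = Duration::from_secs(60 * 60);`, in place of the trailing `// 1 hour`. Separately, the `Disabled` arm of `root` at line 109 now answers with an empty `String` body instead of `Html(INDEX_HTML)`, a behaviour change the commit title does not mention; if it is intentional it deserves a comment. The `run` function starts and ends outside the hunk.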
8 changes: 3 additions & 5 deletions src/main.rs
Expand Up @@ -10,7 +10,6 @@ use {
},
build_info::VersionControl,
futures::{future::select, FutureExt},
rand::RngCore,
serde::{Deserialize, Deserializer},
std::{future::Future, str::FromStr},
tokio::signal::unix::{signal, SignalKind},
Expand All @@ -37,6 +36,8 @@ pub struct Configuration {
pub project_registry_url: String,
pub project_registry_auth_token: String,
pub project_registry_cache_url: String,

pub secret: String,
}

build_info::build_info!(fn build_info);
Expand Down Expand Up @@ -86,13 +87,10 @@ async fn main() -> Result<(), anyhow::Error> {

let app = bouncer::new((attestation_store, project_registry));

let mut session_secret = [0; 64];
rand::thread_rng().try_fill_bytes(&mut session_secret)?;

bouncer::http_server::run(
app,
config.port,
&session_secret,
config.secret.as_bytes(),
move || prometheus.render(),
config.prometheus_port,
health_provider,
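Review bot: `config.secret.as_bytes()` at line 149 is handed to the session layer with no length check, whereas the removed code at lines 142–143 always supplied 64 random bytes; as far as I recall `SessionLayer::new` in axum_sessions panics on a secret shorter than 64 bytes, so a short or empty `SECRET` now crashes the service at startup with a panic rather than a configuration error. I would validate before the call, e.g. `anyhow::ensure!(config.secret.len() >= 64, "SECRET must be at least 64 bytes");` (`main` already returns `anyhow::Error`), and `.env.example` gives no hint of that minimum either. If `Configuration` derives `Debug` (the derive line is outside the hunk), the new `secret` field will appear in any debug print of the config. The `main` function continues outside the hunk.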
1 change: 1 addition & 0 deletions terraform/ecs/main.tf
Expand Up @@ -66,6 +66,7 @@ resource "aws_ecs_task_definition" "app_task_definition" {
{ name = "PROJECT_REGISTRY_CACHE_URL", value = "redis://${var.redis_url}/1" },
{ name = "PROJECT_REGISTRY_URL", value = var.project_registry_url },
{ name = "PROJECT_REGISTRY_AUTH_TOKEN", value = var.project_registry_auth_token },
{ name = "SECRET", value = var.secret },
],
dependsOn = [
{ containerName = "aws-otel-collector", condition = "START" }
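Review bot: The new `SECRET` entry at line 160 goes into the task definition's plain `environment` list, so the session secret is readable by anyone who can describe the task definition or open it in the console; the container definition's `secrets` list with a `valueFrom` pointing at an SSM Parameter Store or Secrets Manager entry keeps it out of the definition. This follows the existing pattern for `PROJECT_REGISTRY_AUTH_TOKEN` on the line above, so it may be a deliberate trade-off, but a comment saying so would help. The `app_task_definition` resource continues outside the hunk.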
4 changes: 4 additions & 0 deletions terraform/ecs/variables.tf
Expand Up @@ -28,6 +28,10 @@ variable "project_registry_auth_token" {
sensitive = true
}

variable "secret" {
type = string
}

variable "prometheus_endpoint" {
type = string
}
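Review bot: The new `variable "secret"` block at lines 171–173 is missing `sensitive = true`, unlike the neighbouring `project_registry_auth_token` whose closing lines are visible at 168–169, so Terraform will echo the value in plan/apply output and CI logs; add `sensitive = true` inside the block. The same omission is in the copy of the variable in `terraform/variables.tf`.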
1 change: 1 addition & 0 deletions terraform/main.tf
Expand Up @@ -102,4 +102,5 @@ module "ecs" {
redis_url = module.redis.endpoint
project_registry_url = var.project_registry_url
project_registry_auth_token = var.project_registry_auth_token
secret = var.secret
}
4 changes: 4 additions & 0 deletions terraform/variables.tf
Expand Up @@ -12,6 +12,10 @@ variable "region" {
default = "eu-central-1"
}

variable "secret" {
type = string
}

variable "azs" {
type = list(string)
default = ["eu-central-1a", "eu-central-1b", "eu-central-1c"]
