
External policy hook #252

Merged
merged 17 commits into from
Oct 31, 2022

e-asphyx
Contributor

The PR adds an "external policy hook" feature with the reference implementation of a corresponding service.

@e-asphyx e-asphyx self-assigned this Sep 27, 2022

cloudflare-workers-and-pages bot commented Oct 25, 2022

Deploying with Cloudflare Pages

Latest commit: ea3f2fb
Status: ✅  Deploy successful!
Preview URL: https://17a0cbe9.signatory.pages.dev
Branch Preview URL: https://external-policy-hook.signatory.pages.dev


docs/remote_policy.md Outdated
* "public key hash" -> "public key"

codeclimate bot commented Oct 27, 2022

Code Climate has analyzed commit ea3f2fb and detected 7 issues on this pull request.

Here's the issue category breakdown:

| Category | Count |
| --- | --- |
| Complexity | 7 |

The test coverage on the diff in this pull request is 61.9% (50% is the threshold).

This pull request will bring the total coverage in the repository to 46.9% (0.7% change).


@danielelisi
Contributor

I've tested this PR by using the approve-list-svc server implementation provided and I can confirm it works as expected. I've also tested failing scenarios using different pub/private key pairs and by allowing/denying IP addresses in the configuration file.

When an external policy hook key pair isn't recognized, we receive the following `Error signing request: tezos: unknown signature type` error with a 500 HTTP response from the external policy service:

INFO[0004] GET /authorized_keys                          duration="189.206µs" hostname="localhost:6732" method=GET path=/authorized_keys start_time="2022-10-28T18:27:21-07:00" status=200
ERRO[0004] tezos: unknown signature type                 ops="map[transaction:1]" ops_total=1 pkh=tz1ck3EJwzFpbLVmXVuEn5Ptwzc6Aj14mHSH request=generic vault=File vault_name=local_file_keys
ERRO[0004] Error signing request: tezos: unknown signature type 
INFO[0004] POST /keys/tz1ck3EJwzFpbLVmXVuEn5Ptwzc6Aj14mHSH  duration=2.713772ms hostname="localhost:6732" method=POST path=/keys/tz1ck3EJwzFpbLVmXVuEn5Ptwzc6Aj14mHSH start_time="2022-10-28T18:27:21-07:00" status=500

Whereas when we try signing an operation from an IP address not included in the allow list, we get an `Error signing request: policy hook: address 127.0.0.1 is not allowed` error and a 403 HTTP error from the external policy service:

INFO[0003] GET /authorized_keys                          duration="161.324µs" hostname="localhost:6732" method=GET path=/authorized_keys start_time="2022-10-28T18:28:03-07:00" status=200
INFO[0003] Requesting signing operation                  ops="map[transaction:1]" ops_total=1 pkh=tz1ck3EJwzFpbLVmXVuEn5Ptwzc6Aj14mHSH request=generic vault=File vault_name=local_file_keys
INFO[0003] About to sign raw bytes                       ops="map[transaction:1]" ops_total=1 pkh=tz1ck3EJwzFpbLVmXVuEn5Ptwzc6Aj14mHSH raw=03e26c9929ef01d207f1d0b93027692f5411d1450684a1c5b4c06a653bc6bb87236c00bb9d15400eae78d1c8da772a4ffe2296bb72ac4ee102bef512e90700c0843d0000847bc75d1d2300d8949bfe3d523edd8a1248875800 request=generic vault=File vault_name=local_file_keys
INFO[0003] Signed generic successfully                   ops="map[transaction:1]" ops_total=1 pkh=tz1ck3EJwzFpbLVmXVuEn5Ptwzc6Aj14mHSH request=generic vault=File vault_name=local_file_keys
INFO[0003] POST /keys/tz1ck3EJwzFpbLVmXVuEn5Ptwzc6Aj14mHSH  duration=9.705053ms hostname="localhost:6732" method=POST path=/keys/tz1ck3EJwzFpbLVmXVuEn5Ptwzc6Aj14mHSH start_time="2022-10-28T18:28:03-07:00" status=200
INFO[0025] GET /authorized_keys                          duration="46.58µs" hostname="localhost:6732" method=GET path=/authorized_keys start_time="2022-10-28T18:28:24-07:00" status=200
ERRO[0025] policy hook: address 127.0.0.1 is not allowed  ops="map[transaction:1]" ops_total=1 pkh=tz1ck3EJwzFpbLVmXVuEn5Ptwzc6Aj14mHSH request=generic vault=File vault_name=local_file_keys
ERRO[0025] Error signing request: policy hook: address 127.0.0.1 is not allowed 
INFO[0025] POST /keys/tz1ck3EJwzFpbLVmXVuEn5Ptwzc6Aj14mHSH  duration=2.454961ms hostname="localhost:6732" method=POST path=/keys/tz1ck3EJwzFpbLVmXVuEn5Ptwzc6Aj14mHSH start_time="2022-10-28T18:28:24-07:00" status=403

If the key pair configuration matches and the client IP is in the external policy service IP allow list, then Signatory correctly signs the operation:

INFO[0003] GET /authorized_keys                          duration="210.21µs" hostname="localhost:6732" method=GET path=/authorized_keys start_time="2022-10-28T18:28:57-07:00" status=200
INFO[0003] Requesting signing operation                  ops="map[transaction:1]" ops_total=1 pkh=tz1ck3EJwzFpbLVmXVuEn5Ptwzc6Aj14mHSH request=generic vault=File vault_name=local_file_keys
INFO[0003] About to sign raw bytes                       ops="map[transaction:1]" ops_total=1 pkh=tz1ck3EJwzFpbLVmXVuEn5Ptwzc6Aj14mHSH raw=0318546f8e435a18479e31d38f6d54216764fa061f39f20ca771dacb86462c4ed46c00bb9d15400eae78d1c8da772a4ffe2296bb72ac4ee102bff512e90700c0843d0000847bc75d1d2300d8949bfe3d523edd8a1248875800 request=generic vault=File vault_name=local_file_keys
INFO[0003] Signed generic successfully                   ops="map[transaction:1]" ops_total=1 pkh=tz1ck3EJwzFpbLVmXVuEn5Ptwzc6Aj14mHSH request=generic vault=File vault_name=local_file_keys
INFO[0003] POST /keys/tz1ck3EJwzFpbLVmXVuEn5Ptwzc6Aj14mHSH  duration=5.092695ms hostname="localhost:6732" method=POST path=/keys/tz1ck3EJwzFpbLVmXVuEn5Ptwzc6Aj14mHSH start_time="2022-10-28T18:28:57-07:00" status=200
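
One way to tell the three outcomes in the comment above apart when reviewing Signatory logs, added here as an example and not part of the PR or of Signatory's own code: it parses lines in the log format quoted above and pairs each outcome with the HTTP status returned for the same key. The sample lines, the placeholder key hash `tz1EXAMPLE` and the outcome labels are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Event is one signing attempt: key hash, outcome, HTTP status sent to the client.
type Event struct{ PKH, Outcome, Status string }
// line splits a logrus text line into level, message and trailing key=value fields.
var line = regexp.MustCompile(`^(INFO|ERRO)\[\d+\] (.*?)((?:\s+\w+=(?:"[^"]*"|\S+))*)\s*$`)
var field = regexp.MustCompile(`(\w+)=("[^"]*"|\S+)`)
// Constructed sample in the log format quoted above; tz1EXAMPLE is a placeholder.
const sample = `ERRO[0004] tezos: unknown signature type                 ops_total=1 pkh=tz1EXAMPLE request=generic
INFO[0004] POST /keys/tz1EXAMPLE  duration=2.7ms method=POST path=/keys/tz1EXAMPLE status=500
ERRO[0025] policy hook: address 127.0.0.1 is not allowed  ops_total=1 pkh=tz1EXAMPLE request=generic
ERRO[0025] Error signing request: policy hook: address 127.0.0.1 is not allowed
INFO[0025] POST /keys/tz1EXAMPLE  duration=2.4ms method=POST path=/keys/tz1EXAMPLE status=403
INFO[0030] Signed generic successfully                   ops_total=1 pkh=tz1EXAMPLE request=generic
INFO[0030] POST /keys/tz1EXAMPLE  duration="950µs" method=POST path=/keys/tz1EXAMPLE status=200`

// Triage pairs each outcome line (it carries pkh=) with the next POST /keys/<pkh> status.
// Outcome labels are this example's own names, following the comment's description.
func Triage(log string) (out []Event) {
	pending := map[string]string{} // pkh -> outcome still waiting for its status line
	for _, l := range strings.Split(log, "\n") {
		m := line.FindStringSubmatch(l)
		if m == nil {
			continue // not a log line in the expected format
		}
		level, msg, f := m[1], m[2], map[string]string{}
		for _, kv := range field.FindAllStringSubmatch(m[3], -1) {
			f[kv[1]] = strings.Trim(kv[2], `"`)
		}
		pkh := strings.TrimPrefix(f["path"], "/keys/")
		switch {
		case level == "ERRO" && strings.HasPrefix(msg, "policy hook:"):
			pending[f["pkh"]] = "policy_denied"
		case level == "ERRO" && msg == "tezos: unknown signature type":
			pending[f["pkh"]] = "hook_key_unrecognized"
		case strings.HasPrefix(msg, "Signed ") && strings.HasSuffix(msg, " successfully"):
			pending[f["pkh"]] = "signed"
		case f["method"] == "POST" && pending[pkh] != "":
			out = append(out, Event{pkh, pending[pkh], f["status"]})
			delete(pending, pkh)
		}
	}
	return out
}
func main() { fmt.Println(Triage(sample)) }
```

The prefix match on `policy hook:` skips the repeated `Error signing request: ...` line, so each denial is counted once.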

.gitignore Outdated
Comment on lines 24 to 25
signatory
signatory-cli
Contributor

Why are you removing the compiled binaries from the .gitignore?

Contributor

I'll revert this change in the .gitignore since when we compile with make all the Signatory binaries are added to the root folder.

@danielelisi danielelisi merged commit 8c3af77 into main Oct 31, 2022