From bd87a68fd72279b8f4d605703c4bbed77e7eeac3 Mon Sep 17 00:00:00 2001 From: davidvader Date: Fri, 21 Oct 2022 18:34:52 -0500 Subject: [PATCH 01/19] wip: queue item signing via asymm keys --- api/webhook.go | 1 - cmd/vela-server/queue.go | 11 ++++++----- cmd/vela-server/server.go | 1 + docker-compose.yml | 8 +++++++- queue/flags.go | 12 ++++++++++++ queue/redis/opts.go | 35 +++++++++++++++++++++++++++++++++++ queue/redis/pop.go | 20 +++++++++++++++++++- queue/redis/push.go | 16 +++++++++++++++- queue/redis/redis.go | 4 ++++ queue/setup.go | 6 ++++++ router/middleware/signing.go | 18 ++++++++++++++++++ 11 files changed, 123 insertions(+), 9 deletions(-) create mode 100644 router/middleware/signing.go diff --git a/api/webhook.go b/api/webhook.go index 1df0171a2..89cae67a9 100644 --- a/api/webhook.go +++ b/api/webhook.go @@ -690,7 +690,6 @@ func PostWebhook(c *gin.Context) { // a build item and publishes it to the queue. func publishToQueue(queue queue.Service, db database.Service, p *pipeline.Build, b *library.Build, r *library.Repo, u *library.User) { item := types.ToItem(p, b, r, u) - logrus.Infof("Converting queue item to json for build %d for %s", b.GetNumber(), r.GetFullName()) byteItem, err := json.Marshal(item) diff --git a/cmd/vela-server/queue.go b/cmd/vela-server/queue.go index 677137e18..891cfd950 100644 --- a/cmd/vela-server/queue.go +++ b/cmd/vela-server/queue.go @@ -18,11 +18,12 @@ func setupQueue(c *cli.Context) (queue.Service, error) { // queue configuration _setup := &queue.Setup{ - Driver: c.String("queue.driver"), - Address: c.String("queue.addr"), - Cluster: c.Bool("queue.cluster"), - Routes: c.StringSlice("queue.routes"), - Timeout: c.Duration("queue.pop.timeout"), + Driver: c.String("queue.driver"), + Address: c.String("queue.addr"), + Cluster: c.Bool("queue.cluster"), + Routes: c.StringSlice("queue.routes"), + Timeout: c.Duration("queue.pop.timeout"), + EncodedSigningPrivateKey: c.String("queue.signing.private-key"), } // setup the queue diff --git a/cmd/vela-server/server.go b/cmd/vela-server/server.go index 114639501..ef883cbb8 100644 --- a/cmd/vela-server/server.go +++ b/cmd/vela-server/server.go @@ -93,6 +93,7 @@ func server(c *cli.Context) error { middleware.Secret(c.String("vela-secret")), middleware.Secrets(secrets), middleware.Scm(scm), + middleware.QueueSigningPrivateKey(c.String("queue.signing.private-key")), middleware.Allowlist(c.StringSlice("vela-repo-allowlist")), middleware.DefaultBuildLimit(c.Int64("default-build-limit")), middleware.DefaultTimeout(c.Int64("default-build-timeout")), diff --git a/docker-compose.yml b/docker-compose.yml index 7f9710d94..edb21aa04 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -41,6 +41,7 @@ services: VELA_ACCESS_TOKEN_DURATION: 60m VELA_DISABLE_WEBHOOK_VALIDATION: 'true' VELA_ENABLE_SECURE_COOKIE: 'false' + VELA_SIGNING_PRIVATE_KEY: 'AgbF+m6RVXvw+mV+K7FkfRBZoYYRsLTg4Dq4yNvuTdNl2CpoXfmJYM/4D+Nsrcm7XZVex6/BMiUjCZZd9hUx2g==' env_file: - .env restart: always @@ -59,7 +60,11 @@ services: # https://go-vela.github.io/docs/administration/worker/ worker: container_name: worker - image: target/vela-worker:latest + build: + context: ../worker + dockerfile: Dockerfile + image: worker:local + # image: target/vela-worker:latest networks: - vela environment: @@ -76,6 +81,7 @@ services: VELA_SERVER_SECRET: 'zB7mrKDTZqNeNTD8z47yG4DHywspAh' WORKER_ADDR: 'http://worker:8080' WORKER_CHECK_IN: 5m + VELA_SIGNING_PUBLIC_KEY: 'ZdgqaF35iWDP+A/jbK3Ju12VXsevwTIlIwmWXfYVMdx=' restart: always ports: - '8081:8080' diff --git a/queue/flags.go b/queue/flags.go index 0fd1e23a6..373fc74dc 100644 --- a/queue/flags.go +++ b/queue/flags.go @@ -50,4 +50,16 @@ var Flags = []cli.Flag{ Usage: "timeout for requests that pop items off the queue", Value: 60 * time.Second, }, + &cli.StringFlag{ + EnvVars: []string{"VELA_SIGNING_PRIVATE_KEY"}, + FilePath: "/vela/signing.key", + Name: "queue.signing.private-key", + Usage: "set value of queue signing private key", + }, + &cli.StringFlag{ + EnvVars: []string{"VELA_SIGNING_PUBLIC_KEY"}, + FilePath: "/vela/signing.pub", + Name: "queue.signing.public-key", + Usage: "set value of queue signing public key", + }, } diff --git a/queue/redis/opts.go b/queue/redis/opts.go index aabcfea05..f2e5ddb74 100644 --- a/queue/redis/opts.go +++ b/queue/redis/opts.go @@ -5,6 +5,7 @@ package redis import ( + "encoding/base64" "fmt" "time" ) @@ -69,3 +70,37 @@ func WithTimeout(timeout time.Duration) ClientOpt { return nil } } + +// WithPrivateKey sets the private key in the queue client for Redis. +func WithPrivateKey(privateKeyEncoded string) ClientOpt { + return func(c *client) error { + c.Logger.Trace("configuring private key in redis queue client") + + privateKeyDecoded, err := base64.StdEncoding.DecodeString(privateKeyEncoded) + if err != nil { + return err + } + + c.config.SigningPrivateKey = new([64]byte) + copy(c.config.SigningPrivateKey[:], privateKeyDecoded) + + return nil + } +} + +// WithPublicKey sets the public key in the queue client for Redis. +func WithPublicKey(publicKeyEncoded string) ClientOpt { + return func(c *client) error { + c.Logger.Tracef("configuring public key in redis queue client") + + publicKeyDecoded, err := base64.StdEncoding.DecodeString(publicKeyEncoded) + if err != nil { + return err + } + + c.config.SigningPublicKey = new([32]byte) + copy(c.config.SigningPublicKey[:], publicKeyDecoded) + + return nil + } +} diff --git a/queue/redis/pop.go b/queue/redis/pop.go index 3f698a5f0..5f4f7d22e 100644 --- a/queue/redis/pop.go +++ b/queue/redis/pop.go @@ -11,6 +11,7 @@ import ( "github.com/go-redis/redis/v8" "github.com/go-vela/types" + "golang.org/x/crypto/nacl/sign" ) // Pop grabs an item from the specified channel off the queue. @@ -35,10 +36,27 @@ func (c *client) Pop(ctx context.Context) (*types.Item, error) { return nil, err } + // check for this on startup + if c.config.SigningPublicKey == nil || len(*c.config.SigningPublicKey) != 32 { + return nil, errors.New("no valid signing public key provided") + } + + _item := []byte(result[1]) + var opened []byte + var out []byte + + // open item + opened, ok := sign.Open(out, _item, c.config.SigningPublicKey) + if !ok { + return nil, errors.New("unable to open queue item") + } + + _item = opened + item := new(types.Item) // unmarshal result into queue item - err = json.Unmarshal([]byte(result[1]), item) + err = json.Unmarshal(_item, item) if err != nil { return nil, err } diff --git a/queue/redis/push.go b/queue/redis/push.go index 620e1174a..53fad345b 100644 --- a/queue/redis/push.go +++ b/queue/redis/push.go @@ -6,16 +6,30 @@ package redis import ( "context" + "errors" + + "golang.org/x/crypto/nacl/sign" ) // Push inserts an item to the specified channel in the queue. func (c *client) Push(ctx context.Context, channel string, item []byte) error { c.Logger.Tracef("pushing item to queue %s", channel) + var signed []byte + var out []byte + + // check for this on startup + if c.config.SigningPrivateKey != nil && len(*c.config.SigningPrivateKey) == 64 { + c.Logger.Tracef("signing item for queue %s", channel) + signed = sign.Sign(out, item, c.config.SigningPrivateKey) + } else { + return errors.New("no valid signing private key provided") + } + // build a redis queue command to push an item to queue // // https://pkg.go.dev/github.com/go-redis/redis?tab=doc#Client.RPush - pushCmd := c.Redis.RPush(ctx, channel, item) + pushCmd := c.Redis.RPush(ctx, channel, signed) // blocking call to push an item to queue and return err // diff --git a/queue/redis/redis.go b/queue/redis/redis.go index 2821e3cde..b562c3108 100644 --- a/queue/redis/redis.go +++ b/queue/redis/redis.go @@ -25,6 +25,10 @@ type config struct { Cluster bool // specifies the timeout to use for the Redis client Timeout time.Duration + // key for signing items pushed to the Redis client + SigningPrivateKey *[64]byte + // key for opening items popped from the Redis client + SigningPublicKey *[32]byte } type client struct { diff --git a/queue/setup.go b/queue/setup.go index ae69a1429..fa01e7460 100644 --- a/queue/setup.go +++ b/queue/setup.go @@ -30,6 +30,10 @@ type Setup struct { Routes []string // specifies the timeout for pop requests for the queue client Timeout time.Duration + // encoded key used for signing items pushed to the queue + EncodedSigningPrivateKey string + // encoded key used for opening items popped from the queue + EncodedSigningPublicKey string } // Redis creates and returns a Vela service capable @@ -45,6 +49,8 @@ func (s *Setup) Redis() (Service, error) { redis.WithChannels(s.Routes...), redis.WithCluster(s.Cluster), redis.WithTimeout(s.Timeout), + redis.WithPrivateKey(s.EncodedSigningPrivateKey), + redis.WithPublicKey(s.EncodedSigningPublicKey), ) } diff --git a/router/middleware/signing.go b/router/middleware/signing.go new file mode 100644 index 000000000..0212d1e7d --- /dev/null +++ b/router/middleware/signing.go @@ -0,0 +1,18 @@ +// Copyright (c) 2022 Target Brands, Inc. All rights reserved. +// +// Use of this source code is governed by the LICENSE file in this repository. + +package middleware + +import ( + "github.com/gin-gonic/gin" +) + +// QueueSigningPrivateKey is a middleware function that attaches the private key used +// to sign items that are pushed to the queue. +func QueueSigningPrivateKey(key string) gin.HandlerFunc { + return func(c *gin.Context) { + c.Set("queue.signing.private-key", key) + c.Next() + } +} From 41a1bba88355d945822c1d15e539c55cf683d8b8 Mon Sep 17 00:00:00 2001 From: davidvader Date: Fri, 21 Oct 2022 18:36:33 -0500 Subject: [PATCH 02/19] revert: docker-compose local changes --- docker-compose.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index edb21aa04..dd10ff3b6 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -60,11 +60,7 @@ services: # https://go-vela.github.io/docs/administration/worker/ worker: container_name: worker - build: - context: ../worker - dockerfile: Dockerfile - image: worker:local - # image: target/vela-worker:latest + image: target/vela-worker:latest networks: - vela environment: From 70e9b23f61b6118272e854b01de0c4425cd9f8f8 Mon Sep 17 00:00:00 2001 From: davidvader Date: Fri, 21 Oct 2022 18:40:32 -0500 Subject: [PATCH 03/19] wip: queue item signing via asymm keys --- queue/redis/pop.go | 17 +++++++++-------- queue/redis/push.go | 12 ++++++++---- 2 files changed, 17 insertions(+), 12 deletions(-) diff --git a/queue/redis/pop.go b/queue/redis/pop.go index 5f4f7d22e..cfea5f772 100644 --- a/queue/redis/pop.go +++ b/queue/redis/pop.go @@ -41,22 +41,23 @@ func (c *client) Pop(ctx context.Context) (*types.Item, error) { return nil, errors.New("no valid signing public key provided") } - _item := []byte(result[1]) + // extract signed item from pop results + signed := []byte(result[1]) + var opened []byte var out []byte - // open item - opened, ok := sign.Open(out, _item, c.config.SigningPublicKey) + // open the item using the public key generated using sign + // + // https://pkg.go.dev/golang.org/x/crypto@v0.1.0/nacl/sign + opened, ok := sign.Open(out, signed, c.config.SigningPublicKey) if !ok { return nil, errors.New("unable to open queue item") } - _item = opened - - item := new(types.Item) - // unmarshal result into queue item - err = json.Unmarshal(_item, item) + item := new(types.Item) + err = json.Unmarshal(opened, item) if err != nil { return nil, err } diff --git a/queue/redis/push.go b/queue/redis/push.go index 53fad345b..5f6720791 100644 --- a/queue/redis/push.go +++ b/queue/redis/push.go @@ -19,13 +19,17 @@ func (c *client) Push(ctx context.Context, channel string, item []byte) error { var out []byte // check for this on startup - if c.config.SigningPrivateKey != nil && len(*c.config.SigningPrivateKey) == 64 { - c.Logger.Tracef("signing item for queue %s", channel) - signed = sign.Sign(out, item, c.config.SigningPrivateKey) - } else { + if c.config.SigningPrivateKey == nil || len(*c.config.SigningPrivateKey) != 64 { return errors.New("no valid signing private key provided") } + c.Logger.Tracef("signing item for queue %s", channel) + + // sign the item using the private key generated using sign + // + // https://pkg.go.dev/golang.org/x/crypto@v0.1.0/nacl/sign + signed = sign.Sign(out, item, c.config.SigningPrivateKey) + // build a redis queue command to push an item to queue // // https://pkg.go.dev/github.com/go-redis/redis?tab=doc#Client.RPush From 2fcaf0c4117f6beab1b50e0ed3e55a5c5fbd580f Mon Sep 17 00:00:00 2001 From: davidvader Date: Fri, 21 Oct 2022 18:45:19 -0500 Subject: [PATCH 04/19] wip: queue signing cleanup --- api/webhook.go | 1 + queue/redis/pop.go | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/api/webhook.go b/api/webhook.go index 89cae67a9..1df0171a2 100644 --- a/api/webhook.go +++ b/api/webhook.go @@ -690,6 +690,7 @@ func PostWebhook(c *gin.Context) { // a build item and publishes it to the queue. func publishToQueue(queue queue.Service, db database.Service, p *pipeline.Build, b *library.Build, r *library.Repo, u *library.User) { item := types.ToItem(p, b, r, u) + logrus.Infof("Converting queue item to json for build %d for %s", b.GetNumber(), r.GetFullName()) byteItem, err := json.Marshal(item) diff --git a/queue/redis/pop.go b/queue/redis/pop.go index cfea5f772..000313f21 100644 --- a/queue/redis/pop.go +++ b/queue/redis/pop.go @@ -52,7 +52,7 @@ func (c *client) Pop(ctx context.Context) (*types.Item, error) { // https://pkg.go.dev/golang.org/x/crypto@v0.1.0/nacl/sign opened, ok := sign.Open(out, signed, c.config.SigningPublicKey) if !ok { - return nil, errors.New("unable to open queue item") + return nil, errors.New("unable to open signed item") } // unmarshal result into queue item From bae594642d4e597e346710fbd2a6b9dbfc232c75 Mon Sep 17 00:00:00 2001 From: davidvader Date: Thu, 11 May 2023 15:36:31 -0500 Subject: [PATCH 05/19] fix: generate example keys --- docker-compose.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index dd10ff3b6..535128a09 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -41,7 +41,7 @@ services: VELA_ACCESS_TOKEN_DURATION: 60m VELA_DISABLE_WEBHOOK_VALIDATION: 'true' VELA_ENABLE_SECURE_COOKIE: 'false' - VELA_SIGNING_PRIVATE_KEY: 'AgbF+m6RVXvw+mV+K7FkfRBZoYYRsLTg4Dq4yNvuTdNl2CpoXfmJYM/4D+Nsrcm7XZVex6/BMiUjCZZd9hUx2g==' + VELA_SIGNING_PRIVATE_KEY: 'tCIevHOBq6DdN5SSBtteXUusjjd0fOqzk2eyi0DMq04NewmShNKQeUbbp3vkvIckb4pCxc+vxUo+mYf/vzOaSg==' env_file: - .env restart: always @@ -60,7 +60,10 @@ services: # https://go-vela.github.io/docs/administration/worker/ worker: container_name: worker - image: target/vela-worker:latest + build: + context: ../worker + dockerfile: Dockerfile + image: worker:local networks: - vela environment: @@ -77,7 +80,7 @@ services: VELA_SERVER_SECRET: 'zB7mrKDTZqNeNTD8z47yG4DHywspAh' WORKER_ADDR: 'http://worker:8080' WORKER_CHECK_IN: 5m - VELA_SIGNING_PUBLIC_KEY: 'ZdgqaF35iWDP+A/jbK3Ju12VXsevwTIlIwmWXfYVMdx=' + VELA_SIGNING_PUBLIC_KEY: 'DXsJkoTSkHlG26d75LyHJG+KQsXPr8VKPpmH/78zmko=' restart: always ports: - '8081:8080' From 203bdb7b61e1c84ef37b02fe8cfa93a596059113 Mon Sep 17 00:00:00 2001 From: davidvader Date: Thu, 11 May 2023 15:41:33 -0500 Subject: [PATCH 06/19] tweak: env var naming --- docker-compose.yml | 9 +++------ queue/flags.go | 4 ++-- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 535128a09..eb2728b19 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -41,7 +41,7 @@ services: VELA_ACCESS_TOKEN_DURATION: 60m VELA_DISABLE_WEBHOOK_VALIDATION: 'true' VELA_ENABLE_SECURE_COOKIE: 'false' - VELA_SIGNING_PRIVATE_KEY: 'tCIevHOBq6DdN5SSBtteXUusjjd0fOqzk2eyi0DMq04NewmShNKQeUbbp3vkvIckb4pCxc+vxUo+mYf/vzOaSg==' + VELA_QUEUE_SIGNING_PRIVATE_KEY: 'tCIevHOBq6DdN5SSBtteXUusjjd0fOqzk2eyi0DMq04NewmShNKQeUbbp3vkvIckb4pCxc+vxUo+mYf/vzOaSg==' env_file: - .env restart: always @@ -60,10 +60,7 @@ services: # https://go-vela.github.io/docs/administration/worker/ worker: container_name: worker - build: - context: ../worker - dockerfile: Dockerfile - image: worker:local + image: target/vela-worker:latest networks: - vela environment: @@ -80,7 +77,7 @@ services: VELA_SERVER_SECRET: 'zB7mrKDTZqNeNTD8z47yG4DHywspAh' WORKER_ADDR: 'http://worker:8080' WORKER_CHECK_IN: 5m - VELA_SIGNING_PUBLIC_KEY: 'DXsJkoTSkHlG26d75LyHJG+KQsXPr8VKPpmH/78zmko=' + VELA_QUEUE_SIGNING_PUBLIC_KEY: 'DXsJkoTSkHlG26d75LyHJG+KQsXPr8VKPpmH/78zmko=' restart: always ports: - '8081:8080' diff --git a/queue/flags.go b/queue/flags.go index 373fc74dc..2ac4d6731 100644 --- a/queue/flags.go +++ b/queue/flags.go @@ -51,13 +51,13 @@ var Flags = []cli.Flag{ Value: 60 * time.Second, }, &cli.StringFlag{ - EnvVars: []string{"VELA_SIGNING_PRIVATE_KEY"}, + EnvVars: []string{"VELA_QUEUE_SIGNING_PRIVATE_KEY"}, FilePath: "/vela/signing.key", Name: "queue.signing.private-key", Usage: "set value of queue signing private key", }, &cli.StringFlag{ - EnvVars: []string{"VELA_SIGNING_PUBLIC_KEY"}, + EnvVars: []string{"VELA_QUEUE_SIGNING_PUBLIC_KEY"}, FilePath: "/vela/signing.pub", Name: "queue.signing.public-key", Usage: "set value of queue signing public key", From 43141eedb7169250dfce8fc20e8e8a9cd3a1b0b5 Mon Sep 17 00:00:00 2001 From: davidvader Date: Thu, 11 May 2023 15:51:39 -0500 Subject: [PATCH 07/19] enhance: key validations --- queue/redis/opts.go | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/queue/redis/opts.go b/queue/redis/opts.go index f2e5ddb74..d94c78c72 100644 --- a/queue/redis/opts.go +++ b/queue/redis/opts.go @@ -6,6 +6,7 @@ package redis import ( "encoding/base64" + "errors" "fmt" "time" ) @@ -76,14 +77,30 @@ func WithPrivateKey(privateKeyEncoded string) ClientOpt { return func(c *client) error { c.Logger.Trace("configuring private key in redis queue client") + if len(privateKeyEncoded) == 0 { + return errors.New("unable to base64 decode private key, provided key is empty") + } + privateKeyDecoded, err := base64.StdEncoding.DecodeString(privateKeyEncoded) if err != nil { return err } + if len(privateKeyDecoded) == 0 { + return errors.New("unable to base64 decode private key, decoded key is empty") + } + c.config.SigningPrivateKey = new([64]byte) copy(c.config.SigningPrivateKey[:], privateKeyDecoded) + if c.config.SigningPrivateKey == nil { + return errors.New("unable to copy decoded queue signing private key, copied key is nil") + } + + if len(c.config.SigningPrivateKey) == 0 { + return errors.New("unable to copy decoded queue signing private key, copied key is empty") + } + return nil } } @@ -93,14 +110,30 @@ func WithPublicKey(publicKeyEncoded string) ClientOpt { return func(c *client) error { c.Logger.Tracef("configuring public key in redis queue client") + if len(publicKeyEncoded) == 0 { + return errors.New("unable to base64 decode public key, provided key is empty") + } + publicKeyDecoded, err := base64.StdEncoding.DecodeString(publicKeyEncoded) if err != nil { return err } + if len(publicKeyDecoded) == 0 { + return errors.New("unable to base64 decode public key, decoded key is empty") + } + c.config.SigningPublicKey = new([32]byte) copy(c.config.SigningPublicKey[:], publicKeyDecoded) + if c.config.SigningPublicKey == nil { + return errors.New("unable to copy decoded queue signing public key, copied key is nil") + } + + if len(c.config.SigningPublicKey) == 0 { + return errors.New("unable to copy decoded queue signing public key, copied key is empty") + } + return nil } } From ae70584aba4834b32529a22ad1b663b94626becb Mon Sep 17 00:00:00 2001 From: davidvader Date: Thu, 11 May 2023 15:54:17 -0500 Subject: [PATCH 08/19] chore: comment wording --- queue/redis/pop.go | 2 +- queue/redis/push.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/queue/redis/pop.go b/queue/redis/pop.go index 000313f21..94ae5e8e3 100644 --- a/queue/redis/pop.go +++ b/queue/redis/pop.go @@ -36,7 +36,7 @@ func (c *client) Pop(ctx context.Context) (*types.Item, error) { return nil, err } - // check for this on startup + // this should already be validated on startup if c.config.SigningPublicKey == nil || len(*c.config.SigningPublicKey) != 32 { return nil, errors.New("no valid signing public key provided") } diff --git a/queue/redis/push.go b/queue/redis/push.go index 5f6720791..7bfc118e7 100644 --- a/queue/redis/push.go +++ b/queue/redis/push.go @@ -18,7 +18,7 @@ func (c *client) Push(ctx context.Context, channel string, item []byte) error { var signed []byte var out []byte - // check for this on startup + // this should already be validated on startup if c.config.SigningPrivateKey == nil || len(*c.config.SigningPrivateKey) != 64 { return errors.New("no valid signing private key provided") } From e48fa44672b234ae3e7d4f929cb29051df1b79e0 Mon Sep 17 00:00:00 2001 From: davidvader Date: Thu, 11 May 2023 15:58:24 -0500 Subject: [PATCH 09/19] chore: go mod tidy --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 7e26a5732..e6d4740a4 100644 --- a/go.mod +++ b/go.mod @@ -31,6 +31,7 @@ require ( github.com/spf13/afero v1.9.5 github.com/urfave/cli/v2 v2.25.1 go.starlark.net v0.0.0-20230302034142-4b1e35fe2254 + golang.org/x/crypto v0.7.0 golang.org/x/oauth2 v0.7.0 gopkg.in/square/go-jose.v2 v2.6.0 gopkg.in/tomb.v2 v2.0.0-20161208151619-d5d1b5820637 @@ -111,7 +112,6 @@ require ( github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect github.com/yuin/gopher-lua v1.1.0 // indirect golang.org/x/arch v0.0.0-20210923205945-b76863e36670 // indirect - golang.org/x/crypto v0.7.0 // indirect golang.org/x/net v0.9.0 // indirect golang.org/x/sys v0.7.0 // indirect golang.org/x/text v0.9.0 // indirect From 683e0a3b0dfb69a03903e647898baeaac313367b Mon Sep 17 00:00:00 2001 From: davidvader Date: Mon, 22 May 2023 11:16:51 -0500 Subject: [PATCH 10/19] wip: nil return to allow read-only setup --- queue/redis/opts.go | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/queue/redis/opts.go b/queue/redis/opts.go index d94c78c72..8b479b69c 100644 --- a/queue/redis/opts.go +++ b/queue/redis/opts.go @@ -78,7 +78,8 @@ func WithPrivateKey(privateKeyEncoded string) ClientOpt { c.Logger.Trace("configuring private key in redis queue client") if len(privateKeyEncoded) == 0 { - return errors.New("unable to base64 decode private key, provided key is empty") + // return errors.New("unable to base64 decode private key, provided key is empty") + return nil } privateKeyDecoded, err := base64.StdEncoding.DecodeString(privateKeyEncoded) @@ -111,7 +112,8 @@ func WithPublicKey(publicKeyEncoded string) ClientOpt { c.Logger.Tracef("configuring public key in redis queue client") if len(publicKeyEncoded) == 0 { - return errors.New("unable to base64 decode public key, provided key is empty") + // errors.New("unable to base64 decode public key, provided key is empty") + return nil } publicKeyDecoded, err := base64.StdEncoding.DecodeString(publicKeyEncoded) From d9d7364244eec1bd93582ab4b4b1b18a7df15fcf Mon Sep 17 00:00:00 2001 From: davidvader Date: Thu, 20 Jul 2023 10:25:23 -0500 Subject: [PATCH 11/19] chore: add base64 encoded comment --- queue/flags.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/queue/flags.go b/queue/flags.go index 2ac4d6731..7fe58a451 100644 --- a/queue/flags.go +++ b/queue/flags.go @@ -54,12 +54,12 @@ var Flags = []cli.Flag{ EnvVars: []string{"VELA_QUEUE_SIGNING_PRIVATE_KEY"}, FilePath: "/vela/signing.key", Name: "queue.signing.private-key", - Usage: "set value of queue signing private key", + Usage: "set value of base64 encoded queue signing private key", }, &cli.StringFlag{ EnvVars: []string{"VELA_QUEUE_SIGNING_PUBLIC_KEY"}, FilePath: "/vela/signing.pub", Name: "queue.signing.public-key", - Usage: "set value of queue signing public key", + Usage: "set value of base64 encoded queue signing public key", }, } From 96f7bd578e83af82266dc74b20096730eec11d9d Mon Sep 17 00:00:00 2001 From: davidvader Date: Wed, 9 Aug 2023 09:11:50 -0500 Subject: [PATCH 12/19] fix: adding keys to redis test mocks --- queue/redis/length_test.go | 2 +- queue/redis/pop_test.go | 18 +++++++++++++----- queue/redis/push_test.go | 4 ++-- queue/redis/redis.go | 4 +++- queue/redis/redis_test.go | 4 +++- queue/redis/route_test.go | 2 +- router/middleware/queue_test.go | 3 ++- 7 files changed, 25 insertions(+), 12 deletions(-) diff --git a/queue/redis/length_test.go b/queue/redis/length_test.go index 95cb21423..5f96aa781 100644 --- a/queue/redis/length_test.go +++ b/queue/redis/length_test.go @@ -30,7 +30,7 @@ func TestRedis_Length(t *testing.T) { } // setup redis mock - _redis, err := NewTest("vela", "vela:second", "vela:third") + _redis, err := NewTest(_signingPrivateKey, _signingPublicKey, "vela", "vela:second", "vela:third") if err != nil { t.Errorf("unable to create queue service: %v", err) } diff --git a/queue/redis/pop_test.go b/queue/redis/pop_test.go index 8ae6094b7..7aad50d4d 100644 --- a/queue/redis/pop_test.go +++ b/queue/redis/pop_test.go @@ -11,6 +11,7 @@ import ( "time" "github.com/go-vela/types" + "golang.org/x/crypto/nacl/sign" "gopkg.in/square/go-jose.v2/json" ) @@ -24,6 +25,9 @@ func TestRedis_Pop(t *testing.T) { User: _user, } + var signed []byte + var out []byte + // setup queue item bytes, err := json.Marshal(_item) if err != nil { @@ -31,19 +35,21 @@ func TestRedis_Pop(t *testing.T) { } // setup redis mock - _redis, err := NewTest("vela") + _redis, err := NewTest(_signingPrivateKey, _signingPublicKey, "vela") if err != nil { t.Errorf("unable to create queue service: %v", err) } + signed = sign.Sign(out, bytes, _redis.config.SigningPrivateKey) + // push item to queue - err = _redis.Redis.RPush(context.Background(), "vela", bytes).Err() + err = _redis.Redis.RPush(context.Background(), "vela", signed).Err() if err != nil { t.Errorf("unable to push item to queue: %v", err) } // setup timeout redis mock - timeout, err := NewTest("vela") + timeout, err := NewTest(_signingPrivateKey, _signingPublicKey, "vela") if err != nil { t.Errorf("unable to create queue service: %v", err) } @@ -51,15 +57,17 @@ func TestRedis_Pop(t *testing.T) { timeout.config.Timeout = 1 * time.Second // setup badChannel redis mock - badChannel, err := NewTest("vela") + badChannel, err := NewTest(_signingPrivateKey, _signingPublicKey, "vela") if err != nil { t.Errorf("unable to create queue service: %v", err) } // overwrite channel to be invalid badChannel.config.Channels = nil + signed = sign.Sign(out, bytes, badChannel.config.SigningPrivateKey) + // push something to badChannel queue - err = badChannel.Redis.RPush(context.Background(), "vela", bytes).Err() + err = badChannel.Redis.RPush(context.Background(), "vela", signed).Err() if err != nil { t.Errorf("unable to push item to queue: %v", err) } diff --git a/queue/redis/push_test.go b/queue/redis/push_test.go index 69af784e3..8bcc39c14 100644 --- a/queue/redis/push_test.go +++ b/queue/redis/push_test.go @@ -29,13 +29,13 @@ func TestRedis_Push(t *testing.T) { } // setup redis mock - _redis, err := NewTest("vela") + _redis, err := NewTest(_signingPrivateKey, _signingPublicKey, "vela") if err != nil { t.Errorf("unable to create queue service: %v", err) } // setup redis mock - badItem, err := NewTest("vela") + badItem, err := NewTest(_signingPrivateKey, _signingPublicKey, "vela") if err != nil { t.Errorf("unable to create queue service: %v", err) } diff --git a/queue/redis/redis.go b/queue/redis/redis.go index d3adbe57a..1ce252d55 100644 --- a/queue/redis/redis.go +++ b/queue/redis/redis.go @@ -177,7 +177,7 @@ func pingQueue(c *client) error { // This function is intended for running tests only. // //nolint:revive // ignore returning unexported client -func NewTest(channels ...string) (*client, error) { +func NewTest(signingPrivateKey, signingPublicKey string, channels ...string) (*client, error) { // create a local fake redis instance // // https://pkg.go.dev/github.com/alicebob/miniredis/v2#Run @@ -190,5 +190,7 @@ func NewTest(channels ...string) (*client, error) { WithAddress(fmt.Sprintf("redis://%s", _redis.Addr())), WithChannels(channels...), WithCluster(false), + WithPrivateKey(signingPrivateKey), + WithPublicKey(signingPublicKey), ) } diff --git a/queue/redis/redis_test.go b/queue/redis/redis_test.go index aa1bf1a0f..6935a676d 100644 --- a/queue/redis/redis_test.go +++ b/queue/redis/redis_test.go @@ -46,7 +46,9 @@ func Strings(v []string) *[]string { return &v } // setup global variables used for testing. var ( - _build = &library.Build{ + _signingPrivateKey = "tCIevHOBq6DdN5SSBtteXUusjjd0fOqzk2eyi0DMq04NewmShNKQeUbbp3vkvIckb4pCxc+vxUo+mYf/vzOaSg==" + _signingPublicKey = "DXsJkoTSkHlG26d75LyHJG+KQsXPr8VKPpmH/78zmko=" + _build = &library.Build{ ID: Int64(1), Number: Int(1), Parent: Int(1), diff --git a/queue/redis/route_test.go b/queue/redis/route_test.go index de3f99fc9..23328df43 100644 --- a/queue/redis/route_test.go +++ b/queue/redis/route_test.go @@ -14,7 +14,7 @@ import ( func TestRedis_Client_Route(t *testing.T) { // setup - client, _ := NewTest("vela", "16cpu8gb", "16cpu8gb:gcp", "gcp") + client, _ := NewTest(_signingPrivateKey, _signingPublicKey, "vela", "16cpu8gb", "16cpu8gb:gcp", "gcp") tests := []struct { success bool want string diff --git a/router/middleware/queue_test.go b/router/middleware/queue_test.go index cfbd94010..80c22ce07 100644 --- a/router/middleware/queue_test.go +++ b/router/middleware/queue_test.go @@ -20,7 +20,8 @@ func TestMiddleware_Queue(t *testing.T) { // setup types var got queue.Service - want, _ := redis.NewTest() + // signing keys are irrelevant here + want, _ := redis.NewTest("", "") // setup context gin.SetMode(gin.TestMode) From 4786391a3756166c3546546bd66d57414352fae7 Mon Sep 17 00:00:00 2001 From: davidvader Date: Thu, 17 Aug 2023 09:21:04 -0500 Subject: [PATCH 13/19] fix: do not allow empty signing keys --- queue/redis/opts.go | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/queue/redis/opts.go b/queue/redis/opts.go index 8b479b69c..d94c78c72 100644 --- a/queue/redis/opts.go +++ b/queue/redis/opts.go @@ -78,8 +78,7 @@ func WithPrivateKey(privateKeyEncoded string) ClientOpt { c.Logger.Trace("configuring private key in redis queue client") if len(privateKeyEncoded) == 0 { - // return errors.New("unable to base64 decode private key, provided key is empty") - return nil + return errors.New("unable to base64 decode private key, provided key is empty") } privateKeyDecoded, err := base64.StdEncoding.DecodeString(privateKeyEncoded) @@ -112,8 +111,7 @@ func WithPublicKey(publicKeyEncoded string) ClientOpt { c.Logger.Tracef("configuring public key in redis queue client") if len(publicKeyEncoded) == 0 { - // errors.New("unable to base64 decode public key, provided key is empty") - return nil + return errors.New("unable to base64 decode public key, provided key is empty") } publicKeyDecoded, err := base64.StdEncoding.DecodeString(publicKeyEncoded) From 2c9d1663050489ce52232678116a65c087382607 Mon Sep 17 00:00:00 2001 From: davidvader Date: Thu, 17 Aug 2023 10:19:52 -0500 Subject: [PATCH 14/19] fix: lint --- queue/redis/opts.go | 4 ++++ queue/redis/pop.go | 2 ++ 2 files changed, 6 insertions(+) diff --git a/queue/redis/opts.go b/queue/redis/opts.go index d94c78c72..b992ad2b4 100644 --- a/queue/redis/opts.go +++ b/queue/redis/opts.go @@ -73,6 +73,8 @@ func WithTimeout(timeout time.Duration) ClientOpt { } // WithPrivateKey sets the private key in the queue client for Redis. +// +//nolint:dupl // ignore similar code func WithPrivateKey(privateKeyEncoded string) ClientOpt { return func(c *client) error { c.Logger.Trace("configuring private key in redis queue client") @@ -106,6 +108,8 @@ func WithPrivateKey(privateKeyEncoded string) ClientOpt { } // WithPublicKey sets the public key in the queue client for Redis. +// +//nolint:dupl // ignore similar code func WithPublicKey(publicKeyEncoded string) ClientOpt { return func(c *client) error { c.Logger.Tracef("configuring public key in redis queue client") diff --git a/queue/redis/pop.go b/queue/redis/pop.go index 1e73c9d40..53205beac 100644 --- a/queue/redis/pop.go +++ b/queue/redis/pop.go @@ -45,6 +45,7 @@ func (c *client) Pop(ctx context.Context) (*types.Item, error) { signed := []byte(result[1]) var opened []byte + var out []byte // open the item using the public key generated using sign @@ -57,6 +58,7 @@ func (c *client) Pop(ctx context.Context) (*types.Item, error) { // unmarshal result into queue item item := new(types.Item) + err = json.Unmarshal(opened, item) if err != nil { return nil, err From 346df6c6060023d3f1283440682e253bcfa60d9e Mon Sep 17 00:00:00 2001 From: davidvader Date: Thu, 17 Aug 2023 10:23:18 -0500 Subject: [PATCH 15/19] fix: lint --- queue/redis/push.go | 1 + 1 file changed, 1 insertion(+) diff --git a/queue/redis/push.go b/queue/redis/push.go index 000b8a5bd..76c0f9a04 100644 --- a/queue/redis/push.go +++ b/queue/redis/push.go @@ -24,6 +24,7 @@ func (c *client) Push(ctx context.Context, channel string, item []byte) error { } var signed []byte + var out []byte // this should already be validated on startup From 00507fbe784d5085a8fe23101b362f070c8b0cf3 Mon Sep 17 00:00:00 2001 From: davidvader Date: Thu, 17 Aug 2023 11:36:31 -0500 Subject: [PATCH 16/19] chore: add middleware tests --- queue/redis/opts.go | 6 +- queue/redis/opts_test.go | 137 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 141 insertions(+), 2 deletions(-) diff --git a/queue/redis/opts.go b/queue/redis/opts.go index b992ad2b4..460f54036 100644 --- a/queue/redis/opts.go +++ b/queue/redis/opts.go @@ -80,7 +80,8 @@ func WithPrivateKey(privateKeyEncoded string) ClientOpt { c.Logger.Trace("configuring private key in redis queue client") if len(privateKeyEncoded) == 0 { - return errors.New("unable to base64 decode private key, provided key is empty") + c.Logger.Warn("unable to base64 decode private key, provided key is empty. queue service will be unable to sign items") + return nil } privateKeyDecoded, err := base64.StdEncoding.DecodeString(privateKeyEncoded) @@ -115,7 +116,8 @@ func WithPublicKey(publicKeyEncoded string) ClientOpt { c.Logger.Tracef("configuring public key in redis queue client") if len(publicKeyEncoded) == 0 { - return errors.New("unable to base64 decode public key, provided key is empty") + c.Logger.Warn("unable to base64 decode public key, provided key is empty. queue service will be unable to open items") + return nil } publicKeyDecoded, err := base64.StdEncoding.DecodeString(publicKeyEncoded) diff --git a/queue/redis/opts_test.go b/queue/redis/opts_test.go index b44e79418..8c53265c2 100644 --- a/queue/redis/opts_test.go +++ b/queue/redis/opts_test.go @@ -5,6 +5,7 @@ package redis import ( + "encoding/base64" "fmt" "reflect" "testing" @@ -180,3 +181,139 @@ func TestRedis_ClientOpt_WithCluster(t *testing.T) { } } } + +func TestRedis_ClientOpt_WithSigningPrivateKey(t *testing.T) { + // setup tests + // create a local fake redis instance + // + // https://pkg.go.dev/github.com/alicebob/miniredis/v2#Run + _redis, err := miniredis.Run() + if err != nil { + t.Errorf("unable to create miniredis instance: %v", err) + } + defer _redis.Close() + + tests := []struct { + failure bool + privKey string + want string + }{ + { //valid key input + failure: false, + privKey: "tCIevHOBq6DdN5SSBtteXUusjjd0fOqzk2eyi0DMq04NewmShNKQeUbbp3vkvIckb4pCxc+vxUo+mYf/vzOaSg==", + want: "tCIevHOBq6DdN5SSBtteXUusjjd0fOqzk2eyi0DMq04NewmShNKQeUbbp3vkvIckb4pCxc+vxUo+mYf/vzOaSg==", + }, + { //empty key input + failure: false, + privKey: "", + want: "", + }, + { //invalid base64 encoded input + failure: true, + privKey: "abc123", + want: "", + }, + } + + // run tests + for _, test := range tests { + _service, err := New( + WithAddress(fmt.Sprintf("redis://%s", _redis.Addr())), + WithPrivateKey(test.privKey), + ) + + if test.failure { + if err == nil { + t.Errorf("WithPrivateKey should have returned err") + } + + continue + } + + if err != nil { + t.Errorf("WithPrivateKey returned err: %v", err) + } + + got := "" + if _service.config.SigningPrivateKey != nil { + got = fmt.Sprintf("%s", *_service.config.SigningPrivateKey) + } else { + got = "" + } + + w, _ := base64.StdEncoding.DecodeString(test.want) + + want := string(w) + if !reflect.DeepEqual(got, want) { + t.Errorf("WithPrivateKey is %v, want %v", got, want) + } + } +} + +func TestRedis_ClientOpt_WithSigningPublicKey(t *testing.T) { + // setup tests + // create a local fake redis instance + // + // https://pkg.go.dev/github.com/alicebob/miniredis/v2#Run + _redis, err := miniredis.Run() + if err != nil { + t.Errorf("unable to create miniredis instance: %v", err) + } + defer _redis.Close() + + tests := []struct { + failure bool + pubKey string + want string + }{ + { //valid key input + failure: false, + pubKey: "DXsJkoTSkHlG26d75LyHJG+KQsXPr8VKPpmH/78zmko=", + want: "DXsJkoTSkHlG26d75LyHJG+KQsXPr8VKPpmH/78zmko=", + }, + { //empty key input + failure: false, + pubKey: "", + want: "", + }, + { //invalid base64 encoded input + failure: true, + pubKey: "abc123", + want: "", + }, + } + + // run tests + for _, test := range tests { + _service, err := New( + WithAddress(fmt.Sprintf("redis://%s", _redis.Addr())), + WithPublicKey(test.pubKey), + ) + + if test.failure { + if err == nil { + t.Errorf("WithPublicKey should have returned err") + } + + continue + } + + if err != nil { + t.Errorf("WithPublicKey returned err: %v", err) + } + + got := "" + if _service.config.SigningPublicKey != nil { + got = fmt.Sprintf("%s", *_service.config.SigningPublicKey) + } else { + got = "" + } + + w, _ := base64.StdEncoding.DecodeString(test.want) + + want := string(w) + if !reflect.DeepEqual(got, want) { + t.Errorf("SigningPublicKey is %v, want %v", got, want) + } + } +} From 37926a5c1cddc3361169f3319199e4044bb2e296 Mon Sep 17 00:00:00 2001 From: dave vader <48764154+plyr4@users.noreply.github.com> Date: Wed, 23 Aug 2023 11:27:08 -0500 Subject: [PATCH 17/19] tweak: queue/redis/pop.go suggestion Co-authored-by: Easton Crupper <65553218+ecrupper@users.noreply.github.com> --- queue/redis/pop.go | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/queue/redis/pop.go b/queue/redis/pop.go index 53205beac..c554ba3c4 100644 --- a/queue/redis/pop.go +++ b/queue/redis/pop.go @@ -44,9 +44,7 @@ func (c *client) Pop(ctx context.Context) (*types.Item, error) { // extract signed item from pop results signed := []byte(result[1]) - var opened []byte - - var out []byte + var opened, out []byte // open the item using the public key generated using sign // From 5815fe9a9ba1f685b3e0fffa3971e3e421d62259 Mon Sep 17 00:00:00 2001 From: davidvader Date: Wed, 23 Aug 2023 11:40:00 -0500 Subject: [PATCH 18/19] tweak: variable naming for queue keys --- cmd/vela-server/queue.go | 12 ++++++------ queue/redis/opts.go | 32 ++++++++++++++++---------------- queue/redis/opts_test.go | 8 ++++---- queue/redis/pop.go | 4 ++-- queue/redis/pop_test.go | 4 ++-- queue/redis/push.go | 4 ++-- queue/redis/redis.go | 4 ++-- queue/setup.go | 12 ++++++------ 8 files changed, 40 insertions(+), 40 deletions(-) diff --git a/cmd/vela-server/queue.go b/cmd/vela-server/queue.go index 891cfd950..50555fc9f 100644 --- a/cmd/vela-server/queue.go +++ b/cmd/vela-server/queue.go @@ -18,12 +18,12 @@ func setupQueue(c *cli.Context) (queue.Service, error) { // queue configuration _setup := &queue.Setup{ - Driver: c.String("queue.driver"), - Address: c.String("queue.addr"), - Cluster: c.Bool("queue.cluster"), - Routes: c.StringSlice("queue.routes"), - Timeout: c.Duration("queue.pop.timeout"), - EncodedSigningPrivateKey: c.String("queue.signing.private-key"), + Driver: c.String("queue.driver"), + Address: c.String("queue.addr"), + Cluster: c.Bool("queue.cluster"), + Routes: c.StringSlice("queue.routes"), + Timeout: c.Duration("queue.pop.timeout"), + PrivateKey: c.String("queue.signing.private-key"), } // setup the queue diff --git a/queue/redis/opts.go b/queue/redis/opts.go index 460f54036..5589eeb92 100644 --- a/queue/redis/opts.go +++ b/queue/redis/opts.go @@ -75,32 +75,32 @@ func WithTimeout(timeout time.Duration) ClientOpt { // WithPrivateKey sets the private key in the queue client for Redis. // //nolint:dupl // ignore similar code -func WithPrivateKey(privateKeyEncoded string) ClientOpt { +func WithPrivateKey(key string) ClientOpt { return func(c *client) error { c.Logger.Trace("configuring private key in redis queue client") - if len(privateKeyEncoded) == 0 { + if len(key) == 0 { c.Logger.Warn("unable to base64 decode private key, provided key is empty. queue service will be unable to sign items") return nil } - privateKeyDecoded, err := base64.StdEncoding.DecodeString(privateKeyEncoded) + decoded, err := base64.StdEncoding.DecodeString(key) if err != nil { return err } - if len(privateKeyDecoded) == 0 { + if len(decoded) == 0 { return errors.New("unable to base64 decode private key, decoded key is empty") } - c.config.SigningPrivateKey = new([64]byte) - copy(c.config.SigningPrivateKey[:], privateKeyDecoded) + c.config.PrivateKey = new([64]byte) + copy(c.config.PrivateKey[:], decoded) - if c.config.SigningPrivateKey == nil { + if c.config.PrivateKey == nil { return errors.New("unable to copy decoded queue signing private key, copied key is nil") } - if len(c.config.SigningPrivateKey) == 0 { + if len(c.config.PrivateKey) == 0 { return errors.New("unable to copy decoded queue signing private key, copied key is empty") } @@ -111,32 +111,32 @@ func WithPrivateKey(privateKeyEncoded string) ClientOpt { // WithPublicKey sets the public key in the queue client for Redis. // //nolint:dupl // ignore similar code -func WithPublicKey(publicKeyEncoded string) ClientOpt { +func WithPublicKey(key string) ClientOpt { return func(c *client) error { c.Logger.Tracef("configuring public key in redis queue client") - if len(publicKeyEncoded) == 0 { + if len(key) == 0 { c.Logger.Warn("unable to base64 decode public key, provided key is empty. queue service will be unable to open items") return nil } - publicKeyDecoded, err := base64.StdEncoding.DecodeString(publicKeyEncoded) + decoded, err := base64.StdEncoding.DecodeString(key) if err != nil { return err } - if len(publicKeyDecoded) == 0 { + if len(decoded) == 0 { return errors.New("unable to base64 decode public key, decoded key is empty") } - c.config.SigningPublicKey = new([32]byte) - copy(c.config.SigningPublicKey[:], publicKeyDecoded) + c.config.PublicKey = new([32]byte) + copy(c.config.PublicKey[:], decoded) - if c.config.SigningPublicKey == nil { + if c.config.PublicKey == nil { return errors.New("unable to copy decoded queue signing public key, copied key is nil") } - if len(c.config.SigningPublicKey) == 0 { + if len(c.config.PublicKey) == 0 { return errors.New("unable to copy decoded queue signing public key, copied key is empty") } diff --git a/queue/redis/opts_test.go b/queue/redis/opts_test.go index 8c53265c2..3f99e3857 100644 --- a/queue/redis/opts_test.go +++ b/queue/redis/opts_test.go @@ -235,8 +235,8 @@ func TestRedis_ClientOpt_WithSigningPrivateKey(t *testing.T) { } got := "" - if _service.config.SigningPrivateKey != nil { - got = fmt.Sprintf("%s", *_service.config.SigningPrivateKey) + if _service.config.PrivateKey != nil { + got = fmt.Sprintf("%s", *_service.config.PrivateKey) } else { got = "" } @@ -303,8 +303,8 @@ func TestRedis_ClientOpt_WithSigningPublicKey(t *testing.T) { } got := "" - if _service.config.SigningPublicKey != nil { - got = fmt.Sprintf("%s", *_service.config.SigningPublicKey) + if _service.config.PublicKey != nil { + got = fmt.Sprintf("%s", *_service.config.PublicKey) } else { got = "" } diff --git a/queue/redis/pop.go b/queue/redis/pop.go index c554ba3c4..732092c32 100644 --- a/queue/redis/pop.go +++ b/queue/redis/pop.go @@ -37,7 +37,7 @@ func (c *client) Pop(ctx context.Context) (*types.Item, error) { } // this should already be validated on startup - if c.config.SigningPublicKey == nil || len(*c.config.SigningPublicKey) != 32 { + if c.config.PublicKey == nil || len(*c.config.PublicKey) != 32 { return nil, errors.New("no valid signing public key provided") } @@ -49,7 +49,7 @@ func (c *client) Pop(ctx context.Context) (*types.Item, error) { // open the item using the public key generated using sign // // https://pkg.go.dev/golang.org/x/crypto@v0.1.0/nacl/sign - opened, ok := sign.Open(out, signed, c.config.SigningPublicKey) + opened, ok := sign.Open(out, signed, c.config.PublicKey) if !ok { return nil, errors.New("unable to open signed item") } diff --git a/queue/redis/pop_test.go b/queue/redis/pop_test.go index da818258f..1f19bf2c3 100644 --- a/queue/redis/pop_test.go +++ b/queue/redis/pop_test.go @@ -39,7 +39,7 @@ func TestRedis_Pop(t *testing.T) { t.Errorf("unable to create queue service: %v", err) } - signed = sign.Sign(out, bytes, _redis.config.SigningPrivateKey) + signed = sign.Sign(out, bytes, _redis.config.PrivateKey) // push item to queue err = _redis.Redis.RPush(context.Background(), "vela", signed).Err() @@ -63,7 +63,7 @@ func TestRedis_Pop(t *testing.T) { // overwrite channel to be invalid badChannel.config.Channels = nil - signed = sign.Sign(out, bytes, badChannel.config.SigningPrivateKey) + signed = sign.Sign(out, bytes, badChannel.config.PrivateKey) // push something to badChannel queue err = badChannel.Redis.RPush(context.Background(), "vela", signed).Err() diff --git a/queue/redis/push.go b/queue/redis/push.go index 76c0f9a04..66c8a386a 100644 --- a/queue/redis/push.go +++ b/queue/redis/push.go @@ -28,7 +28,7 @@ func (c *client) Push(ctx context.Context, channel string, item []byte) error { var out []byte // this should already be validated on startup - if c.config.SigningPrivateKey == nil || len(*c.config.SigningPrivateKey) != 64 { + if c.config.PrivateKey == nil || len(*c.config.PrivateKey) != 64 { return errors.New("no valid signing private key provided") } @@ -37,7 +37,7 @@ func (c *client) Push(ctx context.Context, channel string, item []byte) error { // sign the item using the private key generated using sign // // https://pkg.go.dev/golang.org/x/crypto@v0.1.0/nacl/sign - signed = sign.Sign(out, item, c.config.SigningPrivateKey) + signed = sign.Sign(out, item, c.config.PrivateKey) // build a redis queue command to push an item to queue // diff --git a/queue/redis/redis.go b/queue/redis/redis.go index 1ce252d55..4e4f68aea 100644 --- a/queue/redis/redis.go +++ b/queue/redis/redis.go @@ -26,9 +26,9 @@ type config struct { // specifies the timeout to use for the Redis client Timeout time.Duration // key for signing items pushed to the Redis client - SigningPrivateKey *[64]byte + PrivateKey *[64]byte // key for opening items popped from the Redis client - SigningPublicKey *[32]byte + PublicKey *[32]byte } type client struct { diff --git a/queue/setup.go b/queue/setup.go index fa01e7460..ed0f131c8 100644 --- a/queue/setup.go +++ b/queue/setup.go @@ -30,10 +30,10 @@ type Setup struct { Routes []string // specifies the timeout for pop requests for the queue client Timeout time.Duration - // encoded key used for signing items pushed to the queue - EncodedSigningPrivateKey string - // encoded key used for opening items popped from the queue - EncodedSigningPublicKey string + // private key in base64 used for signing items pushed to the queue + PrivateKey string + // public key in base64 used for opening items popped from the queue + PublicKey string } // Redis creates and returns a Vela service capable @@ -49,8 +49,8 @@ func (s *Setup) Redis() (Service, error) { redis.WithChannels(s.Routes...), redis.WithCluster(s.Cluster), redis.WithTimeout(s.Timeout), - redis.WithPrivateKey(s.EncodedSigningPrivateKey), - redis.WithPublicKey(s.EncodedSigningPublicKey), + redis.WithPrivateKey(s.PrivateKey), + redis.WithPublicKey(s.PublicKey), ) } From 5bf066b5532686cbd7aee28af53cb9e9cae08021 Mon Sep 17 00:00:00 2001 From: davidvader Date: Wed, 23 Aug 2023 11:41:04 -0500 Subject: [PATCH 19/19] tweak: cli variable naming for queue keys --- cmd/vela-server/queue.go | 2 +- cmd/vela-server/server.go | 2 +- queue/flags.go | 4 ++-- router/middleware/signing.go | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/cmd/vela-server/queue.go b/cmd/vela-server/queue.go index 50555fc9f..edd703e69 100644 --- a/cmd/vela-server/queue.go +++ b/cmd/vela-server/queue.go @@ -23,7 +23,7 @@ func setupQueue(c *cli.Context) (queue.Service, error) { Cluster: c.Bool("queue.cluster"), Routes: c.StringSlice("queue.routes"), Timeout: c.Duration("queue.pop.timeout"), - PrivateKey: c.String("queue.signing.private-key"), + PrivateKey: c.String("queue.private-key"), } // setup the queue diff --git a/cmd/vela-server/server.go b/cmd/vela-server/server.go index 2eebe28fc..cb9f0edd1 100644 --- a/cmd/vela-server/server.go +++ b/cmd/vela-server/server.go @@ -98,7 +98,7 @@ func server(c *cli.Context) error { middleware.Secret(c.String("vela-secret")), middleware.Secrets(secrets), middleware.Scm(scm), - middleware.QueueSigningPrivateKey(c.String("queue.signing.private-key")), + middleware.QueueSigningPrivateKey(c.String("queue.private-key")), middleware.Allowlist(c.StringSlice("vela-repo-allowlist")), middleware.DefaultBuildLimit(c.Int64("default-build-limit")), middleware.DefaultTimeout(c.Int64("default-build-timeout")), diff --git a/queue/flags.go b/queue/flags.go index 7fe58a451..9f2c508ee 100644 --- a/queue/flags.go +++ b/queue/flags.go @@ -53,13 +53,13 @@ var Flags = []cli.Flag{ &cli.StringFlag{ EnvVars: []string{"VELA_QUEUE_SIGNING_PRIVATE_KEY"}, FilePath: "/vela/signing.key", - Name: "queue.signing.private-key", + Name: "queue.private-key", Usage: "set value of base64 encoded queue signing private key", }, &cli.StringFlag{ EnvVars: []string{"VELA_QUEUE_SIGNING_PUBLIC_KEY"}, FilePath: "/vela/signing.pub", - Name: "queue.signing.public-key", + Name: "queue.public-key", Usage: "set value of base64 encoded queue signing public key", }, } diff --git a/router/middleware/signing.go b/router/middleware/signing.go index 0212d1e7d..05c63b8e5 100644 --- a/router/middleware/signing.go +++ b/router/middleware/signing.go @@ -12,7 +12,7 @@ import ( // to sign items that are pushed to the queue. func QueueSigningPrivateKey(key string) gin.HandlerFunc { return func(c *gin.Context) { - c.Set("queue.signing.private-key", key) + c.Set("queue.private-key", key) c.Next() } }