Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

gRPC: add mTLS authentication to post service #5131

Closed
Tracked by #259
, #282
...
fasmat opened this issue Oct 5, 2023 · 0 comments
Closed
Tracked by #259
, #282
...

gRPC: add mTLS authentication to post service #5131

fasmat opened this issue Oct 5, 2023 · 0 comments
Assignees
@fasmat
Labels
area/post

Comments

@fasmat
Copy link
Member

fasmat commented Oct 5, 2023

Description

The post service is able to use mTLS authentication and the node should expose a dedicated gRPC endpoint that requires authentication for the post service to connect to.

Acceptance criteria

  • Additionally to PublicListener and PrivateListener a new endpoint AuthenticatedListener is added
  • AuthenticatedListener expects clients to connect with mTLS Authentication
    • only clients with known certificates are allowed to connect
  • The nodes key and certificate as well as certificates for post services that can connect to the node are read from the nodes local configuration
    • Preferably from a directory on disk instead of from the database or configuration, but make the directory with the certificates configurable
  • An API call is added to the PrivateListener that can be used to trigger the node to reload known certificates from disk
  • In standalone mode the supervisor for the post service generates the keys & certificates for both the node and the post service.
    • It triggers the node to load the certificates from disk after generating them and starts the post service with its generated key & certificate
@fasmat fasmat self-assigned this Oct 5, 2023
This was referenced Oct 5, 2023
Closed
Closed
@dshulyak dshulyak moved this to 📋 Backlog in Dev team kanban Oct 6, 2023
@fasmat fasmat mentioned this issue Oct 6, 2023
Closed
4 tasks
bors bot pushed a commit that referenced this issue Oct 11, 2023
@fasmat
Use dedicated PoST service for Proof generation (#5061)
0befd88 
## Motivation
Part of #5042
Merge after #5091 

## Changes

- Generating poofs is now done via the GRPC API
  - Foundation laid in #5091
  - Upon connection `PostClient` is passed to services via the `postConnectionListener` interface. At the moment these are: `activation::Builder` and `activation::NIPostBuilder` who use it to generate a proof
  - Instead of starting the `PostSupervisor` when `PostServiceCmd` is set it is started when `StartSmeshing == true`
  - The connection does not require authentication (yet) - will be addressed in #5131 
  - Connection cannot handle multiple post services (yet)
- NiPoSTBuilder doesn't verify PoST proofs any more
  - PoST Service does this already before providing the proof
  - additionally when publishing the ATX it goes through the ATX handler that validates the ATX again before broadcasting it.
- Refactored tests in `activation` package to use new API
  - Integration tests that do not use mocks for generating PoST proofs have been moved to `activation/e2e` to allow the use of the `api/grpcserver` package in them
  - `e2e` tests spin up a post service using the post supervisor and query a proof from there
- Slimmed down `postSetupProvider` interface:
  - it is used by the `activation::Builder` and implemented by `activation::PostSetupManager`
  - some of its functionality has been moved into `PostClient` (`GenerateProof` -> `Proof`)
- Replaced `go-spacemesh/log` with `zap` in a few components in the `activation` package.

## Test Plan
- All existing tests involving proof generation have been migrated to use the new PoST service
- New tests added to test the connection specifically.
- Test added for custom types in config.

## TODO
<!-- This section should be removed when all items are complete -->
- [x] Explain motivation or link existing issue(s)
- [x] Test changes and document test plan
- [x] Update documentation as needed
- [x] Update [changelog](../CHANGELOG.md) as needed
@fasmat fasmat moved this from 📋 Backlog to 🏗 Doing in Dev team kanban Oct 12, 2023
@fasmat fasmat mentioned this issue Oct 13, 2023
Closed
4 tasks
@lrettig lrettig mentioned this issue Oct 17, 2023
Closed
9 tasks
bors bot pushed a commit that referenced this issue Oct 19, 2023
@fasmat
Add mTLS grpcserver (#5154)
133bbe5 
## Motivation
Closes #5131

do not merge before spacemeshos/api#268 and spacemeshos/post#245

## Changes
- setup for gRPC servers has been moved from node startup into the `grpcserver` package
- `NewPublic`, `NewPrivate` and `NewTLS` create servers for the given purposes based on the configuration passed to them
- replaced more instances of `go-spacemesh/log` with `zap`

## Test Plan
- existing tests pass
- TODO: add new tests for mTLS connection

## TODO
<!-- This section should be removed when all items are complete -->
- [x] Explain motivation or link existing issue(s)
- [x] Test changes and document test plan
- [x] Update documentation as needed
- [x] Update [changelog](../CHANGELOG.md) as needed
@bors bors bot closed this as completed in 4572d2a Oct 19, 2023
@github-project-automation github-project-automation bot moved this from 🏗 Doing to ✅ Done in Dev team kanban Oct 19, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@fasmat fasmat

Labels
area/post
Projects
Dev team kanban
Archived in project
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Merged by Bors] - Add mTLS grpcserver spacemeshos/go-spacemesh
1 participant
@fasmat