Skip to content

Commit

Permalink
[identity] load OPAQUE server setup from environment variable
Browse files Browse the repository at this point in the history
Summary:
The Identity service now expects the OPAQUE_SERVER_SETUP environment variable to be set at runtime.

When the keygen command is run, the serialized server setup bytes are now base64 encoded before they're written to the file system. This base64 encoded string must then be made available with the above environment variable when the server is run.

Test Plan:
ran the keygen program, retrieved the base64 encoded string, ran the server program with OPAQUE_SERVER_SETUP=<encoded-string> and the program succeeded.

Also tried supplying an invalid string via env var and the server program crashed, as expected.

Reviewers: jon, bartek

Reviewed By: jon, bartek

Subscribers: ashoat, tomek

Differential Revision: https://phab.comm.dev/D8641
  • Loading branch information
vdhanan committed Jul 28, 2023
1 parent 41939d6 commit 7ba6965
Show file tree
Hide file tree
Showing 4 changed files with 44 additions and 12 deletions.
46 changes: 36 additions & 10 deletions services/identity/src/config.rs
Original file line number Diff line number Diff line change
@@ -1,9 +1,11 @@
use base64::{engine::general_purpose, DecodeError, Engine as _};
use once_cell::sync::Lazy;
use std::{collections::HashSet, env, fmt, fs, io, path};
use tracing::{error, info};

use crate::constants::{
KEYSERVER_PUBLIC_KEY, LOCALSTACK_ENDPOINT, SECRETS_DIRECTORY,
SECRETS_SETUP_FILE,
KEYSERVER_PUBLIC_KEY, LOCALSTACK_ENDPOINT, OPAQUE_SERVER_SETUP,
SECRETS_DIRECTORY, SECRETS_SETUP_FILE,
};

pub static CONFIG: Lazy<Config> =
Expand All @@ -27,10 +29,11 @@ impl Config {
fn load() -> Result<Self, Error> {
let localstack_endpoint = env::var(LOCALSTACK_ENDPOINT).ok();

let mut path = path::PathBuf::new();
path.push(SECRETS_DIRECTORY);
path.push(SECRETS_SETUP_FILE);
let server_setup = get_server_setup_from_file(&path)?;
let mut path_buf = path::PathBuf::new();
path_buf.push(SECRETS_DIRECTORY);
path_buf.push(SECRETS_SETUP_FILE);

let server_setup = get_server_setup(path_buf.as_path())?;

let reserved_usernames = get_reserved_usernames_set()?;

Expand Down Expand Up @@ -65,13 +68,36 @@ pub enum Error {
Env(env::VarError),
#[display(...)]
Json(serde_json::Error),
#[display(...)]
Decode(DecodeError),
}

fn get_server_setup_from_file<P: AsRef<path::Path>>(
path: &P,
fn get_server_setup(
path: &path::Path,
) -> Result<comm_opaque2::ServerSetup<comm_opaque2::Cipher>, Error> {
let bytes = fs::read(path)?;
comm_opaque2::ServerSetup::deserialize(&bytes).map_err(Error::Opaque)
let encoded_server_setup = if let Ok(env_setup) =
env::var(OPAQUE_SERVER_SETUP)
{
info!(
"Using OPAQUE server setup from env var: {}",
OPAQUE_SERVER_SETUP
);
env_setup
} else if let Ok(file_setup) = fs::read_to_string(path) {
info!("Using OPAQUE server setup from file: {}", path.display());
file_setup
} else {
error!("Unable to locate OPAQUE server setup. Please run `keygen` command and run Identity service again.");
return Err(Error::Io(io::Error::new(
io::ErrorKind::NotFound,
"Missing server credentials",
)));
};

let decoded_server_setup =
general_purpose::STANDARD_NO_PAD.decode(encoded_server_setup)?;
comm_opaque2::ServerSetup::deserialize(&decoded_server_setup)
.map_err(Error::Opaque)
}

fn get_reserved_usernames_set() -> Result<HashSet<String>, Error> {
Expand Down
4 changes: 4 additions & 0 deletions services/identity/src/constants.rs
Original file line number Diff line number Diff line change
Expand Up @@ -106,3 +106,7 @@ pub const NONCE_LENGTH: usize = 17;
// LocalStack

pub const LOCALSTACK_ENDPOINT: &str = "LOCALSTACK_ENDPOINT";

// OPAQUE Server Setup

pub const OPAQUE_SERVER_SETUP: &str = "OPAQUE_SERVER_SETUP";
5 changes: 4 additions & 1 deletion services/identity/src/keygen.rs
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
use crate::constants::SECRETS_SETUP_FILE;
use base64::{engine::general_purpose, Engine as _};
use std::{fs, io, path};

pub fn generate_and_persist_keypair(dir: &str) -> Result<(), io::Error> {
Expand All @@ -17,7 +18,9 @@ pub fn generate_and_persist_keypair(dir: &str) -> Result<(), io::Error> {
eprintln!("{:?} already exists, skipping", path);
} else {
println!("Writing setup file to {:?}", path);
fs::write(&path, server_setup.serialize())?;
let encoded_server_setup =
general_purpose::STANDARD_NO_PAD.encode(server_setup.serialize());
fs::write(&path, encoded_server_setup)?;
}

Ok(())
Expand Down
1 change: 0 additions & 1 deletion services/identity/src/main.rs
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,6 @@ use clap::{Parser, Subcommand};
use database::DatabaseClient;
use moka::future::Cache;
use tonic::transport::Server;
use tracing_subscriber::FmtSubscriber;

mod client_service;
mod config;
Expand Down

0 comments on commit 7ba6965

Please sign in to comment.