mirror of
https://github.com/ultravioletrs/cocos.git
synced 2026-06-23 04:10:25 +00:00
Sammy Kerata Oina
8eb1fac9ad
* Refactor and update dependencies in the project - Updated go.sum to replace `github.com/absmach/magistrala` with `github.com/absmach/supermq` across various modules. - Removed VSock configuration from environment variables and QEMU arguments. - Updated QEMU configuration and related tests to remove references to guest CID and VSock. - Added new HTTP transport layer for API endpoints in the manager. - Introduced Prometheus monitoring configuration with alert rules and Alertmanager setup. - Updated service and VM interfaces to remove unused methods and references. - Refactored tests to align with the new structure and dependencies. Signed-off-by: Sammy Oina <sammyoina@gmail.com> * Add MaxVMs configuration and enforce limit on VM creation Signed-off-by: Sammy Oina <sammyoina@gmail.com> * Add comprehensive tests for HTTP transport handlers and endpoints Signed-off-by: Sammy Oina <sammyoina@gmail.com> * Add test case for exceeding maximum number of VMs in TestRun Signed-off-by: Sammy Oina <sammyoina@gmail.com> * Improve error handling in TestHandlerWithCustomRouter to ensure response writing is checked Signed-off-by: Sammy Oina <sammyoina@gmail.com> * Update dependencies to latest versions - Upgrade cel.dev/expr from v0.23.0 to v0.24.0 - Upgrade github.com/absmach/supermq from v0.16.0 to v0.17.0 - Upgrade github.com/cenkalti/backoff from v4.3.0 to v5.0.2 - Upgrade github.com/cncf/xds/go to v0.0.0-20250501225837-2ac532fd4443 - Upgrade github.com/go-chi/chi/v5 from v5.2.1 to v5.2.2 - Upgrade github.com/go-jose/go-jose/v3 from v3.0.3 to v3.0.4 - Upgrade github.com/gofrs/uuid/v5 from v5.3.0 to v5.3.2 - Upgrade github.com/prometheus/client_golang from v1.22.0 to v1.23.0 - Upgrade github.com/prometheus/client_model from v0.6.1 to v0.6.2 - Upgrade github.com/prometheus/common from v0.62.0 to v0.65.0 - Upgrade github.com/prometheus/procfs from v0.15.1 to v0.16.1 - Upgrade go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp from v0.60.0 to v0.62.0 - Upgrade go.opentelemetry.io/otel/exporters/otlp/otlptrace from v1.36.0 to v1.37.0 - Upgrade golang.org/x/crypto from v0.39.0 to v0.40.0 - Upgrade golang.org/x/sys from v0.33.0 to v0.34.0 - Upgrade golang.org/x/text from v0.26.0 to v0.27.0 - Upgrade golang.org/x/time from v0.11.0 to v0.12.0 - Upgrade google.golang.org/grpc from v1.73.0 to v1.74.2 Signed-off-by: Sammy Oina <sammyoina@gmail.com> --------- Signed-off-by: Sammy Oina <sammyoina@gmail.com>
174 lines
3.9 KiB
Go
174 lines
3.9 KiB
Go
// Copyright (c) Ultraviolet
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
package auth
|
|
|
|
import (
|
|
"context"
|
|
"crypto"
|
|
"crypto/ecdsa"
|
|
"crypto/ed25519"
|
|
"crypto/rsa"
|
|
"crypto/sha256"
|
|
"crypto/x509"
|
|
"encoding/base64"
|
|
|
|
"github.com/absmach/supermq/pkg/errors"
|
|
"github.com/ultravioletrs/cocos/agent"
|
|
"google.golang.org/grpc/codes"
|
|
"google.golang.org/grpc/metadata"
|
|
"google.golang.org/grpc/status"
|
|
)
|
|
|
|
type UserRole string
|
|
|
|
const (
|
|
UserMetadataKey = "user-id"
|
|
SignatureMetadataKey = "signature"
|
|
ConsumerRole UserRole = "consumer"
|
|
DataProviderRole UserRole = "data-provider"
|
|
AlgorithmProviderRole UserRole = "algorithm-provider"
|
|
)
|
|
|
|
var (
|
|
ErrMissingMetadata = errors.New("missing metadata")
|
|
ErrInvalidMetadata = errors.New("invalid metadata")
|
|
ErrSignatureVerificationFailed = errors.New("signature verification failed")
|
|
)
|
|
|
|
type Authenticator interface {
|
|
AuthenticateUser(ctx context.Context, role UserRole) (context.Context, error)
|
|
}
|
|
|
|
type service struct {
|
|
resultConsumers []interface{}
|
|
datasetProviders []interface{}
|
|
algorithmProvider interface{}
|
|
}
|
|
|
|
func New(manifest agent.Computation) (Authenticator, error) {
|
|
s := &service{}
|
|
for _, rc := range manifest.ResultConsumers {
|
|
pubKey, err := x509.ParsePKIXPublicKey(rc.UserKey)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
pKey, err := decodePublicKey(pubKey)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
s.resultConsumers = append(s.resultConsumers, pKey)
|
|
}
|
|
|
|
for _, dp := range manifest.Datasets {
|
|
pubKey, err := x509.ParsePKIXPublicKey(dp.UserKey)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
pKey, err := decodePublicKey(pubKey)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
s.datasetProviders = append(s.datasetProviders, pKey)
|
|
}
|
|
|
|
pubKey, err := x509.ParsePKIXPublicKey(manifest.Algorithm.UserKey)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
pKey, err := decodePublicKey(pubKey)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
s.algorithmProvider = pKey
|
|
return s, nil
|
|
}
|
|
|
|
func extractSignature(md metadata.MD) (string, error) {
|
|
signature := md.Get(SignatureMetadataKey)
|
|
if len(signature) != 1 {
|
|
return "", status.Errorf(codes.Unauthenticated, "invalid metadata")
|
|
}
|
|
|
|
return signature[0], nil
|
|
}
|
|
|
|
func verifySignature(role UserRole, signature string, publicKey any) error {
|
|
hash := sha256.Sum256([]byte(role))
|
|
sigByte, err := base64.StdEncoding.DecodeString(signature)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
var ok bool
|
|
|
|
switch publicKey := publicKey.(type) {
|
|
case *rsa.PublicKey:
|
|
if err = rsa.VerifyPKCS1v15(publicKey, crypto.SHA256, hash[:], sigByte); err != nil {
|
|
return err
|
|
}
|
|
return nil
|
|
case *ecdsa.PublicKey:
|
|
ok = ecdsa.VerifyASN1(publicKey, hash[:], sigByte)
|
|
case ed25519.PublicKey:
|
|
ok = ed25519.Verify(publicKey, []byte(role), sigByte)
|
|
}
|
|
|
|
if !ok {
|
|
return ErrSignatureVerificationFailed
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (s *service) AuthenticateUser(ctx context.Context, role UserRole) (context.Context, error) {
|
|
md, ok := metadata.FromIncomingContext(ctx)
|
|
if !ok {
|
|
return nil, ErrMissingMetadata
|
|
}
|
|
signature, err := extractSignature(md)
|
|
if err != nil {
|
|
return nil, errors.Wrap(err, ErrInvalidMetadata)
|
|
}
|
|
|
|
switch role {
|
|
case ConsumerRole:
|
|
for i, rc := range s.resultConsumers {
|
|
if err := verifySignature(role, signature, rc); err == nil {
|
|
return agent.IndexToContext(ctx, i), nil
|
|
}
|
|
}
|
|
case DataProviderRole:
|
|
for _, dp := range s.datasetProviders {
|
|
if err := verifySignature(role, signature, dp); err == nil {
|
|
return ctx, nil
|
|
}
|
|
}
|
|
case AlgorithmProviderRole:
|
|
if err := verifySignature(role, signature, s.algorithmProvider); err == nil {
|
|
return ctx, nil
|
|
}
|
|
}
|
|
|
|
return ctx, ErrSignatureVerificationFailed
|
|
}
|
|
|
|
func decodePublicKey(key any) (pubKey any, err error) {
|
|
switch key := key.(type) {
|
|
case *rsa.PublicKey:
|
|
return key, nil
|
|
case *ecdsa.PublicKey:
|
|
return key, nil
|
|
case ed25519.PublicKey:
|
|
return key, nil
|
|
default:
|
|
return nil, errors.New("unsupported public key type")
|
|
}
|
|
}
|