crossbario / crossbar

Crossbar.io - WAMP application router
https://crossbar.io/

complete cryptosign-proxy authentication for proxy-backend connections #1980

Closed oberstet closed 2 years ago

oberstet commented 2 years ago

tox -e functests-cb:

test/functests/cbtests/test_cb_proxy.py::test_proxy

2022-04-03T11:47:47+0200 2022-04-03T11:47:47+0200 [Proxy       78989] <crossbar.worker.proxy.ProxyFrontendSession.onOpen> Proxy frontend session connected from peer tcp4:127.0.0.1:44844
2022-04-03T11:47:47+0200 2022-04-03T11:47:47+0200 [Proxy       78989] <crossbar.router.auth.anonymous.PendingAuthAnonymous.hello>(realm=foo, details.realm=foo, details.authid=public, details.authrole=quux) [config={'role': 'quux', 'type': 'static'}]
2022-04-03T11:47:47+0200 2022-04-03T11:47:47+0200 [Proxy       78989] <crossbar.worker.proxy.ProxyFrontendSession._accept> Frontend session accepted (Accept(realm=<foo>, authid=<4RNH-FPH4-P33W-GSQG-GXVK-VSCU>, authrole=<quux>, authmethod=anonymous, authprovider=static, authextra={})) - opening proxy backend session ...
2022-04-03T11:47:47+0200 2022-04-03T11:47:47+0200 [Proxy       78989] <crossbar.worker.proxy.ProxyController.map_backend>: ok, proxy backend connection opened mapping frontend session to realm "foo", authrole "quux"
2022-04-03T11:47:47+0200 session leaving 'wamp.error.authentication_failed'
2022-04-03T11:47:47+0200 wamp.error.authentication_failed: None
2022-04-03T11:47:47+0200 2022-04-03T11:47:47+0200 [Proxy       78989] <crossbar.worker.proxy.ProxyFrontendSession.onClose>(wasClean=True)

oberstet commented 2 years ago

works: ok, proxy backend connection opened mapping frontend session to realm "foo", authrole "quux"

2022-04-04T14:02:32+0200 2022-04-04T14:02:32+0200 [Proxy       10420] <crossbar.worker.proxy.ProxyController.map_backend>: ok, proxy backend connection opened mapping frontend session to realm "foo", authrole "quux"
2022-04-04T14:02:32+0200 2022-04-04T14:02:32+0200 [Router      10411] attached session 1836122052430503 to realm "foo" (authid="5X6V-6S3J-KUXP-UA53-6UXS-C3UG", authrole="quux") <crossbar.router.router.Router.attach>

fails: ok, proxy backend connection opened mapping frontend session to realm "foo", authrole "anonymous"

2022-04-04T14:08:25+0200 2022-04-04T14:08:25+0200 [Proxy       11112] <crossbar.worker.proxy.ProxyController.map_backend>: ok, proxy backend connection opened mapping frontend session to realm "foo", authrole "anonymous"
2022-04-04T14:08:25+0200 session leaving 'wamp.error.authentication_failed'
2022-04-04T14:08:25+0200 wamp.error.authentication_failed: None

oberstet commented 2 years ago

2022-04-04T16:21:13+0200 2022-04-04T16:21:13+0200 [Router      24733] attached session 2708028810791765 to realm "foo" (authid="75AY-X4P6-PCEN-5LWW-KEVR-SEHX", authrole="quux") <crossbar.router.router.Router.attach>
2022-04-04T16:21:13+0200 2022-04-04T16:21:13+0200 [Proxy       24745] ProxyBackendSession.onUserError(): "While firing onWelcome"
2022-04-04T16:21:13+0200 Traceback (most recent call last):
2022-04-04T16:21:13+0200   File "/home/oberstet/scm/crossbario/autobahn-python/autobahn/twisted/rawsocket.py", line 141, in stringReceived
2022-04-04T16:21:13+0200     self._session.onMessage(msg)
2022-04-04T16:21:13+0200   File "/home/oberstet/scm/crossbario/crossbar/crossbar/worker/proxy.py", line 705, in onMessage
2022-04-04T16:21:13+0200     super(ProxyBackendSession, self).onMessage(msg)
2022-04-04T16:21:13+0200   File "/home/oberstet/scm/crossbario/autobahn-python/autobahn/wamp/protocol.py", line 540, in onMessage
2022-04-04T16:21:13+0200     d = txaio.as_future(self.onWelcome, msg)
2022-04-04T16:21:13+0200   File "/home/oberstet/cpy39_1/lib/python3.9/site-packages/txaio/tx.py", line 369, in as_future
2022-04-04T16:21:13+0200     return maybeDeferred(fun, *args, **kwargs)
2022-04-04T16:21:13+0200 --- <exception caught here> ---
2022-04-04T16:21:13+0200   File "/home/oberstet/cpy39_1/lib/python3.9/site-packages/twisted/internet/defer.py", line 190, in maybeDeferred
2022-04-04T16:21:13+0200     result = f(*args, **kwargs)
2022-04-04T16:21:13+0200   File "/home/oberstet/scm/crossbario/crossbar/crossbar/worker/proxy.py", line 679, in onWelcome
2022-04-04T16:21:13+0200     return super(ProxyBackendSession, self).onWelcome(msg)
2022-04-04T16:21:13+0200   File "/home/oberstet/scm/crossbario/autobahn-python/autobahn/wamp/protocol.py", line 1834, in onWelcome
2022-04-04T16:21:13+0200     raise RuntimeError(
2022-04-04T16:21:13+0200 builtins.RuntimeError: Received onWelcome for unknown authmethod 'anonymous' [authenticators=['anonymous-proxy']]

oberstet commented 2 years ago

022-04-04T18:28:50+0200 [Controller  37690] <crossbar.node.node.Node.boot>::NODE_BOOT_COMPLETE
2022-04-04T18:28:51+0200 [Proxy       37727] <crossbar.worker.proxy.ProxyFrontendSession.onOpen> Proxy frontend session connected from peer tcp4:127.0.0.1:49816
2022-04-04T18:28:51+0200 [Proxy       37727] <crossbar.worker.proxy.ProxyFrontendSession._process_Hello> processed authmethod "ticket" using <class 'crossbar.router.auth.ticket.PendingAuthTicket'>: Challenge(method=ticket, extra={})
2022-04-04T18:28:51+0200 [Proxy       37727] <crossbar.worker.proxy.ProxyFrontendSession._accept> Frontend session accepted (Accept(realm=<realm1>, authid=<user1>, authrole=<user>, authmethod=ticket, authprovider=static, authextra={})) - opening proxy backend session ...
2022-04-04T18:28:52+0200 [Proxy       37727] <crossbar.worker.proxy.ProxyController.map_backend>: ok, proxy backend connection opened mapping frontend session to realm "realm1", authrole "user"
2022-04-04T18:28:52+0200 [Proxy       37727] <crossbar.worker.proxy.ProxyFrontendSession._accept.<locals>._backend_connected> Proxy backend session authenticating using authmethods=['anonymous-proxy'] 
2022-04-04T18:28:52+0200 [Router      37699] Router attached new session to realm "realm1" (session=3747191555396008, authid="user1", authrole="user", authmethod="anonymous-proxy", authprovider="static") <crossbar.router.router.Router.attach>
2022-04-04T18:28:52+0200 [Proxy       37727] <crossbar.worker.proxy.ProxyFrontendSession._accept.<locals>._backend_connected.<locals>._on_backend_joined> Ok, proxy backend session 3747191555396008 joined!
2022-04-04T18:29:13+0200 [Proxy       37718] <crossbar.worker.proxy.ProxyFrontendSession.onOpen> Proxy frontend session connected from peer tcp4:127.0.0.1:49818
2022-04-04T18:29:13+0200 [Proxy       37718] <crossbar.worker.proxy.ProxyFrontendSession._process_Hello> processed authmethod "ticket" using <class 'crossbar.router.auth.ticket.PendingAuthTicket'>: Challenge(method=ticket, extra={})
2022-04-04T18:29:13+0200 [Proxy       37718] <crossbar.worker.proxy.ProxyFrontendSession._accept> Frontend session accepted (Accept(realm=<realm1>, authid=<user2>, authrole=<user>, authmethod=ticket, authprovider=static, authextra={})) - opening proxy backend session ...
2022-04-04T18:29:13+0200 [Proxy       37718] <crossbar.worker.proxy.ProxyController.map_backend>: ok, proxy backend connection opened mapping frontend session to realm "realm1", authrole "user"
2022-04-04T18:29:13+0200 [Proxy       37718] <crossbar.worker.proxy.ProxyFrontendSession._accept.<locals>._backend_connected> Proxy backend session authenticating using authmethods=['anonymous-proxy'] 
2022-04-04T18:29:13+0200 [Router      37699] Router attached new session to realm "realm1" (session=381140739751398, authid="user2", authrole="user", authmethod="anonymous-proxy", authprovider="static") <crossbar.router.router.Router.attach>
2022-04-04T18:29:13+0200 [Proxy       37718] <crossbar.worker.proxy.ProxyFrontendSession._accept.<locals>._backend_connected.<locals>._on_backend_joined> Ok, proxy backend session 381140739751398 joined!

om26er commented 2 years ago

From my understanding, currently the proxy worker, using the node private key, authenticates to the router worker when making the backend connection. Is the backend connection only supposed to be made using the proxy worker node's private key, or will we support backend connection using the connecting client's private key as well?

oberstet commented 2 years ago

Almost ;) As in:

> from my understanding currently the proxy worker, using the node private key authenticates to the router worker when making the backend connection.

When the connection to the backend node is via TCP, this is the only option. When the connection is over UDS, it can also use anonymous auth.

> will we support backend connection using the connecting client's private key as well

The connecting client is the node.

oberstet commented 2 years ago

@om26er I've tried to make it more explicit (in the code, that is): https://github.com/crossbario/crossbar/pull/1980/commits/587613130945cbe5c9ba6ad475f36fc5128ca4a9
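
Added example (not part of the thread or of Crossbar.io's own code): a log check for the behaviour the runs above show, confirming that every backend session the router attaches joined with a proxy authmethod and carries the realm, authid and authrole that the proxy frontend accepted. It parses only the later log format (`Router attached new session ...`), assumes every router session arrives through a proxy worker, and `audit_backend_sessions` is a hypothetical name.

```python
import re

# Authmethods a proxy worker uses on the backend leg (names as they appear in this thread).
PROXY_METHODS = {"anonymous-proxy", "cryptosign-proxy"}

ACCEPT = re.compile(r'Accept\(realm=<(?P<realm>[^>]*)>, authid=<(?P<authid>[^>]*)>, '
                    r'authrole=<(?P<authrole>[^>]*)>, authmethod=(?P<authmethod>[^,]+),')
ATTACH = re.compile(r'attached new session to realm "(?P<realm>[^"]*)" '
                    r'\(session=(?P<session>\d+), authid="(?P<authid>[^"]*)", '
                    r'authrole="(?P<authrole>[^"]*)", authmethod="(?P<authmethod>[^"]*)"')

# Lines 1-2 are from the 18:28:51 run above (timestamps dropped).
# Lines 3-4 are constructed to show a backend session that lost the frontend identity.
SAMPLE = '''\
[Proxy       37727] <crossbar.worker.proxy.ProxyFrontendSession._accept> Frontend session accepted (Accept(realm=<realm1>, authid=<user1>, authrole=<user>, authmethod=ticket, authprovider=static, authextra={})) - opening proxy backend session ...
[Router      37699] Router attached new session to realm "realm1" (session=3747191555396008, authid="user1", authrole="user", authmethod="anonymous-proxy", authprovider="static") <crossbar.router.router.Router.attach>
[Proxy       37727] <crossbar.worker.proxy.ProxyFrontendSession._accept> Frontend session accepted (Accept(realm=<realm1>, authid=<user3>, authrole=<user>, authmethod=ticket, authprovider=static, authextra={})) - opening proxy backend session ...
[Router      37699] Router attached new session to realm "realm1" (session=1111111111111111, authid="user3", authrole="anonymous", authmethod="anonymous", authprovider="static") <crossbar.router.router.Router.attach>
'''


def audit_backend_sessions(log_text):
    """Return (session_id, problem) tuples for router sessions that do not
    match what a proxy frontend accepted earlier in the same log."""
    accepted = {}  # (realm, authid) -> authrole accepted by the proxy frontend
    findings = []
    for line in log_text.splitlines():
        m = ACCEPT.search(line)
        if m:
            accepted[(m["realm"], m["authid"])] = m["authrole"]
            continue
        m = ATTACH.search(line)
        if not m:
            continue
        sid, key = m["session"], (m["realm"], m["authid"])
        if m["authmethod"] not in PROXY_METHODS:
            findings.append((sid, "backend authmethod %r is not a proxy method" % m["authmethod"]))
        if key not in accepted:
            findings.append((sid, "no frontend Accept seen for realm/authid %r" % (key,)))
        elif accepted[key] != m["authrole"]:
            findings.append((sid, "authrole %r differs from accepted %r"
                             % (m["authrole"], accepted[key])))
    return findings


if __name__ == "__main__":
    for session_id, problem in audit_backend_sessions(SAMPLE):
        print(session_id, problem)
```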