search

depot / node-spiffe

A SPIFFE Workload API client for Node.js
https://www.npmjs.com/package/spiffe
MIT License
4 stars 0 forks source link

Await of RPC call is not being resolved #27

Closed alperdedeoglu closed 1 year ago

alperdedeoglu commented 1 year ago

When we make a call to the workload agent API over gRPC using the client with the following approach:

let call = service.myMethod(foo);
for await (let message of call.responses) {
    console.log("got a message", message)
}
await call;
console.log("After Response"). // never gets executed

"After response" console.log statement is never reached. In protobuf-ts manual it is recommended to use it this way for error handling. Please see here.

I think spire workload agent server does not end the call with something recognized by protobuf-ts, therefore if we want to await the call for error handling, await is blocking the execution.

jacobwgillespie commented 1 year ago

Hey, yeah I believe the SPIFFE Workload API will continue to hold the stream open and push updates over time, so like you would receive the initial certificate response, but the stream would not end, and later the server would send another new certificate response when the client needs to update certificates.

There's some more detail in the API docs here: https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Workload_API.md#42-stream-responses.

Someday I'm hoping to switch the underlying gRPC client in this library to Connect (https://github.com/connectrpc/connect-es) in gRPC mode. Right now, it doesn't support listening on file sockets, so I'd need to add that, but it would eliminate the need to await the call to see any errors, as the errors would automatically throw just from the for await (let message of stream).

alperdedeoglu commented 1 year ago

I see thanks for the explanation! You are right, I saw the issue also on connect side. Then ideally the flow would be the following as of today:

  1. Client initiates a connection to Workload Agent API.
  2. Client sends a request to the Workload Agent API for initial certificate response.
  3. Client leaves the stream open, and waits for additional responses from Workload Agent API.
  4. When client has a new certificate response from the Workload Agent API, client application should replace the certificate with the new one.
jacobwgillespie commented 1 year ago

Yeah, exactly, that is my understanding as well 👍

I think it's possible to pass a unix file socket connection to Connect directly, and if so then I could add unix file socket support in node-spiffe here, but I haven't had a chance to try it out yet.