[BUG] WASMCLOUD_CLUSTER_SEED does not affect issuers - Githubissues

wasmCloud / wasmcloud-otp

wasmCloud host runtime that leverages Elixir/OTP and Rust to provide simple, secure, distributed application development using the actor model

Apache License 2.0

228 stars 48 forks source link

[BUG] WASMCLOUD_CLUSTER_SEED does not affect issuers #224

Closed brooksmtownsend closed 3 years ago

brooksmtownsend commented 3 years ago

When a WASMCLOUD_CLUSTER_SEED is supplied via environment variables or a dotenv file, this cluster seed will be used to sign invocations. The validation step for antiforgery checks invocations against the valid cluster issuers in the host, that list is supplied by a separate environment variable WASMCLOUD_CLUSTER_ISSUERS.

What I'm observing as a bug here is that if I generate a cluster key and supply it as the cluster seed for my host, that key will not be present in the list of valid invocation issuers. Insted, the ad hoc generated cluster public key is what's present in the valid issuers list.

My proposal is: If a cluster seed is supplied, we should use the nkeys library to extract the public key using the KeyPair::from_seed functionality, and the valid issuers list should include that public key rather than the ad hoc generated issuer.

brooksmtownsend commented 3 years ago

cc @autodidaddict

autodidaddict commented 3 years ago

So, let me try and rephrase:

if we autogenerate an ad hoc key, the issuer is valid
if a seed is supplied, then the cluster issuer of that key is not automatically included in the issuer list.

This is actually functioning by design. If you supply a cluster seed, it is your responsibility to ensure that the public key of that seed is included somewhere in the cluster issuer list.

Or am I misinterpreting the issue?

autodidaddict commented 3 years ago

Oooh we're leaving the public key of the ad hoc issuer in the valid issuers list even if someone supplies their own seed key. Yes, this is a bug, we should ensure the ad hoc key is removed from the issuer list if someone supplies their own seed.

brooksmtownsend commented 3 years ago

I completely agree with your second point (ad hoc key should not be in issuers if a seed is supplied)

Is there a use case where you would want to supply your own cluster key AND you want to supply a different set of valid issuers (not including the corresponding issuer to the supplied cluster key)? Would this scenario even work?

autodidaddict commented 3 years ago

Lets say you have 6 different signing keys that you're using (maybe 1 per region or 1 per infra etc). Each host will be given one seed and six issuers.

brooksmtownsend commented 3 years ago

That makes sense, but would you ever want the issuer corresponding to that host's seed to be absent from the allowed issuer list?

autodidaddict commented 3 years ago

Good point. Invocations originating from that host would have to be validated by that host in some scenarios.

autodidaddict commented 3 years ago

Should probably do a little extra shenanigans to force the public key corresponding to the signing key to always be in the issuers list.