Transfer registry path via gRPC metadata #1366

NikitaSkrynnik · 2022-10-12T12:44:26Z

Description

The main idea: We add Path for registry to check it in Registry Authorization chain elements. The logic of path is the same as in networkservice.

Added chain elements:

grpcmetadata - Transfers registry path via gRPC metadata. Contains Path data structure and methods that get and put path to context.
updatepath - Constructs private path during registration of NS or NSE in registry. Uses context methods from grpcmetadata package.
updatetoken - Adds and updates tokens and expiration time for path segments. Also adds tokens to path_ids field in NetworkService and NetworkServiceEndpoint messages.
Authorize client chain elements - chain elements that check registry path using policies on response from registry.

Other changes:

Added new policy that checks path_ids of NS and NSE messages.
Reworked some registry unit tests that used raw connections to registry. Now they use Registry Client to connect to registry.
All chain elements that are necessary for registry path were added to all registry components (nsmgr, proxy-dns, nsmgr-proxy, registry-client, registry-memory)
Reworked sandbox test token generation functions. It was necessary for updatetoken chain element.

Issue link

#1367

How Has This Been Tested?

Added unit testing to cover
Tested manually
Tested by integration testing
Have not tested

Types of changes

denis-tingaikin · 2022-11-10T09:11:00Z

@NikitaSkrynnik Could you rebase this one?

Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com>

denis-tingaikin

Please fix the remaining comments and they can be merged.

@glazychev-art Do you have any other comments?

denis-tingaikin · 2022-11-29T00:20:38Z

pkg/registry/common/updatepath/nse_server.go

+)
+
+type updatePathNSEServer struct {
+	name string


Suggested change

name string

denis-tingaikin · 2022-11-29T00:20:50Z

pkg/registry/common/updatepath/nse_server.go

+		return nil, err
+	}
+
+	name := s.name


Suggested change

name := s.name

@NikitaSkrynnik Apply this for other similar places

denis-tingaikin · 2022-11-29T00:21:05Z

pkg/registry/common/updatepath/nse_server.go

+	if spiffeID, idErr := spire.SpiffeIDFromContext(ctx); idErr == nil {
+		name = spiffeID.Path()
+	}


Suggested change

if spiffeID, idErr := spire.SpiffeIDFromContext(ctx); idErr == nil {

name = spiffeID.Path()

}

if spiffeID, err := spire.SpiffeIDFromContext(ctx); err == nil {

return err

}

denis-tingaikin · 2022-11-29T10:35:57Z

@NikitaSkrynnik Lets merge this and consider the remaining comments in the separate PR.

…k@main PR link: networkservicemesh/sdk#1366 Commit: a64652c Author: Nikita Skrynnik Date: 2022-11-29 21:36:13 +1100 Message: - Transfer registry path via gRPC metadata (#1366) * add updatepath chain elements for registry Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * add nse_test for registry updatepath Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * add updatepath tests for nse_server Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * add updatetoken chain element for registry Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * clone tests for all updatetoken and updatepath chain elements Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * add updatepath and updatetoken to all registries in sdk Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * add path_segment and index fields to opa policy input struct Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * debugging Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * fix sandbox tests Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * fix authorize ns_server_test Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * fix networkservice updatetoken TestChain Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * add error check in updatepath chain element + fix some linter errors Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * fix linter issues Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * add policy for spiffeID check + add test for policy and authorize registry Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * add policy for spiffeID checking to authorize for registry Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * fix linter issues Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * start adding sandbox test for registry authorize Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * add grpcmetadata chain element and unit test Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * add map to grpcmetadata + update api refs + fix some errors Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * change authorize map name Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * fix opa unit tests + fix authorize unit tests + cleanup Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * finish all registry updatepath tests Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * add tests for updatepath server + fix refresh bug Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * fix some sandbox tests Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * fix a lot of unit tests Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * fix some linter issue Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * fix all linter issues Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * fix datarace in sandbox tests Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * fix dns test Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * add registry authorization client to nsmgr-proxy, proxydns and registry-memory Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * fix linter Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * remove degub logs Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * fix linter Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * fix tests Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * fix grpcmetadata unit test Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * reduce timeout for test Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * fix linter issues Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * fix grpcmetadata unit test Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * fix grpcmetadata tests + fix a bug in updatepath ns_client Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * cleanup Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * increase timeout for debug Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * reduce timeout Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * add Path data structure for registry Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * rerun CI Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * remove replace for api Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * apply review comments Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * rerun CI Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * apply review comments Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * revert changes in opainput.go Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * fix linter Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * go mod tidy Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * revert changes in nsmgr/server.go Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * use spiffeid as name for path segments Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * fix linter issue Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * Simpilfy Path.Clone method Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> Signed-off-by: NSMBot <nsmbot@networkservicmesh.io>

NikitaSkrynnik force-pushed the grpc-metadata branch from 86de6da to dad1c4d Compare October 18, 2022 14:28

denis-tingaikin requested review from d-uzlov and DVEfremov November 9, 2022 10:20

NikitaSkrynnik requested review from denis-tingaikin, ThetaDR, glazychev-art and d-uzlov and removed request for DVEfremov and d-uzlov November 9, 2022 10:20

denis-tingaikin requested review from DVEfremov, edwarnicke, fkautz and ThetaDR and removed request for ThetaDR November 9, 2022 10:22

denis-tingaikin assigned glazychev-art and denis-tingaikin Nov 10, 2022

NikitaSkrynnik force-pushed the grpc-metadata branch from f6e17cf to 6c48ca3 Compare November 21, 2022 08:33

NikitaSkrynnik added 12 commits November 23, 2022 17:49

add updatepath chain elements for registry

c3c1ca5

Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com>

add nse_test for registry updatepath

f1d2dd7

Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com>

add updatepath tests for nse_server

d62aa95

Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com>

add updatetoken chain element for registry

98dfc63

Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com>

clone tests for all updatetoken and updatepath chain elements

e3f8581

Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com>

add updatepath and updatetoken to all registries in sdk

772c4d1

Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com>

add path_segment and index fields to opa policy input struct

9632350

Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com>

debugging

dc20732

Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com>

fix sandbox tests

db488dc

Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com>

fix authorize ns_server_test

0aef70b

Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com>

fix networkservice updatetoken TestChain

b053f9d

Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com>

add error check in updatepath chain element + fix some linter errors

c156f3f

Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com>

denis-tingaikin requested changes Nov 29, 2022

View reviewed changes

glazychev-art approved these changes Nov 29, 2022

View reviewed changes

denis-tingaikin approved these changes Nov 29, 2022

View reviewed changes

denis-tingaikin merged commit a64652c into networkservicemesh:main Nov 29, 2022

denis-tingaikin mentioned this pull request Dec 4, 2022

Create authorization registry chain elements. #47

Closed

NikitaSkrynnik deleted the grpc-metadata branch July 13, 2023 09:19

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Transfer registry path via gRPC metadata #1366

Transfer registry path via gRPC metadata #1366

NikitaSkrynnik commented Oct 12, 2022 •

edited by denis-tingaikin

Loading

denis-tingaikin commented Nov 10, 2022

denis-tingaikin left a comment

denis-tingaikin Nov 29, 2022

denis-tingaikin Nov 29, 2022

denis-tingaikin Nov 29, 2022

denis-tingaikin Nov 29, 2022

denis-tingaikin commented Nov 29, 2022

Transfer registry path via gRPC metadata #1366

Transfer registry path via gRPC metadata #1366

Conversation

NikitaSkrynnik commented Oct 12, 2022 • edited by denis-tingaikin Loading

Description

Issue link

How Has This Been Tested?

Types of changes

denis-tingaikin commented Nov 10, 2022

denis-tingaikin left a comment

Choose a reason for hiding this comment

denis-tingaikin Nov 29, 2022

Choose a reason for hiding this comment

denis-tingaikin Nov 29, 2022

Choose a reason for hiding this comment

denis-tingaikin Nov 29, 2022

Choose a reason for hiding this comment

denis-tingaikin Nov 29, 2022

Choose a reason for hiding this comment

denis-tingaikin commented Nov 29, 2022

NikitaSkrynnik commented Oct 12, 2022 •

edited by denis-tingaikin

Loading