add support for client certs #2596
From a code quality perspective, this looks good to me (just a few nits). I don't have much opinion on whether this is the best way to expose SSL configuration options, but it looks reasonable to me.
@@ -216,6 +240,9 @@ pub struct RuntimeConfigOpts { | |||
|
|||
#[serde(skip)] | |||
pub file_path: Option<PathBuf>, | |||
|
|||
#[serde(rename = "client_tls", default)] | |||
pub client_tls_opts: Vec<ClientTlsOpts>, |
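Review bot: the new public field `client_tls_opts` (serialised as `client_tls`) has no doc comment, while the neighbouring `file_path` at least carries its `#[serde(skip)]` intent; add a `///` comment stating that the TOML key is an array of tables, that `default` yields an empty list when the key is absent (so no client certificate is ever presented silently rather than erroring), and how entries that name the same component and host are resolved.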
It's fairly common to need to change client certs at runtime based on some other logic (e.g. presenting certs that represent a particular tenant in a system). Placing them in runtime config means that to use Spin, you'd need N different Spin apps running, which may be subpar.
To be clear, this is intended for cases where the client runtime cannot load client certificates. The Spin JavaScript SDK v2, which uses the browser's fetch API, is a clear example of this. The browser API cannot load certificates presented by the client; it needs the user to add those certificates into the root certificate store in order for that endpoint to be trusted.
I am hopeful that StarlingMonkey or Spin's SDK will eventually provide ways to load TLS certs via guest code similar to Deno, but we're not at that point yet.
(and yes, this is far from ideal)
I think ideally we could define a standard API in terms of wasi:http, possibly using proposed request metadata (TLS config was one of my use cases for that proposal).
I just filed fermyon/spin-js-sdk#249 to track this feature request.
crates/trigger-http/src/lib.rs
})?; | ||
|
||
let (mut sender, worker) = if use_tls { | ||
#[cfg(any(target_arch = "riscv64", target_arch = "s390x"))] |
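Review bot: the `#[cfg(any(target_arch = "riscv64", target_arch = "s390x"))]` gate inside the `if use_tls` branch needs a comment saying why TLS is special-cased on those targets and what happens to an https request there (hard error, or a request sent without TLS); the thread notes the code was copied from wasmtime-wasi-http and that tokio-rustls >= 0.25.0 reportedly builds on riscv64, so record that the gate is inherited and should be removed once the dependency is updated, otherwise nobody will know it is safe to drop.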
riscv64 should work for TLS? Do we need to update a dependency instead? (tokio-rustls >= 0.25.0 at least worked last I looked.)
This impl is copied from wasmtime-wasi-http upstream.
Ah, I guess they haven't fixed it since upstream got fixed.
crates/trigger/src/runtime_config.rs
#[derive(Debug, Clone)] | ||
pub struct ParsedClientTlsOpts { | ||
pub components: Vec<String>, | ||
pub hosts: Vec<String>, |
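Review bot: `ParsedClientTlsOpts` keeps `hosts` as raw strings, so whether `example.com` and `example.com:443` match the same outbound request depends on a normalisation rule that is not visible here, and the PR description leaves the default-443 question open; document the rule on this field (or normalise to `host:port` at parse time so the lookup compares canonical keys), and pair it with tests for two blocks that share a component id and host, since the resolution order is invisible at this type.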
Tests and documentation for what happens when multiple TLS blocks contain overlapping hosts would be pretty useful.
Great point. I added some testcases for it. Right now the last block wins.
Is that ok? Or do we want it to error out if a different tls-config is found for the same component-id/host combination? What do you suggest?
Also cc @lann
Technically we should allow multiple certs to be configured; the tls negotiation can select from multiple.
(Though ime this is rarely used)
In that case, maybe we keep it simple and let the last block win (the current behavior), or should we fail it for now?
I might suggest first-wins here since that is how variable provider configs already work.
👍, I have now changed the logic to make the first entry win.
I've addressed most of the review comments (except a few unwrap comments, which I do plan to address before merge). If there are any additional comments, kindly let me know. Thanks. I will also continue to add more testcases until we are ready to merge the PR.
I think I've addressed most of the review feedback. I can spend some more time to add more tests, but otherwise it looks ok for re-review. Thanks.
Signed-off-by: Rajat Jindal <[email protected]>
Looks good - I have some nits, but you can choose whether to address them or not.
I have addressed most of the nits you suggested.
@rajatjindal feel free to merge this whenever you're ready
This PR attempts to add support for client-cert-based auth. As a summary, following are the changes done in this PR:
- copies the default_send_request_handler function from the wasmtime::wasi_http crate to Spin and modifies it to support client-cert-auth and custom-root-ca.
- adds client_tls as a new runtime_config option, scoped by component-id -> host:port (TBD: do we consider default 443 port here if none provided).
Known Limitation:
As of now, it will only work when the outbound request is made from within an http-trigger. The other triggers (e.g. redis-trigger) use a different code path and that has not been changed in this PR.
Example Runtime config:
I will attempt to add some runtime tests for these changes, but I wanted to submit the PR to be able to collect some initial feedback.
Thank you
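As an added illustration, not Spin's own code, of the first-wins resolution agreed in the review above and of the open host:port question in the description: a small Rust model of client_tls blocks that normalises hosts, picks the first block matching a (component, host) pair, and reports entries a later block can never win. The field names, the 443 default and the sample certificate paths are assumptions for the example.

```rust
use std::collections::HashSet;

// Hypothetical shape of one parsed [[client_tls]] block (field names assumed).
pub struct ClientTlsBlock {
    pub components: Vec<String>,
    pub hosts: Vec<String>,
    pub cert_chain_file: String, // assumed: path to the client certificate chain
}

/// Normalise "host" or "host:port" to "host:port"; 443 is assumed when no port is given
/// (the PR leaves this open). Assumes hostnames, not bare IPv6 literals.
pub fn normalize(host: &str) -> String {
    match host.rsplit_once(':') {
        Some((_, p)) if !p.is_empty() && p.bytes().all(|b| b.is_ascii_digit()) => host.to_string(),
        _ => format!("{host}:443"),
    }
}

/// First-wins lookup: the earliest block naming both the component and the normalised host is used.
pub fn resolve<'a>(blocks: &'a [ClientTlsBlock], component: &str, host: &str) -> Option<&'a ClientTlsBlock> {
    let want = normalize(host);
    blocks.iter().find(|b| b.components.iter().any(|c| c.as_str() == component) && b.hosts.iter().any(|h| normalize(h) == want))
}

/// (block index, component, host:port) of entries already claimed by an earlier block, i.e. silently shadowed.
pub fn shadowed(blocks: &[ClientTlsBlock]) -> Vec<(usize, String, String)> {
    let mut seen = HashSet::new();
    let mut out = Vec::new();
    for (i, b) in blocks.iter().enumerate() {
        for (c, h) in b.components.iter().flat_map(|c| b.hosts.iter().map(move |h| (c, h))) {
            if !seen.insert((c.clone(), normalize(h))) {
                out.push((i, c.clone(), normalize(h)));
            }
        }
    }
    out
}

// Constructed sample: blocks 0 and 1 collide on ("api", "example.com:443") once ports are normalised.
pub fn sample_blocks() -> Vec<ClientTlsBlock> {
    let block = |c: &str, h: &str, f: &str| ClientTlsBlock {
        components: vec![c.into()], hosts: vec![h.into()], cert_chain_file: f.into(),
    };
    vec![block("api", "example.com", "tenant-a.pem"), block("api", "example.com:443", "tenant-b.pem"),
         block("worker", "example.com:8443", "internal.pem")]
}
fn main() {
    let blocks = sample_blocks();
    println!("{:?}", resolve(&blocks, "api", "example.com").map(|b| &b.cert_chain_file));
    println!("shadowed entries: {:?}", shadowed(&blocks));
}
```

Surfacing the shadowed list at load time is the cheap way to make the first-wins rule visible to whoever edits the runtime config.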