feat: enable hiding tracing behind auth

docs/environment-variables.md

@@ -30,7 +30,8 @@
 - [Testing](#testing)
   - [`GATEWAY_CONFORMANCE_TEST`](#gateway_conformance_test)
   - [`IPFS_NS_MAP`](#ipfs_ns_map)
-- [Tracing](#tracing) 
+- [Tracing](#tracing)
+  - [`RAINBOW_TRACING_AUTH`](#rainbow_tracing_auth)
 
 ## Configuration
 
@@ -304,6 +305,12 @@ rather than also included background processes
 2. Requests are only traced when there is a `Traceparent` header passed that is valid
 According to the [Trace Context] specification
 
+### `RAINBOW_TRACING_AUTH`
+
+The ability to pass `Traceparent` or `Tracestate` headers is guarded by an
+`Authorization` header. The value of the `Authorization` header should match
+the value in the `RAINBOW_TRACING_AUTH` environment variable.
+
 [Boxo Tracing]: https://github.com/ipfs/boxo/blob/main/docs/tracing.md
 [Open Telemetry]: https://opentelemetry.io/
 [OpenTelemetry Environment Variable Specification]: https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/sdk-environment-variables.md

handlers.go

@@ -84,7 +84,7 @@ func withRequestLogger(next http.Handler) http.Handler {
 	})
 }
 
-func setupGatewayHandler(cfg Config, nd *Node) (http.Handler, error) {
+func setupGatewayHandler(cfg Config, nd *Node, tracingAuth string) (http.Handler, error) {
 	var (
 		backend gateway.IPFSBackend
 		err     error
@@ -208,6 +208,20 @@ func setupGatewayHandler(cfg Config, nd *Node) (http.Handler, error) {
 	// Add tracing.
 	handler = otelhttp.NewHandler(handler, "Gateway")
 
+	// Remove tracing headers if not authorized
+	prevHandler := handler
+	handler = http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {
+		if request.Header.Get("Authorization") != tracingAuth {
+			if request.Header.Get("Traceparent") != "" {
+				request.Header.Del("Traceparent")
+			}
+			if request.Header.Get("Tracestate") != "" {
+				request.Header.Del("Tracestate")
+			}
+		}
+		prevHandler.ServeHTTP(writer, request)
+	})
+
 	return handler, nil
 }
 

main.go

@@ -297,6 +297,12 @@ Generate an identity seed and launch a gateway:
 			EnvVars: []string{"RAINBOW_LIBP2P_LISTEN_ADDRS"},
 			Usage:   "Multiaddresses for libp2p bitswap client to listen on (comma-separated)",
 		},
+		&cli.StringFlag{
+			Name:    "tracing-auth",
+			Value:   "",
+			EnvVars: []string{"RAINBOW_TRACING_AUTH"},
+			Usage:   "If set the key gates use of the Traceparent header by requiring the key to be passed in the Authorization header",
+		},
 	}
 
 	app.Commands = []*cli.Command{
@@ -459,7 +465,8 @@ share the same seed as long as the indexes are different.
 		gatewayListen := cctx.String("gateway-listen-address")
 		ctlListen := cctx.String("ctl-listen-address")
 
-		handler, err := setupGatewayHandler(cfg, gnd)
+		tracingAuth := cctx.String("tracing-auth")
+		handler, err := setupGatewayHandler(cfg, gnd, tracingAuth)
 		if err != nil {
 			return err
 		}

main_test.go

@@ -71,7 +71,7 @@ func mustTestNodeWithKey(t *testing.T, cfg Config, sk ic.PrivKey) *Node {
 func mustTestServer(t *testing.T, cfg Config) (*httptest.Server, *Node) {
 	nd := mustTestNode(t, cfg)
 
-	handler, err := setupGatewayHandler(cfg, nd)
+	handler, err := setupGatewayHandler(cfg, nd, "")
 	if err != nil {
 		require.NoError(t, err)
 	}