From 3a6ac497536f9347db757d18ab33f9c1c729d6b8 Mon Sep 17 00:00:00 2001 From: Adin Schmahmann Date: Wed, 22 May 2024 16:11:58 -0400 Subject: [PATCH] feat: enable hiding tracing behind auth --- docs/environment-variables.md | 9 ++++++++- handlers.go | 16 +++++++++++++++- main.go | 9 ++++++++- main_test.go | 2 +- 4 files changed, 32 insertions(+), 4 deletions(-) diff --git a/docs/environment-variables.md b/docs/environment-variables.md index c5a9782..39fc50f 100644 --- a/docs/environment-variables.md +++ b/docs/environment-variables.md @@ -30,7 +30,8 @@ - [Testing](#testing) - [`GATEWAY_CONFORMANCE_TEST`](#gateway_conformance_test) - [`IPFS_NS_MAP`](#ipfs_ns_map) -- [Tracing](#tracing) +- [Tracing](#tracing) + - [`RAINBOW_TRACING_AUTH`](#rainbow_tracing_auth) ## Configuration @@ -304,6 +305,12 @@ rather than also included background processes 2. Requests are only traced when there is a `Traceparent` header passed that is valid According to the [Trace Context] specification +### `RAINBOW_TRACING_AUTH` + +The ability to pass `Traceparent` or `Tracestate` headers is guarded by an +`Authorization` header. The value of the `Authorization` header should match +the value in the `RAINBOW_TRACING_AUTH` environment variable. + [Boxo Tracing]: https://github.com/ipfs/boxo/blob/main/docs/tracing.md [Open Telemetry]: https://opentelemetry.io/ [OpenTelemetry Environment Variable Specification]: https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/sdk-environment-variables.md diff --git a/handlers.go b/handlers.go index 9040649..ebddfb8 100644 --- a/handlers.go +++ b/handlers.go @@ -84,7 +84,7 @@ func withRequestLogger(next http.Handler) http.Handler { }) } -func setupGatewayHandler(cfg Config, nd *Node) (http.Handler, error) { +func setupGatewayHandler(cfg Config, nd *Node, tracingAuth string) (http.Handler, error) { var ( backend gateway.IPFSBackend err error @@ -208,6 +208,20 @@ func setupGatewayHandler(cfg Config, nd *Node) (http.Handler, error) { // Add tracing. handler = otelhttp.NewHandler(handler, "Gateway") + // Remove tracing headers if not authorized + prevHandler := handler + handler = http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) { + if request.Header.Get("Authorization") != tracingAuth { + if request.Header.Get("Traceparent") != "" { + request.Header.Del("Traceparent") + } + if request.Header.Get("Tracestate") != "" { + request.Header.Del("Tracestate") + } + } + prevHandler.ServeHTTP(writer, request) + }) + return handler, nil } diff --git a/main.go b/main.go index b5ac77f..003cbb8 100644 --- a/main.go +++ b/main.go @@ -297,6 +297,12 @@ Generate an identity seed and launch a gateway: EnvVars: []string{"RAINBOW_LIBP2P_LISTEN_ADDRS"}, Usage: "Multiaddresses for libp2p bitswap client to listen on (comma-separated)", }, + &cli.StringFlag{ + Name: "tracing-auth", + Value: "", + EnvVars: []string{"RAINBOW_TRACING_AUTH"}, + Usage: "If set the key gates use of the Traceparent header by requiring the key to be passed in the Authorization header", + }, } app.Commands = []*cli.Command{ @@ -459,7 +465,8 @@ share the same seed as long as the indexes are different. gatewayListen := cctx.String("gateway-listen-address") ctlListen := cctx.String("ctl-listen-address") - handler, err := setupGatewayHandler(cfg, gnd) + tracingAuth := cctx.String("tracing-auth") + handler, err := setupGatewayHandler(cfg, gnd, tracingAuth) if err != nil { return err } diff --git a/main_test.go b/main_test.go index 33c0354..a4eb39b 100644 --- a/main_test.go +++ b/main_test.go @@ -71,7 +71,7 @@ func mustTestNodeWithKey(t *testing.T, cfg Config, sk ic.PrivKey) *Node { func mustTestServer(t *testing.T, cfg Config) (*httptest.Server, *Node) { nd := mustTestNode(t, cfg) - handler, err := setupGatewayHandler(cfg, nd) + handler, err := setupGatewayHandler(cfg, nd, "") if err != nil { require.NoError(t, err) }