
Improved peerguard auth support #5086

Draft
wants to merge 3 commits into
base: master

Conversation

mintyleaf
Contributor

Description

This PR is tied to mudler/edgevpn#863, adding authorization support at the P2P protocol level

  • Rewrite P2P flags handling
  • Add the needed configuration support
  • Add a secure HTTP API for managing worker public keys in the ledger

Notes for Reviewers
This is a draft PR; the edgevpn changes need to be resolved and approved first

Signed commits

  • Yes, I signed my commits.

@github-actions github-actions bot added the enhancement (New feature or request) and dependencies labels on Mar 29, 2025
@mintyleaf mintyleaf marked this pull request as draft March 29, 2025 02:50

netlify bot commented Mar 29, 2025

Deploy Preview for localai ready!

🔨 Latest commit: 2ee3c83
🔍 Latest deploy log: https://app.netlify.com/sites/localai/deploys/67edc3973e93f50008c1848c
😎 Deploy Preview: https://deploy-preview-5086--localai.netlify.app

@mintyleaf
Contributor Author

mintyleaf commented Mar 29, 2025

@mudler hello there!

I guess that is a good starting point for porting my recent edgevpn changes here, and I was kind of forced to finally take the P2P configuration flags out to the top level

I want to wait until my idea about an auth provider mechanism (authoritative trusted nodes acting as auth middleware for the HTTP API that manages the ledger buckets) is approved, but there is a raw outline ported from edgevpn at core/http/routes/peerguard.go

Thanks in advance!

@mintyleaf
Contributor Author

mintyleaf commented Mar 29, 2025

UPD:
Seems like I got confused by the --federated and federated flags (again).
As the federated server works with a raw TCP proxy, we can't use fiber routes or other fancy stuff.
Either we need to include that near the TCP proxy thing, or use another port for some HTTP library usage.
But that is kind of counterintuitive for me, and the thing should be accessed from the so-called "API" port imho.

UPD2:
I guess I can read the incoming connection through a bufio.Reader, peeking an arbitrary number of bytes first, check whether the first bytes resemble a GET/PUT/DELETE request to the desired ledger URL, and then block further proxying and hand that connection over to net/http to read, checking the Authorization header public key against the P2P auth providers of that federated node, ideally reusing the Authenticate logic in the Challenger routine.
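The sniff-then-divert flow sketched in UPD2, written out as an added Go example; this is not code from this PR, from LocalAI or from edgevpn, and everything concrete in it is an assumption for illustration: the ledger path /api/p2p/ledger, the GET/PUT/DELETE method set, the "PeerGuard" Authorization scheme, the Ed25519 signing format, and the names peekRequestLine, isLedgerRequest, Verifier, SignRequest and Dispatch (Verifier stands in for the node's P2P auth providers and the Challenger's Authenticate logic). One point the comment glosses over: a public key on its own in the Authorization header is not a credential, because anyone who has seen a worker's key can send it, so the example requires a signature by that key over the method and request target and looks the key up in the trusted set before verifying. Replay protection (a nonce or timestamp inside the signed string) is deliberately left out to keep the example short.

```go
package main

// Added example, not LocalAI or edgevpn code: sniff the request line of a raw TCP connection,
// divert ledger calls to net/http behind a signed Authorization header, pass the rest to the proxy.

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"io"
	"net/http"
	"os"
	"strings"
)

const ledgerPrefix = "/api/p2p/ledger" // assumed path of the ledger API
var ledgerMethods = map[string]bool{"GET": true, "PUT": true, "DELETE": true}

// peekRequestLine returns the first line without consuming it, so the same reader
// can still feed the proxy or http.ReadRequest. Each Peek waits for only one byte
// beyond what already arrived; a silent client is cut off by the read deadline.
func peekRequestLine(r *bufio.Reader, max int) ([]byte, error) {
	for n := 1; ; n = min(r.Buffered()+1, max) {
		buf, err := r.Peek(n)
		if i := bytes.IndexByte(buf, '\n'); i >= 0 {
			return bytes.TrimRight(buf[:i], "\r"), nil
		}
		if err != nil || n == max { // EOF, broken connection, or not HTTP at all
			return nil, fmt.Errorf("no HTTP request line in the first %d bytes", len(buf))
		}
	}
}

// isLedgerRequest: GET/PUT/DELETE on the ledger path only; "/api/p2p/ledgerX" must not match.
func isLedgerRequest(line []byte) bool {
	f := bytes.Fields(line)
	if len(f) != 3 || !ledgerMethods[string(f[0])] || !bytes.HasPrefix(f[2], []byte("HTTP/1.")) {
		return false
	}
	rest, ok := bytes.CutPrefix(f[1], []byte(ledgerPrefix))
	return ok && (len(rest) == 0 || rest[0] == '/' || rest[0] == '?')
}

// Verifier stands in for the node's P2P auth providers: base64 key -> trusted worker key.
// A bare public key proves nothing, so the header must also carry a signature over
// method and target; replay protection (nonce or timestamp) is omitted here.
type Verifier map[string]ed25519.PublicKey

func KeyID(k ed25519.PublicKey) string { return base64.StdEncoding.EncodeToString(k) }

// SignRequest is the worker side: "PeerGuard <base64 pub>:<base64 sig>".
func SignRequest(priv ed25519.PrivateKey, method, target string) string {
	sig := ed25519.Sign(priv, []byte(method+" "+target))
	return "PeerGuard " + KeyID(priv.Public().(ed25519.PublicKey)) + ":" + base64.StdEncoding.EncodeToString(sig)
}

// Authenticate returns the key ID of the trusted peer that signed req.
func (v Verifier) Authenticate(req *http.Request) (string, error) {
	scheme, cred, _ := strings.Cut(req.Header.Get("Authorization"), " ")
	pubB64, sigB64, ok := strings.Cut(cred, ":")
	if scheme != "PeerGuard" || !ok {
		return "", fmt.Errorf("missing or malformed PeerGuard credentials")
	}
	pub, known := v[pubB64] // membership first: Verify panics on a nil key
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if !known || err != nil || !ed25519.Verify(pub, []byte(req.Method+" "+req.URL.RequestURI()), sig) {
		return "", fmt.Errorf("unknown key or bad signature")
	}
	return pubB64, nil
}

// Dispatch returns the HTTP status it wrote, or 0 when the bytes (peeked ones included) went to the proxy.
func Dispatch(r io.Reader, w io.Writer, v Verifier, proxy func(io.Reader, io.Writer) error) (int, error) {
	br := bufio.NewReaderSize(r, 4096)
	if line, err := peekRequestLine(br, 1024); err != nil || !isLedgerRequest(line) {
		return 0, proxy(br, w)
	}
	req, err := http.ReadRequest(br)
	if err != nil {
		return writeReply(w, http.StatusBadRequest, "bad request\n")
	}
	peer, err := v.Authenticate(req)
	if err != nil {
		return writeReply(w, http.StatusUnauthorized, err.Error()+"\n")
	}
	// A real handler would now read or modify the ledger bucket for req.Method.
	return writeReply(w, http.StatusOK, req.Method+" "+req.URL.Path+" by "+peer+"\n")
}

func writeReply(w io.Writer, status int, body string) (int, error) {
	_, err := fmt.Fprintf(w, "HTTP/1.1 %d %s\r\nConnection: close\r\nContent-Length: %d\r\n\r\n%s",
		status, http.StatusText(status), len(body), body)
	return status, err
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	raw := "GET /api/p2p/ledger/workers HTTP/1.1\r\nHost: node\r\nAuthorization: " +
		SignRequest(priv, "GET", "/api/p2p/ledger/workers") + "\r\n\r\n" // constructed request
	proxy := func(r io.Reader, w io.Writer) error { _, e := io.Copy(w, r); return e }
	fmt.Println(Dispatch(strings.NewReader(raw), os.Stdout, Verifier{KeyID(pub): pub}, proxy))
}
```

Run it with go run to see the 200 reply for the constructed signed request. The cases worth checking before wiring something like this into the federated proxy are a key that is not in the trusted set (401), a valid signature replayed over a different method (401), a request with no PeerGuard credentials at all (401), and non-ledger HTTP, a near-miss path such as /api/p2p/ledgerfoo, and raw binary traffic, all of which must reach the proxy byte for byte, peeked bytes included. A real deployment would also set a read deadline on the connection before sniffing.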

@mintyleaf
Contributor Author

The only thing remaining and controversial for me is the attempt to reuse AuthProviders.
I feel kind of bad about mocking everything needed, so feedback is needed =D

The connection HTTP request checker is mostly untested; I shared it just to give an idea of how it can be done.
