Skip to content
This repository was archived by the owner on Apr 6, 2026. It is now read-only.

AMCERTS-155 - Add auth to certs#156

Merged
dborovcanin merged 40 commits into
absmach:mainfrom
nyagamunene:add_auth_to_certs
Sep 17, 2025
Merged

AMCERTS-155 - Add auth to certs#156
dborovcanin merged 40 commits into
absmach:mainfrom
nyagamunene:add_auth_to_certs

Conversation

@nyagamunene

Copy link
Copy Markdown
Contributor

What type of PR is this?

What does this do?

Which issue(s) does this PR fix/relate to?

Have you included tests for your changes?

Did you document any new/modified features?

Notes

@nyagamunene nyagamunene marked this pull request as ready for review September 8, 2025 17:18
Comment thread api/http/endpoint.go
}

cert, err := svc.IssueFromCSR(ctx, req.entityID, req.ttl, certs.CSR{CSR: []byte(req.CSR)})
session, ok := ctx.Value(api.SessionKey).(authn.Session)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let's have a new issue form csr issuefromcsrInternal and have the auth be from a token defined in env, this is to be used in agent

Comment thread api/http/endpoint.go Outdated
return fileDownloadRes{}, err
}
cert, ca, err := svc.RetrieveCert(ctx, req.token, req.id)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

download cert was using the internly generated token from requestdownloadtoken, so this should not be the case

Comment thread api/http/endpoint.go Outdated
return nil, err
}

session, ok := ctx.Value(api.SessionKey).(authn.Session)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ocsp endpoint is supposed to be unsecured so remove auth

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same with csr endpoint @nyagamunene

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

csr should not require domainID in the url @nyagamunene

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Comment thread api/http/endpoint.go
}

cert, err := svc.GetChainCA(ctx, req.token)
session, ok := ctx.Value(api.SessionKey).(authn.Session)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same for download ca, we generate a token in getDownloadCAToken endpoint, so this is supposed to be the only auth not mg token

Comment thread api/http/requests.go Outdated
Comment thread api/http/transport.go Outdated
Comment thread api/http/transport.go Outdated
Comment thread api/http/transport.go Outdated
Comment thread api/middleware.go Outdated
Comment thread api/http/transport.go Outdated
Comment thread cmd/certs/main.go Outdated
location ~ ^/(pats) {
include snippets/proxy-headers.conf;
add_header Access-Control-Expose-Headers Location;
proxy_pass http://auth:${SMQ_AUTH_HTTP_PORT};

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

these are supermq files, why do we need them here?

definition user {}


definition role {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same here, we don't need to copy supermq docker. just document how it can be used with supermq, or update supermq docker to include it

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We are handling auth just like we do in billing. So should we completely remove supermq and just have the env variables in certs env file. supermq-auth and certs are communicating via gRPC will it not cause issues?

Comment thread service.go
WashingtonKK
WashingtonKK previously approved these changes Sep 16, 2025
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
WashingtonKK
WashingtonKK previously approved these changes Sep 17, 2025
Comment thread api/http/transport.go Outdated
Comment thread api/http/transport.go Outdated
Comment thread api/http/common.go
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Comment thread api/http/transport.go Outdated
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
@dborovcanin dborovcanin merged commit 8f5858c into absmach:main Sep 17, 2025
3 checks passed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Feature: Add auth to certs

4 participants