Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implementing network authentication and segregation logic to the nodes domain #804

Merged
merged 4 commits into from
Feb 6, 2025
Merged

Implementing network authentication and segregation logic to the nodes domain #804

merged 4 commits into from
Feb 6, 2025

Conversation

tegefaulkes
Copy link
Contributor

@tegefaulkes tegefaulkes commented Sep 10, 2024
edited
Loading

Description

This PR focuses on adding logic to the nodes domain to handle checking if a connection is part of a certain network. If the check passes then the connection is added to the usual connection map. If it fails the connection is rejected and forced to close.

During this authentication period, only certain RPC calls are allowed to be made. These are calls that...

  1. Are part of the network authentication process.
  2. Are used to negotiate joining a network.

Both sides of the connection need to authenticate each other before the connection can be used for normal RPC traffic.

Issues Fixed

Tasks

  • 1. Add a new map that tracks connections that have not authenticated their network access yet. Add in the logic for negotiating authentication to the network. And only move the connection from this map to the usual connection map once the connection's network access has been checked in both directions. It may be simpler to only track this for the reverse direction.
  • 2. Create a middleware utility that rejects RPC calls from being made in the forward and reverse direction unless the connection has passed the network authentication.
  • 3. create tests showcasing this new functionality. both the normal case and connections being rejected. 3 types of rejection, forward rejected, reverse rejected and both.
  • 4. Update existing tests to work with the logic change.

Final checklist

  • Domain specific tests
  • Full tests
  • Updated inline-comment documentation
  • Lint fixed
  • Squash and rebased
  • Sanity check the final build

@tegefaulkes tegefaulkes self-assigned this Sep 10, 2024
@linear Linear
Copy link

linear bot commented Sep 10, 2024

ENG-373 Prevent RPC calls for Unauthenticated `NodeConnection`s (Segregated Network Connections)

@tegefaulkes tegefaulkes marked this pull request as draft September 10, 2024 05:56
@tegefaulkes
Copy link
Contributor Author

I'm refreshing my memory and digging through the code. It seems simple enough to add tracking the authentication to the NodeConnectionManager. The only real change is adding authenticatedForward and authenticatedReverse booleans to the newConnAndTimer object. On top of that, we should only update the activeConnection field of the ConnectionsEntry in the connections map once the authentication has been completed.

So.

  1. Add booleans for tracking the authentication state for the forward and reverse direction.
  2. Only add or switch out the primary connection when the network authentication of a connection has completed.

There is one stumbling block however. Current there is an assumption that a connection that has been added with addConnection is already available to be used. But these changes will create a period of time where a connection exists but can't be used.

So when we create a new connection we not only have to wait for the connection to be established but also wait for the network authentication to be completed before it can be used. So we need to update createConnection to wait for this condition before returning.

I'll need to think on this some more.

@CMCDragonkai
Copy link
Member

Status of this @tegefaulkes?

@tegefaulkes
Copy link
Contributor Author

Still no progress with me focusing on PKE.

@tegefaulkes tegefaulkes force-pushed the feature-eng-373-prevent-rpc-calls-for-unauthenticated-nodeconnections branch from e870757 to 47aff1d Compare November 28, 2024 02:46
@CMCDragonkai
Copy link
Member

Reuqires rebase. And ETA on merging this?

@CMCDragonkai
Copy link
Member

As a suggestion, don't go too deep in the technicalities of this, until we have a PKE prototype of the entire login process. I want to see polykey agent start --network matrixai.enterprise.polykey.com trigger a browser launch and a login process. It can be flaky, but we need to go through the entire LOOP. All the way to the bottom.

@tegefaulkes
Copy link
Contributor Author

If I can focus solely on this? 2-3 days. The core of the implementation is done I just need to do some edge case logic and clean up. The main thing missing right now is the timeout for authenticating and testing.

Right now I'm focusing on prototyping the real time data for PKE and specing out work for Matthew.

@tegefaulkes tegefaulkes force-pushed the feature-eng-373-prevent-rpc-calls-for-unauthenticated-nodeconnections branch from 734bbd1 to 4c2d5d8 Compare January 21, 2025 07:18
@CMCDragonkai
Copy link
Member

Should start squashing.

@tegefaulkes
Copy link
Contributor Author

Pretty much done now. I've done a personal review and I just need to do the final checklist before merging.

With the network authentication, I've set it up so that it works with the public networks. So nodes will only connect to nodes within the same network identified by the network URL. This isn't verified in any way besides just checking what network a node claims to be in. This will be specified by the network parameter when starting a Polykey node. Which is set by the --network parameter in CLI.

@tegefaulkes tegefaulkes force-pushed the feature-eng-373-prevent-rpc-calls-for-unauthenticated-nodeconnections branch from e909006 to f97eed2 Compare February 6, 2025 06:03
@tegefaulkes tegefaulkes force-pushed the feature-eng-373-prevent-rpc-calls-for-unauthenticated-nodeconnections branch from f97eed2 to e346d2d Compare February 6, 2025 06:06
@tegefaulkes tegefaulkes force-pushed the feature-eng-373-prevent-rpc-calls-for-unauthenticated-nodeconnections branch from c9de653 to 514f11a Compare February 6, 2025 07:36
@tegefaulkes tegefaulkes marked this pull request as ready for review February 6, 2025 07:36
@tegefaulkes
Copy link
Contributor Author

Done and merging.

@tegefaulkes tegefaulkes merged commit c9f7f8f into staging Feb 6, 2025
36 checks passed
@CMCDragonkai
Copy link
Member

Pretty much done now. I've done a personal review and I just need to do the final checklist before merging.

With the network authentication, I've set it up so that it works with the public networks. So nodes will only connect to nodes within the same network identified by the network URL. This isn't verified in any way besides just checking what network a node claims to be in. This will be specified by the network parameter when starting a Polykey node. Which is set by the --network parameter in CLI.

For the public networks this is all that is required since they are public. They are self-declared.

@CMCDragonkai
Copy link
Member

@aryanjassal can we verify this is working by monitoring the node connections. Testnet and mainnet shouldn't be connecting to each other.

@CMCDragonkai
Copy link
Member

Ideally they shouldn't even try to connect to each other as the node discovery algos should ignore telling the other node about them.

@CMCDragonkai CMCDragonkai mentioned this pull request Feb 6, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@tegefaulkes tegefaulkes

Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Prevent RPC calls for Unauthenticated NodeConnections (Segregated Network Connections)
2 participants
@tegefaulkes @CMCDragonkai