Merge branch 'master' into PER-11752-add-rc-support-ci

Author: EliMoshkovich

app-tests/docker-compose-app-tests.yml

@@ -24,6 +24,7 @@ services:
       - OPAL_POLICY_REPO_WEBHOOK_PARAMS={"secret_header_name":"x-webhook-token","secret_type":"token","secret_parsing_regex":"(.*)","event_request_key":"gitEvent","push_event_value":"git.push"}
       - OPAL_AUTH_PUBLIC_KEY=${OPAL_AUTH_PUBLIC_KEY}
       - OPAL_AUTH_PRIVATE_KEY=${OPAL_AUTH_PRIVATE_KEY}
+      - OPAL_AUTH_PRIVATE_KEY_PASSPHRASE=${OPAL_AUTH_PRIVATE_KEY_PASSPHRASE}
       - OPAL_AUTH_MASTER_TOKEN=${OPAL_AUTH_MASTER_TOKEN}
       - OPAL_AUTH_JWT_AUDIENCE=https://api.opal.ac/v1/
       - OPAL_AUTH_JWT_ISSUER=https://opal.ac/

app-tests/run.sh

@@ -3,14 +3,16 @@ set -e
 
 export OPAL_AUTH_PUBLIC_KEY
 export OPAL_AUTH_PRIVATE_KEY
+export OPAL_AUTH_PRIVATE_KEY_PASSPHRASE
 export OPAL_AUTH_MASTER_TOKEN
 export OPAL_CLIENT_TOKEN
 export OPAL_DATA_SOURCE_TOKEN
 
 function generate_opal_keys {
   echo "- Generating OPAL keys"
 
-  ssh-keygen -q -t rsa -b 4096 -m pem -f opal_crypto_key -N ""
+  OPAL_AUTH_PRIVATE_KEY_PASSPHRASE="123456"
+  ssh-keygen -q -t rsa -b 4096 -m pem -f opal_crypto_key -N "$OPAL_AUTH_PRIVATE_KEY_PASSPHRASE"
   OPAL_AUTH_PUBLIC_KEY="$(cat opal_crypto_key.pub)"
   OPAL_AUTH_PRIVATE_KEY="$(tr '\n' '_' < opal_crypto_key)"
   rm opal_crypto_key.pub opal_crypto_key

docker/docker-compose-with-security.yml

@@ -39,6 +39,7 @@ services:
       # private key (used for signing on new JWT tokens).
       - OPAL_AUTH_PUBLIC_KEY=${OPAL_AUTH_PUBLIC_KEY}
       - OPAL_AUTH_PRIVATE_KEY=${OPAL_AUTH_PRIVATE_KEY}
+      - OPAL_AUTH_PRIVATE_KEY_PASSPHRASE=${OPAL_AUTH_PRIVATE_KEY_PASSPHRASE}
       # the master token is used in only one scenario - when we want to generate a new JWT token.
       # the /token api endpoint on the OPAL server is the only endpoint that requires the master token.
       - OPAL_AUTH_MASTER_TOKEN=${OPAL_AUTH_MASTER_TOKEN}

docker/run-example-with-security.sh

@@ -22,7 +22,8 @@ echo "keys and run OPAL in *secure mode*."
 echo "------------------------------------------------------------------"
 
 echo "generating opal crypto keys..."
-ssh-keygen -q -t rsa -b 4096 -m pem -f opal_crypto_key -N ""
+export OPAL_AUTH_PRIVATE_KEY_PASSPHRASE="123456"
+ssh-keygen -q -t rsa -b 4096 -m pem -f opal_crypto_key -N "$OPAL_AUTH_PRIVATE_KEY_PASSPHRASE"
 
 echo "saving crypto keys to env vars and removing temp key files..."
 export OPAL_AUTH_PUBLIC_KEY=`cat opal_crypto_key.pub`

packages/opal-client/opal_client/data/api.py

@@ -27,7 +27,7 @@ async def _handle_policy_data_update(span=None):
                     )
                 return {"status": "ok"}
             else:
-                if span:
+                if span is not None:
                     span.set_status(trace.StatusCode.ERROR)
                     span.set_attribute("error", True)
                     span.set_attribute("error_type", "updater_disabled")
@@ -37,7 +37,7 @@ async def _handle_policy_data_update(span=None):
                 )
         except Exception as e:
             logger.error(f"Error during data update: {str(e)}")
-            if span:
+            if span is not None:
                 span.set_status(trace.StatusCode.ERROR)
                 span.set_attribute("error", True)
                 span.record_exception(e)

packages/opal-client/opal_client/policy/api.py

@@ -21,7 +21,7 @@ async def _handle_policy_update(span=None):
             return {"status": "ok"}
         except Exception as e:
             logger.error(f"Error during policy update: {str(e)}")
-            if span:
+            if span is not None:
                 span.set_status(trace.StatusCode.ERROR)
                 span.set_attribute("error", True)
                 span.record_exception(e)

packages/opal-server/opal_server/policy/watcher/task.py

@@ -126,7 +126,8 @@ async def trigger(self, topic: Topic, data: Any):
         pull)"""
         try:
             async with start_span("opal_server_policy_update") as span:
-                span.set_attribute("topic", str(topic))
+                if span is not None:
+                    span.set_attribute("topic", str(topic))
                 await self._watcher.check_for_changes()
         except Exception as e:
             raise

packages/opal-server/opal_server/scopes/api.py

@@ -125,7 +125,8 @@ async def put_scope(
         claims: JWTClaims = Depends(authenticator),
     ):
         async with start_span("opal_server_policy_update") as span:
-            span.set_attribute("scope_id", scope_in.scope_id)
+            if span is not None:
+                span.set_attribute("scope_id", scope_in.scope_id)
             return await _handle_put_scope(force_fetch, scope_in, claims)
 
     async def _handle_put_scope(
@@ -273,7 +274,8 @@ async def get_scope_policy(
         ),
     ):
         async with start_span("opal_server_policy_bundle_request") as span:
-            span.set_attribute("scope_id", scope_id)
+            if span is not None:
+                span.set_attribute("scope_id", scope_id)
             policy_bundle = await _handle_get_scope_policy(scope_id, base_hash)
             policy_bundle_size_histogram = get_policy_bundle_size_histogram()
             if policy_bundle_size_histogram and policy_bundle.bundle:
@@ -380,7 +382,8 @@ async def publish_data_update_event(
         scope_id: str = Path(..., description="Scope ID"),
     ):
         async with start_span("opal_server_data_update") as span:
-            span.set_attribute("scope_id", scope_id)
+            if span is not None:
+                span.set_attribute("scope_id", scope_id)
             await _handle_publish_data_update_event(update, claims, scope_id, span)
 
     async def _handle_publish_data_update_event(
@@ -399,7 +402,7 @@ async def _handle_publish_data_update_event(
                 entry.topics = [f"data:{topic}" for topic in entry.topics]
                 all_topics.update(entry.topics)
 
-            if span:
+            if span is not None:
                 span.set_attribute("entries_count", len(update.entries))
                 span.set_attribute("topics", list(all_topics))