Add JWS Domain object to the Athenz Domain custom resource #26

Closed
mcieplak opened this issue Mar 20, 2021 · 3 comments
Labels
enhancement New feature or request HackTogether For Yahoo Hack Together event

Comments

@mcieplak
Contributor

mcieplak commented Mar 20, 2021

Please describe the problem that you are trying to solve
Update the Athenz Domain custom resource spec to support the JWS domain object.

Describe the solution you'd like
This issue is meant to introduce the first set of changes required for the Athenz Syncer to move to the new JWS Domain API endpoint.

The current Athenz Domain custom resource is using the SignedDomain object which is populated by the results of the Athenz sys modified domain API response. We need to introduce the JWSDomain object in the AthenzDomainStatus object in order to store the results of the new JWS domain API response.

Once this change is made, the Athenz Domain custom resource must be regenerated using the kubernetes code-generator.

Additional context
Currently, the Athenz Syncer fetches the Athenz domain content using the ZMS sys modified domains API which returns the entire contents of the domain along with a key ID / signature which was used to sign this content. Due to the domain spec constantly changing, it is not feasible to use these signatures to validate this content as the API the client is on might be different than the ZMS server. For example, if ZMS is running with version v1.10.9 which contains a new field for the domain spec, and the client is running on v1.10.8 then the client will drop this new field during the json to object cast and the signature verification will fail.

In order to allow consumers of the Athenz Domain custom resource to correctly verify the signatures of the domain objects, a new API was introduced by Athenz which provides the contents of the domain as a JSON Web Signature (JWS) response (shown below).

{
  "payload": "Zm9vYmFyCg==.....",
  "header": {
    "keyid": "zms.key.3.0"
  },
  "signature": "YmFyZm9vCg==...",
  "protected": "YmFyCg==..."
}

As can be seen above, the payload is the content of the Athenz domain signed by the ZMS private key and ybase64 encoded. In order to verify and read the payload, the ZMS key (described by the keyid field) needs to be used to compare against the signature field.
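The verification flow described in the comment above, as an added example in Go; this is not code from the Athenz project or the syncer. It models the JSON shape quoted in the issue (an unprotected header carrying keyid, plus protected, payload and signature) and assumes RS256, RFC 7515 base64url encoding rather than Athenz's ybase64 variant, a constructed key id "zms.key.3.0" backed by a freshly generated RSA key, and a constructed domain document. It also shows why the new endpoint fixes the version-skew problem: the payload is verified as opaque bytes before any JSON decoding, so a field the client does not model cannot be dropped before the signature check.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// JWSDomain mirrors the JSON shape quoted in the issue (RFC 7515 flattened JSON
// serialization): unprotected "header" with the key id, base64url "protected"
// header, "payload" and "signature".
type JWSDomain struct {
	Payload   string            `json:"payload"`
	Header    map[string]string `json:"header"`
	Signature string            `json:"signature"`
	Protected string            `json:"protected"`
}

// KeyLookup maps a ZMS key id such as "zms.key.3.0" to its public key. A real
// syncer would back this with the ZMS public keys; here it is a plain map (assumption).
type KeyLookup map[string]*rsa.PublicKey

// VerifyJWSDomain verifies the RS256 signature over protected.payload using the
// key named by header.keyid and returns the decoded domain bytes. The algorithm
// is pinned to RS256 instead of trusted from the token, so "alg":"none" or an
// HMAC downgrade cannot be used to forge a domain.
func VerifyJWSDomain(doc JWSDomain, keys KeyLookup) ([]byte, error) {
	kid, ok := doc.Header["keyid"]
	if !ok {
		return nil, fmt.Errorf("jws: missing header.keyid")
	}
	pub, ok := keys[kid]
	if !ok {
		return nil, fmt.Errorf("jws: unknown keyid %q", kid)
	}
	raw, err := base64.RawURLEncoding.DecodeString(doc.Protected)
	if err != nil {
		return nil, fmt.Errorf("jws: bad protected header: %w", err)
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return nil, fmt.Errorf("jws: bad protected header: %w", err)
	}
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("jws: unsupported alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(doc.Signature)
	if err != nil {
		return nil, fmt.Errorf("jws: bad signature encoding: %w", err)
	}
	// RFC 7515 signing input: ASCII(BASE64URL(protected) || '.' || BASE64URL(payload)).
	// The payload is checked as opaque bytes, so unknown fields survive verification.
	digest := sha256.Sum256([]byte(doc.Protected + "." + doc.Payload))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("jws: signature verification failed: %w", err)
	}
	// Decode the payload only after the signature checks out.
	return base64.RawURLEncoding.DecodeString(doc.Payload)
}

// SignJWSDomain stands in for the ZMS side so the example runs offline.
func SignJWSDomain(domain []byte, kid string, priv *rsa.PrivateKey) (JWSDomain, error) {
	protected := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256"}`))
	payload := base64.RawURLEncoding.EncodeToString(domain)
	digest := sha256.Sum256([]byte(protected + "." + payload))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return JWSDomain{}, err
	}
	return JWSDomain{
		Payload:   payload,
		Header:    map[string]string{"keyid": kid},
		Signature: base64.RawURLEncoding.EncodeToString(sig),
		Protected: protected,
	}, nil
}

// Demo signs a constructed domain document that carries a field this client does
// not model, verifies it, then checks that a tampered payload is rejected.
func Demo() (verified bool, tamperRejected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	keys := KeyLookup{"zms.key.3.0": &priv.PublicKey}
	// Constructed sample; "newField" plays the role of a field added in a newer ZMS.
	domain := []byte(`{"name":"sports","modified":"2021-03-20T00:00:00Z","newField":true}`)
	doc, err := SignJWSDomain(domain, "zms.key.3.0", priv)
	if err != nil {
		return false, false, err
	}
	got, err := VerifyJWSDomain(doc, keys)
	if err != nil {
		return false, false, err
	}
	verified = string(got) == string(domain)

	tampered := doc // same keyid and signature, different payload
	tampered.Payload = base64.RawURLEncoding.EncodeToString([]byte(`{"name":"sports","admin":"attacker"}`))
	_, err = VerifyJWSDomain(tampered, keys)
	tamperRejected = err != nil
	return verified, tamperRejected, nil
}

func main() {
	fmt.Println(Demo())
}
```

Two design points matter for a consumer of the custom resource: the key is selected by keyid but the algorithm is fixed in the verifier, never read from the token, and the payload is handed to a JSON decoder only after the signature has been verified. Both choices keep the verifier independent of which version of the domain spec the client happens to be compiled against.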

@patrasap0908
Contributor

Hey @mcieplak (again), I'd like to work on this one too if that's okay.

@mcieplak
Contributor Author

Hey, sure that would be great. Thanks!

@mcieplak
Contributor Author

Closing this issue as the PR has been merged. Thanks @patrasap0908 for your contribution!

zetaj pushed a commit that referenced this issue Oct 20, 2021
…s upgrade since issue #26 hasn't been done yet