feat: enable hiding tracing behind auth
aschmahmann committed Jun 10, 2024
1 parent ea2bd31 commit 3a6ac49
Showing 4 changed files with 32 additions and 4 deletions.
9 changes: 8 additions & 1 deletion docs/environment-variables.md
Expand Up @@ -30,7 +30,8 @@
- [Testing](#testing)
- [`GATEWAY_CONFORMANCE_TEST`](#gateway_conformance_test)
- [`IPFS_NS_MAP`](#ipfs_ns_map)
- [Tracing](#tracing)
- [Tracing](#tracing)
- [`RAINBOW_TRACING_AUTH`](#rainbow_tracing_auth)

## Configuration

Expand Down Expand Up @@ -304,6 +305,12 @@ rather than also included background processes
2. Requests are only traced when there is a `Traceparent` header passed that is valid
According to the [Trace Context] specification

### `RAINBOW_TRACING_AUTH`

The ability to pass `Traceparent` or `Tracestate` headers is guarded by an
`Authorization` header. The value of the `Authorization` header should match
the value in the `RAINBOW_TRACING_AUTH` environment variable.

[Boxo Tracing]: https://github.com/ipfs/boxo/blob/main/docs/tracing.md
[Open Telemetry]: https://opentelemetry.io/
[OpenTelemetry Environment Variable Specification]: https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/sdk-environment-variables.md
16 changes: 15 additions & 1 deletion handlers.go
Expand Up @@ -84,7 +84,7 @@ func withRequestLogger(next http.Handler) http.Handler {
})
}

func setupGatewayHandler(cfg Config, nd *Node) (http.Handler, error) {
func setupGatewayHandler(cfg Config, nd *Node, tracingAuth string) (http.Handler, error) {
var (
backend gateway.IPFSBackend
err error
Expand Down Expand Up @@ -208,6 +208,20 @@ func setupGatewayHandler(cfg Config, nd *Node) (http.Handler, error) {
// Add tracing.
handler = otelhttp.NewHandler(handler, "Gateway")

// Remove tracing headers if not authorized
prevHandler := handler
handler = http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {
if request.Header.Get("Authorization") != tracingAuth {
if request.Header.Get("Traceparent") != "" {
request.Header.Del("Traceparent")
}
if request.Header.Get("Tracestate") != "" {
request.Header.Del("Tracestate")
}
}
prevHandler.ServeHTTP(writer, request)
})

return handler, nil
}

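Review bot: The gate on `request.Header.Get("Authorization") != tracingAuth` compares a shared secret with ordinary string inequality, which stops at the first differing byte; a constant-time comparison via `subtle.ConstantTimeCompare` is the usual choice here, and the `crypto/subtle` import would go in the import block outside this hunk. The empty-key case is also ambiguous: with `tracing-auth` unset (the default), a request carrying any unrelated `Authorization` value has its trace headers stripped while one with no header passes them through, which does not look deliberate — if unset is meant to leave tracing ungated, as the flag's usage text suggests, say so in the condition. The `Header.Get` checks before each `Header.Del` are redundant, since `Del` on an absent header is a no-op. setupGatewayHandler begins before this hunk.
```go
handler = http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {
	// Unset key leaves tracing ungated; confirm this is the intended semantics.
	authorized := tracingAuth == "" ||
		subtle.ConstantTimeCompare([]byte(request.Header.Get("Authorization")), []byte(tracingAuth)) == 1
	if !authorized {
		request.Header.Del("Traceparent")
		request.Header.Del("Tracestate")
	}
	prevHandler.ServeHTTP(writer, request)
})
```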
9 changes: 8 additions & 1 deletion main.go
Expand Up @@ -297,6 +297,12 @@ Generate an identity seed and launch a gateway:
EnvVars: []string{"RAINBOW_LIBP2P_LISTEN_ADDRS"},
Usage: "Multiaddresses for libp2p bitswap client to listen on (comma-separated)",
},
&cli.StringFlag{
Name: "tracing-auth",
Value: "",
EnvVars: []string{"RAINBOW_TRACING_AUTH"},
Usage: "If set the key gates use of the Traceparent header by requiring the key to be passed in the Authorization header",
},
}

app.Commands = []*cli.Command{
Expand Down Expand Up @@ -459,7 +465,8 @@ share the same seed as long as the indexes are different.
gatewayListen := cctx.String("gateway-listen-address")
ctlListen := cctx.String("ctl-listen-address")

handler, err := setupGatewayHandler(cfg, gnd)
tracingAuth := cctx.String("tracing-auth")
handler, err := setupGatewayHandler(cfg, gnd, tracingAuth)
if err != nil {
return err
}
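Review bot: The usage text for `tracing-auth` names only `Traceparent`, but the handler this value feeds also strips `Tracestate`; suggest `Usage: "If set, Traceparent and Tracestate headers are honoured only when this value is presented in the Authorization header"`. `Value: ""` is the zero value and can be dropped. Since the flag carries a shared secret, the docs could note that the `RAINBOW_TRACING_AUTH` environment variable is the preferred way to set it rather than the command line.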
2 changes: 1 addition & 1 deletion main_test.go
Expand Up @@ -71,7 +71,7 @@ func mustTestNodeWithKey(t *testing.T, cfg Config, sk ic.PrivKey) *Node {
func mustTestServer(t *testing.T, cfg Config) (*httptest.Server, *Node) {
nd := mustTestNode(t, cfg)

handler, err := setupGatewayHandler(cfg, nd)
handler, err := setupGatewayHandler(cfg, nd, "")
if err != nil {
require.NoError(t, err)
}
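Review bot: Passing `""` here keeps the existing tests on the ungated path, so nothing in this commit exercises the new behaviour. A small test that builds a server with a non-empty key and checks that a request without the matching `Authorization` value reaches the gateway with `Traceparent` and `Tracestate` removed, while one with the key keeps them, would pin both branches of the new wrapper.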
