Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implementing network authentication and segregation logic to the nodes domain #804

Draft
wants to merge 8 commits into
base: staging
Choose a base branch
from
Draft

Implementing network authentication and segregation logic to the nodes domain #804

wants to merge 8 commits into from

Conversation

tegefaulkes
Copy link
Contributor

@tegefaulkes tegefaulkes commented Sep 10, 2024
edited
Loading

Description

This PR focuses on adding logic to the nodes domain to handle checking if a connection is part of a certain network. If the check passes then the connection is added to the usual connection map. If it fails the connection is rejected and forced to close.

During this authentication period, only certain RPC calls are allowed to be made. These are calls that...

  1. Are part of the network authentication process.
  2. Are used to negotiate joining a network.

Both sides of the connection need to authenticate each other before the connection can be used for normal RPC traffic.

Issues Fixed

Tasks

  • 1. Add a new map that tracks connections that have not authenticated their network access yet. Add in the logic for negotiating authentication to the network. And only move the connection from this map to the usual connection map once the connection's network access has been checked in both directions. It may be simpler to only track this for the reverse direction.
  • 2. Create a middleware utility that rejects RPC calls from being made in the forward and reverse direction unless the connection has passed the network authentication.
  • 3. create tests showcasing this new functionality. both the normal case and connections being rejected. 3 types of rejection, forward rejected, reverse rejected and both.
  • 4. Update existing tests to work with the logic change.

Final checklist

  • Domain specific tests
  • Full tests
  • Updated inline-comment documentation
  • Lint fixed
  • Squash and rebased
  • Sanity check the final build

@tegefaulkes tegefaulkes self-assigned this Sep 10, 2024
@linear Linear
Copy link

linear bot commented Sep 10, 2024

ENG-373 Prevent RPC calls for Unauthenticated `NodeConnection`s (Segregated Network Connections)

@tegefaulkes tegefaulkes marked this pull request as draft September 10, 2024 05:56
@tegefaulkes
Copy link
Contributor Author

I'm refreshing my memory and digging through the code. It seems simple enough to add tracking the authentication to the NodeConnectionManager. The only real change is adding authenticatedForward and authenticatedReverse booleans to the newConnAndTimer object. On top of that, we should only update the activeConnection field of the ConnectionsEntry in the connections map once the authentication has been completed.

So.

  1. Add booleans for tracking the authentication state for the forward and reverse direction.
  2. Only add or switch out the primary connection when the network authentication of a connection has completed.

There is one stumbling block however. Current there is an assumption that a connection that has been added with addConnection is already available to be used. But these changes will create a period of time where a connection exists but can't be used.

So when we create a new connection we not only have to wait for the connection to be established but also wait for the network authentication to be completed before it can be used. So we need to update createConnection to wait for this condition before returning.

I'll need to think on this some more.

@CMCDragonkai
Copy link
Member

Status of this @tegefaulkes?

@tegefaulkes
Copy link
Contributor Author

Still no progress with me focusing on PKE.

@tegefaulkes tegefaulkes force-pushed the feature-eng-373-prevent-rpc-calls-for-unauthenticated-nodeconnections branch from e870757 to 47aff1d Compare November 28, 2024 02:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@tegefaulkes tegefaulkes

Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Prevent RPC calls for Unauthenticated NodeConnections (Segregated Network Connections)
2 participants
@tegefaulkes @CMCDragonkai