[identity] load OPAQUE server setup from environment variable

Summary: The Identity service now expects the OPAQUE_SERVER_SETUP environment variable to be set at runtime. When the keygen command is run, the serialized server setup bytes are now base64 encoded before they're written to the file system. This base64 encoded string must then be made available with the above environment variable when the server is run. Test Plan: ran the keygen program, retrieved the base64 encoded string, ran the server program with OPAQUE_SERVER_SETUP=<encoded-string> and the program succeeded. Also tried supplying an invalid string via env var and the server program crashed, as expected. Reviewers: jon, bartek! Subscribers: ashoat, tomek Differential Revision: https://phab.comm.dev/D8641
CommE2E · Jul 27, 2023 · 8690489 · 8690489
1 parent ba914f5
commit 8690489
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 13 deletions.
diff --git a/services/identity/src/config.rs b/services/identity/src/config.rs
@@ -1,9 +1,9 @@
+use base64::{engine::general_purpose, DecodeError, Engine as _};
 use once_cell::sync::Lazy;
-use std::{collections::HashSet, env, fmt, fs, io, path};
+use std::{collections::HashSet, env, fmt, io};
 
 use crate::constants::{
-  KEYSERVER_PUBLIC_KEY, LOCALSTACK_ENDPOINT, SECRETS_DIRECTORY,
-  SECRETS_SETUP_FILE,
+  KEYSERVER_PUBLIC_KEY, LOCALSTACK_ENDPOINT, OPAQUE_SERVER_SETUP,
 };
 
 pub static CONFIG: Lazy<Config> =
@@ -27,10 +27,7 @@ impl Config {
   fn load() -> Result<Self, Error> {
     let localstack_endpoint = env::var(LOCALSTACK_ENDPOINT).ok();
 
-    let mut path = path::PathBuf::new();
-    path.push(SECRETS_DIRECTORY);
-    path.push(SECRETS_SETUP_FILE);
-    let server_setup = get_server_setup_from_file(&path)?;
+    let server_setup = get_server_setup()?;
 
     let reserved_usernames = get_reserved_usernames_set()?;
 
@@ -65,13 +62,17 @@ pub enum Error {
   Env(env::VarError),
   #[display(...)]
   Json(serde_json::Error),
+  #[display(...)]
+  Decode(DecodeError),
 }
 
-fn get_server_setup_from_file<P: AsRef<path::Path>>(
-  path: &P,
+fn get_server_setup(
 ) -> Result<comm_opaque2::ServerSetup<comm_opaque2::Cipher>, Error> {
-  let bytes = fs::read(path)?;
-  comm_opaque2::ServerSetup::deserialize(&bytes).map_err(Error::Opaque)
+  let encoded_server_setup = env::var(OPAQUE_SERVER_SETUP)?;
+  let decoded_server_setup =
+    general_purpose::STANDARD_NO_PAD.decode(encoded_server_setup)?;
+  comm_opaque2::ServerSetup::deserialize(&decoded_server_setup)
+    .map_err(Error::Opaque)
 }
 
 fn get_reserved_usernames_set() -> Result<HashSet<String>, Error> {

diff --git a/services/identity/src/constants.rs b/services/identity/src/constants.rs
@@ -106,3 +106,7 @@ pub const NONCE_LENGTH: usize = 17;
 // LocalStack
 
 pub const LOCALSTACK_ENDPOINT: &str = "LOCALSTACK_ENDPOINT";
+
+// OPAQUE Server Setup
+
+pub const OPAQUE_SERVER_SETUP: &str = "OPAQUE_SERVER_SETUP";
diff --git a/services/identity/src/keygen.rs b/services/identity/src/keygen.rs
@@ -1,4 +1,5 @@
 use crate::constants::SECRETS_SETUP_FILE;
+use base64::{engine::general_purpose, Engine as _};
 use std::{fs, io, path};
 
 pub fn generate_and_persist_keypair(dir: &str) -> Result<(), io::Error> {
@@ -17,7 +18,9 @@ pub fn generate_and_persist_keypair(dir: &str) -> Result<(), io::Error> {
     eprintln!("{:?} already exists, skipping", path);
   } else {
     println!("Writing setup file to {:?}", path);
-    fs::write(&path, server_setup.serialize())?;
+    let encoded_server_setup =
+      general_purpose::STANDARD_NO_PAD.encode(server_setup.serialize());
+    fs::write(&path, encoded_server_setup)?;
   }
 
   Ok(())

diff --git a/services/identity/src/main.rs b/services/identity/src/main.rs
@@ -4,7 +4,6 @@ use clap::{Parser, Subcommand};
 use database::DatabaseClient;
 use moka::future::Cache;
 use tonic::transport::Server;
-use tracing_subscriber::FmtSubscriber;
 
 mod client_service;
 mod config;