
feat(AutoTLS): opt-in WSS certs from p2p-forge at libp2p.direct #10521

Merged
merged 25 commits into from
Oct 29, 2024
Merged
Changes from 3 commits
ce6d09d
feat: add ability to automatically acquire WSS certificates using p2p…
aschmahmann Sep 18, 2024
ecfc8d9
chore: update changelog
aschmahmann Sep 18, 2024
fe307da
refactor(config): Swarm.ForgeClient
lidel Sep 18, 2024
bfc73d0
fix: wire up config.ForgeClient settings
lidel Sep 20, 2024
7c9842e
refactor(forge): WithUserAgent + WithForgeAuth
lidel Sep 20, 2024
bef0a21
fix: p2p-forge require websocket transport
lidel Sep 20, 2024
06708d8
feat(forge): set certmagic default logger to use go-log
aschmahmann Sep 20, 2024
af543af
chore: logger name
lidel Oct 11, 2024
946298b
Merge master into feat/libp2p-direct
lidel Oct 11, 2024
d5994c1
chore: linter fix for deprecated config option
lidel Oct 11, 2024
7ae58bc
chore: bump p2p-forge client to 65145f8
lidel Oct 11, 2024
4889612
Merge branch 'master' into feat/libp2p-direct
lidel Oct 18, 2024
a038637
docs: Swarm.ForgeClient
lidel Oct 18, 2024
538c9bb
fix: p2p-forge log and debugging
lidel Oct 18, 2024
b306f56
chore(doc): add toc
lidel Oct 18, 2024
9bd8ebb
Merge branch 'master' into feat/libp2p-direct
lidel Oct 21, 2024
21b5c88
Merge remote-tracking branch 'origin/master' into feat/libp2p-direct
lidel Oct 23, 2024
7eeda1b
docs: apply suggestions from code review
lidel Oct 28, 2024
99b7757
refactor: ForgeClient → AutoTLS
lidel Oct 28, 2024
e6e0b7a
Merge branch 'master' into feat/libp2p-direct
lidel Oct 28, 2024
ed7e201
chore: rename logger to autotls
lidel Oct 28, 2024
e51d907
fix: p2p-forge/client with newCertmagicConfig
lidel Oct 28, 2024
73c3fd3
refactor: move AutoTLS to top level
lidel Oct 29, 2024
e68493a
docs: changelog + tracking next steps
lidel Oct 29, 2024
bcabbb4
docs: AutoTLS.Enabled
lidel Oct 29, 2024
30 changes: 30 additions & 0 deletions config/forge.go
@@ -0,0 +1,30 @@
package config

import p2pforge "github.com/ipshipyard/p2p-forge/client"

// ForgeClient includes optional configuration of p2p-forge client of service
// for obtaining a domain and TLS certificate to improve connectivity for web
// browser clients. More: https://github.com/ipshipyard/p2p-forge#readme
type ForgeClient struct {
// Enables the p2p-forge feature
Enabled Flag `json:",omitempty"`

// Optional override of the parent domain that will be used
ForgeDomain *OptionalString `json:",omitempty"`

// Optional override of HTTP API that acts as ACME DNS-01 Challenge broker
ForgeEndpoint *OptionalString `json:",omitempty"`

// Optional Authorization token, used with private/test instances of p2p-forge
ForgeAuth *OptionalString `json:",omitempty"`

// Optional override of CA ACME API used by p2p-forge system
CAEndpoint *OptionalString `json:",omitempty"`
}

const (
DefaultForgeEnabled = false // experimental, opt-in for now (https://github.com/ipfs/kubo/pull/10521)
DefaultForgeDomain = p2pforge.DefaultForgeDomain
DefaultForgeEndpoint = p2pforge.DefaultForgeEndpoint
DefaultCAEndpoint = p2pforge.DefaultCAEndpoint
)
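Review bot: The comment on `ForgeAuth` should say that the value is a credential persisted in cleartext in the config file, since this struct is serialized with the rest of the config. In the three commits shown, none of `ForgeDomain`, `ForgeEndpoint`, `ForgeAuth` or `CAEndpoint` is read by the new `P2PForgeCertMgr` constructor in core/node/libp2p/addrs.go, which takes the token from the `FORGE_ACCESS_TOKEN` environment variable instead, so a user setting these fields gets no effect; the later commit bfc73d0 "fix: wire up config.ForgeClient settings" in the commit list appears to address the wiring, but the field comment should still say which source is used. Suggested comment: `// Optional Authorization token, used with private/test instances of p2p-forge. Stored in cleartext in the config file; the FORGE_ACCESS_TOKEN environment variable is read by the node as well.` The exported `Default*` constants below also lack doc comments.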
4 changes: 4 additions & 0 deletions config/swarm.go
Expand Up @@ -32,6 +32,10 @@ type SwarmConfig struct {

// ResourceMgr configures the libp2p Network Resource Manager
ResourceMgr ResourceMgr

// ForgeClient controls the client of a service for obtaining a domain
// and TLS certificate to improve connectivity for web browser clients.
ForgeClient ForgeClient
}

type RelayClient struct {
3 changes: 3 additions & 0 deletions core/node/groups.go
Expand Up @@ -113,6 +113,7 @@ func LibP2P(bcfg *BuildCfg, cfg *config.Config, userResourceOverrides rcmgr.Part
enableRelayTransport := cfg.Swarm.Transports.Network.Relay.WithDefault(true) // nolint
enableRelayService := cfg.Swarm.RelayService.Enabled.WithDefault(enableRelayTransport)
enableRelayClient := cfg.Swarm.RelayClient.Enabled.WithDefault(enableRelayTransport)
enableForgeClient := cfg.Swarm.ForgeClient.Enabled.WithDefault(config.DefaultForgeEnabled)

// Log error when relay subsystem could not be initialized due to missing dependency
if !enableRelayTransport {
Expand All @@ -133,6 +134,8 @@ func LibP2P(bcfg *BuildCfg, cfg *config.Config, userResourceOverrides rcmgr.Part

// Services (resource management)
fx.Provide(libp2p.ResourceManager(cfg.Swarm, userResourceOverrides)),
maybeProvide(libp2p.P2PForgeCertMgr, enableForgeClient),
maybeInvoke(libp2p.StartP2PForgeCertMgr, enableForgeClient),
fx.Provide(libp2p.AddrFilters(cfg.Swarm.AddrFilters)),
fx.Provide(libp2p.AddrsFactory(cfg.Addresses.Announce, cfg.Addresses.AppendAnnounce, cfg.Addresses.NoAnnounce)),
fx.Provide(libp2p.SmuxTransport(cfg.Swarm.Transports)),
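Review bot: `enableForgeClient` gates the cert manager but nothing checks that the websocket transport it serves is enabled; `Transports` in core/node/libp2p/transport.go only consumes `ForgeMgr` inside `if tptConfig.Network.Websocket.WithDefault(true)`, so with Websocket disabled the node still obtains and renews a certificate it never presents. The relay code just above this hunk logs when a required dependency is missing, and the same pattern fits here: `if enableForgeClient && !cfg.Swarm.Transports.Network.Websocket.WithDefault(true) { /* log the same way the relay check does */ }`. The later commit bef0a21 "fix: p2p-forge require websocket transport" in the commit list appears to add such a check. `LibP2P` starts and ends outside the hunk.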
67 changes: 64 additions & 3 deletions core/node/libp2p/addrs.go
@@ -1,12 +1,21 @@
package libp2p

import (
"context"
"fmt"
"net/http"
"os"

"github.com/ipfs/kubo/config"
p2pforge "github.com/ipshipyard/p2p-forge/client"
"github.com/libp2p/go-libp2p"
"github.com/libp2p/go-libp2p/core/host"
p2pbhost "github.com/libp2p/go-libp2p/p2p/host/basic"
ma "github.com/multiformats/go-multiaddr"
mamask "github.com/whyrusleeping/multiaddr-filter"

"github.com/caddyserver/certmagic"
"go.uber.org/fx"
)

func AddrFilters(filters []string) func() (*ma.Filters, Libp2pOpts, error) {
Expand Down Expand Up @@ -87,12 +96,26 @@ func makeAddrsFactory(announce []string, appendAnnouce []string, noAnnounce []st
}, nil
}

func AddrsFactory(announce []string, appendAnnouce []string, noAnnounce []string) func() (opts Libp2pOpts, err error) {
return func() (opts Libp2pOpts, err error) {
addrsFactory, err := makeAddrsFactory(announce, appendAnnouce, noAnnounce)
func AddrsFactory(announce []string, appendAnnouce []string, noAnnounce []string) interface{} {
return func(params struct {
fx.In
ForgeMgr *p2pforge.P2PForgeCertMgr `optional:"true"`
},
) (opts Libp2pOpts, err error) {
var addrsFactory p2pbhost.AddrsFactory
announceAddrsFactory, err := makeAddrsFactory(announce, appendAnnouce, noAnnounce)
if err != nil {
return opts, err
}
if params.ForgeMgr == nil {
addrsFactory = announceAddrsFactory
} else {
addrsFactory = func(multiaddrs []ma.Multiaddr) []ma.Multiaddr {
forgeProcessing := params.ForgeMgr.AddressFactory()(multiaddrs)
annouceProcessing := announceAddrsFactory(forgeProcessing)
return annouceProcessing
}
}
opts.Opts = append(opts.Opts, libp2p.AddrsFactory(addrsFactory))
return
}
Expand All @@ -107,3 +130,41 @@ func ListenOn(addresses []string) interface{} {
}
}
}

func P2PForgeCertMgr() (*p2pforge.P2PForgeCertMgr, error) {
storagePath, err := config.Path("", "p2p-forge-certs")
if err != nil {
return nil, err
}

const authEnvVar = "FORGE_ACCESS_TOKEN"
const authForgeHeader = "Forge-Authorization"
authKey, foundAuthKey := os.LookupEnv(authEnvVar)

certMgr, err := p2pforge.NewP2PForgeCertMgr(
p2pforge.WithModifiedForgeRequest(func(req *http.Request) error {
if foundAuthKey {
req.Header.Set(authForgeHeader, authKey)
}
return nil
}),
p2pforge.WithCertificateStorage(&certmagic.FileStorage{Path: storagePath}))
if err != nil {
return nil, err
}

return certMgr, nil
}

func StartP2PForgeCertMgr(lc fx.Lifecycle, certMgr *p2pforge.P2PForgeCertMgr, h host.Host) {
lc.Append(fx.Hook{
OnStart: func(ctx context.Context) error {
certMgr.ProvideHost(h)
return certMgr.Start()
},
OnStop: func(ctx context.Context) error {
certMgr.Stop()
return nil
},
})
}
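Review bot: `P2PForgeCertMgr` and `StartP2PForgeCertMgr` are new exported functions without doc comments, and what they touch deserves stating: the constructor reads the `FORGE_ACCESS_TOKEN` environment variable and sets it as a `Forge-Authorization` header on requests passed through `WithModifiedForgeRequest`, and it persists certificate state in `certmagic.FileStorage` under the repo's `p2p-forge-certs` directory, which presumably holds the certificate private key and ACME account key — worth confirming and noting so operators treat that directory as secret material. Suggested header: `// P2PForgeCertMgr builds the p2p-forge certificate manager. It reads the optional FORGE_ACCESS_TOKEN environment variable and stores certificate state under p2p-forge-certs in the repo path.` Separately, `OnStart` returns the error from `certMgr.Start()`, so if Start performs the forge/ACME round-trip synchronously an unreachable forge endpoint makes the whole node fail to start rather than just lose WSS — confirm against the client and, if so, document it or degrade gracefully. The closure in `AddrsFactory` calls `params.ForgeMgr.AddressFactory()` on every invocation; hoisting `forgeAddrs := params.ForgeMgr.AddressFactory()` outside the closure would be clearer.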
15 changes: 10 additions & 5 deletions core/node/libp2p/transport.go
Expand Up @@ -2,8 +2,8 @@ package libp2p

import (
"fmt"

"github.com/ipfs/kubo/config"
"github.com/ipshipyard/p2p-forge/client"
"github.com/libp2p/go-libp2p"
"github.com/libp2p/go-libp2p/core/metrics"
quic "github.com/libp2p/go-libp2p/p2p/transport/quic"
Expand All @@ -16,20 +16,25 @@ import (
)

func Transports(tptConfig config.Transports) interface{} {
return func(pnet struct {
return func(params struct {
fx.In
Fprint PNetFingerprint `optional:"true"`
Fprint PNetFingerprint `optional:"true"`
ForgeMgr *client.P2PForgeCertMgr `optional:"true"`
},
) (opts Libp2pOpts, err error) {
privateNetworkEnabled := pnet.Fprint != nil
privateNetworkEnabled := params.Fprint != nil

if tptConfig.Network.TCP.WithDefault(true) {
// TODO(9290): Make WithMetrics configurable
opts.Opts = append(opts.Opts, libp2p.Transport(tcp.NewTCPTransport, tcp.WithMetrics()))
}

if tptConfig.Network.Websocket.WithDefault(true) {
opts.Opts = append(opts.Opts, libp2p.Transport(websocket.New))
if params.ForgeMgr == nil {
opts.Opts = append(opts.Opts, libp2p.Transport(websocket.New))
} else {
opts.Opts = append(opts.Opts, libp2p.Transport(websocket.New, websocket.WithTLSConfig(params.ForgeMgr.TLSConfig())))
}
}

if tptConfig.Network.QUIC.WithDefault(!privateNetworkEnabled) {
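Review bot: This file imports the p2p-forge client as `client` (`"github.com/ipshipyard/p2p-forge/client"`) while addrs.go in the same package imports it as `p2pforge`; the alias should match, `p2pforge "github.com/ipshipyard/p2p-forge/client"` with `ForgeMgr *p2pforge.P2PForgeCertMgr` in the params struct, since `client` is also an easy name to shadow. `params.ForgeMgr.TLSConfig()` is evaluated when the transport options are built, and fx runs constructors before the OnStart hook in `StartP2PForgeCertMgr` calls `ProvideHost` and `Start`; this is only correct if the returned config resolves certificates lazily (for example via a GetCertificate callback) rather than snapshotting a certificate at call time — confirm against the client and record it in a comment such as `// TLSConfig() must resolve certificates lazily; the manager is started later in StartP2PForgeCertMgr`. The two `append` branches could also collapse into one by building the option list first. `Transports` continues outside the hunk.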
8 changes: 8 additions & 0 deletions docs/changelogs/v0.31.md
Expand Up @@ -13,6 +13,14 @@

### 🔦 Highlights

#### 🎯 WSS certificates via libp2p.direct

TODO:

This release adds an experimental feature enabling users to acquire CA signed certificates for use in Secure WebSockets
connections that enable browsers to communicate with publicly accessible kubo nodes using transports well supported in
browsers.

### 📝 Changelog

### 👨‍👩‍👧‍👦 Contributors
14 changes: 11 additions & 3 deletions docs/examples/kubo-as-a-library/go.mod
Expand Up @@ -6,6 +6,8 @@ go 1.22
// this if you copy this example.
replace github.com/ipfs/kubo => ./../../..

replace github.com/libp2p/go-libp2p => github.com/libp2p/go-libp2p v0.36.3-0.20240909195832-fbc0ac8f743c

require (
github.com/ipfs/boxo v0.23.0
github.com/ipfs/kubo v0.0.0-00010101000000-000000000000
Expand All @@ -22,14 +24,16 @@ require (
github.com/benbjohnson/clock v1.3.5 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/blang/semver/v4 v4.0.0 // indirect
github.com/caddyserver/certmagic v0.21.3 // indirect
github.com/caddyserver/zerossl v0.1.3 // indirect
github.com/cenkalti/backoff/v4 v4.3.0 // indirect
github.com/ceramicnetwork/go-dag-jose v0.1.0 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/containerd/cgroups v1.1.0 // indirect
github.com/coreos/go-systemd/v22 v22.5.0 // indirect
github.com/crackcomm/go-gitignore v0.0.0-20231225121904-e25f5bc08668 // indirect
github.com/cskr/pubsub v1.0.2 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/davidlazar/go-crypto v0.0.0-20200604182044-b73af7476f6c // indirect
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 // indirect
github.com/dgraph-io/badger v1.6.2 // indirect
Expand Down Expand Up @@ -97,12 +101,14 @@ require (
github.com/ipld/go-car/v2 v2.13.1 // indirect
github.com/ipld/go-codec-dagpb v1.6.0 // indirect
github.com/ipld/go-ipld-prime v0.21.0 // indirect
github.com/ipshipyard/p2p-forge v0.0.0-20240918220446-2ecd19ac95e1 // indirect
github.com/jackpal/go-nat-pmp v1.0.2 // indirect
github.com/jbenet/go-temp-err-catcher v0.1.0 // indirect
github.com/jbenet/goprocess v0.1.4 // indirect
github.com/klauspost/compress v1.17.9 // indirect
github.com/klauspost/cpuid/v2 v2.2.8 // indirect
github.com/koron/go-ssdp v0.0.4 // indirect
github.com/libdns/libdns v0.2.2 // indirect
github.com/libp2p/go-buffer-pool v0.1.0 // indirect
github.com/libp2p/go-cidranger v1.1.0 // indirect
github.com/libp2p/go-doh-resolver v0.4.0 // indirect
Expand All @@ -123,6 +129,7 @@ require (
github.com/libp2p/zeroconf/v2 v2.2.0 // indirect
github.com/marten-seemann/tcp v0.0.0-20210406111302-dfbc87cc63fd // indirect
github.com/mattn/go-isatty v0.0.20 // indirect
github.com/mholt/acmez/v2 v2.0.1 // indirect
github.com/miekg/dns v1.1.61 // indirect
github.com/mikioh/tcpinfo v0.0.0-20190314235526-30a79bb1804b // indirect
github.com/mikioh/tcpopt v0.0.0-20190314235656-172688c1accc // indirect
Expand Down Expand Up @@ -162,7 +169,7 @@ require (
github.com/pion/turn/v2 v2.1.6 // indirect
github.com/pion/webrtc/v3 v3.3.0 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/polydawn/refmt v0.89.0 // indirect
github.com/prometheus/client_golang v1.19.1 // indirect
github.com/prometheus/client_model v0.6.1 // indirect
Expand All @@ -184,6 +191,7 @@ require (
github.com/whyrusleeping/go-keyspace v0.0.0-20160322163242-5b898ac5add1 // indirect
github.com/whyrusleeping/multiaddr-filter v0.0.0-20160516205228-e903e4adabd7 // indirect
github.com/wlynxg/anet v0.0.3 // indirect
github.com/zeebo/blake3 v0.2.3 // indirect
go.opencensus.io v0.24.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0 // indirect
go.opentelemetry.io/otel v1.28.0 // indirect
Expand All @@ -208,7 +216,7 @@ require (
golang.org/x/mod v0.19.0 // indirect
golang.org/x/net v0.27.0 // indirect
golang.org/x/sync v0.7.0 // indirect
golang.org/x/sys v0.24.0 // indirect
golang.org/x/sys v0.25.0 // indirect
golang.org/x/text v0.16.0 // indirect
golang.org/x/tools v0.23.0 // indirect
golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9 // indirect