inter-service broker security

Author: CaptainAril

src/api/constants/queues.py

@@ -0,0 +1,12 @@
+from typing import TypedDict
+
+
+class QueueNames(TypedDict):
+    USER_REGISTRATION: str
+    EMAIL_VALIDATION: str
+
+
+QUEUE_NAMES: QueueNames = {
+    "USER_REGISTRATION": "create_user",
+    "EMAIL_VALIDATION": "validate_email",
+}

src/api/constants/signature_sources.py

@@ -0,0 +1,12 @@
+from typing import TypedDict
+
+
+class SignatureSources(TypedDict):
+    gateway: str
+    queue: str
+
+
+SIGNATURE_SOURCES: SignatureSources = {
+    "gateway": "Gateway",
+    "queue": "Broker Queue",
+}

src/api/middlewares/BrokerMiddleware.py

@@ -0,0 +1,76 @@
+from types import CoroutineType
+from typing import Any
+from collections.abc import Callable, Awaitable
+
+from faststream import BaseMiddleware
+from faststream.broker.message import StreamMessage
+from faststream.rabbit.message import RabbitMessage
+
+from src.env import queue
+from src.utils.logger import Logger
+from src.api.services.UtilityService import UtilityService
+from src.api.constants.signature_sources import SIGNATURE_SOURCES
+
+
+class PublishMiddleware(BaseMiddleware):
+    """
+    Middleware to handle subscription messages.
+    """
+
+    async def publish_scope(
+        self,
+        call_next: Callable[..., Awaitable[Any]],
+        msg: RabbitMessage,
+        *args: tuple[Any, ...],
+        **kwargs: dict[str, Any],
+    ) -> CoroutineType:
+        timestamp = UtilityService.get_timestamp()
+        signature = UtilityService.generate_signature(queue["key"], timestamp)
+
+        headers = {}
+
+        headers["X-BROKER-SIGNATURE"] = signature
+        headers["X-BROKER-TIMESTAMP"] = timestamp
+        headers["X-BROKER-KEY"] = queue["key"]
+
+        kwargs["headers"] = headers
+        return await super().publish_scope(call_next, msg, *args, **kwargs)
+
+
+class SubscribeMiddleware(BaseMiddleware):
+    async def consume_scope(
+        self, call_next: Callable[[Any], Awaitable[Any]], msg: StreamMessage
+    ) -> CoroutineType | None:
+        logger = Logger(__name__)
+        try:
+            UtilityService.verify_signature(
+                logger=logger,
+                signature_data={
+                    "signature": msg.headers["X-BROKER-SIGNATURE"],
+                    "timestamp": msg.headers["X-BROKER-TIMESTAMP"],
+                    "key": queue["key"],
+                    "ttl": queue["ttl"],
+                    "title": SIGNATURE_SOURCES["gateway"],
+                },
+            )
+
+            return await super().consume_scope(call_next, msg)
+        except KeyError as e:
+            message = f"Missing required header: {e}"
+            logger.error(
+                {
+                    "activity_type": "Authenticate GatewaBroker Queue Request",
+                    "message": message,
+                    "metadata": {"headers": msg.headers},
+                }
+            )
+        except Exception as e:
+            queue_operation = msg.raw_message.routing_key
+            message = f"`{queue_operation}` operation failed: {e}"
+            logger.error(
+                {
+                    "activity_type": "Authenticate GatewaBroker Queue Request",
+                    "message": message,
+                    "metadata": {"headers": msg.headers, "message": msg._decoded_body},
+                }
+            )

src/api/middlewares/GateWayMiddleware.py

@@ -1,12 +1,12 @@
 from django.http import HttpRequest
 from ninja.errors import AuthenticationError
-from ninja.openapi.schema import OpenAPISchema
 from ninja.security import APIKeyHeader
+from ninja.openapi.schema import OpenAPISchema
 
-from src.api.constants.signature_sources import SIGNATURE_SOURCES
-from src.api.services.UtilityService import SignatureData, UtilityService
 from src.env import api_gateway
 from src.utils.logger import Logger
+from src.api.services.UtilityService import SignatureData, UtilityService
+from src.api.constants.signature_sources import SIGNATURE_SOURCES
 
 
 class GateWayAuth(APIKeyHeader):
@@ -43,7 +43,7 @@ def authenticate(self, request: HttpRequest, key: str | None) -> str | None:
                 }
             )
             raise AuthenticationError(message=message)
-        
+
         signature_data: SignatureData = {
             "signature": api_signature,
             "timestamp": api_timestamp,
@@ -52,7 +52,9 @@ def authenticate(self, request: HttpRequest, key: str | None) -> str | None:
             "title": SIGNATURE_SOURCES["gateway"],
         }
 
-        UtilityService.verify_signature(logger=self.logger, signature_data=signature_data)
+        UtilityService.verify_signature(
+            logger=self.logger, signature_data=signature_data
+        )
 
         self.logger.debug(
             {

src/api/services/UserService.py

@@ -2,16 +2,16 @@
 
 from faststream.rabbit import RabbitRouter
 
-from src.api.constants.activity_types import ACTIVITY_TYPES
-from src.api.constants.messages import DYNAMIC_MESSAGES, MESSAGES
+from src.utils.svcs import Service
+from src.utils.logger import Logger
+from src.api.models.postgres import User
 from src.api.constants.queues import QUEUE_NAMES
+from src.api.constants.messages import MESSAGES, DYNAMIC_MESSAGES
+from src.api.typing.UserSuccess import UserSuccess
+from src.api.constants.activity_types import ACTIVITY_TYPES
+from src.api.repositories.UserRepository import UserRepository
 from src.api.models.payload.requests.CreateUserRequest import CreateUserRequest
 from src.api.models.payload.requests.UpdateUserRequest import UpdateUserRequest
-from src.api.models.postgres import User
-from src.api.repositories.UserRepository import UserRepository
-from src.api.typing.UserSuccess import UserSuccess
-from src.utils.logger import Logger
-from src.utils.svcs import Service
 
 from .UtilityService import UtilityService
 

src/api/services/UtilityService.py

@@ -1,32 +1,34 @@
-import hashlib
 import hmac
-from datetime import datetime, timedelta
-from typing import TypedDict
+import hashlib
 from uuid import uuid4
+from typing import TypedDict
+from datetime import datetime, timedelta
 
-import bcrypt
 import jwt
-from django.utils import timezone
+import bcrypt
 from faker import Faker
+from django.utils import timezone
 from ninja.errors import AuthenticationError
 
-from src.api.enums.CharacterCasing import CharacterCasing
-from src.api.models.postgres import User
-from src.api.typing.ExpireUUID import ExpireUUID
 from src.env import jwt_config
-from src.utils.logger import Logger
 from src.utils.svcs import Service
+from src.utils.logger import Logger
+from src.api.models.postgres import User
+from src.api.typing.ExpireUUID import ExpireUUID
+from src.api.enums.CharacterCasing import CharacterCasing
 
 DEFAULT_CHARACTER_LENGTH = 12
 fake = Faker()
 
+
 class SignatureData(TypedDict):
     title: str
     signature: str
     timestamp: str
     key: str
     ttl: int | float
 
+
 @Service()
 class UtilityService:
     @staticmethod
@@ -91,25 +93,22 @@ def generate_uuid() -> ExpireUUID:
         lifespan = timedelta(hours=24)
         expires_at = current_time + lifespan
         return {"uuid": uuid4(), "expires_at": expires_at}
-    
+
     @staticmethod
     def generate_signature(key: str, timestamp: str) -> str:
         signature = hmac.new(
             key=key.encode(), msg=timestamp.encode(), digestmod=hashlib.sha256
         ).hexdigest()
         return signature
 
-
     @staticmethod
     def verify_signature(signature_data: SignatureData, logger: Logger) -> bool:
-        
         signature = signature_data["signature"]
         timestamp = signature_data["timestamp"]
         key = signature_data["key"]
         ttl = signature_data["ttl"]
         title = signature_data["title"]
 
-
         valid_signature = UtilityService.generate_signature(key, timestamp)
         is_valid = hmac.compare_digest(valid_signature, signature)
 
@@ -124,9 +123,9 @@ def verify_signature(signature_data: SignatureData, logger: Logger) -> bool:
             )
             raise AuthenticationError(message=message)
 
-        initial_time = datetime.fromtimestamp(float(timestamp)/ 1000)
+        initial_time = datetime.fromtimestamp(float(timestamp) / 1000)
         valid_window = initial_time + timedelta(minutes=ttl)
-        
+
         if valid_window < datetime.now():
             message = "Signature expired!"
             logger.error(
@@ -140,8 +139,7 @@ def verify_signature(signature_data: SignatureData, logger: Logger) -> bool:
 
         return True
 
-
     @staticmethod
     def get_timestamp() -> str:
         current_time = datetime.now().timestamp() * 1000
-        return str(current_time)
+        return str(current_time)

src/config/asgi.py

@@ -11,8 +11,8 @@
 
 from django.core.asgi import get_asgi_application
 from faststream.rabbit import RabbitBroker
-from starlette.applications import Starlette
 from starlette.routing import Mount
+from starlette.applications import Starlette
 
 from src.env import rabbitmq_config
 
@@ -21,9 +21,12 @@
 
 os.environ.setdefault("DJANGO_SETTINGS_MODULE", "src.config.settings")
 
-def setup_broker_middlewares():
-    from src.api.middlewares.BrokerMiddleware import (PublishMiddleware,
-                                                      SubscribeMiddleware)
+
+def setup_broker_middlewares() -> None:
+    from src.api.middlewares.BrokerMiddleware import (
+        PublishMiddleware,
+        SubscribeMiddleware,
+    )
 
     broker.add_middleware(SubscribeMiddleware)
     broker.add_middleware(PublishMiddleware)
@@ -36,5 +39,4 @@ def setup_broker_middlewares():
 )
 
 
-from src.api.services.external import \
-    RabbitMQRoutes as RabbitMQRoutes  # noqa: E402
+from src.api.services.external import RabbitMQRoutes as RabbitMQRoutes  # noqa: E402

src/config/settings.py

@@ -2,11 +2,11 @@
 
 from .apps import INSTALLED_APPS as INSTALLED_APPS
 from .caches import CACHES as CACHES
-from .databases import DATABASE_ROUTERS as DATABASE_ROUTERS
-from .databases import DATABASES as DATABASES
 from .logger import LOGGING as LOGGING
-from .middleware import MIDDLEWARE as MIDDLEWARE
+from .databases import DATABASES as DATABASES
+from .databases import DATABASE_ROUTERS as DATABASE_ROUTERS
 from .templates import TEMPLATES as TEMPLATES
+from .middleware import MIDDLEWARE as MIDDLEWARE
 
 SECRET_KEY = app["secret_key"]
 DEBUG = app["debug"]
@@ -20,10 +20,10 @@
 MEDIA_URL = "media/"
 
 
-LANGUAGE_CODE = 'en-us'
+LANGUAGE_CODE = "en-us"
 
-TIME_ZONE = 'UTC'
+TIME_ZONE = "UTC"
 
 USE_I18N = True
 
-USE_TZ = True
+USE_TZ = True

src/env.py

@@ -1,7 +1,7 @@
 from typing import TypedDict
 
-from src import __description__, __display_name__, __name__, __version__
-from src.utils.env import get_env_float, get_env_int, get_env_list, get_env_str
+from src import __name__, __version__, __description__, __display_name__
+from src.utils.env import get_env_int, get_env_str, get_env_list, get_env_float
 
 
 class Env:
@@ -58,10 +58,12 @@ class Gateway(TypedDict):
     key: str
     ttl: int
 
+
 class Queue(TypedDict):
     key: str
     ttl: float
 
+
 env = Env()
 
 app: App = {
@@ -134,6 +136,6 @@ class Queue(TypedDict):
     "jwt_config",
     "log",
     "otp",
-    "rabbitmq_config",
     "queue",
+    "rabbitmq_config",
 ]

src/utils/env/__init__.py

@@ -1,8 +1,8 @@
-from .env import get_env_float, get_env_int, get_env_list, get_env_str
+from .env import get_env_int, get_env_str, get_env_list, get_env_float
 
 __all__ = [
+    "get_env_float",
     "get_env_int",
     "get_env_list",
     "get_env_str",
-    "get_env_float",
 ]