/auth-otel

Author: kamilkisiela

docker/configs/otel-collector/Dockerfile

@@ -183,7 +183,9 @@ services:
         condition: service_healthy
     build:
       context: ./configs/otel-collector
-      dockerfile: Dockerfile
+      dockerfile: ../otel-collector.dockerfile
+    environment:
+      HIVE_OTEL_AUTH_ENDPOINT: 'http://host.docker.internal:3001/otel-auth'
     volumes:
       - ./configs/otel-collector/builder-config.yaml:/builder-config.yaml
       - ./configs/otel-collector/config.yaml:/etc/otel-config.yaml

docker/docker-compose.dev.yml

@@ -379,9 +379,7 @@ target "apollo-router" {
 
 target "otel-collector" {
   inherits = ["otel-collector-base", get_target()]
-  contexts = {
-    config = "${PWD}/docker/configs/otel-collector"
-  }
+  context = "${PWD}/docker/configs/otel-collector"
   args = {
     IMAGE_TITLE = "graphql-hive/otel-collector"
     IMAGE_DESCRIPTION = "OTEL Collector for GraphQL Hive."

docker/docker.hcl

@@ -1,3 +1,7 @@
+FROM scratch AS config
+
+COPY builder-config.yaml .
+
 FROM golang:1.23.7-bookworm AS builder
 
 ARG OTEL_VERSION=0.122.0
@@ -10,7 +14,7 @@ RUN go install go.opentelemetry.io/collector/cmd/builder@v${OTEL_VERSION}
 COPY --from=config builder-config.yaml .
 
 # Build the custom collector
-RUN builder --config=/build/builder-config.yaml
+RUN CGO_ENABLED=0 builder --config=/build/builder-config.yaml
 
 # Stage 2: Final Image
 FROM alpine:3.14

docker/otel-collector.dockerfile

@@ -593,7 +593,7 @@ export async function main() {
       return;
     });
 
-    createOtelAuthEndpoint(server);
+    createOtelAuthEndpoint({ server, authN, redis, pgPool: storage.pool, tracing: !!tracing });
 
     if (env.cdn.providers.api !== null) {
       const s3 = {

packages/services/server/src/index.ts

@@ -1,28 +1,127 @@
 import type { FastifyInstance } from 'fastify';
+import type Redis from 'ioredis';
+import type { DatabasePool } from 'slonik';
+import type { AuthN } from '@hive/api/modules/auth/lib/authz';
+import { PrometheusConfig } from '@hive/api/modules/shared/providers/prometheus-config';
+import { TargetsByIdCache } from '@hive/api/modules/target/providers/targets-by-id-cache';
+import { TargetsBySlugCache } from '@hive/api/modules/target/providers/targets-by-slug-cache';
+import { isUUID } from '@hive/api/shared/is-uuid';
 
-export function createOtelAuthEndpoint(server: FastifyInstance) {
-  server.get('/otel-auth', (req, res) => {
-    const authHeader = req.headers.authorization;
+export function createOtelAuthEndpoint(args: {
+  server: FastifyInstance;
+  tracing: boolean;
+  authN: AuthN;
+  redis: Redis;
+  pgPool: DatabasePool;
+}) {
+  const prometheusConfig = new PrometheusConfig(args.tracing);
+  const targetsByIdCache = new TargetsByIdCache(args.redis, args.pgPool, prometheusConfig);
+  const targetsBySlugCache = new TargetsBySlugCache(args.redis, args.pgPool, prometheusConfig);
+
+  args.server.get('/otel-auth', async (req, reply) => {
     const targetRefHeader = req.headers['x-hive-target-ref'];
-    req.log.info('request! ' + authHeader);
-
-    if (authHeader === 'Bearer 123') {
-      if (targetRefHeader !== 'target-1') {
-        // No access to target-1
-        res.status(403).send({
-          message: 'Forbidden access to the target',
-        });
-        return;
-      }
-
-      res.status(200).send({
-        message: 'Authenticated',
-        targetId: targetRefHeader,
+
+    const targetRefRaw = Array.isArray(targetRefHeader) ? targetRefHeader[0] : targetRefHeader;
+
+    if (typeof targetRefRaw !== 'string' || targetRefRaw.trim().length === 0) {
+      await reply.status(400).send({
+        message: `Missing required header: 'X-Hive-Target-Ref'. Please provide a valid target reference in the request headers.`,
+      });
+      return;
+    }
+
+    const targetRefParseResult = parseTargetRef(targetRefRaw);
+
+    if (!targetRefParseResult.ok) {
+      await reply.status(400).send({
+        message: targetRefParseResult.error,
+      });
+      return;
+    }
+
+    const targetRef = targetRefParseResult.data;
+
+    const session = await args.authN.authenticate({ req, reply });
+
+    const target = await (targetRef.kind === 'id'
+      ? targetsByIdCache.get(targetRef.targetId)
+      : targetsBySlugCache.get(targetRef));
+
+    if (!target) {
+      await reply.status(404).send({
+        message: `The specified target does not exist. Verify the target reference and try again.`,
       });
-    } else {
-      res.status(401).send({
-        message: 'Unauthorized',
+      return;
+    }
+
+    const canReportUsage = await session.canPerformAction({
+      organizationId: target.orgId,
+      action: 'usage:report', // TODO: define a new action for tracing
+      params: {
+        organizationId: target.orgId,
+        projectId: target.projectId,
+        targetId: target.id,
+      },
+    });
+
+    if (!canReportUsage) {
+      await reply.status(403).send({
+        message: `You do not have permission to send traces for this target.`,
       });
+      return;
     }
+
+    await reply.status(200).send({
+      message: 'Authenticated',
+      targetId: target.id,
+    });
+    return;
   });
 }
+
+// TODO: https://github.com/open-telemetry/opentelemetry-collector/blob/ae0b83b94cc4d4cd90a73a2f390d23c25f848aec/config/confighttp/confighttp.go#L551C4-L551C84
+//       swallows the error and returns 401 Unauthorized to the OTel SDK.
+const invalidTaretRefError =
+  'Invalid slug or ID provided for target reference. ' +
+  'Must match target slug "$organization_slug/$project_slug/$target_slug" (e.g. "the-guild/graphql-hive/staging") ' +
+  'or UUID (e.g. c8164307-0b42-473e-a8c5-2860bb4beff6).';
+
+function parseTargetRef(targetRef: string) {
+  if (targetRef.includes('/')) {
+    const parts = targetRef.split('/');
+
+    if (parts.length !== 3) {
+      return {
+        ok: false,
+        error: invalidTaretRefError,
+      } as const;
+    }
+
+    const [organizationSlug, projectSlug, targetSlug] = parts;
+
+    return {
+      ok: true,
+      data: {
+        kind: 'slugs',
+        organizationSlug,
+        projectSlug,
+        targetSlug,
+      },
+    } as const;
+  }
+
+  if (!isUUID(targetRef)) {
+    return {
+      ok: false,
+      error: invalidTaretRefError,
+    } as const;
+  }
+
+  return {
+    ok: true,
+    data: {
+      kind: 'id',
+      targetId: targetRef,
+    },
+  } as const;
+}