fix1

Author: shadow0wolf

README.md

@@ -1,10 +1,69 @@
-## Problem Statement : ##
- Process only valid telemetry requests coming from valid secure-agents.
- 
- OTEL Collector (deployed in enterprise cloud) will recieve telemetry requests from agentdeployed on user's on-prem these telemetry requests will arrive via internet thus it is required to filter malicious requests (DOS attack).   
+## 1. PROBLEM STATEMENT  ##
+ **Process only valid telemetry requests coming from valid secure-agents.**
 
+OTEL Collector (deployed in enterprise cloud) will recieve HTTP/gRPC telemetry-requests (telemetry-signals) from informatica-secure-agent via internet , thus it is required to filter malicious requests (DOS attack) and allow the data from validated telemetry-signals to be exported to downtream component.    
+## 2. GUIDELINES PROVIDED BY OTEL ON CUSTOM AUTHENTICATOR IMPLEMENTATION ##
+(ref :[official otel doc] https://opentelemetry.io/docs/collector/custom-auth/)
+
+The OpenTelemetry Collector allows receivers and exporters to be connected to authenticators, providing a way to both authenticate incoming connections at the receiver’s side, as well as adding authentication data to outgoing requests at the exporter’s side.
+
+This mechanism is implemented on top of the extensions framework provided by OTEL Collector.Authenticators are regular extensions that also satisfy one or more interfaces mentioned below :
+
+**Server Authenticator Interface :**
+(single interface for gRPC and HTTP)
+<pre> 1. <a>go.opentelemetry.io/collector/config/configauth/ServerAuthenticator</a></pre>
+
+**Client Authenticator Interfaces :**
+<pre>
+   1. <a>go.opentelemetry.io/collector/config/configauth/GRPCClientAuthenticator</a>
+   2. <a>go.opentelemetry.io/collector/config/configauth/HTTPClientAuthenticator</a>
+</pre>
+
+
+**Typs of Authenticators :**
+
+**1> Server Authenticator :**
+ Used in receivers, intercept incoming HTTP/gRPC request (telemetry-signal), authentication data is expected to be contained in incoming telemetry-signals , this is used for authentication of telemetry signal. 
+
+**2> Client Authenticator :**
+ Used in exporters,  perform client-side authentication for outgoing telemetry signals, add authentication-data to telemetry-signal which is exported to downstream component e.g. Elastic-APM.
+
+## 2.1 Server Authenticator : ##
+It is an GOLang "extension" framework interface-implementation with a _**Authenticate()**_ funtion , receiving the payload-headers as parameter. 
+
+If the authenticator is able to authenticate the incoming connection, then **return a nil error** , otherwise return concrete-error.
+
+As an extension, the authenticator should make sure to initialize all the resources it needs during the **Start()** phase, and is expected to clean them up upon **Shutdown()**.
+
+refer :
+<pre><a>https://github.com/open-telemetry/opentelemetry-collector/blob/main/extension/auth/server.go</a>
+<a>https://github.com/open-telemetry/opentelemetry-collector/blob/main/service/extensions/extensions.go</a></pre>
+
+**The Authenticate call is part of the hot path for incoming requests and will block the pipeline if it does not complete execution.**
+Thus it becomes critical to properly handle any blocking operations. Concretely, respect the deadline set by the context, in case one is provided. 
+
+## 3.IMPLEMENTATION CONSIDERATIONS ##
+  **1> Securing communication between OTEL collector and session service :**
+
+      This is performed using one-way ssl ,session service sending server certificate and certificate being validated on otel-collector , ca-certificate would be used to validate SSL certificate provided by sesison-service , ca-certificate setting is optional , in case it is not set go will use system level settings for validating server certs (which might not work correctly) . This certificate is assumed to be mounted in a directory on the file system which is specified in collector run configuration (infa_auth.ca_cert_path)
+  
+  **2> Securing communication between agent and OTEL collector :**
+  
+      TO-DO
+  
+  **3> Securing communication between OTEL collector and Elastic APM server:**
+  
+      TO-DO 
+  
+  **4> NO session caching :**
+  
+     Any session info fetched including session expiry time , will not be cached , session service GET agent sesison API 
+     would be invoked for each arriving telemetry-signal
+
+## 4.IMPLEMENTATION DETAILS ##
+
 
-## _BUILDING collector binary_ ##
+## 5._BUILDING collector binary_ ##
 
 ```sh
 ./builder --config=/mnt/c/tmp/otel_build_config.yaml 

authdata.go

@@ -1,10 +1,13 @@
-// Copyright The OpenTelemetry Authors
-// SPDX-License-Identifier: Apache-2.0
-
 package infa_auth
 
-// Config has the configuration for the OIDC Authenticator extension.
+// Config has the configuration for the INFA AUTH Authenticator extension.
 type Config struct {
-	ValidationURL string `mapstructure:"validation_url"`
-	Headerkey     string `mapstructure:"header_key"`
+	TimeOut            int    `mapstructure:"time_out"`
+	ClientSideSsl      bool   `mapstructure:"client_side_ssl"`
+	ValidationURL      string `mapstructure:"validation_url"`
+	Headerkey          string `mapstructure:"header_key"`
+	ClientCertPath     string `mapstructure:"client_cert_path"`
+	CACertPath         string `mapstructure:"ca_cert_path"`
+	InsecureSkipVerify bool   `mapstructure:"insecure_skip_verify"`
+	ClientKeyPath      string `mapstructure:"client_key_path"`
 }

config.go

@@ -12,43 +12,34 @@ import (
 	"go.opentelemetry.io/collector/confmap/confmaptest"
 )
 
-/*
-func TestLoadConfig2(t *testing.T) {
-
-	//factories, err := componenttest.ExampleComponents()
-	assert.NoError(t, err)
-
-	//factories.Extension[typeStr] = NewFactory()
-
-	//cfg, err := configtest.LoadConfigFile(t, path.Join(".", "testdata", "config.yaml"), factories)
-	require.NoError(t, err)
-	//require.NotNil(t, cfg)
-}
-*/
-
 type Aaa struct {
-	id          component.ID
-	expected    component.Config
-	expectedErr bool
+	id       component.ID
+	expected component.Config
 }
 
 func TestLoadConfig(t *testing.T) {
 	cm, err := confmaptest.LoadConf(filepath.Join("testdata", "config.yaml"))
 	require.NoError(t, err)
 	factory := NewFactory()
-	cfg := factory.CreateDefaultConfig()
+	defaultCfg := factory.CreateDefaultConfig()
 
 	var tt = Aaa{
 		id: component.NewID(metadata.Type),
 		expected: &Config{
-			ValidationURL: "https://pod.ics.dev:444/session-service/api/v1/session/Agent",
-			Headerkey:     "IDS-AGENT-SESSION-ID",
+			TimeOut:            2,
+			ClientSideSsl:      true,
+			ValidationURL:      "https://pod.ics.dev:444/session-service/api/v1/session/Agent",
+			Headerkey:          "IDS-AGENT-SESSION-ID",
+			ClientCertPath:     "/mnt/a/c1Client.crt",
+			CACertPath:         "/mnt/a/ca_cert_path.crt",
+			InsecureSkipVerify: true,
+			ClientKeyPath:      "/mnt/a/client_key_path.pem",
 		},
 	}
 
 	sub, err := cm.Sub(tt.id.String())
 	require.NoError(t, err)
-	require.NoError(t, component.UnmarshalConfig(sub, cfg))
-	assert.NoError(t, component.ValidateConfig(cfg))
-	assert.Equal(t, tt.expected, cfg)
+	require.NoError(t, component.UnmarshalConfig(sub, defaultCfg))
+	assert.NoError(t, component.ValidateConfig(defaultCfg))
+	assert.Equal(t, tt.expected, defaultCfg)
 }