feat: add mtls for keymanager api requests #5048

Open
wants to merge 5 commits into
base: add_encryption_service

dracarys18
Member

@dracarys18 dracarys18 commented Jun 19, 2024

Type of Change

  • Enhancement

Description

Add mTLS while calling keymanager service

Additional Changes

  • This PR modifies application configuration/environment variables

Motivation and Context

This PR adds a new reqwest::Client with Certificates and CA to contact the key manager

How did you test it?

Checklist

  • I formatted the code cargo +nightly fmt --all
  • I addressed lints thrown by cargo clippy
  • I reviewed the submitted code

@dracarys18 dracarys18 added A-core Area: Core flows S-waiting-on-review Status: This PR has been implemented and needs to be reviewed labels Jun 19, 2024
@dracarys18 dracarys18 added this to the June 2024 Release milestone Jun 19, 2024
@dracarys18 dracarys18 self-assigned this Jun 19, 2024
@dracarys18 dracarys18 requested a review from a team as a code owner June 19, 2024 17:38
@dracarys18 dracarys18 changed the title feat: create key in encryption service during merchant account and us… feat: add mtls for keymanager api requests Jun 19, 2024
Comment on lines +26 to +34
#[cfg(feature = "keymanager_mtls")]
{
let ca = state.conf.key_manager.ca.clone();
let cert = state.conf.key_manager.cert.clone();

let identity = reqwest::Identity::from_pem(cert.peek().as_ref())
.change_context(errors::ApiClientError::ClientConstructionFailed)?;
let ca_cert = reqwest::Certificate::from_pem(ca.peek().as_ref())
.change_context(errors::ApiClientError::ClientConstructionFailed)?;
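
Review bot: the two `.clone()` calls at the top of the block copy `ca` and `cert` only so that `peek()` can be called on the copies. `reqwest::Identity::from_pem` expects the private key in the same PEM buffer as the certificate, so `cert` is key material, and borrowing it (`state.conf.key_manager.cert.peek()`) avoids an extra copy of the key in memory. Both `from_pem` failures also map to the same `ClientConstructionFailed` with nothing saying which input was bad; attaching context to each (for example with `attach_printable`) would tell a malformed CA bundle from a malformed identity. It is also worth documenting next to the config key that `cert` must hold the key as well as the certificate.
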
Member

you can use

if cfg!(feature = "keymanager_mtls") 

you would not need #[allow(unused_mut)] in that case

Member Author

We cannot do this since ca and cert have compile time feature constraints
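
The exchange above turns on the difference between `#[cfg]` and `cfg!`. The following is an added example, not code from this PR, and it assumes `ca` and `cert` are config fields gated on the `keymanager_mtls` feature. `KeyManagerConfig`, `ClientPlan` and `plan_client` are hypothetical names, and the plan struct stands in for the real client builder:

```rust
// Hypothetical config shaped like the PR's `key_manager` section. ASSUMPTION:
// `ca` and `cert` are feature-gated fields, absent from builds without it.
pub struct KeyManagerConfig {
    pub url: String,
    #[cfg(feature = "keymanager_mtls")]
    pub ca: String,
    #[cfg(feature = "keymanager_mtls")]
    pub cert: String,
}

// Hypothetical stand-in for the client builder: records what would be set.
#[derive(Debug, Default, PartialEq)]
pub struct ClientPlan {
    pub base_url: String,
    pub trusted_ca_pem: Option<String>,
    pub client_identity_pem: Option<String>,
}

impl ClientPlan {
    pub fn is_mtls(&self) -> bool {
        self.trusted_ca_pem.is_some() && self.client_identity_pem.is_some()
    }
}

pub fn plan_client(conf: &KeyManagerConfig) -> ClientPlan {
    // Mutated only inside the gated block, hence the allow the review mentions.
    #[allow(unused_mut)]
    let mut plan = ClientPlan { base_url: conf.url.clone(), ..Default::default() };
    // `#[cfg]` strips this block before name resolution when the feature is off.
    #[cfg(feature = "keymanager_mtls")]
    {
        plan.trusted_ca_pem = Some(conf.ca.clone());
        plan.client_identity_pem = Some(conf.cert.clone());
    }
    // `if cfg!(feature = "keymanager_mtls") { conf.ca ... }` is `if false { ... }`:
    // the body is still type-checked, so `conf.ca` is a "no field" compile error.
    plan
}

fn main() {
    // Constructed sample values; placeholders, not real PEM data.
    let conf = KeyManagerConfig {
        url: "https://keymanager.example.internal".into(),
        #[cfg(feature = "keymanager_mtls")]
        ca: "<CA PEM>".into(),
        #[cfg(feature = "keymanager_mtls")]
        cert: "<identity PEM>".into(),
    };
    println!("mTLS configured: {}", plan_client(&conf).is_mtls());
}
```

In this example a build without the feature yields a plan with no client identity and no error, so checking `is_mtls()` at startup or in a deployment test makes that case visible.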

Contributor

@ArjunKarthik ArjunKarthik left a comment

LGTM


4 participants