
Improved peerguard auth support

Open mintyleaf opened this issue 8 months ago • 4 comments

Description

This PR is tied to https://github.com/mudler/edgevpn/pull/863, adding authorization support at the P2P protocol level.

  • [x] Rewrite P2P flags handling
  • [x] Add needed configuration support
  • [ ] Add a secure http API for managing workers public keys at the ledger

Notes for Reviewers: This is a draft PR; the edgevpn changes need to be resolved and approved first.

Signed commits

  • [ ] Yes, I signed my commits.

mintyleaf avatar Mar 29 '25 02:03 mintyleaf

Deploy Preview for localai ready!

Name Link
Latest commit 2ee3c8311ae9a3b3bf5cc070c7c7fa03592ade5e
Latest deploy log https://app.netlify.com/sites/localai/deploys/67edc3973e93f50008c1848c
Deploy Preview https://deploy-preview-5086--localai.netlify.app

netlify[bot] avatar Mar 29 '25 02:03 netlify[bot]

@mudler hello there!

I guess that is a good starting point for porting my recent edgevpn changes here, and I was kind of forced to finally take the P2P configuration flags out to the top level.

I want to wait until my idea about an auth provider mechanism for authoritative trusted nodes, acting as auth middleware for the HTTP API that manages the ledger buckets, is approved, but there is a raw outline ported from edgevpn at core/http/routes/peerguard.go.

Thanks in advance!

mintyleaf avatar Mar 29 '25 02:03 mintyleaf

UPD: Seems like I got confused by the --federated and federated flags (again). As the federated server works with a raw TCP proxy, we can't use fiber routes or other fancy stuff. Either we need to include that near the TCP proxy thing, or use another port for some HTTP library usage. But that is kind of counterintuitive for me, and the thing should be accessed from the so-called "API" port IMHO.

UPD2: I guess I can read the incoming connection through a bufio.Reader, peeking an arbitrary number of bytes first, check whether the first bytes resemble a GET/PUT/DELETE request at the desired ledger URL, and then block further proxying and hand that connection to net/http to read, checking the Authorization header public key against the p2p auth providers of that federated node, ideally reusing the Authenticate logic in the Challenger routine.

mintyleaf avatar Mar 29 '25 13:03 mintyleaf
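The peek-and-demux idea sketched in the UPD and UPD2 comments above, worked through as an added example; this is not code from this PR, from LocalAI or from edgevpn. The first bytes of each connection on the federated port are peeked through a bufio.Reader without being consumed. If they form a GET/PUT/POST/DELETE request line for the ledger path, the connection is parsed with net/http and authenticated; otherwise the buffered reader (not the raw conn, or the peeked bytes would be lost) is handed to the TCP proxy. The ledger prefix `/api/p2p/ledger`, the `AuthProvider` interface, the `Allowlist` provider and the `PeerGuard <pubkey-hex> <sig-hex>` Authorization scheme are all assumptions made for the example. One caveat the example builds in: a public key alone in a header proves nothing, since public keys are public, so the header also carries an ed25519 signature over method, path and Date, and that signature is verified before any provider is consulted.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"encoding/hex"
	"errors"
	"io"
	"net"
	"net/http"
	"strings"
	"time"
)

// ledgerPrefix is an assumed URL prefix for the ledger-management API.
const ledgerPrefix = "/api/p2p/ledger"

// AuthProvider is a hypothetical stand-in for a node's p2p auth provider (a real one
// would consult the ledger); Allowlist is the simplest form, a set of hex-encoded keys.
type AuthProvider interface{ Authenticate(pub ed25519.PublicKey) bool }
type Allowlist map[string]bool

func (a Allowlist) Authenticate(pub ed25519.PublicKey) bool { return a[hex.EncodeToString(pub)] }

// isLedgerHTTP peeks at the first bytes without consuming them and reports whether they
// form a request line for the ledger API. The peek is bounded to the longest method plus
// the prefix, so raw traffic is never buffered indefinitely; a short read simply fails.
func isLedgerHTTP(br *bufio.Reader) (bool, error) {
	head, err := br.Peek(len("DELETE ") + len(ledgerPrefix))
	if err != nil && !errors.Is(err, io.EOF) {
		return false, err
	}
	for _, m := range []string{"GET ", "PUT ", "POST ", "DELETE "} {
		if bytes.HasPrefix(head, []byte(m+ledgerPrefix)) {
			return true, nil
		}
	}
	return false, nil
}

// signedPayload binds the signature to method, path and Date so a captured header cannot
// be replayed against another endpoint; a deployment must additionally reject Date
// values outside a short freshness window (not shown).
func signedPayload(method, path, date string) []byte { return []byte(method + "\n" + path + "\n" + date) }

// SignRequest is the worker side: "PeerGuard <pub-hex> <sig-hex>" (assumed header scheme).
func SignRequest(priv ed25519.PrivateKey, method, path, date string) string {
	sig := ed25519.Sign(priv, signedPayload(method, path, date))
	return "PeerGuard " + hex.EncodeToString(priv.Public().(ed25519.PublicKey)) + " " + hex.EncodeToString(sig)
}

// Authenticate verifies the signature before consulting any provider: public keys are
// public, so merely presenting a trusted one must not be enough.
func Authenticate(req *http.Request, providers []AuthProvider) (ed25519.PublicKey, error) {
	f := strings.Fields(req.Header.Get("Authorization"))
	if len(f) != 3 || f[0] != "PeerGuard" {
		return nil, errors.New("missing or malformed Authorization header")
	}
	pub, err1 := hex.DecodeString(f[1])
	sig, err2 := hex.DecodeString(f[2])
	if err1 != nil || err2 != nil || len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return nil, errors.New("malformed key or signature")
	}
	if !ed25519.Verify(pub, signedPayload(req.Method, req.URL.Path, req.Header.Get("Date")), sig) {
		return nil, errors.New("signature does not verify")
	}
	for _, p := range providers {
		if p.Authenticate(pub) {
			return pub, nil
		}
	}
	return nil, errors.New("public key not trusted by any auth provider")
}

// HandleConn is the demux on the federated port: one peek decides whether the bytes are
// a ledger request (parsed with net/http, then authenticated) or raw traffic for the TCP
// proxy. The peek runs under a read deadline so a silent peer cannot pin the goroutine.
func HandleConn(conn net.Conn, providers []AuthProvider, proxy func(io.Reader, io.Writer)) (string, error) {
	br := bufio.NewReader(conn)
	_ = conn.SetReadDeadline(time.Now().Add(5 * time.Second))
	isHTTP, err := isLedgerHTTP(br)
	_ = conn.SetReadDeadline(time.Time{})
	if err != nil {
		return "", err
	}
	if !isHTTP {
		proxy(br, conn) // hand over the bufio.Reader, not conn, or the peeked bytes are lost
		return "proxied", nil
	}
	req, err := http.ReadRequest(br)
	if err != nil {
		return "", err
	}
	pub, err := Authenticate(req, providers)
	if err != nil {
		return "denied", err // caller answers 401; the proxy never sees these bytes
	}
	return "authorized " + hex.EncodeToString(pub), nil
}
```

HandleConn is called once per accepted net.Conn with the node's providers and the existing proxy function; it returns a short outcome string so the caller can log or answer 401. The prefix match only decides routing, so the handler behind it must still match exact routes, and because the peek blocks until the needed bytes or EOF arrive, the read deadline around it is what keeps a peer that connects and sends nothing from holding the goroutine.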

The only thing remaining and controversial for me is the attempt to reuse AuthProviders. I kind of feel bad about mocking everything needed, so feedback is needed =D

The connection HTTP request checker is mostly untested; I shared it just to get an idea of how it can be done.

mintyleaf avatar Apr 02 '25 23:04 mintyleaf

This PR is stale because it has been open 90 days with no activity. Remove the stale label or comment, or this will be closed in 10 days.

github-actions[bot] avatar Aug 26 '25 02:08 github-actions[bot]

This PR was closed because it has been stalled for 10 days with no activity.

github-actions[bot] avatar Sep 09 '25 02:09 github-actions[bot]