feat(auth): send X-GREFFON-TOKEN on cert poll and status callback#19
Open
omarsy wants to merge 1 commit into
Open
feat(auth): send X-GREFFON-TOKEN on cert poll and status callback#19omarsy wants to merge 1 commit into
omarsy wants to merge 1 commit into
Conversation
Companion to greffon/manager#18, which starts enforcing token auth on /api/greffer/certificate/<id>/ and /api/greffer/instances/<id>/. Without this PR, the first cert poll after registration and every status callback would 403 post-merge. The greffer already mints a token at startup (app.state.greffer_token) and posts it in the /register/ body. This PR threads that same token through _fetch_cert and _report_status_change as the X-GREFFON-TOKEN header. register_worker already had the token in a local; monitor_worker reads it once at task start. No CRL-fetch change — the manager keeps ca_crl_view AllowAny because CRLs are CA-signed and every issued cert's CRL distribution point URL is that endpoint (external verifiers must be able to fetch anonymously). Tests: 180/180 pass. New coverage asserts the header is on both the cert poll and the status POST; existing tests are threaded to match the new signatures. This PR is backward-compatible — it only adds a header the current manager ignores. Land this first; manager PR #18 second. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Companion to greffon/manager#18, which adds token auth + gated cert rotation to the two greffer-facing endpoints. Without this PR, the post-accept cert poll and every status callback would 403 once manager-side enforcement lands.
The greffer already mints a token at startup (
app.state.greffer_token) and posts it in the/register/body. This PR threads that same token through_fetch_certand_report_status_changeas anX-GREFFON-TOKENHTTP header — the manager's newGrefferTokenAuthenticationmatches it against eitherGreffer.token(steady state) orGreffer.new_token(first cert poll runs BEFOREaccept_registerhas promoted new_token → token).No CRL-fetch change: the manager keeps
ca_crl_viewasAllowAny(CRLs are CA-signed artifacts; each issued cert's CRL distribution point URL is that endpoint, so external verifiers must be able to fetch anonymously).Dependency + merge order
Merge this first. It's backward-compatible — just adds a request header the current manager ignores. Then greffon/manager#18 starts requiring it.
Test plan
pytest→ 180/180 pass_fetch_cert,_report_status_change,_one_monitor_tick)🤖 Generated with Claude Code