Skip to content

feat(auth): send X-GREFFON-TOKEN on cert poll and status callback#19

Open
omarsy wants to merge 1 commit into
mainfrom
feat/send-token-on-greffer-callbacks
Open

feat(auth): send X-GREFFON-TOKEN on cert poll and status callback#19
omarsy wants to merge 1 commit into
mainfrom
feat/send-token-on-greffer-callbacks

Conversation

@omarsy

@omarsy omarsy commented Apr 22, 2026

Copy link
Copy Markdown
Member

Summary

Companion to greffon/manager#18, which adds token auth + gated cert rotation to the two greffer-facing endpoints. Without this PR, the post-accept cert poll and every status callback would 403 once manager-side enforcement lands.

The greffer already mints a token at startup (app.state.greffer_token) and posts it in the /register/ body. This PR threads that same token through _fetch_cert and _report_status_change as an X-GREFFON-TOKEN HTTP header — the manager's new GrefferTokenAuthentication matches it against either Greffer.token (steady state) or Greffer.new_token (first cert poll runs BEFORE accept_register has promoted new_token → token).

No CRL-fetch change: the manager keeps ca_crl_view as AllowAny (CRLs are CA-signed artifacts; each issued cert's CRL distribution point URL is that endpoint, so external verifiers must be able to fetch anonymously).

Dependency + merge order

Merge this first. It's backward-compatible — just adds a request header the current manager ignores. Then greffon/manager#18 starts requiring it.

Test plan

  • pytest180/180 pass
  • New tests assert the header is present on the cert poll and the status POST
  • Existing tests threaded to the new signatures (token parameter on _fetch_cert, _report_status_change, _one_monitor_tick)

🤖 Generated with Claude Code

Companion to greffon/manager#18, which starts enforcing token auth on
/api/greffer/certificate/<id>/ and /api/greffer/instances/<id>/. Without
this PR, the first cert poll after registration and every status
callback would 403 post-merge.

The greffer already mints a token at startup (app.state.greffer_token)
and posts it in the /register/ body. This PR threads that same token
through _fetch_cert and _report_status_change as the X-GREFFON-TOKEN
header. register_worker already had the token in a local; monitor_worker
reads it once at task start.

No CRL-fetch change — the manager keeps ca_crl_view AllowAny because
CRLs are CA-signed and every issued cert's CRL distribution point URL
is that endpoint (external verifiers must be able to fetch
anonymously).

Tests: 180/180 pass. New coverage asserts the header is on both the
cert poll and the status POST; existing tests are threaded to match
the new signatures.

This PR is backward-compatible — it only adds a header the current
manager ignores. Land this first; manager PR #18 second.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant