Merge pull request #48 from junkurihara/develop

0.3.0

Author: junkurihara

.github/workflows/release_docker.yml

@@ -50,7 +50,7 @@ jobs:
 
       - name: Release Build and push x86_64
         if: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.ref == 'develop' && github.event.pull_request.base.ref == 'main' && github.event.pull_request.merged == true }}
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           push: true
@@ -64,7 +64,7 @@ jobs:
 
       - name: Nightly build and push x86_64
         if: ${{ (github.ref_name == 'develop') && (github.event_name == 'push') }}
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           push: true
@@ -78,7 +78,7 @@ jobs:
 
       - name: Unstable build and push x86_64 for 'feat/*' branches (for development purposes)
         if: ${{ startsWith(github.ref_name, 'feat/') && (github.event_name == 'push') }}
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           push: true

Cargo.toml

@@ -1,5 +1,5 @@
 [workspace.package]
-version = "0.2.0"
+version = "0.3.0"
 authors = ["Jun Kurihara"]
 homepage = "https://github.com/junkurihara/modoh-server"
 repository = "https://github.com/junkurihara/modoh-server"

README.md

@@ -74,6 +74,7 @@ Options:
   -t, --otel-trace                    Enable opentelemetry for trace. Unless explicitly specified with '-e', collector endpoint is 'http://localhost:4317'.
   -m, --otel-metrics                  Enable opentelemetry for metrics. Unless explicitly specified with '-e', collector endpoint is 'http://localhost:4317'.
   -e, --otlp-endpoint <ENDPOINT_URL>  Opentelemetry collector endpoint url connected via gRPC
+  -q, --qrlog <PATH>                  Enable query-response logging. Unless specified, it is disabled.
   -h, --help                          Print help
   -V, --version                       Print version
 ```
@@ -224,7 +225,7 @@ For the secure deployment of `modoh-server`, the access control mechanisms shoul
 
 ### Client Authentication using Bearer Token
 
-For the client authentication, we can use the Bearer token in HTTP Authorization header, which is issued by [`rust-token-server`](https://github.com/junkurihara/rust-token-server) in the context of OpenID Connect. The authentication through the token validation is configured in the `[validation]` directive in `config.toml` as follows.
+For the client authentication, we can use the Bearer token in HTTP Authorization header, which is issued by [`rust-token-server`](https://github.com/junkurihara/rust-token-server) in the form of **OpenID Connect ID Token** or **Anonymous Token based on the blind RSA signatures ([RFC9474](https://www.rfc-editor.org/rfc/rfc9474.html))**. The authentication through the token validation is configured in the `[validation]` directive in `config.toml` as follows.
 
 ```toml
 ## Validation of source, typically user clients, using Id token
@@ -243,7 +244,7 @@ token_issuer = "https://example.com/v1.0"
 client_ids = ["client_id_1", "client_id_2"]
 ```
 
-`modoh-server` allows multiple `[[validation.token]]` directives to accepts multiple clients authorized under various authorities. `modoh-server` periodically fetches their validation keys (public keys) through the token APIs' `jwks` endpoints, and concurrently verifies a request with the retrieved keys.
+`modoh-server` allows multiple `[[validation.token]]` directives to accepts multiple clients authorized under various authorities. `modoh-server` periodically fetches their validation keys (public keys) through the token APIs' `jwks` (for ID tokens) and `blindjwks` (for anonymous token) endpoints, and concurrently verifies a request with the retrieved keys.
 
 Note that *when the bearer token does not exist in the HTTP request header, the request filtering based on the token validation is always bypassed*. This is because requests not from clients but from other relays have no such token in their header [^1]. Thus, *you should employ the source IP filtering mechanism for pre-authorized relays simultaneously with token validation.*
 

docker/Dockerfile

@@ -22,7 +22,7 @@ RUN apt-get update && apt-get install -qy --no-install-recommends $BUILD_DEPS &&
     curl -sSf https://sh.rustup.rs | bash -s -- -y --default-toolchain stable && \
     export PATH="$HOME/.cargo/bin:$PATH" && \
     echo "Building Mutualized Oblivious DNS relay and target from source" && \
-    cargo build --release --no-default-features --features=otel-full,otel-evil-trace --package modoh-server && \
+    cargo build --release --no-default-features --features=otel-full,otel-evil-trace,qrlog --package modoh-server && \
     strip --strip-all /tmp/target/release/modoh-server
 
 ########################################

docker/README.md

@@ -11,6 +11,7 @@ We have several container-specific environment variables, which doesn't relates
 - `LOG_TO_FILE=true|false` (default: `false`): Enable logging to the log file `/modoh/log/modoh-server.log` using `logrotate`. You should mount `/modoh/log` via docker volume option if enabled. The log dir and file will be owned by the `HOST_USER` with `HOST_UID:HOST_GID` on the host machine. Hence, `HOST_USER`, `HOST_UID` and `HOST_GID` should be the same as ones of the user who executes the `modoh-server` container on the host.
 - `DISABLE_OTEL`: If explicitly set to `true`, `--trace` and `--metrics` are disabled in the execute option. (default: `false`)
 - `OTEL_ENDPOINT`: Set the gRPC endpoint of `opentelemetry-collector`. (default: `http://localhost:4317` but no collector is contained in the `modoh-server` docker container.)
+- `ENABLE_QRLOG`: If explicitly set to `true`, query-response logging is enabled in the `modoh-server`. (default: `false`) The log file will be `/modoh/log/qrlog.log` in the container. Note that the log rotation is set as the `modoh-server` system log.
 
 See [`./docker-compose.yml`](./docker-compose.yml) for the detailed configuration of the above environment variables.
 

docker/docker-compose.yml

@@ -21,6 +21,7 @@ services:
       # - WATCH=true
       # - DISABLE_OTEL=true # opentelemetry is disabled if DISABLE_OTEL=true (default: false)
       - OTLP_ENDPOINT=http://otel-collector:4317 # opentelemetry endpoint (default: http://localhost:4317)
+      # - ENABLE_QRLOG=true # qrlog is enabled if ENABLE_QRLOG is set. Record in `/modoh/log/qrlog.log` [default=false]
     tty: false
     privileged: true
     volumes:

docker/entrypoint.sh

@@ -13,6 +13,9 @@ CONFIG_FILE=/etc/modoh-server.toml
 CONFIG_DIR=/modoh/config
 CONFIG_FILE_IN_DIR=${CONFIG_FILENAME:-modoh-server.toml}
 
+QRLOG_FILE=${LOG_DIR}/qrlog.log
+QRLOGGING=${ENABLE_QRLOG:-false}
+
 #######################################
 # Setup logrotate
 function setup_logrotate () {
@@ -43,7 +46,8 @@ include /etc/logrotate.d
 # system-specific logs may be also be configured here.
 EOF
 
-  cat > /etc/logrotate.d/modoh-server.conf << EOF
+  if "${LOGGING}"; then
+    cat > /etc/logrotate.d/modoh-server.conf << EOF
 ${LOG_FILE} {
     dateext
     daily
@@ -58,6 +62,25 @@ ${LOG_FILE} {
     su ${USER} ${USER}
 }
 EOF
+  fi
+
+  if "${QRLOGGING}"; then
+    cat > /etc/logrotate.d/qrlog.conf << EOF
+${QRLOG_FILE} {
+    dateext
+    daily
+    missingok
+    rotate ${LOG_NUM}
+    notifempty
+    compress
+    delaycompress
+    dateformat -%Y-%m-%d-%s
+    size ${LOG_SIZE}
+    copytruncate
+    su ${USER} ${USER}
+}
+EOF
+  fi
 }
 
 #######################################
@@ -71,7 +94,7 @@ function setup_ubuntu () {
   fi
 
   # for crontab when logging
-  if "${LOGGING}"; then
+  if ${LOGGING} || ${QRLOGGING} ; then
     # Set up logrotate
     setup_logrotate
 
@@ -95,7 +118,7 @@ function setup_alpine () {
   fi
 
   # for crontab when logging
-  if "${LOGGING}"; then
+  if ${LOGGING} || ${QRLOGGING} ; then
     # Set up logrotate
     setup_logrotate
 

docker/run.sh

@@ -1,6 +1,7 @@
 #!/usr/bin/env sh
 CONFIG_FILE=/etc/modoh-server.toml
 DEFAULT_OTLP_ENDPOINT=http://localhost:4317
+QRLOG_FILE=/modoh/log/qrlog.log
 
 # debug level logging
 if [ -z $LOG_LEVEL ]; then
@@ -40,8 +41,19 @@ else
   OTEL_ARG="--otel-trace --otel-metrics --otlp-endpoint ${OTLP_ENDPOINT}"
 fi
 
+# query-response logging
+QRLOG_ARG=""
+if [ -z $ENABLE_QRLOG ]; then
+  ENABLE_QRLOG=false
+fi
+if $ENABLE_QRLOG ; then
+  echo "modoh-server: Query-Response logging enabled with file ${QRLOG_FILE}"
+  QRLOG_ARG="--qrlog ${QRLOG_FILE}"
+fi
+
+
 if  $WATCH ; then
-  RUST_LOG=${LOG_LEVEL} /modoh/bin/modoh-server --config ${CONFIG_FILE} -w ${OTEL_ARG}
+  RUST_LOG=${LOG_LEVEL} /modoh/bin/modoh-server --config ${CONFIG_FILE} -w ${OTEL_ARG} ${QRLOG_ARG}
 else
-  RUST_LOG=${LOG_LEVEL} /modoh/bin/modoh-server --config ${CONFIG_FILE} ${OTEL_ARG}
+  RUST_LOG=${LOG_LEVEL} /modoh/bin/modoh-server --config ${CONFIG_FILE} ${OTEL_ARG} ${QRLOG_ARG}
 fi

httpsig-registry/Cargo.toml

@@ -13,13 +13,13 @@ edition.workspace = true
 publish.workspace = true
 
 [dependencies]
-anyhow = { version = "1.0.83" }
-thiserror = { version = "1.0.60" }
-pulldown-cmark = { version = "0.10.3", default-features = false }
+anyhow = { version = "1.0.86" }
+thiserror = { version = "1.0.63" }
+pulldown-cmark = { version = "0.12.0", default-features = false }
 http = { version = "1.1.0" }
-indexmap = { version = "2.2.6" }
+indexmap = { version = "2.4.0" }
 minisign-verify = { version = "0.2.1" }
-reqwest = { version = "0.12.4", default-features = false, features = [
+reqwest = { version = "0.12.7", default-features = false, features = [
   "rustls-tls",
   "http2",
   "hickory-dns",
@@ -28,7 +28,7 @@ futures = { version = "0.3.30", default-features = false, features = [
   "std",
   "async-await",
 ] }
-tokio = { version = "1.37.0", features = [
+tokio = { version = "1.39.3", features = [
   "net",
   "rt-multi-thread",
   "time",

httpsig-wire-proto/Cargo.toml

@@ -13,11 +13,11 @@ edition.workspace = true
 publish.workspace = true
 
 [dependencies]
-anyhow = "1.0.83"
-thiserror = "1.0.60"
+anyhow = "1.0.86"
+thiserror = "1.0.63"
 rand = "0.8.5"
-hpke = "0.11.0"
-bytes = "1.6.0"
+hpke = "0.12.0"
+bytes = "1.7.1"
 byteorder = "1.5.0"
 p256 = { version = "0.13.2" }
 elliptic-curve = { version = "0.13.8", features = ["ecdh"] }

httpsig-wire-proto/src/lib.rs

@@ -23,9 +23,9 @@ pub const HTTPSIG_PROTO_VERSION_PK: u16 = 0x0020;
 /// Key types used for httpsig verification
 /// - Asymmetric key for public-key-based signature like ed25519, ecdsa-p256-sha256 (es256).
 /// - Asymmetric key to perform Diffie-Hellman key exchange for hmac-sha256 (hs256) signature.
-/// These are automatically generated and exposed at `/.well-known/httpsigconfigs` endpoint.
-///   default = ["hs256-x25519-hkdf-sha256"],
-///  supported = "hs256-p256-hkdf-sha256" (hmac-sha256 with hkdf via ecdh), "hs256-x25519-hkdf-sha256" (hmac-sha256 with hkdf via ecdh), "ed25519", and "es256"
+///   These are automatically generated and exposed at `/.well-known/httpsigconfigs` endpoint.
+///   default: ["hs256-x25519-hkdf-sha256"],
+///   supported: "hs256-p256-hkdf-sha256" (hmac-sha256 with hkdf via ecdh), "hs256-x25519-hkdf-sha256" (hmac-sha256 with hkdf via ecdh), "ed25519", and "es256"
 pub enum HttpSigKeyTypes {
   #[default]
   /// hs256-x25519-hkdf-sha256

modoh-bin/Cargo.toml

@@ -15,7 +15,7 @@ publish.workspace = true
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [features]
-default = ["otel-full", "otel-evil-trace"]
+default = ["otel-full", "otel-evil-trace", "qrlog"]
 otel-full = ["otel-trace", "otel-metrics", "otel-instance-id"]
 otel-trace = [
   "opentelemetry/trace",
@@ -38,6 +38,11 @@ otel-base = [
   "dep:opentelemetry-semantic-conventions",
 ]
 otel-instance-id = ["dep:uuid"]
+qrlog = [
+  "modoh-server-lib/qrlog",
+  "tracing-subscriber/json",
+  "tracing-subscriber/chrono",
+]
 
 # DO NOT USE THIS IN PRODUCTION
 otel-evil-trace = ["modoh-server-lib/evil-trace", "otel-trace"]
@@ -47,39 +52,39 @@ modoh-server-lib = { path = "../modoh-lib", default-features = false, features =
   "rustls",
 ] }
 
-anyhow = "1.0.83"
+anyhow = "1.0.86"
 mimalloc = { version = "*", default-features = false }
-serde = { version = "1.0.202", default-features = false, features = ["derive"] }
+serde = { version = "1.0.208", default-features = false, features = ["derive"] }
 derive_builder = "0.20.0"
-tokio = { version = "1.37.0", default-features = false, features = [
+tokio = { version = "1.39.3", default-features = false, features = [
   "net",
   "rt-multi-thread",
   "time",
   "sync",
   "macros",
 ] }
-async-trait = "0.1.80"
-url = "2.5.0"
+async-trait = "0.1.81"
+url = "2.5.2"
 
 # config
-clap = { version = "4.5.4", features = ["std", "cargo", "wrap_help"] }
-toml = { version = "0.8.13", default-features = false, features = ["parse"] }
-hot_reload = "0.1.5"
+clap = { version = "4.5.16", features = ["std", "cargo", "wrap_help"] }
+toml = { version = "0.8.19", default-features = false, features = ["parse"] }
+hot_reload = "0.1.6"
 
 # tracing and metrics
 tracing = { version = "0.1.40" }
-tracing-subscriber = { version = "0.3.18", features = ["env-filter", "json"] }
-tracing-opentelemetry = { version = "0.23.0", optional = true }
-opentelemetry = { version = "0.22.0", optional = true }
-opentelemetry_sdk = { version = "0.22.1", features = [
+tracing-subscriber = { version = "0.3.18", features = ["fmt"] }
+tracing-opentelemetry = { version = "0.25.0", optional = true }
+opentelemetry = { version = "0.24.0", optional = true }
+opentelemetry_sdk = { version = "0.24.1", features = [
   "rt-tokio",
 ], optional = true }
-opentelemetry-stdout = { version = "0.3.0", optional = true }
-opentelemetry-otlp = { version = "0.15.0", optional = true }
-opentelemetry-semantic-conventions = { version = "0.14.0", optional = true }
+opentelemetry-stdout = { version = "0.5.0", optional = true }
+opentelemetry-otlp = { version = "0.17.0", optional = true }
+opentelemetry-semantic-conventions = { version = "0.16.0", optional = true }
 
 # add random otel service id whenever restarting
-uuid = { version = "1.8.0", default-features = false, features = [
+uuid = { version = "1.10.0", default-features = false, features = [
   "v4",
   "fast-rng",
 ], optional = true }

modoh-bin/src/config/parse.rs

@@ -1,4 +1,5 @@
 use crate::trace::TraceConfig;
+use crate::QrlogConfig;
 use clap::{Arg, ArgAction};
 
 #[cfg(any(feature = "otel-trace", feature = "otel-metrics"))]
@@ -13,6 +14,7 @@ pub struct Opts {
   pub config_file_path: String,
   pub watch: bool,
   pub trace_config: TraceConfig<String>,
+  pub qrlog_config: QrlogConfig,
 }
 
 /// Parse arg values passed from cli
@@ -40,15 +42,19 @@ pub fn parse_opts() -> Result<Opts, anyhow::Error> {
       .long("otel-trace")
       .short('t')
       .action(ArgAction::SetTrue)
-      .help("Enable opentelemetry for trace. Unless explicitly specified with '-e', collector endpoint is 'http://localhost:4317'."),
+      .help(
+        "Enable opentelemetry for trace. Unless explicitly specified with '-e', collector endpoint is 'http://localhost:4317'.",
+      ),
   );
   #[cfg(feature = "otel-metrics")]
   let options = options.arg(
     Arg::new("otel_metrics")
       .long("otel-metrics")
       .short('m')
       .action(ArgAction::SetTrue)
-      .help("Enable opentelemetry for metrics. Unless explicitly specified with '-e', collector endpoint is 'http://localhost:4317'."),
+      .help(
+        "Enable opentelemetry for metrics. Unless explicitly specified with '-e', collector endpoint is 'http://localhost:4317'.",
+      ),
   );
   #[cfg(any(feature = "otel-trace", feature = "otel-metrics"))]
   let options = options.arg(
@@ -62,6 +68,14 @@ pub fn parse_opts() -> Result<Opts, anyhow::Error> {
       ])
       .help("Opentelemetry collector endpoint url connected via gRPC"),
   );
+  #[cfg(feature = "qrlog")]
+  let options = options.arg(
+    Arg::new("qrlog")
+      .long("qrlog")
+      .short('q')
+      .value_name("PATH")
+      .help("Enable query-response logging. Unless specified, it is disabled."),
+  );
 
   let matches = options.get_matches();
 
@@ -86,9 +100,17 @@ pub fn parse_opts() -> Result<Opts, anyhow::Error> {
     _marker: std::marker::PhantomData,
   };
 
+  ///////////////////////////////////
+  let qrlog_config = QrlogConfig {
+    #[cfg(feature = "qrlog")]
+    qrlog_path: { matches.get_one::<String>("qrlog").map(|s| s.to_owned()) },
+    _marker: std::marker::PhantomData,
+  };
+
   Ok(Opts {
     config_file_path,
     watch,
     trace_config,
+    qrlog_config,
   })
 }

modoh-bin/src/config/target_config.rs

@@ -65,7 +65,7 @@ impl TryInto<ServiceConfig> for &TargetConfig {
     info!("Listening on {}", service_conf.listener_socket);
 
     if let Some(hostname) = &self.config_toml.hostname {
-      service_conf.hostname.clone_from(hostname);
+      service_conf.hostname.clone_from(&hostname.to_ascii_lowercase());
     }
     info!("Hostname: {}", service_conf.hostname);
 

modoh-bin/src/constants.rs

@@ -3,3 +3,8 @@ pub const CONFIG_WATCH_DELAY_SECS: u32 = 30;
 pub const DEFAULT_OTLP_ENDPOINT: &str = "http://localhost:4317";
 #[cfg(any(feature = "otel-trace", feature = "otel-metrics"))]
 pub const OTEL_SERVICE_NAMESPACE: &str = "modoh";
+#[cfg(feature = "otel-trace")]
+pub const OTEL_TRACE_BATCH_QUEUE_SIZE: usize = 8192;
+
+#[cfg(feature = "qrlog")]
+pub const QRLOG_EVENT_NAME: &str = "qrlog";