Introduce KeyTransparencyAuditorService

Author: katherine-signal

cmd/kt-client/audit.go

@@ -14,7 +14,7 @@ import (
 	"github.com/signalapp/keytransparency/cmd/kt-server/pb"
 )
 
-func handleAudit(client pb.KeyTransparencyServiceClient) {
+func handleAudit(client pb.KeyTransparencyAuditorServiceClient) {
 	if flag.Arg(1) == "" {
 		log.Fatal("No starting position given. Usage: kt-client audit <start> <limit>")
 	} else if flag.Arg(2) == "" {

cmd/kt-client/main.go

@@ -74,7 +74,7 @@ func main() {
 
 	defer ktConn.Close()
 
-	ktClient := pb.NewKeyTransparencyServiceClient(ktConn)
+	ktAuditorClient := pb.NewKeyTransparencyAuditorServiceClient(ktConn)
 
 	switch flag.Arg(0) {
 	case "distinguished":
@@ -90,7 +90,7 @@ func main() {
 	case "monitor-timing":
 		handleMonitorTiming(ktQueryClient)
 	case "audit":
-		handleAudit(ktClient)
+		handleAudit(ktAuditorClient)
 	default:
 		log.Fatal("Unexpected operation requested. Allowed arguments: search, update, audit, config")
 	}

cmd/kt-server/kt_handler.go

@@ -31,6 +31,7 @@ type KtHandler struct {
 	auditorTreeHeadsCh chan<- updateAuditorTreeHeadRequest // Channel used to set auditor tree heads
 
 	pb.UnimplementedKeyTransparencyServiceServer
+	pb.UnimplementedKeyTransparencyAuditorServiceServer
 }
 
 func (h *KtHandler) TreeSize(ctx context.Context, req *emptypb.Empty) (*pb.TreeSizeResponse, error) {

cmd/kt-server/main.go

@@ -212,8 +212,14 @@ func main() {
 			util.Log().Fatalf("Failed to create listener for kt server: %v", err)
 		}
 
-		ktServer := grpc.NewServer(getServerOptions(config.KtServiceConfig, []grpc.UnaryServerInterceptor{storeAuditorNameInterceptor(config.KtServiceConfig)})...)
+		ktServer := grpc.NewServer(getServerOptions(config.KtServiceConfig, []grpc.UnaryServerInterceptor{
+			// Downstream interceptors expect the auditor name to be stored in the context, so this interceptor must
+			// be listed first.
+			storeAuditorNameInterceptor(config.KtServiceConfig),
+			grpcServiceNameMetricsInterceptor()})...)
 		pb.RegisterKeyTransparencyServiceServer(ktServer, ktHandler)
+		pb.RegisterKeyTransparencyAuditorServiceServer(ktServer, ktHandler)
+
 		util.Log().Infof("Starting kt server at: %v", ktServiceConfig.ServerAddr)
 		if config.KtTestServiceConfig == nil {
 			healthCheck.SetServingStatus(readiness, healthpb.HealthCheckResponse_SERVING)

cmd/kt-server/pb/key_transparency.pb.go

@@ -38,3 +38,15 @@ service KeyTransparencyService {
   // Auditors use this endpoint to return a signature on the log tree root hash corresponding to the last audited update.
   rpc SetAuditorHead(transparency.AuditorTreeHead) returns (google.protobuf.Empty) {}
 }
+
+// A key transparency service used to provide data to auditors and to accept auditor-signed tree heads.
+// Outside of third-party auditors, this service's endpoints are *not* intended to be used by external clients.
+// It is exposed to the public internet by necessity but will reject calls from unauthenticated callers.
+service KeyTransparencyAuditorService {
+  // Auditors can query this endpoint to learn the current size of the transparency log.
+  rpc TreeSize(google.protobuf.Empty) returns (TreeSizeResponse) {}
+  // Auditors use this endpoint to request a batch of key transparency service updates to audit.
+  rpc Audit(AuditRequest) returns (AuditResponse) {}
+  // Auditors use this endpoint to return a signature on the log tree root hash corresponding to the last audited update.
+  rpc SetAuditorHead(transparency.AuditorTreeHead) returns (google.protobuf.Empty) {}
+}

cmd/kt-server/pb/key_transparency.proto

@@ -10,7 +10,9 @@ import (
 	"context"
 	"crypto/subtle"
 	"fmt"
+	"strings"
 
+	"github.com/hashicorp/go-metrics"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/metadata"
@@ -97,6 +99,37 @@ func storeAuditorNameInterceptor(config *config.ServiceConfig) func(ctx context.
 	}
 }
 
+func grpcServiceNameMetricsInterceptor() grpc.UnaryServerInterceptor {
+	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
+		service, method, err := parseFullMethodString(info.FullMethod)
+		if err != nil {
+			return nil, err
+		}
+		auditorName, ok := ctx.Value(AuditorNameContextKey).(string)
+		if !ok {
+			return nil, status.Error(codes.InvalidArgument, fmt.Sprintf("invalid type for auditor name. expected string, got %T", auditorName))
+		}
+		labels := []metrics.Label{{Name: "service", Value: service}, {Name: "method", Value: method}, {Name: "auditor", Value: auditorName}}
+		metrics.IncrCounterWithLabels([]string{"kt_handler"}, 1, labels)
+
+		return handler(ctx, req)
+	}
+}
+
+// Parses the full RPC method string for the service and method names.
+// The string is expected to be in the format: /package.service/method.
+func parseFullMethodString(fullMethod string) (string, string, error) {
+	parts := strings.Split(fullMethod, "/")
+	if len(parts) != 3 || len(parts[1]) == 0 || len(parts[2]) == 0 {
+		return "", "", status.Error(codes.InvalidArgument, fmt.Sprintf("unexpected RPC path: %s", fullMethod))
+	}
+	parsedPackageService := strings.Split(parts[1], ".")
+	if len(parsedPackageService) != 2 || len(parsedPackageService[0]) == 0 || len(parsedPackageService[1]) == 0 {
+		return "", "", status.Error(codes.InvalidArgument, fmt.Sprintf("unexpected RPC path: %s", fullMethod))
+	}
+	return parsedPackageService[1], parts[2], nil
+}
+
 // validateAuthorizedHeaders ensures that at least one of the specified header to value mappings is present on the request
 // Returns the last header value that matched.
 func validateAuthorizedHeaders(authorizedHeaders map[string][]string, md metadata.MD) (string, error) {