feat: certificate fingerprints auto-refresh #247
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
nvtaveras
changed the title
|
closing for #264 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This is an improvement over the way certificate fingerprints are managed for exchange adapters. Instead of having static values hardcoded in the application for each individual adapter, all certificate fingerprints are now placed under a single file
certificates.jsonwhich is periodically fetched by the application by configuring an urlCERTIFICATE_MANAGER_JSON_URLand a refresh intervalCERTIFICATE_MANAGER_REFRESH_INTERVAL_MS. This will allow us to update certificate fingerprints for any adapter whenever they change/expire without having to release a new version of the client and re-deploying the oracles.Instead of hosting the certificates file on a cloud bucket I decided to host it directly in the repo which achieves two things:
During app initialization the certificates are loaded from the local json file, so the application works as before even if the configured url is unavailable/not set during initialization, making these changes backwards compatible.
We can point the
CERTIFICATE_MANAGER_JSON_URLdirectly to the raw url of the file in the repo, eliminating the need of managing the file somewhere else unless we explicitly want to. The default poll interval is set to 10 minutes which I don't think will cause any rate limiting by github but we'll see later after this is deployed.Tested
Tested it by running a local server and modifying the certificates from the served json on the fly and checking that fingerprint errors are fixed after the new json is fetched.