feat(relay): add mechanism to only allow events from trusted relays (#4772)

This PR adds a signature to requests between relays which is used to
verify if the request comes from a trusted relay.

It leverages the signature mechanism used by `relay-auth` which already
includes a timestamp which can be checked for a `max_age`. The signature
itself does not contain any data since we are not interested in data
integrity and we just want to see if we can successfully verify the
signature by any of the public keys that are added by the user.

Envelopes coming from internal relays are not checked because they are
already in our infrastructure and are considered trusted.

The `max_age` for envelopes from external relays is set to 5 Minutes
currently.

ref RELAY-17

Author: Litarnus

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## Unreleased
 
+**Features**:
+
+- Add mechanism to allow ingestion only from trusted relays. ([#4772](https://github.com/getsentry/relay/pull/4772))
+
 **Bug Fixes**:
 
 - Preserve user specified event values in Unreal crash reports. ([#4882](https://github.com/getsentry/relay/pull/4882))

relay-auth/src/lib.rs

@@ -23,6 +23,7 @@
 )]
 
 use std::fmt;
+use std::fmt::Display;
 use std::str::FromStr;
 
 use chrono::{DateTime, Duration, Utc};
@@ -196,7 +197,7 @@ impl SecretKey {
     /// Signs some data with the secret key and returns the signature.
     ///
     /// This is will sign with the default header.
-    pub fn sign(&self, data: &[u8]) -> String {
+    pub fn sign(&self, data: &[u8]) -> Signature {
         self.sign_with_header(data, &SignatureHeader::default())
     }
 
@@ -205,7 +206,7 @@ impl SecretKey {
     ///
     /// The default behavior is to attach the timestamp in the header to the
     /// signature so that old signatures on verification can be rejected.
-    pub fn sign_with_header(&self, data: &[u8], header: &SignatureHeader) -> String {
+    pub fn sign_with_header(&self, data: &[u8], header: &SignatureHeader) -> Signature {
         let mut header =
             serde_json::to_vec(&header).expect("attempted to pack non json safe header");
         let header_encoded = BASE64URL_NOPAD.encode(&header);
@@ -215,11 +216,11 @@ impl SecretKey {
         let mut sig_encoded = BASE64URL_NOPAD.encode(&sig.to_bytes());
         sig_encoded.push('.');
         sig_encoded.push_str(&header_encoded);
-        sig_encoded
+        Signature(sig_encoded)
     }
 
     /// Packs some serializable data into JSON and signs it with the default header.
-    pub fn pack<S: Serialize>(&self, data: S) -> (Vec<u8>, String) {
+    pub fn pack<S: Serialize>(&self, data: S) -> (Vec<u8>, Signature) {
         self.pack_with_header(data, &SignatureHeader::default())
     }
 
@@ -228,7 +229,7 @@ impl SecretKey {
         &self,
         data: S,
         header: &SignatureHeader,
-    ) -> (Vec<u8>, String) {
+    ) -> (Vec<u8>, Signature) {
         // this can only fail if we deal with badly formed data.  In that case we
         // consider that a panic.  Should not happen.
         let json = serde_json::to_vec(&data).expect("attempted to pack non json safe data");
@@ -302,8 +303,8 @@ pub struct PublicKey {
 impl PublicKey {
     /// Verifies the signature and returns the embedded signature
     /// header.
-    pub fn verify_meta(&self, data: &[u8], sig: &str) -> Option<SignatureHeader> {
-        let mut iter = sig.splitn(2, '.');
+    pub fn verify_meta(&self, data: &[u8], sig: SignatureRef<'_>) -> Option<SignatureHeader> {
+        let mut iter = sig.0.splitn(2, '.');
         let sig_bytes = match iter.next() {
             Some(sig_encoded) => BASE64URL_NOPAD.decode(sig_encoded.as_bytes()).ok()?,
             None => return None,
@@ -325,12 +326,17 @@ impl PublicKey {
     }
 
     /// Verifies a signature but discards the header.
-    pub fn verify(&self, data: &[u8], sig: &str) -> bool {
+    pub fn verify(&self, data: &[u8], sig: SignatureRef<'_>) -> bool {
         self.verify_meta(data, sig).is_some()
     }
 
     /// Verifies a signature and checks the timestamp.
-    pub fn verify_timestamp(&self, data: &[u8], sig: &str, max_age: Option<Duration>) -> bool {
+    pub fn verify_timestamp(
+        &self,
+        data: &[u8],
+        sig: SignatureRef<'_>,
+        max_age: Option<Duration>,
+    ) -> bool {
         self.verify_meta(data, sig)
             .map(|header| max_age.is_none() || !header.expired(max_age.unwrap()))
             .unwrap_or(false)
@@ -340,7 +346,7 @@ impl PublicKey {
     pub fn unpack_meta<D: DeserializeOwned>(
         &self,
         data: &[u8],
-        signature: &str,
+        signature: SignatureRef<'_>,
     ) -> Result<(SignatureHeader, D), UnpackError> {
         if let Some(header) = self.verify_meta(data, signature) {
             serde_json::from_slice(data)
@@ -358,7 +364,7 @@ impl PublicKey {
     pub fn unpack<D: DeserializeOwned>(
         &self,
         data: &[u8],
-        signature: &str,
+        signature: SignatureRef<'_>,
         max_age: Option<Duration>,
     ) -> Result<D, UnpackError> {
         let (header, data) = self.unpack_meta(data, signature)?;
@@ -575,7 +581,7 @@ impl RegisterRequest {
     /// the data is returned.
     pub fn bootstrap_unpack(
         data: &[u8],
-        signature: &str,
+        signature: SignatureRef<'_>,
         max_age: Option<Duration>,
     ) -> Result<RegisterRequest, UnpackError> {
         let req: RegisterRequest = serde_json::from_slice(data).map_err(UnpackError::BadPayload)?;
@@ -653,7 +659,7 @@ impl RegisterResponse {
     /// Unpacks the register response and validates signatures.
     pub fn unpack(
         data: &[u8],
-        signature: &str,
+        signature: SignatureRef<'_>,
         secret: &[u8],
         max_age: Option<Duration>,
     ) -> Result<(Self, RegisterState), UnpackError> {
@@ -687,6 +693,80 @@ impl RegisterResponse {
     }
 }
 
+/// A wrapper around a String that represents a signature.
+#[derive(Debug, Clone, PartialEq)]
+pub struct Signature(pub String);
+
+impl Display for Signature {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        write!(f, "{}", self.0)
+    }
+}
+
+impl Signature {
+    /// Verifies the signature against any of the provided public keys.
+    ///
+    /// Returns `true` if the signature is valid with one of the given
+    /// public keys and satisfies the timestamp constraints defined by `start_time`
+    /// and `max_age`.
+    pub fn verify_any(
+        &self,
+        public_key: &[PublicKey],
+        start_time: DateTime<Utc>,
+        max_age: Duration,
+    ) -> bool {
+        public_key
+            .iter()
+            .any(|p| self.verify(p, start_time, max_age))
+    }
+
+    /// Verifies the signature using the specified public key.
+    ///
+    /// The signature is considered valid if it can be verified using the given
+    /// public key and its embedded timestamp falls within the valid time range,
+    /// starting from `start_time` and not exceeding `max_age`.
+    pub fn verify(
+        &self,
+        public_key: &PublicKey,
+        start_time: DateTime<Utc>,
+        max_age: Duration,
+    ) -> bool {
+        let Some(header) = public_key.verify_meta(&[], self.as_signature_ref()) else {
+            return false;
+        };
+        let Some(timestamp) = header.timestamp else {
+            return false;
+        };
+        let elapsed = start_time - timestamp;
+        elapsed >= Duration::zero() && elapsed <= max_age
+    }
+
+    /// Verifies the signature against the given data and public key.
+    ///
+    /// Returns `true` if the signature is valid for the provided `data`
+    /// when verified with the given public key.
+    pub fn verify_bytes(&self, data: &[u8], public_key: &PublicKey) -> bool {
+        public_key
+            .verify_meta(data, self.as_signature_ref())
+            .is_some()
+    }
+
+    /// Returns a borrowed view of the signature as a `SignatureRef`.
+    ///
+    /// This method provides a lightweight reference wrapper over the internal
+    /// signature data.
+    pub fn as_signature_ref(&self) -> SignatureRef<'_> {
+        SignatureRef(self.0.as_str())
+    }
+}
+
+/// A borrowed reference to a signature string used for validation.
+///
+/// `SignatureRef` provides a view into the signature data as a string slice,
+/// allowing verification to work with borrowed data without unnecessary allocations.
+/// This type is typically obtained by borrowing from an owned [`Signature`].
+pub struct SignatureRef<'a>(pub &'a str);
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -753,10 +833,10 @@ mod tests {
         let data = b"Hello World!";
 
         let sig = sk.sign(data);
-        assert!(pk.verify(data, &sig));
+        assert!(pk.verify(data, sig.as_signature_ref()));
 
         let bad_sig = "jgubwSf2wb2wuiRpgt2H9_bdDSMr88hXLp5zVuhbr65EGkSxOfT5ILIWr623twLgLd0bDgHg6xzOaUCX7XvUCw";
-        assert!(!pk.verify(data, bad_sig));
+        assert!(!pk.verify(data, SignatureRef(bad_sig)));
     }
 
     #[test]
@@ -774,8 +854,12 @@ mod tests {
         let (request_bytes, request_sig) = sk.pack(request);
 
         // attempt to get the data through bootstrap unpacking.
-        let request =
-            RegisterRequest::bootstrap_unpack(&request_bytes, &request_sig, Some(max_age)).unwrap();
+        let request = RegisterRequest::bootstrap_unpack(
+            &request_bytes,
+            request_sig.as_signature_ref(),
+            Some(max_age),
+        )
+        .unwrap();
         assert_eq!(request.relay_id(), relay_id);
         assert_eq!(request.public_key(), &pk);
 
@@ -800,7 +884,7 @@ mod tests {
         let (response_bytes, response_sig) = sk.pack(response);
         let (response, _) = RegisterResponse::unpack(
             &response_bytes,
-            &response_sig,
+            response_sig.as_signature_ref(),
             upstream_secret,
             Some(max_age),
         )
@@ -836,8 +920,12 @@ mod tests {
         println!("REQUEST_SIG = \"{request_sig}\"");
 
         // attempt to get the data through bootstrap unpacking.
-        let request =
-            RegisterRequest::bootstrap_unpack(&request_bytes, &request_sig, Some(max_age)).unwrap();
+        let request = RegisterRequest::bootstrap_unpack(
+            &request_bytes,
+            request_sig.as_signature_ref(),
+            Some(max_age),
+        )
+        .unwrap();
 
         let upstream_secret = b"secret";
 
@@ -906,4 +994,61 @@ mod tests {
     fn test_relay_version_from_str() {
         assert_eq!(RelayVersion::new(20, 7, 0), "20.7.0".parse().unwrap());
     }
+
+    #[test]
+    fn test_verify_any() {
+        let pair1 = generate_key_pair();
+        let pair2 = generate_key_pair();
+        let pair3 = generate_key_pair();
+
+        let signature = pair3.0.sign(&[]);
+        assert!(signature.verify_any(
+            &[pair1.1, pair2.1, pair3.1],
+            Utc::now(),
+            Duration::seconds(10)
+        ));
+    }
+
+    #[test]
+    fn test_verify_max_age() {
+        let pair = generate_key_pair();
+        let signature = pair.0.sign(&[]);
+        let start_time = Utc::now();
+        // The signature is valid in general
+        assert!(signature.verify(&pair.1, start_time, Duration::seconds(10)));
+        // Signature is no longer valid because too much time elapsed
+        assert!(!signature.verify(
+            &pair.1,
+            start_time - Duration::seconds(1),
+            Duration::milliseconds(500)
+        ))
+    }
+
+    #[test]
+    fn test_verify_any_max_age() {
+        let start_time = Utc::now();
+        let pair1 = generate_key_pair();
+        let pair2 = generate_key_pair();
+        let pair3 = generate_key_pair();
+
+        let header = SignatureHeader {
+            timestamp: Some(start_time),
+        };
+        let signature = pair3.0.sign_with_header(&[], &header);
+
+        let public_keys = &[pair1.1, pair2.1, pair3.1];
+
+        // Signature still valid after 1 second
+        assert!(signature.verify_any(
+            public_keys,
+            start_time + Duration::seconds(1),
+            Duration::seconds(2)
+        ));
+        // Signature is no longer valid because too much time elapsed
+        assert!(!signature.verify_any(
+            public_keys,
+            start_time + Duration::seconds(3),
+            Duration::seconds(2)
+        ))
+    }
 }

relay-cabi/src/auth.rs

@@ -1,6 +1,6 @@
 use chrono::Duration;
 use relay_auth::{
-    PublicKey, RegisterRequest, RegisterResponse, RelayId, RelayVersion, SecretKey,
+    PublicKey, RegisterRequest, RegisterResponse, RelayId, RelayVersion, SecretKey, SignatureRef,
     generate_key_pair, generate_relay_id,
 };
 use serde::Serialize;
@@ -60,7 +60,8 @@ pub unsafe extern "C" fn relay_publickey_verify(
     sig: *const RelayStr,
 ) -> bool {
     let pk = spk as *const PublicKey;
-    unsafe { (*pk).verify((*data).as_bytes(), (*sig).as_str()) }
+    let signature = SignatureRef(unsafe { (*sig).as_str() });
+    unsafe { (*pk).verify((*data).as_bytes(), signature) }
 }
 
 /// Verifies a signature
@@ -74,7 +75,8 @@ pub unsafe extern "C" fn relay_publickey_verify_timestamp(
 ) -> bool {
     let pk = spk as *const PublicKey;
     let max_age = Some(Duration::seconds(i64::from(max_age)));
-    unsafe { (*pk).verify_timestamp((*data).as_bytes(), (*sig).as_str(), max_age) }
+    let signature = SignatureRef(unsafe { (*sig).as_str() });
+    unsafe { (*pk).verify_timestamp((*data).as_bytes(), signature, max_age) }
 }
 
 /// Parses a secret key from a string.
@@ -111,7 +113,8 @@ pub unsafe extern "C" fn relay_secretkey_sign(
     data: *const RelayBuf,
 ) -> RelayStr {
     let pk = spk as *const SecretKey;
-    unsafe { RelayStr::from_string((*pk).sign((*data).as_bytes())) }
+    let signature = unsafe { (*pk).sign((*data).as_bytes()) };
+    RelayStr::from_string(signature.0)
 }
 
 /// Generates a secret, public key pair.
@@ -146,10 +149,10 @@ pub unsafe extern "C" fn relay_create_register_challenge(
         0 => None,
         m => Some(Duration::seconds(i64::from(m))),
     };
+    let signature = SignatureRef(unsafe { (*signature).as_str() });
 
     let challenge = unsafe {
-        let req =
-            RegisterRequest::bootstrap_unpack((*data).as_bytes(), (*signature).as_str(), max_age)?;
+        let req = RegisterRequest::bootstrap_unpack((*data).as_bytes(), signature, max_age)?;
 
         req.into_challenge((*secret).as_str().as_bytes())
     };
@@ -179,9 +182,10 @@ pub unsafe extern "C" fn relay_validate_register_response(
         m => Some(Duration::seconds(i64::from(m))),
     };
 
+    let signature = SignatureRef(unsafe { (*signature).as_str() });
     let (response, state) = RegisterResponse::unpack(
         unsafe { (*data).as_bytes() },
-        unsafe { (*signature).as_str() },
+        signature,
         unsafe { (*secret).as_str().as_bytes() },
         max_age,
     )?;