forked from trustbloc/vcs
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: add support OIDC client credential authorization
Closes trustbloc#751 Signed-off-by: Andrii Holovko <[email protected]>
- Loading branch information
Showing
19 changed files
with
503 additions
and
61 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
/* | ||
Copyright SecureKey Technologies Inc. All Rights Reserved. | ||
SPDX-License-Identifier: Apache-2.0 | ||
*/ | ||
|
||
package mw | ||
|
||
import ( | ||
"crypto/subtle" | ||
"net/http" | ||
|
||
"github.com/labstack/echo/v4" | ||
) | ||
|
||
const ( | ||
header = "X-API-Key" | ||
) | ||
|
||
// APIKeyAuth returns a middleware that authenticates requests using the API key from X-API-Key header. | ||
func APIKeyAuth(apiKey string) echo.MiddlewareFunc { | ||
return func(next echo.HandlerFunc) echo.HandlerFunc { | ||
return func(c echo.Context) error { | ||
apiKeyHeader := c.Request().Header.Get(header) | ||
if subtle.ConstantTimeCompare([]byte(apiKeyHeader), []byte(apiKey)) != 1 { | ||
return &echo.HTTPError{ | ||
Code: http.StatusUnauthorized, | ||
Message: "Unauthorized", | ||
} | ||
} | ||
|
||
return next(c) | ||
} | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
/* | ||
Copyright SecureKey Technologies Inc. All Rights Reserved. | ||
SPDX-License-Identifier: Apache-2.0 | ||
*/ | ||
|
||
package mw_test | ||
|
||
import ( | ||
"net/http" | ||
"net/http/httptest" | ||
"testing" | ||
|
||
"github.com/labstack/echo/v4" | ||
"github.com/stretchr/testify/require" | ||
|
||
"github.com/trustbloc/vcs/pkg/restapi/v1/mw" | ||
) | ||
|
||
func TestApiKeyAuth(t *testing.T) { | ||
t.Run("Success", func(t *testing.T) { | ||
handlerCalled := false | ||
handler := func(c echo.Context) error { | ||
handlerCalled = true | ||
return c.String(http.StatusOK, "test") | ||
} | ||
|
||
middlewareChain := mw.APIKeyAuth("test-api-key")(handler) | ||
|
||
e := echo.New() | ||
req := httptest.NewRequest(http.MethodGet, "/", nil) | ||
req.Header.Set("X-API-Key", "test-api-key") | ||
rec := httptest.NewRecorder() | ||
c := e.NewContext(req, rec) | ||
|
||
err := middlewareChain(c) | ||
|
||
require.NoError(t, err) | ||
require.True(t, handlerCalled) | ||
}) | ||
|
||
t.Run("401 Unauthorized", func(t *testing.T) { | ||
handlerCalled := false | ||
handler := func(c echo.Context) error { | ||
handlerCalled = true | ||
return c.String(http.StatusOK, "test") | ||
} | ||
|
||
middlewareChain := mw.APIKeyAuth("test-api-key")(handler) | ||
|
||
e := echo.New() | ||
req := httptest.NewRequest(http.MethodGet, "/", nil) | ||
req.Header.Set("X-API-Key", "invalid-api-key") | ||
rec := httptest.NewRecorder() | ||
c := e.NewContext(req, rec) | ||
|
||
err := middlewareChain(c) | ||
|
||
require.Error(t, err) | ||
require.Contains(t, err.Error(), "Unauthorized") | ||
require.False(t, handlerCalled) | ||
}) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
#!/bin/sh | ||
# | ||
# Copyright SecureKey Technologies Inc. All Rights Reserved. | ||
# | ||
# SPDX-License-Identifier: Apache-2.0 | ||
# | ||
|
||
echo "Creating client for org1..." | ||
# will use --skip-tls-verify because hydra doesn't trust self-signed certificate | ||
# remove it when using real certificate | ||
hydra clients create \ | ||
--endpoint https://oidc-provider.example.com:4445 \ | ||
--id org1 \ | ||
--secret org1-secret \ | ||
--grant-types client_credentials \ | ||
--response-types token,code \ | ||
--scope org_admin \ | ||
--skip-tls-verify | ||
|
||
echo "Finished creating client for org1" |
Oops, something went wrong.