Merge pull request #305 from aholovko/gnap_acceptance_test

test: acceptance test for GNAP authorization support
trustbloc · May 24, 2022 · 52184bd · 52184bd
2 parents bf9a56f + d3bc955
commit 52184bd
Show file tree

Hide file tree

Showing 21 changed files with 2,144 additions and 97 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -18,6 +18,15 @@ on:
       - main
 
 jobs:
+  SemanticPullRequest:
+    name: Semantic Pull Request Check
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: amannn/action-semantic-pull-request@v4
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
   Checks:
     runs-on: ubuntu-latest
     timeout-minutes: 10
@@ -66,6 +75,7 @@ jobs:
       - name: Run BDD tests
         run: |
           echo '127.0.0.1 oidc.provider.example.com' | sudo tee -a /etc/hosts
+          echo '127.0.0.1 auth.trustbloc.local' | sudo tee -a /etc/hosts
           make bdd-test
 
   Publish:

diff --git a/cmd/kms-server/go.mod b/cmd/kms-server/go.mod
@@ -16,8 +16,8 @@ require (
 	github.com/hyperledger/aries-framework-go-ext/component/storage/couchdb v0.0.0-20220330151152-6bbd64bde42e
 	github.com/hyperledger/aries-framework-go-ext/component/storage/mongodb v0.0.0-20220330151152-6bbd64bde42e
 	github.com/hyperledger/aries-framework-go-ext/component/vdr/orb v1.0.0-rc.1
-	github.com/hyperledger/aries-framework-go/component/storageutil v0.0.0-20220330140627-07042d78580c
-	github.com/hyperledger/aries-framework-go/spi v0.0.0-20220330140627-07042d78580c
+	github.com/hyperledger/aries-framework-go/component/storageutil v0.0.0-20220516154446-0ba34929e05b
+	github.com/hyperledger/aries-framework-go/spi v0.0.0-20220516154446-0ba34929e05b
 	github.com/lafriks/go-shamir v1.1.0
 	github.com/ory/dockertest/v3 v3.8.1
 	github.com/piprate/json-gold v0.4.1

diff --git a/cmd/kms-server/go.sum b/cmd/kms-server/go.sum
@@ -820,8 +820,9 @@ github.com/hyperledger/aries-framework-go/component/storageutil v0.0.0-202203080
 github.com/hyperledger/aries-framework-go/component/storageutil v0.0.0-20220322085443-50e8f9bd208b/go.mod h1:yLgRpVlZ2heeeOpTgvEnG/yHL9q1keUu5ILQ6s2qpLU=
 github.com/hyperledger/aries-framework-go/component/storageutil v0.0.0-20220324201531-18c87667df19/go.mod h1:ryG46jQRvQUUH/0wjORghfJnxJVH1yIXIsAv1GXIWp8=
 github.com/hyperledger/aries-framework-go/component/storageutil v0.0.0-20220330133350-1c2d9d65aea4/go.mod h1:ryG46jQRvQUUH/0wjORghfJnxJVH1yIXIsAv1GXIWp8=
-github.com/hyperledger/aries-framework-go/component/storageutil v0.0.0-20220330140627-07042d78580c h1:SMqJ0JQM4a2/aVmJtlJgJQDl+6GTPygka9lUUy8OtXc=
 github.com/hyperledger/aries-framework-go/component/storageutil v0.0.0-20220330140627-07042d78580c/go.mod h1:ryG46jQRvQUUH/0wjORghfJnxJVH1yIXIsAv1GXIWp8=
+github.com/hyperledger/aries-framework-go/component/storageutil v0.0.0-20220516154446-0ba34929e05b h1:G6t6RwcIOn9/0zK4ONVsViBaMAq4oqqzh9mT4WxYrY0=
+github.com/hyperledger/aries-framework-go/component/storageutil v0.0.0-20220516154446-0ba34929e05b/go.mod h1:ryG46jQRvQUUH/0wjORghfJnxJVH1yIXIsAv1GXIWp8=
 github.com/hyperledger/aries-framework-go/spi v0.0.0-20210320144851-40976de98ccf/go.mod h1:fDr9wW00GJJl1lR1SFHmJW8utIocdvjO5RNhAYS05EY=
 github.com/hyperledger/aries-framework-go/spi v0.0.0-20210322152545-e6ebe2c79a2a/go.mod h1:fDr9wW00GJJl1lR1SFHmJW8utIocdvjO5RNhAYS05EY=
 github.com/hyperledger/aries-framework-go/spi v0.0.0-20210409151411-eeeb8508bd87/go.mod h1:dBYKKD8U8U9o0g5BdNFFaRtjt9KTkiAYfQt+TTp+w1o=
@@ -845,8 +846,9 @@ github.com/hyperledger/aries-framework-go/spi v0.0.0-20220308060532-714cd5c18552
 github.com/hyperledger/aries-framework-go/spi v0.0.0-20220322085443-50e8f9bd208b/go.mod h1:4bD5c5fj5K7rkQurVa/8I8+TfNcI4bxIBzaUNcxTOTg=
 github.com/hyperledger/aries-framework-go/spi v0.0.0-20220324201531-18c87667df19/go.mod h1:4bD5c5fj5K7rkQurVa/8I8+TfNcI4bxIBzaUNcxTOTg=
 github.com/hyperledger/aries-framework-go/spi v0.0.0-20220330133350-1c2d9d65aea4/go.mod h1:4bD5c5fj5K7rkQurVa/8I8+TfNcI4bxIBzaUNcxTOTg=
-github.com/hyperledger/aries-framework-go/spi v0.0.0-20220330140627-07042d78580c h1:snzJfKNYzt57Q2/+P0YdCJus+K2k3c3fUTvOSoHSUxU=
 github.com/hyperledger/aries-framework-go/spi v0.0.0-20220330140627-07042d78580c/go.mod h1:4bD5c5fj5K7rkQurVa/8I8+TfNcI4bxIBzaUNcxTOTg=
+github.com/hyperledger/aries-framework-go/spi v0.0.0-20220516154446-0ba34929e05b h1:FKKAVz3KHByOxGyy6akY1T8RHlDuYPXiq+OeZB0NL8Q=
+github.com/hyperledger/aries-framework-go/spi v0.0.0-20220516154446-0ba34929e05b/go.mod h1:4bD5c5fj5K7rkQurVa/8I8+TfNcI4bxIBzaUNcxTOTg=
 github.com/hyperledger/aries-framework-go/test/component v0.0.0-20210324232048-34ff560ed041/go.mod h1:eKGEEe+PJNDQo7kVif3sUKBWwnsQDkE3gD/QlpmukcQ=
 github.com/hyperledger/aries-framework-go/test/component v0.0.0-20210409151411-eeeb8508bd87/go.mod h1:JHzDtgJLd0134iLFXLxGBjJF+Z+TgiElA/5oVgMazts=
 github.com/hyperledger/aries-framework-go/test/component v0.0.0-20210421203733-b5dfd703a8fc/go.mod h1:asiCVCtH/nocWKhZRMz12aFgdUh8lRHqKis0M8Ei/4I=

diff --git a/scripts/generate_test_keys.sh b/scripts/generate_test_keys.sh
@@ -19,7 +19,8 @@ subjectAltName = @alt_names
 [alt_names]
 DNS.1 = localhost
 DNS.2 = oidc.provider.example.com
-DNS.3 = *.trustbloc.local" >> "$tmp"
+DNS.3 = *.trustbloc.local
+DNS.4 = testnet.orb.local" >> "$tmp"
 
 #create CA
 openssl ecparam -name prime256v1 -genkey -noout -out test/bdd/fixtures/keys/tls/ec-cakey.pem

diff --git a/test/bdd/bddtests_test.go b/test/bdd/bddtests_test.go
@@ -21,6 +21,7 @@ import (
 	"github.com/trustbloc/kms/test/bdd/pkg/cli"
 	"github.com/trustbloc/kms/test/bdd/pkg/common"
 	"github.com/trustbloc/kms/test/bdd/pkg/context"
+	"github.com/trustbloc/kms/test/bdd/pkg/gnap"
 	"github.com/trustbloc/kms/test/bdd/pkg/keystore"
 	"github.com/trustbloc/kms/test/bdd/pkg/kms"
 )
@@ -35,8 +36,8 @@ const (
 var logger = log.New("kms/bdd")
 
 func TestMain(m *testing.M) {
-	// default is to run all tests with tag @all
-	tags := "all"
+	// default is to run all tests with tag @all but excluding those marked with @wip
+	tags := "all && ~@wip"
 
 	if os.Getenv("TAGS") != "" {
 		tags = os.Getenv("TAGS")
@@ -142,10 +143,16 @@ func initializeScenario(ctx *godog.ScenarioContext) {
 		logger.Fatalf("Failed to create a new BDD context: %s", err.Error())
 	}
 
+	gnapSteps, err := gnap.NewSteps(bddContext.TLSConfig())
+	if err != nil {
+		logger.Fatalf("Failed to create gnap steps: %s", err.Error())
+	}
+
 	features := []feature{
 		common.NewSteps(),
 		keystore.NewSteps(),
 		kms.NewSteps(bddContext.TLSConfig()),
+		gnapSteps,
 		cli.NewCLISteps(),
 	}
 

diff --git a/test/bdd/features/keystore_api.feature b/test/bdd/features/keystore_api.feature
@@ -10,6 +10,6 @@ Feature: Keystore management operations
 
   Scenario: User creates a keystore
     Given Key Server is running on "localhost" port "4466"
-    And   Hub Auth is running on "localhost" port "8070"
+    And   Hub Auth is running on "auth.trustbloc.local" port "8070"
     When  user makes an HTTP POST to "https://localhost:4466/v1/keystores" to create a keystore
     Then  user gets a response with HTTP status "200 OK" and valid key store URL and root capabilities
diff --git a/test/bdd/features/kms_api.feature b/test/bdd/features/kms_api.feature
@@ -10,7 +10,7 @@ Feature: KMS and crypto operations
   Background:
     Given Key Server is running on "localhost" port "4466"
       And AuthZ Key Server is running on "localhost" port "4455"
-      And Hub Auth is running on "localhost" port "8070"
+      And Hub Auth is running on "auth.trustbloc.local" port "8070"
       And EDV is running on "localhost" port "8081"
       And "Alice" wallet has stored secret on Hub Auth
       And "Bob" wallet has stored secret on Hub Auth

diff --git a/test/bdd/features/kms_crypto_box_api.feature b/test/bdd/features/kms_crypto_box_api.feature
@@ -10,7 +10,7 @@ Feature: KMS CryptoBox operations
   Background:
     Given Key Server is running on "localhost" port "4466"
       And AuthZ Key Server is running on "localhost" port "4455"
-      And Hub Auth is running on "localhost" port "8070"
+      And Hub Auth is running on "auth.trustbloc.local" port "8070"
       And EDV is running on "localhost" port "8081"
       And "Alice" wallet has stored secret on Hub Auth
       And "Bob" wallet has stored secret on Hub Auth

diff --git a/test/bdd/features/kms_gnap.feature b/test/bdd/features/kms_gnap.feature
@@ -0,0 +1,20 @@
+#
+# Copyright SecureKey Technologies Inc. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+@all
+@gnap
+@wip
+Feature: KMS authorization with GNAP
+  Scenario: User authorizes with GNAP to create a key store
+    Given "Alice" has been granted with GNAP access token to Key Server
+    When  an HTTP POST with GNAP access token and "(request-target),authorization,digest" headers signed by "Alice" is sent to "https://localhost:4466/v1/keystores"
+          """
+          {
+            "controller": "{{ .GetDID "Alice" }}"
+          }
+          """
+    Then  response status is "200 OK"
+     And  response contains non-empty "key_store_url"
diff --git a/test/bdd/fixtures/.env b/test/bdd/fixtures/.env
@@ -7,15 +7,18 @@
 KMS_SERVER_IMAGE=ghcr.io/trustbloc/kms
 
 AUTH_REST_IMAGE=ghcr.io/trustbloc-cicd/auth
-AUTH_REST_IMAGE_TAG=0.1.9-snapshot-15ed894
+AUTH_REST_IMAGE_TAG=0.1.9-snapshot-2540de8
 
 HYDRA_IMAGE_TAG=v1.3.2-alpine
 MYSQL_IMAGE_TAG=8.0.20
 
 MOCK_LOGIN_CONSENT_IMAGE=mockloginconsent
 
-EDV_REST_IMAGE=ghcr.io/trustbloc/edv
-EDV_REST_IMAGE_TAG=0.1.8
+SIDETREE_MOCK_IMAGE=ghcr.io/trustbloc-cicd/sidetree-mock
+SIDETREE_MOCK_IMAGE_TAG=0.7.0-snapshot-799d4d5
+
+EDV_REST_IMAGE=ghcr.io/trustbloc-cicd/edv
+EDV_REST_IMAGE_TAG=0.1.9-snapshot-fb17917
 
 MONGODB_IMAGE=mongo
 MONGODB_IMAGE_TAG=4.0.0

diff --git a/test/bdd/fixtures/docker-compose.yml b/test/bdd/fixtures/docker-compose.yml
@@ -235,25 +235,27 @@ services:
     image: ${AUTH_REST_IMAGE}:${AUTH_REST_IMAGE_TAG}
     environment:
       - AUTH_REST_HOST_URL=0.0.0.0:8070
+      - AUTH_REST_EXTERNAL_URL=https://auth.trustbloc.local:8070
       - AUTH_REST_TLS_CACERTS=/etc/keys/tls/ec-cacert.pem
       - AUTH_REST_TLS_SYSTEMCERTPOOL=true
       - AUTH_REST_TLS_SERVE_CERT=/etc/keys/tls/ec-pubCert.pem
       - AUTH_REST_TLS_SERVE_KEY=/etc/keys/tls/ec-key.pem
       - AUTH_REST_DATABASE_TYPE=mongodb
       - AUTH_REST_DATABASE_URL=mongodb://mongodb.example.com:27017
       - AUTH_REST_DATABASE_PREFIX=authrest_
-      - AUTH_REST_OIDC_CALLBACK=https://localhost:8070/oauth2/callback
+      - AUTH_REST_OIDC_CALLBACK=https://auth.trustbloc.local:8070/oauth2/callback
       - AUTH_REST_OIDC_PROVIDERS_CONFIG=/etc/oidc-config/providers.yaml
-      - AUTH_REST_SDS_DOCS_URL=https://TODO.docs.sds.org/
-      - AUTH_REST_SDS_OPSKEYS_URL=https://TODO.keys.sds.org/
-      - AUTH_REST_KEYSERVER_AUTH_URL=https://TODO.auth.keyserver.org/
-      - AUTH_REST_KEYSERVER_OPS_URL=https://TODO.ops.keyserver.org/
+      - AUTH_REST_SDS_DOCS_URL=https://TODO.docs.sds.org
+      - AUTH_REST_SDS_OPSKEYS_URL=https://TODO.keys.sds.org
+      - AUTH_REST_KEYSERVER_AUTH_URL=https://TODO.auth.keyserver.org
+      - AUTH_REST_KEYSERVER_OPS_URL=https://TODO.ops.keyserver.org
       - AUTH_REST_HYDRA_URL=https://hydra.trustbloc.local:4445
       - AUTH_REST_API_TOKEN=test_token
       - AUTH_REST_COOKIE_AUTH_KEY=/etc/keys/session_cookies/auth.key
       - AUTH_REST_COOKIE_ENC_KEY=/etc/keys/session_cookies/enc.key
       - AUTH_REST_LOG_LEVEL=DEBUG
       - AUTH_REST_STATIC_IMAGES=/etc/static/images
+      - GNAP_ACCESS_POLICY=/etc/gnap-config/access_policy.json
     ports:
       - 8070:8070
     entrypoint: ""
@@ -262,9 +264,30 @@ services:
       - ./keys:/etc/keys
       - ./oidc-config:/etc/oidc-config
       - ./static:/etc/static
+      - ./gnap-config:/etc/gnap-config
     depends_on:
       - hydra.trustbloc.local
       - mongodb.example.com
+      - oidc.provider.example.com
+    networks:
+      - bdd_net
+
+  testnet.orb.local:
+    container_name: testnet.orb.local
+    image: ${SIDETREE_MOCK_IMAGE}:${SIDETREE_MOCK_IMAGE_TAG}
+    environment:
+      - SIDETREE_MOCK_TLS_CERTIFICATE=/etc/sidetree/tls/ec-pubCert.pem
+      - SIDETREE_MOCK_TLS_KEY=/etc/sidetree/tls/ec-key.pem
+      - SIDETREE_MOCK_HOST=0.0.0.0
+      - SIDETREE_MOCK_PORT=443
+      - SIDETREE_MOCK_DID_NAMESPACE=did:orb
+      - SIDETREE_MOCK_DID_ALIASES=did:orb:testnet.orb.local
+      - SIDETREE_MOCK_EXTERNAL_ENDPOINT=https://testnet.orb.local
+      - SIDETREE_MOCK_WELLKNOWN_PATH=did-orb
+    ports:
+      - "443:443"
+    volumes:
+      - ./keys/tls:/etc/sidetree/tls
     networks:
       - bdd_net
 
@@ -279,8 +302,8 @@ services:
     environment:
       - DSN=mysql://hydra:hydra-secret-pw@tcp(mysql:3306)/hydra?max_conns=20&max_idle_conns=4
       - URLS_SELF_ISSUER=https://localhost:4444/
-      - URLS_CONSENT=https://localhost:8070/hydra/consent
-      - URLS_LOGIN=https://localhost:8070/hydra/login
+      - URLS_CONSENT=https://auth.trustbloc.local:8070/hydra/consent
+      - URLS_LOGIN=https://auth.trustbloc.local:8070/hydra/login
       - SECRETS_SYSTEM=testSecretsSystem
       - OIDC_SUBJECT_TYPES_SUPPORTED=public
       - OIDC_SUBJECT_TYPE_PAIRWISE_SALT=testSecretsSystem

diff --git a/test/bdd/fixtures/gnap-config/access_policy.json b/test/bdd/fixtures/gnap-config/access_policy.json
@@ -0,0 +1,13 @@
+{
+  "access-types": [
+    {
+      "reference": "example-token-type",
+      "permission": "NeedsConsent",
+      "expires-in": 3600,
+      "access": {
+        "type": "https://trustbloc.net/definitions/example/access-token",
+        "subject-keys": ["sub"]
+      }
+    }
+  ]
+}
diff --git a/test/bdd/fixtures/hydra-config/hydra_configure.sh b/test/bdd/fixtures/hydra-config/hydra_configure.sh
@@ -16,6 +16,21 @@ hydra clients create \
     --response-types code,id_token \
     --scope openid,profile,email \
     --skip-tls-verify \
-    --callbacks https://localhost:8070/oauth2/callback
+    --callbacks https://auth.trustbloc.local:8070/oauth2/callback
 
-echo "Finished creating client!"
+echo "Finished creating oidc client!"
+
+echo "Creating oidc client for gnap flow..."
+# will use --skip-tls-verify because hydra doesn't trust self-signed certificate
+# remove it when using real certificate
+hydra clients create \
+    --endpoint https://oidc.provider.example.com:5556 \
+    --id auth1 \
+    --secret auth-secret \
+    --grant-types authorization_code,refresh_token \
+    --response-types code,id_token \
+    --scope openid,profile,email \
+    --skip-tls-verify \
+    --callbacks https://auth.trustbloc.local:8070/oidc/callback
+
+echo "Finished creating oidc client for gnap flow!"
diff --git a/test/bdd/fixtures/oidc-config/providers.yaml b/test/bdd/fixtures/oidc-config/providers.yaml
@@ -9,3 +9,23 @@ providers:
     url: https://oidc.provider.example.com:5555/
     clientID: auth
     clientSecret: auth-secret
+    name: Demo OIDC
+    signUpIconURL:
+      en: https://localhost:8070/static/images/sign-up-icon-en.svg
+      fr: https://localhost:8070/static/images/sign-up-icon-fr.svg
+    signInIconURL:
+      en: https://localhost:8070/static/images/sign-in-icon-en.svg
+      fr: https://localhost:8070/static/images/sign-in-icon-fr.svg
+    order: 1
+  mockbank1:
+    url: https://oidc.provider.example.com:5555/
+    clientID: auth1
+    clientSecret: auth-secret
+    name: Demo GNAP
+    signUpIconURL:
+      en: https://localhost:8070/static/images/sign-up-icon-en.svg
+      fr: https://localhost:8070/static/images/sign-up-icon-fr.svg
+    signInIconURL:
+      en: https://localhost:8070/static/images/sign-in-icon-en.svg
+      fr: https://localhost:8070/static/images/sign-in-icon-fr.svg
+    order: 2