Skip to content

Commit

Permalink
refactor(cmd-api-server): pull OAuth2 endpoint scopes from openapi.json
Browse files Browse the repository at this point in the history
Primary Changes
----------------
1. added OAuth2 security endpoints scopes to openapi.json
2. added a test to make sure if the scopes are indeed getting
   pulled from the spec file

Fixes #2693

Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com>

1. Please also refactor the third endpoint (prometheus metrics) accordingly
2. Also please extend the test case with each tokens having specific scopes
and then assert that the tokesn with the correct scopes work and the ones
that don't have the correct scopes do not even when they are otherwise
valid tokens.

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
  • Loading branch information
aldousalvarez committed Nov 28, 2024
1 parent 27a24dd commit 125ab22
Show file tree
Hide file tree
Showing 31 changed files with 1,122 additions and 46 deletions.
17 changes: 16 additions & 1 deletion .github/workflows/ci.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,17 @@ jobs:
- name: Set output
id: set-output
run: echo "run-coverage=${{ env.RUN_CODE_COVERAGE }}" >> "$GITHUB_OUTPUT"

check-day:
runs-on: ubuntu-22.04
outputs:
day_of_week: ${{ steps.get_day.outputs.day_of_week }}
steps:
- name: Get current day
id: get_day
run: |
# Get the current day of the week (1 = Monday, 7 = Sunday)
echo "day_of_week=$(date +'%u')" >> "$GITHUB_OUTPUT"
compute_changed_packages:
needs: check-ci-skip
Expand Down Expand Up @@ -445,6 +456,7 @@ jobs:
needs:
- build-dev
- compute_changed_packages
- check-day
if: needs.compute_changed_packages.outputs.cmd-api-server-changed == 'true'
env:
DEV_BUILD_DISABLED: false
Expand Down Expand Up @@ -473,6 +485,9 @@ jobs:
restore-keys: |
${{ runner.os }}-yarn-${{ hashFiles('./yarn.lock') }}
- name: Get current day and time
run: echo "Day of the Week from check-day ${{ needs.check-day.outputs.day_of_week }}"

- run: ./tools/ci.sh
if: ${{ env.RUN_CODE_COVERAGE == 'true' }}
- name: Upload coverage reports as artifacts
Expand All @@ -493,7 +508,7 @@ jobs:
--tag cmd-api-server \
--tag "ghcr.io/hyperledger/cactus-cmd-api-server:$(date +"%Y-%m-%dT%H-%M-%S" --utc)-dev-$(git rev-parse --short HEAD)"
- if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
- if: ${{ env.RUN_TRIVY_SCAN == 'true' && (needs.check-day.outputs.day_of_week == '4' || needs.check-day.outputs.day_of_week == '5') }}
name: Run Trivy vulnerability scan for cmd-api-server
uses: aquasecurity/trivy-action@0.19.0
with:
Expand Down
2 changes: 1 addition & 1 deletion packages/cactus-cmd-api-server/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -89,6 +89,7 @@
"fastify": "4.28.1",
"fs-extra": "11.2.0",
"google-protobuf": "3.21.4",
"http-status-codes": "2.1.3",
"jose": "4.15.5",
"json-stable-stringify": "1.0.2",
"lmify": "0.3.0",
Expand Down Expand Up @@ -134,7 +135,6 @@
"google-protobuf": "3.21.4",
"grpc-tools": "1.12.4",
"grpc_tools_node_protoc_ts": "5.3.3",
"http-status-codes": "2.1.4",
"protobufjs": "7.4.0",
"tsx": "4.16.2"
},
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ client.go
configuration.go
go.mod
go.sum
model_cmd_api_server_endpoint_error_response.go
model_health_check_response.go
model_memory_usage.go
model_watch_healthcheck_v1.go
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -84,14 +84,26 @@ Class | Method | HTTP request | Description

## Documentation For Models

- [CmdApiServerEndpointErrorResponse](docs/CmdApiServerEndpointErrorResponse.md)
- [HealthCheckResponse](docs/HealthCheckResponse.md)
- [MemoryUsage](docs/MemoryUsage.md)
- [WatchHealthcheckV1](docs/WatchHealthcheckV1.md)


## Documentation For Authorization

Endpoints do not require authorization.

Authentication schemes defined for the API:
### bearerTokenAuth

- **Type**: HTTP Bearer token authentication

Example

```golang
auth := context.WithValue(context.Background(), sw.ContextAccessToken, "BEARER_TOKEN_STRING")
r, err := client.Service.Operation(auth, args)
```


## Documentation for Utility Methods
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,11 @@ info:
version: 2.0.0
servers:
- url: /
security:
- bearerTokenAuth:
- read:health
- read:metrics
- read:spec
paths:
/api/v1/api-server/healthcheck:
get:
Expand All @@ -21,6 +26,21 @@ paths:
schema:
$ref: '#/components/schemas/HealthCheckResponse'
description: OK
"401":
content:
'*/*':
schema:
$ref: '#/components/schemas/CmdApiServerEndpointErrorResponse'
description: Unauthorized - Invalid token
"403":
content:
'*/*':
schema:
$ref: '#/components/schemas/CmdApiServerEndpointErrorResponse'
description: Forbidden - Valid token but missing correct scope
security:
- bearerTokenAuth:
- read:health
summary: Can be used to verify liveness of an API server instance
x-hyperledger-cacti:
http:
Expand All @@ -37,6 +57,21 @@ paths:
schema:
$ref: '#/components/schemas/PrometheusExporterMetricsResponse'
description: OK
"401":
content:
'*/*':
schema:
$ref: '#/components/schemas/CmdApiServerEndpointErrorResponse'
description: Unauthorized - Invalid token
"403":
content:
'*/*':
schema:
$ref: '#/components/schemas/CmdApiServerEndpointErrorResponse'
description: Forbidden - Valid token but missing correct scope
security:
- bearerTokenAuth:
- read:metrics
summary: Get the Prometheus Metrics
x-hyperledger-cacti:
http:
Expand All @@ -54,6 +89,21 @@ paths:
schema:
$ref: '#/components/schemas/GetOpenApiSpecV1EndpointResponse'
description: OK
"401":
content:
'*/*':
schema:
$ref: '#/components/schemas/CmdApiServerEndpointErrorResponse'
description: Unauthorized - Invalid token
"403":
content:
'*/*':
schema:
$ref: '#/components/schemas/CmdApiServerEndpointErrorResponse'
description: Forbidden - Valid token but missing correct scope
security:
- bearerTokenAuth:
- read:spec
x-hyperledger-cacti:
http:
verbLowerCase: get
Expand Down Expand Up @@ -127,3 +177,14 @@ components:
GetOpenApiSpecV1EndpointResponse:
nullable: false
type: string
CmdApiServerEndpointErrorResponse:
properties:
message:
example: |
Forbidden - Valid token but missing correct scope
type: string
securitySchemes:
bearerTokenAuth:
bearerFormat: JSON Web Tokens
scheme: bearer
type: http

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading

0 comments on commit 125ab22

Please sign in to comment.