refactor(cmd-api-server): pull OAuth2 endpoint scopes from openapi.json #3463
Conversation
aldousalvarez
requested review from
petermetz,
takeutak,
izuru0,
jagpreetsinghsasan,
VRamakrishna,
sandeepnRES and
outSH
as code owners
aldousalvarez
force-pushed
the
aldousalvarez/issue2693
branch
from
5d2cd8e
to
3321ed3
Compare
| } | ||
|
|
||
| describe("cmd-api-server:getOpenApiSpecV1Endpoint", () => { | ||
| const logLevel: LogLevelDesc = "TRACE"; |
There was a problem hiding this comment.
Change log level to info, dont use trace for tests in CI
There was a problem hiding this comment.
@outSH Got it, just finished updating it.
aldousalvarez
force-pushed
the
aldousalvarez/issue2693
branch
from
3321ed3
to
f44cf0c
Compare
| it("HTTP - returns the OpenAPI spec .json document of the API server itself", async () => { | ||
| const res1Promise = apiClient.getOpenApiSpecV1(); | ||
| await expect(res1Promise).resolves.toHaveProperty("data.openapi"); | ||
| const res1 = await res1Promise; | ||
| expect(res1.status).toEqual(200); | ||
| expect(res1.data).toBeTruthy(); | ||
|
|
||
| console.log("Response data type:", typeof res1.data); | ||
| console.log("Response data:", res1.data); | ||
|
|
||
| let openApiSpec; | ||
| try { | ||
| openApiSpec = | ||
| typeof res1.data === "string" ? JSON.parse(res1.data) : res1.data; | ||
| } catch (error) { | ||
| throw new Error(`Failed to parse OpenAPI spec: ${error.message}`); | ||
| } | ||
|
|
||
| expect(openApiSpec).toHaveProperty("components"); | ||
| expect(openApiSpec.components).toHaveProperty("securitySchemes"); | ||
|
|
||
| const securitySchemes = openApiSpec.components.securitySchemes; | ||
| expect(securitySchemes).toBeObject(); | ||
|
|
||
| const expectedScopes: IExpectedScopes = { | ||
| "read:health": "Read health information", | ||
| "read:metrics": "Read metrics information", | ||
| "read:spec": "Read OpenAPI specification", | ||
| }; | ||
|
|
||
| const securitySchemeNames = Object.keys(securitySchemes); | ||
|
|
||
| securitySchemeNames.forEach((schemeName) => { | ||
| const scheme = securitySchemes[schemeName]; | ||
| expect(scheme).toHaveProperty("flows"); | ||
| const flows = scheme.flows; | ||
| expect(flows).toHaveProperty("authorizationCode"); | ||
| const scopes = flows.authorizationCode.scopes as IExpectedScopes; | ||
|
|
||
| Object.keys(expectedScopes).forEach((scope) => { | ||
| expect(scopes).toHaveProperty(scope); | ||
| expect(scopes[scope]).toEqual(expectedScopes[scope]); | ||
| }); | ||
| }); | ||
| }); |
There was a problem hiding this comment.
@aldousalvarez This verifies that the OpenAPI .json file has the security scheme declared. It does not verify that those are being respected by the endpoint implementations themselves. Please update the endpoints touched by this diff to make use of the declared scopes and then write 2 more test cases for each endpoint in addition this one I'm commenting on. One of them should be the positive test case where with a valid JWT the API client can execute the request and with an invalid JWT the request execution fails with an HTTP 401 unauthorized error.
Note: by test cases I just mean another it("does something...", async () => {...}) block not a separate file.
aldousalvarez
force-pushed
the
aldousalvarez/issue2693
branch
from
f44cf0c
to
25c1eba
Compare
|
Hello @petermetz, Already done the requested changes, re-requested for your review. Thank you |
There was a problem hiding this comment.
@aldousalvarez Looking much better now but it's still missing the crucial negative test case for missing or incorrect scopes, please see my comment above.
| expect(res1.status).toEqual(200); | ||
| expect(res1.data).toBeTruthy(); |
There was a problem hiding this comment.
@aldousalvarez In this test case it is supposed to fail because you are executing with a JWT that does not have the scope declared (so the JWT has a valid signature but it does not declare the correct role based access control and therefore should not work)
aldousalvarez
force-pushed
the
aldousalvarez/issue2693
branch
3 times, most recently
from
dade3eb
to
4c58d17
Compare
petermetz
force-pushed
the
aldousalvarez/issue2693
branch
from
4c58d17
to
20d64d4
Compare
aldousalvarez
force-pushed
the
aldousalvarez/issue2693
branch
2 times, most recently
from
af634c3
to
21fdde9
Compare
aldousalvarez
force-pushed
the
aldousalvarez/issue2693
branch
from
21fdde9
to
a637f50
Compare
There was a problem hiding this comment.
@aldousalvarez Please fix the rest of the failing tests of the cmd-api-server package and also the custom-checks check which also is failing.
| const resPromise = apiClient.getHealthCheckV1({ | ||
| headers: { Authorization: invalidBearerToken }, | ||
| }); | ||
| await expect(resPromise).rejects.toThrow( |
There was a problem hiding this comment.
@aldousalvarez Almost there! Please make sure to explicitly assert that the status property of the is 401 or 403 depending on which one is applicable (403 if the token is valid BUT missing the correct scope, 401 otherwise)
| }); | ||
| await expect(resPromise).rejects.toThrow( | ||
| "Request failed with status code 401", | ||
| ); |
There was a problem hiding this comment.
@aldousalvarez Almost there! Please make sure to explicitly assert that the status property of the is 401 or 403 depending on which one is applicable (403 if the token is valid BUT missing the correct scope, 401 otherwise)
aldousalvarez
force-pushed
the
aldousalvarez/issue2693
branch
from
a637f50
to
916d802
Compare
|
Hello @petermetz I added another test case where it would be 403, and then I also added that it logs which status code it gets,. Should I also add 403 in the responses on the openapi.json as well? Thanks |
@aldousalvarez Sorry for the slow response! Thank you for the changes and to your question: Yes, please declare the 403 in the openapi.tpl.json spec as well (and make sure to run codegen so that it updates openapi.json also) |
aldousalvarez
force-pushed
the
aldousalvarez/issue2693
branch
9 times, most recently
from
10b17c2
to
bf9ae91
Compare
Primary Changes ---------------- 1. added OAuth2 security endpoints scopes to openapi.json 2. added a test to make sure if the scopes are indeed getting pulled from the spec file Fixes hyperledger-cacti#2693 Signed-off-by: aldousalvarez <aldousss.alvarez@gmail.com> 1. Please also refactor the third endpoint (prometheus metrics) accordingly 2. Also please extend the test case with each tokens having specific scopes and then assert that the tokesn with the correct scopes work and the ones that don't have the correct scopes do not even when they are otherwise valid tokens. Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
aldousalvarez
force-pushed
the
aldousalvarez/issue2693
branch
from
bf9ae91
to
30dbad7
Compare
Commit to be reviewed
refactor(cmd-api-server): pull OAuth2 endpoint scopes from openapi.json
Fixes #2693
Pull Request Requirements
upstream/mainbranch and squashed into single commit to help maintainers review it more efficient and to avoid spaghetti git commit graphs that obfuscate which commit did exactly what change, when and, why.-sflag when usinggit commitcommand. You may refer to this link for more information.Character Limit
A Must Read for Beginners
For rebasing and squashing, here's a must read guide for beginners.