Merge pull request #17 from FIWARE/configurableAuth

Make TIR auth configurable
FIWARE · Nov 16, 2023 · 1c5ae03 · 1c5ae03
2 parents 1fa21bf + e7a8d95
commit 1c5ae03
Show file tree

Hide file tree

Showing 9 changed files with 175 additions and 9 deletions.
diff --git a/api/trusted-issuers-registry.yaml b/api/trusted-issuers-registry.yaml
@@ -30,6 +30,12 @@ paths:
             application/json:
               schema:
                 $ref: '#/components/schemas/ProblemDetails'
+        '401':
+          description: Unauthorized
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ProblemDetails'
         '500':
           description: Internal Server Error
           content:
@@ -58,6 +64,12 @@ paths:
             application/json:
               schema:
                 $ref: '#/components/schemas/ProblemDetails'
+        '401':
+          description: Unauthorized
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ProblemDetails'
         '404':
           description: Not found
           content:

diff --git a/src/main/java/org/fiware/iam/tir/rest/AnonymousTrustedIssuersRegistry.java b/src/main/java/org/fiware/iam/tir/rest/AnonymousTrustedIssuersRegistry.java
@@ -0,0 +1,21 @@
+package org.fiware.iam.tir.rest;
+
+import io.micronaut.context.annotation.Requires;
+import io.micronaut.http.annotation.Controller;
+import io.micronaut.security.annotation.Secured;
+import io.micronaut.security.rules.SecurityRule;
+import org.fiware.iam.tir.issuers.IssuersProvider;
+import org.fiware.iam.tir.issuers.TrustedIssuerMapper;
+
+
+/**
+ * Implementation of the Trusted Issuers Registry API that does not require the users to authenticate
+ */
+@Requires(property="general.trustedIssuersRegistry.authenticated", notEquals="true")
+@Controller("${general.basepath:/}")
+@Secured(SecurityRule.IS_ANONYMOUS)
+public class AnonymousTrustedIssuersRegistry extends TrustedIssuersRegistry{
+    public AnonymousTrustedIssuersRegistry(IssuersProvider issuersProvider, TrustedIssuerMapper mapper) {
+        super(issuersProvider, mapper);
+    }
+}
diff --git a/src/main/java/org/fiware/iam/tir/rest/AuthenticatedTrustedIssuersRegistry.java b/src/main/java/org/fiware/iam/tir/rest/AuthenticatedTrustedIssuersRegistry.java
@@ -0,0 +1,21 @@
+package org.fiware.iam.tir.rest;
+
+import io.micronaut.context.annotation.Requires;
+import io.micronaut.http.annotation.Controller;
+import io.micronaut.security.annotation.Secured;
+import io.micronaut.security.rules.SecurityRule;
+import org.fiware.iam.tir.issuers.IssuersProvider;
+import org.fiware.iam.tir.issuers.TrustedIssuerMapper;
+
+
+/**
+ * Implementation of the Trusted Issuers Registry API that requires the users to authenticate
+ */
+@Requires(property="general.trustedIssuersRegistry.authenticated", value="true")
+@Controller("${general.basepath:/}")
+@Secured(SecurityRule.IS_AUTHENTICATED)
+public class AuthenticatedTrustedIssuersRegistry extends TrustedIssuersRegistry{
+    public AuthenticatedTrustedIssuersRegistry(IssuersProvider issuersProvider, TrustedIssuerMapper mapper) {
+        super(issuersProvider, mapper);
+    }
+}
diff --git a/src/main/java/org/fiware/iam/tir/rest/TrustedIssuersRegistry.java b/src/main/java/org/fiware/iam/tir/rest/TrustedIssuersRegistry.java
@@ -19,9 +19,7 @@
 
 @RequiredArgsConstructor
 @Slf4j
-@Controller("${general.basepath:/}")
-@Secured(SecurityRule.IS_ANONYMOUS)
-public class TrustedIssuersRegistry implements TirApi {
+abstract class TrustedIssuersRegistry implements TirApi {
     private final IssuersProvider issuersProvider;
     private final TrustedIssuerMapper mapper;
 

diff --git a/src/main/resources/application.yaml b/src/main/resources/application.yaml
@@ -36,6 +36,8 @@ endpoints:
     sensitive: false
 
 general:
+  trustedIssuersRegistry:
+    authenticated: false
   contextUrl: "https://registry.lab.gaia-x.eu/development/api/trusted-shape-registry/v1/shapes/jsonld/trustframework#"
 ##  "https://www.w3.org/2018/credentials/v1", "https://registry.lab.gaia-x.eu/development/api/trusted-shape-registry/v1/shapes/jsonld/trustframework#", "https://w3id.org/security/suites/jws-2020/v1"
 

diff --git a/src/test/java/org/fiware/iam/tir/rest/AuthenticatedTrustedIssuersRegistryIT.java b/src/test/java/org/fiware/iam/tir/rest/AuthenticatedTrustedIssuersRegistryIT.java
@@ -0,0 +1,95 @@
+package org.fiware.iam.tir.rest;
+
+import changeMe.JwtProvider;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import io.github.wistefan.mapping.JavaObjectMapper;
+import io.micronaut.context.annotation.Property;
+import io.micronaut.http.HttpResponse;
+import io.micronaut.http.HttpStatus;
+import io.micronaut.security.token.jwt.signature.SignatureGeneratorConfiguration;
+import io.micronaut.test.extensions.junit5.annotation.MicronautTest;
+import org.fiware.iam.common.configuration.GeneralProperties;
+import org.fiware.iam.tir.api.TirApiTestClient;
+import org.fiware.iam.tir.api.TirApiTestSpec;
+import org.fiware.iam.tir.issuers.TrustedIssuer;
+import org.fiware.iam.tir.model.IssuerVO;
+import org.fiware.iam.tir.model.IssuersResponseVO;
+import org.fiware.ngsi.api.EntitiesApiClient;
+import org.junit.jupiter.api.Test;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+@MicronautTest(packages = {"org.fiware.iam.tir"})
+@Property(name = "general.trustedIssuersRegistry.authenticated", value = "true")
+public class AuthenticatedTrustedIssuersRegistryIT extends NGSIBasedTest implements TirApiTestSpec {
+
+    private final SignatureGeneratorConfiguration signature;
+    final TirApiTestClient apiClient;
+
+    public AuthenticatedTrustedIssuersRegistryIT(EntitiesApiClient entitiesApiClient, JavaObjectMapper javaObjectMapper, ObjectMapper objectMapper, GeneralProperties generalProperties, SignatureGeneratorConfiguration signature, TirApiTestClient apiClient1) {
+        super(entitiesApiClient, javaObjectMapper, objectMapper, generalProperties);
+        this.signature = signature;
+        this.apiClient = apiClient1;
+    }
+
+    private String genToken(){
+       return new JwtProvider(signature).builder().subject("test").issuer("issuer").toBearer();
+    }
+
+    @Test
+    @Override
+    public void getIssuer200() throws Exception {
+        createIssuer(new TrustedIssuer("someId").setIssuer("someDid"));
+        assertEquals(HttpStatus.OK, apiClient.getIssuer(genToken(), "someDid").getStatus());
+    }
+
+    @Override
+    public void getIssuer400() throws Exception {
+    }
+
+    @Test
+    @Override
+    public void getIssuer401() throws Exception {
+        createIssuer(new TrustedIssuer("someId").setIssuer("someDid"));
+        HttpResponse<IssuerVO> response = callAndCatch(() -> apiClient.getIssuer("someDid"));
+        assertEquals(HttpStatus.UNAUTHORIZED,response.getStatus());
+    }
+
+    @Override
+    public void getIssuer404() throws Exception {
+    }
+
+    @Override
+    public void getIssuer500() throws Exception {
+    }
+
+    @Test
+    @Override
+    public void getIssuers200() throws Exception {
+        createIssuer(new TrustedIssuer("someId").setIssuer("someDid"));
+        createIssuer(new TrustedIssuer("someId2").setIssuer("someDid2"));
+
+        HttpResponse<IssuersResponseVO> issuersResponse = apiClient.getIssuers(genToken(), 100, null);
+        assertThat(issuersResponse).extracting(HttpResponse::getStatus).isEqualTo(HttpStatus.OK);
+
+        IssuersResponseVO responseBody = issuersResponse.body();
+        assertThat(responseBody).extracting(IssuersResponseVO::getItems).asList().hasSize(2);
+    }
+
+    @Override
+    public void getIssuers400() throws Exception {
+    }
+
+    @Test
+    @Override
+    public void getIssuers401() throws Exception {
+        createIssuer(new TrustedIssuer("someId").setIssuer("someDid"));
+        HttpResponse<IssuersResponseVO> response = callAndCatch(() -> apiClient.getIssuers(100, null));
+        assertEquals(HttpStatus.UNAUTHORIZED,response.getStatus());
+    }
+
+    @Override
+    public void getIssuers500() throws Exception {
+    }
+}
diff --git a/src/test/java/org/fiware/iam/tir/rest/DidRegistryIT.java b/src/test/java/org/fiware/iam/tir/rest/DidRegistryIT.java
@@ -50,6 +50,9 @@ public DidService mockDidService() {
             .id("did:web:someDid")
             .addVerificationMethodItem(new JsonWebKey2020VerificationMethodVO().id("did:web:someDid").publicKeyJwk(new JWKVO().x5u("example.com/cert")));
 
+    private String genToken(){
+        return new JwtProvider(signature).builder().subject("test").issuer("issuer").toBearer();
+    }
     public DidRegistryIT(EntitiesApiClient entitiesApiClient, JavaObjectMapper javaObjectMapper, ObjectMapper objectMapper, GeneralProperties generalProperties, DidApiTestClient apiClient, InMemoryPartiesRepo partyRepo, DidService didService, SignatureGeneratorConfiguration signature) {
         super(entitiesApiClient, javaObjectMapper, objectMapper, generalProperties);
         this.apiClient = apiClient;
@@ -61,13 +64,13 @@ public DidRegistryIT(EntitiesApiClient entitiesApiClient, JavaObjectMapper javaO
     @Test
     @Override
     public void getDIDDocument200() throws Exception {
-        String bearerToken = new JwtProvider(signature).builder().toBearer();
+
         when(didService.retrieveDidDocument("did:web:someDid")).thenReturn(Optional.of(SOME_DID_DOCUMENT));
         when(didService.getCertificate(SOME_DID_DOCUMENT)).thenReturn(Optional.of("someCert"));
 
         createIssuer(new TrustedIssuer("did:web:someId").setIssuer("did:web:someDid"));
         partyRepo.updateParties();
-        HttpResponse<DIDDocumentVO> answer = apiClient.getDIDDocument(bearerToken, "did:web:someDid", null);
+        HttpResponse<DIDDocumentVO> answer = apiClient.getDIDDocument(genToken(), "did:web:someDid", null);
         assertEquals(HttpStatus.OK, answer.getStatus());
 
         assertEquals(toJson(SOME_DID_DOCUMENT), toJson(answer.getBody().get()));
@@ -81,7 +84,7 @@ private String toJson(Object obj) {
     @Disabled("Test client verifies the parameter already")
     @Override
     public void getDIDDocument400() throws Exception {
-        HttpResponse<DIDDocumentVO> answer = apiClient.getDIDDocument(null, null);
+        HttpResponse<DIDDocumentVO> answer = apiClient.getDIDDocument(genToken(),null, null);
         assertEquals(HttpStatus.BAD_REQUEST, answer.getStatus());
     }
 
@@ -96,7 +99,7 @@ public void getDIDDocument401() throws Exception {
     @Test
     @Override
     public void getDIDDocument404() throws Exception {
-        HttpResponse<DIDDocumentVO> answer = apiClient.getDIDDocument("did:ebsi:unknown", null);
+        HttpResponse<DIDDocumentVO> answer = apiClient.getDIDDocument(genToken(),"did:ebsi:unknown", null);
         assertEquals(HttpStatus.NOT_FOUND, answer.getStatus());
     }
 

diff --git a/src/test/java/org/fiware/iam/tir/rest/TrustedIssuersRegistryIT.java b/src/test/java/org/fiware/iam/tir/rest/TrustedIssuersRegistryIT.java
@@ -5,6 +5,7 @@
 import io.micronaut.http.HttpMessage;
 import io.micronaut.http.HttpResponse;
 import io.micronaut.http.HttpStatus;
+import io.micronaut.security.token.jwt.signature.SignatureGeneratorConfiguration;
 import io.micronaut.test.extensions.junit5.annotation.MicronautTest;
 import org.fiware.iam.common.configuration.GeneralProperties;
 import org.fiware.iam.tir.api.TirApiTestClient;
@@ -21,8 +22,7 @@
 @MicronautTest(packages = {"org.fiware.iam.tir"})
 public class TrustedIssuersRegistryIT extends NGSIBasedTest implements TirApiTestSpec {
 
-
-    private final TirApiTestClient apiClient;
+    final TirApiTestClient apiClient;
 
     public TrustedIssuersRegistryIT(EntitiesApiClient entitiesApiClient, JavaObjectMapper javaObjectMapper, ObjectMapper objectMapper, GeneralProperties generalProperties, TirApiTestClient apiClient) {
         super(entitiesApiClient, javaObjectMapper, objectMapper, generalProperties);
@@ -43,6 +43,12 @@ public void getIssuer400() throws Exception {
         assertEquals(HttpStatus.BAD_REQUEST, apiClient.getIssuer(null).getStatus());
     }
 
+    @Disabled("Not possible in anonymous case")
+    @Override
+    public void getIssuer401() throws Exception {
+
+    }
+
     @Test
     @Override
     public void getIssuer404() throws Exception {
@@ -74,6 +80,12 @@ public void getIssuers400() throws Exception {
         assertEquals(HttpStatus.BAD_REQUEST, callAndCatch(() -> apiClient.getIssuers(-1, null)).getStatus());
     }
 
+    @Disabled("Not possible in anonymous case")
+    @Override
+    public void getIssuers401() throws Exception {
+
+    }
+
     @Disabled("Can't provoke it")
     @Override
     public void getIssuers500() throws Exception {

diff --git a/src/test/resources/application.yaml b/src/test/resources/application.yaml
@@ -27,6 +27,8 @@ micronaut:
         read-timeout: 30
 
 general:
+  trustedIssuersRegistry:
+    authenticated: false
   contextUrl: "https://registry.lab.gaia-x.eu/development/api/trusted-shape-registry/v1/shapes/jsonld/trustframework#"
 ##  "https://www.w3.org/2018/credentials/v1", "https://registry.lab.gaia-x.eu/development/api/trusted-shape-registry/v1/shapes/jsonld/trustframework#", "https://w3id.org/security/suites/jws-2020/v1"