fix: Add missing audience validation when accessing management api wi…

…th oauth
eclipse-edc · Feb 3, 2025 · 6c55097 · 6c55097
1 parent 893f6ca
commit 6c55097
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 0 deletions.
diff --git a/...ed/src/main/java/org/eclipse/edc/api/auth/delegated/DelegatedAuthenticationExtension.java b/...ed/src/main/java/org/eclipse/edc/api/auth/delegated/DelegatedAuthenticationExtension.java
@@ -9,6 +9,7 @@
  *
  *  Contributors:
  *       Bayerische Motoren Werke Aktiengesellschaft (BMW AG) - initial API and implementation
+ *       Dawex - Add audience validation
  *
  */
 
@@ -27,6 +28,7 @@
 import org.eclipse.edc.spi.system.ServiceExtension;
 import org.eclipse.edc.spi.system.ServiceExtensionContext;
 import org.eclipse.edc.spi.system.configuration.Config;
+import org.eclipse.edc.token.rules.AudienceValidationRule;
 import org.eclipse.edc.token.rules.ExpirationIssuedAtValidationRule;
 import org.eclipse.edc.token.rules.NotBeforeValidationRule;
 import org.eclipse.edc.token.spi.TokenValidationRulesRegistry;
@@ -36,6 +38,7 @@
 
 import static com.nimbusds.jose.jwk.source.JWKSourceBuilder.DEFAULT_CACHE_TIME_TO_LIVE;
 import static org.eclipse.edc.api.auth.delegated.DelegatedAuthenticationService.MANAGEMENT_API_CONTEXT;
+import static org.eclipse.edc.spi.system.ServiceExtensionContext.ANONYMOUS_PARTICIPANT;
 import static org.eclipse.edc.web.spi.configuration.WebServiceConfigurer.WEB_HTTP_PREFIX;
 
 /**
@@ -67,6 +70,9 @@ public class DelegatedAuthenticationExtension implements ServiceExtension {
     @Deprecated(since = "0.12.0", forRemoval = true)
     @Setting(description = "URL where the third-party IdP's public key(s) can be resolved", key = KEY_URL_PROPERTY, required = false)
     private String keyUrl;
+    public static final String AUDIENCE_KEY = "dac.audience";
+    @Setting(context = CONFIG_ALIAS, description = "Expected audience in the token received by the api management", key = AUDIENCE_KEY, required = false)
+    private String audience;
 
     @Inject
     private ApiAuthenticationProviderRegistry providerRegistry;
@@ -96,6 +102,15 @@ public void initialize(ServiceExtensionContext context) {
             throw new EdcException(message);
         }
 
+        if (audience == null) {
+            context.getMonitor().warning("No audience configured for delegated authentication, defaulting to the participantId");
+            audience = context.getParticipantId();
+            if (audience.equals(ANONYMOUS_PARTICIPANT)) {
+                context.getMonitor().warning("No participantId configured for delegated authentication.");
+            }
+        }
+
+        tokenValidationRulesRegistry.addRule(MANAGEMENT_API_CONTEXT, new AudienceValidationRule(audience));
         tokenValidationRulesRegistry.addRule(MANAGEMENT_API_CONTEXT, new NotBeforeValidationRule(clock, validationTolerance, true));
         tokenValidationRulesRegistry.addRule(MANAGEMENT_API_CONTEXT, new ExpirationIssuedAtValidationRule(clock, validationTolerance, true));
 

diff --git a/...rc/test/java/org/eclipse/edc/api/auth/delegated/DelegatedAuthenticationExtensionTest.java b/...rc/test/java/org/eclipse/edc/api/auth/delegated/DelegatedAuthenticationExtensionTest.java
@@ -9,6 +9,7 @@
  *
  *  Contributors:
  *       Bayerische Motoren Werke Aktiengesellschaft (BMW AG) - initial API and implementation
+ *       Dawex - Add audience validation
  *
  */
 
@@ -26,6 +27,7 @@
 import static org.eclipse.edc.api.auth.delegated.DelegatedAuthenticationExtension.AUTH_CACHE_VALIDITY_MS;
 import static org.eclipse.edc.api.auth.delegated.DelegatedAuthenticationExtension.AUTH_KEY_URL;
 import static org.eclipse.edc.junit.assertions.AbstractResultAssert.assertThat;
+import static org.eclipse.edc.spi.system.ServiceExtensionContext.ANONYMOUS_PARTICIPANT;
 import static org.mockito.ArgumentMatchers.anyString;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
@@ -35,11 +37,13 @@
 class DelegatedAuthenticationExtensionTest {
 
     private final Monitor monitor = mock();
+    private ServiceExtensionContext context;
 
     @BeforeEach
     void setUp(ServiceExtensionContext context) {
         when(monitor.withPrefix(anyString())).thenReturn(monitor);
         when(context.getMonitor()).thenReturn(monitor);
+        this.context = context;
     }
 
     @Test
@@ -57,4 +61,17 @@ public void delegatedProvider(DelegatedAuthenticationExtension extension) {
         verify(config).getLong(AUTH_CACHE_VALIDITY_MS, DEFAULT_CACHE_TIME_TO_LIVE);
 
     }
+
+    @Test
+    public void initializeWithNoAudience(DelegatedAuthenticationExtension extension) {
+        extension.initialize(context);
+        verify(monitor).warning("No audience configured for delegated authentication, defaulting to the participantId");
+    }
+
+    @Test
+    public void initializeWithNoAudienceAndDefaultParticipant(DelegatedAuthenticationExtension extension) {
+        when(context.getParticipantId()).thenReturn(ANONYMOUS_PARTICIPANT);
+        extension.initialize(context);
+        verify(monitor).warning("No participantId configured for delegated authentication.");
+    }
 }