Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Add missing audience validation when accessing management api with oauth #4784

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix: Add missing audience validation when accessing management api with oauth #4784

wants to merge 1 commit into from
+47 −1

Conversation

scandinave
Copy link
Contributor

What this PR changes/adds

This PR add the audience Validation for the API management context

Why it does that

Not validating audience is a security risk.

Further notes

I have added some tests to validate the modification in the extension. But I could not find a way to change the value of an injected configuration field annotated by @Settings. So I can't unit test that when I set an audience, everything works as expected.

I have validated the code manually though.

Who will sponsor this feature?

@paullatzelsperger

Linked Issue(s)

Closes #4768

Please be sure to take a look at the contributing guidelines and our etiquette for pull requests.

@scandinave scandinave force-pushed the fix/audience-validation-in-api-management branch 2 times, most recently from 6c55097 to 2063bb3 Compare February 3, 2025 13:21
@paullatzelsperger paullatzelsperger self-requested a review February 3, 2025 16:24
@scandinave scandinave force-pushed the fix/audience-validation-in-api-management branch 2 times, most recently from cc6d2fb to 994b0c5 Compare February 4, 2025 09:09
@scandinave
Copy link
Contributor Author

Not sure about the use of the context and key value of the @Setting annotation for the audience configuration. Is it ok ?

@scandinave scandinave marked this pull request as ready for review February 4, 2025 13:05
@paullatzelsperger paullatzelsperger added enhancement New feature or request api Feature related to the (REST) api labels Feb 7, 2025
paullatzelsperger
paullatzelsperger requested changes Feb 7, 2025
View reviewed changes
Copy link
Member

@paullatzelsperger paullatzelsperger left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

generally OK, but some problems with code consistency

...gated/src/main/java/org/eclipse/edc/api/auth/delegated/DelegatedAuthenticationExtension.java Outdated
@@ -96,6 +102,15 @@ public void initialize(ServiceExtensionContext context) {
throw new EdcException(message);
}

if (audience == null) {
context.getMonitor().warning("No audience configured for delegated authentication, defaulting to the participantId");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: re-use monitor from line 95

Copy link
Contributor Author

@scandinave scandinave Feb 7, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also replaced the previous context.monitor by the one form line 95.

...gated/src/main/java/org/eclipse/edc/api/auth/delegated/DelegatedAuthenticationExtension.java Outdated Show resolved Hide resolved
...d/src/test/java/org/eclipse/edc/api/auth/delegated/DelegatedAuthenticationExtensionTest.java Outdated Show resolved Hide resolved
...d/src/test/java/org/eclipse/edc/api/auth/delegated/DelegatedAuthenticationExtensionTest.java Outdated Show resolved Hide resolved
...d/src/test/java/org/eclipse/edc/api/auth/delegated/DelegatedAuthenticationExtensionTest.java
@@ -57,4 +73,34 @@ public void delegatedProvider(DelegatedAuthenticationExtension extension) {
verify(config).getLong(AUTH_CACHE_VALIDITY_MS, DEFAULT_CACHE_TIME_TO_LIVE);

}

@Test
void initializeWithAudience(ServiceExtensionContext context, ObjectFactory factory) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

instead of using the objectfactory, you can directly inject the DelegatedAuthExtension into the test method, c.f. the previous test method

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is what I have done at first but if I do that the audience value is already injected with a null value before I can set it in the test.

@scandinave scandinave force-pushed the fix/audience-validation-in-api-management branch 3 times, most recently from d2dcca6 to 2e40ac1 Compare February 7, 2025 07:21
@scandinave scandinave force-pushed the fix/audience-validation-in-api-management branch from 2e40ac1 to 595a377 Compare February 8, 2025 13:53
@scandinave scandinave force-pushed the fix/audience-validation-in-api-management branch from 595a377 to 95217df Compare February 8, 2025 13:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@paullatzelsperger paullatzelsperger Awaiting requested review from paullatzelsperger

Assignees
No one assigned
Labels
api Feature related to the (REST) api enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

API management is missing token Audience validation
2 participants
@scandinave @paullatzelsperger