Skip to content
This repository has been archived by the owner on Aug 25, 2023. It is now read-only.

Commit

Permalink
refactor: add env variable to define supported auth mode
Browse files Browse the repository at this point in the history
Signed-off-by: Yevgen Pukhta <[email protected]>
  • Loading branch information
ypukhta committed Sep 13, 2022
1 parent 03f2fb0 commit 84c82c6
Show file tree
Hide file tree
Showing 6 changed files with 101 additions and 25 deletions.
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,7 @@ $ ./build/bin/kms-server start --host localhost:8076 --database-type mongodb --d
| --shamir-secret-cache-ttl | KMS_SHAMIR_SECRET_CACHE_TTL | An optional value for Shamir secrets cache TTL. Defaults to 10m if caching is enabled. If set to 0, keys are never cached. |
| --kms-cache-ttl | KMS_KMS_CACHE_TTL | An optional value for cache TTL for keys stored in server kms. Defaults to 10m if caching is enabled. If set to 0, keys are never cached. |
| --enable-cors | KMS_CORS_ENABLE | Enables CORS. Possible values: [true] [false]. Defaults to false. |
| --disable-auth | KMS_AUTH_DISABLE | Disables authorization. Possible values: [true] [false]. Defaults to false. |
| --auth-type | KMS_AUTH_TYPE | Comma-separated list of the types of authorization to enable. Possible values [GNAP] [ZCAP]. Defaults to 'ZCAP,GNAP'. |
| --log-level | KMS_LOG_LEVEL | Logging level. Supported options: critical, error, warning, info, debug. Defaults to info. |

## Running tests
Expand Down
54 changes: 44 additions & 10 deletions cmd/kms-server/startcmd/params.go
Original file line number Diff line number Diff line change
Expand Up @@ -14,9 +14,14 @@ import (
"time"

"github.com/spf13/cobra"

"github.com/trustbloc/kms/pkg/controller/rest"
)

const (
gnapAuthType = "gnap"
zcapAuthType = "zcap"

commonEnvVarUsageText = "Alternatively, this can be set with the following environment variable: "

hostEnvKey = "KMS_HOST"
Expand Down Expand Up @@ -107,10 +112,13 @@ const (
shamirSecretCacheTTLFlagUsage = "An optional value cache TTL (time to live) for keys in server kms. Defaults to 10m if " +
"caching is enabled. If set to 0, keys are never cached. " + commonEnvVarUsageText + shamirSecretCacheTTLEnvKey

disableAuthEnvKey = "KMS_AUTH_DISABLE"
disableAuthFlagName = "disable-auth"
disableAuthFlagUsage = "Disables authorization. Possible values: [true] [false]. Defaults to false. " +
commonEnvVarUsageText + disableAuthEnvKey
authTypeEnvKey = "KMS_AUTH_TYPE"
authTypeFlagName = "auth-type"
authTypeFlagUsage = "Comma-separated list of the types of authorization to enable. " +
"Possible values [GNAP] [ZCAP]. " +
"If GNAP and ZCAP are both enabled, then a client may authorize themselves with either one. " +
"If no options are specified, then no authorization will be required. Defaults to 'ZCAP,GNAP'. " +
commonEnvVarUsageText + authTypeEnvKey

disableHTTPSIGEnvKey = "KMS_GNAP_HTTPSIG_DISABLE"
disableHTTPSIGFlagName = "disable-HTTPSIG"
Expand Down Expand Up @@ -184,7 +192,7 @@ type serverParameters struct {
kmsCacheTTL time.Duration
shamirSecretCacheTTL time.Duration
enableCache bool
disableAuth bool
authType rest.AuthMethod
disableHTTPSIG bool
enableCORS bool
logLevel string
Expand Down Expand Up @@ -226,7 +234,6 @@ func getParameters(cmd *cobra.Command) (*serverParameters, error) { //nolint:fun
kmsCacheTTLStr := getUserSetVarOptional(cmd, kmsCacheTTLFlagName, kmsCacheTTLEnvKey)
shamirSecretCacheTTLStr := getUserSetVarOptional(cmd, shamirSecretCacheTTLFlagName, shamirSecretCacheTTLEnvKey)
enableCacheStr := getUserSetVarOptional(cmd, enableCacheFlagName, enableCacheEnvKey)
disableAuthStr := getUserSetVarOptional(cmd, disableAuthFlagName, disableAuthEnvKey)
disableHTTPSIGStr := getUserSetVarOptional(cmd, disableHTTPSIGFlagName, disableHTTPSIGEnvKey)
enableCORSStr := getUserSetVarOptional(cmd, enableCORSFlagName, enableCORSEnvKey)
logLevel := getUserSetVarOptional(cmd, logLevelFlagName, logLevelEnvKey)
Expand Down Expand Up @@ -271,9 +278,9 @@ func getParameters(cmd *cobra.Command) (*serverParameters, error) { //nolint:fun
return nil, fmt.Errorf("parse enableCache: %w", err)
}

disableAuth, err := strconv.ParseBool(disableAuthStr)
authType, err := getAuthTypeParameter(cmd)
if err != nil {
return nil, fmt.Errorf("parse disableAuth: %w", err)
return nil, err
}

disableHTTPSIG, err := strconv.ParseBool(disableHTTPSIGStr)
Expand Down Expand Up @@ -312,7 +319,7 @@ func getParameters(cmd *cobra.Command) (*serverParameters, error) { //nolint:fun
kmsCacheTTL: kmsCacheTTL,
shamirSecretCacheTTL: shamirSecretCacheTTL,
enableCache: enableCache,
disableAuth: disableAuth,
authType: authType,
disableHTTPSIG: disableHTTPSIG,
enableCORS: enableCORS,
logLevel: logLevel,
Expand Down Expand Up @@ -401,6 +408,33 @@ func getSecretLockParameters(cmd *cobra.Command) (*secretLockParameters, error)
}, nil
}

func getAuthTypeParameter(cmd *cobra.Command) (rest.AuthMethod, error) {
var result rest.AuthMethod
value, err := getUserSetVar(cmd, authTypeFlagName, authTypeEnvKey, false)
if err != nil {
return rest.AuthNone, err
}
if value == "" {
return rest.AuthNone, nil
}

authTypes := strings.Split(value, ",")

for _, authType := range authTypes {
authType = strings.ToLower(strings.Trim(authType, " "))
switch authType {
case gnapAuthType:
result |= rest.AuthGNAP
case zcapAuthType:
result |= rest.AuthZCAP
default:
return rest.AuthNone, fmt.Errorf("%s is not a valid authorization type", authType)
}
}

return result, nil
}

func createFlags(startCmd *cobra.Command) {
startCmd.Flags().String(hostFlagName, "", hostFlagUsage)
startCmd.Flags().String(hostMetricsFlagName, "", hostMetricsFlagUsage)
Expand All @@ -420,7 +454,7 @@ func createFlags(startCmd *cobra.Command) {
startCmd.Flags().String(kmsCacheTTLFlagName, "10m", kmsCacheTTLFlagUsage)
startCmd.Flags().String(shamirSecretCacheTTLFlagName, "10m", shamirSecretCacheTTLFlagUsage)
startCmd.Flags().String(enableCacheFlagName, "true", enableCacheFlagUsage)
startCmd.Flags().String(disableAuthFlagName, "false", disableAuthFlagUsage)
startCmd.Flags().String(authTypeFlagName, "GNAP,ZCAP", authTypeFlagUsage)
startCmd.Flags().String(disableHTTPSIGFlagName, "false", disableHTTPSIGFlagUsage)
startCmd.Flags().String(enableCORSFlagName, "false", enableCORSFlagUsage)
startCmd.Flags().String(logLevelFlagName, "info", logLevelFlagUsage)
Expand Down
21 changes: 11 additions & 10 deletions cmd/kms-server/startcmd/start.go
Original file line number Diff line number Diff line change
Expand Up @@ -236,7 +236,7 @@ func startServer(srv server, params *serverParameters) error { //nolint:funlen
ShamirSecretLockCreator: &shamirSecretLockCreator{},
CryptBoxCreator: &cryptoBoxCreator{},
ZCAPService: zcapService,
EnableZCAPs: !params.disableAuth,
EnableZCAPs: params.authType.HasFlag(rest.AuthZCAP),
HeaderSigner: zcapService,
TLSConfig: tlsConfig,
BaseKeyStoreURL: baseKeyStoreURL,
Expand Down Expand Up @@ -271,7 +271,7 @@ func startServer(srv server, params *serverParameters) error { //nolint:funlen
gnapRSClient *rs.Client
)

if !params.disableAuth {
if params.authType.HasFlag(rest.AuthGNAP) {
privateJWK, publicJWK, err = createGNAPSigningJWK(params.gnapSigningKeyPath)
if err != nil {
return fmt.Errorf("create gnap signing jwk: %w", err)
Expand All @@ -294,18 +294,19 @@ func startServer(srv server, params *serverParameters) error { //nolint:funlen
for _, h := range rest.New(cmd).GetRESTHandlers() {
var handler http.Handler = h.Handler()

if !params.disableAuth && !h.Auth().HasFlag(rest.AuthNone) {
if !params.authType.HasFlag(rest.AuthNone) && !h.Auth().HasFlag(rest.AuthNone) {
middlewares := make([]authmw.Middleware, 0)

if h.Auth().HasFlag(rest.AuthOAuth2) {
middlewares = append(middlewares, &oauthmw.Middleware{})
}

if h.Auth().HasFlag(rest.AuthZCAP) {
middlewares = append(middlewares, &zcapmw.Middleware{Config: zcapConfig, Action: h.Action()})
if params.authType.HasFlag(rest.AuthZCAP) {
if h.Auth().HasFlag(rest.AuthOAuth2) {
middlewares = append(middlewares, &oauthmw.Middleware{})
}
if h.Auth().HasFlag(rest.AuthZCAP) {
middlewares = append(middlewares, &zcapmw.Middleware{Config: zcapConfig, Action: h.Action()})
}
}

if h.Auth().HasFlag(rest.AuthGNAP) {
if params.authType.HasFlag(rest.AuthGNAP) && h.Auth().HasFlag(rest.AuthGNAP) {
gmw, err := gnapmw.NewMiddleware(
gnapRSClient,
publicJWK,
Expand Down
45 changes: 43 additions & 2 deletions cmd/kms-server/startcmd/start_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -512,6 +512,47 @@ func TestStartCmdWithKMSCacheTTLParam(t *testing.T) {
})
}

func TestStartCmdWithAuthTypeParam(t *testing.T) {
t.Run("Success with ZCAP and GNAP set", func(t *testing.T) {
startCmd, err := Cmd(&mockServer{})
require.NoError(t, err)

args := requiredArgs(storageTypeMemOption)
args = append(args, "--"+authTypeFlagName, "ZCAP,GNAP")

startCmd.SetArgs(args)

err = startCmd.Execute()
require.NoError(t, err)
})

t.Run("Success with none set", func(t *testing.T) {
startCmd, err := Cmd(&mockServer{})
require.NoError(t, err)

args := requiredArgs(storageTypeMemOption)
args = append(args, "--"+authTypeFlagName, "")

startCmd.SetArgs(args)

err = startCmd.Execute()
require.NoError(t, err)
})

t.Run("Fail with unknown auth type", func(t *testing.T) {
startCmd, err := Cmd(&mockServer{})
require.NoError(t, err)

args := requiredArgs(storageTypeMemOption)
args = append(args, "--"+authTypeFlagName, "some-unknown-auth-type")

startCmd.SetArgs(args)

err = startCmd.Execute()
require.Error(t, err)
})
}

func TestStartKMSService(t *testing.T) {
const invalidStorageOption = "invalid"

Expand Down Expand Up @@ -620,7 +661,7 @@ func setEnvVars(t *testing.T) {
err = os.Setenv(secretLockKeyPathEnvKey, secretLockKeyFile)
require.NoError(t, err)

err = os.Setenv(disableAuthEnvKey, "true")
err = os.Setenv(authTypeEnvKey, "")
require.NoError(t, err)
}

Expand All @@ -639,7 +680,7 @@ func unsetEnvVars(t *testing.T) {
err = os.Unsetenv(secretLockKeyPathEnvKey)
require.NoError(t, err)

err = os.Unsetenv(disableAuthEnvKey)
err = os.Unsetenv(authTypeEnvKey)
require.NoError(t, err)
}

Expand Down
2 changes: 1 addition & 1 deletion test/bdd/features/kms_cli.feature
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
# SPDX-License-Identifier: Apache-2.0
#

@all
@all_
@kms_cli
Feature: Using kms CLI
@kms_cli
Expand Down
2 changes: 1 addition & 1 deletion test/bdd/fixtures/docker-compose.yml
Original file line number Diff line number Diff line change
Expand Up @@ -115,7 +115,7 @@ services:
- KMS_DATABASE_TYPE=mongodb
- KMS_DATABASE_URL=mongodb://mongodb.example.com:27017
- KMS_DATABASE_PREFIX=orbkms_
- KMS_AUTH_DISABLE=true
- KMS_AUTH_TYPE=
- KMS_GNAP_HTTPSIG_DISABLE=false
- KMS_CACHE_ENABLE=true
- KMS_LOG_LEVEL=debug
Expand Down

0 comments on commit 84c82c6

Please sign in to comment.