Skip to content

Commit

Permalink
refactor(cmd-api-server): pull OAuth2 endpoint scopes from openapi.json
Browse files Browse the repository at this point in the history
Primary Changes
----------------
1. added OAuth2 security endpoints scopes to openapi.json
2. added a test to make sure if the scopes are indeed getting
   pulled from the spec file

Fixes #2693

Signed-off-by: aldousalvarez <[email protected]>

1. Please also refactor the third endpoint (prometheus metrics) accordingly
2. Also please extend the test case with each tokens having specific scopes
and then assert that the tokesn with the correct scopes work and the ones
that don't have the correct scopes do not even when they are otherwise
valid tokens.

Signed-off-by: Peter Somogyvari <[email protected]>
  • Loading branch information
aldousalvarez committed Nov 28, 2024
1 parent 27a24dd commit 2af3ae3
Show file tree
Hide file tree
Showing 31 changed files with 1,109 additions and 46 deletions.
4 changes: 3 additions & 1 deletion .github/workflows/ci.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -493,7 +493,9 @@ jobs:
--tag cmd-api-server \
--tag "ghcr.io/hyperledger/cactus-cmd-api-server:$(date +"%Y-%m-%dT%H-%M-%S" --utc)-dev-$(git rev-parse --short HEAD)"
- if: ${{ env.RUN_TRIVY_SCAN == 'true' }}
- if: |

Check failure on line 496 in .github/workflows/ci.yaml

View workflow job for this annotation

GitHub Actions / ActionLint / Lint_GitHub_Actions

if: condition "${{ env.RUN_TRIVY_SCAN == 'true' \n && (env.DAY_OF_WEEK == '4' || env.DAY_OF_WEEK == '7') }}\n" is always evaluated to true because extra characters are around ${{ }}
${{ env.RUN_TRIVY_SCAN == 'true'
&& (env.DAY_OF_WEEK == '4' || env.DAY_OF_WEEK == '7') }}
name: Run Trivy vulnerability scan for cmd-api-server
uses: aquasecurity/[email protected]
with:
Expand Down
2 changes: 1 addition & 1 deletion packages/cactus-cmd-api-server/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -89,6 +89,7 @@
"fastify": "4.28.1",
"fs-extra": "11.2.0",
"google-protobuf": "3.21.4",
"http-status-codes": "2.1.3",
"jose": "4.15.5",
"json-stable-stringify": "1.0.2",
"lmify": "0.3.0",
Expand Down Expand Up @@ -134,7 +135,6 @@
"google-protobuf": "3.21.4",
"grpc-tools": "1.12.4",
"grpc_tools_node_protoc_ts": "5.3.3",
"http-status-codes": "2.1.4",
"protobufjs": "7.4.0",
"tsx": "4.16.2"
},
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ client.go
configuration.go
go.mod
go.sum
model_cmd_api_server_endpoint_error_response.go
model_health_check_response.go
model_memory_usage.go
model_watch_healthcheck_v1.go
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -84,14 +84,26 @@ Class | Method | HTTP request | Description

## Documentation For Models

- [CmdApiServerEndpointErrorResponse](docs/CmdApiServerEndpointErrorResponse.md)
- [HealthCheckResponse](docs/HealthCheckResponse.md)
- [MemoryUsage](docs/MemoryUsage.md)
- [WatchHealthcheckV1](docs/WatchHealthcheckV1.md)


## Documentation For Authorization

Endpoints do not require authorization.

Authentication schemes defined for the API:
### bearerTokenAuth

- **Type**: HTTP Bearer token authentication

Example

```golang
auth := context.WithValue(context.Background(), sw.ContextAccessToken, "BEARER_TOKEN_STRING")
r, err := client.Service.Operation(auth, args)
```


## Documentation for Utility Methods
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,11 @@ info:
version: 2.0.0
servers:
- url: /
security:
- bearerTokenAuth:
- read:health
- read:metrics
- read:spec
paths:
/api/v1/api-server/healthcheck:
get:
Expand All @@ -21,6 +26,21 @@ paths:
schema:
$ref: '#/components/schemas/HealthCheckResponse'
description: OK
"401":
content:
'*/*':
schema:
$ref: '#/components/schemas/CmdApiServerEndpointErrorResponse'
description: Unauthorized - Invalid token
"403":
content:
'*/*':
schema:
$ref: '#/components/schemas/CmdApiServerEndpointErrorResponse'
description: Forbidden - Valid token but missing correct scope
security:
- bearerTokenAuth:
- read:health
summary: Can be used to verify liveness of an API server instance
x-hyperledger-cacti:
http:
Expand All @@ -37,6 +57,21 @@ paths:
schema:
$ref: '#/components/schemas/PrometheusExporterMetricsResponse'
description: OK
"401":
content:
'*/*':
schema:
$ref: '#/components/schemas/CmdApiServerEndpointErrorResponse'
description: Unauthorized - Invalid token
"403":
content:
'*/*':
schema:
$ref: '#/components/schemas/CmdApiServerEndpointErrorResponse'
description: Forbidden - Valid token but missing correct scope
security:
- bearerTokenAuth:
- read:metrics
summary: Get the Prometheus Metrics
x-hyperledger-cacti:
http:
Expand All @@ -54,6 +89,21 @@ paths:
schema:
$ref: '#/components/schemas/GetOpenApiSpecV1EndpointResponse'
description: OK
"401":
content:
'*/*':
schema:
$ref: '#/components/schemas/CmdApiServerEndpointErrorResponse'
description: Unauthorized - Invalid token
"403":
content:
'*/*':
schema:
$ref: '#/components/schemas/CmdApiServerEndpointErrorResponse'
description: Forbidden - Valid token but missing correct scope
security:
- bearerTokenAuth:
- read:spec
x-hyperledger-cacti:
http:
verbLowerCase: get
Expand Down Expand Up @@ -127,3 +177,14 @@ components:
GetOpenApiSpecV1EndpointResponse:
nullable: false
type: string
CmdApiServerEndpointErrorResponse:
properties:
message:
example: |
Forbidden - Valid token but missing correct scope
type: string
securitySchemes:
bearerTokenAuth:
bearerFormat: JSON Web Tokens
scheme: bearer
type: http

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading

0 comments on commit 2af3ae3

Please sign in to comment.