Merge branch 'master' into feat/TT-13201/Streams-definition-validator

TykTechnologies · Oct 24, 2024 · 9b99d7a · 9b99d7a
2 parents 0489273 + 93f430c
commit 9b99d7a
Show file tree

Hide file tree

Showing 15 changed files with 458 additions and 52 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -49,7 +49,7 @@ jobs:
             rpmvers: 'el/7 el/8 el/9 amazon/2 amazon/2023'
             debvers: 'ubuntu/xenial ubuntu/bionic ubuntu/focal ubuntu/jammy debian/jessie debian/buster debian/bullseye debian/bookworm'
     outputs:
-      tags: ${{ steps.ci_metadata.outputs.tags }}
+      tags: ${{ steps.ci_metadata_ee.outputs.tags }}
       commit_author: ${{ steps.set_outputs.outputs.commit_author}}
     steps:
       - name: Checkout of tyk
@@ -334,7 +334,7 @@ jobs:
         env:
           GH_TOKEN: ${{ github.token }}
         run: |
-          gh release download --repo github.com/tyklabs/tyk-pro --archive tar.gz -O env.tgz
+          gh release download --repo github.com/TykTechnologies/tyk-pro --archive tar.gz -O env.tgz
           mkdir auto && tar --strip-components=1 -C auto -xzvf env.tgz
       - name: env up
         shell: bash

diff --git a/.gitignore b/.gitignore
@@ -61,3 +61,5 @@ tyk_linux_*
 *.test
 
 main
+
+/coprocess/*.pb.go-e
diff --git a/apidef/api_definitions.go b/apidef/api_definitions.go
@@ -808,9 +808,30 @@ type UpstreamOAuth struct {
 	Enabled bool `bson:"enabled" json:"enabled"`
 	// ClientCredentials holds the client credentials for upstream OAuth2 authentication.
 	ClientCredentials ClientCredentials `bson:"client_credentials" json:"client_credentials"`
-	// HeaderName is the custom header name to be used for upstream basic authentication.
+	// PasswordAuthentication holds the configuration for upstream OAauth password authentication flow.
+	PasswordAuthentication PasswordAuthentication `bson:"password_authentication,omitempty" json:"passwordAuthentication,omitempty"`
+}
+
+// PasswordAuthentication holds the configuration for upstream OAuth2 password authentication flow.
+type PasswordAuthentication struct {
+	ClientAuthData
+	// Enabled activates upstream OAuth2 password authentication.
+	Enabled bool `bson:"enabled" json:"enabled"`
+	// Username is the username to be used for upstream OAuth2 password authentication.
+	Username string `bson:"username" json:"username"`
+	// Password is the password to be used for upstream OAuth2 password authentication.
+	Password string `bson:"password" json:"password"`
+	// TokenURL is the resource server's token endpoint
+	// URL. This is a constant specific to each server.
+	TokenURL string `bson:"token_url" json:"token_url"`
+	// Scopes specifies optional requested permissions.
+	Scopes []string `bson:"scopes" json:"scopes,omitempty"`
+	// HeaderName is the custom header name to be used for OAuth password authentication flow.
 	// Defaults to `Authorization`.
-	HeaderName string `bson:"header_name" json:"header_name,omitempty"`
+	HeaderName string `bson:"header_name" json:"header_name"`
+
+	// TokenProvider is the OAuth2 password authentication flow token for internal use.
+	Token *oauth2.Token `bson:"-" json:"-"`
 }
 
 // ClientAuthData holds the client ID and secret for upstream OAuth2 authentication.
@@ -824,11 +845,16 @@ type ClientAuthData struct {
 // ClientCredentials holds the client credentials for upstream OAuth2 authentication.
 type ClientCredentials struct {
 	ClientAuthData
+	// Enabled activates upstream OAuth2 client credentials authentication.
+	Enabled bool `bson:"enabled" json:"enabled"`
 	// TokenURL is the resource server's token endpoint
 	// URL. This is a constant specific to each server.
 	TokenURL string `bson:"token_url" json:"token_url"`
 	// Scopes specifies optional requested permissions.
 	Scopes []string `bson:"scopes" json:"scopes,omitempty"`
+	// HeaderName is the custom header name to be used for OAuth client credential flow authentication.
+	// Defaults to `Authorization`.
+	HeaderName string `bson:"header_name" json:"header_name"`
 
 	// TokenProvider is the OAuth2 token provider for internal use.
 	TokenProvider oauth2.TokenSource `bson:"-" json:"-"`
@@ -1523,6 +1549,9 @@ var Template = template.New("").Funcs(map[string]interface{}{
 	},
 })
 
+// ExternalOAuth support will be deprecated starting from 5.7.0.
+// To avoid any disruptions, we recommend that you use JSON Web Token (JWT) instead,
+// as explained in https://tyk.io/docs/basic-config-and-security/security/authentication-authorization/ext-oauth-middleware/.
 type ExternalOAuth struct {
 	Enabled   bool       `bson:"enabled" json:"enabled"`
 	Providers []Provider `bson:"providers" json:"providers"`

diff --git a/apidef/oas/schema/x-tyk-api-gateway.json b/apidef/oas/schema/x-tyk-api-gateway.json
@@ -1634,6 +1634,7 @@
     },
     "X-Tyk-ExternalOAuth": {
       "type": "object",
+      "description": "Support for external OAuth Middleware will be deprecated starting from 5.7.0. To avoid any disruptions, we recommend that you use JSON Web Token (JWT) instead, as explained in https://tyk.io/docs/basic-config-and-security/security/authentication-authorization/ext-oauth-middleware/",
       "properties": {
         "enabled": {
           "type": "boolean"
@@ -2043,6 +2044,9 @@
         "clientCredentials": {
           "type": "object",
           "properties": {
+            "enabled": {
+              "type": "boolean"
+            },
             "clientId": {
               "type": "string"
             },
@@ -2052,13 +2056,48 @@
             "tokenUrl": {
               "type": "string"
             },
-            "scopes":{
-              "type": ["array", "null"]
+            "scopes": {
+              "type": [
+                "array",
+                "null"
+              ]
+            },
+            "headerName": {
+              "type": "string"
             }
           }
         },
-        "headerName": {
-          "type": "string"
+        "passwordAuthentication": {
+          "type": "object",
+          "properties": {
+            "enabled": {
+              "type": "boolean"
+            },
+            "clientId": {
+              "type": "string"
+            },
+            "clientSecret": {
+              "type": "string"
+            },
+            "tokenUrl": {
+              "type": "string"
+            },
+            "scopes": {
+              "type": [
+                "array",
+                "null"
+              ]
+            },
+            "username": {
+              "type": "string"
+            },
+            "password": {
+              "type": "string"
+            },
+            "headerName": {
+              "type": "string"
+            }
+          }
         }
       }
     }

diff --git a/apidef/oas/security.go b/apidef/oas/security.go
@@ -582,6 +582,9 @@ func (c *IntrospectionCache) ExtractTo(cache *apidef.IntrospectionCache) {
 }
 
 // ExternalOAuth holds configuration for an external OAuth provider.
+// ExternalOAuth support will be deprecated starting from 5.7.0.
+// To avoid any disruptions, we recommend that you use JSON Web Token (JWT) instead,
+// as explained in https://tyk.io/docs/basic-config-and-security/security/authentication-authorization/ext-oauth-middleware/.
 type ExternalOAuth struct {
 	// Enabled activates external oauth functionality.
 	Enabled bool `bson:"enabled" json:"enabled"` // required

diff --git a/apidef/oas/upstream.go b/apidef/oas/upstream.go
@@ -639,34 +639,72 @@ type UpstreamOAuth struct {
 	Enabled bool `bson:"enabled" json:"enabled"`
 	// ClientCredentials holds the configuration for OAuth2 Client Credentials flow.
 	ClientCredentials *ClientCredentials `bson:"clientCredentials,omitempty" json:"clientCredentials,omitempty"`
-	// HeaderName is the custom header name to be used for upstream basic authentication.
+	// PasswordAuthentication holds the configuration for upstream OAauth password authentication flow.
+	PasswordAuthentication *PasswordAuthentication `bson:"passwordAuthentication,omitempty" json:"passwordAuthentication,omitempty"`
+}
+
+// PasswordAuthentication holds the configuration for upstream OAuth2 password authentication flow.
+type PasswordAuthentication struct {
+	ClientAuthData
+	// Enabled activates upstream OAuth2 password authentication.
+	Enabled bool `bson:"enabled" json:"enabled"`
+	// Username is the username to be used for upstream OAuth2 password authentication.
+	Username string `bson:"username" json:"username"`
+	// Password is the password to be used for upstream OAuth2 password authentication.
+	Password string `bson:"password" json:"password"`
+	// TokenURL is the resource server's token endpoint
+	// URL. This is a constant specific to each server.
+	TokenURL string `bson:"tokenURL" json:"tokenURL"`
+	// Scopes specifies optional requested permissions.
+	Scopes []string `bson:"scopes" json:"scopes,omitempty"`
+	// HeaderName is the custom header name to be used for OAuth password authentication flow.
 	// Defaults to `Authorization`.
 	HeaderName string `bson:"headerName" json:"headerName"`
 }
 
-// ClientCredentials holds the configuration for OAuth2 Client Credentials flow.
-type ClientCredentials struct {
+// ClientAuthData holds the client ID and secret for OAuth2 authentication.
+type ClientAuthData struct {
 	// ClientID is the application's ID.
-	ClientID string `bson:"clientID" json:"clientID"`
+	ClientID string `bson:"clientId" json:"clientId"`
 	// ClientSecret is the application's secret.
 	ClientSecret string `bson:"clientSecret" json:"clientSecret"`
+}
+
+// ClientCredentials holds the configuration for OAuth2 Client Credentials flow.
+type ClientCredentials struct {
+	ClientAuthData
+	// Enabled activates upstream OAuth2 client credentials authentication.
+	Enabled bool `bson:"enabled" json:"enabled"`
 	// TokenURL is the resource server's token endpoint
 	// URL. This is a constant specific to each server.
 	TokenURL string `bson:"tokenURL" json:"tokenURL"`
 	// Scopes specifies optional requested permissions.
 	Scopes []string `bson:"scopes,omitempty" json:"scopes,omitempty"`
+	// HeaderName is the custom header name to be used for OAuth client credential flow authentication.
+	// Defaults to `Authorization`.
+	HeaderName string `bson:"headerName" json:"headerName"`
 }
 
 func (c *ClientCredentials) Fill(api apidef.ClientCredentials) {
+	c.Enabled = api.Enabled
 	c.ClientID = api.ClientID
 	c.ClientSecret = api.ClientSecret
 	c.TokenURL = api.TokenURL
 	c.Scopes = api.Scopes
+	c.HeaderName = api.HeaderName
+}
+
+func (p *PasswordAuthentication) Fill(api apidef.PasswordAuthentication) {
+	p.Enabled = api.Enabled
+	p.Username = api.Username
+	p.Password = api.Password
+	p.TokenURL = api.TokenURL
+	p.Scopes = api.Scopes
+	p.HeaderName = api.HeaderName
 }
 
 func (u *UpstreamOAuth) Fill(api apidef.UpstreamOAuth) {
 	u.Enabled = api.Enabled
-	u.HeaderName = api.HeaderName
 
 	if u.ClientCredentials == nil {
 		u.ClientCredentials = &ClientCredentials{}
@@ -675,18 +713,36 @@ func (u *UpstreamOAuth) Fill(api apidef.UpstreamOAuth) {
 	if ShouldOmit(u.ClientCredentials) {
 		u.ClientCredentials = nil
 	}
+
+	if u.PasswordAuthentication == nil {
+		u.PasswordAuthentication = &PasswordAuthentication{}
+	}
+	u.PasswordAuthentication.Fill(api.PasswordAuthentication)
+	if ShouldOmit(u.PasswordAuthentication) {
+		u.PasswordAuthentication = nil
+	}
 }
 
 func (c *ClientCredentials) ExtractTo(api *apidef.ClientCredentials) {
+	api.Enabled = c.Enabled
 	api.ClientID = c.ClientID
 	api.ClientSecret = c.ClientSecret
 	api.TokenURL = c.TokenURL
 	api.Scopes = c.Scopes
+	api.HeaderName = c.HeaderName
+}
+
+func (p *PasswordAuthentication) ExtractTo(api *apidef.PasswordAuthentication) {
+	api.Enabled = p.Enabled
+	api.Username = p.Username
+	api.Password = p.Password
+	api.TokenURL = p.TokenURL
+	api.Scopes = p.Scopes
+	api.HeaderName = p.HeaderName
 }
 
 func (u *UpstreamOAuth) ExtractTo(api *apidef.UpstreamOAuth) {
 	api.Enabled = u.Enabled
-	api.HeaderName = u.HeaderName
 
 	if u.ClientCredentials == nil {
 		u.ClientCredentials = &ClientCredentials{}
@@ -695,4 +751,12 @@ func (u *UpstreamOAuth) ExtractTo(api *apidef.UpstreamOAuth) {
 		}()
 	}
 	u.ClientCredentials.ExtractTo(&api.ClientCredentials)
+
+	if u.PasswordAuthentication == nil {
+		u.PasswordAuthentication = &PasswordAuthentication{}
+		defer func() {
+			u.PasswordAuthentication = nil
+		}()
+	}
+	u.PasswordAuthentication.ExtractTo(&api.PasswordAuthentication)
 }
diff --git a/apidef/schema.go b/apidef/schema.go
@@ -794,6 +794,9 @@ const Schema = `{
 						"client_credentials": {
 							"type": "object",
 							"properties": {
+								"enabled": {
+									"type": "boolean"
+								},
 								"client_id": {
 									"type": "string"
 								},
@@ -805,11 +808,41 @@ const Schema = `{
 								},
 								"scopes":{
 									"type": ["array", "null"]
-								}	
+								},
+								"header_name": {
+									"type": "string"
+								}
 							}
 						},
-						"header_name": {
-							"type": "string"		
+						"password_authentication": {
+						  "type": "object",
+						  "properties": {
+								"enabled": {
+								  "type": "boolean"
+								},
+								"client_id": {
+								  "type": "string"
+								},
+								"client_secret": {
+								  "type": "string"
+								},
+								"username": {
+								  "type": "string"
+								},
+								"password": {
+								  "type": "string"
+								},
+								"token_url": {
+								  "type": "string"
+								},
+								"scopes": {
+								  "type": ["array", "null"]
+								},
+								"header_name": {
+								  "type": "string"
+								}
+							}
+						  }
 						}
 					}
 				}

diff --git a/gateway/handler_success.go b/gateway/handler_success.go
@@ -343,19 +343,16 @@ func recordDetail(r *http.Request, spec *APISpec) bool {
 		}
 	}
 
-	// Are we even checking?
-	if !spec.GlobalConfig.EnforceOrgDataDetailLogging {
-		return spec.GlobalConfig.AnalyticsConfig.EnableDetailedRecording
-	}
-
-	// We are, so get session data
-	session, ok := r.Context().Value(ctx.OrgSessionContext).(*user.SessionState)
-	if ok && session != nil {
-		return session.EnableDetailedRecording || session.EnableDetailRecording // nolint:staticcheck // Deprecated DetailRecording
+	// decide based on org session.
+	if spec.GlobalConfig.EnforceOrgDataDetailLogging {
+		session, ok := r.Context().Value(ctx.OrgSessionContext).(*user.SessionState)
+		if ok && session != nil {
+			return session.EnableDetailedRecording || session.EnableDetailRecording // nolint:staticcheck // Deprecated DetailRecording
+		}
 	}
 
-	// no session found, use global config
-	return spec.GlobalConfig.AnalyticsConfig.EnableDetailedRecording
+	// no org session found, use global config
+	return spec.GraphQL.Enabled || spec.GlobalConfig.AnalyticsConfig.EnableDetailedRecording
 }
 
 // ServeHTTP will store the request details in the analytics store if necessary and proxy the request to it's

diff --git a/gateway/handler_success_test.go b/gateway/handler_success_test.go
@@ -102,6 +102,13 @@ func TestRecordDetail(t *testing.T) {
 			},
 			expect: true,
 		},
+		{
+			title: "graphql request",
+			spec: testAPISpec(func(spec *APISpec) {
+				spec.GraphQL.Enabled = true
+			}),
+			expect: true,
+		},
 	}
 
 	for _, tc := range testcases {