Merge pull request #275 from pranavrd/fix/auth-cos-admin

fix: authorization for cos admin
datakaveri · Sep 20, 2023 · 40315c5 · 40315c5
2 parents 951f1ca + c5bfaf6
commit 40315c5
Show file tree

Hide file tree

Showing 10 changed files with 102 additions and 38 deletions.
diff --git a/configs/config-example.json b/configs/config-example.json
@@ -29,13 +29,12 @@
       "bypassAuth": true
     },
     {
-      "id": "iudx.catalogue.server.authenticator.AuthenticationVerticle",
+       "id": "iudx.catalogue.server.authenticator.AuthenticationVerticle",
       "host": "",
-      "tempCopAudience": "",
+      "consumerHost": "",
       "verticleInstances": 1,
       "authServerHost": "",
       "issuer": "",
-      "tempCopIssuer": "",
       "jwtIgnoreExpiry": true
     },
     {

diff --git a/src/main/java/iudx/catalogue/server/authenticator/Constants.java b/src/main/java/iudx/catalogue/server/authenticator/Constants.java
@@ -5,7 +5,6 @@ public class Constants {
   public static final String AUTH_SERVER_HOST = "authServerHost";
   public static final String UAC_DEPLOYMENT = "isUACInstance";
   public static final String UAC_ADMIN = "uacAdmin";
-  public static final String COP_ADMIN = "copAdmin";
   public static final String KEYCLOACK_HOST = "keycloakServerHost";
   public static final String CERTS_ENDPOINT = "certsEndpoint";
   public static final String DUMMY_TOKEN_KEY = "authDummyToken";
@@ -18,6 +17,7 @@ public class Constants {
   public static final String REQUEST = "request";
   public static final String BODY = "body";
   public static final String RESOURCE_SERVER_URL = "resourceServerRegURL";
+  public static final String RATINGS = "ratings";
 
   public static final String AUTH_SERVER_ERROR = "Error calling the Auth Server";
 

diff --git a/src/main/java/iudx/catalogue/server/authenticator/JwtAuthenticationServiceImpl.java b/src/main/java/iudx/catalogue/server/authenticator/JwtAuthenticationServiceImpl.java
@@ -39,17 +39,15 @@ public class JwtAuthenticationServiceImpl implements AuthenticationService {
 
   final JWTAuth jwtAuth;
   final String audience;
+  final String consumerAudience;
   final String issuer;
-  String tempCopAudience;
-  String tempCopIssuer;
   private Api api;
 
   JwtAuthenticationServiceImpl(final JWTAuth jwtAuth, final JsonObject config, final Api api) {
     this.jwtAuth = jwtAuth;
     this.audience = config.getString("host");
+    this.consumerAudience = config.getString("consumerHost");
     this.issuer = config.getString("issuer");
-    this.tempCopAudience = config.getString("tempCopAudience");
-    this.tempCopIssuer = config.getString("tempCopIssuer");
     this.api = api;
   }
 
@@ -86,12 +84,13 @@ Future<Boolean> isValidAudienceValue(JwtData jwtData, String itemType, String se
       case ITEM_TYPE_RESOURCE:
         isValidAudience = serverUrl != null && serverUrl.equalsIgnoreCase(jwtData.getAud());
         break;
-      default:
+      case RATINGS:
         isValidAudience =
-            tempCopAudience != null && tempCopAudience.equalsIgnoreCase(jwtData.getAud());
+            consumerAudience != null && consumerAudience.equalsIgnoreCase(jwtData.getAud());
+        break;
+      default:
+        isValidAudience = audience != null && audience.equalsIgnoreCase(jwtData.getAud());
         break;
-        //      default:
-        //        isValidAudience = audience != null && audience.equalsIgnoreCase(jwtData.getAud());
     }
 
     if (isValidAudience) {
@@ -214,9 +213,8 @@ public AuthenticationService tokenInterospect(
               result.jwtData = decodeHandler;
 
               // audience for ratings is different from other cos endpoints
-              if (endPoint.equalsIgnoreCase(api.getRouteRating())
-                  && result.jwtData.getAud().equalsIgnoreCase(audience)) {
-                return Future.succeededFuture(true);
+              if (endPoint.equalsIgnoreCase(api.getRouteRating())) {
+                return isValidAudienceValue(result.jwtData, RATINGS, resourceServerRegUrl);
               }
               return isValidAudienceValue(result.jwtData, itemType, resourceServerRegUrl);
             })
@@ -285,8 +283,7 @@ Future<Boolean> isValidItemId(JwtData jwtData, String itemType, String resourceS
       case ITEM_TYPE_OWNER:
       case ITEM_TYPE_COS:
       case ITEM_TYPE_RESOURCE_SERVER:
-        // TODO: change type validation to cos
-        isValidIid = type.equalsIgnoreCase("cop") && server.equalsIgnoreCase(tempCopIssuer);
+        isValidIid = type.equalsIgnoreCase("cos") && server.equalsIgnoreCase(issuer);
         break;
       case ITEM_TYPE_PROVIDER:
       case ITEM_TYPE_RESOURCE_GROUP:
@@ -313,8 +310,7 @@ Future<Boolean> isValidIssuer(JwtData jwtData, String issuer) {
   }
 
   Future<Boolean> isValidAdmin(JwtData jwtData) {
-    // TODO: cop_admin or cos_admin???
-    if (jwtData.getRole().equalsIgnoreCase("cop_admin")) {
+    if (jwtData.getRole().equalsIgnoreCase("cos_admin")) {
       return Future.succeededFuture(true);
     } else if (jwtData.getRole().equalsIgnoreCase("admin")) {
       return Future.succeededFuture(true);

diff --git a/...n/java/iudx/catalogue/server/authenticator/authorization/AuthorizationContextFactory.java b/...n/java/iudx/catalogue/server/authenticator/authorization/AuthorizationContextFactory.java
@@ -26,8 +26,7 @@ public static AuthorizationStratergy create(String role, Api api) {
       case "admin": {
         return AdminAuthStrategy.getInstance(api);
       }
-      // TODO: cop_admin or cos_admin???
-      case "cop_admin": {
+      case "cos_admin": {
         return CosAdminAuthStrategy.getInstance(api);
       }
       default:

diff --git a/src/main/java/iudx/catalogue/server/validator/ValidatorServiceImpl.java b/src/main/java/iudx/catalogue/server/validator/ValidatorServiceImpl.java
@@ -112,7 +112,9 @@ String getReturnTypeForValidation(JsonObject result) {
         .toString();
   }
 
-  /** {@inheritDoc} */
+  /**
+   * {@inheritDoc}
+   * */
   @SuppressWarnings("unchecked")
   public ValidatorService validateSchema(
       JsonObject request, Handler<AsyncResult<JsonObject>> handler) {
@@ -155,7 +157,9 @@ public ValidatorService validateSchema(
     return this;
   }
 
-  /** {@inheritDoc} */
+  /**
+   * {@inheritDoc}
+   * */
   @SuppressWarnings("unchecked")
   @Override
   public ValidatorService validateItem(

diff --git a/src/test/java/iudx/catalogue/server/authenticator/JwtAuthServiceImplTest.java b/src/test/java/iudx/catalogue/server/authenticator/JwtAuthServiceImplTest.java
@@ -50,8 +50,8 @@ static void init(Vertx vertx, VertxTestContext testContext) {
     authConfig = Configuration.getConfiguration("./configs/config-test.json",1);
     String cert = authConfig.getString("cert");
     authConfig.put("dxApiBasePath", "/iudx/cat/v1");
-    authConfig.put("tempCopIssuer", "cop.iudx.io");
-    authConfig.put("tempCopAudience", "cop.iudx.io");
+    authConfig.put("tempCopIssuer", "cos.iudx.io");
+    authConfig.put("tempCopAudience", "cos.iudx.io");
     JWTAuthOptions jwtAuthOptions = new JWTAuthOptions();
     jwtAuthOptions.addPubSecKey(
             new PubSecKeyOptions()
@@ -107,8 +107,8 @@ private JsonObject authJson() {
         .put("id", "iisc.ac.in/89a36273d77dac4cf38114fca1bbe64392547f86")
         .put("apiEndpoint", "/iudx/cat/v1/item")
         .put("itemType", "iudx:Resource")
-        .put("resourceServerRegURL", "cat-test.iudx.io")
-        .put("ownerUserId", "d8e46706-b9db-44e1-a9aa-e40839396b01")
+        .put("resourceServerRegURL", "rs.iudx.io")
+        .put("ownerUserId", "b2c27f3f-2524-4a84-816e-91f9ab23f837")
         .put("method", Method.POST);
     return jsonObject;
   }
@@ -207,7 +207,7 @@ public void decodeJwtCosAdminSuccess(VertxTestContext testContext) {
     jwtAuthenticationService.decodeJwt(JwtTokenHelper.cosAdminToken)
         .onComplete(handler -> {
           if(handler.succeeded()) {
-            assertEquals("cop_admin", handler.result().getRole());
+            assertEquals("cos_admin", handler.result().getRole());
             testContext.completeNow();
           } else {
             testContext.failNow(handler.cause());
@@ -357,7 +357,7 @@ private static Stream<Arguments> itemTypes2() {
   @DisplayName("successful valid iid check - against cos")
   public void validIidCheckAgainstCos(String itemType, VertxTestContext testContext) {
     JwtData jwtData = jwtDataObject();
-    jwtData.setIid("cop:cop.iudx.io");
+    jwtData.setIid("cos:cos.iudx.io");
 
     jwtAuthenticationService.isValidItemId(jwtData, itemType, "")
         .onComplete(handler -> {
@@ -419,7 +419,7 @@ public void invalidIssuerCheck(VertxTestContext testContext) {
   @DisplayName("successful valid admin check")
   public void validAdminCheck(VertxTestContext testContext) {
     JwtData jwtData = jwtDataObject();
-    jwtData.setRole("cop_admin");
+    jwtData.setRole("cos_admin");
 
     jwtAuthenticationService.isValidAdmin(jwtData)
         .onComplete(handler -> {

diff --git a/src/test/java/iudx/catalogue/server/authenticator/JwtTokenHelper.java b/src/test/java/iudx/catalogue/server/authenticator/JwtTokenHelper.java
@@ -3,7 +3,7 @@
 public class JwtTokenHelper {
 
   static String providerToken =
-          "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJkOGU0NjcwNi1iOWRiLTQ0ZTEtYTlhYS1lNDA4MzkzOTZiMDEiLCJpc3MiOiJhdXRodmVydHguaXVkeC5pbyIsImF1ZCI6ImNhdC10ZXN0Lml1ZHguaW8iLCJleHAiOjE2OTI2MzcwNDAsImlhdCI6MTY5MjU5Mzg0MCwiaWlkIjoicnM6Y2F0LXRlc3QuaXVkeC5pbyIsInJvbGUiOiJwcm92aWRlciIsImNvbnMiOnt9fQ.Aoz__P2_FKIbMiMy_3BZyDgyrn2vd_F5Q_o3GwWRxG5CPtkKB_w7jX56JAFnAF8trIEvPjoKt36-Tffho6d5eQ";
+          "eyJpc3MiOiJjb3MuaXVkeC5pbyIsInR5cCI6IkpXVCIsImFsZyI6IkVTMjU2In0.eyJzdWIiOiJiMmMyN2YzZi0yNTI0LTRhODQtODE2ZS05MWY5YWIyM2Y4MzciLCJpc3MiOiJjb3MuaXVkeC5pbyIsImF1ZCI6InJzLml1ZHguaW8iLCJleHAiOjE2OTUyNTI0ODIsImlhdCI6MTY5NTIwOTI4MiwiaWlkIjoicnM6cnMuaXVkeC5pbyIsInJvbGUiOiJwcm92aWRlciIsImNvbnMiOnt9fQ.msk3fG84GiwSOsUB6W7cDBO4QC8bYFgZAuYQz-8-NQlrZsNMEOXM-ioKQrcSh9oxxsrVYh0qe6KFZTUTEusmlw";
 
   static String delegateToken =
           "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJjMTc2MGY1Mi1iYWI4LTQwZTQtYjA5ZC04NmMxZDMxNDZmMTciLCJpc3MiOiJhdXRodmVydHguaXVkeC5pbyIsImF1ZCI6InJzLml1ZHguaW8iLCJleHAiOjE4ODYxNDU1MTIsImlhdCI6MTY4NjEzNTUxMiwiaWlkIjoicnM6cnMuaXVkeC5pbyIsInJvbGUiOiJkZWxlZ2F0ZSIsImRpZCI6ImIyYzI3ZjNmLTI1MjQtNGE4NC04MTZlLTkxZjlhYjIzZjgzNyIsImRybCI6InByb3ZpZGVyIiwiY29ucyI6e319.4fxcUA0PrG2QRD6KDhEeuMiVrEgVREHXeJm9g-ikuYzfXA7zU_QvhRG-3T_y2xuPbO6TyKKhxdyIKbsy-uLMzQ";
@@ -12,5 +12,5 @@ public class JwtTokenHelper {
           "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJmZDQ3NDg2Yi0zNDk3LTQyNDgtYWMxZS0wODJlNGQzN2E2NmMiLCJpc3MiOiJhdXRodmVydHguaXVkeC5pbyIsImF1ZCI6ImNhdC10ZXN0Lml1ZHguaW8iLCJleHAiOjE2OTI4MTc1MzQsImlhdCI6MTY5Mjc3NDMzNCwiaWlkIjoicnM6Y2F0LXRlc3QuaXVkeC5pbyIsInJvbGUiOiJhZG1pbiIsImNvbnMiOnt9fQ.BVnfycKs28eF8QAfxeXgP52n3g-3JOZS0ZteJ_VQxRQa7iQdLnEfjB5vm8y0gnJnif1_zAkDEC_Sb20kiXPAaA";
 
   static String cosAdminToken =
-      "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJmZDQ3NDg2Yi0zNDk3LTQyNDgtYWMxZS0wODJlNGQzN2E2NmMiLCJpc3MiOiJhdXRodmVydHguaXVkeC5pbyIsImF1ZCI6ImNvcC5pdWR4LmlvIiwiZXhwIjoxODg2MTM1NTEyLCJpYXQiOjE2ODYxMzU1MTIsImlpZCI6ImNvcDpjb3AuaXVkeC5pbyIsInJvbGUiOiJjb3BfYWRtaW4iLCJjb25zIjp7fX0.NUAk8Ie5kUfyWo6zPay2cJPd9ZXs75pLtsa_nXeuXnJJ6ww51DPRFaS4hJe0Qj7_IV__2QxufnTUsltFYv2SDQ";
+      "eyJpc3MiOiJjb3MuaXVkeC5pbyIsInR5cCI6IkpXVCIsImFsZyI6IkVTMjU2In0.eyJzdWIiOiJiMmMyN2YzZi0yNTI0LTRhODQtODE2ZS05MWY5YWIyM2Y4MzciLCJpc3MiOiJjb3MuaXVkeC5pbyIsImF1ZCI6ImNvcy5pdWR4LmlvIiwiZXhwIjoxNjk1MjUxNTQzLCJpYXQiOjE2OTUyMDgzNDMsImlpZCI6ImNvczpjb3MuaXVkeC5pbyIsInJvbGUiOiJjb3NfYWRtaW4iLCJjb25zIjp7fX0.1nW4ERu6f3XqL2pdf4xrKYDfxS3-W3lQgUtVVnV47BCPR-BCodrB6pMBhekZByzwyJsZiXZSKlgARX83XW4Ilw";
 }
diff --git a/src/test/java/iudx/catalogue/server/authenticator/KCAuthServiceImplTest.java b/src/test/java/iudx/catalogue/server/authenticator/KCAuthServiceImplTest.java
@@ -62,10 +62,10 @@ public void TestTokenIntrospect(Vertx vertx, VertxTestContext testContext) {
             .put(METHOD, Method.POST.toString())
             .put(TOKEN, "")
             .put(ITEM_TYPE, ITEM_TYPE_PROVIDER)
-            .put(RESOURCE_SERVER_URL, "cop.iudx.io");
+            .put(RESOURCE_SERVER_URL, "cos.iudx.io");
 
     JwtData jwtData = new JwtData();
-    jwtData.setIss("authvertx.iudx.io");
+    jwtData.setIss("cos.iudx.io");
     doAnswer(Answer -> Future.succeededFuture(jwtData))
         .when(kcAuthenticationServiceSpy)
         .decodeKcToken(anyString());
@@ -141,7 +141,7 @@ private JWTClaimsSet jwtClaimsSetBuilder() throws ParseException {
             + "\t\"aud\": \"account\",\n"
             + "\t\"sub\": \"dummy-admin-id\",\n"
             + "\t\"typ\": \"Bearer\",\n"
-            + "\t\"clientId\": \"cop.iudx.io\"\n"
+            + "\t\"clientId\": \"cos.iudx.io\"\n"
             + "}");
   }
 
@@ -170,7 +170,7 @@ public void TestisValidUAC(Vertx vertx, VertxTestContext testContext) throws Par
 
     JWTClaimsSet jwtClaimsSet = jwtClaimsSetBuilder();
     JwtData jwtData = new JwtData(new JsonObject(jwtClaimsSet.toString()));
-    Util.isValidAdmin("cop.iudx.io", jwtData, true)
+    Util.isValidAdmin("cos.iudx.io", jwtData, true)
         .onComplete(
             handler -> {
               if (handler.succeeded()) {

diff --git a/...va/iudx/catalogue/server/authenticator/authorization/AuthorizationContextFactoryTest.java b/...va/iudx/catalogue/server/authenticator/authorization/AuthorizationContextFactoryTest.java
@@ -63,7 +63,7 @@ public void testCreateDelegate(VertxTestContext vertxTestContext) {
     @Description("test create for cop admin")
     public void testCreateCopAdmin(VertxTestContext testContext) {
         authorizationContextFactory=new AuthorizationContextFactory();
-        String role="cop_admin";
+        String role="cos_admin";
         delegateAuthStrategy= DelegateAuthStrategy.getInstance(this.api);
         assertFalse(delegateAuthStrategy.isAuthorized(authRequest));
         assertNotNull(AuthorizationContextFactory.create(role,this.api));

diff --git a/src/test/resources/iudx-catalogue-server-v5.0.0.postman_collection.json b/src/test/resources/iudx-catalogue-server-v5.0.0.postman_collection.json
@@ -45,7 +45,7 @@
 						],
 						"body": {
 							"mode": "raw",
-							"raw": "{\n  \"itemId\": \"cat-test.iudx.io\",\n  \"itemType\": \"resource_server\",\n  \"role\": \"consumer\"\n}",
+							"raw": "{\n  \"itemId\": \"rs.iudx.io\",\n  \"itemType\": \"resource_server\",\n  \"role\": \"consumer\"\n}",
 							"options": {
 								"raw": {
 									"language": "json"
@@ -197,6 +197,72 @@
 						}
 					},
 					"response": []
+				},
+				{
+					"name": "Get Cos ADMIN token",
+					"event": [
+						{
+							"listen": "test",
+							"script": {
+								"exec": [
+									"var jsonData = JSON.parse(responseBody);",
+									"pm.environment.set(\"cosAdminToken\", jsonData.results.accessToken);",
+									"postman.setEnvironmentVariable(\"cosAdminToken\", jsonData.results.accessToken);"
+								],
+								"type": "text/javascript"
+							}
+						}
+					],
+					"request": {
+						"auth": {
+							"type": "noauth"
+						},
+						"method": "POST",
+						"header": [
+							{
+								"key": "clientId",
+								"value": "{{providerClientID}}",
+								"type": "text"
+							},
+							{
+								"key": "clientSecret",
+								"value": "{{providerClientSecret}}",
+								"type": "text"
+							},
+							{
+								"key": "Cache-Control",
+								"value": "no-cache, no-store, must-revalidate",
+								"type": "text"
+							},
+							{
+								"key": "",
+								"value": "",
+								"type": "text",
+								"disabled": true
+							}
+						],
+						"body": {
+							"mode": "raw",
+							"raw": "{\n  \"itemId\": \"cos.iudx.io\", \n  \"itemType\": \"cos\",\n  \"role\": \"cos_admin\"\n}",
+							"options": {
+								"raw": {
+									"language": "json"
+								}
+							}
+						},
+						"url": {
+							"raw": "https://{{auth-url}}/{{dxAuthBasePath}}/token",
+							"protocol": "https",
+							"host": [
+								"{{auth-url}}"
+							],
+							"path": [
+								"{{dxAuthBasePath}}",
+								"token"
+							]
+						}
+					},
+					"response": []
 				}
 			]
 		},