Client Assertion (public key) maintenance (#808)

Co-authored-by: Joshua Jones <joshua@general-metrics.com>
bcgov · May 17, 2023 · bbc11e6 · bbc11e6
1 parent a6f9f29
commit bbc11e6
Show file tree

Hide file tree

Showing 35 changed files with 1,241 additions and 46 deletions.
diff --git a/src/authz/graphql-whitelist/httplocalhost4180devportalaccess-0c2f56.gql b/src/authz/graphql-whitelist/httplocalhost4180devportalaccess-0c2f56.gql
@@ -0,0 +1,43 @@
+
+  query GetMyServiceAccesses {
+    myServiceAccesses(where: { productEnvironment_is_null: false }) {
+      id
+      name
+      active
+      credentialReference
+      application {
+        name
+      }
+      productEnvironment {
+        id
+        name
+        flow
+        product {
+          id
+          name
+        }
+        credentialIssuer {
+          clientAuthenticator
+        }
+      }
+    }
+    myAccessRequests(
+      where: { productEnvironment_is_null: false, serviceAccess_is_null: true }
+    ) {
+      id
+      application {
+        name
+      }
+      productEnvironment {
+        id
+        name
+        product {
+          id
+          name
+        }
+      }
+      isComplete
+      isApproved
+      isIssued
+    }
+  }
diff --git a/src/authz/graphql-whitelist/httplocalhost4180devportalaccess-b680e8.gql b/src/authz/graphql-whitelist/httplocalhost4180devportalaccess-b680e8.gql
@@ -0,0 +1,9 @@
+
+  mutation UpdateServiceAccessCredential(
+    $id: ID!
+    $controls: CredentialReferenceUpdateInput
+  ) {
+    updateServiceAccessCredential(id: $id, controls: $controls) {
+      credential
+    }
+  }
diff --git a/src/authz/graphql-whitelist/httplocalhost4180devportalapidirectorypreviewfalse-f0c654.gql b/src/authz/graphql-whitelist/httplocalhost4180devportalapidirectorypreviewfalse-f0c654.gql
@@ -0,0 +1,63 @@
+
+  query GetAccessRequestForm($id: ID!) {
+    allProductsByNamespace(where: { id: $id }) {
+      id
+      name
+      environments {
+        id
+        approval
+        name
+        active
+        flow
+        additionalDetailsToRequest
+        legal {
+          title
+          description
+          link
+          reference
+        }
+        credentialIssuer {
+          clientAuthenticator
+        }
+      }
+    }
+    allDiscoverableProducts(where: { id: $id }) {
+      id
+      name
+      environments {
+        id
+        approval
+        name
+        active
+        flow
+        additionalDetailsToRequest
+        legal {
+          title
+          description
+          link
+          reference
+        }
+        credentialIssuer {
+          clientAuthenticator
+        }
+      }
+    }
+    myApplications {
+      id
+      appId
+      name
+      owner {
+        name
+      }
+    }
+    mySelf {
+      legalsAgreed
+    }
+    allTemporaryIdentities {
+      id
+      userId
+      name
+      providerUsername
+      email
+    }
+  }
diff --git a/src/authz/matrix.csv b/src/authz/matrix.csv
@@ -200,6 +200,7 @@ API Owner Role - All Fields,,,,,read,,*,,,,"api-owner,provider-user",allow,
 API Owner Role - All Fields,,,,,"update,create",,*,,api-owner,,,allow,
 Portal User,,DiscoverableProduct,,,,,,,portal-user,,,allow,
 Portal User,,myServiceAccesses,,,,,,,portal-user,,,allow,filterByAppOwner
+Portal User,,updateServiceAccessCredential,,,,,,,portal-user,,,allow,filterByAppOwner
 Portal User,,regenerateCredentials,,,,,,,portal-user,,,allow,filterByAppOwner
 Portal User,,myApplications,,,,,,,portal-user,,,allow,filterByOwner
 API Owner Role Rules,,allGatewayServicesByNamespace,,,,,,,,,"api-owner,provider-user",allow,filterByUserNS

diff --git a/src/lists/extensions/CredentialRegenerate.ts → src/lists/extensions/ServiceAccess.ts b/src/lists/extensions/CredentialRegenerate.ts → src/lists/extensions/ServiceAccess.ts
@@ -5,21 +5,47 @@ import {
   lookupCredentialReferenceByServiceAccess,
 } from '../../services/keystone';
 import { EnforcementPoint } from '../../authz/enforcement';
-import { KeycloakClientService } from '../../services/keycloak';
+import {
+  ClientAuthenticator,
+  KeycloakClientService,
+} from '../../services/keycloak';
 import {
   CredentialReference,
   NewCredential,
 } from '../../services/workflow/types';
 import { getEnvironmentContext } from '../../services/workflow/get-namespaces';
 import { replaceApiKey } from '../../services/workflow/kong-api-key-replace';
+import { strict as assert } from 'assert';
+import { UpdateCredentials } from '../../services/workflow';
+
+const typeCredentialReferenceUpdateInput = `
+input CredentialReferenceUpdateInput {
+    clientCertificate: String,
+    jwksUrl: String
+}
+`;
 
 module.exports = {
   extensions: [
     (keystone: any) => {
       keystone.extendGraphQLSchema({
-        types: [],
+        types: [{ type: typeCredentialReferenceUpdateInput }],
         queries: [],
         mutations: [
+          {
+            schema:
+              'updateServiceAccessCredential(id: ID!, controls: CredentialReferenceUpdateInput): AccessRequest',
+            resolver: async (
+              item: any,
+              args: any,
+              context: any,
+              info: any,
+              { query, access }: any
+            ) => {
+              return await UpdateCredentials(context, args.id, args.controls);
+            },
+            access: EnforcementPoint,
+          },
           {
             schema: 'regenerateCredentials(id: ID!): AccessRequest',
             resolver: async (

diff --git a/src/mocks/handlers.js b/src/mocks/handlers.js
@@ -20,6 +20,7 @@ import {
   fullfillRequestHandler,
   gatewayServicesHandler,
   getAccessRequestsHandler,
+  getAccessRequestForm,
   getAllConsumerGroupLabelsHandler,
   getConsumersHandler,
   getConsumerHandler,
@@ -73,6 +74,8 @@ import { handleAllDatasets } from './resolvers/datasets';
 import {
   createServiceAccountHandler,
   getAllServiceAccountsHandler,
+  updateMyServiceAccessHandlers,
+  getMyServiceAccessHandlers,
 } from './resolvers/service-accounts';
 import {
   allServicesHandler,
@@ -229,6 +232,7 @@ export const handlers = [
   keystone.query('GetAccessRequests', getAccessRequestsHandler),
   keystone.query('GetConsumerEditDetails', getConsumerProdEnvAccessHandler),
   keystone.query('GetAccessRequestAuth', accessRequestAuthHandler),
+  keystone.query('GetAccessRequestForm', getAccessRequestForm),
   keystone.query('GetFilterConsumers', getConsumersFilterHandler),
   keystone.query('GetAllConsumerGroupLabels', getAllConsumerGroupLabelsHandler),
   keystone.query('GetControlContent', gatewayServicesHandler),
@@ -259,6 +263,7 @@ export const handlers = [
   // Applications
   keystone.query('MyApplications', allApplicationsHandler),
   keystone.query('GetApplicationServices', getApplicationServicesHandler),
+  keystone.query('ApplicationSelectApplications', allApplicationsHandler),
   keystone.mutation('AddApplication', createApplicationHandler),
   keystone.mutation('UpdateApplication', updateApplicationHandler),
   keystone.mutation('RemoveApplication', removeApplicationHandler),
@@ -268,6 +273,11 @@ export const handlers = [
   keystone.query('GetMetrics', getMetricsHandler),
   // Service accounts
   keystone.query('GetAllServiceAccounts', getAllServiceAccountsHandler),
+  keystone.query('GetMyServiceAccesses', getMyServiceAccessHandlers),
+  keystone.mutation(
+    'UpdateServiceAccessCredential',
+    updateMyServiceAccessHandlers
+  ),
   keystone.query('GetGatewayService', getGatewayServiceHandler),
   keystone.query('GetGatewayServiceFilters', getGatewayServiceFilterHandler),
   keystone.mutation('CreateServiceAccount', createServiceAccountHandler),

diff --git a/src/mocks/resolvers/consumers.js b/src/mocks/resolvers/consumers.js
@@ -607,3 +607,70 @@ export const getAllConsumerGroupLabelsHandler = (_, res, ctx) => {
     })
   );
 };
+
+export const getAccessRequestForm = (_, res, ctx) => {
+  return res(
+    ctx.data({
+      allProductsByNamespace: [],
+      allDiscoverableProducts: [
+        {
+          id: 'p1',
+          name: 'eRX Demo API',
+          environments: [
+            {
+              id: 'e1',
+              approval: true,
+              name: 'dev',
+              active: true,
+              flow: 'kong-api-key-acl',
+              additionalDetailsToRequest: '',
+              legal: {
+                title: 'Terms of Use for API Gateway',
+                description: null,
+                link:
+                  'https://www2.gov.bc.ca/gov/content/data/open-data/api-terms-of-use-for-ogl-information',
+                reference: 'terms-of-use-for-api-gateway-1',
+              },
+              credentialIssuer: null,
+            },
+            {
+              id: 'e2',
+              approval: true,
+              name: 'prod',
+              active: true,
+              flow: 'client-credentials',
+              additionalDetailsToRequest: '',
+              legal: null,
+              credentialIssuer: {
+                clientAuthenticator: 'client-jwt-jwks-url',
+              },
+            },
+          ],
+        },
+      ],
+      myApplications: [
+        {
+          id: '111',
+          appId: 'appID1111',
+          name: 'Demo App',
+          owner: {
+            name: 'XT:Jones, Joshua CITZ:IN',
+          },
+        },
+      ],
+      mySelf: {
+        legalsAgreed:
+          '[{"reference":"terms-of-use-for-api-gateway-1","agreedTimestamp":"2023-05-01T18:02:22.973Z"}]',
+      },
+      allTemporaryIdentities: [
+        {
+          id: 'temp1',
+          userId: '2',
+          name: 'XT:Jones, Joshua CITZ:IN',
+          providerUsername: 'JOSHJONE',
+          email: 'joshua@general-metrics.com',
+        },
+      ],
+    })
+  );
+};