Signed-off-by: Dominik Pinsel <dominik.pinsel@daimler.com> Co-authored-by: Paul Latzelsperger <43503240+paullatzelsperger@users.noreply.github.com>
1 parent
385be86
commit a0d6d42
Showing
5 changed files
with
153 additions
and
1 deletion.
@@ -0,0 +1,21 @@ | ||
# Token Based Authentication Service | ||
|
||
The token based authentication service extension is used to secure connector APIs. These APIs are not protected by the `AuthenticationService` by default. To find out how a specific API is protected please consult its documentation. | ||
|
||
APIs, protected by this extension, require a client to authenticate by adding a authentication key to the request header. | ||
|
||
Authentication Header Example: | ||
``` | ||
curl <url> --header "X-API-Key: <key>" | ||
``` | ||
|
||
## Configuration | ||
|
||
| Key | Description | Required | | ||
|:-----------------------|:-------------------------------------------------------------|:---------| | ||
| edc.api.auth.key | API Key Header Value | false | | ||
| edc.api.auth.key.alias | Secret name of the API Key Header Value, stored in the vault | false | | ||
|
||
- If the API key is stored in the Vault _and_ in the configuration, the extension will take the key from the vault. | ||
|
||
- If no API key is defined, a random value is generated and printed out into the logs. |
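--- a/...t/java/org/eclipse/dataspaceconnector/api/auth/TokenBasedAuthenticationExtensionTest.java
+++ b/...t/java/org/eclipse/dataspaceconnector/api/auth/TokenBasedAuthenticationExtensionTest.java
@@ -0,0 +1,105 @@
+/*
+* Copyright (c) 2022 Mercedes-Benz Tech Innovation GmbH
+*
+* This program and the accompanying materials are made available under the
+* terms of the Apache License, Version 2.0 which is available at
+* https://www.apache.org/licenses/LICENSE-2.0
+*
+* SPDX-License-Identifier: Apache-2.0
+*
+* Contributors:
+* Mercedes-Benz Tech Innovation GmbH - initial implementation
+*
+*/
+
+package org.eclipse.dataspaceconnector.api.auth;
+
+import org.eclipse.dataspaceconnector.junit.extensions.DependencyInjectionExtension;
+import org.eclipse.dataspaceconnector.spi.security.Vault;
+import org.eclipse.dataspaceconnector.spi.system.ServiceExtensionContext;
+import org.eclipse.dataspaceconnector.spi.system.injection.ObjectFactory;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+
+import static org.mockito.Mockito.anyString;
+import static org.mockito.Mockito.eq;
+import static org.mockito.Mockito.isNull;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.spy;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+@ExtendWith(DependencyInjectionExtension.class)
+public class TokenBasedAuthenticationExtensionTest {
+
+private TokenBasedAuthenticationExtension extension;
+
+private static final String AUTH_SETTING_APIKEY = "edc.api.auth.key";
+
+private static final String AUTH_SETTING_APIKEY_ALIAS = "edc.api.auth.key.alias";
+
+private static final String VAULT_KEY = "foo";
+
+private Vault vaultMock;
+private ServiceExtensionContext serviceExtensionContextMock;
+
+@BeforeEach
+void setup(ServiceExtensionContext context, ObjectFactory factory) {
+
+serviceExtensionContextMock = spy(context); //used to inject the config
+vaultMock = mock(Vault.class);
+
+context.registerService(Vault.class, vaultMock);
+context.registerService(ServiceExtensionContext.class, serviceExtensionContextMock);
+
+when(vaultMock.resolveSecret(VAULT_KEY)).thenReturn("foo");
+
+extension = factory.constructInstance(TokenBasedAuthenticationExtension.class);
+}
+
+@Test
+public void testPrimaryMethod_loadKeyFromVault() {
+setAuthSettingApiKeyAlias(VAULT_KEY);
+setAuthSettingApiKey("bar");
+
+extension.initialize(serviceExtensionContextMock);
+
+verify(serviceExtensionContextMock, never())
+.getSetting(eq(AUTH_SETTING_APIKEY), anyString());
+
+verify(serviceExtensionContextMock, times(1))
+.getSetting(AUTH_SETTING_APIKEY_ALIAS, null);
+
+verify(vaultMock, times(1)).resolveSecret(VAULT_KEY);
+}
+
+@Test
+public void testSecondaryMethod_loadKeyFromConfig() {
+
+setAuthSettingApiKeyAlias(null);
+setAuthSettingApiKey("bar");
+
+extension.initialize(serviceExtensionContextMock);
+
+verify(serviceExtensionContextMock, times(1))
+.getSetting(eq(AUTH_SETTING_APIKEY), anyString());
+
+verify(serviceExtensionContextMock, times(1))
+.getSetting(AUTH_SETTING_APIKEY_ALIAS, null);
+
+verify(vaultMock, times(0)).resolveSecret(anyString());
+}
+
+private void setAuthSettingApiKey(String value) {
+when(serviceExtensionContextMock.getSetting(eq(AUTH_SETTING_APIKEY), anyString()))
+.thenReturn(value);
+}
+
+private void setAuthSettingApiKeyAlias(String value) {
+when(serviceExtensionContextMock.getSetting(eq(AUTH_SETTING_APIKEY_ALIAS), isNull()))
+.thenReturn(value);
+}
+}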
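Review bot: Both tests only verify which lookups happen (`getSetting`, `resolveSecret`) and never assert which key the extension ends up enforcing, so a regression that resolves the secret and then discards it, or enforces a different value, would still pass. `VAULT_KEY` and the stubbed secret are both "foo", which would also hide an alias-versus-secret mix-up; stub a distinct value, e.g. `when(vaultMock.resolveSecret(VAULT_KEY)).thenReturn("vault-secret");`, and assert on the effective key or on a request that carries it. Two branches have no test: an alias whose secret the vault cannot resolve (presumably `resolveSecret` returning null), and the case with neither setting, where the README in this commit says a random key is generated and printed to the logs. The extension's implementation is not shown on this page, so how those branches behave is an assumption to confirm. A fallback test should at least pin that the generated key is non-empty and differs between initialisations, and the log line deserves a second look because it places a working credential in log storage.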