feat(prism-agent): add JWT auth support for agent-admin role #840

Merged
merged 23 commits into from
Jan 12, 2024

@patlo-iog patlo-iog commented Jan 11, 2024

Overview

ATL-6074. This PR adds a concept of EntityRole to Entity and KeycloakEntity to implement the admin role auth of both JWT and admin-api-key following this ADR.

Checklist

My PR contains...

  • No code changes (changes to documentation, CI, metadata, etc.)
  • Bug fixes (non-breaking change which fixes an issue)
  • Improvements (misc. changes to existing features)
  • Features (non-breaking change which adds functionality)

My changes...

  • are breaking changes
  • are not breaking changes
  • If yes to above: I have updated the documentation accordingly

Documentation

  • My changes do not require a change to the project documentation
  • My changes require a change to the project documentation
  • If yes to above: I have updated the documentation accordingly

Tests

  • My changes can not or do not need to be tested
  • My changes can and should be tested by unit and/or integration tests
  • If yes to above: I have added tests to cover my changes
  • If yes to above: I have taken care to cover edge cases in my tests

github-actions bot commented Jan 11, 2024

Integration Test Results

11 files  ±0  11 suites  ±0   2s ⏱️ ±0s
24 tests ±0  24 ✅ ±0  0 💤 ±0  0 ❌ ±0 
25 runs  ±0  25 ✅ ±0  0 💤 ±0  0 ❌ ±0 

Results for commit 4c459e3. ± Comparison against base commit b48fe3c.

♻️ This comment has been updated with latest results.

@patlo-iog patlo-iog force-pushed the feat/admin-role-jwt branch 2 times, most recently from f0bba4c to 71f31bb Compare January 11, 2024 10:38

github-actions bot commented Jan 11, 2024

Unit Test Results

 85 files  ±0   85 suites  ±0   20m 10s ⏱️ -54s
719 tests +6  711 ✅ +6  8 💤 ±0  0 ❌ ±0 
725 runs  +6  717 ✅ +6  8 💤 ±0  0 ❌ ±0 

Results for commit 4c459e3. ± Comparison against base commit b48fe3c.

This pull request removes 8 and adds 14 tests. Note that renamed tests count towards both.
io.iohk.atala.iam.authentication.oidc.KeycloakAuthenticatorSpec ‑ KeycloakAuthenticatorSepc - authenticate - allow token with a permitted wallet
io.iohk.atala.iam.authentication.oidc.KeycloakAuthenticatorSpec ‑ KeycloakAuthenticatorSepc - authenticate - reject expired token
io.iohk.atala.iam.authentication.oidc.KeycloakAuthenticatorSpec ‑ KeycloakAuthenticatorSepc - authenticate - reject malformed token
io.iohk.atala.iam.authentication.oidc.KeycloakAuthenticatorSpec ‑ KeycloakAuthenticatorSepc - authenticate - reject token with a wallet that doesn't exist
io.iohk.atala.iam.authentication.oidc.KeycloakAuthenticatorSpec ‑ KeycloakAuthenticatorSepc - authenticate - reject token with multiple permitted wallets
io.iohk.atala.iam.authentication.oidc.KeycloakAuthenticatorSpec ‑ KeycloakAuthenticatorSepc - authenticate - reject token with no permitted wallet
io.iohk.atala.iam.authentication.oidc.KeycloakAuthenticatorSpec ‑ KeycloakAuthenticatorSepc - authenticate with auto-upgrade RPT disabled - accecpt RPT token with a permitted wallet
io.iohk.atala.iam.authentication.oidc.KeycloakAuthenticatorSpec ‑ KeycloakAuthenticatorSepc - authenticate with auto-upgrade RPT disabled - reject non-RPT token
io.iohk.atala.iam.authentication.SecurityLogicSpec ‑  - authorizeRole accept if the role is matched
io.iohk.atala.iam.authentication.SecurityLogicSpec ‑  - authorizeRole reject if the role is not matched
io.iohk.atala.iam.authentication.oidc.KeycloakAuthenticatorSpec ‑ KeycloakAuthenticatorSepc - authenticate - authenticate entity with multiple role not support
io.iohk.atala.iam.authentication.oidc.KeycloakAuthenticatorSpec ‑ KeycloakAuthenticatorSepc - authenticate - authenticate entity with specified role
io.iohk.atala.iam.authentication.oidc.KeycloakAuthenticatorSpec ‑ KeycloakAuthenticatorSepc - authenticate - authenticate entity with tenant role if not specified
io.iohk.atala.iam.authentication.oidc.KeycloakAuthenticatorSpec ‑ KeycloakAuthenticatorSepc - authorizeWalletAccess - admin role is not authorized for wallet access
io.iohk.atala.iam.authentication.oidc.KeycloakAuthenticatorSpec ‑ KeycloakAuthenticatorSepc - authorizeWalletAccess - allow token with a permitted wallet
io.iohk.atala.iam.authentication.oidc.KeycloakAuthenticatorSpec ‑ KeycloakAuthenticatorSepc - authorizeWalletAccess - reject expired token
io.iohk.atala.iam.authentication.oidc.KeycloakAuthenticatorSpec ‑ KeycloakAuthenticatorSepc - authorizeWalletAccess - reject malformed token
io.iohk.atala.iam.authentication.oidc.KeycloakAuthenticatorSpec ‑ KeycloakAuthenticatorSepc - authorizeWalletAccess - reject token with a wallet that doesn't exist
…

♻️ This comment has been updated with latest results.

@patlo-iog patlo-iog force-pushed the feat/admin-role-jwt branch 7 times, most recently from 3e637a9 to e9fce5f Compare January 11, 2024 12:17
Signed-off-by: Pat Losoponkul <pat.losoponkul@iohk.io>
@patlo-iog patlo-iog changed the title feat(prism-agent): add JWT auth support for agent-admin role [WIP] feat(prism-agent): add JWT auth support for agent-admin role Jan 11, 2024
@patlo-iog patlo-iog marked this pull request as ready for review January 11, 2024 12:26

@yshyn-iohk yshyn-iohk left a comment

Good job, @patlo-iog!

Signed-off-by: Pat Losoponkul <pat.losoponkul@iohk.io>

sonarcloud bot commented Jan 12, 2024

Quality Gate passed

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
No data about Coverage
0.9% Duplication on New Code

@patlo-iog patlo-iog merged commit 3ccd56e into main Jan 12, 2024
11 checks passed
@patlo-iog patlo-iog deleted the feat/admin-role-jwt branch January 12, 2024 08:11
shotexa pushed a commit that referenced this pull request Mar 6, 2024
Signed-off-by: Pat Losoponkul <pat.losoponkul@iohk.io>
shotexa pushed a commit that referenced this pull request Mar 6, 2024
Signed-off-by: Pat Losoponkul <pat.losoponkul@iohk.io>
Signed-off-by: Shota Jolbordi <shota.jolbordi@iohk.io>
shotexa pushed a commit that referenced this pull request Mar 18, 2024
Signed-off-by: Pat Losoponkul <pat.losoponkul@iohk.io>
Signed-off-by: Shota Jolbordi <shota.jolbordi@iohk.io>