From 9cbdce5cb2c2f0a5b970544402c518089e8fd31d Mon Sep 17 00:00:00 2001 From: JonasVHG <4658984+JonasVHG@users.noreply.github.com> Date: Mon, 18 Nov 2024 14:03:52 +0100 Subject: [PATCH 01/10] always assume keycloak is enabled --- app/JsonDocumentFetcherProvider.php | 2 +- app/RoutingServiceProvider.php | 7 +++---- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/app/JsonDocumentFetcherProvider.php b/app/JsonDocumentFetcherProvider.php index b2b79228..109eda0a 100644 --- a/app/JsonDocumentFetcherProvider.php +++ b/app/JsonDocumentFetcherProvider.php @@ -33,7 +33,7 @@ public function register(): void private function getTokenGenerator(): TokenGenerator { - if ($this->parameter('keycloak.enabled')) { + if (true) { return new KeycloakTokenGenerator( new Client(), $this->parameter('keycloak.domain'), diff --git a/app/RoutingServiceProvider.php b/app/RoutingServiceProvider.php index 3e0c7ba5..16247a4c 100644 --- a/app/RoutingServiceProvider.php +++ b/app/RoutingServiceProvider.php @@ -54,8 +54,7 @@ function (): Router { $metadataGenerator = $this->getMetadataGenerator(); - $pemFile = $this->parameter('keycloak.enabled') ? - $this->parameter('keycloak.pem_file') : $this->parameter('auth0.pem_file'); + $pemFile = $this->parameter('keycloak.pem_file'); $authenticateRequest = new AuthenticateRequest( $this->getLeagueContainer(), new CultureFeed($oauthClient), @@ -127,7 +126,7 @@ function (): Router { private function getManagementTokenProvider(): ManagementTokenProvider { - if ($this->parameter('keycloak.enabled')) { + if (true) { return new ManagementTokenProvider( new KeycloakTokenGenerator( new Client(), @@ -156,7 +155,7 @@ private function getManagementTokenProvider(): ManagementTokenProvider private function getMetadataGenerator(): MetadataGenerator { - if ($this->parameter('keycloak.enabled')) { + if (true) { return new KeycloakMetadataGenerator( new Client([ 'http_errors' => false, From 11e544cd026b5f3f472a0e59642c1c194c4bedcf Mon Sep 17 00:00:00 2001 From: JonasVHG <4658984+JonasVHG@users.noreply.github.com> Date: Mon, 18 Nov 2024 14:06:25 +0100 Subject: [PATCH 02/10] remove all references to Auth0TokenGenerator --- app/JsonDocumentFetcherProvider.php | 25 ++++------------ app/RoutingServiceProvider.php | 46 +++++++---------------------- 2 files changed, 16 insertions(+), 55 deletions(-) diff --git a/app/JsonDocumentFetcherProvider.php b/app/JsonDocumentFetcherProvider.php index 109eda0a..4a8aaf7c 100644 --- a/app/JsonDocumentFetcherProvider.php +++ b/app/JsonDocumentFetcherProvider.php @@ -4,7 +4,6 @@ namespace CultuurNet\UDB3\SearchService; -use CultuurNet\UDB3\Search\Http\Authentication\Auth0\Auth0TokenGenerator; use CultuurNet\UDB3\Search\Http\Authentication\Keycloak\KeycloakTokenGenerator; use CultuurNet\UDB3\Search\Http\Authentication\Token\TokenGenerator; use CultuurNet\UDB3\Search\JsonDocument\GuzzleJsonDocumentFetcher; @@ -33,24 +32,12 @@ public function register(): void private function getTokenGenerator(): TokenGenerator { - if (true) { - return new KeycloakTokenGenerator( - new Client(), - $this->parameter('keycloak.domain'), - $this->parameter('keycloak.entry_api_client_id'), - $this->parameter('keycloak.entry_api_client_secret'), - $this->parameter('keycloak.entry_api_audience') - ); - } - - return new Auth0TokenGenerator( - new Client([ - 'http_errors' => false, - ]), - $this->parameter('auth0.domain'), - $this->parameter('auth0.entry_api_client_id'), - $this->parameter('auth0.entry_api_client_secret'), - $this->parameter('auth0.entry_api_audience') + return new KeycloakTokenGenerator( + new Client(), + $this->parameter('keycloak.domain'), + $this->parameter('keycloak.entry_api_client_id'), + $this->parameter('keycloak.entry_api_client_secret'), + $this->parameter('keycloak.entry_api_audience') ); } } diff --git a/app/RoutingServiceProvider.php b/app/RoutingServiceProvider.php index 16247a4c..6f6de58d 100644 --- a/app/RoutingServiceProvider.php +++ b/app/RoutingServiceProvider.php @@ -7,8 +7,6 @@ use CultureFeed; use CultureFeed_DefaultOAuthClient; use CultuurNet\UDB3\Search\FileReader; -use CultuurNet\UDB3\Search\Http\Authentication\Auth0\Auth0TokenGenerator; -use CultuurNet\UDB3\Search\Http\Authentication\Auth0\Auth0MetadataGenerator; use CultuurNet\UDB3\Search\Http\Authentication\AuthenticateRequest; use CultuurNet\UDB3\Search\Http\Authentication\Consumer; use CultuurNet\UDB3\Search\Http\Authentication\Keycloak\KeycloakTokenGenerator; @@ -126,50 +124,26 @@ function (): Router { private function getManagementTokenProvider(): ManagementTokenProvider { - if (true) { - return new ManagementTokenProvider( - new KeycloakTokenGenerator( - new Client(), - $this->parameter('keycloak.domain'), - $this->parameter('keycloak.client_id'), - $this->parameter('keycloak.client_secret'), - $this->parameter('keycloak.domain') . '/api/v2/' - ), - new ManagementTokenFileRepository(__DIR__ . '/../cache/keycloak-management-token-cache.json'), - ); - } - return new ManagementTokenProvider( - new Auth0TokenGenerator( - new Client([ - 'http_errors' => false, - ]), - $this->parameter('auth0.domain'), - $this->parameter('auth0.client_id'), - $this->parameter('auth0.client_secret'), - $this->parameter('auth0.domain') . '/api/v2/' + new KeycloakTokenGenerator( + new Client(), + $this->parameter('keycloak.domain'), + $this->parameter('keycloak.client_id'), + $this->parameter('keycloak.client_secret'), + $this->parameter('keycloak.domain') . '/api/v2/' ), - new ManagementTokenFileRepository(__DIR__ . '/../cache/auth0-management-token-cache.json'), + new ManagementTokenFileRepository(__DIR__ . '/../cache/keycloak-management-token-cache.json'), ); } private function getMetadataGenerator(): MetadataGenerator { - if (true) { - return new KeycloakMetadataGenerator( - new Client([ - 'http_errors' => false, - ]), - $this->parameter('keycloak.domain'), - $this->parameter('keycloak.realm'), - ); - } - - return new Auth0MetadataGenerator( + return new KeycloakMetadataGenerator( new Client([ 'http_errors' => false, ]), - $this->parameter('auth0.domain') + $this->parameter('keycloak.domain'), + $this->parameter('keycloak.realm'), ); } } From 512bf21974b337a87a1e19ef4bf85a084dbf4f3a Mon Sep 17 00:00:00 2001 From: JonasVHG <4658984+JonasVHG@users.noreply.github.com> Date: Mon, 18 Nov 2024 14:29:03 +0100 Subject: [PATCH 03/10] Delete Auth0TokenGenerator --- .../Auth0/Auth0TokenGenerator.php | 89 ------------------- 1 file changed, 89 deletions(-) delete mode 100644 src/Http/Authentication/Auth0/Auth0TokenGenerator.php diff --git a/src/Http/Authentication/Auth0/Auth0TokenGenerator.php b/src/Http/Authentication/Auth0/Auth0TokenGenerator.php deleted file mode 100644 index 81f42d2a..00000000 --- a/src/Http/Authentication/Auth0/Auth0TokenGenerator.php +++ /dev/null @@ -1,89 +0,0 @@ -domain = $domain; - $this->client = $client; - $this->clientId = $clientId; - $this->clientSecret = $clientSecret; - $this->audience = $audience; - $this->logger = new NullLogger(); - } - - public function managementToken(): Token - { - return $this->fetchToken(); - } - - public function loginToken(): Token - { - return $this->fetchToken(); - } - - private function fetchToken(): Token - { - $response = $this->client->post( - 'https://' . $this->domain . '/oauth/token', - [ - 'headers' => ['content-type' => 'application/json'], - 'json' => [ - 'client_id' => $this->clientId, - 'client_secret' => $this->clientSecret, - 'audience' => 'https://' . $this->audience, - 'grant_type' => 'client_credentials', - ], - ] - ); - - if ($response->getStatusCode() !== 200) { - $message = 'Auth0 error when getting token: ' . $response->getStatusCode(); - - if ($response->getStatusCode() >= 500) { - $this->logger->error($message); - throw new ConnectException( - $message, - new Request('POST', 'https://' . $this->domain . '/oauth/token') - ); - } - - $this->logger->info($message); - } - - $res = Json::decodeAssociatively($response->getBody()->getContents()); - return new Token( - $res['access_token'], - new DateTimeImmutable(), - $res['expires_in'] - ); - } -} From e898e0140acf49fd04ce3bc8bd4f694bdd4650fc Mon Sep 17 00:00:00 2001 From: JonasVHG <4658984+JonasVHG@users.noreply.github.com> Date: Mon, 18 Nov 2024 14:29:16 +0100 Subject: [PATCH 04/10] make code agnostic about which oauth server we use. --- .../AuthenticateRequestTest.php | 28 +++++++++++-------- 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/tests/Http/Authentication/AuthenticateRequestTest.php b/tests/Http/Authentication/AuthenticateRequestTest.php index 4759b011..a4973da5 100644 --- a/tests/Http/Authentication/AuthenticateRequestTest.php +++ b/tests/Http/Authentication/AuthenticateRequestTest.php @@ -13,7 +13,7 @@ use CultuurNet\UDB3\Search\Http\Authentication\ApiProblems\MissingCredentials; use CultuurNet\UDB3\Search\Http\Authentication\ApiProblems\NotAllowedToUseSapi; use CultuurNet\UDB3\Search\Http\Authentication\ApiProblems\RemovedApiKey; -use CultuurNet\UDB3\Search\Http\Authentication\Auth0\Auth0MetadataGenerator; +use CultuurNet\UDB3\Search\Http\Authentication\Keycloak\KeycloakMetadataGenerator; use CultuurNet\UDB3\Search\Http\Authentication\Token\Token; use CultuurNet\UDB3\Search\Http\Authentication\Token\TokenGenerator; use CultuurNet\UDB3\Search\Http\Authentication\Token\ManagementTokenProvider; @@ -70,7 +70,7 @@ protected function setUp(): void $this->pemFile = FileReader::read(__DIR__ . '/samples/public.pem'); $managementToken = new Token( - 'my_auth0_token', + 'my_oauth_token', new DateTimeImmutable(), 86400 ); @@ -309,9 +309,10 @@ public function it_handles_requests_with_client_id_with_missing_sapi_permission_ $this->container, $this->cultureFeed, $this->managementTokenProvider, - new Auth0MetadataGenerator( + new KeycloakMetadataGenerator( new Client(['handler' => $mockHandler]), - 'domain' + 'domain', + 'realm' ), new InMemoryDefaultQueryRepository([]), $this->pemFile @@ -345,9 +346,10 @@ public function it_handles_requests_with_client_id_without_metadata(): void $this->container, $this->cultureFeed, $this->managementTokenProvider, - new Auth0MetadataGenerator( + new KeycloakMetadataGenerator( new Client(['handler' => $mockHandler]), - 'domain' + 'domain', + 'realm' ), new InMemoryDefaultQueryRepository([]), $this->pemFile @@ -371,21 +373,22 @@ public function it_handles_requests_with_client_id_without_metadata(): void /** * @test */ - public function it_allows_all_access_when_auth0_is_down(): void + public function it_allows_all_access_when_oauth_server_is_down(): void { $request = (new ServerRequestFactory()) ->createServerRequest('GET', 'https://search.uitdatabank.be') ->withHeader('x-client-id', 'my_active_client_id'); - $mockHandler = new MockHandler([new ConnectException('No connection with Auth0', $request)]); + $mockHandler = new MockHandler([new ConnectException('No connection with OAuth server', $request)]); $authenticateRequest = new AuthenticateRequest( $this->container, $this->cultureFeed, $this->managementTokenProvider, - new Auth0MetadataGenerator( + new KeycloakMetadataGenerator( new Client(['handler' => $mockHandler]), - 'domain' + 'domain', + 'realm' ), new InMemoryDefaultQueryRepository([]), $this->pemFile @@ -430,9 +433,10 @@ public function it_handles_valid_requests_with_client_id(ServerRequestInterface $this->container, $this->cultureFeed, $this->managementTokenProvider, - new Auth0MetadataGenerator( + new KeycloakMetadataGenerator( new Client(['handler' => $mockHandler]), - 'domain' + 'domain', + 'realm' ), new InMemoryDefaultQueryRepository([]), $this->pemFile From bdf9e66d527a5ebb94729388952d74db345fe2c4 Mon Sep 17 00:00:00 2001 From: JonasVHG <4658984+JonasVHG@users.noreply.github.com> Date: Mon, 18 Nov 2024 14:38:17 +0100 Subject: [PATCH 05/10] Delete Auth0MetadataGenerator --- .../Auth0/Auth0MetadataGenerator.php | 64 ------------------- 1 file changed, 64 deletions(-) delete mode 100644 src/Http/Authentication/Auth0/Auth0MetadataGenerator.php diff --git a/src/Http/Authentication/Auth0/Auth0MetadataGenerator.php b/src/Http/Authentication/Auth0/Auth0MetadataGenerator.php deleted file mode 100644 index 7f5e0de7..00000000 --- a/src/Http/Authentication/Auth0/Auth0MetadataGenerator.php +++ /dev/null @@ -1,64 +0,0 @@ -domain = $domain; - $this->client = $client; - $this->logger = new NullLogger(); - } - - public function get(string $clientId, string $token): ?array - { - $response = $this->client->get( - 'https://' . $this->domain . '/api/v2/clients/' . $clientId, - [ - 'headers' => ['Authorization' => 'Bearer ' . $token], - ] - ); - - if ($response->getStatusCode() !== 200) { - $message = 'Auth0 error when getting metadata: ' . $response->getStatusCode(); - - if ($response->getStatusCode() >= 500) { - $this->logger->error($message); - throw new ConnectException( - $message, - new Request('GET', 'https://' . $this->domain . '/api/v2/clients/' . $clientId) - ); - } - - $this->logger->info($message); - return null; - } - - $res = Json::decodeAssociatively($response->getBody()->getContents()); - return $res['client_metadata'] ?? []; - } - - public function setLogger(LoggerInterface $logger): void - { - $this->logger = $logger; - } -} From 26d38c67c6e0075c5b94828c888503ba587abdce Mon Sep 17 00:00:00 2001 From: JonasVHG <4658984+JonasVHG@users.noreply.github.com> Date: Mon, 18 Nov 2024 14:39:42 +0100 Subject: [PATCH 06/10] Make code oauthServer agnostic --- src/Http/Authentication/AuthenticateRequest.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/Http/Authentication/AuthenticateRequest.php b/src/Http/Authentication/AuthenticateRequest.php index 2e6e82c1..cebe6c64 100644 --- a/src/Http/Authentication/AuthenticateRequest.php +++ b/src/Http/Authentication/AuthenticateRequest.php @@ -92,7 +92,7 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface private function handleClientId(ServerRequestInterface $request, RequestHandlerInterface $handler, string $clientId): ResponseInterface { - $auth0Down = false; + $oauthServerDown = false; $metadata = []; try { @@ -106,11 +106,11 @@ private function handleClientId(ServerRequestInterface $request, RequestHandlerI } } catch (ConnectException $connectException) { $this->logger->error('OAuth server was detected as down, this results in disabling authentication'); - $auth0Down = true; + $oauthServerDown = true; } // Bypass the sapi access validation when Auth0 is down to make sure sapi requests are still handled. - if (!$auth0Down && !$this->hasSapiAccess($metadata)) { + if (!$oauthServerDown && !$this->hasSapiAccess($metadata)) { return (new NotAllowedToUseSapi($clientId))->toResponse(); } From 86e610afa138a5ac1af959eebc30a99d10fc6530 Mon Sep 17 00:00:00 2001 From: JonasVHG <4658984+JonasVHG@users.noreply.github.com> Date: Mon, 18 Nov 2024 14:54:25 +0100 Subject: [PATCH 07/10] make comment code agnostic --- src/Http/Authentication/AuthenticateRequest.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Http/Authentication/AuthenticateRequest.php b/src/Http/Authentication/AuthenticateRequest.php index cebe6c64..73e7863e 100644 --- a/src/Http/Authentication/AuthenticateRequest.php +++ b/src/Http/Authentication/AuthenticateRequest.php @@ -109,7 +109,7 @@ private function handleClientId(ServerRequestInterface $request, RequestHandlerI $oauthServerDown = true; } - // Bypass the sapi access validation when Auth0 is down to make sure sapi requests are still handled. + // Bypass the sapi access validation when the oauth server is down to make sure sapi requests are still handled. if (!$oauthServerDown && !$this->hasSapiAccess($metadata)) { return (new NotAllowedToUseSapi($clientId))->toResponse(); } From 3ab6125fc755b5c7e64dbcdf30458c75c5b79ced Mon Sep 17 00:00:00 2001 From: JonasVHG <4658984+JonasVHG@users.noreply.github.com> Date: Mon, 18 Nov 2024 15:25:10 +0100 Subject: [PATCH 08/10] update mockResponse in tests --- .../Authentication/AuthenticateRequestTest.php | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/tests/Http/Authentication/AuthenticateRequestTest.php b/tests/Http/Authentication/AuthenticateRequestTest.php index a4973da5..7592c7c9 100644 --- a/tests/Http/Authentication/AuthenticateRequestTest.php +++ b/tests/Http/Authentication/AuthenticateRequestTest.php @@ -301,7 +301,12 @@ public function it_handles_requests_with_client_id_with_missing_sapi_permission_ { $mockHandler = new MockHandler([ new Response(200, [], Json::encode([ - 'client_metadata' => ['publiq-apis' => 'ups entry'], + 0 => [ + 'defaultClientScopes' => [ + 'publiq-api-ups-scope', + 'publiq-api-entry-scope', + ], + ], ])), ]); @@ -425,7 +430,13 @@ public function it_handles_valid_requests_with_client_id(ServerRequestInterface { $mockHandler = new MockHandler([ new Response(200, [], Json::encode([ - 'client_metadata' => ['publiq-apis' => 'ups entry sapi'], + 0 => [ + 'defaultClientScopes' => [ + 'publiq-api-ups-scope', + 'publiq-api-entry-scope', + 'publiq-api-sapi-scope', + ], + ], ])), ]); From 923e03a011aab244e46c5664df0af7f0e8f47b1a Mon Sep 17 00:00:00 2001 From: JonasVHG <4658984+JonasVHG@users.noreply.github.com> Date: Mon, 18 Nov 2024 16:00:48 +0100 Subject: [PATCH 09/10] rename $oauthServerDown to $oAuthServerDown --- src/Http/Authentication/AuthenticateRequest.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/Http/Authentication/AuthenticateRequest.php b/src/Http/Authentication/AuthenticateRequest.php index 73e7863e..55d8c51c 100644 --- a/src/Http/Authentication/AuthenticateRequest.php +++ b/src/Http/Authentication/AuthenticateRequest.php @@ -92,7 +92,7 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface private function handleClientId(ServerRequestInterface $request, RequestHandlerInterface $handler, string $clientId): ResponseInterface { - $oauthServerDown = false; + $oAuthServerDown = false; $metadata = []; try { @@ -106,11 +106,11 @@ private function handleClientId(ServerRequestInterface $request, RequestHandlerI } } catch (ConnectException $connectException) { $this->logger->error('OAuth server was detected as down, this results in disabling authentication'); - $oauthServerDown = true; + $oAuthServerDown = true; } // Bypass the sapi access validation when the oauth server is down to make sure sapi requests are still handled. - if (!$oauthServerDown && !$this->hasSapiAccess($metadata)) { + if (!$oAuthServerDown && !$this->hasSapiAccess($metadata)) { return (new NotAllowedToUseSapi($clientId))->toResponse(); } From be48e2a91f84c9f35f1e738c3840675fe22f7656 Mon Sep 17 00:00:00 2001 From: JonasVHG <4658984+JonasVHG@users.noreply.github.com> Date: Mon, 18 Nov 2024 16:01:40 +0100 Subject: [PATCH 10/10] make jwtUrl always `jwt.domain` from config --- src/Http/Authentication/AuthenticateRequest.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Http/Authentication/AuthenticateRequest.php b/src/Http/Authentication/AuthenticateRequest.php index 55d8c51c..118207b6 100644 --- a/src/Http/Authentication/AuthenticateRequest.php +++ b/src/Http/Authentication/AuthenticateRequest.php @@ -145,7 +145,7 @@ private function handleAccessToken( } $config = $this->container->get(Config::class); - $jwtUrl = $config->get('keycloak.enabled') ? $config->get('jwt.domain') : null; + $jwtUrl = $config->get('jwt.domain'); if (!$token->isAllowedOnSearchApi($jwtUrl)) { return (new NotAllowedToUseSapi())->toResponse(); }