Closed eguzki closed 7 months ago
Attention: 9 lines in your changes are missing coverage. Please review.
Comparison is base (1148fc8) 0.38% compared to head (675c190) 0.38%.
Files | Patch % | Lines |
---|---|---|
pkg/utils/maps.go | 0.00% | 9 Missing :warning: |
👀
Works great
@jasonmadigan completed the verification steps and added some doc
Ready for review!
What
The new command `kuadrantctl generate kuadrant authpolicy` to create kuadrant Auth Policy from OpenAPI Specification (OAS) 3.x powered with kuadrant extensions was introduced in #4646 and implemented the Security Scheme Object type `openIdConnect`. This PR implements another type: `apiKey`.
Example
Running the command
The generated authpolicy
In this particular example, the endpoint `GET /dog` will be protected. The token needs to be in the query string of the request, included in a parameter named `dog_token`. Kuadrant will validate received tokens against tokens found in secrets with label `kuadrant.io/apikeys-by: ${sec scheme name}`. In this particular example the label selector will be: `kuadrant.io/apikeys-by: securedDog`. Like the following example:
For more information about Kuadrant auth based on api key: https://docs.kuadrant.io/authorino/docs/user-guides/api-key-authentication/
Verification Steps
The verification steps will lead you to the process of deploying and testing the following api with endpoints protected using different auth schemes:
`GET /api/v1/cat`
`POST /api/v1/cat`
`GET /api/v1/dog`
`GET /api/v1/snake`
petstore
petstore
In the Client Protocol field, select `openid-connect`.
`bob`, set the Email Verified switch to ON, and click Save.
`p`. Enter the password in both the fields, set the Temporary switch to OFF to avoid the password reset at the next login, and click Set Password.
Now, let's run local cluster to test the kuadrantctl new command to generate authpolicy.
authpolicy-api-key
bin/kuadrantctl
path
Create an API key only valid for `POST /api/v1/cat` endpoint
Create an API key only valid for `GET /api/v1/snake` endpoint
Create the HTTPRoute using the CLI
Create Kuadrant's Auth Policy
Now, we are ready to test OpenAPI endpoints :exclamation:
`GET /api/v1/cat` -> It's a public endpoint, hence should return 200 Ok
`POST /api/v1/cat` -> It's a protected endpoint with apikey
Without any credentials, it should return `401 Unauthorized`; the reason headers tell that `credential not found`. Credentials satisfying `postCat_cat_api_key` authentication is needed. According to the OpenAPI spec, it should be a header named `api_key`.
What if we try a wrong token? one token assigned to other endpoint, i.e. `I_LIKE_SNAKES` instead of the valid one `I_LIKE_CATS`. It should return `401 Unauthorized`; the reason headers tell that `the API Key provided is invalid`.
Using valid token (from the secret `cat-api-key-1` assigned to `POST /api/v1/cats`) in the `api_key` header should return 200 Ok
`GET /api/v1/dog` -> It's a protected endpoint with oidc (assigned to our keycloak instance and `petstore` realm)
without credentials, it should return `401 Unauthorized`
To get the authentication token, this example is using Direct Access Grants oauth2 grant type (also known as Client Credentials grant type). When configuring the Keycloak (OIDC provider) client settings, we enabled Direct Access Grants to enable this procedure. We will be authenticating as `bob` user with `p` password. We previously created `bob` user in Keycloak in the `petstore` realm.
With the access token in place, let's try to get those puppies
it should return 200 OK
`GET /api/v1/snake` -> It's a protected endpoint with oidc (assigned to our keycloak instance and `petstore` realm) OR with apiKey
This example is to show that multiple sec requirements (with OR semantics) can be specified for an OpenAPI operation.
without credentials, it should return `401 Unauthorized`
With the access token in place, it should return 200 OK (unless the token has expired)
With apiKey it should also work. According to the OpenAPI spec security scheme, it should be a query string named `snake_token` and the token needs to be valid token (from the secret `snake-api-key-1` assigned to `GET /api/v1/snake`)
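As an added example, not code from this PR or from kuadrantctl itself, the following Go program shows the mapping the What section describes (an OAS `apiKey` security scheme becomes a rule that reads the token from the scheme's header or query parameter and selects secrets by `kuadrant.io/apikeys-by: <scheme name>`) together with the two behaviours exercised in the verification steps: several security requirements on one operation are alternatives (the `GET /api/v1/snake` case), and a key stored in a secret labelled for another scheme is never considered (the `I_LIKE_SNAKES` against `POST /api/v1/cat` case). The OAS document is constructed inline; the scheme names `snakeKey` and `petstoreOIDC`, the operation ids and the OIDC URL are made up for the example, and the `APIKeyRule` struct is this example's own shape, not the AuthPolicy CRD.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed OAS 3 document (JSON form) modelled on the PR: GET /dog is guarded by the apiKey scheme
// "securedDog" (dog_token query parameter), GET /cat is public, and GET /snake accepts OIDC or the apiKey
// scheme "snakeKey" (snake_token). snakeKey, petstoreOIDC, the operation ids and the URL are invented.
const oasDoc = `{
  "paths": {
    "/dog":   {"get": {"operationId": "getDog", "security": [{"securedDog": []}]}},
    "/cat":   {"summary": "public pets", "get": {"operationId": "getCat"}},
    "/snake": {"get": {"operationId": "getSnake", "security": [{"petstoreOIDC": []}, {"snakeKey": []}]}}
  },
  "components": {"securitySchemes": {
    "securedDog":   {"type": "apiKey", "in": "query", "name": "dog_token"},
    "snakeKey":     {"type": "apiKey", "in": "query", "name": "snake_token"},
    "petstoreOIDC": {"type": "openIdConnect", "openIdConnectUrl": "https://keycloak.example/realms/petstore/.well-known/openid-configuration"}
  }}
}`

// ApiKeysByLabel is the label the PR says Kuadrant uses to select API key secrets.
const ApiKeysByLabel = "kuadrant.io/apikeys-by"

// encoding/json matches keys case-insensitively, so no struct tags are needed for these fields.
type (
	securityScheme struct{ Type, In, Name string }           // In is header, query or cookie
	operation      struct{ Security []map[string][]string } // each element is an alternative (OR)
	openAPI        struct {
		Paths      map[string]map[string]json.RawMessage
		Components struct{ SecuritySchemes map[string]securityScheme }
	}
)

// Path items also carry non-operation keys (summary, parameters), so only these count as operations.
var httpMethods = map[string]bool{"get": true, "put": true, "post": true, "delete": true,
	"options": true, "head": true, "patch": true, "trace": true}

// APIKeyRule is the subset of an apiKey authentication rule that the PR text describes.
type APIKeyRule struct {
	Scheme, Method, Path string
	CredentialIn         string // "header" or "query": where the token is read from
	CredentialKey        string // header name or query parameter name
	SelectorValue        string // value of the kuadrant.io/apikeys-by label, i.e. the scheme name
}

// APIKeyRules yields one rule per (operation, apiKey scheme) pair; other scheme types are skipped,
// and a requirement object naming several schemes at once (AND semantics) is not modelled here.
func APIKeyRules(doc []byte) ([]APIKeyRule, error) {
	var oas openAPI
	if err := json.Unmarshal(doc, &oas); err != nil {
		return nil, fmt.Errorf("parsing OpenAPI document: %w", err)
	}
	var rules []APIKeyRule
	for path, item := range oas.Paths {
		for method, raw := range item {
			if !httpMethods[method] {
				continue
			}
			var op operation
			if err := json.Unmarshal(raw, &op); err != nil {
				return nil, fmt.Errorf("%s %s: %w", method, path, err)
			}
			for _, requirement := range op.Security {
				for name := range requirement {
					scheme, ok := oas.Components.SecuritySchemes[name]
					if !ok {
						return nil, fmt.Errorf("%s %s: unknown security scheme %q", method, path, name)
					}
					if scheme.Type != "apiKey" {
						continue
					}
					rules = append(rules, APIKeyRule{Scheme: name, Method: strings.ToUpper(method), Path: path,
						CredentialIn: scheme.In, CredentialKey: scheme.Name, SelectorValue: name})
				}
			}
		}
	}
	key := func(r APIKeyRule) string { return r.Path + " " + r.Method + " " + r.Scheme }
	sort.Slice(rules, func(i, j int) bool { return key(rules[i]) < key(rules[j]) })
	return rules, nil
}

// SelectsSecret reports whether a Secret with these labels falls under the rule's selector; a key kept
// in a secret labelled for another scheme is never consulted (the PR's snake-token-on-cat case).
func SelectsSecret(rule APIKeyRule, secretLabels map[string]string) bool {
	return secretLabels[ApiKeysByLabel] == rule.SelectorValue
}

func main() {
	rules, err := APIKeyRules([]byte(oasDoc))
	if err != nil {
		panic(err)
	}
	for _, r := range rules {
		fmt.Printf("%s %s: token in %s %q; secrets selected by %s=%s\n",
			r.Method, r.Path, r.CredentialIn, r.CredentialKey, ApiKeysByLabel, r.SelectorValue)
	}
}
```

Running it lists two rules, `GET /dog` (query `dog_token`, selector value `securedDog`) and `GET /snake` (query `snake_token`, selector value `snakeKey`); the OIDC requirement on `/snake` is skipped because it is not an `apiKey` scheme, and `SelectsSecret` shows why a secret labelled for the snake scheme contributes nothing to the dog rule.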