opengeospatial / ets-ogcapi-features10

Public Repository for the OGC API - Features Compliance Test Suite

OGC API features service behind authentication #232

Open claustres opened 7 months ago

claustres commented 7 months ago

First of all thanks for this useful tool that helps us enhance our service.

Describe the bug

I would like to test a service protected with a jwt given as a query parameter with the all-in-one jar. If I remove the protection the tests are running almost fine with e.g. the following results: <testng-results total="211" passed="178" failed="0" skipped="33"> However, the tests stop quickly with the following results when enabling the protection: <testng-results total="42" passed="1" failed="3" skipped="38">

One of the first tests to fail, which probably causes the others to be skipped, is the following:

<test-method signature="landingPageRetrieval()[pri:0, instance:org.opengis.cite.ogcapifeatures10.conformance.core.landingpage.LandingPage@12aba8be]" started-at="2023-12-13T16:49:43Z" name="landingPageRetrieval" description="Implements A.2.2. Landing Page {root}/, Abstract Test 3 (Requirement /req/core/root-op)" groups="landingpage" finished-at="2023-12-13T16:49:44Z" duration-ms="525" status="FAIL">
<exception class="java.lang.AssertionError">
<message>
1 expectation failed. Expected status code <200> but was <401>.
</message>
</exception>
<!-- java.lang.AssertionError -->
<reporter-output> </reporter-output>
<attributes>
<attribute name="request">
Request method: GET Request URI: https://api.irsn-planet.staging.ul2i.fr/kfs/ Proxy: <none> Request params: <none> Query params: <none> Form params: <none> Path params: <none> Headers: Accept=application/json, application/javascript, text/javascript, text/json Cookies: <none> Multiparts: <none> Body: <none>
</attribute>
<!-- request -->
<attribute name="response">
HTTP/1.1 401 Unauthorized Date: Wed, 13 Dec 2023 15:49:44 GMT Content-Type: text/html; charset=utf-8 Content-Length: 12 Connection: keep-alive access-control-allow-origin: * eg-consumer-id: anonymous etag: W/"c-dAuDFQrdjS3hezqxDTNgW7AOlYk" WWW-Authenticate: Basic Strict-Transport-Security: max-age=15724800; includeSubDomains <html> <body>Unauthorized</body> </html>
</attribute>
<!-- response -->
</attributes>
</test-method>
<!-- landingPageRetrieval -->

One can see the jwt query parameter is lost.

To Reproduce

  1. Set up your test-run-props like this: <entry key="iut">https://api.irsn-planet.staging.ul2i.fr/kfs?jwt=XXX</entry>
  2. Run java -jar ./ets-ogcapi-features10-1.7-aio.jar -o . -h ./test-run-props.xml
  3. Open test logs

Expected behavior

The test suite should be able to reach the landing page if the token is provided in the base URL. After this, as all links provided in responses by the service should keep the token, I guess it should work as usual.

Additional context

The service can also be protected with the token given in header (Bearer JWT) if it helps.

I can provide you with a test token through a secured private channel if required.

Thanks for your support.

dstenger commented 7 months ago

Thank you for reporting. We will discuss your requirement in the CITE team.

ghobona commented 6 months ago

Thank you for proposing the enhancement.

We are indeed planning to introduce support for APIs that have access control. However, work on the enhancement will begin in the second half of 2024 or soon after the release of version 6 of TEAM Engine.

claustres commented 6 months ago

Thanks for considering it, it will help a lot. Indeed, it is currently hard to test production deployments as we cannot temporarily remove the authentication. I was just wondering if supporting token/API key authentication as a query parameter could almost work "as is". Indeed, if you provide the token in the initial URL under test, e.g. myservice.com?token=xxx, and the conformance suite only uses links returned by the API, which also contain the initial token, this could probably work. But I do not know the internals and it might not be that simple.
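The mechanism discussed in this thread (a token supplied on the base URL under test that has to survive into every request the suite makes to links returned by the landing page) can be demonstrated with a small link-following client. The example below is added here and is not code from ets-ogcapi-features10 or TEAM Engine; the service, the landing-page document, the token value and the parameter names `jwt`/`token`/`api_key` are all constructed for illustration. It goes slightly beyond the reporter's case by also supporting the Bearer header mentioned under "Additional context", and it refuses to forward the token to links on a different origin.

```python
"""Added example (not part of the ets-ogcapi-features10 code base): a minimal
landing-page crawler that keeps an API credential supplied either as a query
parameter on the base URL (the reporter's ?jwt=... case) or as a Bearer header,
so that follow-up requests to links returned by the service do not lose it.
All URLs, link documents and token values below are constructed."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: query parameter names that carry a credential and must be preserved.
AUTH_QUERY_PARAMS = ("jwt", "token", "api_key")


def auth_params_from_base(base_url):
    """Return the credential-bearing query parameters present on the base URL."""
    query = dict(parse_qsl(urlsplit(base_url).query, keep_blank_values=True))
    return {k: v for k, v in query.items() if k in AUTH_QUERY_PARAMS}


def propagate_auth(link_url, base_url):
    """Re-attach the base URL's auth parameters to a link that lacks them.

    The token is only forwarded to links on the same scheme and host as the
    base URL, so an external link (e.g. a schema hosted elsewhere) never
    receives the credential.
    """
    base, link = urlsplit(base_url), urlsplit(link_url)
    if (link.scheme, link.netloc) != (base.scheme, base.netloc):
        return link_url
    link_query = dict(parse_qsl(link.query, keep_blank_values=True))
    for key, value in auth_params_from_base(base_url).items():
        link_query.setdefault(key, value)  # a token already on the link wins
    return urlunsplit((link.scheme, link.netloc, link.path,
                       urlencode(link_query), link.fragment))


# Constructed stand-in for the protected service: links carry no token.
VALID_TOKEN = "constructed-test-token"
FAKE_SERVICE = {
    "https://example.invalid/kfs/": {"links": [
        {"rel": "conformance", "href": "https://example.invalid/kfs/conformance"},
        {"rel": "data", "href": "https://example.invalid/kfs/collections"},
        {"rel": "service-desc", "href": "https://schemas.example.invalid/openapi.json"},
    ]},
    "https://example.invalid/kfs/conformance": {"conformsTo": []},
    "https://example.invalid/kfs/collections": {"collections": []},
}


def fake_fetch(url, headers=None):
    """Simulate the service: 401 unless ?jwt= or a Bearer header carries the token."""
    headers = headers or {}
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query))
    bare = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    authenticated = (query.get("jwt") == VALID_TOKEN
                     or headers.get("Authorization") == f"Bearer {VALID_TOKEN}")
    if bare not in FAKE_SERVICE:
        return 404, None
    if not authenticated:
        return 401, None
    return 200, FAKE_SERVICE[bare]


def walk_landing_page(base_url, fetch, bearer=None):
    """Fetch the landing page and each linked resource, keeping the credential.

    Returns {rel: http_status}; the landing page itself is reported as "root".
    """
    headers = {"Authorization": f"Bearer {bearer}"} if bearer else {}
    status, landing = fetch(base_url, headers)
    results = {"root": status}
    if status != 200:
        return results  # mirrors the thread: a 401 on "/" stops everything else
    for link in landing.get("links", []):
        href = propagate_auth(link["href"], base_url)
        results[link["rel"]] = fetch(href, headers)[0]
    return results


if __name__ == "__main__":
    print(walk_landing_page("https://example.invalid/kfs/", fake_fetch))
    print(walk_landing_page(f"https://example.invalid/kfs/?jwt={VALID_TOKEN}", fake_fetch))
    print(walk_landing_page("https://example.invalid/kfs/", fake_fetch, bearer=VALID_TOKEN))
```

Without the credential the walk ends at the 401 on the root, exactly as in the reported log; with the token on the base URL, or sent as a Bearer header, the same-origin links succeed while the off-origin link is requested without the token. A header-based credential is the easier one for a test harness to honour, since it needs no URL rewriting and does not end up in server access logs or referer headers the way a query-string token does.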