ramgrandhi / serverless-wso2-apim

Serverless Framework plugin to manage APIs on WSO2 API Manager.
MIT License

Add support for mutualSSL #89

Closed ramgrandhi closed 1 year ago

ramgrandhi commented 1 year ago

Background

Starting from WSO2 APIM 3.x.x, you can secure APIs using mutual-SSL on top of the existing OAuth2 scheme. More is documented here.

Actual Behavior

Currently, this plugin deploys APIs using the default OAuth2 scheme. There is no mechanism to supply mutual-SSL and the associated client certificate in the serverless.yml configuration.

Expected Behavior

This plugin must:

  1. Allow configuring the security scheme as mutual-SSL, plus a mechanism to supply the client certificate in serverless.yml - See the proposal below. Keep OAuth2 as the default if not set; however, when set, mutualSSL can be enabled.
  2. Upload/Upsert the client certificate to WSO2 using its REST API here - See the proposal below.
  3. Update securityScheme accordingly here - See the proposal below.

Proposal

  1. serverless.yml configuration can be extended as below.

    custom:
      wso2apim:
        securitySchemes: # Optional
          oauth2:  # Defaults to `oauth2` if not set
            enabled: true  # Defaults to `true` if not set
          mutualSsl:
            enabled: true
            clientCert: "file://certs/client-cert.crt"  # Only `file://` protocol supported, no CF Imports etc.
  2. While uploading/upserting the client certificate, you can use the following naming convention for certAlias.

    ClientCert___<APIName>___<Version>___<index>_at_<tenantSuffix>

  3. Supported values for securityScheme in the WSO2 APIM REST APIs are below; here is the permalink.

    "securityScheme": [
        "mutualssl",
        "mutualssl_mandatory",
        "oauth2"
    ]

Assumptions:

  1. Potential validation for SLS config (custom.wso2apim.securitySchemes) must at least include:

    • securitySchemes entry, if present, must have either oauth2 or mutualSsl or both as its children.
    • securitySchemes.oauth2 is optional, but if it is present, then it must have a valid value of true or false.
    • securitySchemes.mutualSsl, if present, must have a valid value of true or false and a valid clientCert file URL (during validation, check whether the file mentioned is accessible or not, using fs.existsSync() for example). This will help avoid run-time errors if the file is not found etc.
  2. Potential e2e test cases must at least include:

    • valid-mtls-enabled
    • valid-oauth2-mtls-enabled
    • valid-oauth2-enabled
    • valid-no-oauth2
    • invalid-securitySchemes
ramgrandhi commented 1 year ago

Thank you @rayvdgugten for your willingness to pick this up!

Here is how we can attack this, good luck with your first contribution to this repo! 🙌

  1. validateConfig() -> to do basic validation of the input serverless.yml -> securitySchemes section as below.
  2. uploadCerts() -> to add another section inside, which deals with ClientCert uploads. Reuse utils like detectAndSplitCerts() & saveCert() etc. to save the clientCert to the file system.
  3. 3.2.0/uploadCert() -> Make a clone of this and call it 3.2.0/uploadClientCert(), since the underlying WSO2 API for uploading client certificates is different here -> Use Unlimited as the throttling tier for the certificate, since it is a mandatory parameter on the WSO2 REST API.

Happy to help!

ramgrandhi commented 1 year ago

Closing this, v0.6.0 is released with this feature.