Closed ramgrandhi closed 1 year ago
Thank you @rayvdgugten for your willingness to pick this up!
Here is how we can attack this, good luck with your first contribution to this repo! 🙌

1. `validateConfig()` -> to do basic validation of the input serverless.yml `securitySchemes` section as below.
2. `uploadCerts()` -> to add another section inside, which deals with ClientCert uploads. Reuse utils like `detectAndSplitCerts()` & `saveCert()` etc. to save the clientCert to the file system.
3. `3.2.0/uploadCert()` -> Make a clone of this and call it `3.2.0/uploadClientCert()`, since the underlying API of WSO2 is different for uploading client certificates here.
4. Use `Unlimited` as the throttling tier for the certificate, since it is a mandatory parameter on the WSO2 REST API.

Happy to help!

Closing this, v0.6.0 is released with this feature.
Background
Starting from WSO2 APIM 3.x.x, you can secure APIs using `mutual-SSL` on top of the existing `OAuth2` scheme. More is documented here.

Actual Behavior
Currently, this plugin deploys APIs using the default `OAuth2` scheme. There is no mechanism to supply `mutual-SSL` and the associated client-certificate in the `serverless.yml` configuration.

Expected Behavior
This plugin must:
- mutual-SSL as well as a mechanism to supply the client-certificate in `serverless.yml` - See the proposal below. Keep oAuth2 as the default if not set; however, when set, mutualSSL can be enabled.
- `securityScheme` accordingly [here]() - See the proposal below.

Proposal
`serverless.yml` configuration can be extended as below.

While uploading/upserting the client-certificate, you can use the following naming convention for `certAlias`.

Supported values for `securityScheme` by the WSO2 APIM REST APIs are below; here is the permalink.

Assumptions:
Potential validation for the SLS config (`custom.wso2apim.securitySchemes`) must at least include:
- `securitySchemes` entry, if present, must have either oauth2 or mutualSsl or both as its children.
- `securitySchemes.oauth2` is optional, but if it is present, then it must have a valid value `true` or `false`.
- `securitySchemes.mutualSsl`, if present, must have a valid value `true` or `false` and a valid `clientCert` file URL (during validation, see if the file mentioned is accessible or not, using `fs.existsSync()` for example). This will help avoid run-time errors if the file is not found etc.

Potential e2e test cases must at least include: