yalelibrary / YUL-DC

Preliminary issue tracking for Yale University Libraries Digital Collections project

Security token passed with OwP requests #2877

Closed sshetenhelm closed 3 months ago

sshetenhelm commented 4 months ago

Story

Right now communications are "open" between Mgmt APIs and Blacklight. It might be good to have a security token of some kind passed with the requests. The Mgmt APIs are blocked by the firewall [note: need to review/confirm the setup] and should be unreachable, but this would be a second line of defense.

This work should take place after #2876 (merging demo with main) but prior to release.

Acceptance

K8Sewell commented 3 months ago

PRs ready for review:

Blacklight - https://github.com/yalelibrary/yul-dc-blacklight/pull/1032/
Camerata - https://github.com/yalelibrary/yul-dc-camerata/pull/382
Management - https://github.com/yalelibrary/yul-dc-management/pull/1418

K8Sewell commented 3 months ago

Camerata - auto-deployed to Test
Blacklight - Deployed to Test with release v1.63.7
Management - Deployed to Test with release v2.71.5

K8Sewell commented 3 months ago

Not working - taking back to in progress


K8Sewell commented 3 months ago

I did not add the token variable to all the places it needed to be. This PR fixes that - https://github.com/yalelibrary/yul-dc-camerata/pull/384

K8Sewell commented 3 months ago

Confirmed that auth token present in blacklight and management tasks on AWS yet still getting an 'unauthorized' response instead of displaying the request form as expected. Taking back to in progress.


K8Sewell commented 3 months ago

PRs ready for review:

https://github.com/yalelibrary/yul-dc-blacklight/pull/1042
https://github.com/yalelibrary/yul-dc-management/pull/1426

K8Sewell commented 3 months ago

PRs ready for review:

https://github.com/yalelibrary/yul-dc-blacklight/pull/1043
https://github.com/yalelibrary/yul-dc-management/pull/1426

martinlovell commented 3 months ago

We can just put the header on requests so management knows it's blacklight. We don't need them on responses. Blacklight will trust that it's talking to management for this ticket.
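As an added example (not code from the yul-dc repositories or the PRs linked in this thread), here is the request-side check described in the story and in the comment above, in plain Ruby: Blacklight attaches a shared secret in a request header, and Management verifies it before serving the request, using a constant-time comparison and failing closed when no secret is configured. The header name `X-Yul-Dc-Token`, the environment variable `BLACKLIGHT_MGMT_TOKEN`, the example URL and the function names are assumptions for illustration; the real PRs may use different names.

```ruby
require 'openssl'
require 'securerandom'
require 'net/http'
require 'uri'

# Assumed names for this example; the real PRs may differ.
TOKEN_HEADER = 'X-Yul-Dc-Token'.freeze
TOKEN_ENV    = 'BLACKLIGHT_MGMT_TOKEN'.freeze

# One-time provisioning: 32 random bytes, hex-encoded. The same value has to
# be set as TOKEN_ENV on every task that runs Blacklight or Management.
def generate_shared_token
  SecureRandom.hex(32)
end

# Constant-time equality. Both values are hashed to a fixed length first so
# neither a length difference nor the position of the first mismatching byte
# changes how long the comparison takes.
def secure_token_match?(expected, given)
  return false if expected.nil? || given.nil?
  a = OpenSSL::Digest::SHA256.digest(expected.to_s)
  b = OpenSSL::Digest::SHA256.digest(given.to_s)
  diff = 0
  a.bytes.each_with_index { |byte, i| diff |= byte ^ b.getbyte(i) }
  diff.zero?
end

# Blacklight side: build the outbound request with the token attached.
# Only requests carry the header; responses do not, as discussed above.
def build_management_request(url, token: ENV[TOKEN_ENV])
  raise ArgumentError, "#{TOKEN_ENV} is not set" if token.nil? || token.empty?
  req = Net::HTTP::Get.new(URI(url))
  req[TOKEN_HEADER] = token
  req
end

# Management side: the equivalent of a before_action guarding the API
# controllers. `headers` is a Hash of request headers (as in request.headers).
# Returns [status, body] so the decision is easy to assert on.
def authorize_blacklight_request(headers, expected_token: ENV[TOKEN_ENV])
  # Fail closed: a server with no secret configured must not accept everything.
  if expected_token.nil? || expected_token.empty?
    return [500, 'shared token not configured']
  end
  # Header names are case-insensitive; accept either spelling.
  _, given = headers.find { |name, _| name.to_s.casecmp?(TOKEN_HEADER) }
  return [401, 'unauthorized'] unless secure_token_match?(expected_token, given)
  [200, 'ok']
end

if __FILE__ == $PROGRAM_NAME
  token = generate_shared_token
  req = build_management_request('https://management.example/management/api/foo', token: token)
  # Constructed sample requests: a valid token, a stale token, and no header at all.
  puts authorize_blacklight_request({ TOKEN_HEADER => req[TOKEN_HEADER] }, expected_token: token).inspect
  puts authorize_blacklight_request({ TOKEN_HEADER => 'stale-token' }, expected_token: token).inspect
  puts authorize_blacklight_request({}, expected_token: token).inspect
end
```

The token only identifies the calling application (Blacklight), not the end user, so Management still applies its own permission-set checks after this guard, and the header must travel over TLS since anyone who reads it can replay it. Because the check fails closed, a task that is missing the variable, or a header name that differs between the two apps, shows up as 401/500 responses rather than silently open access, which is the kind of symptom reported earlier in this thread.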

K8Sewell commented 3 months ago

Updated the PRs and they are ready for review

PRs ready for review:

https://github.com/yalelibrary/yul-dc-blacklight/pull/1043
https://github.com/yalelibrary/yul-dc-management/pull/1426

K8Sewell commented 3 months ago

Deployed to Test with Blacklight release v1.63.8 and Management release v2.71.6

K8Sewell commented 3 months ago

Behaviors work as expected. Will promote to UAT.

#### Curl in Terminal

![Image](https://github.com/user-attachments/assets/9d3e3749-cc7e-406f-9f1e-48aba2d2476e)

#### User Flow

Pending request from pending to approved

![Image](https://github.com/user-attachments/assets/8b0bf3d1-e503-4def-a1a3-35f86f58dd09)
![Image](https://github.com/user-attachments/assets/67f5d37f-e17f-4985-8713-4ca93fdd9992)

Creation of request

![Image](https://github.com/user-attachments/assets/7ade6aea-31b3-48f8-8976-306c73f0b027)
![Image](https://github.com/user-attachments/assets/bb30aee0-363a-4065-bb17-cd04127132e8)
![Image](https://github.com/user-attachments/assets/a3dac37f-dbf1-4efd-81eb-b3f470274a62)
![Image](https://github.com/user-attachments/assets/17956d88-7b55-4df6-a8b2-d48b8c0338d2)

As an admin of some but not all permission sets - search display results as expected

![Image](https://github.com/user-attachments/assets/d9b50cbc-b924-4ca2-8232-60c9b41e7e9b)

sshetenhelm commented 3 months ago

Appears to be working as expected for me in UAT :)