feat(amphora-service): protect public endpoints

Signed-off-by: Sebastian Becker <[email protected]>
carbynestack · Nov 14, 2024 · e683198 · e683198
1 parent 5b4321d
commit e683198
Show file tree

Hide file tree

Showing 27 changed files with 864 additions and 397 deletions.
diff --git a/...ra-service/src/main/java/io/carbynestack/amphora/service/calculation/SecretShareUtil.java b/...ra-service/src/main/java/io/carbynestack/amphora/service/calculation/SecretShareUtil.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2021 - for information on the respective copyright owner
+ * Copyright (c) 2021-2024 - for information on the respective copyright owner
  * see the NOTICE file and/or the repository https://github.com/carbynestack/amphora.
  *
  * SPDX-License-Identifier: Apache-2.0
@@ -13,6 +13,7 @@
 import io.carbynestack.amphora.common.MaskedInput;
 import io.carbynestack.amphora.common.MaskedInputData;
 import io.carbynestack.amphora.common.SecretShare;
+import io.carbynestack.amphora.common.Tag;
 import io.carbynestack.castor.common.entities.Field;
 import io.carbynestack.castor.common.entities.InputMask;
 import io.carbynestack.castor.common.entities.Share;

diff --git a/amphora-service/src/main/java/io/carbynestack/amphora/service/config/AuthProperties.java b/amphora-service/src/main/java/io/carbynestack/amphora/service/config/AuthProperties.java
@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2024 - for information on the respective copyright owner
+ * see the NOTICE file and/or the repository https://github.com/carbynestack/amphora.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package io.carbynestack.amphora.service.config;
+
+
+import lombok.Data;
+import lombok.experimental.Accessors;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.stereotype.Component;
+
+@ConfigurationProperties(prefix = "carbynestack.auth")
+@Component
+@Data
+@Accessors(chain = true)
+public class AuthProperties {
+    private String userIdFieldName;
+}
diff --git a/amphora-service/src/main/java/io/carbynestack/amphora/service/config/OpaConfig.java b/amphora-service/src/main/java/io/carbynestack/amphora/service/config/OpaConfig.java
@@ -7,20 +7,21 @@
 
 package io.carbynestack.amphora.service.config;
 
+import io.carbynestack.amphora.service.opa.JwtReader;
 import io.carbynestack.amphora.service.opa.OpaClient;
-import io.carbynestack.castor.client.download.CastorIntraVcpClient;
-import io.carbynestack.castor.client.download.DefaultCastorIntraVcpClient;
 import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.ComponentScan;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.web.client.RestTemplate;
 
-import java.io.File;
 import java.net.URI;
 
 @Configuration
 public class OpaConfig {
 
+  @Bean
+  JwtReader jwtReader(AuthProperties authProperties) {
+    return new JwtReader(authProperties.getUserIdFieldName());
+  }
+
   @Bean
   OpaClient opaClient(OpaProperties opaProperties) {
     return OpaClient.builder()

diff --git a/amphora-service/src/main/java/io/carbynestack/amphora/service/config/OpaProperties.java b/amphora-service/src/main/java/io/carbynestack/amphora/service/config/OpaProperties.java
@@ -11,7 +11,7 @@
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.stereotype.Component;
 
-@ConfigurationProperties(prefix = "carbynestack.amphora.opa")
+@ConfigurationProperties(prefix = "carbynestack.opa")
 @Component
 @Data
 @Accessors(chain = true)

diff --git a/...rvice/src/main/java/io/carbynestack/amphora/service/exceptions/UnauthorizedException.java b/...rvice/src/main/java/io/carbynestack/amphora/service/exceptions/UnauthorizedException.java
@@ -0,0 +1,14 @@
+/*
+ * Copyright (c) 2024 - for information on the respective copyright owner
+ * see the NOTICE file and/or the repository https://github.com/carbynestack/amphora.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package io.carbynestack.amphora.service.exceptions;
+
+public class UnauthorizedException extends Exception {
+    public UnauthorizedException(String message) {
+        super(message);
+    }
+}
diff --git a/amphora-service/src/main/java/io/carbynestack/amphora/service/opa/JwtReader.java b/amphora-service/src/main/java/io/carbynestack/amphora/service/opa/JwtReader.java
@@ -0,0 +1,68 @@
+/*
+ * Copyright (c) 2024 - for information on the respective copyright owner
+ * see the NOTICE file and/or the repository https://github.com/carbynestack/amphora.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package io.carbynestack.amphora.service.opa;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import io.carbynestack.amphora.service.exceptions.UnauthorizedException;
+import io.vavr.control.Option;
+
+import java.util.Base64;
+
+public class JwtReader {
+    static ObjectMapper mapper = new ObjectMapper();
+    private final String userIdField;
+
+    public JwtReader(String userIdField) {
+        this.userIdField = userIdField;
+    }
+
+    public String extractUserIdFromAuthHeader(String header) throws UnauthorizedException {
+        return extractFieldFromAuthHeader(header, userIdField);
+    }
+
+    private static String extractFieldFromAuthHeader(String header, String field) throws UnauthorizedException {
+        return tokenFromHeader(header)
+                .flatMap(JwtReader::dataNodeFromToken)
+                .flatMap(node -> fieldFromNode(node, field))
+                .getOrElseThrow(() -> new UnauthorizedException("No token provided"));
+    }
+
+    private static Option<JsonNode> dataNodeFromToken(String token) {
+        String[] parts = token.split("\\.");
+        if (parts.length != 3) {
+            return Option.none();
+        }
+        try {
+            String jwt = new String(Base64.getDecoder().decode(parts[1]));
+            return Option.of(mapper.reader().readTree(jwt));
+        } catch (JsonProcessingException e) {
+            return Option.none();
+        }
+    }
+
+    private static Option<String> tokenFromHeader(String header) {
+        if (header != null && header.startsWith("Bearer ")) {
+            return Option.of(header.substring(7));
+        }
+        return Option.none();
+    }
+
+    private static Option<String> fieldFromNode(JsonNode node, String field) {
+        try {
+            for(String f : field.split("\\.")) {
+                node = node.get(f);
+            }
+            return Option.of(node.asText());
+        } catch (NullPointerException e) {
+            return Option.none();
+        }
+    }
+}
+
diff --git a/amphora-service/src/main/java/io/carbynestack/amphora/service/opa/OpaClient.java b/amphora-service/src/main/java/io/carbynestack/amphora/service/opa/OpaClient.java
@@ -42,7 +42,7 @@ public OpaClient(URI opaServiceUri, String defaultPolicyPackage) {
      * @param tags The tags describing the accessed object.
      * @return True if the subject can perform the action, false otherwise (or if an error occurred).
      */
-    boolean isAllowed(String policyPackage, String action, String subject, List<Tag> tags) {
+    public boolean isAllowed(String policyPackage, String action, String subject, List<Tag> tags) {
         OpaRequestBody body = OpaRequestBody.builder()
                 .subject(subject)
                 .tags(tags)

diff --git a/amphora-service/src/main/java/io/carbynestack/amphora/service/opa/OpaService.java b/amphora-service/src/main/java/io/carbynestack/amphora/service/opa/OpaService.java
@@ -17,6 +17,8 @@
 @Service
 public class OpaService {
     public static final String POLICY_PACKAGE_TAG_KEY = "accessPolicy";
+    public static final String OWNER_TAG_KEY = "owner";
+
     static final String READ_SECRET_ACTION_NAME = "read";
     static final String DELETE_SECRET_ACTION_NAME = "delete";
     static final String CREATE_TAG_ACTION_NAME = "tag/create";