Skip to content

Commit

Permalink
Update the authentication process for composite views (#4284)
Browse files Browse the repository at this point in the history
* Update the authentication process for composite views

includes removing postgres storage encryption as we no longer use this

* fix PR issues

* test fixes

* more fixes

* docs

* more docs
  • Loading branch information
shinyhappydan authored Sep 20, 2023
1 parent 1bf50fd commit d1492e9
Show file tree
Hide file tree
Showing 45 changed files with 170 additions and 422 deletions.
6 changes: 0 additions & 6 deletions delta/app/src/main/resources/app.conf
Original file line number Diff line number Diff line change
Expand Up @@ -277,12 +277,6 @@ app {
}
}

# secrets encryption configuration
encryption {
password = "changeme"
salt = "salt"
}

# projection configuration
projections {
cluster {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,6 @@ package ch.epfl.bluebrain.nexus.delta.config
import ch.epfl.bluebrain.nexus.delta.kernel.cache.CacheConfig
import ch.epfl.bluebrain.nexus.delta.rdf.jsonld.api.JsonLdApiConfig
import ch.epfl.bluebrain.nexus.delta.sdk.acls.AclsConfig
import ch.epfl.bluebrain.nexus.delta.sdk.crypto.EncryptionConfig
import ch.epfl.bluebrain.nexus.delta.sdk.fusion.FusionConfig
import ch.epfl.bluebrain.nexus.delta.sdk.model.ServiceAccountConfig
import ch.epfl.bluebrain.nexus.delta.sdk.organizations.OrganizationsConfig
Expand Down Expand Up @@ -47,7 +46,6 @@ final case class AppConfig(
schemas: SchemasConfig,
serviceAccount: ServiceAccountConfig,
sse: SseConfig,
encryption: EncryptionConfig,
projections: ProjectionConfig,
fusion: FusionConfig
)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,6 @@ import ch.epfl.bluebrain.nexus.delta.routes.ErrorRoutes
import ch.epfl.bluebrain.nexus.delta.sdk.IndexingAction.AggregateIndexingAction
import ch.epfl.bluebrain.nexus.delta.sdk._
import ch.epfl.bluebrain.nexus.delta.sdk.acls.Acls
import ch.epfl.bluebrain.nexus.delta.sdk.crypto.Crypto
import ch.epfl.bluebrain.nexus.delta.sdk.fusion.FusionConfig
import ch.epfl.bluebrain.nexus.delta.sdk.http.StrictEntity
import ch.epfl.bluebrain.nexus.delta.sdk.identities.model.ServiceAccount
Expand Down Expand Up @@ -61,7 +60,6 @@ class DeltaModule(appCfg: AppConfig, config: Config)(implicit classLoader: Class
make[BaseUri].from { appCfg.http.baseUri }
make[StrictEntity].from { appCfg.http.strictEntityTimeout }
make[ServiceAccount].from { appCfg.serviceAccount.value }
make[Crypto].from { appCfg.encryption.crypto }

make[Transactors].fromResource {
Transactors.init(appCfg.database)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,15 +5,17 @@ import akka.http.scaladsl.model.{HttpRequest, Uri}
import ch.epfl.bluebrain.nexus.delta.Main.pluginsMaxPriority
import ch.epfl.bluebrain.nexus.delta.config.AppConfig
import ch.epfl.bluebrain.nexus.delta.kernel.cache.CacheConfig
import ch.epfl.bluebrain.nexus.delta.kernel.effect.migration._
import ch.epfl.bluebrain.nexus.delta.kernel.search.Pagination.FromPagination
import ch.epfl.bluebrain.nexus.delta.rdf.Vocabulary.contexts
import ch.epfl.bluebrain.nexus.delta.rdf.jsonld.context.{ContextValue, RemoteContextResolution}
import ch.epfl.bluebrain.nexus.delta.rdf.utils.JsonKeyOrdering
import ch.epfl.bluebrain.nexus.delta.routes.IdentitiesRoutes
import ch.epfl.bluebrain.nexus.delta.sdk.PriorityRoute
import ch.epfl.bluebrain.nexus.delta.sdk.acls.AclCheck
import ch.epfl.bluebrain.nexus.delta.sdk.auth.{AuthTokenProvider, OpenIdAuthService}
import ch.epfl.bluebrain.nexus.delta.sdk.http.{HttpClient, HttpClientError}
import ch.epfl.bluebrain.nexus.delta.sdk.identities.{Identities, IdentitiesImpl}
import ch.epfl.bluebrain.nexus.delta.kernel.search.Pagination.FromPagination
import ch.epfl.bluebrain.nexus.delta.sdk.model.search.SearchParams.RealmSearchParams
import ch.epfl.bluebrain.nexus.delta.sdk.model.{BaseUri, ResourceF}
import ch.epfl.bluebrain.nexus.delta.sdk.realms.Realms
Expand All @@ -22,7 +24,6 @@ import io.circe.Json
import izumi.distage.model.definition.{Id, ModuleDef}
import monix.bio.{IO, UIO}
import monix.execution.Scheduler
import ch.epfl.bluebrain.nexus.delta.kernel.effect.migration._

/**
* Identities module wiring config.
Expand All @@ -46,6 +47,14 @@ object IdentitiesModule extends ModuleDef {
IdentitiesImpl(findActiveRealm, getUserInfo, config)
}

make[OpenIdAuthService].from { (httpClient: HttpClient @Id("realm"), realms: Realms) =>
new OpenIdAuthService(httpClient, realms)
}

make[AuthTokenProvider].fromEffect { (authService: OpenIdAuthService) =>
AuthTokenProvider(authService)
}

many[RemoteContextResolution].addEffect(ContextValue.fromFile("contexts/identities.json").map { ctx =>
RemoteContextResolution.fixed(contexts.identities -> ctx)
})
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,10 @@ plugins.composite-views {
# the maximum batching duration. In this window, duplicated persistence ids are discarded
max-time-window = 500 millis
}
# the credentials for comminication with the remote source
remote-source-credentials {
type: "anonymous"
}
# the minimum allowed value for periodic rebuild strategy
min-interval-rebuild = 30 minutes
# the interval at which a view will look for requested restarts
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,6 @@ import ch.epfl.bluebrain.nexus.delta.plugins.compositeviews.model._
import ch.epfl.bluebrain.nexus.delta.plugins.compositeviews.serialization.CompositeViewFieldsJsonLdSourceDecoder
import ch.epfl.bluebrain.nexus.delta.rdf.IriOrBNode.Iri
import ch.epfl.bluebrain.nexus.delta.rdf.jsonld.api.JsonLdApi
import ch.epfl.bluebrain.nexus.delta.sdk.crypto.Crypto
import ch.epfl.bluebrain.nexus.delta.sdk.identities.model.Caller
import ch.epfl.bluebrain.nexus.delta.sdk.implicits._
import ch.epfl.bluebrain.nexus.delta.sdk.jsonld.ExpandIri
Expand Down Expand Up @@ -478,15 +477,15 @@ object CompositeViews {
}
}

def definition(validate: ValidateCompositeView, crypto: Crypto)(implicit
def definition(validate: ValidateCompositeView)(implicit
clock: Clock[UIO],
uuidF: UUIDF
): ScopedEntityDefinition[Iri, CompositeViewState, CompositeViewCommand, CompositeViewEvent, CompositeViewRejection] =
ScopedEntityDefinition(
entityType,
StateMachine(None, evaluate(validate), next),
CompositeViewEvent.serializer(crypto),
CompositeViewState.serializer(crypto),
CompositeViewEvent.serializer,
CompositeViewState.serializer,
Tagger[CompositeViewEvent](
{
case r: CompositeViewTagAdded => Some(r.tag -> r.targetRev)
Expand Down Expand Up @@ -515,7 +514,6 @@ object CompositeViews {
fetchContext: FetchContext[CompositeViewRejection],
contextResolution: ResolverContextResolution,
validate: ValidateCompositeView,
crypto: Crypto,
config: CompositeViewsConfig,
xas: Transactors
)(implicit
Expand All @@ -530,7 +528,7 @@ object CompositeViews {
.map { sourceDecoder =>
new CompositeViews(
ScopedEventLog(
definition(validate, crypto),
definition(validate),
config.eventLog,
xas
),
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ import ch.epfl.bluebrain.nexus.delta.plugins.blazegraph.client.BlazegraphClient
import ch.epfl.bluebrain.nexus.delta.plugins.compositeviews.client.DeltaClient
import ch.epfl.bluebrain.nexus.delta.plugins.compositeviews.config.CompositeViewsConfig
import ch.epfl.bluebrain.nexus.delta.plugins.compositeviews.deletion.CompositeViewsDeletionTask
import ch.epfl.bluebrain.nexus.delta.plugins.compositeviews.indexing.{CompositeProjectionLifeCycle, CompositeSinks, CompositeSpaces, CompositeViewsCoordinator, MetadataPredicates}
import ch.epfl.bluebrain.nexus.delta.plugins.compositeviews.indexing._
import ch.epfl.bluebrain.nexus.delta.plugins.compositeviews.migration.MigrateCompositeViews
import ch.epfl.bluebrain.nexus.delta.plugins.compositeviews.model.CompositeViewRejection.ProjectContextRejection
import ch.epfl.bluebrain.nexus.delta.plugins.compositeviews.model._
Expand All @@ -22,7 +22,7 @@ import ch.epfl.bluebrain.nexus.delta.rdf.jsonld.context.{ContextValue, JsonLdCon
import ch.epfl.bluebrain.nexus.delta.rdf.utils.JsonKeyOrdering
import ch.epfl.bluebrain.nexus.delta.sdk._
import ch.epfl.bluebrain.nexus.delta.sdk.acls.AclCheck
import ch.epfl.bluebrain.nexus.delta.sdk.crypto.Crypto
import ch.epfl.bluebrain.nexus.delta.sdk.auth.AuthTokenProvider
import ch.epfl.bluebrain.nexus.delta.sdk.deletion.ProjectDeletionTask
import ch.epfl.bluebrain.nexus.delta.sdk.directives.DeltaSchemeDirectives
import ch.epfl.bluebrain.nexus.delta.sdk.fusion.FusionConfig
Expand Down Expand Up @@ -51,9 +51,15 @@ class CompositeViewsPluginModule(priority: Int) extends ModuleDef {

make[CompositeViewsConfig].fromEffect { cfg => CompositeViewsConfig.load(cfg) }

make[DeltaClient].from { (cfg: CompositeViewsConfig, as: ActorSystem[Nothing], sc: Scheduler) =>
val httpClient = HttpClient()(cfg.remoteSourceClient.http, as.classicSystem, sc)
DeltaClient(httpClient, cfg.remoteSourceClient.retryDelay)(as, sc)
make[DeltaClient].from {
(
cfg: CompositeViewsConfig,
as: ActorSystem[Nothing],
sc: Scheduler,
authTokenProvider: AuthTokenProvider
) =>
val httpClient = HttpClient()(cfg.remoteSourceClient.http, as.classicSystem, sc)
DeltaClient(httpClient, authTokenProvider, cfg.remoteSourceCredentials, cfg.remoteSourceClient.retryDelay)(as, sc)
}

make[BlazegraphClient].named("blazegraph-composite-indexing-client").from {
Expand Down Expand Up @@ -91,7 +97,6 @@ class CompositeViewsPluginModule(priority: Int) extends ModuleDef {
permissions: Permissions,
client: ElasticSearchClient,
deltaClient: DeltaClient,
crypto: Crypto,
config: CompositeViewsConfig,
baseUri: BaseUri
) =>
Expand All @@ -101,7 +106,6 @@ class CompositeViewsPluginModule(priority: Int) extends ModuleDef {
permissions.fetchPermissionSet,
client,
deltaClient,
crypto,
config.prefix,
config.sources.maxSources,
config.maxProjections
Expand All @@ -113,7 +117,6 @@ class CompositeViewsPluginModule(priority: Int) extends ModuleDef {
fetchContext: FetchContext[ContextRejection],
contextResolution: ResolverContextResolution,
validate: ValidateCompositeView,
crypto: Crypto,
config: CompositeViewsConfig,
xas: Transactors,
api: JsonLdApi,
Expand All @@ -124,7 +127,6 @@ class CompositeViewsPluginModule(priority: Int) extends ModuleDef {
fetchContext.mapRejection(ProjectContextRejection),
contextResolution,
validate,
crypto,
config,
xas
)(
Expand Down Expand Up @@ -319,15 +321,15 @@ class CompositeViewsPluginModule(priority: Int) extends ModuleDef {
)(baseUri, config.pagination, s, cr, ordering)
}

make[CompositeView.Shift].from { (views: CompositeViews, base: BaseUri, crypto: Crypto) =>
CompositeView.shift(views)(base, crypto)
make[CompositeView.Shift].from { (views: CompositeViews, base: BaseUri) =>
CompositeView.shift(views)(base)
}

many[ResourceShift[_, _, _]].ref[CompositeView.Shift]

many[SseEncoder[_]].add { (crypto: Crypto, base: BaseUri) => CompositeViewEvent.sseEncoder(crypto)(base) }
many[SseEncoder[_]].add { (base: BaseUri) => CompositeViewEvent.sseEncoder(base) }

many[ScopedEventMetricEncoder[_]].add { (crypto: Crypto) => CompositeViewEvent.compositeViewMetricEncoder(crypto) }
many[ScopedEventMetricEncoder[_]].add { () => CompositeViewEvent.compositeViewMetricEncoder }

many[PriorityRoute].add {
(
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -4,12 +4,11 @@ import cats.syntax.all._
import ch.epfl.bluebrain.nexus.delta.plugins.compositeviews.client.DeltaClient
import ch.epfl.bluebrain.nexus.delta.plugins.compositeviews.indexing.projectionIndex
import ch.epfl.bluebrain.nexus.delta.plugins.compositeviews.model.CompositeViewProjection.{ElasticSearchProjection, SparqlProjection}
import ch.epfl.bluebrain.nexus.delta.plugins.compositeviews.model.CompositeViewRejection.{CrossProjectSourceForbidden, CrossProjectSourceProjectNotFound, DuplicateIds, InvalidElasticSearchProjectionPayload, InvalidEncryptionSecrets, InvalidRemoteProjectSource, PermissionIsNotDefined, TooManyProjections, TooManySources, WrappedElasticSearchClientError}
import ch.epfl.bluebrain.nexus.delta.plugins.compositeviews.model.CompositeViewSource.{AccessToken, CrossProjectSource, ProjectSource, RemoteProjectSource}
import ch.epfl.bluebrain.nexus.delta.plugins.compositeviews.model.CompositeViewRejection.{CrossProjectSourceForbidden, CrossProjectSourceProjectNotFound, DuplicateIds, InvalidElasticSearchProjectionPayload, InvalidRemoteProjectSource, PermissionIsNotDefined, TooManyProjections, TooManySources, WrappedElasticSearchClientError}
import ch.epfl.bluebrain.nexus.delta.plugins.compositeviews.model.CompositeViewSource.{CrossProjectSource, ProjectSource, RemoteProjectSource}
import ch.epfl.bluebrain.nexus.delta.plugins.compositeviews.model.{CompositeViewProjection, CompositeViewRejection, CompositeViewSource, CompositeViewValue}
import ch.epfl.bluebrain.nexus.delta.plugins.elasticsearch.client.{ElasticSearchClient, IndexLabel}
import ch.epfl.bluebrain.nexus.delta.sdk.acls.AclCheck
import ch.epfl.bluebrain.nexus.delta.sdk.crypto.Crypto
import ch.epfl.bluebrain.nexus.delta.sdk.http.HttpClientError
import ch.epfl.bluebrain.nexus.delta.sdk.http.HttpClientError.HttpClientStatusError
import ch.epfl.bluebrain.nexus.delta.sdk.model.BaseUri
Expand Down Expand Up @@ -37,7 +36,6 @@ object ValidateCompositeView {
fetchPermissions: UIO[Set[Permission]],
client: ElasticSearchClient,
deltaClient: DeltaClient,
crypto: Crypto,
prefix: String,
maxSources: Int,
maxProjections: Int
Expand All @@ -49,13 +47,6 @@ object ValidateCompositeView {
projects.fetch(cpSource.project).mapError(_ => CrossProjectSourceProjectNotFound(cpSource)).void
}

def validateCrypto(token: Option[AccessToken]): IO[InvalidEncryptionSecrets.type, Unit] = token match {
case Some(AccessToken(value)) =>
IO.fromEither(crypto.encrypt(value.value).flatMap(crypto.decrypt).toEither.void)
.mapError(_ => InvalidEncryptionSecrets)
case None => IO.unit
}

def validatePermission(permission: Permission) =
fetchPermissions.flatMap { perms =>
IO.when(!perms.contains(permission))(IO.raiseError(PermissionIsNotDefined(permission)))
Expand All @@ -76,7 +67,7 @@ object ValidateCompositeView {
case _: ProjectSource => IO.unit
case cpSource: CrossProjectSource => validateAcls(cpSource) >> validateProject(cpSource)
case rs: RemoteProjectSource =>
checkRemoteEvent(rs).mapError(InvalidRemoteProjectSource(rs, _)) >> validateCrypto(rs.token)
checkRemoteEvent(rs).mapError(InvalidRemoteProjectSource(rs, _))
}

val validateProjection: CompositeViewProjection => IO[CompositeViewRejection, Unit] = {
Expand Down
Loading

0 comments on commit d1492e9

Please sign in to comment.