From eb998d77533a033669916051d5f1cd38a6e14636 Mon Sep 17 00:00:00 2001 From: Panos Chatzopoulos Date: Mon, 26 Jun 2023 15:17:45 +0200 Subject: [PATCH 1/3] rebase main --- charts/sda-svc/README.md | 2 +- charts/sda-svc/templates/auth-deploy.yaml | 2 + charts/sda-svc/values.yaml | 1 + sda-auth/config.go | 4 +- sda-auth/config.yaml | 1 + sda-auth/config_test.go | 1 + sda-auth/dev-server/docker-compose.yml | 14 ++++++ sda-auth/go.mod | 3 ++ sda-auth/go.sum | 53 +++++++++++++++++++++++ sda-auth/info.go | 46 ++++++++++++++++++++ sda-auth/main.go | 13 ++++++ 11 files changed, 138 insertions(+), 2 deletions(-) create mode 100644 sda-auth/info.go diff --git a/charts/sda-svc/README.md b/charts/sda-svc/README.md index 1e80ce536..75d4ef41f 100644 --- a/charts/sda-svc/README.md +++ b/charts/sda-svc/README.md @@ -95,7 +95,7 @@ Parameter | Description | Default `global.cega.password` | Password for the EGA user authentication service. |`""` `global.c4gh.keyFile` | Private C4GH key. |`c4gh.key` `global.c4gh.passphrase` | Passphrase for the private C4GH key. |`""` -`global.c4gh.publicFile` | Public key corresponding to the private key, neeeded for tests. |`""` +`global.c4gh.publicFile` | Public key corresponding to the private key, provided in /info endpoint and neeeded for tests. |`""` `global.db.host` | Hostname for the database. |`""` `global.db.name` | Database to connect to. |`lega` `global.db.passIngest` | Password used for `data in` services. |`""` diff --git a/charts/sda-svc/templates/auth-deploy.yaml b/charts/sda-svc/templates/auth-deploy.yaml index 12f47927e..32009041a 100644 --- a/charts/sda-svc/templates/auth-deploy.yaml +++ b/charts/sda-svc/templates/auth-deploy.yaml @@ -137,6 +137,8 @@ spec: {{- end }} - name: RESIGNJWT value: {{ .Values.global.auth.resignJwt | quote }} + - name: PUBLICFILE + value: {{ .Values.global.c4gh.publicFile | quote }} {{- if .Values.global.tls.enabled}} - name: SERVER_CERT value: {{ template "tlsPath" . }}/tls.crt 
diff --git a/charts/sda-svc/values.yaml b/charts/sda-svc/values.yaml index 8b7f39df8..ed277c533 100644 --- a/charts/sda-svc/values.yaml +++ b/charts/sda-svc/values.yaml @@ -192,6 +192,7 @@ global: passphrase: "" backupPubKey: "" + db: host: "" name: "sda" diff --git a/sda-auth/config.go b/sda-auth/config.go index 6963808ec..481b6f689 100644 --- a/sda-auth/config.go +++ b/sda-auth/config.go @@ -55,6 +55,7 @@ type Config struct { ResignJwt bool InfoURL string InfoText string + PublicFile string } // NewConfig initializes and parses the config file and/or environment using @@ -94,6 +95,7 @@ func (c *Config) readConfig() error { c.JwtIssuer = viper.GetString("jwtIssuer") c.InfoURL = viper.GetString("infoUrl") c.InfoText = viper.GetString("infoText") + c.PublicFile = viper.GetString("publicFile") viper.SetDefault("ResignJwt", true) c.ResignJwt = viper.GetBool("resignJwt") @@ -181,7 +183,7 @@ func (c *Config) readConfig() error { return nil } - for _, s := range []string{"jwtIssuer", "JwtPrivateKey", "JwtSignatureAlg"} { + for _, s := range []string{"jwtIssuer", "JwtPrivateKey", "JwtSignatureAlg", "s3Inbox", "publicFile"} { if viper.GetString(s) == "" { return fmt.Errorf("%s not set", s) } diff --git a/sda-auth/config.yaml b/sda-auth/config.yaml index 5a74294b9..fc7c1cec3 100644 --- a/sda-auth/config.yaml +++ b/sda-auth/config.yaml @@ -24,3 +24,4 @@ jwtSignatureAlg: "ES256" resignJwt: true infoText: "About Federated EGA" infoUrl: "https://ega-archive.org/about/projects-and-funders/federated-ega/" +publicFile: "/keys/c4gh.pub.pem" diff --git a/sda-auth/config_test.go b/sda-auth/config_test.go index 208612120..f24931c63 100644 --- a/sda-auth/config_test.go +++ b/sda-auth/config_test.go @@ -32,6 +32,7 @@ type ConfigTests struct { ResignJwt bool InfoURL string InfoText string + C4ghPubKeyFile string } func TestConfigTestSuite(t *testing.T) { diff --git a/sda-auth/dev-server/docker-compose.yml b/sda-auth/dev-server/docker-compose.yml index a1f2f246e..63280c6f5 100644 
--- a/sda-auth/dev-server/docker-compose.yml +++ b/sda-auth/dev-server/docker-compose.yml @@ -43,6 +43,16 @@ services: - CEGA_USERS_USER=dummy ports: - 8443:8443 + keygen: + image: golang:alpine3.16 + container_name: keygen + command: + - "/bin/sh" + - "-c" + - if [ ! -f "/out/c4gh.sec.pem" ]; then wget -qO- "https://github.com/neicnordic/crypt4gh/releases/latest/download/crypt4gh_linux_x86_64.tar.gz" | tar zxf -; + ./crypt4gh generate -n c4gh -p privatekeypass && mv *.pem /out/; fi + volumes: + - ../keys:/out auth: container_name: auth build: @@ -55,6 +65,8 @@ services: condition: service_healthy cega: condition: service_started + keygen: + condition: service_completed_successfully environment: - ELIXIR_ID=XC56EL11xx - ELIXIR_PROVIDER=http://oidc:9090 @@ -73,9 +85,11 @@ services: - JWTSIGNATUREALG=ES256 - INFOTEXT=About Federated EGA - INFOURL=https://ega-archive.org/about/projects-and-funders/federated-ega/ + - PUBLICFILE=keys/c4gh.pub.pem volumes: - ../keys:/keys - ../:/sda-auth + - ./keys/c4gh.pub.pem:/c4gh.pub.pem image: sda-auth ports: - 8080:8080 diff --git a/sda-auth/go.mod b/sda-auth/go.mod index caa21e294..5f2083859 100644 --- a/sda-auth/go.mod +++ b/sda-auth/go.mod @@ -9,6 +9,7 @@ require ( github.com/iris-contrib/middleware/cors v0.0.0-20230311205048-b568fe9b470f github.com/kataras/iris/v12 v12.2.7 github.com/lestrrat/go-jwx v0.9.1 + github.com/neicnordic/crypt4gh v1.7.6 github.com/oauth2-proxy/mockoidc v0.0.0-20220308204021-b9169deeb282 github.com/sirupsen/logrus v1.9.3 github.com/spf13/viper v1.18.2 @@ -20,6 +21,7 @@ require ( ) require ( + filippo.io/edwards25519 v1.0.0 // indirect github.com/BurntSushi/toml v1.3.2 // indirect github.com/CloudyKit/fastprinter v0.0.0-20200109182630-33d98a066a53 // indirect github.com/CloudyKit/jet/v6 v6.2.0 // indirect 
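Review bot: The `keygen` command downloads `crypt4gh_linux_x86_64.tar.gz` from the `releases/latest` URL and executes whatever it unpacks, with no release pin and no checksum, so the key-generation step is neither reproducible nor verified (the `golang:alpine3.16` image is likewise not digest-pinned). Pinning the release, `.../releases/download/<CRYPT4GH_VERSION_PLACEHOLDER>/crypt4gh_linux_x86_64.tar.gz`, and comparing the archive against a recorded `sha256sum` before running it confines the supply-chain exposure to one known artifact. The hard-coded `-p privatekeypass` is acceptable for a throwaway dev key, but a comment on the service stating that the keypair is dev-only would stop the pattern being copied into a real deployment.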
@@ -28,6 +30,7 @@ require ( github.com/andybalholm/brotli v1.0.5 // indirect github.com/aymerick/douceur v0.2.0 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect + github.com/dchest/bcrypt_pbkdf v0.0.0-20150205184540-83f37f9c154a // indirect github.com/fatih/structs v1.1.0 // indirect github.com/flosch/pongo2/v4 v4.0.2 // indirect github.com/fsnotify/fsnotify v1.7.0 // indirect diff --git a/sda-auth/go.sum b/sda-auth/go.sum index a572f88e9..c49afc053 100644 --- a/sda-auth/go.sum +++ b/sda-auth/go.sum 
@@ -1,3 +1,44 @@ +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= +cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= +cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= +cloud.google.com/go v0.44.3/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= +cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= +cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= +cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To= +cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= +cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= +cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= +cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= +cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= +cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= +cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= +cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI= +cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk= +cloud.google.com/go v0.75.0/go.mod h1:VGuuCn7PG0dwsd5XPVm2Mm3wlh3EL55/79EKB6hlPTY= +cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= +cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= +cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= +cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= 
+cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= +cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= +cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= +cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= +cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= +cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= +cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= +cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= +cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= +cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= +cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= +cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= +cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= +cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3fOKtUw0Xmo= +dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= +filippo.io/edwards25519 v1.0.0 h1:0wAIcmJUqRdI8IJ/3eGi5/HwXZWPujYXXlkrQogz0Ek= +filippo.io/edwards25519 v1.0.0/go.mod h1:N1IkdkCkiLB6tki+MYJoSx2JTY9NUlxZE7eHn5EwJns= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8= github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/CloudyKit/fastprinter v0.0.0-20200109182630-33d98a066a53 h1:sR+/8Yb4slttB4vD+b9btVEnWgL3Q00OBTzVT8B9C0c= 
@@ -21,6 +62,14 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dchest/bcrypt_pbkdf v0.0.0-20150205184540-83f37f9c154a h1:saTgr5tMLFnmy/yg3qDTft4rE5DY2uJ/cCxCe3q0XTU= +github.com/dchest/bcrypt_pbkdf v0.0.0-20150205184540-83f37f9c154a/go.mod h1:Bw9BbhOJVNR+t0jCqx2GC6zv0TGBsShs56Y3gfSCvl0= +github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= +github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= +github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= +github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs= github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo= github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M= 
@@ -96,6 +145,8 @@ github.com/microcosm-cc/bluemonday v1.0.25/go.mod h1:ZIOjCQp1OrzBBPIJmfX4qDYFuhU github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/neicnordic/crypt4gh v1.7.6 h1:Vqcb8Yb950oaBBJFepDK1oLeu9rZzpywYWVHLmO0oI8= +github.com/neicnordic/crypt4gh v1.7.6/go.mod h1:rqmVXsprDFBRRLJkm1cK9kLETBPGEZmft9lHD/V40wk= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= github.com/oauth2-proxy/mockoidc v0.0.0-20220308204021-b9169deeb282 h1:TQMyrpijtkFyXpNI3rY5hsZQZw+paiH+BfAlsb81HBY= @@ -202,6 +253,8 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc= golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek= +golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= diff --git a/sda-auth/info.go b/sda-auth/info.go new file mode 100644 index 000000000..cbd760fe5 --- /dev/null +++ b/sda-auth/info.go 
@@ -0,0 +1,46 @@
+package main
+
+import (
+ "fmt"
+ "os"
+ "path/filepath"
+
+ "github.com/kataras/iris/v12"
+ "github.com/neicnordic/crypt4gh/keys"
+ log "github.com/sirupsen/logrus"
+)
+
+type Info struct {
+ ClientID string `json:"client_id"`
+ OidcURI string `json:"oidc_uri"`
+ PublicKey string `json:"public_key"`
+ InboxURI string `json:"inbox_uri"`
+}
+
+// Reads the public key file and returns the public key
+func readPublicKeyFile(filename string) (key *[32]byte, err error) {
+ log.Info("Reading Public key file")
+ file, err := os.Open(filepath.Clean(filename))
+ if err != nil {
+ return nil, err
+ }
+ defer file.Close()
+ publicKey, err := keys.ReadPublicKey(file)
+ if err != nil {
+ return nil, fmt.Errorf("error while reading public key file %s: %v", filename, err)
+ }
+
+ return &publicKey, err
+}
+
+// getInfo returns information needed by the client to authenticate
+func (auth AuthHandler) getInfo(ctx iris.Context) {
+ info := Info{ClientID: auth.OAuth2Config.ClientID, OidcURI: auth.Config.JwtIssuer, PublicKey: auth.pubKey, InboxURI: auth.Config.S3Inbox}
+
+ err := ctx.JSON(info)
+ if err != nil {
+ log.Error("Failure to get Info ", err)
+
+ return
+ }
+}
diff --git a/sda-auth/main.go b/sda-auth/main.go
index 40aa2a1ed..18089a2c3 100644
--- a/sda-auth/main.go
+++ b/sda-auth/main.go
@@ -1,6 +1,7 @@
 package main
 import (
+ "encoding/hex"
 "encoding/json"
 "fmt"
 "io"
@@ -35,6 +36,7 @@ type AuthHandler struct {
 OIDCProvider *oidc.Provider
 htmlDir string
 staticDir string
+ pubKey string
 }
 func (auth AuthHandler) getInboxConfig(ctx iris.Context, authType string) {
@@ -380,6 +382,7 @@ func main() {
 OIDCProvider: provider,
 htmlDir: "./frontend/templates",
 staticDir: "./frontend/static",
+ pubKey: "",
 }
 // Initialise web server 
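Review bot: `Info.PublicKey` is served as the hex encoding of the raw 32-byte key (the main.go hunk in this commit fills `pubKey` with `hex.EncodeToString(publicKey[:])`), which is not the textual form stored in the key file, and nothing on the struct tells a client which encoding to expect; suggest `// PublicKey is the crypt4gh public key as hex of the raw 32 bytes, not the key-file text form.` on the field. `readPublicKeyFile` ends with `return &publicKey, err` where `err` is necessarily nil at that point; `return &publicKey, nil` states the intent. Its doc comment should also say the key is loaded once at startup, since a key rotated on disk is not picked up without a restart. In `getInfo` a failed `ctx.JSON` is logged but the response is left as-is; setting an error status before the `return` would stop a client treating a partial body as success.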
@@ -417,6 +420,16 @@ func main() {
 app.Get("/elixir/login", authHandler.getElixirLogin)
 app.Get("/elixir/cors_login", authHandler.getElixirCORSLogin)
+ publicKey, err := readPublicKeyFile(authHandler.Config.PublicFile)
+ if err != nil {
+ log.Info("Failure to get public key: ", err)
+ } else {
+ authHandler.pubKey = hex.EncodeToString(publicKey[:])
+ }
+
+ if publicKey != nil {
+ app.Get("/info", authHandler.getInfo)
+ }
 app.UseGlobal(globalHeaders)
 if config.Server.Cert != "" && config.Server.Key != "" {
From 671a73b6e338d14a53399d530b87832bb02b36cf Mon Sep 17 00:00:00 2001
From: Panos Chatzopoulos
Date: Mon, 25 Sep 2023 15:30:44 +0200
Subject: [PATCH 2/3] added test for info endpoint
---
 sda-auth/config.go | 4 ----
 sda-auth/config_test.go | 5 +++++
 sda-auth/info.go | 2 +-
 sda-auth/main.go | 1 +
 4 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/sda-auth/config.go b/sda-auth/config.go
index 481b6f689..d18ead7ea 100644
--- a/sda-auth/config.go
+++ b/sda-auth/config.go
@@ -174,10 +174,6 @@ func (c *Config) readConfig() error {
 log.Printf("Setting log level to '%s'", stringLevel)
 }
- if viper.GetString("s3Inbox") == "" {
- return fmt.Errorf("%s not set", "s3Inbox")
- }
-
 // no need to check the variables for JWT generation if we won't use it
 if (cega.ID == "" && cega.Secret == "") && !c.ResignJwt {
 return nil
diff --git a/sda-auth/config_test.go b/sda-auth/config_test.go
index f24931c63..4162578a9 100644
--- a/sda-auth/config_test.go
+++ b/sda-auth/config_test.go
@@ -33,6 +33,7 @@ type ConfigTests struct {
 InfoURL string
 InfoText string
 C4ghPubKeyFile string
+ PublicFile string
 }
 func TestConfigTestSuite(t *testing.T) {
@@ -90,6 +91,7 @@ func (suite *ConfigTests) SetupTest() {
 suite.ResignJwt = true
 suite.InfoURL = "https://test.info"
 suite.InfoText = "About LEGA"
+ suite.PublicFile = "public.pem"
 // Write config to temp config file
 configYaml, err := yaml.Marshal(Config{
@@ -103,6 +105,7 @@ func (suite *ConfigTests) SetupTest() {
 ResignJwt: suite.ResignJwt,
 InfoURL: suite.InfoURL,
 InfoText: suite.InfoText,
+ PublicFile: suite.PublicFile,
 })
 if err != nil {
 log.Errorf("Error marshalling config yaml: %v", err)
@@ -187,6 +190,7 @@ func (suite *ConfigTests) TestConfig() {
 os.Setenv("INFOTEXT", fmt.Sprintf("env_%v", suite.InfoText))
 os.Setenv("INFOURL", fmt.Sprintf("env_%v", suite.InfoURL))
+ os.Setenv("PUBLICFILE", fmt.Sprintf("env_%v", suite.PublicFile))
 // re-read the config
 config, err = NewConfig()
@@ -213,6 +217,7 @@ func (suite *ConfigTests) TestConfig() {
 assert.Equal(suite.T(), fmt.Sprintf("env_%v", suite.InfoText), config.InfoText, "Project info text misread from environment variable")
 assert.Equal(suite.T(), fmt.Sprintf("env_%v", suite.InfoURL), config.InfoURL, "Project info text misread from environment variable")
+ assert.Equal(suite.T(), fmt.Sprintf("env_%v", suite.PublicFile), config.PublicFile, "Public file misread from environment variable")
 // Check missing private key
 os.Setenv("JWTPRIVATEKEY", "nonexistent-key-file")
diff --git a/sda-auth/info.go b/sda-auth/info.go
index cbd760fe5..1a46bc134 100644
--- a/sda-auth/info.go
+++ b/sda-auth/info.go
@@ -35,7 +35,7 @@ func readPublicKeyFile(filename string) (key *[32]byte, err error) {
 // getInfo returns information needed by the client to authenticate
 func (auth AuthHandler) getInfo(ctx iris.Context) {
- info := Info{ClientID: auth.OAuth2Config.ClientID, OidcURI: auth.Config.JwtIssuer, PublicKey: auth.pubKey, InboxURI: auth.Config.S3Inbox}
+ info := Info{ClientID: auth.OAuth2Config.ClientID, OidcURI: auth.Config.Elixir.Provider, PublicKey: auth.pubKey, InboxURI: auth.Config.S3Inbox}
 err := ctx.JSON(info)
 if err != nil {
diff --git a/sda-auth/main.go b/sda-auth/main.go
index 18089a2c3..ad3282b98 100644
--- a/sda-auth/main.go
+++ b/sda-auth/main.go
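Review bot: The patch is titled "added test for info endpoint", but the hunks in this file only check that `PublicFile` round-trips through the YAML config and the `PUBLICFILE` environment variable; `readPublicKeyFile` and `getInfo` are not exercised by any test in the series. A test that writes one valid public-key file and one malformed file under `t.TempDir()`, calls `readPublicKeyFile` on each, and asserts that the `/info` body carries the hex of the loaded key would cover the new path, including the startup failure that patch 3 turns into `log.Fatalf`. `TestConfig` starts and ends outside these hunks.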
@@ -427,6 +427,7 @@ func main() { authHandler.pubKey = hex.EncodeToString(publicKey[:]) } + // Endpoint for client login info if publicKey != nil { app.Get("/info", authHandler.getInfo) } From 56a8453857f9bbeb48e58290225ab3980bf2674b Mon Sep 17 00:00:00 2001 From: Panos Chatzopoulos Date: Thu, 16 Nov 2023 15:46:12 +0100 Subject: [PATCH 3/3] Changes in templates for deployment --- .../scripts/charts/dependencies.sh | 1 - .../integration/scripts/charts/values.yaml | 2 +- charts/sda-svc/README.md | 2 +- charts/sda-svc/templates/auth-deploy.yaml | 15 +++++- charts/sda-svc/values.yaml | 1 - sda-auth/config.go | 8 +++- sda-auth/config_test.go | 1 - sda-auth/dev-server/docker-compose.yml | 6 +-- sda-auth/go.sum | 48 +------------------ sda-auth/info.go | 3 +- sda-auth/main.go | 10 ++-- 11 files changed, 32 insertions(+), 65 deletions(-) diff --git a/.github/integration/scripts/charts/dependencies.sh b/.github/integration/scripts/charts/dependencies.sh index d0d752e35..d38df7c00 100644 --- a/.github/integration/scripts/charts/dependencies.sh +++ b/.github/integration/scripts/charts/dependencies.sh @@ -19,7 +19,6 @@ C4GHPASSPHRASE="$(random-string)" export C4GHPASSPHRASE crypt4gh generate -n c4gh -p "$C4GHPASSPHRASE" kubectl create secret generic c4gh --from-file="c4gh.sec.pem" --from-file="c4gh.pub.pem" --from-literal=passphrase="${C4GHPASSPHRASE}" - # secret for the OIDC keypair openssl ecparam -name prime256v1 -genkey -noout -out "jwt.key" openssl ec -in "jwt.key" -pubout -out "jwt.pub" diff --git a/.github/integration/scripts/charts/values.yaml b/.github/integration/scripts/charts/values.yaml index a33446f24..96639f753 100644 --- a/.github/integration/scripts/charts/values.yaml +++ b/.github/integration/scripts/charts/values.yaml @@ -48,7 +48,7 @@ global: secretName: c4gh keyFile: c4gh.sec.pem publicFile: c4gh.pub.pem - passphrase: PLACEHOLDER_VALUE + passphrase: PLACEHOLDER_VALUE db: host: "postgres-sda-db" user: "postgres" 
diff --git a/charts/sda-svc/README.md b/charts/sda-svc/README.md index 75d4ef41f..77f8c45ac 100644 --- a/charts/sda-svc/README.md +++ b/charts/sda-svc/README.md @@ -95,7 +95,7 @@ Parameter | Description | Default `global.cega.password` | Password for the EGA user authentication service. |`""` `global.c4gh.keyFile` | Private C4GH key. |`c4gh.key` `global.c4gh.passphrase` | Passphrase for the private C4GH key. |`""` -`global.c4gh.publicFile` | Public key corresponding to the private key, provided in /info endpoint and neeeded for tests. |`""` +`global.c4gh.publicFile` | Public key corresponding to the private key, provided in /info endpoint. |`""` `global.db.host` | Hostname for the database. |`""` `global.db.name` | Database to connect to. |`lega` `global.db.passIngest` | Password used for `data in` services. |`""` diff --git a/charts/sda-svc/templates/auth-deploy.yaml b/charts/sda-svc/templates/auth-deploy.yaml index 32009041a..f6011c88e 100644 --- a/charts/sda-svc/templates/auth-deploy.yaml +++ b/charts/sda-svc/templates/auth-deploy.yaml @@ -138,7 +138,7 @@ spec: - name: RESIGNJWT value: {{ .Values.global.auth.resignJwt | quote }} - name: PUBLICFILE - value: {{ .Values.global.c4gh.publicFile | quote }} + value: "{{ template "c4ghPath" . }}/{{ .Values.global.c4gh.publicFile }}" {{- if .Values.global.tls.enabled}} - name: SERVER_CERT value: {{ template "tlsPath" . }}/tls.crt @@ -186,6 +186,10 @@ spec: - name: jwt mountPath: {{ template "jwtPath" . }} {{- end }} + {{- if not .Values.global.vaultSecrets }} + - name: c4gh + mountPath: {{ template "c4ghPath" . }} + {{- end }} volumes: {{- if and (.Values.global.auth.resignJwt) (not .Values.global.vaultSecrets) }} - name: jwt 
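Review bot: `PUBLICFILE` is now rendered unconditionally as `{{ template "c4ghPath" . }}/{{ .Values.global.c4gh.publicFile }}`, while the `c4gh` mount in the `@@ -186` hunk and the matching volume in the `@@ -198` hunk on the next line are wrapped in `{{- if not .Values.global.vaultSecrets }}`; since patch 3 makes a missing key file fatal in main.go, a vault-backed deployment will crash-loop unless the vault integration places the public key at exactly that path, which I cannot confirm from the chart. Either guard the env var with the same condition or document the requirement in the README row for `global.c4gh.publicFile`. Projecting only the public key through `items:` is the right choice, because dependencies.sh creates the same secret with `c4gh.sec.pem` in it; a comment on the volume, `# items: limits the projection to the public key; the private key in this secret must not reach the auth pod`, records why the restriction matters.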
@@ -198,6 +202,15 @@ spec: - key: {{ required "The name of the JWT signing key is needed" .Values.global.auth.jwtKey }} path: {{ .Values.global.auth.jwtKey }} {{- end }} + {{- if not .Values.global.vaultSecrets }} + - name: c4gh + secret: + defaultMode: 0440 + secretName: {{ required "A secret for the C4GH public key is needed" .Values.global.c4gh.secretName }} + items: + - key: {{ required "The C4GH public key is needed" .Values.global.c4gh.publicFile }} + path: {{ .Values.global.c4gh.publicFile }} + {{- end }} {{- if and (not .Values.global.pkiService) .Values.global.tls.enabled }} - name: tls projected: diff --git a/charts/sda-svc/values.yaml b/charts/sda-svc/values.yaml index ed277c533..8b7f39df8 100644 --- a/charts/sda-svc/values.yaml +++ b/charts/sda-svc/values.yaml @@ -192,7 +192,6 @@ global: passphrase: "" backupPubKey: "" - db: host: "" name: "sda" diff --git a/sda-auth/config.go b/sda-auth/config.go index d18ead7ea..c582e094b 100644 --- a/sda-auth/config.go +++ b/sda-auth/config.go @@ -174,12 +174,18 @@ func (c *Config) readConfig() error { log.Printf("Setting log level to '%s'", stringLevel) } + for _, s := range []string{"s3Inbox", "publicFile"} { + if viper.GetString(s) == "" { + return fmt.Errorf("%s not set", s) + } + } + // no need to check the variables for JWT generation if we won't use it if (cega.ID == "" && cega.Secret == "") && !c.ResignJwt { return nil } - for _, s := range []string{"jwtIssuer", "JwtPrivateKey", "JwtSignatureAlg", "s3Inbox", "publicFile"} { + for _, s := range []string{"jwtIssuer", "JwtPrivateKey", "JwtSignatureAlg"} { if viper.GetString(s) == "" { return fmt.Errorf("%s not set", s) } diff --git a/sda-auth/config_test.go b/sda-auth/config_test.go index 4162578a9..ac5f36547 100644 --- a/sda-auth/config_test.go +++ b/sda-auth/config_test.go @@ -32,7 +32,6 @@ type ConfigTests struct { ResignJwt bool InfoURL string InfoText string - C4ghPubKeyFile string PublicFile string } 
diff --git a/sda-auth/dev-server/docker-compose.yml b/sda-auth/dev-server/docker-compose.yml index 63280c6f5..de51dbd48 100644 --- a/sda-auth/dev-server/docker-compose.yml +++ b/sda-auth/dev-server/docker-compose.yml @@ -52,7 +52,7 @@ services: - if [ ! -f "/out/c4gh.sec.pem" ]; then wget -qO- "https://github.com/neicnordic/crypt4gh/releases/latest/download/crypt4gh_linux_x86_64.tar.gz" | tar zxf -; ./crypt4gh generate -n c4gh -p privatekeypass && mv *.pem /out/; fi volumes: - - ../keys:/out + - /tmp:/out auth: container_name: auth build: @@ -85,11 +85,11 @@ services: - JWTSIGNATUREALG=ES256 - INFOTEXT=About Federated EGA - INFOURL=https://ega-archive.org/about/projects-and-funders/federated-ega/ - - PUBLICFILE=keys/c4gh.pub.pem + - PUBLICFILE=/c4gh.pub.pem volumes: - ../keys:/keys - ../:/sda-auth - - ./keys/c4gh.pub.pem:/c4gh.pub.pem + - /tmp/c4gh.pub.pem:/c4gh.pub.pem image: sda-auth ports: - 8080:8080 diff --git a/sda-auth/go.sum b/sda-auth/go.sum index c49afc053..608c1908c 100644 --- a/sda-auth/go.sum +++ b/sda-auth/go.sum 
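Review bot: Both hunks redirect the generated keypair to the host's `/tmp` (`/tmp:/out` and `/tmp/c4gh.pub.pem:/c4gh.pub.pem`), so `c4gh.sec.pem` now lands in a shared, world-readable directory, and with the existing `if [ ! -f "/out/c4gh.sec.pem" ]` guard a stale keypair left there by another checkout or user is silently reused instead of regenerated. For a dev-only compose file that is tolerable, but a project-scoped location (a named volume, or the `../keys` directory the `auth` service already mounts) avoids both problems. If `/tmp` was chosen because `../keys` is tracked or mounted read-only, a comment on the `keygen` service saying so would keep the next reader from reverting it.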
@@ -1,44 +1,5 @@ -cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= -cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= -cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= -cloud.google.com/go v0.44.3/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= -cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= -cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= -cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To= -cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= -cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= -cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= -cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= -cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= -cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= -cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= -cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI= -cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk= -cloud.google.com/go v0.75.0/go.mod h1:VGuuCn7PG0dwsd5XPVm2Mm3wlh3EL55/79EKB6hlPTY= -cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= -cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= -cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= -cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= 
-cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= -cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= -cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= -cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= -cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= -cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= -cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= -cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= -cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= -cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= -cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= -cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= -cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= -cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3fOKtUw0Xmo= -dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= filippo.io/edwards25519 v1.0.0 h1:0wAIcmJUqRdI8IJ/3eGi5/HwXZWPujYXXlkrQogz0Ek= filippo.io/edwards25519 v1.0.0/go.mod h1:N1IkdkCkiLB6tki+MYJoSx2JTY9NUlxZE7eHn5EwJns= -github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8= github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/CloudyKit/fastprinter v0.0.0-20200109182630-33d98a066a53 h1:sR+/8Yb4slttB4vD+b9btVEnWgL3Q00OBTzVT8B9C0c= 
@@ -64,12 +25,6 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/dchest/bcrypt_pbkdf v0.0.0-20150205184540-83f37f9c154a h1:saTgr5tMLFnmy/yg3qDTft4rE5DY2uJ/cCxCe3q0XTU= github.com/dchest/bcrypt_pbkdf v0.0.0-20150205184540-83f37f9c154a/go.mod h1:Bw9BbhOJVNR+t0jCqx2GC6zv0TGBsShs56Y3gfSCvl0= -github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= -github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= -github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= -github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= -github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= -github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs= github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo= github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M= 
@@ -253,8 +208,7 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc= golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek= -golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= diff --git a/sda-auth/info.go b/sda-auth/info.go index 1a46bc134..375bad2fe 100644 --- a/sda-auth/info.go +++ b/sda-auth/info.go @@ -1,7 +1,6 @@ package main import ( - "fmt" "os" "path/filepath" @@ -27,7 +26,7 @@ func readPublicKeyFile(filename string) (key *[32]byte, err error) { defer file.Close() publicKey, err := keys.ReadPublicKey(file) if err != nil { - return nil, fmt.Errorf("error while reading public key file %s: %v", filename, err) + return nil, err } return &publicKey, err diff --git a/sda-auth/main.go b/sda-auth/main.go index ad3282b98..a6cd508fd 100644 --- a/sda-auth/main.go +++ b/sda-auth/main.go 
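Review bot: Dropping the `fmt.Errorf` wrap means a parse failure from `keys.ReadPublicKey` no longer names the file, and because the main.go hunk of this patch turns that error straight into `log.Fatalf`, the operator sees a bare decoder error with no path (the `os.Open` branch still carries it through `*os.PathError`). Keeping the context with `%w` so callers can still unwrap the cause, `return nil, fmt.Errorf("reading public key file %s: %w", filename, err)`, preserves both and keeps the `fmt` import this hunk removes. The opening of `readPublicKeyFile` lies outside the hunk.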
@@ -422,15 +422,13 @@ func main() {
 publicKey, err := readPublicKeyFile(authHandler.Config.PublicFile)
 if err != nil {
- log.Info("Failure to get public key: ", err)
- } else {
- authHandler.pubKey = hex.EncodeToString(publicKey[:])
+ log.Fatalf("Failed to get public key: %s", err.Error())
 }
+ authHandler.pubKey = hex.EncodeToString(publicKey[:])
 // Endpoint for client login info
- if publicKey != nil {
- app.Get("/info", authHandler.getInfo)
- }
+ app.Get("/info", authHandler.getInfo)
+
 app.UseGlobal(globalHeaders)
 if config.Server.Cert != "" && config.Server.Key != "" {
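Review bot: `log.Fatalf("Failed to get public key: %s", err.Error())` spells out `.Error()` where `%v` with `err` prints the same text and matches the logging style used elsewhere in the series (`log.Error("Failure to get Info ", err)` in info.go); `log.Fatalf("Failed to get public key: %v", err)` is enough. Since the route is now registered unconditionally, the `// Endpoint for client login info` comment could say what is exposed, e.g. `// /info returns the OIDC client id and provider, the S3 inbox URI and the hex-encoded crypt4gh public key loaded above`; the route is added here with no per-route middleware visible, so confirm that an unauthenticated reader seeing those values is intended. `main` continues outside the hunk in both directions.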