Merge pull request #4 from openfort-xyz/feat/add-pem-to-custom-provider

feat: add pem to validate custom provider
openfort-xyz · Apr 11, 2024 · 37a3a1c · 37a3a1c
2 parents 4be3af2 + 9c9a7e9
commit 37a3a1c
Show file tree

Hide file tree

Showing 18 changed files with 356 additions and 34 deletions.
diff --git a/README.md b/README.md
@@ -138,6 +138,17 @@ curl --location --request DELETE 'https://shield.openfort.xyz/project/providers/
     }
   }
   ```
+- Custom provider also can work with a PEM and Key type ("rsa" or "ecdsa" or "ed25519")
+  ```json
+  {
+    "providers": {
+      "custom": {
+        "pem": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEVs/o5+uQbTjL3chynL4wXgUg2R9\nq9UU8I5mEovUf86QZ7kOBIjJwqnzD1omageEHWwHdBO6B+dFabmdT9POxg==\n-----END PUBLIC KEY-----",
+        "key_type": "ecdsa"
+      }
+    }
+  }
+  ```
 
 #### 8. Get Allowed Origins
 - **GET**: `https://shield.openfort.xyz/project/allowed-origins`

diff --git a/cmd/cli/api.go b/cmd/cli/api.go
@@ -1,6 +1,8 @@
 package cli
 
 import (
+	"errors"
+	"net/http"
 	"os"
 	"os/signal"
 	"sync"
@@ -43,7 +45,7 @@ func NewCmdServer() *cobra.Command {
 				wg.Done()
 			}()
 
-			if err = server.Start(cmd.Context()); err != nil {
+			if err = server.Start(cmd.Context()); err != nil && !errors.Is(err, http.ErrServerClosed) {
 				return err
 			}
 

diff --git a/internal/applications/projectapp/app.go b/internal/applications/projectapp/app.go
@@ -103,6 +103,10 @@ func (a *ProjectApplication) AddProviders(ctx context.Context, opts ...ProviderO
 		providers = append(providers, &provider.Provider{ProjectID: projectID, Type: provider.TypeOpenfort, Config: &provider.OpenfortConfig{PublishableKey: *cfg.openfortPublishableKey}})
 	}
 
+	if cfg.jwkURL != nil && cfg.pem != nil {
+		return nil, ErrJWKPemConflict
+	}
+
 	if cfg.jwkURL != nil {
 		prov, err := a.providerRepo.GetByProjectAndType(ctx, projectID, provider.TypeCustom)
 		if err != nil && !errors.Is(err, domain.ErrProviderNotFound) {
@@ -115,6 +119,18 @@ func (a *ProjectApplication) AddProviders(ctx context.Context, opts ...ProviderO
 		providers = append(providers, &provider.Provider{ProjectID: projectID, Type: provider.TypeCustom, Config: &provider.CustomConfig{JWK: *cfg.jwkURL}})
 	}
 
+	if cfg.pem != nil {
+		prov, err := a.providerRepo.GetByProjectAndType(ctx, projectID, provider.TypeCustom)
+		if err != nil && !errors.Is(err, domain.ErrProviderNotFound) {
+			a.logger.ErrorContext(ctx, "failed to get provider", logger.Error(err))
+			return nil, fromDomainError(err)
+		}
+		if err == nil && prov != nil {
+			return nil, ErrProviderAlreadyExists
+		}
+		providers = append(providers, &provider.Provider{ProjectID: projectID, Type: provider.TypeCustom, Config: &provider.CustomConfig{PEM: *cfg.pem, KeyType: cfg.keyType}})
+	}
+
 	if len(providers) == 0 {
 		return nil, ErrNoProviderSpecified
 	}
@@ -204,6 +220,22 @@ func (a *ProjectApplication) UpdateProvider(ctx context.Context, providerID stri
 			return fromDomainError(err)
 		}
 	}
+
+	if cfg.pem != nil {
+		if prov.Type != provider.TypeCustom {
+			return ErrProviderMismatch
+		}
+
+		if prov.Config.(*provider.CustomConfig).KeyType == provider.KeyTypeUnknown && cfg.keyType == provider.KeyTypeUnknown {
+			return ErrKeyTypeNotSpecified
+		}
+
+		err = a.providerRepo.UpdateCustom(ctx, &provider.CustomConfig{ProviderID: providerID, PEM: *cfg.pem, KeyType: cfg.keyType})
+		if err != nil {
+			a.logger.ErrorContext(ctx, "failed to update custom provider", logger.Error(err))
+			return fromDomainError(err)
+		}
+	}
 	return nil
 }
 

diff --git a/internal/applications/projectapp/app_test.go b/internal/applications/projectapp/app_test.go
@@ -206,7 +206,7 @@ func TestProjectApplication_AddProviders(t *testing.T) {
 			name: "success",
 			options: []ProviderOption{
 				WithOpenfort("publishableKey"),
-				WithCustom("ur"),
+				WithCustomJWK("ur"),
 			},
 			wantErr:       nil,
 			wantProviders: 2,
@@ -220,6 +220,21 @@ func TestProjectApplication_AddProviders(t *testing.T) {
 				providerRepo.On("CreateCustom", mock.Anything, mock.AnythingOfType("*provider.CustomConfig")).Return(nil)
 			},
 		},
+		{
+			name: "success with pem",
+			options: []ProviderOption{
+				WithCustomPEM("pem", provider.KeyTypeECDSA),
+			},
+			wantErr:       nil,
+			wantProviders: 1,
+			mock: func() {
+				projectRepo.ExpectedCalls = nil
+				providerRepo.ExpectedCalls = nil
+				providerRepo.On("GetByProjectAndType", mock.Anything, mock.Anything, provider.TypeCustom).Return(nil, domain.ErrProviderNotFound)
+				providerRepo.On("Create", mock.Anything, mock.AnythingOfType("*provider.Provider")).Return(nil)
+				providerRepo.On("CreateCustom", mock.Anything, mock.AnythingOfType("*provider.CustomConfig")).Return(nil)
+			},
+		},
 		{
 			name:    "no providers",
 			wantErr: ErrNoProviderSpecified,
@@ -243,7 +258,7 @@ func TestProjectApplication_AddProviders(t *testing.T) {
 		{
 			name: "custom provider already exists",
 			options: []ProviderOption{
-				WithCustom("ur"),
+				WithCustomJWK("ur"),
 			},
 			wantErr: ErrProviderAlreadyExists,
 			mock: func() {
@@ -252,6 +267,30 @@ func TestProjectApplication_AddProviders(t *testing.T) {
 				providerRepo.On("GetByProjectAndType", mock.Anything, mock.Anything, provider.TypeCustom).Return(&provider.Provider{}, nil)
 			},
 		},
+		{
+			name: "custom provider already exists",
+			options: []ProviderOption{
+				WithCustomPEM("pem", provider.KeyTypeECDSA),
+			},
+			wantErr: ErrProviderAlreadyExists,
+			mock: func() {
+				projectRepo.ExpectedCalls = nil
+				providerRepo.ExpectedCalls = nil
+				providerRepo.On("GetByProjectAndType", mock.Anything, mock.Anything, provider.TypeCustom).Return(&provider.Provider{}, nil)
+			},
+		},
+		{
+			name: "custom provider conflict config",
+			options: []ProviderOption{
+				WithCustomJWK("ur"),
+				WithCustomPEM("pem", provider.KeyTypeECDSA),
+			},
+			wantErr: ErrJWKPemConflict,
+			mock: func() {
+				projectRepo.ExpectedCalls = nil
+				providerRepo.ExpectedCalls = nil
+			},
+		},
 		{
 			name: "error getting openfort provider",
 			options: []ProviderOption{
@@ -267,7 +306,19 @@ func TestProjectApplication_AddProviders(t *testing.T) {
 		{
 			name: "error getting custom provider",
 			options: []ProviderOption{
-				WithCustom("ur"),
+				WithCustomJWK("ur"),
+			},
+			wantErr: ErrInternal,
+			mock: func() {
+				projectRepo.ExpectedCalls = nil
+				providerRepo.ExpectedCalls = nil
+				providerRepo.On("GetByProjectAndType", mock.Anything, mock.Anything, provider.TypeCustom).Return(nil, errors.New("repository error"))
+			},
+		},
+		{
+			name: "error getting custom provider",
+			options: []ProviderOption{
+				WithCustomPEM("pem", provider.KeyTypeECDSA),
 			},
 			wantErr: ErrInternal,
 			mock: func() {
@@ -280,7 +331,7 @@ func TestProjectApplication_AddProviders(t *testing.T) {
 			name: "error configuring provider",
 			options: []ProviderOption{
 				WithOpenfort("publishableKey"),
-				WithCustom("ur"),
+				WithCustomJWK("ur"),
 			},
 			wantErr: ErrInternal,
 			mock: func() {
@@ -496,7 +547,7 @@ func TestProjectApplication_UpdateProvider(t *testing.T) {
 		mock       func()
 	}{
 		{
-			name:       "success",
+			name:       "success openfort",
 			providerID: "provider-id",
 			wantErr:    nil,
 			mock: func() {
@@ -510,6 +561,29 @@ func TestProjectApplication_UpdateProvider(t *testing.T) {
 				WithOpenfort("publishable-key"),
 			},
 		},
+		{
+			name: "success custom jwk",
+			mock: func() {
+				projectRepo.ExpectedCalls = nil
+				providerRepo.ExpectedCalls = nil
+				providerRepo.On("Get", mock.Anything, mock.Anything).Return(customProvider, nil)
+				providerRepo.On("Update", mock.Anything, mock.Anything).Return(nil)
+				providerRepo.On("UpdateCustom", mock.Anything, mock.Anything).Return(nil)
+			},
+			options: []ProviderOption{
+				WithCustomJWK("url"),
+			},
+		},
+		{
+			name: "success custom pem",
+			mock: func() {
+				projectRepo.ExpectedCalls = nil
+				providerRepo.ExpectedCalls = nil
+				providerRepo.On("Get", mock.Anything, mock.Anything).Return(customProvider, nil)
+				providerRepo.On("Update", mock.Anything, mock.Anything).Return(nil)
+				providerRepo.On("UpdateCustom", mock.Anything, mock.Anything).Return(nil)
+			},
+		},
 		{
 			name:       "provider not found",
 			providerID: "provider-id",
@@ -562,7 +636,32 @@ func TestProjectApplication_UpdateProvider(t *testing.T) {
 				providerRepo.On("Get", mock.Anything, mock.Anything).Return(&provider.Provider{ProjectID: "project_id", Type: provider.TypeOpenfort}, nil)
 			},
 			options: []ProviderOption{
-				WithCustom("ur"),
+				WithCustomJWK("ur"),
+			},
+		},
+		{
+			name:    "error provider mismatch",
+			wantErr: ErrProviderMismatch,
+			mock: func() {
+				projectRepo.ExpectedCalls = nil
+				providerRepo.ExpectedCalls = nil
+				providerRepo.On("Get", mock.Anything, mock.Anything).Return(&provider.Provider{ProjectID: "project_id", Type: provider.TypeOpenfort}, nil)
+			},
+			options: []ProviderOption{
+				WithCustomPEM("pem", provider.KeyTypeECDSA),
+			},
+		},
+		{
+			name:       "error key not specified",
+			providerID: "provider-id",
+			wantErr:    ErrKeyTypeNotSpecified,
+			mock: func() {
+				projectRepo.ExpectedCalls = nil
+				providerRepo.ExpectedCalls = nil
+				providerRepo.On("Get", mock.Anything, mock.Anything).Return(&provider.Provider{ProjectID: "project_id", Type: provider.TypeCustom, Config: &provider.CustomConfig{}}, nil)
+			},
+			options: []ProviderOption{
+				WithCustomPEM("pem", provider.KeyTypeUnknown),
 			},
 		},
 		{
@@ -592,7 +691,22 @@ func TestProjectApplication_UpdateProvider(t *testing.T) {
 				providerRepo.On("UpdateCustom", mock.Anything, mock.Anything).Return(errors.New("repository error"))
 			},
 			options: []ProviderOption{
-				WithCustom("ur"),
+				WithCustomJWK("ur"),
+			},
+		},
+		{
+			name:       "error updating custom provider",
+			providerID: "provider-id",
+			wantErr:    ErrInternal,
+			mock: func() {
+				projectRepo.ExpectedCalls = nil
+				providerRepo.ExpectedCalls = nil
+				providerRepo.On("Get", mock.Anything, mock.Anything).Return(customProvider, nil)
+				providerRepo.On("Update", mock.Anything, mock.Anything).Return(nil)
+				providerRepo.On("UpdateCustom", mock.Anything, mock.Anything).Return(errors.New("repository error"))
+			},
+			options: []ProviderOption{
+				WithCustomPEM("pem", provider.KeyTypeECDSA),
 			},
 		},
 	}

diff --git a/internal/applications/projectapp/errors.go b/internal/applications/projectapp/errors.go
@@ -10,6 +10,7 @@ var (
 	ErrProjectNotFound             = errors.New("project not found")
 	ErrNoProviderSpecified         = errors.New("no provider specified")
 	ErrProviderMismatch            = errors.New("provider mismatch")
+	ErrKeyTypeNotSpecified         = errors.New("key type not specified")
 	ErrInvalidProviderConfig       = errors.New("invalid provider config")
 	ErrUnknownProviderType         = errors.New("unknown provider type")
 	ErrProviderAlreadyExists       = errors.New("custom authentication already registered for this project")
@@ -18,6 +19,7 @@ var (
 	ErrEncryptionPartAlreadyExists = errors.New("encryption part already exists")
 	ErrAllowedOriginNotFound       = errors.New("allowed origin not found")
 	ErrEncryptionNotConfigured     = errors.New("encryption not configured")
+	ErrJWKPemConflict              = errors.New("jwk and pem cannot be set at the same time")
 	ErrInternal                    = errors.New("internal error")
 )
 

diff --git a/internal/applications/projectapp/options.go b/internal/applications/projectapp/options.go
@@ -1,13 +1,22 @@
 package projectapp
 
+import "go.openfort.xyz/shield/internal/core/domain/provider"
+
 type ProviderOption func(*providerConfig)
 
-func WithCustom(url string) ProviderOption {
+func WithCustomJWK(url string) ProviderOption {
 	return func(c *providerConfig) {
 		c.jwkURL = &url
 	}
 }
 
+func WithCustomPEM(pem string, keyType provider.KeyType) ProviderOption {
+	return func(c *providerConfig) {
+		c.pem = &pem
+		c.keyType = keyType
+	}
+}
+
 func WithOpenfort(openfortProjectID string) ProviderOption {
 	return func(c *providerConfig) {
 		c.openfortPublishableKey = &openfortProjectID
@@ -16,6 +25,8 @@ func WithOpenfort(openfortProjectID string) ProviderOption {
 
 type providerConfig struct {
 	jwkURL                 *string
+	pem                    *string
+	keyType                provider.KeyType
 	openfortPublishableKey *string
 }
 

diff --git a/internal/core/domain/provider/customcfg.go b/internal/core/domain/provider/customcfg.go
@@ -3,4 +3,15 @@ package provider
 type CustomConfig struct {
 	ProviderID string
 	JWK        string
+	PEM        string
+	KeyType    KeyType
 }
+
+type KeyType int8
+
+const (
+	KeyTypeUnknown KeyType = iota
+	KeyTypeRSA
+	KeyTypeECDSA
+	KeyTypeEd25519
+)
diff --git a/internal/infrastructure/handlers/rest/api/errors.go b/internal/infrastructure/handlers/rest/api/errors.go
@@ -27,6 +27,7 @@ var (
 	ErrMissingProvider       = &Error{"Missing provider", http.StatusBadRequest}
 	ErrProviderNotFound      = &Error{"Provider not found", http.StatusNotFound}
 	ErrInvalidProviderConfig = &Error{"Invalid provider config", http.StatusBadRequest}
+	ErrMissingKeyType        = &Error{"Missing key type", http.StatusBadRequest}
 	ErrProviderAlreadyExists = &Error{"Custom authentication already registered for this project", http.StatusConflict}
 
 	ErrShareNotFound      = &Error{"Share not found", http.StatusNotFound}
@@ -37,6 +38,7 @@ var (
 	ErrExternalUserAlreadyExists   = &Error{"External user already exists", http.StatusConflict}
 	ErrEncryptionPartRequired      = &Error{"The requested share have project entropy and encryption part is required", http.StatusConflict}
 	ErrEncryptionNotConfigured     = &Error{"Encryption not configured", http.StatusConflict}
+	ErrJWKPemConflict              = &Error{"JWK and PEM cannot be set at the same time", http.StatusConflict}
 	ErrInvalidEncryptionPart       = &Error{"Invalid encryption part", http.StatusBadRequest}
 	ErrEncryptionPartAlreadyExists = &Error{"Encryption part already exists", http.StatusConflict}
 	ErrAllowedOriginNotFound       = &Error{"Allowed origin not found", http.StatusNotFound}

diff --git a/internal/infrastructure/handlers/rest/projecthdl/errors.go b/internal/infrastructure/handlers/rest/projecthdl/errors.go
@@ -18,6 +18,8 @@ func fromApplicationError(err error) *api.Error {
 		return api.ErrMissingProvider
 	case errors.Is(err, projectapp.ErrProviderMismatch):
 		return api.ErrInvalidProviderConfig
+	case errors.Is(err, projectapp.ErrKeyTypeNotSpecified):
+		return api.ErrMissingKeyType
 	case errors.Is(err, projectapp.ErrInvalidProviderConfig):
 		return api.ErrInvalidProviderConfig
 	case errors.Is(err, projectapp.ErrUnknownProviderType):
@@ -34,6 +36,8 @@ func fromApplicationError(err error) *api.Error {
 		return api.ErrAllowedOriginNotFound
 	case errors.Is(err, projectapp.ErrEncryptionNotConfigured):
 		return api.ErrEncryptionNotConfigured
+	case errors.Is(err, projectapp.ErrJWKPemConflict):
+		return api.ErrJWKPemConflict
 	default:
 		return api.ErrInternal
 	}