diff --git a/config/sys.config b/config/sys.config index 03f9d24..a5b2fe0 100644 --- a/config/sys.config +++ b/config/sys.config @@ -84,23 +84,13 @@ %% Configuration for how to extract said context methods => [ %% Create bouncer context from various legacy data the token has to offer - %% Avaiable options are: `phony_api_key`, `user_session_token`, - %% `invoice_template_access_token`, `detect_token` + %% Avaiable options are: `user_session_token`, `detect_token` %% - `user_session_token` requires `user_realm` option to be set - %% - `invoice_template_access_token` requires - %% `domain` option to be set (refer to legacy uac auth options) %% - `detect_token` tries to determine wether the token is an - %% `phony_api_key` or `user_session_token` based on token's source context and + %% `user_session_token` based on token's source context and %% `user_session_token_origins` option %% ALL extractor types require `metadata_ns` to be set {detect_token, #{ - %% phony_api_key options to use (can be used standalone) - phony_api_key_opts => #{ - %% Where to put metadata - metadata_mappings => #{ - party_id => <<"test.rbkmoney.party.id">> - } - }, %% user_session_token options to use (can be used standalone) user_session_token_opts => #{ %% Realm of the user diff --git a/src/tk_blacklist.erl b/src/tk_blacklist.erl index e71fb24..49304d5 100644 --- a/src/tk_blacklist.erl +++ b/src/tk_blacklist.erl @@ -5,7 +5,6 @@ %% API -export([is_blacklisted/2]). --export([is_user_blacklisted/2]). %% Supervisor callbacks @@ -24,7 +23,6 @@ %% -define(TAB, ?MODULE). --define(USER_TAB, user_blacklist). %% 
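Review bot: The rewritten option list keeps the misspelling in the new line `%% Avaiable options are: `user_session_token`, `detect_token``; since the line is being rewritten anyway, make it `%% Available options are: `user_session_token`, `detect_token``. The adjacent `detect_token` sentence now reads "tries to determine wether the token is an `user_session_token`", which with a single remaining candidate is clearer as `%% - `detect_token` tries to determine whether the token is a `user_session_token` based on token's source context and`. The `detect_token` option map continues past the end of the hunk.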
@@ -40,16 +38,11 @@ child_spec(Options) -> is_blacklisted(TokenID, AuthorityID) -> check_entry(?TAB, {AuthorityID, TokenID}). --spec is_user_blacklisted(binary(), tk_token:authority_id()) -> boolean(). -is_user_blacklisted(UserID, AuthorityID) -> - check_entry(?USER_TAB, {AuthorityID, UserID}). - %% -spec init(options()) -> {ok, {supervisor:sup_flags(), [supervisor:child_spec()]}}. init(Options) -> _ = init_tab(?TAB), - _ = init_tab(?USER_TAB), _ = load_blacklist_conf(maps:get(path, Options, undefined)), {ok, {#{}, []}}. @@ -57,7 +50,6 @@ init_tab(Name) -> ets:new(Name, [set, protected, named_table, {read_concurrency, true}]). -define(ENTRIES_KEY, "entries"). --define(USER_ENTRIES_KEY, "user_entries"). load_blacklist_conf(undefined) -> _ = logger:warning("No token blacklist file specified! Blacklisting functionality will be disabled."), @@ -65,9 +57,7 @@ load_blacklist_conf(undefined) -> load_blacklist_conf(Filename) -> [Mappings] = yamerl_constr:file(Filename), Entries = process_entries(proplists:get_value(?ENTRIES_KEY, Mappings)), - put_entires(?TAB, Entries), - UserEntries = process_entries(proplists:get_value(?USER_ENTRIES_KEY, Mappings, [])), - put_entires(?USER_TAB, UserEntries). + put_entires(?TAB, Entries). process_entries(Entries) -> lists:foldl( diff --git a/src/tk_context_extractor.erl b/src/tk_context_extractor.erl index f6b4541..5e17e9b 100644 --- a/src/tk_context_extractor.erl +++ b/src/tk_context_extractor.erl @@ -13,7 +13,6 @@ -type methods() :: [method_opts()]. -type method_opts() :: {detect_token, tk_context_extractor_detect_token:opts()} - | {phony_api_key, tk_context_extractor_phony_api_key:opts()} | {user_session_token, tk_context_extractor_user_session_token:opts()}. -type extracted_context() :: {context_fragment(), tk_authdata:metadata() | undefined}. 
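Review bot: The new line `put_entires(?TAB, Entries).` in `load_blacklist_conf/1` carries the misspelled helper name forward; since this call is already being rewritten, renaming it (and its definition, which lies outside the hunk) to `put_entries` would be cheap. Note also that the surviving lookup `proplists:get_value(?ENTRIES_KEY, Mappings)` has no default while the removed `user_entries` lookup defaulted to `[]`, so a blacklist file without an `entries` key now reaches `process_entries(undefined)` and would crash in `lists:foldl/3` during `init/1`. If an empty blacklist is meant to be legal, `proplists:get_value(?ENTRIES_KEY, Mappings, [])` keeps startup deterministic; otherwise a short comment stating that a missing key is a fatal misconfiguration would make the intent explicit. `process_entries/1` continues past the end of the hunk.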
@@ -27,7 +26,6 @@ -type context_fragment() :: bouncer_context_helpers:context_fragment(). -type opts() :: tk_context_extractor_detect_token:opts() - | tk_context_extractor_phony_api_key:opts() | tk_context_extractor_user_session_token:opts(). %% API functions @@ -35,9 +33,9 @@ -spec extract_context(method_opts(), token_data()) -> extracted_context() | undefined. extract_context({detect_token, Opts}, TokenData) -> tk_context_extractor_detect_token:extract_context(TokenData, Opts); -extract_context({phony_api_key, Opts}, TokenData) -> - tk_context_extractor_phony_api_key:extract_context(TokenData, Opts); +extract_context({phony_api_key, _}, _TokenData) -> + %% NOTE This clause is left behind as a fallback placeholder in place of + %% now-removed phony api key detection. + undefined; extract_context({user_session_token, Opts}, TokenData) -> tk_context_extractor_user_session_token:extract_context(TokenData, Opts). - -%% Internal functions diff --git a/src/tk_context_extractor_detect_token.erl b/src/tk_context_extractor_detect_token.erl index fc104d1..fe8bfc9 100644 --- a/src/tk_context_extractor_detect_token.erl +++ b/src/tk_context_extractor_detect_token.erl @@ -8,7 +8,6 @@ %% API Types -type opts() :: #{ - phony_api_key_opts := tk_context_extractor_phony_api_key:opts(), user_session_token_opts := tk_context_extractor_user_session_token:opts(), user_session_token_origins := list(binary()) }. @@ -42,5 +41,5 @@ make_method_opts(TokenType, Opts) -> get_opts(user_session_token, #{user_session_token_opts := Opts}) -> Opts; -get_opts(phony_api_key, #{phony_api_key_opts := Opts}) -> - Opts. +get_opts(phony_api_key, _) -> + undefined. diff --git a/src/tk_context_extractor_phony_api_key.erl b/src/tk_context_extractor_phony_api_key.erl deleted file mode 100644 index d6ef6e1..0000000 --- a/src/tk_context_extractor_phony_api_key.erl +++ /dev/null 
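Review bot: The retained clause `extract_context({phony_api_key, _}, _TokenData) -> undefined` no longer matches the `method_opts()` type, which this commit narrows to `detect_token | user_session_token`, so `-spec extract_context(method_opts(), token_data())` now describes a domain from which the clause cannot be reached and Dialyzer is likely to flag the pattern as unmatchable. The companion hunk in tk_context_extractor_detect_token.erl keeps `get_opts(phony_api_key, _) -> undefined.`, feeding `make_method_opts/2` (whose body lies outside that hunk), so detection presumably can still classify a token as `phony_api_key`; either add `| {phony_api_key, undefined}` back to `method_opts()` or drop that detection outcome so the placeholder is unnecessary. Returning `undefined` silently also hides the case in production; a one-line `_ = logger:warning("phony_api_key method is no longer supported, returning no context"),` before `undefined;` makes a stale configuration or detection path observable in logs.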
@@ -1,81 +0,0 @@ --module(tk_context_extractor_phony_api_key). --behaviour(tk_context_extractor). - --export([extract_context/2]). - -%% - --type opts() :: #{ - metadata_mappings := #{ - party_id := binary() - } -}. - --export_type([opts/0]). - -%% - --define(CLAIM_PARTY_ID, <<"sub">>). - -%% API functions - --spec extract_context(tk_token:token_data(), opts()) -> tk_context_extractor:extracted_context() | undefined. -extract_context(#{id := TokenID, payload := Payload} = TokenData, Opts) -> - case extract_party_data(Payload) of - {ok, PartyID} -> - case check_blacklist(PartyID, TokenData) of - ok -> - create_context_and_metadata(TokenID, PartyID, Opts); - {error, blacklisted} -> - _ = logger:warning("phony_api_key context was extract, but it blacklisted for user id: ~p", [ - PartyID - ]), - undefined - end; - {error, Reason} -> - _ = logger:warning("Could not extract phony_api_key context, reason: ~p", [Reason]), - undefined - end. - -%% - -check_blacklist(PartyID, #{authority_id := AuthorityID}) -> - case tk_blacklist:is_user_blacklisted(PartyID, AuthorityID) of - false -> - ok; - true -> - {error, blacklisted} - end. - -create_context_and_metadata(TokenID, PartyID, Opts) -> - { - create_context(TokenID, PartyID), - wrap_metadata( - create_metadata(PartyID), - Opts - ) - }. - -extract_party_data(#{ - ?CLAIM_PARTY_ID := PartyID -}) -> - {ok, PartyID}; -extract_party_data(_) -> - {error, {missing, ?CLAIM_PARTY_ID}}. - -create_context(TokenID, PartyID) -> - bouncer_context_helpers:add_auth( - #{ - method => <<"ApiKeyToken">>, - token => #{id => TokenID}, - scope => [#{party => #{id => PartyID}}] - }, - bouncer_context_helpers:empty() - ). - -create_metadata(PartyID) -> - #{party_id => PartyID}. - -wrap_metadata(Metadata, Opts) -> - Mappings = maps:get(metadata_mappings, Opts), - tk_utils:remap(genlib_map:compact(Metadata), Mappings). diff --git a/test/token_keeper_SUITE.erl b/test/token_keeper_SUITE.erl index 3ca36d0..2f80df0 100644 --- a/test/token_keeper_SUITE.erl 
+++ b/test/token_keeper_SUITE.erl @@ -22,14 +22,13 @@ -export([authenticate_invalid_token_key_fail/1]). -export([authenticate_no_payload_claims_fail/1]). -export([authenticate_user_session_token_no_payload_claims_fail/1]). --export([authenticate_phony_api_key_token_ok/1]). +-export([authenticate_user_session_token_not_detected/1]). -export([authenticate_user_session_token_ok/1]). -export([authenticate_user_session_token_w_exp_ok/1]). -export([authenticate_user_session_token_no_exp_fail/1]). -export([authenticate_user_session_token_w_resource_access/1]). -export([authenticate_blacklisted_jti_fail/1]). -export([authenticate_non_blacklisted_jti_ok/1]). --export([authenticate_blacklisted_user_fail/1]). -export([authenticate_ephemeral_claim_token_ok/1]). -export([issue_ephemeral_token_ok/1]). -export([authenticate_offline_token_not_found_fail/1]). @@ -98,7 +97,7 @@ groups() -> authenticate_invalid_token_key_fail, authenticate_no_payload_claims_fail, authenticate_user_session_token_no_payload_claims_fail, - authenticate_phony_api_key_token_ok, + authenticate_user_session_token_not_detected, authenticate_user_session_token_ok, authenticate_user_session_token_w_exp_ok, authenticate_user_session_token_no_exp_fail, @@ -130,8 +129,7 @@ groups() -> ]}, {blacklist, [parallel], [ authenticate_blacklisted_jti_fail, - authenticate_non_blacklisted_jti_ok, - authenticate_blacklisted_user_fail + authenticate_non_blacklisted_jti_ok ]} ]. 
@@ -441,21 +439,17 @@ authenticate_no_payload_claims_fail(C) -> Token = issue_token(Claims, C), ?assertThrow(#token_keeper_AuthDataNotFound{}, call_authenticate(Token, ?TOKEN_SOURCE_CONTEXT, C)). --spec authenticate_phony_api_key_token_ok(config()) -> _. -authenticate_phony_api_key_token_ok(C) -> +-spec authenticate_user_session_token_not_detected(config()) -> _. +authenticate_user_session_token_not_detected(C) -> JTI = unique_id(), SubjectID = unique_id(), - Claims = get_phony_api_key_claims(JTI, SubjectID), + SubjectEmail = <<"test@test.test">>, + Claims = get_user_session_token_claims(JTI, 0, SubjectID, SubjectEmail), Token = issue_token(Claims, C), - #token_keeper_AuthData{ - id = undefined, - token = Token, - status = active, - context = Context, - metadata = #{?META_PARTY_ID := SubjectID}, - authority = ?TK_AUTHORITY_KEYCLOAK - } = call_authenticate(Token, ?TOKEN_SOURCE_CONTEXT, C), - _ = assert_context({api_key_token, #{jti => JTI, subject_id => SubjectID}}, Context). + ?assertThrow( + #token_keeper_AuthDataNotFound{}, + call_authenticate(Token, ?TOKEN_SOURCE_CONTEXT, C) + ). -spec authenticate_user_session_token_ok(config()) -> _. authenticate_user_session_token_ok(C) -> 
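Review bot: `SubjectEmail = <<"test@test.test">>` is introduced here and repeated verbatim in the two blacklist tests rewritten in the @@ -556 hunk (`authenticate_blacklisted_jti_fail`, `authenticate_non_blacklisted_jti_ok`); a module-level `-define(SUBJECT_EMAIL, <<"test@test.test">>).` or a small helper building the user session claims from just JTI and SubjectID would keep the three cases in step. The `0` passed as `Exp` to `get_user_session_token_claims/4` also reads as a magic value; if it means "no expiry", a named binding such as `NoExp = 0` would say so.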
@@ -556,25 +550,21 @@ authenticate_user_session_token_no_payload_claims_fail(C) -> authenticate_blacklisted_jti_fail(C) -> JTI = <<"MYCOOLKEY">>, SubjectID = unique_id(), - Claims = get_phony_api_key_claims(JTI, SubjectID), + SubjectEmail = <<"test@test.test">>, + Claims = get_user_session_token_claims(JTI, 0, SubjectID, SubjectEmail), Token = issue_token_with(Claims, get_filename("keys/local/private.pem", C)), - ?assertThrow(#token_keeper_AuthDataRevoked{}, call_authenticate(Token, ?TOKEN_SOURCE_CONTEXT, C)). + ?assertThrow( + #token_keeper_AuthDataRevoked{}, call_authenticate(Token, ?TOKEN_SOURCE_CONTEXT(?USER_TOKEN_SOURCE), C) + ). -spec authenticate_non_blacklisted_jti_ok(config()) -> _. authenticate_non_blacklisted_jti_ok(C) -> JTI = <<"MYCOOLKEY">>, SubjectID = unique_id(), - Claims = get_phony_api_key_claims(JTI, SubjectID), + SubjectEmail = <<"test@test.test">>, + Claims = get_user_session_token_claims(JTI, 0, SubjectID, SubjectEmail), Token = issue_token_with(Claims, get_filename("keys/secondary/private.pem", C)), - ?assertMatch(#token_keeper_AuthData{}, call_authenticate(Token, ?TOKEN_SOURCE_CONTEXT, C)). - --spec authenticate_blacklisted_user_fail(config()) -> _. -authenticate_blacklisted_user_fail(C) -> - JTI = unique_id(), - SubjectID = <<"PARTYID">>, - Claims = get_phony_api_key_claims(JTI, SubjectID), - Token = issue_token_with(Claims, get_filename("keys/local/private.pem", C)), - ?assertThrow(#token_keeper_AuthDataNotFound{}, call_authenticate(Token, ?TOKEN_SOURCE_CONTEXT, C)). + ?assertMatch(#token_keeper_AuthData{}, call_authenticate(Token, ?TOKEN_SOURCE_CONTEXT(?USER_TOKEN_SOURCE), C)). -spec authenticate_ephemeral_claim_token_ok(config()) -> _. authenticate_ephemeral_claim_token_ok(C) -> 
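Review bot: Both rewritten assertions now need `?TOKEN_SOURCE_CONTEXT(?USER_TOKEN_SOURCE)` to observe `#token_keeper_AuthDataRevoked{}` and `#token_keeper_AuthData{}`, while the new `authenticate_user_session_token_not_detected` case shows the same claims under plain `?TOKEN_SOURCE_CONTEXT` end in `#token_keeper_AuthDataNotFound{}`; this suggests the blacklist verdict is only reported once context extraction succeeds. It would be worth pinning with one more case in the `blacklist` group that issues the `<<"MYCOOLKEY">>` token with the local key and asserts it is rejected under `?TOKEN_SOURCE_CONTEXT` as well (whichever exception that path raises), so a future reordering of detection and blacklist checks cannot let a revoked token authenticate unnoticed.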
@@ -746,9 +736,6 @@ get_base_claims(JTI, Exp) -> <<"exp">> => Exp }. -get_phony_api_key_claims(JTI, SubjectID) -> - maps:merge(#{<<"sub">> => SubjectID}, get_base_claims(JTI)). - get_user_session_token_claims(JTI, Exp, SubjectID, SubjectEmail) -> get_user_session_token_claims(JTI, Exp, SubjectID, SubjectEmail, undefined). @@ -855,10 +842,6 @@ assert_context(TokenInfo, EncodedContextFragment) -> assert_auth({claim_token, #{jti := JTI}}, Auth) -> ?assertEqual(<<"ClaimToken">>, Auth#ctx_v1_Auth.method), ?assertMatch(#ctx_v1_Token{id = JTI}, Auth#ctx_v1_Auth.token); -assert_auth({api_key_token, #{jti := JTI, subject_id := SubjectID}}, Auth) -> - ?assertEqual(<<"ApiKeyToken">>, Auth#ctx_v1_Auth.method), - ?assertMatch(#ctx_v1_Token{id = JTI}, Auth#ctx_v1_Auth.token), - ?assertMatch([#ctx_v1_AuthScope{party = ?CTX_ENTITY(SubjectID)}], Auth#ctx_v1_Auth.scope); assert_auth({user_session_token, #{jti := JTI} = TokenInfo}, Auth) -> ?assertEqual(<<"SessionToken">>, Auth#ctx_v1_Auth.method), Exp = maps:get(exp, TokenInfo, undefined), @@ -880,8 +863,6 @@ assert_auth({user_session_token, #{jti := JTI} = TokenInfo}, Auth) -> assert_user({claim_token, _}, undefined) -> ok; -assert_user({api_key_token, _}, undefined) -> - ok; assert_user({user_session_token, #{subject_id := SubjectID, subject_email := SubjectEmail}}, User) -> ?assertEqual(SubjectID, User#ctx_v1_User.id), ?assertEqual(SubjectEmail, User#ctx_v1_User.email), @@ -961,11 +942,6 @@ extract_method_detect_token() -> {extract_context, #{ methods => [ {detect_token, #{ - phony_api_key_opts => #{ - metadata_mappings => #{ - party_id => ?META_PARTY_ID - } - }, user_session_token_opts => #{ user_realm => <<"external">>, metadata_mappings => #{ diff --git a/test/token_keeper_SUITE_data/blacklisted_keys.yaml b/test/token_keeper_SUITE_data/blacklisted_keys.yaml index ced63c2..6fadd1d 100644 --- a/test/token_keeper_SUITE_data/blacklisted_keys.yaml +++ b/test/token_keeper_SUITE_data/blacklisted_keys.yaml 
@@ -1,6 +1,3 @@ entries: blacklisting_authority: - "MYCOOLKEY" -user_entries: - blacklisting_authority: - - "PARTYID" \ No newline at end of file