The claims check in the auth middleware was switched around: in effect,
it checked that we did not receive _more_ than we asked for, rather than
checking we receive _at least_ what we asked for.
Of course this would still not let anyone run any trigger without the
proper access token, but it would let people list running triggers and
request (or stop) trigger executions.
CHANGELOG_BEGIN
- Fix a bug in the auth middleware where insufficient credentials could
still give access to list of running triggers.
CHANGELOG_END
* Do not require redirect URI upfront
changelog_begin
changelog_end
This allows users to configure the redirect URI after the middleware
client binding occurred such that dynamic port selection can be taken
into account.
* Use port 0 in trigger service fixture
changelog_begin
changelog_end
* Update triggers/service/auth/src/test/scala/com/daml/auth/middleware/oauth2/TestMiddleware.scala
Co-authored-by: Stefano Baghino <43749967+stefanobaghino-da@users.noreply.github.com>
* Update triggers/service/auth/src/test/scala/com/daml/auth/middleware/oauth2/TestMiddleware.scala
Co-authored-by: Stefano Baghino <43749967+stefanobaghino-da@users.noreply.github.com>
* Update triggers/service/auth/src/test/scala/com/daml/auth/middleware/oauth2/TestMiddleware.scala
Co-authored-by: Stefano Baghino <43749967+stefanobaghino-da@users.noreply.github.com>
* Update triggers/service/auth/src/test/scala/com/daml/auth/middleware/oauth2/TestMiddleware.scala
Co-authored-by: Stefano Baghino <43749967+stefanobaghino-da@users.noreply.github.com>
* Update triggers/service/auth/src/test/scala/com/daml/auth/middleware/oauth2/TestMiddleware.scala
Co-authored-by: Stefano Baghino <43749967+stefanobaghino-da@users.noreply.github.com>
Co-authored-by: Andreas Herrmann <andreas.herrmann@tweag.io>
Co-authored-by: Stefano Baghino <43749967+stefanobaghino-da@users.noreply.github.com>
* check whether collection.compat is unused when compiling for Scala 2.12
- Instead of always suppressing warnings for collection.compat._,
we should only do it for Scala 2.13
- We can also reduce boilerplate by automatically adding this
option when both silencer_plugin and collection-compat are
present
CHANGELOG_BEGIN
CHANGELOG_END
* remove unused import
* remove another unused import
* remove even more unused imports
* missed compat dependency
* more missed compat dependencies
* missed compat dependency
* use scala_deps in scaladoc_jar
- #8423 inlined the major version expansion, but this seems to
have been prior to proper support by scaladoc_jar
* restore custom handling of participant-integration-api
- fixing scaladoc_jar isn't worth it for a single case, as with
deps vs scala_deps
* Switch from `@silent` to `@nowarn`.
This annotation is native to Scala 2.12.13+ and 2.13.2+. It replaces
most usages of `@silent`.
I had to get creative about a couple of use cases that didn't work.
Specifically:
1. Suppressing deprecation warnings works, but Scala 2.12 erroneously
complains that the `@nowarn` is unnecessary. I had to suppress
this warning too with `-Ywarn-unused:-nowarn`.
2. I can't seem to suppress the warning, "The outer reference in this
type test cannot be checked at run time." Instead, I have
refactored the code to remove the warning.
We still need to use the silencer plugin to suppress some warnings about
unused imports (because of compatibility between Scala 2.12 and 2.13),
but this means we no longer need the library, and therefore it is not a
transitive dependency that downstream consumers need to worry about.
CHANGELOG_BEGIN
CHANGELOG_END
* Add some comments around `@nowarn` support.
* language-support/scala: Fix a warning suppression.
* Revert to the default warnings.
Compatibility was complaining.
* Use cliopts.Http for OAuth 2.0 middleware
changelog_begin
- [OAuth 2.0 Middleware] You can now configure the address that the
middleware listens to using the ``--address`` flag.
The port that the middleware listens to is now configured using the
``--http-port`` flag, use 0 to dynamically choose a free port.
You can now configure a port file where the chosen port will be
written to using the ``--port-file`` flag.
changelog_end
* Add test-case for OAuth 2.0 middleware port file
* Don't forget to close source
* Fix integration test
* Update triggers/service/auth/src/main/scala/com/daml/auth/middleware/oauth2/Config.scala
Co-authored-by: Moritz Kiefer <moritz.kiefer@purelyfunctional.org>
Co-authored-by: Andreas Herrmann <andreas.herrmann@tweag.io>
Co-authored-by: Moritz Kiefer <moritz.kiefer@purelyfunctional.org>
* add livez endpoint to auth middleware
* Add OAuth 2.0 middleware to Daml SDK
* unhide trigger service auth flags
changelog_begin
- [Triggers] The trigger service now supports authorization through an
auth middleware. The feature is enabled using the `--auth` and
`--auth-callback` command-line flags. Please refer to the
Authorization chapter of the trigger service documentation for further
instructions.
- [OAuth 2.0 middleware] Daml Connect now includes an implementation of
the auth middleware API that supports OAuth 2.0 Authorization Code
Grant. Please refer to the Auth Middleware and OAuth 2.0 Auth
Middleware chapters of the documentation.
changelog_end
* drop early access flag on triggers
Daml triggers, the trigger service, and the auth middleware are no
longer marked as early access features.
changelog_begin
- [Triggers] Daml Triggers and the Trigger Service are no longer in
early access status.
changelog_end
Co-authored-by: Andreas Herrmann <andreas.herrmann@tweag.io>
* Include auth challenge in response body
changelog_begin
changelog_end
Some browsers make it difficult to access the `WWW-Authenticate`
response header from Javascript. For example, Firefox 84.0.2 (64-bit) on
Linux does not expose the `WWW-Authenticate` header in the result of the
`fetch` function, independent of the server's access control headers.
In that case the header is only accessible through the `XMLHttpRequest`
API, which is more cumbersome to use.
This adds the challenge to the response body in JSON format as well to
avoid exposing users to any such browser related issues.
* Make Secure Set-Cookie attribute configurable
changelog_begin
changelog_end
Since Chrome 80 Set-Cookie with the Secure attribute enabled is rejected
for connections that don't use https [1]. This includes localhost.
Firefox, at least as of version 84.0.2, allows such cookies on
localhost.
This adds a command-line flag to the authorization middleware to make
the value of the Secure attribute configurable. This way it can be
disabled for development purposes.
[1]: https://blog.chromium.org/2019/10/developers-get-ready-for-new.html
* Expand description on --cookie-secure flag
* Fix TriggerServiceFixture
* Fix middleware TestFixture
Co-authored-by: Andreas Herrmann <andreas.herrmann@tweag.io>
* Don't always redirect to /login automatically
The redirect mode can be configured to never redirect, always redirect,
or redirect based on the request type (redirect for text/html).
In case of no redirect the auth middleware client will reply with 401
Unauthorized with a custom WWW-Authenticate challenge to login on the
auth middleware.
* Make login to redirect configurable on trigger service
By default the trigger service will redirect for HTML requests and not
redirect for JSON requests. The test suite uses automatic redirect as
the OAuth2 test server works without user interaction.
changelog_begin
changelog_end
* Preserve path and query in authMiddlewareUri
This is necessary if the auth middleware lies behind a reverse proxy
with a path prefix or a similar setup.
* Bump default auth middleware login timeout
One minute was to short for a login cycle that requires manual user
input.
* Set token cookie properties
`path = "/"` is required so that the `/login` endpoint can reliably
override the cookie value for other endoints such as `/cb` or
`/v1/triggers`.
* Test redirectToLogin modes
* Redirect on HTML
https://github.com/digital-asset/daml/pull/8532#discussion_r559368335
* Use pass/reject in onRedirectToLogin
8db2bff9af (r559370308)
* default login timeout 5min
https://github.com/digital-asset/daml/pull/8532#discussion_r559535511
Co-authored-by: Andreas Herrmann <andreas.herrmann@tweag.io>
* Use ActorSystem and ExecutionContext from RequestContext
* Factor out middleware server class
To avoid passing around config and state manually.
changelog_begin
changelog_end
* Depend on databricks/sjsonnet
changelog_begin
changelog_end
* Generate request params from jsonnet template
changelog_begin
changelog_end
* Split middleware test suite sources
* Add test suite for request templates
* fmt
* TriggerServiceFixture template arguments
* Use null to indicate missing applicationId claim
Addressing
https://github.com/digital-asset/daml/pull/8453/files#r555025173
* Fix invalid path on Windows
* Close request template source
* Avoid repeated re-reading of Jsonnet files
https://github.com/digital-asset/daml/pull/8453/files#r555044262
* Factor out template argument mappings
* factor out template error handling
Co-authored-by: Andreas Herrmann <andreas.herrmann@tweag.io>
This PR updates scalafmt and enables trailingCommas =
multiple. Unfortunately, scalafmt broke the version field which means
we cannot fully preserve the rest of the config. I’ve made some
attempts to stay reasonably close to the original config but couldn’t
find an exact equivalent in a lot of cases. I don’t feel strongly
about any of the settings so happy to change them to something else.
As announced, this will be merged on Saturday to avoid too many conflicts.
changelog_begin
changelog_end
* Replace many occurrences of DAML with Daml
* Update docs logo
* A few more CLI occurrences
CHANGELOG_BEGIN
- Change DAML capitalization and docs logo
CHANGELOG_END
* Fix some over-eager replacements
* A few mor occurrences in md files
* Address comments in *.proto files
* Change case in comments and strings in .ts files
* Revert changes to frozen proto files
* Also revert LF 1.11
* Update get-daml.sh
* Update windows installer
* Include .py files
* Include comments in .daml files
* More instances in the assistant CLI
* some more help texts
* Bounded auth middleware client callback store
changelog_begin
changelog_end
* Json format for login response
* Add middleware client binding to test fixture
* Test middleware client callback store size
* Make max auth callbacks and timeout configurable on trigger service
changelog_begin
changelog_end
* Bounded pending login requests at auth middleware
* Make max logins and timeout configurable on middleware
* Test middleware login store size
* fmt
* Fix Windows
failed with `"localhost" != "127.0.0.1"`. Hardcode "localhost" to avoid
platform specific resolution.
* Use FiniteDuration for login timeout
* Respond with 503 on full login request store
Addresses https://github.com/digital-asset/daml/pull/8351#pullrequestreview-560859604
* Add tests for RequestStore
* Lower DefaultMaxLoginRequests
b48050eb91 (r552649275)
Co-authored-by: Andreas Herrmann <andreas.herrmann@tweag.io>
* Make middleware callback URI configurable
changelog_begin
changelog_end
* Make trigger service callback URI configurable
changelog_begin
changelog_end
Co-authored-by: Andreas Herrmann <andreas.herrmann@tweag.io>
* Extract actor system and execution context from request context
* Extract actor system and execution context from request context
* Extract actor system, materializer, and execution context from request context
changelog_begin
changelog_end
Co-authored-by: Andreas Herrmann <andreas.herrmann@tweag.io>
* Factor out authorization middleware client
changelog_begin
changelog_end
* Factor out token refresh
* Factor out auth request
* Factor out auth middleware URIs
* factor out auth directive
* Factor out login directive
* Add login response type to api library
* Allow error handling in login callback
* Factor error handling out of authorize directive
* Move tagged token types into middleware api
* Factor out the auth middleware client
* Dedicated exception types in middleware client
* Handle auth middleware client exception
Restores the behavior of authorize before factoring out the client
* expose middleware URIs
* Use the middleware client in the middleware tests
* Use localhost/CALLBACK in testing
https://github.com/digital-asset/daml/pull/8244#discussion_r540328001
Co-authored-by: Andreas Herrmann <andreas.herrmann@tweag.io>
* Middleware test resources
- Make OAuthServer accessible
- Don't access suiteResource directly in the test-suite
* OAuth2 test server test resources
- Make Server accessible
- Don't access suiteResource directly in the test-suite
* Use a deny list in OAuth2 test server
It is simpler to configure a set of disallowed parties and extend it on
demand than switching between blanket approval and allow list modes.
changelog_begin
changelog_end
* Handle admin claims in test server
Requests with admin claims are granted by default and denied if admin
requests have been disallowed.
* reset admin state in test fixtures
* test admin tokens in OAuth2 test server
* test admin claims in OAuth2 middleware
Co-authored-by: Andreas Herrmann <andreas.herrmann@tweag.io>
This is necessary to at least attempt an upgrade to 2.13 and
generally, I want to keep our rulesets up2date. rules-scala forces the
version of scalatest so we have to bump that at the same time.
This requires changes to basically all Scala test suites since the
import structure has changed and a bunch of things (primarily
scalacheck support) got split out.
Apologies for the giant PR, I don’t see a way to keep it smaller.
changelog_begin
changelog_end
* Rename and separate auth targets and packages
Split out the API types `Request`/`Response` into their own Bazel
targets, so that the trigger service does not have to depend on the full
middleware and OAuth2 test server targets.
Also rename packages: Generic auth code goes into `com.daml.auth`,
OAuth2 specific code goes into `com.daml.auth.oauth2` or
`com.daml.auth.middleware.oauth2`.
changelog_begin
changelog_end
* Remove empty test-case
This is a left-over from #7226.
Co-authored-by: Andreas Herrmann <andreas.herrmann@tweag.io>
* Enable adjustable clock in trigger service tests
changelog_begin
changelog_end
* Test user side token expiry
* Test service side token refresh
* Use AccessToken wrapper in TriggerRunnerImpl
* Store refresh token in trigger DB
* add refresh token to trigger runner config
* TriggerTokenExpired message to server
* TriggerTokenRefresh message to server
* refresh trigger token and update db
* Restart trigger with fresh token
* Test second token expiry
* Refresh token on running trigger
changelog_begin
* [Triggers] UNAUTHENTICATED errors will now terminate the trigger.
These errors are no longer available for handling in the trigger DAML
code. Instead, they are forwarded to the trigger service for handling,
e.g. access token refresh.
changelog_end
* todo note
* Move triggerRunnerName and getRunner into object
* Factor out token refresh
* Factor out getActiveContracts
* factor out create command
* Add logging to token refresh
* Handle token expiry in TriggerRunner
TriggerRunnerImpl throws a dedicated exception when it fails on an
expired access token (any unauthenticated error to be precise).
The TriggerRunner supervisor reacts to this child failure by
requesting a token refresh and restart on the trigger server and
stopping itself.
The trigger server requests a new access and refresh token on the auth
middleware and restarts the trigger.
This works around an issue with actor supervisors in akka-actor-typed.
A stop supervisor wrapped within a restart supervisor will not cause a
stop as expected. Instead, the restart supervisor will trigger as well
and restart the actor. The work around uses a custom behavior
interceptor to emulate the appropriate stop supervisors as closely as
possible. We cannot properly emulate ChildFailed signals this way, so
we use dedicated messages intead.
* throw --> Future.failedo
* getOrFail helper
Co-authored-by: Andreas Herrmann <andreas.herrmann@tweag.io>
* Upgrade akka-http to 10.2
Follow up to #8048, I left out this upgrade to reduce noise and since
I wasn’t quite sure how involved it was going to be.
changelog_begin
changelog_end
* Reenable transparent HEAD requests
Apparently no longer on by default but we depend on this in waitForHttpServer
changelog_begin
changelog_end
fixes#7978
There is no new test in the trigger service since the existing test
for the custom application id already hits this. The difference is
that now the test authorization server will produce a token with the
application id set to what we request rather than the wildcard token
we used before.
changelog_begin
changelog_end
* Obtain refresh token from Auth0
Auth0 requires the `offline_access` scope to be set to return a refresh
token.
See https://auth0.com/docs/tokens/refresh-tokens/get-refresh-tokens
Additionally, the `audience` claim needs to be set to obtain a JWT
access token and a refresh token.
See https://auth0.com/docs/tokens/refresh-tokens
changelog_begin
changelog_end
* Implement refresh endpoint on auth middleware
Following the refresh spec [1] and Auth0 documentation [2].
[1]: https://tools.ietf.org/html/rfc6749#section-6
[2]: https://auth0.com/docs/tokens/refresh-tokens/use-refresh-tokens
* Adapt Auth0 example configuration
Ignore any requests outside the ledger-api audience.
Don't throw on missing query fields. Otherwise the unhandled exception
would prevent unrelated requests from succeeding. E.g. token refresh
requests would always fail.
* Forward unauthorized/forbidden response on refresh
* re-use precomputed token payload
* Implement token refresh in auth test server
Reuses the association between authorization code and token payload to
associate refresh tokens and token payload.
Adds an expiry to the generated token to make tokens distinguishable
across refresh.
* obtain refresh token in test client
* Test auth server refresh token
* auth test server clock configurable
The clock used to define token expiry is configurable
* Override default clock in test fixture
* implement an adjustable clock
* Test token refresh with adjustable clock
* Test token expiry on /auth backend
* Test case for auth middleware /refresh endpoint
* handle malformed code/refresh token in auth server
* Forward client errors on middleware refresh
* Test middleware refresh failure
* Clarify meaning of offline accesss
* Remove redundant testing only comment
Co-authored-by: Andreas Herrmann <andreas.herrmann@tweag.io>
* Factor out oauth2 test server body into a class
changelog_begin
changelog_end
* move start into class
* mutable authorized parties
* add function sfor party authorization
* manage party authorization in trigger fixture
* enable deleting cookies
* Add access denied test cases
* Track readAs and actAs claims
* Enable ignored auth tests
* fmt
* add method comments
* Update triggers/service/auth/src/main/scala/com/daml/oauth/server/Server.scala
Co-authored-by: Moritz Kiefer <moritz.kiefer@purelyfunctional.org>
* Update triggers/service/auth/src/main/scala/com/daml/oauth/server/Server.scala
Co-authored-by: Moritz Kiefer <moritz.kiefer@purelyfunctional.org>
* Explain party authorization modes
* inline expected status codes
* fix closing brace
* use shouldBe instead of should equal
* Use shouldBe instead of should equal
* Explain revoking access and deleting cookies
* foreach requires a total function
Co-authored-by: Andreas Herrmann <andreas.herrmann@tweag.io>
Co-authored-by: Moritz Kiefer <moritz.kiefer@purelyfunctional.org>
* oauth error response
* oauth server parties parameter
* implement request denial in oauth test server
* Test oauth test server for access denied
* test unauthorized party on auth middleware
* Handle OAuth2 login flow error response in auth middleware
* Forward login error to auth middleware client
* fmt
* fix server test
* fmt
* Handle login failure in trigger service
* Test unauthorized trigger start
* Cleanup authCallback
* Update authentication specification
- The auth middleware accepts an arbitrary callback URI on /login
- The auth middleware will forward OAuth2 authorization failures to the
client service.
changelog_begin
changelog_end
* Update triggers/service/authentication.md
Co-authored-by: Moritz Kiefer <moritz.kiefer@purelyfunctional.org>
Co-authored-by: Andreas Herrmann <andreas.herrmann@tweag.io>
Co-authored-by: Moritz Kiefer <moritz.kiefer@purelyfunctional.org>
* Factor JWT verifier CLI flags
changelog_begin
changelog_end
* Use cli-opts in auth middleware
* Use cli-opts in sandbox cli
* Mark trigger service test as long
These have become prone to timeout on CI.
Increasing the size (timeout) is a temporary fix. A proper
solution is to a) not start a fresh sandbox per test-case and b)
separate the in-mem/db and no-auth/auth configrations into
separate Bazel test targets.
Co-authored-by: Andreas Herrmann <andreas.herrmann@tweag.io>
* Configure a token verifier on the auth middleware
changelog_begin
changelog_end
* Verify the token in the auth middleware
changelog_begin
changelog_end
* Test token verification in auth middleware
Co-authored-by: Andreas Herrmann <andreas.herrmann@tweag.io>
* resources: Move builders into //ledger/ledger-resources.
Keep the actual constructors in a trait, but instantiate it when working
with ledger code.
This allows us to later introduce an extra "context" type parameter to
ResourceOwner.
* resources-akka: Move the builders in to //ledger/ledger-resources.
* resources: Introduce an abstract `Context` parameter for owners.
This replaces the concrete `ExecutionContext`. While it _can_ be an
execution context, it really doesn't matter as long as we can get at one
somehow.
This is being introduced so we can wrap the context in a container,
either for type tagging or to include extra information.
Because our current context _is_ `ExecutionContext`, and an implicit is
provided to extract it, we can end up with two ways to get the same
value. We use shadowing to prevent this. This problem should go away in
the near future when a new context type is added.
CHANGELOG_BEGIN
- [Integration Kit] The `ResourceOwner` type is now parameterized by a
`Context`, which is filled in by the corresponding `Context` class in
the _ledger-resources_ dependency. This allows us to pass extra
information through resource acquisition.
CHANGELOG_END
* ledger-resources: Move `ResourceOwner` here from `resources`.
* ledger-resources: Remove dependencies from outside //ledger.
* ledger-resource: Wrap the acquisition execution context in `Context`.
So we can add a logging context to it.
* resources: Pass the Context, not the ExecutionContext, to Resource.
* Avoid importing `HasExecutionContext`.
* ledger-resources: Publish to Maven Central.
* resources: Make the small changes suggested by @stefanobaghino-da.
Co-Authored-By: Stefano Baghino <43749967+stefanobaghino-da@users.noreply.github.com>
* ledger-resources: Pull out a trait for test resource contexts.
Saves a few lines of code.
* Restore some imports that were accidentally wildcarded.
* resources: Replace an `implicit def` with a couple of imports.
* participant-integration-api: Simplify the JdbcLedgerDaoBackend tests.
Try and use the right execution context where possible.
Co-authored-by: Stefano Baghino <43749967+stefanobaghino-da@users.noreply.github.com>
* Authorize trigger service on middleware
changelog_begin
changelog_end
* Trigger service auth callback handler
* Forward token
* Do not pin the application ID in the access token
The trigger service will assign an individual application ID to each
trigger based on its UUID. Requiring tokens on the granularity of
application IDs would break the idea of storing the token in a cookie to
be able to use it across multiple requests.
changelog_begin
changelog_end
* todo persist trigger token
* Add a state parameter to middleware login
* add documentation comments
* typo
* fmt
* Align Party type between middleware and trigger service
The middleware was using `com.daml.lf.data.Ref.Party` while the trigger
service is using `com.daml.ledger.api.refinements.ApiTypes.Party` which
requires conversions. This aligns the types to avoid such conversions.
* optional application id in oauth2 test server
* align party types
* configure auth middleware in trigger service tests
* handle empty cookie header
* follow redirects in trigger service tests
* keep track of cookies
* keep track of cookies
* Replace any previous Cookie header
Otherwise on old daml-ledger-token cookie might persist and be preferred
over a newly added instance.
* DEBUG
* Configure test ledger client readAs claims
* fmt
* docstrings
* remove debug output
* Avoid endless redirect loops
When the replay still fails to authorize on the middleware then we do
not want to attempt another login flow.
* Store callback routes in authCallbacks
* fmt
* Push AuthTestConfig into test target
https://github.com/digital-asset/daml/pull/7654#discussion_r506510193
* Unbind oauth2 server after middleware
https://github.com/digital-asset/daml/pull/7654/files#r506513251
Co-authored-by: Andreas Herrmann <andreas.herrmann@tweag.io>
* Make /login endpoint compatible to auth0
- Make the authorization and token endpoints configurable
- Use `application/x-www-form-urlencoded` as specified in
https://tools.ietf.org/html/rfc6749#section-4.1.3
- Check the status code of the token endpoint response
- Fix the type of the token's `expires_in` field
(`Int` instead of `String)
changelog_begin
changelog_end
* Add Auth0 testing instructions
* Use native application type on Auth0
* scope to claims mapping todo note
Co-authored-by: Andreas Herrmann <andreas.herrmann@tweag.io>
* Add a dummy OAuth2 authorization server
This is intended for use in the trigger service integration tests not
as an artifact that we ship to users.
changelog_begin
changelog_end
* Address review feedback
changelog_begin
changelog_end