Time to up the ante in the access-control war. We're going to require CIA clearance now before you can access HTTP resources—in case that wasn't obvious to you too, CIA stands for Control of Internet Access, of course, what else?! We have an AuthZ test server at
authzforceingress.appstorecontainerns.46.17.108.63.xip.io
with an XACML policy decision point (PDP) to eyeball credentials and give security clearance only when appropriate. The configured access policy gets evaluated on the following data Mr Adapter the Constable is supposed to snatch out of mesh-inbound HTTP requests and dutifully pass on to AuthZ
- DAPS connector ID, issuer, membership, scopes and security profile as found in the DAPS JWT contained in the IDS header.
- Application ID, AZF domain and roles from the KeyRock JWT in the
X-AUTH-TOKENheader. - FiWare service—content of
fiware-serviceheader. - Request verb and path.
With default config, the adapter won't ask AuthZ to authorise calls:
if the incoming DAPS token is valid, the request gets forwarded to
Orion. But you can change that in a flash. Edit sample_operator_cfg.yaml
to set the authz/enable flag to true, then
$ kubectl apply -f deployment/sample_operator_cfg.yaml
Now whenever a request comes in, after okaying the DAPS token in the
header header, the adapter will also validate the KeyRock token,
comb the request for all the bits and pieces listed earlier and then
pass them on to AuthZ. Since you don't want to mess with the CIA, Mr
Adapter the Constable will enforce whichever decision AuthZ makes.
KeyRock token validation rules are the same as those for DAPS JWTs
we know and love, except we verify signatures with an HS 256 shared
secret stashed away in the adapter's config.
Keen on AuthZ action? Try resubmitting the request we made earlier to get Orion's API entry points
$ source scripts/cluster-url.sh
$ curl -v "${ORION_BASE_URL}/v2" -H "header:${HEADER_VALUE}"
and, surprise, surprise, the adapter should show you the door this
time (the boy ain't got no manners!) with a 403 and a message like
PERMISSION_DENIED:
orionadapter-handler.handler.istio-system:unauthorized:
invalid AuthZ JWT data
Let's see if we can get through. First off, we're going to need DAPS
and KeyRock JWTs with enough claims to make AuthZ happy. Here's a
fitting DAPS JWT, signed with the private key in the adapter config—look
for the idsa_private_key field in sample_operator_cfg.yaml.
$ export DAPS_JWT=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImRlZmF1bHQifQ.eyJpZHNfYXR0cmlidXRlcyI6eyJzZWN1cml0eV9wcm9maWxlIjp7ImF1ZGl0X2xvZ2dpbmciOjIsInBzZXVkb19zZWNvbmRfZWxlbWVudCI6Imlkc19zZWN1cml0eV9wcm9maWxlX3BzZXVkb19zZWNvbmRfZWxlbWVudCJ9LCJtZW1iZXJzaGlwIjp0cnVlLCJpZHMtdXJpIjoiaHR0cDovL3NvbWUtdXJpIiwidHJhbnNwb3J0X2NlcnRzX3NoYTI1OCI6ImJhY2I4Nzk1NzU3MzBiYjA4M2YyODNmZDViNjdhOGNiODk2OTQ0ZDFiZTI4YzdiMzIxMTdjZmM3NTdjODFlOTYifSwic2NvcGVzIjpbImlkc19jb25uZWN0b3IiLCJpZHNfc2NvcGVfcHNldWRvX3NlY29uZF9lbGVtZW50Il0sImF1ZCI6IklEU19Db25uZWN0b3IiLCJpc3MiOiJodHRwczovL2RhcHMuYWlzZWMuZnJhdW5ob2Zlci5kZSIsInN1YiI6IkM9REUsTz1GSVdBUkUsT1U9Q1RPSURTQSxDTj00ZTE2ZjAwNy1kOTU5LTRlYjItYjQ3ZC03OGRkMGM0ZWFiMGUiLCJuYmYiOjE1ODgxNjMyODMsImV4cCI6MjU4ODE2Njg4M30.dOnaOtKU6P-UM9xx_xiEaNGQhm6UFdh-AVTmL9Op6_S0LukNOnstkZVLl6yxq077QS-t0lGFjj7ofRL-q6YS2yEfK8JsZ45pynQJz-uIUo85GuHadmtuP-ODHsxFO5-qyzIXcswM8c4aTaJfW6Mi_WZ7hp2yoJPEFhlPPBwHGhExTV_vLmdTEBcGpNdK90j-rcsZSq0K5MOLAVwbQunxoke8b8DZjtIdbOwqm5l7D0banGYfKRUd3r2aFwp2OhcrSb-XeP_kFB9sYZKSimKOJOREJphrTG92XVdFu5Hls3Bwtc7i8QLJwwn-HVHHxWMD2ghzBF0mmGLodvWQNik7ww
Just like we did earlier, we use the same convenience script to get the Base64-encoded IDS header
$ export HEADER_VALUE=$(sh scripts/idsa-header-value.sh "${DAPS_JWT}")
Up next is the KeyRock JWT. Below is a good one, signed with the shared
secret in the adapter config —look for hs256_shared_secret in
sample_operator_cfg.yaml.
$ export USER_JWT=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJvcmdhbml6YXRpb25zIjpbeyJpZCI6IjA5ZDQzOTVlLTkzMWMtNDc1Yy1hNzIzLWFmMzYyYjU2M2IxMSIsIm5hbWUiOiJPcmcyIiwiZGVzY3JpcHRpb24iOiJPcmcyIiwid2Vic2l0ZSI6bnVsbCwicm9sZXMiOlt7ImlkIjoiYTg1ZTg3ZjgtYjdlOC00NTdlLWFhYjEtZmJjM2E0ZTg4MTg1IiwibmFtZSI6InJvbGUzIn1dfSx7ImlkIjoiM2FlNmEzYTMtNTFmNS00MDI1LTk4YzMtOWNlYWViNTNjMGIyIiwibmFtZSI6Ik9yZzEiLCJkZXNjcmlwdGlvbiI6Ik9yZzEiLCJ3ZWJzaXRlIjpudWxsLCJyb2xlcyI6W3siaWQiOiI5MmMyZDM3Zi01ODBiLTQ3YmEtOTE3OC1kOWNhOGVjMTIzNzgiLCJuYW1lIjoicm9sZTQifSx7ImlkIjoiYTg1ZTg3ZjgtYjdlOC00NTdlLWFhYjEtZmJjM2E0ZTg4MTg1IiwibmFtZSI6InJvbGUzIn1dfV0sImRpc3BsYXlOYW1lIjoiIiwicm9sZXMiOlt7ImlkIjoiOTNjOWU1MDMtMDVlNi00ZmFmLTllNTQtNDUzMWMwOTQ4YzYyIiwibmFtZSI6InJvbGUxIn0seyJpZCI6IjkyYzJkMzdmLTU4MGItNDdiYS05MTc4LWQ5Y2E4ZWMxMjM3OCIsIm5hbWUiOiJyb2xlMyJ9XSwiYXBwX2lkIjoiN2JjMmI3MzUtN2ZkZC00MGVhLThjYjItYWNhZTliMjQxY2E3IiwidHJ1c3RlZF9hcHBzIjpbXSwiaXNHcmF2YXRhckVuYWJsZWQiOmZhbHNlLCJpbWFnZSI6IiIsImVtYWlsIjoiYWxpY2UtdGhlLWFkbWluQHRlc3QuY29tIiwiaWQiOiJhZG1pbiIsImF1dGhvcml6YXRpb25fZGVjaXNpb24iOiIiLCJhcHBfYXpmX2RvbWFpbiI6IndDSXdjWUZrRWVxQk5WWWJtN2M5ckEiLCJlaWRhc19wcm9maWxlIjp7fSwiYXR0cmlidXRlcyI6e30sInVzZXJuYW1lIjoiYWxpY2UiLCJ0eXBlIjoidXNlciIsImlhdCI6MTU4NzIwNjYzNiwiZXhwIjoyNTg3MjEwMjM2fQ.hbOxwJjmJ6P9654kedT0GqnbjvvtmIKPldONvV1JP9U
We're ready to try our luck
$ curl -v "${ORION_BASE_URL}/v2/" \
-H "header:${HEADER_VALUE}" \
-H "X-AUTH-TOKEN:${USER_JWT}" \
-H "Fiware-Service:service"
If everything went according to plan, you're looking at a 200
response on your terminal with the JSON body returned by Orion :-)