Skip to content
This repository has been archived by the owner on Nov 14, 2023. It is now read-only.

Feature/files api #540

Draft
wants to merge 27 commits into
base: master
Choose a base branch
from
Draft

Feature/files api #540

wants to merge 27 commits into from

Conversation

dbampalikis
Copy link
Contributor

@dbampalikis dbampalikis commented Feb 27, 2023

The PR creates an endpoint in the API service for retrieving information about the files a user has submitted. The user is authenticated using the JWToken and currently the way to parse the token is only done through a public key file.

  • Lacks integration tests

Copy link
Collaborator

@jbygdell jbygdell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe not perfectly correct but you get the gists

cmd/api/api.go Outdated Show resolved Hide resolved
cmd/api/api.go Outdated Show resolved Hide resolved
cmd/api/api.go Outdated Show resolved Hide resolved
cmd/api/api.go Outdated Show resolved Hide resolved
internal/config/config.go Outdated Show resolved Hide resolved
internal/config/config.go Outdated Show resolved Hide resolved
internal/config/config.go Outdated Show resolved Hide resolved
@codecov-commenter
Copy link

codecov-commenter commented Feb 27, 2023

Codecov Report

Merging #540 (58e99fb) into master (1bcd776) will decrease coverage by 0.38%.
The diff coverage is 34.88%.

❗ Current head 58e99fb differs from pull request most recent head 7325bae. Consider uploading reports for the commit 7325bae to get more accurate results

📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more

@@            Coverage Diff             @@
##           master     #540      +/-   ##
==========================================
- Coverage   39.38%   39.00%   -0.38%     
==========================================
  Files          13       13              
  Lines        3161     3325     +164     
==========================================
+ Hits         1245     1297      +52     
- Misses       1874     1981     +107     
- Partials       42       47       +5     
Flag Coverage Δ
unittests 39.00% <34.88%> (-0.38%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
internal/database/db.go 69.72% <0.00%> (-10.47%) ⬇️
internal/config/config.go 77.98% <4.54%> (-3.91%) ⬇️
cmd/api/api.go 56.02% <57.28%> (-2.32%) ⬇️

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

cmd/api/api.go Outdated Show resolved Hide resolved
cmd/api/api.go Outdated Show resolved Hide resolved
cmd/api/api.go Outdated Show resolved Hide resolved
internal/database/db.go Outdated Show resolved Hide resolved
Comment on lines 48 to 56
WrongTokenAlgClaims = map[string]interface{}{
"iss": "Online JWT Builder",
"iat": time.Now().Unix(),
"exp": time.Now().Add(time.Hour * 2).Unix(),
"aud": "4e9416a7-3515-447a-b848-d4ac7a57f",
"sub": "[email protected]",
"auth_time": "1632207224",
"jti": "cc847f9c-7608-4b4f-9c6f-6e734813355f",
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unused?

@pontus
Copy link
Contributor

pontus commented Mar 2, 2023

Looks OK, I notice one can have at most one key per issuer, meaning key rotation is not possible, but guess we won't have actual problems with that for now.

@dbampalikis dbampalikis marked this pull request as ready for review March 3, 2023 15:06
@pontus
Copy link
Contributor

pontus commented Mar 3, 2023

I'm not sure exactly what use case this is meant to address, but I believe it would be nice to make it easier for sda-cli to support resuming uploads, in which case it would be nice to offer submission_file_size to the user as well if there is a checksum of type UPLOADED.

Or would that be out of scope?

@dbampalikis dbampalikis force-pushed the feature/files-api branch 3 times, most recently from cd5a83b to 5832318 Compare March 3, 2023 15:20
@dbampalikis dbampalikis marked this pull request as draft March 3, 2023 15:22
@dbampalikis dbampalikis marked this pull request as ready for review March 3, 2023 15:22
Copy link
Contributor

@blankdots blankdots left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if i understand correctly the only way to match users to files is if we issue the token ... not sure how that will work from a services standpoint, for this reason I would prefer if having a local key for generating the token is not the default but an option as we can have a list of controlled issuers that we allow to generate the tokens and we can check the users against that.


if Conf.API.MQ.Connection.IsClosed() {
statusCocde = http.StatusServiceUnavailable
statusCode = http.StatusServiceUnavailable
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not sure i follow why we need MQ checks here,the API does not do anything with the broker.

c.JSON(200, files)
}

// getUserFromToken parses the token, validates it against the key and returns the key
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i think the token check should be split, so that it is easier to integrate with sda download: see: https://github.com/neicnordic/sda-download/blob/main/pkg/auth/auth.go#L54-L90

Also it would be good to have a list of trusted issuers: https://github.com/neicnordic/sda-download/blob/main/pkg/auth/auth.go#L327-L344

@@ -511,3 +519,28 @@ func CopyHeader() bool {

return false
}

// Function for reading the ega key in []byte
func GetJwtKey(jwtpubkeypath string, jwtKeys map[string][]byte) error {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i think we can have /jwk endpoint and serve our key there so it creates less hassle when changing the function for checking jwt signature.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, that makes sense actually. I might need to leave this function as a second option though, at least until we create an endpoint for serving the key

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cmd/api/api.go Outdated

verifiedToken, err := jwt.Parse([]byte(tokenStr), jwt.WithKey(jwa.RS256, key))
if err != nil {
log.Debugf("failed to verify token as RS256 signature of token %s, %s", tokenStr, err)

Check failure

Code scanning / CodeQL

Clear-text logging of sensitive information

[Sensitive data returned by HTTP request headers](1) flows to a logging call.
cmd/api/api.go Fixed Show fixed Hide fixed
cmd/api/api.go Fixed Show fixed Hide fixed
cmd/api/api.go Fixed Show fixed Hide fixed
@jbygdell jbygdell force-pushed the feature/files-api branch from 73254ab to df1e393 Compare April 17, 2023 10:51
@jbygdell jbygdell force-pushed the feature/files-api branch from df1e393 to b3d17f4 Compare April 17, 2023 11:40
@jbygdell jbygdell force-pushed the feature/files-api branch from fb5b12d to e46bce5 Compare April 17, 2023 12:14
@jbygdell jbygdell force-pushed the feature/files-api branch 8 times, most recently from 5cdd6c5 to 7325bae Compare April 18, 2023 09:11
@kusalananda kusalananda removed the request for review from norling August 24, 2023 07:48
@jbygdell jbygdell marked this pull request as draft September 21, 2023 06:40
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants