support client certificate

Author: ikethecoder

src/services/keycloak/client-registration-service.ts

@@ -7,6 +7,7 @@ import { headers } from './keycloak-api';
 import { strict as assert } from 'assert';
 
 import { clientTemplateClientSecret } from './templates/client-template-client-secret';
+import { clientTemplateClientCertificate } from './templates/client-template-client-certificate';
 import { clientTemplateClientJwt } from './templates/client-template-client-jwt';
 import { clientTemplateSharedIdP } from './templates/client-template-shared-idp';
 import { clientTemplateSharedIdPAuthz } from './templates/client-template-shared-idp-authz';
@@ -38,6 +39,7 @@ export enum ClientAuthenticator {
   ClientJWT = 'client-jwt',
   ClientJWTwithJWKS = 'client-jwt-jwks-url',
   ClientSecret = 'client-secret',
+  ClientCertificate = 'client-certificate',
   SharedIdP = 'shared-idp',
   SharedIdPWithAuthz = 'shared-idp-authz',
 }
@@ -94,6 +96,13 @@ export class KeycloakClientRegistrationService {
           },
         });
         break;
+      case ClientAuthenticator.ClientCertificate:
+        body = Object.assign(JSON.parse(clientTemplateClientCertificate), {
+          enabled,
+          clientId,
+          secret: clientSecret,
+        });
+        break;
       case ClientAuthenticator.SharedIdP:
         body = Object.assign(JSON.parse(clientTemplateSharedIdP), {
           enabled,

src/services/keycloak/templates/client-template-client-certificate.ts

@@ -0,0 +1,65 @@
+
+export const clientTemplateClientCertificate = JSON.stringify({
+  clientId: '',
+  name: '',
+  description: '',
+  surrogateAuthRequired: false,
+  enabled: false,
+  alwaysDisplayInConsole: false,
+  clientAuthenticatorType: 'client-x509',
+  redirectUris: ['http://*', 'https://*'],
+  webOrigins: ['*'],
+  notBefore: 0,
+  bearerOnly: false,
+  consentRequired: false,
+  standardFlowEnabled: true,
+  implicitFlowEnabled: false,
+  directAccessGrantsEnabled: false,
+  serviceAccountsEnabled: true,
+  publicClient: false,
+  frontchannelLogout: false,
+  protocol: 'openid-connect',
+  attributes: {
+    "request.object.signature.alg": "any",
+    "saml.multivalued.roles": "false",
+    "saml.force.post.binding": "false",
+    "oauth2.device.authorization.grant.enabled": "false",
+    "backchannel.logout.revoke.offline.tokens": "false",
+    "saml.server.signature.keyinfo.ext": "false",
+    "use.refresh.tokens": "true",
+    "realm_client": "false",
+    "oidc.ciba.grant.enabled": "false",
+    "backchannel.logout.session.required": "true",
+    "client_credentials.use_refresh_token": "false",
+    "saml.client.signature": "false",
+    "require.pushed.authorization.requests": "false",
+    "request.object.encryption.enc": "any",
+    "dpop.bound.access.tokens": "false",
+    "saml.assertion.signature": "false",
+    "x509.subjectdn": "CN=sdx-pub-icbc-sap.api.gov.bc.ca",
+    "request.object.encryption.alg": "any",
+    "client.introspection.response.allow.jwt.claim.enabled": "false",
+    "saml.encrypt": "false",
+    "standard.token.exchange.enabled": "true",
+    "saml.server.signature": "false",
+    "exclude.session.state.from.auth.response": "false",
+    "client.use.lightweight.access.token.enabled": "false",
+    "request.object.required": "not required",
+    "saml_force_name_id_format": "false",
+    "access.token.header.type.rfc9068": "false",
+    "acr.loa.map": "{}",
+    "tls.client.certificate.bound.access.tokens": "true",
+    "saml.authnstatement": "false",
+    "display.on.consent.screen": "false",
+    "x509.allow.regex.pattern.comparison": "false",
+    "token.response.type.bearer.lower-case": "false",
+    "saml.onetimeuse.condition": "false"
+  },
+  authenticationFlowBindingOverrides: {},
+  fullScopeAllowed: false,
+  nodeReRegistrationTimeout: -1,
+  protocolMappers: [] as any[],
+  defaultClientScopes: [] as string[],
+  optionalClientScopes: [] as string[],
+  access: { view: true, configure: true, manage: true },
+});

src/services/keystone/access-request.ts

@@ -1,10 +1,103 @@
 import { gql } from 'graphql-request';
 import { Logger } from '../../logger';
-import { AccessRequest, AccessRequestUpdateInput } from './types';
+import {
+  AccessRequest,
+  AccessRequestCreateInput,
+  AccessRequestUpdateInput,
+} from './types';
 
 const assert = require('assert').strict;
 const logger = Logger('keystone.access-req');
 
+/*
+acceptLegal
+: 
+false
+additionalDetails
+: 
+""
+applicationId
+: 
+"2"
+controls
+: 
+"{\"clientGenCertificate\":false,\"jwksUrl\":\"\",\"clientCertificate\":\"\"}"
+name
+: 
+"Sample API FOR Cope, Aidan CITZ:EX"
+productEnvironmentId
+: 
+"12"
+requestor
+: 
+"12"*/
+
+export async function addAccessRequest(
+  context: any,
+  data: any
+): Promise<AccessRequest> {
+  const query = gql`
+    mutation AddAccessRequest(
+      $name: String!
+      $controls: String
+      $requestor: ID!
+      $applicationId: ID!
+      $productEnvironmentId: ID!
+      $additionalDetails: String
+      $acceptLegal: Boolean!
+    ) {
+      acceptLegal(
+        productEnvironmentId: $productEnvironmentId
+        acceptLegal: $acceptLegal
+      ) {
+        legalsAgreed
+      }
+
+      createAccessRequest(
+        data: {
+          name: $name
+          controls: $controls
+          additionalDetails: $additionalDetails
+          requestor: { connect: { id: $requestor } }
+          application: { connect: { id: $applicationId } }
+          productEnvironment: { connect: { id: $productEnvironmentId } }
+        }
+      ) {
+        id
+      }
+    }
+  `;
+
+  logger.debug('Mutation [addAccessRequest] data %j', data);
+  const result = await context.executeGraphQL({
+    query,
+    variables: { ...data },
+  });
+  logger.debug('Mutation [addAccessRequest] result %j', result);
+  return result.data.createAccessRequest;
+}
+
+export async function collectCredentials(context: any, id: string): Promise<AccessRequest> {
+  logger.debug('Collecting credentials for access request %s', id);
+  const query = gql`
+  mutation genCredential($id: ID!) {
+    updateAccessRequest(id: $id, data: { credential: "NEW" }) {
+      credential
+    }
+  }`
+  const result = await context.executeGraphQL({
+    query,
+    variables: { id },
+  });
+  logger.debug('Mutation [collectCredentials] result %j', result);
+  assert.strictEqual(
+    'errors' in result,
+    false,
+    'Error collecting credentials'
+  );
+  return result.data.updateAccessRequest;
+}
+
 export async function getAccessRequestsByNamespace(
   context: any,
   ns: string

src/services/keystone/application.ts

@@ -41,3 +41,26 @@ export async function lookupMyApplicationsById(
   logger.debug('[lookupMyApplicationsById] result %j', result);
   return result.data.myApplications[0];
 }
+
+
+export async function createApplication(
+  context: any,
+  data: { name: string, ownerId: string, description?: string }
+): Promise<Application> {
+  logger.debug('[createApplication] %j', data);
+  const result = await context.executeGraphQL({
+    query: `mutation CreateApplication($name: String!, $description: String, $ownerId: ID!) {
+                  createApplication(data: {name: $name, owner: {connect: {id: $ownerId}}, description: $description}) {
+                      id
+                      appId
+                      name
+                      owner {
+                        name
+                      }
+                  }
+              }`,
+    variables: data,
+  });
+  logger.debug('[createApplication] result %j', result);
+  return result.data.createApplication;
+}

src/test/integrated/keystonejs/accessRequest.ts

@@ -4,25 +4,53 @@ To run:
 npm run ts-build
 npm run ts-watch
 node dist/test/integrated/keystonejs/accessRequest.js
+
+
+NEEDS:
+
+kubectl port-forward -n 1d4461-prod service/patroni-spilo 15432:5432 &
+
+export ADAPTER=knex
+export KNEX_DATABASE=keystonejs
+export KNEX_HOST=localhost
+export KNEX_PORT=15432
+export KNEX_USER=keystonejsuser
+export KNEX_PASSWORD=
+
+
+export KONG_URL="https://kong-admin-api-1d4461-prod.apps.silver.devops.gov.bc.ca"
+
+kubectl port-forward -n 1d4461-prod service/bcgov-aps-portal-feeder-generic-api 6767:80 &
+
+export FEEDER_URL=http://localhost:6767
+
+// userId is needed for Legal
+// namespace has to match requesting product if not published
+
 */
 
 import InitKeystone from './init';
 import { o } from '../util';
-import { getOpenAccessRequestsByConsumer } from '../../../services/keystone/access-request';
+import { addAccessRequest, collectCredentials, getOpenAccessRequestsByConsumer } from '../../../services/keystone/access-request';
+import { add } from 'lodash';
+import { AccessRequestCreateInput } from 'apis/shared/types/query.types';
+import { createApplication } from '../../../services/keystone/application';
 
 (async () => {
   const keystone = await InitKeystone();
 
-  const ns = 'gw-0dcd7';
-  const skipAccessControl = false;
+  const ns = 'gw-0a524';
+  const skipAccessControl = true;
+
+  const userId = '12';
 
   const identity = {
     id: null,
     username: 'sample_username',
     namespace: ns,
     roles: JSON.stringify(['api-owner']),
     scopes: [],
-    userId: null,
+    userId,
   } as any;
 
   const ctx = keystone.createContext({
@@ -32,12 +60,36 @@ import { getOpenAccessRequestsByConsumer } from '../../../services/keystone/acce
 
   // o(await getOrganizations(ctx));
 
-  const serviceAccess = await getOpenAccessRequestsByConsumer(
-    ctx,
-    ns,
-    '653860ee26683257394cfe3c'
-  );
-  o(serviceAccess);
+  const accessRequestData = {
+    acceptLegal: false,
+    additionalDetails: '',
+    //applicationId: '5', // App2
+    controls: '{"clientGenCertificate":false,"jwksUrl":"","clientCertificate":""}',
+    name: 'Sample API FOR Cope, Aidan CITZ:EX',
+    productEnvironmentId: '13',
+    requestor: userId,
+  } as any;
+
+
+  // userId is needed for Legal
+
+  const app = await createApplication(ctx, { name: 'App', description: 'App Desc', ownerId: userId });
+
+  accessRequestData.applicationId = app.id;
+
+  const result = await addAccessRequest(ctx, accessRequestData);
+  o(result);
+
+  const creds = await collectCredentials(ctx, result.id);
+  o(creds);
+  
+  // const serviceAccess = await getOpenAccessRequestsByConsumer(
+  //   ctx,
+  //   ns,
+  //   '653860ee26683257394cfe3c'
+  // );
+  // o(serviceAccess);
+
 
   await keystone.disconnect();
 })();