... | ... | @@ -25,10 +25,15 @@ After cloning the git repo please prepare your environment |

```bash
export KEYROCK_HOST=5.53.108.182
export FIWARE_PROXY_HOST=5.53.108.182
export ORION_HOST=5.53.108.182
export PROXY_HOST=5.53.108.182
cd scripts
```

Note, here we use different HOST IPs cause each service could run in different machines.\
This is also so the reader understands with which service is being used at each time when lunching a script.\
For simpler configuration we will have later on a single entrypoint, "the naiades server", which will run every service in the same machine, no need to set up several all this variables.

## User credentials

Each platform client uses credentials (email and password) for authenticating against the identity manager (IdM,)
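Review bot: the note at the end of this hunk says different HOST IPs are used because each service may run on a different machine, but all four exports (`KEYROCK_HOST`, `FIWARE_PROXY_HOST`, `ORION_HOST`, `PROXY_HOST`) are set to the same address, 5.53.108.182, so the example does not show what the note describes. Either give each variable its own placeholder (a hostname such as `keyrock.example.org` rather than a public IP of a running deployment, which should not be published in a README) or state that in this setup they happen to coincide. Wording: "cause" should be "because", "lunching" should be "launching", "all this variables" should be "all these variables", and the comma in "(IdM,)" belongs outside the parentheses; the trailing `\` hard line breaks after "machines." and "script." can simply be separate paragraphs.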
... | ... | @@ -50,6 +55,8 @@ The `Authorization` header is `Authorization: Basic NDU3ODhiM2YtMzRjNy00YThlLTkw |

Please look at the first script created for getting a token with curl:

### Request

```bash
>> cat security_01_get_token_with_password.sh
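Review bot: the `Authorization: Basic NDU3OD...` value quoted in this hunk's header is the base64 of the OAuth2 `client_id:client_secret`, and the script this hunk introduces (`security_01_get_token_with_password.sh`) sends it as-is; committing what looks like a real client secret next to the address of the deployment lets anyone with repository access request tokens for that Keyrock. Suggest reading it from an environment variable in the same way as the hosts (for example an exported variable such as `KEYROCK_CLIENT_AUTH`, name to be chosen), showing a dummy value in the docs, and rotating the secret once it is removed from history. Also, the `>> cat ...` prompt inside a `bash` fence reads like a shell redirection; a `$` prompt, or none, is clearer.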
... | ... | @@ -62,6 +69,9 @@ curl -iX POST \ |

```


### Response

Now, lets try it out using the `development` deployment of keyrock:

```bash
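Review bot: the `bash` fence opened under "### Response" in this hunk will hold Keyrock's HTTP output rather than shell input, so a `text` or `console` fence (here and for the other response blocks) avoids suggesting the content can be executed. It would also help to say that the `development` deployment of keyrock referred to here is the one exported as `KEYROCK_HOST` above, since that is the only host configured. Wording: "lets" should be "let's".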
... | ... | @@ -87,6 +97,20 @@ As indicated in the output of this command, you need to export the `access_token |
## Sending request **without** a token, seeing it fail
First, lets see what would happen if we didnt use the token for getting a entity from the context manager:

### Request

```bash
>> cat security_02_request_without_token.sh
curl -iX POST \
"http://$KEYROCK_HOST:3005/oauth2/token" \
-H 'Accept: application/json' \
-H 'Authorization: Basic NDU3ODhiM2YtMzRjNy00YThlLTkwZGMtZGZiODdlOGFkMGNjOjVmMmI0YTQ5LTJkMDUtNDQ2Ny04NDQ4LTI1ZDA0OWQwMzQ5OQ==' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-raw 'grant_type=password&username=test-user@example.com&password=test&scope=permanent'

```

### Response

```bash
>> ./security_02_request_without_token.sh
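Review bot: the script listed under "Sending request **without** a token" does not make a request without a token: `security_02_request_without_token.sh` POSTs a password grant to `http://$KEYROCK_HOST:3005/oauth2/token` (as user `test-user@example.com`), which is the token request from `security_01`, so running it cannot show the context manager rejecting an unauthenticated call. The section text says the goal is "getting a entity from the context manager", so the listing should be the GET against the PEP proxy (`http://$PROXY_HOST:1027/v2/entities/...` as used in the "with a token" section) with the `X-Auth-Token` header left out; the "Response" block should then show the proxy's 401. The `Authorization: Basic` client credentials are repeated verbatim here as well (same remark as on the previous hunk). Wording: "lets" should be "let's", "didnt" should be "didn't", "a entity" should be "an entity".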
... | ... | @@ -98,13 +122,90 @@ In simple words, this is: "you cannot open the door if you dont have the key" |

## Sending request **with** a token

### Request

```bash
curl -X GET \
"http://$PROXY_HOST:1027/v2/entities/urn:ngsi-ld:FlowerBed:FlowerBed-1/attrs/soilMoistureVwc/value"\
--header "Fiware-Service: carouge" \
--header "Fiware-ServicePath: /Watering" \
--header "X-Auth-Token: $KEYROCK_TOKEN"
```

### Response

```bash
>> ./security_03_request_with_token.sh
Querying Fiware entrypoint (PEP_PROXY) at: 5.53.108.182
8%
```

Woo-hoo! we managed to update an entity attribute with our token! We have been granted to do this cause our token was generate with a user with privileges to do so (access control).

Here there is a snapshot of the keyrock dashboard for this (for those of you who are curious about how this is managed) :

configuring roles:

![image](uploads/dc5b97808d0cb32a32e31e9b24afefe0/image.png)

configuring permissions:

![image](uploads/7d3eb2463e3a7c787e71c131e1753691/image.png)

## Advanced: users without writing rights to write certain entities (wms)

change in script `security_01...` user to `wms-1@example.com`, same password.
repeat `security_01...`, now `security_03...` returns requested value, but `./security_04_update_entity_with_token.sh` returns:

`User access-token not authorized`

Viola! our wms-1 user doesnt have the right to write to this specific entity, this demonstrates how access control works in the NAIADES context.

## Advanced: using the JWT scope

Instead of using a bearer token, we can use JWT, which has some added advantages, this demonstrates one of them:

### Request token using jwp

Note we can use `&scope=jwt` as query param:

```bash
curl -iX POST \
"http://$KEYROCK_HOST:3005/oauth2/token" \
-H 'Accept: application/json' \
-H 'Authorization: Basic NDU3ODhiM2YtMzRjNy00YThlLTkwZGMtZGZiODdlOGFkMGNjOjVmMmI0YTQ5LTJkMDUtNDQ2Ny04NDQ4LTI1ZDA0OWQwMzQ5OQ==' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-raw 'grant_type=password&username=city-pilot-1@example.com&password=test&scope=jwt'

```

### Response jwt

Returns a bigger token containing our roles in the platform!

```bash
>> ./security_01_get_token_with_password_jwt.sh
Querying Identity Managed (Keyrock) at: 5.53.108.182
HTTP/1.1 200 OK
Cache-Control: no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0
Content-Type: application/json; charset=utf-8
Content-Length: 1013
ETag: W/"3f5-jf2XD7ISOVcd9Zb0Y2hn/CYVWoY"
Set-Cookie: session=eyJyZWRpciI6Ii8ifQ==; path=/; expires=Tue, 16 Jun 2020 15:31:51 GMT; httponly
Set-Cookie: session.sig=TqcHvLKCvDVxuMk5xVfrKEP-GSQ; path=/; expires=Tue, 16 Jun 2020 15:31:51 GMT; httponly
Date: Tue, 16 Jun 2020 14:31:51 GMT
Connection: keep-alive

{"access_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.nqurtvdVMaJ_oqnyNkBk_c-m7MuivZ2uZCouuh1eyX0","token_type":"jwt","refresh_token":"899663e3c36f9b2a9d8f3582f4d12d0d30246401","scope":["jwt"]}

(!) Please export obtained <access_token> as KEYROCK_TOKEN, e.g. 'export KEYROCK_TOKEN=<put_the_received_access_token_here!>'
```

### decoding jwt with [jwt.io](jwt.io)

If you check on the right column we have information on what are our roles in the NAIADES platform

![image](uploads/f31972c7f761ad43615ab3615dd265db/image.png)

## Other issues you may find
/security_03_request_with_token.sh
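Review bot: the request in "Sending request **with** a token" is a `curl -X GET` that reads `.../attrs/soilMoistureVwc/value` (the response is the value `8%`), yet the paragraph after it says "we managed to update an entity attribute". The read/write distinction is exactly what the later "Advanced" section relies on (`security_03...` returns the value while `./security_04_update_entity_with_token.sh` is refused with `User access-token not authorized`), so reword this to "read an entity attribute" and add the listing of `security_04_update_entity_with_token.sh`, which is referenced but never shown, so the refusal can be reproduced. Further points in this hunk: the GET line `...value"\` is missing the space before the continuation backslash; the heading "Request token using jwp" should read "jwt", and `&scope=jwt` is sent in the form body via `--data-raw`, not as a query param; `[jwt.io](jwt.io)` has no scheme and renders as a relative link (`https://jwt.io`), and since the access token is a bearer credential for this deployment, decoding the middle segment locally with a base64url decode is preferable to pasting it into a third-party site; the token header `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9` decodes to `{"alg":"HS256","typ":"JWT"}`, so it is worth stating that the PEP proxy must verify the signature with the secret it shares with Keyrock rather than merely decoding the claims. Wording: "generate" should be "generated", "cause" should be "because", "Viola" should be "Voilà", "doesnt" should be "doesn't". The closing "## Other issues you may find" section currently ends with the bare fragment `/security_03_request_with_token.sh` and needs its text.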