Subscriptions controller: Ignore JWTs that can't be validated
Fixes #377.

- For subscription requests, JWTs that can't be validated are now ignored. This allows to validate JWTs in an external service as configurable via the SUBMISSION_CHECK and SUBSCRIPTION_CHECK environment variables (which was the intention all along).
- Response code changed: when connecting and subscribing at the same time, RIG replies with 403 (instead of 400) when not authorized to do so.
- Ill-formed JWTs no longer cause subscription requests to fail.
- Fixed SUBMISSION_CHECK=jwt_validation - it failed the check anytime, regardless of whether the JWT was valid.
1 parent d49dfa4, commit d4eafdd

Showing 20 changed files with 475 additions and 68 deletions.
61 changes: 61 additions & 0 deletions
test/rig_inbound_gateway/event_submission/external_check_test.exs
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,61 @@ | ||
defmodule RigInboundGateway.EventSubmission.ExternalCheckTest do | ||
@moduledoc """ | ||
An external service may be used to allow or deny publishing events. | ||
""" | ||
# Cannot be async because environment variables are modified: | ||
use ExUnit.Case, async: false | ||
|
||
import FakeServer | ||
alias FakeServer.Response | ||
|
||
alias HTTPoison | ||
|
||
alias RIG.JWT | ||
|
||
@hostname "localhost" | ||
@eventhub_port Confex.fetch_env!(:rig, RigInboundGatewayWeb.Endpoint)[:http][:port] | ||
@api_port Confex.fetch_env!(:rig, RigApi.Endpoint)[:http][:port] | ||
@public_submission_url "http://#{@hostname}:#{@eventhub_port}/_rig/v1/events" | ||
@private_submission_url "http://#{@hostname}:#{@api_port}/v3/messages" | ||
@fake_validation_service_port 59_349 | ||
|
||
@event_json """ | ||
{ "id": "2", "source": "nil", "specversion": "0.2", "type": "greeting" } | ||
""" | ||
|
||
@var_name "SUBMISSION_CHECK" | ||
@orig_val System.get_env(@var_name) | ||
setup_all do | ||
System.put_env(@var_name, "http://localhost:#{@fake_validation_service_port}") | ||
|
||
on_exit(fn -> | ||
case @orig_val do | ||
nil -> System.delete_env(@var_name) | ||
_ -> System.put_env(@var_name, @orig_val) | ||
end | ||
end) | ||
end | ||
|
||
test "The private API doesn't use the external service." do | ||
headers = %{"content-type" => "application/json"} | ||
assert %{status_code: 202} = HTTPoison.post!(@private_submission_url, @event_json, headers) | ||
end | ||
|
||
test_with_server "The public API allows publishing if the external service accepts.", | ||
port: @fake_validation_service_port do | ||
# The fake subscription-validation service accepts anything: | ||
route("/", Response.ok!("Ok")) | ||
|
||
headers = %{"content-type" => "application/json"} | ||
assert %{status_code: 202} = HTTPoison.post!(@public_submission_url, @event_json, headers) | ||
end | ||
|
||
test_with_server "The public API denies publishing if the external service rejects.", | ||
port: @fake_validation_service_port do | ||
# The fake subscription-validation service rejects anything: | ||
route("/", Response.forbidden!("Go away!")) | ||
|
||
headers = %{"content-type" => "application/json"} | ||
assert %{status_code: 403} = HTTPoison.post!(@public_submission_url, @event_json, headers) | ||
end | ||
end |
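Review bot: the two test_with_server cases cover only an external service that answers 200 and one that answers 403; there is no case for the public endpoint when nothing is listening on @fake_validation_service_port, or when the service answers with a 5xx or times out, so the suite does not pin down whether SUBMISSION_CHECK fails closed. Please add a test that posts to @public_submission_url with no route registered (or with an error response) and asserts the request is denied. No request in this file carries an Authorization header either, so nothing here checks that the caller's token reaches the external service; `alias RIG.JWT` is currently unused and `alias HTTPoison` is a no-op, which suggests a JWT-bearing case was planned. The comments inside both test_with_server blocks say "subscription-validation service" although this module tests submission; rename them to avoid confusion with the SUBSCRIPTION_CHECK tests.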