From de420a9cc400fad32a9e12e292dd8d5133791f18 Mon Sep 17 00:00:00 2001
From: bnonni
Date: Tue, 10 Oct 2023 21:41:09 -0400
Subject: [PATCH] more edits to docs
---
 doc/config/auth.md | 34 +++++++++++++++++++++++++++++++++-
 doc/config/kms.md | 3 ++-
 pkg/server/server.go | 3 +--
 3 files changed, 36 insertions(+), 4 deletions(-)
diff --git a/doc/config/auth.md b/doc/config/auth.md
index 1589be9e2..51f8bbf16 100644
--- a/doc/config/auth.md
+++ b/doc/config/auth.md
@@ -16,5 +16,37 @@ curl -H "Authorization: Bearer $TOKEN" .... # Extending Authentication and Authorization for production environments
-The server uses the [Gin framework](https://github.com/gin-gonic/gin), which allows various kinds of middleware. Look in `pkg/server/middleware/authn.go` and `pkg/server/server.go` for details on how you can wire up authentication and authorization for your use case. One such option is the https://github.com/zalando/gin-oauth2 framework.
+The server uses the [Gin framework](https://github.com/gin-gonic/gin), which allows various kinds of middleware. Look in [`pkg/server/middleware/authn.go`](../../pkg/server/middleware/authn.go) and [`pkg/server/server.go`](../../pkg/server/server.go) for details on how you can wire up authentication and authorization for your use case. One such option is the https://github.com/zalando/gin-oauth2 framework.
+## How to add Authentication to the SSI Service
+1. Open [`pkg/server/middleware/authn.go`](../../pkg/server/middleware/authn.go) for a reference to where to add the proper code
+```go
+func setUpEngine(cfg config.ServerConfig, shutdown chan os.Signal) *gin.Engine {
+ gin.ForceConsoleColor()
+ middlewares := gin.HandlersChain{
+ gin.Recovery(),
+ gin.Logger(),
+ middleware.Errors(shutdown),
+ middleware.AuthMiddleware(),
+ }
+}
+```
+
+2. Open [`pkg/server/server.go`](../../pkg/server/server.go) and uncomment line 126
+```go
+// uncomment the below line to enable middle ware auth, see doc/config/auth.md for details
+middleware.AuthMiddleware()
+```
+
+3. Reference the [Authentication](#authentication) section for how to create an `AUTH_TOKEN`
+
+4. Update `.env` with the hash produced in step 3
+```conf
+AUTH_TOKEN="8e455e42e94a0f3ac17fe27e9c6a8475800d02c123ba9d2dc0cf1063ef52bd90"
+```
+
+5. Build and run the server. When making API calls, pass the preimage (unhashed data) in the header
+```bash
+export TOKEN=hunter2
+curl -H "Authorization: Bearer $TOKEN"
+```
\ No newline at end of file
diff --git a/doc/config/kms.md b/doc/config/kms.md
index 13149e952..eba8d5384 100644
--- a/doc/config/kms.md
+++ b/doc/config/kms.md
@@ -11,7 +11,8 @@ For production deployments, using external KMS is strongly recommended. To use an external KMS: 1. Create a symmetric encryption key in your KMS. You MUST select the algorithm that uses AES-256 block cipher in
- Galois/Counter Mode (GCM). At the time of writing, this is the only algorithm supported by AWS and GCP.
+ Galois/Counter Mode (GCM). At the time of writing, this is the only algorithm supported by AWS and GCP for symmetric encrypt/decrypt.
+ In GCP, the algorithm will be called "Google symmetric key." It will be preselected and grayed out.
 2. Set the `master_key_uri` field of the `[services.keystore]` section using the format described in [tink](https://github.com/google/tink/blob/9bc2667963e20eb42611b7581e570f0dddf65a2b/docs/KEY-MANAGEMENT.md#key-management-systems) (we use the tink library under the hood).
diff --git a/pkg/server/server.go b/pkg/server/server.go
index e86d38bd5..e5b836865 100644
--- a/pkg/server/server.go
+++ b/pkg/server/server.go
@@ -122,8 +122,7 @@ func setUpEngine(cfg config.ServerConfig, shutdown chan os.Signal) *gin.Engine {
 gin.Recovery(),
 gin.Logger(),
 middleware.Errors(shutdown),
- // uncomment the below line to enable middle ware auth
- // see doc/config/auth.md for details
+ // uncomment the below line to enable middle ware auth, see doc/config/auth.md for details
 // middleware.AuthMiddleware()
 }
 if cfg.JagerEnabled {
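Review bot: The rewritten comment on the middlewares chain keeps the typo "middle ware" and says nothing about what the default actually is, although the still-commented `// middleware.AuthMiddleware()` directly below it means the engine is built without the auth middleware unless an operator edits this function. The auth.md hunk in the same commit sends readers here by "line 126" and shows this setUpEngine body under a heading that names authn.go, both of which will drift or mislead; anchoring the instruction on the comment text is more robust. A comment that states the posture at the point it is decided would read `// Bearer-token auth is disabled by default; uncomment middleware.AuthMiddleware() below to require it (see doc/config/auth.md).` setUpEngine starts and ends outside the hunk.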