[#231] support core bbs

.secrets.baseline

@@ -164,50 +164,50 @@
         "filename": "driver/web/auth.go",
         "hashed_secret": "47ba63d38f624336f93ea4e976b53a00d6f0337c",
         "is_verified": false,
-        "line_number": 131,
+        "line_number": 136,
         "is_secret": false
       },
       {
         "type": "Secret Keyword",
         "filename": "driver/web/auth.go",
-        "hashed_secret": "bfd9e18ca4489720cec5bb4b3b28e4edad02c45a",
+        "hashed_secret": "29c5221433db8490856f84161d8fa06fc05e179b",
         "is_verified": false,
-        "line_number": 209,
+        "line_number": 227,
         "is_secret": false
       },
       {
         "type": "Secret Keyword",
         "filename": "driver/web/auth.go",
         "hashed_secret": "d3f775338d6d042e1b687982d84e392d041f3b0b",
         "is_verified": false,
-        "line_number": 224,
+        "line_number": 249,
         "is_secret": false
       },
       {
         "type": "Secret Keyword",
         "filename": "driver/web/auth.go",
         "hashed_secret": "2ae54691ede74558dc887d397903a79031def7f8",
         "is_verified": false,
-        "line_number": 281,
+        "line_number": 306,
         "is_secret": false
       },
       {
         "type": "Secret Keyword",
         "filename": "driver/web/auth.go",
         "hashed_secret": "32af2ceba9eb2748e8bd9f6ebd4450a6b0271a5e",
         "is_verified": false,
-        "line_number": 285,
+        "line_number": 310,
         "is_secret": false
       },
       {
         "type": "Secret Keyword",
         "filename": "driver/web/auth.go",
         "hashed_secret": "a23be006fadbd85ce60d87580e3f127c58a824ce",
         "is_verified": false,
-        "line_number": 295,
+        "line_number": 320,
         "is_secret": false
       }
     ]
   },
-  "generated_at": "2022-12-01T17:05:51Z"
+  "generated_at": "2023-06-06T20:05:55Z"
 }

CHANGELOG.md

@@ -5,6 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## Unreleased
+- Support Core BB service tokens [#231](https://github.com/rokwire/groups-building-block/issues/231)
 
 ## [1.18.2] - 2023-05-03
 - Fix research groups handling for the internal APIs [#376](https://github.com/rokwire/groups-building-block/issues/376)

Dockerfile

@@ -18,6 +18,7 @@ COPY --from=builder /groups-app/driver/web/authorization_policy.csv /driver/web/
 
 COPY --from=builder /groups-app/driver/web/permissions_authorization_policy.csv /driver/web/permissions_authorization_policy.csv
 COPY --from=builder /groups-app/driver/web/scope_authorization_policy.csv /driver/web/scope_authorization_policy.csv
+COPY --from=builder /groups-app/driver/web/bbs_permmission_policy.csv /driver/web/bbs_permmission_policy.csv
 
 COPY --from=builder /groups-app/vendor/github.com/rokwire/core-auth-library-go/v2/authorization/authorization_model_scope.conf /groups-app/vendor/github.com/rokwire/core-auth-library-go/v2/authorization/authorization_model_scope.conf
 COPY --from=builder /groups-app/vendor/github.com/rokwire/core-auth-library-go/v2/authorization/authorization_model_string.conf /groups-app/vendor/github.com/rokwire/core-auth-library-go/v2/authorization/authorization_model_string.conf

README.md

@@ -40,6 +40,7 @@ ROKWIRE_API_KEYS | < string (comma-separated) > | yes | List of API keys to be u
 AUTHMAN_ADMIN_UIN_LIST | < string (comma-separated) > | yes | List of UINs for admin users used when loading data from AuthMan
 GR_SERVICE_ACCOUNT_ID | < string > | yes | ID of Service Account for Groups BB
 GR_PRIV_KEY | < string > | yes | PEM encoded private key for Groups BB
+GR_SERVICE_ACCOUNT_ID | < string> | yes | Service account id groups building block
 
 ### Run Application
 

driven/corebb/adapter.go

@@ -25,7 +25,7 @@ import (
 	"net/http"
 	"strings"
 
-	"github.com/rokwire/core-auth-library-go/v2/authservice"
+	"github.com/rokwire/core-auth-library-go/v3/authservice"
 )
 
 // Adapter implements the Core interface

driven/notifications/adapter.go

@@ -23,7 +23,7 @@ import (
 	"log"
 	"net/http"
 
-	"github.com/rokwire/core-auth-library-go/v2/authservice"
+	"github.com/rokwire/core-auth-library-go/v3/authservice"
 )
 
 // Adapter implements the Notifications interface

driver/web/adapter.go

@@ -24,7 +24,10 @@ import (
 	"net/http"
 
 	"github.com/casbin/casbin"
-	"github.com/rokwire/core-auth-library-go/v2/authservice"
+	"github.com/rokwire/core-auth-library-go/v3/authservice"
+	"github.com/rokwire/core-auth-library-go/v3/tokenauth"
+	"github.com/rokwire/logging-library-go/v2/logs"
+	"github.com/rokwire/logging-library-go/v2/logutils"
 
 	"github.com/gorilla/mux"
 
@@ -39,8 +42,13 @@ type Adapter struct {
 	apisHandler         *rest.ApisHandler
 	adminApisHandler    *rest.AdminApisHandler
 	internalApisHandler *rest.InternalApisHandler
+	bbsAPIsHandler      *rest.BBsAPIsHandler
+
+	logger *logs.Logger
 }
 
+type handlerFunc = func(*logs.Log, *http.Request, *tokenauth.Claims) logs.HTTPResponse
+
 // @title Rokwire Groups Building Block API
 // @description Rokwire Groups Building Block API Documentation.
 // @version 1.18.2
@@ -67,7 +75,7 @@ func (we *Adapter) Start() {
 	subrouter := router.PathPrefix("/gr").Subrouter()
 	subrouter.PathPrefix("/doc/ui").Handler(we.serveDocUI())
 	subrouter.HandleFunc("/doc", we.serveDoc)
-	subrouter.HandleFunc("/version", we.wrapFunc(we.apisHandler.Version)).Methods("GET")
+	subrouter.HandleFunc("/version", we.wrapFunc(we.apisHandler.Version, nil)).Methods("GET")
 
 	//handle rest apis
 	restSubrouter := router.PathPrefix("/gr/api").Subrouter()
@@ -158,9 +166,52 @@ func (we *Adapter) Start() {
 	restSubrouter.HandleFunc("/group/{group-id}/events", we.mixedAuthWrapFunc(we.apisHandler.GetGroupEvents)).Methods("GET")
 	restSubrouter.HandleFunc("/group/{group-id}/events/v2", we.mixedAuthWrapFunc(we.apisHandler.GetGroupEventsV2)).Methods("GET")
 
+	// BB APIs
+	bbsRouter := restSubrouter.PathPrefix("/bbs").Subrouter()
+	bbsRouter.HandleFunc("/user/{identifier}/groups", we.internalKeyAuthFunc(we.bbsAPIsHandler.BBsGetUserGroupMemberships)).Methods("GET")
+	bbsRouter.HandleFunc("/group/{identifier}", we.internalKeyAuthFunc(we.bbsAPIsHandler.BBsGetGroup)).Methods("GET")
+	bbsRouter.HandleFunc("/group/title/{title}/members", we.internalKeyAuthFunc(we.bbsAPIsHandler.BBsGetGroupMembersByGroupTitle)).Methods("GET")
+	bbsRouter.HandleFunc("/authman/synchronize", we.internalKeyAuthFunc(we.bbsAPIsHandler.SynchronizeAuthman)).Methods("POST")
+	bbsRouter.HandleFunc("/stats", we.internalKeyAuthFunc(we.bbsAPIsHandler.GroupStats)).Methods("GET")
+	bbsRouter.HandleFunc("/group/{group-id}/date_updated", we.internalKeyAuthFunc(we.bbsAPIsHandler.UpdateGroupDateUpdated)).Methods("POST")
+	bbsRouter.HandleFunc("/group/{group-id}/events", we.internalKeyAuthFunc(we.bbsAPIsHandler.CreateGroupEvent)).Methods("POST")
+	bbsRouter.HandleFunc("/group/{group-id}/events/{event-id}", we.internalKeyAuthFunc(we.bbsAPIsHandler.DeleteGroupEvent)).Methods("DELETE")
+	bbsRouter.HandleFunc("/group/{group-id}/notification", we.internalKeyAuthFunc(we.bbsAPIsHandler.SendGroupNotification)).Methods("POST")
+
+	//TP APIs
+	// tpsRouter := mainRouter.PathPrefix("/tps").Subrouter()
+
 	log.Fatal(http.ListenAndServe(":80", router))
 }
 
+func (we Adapter) wrapFunc(handler handlerFunc, authorization tokenauth.Handler) http.HandlerFunc {
+	return func(w http.ResponseWriter, req *http.Request) {
+		logObj := we.logger.NewRequestLog(req)
+
+		logObj.RequestReceived()
+
+		var response logs.HTTPResponse
+		if authorization != nil {
+			responseStatus, claims, err := authorization.Check(req)
+			if err != nil {
+				logObj.SendHTTPResponse(w, logObj.HTTPResponseErrorAction(logutils.ActionValidate, logutils.TypeRequest, nil, err, responseStatus, true))
+				return
+			}
+
+			//do not crash the service if the deprecated internal auth type is used
+			if claims != nil {
+				logObj.SetContext("account_id", claims.Subject)
+			}
+			response = handler(logObj, req, claims)
+		} else {
+			response = handler(logObj, req, nil)
+		}
+
+		logObj.SendHTTPResponse(w, response)
+		logObj.RequestComplete()
+	}
+}
+
 func (we Adapter) serveDoc(w http.ResponseWriter, r *http.Request) {
 	w.Header().Add("access-control-allow-origin", "*")
 	http.ServeFile(w, r, "./docs/swagger.yaml")
@@ -171,13 +222,13 @@ func (we Adapter) serveDocUI() http.Handler {
 	return httpSwagger.Handler(httpSwagger.URL(url))
 }
 
-func (we *Adapter) wrapFunc(handler http.HandlerFunc) http.HandlerFunc {
-	return func(w http.ResponseWriter, req *http.Request) {
-		utils.LogRequest(req)
+// func (we *Adapter) wrapFunc(handler http.HandlerFunc) http.HandlerFunc {
+// 	return func(w http.ResponseWriter, req *http.Request) {
+// 		utils.LogRequest(req)
 
-		handler(w, req)
-	}
-}
+// 		handler(w, req)
+// 	}
+// }
 
 type apiKeyAuthFunc = func(string, http.ResponseWriter, *http.Request)
 
@@ -302,11 +353,20 @@ func NewWebAdapter(app *core.Application, host string, supportedClientIDs []stri
 	internalAPIKey string, serviceRegManager *authservice.ServiceRegManager, groupServiceURL string) *Adapter {
 	authorization := casbin.NewEnforcer("driver/web/authorization_model.conf", "driver/web/authorization_policy.csv")
 
-	auth := NewAuth(app, host, supportedClientIDs, appKeys, internalAPIKey, oidcProvider, oidcClientID, oidcExtendedClientIDs, oidcAdminClientID,
+	auth, err := NewAuth(app, host, supportedClientIDs, appKeys, internalAPIKey, oidcProvider, oidcClientID, oidcExtendedClientIDs, oidcAdminClientID,
 		oidcAdminWebClientID, serviceRegManager, groupServiceURL, authorization)
+	if err != nil {
+		log.Printf("error creating auth - %s", err.Error())
+	}
+
+	// auth, err := NewAuth(serviceRegManager, app)
+	// if err != nil {
+	//  logger.Fatalf("error creating auth - %s", err.Error())
+	// }
 	apisHandler := rest.NewApisHandler(app)
 	adminApisHandler := rest.NewAdminApisHandler(app)
 	internalApisHandler := rest.NewInternalApisHandler(app)
+	bbsApisHandler := rest.NewBBsAPIsHandler(app)
 
-	return &Adapter{host: host, auth: auth, apisHandler: apisHandler, adminApisHandler: adminApisHandler, internalApisHandler: internalApisHandler}
+	return &Adapter{host: host, auth: auth, apisHandler: apisHandler, adminApisHandler: adminApisHandler, internalApisHandler: internalApisHandler, bbsAPIsHandler: &bbsApisHandler}
 }

driver/web/auth.go

@@ -16,7 +16,6 @@ package web
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"groups/core"
 	"groups/core/model"
@@ -30,10 +29,13 @@ import (
 	"golang.org/x/sync/syncmap"
 
 	"github.com/casbin/casbin"
-	"github.com/rokwire/core-auth-library-go/v2/authorization"
-	"github.com/rokwire/core-auth-library-go/v2/authservice"
-	"github.com/rokwire/core-auth-library-go/v2/authutils"
-	"github.com/rokwire/core-auth-library-go/v2/tokenauth"
+	"github.com/rokwire/logging-library-go/v2/errors"
+	"github.com/rokwire/logging-library-go/v2/logutils"
+
+	"github.com/rokwire/core-auth-library-go/v3/authorization"
+	"github.com/rokwire/core-auth-library-go/v3/authservice"
+	"github.com/rokwire/core-auth-library-go/v3/authutils"
+	"github.com/rokwire/core-auth-library-go/v3/tokenauth"
 )
 
 // Auth handler
@@ -43,6 +45,9 @@ type Auth struct {
 	internalAuth *InternalAuth
 	adminAuth    *AdminAuth
 
+	bbs tokenauth.Handlers
+	tps tokenauth.Handlers
+
 	supportedClients []string
 }
 
@@ -187,7 +192,7 @@ func (auth *Auth) getIDToken(r *http.Request) *string {
 
 // NewAuth creates new auth handler
 func NewAuth(app *core.Application, host string, supportedClientIDs []string, appKeys []string, internalAPIKey string, oidcProvider string, oidcClientID string, oidcExtendedClientIDs string,
-	oidcAdminClientID string, oidcAdminWebClientID string, serviceRegManager *authservice.ServiceRegManager, groupServiceURL string, adminAuthorization *casbin.Enforcer) *Auth {
+	oidcAdminClientID string, oidcAdminWebClientID string, serviceRegManager *authservice.ServiceRegManager, groupServiceURL string, adminAuthorization *casbin.Enforcer) (*Auth, error) {
 	var tokenAuth *tokenauth.TokenAuth
 	if serviceRegManager != nil {
 		permissionAuth := authorization.NewCasbinStringAuthorization("driver/web/permissions_authorization_policy.csv")
@@ -206,8 +211,28 @@ func NewAuth(app *core.Application, host string, supportedClientIDs []string, ap
 	internalAuth := newInternalAuth(internalAPIKey)
 	adminAuth := newAdminAuth(app, oidcProvider, oidcAdminClientID, oidcAdminWebClientID, tokenAuth, adminAuthorization)
 
-	auth := Auth{apiKeysAuth: apiKeysAuth, idTokenAuth: idTokenAuth, internalAuth: internalAuth, adminAuth: adminAuth, supportedClients: supportedClientIDs}
-	return &auth
+	bbs, err := newBBsAuth(serviceRegManager)
+	if err != nil {
+		return nil, errors.WrapErrorAction(logutils.ActionCreate, "bbs auth", nil, err)
+	}
+	bbsHandlers := tokenauth.NewHandlers(bbs)
+
+	tps, err := newTPSAuth(serviceRegManager)
+	if err != nil {
+		return nil, errors.WrapErrorAction(logutils.ActionCreate, "tps auth", nil, err)
+	}
+	tpsHandlers := tokenauth.NewHandlers(tps)
+
+	auth := Auth{
+		apiKeysAuth:      apiKeysAuth,
+		idTokenAuth:      idTokenAuth,
+		internalAuth:     internalAuth,
+		adminAuth:        adminAuth,
+		supportedClients: supportedClientIDs,
+		bbs:              bbsHandlers,
+		tps:              tpsHandlers,
+	}
+	return &auth, nil
 }
 
 /////////////////////////////////////
@@ -223,7 +248,7 @@ func (auth *APIKeysAuth) check(apiKey *string, r *http.Request) bool {
 	//check if there is api key in the header
 	if apiKey == nil || len(*apiKey) == 0 {
 		if auth.coreTokenAuth != nil {
-			_, err := auth.coreTokenAuth.CheckRequestTokens(r)
+			_, err := auth.coreTokenAuth.CheckRequestToken(r)
 			if err == nil {
 				return true
 			}
@@ -321,7 +346,7 @@ func (auth *IDTokenAuth) check(clientID string, token *string, allowAnonymousCor
 	var coreErr error
 	if auth.coreTokenAuth != nil {
 		var claims *tokenauth.Claims
-		claims, coreErr = auth.coreTokenAuth.CheckRequestTokens(r)
+		claims, coreErr = auth.coreTokenAuth.CheckRequestToken(r)
 		if coreErr == nil && claims != nil && (allowAnonymousCoreToken || !claims.Anonymous) {
 			err := auth.coreTokenAuth.AuthorizeRequestScope(claims, r)
 			if err != nil {
@@ -520,7 +545,7 @@ func (auth *AdminAuth) check(clientID string, r *http.Request) (*model.User, boo
 	var coreErr error
 	if auth.coreTokenAuth != nil {
 		var claims *tokenauth.Claims
-		claims, coreErr = auth.coreTokenAuth.CheckRequestTokens(r)
+		claims, coreErr = auth.coreTokenAuth.CheckRequestToken(r)
 		if coreErr == nil && claims != nil && !claims.Anonymous {
 			err := auth.coreTokenAuth.AuthorizeRequestPermissions(claims, r)
 			if err != nil {
@@ -714,3 +739,49 @@ func newAdminAuth(app *core.Application, oidcProvider string, appClientID string
 		cachedUsers: cacheUsers, cachedUsersLock: lock, authorization: authorization}
 	return &auth
 }
+
+func newBBsAuth(serviceRegManager *authservice.ServiceRegManager) (*tokenauth.StandardHandler, error) {
+	bbsPermissionAuth := authorization.NewCasbinStringAuthorization("driver/web/bbs_permission_policy.csv")
+	bbsTokenAuth, err := tokenauth.NewTokenAuth(true, serviceRegManager, bbsPermissionAuth, nil)
+	if err != nil {
+		return nil, errors.WrapErrorAction(logutils.ActionStart, "bbs token auth", nil, err)
+	}
+
+	check := func(claims *tokenauth.Claims, req *http.Request) (int, error) {
+		if !claims.Service {
+			return http.StatusUnauthorized, errors.ErrorData(logutils.StatusInvalid, "service claim", nil)
+		}
+
+		if !claims.FirstParty {
+			return http.StatusUnauthorized, errors.ErrorData(logutils.StatusInvalid, "first party claim", nil)
+		}
+
+		return http.StatusOK, nil
+	}
+
+	auth := tokenauth.NewStandardHandler(bbsTokenAuth, check)
+	return auth, nil
+}
+
+func newTPSAuth(serviceRegManager *authservice.ServiceRegManager) (*tokenauth.StandardHandler, error) {
+	tpsPermissionAuth := authorization.NewCasbinStringAuthorization("driver/web/tps_permission_policy.csv")
+	tpsTokenAuth, err := tokenauth.NewTokenAuth(true, serviceRegManager, tpsPermissionAuth, nil)
+	if err != nil {
+		return nil, errors.WrapErrorAction(logutils.ActionStart, "tps token auth", nil, err)
+	}
+
+	check := func(claims *tokenauth.Claims, req *http.Request) (int, error) {
+		if !claims.Service {
+			return http.StatusUnauthorized, errors.ErrorData(logutils.StatusInvalid, "service claim", nil)
+		}
+
+		if claims.FirstParty {
+			return http.StatusUnauthorized, errors.ErrorData(logutils.StatusInvalid, "first party claim", nil)
+		}
+
+		return http.StatusOK, nil
+	}
+
+	auth := tokenauth.NewStandardHandler(tpsTokenAuth, check)
+	return auth, nil
+}

driver/web/bbs_permission_policy.csv

@@ -0,0 +1,12 @@
+p, all_user_identifier_groups, /gr/api/user/*/groups, (GET), All user identifer actions for Groups BB
+p, all_identifier_groups, /gr/api/group/*, (GET), All identifer actions for Groups BB
+p, all_member_title_groups, /gr/api/group/title/*/members, (GET), All group member title actions for Groups BB
+p, all_authman_groups, /gr/api/authman/synchronize, (POST), All authman actions for Groups BB
+p, all_stats_groups, /gr/api/stats, (Get), All stats actions for Groups BB
+p, all_date_groups, /gr/api/group/*/date_updated, (POST), All date actions for Groups BB
+p, all_events_groups, /gr/api/group/*/events, (POST), All date actions for Groups BB
+p, all_events_groups, /gr/api/group/*/events/*, (DELETE), All date actions for Groups BB
+p, all_notifications_groups, /gr/api/group/*/notification, (POST), All notification actions for Groups BB
+
+
+