Merge pull request #414 from bstasyszyn/405

refactor: Convert /sidetree endpoints to use auth token definitions

cmd/orb-server/startcmd/params.go

@@ -14,8 +14,7 @@ import (
 
 	"github.com/spf13/cobra"
 	cmdutils "github.com/trustbloc/edge-core/pkg/utils/cmd"
-
-	aphandler "github.com/trustbloc/orb/pkg/activitypub/resthandler"
+	"github.com/trustbloc/orb/pkg/httpserver/auth"
 )
 
 const (
@@ -137,11 +136,6 @@ const (
 	kmsSecretsDatabasePrefixFlagUsage = "An optional prefix to be used when creating and retrieving " +
 		"the underlying KMS secrets database. " + commonEnvVarUsageText + kmsSecretsDatabasePrefixEnvKey
 
-	tokenFlagName  = "api-token"
-	tokenEnvKey    = "ORB_API_TOKEN" //nolint: gosec
-	tokenFlagUsage = "Check for bearer token in the authorization header (optional). " +
-		commonEnvVarUsageText + tokenEnvKey
-
 	databaseTypeMemOption     = "mem"
 	databaseTypeCouchDBOption = "couchdb"
 	databaseTypeMYSQLDBOption = "mysql"
@@ -228,7 +222,6 @@ type orbParameters struct {
 	casType                   string
 	ipfsURL                   string
 	dbParameters              *dbParameters
-	token                     string
 	logLevel                  string
 	methodContext             []string
 	baseEnabled               bool
@@ -242,7 +235,7 @@ type orbParameters struct {
 	startupDelay              time.Duration
 	signWithLocalWitness      bool
 	httpSignaturesEnabled     bool
-	authTokenDefinitions      []*aphandler.AuthTokenDef
+	authTokenDefinitions      []*auth.TokenDef
 	authTokens                map[string]string
 }
 
@@ -396,11 +389,6 @@ func getOrbParameters(cmd *cobra.Command) (*orbParameters, error) {
 		return nil, err
 	}
 
-	token, err := cmdutils.GetUserSetVarFromString(cmd, tokenFlagName, tokenEnvKey, true)
-	if err != nil {
-		return nil, err
-	}
-
 	loggingLevel, err := cmdutils.GetUserSetVarFromString(cmd, LogLevelFlagName, LogLevelEnvKey, true)
 	if err != nil {
 		return nil, err
@@ -457,7 +445,6 @@ func getOrbParameters(cmd *cobra.Command) (*orbParameters, error) {
 		batchWriterTimeout:        batchWriterTimeout,
 		anchorCredentialParams:    anchorCredentialParams,
 		dbParameters:              dbParams,
-		token:                     token,
 		logLevel:                  loggingLevel,
 		discoveryDomains:          discoveryDomains,
 		discoveryMinimumResolvers: discoveryMinimumResolvers,
@@ -548,15 +535,15 @@ func getDBParameters(cmd *cobra.Command, kmOptional bool) (*dbParameters, error)
 	}, nil
 }
 
-func getAuthTokenDefinitions(cmd *cobra.Command) ([]*aphandler.AuthTokenDef, error) {
+func getAuthTokenDefinitions(cmd *cobra.Command) ([]*auth.TokenDef, error) {
 	authTokenDefsStr, err := cmdutils.GetUserSetVarFromArrayString(cmd, authTokensDefFlagName, authTokensDefEnvKey, true)
 	if err != nil {
 		return nil, err
 	}
 
 	logger.Debugf("Auth tokens definition: %s", authTokenDefsStr)
 
-	var authTokenDefs []*aphandler.AuthTokenDef
+	var authTokenDefs []*auth.TokenDef
 
 	for _, defStr := range authTokenDefsStr {
 		parts := strings.Split(defStr, "|")
@@ -575,7 +562,7 @@ func getAuthTokenDefinitions(cmd *cobra.Command) ([]*aphandler.AuthTokenDef, err
 			writeTokens = filterEmptyTokens(strings.Split(parts[2], "&"))
 		}
 
-		def := &aphandler.AuthTokenDef{
+		def := &auth.TokenDef{
 			EndpointExpression: parts[0],
 			ReadTokens:         readTokens,
 			WriteTokens:        writeTokens,
@@ -657,8 +644,6 @@ func createFlags(startCmd *cobra.Command) {
 	startCmd.Flags().StringP(kmsSecretsDatabaseURLFlagName, kmsSecretsDatabaseURLFlagShorthand, "",
 		kmsSecretsDatabaseURLFlagUsage)
 	startCmd.Flags().StringP(kmsSecretsDatabasePrefixFlagName, "", "", kmsSecretsDatabasePrefixFlagUsage)
-
-	startCmd.Flags().StringP(tokenFlagName, "", "", tokenFlagUsage)
 	startCmd.Flags().StringP(LogLevelFlagName, LogLevelFlagShorthand, "", LogLevelPrefixFlagUsage)
 	startCmd.Flags().StringArrayP(discoveryDomainsFlagName, "", []string{}, discoveryDomainsFlagUsage)
 	startCmd.Flags().StringP(discoveryMinimumResolversFlagName, "", "", discoveryMinimumResolversFlagUsage)

cmd/orb-server/startcmd/params_test.go

@@ -268,7 +268,7 @@ func TestStartCmdWithMissingArg(t *testing.T) {
 			"--" + ipfsURLFlagName, "localhost:8081",
 			"--" + batchWriterTimeoutFlagName, "abc",
 			"--" + didNamespaceFlagName, "namespace", "--" + databaseTypeFlagName, databaseTypeMemOption,
-			"--" + kmsSecretsDatabaseTypeFlagName, databaseTypeMemOption, "--" + tokenFlagName, "tk1",
+			"--" + kmsSecretsDatabaseTypeFlagName, databaseTypeMemOption,
 			"--" + anchorCredentialSignatureSuiteFlagName, "suite",
 			"--" + anchorCredentialDomainFlagName, "domain.com",
 			"--" + anchorCredentialIssuerFlagName, "issuer.com",
@@ -295,7 +295,7 @@ func TestStartCmdWithMissingArg(t *testing.T) {
 			"--" + ipfsURLFlagName, "localhost:8081",
 			"--" + maxWitnessDelayFlagName, "abc",
 			"--" + didNamespaceFlagName, "namespace", "--" + databaseTypeFlagName, databaseTypeMemOption,
-			"--" + kmsSecretsDatabaseTypeFlagName, databaseTypeMemOption, "--" + tokenFlagName, "tk1",
+			"--" + kmsSecretsDatabaseTypeFlagName, databaseTypeMemOption,
 			"--" + anchorCredentialSignatureSuiteFlagName, "suite",
 			"--" + anchorCredentialDomainFlagName, "domain.com",
 			"--" + anchorCredentialIssuerFlagName, "issuer.com",
@@ -323,7 +323,7 @@ func TestStartCmdWithMissingArg(t *testing.T) {
 			"--" + maxWitnessDelayFlagName, "5",
 			"--" + signWithLocalWitnessFlagName, "abc",
 			"--" + didNamespaceFlagName, "namespace", "--" + databaseTypeFlagName, databaseTypeMemOption,
-			"--" + kmsSecretsDatabaseTypeFlagName, databaseTypeMemOption, "--" + tokenFlagName, "tk1",
+			"--" + kmsSecretsDatabaseTypeFlagName, databaseTypeMemOption,
 			"--" + anchorCredentialSignatureSuiteFlagName, "suite",
 			"--" + anchorCredentialDomainFlagName, "domain.com",
 			"--" + anchorCredentialIssuerFlagName, "issuer.com",
@@ -350,7 +350,7 @@ func TestStartCmdWithMissingArg(t *testing.T) {
 			"--" + ipfsURLFlagName, "localhost:8081",
 			"--" + startupDelayFlagName, "abc",
 			"--" + didNamespaceFlagName, "namespace", "--" + databaseTypeFlagName, databaseTypeMemOption,
-			"--" + kmsSecretsDatabaseTypeFlagName, databaseTypeMemOption, "--" + tokenFlagName, "tk1",
+			"--" + kmsSecretsDatabaseTypeFlagName, databaseTypeMemOption,
 			"--" + anchorCredentialSignatureSuiteFlagName, "suite",
 			"--" + anchorCredentialDomainFlagName, "domain.com",
 			"--" + anchorCredentialIssuerFlagName, "issuer.com",
@@ -375,7 +375,7 @@ func TestStartCmdWithMissingArg(t *testing.T) {
 			"--" + casTypeFlagName, "ipfs",
 			"--" + ipfsURLFlagName, "localhost:8081",
 			"--" + didNamespaceFlagName, "namespace", "--" + databaseTypeFlagName, databaseTypeMemOption,
-			"--" + kmsSecretsDatabaseTypeFlagName, databaseTypeMemOption, "--" + tokenFlagName, "tk1",
+			"--" + kmsSecretsDatabaseTypeFlagName, databaseTypeMemOption,
 			"--" + anchorCredentialSignatureSuiteFlagName, "suite",
 			"--" + anchorCredentialDomainFlagName, "domain.com",
 			"--" + anchorCredentialIssuerFlagName, "issuer.com",
@@ -526,7 +526,7 @@ func TestStartCmdValidArgs(t *testing.T) {
 		"--" + signWithLocalWitnessFlagName, "false",
 		"--" + startupDelayFlagName, "1",
 		"--" + didNamespaceFlagName, "namespace", "--" + databaseTypeFlagName, databaseTypeMemOption,
-		"--" + kmsSecretsDatabaseTypeFlagName, databaseTypeMemOption, "--" + tokenFlagName, "tk1",
+		"--" + kmsSecretsDatabaseTypeFlagName, databaseTypeMemOption,
 		"--" + anchorCredentialSignatureSuiteFlagName, "suite",
 		"--" + anchorCredentialDomainFlagName, "domain.com",
 		"--" + anchorCredentialIssuerFlagName, "issuer.com",

cmd/orb-server/startcmd/start.go

@@ -45,8 +45,6 @@ import (
 	"github.com/hyperledger/aries-framework-go/spi/storage"
 	"github.com/spf13/cobra"
 	"github.com/trustbloc/edge-core/pkg/log"
-	"github.com/trustbloc/orb/pkg/activitypub/client"
-	"github.com/trustbloc/orb/pkg/activitypub/httpsig"
 	casapi "github.com/trustbloc/sidetree-core-go/pkg/api/cas"
 	"github.com/trustbloc/sidetree-core-go/pkg/api/protocol"
 	"github.com/trustbloc/sidetree-core-go/pkg/batch"
@@ -55,7 +53,9 @@ import (
 	restcommon "github.com/trustbloc/sidetree-core-go/pkg/restapi/common"
 	"github.com/trustbloc/sidetree-core-go/pkg/restapi/diddochandler"
 
+	"github.com/trustbloc/orb/pkg/activitypub/client"
 	"github.com/trustbloc/orb/pkg/activitypub/client/transport"
+	"github.com/trustbloc/orb/pkg/activitypub/httpsig"
 	aphandler "github.com/trustbloc/orb/pkg/activitypub/resthandler"
 	apservice "github.com/trustbloc/orb/pkg/activitypub/service"
 	"github.com/trustbloc/orb/pkg/activitypub/service/monitoring"
@@ -83,6 +83,7 @@ import (
 	localdiscovery "github.com/trustbloc/orb/pkg/discovery/did/local"
 	discoveryrest "github.com/trustbloc/orb/pkg/discovery/endpoint/restapi"
 	"github.com/trustbloc/orb/pkg/httpserver"
+	"github.com/trustbloc/orb/pkg/httpserver/auth"
 	"github.com/trustbloc/orb/pkg/observer"
 	"github.com/trustbloc/orb/pkg/protocolversion/factoryregistry"
 	"github.com/trustbloc/orb/pkg/resolver/document"
@@ -545,21 +546,24 @@ func startOrbServices(parameters *orbParameters) error {
 		dochandler.WithLabel("interim"),
 	)
 
+	authCfg := auth.Config{
+		AuthTokensDef: parameters.authTokenDefinitions,
+		AuthTokens:    parameters.authTokens,
+	}
+
 	apEndpointCfg := &aphandler.Config{
+		Config:                 authCfg,
 		BasePath:               activityPubServicesPath,
 		ObjectIRI:              apServiceIRI,
 		VerifyActorInSignature: parameters.httpSignaturesEnabled,
 		PageSize:               100, // TODO: Make configurable
-		AuthTokensDef:          parameters.authTokenDefinitions,
-		AuthTokens:             parameters.authTokens,
 	}
 
 	apTxnEndpointCfg := &aphandler.Config{
-		BasePath:      activityPubTransactionsPath,
-		ObjectIRI:     apTransactionsIRI,
-		PageSize:      100, // TODO: Make configurable
-		AuthTokensDef: parameters.authTokenDefinitions,
-		AuthTokens:    parameters.authTokens,
+		Config:    authCfg,
+		BasePath:  activityPubTransactionsPath,
+		ObjectIRI: apTransactionsIRI,
+		PageSize:  100, // TODO: Make configurable
 	}
 
 	orbResolver := document.NewResolveHandler(
@@ -586,8 +590,9 @@ func startOrbServices(parameters *orbParameters) error {
 
 	handlers := make([]restcommon.HTTPHandler, 0)
 
-	handlers = append(handlers, diddochandler.NewUpdateHandler(baseUpdatePath, didDocHandler, pc),
-		diddochandler.NewResolveHandler(baseResolvePath, orbResolver),
+	handlers = append(handlers,
+		auth.NewHandlerWrapper(authCfg, diddochandler.NewUpdateHandler(baseUpdatePath, didDocHandler, pc)),
+		auth.NewHandlerWrapper(authCfg, diddochandler.NewResolveHandler(baseResolvePath, orbResolver)),
 		activityPubService.InboxHTTPHandler(),
 		aphandler.NewServices(apEndpointCfg, apStore, publicKey),
 		aphandler.NewPublicKeys(apEndpointCfg, apStore, publicKey),
@@ -612,7 +617,6 @@ func startOrbServices(parameters *orbParameters) error {
 		parameters.hostURL,
 		parameters.tlsCertificate,
 		parameters.tlsKey,
-		parameters.token,
 		handlers...,
 	)
 

pkg/activitypub/resthandler/activityhandler_test.go

@@ -22,6 +22,7 @@ import (
 	"github.com/trustbloc/orb/pkg/activitypub/store/memstore"
 	"github.com/trustbloc/orb/pkg/activitypub/store/spi"
 	"github.com/trustbloc/orb/pkg/activitypub/vocab"
+	"github.com/trustbloc/orb/pkg/httpserver/auth"
 	"github.com/trustbloc/orb/pkg/internal/testutil"
 )
 
@@ -171,22 +172,24 @@ func TestActivities_Handler(t *testing.T) {
 		BasePath:  basePath,
 		ObjectIRI: serviceIRI,
 		PageSize:  4,
-		AuthTokensDef: []*AuthTokenDef{
-			{
-				EndpointExpression: "/services/orb/outbox",
-				ReadTokens:         []string{"admin", "read"},
-				WriteTokens:        []string{"admin"},
+		Config: auth.Config{
+			AuthTokensDef: []*auth.TokenDef{
+				{
+					EndpointExpression: "/services/orb/outbox",
+					ReadTokens:         []string{"admin", "read"},
+					WriteTokens:        []string{"admin"},
+				},
+				{
+					EndpointExpression: "/services/orb/inbox",
+					ReadTokens:         []string{"admin", "read"},
+					WriteTokens:        []string{"admin"},
+				},
 			},
-			{
-				EndpointExpression: "/services/orb/inbox",
-				ReadTokens:         []string{"admin", "read"},
-				WriteTokens:        []string{"admin"},
+			AuthTokens: map[string]string{
+				"read":  "READ_TOKEN",
+				"admin": "ADMIN_TOKEN",
 			},
 		},
-		AuthTokens: map[string]string{
-			"read":  "READ_TOKEN",
-			"admin": "ADMIN_TOKEN",
-		},
 	}
 
 	verifier := &mocks.SignatureVerifier{}
@@ -440,22 +443,24 @@ func TestReadOutbox_Handler(t *testing.T) {
 		BasePath:  basePath,
 		ObjectIRI: serviceIRI,
 		PageSize:  4,
-		AuthTokensDef: []*AuthTokenDef{
-			{
-				EndpointExpression: "/services/orb/outbox",
-				ReadTokens:         []string{"admin", "read"},
-				WriteTokens:        []string{"admin"},
+		Config: auth.Config{
+			AuthTokensDef: []*auth.TokenDef{
+				{
+					EndpointExpression: "/services/orb/outbox",
+					ReadTokens:         []string{"admin", "read"},
+					WriteTokens:        []string{"admin"},
+				},
+				{
+					EndpointExpression: "/services/orb/inbox",
+					ReadTokens:         []string{"admin", "read"},
+					WriteTokens:        []string{"admin"},
+				},
 			},
-			{
-				EndpointExpression: "/services/orb/inbox",
-				ReadTokens:         []string{"admin", "read"},
-				WriteTokens:        []string{"admin"},
+			AuthTokens: map[string]string{
+				"read":  "READ_TOKEN",
+				"admin": "ADMIN_TOKEN",
 			},
 		},
-		AuthTokens: map[string]string{
-			"read":  "READ_TOKEN",
-			"admin": "ADMIN_TOKEN",
-		},
 	}
 
 	t.Run("Authorized -> All items", func(t *testing.T) {
@@ -819,14 +824,16 @@ func TestActivity_Handler(t *testing.T) {
 			BasePath:               basePath,
 			ObjectIRI:              serviceIRI,
 			VerifyActorInSignature: true,
-			AuthTokensDef: []*AuthTokenDef{
-				{
-					EndpointExpression: "/services/orb/activities/.*",
-					ReadTokens:         []string{"read"},
+			Config: auth.Config{
+				AuthTokensDef: []*auth.TokenDef{
+					{
+						EndpointExpression: "/services/orb/activities/.*",
+						ReadTokens:         []string{"read"},
+					},
+				},
+				AuthTokens: map[string]string{
+					"read": "READ_TOKEN",
 				},
-			},
-			AuthTokens: map[string]string{
-				"read": "READ_TOKEN",
 			},
 		}