Merge pull request #107 from TomPallister/feature/tokens-work-across-ocelots

Feature/tokens work across ocelots
2025-04-22 14:02:49 +08:00 · 2017-06-24 13:11:18 +01:00 · 2017-06-24 13:11:18 +01:00 · 1f762601e5
commit 1f762601e5
parent bc7bfc8917 e96d66139f
15 changed files with 242 additions and 9 deletions
--- a/.gitignore
+++ b/.gitignore
@ -183,6 +183,7 @@ ClientBin/
 *.dbmdl
 *.dbproj.schemaview
 *.pfx
+!idsrv3test.pfx
 *.publishsettings
 node_modules/
 orleans.codegen.cs
--- a/src/Ocelot/Authentication/Handler/Creator/AuthenticationHandlerCreator.cs
+++ b/src/Ocelot/Authentication/Handler/Creator/AuthenticationHandlerCreator.cs
@ -1,3 +1,4 @@
+using System;
 using IdentityServer4.AccessTokenValidation;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Http;
--- a/src/Ocelot/Configuration/Creator/IdentityServerConfigurationCreator.cs
+++ b/src/Ocelot/Configuration/Creator/IdentityServerConfigurationCreator.cs
@ -13,6 +13,8 @@ namespace Ocelot.Configuration.Creator
            var username = Environment.GetEnvironmentVariable("OCELOT_USERNAME");
            var hash = Environment.GetEnvironmentVariable("OCELOT_HASH");
            var salt = Environment.GetEnvironmentVariable("OCELOT_SALT");
+            var credentialsSigningCertificateLocation = Environment.GetEnvironmentVariable("OCELOT_CERTIFICATE");
+            var credentialsSigningCertificatePassword = Environment.GetEnvironmentVariable("OCELOT_CERTIFICATE_PASSWORD");

            return new IdentityServerConfiguration(
                "admin",
@ -28,7 +30,9 @@ namespace Ocelot.Configuration.Creator
                new List<User>
                {
                    new User("admin", username, hash, salt)
-                }
+                },
+                credentialsSigningCertificateLocation,
+                credentialsSigningCertificatePassword
            );
        }
    }
--- a/src/Ocelot/Configuration/Provider/IIdentityServerConfiguration.cs
+++ b/src/Ocelot/Configuration/Provider/IIdentityServerConfiguration.cs
@ -17,5 +17,7 @@ namespace Ocelot.Configuration.Provider
        AccessTokenType AccessTokenType {get;}
        bool RequireClientSecret {get;}
        List<User> Users {get;}
+        string CredentialsSigningCertificateLocation { get; }
+        string CredentialsSigningCertificatePassword { get; }
    }
 }
--- a/src/Ocelot/Configuration/Provider/IdentityServerConfiguration.cs
+++ b/src/Ocelot/Configuration/Provider/IdentityServerConfiguration.cs
@ -17,7 +17,7 @@ namespace Ocelot.Configuration.Provider
            IEnumerable<string>  grantType,
            AccessTokenType accessTokenType,
            bool requireClientSecret,
-            List<User> users)
+            List<User> users, string credentialsSigningCertificateLocation, string credentialsSigningCertificatePassword)
        {
            ApiName = apiName;
            RequireHttps = requireHttps;
@ -30,6 +30,8 @@ namespace Ocelot.Configuration.Provider
            AccessTokenType = accessTokenType;
            RequireClientSecret = requireClientSecret;
            Users = users;
+            CredentialsSigningCertificateLocation = credentialsSigningCertificateLocation;
+            CredentialsSigningCertificatePassword = credentialsSigningCertificatePassword;
        }

        public string ApiName { get; private set; }
@ -43,5 +45,7 @@ namespace Ocelot.Configuration.Provider
        public AccessTokenType AccessTokenType {get;private set;}
        public bool RequireClientSecret {get;private set;}
        public List<User> Users {get;private set;}
+        public string CredentialsSigningCertificateLocation { get; private set; }
+        public string CredentialsSigningCertificatePassword { get; private set; }
    }
 }
--- a/src/Ocelot/DependencyInjection/ServiceCollectionExtensions.cs
+++ b/src/Ocelot/DependencyInjection/ServiceCollectionExtensions.cs
@ -41,6 +41,8 @@ using System.Collections.Generic;
 using System.Linq;
 using System.Net.Http;
 using System.Reflection;
+using System.Security.Cryptography.X509Certificates;
+using Microsoft.IdentityModel.Tokens;
 using Ocelot.Configuration;
 using FileConfigurationProvider = Ocelot.Configuration.Provider.FileConfigurationProvider;

@ -87,8 +89,10 @@ namespace Ocelot.DependencyInjection
            {
                services.TryAddSingleton<IIdentityServerConfiguration>(identityServerConfiguration);
                services.TryAddSingleton<IHashMatcher, HashMatcher>();
-                services.AddIdentityServer()
-                    .AddTemporarySigningCredential()
+                var identityServerBuilder = services
+                    .AddIdentityServer(options => {
+                        options.IssuerUri = "Ocelot";
+                    })
                    .AddInMemoryApiResources(new List<ApiResource>
                    {
                        new ApiResource
@ -120,6 +124,16 @@ namespace Ocelot.DependencyInjection
                            RequireClientSecret = identityServerConfiguration.RequireClientSecret
                        }
                    }).AddResourceOwnerValidator<OcelotResourceOwnerPasswordValidator>();
+
+                if (string.IsNullOrEmpty(identityServerConfiguration.CredentialsSigningCertificateLocation) || string.IsNullOrEmpty(identityServerConfiguration.CredentialsSigningCertificatePassword))
+                {
+                    identityServerBuilder.AddTemporarySigningCredential();
+                }
+                else
+                {
+                    var cert = new X509Certificate2(identityServerConfiguration.CredentialsSigningCertificateLocation, identityServerConfiguration.CredentialsSigningCertificatePassword);
+                    identityServerBuilder.AddSigningCredential(cert);
+                }
            }

            var assembly = typeof(FileConfigurationController).GetTypeInfo().Assembly;
--- a/src/Ocelot/Middleware/OcelotMiddlewareExtensions.cs
+++ b/src/Ocelot/Middleware/OcelotMiddlewareExtensions.cs
@ -181,7 +181,6 @@ namespace Ocelot.Middleware
                builder.Map(configuration.AdministrationPath, app =>
                {
                    var identityServerUrl = $"{baseSchemeUrlAndPort}/{configuration.AdministrationPath.Remove(0,1)}";
-
                    app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
                    {
                        Authority = identityServerUrl,
--- a/test/Ocelot.AcceptanceTests/Ocelot.AcceptanceTests.csproj
+++ b/test/Ocelot.AcceptanceTests/Ocelot.AcceptanceTests.csproj
@ -15,7 +15,7 @@
  </PropertyGroup>

  <ItemGroup>
-    <None Update="configuration.json">
+    <None Update="configuration.json;appsettings.json">
      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
    </None>
  </ItemGroup>
--- a/test/Ocelot.AcceptanceTests/appsettings.json
+++ b/test/Ocelot.AcceptanceTests/appsettings.json
@ -0,0 +1,10 @@
+{
+  "Logging": {
+    "IncludeScopes": true,
+    "LogLevel": {
+      "Default": "Error",
+      "System": "Error",
+      "Microsoft": "Error"
+    }
+  }
+}
--- a/test/Ocelot.IntegrationTests/AdministrationTests.cs
+++ b/test/Ocelot.IntegrationTests/AdministrationTests.cs
@ -19,15 +19,19 @@ namespace Ocelot.IntegrationTests
    public class AdministrationTests : IDisposable
    {
        private readonly HttpClient _httpClient;
+        private readonly HttpClient _httpClientTwo;
        private HttpResponseMessage _response;
        private IWebHost _builder;
        private IWebHostBuilder _webHostBuilder;
        private readonly string _ocelotBaseUrl;
        private BearerToken _token;
+        private IWebHostBuilder _webHostBuilderTwo;
+        private IWebHost _builderTwo;

        public AdministrationTests()
        {
            _httpClient = new HttpClient();
+            _httpClientTwo = new HttpClient();
            _ocelotBaseUrl = "http://localhost:5000";
            _httpClient.BaseAddress = new Uri(_ocelotBaseUrl);
        }
@ -70,6 +74,27 @@ namespace Ocelot.IntegrationTests
                 .BDDfy();
         }

+        [Fact]
+        public void should_be_able_to_use_token_from_ocelot_a_on_ocelot_b()
+        {
+            var configuration = new FileConfiguration
+            {
+                GlobalConfiguration = new FileGlobalConfiguration
+                {
+                    AdministrationPath = "/administration"
+                }
+            };
+
+            this.Given(x => GivenThereIsAConfiguration(configuration))
+                .And(x => GivenIdentityServerSigningEnvironmentalVariablesAreSet())
+                .And(x => GivenOcelotIsRunning())
+                .And(x => GivenIHaveAnOcelotToken("/administration"))
+                .And(x => GivenAnotherOcelotIsRunning("http://localhost:5007"))
+                .When(x => WhenIGetUrlOnTheSecondOcelot("/administration/configuration"))
+                .Then(x => ThenTheStatusCodeShouldBe(HttpStatusCode.OK))
+                .BDDfy();
+        }
+
        [Fact]
        public void should_return_file_configuration()
        {
@ -193,6 +218,36 @@ namespace Ocelot.IntegrationTests
                .BDDfy();
        }

+        private void GivenAnotherOcelotIsRunning(string baseUrl)
+        {
+            _httpClientTwo.BaseAddress = new Uri(baseUrl);
+
+            _webHostBuilderTwo = new WebHostBuilder()
+               .UseUrls(baseUrl)
+               .UseKestrel()
+               .UseContentRoot(Directory.GetCurrentDirectory())
+               .ConfigureServices(x => {
+                   x.AddSingleton(_webHostBuilderTwo);
+               })
+               .UseStartup<Startup>();
+
+            _builderTwo = _webHostBuilderTwo.Build();
+
+            _builderTwo.Start();
+        }
+
+        private void GivenIdentityServerSigningEnvironmentalVariablesAreSet()
+        {
+            Environment.SetEnvironmentVariable("OCELOT_CERTIFICATE", "idsrv3test.pfx");
+            Environment.SetEnvironmentVariable("OCELOT_CERTIFICATE_PASSWORD", "idsrv3test");
+        }
+
+        private void WhenIGetUrlOnTheSecondOcelot(string url)
+        {
+            _httpClientTwo.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", _token.AccessToken);
+            _response = _httpClientTwo.GetAsync(url).Result;
+        }
+
        private void WhenIPostOnTheApiGateway(string url, FileConfiguration updatedConfiguration)
        {
            var json = JsonConvert.SerializeObject(updatedConfiguration);
@ -305,6 +360,8 @@ namespace Ocelot.IntegrationTests

        public void Dispose()
        {
+            Environment.SetEnvironmentVariable("OCELOT_CERTIFICATE", "");
+            Environment.SetEnvironmentVariable("OCELOT_CERTIFICATE_PASSWORD", "");
            _builder?.Dispose();
            _httpClient?.Dispose();
        }
--- a/test/Ocelot.IntegrationTests/Ocelot.IntegrationTests.csproj
+++ b/test/Ocelot.IntegrationTests/Ocelot.IntegrationTests.csproj
@ -15,7 +15,7 @@
  </PropertyGroup>

  <ItemGroup>
-    <None Update="configuration.json;appsettings.json">
+    <None Update="configuration.json;appsettings.json;idsrv3test.pfx">
      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
    </None>
  </ItemGroup>
--- a/test/Ocelot.IntegrationTests/appsettings.json
+++ b/test/Ocelot.IntegrationTests/appsettings.json
@ -3,8 +3,8 @@
    "IncludeScopes": true,
    "LogLevel": {
      "Default": "Error",
-      "System": "Information",
-      "Microsoft": "Information"
+      "System": "Error",
+      "Microsoft": "Error"
    }
  }
 }
--- a/test/Ocelot.IntegrationTests/idsrv3test.pfx
+++ b/test/Ocelot.IntegrationTests/idsrv3test.pfx
--- a/test/Ocelot.UnitTests/Configuration/IdentityServerConfigurationCreatorTests.cs
+++ b/test/Ocelot.UnitTests/Configuration/IdentityServerConfigurationCreatorTests.cs
@ -0,0 +1,16 @@
+using Ocelot.Configuration.Creator;
+using Shouldly;
+using Xunit;
+
+namespace Ocelot.UnitTests.Configuration
+{
+    public class IdentityServerConfigurationCreatorTests
+    {
+        [Fact]
+        public void happy_path_only_exists_for_test_coverage_even_uncle_bob_probably_wouldnt_test_this()
+        {
+            var result = IdentityServerConfigurationCreator.GetIdentityServerConfiguration();
+            result.ApiName.ShouldBe("admin");
+        }
+    }
+}
--- a/test/Ocelot.UnitTests/Errors/ExceptionHandlerMiddlewareTests.cs
+++ b/test/Ocelot.UnitTests/Errors/ExceptionHandlerMiddlewareTests.cs
@ -0,0 +1,125 @@
+using System;
+using System.IO;
+using System.Net;
+using System.Net.Http;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.TestHost;
+using Microsoft.Extensions.DependencyInjection;
+using Moq;
+using Ocelot.DownstreamRouteFinder;
+using Ocelot.DownstreamUrlCreator;
+using Ocelot.DownstreamUrlCreator.UrlTemplateReplacer;
+using Ocelot.Errors.Middleware;
+using Ocelot.Infrastructure.RequestData;
+using Ocelot.Logging;
+using Ocelot.Responses;
+using Ocelot.Values;
+using Shouldly;
+using TestStack.BDDfy;
+using Xunit;
+
+namespace Ocelot.UnitTests.Errors
+{
+    public class ExceptionHandlerMiddlewareTests
+    {
+        private readonly Mock<IRequestScopedDataRepository> _scopedRepository;
+        private readonly string _url;
+        private TestServer _server;
+        private HttpClient _client;
+        private HttpResponseMessage _result;
+
+        public ExceptionHandlerMiddlewareTests()
+        {
+            _url = "http://localhost:52879";
+            _scopedRepository = new Mock<IRequestScopedDataRepository>();
+        }
+        
+        [Fact]
+        public void should_call_next_middleware()
+        {
+            this.Given(_ => GivenASuccessfulRequest())
+                .When(_ => WhenIMakeTheRequest())
+                .Then(_ => ThenTheResponseIsOk())
+                .BDDfy();
+        }
+
+        [Fact]
+        public void should_call_return_error()
+        {
+            this.Given(_ => GivenAnError())
+                .When(_ => WhenIMakeTheRequest())
+                .Then(_ => ThenTheResponseIsError())
+                .BDDfy();
+        }
+
+        private void ThenTheResponseIsOk()
+        {
+            _result.StatusCode.ShouldBe(HttpStatusCode.OK);
+        }
+
+         private void ThenTheResponseIsError()
+        {
+            _result.StatusCode.ShouldBe(HttpStatusCode.InternalServerError);
+        }
+
+        private void WhenIMakeTheRequest()
+        {
+            _result = _client.GetAsync("/").Result;
+        }
+
+        private void GivenASuccessfulRequest()
+        {
+            var builder = new WebHostBuilder()
+              .ConfigureServices(x =>
+              {
+                  x.AddSingleton<IOcelotLoggerFactory, AspDotNetLoggerFactory>();
+                  x.AddLogging();
+                  x.AddSingleton(_scopedRepository.Object);
+              })
+              .UseUrls(_url)
+              .UseKestrel()
+              .UseContentRoot(Directory.GetCurrentDirectory())
+              .UseIISIntegration()
+              .UseUrls(_url)
+              .Configure(app =>
+              {
+                  app.UseExceptionHandlerMiddleware();
+                  app.Run(async context =>
+                    {
+                        context.Response.StatusCode = 200;
+                    });
+              });
+
+            _server = new TestServer(builder);
+            _client = _server.CreateClient();
+        }
+
+        private void GivenAnError()
+        {
+            var builder = new WebHostBuilder()
+              .ConfigureServices(x =>
+              {
+                  x.AddSingleton<IOcelotLoggerFactory, AspDotNetLoggerFactory>();
+                  x.AddLogging();
+                  x.AddSingleton(_scopedRepository.Object);
+              })
+              .UseUrls(_url)
+              .UseKestrel()
+              .UseContentRoot(Directory.GetCurrentDirectory())
+              .UseIISIntegration()
+              .UseUrls(_url)
+              .Configure(app =>
+              {
+                    app.UseExceptionHandlerMiddleware();
+                    app.Use(async (context, next) =>
+                    {
+                        throw new Exception("BOOM");
+                    });
+              });
+
+            _server = new TestServer(builder);
+            _client = _server.CreateClient();
+        }
+    }
+}