wip

invaliduser · invaliduser · commit 028c2fe8d5da · 2025-03-05T14:13:56.000-06:00
diff --git a/doc/env_vars.md b/doc/env_vars.md
@@ -197,6 +197,12 @@ These config vars enable and configure browser security response headers from th
 | `LRSQL_SEC_HEAD_CROSS_DOMAIN` | `secHeadCrossDomain` | `X-Permitted-Cross-Domain-Policies` | `none`                                |
 | `LRSQL_SEC_HEAD_CONTENT`      | `secHeadContent`     | `Content-Security-Policy`           | `object-src 'none'; script-src 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:;` |
 
+#### Proxy Settings
+
+| Env Var                           | Config                   | Description                                                                                                                                                                                                      | Default |
+| --------------------------------- | ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `LRSQL_AUTH_BY_CRED_Id` | `authByCredId` | Authorization workaround for when lrsql is running behind a proxy                                                                                                                              | `false` |
+
 #### Admin Features
 
 | Env Var                           | Config                   | Description                                                                                                                                                                                                      | Default |
diff --git a/resources/lrsql/config/prod/default/webserver.edn b/resources/lrsql/config/prod/default/webserver.edn
@@ -45,4 +45,6 @@
  :oidc-enable-local-admin   #boolean #or [#env LRSQL_OIDC_ENABLE_LOCAL_ADMIN false]
  :enable-clamav             #boolean #or [#env LRSQL_ENABLE_CLAMAV false]
  :clamav-host               #or [#env LRSQL_CLAMAV_HOST "localhost"]
- :clamav-port               #long #or [#env LRSQL_CLAMAV_PORT 3310]}
+ :clamav-port               #long #or [#env LRSQL_CLAMAV_PORT 3310]
+ :auth-by-cred-id           #boolean #or [#env LRSQL_AUTH_BY_CRED_ID false]
+ }
diff --git a/resources/lrsql/config/test/default/webserver.edn b/resources/lrsql/config/test/default/webserver.edn
@@ -35,4 +35,6 @@
  :oidc-enable-local-admin   false
  :enable-clamav             false
  :clamav-host               "localhost"
- :clamav-port               3310}
+ :clamav-port               3310
+ :auth-by-cred-id           false ;may need to be set to true if lrsql behind proxy
+ }
diff --git a/src/db/postgres/lrsql/postgres/record.clj b/src/db/postgres/lrsql/postgres/record.clj
@@ -221,6 +221,8 @@
     (query-credential-ids tx input))
   (-query-credential-scopes [_ tx input]
     (query-credential-scopes tx input))
+  (-query-credential-by-id [_ tx input]
+    (query-credential-by-id tx input))
 
   bp/BackendIOSetter
   (-set-read! [_]
diff --git a/src/db/postgres/lrsql/postgres/sql/query.sql b/src/db/postgres/lrsql/postgres/sql/query.sql
@@ -286,7 +286,7 @@ WHERE oidc_issuer IS NULL;
 -- :command :query
 -- :result :many
 -- :doc Query all credentials associated with `:account-id`.
-SELECT api_key, secret_key FROM lrs_credential
+SELECT id, api_key, secret_key FROM lrs_credential
 WHERE account_id = :account-id;
 
 -- :name query-credential-ids
@@ -305,6 +305,13 @@ SELECT scope FROM credential_to_scope
 WHERE api_key = :api-key
 AND secret_key = :secret-key;
 
+-- :name query-credential-by-id
+-- :command :query
+-- :result :one
+-- :doc Get credential by id
+SELECT id, api_key, secret_key, account_id FROM lrs_credential
+WHERE id = :id;
+
 /* LRS Status */
 
 -- :name query-statement-count
diff --git a/src/db/sqlite/lrsql/sqlite/record.clj b/src/db/sqlite/lrsql/sqlite/record.clj
@@ -262,6 +262,8 @@
     (query-credential-ids tx input))
   (-query-credential-scopes [_ tx input]
     (query-credential-scopes tx input))
+  (-query-credential-by-id [_ tx input]
+    (query-credential-by-id tx input))
 
   bp/BackendIOSetter
   (-set-read! [_]
diff --git a/src/db/sqlite/lrsql/sqlite/sql/query.sql b/src/db/sqlite/lrsql/sqlite/sql/query.sql
@@ -262,7 +262,7 @@ WHERE oidc_issuer IS NULL
 -- :command :query
 -- :result :many
 -- :doc Query all credentials associated with `:account-id`.
-SELECT api_key, secret_key FROM lrs_credential
+SELECT id, api_key, secret_key FROM lrs_credential
 WHERE account_id = :account-id
 
 -- :name query-credential-ids
@@ -281,6 +281,13 @@ SELECT scope FROM credential_to_scope
 WHERE api_key = :api-key
 AND secret_key = :secret-key
 
+-- :name query-credential-by-id
+-- :command :query
+-- :result :one
+-- :doc Get credential by id
+SELECT id, api_key, secret_key, account_id FROM lrs_credential
+WHERE id = :id
+
 /* LRS Status */
 
 -- :name query-statement-count
diff --git a/src/dev/lrsql/user.clj b/src/dev/lrsql/user.clj
@@ -5,7 +5,6 @@
             [next.jdbc :as jdbc]
             [com.yetanalytics.lrs.protocol :as lrsp]
             [lrsql.admin.protocol :as adp]
-            [lrsql.util :as u]
             [lrsql.util.actor :as a-util]))
 
 
diff --git a/src/main/lrsql/admin/interceptors/ui.clj b/src/main/lrsql/admin/interceptors/ui.clj
@@ -35,7 +35,8 @@
            no-val?
            no-val-logout-url
            stmt-get-max
-           proxy-path]
+           proxy-path
+           auth-by-cred-id]
     :or   {enable-admin-delete-actor false
            enable-admin-status false
            enable-reactions    false
@@ -61,7 +62,8 @@
                           :no-val?                   no-val?
                           :admin-language-code       admin-language-code
                           :custom-language           (custom-language-map)
-                          :stmt-get-max              stmt-get-max}
+                          :stmt-get-max              stmt-get-max
+                          :auth-by-cred-id           auth-by-cred-id}
                    (and no-val?
                         (not-empty no-val-logout-url))
                    (assoc :no-val-logout-url no-val-logout-url))
diff --git a/src/main/lrsql/admin/routes.clj b/src/main/lrsql/admin/routes.clj
@@ -342,7 +342,8 @@
            enable-reaction-routes
            oidc-interceptors
            oidc-ui-interceptors
-           head-opts]
+           head-opts
+           auth-by-cred-id]
     :or   {oidc-interceptors     []
            oidc-ui-interceptors  []
            enable-account-routes true}}
@@ -373,7 +374,9 @@
                     :proxy-path                proxy-path
                     :stmt-get-max              stmt-get-max
                     :enable-admin-delete-actor enable-admin-delete-actor
-                    :admin-language-code       admin-language-code}))
+                    :admin-language-code       admin-language-code
+                    :auth-by-cred-id           auth-by-cred-id
+                    }))
                 (when enable-admin-status
                   (admin-status-routes
                    common-interceptors-oidc secret leeway no-val-opts))
diff --git a/src/main/lrsql/auth/interceptor.clj b/src/main/lrsql/auth/interceptor.clj
@@ -0,0 +1,24 @@
+(ns lrsql.auth.interceptor
+  (:require
+   [lrsql.input.auth :as auth-input]
+   [lrsql.ops.query.auth :as auth-q]
+   [lrsql.util :as util]
+   [next.jdbc :as jdbc]))
+
+(defn auth-by-cred-id-interceptor [lrs]
+  {:name ::auth-by-cred-id-interceptor
+   :enter (fn auth-by-cred-id-interceptor [ctx]
+            (let [modded-ctx
+                  (when-let [cred-id (get-in ctx [:request :params :credentialID])]
+                    (let [conn (-> lrs :connection :conn-pool)
+                          backend (:backend lrs)
+                          input (auth-input/query-credential-by-id-input cred-id)
+                          {api-key :api_key secret-key :secret_key}
+                          (jdbc/with-transaction [tx conn]
+                            (auth-q/query-credential-by-id backend tx input))]
+                      (when (and api-key secret-key)
+                        (let [base64 (util/str->base64encoded-str (str api-key ":" secret-key))]
+                          (-> ctx (update-in [:request :params] dissoc :credentialID)
+                              (assoc-in [:request :headers "authorization"]
+                                        (str "Basic " base64)))))))]
+              (or modded-ctx ctx)))})
diff --git a/src/main/lrsql/backend/protocol.clj b/src/main/lrsql/backend/protocol.clj
@@ -117,7 +117,8 @@
   ;; Queries
   (-query-credentials [this tx input])
   (-query-credential-ids [this tx input])
-  (-query-credential-scopes [this tx input]))
+  (-query-credential-scopes [this tx input])
+  (-query-credential-by-id [this tx input]))
 
 (defprotocol AdminStatusBackend
   ;; Queries
diff --git a/src/main/lrsql/input/auth.clj b/src/main/lrsql/input/auth.clj
@@ -125,3 +125,10 @@
     :secret-key    secret-key
     :authority-fn  authority-fn
     :authority-url authority-url}))
+
+(s/fdef query-credential-by-id-input
+  :args (s/cat :id string?)
+  :ret (s/keys :req-un [::id]))
+
+(defn query-credential-by-id-input [id]
+  {:id id})
diff --git a/src/main/lrsql/ops/query/auth.clj b/src/main/lrsql/ops/query/auth.clj
@@ -79,8 +79,8 @@
   [bk tx input]
   (let [creds  (->> input
                     (bp/-query-credentials bk tx)
-                    (map (fn [{ak :api_key sk :secret_key}]
-                           {:api-key ak :secret-key sk})))
+                    (map (fn [{id :id ak :api_key sk :secret_key}]
+                           {:id id :api-key ak :secret-key sk})))
         scopes (doall (map (fn [cred]
                              (->> cred
                                   (bp/-query-credential-scopes bk tx)
@@ -90,3 +90,17 @@
             (assoc cred :scopes (set cred-scopes)))
           creds
           scopes)))
+
+#_(s/fdef query-credential-by-id
+  :args (s/cat :bk as/credential-backend?
+               :tx transaction?
+               :input as/query-cred-by-id-input-spec)
+  :ret (s/keys :req-un [::id string?
+                        ::api-key string?
+                        ::secret-key string?
+                        ::account-id string?]))
+
+(defn query-credential-by-id
+  "Given an input containing `:id`, return a map containing `:id`, `:api-key`, `:secret-key`, `:account-id`"
+  [bk tx input]
+  (bp/-query-credential-by-id bk tx input))
diff --git a/src/main/lrsql/spec/auth.clj b/src/main/lrsql/spec/auth.clj
@@ -86,7 +86,8 @@
 (def scoped-key-pair-spec
   (s/keys :req-un [::api-key
                    ::secret-key
-                   ::scopes]))
+                   ::scopes]
+          :opt-un [::id]))
 
 (def key-pair-args-spec
   (s/alt :map  key-pair-spec
@@ -154,3 +155,6 @@
                    ::secret-key
                    ::ats/authority-url
                    ::ats/authority-fn]))
+
+(def query-cred-by-id-input-spec
+  (s/keys :req-un [::id]))
diff --git a/src/main/lrsql/system/webserver.clj b/src/main/lrsql/system/webserver.clj
@@ -6,6 +6,7 @@
             [com.yetanalytics.lrs.pedestal.routes :refer [build]]
             [com.yetanalytics.lrs.pedestal.interceptor :as i]
             [lrsql.admin.routes :refer [add-admin-routes add-openapi-route]]
+            [lrsql.auth.interceptor :as auth-interceptor]
             [lrsql.init.oidc :as oidc]
             [lrsql.init.clamav :as clamav]
             [lrsql.init.git-data :refer [read-version]]
@@ -51,10 +52,12 @@
                 jwt-common-secret
                 enable-clamav
                 clamav-host
-                clamav-port]
+                clamav-port
+                auth-by-cred-id]
          jwt-exp :jwt-exp-time
          jwt-lwy :jwt-exp-leeway
          jwt-ref :jwt-refresh-exp-time}
+
         config
         ;; Keystore and private key
         ;; The private key is used as the JWT symmetric secret
@@ -83,10 +86,12 @@
         routes
         (->> (build {:lrs               lrs
                      :path-prefix       url-prefix
-                     :wrap-interceptors (into
-                                         [i/error-interceptor
-                                          (handle-json-parse-exn)]
-                                         oidc-resource-interceptors)
+                     :wrap-interceptors
+                     (vec (apply concat
+                                (when auth-by-cred-id [(auth-interceptor/auth-by-cred-id-interceptor lrs)])
+                                [i/error-interceptor
+                                 (handle-json-parse-exn)]
+                                oidc-resource-interceptors))
                      :file-scanner      (when enable-clamav
                                           (clamav/init-file-scanner
                                            {:clamav-host clamav-host
@@ -115,7 +120,9 @@
                :enable-reaction-routes    enable-reactions
                :oidc-interceptors         oidc-admin-interceptors
                :oidc-ui-interceptors      oidc-admin-ui-interceptors
-               :head-opts                 head-opts})
+               :head-opts                 head-opts
+               :auth-by-cred-id           auth-by-cred-id})
+
              (add-openapi-route
               {:lrs lrs
                :head-opts head-opts
diff --git a/src/test/lrsql/admin/protocol_test.clj b/src/test/lrsql/admin/protocol_test.clj
@@ -326,10 +326,11 @@
                   :scopes     #{"all" "all/read"}}
                  key-pair))
           (testing "and credential retrieval"
-            (is (= [{:api-key    api-key
-                     :secret-key secret-key
-                     :scopes     #{"all" "all/read"}}]
-                   (adp/-get-api-keys lrs acc-id))))
+            (is (let [[result] (adp/-get-api-keys lrs acc-id)]
+                  (= {:api-key api-key
+                      :secret-key secret-key
+                      :scopes #{"all" "all/read"}}
+                     (dissoc result :id)))))
           (testing "and credential update"
             (is (= {:api-key    api-key
                     :secret-key secret-key
@@ -342,12 +343,13 @@
                     api-key
                     secret-key
                     #{"all/read" "statements/read" "statements/read/mine"})))
-            (is (= [{:api-key    api-key
-                     :secret-key secret-key
-                     :scopes     #{"all/read"
-                                   "statements/read"
-                                   "statements/read/mine"}}]
-                   (adp/-get-api-keys lrs acc-id))))
+            (is (let [[result] (adp/-get-api-keys lrs acc-id)]
+                  (= {:api-key api-key
+                      :secret-key secret-key
+                      :scopes #{"all/read"
+                                "statements/read"
+                                "statements/read/mine"}}
+                     (dissoc result :id)))))
           (testing "and credential deletion"
             (adp/-delete-api-keys lrs acc-id api-key secret-key)
             (is (= []
diff --git a/src/test/lrsql/admin/route_test.clj b/src/test/lrsql/admin/route_test.clj
@@ -692,7 +692,8 @@
                          (u/parse-json :object? false)
                          (#(filter (fn [cred] (= (get cred "api-key") api-key))
                                    %))
-                         first)))))
+                         first
+                         (dissoc "id") )))))
           (testing "and updating"
             (let [req-scopes
                   ["all/read" "statements/read" "statements/read/mine"]
@@ -772,3 +773,4 @@
                              edn-res)))))))
       (finally
         (component/stop sys')))))
+
