Merge branch 'main' into LRS-30_xapi_2_0_0

Author: milt

doc/env_vars.md

@@ -129,7 +129,7 @@ _NOTE:_ `LRSQL_STMT_RETRY_LIMIT` and `LRSQL_STMT_RETRY_BUDGET` are used to mitig
 | `LRSQL_SSL_PORT`                  | `sslPort`                | The HTTPS port that the webserver will be open on.                                                                                                                                                                                                     | `8443`    |
 | `LRSQL_URL_PREFIX`                | `urlPrefix`              | The prefix of the webserver URL path, e.g. the prefix in `http://0.0.0.0:8080/xapi` is `/xapi`. Used when constructing the `more` value for multi-statement queries. Cannot start with `/admin`. *(Note: Only applies to LRS xapi endpoints, not admin/ui endpoints)*              | `/xapi`   |
 | `LRSQL_PROXY_PATH`                | `proxyPath`              | This path modification is exclusively for use with a proxy, such as apache or nginx or a load balancer, where a path is added to prefix the entire application (such as `https://www.mysystem.com/mylrs/xapi/statements`). This does not actually change the routes of the application, it informs the admin frontend where to look for the server endpoints based on the proxied setup, and thus must be used in conjunction with a third party proxy. If used, the value must start with a leading `/` but not end with one (e.g. `/mylrs` is valid, as is `/mylrs/b` but `/mylrs/` is not). Use with caution. | Not Set |
-| `LRSQL_AUTH_BY_CRED_ID`                | `authByCredId`              | Allows a call to the xAPI endpoints to use the admin account credentials/authorization instead of a call with raw xAPI credentials. Necessary when the xAPI endpoint is behind additional security/SSO and cannot have custom credentials in Authorization header. | false |
+| `LRSQL_AUTH_BY_CRED_ID`                | `authByCredId`              | Allows a call to some xAPI endpoints (GET and POST) to use the admin account credentials/authorization instead of a call with raw xAPI credentials. Necessary when the xAPI endpoint is behind additional security/SSO and cannot have custom credentials in Authorization header. | false |
 
 #### TLS/SSL Certificate
 

src/main/lrsql/admin/interceptors/xapi_credentials_override.clj

@@ -56,27 +56,29 @@
               true          (conj v)))
           (empty coll) coll))
 
+;; Paths which will also allow admin credentials override
+(def override-paths
+  #{["statements" :get]
+    ["statements" :post]})
+
 (defn add-credentials-override [routes validate-jwt oidc]
   (let [[decode validate _authorize ensure req] oidc
-        [_ _ interceptors :as statements-route]
-        (->> routes (some (fn [[path method :as r]]
-                            (when (= ["statements" :get]
-                                     [(last (string/split path #"/")) method])
-                              r))))
         payload-interceptors (conj
                               ;;oidc interceptors, minus _authorize
                               (filterv identity [decode
                                                  validate
                                                  ensure
                                                  req])
-                              validate-jwt 
+                              validate-jwt
                               replace-auth)
-        
-        new-interceptors (splice-before #(= (:name %) ::ai/lrs-authenticate)
-                                        (check-for-credential-id payload-interceptors)
-                                        interceptors)
-
-        new-route (assoc statements-route 2 new-interceptors)]
-    (-> routes
-        (disj statements-route)
-        (conj new-route))))
+        inject (fn [interceptors]
+                 (splice-before #(= (:name %) ::ai/lrs-authenticate)
+                                (check-for-credential-id payload-interceptors)
+                                interceptors))
+        match? (fn [[path method & _]]
+                 (override-paths [(last (string/split path #"/")) method]))
+        update-route (fn [r]
+                       (if (match? r)
+                         (update r 2 inject)
+                         r))]
+    (into (empty routes) (map update-route routes))))

src/test/lrsql/admin/route_test.clj

@@ -9,7 +9,6 @@
             [com.yetanalytics.lrs.protocol :as lrsp]
             [lrsql.backend.protocol :as bp]
             [lrsql.test-support :as support]
-            [lrsql.lrs-test :as lt]
             [lrsql.test-constants :as tc]
             [lrsql.util :as u]
             [lrsql.util.headers :as h]
@@ -123,6 +122,13 @@
                              {"Accept" "application/json"
                               "X-Experience-API-Version" "1.0.3"})}))
 
+(defn- post-statements-via-url-param [headers credential-id body]
+  (curl/post (str "http://0.0.0.0:8080/xapi/statements?credentialID=" credential-id)
+             {:headers (merge headers
+                              {"Accept" "application/json"
+                               "X-Experience-API-Version" "1.0.3"})
+              :body body}))
+
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; Tests
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -678,7 +684,6 @@
                [:webserver :jwt-no-val-role]     "/domain/app/ADMIN"
                [:webserver :auth-by-cred-id]     true})
         sys' (component/start sys)
-        lrs (:lrs sys')
         ds (get-in sys' [:lrs :connection :conn-pool])
         backend (:backend sys')
         ;; proxy jwt auth
@@ -720,9 +725,14 @@
               (jdbc/with-transaction [tx ds]
                 (bp/-query-credential-ids backend tx {:api-key api-key
                                                       :secret-key secret-key}))
-
-              _ (lrsp/-store-statements lrs tc/ctx auth-ident [lt/stmt-0] [])
-              {:keys [status body]} (get-statements-via-url-param headers credential-id)]
+              stmt-body 
+              (u/write-json-str 
+               (assoc stmt-0 :id "00000000-0000-4000-8000-000000000007"))
+              post-resp 
+              (post-statements-via-url-param headers credential-id stmt-body)
+              {:keys [status body]} 
+              (get-statements-via-url-param headers credential-id)]
+          (is (= (:status post-resp) 200))
           (is (= status 200))
           (is (seq ((u/parse-json body) "statements")))))