Certificate option name consistency

aserto-dev · Jul 3, 2024 · 11b9648 · 11b9648
1 parent cf7c409
commit 11b9648
Show file tree

Hide file tree

Showing 12 changed files with 345 additions and 100 deletions.
diff --git a/README.md b/README.md
@@ -48,7 +48,7 @@ type AuthorizerConfig = {
   tenantId?: string;
   authorizerApiKey?: string;
   token?: string;
-  authorizerCertFile?: string;
+  caFile?: string;
   insecure?: boolean;
 };
 ```
@@ -63,14 +63,14 @@ const authClient = new Authorizer({
 - `authorizerServiceUrl`: hostname:port of authorizer service (_required_)
 - `authorizerApiKey`: API key for authorizer service (_required_ if using hosted authorizer)
 - `tenantId`: Aserto tenant ID (_required_ if using hosted authorizer)
-- `authorizerCertFile`: Path to the authorizer CA file. (optional)
+- `caFile`: Path to the authorizer CA file. (optional)
 - `insecure`: Skip server certificate and domain verification. (NOT SECURE!). Defaults to `false`.
 
 ### Topaz
 ```ts
 const authClient = new Authorizer({
   authorizerServiceUrl: "localhost:8282",
-  authorizerCertFile: `${process.env.HOME}/.local/share/topaz/certs/grpc-ca.crt`
+  caFile: `${process.env.HOME}/.local/share/topaz/certs/grpc-ca.crt`
 });
 ```
 
@@ -86,7 +86,7 @@ import {
 const authClient = new Authorizer(
   {
     authorizerServiceUrl: "localhost:8282",
-    authorizerCertFile: `${process.env.HOME}/.local/share/topaz/certs/grpc-ca.crt`
+    caFile: `${process.env.HOME}/.local/share/topaz/certs/grpc-ca.crt`
   },
 );
 
@@ -820,7 +820,7 @@ By default, `jwtAuthz` derives the policy file name and resource key from the Ex
 - `instanceLabel`: instance label (_required_ if using hosted authorizer)
 - `authorizerApiKey`: API key for authorizer service (_required_ if using hosted authorizer)
 - `tenantId`: Aserto tenant ID (_required_ if using hosted authorizer)
-- `authorizerCertFile`: location on the filesystem of the CA certificate that signed the Aserto authorizer self-signed certificate. See the "Certificates" section for more information.
+- `caFile`: location on the filesystem of the CA certificate that signed the Aserto authorizer self-signed certificate. See the "Certificates" section for more information.
 - `disableTlsValidation`: ignore TLS certificate validation when creating a TLS connection to the authorizer. Defaults to false.
 - `failWithError`: When set to `true`, will forward errors to `next` instead of ending the response directly.
 - `useAuthorizationHeader`: When set to `true`, will forward the Authorization header to the authorizer. The authorizer will crack open the JWT and use that as the identity context. Defaults to `true`.
@@ -869,7 +869,7 @@ app.use(displayStateMap(options));
 - `instanceLabel`: instance label (_required_ if using hosted authorizer)
 - `authorizerApiKey`: API key for authorizer service (_required_ if using hosted authorizer)
 - `tenantId`: Aserto tenant ID (_required_ if using hosted authorizer)
-- `authorizerCertFile`: location on the filesystem of the CA certificate that signed the Aserto authorizer self-signed certificate. See the "Certificates" section for more information.
+- `caFile`: location on the filesystem of the CA certificate that signed the Aserto authorizer self-signed certificate. See the "Certificates" section for more information.
 - `disableTlsValidation`: ignore TLS certificate validation when creating a TLS connection to the authorizer. Defaults to false.
 - `endpointPath`: display state map endpoint path, defaults to `/__displaystatemap`.
 - `failWithError`: When set to `true`, will forward errors to `next` instead of ending the response directly. Defaults to `false`.
@@ -932,7 +932,7 @@ The Express request object.
 - `instanceLabel`: instance label (_required_ if using hosted authorizer)
 - `authorizerApiKey`: API key for authorizer service (_required_ if using hosted authorizer)
 - `tenantId`: Aserto tenant ID (_required_ if using hosted authorizer)
-- `authorizerCertFile`: location on the filesystem of the CA certificate that signed the Aserto authorizer self-signed certificate. See the "Certificates" section for more information.
+- `caFile`: location on the filesystem of the CA certificate that signed the Aserto authorizer self-signed certificate. See the "Certificates" section for more information.
 - `disableTlsValidation`: ignore TLS certificate validation when creating a TLS connection to the authorizer. Defaults to false.
 - `useAuthorizationHeader`: When set to `true`, will forward the Authorization header to the authorizer. The authorizer will crack open the JWT and use that as the identity context. Defaults to `true`.
 - `identityHeader`: the name of the header from which to extract the `identity` field to pass into the `authorize` call. This only happens if `useAuthorizationHeader` is false. Defaults to 'identity'.
@@ -963,9 +963,9 @@ For a hosted authorizer that has a TLS certificate that is signed by a trusted C
 
 In a development environment, [topaz](github.com/aserto-dev/topaz) automatically creates a set of self-signed certificates and certificates of the CA (certificate authority) that signed them. It places them in a well-known location on the filesystem, defaulting to `$HOME/.local/share/topaz/certs/` (or `$HOMEPATH\AppData\Local\topaz\certs\` on Windows).
 
-In order for the `aserto-node` package to perform the TLS handshake, it needs to verify the TLS certificate of Topaz using the certificate of the CA that signed it - which was placed in `$HOME/.local/share/topaz/certs/grpc-ca.crt`. Therefore, in order for this middleware to work successfully, either the `authorizerCertFile` must be set to the correct path for the CA cert file, or the `disableTlsValidation` flag must be set to `true`. The same is true for the `caFile` argument of the `DirectoryClient`.
+In order for the `aserto-node` package to perform the TLS handshake, it needs to verify the TLS certificate of Topaz using the certificate of the CA that signed it - which was placed in `$HOME/.local/share/topaz/certs/grpc-ca.crt`. Therefore, in order for this middleware to work successfully, either the `caFile` must be set to the correct path for the CA cert file, or the `disableTlsValidation` flag must be set to `true`. The same is true for the `caFile` argument of the `DirectoryClient`.
 
-Furthermore, when packaging a policy for deployment (e.g. in a Docker container) which uses `aserto-node` to communicate with an authorizer that has a self-signed TLS certificate, you must copy this CA certificate into the container as part of the Docker build (typically performed in the Dockerfile). When you do that, you'll need to override the `authorizerCertFile` option that is passed into any of the API calls defined above with the location of this cert file.
+Furthermore, when packaging a policy for deployment (e.g. in a Docker container) which uses `aserto-node` to communicate with an authorizer that has a self-signed TLS certificate, you must copy this CA certificate into the container as part of the Docker build (typically performed in the Dockerfile). When you do that, you'll need to override the `caFile` option that is passed into any of the API calls defined above with the location of this cert file.
 
 Alternately, to ignore TLS certificate validation when creating a TLS connection to the authorizer, you can set the `disableTlsValidation` option to `true` and avoid TLS certificate validation. This option is **not recommended for production**.
 

diff --git a/__tests__/integration/index.test.ts b/__tests__/integration/index.test.ts
@@ -1,9 +1,14 @@
+import express, { Express } from "express";
+import nJwt from "njwt";
+import request from "supertest";
+
 import {
   AnonymousIdentityMapper,
   Authorizer,
   createAsyncIterable,
   DirectoryServiceV3,
   DirectoryV3,
+  displayStateMap,
   EtagMismatchError,
   ImportMsgCase,
   ImportOpCode,
@@ -502,7 +507,7 @@ types:
     beforeEach(async () => {
       authorizerClient = new Authorizer({
         authorizerServiceUrl: "localhost:8282",
-        authorizerCertFile: await topaz.caCert(),
+        caFile: await topaz.caCert(),
       });
     });
 
@@ -530,4 +535,108 @@ types:
       });
     });
   });
+
+  describe("DisplayStateMap", () => {
+    const app: Express = express();
+    const jwt = nJwt.create({ sub: "[email protected]" }, "signingKey");
+
+    it("returns the correct data", async () => {
+      const options = {
+        policyRoot: "todoApp",
+        instanceLabel: "todo",
+        instanceName: "todo",
+        authorizerServiceUrl: "localhost:8282",
+        caFile: await topaz.caCert(),
+        failWithError: true,
+      };
+      app.use(
+        displayStateMap(
+          options,
+          undefined,
+          () => {
+            return AnonymousIdentityMapper();
+          },
+          () => {
+            return new Promise((resolve) => {
+              resolve(policyContext("todoApp", ["allowed"]));
+            });
+          }
+        )
+      );
+
+      const response = await request(app)
+        .get("/__displaystatemap")
+        .set("Content-type", "application/json")
+        .set("Authorization", `Bearer ${jwt}`);
+      expect(response.body).toEqual({
+        "todoApp/DELETE/todos/__id": {
+          allowed: false,
+        },
+        "todoApp/GET/todos": {
+          allowed: true,
+        },
+        "todoApp/GET/users/__userID": {
+          allowed: true,
+        },
+        "todoApp/POST/todos": {
+          allowed: false,
+        },
+        "todoApp/PUT/todos/__id": {
+          allowed: false,
+        },
+      });
+    });
+  });
+
+  describe("DisplayStateMap Legacy `authorizerCertCAFile`", () => {
+    const app: Express = express();
+    const jwt = nJwt.create({ sub: "[email protected]" }, "signingKey");
+
+    it("returns the correct data", async () => {
+      const options = {
+        policyRoot: "todoApp",
+        instanceLabel: "todo",
+        instanceName: "todo",
+        authorizerServiceUrl: "localhost:8282",
+        authorizerCertCAFile: await topaz.caCert(),
+        failWithError: true,
+      };
+      app.use(
+        displayStateMap(
+          options,
+          undefined,
+          () => {
+            return AnonymousIdentityMapper();
+          },
+          () => {
+            return new Promise((resolve) => {
+              resolve(policyContext("todoApp", ["allowed"]));
+            });
+          }
+        )
+      );
+
+      const response = await request(app)
+        .get("/__displaystatemap")
+        .set("Content-type", "application/json")
+        .set("Authorization", `Bearer ${jwt}`);
+      expect(response.body).toEqual({
+        "todoApp/DELETE/todos/__id": {
+          allowed: false,
+        },
+        "todoApp/GET/todos": {
+          allowed: true,
+        },
+        "todoApp/GET/users/__userID": {
+          allowed: true,
+        },
+        "todoApp/POST/todos": {
+          allowed: false,
+        },
+        "todoApp/PUT/todos/__id": {
+          allowed: false,
+        },
+      });
+    });
+  });
 });
diff --git a/__tests__/is.test.ts b/__tests__/is.test.ts
@@ -39,7 +39,7 @@ describe("should succeed", () => {
       policyId: "123",
       authorizerServiceUrl: "localhost:8282",
       identityHeader: "Authorization",
-      authorizerCertCAFile: process.env.CA_FILE!,
+      caFile: process.env.CA_FILE!,
     };
 
     const allowed = await is(decision, req, options, packageName, resourceMap);
@@ -66,7 +66,7 @@ describe("should succeed", () => {
       policyId: "123",
       authorizerServiceUrl: "localhost:8282",
       identityHeader: "Authorization",
-      authorizerCertCAFile: process.env.CA_FILE!,
+      caFike: process.env.CA_FILE!,
     };
 
     const allowed = await is(decision, req, options);

diff --git a/__tests__/jwtAuthz.test.ts b/__tests__/jwtAuthz.test.ts
diff --git a/__tests__/middleware.test.ts b/__tests__/middleware.test.ts
@@ -51,7 +51,6 @@ describe("Middleware", () => {
       const response = middleware.Check(options);
 
       await response(request, res, next);
-      expect(next).toBeCalled();
 
       expect(next).toHaveBeenCalled();
     });
@@ -97,7 +96,7 @@ describe("Middleware", () => {
       const response = middleware.Check(options);
 
       await response(request, res, next);
-      expect(next).toBeCalledWith({
+      expect(next).toHaveBeenCalledWith({
         statusCode: 403,
         error: "Forbidden",
         message: `aserto-node: Forbidden by policy examplePolicy.check`,
@@ -148,7 +147,7 @@ describe("Middleware", () => {
       const response = middleware.Check(options);
 
       await response(request, res, next);
-      expect(next).toBeCalledWith({
+      expect(next).toHaveBeenCalledWith({
         statusCode: 403,
         error: "Forbidden",
         message: `aserto-node: Authorizer service unavailable`,
@@ -188,7 +187,6 @@ describe("Middleware", () => {
       const response = middleware.Authz();
 
       await response(request, res, next);
-      expect(next).toBeCalled();
 
       expect(next).toHaveBeenCalled();
     });
@@ -228,7 +226,7 @@ describe("Middleware", () => {
       const response = middleware.Authz();
 
       await response(request, res, next);
-      expect(next).toBeCalledWith({
+      expect(next).toHaveBeenCalledWith({
         statusCode: 403,
         error: "Forbidden",
         message: `aserto-node: Forbidden by policy examplePolicy.GET.todos`,
@@ -272,7 +270,7 @@ describe("Middleware", () => {
       const response = middleware.Authz();
 
       await response(request, res, next);
-      expect(next).toBeCalledWith({
+      expect(next).toHaveBeenCalledWith({
         statusCode: 403,
         error: "Forbidden",
         message: `aserto-node: Authorizer service unavailable`,

diff --git a/lib/authorizer/index.ts b/lib/authorizer/index.ts
@@ -24,6 +24,7 @@ type AuthorizerConfig = {
   authorizerApiKey?: string;
   token?: string;
   authorizerCertFile?: string;
+  caFile?: string;
   insecure?: boolean;
 };
 
@@ -50,9 +51,8 @@ export class Authorizer {
 
     const baseServiceUrl =
       config.authorizerServiceUrl || "authorizer.prod.aserto.com:8443";
-    const baseCaFile = !!config.authorizerCertFile
-      ? readFileSync(config.authorizerCertFile)
-      : undefined;
+    const caFilePath = config.authorizerCertFile || config.caFile;
+    const baseCaFile = !!caFilePath ? readFileSync(caFilePath) : undefined;
 
     const insecure = config?.insecure || false;
     const baseNodeOptions = {

diff --git a/lib/displayStateMap.ts b/lib/displayStateMap.ts
@@ -1,6 +1,7 @@
 import { NextFunction, Request, Response } from "express";
 import { IdentityContext } from "@aserto/node-authorizer/src/gen/cjs/aserto/authorizer/v2/api/identity_context_pb";
 
+import { AuthzOptions } from ".";
 import { Authorizer } from "./authorizer";
 import BodyResourceMapper from "./authorizer/mapper/resource/body";
 import {
@@ -15,22 +16,9 @@ import { errorHandler } from "./errorHandler";
 import identityContext from "./identityContext";
 import processOptions from "./processOptions";
 
-interface DisplayStateMapOptions {
-  policyRoot: string;
-  instanceName: string;
-  instanceLabel?: string;
-  authorizerServiceUrl: string;
-  authorizerApiKey?: string;
-  tenantId?: string;
-  authorizerCertCAFile?: string;
-  disableTlsValidation?: boolean;
-  useAuthorizationHeader?: boolean;
-  identityHeader?: string;
-  failWithError?: boolean;
-  customUserKey?: string;
-  customSubjectKey?: string;
+type DisplayStateMapOptions = AuthzOptions & {
   endpointPath?: string;
-}
+};
 const displayStateMap = (
   optionsParam: DisplayStateMapOptions,
   resourceMapper?: ResourceMapper,
@@ -81,7 +69,7 @@ const displayStateMap = (
         authorizerServiceUrl: authorizerUrl,
         tenantId: tenantId!,
         authorizerApiKey: authorizerApiKey!,
-        authorizerCertFile: authorizerCertCAFile,
+        caFile: authorizerCertCAFile,
         insecure: disableTlsValidation,
       });