Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add security at the operation level #584

Merged
merged 34 commits into from
Apr 14, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
34 commits
Select commit Hold shift + click to select a range
9cc3d98
docs: fix example typo (#728)
lejenome Mar 14, 2022
d4ac103
docs: add lejenome as a contributor for doc (#733)
allcontributors[bot] Mar 14, 2022
f353b1c
docs: update README with new logo banner (#732)
pk-218 Mar 14, 2022
a93ec64
chore: add 2022-04-release branch in .releaserc (#737)
smoya Mar 17, 2022
9b8dff9
docs: update release process (#722)
dalelane Mar 17, 2022
bc68645
Update asyncapi.md
sekharbans-ebay Jul 15, 2021
4e7a033
Update asyncapi.md
sekharbans-ebay Jul 30, 2021
975fc86
Update spec/asyncapi.md
sekharbans-ebay Aug 2, 2021
3616061
Update asyncapi.md
sekharbans-ebay Aug 3, 2021
52d01b4
Update asyncapi.md
sekharbans-ebay Aug 3, 2021
521fd58
Update asyncapi.md
sekharbans-ebay Aug 3, 2021
bf3961e
Update asyncapi.md
sekharbans-ebay Jan 3, 2022
3480206
Create operation-security.yml
sekharbans-ebay Jan 5, 2022
7c44dd4
Update examples/operation-security.yml
sekharbans-ebay Jan 6, 2022
8e81651
Update spec/asyncapi.md
sekharbans-ebay Jan 6, 2022
5e3763a
Update spec/asyncapi.md
sekharbans-ebay Jan 6, 2022
4739be1
Update spec/asyncapi.md
sekharbans-ebay Jan 6, 2022
c675782
Create streetlights-operation-security.yml
sekharbans-ebay Jan 25, 2022
b373afd
updated desc for operation security
sekharbans-ebay Mar 22, 2022
fb3b9bf
Update spec/asyncapi.md
sekharbans-ebay Mar 25, 2022
3460840
Update spec/asyncapi.md
sekharbans-ebay Mar 25, 2022
d1e8017
Create multiple-server-security.yml
sekharbans-ebay Mar 30, 2022
4a964f7
Update examples/streetlights-operation-security.yml
sekharbans-ebay Mar 31, 2022
4c3d916
Update examples/streetlights-operation-security.yml
sekharbans-ebay Mar 31, 2022
7a6200f
Update examples/streetlights-operation-security.yml
sekharbans-ebay Mar 31, 2022
f8f9fcb
Update examples/streetlights-operation-security.yml
sekharbans-ebay Mar 31, 2022
9ecf2a9
Merge branch '2022-04-release' into master
sekharbans-ebay Mar 31, 2022
2874072
Update README.md
sekharbans-ebay Apr 8, 2022
a57fb91
Update streetlights-operation-security.yml
sekharbans-ebay Apr 8, 2022
514b5fe
Update streetlights-operation-security.yml
sekharbans-ebay Apr 8, 2022
0d2a2d4
Update examples/operation-security.yml
sekharbans-ebay Apr 11, 2022
9e9463a
Update examples/streetlights-operation-security.yml
sekharbans-ebay Apr 11, 2022
b221433
Delete multiple-server-security.yml
sekharbans-ebay Apr 11, 2022
5a6faeb
Update examples/streetlights-operation-security.yml
sekharbans-ebay Apr 11, 2022
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
106 changes: 106 additions & 0 deletions examples/operation-security.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,106 @@
asyncapi: 2.4.0
info:
title: Notifications
version: 1.0.0
description: >-
This contract defines HTTP Push notification for
application authorization revocation topic
channels:
AUTHORIZATION_REVOCATION:
subscribe:
message:
$ref: '#/components/messages/message'
bindings:
http:
type: request
method: POST
headers:
type: object
properties:
Content-Type:
type: string
enum:
- application/json
security:
petstore_auth:
fmvilas marked this conversation as resolved.
Show resolved Hide resolved
- subscribe:auth_revocations
components:
messages:
message:
headers:
type: object
properties:
X-SIGNATURE:
description: ECC message signature
type: string
payload:
type: object
properties:
metadata:
$ref: '#/components/schemas/MetaData'
notification:
$ref: '#/components/schemas/Notification'
schemas:
MetaData:
type: object
properties:
topic:
type: string
description: Topic subscribed to.
schemaVersion:
type: string
description: The schema for this topic.
deprecated:
type: boolean
description: If this is a deprecated schema or topic.
default: 'false'
Notification:
type: object
properties:
notificationId:
type: string
description: The notification Id.
eventDate:
type: string
description: The event date associated with this notification in UTC.
publishDate:
type: string
description: The message publish date in UTC.
publishAttemptCount:
type: integer
description: The number of attempts made to publish this message.
data:
$ref: '#/components/schemas/AuthorizationRevocationData'
AuthorizationRevocationData:
type: object
description: The Authorization Revocation payload.
properties:
username:
type: string
description: The username for the user.
userId:
type: string
description: The immutable public userId for the user
eiasToken:
type: string
description: The legacy eiasToken specific to the user
revokeReason:
type: string
enum:
- REVOKED_BY_APP
- REVOKED_BY_USER
- REVOKED_BY_ADMIN
- PASSWORD_CHANGE
description: The reason for authorization revocation
revocationDate:
type: string
description: Date and time when the authorization was revoked
securitySchemes:
petstore_auth:
type: oauth2
description: The oauth security descriptions
flows:
clientCredentials:
tokenUrl: 'https://example.com/api/oauth/dialog'
scopes:
subscribe:auth_revocations: Scope required for authorization revocation topic
202 changes: 202 additions & 0 deletions examples/streetlights-operation-security.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,202 @@
asyncapi: '2.4.0'
info:
title: Streetlights Kafka API
version: '1.0.0'
description: |
The Smartylighting Streetlights API allows you to remotely manage the city lights.

### Check out its awesome features:

* Turn a specific streetlight on/off 🌃
* Dim a specific streetlight 😎
* Receive real-time information about environmental lighting conditions 📈
license:
name: Apache 2.0
url: https://www.apache.org/licenses/LICENSE-2.0

servers:
test:
url: test.mykafkacluster.org:8092
protocol: kafka-secure
description: Test broker
security:
- saslScram: []
test_oauth:
url: test.mykafkacluster.org:8093
protocol: kafka-secure
description: Test port for oauth
security:
- streetlights_auth:
- streetlights:write
- streetlights:read


defaultContentType: application/json

channels:
smartylighting.streetlights.1.0.event.{streetlightId}.lighting.measured:
description: The topic on which measured values may be produced and consumed.
parameters:
streetlightId:
$ref: '#/components/parameters/streetlightId'
publish:
summary: Inform about environmental lighting conditions of a particular streetlight.
operationId: receiveLightMeasurement
traits:
- $ref: '#/components/operationTraits/kafka'
message:
$ref: '#/components/messages/lightMeasured'
security:
streetlights_auth:
- streetlights:write
smartylighting.streetlights.1.0.action.{streetlightId}.turn.on:
Copy link
Member

@smoya smoya Apr 22, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sekharbans-ebay Would it make sense to link the channel to a server(s)?

You can do this by adding servers field. For example:

servers:
  - test_oauth

parameters:
streetlightId:
$ref: '#/components/parameters/streetlightId'
subscribe:
operationId: turnOn
traits:
- $ref: '#/components/operationTraits/kafka'
message:
$ref: '#/components/messages/turnOnOff'
security:
# This operation level security implies the ability to send a message to
# `smartylighting.streetlights.1.0.action.{streetlightId}.turn.on` with Authorization headers
# with `streetlights:read` scope. It is also possible for the same channel when using `test_auth`
Copy link
Member

@smoya smoya Apr 21, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sekharbans-ebay I just noticed there is a typo here. It should be: test_oauth

# server to instead use credentials for security (scramSha256 in this example) specified on the server level
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now that I'm writing the release notes, this comment seems confusing to me.

The spec says:

In cases where Server Security also applies, it MUST also be satisfied.

However, by reading this comment, I understand that only one (the server or rather the operation) security requirement should be satisfied.

Would you mind clarifying this @sekharbans-ebay? Also pinging Code Owners @derberg @fmvilas @dalelane

Copy link
Author

@sekharbans-ebay sekharbans-ebay Apr 21, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now that I'm writing the release notes, this comment seems confusing to me.

The spec says:

In cases where Server Security also applies, it MUST also be satisfied.

However, by reading this comment, I understand that only one (the server or rather the operation) security requirement should be satisfied.

Would you mind clarifying this @sekharbans-ebay? Also pinging Code Owners @derberg @fmvilas @dalelane

The example text is poorly worded - will reword this. My intention was to state that you could still operate on the channel using security credentials supported at the server level perhaps thru a different operation. Is this okay:

  _# This operation level security implies the ability to send a message to 
  # `smartylighting.streetlights.1.0.action.{streetlightId}.turn.on` with Authorization headers 
  #  that have `streetlights:read` scope. Note that the operation level security  must still satisfy 
  # security options specified at the server level._

Copy link
Member

@smoya smoya Apr 22, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would you mind creating a PR against 2022-04-release branch with such a fix (and the others I mentioned in other comments) @sekharbans-ebay ?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would you mind creating a PR against 2022-04-release branch with such a fix (and the others I mentioned in other comments) @sekharbans-ebay ?

Done. Please review:
#768

streetlights_auth:
- streetlights:read

smartylighting.streetlights.1.0.action.{streetlightId}.turn.off:
parameters:
streetlightId:
$ref: '#/components/parameters/streetlightId'
subscribe:
operationId: turnOff
traits:
- $ref: '#/components/operationTraits/kafka'
message:
$ref: '#/components/messages/turnOnOff'
security:
streetlights_auth:
- streetlights:read
smartylighting.streetlights.1.0.action.{streetlightId}.dim:
parameters:
streetlightId:
$ref: '#/components/parameters/streetlightId'
subscribe:
operationId: dimLight
traits:
- $ref: '#/components/operationTraits/kafka'
message:
$ref: '#/components/messages/dimLight'
security:
# This operation level security implies the ability to send a message to
# `smartylighting.streetlights.1.0.action.{streetlightId}.turn.on` with Authorization headers
# with `streetlights:read` scope. It is also possible for the same channel when using `test_auth`
# server to instead use credentials for security (scramSha256 in this example) specified on the server level
streetlights_auth:
- streetlights:read


components:
messages:
lightMeasured:
name: lightMeasured
title: Light measured
summary: Inform about environmental lighting conditions of a particular streetlight.
contentType: application/json
traits:
- $ref: '#/components/messageTraits/commonHeaders'
payload:
$ref: "#/components/schemas/lightMeasuredPayload"
turnOnOff:
name: turnOnOff
title: Turn on/off
summary: Command a particular streetlight to turn the lights on or off.
traits:
- $ref: '#/components/messageTraits/commonHeaders'
payload:
$ref: "#/components/schemas/turnOnOffPayload"
dimLight:
name: dimLight
title: Dim light
summary: Command a particular streetlight to dim the lights.
traits:
- $ref: '#/components/messageTraits/commonHeaders'
payload:
$ref: "#/components/schemas/dimLightPayload"

schemas:
lightMeasuredPayload:
type: object
properties:
lumens:
type: integer
minimum: 0
description: Light intensity measured in lumens.
sentAt:
$ref: "#/components/schemas/sentAt"
turnOnOffPayload:
type: object
properties:
command:
type: string
enum:
- on
- off
description: Whether to turn on or off the light.
sentAt:
$ref: "#/components/schemas/sentAt"
dimLightPayload:
type: object
properties:
percentage:
type: integer
description: Percentage to which the light should be dimmed to.
minimum: 0
maximum: 100
sentAt:
$ref: "#/components/schemas/sentAt"
sentAt:
type: string
format: date-time
description: Date and time when the message was sent.

securitySchemes:
saslScram:
type: scramSha256
description: Provide your username and password for SASL/SCRAM authentication
streetlights_auth:
type: oauth2
description: The oauth security descriptions
flows:
clientCredentials:
tokenUrl: 'https://example.com/api/oauth/dialog'
scopes:
streetlights:read: Scope required for subscribing to channel
streetlights:write: Scope required for publishing to channel

parameters:
streetlightId:
description: The ID of the streetlight.
schema:
type: string

messageTraits:
commonHeaders:
headers:
type: object
properties:
my-app-header:
type: integer
minimum: 0
maximum: 100

operationTraits:
kafka:
bindings:
kafka:
clientId:
type: string
enum: ['my-app-id']
16 changes: 15 additions & 1 deletion spec/asyncapi.md
Original file line number Diff line number Diff line change
Expand Up @@ -703,7 +703,8 @@ Field Name | Type | Description
---|:---:|---
<a name="operationObjectOperationId"></a>operationId | `string` | Unique string used to identify the operation. The id MUST be unique among all operations described in the API. The operationId value is **case-sensitive**. Tools and libraries MAY use the operationId to uniquely identify an operation, therefore, it is RECOMMENDED to follow common programming naming conventions.
<a name="operationObjectSummary"></a>summary | `string` | A short summary of what the operation is about.
<a name="operationObjectDescription"></a>description | `string` | A verbose explanation of the operation. [CommonMark syntax](https://spec.commonmark.org/) can be used for rich text representation.
<a name="operationObjectDescription"></a>description | `string` | A verbose explanation of the operation. [CommonMark syntax](http://spec.commonmark.org/) can be used for rich text representation.
<a name="operationObjectSecurity"></a>security | [[Security Requirement Object](#securityRequirementObject)]| A declaration of which security mechanisms are associated with this operation. Only one of the security requirement objects MUST be satisfied to authorize an operation. In cases where Server Security also applies, it MUST also be satisfied.
<a name="operationObjectTags"></a>tags | [Tags Object](#tagsObject) | A list of tags for API documentation control. Tags can be used for logical grouping of operations.
<a name="operationObjectExternalDocs"></a>externalDocs | [External Documentation Object](#externalDocumentationObject) | Additional external documentation for this operation.
<a name="operationObjectBindings"></a>bindings | [Operation Bindings Object](#operationBindingsObject) \| [Reference Object](#referenceObject) | A map where the keys describe the name of the protocol and the values describe protocol-specific definitions for the operation.
Expand All @@ -719,6 +720,14 @@ This object can be extended with [Specification Extensions](#specificationExtens
"operationId": "registerUser",
"summary": "Action to sign a user up.",
"description": "A longer description",
"security": [
{
"petstore_auth": [
"write:pets",
"read:pets"
]
}
],
"tags": [
{ "name": "user" },
{ "name": "signup" },
Expand Down Expand Up @@ -761,6 +770,10 @@ This object can be extended with [Specification Extensions](#specificationExtens
operationId: registerUser
summary: Action to sign a user up.
description: A longer description
security:
- petstore_auth:
- write:pets
- read:pets
tags:
- name: user
- name: signup
Expand Down Expand Up @@ -802,6 +815,7 @@ Field Name | Type | Description
<a name="operationTraitObjectOperationId"></a>operationId | `string` | Unique string used to identify the operation. The id MUST be unique among all operations described in the API. The operationId value is **case-sensitive**. Tools and libraries MAY use the operationId to uniquely identify an operation, therefore, it is RECOMMENDED to follow common programming naming conventions.
<a name="operationTraitObjectSummary"></a>summary | `string` | A short summary of what the operation is about.
<a name="operationTraitObjectDescription"></a>description | `string` | A verbose explanation of the operation. [CommonMark syntax](https://spec.commonmark.org/) can be used for rich text representation.
<a name="operationTraitObjectSecurity"></a>security | [[Security Requirement Object](#securityRequirementObject)]| A declaration of which security mechanisms are associated with this operation. Only one of the security requirement objects MUST be satisfied to authorize an operation. In cases where Server Security also applies, it MUST also be satisfied.
<a name="operationTraitObjectTags"></a>tags | [Tags Object](#tagsObject) | A list of tags for API documentation control. Tags can be used for logical grouping of operations.
<a name="operationTraitObjectExternalDocs"></a>externalDocs | [External Documentation Object](#externalDocumentationObject) | Additional external documentation for this operation.
<a name="operationTraitObjectBindings"></a>bindings | [Operation Bindings Object](#operationBindingsObject) \| [Reference Object](#referenceObject) | A map where the keys describe the name of the protocol and the values describe protocol-specific definitions for the operation.
Expand Down