mirror of
https://github.com/Unleash/unleash.git
synced 2025-01-06 00:07:44 +01:00
70499dc1d4
## About the changes When edge is configured to automatically generate tokens, it requires the token to be present in all unleash instances. It's behind a flag which enables us to turn it on on a case by case scenario. The risk of this implementation is that we'd be adding load to the database in the middleware that evaluates tokens (which are present in mostly all our API calls. We only query when the token is missing but because the /client and /frontend endpoints which will be the affected ones are high throughput, we want to be extra careful to avoid DDoSing ourselves ## Alternatives: One alternative would be that we merge the two endpoints into one. Currently, Edge does the following: If the token is not valid, it tries to create a token using a service account token and /api/admin/create-token endpoint. Then it uses the token generated (which is returned from the prior endpoint) to query /api/frontend. What if we could call /api/frontend with the same service account we use to create the token? It may sound risky but if the same application holding the service account token with permission to create a token, can call /api/frontend via the generated token, shouldn't it be able to call the endpoint directly? The purpose of the token is authentication and authorization. With the two tokens we are authenticating the same app with 2 different authorization scopes, but because it's the same app we are authenticating, can't we just use one token and assume that the app has both scopes? If the service account already has permissions to create a token and then use that token for further actions, allowing it to directly call /api/frontend does not necessarily introduce new security risks. The only risk is allowing the app to generate new tokens. Which leads to the third alternative: should we just remove this option from edge?
247 lines
8.0 KiB
TypeScript
247 lines
8.0 KiB
TypeScript
import { ApiTokenService } from './api-token-service';
|
|
import { createTestConfig } from '../../test/config/test-config';
|
|
import { IUnleashConfig, IUnleashOptions, IUser } from '../server-impl';
|
|
import { ApiTokenType, IApiTokenCreate } from '../types/models/api-token';
|
|
import FakeApiTokenStore from '../../test/fixtures/fake-api-token-store';
|
|
import FakeEnvironmentStore from '../features/project-environments/fake-environment-store';
|
|
import FakeEventStore from '../../test/fixtures/fake-event-store';
|
|
import {
|
|
ADMIN_TOKEN_USER,
|
|
API_TOKEN_CREATED,
|
|
API_TOKEN_DELETED,
|
|
API_TOKEN_UPDATED,
|
|
} from '../types';
|
|
import { addDays } from 'date-fns';
|
|
import EventService from '../features/events/event-service';
|
|
import FakeFeatureTagStore from '../../test/fixtures/fake-feature-tag-store';
|
|
import { createFakeEventsService } from '../../lib/features';
|
|
|
|
test('Should init api token', async () => {
|
|
const token = {
|
|
environment: '*',
|
|
project: '*',
|
|
secret: '*:*:some-random-string',
|
|
type: ApiTokenType.ADMIN,
|
|
tokenName: 'admin',
|
|
};
|
|
|
|
const config: IUnleashConfig = createTestConfig({
|
|
authentication: {
|
|
initApiTokens: [token],
|
|
},
|
|
experimental: {
|
|
flags: {
|
|
useMemoizedActiveTokens: true,
|
|
},
|
|
},
|
|
});
|
|
const apiTokenStore = new FakeApiTokenStore();
|
|
const environmentStore = new FakeEnvironmentStore();
|
|
const insertCalled = new Promise((resolve) => {
|
|
apiTokenStore.on('insert', resolve);
|
|
});
|
|
|
|
const eventService = createFakeEventsService(config);
|
|
|
|
new ApiTokenService(
|
|
{ apiTokenStore, environmentStore },
|
|
config,
|
|
eventService,
|
|
);
|
|
|
|
await insertCalled;
|
|
|
|
const tokens = await apiTokenStore.getAll();
|
|
|
|
expect(tokens).toHaveLength(1);
|
|
});
|
|
|
|
test("Shouldn't return frontend token when secret is undefined", async () => {
|
|
const token: IApiTokenCreate = {
|
|
environment: 'default',
|
|
projects: ['*'],
|
|
secret: '*:*:some-random-string',
|
|
type: ApiTokenType.FRONTEND,
|
|
tokenName: 'front',
|
|
expiresAt: undefined,
|
|
};
|
|
|
|
const config: IUnleashConfig = createTestConfig({});
|
|
const apiTokenStore = new FakeApiTokenStore();
|
|
const environmentStore = new FakeEnvironmentStore();
|
|
|
|
const eventService = new EventService(
|
|
{
|
|
eventStore: new FakeEventStore(),
|
|
featureTagStore: new FakeFeatureTagStore(),
|
|
},
|
|
config,
|
|
);
|
|
|
|
await environmentStore.create({
|
|
name: 'default',
|
|
enabled: true,
|
|
protected: true,
|
|
type: 'test',
|
|
sortOrder: 1,
|
|
});
|
|
|
|
const apiTokenService = new ApiTokenService(
|
|
{ apiTokenStore, environmentStore },
|
|
config,
|
|
eventService,
|
|
);
|
|
|
|
await apiTokenService.createApiTokenWithProjects(token);
|
|
await apiTokenService.fetchActiveTokens();
|
|
|
|
expect(await apiTokenService.getUserForToken('')).toEqual(undefined);
|
|
});
|
|
|
|
test('Api token operations should all have events attached', async () => {
|
|
const token: IApiTokenCreate = {
|
|
environment: 'default',
|
|
projects: ['*'],
|
|
secret: '*:*:some-random-string',
|
|
type: ApiTokenType.FRONTEND,
|
|
tokenName: 'front',
|
|
expiresAt: undefined,
|
|
};
|
|
|
|
const config: IUnleashConfig = createTestConfig({});
|
|
const apiTokenStore = new FakeApiTokenStore();
|
|
const environmentStore = new FakeEnvironmentStore();
|
|
|
|
const eventService = new EventService(
|
|
{
|
|
eventStore: new FakeEventStore(),
|
|
featureTagStore: new FakeFeatureTagStore(),
|
|
},
|
|
config,
|
|
);
|
|
|
|
await environmentStore.create({
|
|
name: 'default',
|
|
enabled: true,
|
|
protected: true,
|
|
type: 'test',
|
|
sortOrder: 1,
|
|
});
|
|
|
|
const apiTokenService = new ApiTokenService(
|
|
{ apiTokenStore, environmentStore },
|
|
config,
|
|
eventService,
|
|
);
|
|
const saved = await apiTokenService.createApiTokenWithProjects(token);
|
|
const newExpiry = addDays(new Date(), 30);
|
|
await apiTokenService.updateExpiry(saved.secret, newExpiry, 'test', -9999);
|
|
await apiTokenService.delete(saved.secret, 'test', -9999);
|
|
const { events } = await eventService.getEvents();
|
|
const createdApiTokenEvents = events.filter(
|
|
(e) => e.type === API_TOKEN_CREATED,
|
|
);
|
|
expect(createdApiTokenEvents).toHaveLength(1);
|
|
expect(createdApiTokenEvents[0].preData).toBeUndefined();
|
|
expect(createdApiTokenEvents[0].data.secret).toBeUndefined();
|
|
|
|
const updatedApiTokenEvents = events.filter(
|
|
(e) => e.type === API_TOKEN_UPDATED,
|
|
);
|
|
expect(updatedApiTokenEvents).toHaveLength(1);
|
|
expect(updatedApiTokenEvents[0].preData.expiresAt).toBeDefined();
|
|
expect(updatedApiTokenEvents[0].preData.secret).toBeUndefined();
|
|
expect(updatedApiTokenEvents[0].data.secret).toBeUndefined();
|
|
expect(updatedApiTokenEvents[0].data.expiresAt).toBe(newExpiry);
|
|
|
|
const deletedApiTokenEvents = events.filter(
|
|
(e) => e.type === API_TOKEN_DELETED,
|
|
);
|
|
expect(deletedApiTokenEvents).toHaveLength(1);
|
|
expect(deletedApiTokenEvents[0].data).toBeUndefined();
|
|
expect(deletedApiTokenEvents[0].preData).toBeDefined();
|
|
expect(deletedApiTokenEvents[0].preData.secret).toBeUndefined();
|
|
});
|
|
|
|
test('getUserForToken should get a user with admin token user id and token name', async () => {
|
|
const config = createTestConfig();
|
|
const apiTokenStore = new FakeApiTokenStore();
|
|
const environmentStore = new FakeEnvironmentStore();
|
|
|
|
const eventService = createFakeEventsService(config);
|
|
|
|
const tokenService = new ApiTokenService(
|
|
{ apiTokenStore, environmentStore },
|
|
config,
|
|
eventService,
|
|
);
|
|
const token = await tokenService.createApiTokenWithProjects(
|
|
{
|
|
environment: '*',
|
|
projects: ['*'],
|
|
type: ApiTokenType.ADMIN,
|
|
tokenName: 'admin.token',
|
|
},
|
|
ADMIN_TOKEN_USER as IUser,
|
|
);
|
|
|
|
const user = await tokenService.getUserForToken(token.secret);
|
|
expect(user).toBeDefined();
|
|
expect(user!.username).toBe(token.tokenName);
|
|
expect(user!.internalAdminTokenUserId).toBe(ADMIN_TOKEN_USER.id);
|
|
});
|
|
|
|
describe('When token is added by another instance', () => {
|
|
const setup = (options?: IUnleashOptions) => {
|
|
const token: IApiTokenCreate = {
|
|
environment: 'default',
|
|
projects: ['*'],
|
|
secret: '*:*:some-random-string',
|
|
type: ApiTokenType.CLIENT,
|
|
tokenName: 'new-token-by-another-instance',
|
|
expiresAt: undefined,
|
|
};
|
|
|
|
const config: IUnleashConfig = createTestConfig(options);
|
|
const apiTokenStore = new FakeApiTokenStore();
|
|
const environmentStore = new FakeEnvironmentStore();
|
|
|
|
const apiTokenService = new ApiTokenService(
|
|
{ apiTokenStore, environmentStore },
|
|
config,
|
|
createFakeEventsService(config),
|
|
);
|
|
return {
|
|
apiTokenService,
|
|
apiTokenStore,
|
|
token,
|
|
};
|
|
};
|
|
test('should not return the token when query db flag is disabled', async () => {
|
|
const { apiTokenService, apiTokenStore, token } = setup();
|
|
|
|
// simulate this token being inserted by another instance (apiTokenService does not know about it)
|
|
apiTokenStore.insert(token);
|
|
|
|
const found = await apiTokenService.getUserForToken(token.secret);
|
|
expect(found).toBeUndefined();
|
|
});
|
|
|
|
test('should return the token when query db flag is enabled', async () => {
|
|
const { apiTokenService, apiTokenStore, token } = setup({
|
|
experimental: {
|
|
flags: {
|
|
queryMissingTokens: true,
|
|
},
|
|
},
|
|
});
|
|
|
|
// simulate this token being inserted by another instance (apiTokenService does not know about it)
|
|
apiTokenStore.insert(token);
|
|
|
|
const found = await apiTokenService.getUserForToken(token.secret);
|
|
expect(found).toBeDefined();
|
|
expect(found?.username).toBe(token.tokenName);
|
|
});
|
|
});
|