[release/4.x] Cherry pick: Update TypeScript to expose COSE authentic…

…ation policies (#5403) (#5404)
microsoft · Jun 29, 2023 · 92d08bc · 92d08bc
1 parent 959ed5d
commit 92d08bc
Show file tree

Hide file tree

Showing 9 changed files with 117 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [4.0.4]
+
+[4.0.4]: https://github.com/microsoft/CCF/releases/tag/ccf-4.0.4
+
+- Added TypeScript interfaces `UserCOSESign1AuthnIdentity` and `MemberCOSESign1AuthnIdentity`, to be used with `user_cose_sign1` and `member_cose_sign1` authentication policies.
+
 ## [4.0.3]
 
 [4.0.3]: https://github.com/microsoft/CCF/releases/tag/ccf-4.0.3

diff --git a/doc/build_apps/api.rst b/doc/build_apps/api.rst
@@ -60,6 +60,12 @@ Policies
 .. doxygenvariable:: ccf::user_cert_auth_policy
    :project: CCF
 
+.. doxygenvariable:: ccf::member_cert_auth_policy
+   :project: CCF
+
+.. doxygenvariable:: ccf::member_cose_sign1_auth_policy
+   :project: CCF
+
 .. doxygenvariable:: ccf::user_cose_sign1_auth_policy
    :project: CCF
 
@@ -73,6 +79,18 @@ Identities
    :project: CCF
    :members:
 
+.. doxygenstruct:: ccf::MemberCertAuthnIdentity
+   :project: CCF
+   :members:
+
+.. doxygenstruct:: ccf::UserCOSESign1AuthnIdentity
+   :project: CCF
+   :members:
+
+.. doxygenstruct:: ccf::MemberCOSESign1AuthnIdentity
+   :project: CCF
+   :members:
+
 .. doxygenstruct:: ccf::JwtAuthnIdentity
    :project: CCF
    :members:

diff --git a/include/ccf/endpoint.h b/include/ccf/endpoint.h
@@ -132,6 +132,9 @@ namespace ccf::endpoints
      * Identity of the caller to be used by the endpoint. This can be
      * retrieved inside the endpoint with ctx.get_caller<IdentType>(),
      * @see ccf::UserCertAuthnIdentity
+     * @see ccf::MemberCertAuthnIdentity
+     * @see ccf::UserCOSESign1tAuthnIdentity
+     * @see ccf::MemberCOSESign1AuthnIdentity
      * @see ccf::JwtAuthnIdentity
      *
      * @see ccf::empty_auth_policy

diff --git a/js/ccf-app/src/endpoints.ts b/js/ccf-app/src/endpoints.ts
@@ -141,6 +141,16 @@ export interface MemberCertAuthnIdentity extends UserMemberAuthnIdentityCommon {
   policy: "member_cert";
 }
 
+export interface MemberCOSESign1AuthnIdentity
+  extends UserMemberAuthnIdentityCommon {
+  policy: "member_cose_sign1";
+}
+
+export interface UserCOSESign1AuthnIdentity
+  extends UserMemberAuthnIdentityCommon {
+  policy: "user_cose_sign1";
+}
+
 export interface JwtAuthnIdentity extends AuthnIdentityCommon {
   policy: "jwt";
 
@@ -175,7 +185,9 @@ export type AuthnIdentity =
   | EmptyAuthnIdentity
   | UserCertAuthnIdentity
   | MemberCertAuthnIdentity
-  | JwtAuthnIdentity;
+  | JwtAuthnIdentity
+  | MemberCOSESign1AuthnIdentity
+  | UserCOSESign1AuthnIdentity;
 
 /** See {@linkcode Response.body}. */
 export type ResponseBodyType<T> = string | ArrayBuffer | JsonCompatible<T>;

diff --git a/src/apps/js_generic/named_auth_policies.h b/src/apps/js_generic/named_auth_policies.h
@@ -70,6 +70,10 @@ namespace ccfapp
     {
       return ccf::UserCOSESign1AuthnPolicy::SECURITY_SCHEME_NAME;
     }
+    else if constexpr (std::is_same_v<T, ccf::MemberCOSESign1AuthnIdentity>)
+    {
+      return ccf::MemberCOSESign1AuthnPolicy::SECURITY_SCHEME_NAME;
+    }
     else if constexpr (std::is_same_v<T, ccf::EmptyAuthnIdentity>)
     {
       return ccf::EmptyAuthnPolicy::SECURITY_SCHEME_NAME;

diff --git a/tests/js-modules/modules.py b/tests/js-modules/modules.py
@@ -1077,6 +1077,29 @@ def test_js_exception_output(network, args):
     return network
 
 
+@reqs.description("Test User Cose authentication")
+def test_user_cose_authentication(network, args):
+    primary, _ = network.find_nodes()
+
+    with primary.client() as c:
+        r = c.put("/app/cose", {})
+        assert r.status_code == http.HTTPStatus.UNAUTHORIZED, r
+
+    with primary.client("user0") as c:
+        r = c.put("/app/cose", {})
+        assert r.status_code == http.HTTPStatus.UNAUTHORIZED, r
+
+    with primary.client("user0", headers={"content-type": "application/cose"}) as c:
+        r = c.put("/app/cose", {})
+        assert r.status_code == http.HTTPStatus.INTERNAL_SERVER_ERROR, r
+
+    with primary.client(None, None, "user0") as c:
+        r = c.put("/app/cose", {})
+        assert r.status_code == http.HTTPStatus.OK, r
+        assert r.body.text() == network.users[0].service_id
+    return network
+
+
 def run(args):
     with infra.network.network(
         args.nodes, args.binary_dir, args.debug_nodes, args.perf_nodes, pdb=args.pdb
@@ -1090,6 +1113,7 @@ def run(args):
         network = test_npm_app(network, args)
         network = test_js_execution_time(network, args)
         network = test_js_exception_output(network, args)
+        network = test_user_cose_authentication(network, args)
 
 
 if __name__ == "__main__":

diff --git a/tests/npm-app/app.json b/tests/npm-app/app.json
@@ -1284,6 +1284,35 @@
           }
         }
       }
+    },
+    "/cose": {
+      "put": {
+        "js_module": "endpoints/auth.js",
+        "js_function": "checkUserCOSESign1Auth",
+        "forwarding_required": "sometimes",
+        "authn_policies": ["user_cose_sign1"],
+        "mode": "readwrite",
+        "openapi": {
+          "requestBody": {
+            "required": true,
+            "content": {
+              "application/cose": {
+                "schema": {}
+              }
+            }
+          },
+          "responses": {
+            "200": {
+              "description": "",
+              "content": {
+                "application/json": {
+                  "schema": {}
+                }
+              }
+            }
+          }
+        }
+      }
     }
   }
 }
diff --git a/tests/npm-app/src/endpoints/all.ts b/tests/npm-app/src/endpoints/all.ts
@@ -5,3 +5,4 @@ export * from "./partition";
 export * from "./proto";
 export * from "./log";
 export * from "./rpc";
+export * from "./auth";
diff --git a/tests/npm-app/src/endpoints/auth.ts b/tests/npm-app/src/endpoints/auth.ts
@@ -0,0 +1,19 @@
+import * as ccfapp from "@microsoft/ccf-app";
+
+// Note: this is also tested more generically on the multi_auth endpoint
+// of the logging application, but not with TypeScript types.
+export function checkUserCOSESign1Auth(
+  request: ccfapp.Request
+): ccfapp.Response {
+  if (request.caller === null || request.caller === undefined) {
+    return { status: 401 };
+  }
+
+  const caller = request.caller;
+  if (caller.policy !== "user_cose_sign1") {
+    return { status: 401 };
+  }
+
+  const id: ccfapp.UserCOSESign1AuthnIdentity = caller;
+  return { status: 200, body: id.id };
+}