Merge pull request #21 from okp4/feat/wire-orchestration

Feat/wire orchestration

Author: amimart

README.md

@@ -22,3 +22,152 @@
 ```sh
 make build
 ```
+
+## Example
+
+Hereafter is presented an example using this proxy locally, providing all the needed elements to feed a local dataverse and interact with it.
+
+Through this example, we'll have a [Minio](https://github.com/minio/minio) instance declared as a digital storage service with an attached governance allowing usage in a specific zone. And a dataset representing a single file with a governance allowing the same zone and a specific orchestration service, the dataset will use the minio as storage service.
+
+We'll see how we can submit an execution order to set the file accessible through the proxy by being authenticated as the orchestration service.
+
+### Prerequistes
+
+Some tools are needed in order to run the example:
+
+- [docker](https://docs.docker.com/engine/install/)
+- [okp4d](https://github.com/okp4/okp4d)
+- [jsonld](https://github.com/digitalbazaar/jsonld-cli)
+
+The local chain must be running with our [contracts](https://github.com/okp4/contracts) stored.
+
+The local configuration of `okp4d` in `$OKP4D_HOME/config/client.toml` shall be self-sufficient to sign and broadcast transaction without additional command flags (e.g. `--chain-id`, `--keyring-backend`, etc..)
+
+### Steps
+
+#### Instantiate Smart contracts
+
+For each contract instantiation, keep the contract addresses, as they will be required for future interactions. You can inspect the transaction hash generated by the broadcasting process with `okp4d query tx $TX_HASH` and look for the events section.
+
+Let's begin with the objectarium:
+
+```bash
+okp4d tx wasm instantiate $OBJECTARIUM_CODE_ID \
+    --label "my-prologtarium" \
+    --from $MY_WALLET_ADDR \
+    --admin $MY_WALLET_ADDR \
+    --gas 1000000 \
+    '{"bucket":"my-prologtarium"}'
+```
+
+Now let's create the law-stones containing the minio & dataset prolog governance codes:
+
+```bash
+okp4d tx wasm instantiate $LAW_STONE_CODE_ID \
+    --label "minio-gov" \
+    --from local \
+    --admin local \
+    --gas 100000000 \
+    "{\"program\":\"$(cat example/s3-gov.pl | base64)\", \"storage_address\": \"$OBJECTARIUM_ADDR\"}"
+okp4d tx wasm instantiate 2 \
+    --label "data-gov" \
+    --from local \
+    --admin local \
+    --gas 100000000 \
+    "{\"program\":\"$(cat example/data-gov.pl | base64)\", \"storage_address\": \"$OBJECTARIUM_ADDR\"}"
+```
+
+Finally, the dataverse:
+
+```bash
+okp4d tx wasm instantiate $DATAVERSE_CODE_ID \
+    --label "my-local-dataverse" \
+    --from $MY_WALLET_ADDR \
+    --admin $MY_WALLET_ADDR \
+    --gas 1000000 \
+    "{\"name\":\"my-local-dataverse\",\"triplestore_config\":{\"code_id\":\"$COGNITARIUM_CODE_ID\",\"limits\":{}}}"
+```
+
+#### Declare resources
+
+Now let's declare the storage service and the dataset in the dataverse: we'll have for each one two verifiable credentials, one for the description and one referencing the governance. Then, another one will be needed to express that the dataset is served by our minio storage service, providing its protected proxy URL. Those verifiable credentials are available here:
+
+- [example/vc-s3-desc.jsonld]
+- [example/vc-s3-gov.jsonld]
+- [example/vc-data-desc.jsonld]
+- [example/vc-data-gov.jsonld]
+- [example/vc-publish.jsonld]
+
+Before submitting them we need to update the law stone addresses related to the governances in the [example/vc-s3-gov.jsonld] and [example/vc-data-gov.jsonld] credentials.
+
+Those VCs are not signed. For that we'll need to have some cryptographic keys to act as the issuers of those verifiable credentials. To facilitate this, we provide a keyring located at [example/keyring-test].
+You can list the keys with `okp4d --keyring-backend test --keyring-dir example keys list` if needed.
+
+To sign and submit the verifiable credentials we have a simple script that you can use:
+
+```bash
+./scripts/setup.sh $MY_WALLET_ADDR $DATAVERSE_ADDR
+```
+
+#### Run the infrastructure
+
+Here we need to run the minio and deploy our dataset on it. For that, we provide a [docker-compose.yml]: it will run a MinIO instance accessible at `http://localhost:9000`.For demonstration purposes, this setup will make the `README` file of this project available as part of the dataset at `http://localhost:9000/test/README.md`.
+You can start the compose with:
+
+```bash
+docker compose up
+```
+
+Now we'll run the proxy through which we'll connect to the dataverse with:
+
+```bash
+./target/dist/s3-auth-proxy start --listen-addr 0.0.0.0:8080 \
+    --jwt-secret-key 1d5be173d43385b984ef8c73fe4fb9e5ca5a31466f20bf8a250d06eec5f3079b \
+    --s3-endpoint localhost:9000 \
+    --s3-access-key minioadmin \
+    --s3-secret-key minioadmin \
+    --s3-insecure \
+    --grpc-no-tls \
+    --dataverse-addr $DATAVERSE_ADDR \
+    --svc-id did:key:zQ3shbn6v6Mwtc6nSe5LnBmBY44seFqdRKXtf5eH8tQknZCcw
+```
+
+#### Order an execution
+
+For this step, we'll act ourselves as the initiator of the execution order, and the orchestration service that'll fulfill the order, to demonstrate the interactions with the proxy.
+
+Let's create the execution order, and the execution containing the status and the parameters:
+
+```bash
+./scripts/order-exec.sh $MY_WALLET_ADDR $DATAVERSE_ADDR
+```
+
+#### Access the dataset
+
+At this point, submitting an authentication verifiable credential signed with the orchestration service keys we should be able to access the dataset, let's forge this credential:
+
+```bash
+./scripts/issue-auth-cred.sh > vc-auth.jsonld
+```
+
+And then issue an authentication request to obtain an access token:
+
+```bash
+curl -s -X POST -T ./vc-auth.jsonld http://localhost:8080/auth
+```
+
+Now we should be able to get through the proxy authorization layer with our access token:
+
+```bash
+curl -s -H "Authorization: Bearer $TOKEN" http://localhost:8080/test/README.md
+```
+
+#### Terminate the execution
+
+We just need to submit a credential expressing an execution status of delivered:
+
+```bash
+./scripts/end-exec.sh $MY_WALLET_ADDR $DATAVERSE_ADDR
+```
+
+At this point we're not anymore capable to access the dataset.

app/handler.go

@@ -48,7 +48,7 @@ func makeProxyHandler(s3Client *minio.Client, authenticator *auth.Authenticator)
 			return
 		}
 
-		claims, err := authenticator.Authorize(authHeader[7:])
+		claims, err := authenticator.Authorize(authHeader[7:], ctx.Request.URI())
 		if err != nil {
 			ctx.Response.SetStatusCode(fasthttp.StatusUnauthorized)
 			ctx.Response.SetBody([]byte(err.Error()))

auth/authenticator.go

@@ -3,10 +3,13 @@ package auth
 import (
 	"context"
 	"fmt"
+	"net/url"
+	"slices"
+
+	"github.com/valyala/fasthttp"
 
 	"okp4/s3-auth-proxy/dataverse"
 
-	"github.com/golang-jwt/jwt"
 	"github.com/piprate/json-gold/ld"
 )
 
@@ -34,28 +37,93 @@ func (a *Authenticator) Authenticate(ctx context.Context, raw []byte) (string, e
 		return "", fmt.Errorf("couldn't parse VC: %w", err)
 	}
 
-	zone, err := a.dataverseClient.GetExecutionOrderContext(ctx, claim.ForOrder, claim.ID)
+	execCtx, err := a.dataverseClient.GetExecutionOrderContext(ctx, claim.ForOrder, claim.ID)
 	if err != nil {
 		return "", fmt.Errorf("couldn't fetch execution order context: %w", err)
 	}
 
-	govCode, err := a.dataverseClient.GetResourceGovCode(ctx, a.serviceID)
-	if err != nil {
-		return "", fmt.Errorf("couldn't get governance code: %w", err)
+	executions := execCtx.ExecutionsInProgress()
+	if len(executions) == 0 {
+		return "", fmt.Errorf("execution order not in progress")
+	}
+
+	var resources []string
+	for _, exec := range executions {
+		consumed, err := a.dataverseClient.GetExecutionConsumedResources(ctx, claim.ForOrder, exec)
+		if err != nil {
+			return "", fmt.Errorf("couldn't fetch execution consumed resources: %w", err)
+		}
+
+		if !slices.Contains(consumed, a.serviceID) {
+			continue
+		}
+		resources = append(resources, consumed...)
 	}
 
-	res, err := a.dataverseClient.ExecGovernance(ctx, govCode, "service:use", claim.ID, zone)
+	if len(resources) == 0 {
+		return "", fmt.Errorf("not concerned by this execution order")
+	}
+
+	res, err := a.execGovernance(ctx, a.serviceID, "service:use", claim.ID, execCtx.Zone)
 	if err != nil {
-		return "", fmt.Errorf("couldn't check governance: %w", err)
+		return "", err
 	}
 	if res.Result != "permitted" {
-		return "", fmt.Errorf("governance rejected access, evidence: %s", res.Evidence)
+		return "", fmt.Errorf("access rejected by governance, evidence: %s", res.Evidence)
+	}
+
+	resourcePublications := make([]string, 0)
+	for _, r := range resources {
+		if r == a.serviceID {
+			continue
+		}
+
+		uri, err := a.dataverseClient.GetResourcePublication(ctx, r, a.serviceID)
+		if err != nil {
+			return "", fmt.Errorf("couldn't fetch resource publication: %w", err)
+		}
+		if uri == nil {
+			continue
+		}
+
+		res, err := a.execGovernance(ctx, r, "dataset:read", claim.ID, execCtx.Zone)
+		if err != nil {
+			return "", err
+		}
+		if res.Result != "permitted" {
+			return "", fmt.Errorf("access rejected by governance, evidence: %s", res.Evidence)
+		}
+		resourcePublications = append(resourcePublications, *uri)
 	}
 
-	return a.issueJwt(claim.ID)
+	return a.issueJwt(claim.ID, resourcePublications)
 }
 
 // Authorize verifies the provided jwt access token.
-func (a *Authenticator) Authorize(raw string) (*jwt.StandardClaims, error) {
-	return a.verifyJwt(raw)
+func (a *Authenticator) Authorize(token string, uri *fasthttp.URI) (*ProxyClaims, error) {
+	claims, err := a.verifyJwt(token)
+	if err != nil {
+		return nil, err
+	}
+
+	if !claims.CanRead(func(raw string) bool {
+		parsedURI, err := url.Parse(raw)
+		return err != nil && parsedURI.Host == string(uri.Host()) && parsedURI.Path == string(uri.Path())
+	}) {
+		return claims, fmt.Errorf("access to requested resource unauthorized")
+	}
+	return claims, nil
+}
+
+func (a *Authenticator) execGovernance(ctx context.Context, resource, action, subject, zone string) (*dataverse.GovernanceExecAnswer, error) {
+	govCode, err := a.dataverseClient.GetResourceGovCode(ctx, resource)
+	if err != nil {
+		return nil, fmt.Errorf("couldn't fetch governance code: %w", err)
+	}
+
+	res, err := a.dataverseClient.ExecGovernance(ctx, govCode, action, subject, zone)
+	if err != nil {
+		return nil, fmt.Errorf("couldn't exec governance: %w", err)
+	}
+	return res, nil
 }

auth/jwt.go

@@ -8,21 +8,44 @@ import (
 	"github.com/google/uuid"
 )
 
-func (a *Authenticator) issueJwt(authenticatedSvc string) (string, error) {
+type ProxyClaims struct {
+	jwt.StandardClaims
+	Can Permissions `json:"can"`
+}
+
+type Permissions struct {
+	Read []string `json:"read"`
+}
+
+func (c *ProxyClaims) CanRead(canFn func(uri string) bool) bool {
+	for _, u := range c.Can.Read {
+		if canFn(u) {
+			return true
+		}
+	}
+	return false
+}
+
+func (a *Authenticator) issueJwt(authenticatedSvc string, readURIs []string) (string, error) {
 	now := time.Now()
-	return jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.StandardClaims{
-		Audience:  authenticatedSvc,
-		ExpiresAt: now.Add(5 * time.Minute).Unix(),
-		Id:        uuid.New().String(),
-		IssuedAt:  now.Unix(),
-		Issuer:    a.serviceID,
-		NotBefore: now.Unix(),
-		Subject:   a.serviceID,
+	return jwt.NewWithClaims(jwt.SigningMethodHS256, ProxyClaims{
+		StandardClaims: jwt.StandardClaims{
+			Audience:  authenticatedSvc,
+			ExpiresAt: now.Add(5 * time.Minute).Unix(),
+			Id:        uuid.New().String(),
+			IssuedAt:  now.Unix(),
+			Issuer:    a.serviceID,
+			NotBefore: now.Unix(),
+			Subject:   authenticatedSvc,
+		},
+		Can: Permissions{
+			Read: readURIs,
+		},
 	}).SignedString(a.jwtSecretKey)
 }
 
-func (a *Authenticator) verifyJwt(raw string) (*jwt.StandardClaims, error) {
-	token, err := jwt.ParseWithClaims(raw, &jwt.StandardClaims{}, func(_ *jwt.Token) (interface{}, error) {
+func (a *Authenticator) verifyJwt(raw string) (*ProxyClaims, error) {
+	token, err := jwt.ParseWithClaims(raw, &ProxyClaims{}, func(_ *jwt.Token) (interface{}, error) {
 		return a.jwtSecretKey, nil
 	})
 	if err != nil {
@@ -33,7 +56,7 @@ func (a *Authenticator) verifyJwt(raw string) (*jwt.StandardClaims, error) {
 		return nil, fmt.Errorf("invalid token")
 	}
 
-	c, ok := token.Claims.(*jwt.StandardClaims)
+	c, ok := token.Claims.(*ProxyClaims)
 	if !ok {
 		return nil, fmt.Errorf("invalid claims")
 	}