@Ayybeeshafi
Contributor

Everything seems to be in place. Still, I am facing an issue. I am not sure if it's an Instance Registry side issue or Delphi Management.
While hitting the /authenticate endpoint using CLI commands, on the CLI I get the response "The supplied authentication is invalid".
Whereas, in the logs of IR, it says "Successfully parsed Delphi Token" and "Valid Delphi token".
I have generated the Basic Auth and JWT tokens using online tools to make a CURL request to IR with the following parameters:
BasicAuth
username:admin
password:admin
JWT Authorization:
user_id:DelphiManagement
user_type:Component

Following is the CURL request from CLI:
curl -X POST -H "Authorization:Basic YWRtaW46MTIzNDU=" -H "Delphi-Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoiRGVscGhpTWFuYWdlbWVudCIsInVzZXJfdHlwZSI6IkNvbXBvbmVudCJ9.dPxLDxQfnKRNpoNE9TMi9R4iU1-xl7SugDNxI0gwGNU" http://localhost:8087/authenticate

@Ayybeeshafi Ayybeeshafi requested a review from janniclas February 3, 2019 19:49
@ghost ghost assigned Ayybeeshafi Feb 3, 2019
@ghost ghost added the review label Feb 3, 2019
@ghost ghost assigned janniclas Feb 4, 2019
@janniclas janniclas changed the title Authorization of Delphi Management at Instance Registry WIP: Authorization of Delphi Management at Instance Registry Feb 4, 2019
@janniclas
Contributor

@johannesduesing or @sami-cseseu, could one of you please have a look into the usage of the authentication by @Ayybeeshafi? I believe it's easier for you to judge if there has been a mistake there.

@Ayybeeshafi in general thank you for your work, the code looks good so far. A few general points for the pull request. This branch is obviously not ready to be merged, since the intended functionality is not working properly yet. If you know that before and still decide to open the pull request, please add the appropriate labels, like help wanted and best make it obvious in the title, so that this request is not merged by mistake (the "WIP" I added to the title stands for "Work in Progress" and is often used to mark pull requests not ready for merging).

A quick note on your code. Shouldn't the authenticate method be automatically called after starting the Scala Play server? The registration of the Scala server as a component is independent of any user interaction on the website and therefore I don't see any need to provide this as an API endpoint right now, or am I mistaken here?

@sami-cseseu

sami-cseseu commented Feb 4, 2019

I am actually helping @Ayybeeshafi to integrate it with the API of delphi-registry. We sat together on Friday and I showed him how he has to do the request. He is facing a little difficulty setting up the database; without a database user he will not get any token. He did this pull request without informing me what problem he is facing. I think we will fix this issue soon.

@janniclas
Contributor

hey @sami-cseseu,
I'm a little confused now, why do we need a database user in order to get a token for the management component? In this first step, our plan is to implement the registration of the management component at the registry (as a component just like the crawler and webapi). The user registration should be added at a later point as described in #105.

When you say 'we will fix this issue soon', does that mean it's an issue in the registry and the behavior of the code on the management side is fine so far?

@sami-cseseu

Hello @janniclas, I am not sure what delphi-management wants to achieve, but the /authenticate endpoint needs basic authorization, where you need to pass a username and password which should match the username and password of the database.

@Ayybeeshafi
Contributor Author

Hi @sami-cseseu, I am looking into the database right now.
Although, in the current code, the username and password are saved in the configuration file.
conf/application.conf

play.http.user="admin"
play.http.pass="admin"

Before sending them via the Authorization header I am converting them into Base64 (BasicAuth).

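// Authorization and BasicHttpCredentials are the akka-http header models
import akka.http.scaladsl.model.headers.{Authorization, BasicHttpCredentials}
val username = configuration.get[String]("play.http.user")
val password = configuration.get[String]("play.http.pass")
val authHeader = Authorization(BasicHttpCredentials(username, password))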

So in the header it actually looks something like Authorization:Basic YWRtaW46MTIzNDU=
I am confused if we still need the values in the database in order to send them over to Instance Registry.
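
Added example (not part of the thread or the project's code): a Python sketch that decodes the two header values from the curl command quoted in this thread, so the credentials and claims actually sent can be compared with the intended ones. The function names are hypothetical; the header values are copied from the thread.

```python
import base64
import json

# Header values copied from the curl command quoted in this thread.
BASIC_HEADER = "Basic YWRtaW46MTIzNDU="
DELPHI_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
                "eyJ1c2VyX2lkIjoiRGVscGhpTWFuYWdlbWVudCIsInVzZXJfdHlwZSI6IkNvbXBvbmVudCJ9."
                "dPxLDxQfnKRNpoNE9TMi9R4iU1-xl7SugDNxI0gwGNU")


def decode_basic(header_value):
    """Return (username, password) carried by a Basic Authorization value."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic" or not blob:
        raise ValueError("not a Basic credential")
    text = base64.b64decode(blob, validate=True).decode("utf-8")
    user, sep, password = text.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def inspect_jwt(token):
    """Decode header and claims WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return b64url_json(parts[0]), b64url_json(parts[1])


def basic_matches(header_value, expected_user, expected_password):
    """True if the header carries exactly the expected credential pair."""
    return decode_basic(header_value) == (expected_user, expected_password)


if __name__ == "__main__":
    print(decode_basic(BASIC_HEADER))
    print(inspect_jwt(DELPHI_TOKEN))
    print(basic_matches(BASIC_HEADER, "admin", "admin"))
```

Run against the values in the thread, the Basic value decodes to admin:12345 rather than admin:admin, and the token carries only user_id and user_type, with no exp claim.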

@codecov-io

codecov-io commented Feb 4, 2019

Codecov Report

Merging #109 into develop will decrease coverage by 0.16%.
The diff coverage is 0%.

@@            Coverage Diff             @@
##           develop    #109      +/-   ##
==========================================
- Coverage     4.69%   4.52%   -0.17%     
==========================================
  Files           11      12       +1     
  Lines          213     221       +8     
  Branches        15      17       +2     
==========================================
  Hits            10      10              
- Misses         203     211       +8
Impacted Files Coverage Δ
app/authorization/AuthProvider.scala 0% <0%> (ø)
app/controllers/InstanceRegistryController.scala 0% <0%> (ø) ⬆️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update 70a0e93...2ed6a60.

@johannesduesing
Contributor

I thought of the interaction like this:

  1. We enable the backend to generate a valid JWT.
    • Therefore we need to store the secret key that is also stored in the registry configuration
    • Set user_id=Management
    • Set user_type=Component
    • Short-lived, around 30 seconds maybe
  2. When the backend queries the registry for any non-user-related data / operations:
    • Generate a new JWT as described above
    • Put it into the Authorization Header (Authorization: Bearer <JWT>)
  3. When a user logs in to the frontend
    • Backend provides an endpoint /login for the frontend
    • Backend calls the registry's /authenticate endpoint with username and password received from the frontend put into the Authorization Header, and the token generated in 1. put into the Delphi-Authorization Header
    • Backend returns the user-token that was returned by the registry to the frontend
    • For subsequent user-specific requests, this user-token is passed from frontend to backend and forwarded by the backend to the registry

@janniclas Is this how you think it should be?
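
Added example (not part of the thread or the project's code): steps 1 and 2 of the comment above in stdlib Python, with the check a receiver would apply. The secret is a constructed placeholder, the function names are hypothetical, and carrying the 30-second lifetime in the standard `exp` claim is an assumption about what the registry checks.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder; the thread says the real key is the secret that is
# also stored in the registry configuration.
SHARED_SECRET = b"constructed-example-secret"

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_json(segment):
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def sign(secret, signing_input):
    return b64url(hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest())

def mint_component_token(secret, now=None, ttl=30):
    """HS256 JWT with user_id=Management, user_type=Component, valid for ttl seconds."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"user_id": "Management", "user_type": "Component", "exp": now + ttl}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    return signing_input + "." + sign(secret, signing_input)

def verify_component_token(token, secret, now=None):
    """Return the claims if signature, algorithm and expiry all check out; else raise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    expected = sign(secret, parts[0] + "." + parts[1])
    # Constant-time comparison of the recomputed and presented signatures.
    if not hmac.compare_digest(expected.encode(), parts[2].encode()):
        raise ValueError("bad signature")
    if b64url_json(parts[0]).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = b64url_json(parts[1])
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims

def registry_headers(secret, now=None):
    """Header for non-user requests, as in step 2 of the comment above."""
    return {"Authorization": "Bearer " + mint_component_token(secret, now)}
```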

@Ayybeeshafi
Contributor Author

The database is set and ready on my machine. Still, the curl command is returning "invalid credentials". Maybe there is some problem with the formatting of the curl command. So now I am trying to run the authenticate method at startup of the Scala Play server. There is some confusion on how to call a method at startup, which I intend to get cleared up in the morning.

janniclas previously approved these changes Feb 14, 2019
@bhermann bhermann merged commit 628f83e into develop Feb 15, 2019
@ghost ghost removed the review label Feb 15, 2019
@bhermann bhermann deleted the feature/Authorization branch February 15, 2019 09:48