OPS-413: Add blacklisting by user id in token for phony api keys (#38)

* added blacklisting by user id in token for phony api keys

* fixed format

Author: WWWcool

rebar.config

@@ -51,7 +51,8 @@
 {plugins, [
     {rebar3_lint, "1.0.1"},
     {erlfmt, "1.0.0"},
-    {covertool, "2.0.4"}
+    {covertool, "2.0.4"},
+    {rebar3_thrift_compiler, {git, "https://github.com/valitydev/rebar3-thrift-compiler.git", {tag, "0.4"}}}
 ]}.
 
 %% Linter config.

src/tk_blacklist.erl

@@ -5,6 +5,7 @@
 %% API
 
 -export([is_blacklisted/2]).
+-export([is_user_blacklisted/2]).
 
 %% Supervisor callbacks
 
@@ -23,6 +24,7 @@
 %%
 
 -define(TAB, ?MODULE).
+-define(USER_TAB, user_blacklist).
 
 %%
 
@@ -34,50 +36,58 @@ child_spec(Options) ->
         type => supervisor
     }.
 
--spec is_blacklisted(tk_token:token_id(), tk_authdata:authority_id()) -> boolean().
+-spec is_blacklisted(tk_token:token_id(), tk_token:authority_id()) -> boolean().
 is_blacklisted(TokenID, AuthorityID) ->
-    check_entry({AuthorityID, TokenID}).
+    check_entry(?TAB, {AuthorityID, TokenID}).
+
+-spec is_user_blacklisted(binary(), tk_token:authority_id()) -> boolean().
+is_user_blacklisted(UserID, AuthorityID) ->
+    check_entry(?USER_TAB, {AuthorityID, UserID}).
 
 %%
 
 -spec init(options()) -> {ok, {supervisor:sup_flags(), [supervisor:child_spec()]}}.
 init(Options) ->
-    _ = init_tab(),
+    _ = init_tab(?TAB),
+    _ = init_tab(?USER_TAB),
     _ = load_blacklist_conf(maps:get(path, Options, undefined)),
     {ok, {#{}, []}}.
 
-init_tab() ->
-    ets:new(?TAB, [set, protected, named_table, {read_concurrency, true}]).
+init_tab(Name) ->
+    ets:new(Name, [set, protected, named_table, {read_concurrency, true}]).
 
 -define(ENTRIES_KEY, "entries").
+-define(USER_ENTRIES_KEY, "user_entries").
 
 load_blacklist_conf(undefined) ->
     _ = logger:warning("No token blacklist file specified! Blacklisting functionality will be disabled."),
     ok;
 load_blacklist_conf(Filename) ->
     [Mappings] = yamerl_constr:file(Filename),
     Entries = process_entries(proplists:get_value(?ENTRIES_KEY, Mappings)),
-    put_entires(Entries).
+    put_entires(?TAB, Entries),
+    UserEntries = process_entries(proplists:get_value(?USER_ENTRIES_KEY, Mappings)),
+    put_entires(?USER_TAB, UserEntries).
 
 process_entries(Entries) ->
     lists:foldl(
-        fun({AuthorityID, TokenIDs}, Acc) ->
-            Acc ++ [make_ets_entry(AuthorityID, ID) || ID <- TokenIDs]
+        fun({AuthorityID, IDs}, Acc) ->
+            Acc ++ [make_ets_entry(AuthorityID, ID) || ID <- IDs]
         end,
         [],
         Entries
     ).
 
-make_ets_entry(AuthorityID, TokenID) ->
-    {{list_to_binary(AuthorityID), list_to_binary(TokenID)}, true}.
+make_ets_entry(AuthorityID, ID) ->
+    {{list_to_binary(AuthorityID), list_to_binary(ID)}, true}.
 
 %%
 
-put_entires(Entries) ->
-    ets:insert_new(?TAB, Entries).
+put_entires(Name, Entries) ->
+    ets:insert_new(Name, Entries).
 
-check_entry(Key) ->
-    case ets:lookup(?TAB, Key) of
+check_entry(Name, Key) ->
+    case ets:lookup(Name, Key) of
         [_Entry] -> true;
         [] -> false
     end.

src/tk_context_extractor_phony_api_key.erl

@@ -20,17 +20,33 @@
 %% API functions
 
 -spec extract_context(tk_token:token_data(), opts()) -> tk_context_extractor:extracted_context() | undefined.
-extract_context(#{id := TokenID, payload := Payload}, Opts) ->
+extract_context(#{id := TokenID, payload := Payload} = TokenData, Opts) ->
     case extract_party_data(Payload) of
         {ok, PartyID} ->
-            create_context_and_metadata(TokenID, PartyID, Opts);
+            case check_blacklist(PartyID, TokenData) of
+                ok ->
+                    create_context_and_metadata(TokenID, PartyID, Opts);
+                {error, blacklisted} ->
+                    _ = logger:warning("phony_api_key context was extract, but it blacklisted for user id: ~p", [
+                        PartyID
+                    ]),
+                    undefined
+            end;
         {error, Reason} ->
             _ = logger:warning("Could not extract phony_api_key context, reason: ~p", [Reason]),
             undefined
     end.
 
 %%
 
+check_blacklist(PartyID, #{authority_id := AuthorityID}) ->
+    case tk_blacklist:is_user_blacklisted(PartyID, AuthorityID) of
+        false ->
+            ok;
+        true ->
+            {error, blacklisted}
+    end.
+
 create_context_and_metadata(TokenID, PartyID, Opts) ->
     {
         create_context(TokenID, PartyID),

test/token_keeper_SUITE.erl

@@ -29,6 +29,7 @@
 -export([authenticate_user_session_token_w_resource_access/1]).
 -export([authenticate_blacklisted_jti_fail/1]).
 -export([authenticate_non_blacklisted_jti_ok/1]).
+-export([authenticate_blacklisted_user_fail/1]).
 -export([authenticate_ephemeral_claim_token_ok/1]).
 -export([issue_ephemeral_token_ok/1]).
 -export([authenticate_offline_token_not_found_fail/1]).
@@ -118,7 +119,8 @@ groups() ->
         ]},
         {blacklist, [parallel], [
             authenticate_blacklisted_jti_fail,
-            authenticate_non_blacklisted_jti_ok
+            authenticate_non_blacklisted_jti_ok,
+            authenticate_blacklisted_user_fail
         ]}
     ].
 
@@ -482,6 +484,14 @@ authenticate_non_blacklisted_jti_ok(C) ->
     Token = issue_token_with(Claims, get_filename("keys/secondary/private.pem", C)),
     ?assertMatch(#token_keeper_AuthData{}, call_authenticate(Token, ?TOKEN_SOURCE_CONTEXT, C)).
 
+-spec authenticate_blacklisted_user_fail(config()) -> _.
+authenticate_blacklisted_user_fail(C) ->
+    JTI = unique_id(),
+    SubjectID = <<"PARTYID">>,
+    Claims = get_phony_api_key_claims(JTI, SubjectID),
+    Token = issue_token_with(Claims, get_filename("keys/local/private.pem", C)),
+    ?assertThrow(#token_keeper_AuthDataNotFound{}, call_authenticate(Token, ?TOKEN_SOURCE_CONTEXT, C)).
+
 -spec authenticate_ephemeral_claim_token_ok(config()) -> _.
 authenticate_ephemeral_claim_token_ok(C) ->
     JTI = unique_id(),

test/token_keeper_SUITE_data/blacklisted_keys.yaml

@@ -1,3 +1,6 @@
 entries:
   blacklisting_authority:
     - "MYCOOLKEY"
+user_entries:
+  blacklisting_authority:
+    - "PARTYID"