d7da1b6044
The Pinning Services API standard mandates Bearer token authentication.
This adds JWT bearer token authentication to the IPFS Cluster REST and PINSVC
APIs.
The basic_auth_credentials configuration option needs to be not null and have
at least one username/passwords entry.
A user authenticated via Basic Auth can then "POST /token" and obtain a json
object:
```json { "token" : "<JWTtoken>" } ```
The JWT token has the "iss" (issuer) field set to the Basic auth user that
authorized its creation and is HMAC-signed with its password.
When basic-auth-credentials are set, the APIs will verify that requests come
with either Basic Auth authorization header or with a Bearer token
authorization header.
Bearer tokens will be decoded and the signature will be verified against the
password of the issuer.
At the moment we provide no support to revoke tokens, set "expiration date",
"not before" etc, but this may come in the future.
30 lines
710 B
Bash
Executable File
30 lines
710 B
Bash
Executable File
#!/bin/bash
|
|
|
|
test_description="Test service + ctl SSL interaction"
|
|
|
|
config="`pwd`/config/ssl-basic_auth"
|
|
|
|
. lib/test-lib.sh
|
|
|
|
test_ipfs_init
|
|
test_cluster_init "$config"
|
|
|
|
test_expect_success "prerequisites" '
|
|
test_have_prereq IPFS && test_have_prereq CLUSTER
|
|
'
|
|
|
|
test_expect_success "ssl interaction fails with bad credentials" '
|
|
id=`cluster_id`
|
|
{ test_must_fail ipfs-cluster-ctl --no-check-certificate --basic-auth "testuser:badpass" id; } | grep -A1 "401" | grep -i "unauthorized"
|
|
'
|
|
|
|
test_expect_success "ssl interaction succeeds" '
|
|
id=`cluster_id`
|
|
ipfs-cluster-ctl --no-check-certificate --basic-auth "testuser:testpass" id | egrep -q "$id"
|
|
'
|
|
|
|
test_clean_ipfs
|
|
test_clean_cluster
|
|
|
|
test_done
|