d7da1b6044
The Pinning Services API standard mandates Bearer token authentication.
This adds JWT bearer token authentication to the IPFS Cluster REST and PINSVC
APIs.
The basic_auth_credentials configuration option needs to be not null and have
at least one username/passwords entry.
A user authenticated via Basic Auth can then "POST /token" and obtain a json
object:
```json { "token" : "<JWTtoken>" } ```
The JWT token has the "iss" (issuer) field set to the Basic auth user that
authorized its creation and is HMAC-signed with its password.
When basic-auth-credentials are set, the APIs will verify that requests come
with either Basic Auth authorization header or with a Bearer token
authorization header.
Bearer tokens will be decoded and the signature will be verified against the
password of the issuer.
At the moment we provide no support to revoke tokens, set "expiration date",
"not before" etc, but this may come in the future.
44 lines
1.4 KiB
Bash
Executable File
44 lines
1.4 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
test_description="Test service + ctl SSL interaction"
|
|
|
|
config="`pwd`/config/basic_auth"
|
|
|
|
. lib/test-lib.sh
|
|
|
|
test_ipfs_init
|
|
test_cluster_init "$config"
|
|
|
|
test_expect_success "prerequisites" '
|
|
test_have_prereq IPFS && test_have_prereq CLUSTER
|
|
'
|
|
|
|
test_expect_success "BasicAuth fails without credentials" '
|
|
id=`cluster_id`
|
|
{ test_must_fail ipfs-cluster-ctl id; } | grep -A1 "401" | grep -i "unauthorized"
|
|
'
|
|
|
|
test_expect_success "BasicAuth fails with bad credentials" '
|
|
id=`cluster_id`
|
|
{ test_must_fail ipfs-cluster-ctl --basic-auth "testuser" --force-http id; } | grep -A1 "401" | grep -i "unauthorized" &&
|
|
{ test_must_fail ipfs-cluster-ctl --basic-auth "testuser:badpass" --force-http id; } | grep -A1 "401" | grep -i "unauthorized" &&
|
|
{ test_must_fail ipfs-cluster-ctl --basic-auth "baduser:testpass" --force-http id; } | grep -A1 "401" | grep -i "unauthorized" &&
|
|
{ test_must_fail ipfs-cluster-ctl --basic-auth "baduser:badpass" --force-http id; } | grep -A1 "401" | grep -i "unauthorized"
|
|
'
|
|
|
|
test_expect_success "BasicAuth over HTTP succeeds with CLI flag credentials" '
|
|
id=`cluster_id`
|
|
ipfs-cluster-ctl --basic-auth "testuser:testpass" --force-http id | grep -q "$id"
|
|
'
|
|
|
|
test_expect_success "BasicAuth succeeds with env var credentials" '
|
|
id=`cluster_id`
|
|
export CLUSTER_CREDENTIALS="testuser:testpass"
|
|
ipfs-cluster-ctl --force-http id | egrep -q "$id"
|
|
'
|
|
|
|
test_clean_ipfs
|
|
test_clean_cluster
|
|
|
|
test_done
|