From 983ce716055d3217a6e14046b66a94b9254f24fe Mon Sep 17 00:00:00 2001
From: Jake Van Vorhis <83739412+jakedoublev@users.noreply.github.com>
Date: Mon, 29 Apr 2024 17:52:46 -0400
Subject: [PATCH] fix(config): update docs for enforce dpop config and clean up markdown tables (#697)
Closes https://github.com/opentdf/platform/issues/696
---
 docs/configuration.md | 78 ++++++++++++++++-----------------
 opentdf-dev.yaml | 1 +
 opentdf-example-no-kas.yaml | 1 +
 opentdf-example.yaml | 1 +
 opentdf-with-hsm.yaml | 1 +
 service/internal/auth/config.go | 11 ++++-
 6 files changed, 52 insertions(+), 41 deletions(-)
diff --git a/docs/configuration.md b/docs/configuration.md
index 25b20ee67..d7b7107cf 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -6,16 +6,16 @@ This guide provides details about the configuration setup for our application, i
 - [Server Configuration](#server-configuration)
 - [Database Configuration](#database-configuration)
 - [OPA Configuration](#opa-configuration)
--[Services Configuration](#services-configuration)
+- [Services Configuration](#services-configuration)
 ## Logger Configuration
 The logger configuration is used to define how the application logs its output.
-| Field | Description | Default |
-| --- | --- | --- |
-| `level` | The logging level. | `info` |
-| `type` | The format of the log output. | `json` |
+| Field | Description | Default | | -------- | -------------------------------- | -------- | | `level` | The logging level. | `info` | | `type` | The format of the log output. | `json` | | `output` | The output destination for logs. | `stdout` |
 Example:
@@ -31,17 +31,17 @@ logger:
 The server configuration is used to define how the application runs its server.
-| Field | Description | Default |
-| --- | --- | --- |
-| `port` | The port number for the server. | `9000` |
-| `host` | The host address for the server. | `""` |
-| `grpc.reflection` | The configuration for the grpc server. | `true` |
-| `tls.enabled` | Enable tls. | `false` |
-| `tls.cert` | The path to the tls certificate. | |
-| `tls.key` | The path to the tls key. | |
-| `auth.audience` | The audience for the IDP. | |
-| `auth.issuer` | The issuer for the IDP. | |
-| `auth.enforceDPoP` | If false, we allow access tokens that do not have DPoP bindings. | `true` |
+| Field | Description | Default | | ------------------ | ----------------------------------------------------- | ------- | | `port` | The port number for the server. | `9000` | | `host` | The host address for the server. | `""` | | `grpc.reflection` | The configuration for the grpc server. | `true` | | `tls.enabled` | Enable tls. | `false` | | `tls.cert` | The path to the tls certificate. | | | `tls.key` | The path to the tls key. | | | `auth.audience` | The audience for the IDP. | | | `auth.issuer` | The issuer for the IDP. | | | `auth.enforceDPoP` | If true, DPoP bindings on Access Tokens are enforced. | `false` |
 Example:
@@ -64,16 +64,16 @@ server:
 The database configuration is used to define how the application connects to its database.
-| Field | Description | Default |
-| --- | --- | --- |
-| `host` | The host address for the database. | `localhost` |
-| `port` | The port number for the database. | `5432` |
-| `database` | The name of the database. | `opentdf` |
-| `user` | The username for the database. | `postgres` |
-| `password` | The password for the database. | `changeme` |
-| `sslmode` | The ssl mode for the database | `prefer` |
-| `schema` | The schema for the database. | `opentdf` |
-| `runMigration` | Whether to run the database migration or not. | `true` |
+| Field | Description | Default | | -------------- | --------------------------------------------- | ----------- | | `host` | The host address for the database. | `localhost` | | `port` | The port number for the database. | `5432` | | `database` | The name of the database. | `opentdf` | | `user` | The username for the database. | `postgres` | | `password` | The password for the database. | `changeme` | | `sslmode` | The ssl mode for the database | `prefer` | | `schema` | The schema for the database. | `opentdf` | | `runMigration` | Whether to run the database migration or not. | `true` |
 Example:
@@ -91,10 +91,10 @@ db:
 ## OPA Configuration
-| Field | Description | Default |
-| --- | --- | --- |
-| `embedded` | Whether to use the embedded OPA Bundle server or not. This is only used for local development. | `false` |
-| `path` | The path to the OPA configuration file. | `./opa/opa.yaml` |
+| Field | Description | Default | | ---------- | ---------------------------------------------------------------------------------------------- | ---------------- | | `embedded` | Whether to use the embedded OPA Bundle server or not. This is only used for local development. | `false` | | `path` | The path to the OPA configuration file. | `./opa/opa.yaml` |
 Example:
@@ -108,9 +108,9 @@ opa:
 ### Key Access Server (KAS)
-| Field | Description | Default |
-| --- | --- | --- |
-| `enabled` | Enable the Key Access Server | `true` |
+| Field | Description | Default | | --------- | ---------------------------- | ------- | | `enabled` | Enable the Key Access Server | `true` |
 Example:
@@ -122,9 +122,9 @@ services:
 ### Policy
-| Field | Description | Default |
-| --- | --- | --- |
-| `enabled` | Enable the Policy Service | `true` |
+| Field | Description | Default | | --------- | ------------------------- | ------- | | `enabled` | Enable the Policy Service | `true` |
 Example:
@@ -136,6 +136,6 @@ services:
 ### Authorization
-| Field | Description | Default |
-| --- | --- | --- |
-| `enabled` | Enable the Authorization
+| Field | Description | Default | | --------- | ------------------------ | ------- | | `enabled` | Enable the Authorization |
diff --git a/opentdf-dev.yaml b/opentdf-dev.yaml
index d497f81e8..91e09bd0b 100644
--- a/opentdf-dev.yaml
+++ b/opentdf-dev.yaml
@@ -23,6 +23,7 @@ services:
 server:
 auth:
 enabled: true
+ enforceDPoP: false
 audience: "http://localhost:8080"
 issuer: http://localhost:8888/auth/realms/opentdf
 policy:
diff --git a/opentdf-example-no-kas.yaml b/opentdf-example-no-kas.yaml
index 124ae29eb..85799352c 100644
--- a/opentdf-example-no-kas.yaml
+++ b/opentdf-example-no-kas.yaml
@@ -16,6 +16,7 @@ services:
 server:
 auth:
 enabled: false
+ enforceDPoP: false
 audience: "http://localhost:8080"
 issuer: http://localhost:8888/auth/realms/tdf
 grpc:
diff --git a/opentdf-example.yaml b/opentdf-example.yaml
index 12d2fe5f5..fddc0f43f 100644
--- a/opentdf-example.yaml
+++ b/opentdf-example.yaml
@@ -23,6 +23,7 @@ services:
 server:
 auth:
 enabled: true
+ enforceDPoP: false
 audience: "http://localhost:8080"
 issuer: http://keycloak:8888/auth/realms/opentdf
 policy:
diff --git a/opentdf-with-hsm.yaml b/opentdf-with-hsm.yaml
index 013c76a10..dc8f4ce4d 100644
--- a/opentdf-with-hsm.yaml
+++ b/opentdf-with-hsm.yaml
@@ -23,6 +23,7 @@ services:
 server:
 auth:
 enabled: true
+ enforceDPoP: false
 audience: "http://localhost:8080"
 issuer: http://localhost:8888/auth/realms/opentdf
 clients:
diff --git a/service/internal/auth/config.go b/service/internal/auth/config.go
index 9ec3b5c45..b442115a9 100644
--- a/service/internal/auth/config.go
+++ b/service/internal/auth/config.go
@@ -1,6 +1,9 @@
 package auth
-import "fmt"
+import (
+ "fmt"
+ "log/slog"
+)
 // AuthConfig pulls AuthN and AuthZ together
 type Config struct {
@@ -11,7 +14,7 @@ type Config struct {
 // AuthNConfig is the configuration need for the platform to validate tokens
 type AuthNConfig struct {
- EnforceDPoP bool `yaml:"enforceDPoP" json:"enforceDPoP" default:"true"`
+ EnforceDPoP bool `yaml:"enforceDPoP" json:"enforceDPoP" mapstructure:"enforceDPoP" default:"false"`
 Issuer string `yaml:"issuer" json:"issuer"`
 Audience string `yaml:"audience" json:"audience"`
 OIDCConfiguration `yaml:"-" json:"-"`
@@ -36,5 +39,9 @@ func (c AuthNConfig) validateAuthNConfig() error {
 return fmt.Errorf("config Auth.Audience is required")
 }
+ if !c.EnforceDPoP {
+ slog.Warn("config Auth.EnforceDPoP is false. DPoP will not be enforced.")
+ }
+
 return nil
 }
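Review bot: Flipping `default:"true"` to `default:"false"` on `EnforceDPoP` makes DPoP enforcement fail-open by default, and the only signal a deployment gets is the `slog.Warn` added at the end of `validateAuthNConfig`, so any existing deployment that relied on the old default now silently accepts access tokens that are not proof-of-possession bound. Nothing in the hunk documents that trade-off on the field itself; I would add a doc comment above it: `// EnforceDPoP, when true, rejects access tokens that lack a DPoP binding. It defaults to false (plain bearer tokens are accepted); set it to true for production deployments.` The warning could likewise say what to do about it, e.g. `slog.Warn("config Auth.EnforceDPoP is false. DPoP will not be enforced; set server.auth.enforceDPoP: true for production deployments.")`. The warning is written to the package-level slog default logger; if the service installs its own handler elsewhere this is presumably picked up, but worth confirming. The enclosing `validateAuthNConfig` starts outside the hunk.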