Add path-based filtering support for API keys (#205)

block-core · Aug 16, 2020 · f4b3c46 · f4b3c46
1 parent 2a1d8f4
commit f4b3c46
Show file tree

Hide file tree

Showing 5 changed files with 49 additions and 13 deletions.
diff --git a/src/Features/Blockcore.Features.NodeHost/Authentication/ApiKey.cs b/src/Features/Blockcore.Features.NodeHost/Authentication/ApiKey.cs
@@ -20,5 +20,7 @@ public class ApiKey
         //public DateTime ValidTo { get; set; } // TODO: Add support for time-activated API keys.
 
         public IReadOnlyCollection<string> Roles { get; set; }
+
+        public IReadOnlyCollection<string> Paths { get; set; }
     }
 }
diff --git a/src/Features/Blockcore.Features.NodeHost/Authentication/ApiKeyAuthenticationHandler.cs b/src/Features/Blockcore.Features.NodeHost/Authentication/ApiKeyAuthenticationHandler.cs
@@ -51,6 +51,19 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
 
             if (existingApiKey != null)
             {
+                // First verify the path access is enabled, if so we'll perform a validation here.
+                if (this.Request.Path.HasValue && existingApiKey.Paths != null && existingApiKey.Paths.Count > 0)
+                {
+                    string path = this.Request.Path.Value;
+                    bool hasAccess = existingApiKey.Paths.Any(p => path.StartsWith(p));
+
+                    if (!hasAccess)
+                    {
+                        // Return NoResult and return standard 401 Unauthorized result.
+                        return AuthenticateResult.NoResult();
+                    }
+                }
+
                 var claims = new List<Claim>
                 {
                     new Claim(ClaimTypes.Name, existingApiKey.Owner)

diff --git a/src/Features/Blockcore.Features.NodeHost/Startup.cs b/src/Features/Blockcore.Features.NodeHost/Startup.cs
@@ -49,6 +49,9 @@ public void ConfigureServices(IServiceCollection services)
         {
             NodeHostSettings hostSettings = fullNode.Services.ServiceProvider.GetService<NodeHostSettings>();
 
+            // Make the configuration available to custom features.
+            services.AddSingleton(this.Configuration);
+
             services.AddLogging(loggingBuilder =>
             {
                 loggingBuilder.AddConfiguration(this.Configuration.GetSection("Logging"));

diff --git a/src/Features/Blockcore.Features.NodeHost/appsettings.json b/src/Features/Blockcore.Features.NodeHost/appsettings.json
@@ -6,18 +6,5 @@
       "System": "Information",
       "Microsoft": "Information"
     }
-  },
-  "Blockcore": {
-    "API": {
-      "Keys": [
-        {
-          "Id": 1,
-          "Enabled":  false,
-          "Owner": "Admin",
-          "Key": "1ca8f906-a23e-48b2-8b83-e95290986d0e",
-          "Roles": [ "User", "Admin" ]
-        }
-      ]
-    }
   }
 }
diff --git a/src/Node/Blockcore.Node/appsettings.json b/src/Node/Blockcore.Node/appsettings.json
@@ -0,0 +1,31 @@
+{
+  "Logging": {
+    "IncludeScopes": false,
+    "LogLevel": {
+      "Default": "Information",
+      "System": "Information",
+      "Microsoft": "Information"
+    }
+  },
+  "Blockcore": {
+    "API": {
+      "Keys": [
+        {
+          "Id": 1,
+          "Enabled": false,
+          "Owner": "Admin",
+          "Key": "1ca8f906-a23e-48b2-8b83-e95290986d0e",
+          "Roles": [ "User", "Admin" ]
+        },
+        {
+          "Id": 2,
+          "Enabled": false,
+          "Owner": "Registry",
+          "Key": "132525f1-46d2-45eb-bfe5-8a354b63ce36",
+          "Roles": [ "User" ],
+          "Paths": [ "/api/identity", "/api/storage", "/.well-known" ]
+        }
+      ]
+    }
+  }
+}