Merge pull request #279 from Moopli/req-url

fix: use auth server's external url when validating http signatures
trustbloc · Jul 28, 2022 · edf6413 · edf6413
2 parents 474b50c + c6f855c
commit edf6413
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 7 deletions.
diff --git a/pkg/restapi/gnap/operations.go b/pkg/restapi/gnap/operations.go
@@ -110,6 +110,7 @@ type Operation struct {
 	cachedOIDCProvLock  sync.RWMutex
 	tlsConfig           *tls.Config
 	callbackURL         string
+	baseURL             string
 	timeout             uint64
 	transientStore      storage.Store
 	bootstrapStore      storage.Store
@@ -199,6 +200,7 @@ func New(config *Config) (*Operation, error) {
 		bootstrapConfig:     config.BootstrapConfig,
 		introspectHandler:   introspectHandler,
 		gnapRSClient:        gnapRSClient,
+		baseURL:             config.BaseURL,
 	}, nil
 }
 
@@ -228,6 +230,15 @@ func (o *Operation) SetIntrospectHandler(i common.Introspecter) {
 func (o *Operation) authRequestHandler(w http.ResponseWriter, req *http.Request) {
 	logger.Debugf("handling auth request to URL: %s", req.URL.String())
 
+	prevURL := req.URL
+
+	var err error
+
+	req.URL, err = url.Parse(o.baseURL + req.URL.Path)
+	if err != nil {
+		req.URL = prevURL
+	}
+
 	authRequest := &gnap.AuthRequest{}
 
 	bodyBytes, err := ioutil.ReadAll(req.Body)
@@ -502,9 +513,18 @@ func (o *Operation) oidcCallbackHandler(w http.ResponseWriter, r *http.Request)
 	}
 }
 
-func (o *Operation) authContinueHandler(w http.ResponseWriter, req *http.Request) {
+func (o *Operation) authContinueHandler(w http.ResponseWriter, req *http.Request) { // nolint: funlen
 	logger.Debugf("handling continue request to URL: %s", req.URL.String())
 
+	prevURL := req.URL
+
+	var err error
+
+	req.URL, err = url.Parse(o.baseURL + req.URL.Path)
+	if err != nil {
+		req.URL = prevURL
+	}
+
 	tokHeader := strings.Split(strings.Trim(req.Header.Get("Authorization"), " "), " ")
 
 	if len(tokHeader) < 2 || tokHeader[0] != "GNAP" {
@@ -660,6 +680,15 @@ func (o *Operation) InternalIntrospectHandler() common.Introspecter {
 func (o *Operation) authIntrospectHandler(w http.ResponseWriter, req *http.Request) {
 	logger.Debugf("handling introspect request to URL: %s", req.URL.String())
 
+	prevURL := req.URL
+
+	var err error
+
+	req.URL, err = url.Parse(o.baseURL + req.URL.Path)
+	if err != nil {
+		req.URL = prevURL
+	}
+
 	introspectRequest := &gnap.IntrospectRequest{}
 
 	bodyBytes, err := ioutil.ReadAll(req.Body)

diff --git a/pkg/restapi/gnap/operations_test.go b/pkg/restapi/gnap/operations_test.go
@@ -44,6 +44,10 @@ import (
 	"github.com/trustbloc/auth/spi/gnap/proof/httpsig"
 )
 
+const (
+	baseURL = "http://test.auth"
+)
+
 func TestNew(t *testing.T) {
 	t.Run("success", func(t *testing.T) {
 		o, err := New(config(t))
@@ -156,7 +160,7 @@ func TestOperation_authRequestHandler(t *testing.T) {
 
 		rw := httptest.NewRecorder()
 
-		req := httptest.NewRequest(http.MethodPost, AuthRequestPath, bytes.NewReader(authReqBytes))
+		req := httptest.NewRequest(http.MethodPost, baseURL+AuthRequestPath, bytes.NewReader(authReqBytes))
 
 		req, err = httpsig.Sign(req, authReqBytes, priv, "sha-256")
 		require.NoError(t, err)
@@ -328,7 +332,7 @@ func TestOperation_authIntrospectHandler(t *testing.T) {
 
 		rw := httptest.NewRecorder()
 
-		req := httptest.NewRequest(http.MethodPost, AuthIntrospectPath, bytes.NewReader(intReqBytes))
+		req := httptest.NewRequest(http.MethodPost, baseURL+AuthIntrospectPath, bytes.NewReader(intReqBytes))
 
 		req, err = httpsig.Sign(req, intReqBytes, priv, "sha-256")
 		require.NoError(t, err)
@@ -1278,7 +1282,7 @@ func Test_Full_Flow(t *testing.T) {
 
 		rw := httptest.NewRecorder()
 
-		req := httptest.NewRequest(http.MethodPost, AuthRequestPath, bytes.NewReader(authReqBytes))
+		req := httptest.NewRequest(http.MethodPost, baseURL+AuthRequestPath, bytes.NewReader(authReqBytes))
 
 		req, err = httpsig.Sign(req, authReqBytes, userPriv, "sha-256")
 		require.NoError(t, err)
@@ -1374,7 +1378,7 @@ func Test_Full_Flow(t *testing.T) {
 
 		rw := httptest.NewRecorder()
 
-		req := httptest.NewRequest(http.MethodPost, AuthRequestPath, bytes.NewReader(contReqBytes))
+		req := httptest.NewRequest(http.MethodPost, baseURL+AuthRequestPath, bytes.NewReader(contReqBytes))
 		req.Header.Add("Authorization", "GNAP "+authResp.Continue.AccessToken.Value)
 
 		req, err = httpsig.Sign(req, contReqBytes, userPriv, "sha-256")
@@ -1405,7 +1409,7 @@ func Test_Full_Flow(t *testing.T) {
 
 		rw := httptest.NewRecorder()
 
-		req := httptest.NewRequest(http.MethodPost, AuthIntrospectPath, bytes.NewReader(intReqBytes))
+		req := httptest.NewRequest(http.MethodPost, baseURL+AuthIntrospectPath, bytes.NewReader(intReqBytes))
 
 		req, err = httpsig.Sign(req, intReqBytes, rsPriv, "sha-256")
 		require.NoError(t, err)
@@ -1550,7 +1554,7 @@ func config(t *testing.T) *Config {
 	return &Config{
 		StoreProvider:      storeProv,
 		AccessPolicyConfig: apConfig,
-		BaseURL:            "example.com",
+		BaseURL:            baseURL,
 		InteractionHandler: interact,
 		OIDC: &oidcmodel.Config{
 			CallbackURL: "http://test.com",