fix: make keycloak not call service when disabled

Signed-off-by: Pat Losoponkul <pat.losoponkul@iohk.io>
hyperledger · Oct 11, 2023 · 495f618 · 495f618
1 parent 02df2ad
commit 495f618
Show file tree

Hide file tree

Showing 5 changed files with 44 additions and 12 deletions.
diff --git a/prism-agent/service/server/src/main/scala/io/iohk/atala/agent/server/Main.scala b/prism-agent/service/server/src/main/scala/io/iohk/atala/agent/server/Main.scala
@@ -162,7 +162,9 @@ object MainApp extends ZIOAppDefault {
           VerificationPolicyServiceImpl.layer,
           WalletManagementServiceImpl.layer,
           // authentication
-          AppModule.authenticatorLayer,
+          AppModule.builtInAuthenticatorLayer,
+          AppModule.keycloakAuthenticatorLayer,
+          DefaultAuthenticator.layer,
           // grpc
           GrpcModule.prismNodeStubLayer,
           // storage

diff --git a/prism-agent/service/server/src/main/scala/io/iohk/atala/agent/server/Modules.scala b/prism-agent/service/server/src/main/scala/io/iohk/atala/agent/server/Modules.scala
@@ -43,6 +43,7 @@ import zio.*
 import zio.config.typesafe.TypesafeConfigSource
 import zio.config.{ReadError, read}
 import zio.http.Client
+import io.iohk.atala.iam.authentication.oidc.KeycloakAuthenticator
 
 object SystemModule {
   val configLayer: Layer[ReadError[String], AppConfig] = ZLayer.fromZIO {
@@ -62,23 +63,34 @@ object AppModule {
   val didJwtResolverLayer: URLayer[DIDService, JwtDidResolver] =
     ZLayer.fromFunction(PrismDidResolver(_))
 
-  val authenticatorLayer: RLayer[
-    AppConfig & WalletManagementService & AuthenticationRepository & EntityService & Client,
-    DefaultAuthenticator & ApiKeyAuthenticator
+  val builtInAuthenticatorLayer: URLayer[
+    AppConfig & AuthenticationRepository & EntityService & WalletManagementService,
+    ApiKeyAuthenticator & AdminApiKeyAuthenticator
   ] =
     ZLayer.makeSome[
-      AppConfig & WalletManagementService & AuthenticationRepository & EntityService & Client,
-      DefaultAuthenticator & ApiKeyAuthenticator
+      AppConfig & AuthenticationRepository & EntityService & WalletManagementService,
+      ApiKeyAuthenticator & AdminApiKeyAuthenticator
     ](
       AdminConfig.layer,
       ApiKeyConfig.layer,
-      KeycloakConfig.layer,
-      DefaultAuthenticator.layer,
       AdminApiKeyAuthenticatorImpl.layer,
       ApiKeyAuthenticatorImpl.layer,
-      KeycloakAuthenticatorImpl.layer,
-      KeycloakClientImpl.layer
     )
+
+  val keycloakAuthenticatorLayer: RLayer[AppConfig & WalletManagementService & Client, KeycloakAuthenticator] =
+    ZLayer.fromZIO {
+      ZIO
+        .serviceWith[AppConfig](_.agent.authentication.keycloak.enabled)
+        .map { isEnabled =>
+          if (!isEnabled) KeycloakAuthenticatorImpl.disabled
+          else
+            ZLayer.makeSome[AppConfig & WalletManagementService & Client, KeycloakAuthenticator](
+              KeycloakConfig.layer,
+              KeycloakAuthenticatorImpl.layer,
+              KeycloakClientImpl.layer
+            )
+        }
+    }.flatten
 }
 
 object GrpcModule {

diff --git a/...rver/src/main/scala/io/iohk/atala/iam/authentication/apikey/ApiKeyAuthenticatorImpl.scala b/...rver/src/main/scala/io/iohk/atala/iam/authentication/apikey/ApiKeyAuthenticatorImpl.scala
@@ -46,7 +46,11 @@ case class ApiKeyAuthenticatorImpl(
               InvalidCredentials("API key is compromised")
           }
       }
-    } else ZIO.fail(AuthenticationMethodNotEnabled("Keycloak authentication is not enabled"))
+    } else {
+      ZIO.fail(
+        AuthenticationMethodNotEnabled(s"Authentication method not enabled: ${AuthenticationMethodType.ApiKey.value}")
+      )
+    }
   }
 
   protected[apikey] def provisionNewEntity(apiKey: String): IO[AuthenticationRepositoryError, Entity] = synchronized {

diff --git a/...rver/src/main/scala/io/iohk/atala/iam/authentication/oidc/KeycloakAuthenticatorImpl.scala b/...rver/src/main/scala/io/iohk/atala/iam/authentication/oidc/KeycloakAuthenticatorImpl.scala
@@ -90,4 +90,14 @@ class KeycloakAuthenticatorImpl(
 object KeycloakAuthenticatorImpl {
   val layer: RLayer[KeycloakClient & KeycloakConfig & WalletManagementService, KeycloakAuthenticator] =
     ZLayer.fromFunction(KeycloakAuthenticatorImpl(_, _, _))
+
+  val disabled: ULayer[KeycloakAuthenticator] =
+    ZLayer.succeed {
+      val notEnabledError = ZIO.fail(AuthenticationMethodNotEnabled("Keycloak authentication is not enabled"))
+      new KeycloakAuthenticator {
+        override def isEnabled: Boolean = false
+        override def authenticate(token: String): IO[AuthenticationError, KeycloakEntity] = notEnabledError
+        override def authorize(entity: KeycloakEntity): IO[AuthenticationError, WalletId] = notEnabledError
+      }
+    }
 }
diff --git a/.../test/scala/io/iohk/atala/pollux/credentialdefinition/CredentialDefinitionBasicSpec.scala b/.../test/scala/io/iohk/atala/pollux/credentialdefinition/CredentialDefinitionBasicSpec.scala
@@ -7,7 +7,11 @@ import io.iohk.atala.api.http.ErrorResponse
 import io.iohk.atala.container.util.MigrationAspects.*
 import io.iohk.atala.iam.authentication.AuthenticatorWithAuthZ
 import io.iohk.atala.pollux.core.model.secret.CredentialDefinitionSecret
-import io.iohk.atala.pollux.core.service.serdes.{ PrivateCredentialDefinitionSchemaSerDesV1, ProofKeyCredentialDefinitionSchemaSerDesV1, PublicCredentialDefinitionSerDesV1 }
+import io.iohk.atala.pollux.core.service.serdes.{
+  PrivateCredentialDefinitionSchemaSerDesV1,
+  ProofKeyCredentialDefinitionSchemaSerDesV1,
+  PublicCredentialDefinitionSerDesV1
+}
 import io.iohk.atala.pollux.credentialdefinition.controller.CredentialDefinitionController
 import io.iohk.atala.pollux.credentialdefinition.http.{CredentialDefinitionInput, CredentialDefinitionResponse}
 import sttp.client3.basicRequest