diff --git a/prism-agent/service/server/src/main/scala/io/iohk/atala/agent/server/Main.scala b/prism-agent/service/server/src/main/scala/io/iohk/atala/agent/server/Main.scala index 6b1c63e152..afad59b72e 100644 --- a/prism-agent/service/server/src/main/scala/io/iohk/atala/agent/server/Main.scala +++ b/prism-agent/service/server/src/main/scala/io/iohk/atala/agent/server/Main.scala @@ -162,7 +162,9 @@ object MainApp extends ZIOAppDefault { VerificationPolicyServiceImpl.layer, WalletManagementServiceImpl.layer, // authentication - AppModule.authenticatorLayer, + AppModule.builtInAuthenticatorLayer, + AppModule.keycloakAuthenticatorLayer, + DefaultAuthenticator.layer, // grpc GrpcModule.prismNodeStubLayer, // storage diff --git a/prism-agent/service/server/src/main/scala/io/iohk/atala/agent/server/Modules.scala b/prism-agent/service/server/src/main/scala/io/iohk/atala/agent/server/Modules.scala index bb939b9e53..a8854e0a8b 100644 --- a/prism-agent/service/server/src/main/scala/io/iohk/atala/agent/server/Modules.scala +++ b/prism-agent/service/server/src/main/scala/io/iohk/atala/agent/server/Modules.scala @@ -43,6 +43,7 @@ import zio.* import zio.config.typesafe.TypesafeConfigSource import zio.config.{ReadError, read} import zio.http.Client +import io.iohk.atala.iam.authentication.oidc.KeycloakAuthenticator object SystemModule { val configLayer: Layer[ReadError[String], AppConfig] = ZLayer.fromZIO { @@ -62,23 +63,34 @@ object AppModule { val didJwtResolverLayer: URLayer[DIDService, JwtDidResolver] = ZLayer.fromFunction(PrismDidResolver(_)) - val authenticatorLayer: RLayer[ - AppConfig & WalletManagementService & AuthenticationRepository & EntityService & Client, - DefaultAuthenticator & ApiKeyAuthenticator + val builtInAuthenticatorLayer: URLayer[ + AppConfig & AuthenticationRepository & EntityService & WalletManagementService, + ApiKeyAuthenticator & AdminApiKeyAuthenticator ] = ZLayer.makeSome[ - AppConfig & WalletManagementService & AuthenticationRepository & EntityService & Client, - DefaultAuthenticator & ApiKeyAuthenticator + AppConfig & AuthenticationRepository & EntityService & WalletManagementService, + ApiKeyAuthenticator & AdminApiKeyAuthenticator ]( AdminConfig.layer, ApiKeyConfig.layer, - KeycloakConfig.layer, - DefaultAuthenticator.layer, AdminApiKeyAuthenticatorImpl.layer, ApiKeyAuthenticatorImpl.layer, - KeycloakAuthenticatorImpl.layer, - KeycloakClientImpl.layer ) + + val keycloakAuthenticatorLayer: RLayer[AppConfig & WalletManagementService & Client, KeycloakAuthenticator] = + ZLayer.fromZIO { + ZIO + .serviceWith[AppConfig](_.agent.authentication.keycloak.enabled) + .map { isEnabled => + if (!isEnabled) KeycloakAuthenticatorImpl.disabled + else + ZLayer.makeSome[AppConfig & WalletManagementService & Client, KeycloakAuthenticator]( + KeycloakConfig.layer, + KeycloakAuthenticatorImpl.layer, + KeycloakClientImpl.layer + ) + } + }.flatten } object GrpcModule { diff --git a/prism-agent/service/server/src/main/scala/io/iohk/atala/iam/authentication/apikey/ApiKeyAuthenticatorImpl.scala b/prism-agent/service/server/src/main/scala/io/iohk/atala/iam/authentication/apikey/ApiKeyAuthenticatorImpl.scala index b1064ecae6..68302a3668 100644 --- a/prism-agent/service/server/src/main/scala/io/iohk/atala/iam/authentication/apikey/ApiKeyAuthenticatorImpl.scala +++ b/prism-agent/service/server/src/main/scala/io/iohk/atala/iam/authentication/apikey/ApiKeyAuthenticatorImpl.scala @@ -46,7 +46,11 @@ case class ApiKeyAuthenticatorImpl( InvalidCredentials("API key is compromised") } } - } else ZIO.fail(AuthenticationMethodNotEnabled("Keycloak authentication is not enabled")) + } else { + ZIO.fail( + AuthenticationMethodNotEnabled(s"Authentication method not enabled: ${AuthenticationMethodType.ApiKey.value}") + ) + } } protected[apikey] def provisionNewEntity(apiKey: String): IO[AuthenticationRepositoryError, Entity] = synchronized { diff --git a/prism-agent/service/server/src/main/scala/io/iohk/atala/iam/authentication/oidc/KeycloakAuthenticatorImpl.scala b/prism-agent/service/server/src/main/scala/io/iohk/atala/iam/authentication/oidc/KeycloakAuthenticatorImpl.scala index 57b5a1dad7..9254a868bf 100644 --- a/prism-agent/service/server/src/main/scala/io/iohk/atala/iam/authentication/oidc/KeycloakAuthenticatorImpl.scala +++ b/prism-agent/service/server/src/main/scala/io/iohk/atala/iam/authentication/oidc/KeycloakAuthenticatorImpl.scala @@ -90,4 +90,14 @@ class KeycloakAuthenticatorImpl( object KeycloakAuthenticatorImpl { val layer: RLayer[KeycloakClient & KeycloakConfig & WalletManagementService, KeycloakAuthenticator] = ZLayer.fromFunction(KeycloakAuthenticatorImpl(_, _, _)) + + val disabled: ULayer[KeycloakAuthenticator] = + ZLayer.succeed { + val notEnabledError = ZIO.fail(AuthenticationMethodNotEnabled("Keycloak authentication is not enabled")) + new KeycloakAuthenticator { + override def isEnabled: Boolean = false + override def authenticate(token: String): IO[AuthenticationError, KeycloakEntity] = notEnabledError + override def authorize(entity: KeycloakEntity): IO[AuthenticationError, WalletId] = notEnabledError + } + } } diff --git a/prism-agent/service/server/src/test/scala/io/iohk/atala/pollux/credentialdefinition/CredentialDefinitionBasicSpec.scala b/prism-agent/service/server/src/test/scala/io/iohk/atala/pollux/credentialdefinition/CredentialDefinitionBasicSpec.scala index 86cb68e6eb..4b53450a27 100644 --- a/prism-agent/service/server/src/test/scala/io/iohk/atala/pollux/credentialdefinition/CredentialDefinitionBasicSpec.scala +++ b/prism-agent/service/server/src/test/scala/io/iohk/atala/pollux/credentialdefinition/CredentialDefinitionBasicSpec.scala @@ -7,7 +7,11 @@ import io.iohk.atala.api.http.ErrorResponse import io.iohk.atala.container.util.MigrationAspects.* import io.iohk.atala.iam.authentication.AuthenticatorWithAuthZ import io.iohk.atala.pollux.core.model.secret.CredentialDefinitionSecret -import io.iohk.atala.pollux.core.service.serdes.{ PrivateCredentialDefinitionSchemaSerDesV1, ProofKeyCredentialDefinitionSchemaSerDesV1, PublicCredentialDefinitionSerDesV1 } +import io.iohk.atala.pollux.core.service.serdes.{ + PrivateCredentialDefinitionSchemaSerDesV1, + ProofKeyCredentialDefinitionSchemaSerDesV1, + PublicCredentialDefinitionSerDesV1 +} import io.iohk.atala.pollux.credentialdefinition.controller.CredentialDefinitionController import io.iohk.atala.pollux.credentialdefinition.http.{CredentialDefinitionInput, CredentialDefinitionResponse} import sttp.client3.basicRequest