Merge pull request #303 from oracle-devrel/vch-api-fn-authorizer

added reusable assets for authorizer functions.

Author: MarcelStraka

app-dev/app-integration-and-automation/oci-api-management/README.md

@@ -2,31 +2,40 @@
 
 Oracle Cloud Infrastructure (OCI) provides a comprehensive set of services to manage the lifecycle of APIs.
 
-Developers can prototype APIs easily using the integrated **Code Editor** to create API descriptions in OpenAPI format which is supported by OCI API Gateway. Code Editor comes with Git integration and built-in integration with OCI services.
+**Oracle API Gateway** is a highly available virtual network appliance that can receive API calls at scale and route them to back-end services, such as Serverless Functions, services running on Oracle Kubernetes Engine, Oracle Integration, ORDS and more.
 
-**OCI API Management** is a fully Oracle-managed, regional service that is used to provide a policy enforcement layer for HTTP traffic. The API Gateway service enables you to publish protected APIs for HTTP/s services such as Serverless Functions, services running on Oracle Kubernetes Engine, Oracle Integration, ORDS, and other services on Oracle Cloud Infrastructure and beyond.
+Developers can choose from a wide range of tools to create API descriptions in OpenAPI format which is supported by OCI API Gateway.
+
+API Gateway provides policy enforcement such as limit the number of requests sent to back-end services, enable CORS, provide authentication and authorization, add mTLS support, modify incoming requests and outgoing responses, cache responses to improve performance and reduce load on back-end services.
 
 API managers can create Usage Plans within API Gateway and define API access tiers. API teams can monitor the traffic and analytics of their APIs based on the usage plan and subscriptions. This enables customers to analyze usage patterns as well as unlock new revenue streams by monetizing APIs.
 
 ## Useful Links
 
-- [OCI API Management Oracle.com Page](https://www.oracle.com/cloud/cloud-native/api-management/)
-- [OCI API Management Documentation](https://docs.oracle.com/iaas/Content/APIGateway/home.htm)
-- [Price List](https://www.oracle.com/cloud/price-list/#api)
 - [Quick Start Guide](https://docs.oracle.com/en-us/iaas/Content/APIGateway/Tasks/apigatewayquickstartsetupcreatedeploy.htm)
 - YouTube Videos
   - [API Gateway Overview by Product Management](https://youtu.be/10U6kTh_0Lc)
   - [Hands on lab - how to create an API Gateway](https://youtu.be/hES55nIQH0Y)
-- [Blogs](https://blogs.oracle.com/author/robert-wunderlich) by PM Robert Wunderlich
+- [Articles](https://blogs.oracle.com/author/robert-wunderlich) by Product Management
 - [Terraform examples](https://github.com/oracle/terraform-provider-oci/tree/master/examples/api_gateway)
 - Oracle Functions Samples – API Gateway Authorizer Functions
   - https://github.com/oracle-samples/oracle-functions-samples → See section Functions and API Gateway
   - https://github.com/oracle-samples/sample.fusion-ords-identityprop
-- [Oracle Architecture Center](https://docs.oracle.com/solutions/?q=&cType=reference-architectures&product=API%20Gateway&sort=date-desc&lang=en) - Reference Architectures with API Gateway
+- [Oracle Architecture Center](https://docs.oracle.com/solutions/?q=&cType=reference-architectures&product=API%20Gateway&sort=date-desc&lang=en)
+  - Reference Architectures with API Gateway
+
+### General Product Links
+
+- [API Management Product Page](https://www.oracle.com/cloud/cloud-native/api-management/)
+- [API Gateway Documentation](https://docs.oracle.com/iaas/Content/APIGateway/home.htm)
 
 ## Reusable Assets Overview
 
-Relevant reusable assets can be found in subfolders.
+Reusable assets can be found in subfolders:
+- [fn-authorizer-apigw-oic](fn-authorizer-apigw-oic)
+  - Example authorizer function for API Gateway with OIC backend. 
+- [fn-authorizer-apigw-ords](fn-authorizer-apigw-ords)
+  - Example authorizer function for API Gateway with ORDS backend.
 
 # License
 

app-dev/app-integration-and-automation/oci-api-management/fn-authorizer-apigw-oic/LICENSE

@@ -0,0 +1,35 @@
+Copyright (c) 2023 Oracle and/or its affiliates.
+
+The Universal Permissive License (UPL), Version 1.0
+
+Subject to the condition set forth below, permission is hereby granted to any
+person obtaining a copy of this software, associated documentation and/or data
+(collectively the "Software"), free of charge and under any and all copyright
+rights in the Software, and any and all patent rights owned or freely
+licensable by each licensor hereunder covering either (i) the unmodified
+Software as contributed to or provided by such licensor, or (ii) the Larger
+Works (as defined below), to deal in both
+
+(a) the Software, and
+(b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+one is included with the Software (each a "Larger Work" to which the Software
+is contributed by such licensors),
+
+without restriction, including without limitation the rights to copy, create
+derivative works of, display, perform, and distribute the Software and make,
+use, sell, offer for sale, import, export, have made, and have sold the
+Software and the Larger Work(s), and to sublicense the foregoing rights on
+either these or other terms.
+
+This license is subject to the following condition:
+The above copyright notice and either this complete permission notice or at
+a minimum a reference to the UPL must be included in all copies or
+substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

app-dev/app-integration-and-automation/oci-api-management/fn-authorizer-apigw-oic/README.md

@@ -0,0 +1,19 @@
+# fn-authorizer-apigw-oic
+ 
+*Example authorizer function for API Gateway with OIC backend.*
+ 
+# When to use this asset?
+ 
+Use this asset as an example, when you want to decouple the client authentication in API Gateway from the OIC native mechanism, by using a different Identity Provider (IdP) or a different authentication mechanism. This example is using IDCS as Identity Provider for the client authentication. You can adapt to use any OAuth compliant IdP.
+ 
+# How to use this asset?
+ 
+This asset is provided as an example. Please tailor the code according to your needs and your context.
+
+See [oci-apigw-oic-auth/README.md](oci-apigw-oic-auth/README.md) for asset details.
+ 
+# License
+ 
+Copyright (c)  2023,  Oracle and/or its affiliates.
+
+Licensed under the Universal Permissive License (UPL), Version 1.0 as shown at https://oss.oracle.com/licenses/upl.

app-dev/app-integration-and-automation/oci-api-management/fn-authorizer-apigw-oic/oci-apigw-oic-auth/README.md

@@ -0,0 +1,28 @@
+# FN App Configuration
+* idcs_introspection_endpoint https://<idcs_host>/oauth2/v1/introspect
+* introspection_idcs_app_client_id
+* introspection_idcs_app_client_secret_ocid
+* idcs_token_endpoint         https://<idcs_host>/oauth2/v1/token
+* oic_idcs_app_client_id
+* oic_idcs_app_client_secret_ocid
+* oic_scope
+
+![configuration](images/fn-app-configuration.png)
+
+# Deploy and test the function
+
+    cd oci-apigw-oic-auth
+    fn -v deploy --app <my-fn-app>
+
+    echo -n '{"data": {"token": "Bearer <token-value>"}}' | fn invoke <my-fn-app> oci-apigw-oic-auth | jq .
+
+# Inspiration and Credits
+* [OIC & OAuth 2.0 - Part 3](http://niallcblogs.blogspot.com/2022/04/908-oic-oauth-20-part-3.html)
+* [Protect OIC REST APIs with OCI API Gateway and OAuth2 – 2/2](https://mytechretreat.com/protect-oic-rest-apis-with-oci-api-gateway-and-oauth2-2-2/)
+* [Authenticating Oracle Integration flows using OAuth token from 3rd party provider](https://blogs.oracle.com/integration/post/authenticating-oic-flows-through-third-party-bearer-token)
+
+# Licence
+
+Copyright (c)  2023,  Oracle and/or its affiliates.
+
+Licensed under the Universal Permissive License (UPL), Version 1.0 as shown at https://oss.oracle.com/licenses/upl.

app-dev/app-integration-and-automation/oci-api-management/fn-authorizer-apigw-oic/oci-apigw-oic-auth/func.py

@@ -0,0 +1,151 @@
+# Copyright (c) 2023 Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+import datetime
+import io
+import json
+import logging
+from datetime import timedelta
+
+import requests
+from fdk import response
+from requests.auth import HTTPBasicAuth
+
+import ociVault
+
+oauth_apps = {}
+
+def initContext(context):
+    # This method takes elements from the Application Context and from OCI Vault to create the OAuth App Clients object.
+    if (len(oauth_apps) < 2):
+        logging.getLogger().info('Retriving details about the API and backend OAuth Apps')
+        try:
+            logging.getLogger().info('initContext: Initializing context')
+            
+            # Using ociVault
+            oauth_apps['apigw'] = {'introspection_endpoint': context['idcs_introspection_endpoint'], 
+                                  'client_id': context['introspection_idcs_app_client_id'], 
+                                  'client_secret': ociVault.getSecret(context['introspection_idcs_app_client_secret_ocid'])}
+            oauth_apps['oic'] = {'token_endpoint': context['idcs_token_endpoint'], 
+                                  'client_id': context['oic_idcs_app_client_id'], 
+                                  'client_secret': ociVault.getSecret(context['oic_idcs_app_client_secret_ocid']), 'scope': context['oic_scope']}
+
+        except Exception as ex:
+            logging.getLogger().error('initContext: Failed to get config or secrets')
+            print("ERROR [initContext]: Failed to get the configs", ex, flush=True)
+            raise
+    else:
+        logging.getLogger().info('initContext: OAuth Apps already stored')
+
+def introspectToken(access_token, introspection_endpoint, client_id, client_secret):
+    # This method handles the introspection of the received auth token to IDCS.  
+    payload = {'token': access_token}
+    headers = {'Content-Type' : 'application/x-www-form-urlencoded;charset=UTF-8', 
+               'Accept': 'application/json'}
+               
+    try:
+        token = requests.post(introspection_endpoint, 
+                              data=payload, 
+                              headers=headers, 
+                              auth=HTTPBasicAuth(client_id, client_secret))
+
+    except Exception as ex:
+        logging.getLogger().error("introspectToken: Failed to introspect token" + ex)
+        raise
+
+    return token.json()
+
+def getBackEndAuthToken(token_endpoint, client_id, client_secret, scope):
+    # This method gets the token from the back-end system (oic in this case)
+    payload = {'grant_type': 'client_credentials', 'scope': scope}
+    headers = {'Content-Type' : 'application/x-www-form-urlencoded;charset=UTF-8', 
+               'Accept': 'application/json'}
+    
+    try:
+        backend_token = requests.post(token_endpoint,
+                                    data=payload,
+                                    headers=headers,
+                                    auth=HTTPBasicAuth(client_id, client_secret))
+
+        logging.getLogger().info("getBackEndAuthToken: Got the backend token " + backend_token.text)
+
+    except Exception as ex:
+        logging.getLogger().error("getBackEndAuthToken: Failed to get the backend token" + ex)
+        raise
+    
+    return backend_token.json()
+
+def getAuthContext(token, client_apps):
+    # This method populates the Auth Context that will be returned to the gateway.
+    auth_context = {}
+
+    # Calling IDCS to validate the token and retrieve the client info
+    try:
+        token_info = introspectToken(token[len('Bearer '):], client_apps['apigw']['introspection_endpoint'], client_apps['apigw']['client_id'], client_apps['apigw']['client_secret'])
+
+    except Exception as ex:
+            logging.getLogger().error("getAuthContext: Failed to introspect token" + ex)
+            raise
+
+    # If IDCS confirmed the token is valid and active, we can proceed to populate the auth context
+    if (token_info['active'] == True):
+        auth_context['active'] = True
+        # auth_context['principal'] = token_info['sub']
+        auth_context['client_id'] = token_info['client_id']
+        auth_context['scope'] = token_info['scope']
+        
+        # Retrieving the back-end Token
+        backend_token = getBackEndAuthToken(client_apps['oic']['token_endpoint'], client_apps['oic']['client_id'], client_apps['oic']['client_secret'], client_apps['oic']['scope'])
+
+        # The maximum TTL for this auth is the lesser of the API Client Auth (IDCS) and the Gateway Client Auth (oic)
+        if (datetime.datetime.fromtimestamp(token_info['exp']) < (datetime.datetime.utcnow() + timedelta(seconds=backend_token['expires_in']))):
+            auth_context['expiresAt'] = (datetime.datetime.fromtimestamp(token_info['exp'])).replace(tzinfo=datetime.timezone.utc).astimezone().replace(microsecond=0).isoformat()
+        else:
+            auth_context['expiresAt'] = (datetime.datetime.utcnow() + timedelta(seconds=backend_token['expires_in'])).replace(tzinfo=datetime.timezone.utc).astimezone().replace(microsecond=0).isoformat()
+
+        # Storing the back_end_token in the context of the auth decision so we can map it to Authorization header using the request/response transformation policy
+        auth_context['context'] = {'back_end_token': ('Bearer ' + str(backend_token['access_token']))}
+
+    else:
+        # API Client token is not active, so we will go ahead and respond with the wwwAuthenticate header
+        auth_context['active'] = False
+        auth_context['wwwAuthenticate'] = 'Bearer realm=\"identity.oraclecloud.com\"'
+
+    return(auth_context)
+
+def handler(ctx, data: io.BytesIO=None):
+    logging.getLogger().info('Entered Handler')
+    initContext(dict(ctx.Config()))
+      
+    auth_context = {}
+    try:
+        gateway_auth = json.loads(data.getvalue())
+
+        auth_context = getAuthContext(gateway_auth['data']['token'], oauth_apps)
+
+        if (auth_context['active']):
+            logging.getLogger().info('Authorizer returning 200...')
+            return response.Response(
+                ctx,
+                response_data=json.dumps(auth_context),
+                status_code = 200,
+                headers={"Content-Type": "application/json"}
+                )
+        else:
+            logging.getLogger().info('Authorizer returning 401...')
+            return response.Response(
+                ctx,
+                response_data=json.dumps(str(auth_context)),
+                status_code = 401,
+                headers={"Content-Type": "application/json"}
+                )
+
+    except (Exception, ValueError) as ex:
+        logging.getLogger().info('error parsing json payload: ' + str(ex))
+
+        return response.Response(
+            ctx,
+            response_data=json.dumps(str(auth_context)),
+            status_code = 401,
+            headers={"Content-Type": "application/json"}
+            )
+

app-dev/app-integration-and-automation/oci-api-management/fn-authorizer-apigw-oic/oci-apigw-oic-auth/func.yaml

@@ -0,0 +1,8 @@
+# Copyright (c) 2023 Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+schema_version: 20180708
+name: oci-apigw-oic-auth
+version: 0.0.1
+runtime: python
+entrypoint: /python/bin/fdk /function/func.py handler
+memory: 256

app-dev/app-integration-and-automation/oci-api-management/fn-authorizer-apigw-oic/oci-apigw-oic-auth/images/fn-app-configuration.png

@@ -0,0 +1,20 @@
+# Copyright (c) 2023 Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+#
+# Utility Function to get secrets from OCI Vault
+import logging
+import oci
+import base64
+
+def getSecret(ocid):
+    signer = oci.auth.signers.get_resource_principals_signer()
+    try:
+        client = oci.secrets.SecretsClient({}, signer=signer)
+        secret_content = client.get_secret_bundle(ocid).data.secret_bundle_content.content.encode('utf-8')
+        decrypted_secret_content = base64.b64decode(secret_content).decode('utf-8')
+    except Exception as ex:
+        logging.getLogger().error("getSecret: Failed to get Secret" + ex)
+        print("Error [getSecret]: failed to retrieve", ex, flush=True)
+        raise
+    return decrypted_secret_content
+

app-dev/app-integration-and-automation/oci-api-management/fn-authorizer-apigw-oic/oci-apigw-oic-auth/ociVault.py

@@ -0,0 +1,5 @@
+# Copyright (c) 2023 Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+fdk
+oci
+requests

app-dev/app-integration-and-automation/oci-api-management/fn-authorizer-apigw-oic/oci-apigw-oic-auth/requirements.txt

@@ -0,0 +1,35 @@
+Copyright (c) 2023 Oracle and/or its affiliates.
+
+The Universal Permissive License (UPL), Version 1.0
+
+Subject to the condition set forth below, permission is hereby granted to any
+person obtaining a copy of this software, associated documentation and/or data
+(collectively the "Software"), free of charge and under any and all copyright
+rights in the Software, and any and all patent rights owned or freely
+licensable by each licensor hereunder covering either (i) the unmodified
+Software as contributed to or provided by such licensor, or (ii) the Larger
+Works (as defined below), to deal in both
+
+(a) the Software, and
+(b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+one is included with the Software (each a "Larger Work" to which the Software
+is contributed by such licensors),
+
+without restriction, including without limitation the rights to copy, create
+derivative works of, display, perform, and distribute the Software and make,
+use, sell, offer for sale, import, export, have made, and have sold the
+Software and the Larger Work(s), and to sublicense the foregoing rights on
+either these or other terms.
+
+This license is subject to the following condition:
+The above copyright notice and either this complete permission notice or at
+a minimum a reference to the UPL must be included in all copies or
+substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.