This repository was archived by the owner on May 24, 2024. It is now read-only.

API Gateway Authentication #13

@dealako

Summary

We want to leverage the API Gateway authentication headers to apply role-based access control to the EasyCLA services.

Background

The EasyCLA v2 system will reside behind the LF platform API Gateway. The REST services we develop will be protected by the Gateway and the ACS service. We need to leverage this by restricting access based on user roles.

Tasks

  • Update the swagger specification to include authentication (see the org service or project service as an example)
  • Include the LFX Kit library (see the org service example)
  • Omit the security protection for api-docs and the health and status endpoints
  • The authenticated user object will be included in the API requests
  • Bind the API security to the LFX auth model in the server configuration
  • Rebuild and ensure the authUser is passed into each API handler as a function parameter, the same way request params are
  • Ensure that only LF Admins can create CLA Groups, as defined in issue CLA Group Management #12
  • Note: you will need to obtain an Authorization Bearer Token for API calls. We have two approaches for this:
    - Open and log into the LFX UI, then take the token from the browser console: https://lfx.dev.platform.linuxfoundation.org/home/dashboard

Example 1:

  1. An LF Admin logs in
  2. Makes an API request to see the audit log
  3. The code checks the user's roles/access and sees that the user has the LF Admin role
  4. The API returns all audit log entries in the response

Example 2:

  1. A company manager for Google logs in
  2. Makes an API request to see the audit log
  3. The code checks the user's roles/access and sees that the user has the company manager role
  4. We look up the user's company ID
  5. We pass the company ID to the backend to filter the audit log by that company ID
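As an added example (not code from the EasyCLA project or the LFX Kit library), the role decision from the two walkthroughs above in Go: LF Admins see every entry, company managers only their own company's, and any other caller is denied. The AuthUser shape, the role names and the audit entries are assumptions constructed for this example.

```go
package main

import "errors"

// AuthUser stands in for the user object the gateway attaches to a request
// (assumed shape, not the LFX Kit type).
type AuthUser struct {
	Roles     []string
	CompanyID string // set for company-scoped roles such as company manager
}

// AuditEntry is a constructed audit log record.
type AuditEntry struct {
	ID, CompanyID, Action string
}

const RoleLFAdmin = "lf-admin" // role names are assumptions for this example
const RoleCompanyManager = "company-manager"

var ErrForbidden = errors.New("forbidden: no role grants audit log access")

func hasRole(u AuthUser, role string) bool {
	for _, r := range u.Roles {
		if r == role {
			return true
		}
	}
	return false
}

// AuditLogFilter returns the entries the caller may see: LF Admins get all
// of them, company managers only their own company's, and everyone else is
// denied (deny by default, which is how a gateway-protected API should behave).
func AuditLogFilter(u AuthUser, entries []AuditEntry) ([]AuditEntry, error) {
	if hasRole(u, RoleLFAdmin) {
		return entries, nil
	}
	if !hasRole(u, RoleCompanyManager) || u.CompanyID == "" {
		// A manager with no company binding must not get an unfiltered view.
		return nil, ErrForbidden
	}
	out := []AuditEntry{}
	for _, e := range entries {
		if e.CompanyID == u.CompanyID {
			out = append(out, e)
		}
	}
	return out, nil
}
```

In the real service the company ID lookup would come from the user's company binding in ACS rather than from a field on the struct, and the filter would be pushed into the backend query rather than applied in memory.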

Acceptance Criteria

Demonstrate to the stakeholders.

References

See the LF Core Platform organization or the project service as an example.

Labels

03 - Med (Medium Priority); size:Medium (An issue or feature that can be resolved in 1-3 days.)
