Testing WebFlux interface using WebTestClient - 401 Status on mTLS request - spring-webflux

I'm getting 401 status when trying to test WebFlux interface using WebTestClient. The endpoint requires a client certificate for authentication. I'm getting as a result 401. This is a result of making requests without a client certificate.
Is it possible to somehow setup WebTestClient for making requests with client certificates?
I saw that there is possiblity to setup WebClient, but not found a way for WebTestClient ..

Related

(SSG-WSG) How do I connect to the Mock or Test API Gateway using the certificate method?

Just using postman I can set up a certificate and connect to active subscriptions. When I try and connect to the Mock API to test the connection for, getting course runs, for example, I am getting an error
Error: error:0b000074:X.509 certificate routines:OPENSSL_internal:KEY_VALUES_MISMATCH
Is there a different way I am supposed to test certificate connections?
While it's not such a big deal with GET requests, this is going to be important for POST requests.
You don't need a certificate to call Mock APIs.
You can instead try to call it directly without the certificate as it will only display a mock response of the API.

WSO2 API Manager: setting https endpoint

I create an API where I configure the endpoint: https://ssl.croinform.ru:450/api.test
And there is a problem with https, I am not getting a response to the request. It seems the WSO2 API Manager API gateway is not proxying requests to the endpoint.
When I make requests directly, I pre-configure the infrastructure: install the openssl counterpart, install the cacer.p7b and ssl.croinform.cer certificates. After that, I successfully receive responses from the ssl.croinform.ru:450/api.test service.
Can you tell me what I need to do to make this work in WSO2 API Manager?

does flutter dart's http request have tls support?

I do not know much about computer networks but I've been dabbling with flutter and aws lambda.
I have a flutter (dart) code that uses http package to make an http request like the following:
import 'package:http/http.dart' as http
final response = await http.get('https://<address to my lambda function via api gateway>');
final body = response.body;
Looking at the http package in pub.dev, it says that the package is a A composable, Future-based library for making HTTP requests. and does not say anything about TLS(SSL). However, the url I provided in the above code is https generated by aws API gateway. So my question is, in the above code, is it using https or http? If it is using http, it is not secure hence, i need to add another layer of security to prevent hackers such as Man in the middle attack. If it is https, does that mean the data that gets sent is encrypted via TLS, hence I do not need any sort of asymmetric encryption between the client and the server?

Cloud Run - gRPC authentication through service account - Java

I've deployed to Google Cloud Run (fully managed) a gRPC server with the option "Required Authentication" set to true.
I'm trying to authenticate the calls from my gRPC client through a Google Service Account, however I'm always getting below exception.
Exception in thread "main" io.grpc.StatusRuntimeException: UNAUTHENTICATED: HTTP status code 401
Below is how I'm creating the gRPC channel and attaching the service account.
public GrpcClient(Channel channel) throws IOException {
Credentials credentials = GoogleCredentials.getApplicationDefault();
blockingStub = CalculatorServiceGrpc
.newBlockingStub(channel)
.withCallCredentials(MoreCallCredentials.from(credentials));
}
Obs.: env var GOOGLE_APPLICATION_CREDENTIALS is set with the path of the SA, and the SA has Cloud Run Invoker privilege
Is there anything that I'm missing?
When calling a Cloud Run server from a generic HTTP client, setting GOOGLE_APPLICATION_CREDENTIALS doesn't have an effect. (That only works when you call Google’s APIs with a Google client library.)
Even when deployed to Cloud Run, gRPC is just HTTP/2, so authenticating to a Cloud Run service is documented at the Service-to-Service Authentication page. In a nutshell this involves:
getting a JWT (identity token) from metadata service endpoint inside the container
setting it as a header on the request to the Cloud Run app, as Authorization: Bearer [[ID_TOKEN]].
In gRPC, headers are called "metadata", so you should find the equivalent gRPC Java method to set that. (It probably is a per-RPC option.)
Read about a Go example here, it basically explains you that gRPC servers running on Cloud Run still authenticate the same way. In this case, also make sure to tell Java:
you need to connect to domain:443 (not :80)
gRPC Java needs to use machine root CA certificates to verify validity of TLS certificate presented by Cloud Run (as opposed to skipping TLS verification)
After some more research I was able to authenticate the requests using IdTokenCredentials. See below the result.
public GrpcClient(Channel channel) throws IOException {
ServiceAccountCredentials saCreds = ServiceAccountCredentials
.fromStream(new FileInputStream("path\to\sa"));
IdTokenCredentials tokenCredential = IdTokenCredentials.newBuilder().setIdTokenProvider(saCreds)
.setTargetAudience("https://{projectId}-{hash}-uc.a.run.app").build();
blockingStub = CalculatorServiceGrpc
.newBlockingStub(channel)
.withCallCredentials(MoreCallCredentials.from(tokenCredential));
}
I came across this post looking for a Python-related answer.
So for those who want to solve this problem using a Python client:
import google.oauth2
import google.oauth2.id_token
import google.auth
import google.auth.transport
import google.auth.transport.requests
TARGET_CHANNEL = "your-app-name.run.app:443"
token = google.oauth2.id_token.fetch_id_token(google.auth.transport.requests.Request(), TARGET_CHANNEL)
call_cred = grpc.access_token_call_credentials(auth.get_identification_token(
"https://" + TARGET_CHANNEL.strip(':443')))
channel_cred = grpc.composite_channel_credentials(grpc.ssl_channel_credentials(), call_cred)
channel = grpc.secure_channel(TARGET_CHANNEL, credentials=channel_cred)`
I was also running into UNAUTHENTICATED: HTTP status code 401. I had a GCP Load Balancer all setup with HTTPS and a backend routing to a Cloud Run Service. The backend service has to be HTTP2 for grpc like the above answer. But there was one more spot that needed HTTP2. The cloud run service needs to be setup to accept HTTP2, by default it is HTTP1. You can use
gcloud run services update <SERVICE> --use-http2
to set the cloud run to use http2. This will allow the load balancers backend HTTP2 to communicate with the Cloud Run Service over HTTP which grpc is required to have.
https://cloud.google.com/run/docs/configuring/http2

Two-legged authorization with apache http server

I have an api (running in a jetty instance) where I use two-legged oauth protocol to give access to the clients. I wrote a simple java client (using oauth-signpost) to connect to the api and the connection is successful.
I would like to put the api behind an apache http server. The apache http server is configured to forward request to api.
The following works:
(without oauth) Client ---> Apache HTTP Server --> Jetty
(with oauth) Client ---> Jetty
The following doesn't work:
(with oauth) Client ---> Apache HTTP Server ---> Jetty
I receive the following error message
"Invalid signature for signature method HMAC-SHA1"
Has any of you faced this issue? Is it possible to sign the request but without the hostname and port?
Thank you.
I had a similar problem. The problem I found was that the OAuth signature and the OAuth header block need to have the Jetty URL, not the Apache URL.
I had to modify my code to pass along two URLs. The URL I was sending the request to (Apache) and the URL of the resource on the final system (Jetty URL).