Merge pull request #1182 from ldclakmal/fix-security-bbes

Fix BBEs of access control category

ballerina/build.gradle

@@ -650,12 +650,11 @@ task testExamples() {
             'openapi-to-ballerina',
             'taint-checking', // Should not compile
             'secured-client-with-basic-auth',
-            'secured-client-with-jwt-auth',
-            'secured-client-with-oauth2',
-            'secured-service-with-basic-auth',
-            'secured-service-with-jwt-auth',
-            'secured-service-with-ldap',
-            'secured-service-with-oauth2',
+            'secured-client-with-bearer-token-auth',
+            'secured-client-with-self-signed-jwt-auth',
+            'secured-client-with-oauth2-client-credentials-grant-type',
+            'secured-client-with-oauth2-client-password-type',
+            'secured-client-with-oauth2-client-direct-token-type',
 
             // Disabling due to pending migration for service typing
             'websocket-cookie',
@@ -754,9 +753,10 @@ task testExamples() {
             'locks', // Output is inconsistent between runs
             'crypto', // Output with line breaks cannot be compared
             'jwt-issue-validate', // Output depends on time
-            'secured-client-with-basic-auth', // Need to run the service first
-            'secured-client-with-jwt-auth', // Need to run the service first
-            'secured-client-with-oauth2', // Need to run the service first
+            'secured-service-with-basic-auth-file-user-store', // Log output depends on time
+            'secured-service-with-basic-auth-ldap-user-store', // Log output depends on time
+            'secured-service-with-jwt-auth', // Log output depends on time
+            'secured-service-with-oauth2', // Log output depends on time
             'send-and-receive-emails',
             'task-service-timer',       // Services needs to be stopped during build
             'task-service-appointment',
@@ -824,9 +824,9 @@ task testExamples() {
     ext.buildBBE = { bbe ->
         def exitVal
         def additionalBuildParams = ""
-        if (bbe == "secured-service-with-basic-auth" || bbe == "secured-client-with-basic-auth") {
-            additionalBuildParams = "--b7a.config.file=${baseBuildPath}/${bbe}/sample-users.toml"
-        }
+//        if (bbe == "secured-service-with-basic-auth" || bbe == "secured-client-with-basic-auth") {
+//            additionalBuildParams = "--b7a.config.file=${baseBuildPath}/${bbe}/sample-users.toml"
+//        }
         println "Building example ${bbe}"
         if (Os.isFamily(Os.FAMILY_WINDOWS)) {
             //TODO: Need to verify with windows

examples/index.json

@@ -1317,17 +1317,41 @@
         "column": 3,
         "category": "Working over the network",
         "samples": [
+            {
+                "name": "Secured Service with Basic Auth LDAP User Store",
+                "url": "secured-service-with-basic-auth-ldap-user-store"
+            },
+            {
+                "name": "Secured Service with JWT Auth",
+                "url": "secured-service-with-jwt-auth"
+            },
+            {
+                "name": "Secured Service with OAuth2",
+                "url": "secured-service-with-oauth2"
+            },
             {
                 "name": "Secured Client with Basic Auth",
                 "url": "secured-client-with-basic-auth"
             },
             {
-                "name": "Secured Client with JWT Auth",
-                "url": "secured-client-with-jwt-auth"
+                "name": "Secured Client with Bearer Token Auth",
+                "url": "secured-client-with-bearer-token-auth"
+            },
+            {
+                "name": "Secured Client with Self Signed JWT Auth",
+                "url": "secured-client-with-self-signed-jwt-auth"
+            },
+            {
+                "name": "Secured Client with OAuth2 Client Credentials Grant Type",
+                "url": "secured-client-with-oauth2-client-credentials-grant-type"
+            },
+            {
+                "name": "Secured Client with OAuth2 Password Grant Type",
+                "url": "secured-client-with-oauth2-password-grant-type"
             },
             {
-                "name": "Secured Client with OAuth2",
-                "url": "secured-client-with-oauth2"
+                "name": "Secured Client with OAuth2 Direct Token Type",
+                "url": "secured-client-with-oauth2-direct-token-type"
             }
         ]
     },

examples/secured-client-with-basic-auth/secured_client_with_basic_auth.bal

@@ -1,42 +1,29 @@
-import ballerina/auth;
-import ballerina/config;
 import ballerina/http;
 import ballerina/log;
 
-// Defines the Basic Auth client endpoint to call the backend services.
-// Basic Authentication is enabled by creating an
-// `auth:OutboundBasicAuthProvider` with the `username` and `password`
-// passed as a record.
-auth:OutboundBasicAuthProvider outboundBasicAuthProvider = new({
-    username: "tom",
-    password: "1234"
-});
-
-// Creates a Basic Auth handler with the created Basic Auth provider.
-http:BasicAuthHandler outboundBasicAuthHandler =
-    new (outboundBasicAuthProvider);
-
-http:Client httpEndpoint = new("https://localhost:9090", {
-        auth: {
-            authHandler: outboundBasicAuthHandler
-        },
-        secureSocket: {
-            trustStore: {
-                path: config:getAsString("b7a.home") +
-                    "/bre/security/ballerinaTruststore.p12",
-                password: "ballerina"
-            }
+// Defines the HTTP client to call the Basic auth secured APIs.
+// The client is enriched with the `Authorization: Basic <token>` header by
+// passing the `http:CredentialsConfig` for the `auth` configuration of the
+// client.
+http:Client securedEP = checkpanic new("https://localhost:9090", {
+    auth: {
+        username: "alice",
+        password: "123"
+    },
+    secureSocket: {
+        trustStore: {
+            path: "../resources/ballerinaTruststore.p12",
+            password: "ballerina"
         }
-    });
+    }
+});
 
 public function main() {
     // Send a `GET` request to the specified endpoint.
-    var response = httpEndpoint->get("/hello/sayHello");
+    var response = securedEP->get("/foo/bar");
     if (response is http:Response) {
-        var result = response.getTextPayload();
-        log:printInfo((result is error) ?
-            "Failed to retrieve payload." : result);
-    } else {
-        log:printError("Failed to call the endpoint.", <error>response);
+        log:print(response.statusCode.toString());
+    } else if (response is http:ClientError) {
+        log:printError("Failed to call the endpoint.", err = response);
     }
 }

examples/secured-client-with-basic-auth/secured_client_with_basic_auth.description

@@ -1,11 +1,7 @@
-// A client, which is secured with Basic authentication should be used to
-// connect to a service, which is secured with Basic authentication.
-// The `auth:OutboundBasicAuthProvider` is initialized with the `username` and
-// `password` and the `http:BasicAuthHandler` is initialized by providing
-// the created `auth:OutboundBasicAuthProvider`. An additional `auth` field is
-// added to the HTTP  client endpoint initialization in order to secure the
-// simple HTTP client endpoint.
-// The `authHandler` field is defined inside the `auth` field with the value of
-// it being the reference of the created `http:BearerAuthHandler`.<br/><br/>
-// For more information on the underlying module, 
+// A client, which is secured with Basic auth can be used to connect to
+// a secured service.<br/>
+// The client is enriched with the `Authorization: Basic <token>` header by
+// passing the `http:CredentialsConfig` for the `auth` configuration of the
+// client.<br/><br/>
+// For more information on the underlying module,
 // see the [Auth module](https://ballerina.io/swan-lake/learn/api-docs/ballerina/#/ballerina/auth/latest/auth/).

examples/secured-client-with-basic-auth/secured_client_with_basic_auth.metatags

@@ -1,2 +1,2 @@
-description: BBE on how to secure HTTP client with Basic Auth in Ballerina.
+description: BBE on how to secure HTTP client with Basic auth in Ballerina.
 keywords: ballerina, ballerina by example, http, auth, basic auth

examples/secured-client-with-basic-auth/secured_client_with_basic_auth.out

@@ -1,5 +1,8 @@
-# To test the client, first start a sample service secured with Basic Auth.
-# Then start the client by executing the below command by passing Ballerina home
-# path as a system property.
-bal run secured_client_with_basic_auth.bal --b7a.home=<ballerina_home_path>
-INFO  [ballerina/log] - Hello, World!!!
+# Before testing this sample, first start a sample service secured with Basic Auth.
+# To run this sample, navigate to the directory that contains the `.bal` file,
+# and execute the `bal run` command below.
+# (You may need to change the keystore path. A sample keystore file is
+# available in the distribution.
+# The file path is <ballerina.home>/examples/resources/ballerinaKeystore.p12)
+bal run secured_client_with_basic_auth.bal
+time = 2021-01-20 20:04:13,261 level = INFO  module = "" message = "200"

examples/secured-client-with-bearer-token-auth/secured_client_with_bearer_token_auth.bal

@@ -0,0 +1,28 @@
+import ballerina/http;
+import ballerina/log;
+
+// Defines the HTTP client to call the secured APIs.
+// The client is enriched with the `Authorization: Bearer <token>` header by
+// passing the `http:BearerTokenConfig` for the `auth` configuration of the
+// client.
+http:Client securedEP = checkpanic new("https://localhost:9090", {
+    auth: {
+        token: "JlbmMiOiJBMTI4Q0JDLUhTMjU2In"
+    },
+    secureSocket: {
+        trustStore: {
+            path: "../resources/ballerinaTruststore.p12",
+            password: "ballerina"
+        }
+    }
+});
+
+public function main() {
+    // Send a `GET` request to the specified endpoint.
+    var response = securedEP->get("/foo/bar");
+    if (response is http:Response) {
+        log:print(response.statusCode.toString());
+    } else if (response is http:ClientError) {
+        log:printError("Failed to call the endpoint.", err = response);
+    }
+}

examples/secured-client-with-bearer-token-auth/secured_client_with_bearer_token_auth.description

@@ -0,0 +1,5 @@
+// A client, which is secured with Bearer token auth can be used to connect to
+// a secured service.<br/>
+// The client is enriched with the `Authorization: Bearer <token>` header by
+// passing the `http:BearerTokenConfig` for the `auth` configuration of the
+// client.

examples/secured-client-with-bearer-token-auth/secured_client_with_bearer_token_auth.metatags

@@ -0,0 +1,2 @@
+description: BBE on how to secure HTTP client with Bearer token auth in Ballerina.
+keywords: ballerina, ballerina by example, http, auth, jwt auth

examples/secured-client-with-bearer-token-auth/secured_client_with_bearer_token_auth.out

@@ -0,0 +1,8 @@
+# Before testing this sample, first start a secured sample service.
+# To run this sample, navigate to the directory that contains the `.bal` file,
+# and execute the `bal run` command below.
+# (You may need to change the keystore path. A sample keystore file is
+# available in the distribution.
+# The file path is <ballerina.home>/examples/resources/ballerinaKeystore.p12)
+bal run secured_client_with_bearer_token_auth.bal
+time = 2021-01-20 20:04:13,261 level = INFO  module = "" message = "200"