{"id":14904253,"url":"https://github.com/axone-protocol/s3-auth-proxy","last_synced_at":"2025-05-16T08:11:23.887Z","repository":{"id":231085302,"uuid":"770855495","full_name":"axone-protocol/s3-auth-proxy","owner":"axone-protocol","description":"🛡️ S3 auth proxy to the Axone protocol","archived":false,"fork":false,"pushed_at":"2025-05-05T17:37:09.000Z","size":708,"stargazers_count":4,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-05-05T18:52:26.014Z","etag":null,"topics":["authentication","jwt","proxy"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/axone-protocol.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-03-12T09:30:10.000Z","updated_at":"2025-05-05T17:37:13.000Z","dependencies_parsed_at":"2024-04-02T12:01:04.423Z","dependency_job_id":"70183a83-3900-4837-aef7-bb3d6faf1897","html_url":"https://github.com/axone-protocol/s3-auth-proxy","commit_stats":null,"previous_names":["okp4/s3-auth-proxy","axone-protocol/s3-auth-proxy"],"tags_count":0,"template":false,"template_full_name":"okp4/template-go","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/axone-protocol%2Fs3-auth-proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/axone-protocol%2Fs3-auth-proxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/axone-protocol%2Fs3-auth-proxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/re
positories/axone-protocol%2Fs3-auth-proxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/axone-protocol","download_url":"https://codeload.github.com/axone-protocol/s3-auth-proxy/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254493368,"owners_count":22080127,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","jwt","proxy"],"created_at":"2024-09-22T13:01:22.924Z","updated_at":"2025-05-16T08:11:23.882Z","avatar_url":"https://github.com/axone-protocol.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"# S3 auth proxy\n\n\u003e S3 proxy ensuring authentication and authorization layer based on 
Axone.\n\n[![version](https://img.shields.io/github/v/release/axone-protocol/s3-auth-proxy?style=for-the-badge\u0026logo=github)](https://github.com/axone-protocol/s3-auth-proxy/releases)\n[![lint](https://img.shields.io/github/actions/workflow/status/axone-protocol/s3-auth-proxy/lint.yml?branch=main\u0026label=lint\u0026style=for-the-badge\u0026logo=github)](https://github.com/axone-protocol/s3-auth-proxy/actions/workflows/lint.yml)\n[![build](https://img.shields.io/github/actions/workflow/status/axone-protocol/s3-auth-proxy/build.yml?branch=main\u0026label=build\u0026style=for-the-badge\u0026logo=github)](https://github.com/axone-protocol/s3-auth-proxy/actions/workflows/build.yml)\n[![test](https://img.shields.io/github/actions/workflow/status/axone-protocol/s3-auth-proxy/test.yml?branch=main\u0026label=test\u0026style=for-the-badge\u0026logo=github)](https://github.com/axone-protocol/s3-auth-proxy/actions/workflows/test.yml)\n[![codecov](https://img.shields.io/codecov/c/github/axone-protocol/s3-auth-proxy?style=for-the-badge\u0026token=6NL9ICGZQS\u0026logo=codecov)](https://codecov.io/gh/axone-protocol/s3-auth-proxy)\n[![conventional commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-yellow.svg?style=for-the-badge\u0026logo=conventionalcommits)](https://conventionalcommits.org)\n[![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg?style=for-the-badge)](https://github.com/semantic-release/semantic-release)\n[![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-2.1-4baaaa.svg?style=for-the-badge)](https://github.com/axone-protocol/.github/blob/main/CODE_OF_CONDUCT.md)\n[![License](https://img.shields.io/badge/License-BSD_3--Clause-blue.svg?style=for-the-badge)](https://opensource.org/licenses/BSD-3-Clause)\n\n## Overview\n\nThe S3 proxy is a service that exposes files stored on an S3 server to the Axone protocol. 
It acts as an authentication and authorization layer, ensuring that access requests comply with the decentralized governance rules established on-chain.\n\n```mermaid\nflowchart LR\n    actor@{ shape: circle, label: \"🧑\" }\n    s3Proxy@{ shape: lin-cyl, label: \"S3 Proxy\" }\n    s3@{shape: lin-cyl, label: \"S3\u003cbr\u003eserver\"}\n    files@{ shape: docs, label: \"files\" }\n    axone@{ shape: das, label: \"Axone chain\" }\n    s3 --\u003e files\n\n    actor -- access --\u003e s3Proxy\n\n    s3Proxy ~~~\n\n    s3Proxy -. ① check .-\u003e axone\n    s3Proxy -. ② access .-\u003e s3\n```\n\n## Build\n\n- Be sure you have [Golang](https://go.dev/doc/install) installed.\n- [Docker](https://docs.docker.com/engine/install/) as well if you want to use the Makefile.\n\n```sh\nmake build\n```\n\n## Example\n\n\u003e ⚠️ **The following example may be outdated**.\n\nThe following is an example of running this proxy locally, with all the elements needed to feed a local dataverse and interact with it.\n\nIn this example, we'll have a [MinIO](https://github.com/minio/minio) instance declared as a digital storage service, with an attached governance allowing usage in a specific zone. 
We'll also have a dataset representing a single file, with a governance allowing the same zone and a specific orchestration service; the dataset will use the MinIO instance as its storage service.\n\nWe'll see how to submit an execution order that makes the file accessible through the proxy when authenticated as the orchestration service.\n\n### Prerequisites\n\nSome tools are needed in order to run the example:\n\n- [docker](https://docs.docker.com/engine/install/)\n- [axoned](https://github.com/axone-protocol/axoned)\n- [jsonld](https://github.com/digitalbazaar/jsonld-cli)\n\nThe local chain must be running with our [contracts](https://github.com/axone-protocol/contracts) stored.\n\nThe local configuration of `axoned` in `$AXONED_HOME/config/client.toml` must be sufficient on its own to sign and broadcast transactions without additional command flags (e.g. `--chain-id`, `--keyring-backend`, etc.).\n\n### Steps\n\n#### Instantiate Smart contracts\n\nFor each contract instantiation, keep the contract addresses, as they will be required for future interactions. 
You can inspect the transaction hash generated by the broadcasting process with `axoned query tx $TX_HASH` and look for the events section.\n\nLet's begin with the objectarium:\n\n```bash\naxoned tx wasm instantiate $OBJECTARIUM_CODE_ID \\\n    --label \"my-prologtarium\" \\\n    --from $MY_WALLET_ADDR \\\n    --admin $MY_WALLET_ADDR \\\n    --gas 1000000 \\\n    '{\"bucket\":\"my-prologtarium\"}'\n```\n\nNow let's create the law-stones containing the MinIO \u0026 dataset Prolog governance codes:\n\n```bash\naxoned tx wasm instantiate $LAW_STONE_CODE_ID \\\n    --label \"minio-gov\" \\\n    --from local \\\n    --admin local \\\n    --gas 100000000 \\\n    \"{\\\"program\\\":\\\"$(cat example/s3-gov.pl | base64)\\\", \\\"storage_address\\\": \\\"$OBJECTARIUM_ADDR\\\"}\"\naxoned tx wasm instantiate $LAW_STONE_CODE_ID \\\n    --label \"data-gov\" \\\n    --from local \\\n    --admin local \\\n    --gas 100000000 \\\n    \"{\\\"program\\\":\\\"$(cat example/data-gov.pl | base64)\\\", \\\"storage_address\\\": \\\"$OBJECTARIUM_ADDR\\\"}\"\n```\n\nFinally, the dataverse:\n\n```bash\naxoned tx wasm instantiate $DATAVERSE_CODE_ID \\\n    --label \"my-local-dataverse\" \\\n    --from $MY_WALLET_ADDR \\\n    --admin $MY_WALLET_ADDR \\\n    --gas 1000000 \\\n    \"{\\\"name\\\":\\\"my-local-dataverse\\\",\\\"triplestore_config\\\":{\\\"code_id\\\":\\\"$COGNITARIUM_CODE_ID\\\",\\\"limits\\\":{}}}\"\n```\n\n#### Declare resources\n\nNow let's declare the storage service and the dataset in the dataverse: each one gets two verifiable credentials, one for the description and one referencing the governance. Then, another one is needed to express that the dataset is served by our MinIO storage service, providing its protected proxy URL. 
Those verifiable credentials are available here:\n\n- [example/vc-s3-desc.jsonld](example/vc-s3-desc.jsonld)\n- [example/vc-s3-gov.jsonld](example/vc-s3-gov.jsonld)\n- [example/vc-data-desc.jsonld](example/vc-data-desc.jsonld)\n- [example/vc-data-gov.jsonld](example/vc-data-gov.jsonld)\n- [example/vc-publish.jsonld](example/vc-publish.jsonld)\n\nBefore submitting them, we need to update the law stone addresses related to the governances in the [example/vc-s3-gov.jsonld](example/vc-s3-gov.jsonld) and [example/vc-data-gov.jsonld](example/vc-data-gov.jsonld) credentials.\n\nThose VCs are not signed. To sign them, we need cryptographic keys to act as the issuers of those verifiable credentials. To facilitate this, we provide a keyring located at [example/keyring-test](example/keyring-test).\nYou can list the keys with `axoned --keyring-backend test --keyring-dir example keys list` if needed.\n\nTo sign and submit the verifiable credentials, you can use this simple script:\n\n```bash\n./scripts/setup.sh $MY_WALLET_ADDR $DATAVERSE_ADDR\n```\n\n#### Run the infrastructure\n\nHere we need to run the MinIO instance and deploy our dataset on it. 
For that, we provide a [docker-compose.yml](docker-compose.yml): it will run a MinIO instance accessible at `http://localhost:9000`. For demonstration purposes, this setup will make the `README` file of this project available as part of the dataset at `http://localhost:9000/test/README.md`.\nYou can start the compose with:\n\n```bash\ndocker compose up\n```\n\nNow we'll run the proxy, through which we'll connect to the dataverse:\n\n```bash\n./target/dist/s3-auth-proxy start --listen-addr 0.0.0.0:8080 \\\n    --jwt-secret-key 1d5be173d43385b984ef8c73fe4fb9e5ca5a31466f20bf8a250d06eec5f3079b \\\n    --s3-endpoint localhost:9000 \\\n    --s3-access-key minioadmin \\\n    --s3-secret-key minioadmin \\\n    --s3-insecure \\\n    --grpc-no-tls \\\n    --dataverse-addr $DATAVERSE_ADDR \\\n    --svc-id did:key:zQ3shbn6v6Mwtc6nSe5LnBmBY44seFqdRKXtf5eH8tQknZCcw\n```\n\n#### Order an execution\n\nFor this step, we'll act as both the initiator of the execution order and the orchestration service that fulfills it, to demonstrate the interactions with the proxy.\n\nLet's create the execution order, and the execution containing the status and the parameters:\n\n```bash\n./scripts/order-exec.sh $MY_WALLET_ADDR $DATAVERSE_ADDR\n```\n\n#### Access the dataset\n\nAt this point, by submitting an authentication verifiable credential signed with the orchestration service keys, we should be able to access the dataset. Let's issue this credential:\n\n```bash\n./scripts/issue-auth-cred.sh \u003e vc-auth.jsonld\n```\n\nAnd then issue an authentication request to obtain an access token:\n\n```bash\ncurl -s -X POST -T ./vc-auth.jsonld http://localhost:8080/auth\n```\n\nNow we should be able to get through the proxy authorization layer with our access token:\n\n```bash\ncurl -s -H \"Authorization: Bearer $TOKEN\" http://localhost:8080/test/README.md\n```\n\n#### Terminate the execution\n\nWe just need to submit a credential expressing an execution status of 
delivered:\n\n```bash\n./scripts/end-exec.sh $MY_WALLET_ADDR $DATAVERSE_ADDR\n```\n\nAt this point we are no longer able to access the dataset.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faxone-protocol%2Fs3-auth-proxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faxone-protocol%2Fs3-auth-proxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faxone-protocol%2Fs3-auth-proxy/lists"}