Use cloudfoundry/uaa as a base for the Steeltoe UAA server, add GHA (#35)
Co-authored-by: Bart Koelman <104792814+bart-vmware@users.noreply.github.com>
Родитель
244e17137f
Коммит
dd9126b41f
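--- /dev/null
+++ b/[workflow path not shown]
@@ -0,0 +1,51 @@
+name: Build UAA Server
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'uaa-server/**'
+  push:
+    branches:
+      - main
+    paths:
+      - 'uaa-server/**'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: 'read'
+
+env:
+  IMAGE_NAME: uaa-server
+  REGISTRY: ${{ github.event_name == 'pull_request' && vars.DOCKER_REGISTRY || 'steeltoeoss' }}
+
+jobs:
+  build-push:
+    name: Build and push image
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build Image
+        run: ./build.ps1 -Name ${{ env.IMAGE_NAME }} -Registry ${{ env.REGISTRY }}
+
+      - name: Login to private container registry
+        if: ${{ github.event_name == 'pull_request' }}
+        uses: docker/login-action@v3
+        with:
+          registry: "${{ vars.DOCKER_REGISTRY }}"
+          username: "${{ secrets.DOCKER_USERNAME }}"
+          password: "${{ secrets.DOCKER_PASSWORD }}"
+      - name: Login to Docker Hub
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Push image
+        run: docker push --all-tags ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}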
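Review bot: The `Push image` step at the end of the hunk pushes, on every `pull_request` event, an image built from the PR's code to `vars.DOCKER_REGISTRY` with `--all-tags`, presumably the same `77.10` / `77` tags the main-branch build uses (the tag list lives in the new one-line tags file), so an unreviewed PR replaces the registry's current tags, while a PR from a fork has empty `secrets.DOCKER_*` values and simply fails at the login step. Gating the registry steps on same-repository PRs, `if: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository }}`, or tagging PR builds with `github.event.pull_request.number` so they can never replace a released tag, would close that gap. The `${{ env.REGISTRY }}` interpolation in the `run:` lines is acceptable here because it derives from repository-controlled `vars`, not from PR-controlled data. The two login steps quote their `with:` values inconsistently; quoting all four as the first step does is the safer YAML habit.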
@ -1,11 +1,10 @@
|
|||
FROM adoptopenjdk/openjdk11 as source
|
||||
RUN apt-get update && apt-get install -y git
|
||||
RUN git clone -b v75.0.0 https://github.com/cloudfoundry/uaa.git
|
||||
COPY uaa.yml /uaa/uaa/src/main/resources/uaa.yml
|
||||
WORKDIR /uaa
|
||||
RUN ./gradlew assemble
|
||||
# -----------------------------------------------------------------------------
|
||||
# UAA Server Build
|
||||
# -----------------------------------------------------------------------------
|
||||
|
||||
FROM source as run
|
||||
WORKDIR /uaa
|
||||
FROM cloudfoundry/uaa:77.10.0
|
||||
COPY uaa.yml /uaa/uaa.yml
|
||||
COPY log4j2.properties /uaa/log4j2.properties
|
||||
ENV CLOUDFOUNDRY_CONFIG_PATH /uaa
|
||||
ENV SPRING_PROFILES hsql,default
|
||||
EXPOSE 8080
|
||||
CMD ["./gradlew", "run"]
|
|
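Review bot: `FROM cloudfoundry/uaa:77.10.0` pins the base image by a mutable tag only; since the resulting image bakes in `uaa.yml` and `log4j2.properties` and is published to Docker Hub, pinning by digest as well (`FROM cloudfoundry/uaa:77.10.0@sha256:<digest-placeholder>`) makes the build reproducible and turns any base-image change into a visible diff. The version is now spelled `77.10.0` here and in the new version file and `77.10` / `77` in the tags file; an `ARG UAA_VERSION` fed from the version file would keep them from drifting, although how `build.ps1` consumes those files is not visible in this commit. `ENV CLOUDFOUNDRY_CONFIG_PATH /uaa` and `ENV SPRING_PROFILES hsql,default` use the legacy space-separated form; `ENV CLOUDFOUNDRY_CONFIG_PATH=/uaa` is the documented syntax. Which of `WORKDIR /uaa`, `EXPOSE 8080` and `CMD ["./gradlew", "run"]` survive on the new side cannot be told from the rendered page.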
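--- a/[path not shown: README.adoc]
+++ /dev/null
@@ -1,13 +0,0 @@
-= steeltoeoss/sample-uaa-server
-:toc: preamble
-:toclevels: 1
-:!toc-title:
-:linkattrs:
-
-SteeltoeOSS https://github.com/cloudfoundry/uaa[CloudFoundry User Account and Authentication (UAA)] Docker image.
-
-== Running
-
-----
-$ docker run -it -p 8080:8080 steeltoeoss/sample-uaa-server
-----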
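--- /dev/null
+++ b/[path not shown: README.md]
@@ -0,0 +1,26 @@
+# UAA Server for Steeltoe Samples
+
+This directory contains resources for building a [CloudFoundry User Account and Authentication (UAA)](https://github.com/cloudfoundry/uaa) Docker image that is customized to work with [Steeltoe Samples](https://github.com/SteeltoeOSS/Samples).
+
+## Running Local
+
+To run this image locally:
+
+```shell
+docker run -it -p 8080:8080 --name steeltoe-uaa steeltoe.azurecr.io/uaa-server:77.10
+```
+
+## Customizing for your Cloud Foundry environment
+
+These instructions will help you build and deploy a custom image to use as an identity provider for [Single Sign-On for VMware Tanzu Application Service](https://docs.vmware.com/en/Single-Sign-On-for-VMware-Tanzu-Application-Service/index.html):
+
+1. Clone this repository.
+1. (Operator task) Create an [identity zone](https://docs.vmware.com/en/VMware-Tanzu-Application-Service/6.0/tas-for-vms/uaa-concepts.html#identity-zones-0)
+1. Change the `redirect-uri` entry for `ssotile` in [uaa.yml](uaa.yml#132) to match your identity zone.
+1. (OPTIONAL) Customize the name of the image you're about to build by renaming the `uaa-server` directory
+1. `.\build.ps1 .\uaa-server`.
+1. Push the image to an image repository accessible from your Cloud Foundry environment.
+1. Deploy the image with a command similar to this:
+   * `cf push steeltoe-uaa --docker-image steeltoe.azurecr.io/uaa-server:77.10`
+1. (Operator task) [Add the new identity provider with OpenID Connect](https://docs.vmware.com/en/Single-Sign-On-for-VMware-Tanzu-Application-Service/1.14/sso/GUID-configure-external-id.html#config-ext-oidc)
+   * Use the `ssotile` credentials from uaa.yml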
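--- /dev/null
+++ b/[path not shown: log4j2.properties]
@@ -0,0 +1,30 @@
+status = error
+dest = err
+name = UaaLog
+
+property.log_pattern=[%d{yyyy-MM-dd'T'HH:mm:ss.nnnnnn}{GMT+0}Z] uaa%X{context} - %pid [%t] .... %5p --- %c{1}: %replace{%m}{(?<=password=|client_secret=)([^&]*)}{<redacted>}%n
+
+appender.uaaDefaultAppender.type = File
+appender.uaaDefaultAppender.name = UaaDefaultAppender
+appender.uaaDefaultAppender.fileName = logs/uaa.log
+appender.uaaDefaultAppender.layout.type = PatternLayout
+appender.uaaDefaultAppender.layout.pattern = ${log_pattern}
+
+appender.uaaAuditAppender.type = File
+appender.uaaAuditAppender.name = UaaAuditAppender
+appender.uaaAuditAppender.fileName = logs/uaa_events.log
+appender.uaaAuditAppender.layout.type = PatternLayout
+appender.uaaAuditAppender.layout.pattern = ${log_pattern}
+
+rootLogger.level = debug
+rootLogger.appenderRef.uaaDefaultAppender.ref = UaaDefaultAppender
+
+logger.UAAAudit.name = UAA.Audit
+logger.UAAAudit.level = info
+logger.UAAAudit.additivity = true
+logger.UAAAudit.appenderRef.auditEventLog.ref = UaaAuditAppender
+
+logger.cfIdentity.name = org.cloudfoundry.identity
+logger.cfIdentity.level = info
+logger.cfIdentity.additivity = false
+logger.cfIdentity.appenderRef.uaaDefaultAppender.ref = UaaDefaultAppender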
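Review bot: Both appenders write to relative files under `logs/` (`appender.uaaDefaultAppender.fileName` and `appender.uaaAuditAppender.fileName`), so inside the container the `UAA.Audit` events and everything else never reach stdout and are gone when the container is removed, which leaves `docker logs` empty for troubleshooting and for reviewing authentication events. Adding a Console appender and referencing it from `rootLogger` (and from `cfIdentity`, whose `additivity = false` keeps it off the root appenders) keeps the file layout and the existing `%replace` redaction of `password=` / `client_secret=` while making the output visible. `rootLogger.level = debug` is also very verbose for an image that is pushed to Docker Hub; `info` is the level the two named loggers already use.
```properties
# … unchanged: status/dest/name, log_pattern, the two File appenders …
appender.console.type = Console
appender.console.name = Console
appender.console.target = SYSTEM_OUT
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = ${log_pattern}

rootLogger.level = info
rootLogger.appenderRef.console.ref = Console
rootLogger.appenderRef.uaaDefaultAppender.ref = UaaDefaultAppender
# … unchanged: UAAAudit logger …
logger.cfIdentity.appenderRef.console.ref = Console
logger.cfIdentity.appenderRef.uaaDefaultAppender.ref = UaaDefaultAppender
```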
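--- /dev/null
+++ b/[path not shown: tags file]
@@ -0,0 +1 @@
+-t uaa-server:77.10 -t uaa-server:77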
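--- /dev/null
+++ b/[path not shown: version file]
@@ -0,0 +1 @@
+77.10.0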
@ -1,10 +1,15 @@
|
|||
# This file defines UAA configuration that is compatible with Steeltoe Sample applications.
|
||||
# Samples can be found in the repository at https://github.com/SteeltoeOSS/Samples
|
||||
logging:
|
||||
config: /uaa/log4j2.properties
|
||||
|
||||
issuer:
|
||||
uri: http://localhost:8080/uaa
|
||||
|
||||
encryption:
|
||||
encryption_keys:
|
||||
- label: uaa-encryption-key-1
|
||||
passphrase: password
|
||||
- label: uaa-encryption-key-1
|
||||
passphrase: password
|
||||
active_key_label: uaa-encryption-key-1
|
||||
|
||||
scim:
|
||||
|
@ -33,14 +38,23 @@
|
|||
uaa.admin: Act as an administrator throughout the UAA
|
||||
uaa.none: Forbid acting as a user
|
||||
uaa.offline_token: Allow offline access
|
||||
# ----- <Freddy's BBQ> ----- #
|
||||
order.me: Permission to read personal orders
|
||||
order.admin: Permission to read all orders
|
||||
menu.read: Permission to read all menu items
|
||||
menu.write: Permission to create, update, and delete menu items
|
||||
# ----- </Freddy's BBQ> ----- #
|
||||
# ----- <Steeltoe Security Samples> ----- #
|
||||
sampleapi.read: Permission to access a specific endpoint in the Steeltoe App Security Samples
|
||||
# ----- </Steeltoe Security Samples> ----- #
|
||||
users:
|
||||
- admin|password|admin@testapp.com|Administrative|Account|uaa
|
||||
- customer|password|customer@testapp.com|John|Doe|menu.read,order.me|uaa
|
||||
- manager|password|manager@testapp.com|Jonathan|Doe|menu.read,menu.write,order.admin|uaa
|
||||
# ----- <Freddy's BBQ> ----- #
|
||||
- customer|password|customer@testapp.com|Jon|Doe|menu.read,order.me
|
||||
- manager|password|manager@testapp.com|Jonathan|Doe|menu.read,menu.write,order.admin
|
||||
# ----- </Freddy's BBQ> ----- #
|
||||
# ----- <Steeltoe Security Samples> ----- #
|
||||
- testuser|password|user@testapp.com|Jane|Doe|sampleapi.read
|
||||
# ----- </Steeltoe Security Samples> ----- #
|
||||
userids_enabled: true
|
||||
user:
|
||||
override: true
|
||||
|
@ -64,39 +78,73 @@
|
|||
- roles
|
||||
- user_attributes
|
||||
- uaa.offline_token
|
||||
clients:
|
||||
admin-portal:
|
||||
authorized-grant-types: authorization_code
|
||||
scope: openid,menu.read,menu.write,order.admin
|
||||
authorities: uaa.resource
|
||||
redirect-uri: http://localhost:63757/signin-cloudfoundry
|
||||
app-launch-url: http://localhost:63757/Home/
|
||||
show-on-homepage: true
|
||||
secret: adminportal_secret
|
||||
description: "UI Admin Portal for administering orders"
|
||||
order-service:
|
||||
authorized-grant-types: client_credentials
|
||||
scope: openid,menu.write,order.admin
|
||||
authorities: uaa.resource
|
||||
secret: orderservice_secret
|
||||
description: "API Service for administering orders"
|
||||
customer-portal:
|
||||
secret: secret
|
||||
authorized-grant-types: authorization_code
|
||||
scope: openid,menu.read,order.me
|
||||
authorities: uaa.resource
|
||||
redirect-uri: http://localhost:8082/login
|
||||
# Always override clients on startup
|
||||
client:
|
||||
override: true
|
||||
|
||||
# List of OAuth clients
|
||||
clients:
|
||||
# ----- <Freddy's BBQ> ----- #
|
||||
admin-portal:
|
||||
app-launch-url: http://localhost:63757/Home/
|
||||
authorities: uaa.resource
|
||||
authorized-grant-types: authorization_code
|
||||
description: "UI Admin Portal for administering orders"
|
||||
redirect-uri: http://localhost:63757/signin-cloudfoundry
|
||||
scope: openid,menu.read,menu.write,order.admin
|
||||
secret: adminportal_secret
|
||||
show-on-homepage: true
|
||||
order-service:
|
||||
authorities: uaa.resource
|
||||
authorized-grant-types: client_credentials
|
||||
description: "API Service for administering orders"
|
||||
scope: openid,menu.write,order.admin
|
||||
secret: orderservice_secret
|
||||
customer-portal:
|
||||
authorities: uaa.resource
|
||||
authorized-grant-types: authorization_code
|
||||
redirect-uri: http://localhost:8082/login
|
||||
scope: openid,menu.read,order.me
|
||||
secret: customerportal_secret
|
||||
# ----- </Freddy's BBQ> ---- #
|
||||
# --- <Steeltoe Security Samples> --- #
|
||||
steeltoesamplesserver:
|
||||
authorities: uaa.resource, sampleapi.read
|
||||
authorized-grant-types: client_credentials
|
||||
description: Steeltoe application security Sample Server
|
||||
secret: server_secret
|
||||
steeltoesamplesclient:
|
||||
app-launch-url: https://localhost:7072
|
||||
authorized-grant-types: authorization_code, client_credentials
|
||||
autoapprove:
|
||||
- openid
|
||||
- profile
|
||||
description: Steeltoe application security Sample Client
|
||||
redirect-uri: https://localhost:7072/signin-oidc
|
||||
resource_ids: sampleapi.read
|
||||
scope: openid,profile,sampleapi.read
|
||||
secret: client_secret
|
||||
ssotile:
|
||||
authorized-grant-types: authorization_code, client_credentials
|
||||
autoapprove:
|
||||
- openid
|
||||
- profile
|
||||
description: Credentials for use with UAA server in Cloud Foundry environment
|
||||
|
||||
# CHANGE THIS VALUE TO MATCH YOUR ENVIRONMENT
|
||||
redirect-uri: https://steeltoe.login.sys.dhaka.cf-app.com/**
|
||||
|
||||
resource_ids: sampleapi.read
|
||||
scope: openid,profile,sampleapi.read
|
||||
secret: sso_secret
|
||||
# --- </Steeltoe Security Samples> --- #
|
||||
jwt:
|
||||
token:
|
||||
refresh:
|
||||
format: opaque
|
||||
policy:
|
||||
accessTokenValiditySeconds: 43200
|
||||
refreshTokenValiditySeconds: 2592000
|
||||
global:
|
||||
accessTokenValiditySeconds: 43200
|
||||
refreshTokenValiditySeconds: 2592000
|
||||
# Will override global validity policies for the default zone only.
|
||||
#accessTokenValiditySeconds: 600
|
||||
activeKeyId: uaa-jwt-key-1
|
||||
keys:
|
||||
uaa-jwt-key-1:
|
||||
|
@ -135,7 +183,7 @@
|
|||
N+l4lnMda79eSp3OMmq9AkA0p79BvYsLshUJJnvbk76pCjR28PK4dV1gSDUEqQMB
|
||||
qy45ptdwJLqLJCeNoR0JUcDNIRhOCuOPND7pcMtX6hI/
|
||||
-----END RSA PRIVATE KEY-----
|
||||
# serviceProviderKeyPassword: "" # TODO: Remove this when UAA defaults this value
|
||||
serviceProviderKeyPassword: ""
|
||||
serviceProviderCertificate: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEO
|
||||
|
@ -157,48 +205,5 @@
|
|||
KdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3oePe84k8jm3A7EvH5wi5hvCkK
|
||||
RpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=
|
||||
-----END CERTIFICATE-----
|
||||
assetBaseUrl: /resources/oss
|
||||
|
||||
zones:
|
||||
internal:
|
||||
hostnames:
|
||||
- localhost:8080/uaa
|
||||
|
||||
uaa:
|
||||
# The hostname of the UAA that this login server will connect to
|
||||
url: http://localhost:8080/uaa
|
||||
token:
|
||||
url: http://localhost:8080/uaa/oauth/token
|
||||
approvals:
|
||||
url: http://localhost:8080/uaa/approvals
|
||||
login:
|
||||
url: http://localhost:8080/uaa/authenticate
|
||||
limitedFunctionality:
|
||||
enabled: false
|
||||
whitelist:
|
||||
endpoints:
|
||||
- /oauth/authorize/**
|
||||
- /oauth/token/**
|
||||
- /check_token/**
|
||||
- /login/**
|
||||
- /login.do
|
||||
- /logout/**
|
||||
- /logout.do
|
||||
- /saml/**
|
||||
- /autologin/**
|
||||
- /authenticate/**
|
||||
- /idp_discovery/**
|
||||
methods:
|
||||
- GET
|
||||
- HEAD
|
||||
- OPTIONS
|
||||
|
||||
ldap:
|
||||
profile:
|
||||
file: ldap/ldap-search-and-bind.xml
|
||||
base:
|
||||
url: 'ldap://localhost:389/'
|
||||
userDn: 'cn=admin,dc=test,dc=com'
|
||||
password: 'password'
|
||||
searchBase: 'dc=test,dc=com'
|
||||
searchFilter: 'cn={0}'
|
||||
#The secret that an external login server will use to authenticate to the uaa using the id `login`
|
||||
LOGIN_SECRET: loginsecret
|
||||
|
|
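Review bot: The `ssotile` client in the third hunk (`@ -64,39 +78,73 @@`) ships with the fixed `secret: sso_secret`, and the new README's last step tells operators to register exactly those credentials as an identity provider in a real Cloud Foundry environment, so a secret published in a public image would become the trust anchor of that environment; the `# CHANGE THIS VALUE TO MATCH YOUR ENVIRONMENT` comment above `redirect-uri` should cover the secret too, e.g. `# CHANGE THESE VALUES TO MATCH YOUR ENVIRONMENT (redirect-uri, and rotate secret)`. The other `secret:` entries and the `password` fields in the `users:` hunk are fine for local samples only and deserve the same one-line caveat at the top of the `clients:` block. The `redirect-uri: https://steeltoe.login.sys.dhaka.cf-app.com/**` value ends in an Ant-style `/**` wildcard; the narrowest path the SSO tile needs is preferable, though which path that is cannot be told from this commit. In the first hunk the `uaa-encryption-key-1` / `passphrase: password` pair is printed twice; if both copies are on the new side the `encryption_keys` list holds a duplicate label, which the rendered page does not let me confirm.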