Use cloudfoundry/uaa as a base for the Steeltoe UAA server, add GHA (#35)

Co-authored-by: Bart Koelman <104792814+bart-vmware@users.noreply.github.com>

.github/workflows/build_uaa_server.yaml

@@ -0,0 +1,51 @@
+name: Build UAA Server
+
+on:
+  pull_request:
+    branches:
+    - main
+    paths:
+    - 'uaa-server/**'
+  push:
+    branches:
+    - main
+    paths:
+    - 'uaa-server/**'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: 'read'
+
+env:
+  IMAGE_NAME: uaa-server
+  REGISTRY: ${{ github.event_name == 'pull_request' && vars.DOCKER_REGISTRY || 'steeltoeoss' }}
+
+jobs:
+  build-push:
+    name: Build and push image
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Build Image
+      run: ./build.ps1 -Name ${{ env.IMAGE_NAME }} -Registry ${{ env.REGISTRY }}
+
+    - name: Login to private container registry
+      if: ${{ github.event_name == 'pull_request' }}
+      uses: docker/login-action@v3
+      with:
+        registry: "${{ vars.DOCKER_REGISTRY }}"
+        username: "${{ secrets.DOCKER_USERNAME }}"
+        password: "${{ secrets.DOCKER_PASSWORD }}"
+    - name: Login to Docker Hub
+      if: ${{ github.event_name != 'pull_request' }}
+      uses: docker/login-action@v3
+      with:
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
+        password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+    - name: Push image
+      run: docker push --all-tags ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

uaa-server/Dockerfile

@@ -1,11 +1,10 @@
-FROM adoptopenjdk/openjdk11 as source
-RUN apt-get update && apt-get install -y git
-RUN git clone -b v75.0.0 https://github.com/cloudfoundry/uaa.git
-COPY uaa.yml /uaa/uaa/src/main/resources/uaa.yml
-WORKDIR /uaa
-RUN ./gradlew assemble
+# -----------------------------------------------------------------------------
+# UAA Server Build
+# -----------------------------------------------------------------------------
 
-FROM source as run
-WORKDIR /uaa
+FROM cloudfoundry/uaa:77.10.0
+COPY uaa.yml /uaa/uaa.yml
+COPY log4j2.properties /uaa/log4j2.properties
+ENV CLOUDFOUNDRY_CONFIG_PATH /uaa
+ENV SPRING_PROFILES hsql,default
 EXPOSE 8080
-CMD ["./gradlew", "run"]

uaa-server/README.adoc

@@ -1,13 +0,0 @@
-= steeltoeoss/sample-uaa-server
-:toc: preamble
-:toclevels: 1
-:!toc-title:
-:linkattrs:
-
-SteeltoeOSS https://github.com/cloudfoundry/uaa[CloudFoundry User Account and Authentication (UAA)] Docker image.
-
-== Running
-
-----
-$ docker run -it -p 8080:8080 steeltoeoss/sample-uaa-server
-----

uaa-server/README.md

@@ -0,0 +1,26 @@
+# UAA Server for Steeltoe Samples
+
+This directory contains resources for building a [CloudFoundry User Account and Authentication (UAA)](https://github.com/cloudfoundry/uaa) Docker image that is customized to work with [Steeltoe Samples](https://github.com/SteeltoeOSS/Samples).
+
+## Running Local
+
+To run this image locally:
+
+```shell
+docker run -it -p 8080:8080 --name steeltoe-uaa steeltoe.azurecr.io/uaa-server:77.10
+```
+
+## Customizing for your Cloud Foundry environment
+
+These instructions will help you build and deploy a custom image to use as an identity provider for [Single Sign-On for VMware Tanzu Application Service](https://docs.vmware.com/en/Single-Sign-On-for-VMware-Tanzu-Application-Service/index.html):
+
+1. Clone this repository.
+1. (Operator task) Create an [identity zone](https://docs.vmware.com/en/VMware-Tanzu-Application-Service/6.0/tas-for-vms/uaa-concepts.html#identity-zones-0)
+1. Change the `redirect-uri` entry for `ssotile` in [uaa.yml](uaa.yml#132) to match your identity zone.
+1. (OPTIONAL) Customize the name of the image you're about to build by renaming the `uaa-server` directory
+1. `.\build.ps1 .\uaa-server`.
+1. Push the image to an image repository accessible from your Cloud Foundry environment.
+1. Deploy the image with a command similar to this:
+   * `cf push steeltoe-uaa --docker-image steeltoe.azurecr.io/uaa-server:77.10`
+1. (Operator task) [Add the new identity provider with OpenID Connect](https://docs.vmware.com/en/Single-Sign-On-for-VMware-Tanzu-Application-Service/1.14/sso/GUID-configure-external-id.html#config-ext-oidc)
+   * Use the `ssotile` credentials from uaa.yml

uaa-server/log4j2.properties

@@ -0,0 +1,30 @@
+status = error
+dest = err
+name = UaaLog
+
+property.log_pattern=[%d{yyyy-MM-dd'T'HH:mm:ss.nnnnnn}{GMT+0}Z] uaa%X{context} - %pid [%t] .... %5p --- %c{1}: %replace{%m}{(?<=password=|client_secret=)([^&]*)}{<redacted>}%n
+
+appender.uaaDefaultAppender.type = File
+appender.uaaDefaultAppender.name = UaaDefaultAppender
+appender.uaaDefaultAppender.fileName = logs/uaa.log
+appender.uaaDefaultAppender.layout.type = PatternLayout
+appender.uaaDefaultAppender.layout.pattern = ${log_pattern}
+
+appender.uaaAuditAppender.type = File
+appender.uaaAuditAppender.name = UaaAuditAppender
+appender.uaaAuditAppender.fileName = logs/uaa_events.log
+appender.uaaAuditAppender.layout.type = PatternLayout
+appender.uaaAuditAppender.layout.pattern = ${log_pattern}
+
+rootLogger.level = debug
+rootLogger.appenderRef.uaaDefaultAppender.ref = UaaDefaultAppender
+
+logger.UAAAudit.name = UAA.Audit
+logger.UAAAudit.level = info
+logger.UAAAudit.additivity = true
+logger.UAAAudit.appenderRef.auditEventLog.ref = UaaAuditAppender
+
+logger.cfIdentity.name = org.cloudfoundry.identity
+logger.cfIdentity.level = info
+logger.cfIdentity.additivity = false
+logger.cfIdentity.appenderRef.uaaDefaultAppender.ref = UaaDefaultAppender

uaa-server/metadata/ADDITIONAL_TAGS

@@ -0,0 +1 @@
+-t uaa-server:77.10 -t uaa-server:77

uaa-server/metadata/IMAGE_VERSION

@@ -0,0 +1 @@
+77.10.0

uaa-server/uaa.yml

@@ -1,10 +1,15 @@
+  # This file defines UAA configuration that is compatible with Steeltoe Sample applications.
+  # Samples can be found in the repository at https://github.com/SteeltoeOSS/Samples
+  logging:
+    config: /uaa/log4j2.properties
+
   issuer:
     uri: http://localhost:8080/uaa
 
   encryption:
     encryption_keys:
-      - label: uaa-encryption-key-1
-        passphrase: password
+    - label: uaa-encryption-key-1
+      passphrase: password
     active_key_label: uaa-encryption-key-1
 
   scim:
@@ -33,14 +38,23 @@
       uaa.admin: Act as an administrator throughout the UAA
       uaa.none: Forbid acting as a user
       uaa.offline_token: Allow offline access
+      # ----- <Freddy's BBQ> ----- #
       order.me: Permission to read personal orders
       order.admin: Permission to read all orders
       menu.read: Permission to read all menu items
       menu.write: Permission to create, update, and delete menu items
+      # ----- </Freddy's BBQ> ----- #
+      # ----- <Steeltoe Security Samples> ----- #
+      sampleapi.read: Permission to access a specific endpoint in the Steeltoe App Security Samples
+      # ----- </Steeltoe Security Samples> ----- #
     users:
-      - admin|password|admin@testapp.com|Administrative|Account|uaa
-      - customer|password|customer@testapp.com|John|Doe|menu.read,order.me|uaa
-      - manager|password|manager@testapp.com|Jonathan|Doe|menu.read,menu.write,order.admin|uaa
+      # ----- <Freddy's BBQ> ----- #
+      - customer|password|customer@testapp.com|Jon|Doe|menu.read,order.me
+      - manager|password|manager@testapp.com|Jonathan|Doe|menu.read,menu.write,order.admin
+      # ----- </Freddy's BBQ> ----- #
+      # ----- <Steeltoe Security Samples> ----- #
+      - testuser|password|user@testapp.com|Jane|Doe|sampleapi.read
+      # ----- </Steeltoe Security Samples> ----- #
     userids_enabled: true
     user:
       override: true
@@ -64,39 +78,73 @@
         - roles
         - user_attributes
         - uaa.offline_token
-    clients:
-      admin-portal:
-        authorized-grant-types: authorization_code
-        scope: openid,menu.read,menu.write,order.admin
-        authorities: uaa.resource
-        redirect-uri: http://localhost:63757/signin-cloudfoundry
-        app-launch-url: http://localhost:63757/Home/
-        show-on-homepage: true
-        secret: adminportal_secret
-        description: "UI Admin Portal for administering orders"
-      order-service:
-        authorized-grant-types: client_credentials
-        scope: openid,menu.write,order.admin
-        authorities: uaa.resource
-        secret: orderservice_secret
-        description: "API Service for administering orders"
-      customer-portal:
-        secret: secret
-        authorized-grant-types: authorization_code
-        scope: openid,menu.read,order.me
-        authorities: uaa.resource
-        redirect-uri: http://localhost:8082/login
+    # Always override clients on startup
+    client:
+      override: true
 
+    # List of OAuth clients
+    clients:
+      # ----- <Freddy's BBQ> ----- #
+      admin-portal:
+        app-launch-url: http://localhost:63757/Home/
+        authorities: uaa.resource
+        authorized-grant-types: authorization_code
+        description: "UI Admin Portal for administering orders"
+        redirect-uri: http://localhost:63757/signin-cloudfoundry
+        scope: openid,menu.read,menu.write,order.admin
+        secret: adminportal_secret
+        show-on-homepage: true
+      order-service:
+        authorities: uaa.resource
+        authorized-grant-types: client_credentials
+        description: "API Service for administering orders"
+        scope: openid,menu.write,order.admin
+        secret: orderservice_secret
+      customer-portal:
+        authorities: uaa.resource
+        authorized-grant-types: authorization_code
+        redirect-uri: http://localhost:8082/login
+        scope: openid,menu.read,order.me
+        secret: customerportal_secret
+      # ----- </Freddy's BBQ> ---- #
+      # --- <Steeltoe Security Samples> --- #
+      steeltoesamplesserver:
+        authorities: uaa.resource, sampleapi.read
+        authorized-grant-types: client_credentials
+        description: Steeltoe application security Sample Server
+        secret: server_secret
+      steeltoesamplesclient:
+        app-launch-url: https://localhost:7072
+        authorized-grant-types: authorization_code, client_credentials
+        autoapprove:
+        - openid
+        - profile
+        description: Steeltoe application security Sample Client
+        redirect-uri: https://localhost:7072/signin-oidc
+        resource_ids: sampleapi.read
+        scope: openid,profile,sampleapi.read
+        secret: client_secret
+      ssotile:
+        authorized-grant-types: authorization_code, client_credentials
+        autoapprove:
+        - openid
+        - profile
+        description: Credentials for use with UAA server in Cloud Foundry environment
+
+        # CHANGE THIS VALUE TO MATCH YOUR ENVIRONMENT
+        redirect-uri: https://steeltoe.login.sys.dhaka.cf-app.com/**
+
+        resource_ids: sampleapi.read
+        scope: openid,profile,sampleapi.read
+        secret: sso_secret
+      # --- </Steeltoe Security Samples> --- #
   jwt:
     token:
       refresh:
         format: opaque
       policy:
-        accessTokenValiditySeconds: 43200
-        refreshTokenValiditySeconds: 2592000
-        global:
-          accessTokenValiditySeconds: 43200
-          refreshTokenValiditySeconds: 2592000
+        # Will override global validity policies for the default zone only.
+        #accessTokenValiditySeconds: 600
         activeKeyId: uaa-jwt-key-1
         keys:
           uaa-jwt-key-1:
@@ -135,7 +183,7 @@
       N+l4lnMda79eSp3OMmq9AkA0p79BvYsLshUJJnvbk76pCjR28PK4dV1gSDUEqQMB
       qy45ptdwJLqLJCeNoR0JUcDNIRhOCuOPND7pcMtX6hI/
       -----END RSA PRIVATE KEY-----
-    # serviceProviderKeyPassword: "" # TODO: Remove this when UAA defaults this value
+    serviceProviderKeyPassword: ""
     serviceProviderCertificate: |
       -----BEGIN CERTIFICATE-----
       MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEO
@@ -157,48 +205,5 @@
       KdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3oePe84k8jm3A7EvH5wi5hvCkK
       RpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=
       -----END CERTIFICATE-----
-  assetBaseUrl: /resources/oss
-
-  zones:
-    internal:
-      hostnames:
-        - localhost:8080/uaa
-
-  uaa:
-    # The hostname of the UAA that this login server will connect to
-    url: http://localhost:8080/uaa
-    token:
-      url: http://localhost:8080/uaa/oauth/token
-    approvals:
-      url: http://localhost:8080/uaa/approvals
-    login:
-      url: http://localhost:8080/uaa/authenticate
-    limitedFunctionality:
-      enabled: false
-      whitelist:
-        endpoints:
-          - /oauth/authorize/**
-          - /oauth/token/**
-          - /check_token/**
-          - /login/**
-          - /login.do
-          - /logout/**
-          - /logout.do
-          - /saml/**
-          - /autologin/**
-          - /authenticate/**
-          - /idp_discovery/**
-        methods:
-          - GET
-          - HEAD
-          - OPTIONS
-
-  ldap:
-    profile:
-      file: ldap/ldap-search-and-bind.xml
-    base:
-      url: 'ldap://localhost:389/'
-      userDn: 'cn=admin,dc=test,dc=com'
-      password: 'password'
-      searchBase: 'dc=test,dc=com'
-      searchFilter: 'cn={0}'
+  #The secret that an external login server will use to authenticate to the uaa using the id `login`
+  LOGIN_SECRET: loginsecret