From dd9126b41f68347ba05cf118a77667310a591e68 Mon Sep 17 00:00:00 2001
From: Tim Hess
Date: Thu, 20 Jun 2024 10:46:37 -0500
Subject: [PATCH] Use cloudfoundry/uaa as a base for the Steeltoe UAA server, add GHA (#35)

Co-authored-by: Bart Koelman <104792814+bart-vmware@users.noreply.github.com>
---
 .github/workflows/build_uaa_server.yaml | 51 ++++++++
 uaa-server/Dockerfile | 17 ++-
 uaa-server/README.adoc | 13 --
 uaa-server/README.md | 26 ++++
 uaa-server/log4j2.properties | 30 +++++
 uaa-server/metadata/ADDITIONAL_TAGS | 1 +
 uaa-server/metadata/IMAGE_REVISION | 0
 uaa-server/metadata/IMAGE_VERSION | 1 +
 uaa-server/uaa.yml | 161 ++++++++++++------------
 9 files changed, 200 insertions(+), 100 deletions(-)
 create mode 100644 .github/workflows/build_uaa_server.yaml
 delete mode 100644 uaa-server/README.adoc
 create mode 100644 uaa-server/README.md
 create mode 100644 uaa-server/log4j2.properties
 create mode 100644 uaa-server/metadata/ADDITIONAL_TAGS
 create mode 100644 uaa-server/metadata/IMAGE_REVISION
 create mode 100644 uaa-server/metadata/IMAGE_VERSION

diff --git a/.github/workflows/build_uaa_server.yaml b/.github/workflows/build_uaa_server.yaml
new file mode 100644
index 0000000..29cff72
--- /dev/null
+++ b/.github/workflows/build_uaa_server.yaml
@@ -0,0 +1,51 @@
+name: Build UAA Server
+
+on:
+ pull_request:
+ branches:
+ - main
+ paths:
+ - 'uaa-server/**'
+ push:
+ branches:
+ - main
+ paths:
+ - 'uaa-server/**'
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: 'read'
+
+env:
+ IMAGE_NAME: uaa-server
+ REGISTRY: ${{ github.event_name == 'pull_request' && vars.DOCKER_REGISTRY || 'steeltoeoss' }}
+
+jobs:
+ build-push:
+ name: Build and push image
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Build Image
+ run: ./build.ps1 -Name ${{ env.IMAGE_NAME }} -Registry ${{ env.REGISTRY }}
+
+ - name: Login to private container registry
+ if: ${{ github.event_name == 'pull_request' }}
+ uses: docker/login-action@v3
+ with:
+ registry: "${{ vars.DOCKER_REGISTRY }}"
+ username: "${{ secrets.DOCKER_USERNAME }}"
+ password: "${{ secrets.DOCKER_PASSWORD }}"
+ - name: Login to Docker Hub
+ if: ${{ github.event_name != 'pull_request' }}
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ - name: Push image
+ run: docker push --all-tags ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
diff --git a/uaa-server/Dockerfile b/uaa-server/Dockerfile
index 36fd254..b73204f 100644
--- a/uaa-server/Dockerfile
+++ b/uaa-server/Dockerfile
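Review bot: Both third-party actions are referenced by mutable tags (`actions/checkout@v4`, `docker/login-action@v3`), so a re-pointed or compromised tag would run arbitrary code in the job that holds `DOCKER_PASSWORD` and `DOCKERHUB_TOKEN`; pin each to a full commit SHA with the version in a trailing comment, e.g. `uses: docker/login-action@<commit-sha> # v3`. The `pull_request` path also pushes whatever `build.ps1` tagged from the unreviewed PR branch into `vars.DOCKER_REGISTRY` with `--all-tags`, so a PR can overwrite the same `uaa-server:77.10`/`77` tags that the README in this commit tells users to pull from a private registry; tagging PR images with the PR number, or restricting the push to trusted events, would avoid that. The final `docker push` step has no `if`, so in any run where the login secrets are unavailable it will fail after the login step does rather than being skipped.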
@@ -1,11 +1,10 @@
-FROM adoptopenjdk/openjdk11 as source
-RUN apt-get update && apt-get install -y git
-RUN git clone -b v75.0.0 https://github.com/cloudfoundry/uaa.git
-COPY uaa.yml /uaa/uaa/src/main/resources/uaa.yml
-WORKDIR /uaa
-RUN ./gradlew assemble
+# -----------------------------------------------------------------------------
+# UAA Server Build
+# -----------------------------------------------------------------------------
 
-FROM source as run
-WORKDIR /uaa
+FROM cloudfoundry/uaa:77.10.0
+COPY uaa.yml /uaa/uaa.yml
+COPY log4j2.properties /uaa/log4j2.properties
+ENV CLOUDFOUNDRY_CONFIG_PATH /uaa
+ENV SPRING_PROFILES hsql,default
 EXPOSE 8080
-CMD ["./gradlew", "run"]
\ No newline at end of file
diff --git a/uaa-server/README.adoc b/uaa-server/README.adoc
deleted file mode 100644
index 4963a43..0000000
--- a/uaa-server/README.adoc
+++ /dev/null
@@ -1,13 +0,0 @@
-= steeltoeoss/sample-uaa-server
-:toc: preamble
-:toclevels: 1
-:!toc-title:
-:linkattrs:
-
-SteeltoeOSS https://github.com/cloudfoundry/uaa[CloudFoundry User Account and Authentication (UAA)] Docker image.
-
-== Running
-
-----
-$ docker run -it -p 8080:8080 steeltoeoss/sample-uaa-server
-----
diff --git a/uaa-server/README.md b/uaa-server/README.md
new file mode 100644
index 0000000..4469b68
--- /dev/null
+++ b/uaa-server/README.md
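Review bot: `FROM cloudfoundry/uaa:77.10.0` pins only a tag, which the upstream publisher can re-push, so the build is not reproducible and a replaced tag would silently change the identity server being shipped; pin by digest as well, `FROM cloudfoundry/uaa:77.10.0@sha256:<digest of the image you verified>`, and bump it together with `metadata/IMAGE_VERSION`. A comment above the `COPY uaa.yml` line is also warranted, since that file (see the later hunks) carries client secrets, seeded user passwords and a JWT signing key that are now baked into a published image: `# uaa.yml holds sample-only credentials and keys; never point a real environment at this image unchanged`. Minor style: the two `ENV` lines use the legacy space-separated form; `ENV CLOUDFOUNDRY_CONFIG_PATH=/uaa` is the form current Docker tooling recommends.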
@@ -0,0 +1,26 @@
+# UAA Server for Steeltoe Samples
+
+This directory contains resources for building a [CloudFoundry User Account and Authentication (UAA)](https://github.com/cloudfoundry/uaa) Docker image that is customized to work with [Steeltoe Samples](https://github.com/SteeltoeOSS/Samples).
+
+## Running Local
+
+To run this image locally:
+
+```shell
+docker run -it -p 8080:8080 --name steeltoe-uaa steeltoe.azurecr.io/uaa-server:77.10
+```
+
+## Customizing for your Cloud Foundry environment
+
+These instructions will help you build and deploy a custom image to use as an identity provider for [Single Sign-On for VMware Tanzu Application Service](https://docs.vmware.com/en/Single-Sign-On-for-VMware-Tanzu-Application-Service/index.html):
+
+1. Clone this repository.
+1. (Operator task) Create an [identity zone](https://docs.vmware.com/en/VMware-Tanzu-Application-Service/6.0/tas-for-vms/uaa-concepts.html#identity-zones-0)
+1. Change the `redirect-uri` entry for `ssotile` in [uaa.yml](uaa.yml#132) to match your identity zone.
+1. (OPTIONAL) Customize the name of the image you're about to build by renaming the `uaa-server` directory
+1. `.\build.ps1 .\uaa-server`.
+1. Push the image to an image repository accessible from your Cloud Foundry environment.
+1. Deploy the image with a command similar to this:
+ * `cf push steeltoe-uaa --docker-image steeltoe.azurecr.io/uaa-server:77.10`
+1. (Operator task) [Add the new identity provider with OpenID Connect](https://docs.vmware.com/en/Single-Sign-On-for-VMware-Tanzu-Application-Service/1.14/sso/GUID-configure-external-id.html#config-ext-oidc)
+ * Use the `ssotile` credentials from uaa.yml
diff --git a/uaa-server/log4j2.properties b/uaa-server/log4j2.properties
new file mode 100644
index 0000000..2e22eaa
--- /dev/null
+++ b/uaa-server/log4j2.properties
@@ -0,0 +1,30 @@
+status = error
+dest = err
+name = UaaLog
+
+property.log_pattern=[%d{yyyy-MM-dd'T'HH:mm:ss.nnnnnn}{GMT+0}Z] uaa%X{context} - %pid [%t] .... %5p --- %c{1}: %replace{%m}{(?<=password=|client_secret=)([^&]*)}{}%n
+
+appender.uaaDefaultAppender.type = File
+appender.uaaDefaultAppender.name = UaaDefaultAppender
+appender.uaaDefaultAppender.fileName = logs/uaa.log
+appender.uaaDefaultAppender.layout.type = PatternLayout
+appender.uaaDefaultAppender.layout.pattern = ${log_pattern}
+
+appender.uaaAuditAppender.type = File
+appender.uaaAuditAppender.name = UaaAuditAppender
+appender.uaaAuditAppender.fileName = logs/uaa_events.log
+appender.uaaAuditAppender.layout.type = PatternLayout
+appender.uaaAuditAppender.layout.pattern = ${log_pattern}
+
+rootLogger.level = debug
+rootLogger.appenderRef.uaaDefaultAppender.ref = UaaDefaultAppender
+
+logger.UAAAudit.name = UAA.Audit
+logger.UAAAudit.level = info
+logger.UAAAudit.additivity = true
+logger.UAAAudit.appenderRef.auditEventLog.ref = UaaAuditAppender
+
+logger.cfIdentity.name = org.cloudfoundry.identity
+logger.cfIdentity.level = info
+logger.cfIdentity.additivity = false
+logger.cfIdentity.appenderRef.uaaDefaultAppender.ref = UaaDefaultAppender
diff --git a/uaa-server/metadata/ADDITIONAL_TAGS b/uaa-server/metadata/ADDITIONAL_TAGS
new file mode 100644
index 0000000..d4bb72b
--- /dev/null
+++ b/uaa-server/metadata/ADDITIONAL_TAGS
@@ -0,0 +1 @@
+-t uaa-server:77.10 -t uaa-server:77
diff --git a/uaa-server/metadata/IMAGE_REVISION b/uaa-server/metadata/IMAGE_REVISION
new file mode 100644
index 0000000..e69de29
diff --git a/uaa-server/metadata/IMAGE_VERSION b/uaa-server/metadata/IMAGE_VERSION
new file mode 100644
index 0000000..6bdac7f
--- /dev/null
+++ b/uaa-server/metadata/IMAGE_VERSION
@@ -0,0 +1 @@
+77.10.0
diff --git a/uaa-server/uaa.yml b/uaa-server/uaa.yml
index 94354fe..4e7e3e1 100644
--- a/uaa-server/uaa.yml
+++ b/uaa-server/uaa.yml
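Review bot: Every appender here writes to files under `logs/` inside the container, so neither the `UAA.Audit` events nor the application log reach stdout, which is what `docker logs` and, as far as I know, Cloud Foundry's log aggregation collect; an audit trail that exists only on the container filesystem disappears when the container is replaced. Add a Console appender and attach it to at least the audit logger so authentication events are captured by the platform, as sketched below. Separately, `rootLogger.level = debug` applies to every logger not pinned to `info` further down (Spring, Tomcat, HSQL), and on an authentication server debug output tends to echo request details that the `%replace` pattern only scrubs for `password=` and `client_secret=`; unless this mirrors the upstream default, `rootLogger.level = info` is the safer choice.
```properties
appender.console.type = Console
appender.console.name = ConsoleAppender
appender.console.target = SYSTEM_OUT
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = ${log_pattern}

# ... unchanged: file appenders, rootLogger, logger names and levels ...

logger.UAAAudit.appenderRef.auditEventLog.ref = UaaAuditAppender
logger.UAAAudit.appenderRef.console.ref = ConsoleAppender
```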
@@ -1,10 +1,15 @@
+ # This file defines UAA configuration that is compatible with Steeltoe Sample applications.
+ # Samples can be found in the repository at https://github.com/SteeltoeOSS/Samples
+ logging:
+ config: /uaa/log4j2.properties
+
 issuer:
 uri: http://localhost:8080/uaa
 
 encryption:
 encryption_keys:
- - label: uaa-encryption-key-1
- passphrase: password
+ - label: uaa-encryption-key-1
+ passphrase: password
 active_key_label: uaa-encryption-key-1
 
 scim:
@@ -33,14 +38,23 @@
 uaa.admin: Act as an administrator throughout the UAA
 uaa.none: Forbid acting as a user
 uaa.offline_token: Allow offline access
+ # ----- ----- #
 order.me: Permission to read personal orders
 order.admin: Permission to read all orders
 menu.read: Permission to read all menu items
 menu.write: Permission to create, update, and delete menu items
+ # ----- ----- #
+ # ----- ----- #
+ sampleapi.read: Permission to access a specific endpoint in the Steeltoe App Security Samples
+ # ----- ----- #
 users:
- - admin|password|admin@testapp.com|Administrative|Account|uaa
- - customer|password|customer@testapp.com|John|Doe|menu.read,order.me|uaa
- - manager|password|manager@testapp.com|Jonathan|Doe|menu.read,menu.write,order.admin|uaa
+ # ----- ----- #
+ - customer|password|customer@testapp.com|Jon|Doe|menu.read,order.me
+ - manager|password|manager@testapp.com|Jonathan|Doe|menu.read,menu.write,order.admin
+ # ----- ----- #
+ # ----- ----- #
+ - testuser|password|user@testapp.com|Jane|Doe|sampleapi.read
+ # ----- ----- #
 userids_enabled: true
 user:
 override: true
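Review bot: The section delimiters added in this hunk (`# ----- ----- #`) carry no text between the dashes, so a reader cannot tell which sample each scope and user block belongs to; presumably a label was intended, e.g. `# ----- Steeltoe App Security Samples ----- #` above `sampleapi.read` and again above the `testuser` entry, with a matching closing line. The new `testuser|password|...` account follows the existing pattern of a well-known `password` value, and with `user: override: true` (visible in the trailing context) these accounts are recreated on every start, so a password changed through the SCIM API is reverted at the next restart; a one-line comment above `users:` saying so, `# Seeded on every start (see user.override); changes made via the API do not survive a restart`, would stop an operator from relying on an in-place rotation. The enclosing mapping (presumably `scim:`, the last context line of the previous hunk) begins before this hunk.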
@@ -64,39 +78,73 @@
 - roles
 - user_attributes
 - uaa.offline_token
- clients:
- admin-portal:
- authorized-grant-types: authorization_code
- scope: openid,menu.read,menu.write,order.admin
- authorities: uaa.resource
- redirect-uri: http://localhost:63757/signin-cloudfoundry
- app-launch-url: http://localhost:63757/Home/
- show-on-homepage: true
- secret: adminportal_secret
- description: "UI Admin Portal for administering orders"
- order-service:
- authorized-grant-types: client_credentials
- scope: openid,menu.write,order.admin
- authorities: uaa.resource
- secret: orderservice_secret
- description: "API Service for administering orders"
- customer-portal:
- secret: secret
- authorized-grant-types: authorization_code
- scope: openid,menu.read,order.me
- authorities: uaa.resource
- redirect-uri: http://localhost:8082/login
+ # Always override clients on startup
+ client:
+ override: true
+ # List of OAuth clients
+ clients:
+ # ----- ----- #
+ admin-portal:
+ app-launch-url: http://localhost:63757/Home/
+ authorities: uaa.resource
+ authorized-grant-types: authorization_code
+ description: "UI Admin Portal for administering orders"
+ redirect-uri: http://localhost:63757/signin-cloudfoundry
+ scope: openid,menu.read,menu.write,order.admin
+ secret: adminportal_secret
+ show-on-homepage: true
+ order-service:
+ authorities: uaa.resource
+ authorized-grant-types: client_credentials
+ description: "API Service for administering orders"
+ scope: openid,menu.write,order.admin
+ secret: orderservice_secret
+ customer-portal:
+ authorities: uaa.resource
+ authorized-grant-types: authorization_code
+ redirect-uri: http://localhost:8082/login
+ scope: openid,menu.read,order.me
+ secret: customerportal_secret
+ # ----- ---- #
+ # --- --- #
+ steeltoesamplesserver:
+ authorities: uaa.resource, sampleapi.read
+ authorized-grant-types: client_credentials
+ description: Steeltoe application security Sample Server
+ secret: server_secret
+ steeltoesamplesclient:
+ app-launch-url: https://localhost:7072
+ authorized-grant-types: authorization_code, client_credentials
+ autoapprove:
+ - openid
+ - profile
+ description: Steeltoe application security Sample Client
+ redirect-uri: https://localhost:7072/signin-oidc
+ resource_ids: sampleapi.read
+ scope: openid,profile,sampleapi.read
+ secret: client_secret
+ ssotile:
+ authorized-grant-types: authorization_code, client_credentials
+ autoapprove:
+ - openid
+ - profile
+ description: Credentials for use with UAA server in Cloud Foundry environment
+
+ # CHANGE THIS VALUE TO MATCH YOUR ENVIRONMENT
+ redirect-uri: https://steeltoe.login.sys.dhaka.cf-app.com/**
+
+ resource_ids: sampleapi.read
+ scope: openid,profile,sampleapi.read
+ secret: sso_secret
+ # --- --- #
 
 jwt:
 token:
 refresh:
 format: opaque
 policy:
- accessTokenValiditySeconds: 43200
- refreshTokenValiditySeconds: 2592000
- global:
- accessTokenValiditySeconds: 43200
- refreshTokenValiditySeconds: 2592000
+ # Will override global validity policies for the default zone only.
+ #accessTokenValiditySeconds: 600
 activeKeyId: uaa-jwt-key-1
 keys:
 uaa-jwt-key-1:
@@ -135,7 +183,7 @@
 N+l4lnMda79eSp3OMmq9AkA0p79BvYsLshUJJnvbk76pCjR28PK4dV1gSDUEqQMB
 qy45ptdwJLqLJCeNoR0JUcDNIRhOCuOPND7pcMtX6hI/
 -----END RSA PRIVATE KEY-----
- # serviceProviderKeyPassword: "" # TODO: Remove this when UAA defaults this value
+ serviceProviderKeyPassword: ""
 serviceProviderCertificate: |
 -----BEGIN CERTIFICATE-----
 MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEO
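Review bot: The `ssotile` client ships with the fixed `secret: sso_secret`, yet the README added in this commit tells operators to deploy this image into a Cloud Foundry foundation and register exactly these credentials as an external OpenID Connect identity provider, which makes a published, well-known secret the key to that trust relationship; the `# CHANGE THIS VALUE TO MATCH YOUR ENVIRONMENT` marker should cover the secret as well as the redirect URI, and the safer path is to have the deployment supply it rather than bake it into the image. Because `client: override: true` is set at the top of the block, any secret rotated through the UAA API is also reverted to these values on the next restart, which deserves a comment beside `override: true`, e.g. `# Clients are reset from this file on every start; rotating a secret via the API does not survive a restart`. Two smaller things: `steeltoesamplesclient` is given `client_credentials` alongside `authorization_code`, and `resource_ids: sampleapi.read` on both new clients reuses a scope name as a resource id (which UAA, I believe, emits as the token audience) — if either is deliberate, a short comment would keep the next reader from "fixing" it. The mapping these clients sit in begins before the hunk; only the tail of the preceding list (`- roles` through `- uaa.offline_token`) is visible.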
@@ -157,48 +205,5 @@
 KdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3oePe84k8jm3A7EvH5wi5hvCkK
 RpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=
 -----END CERTIFICATE-----
- assetBaseUrl: /resources/oss
-
- zones:
- internal:
- hostnames:
- - localhost:8080/uaa
-
- uaa:
- # The hostname of the UAA that this login server will connect to
- url: http://localhost:8080/uaa
- token:
- url: http://localhost:8080/uaa/oauth/token
- approvals:
- url: http://localhost:8080/uaa/approvals
- login:
- url: http://localhost:8080/uaa/authenticate
- limitedFunctionality:
- enabled: false
- whitelist:
- endpoints:
- - /oauth/authorize/**
- - /oauth/token/**
- - /check_token/**
- - /login/**
- - /login.do
- - /logout/**
- - /logout.do
- - /saml/**
- - /autologin/**
- - /authenticate/**
- - /idp_discovery/**
- methods:
- - GET
- - HEAD
- - OPTIONS
-
- ldap:
- profile:
- file: ldap/ldap-search-and-bind.xml
- base:
- url: 'ldap://localhost:389/'
- userDn: 'cn=admin,dc=test,dc=com'
- password: 'password'
- searchBase: 'dc=test,dc=com'
- searchFilter: 'cn={0}'
\ No newline at end of file
+ #The secret that an external login server will use to authenticate to the uaa using the id `login`
+ LOGIN_SECRET: loginsecret
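Review bot: `LOGIN_SECRET: loginsecret` is another fixed credential committed to the repository, and by the file's own comment it is what an external login server presents to authenticate as the `login` client, so anyone holding this repository or the published image knows that secret for every deployment built from it; keep the entry for local use, but make the comment say it must be overridden elsewhere, `# The secret an external login server uses to authenticate as the login client. Sample value only; override it for any non-local deployment.`. Dropping the `ldap:` block with its `password: 'password'` is a good cleanup, and nothing in the two new lines depends on it. Style nit: the new comment lacks a space after `#`, unlike the other comments in this file.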