From 1eb096193701e040be6cbd4007730ad35a4748bf Mon Sep 17 00:00:00 2001
From: Alex
Date: Sat, 12 Nov 2022 21:48:38 +0200
Subject: [PATCH] tests: upgrade oidc-server-mock to run tests on Mac M1
---
 deployments/dev/docker-compose.e2e.yml | 2 ++
 deployments/dev/docker-compose.override.yml | 10 ++++++++--
 deployments/dev/gateway/config/gateway.json | 6 +++---
 .../dev/gateway/config/gateway.local.json | 6 +++---
 .../dev/gateway/config/gateway.test.json | 6 +++---
 deployments/dev/https/aspnetapp.pfx | Bin 0 -> 2477 bytes
 deployments/dev/tilt.yml | 13 ++++++++-----
 deployments/kubernetes/README.md | 2 +-
 .../kubernetes/infra/gateway-config.yaml | 6 +++---
 .../kubernetes/infra/oidc-server-mock.yaml | 4 ++--
 docs/pages/4.security/02.examples.md | 6 +++---
 services/gateway/appConfig/appConfig.go | 4 ++++
 services/gateway/security/jwkCache.go | 4 +++-
 services/gateway/utils/httpClient.go | 18 ++++++++++++++++++
 services/gateway/version.go | 2 +-
 .../security/subject_extraction_rules.rego | 2 +-
 16 files changed, 63 insertions(+), 28 deletions(-)
 create mode 100644 deployments/dev/https/aspnetapp.pfx
 create mode 100644 services/gateway/utils/httpClient.go
diff --git a/deployments/dev/docker-compose.e2e.yml b/deployments/dev/docker-compose.e2e.yml
index 0ff925a44..8dab00402 100644
--- a/deployments/dev/docker-compose.e2e.yml
+++ b/deployments/dev/docker-compose.e2e.yml
@@ -76,6 +76,7 @@ services:
 - editor
 environment:
+ - NODE_TLS_REJECT_UNAUTHORIZED=0
 - GATEWAY_URL=http://gateway
 - EDITOR_URL=http://gateway
 - AUTH_DIGEST_CREDENTIALS=user:pwd
@@ -90,6 +91,7 @@ services:
 depends_on:
 - gateway
 environment:
+ - NODE_TLS_REJECT_UNAUTHORIZED=0
 - GATEWAY_URL=http://gateway
 - MINIO_HOST=minio
 - MINIO_PORT=9000
diff --git a/deployments/dev/docker-compose.override.yml b/deployments/dev/docker-compose.override.yml
index 9106ea8fd..272aa75df 100644
--- a/deployments/dev/docker-compose.override.yml
+++ b/deployments/dev/docker-compose.override.yml
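Review bot: `NODE_TLS_REJECT_UNAUTHORIZED=0` disables certificate verification for every outbound TLS connection the e2e process makes, not only the one to oidc-server-mock, and Node prints a per-process warning for it. Since this commit already ships the mock's certificate under `deployments/dev/https`, the narrower option is to trust that single certificate: export the public half to PEM (e.g. `openssl pkcs12 -in aspnetapp.pfx -clcerts -nokeys -out oidc-mock.crt`), mount it into the test containers, and set `NODE_EXTRA_CA_CERTS=/https/oidc-mock.crt` instead. That only works if the certificate's SAN covers the hostname the tests actually dial, which is not visible from this diff. If the flag has to stay, a comment `# e2e only: oidc-server-mock serves a self-signed cert` beside it keeps it from being copied into other environments.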
@@ -72,6 +72,7 @@ services:
 - "5859:5858"
 - "4005:3000"
 environment:
+ - NODE_TLS_REJECT_UNAUTHORIZED=0
 - GIT_USER=git
 - GIT_URL=ssh://git@publishing/tweek/repo
 - GIT_PUBLIC_KEY_PATH=/run/secrets/tweek_ssh_public_key
@@ -112,11 +113,16 @@ services:
 oidc-server-mock:
 container_name: oidc-server-mock
- image: soluto/oidc-server-mock:0.1.0
+ image: ghcr.io/soluto/oidc-server-mock:0.5.2
 ports:
- - "8082:80"
+ - "8082:443"
+ volumes:
+ - ./https:/https:ro
 environment:
 ASPNETCORE_ENVIRONMENT: Development
+ ASPNETCORE_URLS: https://+:443
+ ASPNETCORE_Kestrel__Certificates__Default__Password: oidc-server-mock-pwd
+ ASPNETCORE_Kestrel__Certificates__Default__Path: /https/aspnetapp.pfx
 CLIENTS_CONFIGURATION_INLINE: |
 [
 {
diff --git a/deployments/dev/gateway/config/gateway.json b/deployments/dev/gateway/config/gateway.json
index f65a5dfb6..432593487 100644
--- a/deployments/dev/gateway/config/gateway.json
+++ b/deployments/dev/gateway/config/gateway.json
@@ -10,9 +10,9 @@
 "providers": {
 "mock": {
 "name": "Mock OpenId Connect server",
- "issuer": "http://localhost:8082",
- "authority": "http://localhost:8082",
- "jwks_uri": "http://oidc-server-mock/.well-known/openid-configuration/jwks",
+ "issuer": "https://localhost:8082",
+ "authority": "https://localhost:8082",
+ "jwks_uri": "https://oidc-server-mock/.well-known/openid-configuration/jwks",
 "client_id": "tweek-openid-mock-client",
 "login_info": {
 "login_type": "oidc",
diff --git a/deployments/dev/gateway/config/gateway.local.json b/deployments/dev/gateway/config/gateway.local.json
index 15e2c22ba..d510fd526 100644
--- a/deployments/dev/gateway/config/gateway.local.json
+++ b/deployments/dev/gateway/config/gateway.local.json
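Review bot: The PKCS#12 password `oidc-server-mock-pwd` and the bundle it unlocks (`deployments/dev/https/aspnetapp.pfx`, added by this commit) are both committed, so the mock IdP's private key is effectively public. That is acceptable for a dev-only compose override, but it should be stated, because anything that later trusts this certificate — a `NODE_EXTRA_CA_CERTS`, a browser exception, a gateway CA bundle — is trusting a key anyone can read from the repo. Add a comment above the password line: `# dev-only self-signed cert; key and password are public, never reuse outside local/e2e`. The read-only mount `./https:/https:ro` is the right choice and should stay.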
@@ -9,9 +9,9 @@
 "providers": {
 "mock": {
 "name": "Mock OpenId Connect server",
- "issuer": "http://localhost:8082",
- "authority": "http://localhost:8082",
- "jwks_uri": "http://localhost:8082/.well-known/openid-configuration/jwks",
+ "issuer": "https://localhost:8082",
+ "authority": "https://localhost:8082",
+ "jwks_uri": "https://localhost:8082/.well-known/openid-configuration/jwks",
 "client_id": "tweek-openid-mock-client",
 "login_info": {
 "login_type": "oidc",
diff --git a/deployments/dev/gateway/config/gateway.test.json b/deployments/dev/gateway/config/gateway.test.json
index 0fe4f1575..785b79f97 100644
--- a/deployments/dev/gateway/config/gateway.test.json
+++ b/deployments/dev/gateway/config/gateway.test.json
@@ -4,9 +4,9 @@
 "providers": {
 "mock": {
 "name": "Mock OpenId Connect server",
- "issuer": "http://oidc-server-mock",
- "authority": "http://oidc-server-mock",
- "jwks_uri": "http://oidc-server-mock/.well-known/openid-configuration/jwks",
+ "issuer": "https://oidc-server-mock",
+ "authority": "https://oidc-server-mock",
+ "jwks_uri": "https://oidc-server-mock/.well-known/openid-configuration/jwks",
 "client_id": "tweek-openid-mock-client",
 "login_info": {
 "login_type": "oidc",
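Review bot: `jwks_uri` now dials `https://oidc-server-mock`, but the certificate the mock serves is the committed `aspnetapp.pfx`; if that is a stock ASP.NET development certificate its SAN is `localhost` only, so the hostname will not match and the fetch succeeds solely because the gateway disables verification outside production (see `services/gateway/utils/httpClient.go` in this commit). Reissuing the mock certificate with `subjectAltName = DNS:oidc-server-mock, DNS:localhost` and pointing the gateway at it as a trusted CA would let the JWKS fetch verify normally and remove the need for an insecure client path. The same concern applies to `gateway.json` and the Kubernetes `gateway-config.yaml`, which use this hostname for `jwks_uri` as well; I cannot confirm the certificate's SANs from the diff.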
diff --git a/deployments/dev/https/aspnetapp.pfx b/deployments/dev/https/aspnetapp.pfx new file mode 100644 index 0000000000000000000000000000000000000000..fb2b1859617154058f973badec057dd72825c15b GIT binary patch literal 2477 zcmY+EWmpr87ROhxQ6r=U$7lw)jTDd&6bTuvlynM8hafddiI;NV0I4y`0U{F84HAl! zK{!fE@{3Ok^yb2-;D*oV4NP&2`|?xRuZ)nXMEoUgu}akQ#XNf9pY zd&d~(H|5@-aBw7HTPgO(xn`@o4O4=BC$)oqty->x4i)s!O8egX7s@w;gChw0cSS7A ze=h%=^_CoX1v?qC(Q~^YZA&1J(HqAifAMjN1b6AYI@~2q*57%a+Lyf zYLi3XZ~NsF;v$SSXUt)i?zT1uvmFtve*zWc`INOuU8f(S8pfn0ex$`jO)79Dv_S*a z+86p+r70SHUQYI^p17qr8A?l}$ip1R`L`ZkI93j2kP`EgN@b$IC0l?dV8(U-y?=3C z2Rx#&f|?mpSdpS}n{xO`*tfIcKuPHy^t>Y@Byu}Boq8HOD`_bznlH`@`NOhkr(le9 z9_phWP@=4MmWz ztsYX()q>4H8@)=%V=!MoG~825m#ZviOFFH0-|A}EF`2x?d?biXtR$WPO5W2&eII$2 zq@v*lbaPGSkx5WolbfD01CU2f$^yIerYk37s?zOE>b)M#Q1(RDH$)~XVB=PZ($`sB z;n|%Tp!$ykK$bF*vFn6pS|39XYr;mMQ*8uWK%|X|rc_hHbXnALUTjUPgT&0MDxJ6S zZk-`WFG7FQM0nJ-oQ`IZv?8}m-#bYblm}Ij{MiG~OU33aKj<%&AKvOuAML=75DkYm zlsl+?+trKF_p^OlGuq0!GT#`w_flJn)$+Z=-f!FIU_(lr8GE?5wE7NDZKF$;G-O!j zO$*s13SU6(a_>h{r)1mdm10>RQGm^Faok>v(A5}>NDkkE#4#TJ=_ zg&H?B%JgLw({CoP&SrrC!e_Wp8fiVz$Z+>h!#p?AnVuRPU&E$%;l|k`x_H$? z;ys^TblIb&FLh^MlL1kR|TZ0*y zBf7asX{045abB15H#w1VDRH@@mNyMve7`lV+@s$Us;Kql9Fx?V%UpHC1hw?Hj0?g8 z&ikuYk;5c5*?h8K+nrA;dw!bJn}2p&dlj0P^<;Elk*C;D@R7~cX?jhQ>rrA(2GvM% z{!cfgcx!t^0r}>Ysg8-PLmP9?=qtO!_f!+ajPaqwO$Xy1|C)l+UvEgw}B1dpjSxDbbQKqt2>e~x} zeMjx7k)oYWCQ{{9R2D!c~jMry>$puB~gyEF6Q%0IA z)tXw^3@dqT*aaMBSFpiF{3=Ka9`6Vr~)f0gI%2$gXeQkb7$(G)UodmXQ-B zdTZ~XeE~i?*E31)tT<|VpHovnAu{NZAkFA%+RkY|Bc;lSc zomIhI3M-4I{1Y{&UD8VVu{KsI9-0(=u`e6Jc&rDM7+hEX zIo13Uee#7g-dLup`aQ*F+OD0seR_k4t?VcA}^MHVUzMns;(375H^$&EI+0WDpmwmrSu{kMmFwDp={BM5Z|G zd_bakp4oWg5Xbt~Mg)e(M4cLF|8ylD{oK6laV+qLjMH3iUIEi`sea2n;Trfwvxxzn z!)|^T@*pdLnoN!@h)b2)+K^Q-S(z$M->ytxY*^Wq`m8Gi9@aFRw;Y-C zI;ha>Oh}hQS(B+?d8ytlgZ#@$$@hp|0?g%WV|-(wPms3r3MsR(x{JGyCZ`N>d|6F)|zj8E}5)~FVrm(OImX@XvRWM7oQoy(w^4Cssq0D z3NQ=?X<=`(b?<)2m(0#iwFSp&-i_e z&_9bDSWXE0F?Mq)LH?^8X9**Gv+Qc4^mF473n?e{{pI*f4Beu literal 0 HcmV?d00001 
diff --git a/deployments/dev/tilt.yml b/deployments/dev/tilt.yml
index b5d738ffd..7ac3f103a 100644
--- a/deployments/dev/tilt.yml
+++ b/deployments/dev/tilt.yml
@@ -48,6 +48,7 @@ services:
 depends_on:
 - publishing
 environment:
+ NODE_TLS_REJECT_UNAUTHORIZED: '0'
 GIT_PRIVATE_KEY_PATH: /run/secrets/tweek_ssh_private_key
 GIT_PUBLIC_KEY_PATH: /run/secrets/tweek_ssh_public_key
 GIT_URL: ssh://git@publishing/tweek/repo
@@ -136,10 +137,12 @@ services:
 target: 8222
 oidc-server-mock:
 container_name: oidc-server-mock
+ image: ghcr.io/soluto/oidc-server-mock:0.5.2
 environment:
 ASPNETCORE_ENVIRONMENT: Development
- OIDC_CLIENT_ID: tweek-openid-mock-client
- REDIRECT_URIS: http://localhost:8081/auth-result/oidc
+ ASPNETCORE_URLS: https://+:443
+ ASPNETCORE_Kestrel__Certificates__Default__Password: oidc-server-mock-pwd
+ ASPNETCORE_Kestrel__Certificates__Default__Path: /https/aspnetapp.pfx
 CLIENTS_CONFIGURATION_INLINE: |
 [
 {
@@ -177,10 +180,10 @@ services:
 "Password":"pwd"
 }
 ]
- image: soluto/oidc-server-mock:0.1.0
 ports:
- - published: 8082
- target: 80
+ - 8082:443
+ volumes:
+ - ./https:/https:ro
 publishing:
 build:
 args:
diff --git a/deployments/kubernetes/README.md b/deployments/kubernetes/README.md
index d1a395679..bdceaaffd 100644
--- a/deployments/kubernetes/README.md
+++ b/deployments/kubernetes/README.md
@@ -29,7 +29,7 @@ If using Minikube/Microk8s create port forwarding:
 ```bash
 kubectl port-forward deployment/gateway 8081:80
-kubectl port-forward deployment/oidc-server-mock 8082:80
+kubectl port-forward deployment/oidc-server-mock 8082:443
 ```
 Finally, open in browser [http://localhost:8081](http://localhost:8081).
diff --git a/deployments/kubernetes/infra/gateway-config.yaml b/deployments/kubernetes/infra/gateway-config.yaml
index 7303300ed..ca720c660 100644
--- a/deployments/kubernetes/infra/gateway-config.yaml
+++ b/deployments/kubernetes/infra/gateway-config.yaml
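Review bot: The second hunk drops `OIDC_CLIENT_ID` and `REDIRECT_URIS` without a replacement, so the redirect `http://localhost:8081/auth-result/oidc` is now only valid if the `CLIENTS_CONFIGURATION_INLINE` block that follows — almost entirely outside this hunk — lists it under `RedirectUris` for `tweek-openid-mock-client`; otherwise the browser login flow fails at the mock with an invalid redirect_uri error. Please confirm that entry exists rather than relying on the old env vars having been redundant. The `NODE_TLS_REJECT_UNAUTHORIZED: '0'` in the first hunk disables verification for the whole editor process; a comment `# dev only: oidc-server-mock serves a self-signed cert` next to it would record why it is there.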
@@ -16,9 +16,9 @@ data:
 "providers": {
 "mock": {
 "name": "Mock OpenId Connect server",
- "issuer": "http://localhost:8082",
- "authority": "http://localhost:8082",
- "jwks_uri": "http://oidc-server-mock:8082/.well-known/openid-configuration/jwks",
+ "issuer": "https://localhost:8082",
+ "authority": "https://localhost:8082",
+ "jwks_uri": "https://oidc-server-mock:8082/.well-known/openid-configuration/jwks",
 "client_id": "tweek-openid-mock-client",
 "login_info": {
 "login_type": "oidc",
diff --git a/deployments/kubernetes/infra/oidc-server-mock.yaml b/deployments/kubernetes/infra/oidc-server-mock.yaml
index ceeff573c..1639b9b10 100644
--- a/deployments/kubernetes/infra/oidc-server-mock.yaml
+++ b/deployments/kubernetes/infra/oidc-server-mock.yaml
@@ -11,7 +11,7 @@ spec:
 spec:
 containers:
 - name: oidc-mock
- image: soluto/oidc-server-mock:0.1.0
+ image: ghcr.io/soluto/oidc-server-mock:0.5.2
 env:
 - name: ASPNETCORE_ENVIRONMENT
 value: Development
@@ -34,5 +34,5 @@ spec:
 app: oidc-server-mock
 ports:
 - port: 8082
- targetPort: 80
+ targetPort: 443
 ---
\ No newline at end of file
diff --git a/docs/pages/4.security/02.examples.md b/docs/pages/4.security/02.examples.md
index df6903168..9cab4f076 100644
--- a/docs/pages/4.security/02.examples.md
+++ b/docs/pages/4.security/02.examples.md
@@ -43,9 +43,9 @@ Can be edited via k8s configmap, mounted config file, or using environment varia
 },
 "oidc": {
 "name": "Mock OpenId Connect server",
- "issuer": "http://localhost:4011",
- "authority": "http://localhost:4011",
- "jwks_uri": "http://oidc-server-mock/.well-known/openid-configuration/jwks",
+ "issuer": "https://localhost:4011",
+ "authority": "https://localhost:4011",
+ "jwks_uri": "https://oidc-server-mock/.well-known/openid-configuration/jwks",
 "client_id": "tweek-openid-mock-client",
 "login_info": {
 "login_type": "oidc",
diff --git a/services/gateway/appConfig/appConfig.go b/services/gateway/appConfig/appConfig.go
index 5bc9f9f99..69aebf348 100644
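Review bot: The Service now targets port 443, but the Deployment hunk only swaps the image tag; unlike the compose and tilt files in this commit it sets no `ASPNETCORE_URLS`, no Kestrel certificate path or password, and mounts no certificate, so unless the 0.5.2 image listens on 443 with a built-in certificate by default (not visible here) nothing answers on 443 and the README's `kubectl port-forward deployment/oidc-server-mock 8082:443` connects to a closed port. The Deployment needs the same three env vars plus a volume carrying the pfx; since the pfx is a private key, source it from a Secret rather than a ConfigMap even in a dev cluster. The container spec continues outside the hunk, so the `volumeMounts`/`volumes` below are placed by position only.

```yaml
        env:
          - name: ASPNETCORE_ENVIRONMENT
            value: Development
          - name: ASPNETCORE_URLS
            value: https://+:443
          - name: ASPNETCORE_Kestrel__Certificates__Default__Path
            value: /https/aspnetapp.pfx
          - name: ASPNETCORE_Kestrel__Certificates__Default__Password
            valueFrom:
              secretKeyRef:
                name: oidc-server-mock-cert
                key: password
          # … unchanged: remaining env entries (CLIENTS_CONFIGURATION_INLINE etc.) …
        volumeMounts:
          - name: cert
            mountPath: /https
            readOnly: true
      volumes:
        - name: cert
          secret:
            secretName: oidc-server-mock-cert
```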
--- a/services/gateway/appConfig/appConfig.go
+++ b/services/gateway/appConfig/appConfig.go
@@ -159,3 +159,7 @@ func HandleEnvInlineOrPath(envValue *EnvInlineOrPath) ([]byte, error) {
 }
 return value, nil
 }
+
+func IsProduction() bool {
+ return configor.ENV() == "production"
+}
diff --git a/services/gateway/security/jwkCache.go b/services/gateway/security/jwkCache.go
index 2f98012f5..0503a2781 100644
--- a/services/gateway/security/jwkCache.go
+++ b/services/gateway/security/jwkCache.go
@@ -4,6 +4,7 @@ import (
 "context"
 "fmt"
 "time"
+ "tweek-gateway/utils"
 "github.com/lestrrat-go/jwx/jwk"
 "github.com/sirupsen/logrus"
@@ -70,8 +71,9 @@ func loadEndpoint(endpoint string) *jwkRecord {
 }
 func loadEndpointWithRetry(endpoint string, retryCount uint) *jwkRecord {
+
 rec := &jwkRecord{}
- rec.set, rec.err = jwk.Fetch(context.Background(), endpoint)
+ rec.set, rec.err = jwk.Fetch(context.Background(), endpoint, jwk.WithHTTPClient(utils.GetHttpClient()))
 jwkCache[endpoint] = rec
 if rec.err != nil {
diff --git a/services/gateway/utils/httpClient.go b/services/gateway/utils/httpClient.go
new file mode 100644
index 000000000..b1fba758c
--- /dev/null
+++ b/services/gateway/utils/httpClient.go
@@ -0,0 +1,18 @@
+package utils
+
+import (
+ "crypto/tls"
+ "net/http"
+ "tweek-gateway/appConfig"
+)
+
+func GetHttpClient() *http.Client {
+ // Ignore TLS errors for development
+ if !appConfig.IsProduction() {
+ tr := &http.Transport{
+ TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+ }
+ return &http.Client{Transport: tr}
+ }
+ return http.DefaultClient
+}
diff --git a/services/gateway/version.go b/services/gateway/version.go
index 44b83ef03..93dc9bbeb 100644
--- a/services/gateway/version.go
+++ b/services/gateway/version.go
@@ -1,3 +1,3 @@
 package main
-const Version = "1.0.0-rc22"
+const Version = "1.0.0-rc23"
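Review bot: `IsProduction` is exported without a doc comment, and its meaning rests entirely on what `configor.ENV()` returns when `CONFIGOR_ENV` is unset, which this hunk does not show. Because the new caller in `utils/httpClient.go` uses a false result to switch off TLS verification, any default other than `"production"` makes every deployment that forgets to set the variable insecure. Document that dependency so the next reader sees it: `// IsProduction reports whether the configor environment (CONFIGOR_ENV) is exactly "production". Security-sensitive callers treat any other value as a development build, so deployments must set it explicitly.`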
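Review bot: The empty line added directly after the `func loadEndpointWithRetry(...)` signature is stray — `gofmt` does not remove blank lines inside a body — and should be dropped. Separately, `jwk.Fetch` is called with `context.Background()` and, per the httpClient.go hunk in this commit, a client with no `Timeout`, so a JWKS endpoint that accepts the connection and never answers blocks this retry path indefinitely; a bounded context is cheap and `time` is already imported: `ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)` / `defer cancel()` / `rec.set, rec.err = jwk.Fetch(ctx, endpoint, jwk.WithHTTPClient(utils.GetHttpClient()))`. The function's retry and backoff body continues outside the hunk.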
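Review bot: `GetHttpClient` fails open — verification is skipped whenever `IsProduction()` is false, so every environment that does not set `CONFIGOR_ENV=production`, including a real deployment that merely forgot it, fetches the JWKS with `InsecureSkipVerify`, and anyone who can intercept that fetch can substitute their own signing keys and mint tokens the gateway will accept. Make the insecure path an explicit opt-in read from the environment, log loudly when it is active, and give both branches a `Timeout` (`http.DefaultClient` has none either); the better end state is to trust the mock's certificate through a CA-bundle setting rather than disable verification at all. A custom `http.Transport` also drops the default `Proxy: http.ProxyFromEnvironment`, which the sketch below restores. The `Get` prefix and `Http` casing go against Go naming (`HTTPClient`), but since the caller already uses this name that rename is a separate change.

```go
// … unchanged: package clause; imports gain "log", "os", "strings", "time" …

// insecureTLSRequested reports whether the operator explicitly asked to skip
// certificate verification. It is never derived from a "not production" default.
func insecureTLSRequested() bool {
	v := strings.ToLower(os.Getenv("TWEEK_INSECURE_SKIP_TLS_VERIFY"))
	return !appConfig.IsProduction() && (v == "1" || v == "true")
}

func GetHttpClient() *http.Client {
	client := &http.Client{Timeout: 15 * time.Second}
	if insecureTLSRequested() {
		log.Println("WARNING: TLS certificate verification disabled for outbound requests (TWEEK_INSECURE_SKIP_TLS_VERIFY)")
		client.Transport = &http.Transport{
			Proxy:           http.ProxyFromEnvironment,
			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
		}
	}
	return client
}
```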
diff --git a/services/git-service/BareRepository/source/security/subject_extraction_rules.rego b/services/git-service/BareRepository/source/security/subject_extraction_rules.rego
index c744076b0..4c4b78d14 100644
--- a/services/git-service/BareRepository/source/security/subject_extraction_rules.rego
+++ b/services/git-service/BareRepository/source/security/subject_extraction_rules.rego
@@ -3,7 +3,7 @@ package rules
 default subject = { "user": null, "group": null }
 subject = { "user": "admin-app", "group": "externalapps"} {
- startswith(input.iss, "http://localhost:")
+ startswith(input.iss, "https://localhost:")
 input.aud = "tweek-openid-mock-client"
 input.sub = "user"
 } else = { "user": input.sub, "group": "default" } {
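Review bot: The admin grant matches the issuer by prefix, so any verified token whose `iss` begins with `https://localhost:` — on any port — with `aud` `tweek-openid-mock-client` and `sub` `user` is mapped to `admin-app`; presumably only tokens the gateway has already validated against a configured provider reach this rule, which in practice limits it to the mock, but the rule itself does not say so. An exact comparison against the configured issuer, `input.iss == "https://localhost:8082"`, is no harder to write and stops the rule from silently covering a second local issuer added later. If the prefix match is intentional for the seed repository's development rules, say so above the rule: `# dev-only: maps the mock OIDC test user to the admin app; do not ship to real deployments`. The rule's `else` branch continues outside the hunk.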