Updates #1 #6

.keto/access-policy.json

@@ -1,26 +1,38 @@
 [
   {
-    "subjects": ["admin"],
+    "subjects": ["admin", "secy", "coordi"],
     "resources": ["courses", "files"],
-    "actions": ["delete", "create"],
+    "actions": ["create", "modify"],
     "effect": "allow"
   },
   {
-    "subjects": ["admin", "user"],
-    "resources": ["courses"],
+    "subjects": ["admin", "coordi"],
+    "resources": ["courses", "files"],
+    "actions": ["delete"],
+    "effect": "allow"
+  },
+  {
+    "subjects": ["admin", "user", "secy", "coordi"],
+    "resources": ["courses", "files"],
     "actions": ["read"],
     "effect": "allow"
   },
   {
-    "subjects": ["admin"],
+    "subjects": ["admin", "secy", "coordi"],
     "resources": ["cpanel"],
     "actions": ["login"],
     "effect": "allow"
   },
   {
-    "subjects": ["admin", "user"],
+    "subjects": ["admin", "user", "secy", "coordi"],
     "resources": ["portal"],
     "actions": ["login"],
     "effect": "allow"
+  },
+  {
+    "subjects": ["admin", "coordi"],
+    "resources": ["coordi", "secy"],
+    "actions": ["create", "delete"],
+    "effect": "allow"
   }
 ]

.kratos/.kratos.yml

@@ -0,0 +1,54 @@
+session:
+  lifespan: 24h
+serve:
+  public:
+    base_url: http://127.0.0.1:3001/.ory/kratos/public
+  admin:
+    base_url: http://kratos:4434/
+selfservice:
+  default_browser_return_url: http://127.0.0.1:3000/
+  whitelisted_return_urls:
+    - http://127.0.0.1:3000
+  flows:
+    error:
+      ui_url: http://127.0.0.1:3000/error
+    settings:
+      ui_url: http://127.0.0.1:3000/settings
+      privileged_session_max_age: 15m
+    recovery:
+      enabled: true
+      ui_url: http://127.0.0.1:3000/recovery
+    verification:
+      enabled: true
+      ui_url: http://127.0.0.1:3000/verify
+      after:
+        default_browser_return_url: http://127.0.0.1:3000/
+    logout:
+      after:
+        default_browser_return_url: http://127.0.0.1:3000/
+    login:
+      ui_url: http://127.0.0.1:3000/login
+    registration:
+      ui_url: http://127.0.0.1:3000/registration
+      after:
+        password:
+          hooks:
+            - hook: session
+log:
+  level: debug
+  leak_sensitive_values: true
+secrets:
+  cookie:
+    - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
+hashers:
+  argon2:
+    parallelism: 1
+    memory: 131072
+    iterations: 2
+    salt_length: 16
+    key_length: 16
+identity:
+  default_schema_url: file:///etc/config/kratos/identity.traits.schema.json
+courier:
+  smtp:
+    connection_uri: smtps://anc.courses@gmail.com:AnC@2020@smtp.gmail.com:465/?skip_ssl_verify=true

.kratos/identity.traits.schema.json

@@ -0,0 +1,34 @@
+{
+  "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "Person",
+  "type": "object",
+  "properties": {
+    "traits": {
+      "type": "object",
+      "properties": {
+        "email": {
+          "type": "string",
+          "format": "email",
+          "title": "E-Mail",
+          "minLength": 3,
+          "ory.sh/kratos": {
+            "credentials": {
+              "password": {
+                "identifier": true
+              }
+            },
+            "verification": {
+              "via": "email"
+            },
+            "recovery": {
+              "via": "email"
+            }
+          }
+        }
+      },
+      "required": ["email"],
+      "additionalProperties": false
+    }
+  }
+}

.nginx/nginx.conf

@@ -1,14 +1,45 @@
 server {
-    listen      $PORT;
+    listen 3001;
+    proxy_hide_header "Access-Control-Allow-Origin";
+    add_header 'Access-Control-Allow-Origin' 'http://127.0.0.1:3000' always;
+    add_header 'Access-Control-Allow-Credentials' 'true' always;
+    add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range' always;
+    add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH' always;
 
     location / {
-            proxy_set_header                        Host                    $host;
-            proxy_set_header                        X-Forwarded-For         $remote_addr;
-            proxy_set_header                        X-Forwarded-Proto       $scheme;
-            proxy_set_header                        X-Real-IP               $remote_addr;
-            proxy_pass                              http://127.0.0.1:4433;
+        if ($request_method = 'OPTIONS') {
+            add_header 'Access-Control-Max-Age' 1728000;
+            add_header 'Content-Type' 'text/plain; charset=utf-8';
+            add_header 'Content-Length' 0;
+            return 204;
+        }
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_cache_bypass $http_upgrade;
+        proxy_pass http://oathkeeper:4455;
     }
 
-    access_log              /var/log/nginx/gateway.access.log main;
-    error_log               /var/log/nginx/gateway.error.log;
+    # location = /.commento {
+    #     return 302 /.commento/;
+    # }
+
+    # location = /.commento/ {
+    #     proxy_set_header Host $host;
+    #     proxy_set_header X-Forwarded-For $remote_addr;
+    #     proxy_set_header X-Forwarded-Proto $scheme;
+    #     proxy_set_header X-Real-IP $remote_addr;
+    #     proxy_http_version 1.1;
+    #     proxy_set_header Upgrade $http_upgrade;
+    #     proxy_set_header Connection 'upgrade';
+    #     proxy_cache_bypass $http_upgrade;
+    #     proxy_pass http://commento:8080/;
+    # }
+
+    access_log /var/log/nginx/gateway.access.log main;
+    error_log /var/log/nginx/gateway.error.log;
 }

.oathkeeper/access-rules.yaml

@@ -0,0 +1,73 @@
+- id: "ory:kratos:public"
+  upstream:
+    preserve_host: true
+    url: "http://kratos:4433"
+    strip_path: /.ory/kratos/public
+  match:
+    url: "http://<**>/.ory/kratos/public/<**>"
+    methods:
+      - GET
+      - POST
+      - PUT
+      - DELETE
+      - PATCH
+  authenticators:
+    - handler: noop
+  authorizer:
+    handler: allow
+  mutators:
+    - handler: noop
+
+- id: "ory:kratos-ss-ui-react:anonymous"
+  upstream:
+    preserve_host: true
+    url: "http://kratos-ss-ui-react:4435"
+  match:
+    url: "http://127.0.0.1:4455/<{error,recovery,verify,auth/*,**.css,**.js}{/,}>"
+    methods:
+      - GET
+  authenticators:
+    - handler: anonymous
+  authorizer:
+    handler: allow
+  mutators:
+    - handler: noop
+
+- id: "ory:kratos-ss-ui-react:protected"
+  upstream:
+    preserve_host: true
+    url: "http://kratos-ss-ui-react:4435"
+  match:
+    url: "http://127.0.0.1:4455/<{,callback,debug,dashboard,settings}>"
+    methods:
+      - GET
+  authenticators:
+    - handler: cookie_session
+  authorizer:
+    handler: allow
+  mutators:
+    - handler: id_token
+  errors:
+    - handler: redirect
+      config:
+        to: http://127.0.0.1:4455/auth/login
+
+- id: "commento:public"
+  upstream:
+    preserve_host: true
+    url: "http://commento:8080"
+    # strip_path: /.commento
+  match:
+    url: "http://<**>/.commento/<**>"
+    methods:
+      - GET
+      - POST
+      - PUT
+      - DELETE
+      - PATCH
+  authenticators:
+    - handler: noop
+  authorizer:
+    handler: allow
+  mutators:
+    - handler: noop

.oathkeeper/oathkeeper.yaml → .oathkeeper/oathkeeper.yml

@@ -1,26 +1,12 @@
 log:
   level: debug
   format: json
+  # leak_sensitive_values: true
 
 serve:
   proxy:
     cors:
-      enabled: true
-      allowed_origins:
-        - "anciitk.in,127.0.0.1"
-      allowed_methods:
-        - POST
-        - GET
-        - PUT
-        - PATCH
-        - DELETE
-      allowed_headers:
-        - Authorization
-        - Content-Type
-      exposed_headers:
-        - Content-Type
-      allow_credentials: true
-      debug: true
+      enabled: false
 
 errors:
   fallback:
@@ -48,7 +34,7 @@ errors:
 access_rules:
   matching_strategy: glob
   repositories:
-    - file:///.oathkeeper/access-rules.yaml
+    - file:///etc/config/oathkeeper/access-rules.yaml
 
 authenticators:
   anonymous:

Dockerfile

@@ -2,6 +2,14 @@ FROM golang:latest
 LABEL MAINTAINER="Shivam Malhotra"
 LABEL VERSION="0.1.0"
 
+# Build the server
+RUN mkdir /server
+WORKDIR /server
+COPY ./ ./
+RUN make install
+
+FROM nginx:mainline-alpine
+COPY --from=0 /server/bin/main /main
 RUN apt-get clean && apt-get update 
 
 # Initialize Locale and TZ
@@ -15,10 +23,7 @@ ENV LANG=en_US.UTF-8
 ENV LC_CTYPE=en_US.UTF-8
 RUN locale-gen en_US.UTF-8 
 
-RUN apt-get install -y gnupg gosu curl ca-certificates zip unzip git zlibc
-
-# Install NGINX
-RUN apt-get install -y nginx 
+RUN apt-get install -y gnupg gosu curl ca-certificates 
 
 # Install ORY Stack
 SHELL ["/bin/bash", "-c"]
@@ -31,12 +36,6 @@ RUN  mv ./oathkeeper /usr/local/bin/
 RUN bash <(curl https://raw.githubusercontent.com/ory/keto/master/install.sh) -b . v0.5.7-alpha.1
 RUN mv ./keto /usr/local/bin
 
-# Build the server
-RUN mkdir /server
-WORKDIR /server
-COPY ./ ./
-RUN go mod install
-RUN go build main.go
 
 # Install Supervisor
 RUN apt-get install -y supervisor

Makefile

@@ -14,4 +14,8 @@ buildweb:
 
 purge:
 	rm -rf ./bin
-	rm -rf ./web/build
+	rm -rf ./web/build
+
+install
+	go mod download
+	go build -o bin/main main.go

commento.Dockerfile

@@ -0,0 +1,5 @@
+FROM nginx:mainline
+RUN apt update && apt install wget -y
+RUN wget https://dl.commento.io/release/commento-v1.8.0-linux-glibc-amd64.tar.gz
+RUN tar xvf commento-v1.8.0-linux-glibc-amd64.tar.gz -C /
+COPY ./.nginx/commento.nginx.conf /etc/nginx/conf.d/default.conf