Feature Shared IdP (#641)

Co-authored-by: Joshua Jones <joshua@general-metrics.com>
bcgov · Dec 29, 2022 · 00232e2 · 00232e2
1 parent d453301
commit 00232e2
Show file tree

Hide file tree

Showing 60 changed files with 1,549 additions and 553 deletions.
diff --git a/.github/workflows/ci-build-deploy.yaml b/.github/workflows/ci-build-deploy.yaml
@@ -97,7 +97,7 @@ jobs:
           image:
             registry: docker.pkg.github.com
             repository: bcgov-dss/api-serv-infra/mongodb
-            tag: 4.4.15-2941ec1e
+            tag: 5.0-7a639fba
             pullPolicy: IfNotPresent
             pullSecrets:
               - dev-github-read-packages-creds
@@ -111,7 +111,17 @@ jobs:
           rbac:
               create: true
 
-          strategyType: Recreate
+          updateStrategy:
+            type: RollingUpdate
+            rollingUpdate:
+              maxSurge: 0
+              maxUnavailable: 100%
+
+          readinessProbe:
+            timeoutSeconds: 20
+
+          livenessProbe:
+            timeoutSeconds: 20
 
           persistence:
               enabled: true
@@ -134,7 +144,7 @@ jobs:
               runAsUser: ${{ secrets.RUNNING_UID_GID }}
           ' > values.yaml
           helm repo add bitnami https://charts.bitnami.com/bitnami
-          helm upgrade --install proto-asp-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}-db --version 10.31.5 -f values.yaml bitnami/mongodb
+          helm upgrade --install proto-asp-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}-db --version 12.1.31 -f values.yaml bitnami/mongodb
 
       - name: 'Deploy Backend'
         if: github.ref != 'refs/heads/dev'

diff --git a/local/db/keystone-init.sql b/local/db/keystone-init.sql
@@ -2326,3 +2326,23 @@ ALTER TABLE public."Activity"
  ADD COLUMN "filterKey2" text,
  ADD COLUMN "filterKey3" text,
  ADD COLUMN "filterKey4" text;
+
+ALTER TABLE public."Metric"
+ ADD COLUMN "namespace" text;
+
+ALTER TABLE public."CredentialIssuer"
+ ADD COLUMN "isShared" boolean NOT NULL DEFAULT false,
+ ADD COLUMN "inheritFrom" integer;
+
+--
+-- Name: credentialissuer_inheritfrom_index; Type: INDEX; Schema: public; Owner: keystonejsuser
+--
+
+CREATE INDEX credentialissuer_inheritfrom_index ON public."CredentialIssuer" USING btree ("inheritFrom");
+
+--
+-- Name: CredentialIssuer credentialissuer_inheritfrom_foreign; Type: FK CONSTRAINT; Schema: public; Owner: keystonejsuser
+--
+
+ALTER TABLE ONLY public."CredentialIssuer"
+    ADD CONSTRAINT credentialissuer_inheritfrom_foreign FOREIGN KEY ("inheritFrom") REFERENCES public."CredentialIssuer"(id);
diff --git a/local/feeder-init/init.sh b/local/feeder-init/init.sh
@@ -1,5 +1,4 @@
 #!/bin/bash
-
 apk add --no-cache curl
 cd /tmp
 
@@ -13,20 +12,21 @@ while true; do
         curl http://feeder.localtest.me:6000/push -F yaml=@developer-user.yaml
         curl http://feeder.localtest.me:6000/push -F yaml=@mark-user.yaml
         curl http://feeder.localtest.me:6000/push -F yaml=@platform-authz-profile.yaml
+        curl http://feeder.localtest.me:6000/push -F yaml=@shared-idp.yaml
         curl http://feeder.localtest.me:6000/push -F yaml=@platform-gwa-api.yaml
         curl http://feeder.localtest.me:6000/push -F yaml=@organization-unit.yaml
         curl http://feeder.localtest.me:6000/push -F yaml=@dataset-gwa.yaml
-        curl http://feeder.localtest.me:6000/push -F yaml=@product-initializer.yaml
-        curl http://feeder.localtest.me:6000/push -F yaml=@product-initializer-permission.yaml
+#        curl http://feeder.localtest.me:6000/push -F yaml=@product-initializer.yaml
+#        curl http://feeder.localtest.me:6000/push -F yaml=@product-initializer-permission.yaml
         curl http://feeder.localtest.me:6000/push -F yaml=@cc-dataset-gwa.yaml
-        curl http://feeder.localtest.me:6000/push -F yaml=@cc-product-initializer.yaml
+#        curl http://feeder.localtest.me:6000/push -F yaml=@cc-product-initializer.yaml
         curl http://feeder.localtest.me:6000/push -F yaml=@cr-dataset-gwa.yaml
-        curl http://feeder.localtest.me:6000/push -F yaml=@cr-product-initializer.yaml      
+#        curl http://feeder.localtest.me:6000/push -F yaml=@cr-product-initializer.yaml      
         curl http://feeder.localtest.me:6000/push -F yaml=@permission-dataset-gwa.yaml
         curl http://feeder.localtest.me:6000/push -F yaml=@api-dataset-gwa.yaml
-        curl http://feeder.localtest.me:6000/push -F yaml=@product-initializer-api.yaml
+#        curl http://feeder.localtest.me:6000/push -F yaml=@product-initializer-api.yaml
         curl http://feeder.localtest.me:6000/push -F yaml=@preview-dataset-gwa.yaml
-        curl http://feeder.localtest.me:6000/push -F yaml=@preview-product-initializer.yaml
+#        curl http://feeder.localtest.me:6000/push -F yaml=@preview-product-initializer.yaml
         break
 
     else

diff --git a/local/feeder-init/shared-idp.yaml b/local/feeder-init/shared-idp.yaml
@@ -0,0 +1,19 @@
+entity: CredentialIssuer
+record:
+  id: 'Sample Shared IdP'
+  namespace: newplatform
+  description: 'A Shared IdP for Teams to use'
+  flow: client-credentials
+  mode: auto
+  clientAuthenticator: client-secret
+  authPlugin: jwt-keycloak
+  clientRoles: []
+  availableScopes: []
+  owner: janis@idir
+  isShared: true
+  environmentDetails:
+    - environment: prod
+      issuerUrl: http://keycloak.localtest.me:9080/auth/realms/master
+      clientId: gwa-api
+      clientRegistration: managed
+      clientSecret: '18900468-3db1-43f7-a8af-e75f079eb742'
diff --git a/local/oauth2-proxy/oauth2-proxy-local.cfg b/local/oauth2-proxy/oauth2-proxy-local.cfg
@@ -22,7 +22,7 @@ skip_jwt_bearer_tokens="false"
 set_authorization_header="false"
 pass_authorization_header="false"
 skip_auth_regex="/login|/health|/public|/docs|/redirect|/_next|/images|/devportal|/manager|/about|/maintenance|/admin/session|/ds/api|/feed/|/signout|^[/]$"
-whitelist_domains="*"
+whitelist_domains="keycloak.localtest.me:9080"
 upstreams=["http://apsportal.localtest.me:3000"]
 skip_provider_button='true'
 redis_connection_url="redis://redis-master:6379"

diff --git a/src/authz/graphql-whitelist/httplocalhost4180managerauthorizationprofiles-274a66.gql b/src/authz/graphql-whitelist/httplocalhost4180managerauthorizationprofiles-274a66.gql
@@ -0,0 +1,26 @@
+
+  query GetCredentialIssuers {
+    allCredentialIssuersByNamespace {
+      id
+      name
+      flow
+      mode
+      owner {
+        name
+        username
+        email
+      }
+      environmentDetails
+      inheritFrom {
+        name
+      }
+      availableScopes
+      clientAuthenticator
+      clientRoles
+      clientMappers
+      apiKeyName
+      resourceType
+      resourceScopes
+      resourceAccessScope
+    }
+  }
diff --git a/src/authz/graphql-whitelist/httplocalhost4180managerauthorizationprofiles-681d06.gql b/src/authz/graphql-whitelist/httplocalhost4180managerauthorizationprofiles-681d06.gql
@@ -0,0 +1,26 @@
+
+  query GetCredentialIssuers {
+    allCredentialIssuersByNamespace {
+      id
+      name
+      flow
+      mode
+      owner {
+        name
+        username
+        email
+      }
+      environmentDetails
+      inheritFrom {
+        environmentDetails
+      }
+      availableScopes
+      clientAuthenticator
+      clientRoles
+      clientMappers
+      apiKeyName
+      resourceType
+      resourceScopes
+      resourceAccessScope
+    }
+  }
diff --git a/src/authz/graphql-whitelist/httplocalhost4180managerauthorizationprofiles-a7c98d.gql b/src/authz/graphql-whitelist/httplocalhost4180managerauthorizationprofiles-a7c98d.gql
@@ -0,0 +1,8 @@
+
+  query SharedIdPPreview($profileName: String) {
+    sharedIdPs(profileName: $profileName) {
+      id
+      name
+      environmentDetails
+    }
+  }
diff --git a/src/authz/matrix.csv b/src/authz/matrix.csv
@@ -50,6 +50,7 @@ CREDENTIAL ADMIN,,,CredentialIssuer,create,,,,,credential-admin,,,allow,
 CREDENTIAL ADMIN,,,CredentialIssuer,read,,,,,credential-admin,,,allow,filterByUserNS
 CREDENTIAL ADMIN,,,CredentialIssuer,update,,namespace,,,credential-admin,,,deny,
 CREDENTIAL ADMIN,,,CredentialIssuer,,"create,read",namespace,,,credential-admin,,,allow,
+CREDENTIAL ADMIN,,sharedIdPs,,,,,,,credential-admin,,,allow,
 CREDENTIAL ADMIN,,OwnedCredentialIssuer,,,,,,,credential-admin,,,allow,
 CREDENTIAL ADMIN,,allCredentialIssuersByNamespace,,,,,,,credential-admin,,,allow,filterByUserNS
 CREDENTIAL ADMIN,,,User,read,,,,,credential-admin,,,allow,

diff --git a/src/batch/data-rules.js b/src/batch/data-rules.js
@@ -464,6 +464,8 @@ const metadata = {
       'resourceScopes',
       'resourceType',
       'resourceAccessScope',
+      'isShared',
+      'inheritFrom',
       'apiKeyName',
       'owner',
     ],
@@ -473,9 +475,15 @@ const metadata = {
       clientRoles: { name: 'toStringDefaultArray' },
       clientMappers: { name: 'toStringDefaultArray' },
       environmentDetails: { name: 'toString' },
+      inheritFrom: {
+        name: 'connectOne',
+        list: 'allCredentialIssuers',
+        refKey: 'name',
+      },
       owner: { name: 'connectOne', list: 'allUsers', refKey: 'username' },
     },
     validations: {
+      isShared: { type: 'boolean' },
       flow: {
         type: 'enum',
         values: ['client-credentials'],

diff --git a/src/batch/feed-worker.ts b/src/batch/feed-worker.ts
@@ -469,6 +469,7 @@ export const syncRecords = async function (
       }
     }
     if (Object.keys(data).length === 0) {
+      logger.debug('[%s] [%s] no update', entity, localRecord.id);
       return {
         status: 200,
         result: 'no-change',

diff --git a/src/controllers/v2/openapi.yaml b/src/controllers/v2/openapi.yaml
@@ -277,6 +277,8 @@ components:
                 clientRegistration: managed
                 clientId: a-client-id
                 clientSecret: a-client-secret
+        CredentialIssuerRefID:
+            type: string
         UserRefID:
             type: string
         CredentialIssuer:
@@ -315,6 +317,8 @@ components:
                     type: string
                 resourceAccessScope:
                     type: string
+                isShared:
+                    type: boolean
                 apiKeyName:
                     type: string
                 availableScopes:
@@ -333,6 +337,8 @@ components:
                     items:
                         type: string
                     type: array
+                inheritFrom:
+                    $ref: '#/components/schemas/CredentialIssuerRefID'
                 owner:
                     $ref: '#/components/schemas/UserRefID'
             type: object
@@ -508,8 +514,6 @@ components:
             type: string
         LegalRefID:
             type: string
-        CredentialIssuerRefID:
-            type: string
         Environment:
             properties:
                 appId:

diff --git a/src/controllers/v2/routes.ts b/src/controllers/v2/routes.ts
@@ -185,6 +185,11 @@ const models: TsoaRoute.Models = {
         "additionalProperties": false,
     },
     // WARNING: This file was auto-generated with tsoa. Please do not modify it. Re-run tsoa to re-generate this file: https://github.com/lukeautry/tsoa
+    "CredentialIssuerRefID": {
+        "dataType": "refAlias",
+        "type": {"dataType":"string","validators":{}},
+    },
+    // WARNING: This file was auto-generated with tsoa. Please do not modify it. Re-run tsoa to re-generate this file: https://github.com/lukeautry/tsoa
     "UserRefID": {
         "dataType": "refAlias",
         "type": {"dataType":"string","validators":{}},
@@ -204,11 +209,13 @@ const models: TsoaRoute.Models = {
             "environmentDetails": {"dataType":"array","array":{"dataType":"refObject","ref":"IssuerEnvironmentConfig"}},
             "resourceType": {"dataType":"string"},
             "resourceAccessScope": {"dataType":"string"},
+            "isShared": {"dataType":"boolean"},
             "apiKeyName": {"dataType":"string"},
             "availableScopes": {"dataType":"array","array":{"dataType":"string"}},
             "resourceScopes": {"dataType":"array","array":{"dataType":"string"}},
             "clientRoles": {"dataType":"array","array":{"dataType":"string"}},
             "clientMappers": {"dataType":"array","array":{"dataType":"string"}},
+            "inheritFrom": {"ref":"CredentialIssuerRefID"},
             "owner": {"ref":"UserRefID"},
         },
         "additionalProperties": false,
@@ -326,11 +333,6 @@ const models: TsoaRoute.Models = {
         "type": {"dataType":"string","validators":{}},
     },
     // WARNING: This file was auto-generated with tsoa. Please do not modify it. Re-run tsoa to re-generate this file: https://github.com/lukeautry/tsoa
-    "CredentialIssuerRefID": {
-        "dataType": "refAlias",
-        "type": {"dataType":"string","validators":{}},
-    },
-    // WARNING: This file was auto-generated with tsoa. Please do not modify it. Re-run tsoa to re-generate this file: https://github.com/lukeautry/tsoa
     "Environment": {
         "dataType": "refObject",
         "properties": {

diff --git a/src/controllers/v2/types.ts b/src/controllers/v2/types.ts
@@ -330,11 +330,13 @@ export interface CredentialIssuer {
   environmentDetails?: IssuerEnvironmentConfig[];
   resourceType?: string;
   resourceAccessScope?: string;
+  isShared?: boolean;
   apiKeyName?: string;
   availableScopes?: string[];
   resourceScopes?: string[];
   clientRoles?: string[];
   clientMappers?: string[];
+  inheritFrom?: CredentialIssuerRefID;
   owner?: UserRefID;
 }
 
@@ -455,8 +457,13 @@ export interface Activity {
   refId?: string;
   namespace?: string;
   blob?: string;
+  filterKey1?: string;
+  filterKey2?: string;
+  filterKey3?: string;
+  filterKey4?: string;
   updatedAt?: DateTime;
   createdAt?: DateTime;
+  context?: any; // toString
   actor?: UserRefID;
 }