Merge branch 'master' into multi-language

README.md

@@ -70,6 +70,7 @@ CT_BRIDGE_DB_CONFIG_PASSWORD | db-config-password
 CT_BRIDGE_INFLUX_USERNAME | influx-username
 CT_BRIDGE_INFLUX_PASSWORD | influx-password
 CT_BRIDGE_SENTRY_DSN | sentry-dsn
+CT_BRIDGE_EVENT_BASIC_AUTH | event-basic-auth-token
 
 
 ## Usage

api/management/api.go

@@ -153,6 +153,8 @@ func ConvertToKCUser(user UserRepresentation) kc.UserRepresentation {
 	userRep.EmailVerified = user.EmailVerified
 	userRep.FirstName = user.FirstName
 	userRep.LastName = user.LastName
+	userRep.Groups = user.Groups
+	userRep.RealmRoles = user.Roles
 
 	var attributes = make(map[string][]string)
 
@@ -185,4 +187,4 @@ func ConvertToKCUser(user UserRepresentation) kc.UserRepresentation {
 	}
 
 	return userRep
-}
+}

api/management/swagger-api_management.yaml

@@ -146,7 +146,12 @@ paths:
         in: query
         schema:
           type: string
-        allowEmptyValue: true 
+        allowEmptyValue: true
+      - name: search
+        in: query
+        schema:
+          type: string
+        allowEmptyValue: true
       responses:
         200:
           description: successful operation

cmd/keycloakb/keycloak_bridge.go

@@ -208,6 +208,17 @@ func main() {
 		}
 	}
 
+	// Security - Basic AuthN token to protect internal/event endpoint
+	var eventExpectedAuthToken string
+	{
+		eventExpectedAuthToken = c.GetString("event-basic-auth-token")
+
+		if eventExpectedAuthToken == "" {
+			logger.Log("msg", "password for event endpoint (event-basic-auth-token) cannot be empty")
+			return
+		}
+	}
+
 	// Keycloak client.
 	var keycloakClient *keycloak.Client
 	{
@@ -521,6 +532,7 @@ func main() {
 			eventHandler = event.MakeHTTPEventHandler(eventEndpoints.Endpoint)
 			eventHandler = middleware.MakeHTTPCorrelationIDMW(idGenerator, tracer, logger, ComponentName, ComponentID)(eventHandler)
 			eventHandler = middleware.MakeHTTPTracingMW(tracer, ComponentName, "http_server_event")(eventHandler)
+			eventHandler = middleware.MakeHTTPBasicAuthenticationMW(eventExpectedAuthToken, logger)(eventHandler)
 		}
 		eventSubroute.Handle("/receiver", eventHandler)
 
@@ -716,7 +728,8 @@ func config(logger log.Logger) *viper.Viper {
 	v.SetDefault("account-http-host-port", "0.0.0.0:8866")
 
 	// Security - Audience check
-	v.SetDefault("audience", "")
+	v.SetDefault("audience-required", "")
+	v.SetDefault("event-basic-auth-token", "")
 
 	// CORS configuration
 	v.SetDefault("cors-allowed-origins", []string{})
@@ -726,7 +739,6 @@ func config(logger log.Logger) *viper.Viper {
 	v.SetDefault("cors-debug", false)
 
 	// Keycloak default.
-	v.SetDefault("keycloak", true)
 	v.SetDefault("keycloak-api-uri", "http://127.0.0.1:8080")
 	v.SetDefault("keycloak-oidc-uri", "http://127.0.0.1:8080")
 	v.SetDefault("keycloak-username", "")
@@ -800,6 +812,8 @@ func config(logger log.Logger) *viper.Viper {
 
 	v.BindEnv("sentry-dsn", "CT_BRIDGE_SENTRY_DSN")
 
+	v.BindEnv("event-basic-auth-token", "CT_BRIDGE_EVENT_BASIC_AUTH")
+
 	// Load and log config.
 	v.SetConfigFile(v.GetString("config-file"))
 	var err = v.ReadInConfig()
@@ -850,7 +864,7 @@ func getDbConfig(v *viper.Viper, prefix string) *dbConfig {
 func (cfg *dbConfig) openDatabase() (*sql.DB, error) {
 	var err error
 	var dbConn *sql.DB
-	dbConn, err = sql.Open("mysql", fmt.Sprintf("%s:%s@%s(%s)/%s", cfg.Username, cfg.Password, cfg.Protocol, cfg.HostPort, cfg.Database))
+	dbConn, err = sql.Open("mysql", fmt.Sprintf("%s:%s@%s(%s)/%s?time_zone='UTC'", cfg.Username, cfg.Password, cfg.Protocol, cfg.HostPort, cfg.Database))
 
 	// the config of the DB should have a max_connections > SetMaxOpenConns
 	if err == nil {

configs/authorization.json

@@ -101,96 +101,93 @@
           "integrator_agent": {}
         },
         "DEP": {
-          "*": {}
+          "end_user": {}
         }
       },
       "CreateUser": {
         "master": {
           "integrator_agent": {}
-        },
-        "DEP": {
-          "product_administrator": {}
         }
       },
       "GetUser": {
         "master": {
           "integrator_agent": {}
         },
         "DEP": {
-          "*": {}
+          "end_user": {}
         }
       },
       "GetRolesOfUser": {
         "master": {
           "integrator_agent": {}
         },
         "DEP": {
-          "*": {}
+          "end_user": {}
         }
       },
       "GetGroupsOfUser": {
         "master": {
           "integrator_agent": {}
         },
         "DEP": {
-          "*": {}
+          "end_user": {}
         }
       },
       "UpdateUser": {
         "master": {
           "integrator_agent": {}
         },
         "DEP": {
-          "*": {}
+          "end_user": {}
         }
       },
       "DeleteUser": {
         "master": {
           "integrator_agent": {}
         },
         "DEP": {
-          "*": {}
+          "end_user": {}
         }
       },
       "ResetPassword": {
         "master": {
           "integrator_agent": {}
         },
         "DEP": {
-          "*": {}
+          "end_user": {}
         }
       },
       "SendVerifyEmail": {
         "master": {
           "integrator_agent": {}
         },
         "DEP": {
-          "*": {}
+          "end_user": {}
         }
-      }, 
+      },
       "ExecuteActionsEmail": {
         "master": {
           "integrator_agent": {}
         },
         "DEP": {
-          "*": {}
-        } 
+          "end_user": {}
+        }
       },
       "GetCredentialsForUser": {
         "master": {
           "integrator_manager": {}
         },
         "DEP": {
-          "*": {}
-        } 
+          "end_user": {}
+        }
       },
       "DeleteCredentialsForUser": {
         "master": {
           "integrator_manager": {}
         },
         "DEP": {
-          "*": {}
-        } 
+          "end_user": {}
+        }
       },
       "GetRealmCustomConfiguration": {
         "DEP": {
@@ -266,7 +263,7 @@
         "DEP": {
           "*": {}
         }
-      },  
+      },
       "GetRealmCustomConfiguration": {
         "DEP": {
           "*": {}
@@ -276,7 +273,7 @@
         "DEP": {
           "*": {}
         }
-      }          
+      }
     },
     "l2_support_manager":{
       "GetRealms": {
@@ -335,7 +332,7 @@
       "GetCredentialsForUser": {
         "master": {
           "l2_support_agent": {}
-        } 
+        }
       },
       "DeleteCredentialsForUser": {
         "master": {
@@ -405,7 +402,7 @@
       "GetCredentialsForUser": {
         "master": {
           "l3_support_agent": {}
-        } 
+        }
       },
       "DeleteCredentialsForUser": {
         "master": {
@@ -557,7 +554,7 @@
         "DEP": {
           "l1_support_agent": {},
           "end_user": {}
-        } 
+        }
       },
       "DeleteCredentialsForUser": {
         "DEP": {
@@ -620,7 +617,7 @@
       "GetCredentialsForUser": {
         "DEP": {
           "end_user": {}
-        } 
+        }
       },
       "DeleteCredentialsForUser": {
         "DEP": {
@@ -631,7 +628,7 @@
         "DEP": {
           "end_user": {}
         }
-      }  
+      }
     },
     "registration_officer": {
       "CreateUser": {
@@ -642,3 +639,4 @@
     }
   }
 }
+

configs/keycloak_bridge.yml

@@ -21,10 +21,14 @@ cors-allowed-headers:
 cors-debug: true
 
 # Security
+## Audience for JWT token
 audience-required: "backofficeid"
 
+## Password used to protect /internal/event endpoint
+event-basic-auth-token: "superpasswordverylongandstrong"
+
+
 # Keycloak configs
-keycloak: false
 keycloak-api-uri: http://localhost:8080
 keycloak-oidc-uri: http://localhost:8080
 keycloak-username: admin

internal/keycloakb/http.go

@@ -109,7 +109,6 @@ func EventsErrorHandler(_ context.Context, err error, w http.ResponseWriter) {
 			w.WriteHeader(http.StatusTooManyRequests)
 		} else {
 			w.WriteHeader(http.StatusInternalServerError)
-			w.Write([]byte(err.Error()))
 		}
 	}
 }

internal/keycloakb/http_test.go

@@ -256,7 +256,6 @@ func TestEventsErrorHandler(t *testing.T) {
 	{
 		message := "500"
 		mockRespWriter.EXPECT().WriteHeader(http.StatusInternalServerError).Times(1)
-		mockRespWriter.EXPECT().Write([]byte(message)).Times(1)
 		EventsErrorHandler(context.Background(), errors.New(message), mockRespWriter)
 	}
 }

pkg/events/authorization.go

@@ -8,6 +8,12 @@ import (
 	"github.com/go-kit/kit/log"
 )
 
+const (
+	EV_GetEvents        = "EV_GetEvents"
+	EV_GetEventsSummary = "EV_GetEventsSummary"
+	EV_GetUserEvents    = "EV_GetUserEvents"
+)
+
 // Tracking middleware at component level.
 type authorizationComponentMW struct {
 	authManager security.AuthorizationManager
@@ -27,7 +33,7 @@ func MakeAuthorizationManagementComponentMW(logger log.Logger, authorizationMana
 }
 
 func (c *authorizationComponentMW) GetEvents(ctx context.Context, m map[string]string) (api.AuditEventsRepresentation, error) {
-	var action = "EV_GetEvents"
+	var action = EV_GetEvents
 	var targetRealm = "*" // For this method, there is no target realm, so we use the wildcard to express there is no constraints.
 
 	if err := c.authManager.CheckAuthorizationOnTargetRealm(ctx, action, targetRealm); err != nil {
@@ -38,7 +44,7 @@ func (c *authorizationComponentMW) GetEvents(ctx context.Context, m map[string]s
 }
 
 func (c *authorizationComponentMW) GetEventsSummary(ctx context.Context) (api.EventSummaryRepresentation, error) {
-	var action = "EV_GetEventsSummary"
+	var action = EV_GetEventsSummary
 	var targetRealm = "*" // For this method, there is no target realm, so we use the wildcard to express there is no constraints.
 
 	if err := c.authManager.CheckAuthorizationOnTargetRealm(ctx, action, targetRealm); err != nil {
@@ -49,7 +55,7 @@ func (c *authorizationComponentMW) GetEventsSummary(ctx context.Context) (api.Ev
 }
 
 func (c *authorizationComponentMW) GetUserEvents(ctx context.Context, m map[string]string) (api.AuditEventsRepresentation, error) {
-	var action = "EV_GetUserEvents"
+	var action = EV_GetUserEvents
 	var targetRealm = m["realm"] // Get the realm provided as parameter in path
 	var targetUser = m["userID"] // Get the user provided as parameter in path