[New #126] Add oidc authentication

.env.development.keycloak-auth

@@ -0,0 +1,9 @@
+FTA_FMEA_BASENAME=''
+FTA_FMEA_API_URL=http://localhost:1235/services/fta-fmea-server
+FTA_FMEA_ADMIN_REGISTRATION_ONLY=false
+FTA_FMEA_TITLE='Development FTA/FMEA Tool'
+FTA_FMEA_AUTHENTICATION: oidc
+
+// TODO: Define auth env variables
+# FTA_FMEA_AUTH_SERVER_URL:
+# FTA_FMEA_AUTH_CLIENT_ID:

deploy/.docker/config.js.template

@@ -4,4 +4,7 @@ window.__config__ = {
   FTA_FMEA_API_URL:'${FTA_FMEA_API_URL}',
   FTA_FMEA_ADMIN_REGISTRATION_ONLY:'${FTA_FMEA_ADMIN_REGISTRATION_ONLY}',
   FTA_FMEA_TITLE:'${FTA_FMEA_TITLE}'
+  FTA_FMEA_AUTHENTICATION:'${FTA_FMEA_AUTHENTICATION}'
+  FTA_FMEA_AUTH_SERVER_URL:'${FTA_FMEA_AUTH_SERVER_URL}'
+  FTA_FMEA_AUTH_CLIENT_ID:'${FTA_FMEA_AUTH_CLIENT_ID}'
 }

deploy/.docker/docker-entrypoint.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env sh
 set -eu
 
-envsubst '${FTA_FMEA_BASENAME} ${FTA_FMEA_API_URL} ${FTA_FMEA_ADMIN_REGISTRATION_ONLY} ${FTA_FMEA_TITLE}' < /etc/nginx/config.js.template > /usr/share/nginx/html/config.js
+envsubst '${FTA_FMEA_BASENAME} ${FTA_FMEA_API_URL} ${FTA_FMEA_ADMIN_REGISTRATION_ONLY} ${FTA_FMEA_TITLE} ${FTA_FMEA_AUTHENTICATION} ${FTA_FMEA_AUTH_SERVER_URL} ${FTA_FMEA_AUTH_CLIENT_ID}' < /etc/nginx/config.js.template > /usr/share/nginx/html/config.js
 
 exec "$@"

deploy/keycloak-auth/.env

@@ -0,0 +1,15 @@
+# Prefix for name of all docker containers. By default it is set to "ff".
+RECORD_SET_NAME=ff-iauth-demo
+
+# Host machine port that provides main entrypoint for the application. The application will be locally accessible at http://localhost:$INTERNAL_HOST_PORT/$FTA_FMEA_PATH (by default it is set to "1235")
+INTERNAL_HOST_PORT=1235
+
+# Public origin of URL where FTA/FMEA tool UI will run, e.g. https://kbss.fel.cvut.cz, https://kbss.fel.cvut.cz:8080, http://localhost. ! This option can be used only with running reverse proxy pointing to http://localhost:$INTERNAL_HOST_PORT !
+#PUBLIC_ORIGIN=http://localhost
+
+# Root path for all applications and services, e.g., "" or "/my-company". By default it is set to "". MUST start with slash and MUST NOT end with slash.
+#APP_ROOT_PATH=/ff-demo
+
+# Relative path for root FTA/FMEA tool application starting from APP_ROOT_PATH (by default it is set to "/fta-fmea"). MUST start with slash and MUST NOT end with slash.
+#FTA_FMEA_PATH=/fta-fmea-demo
+

deploy/keycloak-auth/docker-compose.yml

@@ -0,0 +1,132 @@
+version: "3.9"
+
+# Provide access to fta-fmea-ui that runs locally in dev mode
+x-access-for-local-development: &local-dev-env
+  cors.allowedOrigins: "http://localhost:4173,http://localhost:5173"
+
+# Provide logging to Java application (e.g. fta-fmea-server)
+x-logging-java-application: &logging-java
+  LOGGING_LEVEL_ROOT: "debug"
+
+# Expose port to access db-server directly, bypassing nginx
+x-access-db-server-development-port: &db-server-dev-port
+  ports:
+    - "127.0.0.1:${DB_SERVER_DEV_PORT:-7205}:7200"
+
+services:
+  nginx:
+    image: nginx:latest
+    container_name: ${RECORD_SET_NAME:-ff}-nginx
+    ports:
+      - "127.0.0.1:${INTERNAL_HOST_PORT:-1235}:80"
+    restart: always
+    depends_on:
+      - fta-fmea
+      - fta-fmea-server
+      - db-server
+    environment:
+      NGINX_ENVSUBST_OUTPUT_DIR: /etc/nginx
+      APP_ORIGIN: "${PUBLIC_ORIGIN:-http://localhost:${INTERNAL_HOST_PORT:-1235}}"
+      APP_ROOT_PATH: "${APP_ROOT_PATH:-}"
+      FTA_FMEA_PATH: "${FTA_FMEA_PATH:-/fta-fmea}"
+    volumes:
+      - ./nginx/nginx.conf:/etc/nginx/templates/nginx.conf.template:ro
+      - ../shared/nginx/error.html:/usr/share/nginx/html/error.html:ro
+
+  fta-fmea:
+    image: ghcr.io/kbss-cvut/fta-fmea-ui:latest
+    container_name: ${RECORD_SET_NAME:-ff}-fta-fmea
+    expose:
+      - "80"
+    depends_on:
+      - fta-fmea-server
+    environment:
+      FTA_FMEA_API_URL: "${PUBLIC_ORIGIN:-http://localhost:${INTERNAL_HOST_PORT:-1235}}${APP_ROOT_PATH:-}/services/fta-fmea-server"
+      FTA_FMEA_BASENAME: "${APP_ROOT_PATH:-}${FTA_FMEA_PATH:-/fta-fmea}"
+      FTA_FMEA_ADMIN_REGISTRATION_ONLY: ${ADMIN_REGISTRATION_ONLY:-false}
+      FTA_FMEA_AUTHENTICATION: "oidc"
+      FTA_FMEA_AUTH_SERVER_URL: "${PUBLIC_ORIGIN:-http://localhost:${INTERNAL_HOST_PORT:-1235}}${APP_ROOT_PATH:-}/services/auth/realms/fta-fmea"
+      FTA_FMEA_AUTH_CLIENT_ID: "fta-fmea"
+
+  fta-fmea-server:
+    image: ghcr.io/kbss-cvut/fta-fmea:latest
+    container_name: ${RECORD_SET_NAME:-ff}-fta-fmea-server
+    expose:
+      - "9999"
+    depends_on:
+      - db-server
+    restart: always
+    environment:
+      <<: *local-dev-env
+      REPOSITORY_URL: ${REPOSITORY_URL:-http://db-server:7200/repositories/fta-fmea}
+      server.servlet.context-path: "/fta-fmea"
+      SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUERURI: "${PUBLIC_ORIGIN:-http://localhost:${INTERNAL_HOST_PORT:-1235}}${APP_ROOT_PATH:-}/services/auth/realms/fta-fmea"
+      SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWKSETURI: "http://auth-server:8080/realms/fta-fmea/protocol/openid-connect/certs"
+      SERVER_MAXHTTPREQUESTHEADERSIZE: "40KB"
+
+  db-server:
+    <<: *db-server-dev-port
+    image: ${RECORD_SET_NAME:-ff}-db-server
+    container_name: ${RECORD_SET_NAME:-ff}-db-server
+    build:
+      context: ../shared/db-server
+    environment:
+      GDB_JAVA_OPTS: "-Dgraphdb.external-url=${PUBLIC_ORIGIN:-http://localhost:${INTERNAL_HOST_PORT:-1235}}${APP_ROOT_PATH:-}/services/db-server"
+    expose:
+      - "7200"
+    restart: always
+    volumes:
+      - ../shared/db-server/init-data:/root/graphdb-import:ro
+      - db-server:/opt/graphdb/home
+
+  auth-server-db:
+    image: postgres:13
+    container_name: ${RECORD_SET_NAME:-rm}-auth-server-db
+    environment:
+      POSTGRES_DB: keycloak
+      POSTGRES_USER: keycloak
+      POSTGRES_PASSWORD: keycloak
+    volumes:
+      - auth-server-db:/var/lib/postgresql/data
+
+  auth-server:
+    image: ghcr.io/kbss-cvut/keycloak-graphdb-user-replicator/keycloak-graphdb:latest
+    container_name: ${RECORD_SET_NAME:-rm}-auth-server
+    command:
+      - start --import-realm --features="token-exchange,admin-fine-grained-authz"
+    environment:
+      KC_IMPORT: realm-export.json
+      KC_HOSTNAME_URL: "${PUBLIC_ORIGIN:-http://localhost:${INTERNAL_HOST_PORT:-1235}}${APP_ROOT_PATH:-}/services/auth/"
+      KC_HOSTNAME_ADMIN_URL: "${PUBLIC_ORIGIN:-http://localhost:${INTERNAL_HOST_PORT:-1235}}${APP_ROOT_PATH:-}/services/auth/"
+      KC_HOSTNAME_STRICT_BACKCHANNEL: false
+      KC_HTTP_ENABLED: true
+      KEYCLOAK_ADMIN: ${KC_ADMIN_USER}
+      KEYCLOAK_ADMIN_PASSWORD: ${KC_ADMIN_PASSWORD}
+      DB_VENDOR: POSTGRES
+      DB_ADDR: auth-server-db
+      DB_DATABASE: keycloak
+      DB_USER: keycloak
+      DB_PASSWORD: keycloak
+      DB_SCHEMA: "public"
+      DB_SERVER_URL: "http://db-server:7200"
+      DB_SERVER_REPOSITORY_ID: "record-manager-app"
+      REPOSITORY_LANGUAGE: "en"
+      VOCABULARY_USER_TYPE: "http://onto.fel.cvut.cz/ontologies/record-manager/user"
+      VOCABULARY_USER_FIRST_NAME: "http://xmlns.com/foaf/0.1/firstName"
+      VOCABULARY_USER_LAST_NAME: "http://xmlns.com/foaf/0.1/lastName"
+      VOCABULARY_USER_USERNAME: "http://xmlns.com/foaf/0.1/accountName"
+      VOCABULARY_USER_EMAIL: "http://xmlns.com/foaf/0.1/mbox"
+      ADD_ACCOUNTS: false
+      REALM_ID: "fta-fmea-tool"
+    expose:
+      - "8080"
+    volumes:
+      - auth-server:/opt/keycloak/data
+      - ./keycloak:/opt/keycloak/data/import
+    depends_on:
+      - auth-server-db
+
+volumes:
+  db-server:
+  auth-server:
+  auth-server-db:

deploy/keycloak-auth/nginx/nginx.conf

@@ -0,0 +1,92 @@
+worker_processes  1;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+
+    client_max_body_size 100M;
+
+    include mime.types;
+    default_type application/octet-stream;
+
+    map $status $status_text {
+        400 'Bad Request';
+        401 'Unauthorized';
+        403 'Forbidden';
+        404 'Not Found';
+        405 'Method Not Allowed';
+        406 'Not Acceptable';
+        413 'Payload Too Large';
+        414 'URI Too Long';
+        431 'Request Header Fields Too Large';
+        500 'Internal Server Error';
+        501 'Not Implemented';
+        502 'Bad Gateway';
+        503 'Service Unavailable';
+        504 'Gateway Timeout';
+    }
+
+    server {
+        listen 80;
+        server_name  localhost;
+
+        error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414
+            415 416 417 418 421 422 423 424 426 428 429 431 451 500 501 502 503
+            504 505 506 507 508 510 511 /error.html;
+
+        location = /error.html {
+            ssi on;
+            internal;
+            root /usr/share/nginx/html;
+        }
+
+        location = ${FTA_FMEA_PATH} {
+            return 302 ${APP_ORIGIN}${APP_ROOT_PATH}${FTA_FMEA_PATH}/;
+        }
+
+        location ${FTA_FMEA_PATH}/ {
+            proxy_pass http://fta-fmea/; # keep the trailing slash to cut off matched prefix
+        }
+
+        location /services/fta-fmea-server/ {
+            proxy_pass http://fta-fmea-server:9999/fta-fmea/; # keep the trailing slash to cut off matched prefix
+            proxy_cookie_path /fta-fmea ${APP_ROOT_PATH}/services;
+        }
+
+        location = /services/db-server {
+            return 302 ${APP_ORIGIN}${APP_ROOT_PATH}/services/db-server/;
+        }
+
+        location /services/db-server/ {
+            proxy_pass http://db-server:7200/; # keep the trailing slash to cut off matched prefix
+        }
+
+        location = /services/auth {
+            return 302 ${APP_ORIGIN}${APP_ROOT_PATH}/services/auth/;
+        }
+
+        location /services/auth/ {
+            proxy_pass http://auth-server:8080/;
+            proxy_set_header Host $host;
+            proxy_set_header X-Forwarded-Host $server_name;
+            proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header Cookie $http_cookie;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+            # Increase buffer sizes to handle large headers sent by Keycloak and its clients
+            proxy_buffer_size   128k;
+            proxy_buffers       4 256k;
+            proxy_busy_buffers_size 256k;
+        }
+
+        location /health-check {
+            return 200;
+            access_log off;
+        }
+    }
+}