#52: fix docker build

.travis.yml

@@ -1,8 +1,9 @@
 language: java
-
 cache:
- directories:
-   - $HOME/.m2
-
+  directories:
+    - $HOME/.m2
 jdk:
-   - oraclejdk8
+  - oraclejdk8
+branches:
+  only:
+    - master

README.md

@@ -7,12 +7,19 @@ built on top of light-4j and light-rest-4j frameworks.
 
 [![Build Status](https://travis-ci.org/networknt/light-oauth2.svg?branch=master)](https://travis-ci.org/networknt/light-oauth2)
 
+Light platform follows security first design and we have provided an OAuth 2.0 provider
+light-oauth2 which is based on light-4j and light-rest-4j frameworks with 7 microservices.
+Some of the services implement the OAuth 2.0 specifications and others implement some
+extensions to make OAuth more suitable to protect service to service communication, other 
+styles of services like GraphQL, RPC and Event Driven, Key management and distribution,
+service registration, token scope calculation and token exchange.    
+
 ## Why this OAuth 2.0 Authorization Server
 
 ### Fast and small memory footprint to lower production cost.
 
-The authorization code service can support 60000 user login and get authorization code redirected in a second on a Mac Book Pro.
-The token service can generate 700 JWT access tokens signed by PKI per second on a Mac Book Pro. 
+It can support 60000 user login and get authorization code redirect and can generate 
+700 access tokens per second on my laptop. 
 
 It has 7 microservices connected with in-memory data grid and each service can be
 scaled individually.
@@ -24,29 +31,36 @@ OAuth 2.0 is just a specification and a lot of details are in the individual
 implementation. Our implementation has a lot of extensions and enhancements 
 for additional security and prevent users making mistakes. For example, we
 have added an additional client type called "trusted" and only this type of
-client can issue resource owner password credentials grant type and any custom
-grant types. Also, when expose your OAuth 2.0 services the Internet, you only
-need to expose authorization code service for user login and token service for
-client to get access token. Other services can only be accessed internal. 
+client can issue resource owner password credentials grant type. 
+
+### More deployment options
+
+You can deploy all services or just deploy the services for your use cases. You can
+deploy token and code service to DMZ and all others internal for maximum security.
+You can have several token services or deploy token service as sidecar pattern in
+each node. You can start more instance of key service on the day that your public
+key certificate for signature verification is changed and shutdown all of the but
+one the next day. You can take the full advantages of microservices deployment.  
 
 ### Seamlessly integration with Light-Java framework
 
 * Built on top of light-4j and light-rest-4j
-* light-4j client and security modules manages all the communication with OAuth2
-* Support service on-boarding from Light-Portal
-* Support client on-boarding from Light-Portal
-* Support user management from Light-Portal
+* Light-4j Client and Security modules manages most of the communications with OAuth2
+* Support service on-boarding from light-portal
+* Support client on-boarding from light-portal
+* Support user management from light-portal
 * Open sourced OpenAPI specifications for all microserivces
 
 ### Easy to integrate with your APIs or services
 
-The OAuth2 services can be started in a docker compose for your local development
-and can be managed by Kubernetes on official environment.
+The OAuth2 services can be started in a docker-compose for your local development and 
+can be managed by Kubernetes on official test and production environment. It exposes
+RESTful APIs and can be access from all languages and applications. 
 
 ### Support multiple databases and can be extended and customized easily
 
 Out of the box, it supports Mysql, Postgres and Oracle XE and H2 for unit tests. Other
-databases can be easily added with configuration change in service.yml config file.
+databases can be easily added with configuration change in service.yml.
 
 
 ### Public key certificate distribution
@@ -55,23 +69,73 @@ With distributed security verification, JWT signature public key certificates mu
 but distributed to all resource servers. The traditional push approach is not
 working with microservices architecture and pull approach is adopted. There is a 
 key service with endpoint to retrieve public key certificate from microservices 
-during runtime based on the key_id from JWT header. For more details on key service,
-please refer to [key distribution][] 
+during runtime based on the key_id from JWT header.  
+
+### Two tokens to support microservices architecture
+
+Each service in a microservices application needs a subject token which identifies the
+original caller (the person who logged in the original client) and an access token
+which identifies the immediate caller (might be another microservices). Both tokens
+will be verified with scopes to the API endpoint level. Additional claims in these
+tokens will be used for fine-grained authorization which happens within the business
+context. 
 
-### Additional documents
+### Token exchange for high security
 
-Along with the documentation on each [light-oauth2 service][], there are
-[light-oauth2 tutorial][] to help user to get started.  
+Even with two tokens, we can only verify who is the original calller and which client is
+the immediate caller. For some highly protected service like payment or fund transfer,
+we need to ensure that the call is routed through some known services. light-oauth2
+token service support token exchange and chaining so that a service can verify the
+entire call tree to authorize if the call is authorized or not. 
 
+### Service registration for scope calculation
 
-### OAuth2 server, portal and light Java to form ecosystem
+light-oauth2 has a service registration to allow all service to be registered with service
+id and all endpoints as well as scopes for the endpoint. During client registration, you
+can link a client to services/endpoints and the scope of the client can be calculated
+and updated in client table. This avoids developers to pass in scopes when getting
+access token as there might be hundreds of them for a client that accesses dozens of
+microservices. 
+
+### All activities are audited 
+
+A database audit handler has been wired into all light-oauth2 services to log each
+activity across services with sensitive info masked. In the future we will put these
+logs into AI stream processing to identify abnormal behaviors just like normal service
+log processing.  
+
+### OAuth2 server, portal and light-4j to form ecosystem
 
 [light-java](https://github.com/networknt/light-java) to build API
 
 [light-oauth2](https://github.com/networknt/light-oauth2) to control API access
 
 [light-portal](https://github.com/networknt/light-portal) to manage clients and APIs
 
-[key distribution]: https://doc.networknt.com/service/oauth/service/key/
-[light-oauth2 service]: https://doc.networknt.com/service/oauth/service/
-[light-oauth2 tutorial]: https://doc.networknt.com/tutorial/oauth/
+## Introduction
+
+This [introduction](https://doc.networknt.com/service/oauth/introduction/) document contains all the basic concept of OAuth 2.0 specification and how it work in general. 
+
+## Getting started
+
+The easiest way to start using light-oauth2 in your development environment is through
+docker-compose in light-docker repository. Please refer to [getting started](https://doc.networknt.com/getting-started/light-oauth2/) for more information. 
+
+## Architecture
+
+There are some key decision points that are documented in [architecture](https://doc.networknt.com/service/oauth/architecture/) section.
+
+## Documentation
+
+The detailed [service document](https://doc.networknt.com/service/oauth/service/) help users to understand how each individual service
+works and the specification for each services. It also contains information on which scenarios will trigger what kind of errors. 
+
+## Tutorial
+
+There are [tutorials](https://doc.networknt.com/tutorial/oauth/) for each service that shows how to use the most common use cases with examples. 
+
+## Reference
+
+There are vast amount of information about OAuth 2.0 specifications and implementations. 
+Here are some important [references](https://doc.networknt.com/service/oauth/reference/) that can help you to understand OAuth 2.0 Authorization.
+

authorize/build.sh

@@ -42,7 +42,7 @@ cleanup() {
 
 publish() {
     echo "Building Docker image with version $VERSION"
-    docker build -t $IMAGE_NAME:$VERSION -t $IMAGE_NAME:latest -f ./docker/Dockerfile . --no-cache=true
+    docker build -t $IMAGE_NAME:$VERSION -t $IMAGE_NAME:latest -f ./Dockerfile . --no-cache=true
     docker build -t $IMAGE_NAME:$VERSION-redhat -f ./docker/Dockerfile-Redhat . --no-cache=true
     echo "Images built with version $VERSION"
     echo "Pushing image to DockerHub"

authorize/docker/Dockerfile-Redhat

@@ -2,27 +2,30 @@ FROM registry.access.redhat.com/redhat-openjdk-18/openjdk18-openshift
 
 USER root
 
-ENV APP_DIR=/app \
+ENV APP_DIR=app \
     GROUP_NAME=networknt \
     GROUP_ID=1000 \
     USER_NAME=networknt \
     USER_UID=1000
 
 RUN groupadd -g ${GROUP_ID} -r ${GROUP_NAME} && \
-    useradd -u ${USER_UID} -g ${GROUP_NAME} -d "${APP_DIR}" -s /sbin/nologin -c "${USER_NAME} user" ${USER_NAME}
+    useradd -u ${USER_UID} -g ${GROUP_NAME} -d "/${APP_DIR}" -s /sbin/nologin -c "${USER_NAME} user" ${USER_NAME}
 
 # Add the jar file into the container at /app
-ADD target/oauth2-authorize.jar ${APP_DIR}/server.jar
+ADD target/oauth2-authorize.jar ./${APP_DIR}/server.jar
 
 # change permissions of app directory
-RUN chown -R ${USER_NAME}:${GROUP_NAME} "${APP_DIR}"
+RUN mkdir -p ./${APP_DIR}/config && \
+    chown -R ${USER_NAME}:0 "./${APP_DIR}/config" && \
+    find "./${APP_DIR}/config" -type d -exec chmod 750 {} \; && \
+    find "./${APP_DIR}/config" -type f -exec chmod 640 {} \;
 
 # Port available to the world outside of this container
-EXPOSE 6881
+EXPOSE 8080
 
 USER ${USER_UID}
 
 # Set the working directory to /app
-WORKDIR ${APP_DIR}
+WORKDIR ./${APP_DIR}
 
-CMD ["/bin/sh","-c","java -Dlight-4j-config-dir=/config -Dlogback.configurationFile=/config/logback.xml -jar server.jar"]
+CMD ["/bin/sh","-c","java -Dlight-4j-config-dir=/config -Dlogback.configurationFile=/config/logback.xml -jar server.jar"]

authorize/src/main/resources/logback.xml

@@ -28,15 +28,15 @@
         <!-- encoders are assigned the type
              ch.qos.logback.classic.encoder.PatternLayoutEncoder by default -->
         <encoder>
-            <pattern>%d{HH:mm:ss.SSS} [%thread] %X{cId} %-5level %logger{36} - %msg%n</pattern>
+            <pattern>%d{HH:mm:ss.SSS} [%thread] %X{sId} %X{cId} %-5level %class{36}:%L %M - %msg%n</pattern>
         </encoder>
     </appender>
 
     <appender name="log" class="ch.qos.logback.core.FileAppender">
         <File>target/test.log</File>
         <Append>false</Append>
         <layout class="ch.qos.logback.classic.PatternLayout">
-            <Pattern>%d{HH:mm:ss.SSS} [%thread] %X{cId} %-5level %class{36}:%L %M - %msg%n</Pattern>
+            <pattern>%d{HH:mm:ss.SSS} [%thread] %X{sId} %X{cId} %-5level %class{36}:%L %M - %msg%n</pattern>
         </layout>
     </appender>
 

authorize/src/test/resources/create_h2.sql

@@ -1,8 +1,8 @@
-DROP table IF EXISTS users;
-DROP table IF EXISTS  clients;
-DROP table IF EXISTS  services;
+DROP table IF EXISTS user_profile;
+DROP table IF EXISTS  client;
+DROP table IF EXISTS  service;
 
-create table users (
+create table user_profile (
   user_id varchar PRIMARY KEY,
   user_type varchar,  -- admin, customer, employee, partner
   first_name varchar,
@@ -13,13 +13,13 @@ create table users (
   update_dt DATE
 );
 
-CREATE UNIQUE INDEX email_idx ON users(email);
+CREATE UNIQUE INDEX email_idx ON user_profile(email);
 
-create table clients (
+create table client (
   client_id VARCHAR PRIMARY KEY,
-  client_type VARCHAR,
   client_secret VARCHAR,
-  client_profile VARCHAR,
+  client_type VARCHAR,  -- public, confidential, trusted
+  client_profile VARCHAR, -- server, mobile, service, batch, browser
   client_name VARCHAR,
   client_desc VARCHAR,
   scope VARCHAR,
@@ -30,7 +30,7 @@ create table clients (
   update_dt DATE
 );
 
-create table services (
+create table service (
   service_id VARCHAR PRIMARY KEY,
   service_type VARCHAR,  -- api, ms
   service_name VARCHAR,
@@ -41,10 +41,10 @@ create table services (
   update_dt DATE
 );
 
-INSERT INTO users(user_id, user_type, first_name, last_name, email, password) VALUES('admin', 'admin', 'admin', 'admin', 'admin@networknt.com', '1000:5b39342c202d37372c203132302c202d3132302c2034372c2032332c2034352c202d34342c202d31362c2034372c202d35392c202d35362c2039302c202d352c202d38322c202d32385d:949e6fcf9c4bb8a3d6a8c141a3a9182a572fb95fe8ccdc93b54ba53df8ef2e930f7b0348590df0d53f242ccceeae03aef6d273a34638b49c559ada110ec06992');
+INSERT INTO user_profile(user_id, user_type, first_name, last_name, email, password) VALUES('admin', 'admin', 'admin', 'admin', 'admin@networknt.com', '1000:5b39342c202d37372c203132302c202d3132302c2034372c2032332c2034352c202d34342c202d31362c2034372c202d35392c202d35362c2039302c202d352c202d38322c202d32385d:949e6fcf9c4bb8a3d6a8c141a3a9182a572fb95fe8ccdc93b54ba53df8ef2e930f7b0348590df0d53f242ccceeae03aef6d273a34638b49c559ada110ec06992');
 
-INSERT INTO clients (client_id, client_type, client_secret, client_profile, client_name, client_desc, scope, redirect_uri, authenticate_class, owner_id) VALUES('f7d42348-c647-4efb-a52d-4c5787421e72', 'public', '1000:5b37332c202d36362c202d36392c203131362c203132362c2036322c2037382c20342c202d37382c202d3131352c202d35332c202d34352c202d342c202d3132322c203130322c2033325d:29ad1fe88d66584c4d279a6f58277858298dbf9270ffc0de4317a4d38ba4b41f35f122e0825c466f2fa14d91e17ba82b1a2f2a37877a2830fae2973076d93cc2', 'mobile', 'PetStore Web Server', 'PetStore Web Server that calls PetStore API', 'petstore.r petstore.w', 'http://localhost:8080/authorization', null, 'admin' );
-INSERT INTO clients (client_id, client_type, client_secret, client_profile, client_name, client_desc, scope, redirect_uri, authenticate_class, owner_id) VALUES('59f347a0-c92d-11e6-9d9d-cec0c932ce01', 'public', '1000:5b37332c202d36362c202d36392c203131362c203132362c2036322c2037382c20342c202d37382c202d3131352c202d35332c202d34352c202d342c202d3132322c203130322c2033325d:29ad1fe88d66584c4d279a6f58277858298dbf9270ffc0de4317a4d38ba4b41f35f122e0825c466f2fa14d91e17ba82b1a2f2a37877a2830fae2973076d93cc2', 'mobile', 'PetStore Web Server', 'PetStore Web Server that calls PetStore API', 'petstore.r petstore.w', 'http://localhost:8080/authorization', null, 'admin' );
+INSERT INTO client (client_id, client_type, client_secret, client_profile, client_name, client_desc, scope, redirect_uri, authenticate_class, owner_id) VALUES('f7d42348-c647-4efb-a52d-4c5787421e72', 'public', '1000:5b37332c202d36362c202d36392c203131362c203132362c2036322c2037382c20342c202d37382c202d3131352c202d35332c202d34352c202d342c202d3132322c203130322c2033325d:29ad1fe88d66584c4d279a6f58277858298dbf9270ffc0de4317a4d38ba4b41f35f122e0825c466f2fa14d91e17ba82b1a2f2a37877a2830fae2973076d93cc2', 'mobile', 'PetStore Web Server', 'PetStore Web Server that calls PetStore API', 'petstore.r petstore.w', 'http://localhost:8080/authorization', null, 'admin' );
+INSERT INTO client (client_id, client_type, client_secret, client_profile, client_name, client_desc, scope, redirect_uri, authenticate_class, owner_id) VALUES('59f347a0-c92d-11e6-9d9d-cec0c932ce01', 'public', '1000:5b37332c202d36362c202d36392c203131362c203132362c2036322c2037382c20342c202d37382c202d3131352c202d35332c202d34352c202d342c202d3132322c203130322c2033325d:29ad1fe88d66584c4d279a6f58277858298dbf9270ffc0de4317a4d38ba4b41f35f122e0825c466f2fa14d91e17ba82b1a2f2a37877a2830fae2973076d93cc2', 'mobile', 'PetStore Web Server', 'PetStore Web Server that calls PetStore API', 'petstore.r petstore.w', 'http://localhost:8080/authorization', null, 'admin' );
 
-INSERT INTO services (service_id, service_type, service_name, service_desc, scope, owner_id) VALUES ('AACT0001', 'ms', 'Account Service', 'A microservice that serves account information', 'a.r b.r', 'admin');
+INSERT INTO service (service_id, service_type, service_name, service_desc, scope, owner_id) VALUES ('AACT0001', 'ms', 'Account Service', 'A microservice that serves account information', 'a.r b.r', 'admin');
 

cache/src/main/java/com/networknt/oauth/cache/CacheStartupHookProvider.java

@@ -3,10 +3,7 @@
 import com.hazelcast.config.*;
 import com.hazelcast.core.Hazelcast;
 import com.hazelcast.core.HazelcastInstance;
-import com.networknt.oauth.cache.model.ClientDataSerializableFactory;
-import com.networknt.oauth.cache.model.RefreshTokenDataSerializableFactory;
-import com.networknt.oauth.cache.model.ServiceDataSerializableFactory;
-import com.networknt.oauth.cache.model.UserDataSerializableFactory;
+import com.networknt.oauth.cache.model.*;
 import com.networknt.server.StartupHookProvider;
 
 /**
@@ -25,6 +22,7 @@ public void onStartup() {
         config.getSerializationConfig().addDataSerializableFactory(2, new ClientDataSerializableFactory());
         config.getSerializationConfig().addDataSerializableFactory(3, new ServiceDataSerializableFactory());
         config.getSerializationConfig().addDataSerializableFactory(4, new RefreshTokenDataSerializableFactory());
+        config.getSerializationConfig().addDataSerializableFactory(5, new ServiceEndpointDataSerializableFactory());
 
         // service map with near cache.
         MapConfig serviceConfig = new MapConfig();
@@ -41,6 +39,21 @@ public void onStartup() {
 
         config.addMapConfig(serviceConfig);
 
+        // service endpoint map with near cache.
+        MapConfig serviceEndpointConfig = new MapConfig();
+        serviceEndpointConfig.setName("serviceEndpoints");
+        NearCacheConfig serviceEndpointCacheConfig = new NearCacheConfig();
+        serviceEndpointCacheConfig.setEvictionPolicy("NONE");
+        serviceEndpointCacheConfig.setInMemoryFormat(InMemoryFormat.OBJECT);
+        serviceEndpointCacheConfig.setCacheLocalEntries(true); // this enables the local caching
+        serviceEndpointConfig.setNearCacheConfig(serviceEndpointCacheConfig);
+
+        serviceEndpointConfig.getMapStoreConfig()
+                .setEnabled(true)
+                .setClassName("com.networknt.oauth.cache.ServiceEndpointMapStore");
+
+        config.addMapConfig(serviceEndpointConfig);
+
         // client map with near cache.
         MapConfig clientConfig = new MapConfig();
         clientConfig.setName("clients");