- MVP: as a paas-user, once logged in, I can use a private CF space: API endpoint, org and space details are displayed.
  - given: a user with an account in the CF UAA
  - when: the user browses to the sandbox service through sandbox-ui
  - then: the user is prompted by the UAA to consent to sandbox-service acting on his behalf (cloud_controller.read, openid scopes)
  - and: the user is shown a CF CLI command to connect to a private space
Pending stories:
- paas-ops email notification:
  - given: the paas-ops has configured an email address $email in the sandbox-service config and a CF instance name $cf_instance
  - when: the paas-user first accesses the sandbox to reach her private space
  - then: a notification email is sent to the configured address, which includes:
    - in the subject: [sandbox $cf_instance]: private space created for $user_name
    - in the email body: user name, user email, CC API endpoint, org & space name
- private space templating
  - given: the paas-ops has configured:
    - a security group with name $sec-group-name
    - a space quota with name $space-quota-name
  - when: the paas-user first accesses the sandbox to reach her private space
  - then: a space is allocated and bound to the security group $sec-group-name and the space quota $space-quota-name
  - given: the paas-ops has configured:
- Simple GUI available: Sandbox-UI
Authentication process is done by Sandbox UI (details)
- sandbox oauth roles
  - OAuth resource server (/sandbox)
    - scopes: NONE specific yet
  - OAuth client (CF resources)
    - scope: scim... cloud_controller...
- sandboxes/me GET (Bearer: AccessToken)
  - 301 sandbox/guid
- UAA token: https://github.com/cloudfoundry/uaa/blob/master/docs/UAA-Tokens.md#getting-started; "user id" guid: http://apidocs.cloudfoundry.org/219/users/get_user_summary.html ?
- preserves user identity username: LDAP DN = "orange CUID"
Inspirations for the REST API
Note: if you want to use AngularJS (or JavaScript in general), don't forget to configure CORS on both the UAA and the API.
Use the Maven wrapper:
```shell
mvn -N io.takari:maven:0.3.0:wrapper -Dmaven=3.3.9
```
To be able to build this project, you have to update your Maven settings. You can use the one provided here.
```shell
mvn clean install
mvn clean install -PrunITs
```
We use OJO (oss.jfrog.org), so build promotion can release the component to JCenter.
The full release process is detailed in /src/bin/release.
Depending on your usage, you can fetch it from the JCenter Maven repository or from Bintray.
Please use cf-manifest-reference.yml as a template for your CF CLI manifest file.
```shell
$ mvn package
$ cf push sandbox-ui -p target/elpaaso-service-1.0-SNAPSHOT.jar -f manifest.yml
```
Or inherit cf-manifest-reference.yml and customize:
```yaml
---
inherit: cf-manifest-reference.yml
applications:
  - name: my-sandbox-ui
    domains:
      - cf.rocks.org
      - cf.rocks.com
    env:
      CLOUDFOUNDRY_API_URL: https://my-cloud-foundry.org
      CLOUDFOUNDRY_CREDENTIALS_USER_ID: my-sandbox-admin
      TRUSTED_CA_CERTIFICATE:
      CLOUDFOUNDRY_CREDENTIALS_PASSWORD: <my_sandbox_admin_password>
      SECURITY_OAUTH2_RESOURCE_JWT_KEY_VALUE: |
        -----BEGIN PUBLIC KEY-----
        ZZZZZIIIIIIGGGGGGGERSFRRRRRRRRRRRRRRRRRRTTTTTTTTTTTT2kOrV1r000Hj
        2OrOv/HmuMQMDd0tvUNivz+QWA0SaDEhOmj9T7y0000000fg8f/no00rDeBk/ir+
        3UwpLlw7+AZERTY4FTfp88888888888888888888889999977r2zb1Gkkij0Kd03
        I2YTREZA6W96CA/u/RTHOTPB
        -----END PUBLIC KEY-----
```
The UAA public key is used to verify the JWT token signature. The easiest way to get this key is to ask UAA: the UAA documentation describes the /token_key endpoint.
```shell
curl https://uaa.<your_domains>/token_key
```
```json
{
  "alg": "SHA256withRSA",
  "value": "-----BEGIN PUBLIC KEY-----\nZZZZZIIIIIIGGGGGGGERSFRRRRRRRRRRRRRRRRRRTTTTTTTTTTTT2kOrV1r000Hj\n2OrOv/HmuMQMDd0tvUNivz+QWA0SaDEhOmj9T7y0000000fg8f/no00rDeBk/ir+\n3UwpLlw7+AZERTY4FTfp88888888888888888888889999977r2zb1Gkkij0Kd03\nI2YTREZA6W96CA/u/RTHOTPB\n-----END PUBLIC KEY-----\n",
  "kty": "RSA",
  "use": "sig",
  "n": "AL5NZWqsdffWl789798751RRTgtytrhfsssdfjjhjuk9Q2K/P5BYfghf799yhfhPvJsPLqChJfrhT+f0xisN4GTsKfghfghuXDv5bMp71T456546987bdfh9eGGTPLUFVqsdfrGlUbvuvfghUaSSKM4p0fcjY4oGNC3pb3oIff79",
  "e": "AQAB"
}
```
Warning: the `value` field contains `\n` escape sequences; replace them with real line breaks (or remove them) when copying the key into the manifest.
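To show what SECURITY_OAUTH2_RESOURCE_JWT_KEY_VALUE is for, here is an added Python example; it is not code from the elpaaso sandbox project or from UAA. It normalises the `value` field of a /token_key response as the warning above describes, and then does what the sandbox resource server has to do with that key before trusting a Bearer token: check that the JWT header says RS256 (the JWT name for the `SHA256withRSA` that /token_key reports), verify the signature against the `n`/`e` from the same response, and only then read `exp` and look for the `cloud_controller.read` scope from the MVP story. The function names, the sample /token_key JSON, the pure-Python RSA key generation and signing (standing in for UAA's signer so the script runs offline) and the minted token are all constructed for this example; a deployed service should verify tokens with a vetted JWT library rather than the toy primitives here.

```python
import base64
import hashlib
import hmac
import json
import random
import time

# Constructed sample of a /token_key response; like the real one, "value" carries literal \n escapes.
SAMPLE_TOKEN_KEY = ('{"alg":"SHA256withRSA","kty":"RSA","use":"sig",'
                    '"value":"-----BEGIN PUBLIC KEY-----\\nAAAA\\nBBBB\\n-----END PUBLIC KEY-----\\n"}')

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def pem_from_token_key(token_key_json: str) -> str:
    """JSON-decode 'value' so its \\n escapes become real line breaks, ready for a YAML block scalar."""
    return json.loads(token_key_json)["value"].strip() + "\n"

# Toy RSA and RS256 in pure Python so the example runs offline: a stand-in for UAA's signer and a JWT library.
def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def generate_rsa_keypair(bits: int = 1024):  # returns (n, e, d); demo-only key generation
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)

def _emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(message).digest()  # SHA-256 DigestInfo, RFC 8017
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(signing_input: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(signing_input, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(signing_input: bytes, signature: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    recovered = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(recovered, _emsa_pkcs1_v15(signing_input, k))

def token_key_response(n: int, e: int) -> str:  # constructed stand-in for GET /token_key (n, e as base64url big-endian)
    return json.dumps({"alg": "SHA256withRSA", "kty": "RSA", "use": "sig",
                       "n": b64url_encode(n.to_bytes((n.bit_length() + 7) // 8, "big")),
                       "e": b64url_encode(e.to_bytes(3, "big"))})

def mint_token(claims: dict, n: int, d: int) -> str:  # UAA's side: sign base64url(header).base64url(claims)
    parts = [b64url_encode(json.dumps(x, separators=(",", ":")).encode())
             for x in ({"alg": "RS256", "typ": "JWT"}, claims)]
    signing_input = ".".join(parts)
    return signing_input + "." + b64url_encode(rs256_sign(signing_input.encode(), n, d))

def verify_uaa_token(token: str, token_key_json: str, required_scope: str, now=None) -> dict:
    """Resource-server side: return the claims only after signature, alg, exp and scope all pass."""
    key = json.loads(token_key_json)
    n = int.from_bytes(b64url_decode(key["n"]), "big")  # a leading 0x00 byte, as in UAA's output, is harmless
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    header_b64, payload_b64, signature_b64 = token.split(".")  # ValueError on a malformed token
    if json.loads(b64url_decode(header_b64)).get("alg") != "RS256":
        raise ValueError("unexpected alg")  # the token must never get to choose 'none' or HS256
    if not rs256_verify(f"{header_b64}.{payload_b64}".encode(), b64url_decode(signature_b64), n, e):
        raise ValueError("bad signature")  # reject before reading any claim
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (int(time.time()) if now is None else now):
        raise ValueError("token expired")
    if required_scope not in claims.get("scope", []):
        raise ValueError(f"missing scope {required_scope}")
    return claims

if __name__ == "__main__":
    n, e, d = generate_rsa_keypair()
    tok = mint_token({"user_id": "<guid>", "exp": int(time.time()) + 600, "scope": ["openid", "cloud_controller.read"]}, n, d)
    print(verify_uaa_token(tok, token_key_response(n, e), "cloud_controller.read"))
```

The order of the checks in `verify_uaa_token` is the point: the `alg` is pinned to what /token_key advertises, the signature is verified with the UAA key before the payload is parsed, and the scope check comes last, so a token whose claims were edited (for instance to add a scope) fails on the signature rather than being half-trusted.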
If required, a trusted self-signed root CA certificate can be added using the TRUSTED_CA_CERTIFICATE env property.
Here is a snippet of manifest.yml:
```yaml
applications:
  - name: elpaaso-sandbox-service
    env:
      TRUSTED_CA_CERTIFICATE: |
        -----BEGIN CERTIFICATE-----
        XXXXXX
        -----END CERTIFICATE-----
```
- The Cloud Foundry user used to create spaces and assign roles requires at least Org Admin privilege.
- The org should exist. Create a new one if required:
```shell
cf create-org sandboxes
```
- A default space should exist,