Compare revisions

Maarten de Waard · Maarten de Waard · Varac · Arie Peterson · Arie Peterson · Varac
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -61,6 +61,7 @@ integration_test:
  only:
    changes:
      - test/integration_tests/test/**/*
+      - test/integration_tests/test/Dockerfile
      - .gitlab-ci.yml

 pylint:

--- a/README.md
+++ b/README.md
-Please refer to the [online documentation](...) for all the details
+Please refer to the [online documentation](https://docs.openappstack.net/projects/single-sign-on/) for all the details
--- a/consent_provider/Dockerfile
+++ b/consent_provider/Dockerfile
-FROM python:3.7-alpine
+FROM python:3.9-alpine

 RUN apk add gcc libc-dev libffi-dev


--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,13 +7,13 @@
 version: '3'
 services:
  hydra:
-    image: oryd/hydra:latest
+    image: oryd/hydra:v1.8
    ports:
      - "4444:4444" # Public port
      - "4445:4445" # Admin port
      - "5555:5555" # Port for hydra token user
    command:
-      serve all --dangerous-force-http --dangerous-allow-insecure-redirect-urls "http://127.0.0.1:13337/callback, http://127.0.0.1:13337/"
+      serve all --dangerous-force-http --dangerous-allow-insecure-redirect-urls "http://localhost:13337/callback, http://localhost:13337/"
    environment:
      - URLS_SELF_ISSUER=http://localhost:4444/
      - URLS_CONSENT=http://localhost:5001/consent
@@ -73,16 +73,18 @@ services:
      - "5432:5432"
  oauth:
    build: ./test/integration_tests
+    network_mode: host
+    depends_on:
+      - hydra
    environment:
      - BASE_URL=http://localhost:4444/
      - KEY=testapp
      - SECRET=secret
      - FLASK_ENV=development
    # with this settings run:
-    ## `bash test/create-hydra-client.bash testapp clientsecret http://localhost:4445 http://127.0.0.1:13337/callback http://127.0.0.1:13337 http:/127.0.0.1:13337/logout
+    ## `bash test/create-hydra-client.bash testapp clientsecret http://localhost:4445 http://localhost:13337/callback http://localhost:13337/ http://localhost:13337/logout
    ## to register a corresponding oauth client with hydra
    ports:
      - "13337:13337"
-    command: flask run --port 13337 --host "0.0.0.0"
+    command: flask run --port 13337
    restart: unless-stopped
-
--- a/helmchart/single-sign-on/Chart.yaml
+++ b/helmchart/single-sign-on/Chart.yaml
 apiVersion: v1
 description: A Helm chart for OpenAppStack's Signle sign-on components
 name: single-sign-on
-version: 0.2.2
+version: 0.2.11
--- a/helmchart/single-sign-on/templates/cronjob-create-oauth-clients.yaml
+++ b/helmchart/single-sign-on/templates/cronjob-create-oauth-clients.yaml
@@ -50,7 +50,7 @@ spec:
              value: "{{- range .grantTypes }}\"{{ . }}\",{{- end }}"
            command: ["/bin/bash", "-c"]
            args:
-            - >
+            - |
              curl http://{{ $.Release.Name }}-hydra-admin:4445/health/ready \
                  --silent \
                  --write-out "\nCheck Hydra health: HTTP %{http_code}" \

--- a/helmchart/single-sign-on/templates/deployment-consent.yaml
+++ b/helmchart/single-sign-on/templates/deployment-consent.yaml
@@ -3,7 +3,7 @@ kind: Deployment
 metadata:
  name: {{ include "single-sign-on.fullname" . }}-consent
  labels:
-{{ include "single-sign-on.labels" . | indent 4 }}
+    {{- include "single-sign-on.labels" . | nindent 4 }}
 spec:
  replicas: 1
  selector:

--- a/helmchart/single-sign-on/templates/deployment-userbackend.yaml
+++ b/helmchart/single-sign-on/templates/deployment-userbackend.yaml
@@ -3,7 +3,10 @@ kind: Deployment
 metadata:
  name: {{ include "single-sign-on.fullname" . }}-userbackend
  labels:
-{{ include "single-sign-on.labels" . | indent 4 }}
+    {{- include "single-sign-on.labels" . | nindent 4 }}
+    {{- if .Values.userbackend.deploymentLabels }}
+    {{- toYaml .Values.userbackend.deploymentLabels | nindent 4 }}
+    {{- end }}
 spec:
  replicas: 1
  selector:
@@ -13,6 +16,9 @@ spec:
    metadata:
      labels:
        app.kubernetes.io/name: {{ include "single-sign-on.name" . }}-userbackend
+        {{- if .Values.userbackend.podLabels }}
+        {{- toYaml .Values.userbackend.podLabels | nindent 8 }}
+        {{- end }}
      annotations:
        {{- toYaml .Values.userbackend.podAnnotations | nindent 8 }}
    spec:

--- a/helmchart/single-sign-on/templates/job-create-oauth-clients.yaml
+++ b/helmchart/single-sign-on/templates/job-create-oauth-clients.yaml
@@ -51,9 +51,8 @@ spec:
          value: "{{- range .grantTypes }}\"{{ . }}\",{{- end }}"
        command: ["/bin/bash", "-c"]
        args:
-        - >
-          curl http://{{ $.Release.Name }}-hydra-admin:4445/clients &&
-          curl --header "Content-Type: application/json" \
+        - |
+          curl http://{{ $.Release.Name }}-hydra-admin:4445/clients && curl --header "Content-Type: application/json" \
               --request POST \
               --data "{\"client_id\": \"$CLIENT_ID\",
                        \"client_name\": \"$CLIENT_NAME\",

--- a/helmchart/single-sign-on/values.yaml
+++ b/helmchart/single-sign-on/values.yaml
@@ -3,31 +3,34 @@ consentProvider:
    # consentProvider.image.tag and consentProvider.image.pullPolicy should be the same as
    # loginProvider.image.tag and loginProvider.image.pullPolicy as the images are released
    # together in order to guarantee compatibility
-    << : &IMAGE_DEFAULTS_SSO { tag: "master", pullPolicy: "Always" }
+    tag: "master"
+    pullPolicy: "Always"
    repository: "open.greenhost.net:4567/openappstack/single-sign-on/consent_provider"
  podAnnotations: {}

 loginProvider:
  image:
-    << : *IMAGE_DEFAULTS_SSO
+    tag: "master"
+    pullPolicy: "Always"
    repository: "open.greenhost.net:4567/openappstack/single-sign-on/login_provider"
  podAnnotations: {}

 # singleSignOnHost is the FQDN that will be used by the ingress to make the consent and
 # the login provider accessible by user agents. For now it is recommended to set it to the
 # same value as hydra.ingress.public.hosts[0].host
-singleSignOnHost: &SSO_HOST sso.oas.example.net
+singleSignOnHost: sso.oas.example.net

 userpanel:
  # userpanel.applicationName is the name of the application. This is a duplicate of
  # userbackend.applications[0].name but helm < 3.0 doesn't supprt direct references to
  # list items in template files so we need to keep it for now
-  applicationName: &USER_PANEL user-panel
+  applicationName: user-panel
  image:
    # userpanel.image.tag and userpanel.image.pullPolicy should be the same as
    # userbackend.image.tag and userpanel.image.pullPolicy as the images are released
    # together in order to guarantee compatibility
-    << : &IMAGE_DEFAULTS_USER_PANEL { tag: "master", pullPolicy: "Always" }
+    tag: "master"
+    pullPolicy: "Always"
    repository: "open.greenhost.net:4567/openappstack/user-panel/frontend"
  ingress:
    # userpanel.ingress.host is the FQDN of the userpanel application
@@ -36,13 +39,14 @@ userpanel:

 userbackend:
  image:
-    << : *IMAGE_DEFAULTS_USER_PANEL
+    tag: "master"
+    pullPolicy: "Always"
    repository: "open.greenhost.net:4567/openappstack/user-panel/backend"
  # userbackend.username is the username of the admin user that will be create
  # after the installation of the user backend.
  username: "admin"
  applications:
-    - name: *USER_PANEL
+    - name: user-panel
      description: Administration interface to manage user accounts
  # username.password is the password of the admin user
  password: "YouReallyNeedToChangeThis"
@@ -61,6 +65,8 @@ userbackend:
    size: 1Gi
    storageClass: "-"
    annotations: {}
+  deploymentLabels: {}
+  podLabels: {}
  podAnnotations: {}

 hydra:
@@ -101,13 +107,13 @@ hydra:
      hosts:
        # hydra.ingress.public.hosts[0].hosts.host is the FQDN of the single sign-on system
        # that will be used by oAuth clients to retrieve userinfo and redirect their users to.
-        - host: *SSO_HOST
+        - host: sso.oas.example.net
          paths: ["/"]
      tls:
        # oAuth2 only works via https. You really need to configure your ingress service to
        # provide access to hydra via https.
        - hosts:
-          - *SSO_HOST
+          - sso.oas.example.net
          secretName: hydra-public.tls
    # hydra.ingress.admin is the ingress resource that controls access to the hydra
    # admin API server. It can be activated using the same options as in
@@ -121,7 +127,7 @@ hydra:
 oAuthClients:
  # oauthClients[].clientName is the name of the oauth client that needs to be the same as
  # the application name in userbackend.applications[].name
- clientName: *USER_PANEL
+- clientName: user-panel
  # oauthClients[].clientSecret is the secret the client uses to authenticate
  clientSecret: "YouReallyNeedToChangeThis"
  # oAuthClients[].redirectUri is the url the user will be redirected to by hydra when the

--- a/login_provider/Dockerfile
+++ b/login_provider/Dockerfile
-FROM python:3.7-alpine
+FROM python:3.9-alpine

-RUN apk add gcc libc-dev libffi-dev
+RUN apk add gcc libc-dev libffi-dev g++

 WORKDIR /usr/src/app


--- a/logout_provider/Dockerfile
+++ b/logout_provider/Dockerfile
-FROM python:3.7-alpine
+FROM python:3.9-alpine

 RUN apk add gcc libc-dev libffi-dev


--- a/test/create-hydra-client.bash
+++ b/test/create-hydra-client.bash
 #!/bin/bash

 if [[ $1 == "" ]] || [[ $1 == "-h" ]] || [[ $1 == "--help" ]]; then
-    echo "usage: $0 OAUTH_CLIENT_ID OAUCH_CLIENT_SECRET HOST_URL REDIRECT_URI";
+    echo "usage: $0 OAUTH_CLIENT_ID OAUTH_CLIENT_SECRET HOST_URL REDIRECT_URI";
    exit 0;
 fi


--- a/test/integration_tests/Dockerfile
+++ b/test/integration_tests/Dockerfile
-FROM python:3.7-alpine
+FROM python:3.9-alpine

 WORKDIR /usr/src/app


--- a/test/integration_tests/README.md
+++ b/test/integration_tests/README.md
@@ -4,15 +4,18 @@ work together according to [OpenID Connect Standards](https://openid.net/develop
 ## Prerequisites

 The single sign-on application needs to be up and running. Instructions on how to accomplish
-that can be found in `../../README.md`.
+that can be found [in the
+documentation](https://docs.openappstack.net/projects/single-sign-on/en/latest/local_development.html).

 ### Create oAuth Client
+
 You also need to create an oAuth2-Client to enable this application to communicate with the
 oAuth server.

 To do that you can run the `create-hydra-client` script in this repository:
+
 ```
-bash ../create-hydra-client.bash testapplication clientsecret http://localhost:4445 http://localhost:13337/callback http://localhost:13337/ http://localhost:13337/logout
+bash ../create-hydra-client.bash testapp clientsecret http://localhost:4445 http://localhost:13337/callback http://localhost:13337/ http://localhost:13337/logout
 ```

 `http://localhost:4445` refers to the hydra-admin service. `http://localhost:13337/callback` is the
@@ -34,11 +37,11 @@ out for is called `--dangerous-allow-insecure-redirect-urls`:
 In the default setup, users can be created by executing the scripts contained in `../../user-panel/backend/utils/`

 ```
-bash ../../user-panel/backend/utils/create-user.bash admin <choose-password-here> admin@example.net
-bash ../../user-panel/backend/utils/create-application.bash testapplication
-bash ../../user-panel/backend/utils/grant-access.bash admin testapplication
-bash ../../user-panel/backend/utils/create-role.bash admin
-bash ../../user-panel/backend/utils/assign-role.bash admin admin
+docker-compose exec backend ./utils/create-user.bash admin <choose-password-here> admin@example.net
+docker-compose exec backend ./utils/create-application.bash testapp "this is a test application"
+docker-compose exec backend ./utils/grant-access.bash admin testapp
+docker-compose exec backend ./utils/create-role.bash admin
+docker-compose exec backend ./utils/assign-role.bash admin admin
 ```
 ## Installation

@@ -50,24 +53,8 @@ python3 -m venv venv
 pip3 install -r requrements.txt
 ```

-## Configuration
-
-Make sure you export the following
-environment variables with values according to your setup. Use the default values provided here
-if you run your setup locally.
-
-```
-export BASE_URL=http://localhost:4444/                         # Hydra public API Base
-export KEY=testapplication                                     # name of your oauth/openID Connect client (application)
-export SECRET=clientsecret                                     # secret of your oauth/openID Connect client (application)
-```
-
-
 ## Run the tests
-Start the application with:
-```
-flask run --port=13337
-```
+
 Navigate to `http://localhost:13337/` to trigger the openID connect authentication flow. During the login
 process your agent's browser will be redirected multiple times. If successful, you will see a
 json reply containing your oAuth token.
@@ -78,6 +65,7 @@ Connect scopes.
 ### Run auto tests

 Run the following commands to run the tests
+
 ```
 export TESTUSER_USERNAME=user
 export TESTUSER_PASSWORD=secret
@@ -86,8 +74,8 @@ export TESTUSER_EMAIL=test@example.net
 export ROLE=admin
 bash ../../user-panel/utils/create-user.bash $TESTUSER_USERNAME $TESTUSER_PASSWORD $TESTUSER_EMAIL
 bash ../../user-panel/utils/create-user.bash $TESTUSER_USERNAME2 RANDOMPW $TESTUSER_EMAIL
-bash ../../user-panel/utils/create-application.bash testapplication
-bash ../../user-panel/utils/grant-access.bash $TESTUSER_USERNAME testapplication
+bash ../../user-panel/utils/create-application.bash testapp
+bash ../../user-panel/utils/grant-access.bash $TESTUSER_USERNAME testapp
 bash ../../user-panel/utils/create-role.bash $ROLE
 bash ../../user-panel/utils/assign-role.bash $TESTUSER_USERNAME $ROLE
 python3 -m behave \
@@ -99,4 +87,5 @@ python3 -m behave \
 -D email=${TESTUSER_EMAIL} \
 -D role=${ROLE}
 ```
-Note: You need to have chromedriver isntalled to run the tests
+
+Note: You need to have chromedriver installed to run the tests
--- a/test/lint/pylint/Dockerfile
+++ b/test/lint/pylint/Dockerfile
-FROM python:3.7-alpine
+FROM python:3.9-alpine

 RUN apk add build-base git bc


--- a/user-panel @ 9a160559
+++ b/user-panel @ 9a160559
-Subproject commit 1d91df409b144ac2a0a707b90209c3042028e42e
+Subproject commit 9a16055973a2b36acf361e853eb55b4cfbd0c6f4
No results found