Merge pull request #10 from jr200/feature/mock-oidc

feature/mock_OIDC

.dockerignore

@@ -1,12 +1,19 @@
 # .dockerignore
 
 .git
+.gitignore
+.github
 .history
 .vscode
 *.bak
 *.swp
 .DS_Store
+README.md
 
-private
+build/
+charts/
+docker/Dockerfile*
+docs/
+private/
 service/service
 test-client/test-client

Makefile

@@ -1,3 +1,5 @@
+OIDC_SERVER_VERSION?=v0.8.4
+
 # get target architecture
 LOCAL_ARCH := $(shell uname -m)
 ifeq ($(LOCAL_ARCH),x86_64)
@@ -19,8 +21,10 @@ export GOARCH ?= $(TARGET_ARCH_LOCAL)
 # get docker tag
 ifeq ($(GOARCH),amd64)
 	LATEST_TAG?=latest
+	OIDC_SERVER_ARCH?=''
 else
 	LATEST_TAG?=latest-$(GOARCH)
+	OIDC_SERVER_ARCH?='-arm64'
 endif
 
 # get target os
@@ -91,7 +95,9 @@ docker-build:
 	podman build \
 	    --layers \
 		-f docker/Dockerfile.example \
-		--build-arg BUILD_OS=linux --build-arg BUILD_ARCH=$(GOARCH) \
+		--build-arg BUILD_OS=linux \
+		--build-arg BUILD_ARCH=$(GOARCH) \
+		--build-arg OIDC_SERVER_VERSION=$(OIDC_SERVER_VERSION) \
 		-t nats-iam-broker:debug \
 		.
 
@@ -143,6 +149,13 @@ chart-dry-run:
 example-shell: docker-build
 	docker run --rm -it --entrypoint bash nats-iam-broker:debug
 
+################################################################################
+# Target: example-mock                                                        #
+################################################################################
+.PHONY: example-mock
+example-mock: docker-build
+	docker run --network=host --rm --entrypoint examples/mock/run.sh nats-iam-broker:debug -log-human -log=info
+
 ################################################################################
 # Target: example-basic                                                        #
 ################################################################################

cmd/nats-iam-broker/main.go

@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"os"
 
-	server "github.com/jr200/nats-iam-broker/internal/server"
+	server "github.com/jr200/nats-iam-broker/internal/broker"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 )

configs/idp_mock.yaml

@@ -0,0 +1,16 @@
+idp:
+  - description: mockoidc-local
+    client_id: mockclientid
+    issuer_url: http://127.0.0.1:5557/oidc
+
+    validation:
+      claims:
+        - aud
+        - iat
+        - exp
+        - sub
+      aud:
+        - mockclientid
+      exp:
+        min: 1m0s
+        max: 2h

docker/Dockerfile

@@ -12,6 +12,10 @@ RUN go install github.com/nats-io/nsc/[email protected]
 
 WORKDIR /usr/src/app
 
+# pre-download all dependencies once for faster builds
+COPY go.sum go.mod ./
+RUN go mod download
+
 COPY . .
 
 RUN make build && \

docker/Dockerfile.example

@@ -1,27 +1,42 @@
+ARG OIDC_SERVER_ARCH
+ARG OIDC_SERVER_VERSION
 ARG GOVERSION=1.22
+
 FROM golang:${GOVERSION}-alpine AS builder
 
 ARG BUILD_ARCH
 ARG BUILD_OS
 
 RUN apk update && apk add --no-cache git bash curl jq make
 
-RUN go install github.com/nats-io/nats-server/[email protected]
-RUN go install github.com/nats-io/natscli/[email protected]
-RUN go install github.com/nats-io/nsc/[email protected]
+# https://github.com/nats-io/nats-server/releases
+RUN go install github.com/nats-io/nats-server/[email protected]
+
+# https://github.com/nats-io/natscli/releases
+RUN go install github.com/nats-io/natscli/[email protected]
+
+# https://github.com/nats-io/nsc/releases
+RUN go install github.com/nats-io/nsc/[email protected]
 
 WORKDIR /usr/src/app
 
+# pre-download all dependencies once for faster builds
+COPY go.sum go.mod ./
+RUN go mod download
+
 COPY . .
 
 RUN make build && \
     ln -s /usr/src/app/build/nats-iam-broker-${BUILD_OS}-${BUILD_ARCH} /usr/local/bin/nats-iam-broker && \
     ln -s /usr/src/app/build/test-client-${BUILD_OS}-${BUILD_ARCH} /usr/local/bin/test-client
 
+
+FROM ghcr.io/vdbulcke/oidc-server:${OIDC_SERVER_VERSION}${OIDC_SERVER_ARCH} as oidc_server
+
+
 # minimal container
 FROM alpine:3
 
-
 LABEL org.opencontainers.image.source="https://github.com/jr200/nats-iam-broker"
 LABEL org.opencontainers.image.description="nats-iam-broker runtime stage"
 
@@ -33,6 +48,9 @@ WORKDIR /usr/src/app
 COPY --from=builder /usr/local/bin/nats-iam-broker /usr/local/bin/nats-iam-broker
 COPY --from=builder /usr/local/bin/test-client /usr/local/bin/test-client
 
+COPY --from=oidc_server /app/oidc-server /usr/local/bin/oidc-server
+COPY ./docker/oidc-server/config.yaml /usr/src/app/oidc-server/config.yaml
+
 # for example programs
 COPY --from=builder /go/bin/nsc /bin/nsc
 COPY --from=builder /go/bin/nats /bin/nats

docker/oidc-server/config.yaml

@@ -0,0 +1,196 @@
+---
+# https://github.com/vdbulcke/oidc-server-demo
+
+## Client Credentials: (Mandatory)
+### NOTE: those client_id/client_secret can be passed
+###       as environment variables with: 
+###
+###    export OIDC_CLIENT_ID=my_client_id
+###    export OIDC_CLIENT_SECRET=my_client_id
+###
+client_id: mockclientid
+client_secret: mockclientsecret
+
+## Issuer Base Url (Optional)
+### Set the base url for the OIDC server
+### Issuer is generated using
+###    issuer_base_url + '/oidc'
+###
+### Default: http://127.0.0.1:5557
+# issuer_base_url: http://oidc.example.com:8080
+
+
+## Supported Scropes (optional)
+### List of supported scropes by the OIDC server
+### Default to same default as https://github.com/oauth2-proxy/mockoidc
+supported_scopes: 
+- openid
+- profile
+- email
+- roles
+- api
+- read
+
+### Supported challenge method (Optional)
+###
+### Default: 
+###  - S256
+###  - plain
+###
+pkce_challenge_methods:
+- plain
+- S256
+
+## Issue New RefreshToken on RefreshToken Grant (optional)
+### since v0.7.0
+### Default: false
+# issue_new_refresh_token_on_refresh_token: true
+
+## AccessToken TTL (optional)
+### since v0.7.0
+### Default: 10m
+# access_token_ttl_duration: 20m
+
+## RefreshToken TTL (optional)
+### since v0.7.0
+### Default: 1h
+# refresh_token_ttl_duration: 30m
+
+##
+## Vault Crypto Backend
+##
+### Since: v0.6.0
+### Use vault Transit secret engine 
+### for JWT signing and verifying
+# vault_crypto_backend: 
+#   ## The vault API address
+#   ## NOTE: can be specified with 'VAULT_ADDR' env var
+#   address: http://127.0.0.1:8200 
+#   ## The vault authentication token 
+#   ## WARNING must have the permission to 'read', 'sign', 'verify'
+#   ##         the transit key
+#   ## NOTE:can be specified with 'VAULT_TOKEN' env var
+#   token: "root-token"
+
+#   ## JWT signing alg 
+#   ### Warning: this must be a supported 
+#   ###          algorithm by your transit key
+#   ### Valid values: 
+#   ###  - RS256 RS384 RS512 ES256 ES384 ES512
+#   jwt_signing_alg: RS256
+
+#   ## Vault Transit Key name
+#   transit_key: rsa
+
+
+#   ## Vault Transit Mount 
+#   ### Default: transit/
+#   # transit_mount: alternative/path
+
+#   ## Backend key sync period duration
+#   ##   period at which the backend read the 
+#   ##   transit key info to detect if there has been 
+#   ##   key rotation
+#   ### WARNING: valid duration are 's', 'm', 'h'
+#   ### Default: 5m
+#   # sync_duration: 1h
+
+
+
+
+## Instropect Response Template  (optional)
+### since v0.8.0
+### format: map[string]interface{}
+### Use go template https://pkg.go.dev/text/template
+### syntax to template string properties on introspect
+### response based on claims from Access or Refresh token
+### WARNING: go template only works with string value
+introspect_response_template:
+  ## template standard claims
+  ## https://www.rfc-editor.org/rfc/rfc7662.html#section-2.2
+  client_id: "{{index .aud 0}}"
+  user_id: "{{ .sub }}"
+  username: "{{ .sub }}"
+
+  ## works as well with static properties 
+  foo: 
+  - bar
+  - baz
+
+
+
+## Default Mock User (Mandatory)
+## 
+mock_user:
+  ## Sub  (Mandatory)
+  ###  the user's subject
+  sub: [email protected]
+
+  ## ID Token Claims (mandatory)
+  ### Arbitrary key/values claims to 
+  ### add in the id_token
+  ### 
+  ### Empty set to '{}'
+  id_token_claims: 
+    ## example adding amr values
+    amr:
+      - eid
+      - urn:be:fedict:iam:fas:Level500
+
+    ## dummy claims
+    foo: 
+      - hello: world
+      - bar: baz
+
+    hello: world
+
+  ## Access Token Claims (Optional)
+  ### Arbitrary key/values claims to 
+  ### add in the access_token
+  ### 
+  access_token_claims: 
+    amr:
+      - eid
+      - urn:be:fedict:iam:fas:Level500
+
+    foo: 
+      - hello: world
+      - bar: baz
+
+    ## scope: space-separated list of scopes
+    ## https://www.rfc-editor.org/rfc/rfc7662#section-2.2
+    scope: "openid profile email roles api read"
+
+  ## Refresh Token Claims (Optional)
+  ### Arbitrary key/values claims to 
+  ### add in the refresh_token
+  ### since v0.7.0
+  # refresh_token_claims: 
+  #   foo: 
+  #     - hello: world
+  #     - bar: baz
+
+  ## Userinfo Claims (optional)
+  ### Arbitrary key/values claims to 
+  ### add in the userinfo response
+  ### 
+  ### Empty set to '{}'
+  userinfo_claims: 
+
+    ## Mandatory claim
+    sub: [email protected]
+
+    ## example 
+    fedid: "73691e9e7beee3becdf78fc9394d28fe548fe249"
+    surname: Bob
+
+    foo: 
+      - hello: world
+      - bar: baz
+
+
+##
+## Additional Mock Users
+##  since version v0.3.0
+### Users loaded in the UserQueue
+# mock_user_folder: ./example/users

examples/basic/basic_simulate_login.sh

@@ -1,19 +1,19 @@
 #!/bin/bash
 
 SCRIPT_DIR=$(dirname -- "$(readlink -f -- "$BASH_SOURCE")")
-source ${SCRIPT_DIR}/../../scripts/idp-mock-toolkit.sh
+source ${SCRIPT_DIR}/../../scripts/idp-oidctest-toolkit.sh
 
 NATS_URL="nats://localhost:4222"
 SECRET_STORE="/usr/src/app/secrets/basic"
 
-JWT_DWHO=`idp_mock_login_public dwho dwho`
+JWT_DWHO=`idp_oidctest_login_public dwho dwho`
 test-client \
     -url=${NATS_URL} \
     -creds=${SECRET_STORE}/MINT/user-nobody.creds \
     -jwt $JWT_DWHO \
     -run-test "pubsub basic.public.ZHdobw== hello-from-dwho"
 
-JWT_RTYLER=`idp_mock_login_public rtyler rtyler`
+JWT_RTYLER=`idp_oidctest_login_public rtyler rtyler`
 test-client \
     -url=${NATS_URL} \
     -creds=${SECRET_STORE}/MINT/user-nobody.creds \

examples/mock/mock_initial_setup.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+SCRIPT_DIR=$(dirname -- "$(readlink -f -- "$BASH_SOURCE")")
+source ${SCRIPT_DIR}/../../scripts/nsc-toolkit.sh
+
+SECRET_STORE="/usr/src/app/secrets"
+
+# setup mock accounts
+create_minting_account mock MINT
+create_plain_account mock APP1
+account_enable_jetstream mock APP1
+
+create_user mock APP1 debug
+
+# Push the app accounts up to the server.
+nsc push -A