Merge pull request #1 from epam/initial-commit

Initial commit
epam · Oct 6, 2023 · 3e71b59 · 3e71b59
2 parents 56a65e1 + 53fa672
commit 3e71b59
Show file tree

Hide file tree

Showing 39 changed files with 2,247 additions and 4 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,13 @@
+.gradle
+!gradle/wrapper/gradle-wrapper.jar
+
+/build/
+/logs/
+/out/
+*.log
+
+### IntelliJ IDEA ###
+.idea
+*.iws
+*.iml
+*.ipr
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -0,0 +1,257 @@
+include:
+  - template: Jobs/Container-Scanning.gitlab-ci.yml
+  - project: Gitlab/ci
+    ref: 0.2.22
+    file: helm/helm-environment.gitlab-ci.yml
+
+variables:
+  DOCKER_PATH: "ai/dial/dial-authproxy"
+  DOCKER_REGISTRY_SERVER: "registry-dev.deltixhub.com"
+  HELM_REPO: https://nexus.deltixhub.com/repository/epm-rtc-helm
+  SECRET_NAME: "epm-rtc-registry-dev"
+  CHART: "dial-application" # Helm chart name, e.g. "gitlab-runner"
+  VERSION: "0.1.2" # Helm chart version
+  NAMESPACE: ${CI_PROJECT_NAME}
+  HELM_EXTRA_ARGS: "-f ${HELM_SECRET_FILE}"
+  RELEASE: ${CI_PROJECT_NAME}
+  DOCKERFILE_PATH: "./src/main/docker"
+
+  development_ENV_ID: "staging"
+  development_HELM_VALUES_FILE: "helm/development.yaml"
+  development_ENV_URL: "https://dial-authproxy.staging.deltixhub.io"
+  development_AWS_ACCESS_KEY_ID: ${staging_AWS_ACCESS_KEY_ID}
+  development_AWS_SECRET_ACCESS_KEY: ${staging_AWS_SECRET_ACCESS_KEY}
+
+  staging_DEPLOY_ENV: "false"
+
+  review_DEPLOY_ENV: "true"
+  review_ENV_ID: "staging"
+  review_HELM_VALUES_FILE: "helm/review.yaml"
+  review_ENV_URL: "https://${CI_PROJECT_NAME}-mr-${CI_MERGE_REQUEST_IID}.staging.deltixhub.io"
+  review_HELM_CUSTOM_VALUES: "ingress.hosts[0]=${CI_PROJECT_NAME}-mr-${CI_MERGE_REQUEST_IID}.staging.deltixhub.io,fullnameOverride=mr-${CI_MERGE_REQUEST_IID},image.tag=mr-${CI_MERGE_REQUEST_IID},env.SERVER_HOSTURL=mr-${CI_MERGE_REQUEST_IID}.${NAMESPACE}"
+  review_RELEASE: ${CI_PROJECT_NAME}-mr-${CI_MERGE_REQUEST_IID}
+  review_SECRET_NAME: "epm-rtc-registry-test"
+  review_DOCKER_REGISTRY_SERVER: "registry-test.deltixhub.com"
+
+  JAVA_IMAGE: registry-dev.deltixhub.com/gitlabci.docker/openjdk11-gradle:7.4.2
+  PROJECT_NAME: "dial-auth-proxy"
+
+stages:
+  - tag
+  - build
+  - publish # publush docker images
+  - deploy
+  - promote # copy docker image to public repo
+  - production # Stage name used in include. Not used. ToDo - delete this
+
+deploy_development:
+  image: "registry.deltixhub.com/deltix.docker/devops/kubernetes-tools:0.17.1"
+  stage: deploy
+  rules:
+    - if: $CI_COMMIT_BRANCH == "development"
+
+destroy_development:
+  image: "registry.deltixhub.com/deltix.docker/devops/kubernetes-tools:0.17.1"
+  stage: deploy
+  rules:
+    - if: $CI_COMMIT_BRANCH == "development"
+      when: manual
+      allow_failure: true
+
+deploy_staging:
+  stage: deploy
+
+destroy_staging:
+  stage: deploy
+
+deploy_review:
+  image: "registry.deltixhub.com/deltix.docker/devops/kubernetes-tools:0.17.1"
+  stage: deploy
+  rules:
+    - if: '$CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "development" && $review_DEPLOY_ENV == "true"'
+
+destroy_review:
+  image: "registry.deltixhub.com/deltix.docker/devops/kubernetes-tools:0.17.1"
+  stage: deploy
+  rules:
+    - if: '$CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "development" && $review_DEPLOY_ENV == "true"'
+      when: manual
+      allow_failure: true
+
+"Build Java":
+  stage: build
+  image: ${JAVA_IMAGE}
+  script:
+    - ./gradlew build --parallel
+  artifacts:
+    expire_in: 1 day
+    paths:
+      - build/distributions/aidial-auth-helper-*.tar
+  cache:
+    key: ${PROJECT_NAME}"-gradle-java"
+    paths:
+      - /root/.gradle/caches
+    policy: pull-push
+  rules:
+    - if: $CI_COMMIT_TAG
+    - if: $CI_COMMIT_BRANCH  == "development"
+    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "development"'
+  tags:
+    - AWS
+    - DockerExecutor
+
+publish:
+  image: dockerhub.deltixhub.com/docker:23.0.6
+  stage: publish
+  variables:
+    DOCKER_HOST: tcp://docker:2375
+    DOCKER_TLS_CERTDIR: ""
+  cache: {}
+  services:
+    - docker:23.0.6-dind
+  before_script:
+    - mkdir -p $HOME/.docker
+    # Use DOCKER_AUTH_CONFIG for login to deltix repo
+    - echo $DOCKER_AUTH_CONFIG > $HOME/.docker/config.json
+  script:
+    - imageUrl=$REPOSITORY/${DOCKER_PATH}
+    - docker build -t $imageUrl:${DOCKER_TAG} -t $imageUrl:${DOCKER_ADDITIONAL_TAG} .
+    - docker push $imageUrl:${DOCKER_TAG}
+    - docker push $imageUrl:${DOCKER_ADDITIONAL_TAG}
+  rules:
+    - if: $CI_COMMIT_TAG
+      variables:
+        DOCKER_TAG: ${CI_COMMIT_TAG}
+        DOCKER_ADDITIONAL_TAG: latest
+        REPOSITORY: ${ARTIFACTORY_DOCKER_DEV_REPOSITORY}
+    - if: $CI_COMMIT_BRANCH  == "development"
+      variables:
+        DOCKER_TAG: ${CI_COMMIT_REF_SLUG}
+        DOCKER_ADDITIONAL_TAG: alpha
+        REPOSITORY: ${ARTIFACTORY_DOCKER_DEV_REPOSITORY}
+    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "development"'
+      variables:
+        DOCKER_TAG: gitlab-mr${CI_MERGE_REQUEST_ID}
+        DOCKER_ADDITIONAL_TAG: mr-${CI_MERGE_REQUEST_IID}
+        REPOSITORY: ${ARTIFACTORY_DOCKER_TEST_REPOSITORY}
+  tags:
+    - AWS
+    - DockerExecutor
+
+"Tag branch":
+  image: alpine/git:v2.32.0
+  stage: tag
+  script:
+    - ver=$(echo -n $CI_COMMIT_REF_NAME | cut -f 2 -d '-') || ver=0.0
+    - minor_tag=$(git describe --abbrev=0 --tags | cut -f 3 -d '.') || minor_tag=0
+    - release_tag=${ver}.$(( minor_tag+1 ))
+    - git remote set-url origin https://$GITLAB_ROBOT_NAME:$GITLAB_ROBOT_PUSH_TOKEN@$CI_SERVER_HOST/$CI_PROJECT_PATH.git
+    - git config user.name $GITLAB_ROBOT_NAME
+    - git config user.email ${GITLAB_ROBOT_EMAIL}
+    - git diff --quiet && git diff --staged --quiet || git commit -am "RobotBuild ${release_tag}"
+    - git tag ${release_tag}
+    - git push origin HEAD:${CI_COMMIT_REF_NAME} --tags
+  dependencies: []
+  rules:
+    - if: "$CI_COMMIT_REF_SLUG =~ /^release-/ && $CI_COMMIT_MESSAGE !~ /^RobotBuild/"
+  tags:
+    - kubernetes
+
+container_scanning:
+  stage: promote
+  variables:
+    GIT_STRATEGY: none
+    CS_IMAGE: ${ARTIFACTORY_DOCKER_DEV_REPOSITORY}/${DOCKER_PATH}:$CI_COMMIT_TAG
+    CS_REGISTRY_USER: ${ARTIFACTORY_USER}
+    CS_REGISTRY_PASSWORD: ${ARTIFACTORY_PASS}
+  dependencies: []
+  rules:
+    - if: $CI_COMMIT_TAG
+  tags:
+    - AWS
+    - DockerExecutor
+
+### Copy frontend and backend docker images to public repository. Run on git tag manually
+promote:
+  image: dockerhub.deltixhub.com/curlimages/curl:7.88.1
+  stage: promote
+  variables:
+    GIT_STRATEGY: none
+  script:
+    - 'curl --retry 6 --retry-all-errors --no-progress-meter --fail -X POST "${ARTIFACTORY_URL}/api/docker/epm-rtc-docker/v2/promote" -H "Content-Type: application/json" -u${ARTIFACTORY_USER}:${ARTIFACTORY_PASS} -d ''{ "targetRepo": "epm-rtc-public-docker", "dockerRepository": "''"${DOCKER_PATH}"''", "tag" : "''"$CI_COMMIT_TAG"''", "copy": true }'''
+    - >
+      if [ ! -z "$DOCKER_ADDITIONAL_TAG" ]; then
+      curl --retry 6 --retry-all-errors --no-progress-meter --fail -X POST "${ARTIFACTORY_URL}/api/docker/epm-rtc-docker/v2/promote" -H "Content-Type: application/json" -u${ARTIFACTORY_USER}:${ARTIFACTORY_PASS} -d '{ "targetRepo": "epm-rtc-public-docker", "dockerRepository": '\"${DOCKER_PATH}\"', "tag" : '\"$DOCKER_ADDITIONAL_TAG\"', "copy": true }';
+      fi
+  dependencies: []
+  rules:
+    - if: $CI_COMMIT_TAG
+      when: manual
+      variables:
+        DOCKER_ADDITIONAL_TAG: latest
+  tags:
+    - AWS
+    - DockerExecutor
+
+"Dependency Check: Java":
+  stage: promote
+  image: ${JAVA_IMAGE}
+  script:
+#    - ./gradlew -PfailOnHighCVSS=true dependencyCheckAggregate
+    - ./gradlew dependencyCheckAggregate
+  artifacts:
+    paths:
+      - build/reports/dependency-check-report.html
+  cache:
+    key: ${PROJECT_NAME}"-gradle-java"
+    paths:
+      - /root/.gradle/caches
+    policy: pull-push
+  dependencies: []
+  rules:
+    - if: $CI_COMMIT_TAG
+  tags:
+    - AWS
+    - DockerExecutor
+
+"Static Check: Java":
+  stage: promote
+  image: ${JAVA_IMAGE}
+  script:
+#    - ./gradlew -PfailOnSpotBugs check -x test
+    - ./gradlew check -x test --parallel
+    - ./gradlew collectSpotbugs
+  artifacts:
+    paths:
+      - build/reports/spotbugs
+  cache:
+    key: ${PROJECT_NAME}"-gradle-java"
+    paths:
+      - /root/.gradle/caches
+    policy: pull-push
+  dependencies: []
+  rules:
+    - if: $CI_COMMIT_TAG
+  tags:
+    - AWS
+    - DockerExecutor
+
+"License Check: Java":
+  stage: promote
+  image: ${JAVA_IMAGE}
+  script:
+    - ./gradlew downloadLicenses
+  artifacts:
+    paths:
+      - build/reports/license/license-dependency.html
+  cache:
+    key: ${PROJECT_NAME}"-gradle-java"
+    paths:
+      - /root/.gradle/caches
+    policy: pull-push
+  dependencies: []
+  rules:
+    - if: $CI_COMMIT_TAG
+  tags:
+    - AWS
+    - DockerExecutor
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,15 @@
+FROM amazoncorretto:11-alpine3.17
+
+ADD ./build/distributions/aidial-auth-helper-*.tar /opt/epam/aidial/
+RUN mv /opt/epam/aidial/aidial-auth-helper-*/* /opt/epam/aidial/
+RUN rmdir /opt/epam/aidial/aidial-auth-helper-*
+
+RUN addgroup -S aidial --gid 1801 \
+    && adduser -D -H -S aidial -G aidial -u 1801 \
+    && chown aidial:aidial -R /opt/epam/aidial
+
+USER aidial
+
+WORKDIR /opt/epam/aidial
+
+ENTRYPOINT ["/opt/epam/aidial/bin/aidial-auth-helper"]
diff --git a/LICENSE b/LICENSE
@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright [yyyy] [name of copyright owner]
+   Copyright 2023 EPAM Systems
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
@@ -198,4 +198,4 @@
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
-   limitations under the License.
+   limitations under the License.
diff --git a/README.md b/README.md
@@ -1,2 +1,81 @@
-# ai-dial-auth-helper
-Authentication helper for AI DIAL
+# Overview
+
+AuthProxy is a proxy service that implements OpenID-compatible Web API endpoints to avoid direct interaction with the AuthProviders' APIs, such as the KeyCloak API.
+
+One of the primary benefits of using AuthProxy is the enrichment of user info with additional fields such as **jobTitile** and **picture**.
+AuthProxy implements its own **user_info** route that makes a call to the target Idp configured in KeyCloak.
+
+Notes. KeyCloak should be configured to inject into the access token the additional claims:
+- **idp**. Identity provider code name. Supported values are **microsoft**.
+- **idpAlias**. The alias to Idp configured in KeyCloak realm.
+
+Currently, AuthProxy provides two public routes:
+
+**GET: http://hostname/.well-known/openid-configuration**
+- Returns the original response from AuthProvider, but replaces **userinfo_endpoint** url with its own **user_info** route.
+- The response is cached after the first request for the AuthProvider's **openid-configuration** and remains cached since the startup of the AuthProxy application.
+
+**GET: http://hostname/api/v1/user/user-info**
+- Authorization header is required in the request
+- Returns user info with additional fields like job title and picture provided by IdP in KeyCloak
+- If the claims either idp or idpAlias is not provided the user info is constructed from the claims of the access token
+- If the token has expired or failed verification, a 400 error is returned.
+
+**Please note that AuthProxy has been tested with Microsoft Graph API only.**
+
+# Developer env
+
+- Open JDK 11+
+- Gradle 7+
+
+# Build
+
+```
+ ./gradlew clean build check
+```
+
+# Test
+
+```
+ ./gradlew test
+```
+
+# Run
+
+```
+  ./gradlew run
+```
+
+# Configure
+##### application.yaml
+
+
+```yaml
+server:
+  hostUrl: "http://127.0.0.1" // Used for WellKnown userinfo_endpoint substitution, it must be complete domain url with port. 
+  port: 4088 // Spring port used to start up the application
+
+oauth2:
+  providerUri: "http://localhost:8080/realms/your_realm" // Used for getting well-known and token verification URLs
+  clientId: "your_client_id" // keyCloak client id
+  clientSecret: "your_client_secret" // KeyCloak client secret
+  jwksUriPath: "jwks_uri" // Path of custom jwks_uri node in openid-configuration, Optional.
+
+scheduled:
+  poolSize: 2
+```
+
+## License
+Copyright (C) 2023 EPAM Systems
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.