feat(ory-hydra): first config round

Signed-off-by: Roy Scheeren <[email protected]>
ASCS-eV · Feb 19, 2024 · bf4cf9a · bf4cf9a
1 parent 497e840
commit bf4cf9a
Show file tree

Hide file tree

Showing 5 changed files with 171 additions and 28 deletions.
diff --git a/apps/ory-hydra/config/development.yml b/apps/ory-hydra/config/development.yml
@@ -0,0 +1,24 @@
+serve:
+  cookies:
+    same_site_mode: Lax
+
+urls:
+  self:
+    issuer: http://localhost:4444
+  consent: http://localhost:5002/api/consent
+  login: http://localhost:5002/login
+  logout: http://localhost:5002/logout
+
+secrets:
+  system:
+    - e5Mcyq@EU@iT=1hH
+
+oidc:
+  subject_identifiers:
+    supported_types:
+      - pairwise
+      - public
+    pairwise:
+      salt: e5Mcyq@EU@iT=1hH
+log:
+  level: debug
diff --git a/apps/ory-hydra/containers/docker-compose.yaml b/apps/ory-hydra/containers/docker-compose.yaml
@@ -1,41 +1,30 @@
-version: '3'
+version: "3.7"
 
 services:
   hydra-migrate:
     image: oryd/hydra:v2.2.0
+    environment:
+      - DSN=postgres://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${DB_NAME}?sslmode=disable&max_conns=20&max_idle_conns=4
+    command: migrate sql -e --yes
     restart: on-failure
     networks:
       - ory-hydra-network
-    command: migrate sql -e --yes
-    environment:
-      - DSN=postgres://hydra:secret@postgresd:5432/hydra?sslmode=disable&max_conns=20&max_idle_conns=4
 
   hydra:
     image: oryd/hydra:v2.2.0
-    networks:
-      - ory-hydra-network
     ports:
-      - 5004:4444 # Public port
-      - 5001:4445 # Admin port
-    command: serve all --dev
+      - 4444:4444 # Public port
+      - 4445:4445 # Admin port
     environment:
-      - URLS_SELF_ISSUER=http://localhost:5004/
-      - URLS_CONSENT=http://localhost:5002/api/consent
-      - URLS_LOGIN=http://localhost:5002/login
-      - DSN=postgres://hydra:secret@postgresd:5432/hydra?sslmode=disable&max_conns=20&max_idle_conns=4
-      - SECRETS_SYSTEM=youReallyNeedToChangeThis
-      - OIDC_SUBJECT_IDENTIFIERS_SUPPORTED_TYPES=public,pairwise
-      - OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT=youReallyNeedToChangeThis
-      - SERVE_PUBLIC_CORS_ENABLED=true
-      - SERVE_PUBLIC_CORS_ALLOWED_METHODS=POST,GET,PUT,DELETE
-      - SERVE_ADMIN_CORS_ENABLED=true
-      - SERVE_ADMIN_CORS_ALLOWED_METHODS=POST,GET,PUT,DELETE
-      - LOG_LEVEL=debug
-      - LOG_LEAK_SENSITIVE_VALUES=true
-      - OAUTH2_EXPOSE_INTERNAL_ERRORS=1
-      - WEBFINGER_OIDC_DISCOVERY_USERINFO_URL=http://hydra:4444/userinfo
-      - OIDC_DYNAMIC_CLIENT_REGISTRATION_ENABLED=true
+      - DSN=postgres://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${DB_NAME}?sslmode=disable&max_conns=20&max_idle_conns=4
+    command: serve -c /etc/config/hydra/${ENV}.yml all --dev
+    volumes:
+      - type: bind
+        source: ../config
+        target: /etc/config/hydra
     restart: on-failure
+    networks:
+      - ory-hydra-network
 
   redis:
     image: redis:7.2.2
@@ -44,6 +33,20 @@ services:
     ports:
       - 6379:6379
     restart: unless-stopped
+    profiles: ["development"]
+
+  postgresd:
+    image: postgres:16
+    networks:
+      - ory-hydra-network
+    ports:
+      - 5433:5432
+    environment:
+      - POSTGRES_USER=${DB_USER}
+      - POSTGRES_PASSWORD=${DB_PASSWORD}
+      - POSTGRES_DB=${DB_NAME}
+    restart: on-failure
+    profiles: ["development"]
 
 networks:
   ory-hydra-network:

diff --git a/apps/ory-hydra/containers/testClient.sh b/apps/ory-hydra/containers/testClient.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+client=$(docker run --rm \
+    --network ory-hydra-net \
+    oryd/hydra:v2.2.0 \
+    create client --skip-tls-verify \
+    --name testclient \
+    --secret some-secret \
+    --grant-type authorization_code \
+    --response-type token,code,id_token \
+    --scope openid \
+    --redirect-uri http://localhost:9010/callback \
+    -e http://hydra:4445 \
+    --format json )
+
+echo $client
+
+client_id=$(echo $client | jq -r '.client_id')
+
+docker run --rm \
+    --network ory-hydra-net \
+    -p 9010:9010 \
+    oryd/hydra:v2.2.0 \
+    perform authorization-code --skip-tls-verify \
+    --port 9010 \
+    --client-id $client_id \
+    --client-secret some-secret \
+    --redirect http://localhost:9010/callback \
+    --scope openid \
+    --auth-url http://localhost:4445/oauth2/auth \
+    --token-url http://hydra:4444/oauth2/token \
+    -e http://hydra:4444
diff --git a/apps/ory-hydra/project.json b/apps/ory-hydra/project.json
@@ -66,10 +66,18 @@
         "parallel": false
       }
     },
-    "run:local": {
+    "run:local:container": {
       "executor": "nx:run-commands",
       "options": {
-        "command": "./apps/ory-hydra/src/local.sh"
+        "cwd": "apps/ory-hydra/containers",
+        "commands": ["ENV=development docker compose --profile development --env-file ../.env.development up --build"],
+        "parallel": false
+      }
+    },
+    "run:local:testClient": {
+      "executor": "nx:run-commands",
+      "options": {
+        "command": "./apps/ory-hydra/containers/testClient.sh"
       }
     }
   },

diff --git a/apps/ory-hydra/stacks/OryHydra.ts b/apps/ory-hydra/stacks/OryHydra.ts
@@ -1,4 +1,4 @@
-import { aws_ec2, aws_elasticache, aws_rds } from 'aws-cdk-lib'
+import { aws_ec2, aws_ecs, aws_elasticache, aws_rds, aws_secretsmanager } from 'aws-cdk-lib'
 import * as cdk from 'aws-cdk-lib/core'
 import { StackContext } from 'sst/constructs'
 
@@ -12,6 +12,14 @@ export function OryHydra({ stack }: StackContext) {
 
   const sg = aws_ec2.SecurityGroup.fromLookupById(stack, 'HydraSG', 'sg-0e32398ab57f2a85d')
 
+  /*
+  * Create RDS Secret
+  */
+  const rdsSecret = new aws_rds.DatabaseSecret(this, 'HydraRDSSecret', {
+    username: 'postgres',
+    excludeCharacters: "%+~`#$&*()|[]{}:;<>?!'/@\"\\^,=.",
+  })
+
   /*
    * Create RDS Cluster
    */
@@ -26,6 +34,11 @@ export function OryHydra({ stack }: StackContext) {
       instanceType: 'serverless' as any,
     },
     defaultDatabaseName: 'hydra',
+    removalPolicy: cdk.RemovalPolicy.DESTROY,
+    backup: {
+      retention: cdk.Duration.days(7),
+    },
+    credentials: aws_rds.Credentials.fromSecret(rdsSecret),
   })
 
   ;(rdsCluster.node.findChild('Resource') as aws_rds.CfnDBCluster).serverlessV2ScalingConfiguration = {
@@ -78,4 +91,68 @@ export function OryHydra({ stack }: StackContext) {
   new cdk.CfnOutput(this, `HydraRedisCachePort${stack.stage}`, {
     value: redis.attrReaderEndpointPort,
   })
+
+  /*
+  * Create Hydra secret
+  */
+  const hydraSecret = new aws_secretsmanager.Secret(this, 'HydraSecret', {
+    generateSecretString: {
+      secretStringTemplate: JSON.stringify({}),
+      generateStringKey: 'hydra_secret',
+      excludeCharacters: "%+~`#$&*()|[]{}:;<>?!'/@\"\\^,=.",
+    },
+  })
+  /*
+  * Create Hydra ECS Service
+  */
+  const cluster = new aws_ecs.Cluster(this, 'HydraCluster', { vpc })
+  cluster.addCapacity('DefaultAutoScalingGroupCapacity', {
+    instanceType: new aws_ec2.InstanceType("t2.small"),
+    desiredCapacity: 1,
+  })
+  const taskDefinition = new aws_ecs.Ec2TaskDefinition(stack, 'HydraTask', {
+    networkMode: aws_ecs.NetworkMode.BRIDGE,
+  })
+
+  const DB_HOST = rdsCluster.clusterEndpoint.hostname
+  const DB_PORT = rdsCluster.clusterEndpoint.port
+  const DB_NAME = 'hydra'
+  const DB_USER = rdsCluster.secret?.secretValueFromJson('username').toString()
+  const DB_PASSWORD = rdsCluster.secret?.secretValueFromJson('password').toString()
+
+  taskDefinition.addContainer('HydraMigrateContainer', {
+    image: aws_ecs.ContainerImage.fromRegistry('oryd/hydra:v2.2.0'),
+    command: ['migrate', 'sql', '-e', '--yes'],
+    environment: {
+      DSN: `postgres://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${DB_NAME}?sslmode=disable&max_conns=20&max_idle_conns=4`,
+    },
+    essential: false,
+    memoryLimitMiB: 512,
+    logging: new aws_ecs.AwsLogDriver({ streamPrefix: 'hydra-migrate' }),
+  })
+
+  taskDefinition.addContainer('HydraContainer', {
+    image: aws_ecs.ContainerImage.fromRegistry('oryd/hydra:v2.2.0'),
+    command: ['serve', 'all'],
+    environment: {
+      DSN: `postgres://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${DB_NAME}?sslmode=disable&max_conns=20&max_idle_conns=4`,
+      SECRETS_SYSTEM: hydraSecret.secretValueFromJson('hydra_secret').toString(),
+      SECRETS_DATABASE_URL: rdsCluster.secret?.secretArn || '',
+      SECRETS_REDIS_URL: `redis://${redis.attrEndpointAddress}:${redis.attrReaderEndpointPort}`,
+      SERVE_COOKIES_SAME_SITE_MODE: 'Lax',
+      URLS_SELF_ISSUER: 'http://localhost:4444',
+      URLS_CONSENT: 'http://localhost:3000/consent',
+      URLS_LOGIN: 'http://localhost:3000/login',
+      URLS_LOGOUT: 'http://localhost:3000/logout',
+      LOG_LEVEL: 'error',
+    },
+    essential: true,
+    memoryLimitMiB: 512,
+    logging: new aws_ecs.AwsLogDriver({ streamPrefix: 'hydra' }),
+  })
+
+  new aws_ecs.Ec2Service(this, 'HydraService', {
+    cluster,
+    taskDefinition,
+  })
 }