(remove)

.gitleaksignore

@@ -0,0 +1,18 @@
+/src/docker-compose.yml:generic-api-key:43
+/src/frontend/src/component/admin/apiToken/ApiTokenIcon/ApiTokenIcon.test.tsx:generic-api-key:37
+/src/.yarn/releases/yarn-4.4.1.cjs:aws-access-token:149
+/src/.yarn/releases/yarn-4.4.1.cjs:aws-access-token:149
+/src/docker/.yarn/releases/yarn-4.3.1.cjs:aws-access-token:149
+/src/frontend/.yarn/releases/yarn-4.4.1.cjs:aws-access-token:149
+/src/docker/.yarn/releases/yarn-4.3.1.cjs:aws-access-token:149
+/src/frontend/.yarn/releases/yarn-4.4.1.cjs:aws-access-token:149
+/src/.yarn/releases/yarn-4.4.1.cjs:generic-api-key:567
+/src/docker/.yarn/releases/yarn-4.3.1.cjs:generic-api-key:567
+/src/frontend/.yarn/releases/yarn-4.4.1.cjs:generic-api-key:567
+/src/src/lib/openapi/spec/public-signup-tokens-schema.ts:generic-api-key:18
+/src/src/test/e2e/stores/api-token-store.e2e.test.ts:generic-api-key:91
+/src/website/.yarn/releases/yarn-4.4.1.cjs:aws-access-token:149
+/src/website/.yarn/releases/yarn-4.4.1.cjs:aws-access-token:149
+/src/website/docs/quickstart.mdx:generic-api-key:118
+/src/website/docs/quickstart.mdx:generic-api-key:124
+/src/website/.yarn/releases/yarn-4.4.1.cjs:generic-api-key:567

azure_pipelines.yml

@@ -0,0 +1,103 @@
+# OGCIO
+
+trigger:
+  - dev
+  - uat
+  - sta
+
+pr:
+  autoCancel: true
+  branches:
+    include:
+      - "*"
+
+parameters:
+  - name: buildBranches
+    type: object
+    default: ["dev", "sta", "uat"]
+
+  - name: validEnvironments
+    type: object
+    displayName: List of valid environments to deploy (do not change)
+    default: ['dev','sta', 'uat', 'prd']
+
+variables:
+  - name: pushArtefacts
+    value: ${{ containsValue(parameters.buildBranches, variables['Build.SourceBranchName']) }}
+  - ${{ if containsValue(parameters.validEnvironments ,variables['Build.SourceBranchName']) }}:
+    - template: pipeline-variables/${{ coalesce(variables['Build.SourceBranchName'], 'fallback') }}.yml
+  - ${{ else }}:
+    - template: pipeline-variables/dev.yml
+
+resources:
+  repositories:
+    - repository: pipeline-templates
+      type: github
+      name: ogcio/building-blocks-pipelines
+      ref: refs/tags/v0.5
+      endpoint: ogcio
+    - repository: unleash-k8s-apps
+      type: github
+      name: ogcio/unleash-k8s-apps
+      ref: main
+      endpoint: ogcio
+
+stages:
+  - stage: securityScan
+    displayName: Security Scans
+    jobs:
+      - template: security/gitleaks.yml@pipeline-templates
+  - stage: Build_Unleash
+    displayName: Build Unleash
+    dependsOn: 
+      - securityScan
+    jobs:  
+    - template: pipeline-templates/build_service.yml
+      parameters:
+        serviceName: unleash
+        pushArtefacts: ${{ variables.pushArtefacts }}
+        buildArguments: $(buildArguments)
+  - stage: EnvApproval
+    displayName: Approvals for deployments - ${{ upper(variables.environment) }}
+    dependsOn:
+      - Build_Unleash
+    condition: ${{ variables.pushArtefacts }}
+    jobs:
+    - deployment: VerifyDeployment
+      displayName: Verify conditions for deployment
+      environment: ${{ variables.environment }}
+      strategy:
+        runOnce:
+          deploy:
+            steps:
+            - script: |
+                date
+              displayName: Show current date
+  - stage: Push_Unleash
+    displayName: Push Unleash to ECR
+    dependsOn: EnvApproval
+    condition: and(${{ variables.pushArtefacts }}, succeeded())
+    jobs:
+    - template: build/push_image_ecr.yml@pipeline-templates
+      parameters:
+        awsServiceConnection: ${{ variables.awsServiceConnection }}
+        awsRegion: ${{ variables.awsRegion }}
+        serviceName: unleash
+        repositoryName: bb-unleash
+        pushTag: $(Build.BuildId)
+  - stage: Deploy_Openshift_Unleash
+    displayName: GitOps deploy Unleash
+    dependsOn:
+      - EnvApproval
+      - Push_Unleash
+    condition: succeeded()
+    jobs:
+    - template: deploy/gitops.yml@pipeline-templates
+      parameters:
+        serviceName: unleash
+        newName: ${{ variables.ecrEndpoint }}/bb-unleash
+        newTag: $(Build.BuildId)
+        ${{ if containsValue(parameters.validEnvironments ,variables['Build.SourceBranchName']) }}:
+          environment: ${{ variables['Build.SourceBranchName'] }}
+        ${{ else }}:
+          environment: dev

docker-compose.yml

@@ -18,12 +18,16 @@ services:
   # The Unleash server contains the Unleash configuration and
   # communicates with server-side SDKs and the Unleash Proxy
   web:
-    image: unleashorg/unleash-server:latest
+    build:
+      # OGCIO
+      context: .
+      dockerfile: Dockerfile
     ports:
       - "4242:4242"
+    network_mode: "host"
     environment:
       # This points Unleash to its backing database (defined in the `db` section below)
-      DATABASE_URL: "postgres://postgres:unleash@db/db"
+      DATABASE_URL: "postgres://postgres:unleash@localhost/db"
       # Disable SSL for database connections. @chriswk: why do we do this?
       DATABASE_SSL: "false"
       # Changing log levels:
@@ -35,6 +39,10 @@ services:
       # initialize Unleash with multiple tokens, separate them with a
       # comma (`token1,token2`).
       INIT_CLIENT_API_TOKENS: "default:development.unleash-insecure-api-token"
+      # OGCIO
+      AUTH_APP_ID: "43geanp0dwznxw412mxme"
+      AUTH_APP_SECRET: "unleash_app_local_secret"
+      AUTH_HOST: "http://localhost:3301"
     depends_on:
       db:
         condition: service_healthy
@@ -47,13 +55,15 @@ services:
       start_period: 15s
   db:
     expose:
-      - "5432"
+      - "5432:5432"
+    network_mode: "host"
     image: postgres:15
     environment:
       # create a database called `db`
       POSTGRES_DB: "db"
-      # trust incoming connections blindly (DON'T DO THIS IN PRODUCTION!)
-      POSTGRES_HOST_AUTH_METHOD: "trust"
+      # OGCIO
+      POSTGRES_USER: postgres
+      POSTGRES_PASSWORD: unleash
     healthcheck:
       test:
         [
@@ -66,4 +76,4 @@ services:
       interval: 2s
       timeout: 1m
       retries: 5
-      start_period: 10s
+      start_period: 10s

docker/index.js

@@ -1,7 +1,13 @@
 'use strict';
 
 const unleash = require('unleash-server');
+const oidcAuthHook = require('./ogcio/oidc-auth-hook');
 
-let options = {};
+const options = {
+  authentication: {
+    type: "custom",
+    customAuthHandler: oidcAuthHook,
+  }
+};
 
 unleash.start(options);

docker/ogcio/create-db.js

@@ -0,0 +1,58 @@
+const path = require("node:path");
+const fs = require("node:fs");
+const { Client } = require("pg");
+
+const configPath = path.join(__dirname, "database.json");
+const config_ = JSON.parse(fs.readFileSync(configPath, "utf-8"));
+
+const key = config_.defaultEnv;
+const config = config_[key];
+
+const user = process.env[config.user.ENV];
+const host = process.env[config.host.ENV];
+const password = process.env[config.password.ENV];
+const port = process.env[config.port.ENV];
+const dbName = process.env[config.database.ENV];
+
+// bearer:disable javascript_lang_sql_injection
+const createDatabase = async (dbName) => {
+  const client = new Client({
+    user,
+    host,
+    password,
+    port,
+  });
+
+  // Regular expression to ensure that dbName contains only valid characters (letters, numbers, underscores)
+  if (!/^[a-zA-Z0-9_]+$/.test(dbName)) {
+    throw new Error("Invalid database name.");
+  }
+
+  try {
+    await client.connect();
+    console.log("Connected to PostgreSQL");
+
+    // Check if the database exists
+    const res = await client.query(
+      "SELECT 1 FROM pg_database WHERE datname = $1",
+      [dbName],
+    );
+
+    if (res.rowCount === 0) {
+      // Create the database if it doesn't exist
+      // PostgreSQL does not support parameterized queries for database creation directly
+      // but we're validating dbName before the query execution
+      await client.query(`CREATE DATABASE ${dbName}`);
+      console.log(`Database ${dbName} created successfully`);
+    } else {
+      console.log(`Database ${dbName} already exists`);
+    }
+  } catch (err) {
+    console.error("Error creating database", err);
+  } finally {
+    await client.end();
+    console.log("Disconnected from PostgreSQL");
+  }
+};
+
+createDatabase(dbName);

docker/ogcio/database.json

@@ -0,0 +1,12 @@
+{
+  "defaultEnv": "prd",
+  "prd": {
+    "driver": "pg",
+    "user": { "ENV": "POSTGRES_USER" },
+    "password": { "ENV": "POSTGRES_PASSWORD" },
+    "host": { "ENV": "POSTGRES_HOST" },
+    "database": { "ENV": "POSTGRES_DB_NAME" },
+    "port": { "ENV": "POSTGRES_PORT" },
+    "schema": "public"
+  }
+}

docker/ogcio/oidc-auth-hook.js

@@ -0,0 +1,81 @@
+/**
+ * OIDC hook for securing an Unleash server
+ *
+ * The implementation assumes the following environment variables:
+ *
+ *  - AUTH_APP_ID
+ *  - AUTH_APP_SECRET
+ *  - AUTH_HOST
+ */
+require("dotenv").config();
+const OpenIDConnectStrategy = require("passport-openidconnect");
+const passport = require("passport");
+
+const { AuthenticationRequired } = require("unleash-server");
+
+const { AUTH_APP_ID, AUTH_APP_SECRET, AUTH_HOST, CONTEXT_PATH } = process.env;
+const contextPath = CONTEXT_PATH || "";
+
+if (!AUTH_APP_ID || !AUTH_APP_SECRET || !AUTH_HOST) {
+  throw new Error("Missing required environment variables for OIDC authentication");
+}
+
+function enableOidcOauth(app, config, services) {
+  const { baseUriPath } = config.server;
+  const { userService } = services;
+
+  passport.use(
+    "oidc",
+    new OpenIDConnectStrategy(
+      {
+        issuer: `${AUTH_HOST}/oidc`,
+        authorizationURL: `${AUTH_HOST}/oidc/auth`,
+        tokenURL: `${AUTH_HOST}/oidc/token`,
+        userInfoURL: `${AUTH_HOST}/oidc/me`,
+        callbackURL: `${contextPath}/api/auth/callback`,
+        clientID: AUTH_APP_ID,
+        clientSecret: AUTH_APP_SECRET,
+        scope: ["profile", "offline_access", "email"],
+      },
+      async (_issuer, profile, callback) => {
+        const user = await userService.loginUserWithoutPassword(
+          profile?.emails?.[0]?.value,
+          true,
+        );
+        callback(null, user);
+      },
+    ),
+  );
+
+  app.use(passport.initialize());
+  app.use(passport.session());
+
+  passport.serializeUser((user, done) => done(null, user));
+  passport.deserializeUser((user, done) => done(null, user));
+
+  app.get("/api/admin/login", passport.authenticate("oidc"));
+
+  app.get("/api/auth/callback", passport.authenticate("oidc"), (_req, res) => {
+    res.redirect(`${contextPath}/`);
+  });
+
+  app.use("/api", (req, res, next) => {
+    if (req.user) {
+      return next();
+    }
+    // Instruct unleash-frontend to pop-up auth dialog
+    return res
+      .status(401)
+      .json(
+        new AuthenticationRequired({
+          path: `${contextPath}/api/admin/login`,
+          type: "custom",
+          message: `You have to identify yourself in order to use Unleash. 
+                        Click the button and follow the instructions.`,
+        }),
+      )
+      .end();
+  });
+}
+
+module.exports = enableOidcOauth;

package.json

@@ -45,6 +45,7 @@
     "dev": "concurrently \"yarn:dev:backend\" \"yarn:dev:frontend\"",
     "prepare:backend": "concurrently \"yarn:copy-templates\" \"yarn:build:backend\"",
     "start:dev": "yarn run clean && TZ=UTC NODE_ENV=development tsc-watch --strictNullChecks false --onSuccess \"node dist/server-dev.js\"",
+    "db:create": "node src/ogcio/create-db.js",
     "db-migrate": "db-migrate --migrations-dir ./src/migrations",
     "lint": "biome check .",
     "lint:fix": "biome check . --write",
@@ -156,6 +157,8 @@
     "openapi-types": "^12.1.3",
     "owasp-password-strength-test": "^1.3.0",
     "parse-database-url": "^0.3.0",
+    "passport": "^0.7.0",
+    "passport-openidconnect": "^0.1.2",
     "pg": "^8.12.0",
     "pg-connection-string": "^2.5.0",
     "pkginfo": "^0.4.1",