feat(auth): remove integrated auth, delegate to proxy (#209)

cryostatio · Dec 21, 2023 · cb0ceb7 · cb0ceb7
1 parent c1fe902
commit cb0ceb7
Show file tree

Hide file tree

Showing 44 changed files with 219 additions and 673 deletions.
diff --git a/.gitleaks.toml b/.gitleaks.toml
@@ -0,0 +1,5 @@
+[allowlist]
+    description = "Global Allowlist"
+    paths = [
+        '''smoketest\/'''
+    ]
diff --git a/pom.xml b/pom.xml
@@ -98,10 +98,6 @@
       <groupId>io.quarkus</groupId>
       <artifactId>quarkus-arc</artifactId>
     </dependency>
-    <dependency>
-      <groupId>io.quarkus</groupId>
-      <artifactId>quarkus-elytron-security-properties-file</artifactId>
-    </dependency>
     <dependency>
       <groupId>io.quarkus</groupId>
       <artifactId>quarkus-resteasy-reactive-jackson</artifactId>

diff --git a/smoketest.bash b/smoketest.bash
@@ -9,6 +9,7 @@ DIR="$(dirname "$(readlink -f "$0")")"
 
 FILES=(
     "${DIR}/smoketest/compose/db.yml"
+    "${DIR}/smoketest/compose/auth_proxy.yml"
 )
 
 USE_USERHOSTS=${USE_USERHOSTS:-true}
@@ -79,8 +80,10 @@ FILES+=("${s3Manifest}")
 
 if [ "${ce}" = "podman" ]; then
     FILES+=("${DIR}/smoketest/compose/cryostat.yml")
+    container_engine="podman"
 elif [ "${ce}" = "docker" ]; then
     FILES+=("${DIR}/smoketest/compose/cryostat_docker.yml")
+    container_engine="docker"
 else
     echo "Unknown Container Engine selection: ${ce}"
     display_usage
@@ -107,6 +110,8 @@ cleanup() {
     docker-compose \
         "${CMD[@]}" \
         down "${downFlags[@]}"
+    ${container_engine} rm proxy_cfg_helper
+    ${container_engine} volume rm auth_proxy_cfg
     # podman kill hoster || true
     truncate -s 0 "${HOSTSFILE}"
     for i in "${PIDS[@]}"; do
@@ -117,6 +122,14 @@ cleanup() {
 trap cleanup EXIT
 cleanup
 
+createProxyCfgVolume() {
+    "${container_engine}" volume create auth_proxy_cfg
+    "${container_engine}" container create --name proxy_cfg_helper -v auth_proxy_cfg:/tmp busybox
+    "${container_engine}" cp "${DIR}/smoketest/compose/auth_proxy_htpasswd" proxy_cfg_helper:/tmp/auth_proxy_htpasswd
+    "${container_engine}" cp "${DIR}/smoketest/compose/auth_proxy_alpha_config.yaml" proxy_cfg_helper:/tmp/auth_proxy_alpha_config.yaml
+}
+createProxyCfgVolume
+
 setupUserHosts() {
     # FIXME this is broken: it puts the containers' bridge-internal IP addresses
     # into the user hosts file, but these IPs are in a subnet not reachable from the host.
@@ -157,6 +170,9 @@ openBrowserTabs() {
             local port
             if [ "${USE_USERHOSTS}" = "true" ]; then
                 host="$(echo "${yaml}" | yq ".[${i}].host" | grep -v null)"
+                if [ "${host}" = "auth" ]; then
+                  host="localhost"
+                fi
             else
                 host="localhost"
             fi
@@ -170,7 +186,16 @@ openBrowserTabs() {
     echo "Service URLs:" "${urls[@]}"
     for url in "${urls[@]}"; do
         (
-            until timeout 1s curl -s -f -o /dev/null "${url}"
+            testSvc() {
+              timeout 1s curl -s -f -o /dev/null "$1"
+              local sc="$?"
+              if [ "${sc}" = "0" ] || [ "${sc}" = "22" ]; then
+                return 0
+              else
+                return "${sc}"
+              fi
+            }
+            until testSvc "${url}"
             do
                 sleep 5
             done

diff --git a/smoketest/compose/auth_proxy.yml b/smoketest/compose/auth_proxy.yml
@@ -0,0 +1,48 @@
+version: "3"
+services:
+  cryostat:
+    environment:
+      QUARKUS_HTTP_PROXY_PROXY_ADDRESS_FORWARDING: 'true'
+      QUARKUS_HTTP_PROXY_ALLOW_X_FORWARDED: 'true'
+      QUARKUS_HTTP_PROXY_ENABLE_FORWARDED_HOST: 'true'
+      QUARKUS_HTTP_PROXY_ENABLE_FORWARDED_PREFIX: 'true'
+      QUARKUS_HTTP_PROXY_TRUSTED_PROXIES: localhost:8080,auth:8080
+  auth:
+    # the proxy does not actually depend on cryostat being up, but we use this
+    # to ensure that when the smoketest tries to open the auth login page in a
+    # browser tab, it does so only after the upstream cryostat is actually
+    # available to be proxied to
+    depends_on:
+      cryostat:
+        condition: service_healthy
+    deploy:
+      resources:
+        limits:
+          cpus: '0.1'
+          memory: 32m
+    image: quay.io/oauth2-proxy/oauth2-proxy:latest
+    command: --alpha-config=/tmp/auth_proxy_alpha_config.yaml
+    volumes:
+      - auth_proxy_cfg:/tmp
+    hostname: auth
+    ports:
+      - "8080:8080"
+    labels:
+      kompose.service.expose: "auth"
+    environment:
+      OAUTH2_PROXY_HTPASSWD_FILE: /tmp/auth_proxy_htpasswd
+      OAUTH2_PROXY_HTPASSWD_USER_GROUP: write
+      OAUTH2_PROXY_REDIRECT_URL: http://localhost:8080/oauth2/callback
+      OAUTH2_PROXY_COOKIE_SECRET: __24_BYTE_COOKIE_SECRET_
+      # OAUTH2_PROXY_SKIP_AUTH_ROUTES: .*
+    restart: unless-stopped
+    healthcheck:
+      test: wget -q --spider http://localhost:8080/ping || exit 1
+      interval: 10s
+      retries: 3
+      start_period: 30s
+      timeout: 5s
+
+volumes:
+  auth_proxy_cfg:
+    external: true
diff --git a/smoketest/compose/auth_proxy_alpha_config.yaml b/smoketest/compose/auth_proxy_alpha_config.yaml
@@ -0,0 +1,14 @@
+server:
+  BindAddress: http://0.0.0.0:8080
+upstreamConfig:
+  proxyRawPath: true
+  upstreams:
+    - id: cryostat
+      path: /
+      uri: http://cryostat:8181
+providers:
+  - id: dummy
+    name: Unused - Sign In Below
+    clientId: CLIENT_ID
+    clientSecret: CLIENT_SECRET
+    provider: google
diff --git a/smoketest/compose/auth_proxy_htpasswd b/smoketest/compose/auth_proxy_htpasswd
@@ -0,0 +1 @@
+user:$2y$05$.p1/68oBWKX1FhAtZOArYOoNoMqsB4yuUNXGOeSATHPq3geKqEaZS
diff --git a/smoketest/compose/cryostat-grafana.yml b/smoketest/compose/cryostat-grafana.yml
@@ -25,5 +25,5 @@ services:
       test: curl --fail http://localhost:3000/ || exit 1
       retries: 3
       interval: 30s
-      start_period: 10s
+      start_period: 30s
       timeout: 1s
diff --git a/smoketest/compose/cryostat.yml b/smoketest/compose/cryostat.yml
@@ -9,33 +9,32 @@ services:
     deploy:
       resources:
         limits:
-          cpus: '0.5'
+          cpus: '2'
           memory: 512m
     image: quay.io/cryostat/cryostat:3.0.0-snapshot
     volumes:
-      - ${XDG_RUNTIME_DIR}/podman/podman.sock:/run/user/0/podman/podman.sock:Z
+      - ${XDG_RUNTIME_DIR}/podman/podman.sock:/run/user/1000/podman/podman.sock:Z
     security_opt:
       - label:disable
     hostname: cryostat3
-    user: "0"
+    user: "1000"
     expose:
-      - "9091"
-    ports:
-      - "8181:8181"
+      - "8181"
     labels:
       kompose.service.expose: "cryostat3"
       io.cryostat.discovery: "true"
       io.cryostat.jmxHost: "localhost"
       io.cryostat.jmxPort: "0"
       io.cryostat.jmxUrl: "service:jmx:rmi:///jndi/rmi://localhost:0/jmxrmi"
     environment:
+      QUARKUS_HTTP_HOST: "cryostat"
       CRYOSTAT_DISCOVERY_PODMAN_ENABLED: "true"
       CRYOSTAT_DISCOVERY_JDP_ENABLED: "true"
       JAVA_OPTS_APPEND: "-XX:+FlightRecorder -XX:StartFlightRecording=name=onstart,settings=default,disk=true,maxage=5m -Dcom.sun.management.jmxremote.autodiscovery=true -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9091 -Dcom.sun.management.jmxremote.rmi.port=9091 -Djava.rmi.server.hostname=127.0.0.1 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false"
     restart: unless-stopped
     healthcheck:
-      test: curl --fail http://localhost:8181/health/liveness || exit 1
+      test: curl --fail http://cryostat:8181/health/liveness || exit 1
       interval: 10s
       retries: 3
-      start_period: 10s
+      start_period: 30s
       timeout: 5s
diff --git a/smoketest/compose/cryostat_docker.yml b/smoketest/compose/cryostat_docker.yml
@@ -9,15 +9,15 @@ services:
     deploy:
       resources:
         limits:
-          cpus: '0.5'
+          cpus: '2'
           memory: 512m
     image: quay.io/cryostat/cryostat:3.0.0-snapshot
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:Z
     security_opt:
       - label:disable
     hostname: cryostat3
-    user: "0"
+    user: "1000"
     expose:
       - "9091"
     ports:
@@ -29,13 +29,16 @@ services:
       io.cryostat.jmxPort: "0"
       io.cryostat.jmxUrl: "service:jmx:rmi:///jndi/rmi://localhost:0/jmxrmi"
     environment:
+      QUARKUS_HTTP_HOST: "cryostat"
+      CRYOSTAT_HTTP_PROXY_HOST: "auth"
+      CRYOSTAT_HTTP_PROXY_PORT: "8080"
       CRYOSTAT_DISCOVERY_DOCKER_ENABLED: "true"
       CRYOSTAT_DISCOVERY_JDP_ENABLED: "true"
       JAVA_OPTS_APPEND: "-XX:+FlightRecorder -XX:StartFlightRecording=name=onstart,settings=default,disk=true,maxage=5m -Dcom.sun.management.jmxremote.autodiscovery=true -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9091 -Dcom.sun.management.jmxremote.rmi.port=9091 -Djava.rmi.server.hostname=127.0.0.1 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false"
     restart: unless-stopped
     healthcheck:
-      test: curl --fail http://localhost:8181/health/liveness || exit 1
+      test: curl --fail http://cryostat:8181/health/liveness || exit 1
       interval: 10s
       retries: 3
-      start_period: 10s
+      start_period: 30s
       timeout: 5s
diff --git a/smoketest/compose/cryostat_k8s.yml b/smoketest/compose/cryostat_k8s.yml
@@ -8,7 +8,6 @@ services:
         condition: service_healthy
     image: quay.io/cryostat/cryostat:3.0.0-snapshot
     hostname: cryostat3
-    user: "0"
     expose:
       - "9091"
     ports:
@@ -28,5 +27,5 @@ services:
       test: curl --fail http://localhost:8181/health/liveness || exit 1
       interval: 10s
       retries: 3
-      start_period: 10s
+      start_period: 30s
       timeout: 5s
diff --git a/smoketest/compose/db-viewer.yml b/smoketest/compose/db-viewer.yml
@@ -23,7 +23,7 @@ services:
       test: wget --no-verbose --tries=1 --spider http://localhost:8989 || exit 1
       interval: 10s
       retries: 3
-      start_period: 10s
+      start_period: 30s
       timeout: 5s
 
 volumes:

diff --git a/smoketest/compose/db.yml b/smoketest/compose/db.yml
@@ -23,7 +23,7 @@ services:
       test: pg_isready -U cryostat3 -d cryostat3 || exit 1
       interval: 10s
       retries: 3
-      start_period: 10s
+      start_period: 30s
       timeout: 5s
 
 volumes:

diff --git a/smoketest/compose/db_k8s.yml b/smoketest/compose/db_k8s.yml
@@ -24,7 +24,7 @@ services:
       test: pg_isready -U cryostat3 -d cryostat3 || exit 1
       interval: 10s
       retries: 3
-      start_period: 10s
+      start_period: 30s
       timeout: 5s
   db-viewer:
     depends_on:
@@ -48,7 +48,7 @@ services:
       test: wget --no-verbose --tries=1 --spider http://localhost:8989 || exit 1
       interval: 10s
       retries: 3
-      start_period: 10s
+      start_period: 30s
       timeout: 5s
 
 volumes:

diff --git a/smoketest/compose/jfr-datasource.yml b/smoketest/compose/jfr-datasource.yml
@@ -25,5 +25,5 @@ services:
       test: curl --fail http://localhost:8080/ || exit 1
       retries: 3
       interval: 30s
-      start_period: 10s
+      start_period: 30s
       timeout: 1s
diff --git a/smoketest/compose/s3-cloudserver.yml b/smoketest/compose/s3-cloudserver.yml
@@ -34,5 +34,5 @@ services:
     #     - http://localhost:8000/
     #   interval: 10s
     #   retries: 3
-    #   start_period: 10s
+    #   start_period: 30s
     #   timeout: 5s
diff --git a/smoketest/compose/s3-localstack.yml b/smoketest/compose/s3-localstack.yml
@@ -34,7 +34,7 @@ services:
       test: curl --fail http://localhost:4566 || exit 1
       interval: 10s
       retries: 3
-      start_period: 10s
+      start_period: 30s
       timeout: 5s
 
 volumes:

diff --git a/smoketest/compose/s3-minio.yml b/smoketest/compose/s3-minio.yml
@@ -38,12 +38,11 @@ services:
         - local
       interval: 10s
       retries: 3
-      start_period: 10s
+      start_period: 30s
       timeout: 5s
 
 volumes:
   minio_data:
     driver: local
   minio_certs:
     driver: local
-
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		user:$2y$05$.p1/68oBWKX1FhAtZOArYOoNoMqsB4yuUNXGOeSATHPq3geKqEaZS