Merge pull request #35 from kbss-cvut/provide-keycloak-auth-with-reve…

…rse-proxy

Provide keycloak authorization example deployment with reverse proxy

deploy/internal-auth/docker-compose.yml

@@ -68,7 +68,7 @@ services:
     environment:
       FORMGEN_REPOSITORY_URL: "http://db-server:7200/repositories/record-manager-formgen"
     volumes:
-      - ../shared/s-pipes-engine/scripts:/scripts/root
+      - ../shared/s-pipes-engine/scripts:/scripts/root:ro
 
   db-server:
     build:

deploy/keycloak-auth/.env

@@ -0,0 +1,18 @@
+# Public origin of URL where Record Manager UI will run, e.g. https://kbss.fel.cvut.cz, https://kbss.fel.cvut.cz:8080, http://localhost. ! This option can be used only with running reverse proxy pointing to http://localhost:$INTERNAL_HOST_PORT/record-manager !
+#PUBLIC_ORIGIN=http://localhost
+
+# Path to root Record Manager application (by default it is set to "/record-manager") ! This option can be used only with running reverse proxy pointing to http://localhost:$INTERNAL_HOST_PORT/record-manager !
+#RECORD_MANAGER_ROOT_PATH=/record-manager-example
+
+# Prefix for name of all docker containers
+RECORD_SET_NAME=iauth-example
+
+# Host machine port that provides main entrypoint for the application. The application will be locally accessible at http://localhost:$INTERNAL_HOST_PORT/$RECORD_MANAGER_ROOT_PATH (by default it is set to "1235") 
+#INTERNAL_HOST_PORT=1235
+
+# URL to form generation service
+FORMGEN_SERVICE_URL=http://s-pipes-engine:8080/s-pipes/service?_pId=clone-form
+
+RECORD_MANAGER_APP_TITLE=Record Manager
+
+LANGUAGE=en

deploy/keycloak-auth/docker-compose.yml

@@ -0,0 +1,140 @@
+version: '3.9'
+
+# Provide access to record-manager-ui that runs locally in dev mode
+x-access-for-local-development: &local-dev-env
+    cors.allowedOrigins: "http://localhost:3000"
+
+services:
+  nginx:
+    image: nginx:latest
+    container_name: ${RECORD_SET_NAME:-rm}-nginx
+    volumes:
+      - ./nginx/template-variables.conf:/etc/nginx/templates/variables.conf.template:ro
+      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+      - ./nginx/error.html:/usr/share/nginx/html/error.html:ro
+    ports:
+      - "127.0.0.1:${INTERNAL_HOST_PORT:-1235}:80"
+    restart: always
+    depends_on:
+      - record-manager
+      - record-manager-server
+      - s-pipes-engine
+      - db-server
+    environment:
+      RECORD_MANAGER_ORIGIN: "${PUBLIC_ORIGIN:-http://localhost:${INTERNAL_HOST_PORT:-1235}}"
+      RECORD_MANAGER_ROOT_PATH: "${RECORD_MANAGER_ROOT_PATH:-/record-manager}"
+
+  record-manager:
+    image: ghcr.io/kbss-cvut/kbss-cvut/record-manager-ui:latest
+    container_name: ${RECORD_SET_NAME:-rm}-record-manager
+    expose:
+      - "80"
+    restart: always
+    depends_on:
+      - record-manager-server
+    environment:
+      API_URL: "${PUBLIC_ORIGIN:-http://localhost:${INTERNAL_HOST_PORT:-1235}}${RECORD_MANAGER_ROOT_PATH:-/record-manager}/services/record-manager-server"
+      APP_INFO: "${RECORD_MANAGER_APP_INFO:-}"
+      APP_TITLE: "${RECORD_MANAGER_APP_TITLE:-Record Manager}"
+      LANGUAGE: "${LANGUAGE:-en}"
+      NAVIGATOR_LANGUAGE: "false"
+      BASENAME: "${RECORD_MANAGER_ROOT_PATH:-/record-manager}"
+      EXTENSION: "${RECORD_MANAGER_EXTENSIONS:-supplier}"
+      AUTHENTICATION: "oidc"
+      AUTH_SERVER_URL: "${PUBLIC_ORIGIN:-http://localhost:${INTERNAL_HOST_PORT:-1235}}${RECORD_MANAGER_ROOT_PATH:-/record-manager}/services/auth/realms/record-manager"
+      AUTH_CLIENT_ID: "record-manager"
+
+  record-manager-server:
+    image: ghcr.io/kbss-cvut/kbss-cvut/record-manager:latest
+    container_name: ${RECORD_SET_NAME:-rm}-record-manager-server
+    expose:
+      - "8080"  
+    restart: always
+    depends_on:
+      - s-pipes-engine
+      - db-server
+    environment:
+      <<: *local-dev-env
+      appContext: "${PUBLIC_ORIGIN:-http://localhost:${INTERNAL_HOST_PORT:-1235}}${RECORD_MANAGER_ROOT_PATH:-/record-manager}"
+      repositoryUrl: "http://db-server:7200/repositories/record-manager-app"
+      formGenRepositoryUrl: "http://db-server:7200/repositories/record-manager-formgen"
+      formGenServiceUrl: "${FORMGEN_SERVICE_URL}"
+      SECURITY_PROVIDER: "oidc"
+      SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUERURI: "${PUBLIC_ORIGIN:-http://localhost:${INTERNAL_HOST_PORT:-1235}}${RECORD_MANAGER_ROOT_PATH:-/record-manager}/services/auth/realms/record-manager"
+      SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWKSETURI: "http://auth-server:8080/realms/record-manager/protocol/openid-connect/certs"
+
+  s-pipes-engine:
+    image: ghcr.io/kbss-cvut/s-pipes/s-pipes-engine:latest
+    container_name: ${RECORD_SET_NAME:-rm}-s-pipes-engine
+    expose:
+      - "8080"  
+    restart: always
+    depends_on:
+      - db-server
+    environment:
+      FORMGEN_REPOSITORY_URL: "http://db-server:7200/repositories/record-manager-formgen"
+    volumes:
+      - ../shared/s-pipes-engine/scripts:/scripts/root:ro
+
+  db-server:
+    build:
+      context: ../shared/db-server
+    container_name: ${RECORD_SET_NAME:-rm}-db-server
+    environment:
+      GDB_JAVA_OPTS: "-Dgraphdb.external-url=${PUBLIC_ORIGIN:-http://localhost:${INTERNAL_HOST_PORT:-1235}}${RECORD_MANAGER_ROOT_PATH:-/record-manager}/services/db-server"
+    expose:
+      - "7200"  
+    restart: always
+    volumes:
+      - ../shared/db-server/init-data/forms:/root/graphdb-import/forms:ro
+      - db-server:/opt/graphdb/home
+
+  auth-server-db:
+    image: postgres:13
+    environment:
+      POSTGRES_DB: keycloak
+      POSTGRES_USER: keycloak
+      POSTGRES_PASSWORD: keycloak
+    volumes:
+      - auth-server-db:/var/lib/postgresql/data
+
+  auth-server:
+    image: "ghcr.io/kbss-cvut/keycloak-graphdb-user-replicator/keycloak-graphdb:latest"
+    command:
+      - start --import-realm --features="token-exchange,admin-fine-grained-authz"
+    environment:
+      KC_IMPORT: realm-export.json
+      KC_HOSTNAME_URL: "${PUBLIC_ORIGIN:-http://localhost:${INTERNAL_HOST_PORT:-1235}}${RECORD_MANAGER_ROOT_PATH:-/record-manager}/services/auth/"
+      KC_HOSTNAME_ADMIN_URL: "${PUBLIC_ORIGIN:-http://localhost:${INTERNAL_HOST_PORT:-1235}}${RECORD_MANAGER_ROOT_PATH:-/record-manager}/services/auth/"
+      KC_HOSTNAME_STRICT_BACKCHANNEL: false
+      KC_HTTP_ENABLED: true
+      KEYCLOAK_ADMIN: ${KC_ADMIN_USER}
+      KEYCLOAK_ADMIN_PASSWORD: ${KC_ADMIN_PASSWORD}
+      DB_VENDOR: POSTGRES
+      DB_ADDR: auth-server-db
+      DB_DATABASE: keycloak
+      DB_USER: keycloak
+      DB_PASSWORD: keycloak
+      DB_SCHEMA: "public"
+      DB_SERVER_URL: "http://db-server:7200"
+      DB_SERVER_REPOSITORY_ID: "record-manager-app"
+      REPOSITORY_LANGUAGE: "en"
+      VOCABULARY_USER_TYPE: "http://onto.fel.cvut.cz/ontologies/record-manager/user"
+      VOCABULARY_USER_FIRST_NAME: "http://xmlns.com/foaf/0.1/firstName"
+      VOCABULARY_USER_LAST_NAME: "http://xmlns.com/foaf/0.1/lastName"
+      VOCABULARY_USER_USERNAME: "http://xmlns.com/foaf/0.1/accountName"
+      VOCABULARY_USER_EMAIL: "http://xmlns.com/foaf/0.1/mbox"
+      ADD_ACCOUNTS: false
+      REALM_ID: "record-manager"
+    expose:
+      - "8080"
+    volumes:
+      - auth-server:/opt/keycloak/data
+      - ../shared/keycloak:/opt/keycloak/data/import
+    depends_on:
+      - auth-server-db
+
+volumes:
+  db-server:
+  auth-server:
+  auth-server-db: