Merge branch 'main' into add-role-buttons

kbss-cvut · Dec 13, 2023 · b5118fe · b5118fe
2 parents d7262e2 + 7ffa550
commit b5118fe
Show file tree

Hide file tree

Showing 30 changed files with 424 additions and 158 deletions.
diff --git a/.env.keycloak-auth b/.env.keycloak-auth
@@ -0,0 +1,11 @@
+RECORD_MANAGER_API_URL=http://localhost:1235/record-manager/services/record-manager-server
+RECORD_MANAGER_APP_TITLE=Record Manager
+RECORD_MANAGER_DEV_SERVER_PORT=3000
+RECORD_MANAGER_PROD_SERVER_PORT=8080
+RECORD_MANAGER_LANGUAGE=cs
+RECORD_MANAGER_NAVIGATOR_LANGUAGE=true
+RECORD_MANAGER_BASENAME=/
+RECORD_MANAGER_EXTENSIONS=supplier
+RECORD_MANAGER_AUTHENTICATION=oidc
+RECORD_MANAGER_AUTH_SERVER_URL=http://localhost:1235/record-manager/services/auth/realms/record-manager
+RECORD_MANAGER_AUTH_CLIENT_ID=record-manager
diff --git a/deploy/internal-auth/docker-compose.yml b/deploy/internal-auth/docker-compose.yml
@@ -68,7 +68,7 @@ services:
     environment:
       FORMGEN_REPOSITORY_URL: "http://db-server:7200/repositories/record-manager-formgen"
     volumes:
-      - ./s-pipes-engine/scripts:/scripts/root
+      - ../shared/s-pipes-engine/scripts:/scripts/root:ro
 
   db-server:
     build:

diff --git a/deploy/keycloak-auth/.env b/deploy/keycloak-auth/.env
@@ -0,0 +1,18 @@
+# Public origin of URL where Record Manager UI will run, e.g. https://kbss.fel.cvut.cz, https://kbss.fel.cvut.cz:8080, http://localhost. ! This option can be used only with running reverse proxy pointing to http://localhost:$INTERNAL_HOST_PORT/record-manager !
+#PUBLIC_ORIGIN=http://localhost
+
+# Path to root Record Manager application (by default it is set to "/record-manager") ! This option can be used only with running reverse proxy pointing to http://localhost:$INTERNAL_HOST_PORT/record-manager !
+#RECORD_MANAGER_ROOT_PATH=/record-manager-example
+
+# Prefix for name of all docker containers
+RECORD_SET_NAME=kauth-example
+
+# Host machine port that provides main entrypoint for the application. The application will be locally accessible at http://localhost:$INTERNAL_HOST_PORT/$RECORD_MANAGER_ROOT_PATH (by default it is set to "1235") 
+#INTERNAL_HOST_PORT=1235
+
+# URL to form generation service
+FORMGEN_SERVICE_URL=http://s-pipes-engine:8080/s-pipes/service?_pId=clone-form
+
+RECORD_MANAGER_APP_TITLE=Record Manager
+
+LANGUAGE=en
diff --git a/deploy/keycloak-auth/docker-compose.yml b/deploy/keycloak-auth/docker-compose.yml
@@ -1,61 +1,94 @@
 version: '3.9'
 
+# Provide access to record-manager-ui that runs locally in dev mode
+x-access-for-local-development: &local-dev-env
+    cors.allowedOrigins: "http://localhost:3000"
+
 services:
+  nginx:
+    image: nginx:latest
+    container_name: ${RECORD_SET_NAME:-rm}-nginx
+    volumes:
+      - ./nginx/template-variables.conf:/etc/nginx/templates/variables.conf.template:ro
+      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+      - ./nginx/error.html:/usr/share/nginx/html/error.html:ro
+    ports:
+      - "127.0.0.1:${INTERNAL_HOST_PORT:-1235}:80"
+    restart: always
+    depends_on:
+      - record-manager
+      - record-manager-server
+      - s-pipes-engine
+      - db-server
+    environment:
+      RECORD_MANAGER_ORIGIN: "${PUBLIC_ORIGIN:-http://localhost:${INTERNAL_HOST_PORT:-1235}}"
+      RECORD_MANAGER_ROOT_PATH: "${RECORD_MANAGER_ROOT_PATH:-/record-manager}"
+
   record-manager:
     image: ghcr.io/kbss-cvut/kbss-cvut/record-manager-ui:latest
     container_name: ${RECORD_SET_NAME:-rm}-record-manager
-    ports:
-      - "127.0.0.1:3000:80"
+    expose:
+      - "80"
+    restart: always
     depends_on:
       - record-manager-server
     environment:
-      APP_TITLE: "Record Manager"
-      BASENAME: "./"
-      LANGUAGE: "cs"
-      NAVIGATOR_LANGUAGE: "true"
-      API_URL: "http://localhost:8080/record-manager-server"
-      APP_INFO: "<a href=\"https://github.com/kbss-cvut\" target=\"_blank\" rel=\"noopener noreferrer\" title=\"KBSS CVUT v Praze\">© KBSS CVUT v Praze, 2023</a>"
+      API_URL: "${PUBLIC_ORIGIN:-http://localhost:${INTERNAL_HOST_PORT:-1235}}${RECORD_MANAGER_ROOT_PATH:-/record-manager}/services/record-manager-server"
+      APP_INFO: "${RECORD_MANAGER_APP_INFO:-}"
+      APP_TITLE: "${RECORD_MANAGER_APP_TITLE:-Record Manager}"
+      LANGUAGE: "${LANGUAGE:-en}"
+      NAVIGATOR_LANGUAGE: "false"
+      BASENAME: "${RECORD_MANAGER_ROOT_PATH:-/record-manager}"
       AUTHENTICATION: "oidc"
-      AUTH_SERVER_URL: "http://localhost:8088/realms/record-manager"
-      AUTH_CLIENT_ID: "record-manager-ui"
-      FORCE_BASENAME: "true"
+      AUTH_SERVER_URL: "${PUBLIC_ORIGIN:-http://localhost:${INTERNAL_HOST_PORT:-1235}}${RECORD_MANAGER_ROOT_PATH:-/record-manager}/services/auth/realms/record-manager"
+      AUTH_CLIENT_ID: "record-manager"
+      EXTENSION: "${RECORD_MANAGER_EXTENSIONS:-supplier}"
 
   record-manager-server:
     image: ghcr.io/kbss-cvut/kbss-cvut/record-manager:latest
     container_name: ${RECORD_SET_NAME:-rm}-record-manager-server
-    ports:
-      - "127.0.0.1:8080:8080"
+    expose:
+      - "8080"  
+    restart: always
     depends_on:
       - s-pipes-engine
       - db-server
-      - auth-server
     environment:
-      REPOSITORYURL: "http://db-server:7200/repositories/record-manager-app"
-      FORMGENREPOSITORYURL: "http://db-server:7200/repositories/record-manager-formgen"
-      FORMGENSERVICEURL: "http://s-pipes-engine:8080/s-pipes/service?_pId=clone&sgovRepositoryUrl=https%3A%2F%2Fgraphdb.onto.fel.cvut.cz%2Frepositories%2Fkodi-slovnik-gov-cz"
+      <<: *local-dev-env
+      appContext: "${PUBLIC_ORIGIN:-http://localhost:${INTERNAL_HOST_PORT:-1235}}${RECORD_MANAGER_ROOT_PATH:-/record-manager}"
+      repositoryUrl: "http://db-server:7200/repositories/record-manager-app"
+      formGenRepositoryUrl: "http://db-server:7200/repositories/record-manager-formgen"
+      formGenServiceUrl: "${FORMGEN_SERVICE_URL}"
       SECURITY_PROVIDER: "oidc"
-      SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUERURI: "http://localhost:8088/realms/record-manager"
+      SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUERURI: "${PUBLIC_ORIGIN:-http://localhost:${INTERNAL_HOST_PORT:-1235}}${RECORD_MANAGER_ROOT_PATH:-/record-manager}/services/auth/realms/record-manager"
       SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWKSETURI: "http://auth-server:8080/realms/record-manager/protocol/openid-connect/certs"
-      SERVER_SERVLET_CONTEXTPATH: "/record-manager-server"
 
   s-pipes-engine:
     image: ghcr.io/kbss-cvut/s-pipes/s-pipes-engine:latest
     container_name: ${RECORD_SET_NAME:-rm}-s-pipes-engine
-    ports:
-      - "127.0.0.1:8081:8080"
+    expose:
+      - "8080"  
+    restart: always
     depends_on:
       - db-server
+    environment:
+      FORMGEN_REPOSITORY_URL: "http://db-server:7200/repositories/record-manager-formgen"
+    volumes:
+      - ../shared/s-pipes-engine/scripts:/scripts/root:ro
+
   db-server:
     build:
       context: ../shared/db-server
     container_name: ${RECORD_SET_NAME:-rm}-db-server
     environment:
-      GDB_JAVA_OPTS: "-Ddefault.min.distinct.threshold=67108864"
-    ports:
-      - "127.0.0.1:7200:7200"
+      GDB_JAVA_OPTS: "-Dgraphdb.external-url=${PUBLIC_ORIGIN:-http://localhost:${INTERNAL_HOST_PORT:-1235}}${RECORD_MANAGER_ROOT_PATH:-/record-manager}/services/db-server"
+    expose:
+      - "7200"  
+    restart: always
     volumes:
       - ../shared/db-server/init-data/forms:/root/graphdb-import/forms:ro
-      - data:/opt/graphdb/home
+      - db-server:/opt/graphdb/home
+
   auth-server-db:
     image: postgres:13
     container_name: ${RECORD_SET_NAME:-rm}-auth-server-db
@@ -65,15 +98,16 @@ services:
       POSTGRES_PASSWORD: keycloak
     volumes:
       - auth-server-db:/var/lib/postgresql/data
+
   auth-server:
     image: ghcr.io/kbss-cvut/keycloak-graphdb-user-replicator/keycloak-graphdb:latest
     container_name: ${RECORD_SET_NAME:-rm}-auth-server
     command:
-      - start --import-realm
+      - start --import-realm --features="token-exchange,admin-fine-grained-authz"
     environment:
       KC_IMPORT: realm-export.json
-      KC_HOSTNAME_URL: "http://localhost:8088"
-      KC_HOSTNAME_ADMIN_URL: "http://localhost:8088"
+      KC_HOSTNAME_URL: "${PUBLIC_ORIGIN:-http://localhost:${INTERNAL_HOST_PORT:-1235}}${RECORD_MANAGER_ROOT_PATH:-/record-manager}/services/auth/"
+      KC_HOSTNAME_ADMIN_URL: "${PUBLIC_ORIGIN:-http://localhost:${INTERNAL_HOST_PORT:-1235}}${RECORD_MANAGER_ROOT_PATH:-/record-manager}/services/auth/"
       KC_HOSTNAME_STRICT_BACKCHANNEL: false
       KC_HTTP_ENABLED: true
       KEYCLOAK_ADMIN: ${KC_ADMIN_USER}
@@ -94,15 +128,15 @@ services:
       VOCABULARY_USER_EMAIL: "http://xmlns.com/foaf/0.1/mbox"
       ADD_ACCOUNTS: false
       REALM_ID: "record-manager"
-    ports:
-      - "127.0.0.1:8088:8080"
+    expose:
+      - "8080"
     volumes:
       - auth-server:/opt/keycloak/data
-      - ./keycloak:/opt/keycloak/data/import
+      - ../shared/keycloak:/opt/keycloak/data/import
     depends_on:
       - auth-server-db
 
 volumes:
-  data:
+  db-server:
   auth-server:
   auth-server-db:
diff --git a/deploy/keycloak-auth/keycloak/realm-export.json b/deploy/keycloak-auth/keycloak/realm-export.json
@@ -418,8 +418,8 @@
           "attributes": {}
         }
       ],
-      "record-manager": [],
-      "record-manager-ui": []
+      "record-manager-server": [],
+      "record-manager": []
     }
   },
   "groups": [],
@@ -547,7 +547,9 @@
       "redirectUris": [
         "/realms/record-manager/account/*"
       ],
-      "webOrigins": [],
+      "webOrigins": [
+        "http://localhost"
+      ],
       "notBefore": 0,
       "bearerOnly": false,
       "consentRequired": false,
@@ -705,9 +707,9 @@
     },
     {
       "id": "34eebec0-1e19-4eab-af04-8729a1de47f4",
-      "clientId": "record-manager",
-      "name": "Record Manager",
-      "description": "Record Manager backend",
+      "clientId": "record-manager-server",
+      "name": "Record Manager Server",
+      "description": "Record Manager server",
       "rootUrl": "",
       "adminUrl": "",
       "baseUrl": "",
@@ -758,21 +760,21 @@
     },
     {
       "id": "d6e815c8-6fd6-4ef6-acf7-2c099b5010fc",
-      "clientId": "record-manager-ui",
-      "name": "Record Manager UI",
+      "clientId": "record-manager",
+      "name": "Record Manager",
       "description": "Record Manager frontend",
-      "rootUrl": "http://localhost:3000",
-      "adminUrl": "http://localhost:3000",
-      "baseUrl": "http://localhost:3000",
+      "rootUrl": "http://localhost",
+      "adminUrl": "http://localhost",
+      "baseUrl": "http://localhost",
       "surrogateAuthRequired": false,
       "enabled": true,
       "alwaysDisplayInConsole": false,
       "clientAuthenticatorType": "client-secret",
       "redirectUris": [
-        "http://localhost:3000/*"
+        "http://localhost/*"
       ],
       "webOrigins": [
-        "http://localhost:3000"
+        "http://localhost"
       ],
       "notBefore": 0,
       "bearerOnly": false,

diff --git a/deploy/keycloak-auth/nginx/error.html b/deploy/keycloak-auth/nginx/error.html
@@ -0,0 +1,38 @@
+<!-- Record manager Nginx reverse proxy-->
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <title>
+      <!--# echo var="status" default="" -->
+      | Record manager
+    </title>
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <!--# if expr="$status = 502" -->
+      <meta http-equiv="refresh" content="2">
+    <!--# endif -->
+  </head>
+  <style type="text/css">
+    body {
+      font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
+      color: #fff;
+      height: 100vh;
+      margin: 0;
+      background: #263238 linear-gradient(5deg, #057fa5 0%, #263238 100%);
+      display: flex;
+      flex-direction: column;
+      align-items: center;
+      justify-content: center;
+    }
+  </style>
+<body>
+  <!--# if expr="$status = 502" -->
+     <h1>The application is currently being updated</h1>
+     <p>You will be redirected to the new version in a few seconds.</p>
+     <p>If you see this message for more than a minute, something has gone wrong.</p>
+   <!--# else -->
+     <h1>Sorry, something went wrong.</h1>
+    <p><!--# echo var="status" default="" --></p>
+  <!--# endif -->
+</body>
+</html>