Skip to content

Example private data from backend #10

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
davidcheung merged 14 commits into from
Nov 19, 2020
Merged

Example private data from backend #10

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
089e204
add example auth-data to show in frontend
davidcheung Nov 13, 2020
05855d8
reorganize routes to leverage templating feature
davidcheung Nov 16, 2020
127e3bd
organize routes into folders
davidcheung Nov 16, 2020
bbdc3af
address comments
davidcheung Nov 16, 2020
2410132
fixup! address comments
davidcheung Nov 16, 2020
cacd782
oathkeeper rules
davidcheung Nov 17, 2020
b5ad8c2
fixup! oathkeeper rules
davidcheung Nov 17, 2020
fdf81a3
revert namespace changes
davidcheung Nov 17, 2020
d32360a
auth.yml should be merge instead of resource
davidcheung Nov 17, 2020
01cb153
add explanation for commenting out ingress
davidcheung Nov 17, 2020
679c006
add explanation on oathkeeper rules
davidcheung Nov 18, 2020
8de5ebd
comments in overlay as a guide updating the rules
davidcheung Nov 18, 2020
3c88127
default to private backend instead of public
davidcheung Nov 18, 2020
20e5089
infra to create oathkeeper proxy rules for kratos
davidcheung Nov 18, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 49 additions & 0 deletions templates/kubernetes/base/auth.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
## Backend public endpoint
# pattern: http://<proxy>/<not [/.ory/kratos and /api]>
# In example this is serves the infoPanel data, and the status endpoints that don't require user auth
apiVersion: oathkeeper.ory.sh/v1alpha1
kind: Rule
metadata:
name: public-backend-endpoints
spec:
upstream:
url: http://<% .Name %>.<% .Name %>
preserveHost: true
match:
# url: http://<backend_service_domain>/<(?!(api|\.ory\/kratos)).*>
methods:
- GET
- POST
authenticators:
- handler: noop
authorizer:
handler: allow
mutators:
- handler: noop
---
## Backend User-restricted endpoint
# pattern: http://<proxy>//api
# In example this is serves the /userInfo endpoint returning the user-session's info (user_id / email)
# Note the authenticators is `cookie_session`,
# oathkeeper will verify the validity of session then pass along user-id/email in the Request Header
# these can be configured via infra's `oathkeeper-values.yml`
apiVersion: oathkeeper.ory.sh/v1alpha1
kind: Rule
metadata:
name: authenticated-backend-endpoints
spec:
upstream:
preserveHost: true
url: http://<% .Name %>.<% .Name %>
match:
# url: <backend_service_domain>/api/<.*>
methods:
- GET
- POST
authenticators:
- handler: cookie_session
authorizer:
handler: allow
mutators:
- handler: id_token
- handler: header
2 changes: 2 additions & 0 deletions templates/kubernetes/base/kustomization.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,8 @@ resources:
- deployment.yml
- service.yml
- cronjob.yml
<%if eq (index .Params `userAuth`) "yes" %>- auth.yml
<% end %>

configMapGenerator:
- name: <% .Name %>-config
Expand Down
25 changes: 25 additions & 0 deletions templates/kubernetes/overlays/production/auth.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
## Backend public endpoint
# pattern: http://<proxy>/status/*
# In example this is serves the infoPanel data, and the status endpoints that don't require user auth
apiVersion: oathkeeper.ory.sh/v1alpha1
kind: Rule
metadata:
name: public-backend-endpoints
spec:
match:
url: http://<% index .Params `productionBackendSubdomain` %><% index .Params `productionHostRoot` %>/status/<.*>
---
## Backend User-restricted endpoint
# pattern: http://<proxy>/<not [/.ory/kratos and /status]>
# In example this is serves the /userInfo endpoint returning the user-session's info (user_id / email)
# Note the authenticators is `cookie_session`,
# oathkeeper will verify the validity of session then pass along user-id/email in the Request Header
# these can be configured via infra's `oathkeeper-values.yml`
apiVersion: oathkeeper.ory.sh/v1alpha1
kind: Rule
metadata:
name: authenticated-backend-endpoints
spec:
match:
url: http://<% index .Params `productionBackendSubdomain` %><% index .Params `productionHostRoot` %>/<(?!(status|\.ory\/kratos)).*>

7 changes: 5 additions & 2 deletions templates/kubernetes/overlays/production/kustomization.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,13 @@ kind: Kustomization

patchesStrategicMerge:
- deployment.yml

<%if eq (index .Params `userAuth`) "yes" %>- auth.yml
<% end %>
resources:
- ../../base
- ingress.yml
<%if eq (index .Params `userAuth`) "yes" %>## userAuth enabled - Oathkeeper proxies to backend instead of ingress
# - ingress.yml
<% else %>- ingress.yml<% end %>
- pdb.yml

configMapGenerator:
Expand Down
24 changes: 24 additions & 0 deletions templates/kubernetes/overlays/staging/auth.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
## Backend public endpoint
# pattern: http://<proxy>/status/*
# In example this is serves the infoPanel data, and the status endpoints that don't require user auth
apiVersion: oathkeeper.ory.sh/v1alpha1
kind: Rule
metadata:
name: public-backend-endpoints
spec:
match:
url: http://<% index .Params `stagingBackendSubdomain` %><% index .Params `stagingHostRoot` %>/status/<.*>
---
## Backend User-restricted endpoint
# pattern: http://<proxy>//api
# In example this is serves the /userInfo endpoint returning the user-session's info (user_id / email)
# Note the authenticators is `cookie_session`,
# oathkeeper will verify the validity of session then pass along user-id/email in the Request Header
# these can be configured via infra's `oathkeeper-values.yml`
apiVersion: oathkeeper.ory.sh/v1alpha1
kind: Rule
metadata:
name: authenticated-backend-endpoints
spec:
match:
url: http://<% index .Params `stagingBackendSubdomain` %><% index .Params `stagingHostRoot` %>/<(?!(status|\.ory\/kratos)).*>
7 changes: 5 additions & 2 deletions templates/kubernetes/overlays/staging/kustomization.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,13 @@ kind: Kustomization

patchesStrategicMerge:
- deployment.yml

<%if eq (index .Params `userAuth`) "yes" %>- auth.yml
<% end %>
resources:
- ../../base
- ingress.yml
<%if eq (index .Params `userAuth`) "yes" %>## userAuth enabled - Oathkeeper proxies to backend instead of ingress
# - ingress.yml
<% else %>- ingress.yml<% end %>

configMapGenerator:
- name: <% .Name %>-config
Expand Down
63 changes: 10 additions & 53 deletions templates/src/app.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,63 +1,20 @@
var aws = require("aws-sdk");
var cfsign = require("aws-cloudfront-sign");
var dotenv = require("dotenv");
var express = require("express");
var morgan = require("morgan");

var { connect } = require("./db");

const statusRoutes = require("./app/status");
<%if eq (index .Params `fileUploads`) "yes" %>const fileRoutes = require("./app/file");
<% end %><%if eq (index .Params `userAuth`) "yes" %>const authRoutes = require("./app/auth");
<% end %>
dotenv.config();
var app = express();
app.use(morgan("combined"));
var s3 = new aws.S3();

app.get("/presigned/:key", (req, res) => {
var params = {
Bucket: process.env.S3_BUCKET,
Fields: {
key: req.params.key,
},
};

s3.createPresignedPost(params, (err, data) => {
if (err) {
console.error(err);
res.sendStatus(500);
} else {
console.log(data);
res.send(data);
}
});
});

app.get("/:key", (req, res) => {
var params = {
keypairId: process.env.CF_KEYPAIR_ID,
privateKeyString: process.env.CF_KEYPAIR_SECRET_KEY,
expireTime: new Date().getTime() + 30000, // defaults to 30s
};

var url = cfsign.getSignedUrl(
`https://files.${process.env.DOMAIN}/${req.params.key}`,
params
);

console.log(url);
res.redirect(url);
});

app.get("/status/ready", (req, res) => {
res.send("OK");
});

app.get("/status/alive", (req, res) => {
res.send("OK");
});

app.get("/status/about", (req, res) => {
res.send({
podName: process.env.POD_NAME,
});
});

app.use("/status", statusRoutes);
<%if eq (index .Params `userAuth`) "yes" %>app.use("/auth", authRoutes);
<% end %><%if eq (index .Params `fileUploads`) "yes" %>app.use("/file", fileRoutes);
<% end %>
var port = process.env.SERVER_PORT;
if (!port) {
port = 3000;
Expand Down
11 changes: 11 additions & 0 deletions templates/src/app/auth/index.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
var { Router } = require("express");

var { authMiddleware } = require("../../middleware/auth");

var router = Router()

router.get("/userInfo", authMiddleware, (req, res) => {
res.json(req.user);
});

module.exports = router;
43 changes: 43 additions & 0 deletions templates/src/app/file/index.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
var { Router } = require("express");
var aws = require("aws-sdk");
var cfsign = require("aws-cloudfront-sign");

var router = Router()
var s3 = new aws.S3();

router.get("/presigned/:key", (req, res) => {
var params = {
Bucket: process.env.S3_BUCKET,
Fields: {
key: req.params.key,
},
};

s3.createPresignedPost(params, (err, data) => {
if (err) {
console.error(err);
res.sendStatus(500);
} else {
console.log(data);
res.send(data);
}
});
});

router.get("/:key", (req, res) => {
var params = {
keypairId: process.env.CF_KEYPAIR_ID,
privateKeyString: process.env.CF_KEYPAIR_SECRET_KEY,
expireTime: new Date().getTime() + 30000, // defaults to 30s
};

var url = cfsign.getSignedUrl(
`https://files.${process.env.DOMAIN}/${req.params.key}`,
params
);

console.log(url);
res.redirect(url);
});

module.exports = router;
19 changes: 19 additions & 0 deletions templates/src/app/status/index.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
var { Router } = require("express");

var router = Router()

router.get("/ready", (req, res) => {
res.send("OK");
});

router.get("/alive", (req, res) => {
res.send("OK");
});

router.get("/about", (req, res) => {
res.send({
podName: process.env.POD_NAME,
});
});

module.exports = router;
25 changes: 25 additions & 0 deletions templates/src/middleware/auth/index.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
const authMiddleware = (req, res, next) => {
/** Expecting oathkeeper to pass on user identity in headers
* (note nodejs converts all headers to lowercase)
* 1. X-User-Id
* 2. X-User-Email
* */
const hasUserData = req.headers["x-user-id"] && req.headers["x-user-email"];
if (!hasUserData) {
res.status(401);
res.json({
success: false,
message: "unauthenticated",
});
} else {
req.user = {
id: req.headers["x-user-id"],
email: req.headers["x-user-email"],
};
next();
}
};

module.exports = {
authMiddleware,
};
22 changes: 22 additions & 0 deletions zero-module.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -84,3 +84,25 @@ parameters:
options:
- "yes"
- "no"
- field: userAuth
label: Enable user management using Kratos and authentication using the Oathkeeper access proxy?
default: yes
options:
- "yes"
- "no"

conditions:
- action: ignoreFile
matchField: fileUploads
whenValue: "no"
data:
- src/app/file
- action: ignoreFile
matchField: userAuth
whenValue: "no"
data:
- src/middleware/auth
- src/app/auth
- kubernetes/base/auth.yml
- kubernetes/overlays/staging/auth.yml
- kubernetes/overlays/production/auth.yml