From 2c832c0000165c03478a1f308e6c0bdfd150777c Mon Sep 17 00:00:00 2001 From: Sia Dev Date: Wed, 9 Dec 2020 13:50:17 +0100 Subject: [PATCH] Add Oathkeeper (broken SSL on login) --- docker-compose.override.yml.DISABLED | 92 +++++++++++++++++++++ docker-compose.yml | 28 +++++-- docker/kratos/oathkeeper/access-rules.yml | 62 ++++++++++++++ docker/kratos/oathkeeper/id_token.jwks.json | 19 +++++ docker/kratos/oathkeeper/oathkeeper.yml | 91 ++++++++++++++++++++ docker/nginx/conf.d/client.conf | 10 +-- 6 files changed, 292 insertions(+), 10 deletions(-) create mode 100644 docker-compose.override.yml.DISABLED create mode 100644 docker/kratos/oathkeeper/access-rules.yml create mode 100644 docker/kratos/oathkeeper/id_token.jwks.json create mode 100644 docker/kratos/oathkeeper/oathkeeper.yml diff --git a/docker-compose.override.yml.DISABLED b/docker-compose.override.yml.DISABLED new file mode 100644 index 00000000..b30007cd --- /dev/null +++ b/docker-compose.override.yml.DISABLED 
@@ -0,0 +1,92 @@ +version: "3.7" + +services: + sia: + build: + args: + branch: master + + kratos-migrate: + image: oryd/kratos:v0.5.4-alpha.1 + container_name: kratos-migrate + environment: + - DSN=mysql://root:${MYSQL_ROOT_PASSWORD}@tcp(mysql:3306)/mysql?max_conns=20&max_idle_conns=4 + volumes: + - + type: volume + source: kratos-sqlite + target: /var/lib/sqlite + read_only: false + - + type: bind + source: ./docker//kratos/config + target: /etc/config/kratos + command: + -c /etc/config/kratos/kratos.yml migrate sql -e --yes + restart: on-failure + networks: + shared: + ipv4_address: 10.10.10.95 + + kratos-selfservice-ui-node: + image: oryd/kratos-selfservice-ui-node:v0.5.0-alpha.1 + container_name: kratos-selfservice-ui-node + ports: + - "4455:4455" + environment: + - PORT=4455 + - SECURITY_MODE= + - BASE_URL=https://${DOMAIN_NAME}/secure/ + - KRATOS_BROWSER_URL=https:///siasky.xyz/secure/ + - KRATOS_PUBLIC_URL=http://kratos:4433/ + - KRATOS_ADMIN_URL=http://kratos:4434/ + networks: + shared: + ipv4_address: 10.10.10.96 + restart: on-failure + + kratos: + container_name: kratos + depends_on: + - kratos-migrate + image: oryd/kratos:v0.5.4-alpha.1 + ports: + - "4433:4433" # public + - "4434:4434" # admin + restart: unless-stopped + environment: + - DSN=mysql://root:${MYSQL_ROOT_PASSWORD}@tcp(mysql:3306)/mysql?max_conns=20&max_idle_conns=4 + - LOG_LEVEL=trace + command: + serve -c /etc/config/kratos/kratos.yml + volumes: + - + type: volume + source: kratos-sqlite + target: /var/lib/sqlite + read_only: false + - + type: bind + source: ./docker/kratos/config + target: /etc/config/kratos + - + type: bind + source: ./.kratos.yml + target: /etc/config/kratos/kratos.yml + networks: + shared: + ipv4_address: 10.10.10.97 + + mysql: + image: mysql:5.7 + container_name: mysql + ports: + - "3306:3306" + environment: + - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD} + networks: + shared: + ipv4_address: 10.10.10.98 + +volumes: + kratos-sqlite: 
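Review bot: The `kratos` service publishes its admin API to the host with `- "4434:4434" # admin`, and `mysql` publishes `- "3306:3306"` while the DSN uses the root credentials; the Kratos admin API carries no authentication of its own, so if this override is ever re-enabled, anything that can reach the host can administer identities and the identity database. Switch both to `expose:` (as the new `oathkeeper` service in `docker-compose.yml` does) and publish at most the public port 4433. Two smaller problems in the same hunk: `KRATOS_BROWSER_URL=https:///siasky.xyz/secure/` has a stray third slash, and the DSN targets MySQL's system database (`.../mysql`) as root instead of a dedicated database and user. Because the file is shipped as `.DISABLED` none of this is live today, but it becomes live the moment the suffix is removed, so it is safer to fix it now than to rely on the rename never happening.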
diff --git a/docker-compose.yml b/docker-compose.yml index f91efad0..1fbbd103 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -209,6 +209,7 @@ services: environment: - DSN=cockroach://root@cockroachd:26257/defaultdb?sslmode=disable&max_conns=20&max_idle_conns=4 - LOG_LEVEL=trace + - SERVE_PUBLIC_BASE_URL=http://siasky.xyz/secure/.ory/kratos/public/ command: serve -c /etc/config/kratos/kratos.yml volumes: - ./docker/kratos/config:/etc/config/kratos @@ -232,19 +233,36 @@ services: container_name: kratos-selfservice-ui-node restart: on-failure logging: *default-logging - ports: - - "4455:4455" environment: - - PORT=4455 - - SECURITY_MODE= + - PORT=4435 + - SECURITY_MODE=jwks - BASE_URL=https://siasky.xyz/secure/ - - KRATOS_BROWSER_URL=https://siasky.xyz/secure/ + - KRATOS_BROWSER_URL=https://siasky.xyz/secure/.ory/kratos/public + - JWKS_URL=http://oathkeeper:4456/.well-known/jwks.json - KRATOS_PUBLIC_URL=http://kratos:4433/ - KRATOS_ADMIN_URL=http://kratos:4434/ networks: shared: ipv4_address: 10.10.10.82 + oathkeeper: + image: oryd/oathkeeper:v0.38 + depends_on: + - kratos + expose: + - 4455 + - 4456 + command: + serve proxy -c "/etc/config/oathkeeper/oathkeeper.yml" + environment: + - LOG_LEVEL=debug + volumes: + - ./docker/kratos/oathkeeper:/etc/config/oathkeeper + restart: on-failure + networks: + shared: + ipv4_address: 10.10.10.83 + cockroachd: image: cockroachdb/cockroach:v20.1.0 container_name: cockroachd diff --git a/docker/kratos/oathkeeper/access-rules.yml b/docker/kratos/oathkeeper/access-rules.yml new file mode 100644 index 00000000..e6c5d395 --- /dev/null +++ b/docker/kratos/oathkeeper/access-rules.yml 
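Review bot: `SERVE_PUBLIC_BASE_URL=http://siasky.xyz/secure/.ory/kratos/public/` uses plain `http`, while the UI's `BASE_URL` and `KRATOS_BROWSER_URL` in the next hunk are `https://siasky.xyz/...`; Kratos derives the browser-facing flow and redirect URLs from this base, so the login and registration forms are likely to be posted to a cleartext URL, which plausibly is the "broken SSL on login" named in the subject. Change it to `- SERVE_PUBLIC_BASE_URL=https://siasky.xyz/secure/.ory/kratos/public/`, and consider sourcing the host from the same variable the override file uses (`${DOMAIN_NAME}`) rather than hardcoding it in three places. The `environment:` block this line joins begins before the hunk.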
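Review bot: The new `oathkeeper` service is the policy enforcement point for everything under `/secure`, yet it is pinned only to a floating minor tag, `image: oryd/oathkeeper:v0.38`, whereas the Kratos images in the same file are pinned to exact releases (`v0.5.4-alpha.1`); pin it to a full release tag so a routine pull cannot silently change what enforces authentication. It also runs with `LOG_LEVEL=debug`, and at debug level a reverse proxy may log request headers including the `ory_kratos_session` cookie it authenticates with, so use `- LOG_LEVEL=info` outside development. Finally, the service omits the `logging: *default-logging` anchor that the neighbouring `kratos-selfservice-ui-node` service carries, so its log handling differs from the rest of the stack for no stated reason.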
@@ -0,0 +1,62 @@ +- + id: "ory:kratos:public" + upstream: + preserve_host: true + url: "http://kratos:4433" + strip_path: /.ory/kratos/public + match: + url: "http://oathkeeper:4455/.ory/kratos/public/<**>" + methods: + - GET + - POST + - PUT + - DELETE + - PATCH + authenticators: + - + handler: noop + authorizer: + handler: allow + mutators: + - handler: noop + +- + id: "ory:kratos-selfservice-ui-node:anonymous" + upstream: + preserve_host: true + url: "http://kratos-selfservice-ui-node:4435" + match: + url: "http://oathkeeper:4455/<{error,recovery,verify,auth/*,**.css,**.js}{/,}>" + methods: + - GET + authenticators: + - + handler: anonymous + authorizer: + handler: allow + mutators: + - + handler: noop + +- + id: "ory:kratos-selfservice-ui-node:protected" + upstream: + preserve_host: true + url: "http://kratos-selfservice-ui-node:4435" + match: + url: "http://oathkeeper:4455/<{,debug,dashboard,settings}>" + methods: + - GET + authenticators: + - + handler: cookie_session + authorizer: + handler: allow + mutators: + - handler: id_token + errors: + - handler: redirect + config: + #to: http://oathkeeper:4455/auth/login + to: https://siasky.xyz/secure/auth/login + diff --git a/docker/kratos/oathkeeper/id_token.jwks.json b/docker/kratos/oathkeeper/id_token.jwks.json new file mode 100644 index 00000000..719f2c7f --- /dev/null +++ b/docker/kratos/oathkeeper/id_token.jwks.json 
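Review bot: The `ory:kratos-selfservice-ui-node:protected` rule serves `/debug` to any authenticated session alongside `/dashboard` and `/settings`, and the `id_token` mutator on that same rule hands the UI a signed token carrying the whole session; if the UI's debug page renders that session and token, which is what such a route exists for as far as I can tell, this is a token-disclosure page on a production host. Drop `debug` from `url: "http://oathkeeper:4455/<{,debug,dashboard,settings}>"` or move it to its own rule that is only enabled in development, and document the choice with a comment above the rule such as `# /debug renders the session and ID token; keep it out of production`. Note also that `ory:kratos:public` forwards every method with `noop`/`allow`, which is correct for the self-service API but means nothing in this file limits access to `/sessions/whoami` beyond what Kratos itself enforces.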
@@ -0,0 +1,19 @@ +{ + "keys": [ + { + "use": "sig", + "kty": "RSA", + "kid": "a2aa9739-d753-4a0d-87ee-61f101050277", + "alg": "RS256", + "n": "zpjSl0ySsdk_YC4ZJYYV-cSznWkzndTo0lyvkYmeBkW60YHuHzXaviHqonY_DjFBdnZC0Vs_QTWmBlZvPzTp4Oni-eOetP-Ce3-B8jkGWpKFOjTLw7uwR3b3jm_mFNiz1dV_utWiweqx62Se0SyYaAXrgStU8-3P2Us7_kz5NnBVL1E7aEP40aB7nytLvPhXau-YhFmUfgykAcov0QrnNY0DH0eTcwL19UysvlKx6Uiu6mnbaFE1qx8X2m2xuLpErfiqj6wLCdCYMWdRTHiVsQMtTzSwuPuXfH7J06GTo3I1cEWN8Mb-RJxlosJA_q7hEd43yYisCO-8szX0lgCasw", + "e": "AQAB", + "d": "x3dfY_rna1UQTmFToBoMn6Edte47irhkra4VSNPwwaeTTvI-oN2TO51td7vo91_xD1nw-0c5FFGi4V2UfRcudBv9LD1rHt_O8EPUh7QtAUeT3_XXgjx1Xxpqu5goMZpkTyGZ-B6JzOY3L8lvWQ_Qeia1EXpvxC-oTOjJnKZeuwIPlcoNKMRU-mIYOnkRFfnUvrDm7N9UZEp3PfI3vhE9AquP1PEvz5KTUYkubsfmupqqR6FmMUm6ulGT7guhBw9A3vxIYbYGKvXLdBvn68mENrEYxXrwmu6ITMh_y208M5rC-hgEHIAIvMu1aVW6jNgyQTunsGST3UyrSbwjI0K9UQ", + "p": "77fDvnfHRFEgyi7mh0c6fAdtMEMJ05W8NwTG_D-cSwfWipfTwJJrroWoRwEgdAg5AWGq-MNUzrubTVXoJdC2T4g1o-VRZkKKYoMvav3CvOIMzCBxBs9I_GAKr5NCSk7maksMqiCTMhmkoZ5RPuMYMY_YzxKNAbjBd9qFLfaVAqs", + "q": "3KEmPA2XQkf7dvtpY1Xkp1IfMV_UBdmYk7J6dB5BYqzviQWdEFvWaSATJ_7qV1dw0JDZynOgipp8gvoL-RepfjtArhPz41wB3J2xmBYrBr1sJ-x5eqAvMkQk2bd5KTor44e79TRIkmkFYAIdUQ5JdVXPA13S8WUZfb_bAbwaCBk", + "dp": "5uyy32AJkNFKchqeLsE6INMSp0RdSftbtfCfM86fZFQno5lA_qjOnO_avJPkTILDT4ZjqoKYxxJJOEXCffNCPPltGvbE5GrDXsUbP8k2-LgWNeoml7XFjIGEqcCFQoohQ1IK4DTDN6cmRh76C0e_Pbdh15D6TydJEIlsdGuu_kM", + "dq": "aegFNYCEojFxeTzX6vIZL2RRSt8oJKK-Be__reu0EUzYMtr5-RdMhev6phFMph54LfXKRc9ZOg9MQ4cJ5klAeDKzKpyzTukkj6U20b2aa8LTvxpZec6YuTVSxxu2Ul71IGRQijTNvVIiXWLGddk409Ub6Q7JqkyQfvdwhpWnnUk", + "qi": "P68-EwgcRy9ce_PZ75c909cU7dzCiaGcTX1psJiXmQAFBcG0msWfsyHGbllOZG27pKde78ORGJDYDNk1FqTwsogZyCP87EiBmOoqXWnMvKYfJ1DOx7x42LMAGwMD3bgQj9jgRACxFJG4n3NI6uFlFruyl_CLQzwW_rQFHshLK7Q" + } + ] +} + diff --git a/docker/kratos/oathkeeper/oathkeeper.yml b/docker/kratos/oathkeeper/oathkeeper.yml new file mode 100644 index 00000000..e31ef77c --- /dev/null +++ b/docker/kratos/oathkeeper/oathkeeper.yml 
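Review bot: This file checks a complete RSA private key into the repository: the `d`, `p`, `q`, `dp`, `dq` and `qi` members are all present, and `oathkeeper.yml` signs ID tokens with exactly this key while the UI (`SECURITY_MODE=jwks`, `JWKS_URL`) trusts it. Anyone with read access to the repository can therefore mint an ID token for any subject that the UI will accept, so the key must be treated as compromised and rotated. Generate a fresh key per deployment (Oathkeeper's `credentials generate` subcommand does this), mount it from outside the repository the way `.kratos.yml` is bind-mounted in the override file, and keep only the public members (`kty`, `kid`, `alg`, `use`, `n`, `e`) in anything that is committed. If this key was copied from a public example project it is already public regardless of this repository's visibility. Use a new `kid` when regenerating so tokens signed with the old key stop validating.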
@@ -0,0 +1,91 @@ +log: + level: debug + format: json + +serve: + proxy: + cors: + enabled: true + allowed_origins: + - "*" + allowed_methods: + - POST + - GET + - PUT + - PATCH + - DELETE + allowed_headers: + - Authorization + - Content-Type + exposed_headers: + - Content-Type + allow_credentials: true + debug: true + +errors: + fallback: + - json + + handlers: + redirect: + enabled: true + config: + #to: http://oathkeeper:4455/auth/login + to: https://siasky.xyz/secure/auth/login + when: + - + error: + - unauthorized + - forbidden + request: + header: + accept: + - text/html + json: + enabled: true + config: + verbose: true + +access_rules: + matching_strategy: glob + repositories: + - file:///etc/config/oathkeeper/access-rules.yml + +authenticators: + anonymous: + enabled: true + config: + subject: guest + + cookie_session: + enabled: true + config: + check_session_url: http://kratos:4433/sessions/whoami + preserve_path: true + extra_from: "@this" + subject_from: "identity.id" + only: + - ory_kratos_session + + noop: + enabled: true + +authorizers: + allow: + enabled: true + +mutators: + noop: + enabled: true + + id_token: + enabled: true + config: + #issuer_url: http://oathkeeper:4455/ + issuer_url: https://siasky.xyz/ + jwks_url: file:///etc/config/oathkeeper/id_token.jwks.json + claims: | + { + "session": {{ .Extra | toJson }} + } + diff --git a/docker/nginx/conf.d/client.conf b/docker/nginx/conf.d/client.conf index d641e148..704e37a6 100644 --- a/docker/nginx/conf.d/client.conf +++ b/docker/nginx/conf.d/client.conf 
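Review bot: `serve.proxy.cors` combines `allowed_origins: - "*"` with `allow_credentials: true`; browsers reject a wildcard origin on credentialed responses, and if the proxy reflects the requesting origin to satisfy that combination, any site can make cookie-bearing cross-origin requests to the session-gated routes, so list the real origin instead, `allowed_origins:` / `  - https://siasky.xyz`. The `debug: true` under `serve.proxy` and `log.level: debug` should likewise be off outside development, since they widen what is recorded about each proxied request and its headers. Separately, `extra_from: "@this"` together with the claims template `"session": {{ .Extra | toJson }}` copies the entire `/sessions/whoami` response, identity traits included, into every ID token handed to the UI; that may be intended, but it deserves a comment above `id_token:` saying so, e.g. `# The full whoami response (including identity traits) is embedded in the token`.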
@@ -320,13 +320,13 @@ server { location /secure { rewrite /secure/(.*) /$1 break; - proxy_pass http://kratos-selfservice-ui-node:4455; + proxy_pass http://oathkeeper:4455; } - location /secure/self-service { - rewrite /secure/(.*) /$1 break; - proxy_pass http://kratos:4433; - } + #location /secure/self-service { + # rewrite /secure/self-service/(.*) /$1 break; + # proxy_pass http://oathkeeper:4455; + #} # include custom locations, specific to the server include /etc/nginx/conf.d/server-override/*;
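Review bot: `location /secure` now proxies to Oathkeeper with no `proxy_set_header` at all, so the TLS-terminating nginx never tells the upstream chain that the client request was HTTPS; Kratos and the UI have no `X-Forwarded-Proto` to build `https://` URLs from, which is a likely contributor to the broken SSL login named in the subject. Add `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header X-Forwarded-Host $host;` beside `proxy_pass http://oathkeeper:4455;`, but do not override `Host` itself, since the rules in `access-rules.yml` appear to match on `http://oathkeeper:4455/...` and would stop matching if nginx forwarded the public hostname. The commented-out `/secure/self-service` block is dead configuration and is better deleted than kept as a comment, given that `/secure` already routes those paths through Oathkeeper. The enclosing `server` block begins before this hunk.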