fix(plugins): implement plugin JWTs, ping/prune (#339)

cryostatio · Mar 27, 2024 · 1f57e15 · 1f57e15
1 parent ef9d56b
commit 1f57e15
Show file tree

Hide file tree

Showing 13 changed files with 804 additions and 102 deletions.
diff --git a/compose/auth_proxy.yml b/compose/auth_proxy.yml
@@ -4,11 +4,13 @@ services:
     expose:
       - "${CRYOSTAT_HTTP_PORT}"
     environment:
+      CRYOSTAT_HTTP_PROXY_HOST: auth
+      CRYOSTAT_HTTP_PROXY_PORT: '8080'
       QUARKUS_HTTP_PROXY_PROXY_ADDRESS_FORWARDING: 'true'
       QUARKUS_HTTP_PROXY_ALLOW_X_FORWARDED: 'true'
       QUARKUS_HTTP_PROXY_ENABLE_FORWARDED_HOST: 'true'
       QUARKUS_HTTP_PROXY_ENABLE_FORWARDED_PREFIX: 'true'
-      QUARKUS_HTTP_PROXY_TRUSTED_PROXIES: localhost:8080,auth:8080
+      QUARKUS_HTTP_PROXY_TRUSTED_PROXIES: 127.0.0.1:${CRYOSTAT_HTTP_PORT}
     healthcheck:
       test: curl --fail http://cryostat:8181/health/liveness || exit 1
       interval: 10s

diff --git a/compose/sample-apps.yml b/compose/sample-apps.yml
@@ -4,7 +4,7 @@ services:
     depends_on:
       cryostat:
         condition: service_healthy
-    image: ${VERTX_FIB_DEMO_IMAGE:-quay.io/andrewazores/vertx-fib-demo:0.13.0}
+    image: ${VERTX_FIB_DEMO_IMAGE:-quay.io/andrewazores/vertx-fib-demo:0.13.1}
     hostname: vertx-fib-demo-1
     environment:
       HTTP_PORT: 8081
@@ -15,11 +15,13 @@ services:
       CRYOSTAT_AGENT_WEBSERVER_HOST: "sample-app-1"
       CRYOSTAT_AGENT_WEBSERVER_PORT: "8910"
       CRYOSTAT_AGENT_CALLBACK: "http://sample-app-1:8910/"
-      CRYOSTAT_AGENT_BASEURI: "http://cryostat:${CRYOSTAT_HTTP_PORT}/"
+      CRYOSTAT_AGENT_BASEURI: "http://${CRYOSTAT_HTTP_HOST}:8080/"
       CRYOSTAT_AGENT_TRUST_ALL: "true"
       CRYOSTAT_AGENT_AUTHORIZATION: Basic dXNlcjpwYXNz
     ports:
       - "8081:8081"
+    expose:
+      - "8910"
     labels:
       io.cryostat.discovery: "true"
       io.cryostat.jmxHost: "sample-app-1"
@@ -35,7 +37,7 @@ services:
     depends_on:
       cryostat:
         condition: service_healthy
-    image: ${VERTX_FIB_DEMO_IMAGE:-quay.io/andrewazores/vertx-fib-demo:0.13.0}
+    image: ${VERTX_FIB_DEMO_IMAGE:-quay.io/andrewazores/vertx-fib-demo:0.13.1}
     hostname: vertx-fib-demo-2
     environment:
       HTTP_PORT: 8082
@@ -47,11 +49,13 @@ services:
       CRYOSTAT_AGENT_WEBSERVER_HOST: "sample-app-2"
       CRYOSTAT_AGENT_WEBSERVER_PORT: "8911"
       CRYOSTAT_AGENT_CALLBACK: "http://sample-app-2:8911/"
-      CRYOSTAT_AGENT_BASEURI: "http://cryostat:${CRYOSTAT_HTTP_PORT}/"
+      CRYOSTAT_AGENT_BASEURI: "http://${CRYOSTAT_HTTP_HOST}:8080/"
       CRYOSTAT_AGENT_TRUST_ALL: "true"
       CRYOSTAT_AGENT_AUTHORIZATION: "Basic dXNlcjpwYXNz"
     ports:
       - "8082:8082"
+    expose:
+      - "8911"
     restart: always
     healthcheck:
       test: curl --fail http://localhost:8081 || exit 1
@@ -63,7 +67,7 @@ services:
     depends_on:
       cryostat:
         condition: service_healthy
-    image: ${VERTX_FIB_DEMO_IMAGE:-quay.io/andrewazores/vertx-fib-demo:0.13.0}
+    image: ${VERTX_FIB_DEMO_IMAGE:-quay.io/andrewazores/vertx-fib-demo:0.13.1}
     hostname: vertx-fib-demo-3
     environment:
       HTTP_PORT: 8083
@@ -74,13 +78,15 @@ services:
       CRYOSTAT_AGENT_WEBCLIENT_SSL_TRUST_ALL: "true"
       CRYOSTAT_AGENT_WEBCLIENT_SSL_VERIFY_HOSTNAME: "false"
       CRYOSTAT_AGENT_WEBSERVER_HOST: "sample-app-3"
-      CRYOSTAT_AGENT_WEBSERVER_PORT: "8910"
+      CRYOSTAT_AGENT_WEBSERVER_PORT: "8912"
       CRYOSTAT_AGENT_CALLBACK: "http://sample-app-3:8912/"
-      CRYOSTAT_AGENT_BASEURI: "http://cryostat:${CRYOSTAT_HTTP_PORT}/"
+      CRYOSTAT_AGENT_BASEURI: "http://${CRYOSTAT_HTTP_HOST}:8080/"
       CRYOSTAT_AGENT_TRUST_ALL: "true"
       CRYOSTAT_AGENT_AUTHORIZATION: "Basic dXNlcjpwYXNz"
     ports:
       - "8083:8083"
+    expose:
+      - "8912"
     restart: always
     healthcheck:
       test: curl --fail http://localhost:8081 || exit 1
@@ -104,7 +110,7 @@ services:
       CRYOSTAT_AGENT_WEBSERVER_HOST: quarkus-test-agent
       CRYOSTAT_AGENT_WEBSERVER_PORT: 9977
       CRYOSTAT_AGENT_CALLBACK: http://quarkus-test-agent:9977/
-      CRYOSTAT_AGENT_BASEURI: http://cryostat:${CRYOSTAT_HTTP_PORT}/
+      CRYOSTAT_AGENT_BASEURI: http://${CRYOSTAT_HTTP_HOST}:8080/
       CRYOSTAT_AGENT_BASEURI_RANGE: public
       CRYOSTAT_AGENT_SSL_TRUST_ALL: "true"
       CRYOSTAT_AGENT_SSL_VERIFY_HOSTNAME: "false"

diff --git a/pom.xml b/pom.xml
@@ -24,6 +24,7 @@
     <org.apache.commons.lang3.version>3.13.0</org.apache.commons.lang3.version>
     <org.apache.commons.validator.version>1.7</org.apache.commons.validator.version>
     <org.projectnessie.cel.bom.version>0.3.21</org.projectnessie.cel.bom.version>
+    <com.nimbusds.jose.jwt.version>9.31</com.nimbusds.jose.jwt.version>
     <org.testcontainers.bom.version>1.19.7</org.testcontainers.bom.version>
     <quarkus.platform.artifact-id>quarkus-bom</quarkus.platform.artifact-id>
     <quarkus.platform.group-id>io.quarkus.platform</quarkus.platform.group-id>
@@ -165,6 +166,11 @@
       <artifactId>commons-validator</artifactId>
       <version>${org.apache.commons.validator.version}</version>
     </dependency>
+    <dependency>
+      <groupId>com.nimbusds</groupId>
+      <artifactId>nimbus-jose-jwt</artifactId>
+      <version>${com.nimbusds.jose.jwt.version}</version>
+    </dependency>
     <dependency>
       <groupId>io.quarkus</groupId>
       <artifactId>quarkus-rest-client-reactive-jackson</artifactId>

diff --git a/schema/openapi.yaml b/schema/openapi.yaml
@@ -1155,11 +1155,6 @@ paths:
               $ref: '#/components/schemas/JsonObject'
       responses:
         "200":
-          content:
-            application/json:
-              schema:
-                additionalProperties: {}
-                type: object
           description: OK
         "401":
           description: Not Authorized

diff --git a/smoketest.bash b/smoketest.bash
@@ -18,6 +18,7 @@ OPEN_TABS=${OPEN_TABS:-false}
 
 PRECREATE_BUCKETS=${PRECREATE_BUCKETS:-archivedrecordings,archivedreports,eventtemplates}
 
+CRYOSTAT_HTTP_HOST=${CRYOSTAT_HTTP_HOST:-cryostat}
 CRYOSTAT_HTTP_PORT=${CRYOSTAT_HTTP_PORT:-8080}
 USE_PROXY=${USE_PROXY:-true}
 DEPLOY_GRAFANA=${DEPLOY_GRAFANA:-true}
@@ -97,6 +98,7 @@ fi
 
 if [ "${USE_PROXY}" = "true" ]; then
     FILES+=("${DIR}/compose/auth_proxy.yml")
+    CRYOSTAT_HTTP_HOST=auth
     CRYOSTAT_HTTP_PORT=8181
     GRAFANA_DASHBOARD_EXT_URL=http://localhost:8080/grafana/
 else
@@ -106,6 +108,7 @@ else
     fi
     GRAFANA_DASHBOARD_EXT_URL=http://grafana:3000/
 fi
+export CRYOSTAT_HTTP_HOST
 export CRYOSTAT_HTTP_PORT
 export GRAFANA_DASHBOARD_EXT_URL
 

diff --git a/src/main/java/io/cryostat/ExceptionMappers.java b/src/main/java/io/cryostat/ExceptionMappers.java
@@ -24,6 +24,7 @@
 import io.cryostat.targets.TargetConnectionManager;
 import io.cryostat.util.EntityExistsException;
 
+import com.nimbusds.jwt.proc.BadJWTException;
 import io.netty.handler.codec.http.HttpResponseStatus;
 import io.smallrye.mutiny.TimeoutException;
 import jakarta.inject.Inject;
@@ -118,6 +119,12 @@ public RestResponse<Object> mapEntityExistsException(EntityExistsException ex) {
                 .build();
     }
 
+    @ServerExceptionMapper
+    public RestResponse<Void> mapBadJwtException(BadJWTException ex) {
+        logger.warn(ex);
+        return RestResponse.status(HttpResponseStatus.UNAUTHORIZED.code());
+    }
+
     @ServerExceptionMapper
     public RestResponse<Void> mapCompletionException(CompletionException ex) throws Throwable {
         logger.warn(ex);