Merge pull request #49 from MZC-CSC/main

add permissions ticket and docker deploy method

.env.sample

@@ -1,28 +1,29 @@
+## MCIAMMANAGER ENV SETUP
 ADDR=0.0.0.0
-PORT=4000 # this is for DEV env { :3000 to nginx, :5000 to deploy standalone }
+PORT=4000
 
-DATABASE_USER=db_user
-DATABASE_PASS=db_password
-DATABASE_HOST=db_host
-DATABASE=db
+## DB MODE
+MODE=standalone # [standalone|docker] both are same.
 
-DEV_DATABASE_URL=postgres://${DATABASE_USER}:${DATABASE_PASS}@${DATABASE_HOST}:5432/${DATABASE} # you can directly use this line for db connection
-DATABASE_URL=postgres://${DATABASE_USER}:${DATABASE_PASS}@${DATABASE_HOST}:5432/${DATABASE} # you can directly use this line for db connection
+## Resources Permission MODE
+USE_TICKET_VALID=true # [true|false] 
 
-KEYCLOAK_HOST=https://example.com
-KEYCLAOK_REALM=mciam
-KEYCLAOK_CLIENT=mciam
-KEYCLAOK_CLIENT_SECRET=mciamclientsecret
-KEYCLAOK_ADMIN=admin
-KEYCLAOK_ADMIN_PASSWORD=admin
+## docker postgres setup
+IAM_POSTGRES_USER=mciamdb
+IAM_POSTGRES_PASSWORD=mciamdbadmin
+IAM_POSTGRES_DATABASE_HOST=mc-iam-manager-db
+IAM_POSTGRES_DB=mciamdb
 
-MCINFRAMANAGER=http://example.com:1323/tumblebug
-MCINFRAMANAGER_APIUSERNAME=default
-MCINFRAMANAGER_APIPASSWORD=default
+## mciammanager db
+DATABASE_URL=postgres://${IAM_POSTGRES_USER}:${IAM_POSTGRES_PASSWORD}@${IAM_POSTGRES_DATABASE_HOST}:5432/${IAM_POSTGRES_DB}
 
-# SECURITY TOKEN FOR POC STS
-# YOU DONT NEED BELOW LINE FOR NORMAL DEPLOY
-AWSRoleArn=arn:aws:iam::xxxxxxxxx:role/xxxxxxxxxxxx
+## Keycloak
+KEYCLOAK_HOST=http://mc-iam-manager-kc:8080
+KEYCLAOK_REALM=mciamKeycloakRealm
+KEYCLAOK_CLIENT=mciamKeycloakClient
+KEYCLAOK_CLIENT_SECRET=testsecret
 
-AlibabaOIDCProviderArn=acs:ram::xxxxxxxxx:oidc-provider/xxxxxxxxx
-AlibabaRoleArn=acs:ram::xxxxxxxxx:role/xxxxxxxxx
+## mc-infra-manager
+MCINFRAMANAGER=http://example.com:1323/tumblebug
+MCINFRAMANAGER_APIUSERNAME=default
+MCINFRAMANAGER_APIPASSWORD=default

.gitignore

@@ -30,10 +30,8 @@ generated/
 !.yarn/releases
 !.yarn/sdks
 !.yarn/versions
-database.yml
 
-scripts/nginx/
-scripts/init/init.env
-scripts/init/init.env
+scripts/dockerfiles/import/realm-import.json
+!scripts/.env
+
 
-debugconsole/assets/*

Dockerfile → Dockerfile.mciammanager

@@ -15,7 +15,9 @@ RUN wget https://github.com/gobuffalo/cli/releases/download/v0.18.14/buffalo_0.1
 
 RUN mkdir -p /src/mc-iam-manager
 WORKDIR /src/mc-iam-manager
+
 ENV GOPROXY http://proxy.golang.org
+
 COPY go.mod go.mod
 COPY go.sum go.sum
 RUN go mod download
@@ -32,6 +34,6 @@ WORKDIR /bin/
 COPY --from=builder /bin/app .
 # ENV GO_ENV=production
 ENV ADDR=0.0.0.0 \
-    PORT=3000
-EXPOSE 3000
+    PORT=5000
+EXPOSE 5000
 CMD bash -c 'until /bin/app migrate; do echo "Migration failed. Retrying in 10 seconds..."; sleep 10; done; /bin/app'

actions/app.go

@@ -2,23 +2,22 @@ package actions
 
 import (
 	"net/http"
+	"strconv"
 	"sync"
 
+	"github.com/m-cmp/mc-iam-manager/handler"
 	"github.com/m-cmp/mc-iam-manager/middleware"
 	"github.com/m-cmp/mc-iam-manager/models"
 
 	"github.com/gobuffalo/buffalo"
 	"github.com/gobuffalo/buffalo-pop/v3/pop/popmw"
-	"github.com/gobuffalo/envy"
 	contenttype "github.com/gobuffalo/mw-contenttype"
 	i18n "github.com/gobuffalo/mw-i18n/v2"
 	paramlogger "github.com/gobuffalo/mw-paramlogger"
 	"github.com/gobuffalo/x/sessions"
 	"github.com/rs/cors"
 )
 
-var ENV = envy.Get("GO_ENV", "development")
-
 var (
 	app     *buffalo.App
 	appOnce sync.Once
@@ -28,7 +27,6 @@ var (
 func App() *buffalo.App {
 	appOnce.Do(func() {
 		app = buffalo.New(buffalo.Options{
-			Env:          ENV,
 			SessionStore: sessions.Null{},
 			PreWares: []buffalo.PreWare{
 				cors.Default().Handler,
@@ -41,7 +39,11 @@ func App() *buffalo.App {
 		app.Use(popmw.Transaction(models.DB))
 		app.Use(middleware.IsAuthMiddleware)
 		app.Use(middleware.SetContextMiddleware)
-		app.Use(middleware.IsTicketValidMiddleware)
+
+		// Resources Permission MODE
+		if yn, _ := strconv.ParseBool(handler.USE_TICKET_VALID); yn {
+			app.Use(middleware.IsTicketValidMiddleware)
+		}
 
 		//Readyz skip all middleware
 		app.Middleware.Skip(middleware.IsAuthMiddleware, readyz)
@@ -52,8 +54,8 @@ func App() *buffalo.App {
 		apiPath := "/api"
 
 		authPath := app.Group(apiPath + "/auth")
-		authPath.Middleware.Skip(middleware.IsAuthMiddleware, AuthLoginHandler, AuthLoginRefreshHandler, AuthLogoutHandler, AuthGetCerts, AuthGetTokenInfo, AuthGetUserValidate)
-		authPath.Middleware.Skip(middleware.SetContextMiddleware, AuthLoginHandler, AuthLoginRefreshHandler, AuthLogoutHandler, AuthGetCerts, AuthGetTokenInfo, AuthGetUserValidate)
+		authPath.Middleware.Skip(middleware.IsAuthMiddleware, AuthLoginHandler, AuthLoginRefreshHandler, AuthLogoutHandler, AuthGetCerts)
+		authPath.Middleware.Skip(middleware.SetContextMiddleware, AuthLoginHandler, AuthLoginRefreshHandler, AuthLogoutHandler, AuthGetCerts)
 		authPath.Middleware.Skip(middleware.IsTicketValidMiddleware, AuthLoginHandler, AuthLoginRefreshHandler, AuthLogoutHandler, AuthGetCerts, AuthGetTokenInfo, AuthGetUserValidate)
 		authPath.POST("/login", AuthLoginHandler)
 		authPath.POST("/login/refresh", AuthLoginRefreshHandler)

actions/auth.go

@@ -89,7 +89,6 @@ func AuthLogoutHandler(c buffalo.Context) error {
 
 func AuthGetUserInfo(c buffalo.Context) error {
 	accessToken := c.Value("accessToken").(string)
-
 	userinfo, err := keycloak.KeycloakGetUserInfo(accessToken)
 	if err != nil {
 		log.Println(err)
@@ -101,7 +100,6 @@ func AuthGetUserInfo(c buffalo.Context) error {
 
 func AuthGetTokenInfo(c buffalo.Context) error {
 	accessToken := c.Value("accessToken").(string)
-
 	tokeninfo, err := keycloak.KeycloakTokenInfo(accessToken)
 	if err != nil {
 		log.Println(err)

actions/roles.go

@@ -3,6 +3,8 @@ package actions
 import (
 	"log"
 	"net/http"
+	"strconv"
+	"strings"
 
 	"github.com/m-cmp/mc-iam-manager/handler"
 	"github.com/m-cmp/mc-iam-manager/handler/keycloak"
@@ -15,10 +17,15 @@ import (
 )
 
 type createRoleRequset struct {
-	Name        string       `json:"name" db:"name"`
-	Description nulls.String `json:"description" db:"description"`
+	Name         string       `json:"name" db:"name"`
+	Description  nulls.String `json:"description" db:"description"`
+	PlatformRole string       `json:"platformRole"`
 }
 
+var (
+	platformRolePrefix = "platform-"
+)
+
 func CreateRole(c buffalo.Context) error {
 	accessToken := c.Value("accessToken").(string)
 
@@ -38,53 +45,82 @@ func CreateRole(c buffalo.Context) error {
 		return c.Render(http.StatusBadRequest, r.JSON(map[string]string{"error": err.Error()}))
 	}
 
-	_, err = keycloak.KeycloakCreateRole(accessToken, req.Name, req.Description.String)
+	if yn, _ := strconv.ParseBool(req.PlatformRole); yn {
+		s.Name = platformRolePrefix + req.Name
+	}
+
+	_, err = keycloak.KeycloakCreateRole(accessToken, s.Name, s.Description.String)
 	if err != nil {
 		log.Println(err)
 		return c.Render(http.StatusInternalServerError, r.JSON(map[string]string{"error": err.Error()}))
 	}
 
-	policy, err := keycloak.KeycloakCreatePolicy(accessToken, req.Name, req.Description.String)
+	policy, err := keycloak.KeycloakCreatePolicy(accessToken, s.Name, s.Description.String)
 	if err != nil {
 		log.Println(err)
 		return c.Render(http.StatusInternalServerError, r.JSON(map[string]string{"error": err.Error()}))
 	}
 	s.Policy = *policy.ID
 
 	tx := c.Value("tx").(*pop.Connection)
-	res, err := handler.CreateRole(tx, &s)
+	roleRes, err := handler.CreateRole(tx, &s)
 	if err != nil {
 		log.Println(err)
 		err = handler.IsErrorContainsThen(err, "SQLSTATE 25P02", "Role is already exist..")
 		return c.Render(http.StatusInternalServerError, r.JSON(map[string]string{"error": err.Error()}))
 	}
 
-	return c.Render(http.StatusOK, r.JSON(res))
+	return c.Render(http.StatusOK, r.JSON(roleRes))
+}
+
+func platformRoleParser(resRoles *models.Roles, isPlatformRole bool) models.Roles {
+	var resultRoles models.Roles
+	prefixCheck := strings.HasPrefix
+	if !isPlatformRole {
+		prefixCheck = func(s, prefix string) bool { return !strings.HasPrefix(s, prefix) }
+	}
+
+	for _, role := range *resRoles {
+		if prefixCheck(role.Name, platformRolePrefix) {
+			resultRoles = append(resultRoles, role)
+		}
+	}
+
+	return resultRoles
 }
 
 func SearchRolesByName(c buffalo.Context) error {
 	var err error
 	roleName := c.Param("roleName")
 	option := c.Request().URL.Query().Get("option")
+	platformRole, _ := strconv.ParseBool(c.Request().URL.Query().Get("platformRole"))
 
 	tx := c.Value("tx").(*pop.Connection)
-	res, err := handler.SearchRolesByName(tx, roleName, option)
+	resRoles, err := handler.SearchRolesByName(tx, roleName, option)
 	if err != nil {
 		log.Println(err)
 		return c.Render(http.StatusInternalServerError, r.JSON(map[string]string{"error": err.Error()}))
 	}
-	return c.Render(http.StatusOK, r.JSON(res))
+
+	resultRoles := platformRoleParser(resRoles, platformRole)
+
+	return c.Render(http.StatusOK, r.JSON(resultRoles))
 }
 
 func GetRoleList(c buffalo.Context) error {
 	var err error
 	tx := c.Value("tx").(*pop.Connection)
+	platformRole, _ := strconv.ParseBool(c.Request().URL.Query().Get("platformRole"))
+
 	res, err := handler.GetRoleList(tx)
 	if err != nil {
 		log.Println(err)
 		return c.Render(http.StatusInternalServerError, r.JSON(map[string]string{"error": err.Error()}))
 	}
-	return c.Render(http.StatusOK, r.JSON(res))
+
+	resultRoles := platformRoleParser(res, platformRole)
+
+	return c.Render(http.StatusOK, r.JSON(resultRoles))
 }
 
 func GetRoleById(c buffalo.Context) error {

database.yml

@@ -1,6 +1,6 @@
 ---
-development:
-  url: {{envOr "DEV_DATABASE_URL" "postgres://postgres:postgres@db:5432/mc_iam_manager_development?sslmode=disable"}}
+standalone:
+  url: {{envOr "DATABASE_URL" "postgres://postgres:postgres@db:5432/mc_iam_manager_development?sslmode=disable"}}
 
-production:
-  url: {{envOr "DATABASE_URL" "postgres://postgres:postgres@db:5432/mc_iam_manager_production?sslmode=disable"}}
+docker:
+  url: {{envOr "DATABASE_URL" "postgres://postgres:postgres@db:5432/mc_iam_manager_development?sslmode=disable"}}