.env.dist

.env.dist

@@ -0,0 +1,23 @@
+TRACING_PROVIDER=jaeger
+TRACING_PROVIDERS_JAEGER_SAMPLING_SERVER_URL=http://jaeger:5778/sampling
+TRACING_PROVIDERS_JAEGER_LOCAL_AGENT_ADDRESS=jaeger:6831
+TRACING_PROVIDERS_JAEGER_SAMPLING_TYPE=const
+TRACING_PROVIDERS_JAEGER_SAMPLING_VALUE=1
+LOG_LEAK_SENSITIVE_VALUES=true
+URLS_SELF_ISSUER=http://127.0.0.1:4444
+
+#URLS_CONSENT=http://hydra-login-consent-node.service.consul:3000/consent
+#URLS_LOGIN=http://hydra-login-consent-node.service.consul:3000/login
+#URLS_LOGOUT=http://hydra-login-consent-node.service.consul:3000/logout
+
+URLS_CONSENT=http://127.0.0.1:3000/consent
+URLS_LOGIN=http://127.0.0.1:3000/login
+URLS_LOGOUT=http://127.0.0.1:3000/logout
+
+STRATEGIES_ACCESS_TOKEN=jwt
+SECRETS_SYSTEM=dUjs9EV7BuyXUcckKBVrYOdacsggIkna
+OIDC_SUBJECT_IDENTIFIERS_SUPPORTED_TYPES=public
+OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT=dUjs9EV7BuyXUcckKBVrYOdacsggIkna
+SERVE_COOKIES_SAME_SITE_MODE=None
+SERVE_COOKIES_SAME_SITE_LEGACY_WORKAROUND=true
+DSN=postgres://hydra:secret@postgresd:5432/hydra?sslmode=disable&max_conns=20&max_idle_conns=4

.gitignore

@@ -0,0 +1 @@
+.env

Makefile

@@ -0,0 +1,49 @@
+
+.PHONY: help
+.DEFAULT_GOAL := help
+
+# Uppercase vars for internal use.
+UC = $(shell echo '$1' | tr '[:lower:]' '[:upper:]')
+LOG_ERROR = @printf "\n>> \e[0;31m$1\e[0;00m\n\n"
+LOG_WARN = @printf "\n>> \e[0;33m$1\e[0;00m\n\n"
+LOG_INFO = @printf "\n>> \e[0;34m$1\e[0;00m\n\n"
+LOG_SUCCESS = @printf "\n>> \e[0;36m$1\e[0;00m\n\n"
+LOG_SUBLINE = @printf "   \e[0;34m$1\e[0;00m\n\n"
+HYDRA_COMMAND = docker-compose -p kraken -f docker-compose.yml exec hydra
+
+help:
+	@perl -nle'print $& if m{^[a-zA-Z_-]+:.*?## .*$$}' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-10s\033[0m %s\n", $$1, $$2}'
+
+up: ## Docker: start compose stack
+	$(call LOG_INFO,Up (daemon))
+	docker-compose -p kraken up -d
+
+stop: ## Docker: stop compose stack
+	$(call LOG_INFO,Stop docker stack)
+	docker-compose -p kraken stop
+
+ps: ## Docker: show containers
+	$(call LOG_INFO, Docker containers)
+	docker-compose  -p kraken ps
+
+logs: ## Docker: show logs
+	docker-compose -p kraken logs -f
+
+generate_keys: ## Generowanie kluczy klienckich
+	${HYDRA_COMMAND} hydra clients create \
+    --endpoint http://127.0.0.1:4445 \
+    --id auth-code-client \
+    --secret secret \
+    --grant-types authorization_code,refresh_token \
+    --response-types code,id_token \
+    --scope openid,offline \
+    --callbacks http://127.0.0.1:5555/callback
+
+
+token_flow: ## Generowanie kluczy klienckich
+	${HYDRA_COMMAND} hydra token user \
+    --client-id auth-code-client \
+    --client-secret secret \
+    --endpoint http://127.0.0.1:4444/ \
+    --port 5555 \
+    --scope openid,offline

README.md

@@ -1,7 +1,29 @@
 # KrakenD api gateway playground
 
-Poszczególne etapy pracy i poznawania krakend w osobnych brancz'ach.
+## etap2 (JWT)
 
-Całość oparta do docker.
+Tutaj już będzie deko więcej roboty. Backend z etapu1, czyli prosty nie zabezpieczony serwer REST.
+
+Do naszej infrastruktury dodajemy usługę [Hydra](https://www.ory.sh/hydra/docs/), która jest dostawcą protokołu **OAuth2** oraz **OpenID** aby zabezpieczyć nasze api za pomocą [JWT](https://jwt.io/).
+
+W poprzednim przykładzie (etap1) KrakenD posłóżył nam do sekwencji zapytań do api i jednej odpowiedzi
+W tym etapie wprowadzimy nowy request zabezpieczony tokenem JWT:
+
+```mermaid
+sequenceDiagram
+    Użytkownik->>KrakenD: /jwt_access <br/>[Authorizaion: Bearer token]
+    KrakenD->>Hydra: .well-known/jwks.json
+    Hydra-->>KrakenD: jwk
+    KrakenD-->>KrakenD: validator <br/>[issuer]
+    KrakenD->>Backend: /users/1.json
+    Backend-->>KrakenD: response_0
+    KrakenD->>+Użytkownik: Response
+```
+
+Flow jest typowo testowy, na razie nie ma revoke jwt, a samo pobranie tokenu należy zrobić za pomocą pliku `Makefile`.
+
+
+Przykład wykorzystania KrakenD do zabezpieczenia bakendu za pomocą JWT:
+
+[![asciicast](https://asciinema.org/a/Py3dbR2m5Jt3FdhGI7eINtpdu.png)](https://asciinema.org/a/Py3dbR2m5Jt3FdhGI7eINtpdu)
 
-- etap1 (podstawka)

api-mocks/projects/1.json

@@ -0,0 +1,4 @@
+{
+	"owner": 1,
+	"name": "Simple project"
+}

api-mocks/users/1.json

@@ -0,0 +1,4 @@
+{
+	"id": 1,
+	"username": "test"
+}

api-mocks/users/2.json

@@ -0,0 +1,4 @@
+{
+	"id": 2,
+	"username": "test2"
+}

docker-compose.yml

@@ -0,0 +1,68 @@
+version: "3.8"
+services:
+
+  jaeger:
+    image: jaegertracing/all-in-one:latest
+    ports:
+      - "16686:16686"
+      - "14268:14268"
+
+  api:
+    image: paramah/lwan
+    volumes:
+      - ./api-mocks:/opt/lwan/wwwroot
+    ports:
+      - "8000:8080"
+  
+  hydra-migrate:
+    image: oryd/hydra:v1.8.5
+    environment:
+      - DSN=postgres://hydra:secret@postgresd:5432/hydra?sslmode=disable&max_conns=20&max_idle_conns=4
+    command:
+      migrate sql -e --yes
+    restart: on-failure
+
+  postgresd:
+    image: postgres:9.6
+    ports:
+      - "5432:5432"
+    environment:
+      - POSTGRES_USER=hydra
+      - POSTGRES_PASSWORD=secret
+      - POSTGRES_DB=hydra
+
+  hydra:
+    image: oryd/hydra:v1.8.5
+    ports:
+      - "4444:4444" # Public port
+      - "4445:4445" # Admin port
+      - "5555:5555" # Port for hydra token user
+    command:
+      serve all --dangerous-force-http
+    env_file: ./.env
+    restart: unless-stopped
+    depends_on:
+      - hydra-migrate
+
+  consent:
+    #image: oryd/hydra-login-consent-node:latest
+    image: paramah/consent:latest
+    environment:
+      - HYDRA_ADMIN_URL=http://hydra:4445
+      - BASE_URL=http://consent.service.consul:3000
+    ports:
+      - "3000:3000"
+    restart: unless-stopped
+
+  kraken:
+    image: devopsfaith/krakend:config-watcher
+    volumes:
+      - ./krakend:/etc/krakend
+    ports:
+      - "1234:1234"
+      - "8080:8080"
+      - "8091:8091"
+    depends_on:
+      - api
+      - jaeger
+

krakend/krakend.json

@@ -0,0 +1,95 @@
+{
+  "version": 2,
+  "timeout": "3000ms",
+  "cache_ttl": "300s",
+  "host": [
+    "http://api:8080"
+  ],
+  "extra_config": {
+    "github_com/devopsfaith/krakend-metrics": {
+      "listen_address": ":8091"
+    },
+    "github_com/devopsfaith/krakend-gologging": {
+      "level": "DEBUG",
+      "prefix": "[KRAKEND]",
+      "syslog": false,
+      "stdout": true
+    },
+    "github_com/devopsfaith/krakend-opencensus": {
+      "sample_rate": 100,
+      "reporting_period": 1,
+      "exporters": {
+        "jaeger": {
+          "endpoint": "http://jaeger:14268",
+          "service_name": "krakend"
+        }
+      }
+    },
+    "github_com/devopsfaith/krakend-cors": {
+      "allow_origins": [
+        "http://localhost:8000"
+      ],
+      "allow_methods": [
+        "POST",
+        "GET"
+      ],
+      "allow_headers": [
+        "Origin",
+        "Authorization",
+        "Content-Type"
+      ],
+      "expose_headers": [
+        "Content-Length"
+      ],
+      "max_age": "12h"
+    }
+  },
+  "endpoints":[
+    {
+      "endpoint": "/sequential/{id}",
+      "backend": [
+        {
+          "url_pattern": "/users/{id}.json",
+          "whitelist": [
+            "id",
+            "username"
+          ],
+          "extra_config": {},
+          "encoding": "json",
+          "blacklist": [
+            "id"
+          ]
+        },
+        {
+          "url_pattern": "/projects/{resp0_id}.json",
+          "whitelist": [
+            "name"
+          ],
+          "group": "projects"
+        }
+      ],
+      "extra_config": {
+        "github.com/devopsfaith/krakend/proxy": {
+          "sequential": true
+        }
+      }
+    },
+    {
+      "endpoint": "/jwt_access",
+      "backend": [
+        {
+          "url_pattern": "/users/1.json"
+        }
+      ],
+      "extra_config": {
+        "github.com/devopsfaith/krakend-jose/validator": {
+          "alg": "RS256",
+          "issuer": "http://127.0.0.1:4444/",
+          "jwk-url": "http://hydra:4444/.well-known/jwks.json",
+          "disable_jwk_security": true
+        }
+      }
+    }
+  ]
+}
+