update bundle
jkralik committed Aug 11, 2024
1 parent 803d5ed commit 32adebe
Showing 18 changed files with 238 additions and 149 deletions.
3 changes: 2 additions & 1 deletion bundle/Dockerfile
Expand Up @@ -249,7 +249,8 @@ ENV SCYLLA_DEVELOPER_MODE=true
ENV SCYLLA_PORT=29142
ENV SNIPPET_SERVICE_PORT=9091
ENV HTTP_SNIPPET_SERVICE_PORT=9092
ENV M2M_OAUTH_SERVER_PORT=9080
ENV M2M_OAUTH_SERVER_PORT=9079
ENV HTTP_M2M_OAUTH_SERVER_PORT=9080

# OAuth
ENV DEVICE_PROVIDER=plgd
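Review bot: Reassigning M2M_OAUTH_SERVER_PORT from 9080 to 9079 while the new HTTP_M2M_OAUTH_SERVER_PORT takes over 9080 silently changes which listener answers on 9080, so anything still built with the old value for the gRPC endpoint will now reach the HTTP listener instead. The bundle/run.sh changes that pass these values into the templates are not rendered on this page, so I cannot confirm both ports are wired through everywhere. A comment above the pair, e.g. `# gRPC listener; the HTTP/OAuth endpoints are served on HTTP_M2M_OAUTH_SERVER_PORT`, would make the split explicit for operators who override these variables.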
15 changes: 14 additions & 1 deletion bundle/nginx/nginx.conf.template
Expand Up @@ -38,7 +38,7 @@ http {
proxy_set_header Host $host;
}
location ~ ^(/m2m-oauth-server) {
set $upstream_oauth_server https://127.0.0.1:REPLACE_M2M_OAUTH_SERVER_PORT;
set $upstream_oauth_server https://127.0.0.1:REPLACE_HTTP_M2M_OAUTH_SERVER_PORT;
proxy_pass $upstream_oauth_server;
proxy_ssl_certificate /data/certs/internal/endpoint.crt;
proxy_ssl_certificate_key /data/certs/internal/endpoint.key;
Expand All @@ -51,6 +51,19 @@ http {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header Host $host;
}
location ~ ^(/m2moauthserver.pb.M2MOAuthService) {
set $upstream_grpc_oauth_server grpcs://127.0.0.1:REPLACE_M2M_OAUTH_SERVER_PORT;
grpc_pass $upstream_grpc_oauth_server;
grpc_ssl_certificate /data/certs/internal/endpoint.crt;
grpc_ssl_certificate_key /data/certs/internal/endpoint.key;
grpc_ssl_trusted_certificate /data/certs/root_ca.crt;
grpc_read_timeout 31536000s;
grpc_send_timeout 31536000s;
client_body_timeout 31536000s;
grpc_socket_keepalive on;
proxy_ssl_trusted_certificate /data/certs/root_ca.crt;
proxy_ssl_verify on;
}
location ~ ^(/certificateauthority.pb.CertificateAuthority) {
set $upstream_grpc_gateway grpcs://127.0.0.1:REPLACE_CERTIFICATE_AUTHORITY_PORT;
grpc_pass $upstream_grpc_gateway;
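Review bot: The new `/m2moauthserver.pb.M2MOAuthService` location loads a trust store with `grpc_ssl_trusted_certificate` but never turns verification on: `grpc_ssl_verify` defaults to off in nginx, and the trailing `proxy_ssl_trusted_certificate` / `proxy_ssl_verify on` lines apply only to `proxy_pass`, not `grpc_pass`, so the upstream certificate is not actually checked on this route. Replace those two lines with `grpc_ssl_verify on;` (plus `grpc_ssl_name` if the internal endpoint certificate is not issued for 127.0.0.1). If the certificateauthority block below follows the same pattern it deserves the same fix. The one-year `grpc_read_timeout` / `grpc_send_timeout` / `client_body_timeout` values also mean a stalled client holds a worker connection indefinitely; that may be intentional for long-lived streams, but a short comment saying so would stop the next reader from "fixing" it.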
109 changes: 78 additions & 31 deletions bundle/run.sh

Large diffs are not rendered by default.

25 changes: 13 additions & 12 deletions certificate-authority/config.yaml
Expand Up @@ -31,19 +31,20 @@ apis:
clientCertificateRequired: true
authorization:
ownerClaim: "sub"
authority: ""
audience: ""
http:
maxIdleConns: 16
maxConnsPerHost: 32
maxIdleConnsPerHost: 16
idleConnTimeout: "30s"
timeout: "10s"
tls:
caPool: "/secrets/public/rootca.crt"
keyFile: "/secrets/private/cert.key"
certFile: "/secrets/public/cert.crt"
useSystemCAPool: false
endpoints:
- authority: ""
http:
maxIdleConns: 16
maxConnsPerHost: 32
maxIdleConnsPerHost: 16
idleConnTimeout: "30s"
timeout: "10s"
tls:
caPool: "/secrets/public/rootca.crt"
keyFile: "/secrets/private/cert.key"
certFile: "/secrets/public/cert.crt"
useSystemCAPool: false
tokenTrustVerification:
cacheExpiration: 30s
http:
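Review bot: The single `authorization.authority` key is replaced by an `endpoints` list whose only default entry is `authority: ""`, and nothing in this hunk shows what the loader does with an empty authority, an empty list, or a leftover `authority` key from an existing deployment. Worth confirming that config validation rejects an empty `endpoints[].authority` and an unknown `authority` key, rather than starting a service that cannot validate tokens or, worse, one that skips the issuer check. A one-line comment above the list, e.g. `# trusted token issuers (at least one); replaces the former single 'authority' key`, would also help operators migrating their config.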
25 changes: 13 additions & 12 deletions cloud2cloud-gateway/config.yaml
Expand Up @@ -19,19 +19,20 @@ apis:
certFile: "/secrets/public/cert.crt"
clientCertificateRequired: true
authorization:
authority: ""
audience: ""
http:
maxIdleConns: 16
maxConnsPerHost: 32
maxIdleConnsPerHost: 16
idleConnTimeout: 30s
timeout: 10s
tls:
caPool: "/secrets/public/rootca.crt"
keyFile: "/secrets/private/cert.key"
certFile: "/secrets/public/cert.crt"
useSystemCAPool: false
endpoints:
- authority: ""
http:
maxIdleConns: 16
maxConnsPerHost: 32
maxIdleConnsPerHost: 16
idleConnTimeout: "30s"
timeout: "10s"
tls:
caPool: "/secrets/public/rootca.crt"
keyFile: "/secrets/private/cert.key"
certFile: "/secrets/public/cert.crt"
useSystemCAPool: false
tokenTrustVerification:
cacheExpiration: 30s
clients:
14 changes: 14 additions & 0 deletions coap-gateway/config.yaml
Expand Up @@ -35,6 +35,20 @@ apis:
authorization:
ownerClaim: "sub"
deviceIDClaim: ""
audience: ""
endpoints:
- authority: ""
http:
maxIdleConns: 16
maxConnsPerHost: 32
maxIdleConnsPerHost: 16
idleConnTimeout: "30s"
timeout: "10s"
tls:
caPool: "/secrets/public/rootca.crt"
keyFile: "/secrets/private/cert.key"
certFile: "/secrets/public/cert.crt"
useSystemCAPool: false
providers:
- name: "plgd.web"
clientID: ""
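Review bot: The coap-gateway now gains its own `audience: ""` next to the new `endpoints` entry; if an empty audience means the `aud` check is skipped (I cannot see the verifier from here), then combined with the token.go change in this commit, where `aud` is taken from the caller-supplied request, a token minted for some other service would be accepted at the device-facing gateway. Please confirm the empty-audience semantics and, if it does disable the check, say so in the file: `# audience: leave empty only when issued tokens are not scoped to this service`.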
25 changes: 13 additions & 12 deletions grpc-gateway/config.yaml
Expand Up @@ -32,19 +32,20 @@ apis:
clientCertificateRequired: true
authorization:
ownerClaim: "sub"
authority: ""
audience: ""
http:
maxIdleConns: 16
maxConnsPerHost: 32
maxIdleConnsPerHost: 16
idleConnTimeout: 30s
timeout: 10s
tls:
caPool: "/secrets/public/rootca.crt"
keyFile: "/secrets/private/cert.key"
certFile: "/secrets/public/cert.crt"
useSystemCAPool: false
endpoints:
- authority: ""
http:
maxIdleConns: 16
maxConnsPerHost: 32
maxIdleConnsPerHost: 16
idleConnTimeout: "30s"
timeout: "10s"
tls:
caPool: "/secrets/public/rootca.crt"
keyFile: "/secrets/private/cert.key"
certFile: "/secrets/public/cert.crt"
useSystemCAPool: false
tokenTrustVerification:
cacheExpiration: 30s
clients:
27 changes: 14 additions & 13 deletions http-gateway/config.yaml
Expand Up @@ -22,19 +22,20 @@ apis:
streamBodyLimit: 262144
pingFrequency: 10s
authorization:
authority: ""
audience: ""
http:
maxIdleConns: 16
maxConnsPerHost: 32
maxIdleConnsPerHost: 16
idleConnTimeout: 30s
timeout: 10s
tls:
caPool: "/secrets/public/rootca.crt"
keyFile: "/secrets/private/cert.key"
certFile: "/secrets/public/cert.crt"
useSystemCAPool: false
endpoints:
- authority: ""
http:
maxIdleConns: 16
maxConnsPerHost: 32
maxIdleConnsPerHost: 16
idleConnTimeout: "30s"
timeout: "10s"
tls:
caPool: "/secrets/public/rootca.crt"
keyFile: "/secrets/private/cert.key"
certFile: "/secrets/public/cert.crt"
useSystemCAPool: false
tokenTrustVerification:
cacheExpiration: 30s
clients:
Expand Down Expand Up @@ -109,6 +110,6 @@ ui:
integrations: false
deviceFirmwareUpdate: false
deviceLogs: false
apiTokens: false
apiTokens: true
schemaHub: false
snippetService: true
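Review bot: `apiTokens: true` switches the token-management UI on in the default bundle config, which presumes the m2m-oauth-server is deployed and reachable through the `/m2m-oauth-server` nginx route added in this commit. Deployments that reuse this config without that service will expose a UI that cannot work; a comment such as `# requires m2m-oauth-server (see bundle/nginx.conf.template)` above the flag would make the dependency visible.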
27 changes: 14 additions & 13 deletions identity-store/config.yaml
Expand Up @@ -31,19 +31,20 @@ apis:
clientCertificateRequired: true
authorization:
ownerClaim: "sub"
authority:
audience:
http:
maxIdleConns: 16
maxConnsPerHost: 32
maxIdleConnsPerHost: 16
idleConnTimeout: 30s
timeout: 10s
tls:
caPool: "/secrets/public/rootca.crt"
keyFile: "/secrets/private/cert.key"
certFile: "/secrets/public/cert.crt"
useSystemCAPool: false
audience: ""
endpoints:
- authority: ""
http:
maxIdleConns: 16
maxConnsPerHost: 32
maxIdleConnsPerHost: 16
idleConnTimeout: "30s"
timeout: "10s"
tls:
caPool: "/secrets/public/rootca.crt"
keyFile: "/secrets/private/cert.key"
certFile: "/secrets/public/cert.crt"
useSystemCAPool: false
tokenTrustVerification:
cacheExpiration: 30s
clients:
25 changes: 13 additions & 12 deletions m2m-oauth-server/config.yaml
Expand Up @@ -30,19 +30,20 @@ apis:
clientCertificateRequired: true
authorization:
ownerClaim: "sub"
authority: ""
audience: ""
http:
maxIdleConns: 16
maxConnsPerHost: 32
maxIdleConnsPerHost: 16
idleConnTimeout: "30s"
timeout: "10s"
tls:
caPool: "/secrets/public/rootca.crt"
keyFile: "/secrets/private/cert.key"
certFile: "/secrets/public/cert.crt"
useSystemCAPool: false
endpoints:
- authority: ""
http:
maxIdleConns: 16
maxConnsPerHost: 32
maxIdleConnsPerHost: 16
idleConnTimeout: "30s"
timeout: "10s"
tls:
caPool: "/secrets/public/rootca.crt"
keyFile: "/secrets/private/cert.key"
certFile: "/secrets/public/cert.crt"
useSystemCAPool: false
tokenTrustVerification:
cacheExpiration: 30s
clients:
4 changes: 4 additions & 0 deletions m2m-oauth-server/oauthSigner/oauthSigner.go
Expand Up @@ -102,6 +102,10 @@ func (s *OAuthSigner) GetDomain() string {
return s.config.GetDomain()
}

func (s *OAuthSigner) GetAuthority() string {
return s.config.GetAuthority()
}

func (s *OAuthSigner) GetOwnerClaim() string {
return s.config.OwnerClaim
}
2 changes: 1 addition & 1 deletion m2m-oauth-server/service/grpc/server.go
Expand Up @@ -62,10 +62,10 @@ func errCannotCreateToken(err error) error {

func (s *M2MOAuthServiceServer) CreateToken(ctx context.Context, req *pb.CreateTokenRequest) (*pb.CreateTokenResponse, error) {
tokenReq := tokenRequest{
host: s.signer.GetDomain(),
tokenType: oauthsigner.AccessTokenType_JWT,
issuedAt: time.Now(),
CreateTokenRequest: req,
issuer: s.signer.GetAuthority(),
}
clientCfg := s.signer.GetClients().Find(tokenReq.CreateTokenRequest.GetClientId())
if clientCfg == nil {
7 changes: 4 additions & 3 deletions m2m-oauth-server/service/grpc/token.go
Expand Up @@ -4,6 +4,7 @@ import (
"context"
"errors"
"fmt"
"strings"
"time"

goJwt "github.com/golang-jwt/jwt/v5"
Expand All @@ -28,11 +29,11 @@ func makeAccessToken(clientCfg *oauthsigner.Client, tokenReq tokenRequest) (jwt.
claims := map[string]interface{}{
jwt.JwtIDKey: tokenReq.id,
jwt.SubjectKey: tokenReq.subject,
jwt.AudienceKey: tokenReq.host,
jwt.AudienceKey: strings.Join(tokenReq.Audience, " "),
jwt.IssuedAtKey: tokenReq.issuedAt,
uri.ScopeKey: tokenReq.scopes,
uri.ClientIDKey: clientCfg.ID,
jwt.IssuerKey: tokenReq.host,
jwt.IssuerKey: tokenReq.issuer,
}
for key, val := range claims {
if err := token.Set(key, val); err != nil {
Expand Down Expand Up @@ -150,14 +151,14 @@ type tokenRequest struct {
deviceID string `json:"-"`
owner string `json:"-"`
subject string `json:"-"`
host string `json:"-"`
scopes string `json:"-"`
ownerClaim string `json:"-"`
deviceIDClaim string `json:"-"`
tokenType oauthsigner.AccessTokenType `json:"-"`
originalTokenClaims goJwt.MapClaims `json:"-"`
issuedAt time.Time `json:"-"`
expiration time.Time `json:"-"`
issuer string `json:"-"`
}

func sliceContains[T comparable](s []T, sub []T) bool {
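Review bot: `jwt.AudienceKey: strings.Join(tokenReq.Audience, " ")` packs several audiences into one space-separated string, which is not a valid RFC 7519 `aud` (a single StringOrURI or an array of them): a verifier comparing the claim against its configured audience will reject every multi-audience token, and when the request carries no audience the token is now minted with `aud: ""`, whereas the old code always set the host. Set the claim as the list itself — if this is lestrrat jwx, `token.Set(jwt.AudienceKey, tokenReq.Audience)` accepts a `[]string` directly — and reject an empty request up front, e.g. `if len(tokenReq.Audience) == 0 { return nil, errors.New("audience is required") }` (adjust the zero return to the function's actual return type). Nothing in the hunk shows that the requested audiences are checked against what `clientCfg` is allowed to issue, so that check is presumably elsewhere or missing. `makeAccessToken` begins before this hunk, and `tokenRequest` picks up `Audience` from the embedded `CreateTokenRequest` as far as I can tell.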
2 changes: 1 addition & 1 deletion m2m-oauth-server/service/http/getOpenIDConfiguration.go
Expand Up @@ -10,7 +10,7 @@ import (

func GetOpenIDConfiguration(domain string) openid.Config {
return openid.Config{
Issuer: domain,
Issuer: domain + uri.Base,
TokenURL: domain + uri.Token,
JWKSURL: domain + uri.JWKs,
PlgdTokensEndpoint: domain + uri.Tokens,
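Review bot: `Issuer: domain + uri.Base` has to equal the `iss` the server now writes into tokens (`s.signer.GetAuthority()` in server.go) and the authority that clients put in their `endpoints` config, otherwise discovery-based validation fails or, if a verifier trusts the discovery document alone, a mismatch goes unnoticed; nothing in this commit ties `GetAuthority()` to `domain + uri.Base`, not even a trailing-slash normalization. Derive one from the other, or at least add a test asserting `GetOpenIDConfiguration(domain).Issuer == signer.GetAuthority()`, and state the invariant on the field: `// Issuer must match the "iss" claim emitted by the signer (OAuthSigner.GetAuthority).`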
2 changes: 1 addition & 1 deletion m2m-oauth-server/service/service.go
Expand Up @@ -152,7 +152,7 @@ func New(ctx context.Context, config Config, fileWatcher *fsnotify.Watcher, logg
return openid.GetConfiguration(ctx, c, authority)
}
customTokenIssuerClients := map[string]jwt.TokenIssuerClient{
config.OAuthSigner.GetDomain(): &tokenIssuerClient{
config.OAuthSigner.GetAuthority(): &tokenIssuerClient{
store: db,
ownerClaim: config.OAuthSigner.OwnerClaim,
},
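Review bot: Keying `customTokenIssuerClients` by `GetAuthority()` is consistent with the new `iss` claim set in server.go, but the map is presumably matched against an incoming token's `iss` by exact string comparison, so any difference between the configured authority and the discovery `Issuer` (`domain + uri.Base` in getOpenIDConfiguration.go), including a trailing slash, would silently route locally issued tokens to the generic verifier instead of the store-backed one. A comment on the key line, `// must equal the "iss" claim written by CreateToken and the discovery Issuer`, would document the coupling; normalizing both values in one place would remove it.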
25 changes: 13 additions & 12 deletions resource-aggregate/config.yaml
Expand Up @@ -32,19 +32,20 @@ apis:
clientCertificateRequired: true
authorization:
ownerClaim: "sub"
authority: ""
audience: ""
http:
maxIdleConns: 16
maxConnsPerHost: 32
maxIdleConnsPerHost: 16
idleConnTimeout: 30s
timeout: 10s
tls:
caPool: "/secrets/public/rootca.crt"
keyFile: "/secrets/private/cert.key"
certFile: "/secrets/public/cert.crt"
useSystemCAPool: false
endpoints:
- authority: ""
http:
maxIdleConns: 16
maxConnsPerHost: 32
maxIdleConnsPerHost: 16
idleConnTimeout: "30s"
timeout: "10s"
tls:
caPool: "/secrets/public/rootca.crt"
keyFile: "/secrets/private/cert.key"
certFile: "/secrets/public/cert.crt"
useSystemCAPool: false
tokenTrustVerification:
cacheExpiration: 30s
clients: