feat: add auth #12

Merged
merged 1 commit into from
Apr 24, 2023
19 changes: 12 additions & 7 deletions cmd/depository/main.go
Expand Up @@ -23,10 +23,11 @@ import (
"fmt"
"os"

"github.com/bestchains/bc-explorer/pkg/auth"
"github.com/bestchains/bc-explorer/pkg/network"
"github.com/bestchains/bc-saas/pkg/contracts"
handler "github.com/bestchains/bc-saas/pkg/handlers"
listener "github.com/bestchains/bc-saas/pkg/listener"
"github.com/bestchains/bc-saas/pkg/listener"
"github.com/bestchains/bc-saas/pkg/models"
"github.com/go-pg/pg/v10"
"github.com/go-pg/pg/v10/orm"
Expand All @@ -37,15 +38,15 @@ import (
)

var (
profile = flag.String("profile", "./network.json", "profile to connect with blockchain network")
contract = flag.String("contract", "depository", "contract name")
addr = flag.String("addr", ":9999", "used to listen and serve http requests")
db = flag.String("db", "pg", "which database to use, default is pg(postgresql)")
dsn = flag.String("dsn", "postgres://bestchains:[email protected]:5432/bc-saas?sslmode=disable", "database connection string")
profile = flag.String("profile", "./network.json", "profile to connect with blockchain network")
contract = flag.String("contract", "depository", "contract name")
addr = flag.String("addr", ":9999", "used to listen and serve http requests")
db = flag.String("db", "pg", "which database to use, default is pg(postgresql)")
dsn = flag.String("dsn", "postgres://bestchains:[email protected]:5432/bc-saas?sslmode=disable", "database connection string")
authMethod = flag.String("auth", "none", "user authentication method, none, oidc or kubernetes")
)

func main() {
klog.InitFlags(nil)
flag.Parse()

if err := run(); err != nil {
Expand Down Expand Up @@ -89,6 +90,10 @@ func run() error {
app.Use(logger.New(logger.Config{
Format: "[${ip}]:${port} ${status} - ${method} ${path}\n",
}))
app.Use(auth.New(context.TODO(), auth.Config{
AuthMethod: *authMethod,
SkipAuthorize: true,
}))
depository := app.Group("depository")

// hyperledger handlers
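Review bot: `SkipAuthorize: true` in the auth.New config means the middleware only authenticates the caller and every authenticated identity then gets identical access to the depository group, and with the flag's default of `none` the middleware appears to enforce nothing, so the `-auth=oidc` argument in deploy.yaml is the only thing keeping anonymous callers away from the handlers. A one-line comment recording that this is deliberate would save the next reader a question, e.g. `// authentication only: per-request authorization is intentionally not enforced here`. `context.TODO()` is also handed to auth.New; if run has a context tied to the server's lifetime it should be passed instead, otherwise a comment on why a placeholder context is acceptable belongs here. run's body starts and ends outside the hunk.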
68 changes: 68 additions & 0 deletions deploy/deploy.yaml
@@ -0,0 +1,68 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: bc-saas
namespace: baas-system
spec:
replicas: 1
selector:
matchLabels:
app: bc-saas
template:
metadata:
labels:
app: bc-saas
spec:
serviceAccountName: bc-saas
volumes:
- name: network-json
secret:
secretName: bc-saas-secret
- name: oidc-server-ca
secret:
defaultMode: 420
items:
- key: ca.crt
path: ca.pem
secretName: oidc-server-root-secret
containers:
- name: depository
image: hyperledgerk8s/bc-saas:6b0ed39
command:
- depository
args:
- -v=5
- -profile=/opt/depository/network.json
- -contract=depository
- -auth=oidc
ports:
- containerPort: 9999
env:
- name: OIDC_CA_FILE
value: "/etc/oidc/oidc-server/ca.pem"
- name: OIDC_CLIENT_ID
valueFrom:
secretKeyRef:
key: oidc.client-id
name: kube-oidc-proxy-config
- name: OIDC_ISSUER_URL
valueFrom:
secretKeyRef:
key: oidc.issuer-url
name: kube-oidc-proxy-config
- name: OIDC_USERNAME_CLAIM
valueFrom:
secretKeyRef:
key: oidc.username-claim
name: kube-oidc-proxy-config
- name: OIDC_GROUPS_CLAIM
valueFrom:
secretKeyRef:
key: oidc.group-claim
name: kube-oidc-proxy-config
volumeMounts:
- name: network-json
mountPath: /opt/depository
- mountPath: /etc/oidc/oidc-server
name: oidc-server-ca
readOnly: true
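Review bot: The container at `image: hyperledgerk8s/bc-saas:6b0ed39` runs with no `securityContext` and no `resources` block, and the `network-json` volume that carries the org admin key material is mounted without a restrictive `defaultMode`, unlike the `oidc-server-ca` volume. For a service that holds a signing key and now validates OIDC tokens, `runAsNonRoot: true`, `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false` on the container, a CPU/memory limit, and `defaultMode: 0400` on the secret volume would be the usual baseline. Pinning the image by digest rather than a short commit tag would also make the deployed code verifiable.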
23 changes: 23 additions & 0 deletions deploy/network.json
@@ -0,0 +1,23 @@
{
"id": "network-sample3",
"platform": "bestchains",
"fabProfile": {
"channel": "channelid",
"organization": "org1",
"user": {
"name": "org1admin",
"key": {
"pem": "-----BEGIN PRIVATE KEY-----\nMIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgnaTsH8cPOcV0Vgvn\nx4Z1hIUpV1Kg2kjzu1x3E7oM59mhRANCAAQ9Mjwd16DmSeyEiZV5kQ04tUFrJMxk\nslTDmBrc1vFkPqzMH1LGCsn2w8gKwcisboz8eC7mJPfS8eR9wK4w/aQx\n-----END PRIVATE KEY-----\n"
},
"cert": {
"pem": "-----BEGIN CERTIFICATE-----\nMIIDDzCCAregAwIBAgIUV0lIiC3NNUr+69cVUy8v6i0gxm0wCgYIKoZIzj0EAwIw\nXzELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQK\nEwtIeXBlcmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRAwDgYDVQQDEwdvcmcxLWNh\nMB4XDTIzMDQxODA1MzcwMFoXDTI0MDQxNzA1NDQwMFowJDEOMAwGA1UECxMFYWRt\naW4xEjAQBgNVBAMTCW9yZzFhZG1pbjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBD0yPB3XoOZJ7ISJlXmRDTi1QWskzGSyVMOYGtzW8WQ+rMwfUsYKyfbDyArByKxu\njPx4LuYk99Lx5H3ArjD9pDGjggGKMIIBhjAOBgNVHQ8BAf8EBAMCB4AwDAYDVR0T\nAQH/BAIwADAdBgNVHQ4EFgQUprvedopkGRfeYsxHLI8Cp3hoZawwHwYDVR0jBBgw\nFoAUO++ESe8aFTNvD982WCOyKxTgST0wLgYDVR0RBCcwJYIjY29udHJvbGxlci1t\nYW5hZ2VyLTVmZDhmYzc1NGMtOXRzZjkwgfUGCCoDBAUGBwgBBIHoeyJhdHRycyI6\neyJoZi5BZmZpbGlhdGlvbiI6IiIsImhmLkVucm9sbG1lbnRJRCI6Im9yZzFhZG1p\nbiIsImhmLkdlbkNSTCI6InRydWUiLCJoZi5JbnRlcm1lZGlhdGVDQSI6InRydWUi\nLCJoZi5SZWdpc3RyYXIuUm9sZXMiOiIqIiwiaGYuUmVnaXN0cmFyRGVsZWdhdGVS\nb2xlcyI6IioiLCJoZi5SZXZva2VyIjoiKiIsImhmLlR5cGUiOiJhZG1pbiIsImhm\nLmhmLlJlZ2lzdHJhci5BdHRyaWJ1dGVzIjoiKiJ9fTAKBggqhkjOPQQDAgNGADBD\nAiBpB13OjDKI/qU7/QI8L8c1KnCNJkdcD0BOcwpwKsOqMAIfEXsg0dMLjOsU1Jm0\noUCQNrlRW9wlT/oxbStXppcFNg==\n-----END CERTIFICATE-----\n"
}
},
"endpoint": {
"url": "grpcs://org1-org1peer1-peer.172.18.0.4.nip.io:443",
"tlsCACerts": {
"pem": "-----BEGIN CERTIFICATE-----\nMIICBzCCAa6gAwIBAgIUMBMS27QPxyLtVrHtGIBJcwquF00wCgYIKoZIzj0EAwIw\nYjELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQK\nEwtIeXBlcmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRMwEQYDVQQDEwpvcmcxLXRs\nc2NhMB4XDTIzMDQxODA1MzcwMFoXDTM4MDQxNDA1MzcwMFowYjELMAkGA1UEBhMC\nVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQKEwtIeXBlcmxlZGdl\ncjEPMA0GA1UECxMGRmFicmljMRMwEQYDVQQDEwpvcmcxLXRsc2NhMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAElsbFDQe/QFwZoRBrbLp6zQTyxD+SGDhi/7hshCd/\ncMNYADqusdjHSIorTiTegS9/69iUz5ROeFurcSfHxGI4gaNCMEAwDgYDVR0PAQH/\nBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFKlocv/Ghk9Nkq6/zzov\nubxlHrw0MAoGCCqGSM49BAMCA0cAMEQCIHoYm+ccgYhqvXng8yXDvedqS1wsJPmX\n9Y1P9Z/44i6zAiBtke6JqTrixv9yorq5JtBGs12qU/lsWig7nwKFSdQKsA==\n-----END CERTIFICATE-----\n"
}
}
}
}
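Review bot: This file commits a complete PEM private key (the `fabProfile.user.key.pem` value) alongside its certificate, so whatever this identity can do on the channel is now available to anyone with read access to the repository and its history; a committed key should be treated as compromised and rotated even if it was only ever a test identity. Keep the checked-in file as a template with placeholder values and generate the real profile at deploy time, and note that deploy/secret.yaml embeds the same network.json base64-encoded, so both files need the same handling. The `endpoint.url` also hard-codes a `nip.io` name tied to one cluster IP, which makes the sample non-portable.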
10 changes: 10 additions & 0 deletions deploy/oidc-secret.md
@@ -0,0 +1,10 @@
if use `oidc` auth, you need create secret `kube-oidc-proxy-config` and `oidc-server-root-secret`, the data is same with `u4a-system`.
```bash
kubectl get secret kube-oidc-proxy-config -n u4a-system -o json \
| jq 'del(.metadata["namespace","creationTimestamp","resourceVersion","selfLink","uid"])' \
| kubectl apply -n baas-system -f -

kubectl get secret oidc-server-root-secret -n u4a-system -o json \
| jq 'del(.metadata["namespace","creationTimestamp","resourceVersion","selfLink","uid"])' \
| kubectl apply -n baas-system -f -
```
146 changes: 146 additions & 0 deletions deploy/rbac.yaml
@@ -0,0 +1,146 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: bc-saas
namespace: baas-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: bc-saas
rules:
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- ""
resources:
- pods
- pods/log
- persistentvolumeclaims
- persistentvolumes
- services
- endpoints
- events
- configmaps
- secrets
- nodes
- serviceaccounts
verbs:
- get
- list
- watch
- apiGroups:
- "batch"
resources:
- jobs
verbs:
- get
- list
- watch
- apiGroups:
- apps
resources:
- deployments
- daemonsets
- replicasets
- statefulsets
verbs:
- get
- list
- watch
- apiGroups:
- monitoring.coreos.com
resources:
- servicemonitors
verbs:
- get
- apiGroups:
- ibp.com
resources:
- ibpcas.ibp.com
- ibppeers.ibp.com
- ibporderers.ibp.com
- ibpconsoles.ibp.com
- organizations.ibp.com
- federations.ibp.com
- networks.ibp.com
- proposals.ibp.com
- votes.ibp.com
- channels.ibp.com
- chaincodebuilds.ibp.com
- ibpcas
- ibppeers
- ibporderers
- ibpconsoles
- organizations
- federations
- networks
- proposals
- votes
- channels
- chaincodebuilds
- ibpcas/finalizers
- ibppeers/finalizers
- ibporderers/finalizers
- ibpconsoles/finalizers
- organizations/finalizers
- federations/finalizers
- networks/finalizers
- proposals/finalizers
- votes/finalizers
- channels/finalizers
- chaincodebuilds/finalizers
- ibpcas/status
- ibppeers/status
- ibporderers/status
- ibpconsoles/status
- organizations/status
- federations/status
- networks/status
- proposals/status
- votes/status
- channels/status
- chaincodebuilds/status
- chaincodes
- chaincodes/status
- endorsepolicies
- endorsepolicies/status
verbs:
- get
- list
- watch
- apiGroups:
- iam.tenxcloud.com
resources:
- users.iam.tenxcloud.com
- users
verbs:
- get
- list
- watch
- apiGroups:
- tekton.dev
resources:
- pipelineruns
- taskruns
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: bc-saas
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: bc-saas
subjects:
- kind: ServiceAccount
name: bc-saas
namespace: baas-system
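Review bot: The ClusterRole grants cluster-wide `get`/`list`/`watch` on `secrets`, `nodes`, `serviceaccounts` and many other core resources, whereas the only permission the code in this PR visibly needs is `create` on `tokenreviews` for the `kubernetes` auth method, and deploy.yaml selects `-auth=oidc`, which does not need even that. Cluster-wide read on secrets lets the holder read every service-account token and credential in the cluster, so unless the depository service reads those objects somewhere not shown here the rules should be cut down to what it uses, and the broad `ibp.com` rule reviewed the same way. A short comment above each rule naming the code path that needs it would make the next review cheaper.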
8 changes: 8 additions & 0 deletions deploy/secret.yaml
@@ -0,0 +1,8 @@
apiVersion: v1
data:
# cat networ.json | base64
network.json: 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
kind: Secret
metadata:
name: bc-saas-secret
namespace: baas-system
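Review bot: The manifest ships `network.json` pre-populated in `data`, and base64 is an encoding rather than a protection, so committing this file publishes the private key that network.json carries; keep the manifest as a template or create the secret at deploy time with `kubectl create secret generic bc-saas-secret --from-file=network.json -n baas-system` instead. The hint comment also misspells the file name and, on GNU coreutils, would produce line-wrapped output that the YAML cannot carry on one line: `# base64 -w0 network.json`. If the populated secret must live in git, a sealed or external secret mechanism is the usual answer.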
12 changes: 12 additions & 0 deletions deploy/service.yaml
@@ -0,0 +1,12 @@
apiVersion: v1
kind: Service
metadata:
name: bc-saas-service
namespace: baas-system
spec:
selector:
app: bc-saas
ports:
- protocol: TCP
port: 9999
targetPort: 9999