Merge branch 'main' into expose-context-auth-methods

opentdf · Dec 17, 2024 · 5248a6d · 5248a6d
2 parents b774ebc + 7828aeb
commit 5248a6d
Show file tree

Hide file tree

Showing 12 changed files with 384 additions and 55 deletions.
diff --git a/.release-please-manifest.json b/.release-please-manifest.json
@@ -4,5 +4,5 @@
   "lib/flattening": "0.1.2",
   "protocol/go": "0.2.22",
   "sdk": "0.3.23",
-  "service": "0.4.32"
+  "service": "0.4.34"
 }
diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -48,7 +48,7 @@ services:
       - "8888:8888"
       - "8443:8443"
     healthcheck:
-      test: 
+      test:
         - CMD-SHELL
         - |
           [ -f /tmp/HealthCheck.java ] || echo "public class HealthCheck { 
@@ -66,23 +66,10 @@ services:
               java.net.HttpURLConnection conn = (java.net.HttpURLConnection)new java.net.URL(args[0]).openConnection(); 
               System.exit(java.net.HttpURLConnection.HTTP_OK == conn.getResponseCode() ? 0 : 1); 
             } 
-          }" > /tmp/HealthCheck.java && java /tmp/HealthCheck.java https://localhost:9001/auth/health/live      
+          }" > /tmp/HealthCheck.java && java /tmp/HealthCheck.java https://localhost:9001/auth/health/live
       timeout: 10s
       retries: 3
       start_period: 2m
-  keycloakdb:
-    image: postgres:15-alpine
-    restart: always
-    user: postgres
-    environment:
-      POSTGRES_PASSWORD: changeme
-      POSTGRES_USER: postgres
-      POSTGRES_DB: keycloak
-    healthcheck:
-      test: ["CMD-SHELL", "pg_isready"]
-      interval: 5s
-      timeout: 5s
-      retries: 10
   opentdfdb:
     image: postgres:15-alpine
     restart: always

diff --git a/opentdf-dev.yaml b/opentdf-dev.yaml
@@ -24,9 +24,9 @@ services:
   entityresolution:
     log_level: info
     url: http://localhost:8888/auth
-    clientid: 'tdf-entity-resolution'
-    clientsecret: 'secret'
-    realm: 'opentdf'
+    clientid: "tdf-entity-resolution"
+    clientsecret: "secret"
+    realm: "opentdf"
     legacykeycloak: true
     inferid:
       from:
@@ -45,8 +45,8 @@ server:
   auth:
     enabled: true
     enforceDPoP: false
-    public_client_id: 'opentdf-public'
-    audience: 'http://localhost:8080'
+    public_client_id: "opentdf-public"
+    audience: "http://localhost:8080"
     issuer: http://localhost:8888/auth/realms/opentdf
     policy:
       ## Dot notation is used to access nested claims (i.e. realm_access.roles)
@@ -78,10 +78,9 @@ server:
       #  [matchers]
       #  m = g(r.sub, p.sub) && globOrRegexMatch(r.res, p.res) && globOrRegexMatch(r.act, p.act) && globOrRegexMatch(r.obj, p.obj)
   cors:
-    enabled: false
     # "*" to allow any origin or a specific domain like "https://yourdomain.com"
     allowedorigins:
-      - '*'
+      - "*"
     # List of methods. Examples: "GET,POST,PUT"
     allowedmethods:
       - GET

diff --git a/opentdf-ers-mode.yaml b/opentdf-ers-mode.yaml
@@ -9,9 +9,9 @@ services:
   entityresolution:
     log_level: info
     url: http://localhost:8888/auth
-    clientid: 'tdf-entity-resolution'
-    clientsecret: 'secret'
-    realm: 'opentdf'
+    clientid: "tdf-entity-resolution"
+    clientsecret: "secret"
+    realm: "opentdf"
     legacykeycloak: true
     inferid:
       from:
@@ -21,8 +21,8 @@ server:
   auth:
     enabled: true
     enforceDPoP: false
-    public_client_id: 'opentdf-public'
-    audience: 'http://localhost:8080'
+    public_client_id: "opentdf-public"
+    audience: "http://localhost:8080"
     issuer: http://localhost:8888/auth/realms/opentdf
     policy:
       ## Default policy for all requests
@@ -61,10 +61,9 @@ server:
       #  [matchers]
       #  m = g(r.sub, p.sub) && globOrRegexMatch(r.res, p.res) && globOrRegexMatch(r.act, p.act) && globOrRegexMatch(r.obj, p.obj)
   cors:
-    enabled: false
     # "*" to allow any origin or a specific domain like "https://yourdomain.com"
     allowedorigins:
-      - '*'
+      - "*"
     # List of methods. Examples: "GET,POST,PUT"
     allowedmethods:
       - GET

diff --git a/opentdf-example.yaml b/opentdf-example.yaml
@@ -15,9 +15,9 @@ services:
     rsacertid: r1
   entityresolution:
     url: http://keycloak:8888/auth
-    clientid: 'tdf-entity-resolution'
-    clientsecret: 'secret'
-    realm: 'opentdf'
+    clientid: "tdf-entity-resolution"
+    clientsecret: "secret"
+    realm: "opentdf"
     legacykeycloak: true
     inferid:
       from:
@@ -32,8 +32,8 @@ server:
   auth:
     enabled: true
     enforceDPoP: false
-    public_client_id: 'opentdf-public'
-    audience: 'http://localhost:8080'
+    public_client_id: "opentdf-public"
+    audience: "http://localhost:8080"
     issuer: http://keycloak:8888/auth/realms/opentdf
     policy:
       ## Dot notation is used to access nested claims (i.e. realm_access.roles)
@@ -65,10 +65,9 @@ server:
       #  [matchers]
       #  m = g(r.sub, p.sub) && globOrRegexMatch(r.res, p.res) && globOrRegexMatch(r.act, p.act) && globOrRegexMatch(r.obj, p.obj)
   cors:
-    enabled: false
     # "*" to allow any origin or a specific domain like "https://yourdomain.com"
     allowedorigins:
-      - '*'
+      - "*"
     # List of methods. Examples: "GET,POST,PUT"
     allowedmethods:
       - GET

diff --git a/service/CHANGELOG.md b/service/CHANGELOG.md
@@ -1,5 +1,20 @@
 # Changelog
 
+## [0.4.34](https://github.com/opentdf/platform/compare/service/v0.4.33...service/v0.4.34) (2024-12-11)
+
+
+### Bug Fixes
+
+* **core:** properly chain grpc-gateway middleware order ([#1820](https://github.com/opentdf/platform/issues/1820)) ([5b9f054](https://github.com/opentdf/platform/commit/5b9f0541f39c6141ea060d699146482959fb32f7))
+
+## [0.4.33](https://github.com/opentdf/platform/compare/service/v0.4.32...service/v0.4.33) (2024-12-06)
+
+
+### Bug Fixes
+
+* **core:** Allow more users to rewrap ([#1813](https://github.com/opentdf/platform/issues/1813)) ([4d47475](https://github.com/opentdf/platform/commit/4d474750c20a9a6fe0f00487195851a606e24076))
+* **core:** Handle multiple modes including entityresolution mode ([#1816](https://github.com/opentdf/platform/issues/1816)) ([32d6938](https://github.com/opentdf/platform/commit/32d6938549bd9fc7e9e2fc7ec0157537bddafcc9))
+
 ## [0.4.32](https://github.com/opentdf/platform/compare/service/v0.4.31...service/v0.4.32) (2024-12-04)
 
 

diff --git a/service/go.mod b/service/go.mod
@@ -151,7 +151,7 @@ require (
 	github.com/yusufpapurcu/wmi v1.2.3 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
+	gopkg.in/yaml.v3 v3.0.1
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )
 

diff --git a/service/internal/server/server.go b/service/internal/server/server.go
@@ -96,11 +96,12 @@ type CORSConfig struct {
 	// Enable CORS for the server (default: true)
 	Enabled          bool     `mapstructure:"enabled" json:"enabled" default:"true"`
 	AllowedOrigins   []string `mapstructure:"allowedorigins" json:"allowedorigins"`
-	AllowedMethods   []string `mapstructure:"allowedmethods" json:"allowedmethods"`
-	AllowedHeaders   []string `mapstructure:"allowedheaders" json:"allowedheaders"`
+	AllowedMethods   []string `mapstructure:"allowedmethods" json:"allowedmethods" default:"[\"GET\",\"POST\",\"PATCH\",\"DELETE\",\"OPTIONS\"]"`
+	AllowedHeaders   []string `mapstructure:"allowedheaders" json:"allowedheaders" default:"[\"Accept\",\"Content-Type\",\"Content-Length\",\"Accept-Encoding\",\"X-CSRF-Token\",\"Authorization\",\"X-Requested-With\",\"Dpop\"]"`
 	ExposedHeaders   []string `mapstructure:"exposedheaders" json:"exposedheaders"`
 	AllowCredentials bool     `mapstructure:"allowcredentials" json:"allowedcredentials" default:"true"`
 	MaxAge           int      `mapstructure:"maxage" json:"maxage" default:"3600"`
+	Debug            bool     `mapstructure:"debug" json:"debug"`
 }
 
 type ConnectRPC struct {
@@ -264,6 +265,14 @@ func newHTTPServer(c Config, connectRPC http.Handler, originalGrpcGateway http.H
 		originalGrpcGateway.ServeHTTP(grpcRW, r)
 	})
 
+	// Add authN interceptor to extra handlers
+	if c.Auth.Enabled {
+		grpcGateway = a.MuxHandler(grpcGateway)
+	} else {
+		l.Error("disabling authentication. this is deprecated and will be removed. if you are using an IdP without DPoP set `enforceDPoP = false`")
+	}
+
+	// Note: The grpc-gateway handlers are getting chained together in reverse. So the last handler is the first to be called.
 	// CORS
 	if c.CORS.Enabled {
 		corsHandler := cors.New(cors.Options{
@@ -283,20 +292,14 @@ func newHTTPServer(c Config, connectRPC http.Handler, originalGrpcGateway http.H
 			ExposedHeaders:   c.CORS.ExposedHeaders,
 			AllowCredentials: c.CORS.AllowCredentials,
 			MaxAge:           c.CORS.MaxAge,
+			Debug:            c.CORS.Debug,
 		})
 
 		// Apply CORS to connectRPC and extra handlers
 		connectRPC = corsHandler.Handler(connectRPC)
 		grpcGateway = corsHandler.Handler(grpcGateway)
 	}
 
-	// Add authN interceptor to extra handlers
-	if c.Auth.Enabled {
-		grpcGateway = a.MuxHandler(grpcGateway)
-	} else {
-		l.Error("disabling authentication. this is deprecated and will be removed. if you are using an IdP without DPoP set `enforceDPoP = false`")
-	}
-
 	// Enable pprof
 	if c.EnablePprof {
 		grpcGateway = pprofHandler(grpcGateway)

diff --git a/service/pkg/server/start.go b/service/pkg/server/start.go
@@ -157,11 +157,15 @@ func Start(f ...StartOptions) error {
 		oidcconfig *auth.OIDCConfiguration
 	)
 
-	// If the mode is not all or entityresolution, we need to have a valid SDK config
+	// If the mode is not all, does not include both core and entityresolution, or is not entityresolution on its own, we need to have a valid SDK config
 	// entityresolution does not connect to other services and can run on its own
-	if !slices.Contains(cfg.Mode, "all") && !slices.Contains(cfg.Mode, "entityresolution") && cfg.SDKConfig == (config.SDKConfig{}) {
-		logger.Error("mode is not all or entityresolution, but no sdk config provided")
-		return errors.New("mode is not all or entityresolution, but no sdk config provided")
+	// core only connects to entityresolution
+	if !(slices.Contains(cfg.Mode, "all") || // no config required for all mode
+		(slices.Contains(cfg.Mode, "core") && slices.Contains(cfg.Mode, "entityresolution")) || // or core and entityresolution modes togethor
+		(slices.Contains(cfg.Mode, "entityresolution") && len(cfg.Mode) == 1)) && // or entityresolution on its own
+		cfg.SDKConfig == (config.SDKConfig{}) {
+		logger.Error("mode is not all, entityresolution, or a combination of core and entityresolution, but no sdk config provided")
+		return errors.New("mode is not all, entityresolution, or a combination of core and entityresolution, but no sdk config provided")
 	}
 
 	// If client credentials are provided, use them
@@ -186,7 +190,7 @@ func Start(f ...StartOptions) error {
 		sdkOptions = append(sdkOptions, sdk.WithCustomCoreConnection(otdf.ConnectRPCInProcess.Conn()))
 
 		// handle ERS connection for core mode
-		if slices.Contains(cfg.Mode, "core") {
+		if slices.Contains(cfg.Mode, "core") && !slices.Contains(cfg.Mode, "entityresolution") {
 			logger.Info("core mode")
 
 			if cfg.SDKConfig.EntityResolutionConnection.Endpoint == "" {