chore: add devcontainer

.devcontainer/.env_template

@@ -0,0 +1,2 @@
+GITLAB_CLIENT_ID=
+GITLAB_CLIENT_SECRET=

.devcontainer/devcontainer.json

@@ -0,0 +1,16 @@
+{
+	"name": "gateway",
+	"service": "api",
+	"dockerComposeFile": "docker-compose.yaml",
+	"workspaceFolder": "/workspaces/${localWorkspaceFolderBasename}",
+	"features": {
+		"ghcr.io/devcontainers-contrib/features/poetry:2": {},
+		"ghcr.io/devcontainers/features/git:1": {},
+		"ghcr.io/jungaretti/features/make:1": {},
+		"ghcr.io/devcontainers/features/go:1": {},
+		"ghcr.io/devcontainers-contrib/features/bash-command:1": {
+			"command": "mkdir -p /go/pkg && chmod -R a+w /go/pkg"
+		}
+	},
+	"postCreateCommand": "poetry install --with dev && go mod download"
+}

.devcontainer/docker-compose.yaml

@@ -0,0 +1,64 @@
+version: '3.8'
+
+services:
+  api:
+    build:
+      context: ..
+      dockerfile: Dockerfile
+    volumes:
+      - ../..:/workspaces:cached
+    entrypoint: sleep infinity
+    environment:
+      REDIS_HOST: redis
+      REDIS_PASSWORD: renku
+      KEYCLOAK_URL: http://127.0.0.1:8080/auth
+      OIDC_CLIENT_ID: renku
+      OIDC_CLIENT_SECRET: kfclJaMDwcUIUSx3vSRRZLxXtALLOLzz
+      GITLAB_URL: https://gitlab.dev.renku.ch
+      GATEWAY_SECRET_KEY: 8cdd6e7afbc6eeba6ae9f6230a8af5415e02e6e630d01e6edb461d42c57a2d59
+      GITLAB_CLIENT_ID: ${GITLAB_CLIENT_ID}
+      GITLAB_CLIENT_SECRET: ${GITLAB_CLIENT_SECRET}
+      OAUTHLIB_INSECURE_TRANSPORT: 1
+      HOST_NAME: http://127.0.0.1:5000
+    network_mode: service:redis
+    depends_on:
+      - redis
+
+  redis:
+    image: bitnami/redis
+    restart: unless-stopped
+    environment:
+      REDIS_PASSWORD: renku
+    volumes:
+      - redis-data:/bitnami/redis
+    ports:
+      - "5000:5000"
+      - "8080:8080"
+      - "6379:6379"
+      - "5432:5432"
+
+  keycloak:
+    image: bitnami/keycloak
+    environment:
+      KEYCLOAK_ADMIN: admin
+      KEYCLOAK_ADMIN_PASSWORD: renku
+      KEYCLOAK_DATABASE_USER: postgres
+      KEYCLOAK_DATABASE_PASSWORD: renku
+      KEYCLOAK_DATABASE_NAME: postgres
+      KEYCLOAK_HTTP_RELATIVE_PATH: /auth
+      KEYCLOAK_DATABASE_HOST: 127.0.0.1
+    network_mode: service:redis
+    depends_on:
+      - postgresql
+
+  postgresql:
+    image: bitnami/postgresql
+    volumes:
+      - postgresql-data:/bitnami/postgresql
+    environment:
+      POSTGRESQL_PASSWORD: renku
+    network_mode: service:redis
+
+volumes:
+  redis-data:
+  postgresql-data:

.devcontainer/renku.json

@@ -0,0 +1,73 @@
+{
+  "clientId": "renku",
+  "name": "renku",
+  "description": "",
+  "rootUrl": "http://127.0.0.1:5000",
+  "adminUrl": "http://127.0.0.1:5000",
+  "baseUrl": "http://127.0.0.1:5000",
+  "surrogateAuthRequired": false,
+  "enabled": true,
+  "alwaysDisplayInConsole": false,
+  "clientAuthenticatorType": "client-secret",
+  "secret": "kfclJaMDwcUIUSx3vSRRZLxXtALLOLzz",
+  "redirectUris": [
+    "",
+    "http://127.0.0.1:5000/*"
+  ],
+  "webOrigins": [
+    "http://127.0.0.1:5000"
+  ],
+  "notBefore": 0,
+  "bearerOnly": false,
+  "consentRequired": false,
+  "standardFlowEnabled": true,
+  "implicitFlowEnabled": false,
+  "directAccessGrantsEnabled": true,
+  "serviceAccountsEnabled": false,
+  "publicClient": false,
+  "frontchannelLogout": true,
+  "protocol": "openid-connect",
+  "attributes": {
+    "oidc.ciba.grant.enabled": "false",
+    "client.secret.creation.time": "1713360798",
+    "backchannel.logout.session.required": "true",
+    "post.logout.redirect.uris": "http://127.0.0.1:5000/*",
+    "oauth2.device.authorization.grant.enabled": "false",
+    "backchannel.logout.revoke.offline.tokens": "false"
+  },
+  "authenticationFlowBindingOverrides": {},
+  "fullScopeAllowed": true,
+  "nodeReRegistrationTimeout": -1,
+  "defaultClientScopes": [
+    "web-origins",
+    "acr",
+    "roles",
+    "profile",
+    "email"
+  ],
+  "optionalClientScopes": [
+    "address",
+    "phone",
+    "offline_access",
+    "microprofile-jwt"
+  ],
+  "access": {
+    "view": true,
+    "configure": true,
+    "manage": true
+  },
+  "protocolMappers": [
+    {
+      "name": "audience for renku",
+      "protocol": "openid-connect",
+      "protocolMapper": "oidc-audience-mapper",
+      "consentRequired": false,
+      "config": {
+        "included.client.audience": "renku",
+        "id.token.claim": "false",
+        "access.token.claim": "true",
+        "userinfo.token.claim": "false"
+      }
+    }
+  ]
+}

Makefile

@@ -1,14 +1,14 @@
 PKG_NAME=github.com/SwissDataScienceCenter/renku-gateway
 
-.PHONY: build clean tests
+.PHONY: build clean tests auth_tests run_auth run_revproxy
 
 auth_tests:
 	poetry run flake8 -v
 	poetry run pytest
 
-build: internal/login/spec.gen.go
+build:
 	go mod download
-	go build -o gateway $(PKG_NAME)/cmd/gateway 
+	go build -o revproxy $(PKG_NAME)/cmd/revproxy
 
 clean:
 	go clean
@@ -22,3 +22,8 @@ tests:
 internal/login/spec.gen.go: apispec.yaml
 	oapi-codegen -generate types,server,spec -package login $< > $@ 
 
+run_auth:
+	poetry run gunicorn -b 0.0.0.0:5000 app:app
+
+run_revproxy:
+	go run $(PKG_NAME)/cmd/revproxy

README.md

@@ -30,6 +30,24 @@ and `models` are the packages that are most commonly used by other packages. The
 or any other checks or guards in place to enforce this. Hopefully a convention / agreement like this
 is enough to avoid problems.
 
+## Developing
+
+1. Create a client in a Gitlab deployment, for example https://gitlab.dev.renku.ch, with the following configuration:
+  - name: renku-gateway
+  - callbacks:
+    - `http://127.0.0.1:5000/login/redirect/gitlab`
+    - `http://127.0.0.1:5000/auth/gitlab/token`
+  - scopes: api, read_user, read_repository, read_registry, openid
+2. Copy the `.env_template` file inside the `.devcontainer` folder as a file called `.env`
+3. Replace the contents of `.devcontainer/.env` with the Gitlab cliend ID and secret from step 1
+4. Login as admin to Keycloak at `http://127.0.0.1:5000/auth`
+5. Create a real called `Renku` (this is case sensitive in Keycloak and all other applications)
+6. Create a client by loading the `.devcontainer/renku.json` file into Keycloak
+
+NOTE: When visiting the address in the browser make sure to use `127.0.0.1` as the host.
+The configuration and setup steps here use that as well. Even using localhost instead of `127.0.0.1`
+will lead to problems and the login will not complete.
+
 ## Oauth2 flows
 
 ```mermaid