Update openapi.json after refactoring Keycloak sync in katta-server.

Author: chenkins

hub/src/main/java/cloud/katta/workflows/CreateVaultService.java

@@ -120,6 +120,7 @@ public void createVault(final UserKeys userKeys, final StorageProfileDtoWrapper
                     .uvfMetadataFile(uvfMetadataFile)
                     .uvfKeySet(jwks.serializePublicRecoverykey());
 
+            // create storage dto
             final String hashedRootDirId = metadataPayload.computeRootDirIdHash();
             final CreateS3STSBucketDto storageDto = new CreateS3STSBucketDto()
                     .vaultId(vaultModel.vaultId().toString())
@@ -130,6 +131,13 @@ public void createVault(final UserKeys userKeys, final StorageProfileDtoWrapper
                     .region(metadataPayload.storage().getRegion());
             log.debug("Created storage dto {}", storageDto);
 
+            // (1) create vault in hub, incl. Keycloak sync
+            final boolean minio = storageProfileWrapper.getStsRoleArn() != null && storageProfileWrapper.getStsRoleArn2() == null;
+            final boolean aws = storageProfileWrapper.getStsRoleArn() != null && storageProfileWrapper.getStsRoleArn2() != null;
+            log.debug("Create vault {}, minio={}, aws={}", vaultDto, minio, aws);
+            vaultResource.apiVaultsVaultIdPut(vaultDto.getId(), vaultDto, minio, aws);
+
+            // (2) create bucket
             final HostPasswordStore keychain = PasswordStoreFactory.get();
 
             final OAuthTokens tokens = keychain.findOAuthTokens(hubSession.getHost());
@@ -156,11 +164,8 @@ public void createVault(final UserKeys userKeys, final StorageProfileDtoWrapper
                                 .awsSecretKey(stsTokens.getSecretAccessKey())
                                 .sessionToken(stsTokens.getSessionToken()));
             }
-            // create vault in hub
-            log.debug("Create vault {}", vaultDto);
-            vaultResource.apiVaultsVaultIdPut(vaultDto.getId(), vaultDto);
 
-            // upload JWE
+            // (3) upload JWE to hub
             log.debug("Upload JWE {} for vault {}", uvfMetadataFile, vaultDto);
             final UserDto userDto = users.apiUsersMeGet(false, false);
             vaultResource.apiVaultsVaultIdAccessTokensPost(vaultDto.getId(), Collections.singletonMap(userDto.getId(), jwks.toOwnerAccessToken().encryptForUser(userKeys.ecdhKeyPair().getPublic())));

hub/src/main/resources/openapi.json

@@ -8,44 +8,20 @@
                     "access_token": {
                         "type": "string"
                     },
-                    "expires_in": {
-                        "type": "integer",
-                        "format": "int64"
-                    },
-                    "refresh_expires_in": {
-                        "type": "integer",
-                        "format": "int64"
-                    },
-                    "refresh_token": {
+                    "issued_token_type": {
                         "type": "string"
                     },
                     "token_type": {
                         "type": "string"
                     },
-                    "id_token": {
-                        "type": "string"
-                    },
-                    "not-before-policy": {
+                    "expires_in": {
                         "type": "integer",
-                        "format": "int32"
-                    },
-                    "session_state": {
-                        "type": "string"
-                    },
-                    "otherClaims": {
-                        "type": "object",
-                        "additionalProperties": {}
+                        "format": "int64"
                     },
                     "scope": {
                         "type": "string"
                     },
-                    "error": {
-                        "type": "string"
-                    },
-                    "error_description": {
-                        "type": "string"
-                    },
-                    "error_uri": {
+                    "refresh_token": {
                         "type": "string"
                     }
                 }
@@ -1624,6 +1600,9 @@
                             }
                         }
                     },
+                    "400": {
+                        "description": "bad request"
+                    },
                     "401": {
                         "description": "Not Authorized"
                     },
@@ -2500,6 +2479,24 @@
                 "summary": "creates or updates a vault",
                 "description": "Creates or updates a vault with the given vault id. The creationTime in the vaultDto is always ignored. On creation, the current server time is used and the archived field is ignored. On update, only the name, description, and archived fields are considered.",
                 "parameters": [
+                    {
+                        "description": "the role to grant to this user (defaults to False)",
+                        "in": "query",
+                        "name": "minio",
+                        "schema": {
+                            "type": "boolean",
+                            "default": false
+                        }
+                    },
+                    {
+                        "description": "the role to grant to this user (defaults to False)",
+                        "in": "query",
+                        "name": "aws",
+                        "schema": {
+                            "type": "boolean",
+                            "default": false
+                        }
+                    },
                     {
                         "name": "vaultId",
                         "in": "path",

hub/src/test/java/cloud/katta/workflows/CreateVaultServiceTest.java

@@ -67,6 +67,9 @@ void createVault() throws AccessException, SecurityFailure, BackgroundException,
                         .id(storageProfileId)
                         .protocol(Protocol.S3_STS)
                         .stsEndpoint("http://audley.end.point")
+                        // AWS has both role arns filled in
+                        .stsRoleArn("arnaud")
+                        .stsRoleArn2("ducret")
 
         );
         final StorageProfileDtoWrapper storageProfileWrapper = StorageProfileDtoWrapper.coerce(storageProfile);
@@ -104,7 +107,9 @@ public String getOAuthTokenUrl() {
 
         createVaultService.createVault(userKeys, storageProfileWrapper, createVaultModel);
 
-        Mockito.verify(vaults, times(1)).apiVaultsVaultIdPut(eq(vaultId), any());
+        final boolean expectedMinio = false;
+        final boolean expectedAWS = true;
+        Mockito.verify(vaults, times(1)).apiVaultsVaultIdPut(eq(vaultId), any(), eq(expectedMinio), eq(expectedAWS));
         Mockito.verify(vaults, times(1)).apiVaultsVaultIdAccessTokensPost(eq(vaultId), any());
         Mockito.verify(storage, times(1)).apiStorageVaultIdPut(eq(vaultId), any());
     }

hub/src/test/resources/.env

@@ -1,4 +1,4 @@
-KATTA_SERVER_IMAGE=ghcr.io/shift7-ch/katta-server:1.5.0-SNAPSHOT-ci@sha256:7ccf1b2050d24ac230b88996e8caab741e3e6a7df0986c2a03de32d7887747bd
+KATTA_SERVER_IMAGE=ghcr.io/shift7-ch/katta-server:commit-226795352277656dc9a7ede0f95a620f42253e54-ci
 HUB_PORT=8080
 HUB_KEYCLOAK_URL=http://localhost:8180
 HUB_KEYCLOAK_BASEPATH=

hub/src/test/resources/.hybrid.env

@@ -1,4 +1,4 @@
-KATTA_SERVER_IMAGE=ghcr.io/shift7-ch/katta-server:1.5.0-SNAPSHOT-ci@sha256:7ccf1b2050d24ac230b88996e8caab741e3e6a7df0986c2a03de32d7887747bd
+KATTA_SERVER_IMAGE=ghcr.io/shift7-ch/katta-server:commit-226795352277656dc9a7ede0f95a620f42253e54-ci
 HUB_PORT=8280
 HUB_KEYCLOAK_URL=https://testing.katta.cloud
 HUB_KEYCLOAK_BASEPATH=/kc

hub/src/test/resources/.local.env

@@ -1,4 +1,4 @@
-KATTA_SERVER_IMAGE=ghcr.io/shift7-ch/katta-server:1.5.0-SNAPSHOT-ci@sha256:7ccf1b2050d24ac230b88996e8caab741e3e6a7df0986c2a03de32d7887747bd
+KATTA_SERVER_IMAGE=ghcr.io/shift7-ch/katta-server:commit-226795352277656dc9a7ede0f95a620f42253e54-ci
 HUB_PORT=8280
 HUB_KEYCLOAK_URL=http://localhost:8380
 HUB_KEYCLOAK_BASEPATH=