Merge pull request #323 from xenit-eu/ACC-1904

NielsCW · web-flow · commit 6ac6a2725d16 · 2025-03-07T08:46:57.000+01:00
[ACC-1904] Fix keycloak and opa for local gateway setup
diff --git a/README.md b/README.md
@@ -297,3 +297,19 @@ value will be selected.
 | `contentgrid.idp.client-id`   | string | OAuth Client Id to initiate OpenID Connect authentication from the gateway                                    |
 | `contentgrid.idp.secret`      | string | OAuth Client Secret to initiate OpenID Connect authentication from the gateway                                |
 
+## Local development for management gateway
+
+You can run the gateway locally with the [contentgrid-compose project](https://github.com/xenit-eu/contentgrid-compose) by executing the following Gradle task:
+
+```bash
+./gradlew consoleBootRun
+```
+
+**Note:** you need to apply the following changes to contentgrid-compose:
+
+* `compose.sh`: comment out `docker-compose.yml`
+* Comment out `gateway.environment` from `docker-compose-architect.yml`, `docker-compose-captain.yml`, `docker-compose-herald.yml`, `docker-compose-keycloak.yml` and `docker-compose-scribe.yml`
+* `docker-compose-captain.yml`: change port 8080 to 9080 in `CONTENTGRID_SERVER_NAME`, `CONTENTGRID_AUTHORIZATION_ENDPOINT` and `CONTENTGRID_AUTHORIZATION_PROFILE`
+* `docker-compose-console.yml`: change port 8080 to 9080 in `API_BASE_URL`
+* `docker-compose-herald.yml`: change port 8080 to 9080 in `CONTENTGRID_AUTHORIZATION_ENDPOINT`
+* `docker-compose-scribe.yml`: change port 8080 to 9080 in all urls of `SCRIBE_ALLOWLIST`
diff --git a/docker-compose/example-rego/example.rego b/docker-compose/example-rego/example.rego
@@ -17,8 +17,7 @@ allow {
 # Allow GET /me
 allow {
     input.method == "GET"
-    # count(input.path) = 1
-    input.path[0] = "me"
+    input.path == ["me"]
 }
 
 # admin access on /api
diff --git a/src/main/resources/application-console.yml b/src/main/resources/application-console.yml
@@ -12,28 +12,46 @@ contentgrid:
           allowedOrigins:
             - 'http://${DOCKER_HOST_IP:172.17.0.1}:8085'
             - 'http://${DOCKER_HOST_IP:172.17.0.1}:9085'
+            - 'http://localhost:8085'
+            - 'http://localhost:9085'
         '[api.contentgrid.com]':
           allowedOrigins: 'https://console.contentgrid.com'
 
+testing:
+  bootstrap:
+    enable: false
+
 spring:
   cloud:
     gateway:
       routes:
         - id: architect
           uri: http://${DOCKER_HOST_IP:172.17.0.1}:8083/
           predicates:
-            - Path=/,/orgs/**,/projects/**,/users/**,/blueprints/**,/datamodel/**
-        - id: console
-          uri: http://${DOCKER_HOST_IP:172.17.0.1}:9085/
+            - Path=/,/orgs/**,/users/**,/permalink/**,/authorize/**
+        - id: scribe
+          uri: http://${DOCKER_HOST_IP:172.17.0.1}:8084/
+          predicates:
+            - Path=/codegen/**
+        - id: captain
+          uri: http://${DOCKER_HOST_IP:172.17.0.1}:8086/
+          predicates:
+            - Path=/applications,/applications/**,/deployments/**,/artifacts/**,/zones/**,/iam/**,/services/**
+        - id: herald
+          uri: http://${DOCKER_HOST_IP:172.17.0.1}:8088/
+          predicates:
+            - Path=/invitations,/invitations/**,/invitation-static/**
+        - id: assistant
+          uri: http://${DOCKER_HOST_IP:172.17.0.1}:5002/
           predicates:
-            - Path=/**
+            - Path=/assistant,/assistant/**
   security:
     oauth2:
       client:
         provider:
           keycloak:
             user-name-attribute: preferred_username
-            issuer-uri: https://auth.content-cloud.eu/auth/realms/contentcloud-dev
+            issuer-uri: http://${DOCKER_HOST_IP:172.17.0.1}:8082/realms/contentgrid-dev
         registration:
           keycloak:
             client-id: contentcloud-gateway
@@ -45,4 +63,4 @@ spring:
 
       resourceserver:
         jwt:
-          issuer-uri: https://auth.content-cloud.eu/auth/realms/contentcloud-dev
+          issuer-uri: http://${DOCKER_HOST_IP:172.17.0.1}:8082/realms/contentgrid-dev
diff --git a/src/main/resources/application-keycloak.yml b/src/main/resources/application-keycloak.yml
@@ -7,7 +7,7 @@ spring:
         provider:
           keycloak:
             user-name-attribute: preferred_username
-            issuer-uri: http://${DOCKER_HOST_IP:172.17.0.1}:8090/auth/realms/contentcloud-gateway
+            issuer-uri: http://${DOCKER_HOST_IP:172.17.0.1}:8090/realms/contentcloud-gateway
         registration:
           keycloak:
             client-id: contentcloud-gateway
@@ -20,4 +20,4 @@ spring:
       # JWT Bearer authentication
       resourceserver:
         jwt:
-          issuer-uri: http://${DOCKER_HOST_IP:172.17.0.1}:8090/auth/realms/contentcloud-gateway
+          issuer-uri: http://${DOCKER_HOST_IP:172.17.0.1}:8090/realms/contentcloud-gateway
diff --git a/src/test/java/com/contentgrid/gateway/OpenPolicyAgentIntegrationTest.java b/src/test/java/com/contentgrid/gateway/OpenPolicyAgentIntegrationTest.java
@@ -29,7 +29,7 @@ public class OpenPolicyAgentIntegrationTest {
     private static final Logger logger = LoggerFactory.getLogger(OpenPolicyAgentIntegrationTest.class);
 
     @Container
-    private static final GenericContainer<?> openPolicyAgent = new GenericContainer<>("docker.io/openpolicyagent/opa:0.36.1-debug")
+    private static final GenericContainer<?> openPolicyAgent = new GenericContainer<>("docker.io/openpolicyagent/opa:0.70.0-debug")
             .withCopyFileToContainer(MountableFile.forClasspathResource("test.rego"), "/config/test.rego")
             .withExposedPorts(8181)
             .withLogConsumer(new Slf4jLogConsumer(logger))

Original file line number	Diff line number	Diff line change
`@@ -17,8 +17,7 @@ allow {`
`17`	`17`	`# Allow GET /me`
`18`	`18`	`allow {`
`19`	`19`	`input.method == "GET"`
`20`		`- # count(input.path) = 1`
`21`		`- input.path[0] = "me"`
	`20`	`+ input.path == ["me"]`
`22`	`21`	`}`
`23`	`22`
`24`	`23`	`# admin access on /api`