diff --git a/deployment/kubernetes/client-registration-api.yaml b/deployment/kubernetes/client-registration-api.yaml
index d8245a7..ffcc4ea 100644
--- a/deployment/kubernetes/client-registration-api.yaml
+++ b/deployment/kubernetes/client-registration-api.yaml
@@ -48,70 +48,6 @@ spec:
 secretKeyRef:
 name: auth-secrets
 key: user_auth_realm
- initContainers:
- - name: client-registration-auth
- image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.1
- restartPolicy: Always
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 4181
- env:
- - name: OAUTH2_PROXY_PROVIDER
- value: "keycloak-oidc"
- - name: OAUTH2_PROXY_CLIENT_ID
- valueFrom:
- secretKeyRef:
- name: auth-secrets
- key: user_client_id
- - name: OAUTH2_PROXY_CLIENT_SECRET
- valueFrom:
- secretKeyRef:
- name: auth-secrets
- key: user_client_secret
- - name: OAUTH2_PROXY_COOKIE_SECRET
- valueFrom:
- secretKeyRef:
- name: auth-secrets
- key: user_cookie_secret
- - name: OAUTH2_PROXY_REDIRECT_URL
- value: /client-registration/oauth2/callback
- - name: OAUTH2_PROXY_OIDC_ISSUER_URL
- valueFrom:
- secretKeyRef:
- name: auth-secrets
- key: user_auth_url
- - name: OAUTH2_PROXY_COOKIE_SECURE
- value: "true"
- - name: OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL
- value: "true"
- - name: OAUTH2_PROXY_HTTP_ADDRESS
- value: "0.0.0.0:4181"
- - name: OAUTH2_PROXY_UPSTREAMS
- value: "static://200"
- - name: OAUTH2_PROXY_SKIP_PROVIDER_BUTTON
- value: "true"
- - name: OAUTH2_PROXY_SSL_UPSTREAM_INSECURE_SKIP_VERIFY
- value: "true"
- - name: OAUTH2_PROXY_SCOPE
- value: "openid email profile"
- - name: OAUTH2_PROXY_SET_XAUTHREQUEST
- value: "true"
- - name: OAUTH2_PROXY_REVERSE_PROXY
- value: "true"
- - name: OAUTH2_PROXY_COOKIE_DOMAINS
- value: ".openepi.io"
- - name: OAUTH2_PROXY_EMAIL_DOMAINS
- value: "*"
- - name: OAUTH2_PROXY_SESSION_COOKIE_MINIMAL
- value: "true"
- - name: OAUTH2_PROXY_PROXY_PREFIX
- value: "/client-registration/oauth2"
- - name: OAUTH2_PROXY_ALLOW_RELATIVE_REDIRECT_URL
- value: "true"
- - name: OAUTH2_PROXY_FORCE_JSON_ERRORS
- value: "true"
- - name: OAUTH2_PROXY_COOKIE_NAME
- value: "__Secure-openepi_user"
 ---
 apiVersion: v1
 kind: Service
@@ -139,36 +75,6 @@ spec:
 forceSlash: true
 ---
 apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: client-registration-auth
-spec:
- forwardAuth:
- address: http://client-registration-api.apps.svc.cluster.local:4181
- trustForwardHeader: true
- authResponseHeaders:
- - X-Forwarded-User
- - X-Auth-Request-Access-Token
- - X-Auth-Request-Email
- - X-Auth-Request-User
- - X-Auth-Request-Username
- - X-Auth-Request-Preferred-Username
- - Authorization
----
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: cors-client-registration
-spec:
- headers:
- accessControlAllowMethods:
- - "GET"
- accessControlAllowHeaders:
- - "*"
- accessControlAllowOriginList:
- - "*"
----
-apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
 name: client-registration-api
@@ -177,18 +83,12 @@ spec:
 - websecure
 routes:
 - kind: Rule
- match: PathPrefix(`/client-registration`) && !PathPrefix(`/client-registration/metrics`) && !PathPrefix(`/client-registration/oauth2`)
+ match: PathPrefix(`/client-registration`) && !PathPrefix(`/client-registration/metrics`)
 services:
 - kind: Service
 name: client-registration-api
 port: 80
 middlewares:
 - name: traefikmiddleware-cors-for-internal-apps@kubernetescrd
- - name: client-registration-auth
+ - name: traefikmiddleware-jwt@kubernetescrd
 - name: stripprefix-client-registration
- - kind: Rule
- match: PathPrefix(`/client-registration/oauth2`) && !PathPrefix(`/client-registration/oauth2/metrics`)
- services:
- - kind: Service
- name: client-registration-api
- port: 4181
diff --git a/middleware/user.go b/middleware/user.go
index a8ead62..71f3405 100644
--- a/middleware/user.go
+++ b/middleware/user.go
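Review bot: The new `middlewares` entry `traefikmiddleware-jwt@kubernetescrd` is now the only thing between the public route and a backend that trusts an identity header, yet the Middleware it names is not defined in this diff (the `@kubernetescrd` form suggests it lives in another namespace), so it cannot be checked here whether it overwrites or merely passes through a client-supplied `X-Preferred-Username`. The removed forwardAuth Middleware set its headers from the auth service's response via `authResponseHeaders`, which as I understand Traefik replaces any inbound value; the JWT path needs the equivalent guarantee, and the Service should remain unreachable except through this IngressRoute. Suggest a comment next to the entry recording that contract, e.g. `# must set X-Preferred-Username from validated claims; middleware/user.go trusts the header as-is`, once confirmed against the Middleware definition.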
@@ -1,13 +1,14 @@
 package middleware
 import (
- "github.com/gin-gonic/gin"
 "net/http"
+
+ "github.com/gin-gonic/gin"
 )
 func UserRequired() gin.HandlerFunc {
 return func(c *gin.Context) {
- username := c.Request.Header.Get("X-Auth-Request-Preferred-Username")
+ username := c.Request.Header.Get("X-Preferred-Username")
 if username == "" {
 c.JSON(http.StatusForbidden, gin.H{
 "error": "Not supported without user",
diff --git a/tests/unit/middleware/user_test.go b/tests/unit/middleware/user_test.go
index e708d9f..9656a32 100644
--- a/tests/unit/middleware/user_test.go
+++ b/tests/unit/middleware/user_test.go
@@ -1,12 +1,13 @@
 package middleware
 import (
- "github.com/gin-gonic/gin"
- "github.com/openearthplatforminitiative/client-registration-api/middleware"
- "github.com/stretchr/testify/assert"
 "net/http"
 "net/http/httptest"
 "testing"
+
+ "github.com/gin-gonic/gin"
+ "github.com/openearthplatforminitiative/client-registration-api/middleware"
+ "github.com/stretchr/testify/assert"
 )
 func TestUserRequired(t *testing.T) {
@@ -51,7 +52,7 @@ func TestUserRequired(t *testing.T) {
 req, _ := http.NewRequest("GET", "/test", nil)
 if tc.usernameHeader != "" {
- req.Header.Set("X-Auth-Request-Preferred-Username", tc.usernameHeader)
+ req.Header.Set("X-Preferred-Username", tc.usernameHeader)
 }
 router.ServeHTTP(w, req)
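Review bot: The renamed header `"X-Preferred-Username"` in `UserRequired` is a bare literal that the test in tests/unit/middleware/user_test.go repeats verbatim in its `req.Header.Set` hunk, so the two can drift on the next rename; an exported constant, `const UsernameHeader = "X-Preferred-Username"`, read via `c.Request.Header.Get(UsernameHeader)` here and in the test, gives both one source of truth. `UserRequired` also lacks a doc comment, and the trust assumption is the part worth writing down: `// UserRequired rejects requests without an X-Preferred-Username header. The value is trusted as-is, so the handler must only be reachable through the ingress middleware that sets it from a validated token.` The function body continues past the end of the hunk.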