Merge v1.6 into main (#402)

.github/actions/build/action.yaml

@@ -0,0 +1,83 @@
+name: 'Build Image'
+description: 'Builds and pushes images'
+inputs: 
+  image-tag-prefix: # prefix the tag with this
+    description: 'IMAGE_TAG_PREFIX'
+    required: false
+    default: ''
+  backend-dockerfile: # dockerfile for backend build
+    description: 'DOCKERFILE_BACKEND'
+    required: false
+    default: Dockerfile.backend-container
+  frontend-dockerfile: # dockerfile for frontend build
+    description: 'DOCKERFILE_FRONTEND'
+    required: false
+    default: frontend/Dockerfile.frontend-container
+  tag-version: # set to true if tagging official version
+    description: 'VERSION'
+    required: false
+    default: false
+runs:
+  using: "composite"
+  steps:
+    - name: Set image tag prefix
+      shell: bash
+      run: echo "IMAGE_TAG_PREFIX=${{ inputs.image-tag-prefix }}" >> $GITHUB_ENV
+    - name: Set backend dockerfile
+      shell: bash
+      run: echo "DOCKERFILE_BACKEND=${{ inputs.backend-dockerfile }}" >> $GITHUB_ENV
+    - name: Set frontend dockerfile
+      shell: bash
+      run: echo "DOCKERFILE_FRONTEND=${{ inputs.frontend-dockerfile }}" >> $GITHUB_ENV
+
+    - name: Install Golang
+      uses: actions/setup-go@v5.0.0
+      with:
+        go-version-file: go.mod
+        check-latest: true
+        cache: true
+
+    - name: Download modules
+      shell: bash
+      run: go mod download
+
+    - uses: actions/setup-node@v4.0.2
+      with:
+        node-version: '18'
+
+    # https://github.com/docker/setup-qemu-action
+    #- name: Set up QEMU
+    #  uses: docker/setup-qemu-action@v3
+    # https://github.com/docker/setup-buildx-action
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Download modules
+      shell: bash
+      run: go mod download
+
+    - name: golangci-lint
+      uses: golangci/golangci-lint-action@v4.0.0
+      with:
+        version: v1.57.2
+        args: --timeout 7m
+
+    # set repo and GITHUB SHA 
+    - name: Set github commit id
+      shell: bash
+      run: echo "GITHUB_SHA=$GITHUB_SHA" >> $GITHUB_ENV      
+    - name: Set release repo
+      shell: bash
+      run: echo "REPO=ghcr.io/${{ github.repository_owner }}" >> $GITHUB_ENV
+    # override version with GITHUB_SHA if tag-version set to false
+    # this way only GITHUBSHA is tagged with this build
+    - name: Override version if not official build
+      shell: bash
+      if: ${{ inputs.tag-version == 'false' }}
+      run: echo "VERSION=$GITHUB_SHA" >> $GITHUB_ENV
+
+    # build and push images tagged with GITHUB_SHA, version
+    - name: Build and push tornjak images
+      shell: bash
+      run: make release-images
+

.github/workflows/ci.yaml

@@ -41,7 +41,7 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v4.0.0
         with:
-          version: v1.53
+          version: v1.57.2
           args: --timeout 7m
 
       - name: Build binaries

.github/workflows/master-build.yaml

@@ -1,11 +1,11 @@
 name: Tornjak Artifact push
 on:
-  push:
-    branches:
-    - main
-    - v1.5
+  push: 
+    branches-ignore:
+      - 'dependabot/**'
+  workflow_dispatch: {}
 jobs:
-  tornjak-build:
+  alpine-build:
     runs-on: ubuntu-latest
     steps:
       - name: Show trigger info
@@ -20,65 +20,60 @@ jobs:
 
       - name: Check out repository code
         uses: actions/checkout@v4.1.2
-
-      - name: Install Golang
-        uses: actions/setup-go@v5.0.0
+      - name: Log in to GHCR.io
+        uses: docker/login-action@v3.1.0
         with:
-          go-version-file: go.mod
-          check-latest: true
-          cache: true
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Download modules
-        run: go mod download
+      - name: Get branch name
+        id: branch_name
+        run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
 
-      - uses: actions/setup-node@v4.0.2
+      - name: Run build
+        uses: ./.github/actions/build
         with:
-          node-version: '18'
+          tag-version: ${{ contains(fromJSON('["main", "v1.6"]'), steps.branch_name.outputs.branch) && true || false }}
 
-      # https://github.com/docker/setup-qemu-action
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-      # https://github.com/docker/setup-buildx-action
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Download modules
-        run: go mod download
+      - name: Print job result
+        run: |
+          cat <<EOF >>"${GITHUB_STEP_SUMMARY}"
+          - 🍏 This job's status is ${{ job.status }}.
+          EOF
+  ubi-build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Show trigger info
+        run: |
+          cat <<EOF >>"${GITHUB_STEP_SUMMARY}"
+          # Workflow job info
 
-      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v4.0.0
-        with:
-          version: v1.53
-          args: --timeout 7m
+          - 🎉 The job was automatically triggered by a ${{ github.event_name }} event.
+          - 🐧 This job is now running on a ${{ runner.os }} server hosted by GitHub!
+          - 🔎 The name of your branch is ${{ github.ref }} and your repository is ${{ github.repository }}.
+          EOF
 
+      - name: Check out repository code
+        uses: actions/checkout@v4.1.2
       - name: Log in to GHCR.io
         uses: docker/login-action@v3.1.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-
-      # set repo and GITHUB SHA 
-      - name: Set github commit id
-        run: echo "GITHUB_SHA=$GITHUB_SHA" >> $GITHUB_ENV
-
-      - name: Set release repo
-        run: echo "REPO=ghcr.io/${{ github.repository_owner }}" >> $GITHUB_ENV
-
-      # build and push images tagged with GITHUB_SHA, version
-      - name: Build and push tornjak images
-        run: make release-images
 
-      # build and push UBI images
-      - name: Add ubi prefix
-        run: echo "IMAGE_TAG_PREFIX=ubi-" >> $GITHUB_ENV
-      - name: Set frontend Dockerfile
-        run: echo "DOCKERFILE_FRONTEND=frontend/Dockerfile.frontend-container.ubi" >> $GITHUB_ENV
-      - name: Set backend Dockerfile
-        run: echo "DOCKERFILE_BACKEND=Dockerfile.backend-container.ubi" >> $GITHUB_ENV
+      - name: Get branch name
+        id: branch_name
+        run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
 
-      - name: Build and push UBI images
-        run: make release-images
+      - name: Run build
+        uses: ./.github/actions/build
+        with:
+          image-tag-prefix: ubi-
+          backend-dockerfile: Dockerfile.backend-container.ubi
+          frontend-dockerfile: frontend/Dockerfile.frontend-container.ubi
+          tag-version: ${{ contains(fromJSON('["main", "v1.6"]'), steps.branch_name.outputs.branch) && true || false }}
 
       - name: Print job result
         run: |

Dockerfile.backend-container

@@ -1,7 +1,7 @@
 # xx is helper for cross-compilation
-FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.3.0 AS xx
+FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.4.0 AS xx
 
-FROM --platform=$BUILDPLATFORM golang:1.20-alpine3.18 AS builder
+FROM --platform=$BUILDPLATFORM golang:1.22-alpine3.19 AS builder
 RUN apk add build-base
 COPY . /usr/src/myapp
 WORKDIR /usr/src/myapp

Dockerfile.backend-container.ubi

@@ -1,7 +1,7 @@
 # xx is helper for cross-compilation
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.3.0 AS xx
 
-FROM --platform=$BUILDPLATFORM golang:1.20-alpine3.18 AS builder
+FROM --platform=$BUILDPLATFORM golang:1.22-alpine3.19 AS builder
 RUN apk add build-base
 COPY . /usr/src/myapp
 WORKDIR /usr/src/myapp

Makefile

@@ -1,4 +1,4 @@
-VERSION=$(shell cat version.txt)
+VERSION ?= $(shell cat version.txt)
 GITHUB_SHA ?= "$(shell git rev-parse HEAD 2>/dev/null)"
 
 ## REPO defines where to push images
@@ -18,7 +18,7 @@ DOCKERFILE_FRONTEND ?= frontend/Dockerfile.frontend-container
 BINARIES=tornjak-backend tornjak-manager
 IMAGES=$(BINARIES) tornjak-frontend 
 
-GO_VERSION ?= 1.20
+GO_VERSION ?= 1.22
 
 GO_FILES := $(shell find . -type f -name '*.go' -not -name '*_test.go' -not -path './vendor/*')
 
@@ -61,7 +61,7 @@ binaries: $(addprefix bin/,$(BINARIES)) ## Build bin/tornjak-backend and bin/tor
 
 bin/tornjak-backend: cmd/agent $(GO_FILES) | vendor ## Build tornjak-backend binary
 	# Build hack because of flake of imported go module
-	docker run --rm -v "${PWD}":/usr/src/myapp -w /usr/src/myapp -e GOOS=linux -e GOARCH=amd64 golang:$(GO_VERSION) \
+	docker run --rm -v "${PWD}":/usr/src/myapp -w /usr/src/myapp -e GOOS=linux -e GOARCH=amd64 -e CGO_ENABLED=1 golang:$(GO_VERSION) \
 		/bin/sh -c "go build --tags 'sqlite_json' -o agent ./$</main.go; go build --tags 'sqlite_json' -mod=vendor -ldflags '-s -w -linkmode external -extldflags "-static"' -o $@ ./$</main.go"
 
 bin/tornjak-manager: cmd/manager $(GO_FILES) | vendor ## Build bin/tornjak-manager binary

USAGE.md

@@ -17,7 +17,7 @@ Please see below for compatibility charts of SPIRE server versions with Tornjak:
 | Tornjak version        | SPIRE Server version |
 | :--------------------- | :------------------- |
 | v1.1.x, v1.2.x, v1.3.x | v1.1.x, v1.2.x, v1.3.x, v1.4.x |
-| v1.4.x                 | v1.5.x, v1.6.x, v1.7.x |
+| v1.4.x, v1.5.x, v1.6.x | v1.5.x, v1.6.x, v1.7.x, v1.8.x, v1.9.x|
 
 ## Tornjak Backend
 
@@ -57,6 +57,8 @@ The frontend is meant to connect to either the Tornjak backend or the Tornjak ma
 | `NODE_OPTIONS`              | Node options for npm start | `--openssl-legacy-provider` | `--openssl-legacy-provider` | false |
 | `REACT_APP_TORNJAK_MANAGER` | Boolean for whether the connected server is a manager | `false` | `true` | false |
 | `REACT_APP_AUTH_SERVER_URI` | URI for the Keycloak instance to obtain access tokens |  | `http://localhost:8080` | false |
+| `REACT_APP_KEYCLOAK_REALM` | Name of Keycloak realm |  | 'tornjak' | false |
+| `REACT_APP_OIDC_CLIENT_ID` | Auth Client ID |  | 'tornjak' | false |
 | `PORT_FE` | Port for the frontend to run | `3000` | `3000` | true |
 | `PORT_BE` | Port for the backend to run | `10000` | `10000` | true |
 | `REACT_APP_SPIRE_HEALTH_CHECK_ENABLE` | Enable SPIRE health check component | `false` | `true` | false |

api/agent/server.go

@@ -13,7 +13,7 @@ import (
 	"time"
 	"crypto/tls"
 
-	"github.com/cenkalti/backoff/v4"
+	backoff "github.com/cenkalti/backoff/v4"
 	"github.com/gorilla/mux"
 	"github.com/hashicorp/hcl"
 	"github.com/hashicorp/hcl/hcl/ast"
@@ -765,14 +765,24 @@ func NewAuth(authPlugin *ast.ObjectItem) (auth.Auth, error) {
 
 	switch key {
 	case "KeycloakAuth":
+		// check if data is defined
+		if data == nil {
+			return nil, errors.New("KeycloakAuth UserManagement plugin ('config > plugins > UserManagement KeycloakAuth > plugin_data') no populated")
+		}
+		fmt.Printf("KeycloakAuth Usermanagement Data: %+v\n", data)
 		// decode config to struct
 		var config pluginAuthKeycloak
 		if err := hcl.DecodeObject(&config, data); err != nil {
 			return nil, errors.Errorf("Couldn't parse Auth config: %v", err)
 		}
 
+		// Log warning if audience is nil that aud claim is not checked
+		if config.Audience == "" {
+			fmt.Printf("WARNING: Auth plugin has no expected audience configured - `aud` claim will not be checked (please populate 'config > plugins > UserManagement KeycloakAuth > plugin_data > audience')")
+		}
+
 		// create verifier TODO make json an option?
-		verifier, err := auth.NewKeycloakVerifier(true, config.JwksURL, config.RedirectURL)
+		verifier, err := auth.NewKeycloakVerifier(true, config.IssuerURL, config.Audience)
 		if err != nil {
 			return nil, errors.Errorf("Couldn't configure Auth: %v", err)
 		}

api/agent/types.go

@@ -104,11 +104,11 @@ func (h HTTPSConfig) Parse() (*tls.Config, error) {
 
 /* Plugin types */
 type pluginDataStoreSQL struct {
-	Drivername string `json:"drivername"`
-	Filename   string `json:"filename"`
+	Drivername string `hcl:"drivername"`
+	Filename   string `hcl:"filename"`
 }
 
 type pluginAuthKeycloak struct {
-	JwksURL     string
-	RedirectURL string
+	IssuerURL string `hcl:"issuer"`
+	Audience  string `hcl:"audience"`
 }

cmd/agent/main.go

@@ -10,7 +10,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/spiffe/spire/pkg/common/catalog"
 	agentapi "github.com/spiffe/tornjak/api/agent"
-	"github.com/urfave/cli/v2"
+	cli "github.com/urfave/cli/v2"
 )
 
 type cliOptions struct {

docs/conf/agent/full.conf

@@ -44,17 +44,16 @@ plugins {
   # Configure Keycloak as external Authentication server
   UserManagement "KeycloakAuth" {
     plugin_data {
-      # jwksURL - URL for JWKS verification
+      # issuer - Issuer URL for OIDC
       # here is a sample for Keycloak running locally on Minikube
-      jwksURL = "http://host.minikube.internal:8080/realms/tornjak/protocol/openid-connect/certs"
+      issuer = "http://host.docker.internal:8080/realms/tornjak"
       # for cloud deployment it would be something like:
-      # jwksURL = "http://<ingress_access>/realms/tornjak/protocol/openid-connect/certs"
+      # issuer = "http://<ingress_access>/realms/tornjak"
 
-      # redirectURL - URL for redirecting after successful authentication
-      # here is a sample for Keycloak running locally on minikube
-      redirectURL = "http://localhost:8080/realms/tornjak/protocol/openid-connect/auth?client_id=Tornjak-React-auth"
-      # for a cloud deployment it would look something like:
-      # redirectURL= "http://<ingress_access>/realms/tornjak/protocol/openid-connect/auth?client_id=Tornjak-React-auth"
+      # audience - expected value for aud claim in JWT
+      # if not included or set, there will be no audience check
+      # recommended to ensure JWT was meant for Tornjak Backend resource server
+      audience = "tornjak-backend"
     }
   }
 

docs/config-tornjak-server.md

@@ -75,7 +75,7 @@ For examples on enabling TLS and mTLS connections, please see [our TLS and mTLS
 | Type | Name | Description |
 | ---- | ---- | ----------- |
 | DataStore | [sql]() | Default SQL storage for Tornjak metadata |
-| UserManagement | [keycloak](/docs/plugin_server_auth_keycloak.md) | Requires JWT Bearer Access Token provided for each request. More details in [our auth feature doc](/docs/feature_auth.md) |
+| UserManagement | [keycloak](/docs/plugin_server_auth_keycloak.md) | Requires JWT Bearer Access Token provided for each request. More details in [our auth feature doc](/docs/user-management.md) |
 
 ### Plugin configuration