diff --git a/.docker/oathkeeper/config.yaml b/.docker/oathkeeper/config.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..1d1768eb551582b90ce753b5cbfbf6c0295b5651
--- /dev/null
+++ b/.docker/oathkeeper/config.yaml
@@ -0,0 +1,73 @@
+# see https://www.ory.sh/docs/oathkeeper/reference/configuration
+# also documents environment variables
+
+serve:
+ proxy:
+ port: 4455 # run the proxy at port 4455
+ api:
+ port: 4456 # run the api at port 4456
+
+access_rules:
+ repositories:
+ - file:///opt/config/rules.yaml
+
+errors:
+ fallback:
+ - json
+ handlers:
+ json:
+ enabled: true
+ config:
+ verbose: true
+ redirect:
+ enabled: true
+ config:
+ to: https://www.ory.sh/docs
+
+mutators:
+ header:
+ enabled: true
+ config:
+ headers:
+ X-Holi-User-ID: '{{ print .Subject }}'
+ noop:
+ enabled: true
+ id_token:
+ enabled: true
+ config:
+ issuer_url: http://oathkeeper.okuna:4456/
+ jwks_url: file:///opt/config/jwks.json
+ claims: '{
+ "aud": [ "https://project-holi.org/services/okuna/api" ],
+ "email": "{{ if .Extra.identity }}{{ .Extra.identity.traits.email }}{{ else }}anonymous{{ end }}"
+ }'
+
+authorizers:
+ allow:
+ enabled: true
+ deny:
+ enabled: true
+
+authenticators:
+ anonymous:
+ enabled: true
+ config:
+ subject: anonymous # =default
+ cookie_session:
+ enabled: true
+ config:
+ check_session_url: https://mystifying-carver-akajr6v4t8.projects.oryapis.com/sessions/whoami
+ preserve_path: true
+ extra_from: '@this'
+ subject_from: 'identity.id'
+ only:
+ - ory_kratos_session
+ bearer_token:
+ enabled: true
+ config:
+ check_session_url: https://mystifying-carver-akajr6v4t8.projects.oryapis.com/sessions/whoami
+ preserve_path: true
+ extra_from: '@this'
+ subject_from: 'identity.id'
+ token_from:
+ header: X-Session-Token
diff --git a/.docker/oathkeeper/jwks.json b/.docker/oathkeeper/jwks.json
new file mode 100644
index 0000000000000000000000000000000000000000..44c554d20b11ca4da881fe05c617470fbd4e7f34
--- /dev/null
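Review bot: `check_session_url` hard-codes the Ory Network project URL `https://mystifying-carver-akajr6v4t8.projects.oryapis.com/sessions/whoami` twice (under cookie_session and under bearer_token), so this file is tied to one project and the two copies can drift; since the header comment already points readers at Oathkeeper's environment-variable overrides, keep the value once and note the override key beside each entry, e.g. `# per-environment override: AUTHENTICATORS_COOKIE_SESSION_CONFIG_CHECK_SESSION_URL`. The json error handler's `verbose: true` returns the authentication failure reason to the caller, which is convenient locally but should be flagged as such, `# verbose error bodies: local dev only`. The `redirect` handler's `to: https://www.ory.sh/docs` reads like a copied example rather than an application route, and `fallback` only lists json, so either drop the handler or add `# TODO: point at the frontend login route` above it.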
+++ b/.docker/oathkeeper/jwks.json
@@ -0,0 +1,18 @@
+{
+ "keys": [
+ {
+ "use": "sig",
+ "kty": "RSA",
+ "kid": "803ed651-023d-4c91-95b7-04fd6c15b3da",
+ "alg": "RS256",
+ "n": "pGcGAv0MygEWI5epZkPPOtTXAjXmkXtdDHnlXAknYpUROCesgdeCTPhb__sR8qrQi3oXoq1VHk5UYA4H-7YSSUkGJfp1GEa-CYLqCwyxveL8BwxvonqYrSftSUjgVFpmR23fnwnBpWySvdyXE_pnsUEsWjk7b9WIjI-fYgzrSvLqaZXUlJK88FZxe5DMDDeQKQZyE-w-U-k_GLKhrScQlnPtgLnCi12_3_W98vS4CihuJnMLz0kCYoH1SYv0WgWeOZS3D7UowJncgExbvxEwWNbcIGyvf9Owl_ijOUKgimIt7Jp6GNKi2d5j0jOR_LVLct05D1wQAkGeB0GBqIJ2OQ",
+ "e": "AQAB",
+ "d": "CafHUZudCawgqbx5hXkMDa98ZTPXM8oj_9yU3N_owUBx_3NNDV8j1vNrK9CKEE956gckpjg53IrLJ80LKPxbfJReWRKpl-BnvtVCe52mPrm7BYr0b311xA2pQPmXuzyH70ADtypyhg2nXKE8-j5loqJqQW5FEF9hIqg4uyB5HTCo9bvkZzRQsDtvdCcOGc6urUVtriFgUhVzbHNkQtsTSik4A-uXmJJACL_7665SK6SySKGEKeIZtwPOoeG9IUzVRsJjTO0-VMpwYi9YuZnc7_1RnrtnVOC4JbezhaxEiZNYujLr2X0GjugeHhniFBx-GJAzUm5o4BbSFm-2fLX7lQ",
+ "p": "1zZ26LTnHVtymxJOFa_AgAQd8gnFGtUtb8_RNhhzVHoT5RJV0FPcIpYS6cBzLAYWMmLwPqNWm70k_rH2aLk7y40asDhmMrX7C3_Hx4NuLDNQc9cy80Lfg7PYkoIOBztQPbfyc0kQSmplcfBRUkEU3088uIiuwSqu1LF5qvNJzy8",
+ "q": "w49hjlpmyrXwB6gUVmUxQtQXMacdVOHIi8hk3V1GtsY1uGjUYa2Su-IxzJIh6hCEgPrLceRuI0NKoTaFLtfLlJRsDjPr-dSP-REHz5BmH34IqVSH4ZkzbOl0yLnhPzJ6aBad6esrfvMebAxRT10CpSKcDa-7Y0tShnmCmycOdxc",
+ "dp": "F6nPbUrm1p2FfnOGzm-itPC-8iwM1iR2eILbOB18IN_DbD6V3PA7ljn2HmmgwEhzDFtAm0KOdVVYygB7XYxwfLMpKhMpeY306pDEQLW82XNS90nEOmcx-GM__uv56uWkrwSYzgBMoEIOoXaRGoA5cUxfGtM8k9TDoHNbM2bIyNU",
+ "dq": "JDpyuzl6I4GTBwgXRG4YsyWxakxoPapaSbMFJJE8IW4U06Xv-mx6a34a9af4ynDm6zIK8H19_eBgef8sqyHlIBBi-DqcM7syNNT32ncIxDrIBf6X8a48_ac-MFVnKhsC3DecZ5Jei3UkpKWfhpFXhRolSM_OajWxAyKNlIqmvl8",
+ "qi": "LMqZ-fRAfHi8CFgZseX5GYvcHfVq1e40WgCftrs9ntyTio5D4e6fw1GDGJphzVyaZ28EMOYCl-2flEkrvW3rr610XQ_0CzySU0dSxLVi15sfPdCP4qQYAjezKtFd05XTCOrnlOIU8VYp0ZehPfYrCwjqDi_TaazmcdCRp4PdMiw"
+ }
+ ]
+}
diff --git a/.docker/oathkeeper/rules.yaml b/.docker/oathkeeper/rules.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..d52769c0004593de4e290657e49ab5d9e34de962
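Review bot: This JWK set carries the full RSA private key (`d`, `p`, `q`, `dp`, `dq`, `qi`), and it is the key the id_token mutator signs with (`jwks_url: file:///opt/config/jwks.json` in the config.yaml hunk) and that the API trusts through `JWT_JWKS_URL`, so committing it means every holder of the repository holds a key the API accepts. That is tolerable only as a local-dev fixture that can never be copied into a shared environment; the safer shape is to generate the key at setup time into an ignored path (and keep at most the public members `kty`/`n`/`e`/`kid`/`alg`/`use` in the repo if a checked-in file is needed). JSON has no comments, so record the dev-only status and the regeneration step in the config.yaml header or a README beside these files.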
--- /dev/null
+++ b/.docker/oathkeeper/rules.yaml
@@ -0,0 +1,25 @@
+- id: holi
+ version: v0.38.25-beta.1
+ upstream:
+ url: http://host.docker.internal:8000/
+ match:
+ url: http://<127.0.0.1|localhost>:4455/<.*>
+ methods:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - DELETE
+ - OPTIONS
+ - CONNECT
+ - TRACE
+ - PATCH
+ authenticators:
+ - handler: cookie_session
+ - handler: bearer_token
+ - handler: anonymous
+ authorizer:
+ handler: allow
+ mutators:
+ - handler: id_token
+ - handler: header
diff --git a/docker-compose-full.yml b/docker-compose-full.yml
index 54836085db382ccfb6ffd6ce7132e346b782ab37..24ddbfe07b77c4fb466ddab43fbaddd002ff62d9 100644
--- a/docker-compose-full.yml
+++ b/docker-compose-full.yml
@@ -10,11 +10,12 @@ services:
 extra_hosts:
 - db.okuna:172.16.16.4
 - redis.okuna:172.16.16.5
+ - oathkeeper.okuna:172.16.16.6
 volumes:
 - ./:/opt/okuna-api
 - ./.docker-cache/pip:/root/.cache/pip
 ports:
- - 80:80
+ - 8000:80
 working_dir: /opt/okuna-api
 networks:
 okuna:
@@ -24,6 +25,7 @@ services:
 - redis
 env_file:
 - .docker-compose.env
+ hostname: webserver.okuna
 worker:
 container_name: okuna-worker
 build:
@@ -66,6 +68,7 @@ services:
 - .docker-compose.env
 db:
 image: postgres:14.2-alpine
+ container_name: okuna-postgres
 hostname: db.okuna
 volumes:
 - postgres:/var/lib/postgresql/data
@@ -79,6 +82,7 @@ services:
 - .docker-compose.env
 redis:
 image: bitnami/redis:latest
+ container_name: okuna-redis
 privileged: false
 ports:
 - 6379
@@ -89,6 +93,23 @@ services:
 - .docker-compose.env
 volumes:
 - redisdb:/bitnami/redis/data
+ oathkeeper:
+ container_name: okuna-oathkeeper
+ image: oryd/oathkeeper:latest
+ ports:
+ - 4455:4455
+ - 4456:4456
+ networks:
+ okuna:
+ ipv4_address: 172.16.16.6
+ env_file:
+ - .docker-compose.env
+ volumes:
+ - ./.docker/oathkeeper:/opt/config
+ command: --config /opt/config/config.yaml serve
+ hostname: oathkeeper.okuna
+ extra_hosts:
+ - webserver.okuna:172.16.16.1
 volumes:
 postgres:
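Review bot: `upstream.url: http://host.docker.internal:8000/` relies on a name that Docker on Linux does not resolve unless the oathkeeper service declares `extra_hosts: - "host.docker.internal:host-gateway"`, and the service added in docker-compose-full.yml instead maps `webserver.okuna:172.16.16.1`, which this rule never references; either route the upstream through a name the compose network actually provides or add the host-gateway alias, and say which in a comment on the `url:` line. `version: v0.38.25-beta.1` pins the rule schema while the container runs `oryd/oathkeeper:latest`, so the two can silently diverge. With `authorizer: allow` and `anonymous` as the last authenticator every matching request is forwarded, which is only safe because the API validates the id_token itself; a comment such as `# anonymous fallback: access control is enforced by the API via the id_token` would keep a reader from assuming Oathkeeper gates access.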
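Review bot: The oathkeeper service receives the whole `.docker-compose.env` through `env_file`, which as far as this diff shows carries the database and application settings, while Oathkeeper's own configuration comes from the mounted `config.yaml` and the two variables the template hunk adds (`JWT_JWKS_URL`, `JWT_ISSUER`) are read by openbook/settings.py, not by Oathkeeper; dropping the `env_file` entry (or giving the gateway its own file with only what it consumes) keeps the app's credentials out of that container. `image: oryd/oathkeeper:latest` should be pinned to the release the rule file targets (`v0.38.25-beta.1` in rules.yaml) so rules and binary move together. The published ports can be limited to the host loopback, `- 127.0.0.1:4455:4455` and `- 127.0.0.1:4456:4456`, since the API container reaches port 4456 over the okuna network as `oathkeeper.okuna`. `extra_hosts: - webserver.okuna:172.16.16.1` is not referenced by rules.yaml and the webserver service is not shown with a fixed `ipv4_address`, so it is presumably either unused or pointing at the bridge gateway — worth confirming. The same points apply to the oathkeeper service added in docker-compose-services-only.yml.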
diff --git a/docker-compose-services-only.yml b/docker-compose-services-only.yml
index f46a108934de3b636ff20416eee14053c4b2fd29..7f891ae16413387ba16f4935223b79ef1eeb73c6 100644
--- a/docker-compose-services-only.yml
+++ b/docker-compose-services-only.yml
@@ -45,6 +45,7 @@ services:
 - .docker-compose.env
 db:
 image: postgres:14.2-alpine
+ container_name: okuna-postgres
 hostname: db.okuna
 volumes:
 - postgres:/var/lib/postgresql/data
@@ -58,6 +59,7 @@ services:
 - .docker-compose.env
 redis:
 image: bitnami/redis:latest
+ container_name: okuna-redis
 privileged: false
 ports:
 - 6380:6379
@@ -68,6 +70,20 @@ services:
 - .docker-compose.env
 volumes:
 - redisdb:/bitnami/redis/data
+ oathkeeper:
+ image: oryd/oathkeeper:latest
+ container_name: okuna-oathkeeper
+ ports:
+ - 4455:4455
+ - 4456:4456
+ networks:
+ okuna:
+ ipv4_address: 172.16.16.6
+ env_file:
+ - .docker-compose.env
+ volumes:
+ - ./.docker/oathkeeper:/opt/config
+ command: --config /opt/config/config.yaml serve
 volumes:
 postgres:
diff --git a/okuna-cli.py b/okuna-cli.py
index cf7c340ec6bf407cf9dea1075dbd11a7c03195fa..42a2e750167a444f515706b42a12734ec576ce7b 100755
--- a/okuna-cli.py
+++ b/okuna-cli.py
@@ -314,7 +314,7 @@ def up_full():
 subprocess.run(["docker-compose", "-f", "docker-compose-full.yml", "up", "-d", "-V"])
 okuna_api_address = '127.0.0.1'
- okuna_api_port = 80
+ okuna_api_port = 8000
 _wait_until_api_is_running(address=okuna_api_address, port=okuna_api_port)
diff --git a/openbook/settings.py b/openbook/settings.py
index feca2ab3d9d85c2b262a42761175ca3227f7b89e..df1814d1931d499298d76238346afeb9f29eb867 100644
--- a/openbook/settings.py
+++ b/openbook/settings.py
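Review bot: `okuna_api_port = 8000` hard-codes the host port that docker-compose-full.yml now publishes (`- 8000:80`), so the two must be kept in sync by hand; a module-level constant with a pointer to the compose file, e.g. `OKUNA_API_HOST_PORT = 8000  # must match the webserver "ports" entry in docker-compose-full.yml`, would make the coupling visible. The readiness wait also probes only the raw API port, not the Oathkeeper proxy on 4455 that this commit makes the entry point, so if `_wait_until_api_is_running` is a plain connectivity probe a second call against 4455 is probably wanted before reporting the stack as up. `up_full` starts before this hunk.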
@@ -383,8 +383,8 @@ JWT_AUTH = {
 'JWT_PAYLOAD_GET_USERNAME_HANDLER': 'openbook_auth.jwt.jwt_get_username_from_payload_handler',
 'JWT_DECODE_HANDLER': 'openbook_auth.jwt.jwt_decode_token',
 'JWT_ALGORITHM': 'RS256',
- 'JWT_JWKS_URL': 'http://localhost:4456/.well-known/jwks.json',
- 'JWT_ISSUER': 'http://localhost:4455/',
+ 'JWT_JWKS_URL': os.environ.get('JWT_JWKS_URL', 'http://localhost:4456/.well-known/jwks.json'),
+ 'JWT_ISSUER': os.environ.get('JWT_ISSUER', 'http://localhost:4456/'),
 'JWT_AUDIENCE': 'https://project-holi.org/services/okuna/api',
 'JWT_AUTH_HEADER_PREFIX': 'Bearer',
 }
diff --git a/templates/.docker-compose.env b/templates/.docker-compose.env
index b6875ad93619c47a7c5e89689ce26c5fb82289cd..66250c9e58905059ce9b37820d9a595088132576 100644
--- a/templates/.docker-compose.env
+++ b/templates/.docker-compose.env
@@ -100,4 +100,6 @@ POSTGRES_INITDB_ARGS='--encoding=UTF-8'
 # [REQUIRED] WAIT_HOSTS:db.okuna:5432
+JWT_JWKS_URL=http://oathkeeper.okuna:4456/.well-known/jwks.json
+JWT_ISSUER=http://oathkeeper.okuna:4456/
 # ============= END DOCKER COMPOSE SPECIFIC VARIABLES ============= #
\ No newline at end of file
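Review bot: The new `JWT_ISSUER` default `http://localhost:4456/` does not match what Oathkeeper actually puts in the token: the id_token mutator in `.docker/oathkeeper/config.yaml` sets `issuer_url: http://oathkeeper.okuna:4456/`, and only the dockerised API receives that value via `.docker-compose.env`, so an API run on the host against docker-compose-services-only.yml falls back to a default whose `iss` differs — if `openbook_auth.jwt.jwt_decode_token` verifies the issuer, every token is rejected in that setup. Since the issuer is compared as a string and never fetched, the default can simply be the value Oathkeeper emits, `'JWT_ISSUER': os.environ.get('JWT_ISSUER', 'http://oathkeeper.okuna:4456/'),`, with a comment above the two entries such as `# overridden by .docker-compose.env inside compose; defaults target an API run on the host` so the two deployments are documented. This also assumes `os` is already imported at the top of settings.py, which the hunk does not show; `JWT_AUTH` opens before the hunk.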
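Review bot: The two new variables are inserted between the `WAIT_HOSTS` entry and the END marker without the `# [REQUIRED]`-style purpose comment the surrounding entries carry; a line above `JWT_JWKS_URL` such as `# [OPTIONAL] Where the API fetches Oathkeeper's token-signing keys and the issuer it expects in id_tokens; defaults live in openbook/settings.py` keeps the template self-describing. Both values use the compose-internal name `oathkeeper.okuna`, which only resolves inside the okuna network, so the comment should also say that an API run on the host must override them with the localhost form. The `\ No newline at end of file` marker shows the trailing newline is still missing, which is worth adding while the file is being touched.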