alternative login button, all localhost urls to 127.0.0.1 and update …

…the schemas and configs

docker-compose.yml

@@ -6,10 +6,15 @@ services:
   # Management Portal                                                         #
   #---------------------------------------------------------------------------#
   managementportal:
-    image: radarbase/management-portal:2.0.0
+#    image: radarbase/management-portal:2.0.0
+    image: managementportal
     depends_on:
       - mp-postgresql
     environment:
+      MANAGEMENTPORTAL_IDENTITYSERVER_SERVERURL: http://kratos
+      MANAGEMENTPORTAL_IDENTITYSERVER_ADMINEMAIL: [email protected]
+      MANAGEMENTPORTAL_OAUTH_REQUIREAAL2: false
+      SPRING_LIQUIBASE_CONTEXTS: dev #includes testing_data, remove for production builds
       SPRING_PROFILES_ACTIVE: prod
       SPRING_DATASOURCE_URL: jdbc:postgresql://mp-postgresql:5432/managementportal
       SPRING_DATASOURCE_USERNAME: radarcns
@@ -21,7 +26,7 @@ services:
       MANAGEMENTPORTAL_CATALOGUE_SERVER_ENABLE_AUTO_IMPORT: 'false'
       MANAGEMENTPORTAL_OAUTH_SIGNING_KEY_ALIAS: 'radarbase-managementportal-ec'
       SERVER_SERVLET_SESSION_COOKIE_SECURE: "false"
-      JAVA_OPTS: -Xmx256m  # maximum heap size for the JVM running ManagementPortal, increase this as necessary
+      JAVA_OPTS: -Xmx512m  # maximum heap size for the JVM running ManagementPortal, increase this as necessary
     volumes:
       - ./etc/mp-config/:/mp-includes/config
     labels:
@@ -70,7 +75,10 @@ services:
   app-config-frontend:
     build:
       context: radar-app-config-frontend
-    image: radarbase/radar-app-config-frontend:dev
+    #    image: radarbase/radar-app-config-frontend:dev
+    environment:
+      - AUTH_URL=http://127.0.0.1:8080/managementportal/oauth
+      - AUTH_CALLBACK_URL=http://127.0.0.1:8080/appconfig/login
     depends_on:
       - app-config
     labels:
@@ -84,3 +92,64 @@ services:
     command: --api.insecure=true --providers.docker
     ports:
       - "8080:80"
+
+  ## ORY
+
+  # Kratos
+  kratos-selfservice-ui-node:
+    image:
+      oryd/kratos-selfservice-ui-node
+    environment:
+      - LOG_LEAK_SENSITIVE_VALUES=true
+      - KRATOS_PUBLIC_URL=http://kratos:4433
+      - KRATOS_ADMIN_URL=http://kratos:4434
+      - SECURITY_MODE=standalone
+      - KRATOS_BROWSER_URL=http://127.0.0.1:4433
+      - COOKIE_SECRET=unsafe_cookie_secret
+      - CSRF_COOKIE_NAME=radar
+      - CSRF_COOKIE_SECRET=unsafe_csrf_cookie_secret
+    ports:
+      - "3000:3000"
+    volumes:
+      - /tmp/ui-node/logs:/root/.npm/_logs
+
+  kratos:
+    depends_on:
+      - kratos-migrate
+    image: oryd/kratos:v1.0.0
+    ports:
+      - "4433:4433" # public
+      - "4434:4434" # admin, should be closed in production
+    restart: unless-stopped
+    environment:
+      - DSN=postgres://kratos:secret@postgresd-kratos/kratos?sslmode=disable&max_conns=20&max_idle_conns=4
+    command: serve -c /etc/config/kratos/kratos.yml --dev --watch-courier
+    volumes:
+      - type: bind
+        source: ./etc/mp-config/kratos
+        target: /etc/config/kratos
+
+  kratos-migrate:
+    image:
+      oryd/kratos:v1.0.0
+    environment:
+      - DSN=postgres://kratos:secret@postgresd-kratos/kratos?sslmode=disable&max_conns=20&max_idle_conns=4
+    volumes:
+      - type: bind
+        source: ./etc/mp-config/kratos
+        target: /etc/config/kratos
+    command: -c /etc/config/kratos/kratos.yml migrate sql -e --yes
+    restart: on-failure
+
+  postgresd-kratos:
+    image: postgres:11.8
+    environment:
+      - POSTGRES_USER=kratos
+      - POSTGRES_PASSWORD=secret
+      - POSTGRES_DB=kratos
+
+  mailslurper:
+    image: oryd/mailslurper:latest-smtps
+    ports:
+      - "4436:4436"
+      - "4437:4437"

etc/mp-config/kratos/identities/identity.schema.user.json

@@ -0,0 +1,37 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$id": "user",
+  "title": "user",
+  "type": "object",
+  "properties": {
+    "traits": {
+      "type": "object",
+      "properties": {
+        "email": {
+          "type": "string",
+          "format": "email",
+          "title": "E-Mail",
+          "minLength": 5,
+          "ory.sh/kratos": {
+            "credentials": {
+              "password": {
+                "identifier": true
+              },
+              "totp": {
+                "account_name": true
+              }
+            },
+            "verification": {
+              "via": "email"
+            },
+            "recovery": {
+              "via": "email"
+            }
+          }
+        }
+      },
+      "required": ["email"]
+    }
+  },
+  "additionalProperties": false
+}

etc/mp-config/kratos/kratos.yml

@@ -0,0 +1,107 @@
+dsn: memory
+
+
+
+
+serve:
+  public:
+    base_url: http://127.0.0.1:4433/
+    cors:
+      enabled: true
+  admin:
+    base_url: http://kratos:4434/
+
+selfservice:
+  default_browser_return_url: http://127.0.0.1:3000/
+  allowed_return_urls:
+    - http://127.0.0.1:3000/
+    - http://127.0.0.1:8081/
+    - http://127.0.0.1:8080/
+
+  methods:
+    password:
+      enabled: true
+    oidc:
+      config:
+        providers:
+          # social sign-in for google. This needs to be tied to a google account. values below were added by bastiaan
+          - id: google_d292689d # this is `<provider-id>` in the Authorization callback URL. DO NOT CHANGE IT ONCE SET! current google callback: http://127.0.0.1:4433/self-service/methods/oidc/callback/google_d292689d
+            provider: google
+            client_id: 922854293804-r3fhl9tom6uutcq5c8fm4592l1t6s3mh.apps.googleusercontent.com # Replace this with the Client ID
+            client_secret:  # Replace this with the Client secret
+            issuer_url: https://accounts.google.com # Replace this with the providers issuer URL
+            mapper_url: "base64://bG9jYWwgY2xhaW1zID0gewogIGVtYWlsX3ZlcmlmaWVkOiBmYWxzZSwKfSArIHN0ZC5leHRWYXIoJ2NsYWltcycpOwoKewogIGlkZW50aXR5OiB7CiAgICB0cmFpdHM6IHsKICAgICAgW2lmICdlbWFpbCcgaW4gY2xhaW1zICYmIGNsYWltcy5lbWFpbF92ZXJpZmllZCB0aGVuICdlbWFpbCcgZWxzZSBudWxsXTogY2xhaW1zLmVtYWlsLAogICAgfSwKICB9LAp9"
+            # currently: GitHub example from: https://www.ory.sh/docs/kratos/social-signin/data-mapping
+            # Alternatively, use an URL:
+            # mapper_url: https://storage.googleapis.com/abc-cde-prd/9cac9717f007808bf17
+            scope:
+              - email
+            # supported scopes can be found in your providers dev docs
+      enabled: true
+    totp:
+      config:
+        issuer: Kratos
+      enabled: true
+    link:
+      enabled: true
+
+  flows:
+    error:
+      ui_url: http://127.0.0.1:3000/error
+
+    settings:
+      ui_url: http://127.0.0.1:3000/settings
+
+    recovery:
+      enabled: true
+      ui_url: http://127.0.0.1:3000/recovery
+      use: link
+
+    verification:
+      # our current flow necessitates that users reset their password after they activate an account in managementportal,
+      # this works as verification
+      ui_url: http://127.0.0.1:3000/verification
+      enabled: true
+      use: link
+      after:
+        default_browser_return_url: http://127.0.0.1:3000
+
+    logout:
+      after:
+        default_browser_return_url: http://127.0.0.1:3000/login
+
+    login:
+      ui_url: http://127.0.0.1:3000/login
+
+    registration:
+      ui_url: http://127.0.0.1:3000/registration
+      after:
+        password:
+          hooks:
+            - hook: session
+        oidc:
+          hooks:
+            - hook: session
+
+log:
+  level: debug
+  format: text
+
+hashers:
+  argon2:
+    parallelism: 1
+    memory: 128KB
+    iterations: 2
+    salt_length: 16
+    key_length: 16
+
+identity:
+  default_schema_id: user
+  schemas:
+    - id: user
+      url: file:///etc/config/kratos/identities/identity.schema.user.json
+
+courier:
+  smtp:
+    connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true&disable_starttls=true
+    from_address: [email protected]

etc/mp-config/oauth_client_details.csv

@@ -1,5 +1,5 @@
 client_id;resource_ids;client_secret;scope;authorized_grant_types;redirect_uri;authorities;access_token_validity;refresh_token_validity;additional_information;autoapprove
 pRMT;res_ManagementPortal,res_gateway;;MEASUREMENT.CREATE,SUBJECT.UPDATE,SUBJECT.READ,PROJECT.READ,SOURCETYPE.READ,SOURCE.READ,SOURCETYPE.READ,SOURCEDATA.READ,USER.READ,ROLE.READ;refresh_token,authorization_code;;;43200;7948800;{"dynamic_registration": true};
 appconfig;res_ManagementPortal,res_appconfig;test;SOURCETYPE.READ,MEASUREMENT.CREATE,PROJECT.READ,SUBJECT.READ,OAUTHCLIENTS.READ;client_credentials;;;3600;78000;;
-appconfig_frontend;res_appconfig;;SOURCETYPE.READ,MEASUREMENT.CREATE,PROJECT.READ,PROJECT.CREATE,PROJECT.UPDATE,SUBJECT.READ,SUBJECT.UPDATE,OAUTHCLIENTS.READ;authorization_code,refresh_token;http://localhost:8080/appconfig/login,http://localhost:4200/login;;3600;78000;;
+appconfig_frontend;res_appconfig;;SOURCETYPE.READ,MEASUREMENT.CREATE,PROJECT.READ,PROJECT.CREATE,PROJECT.UPDATE,SUBJECT.READ,SUBJECT.UPDATE,OAUTHCLIENTS.READ;authorization_code,refresh_token;http://localhost:8080/appconfig/login,http://127.0.0.1:8080/appconfig/login,http://localhost:4200/login;;3600;78000;;
 appconfig_cli;res_appconfig;test;SOURCETYPE.READ,MEASUREMENT.CREATE,PROJECT.READ,SUBJECT.READ,OAUTHCLIENTS.READ,PROJECT.UPDATE,PROJECT.CREATE;password;;;3600;78000;;

radar-app-config-frontend/src/app/auth/containers/login/login.component.html

@@ -11,7 +11,8 @@ <h2 class="text-center">{{'common.loading' | translate}}</h2>
   </div>
   <div class="row">
     <div class="col-md-4 text-center mx-auto">
-      <button class="btn btn-outline-primary btn-block" (click)="login()">{{'login.loginButton' | translate}}</button>
+      <button class="btn btn-outline-primary btn-block" (click)="login()">Authorize managementportal (log in first)</button>
     </div>
   </div>
+  <button (click)="redirect()">login to managementportal</button>
 </div>

radar-app-config-frontend/src/app/auth/containers/login/login.component.ts

@@ -7,66 +7,71 @@ import {TranslateService} from '@app/shared/services/translate.service';
 import {of, Subscription} from 'rxjs';
 
 @Component({
-  selector: 'app-login',
-  templateUrl: './login.component.html',
+    selector: 'app-login',
+    templateUrl: './login.component.html',
 })
 
 export class LoginComponent implements OnInit, OnDestroy {
-  // __ = strings;
+    // __ = strings;
 
-  loading = false;
-  private subscriptions: Subscription = new Subscription();
+    loading = false;
+    private subscriptions: Subscription = new Subscription();
 
-  constructor(
-    public translate: TranslateService,
-    private authService: AuthService,
-    private activatedRoute: ActivatedRoute,
-    private router: Router
-  ) {
-  }
+    constructor(
+        public translate: TranslateService,
+        private authService: AuthService,
+        private activatedRoute: ActivatedRoute,
+        private router: Router
+    ) {
+    }
 
-  ngOnInit() {
-    this.activatedRoute.queryParams.pipe(first()).subscribe(params => {
-      const {code} = params;
-      let {returnUrl} = params;
+    ngOnInit() {
+        this.activatedRoute.queryParams.pipe(first()).subscribe(params => {
+            const {code} = params;
+            let {returnUrl} = params;
 
-      if (returnUrl) {
-        localStorage.setItem('returnUrl', returnUrl);
-      }
+            if (returnUrl) {
+                localStorage.setItem('returnUrl', returnUrl);
+            }
 
-      if (code) {
-        this.loading = true;
-        this.subscriptions.add(
-            this.authService.processLogin(code).pipe(
-                first(),
-                map(() => {
-                  const currentUser = this.authService.currentDecodedUserValue;
-                  returnUrl = localStorage.getItem('returnUrl');
-                  if (returnUrl) {
-                    return this.router.navigateByUrl(returnUrl);
-                  } else if (currentUser.role !== Roles.SYSTEM_ADMIN) {
-                      return this.router.navigateByUrl('projects');
-                  } else {
-                      return this.router.navigateByUrl('global-clients');
-                  }
-                }),
-                catchError((error) => {
-                    console.log(error);
-                    return of(error.message);
-                }),
-              )
-              .subscribe(() => this.loading = false)
-        );
-      }
-    });
-  }
+            if (code) {
+                this.loading = true;
+                this.subscriptions.add(
+                    this.authService.processLogin(code).pipe(
+                        first(),
+                        map(() => {
+                            const currentUser = this.authService.currentDecodedUserValue;
+                            returnUrl = localStorage.getItem('returnUrl');
+                            if (returnUrl) {
+                                return this.router.navigateByUrl(returnUrl);
+                            } else if (currentUser.role !== Roles.SYSTEM_ADMIN) {
+                                return this.router.navigateByUrl('projects');
+                            } else {
+                                return this.router.navigateByUrl('global-clients');
+                            }
+                        }),
+                        catchError((error) => {
+                            console.log(error);
+                            return of(error.message);
+                        }),
+                    )
+                        .subscribe(() => this.loading = false)
+                );
+            }
+        });
+    }
+
+    ngOnDestroy() {
+        this.subscriptions.unsubscribe();
+    }
 
-  ngOnDestroy() {
-      this.subscriptions.unsubscribe();
-  }
 
-  login() {
-    this.loading = true;
-    this.authService.authorize();
-  }
+    redirect() {
+        window.location.href = "http://127.0.0.1:3000/login?return_to=http://127.0.0.1:8080/appconfig";
+    }
+
+    login() {
+        this.loading = true;
+        this.authService.authorize();
+    }
 }