Merge branch 'master' into feature/grpc-discovery
loafoe authored Aug 23, 2024
2 parents 6bbd1ff + 2919dfd commit cf4ec26
Showing 16 changed files with 1,318 additions and 20 deletions.
159 changes: 159 additions & 0 deletions .github/workflows/artifacts-fork.yaml
@@ -0,0 +1,159 @@
name: Fork Artifacts

on:
push:
branches:
- master
tags:
- '*'
pull_request:

jobs:
cf-images:
name: Cloudfoundry images
runs-on: ubuntu-latest
strategy:
matrix:
variant:
- alpine

steps:
- name: Checkout
uses: actions/checkout@v3

- name: Gather metadata
id: meta
uses: docker/metadata-action@v4
with:
images: |
ghcr.io/philips-forks/dex
flavor: |
latest = false
tags: |
type=ref,event=branch,enable=${{ matrix.variant == 'alpine' }}
type=ref,event=pr,enable=${{ matrix.variant == 'alpine' }}
type=semver,pattern={{raw}},enable=${{ matrix.variant == 'alpine' }}
type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) && matrix.variant == 'alpine' }}
type=ref,event=branch,suffix=-${{ matrix.variant }}
type=ref,event=pr,suffix=-${{ matrix.variant }}
type=semver,pattern={{raw}},suffix=-${{ matrix.variant }}-cf
type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }},suffix=-${{ matrix.variant }}-cf
labels: |
org.opencontainers.image.documentation=https://dexidp.io/docs/
- name: Login to GitHub Container Registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ github.token }}
if: github.event_name == 'push'

- name: Build and push
uses: docker/build-push-action@v4
with:
context: .
platforms: linux/amd64
provenance: false
sbom: false
push: ${{ github.event_name == 'push' }}
tags: ${{ steps.meta.outputs.tags }}
build-args: |
BASE_IMAGE=${{ matrix.variant }}
VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
COMMIT_HASH=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
labels: ${{ steps.meta.outputs.labels }}

- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
image-ref: "ghcr.io/philips-forks/dex:${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}"
format: "sarif"
output: "trivy-results.sarif"
if: github.event_name == 'push'

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: "trivy-results.sarif"
if: github.event_name == 'push'

container-images:
name: Container images
runs-on: ubuntu-latest
strategy:
matrix:
variant:
- alpine
- distroless

steps:
- name: Checkout
uses: actions/checkout@v3

- name: Gather metadata
id: meta
uses: docker/metadata-action@v4
with:
images: |
ghcr.io/philips-forks/dex
flavor: |
latest = false
tags: |
type=ref,event=branch,enable=${{ matrix.variant == 'alpine' }}
type=ref,event=pr,enable=${{ matrix.variant == 'alpine' }}
type=semver,pattern={{raw}},enable=${{ matrix.variant == 'alpine' }}
type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) && matrix.variant == 'alpine' }}
type=ref,event=branch,suffix=-${{ matrix.variant }}
type=ref,event=pr,suffix=-${{ matrix.variant }}
type=semver,pattern={{raw}},suffix=-${{ matrix.variant }}
type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }},suffix=-${{ matrix.variant }}
labels: |
org.opencontainers.image.documentation=https://dexidp.io/docs/
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
with:
platforms: all

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2

- name: Login to GitHub Container Registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ github.token }}
if: github.event_name == 'push'

- name: Build and push
uses: docker/build-push-action@v4
with:
context: .
platforms: linux/amd64,linux/arm64
# cache-from: type=gha
# cache-to: type=gha,mode=max
push: ${{ github.event_name == 'push' }}
tags: ${{ steps.meta.outputs.tags }}
build-args: |
BASE_IMAGE=${{ matrix.variant }}
VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
COMMIT_HASH=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
labels: ${{ steps.meta.outputs.labels }}

- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
image-ref: "ghcr.io/philips-forks/dex:${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}"
format: "sarif"
output: "trivy-results.sarif"
if: github.event_name == 'push'

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: "trivy-results.sarif"
if: github.event_name == 'push'
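Review bot: the two jobs push overlapping tags to the same image, so which build ends up behind a tag is a race. `cf-images` enables the unsuffixed `type=ref,event=branch`, `type=ref,event=pr`, `type=semver,pattern={{raw}}` and `latest` tags for the alpine variant, and the alpine leg of `container-images` enables exactly the same four; on a push to master both jobs push `ghcr.io/philips-forks/dex:master` (and `:latest`, and `:master-alpine` via the `-${{ matrix.variant }}` suffix), one as a linux/amd64-only build with `provenance: false` and `sbom: false`, the other as a linux/amd64,linux/arm64 build. Drop the unsuffixed and plain `-alpine` tags from `cf-images` so it owns only the `-cf` tags, for example keeping just `type=semver,pattern={{raw}},suffix=-${{ matrix.variant }}-cf` and `type=ref,event=branch,suffix=-${{ matrix.variant }}-cf`. Two smaller points: there is no `permissions:` block, so the push to ghcr.io and the `upload-sarif` step (which needs `security-events: write`) depend on the repository's default token permissions, and Trivy only runs after `push: ${{ github.event_name == 'push' }}` has already published the image, so a bad scan is reported but never blocks a release; scanning the local build before pushing, or gating the push on the scan result, would close that gap, and pinning the actions to commit SHAs instead of `@v3`/`@v2` tags would make the workflow itself reproducible.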
2 changes: 2 additions & 0 deletions cmd/dex/config.go
Expand Up @@ -149,6 +149,8 @@ type OAuth2 struct {
AlwaysShowLoginScreen bool `json:"alwaysShowLoginScreen"`
// This is the connector that can be used for password grant
PasswordConnector string `json:"passwordConnector"`
// List of additional scope prefixes to allow
AllowedScopePrefixes []string `json:"allowedScopePrefixes"`
}

// Web is the config format for the HTTP server.
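Review bot: the comment on `AllowedScopePrefixes` should state what the field loosens and how matching works. A prefix list means any requested scope that starts with a listed string is accepted, which is wider than the exact scope names the rest of this struct deals with, and if the check is a plain prefix match an empty-string entry would admit every scope, so the loader should reject `""`. Suggest replacing the comment with something like `// AllowedScopePrefixes lists additional scope prefixes (e.g. "hsp:iam:") that clients may request; any scope starting with one of them is accepted. Entries must be non-empty.`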
4 changes: 4 additions & 0 deletions cmd/dex/serve.go
Expand Up @@ -280,6 +280,9 @@ func runServe(options serveOptions) error {
if len(c.Web.AllowedOrigins) > 0 {
logger.Info("config allowed origins", "origins", c.Web.AllowedOrigins)
}
if len(c.OAuth2.AllowedScopePrefixes) > 0 {
logger.Info("config allowed scope prefixes", "scopes", strings.Join(c.OAuth2.AllowedScopePrefixes, ","))
}

// explicitly convert to UTC.
now := func() time.Time { return time.Now().UTC() }
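Review bot: `strings.Join` is called here, but the file header reports only 4 additions and all four are visible in the two hunks, so no import was added; this compiles only if `strings` is already imported in `serve.go`, which is worth confirming. The log key is also misleading, since the values are prefixes rather than scopes, and the line just above logs `c.Web.AllowedOrigins` as a slice without joining, so the simpler and consistent form is `logger.Info("config allowed scope prefixes", "prefixes", c.OAuth2.AllowedScopePrefixes)`.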
Expand All @@ -295,6 +298,7 @@ func runServe(options serveOptions) error {
Headers: c.Web.Headers.ToHTTPHeader(),
AllowedOrigins: c.Web.AllowedOrigins,
AllowedHeaders: c.Web.AllowedHeaders,
AllowedScopePrefixes: c.OAuth2.AllowedScopePrefixes,
Issuer: c.Issuer,
Storage: s,
Web: c.Frontend,
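Review bot: the prefixes are passed into `server.Config` untouched, yet they widen which scopes any client of this issuer may request, so they should be validated at this point rather than discovered at request time: reject empty strings and duplicates and fail startup on them, in the same way other config is checked in `runServe`, so that a misconfigured `allowedScopePrefixes` cannot silently open up scope validation.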
5 changes: 5 additions & 0 deletions connector/connector.go
Expand Up @@ -103,3 +103,8 @@ type RefreshConnector interface {
type TokenIdentityConnector interface {
TokenIdentity(ctx context.Context, subjectTokenType, subjectToken string) (Identity, error)
}

// PayloadExtender allows connectors to enhance the payload before signing
type PayloadExtender interface {
ExtendPayload(scopes []string, payload []byte, connectorData []byte) ([]byte, error)
}
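Review bot: `PayloadExtender` needs a documented contract before connectors implement it. The comment says "enhance the payload before signing" but does not say what `payload` is (presumably the JSON-encoded claim set about to be signed), what `connectorData` is (the opaque per-identity blob the connector stored earlier, which may hold upstream tokens), or whether the extender may replace existing claims. Because the hook runs immediately before signing, a connector that merges its own JSON over `payload` can overwrite `sub`, `aud`, `exp` or `iss`; either the caller should re-assert those claims after `ExtendPayload` returns, or the interface should only let connectors add claims under keys they own. Suggest a comment along the lines of `// ExtendPayload receives the JSON claims about to be signed and may add claims gated on scopes; it must not modify standard OIDC claims.`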
121 changes: 121 additions & 0 deletions connector/hsdp/README.md
@@ -0,0 +1,121 @@
# HSP IAM connector

This connector allows you to use the HSP IAM service as an identity provider for your Cloud Foundry applications.

## Configuration

There are a few steps required to configure the HSP IAM Dex connector, specifically for CODE1 integration. In the below
example we'll assume you are going to install Dex on the following URL:

`https://dex.example.com`

### 1. Create HSP IAM OAuth2 OAuth2

Create an OAuth2 Client in your HSP IAM Organization. Set the `RedirectURI` to the Dex callback URL:

`https://dex.example.com/callback`

Add the following scopes, also include these as default scopes:
- auth_iam_introspect
- auth_iam_organization
- openid
- profile
- email
- name

The `ClientId` and `ClientSecret` are required in the config step below

### 2. Open a SNOW ticket to allow-list the Dex callback URL and to request the SAML2 login URL

Open a General service request in SNOW to allow-list the Dex callback URL. This is required to allow the Dex callback URL to be used in the HSP IAM service.
The RedirectURI pattern to allow-list should be this:

```https://dex.example.com/*?*```

Note the `*?*` at the end. This is required to allow the HSP IAM service to pass the OAuth2 code back to Dex.

In the same SNOW ticket also request the IAM team to share the `CODE1 SAML2 Login URL`. This URL is the value to use for saml2LoginURL in the config below.
It should look like something like this:

```https://iam-integration.iam-region.philips-healthsuite.com/authorize/saml2/login?idp_id=https://sts.windows.net/1a407a2d-7675-4d17-8692-b3ac285306e4/&client_id=sp-philips-hspiam-region&api-version=1```

### 3. Create one or more static clients in Dex

Create one ore more static clients in Dex. These clients are used in your app
to integrated with Dex itself. Example:

```yaml
config:
staticClients:
- id: example-app
secret: SecretHere
name: 'Example App'
# Where the app will be running.
redirectURIs:
- 'https://your-app.example.com/callback'
```
### 4. Create a hsdp connector in Dex
```yaml
config:
connectors:
- type: hsdp
id: hsdp
name: HSP IAM Code1
config:
trustedOrgID: 8a67a785-73bb-46d5-b73f-d951a6d3cb43
audienceTrustMap:
example-app: 8a67a785-73bb-46d5-b73f-d951a6d3cb43
issuer: 'https://iam-client-test.us-east.philips-healthsuite.com/authorize/oauth2/v2'
insecureIssuer: 'https://iam-client-test.us-east.philips-healthsuite.com/oauth2/access_token'
saml2LoginURL: 'https://iam-integration.us-east.philips-healthsuite.com/authorize/saml2/login?idp_id=https://sts.windows.net/1a407a2d-7675-4d17-8692-b3ac285306e4/&client_id=sp-philips-hspiam-useast-ct&api-version=1'
clientID: ClientId # The OAuth2 Client ID from step 1
clientSecret: ClientSecret # The OAuth2 Client Secret from step 1
iamURL: 'https://iam-client-test.us-east.philips-healthsuite.com'
idmURL: 'https://idm-client-test.us-east.philips-healthsuite.com'
redirectURI: https://dex.example.com/callback
getUserInfo: true
userNameKey: sub
scopes:
- auth_iam_introspect
- auth_iam_organization
- openid
- profile
- email
- name
```
#### argument description
| Argument | Type | Description |
|--------------------|-------------------------------------|----------------------------------------------------------------------------------------------------------------------------|
| `trustedOrgID` | string | The default HSP IAM Organization ID to trust. This is the Organization ID of the HSP IAM Org. |
| `audienceTrustMap` | map(string) | A mapping of static clients to trusted Organization ID. Use this to override the default `trustedOrgId` for a given client |
| `issuer` | string | The HSP IAM OAuth2 issuer URL. |
| `insecureIssuer` | string | The HSP IAM OAuth2 issuer URL for introspection. |
| `saml2LoginURL` | string | The HSP IAM SAML2 login URL. |
| `clientID` | string | The OAuth2 Client ID from step 1. |
| `clientSecret` | string | The OAuth2 Client Secret from step 1. |
| `iamURL` | string | The HSP IAM URL. |
| `idmURL` | string | The HSP IDM URL. |
| `redirectURI` | string | The Dex redirect URI. |
| `getUserInfo` | bool | Whether to get user info. |
| `userNameKey` | bool | The key to use for the user name. |
| `scopes` | list(string) The scopes to request. |


You are now set. Dex will integrate with HSP IAM Code1 and your apps can now
integrate with Dex through OIDC. All roles assigned in the trusted HSP IAM Org will
be exposed as `claims` to your app.

## Custom scopes

The connector supports custom scopes. To use them, you need to create a custom scope in the HSP IAM service and then add it to the `scopes` array in the `manifest.yml` file.

| Scope | Description |
|----------------------|--------------------------------------------|
| `hsp:iam:introspect` | Returns introspect response as a claim. |
| `hsp:iam:token` | Returns a HSP IAM access token as a claim. |

> All the above-mentioned scopes are optional but must be specified in the `allowed_scopes` settings for them to become available.
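Review bot: the "Custom scopes" section does not match the code in this commit. It tells the reader to add scopes to `manifest.yml` and to an `allowed_scopes` setting, but nothing in the diff introduces either; the setting added in `cmd/dex/config.go` is `oauth2.allowedScopePrefixes`, so the section should show that key with an example value such as `hsp:iam:` and explain that it is a prefix allowlist. On the security side, the allow-list pattern `https://dex.example.com/*?*` in step 2 is broader than needed, since the only URL IAM ever redirects to is `https://dex.example.com/callback`; ask for `https://dex.example.com/callback?*` unless the IAM matcher cannot express that, because a whole-host wildcard turns any open redirect on the Dex host into a way to leak authorization codes. The `hsp:iam:token` scope places an HSP IAM access token inside the ID token, which means anyone who holds the ID token (the browser, request logs, downstream services that merely validate it) also holds a bearer token for IAM; the table should say so and recommend enabling that scope only for clients that need it. The example also inlines `clientSecret` in YAML; the upstream connector docs use `$ENV_VAR` references for secrets, and this README should do the same. Smaller fixes: the step 1 heading reads "OAuth2 OAuth2" and should be "OAuth2 Client"; "one ore more" and "to integrated with" in step 3; in the argument table `userNameKey` is typed `bool` but the example sets it to `sub`, so it is a string; the `scopes` row is missing a column separator so it renders as two cells; and the `audienceTrustMap` row refers to `trustedOrgId` while the config key is `trustedOrgID`.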