feat: add auth

Signed-off-by: Abirdcfly <[email protected]>

Author: Abirdcfly

cmd/depository/main.go

@@ -23,10 +23,11 @@ import (
 	"fmt"
 	"os"
 
+	"github.com/bestchains/bc-explorer/pkg/auth"
 	"github.com/bestchains/bc-explorer/pkg/network"
 	"github.com/bestchains/bc-saas/pkg/contracts"
 	handler "github.com/bestchains/bc-saas/pkg/handlers"
-	listener "github.com/bestchains/bc-saas/pkg/listener"
+	"github.com/bestchains/bc-saas/pkg/listener"
 	"github.com/bestchains/bc-saas/pkg/models"
 	"github.com/go-pg/pg/v10"
 	"github.com/go-pg/pg/v10/orm"
@@ -37,15 +38,15 @@ import (
 )
 
 var (
-	profile  = flag.String("profile", "./network.json", "profile to connect with blockchain network")
-	contract = flag.String("contract", "depository", "contract name")
-	addr     = flag.String("addr", ":9999", "used to listen and serve http requests")
-	db       = flag.String("db", "pg", "which database to use, default is pg(postgresql)")
-	dsn      = flag.String("dsn", "postgres://bestchains:[email protected]:5432/bc-saas?sslmode=disable", "database connection string")
+	profile    = flag.String("profile", "./network.json", "profile to connect with blockchain network")
+	contract   = flag.String("contract", "depository", "contract name")
+	addr       = flag.String("addr", ":9999", "used to listen and serve http requests")
+	db         = flag.String("db", "pg", "which database to use, default is pg(postgresql)")
+	dsn        = flag.String("dsn", "postgres://bestchains:[email protected]:5432/bc-saas?sslmode=disable", "database connection string")
+	authMethod = flag.String("auth", "none", "user authentication method, none, oidc or kubernetes")
 )
 
 func main() {
-	klog.InitFlags(nil)
 	flag.Parse()
 
 	if err := run(); err != nil {
@@ -89,6 +90,10 @@ func run() error {
 	app.Use(logger.New(logger.Config{
 		Format: "[${ip}]:${port} ${status} - ${method} ${path}\n",
 	}))
+	app.Use(auth.New(context.TODO(), auth.Config{
+		AuthMethod:    *authMethod,
+		SkipAuthorize: true,
+	}))
 	depository := app.Group("depository")
 
 	// hyperledger handlers

deploy/deploy.yaml

@@ -0,0 +1,68 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bc-saas
+  namespace: baas-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: bc-saas
+  template:
+    metadata:
+      labels:
+        app: bc-saas
+    spec:
+      serviceAccountName: bc-saas
+      volumes:
+        - name: network-json
+          secret:
+            secretName: bc-saas-secret
+        - name: oidc-server-ca
+          secret:
+            defaultMode: 420
+            items:
+              - key: ca.crt
+                path: ca.pem
+            secretName: oidc-server-root-secret
+      containers:
+        - name: depository
+          image: hyperledgerk8s/bc-saas:6b0ed39
+          command:
+            - depository
+          args:
+            - -v=5
+            - -profile=/opt/depository/network.json
+            - -contract=depository
+            - -auth=oidc
+          ports:
+            - containerPort: 9999
+          env:
+          - name: OIDC_CA_FILE
+            value: "/etc/oidc/oidc-server/ca.pem"
+          - name: OIDC_CLIENT_ID
+            valueFrom:
+              secretKeyRef:
+                key: oidc.client-id
+                name: kube-oidc-proxy-config
+          - name: OIDC_ISSUER_URL
+            valueFrom:
+              secretKeyRef:
+                key: oidc.issuer-url
+                name: kube-oidc-proxy-config
+          - name: OIDC_USERNAME_CLAIM
+            valueFrom:
+              secretKeyRef:
+                key: oidc.username-claim
+                name: kube-oidc-proxy-config
+          - name: OIDC_GROUPS_CLAIM
+            valueFrom:
+              secretKeyRef:
+                key: oidc.group-claim
+                name: kube-oidc-proxy-config
+          volumeMounts:
+            - name: network-json
+              mountPath: /opt/depository
+            - mountPath: /etc/oidc/oidc-server
+              name: oidc-server-ca
+              readOnly: true

deploy/network.json

@@ -0,0 +1,23 @@
+{
+  "id": "network-sample3",
+  "platform": "bestchains",
+  "fabProfile": {
+    "channel": "channelid",
+    "organization": "org1",
+    "user": {
+      "name": "org1admin",
+      "key": {
+        "pem": "-----BEGIN PRIVATE KEY-----\nMIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgnaTsH8cPOcV0Vgvn\nx4Z1hIUpV1Kg2kjzu1x3E7oM59mhRANCAAQ9Mjwd16DmSeyEiZV5kQ04tUFrJMxk\nslTDmBrc1vFkPqzMH1LGCsn2w8gKwcisboz8eC7mJPfS8eR9wK4w/aQx\n-----END PRIVATE KEY-----\n"
+      },
+      "cert": {
+        "pem": "-----BEGIN CERTIFICATE-----\nMIIDDzCCAregAwIBAgIUV0lIiC3NNUr+69cVUy8v6i0gxm0wCgYIKoZIzj0EAwIw\nXzELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQK\nEwtIeXBlcmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRAwDgYDVQQDEwdvcmcxLWNh\nMB4XDTIzMDQxODA1MzcwMFoXDTI0MDQxNzA1NDQwMFowJDEOMAwGA1UECxMFYWRt\naW4xEjAQBgNVBAMTCW9yZzFhZG1pbjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBD0yPB3XoOZJ7ISJlXmRDTi1QWskzGSyVMOYGtzW8WQ+rMwfUsYKyfbDyArByKxu\njPx4LuYk99Lx5H3ArjD9pDGjggGKMIIBhjAOBgNVHQ8BAf8EBAMCB4AwDAYDVR0T\nAQH/BAIwADAdBgNVHQ4EFgQUprvedopkGRfeYsxHLI8Cp3hoZawwHwYDVR0jBBgw\nFoAUO++ESe8aFTNvD982WCOyKxTgST0wLgYDVR0RBCcwJYIjY29udHJvbGxlci1t\nYW5hZ2VyLTVmZDhmYzc1NGMtOXRzZjkwgfUGCCoDBAUGBwgBBIHoeyJhdHRycyI6\neyJoZi5BZmZpbGlhdGlvbiI6IiIsImhmLkVucm9sbG1lbnRJRCI6Im9yZzFhZG1p\nbiIsImhmLkdlbkNSTCI6InRydWUiLCJoZi5JbnRlcm1lZGlhdGVDQSI6InRydWUi\nLCJoZi5SZWdpc3RyYXIuUm9sZXMiOiIqIiwiaGYuUmVnaXN0cmFyRGVsZWdhdGVS\nb2xlcyI6IioiLCJoZi5SZXZva2VyIjoiKiIsImhmLlR5cGUiOiJhZG1pbiIsImhm\nLmhmLlJlZ2lzdHJhci5BdHRyaWJ1dGVzIjoiKiJ9fTAKBggqhkjOPQQDAgNGADBD\nAiBpB13OjDKI/qU7/QI8L8c1KnCNJkdcD0BOcwpwKsOqMAIfEXsg0dMLjOsU1Jm0\noUCQNrlRW9wlT/oxbStXppcFNg==\n-----END CERTIFICATE-----\n"
+      }
+    },
+    "endpoint": {
+      "url": "grpcs://org1-org1peer1-peer.172.18.0.4.nip.io:443",
+      "tlsCACerts": {
+        "pem": "-----BEGIN CERTIFICATE-----\nMIICBzCCAa6gAwIBAgIUMBMS27QPxyLtVrHtGIBJcwquF00wCgYIKoZIzj0EAwIw\nYjELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQK\nEwtIeXBlcmxlZGdlcjEPMA0GA1UECxMGRmFicmljMRMwEQYDVQQDEwpvcmcxLXRs\nc2NhMB4XDTIzMDQxODA1MzcwMFoXDTM4MDQxNDA1MzcwMFowYjELMAkGA1UEBhMC\nVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRQwEgYDVQQKEwtIeXBlcmxlZGdl\ncjEPMA0GA1UECxMGRmFicmljMRMwEQYDVQQDEwpvcmcxLXRsc2NhMFkwEwYHKoZI\nzj0CAQYIKoZIzj0DAQcDQgAElsbFDQe/QFwZoRBrbLp6zQTyxD+SGDhi/7hshCd/\ncMNYADqusdjHSIorTiTegS9/69iUz5ROeFurcSfHxGI4gaNCMEAwDgYDVR0PAQH/\nBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFKlocv/Ghk9Nkq6/zzov\nubxlHrw0MAoGCCqGSM49BAMCA0cAMEQCIHoYm+ccgYhqvXng8yXDvedqS1wsJPmX\n9Y1P9Z/44i6zAiBtke6JqTrixv9yorq5JtBGs12qU/lsWig7nwKFSdQKsA==\n-----END CERTIFICATE-----\n"
+      }
+    }
+  }
+}

deploy/oidc-secret.md

@@ -0,0 +1,10 @@
+if use `oidc` auth, you need create secret `kube-oidc-proxy-config` and `oidc-server-root-secret`, the data is same with `u4a-system`.
+```bash
+kubectl get secret kube-oidc-proxy-config -n u4a-system -o json \
+ | jq 'del(.metadata["namespace","creationTimestamp","resourceVersion","selfLink","uid"])' \
+ | kubectl apply -n baas-system -f -
+
+kubectl get secret oidc-server-root-secret -n u4a-system -o json \
+ | jq 'del(.metadata["namespace","creationTimestamp","resourceVersion","selfLink","uid"])' \
+ | kubectl apply -n baas-system -f -
+```

deploy/rbac.yaml

@@ -0,0 +1,146 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: bc-saas
+  namespace: baas-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: bc-saas
+rules:
+  - apiGroups:
+      - authentication.k8s.io
+    resources:
+      - tokenreviews
+    verbs:
+      - create
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - pods/log
+      - persistentvolumeclaims
+      - persistentvolumes
+      - services
+      - endpoints
+      - events
+      - configmaps
+      - secrets
+      - nodes
+      - serviceaccounts
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - "batch"
+    resources:
+      - jobs
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - deployments
+      - daemonsets
+      - replicasets
+      - statefulsets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - monitoring.coreos.com
+    resources:
+      - servicemonitors
+    verbs:
+      - get
+  - apiGroups:
+      - ibp.com
+    resources:
+      - ibpcas.ibp.com
+      - ibppeers.ibp.com
+      - ibporderers.ibp.com
+      - ibpconsoles.ibp.com
+      - organizations.ibp.com
+      - federations.ibp.com
+      - networks.ibp.com
+      - proposals.ibp.com
+      - votes.ibp.com
+      - channels.ibp.com
+      - chaincodebuilds.ibp.com
+      - ibpcas
+      - ibppeers
+      - ibporderers
+      - ibpconsoles
+      - organizations
+      - federations
+      - networks
+      - proposals
+      - votes
+      - channels
+      - chaincodebuilds
+      - ibpcas/finalizers
+      - ibppeers/finalizers
+      - ibporderers/finalizers
+      - ibpconsoles/finalizers
+      - organizations/finalizers
+      - federations/finalizers
+      - networks/finalizers
+      - proposals/finalizers
+      - votes/finalizers
+      - channels/finalizers
+      - chaincodebuilds/finalizers
+      - ibpcas/status
+      - ibppeers/status
+      - ibporderers/status
+      - ibpconsoles/status
+      - organizations/status
+      - federations/status
+      - networks/status
+      - proposals/status
+      - votes/status
+      - channels/status
+      - chaincodebuilds/status
+      - chaincodes
+      - chaincodes/status
+      - endorsepolicies
+      - endorsepolicies/status
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - iam.tenxcloud.com
+    resources:
+      - users.iam.tenxcloud.com
+      - users
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - tekton.dev
+    resources:
+      - pipelineruns
+      - taskruns
+    verbs:
+      - get
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: bc-saas
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: bc-saas
+subjects:
+  - kind: ServiceAccount
+    name: bc-saas
+    namespace: baas-system

deploy/secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  # cat networ.json | base64
+  network.json: ewogICJpZCI6ICJuZXR3b3JrLXNhbXBsZTMiLAogICJwbGF0Zm9ybSI6ICJiZXN0Y2hhaW5zIiwKICAiZmFiUHJvZmlsZSI6IHsKICAgICJjaGFubmVsIjogImNoYW5uZWxpZCIsCiAgICAib3JnYW5pemF0aW9uIjogIm9yZzEiLAogICAgInVzZXIiOiB7CiAgICAgICJuYW1lIjogIm9yZzFhZG1pbiIsCiAgICAgICJrZXkiOiB7CiAgICAgICAgInBlbSI6ICItLS0tLUJFR0lOIFBSSVZBVEUgS0VZLS0tLS1cbk1JR0hBZ0VBTUJNR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEJHMHdhd0lCQVFRZ25hVHNIOGNQT2NWMFZndm5cbng0WjFoSVVwVjFLZzJranp1MXgzRTdvTTU5bWhSQU5DQUFROU1qd2QxNkRtU2V5RWlaVjVrUTA0dFVGckpNeGtcbnNsVERtQnJjMXZGa1Bxek1IMUxHQ3NuMnc4Z0t3Y2lzYm96OGVDN21KUGZTOGVSOXdLNHcvYVF4XG4tLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tXG4iCiAgICAgIH0sCiAgICAgICJjZXJ0IjogewogICAgICAgICJwZW0iOiAiLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tXG5NSUlERHpDQ0FyZWdBd0lCQWdJVVYwbElpQzNOTlVyKzY5Y1ZVeTh2NmkwZ3htMHdDZ1lJS29aSXpqMEVBd0l3XG5YekVMTUFrR0ExVUVCaE1DVlZNeEZ6QVZCZ05WQkFnVERrNXZjblJvSUVOaGNtOXNhVzVoTVJRd0VnWURWUVFLXG5Fd3RJZVhCbGNteGxaR2RsY2pFUE1BMEdBMVVFQ3hNR1JtRmljbWxqTVJBd0RnWURWUVFERXdkdmNtY3hMV05oXG5NQjRYRFRJek1EUXhPREExTXpjd01Gb1hEVEkwTURReE56QTFORFF3TUZvd0pERU9NQXdHQTFVRUN4TUZZV1J0XG5hVzR4RWpBUUJnTlZCQU1UQ1c5eVp6RmhaRzFwYmpCWk1CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUhBMElBXG5CRDB5UEIzWG9PWko3SVNKbFhtUkRUaTFRV3NrekdTeVZNT1lHdHpXOFdRK3JNd2ZVc1lLeWZiRHlBckJ5S3h1XG5qUHg0THVZazk5THg1SDNBcmpEOXBER2pnZ0dLTUlJQmhqQU9CZ05WSFE4QkFmOEVCQU1DQjRBd0RBWURWUjBUXG5BUUgvQkFJd0FEQWRCZ05WSFE0RUZnUVVwcnZlZG9wa0dSZmVZc3hITEk4Q3AzaG9aYXd3SHdZRFZSMGpCQmd3XG5Gb0FVTysrRVNlOGFGVE52RDk4MldDT3lLeFRnU1Qwd0xnWURWUjBSQkNjd0pZSWpZMjl1ZEhKdmJHeGxjaTF0XG5ZVzVoWjJWeUxUVm1aRGhtWXpjMU5HTXRPWFJ6Wmprd2dmVUdDQ29EQkFVR0J3Z0JCSUhvZXlKaGRIUnljeUk2XG5leUpvWmk1QlptWnBiR2xoZEdsdmJpSTZJaUlzSW1obUxrVnVjbTlzYkcxbGJuUkpSQ0k2SW05eVp6RmhaRzFwXG5iaUlzSW1obUxrZGxia05TVENJNkluUnlkV1VpTENKb1ppNUpiblJsY20xbFpHbGhkR1ZEUVNJNkluUnlkV1VpXG5MQ0pvWmk1U1pXZHBjM1J5WVhJdVVtOXNaWE1pT2lJcUlpd2lhR1l1VW1WbmFYTjBjbUZ5UkdWc1pXZGhkR1ZTXG5iMnhsY3lJNklpb2lMQ0pvWmk1U1pYWnZhMlZ5SWpvaUtpSXNJbWhtTGxSNWNHVWlPaUpoWkcxcGJpSXNJbWhtXG5MbWhtTGxKbFoybHpkSEpoY2k1QmRIUnlhV0oxZEdWeklqb2lLaUo5ZlRBS0JnZ3Foa2pPUFFRREFnTkdBREJEXG5BaUJwQjEzT2pES0kvcVU3L1FJOEw4YzFLbkNOSmtkY0QwQk9jd3B3S3NPcU1BSWZFWHNnMGRNTGpPc1UxSm0wXG5vVUNRTnJsUlc5d2xUL294YlN0WHBwY0ZOZz09XG4tLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tXG4iCiAgICAgIH0KICAgIH0sCiAgICAiZW5kcG9pbnQiOiB7CiAgICAgICJ1cmwiOiAiZ3JwY3M6Ly9vcmcxLW9yZzFwZWVyMS1wZWVyLjE3Mi4xOC4wLjQubmlwLmlvOjQ0MyIsCiAgICAgICJ0bHNDQUNlcnRzIjogewogICAgICAgICJwZW0iOiAiLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tXG5NSUlDQnpDQ0FhNmdBd0lCQWdJVU1CTVMyN1FQeHlMdFZySHRHSUJKY3dxdUYwMHdDZ1lJS29aSXpqMEVBd0l3XG5ZakVMTUFrR0ExVUVCaE1DVlZNeEZ6QVZCZ05WQkFnVERrNXZjblJvSUVOaGNtOXNhVzVoTVJRd0VnWURWUVFLXG5Fd3RJZVhCbGNteGxaR2RsY2pFUE1BMEdBMVVFQ3hNR1JtRmljbWxqTVJNd0VRWURWUVFERXdwdmNtY3hMWFJzXG5jMk5oTUI0WERUSXpNRFF4T0RBMU16Y3dNRm9YRFRNNE1EUXhOREExTXpjd01Gb3dZakVMTUFrR0ExVUVCaE1DXG5WVk14RnpBVkJnTlZCQWdURGs1dmNuUm9JRU5oY205c2FXNWhNUlF3RWdZRFZRUUtFd3RJZVhCbGNteGxaR2RsXG5jakVQTUEwR0ExVUVDeE1HUm1GaWNtbGpNUk13RVFZRFZRUURFd3B2Y21jeExYUnNjMk5oTUZrd0V3WUhLb1pJXG56ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUVsc2JGRFFlL1FGd1pvUkJyYkxwNnpRVHl4RCtTR0RoaS83aHNoQ2QvXG5jTU5ZQURxdXNkakhTSW9yVGlUZWdTOS82OWlVejVST2VGdXJjU2ZIeEdJNGdhTkNNRUF3RGdZRFZSMFBBUUgvXG5CQVFEQWdFR01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZLbG9jdi9HaGs5TmtxNi96em92XG51YnhsSHJ3ME1Bb0dDQ3FHU000OUJBTUNBMGNBTUVRQ0lIb1ltK2NjZ1locXZYbmc4eVhEdmVkcVMxd3NKUG1YXG45WTFQOVovNDRpNnpBaUJ0a2U2SnFUcml4djl5b3JxNUp0QkdzMTJxVS9sc1dpZzdud0tGU2RRS3NBPT1cbi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS1cbiIKICAgICAgfQogICAgfQogIH0KfQo=
+kind: Secret
+metadata:
+  name: bc-saas-secret
+  namespace: baas-system

deploy/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: bc-saas-service
+  namespace: baas-system
+spec:
+  selector:
+    app: bc-saas
+  ports:
+    - protocol: TCP
+      port: 9999
+      targetPort: 9999