feat: start C4PO with docker-compose

c4po.sh

@@ -1,15 +1,5 @@
 #!/bin/bash
 baseDir=$(pwd)
-
-composeDir=$baseDir"/security-c4po-cfg"
-keycloakVolume="security-c4po-cfg/volumes/keycloak/data/*"
-mongoVolume="security-c4po-cfg/volumes/mongodb/data/*"
-
-composeKeycloak=$baseDir"/security-c4po-cfg/kc/docker-compose.keycloak.yml"
-composeDatabase=$baseDir"/security-c4po-cfg/mongodb/docker-compose.mongodb.yml"
-composeFrontend=$baseDir"/security-c4po-cfg/frontend/docker-compose.frontend.yml"
-composeBackend=$baseDir"/security-c4po-cfg/backend/docker-compose.backend.yml"
-
 compose=$baseDir"/security-c4po-cfg/docker-compose.yml"
 
 echo -e "
@@ -24,24 +14,21 @@ ______| |______ |_____  |_____| |    \_ __|__    |       |         _/_/_/     _/
 
 echo "-------------CLEAN UP Container---------------"
 echo -e "\n"
-rm -r ${keycloakVolume}
 docker rm -f c4po-keycloak
-docker rm -f c4po-keycloak-postgres
-docker rm -f c4po-db
+#docker rm -f c4po-db     ### toggle to clear database with every start ###
 docker rm -f c4po-api
 docker rm -f c4po-angular
 echo -e "\n"
+
 echo "-----------------Start Build------------------"
 echo -e "\n"
 echo " - Backend: "
-docker-compose -f ${composeBackend} build
+docker-compose -f ${compose} build c4po-api
 echo -e "\n"
 echo " - Frontend: "
-docker-compose -f ${composeFrontend} build
+docker-compose -f ${compose} build c4po-angular
 echo -e "\n"
-# docker-compose -f ${compose} up
 
 echo "------------Start Docker Container------------"
 echo -e "\n"
-docker-compose -f ${composeKeycloak} -f ${composeDatabase} -f ${composeBackend} -f ${composeFrontend} up
-# docker-compose -f ${compose} up
+docker-compose -f ${compose} up

security-c4po-angular/src/app/project-overview/project-overview.component.html

@@ -66,7 +66,7 @@
   </div>
 </div>
 
-<div *ngIf="projects$.getValue().length === 0 && loading$.getValue() === false" fxLayout="row" fxLayoutAlign="center center">
+<div *ngIf="projects$.getValue() == null || projects$.getValue().length === 0 && loading$.getValue() === false" fxLayout="row" fxLayoutAlign="center center">
   <p class="error-text">
     {{'project.overview.no.projects' | translate}}
   </p>

security-c4po-angular/src/environments/environment.prod.ts

@@ -2,7 +2,7 @@ export const environment = {
   production: true,
 
   // keycloak
-  keycloakURL: 'http://localhost:8888/auth',
+  keycloakURL: 'http://localhost:8080/auth',
   keycloakrealm: 'c4po_realm_local',
   keycloakclientId: 'c4po_local',
 

security-c4po-angular/src/environments/environment.ts

@@ -7,7 +7,7 @@ export const environment = {
   production: false,
 
   // keycloak
-  keycloakURL: 'http://localhost:8888/auth',
+  keycloakURL: 'http://localhost:8080/auth',
   keycloakrealm: 'c4po_realm_local',
   keycloakclientId: 'c4po_local',
 

security-c4po-api/Dockerfile

@@ -6,15 +6,12 @@ RUN mkdir /data
 RUN chown security-c4po-api:security-c4po-api /data
 USER security-c4po-api
 
-# GET CURRENT STAGE
-ARG STAGE
-ENV ENV_STAGE=$STAGE
-
 # COPY PACKAGE INTO IMAGE
 COPY ./build/libs/security-c4po-api-0.0.1-SNAPSHOT.jar /
 USER security-c4po-api
 EXPOSE 8443
 
-# RUN JAVA
+# WAIT FOR KEYCLOAK & RUN JAVA
+COPY ./wait-for-keycloak.sh /
 # CMD [ "java", "-jar", "security-c4po-api-0.0.1-SNAPSHOT.jar" ]
-ENTRYPOINT [ "java", "-jar", "-Dspring.profiles.active=${ENV_STAGE}", "security-c4po-api-0.0.1-SNAPSHOT.jar" ]
+ENTRYPOINT [ "./wait-for-keycloak.sh", "http://c4po-keycloak:8080/auth/realms/c4po_realm_local", "java", "-Dspring.profiles.active=${SPRING_PROFILES_ACTIVE}", "-jar", "security-c4po-api-0.0.1-SNAPSHOT.jar" ]

security-c4po-api/build.gradle.kts

@@ -91,6 +91,7 @@ dependencies {
 	testImplementation("org.springframework.restdocs:spring-restdocs-webtestclient")
 	testImplementation("com.github.spotbugs:spotbugs-annotations:4.1.2")
 	testApi("org.testcontainers:junit-jupiter:1.15.2")
+    testImplementation("com.github.dasniko:testcontainers-keycloak:2.3.0")
 }
 
 jacoco {

security-c4po-api/security-c4po-api.postman_collection.json

@@ -175,12 +175,12 @@
 						"method": "GET",
 						"header": [],
 						"url": {
-							"raw": "http://localhost:8888/auth/realms/c4po_realm_local/.well-known/openid-configuration",
+							"raw": "http://localhost:8080/auth/realms/c4po_realm_local/.well-known/openid-configuration",
 							"protocol": "http",
 							"host": [
 								"localhost"
 							],
-							"port": "8888",
+							"port": "8080",
 							"path": [
 								"auth",
 								"realms",
@@ -235,12 +235,12 @@
 							]
 						},
 						"url": {
-							"raw": "http://localhost:8888/auth/realms/c4po_realm_local/protocol/openid-connect/token",
+							"raw": "http://localhost:8080/auth/realms/c4po_realm_local/protocol/openid-connect/token",
 							"protocol": "http",
 							"host": [
 								"localhost"
 							],
-							"port": "8888",
+							"port": "8080",
 							"path": [
 								"auth",
 								"realms",

security-c4po-api/src/main/kotlin/com/securityc4po/api/configuration/security/WebSecurityConfiguration.kt

@@ -1,12 +1,20 @@
 package com.securityc4po.api.configuration.security
 
+import org.springframework.beans.factory.annotation.Value
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.ComponentScan
 import org.springframework.context.annotation.Configuration
+import org.springframework.context.annotation.Profile
 import org.springframework.http.HttpMethod
 import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity
 import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity
 import org.springframework.security.config.web.server.ServerHttpSecurity
+import org.springframework.security.oauth2.core.OAuth2TokenValidator
+import org.springframework.security.oauth2.jwt.Jwt
+import org.springframework.security.oauth2.jwt.JwtValidators
+import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder
+import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder
+import org.springframework.security.oauth2.jwt.ReactiveJwtDecoders
 import org.springframework.security.web.server.SecurityWebFilterChain
 import org.springframework.web.cors.CorsConfiguration
 
@@ -16,6 +24,12 @@ import org.springframework.web.cors.CorsConfiguration
 @ComponentScan
 class WebSecurityConfiguration(private val userAccountDetailsService: UserAccountDetailsService) {
 
+    @Value("\${external.issuer-uri}")
+    var externalIssuerUri: String? = null
+
+    @Value("\${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
+    var internalIssuerUri: String? = null
+
     @Bean
     fun setSecurityWebFilterChains(http: ServerHttpSecurity): SecurityWebFilterChain {
         http.cors().configurationSource {
@@ -48,4 +62,13 @@ class WebSecurityConfiguration(private val userAccountDetailsService: UserAccoun
     fun appuserJwtAuthenticationConverter(): AppuserJwtAuthConverter {
         return AppuserJwtAuthConverter(userAccountDetailsService)
     }
+
+    @Bean
+    @Profile("COMPOSE")
+    fun jwtDecoder(): ReactiveJwtDecoder {
+        val jwtDecoder = ReactiveJwtDecoders.fromIssuerLocation(internalIssuerUri) as NimbusReactiveJwtDecoder
+        val withIssuer: OAuth2TokenValidator<Jwt> = JwtValidators.createDefaultWithIssuer(externalIssuerUri)
+        jwtDecoder.setJwtValidator(withIssuer)
+        return jwtDecoder
+    }
 }

security-c4po-api/src/main/resources/application-COMPOSE.properties

@@ -1,7 +1,7 @@
 ## IdentityProvider (Keycloak) ##
-spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:8888/auth/realms/c4po_realm_local
-keycloakhost=localhost
-keycloak.client.url=http://localhost:8888
+spring.security.oauth2.resourceserver.jwt.issuer-uri=http://c4po-keycloak:8080/auth/realms/c4po_realm_local
+keycloakhost=c4po-keycloak
+keycloak.client.url=http://c4po-keycloak:8080
 keycloak.client.realm.path=auth/realms/c4po_realm_local/
 
 ## Database (MONGODB) Config ##

security-c4po-api/src/main/resources/application-DEV.properties

@@ -1,7 +1,7 @@
 ## IdentityProvider (Keycloak) ##
-spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:8888/auth/realms/c4po_realm_local
+spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:8080/auth/realms/c4po_realm_local
 keycloakhost=localhost
-keycloak.client.url=http://localhost:8888/
+keycloak.client.url=http://localhost:8080/
 
 ## Database (MONGODB) Config ##
 spring.data.mongodb.host=localhost

security-c4po-api/src/main/resources/application-TEST.properties

@@ -1,6 +1,4 @@
 ## IdentityProvider (Keycloak) ##
-spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:9999/auth/realms/c4po_realm_local
-keycloakhost=localhost
 keycloak.client.url=http://localhost:9999
 keycloak.client.realm.path=auth/realms/c4po_realm_local/
 

security-c4po-api/src/main/resources/application.properties

@@ -16,9 +16,10 @@ spring.data.mongodb.database=c4po
 spring.data.mongodb.auto-index-creation=true
 
 ## IdentityProvider (Keycloak) ##
-spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:8888/auth/realms/c4po_realm_local
+spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:8080/auth/realms/c4po_realm_local
+external.issuer-uri=http://localhost:8080/auth/realms/c4po_realm_local
 keycloakhost=localhost
-keycloak.client.url=http://localhost:8888
+keycloak.client.url=http://localhost:8080
 keycloak.client.realm.path=auth/realms/c4po_realm_local/
 
 ## Total number of pentests listet in the OWASP testing guide

security-c4po-api/src/test/kotlin/com/securityc4po/api/BaseContainerizedTest.kt

@@ -5,26 +5,29 @@ import com.github.dockerjava.api.model.ExposedPort
 import com.github.dockerjava.api.model.PortBinding
 import com.github.dockerjava.api.model.Ports
 import com.nimbusds.jwt.JWTParser
+import dasniko.testcontainers.keycloak.KeycloakContainer
 import org.junit.jupiter.api.TestInstance
-import org.springframework.beans.factory.annotation.Value
 import org.springframework.cloud.contract.wiremock.AutoConfigureWireMock
 import org.springframework.http.HttpEntity
 import org.springframework.http.HttpHeaders
 import org.springframework.http.MediaType
-import org.springframework.test.context.ActiveProfiles
+import org.springframework.test.context.DynamicPropertyRegistry
+import org.springframework.test.context.DynamicPropertySource
 import org.springframework.test.context.TestPropertySource
 import org.springframework.util.LinkedMultiValueMap
 import org.springframework.web.client.RestTemplate
-import org.testcontainers.shaded.com.fasterxml.jackson.databind.ObjectMapper
 import org.testcontainers.containers.GenericContainer
+import org.testcontainers.containers.wait.strategy.Wait
 import org.testcontainers.images.builder.ImageFromDockerfile
+import org.testcontainers.shaded.com.fasterxml.jackson.databind.ObjectMapper
 import org.testcontainers.utility.DockerImageName
 import org.testcontainers.utility.MountableFile
 import java.nio.file.Paths
 
 @TestInstance(TestInstance.Lifecycle.PER_CLASS)
 @AutoConfigureWireMock(port = 0)
-@TestPropertySource(properties = [
+@TestPropertySource(
+    properties = [
         "spring.data.mongodb.port=27017",
         "spring.data.mongodb.authentication-database=admin",
         "spring.data.mongodb.password=test",
@@ -32,14 +35,13 @@ import java.nio.file.Paths
         "MONGO_DB_MAX_CONNECTION_IDLE_TIME=PT25M",
         "DATA_REFRESH_THRESHOLD_DURATION=PT30M",
         "CLEANUP_BATCH_SIZE_FOR_SELECTING_EXPIRED_USERS=100"
-])
+    ]
+)
 abstract class BaseContainerizedTest {
-    @Value("\${keycloakhost}")
-    var keycloakhost: String? = null
-
     companion object {
-        val mongoDbContainer = KGenericContainer(ImageFromDockerfile("c4poapibasecontainerizedtest").withDockerfileFromBuilder {
-            it.from("mongo:4.4.6")
+        val mongoDbContainer = KGenericContainer(
+            ImageFromDockerfile("c4poapibasecontainerizedtest").withDockerfileFromBuilder {
+                it.from("mongo:latest")
                 it.env("MONGO_INITDB_ROOT_USERNAME", "root")
                 it.env("MONGO_INITDB_ROOT_PASSWORD", "cjwkbencowepoc324pon2mop3mp4")
                 it.env("MONGO_INITDB_DATABASE", "admin")
@@ -52,28 +54,29 @@ abstract class BaseContainerizedTest {
             start()
         }
 
-        val keycloakContainer = KGenericContainerFromImage(DockerImageName.parse("jboss/keycloak:11.0.3")).apply {
-            withEnv("KEYCLOAK_USER", "admin")
-            withEnv("KEYCLOAK_PASSWORD", "admin")
-            withEnv("KEYCLOAK_IMPORT", "/tmp/realm.json")
-            withEnv("DB_VENDOR", "h2")
-            withCreateContainerCmdModifier {
-                it.hostConfig?.withPortBindings(PortBinding(Ports.Binding.bindPort(8888), ExposedPort(8080)))
-            }
-            withCopyFileToContainer(MountableFile.forClasspathResource("realm-export.json", 700), "/tmp/realm.json")
-            start()
-            println("== Inserting users must wait until Keycloak is started completely ==")
-            execInContainer("sh", "/opt/jboss/create-keycloak-user.sh")
+        val keycloakContainer: KeycloakContainer = KeycloakContainer("quay.io/keycloak/keycloak:20.0.0")
+            .withAdminUsername("admin")
+            .withAdminPassword("admin")
+            .withContextPath("/auth")
+            .withRealmImportFile("realm-export.json")
+            .waitingFor(
+                Wait.forHttp("/auth")
+            )
+
+        @DynamicPropertySource
+        @JvmStatic
+        fun jwtValidationProperties(registry: DynamicPropertyRegistry) {
+            registry.add("spring.security.oauth2.resourceserver.jwt.issuer-uri") { keycloakContainer.authServerUrl + "/realms/c4po_realm_local" }
+
+            keycloakContainer.start()
         }
     }
 
     var token = "n/a"
     var tokenAdmin = "n/a"
     var tokenUser = "n/a"
-    var keycloakHost: String? = null
 
     fun getAccessToken(username: String, password: String, clientId: String, realm: String): String {
-        keycloakHost = "http://" + keycloakhost + ":" + keycloakContainer.getMappedPort(8080)
         val restTemplate = RestTemplate()
         val headers = HttpHeaders()
         headers.contentType = MediaType.APPLICATION_FORM_URLENCODED
@@ -84,8 +87,11 @@ abstract class BaseContainerizedTest {
         map.add("password", password)
         map.add("grant_type", "password")
         map.add("client_secret", "secret")
-        val responseString = restTemplate.postForObject("$keycloakHost/auth/realms/$realm/protocol/openid-connect/token",
-            HttpEntity<Any>(map, headers), String::class.java)
+        val responseString = restTemplate.postForObject(
+            keycloakContainer.authServerUrl + "/realms/$realm/protocol/openid-connect/token",
+            HttpEntity<Any>(map, headers),
+            String::class.java
+        )
         val token = ObjectMapper().readValue(responseString, KeyCloakToken::class.java)
         return token.access_token!!
     }

security-c4po-api/src/test/resources/script_local

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 cd keycloak/bin
 sleep 20
-./kcadm.sh config credentials --server http://localhost:8888/auth --realm master --user admin --password admin
+./kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin --password admin
 
 USERID=$(./kcadm.sh create users -r c4po_realm_local -s username=test_admin \
 -s email=testadmin@test.de \

security-c4po-api/wait-for-keycloak.sh

@@ -0,0 +1,17 @@
+#!/bin/sh
+# wait-for-keycloak.sh
+
+set -e
+
+host="$1"
+shift
+
+printf 'Waiting for keycloak...'
+until $(curl --output /dev/null --silent --head --fail $host); do
+    printf '.'
+    sleep 4
+done
+
+printf '\nKeycloak is up and running - Starting C4PO API'
+
+exec "$@"

security-c4po-cfg/backend/docker-compose.backend.yml

@@ -1,15 +0,0 @@
-version: '3.1'
-
-services:
-  c4po-api:
-    build: '../../security-c4po-api'
-    image: security-c4po-api:latest
-    container_name: c4po-api
-    environment:
-      - SPRING_PROFILES_ACTIVE=COMPOSE
-    deploy:
-      resources:
-        limits:
-          memory: "1G"
-    ports:
-      - 8443:8443

security-c4po-cfg/cfg/keycloak.env

@@ -1,9 +0,0 @@
-# cfg for local keycloak
-DB_VENDOR=postgres
-DB_ADDR=c4po-keycloak-postgress
-DB_PORT=5432
-DB_USER=c4po_kc_local
-DB_PASSWORD=Test1234!
-KEYCLOAK_USER=admin
-KEYCLOAK_PASSWORD=admin
-KEYCLOAK_IMPORT=/tmp/c4po_realm_export.json

security-c4po-cfg/cfg/keycloakdb.env

@@ -1,4 +0,0 @@
-# database.env
-POSTGRES_USER=c4po_kc_local
-POSTGRES_PASSWORD=Test1234!
-POSTGRES_DB=keycloak

security-c4po-cfg/docker-compose.yml

@@ -1,27 +1,15 @@
 version: '2'
 
 volumes:
-  c4po-keycloak-postgres:
   c4po-db:
 
 services:
   # Database
-  c4po-keycloak-postgres:
-    container_name: c4po-keycloak-postgres
-    image: postgres:latest
-    env_file:
-      - cfg/keycloakdb.env
-    ports:
-      - 5433:5432
-    volumes:
-      - /volumes/keycloak/data/:/var/lib/postgres/data
-    networks:
-      - c4po
   c4po-db:
     image: mongo:latest
     container_name: c4po-db
     volumes:
-      - /volumes/mongodb/data/:/db/data
+      - ./volumes/mongodb/data/:/db/data
     deploy:
       resources:
         limits:
@@ -30,20 +18,15 @@ services:
       - 27017:27017
     networks:
       - c4po
-  # Authentity Provider
+  # Authentication Provider
   c4po-keycloak:
     container_name: c4po-keycloak
-    depends_on:
-      - c4po-keycloak-postgres
-    links:
-      - c4po-keycloak-postgres
-    image: jboss/keycloak:11.0.3
+    image: quay.io/keycloak/keycloak:20.0.0
     volumes:
-      - /cfg/c4po_realm_export.json/:/tmp/c4po_realm_export.json
+      - ./cfg/c4po_realm_export.json/:/opt/keycloak/data/import/c4po_realm_export.json
     ports:
-      - 8888:8080
-    env_file:
-      - cfg/keycloak.env
+      - 8080:8080
+    entrypoint: /opt/keycloak/bin/kc.sh start-dev --import-realm --http-relative-path=/auth
     networks:
       - c4po
   # Services
@@ -53,17 +36,14 @@ services:
     container_name: c4po-angular
     depends_on:
       - c4po-keycloak
-    links:
-      - c4po-keycloak
     deploy:
       resources:
         limits:
-          memory: "1G"
+          memory: "2G"
     ports:
       - 4200:4200
     networks:
       - c4po
-
   c4po-api:
     build: '../security-c4po-api'
     image: security-c4po-api:latest
@@ -73,13 +53,10 @@ services:
     depends_on:
       - c4po-db
       - c4po-keycloak
-    links:
-      - c4po-db
-      - c4po-keycloak
     deploy:
       resources:
         limits:
-          memory: "1G"
+          memory: "2G"
     ports:
       - 8443:8443
     networks:

security-c4po-cfg/frontend/docker-compose.frontend.yml

@@ -1,13 +0,0 @@
-version: '3.1'
-
-services:
-  c4po-angular:
-    build: '../../security-c4po-angular'
-    image: security-c4po-angular:latest
-    container_name: c4po-angular
-    deploy:
-      resources:
-        limits:
-          memory: "1G"
-    ports:
-      - 4200:4200

security-c4po-cfg/kc/docker-compose.keycloak.yml

@@ -1,21 +0,0 @@
-version: '3.1'
-
-services:
-  c4po-keycloak:
-    container_name: c4po-keycloak
-    image: jboss/keycloak:11.0.3
-    volumes:
-      - ../cfg/c4po_realm_export.json:/tmp/c4po_realm_export.json
-    ports:
-      - 8888:8080
-    env_file:
-      - ../cfg/keycloak.env
-  c4po-keycloak-postgress:
-    container_name: c4po-keycloak-postgres
-    image: postgres:10.16-alpine
-    env_file:
-      - ../cfg/keycloakdb.env
-    ports:
-      - 5433:5432
-    volumes:
-      - ../volumes/keycloak/data:/var/lib/postgres/data

security-c4po-cfg/mongodb/docker-compose.mongodb.yml

@@ -1,14 +0,0 @@
-version: '3.1'
-
-services:
-  c4po-db:
-    image: mongo:4.4.6
-    container_name: c4po-db
-    volumes:
-      - ../volumes/mongodb/data:/data/db
-    deploy:
-      resources:
-        limits:
-          memory: "1G"
-    ports:
-      - 27017:27017