
Merge branch 'feature-oidc' into css-7081/use-secret-store
Signed-off-by: Babak K. Shandiz <[email protected]>
babakks committed Mar 13, 2024
2 parents 6368bdf + 0c679a6 commit 67078b7
Showing 189 changed files with 5,354 additions and 4,425 deletions.
8 changes: 2 additions & 6 deletions .github/workflows/ci.yaml
Expand Up @@ -42,6 +42,8 @@ jobs:
run: |
touch ./local/vault/approle.json
touch ./local/vault/roleid.txt
- name: Create test certs
run: make certs
- name: Start test environment
run: docker compose up -d --wait
- name: Build and Test
Expand All @@ -65,12 +67,6 @@ jobs:
- uses: actions/setup-go@v4
with:
go-version-file: 'go.mod'
- name: Pull candid repo for test environment
run: |
git clone https://github.com/canonical/candid.git ./tmp/candid
cd ./tmp/candid
make image
docker image ls candid
- name: Add volume files
run: |
touch ./local/vault/approle.json
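Review bot: The new `Create test certs` step carries no comment on why it exists or why it has to run before `Start test environment`; the README change in this same commit says the suite depends on a self-signed CA generated under local/traefik/certs that the Go HTTP client and the traefik container both trust, which is not obvious from `run: make certs` alone. A one-line `# Generate the self-signed traefik CA the tests trust; must precede docker compose` above `- name: Create test certs` would spare the next reader the detour. The enclosing `jobs:` block starts and ends outside the hunk.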
16 changes: 6 additions & 10 deletions Makefile
Expand Up @@ -29,15 +29,17 @@ clean:
-$(RM) -r jimm-release/
-$(RM) jimm-*.tar.xz

test-env: sysdeps
certs:
@cd local/traefik/certs; ./certs.sh; cd -

test-env: sysdeps certs
@touch ./local/vault/approle.json && touch ./local/vault/roleid.txt
@docker compose up --force-recreate
@docker compose up --force-recreate -d --wait

test-env-cleanup:
@docker compose down -v --remove-orphans

dev-env-setup: sysdeps pull/candid
@cd local/traefik/certs; ./certs.sh; cd -
dev-env-setup: sysdeps certs
@touch ./local/vault/approle.json && touch ./local/vault/roleid.txt
@make version/commit.txt && make version/version.txt
@go mod vendor
Expand Down Expand Up @@ -97,11 +99,6 @@ push-microk8s: jimm-image
docker tag jimm:latest localhost:32000/jimm:latest
docker push localhost:32000/jimm:latest

pull/candid:
-git clone https://github.com/canonical/candid.git ./tmp/candid
(cd ./tmp/candid && make image)
docker image ls candid

get-local-auth:
@go run ./local/authy

Expand Down Expand Up @@ -138,7 +135,6 @@ help:
@echo 'make sysdeps - Install the development environment system packages.'
@echo 'make format - Format the source files.'
@echo 'make simplify - Format and simplify the source files.'
@echo 'make pull/candid - Pull candid for local development environment.'
@echo 'make get-local-auth - Get local auth to the API WSS endpoint locally.'

.PHONY: build check install release clean format server simplify sysdeps help FORCE
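Review bot: The new `certs` recipe `@cd local/traefik/certs; ./certs.sh; cd -` cannot fail: with `;` the recipe's exit status is that of the trailing `cd -`, so a non-zero exit from `certs.sh` is swallowed and `test-env`, `dev-env-setup` and the new `make certs` step in .github/workflows/ci.yaml carry on without the certificates they depend on. Make runs each recipe line in its own shell, so the `cd -` is unnecessary; `@cd local/traefik/certs && ./certs.sh` fails fast instead. Whether certs.sh itself exits non-zero on error is not visible here, so that should be confirmed alongside this change.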
11 changes: 11 additions & 0 deletions README.md
Expand Up @@ -45,6 +45,12 @@ See [here](./local/README.md) on how to get started.

## Testing

## TLDR
Run:
```
$ make test-env
$ go test ./...
```
### Pre-requisite
To check if your system has all the prequisites installed simply run `make sysdeps`.
This will check for all test prequisites and inform you how to install them if not installed.
Expand All @@ -56,6 +62,11 @@ This can be installed via: `sudo snap install juju-db`.
The latest JIMM has an upgraded dependency on Juju which requires in turn requires juju-db from channel `4.4/stable`,
this can be installed with `sudo snap install juju-db --channel=4.4/stable`

Tests inside of `cmd/` create a JIMM server and test the jimmctl and jaas CLI packages. The Juju CLI requires that it connects to
an HTTPS server, but these tests also start a Juju controller which expects to be able to fetch a JWKS and macaroon publickey
from JIMM (which is running as an HTTPS server). This would normally result in a TLS certificate error, however JIMM will
attempt to use a custom self-signed cert from the certificate generated in `local/traefik/certs`. The make command `make certs` will generate these certs and place the CA in your system's cert pool which will be picked up by the Go HTTP client.

The rest of the suite relies on PostgreSQL, OpenFGA and Hashicorp Vault which are dockerised
and as such you may simple run `make test-env` to be integration test ready.
The above command won't start a dockerised instance of JIMM as tests are normally run locally. Instead, to start a
13 changes: 10 additions & 3 deletions api/params/params.go
Expand Up @@ -405,7 +405,7 @@ type LoginDeviceResponse struct {
}

// GetDeviceSessionTokenResponse returns a session token to be used against
// LoginSessionToken for authentication. The session token will be base64
// LoginWithSessionToken for authentication. The session token will be base64
// encoded.
type GetDeviceSessionTokenResponse struct {
// SessionToken is a base64 encoded JWT capable of authenticating
Expand All @@ -414,14 +414,14 @@ type GetDeviceSessionTokenResponse struct {
SessionToken string `json:"session-token"`
}

// LoginSessionTokenRequest accepts a session token minted by JIMM and logs
// LoginWithSessionTokenRequest accepts a session token minted by JIMM and logs
// the user in.
//
// The login response for this login request type is that of jujuparams.LoginResult,
// such that the behaviour of previous macroon based authentication is unchanged.
// However, on unauthenticated requests, the error is different and is not a macaroon
// discharge request.
type LoginSessionTokenRequest struct {
type LoginWithSessionTokenRequest struct {
// SessionToken is a base64 encoded JWT capable of authenticating
// a user. The JWT contains the users email address in the subject,
// and this is used to identify this user.
Expand All @@ -430,6 +430,13 @@ type LoginSessionTokenRequest struct {

// Service Account related request parameters

// LoginWithClientCredentialsRequest holds the client id and secret used
// to authenticate with JIMM.
type LoginWithClientCredentialsRequest struct {
ClientID string `json:"client-id"`
ClientSecret string `json:"client-secret"`
}

// AddServiceAccountRequest holds a request to add a service account.
type AddServiceAccountRequest struct {
// ClientID holds the client id of the service account.
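Review bot: The new `LoginWithClientCredentialsRequest` leaves both fields undocumented, while the neighbouring `AddServiceAccountRequest` in the same hunk comments each field (`// ClientID holds the client id of the service account.`). For the secret in particular the comment should record the handling expectation so nobody later dumps the struct into a log or error: `// ClientID holds the client id of the service account.` above ClientID and `// ClientSecret is the service account's secret; it is credential material and must not be logged or echoed back in errors.` above ClientSecret. The struct is complete within the hunk.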
2 changes: 1 addition & 1 deletion charms/bundles/controller/README.md
Expand Up @@ -21,7 +21,7 @@ This bundle needs to be deployed on top of an already existing controller
model.

To bootstrap an appropriate model run commands like the following:
juju bootstrap --bootstrap-constraints="cores=8 mem=8G root-disk=50G" --config identity-url=<candid URL> --config allow-model-access=true --config public-dns-address=<DNS of the controller>:443 <cloud>/<region> <name>
juju bootstrap --bootstrap-constraints="cores=8 mem=8G root-disk=50G" --config allow-model-access=true --config public-dns-address=<DNS of the controller>:443 <cloud>/<region> <name>
juju enable-ha -n 3
juju switch controller

12 changes: 2 additions & 10 deletions charms/how-to-deploy-jimm-k8s.md
Expand Up @@ -26,17 +26,9 @@ juju switch jimm
make push-microk8s
//Switch to jimm-k8s charm directory
charmcraft pack
juju deploy ./juju-jimm-k8s_ubuntu-20.04-amd64.charm --resource jimm-image="localhost:32000/jimm:latest" --config uuid=ff77dbd0-ab87-444e-b9c7-768c675bf59d --config dns-name=juju-jimm-k8s-0.juju-jimm-k8s-endpoints.jimm.svc.cluster.local --config candid-url="https://api.staging.jujucharms.com/identity" --config vault-access-address="<IP>"
// The following commands can be skipped but will prevent
// JIMM from communicating with Candid.
juju config juju-jimm-k8s private-key=<removed>
juju config juju-jimm-k8s public-key=<removed>
juju config juju-jimm-k8s candid-public-key=<removed>
juju config juju-jimm-k8s candid-agent-username=<removed>
juju config juju-jimm-k8s candid-agent-public-key=<removed>
juju config juju-jimm-k8s candid-agent-private-key=<removed>
juju deploy ./juju-jimm-k8s_ubuntu-20.04-amd64.charm --resource jimm-image="localhost:32000/jimm:latest" --config uuid=ff77dbd0-ab87-444e-b9c7-768c675bf59d --config dns-name=juju-jimm-k8s-0.juju-jimm-k8s-endpoints.jimm.svc.cluster.local --config vault-access-address="<IP>"
```
Deploy OPNEFGA, make relations and run setup actions
Deploy OPENFGA, make relations and run setup actions
```
juju deploy openfga-k8s --series=jammy --channel=latest/edge --revision=5
juju relate juju-jimm-k8s openfga-k8s
10 changes: 10 additions & 0 deletions charms/jimm-k8s/config.yaml
Expand Up @@ -85,7 +85,17 @@ options:
type: string
description: |
Duration for the JWT expiry (defaults to 5 minutes).
This is the JWT JIMM sends to a Juju controller to authenticate
model related commands. Increase this if long running websocket
connections are failing due to authentication errors.
default: 5m
session-expiry-duration:
type: string
default: 6h
description: |
Expiry duration for JIMM session tokens. These tokens are used
by clients and their expiry determines how frequently a user
must login.
macaroon-expiry-duration:
type: string
default: 24h
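Review bot: The new `session-expiry-duration` option is `type: string` but its description never says what format is accepted, so an operator has to guess whether `6h`, `360m` or a bare number is valid; the sibling `jwt-expiry-duration` has the same gap. Assuming the charm parses it like a Go duration, adding `Accepts a Go duration string such as 6h or 30m.` to the description would close that, and a closing sentence such as `A longer expiry means a leaked or unrevoked session token stays usable for longer.` gives the operator the trade-off the default embodies. The `options:` block starts and ends outside the hunk.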
