Remove Auth0

Author: bxdavies

Dockerfile

@@ -0,0 +1,5 @@
+FROM quay.io/keycloak/keycloak:latest
+
+ENV KC_DB=postgres
+
+RUN /opt/keycloak/bin/kc.sh build

docker-compose.sample.yml

@@ -5,58 +5,31 @@ services:
     image: ghcr.io/lighthousenotes/server:latest
     container_name: lighthousenotes-server
     links:
-      - database
+      - postgresql
       - meilisearch
       - redis
-    volumes:
-      - ./BlinkBinaries:/app/BlinkBinaries
     environment:
     - AllowedHosts=*
-    - Auth0__DOMAIN=example.auth0.com
-    - Auth0__Audience=https://api.example.com
-    - ConnectionStrings__Database=Host=database;Database=lighthousenotes;Username=lighthousenotes;Password=CHANGEME
+    - Authentication__Authority=https://idp.example.com/realms/master
+    - Authentication__Audience=account
+    - ConnectionStrings__Database=Host=postgresql;Database=lighthousenotes;Username=lighthousenotes;Password=CHANGEME
     - ConnectionStrings__Redis=redis
     - Logging__LogLevel__Default=Warning
     - Logging__LogLevel__Microsoft.AspNetCore=Warning
     - Logging__LogLevel__Microsoft.Hosting.Lifetime=Warning
     - Sqids__MinLength=10
     - Sqids__Alphabet=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
-    - Syncfusion__LicenseKey=CHANGEME
+    - Minio__Endpoint=s3.example.com
+    - Minio__BucketName=lighthousenotes 
+    - Minio__NetworkEncryption=true
+    - Minio__AccessKey=CHAGEME
+    - Minio__SecretKey=CHAGEME
+    - Meilisearch__Url=http://meilisearch:7700
+    - Meilisearch__Key=CHAGEME
     - Urls=http://server:6000
     - WebApp=https://app.example.com
     restart: unless-stopped
 
-  # Lighthouse Notes Web - Blazor web app for Lighthouse Notes
-  web:
-    image: ghcr.io/lighthousenotes/web:latest
-    container_name: lighthousenotes-web
-    links:
-      - redis
-    volumes:
-      - ./lighthousenotes.pfx:/lighthousenotes.pfx
-    environment:
-    - AllowedHosts=*
-    - ASPNETCORE_Kestrel__Certificates__Default__Path=/lighthousenotes.pfx
-    - ASPNETCORE_Kestrel__Certificates__Default__Password=CHANGEME
-    - Auth0__DOMAIN=example.auth0.com
-    - Auth0__Auth__Audience=https://api.example.com
-    - Auth0__Auth__ClientId=CHANGEME
-    - Auth0__Auth__ClientSecret=CHANGEME
-    - Auth0__Management__Audience=https://api.example.com
-    - Auth0__Management__ClientId=CHANGEME
-    - Auth0__Management__ClientSecret=CHANGEME
-    - Auth0__Roles__user=CHANGEME
-    - Auth0__Roles__sio=CHANGEME
-    - Auth0__Roles__organization-administrator=CHANGEME
-    - Auth0__ConnectionId=CHANGEME
-    - ConnectionStrings__Redis=redis
-    - Syncfusion__LicenseKey=CHANGEME
-    - Logging__LogLevel__Default=Warning
-    - Logging__LogLevel__Microsoft.AspNetCore=Warning
-    - Urls=https://web:5000
-    - LighthouseNotesApiUrl=https://api.example.com
-    restart: unless-stopped
-
   #  Secure Web Application Gateway - Nginx & Let's Encrypt
   swag:
     image: lscr.io/linuxserver/swag:latest
@@ -72,26 +45,42 @@ services:
       - TZ=Europe/London
       - URL=example.com
       - VALIDATION=http
-      - SUBDOMAINS=app,api,s3
+      - SUBDOMAINS=api,idp,s3
       - ONLY_SUBDOMAINS=true
     volumes:
-      - ./swag:/config
+      - ./data/swag:/config
     ports:
       - 443:443
       - 80:80
     restart: unless-stopped
 
+  # Keycloak - Open Source Identity and Access Management For Modern Applications and Services 
+  keycloak:
+    build:
+      dockerfile: ./Dockerfile
+    container_name: keycloak
+    depends_on:
+      - postgresql
+    environment:
+      - KC_DB=postgres
+      - KC_DB_URL=jdbc:postgresql://postgresql/keycloak
+      - KC_DB_USER=keycloak
+      - KC_DB_PASSWORD=CHANGEME
+      - KEYCLOAK_ADMIN=admin
+      - KEYCLOAK_ADMIN_PASSWORD=CHANGEME
+      - KC_HOSTNAME=example.com
+      - KC_PROXY_HEADERS=xforwarded
+    command: start --optimized
+    restart: unless-stopped
+  
   # PostgreSQL Database - Open-source relational database
-  database:
-    image: postgres:14
-    container_name: database
+  postgresql:
+    image: postgres
+    container_name: postgresql
     volumes:
       - ./postgres:/var/lib/postgresql/data
       - ./init.sql:/docker-entrypoint-initdb.d/init.sql
     environment:
-      - POSTGRES_DB=lighthousenotes
-      - POSTGRES_USER=lighthousenotes
-      - POSTGRES_PASSWORD=CHANGEME
       - POSTGRES_ROOT_PASSWORD=CHANGEME
     restart: unless-stopped
 
@@ -103,11 +92,11 @@ services:
       - 9000:9000
       - 9001:9001
     volumes:
-      -  ./minio:/data
-      - ./swag/etc/letsencrypt/live/app.example.com/fullchain.pem:/root/.minio/certs/public.crt
-      - ./swag/etc/letsencrypt/live/app.example.com/privkey.pem:/root/.minio/certs/private.key
-      - ./swag/etc/letsencrypt/live/app.example.com/fullchain.pem:/root/.minio/certs/CAs/public.crt
-      - ./swag/etc/letsencrypt/live/app.example.com/privkey.pem:/root/.minio/certs/CAs/private.key
+      - ./data/minio:/data
+      - ./data/swag/etc/letsencrypt/live/idp.example.com/fullchain.pem:/root/.minio/certs/public.crt
+      - ./data/swag/etc/letsencrypt/live/idp.example.com/privkey.pem:/root/.minio/certs/private.key
+      - ./data/swag/etc/letsencrypt/live/idp.example.com/fullchain.pem:/root/.minio/certs/CAs/public.crt
+      - ./data/swag/etc/letsencrypt/live/idp.example.com/privkey.pem:/root/.minio/certs/CAs/private.key
     environment:
       - MINIO_SERVER_URL=https://s3.example.com:9000
       - MINIO_ROOT_USER=minio
@@ -120,7 +109,7 @@ services:
     image: redis
     container_name: redis
     volumes:
-      -  ./redis:/data
+      -  ./data/redis:/data
     command: ["redis-server"]
     healthcheck:
       test: ["CMD", "redis-cli", "ping"]
@@ -136,5 +125,5 @@ services:
     environment:
       - MEILI_MASTER_KEY=CHANGEME
     volumes:
-      - ./data.ms:/data.ms
+      - ./data/meilisearch:/data.ms
     restart: unless-stopped

gen.py

@@ -52,70 +52,36 @@ def shuffled_alphabet():
 ###############
 # User inputs #
 ###############
-print("\nPlease enter the requested data at each prompt and press enter.\n")
+print("Please enter the requested data at each prompt and press enter.\n")
 
 root_domain = input(f"Root domain (e.g., {COLOR_BLUE}example.com{COLOR_END}): ")
 
-auth0_domain = input(f"Auth0 Domain (e.g., {COLOR_BLUE}example.auth0.com{COLOR_END}): ")
-auth0_audience = input(f"Auth0 Audience (e.g., {COLOR_BLUE}https://api.example.com{COLOR_END}): ")
+#############
+# Generated #
+#############
+# Database
+api_database_password = secrets.token_urlsafe(14)
+keycloak_database_password = secrets.token_urlsafe(14)
 
-syncfusion_license_key = input (f"Syncfusion License Key {COLOR_YELLOW}(Get from: https://www.syncfusion.com/account/downloads){COLOR_END}: ")
-
-certificate_password = getpass(f"Certificate Password {COLOR_GREEN}(input will not show){COLOR_END}: ")
-
-database_password = secrets.token_urlsafe(14)
+# Meilisearch
+meilisearch_master_key = secrets.token_urlsafe(42)  
 
 ##########
 # Server #
 ##########
-# Auth0
-compose["services"]["server"]["environment"]["Auth0__DOMAIN"] = auth0_domain
-compose["services"]["server"]["environment"]["Auth0__Audience"] = auth0_audience
+# Authentication
+compose["services"]["server"]["environment"]["Authentication__Authority"] = f"https://idp.{root_domain}"
 
 # Connection string
-compose["services"]["server"]["environment"]["ConnectionStrings__Database"] = f"Host=database;Database=lighthousenotes;Username=lighthousenotes;Password={database_password}"
+compose["services"]["server"]["environment"]["ConnectionStrings__Database"] = f"Host=postgresql;Database=lighthousenotes;Username=lighthousenotes;Password={api_database_password}"
 
 # Sqids
 compose["services"]["server"]["environment"]["Sqids__Alphabet"] = shuffled_alphabet() 
 
-# Syncfusion
-compose["services"]["server"]["environment"]["Syncfusion__LicenseKey"] = syncfusion_license_key
-
-# Web app
-compose["services"]["server"]["environment"]["WebApp"] = f"https://app.{root_domain}" 
-
-#######
-# Web #
-#######
-# Certificate
-compose["services"]["web"]["environment"]["ASPNETCORE_Kestrel__Certificates__Default__Password"] = certificate_password
-
-# Auth0
-compose["services"]["web"]["environment"]["Auth0__DOMAIN"] = auth0_domain
-
-# Auth0 Authentication
-compose["services"]["web"]["environment"]["Auth0__Auth__Audience"] = auth0_audience
-compose["services"]["web"]["environment"]["Auth0__Auth__ClientId"] = input(f"Authentication client ID  {COLOR_YELLOW}(Dashboard > Applications > Applications > Lighthouse Notes){COLOR_END}: ")
-compose["services"]["web"]["environment"]["Auth0__Auth__ClientSecret"] = input(f"Authentication client secret {COLOR_YELLOW}(Dashboard > Applications > Applications > Lighthouse Notes){COLOR_END}: ")
-
-# Auth0 Management
-compose["services"]["web"]["environment"]["Auth0__Management__Audience"] = auth0_audience
-compose["services"]["web"]["environment"]["Auth0__Management__ClientId"] = input(f"Management client ID {COLOR_YELLOW}(Dashboard > Applications > Applications > Lighthouse Notes M2M){COLOR_END}: ")
-compose["services"]["web"]["environment"]["Auth0__Management__ClientSecret"] =  input(f"Management client secret {COLOR_YELLOW}(Dashboard > Applications > Applications > Lighthouse Notes M2M){COLOR_END}: ")
-
-# Auth0 Role IDs
-compose["services"]["web"]["environment"]["Auth0__Roles__user"] = input(f"User role ID {COLOR_YELLOW}(Dashboard > User Management > Roles > user){COLOR_END}: ")
-compose["services"]["web"]["environment"]["Auth0__Roles__sio"] = input(f"SIO role ID {COLOR_YELLOW}(Dashboard > User Management > Roles > sio){COLOR_END}: ")
-compose["services"]["web"]["environment"]["Auth0__Roles__organization-administrator"] = input(f"Organization-administrator role ID {COLOR_YELLOW}(Dashboard > User Management > Roles > organization-administrator){COLOR_END}: ")
-
-# Auth0 Connection ID
-compose["services"]["web"]["environment"]["Auth0__ConnectionId"] = input(f"Connection ID {COLOR_YELLOW}(Dashboard > Authentication > Database > Username-Password-Authentication){COLOR_END}: ")
-
-# Syncfusion
-compose["services"]["web"]["environment"]["Syncfusion__LicenseKey"] = syncfusion_license_key
+# Minio
+compose["services"]["server"]["environment"]["Minio__Endpoint"] = f"https://s3.{root_domain}"
+compose["services"]["server"]["environment"]["Meilisearch__Key"] = meilisearch_master_key
 
-# API Url
-compose["services"]["web"]["environment"]["LighthouseNotesApiUrl"] = f"https://api.{root_domain}"
 
 ########
 # SWAG #
@@ -125,17 +91,23 @@ def shuffled_alphabet():
 ############
 # Postgres #
 ############
-compose["services"]["database"]["environment"]["POSTGRES_PASSWORD"] = database_password
 compose["services"]["database"]["environment"]["POSTGRES_ROOT_PASSWORD"] = secrets.token_urlsafe(14)
 
+############
+# Keycloak #
+############
+compose["services"]["keycloak"]["environment"]["KC_DB_PASSWORD"] = keycloak_database_password
+compose["services"]["keyclaok"]["environment"]["KC_HOSTNAME"] = f"https://idp.{root_domain}"
+compose["services"]["keyclaok"]["environment"]["KEYCLOAK_ADMIN"] = getpass(f"Keycloak admin password {COLOR_GREEN}(input will not show){COLOR_END}: ")
+
 #########
 # Minio #
 #########
 # Certificate volumes
-compose["services"]["minio"]["volumes"][1] = f"./swag/etc/letsencrypt/live/app.{root_domain}/fullchain.pem:/root/.minio/certs/public.crt"
-compose["services"]["minio"]["volumes"][2] = f"./swag/etc/letsencrypt/live/app.{root_domain}/privkey.pem:/root/.minio/certs/private.key"
-compose["services"]["minio"]["volumes"][3] = f"./swag/etc/letsencrypt/live/app.{root_domain}/fullchain.pem:/root/.minio/certs/CAs/public.crt"
-compose["services"]["minio"]["volumes"][4] = f"./swag/etc/letsencrypt/live/app.{root_domain}/privkey.pem:/root/.minio/certs/CAs/private.key"
+compose["services"]["minio"]["volumes"][1] = f"./data/swag/etc/letsencrypt/live/api.{root_domain}/fullchain.pem:/root/.minio/certs/public.crt"
+compose["services"]["minio"]["volumes"][2] = f"./data/swag/etc/letsencrypt/live/api.{root_domain}/privkey.pem:/root/.minio/certs/private.key"
+compose["services"]["minio"]["volumes"][3] = f"./data/swag/etc/letsencrypt/live/api.{root_domain}/fullchain.pem:/root/.minio/certs/CAs/public.crt"
+compose["services"]["minio"]["volumes"][4] = f"./data/swag/etc/letsencrypt/live/api.{root_domain}/privkey.pem:/root/.minio/certs/CAs/private.key"
 
 
 compose["services"]["minio"]["environment"]["MINIO_SERVER_URL"] = f"https://s3.{root_domain}"
@@ -144,7 +116,6 @@ def shuffled_alphabet():
 ###############
 # Meilisearch #
 ###############
-meilisearch_master_key = secrets.token_urlsafe(42)  
 compose["services"]["meilisearch"]["environment"]["MEILI_MASTER_KEY"] = meilisearch_master_key
 
 ###############################
@@ -181,58 +152,41 @@ def shuffled_alphabet():
     api_site_config.write(data)
     api_site_config.truncate()
 
-
-shutil.move(f'site-confs/app.example.com.conf', f'site-confs/app.{root_domain}.conf')
-with open(f'site-confs/app.{root_domain}.conf', 'r+') as app_site_config:
-    data = app_site_config.read()
-    app_site_config.seek(0)
+shutil.move(f'site-confs/idp.example.com.conf', f'site-confs/idp.{root_domain}.conf')
+with open(f'site-confs/idp.{root_domain}.conf', 'r+') as api_site_config:
+    data = api_site_config.read()
+    api_site_config.seek(0)
     data = data.replace('example.com', root_domain)
-    app_site_config.write(data)
-    app_site_config.truncate()
-
+    api_site_config.write(data)
+    api_site_config.truncate()
 
 #######
 # SQL #
 #######
-print("\nPlease enter the requested data at each prompt and press enter.")
-print("This information will be used to generate the SQL file which seeds the database.\n")
-# Organization
-organization_id = input(f"Organization ID {COLOR_YELLOW}(Dashboard > Organizations){COLOR_END}: ")
-organization_name = input(f"Organization Name {COLOR_YELLOW}(Dashboard > Organizations){COLOR_END}: ")
-organization_display_name = input(f"Organization Display Name {COLOR_YELLOW}(Dashboard > Organizations){COLOR_END}: ")
-
-organization_sql = f"INSERT INTO \"Organization\" (\"Id\", \"Name\", \"DisplayName\", \"Created\", \"Modified\") VALUES ('{organization_id}', '{organization_name}', '{organization_display_name}', NOW(), NOW());"
-
-# User
-user_id = input(f"User ID {COLOR_YELLOW}(Dashboard > User Management > Your Name){COLOR_END}: " )
-job_title = input(f"Job Title {COLOR_GREEN}(Can be changed later){COLOR_END}: ") 
-given_name = input(f"Given Name {COLOR_GREEN}(Can be changed later){COLOR_END}: ")
-last_name = input(f"Last Name {COLOR_GREEN}(Can be changed later){COLOR_END}: ")
-email_address = input(f"Email Address {COLOR_GREEN}(Can be changed later){COLOR_END}: ") # Double check this
-profile_picture = input(f"Profile Picture URL: {COLOR_YELLOW}(Dashboard > User Management > Your Name > Identity Provider Attributes){COLOR_END}: ")
-
-user_sql = f"INSERT INTO \"User\" (\"Auth0Id\", \"JobTitle\", \"DisplayName\", \"GivenName\", \"LastName\", \"EmailAddress\", \"ProfilePicture\", \"OrganizationId\", \"Created\", \"Modified\") VALUES ('{user_id}', '{job_title}', '{given_name} {last_name}', '{given_name}', '{last_name}', '{email_address}', '{profile_picture}', '{organization_id}', NOW(), NOW());\n"
-
-# User roles
-user_roles_sql = """
-INSERT INTO "Role" ("Name", "UserId", "Created", "Modified") VALUES ('organization administrator', 1, NOW(), NOW());
-INSERT INTO "Role" ("Name", "UserId", "Created", "Modified") VALUES ('sio', 1, NOW(), NOW());
-INSERT INTO "Role" ("Name", "UserId", "Created", "Modified") VALUES ('user', 1, NOW(), NOW());
+keycloak_create_sql = f"""
+create database keycloak;
+create user keycloak with encrypted password '{keycloak_database_password}';
+grant all privileges on database keycloak to keycloak;
+ALTER DATABASE keycloak OWNER TO keycloak;
 """
 
-# User settings
-user_settings_sql = "INSERT INTO \"UserSettings\" (\"UserId\", \"TimeZone\", \"DateFormat\", \"TimeFormat\", \"Locale\", \"Created\", \"Modified\") VALUES (1, 'GMT Standard Time', 'dddd dd MMMM yyyy', 'HH:mm:ss', 'en-GB', NOW(), NOW());\n"
 
-# Organization settings
-organization_settings_sql = f"INSERT INTO \"OrganizationSettings\" (\"OrganizationId\", \"S3Endpoint\", \"S3BucketName\", \"S3NetworkEncryption\", \"S3AccessKey\", \"S3SecretKey\", \"MeilisearchUrl\", \"MeilisearchApiKey\", \"Created\", \"Modified\") VALUES ('{organization_id}', 's3.{root_domain}:9000', 'lighthouse-notes', true, 'CHANGME', 'CHANGEME', 'http://meilisearch:7700', 'CHANGME', NOW(), NOW());\n"
+lighthousenotes_create_sql = f"""
+create database lighthousenotes;
+create user lighthousenotes with encrypted password '{api_database_password}';
+grant all privileges on database lighthousenotes to lighthousenotes;
+ALTER DATABASE lighthousenotes OWNER TO lighthousenotes;
+"""
+
+with open('sample.init.sql', 'r') as sql_file:
+    existing_content = sql_file.read()
 
-with open(f'init.sql', 'a') as sql_file:
-    sql_file.write(organization_sql)
-    sql_file.write(user_sql)
-    sql_file.write(user_roles_sql)
-    sql_file.write(user_settings_sql)
-    sql_file.write(organization_settings_sql)
+# Write new content followed by the existing content
+with open('init.sql', 'w') as sql_file:
+    sql_file.write(keycloak_create_sql)
+    sql_file.write(lighthousenotes_create_sql)
+    sql_file.write(existing_content)
 
 # Final
 print (f"Meilisearch API key is: {meilisearch_master_key}")
-print (f"\n{COLOR_GREEN}docker-compose.yml file, nginx configurations and initialization database script successfully created!{COLOR_END}\n")
+print (f"\n{COLOR_GREEN}docker-compose.yml file and NGINX configurations created!\n")