Example private data from backend (#10)

* add example auth-data to show in frontend

* reorganize routes to leverage templating feature

* organize routes into folders

* address comments

* fixup! address comments

* oathkeeper rules

* fixup! oathkeeper rules

* revert namespace changes

* auth.yml should be merge instead of resource

* add explanation for commenting out ingress

* add explanation on oathkeeper rules

* comments in overlay as a guide updating the rules

* default to private backend instead of public

* infra to create oathkeeper proxy rules for kratos

Author: davidcheung

templates/kubernetes/base/auth.yml

@@ -0,0 +1,49 @@
+## Backend public endpoint
+# pattern: http://<proxy>/<not [/.ory/kratos and /api]>
+# In example this is serves the infoPanel data, and the status endpoints that don't require user auth
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+  name: public-backend-endpoints
+spec:
+  upstream:
+    url: http://<% .Name %>.<% .Name %>
+    preserveHost: true
+  match:
+    # url: http://<backend_service_domain>/<(?!(api|\.ory\/kratos)).*>
+    methods:
+      - GET
+      - POST
+  authenticators:
+    - handler: noop
+  authorizer:
+    handler: allow
+  mutators:
+    - handler: noop
+---
+## Backend User-restricted endpoint
+# pattern: http://<proxy>//api
+# In example this is serves the /userInfo endpoint returning the user-session's info (user_id / email)
+# Note the authenticators is `cookie_session`,
+# oathkeeper will verify the validity of session then pass along user-id/email in the Request Header
+# these can be configured via infra's `oathkeeper-values.yml`
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+  name: authenticated-backend-endpoints
+spec:
+  upstream:
+    preserveHost: true
+    url: http://<% .Name %>.<% .Name %>
+  match:
+    # url: <backend_service_domain>/api/<.*>
+    methods:
+      - GET
+      - POST
+  authenticators:
+    - handler: cookie_session
+  authorizer:
+    handler: allow
+  mutators:
+    - handler: id_token
+    - handler: header

templates/kubernetes/base/kustomization.yml

@@ -5,6 +5,8 @@ resources:
 - deployment.yml
 - service.yml
 - cronjob.yml
+<%if eq (index .Params `userAuth`) "yes" %>- auth.yml
+<% end %>
 
 configMapGenerator:
 - name: <% .Name %>-config

templates/kubernetes/overlays/production/auth.yml

@@ -0,0 +1,25 @@
+## Backend public endpoint
+# pattern: http://<proxy>/status/*
+# In example this is serves the infoPanel data, and the status endpoints that don't require user auth
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+  name: public-backend-endpoints
+spec:
+  match:
+    url: http://<% index .Params `productionBackendSubdomain` %><% index .Params `productionHostRoot` %>/status/<.*>
+---
+## Backend User-restricted endpoint
+# pattern: http://<proxy>/<not [/.ory/kratos and /status]>
+# In example this is serves the /userInfo endpoint returning the user-session's info (user_id / email)
+# Note the authenticators is `cookie_session`,
+# oathkeeper will verify the validity of session then pass along user-id/email in the Request Header
+# these can be configured via infra's `oathkeeper-values.yml`
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+  name: authenticated-backend-endpoints
+spec:
+  match:
+    url: http://<% index .Params `productionBackendSubdomain` %><% index .Params `productionHostRoot` %>/<(?!(status|\.ory\/kratos)).*>
+

templates/kubernetes/overlays/production/kustomization.yml

@@ -3,10 +3,13 @@ kind: Kustomization
 
 patchesStrategicMerge:
 - deployment.yml
-
+<%if eq (index .Params `userAuth`) "yes" %>- auth.yml
+<% end %>
 resources:
 - ../../base
-- ingress.yml
+<%if eq (index .Params `userAuth`) "yes" %>## userAuth enabled - Oathkeeper proxies to backend instead of ingress
+# - ingress.yml
+<% else %>- ingress.yml<% end %>
 - pdb.yml
 
 configMapGenerator:

templates/kubernetes/overlays/staging/auth.yml

@@ -0,0 +1,24 @@
+## Backend public endpoint
+# pattern: http://<proxy>/status/*
+# In example this is serves the infoPanel data, and the status endpoints that don't require user auth
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+  name: public-backend-endpoints
+spec:
+  match:
+    url: http://<% index .Params `stagingBackendSubdomain` %><% index .Params `stagingHostRoot` %>/status/<.*>
+---
+## Backend User-restricted endpoint
+# pattern: http://<proxy>//api
+# In example this is serves the /userInfo endpoint returning the user-session's info (user_id / email)
+# Note the authenticators is `cookie_session`,
+# oathkeeper will verify the validity of session then pass along user-id/email in the Request Header
+# these can be configured via infra's `oathkeeper-values.yml`
+apiVersion: oathkeeper.ory.sh/v1alpha1
+kind: Rule
+metadata:
+  name: authenticated-backend-endpoints
+spec:
+  match:
+    url: http://<% index .Params `stagingBackendSubdomain` %><% index .Params `stagingHostRoot` %>/<(?!(status|\.ory\/kratos)).*>

templates/kubernetes/overlays/staging/kustomization.yml

@@ -3,10 +3,13 @@ kind: Kustomization
 
 patchesStrategicMerge:
 - deployment.yml
-
+<%if eq (index .Params `userAuth`) "yes" %>- auth.yml
+<% end %>
 resources:
 - ../../base
-- ingress.yml
+<%if eq (index .Params `userAuth`) "yes" %>## userAuth enabled - Oathkeeper proxies to backend instead of ingress
+# - ingress.yml
+<% else %>- ingress.yml<% end %>
 
 configMapGenerator:
 - name: <% .Name %>-config

templates/src/app.js

@@ -1,63 +1,20 @@
-var aws = require("aws-sdk");
-var cfsign = require("aws-cloudfront-sign");
+var dotenv = require("dotenv");
 var express = require("express");
 var morgan = require("morgan");
 
 var { connect } = require("./db");
-
+const statusRoutes = require("./app/status");
+<%if eq (index .Params `fileUploads`) "yes" %>const fileRoutes = require("./app/file");
+<% end %><%if eq (index .Params `userAuth`) "yes" %>const authRoutes = require("./app/auth");
+<% end %>
+dotenv.config();
 var app = express();
 app.use(morgan("combined"));
-var s3 = new aws.S3();
-
-app.get("/presigned/:key", (req, res) => {
-  var params = {
-    Bucket: process.env.S3_BUCKET,
-    Fields: {
-      key: req.params.key,
-    },
-  };
-
-  s3.createPresignedPost(params, (err, data) => {
-    if (err) {
-      console.error(err);
-      res.sendStatus(500);
-    } else {
-      console.log(data);
-      res.send(data);
-    }
-  });
-});
-
-app.get("/:key", (req, res) => {
-  var params = {
-    keypairId: process.env.CF_KEYPAIR_ID,
-    privateKeyString: process.env.CF_KEYPAIR_SECRET_KEY,
-    expireTime: new Date().getTime() + 30000, // defaults to 30s
-  };
-
-  var url = cfsign.getSignedUrl(
-    `https://files.${process.env.DOMAIN}/${req.params.key}`,
-    params
-  );
-
-  console.log(url);
-  res.redirect(url);
-});
-
-app.get("/status/ready", (req, res) => {
-  res.send("OK");
-});
-
-app.get("/status/alive", (req, res) => {
-  res.send("OK");
-});
-
-app.get("/status/about", (req, res) => {
-  res.send({
-    podName: process.env.POD_NAME,
-  });
-});
 
+app.use("/status", statusRoutes);
+<%if eq (index .Params `userAuth`) "yes" %>app.use("/auth", authRoutes);
+<% end %><%if eq (index .Params `fileUploads`) "yes" %>app.use("/file", fileRoutes);
+<% end %>
 var port = process.env.SERVER_PORT;
 if (!port) {
   port = 3000;

templates/src/app/auth/index.js

@@ -0,0 +1,11 @@
+var { Router } = require("express");
+
+var { authMiddleware } = require("../../middleware/auth");
+
+var router = Router()
+
+router.get("/userInfo", authMiddleware, (req, res) => {
+  res.json(req.user);
+});
+
+module.exports = router;

templates/src/app/file/index.js

@@ -0,0 +1,43 @@
+var { Router } = require("express");
+var aws = require("aws-sdk");
+var cfsign = require("aws-cloudfront-sign");
+
+var router = Router()
+var s3 = new aws.S3();
+
+router.get("/presigned/:key", (req, res) => {
+  var params = {
+    Bucket: process.env.S3_BUCKET,
+    Fields: {
+      key: req.params.key,
+    },
+  };
+
+  s3.createPresignedPost(params, (err, data) => {
+    if (err) {
+      console.error(err);
+      res.sendStatus(500);
+    } else {
+      console.log(data);
+      res.send(data);
+    }
+  });
+});
+
+router.get("/:key", (req, res) => {
+  var params = {
+    keypairId: process.env.CF_KEYPAIR_ID,
+    privateKeyString: process.env.CF_KEYPAIR_SECRET_KEY,
+    expireTime: new Date().getTime() + 30000, // defaults to 30s
+  };
+
+  var url = cfsign.getSignedUrl(
+    `https://files.${process.env.DOMAIN}/${req.params.key}`,
+    params
+  );
+
+  console.log(url);
+  res.redirect(url);
+});
+
+module.exports = router;

templates/src/app/status/index.js

@@ -0,0 +1,19 @@
+var { Router } = require("express");
+
+var router = Router()
+
+router.get("/ready", (req, res) => {
+  res.send("OK");
+});
+
+router.get("/alive", (req, res) => {
+  res.send("OK");
+});
+
+router.get("/about", (req, res) => {
+  res.send({
+    podName: process.env.POD_NAME,
+  });
+});
+
+module.exports = router;