uwcirg · ivan-c · Feb 16, 2023 · Feb 16, 2023 · Feb 16, 2023 · Feb 16, 2023
diff --git a/dev/auth-proxy.env.default b/dev/auth-proxy.env.default
@@ -0,0 +1,14 @@
+# Example docker-compose environment file
+# Copy to auth-proxy.env and modify as necessary
+# https://docs.docker.com/compose/env-file/
+
+# Variables defined in this file will only be available to containers/images
+# ie not for interpolation in docker-compose YAML files
+
+# OAUTH2_PROXY_PROVIDER_DISPLAY_NAME=
+
+# must match __KEYCLOAK_FEMR_REALM_LOGSERVER_OPENID_CLIENT_SECRET
+OAUTH2_PROXY_CLIENT_SECRET=
+
+# generate via: python3 -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'
+OAUTH2_PROXY_COOKIE_SECRET=
diff --git a/dev/docker-compose.yaml b/dev/docker-compose.yaml
@@ -220,15 +220,93 @@ services:
       - ingress
       - internal
 
+####
+  auth-proxy:
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.3.0
+    environment:
+      # service settings
+      OAUTH2_PROXY_HTTP_ADDRESS: 0.0.0.0:4180
+      OAUTH2_PROXY_REVERSE_PROXY: "true"
+      OAUTH2_PROXY_SET_XAUTHREQUEST: "true"
+      OAUTH2_PROXY_SET_AUTHORIZATION_HEADER: "true"
+      OAUTH2_PROXY_PASS_AUTHORIZATION_HEADER: "true"
+      OAUTH2_PROXY_PASS_USER_HEADERS: "true"
+      OAUTH2_PROXY_PASS_ACCESS_TOKEN: "true"
+      # allow validation of JWTs in Authorization HTTP header
+      # https://medium.com/in-the-weeds/service-to-service-authentication-on-kubernetes-94dcb8216cdc#20d0
+      OAUTH2_PROXY_SKIP_JWT_BEARER_TOKENS: "true"
+
+      # when authenticated, return a static 202 response
+      # https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview/#forwardauth-with-static-upstreams-configuration
+      OAUTH2_PROXY_UPSTREAMS: static://202
+
+      # general cookie settings
+      OAUTH2_PROXY_EMAIL_DOMAINS: "*"
+      OAUTH2_PROXY_COOKIE_EXPIRE: 30m
+      OAUTH2_PROXY_COOKIE_REFRESH: 1m
+      OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL: "true"
+      # base session cookie on Keycloak username (email not always set in Keycloak)
+      OAUTH2_PROXY_USER_ID_CLAIM: preferred_username
+
+      # OIDC integration settings
+      OAUTH2_PROXY_PROVIDER: oidc
+      OAUTH2_PROXY_CLIENT_ID: logserver_openid_client
+      OAUTH2_PROXY_SCOPE: openid profile email
+      OAUTH2_PROXY_OIDC_ISSUER_URL: https://keycloak.${BASE_DOMAIN:-localtest.me}/auth/realms/fEMR
+
+      # security settings
+      OAUTH2_PROXY_COOKIE_DOMAINS: .${BASE_DOMAIN:-localtest.me}
+      OAUTH2_PROXY_WHITELIST_DOMAINS: .${BASE_DOMAIN:-localtest.me}
+    env_file:
+      - auth-proxy.env
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.auth-proxy-${COMPOSE_PROJECT_NAME}.rule=Host(`auth-proxy.${BASE_DOMAIN:-localtest.me}`) || PathPrefix(`/oauth2`)
+      - traefik.http.routers.auth-proxy-${COMPOSE_PROJECT_NAME}.entrypoints=websecure
+      - traefik.http.routers.auth-proxy-${COMPOSE_PROJECT_NAME}.tls=true
+      - traefik.http.routers.auth-proxy-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt
+
+      # oauth2-proxy does not EXPOSE the ports it listens on, requiring explicit traefik configuration
+      - traefik.http.services.auth-proxy-${COMPOSE_PROJECT_NAME}.loadbalancer.server.port=4180
+
+      - traefik.http.middlewares.oidc-auth-${COMPOSE_PROJECT_NAME}.forwardAuth.address=http://auth-proxy-${COMPOSE_PROJECT_NAME}:4180/
+      - traefik.http.middlewares.oidc-auth-${COMPOSE_PROJECT_NAME}.forwardAuth.trustForwardHeader=true
+      - traefik.http.middlewares.oidc-auth-${COMPOSE_PROJECT_NAME}.forwardAuth.authResponseHeaders=X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Access-Token,Authorization
+    networks:
+      ingress:
+        aliases:
+          - auth-proxy-${COMPOSE_PROJECT_NAME}
+      internal:
+
+  whoami:
+    image: containous/whoami
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.whoami-${COMPOSE_PROJECT_NAME}.rule=Host(`whoami.${BASE_DOMAIN:-localtest.me}`)
+      - traefik.http.routers.whoami-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME}
+      - traefik.http.routers.whoami-${COMPOSE_PROJECT_NAME}.entrypoints=websecure
+      - traefik.http.routers.whoami-${COMPOSE_PROJECT_NAME}.tls=true
+      - traefik.http.routers.whoami-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt
+    networks:
+      ingress:
+      internal:
+###
 
   logs:
     image: postgrest/postgrest
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.logs-${COMPOSE_PROJECT_NAME}.rule=Host(`logs.${BASE_DOMAIN:-localtest.me}`)"
+      # chain postgrest-specifc middleware, after oidc-auth
+      - traefik.http.routers.logs-${COMPOSE_PROJECT_NAME}.middlewares=oidc-auth-${COMPOSE_PROJECT_NAME},remove-authz-header
       - "traefik.http.routers.logs-${COMPOSE_PROJECT_NAME}.entrypoints=websecure"
       - "traefik.http.routers.logs-${COMPOSE_PROJECT_NAME}.tls=true"
       - "traefik.http.routers.logs-${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt"
+
+      # unset Authorization header on all requests to postgrest
+      # postgrest implements its own auth which conflicts with oauth2-proxy
+      - traefik.http.middlewares.remove-authz-header.headers.customrequestheaders.Authorization=
+
     environment:
       PGRST_DB_URI: postgres://postgres:postgres@db:5432/app_db
       PGRST_DB_SCHEMA: api