Merge branch 'main' into feat/limit-offset-svc

Author: jakedoublev

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,12 @@
+### Proposed Changes
+
+*
+
+### Checklist
+
+- [ ] I have added or updated unit tests
+- [ ] I have added or updated integration tests (if appropriate)
+- [ ] I have added or updated documentation
+
+### Testing Instructions
+

.github/workflows/checks.yaml

@@ -90,6 +90,8 @@ jobs:
   integration:
     name: integration tests
     runs-on: ubuntu-22.04
+    env:
+      TLS_ENABLED: "true"
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7
@@ -105,9 +107,18 @@ jobs:
         run: ./.github/scripts/work-init.sh
       - run: go mod download
       - run: go mod verify
+      - name: Install mkcert
+        run: |
+          sudo apt-get install -y libnss3-tools
+          curl -JLO "https://dl.filippo.io/mkcert/latest?for=linux/amd64"
+          chmod +x mkcert-v*-linux-amd64
+          sudo cp mkcert-v*-linux-amd64 /usr/local/bin/mkcert
       - run: |
           .github/scripts/init-temp-keys.sh
+          mkcert -install
+          mkcert -cert-file ./keys/platform.crt -key-file ./keys/platform-key.pem localhost
           cp opentdf-dev.yaml opentdf.yaml
+          yq eval '.server.tls.enabled = true' -i opentdf.yaml
       - name: Added Trusted Certs
         run: |
           sudo chmod -R 777 ./keys

.release-please-manifest.json

@@ -1,8 +1,8 @@
 {
-  "lib/fixtures": "0.2.7",
-  "lib/ocrypto": "0.1.6",
-  "lib/flattening": "0.1.1",
-  "protocol/go": "0.2.20",
-  "sdk": "0.3.17",
-  "service": "0.4.26"
+  "lib/fixtures": "0.2.9",
+  "lib/ocrypto": "0.1.7",
+  "lib/flattening": "0.1.2",
+  "protocol/go": "0.2.22",
+  "sdk": "0.3.21",
+  "service": "0.4.29"
 }

docker-compose.yaml

@@ -8,7 +8,7 @@ services:
     - ./keys/localhost.key:/etc/x509/tls/localhost.key
     - ./keys/ca.jks:/truststore/truststore.jks
     # This is kc 24.0.1 with opentdf protocol mapper on board
-    image: cgr.dev/chainguard/keycloak@sha256:37895558d2e0e93ffff75da5900f9ae7e79ec6d1c390b18b2ecea6cee45ec26f
+    image: keycloak/keycloak:25.0
     restart: always
     command:
     - "start-dev"
@@ -32,6 +32,7 @@ services:
       KC_HTTP_ENABLED: "true"
       KC_HTTP_PORT: "8888"
       KC_HTTPS_PORT: "8443"
+      KC_HTTP_MANAGEMENT_PORT: "9001"
       KEYCLOAK_ADMIN: admin
       KEYCLOAK_ADMIN_PASSWORD: changeme
       #KC_HOSTNAME_URL: http://localhost:8888/auth
@@ -43,11 +44,29 @@ services:
       KC_HTTPS_CERTIFICATE_KEY_FILE: "/etc/x509/tls/localhost.key"
       KC_HTTPS_CLIENT_AUTH: "request"
     ports:
+      - "9001:9001"
       - "8888:8888"
       - "8443:8443"
     healthcheck:
-      test: ['CMD-SHELL', '[ -f /tmp/HealthCheck.java ] || echo "public class HealthCheck { public static void main(String[] args) throws java.lang.Throwable { System.exit(java.net.HttpURLConnection.HTTP_OK == ((java.net.HttpURLConnection)new java.net.URL(args[0]).openConnection()).getResponseCode() ? 0 : 1); } }" > /tmp/HealthCheck.java && java /tmp/HealthCheck.java http://localhost:8888/auth/health/live']
-      interval: 5s
+      test: 
+        - CMD-SHELL
+        - |
+          [ -f /tmp/HealthCheck.java ] || echo "public class HealthCheck { 
+            public static void main(String[] args) throws java.lang.Throwable { 
+              javax.net.ssl.HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true); 
+              javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext.getInstance(\"SSL\"); 
+              sc.init(null, new javax.net.ssl.TrustManager[]{ 
+                new javax.net.ssl.X509TrustManager() { 
+                  public java.security.cert.X509Certificate[] getAcceptedIssuers() { return null; } 
+                  public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) {} 
+                  public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) {} 
+                } 
+              }, new java.security.SecureRandom()); 
+              javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); 
+              java.net.HttpURLConnection conn = (java.net.HttpURLConnection)new java.net.URL(args[0]).openConnection(); 
+              System.exit(java.net.HttpURLConnection.HTTP_OK == conn.getResponseCode() ? 0 : 1); 
+            } 
+          }" > /tmp/HealthCheck.java && java /tmp/HealthCheck.java https://localhost:9001/auth/health/live      
       timeout: 10s
       retries: 3
       start_period: 2m

docs/configuration.md

@@ -274,19 +274,10 @@ server:
       map:
         standard: opentdf-standard
         admin: opentdf-admin
-        org-admin: opentdf-org-admin
 
       ## Custom policy (see examples https://github.com/casbin/casbin/tree/master/examples)
       csv: |
-        p, role:org-admin, policy:attributes, *, *, allow
-        p, role:org-admin, policy:subject-mappings, *, *, allow
-        p, role:org-admin, policy:resource-mappings, *, *, allow
-        p, role:org-admin, policy:kas-registry, *, *, allow
-        p, role:org-admin, policy:unsafe, *, *, allow
-        p, role:admin, policy:attributes, read, allow
-        p, role:admin, policy:subject-mappings, read, allow
-        p, role:admin, policy:resource-mappings, read, allow
-        p, role:admin, policy:kas-registry, read, allow
+        p, role:admin, *, *, allow
         p, role:standard, policy:attributes, read, allow
         p, role:standard, policy:subject-mappings, read, allow
         p, role:standard, policy:resource-mappings, read, allow