From 10f9ecc038e73a5ad846b2bd1eebab07b7e31200 Mon Sep 17 00:00:00 2001 From: Siarhei_Sialitski Date: Sun, 8 Jan 2023 11:24:08 +0100 Subject: [PATCH] Ingress and security --- deploy/k8s/helm/apigwms/envoy.yaml | 302 +++++++++-------- deploy/k8s/helm/apigwws/envoy.yaml | 308 ++++++++++-------- .../Identity.API/Configuration/Config.cs | 19 +- .../shared/services/security.service.ts | 24 +- 4 files changed, 355 insertions(+), 298 deletions(-) diff --git a/deploy/k8s/helm/apigwms/envoy.yaml b/deploy/k8s/helm/apigwms/envoy.yaml index 07deca932..01ac933bb 100644 --- a/deploy/k8s/helm/apigwms/envoy.yaml +++ b/deploy/k8s/helm/apigwms/envoy.yaml 
@@ -6,142 +6,168 @@ admin: port_value: 8001 static_resources: listeners: - - address: - socket_address: - address: 0.0.0.0 - port_value: 8080 - filter_chains: - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - codec_type: AUTO - route_config: - name: eshop_backend_route - virtual_hosts: - - name: eshop_backend - domains: - - ["*"] - routes: - - name: "c-short" - match: - prefix: "/c/" - route: - auto_host_rewrite: true - prefix_rewrite: "/catalog-api/" - cluster: catalog - - name: "c-long" - match: - prefix: "/catalog-api/" - route: - auto_host_rewrite: true - cluster: catalog - - name: "o-short" - match: - prefix: "/o/" - route: - auto_host_rewrite: true - prefix_rewrite: "/ordering-api/" - cluster: ordering - - name: "o-long" - match: - prefix: "/ordering-api/" - route: - auto_host_rewrite: true - cluster: ordering - - name: "h-long" - match: - prefix: "/hub/notificationhub" - route: - auto_host_rewrite: true - cluster: signalr-hub - timeout: 300s - - name: "b-short" - match: - prefix: "/b/" - route: - auto_host_rewrite: true - prefix_rewrite: "/basket-api/" - cluster: basket - - name: "b-long" - match: - prefix: "/basket-api/" - route: - auto_host_rewrite: true - cluster: basket - - name: "agg" - match: - prefix: "/" - route: - auto_host_rewrite: true - prefix_rewrite: "/" - cluster: shoppingagg - http_filters: - - name: envoy.filters.http.router + - address: + socket_address: + address: 0.0.0.0 + port_value: 8080 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: ingress_http + codec_type: AUTO + route_config: + name: eshop_backend_route + virtual_hosts: + - name: eshop_backend + domains: + - ["*"] + routes: + - 
name: "c-short" + match: + prefix: "/c/" + route: + auto_host_rewrite: true + prefix_rewrite: "/catalog-api/" + cluster: catalog + - name: "c-long" + match: + prefix: "/catalog-api/" + route: + auto_host_rewrite: true + cluster: catalog + - name: "cp-short" + match: + prefix: "/cp/" + route: + auto_host_rewrite: true + prefix_rewrite: "/coupon-api/" + cluster: coupon + - name: "cp-long" + match: + prefix: "/coupon-api/" + route: + auto_host_rewrite: true + cluster: coupon + - name: "o-short" + match: + prefix: "/o/" + route: + auto_host_rewrite: true + prefix_rewrite: "/ordering-api/" + cluster: ordering + - name: "o-long" + match: + prefix: "/ordering-api/" + route: + auto_host_rewrite: true + cluster: ordering + - name: "h-long" + match: + prefix: "/hub/notificationhub" + route: + auto_host_rewrite: true + cluster: signalr-hub + timeout: 300s + - name: "b-short" + match: + prefix: "/b/" + route: + auto_host_rewrite: true + prefix_rewrite: "/basket-api/" + cluster: basket + - name: "b-long" + match: + prefix: "/basket-api/" + route: + auto_host_rewrite: true + cluster: basket + - name: "agg" + match: + prefix: "/" + route: + auto_host_rewrite: true + prefix_rewrite: "/" + cluster: shoppingagg + http_filters: + - name: envoy.filters.http.router clusters: - - name: shoppingagg - connect_timeout: 0.25s - type: strict_dns - lb_policy: round_robin - load_assignment: - cluster_name: shoppingagg - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: webshoppingagg - port_value: 80 - - name: catalog - connect_timeout: 0.25s - type: strict_dns - lb_policy: round_robin - load_assignment: - cluster_name: catalog - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: catalog-api - port_value: 80 - - name: basket - connect_timeout: 0.25s - type: strict_dns - lb_policy: round_robin - load_assignment: - cluster_name: basket - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: basket-api - 
port_value: 80 - - name: ordering - connect_timeout: 0.25s - type: strict_dns - lb_policy: round_robin - load_assignment: - cluster_name: ordering - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: ordering-api - port_value: 80 - - name: signalr-hub - connect_timeout: 0.25s - type: strict_dns - lb_policy: round_robin - load_assignment: - cluster_name: signalr-hub - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: ordering-signalrhub - port_value: 80 + - name: shoppingagg + connect_timeout: 0.25s + type: strict_dns + lb_policy: round_robin + load_assignment: + cluster_name: shoppingagg + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: webshoppingagg + port_value: 80 + - name: catalog + connect_timeout: 0.25s + type: strict_dns + lb_policy: round_robin + load_assignment: + cluster_name: catalog + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: catalog-api + port_value: 80 + - name: coupon + connect_timeout: 0.25s + type: strict_dns + lb_policy: round_robin + load_assignment: + cluster_name: coupon + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: coupon-api + port_value: 80 + - name: basket + connect_timeout: 0.25s + type: strict_dns + lb_policy: round_robin + load_assignment: + cluster_name: basket + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: basket-api + port_value: 80 + - name: ordering + connect_timeout: 0.25s + type: strict_dns + lb_policy: round_robin + load_assignment: + cluster_name: ordering + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: ordering-api + port_value: 80 + - name: signalr-hub + connect_timeout: 0.25s + type: strict_dns + lb_policy: round_robin + load_assignment: + cluster_name: signalr-hub + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: ordering-signalrhub + 
port_value: 80 diff --git a/deploy/k8s/helm/apigwws/envoy.yaml b/deploy/k8s/helm/apigwws/envoy.yaml index 939649e60..068369222 100644 --- a/deploy/k8s/helm/apigwws/envoy.yaml +++ b/deploy/k8s/helm/apigwws/envoy.yaml 
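Review bot: The new `cp-short`/`cp-long` routes expose coupon-api through this gateway, but the listener's `http_filters` still holds only `envoy.filters.http.router`, so nothing at this layer authenticates the request and the `coupon` scope the commit adds in Identity.API is only meaningful if coupon-api validates the bearer token (audience/scope `coupon`) itself — that service is not visible here, so please confirm it carries the same `[Authorize]` policy as the other APIs. If gateway-level enforcement is wanted instead, an `envoy.filters.http.jwt_authn` filter placed before the router, with a provider pointing at the Identity service's JWKS and rules for the `/cp/` and `/coupon-api/` prefixes, is the Envoy-native way to do it. Most of this hunk is a re-indentation of unchanged lines; separating the whitespace change from the coupon addition would leave a diff in which the security-relevant lines are visible at a glance.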
@@ -6,145 +6,171 @@ admin: port_value: 8001 static_resources: listeners: - - address: - socket_address: - address: 0.0.0.0 - port_value: 8080 - filter_chains: - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: ingress_http - codec_type: AUTO - route_config: - name: eshop_backend_route - virtual_hosts: - - name: eshop_backend - domains: - - ["*"] - routes: - - name: "c-short" - match: - prefix: "/c/" - route: - auto_host_rewrite: true - prefix_rewrite: "/catalog-api/" - cluster: catalog - - name: "c-long" - match: - prefix: "/catalog-api/" - route: - auto_host_rewrite: true - cluster: catalog - - name: "o-short" - match: - prefix: "/o/" - route: - auto_host_rewrite: true - prefix_rewrite: "/ordering-api/" - cluster: ordering - - name: "o-long" - match: - prefix: "/ordering-api/" - route: - auto_host_rewrite: true - cluster: ordering - - name: "h-long" - match: - prefix: "/hub/notificationhub" - route: - auto_host_rewrite: true - cluster: signalr-hub - timeout: 300s - upgrade_configs: - upgrade_type: "websocket" - enabled: true - - name: "b-short" - match: - prefix: "/b/" - route: - auto_host_rewrite: true - prefix_rewrite: "/basket-api/" - cluster: basket - - name: "b-long" - match: - prefix: "/basket-api/" - route: - auto_host_rewrite: true - cluster: basket - - name: "agg" - match: - prefix: "/" - route: - auto_host_rewrite: true - prefix_rewrite: "/" - cluster: shoppingagg - http_filters: - - name: envoy.filters.http.router + - address: + socket_address: + address: 0.0.0.0 + port_value: 8080 + filter_chains: + - filters: + - name: envoy.filters.network.http_connection_manager + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: ingress_http + codec_type: AUTO + route_config: + name: eshop_backend_route + 
virtual_hosts: + - name: eshop_backend + domains: + - ["*"] + routes: + - name: "c-short" + match: + prefix: "/c/" + route: + auto_host_rewrite: true + prefix_rewrite: "/catalog-api/" + cluster: catalog + - name: "c-long" + match: + prefix: "/catalog-api/" + route: + auto_host_rewrite: true + cluster: catalog + - name: "cp-short" + match: + prefix: "/cp/" + route: + auto_host_rewrite: true + prefix_rewrite: "/coupon-api/" + cluster: coupon + - name: "cp-long" + match: + prefix: "/coupon-api/" + route: + auto_host_rewrite: true + cluster: coupon + - name: "o-short" + match: + prefix: "/o/" + route: + auto_host_rewrite: true + prefix_rewrite: "/ordering-api/" + cluster: ordering + - name: "o-long" + match: + prefix: "/ordering-api/" + route: + auto_host_rewrite: true + cluster: ordering + - name: "h-long" + match: + prefix: "/hub/notificationhub" + route: + auto_host_rewrite: true + cluster: signalr-hub + timeout: 300s + upgrade_configs: + upgrade_type: "websocket" + enabled: true + - name: "b-short" + match: + prefix: "/b/" + route: + auto_host_rewrite: true + prefix_rewrite: "/basket-api/" + cluster: basket + - name: "b-long" + match: + prefix: "/basket-api/" + route: + auto_host_rewrite: true + cluster: basket + - name: "agg" + match: + prefix: "/" + route: + auto_host_rewrite: true + prefix_rewrite: "/" + cluster: shoppingagg + http_filters: + - name: envoy.filters.http.router clusters: - - name: shoppingagg - connect_timeout: 0.25s - type: strict_dns - lb_policy: round_robin - load_assignment: - cluster_name: shoppingagg - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: webshoppingagg - port_value: 80 - - name: catalog - connect_timeout: 0.25s - type: strict_dns - lb_policy: round_robin - load_assignment: - cluster_name: catalog - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: catalog-api - port_value: 80 - - name: basket - connect_timeout: 0.25s - type: strict_dns - lb_policy: round_robin - 
load_assignment: - cluster_name: basket - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: basket-api - port_value: 80 - - name: ordering - connect_timeout: 0.25s - type: strict_dns - lb_policy: round_robin - load_assignment: - cluster_name: ordering - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: ordering-api - port_value: 80 - - name: signalr-hub - connect_timeout: 0.25s - type: strict_dns - lb_policy: round_robin - load_assignment: - cluster_name: signalr-hub - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: ordering-signalrhub - port_value: 80 \ No newline at end of file + - name: shoppingagg + connect_timeout: 0.25s + type: strict_dns + lb_policy: round_robin + load_assignment: + cluster_name: shoppingagg + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: webshoppingagg + port_value: 80 + - name: catalog + connect_timeout: 0.25s + type: strict_dns + lb_policy: round_robin + load_assignment: + cluster_name: catalog + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: catalog-api + port_value: 80 + - name: coupon + connect_timeout: 0.25s + type: strict_dns + lb_policy: round_robin + load_assignment: + cluster_name: coupon + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: coupon-api + port_value: 80 + - name: basket + connect_timeout: 0.25s + type: strict_dns + lb_policy: round_robin + load_assignment: + cluster_name: basket + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: basket-api + port_value: 80 + - name: ordering + connect_timeout: 0.25s + type: strict_dns + lb_policy: round_robin + load_assignment: + cluster_name: ordering + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: ordering-api + port_value: 80 + - name: signalr-hub + connect_timeout: 0.25s + type: strict_dns + lb_policy: 
round_robin + load_assignment: + cluster_name: signalr-hub + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: ordering-signalrhub + port_value: 80 diff --git a/src/Services/Identity/Identity.API/Configuration/Config.cs b/src/Services/Identity/Identity.API/Configuration/Config.cs index 6d5393bde..bca085300 100644 --- a/src/Services/Identity/Identity.API/Configuration/Config.cs +++ b/src/Services/Identity/Identity.API/Configuration/Config.cs @@ -6,7 +6,7 @@ namespace Microsoft.eShopOnContainers.Services.Identity.API.Configuration { // ApiResources define the apis in your system public static IEnumerable GetApis() - { + { return new List { new ApiResource("orders", "Orders Service"), @@ -15,6 +15,7 @@ namespace Microsoft.eShopOnContainers.Services.Identity.API.Configuration new ApiResource("webshoppingagg", "Web Shopping Aggregator"), new ApiResource("orders.signalrhub", "Ordering Signalr Hub"), new ApiResource("webhooks", "Webhooks registration Service"), + new ApiResource("coupon", "Coupon Service"), }; } @@ -53,7 +54,8 @@ namespace Microsoft.eShopOnContainers.Services.Identity.API.Configuration "basket", "webshoppingagg", "orders.signalrhub", - "webhooks" + "webhooks", + "coupon" }, }, new Client @@ -63,7 +65,7 @@ namespace Microsoft.eShopOnContainers.Services.Identity.API.Configuration AllowedGrantTypes = GrantTypes.Hybrid, //Used to retrieve the access token on the back channel. ClientSecrets = - { + { new Secret("secret".Sha256()) }, RedirectUris = { clientsUrl["Xamarin"] }, @@ -79,7 +81,8 @@ namespace Microsoft.eShopOnContainers.Services.Identity.API.Configuration "orders", "basket", "mobileshoppingagg", - "webhooks" + "webhooks", + "coupon" }, //Allow requesting refresh tokens for long lived API access AllowOfflineAccess = true, 
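Review bot: Which backend a request reaches is decided purely by `prefix` matching on the raw path, and the HttpConnectionManager in this hunk sets neither `normalize_path` nor `merge_slashes`, so a path such as `/cp/../o/…` or `//coupon-api/…` is matched and forwarded as-is; whether that can steer a caller to a route they were not meant to reach depends on how each upstream resolves dot-segments and doubled slashes, and on the Envoy runtime default for normalization, which varies by version — confirm for the image in use. Adding `normalize_path: true` and `merge_slashes: true` beside `codec_type: AUTO` canonicalizes the path before route selection; the same applies to the apigwms config in the previous file. The `h-long` route's `prefix: "/hub/notificationhub"` has no trailing delimiter and therefore also matches any longer path beginning with that string, which is pre-existing but worth a `# prefix intentionally open-ended for SignalR negotiate/connect` comment if it is deliberate.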
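Review bot: `new ApiResource("coupon", "Coupon Service")` is added to `GetApis()` and `"coupon"` is appended to several clients' `AllowedScopes`, but whether that alone makes `coupon` a requestable scope depends on the IdentityServer version: from IdentityServer4 v4 an `ApiResource` no longer implies an `ApiScope`, and a client sending `scope=… coupon` receives `invalid_scope` unless `new ApiScope("coupon", "Coupon Service")` is also registered and the resource declares `Scopes = { "coupon" }` — confirm against the package version in use. The client whose `AllowedScopes` changes at `@@ -53,7 +54,8` starts outside the hunk, so it is not visible here which client gains the scope. The `ClientSecrets` context line shows `new Secret("secret".Sha256())`; it is untouched by this commit, but a change titled "security" is a natural place to move that literal into configuration and note that with `// secret must come from configuration, never source`.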
@@ -91,7 +94,7 @@ namespace Microsoft.eShopOnContainers.Services.Identity.API.Configuration ClientName = "MVC Client", ClientSecrets = new List { - + new Secret("secret".Sha256()) }, ClientUri = $"{clientsUrl["Mvc"]}", // public uri of the client @@ -117,7 +120,8 @@ namespace Microsoft.eShopOnContainers.Services.Identity.API.Configuration "basket", "webshoppingagg", "orders.signalrhub", - "webhooks" + "webhooks", + "coupon" }, AccessTokenLifetime = 60*60*2, // 2 hours IdentityTokenLifetime= 60*60*2 // 2 hours @@ -183,7 +187,8 @@ namespace Microsoft.eShopOnContainers.Services.Identity.API.Configuration "orders", "basket", "webshoppingagg", - "webhooks" + "webhooks", + "coupon" }, }, new Client diff --git a/src/Web/WebSPA/Client/src/modules/shared/services/security.service.ts b/src/Web/WebSPA/Client/src/modules/shared/services/security.service.ts index cf8a3fd17..9d6cf5aa2 100644 --- a/src/Web/WebSPA/Client/src/modules/shared/services/security.service.ts +++ b/src/Web/WebSPA/Client/src/modules/shared/services/security.service.ts @@ -1,11 +1,11 @@ import { Injectable } from '@angular/core'; -import { HttpClient, HttpHeaders } from '@angular/common/http'; -import { Observable, Subject } from 'rxjs'; -import { Router } from '@angular/router'; -import { ActivatedRoute } from '@angular/router'; -import { ConfigurationService } from './configuration.service'; -import { StorageService } from './storage.service'; +import { HttpClient, HttpHeaders } from '@angular/common/http'; +import { Observable, Subject } from 'rxjs'; +import { Router } from '@angular/router'; +import { ActivatedRoute } from '@angular/router'; +import { ConfigurationService } from './configuration.service'; +import { StorageService } from './storage.service'; @Injectable() export class SecurityService { 
@@ -69,10 +69,10 @@ export class SecurityService { this.authenticationSource.next(true); window.location.href = location.origin; }, - error => this.HandleError(error), - () => { - console.log(this.UserData); - }); + error => this.HandleError(error), + () => { + console.log(this.UserData); + }); } public Authorize() { @@ -82,7 +82,7 @@ export class SecurityService { let client_id = 'js'; let redirect_uri = location.origin + '/'; let response_type = 'id_token token'; - let scope = 'openid profile orders basket webshoppingagg orders.signalrhub'; + let scope = 'openid profile orders basket webshoppingagg orders.signalrhub coupon'; let nonce = 'N' + Math.random() + '' + Date.now(); let state = Date.now() + '' + Math.random(); @@ -198,7 +198,7 @@ export class SecurityService { if (typeof token !== 'undefined') { let encoded = token.split('.')[1]; - + data = JSON.parse(this.urlBase64Decode(encoded)); }
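Review bot: The `scope` string in `Authorize()` now hard-codes `coupon` next to the other audiences, so it must match the `AllowedScopes` of the `js` client in Identity.API's `Config.cs` exactly or the authorize request fails with `invalid_scope`; the Config.cs hunks in this patch add `coupon` to clients whose names begin outside their hunks, so that the `js` client is among them cannot be confirmed from here. While this function is being edited, the two context lines just below derive `nonce` and `state` from `Math.random()` and `Date.now()`, which are predictable and undermine the replay and CSRF protection those values exist to provide; `crypto.getRandomValues` is the appropriate source: `const rnd = () => Array.from(crypto.getRandomValues(new Uint8Array(16)), b => b.toString(16).padStart(2, '0')).join('');` followed by `let nonce = 'N' + rnd();` and `let state = rnd();`. `response_type = 'id_token token'` (implicit flow) is also visible as context; moving to authorization code with PKCE is the longer-term fix but outside this change. `Authorize()` continues past the hunk, and the `@@ -198` hunk is whitespace-only.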