Ingress and security

Siarhei_Sialitski 2023-01-08 11:24:08 +01:00
parent d60be0ccaa
commit 10f9ecc038
4 changed files with 355 additions and 298 deletions


@ -6,142 +6,168 @@ admin:
port_value: 8001 port_value: 8001
static_resources: static_resources:
listeners: listeners:
- address: - address:
socket_address: socket_address:
address: 0.0.0.0 address: 0.0.0.0
port_value: 8080 port_value: 8080
filter_chains: filter_chains:
- filters: - filters:
- name: envoy.filters.network.http_connection_manager - name: envoy.filters.network.http_connection_manager
typed_config: typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: ingress_http stat_prefix: ingress_http
codec_type: AUTO codec_type: AUTO
route_config: route_config:
name: eshop_backend_route name: eshop_backend_route
virtual_hosts: virtual_hosts:
- name: eshop_backend - name: eshop_backend
domains: domains:
- ["*"] - ["*"]
routes: routes:
- name: "c-short" - name: "c-short"
match: match:
prefix: "/c/" prefix: "/c/"
route: route:
auto_host_rewrite: true auto_host_rewrite: true
prefix_rewrite: "/catalog-api/" prefix_rewrite: "/catalog-api/"
cluster: catalog cluster: catalog
- name: "c-long" - name: "c-long"
match: match:
prefix: "/catalog-api/" prefix: "/catalog-api/"
route: route:
auto_host_rewrite: true auto_host_rewrite: true
cluster: catalog cluster: catalog
- name: "o-short" - name: "cp-short"
match: match:
prefix: "/o/" prefix: "/cp/"
route: route:
auto_host_rewrite: true auto_host_rewrite: true
prefix_rewrite: "/ordering-api/" prefix_rewrite: "/coupon-api/"
cluster: ordering cluster: coupon
- name: "o-long" - name: "cp-long"
match: match:
prefix: "/ordering-api/" prefix: "/coupon-api/"
route: route:
auto_host_rewrite: true auto_host_rewrite: true
cluster: ordering cluster: coupon
- name: "h-long" - name: "o-short"
match: match:
prefix: "/hub/notificationhub" prefix: "/o/"
route: route:
auto_host_rewrite: true auto_host_rewrite: true
cluster: signalr-hub prefix_rewrite: "/ordering-api/"
timeout: 300s cluster: ordering
- name: "b-short" - name: "o-long"
match: match:
prefix: "/b/" prefix: "/ordering-api/"
route: route:
auto_host_rewrite: true auto_host_rewrite: true
prefix_rewrite: "/basket-api/" cluster: ordering
cluster: basket - name: "h-long"
- name: "b-long" match:
match: prefix: "/hub/notificationhub"
prefix: "/basket-api/" route:
route: auto_host_rewrite: true
auto_host_rewrite: true cluster: signalr-hub
cluster: basket timeout: 300s
- name: "agg" - name: "b-short"
match: match:
prefix: "/" prefix: "/b/"
route: route:
auto_host_rewrite: true auto_host_rewrite: true
prefix_rewrite: "/" prefix_rewrite: "/basket-api/"
cluster: shoppingagg cluster: basket
http_filters: - name: "b-long"
- name: envoy.filters.http.router match:
prefix: "/basket-api/"
route:
auto_host_rewrite: true
cluster: basket
- name: "agg"
match:
prefix: "/"
route:
auto_host_rewrite: true
prefix_rewrite: "/"
cluster: shoppingagg
http_filters:
- name: envoy.filters.http.router
clusters: clusters:
- name: shoppingagg - name: shoppingagg
connect_timeout: 0.25s connect_timeout: 0.25s
type: strict_dns type: strict_dns
lb_policy: round_robin lb_policy: round_robin
load_assignment: load_assignment:
cluster_name: shoppingagg cluster_name: shoppingagg
endpoints: endpoints:
- lb_endpoints: - lb_endpoints:
- endpoint: - endpoint:
address: address:
socket_address: socket_address:
address: webshoppingagg address: webshoppingagg
port_value: 80 port_value: 80
- name: catalog - name: catalog
connect_timeout: 0.25s connect_timeout: 0.25s
type: strict_dns type: strict_dns
lb_policy: round_robin lb_policy: round_robin
load_assignment: load_assignment:
cluster_name: catalog cluster_name: catalog
endpoints: endpoints:
- lb_endpoints: - lb_endpoints:
- endpoint: - endpoint:
address: address:
socket_address: socket_address:
address: catalog-api address: catalog-api
port_value: 80 port_value: 80
- name: basket - name: coupon
connect_timeout: 0.25s connect_timeout: 0.25s
type: strict_dns type: strict_dns
lb_policy: round_robin lb_policy: round_robin
load_assignment: load_assignment:
cluster_name: basket cluster_name: coupon
endpoints: endpoints:
- lb_endpoints: - lb_endpoints:
- endpoint: - endpoint:
address: address:
socket_address: socket_address:
address: basket-api address: coupon-api
port_value: 80 port_value: 80
- name: ordering - name: basket
connect_timeout: 0.25s connect_timeout: 0.25s
type: strict_dns type: strict_dns
lb_policy: round_robin lb_policy: round_robin
load_assignment: load_assignment:
cluster_name: ordering cluster_name: basket
endpoints: endpoints:
- lb_endpoints: - lb_endpoints:
- endpoint: - endpoint:
address: address:
socket_address: socket_address:
address: ordering-api address: basket-api
port_value: 80 port_value: 80
- name: signalr-hub - name: ordering
connect_timeout: 0.25s connect_timeout: 0.25s
type: strict_dns type: strict_dns
lb_policy: round_robin lb_policy: round_robin
load_assignment: load_assignment:
cluster_name: signalr-hub cluster_name: ordering
endpoints: endpoints:
- lb_endpoints: - lb_endpoints:
- endpoint: - endpoint:
address: address:
socket_address: socket_address:
address: ordering-signalrhub address: ordering-api
port_value: 80 port_value: 80
- name: signalr-hub
connect_timeout: 0.25s
type: strict_dns
lb_policy: round_robin
load_assignment:
cluster_name: signalr-hub
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: ordering-signalrhub
port_value: 80
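Review bot: The new `cp-short` and `cp-long` routes forward `/cp/` and `/coupon-api/` to the `coupon` cluster while the listener's only HTTP filter is still `envoy.filters.http.router`, so the gateway itself performs no token check on coupon traffic. That leaves coupon-api as the sole enforcement point for the new `coupon` scope; if that is the intent, say so above the routes, e.g. `# auth is enforced by coupon-api (audience "coupon"); the gateway only routes`, otherwise an `envoy.filters.http.jwt_authn` filter ahead of the router would be the place for it. The upstream hop to `coupon-api` on `port_value: 80` is plaintext like the existing clusters, which presumably relies on the cluster network being trusted. The second envoy file on this page adds the same two routes and the same cluster, and the same point applies there.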


@ -6,145 +6,171 @@ admin:
port_value: 8001 port_value: 8001
static_resources: static_resources:
listeners: listeners:
- address: - address:
socket_address: socket_address:
address: 0.0.0.0 address: 0.0.0.0
port_value: 8080 port_value: 8080
filter_chains: filter_chains:
- filters: - filters:
- name: envoy.filters.network.http_connection_manager - name: envoy.filters.network.http_connection_manager
typed_config: typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: ingress_http stat_prefix: ingress_http
codec_type: AUTO codec_type: AUTO
route_config: route_config:
name: eshop_backend_route name: eshop_backend_route
virtual_hosts: virtual_hosts:
- name: eshop_backend - name: eshop_backend
domains: domains:
- ["*"] - ["*"]
routes: routes:
- name: "c-short" - name: "c-short"
match: match:
prefix: "/c/" prefix: "/c/"
route: route:
auto_host_rewrite: true auto_host_rewrite: true
prefix_rewrite: "/catalog-api/" prefix_rewrite: "/catalog-api/"
cluster: catalog cluster: catalog
- name: "c-long" - name: "c-long"
match: match:
prefix: "/catalog-api/" prefix: "/catalog-api/"
route: route:
auto_host_rewrite: true auto_host_rewrite: true
cluster: catalog cluster: catalog
- name: "o-short" - name: "cp-short"
match: match:
prefix: "/o/" prefix: "/cp/"
route: route:
auto_host_rewrite: true auto_host_rewrite: true
prefix_rewrite: "/ordering-api/" prefix_rewrite: "/coupon-api/"
cluster: ordering cluster: coupon
- name: "o-long" - name: "cp-long"
match: match:
prefix: "/ordering-api/" prefix: "/coupon-api/"
route: route:
auto_host_rewrite: true auto_host_rewrite: true
cluster: ordering cluster: coupon
- name: "h-long" - name: "o-short"
match: match:
prefix: "/hub/notificationhub" prefix: "/o/"
route: route:
auto_host_rewrite: true auto_host_rewrite: true
cluster: signalr-hub prefix_rewrite: "/ordering-api/"
timeout: 300s cluster: ordering
upgrade_configs: - name: "o-long"
upgrade_type: "websocket" match:
enabled: true prefix: "/ordering-api/"
- name: "b-short" route:
match: auto_host_rewrite: true
prefix: "/b/" cluster: ordering
route: - name: "h-long"
auto_host_rewrite: true match:
prefix_rewrite: "/basket-api/" prefix: "/hub/notificationhub"
cluster: basket route:
- name: "b-long" auto_host_rewrite: true
match: cluster: signalr-hub
prefix: "/basket-api/" timeout: 300s
route: upgrade_configs:
auto_host_rewrite: true upgrade_type: "websocket"
cluster: basket enabled: true
- name: "agg" - name: "b-short"
match: match:
prefix: "/" prefix: "/b/"
route: route:
auto_host_rewrite: true auto_host_rewrite: true
prefix_rewrite: "/" prefix_rewrite: "/basket-api/"
cluster: shoppingagg cluster: basket
http_filters: - name: "b-long"
- name: envoy.filters.http.router match:
prefix: "/basket-api/"
route:
auto_host_rewrite: true
cluster: basket
- name: "agg"
match:
prefix: "/"
route:
auto_host_rewrite: true
prefix_rewrite: "/"
cluster: shoppingagg
http_filters:
- name: envoy.filters.http.router
clusters: clusters:
- name: shoppingagg - name: shoppingagg
connect_timeout: 0.25s connect_timeout: 0.25s
type: strict_dns type: strict_dns
lb_policy: round_robin lb_policy: round_robin
load_assignment: load_assignment:
cluster_name: shoppingagg cluster_name: shoppingagg
endpoints: endpoints:
- lb_endpoints: - lb_endpoints:
- endpoint: - endpoint:
address: address:
socket_address: socket_address:
address: webshoppingagg address: webshoppingagg
port_value: 80 port_value: 80
- name: catalog - name: catalog
connect_timeout: 0.25s connect_timeout: 0.25s
type: strict_dns type: strict_dns
lb_policy: round_robin lb_policy: round_robin
load_assignment: load_assignment:
cluster_name: catalog cluster_name: catalog
endpoints: endpoints:
- lb_endpoints: - lb_endpoints:
- endpoint: - endpoint:
address: address:
socket_address: socket_address:
address: catalog-api address: catalog-api
port_value: 80 port_value: 80
- name: basket - name: coupon
connect_timeout: 0.25s connect_timeout: 0.25s
type: strict_dns type: strict_dns
lb_policy: round_robin lb_policy: round_robin
load_assignment: load_assignment:
cluster_name: basket cluster_name: coupon
endpoints: endpoints:
- lb_endpoints: - lb_endpoints:
- endpoint: - endpoint:
address: address:
socket_address: socket_address:
address: basket-api address: coupon-api
port_value: 80 port_value: 80
- name: ordering - name: basket
connect_timeout: 0.25s connect_timeout: 0.25s
type: strict_dns type: strict_dns
lb_policy: round_robin lb_policy: round_robin
load_assignment: load_assignment:
cluster_name: ordering cluster_name: basket
endpoints: endpoints:
- lb_endpoints: - lb_endpoints:
- endpoint: - endpoint:
address: address:
socket_address: socket_address:
address: ordering-api address: basket-api
port_value: 80 port_value: 80
- name: signalr-hub - name: ordering
connect_timeout: 0.25s connect_timeout: 0.25s
type: strict_dns type: strict_dns
lb_policy: round_robin lb_policy: round_robin
load_assignment: load_assignment:
cluster_name: signalr-hub cluster_name: ordering
endpoints: endpoints:
- lb_endpoints: - lb_endpoints:
- endpoint: - endpoint:
address: address:
socket_address: socket_address:
address: ordering-signalrhub address: ordering-api
port_value: 80 port_value: 80
- name: signalr-hub
connect_timeout: 0.25s
type: strict_dns
lb_policy: round_robin
load_assignment:
cluster_name: signalr-hub
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: ordering-signalrhub
port_value: 80


@ -6,7 +6,7 @@ namespace Microsoft.eShopOnContainers.Services.Identity.API.Configuration
{ {
// ApiResources define the apis in your system // ApiResources define the apis in your system
public static IEnumerable<ApiResource> GetApis() public static IEnumerable<ApiResource> GetApis()
{ {
return new List<ApiResource> return new List<ApiResource>
{ {
new ApiResource("orders", "Orders Service"), new ApiResource("orders", "Orders Service"),
@ -15,6 +15,7 @@ namespace Microsoft.eShopOnContainers.Services.Identity.API.Configuration
new ApiResource("webshoppingagg", "Web Shopping Aggregator"), new ApiResource("webshoppingagg", "Web Shopping Aggregator"),
new ApiResource("orders.signalrhub", "Ordering Signalr Hub"), new ApiResource("orders.signalrhub", "Ordering Signalr Hub"),
new ApiResource("webhooks", "Webhooks registration Service"), new ApiResource("webhooks", "Webhooks registration Service"),
new ApiResource("coupon", "Coupon Service"),
}; };
} }
@ -53,7 +54,8 @@ namespace Microsoft.eShopOnContainers.Services.Identity.API.Configuration
"basket", "basket",
"webshoppingagg", "webshoppingagg",
"orders.signalrhub", "orders.signalrhub",
"webhooks" "webhooks",
"coupon"
}, },
}, },
new Client new Client
@ -63,7 +65,7 @@ namespace Microsoft.eShopOnContainers.Services.Identity.API.Configuration
AllowedGrantTypes = GrantTypes.Hybrid, AllowedGrantTypes = GrantTypes.Hybrid,
//Used to retrieve the access token on the back channel. //Used to retrieve the access token on the back channel.
ClientSecrets = ClientSecrets =
{ {
new Secret("secret".Sha256()) new Secret("secret".Sha256())
}, },
RedirectUris = { clientsUrl["Xamarin"] }, RedirectUris = { clientsUrl["Xamarin"] },
@ -79,7 +81,8 @@ namespace Microsoft.eShopOnContainers.Services.Identity.API.Configuration
"orders", "orders",
"basket", "basket",
"mobileshoppingagg", "mobileshoppingagg",
"webhooks" "webhooks",
"coupon"
}, },
//Allow requesting refresh tokens for long lived API access //Allow requesting refresh tokens for long lived API access
AllowOfflineAccess = true, AllowOfflineAccess = true,
@ -91,7 +94,7 @@ namespace Microsoft.eShopOnContainers.Services.Identity.API.Configuration
ClientName = "MVC Client", ClientName = "MVC Client",
ClientSecrets = new List<Secret> ClientSecrets = new List<Secret>
{ {
new Secret("secret".Sha256()) new Secret("secret".Sha256())
}, },
ClientUri = $"{clientsUrl["Mvc"]}", // public uri of the client ClientUri = $"{clientsUrl["Mvc"]}", // public uri of the client
@ -117,7 +120,8 @@ namespace Microsoft.eShopOnContainers.Services.Identity.API.Configuration
"basket", "basket",
"webshoppingagg", "webshoppingagg",
"orders.signalrhub", "orders.signalrhub",
"webhooks" "webhooks",
"coupon"
}, },
AccessTokenLifetime = 60*60*2, // 2 hours AccessTokenLifetime = 60*60*2, // 2 hours
IdentityTokenLifetime= 60*60*2 // 2 hours IdentityTokenLifetime= 60*60*2 // 2 hours
@ -183,7 +187,8 @@ namespace Microsoft.eShopOnContainers.Services.Identity.API.Configuration
"orders", "orders",
"basket", "basket",
"webshoppingagg", "webshoppingagg",
"webhooks" "webhooks",
"coupon"
}, },
}, },
new Client new Client
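Review bot: `"coupon"` is appended to the `AllowedScopes` of four clients at once, including the Xamarin hybrid client whose context lines show `AllowOfflineAccess = true`, so a refresh token held by that client now also yields coupon-API access for as long as it stays valid. Grant the scope only to the clients that actually call the coupon service and record the reason next to each entry, e.g. `"coupon" // <why this client calls coupon-api>`. The client definitions start and end outside these hunks, so which clients the first and last `AllowedScopes` lists belong to cannot be confirmed from here. The `new Secret("secret".Sha256())` context lines are not changed by this commit, but they are the only secret visible for clients that now carry the extra scope, and the value should come from configuration rather than source.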


@ -1,11 +1,11 @@
import { Injectable } from '@angular/core'; import { Injectable } from '@angular/core';
import { HttpClient, HttpHeaders } from '@angular/common/http'; import { HttpClient, HttpHeaders } from '@angular/common/http';
import { Observable, Subject } from 'rxjs'; import { Observable, Subject } from 'rxjs';
import { Router } from '@angular/router'; import { Router } from '@angular/router';
import { ActivatedRoute } from '@angular/router'; import { ActivatedRoute } from '@angular/router';
import { ConfigurationService } from './configuration.service'; import { ConfigurationService } from './configuration.service';
import { StorageService } from './storage.service'; import { StorageService } from './storage.service';
@Injectable() @Injectable()
export class SecurityService { export class SecurityService {
@ -69,10 +69,10 @@ export class SecurityService {
this.authenticationSource.next(true); this.authenticationSource.next(true);
window.location.href = location.origin; window.location.href = location.origin;
}, },
error => this.HandleError(error), error => this.HandleError(error),
() => { () => {
console.log(this.UserData); console.log(this.UserData);
}); });
} }
public Authorize() { public Authorize() {
@ -82,7 +82,7 @@ export class SecurityService {
let client_id = 'js'; let client_id = 'js';
let redirect_uri = location.origin + '/'; let redirect_uri = location.origin + '/';
let response_type = 'id_token token'; let response_type = 'id_token token';
let scope = 'openid profile orders basket webshoppingagg orders.signalrhub'; let scope = 'openid profile orders basket webshoppingagg orders.signalrhub coupon';
let nonce = 'N' + Math.random() + '' + Date.now(); let nonce = 'N' + Math.random() + '' + Date.now();
let state = Date.now() + '' + Math.random(); let state = Date.now() + '' + Math.random();
@ -198,7 +198,7 @@ export class SecurityService {
if (typeof token !== 'undefined') { if (typeof token !== 'undefined') {
let encoded = token.split('.')[1]; let encoded = token.split('.')[1];
data = JSON.parse(this.urlBase64Decode(encoded)); data = JSON.parse(this.urlBase64Decode(encoded));
} }