From e960c5cfa595b0e91d1cae6452c84796192e3045 Mon Sep 17 00:00:00 2001 From: hitanshu310 Date: Mon, 15 Sep 2025 00:21:49 +0530 Subject: [PATCH 01/12] Final cahnges to add OIDC, setting groups and authorities --- build.gradle | 1 + docker-compose.yaml | 2 + .../Config/AuthoritiesToGroupMapping.java | 28 ++++++++++++ .../Config/CustomOidcUserConfiguration.java | 45 +++++++++++++++++++ .../Config/Security/SecuirtyConfig.java | 39 ++++++++++++++++ .../Controllers/TunnelController.java | 27 +++++++++-- .../CFTunnels/Models/Authorities.java | 10 +++++ .../hithomelabs/CFTunnels/Models/Groups.java | 10 +++++ src/main/resources/application.properties | 12 +++++ 9 files changed, 171 insertions(+), 3 deletions(-) create mode 100644 src/main/java/com/hithomelabs/CFTunnels/Config/AuthoritiesToGroupMapping.java create mode 100644 src/main/java/com/hithomelabs/CFTunnels/Config/CustomOidcUserConfiguration.java create mode 100644 src/main/java/com/hithomelabs/CFTunnels/Config/Security/SecuirtyConfig.java create mode 100644 src/main/java/com/hithomelabs/CFTunnels/Models/Authorities.java create mode 100644 src/main/java/com/hithomelabs/CFTunnels/Models/Groups.java diff --git a/build.gradle b/build.gradle index 49a3976..bfc0540 100644 --- a/build.gradle +++ b/build.gradle @@ -23,6 +23,7 @@ repositories { dependencies { implementation group: 'org.springdoc', name: 'springdoc-openapi-starter-webmvc-ui', version: '2.8.5' + implementation group: 'org.springframework.boot', name:'spring-boot-starter-oauth2-client', version: '3.5.5' implementation 'org.springframework.boot:spring-boot-starter-web' testImplementation 'org.springframework.boot:spring-boot-starter-test' testRuntimeOnly 'org.junit.platform:junit-platform-launcher' diff --git a/docker-compose.yaml b/docker-compose.yaml index 1c03e48..7cac007 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -7,6 +7,8 @@ services: - CLOUDFLARE_API_KEY=${CLOUDFLARE_API_KEY} - CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL} - ENV=${ENV} + - OAUTH_CLIENT_ID=${OAUTH_CLIENT_ID} + - OAUTH_CLIENT_SECRET=${OAUTH_CLIENT_SECRET} ports: - 5002:8080 restart: unless-stopped \ No newline at end of file diff --git a/src/main/java/com/hithomelabs/CFTunnels/Config/AuthoritiesToGroupMapping.java b/src/main/java/com/hithomelabs/CFTunnels/Config/AuthoritiesToGroupMapping.java new file mode 100644 index 0000000..b323700 --- /dev/null +++ b/src/main/java/com/hithomelabs/CFTunnels/Config/AuthoritiesToGroupMapping.java @@ -0,0 +1,28 @@ +package com.hithomelabs.CFTunnels.Config; + +import com.hithomelabs.CFTunnels.Models.Authorities; +import com.hithomelabs.CFTunnels.Models.Groups; +import org.springframework.context.annotation.Configuration; +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.core.authority.SimpleGrantedAuthority; + +import java.util.HashMap; +import java.util.HashSet; +import java.util.Map; +import java.util.Set; + +@Configuration +public class AuthoritiesToGroupMapping { + + public Map> getAuthorityForGroup(){ + HashMap> mappings = new HashMap<>(); + mappings.put(Groups.GITEA_USER, new HashSet<>(Set.of(new SimpleGrantedAuthority(Authorities.ROLE_USER)))); + mappings.put(Groups.POWER_USER, new HashSet<>(Set.of(new SimpleGrantedAuthority(Authorities.ROLE_USER)))); + mappings.put(Groups.HOMELAB_DEVELOPER, new HashSet<>(Set.of(new SimpleGrantedAuthority(Authorities.ROLE_DEVELOPER)))); + mappings.put(Groups.SYSTEM_ADMIN, new HashSet<>(Set.of(new SimpleGrantedAuthority(Authorities.ROLE_APPROVER), new SimpleGrantedAuthority(Authorities.ROLE_ADMIN)))); + return mappings; + } + + + +} diff --git a/src/main/java/com/hithomelabs/CFTunnels/Config/CustomOidcUserConfiguration.java b/src/main/java/com/hithomelabs/CFTunnels/Config/CustomOidcUserConfiguration.java new file mode 100644 index 0000000..22a4e64 --- /dev/null +++ b/src/main/java/com/hithomelabs/CFTunnels/Config/CustomOidcUserConfiguration.java @@ -0,0 +1,45 @@ +package com.hithomelabs.CFTunnels.Config; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Configuration; +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest; +import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService; +import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser; +import org.springframework.security.oauth2.core.oidc.user.OidcUser; + +import java.util.HashSet; +import java.util.List; +import java.util.Set; + +@Configuration +public class CustomOidcUserConfiguration extends OidcUserService { + + @Autowired + AuthoritiesToGroupMapping authoritiesToGroupMapping; + + @Override + public OidcUser loadUser(OidcUserRequest userRequest) { + // * * Delegate to the default implementation for loading user and claims + OidcUser oidcUser = super.loadUser(userRequest); + + // * * Copy existing authorities (e.g. scopes → authorities) + Set mappedAuthorities = new HashSet<>(); + + // * * Extract your custom claim (change "roles" to your claim name) + List groups = oidcUser.getClaimAsStringList("groups"); + if (groups != null) { + groups.forEach(group -> + mappedAuthorities.addAll(authoritiesToGroupMapping.getAuthorityForGroup().get(group)) + ); + } + + // * * Return a new DefaultOidcUser with merged authorities + return new DefaultOidcUser( + mappedAuthorities, + oidcUser.getIdToken(), + oidcUser.getUserInfo() + ); + } + } + diff --git a/src/main/java/com/hithomelabs/CFTunnels/Config/Security/SecuirtyConfig.java b/src/main/java/com/hithomelabs/CFTunnels/Config/Security/SecuirtyConfig.java new file mode 100644 index 0000000..7bd9c1e --- /dev/null +++ b/src/main/java/com/hithomelabs/CFTunnels/Config/Security/SecuirtyConfig.java @@ -0,0 +1,39 @@ +package com.hithomelabs.CFTunnels.Config.Security; + +import com.hithomelabs.CFTunnels.Config.CustomOidcUserConfiguration; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; + +import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer; +import org.springframework.security.web.SecurityFilterChain; + + +@Configuration +@EnableWebSecurity +@EnableMethodSecurity( + prePostEnabled = true, + securedEnabled = true, + jsr250Enabled = true +) +public class SecuirtyConfig { + + @Autowired + private CustomOidcUserConfiguration customOidcUserConfiguration; + + @Bean + public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { + http + .authorizeHttpRequests(auth -> auth + .anyRequest().authenticated() + ) + .with(new OAuth2LoginConfigurer<>(), oauth2 -> oauth2.userInfoEndpoint(u -> u.oidcUserService(customOidcUserConfiguration))); + + + return http.build(); + } + +} diff --git a/src/main/java/com/hithomelabs/CFTunnels/Controllers/TunnelController.java b/src/main/java/com/hithomelabs/CFTunnels/Controllers/TunnelController.java index 9e8ad9c..fc8819f 100644 --- a/src/main/java/com/hithomelabs/CFTunnels/Controllers/TunnelController.java +++ b/src/main/java/com/hithomelabs/CFTunnels/Controllers/TunnelController.java @@ -1,8 +1,7 @@ package com.hithomelabs.CFTunnels.Controllers; import com.fasterxml.jackson.core.JsonProcessingException; -import com.fasterxml.jackson.databind.ObjectMapper; -import com.fasterxml.jackson.databind.SerializationFeature; +import com.hithomelabs.CFTunnels.Config.AuthoritiesToGroupMapping; import com.hithomelabs.CFTunnels.Config.CloudflareConfig; import com.hithomelabs.CFTunnels.Config.RestTemplateConfig; import com.hithomelabs.CFTunnels.Headers.AuthKeyEmailHeader; @@ -11,7 +10,10 @@ import com.hithomelabs.CFTunnels.Models.Ingress; import com.hithomelabs.CFTunnels.Models.TunnelResponse; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.http.*; -import org.springframework.http.converter.HttpMessageConverter; +import org.springframework.security.access.prepost.PreAuthorize; +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.core.annotation.AuthenticationPrincipal; +import org.springframework.security.oauth2.core.oidc.user.OidcUser; import org.springframework.web.bind.annotation.*; import org.springframework.web.client.RestTemplate; @@ -25,6 +27,8 @@ public class TunnelController { private final RestTemplate restTemplate = new RestTemplate(); + @Autowired + private AuthoritiesToGroupMapping authoritiesToGroupMapping; @Autowired private CloudflareConfig cloudflareConfig; @@ -34,6 +38,20 @@ public class TunnelController { @Autowired private RestTemplateConfig restTemplateConfig; + @PreAuthorize("hasAnyRole('USER')") + @GetMapping("/whoami") + public Map whoAmI(@AuthenticationPrincipal OidcUser oidcUser) { + + List authorities = oidcUser.getAuthorities().stream() + .map(GrantedAuthority::getAuthority) + .toList(); + return Map.of( + "username", oidcUser.getPreferredUsername(), + "roles", authorities + ); + } + + @PreAuthorize("hasAnyRole('USER')") @GetMapping("/tunnels") public ResponseEntity> getTunnels(){ @@ -50,6 +68,7 @@ public class TunnelController { return ResponseEntity.ok(jsonResponse); } + @PreAuthorize("hasAnyRole('DEVELOPER')") @GetMapping("/tunnel/{tunnelId}") public ResponseEntity> getTunnelConfigurations(@PathVariable String tunnelId) throws JsonProcessingException { @@ -67,6 +86,7 @@ public class TunnelController { } // 50df9101-f625-4618-b7c5-100338a57124 + @PreAuthorize("hasAnyRole('ADMIN')") @PutMapping("/tunnel/{tunnelId}/add") public ResponseEntity> addTunnelconfiguration(@PathVariable String tunnelId, @RequestBody Ingress ingress) throws JsonProcessingException { @@ -95,6 +115,7 @@ public class TunnelController { return ResponseEntity.ok(jsonResponse); } + @PreAuthorize("hasAnyRole('DEVELOPER')") @PutMapping("/tunnel/{tunnelId}/delete") public ResponseEntity> deleteTunnelConfiguration(@PathVariable String tunnelId, @RequestBody Ingress ingress) throws JsonProcessingException { diff --git a/src/main/java/com/hithomelabs/CFTunnels/Models/Authorities.java b/src/main/java/com/hithomelabs/CFTunnels/Models/Authorities.java new file mode 100644 index 0000000..f26a17b --- /dev/null +++ b/src/main/java/com/hithomelabs/CFTunnels/Models/Authorities.java @@ -0,0 +1,10 @@ +package com.hithomelabs.CFTunnels.Models; + +public class Authorities { + + public static final String ROLE_ADMIN = "ROLE_ADMIN"; + public static final String ROLE_DEVELOPER = "ROLE_DEVELOPER"; + public static final String ROLE_USER = "ROLE_USER"; + public static final String ROLE_APPROVER = "ROLE_APPROVER"; + +} diff --git a/src/main/java/com/hithomelabs/CFTunnels/Models/Groups.java b/src/main/java/com/hithomelabs/CFTunnels/Models/Groups.java new file mode 100644 index 0000000..f7c213d --- /dev/null +++ b/src/main/java/com/hithomelabs/CFTunnels/Models/Groups.java @@ -0,0 +1,10 @@ +package com.hithomelabs.CFTunnels.Models; + +public class Groups { + + public static final String HOMELAB_DEVELOPER = "homelab developer"; + public static final String SYSTEM_ADMIN = "authentik Admins"; + public static final String POWER_USER = "arr premium"; + public static final String GITEA_USER = "gitrestricted"; + +} diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index 9b04cc9..3ba3827 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties @@ -3,3 +3,15 @@ cloudflare.accountId=${CLOUDFLARE_ACCOUNT_ID} cloudflare.apiKey=${CLOUDFLARE_API_KEY} cloudflare.email=${CLOUDFLARE_EMAIL} spring.profiles.active=${ENV} + +spring.security.oauth2.client.registration.cftunnels.client-id=${OAUTH_CLIENT_ID} +spring.security.oauth2.client.registration.cftunnels.client-secret=${OAUTH_CLIENT_SECRET} +spring.security.oauth2.client.registration.cftunnels.authorization-grant-type=authorization_code +spring.security.oauth2.client.registration.cftunnels.redirect-uri={baseUrl}/login/oauth2/code/cftunnels +spring.security.oauth2.client.registration.cftunnels.scope=openid,profile,email,offline_access,cftunnels + +spring.security.oauth2.client.provider.cftunnels.authorization-uri=https://auth.hithomelabs.com/application/o/authorize/ +spring.security.oauth2.client.provider.cftunnels.token-uri=https://auth.hithomelabs.com/application/o/token/ +spring.security.oauth2.client.provider.cftunnels.user-info-uri=https://auth.hithomelabs.com/application/o/userinfo/ +spring.security.oauth2.client.provider.cftunnels.jwk-set-uri=https://auth.hithomelabs.com/application/o/cftunnels/jwks/ +spring.security.oauth2.client.provider.cftunnels.issuer-uri=https://auth.hithomelabs.com/application/o/cftunnels/ \ No newline at end of file -- 2.45.2 From 674d541d7848519b421217649ce46641ada95799 Mon Sep 17 00:00:00 2001 From: hitanshu310 Date: Mon, 15 Sep 2025 00:59:13 +0530 Subject: [PATCH 02/12] Trying to address the issue of redirect_uri --- src/main/resources/application-test.properties | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/resources/application-test.properties b/src/main/resources/application-test.properties index e5c014b..9f52712 100644 --- a/src/main/resources/application-test.properties +++ b/src/main/resources/application-test.properties @@ -1 +1 @@ -api.baseUrl=https://testcf.hithomelabs.com \ No newline at end of file +api.baseUrl=http://192.168.0.100:5002 \ No newline at end of file -- 2.45.2 From f1ec120715c93f9c82bd4230fea3acd7b811b799 Mon Sep 17 00:00:00 2001 From: hitanshu310 Date: Mon, 15 Sep 2025 01:17:29 +0530 Subject: [PATCH 03/12] Tinkering with redirect-uri --- src/main/resources/application-test.properties | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/resources/application-test.properties b/src/main/resources/application-test.properties index 9f52712..e5c014b 100644 --- a/src/main/resources/application-test.properties +++ b/src/main/resources/application-test.properties @@ -1 +1 @@ -api.baseUrl=http://192.168.0.100:5002 \ No newline at end of file +api.baseUrl=https://testcf.hithomelabs.com \ No newline at end of file -- 2.45.2 From 37a57279fdd8c31730d896e359ab816439a2a8d8 Mon Sep 17 00:00:00 2001 From: hitanshu310 Date: Mon, 15 Sep 2025 01:43:31 +0530 Subject: [PATCH 04/12] Trying something seeing if it works --- src/main/resources/application.properties | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index 3ba3827..1b13697 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties @@ -7,7 +7,7 @@ spring.profiles.active=${ENV} spring.security.oauth2.client.registration.cftunnels.client-id=${OAUTH_CLIENT_ID} spring.security.oauth2.client.registration.cftunnels.client-secret=${OAUTH_CLIENT_SECRET} spring.security.oauth2.client.registration.cftunnels.authorization-grant-type=authorization_code -spring.security.oauth2.client.registration.cftunnels.redirect-uri={baseUrl}/login/oauth2/code/cftunnels +spring.security.oauth2.client.registration.cftunnels.redirect-uri=http://localhost:8080/login/oauth2/code/cftunnels spring.security.oauth2.client.registration.cftunnels.scope=openid,profile,email,offline_access,cftunnels spring.security.oauth2.client.provider.cftunnels.authorization-uri=https://auth.hithomelabs.com/application/o/authorize/ -- 2.45.2 From e46974870a00aa41022ade71a76811636186bd39 Mon Sep 17 00:00:00 2001 From: hitanshu310 Date: Mon, 15 Sep 2025 01:57:34 +0530 Subject: [PATCH 05/12] Trying to avoid clash with baseUrl variable --- .../com/hithomelabs/CFTunnels/Config/OpenApiConfig.java | 6 +++--- src/main/resources/application-local.properties | 2 +- src/main/resources/application-prod.properties | 2 +- src/main/resources/application-test.properties | 2 +- src/main/resources/application.properties | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/main/java/com/hithomelabs/CFTunnels/Config/OpenApiConfig.java b/src/main/java/com/hithomelabs/CFTunnels/Config/OpenApiConfig.java index e24e6f5..ef3b098 100644 --- a/src/main/java/com/hithomelabs/CFTunnels/Config/OpenApiConfig.java +++ b/src/main/java/com/hithomelabs/CFTunnels/Config/OpenApiConfig.java @@ -11,12 +11,12 @@ import java.util.ArrayList; @Configuration public class OpenApiConfig { - @Value("${api.baseUrl}") - private String baseUrl; + @Value("${api.corsResolveUrl}") + private String corsResolveUrl; @Bean public OpenAPI openAPI(){ - Server httpsServer = new Server().url(baseUrl); + Server httpsServer = new Server().url(corsResolveUrl); OpenAPI openApi = new OpenAPI(); ArrayList servers = new ArrayList<>(); servers.add(httpsServer); diff --git a/src/main/resources/application-local.properties b/src/main/resources/application-local.properties index fdb25ce..9001ed2 100644 --- a/src/main/resources/application-local.properties +++ b/src/main/resources/application-local.properties @@ -1 +1 @@ -api.baseUrl=http://localhost:8080 \ No newline at end of file +api.corsResolveUrl=http://localhost:8080 \ No newline at end of file diff --git a/src/main/resources/application-prod.properties b/src/main/resources/application-prod.properties index dec0f4b..5126249 100644 --- a/src/main/resources/application-prod.properties +++ b/src/main/resources/application-prod.properties @@ -1 +1 @@ -api.baseUrl=https://cftunnels.hithomelabs.com \ No newline at end of file +api.corsResolveUrl=https://cftunnels.hithomelabs.com \ No newline at end of file diff --git a/src/main/resources/application-test.properties b/src/main/resources/application-test.properties index e5c014b..1ea328b 100644 --- a/src/main/resources/application-test.properties +++ b/src/main/resources/application-test.properties @@ -1 +1 @@ -api.baseUrl=https://testcf.hithomelabs.com \ No newline at end of file +api.corsResolveUrl=https://testcf.hithomelabs.com \ No newline at end of file diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index 1b13697..3ba3827 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties @@ -7,7 +7,7 @@ spring.profiles.active=${ENV} spring.security.oauth2.client.registration.cftunnels.client-id=${OAUTH_CLIENT_ID} spring.security.oauth2.client.registration.cftunnels.client-secret=${OAUTH_CLIENT_SECRET} spring.security.oauth2.client.registration.cftunnels.authorization-grant-type=authorization_code -spring.security.oauth2.client.registration.cftunnels.redirect-uri=http://localhost:8080/login/oauth2/code/cftunnels +spring.security.oauth2.client.registration.cftunnels.redirect-uri={baseUrl}/login/oauth2/code/cftunnels spring.security.oauth2.client.registration.cftunnels.scope=openid,profile,email,offline_access,cftunnels spring.security.oauth2.client.provider.cftunnels.authorization-uri=https://auth.hithomelabs.com/application/o/authorize/ -- 2.45.2 From e04ac4b73d8889c59c926652af94fd364ab5b6fb Mon Sep 17 00:00:00 2001 From: hitanshu310 Date: Tue, 16 Sep 2025 00:27:12 +0530 Subject: [PATCH 06/12] Adding config to make sping boot return an https redirect URI --- src/main/resources/application.properties | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index 3ba3827..c3fb4db 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties @@ -4,6 +4,8 @@ cloudflare.apiKey=${CLOUDFLARE_API_KEY} cloudflare.email=${CLOUDFLARE_EMAIL} spring.profiles.active=${ENV} +server.forward-headers-strategy=framework + spring.security.oauth2.client.registration.cftunnels.client-id=${OAUTH_CLIENT_ID} spring.security.oauth2.client.registration.cftunnels.client-secret=${OAUTH_CLIENT_SECRET} spring.security.oauth2.client.registration.cftunnels.authorization-grant-type=authorization_code -- 2.45.2 From 30ec013002f19d63eec69f5302e502ae5bf5e10f Mon Sep 17 00:00:00 2001 From: hitanshu310 Date: Tue, 16 Sep 2025 01:30:02 +0530 Subject: [PATCH 07/12] Trying to do everythng via http --- src/main/resources/application-test.properties | 3 ++- src/main/resources/application.properties | 2 -- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/src/main/resources/application-test.properties b/src/main/resources/application-test.properties index 1ea328b..fb3cd9e 100644 --- a/src/main/resources/application-test.properties +++ b/src/main/resources/application-test.properties @@ -1 +1,2 @@ -api.corsResolveUrl=https://testcf.hithomelabs.com \ No newline at end of file +api.corsResolveUrl=https://testcf.hithomelabs.com +spring.security.oauth2.client.registration.cftunnels.redirect-uri=http://192.168.0.100:5002/login/oauth2/code/cftunnels \ No newline at end of file diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index c3fb4db..3ba3827 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties @@ -4,8 +4,6 @@ cloudflare.apiKey=${CLOUDFLARE_API_KEY} cloudflare.email=${CLOUDFLARE_EMAIL} spring.profiles.active=${ENV} -server.forward-headers-strategy=framework - spring.security.oauth2.client.registration.cftunnels.client-id=${OAUTH_CLIENT_ID} spring.security.oauth2.client.registration.cftunnels.client-secret=${OAUTH_CLIENT_SECRET} spring.security.oauth2.client.registration.cftunnels.authorization-grant-type=authorization_code -- 2.45.2 From b3b3d4a441052f91724faca8deed41b6405eff47 Mon Sep 17 00:00:00 2001 From: hitanshu310 Date: Sat, 20 Sep 2025 20:29:48 +0530 Subject: [PATCH 08/12] Trying to fix OIDC configuration with TLS termination behind reverse proxy --- src/main/resources/application-test.properties | 3 +-- src/main/resources/application.properties | 8 ++------ 2 files changed, 3 insertions(+), 8 deletions(-) diff --git a/src/main/resources/application-test.properties b/src/main/resources/application-test.properties index fb3cd9e..1ea328b 100644 --- a/src/main/resources/application-test.properties +++ b/src/main/resources/application-test.properties @@ -1,2 +1 @@ -api.corsResolveUrl=https://testcf.hithomelabs.com -spring.security.oauth2.client.registration.cftunnels.redirect-uri=http://192.168.0.100:5002/login/oauth2/code/cftunnels \ No newline at end of file +api.corsResolveUrl=https://testcf.hithomelabs.com \ No newline at end of file diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index 3ba3827..03b15a5 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties @@ -4,14 +4,10 @@ cloudflare.apiKey=${CLOUDFLARE_API_KEY} cloudflare.email=${CLOUDFLARE_EMAIL} spring.profiles.active=${ENV} +server.forward-headers-strategy=framework spring.security.oauth2.client.registration.cftunnels.client-id=${OAUTH_CLIENT_ID} spring.security.oauth2.client.registration.cftunnels.client-secret=${OAUTH_CLIENT_SECRET} spring.security.oauth2.client.registration.cftunnels.authorization-grant-type=authorization_code spring.security.oauth2.client.registration.cftunnels.redirect-uri={baseUrl}/login/oauth2/code/cftunnels spring.security.oauth2.client.registration.cftunnels.scope=openid,profile,email,offline_access,cftunnels - -spring.security.oauth2.client.provider.cftunnels.authorization-uri=https://auth.hithomelabs.com/application/o/authorize/ -spring.security.oauth2.client.provider.cftunnels.token-uri=https://auth.hithomelabs.com/application/o/token/ -spring.security.oauth2.client.provider.cftunnels.user-info-uri=https://auth.hithomelabs.com/application/o/userinfo/ -spring.security.oauth2.client.provider.cftunnels.jwk-set-uri=https://auth.hithomelabs.com/application/o/cftunnels/jwks/ -spring.security.oauth2.client.provider.cftunnels.issuer-uri=https://auth.hithomelabs.com/application/o/cftunnels/ \ No newline at end of file +spring.security.oauth2.client.provider.cftunnels.issuer-uri=https://auth.hithomelabs.com/application/o/cftunnels \ No newline at end of file -- 2.45.2 From 84b2b5aead9df6e7664ff1753ffc58a8786223fb Mon Sep 17 00:00:00 2001 From: hitanshu310 Date: Sat, 20 Sep 2025 20:40:19 +0530 Subject: [PATCH 09/12] Fixing breaking build --- src/main/resources/application.properties | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index 03b15a5..b95f4d1 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties @@ -10,4 +10,8 @@ spring.security.oauth2.client.registration.cftunnels.client-secret=${OAUTH_CLIEN spring.security.oauth2.client.registration.cftunnels.authorization-grant-type=authorization_code spring.security.oauth2.client.registration.cftunnels.redirect-uri={baseUrl}/login/oauth2/code/cftunnels spring.security.oauth2.client.registration.cftunnels.scope=openid,profile,email,offline_access,cftunnels -spring.security.oauth2.client.provider.cftunnels.issuer-uri=https://auth.hithomelabs.com/application/o/cftunnels \ No newline at end of file +spring.security.oauth2.client.provider.cftunnels.authorization-uri=https://auth.hithomelabs.com/application/o/authorize/ +spring.security.oauth2.client.provider.cftunnels.token-uri=https://auth.hithomelabs.com/application/o/token/ +spring.security.oauth2.client.provider.cftunnels.user-info-uri=https://auth.hithomelabs.com/application/o/userinfo/ +spring.security.oauth2.client.provider.cftunnels.jwk-set-uri=https://auth.hithomelabs.com/application/o/cftunnels/jwks/ +spring.security.oauth2.client.provider.cftunnels.issuer-uri=https://auth.hithomelabs.com/application/o/cftunnels/ \ No newline at end of file -- 2.45.2 From 77a43bfde89ae2758a6720f60c3a50a812160eb9 Mon Sep 17 00:00:00 2001 From: hitanshu310 Date: Sat, 20 Sep 2025 21:00:58 +0530 Subject: [PATCH 10/12] Adding new URL mapping that redirects / to swagger UI --- .../hithomelabs/CFTunnels/Controllers/TunnelController.java | 5 +++++ src/main/resources/application.properties | 2 ++ 2 files changed, 7 insertions(+) diff --git a/src/main/java/com/hithomelabs/CFTunnels/Controllers/TunnelController.java b/src/main/java/com/hithomelabs/CFTunnels/Controllers/TunnelController.java index fc8819f..8c9d145 100644 --- a/src/main/java/com/hithomelabs/CFTunnels/Controllers/TunnelController.java +++ b/src/main/java/com/hithomelabs/CFTunnels/Controllers/TunnelController.java @@ -38,6 +38,11 @@ public class TunnelController { @Autowired private RestTemplateConfig restTemplateConfig; + @GetMapping("/") + public String redirectToSwagger() { + return "redirect:/swagger-ui/index.html"; + } + @PreAuthorize("hasAnyRole('USER')") @GetMapping("/whoami") public Map whoAmI(@AuthenticationPrincipal OidcUser oidcUser) { diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index b95f4d1..4774989 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties @@ -4,7 +4,9 @@ cloudflare.apiKey=${CLOUDFLARE_API_KEY} cloudflare.email=${CLOUDFLARE_EMAIL} spring.profiles.active=${ENV} +/ * * Masking sure app works behind a reverse proxy server.forward-headers-strategy=framework + spring.security.oauth2.client.registration.cftunnels.client-id=${OAUTH_CLIENT_ID} spring.security.oauth2.client.registration.cftunnels.client-secret=${OAUTH_CLIENT_SECRET} spring.security.oauth2.client.registration.cftunnels.authorization-grant-type=authorization_code -- 2.45.2 From 40168545148990ba216f2e94b67e7d26ea1a8abb Mon Sep 17 00:00:00 2001 From: hitanshu310 Date: Sat, 20 Sep 2025 21:29:53 +0530 Subject: [PATCH 11/12] Adding a new HomeController to redirect to swagger UI --- .../CFTunnels/Controllers/HomeController.java | 32 +++++++++++++++++++ .../Controllers/TunnelController.java | 9 ++---- 2 files changed, 35 insertions(+), 6 deletions(-) create mode 100644 src/main/java/com/hithomelabs/CFTunnels/Controllers/HomeController.java diff --git a/src/main/java/com/hithomelabs/CFTunnels/Controllers/HomeController.java b/src/main/java/com/hithomelabs/CFTunnels/Controllers/HomeController.java new file mode 100644 index 0000000..43ea57a --- /dev/null +++ b/src/main/java/com/hithomelabs/CFTunnels/Controllers/HomeController.java @@ -0,0 +1,32 @@ +package com.hithomelabs.CFTunnels.Controllers; + + +import org.springframework.boot.web.servlet.error.ErrorController; +import org.springframework.stereotype.Controller; +import org.springframework.web.bind.annotation.GetMapping; +import org.springframework.web.bind.annotation.RequestMapping; + +@Controller +public class HomeController implements ErrorController { + + private static final String ERROR_PATH = "/error"; + + /** + * Redirects the root (including any query params like ?continue=…) + * straight into Swagger UI. + */ + @GetMapping("/") + public String rootRedirect() { + return "redirect:/swagger-ui/index.html"; + } + + /** + * Catches any errors (404s, unhandled paths) and punts them + * into the same Swagger UI page. + */ + @RequestMapping(ERROR_PATH) + public String onError() { + return "redirect:/swagger-ui/index.html"; + } + +} diff --git a/src/main/java/com/hithomelabs/CFTunnels/Controllers/TunnelController.java b/src/main/java/com/hithomelabs/CFTunnels/Controllers/TunnelController.java index 8c9d145..612fc78 100644 --- a/src/main/java/com/hithomelabs/CFTunnels/Controllers/TunnelController.java +++ b/src/main/java/com/hithomelabs/CFTunnels/Controllers/TunnelController.java @@ -9,6 +9,7 @@ import com.hithomelabs.CFTunnels.Models.Config; import com.hithomelabs.CFTunnels.Models.Ingress; import com.hithomelabs.CFTunnels.Models.TunnelResponse; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.web.servlet.error.ErrorController; import org.springframework.http.*; import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.security.core.GrantedAuthority; @@ -23,9 +24,10 @@ import java.util.Map; @RestController @RequestMapping("/cloudflare") -public class TunnelController { +public class TunnelController implements ErrorController { private final RestTemplate restTemplate = new RestTemplate(); + private static final String ERROR_PATH = "/error"; @Autowired private AuthoritiesToGroupMapping authoritiesToGroupMapping; @@ -38,11 +40,6 @@ public class TunnelController { @Autowired private RestTemplateConfig restTemplateConfig; - @GetMapping("/") - public String redirectToSwagger() { - return "redirect:/swagger-ui/index.html"; - } - @PreAuthorize("hasAnyRole('USER')") @GetMapping("/whoami") public Map whoAmI(@AuthenticationPrincipal OidcUser oidcUser) { -- 2.45.2 From c8ba9ef6a965091567d02464b6b46f189c7afd21 Mon Sep 17 00:00:00 2001 From: hitanshu310 Date: Sat, 20 Sep 2025 23:31:18 +0530 Subject: [PATCH 12/12] Incrementing minor version and building an PROD image when PR merged to main --- .gitea/workflows/prod_image_build_push.yaml | 64 +++++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 .gitea/workflows/prod_image_build_push.yaml diff --git a/.gitea/workflows/prod_image_build_push.yaml b/.gitea/workflows/prod_image_build_push.yaml new file mode 100644 index 0000000..ec31a2c --- /dev/null +++ b/.gitea/workflows/prod_image_build_push.yaml @@ -0,0 +1,64 @@ +name: Promote image with tag test to prod +run-name: Build started by $ {{gitea.actor}} +on: + push: + branches: [main] +jobs: + tag: + runs-on: ubuntu-latest + outputs: + new_version: ${{ steps.new_version.outputs.new_version }} + steps: + - name: Check out repository code + uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: Get new version + id: new_version + run: | + VERSION=$(git describe --tags --abbrev=0) + echo ${VERSION} + MAJOR=$(echo ${VERSION} | cut -d "." -f 1) + MINOR=$(echo ${VERSION} | cut -d "." -f 2) + PATCH=0 + NEW_MINOR=$(( ${MINOR} + 1)) + echo ${NEW_MINOR} + echo "new_version=$(echo "${MAJOR}.${NEW_MINOR}.${PATCH}")" >> $GITHUB_OUTPUT + build_tag_push: + runs-on: ubuntu-latest + needs: tag + container: + image: catthehacker/ubuntu:act-latest + steps: + - name: Check out repository code + uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: JDK setup + uses: actions/setup-java@v4 + with: + distribution: 'zulu' + java-version: '17' + - name: Validate Gradle Wrapper + uses: gradle/actions/wrapper-validation@v3 + - name: Create and push tag + run: | + echo "NEW_VERSION=${{ needs.tag.outputs.new_version }}" + git config --global user.name "${{gitea.actor}}" + git config --global user.email "${{ gitea.actor }}@users.noreply.github.com" + git tag -a ${{ needs.tag.outputs.new_version }} -m "Pushing new version ${{ needs.tag.outputs.new_version }}" + git push origin ${{ needs.tag.outputs.new_version }} + - name: Log in to Gitea Docker Registry + uses: docker/login-action@v3 + with: + registry: 'http://192.168.0.100:8928' + username: hitanshu + password: ${{ secrets.TOKEN }} + - name: Gradle build + run: ./gradlew bootBuildImage --imageName=192.168.0.100:8928/hithomelabs/cftunnels:${{ needs.tag.outputs.new_version }} + - name: Tag image as test + run: docker tag 192.168.0.100:8928/hithomelabs/cftunnels:${{ needs.tag.outputs.new_version }} 192.168.0.100:8928/hithomelabs/cftunnels:prod + - name: Push to Gitea Registry + run: | + docker push 192.168.0.100:8928/hithomelabs/cftunnels:prod + docker push 192.168.0.100:8928/hithomelabs/cftunnels:${{ needs.tag.outputs.new_version }} -- 2.45.2