Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@
*.crt
download
curlresponse.txt
create-schema.sql

# License downloads
curity-book-cli*
Expand Down Expand Up @@ -44,5 +45,4 @@ resources/apigateway/helm-values.yaml

## SPIFFE
chapter-10-workload-identities/base/authorizationserver/resources/signing*
chapter-10-workload-identities/base/authorizationserver/resources/postgres-schema.sql
!chapter-10-workload-identities/demoapi/gradle/wrapper/gradle-wrapper.jar
4 changes: 2 additions & 2 deletions chapter-09-entitlements/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -166,8 +166,8 @@ Both API requests are then authorized, and responses include different authorize

The authorization rules are based on these data relationships:

- [Dana's user account](https://github.com/curityio/cloud-native-oauth-security-examples/tree/main/resources/authorizationserver/data-backup.sql#L339) has `customer_id=2099` and `role=customer`.
- [Kims's user account](https://github.com/curityio/cloud-native-oauth-security-examples/tree/main/resources/authorizationserver/data-backup.sql#L340) has a `role=admin` and `region=USA`.
- [Dana's user account](https://github.com/curityio/cloud-native-oauth-security-examples/tree/main/resources/authorizationserver/user-import.sql#5) has `customer_id=2099` and `role=customer`.
- [Kims's user account](https://github.com/curityio/cloud-native-oauth-security-examples/tree/main/resources/authorizationserver/user-import.sql#L10) has a `role=admin` and `region=USA`.
- The client requests an [order with an ID of 20882](https://github.com/curityio/cloud-native-oauth-security-examples/tree/main/chapter-12-platform-specific-apps/console-app/src/index.ts#L19).
- The [order 20882 resource](https://github.com/curityio/cloud-native-oauth-security-examples/tree/main/chapter-05-secure-api-development/data/orderSummary.json#L11) has `customer_id=3044` and `region=USA`.
- Dana is not authorized to access the order since it is for another customer.
Expand Down
18 changes: 15 additions & 3 deletions chapter-10-workload-identities/base/authorizationserver/install.sh
Original file line number Diff line number Diff line change
Expand Up @@ -50,11 +50,23 @@ if [ $? -ne 0 ]; then
fi

#
# Create a configmap for the database schema of the authorization server
# Copy in the latest schema creation script from the Curity Docker image
#
docker pull curity.azurecr.io/curity/idsvr
docker run --name curity -d -e PASSWORD=Password1 curity.azurecr.io/curity/idsvr
docker cp curity:/opt/idsvr/etc/postgres-create_database.sql ./create-schema.sql
docker rm --force curity 1>/dev/null
if [ ! -f ./create-schema.sql ]; then
echo 'Problem encountered getting the schema creation script'
exit 1
fi

#
kubectl -n authorizationserver create configmap postgres-configmap --from-file='resources/postgres-schema.sql'
# Create a configmap with the schema creation script
#
kubectl -n authorizationserver create configmap postgres-configmap --from-file='create-schema.sql'
if [ $? -ne 0 ]; then
echo '*** Problem encountered creating the postgres config map'
echo 'Problem encountered creating the postgres configmap'
exit 1
fi

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -43,8 +43,8 @@ ADMIN_PASSWORD=$(openssl passwd -5 $ADMIN_PASSWORD_RAW)
#
# Plaintext database details
#
DB_NAME='idsvrdb'
DB_USER='idsvruser'
DB_NAME='idsvr'
DB_USER='postgres'
DB_PASSWORD_RAW='Password1'
DB_CONNECTION_RAW="jdbc:postgresql://postgres-svc/$DB_NAME"

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -38,22 +38,22 @@ spec:
spec:
containers:
- name: postgres
image: postgres:17.6
image: postgres:18.4
volumeMounts:
- mountPath: /docker-entrypoint-initdb.d
name: init-script
name: init-scripts
readOnly: true
env:
- name: POSTGRES_USER
value: idsvruser
value: postgres
- name: POSTGRES_PASSWORD
value: Password1
- name: POSTGRES_DB
value: idsvrdb
value: idsvr
ports:
- containerPort: 5432
name: postgres
volumes:
- name: init-script
- name: init-scripts
configMap:
name: postgres-configmap
Original file line number Diff line number Diff line change
@@ -1,20 +1,23 @@
#########################################################################################
##############################################################################################################
# Parameters for the istiod Helm chart, which injects sidecars into workloads
# - https://artifacthub.io/packages/helm/istio-official/istiod?modal=values
#
# Implement the technique from the istio-spire-config.yaml file:
# - https://github.com/istio/istio/tree/master/samples/security/spire
#
# - Set the trust domain for the mesh
# - Mount the SPIFFE CSI driver so that sidecars and the gateway receive SVIDs from SPIRE
#########################################################################################
# Integrate Istio with SPIRE, by mounting the CSI driver at the path from which Istio gets workload identities
# - https://istio.io/latest/docs/ops/integrations/spire/#install-istio
##############################################################################################################
meshConfig:
trustDomain: democluster.internal

sidecarInjectorWebhook:
templates:
spire: |
spec:
initContainers:
- name: istio-proxy
volumeMounts:
- name: workload-socket
mountPath: /run/secrets/workload-spiffe-uds
readOnly: true
volumes:
- name: workload-socket
csi:
Expand Down

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading