From 52cbae133646a50e73c53d4ceb38139e0f54a11c Mon Sep 17 00:00:00 2001
From: chenkins
Date: Thu, 11 May 2023 20:26:10 +0200
Subject: [PATCH] Improve local dev setup description in README. Add user-001 to dev-realm.json. Add configuration with alternative host proxyman.local instead of localhost name as requests to localhost are bypassing configured proxies.
---
 backend/README.md | 9 ++++
 .../src/main/resources/application.properties | 18 +++++--
 backend/src/main/resources/dev-realm.json | 54 +++++++++++++++++--
 frontend/vite.config.ts | 2 +
 4 files changed, 77 insertions(+), 6 deletions(-)
diff --git a/backend/README.md b/backend/README.md
index 1337db8b..8fbc0071 100644
--- a/backend/README.md
+++ b/backend/README.md
@@ -13,6 +13,15 @@ mvn clean quarkus:dev
 > **_NOTE:_** Quarkus now ships with a Dev UI, which is available in dev mode only at http://localhost:8080/q/dev/.
+To use proxyman for debgging, add the following lines to `/etc/hosts`:
+```
+127.0.0.1 proxyman.local
+::1 proxyman.local
+```
+Some browsers do not forward any requests to `localhost`, see [Proxyman Documentation](https://docs.proxyman.io/troubleshooting/couldnt-see-any-request-from-localhost-server) for more information.
+Caveat: `Proxyman` seems to modify some requests and invalidate JWT signatures. To be confirmed.
+
+
 ### Accessing Keycloak (Port 8180)
 During development, Keycloak is started as a Quarkus Dev Service using port 8180. When using alternative ports, you can also find it via [http://localhost:8080/q/dev](http://localhost:8080/q/dev).
diff --git a/backend/src/main/resources/application.properties b/backend/src/main/resources/application.properties
index d0b5fb98..284f2c7a 100644
--- a/backend/src/main/resources/application.properties
+++ b/backend/src/main/resources/application.properties
@@ -11,8 +11,15 @@ hub.public-root-path=${quarkus.http.root-path}
 # Connection Params for Keycloak Public Client (quarkus.oidc.auth-server-url may use network-private hostname)
 # `public-url` is used in the frontend (js), `local-url` in the backend. Maybe the same URL, but does not have to be.
+
+# If using proxyman.local for use with proxyman, start keycloak separately, see docker-compose.yml
+# uncomment to use proxyman.local setup
 hub.keycloak.public-url=http://localhost:8180
 hub.keycloak.local-url=http://localhost:8180
+
+#hub.keycloak.public-url=http://proxyman.local:8180
+#hub.keycloak.local-url=http://proxyman.local:8180
+#quarkus.oidc.auth-server-url=http://proxyman.local:8180/realms/cryptomator
 hub.keycloak.realm=cryptomator
 hub.managed-instance=false
@@ -20,7 +27,12 @@ hub.managed-instance=false
 quarkus.resteasy-reactive.path=/api
 %test.quarkus.resteasy-reactive.path=/
+# uncomment to use proxyman.local setup
+quarkus.http.host=proxyman.local
 quarkus.http.port=8080
+quarkus.http.access-log.enabled=true
+%dev.quarkus.log.level=INFO
+#%dev.quarkus.log.level=TRACE
 quarkus.oidc.application-type=service
 quarkus.oidc.client-id=cryptomatorhub
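Review bot: In the second hunk of application.properties (`@@ -20,7 +27,12 @@`) `quarkus.http.host=proxyman.local` is added as a live setting directly under the comment `# uncomment to use proxyman.local setup`, unlike the proxyman lines in the first hunk, which are commented out. As committed, every checkout without the README's `/etc/hosts` entry will fail to bind at startup, and because neither this key nor `quarkus.http.access-log.enabled=true` carries a `%dev.` prefix they appear to apply to all profiles, not just local debugging. I would comment out the host line like its siblings and scope the access log to dev: `#quarkus.http.host=proxyman.local` and `%dev.quarkus.http.access-log.enabled=true`.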
@@ -70,15 +82,15 @@ quarkus.flyway.locations=classpath:org/cryptomator/hub/flyway
 # Allow cross-origin requests in DEV profile
 %dev.quarkus.http.cors=true
-%dev.quarkus.http.cors.origins=http://localhost:3000,http//localhost:8080
+%dev.quarkus.http.cors.origins=http://localhost:3000,http//localhost:8080,http://proxyman.local:3000,http//proxyman.local:8080
 %test.quarkus.application.version=TEST_VERSION_3000
 # HTTP Security Headers see e.g. https://owasp.org/www-project-secure-headers/#div-bestpractices
 quarkus.http.header."Content-Security-Policy".value=default-src 'self'; connect-src 'self' api.cryptomator.org; object-src 'none'; child-src 'self'; img-src * data:; frame-ancestors 'none'
-%dev.quarkus.http.header."Content-Security-Policy".value=default-src 'self'; connect-src 'self' api.cryptomator.org localhost:8180; object-src 'none'; child-src 'self'; img-src * data:; frame-ancestors 'none'
+%dev.quarkus.http.header."Content-Security-Policy".value=default-src 'self'; connect-src 'self' api.cryptomator.org localhost:8180 proxyman.local:8180; object-src 'none'; child-src 'self'; img-src * data:; frame-ancestors 'none'
 # dev-ui needs very permissive CSP:
-# %dev.quarkus.http.header."Content-Security-Policy".value=default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data:; connect-src 'self' api.cryptomator.org localhost:8180;
+# %dev.quarkus.http.header."Content-Security-Policy".value=default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data:; connect-src 'self' api.cryptomator.org localhost:8180 proxyman.local:8180;
 quarkus.http.header."Referrer-Policy".value=no-referrer
 quarkus.http.header."Strict-Transport-Security".value=max-age=31536000; includeSubDomains
 quarkus.http.header."X-Content-Type-Options".value=nosniff
diff --git a/backend/src/main/resources/dev-realm.json b/backend/src/main/resources/dev-realm.json
index bbfe8e1a..bb70d746 100644
--- a/backend/src/main/resources/dev-realm.json
+++ b/backend/src/main/resources/dev-realm.json
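Review bot: The new origin `http//proxyman.local:8080` in `%dev.quarkus.http.cors.origins` is missing the colon after the scheme, repeating the pre-existing typo in `http//localhost:8080`; an origin written like this is unlikely to ever equal a browser's `Origin` header, so the dev allow-list silently omits both 8080 origins and any resulting CORS failure looks like a browser problem rather than a config one. Since the line is rewritten anyway, fix all four entries: `%dev.quarkus.http.cors.origins=http://localhost:3000,http://localhost:8080,http://proxyman.local:3000,http://proxyman.local:8080`. The CSP edits in the same hunk stay `%dev`-scoped and only add the Keycloak host to `connect-src`, which matches the rest of the setup.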
@@ -79,6 +79,23 @@
 "realmRoles": [
 "syncer"
 ]
+},
+{
+"username": "user001",
+"email": "user001@localhost",
+"enabled": true,
+"attributes": {
+"picture": "https://cryptomator.org/img/logo.svg"
+},
+"credentials": [
+{
+"type": "password",
+"value": "1234"
+}
+],
+"realmRoles": [
+"user"
+]
 }
 ],
 "scopeMappings": [
@@ -99,7 +116,9 @@
 "enabled": true,
 "redirectUris": [
 "http://localhost:8080/*",
-"http://localhost:3000/*"
+"http://localhost:3000/*",
+"http://proxyman.local:3000/*",
+"http://proxyman.local:8080/*"
 ],
 "webOrigins": [
 "+"
@@ -145,7 +164,8 @@
 "name": "Cryptomator App",
 "enabled": true,
 "redirectUris": [
-"http://127.0.0.1/*"
+"http://127.0.0.1/*",
+"http://proxyman.local:8080/*"
 ],
 "webOrigins": [
 "+"
@@ -155,7 +175,35 @@
 "protocol": "openid-connect",
 "attributes": {
 "pkce.code.challenge.method": "S256"
-}
+},
+"directAccessGrantsEnabled": true,
+"protocolMappers": [
+{
+"name": "realm roles",
+"protocol": "openid-connect",
+"protocolMapper": "oidc-usermodel-realm-role-mapper",
+"consentRequired": false,
+"config": {
+"access.token.claim": "true",
+"claim.name": "realm_access.roles",
+"jsonType.label": "String",
+"multivalued": "true"
+}
+},
+{
+"name": "client roles",
+"protocol": "openid-connect",
+"protocolMapper": "oidc-usermodel-client-role-mapper",
+"consentRequired": false,
+"config": {
+"access.token.claim": "true",
+"claim.name": "resource_access.${client_id}.roles",
+"jsonType.label": "String",
+"multivalued": "true",
+"usermodel.clientRoleMapping.clientId": "cryptomatorhub"
+}
+}
+]
 }
 ],
 "browserSecurityHeaders": {
diff --git a/frontend/vite.config.ts b/frontend/vite.config.ts
index 9f5b244e..be698c97 100644
--- a/frontend/vite.config.ts
+++ b/frontend/vite.config.ts
@@ -33,6 +33,8 @@ export default defineConfig({
 port: 3000,
 strictPort: true,
 proxy: {
+// uncomment to use proxyman.local setup:
+//'/api/': 'http://proxyman.local:8080'
 '/api/': 'http://127.0.0.1:8080'
 }
 }
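Review bot: `"directAccessGrantsEnabled": true` on the `Cryptomator App` client (hunk `@@ -155,7 +175,35 @@`) switches on the OAuth 2.0 resource owner password grant for a public PKCE client, and the commit message does not mention it. That grant hands out tokens for a plain username and password without the browser-based code flow, so it sidesteps whatever consent, MFA or external IdP steps the realm enforces, and it is deprecated in the OAuth 2.1 draft; together with the new `user001` / `1234` account in the first hunk it makes a handy scripting shortcut, which is presumably the intent. As this file appears to be the realm import for the Keycloak dev service only, the exposure is contained, but please record the reason in the README (JSON has no comments) and, if the grant is only needed for tests, consider a dedicated test client rather than the real app's client id. The two `protocolMappers` only copy realm roles and `cryptomatorhub` client roles into the access token, which looks fine but is worth checking against the claim names the backend actually reads.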
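Review bot: The commented line `//'/api/': 'http://proxyman.local:8080'` cannot simply be uncommented as its comment says: doing so leaves two `'/api/'` keys in the `proxy` object literal, which `tsc` reports as a duplicate property name, and the line also lacks the trailing comma the following entry would then require; a bundler that tolerates the duplicate would silently keep the last key instead. Either make the comment say what is actually needed, `// swap with the line below to use the proxyman.local setup:`, or make the target switchable without editing the file, e.g. `'/api/': process.env.HUB_API_TARGET ?? 'http://127.0.0.1:8080'` (`HUB_API_TARGET` is a placeholder name; this needs `@types/node`, which a Vite config usually has). The enclosing `defineConfig` call starts and ends outside the hunk.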