wultra · korbelm · Nov 20, 2024 · Nov 20, 2024
diff --git a/.github/workflows/build-powerauth-fido2-tests-docker-image.yml b/.github/workflows/build-powerauth-fido2-tests-docker-image.yml
@@ -0,0 +1,73 @@
+
+name: Build and push docker image of Powerauth Fido2 Demo to Docker registry
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - 'develop'
+      - 'main'
+      - 'releases/*'
+    paths:
+      - 'powerauth-fido2-tests/**'
+  push:
+    branches:
+      - 'develop'
+    paths:
+      - 'powerauth-fido2-tests/**'
+
+jobs:
+  build:
+    runs-on: 'ubuntu-latest'
+    environment: docker-publish
+    env:
+      # these are global secrets - for readonly access to artifactory
+      INTERNAL_USERNAME: ${{ secrets.JFROG_USERNAME }}
+      INTERNAL_PASSWORD: ${{ secrets.JFROG_PASSWORD }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          sparse-checkout: powerauth-fido2-tests
+      - uses: actions/setup-java@v4
+        with:
+          java-version: '21'
+          distribution: 'temurin'
+          server-id: jfrog-central
+          server-username: INTERNAL_USERNAME
+          server-password: INTERNAL_PASSWORD
+      - name: Get version
+        run: |
+          cd powerauth-fido2-tests
+          REVISION=`mvn help:evaluate -Dexpression=project.version -q -DforceStdout`
+          echo "REVISION=$REVISION" >> $GITHUB_ENV
+      - name: Build war
+        run: |
+          cd powerauth-fido2-tests
+          mvn -U -DuseInternalRepo=true --no-transfer-progress package
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          install: true
+      - name: Log in to Azure registry
+        if: ${{ github.actor != 'dependabot[bot]' && (github.event_name == 'workflow_dispatch' || github.event_name == 'push') }}
+        uses: docker/login-action@v3
+        with:
+          registry: https://powerauth.azurecr.io/
+          username: ${{ vars.ACR_USERNAME }}
+          password: ${{ secrets.ACR_PASSWORD }}
+      - name: Build and push container image to Azure registry
+        uses: docker/build-push-action@v6
+        with:
+          push: ${{ github.actor != 'dependabot[bot]' && (github.event_name == 'workflow_dispatch' || github.event_name == 'push') }}
+          platforms: linux/amd64,linux/arm64
+          tags: powerauth.azurecr.io/powerauth-fido2-tests:${{ github.sha }}
+          file: ./powerauth-fido2-tests/docker-powerauth-fido2-tests/Dockerfile
+          context: ./powerauth-fido2-tests
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+      - if: ${{ github.actor != 'dependabot[bot]' && (github.event_name == 'workflow_dispatch' || github.event_name == 'push') }}
+        run: |
+          echo '### 🚀 Published images' >> $GITHUB_STEP_SUMMARY
+          echo 'powerauth.azurecr.io/powerauth-fido2-tests:${{ github.sha }}' >> $GITHUB_STEP_SUMMARY
diff --git a/powerauth-fido2-tests/deploy/conf/fido2-demo.xml b/powerauth-fido2-tests/deploy/conf/fido2-demo.xml
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Context>
+    <Parameter name="powerauth.webauthn.rpId" value="${FIDO2_DEMO_RP_ID:}"/>
+    <Parameter name="powerauth.webauthn.rpName" value="${FIDO2_DEMO_RP_NAME:Wultra FIDO2 Demo}"/>
+    <Parameter name="powerauth.webauthn.allowedOrigins" value="${FIDO2_DEMO_ALLOWED_ORIGINS:}"/>
+    <Parameter name="powerauth.webauthn.allowedTopOrigins" value="${FIDO2_DEMO_ALLOWED_TOP_ORIGINS:}"/>
+
+    <Parameter name="powerauth.fido2.test.service.hideDeveloperOptions" value="${FIDO2_DEMO_HIDE_OPTIONS:true}"/>
+    <Parameter name="powerauth.fido2.test.service.emailAddressRequired" value="${FIDO2_DEMO_EMAIL_REQUIRED:true}"/>
+
+    <Parameter name="powerauth.service.baseUrl" value="${FIDO2_DEMO_PAS_BASE_URL:}"/>
+    <Parameter name="powerauth.service.applicationId" value="${FIDO2_DEMO_PAS_APP_ID:}"/>
+    <Parameter name="powerauth.service.security.clientToken" value="${FIDO2_DEMO_PAS_CLIENT_TOKEN:}"/>
+    <Parameter name="powerauth.service.security.clientSecret" value="${FIDO2_DEMO_PAS_CLIENT_SECRET:}"/>
+
+    <Parameter name="logging.level.root" value="INFO"/>
+    <Parameter name="logging.config" value="${FIDO2_DEMO_LOGGING:}"/>
+</Context>
diff --git a/powerauth-fido2-tests/deploy/conf/logback/fido2-demo-logback.xml b/powerauth-fido2-tests/deploy/conf/logback/fido2-demo-logback.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+    <appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
+        <encoder class="net.logstash.logback.encoder.LogstashEncoder">
+            <includeMdc>true</includeMdc>
+            <customFields>{"appname":"fido2-demo"}</customFields>
+        </encoder>
+    </appender>
+
+    <root level="INFO">
+        <appender-ref ref="CONSOLE"/>
+    </root>
+</configuration>
diff --git a/powerauth-fido2-tests/deploy/docker-entrypoint.sh b/powerauth-fido2-tests/deploy/docker-entrypoint.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+nginx
+
+catalina.sh run
diff --git a/powerauth-fido2-tests/deploy/nginx/html/favicon.ico b/powerauth-fido2-tests/deploy/nginx/html/favicon.ico
diff --git a/powerauth-fido2-tests/deploy/nginx/nginx.conf b/powerauth-fido2-tests/deploy/nginx/nginx.conf
@@ -0,0 +1,134 @@
+worker_processes 2;
+pid /tmp/nginx.pid;
+
+events {
+
+  use epoll;
+  accept_mutex on;
+  worker_connections 512;
+
+}
+
+http {
+
+  client_body_temp_path /tmp/client_temp;
+  proxy_temp_path       /tmp/proxy_temp_path;
+  fastcgi_temp_path     /tmp/fastcgi_temp;
+  uwsgi_temp_path       /tmp/uwsgi_temp;
+  scgi_temp_path        /tmp/scgi_temp;
+
+  server_tokens off;
+
+  tcp_nodelay on;
+  tcp_nopush on;
+
+  # Logging
+
+  # Excludes logging for requests with HTTP status codes 2xx (Success) and 3xx (Redirection)
+  map $status $loggable {
+    ~^[23]  0;
+    default 1;
+  }
+
+  log_format custom_format 'measure#nginx.service=$request_time content_type=$content_type '
+                   'content_length=$content_length request_length=$request_length request_time=$request_time '
+                   'status=$status';
+  access_log '/dev/stdout' custom_format if=$loggable;
+  error_log '/dev/stderr';
+
+  include mime.types;
+  default_type application/json;
+  sendfile on;
+
+  # Defines a timeout for reading client request body, period between two successive read operations (default 60s)
+  client_body_timeout 10s;
+
+  # Allows FastCGI server responses with codes greater than or equal to 300 to be passed to a client
+  fastcgi_intercept_errors on;
+
+  # Defines a timeout for establishing a connection with a proxied server (default 60s)
+  proxy_connect_timeout 10s;
+
+  # Defines a timeout for reading a response from the proxied server (default 60s)
+  proxy_read_timeout 29s;
+
+  # Server name must be without underscores
+  upstream demo {
+    server localhost:8080 fail_timeout=0;
+  }
+
+  server {
+    listen 8000;
+    #listen [::]:80 default_server ipv6only=on;
+
+    # error pages rewriting
+    location @401_json {
+      default_type application/json;
+      return 200 '{"status":"ERROR","responseObject":{"code":"HTTP_401","message":"Unauthorized"}}';
+    }
+
+    location @403_json {
+      default_type application/json;
+      return 200 '{"status":"ERROR","responseObject":{"code":"HTTP_403","message":"Forbidden"}}';
+    }
+
+    error_page 404 @404_json;
+
+    location @404_json {
+      default_type application/json;
+      return 404 '{"status":"ERROR","responseObject":{"code":"HTTP_404","message":"Not Found"}}';
+    }
+
+    error_page 500 502 503 504 @500_json;
+    location @500_json {
+      default_type application/json;
+      return 200 '{"status":"ERROR","responseObject":{"code":"ERROR_GENERIC","message":"Unknown Error"}}';
+    }
+
+    # Sets a $real_scheme variable whose value is the scheme passed by the load
+    # balancer in X-Forwarded-Proto, or to X-AppService-Proto in case of Azure
+    # cloud deployment.
+    set $real_scheme "http";
+    if ($http_x_forwarded_proto = "https") { # Generic proxy
+      set $real_scheme "https";
+    }
+    if ($http_x_appservice_proto = "https") { # Azure proxy
+      set $real_scheme "https";
+    }
+
+    add_header Permissions-Policy "publickey-credentials-get=*; publickey-credentials-create=*";
+
+    # global proxy configuration
+    proxy_set_header Host $http_host;
+    proxy_set_header X-Forwarded-Host $http_host;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $real_scheme;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_cookie_flags ~ secure samesite=none;
+
+    proxy_intercept_errors on;
+    proxy_pass_request_headers on;
+
+    location ~ ^(/health|/fido2-demo) {
+      error_page 401 @401_json;
+
+      error_page 403 @403_json;
+
+      rewrite ^/health$ /fido2-demo/actuator/health break;
+      rewrite ^/fido2-demo$ $real_scheme://$http_host/fido2-demo/ permanent;
+
+      proxy_pass http://demo;
+    }
+
+    location = /favicon.ico {
+      alias /etc/nginx/html/favicon.ico;
+    }
+
+    location = / {
+      return 301 $real_scheme://$http_host/fido2-demo/;
+    }
+
+
+  }
+
+}