First commit

Author: fdonnet

.github/workflows/push-to-main.yml

@@ -0,0 +1,49 @@
+name: Integration_Tests
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    env:
+      ASPNETCORE_ENVIRONMENT: 'Development'
+      # Parameters__auth-base-url: ${{ secrets.AUTH_BASE_URL }}
+      # Parameters__test-auth0-client-id: ${{ secrets.TEST_AUTH0_CLIENT_ID }}
+      # Parameters__test-auth0-client-secret: ${{ secrets.TEST_AUTH0_CLIENT_SECRET }}
+      # Parameters__auth0-audience: ${{ secrets.AUTH0_AUDIENCE }}
+      # Parameters__test-auth0-admin-username: ${{ secrets.TEST_AUTH0_ADMIN_USERNAME }}
+      # Parameters__test-auth0-admin-password: ${{ secrets.TEST_AUTH0_ADMIN_PASSWORD }}
+      # Parameters__test-auth0-user1-username: ${{ secrets.TEST_AUTH0_USER1_USERNAME }}
+      # Parameters__test-auth0-user1-password: ${{ secrets.TEST_AUTH0_USER1_PASSWORD }}
+      # Parameters__test-auth0-user2-username: ${{ secrets.TEST_AUTH0_USER2_USERNAME }}
+      # Parameters__test-auth0-user2-password: ${{ secrets.TEST_AUTH0_USER2_PASSWORD }}
+      # Parameters__test-auth0-userinactive-username: ${{ secrets.TEST_AUTH0_USERINACTIVE_USERNAME }}
+      # Parameters__test-auth0-userinactive-password: ${{ secrets.TEST_AUTH0_USERINACTIVE_PASSWORD }}
+      # ConnectionStrings__messaging: ${{ secrets.MESSAGING_URL }}
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Set up .NET
+      uses: actions/setup-dotnet@v4
+      with:
+        dotnet-version: '9.0.x'
+
+    - name: Restore dependencies
+      run: dotnet restore
+
+    - name: Build
+      run: dotnet build --no-restore --configuration Release
+
+    - name: Run tests
+      if: ${{ success() }}
+      run: dotnet test --no-build --configuration Release
+

README.md

@@ -1,2 +1,64 @@
-# yarp-security-api-and-ui
-Security layer (API) that you can use to protect your Yarp routes and the apis behind it. A Blazor ui is available to configure your thing. Subscriptions and tenants management included.
+# Yarp-security-api-and-ui (alpha)
+
+![Yarp Security API and UI](./best-schema.png)
+
+- A security API to protect your backend.
+- Yarp proxy as an entry point.
+- Compatible with any OAuth/OpenID Connect provider (e.g., Keycloak).
+- Optional security UI for quick bootstrapping (Blazor, and components in auto mode).
+- **Designed to manage subscriptions and multi-tenants.**
+
+## Goal
+
+This project allows you to choose any OAuth provider and remain independent in terms of your security design. You can add any frontend (Blazor, Next.js, SvelteKit) or backend APIs in front or behind this security layer. For a full SPA, you can modify Yarp to be a full BFF (Backend for Frontend).
+
+## Usage
+
+Consider this project as a draft template rather than a complete setup. Customize it based on your needs.
+
+*Yarp, with the support of the Security API, will protect your backend with its powerful authorization handler mechanism and will forward your calls to your backends with the needed information (userid, tenantid) encoded in the headers.*
+
+> **Warning:** Never use any of the secrets exposed here and never use the Keycloak realm file to protect a real project exposed on the web. Always recreate your own secrets and configurations.
+
+> **Warning:** It's an alpha project, don't go on prod before strong validation on your side...
+
+## Running the Project
+
+1. Run the Aspire AppHost.
+2. Access the Blazor Security UI.
+
+User accounts for login in Security UI:
+
+| User | Password | Actions |
+|------|-------------|------|
+| adminuser | admin | can manage system roles and authorizations |
+| user1| user | manage subscription and tenant |
+
+Don't remove the "TenantManger" role on the user1, or detatch him from the subscription, or your will be locked out of your tenant.
+(implements your own better rules).
+
+3. Play and deep dive in the code...
+
+*If you want to run the integration test project, pls comment this line: 
+`await Task.Delay(120000);` in AspireFixiture.cs it's only there for github actions (waiting for Keycloak to be up).*
+
+## Customization
+
+You can modify the setup based on your requirements. The project is configured with Keycloak and RabbitMQ (for revoke cache requests) but is compatible with other systems like Azure Service Bus (tested) and OAuth (tested). You can also remove some parts if needed (caching, service bus)
+
+## Dependencies
+
+Show your support for the following dependencies on their GitHub pages:
+- [Blazor FluentUI](https://github.com/microsoft/fluentui-blazor)
+- [MassTransit](https://github.com/MassTransit/MassTransit)
+- [LanguageExt](https://github.com/louthy/language-ext)
+- ...
+
+## Subscriptions and multi-tenants
+
+For your backend APIs, in the EF Core pooled DbContext factory, the user is injected (see Security API), so you can easily use EF Core query filters for a simple setup or implement your own methods to inject a DbConnection string by tenant...
+
+## How You Can Help
+
+If you find this project useful, you can help by reviewing the implementation or contributing to make it more generic (user onboarding from oauth provider via webhook or other stuff). It's a side project on a boring and not "sexy" topic for me, but I hope it can be helpful to some of you. This project aims to avoid fully managed pricey solutions because, in the end, we only need simple OAuth authentication and to manage our authorization layer by ourselves. Help on that will be appreciated.
+

UbikLink.AppHost/Program.cs

@@ -0,0 +1,102 @@
+//TODO: implement for dev and prod environnement
+
+var builder = DistributedApplication.CreateBuilder(args);
+
+//Secret
+var postgresUsername = builder.AddParameter("postgres-username", secret: true);
+var postgresPassword = builder.AddParameter("postgres-password", secret: true);
+var securitytoken = builder.AddParameter("security-api-token", secret: true);
+var authBaseUrl = builder.AddParameter("auth-base-url", secret: true);
+var authMetadataUrl = builder.AddParameter("auth-metadata-url", secret: true);
+var authTokenUrl = builder.AddParameter("auth-token-url", secret: true);
+var authAudience = builder.AddParameter("auth0-audience", secret: true);
+var securityClientAppId = builder.AddParameter("auth-security-client-app-id", secret: true);
+var securityClientAppSecret = builder.AddParameter("auth-security-client-app-secret", secret: true);
+var messagebusConnectionString = builder.AddParameter("messaging-url", secret: true);
+var rabbitUser = builder.AddParameter("rabbit-username", secret: true);
+var rabbitPassword = builder.AddParameter("rabbit-password", secret: true);
+var transportType = builder.AddParameter("transport-type", secret: false);
+
+//Postgres (local)
+var db = builder.AddPostgres("ubiklink-postgres", postgresUsername, postgresPassword)
+    .WithDataVolume(isReadOnly: false)
+    .WithEnvironment("POSTGRES_DB", "postgres")
+    .WithPgAdmin()
+    .WithLifetime(ContainerLifetime.Persistent);
+
+//Azure Service Bus or rabbitmq (option)
+var serviceBus = builder.AddConnectionString("messaging");
+
+//RabbitMQ (local)
+var rabbitmq = builder.AddRabbitMQ("ubiklink-rabbitmq", rabbitUser, rabbitPassword)
+    .WithManagementPlugin()
+    .WithLifetime(ContainerLifetime.Persistent);
+
+//oAuth/openIdc (local) with keycloack
+var keycloak = builder.AddKeycloak("keycloak", 8080)
+    .WithRealmImport("./Realm")
+    .WithLifetime(ContainerLifetime.Persistent);
+
+//Azure redis cache (for prod)
+//var cache = builder.AddAzureRedis("cache");
+
+//Redis cache (local)
+var cache = builder.AddRedis("cache")
+    .WithLifetime(ContainerLifetime.Persistent);
+
+//Security API
+var securityDB = db.AddDatabase("ubiklink-security-db", "ubiklink_security_db");
+var securityApi = builder.AddProject<Projects.UbikLink_Security_Api>("ubiklink-security-api")
+    .WithEnvironment("Proxy__Token", securitytoken)
+    .WithEnvironment("ConnectionStrings__messaging", messagebusConnectionString)
+    .WithEnvironment("Messaging__Transport", transportType)
+    .WithEnvironment("Messaging__RabbitUser", rabbitUser)
+    .WithEnvironment("Messaging__RabbitPassword", rabbitPassword)
+    .WithReference(securityDB)
+    .WaitFor(securityDB)
+    .WithReference(rabbitmq)
+    .WithReference(serviceBus);
+
+//Proxy
+var proxy = builder.AddProject<Projects.UbikLink_Proxy>("ubiklink-proxy")
+    .WithEnvironment("Proxy__Token",securitytoken)
+    .WithEnvironment("Parameters__auth-base-url", authBaseUrl)
+    .WithEnvironment("Parameters__auth0-audience", authAudience)
+    .WithEnvironment("ConnectionStrings__messaging", messagebusConnectionString)
+    .WithEnvironment("Messaging__Transport", transportType)
+    .WithEnvironment("Messaging__RabbitUser", rabbitUser)
+    .WithEnvironment("Messaging__RabbitPassword", rabbitPassword)
+    .WithReference(securityApi)
+    .WithReference(keycloak)
+    .WithReference(cache)
+    .WithReference(serviceBus)
+    .WithReference(rabbitmq)
+    .WaitFor(cache)
+    .WaitFor(securityApi)
+    .WaitFor(keycloak);
+    
+//.WithReference(rabbitmq)
+// .WaitFor(rabbitmq)
+
+//Security UI
+builder.AddProject<Projects.UbikLink_Security_UI>("ubiklink-security-ui")
+    .WithReference(cache)
+    .WaitFor(cache)
+    .WithReference(proxy)
+    .WaitFor(proxy)
+    .WithReference(serviceBus)
+    .WithReference(rabbitmq)
+    .WithReference(keycloak)
+    .WaitFor(keycloak)
+    .WithEnvironment("ConnectionStrings__messaging", messagebusConnectionString)
+    .WithEnvironment("AuthConfig__MetadataAddress", authMetadataUrl)
+    .WithEnvironment("AuthConfig__Authority", authBaseUrl)
+    .WithEnvironment("AuthConfig__Audience", authAudience)
+    .WithEnvironment("AuthConfig__TokenUrl", authTokenUrl)
+    .WithEnvironment("AuthConfig__ClientId", securityClientAppId)
+    .WithEnvironment("AuthConfig__ClientSecret", securityClientAppSecret)
+    .WithEnvironment("Messaging__Transport", transportType)
+    .WithEnvironment("Messaging__RabbitUser", rabbitUser)
+    .WithEnvironment("Messaging__RabbitPassword", rabbitPassword);
+
+await builder.Build().RunAsync();

UbikLink.AppHost/Properties/launchSettings.json

@@ -0,0 +1,27 @@
+{
+  "profiles": {
+    "https": {
+      "commandName": "Project",
+      "launchBrowser": false,
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development",
+        "DOTNET_ENVIRONMENT": "Development",
+        "DOTNET_DASHBOARD_OTLP_ENDPOINT_URL": "https://localhost:21123",
+        "DOTNET_RESOURCE_SERVICE_ENDPOINT_URL": "https://localhost:22164"
+      },
+      "dotnetRunMessages": true,
+      "applicationUrl": "https://localhost:17150;http://localhost:15030"
+    },
+    "http": {
+      "commandName": "Project",
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development",
+        "DOTNET_ENVIRONMENT": "Development",
+        "DOTNET_DASHBOARD_OTLP_ENDPOINT_URL": "http://localhost:19169",
+        "DOTNET_RESOURCE_SERVICE_ENDPOINT_URL": "http://localhost:20212"
+      },
+      "dotnetRunMessages": true,
+      "applicationUrl": "http://localhost:15030"
+    }
+  }
+}