Cleaned up local OIDC setup

CHANGELOG.md

@@ -6,6 +6,9 @@ Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+* [PR-591](https://github.com/itk-dev/deltag.aarhus.dk/pull/591)
+  * Cleaned up local OIDC setup
+  * Added test server OIDC setup
 * [PR-587](https://github.com/itk-dev/deltag.aarhus.dk/pull/587)
   Cleaned up translations
 * [PR-586](https://github.com/itk-dev/hoeringsportal/pull/586)

README.md

@@ -17,6 +17,7 @@
 4. [Pretix setup](documentation/pretix.md)
 5. [Custom Høringsportalen theme](web/themes/custom/hoeringsportal/README.md)
 6. [Testing](documentation/Testing.md)
+7. [Server](documentation/Server.md)
 
 ## Database dumps
 

docker-compose.oidc.yml

@@ -2,24 +2,17 @@ services:
   # https://github.com/geigerzaehler/oidc-provider-mock
   idp-citizen:
     image: ghcr.io/geigerzaehler/oidc-provider-mock:latest
-    profiles:
-      - oidc
-      - test
     # Let this container be accessible both internally and externally on the same domain.
     container_name: idp-citizen.${COMPOSE_DOMAIN}
     networks:
       - app
       - frontend
-    ports:
-      - "80"
     labels:
       - "traefik.enable=true"
       - "traefik.docker.network=frontend"
       - "traefik.http.routers.${COMPOSE_PROJECT_NAME}-idp.rule=Host(`idp-citizen.${COMPOSE_DOMAIN}`)"
     command:
       [
-        "--port",
-        "80",
         "--user-claims",
         '{"sub": "citizen1", "dk_ssn": "1111111111", "name": "Anders And", "zip": "1111"}',
         "--user-claims",
@@ -34,27 +27,19 @@ services:
         '{"sub": "aarhusianer", "dk_ssn": "2611740000", "name": "Betina Henningsentest"}',
       ]
 
-  # https://github.com/Soluto/oidc-server-mock
   idp-employee:
     image: ghcr.io/geigerzaehler/oidc-provider-mock:latest
-    profiles:
-      - oidc
-      - test
     # Let this container be accessible both internally and externally on the same domain.
     container_name: idp-employee.${COMPOSE_DOMAIN}
     networks:
       - app
       - frontend
-    ports:
-      - "80"
     labels:
       - "traefik.enable=true"
       - "traefik.docker.network=frontend"
       - "traefik.http.routers.${COMPOSE_PROJECT_NAME}_idp-employee.rule=Host(`idp-employee.${COMPOSE_DOMAIN}`)"
     command:
       [
-        "--port",
-        "80",
         "--user-claims",
         '{"sub": "user", "email": "user@example.com", "groups": ["authenticated"]}',
         "--user-claims",
@@ -78,7 +63,7 @@ services:
   idp_mock_api:
     image: dotronglong/faker:stable
     profiles:
-      - oidc
+      - oidc-api
     networks:
       - app
       - frontend

docker-compose.server.oidc.yml

@@ -0,0 +1,76 @@
+# Use this file to enable test OIDC login on a test server, e.g.
+#
+# ``` sh
+# # .env.docker.local
+# COMPOSE_FILES=…,docker-compose.server.oidc.yml
+# ```
+
+services:
+  idp-citizen:
+    image: ghcr.io/geigerzaehler/oidc-provider-mock:latest
+    restart: unless-stopped
+    networks:
+      - app
+      - frontend
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=frontend"
+      - "traefik.http.routers.idp-citizen_${COMPOSE_PROJECT_NAME}-http.rule=Host(`idp-citizen.${COMPOSE_SERVER_DOMAIN}`)"
+      - "traefik.http.routers.idp-citizen_${COMPOSE_PROJECT_NAME}-http.entrypoints=web"
+      - "traefik.http.routers.idp-citizen_${COMPOSE_PROJECT_NAME}-http.middlewares=redirect-to-https"
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+      - "traefik.http.routers.idp-citizen_${COMPOSE_PROJECT_NAME}.rule=Host(`idp-citizen.${COMPOSE_SERVER_DOMAIN}`)"
+      - "traefik.http.routers.idp-citizen_${COMPOSE_PROJECT_NAME}.entrypoints=websecure"
+      - "traefik.http.services.idp-citizen_${COMPOSE_PROJECT_NAME}.loadbalancer.server.port=9400"
+    command:
+      [
+        "--user-claims",
+        '{"sub": "citizen1", "dk_ssn": "1111111111", "name": "Anders And", "zip": "1111"}',
+        "--user-claims",
+        '{"sub": "citizen2", "dk_ssn": "2222222222", "name": "Bent Betjentsen", "zip": "2222"}',
+        "--user-claims",
+        '{"sub": "citizen3", "dk_ssn": "3333333333", "name": "Carsten Carlsen", "zip": "3333"}',
+        "--user-claims",
+        '{"sub": "citizen4", "dk_ssn": "4444444444", "name": "Dorte Dyhr", "zip": "4444"}',
+        "--user-claims",
+        '{"sub": "ikke-aarhusianer", "dk_ssn": "1705880000", "name": "Troels Bondetest"}',
+        "--user-claims",
+        '{"sub": "aarhusianer", "dk_ssn": "2611740000", "name": "Betina Henningsentest"}',
+      ]
+
+  idp-employee:
+    image: ghcr.io/geigerzaehler/oidc-provider-mock:latest
+    networks:
+      - app
+      - frontend
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=frontend"
+      - "traefik.http.routers.idp-employee_${COMPOSE_PROJECT_NAME}-http.rule=Host(`idp-employee.${COMPOSE_SERVER_DOMAIN}`)"
+      - "traefik.http.routers.idp-employee_${COMPOSE_PROJECT_NAME}-http.entrypoints=web"
+      - "traefik.http.routers.idp-employee_${COMPOSE_PROJECT_NAME}-http.middlewares=redirect-to-https"
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+      - "traefik.http.routers.idp-employee_${COMPOSE_PROJECT_NAME}.rule=Host(`idp-employee.${COMPOSE_SERVER_DOMAIN}`)"
+      - "traefik.http.routers.idp-employee_${COMPOSE_PROJECT_NAME}.entrypoints=websecure"
+      - "traefik.http.services.idp-employee_${COMPOSE_PROJECT_NAME}.loadbalancer.server.port=9400"
+    command:
+      [
+        "--user-claims",
+        '{"sub": "user", "email": "user@example.com", "groups": ["authenticated"]}',
+        "--user-claims",
+        '{"sub": "page_editor", "email": "page_editor@example.com", "groups": ["page_editor"]}',
+        "--user-claims",
+        '{"sub": "public_meeting_editor", "email": "public_meeting_editor@example.com", "groups": ["public_meeting_editor"]}',
+        "--user-claims",
+        '{"sub": "dialogue_editor", "email": "dialogue_editor@example.com", "groups": ["dialogue_editor"]}',
+        "--user-claims",
+        '{"sub": "decision_editor", "email": "decision_editor@example.com", "groups": ["decision_editor"]}',
+        "--user-claims",
+        '{"sub": "project_editor", "email": "project_editor@example.com", "groups": ["project_editor"]}',
+        "--user-claims",
+        '{"sub": "hearing_editor", "email": "hearing_editor@example.com", "groups": ["hearing_editor"]}',
+        "--user-claims",
+        '{"sub": "citizen_proposal_editor", "email": "citizen_proposal_editor@example.com", "groups": ["citizen_proposal_editor"]}',
+        "--user-claims",
+        '{"sub": "administrator", "email": "administrator@example.com", "groups": ["administrator"]}',
+      ]

documentation/Server.md

@@ -0,0 +1,4 @@
+# Server
+
+To easy user login (as both employee and citizen) on *test servers*, we have a test server OIDC setup in
+[`docker-compose.server.oidc.yml`](../docker-compose.server.oidc.yml), which see.

documentation/localDevelopment.md

@@ -111,8 +111,8 @@ Start docker
 ```sh
 docker compose pull
 docker compose up --detach
-# Note: If you want to start pretix and the mock OIDC IdP you have to enable the "pretix" and "oidc" profiles (cf. https://docs.docker.com/compose/profiles/):
-# docker compose --profile pretix --profile oidc up --detach
+# Note: If you want to start pretix you have to enable the "pretix" profile (cf. https://docs.docker.com/compose/profiles/):
+# docker compose --profile pretix up --detach
 docker compose exec phpfpm composer install
 docker compose exec phpfpm vendor/bin/drush --yes site:install --existing-config
 

documentation/openIdConnect.md

@@ -34,9 +34,9 @@ docker compose exec phpfpm vendor/bin/drush config:get --include-overridden open
 See the [Høringsportalen OpenID Connect module](../web/modules/custom/hoeringsportal_openid_connect/README.md) for
 details on configuring OpenID Connect authentification for citizens.
 
-For local testing we use [OpenId Connect Server Mock](https://github.com/Soluto/oidc-server-mock) for (almost) real
+For local testing we use [OpenID Provider Mock](https://github.com/geigerzaehler/oidc-provider-mock) for (almost) real
 OpenID Connect. Users and their claims are defined in
-[`docker-compose.override.yml`](../../../../docker-compose.override.yml).
+[`docker-compose.oidc.yml`](../../../../docker-compose.oidc.yml).
 
 ## Employee authentification
 
@@ -56,24 +56,16 @@ docker compose exec phpfpm vendor/bin/drush php:eval "\Drupal\taxonomy\Entity\Te
 ## Debugging OpenID Connect authentification
 
 ```sh
-docker compose --profile oidc up --detach
+docker compose up --detach
 ```
 
 ### Local OIDC test
 
-During (local) development we use [OpenId Connect Server Mock](https://github.com/Soluto/oidc-server-mock) (cf.
+During (local) development we use [OpenID Provider Mock](https://github.com/geigerzaehler/oidc-provider-mock) (cf.
 [`docker-compose.oidc.yml`](docker-compose.oidc.yml) which is
 [included](https://docs.docker.com/compose/how-tos/multiple-compose-files/include/) in
 [`docker-compose.override.yml`](docker-compose.override.yml)).
 
-#### Employees
-
-| Username            | Password             | Groups        |
-|---------------------|----------------------|---------------|
-| department1-admin   | department1-admin    | administrator |
-| department2-editor  | department2-editor   | editor        |
-| department3-editor  | department3-editor   | editor        |
-
 ## Debug OIDC
 
 During development it can be useful to see the user info we actually get during OpenID Connect authentification, and to
@@ -106,13 +98,13 @@ The json files with mock returns are located in the `mocks` folder in the root o
 To test if this works, patiently wait for:
 
 ```sh
-docker compose --profile oidc up --detach
+docker compose up --detach
 ```
 
 To test if it works, run (should return something starting with `HTTP/1.1 200 OK`)
 
 ```sh
-curl -d '{}' "http://$(docker compose --profile oidc port idp_mock_api 3030)/users"
+curl -d '{}' "http://$(docker compose port idp_mock_api 3030)/users"
 ```
 
 or
@@ -188,6 +180,6 @@ above config file (here, `userprincipalname`).
 ### Test delta sync
 
 ```sh
-docker compose --profile oidc up --detach
+docker compose --profile oidc-api up --detach
 ./test-delta-sync
 ```