User Authentication Implementation

web-server/Dockerfile

@@ -0,0 +1,31 @@
+# Use the official Node.js 14 image as the base image
+FROM node:18
+
+RUN apt update && apt install -y authbind \
+        && rm -rf /var/lib/apt/lists/* \
+        && rm -rf /var/cache/apk/*
+# Set the working directory
+WORKDIR /usr/src/app
+
+# Copy package.json and package-lock.json (if available)
+COPY package*.json ./
+
+# Install dependencies
+RUN npm install
+# Copy the rest of the application code
+COPY . .
+
+# Build the TypeScript code
+RUN npm run build \
+    && touch /etc/authbind/byport/443 \
+    && chown root /etc/authbind/byport/443 \
+    && chmod 777 /etc/authbind/byport/443 \
+    && touch /etc/authbind/byport/80 \
+    && chown root /etc/authbind/byport/80 \
+    && chmod 777 /etc/authbind/byport/80
+
+# Expose the port the app runs on
+EXPOSE 1337
+
+# Define the command to run the app
+CMD ["authbind", "npm", "start"]

web-server/docker-compose.yaml

@@ -0,0 +1,76 @@
+services:
+# marquez-web
+  web:
+    build:
+      context: ../web
+      dockerfile: Dockerfile
+    container_name: marquez-web
+    environment:
+      - MARQUEZ_HOST=marquez-api
+      - MARQUEZ_PORT=5000
+      - WEB_PORT=3000
+    expose:
+      - "3000"
+    stdin_open: true
+    tty: true
+    depends_on:
+      - api
+    networks:
+      - app-network
+
+# marquez-web-server
+  marquez-web-server:
+    build:
+      dockerfile: ./Dockerfile
+    container_name: marquez-web-server
+    ports:
+      - "1337:1337"
+    environment:
+      - SESSION_SECRET=your_secret_key
+    depends_on:
+      - web
+    networks:
+      - app-network
+
+  # OAuth2 proxy
+  oauth2-proxy:
+    build:
+      context: ./oauth2-proxy
+      dockerfile: Dockerfile
+    container_name: oauth2-proxy
+    # volumes:
+    #   - ./docker/oauth2-proxy/oauth2_proxy.cfg:/etc/oauth2_proxy.cfg
+    ports:
+      - "4180:4180"
+    env_file:
+      - .env
+    depends_on:
+      - web
+      - marquez-web-server
+    networks:
+      - app-network
+
+  nginx-proxy:
+    build:
+      context: ./nginx
+      dockerfile: Dockerfile
+    container_name: nginx-proxy
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+      - ./nginx/certs/certs:/etc/nginx/certs:ro
+      - ./nginx/logs:/var/log/nginx
+    # environment:
+    #   - BASIC_AUTH_USER=testuser
+    #   - BASIC_AUTH_PASSWORD=password
+    depends_on:
+      - oauth2-proxy
+      - web
+    networks:
+      - app-network
+
+networks:
+  app-network:
+    driver: bridge

web-server/nginx/Dockerfile

@@ -0,0 +1,25 @@
+# Use the official NGINX base image
+FROM nginx:1.27.2-alpine
+
+# Remove the default NGINX configuration
+RUN rm -f /etc/nginx/conf.d/default.conf
+
+# Update and install required packages, including aws-cli and PyYAML
+RUN apk update && \
+    apk add --no-cache python3 py3-pip py3-yaml aws-cli openssl bash
+
+# Copy your custom NGINX configuration
+COPY nginx.conf /etc/nginx/nginx.conf
+
+# Copy and set permissions for init.sh
+COPY init.sh /init.sh
+RUN chmod +x /init.sh
+
+# Expose ports (optional)
+EXPOSE 80 443
+
+# Set the entrypoint
+ENTRYPOINT ["/init.sh"]
+
+# Start NGINX
+CMD ["nginx", "-g", "daemon off;"]

web-server/nginx/domain.ext

@@ -0,0 +1,8 @@
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage=serverAuth
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = *.nubank.world

web-server/nginx/init.sh

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+set -eu
+
+mkdir -p /etc/nginx/certs
+aws s3 cp --region us-west-2 s3://nu-keysets-data-staging/certificates/pri/global/keystore.p12-2022-2023 /etc/nginx/certs
+cd /etc/nginx/certs
+openssl pkcs12 -in keystore.p12 -passin pass:nubankp12 -nocerts -nodes | sed -n '/BEGIN/,$p' > nubank_key.pem
+openssl pkcs12 -in keystore.p12 -passin pass:nubankp12 -nokeys > nubank_cert.pem
+
+rm /etc/nginx/certs/keystore.p12
+chmod 400 /etc/nginx/certs/nubank_key.pem
+
+envsubst '${DOMAIN} ${ES_INDEX} ${REDIRECTS}' < /templates/nginx.conf.template > /etc/nginx/nginx.conf
+
+echo "Starting nginx"
+
+exec "$@"

web-server/nginx/nginx.conf

@@ -0,0 +1,133 @@
+events {
+    worker_connections 4096;
+}
+
+http {
+    server_tokens off;
+
+    # Include mime types
+    include       mime.types;
+    default_type  application/octet-stream;
+
+    # Logging Settings
+    access_log  /dev/stdout;
+    error_log   /dev/stderr;
+
+    # Keepalive Timeout
+    keepalive_timeout 65;
+
+    # Redirect HTTP to HTTPS
+    server {
+        listen 80;
+        server_name staging-marquez-web.nubank.world;
+        return 301 https://$host$request_uri;
+    }
+
+    # HTTPS Server Block
+    server {
+        listen 443 ssl;
+        server_name staging-marquez-web.nubank.world;
+
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_prefer_server_ciphers on;
+        ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:...
+        ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
+        ssl_session_timeout 10m;
+        ssl_session_tickets off;
+        ssl_stapling on;
+
+        # SSL Certificate Settings
+        ssl_certificate     /etc/nginx/certs/nubank_cert.pem;
+        ssl_certificate_key /etc/nginx/certs/nubank_key.pem;
+
+        # Security Headers
+        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+        add_header X-Content-Type-Options nosniff;
+        add_header X-XSS-Protection "1; mode=block";
+        add_header Cache-Control "no-cache";
+
+        # Health Check Endpoint
+        location /healthcheck {
+            access_log off;
+            return 200 'OK';
+            add_header Content-Type text/plain;
+        }
+
+        # OAuth2 Proxy Configuration
+        location /oauth2/ {
+            proxy_pass         http://marquez-web-oauth2-proxy.data-lineage.svc.cluster.local:4180;
+            proxy_set_header   Host              $host;
+            proxy_set_header   X-Real-IP         $remote_addr;
+            proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+            proxy_set_header   X-Forwarded-Proto $scheme;
+        }
+
+        # Authentication Start Endpoint
+        location /oauth2/start {
+            proxy_pass         http://marquez-web-oauth2-proxy.data-lineage.svc.cluster.local:4180/start;
+            proxy_set_header   Host                   $host;
+            proxy_set_header   X-Real-IP              $remote_addr;
+            proxy_set_header   X-Forwarded-For        $proxy_add_x_forwarded_for;
+            proxy_set_header   X-Forwarded-Proto      $scheme;
+            proxy_set_header   X-Auth-Request-Redirect $request_uri;
+        }
+
+        # OAuth2 Authentication Request
+        location /oauth2/auth {
+            internal;
+            proxy_pass          http://marquez-web-oauth2-proxy.data-lineage.svc.cluster.local:4180/auth;
+            proxy_set_header    Host             $host;
+            proxy_set_header    X-Real-IP        $remote_addr;
+            proxy_set_header    X-Forwarded-For  $proxy_add_x_forwarded_for;
+            proxy_set_header    X-Forwarded-Proto $scheme;
+            proxy_set_header    Content-Length   "";
+            proxy_pass_request_body off;
+        }
+
+        # Sign-Out Endpoint
+        location /logout {
+            proxy_pass          http://marquez-web-oauth2-proxy.data-lineage.svc.cluster.local:4180/sign_out?rd=https://staging-marquez-web.nubank.world;
+            proxy_set_header    Host                   $host;
+            proxy_set_header    X-Real-IP              $remote_addr;
+            proxy_set_header    X-Forwarded-For        $proxy_add_x_forwarded_for;
+            proxy_set_header    X-Forwarded-Proto      $scheme;
+            proxy_set_header    X-Auth-Request-Redirect $request_uri;
+        }
+
+        # Protect Frontend Routes
+        location / {
+            auth_request /oauth2/auth;
+            error_page 401 = /oauth2/start;
+            proxy_pass         http://marquez-web-ui:443;
+            proxy_set_header   Host              $host;
+            proxy_set_header   X-Real-IP         $remote_addr;
+            proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+            proxy_set_header   X-Forwarded-Proto $scheme;
+            proxy_http_version 1.1;
+
+            # Pass user information to the backend
+            auth_request_set $user   $upstream_http_x_auth_request_user;
+            proxy_set_header X-User  $user;
+        }
+
+        # Protected API Endpoint
+        location /proxy/ {
+            # Authentication
+            auth_request /oauth2/auth;
+            error_page 401 = /oauth2/start;
+
+            # Proxy to your service
+            proxy_pass http://marquez-web-auth-server:1337;
+
+            # Proxy settings
+            proxy_set_header Host              $host;
+            proxy_set_header X-Real-IP         $remote_addr;
+            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            # Pass user information to the backend
+            auth_request_set $user $upstream_http_x_auth_request_user;
+            proxy_set_header X-Auth-Request-User $user;
+        }
+    }
+}