From 6f852d092fc356d738e7731954ca9413e0e3210e Mon Sep 17 00:00:00 2001 From: "David H. Lam" Date: Thu, 17 Oct 2024 14:39:04 +0200 Subject: [PATCH 1/5] Config needed for using ias and sms --- app/xs-app.json | 26 ++--- mta-multi-tenant.yaml | 147 +++++++++++++++--------- mtx/sidecar/package.json | 3 + srv/src/main/resources/application.yaml | 1 + 4 files changed, 108 insertions(+), 69 deletions(-) diff --git a/app/xs-app.json b/app/xs-app.json index f6adf5a4..a485a915 100644 --- a/app/xs-app.json +++ b/app/xs-app.json 
@@ -7,66 +7,66 @@ "cacheControl": "no-cache, no-store, must-revalidate", "target": "$1", "localDir": "./", - "authenticationType": "xsuaa" + "authenticationType": "ias" }, { "source": "^/appconfig/(.*)$", "localDir": "./", - "authenticationType": "xsuaa" + "authenticationType": "ias" }, { "source": "^/browse/webapp/(.*)$", "localDir": "./", - "authenticationType": "xsuaa" + "authenticationType": "ias" }, { "source": "^/admin/webapp/(.*)$", "localDir": "./", - "authenticationType": "xsuaa" + "authenticationType": "ias" }, { "source": "^/orders/webapp/(.*)$", "localDir": "./", - "authenticationType": "xsuaa" + "authenticationType": "ias" }, { "source": "^/reviews/webapp/(.*)$", "localDir": "./", - "authenticationType": "xsuaa" + "authenticationType": "ias" }, { "source": "^/notes/webapp/(.*)$", "localDir": "./", - "authenticationType": "xsuaa" + "authenticationType": "ias" }, { "source": "^/addresses/webapp/(.*)$", "localDir": "./", - "authenticationType": "xsuaa" + "authenticationType": "ias" }, { "source": "^/vue/(.*)$", "localDir": "./", - "authenticationType": "xsuaa" + "authenticationType": "ias" }, { "source": "^/api/admin/(.*)", - "authenticationType": "xsuaa", + "authenticationType": "ias", "destination": "backend" }, { "source": "^/api/browse/(.*)", - "authenticationType": "xsuaa", + "authenticationType": "ias", "destination": "backend" }, { "source": "^/api/review/(.*)", - "authenticationType": "xsuaa", + "authenticationType": "ias", "destination": "backend" }, { "source": "^/api/notes/(.*)", - "authenticationType": "xsuaa", + "authenticationType": "ias", "destination": "backend" }, { diff --git a/mta-multi-tenant.yaml b/mta-multi-tenant.yaml index e42d3ad2..c20c68db 100644 --- a/mta-multi-tenant.yaml +++ b/mta-multi-tenant.yaml 
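Review bot: The switch of every route's `"authenticationType"` from `"xsuaa"` to `"ias"` in this hunk is never undone, while PATCH 3/4 restore `mta-multi-tenant.yaml` to the xsuaa variant (`bookshop-mt-uaa`, `bookshop-mt-saas-registry`); the same holds for the sidecar's new `"requires": { "auth": "ias" }` in the mtx/sidecar/package.json hunk of PATCH 1 and the `security.authorization.deep.enabled` line in application.yaml. Unless a change outside this series reverts them, a deployment from the restored descriptor binds the approuter to an xsuaa instance but serves an xs-app.json that demands IAS, and I would expect every route to fail authentication at runtime. Either restore these files together with the descriptor, or keep IAS-specific copies of xs-app.json and package.json beside the new `mta-multi-tenant-ias-ams.yaml` so each descriptor ships with matching application configuration. This hunk covers lines 7–72 of xs-app.json only; any route outside that range is not visible here.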
@@ -1,19 +1,22 @@ _schema-version: '2.1' -ID: bookshop-mt +ID: bookshop-mt-ias version: 1.0.0 description: "Multitenant Bookshop CAP Java Project with UI" parameters: enable-parallel-deployments: true modules: -# --------------------- SERVER MODULE ------------------------ - - name: bookshop-mt-srv -# ------------------------------------------------------------ + # --------------------- SERVER MODULE ------------------------ + - name: bookshop-mt-ias-srv + # ------------------------------------------------------------ type: java path: srv parameters: memory: 1024M disk-quota: 512M buildpack: sap_java_buildpack_jakarta + routes: + - route: '${default-url}' + - route: '${default-host}.cert.${default-domain}' properties: SPRING_PROFILES_ACTIVE: cloud,sandbox CDS_MULTITENANCY_APPUI_TENANTSEPARATOR: "-" @@ -25,9 +28,16 @@ modules: - mvn clean package -DskipTests=true build-result: target/*-exec.jar requires: - - name: bookshop-mt-service-manager - - name: bookshop-mt-uaa - - name: bookshop-mt-saas-registry + - name: bookshop-service-manager + - name: bookshop-sms + - name: bookshop-identity + parameters: + config: + credential-type: "X509_GENERATED" + key-length: 2048 + validity: 30 + validity-type: "DAYS" + app-identifier: "microservice1" - name: mtx-api properties: CDS_MULTITENANCY_SIDECAR_URL: ~{mtx-url} @@ -39,9 +49,10 @@ modules: - name: srv-api properties: srv-url: '${default-url}' -# --------------------- SIDECAR MODULE ----------------------- - - name: bookshop-mt-sidecar -# ------------------------------------------------------------ + srv-cert-url: '${protocol}://${default-host}.cert.${default-domain}' + # --------------------- SIDECAR MODULE ----------------------- + - name: bookshop-mt-ias-sidecar + # ------------------------------------------------------------ type: nodejs path: mtx/sidecar parameters: 
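Review bot: The `bookshop-identity` binding added under `requires` sets `validity: 30` / `validity-type: "DAYS"` on an `X509_GENERATED` credential, and the same block is repeated for the sidecar (next hunk), the approuter (the `-72,64 +90,81` hunk) and again in the new `mta-multi-tenant-ias-ams.yaml`, yet nothing records that the generated certificate expires after 30 days and that the modules must be re-bound or re-deployed before then. A comment above each block, e.g. `# X.509 binding cert expires after 30 days; rebind/redeploy before expiry`, or a longer validity with a documented rotation procedure, would make that operational constraint visible. All three modules also share `app-identifier: "microservice1"`; if that value feeds the certificate subject, the server, sidecar and approuter become indistinguishable to the identity service, so distinct identifiers such as `"bookshop-srv"`, `"bookshop-sidecar"` and `"bookshop-app"` look safer — please confirm against the identity-service binding documentation.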
@@ -53,18 +64,25 @@ modules: commands: - npm run build requires: - - name: bookshop-mt-srv + - name: bookshop-mt-ias-srv requires: - - name: bookshop-mt-service-manager - - name: bookshop-mt-uaa + - name: bookshop-service-manager + - name: bookshop-identity + parameters: + config: + credential-type: "X509_GENERATED" + key-length: 2048 + validity: 30 + validity-type: "DAYS" + app-identifier: "microservice1" - name: cf-logging provides: - name: mtx-api properties: mtx-url: ${default-url} -# --------------------- APPROUTER MODULE --------------------- - - name: bookshop-mt-app -# ------------------------------------------------------------ + # --------------------- APPROUTER MODULE --------------------- + - name: bookshop-mt-ias-app + # ------------------------------------------------------------ type: approuter.nodejs path: app parameters: 
@@ -72,64 +90,81 @@ modules: disk-quota: 512M keep-existing-routes: true properties: - TENANT_HOST_PATTERN: ^(.*)-${default-uri} # testing only, use custom domain with wildcard for production + TENANT_HOST_PATTERN: ^(.*)-${default-host}.${default-domain} # testing only, use custom domain with wildcard for production requires: - - name: srv-api - group: destinations - properties: - name: backend - url: ~{srv-url} - forwardAuthToken: true - strictSSL: true - - name: bookshop-mt-uaa + - name: srv-api + group: destinations + properties: + name: backend + url: ~{srv-cert-url} + forwardAuthCertificates: true + forwardAuthToken: true + strictSSL: true + - name: bookshop-identity + parameters: + config: + credential-type: "X509_GENERATED" + key-length: 2048 + validity: 30 + validity-type: "DAYS" + app-identifier: "microservice1" + - name: bookshop-sms provides: - name: app-api properties: app-url: '${default-url}' - app-domain: '${domain}' + app-domain: '${default-domain}' # --------------------- RESOURCES --------------------- resources: -# ----------------------------------------------------- - - name: bookshop-mt-uaa - type: org.cloudfoundry.managed-service - parameters: - service: xsuaa - service-plan: application - path: ./xs-security-mt.json - config: # override xsappname as it needs to be unique - xsappname: bookshop-mt-${org}-${space} - oauth2-configuration: - redirect-uris: - - https://*.~{app-api/app-domain}/** - requires: - - name: app-api - - name: bookshop-mt-service-manager + # ----------------------------------------------------- + - name: bookshop-service-manager type: org.cloudfoundry.managed-service parameters: service: service-manager service-plan: container - - name: bookshop-mt-saas-registry + - name: bookshop-identity type: org.cloudfoundry.managed-service parameters: - service: saas-registry + service: identity service-plan: application config: - appName: bookshop-mt-${org}-${space} # this is the text on the tile - xsappname: 
bookshop-mt-${org}-${space} # this is the value from xsuaa.parameters.config.xsappname - appUrls: - getDependencies: ~{srv-api/srv-url}/mt/v1.0/subscriptions/dependencies - onSubscription: ~{srv-api/srv-url}/mt/v1.0/subscriptions/tenants/{tenantId} - onSubscriptionAsync: true - onUnSubscriptionAsync: true - onUpdateDependenciesAsync: true - callbackTimeoutMillis: 3600000 - displayName: bookshop-java - description: A simple CAP Java project. - category: 'Category' + authorization: + enabled: true + value_help_url: "https://vhp-srv-develop.cert.cfapps.sap.hana.ondemand.com/odata/v4/ExampleValueHelpService/" + oauth2-configuration: + redirect-uris: [ + "https://*.cfapps.sap.hana.ondemand.com/**", + "https://*.internal.cfapps.sap.hana.ondemand.com/node/signin-oidc/*", + "http://localhost:5000/login/callback?authType=ias" + ] + xsuaa-cross-consumption: true + display-name: bookshop-identity + multi-tenant: true + - name: bookshop-sms + type: org.cloudfoundry.managed-service + parameters: + service: subscription-manager + service-plan: provider + config: + iasServiceInstanceName: bookshop-identity + applicationType: application + appName: bookshop-mt-ias + appCallbacks: + dependenciesCallbacks: + url: ~{srv-api/srv-cert-url}/mt/sms/subscriptions/tenants/{app_tid}/dependencies + subscriptionCallbacks: + url: ~{srv-api/srv-cert-url}/mt/sms/subscriptions/tenants/{app_tid} + subscribeEnable: true + unSubscribeEnable: true + timeoutInMillis: 60000 + displayName: bookshop-mt-ias + description: "Bookshop Identity" + category: "Application Development and Automation" requires: - name: srv-api + processed-after: [ bookshop-identity ] - name: cf-logging type: org.cloudfoundry.managed-service parameters: service: application-logs - service-plan: lite + service-plan: lite \ No newline at end of file diff --git a/mtx/sidecar/package.json b/mtx/sidecar/package.json index 13462cc9..842b6175 100644 --- a/mtx/sidecar/package.json +++ b/mtx/sidecar/package.json 
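Review bot: The `oauth2-configuration.redirect-uris` list on the new `bookshop-identity` resource registers `"https://*.cfapps.sap.hana.ondemand.com/**"`, a wildcard over the entire landscape domain, together with the plaintext `"http://localhost:5000/login/callback?authType=ias"`; any application on that domain, or a local listener, is then an acceptable target for the authorization-code redirect. The xsuaa block it replaces derived its URI from `~{app-api/app-domain}`, and this descriptor already knows the approuter's host shape via `TENANT_HOST_PATTERN`, so narrowing the wildcard to the approuter's own hosts (if the identity service accepts a pattern that specific) and moving the localhost entry into a development-only extension descriptor would keep the deployed configuration tight. `value_help_url` is likewise hard-coded to a `vhp-srv-develop` host instead of being derived from a provided property, which ties the production binding to a development endpoint. The same resource block is duplicated verbatim in the new `mta-multi-tenant-ias-ams.yaml` (PATCH 2) and needs the same treatment there.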
@@ -17,6 +17,9 @@ "profiles": ["mtx-sidecar", "java"], "[development]": { "requires": { "auth": "dummy" } + }, + "requires": { + "auth": "ias" } }, "scripts": { diff --git a/srv/src/main/resources/application.yaml b/srv/src/main/resources/application.yaml index dad875b3..0775a4c2 100644 --- a/srv/src/main/resources/application.yaml +++ b/srv/src/main/resources/application.yaml @@ -51,6 +51,7 @@ cds: kind: enterprise-messaging format: cloudevents subscribe-prefix: sap/S4HANAOD/java/ce/ + security.authorization.deep.enabled: true --- spring: From 4abfd341fb85e4616f16db47b50eaf6ae2a1065b Mon Sep 17 00:00:00 2001 From: "David H. Lam" Date: Fri, 18 Oct 2024 11:15:25 +0200 Subject: [PATCH 2/5] Separated mta file for IAS & AMS scenario --- mta-multi-tenant-ias-ams.yaml | 170 ++++++++++++++++++++++++++++++++++ 1 file changed, 170 insertions(+) create mode 100644 mta-multi-tenant-ias-ams.yaml diff --git a/mta-multi-tenant-ias-ams.yaml b/mta-multi-tenant-ias-ams.yaml new file mode 100644 index 00000000..9b0a7c71 --- /dev/null +++ b/mta-multi-tenant-ias-ams.yaml 
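Review bot: The added `security.authorization.deep.enabled: true` in application.yaml uses a dotted flat key inside a `cds:` map whose sibling entries (`kind`, `format`, `subscribe-prefix`) are nested the ordinary way; Spring's relaxed binding will most likely accept it, but if a nested `security:` block exists elsewhere in this document the two spellings of the same path would silently collide, last one winning. Writing it nested — `security:` / `authorization:` / `deep:` / `enabled: true` — keeps the file to one style and makes any duplicate easy to spot. The enclosing `cds:` block starts outside the hunk, so I cannot tell from here whether such a sibling exists.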
@@ -0,0 +1,170 @@ +_schema-version: '2.1' +ID: bookshop-mt-ias +version: 1.0.0 +description: "Multitenant Bookshop CAP Java Project with UI" +parameters: + enable-parallel-deployments: true +modules: + # --------------------- SERVER MODULE ------------------------ + - name: bookshop-mt-ias-srv + # ------------------------------------------------------------ + type: java + path: srv + parameters: + memory: 1024M + disk-quota: 512M + buildpack: sap_java_buildpack_jakarta + routes: + - route: '${default-url}' + - route: '${default-host}.cert.${default-domain}' + properties: + SPRING_PROFILES_ACTIVE: cloud,sandbox + CDS_MULTITENANCY_APPUI_TENANTSEPARATOR: "-" + JBP_CONFIG_COMPONENTS: "jres: ['com.sap.xs.java.buildpack.jre.SAPMachineJRE']" + JBP_CONFIG_SAP_MACHINE_JRE: '{ version: 21.+ }' + build-parameters: + builder: custom + commands: + - mvn clean package -DskipTests=true + build-result: target/*-exec.jar + requires: + - name: bookshop-mt-ias-service-manager + - name: bookshop-mt-ias-sms + - name: bookshop-mt-ias-identity + parameters: + config: + credential-type: "X509_GENERATED" + key-length: 2048 + validity: 30 + validity-type: "DAYS" + app-identifier: "microservice1" + - name: mtx-api + properties: + CDS_MULTITENANCY_SIDECAR_URL: ~{mtx-url} + - name: app-api + properties: + CDS_MULTITENANCY_APPUI_URL: ~{app-url} + - name: cf-logging + provides: + - name: srv-api + properties: + srv-url: '${default-url}' + srv-cert-url: '${protocol}://${default-host}.cert.${default-domain}' + # --------------------- SIDECAR MODULE ----------------------- + - name: bookshop-mt-ias-sidecar + # ------------------------------------------------------------ + type: nodejs + path: mtx/sidecar + parameters: + memory: 256M + disk-quota: 1024M + build-parameters: + builder: custom + build-result: gen + commands: + - npm run build + requires: + - name: bookshop-mt-ias-srv + requires: + - name: bookshop-mt-ias-service-manager + - name: bookshop-mt-ias-identity + parameters: + config: + 
credential-type: "X509_GENERATED" + key-length: 2048 + validity: 30 + validity-type: "DAYS" + app-identifier: "microservice1" + - name: cf-logging + provides: + - name: mtx-api + properties: + mtx-url: ${default-url} + # --------------------- APPROUTER MODULE --------------------- + - name: bookshop-mt-ias-app + # ------------------------------------------------------------ + type: approuter.nodejs + path: app + parameters: + memory: 256M + disk-quota: 512M + keep-existing-routes: true + properties: + TENANT_HOST_PATTERN: ^(.*)-${default-host}.${default-domain} # testing only, use custom domain with wildcard for production + requires: + - name: srv-api + group: destinations + properties: + name: backend + url: ~{srv-cert-url} + forwardAuthCertificates: true + forwardAuthToken: true + strictSSL: true + - name: bookshop-mt-ias-identity + parameters: + config: + credential-type: "X509_GENERATED" + key-length: 2048 + validity: 30 + validity-type: "DAYS" + app-identifier: "microservice1" + - name: bookshop-mt-ias-sms + provides: + - name: app-api + properties: + app-url: '${default-url}' + app-domain: '${default-domain}' +# --------------------- RESOURCES --------------------- +resources: +# ----------------------------------------------------- + - name: bookshop-mt-ias-service-manager + type: org.cloudfoundry.managed-service + parameters: + service: service-manager + service-plan: container + - name: bookshop-mt-ias-identity + type: org.cloudfoundry.managed-service + parameters: + service: identity + service-plan: application + config: + authorization: + enabled: true + value_help_url: "https://vhp-srv-develop.cert.cfapps.sap.hana.ondemand.com/odata/v4/ExampleValueHelpService/" + oauth2-configuration: + redirect-uris: [ + "https://*.cfapps.sap.hana.ondemand.com/**", + "https://*.internal.cfapps.sap.hana.ondemand.com/node/signin-oidc/*", + "http://localhost:5000/login/callback?authType=ias" + ] + xsuaa-cross-consumption: true + display-name: bookshop-mt-ias-identity + 
multi-tenant: true + - name: bookshop-mt-ias-sms + type: org.cloudfoundry.managed-service + parameters: + service: subscription-manager + service-plan: provider + config: + iasServiceInstanceName: bookshop-mt-ias-identity + applicationType: application + appName: bookshop-mt-ias + appCallbacks: + dependenciesCallbacks: + url: ~{srv-api/srv-cert-url}/mt/sms/subscriptions/tenants/{app_tid}/dependencies + subscriptionCallbacks: + url: ~{srv-api/srv-cert-url}/mt/sms/subscriptions/tenants/{app_tid} + subscribeEnable: true + unSubscribeEnable: true + timeoutInMillis: 60000 + displayName: bookshop-mt-ias + description: "MT Bookshop using IAS & AMS" + category: "Application Development and Automation" + requires: + - name: srv-api + processed-after: [ bookshop-mt-ias-identity ] + - name: cf-logging + type: org.cloudfoundry.managed-service + parameters: + service: application-logs + service-plan: lite \ No newline at end of file From 9bb70f97cc37c70c4ad777e9c565e8e1d43caf20 Mon Sep 17 00:00:00 2001 From: "David H. Lam" Date: Fri, 18 Oct 2024 11:18:04 +0200 Subject: [PATCH 3/5] Restored version from main --- mta-multi-tenant.yaml | 119 +++++++++++++++--------------------------- 1 file changed, 42 insertions(+), 77 deletions(-) diff --git a/mta-multi-tenant.yaml b/mta-multi-tenant.yaml index c20c68db..75c5b774 100644 --- a/mta-multi-tenant.yaml +++ b/mta-multi-tenant.yaml @@ -1,12 +1,12 @@ _schema-version: '2.1' -ID: bookshop-mt-ias +ID: bookshop-mt version: 1.0.0 description: "Multitenant Bookshop CAP Java Project with UI" parameters: enable-parallel-deployments: true modules: # --------------------- SERVER MODULE ------------------------ - - name: bookshop-mt-ias-srv + - name: bookshop-mt-srv # ------------------------------------------------------------ type: java path: srv 
@@ -14,9 +14,6 @@ modules: memory: 1024M disk-quota: 512M buildpack: sap_java_buildpack_jakarta - routes: - - route: '${default-url}' - - route: '${default-host}.cert.${default-domain}' properties: SPRING_PROFILES_ACTIVE: cloud,sandbox CDS_MULTITENANCY_APPUI_TENANTSEPARATOR: "-" @@ -28,16 +25,9 @@ modules: - mvn clean package -DskipTests=true build-result: target/*-exec.jar requires: - - name: bookshop-service-manager - - name: bookshop-sms - - name: bookshop-identity - parameters: - config: - credential-type: "X509_GENERATED" - key-length: 2048 - validity: 30 - validity-type: "DAYS" - app-identifier: "microservice1" + - name: bookshop-mt-service-manager + - name: bookshop-mt-uaa + - name: bookshop-mt-saas-registry - name: mtx-api properties: CDS_MULTITENANCY_SIDECAR_URL: ~{mtx-url} @@ -49,9 +39,8 @@ modules: - name: srv-api properties: srv-url: '${default-url}' - srv-cert-url: '${protocol}://${default-host}.cert.${default-domain}' # --------------------- SIDECAR MODULE ----------------------- - - name: bookshop-mt-ias-sidecar + - name: bookshop-mt-sidecar # ------------------------------------------------------------ type: nodejs path: mtx/sidecar @@ -64,24 +53,17 @@ modules: commands: - npm run build requires: - - name: bookshop-mt-ias-srv + - name: bookshop-mt-srv requires: - - name: bookshop-service-manager - - name: bookshop-identity - parameters: - config: - credential-type: "X509_GENERATED" - key-length: 2048 - validity: 30 - validity-type: "DAYS" - app-identifier: "microservice1" + - name: bookshop-mt-service-manager + - name: bookshop-mt-uaa - name: cf-logging provides: - name: mtx-api properties: mtx-url: ${default-url} # --------------------- APPROUTER MODULE --------------------- - - name: bookshop-mt-ias-app + - name: bookshop-mt-app # ------------------------------------------------------------ type: approuter.nodejs path: app 
@@ -90,79 +72,62 @@ modules: disk-quota: 512M keep-existing-routes: true properties: - TENANT_HOST_PATTERN: ^(.*)-${default-host}.${default-domain} # testing only, use custom domain with wildcard for production + TENANT_HOST_PATTERN: ^(.*)-${default-uri} # testing only, use custom domain with wildcard for production requires: - name: srv-api group: destinations properties: name: backend - url: ~{srv-cert-url} - forwardAuthCertificates: true + url: ~{srv-url} forwardAuthToken: true strictSSL: true - - name: bookshop-identity - parameters: - config: - credential-type: "X509_GENERATED" - key-length: 2048 - validity: 30 - validity-type: "DAYS" - app-identifier: "microservice1" - - name: bookshop-sms + - name: bookshop-mt-uaa provides: - name: app-api properties: app-url: '${default-url}' - app-domain: '${default-domain}' + app-domain: '${domain}' # --------------------- RESOURCES --------------------- resources: # ----------------------------------------------------- - - name: bookshop-service-manager + - name: bookshop-mt-uaa + type: org.cloudfoundry.managed-service + parameters: + service: xsuaa + service-plan: application + path: ./xs-security-mt.json + config: # override xsappname as it needs to be unique + xsappname: bookshop-mt-${org}-${space} + oauth2-configuration: + redirect-uris: + - https://*.~{app-api/app-domain}/** + requires: + - name: app-api + - name: bookshop-mt-service-manager type: org.cloudfoundry.managed-service parameters: service: service-manager service-plan: container - - name: bookshop-identity + - name: bookshop-mt-saas-registry type: org.cloudfoundry.managed-service parameters: - service: identity + service: saas-registry service-plan: application config: - authorization: - enabled: true - value_help_url: "https://vhp-srv-develop.cert.cfapps.sap.hana.ondemand.com/odata/v4/ExampleValueHelpService/" - oauth2-configuration: - redirect-uris: [ - "https://*.cfapps.sap.hana.ondemand.com/**", - 
"https://*.internal.cfapps.sap.hana.ondemand.com/node/signin-oidc/*", - "http://localhost:5000/login/callback?authType=ias" - ] - xsuaa-cross-consumption: true - display-name: bookshop-identity - multi-tenant: true - - name: bookshop-sms - type: org.cloudfoundry.managed-service - parameters: - service: subscription-manager - service-plan: provider - config: - iasServiceInstanceName: bookshop-identity - applicationType: application - appName: bookshop-mt-ias - appCallbacks: - dependenciesCallbacks: - url: ~{srv-api/srv-cert-url}/mt/sms/subscriptions/tenants/{app_tid}/dependencies - subscriptionCallbacks: - url: ~{srv-api/srv-cert-url}/mt/sms/subscriptions/tenants/{app_tid} - subscribeEnable: true - unSubscribeEnable: true - timeoutInMillis: 60000 - displayName: bookshop-mt-ias - description: "Bookshop Identity" - category: "Application Development and Automation" + appName: bookshop-mt-${org}-${space} # this is the text on the tile + xsappname: bookshop-mt-${org}-${space} # this is the value from xsuaa.parameters.config.xsappname + appUrls: + getDependencies: ~{srv-api/srv-url}/mt/v1.0/subscriptions/dependencies + onSubscription: ~{srv-api/srv-url}/mt/v1.0/subscriptions/tenants/{tenantId} + onSubscriptionAsync: true + onUnSubscriptionAsync: true + onUpdateDependenciesAsync: true + callbackTimeoutMillis: 3600000 + displayName: bookshop-java + description: A simple CAP Java project. + category: 'Category' requires: - name: srv-api - processed-after: [ bookshop-identity ] - name: cf-logging type: org.cloudfoundry.managed-service parameters: From 41cdd3dce380fbcb8caf651ed29652a39a7af031 Mon Sep 17 00:00:00 2001 From: "David H. Lam" Date: Fri, 18 Oct 2024 11:20:04 +0200 Subject: [PATCH 4/5] Restored file formatting --- mta-multi-tenant.yaml | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/mta-multi-tenant.yaml b/mta-multi-tenant.yaml index 75c5b774..e42d3ad2 100644 --- a/mta-multi-tenant.yaml 
+++ b/mta-multi-tenant.yaml @@ -5,9 +5,9 @@ description: "Multitenant Bookshop CAP Java Project with UI" parameters: enable-parallel-deployments: true modules: - # --------------------- SERVER MODULE ------------------------ +# --------------------- SERVER MODULE ------------------------ - name: bookshop-mt-srv - # ------------------------------------------------------------ +# ------------------------------------------------------------ type: java path: srv parameters: @@ -39,9 +39,9 @@ modules: - name: srv-api properties: srv-url: '${default-url}' - # --------------------- SIDECAR MODULE ----------------------- +# --------------------- SIDECAR MODULE ----------------------- - name: bookshop-mt-sidecar - # ------------------------------------------------------------ +# ------------------------------------------------------------ type: nodejs path: mtx/sidecar parameters: @@ -62,9 +62,9 @@ modules: - name: mtx-api properties: mtx-url: ${default-url} - # --------------------- APPROUTER MODULE --------------------- +# --------------------- APPROUTER MODULE --------------------- - name: bookshop-mt-app - # ------------------------------------------------------------ +# ------------------------------------------------------------ type: approuter.nodejs path: app parameters: @@ -74,14 +74,14 @@ modules: properties: TENANT_HOST_PATTERN: ^(.*)-${default-uri} # testing only, use custom domain with wildcard for production requires: - - name: srv-api - group: destinations - properties: - name: backend - url: ~{srv-url} - forwardAuthToken: true - strictSSL: true - - name: bookshop-mt-uaa + - name: srv-api + group: destinations + properties: + name: backend + url: ~{srv-url} + forwardAuthToken: true + strictSSL: true + - name: bookshop-mt-uaa provides: - name: app-api properties: 
@@ -89,7 +89,7 @@ modules: app-domain: '${domain}' # --------------------- RESOURCES --------------------- resources: - # ----------------------------------------------------- +# ----------------------------------------------------- - name: bookshop-mt-uaa type: org.cloudfoundry.managed-service parameters: @@ -100,7 +100,7 @@ resources: xsappname: bookshop-mt-${org}-${space} oauth2-configuration: redirect-uris: - - https://*.~{app-api/app-domain}/** + - https://*.~{app-api/app-domain}/** requires: - name: app-api - name: bookshop-mt-service-manager @@ -132,4 +132,4 @@ resources: type: org.cloudfoundry.managed-service parameters: service: application-logs - service-plan: lite \ No newline at end of file + service-plan: lite From 9de2705698782331e80c1719a2ee18791dad0262 Mon Sep 17 00:00:00 2001 From: David H Lam Date: Mon, 21 Oct 2024 14:25:57 +0200 Subject: [PATCH 5/5] Added AMS integration to the IAS variant (#383) --- mta-multi-tenant-ias-ams.yaml | 5 ++++- pom.xml | 14 ++++++++++++++ srv/pom.xml | 11 +++++++++++ srv/src/main/resources/ams/bookshop/bookshop.dcl | 7 +++++++ srv/src/main/resources/ams/schema.dcl | 2 ++ 5 files changed, 38 insertions(+), 1 deletion(-) create mode 100644 srv/src/main/resources/ams/bookshop/bookshop.dcl create mode 100644 srv/src/main/resources/ams/schema.dcl diff --git a/mta-multi-tenant-ias-ams.yaml b/mta-multi-tenant-ias-ams.yaml index 9b0a7c71..5c432ba2 100644 --- a/mta-multi-tenant-ias-ams.yaml +++ b/mta-multi-tenant-ias-ams.yaml @@ -13,7 +13,9 @@ modules: parameters: memory: 1024M disk-quota: 512M - buildpack: sap_java_buildpack_jakarta + buildpacks: + - https://github.com/SAP/cloud-authorization-buildpack/releases/latest/download/opa_buildpack.zip + - sap_java_buildpack_jakarta routes: - route: '${default-url}' - route: '${default-host}.cert.${default-domain}' 
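Review bot: The new `buildpacks` entry pulls `https://github.com/SAP/cloud-authorization-buildpack/releases/latest/download/opa_buildpack.zip`, so every deployment downloads whatever the latest release is at that moment, with no version pin and no integrity check; the authorization engine running next to the server can change underneath a deploy that touched no code, and a regressed or compromised release would be picked up automatically. Pin the URL to a specific release tag (e.g. `https://github.com/SAP/cloud-authorization-buildpack/releases/download/<RELEASE-TAG>/opa_buildpack.zip`, tag to be chosen) and, if the project publishes checksums, record the expected one next to it, bumping it deliberately the way the `1.7.0` AMS client version is pinned in the pom.xml hunks of this same commit. A short comment above the entry naming the pinned release and how it was verified would help the next reviewer.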
@@ -22,6 +24,7 @@ modules: CDS_MULTITENANCY_APPUI_TENANTSEPARATOR: "-" JBP_CONFIG_COMPONENTS: "jres: ['com.sap.xs.java.buildpack.jre.SAPMachineJRE']" JBP_CONFIG_SAP_MACHINE_JRE: '{ version: 21.+ }' + AMS_DCL_ROOT: "/BOOT-INF/classes/ams/" build-parameters: builder: custom commands: diff --git a/pom.xml b/pom.xml index 246fda1a..a666f11f 100644 --- a/pom.xml +++ b/pom.xml @@ -28,6 +28,7 @@ 3.5.3 3.8.4 8.3.0 + 1.7.0 @@ -71,6 +72,19 @@ 4.0.0 + + + com.sap.cloud.security.ams.client + jakarta-ams + 1.7.0 + + + + com.sap.cloud.security.ams.client + cap-support + 1.7.0 + + diff --git a/srv/pom.xml b/srv/pom.xml index 10125ea9..08276ba3 100644 --- a/srv/pom.xml +++ b/srv/pom.xml @@ -133,6 +133,17 @@ spring-boot-devtools true + + + + com.sap.cloud.security.ams.client + jakarta-ams + + + + com.sap.cloud.security.ams.client + cap-support + diff --git a/srv/src/main/resources/ams/bookshop/bookshop.dcl b/srv/src/main/resources/ams/bookshop/bookshop.dcl new file mode 100644 index 00000000..ffdcb0df --- /dev/null +++ b/srv/src/main/resources/ams/bookshop/bookshop.dcl @@ -0,0 +1,7 @@ +POLICY Admin { + GRANT admin ON $SCOPES; +} + +POLICY Expert { + GRANT expert ON $SCOPES; +} diff --git a/srv/src/main/resources/ams/schema.dcl b/srv/src/main/resources/ams/schema.dcl new file mode 100644 index 00000000..35db1e21 --- /dev/null +++ b/srv/src/main/resources/ams/schema.dcl @@ -0,0 +1,2 @@ +SCHEMA { +} \ No newline at end of file
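Review bot: In the pom.xml hunks the `1.7.0` added among the version properties at line 28 and the two `dependencyManagement` entries for `com.sap.cloud.security.ams.client:jakarta-ams` and `cap-support` each carry the literal `1.7.0`; the property appears to be declared but not referenced, so a future bump has to be made in three places. The XML tags were stripped in this rendering, so this is an inference from the values alone; if a property is indeed declared, replace the literals with `<version>${PROPERTY-NAME}</version>` using the property's actual name. The `srv/pom.xml` entries correctly omit the version and rely on dependency management.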