HSP connector

Signed-off-by: Andy Lo-A-Foe <[email protected]>
philips-forks · Sep 12, 2024 · f8cdbb5 · f8cdbb5
1 parent c798875
commit f8cdbb5
Show file tree

Hide file tree

Showing 10 changed files with 1,116 additions and 213 deletions.
diff --git a/.github/workflows/artifacts-fork.yaml b/.github/workflows/artifacts-fork.yaml
@@ -0,0 +1,89 @@
+name: Fork Artifacts
+
+on:
+  push:
+    branches:
+      - master
+    tags:
+      - '*'
+  pull_request:
+
+jobs:
+  container-images:
+    name: Container images
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        variant:
+          - alpine
+          - distroless
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Gather metadata
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            ghcr.io/philips-forks/dex
+          flavor: |
+            latest = false
+          tags: |
+            type=ref,event=branch,enable=${{ matrix.variant == 'alpine' }}
+            type=ref,event=pr,enable=${{ matrix.variant == 'alpine' }}
+            type=semver,pattern={{raw}},enable=${{ matrix.variant == 'alpine' }}
+            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) && matrix.variant == 'alpine' }}
+            type=ref,event=branch,suffix=-${{ matrix.variant }}
+            type=ref,event=pr,suffix=-${{ matrix.variant }}
+            type=semver,pattern={{raw}},suffix=-${{ matrix.variant }}
+            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }},suffix=-${{ matrix.variant }}
+          labels: |
+            org.opencontainers.image.documentation=https://dexidp.io/docs/
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+        with:
+          platforms: all
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ github.token }}
+        if: github.event_name == 'push'
+
+      - name: Build and push
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          # cache-from: type=gha
+          # cache-to: type=gha,mode=max
+          push: ${{ github.event_name == 'push' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          build-args: |
+            BASE_IMAGE=${{ matrix.variant }}
+            VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
+            COMMIT_HASH=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
+            BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: "ghcr.io/philips-forks/dex:${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}"
+          format: "sarif"
+          output: "trivy-results.sarif"
+        if: github.event_name == 'push'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: "trivy-results.sarif"
+        if: github.event_name == 'push'
diff --git a/.github/workflows/artifacts.yaml b/.github/workflows/artifacts.yaml
diff --git a/connector/hsdp/README.md b/connector/hsdp/README.md
@@ -0,0 +1,62 @@
+# hsdp connector
+
+This connector supports [HSP IAM](https://www.hsdp.io/documentation/identity-and-access-management-iam/getting-started) as an upstream IDP for Dex.
+
+# helm chart
+
+Dex is deployed using the [helm chart](https://artifacthub.io/packages/helm/dex/dex) from the [Artifact Hub](https://artifacthub.io/).
+
+# configuration
+
+When deploying Dex with the HSP IAM connector, you need to configure the connector in the Dex configuration file.
+Helm chart users can configure the connector in the `values.yaml` file.
+
+Connector section example:
+
+```yaml
+  connectors:
+    - type: hsdp
+      id: hsdp
+      name: Philips Code1
+      config:
+        enableRoleClaim: true
+        enableGroupClaim: false
+        trustedOrgID: 8a67a785-73bb-46d5-b73f-d951a6d3cb43
+        tenantMap:
+          dae89cf0-888d-4a26-8c1d-578e97365efc: rpi5
+          8a67a785-73bb-46d5-b73f-d951a6d3cb43: starlift
+        issuer: 'https://iam-client-test.us-east.philips-healthsuite.com/authorize/oauth2/v2'
+        insecureIssuer: 'https://iam-client-test.us-east.philips-healthsuite.com/oauth2/access_token'
+        saml2LoginURL: 'https://iam-integration.us-east.philips-healthsuite.com/authorize/saml2/login?idp_id=https://sts.windows.net/1a407a2d-7675-4d17-8692-b3ac285306e4/&client_id=sp-philips-hspiam-useast-ct&api-version=1'
+        clientID: iamclient
+        clientSecret: SecretHere
+        iamURL: 'https://iam-client-test.us-east.philips-healthsuite.com'
+        idmURL: 'https://idm-client-test.us-east.philips-healthsuite.com'
+        redirectURI: https://dex.hsp.philips.com/callback
+        getUserInfo: true
+        userNameKey: sub
+        scopes:
+          - auth_iam_introspect
+          - auth_iam_organization
+          - openid
+          - profile
+          - email
+          - name
+```
+
+The following fields are supported:
+
+| Config field     | Type        | Description                                                                |
+|------------------|-------------|----------------------------------------------------------------------------|
+| issuer           | string      | The issuer URL of the HSP IAM deployment                                   |
+| insecureIssuer   | string      | the issuer as returnd by HSP IAM. These are different in current IAM (bug) |
+| saml2LoginURL    | string      | The SAML login URL given by HSP IAM for SSO login (code1)                  |
+| clientID         | string      | An HSP IAM OAuth2 client ID                                                |
+| clientSecret     | string      | An HSP IAM OAuth2 client secret                                            |
+| redirectURI      | string      | The redirect URI of your Dex deployment. PAth should be `/callback`        |
+| getUserInfo      | bool        | Wether to inject complete userInfo as a claim in the JWT Token             |
+| userNameKey      | string      | The username key. Should be set to `sub`                                   |
+| scopes           | string      | The scopes to send to HSP IAM                                              |
+| enableGroupClaim | bool        | Enable group claim                                                         |
+| enableRoleClaim  | bool        | Enable role claim                                                          |
+| roleAsGroupClaim | bool        | Sets the roles in the group claim. Compatible with Github and other IDPs   |