Skip to content

Commit

Permalink
Add docker-compose with onboarding instructions
Browse files Browse the repository at this point in the history
  • Loading branch information
Brutus5000 committed Dec 28, 2024
1 parent e5eb344 commit 6c1d3db
Show file tree
Hide file tree
Showing 3 changed files with 159 additions and 17 deletions.
47 changes: 30 additions & 17 deletions README.MD
Original file line number Diff line number Diff line change
@@ -1,42 +1,55 @@
# FAF User Service

This service aims to cover the domain of login and account management in FAForever.
This service aims to cover the domain of login and account management in FAForever:
* OAuth 2.0 / OIDC login backend for Ory Hydra
* IRC login for Ergochat
* User Control Panel with manual login

## Technology stack
## Developer information

### Technology stack

- Kotlin
- Quarkus
- Hibernate (Panache)
- Vaadin

### Dependencies

## Motivation and architecture considerations
The FAF user service requires
* A [MariaDB](https://mariadb.org/) server running a matching version of the [faf-db](https://github.com/FAForever/db). (Latest develop should always work)
* An [Ory Hydra](https://github.com/ory/hydra) server running in a matching version

### Yet another FAF API?
### Developer setup

For local development you need
* a working Kotlin setup (e.g. install IntelliJ Community and download the required JDK from IntellIJ directly)
* Docker Compose

Setup all docker depencies along with test data by simply running:
```shell
docker compose up -d
```
This will insert the faf db testdata into the faf-db and a faf-client OAuhth client into Ory Hydra.

> The faf-java-api already offers OAuth2 login and user management. Why do we need yet another service?

There are multiple reasons that led to this decision:
Hint: The docker compose stack is **not** persisting to disk. Deleting containers manually or via `docker compose down` will wipe all data.

## Architecture considerations

### Yet another FAF API?

1. **Application perspective:** The faf-java-api uses the
[Spring Security OAuth](https://spring.io/projects/spring-security-oauth) library.
1. With the release of Spring 5 this got deprecated in favour of a newer one. Unfortunately with this transition
the support for OAuth2 identity server was dropped completely. It receives no more updates.
1. Since the library is deprecated we lack support for the improved OAuth2 PKCE login flow, which improves overall
security compared to the previous implicit flow.
1. The current library seems to have issues when trying to login with certified libraries from the Angular ecosystem.
It just doesn't work in some cases, where we need it to work. (But nobody will fix it since it's deprecated.)
2. **Architecture perspective:** The faf-java-api is the FAF swiss army knife. It basically bundles every feature
1. **Architecture perspective:** The faf-java-api is the FAF swiss army knife. It basically bundles every feature
outside of the lobby server protocol. This makes it very complex to maintain and configure. It also causes very high
startup times causing unnecessary downtimes on deployments. This does not match our desired architecture.
A new microservice focussing on one particular topic (and security is a very important topic which is also hard to get
right) simplifies that.
3. **GDPR and DevOps implications:** Currently FAF runs almost all applications on one server. An admin on that server
1. **GDPR and DevOps implications:** Currently FAF runs almost all applications on one server. An admin on that server
has access to all personal data. Adding new admins is a large hassle due to GDPR requirements. Due to this many
FAF maintainers have no access to their application logs and configuration, which makes fixing bugs etc. much more
complicated and adds additional work onto the few admins. This new service might
be a first step into moving the whole account management out of the main server.
4. **Long running perspective:** In a perfect world we would migrate all authorization related stuff into a dedicated
1. **Long running perspective:** In a perfect world we would migrate all authorization related stuff into a dedicated
(trusted) 3rd party software, so we can't mess up on security.

### Additional goals
Expand Down
106 changes: 106 additions & 0 deletions docker-compose.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,106 @@
services:
# Set up the faf db
faf-db:
image: mariadb:11
environment:
MARIADB_DATABASE: faf
MARIADB_USER: faf-user-service
MARIADB_PASSWORD: banana
MARIADB_ROOT_PASSWORD: banana
healthcheck:
test: ["CMD", "healthcheck.sh", "--connect", "--innodb_initialized"]
interval: 10s
timeout: 5s
retries: 5
ports:
- "3306:3306"

faf-db-migrations:
image: faforever/faf-db-migrations:v135
command: migrate
environment:
FLYWAY_URL: jdbc:mysql://faf-db/faf?useSSL=false
FLYWAY_USER: root
FLYWAY_PASSWORD: banana
FLYWAY_DATABASE: faf
depends_on:
faf-db:
condition: service_healthy

faf-db-testdata:
image: mariadb:11
entrypoint: sh -c "apt-get update && apt-get install -y curl && curl -s https://raw.githubusercontent.com/FAForever/db/refs/heads/develop/test-data.sql | mariadb -h faf-db -uroot -pbanana -D faf"
depends_on:
faf-db-migrations:
condition: service_completed_successfully

hydra-db:
image: postgres:16
environment:
- POSTGRES_USER=hydra
- POSTGRES_PASSWORD=banana
- POSTGRES_DB=hydra
healthcheck:
test: ["CMD-SHELL", "pg_isready", "-U", "postgres"]
interval: 10s
timeout: 5s
retries: 5

hydra-migrate:
image: oryd/hydra:v1.11.10
command: migrate -c /etc/config/hydra/hydra.yml sql -e --yes
environment:
- DSN=postgres://hydra:banana@hydra-db:5432/hydra?sslmode=disable
volumes:
- type: bind
source: ./hydra.yml
target: /etc/config/hydra/hydra.yml
depends_on:
hydra-db:
condition: service_healthy

hydra:
image: oryd/hydra:v1.11.10
ports:
- "4444:4444" # Public port
- "4445:4445" # Admin port
command: serve -c /etc/config/hydra/hydra.yml all --dangerous-force-http
environment:
- DSN=postgres://hydra:banana@hydra-db:5432/hydra?sslmode=disable
volumes:
- type: bind
source: ./hydra.yml
target: /etc/config/hydra/hydra.yml
depends_on:
hydra-db:
condition: service_healthy
hydra-migrate:
condition: service_completed_successfully
healthcheck:
test: ["CMD-SHELL", "hydra", "clients", "list", "--endpoint", "http://hydra:4445"]
interval: 10s
timeout: 5s
retries: 5

hydra-testdata:
image: oryd/hydra:v1.11.10
entrypoint: >
hydra clients create
--skip-tls-verify
--endpoint http://hydra:4445
--fake-tls-termination
--id faf-client
--name faf-client
--logo-uri https://faforever.com/images/faf-logo.png
--grant-types authorization_code,refresh_token
--response-types code
--scope openid,offline,public_profile,lobby,upload_map,upload_mod
--callbacks http://127.0.0.1
--token-endpoint-auth-method none
depends_on:
hydra:
condition: service_healthy
hydra-migrate:
condition: service_completed_successfully


23 changes: 23 additions & 0 deletions hydra.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
# Config file for Hydra in docker-compose.yaml
serve:
cookies:
same_site_mode: Lax

urls:
self:
issuer: http://127.0.0.1:4444
consent: http://127.0.0.1:8080/oauth2/consent
login: http://127.0.0.1:8080/oauth2/login
logout: http://127.0.0.1:8080/oauth2/logout

secrets:
system:
- bananapineapplepizza

oidc:
subject_identifiers:
supported_types:
- pairwise
- public
pairwise:
salt: bananapineapplepizza

0 comments on commit 6c1d3db

Please sign in to comment.