Develop

.github/workflows/api-develop.yml

@@ -0,0 +1,41 @@
+name: Build API Develop
+
+on:
+  push:
+    branches: [develop]
+  workflow_dispatch:
+jobs:
+
+  APIDockerImage:
+    name: API Image Develop
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+    # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - uses: actions/checkout@v2
+      - name: Configure AWS credentials
+        if: ${{ always() }}
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-access-key-id: ${{ secrets.CWBICI_DEVELOP_AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.CWBICI_DEVELOP_AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ secrets.CWBICI_DEVELOP_AWS_REGION }}
+
+      - name: Login to Amazon ECR
+        if: ${{ success() }}
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v1
+
+      - name: Build, tag, and push image to Amazon ECR (water-api)
+        if: ${{ success() }}
+        env:
+          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          ECR_REPOSITORY: pallid-sturgeon-api
+        run: |
+          docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:latest .
+          docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
+      - name: Logout of Amazon ECR
+        if: ${{ always() }}
+        run: docker logout ${{ steps.login-ecr.outputs.registry }}

.gitignore

@@ -0,0 +1,7 @@
+# local config files
+envvars.list
+.vscode/*
+
+*.exe
+scan*.txt
+scratch

Dockerfile

@@ -1,18 +1,42 @@
-FROM golang:1.15-alpine AS builder
-# Install Git
-RUN apk update && apk add --no-cache git
-# Copy In Source Code
-WORKDIR /go/src/app
-COPY . .
-
-# Install Dependencies
-RUN go get -d -v
-# Build
-RUN go get -d -v \
-  && GOOS=linux GOARCH=amd64 CGO_ENABLED=0 \
-    go build -ldflags="-w -s" -o /go/bin/pallid_sturgeon_api
-
-# SCRATCH IMAGE
-FROM scratch
-COPY --from=builder /go/bin/pallid_sturgeon_api /go/bin/pallid_sturgeon_api
+FROM golang:1.23.2-alpine AS builder
+RUN apk add build-base
+# Install Git
+RUN apk update && apk add --no-cache git
+
+# Copy In Source Code
+WORKDIR /go/src/app
+COPY . .
+
+# Install Dependencies
+RUN go get -d -v
+# Build
+RUN go get -d -v \
+  && GOOS=linux GOARCH=amd64 CGO_ENABLED=1 \
+    go build -ldflags="-w -s" -o /go/bin/pallid_sturgeon_api
+
+# not SCRATCH IMAGE
+# remove curl -o instantclient-basiclite.zip https://download.oracle.com/otn_software/linux/instantclient/instantclient-basiclite-linuxx64.zip -SL && \
+FROM alpine:latest
+RUN apk add build-base
+RUN apk add --no-cache bash
+RUN apk --no-cache add libaio libnsl libc6-compat curl && \
+    cd /tmp && \
+    curl -o instantclient-basiclite.zip https://download.oracle.com/otn_software/linux/instantclient/2114000/instantclient-basic-linux.x64-21.14.0.0.0dbru.zip -SL && \
+    unzip instantclient-basiclite.zip && \
+    mv instantclient*/ /usr/lib/instantclient && \
+    rm instantclient-basiclite.zip && \
+    ln -s /usr/lib/instantclient/libclntsh.so.19.1 /usr/lib/libclntsh.so && \
+    ln -s /usr/lib/instantclient/libocci.so.19.1 /usr/lib/libocci.so && \
+    ln -s /usr/lib/instantclient/libociicus.so /usr/lib/libociicus.so && \
+    ln -s /usr/lib/instantclient/libnnz19.so /usr/lib/libnnz19.so && \
+    ln -s /usr/lib/libnsl.so.2 /usr/lib/libnsl.so.1 && \
+    ln -s /lib/libc.so.6 /usr/lib/libresolv.so.2 && \
+    ln -s /lib64/ld-linux-x86-64.so.2 /usr/lib/ld-linux-x86-64.so.2
+
+ENV ORACLE_BASE /usr/lib/instantclient
+ENV LD_LIBRARY_PATH /usr/lib/instantclient
+ENV TNS_ADMIN /usr/lib/instantclient
+ENV ORACLE_HOME /usr/lib/instantclient
+
+COPY --from=builder /go/bin/pallid_sturgeon_api /go/bin/pallid_sturgeon_api
 ENTRYPOINT ["/go/bin/pallid_sturgeon_api"]

README.md

@@ -23,9 +23,11 @@ Set the following environment variables and type `go run root/main.go` from the
     "DB_PASS": "",
     "DB_NAME": "",
     "LIB_DIR": "",
-    "DB_HOST": "localhost",
+    "DB_HOST": "",
     "DB_PORT": "1521",
-    "IPPK": "${workspaceFolder}/props/local.pem",
+    "IPPK": "",
 
 
 Note: When running the API locally, make sure environment variable `LAMBDA` is either **not set** or is set to `LAMBDA=FALSE`.
+IPPK is NOT in use currently in AWS Dev.
+Use the SIG key when setting IPPK value. 

auth/auth.go

@@ -3,35 +3,32 @@ package auth
 import (
 	"crypto/rsa"
 	"errors"
-	"fmt"
-	"io/ioutil"
 	"log"
 	"net/http"
-	"path/filepath"
 	"strings"
 
-	"di2e.net/cwbi/pallid_sturgeon_api/server/models"
-	"di2e.net/cwbi/pallid_sturgeon_api/server/stores"
-	"github.com/dgrijalva/jwt-go"
+	"github.com/USACE/pallid_sturgeon_api/server/models"
+	"github.com/USACE/pallid_sturgeon_api/server/stores"
+	"github.com/golang-jwt/jwt/v4"
 	"github.com/labstack/echo/v4"
 )
 
 const (
 	PUBLIC = iota
-	PM
-	TM
+	ADMIN
+	OFFICEADMIN
+	OFFICEUSER
+	READONLY
 )
 
 type Auth struct {
 	Store     *stores.AuthStore
 	VerifyKey *rsa.PublicKey
 }
 
-var verifyKeys []*rsa.PublicKey
-
 /*
 Authorize Options:
-1) Public - All CAC Users
+1) Public - All KEYCLOAK Users
 2) PM - Project Manager
 3) TM - Team Member
 */
@@ -50,39 +47,37 @@ func (a *Auth) Authorize(handler echo.HandlerFunc, roles ...int) echo.HandlerFun
 		if err != nil {
 			return err
 		}
-		c.Set("SDUSER", user)
+		role, err := a.Store.GetUserRoleOffice(user.Email)
+		if err != nil {
+			return err
+		}
+		c.Set("PSUSER", user)
 		switch {
-		case contains(roles, TM):
-			for _, role := range claims.Roles {
-				if role == "PM" || role == "TM" {
-					return handler(c)
-				}
+		case contains(roles, PUBLIC):
+			return handler(c)
+		case contains(roles, ADMIN):
+			if role.Role == "ADMINISTRATOR" {
+				return handler(c)
+			}
+		case contains(roles, OFFICEADMIN):
+			if role.Role == "OFFICE ADMIN" {
+				return handler(c)
 			}
-		case contains(roles, PM):
-			for _, role := range claims.Roles {
-				if role == "PM" {
-					return handler(c)
-				}
+		case contains(roles, OFFICEUSER):
+			if role.Role == "OFFICE USER" {
+				return handler(c)
+			}
+		case contains(roles, READONLY):
+			if role.Role == "READONLY" {
+				return handler(c)
 			}
 		}
 		return echo.NewHTTPError(http.StatusUnauthorized, "")
 	}
 }
 
-func loadKeyFile(filePath string) (*rsa.PublicKey, error) {
-	publicKeyBytes, err := ioutil.ReadFile(filePath)
-	if err != nil {
-		return nil, err
-	}
-	return jwt.ParseRSAPublicKeyFromPEM(publicKeyBytes)
-}
-
-func (a *Auth) LoadVerificationKey(filePath string) error {
-	publicKeyBytes, err := ioutil.ReadFile(filePath)
-	if err != nil {
-		return err
-	}
-	pk, err := jwt.ParseRSAPublicKeyFromPEM(publicKeyBytes)
+func (a *Auth) LoadVerificationKey(publicKey string) error {
+	pk, err := jwt.ParseRSAPublicKeyFromPEM([]byte("-----BEGIN PUBLIC KEY-----\n" + publicKey + "\n-----END PUBLIC KEY-----"))
 	if err != nil {
 		return err
 	}
@@ -100,56 +95,11 @@ func (a *Auth) marshalJwt(tokenString string) (models.JwtClaim, error) {
 	}
 	if claims, ok := token.Claims.(jwt.MapClaims); ok && token.Valid {
 		jwtUser := models.JwtClaim{
-			Sub:   claims["sub"].(string),
-			Name:  claims["name"].(string),
-			Email: claims["email"].(string),
-			Roles: claims["roles"].([]interface{}),
-		}
-		return jwtUser, nil
-	} else {
-		return models.JwtClaim{}, errors.New("Invalid Token")
-	}
-}
-
-func LoadVerificationKeys(fieldPath string) error {
-	files, err := ioutil.ReadDir(fieldPath)
-	if err != nil {
-		return err
-	}
-	for _, v := range files {
-		if ext := filepath.Ext(v.Name()); ext == ".pem" {
-			fmt.Printf("Loading Public Key: %s\n", v.Name())
-			pk, err := loadKeyFile(fieldPath + "/" + v.Name())
-			if err != nil {
-				return err
-			}
-			verifyKeys = append(verifyKeys, pk)
-		}
-	}
-	return nil
-}
-
-func marshalJwts(tokenString string) (models.JwtClaim, error) {
-	var token *jwt.Token = nil
-	var err error
-	for _, verificationKey := range verifyKeys {
-		token, err = jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
-			return verificationKey, nil
-		})
-		if err == nil {
-			break
-		}
-	}
-
-	if token == nil {
-		return models.JwtClaim{}, errors.New("Invalid Token")
-	}
-	if claims, ok := token.Claims.(jwt.MapClaims); ok && token.Valid {
-		jwtUser := models.JwtClaim{
-			Sub:   claims["sub"].(string),
-			Name:  claims["name"].(string),
-			Email: claims["email"].(string),
-			Roles: claims["roles"].([]interface{}),
+			//CacUid:    claims["cacUID"].(string),
+			Name:      claims["name"].(string),
+			Email:     claims["email"].(string),
+			FirstName: claims["given_name"].(string),
+			LastName:  claims["family_name"].(string),
 		}
 		return jwtUser, nil
 	} else {