From 10b3d93538c8a23a22f4c8ce810ea905ccc8adbc Mon Sep 17 00:00:00 2001 From: kyy Date: Fri, 30 Jan 2026 16:05:23 +0900 Subject: [PATCH] =?UTF-8?q?Gitea=20=EC=97=B0=EB=8F=99=EC=9D=84=20=EC=9C=84?= =?UTF-8?q?=ED=95=9C=20Hydra=20Issuer=20=EB=B0=8F=20Oathkeeper=20=EA=B7=9C?= =?UTF-8?q?=EC=B9=99=20=EC=84=A4=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- compose.ory.yaml | 1 + docker/ory/oathkeeper/entrypoint.sh | 7 +- docker/ory/oathkeeper/oathkeeper.yml | 0 docker/ory/oathkeeper/rules.active.json | 100 +++++++++++++++--------- docker/ory/oathkeeper/rules.draft.json | 48 +++--------- docker/ory/oathkeeper/rules.json | 100 +++++++++++++++--------- docker/ory/oathkeeper/rules.prod.json | 40 +++------- docker/ory/oathkeeper/rules.stage.json | 94 +++++++++++++--------- 8 files changed, 209 insertions(+), 181 deletions(-) mode change 100644 => 100755 docker/ory/oathkeeper/oathkeeper.yml mode change 100644 => 100755 docker/ory/oathkeeper/rules.active.json mode change 100644 => 100755 docker/ory/oathkeeper/rules.draft.json mode change 100644 => 100755 docker/ory/oathkeeper/rules.json mode change 100644 => 100755 docker/ory/oathkeeper/rules.prod.json mode change 100644 => 100755 docker/ory/oathkeeper/rules.stage.json diff --git a/compose.ory.yaml b/compose.ory.yaml index 878aa29f..2b97f4c9 100644 --- a/compose.ory.yaml +++ b/compose.ory.yaml @@ -160,6 +160,7 @@ services: - "4457:4455" # Proxy environment: - APP_ENV=${APP_ENV:-development} + - LOG_LEVEL=debug volumes: - ./docker/ory/oathkeeper:/etc/config/oathkeeper - ./docker/ory/oathkeeper/logs:/var/log/oathkeeper diff --git a/docker/ory/oathkeeper/entrypoint.sh b/docker/ory/oathkeeper/entrypoint.sh index 506af8cd..fe15ce6a 100755 --- a/docker/ory/oathkeeper/entrypoint.sh +++ b/docker/ory/oathkeeper/entrypoint.sh @@ -24,7 +24,12 @@ if [ ! -f "$RULES_FILE" ]; then echo "[oathkeeper] rules file not found: $RULES_FILE" exit 1 fi -cp "$RULES_FILE" "$RULES_ACTIVE" + +# Remove existing active rules file to prevent overwrite issues (File exists/Permission denied) +if [ -f "$RULES_ACTIVE" ]; then + rm -f "$RULES_ACTIVE" || echo "[oathkeeper] Warning: Failed to remove existing rules.active.json" +fi +cp -f "$RULES_FILE" "$RULES_ACTIVE" || echo "[oathkeeper] Warning: Failed to copy rules file. Using existing if present." LOG_DIR="/var/log/oathkeeper" LOG_FILE="${LOG_DIR}/access.log" diff --git a/docker/ory/oathkeeper/oathkeeper.yml b/docker/ory/oathkeeper/oathkeeper.yml old mode 100644 new mode 100755 diff --git a/docker/ory/oathkeeper/rules.active.json b/docker/ory/oathkeeper/rules.active.json old mode 100644 new mode 100755 index e02c3382..e65e9d51 --- a/docker/ory/oathkeeper/rules.active.json +++ b/docker/ory/oathkeeper/rules.active.json @@ -1,92 +1,114 @@ [ { "id": "public-health", - "description": "공개 헬스체크", + "description": "공개 헬스체크 (STAGE 도메인)", "match": { - "url": "http://<.*>/health", + "url": "<.*>://sso-test.hmac.kr/health", "methods": ["GET"] }, "upstream": { "url": "http://baron_backend:3000" }, - "authenticators": [ - { "handler": "noop" } - ], + "authenticators": [{ "handler": "noop" }], "authorizer": { "handler": "allow" }, - "mutators": [ - { "handler": "noop" } - ] + "mutators": [{ "handler": "noop" }] }, { "id": "public-preflight", - "description": "CORS preflight", + "description": "CORS preflight (STAGE 도메인)", "match": { - "url": "http://<.*>/api/v1/<.*>", + "url": "<.*>://sso-test.hmac.kr/api/v1/<.*>", "methods": ["OPTIONS"] }, "upstream": { "url": "http://baron_backend:3000" }, - "authenticators": [ - { "handler": "noop" } - ], + "authenticators": [{ "handler": "noop" }], "authorizer": { "handler": "allow" }, - "mutators": [ - { "handler": "noop" } - ] + "mutators": [{ "handler": "noop" }] }, { "id": "public-auth", - "description": "인증/회원가입 등 공개 엔드포인트", + "description": "인증/회원가입 등 공개 엔드포인트 (STAGE 도메인)", "match": { - "url": "http://<.*>/api/v1/auth/<.*>", + "url": "<.*>://sso-test.hmac.kr/api/v1/auth/<.*>", "methods": ["GET", "POST", "OPTIONS"] }, "upstream": { "url": "http://baron_backend:3000" }, - "authenticators": [ - { "handler": "noop" } - ], + "authenticators": [{ "handler": "noop" }], "authorizer": { "handler": "allow" }, - "mutators": [ - { "handler": "noop" } - ] + "mutators": [{ "handler": "noop" }] }, { "id": "backend-command", "description": "Command 요청은 Backend로 전달 (Audit 강제)", "match": { - "url": "http://<.*>/api/v1/<.*>", + "url": "<.*>://sso-test.hmac.kr/api/v1/<.*>", "methods": ["POST", "PUT", "PATCH", "DELETE"] }, "upstream": { "url": "http://baron_backend:3000" }, - "authenticators": [ - { "handler": "cookie_session" } - ], + "authenticators": [{ "handler": "cookie_session" }], "authorizer": { "handler": "remote_json" }, - "mutators": [ - { "handler": "noop" } - ] + "mutators": [{ "handler": "noop" }] }, { "id": "backend-query", "description": "Backend Query (admin/dev 포함)", "match": { - "url": "http://<.*>/api/v1/<.*>", + "url": "<.*>://sso-test.hmac.kr/api/v1/<.*>", "methods": ["GET"] }, "upstream": { "url": "http://baron_backend:3000" }, - "authenticators": [ - { "handler": "cookie_session" } - ], + "authenticators": [{ "handler": "cookie_session" }], "authorizer": { "handler": "remote_json" }, - "mutators": [ - { "handler": "noop" } - ] + "mutators": [{ "handler": "noop" }] + }, + { + "id": "hydra-well-known", + "description": "Hydra OIDC Discovery & JWKS", + "match": { + "url": "<.*>://sso-test.hmac.kr/.well-known/<.*>", + "methods": ["GET", "OPTIONS"] + }, + "upstream": { + "url": "http://hydra:4444" + }, + "authenticators": [{ "handler": "noop" }], + "authorizer": { "handler": "allow" }, + "mutators": [{ "handler": "noop" }] + }, + { + "id": "hydra-oauth2", + "description": "Hydra OAuth2 Endpoints", + "match": { + "url": "<.*>://sso-test.hmac.kr/oauth2/<.*>", + "methods": ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"] + }, + "upstream": { + "url": "http://hydra:4444" + }, + "authenticators": [{ "handler": "noop" }], + "authorizer": { "handler": "allow" }, + "mutators": [{ "handler": "noop" }] + }, + { + "id": "hydra-userinfo", + "description": "Hydra Userinfo", + "match": { + "url": "<.*>://sso-test.hmac.kr/userinfo", + "methods": ["GET", "POST", "OPTIONS"] + }, + "upstream": { + "url": "http://hydra:4444" + }, + "authenticators": [{ "handler": "noop" }], + "authorizer": { "handler": "allow" }, + "mutators": [{ "handler": "noop" }] } -] +] \ No newline at end of file diff --git a/docker/ory/oathkeeper/rules.draft.json b/docker/ory/oathkeeper/rules.draft.json old mode 100644 new mode 100755 index 835689ec..95c387f5 --- a/docker/ory/oathkeeper/rules.draft.json +++ b/docker/ory/oathkeeper/rules.draft.json @@ -9,13 +9,9 @@ "upstream": { "url": "http://baron_backend:3000" }, - "authenticators": [ - { "handler": "noop" } - ], + "authenticators": [{ "handler": "noop" }], "authorizer": { "handler": "allow" }, - "mutators": [ - { "handler": "noop" } - ] + "mutators": [{ "handler": "noop" }] }, { "id": "public-auth", @@ -27,13 +23,9 @@ "upstream": { "url": "http://baron_backend:3000" }, - "authenticators": [ - { "handler": "noop" } - ], + "authenticators": [{ "handler": "noop" }], "authorizer": { "handler": "allow" }, - "mutators": [ - { "handler": "noop" } - ] + "mutators": [{ "handler": "noop" }] }, { "id": "backend-command", @@ -45,13 +37,9 @@ "upstream": { "url": "http://baron_backend:3000" }, - "authenticators": [ - { "handler": "cookie_session" } - ], + "authenticators": [{ "handler": "cookie_session" }], "authorizer": { "handler": "remote_json" }, - "mutators": [ - { "handler": "noop" } - ] + "mutators": [{ "handler": "noop" }] }, { "id": "backend-query", @@ -63,13 +51,9 @@ "upstream": { "url": "http://baron_backend:3000" }, - "authenticators": [ - { "handler": "cookie_session" } - ], + "authenticators": [{ "handler": "cookie_session" }], "authorizer": { "handler": "remote_json" }, - "mutators": [ - { "handler": "noop" } - ] + "mutators": [{ "handler": "noop" }] }, { "id": "kratos-public", @@ -82,13 +66,9 @@ "url": "http://kratos:4433", "strip_path": "/kratos" }, - "authenticators": [ - { "handler": "noop" } - ], + "authenticators": [{ "handler": "noop" }], "authorizer": { "handler": "allow" }, - "mutators": [ - { "handler": "noop" } - ] + "mutators": [{ "handler": "noop" }] }, { "id": "hydra-public", @@ -101,12 +81,8 @@ "url": "http://hydra:4444", "strip_path": "/hydra" }, - "authenticators": [ - { "handler": "noop" } - ], + "authenticators": [{ "handler": "noop" }], "authorizer": { "handler": "allow" }, - "mutators": [ - { "handler": "noop" } - ] + "mutators": [{ "handler": "noop" }] } ] diff --git a/docker/ory/oathkeeper/rules.json b/docker/ory/oathkeeper/rules.json old mode 100644 new mode 100755 index e02c3382..e65e9d51 --- a/docker/ory/oathkeeper/rules.json +++ b/docker/ory/oathkeeper/rules.json @@ -1,92 +1,114 @@ [ { "id": "public-health", - "description": "공개 헬스체크", + "description": "공개 헬스체크 (STAGE 도메인)", "match": { - "url": "http://<.*>/health", + "url": "<.*>://sso-test.hmac.kr/health", "methods": ["GET"] }, "upstream": { "url": "http://baron_backend:3000" }, - "authenticators": [ - { "handler": "noop" } - ], + "authenticators": [{ "handler": "noop" }], "authorizer": { "handler": "allow" }, - "mutators": [ - { "handler": "noop" } - ] + "mutators": [{ "handler": "noop" }] }, { "id": "public-preflight", - "description": "CORS preflight", + "description": "CORS preflight (STAGE 도메인)", "match": { - "url": "http://<.*>/api/v1/<.*>", + "url": "<.*>://sso-test.hmac.kr/api/v1/<.*>", "methods": ["OPTIONS"] }, "upstream": { "url": "http://baron_backend:3000" }, - "authenticators": [ - { "handler": "noop" } - ], + "authenticators": [{ "handler": "noop" }], "authorizer": { "handler": "allow" }, - "mutators": [ - { "handler": "noop" } - ] + "mutators": [{ "handler": "noop" }] }, { "id": "public-auth", - "description": "인증/회원가입 등 공개 엔드포인트", + "description": "인증/회원가입 등 공개 엔드포인트 (STAGE 도메인)", "match": { - "url": "http://<.*>/api/v1/auth/<.*>", + "url": "<.*>://sso-test.hmac.kr/api/v1/auth/<.*>", "methods": ["GET", "POST", "OPTIONS"] }, "upstream": { "url": "http://baron_backend:3000" }, - "authenticators": [ - { "handler": "noop" } - ], + "authenticators": [{ "handler": "noop" }], "authorizer": { "handler": "allow" }, - "mutators": [ - { "handler": "noop" } - ] + "mutators": [{ "handler": "noop" }] }, { "id": "backend-command", "description": "Command 요청은 Backend로 전달 (Audit 강제)", "match": { - "url": "http://<.*>/api/v1/<.*>", + "url": "<.*>://sso-test.hmac.kr/api/v1/<.*>", "methods": ["POST", "PUT", "PATCH", "DELETE"] }, "upstream": { "url": "http://baron_backend:3000" }, - "authenticators": [ - { "handler": "cookie_session" } - ], + "authenticators": [{ "handler": "cookie_session" }], "authorizer": { "handler": "remote_json" }, - "mutators": [ - { "handler": "noop" } - ] + "mutators": [{ "handler": "noop" }] }, { "id": "backend-query", "description": "Backend Query (admin/dev 포함)", "match": { - "url": "http://<.*>/api/v1/<.*>", + "url": "<.*>://sso-test.hmac.kr/api/v1/<.*>", "methods": ["GET"] }, "upstream": { "url": "http://baron_backend:3000" }, - "authenticators": [ - { "handler": "cookie_session" } - ], + "authenticators": [{ "handler": "cookie_session" }], "authorizer": { "handler": "remote_json" }, - "mutators": [ - { "handler": "noop" } - ] + "mutators": [{ "handler": "noop" }] + }, + { + "id": "hydra-well-known", + "description": "Hydra OIDC Discovery & JWKS", + "match": { + "url": "<.*>://sso-test.hmac.kr/.well-known/<.*>", + "methods": ["GET", "OPTIONS"] + }, + "upstream": { + "url": "http://hydra:4444" + }, + "authenticators": [{ "handler": "noop" }], + "authorizer": { "handler": "allow" }, + "mutators": [{ "handler": "noop" }] + }, + { + "id": "hydra-oauth2", + "description": "Hydra OAuth2 Endpoints", + "match": { + "url": "<.*>://sso-test.hmac.kr/oauth2/<.*>", + "methods": ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"] + }, + "upstream": { + "url": "http://hydra:4444" + }, + "authenticators": [{ "handler": "noop" }], + "authorizer": { "handler": "allow" }, + "mutators": [{ "handler": "noop" }] + }, + { + "id": "hydra-userinfo", + "description": "Hydra Userinfo", + "match": { + "url": "<.*>://sso-test.hmac.kr/userinfo", + "methods": ["GET", "POST", "OPTIONS"] + }, + "upstream": { + "url": "http://hydra:4444" + }, + "authenticators": [{ "handler": "noop" }], + "authorizer": { "handler": "allow" }, + "mutators": [{ "handler": "noop" }] } -] +] \ No newline at end of file diff --git a/docker/ory/oathkeeper/rules.prod.json b/docker/ory/oathkeeper/rules.prod.json old mode 100644 new mode 100755 index d6537966..ef5524d5 --- a/docker/ory/oathkeeper/rules.prod.json +++ b/docker/ory/oathkeeper/rules.prod.json @@ -9,13 +9,9 @@ "upstream": { "url": "http://baron_backend:3000" }, - "authenticators": [ - { "handler": "noop" } - ], + "authenticators": [{ "handler": "noop" }], "authorizer": { "handler": "allow" }, - "mutators": [ - { "handler": "noop" } - ] + "mutators": [{ "handler": "noop" }] }, { "id": "public-preflight", @@ -27,13 +23,9 @@ "upstream": { "url": "http://baron_backend:3000" }, - "authenticators": [ - { "handler": "noop" } - ], + "authenticators": [{ "handler": "noop" }], "authorizer": { "handler": "allow" }, - "mutators": [ - { "handler": "noop" } - ] + "mutators": [{ "handler": "noop" }] }, { "id": "public-auth", @@ -45,13 +37,9 @@ "upstream": { "url": "http://baron_backend:3000" }, - "authenticators": [ - { "handler": "noop" } - ], + "authenticators": [{ "handler": "noop" }], "authorizer": { "handler": "allow" }, - "mutators": [ - { "handler": "noop" } - ] + "mutators": [{ "handler": "noop" }] }, { "id": "backend-command", @@ -63,13 +51,9 @@ "upstream": { "url": "http://baron_backend:3000" }, - "authenticators": [ - { "handler": "cookie_session" } - ], + "authenticators": [{ "handler": "cookie_session" }], "authorizer": { "handler": "remote_json" }, - "mutators": [ - { "handler": "noop" } - ] + "mutators": [{ "handler": "noop" }] }, { "id": "backend-query", @@ -81,12 +65,8 @@ "upstream": { "url": "http://baron_backend:3000" }, - "authenticators": [ - { "handler": "cookie_session" } - ], + "authenticators": [{ "handler": "cookie_session" }], "authorizer": { "handler": "remote_json" }, - "mutators": [ - { "handler": "noop" } - ] + "mutators": [{ "handler": "noop" }] } ] diff --git a/docker/ory/oathkeeper/rules.stage.json b/docker/ory/oathkeeper/rules.stage.json old mode 100644 new mode 100755 index 3dabd9a0..e65e9d51 --- a/docker/ory/oathkeeper/rules.stage.json +++ b/docker/ory/oathkeeper/rules.stage.json @@ -3,90 +3,112 @@ "id": "public-health", "description": "공개 헬스체크 (STAGE 도메인)", "match": { - "url": "https://sso.hmac.kr/health", + "url": "<.*>://sso-test.hmac.kr/health", "methods": ["GET"] }, "upstream": { "url": "http://baron_backend:3000" }, - "authenticators": [ - { "handler": "noop" } - ], + "authenticators": [{ "handler": "noop" }], "authorizer": { "handler": "allow" }, - "mutators": [ - { "handler": "noop" } - ] + "mutators": [{ "handler": "noop" }] }, { "id": "public-preflight", "description": "CORS preflight (STAGE 도메인)", "match": { - "url": "https://sso.hmac.kr/api/v1/<.*>", + "url": "<.*>://sso-test.hmac.kr/api/v1/<.*>", "methods": ["OPTIONS"] }, "upstream": { "url": "http://baron_backend:3000" }, - "authenticators": [ - { "handler": "noop" } - ], + "authenticators": [{ "handler": "noop" }], "authorizer": { "handler": "allow" }, - "mutators": [ - { "handler": "noop" } - ] + "mutators": [{ "handler": "noop" }] }, { "id": "public-auth", "description": "인증/회원가입 등 공개 엔드포인트 (STAGE 도메인)", "match": { - "url": "https://sso.hmac.kr/api/v1/auth/<.*>", + "url": "<.*>://sso-test.hmac.kr/api/v1/auth/<.*>", "methods": ["GET", "POST", "OPTIONS"] }, "upstream": { "url": "http://baron_backend:3000" }, - "authenticators": [ - { "handler": "noop" } - ], + "authenticators": [{ "handler": "noop" }], "authorizer": { "handler": "allow" }, - "mutators": [ - { "handler": "noop" } - ] + "mutators": [{ "handler": "noop" }] }, { "id": "backend-command", "description": "Command 요청은 Backend로 전달 (Audit 강제)", "match": { - "url": "https://sso.hmac.kr/api/v1/<.*>", + "url": "<.*>://sso-test.hmac.kr/api/v1/<.*>", "methods": ["POST", "PUT", "PATCH", "DELETE"] }, "upstream": { "url": "http://baron_backend:3000" }, - "authenticators": [ - { "handler": "cookie_session" } - ], + "authenticators": [{ "handler": "cookie_session" }], "authorizer": { "handler": "remote_json" }, - "mutators": [ - { "handler": "noop" } - ] + "mutators": [{ "handler": "noop" }] }, { "id": "backend-query", "description": "Backend Query (admin/dev 포함)", "match": { - "url": "https://sso.hmac.kr/api/v1/<.*>", + "url": "<.*>://sso-test.hmac.kr/api/v1/<.*>", "methods": ["GET"] }, "upstream": { "url": "http://baron_backend:3000" }, - "authenticators": [ - { "handler": "cookie_session" } - ], + "authenticators": [{ "handler": "cookie_session" }], "authorizer": { "handler": "remote_json" }, - "mutators": [ - { "handler": "noop" } - ] + "mutators": [{ "handler": "noop" }] + }, + { + "id": "hydra-well-known", + "description": "Hydra OIDC Discovery & JWKS", + "match": { + "url": "<.*>://sso-test.hmac.kr/.well-known/<.*>", + "methods": ["GET", "OPTIONS"] + }, + "upstream": { + "url": "http://hydra:4444" + }, + "authenticators": [{ "handler": "noop" }], + "authorizer": { "handler": "allow" }, + "mutators": [{ "handler": "noop" }] + }, + { + "id": "hydra-oauth2", + "description": "Hydra OAuth2 Endpoints", + "match": { + "url": "<.*>://sso-test.hmac.kr/oauth2/<.*>", + "methods": ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"] + }, + "upstream": { + "url": "http://hydra:4444" + }, + "authenticators": [{ "handler": "noop" }], + "authorizer": { "handler": "allow" }, + "mutators": [{ "handler": "noop" }] + }, + { + "id": "hydra-userinfo", + "description": "Hydra Userinfo", + "match": { + "url": "<.*>://sso-test.hmac.kr/userinfo", + "methods": ["GET", "POST", "OPTIONS"] + }, + "upstream": { + "url": "http://hydra:4444" + }, + "authenticators": [{ "handler": "noop" }], + "authorizer": { "handler": "allow" }, + "mutators": [{ "handler": "noop" }] } -] +] \ No newline at end of file