kevin/baron-sso
1
0
Fork 0
forked from baron/baron-sso
Code Pull Requests Activity

Gitea 연동을 위한 Hydra Issuer 및 Oathkeeper 규칙 설정

Browse Source
This commit is contained in:
김용연
2026-01-30 16:05:23 +09:00
parent c6c6bd2092
commit 10b3d93538
8 changed files with 209 additions and 181 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
compose.ory.yaml
View File

@@ -160,6 +160,7 @@ services:
- "4457:4455" # Proxy - "4457:4455" # Proxy
environment: environment:
- APP_ENV=${APP_ENV:-development} - APP_ENV=${APP_ENV:-development}
- LOG_LEVEL=debug
volumes: volumes:
- ./docker/ory/oathkeeper:/etc/config/oathkeeper - ./docker/ory/oathkeeper:/etc/config/oathkeeper
- ./docker/ory/oathkeeper/logs:/var/log/oathkeeper - ./docker/ory/oathkeeper/logs:/var/log/oathkeeper

7
docker/ory/oathkeeper/entrypoint.sh
View File

@@ -24,7 +24,12 @@ if [ ! -f "$RULES_FILE" ]; then
echo "[oathkeeper] rules file not found: $RULES_FILE" echo "[oathkeeper] rules file not found: $RULES_FILE"
exit 1 exit 1
fi fi
cp "$RULES_FILE" "$RULES_ACTIVE"
# Remove existing active rules file to prevent overwrite issues (File exists/Permission denied)
if [ -f "$RULES_ACTIVE" ]; then
rm -f "$RULES_ACTIVE" || echo "[oathkeeper] Warning: Failed to remove existing rules.active.json"
fi
cp -f "$RULES_FILE" "$RULES_ACTIVE" || echo "[oathkeeper] Warning: Failed to copy rules file. Using existing if present."
LOG_DIR="/var/log/oathkeeper" LOG_DIR="/var/log/oathkeeper"
LOG_FILE="${LOG_DIR}/access.log" LOG_FILE="${LOG_DIR}/access.log"

0
docker/ory/oathkeeper/oathkeeper.yml Normal file → Executable file
View File

100
docker/ory/oathkeeper/rules.active.json Normal file → Executable file
View File

@@ -1,92 +1,114 @@
[ [
{ {
"id": "public-health", "id": "public-health",
"description": "공개 헬스체크", "description": "공개 헬스체크 (STAGE 도메인)",
"match": { "match": {
"url": "http://<.*>/health", "url": "<.*>://sso-test.hmac.kr/health",
"methods": ["GET"] "methods": ["GET"]
}, },
"upstream": { "upstream": {
"url": "http://baron_backend:3000" "url": "http://baron_backend:3000"
}, },
"authenticators": [ "authenticators": [{ "handler": "noop" }],
{ "handler": "noop" }
],
"authorizer": { "handler": "allow" }, "authorizer": { "handler": "allow" },
"mutators": [ "mutators": [{ "handler": "noop" }]
{ "handler": "noop" }
]
}, },
{ {
"id": "public-preflight", "id": "public-preflight",
"description": "CORS preflight", "description": "CORS preflight (STAGE 도메인)",
"match": { "match": {
"url": "http://<.*>/api/v1/<.*>", "url": "<.*>://sso-test.hmac.kr/api/v1/<.*>",
"methods": ["OPTIONS"] "methods": ["OPTIONS"]
}, },
"upstream": { "upstream": {
"url": "http://baron_backend:3000" "url": "http://baron_backend:3000"
}, },
"authenticators": [ "authenticators": [{ "handler": "noop" }],
{ "handler": "noop" }
],
"authorizer": { "handler": "allow" }, "authorizer": { "handler": "allow" },
"mutators": [ "mutators": [{ "handler": "noop" }]
{ "handler": "noop" }
]
}, },
{ {
"id": "public-auth", "id": "public-auth",
"description": "인증/회원가입 등 공개 엔드포인트", "description": "인증/회원가입 등 공개 엔드포인트 (STAGE 도메인)",
"match": { "match": {
"url": "http://<.*>/api/v1/auth/<.*>", "url": "<.*>://sso-test.hmac.kr/api/v1/auth/<.*>",
"methods": ["GET", "POST", "OPTIONS"] "methods": ["GET", "POST", "OPTIONS"]
}, },
"upstream": { "upstream": {
"url": "http://baron_backend:3000" "url": "http://baron_backend:3000"
}, },
"authenticators": [ "authenticators": [{ "handler": "noop" }],
{ "handler": "noop" }
],
"authorizer": { "handler": "allow" }, "authorizer": { "handler": "allow" },
"mutators": [ "mutators": [{ "handler": "noop" }]
{ "handler": "noop" }
]
}, },
{ {
"id": "backend-command", "id": "backend-command",
"description": "Command 요청은 Backend로 전달 (Audit 강제)", "description": "Command 요청은 Backend로 전달 (Audit 강제)",
"match": { "match": {
"url": "http://<.*>/api/v1/<.*>", "url": "<.*>://sso-test.hmac.kr/api/v1/<.*>",
"methods": ["POST", "PUT", "PATCH", "DELETE"] "methods": ["POST", "PUT", "PATCH", "DELETE"]
}, },
"upstream": { "upstream": {
"url": "http://baron_backend:3000" "url": "http://baron_backend:3000"
}, },
"authenticators": [ "authenticators": [{ "handler": "cookie_session" }],
{ "handler": "cookie_session" }
],
"authorizer": { "handler": "remote_json" }, "authorizer": { "handler": "remote_json" },
"mutators": [ "mutators": [{ "handler": "noop" }]
{ "handler": "noop" }
]
}, },
{ {
"id": "backend-query", "id": "backend-query",
"description": "Backend Query (admin/dev 포함)", "description": "Backend Query (admin/dev 포함)",
"match": { "match": {
"url": "http://<.*>/api/v1/<.*>", "url": "<.*>://sso-test.hmac.kr/api/v1/<.*>",
"methods": ["GET"] "methods": ["GET"]
}, },
"upstream": { "upstream": {
"url": "http://baron_backend:3000" "url": "http://baron_backend:3000"
}, },
"authenticators": [ "authenticators": [{ "handler": "cookie_session" }],
{ "handler": "cookie_session" }
],
"authorizer": { "handler": "remote_json" }, "authorizer": { "handler": "remote_json" },
"mutators": [ "mutators": [{ "handler": "noop" }]
{ "handler": "noop" } },
] {
"id": "hydra-well-known",
"description": "Hydra OIDC Discovery & JWKS",
"match": {
"url": "<.*>://sso-test.hmac.kr/.well-known/<.*>",
"methods": ["GET", "OPTIONS"]
},
"upstream": {
"url": "http://hydra:4444"
},
"authenticators": [{ "handler": "noop" }],
"authorizer": { "handler": "allow" },
"mutators": [{ "handler": "noop" }]
},
{
"id": "hydra-oauth2",
"description": "Hydra OAuth2 Endpoints",
"match": {
"url": "<.*>://sso-test.hmac.kr/oauth2/<.*>",
"methods": ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"]
},
"upstream": {
"url": "http://hydra:4444"
},
"authenticators": [{ "handler": "noop" }],
"authorizer": { "handler": "allow" },
"mutators": [{ "handler": "noop" }]
},
{
"id": "hydra-userinfo",
"description": "Hydra Userinfo",
"match": {
"url": "<.*>://sso-test.hmac.kr/userinfo",
"methods": ["GET", "POST", "OPTIONS"]
},
"upstream": {
"url": "http://hydra:4444"
},
"authenticators": [{ "handler": "noop" }],
"authorizer": { "handler": "allow" },
"mutators": [{ "handler": "noop" }]
} }
] ]

48
docker/ory/oathkeeper/rules.draft.json Normal file → Executable file
View File

@@ -9,13 +9,9 @@
"upstream": { "upstream": {
"url": "http://baron_backend:3000" "url": "http://baron_backend:3000"
}, },
"authenticators": [ "authenticators": [{ "handler": "noop" }],
{ "handler": "noop" }
],
"authorizer": { "handler": "allow" }, "authorizer": { "handler": "allow" },
"mutators": [ "mutators": [{ "handler": "noop" }]
{ "handler": "noop" }
]
}, },
{ {
"id": "public-auth", "id": "public-auth",
@@ -27,13 +23,9 @@
"upstream": { "upstream": {
"url": "http://baron_backend:3000" "url": "http://baron_backend:3000"
}, },
"authenticators": [ "authenticators": [{ "handler": "noop" }],
{ "handler": "noop" }
],
"authorizer": { "handler": "allow" }, "authorizer": { "handler": "allow" },
"mutators": [ "mutators": [{ "handler": "noop" }]
{ "handler": "noop" }
]
}, },
{ {
"id": "backend-command", "id": "backend-command",
@@ -45,13 +37,9 @@
"upstream": { "upstream": {
"url": "http://baron_backend:3000" "url": "http://baron_backend:3000"
}, },
"authenticators": [ "authenticators": [{ "handler": "cookie_session" }],
{ "handler": "cookie_session" }
],
"authorizer": { "handler": "remote_json" }, "authorizer": { "handler": "remote_json" },
"mutators": [ "mutators": [{ "handler": "noop" }]
{ "handler": "noop" }
]
}, },
{ {
"id": "backend-query", "id": "backend-query",
@@ -63,13 +51,9 @@
"upstream": { "upstream": {
"url": "http://baron_backend:3000" "url": "http://baron_backend:3000"
}, },
"authenticators": [ "authenticators": [{ "handler": "cookie_session" }],
{ "handler": "cookie_session" }
],
"authorizer": { "handler": "remote_json" }, "authorizer": { "handler": "remote_json" },
"mutators": [ "mutators": [{ "handler": "noop" }]
{ "handler": "noop" }
]
}, },
{ {
"id": "kratos-public", "id": "kratos-public",
@@ -82,13 +66,9 @@
"url": "http://kratos:4433", "url": "http://kratos:4433",
"strip_path": "/kratos" "strip_path": "/kratos"
}, },
"authenticators": [ "authenticators": [{ "handler": "noop" }],
{ "handler": "noop" }
],
"authorizer": { "handler": "allow" }, "authorizer": { "handler": "allow" },
"mutators": [ "mutators": [{ "handler": "noop" }]
{ "handler": "noop" }
]
}, },
{ {
"id": "hydra-public", "id": "hydra-public",
@@ -101,12 +81,8 @@
"url": "http://hydra:4444", "url": "http://hydra:4444",
"strip_path": "/hydra" "strip_path": "/hydra"
}, },
"authenticators": [ "authenticators": [{ "handler": "noop" }],
{ "handler": "noop" }
],
"authorizer": { "handler": "allow" }, "authorizer": { "handler": "allow" },
"mutators": [ "mutators": [{ "handler": "noop" }]
{ "handler": "noop" }
]
} }
] ]

100
docker/ory/oathkeeper/rules.json Normal file → Executable file
View File

@@ -1,92 +1,114 @@
[ [
{ {
"id": "public-health", "id": "public-health",
"description": "공개 헬스체크", "description": "공개 헬스체크 (STAGE 도메인)",
"match": { "match": {
"url": "http://<.*>/health", "url": "<.*>://sso-test.hmac.kr/health",
"methods": ["GET"] "methods": ["GET"]
}, },
"upstream": { "upstream": {
"url": "http://baron_backend:3000" "url": "http://baron_backend:3000"
}, },
"authenticators": [ "authenticators": [{ "handler": "noop" }],
{ "handler": "noop" }
],
"authorizer": { "handler": "allow" }, "authorizer": { "handler": "allow" },
"mutators": [ "mutators": [{ "handler": "noop" }]
{ "handler": "noop" }
]
}, },
{ {
"id": "public-preflight", "id": "public-preflight",
"description": "CORS preflight", "description": "CORS preflight (STAGE 도메인)",
"match": { "match": {
"url": "http://<.*>/api/v1/<.*>", "url": "<.*>://sso-test.hmac.kr/api/v1/<.*>",
"methods": ["OPTIONS"] "methods": ["OPTIONS"]
}, },
"upstream": { "upstream": {
"url": "http://baron_backend:3000" "url": "http://baron_backend:3000"
}, },
"authenticators": [ "authenticators": [{ "handler": "noop" }],
{ "handler": "noop" }
],
"authorizer": { "handler": "allow" }, "authorizer": { "handler": "allow" },
"mutators": [ "mutators": [{ "handler": "noop" }]
{ "handler": "noop" }
]
}, },
{ {
"id": "public-auth", "id": "public-auth",
"description": "인증/회원가입 등 공개 엔드포인트", "description": "인증/회원가입 등 공개 엔드포인트 (STAGE 도메인)",
"match": { "match": {
"url": "http://<.*>/api/v1/auth/<.*>", "url": "<.*>://sso-test.hmac.kr/api/v1/auth/<.*>",
"methods": ["GET", "POST", "OPTIONS"] "methods": ["GET", "POST", "OPTIONS"]
}, },
"upstream": { "upstream": {
"url": "http://baron_backend:3000" "url": "http://baron_backend:3000"
}, },
"authenticators": [ "authenticators": [{ "handler": "noop" }],
{ "handler": "noop" }
],
"authorizer": { "handler": "allow" }, "authorizer": { "handler": "allow" },
"mutators": [ "mutators": [{ "handler": "noop" }]
{ "handler": "noop" }
]
}, },
{ {
"id": "backend-command", "id": "backend-command",
"description": "Command 요청은 Backend로 전달 (Audit 강제)", "description": "Command 요청은 Backend로 전달 (Audit 강제)",
"match": { "match": {
"url": "http://<.*>/api/v1/<.*>", "url": "<.*>://sso-test.hmac.kr/api/v1/<.*>",
"methods": ["POST", "PUT", "PATCH", "DELETE"] "methods": ["POST", "PUT", "PATCH", "DELETE"]
}, },
"upstream": { "upstream": {
"url": "http://baron_backend:3000" "url": "http://baron_backend:3000"
}, },
"authenticators": [ "authenticators": [{ "handler": "cookie_session" }],
{ "handler": "cookie_session" }
],
"authorizer": { "handler": "remote_json" }, "authorizer": { "handler": "remote_json" },
"mutators": [ "mutators": [{ "handler": "noop" }]
{ "handler": "noop" }
]
}, },
{ {
"id": "backend-query", "id": "backend-query",
"description": "Backend Query (admin/dev 포함)", "description": "Backend Query (admin/dev 포함)",
"match": { "match": {
"url": "http://<.*>/api/v1/<.*>", "url": "<.*>://sso-test.hmac.kr/api/v1/<.*>",
"methods": ["GET"] "methods": ["GET"]
}, },
"upstream": { "upstream": {
"url": "http://baron_backend:3000" "url": "http://baron_backend:3000"
}, },
"authenticators": [ "authenticators": [{ "handler": "cookie_session" }],
{ "handler": "cookie_session" }
],
"authorizer": { "handler": "remote_json" }, "authorizer": { "handler": "remote_json" },
"mutators": [ "mutators": [{ "handler": "noop" }]
{ "handler": "noop" } },
] {
"id": "hydra-well-known",
"description": "Hydra OIDC Discovery & JWKS",
"match": {
"url": "<.*>://sso-test.hmac.kr/.well-known/<.*>",
"methods": ["GET", "OPTIONS"]
},
"upstream": {
"url": "http://hydra:4444"
},
"authenticators": [{ "handler": "noop" }],
"authorizer": { "handler": "allow" },
"mutators": [{ "handler": "noop" }]
},
{
"id": "hydra-oauth2",
"description": "Hydra OAuth2 Endpoints",
"match": {
"url": "<.*>://sso-test.hmac.kr/oauth2/<.*>",
"methods": ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"]
},
"upstream": {
"url": "http://hydra:4444"
},
"authenticators": [{ "handler": "noop" }],
"authorizer": { "handler": "allow" },
"mutators": [{ "handler": "noop" }]
},
{
"id": "hydra-userinfo",
"description": "Hydra Userinfo",
"match": {
"url": "<.*>://sso-test.hmac.kr/userinfo",
"methods": ["GET", "POST", "OPTIONS"]
},
"upstream": {
"url": "http://hydra:4444"
},
"authenticators": [{ "handler": "noop" }],
"authorizer": { "handler": "allow" },
"mutators": [{ "handler": "noop" }]
} }
] ]

40
docker/ory/oathkeeper/rules.prod.json Normal file → Executable file
View File

@@ -9,13 +9,9 @@
"upstream": { "upstream": {
"url": "http://baron_backend:3000" "url": "http://baron_backend:3000"
}, },
"authenticators": [ "authenticators": [{ "handler": "noop" }],
{ "handler": "noop" }
],
"authorizer": { "handler": "allow" }, "authorizer": { "handler": "allow" },
"mutators": [ "mutators": [{ "handler": "noop" }]
{ "handler": "noop" }
]
}, },
{ {
"id": "public-preflight", "id": "public-preflight",
@@ -27,13 +23,9 @@
"upstream": { "upstream": {
"url": "http://baron_backend:3000" "url": "http://baron_backend:3000"
}, },
"authenticators": [ "authenticators": [{ "handler": "noop" }],
{ "handler": "noop" }
],
"authorizer": { "handler": "allow" }, "authorizer": { "handler": "allow" },
"mutators": [ "mutators": [{ "handler": "noop" }]
{ "handler": "noop" }
]
}, },
{ {
"id": "public-auth", "id": "public-auth",
@@ -45,13 +37,9 @@
"upstream": { "upstream": {
"url": "http://baron_backend:3000" "url": "http://baron_backend:3000"
}, },
"authenticators": [ "authenticators": [{ "handler": "noop" }],
{ "handler": "noop" }
],
"authorizer": { "handler": "allow" }, "authorizer": { "handler": "allow" },
"mutators": [ "mutators": [{ "handler": "noop" }]
{ "handler": "noop" }
]
}, },
{ {
"id": "backend-command", "id": "backend-command",
@@ -63,13 +51,9 @@
"upstream": { "upstream": {
"url": "http://baron_backend:3000" "url": "http://baron_backend:3000"
}, },
"authenticators": [ "authenticators": [{ "handler": "cookie_session" }],
{ "handler": "cookie_session" }
],
"authorizer": { "handler": "remote_json" }, "authorizer": { "handler": "remote_json" },
"mutators": [ "mutators": [{ "handler": "noop" }]
{ "handler": "noop" }
]
}, },
{ {
"id": "backend-query", "id": "backend-query",
@@ -81,12 +65,8 @@
"upstream": { "upstream": {
"url": "http://baron_backend:3000" "url": "http://baron_backend:3000"
}, },
"authenticators": [ "authenticators": [{ "handler": "cookie_session" }],
{ "handler": "cookie_session" }
],
"authorizer": { "handler": "remote_json" }, "authorizer": { "handler": "remote_json" },
"mutators": [ "mutators": [{ "handler": "noop" }]
{ "handler": "noop" }
]
} }
] ]

94
docker/ory/oathkeeper/rules.stage.json Normal file → Executable file
View File

@@ -3,90 +3,112 @@
"id": "public-health", "id": "public-health",
"description": "공개 헬스체크 (STAGE 도메인)", "description": "공개 헬스체크 (STAGE 도메인)",
"match": { "match": {
"url": "https://sso.hmac.kr/health", "url": "<.*>://sso-test.hmac.kr/health",
"methods": ["GET"] "methods": ["GET"]
}, },
"upstream": { "upstream": {
"url": "http://baron_backend:3000" "url": "http://baron_backend:3000"
}, },
"authenticators": [ "authenticators": [{ "handler": "noop" }],
{ "handler": "noop" }
],
"authorizer": { "handler": "allow" }, "authorizer": { "handler": "allow" },
"mutators": [ "mutators": [{ "handler": "noop" }]
{ "handler": "noop" }
]
}, },
{ {
"id": "public-preflight", "id": "public-preflight",
"description": "CORS preflight (STAGE 도메인)", "description": "CORS preflight (STAGE 도메인)",
"match": { "match": {
"url": "https://sso.hmac.kr/api/v1/<.*>", "url": "<.*>://sso-test.hmac.kr/api/v1/<.*>",
"methods": ["OPTIONS"] "methods": ["OPTIONS"]
}, },
"upstream": { "upstream": {
"url": "http://baron_backend:3000" "url": "http://baron_backend:3000"
}, },
"authenticators": [ "authenticators": [{ "handler": "noop" }],
{ "handler": "noop" }
],
"authorizer": { "handler": "allow" }, "authorizer": { "handler": "allow" },
"mutators": [ "mutators": [{ "handler": "noop" }]
{ "handler": "noop" }
]
}, },
{ {
"id": "public-auth", "id": "public-auth",
"description": "인증/회원가입 등 공개 엔드포인트 (STAGE 도메인)", "description": "인증/회원가입 등 공개 엔드포인트 (STAGE 도메인)",
"match": { "match": {
"url": "https://sso.hmac.kr/api/v1/auth/<.*>", "url": "<.*>://sso-test.hmac.kr/api/v1/auth/<.*>",
"methods": ["GET", "POST", "OPTIONS"] "methods": ["GET", "POST", "OPTIONS"]
}, },
"upstream": { "upstream": {
"url": "http://baron_backend:3000" "url": "http://baron_backend:3000"
}, },
"authenticators": [ "authenticators": [{ "handler": "noop" }],
{ "handler": "noop" }
],
"authorizer": { "handler": "allow" }, "authorizer": { "handler": "allow" },
"mutators": [ "mutators": [{ "handler": "noop" }]
{ "handler": "noop" }
]
}, },
{ {
"id": "backend-command", "id": "backend-command",
"description": "Command 요청은 Backend로 전달 (Audit 강제)", "description": "Command 요청은 Backend로 전달 (Audit 강제)",
"match": { "match": {
"url": "https://sso.hmac.kr/api/v1/<.*>", "url": "<.*>://sso-test.hmac.kr/api/v1/<.*>",
"methods": ["POST", "PUT", "PATCH", "DELETE"] "methods": ["POST", "PUT", "PATCH", "DELETE"]
}, },
"upstream": { "upstream": {
"url": "http://baron_backend:3000" "url": "http://baron_backend:3000"
}, },
"authenticators": [ "authenticators": [{ "handler": "cookie_session" }],
{ "handler": "cookie_session" }
],
"authorizer": { "handler": "remote_json" }, "authorizer": { "handler": "remote_json" },
"mutators": [ "mutators": [{ "handler": "noop" }]
{ "handler": "noop" }
]
}, },
{ {
"id": "backend-query", "id": "backend-query",
"description": "Backend Query (admin/dev 포함)", "description": "Backend Query (admin/dev 포함)",
"match": { "match": {
"url": "https://sso.hmac.kr/api/v1/<.*>", "url": "<.*>://sso-test.hmac.kr/api/v1/<.*>",
"methods": ["GET"] "methods": ["GET"]
}, },
"upstream": { "upstream": {
"url": "http://baron_backend:3000" "url": "http://baron_backend:3000"
}, },
"authenticators": [ "authenticators": [{ "handler": "cookie_session" }],
{ "handler": "cookie_session" }
],
"authorizer": { "handler": "remote_json" }, "authorizer": { "handler": "remote_json" },
"mutators": [ "mutators": [{ "handler": "noop" }]
{ "handler": "noop" } },
] {
"id": "hydra-well-known",
"description": "Hydra OIDC Discovery & JWKS",
"match": {
"url": "<.*>://sso-test.hmac.kr/.well-known/<.*>",
"methods": ["GET", "OPTIONS"]
},
"upstream": {
"url": "http://hydra:4444"
},
"authenticators": [{ "handler": "noop" }],
"authorizer": { "handler": "allow" },
"mutators": [{ "handler": "noop" }]
},
{
"id": "hydra-oauth2",
"description": "Hydra OAuth2 Endpoints",
"match": {
"url": "<.*>://sso-test.hmac.kr/oauth2/<.*>",
"methods": ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"]
},
"upstream": {
"url": "http://hydra:4444"
},
"authenticators": [{ "handler": "noop" }],
"authorizer": { "handler": "allow" },
"mutators": [{ "handler": "noop" }]
},
{
"id": "hydra-userinfo",
"description": "Hydra Userinfo",
"match": {
"url": "<.*>://sso-test.hmac.kr/userinfo",
"methods": ["GET", "POST", "OPTIONS"]
},
"upstream": {
"url": "http://hydra:4444"
},
"authenticators": [{ "handler": "noop" }],
"authorizer": { "handler": "allow" },
"mutators": [{ "handler": "noop" }]
} }
] ]