fix: isolated local dev environment

misc/compose/glauth/Dockerfile

@@ -0,0 +1,3 @@
+FROM glauth/glauth:v2.1.0
+
+COPY glauth.cfg /app/config/config.cfg

misc/compose/glauth/glauth.cfg

@@ -0,0 +1,37 @@
+debug = true
+
+[ldap]
+    enabled = true
+    listen = "0.0.0.0:389"
+
+[ldaps]
+  enabled = false
+
+[backend]
+  datastore = "config"
+  baseDN = "dc=example,dc=com"
+
+[[users]]
+  name = "admin"
+  mail = "admin@localhost"
+  uidnumber = 5001
+  primarygroup = 5501
+  passsha256 = "8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918"   # admin
+  [[users.capabilities]]
+    action = "search"
+    object = "*"
+  [[users.customattributes]]
+    objectClass = [ "inetOrgPerson" ]
+
+[[users]]
+  name = "jdoe"
+  mail = "jdoe@localhost"
+  uidnumber = 5006
+  primarygroup = 5501
+  passsha256 = "d30a5f57532a603697ccbb51558fa02ccadd74a0c499fcf9d45b33863ee1582f" # jdoe
+  [[users.customattributes]]
+    objectClass = [ "inetOrgPerson" ]
+
+[[groups]]
+  name = "webapps"
+  gidnumber = 5501

misc/compose/hydra/Dockerfile

@@ -0,0 +1,31 @@
+FROM oryd/hydra:v1.11.7
+
+ARG WAIT4X_VERSION="v1.1.0"
+
+USER root
+
+RUN apk add --no-cache gcompat jq
+
+# wait4x - utilisé pour attendre les services externes nécessaires au lancement d'hydra
+RUN /bin/sh -c "wget -q -O /usr/local/bin/wait4x https://github.com/atkrad/wait4x/releases/download/$WAIT4X_VERSION/wait4x-linux-amd64" \
+    && /bin/sh -c "chmod a+x /usr/local/bin/wait4x"
+
+COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+RUN /bin/sh -c "chmod +x /usr/local/bin/docker-entrypoint.sh"
+
+COPY run-hydra.sh /usr/local/bin/run-hydra
+RUN /bin/sh -c "chmod +x /usr/local/bin/run-hydra"
+
+RUN /bin/sh -c "mkdir -p /home/ory" \
+    && /bin/sh -c "chown -R ory: /home/ory"
+
+COPY clients.d /etc/hydra/clients.d
+
+COPY reload-hydra-clients.sh /usr/local/bin/reload-hydra-clients
+RUN /bin/sh -c "chmod +x /usr/local/bin/reload-hydra-clients"
+
+USER ory
+
+ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
+
+CMD ["/usr/local/bin/run-hydra"]

misc/compose/hydra/clients.d/oidc-test.json

@@ -0,0 +1,19 @@
+{
+	"client_id": "oidc-test",
+	"client_name": "OIDC Test",
+	"client_secret": "oidc-test-123456",
+	"grant_types": [
+		"authorization_code",
+		"refresh_token"
+	],
+	"jwks": {},
+	"metadata": {},
+	"token_endpoint_auth_method": "client_secret_post",
+	"post_logout_redirect_uris": ["http://localhost:8000"],
+	"redirect_uris": ["http://localhost:8000/oauth2/callback"],
+	"response_types": [
+		"code"
+	],
+	"logo_uri": "https://upload.wikimedia.org/wikipedia/commons/e/e1/Password.svg",
+	"scope": "openid profile email webhook"
+}

misc/compose/hydra/config.yml

@@ -0,0 +1,37 @@
+serve:
+  cookies:
+    same_site_mode: Lax
+
+  admin:
+    port: 4445
+    host: 0.0.0.0
+
+  public:
+    port: 4444
+    host: 0.0.0.0
+
+level: debug
+
+urls:
+  self:
+    # Adresse publique du serveur hydra
+    issuer:  http://localhost:8081
+  
+  # Configuration des login/consent/logout apps
+  consent: http://localhost:8082/auth/consent
+  login: http://localhost:8082/auth/login
+  logout: http://localhost:8082/auth/logout
+
+secrets:
+  system:
+    - youReallyNeedToChangeThis
+
+dsn: mysql://hydra:hydra@tcp(mariadb:3306)/hydra?parseTime=true
+
+oidc:
+  subject_identifiers:
+    supported_types:
+      - pairwise
+      - public
+    pairwise:
+      salt: youReallyNeedToChangeThis

misc/compose/hydra/docker-entrypoint.sh

@@ -0,0 +1,33 @@
+#!/bin/sh
+
+set -eo pipefail
+
+ # On attend que la base de données MySQL soit disponible
+/usr/local/bin/wait4x -t 60s mysql "hydra:hydra@tcp(mariadb:3306)/hydra"
+
+# Au premier lancement du conteneur...
+if [ ! -f "$HOME/.first-run" ]; then
+    # On exécute les migrations Hydra
+    /usr/bin/hydra migrate sql --read-from-env --yes -c /etc/hydra/config.yml
+
+    # On "marque" l'exécution
+    touch "$HOME/.first-run"
+fi
+
+# Démarrage de l'interface admin d'hydra en tâche de fond
+/usr/bin/hydra serve --dangerous-force-http admin -c /etc/hydra/config.yml &
+
+# On attend que le service hydra soit dispo
+/usr/local/bin/wait4x -t 60s http http://127.0.0.1:4445
+
+# Rechargement des clients OIDC
+/usr/local/bin/reload-hydra-clients
+
+# On stoppe l'interface admin d'hydra
+kill $(jobs -p)
+
+# On attend que le serveur Hydra soit stoppé
+/usr/local/bin/wait4x -v -t 60s http http://127.0.0.1:4445
+
+# On exécute la CMD Docker
+exec $@

misc/compose/hydra/reload-hydra-clients.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+set -x
+
+HYDRA_CLIENTS_DIR=/etc/hydra/clients.d
+HYDRA_ADMIN_ENDPOINT=http://127.0.0.1:4445
+
+for client_file in $HYDRA_CLIENTS_DIR/*.json; do
+    client_id=$(basename "$client_file" | cut -f 1 -d '.')
+    /usr/bin/hydra clients delete --skip-tls-verify --endpoint "$HYDRA_ADMIN_ENDPOINT" "$client_id"
+    /usr/bin/hydra clients import --skip-tls-verify --endpoint "$HYDRA_ADMIN_ENDPOINT" "$client_file"
+done

misc/compose/hydra/run-hydra.sh

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+set -xeo pipefail
+
+REDIRECT_URLS=$(cat /etc/hydra/clients.d/*.json | jq -n --stream 'fromstream(inputs) | (.redirect_uris + .post_logout_redirect_uris)' | jq -r '.[]')
+
+# À NE PAS FAIRE EN PRODUCTION !
+# Voir https://www.ory.sh/docs/hydra/debug#first-aid
+export OAUTH2_EXPOSE_INTERNAL_ERRORS=true
+
+/usr/bin/hydra \
+    serve   \
+    -c /etc/hydra/config.yml \
+    --dangerous-force-http \
+    --dangerous-allow-insecure-redirect-urls "$REDIRECT_URLS" \
+    all

misc/compose/mariadb/init-db.d/create_database_hydra.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -xeo pipefail
+
+echo "CREATE DATABASE IF NOT EXISTS \`hydra\`;" | "${mysql[@]}"
+echo "GRANT ALL ON \`hydra\`.* TO '$MYSQL_USER'@'%' ;" | "${mysql[@]}"