Feature/oidf 63

.docker/admin-server/Dockerfile

@@ -1,4 +1,4 @@
-FROM openjdk:21-jdk as builder
+FROM openjdk:21-jdk AS builder
 RUN microdnf install findutils
 
 WORKDIR /app
@@ -9,10 +9,17 @@ RUN chmod +x ./gradlew
 
 RUN ./gradlew :modules:admin-server:bootJar -x test -x allTests -x jsBrowserTest
 
-FROM openjdk:21-jdk as runner
+FROM openjdk:21-jdk AS runner
+RUN microdnf install curl
 
 WORKDIR /app
 
-COPY --from=builder /app/modules/admin-server/build/libs/admin-server-0.1.2-SNAPSHOT.jar ./admin-server-0.1.2.jar
+COPY --from=builder /app/modules/admin-server/build/libs/admin-server-*.jar ./admin-server.jar
+HEALTHCHECK --interval=30s --timeout=3s CMD curl -f http://localhost:8080/status || exit 1
 
-ENTRYPOINT ["java", "-jar", "admin-server-0.1.2.jar"]
+# Create non-root user
+RUN useradd -r -u 1002 -g root admin-server
+USER admin-server
+
+ENTRYPOINT ["java"]
+CMD ["-XX:MaxRAMPercentage=75.0", "-XX:InitialRAMPercentage=50.0", "-XX:+UseG1GC", "-jar", "admin-server.jar"]

.docker/federation-server/Dockerfile

@@ -1,4 +1,4 @@
-FROM openjdk:21-jdk as builder
+FROM openjdk:21-jdk AS builder
 RUN microdnf install findutils
 
 WORKDIR /app
@@ -9,10 +9,17 @@ RUN chmod +x ./gradlew
 
 RUN ./gradlew :modules:federation-server:bootJar -x test -x allTests -x jsBrowserTest
 
-FROM openjdk:21-jdk as runner
+FROM openjdk:21-jdk AS runner
+RUN microdnf install curl
 
 WORKDIR /app
 
-COPY --from=builder /app/modules/federation-server/build/libs/federation-server-0.1.2-SNAPSHOT.jar ./federation-server-0.1.2.jar
+COPY --from=builder /app/modules/federation-server/build/libs/federation-server-*.jar ./federation-server.jar
+HEALTHCHECK --interval=30s --timeout=3s CMD curl -f http://localhost:8080/status || exit 1
 
-ENTRYPOINT ["java", "-jar", "federation-server-0.1.2.jar"]
+# Create non-root user
+RUN useradd -r -u 1001 -g root federation-server
+USER federation-server
+
+ENTRYPOINT ["java"]
+CMD ["-XX:MaxRAMPercentage=75.0", "-XX:InitialRAMPercentage=50.0", "-XX:+UseG1GC", "-jar", "federation-server.jar"]

.github/workflows/ci.yml

@@ -1,10 +1,13 @@
 name: Run CI
+
 on:
   push:
   workflow_dispatch:
 
 jobs:
   gradle:
+    outputs:
+      success: ${{ steps.build.outcome == 'success' }}
     strategy:
       matrix:
         # Removed windows, because build failing with docker network. "bridge" network driver is not supported for Windows containers
@@ -18,34 +21,15 @@ jobs:
           distribution: temurin
           java-version: 21
 
-      - name: Run database
-        run: docker compose -f docker-compose.yaml up db -d
-        env:
-          DATASOURCE_USER: ${{ secrets.DATASOURCE_USER }}
-          DATASOURCE_PASSWORD: ${{ secrets.DATASOURCE_PASSWORD }}
-          DATASOURCE_URL: ${{ secrets.DATASOURCE_URL }}
-
-      - name: Run local KMS database
-        run: docker compose -f docker-compose.yaml up local-kms-db -d
-        env:
-          DATASOURCE_USER: ${{ secrets.LOCAL_KMS_DATASOURCE_USER }}
-          DATASOURCE_PASSWORD: ${{ secrets.LOCAL_KMS_DATASOURCE_PASSWORD }}
-          DATASOURCE_URL: ${{ secrets.LOCAL_KMS_DATASOURCE_URL }}
-
       - name: Setup Gradle
         uses: gradle/actions/setup-gradle@v4
 
       - name: Grant execute permission for Gradlew (Linux/Mac)
         if: runner.os != 'Windows'
         run: chmod +x ./gradlew
 
-      - name: Execute Gradle build
-        run: |
-          ./gradlew build
-          ./gradlew :modules:openapi:jsPublicPackageJson
-          ./gradlew :modules:openid-federation-common:jsPublicPackageJson
-          ./gradlew publishJsPackageToNpmjsRegistry
-          ./gradlew publishAllPublicationsToSphereon-opensourceRepository
+      - name: Execute build
+        id: build
         env:
           APP_KEY: ${{ secrets.APP_KEY }}
           DATASOURCE_USER: ${{ secrets.DATASOURCE_USER }}
@@ -58,3 +42,147 @@ jobs:
           NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
           KMS_PROVIDER: local
+        run: |
+          ./gradlew build
+          ./gradlew :modules:openapi:jsPublicPackageJson
+          ./gradlew :modules:openid-federation-common:jsPublicPackageJson
+          ./gradlew publishJsPackageToNpmjsRegistry
+          ./gradlew publishAllPublicationsToSphereon-opensourceRepository
+
+  auto-tag:
+    needs: gradle
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.get_version_info.outputs.new_version }}
+    if: github.event_name == 'repository_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged == true) || (github.event_name == 'push' && needs.gradle.outputs.success == 'true')
+    permissions:
+      contents: write
+      actions: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Get version info
+        id: get_version_info
+        run: |
+          git config --local user.email "${GITHUB_ACTOR}@users.noreply.github.com"
+          git config --local user.name "${GITHUB_ACTOR}"
+          EVENT_NAME="${{ github.event_name }}"
+          if [[ "$EVENT_NAME" == "pull_request" ]]; then
+            BRANCH_NAME="${{ github.event.pull_request.head.ref }}"
+          else
+            BRANCH_NAME="${GITHUB_REF#refs/heads/}"
+          fi
+          if [[ $BRANCH_NAME == "develop" ]]; then
+            PREFIX="dev"
+          elif [[ $BRANCH_NAME == "main" ]]; then
+            PREFIX="main"
+          elif [[ $BRANCH_NAME == feature/* ]]; then
+            PREFIX="feat"
+          elif [[ $BRANCH_NAME == hotfix/* ]]; then
+            PREFIX="fix"
+          elif [[ $BRANCH_NAME == release/* ]]; then
+            PREFIX="rel"
+          else
+            PREFIX="build"
+          fi
+          GRADLE_VERSION=$(grep 'version = ' build.gradle.kts | sed 's/.*version = "\(.*\)".*/\1/')
+          GRADLE_VERSION=${GRADLE_VERSION%-SNAPSHOT}
+          COMMIT_SHA=$(git rev-parse --short HEAD)
+          PR_NUMBER=${{ github.event.pull_request.number }}
+          if [[ -n $PR_NUMBER ]]; then
+            NEW_VERSION="v${GRADLE_VERSION}-${PREFIX}.pr${PR_NUMBER}.${COMMIT_SHA}"
+          else
+            NEW_VERSION="v${GRADLE_VERSION}-${PREFIX}.${COMMIT_SHA}"
+          fi
+          echo "new_version=${NEW_VERSION}" >> $GITHUB_OUTPUT
+          git tag -a ${NEW_VERSION} -m "Release ${NEW_VERSION}"
+          git push origin ${NEW_VERSION}
+
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  docker-publish:
+    needs: [gradle, auto-tag]
+    if: needs.gradle.outputs.success == 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Debug Event
+        run: |
+          echo "Event name: ${{ github.event_name }}"
+          echo "Ref type: ${{ github.ref_type }}"
+          echo "Ref: ${{ github.ref }}"
+          echo "SHA: ${{ github.sha }}"
+          echo "Base ref: ${{ github.base_ref }}"
+          echo "Head ref: ${{ github.head_ref }}"
+          echo "Workflow ref: ${{ github.workflow_ref }}"
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Extract metadata (federation-server)
+        id: meta-federation
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ secrets.DOCKERHUB_USERNAME }}/openid-federation-server
+          tags: |
+            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
+            type=raw,value=${{ needs.auto-tag.outputs.version }}
+
+      - name: Build and push federation-server
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./.docker/federation-server/Dockerfile
+          push: true
+          tags: ${{ steps.meta-federation.outputs.tags }}
+          labels: ${{ steps.meta-federation.outputs.labels }}
+          cache-from: |
+            type=registry,ref=${{ secrets.DOCKERHUB_USERNAME }}/openid-federation-server:latest
+            type=registry,ref=${{ secrets.DOCKERHUB_USERNAME }}/openid-federation-base:latest
+          cache-to: |
+            type=registry,ref=${{ secrets.DOCKERHUB_USERNAME }}/openid-federation-server:latest,mode=max
+            type=registry,ref=${{ secrets.DOCKERHUB_USERNAME }}/openid-federation-base:latest,mode=max
+
+      - name: Extract metadata (admin-server)
+        id: meta-admin
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ secrets.DOCKERHUB_USERNAME }}/openid-federation-admin-server
+          tags: |
+            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
+            type=raw,value=${{ needs.auto-tag.outputs.version }}
+
+      - name: Build and push admin-server
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./.docker/admin-server/Dockerfile
+          push: true
+          tags: ${{ steps.meta-admin.outputs.tags }}
+          labels: ${{ steps.meta-admin.outputs.labels }}
+          cache-from: |
+            type=registry,ref=${{ secrets.DOCKERHUB_USERNAME }}/openid-federation-admin-server:latest
+            type=registry,ref=${{ secrets.DOCKERHUB_USERNAME }}/openid-federation-base:latest
+          cache-to: |
+            type=registry,ref=${{ secrets.DOCKERHUB_USERNAME }}/openid-federation-admin-server:latest,mode=max
+            type=registry,ref=${{ secrets.DOCKERHUB_USERNAME }}/openid-federation-base:latest,mode=max

.gitignore

@@ -26,3 +26,9 @@ kotlin-js-store/
 .env.local
 /.docker/keycloak-dev/
 /modules/admin-server/logs/
+/logs/*
+/logs/admin-server/*
+/logs/federation-server/*
+!logs/.gitkeep
+!logs/admin-server/.gitkeep
+!logs/federation-server/.gitkeep

README.md

@@ -3,8 +3,17 @@
   <a href="https://www.sphereon.com"><img src="https://sphereon.com/content/themes/sphereon/assets/img/logo.svg" alt="Sphereon" width="400"></a>
   <br>OpenID Federation Monorepo
   <br>
+  <br>
 </h1>
 
+<div align="center">
+
+[![Snyk Security](https://snyk.io/test/github/Sphereon-Opensource/OpenID-Federation/badge.svg)](https://snyk.io/test/github/Sphereon-Opensource/OpenID-Federation)
+[![Docker Pulls](https://img.shields.io/docker/pulls/sphereon/openid-federation-server.svg)](https://hub.docker.com/r/sphereon/openid-federation-server)
+[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](LICENSE)
+
+</div>
+
 # Background
 
 OpenID Federation is a framework designed to facilitate the secure and interoperable interaction of entities within a
@@ -255,7 +264,8 @@ To create a new tenant account, follow these steps:
    }
    ```
 
-Note: All subsequent requests will use the `X-Account-Username` header to specify the account context. If not provided, it defaults to the root account.
+Note: All subsequent requests will use the `X-Account-Username` header to specify the account context. If not provided,
+it defaults to the root account.
 
 ## Step 5: Delete a Tenant Account
 
@@ -267,6 +277,7 @@ To delete a tenant account, follow these steps:
    DELETE http://localhost:8081/accounts
    X-Account-Username: {username} # root account cannot be deleted
    ```
+
 ## Step 6: Create and Manage Keys
 
 ### Create a New Key Pair
@@ -346,6 +357,7 @@ To assign metadata to your entity, follow these steps:
    DELETE http://localhost:8081/metadata/{id}
    X-Account-Username: {username}  # Optional, defaults to root
    ```
+
 ---
 
 ## Step 8: Create and Manage Subordinates
@@ -384,6 +396,7 @@ To assign metadata to your entity, follow these steps:
    DELETE http://localhost:8081/subordinates/{id}
    X-Account-Username: {username}  # Optional, defaults to root
    ```
+
 ---
 
 ## Step 9: Manage Subordinate Metadata
@@ -423,7 +436,9 @@ To assign metadata to your entity, follow these steps:
    DELETE http://localhost:8081/subordinates/{subordinateId}/metadata/{id}
    X-Account-Username: {username}  # Optional, defaults to root
    ```
+
 ---
+
 ## Step 10: Manage Subordinate JWKS
 
 ### Add a JWKS for a Subordinate
@@ -464,6 +479,7 @@ To assign metadata to your entity, follow these steps:
    ```
 
 ---
+
 ## Step 11: Get Subordinate Statement Object
 
 1. Send a `GET` request to retrieve the statement for a subordinate:
@@ -514,13 +530,15 @@ To assign metadata to your entity, follow these steps:
    X-Account-Username: {username}  # Optional, defaults to root
    ```
 
-2. Optionally, include a `dryRun` parameter in the request body to test the statement publication without making changes:
+2. Optionally, include a `dryRun` parameter in the request body to test the statement publication without making
+   changes:
 
    ```json
    {
        "dryRun": true
    }
    ```
+
 # Trust Marks
 
 ## Trust Mark Workflow
@@ -624,10 +642,11 @@ GET http://localhost:8080/trust-mark-issuer/trust-mark-status
     "sub": "https://example.com/holder"
 }
 ```
+
 # API Reference
 
 For the complete API documentation, please
-visit [the API Reference](https://github.com/Sphereon-Opensource/OpenID-Federation/)
+visit [the API Reference](https://app.swaggerhub.com/apis-docs/SphereonInt/OpenIDFederationAPI)
 
 # License