Create docker-compose file for custom installation
Adding the maven docker container build command via Maven. This ensures that we don't need to local Docker daemon to build the container. Also, the container layers are smaller because of the usage of `jib` a maven-plugin by Google. Read more at: https://phauer.com/2019/no-fat-jar-in-docker-image/
Also adding seed data for MongoDB that allows us to ship with existing data in the database when users install our app.
See merge request theappsmith/internal-tools-server!41
Note that we have to delete the Mongo volume for the inidtb script to take effect. Else, it will not execute. To be used only for testing right now. Will figure out a more robust solution later.
Also using Google's JIB Maven plugin to reduce our Docker image footprint. Will make container upload and download much faster
Serving static bundle for ACL in Open Policy Agent
Open Policy Agent requires the server to serve a static bundle (tar.gz) file that contains the list of policies and data (if any) on which the authorization will be conducted on. This has been implemented using RouterFunctions (for lack of a better implementation) and at the moment, the bundle is served without any authentication.
TODO: In the future, add authentication just for this endpoint so that only the OPA server can access this bundle.
Also optimizing the AclFilter to make a single MongoDB query instead of multiple for each group that the user is a part of.
See merge request theappsmith/internal-tools-server!39
Open Policy Agent requires a bundle in the form of tar.gz in order to bootstrap itself with base policy and data. The server will serve this policy under the public domain. In the future, we will enable a Basic Authentication scheme in order to lock down this pocliy.
ACL Framework for limiting access to various controllers
We use open policy agent (OPA) in order to control ACL. The policy file is present in `src/main/resources/acl.policy` file.
The `ACLFilter` will apply the ACL policy for all endpoints. In the future, we'll add a regex to the URL matcher to ensure that public URLs do not have ACL filters applying to them. The actual API call to OPA side-car is made through `ACLService`
For permissions, the hierarchy of data is org -> groups -> permissions. Users will be part of groups and also have individual permissions (if required). While evaluating their ACL, we will consider a union of the resolved permissions from groups and user-specific permissions. All control will then be applied on those permissions only.
Also adding a `signupController` & `SignupService` that creates the org, default groups for the org and assigns the admin user to the org. This will ensure that on user signup, the user becomes the admin of their created or. This flow will undergo more changes as we develop the signup flow with the client.
See merge request theappsmith/internal-tools-server!36
Currently, ACLFilter communicates with the OPA daemon to determine if the request should be validated or not based on the resource and permissions in user and group
This also fixes the logic for multiple ResponseDTOs that were being sent when the service level response was a Flux. Now we only return a single array inside a Mono ResponseDTO object.
