mirror of
https://github.com/valitydev/token-keeper.git
synced 2024-11-06 02:15:21 +00:00
212 lines
8.7 KiB
Plaintext
212 lines
8.7 KiB
Plaintext
[
|
|
{token_keeper, [
|
|
{ip, "::"},
|
|
{port, 8022},
|
|
{protocol_opts, #{
|
|
% How much to wait for another request before closing a keepalive connection? (ms)
|
|
request_timeout => 5000
|
|
}},
|
|
{transport_opts, #{
|
|
% Maximum number of simultaneous connections. (default = 1024)
|
|
max_connections => 8000,
|
|
% Size of the acceptor pool. (default = 10)
|
|
num_acceptors => 100
|
|
}},
|
|
% How much to wait for outstanding requests completion when asked to shut down? (ms)
|
|
{shutdown_timeout, 1000},
|
|
{woody_event_handlers, [
|
|
hay_woody_event_handler,
|
|
{scoper_woody_event_handler, #{
|
|
event_handler_opts => #{
|
|
formatter_opts => #{
|
|
max_length => 1000,
|
|
max_printable_string_length => 80
|
|
}
|
|
}
|
|
}}
|
|
]},
|
|
{health_check, #{
|
|
% disk => {erl_health, disk , ["/", 99]},
|
|
% memory => {erl_health, cg_memory, [99]},
|
|
% service => {erl_health, service , [<<"bouncer">>]}
|
|
}},
|
|
{blacklist, #{
|
|
%% Path to a .yaml file containing token blacklist entries
|
|
%% Refer to `config/token-blacklist.example.yaml` for information about its format
|
|
%% Blacklisting functionality is disabled when no file path is provided
|
|
path => "token-blacklist.yaml"
|
|
}},
|
|
{authorities, #{
|
|
<<"com.rbkmoney.access.capi">> =>
|
|
#{
|
|
%% Woody service config
|
|
service => #{
|
|
path => <<"/v2/authority/com.rbkmoney.access.capi">>
|
|
},
|
|
type =>
|
|
{ephemeral, #{
|
|
%% Token issuing config
|
|
token => #{
|
|
type => jwt
|
|
}
|
|
}}
|
|
},
|
|
<<"com.rbkmoney.apikeymgmt">> =>
|
|
#{
|
|
%% Woody service config
|
|
service => #{
|
|
path => <<"/v2/authority/com.rbkmoney.apikeymgmt">>
|
|
},
|
|
%% Woody handler config
|
|
type =>
|
|
{offline, #{
|
|
%% Token issuing config
|
|
token => #{
|
|
type => jwt
|
|
},
|
|
%% Storage config
|
|
storage => #{
|
|
name => <<"com.rbkmoney.apikeymgmt">>
|
|
}
|
|
}}
|
|
}
|
|
}},
|
|
{authenticator, #{
|
|
service => #{
|
|
path => <<"/v2/authenticator">>
|
|
},
|
|
authorities => #{
|
|
<<"com.rbkmoney.keycloak">> =>
|
|
#{
|
|
sources => [
|
|
%% Create a new bouncer context using token data
|
|
{extract, #{
|
|
%% Configuration for how to extract said context
|
|
methods => [
|
|
%% Create bouncer context from various legacy data the token has to offer
|
|
%% Avaiable options are: `phony_api_key`, `user_session_token`,
|
|
%% `invoice_template_access_token`, `detect_token`
|
|
%% - `user_session_token` requires `user_realm` option to be set
|
|
%% - `invoice_template_access_token` requires
|
|
%% `domain` option to be set (refer to legacy uac auth options)
|
|
%% - `detect_token` tries to determine wether the token is an
|
|
%% `phony_api_key` or `user_session_token` based on token's source context and
|
|
%% `user_session_token_origins` option
|
|
%% ALL extractor types require `metadata_ns` to be set
|
|
{detect_token, #{
|
|
%% phony_api_key options to use (can be used standalone)
|
|
phony_api_key_opts => #{
|
|
%% Where to put metadata
|
|
metadata_mappings => #{
|
|
party_id => <<"test.rbkmoney.party.id">>
|
|
}
|
|
},
|
|
%% user_session_token options to use (can be used standalone)
|
|
user_session_token_opts => #{
|
|
%% Realm of the user
|
|
user_realm => <<"external">>,
|
|
%% Where to put metadata
|
|
metadata_mappings => #{
|
|
user_id => <<"test.rbkmoney.user.id">>,
|
|
user_email => <<"test.rbkmoney.user.email">>,
|
|
user_realm => <<"test.rbkmoney.user.realm">>
|
|
}
|
|
},
|
|
%% List of origins using which we perform token classification
|
|
user_session_token_origins => [<<"http://localhost">>]
|
|
}}
|
|
]
|
|
}}
|
|
]
|
|
},
|
|
<<"com.rbkmoney.apikeymgmt">> =>
|
|
#{
|
|
sources => [
|
|
%% Fetch from storage
|
|
{storage, #{
|
|
name => <<"com.rbkmoney.apikeymgmt">>
|
|
}}
|
|
]
|
|
},
|
|
<<"com.rbkmoney.access.capi">> =>
|
|
#{
|
|
sources => [
|
|
%% Fetch from claim
|
|
{claim, #{}}
|
|
]
|
|
}
|
|
}
|
|
}},
|
|
{tokens, #{
|
|
jwt => #{
|
|
%% Provides the mapping between key id and authority id
|
|
authority_bindings => #{
|
|
<<"key.apikeymgmt">> => <<"com.rbkmoney.apikeymgmt">>,
|
|
<<"key.access.capi">> => <<"com.rbkmoney.access.capi">>,
|
|
<<"key.keycloak">> => <<"com.rbkmoney.keycloak">>
|
|
},
|
|
%% Provides a set of keys
|
|
keyset => #{
|
|
<<"key.apikeymgmt">> => #{
|
|
source => {pem_file, "keys/apikeymgmt/private.pem"}
|
|
},
|
|
<<"key.access.capi">> => #{
|
|
source => {pem_file, "keys/capi/private.pem"}
|
|
},
|
|
<<"key.keycloak">> => #{
|
|
source => {pem_file, "keys/keycloak/public.pem"}
|
|
}
|
|
}
|
|
}
|
|
}},
|
|
{storages, #{
|
|
<<"com.rbkmoney.apikeymgmt">> =>
|
|
{machinegun, #{
|
|
namespace => apikeymgmt,
|
|
automaton => #{
|
|
url => <<"http://machinegun:8022/v1/automaton">>,
|
|
event_handler => [scoper_woody_event_handler],
|
|
transport_opts => #{}
|
|
}
|
|
}}
|
|
}},
|
|
{machinegun, #{
|
|
processor => #{
|
|
path => <<"/v2/stateproc">>
|
|
}
|
|
}}
|
|
]},
|
|
{kernel, [
|
|
{logger_level, debug},
|
|
{logger, [
|
|
{handler, default, logger_std_h, #{
|
|
config => #{
|
|
type => {file, "/var/log/token-keeper/log.json"}
|
|
},
|
|
formatter => {logger_logstash_formatter, #{}}
|
|
}}
|
|
]}
|
|
]},
|
|
% {how_are_you, [
|
|
% {metrics_publishers, [
|
|
% {hay_statsd_publisher, #{
|
|
% key_prefix => <<"bender.">>,
|
|
% host => "localhost",
|
|
% port => 8125
|
|
% }}
|
|
% ]}
|
|
% ]},
|
|
{scoper, [
|
|
{storage, scoper_storage_logger}
|
|
]},
|
|
{snowflake, [
|
|
% 1 second
|
|
{max_backward_clock_moving, 1000}
|
|
% {machine_id, hostname_hash}
|
|
]},
|
|
|
|
{prometheus, [
|
|
{collectors, [default]}
|
|
]}
|
|
].
|