Improved broker handling

- Added OAuth2.0 workflow to broker
- Added rabbitmq-client
- Updated client scopes default scopes
- Updated broker healthcheck

.python-stubs/publish_oauth2.py

+#!/bin/env python3
+import os
+
+import pika
+from dotenv import load_dotenv
+
+load_dotenv()
+
+if __name__ == "__main__":
+    token = os.getenv("TOKEN")
+    credentials = pika.credentials.PlainCredentials("mweise", token)
+    parameters = pika.ConnectionParameters('localhost', 5672, '/', credentials)
+
+    connection = pika.BlockingConnection(parameters)
+    channel = connection.channel()
+    channel.queue_declare(queue='test', durable=True)
+    channel.basic_publish(exchange='',
+                          routing_key='test',
+                          body=b'Hello World!')
+    print(" [x] Sent 'Hello World!'")
+    connection.close()

.python-stubs/requirements.txt

+pika==1.3.1
+python-dotenv==1.0.0
\ No newline at end of file

docker-compose.yml

@@ -146,8 +146,6 @@ services:
     depends_on:
       fda-discovery-service:
         condition: service_healthy
-      fda-broker-service:
-        condition: service_started
       fda-metadata-db:
         condition: service_healthy
     logging:
@@ -198,7 +196,7 @@ services:
       fda-search-service:
         condition: service_started
       fda-broker-service:
-        condition: service_started
+        condition: service_healthy
     logging:
       driver: json-file
 
@@ -303,6 +301,8 @@ services:
     depends_on:
       fda-discovery-service:
         condition: service_healthy
+      fda-authentication-service:
+        condition: service_healthy
     volumes:
       - broker-service-data:/var/lib/rabbitmq/
     logging:

fda-broker-service/Dockerfile

@@ -8,15 +8,18 @@ FROM rabbitmq:3-management-alpine as runtime
 ENV PYTHONUNBUFFERED=1
 
 COPY ./rabbitmq.conf /etc/rabbitmq/
-COPY ./docker-entrypoint.sh ./docker-entrypoint.sh
-RUN chmod +x ./docker-entrypoint.sh
 
 RUN apk --no-cache add python3 py3-pip
 COPY ./requirements.txt ./requirements.txt
 RUN pip3 install -r ./requirements.txt
 
+WORKDIR /app
+
 COPY ./init.py ./init.py
+COPY ./register.py ./register.py
+COPY ./service_ready /usr/bin/service_ready
+COPY ./docker-entrypoint.sh ./docker-entrypoint.sh
 
-EXPOSE 15692
+HEALTHCHECK --interval=10s --timeout=5s --retries=12 CMD service_ready
 
-ENTRYPOINT [ "./docker-entrypoint.sh" ]
+ENTRYPOINT [ "bash", "/app/docker-entrypoint.sh" ]
\ No newline at end of file

fda-broker-service/docker-entrypoint.sh

 #!/bin/bash
 
+# load jwt certificates
+python3 ./init.py
+
 # enable prometheus plugin
-(sleep 10; rabbitmq-plugins enable rabbitmq_prometheus rabbitmq_mqtt) &
+(sleep 10; rabbitmq-plugins enable rabbitmq_prometheus rabbitmq_mqtt; touch /ready) &
 
 # register with discovery service
-python3 ./init.py
-(while sleep 60; do python3 ./init.py; done) &
+python3 ./register.py
+(while sleep 60; do python3 ./register.py; done) &
 
 rabbitmq-server
\ No newline at end of file

fda-broker-service/init.py

-from py_eureka_client import eureka_client
+import requests as rq
 import py_eureka_client.logger as logger
 import datetime
 
 logger.set_level("ERROR")
 
 
-def register():
-    eureka_client.init(eureka_server="http://discovery-service:9090/eureka/",
-                       app_name="broker-service",
-                       instance_ip="broker-service",
-                       instance_host="broker-service",
-                       instance_port=15672)
-    log("Service registered")
+def get_cert() -> str:
+    body = rq.get("http://gateway-service:9095/api/auth/realms/dbrepo/protocol/openid-connect/certs").json()
+    for key in body["keys"]:
+        if key["alg"] != "RS256":
+            continue
+        cert = "-----BEGIN CERTIFICATE-----\n"
+        cert += key["x5c"][0]
+        cert += "\n-----END CERTIFICATE-----"
+        return cert
+
+
+def get_pubkey() -> str:
+    body = rq.get("http://gateway-service:9095/api/auth/realms/dbrepo").json()
+    pubkey = "-----BEGIN RSA PUBLIC KEY-----\n"
+    pubkey += body["public_key"]
+    pubkey += "\n-----END RSA PUBLIC KEY-----"
+    return pubkey
+
+
+def write_file(path, content):
+    with open(path, 'w') as f:
+        f.write(content)
 
 
 def log(message):
@@ -20,5 +35,10 @@ def log(message):
 
 
 if __name__ == "__main__":
-    log("Registering at discovery service ...")
-    register()
+    log("Retrieving certificate ...")
+    pem = get_cert()
+    pubkey = get_pubkey()
+    write_file("/app/cert.pem", pem)
+    log("saved cert to /app/cert.pem")
+    write_file("/app/pubkey.pem", pubkey)
+    log("saved cert to /app/pubkey.pem")

fda-broker-service/rabbitmq.conf

@@ -12,3 +12,17 @@ listeners.tcp.1 = 0.0.0.0:5672
 
 # logging
 log.file.level = warning
+
+# authentication backends
+auth_backends.1 = internal
+auth_backends.2 = oauth2
+
+# OAuth 2.0 files
+auth_oauth2.resource_server_id = rabbitmq
+#auth_oauth2.additional_scopes_key = my_custom_scope_key
+auth_oauth2.preferred_username_claims = preferred_username
+auth_oauth2.default_key = id1
+auth_oauth2.signing_keys.id1 = /app/pubkey.pem
+auth_oauth2.signing_keys.id2 = /app/cert.pem
+auth_oauth2.algorithms.1 = HS256
+auth_oauth2.algorithms.2 = RS256
\ No newline at end of file

fda-broker-service/register.py

+from py_eureka_client import eureka_client
+import py_eureka_client.logger as logger
+import datetime
+
+logger.set_level("ERROR")
+
+
+def register():
+    eureka_client.init(eureka_server="http://discovery-service:9090/eureka/",
+                       app_name="broker-service",
+                       instance_ip="broker-service",
+                       instance_host="broker-service",
+                       instance_port=15672)
+
+
+if __name__ == "__main__":
+    register()

fda-broker-service/requirements.txt

 py-eureka-client==0.11.3
+requests==2.28.2
\ No newline at end of file

fda-broker-service/service_ready

+#!/bin/bash
+if [ -f /ready ]; then
+  echo "service is ready and accepting connections"
+  exit 0
+fi
+exit 1
\ No newline at end of file