Improve opensearch query in order to find parts of a word in the documents
(e.g: "bee" will match bee, beehive, beetle, beer, etc...)
Signed-off-by: Fabre Florian <ffabre@hybird.org>
The previous commit has allowed to run Docs and Find projects
stacks together with a tweak : Find must use the keycloak OIDC
endpoints of Docs on the 'nginx' domain for ResourceServer authentication
and introspection.
This configuration broke the OIDC token claims validation because the iss
from the token of the 'impress' user is 'localhost' and not 'nginx'.
To fix it in deveolopment mode we add a OIDC_RS_VERIFY_CLAIMS setting that
controls the token claims validation in FinderResourceServerBackend:
- Enabled by default
- Forced in production mode
Signed-off-by: Fabre Florian <ffabre@hybird.org>
Populate a service configuration "docs" for development.
Move OIDC endpoints to the "impress" realm to allow introspection
of Docs tokens.
Upgrade version of dependencies (fix some security issues).
Signed-off-by: Fabre Florian <ffabre@hybird.org>
New fulltext search view for indexed documents with OIDC authentication
Extract token information through introspection to get the audience & user info
Limit access to documents :
- public & authenticated with linkreach to the user
- owned by the user
Check intersection between the allowed services linked to the
audience/client_id and the requested ones.
Signed-off-by: Fabre Florian <ffabre@hybird.org>
In indexation view, raise a validation error only when both the
title & content of a document are empty.
Signed-off-by: Fabre Florian <ffabre@hybird.org>
We need to make a POST to search documents so that we can post a
list of documents the current user has already "visited" This is
necessary to limited the number of documents we return among the
ones available to any authenticated or anonymous user.
We need to index the tree structure information as well as an
active field that can be set to False when the item is deleted on
the remote service. We could delete the item from our search index
but it is safer to keep all documents synchronized and not only
those which are not deleted.
We need to connect to find from the app container of another project
that wants to index documents to our index. This requires sharing a
common network and exposing our app on it with a service name that
does not clash with the other project.
While developping, we need to run find along other projects that
want to index documents to our index. For the two projects to run
along side each other, we need to avoid port conflicts.
documents can be published under one of three reaches:
- public: anybody can see them
- authenticated: only logged-in users can see them
- restricted: only users listed in the "users" field or belonging
to a group listed in the "groups" field can see them.
The create superuser job should be optional. This job should not be
deployed every time, just when we want. Also, a job can not be patch, so
we have to change its name between version, like for the migrate command
that should be trigger when the appVersion or the chart version is
changing.
We want to secure the connection to opensearch. This will also enable
authentification for the dashboard access. For now we use the default
admin user without custom configuration.
Once started, the cluster can not be paused using kind or ctlptl
command. 2 helpers are added to pause and resume docker containers
running the cluster.
Opensearch was missing in the dev dependencies when deploying in a local
k8s using Tilt. Also the secrets and values have been updated
accordingly to make it works.
docker-compose.yml file is the legacy configuration file for
docker-compose version 1. Since version 2 is a plugin for docker, they
also changed the name of the configuration file to compose.yml. So we
rename this file.
This is built from our boilerplate and adds a first working
prototype of indexing (single document or bulk) and searching
(with basic filtering and sorting. No authentication yet).
Run `make demo` to generate an index for development.