GoSec_Cloud/gscMy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore: bootstrap gscMy on @gsc/web-kit + PAM/JIT request flow

Browse Source 
Initial commit for gscMy carved out as its own repo (was tracked
loosely under the monorepo's web/ which is gitignored).

What this contains:
- Auth: next-auth v5 via @gsc/web-kit createAuth (Keycloak only,
  identity sourced from claims, no admin.users writes)
- Chrome: @gsc/web-kit AdminShell — replaces the legacy MyShell.
  Sidebar JSON config carried over and mapped to DbMenuItem.
- Middleware: createAuthMiddleware. Public: /access-denied,
  /auth/keycloak, /signed-out, /api/health, /api/pam/approve.
- RP-initiated signout at /api/auth/signout → Keycloak end_session →
  /signed-out (mirrors gscAdmin).
- Phosphor-iconned access-denied + signed-out landing pages.

PAM/JIT request flow (ported from gscAdmin's pre-strip git history):
- /access page (Active + Eligible tables, request modal with
  duration slider + justification + optional MFA)
- API: /api/pam/{eligible, active, audit, request, approve/:token,
  revoke/:id}
- src/lib/{authz, pam, pam-mail, pam-mfa}.ts — same files as
  gscAdmin had before the strip. PAM tables (admin.privilege_*)
  are shared with gscAdmin; gscMy uses the same Prisma model defs.
- Top-bar widget shows active grants with countdown + revoke.

Build/Deploy: Dockerfile (monorepo-root context), k8s manifests for
my.gosec.internal, self-signed TLS placeholder, DNS A record.
Keycloak gsc-my client extended to include my.gosec.internal/* in
redirect_uris + web_origins.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Super User
2026-05-18 13:46:13 +02:00
commit be1c4fe5f9
96 changed files with 49849 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
.env.example Normal file
View File

@@ -0,0 +1,23 @@
# NextAuth
AUTH_SECRET="your-auth-secret-generate-with-openssl-rand-base64-32"
AUTH_TRUST_HOST=true
AUTH_URL="https://my.gosec.cloud"
# Keycloak OIDC
AUTH_KEYCLOAK_ID="gsc-my"
AUTH_KEYCLOAK_SECRET="your-keycloak-client-secret"
AUTH_KEYCLOAK_ISSUER="https://auth.gosec.cloud/realms/gosecCloud"
# Default tenant (optional)
DEFAULT_TENANT_ID="a0000000-0000-0000-0000-000000000003"
# Set to "true" to bypass authentication (for development)
SKIP_AUTH="false"
# Bicameral Chat API
BICAMERAL_API_URL="https://bicameral.gosec.cloud/api/v1"
NEXT_PUBLIC_BICAMERAL_WS_URL="wss://bicameral.gosec.cloud/ws"
# Ops API (personal agent config)
OPS_API_URL="https://172.17.8.20:8443"
OPS_API_KEY="your-ops-api-key"