service: Add admin user concept and app def scaling endpoint (#400)

* service: Add admin user support via annotation

- Introduce the `@AdminOnly` annotation to mark REST resources or methods as accessible only to admin users.
- Implement AdminOnlyFilter that intercepts requests and aborts non-admin users with a 403 Forbidden response.
- Update ApplicationProperties to include a configurable admin group name property ("theia.cloud.auth.admin.group")
  with a default value of "theia-cloud/admin".
- Enhance TheiaCloudUser by adding an admin flag.
- Modify TheiaCloudUserProducer to derive the admin status from the MicroProfile JWT's groups claim.
- Add tests for the new admin-only filter, properties, and user producer functionality.
- Extend service Dockerfile to allow configuring the admin group name via environment variable.

* service: Add admin endpoint to update app def's min/max instances

- Add new resource AdminAppDefinitionAdminResource for all admin endpoints regarding app definitions
- Minor extensions in K8SUtil, AppDefinitionSpec to allow editing min/max instances
- Add tests for AdminAppDefintionAdminResource
- Add RootAdminResource with a ping endpoint that only returns if the user is an admin
- Regenerate OpenAPI definition, docs and common code

* terrafom: Add admin user group and outputs for Keycloak module

Extend Keycloak terraform module:
- Define an admin group with the default name
- Export realm, admin group and test users via outputs

Test setup:
- Add test user foo to the admin group
- Document how to get a Keycloak access token on the command line

* fix: Update Keycloak URL in tasks.json to include realm path

This is required for the Quarkus dev server to discover the OIDC config.
Also see the official documentation:
https://quarkus.io/guides/security-oidc-configuration-properties-reference#quarkus-oidc_quarkus-oidc-auth-server-url

Author: lucas-koehler

.vscode/tasks.json

@@ -60,7 +60,7 @@
         "-Dtheia.cloud.app.id=asdfghjkl",
         "-Dquarkus.http.port=8081",
         "-Dtheia.cloud.use.keycloak=true",
-        "-Dquarkus.oidc.auth-server-url=${input:keycloakURL}",
+        "-Dquarkus.oidc.auth-server-url=${input:keycloakURL}/realms/TheiaCloud",
         "-Dquarkus.oidc.client-id=theia-cloud",
         "-Dquarkus.oidc.credentials.secret=publicbutoauth2proxywantsasecret"
       ],
@@ -101,7 +101,7 @@
       "type": "promptString",
       "id": "keycloakURL",
       "description": "Provide the keycloak url",
-      "default": "https://192.168.59.101.nip.io/keycloak/"
+      "default": "https://192.168.59.101.nip.io/keycloak"
     }
   ]
 }

dockerfiles/service/Dockerfile

@@ -22,9 +22,11 @@ ENV KEYCLOAK_ENABLE true
 ENV KEYCLOAK_SERVERURL https://keycloak.url/auth/realms/TheiaCloud
 ENV KEYCLOAK_CLIENTID theia-cloud
 ENV KEYCLOAK_CLIENTSECRET publicbutoauth2proxywantsasecret
+ENV KEYCLOAK_ADMIN_GROUP theia-cloud/admin
 
 ENTRYPOINT java -Dtheia.cloud.app.id=${APPID} \
     -Dquarkus.http.port=${SERVICE_PORT} \
+    -Dtheia.cloud.auth.admin.group=${KEYCLOAK_ADMIN_GROUP} \
     -Dtheia.cloud.use.keycloak=${KEYCLOAK_ENABLE} \
     -Dquarkus.oidc.auth-server-url=${KEYCLOAK_SERVERURL} \
     -Dquarkus.oidc.client-id=${KEYCLOAK_CLIENTID} \

documentation/api/Apis/AppDefinitionAdminResourceApi.md

@@ -0,0 +1,37 @@
+# AppDefinitionAdminResourceApi
+
+All URIs are relative to *http://localhost*
+
+| Method | HTTP request | Description |
+|------------- | ------------- | -------------|
+| [**serviceAdminAppdefinitionAppDefinitionNamePatch**](AppDefinitionAdminResourceApi.md#serviceAdminAppdefinitionAppDefinitionNamePatch) | **PATCH** /service/admin/appdefinition/{appDefinitionName} | Updates an app definition |
+
+
+<a name="serviceAdminAppdefinitionAppDefinitionNamePatch"></a>
+# **serviceAdminAppdefinitionAppDefinitionNamePatch**
+> AppDefinition serviceAdminAppdefinitionAppDefinitionNamePatch(appDefinitionName, AppDefinitionUpdateRequest)
+
+Updates an app definition
+
+    Updates an app definition&#39;s properties. Allowed properties to update are defined by AppDefinitionUpdateRequest.
+
+### Parameters
+
+|Name | Type | Description  | Notes |
+|------------- | ------------- | ------------- | -------------|
+| **appDefinitionName** | **String**| The K8S resource name of the app definition to update. | [default to null] |
+| **AppDefinitionUpdateRequest** | [**AppDefinitionUpdateRequest**](../Models/AppDefinitionUpdateRequest.md)|  | |
+
+### Return type
+
+[**AppDefinition**](../Models/AppDefinition.md)
+
+### Authorization
+
+No authorization required
+
+### HTTP request headers
+
+- **Content-Type**: application/json
+- **Accept**: application/json
+

documentation/api/Apis/RootAdminResourceApi.md

@@ -0,0 +1,36 @@
+# RootAdminResourceApi
+
+All URIs are relative to *http://localhost*
+
+| Method | HTTP request | Description |
+|------------- | ------------- | -------------|
+| [**serviceAdminAppIdGet**](RootAdminResourceApi.md#serviceAdminAppIdGet) | **GET** /service/admin/{appId} | Admin Ping |
+
+
+<a name="serviceAdminAppIdGet"></a>
+# **serviceAdminAppIdGet**
+> Boolean serviceAdminAppIdGet(appId)
+
+Admin Ping
+
+    Replies with success if the service is available and the user an admin.
+
+### Parameters
+
+|Name | Type | Description  | Notes |
+|------------- | ------------- | ------------- | -------------|
+| **appId** | **String**|  | [default to null] |
+
+### Return type
+
+**Boolean**
+
+### Authorization
+
+No authorization required
+
+### HTTP request headers
+
+- **Content-Type**: Not defined
+- **Accept**: text/plain
+

documentation/api/Apis/RootResourceApi.md

@@ -47,7 +47,7 @@ Launch Session
 
 |Name | Type | Description  | Notes |
 |------------- | ------------- | ------------- | -------------|
-| **LaunchRequest** | [**LaunchRequest**](../Models/LaunchRequest.md)|  | [optional] |
+| **LaunchRequest** | [**LaunchRequest**](../Models/LaunchRequest.md)|  | |
 
 ### Return type
 

documentation/api/Apis/SessionResourceApi.md

@@ -51,7 +51,7 @@ Stop session
 
 |Name | Type | Description  | Notes |
 |------------- | ------------- | ------------- | -------------|
-| **SessionStopRequest** | [**SessionStopRequest**](../Models/SessionStopRequest.md)|  | [optional] |
+| **SessionStopRequest** | [**SessionStopRequest**](../Models/SessionStopRequest.md)|  | |
 
 ### Return type
 
@@ -78,7 +78,7 @@ Report session activity
 
 |Name | Type | Description  | Notes |
 |------------- | ------------- | ------------- | -------------|
-| **SessionActivityRequest** | [**SessionActivityRequest**](../Models/SessionActivityRequest.md)|  | [optional] |
+| **SessionActivityRequest** | [**SessionActivityRequest**](../Models/SessionActivityRequest.md)|  | |
 
 ### Return type
 
@@ -133,7 +133,7 @@ Start a new session
 
 |Name | Type | Description  | Notes |
 |------------- | ------------- | ------------- | -------------|
-| **SessionStartRequest** | [**SessionStartRequest**](../Models/SessionStartRequest.md)|  | [optional] |
+| **SessionStartRequest** | [**SessionStartRequest**](../Models/SessionStartRequest.md)|  | |
 
 ### Return type
 

documentation/api/Apis/WorkspaceResourceApi.md

@@ -49,7 +49,7 @@ Delete workspace
 
 |Name | Type | Description  | Notes |
 |------------- | ------------- | ------------- | -------------|
-| **WorkspaceDeletionRequest** | [**WorkspaceDeletionRequest**](../Models/WorkspaceDeletionRequest.md)|  | [optional] |
+| **WorkspaceDeletionRequest** | [**WorkspaceDeletionRequest**](../Models/WorkspaceDeletionRequest.md)|  | |
 
 ### Return type
 
@@ -76,7 +76,7 @@ Create workspace
 
 |Name | Type | Description  | Notes |
 |------------- | ------------- | ------------- | -------------|
-| **WorkspaceCreationRequest** | [**WorkspaceCreationRequest**](../Models/WorkspaceCreationRequest.md)|  | [optional] |
+| **WorkspaceCreationRequest** | [**WorkspaceCreationRequest**](../Models/WorkspaceCreationRequest.md)|  | |
 
 ### Return type
 

documentation/api/Models/AppDefinition.md

@@ -0,0 +1,21 @@
+# AppDefinition
+## Properties
+
+| Name | Type | Description | Notes |
+|------------ | ------------- | ------------- | -------------|
+| **apiVersion** | **String** |  | [optional] [default to null] |
+| **kind** | **String** |  | [optional] [default to null] |
+| **metadata** | [**ObjectMeta**](ObjectMeta.md) |  | [optional] [default to null] |
+| **spec** | [**AppDefinitionSpec**](AppDefinitionSpec.md) |  | [optional] [default to null] |
+| **status** | [**AppDefinitionStatus**](AppDefinitionStatus.md) |  | [optional] [default to null] |
+| **singular** | **String** |  | [optional] [default to null] |
+| **crdName** | **String** |  | [optional] [default to null] |
+| **scope** | **String** |  | [optional] [default to null] |
+| **plural** | **String** |  | [optional] [default to null] |
+| **served** | **Boolean** |  | [optional] [default to null] |
+| **storage** | **Boolean** |  | [optional] [default to null] |
+| **deprecated** | **Boolean** |  | [optional] [default to null] |
+| **deprecationWarning** | **String** |  | [optional] [default to null] |
+
+[[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
+

documentation/api/Models/AppDefinitionStatus.md

@@ -0,0 +1,10 @@
+# AppDefinitionStatus
+## Properties
+
+| Name | Type | Description | Notes |
+|------------ | ------------- | ------------- | -------------|
+| **operatorStatus** | **String** |  | [optional] [default to null] |
+| **operatorMessage** | **String** |  | [optional] [default to null] |
+
+[[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
+

documentation/api/Models/AppDefinitionUpdateRequest.md

@@ -0,0 +1,11 @@
+# AppDefinitionUpdateRequest
+## Properties
+
+| Name | Type | Description | Notes |
+|------------ | ------------- | ------------- | -------------|
+| **appId** | **String** | The App Id of this Theia Cloud instance. Request without a matching Id will be denied. | [default to null] |
+| **minInstances** | **Integer** | The minimum number of instances to run. | [optional] [default to null] |
+| **maxInstances** | **Integer** | The maximum number of instances to run. | [optional] [default to null] |
+
+[[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
+

documentation/api/Models/ManagedFieldsEntry.md

@@ -0,0 +1,15 @@
+# ManagedFieldsEntry
+## Properties
+
+| Name | Type | Description | Notes |
+|------------ | ------------- | ------------- | -------------|
+| **apiVersion** | **String** |  | [optional] [default to null] |
+| **fieldsType** | **String** |  | [optional] [default to null] |
+| **fieldsV1** | [**Object**](.md) |  | [optional] [default to null] |
+| **manager** | **String** |  | [optional] [default to null] |
+| **operation** | **String** |  | [optional] [default to null] |
+| **subresource** | **String** |  | [optional] [default to null] |
+| **time** | **String** |  | [optional] [default to null] |
+
+[[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
+

documentation/api/Models/ObjectMeta.md

@@ -0,0 +1,23 @@
+# ObjectMeta
+## Properties
+
+| Name | Type | Description | Notes |
+|------------ | ------------- | ------------- | -------------|
+| **annotations** | **Map** |  | [optional] [default to null] |
+| **creationTimestamp** | **String** |  | [optional] [default to null] |
+| **deletionGracePeriodSeconds** | **Long** |  | [optional] [default to null] |
+| **deletionTimestamp** | **String** |  | [optional] [default to null] |
+| **finalizers** | **List** |  | [optional] [default to null] |
+| **generateName** | **String** |  | [optional] [default to null] |
+| **generation** | **Long** |  | [optional] [default to null] |
+| **labels** | **Map** |  | [optional] [default to null] |
+| **managedFields** | [**List**](ManagedFieldsEntry.md) |  | [optional] [default to null] |
+| **name** | **String** |  | [optional] [default to null] |
+| **namespace** | **String** |  | [optional] [default to null] |
+| **ownerReferences** | [**List**](OwnerReference.md) |  | [optional] [default to null] |
+| **resourceVersion** | **String** |  | [optional] [default to null] |
+| **selfLink** | **String** |  | [optional] [default to null] |
+| **uid** | **String** |  | [optional] [default to null] |
+
+[[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
+

documentation/api/Models/OwnerReference.md

@@ -0,0 +1,14 @@
+# OwnerReference
+## Properties
+
+| Name | Type | Description | Notes |
+|------------ | ------------- | ------------- | -------------|
+| **apiVersion** | **String** |  | [optional] [default to null] |
+| **kind** | **String** |  | [optional] [default to null] |
+| **blockOwnerDeletion** | **Boolean** |  | [optional] [default to null] |
+| **controller** | **Boolean** |  | [optional] [default to null] |
+| **name** | **String** |  | [optional] [default to null] |
+| **uid** | **String** |  | [optional] [default to null] |
+
+[[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
+

documentation/api/README.md

@@ -7,7 +7,9 @@ All URIs are relative to *http://localhost*
 
 | Class | Method | HTTP request | Description |
 |------------ | ------------- | ------------- | -------------|
+| *AppDefinitionAdminResourceApi* | [**serviceAdminAppdefinitionAppDefinitionNamePatch**](Apis/AppDefinitionAdminResourceApi.md#serviceadminappdefinitionappdefinitionnamepatch) | **PATCH** /service/admin/appdefinition/{appDefinitionName} | Updates an app definition |
 | *AppDefinitionResourceApi* | [**serviceAppdefinitionAppIdGet**](Apis/AppDefinitionResourceApi.md#serviceappdefinitionappidget) | **GET** /service/appdefinition/{appId} | List app definitions |
+| *RootAdminResourceApi* | [**serviceAdminAppIdGet**](Apis/RootAdminResourceApi.md#serviceadminappidget) | **GET** /service/admin/{appId} | Admin Ping |
 | *RootResourceApi* | [**serviceAppIdGet**](Apis/RootResourceApi.md#serviceappidget) | **GET** /service/{appId} | Ping |
 *RootResourceApi* | [**servicePost**](Apis/RootResourceApi.md#servicepost) | **POST** /service | Launch Session |
 | *SessionResourceApi* | [**serviceSessionAppIdUserGet**](Apis/SessionResourceApi.md#servicesessionappiduserget) | **GET** /service/session/{appId}/{user} | List sessions |
@@ -24,11 +26,17 @@ All URIs are relative to *http://localhost*
 ## Documentation for Models
 
  - [ActivityTracker](./Models/ActivityTracker.md)
+ - [AppDefinition](./Models/AppDefinition.md)
  - [AppDefinitionListRequest](./Models/AppDefinitionListRequest.md)
  - [AppDefinitionSpec](./Models/AppDefinitionSpec.md)
+ - [AppDefinitionStatus](./Models/AppDefinitionStatus.md)
+ - [AppDefinitionUpdateRequest](./Models/AppDefinitionUpdateRequest.md)
  - [EnvironmentVars](./Models/EnvironmentVars.md)
  - [LaunchRequest](./Models/LaunchRequest.md)
+ - [ManagedFieldsEntry](./Models/ManagedFieldsEntry.md)
  - [Monitor](./Models/Monitor.md)
+ - [ObjectMeta](./Models/ObjectMeta.md)
+ - [OwnerReference](./Models/OwnerReference.md)
  - [PingRequest](./Models/PingRequest.md)
  - [SessionActivityRequest](./Models/SessionActivityRequest.md)
  - [SessionListRequest](./Models/SessionListRequest.md)