From b0b160f088dceaf2f05c4ca603a655b6c917d9eb Mon Sep 17 00:00:00 2001
From: pedro
Date: Wed, 3 Apr 2024 13:18:36 +0200
Subject: [PATCH] add pilot ereuse (untested on prod) README WIP
---
 .env.example | 12 ++--
 .gitignore | 2 +
 Makefile | 13 ++++
 README.md | 11 ++-
 build__pilot-ereuse.sh | 32 +++++++++
 docker-compose__pilot-ereuse.yml | 115 +++++++++++++++++++++++++++++++
 pull-repos.sh | 1 +
 7 files changed, 178 insertions(+), 8 deletions(-)
 create mode 100755 build__pilot-ereuse.sh
 create mode 100644 docker-compose__pilot-ereuse.yml
diff --git a/.env.example b/.env.example
index 2d9039a..e6d1ff4 100644
--- a/.env.example
+++ b/.env.example
@@ -16,9 +16,10 @@ MUSICIAN_DOMAIN='musician.example.org'
 ####
 # Please fill in these three variables
-DEVICEHUB_API_DLT='http://$FIXME_IP_API_DLT'
-DEVICEHUB_API_DLT_TOKEN=$FIXME_TOKEN
-DEVICEHUB_API_RESOLVER='http://$FIXME_IP_API_RESOLVER'
+DEVICEHUB_API_DLT='http://fixme.dlt.example.com'
+DEVICEHUB_API_DLT_TOKEN=fixme_apsdfiojai8gji34kjl354kljwkljfsdgoj32i4jo23jiojoi
+DEVICEHUB_API_RESOLVER='http://fixme.apiresolver.example.com'
+DEVICEHUB_VERIFY_URL='http://idhub2-ereuse.demo.pangea.org/promotion/select_wallet'
 # you might change or register ID_FEDERATED if you change DEVICEHUB_HOST
 DEVICEHUB_ID_FEDERATED='DH12' # TODO this should be guessed by DEVICEHUB_HOST, and avoid hardcode of ID_FEDERATED
@@ -46,8 +47,8 @@ DEVICEHUB_SERVER_ID_EMAIL_DEMO='user5000@example.com'
 DEVICEHUB_CLIENT_ID_EMAIL_DEMO='user5001@example.com'
 DEVICEHUB_PASSWORD_DEMO='1234'
-DEVICEHUB_JWT_PASS='uncomment-it-and-fill-this'
-DEVICEHUB_SECRET_KEY='uncomment-it-and-fill-this'
+DEVICEHUB_JWT_PASS='fixme_ajpfoiafjsn3nlk3n4'
+DEVICEHUB_SECRET_KEY='fixme_aspijoio3j24n23nlsdlkfsadljksafdljk'
 # important to import snapshots (step 15)
 # rel path starts with ./
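Review bot: The replacement placeholders on the `+DEVICEHUB_API_DLT_TOKEN=fixme_apsdfiojai8gji34kjl354kljwkljfsdgoj32i4jo23jiojoi` line, and the `DEVICEHUB_JWT_PASS` / `DEVICEHUB_SECRET_KEY` values in the second hunk, are shaped like real credentials, so a `.env` copied from this example and left unedited runs with values that are committed to the repository; the previous `$FIXME_TOKEN` and `uncomment-it-and-fill-this` markers could not be mistaken for working secrets. Keep placeholders obviously non-functional, e.g. `DEVICEHUB_API_DLT_TOKEN=FIXME_fill_in_from_dlt_operator` and `DEVICEHUB_SECRET_KEY='FIXME_generate_a_random_value'`, and update the `# Please fill in these three variables` comment now that a fourth variable follows it. `DEVICEHUB_VERIFY_URL` names a public host over plain `http://` while the README in this commit lists the same instance as `https://`; if this is the URL users are sent to during verification, `'https://idhub2-ereuse.demo.pangea.org/promotion/select_wallet'` avoids an unencrypted hop.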
@@ -93,7 +94,6 @@ IDHUB_SYNC_ORG_DEV='n'
 IDHUB_PILOT_TEST__ADMIN_EMAIL='admin@example.com'
 IDHUB_PILOT_TEST__ADMIN_PASSWORD='1234'
-IDHUB_PILOT_LAFEDE__ADMIN_EMAIL='masked@example.com'
 # AUTHENTIK aka goauthentik
 ####
diff --git a/.gitignore b/.gitignore
index 36331cf..bea627a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,6 +8,8 @@ django-musician
 IdHub
 authentik
 ssikit_trustchain
+IdHub_E2E_testing
+devicehub-teal
 idhub__*
 idhub1__*
diff --git a/Makefile b/Makefile
index a66a47e..4784a3f 100644
--- a/Makefile
+++ b/Makefile
@@ -34,6 +34,9 @@ devicehub_tag := ${devicehub_branch}__${devicehub_commit}
 devicehub_tag := latest
 devicehub_image := ${project}/devicehub:${devicehub_tag}
+postgres_tag := latest
+postgres_image := ${project}/postgres:${postgres_tag}
+
 ####
 # idhub image tag
 ####
@@ -56,6 +59,16 @@ orchestra_build:
 .PHONY: musician_build
 musician_build:
 docker build -f docker/musician.Dockerfile -t ${musician_image} -t ${project}/musician:latest .
+.PHONY: devicehub_build
+devicehub_build:
+ # thanks src https://stackoverflow.com/questions/1789594/how-do-i-write-the-cd-command-in-a-makefile
+ cd devicehub-teal; \
+ docker build -f docker/devicehub.Dockerfile -t ${devicehub_image} -t ${project}/devicehub:latest .
+.PHONY: postgres_build
+postgres_build:
+ # thanks src https://stackoverflow.com/questions/1789594/how-do-i-write-the-cd-command-in-a-makefile
+ cd devicehub-teal; \
+ docker build -f docker/postgres.Dockerfile -t ${postgres_image} -t ${project}/postgres:latest .
 docker_build:
 docker build -f docker/orchestra.Dockerfile -t ${orchestra_image} -t ${project}/orchestra:latest .
diff --git a/README.md b/README.md
index 8f646ec..8b2c40f 100644
--- a/README.md
+++ b/README.md
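Review bot: In the new `devicehub_build` and `postgres_build` recipes `cd devicehub-teal; \` continues into `docker build` even when the directory is missing (it only exists once `pull-repos.sh` has cloned it), so the build then runs from the repository root with the wrong Dockerfile path and a misleading error; `cd devicehub-teal && docker build -f docker/devicehub.Dockerfile -t ${devicehub_image} -t ${project}/devicehub:latest .` (and the same for the postgres rule) fails at the `cd` instead. Alternatively drop the `cd` and pass the directory as the build context: `docker build -f devicehub-teal/docker/devicehub.Dockerfile -t ${devicehub_image} -t ${project}/devicehub:latest devicehub-teal`. The `# thanks src …` lines sit inside the recipe, so make echoes them and hands them to the shell on every run; placed above the target they become make-level comments. `${project}/postgres:latest` is the tag built here, but `docker-compose__pilot-ereuse.yml` in this commit references `dkr-dsg.ac.upc.edu/ereuse/postgres:latest`; if `project` expands to the `trustchain-oc1-orchestral` namespace used for the other images, compose will not pick up the image this rule produces.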
@@ -28,8 +28,8 @@
 - **Pangea**:
 - Instances:
- - https://idhub1-pangea.demo.pangea.org
- - https://idhub2-pangea.demo.pangea.org
+ - https://idhub1.demo.pangea.org
+ - https://idhub2.demo.pangea.org
 - Motivation: The case of Pangea as a web/internet service provider, with member organisations that receive services. These organisations have allocated several resources units (mail accounts, blogs, etc.). Only authorised users with a specific role should be able to access the Musician (Administration Control Panel of resources).
 - Scenarios:
 - Scenario 1-> 'Login with Organisation A (Idp)'. The staff members of organisation A, with the appropiate role, can authenticate themselves by providing their organisation credentials (username and password) to access a service in Pangea (Musician).
@@ -41,6 +41,13 @@
 - Scenario 2-> 'Present a verifiable credential'. The staff members of organisation A, with the appropiate credentials, present them to Pangea in order to access the Musician service. Actors-> **Pangea**: IdP (goauthentik), IdHub (as verifier), Musician, Orchestra (with also nginx API rproxy). **Organisation A**: IdHub (as user wallet)
+- **ereuse**:
+ - Instances:
+ - https://idhub1-ereuse.demo.pangea.org
+ - https://idhub2-ereuse.demo.pangea.org
+ - https://devicehub.demo.pangea.org
+ - Motivation: TODO
+ - Scenarios: TODO
 - **generic**: https://idhub.demo.pangea.org
 - Motivation: For demo purposes, for showing other people different than the intended pilot what we do. It is currently similar to lafede pilot
diff --git a/build__pilot-ereuse.sh b/build__pilot-ereuse.sh
new file mode 100755
index 0000000..5934e23
--- /dev/null
+++ b/build__pilot-ereuse.sh
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+set -e
+set -u
+# DEBUG
+set -x
+
+main() {
+ cd "$(dirname "${0}")"
+
+ # includes functions:
+ # common_start
+ # common_end
+ . ./build__common.sh
+
+ # vars used in common_start and end
+ target='pilot-ereuse'
+ idhubs='idhub1 idhub2'
+
+ # TEMP, move to release when it is in release
+ idhub_branch='release'
+
+ common_start
+
+ # common_end builds idhub
+ # these are extra builds specific for this pilot
+ make postgres_build
+ make devicehub_build
+ common_end
+}
+
+main "${@}"
diff --git a/docker-compose__pilot-ereuse.yml b/docker-compose__pilot-ereuse.yml
new file mode 100644
index 0000000..67889ff
--- /dev/null
+++ b/docker-compose__pilot-ereuse.yml
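Review bot: `set -x` is enabled unconditionally (the `# DEBUG` comment above it reads as temporary), so every expanded command from this script, from the sourced `build__common.sh` and from the `make` targets it invokes is traced to stderr; if any of those expand credentials (registry logins, `.env` values), they land in build logs. Gate it on an opt-in variable, e.g. `if [ "${DEBUG:-}" = 1 ]; then set -x; fi`. The `# TEMP, move to release when it is in release` comment above `idhub_branch='release'` no longer says what the temporary state is, since the value is already `release`; either drop the override or say which branch it should return to. `common_start`, `common_end` and the two make targets are defined outside this file, so their failure modes are not visible here.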
@@ -0,0 +1,115 @@
+services:
+
+ idhub1:
+ init: true
+ image: dkr-dsg.ac.upc.edu/trustchain-oc1-orchestral/idhub:latest
+ environment:
+ - DOMAIN=idhub1-ereuse.demo.pangea.org
+ - CREATE_TEST_USERS=true
+ - ENABLE_EMAIL=false
+ - ENABLE_2FACTOR_AUTH=false
+ - LANGUAGE_CODE=ca
+ - INITIAL_ADMIN_EMAIL=${IDHUB_PILOT_TEST__ADMIN_EMAIL}
+ - INITIAL_ADMIN_PASSWORD=${IDHUB_PILOT_TEST__ADMIN_PASSWORD}
+ - SECRET_KEY=${IDHUB_SECRET_KEY:-publicsecretisnotsecureVtmKBfxpVV47PpBCF2Nzz2H6qnbd}
+ - STATIC_ROOT=${IDHUB_STATIC_ROOT:-/static/}
+ - MEDIA_ROOT=${IDHUB_MEDIA_ROOT:-/media/}
+ - PORT=${IDHUB_PORT:-9001}
+ - DEFAULT_FROM_EMAIL=${IDHUB_DEFAULT_FROM_EMAIL}
+ - EMAIL_HOST=${IDHUB_EMAIL_HOST}
+ - EMAIL_HOST_USER=${IDHUB_EMAIL_HOST_USER}
+ - EMAIL_HOST_PASSWORD=${IDHUB_EMAIL_HOST_PASSWORD}
+ - EMAIL_PORT=${IDHUB_EMAIL_PORT}
+ - EMAIL_USE_TLS=${IDHUB_EMAIL_USE_TLS}
+ - EMAIL_BACKEND=${IDHUB_EMAIL_BACKEND}
+ - SUPPORTED_CREDENTIALS=['MembershipCard']
+ - SYNC_ORG_DEV=${IDHUB_SYNC_ORG_DEV}
+ - OIDC_OIRGS=examples/organizations__pilot_ereuse.csv
+ - OIDC_REDIRECT=true
+ ports:
+ - 9101:9001
+ volumes:
+ - ./idhub1__pilot-ereuse:/opt/idhub
+ - sharedsecret:/sharedsecret:rw
+
+ idhub2:
+ init: true
+ image: dkr-dsg.ac.upc.edu/trustchain-oc1-orchestral/idhub:latest
+ environment:
+ - DOMAIN=idhub2-ereuse.demo.pangea.org
+ - ENABLE_EMAIL=false
+ - ENABLE_2FACTOR_AUTH=false
+ - LANGUAGE_CODE=ca
+ - INITIAL_ADMIN_EMAIL=${IDHUB_PILOT_TEST__ADMIN_EMAIL}
+ - INITIAL_ADMIN_PASSWORD=${IDHUB_PILOT_TEST__ADMIN_PASSWORD}
+ - SECRET_KEY=${IDHUB_SECRET_KEY:-publicsecretisnotsecureVtmKBfxpVV47PpBCF2Nzz2H6qnbd}
+ - STATIC_ROOT=${IDHUB_STATIC_ROOT:-/static/}
+ - MEDIA_ROOT=${IDHUB_MEDIA_ROOT:-/media/}
+ - PORT=${IDHUB_PORT:-9002}
+ - DEFAULT_FROM_EMAIL=${IDHUB_DEFAULT_FROM_EMAIL}
+ - EMAIL_HOST=${IDHUB_EMAIL_HOST}
+ - EMAIL_HOST_USER=${IDHUB_EMAIL_HOST_USER}
+ - EMAIL_HOST_PASSWORD=${IDHUB_EMAIL_HOST_PASSWORD}
+ - EMAIL_PORT=${IDHUB_EMAIL_PORT}
+ - EMAIL_USE_TLS=${IDHUB_EMAIL_USE_TLS}
+ - EMAIL_BACKEND=${IDHUB_EMAIL_BACKEND}
+ - SUPPORTED_CREDENTIALS=['EOperatorClaim']
+ - SYNC_ORG_DEV=${IDHUB_SYNC_ORG_DEV}
+ - OIDC_OIRGS=examples/organizations__pilot_ereuse.csv
+ - OIDC_REDIRECT=true
+ ports:
+ - 9102:9001
+ volumes:
+ - ./idhub2__pilot-ereuse:/opt/idhub
+ - sharedsecret:/sharedsecret:rw
+
+ devicehub:
+ init: true
+ image: dkr-dsg.ac.upc.edu/trustchain-oc1-orchestral/devicehub:latest
+ environment:
+ - HOST=devicehub.demo.pangea.org
+ - DEVICEHUB_HOST=https://devicehub.demo.pangea.org
+ - ID_FEDERATED=DH9
+ - DB_USER=${DEVICEHUB_DB_USER}
+ - DB_PASSWORD=${DEVICEHUB_DB_PASSWORD}
+ - DB_HOST=postgres-dh
+ - DB_DATABASE=${DEVICEHUB_DB_DATABASE}
+ - EMAIL_DEMO=${DEVICEHUB_SERVER_ID_EMAIL_DEMO}
+ - PASSWORD_DEMO=${DEVICEHUB_PASSWORD_DEMO}
+ - JWT_PASS=${DEVICEHUB_JWT_PASS}
+ - SECRET_KEY=${DEVICEHUB_SECRET_KEY}
+ - API_DLT=${DEVICEHUB_API_DLT}
+ - API_RESOLVER=${DEVICEHUB_API_RESOLVER}
+ - API_DLT_TOKEN=${DEVICEHUB_API_DLT_TOKEN}
+ - VERIFY_URL=${DEVICEHUB_VERIFY_URL}
+ - EREUSE_PILOT=y
+ - URL_MANUALS=${DEVICEHUB_URL_MANUALS}
+ - ID_SERVICE=${DEVICEHUB_SERVER_ID_SERVICE}
+ - AUTHORIZED_CLIENT_URL=${DEVICEHUB_CLIENT_ID_DEVICEHUB_HOST}
+ - DPP_MODULE=y
+ - CONFIG_OIDC=n
+ - IMPORT_SNAPSHOTS=n
+ ports:
+ - 5000:5000
+ volumes:
+ - devicehub:/opt/devicehub:rw
+
+ postgres-dh:
+ image: dkr-dsg.ac.upc.edu/ereuse/postgres:latest
+ # 4. To create the database.
+ # 5. Give permissions to the corresponding users in the database.
+ # extra src https://github.com/docker-library/docs/blob/master/postgres/README.md#environment-variables
+ environment:
+ - POSTGRES_PASSWORD=${DEVICEHUB_DB_PASSWORD}
+ - POSTGRES_USER=${DEVICEHUB_DB_USER}
+ - POSTGRES_DB=${DEVICEHUB_DB_DATABASE}
+ # DEBUG
+ #ports:
+ # - 5432:5432
+ # TODO persistence
+ #volumes:
+ # - pg_data:/var/lib/postgresql/data
+
+volumes:
+ sharedsecret:
+ devicehub:
diff --git a/pull-repos.sh b/pull-repos.sh
index 3495a24..31cd809 100755
--- a/pull-repos.sh
+++ b/pull-repos.sh
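Review bot: `idhub2` sets `PORT=${IDHUB_PORT:-9002}` but publishes `9102:9001`, so with `IDHUB_PORT` unset the container listens on 9002 and the published port reaches nothing unless the image ignores `PORT` (not visible here); `idhub1` uses 9001 on both sides, so `9002` looks like a copy-edit slip and `- PORT=${IDHUB_PORT:-9001}` is the likely fix. Both idhub services fall back to the committed `SECRET_KEY=${IDHUB_SECRET_KEY:-publicsecretisnotsecure…}` on public hostnames; compose's `${IDHUB_SECRET_KEY:?IDHUB_SECRET_KEY must be set}` form refuses to start instead of silently running with a known key, and the same applies to `INITIAL_ADMIN_PASSWORD`. `devicehub` has no `depends_on: [postgres-dh]`, and `postgres-dh` has no data volume (the `TODO persistence` block is commented out), so recreating the container discards the database. The `postgres-dh` image is `dkr-dsg.ac.upc.edu/ereuse/postgres:latest` while the Makefile in this commit tags its build as `${project}/postgres:latest`; if `project` is the `trustchain-oc1-orchestral` namespace used for the other images, the two names do not match.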
@@ -37,6 +37,7 @@ main() {
 # we only use this to get idhub dependency
 # didkit-0.3.2-cp311-cp311-manylinux_2_34_x86_64.whl
 _pull 'git@gitea.pangea.org:trustchain-oc1-orchestral/ssikit_trustchain.git' 'master'
+ _pull 'git@gitea.pangea.org:trustchain-oc1-orchestral/devicehub-teal' 'idhub'
 }
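Review bot: The new `_pull` line drops the `.git` suffix that the sibling `ssikit_trustchain.git` line uses; git accepts both, but if `_pull` derives the checkout directory from the URL (its definition is outside this hunk) the inconsistency invites a mismatch, and `_pull 'git@gitea.pangea.org:trustchain-oc1-orchestral/devicehub-teal.git' 'idhub'` keeps the file's convention. It also tracks the moving `idhub` branch while the Makefile context in this commit shows a `devicehub_commit` variable meant for tagging builds; pinning a commit, or at least recording the one a pilot build used, would make the `(untested on prod)` image reproducible. `main` begins before this hunk.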