@@ -0,0 +1,4 @@ | ||
VAULT_DEV_ROOT_TOKEN_ID= | ||
EDC_API_PW= | ||
PG_USER= | ||
PG_PW= |
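Review bot: the four variables are committed with empty values and no comment on what each one is for, so a reader has to find the README to fill them in; add a one-line comment per key (which service consumes it, whether it is required) and state that this file is the template for the git-ignored `local/.env`. `VAULT_DEV_ROOT_TOKEN_ID` is the variable Vault's dev server reads, i.e. this setup runs an unsealed in-memory dev Vault with a fixed root token, so the comment should say it is for local use only.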
@@ -0,0 +1,4 @@ | ||
*.key | ||
*.cert | ||
*.keys | ||
local/.env |
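Review bot: `*.cert` ignores every certificate in the tree, including the `keys/clients/*.cert` files that `daps/config/clients.yaml` imports, so a fresh checkout only works after the generate-keys step; that is fine for local development but deserves a comment above the patterns. The `.env` rule only covers `local/.env`; if `.env` files can appear elsewhere (for example next to another compose file), ignore `.env` globally or add the other path explicitly.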
@@ -0,0 +1,53 @@ | ||
# Initial Setup | ||
1. generate keys | ||
```shell | ||
cd local | ||
sh generate-keys.sh | ||
>> outputs transportCertsSha256 | ||
``` | ||
2. update daps/config/clients.yaml with the respective transportCertsSha256 | ||
3. define remaining secrets in .env | ||
- set root token for vault instance VAULT_DEV_ROOT_TOKEN_ID (e.g. "4Ko6r3UcHM4dXnOGmPKTHds3") | ||
- set password for edc control plane EDC_API_PW (e.g. "password") | ||
- set user PG_USER and password PG_PW for postgres (e.g. "edc-pg-user" and "edc-pg-passw0rd") | ||
- set vault secrets dir as mapped via volume (e.g. "/vault/secrets"/) | ||
|
||
# Start | ||
```shell | ||
cd local | ||
docker-compose up | ||
|
||
# or use | ||
sh restart.sh | ||
``` | ||
|
||
## Notes on debugging | ||
|
||
### DAPS | ||
The omejdn-daps does not provide any further logging configuration. | ||
It may make sense to log the whole tokens or responses to decode the JWT or similar. | ||
|
||
Requires ruby, which can be installed on Ubuntu as follows: | ||
```shell | ||
sudo apt-get install ruby | ||
``` | ||
|
||
Then download the respective [omejdn release](https://github.com/Fraunhofer-AISEC/omejdn-server/releases/tag/v1.7.1) and unzip it. | ||
In the omejdn-server/omejdn.rb | ||
- search for token POST endpoint ("endpoint '/token', ['POST'],") | ||
- go to end of endpoint definition (most left-hand end) | ||
- add your echo / log upfront the status codes return (e.g. "puts.response.compact.to_json") | ||
- build the omejdn server | ||
```shell | ||
docker build -t omejdn-server:local | ||
``` | ||
|
||
Finally update the ./daps/docker-compose.yaml to use this image instead. | ||
|
||
### Vault & Certs | ||
When having problems with the certs or the vault, one need to delete the vault container. | ||
Following script helps faster restarting | ||
```shell | ||
cd local | ||
sh restart.sh | ||
``` |
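Review bot: `docker build -t omejdn-server:local` in the DAPS debugging section is missing the build context and fails as written; it needs the path to the unpacked release, e.g. `docker build -t omejdn-server:local .` run from inside `omejdn-server/`. The Ruby snippet `puts.response.compact.to_json` is not valid Ruby either; it should be `puts response.compact.to_json` with whatever variable holds the response hash. Minor points: the bullet "set vault secrets dir as mapped via volume" names no variable, so the reader cannot tell which `.env` key to set, and the stray `/` after `"/vault/secrets"` should go; the example values in step 3 (`password`, `edc-pg-passw0rd`) should be marked as placeholders for the local setup only.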
@@ -0,0 +1,41 @@ | ||
--- | ||
# Customer | ||
- client_id: customer | ||
name: customer | ||
import_certfile: keys/clients/customer.cert | ||
token_endpoint_auth_method: private_key_jwt | ||
grant_types: client_credentials | ||
scope: idsc:IDS_CONNECTOR_ATTRIBUTES_ALL | ||
attributes: | ||
- key: idsc | ||
value: IDS_CONNECTOR_ATTRIBUTES_ALL | ||
- key: securityProfile | ||
value: idsc:BASE_SECURITY_PROFILE | ||
- key: referringConnector | ||
value: http://customer-control-plane/ | ||
- key: "@type" | ||
value: ids:datPayload | ||
- key: "@context" | ||
value: https://w3id.org/idsa/contexts/context.jsonld | ||
- key: transportCertsSha256 | ||
value: ea3593699acad45973321dbe0011122fa965062ce68c0edcd7a8198d493be91d | ||
# Supplier | ||
- client_id: supplier | ||
name: supplier | ||
import_certfile: keys/clients/supplier.cert | ||
token_endpoint_auth_method: private_key_jwt | ||
grant_types: client_credentials | ||
scope: idsc:IDS_CONNECTOR_ATTRIBUTES_ALL | ||
attributes: | ||
- key: idsc | ||
value: IDS_CONNECTOR_ATTRIBUTES_ALL | ||
- key: securityProfile | ||
value: idsc:BASE_SECURITY_PROFILE | ||
- key: referringConnector | ||
value: http://supplier-control-plane/ #TODO | ||
- key: "@type" | ||
value: ids:datPayload | ||
- key: "@context" | ||
value: https://w3id.org/idsa/contexts/context.jsonld | ||
- key: transportCertsSha256 | ||
value: 89ab21422a70a198bd891d03e165297ce930a766b0c7eee0e24adb5e9bc92115 |
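Review bot: the supplier `referringConnector` still carries a `#TODO`, and both `transportCertsSha256` values are fixed hashes that can only match certificates produced by one particular run of `generate-keys.sh`; because `*.cert` is git-ignored, these values are stale for every other checkout and README step 2 ("update daps/config/clients.yaml with the respective transportCertsSha256") is mandatory rather than optional. Either mark the two values as placeholders in a comment, or have `generate-keys.sh` write them into this file. The `http://` `referringConnector` values are consistent with the local-only setup but should be labelled as such so they are not copied into a deployment.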
@@ -0,0 +1,19 @@ | ||
--- | ||
host: http://ids-daps:4567/ | ||
path_prefix: '' | ||
bind_to: 0.0.0.0 | ||
allow_origin: "*" | ||
issuer: http://ids-daps:4567/ | ||
openid: false | ||
accept_audience: idsc:IDS_CONNECTORS_ALL | ||
default_audience: | ||
- idsc:IDS_CONNECTORS_ALL | ||
app_env: debug | ||
environment: development | ||
access_token: | ||
expiration: 3600 | ||
algorithm: RS256 | ||
id_token: | ||
expiration: 3600 | ||
algorithm: RS256 | ||
front_url: http://ids-daps:4567/ |
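Review bot: `allow_origin: "*"`, `app_env: debug`, `environment: development` and an `http://` issuer are acceptable for a throwaway local DAPS but are exactly the settings that must not survive into a shared environment; a header comment stating that this file is local-only would make that explicit. `accept_audience` and `default_audience` are both `idsc:IDS_CONNECTORS_ALL`, which matches `OMEJDN_JWT_AUD_OVERRIDE` in the compose file, so three places have to be kept in sync; add a comment pointing at the compose file.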
@@ -0,0 +1,9 @@ | ||
--- | ||
plugins: | ||
admin_api: | ||
user_selfservice: | ||
allow_deletion: false | ||
allow_password_change: true | ||
editable_attributes: [] | ||
token_user_attributes: | ||
skip_id_token: true |
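Review bot: `admin_api` is enabled with no options, which switches on the Omejdn admin API (the `omejdn:admin` scope appears in the scope descriptions); if the local DAPS only needs `client_credentials` tokens for the two connectors, drop the plugin, otherwise document how admin access is restricted. `user_selfservice` with `allow_password_change: true` is likewise unused for machine clients authenticating with `private_key_jwt` and can be removed.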
@@ -0,0 +1,9 @@ | ||
--- | ||
omejdn:read: Read access to the Omejdn server API | ||
omejdn:write: Write access to the Omejdn server API | ||
omejdn:admin: Access to the Omejdn server admin API | ||
profile: 'Standard profile claims (e.g.: Name, picture, website, gender, birthdate, | ||
location)' | ||
email: Email-Address | ||
address: Address | ||
phone: Phone-number |
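Review bot: the scope descriptions cover only the Omejdn and OIDC scopes; `idsc:IDS_CONNECTOR_ATTRIBUTES_ALL`, the one scope the two clients actually request in `clients.yaml`, has no entry, and the `profile`/`email`/`address`/`phone` entries are dead because `openid: false` is set in `omejdn.yml`. Add a description for the IDS scope and consider dropping the unused ones. The `profile` value split across two lines is valid as a single-quoted YAML string but reads more clearly on one line.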
@@ -0,0 +1,4 @@ | ||
--- | ||
idsc:IDS_CONNECTOR_ATTRIBUTES_ALL: | ||
- securityProfile | ||
- referringConnector |
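Review bot: the mapping exposes only `securityProfile` and `referringConnector` for `idsc:IDS_CONNECTOR_ATTRIBUTES_ALL`, while `clients.yaml` also defines `@type`, `@context` and `transportCertsSha256` for each client; if those attributes are meant to appear in the DAT they must be listed here as well, otherwise a comment should say why they are omitted.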
@@ -0,0 +1 @@ | ||
--- {} |
@@ -0,0 +1,39 @@ | ||
# | ||
# Copyright (c) 2023 Volkswagen AG | ||
# Copyright (c) 2023 Fraunhofer-Gesellschaft zur Foerderung der angewandten Forschung e.V. (represented by Fraunhofer ISST) | ||
# Copyright (c) 2023 Contributors to the Eclipse Foundation | ||
# | ||
# See the NOTICE file(s) distributed with this work for additional | ||
# information regarding copyright ownership. | ||
# | ||
# This program and the accompanying materials are made available under the | ||
# terms of the Apache License, Version 2.0 which is available at | ||
# https://www.apache.org/licenses/LICENSE-2.0. | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT | ||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the | ||
# License for the specific language governing permissions and limitations | ||
# under the License. | ||
# | ||
# SPDX-License-Identifier: Apache-2.0 | ||
# | ||
version: '1' | ||
services: | ||
omejdn-daps: | ||
Check warning Code scanning / KICS Healthcheck Not Set Warning
Healthcheck is not defined.
Check warning Code scanning / KICS Host Namespace is Shared Warning
There is no pid declared
Check warning Code scanning / KICS Memory Not Limited Warning
There is no mem_limit declared.
Check warning Code scanning / KICS Networks Not Set Warning
There is no network declared for the service 'omejdn-daps'
Check warning Code scanning / KICS Pids Limit Not Set Warning
Pids_limit is not defined.
Check warning Code scanning / KICS Security Opt Not Set Warning
Docker compose file does not have 'security_opt' attribute
Check notice Code scanning / KICS Container Capabilities Unrestricted Note
Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities.
Check notice Code scanning / KICS Cpus Not Limited Note
There is no cpus priority declared.
|
||
image: ghcr.io/fraunhofer-aisec/omejdn-server:1.7.1 | ||
container_name: omejdn-daps | ||
ports: | ||
Check warning on line 26 in local/daps/docker-compose.yaml GitHub Actions / Analyze[MEDIUM] Container Traffic Not Bound To Host Interface
Check warning Code scanning / KICS Container Traffic Not Bound To Host Interface Warning
Docker compose file doesn't have 'ports' attribute bound to a specific host interface
|
||
- 4567:4567 | ||
# networks: | ||
# - ids-network | ||
environment: | ||
OMEJDN_JWT_AUD_OVERRIDE: idsc:IDS_CONNECTORS_ALL | ||
OMEJDN_PLUGINS: config/plugins.yml | ||
volumes: | ||
- ./config:/opt/config | ||
- ./keys:/opt/keys/omejdn | ||
|
||
#networks: | ||
# ids-network: | ||
# driver: bridge |
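Review bot: `omejdn.yml` uses `http://ids-daps:4567/` as `host`, `issuer` and `front_url`, but this service is named `omejdn-daps` with `container_name: omejdn-daps` and the `ids-network` definition is commented out, so the name `ids-daps` resolves only if another compose file attaches this container under that alias; either rename the service to `ids-daps` or re-enable the network with an explicit alias. `version: '1'` is not a valid value for the top-level `version` key (the v1 file format had no such key; docker-compose 1.x rejects it and Compose v2 ignores the field with a warning), so drop it or use `'3.8'`. The KICS findings above are worth acting on even for local use: bind the port to the loopback interface (`- "127.0.0.1:4567:4567"`) and add `cap_drop: [ALL]`, `security_opt: [no-new-privileges:true]`, `pids_limit` and `mem_limit`, so the hardened settings are exercised in the same environment the README documents.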