automate OIDC setup for devicehub server & client

This commit is contained in:
pedro 2023-09-21 18:15:54 +02:00
parent 260ac90f86
commit b423a53cfe
3 changed files with 113 additions and 17 deletions


@ -1,15 +1,13 @@
version: "3.9" version: "3.9"
services: services:
devicehub: devicehub-id-server:
init: true init: true
# TODO image: dkr-dsg.ac.upc.edu/devicehub/devicehub:dpp_docker__54511e1b
image: dkr-dsg.ac.upc.edu/devicehub/devicehub:dpp_docker__eafcac09
#build .
environment: environment:
- DB_USER=${DB_USER} - DB_USER=${DB_USER}
- DB_PASSWORD=${DB_PASSWORD} - DB_PASSWORD=${DB_PASSWORD}
- DB_HOST=postgres - DB_HOST=postgres-id-server
- DB_DATABASE=${DB_DATABASE} - DB_DATABASE=${DB_DATABASE}
- HOST=${HOST} - HOST=${HOST}
- EMAIL_DEMO=${EMAIL_DEMO} - EMAIL_DEMO=${EMAIL_DEMO}
@ -19,15 +17,18 @@ services:
- API_DLT=${API_DLT} - API_DLT=${API_DLT}
- API_RESOLVER=${API_RESOLVER} - API_RESOLVER=${API_RESOLVER}
- API_DLT_TOKEN=${API_DLT_TOKEN} - API_DLT_TOKEN=${API_DLT_TOKEN}
- DEVICEHUB_HOST=${DEVICEHUB_HOST} - DEVICEHUB_HOST=${SERVER_ID_DEVICEHUB_HOST}
- ID_FEDERATED=${ID_FEDERATED} - ID_FEDERATED=${SERVER_ID_FEDERATED}
- URL_MANUALS=${URL_MANUALS} - URL_MANUALS=${URL_MANUALS}
- ID_SERVICE=${SERVER_ID_SERVICE}
- AUTHORIZED_CLIENT_URL=${CLIENT_ID_DEVICEHUB_HOST}
ports: ports:
- 5000:5000 - 5000:5000
volumes: volumes:
- ${SNAPSHOTS_PATH}:/mnt/snapshots:ro - ${SNAPSHOTS_PATH}:/mnt/snapshots:ro
- shared:/shared:rw
postgres: postgres-id-server:
image: dkr-dsg.ac.upc.edu/devicehub/postgres:dpp_docker__eafcac09 image: dkr-dsg.ac.upc.edu/devicehub/postgres:dpp_docker__eafcac09
# 4. To create the database. # 4. To create the database.
# 5. Give permissions to the corresponding users in the database. # 5. Give permissions to the corresponding users in the database.
@ -36,12 +37,59 @@ services:
- POSTGRES_PASSWORD=${DB_PASSWORD} - POSTGRES_PASSWORD=${DB_PASSWORD}
- POSTGRES_USER=${DB_USER} - POSTGRES_USER=${DB_USER}
- POSTGRES_DB=${DB_DATABASE} - POSTGRES_DB=${DB_DATABASE}
# DEBUG
#ports:
# - 5432:5432
# TODO persistence
#volumes:
# - pg_data:/var/lib/postgresql/data
devicehub-id-client:
init: true
image: dkr-dsg.ac.upc.edu/devicehub/devicehub:dpp_docker__54511e1b
environment:
- DB_USER=${DB_USER}
- DB_PASSWORD=${DB_PASSWORD}
- DB_HOST=postgres-id-client
- DB_DATABASE=${DB_DATABASE}
- HOST=${HOST}
- EMAIL_DEMO=${EMAIL_DEMO}
- PASSWORD_DEMO=${PASSWORD_DEMO}
- JWT_PASS=${JWT_PASS}
- SECRET_KEY=${SECRET_KEY}
- API_DLT=${API_DLT}
- API_RESOLVER=${API_RESOLVER}
- API_DLT_TOKEN=${API_DLT_TOKEN}
- DEVICEHUB_HOST=${CLIENT_ID_DEVICEHUB_HOST}
- SERVER_ID_HOST=${SERVER_ID_DEVICEHUB_HOST}
- ID_FEDERATED=${CLIENT_ID_FEDERATED}
- URL_MANUALS=${URL_MANUALS}
- ID_SERVICE=${CLIENT_ID_SERVICE}
ports: ports:
- 5432:5432 - 5001:5001
volumes:
- ${SNAPSHOTS_PATH}:/mnt/snapshots:ro
- shared:/shared:ro
postgres-id-client:
image: dkr-dsg.ac.upc.edu/devicehub/postgres:dpp_docker__eafcac09
# 4. To create the database.
# 5. Give permissions to the corresponding users in the database.
# extra src https://github.com/docker-library/docs/blob/master/postgres/README.md#environment-variables
environment:
- POSTGRES_PASSWORD=${DB_PASSWORD}
- POSTGRES_USER=${DB_USER}
- POSTGRES_DB=${DB_DATABASE}
# DEBUG
#ports:
# - 5432:5432
# TODO persistence # TODO persistence
#volumes: #volumes:
# - pg_data:/var/lib/postgresql/data # - pg_data:/var/lib/postgresql/data
# TODO https://testdriven.io/blog/dockerizing-django-with-postgres-gunicorn-and-nginx/ # TODO https://testdriven.io/blog/dockerizing-django-with-postgres-gunicorn-and-nginx/
#nginx #nginx
volumes:
shared:
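Review bot: The `shared` named volume declared at the bottom (mounted `rw` by devicehub-id-server and `ro` by devicehub-id-client) becomes the permanent home of the `/shared/client_id_*` bootstrap files that the entrypoint writes there, and those files carry the OIDC `client_secret`. Nothing in this file or in the entrypoint removes them once the client has registered, and a named volume survives `docker compose down` unless `-v` is passed, so the secret remains on the host in clear text after bootstrap; a comment on the volume such as `# holds client_id_* bootstrap files containing the OIDC client secret — remove them after the client has registered, or use docker secrets instead` plus a cleanup step on the client side would close that gap. Separately, the new devicehub-id-client service receives `JWT_PASS`/`SECRET_KEY` from the same `${JWT_PASS}`/`${SECRET_KEY}` variables the server presumably uses (the server's lines sit outside this hunk), which would make token and session material interchangeable between the identity server and the relying party; worth a comment so the demo layout is not copied verbatim into a real deployment.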


@ -102,15 +102,48 @@ handle_federated_id() {
} }
main() { config_oidc() {
# TODO test allowing more than 1 client
if [ "${ID_SERVICE}" = "server_id" ]; then
gen_env_vars client_description="client identity from docker compose demo"
wait_for_postgres # in AUTHORIZED_CLIENT_URL we remove anything before ://
flask add_contract_oidc \
"${EMAIL_DEMO}" \
"${client_description}" \
"${AUTHORIZED_CLIENT_URL}" \
> /shared/client_id_${AUTHORIZED_CLIENT_URL#*://}
init_flagfile='/container_initialized' elif [ "${ID_SERVICE}" = "client_id" ]; then
# in DEVICEHUB_HOST we remove anything before ://
CLIENT_ID_CONFIG="/shared/client_id_${DEVICEHUB_HOST#*://}"
# wait that the file generated by the server_id is readable
while true; do
if [ -f "${CLIENT_ID_CONFIG}" ]; then
break
fi
sleep 1
done
client_id="$(cat "${CLIENT_ID_CONFIG}" | jq -r '.client_id')"
client_secret="$(cat "${CLIENT_ID_CONFIG}" | jq -r '.client_secret')"
flask add_client_oidc \
"${SERVER_ID_HOST}" \
"${client_id}" \
"${client_secret}"
else
big_error "Something went wrong ${ID_SERVICE} is not server_id nor client_id"
fi
}
config_phase() {
init_flagfile='/already_configured'
if [ ! -f "${init_flagfile}" ]; then if [ ! -f "${init_flagfile}" ]; then
# 7, 8, 9, 11 # 7, 8, 9, 11
init_data init_data
@ -133,9 +166,21 @@ main() {
# # 16. # # 16.
flask check_install "${EMAIL_DEMO}" ${PASSWORD_DEMO} flask check_install "${EMAIL_DEMO}" ${PASSWORD_DEMO}
# config server or client ID
config_oidc
# remain next command as the last operation for this if conditional # remain next command as the last operation for this if conditional
touch "${init_flagfile}" touch "${init_flagfile}"
fi fi
}
main() {
gen_env_vars
wait_for_postgres
config_phase
# 17. Use gunicorn # 17. Use gunicorn
# thanks https://akira3030.github.io/formacion/articulos/python-flask-gunicorn-docker.html # thanks https://akira3030.github.io/formacion/articulos/python-flask-gunicorn-docker.html
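Review bot: In `config_oidc` the client branch only waits for the bootstrap file to exist (`if [ -f "${CLIENT_ID_CONFIG}" ]`), but the server branch creates that file through the shell redirection `> /shared/client_id_...` before `flask add_contract_oidc` has emitted anything, so the client can observe an empty or partially written file, get empty `client_id`/`client_secret` back from jq and call `flask add_client_oidc` with garbage. Writing atomically closes the race: redirect to `> "/shared/client_id_${AUTHORIZED_CLIENT_URL#*://}.tmp"` and follow the flask call with `mv "/shared/client_id_${AUTHORIZED_CLIENT_URL#*://}.tmp" "/shared/client_id_${AUTHORIZED_CLIENT_URL#*://}"`, quoting the target in any case since the unquoted expansion is subject to word splitting. The `while true` loop has no upper bound either, so a server that never comes up leaves the client container polling silently forever; a retry counter that ends in `big_error` would surface the failure, and `jq -r '.client_id' "${CLIENT_ID_CONFIG}"` drops the needless `cat`. `config_oidc` lies entirely within the first hunk, whereas `config_phase` and `main` are cut by the hunk boundaries.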


@ -9,7 +9,10 @@ API_RESOLVER='http://$IP_API_RESOLVER'
ID_FEDERATED='$ID' ID_FEDERATED='$ID'
URL_MANUALS='http://$IP_MANUALS' URL_MANUALS='http://$IP_MANUALS'
DEVICEHUB_HOST='http://devicehub.example.com' SERVER_ID_DEVICEHUB_HOST='http://devicehub-server-id.example.com'
CLIENT_ID_DEVICEHUB_HOST='http://devicehub-client-id.example.com'
SERVER_ID_SERVICE='server_id'
CLIENT_ID_SERVICE='client_id'
HOST='localhost' HOST='localhost'
SCHEMA='dbtest' SCHEMA='dbtest'