add pilot ereuse (untested on prod)

README WIP
This commit is contained in:
pedro 2024-04-03 13:18:36 +02:00
parent 300f705bf7
commit b0b160f088
7 changed files with 178 additions and 8 deletions


@ -16,9 +16,10 @@ MUSICIAN_DOMAIN='musician.example.org'
#### ####
# Please fill in these three variables # Please fill in these three variables
DEVICEHUB_API_DLT='http://$FIXME_IP_API_DLT' DEVICEHUB_API_DLT='http://fixme.dlt.example.com'
DEVICEHUB_API_DLT_TOKEN=$FIXME_TOKEN DEVICEHUB_API_DLT_TOKEN=fixme_apsdfiojai8gji34kjl354kljwkljfsdgoj32i4jo23jiojoi
DEVICEHUB_API_RESOLVER='http://$FIXME_IP_API_RESOLVER' DEVICEHUB_API_RESOLVER='http://fixme.apiresolver.example.com'
DEVICEHUB_VERIFY_URL='http://idhub2-ereuse.demo.pangea.org/promotion/select_wallet'
# you might change or register ID_FEDERATED if you change DEVICEHUB_HOST # you might change or register ID_FEDERATED if you change DEVICEHUB_HOST
DEVICEHUB_ID_FEDERATED='DH12' DEVICEHUB_ID_FEDERATED='DH12'
# TODO this should be guessed by DEVICEHUB_HOST, and avoid hardcode of ID_FEDERATED # TODO this should be guessed by DEVICEHUB_HOST, and avoid hardcode of ID_FEDERATED
@ -46,8 +47,8 @@ DEVICEHUB_SERVER_ID_EMAIL_DEMO='user5000@example.com'
DEVICEHUB_CLIENT_ID_EMAIL_DEMO='user5001@example.com' DEVICEHUB_CLIENT_ID_EMAIL_DEMO='user5001@example.com'
DEVICEHUB_PASSWORD_DEMO='1234' DEVICEHUB_PASSWORD_DEMO='1234'
DEVICEHUB_JWT_PASS='uncomment-it-and-fill-this' DEVICEHUB_JWT_PASS='fixme_ajpfoiafjsn3nlk3n4'
DEVICEHUB_SECRET_KEY='uncomment-it-and-fill-this' DEVICEHUB_SECRET_KEY='fixme_aspijoio3j24n23nlsdlkfsadljksafdljk'
# important to import snapshots (step 15) # important to import snapshots (step 15)
# rel path starts with ./ # rel path starts with ./
@ -93,7 +94,6 @@ IDHUB_SYNC_ORG_DEV='n'
IDHUB_PILOT_TEST__ADMIN_EMAIL='admin@example.com' IDHUB_PILOT_TEST__ADMIN_EMAIL='admin@example.com'
IDHUB_PILOT_TEST__ADMIN_PASSWORD='1234' IDHUB_PILOT_TEST__ADMIN_PASSWORD='1234'
IDHUB_PILOT_LAFEDE__ADMIN_EMAIL='masked@example.com'
# AUTHENTIK aka goauthentik # AUTHENTIK aka goauthentik
#### ####
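Review bot: `DEVICEHUB_VERIFY_URL='http://idhub2-ereuse.demo.pangea.org/promotion/select_wallet'` is the one new value in this hunk that is not a fixme placeholder, and it sends the wallet-selection step to a public demo host over plain HTTP while the compose file in the same commit gives this deployment `DEVICEHUB_HOST=https://devicehub.demo.pangea.org`; it should be `DEVICEHUB_VERIFY_URL='https://idhub2-ereuse.demo.pangea.org/promotion/select_wallet'`. The new `fixme_…` values for `DEVICEHUB_API_DLT_TOKEN`, `DEVICEHUB_JWT_PASS` and `DEVICEHUB_SECRET_KEY` read like real random tokens, so an unedited copy of this file starts the service with secrets that are committed to the repository and nothing fails, whereas the previous `uncomment-it-and-fill-this` text was at least self-describing. Consider a comment above them such as `# fixme_ values are placeholders committed in git: replace every one before deploying`, and ideally a startup check that refuses any value still carrying the `fixme_` prefix. `DEVICEHUB_API_DLT_TOKEN` is also the only one of the three written without quotes, unlike its neighbours.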

2
.gitignore vendored

@ -8,6 +8,8 @@ django-musician
IdHub IdHub
authentik authentik
ssikit_trustchain ssikit_trustchain
IdHub_E2E_testing
devicehub-teal
idhub__* idhub__*
idhub1__* idhub1__*


@ -34,6 +34,9 @@ devicehub_tag := ${devicehub_branch}__${devicehub_commit}
devicehub_tag := latest devicehub_tag := latest
devicehub_image := ${project}/devicehub:${devicehub_tag} devicehub_image := ${project}/devicehub:${devicehub_tag}
postgres_tag := latest
postgres_image := ${project}/postgres:${postgres_tag}
#### ####
# idhub image tag # idhub image tag
#### ####
@ -56,6 +59,16 @@ orchestra_build:
.PHONY: musician_build .PHONY: musician_build
musician_build: musician_build:
docker build -f docker/musician.Dockerfile -t ${musician_image} -t ${project}/musician:latest . docker build -f docker/musician.Dockerfile -t ${musician_image} -t ${project}/musician:latest .
.PHONY: devicehub_build
devicehub_build:
# thanks src https://stackoverflow.com/questions/1789594/how-do-i-write-the-cd-command-in-a-makefile
cd devicehub-teal; \
docker build -f docker/devicehub.Dockerfile -t ${devicehub_image} -t ${project}/devicehub:latest .
.PHONY: postgres_build
postgres_build:
# thanks src https://stackoverflow.com/questions/1789594/how-do-i-write-the-cd-command-in-a-makefile
cd devicehub-teal; \
docker build -f docker/postgres.Dockerfile -t ${postgres_image} -t ${project}/postgres:latest .
docker_build: docker_build:
docker build -f docker/orchestra.Dockerfile -t ${orchestra_image} -t ${project}/orchestra:latest . docker build -f docker/orchestra.Dockerfile -t ${orchestra_image} -t ${project}/orchestra:latest .


@ -28,8 +28,8 @@
- **Pangea**: - **Pangea**:
- Instances: - Instances:
- https://idhub1-pangea.demo.pangea.org - https://idhub1.demo.pangea.org
- https://idhub2-pangea.demo.pangea.org - https://idhub2.demo.pangea.org
- Motivation: The case of Pangea as a web/internet service provider, with member organisations that receive services. These organisations have allocated several resources units (mail accounts, blogs, etc.). Only authorised users with a specific role should be able to access the Musician (Administration Control Panel of resources). - Motivation: The case of Pangea as a web/internet service provider, with member organisations that receive services. These organisations have allocated several resources units (mail accounts, blogs, etc.). Only authorised users with a specific role should be able to access the Musician (Administration Control Panel of resources).
- Scenarios: - Scenarios:
- Scenario 1-> 'Login with Organisation A (Idp)'. The staff members of organisation A, with the appropiate role, can authenticate themselves by providing their organisation credentials (username and password) to access a service in Pangea (Musician). - Scenario 1-> 'Login with Organisation A (Idp)'. The staff members of organisation A, with the appropiate role, can authenticate themselves by providing their organisation credentials (username and password) to access a service in Pangea (Musician).
@ -41,6 +41,13 @@
- Scenario 2-> 'Present a verifiable credential'. The staff members of organisation A, with the appropiate credentials, present them to Pangea in order to access the Musician service. - Scenario 2-> 'Present a verifiable credential'. The staff members of organisation A, with the appropiate credentials, present them to Pangea in order to access the Musician service.
Actors-> **Pangea**: IdP (goauthentik), IdHub (as verifier), Musician, Orchestra (with also nginx API rproxy). **Organisation A**: IdHub (as user wallet) Actors-> **Pangea**: IdP (goauthentik), IdHub (as verifier), Musician, Orchestra (with also nginx API rproxy). **Organisation A**: IdHub (as user wallet)
- **ereuse**:
- Instances:
- https://idhub1-ereuse.demo.pangea.org
- https://idhub2-ereuse.demo.pangea.org
- https://devicehub.demo.pangea.org
- Motivation: TODO
- Scenarios: TODO
- **generic**: https://idhub.demo.pangea.org - **generic**: https://idhub.demo.pangea.org
- Motivation: For demo purposes, for showing other people different than the intended pilot what we do. It is currently similar to lafede pilot - Motivation: For demo purposes, for showing other people different than the intended pilot what we do. It is currently similar to lafede pilot

32
build__pilot-ereuse.sh Executable file

@ -0,0 +1,32 @@
#!/bin/sh
set -e
set -u
# DEBUG
set -x
main() {
cd "$(dirname "${0}")"
# includes functions:
# common_start
# common_end
. ./build__common.sh
# vars used in common_start and end
target='pilot-ereuse'
idhubs='idhub1 idhub2'
# TEMP, move to release when it is in release
idhub_branch='release'
common_start
# common_end builds idhub
# these are extra builds specific for this pilot
make postgres_build
make devicehub_build
common_end
}
main "${@}"
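Review bot: `set -x` is left enabled under a `# DEBUG` marker in a build script the commit title itself says is untested on prod; since `build__common.sh` is sourced rather than executed, its commands are traced too, so anything `common_start`/`common_end` put on a command line (registry credentials, tokens) would land in the build output — that part is inferred, as those functions are outside this file. Make it opt-in instead, `[ -n "${DEBUG:-}" ] && set -x`, or remove it before the pilot goes live. The comment `# TEMP, move to release when it is in release` contradicts the line it annotates, which already reads `idhub_branch='release'`; either the comment or the value is stale and should be corrected so the next reader does not "fix" the wrong one.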


@ -0,0 +1,115 @@
services:
idhub1:
init: true
image: dkr-dsg.ac.upc.edu/trustchain-oc1-orchestral/idhub:latest
environment:
- DOMAIN=idhub1-ereuse.demo.pangea.org
- CREATE_TEST_USERS=true
- ENABLE_EMAIL=false
- ENABLE_2FACTOR_AUTH=false
- LANGUAGE_CODE=ca
- INITIAL_ADMIN_EMAIL=${IDHUB_PILOT_TEST__ADMIN_EMAIL}
- INITIAL_ADMIN_PASSWORD=${IDHUB_PILOT_TEST__ADMIN_PASSWORD}
- SECRET_KEY=${IDHUB_SECRET_KEY:-publicsecretisnotsecureVtmKBfxpVV47PpBCF2Nzz2H6qnbd}
- STATIC_ROOT=${IDHUB_STATIC_ROOT:-/static/}
- MEDIA_ROOT=${IDHUB_MEDIA_ROOT:-/media/}
- PORT=${IDHUB_PORT:-9001}
- DEFAULT_FROM_EMAIL=${IDHUB_DEFAULT_FROM_EMAIL}
- EMAIL_HOST=${IDHUB_EMAIL_HOST}
- EMAIL_HOST_USER=${IDHUB_EMAIL_HOST_USER}
- EMAIL_HOST_PASSWORD=${IDHUB_EMAIL_HOST_PASSWORD}
- EMAIL_PORT=${IDHUB_EMAIL_PORT}
- EMAIL_USE_TLS=${IDHUB_EMAIL_USE_TLS}
- EMAIL_BACKEND=${IDHUB_EMAIL_BACKEND}
- SUPPORTED_CREDENTIALS=['MembershipCard']
- SYNC_ORG_DEV=${IDHUB_SYNC_ORG_DEV}
- OIDC_OIRGS=examples/organizations__pilot_ereuse.csv
- OIDC_REDIRECT=true
ports:
- 9101:9001
volumes:
- ./idhub1__pilot-ereuse:/opt/idhub
- sharedsecret:/sharedsecret:rw
idhub2:
init: true
image: dkr-dsg.ac.upc.edu/trustchain-oc1-orchestral/idhub:latest
environment:
- DOMAIN=idhub2-ereuse.demo.pangea.org
- ENABLE_EMAIL=false
- ENABLE_2FACTOR_AUTH=false
- LANGUAGE_CODE=ca
- INITIAL_ADMIN_EMAIL=${IDHUB_PILOT_TEST__ADMIN_EMAIL}
- INITIAL_ADMIN_PASSWORD=${IDHUB_PILOT_TEST__ADMIN_PASSWORD}
- SECRET_KEY=${IDHUB_SECRET_KEY:-publicsecretisnotsecureVtmKBfxpVV47PpBCF2Nzz2H6qnbd}
- STATIC_ROOT=${IDHUB_STATIC_ROOT:-/static/}
- MEDIA_ROOT=${IDHUB_MEDIA_ROOT:-/media/}
- PORT=${IDHUB_PORT:-9002}
- DEFAULT_FROM_EMAIL=${IDHUB_DEFAULT_FROM_EMAIL}
- EMAIL_HOST=${IDHUB_EMAIL_HOST}
- EMAIL_HOST_USER=${IDHUB_EMAIL_HOST_USER}
- EMAIL_HOST_PASSWORD=${IDHUB_EMAIL_HOST_PASSWORD}
- EMAIL_PORT=${IDHUB_EMAIL_PORT}
- EMAIL_USE_TLS=${IDHUB_EMAIL_USE_TLS}
- EMAIL_BACKEND=${IDHUB_EMAIL_BACKEND}
- SUPPORTED_CREDENTIALS=['EOperatorClaim']
- SYNC_ORG_DEV=${IDHUB_SYNC_ORG_DEV}
- OIDC_OIRGS=examples/organizations__pilot_ereuse.csv
- OIDC_REDIRECT=true
ports:
- 9102:9001
volumes:
- ./idhub2__pilot-ereuse:/opt/idhub
- sharedsecret:/sharedsecret:rw
devicehub:
init: true
image: dkr-dsg.ac.upc.edu/trustchain-oc1-orchestral/devicehub:latest
environment:
- HOST=devicehub.demo.pangea.org
- DEVICEHUB_HOST=https://devicehub.demo.pangea.org
- ID_FEDERATED=DH9
- DB_USER=${DEVICEHUB_DB_USER}
- DB_PASSWORD=${DEVICEHUB_DB_PASSWORD}
- DB_HOST=postgres-dh
- DB_DATABASE=${DEVICEHUB_DB_DATABASE}
- EMAIL_DEMO=${DEVICEHUB_SERVER_ID_EMAIL_DEMO}
- PASSWORD_DEMO=${DEVICEHUB_PASSWORD_DEMO}
- JWT_PASS=${DEVICEHUB_JWT_PASS}
- SECRET_KEY=${DEVICEHUB_SECRET_KEY}
- API_DLT=${DEVICEHUB_API_DLT}
- API_RESOLVER=${DEVICEHUB_API_RESOLVER}
- API_DLT_TOKEN=${DEVICEHUB_API_DLT_TOKEN}
- VERIFY_URL=${DEVICEHUB_VERIFY_URL}
- EREUSE_PILOT=y
- URL_MANUALS=${DEVICEHUB_URL_MANUALS}
- ID_SERVICE=${DEVICEHUB_SERVER_ID_SERVICE}
- AUTHORIZED_CLIENT_URL=${DEVICEHUB_CLIENT_ID_DEVICEHUB_HOST}
- DPP_MODULE=y
- CONFIG_OIDC=n
- IMPORT_SNAPSHOTS=n
ports:
- 5000:5000
volumes:
- devicehub:/opt/devicehub:rw
postgres-dh:
image: dkr-dsg.ac.upc.edu/ereuse/postgres:latest
# 4. To create the database.
# 5. Give permissions to the corresponding users in the database.
# extra src https://github.com/docker-library/docs/blob/master/postgres/README.md#environment-variables
environment:
- POSTGRES_PASSWORD=${DEVICEHUB_DB_PASSWORD}
- POSTGRES_USER=${DEVICEHUB_DB_USER}
- POSTGRES_DB=${DEVICEHUB_DB_DATABASE}
# DEBUG
#ports:
# - 5432:5432
# TODO persistence
#volumes:
# - pg_data:/var/lib/postgresql/data
volumes:
sharedsecret:
devicehub:
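Review bot: Both IdHub services fall back to a committed key when the variable is unset, `SECRET_KEY=${IDHUB_SECRET_KEY:-publicsecretisnotsecureVtmKBfxpVV47PpBCF2Nzz2H6qnbd}`, so a pilot started from an incomplete `.env` silently signs with a value anyone can read from this repository; compose's mandatory form, `SECRET_KEY=${IDHUB_SECRET_KEY:?IDHUB_SECRET_KEY must be set}`, would make the omission fail at `docker compose up` instead. `idhub1` and `idhub2` also share that single `IDHUB_SECRET_KEY`; if they represent distinct parties (wallet and verifier, per the README hunk), separate variables would stop a leak from one instance affecting the other — inferred, since how IdHub uses the key is not visible here. The `devicehub` service hardcodes `ID_FEDERATED=DH9` while the env example in this commit carries `DEVICEHUB_ID_FEDERATED='DH12'`, which by the naming pattern of the neighbouring lines appears to be the same setting, so that variable is dead for this pilot; `ID_FEDERATED=${DEVICEHUB_ID_FEDERATED}` would keep one source of truth. `postgres-dh` pulls `dkr-dsg.ac.upc.edu/ereuse/postgres:latest` whereas the new Makefile target tags `${project}/postgres:latest`; if `${project}` is `dkr-dsg.ac.upc.edu/trustchain-oc1-orchestral` as the idhub image lines imply, the locally built image is never the one started.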


@ -37,6 +37,7 @@ main() {
# we only use this to get idhub dependency # we only use this to get idhub dependency
# didkit-0.3.2-cp311-cp311-manylinux_2_34_x86_64.whl # didkit-0.3.2-cp311-cp311-manylinux_2_34_x86_64.whl
_pull 'git@gitea.pangea.org:trustchain-oc1-orchestral/ssikit_trustchain.git' 'master' _pull 'git@gitea.pangea.org:trustchain-oc1-orchestral/ssikit_trustchain.git' 'master'
_pull 'git@gitea.pangea.org:trustchain-oc1-orchestral/devicehub-teal' 'idhub'
} }
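Review bot: The new `_pull 'git@gitea.pangea.org:trustchain-oc1-orchestral/devicehub-teal' 'idhub'` sits under the comment `# we only use this to get idhub dependency`, which describes only the ssikit_trustchain pull above it, so a reader would take devicehub-teal for another idhub dependency; give it its own comment, e.g. `# devicehub-teal: source tree for the Makefile's devicehub_build and postgres_build targets (pilot-ereuse)`. It also drops the `.git` suffix the neighbouring URL carries — harmless if the server accepts both forms, but worth aligning for consistency. `main` begins outside this hunk.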