Commit e6dcbfd1 authored by p.jbowden's avatar p.jbowden

Big commit to prepare for adding MiCADO deployment

- Split up docker-compose.yml -> docker-compose/*.yml
- Make sure all container params are stored in the .env file (no
  hardcoded values in docker-compose environment config)
- Rename many environment variables for better namespacing
- remove docker-compose.bootstrap.yml entirely and move the
  functionality to the configure script
parent ff6ef672
# ===== target definition =====
# IP/host name and base url config
# These values should be updated on a per-deployment basis.
# --- HOSTS AND ENDPOINTS --- #
APP_HOST_NAME=<application's IP address>
# Public (internet/LAN accessible) hosts, urls and endpoints
APP_HOST_NAME=
APP_PROTOCOL=http
APP_BASE_URL=${APP_PROTOCOL}://${APP_HOST_NAME}
KEYCLOAK_HOST=${APP_HOST_NAME}
KEYCLOAK_PROTOCOL=http
KEYCLOAK_PORT=8181
KEYCLOAK_BASE_URL=${KEYCLOAK_PROTOCOL}://${KEYCLOAK_HOST}:${KEYCLOAK_PORT}
KEYCLOAK_AUTH_ENDPOINT=${KEYCLOAK_BASE_URL}/auth
REGISTRATION_AUTHORITY_HOST=${APP_HOST_NAME}
REGISTRATION_AUTHORITY_PROTOCOL=http
REGISTRATION_AUTHORITY_PORT=8085
REGISTRATION_AUTHORITY_BASE_URL=${REGISTRATION_AUTHORITY_PROTOCOL}://${REGISTRATION_AUTHORITY_HOST}:${REGISTRATION_AUTHORITY_PORT}
CPABE_SERVER_HOST=${APP_HOST_NAME}
CPABE_SERVER_PROTOCOL=http
CPABE_SERVER_PORT=8084
CPABE_SERVER_BASE_URL=${CPABE_SERVER_PROTOCOL}://${CPABE_SERVER_HOST}:${CPABE_SERVER_PORT}
KEYTRAY_HOST=${APP_HOST_NAME}
KEYTRAY_PROTOCOL=http
KEYTRAY_PORT=8083
KEYTRAY_BASE_URL=${KEYTRAY_PROTOCOL}://${KEYTRAY_HOST}:${KEYTRAY_PORT}
KEYTRAY_API_URL=${KEYTRAY_BASE_URL}/api/v1
ZUUL_HOST=${APP_HOST_NAME}
XNAT_HOST=${APP_HOST_NAME}:8080
KEYTRAY_HOST=${APP_HOST_NAME}:8083
CPABE_HOST=${APP_HOST_NAME}:8084
REGAUTH_HOST=${APP_HOST_NAME}:8085
KEYCLOAK_HOST=${APP_HOST_NAME}:8181
MINIO_HOST=${APP_HOST_NAME}:9000
ZUUL_PROTOCOL=http
ZUUL_PORT=80
SSE_SERVER_BASE_URL=${ZUUL_PROTOCOL}://${ZUUL_HOST}/sse
SSE_TA_BASE_URL=${ZUUL_PROTOCOL}://${ZUUL_HOST}/ta
MINIO_HOST=${APP_HOST_NAME}
MINIO_PROTOCOL=http
MINIO_PORT=9000
XNAT_HOST=${APP_HOST_NAME}
XNAT_PROTOCOL=http
XNAT_PORT=8080
XNAT_BASE_URL=${XNAT_PROTOCOL}://${XNAT_HOST}:${XNAT_PORT}
XNAT_ADMIN_URL=${XNAT_BASE_URL}/xnat
XNAT_API_URL=${XNAT_BASE_URL}/xnat/REST
SSE_SERVER_ALLOWED_HOSTS="${APP_HOST_NAME} sse"
TA_ALLOWED_HOSTS="${APP_HOST_NAME} ta"
APP_BASE_URL=http://${APP_HOST_NAME}
# Internal (docker network only) hosts, urls and endpoints.
ZUUL_URL=${APP_BASE_URL}
XNAT_URL=${APP_BASE_URL}:8080
KEYTRAY_URL=${APP_BASE_URL}:8083
CPABE_URL=${APP_BASE_URL}:8084
REGAUTH_URL=${APP_BASE_URL}:8085
KEYCLOAK_URL=${APP_BASE_URL}:8181/auth
INTERNAL_ABAC_SERVER_HOST=abac-server
INTERNAL_ABAC_SERVER_PROTOCOL=https
INTERNAL_ABAC_SERVER_PORT=7071
INTERNAL_ABAC_SERVER_BASE_URL=${INTERNAL_ABAC_SERVER_PROTOCOL}://${INTERNAL_ABAC_SERVER_HOST}:${INTERNAL_ABAC_SERVER_PORT}
INTERNAL_ABAC_SERVER_PDP_ENDPOINT=${INTERNAL_ABAC_SERVER_BASE_URL}/checkJsonAccessRequest
XNAT_API_URL=${XNAT_URL}/xnat/REST
SSE_CLIENT_TA_URL=${ZUUL_URL}/ta
SSE_CLIENT_SSE_URL=${ZUUL_URL}/sse
SSE_CLIENT_CP_ABE_URL=${APP_BASE_URL}:8084
INTERNAL_SSE_DB_HOST=sse-db
INTERNAL_SSE_DB_PORT=5432
INTERNAL_SSE_SERVER_HOST=sse-server
INTERNAL_SSE_SERVER_PROTOCOL=http
INTERNAL_SSE_SERVER_PORT=8080
INTERNAL_SSE_SERVER_BASE_URL=${INTERNAL_SSE_SERVER_PROTOCOL}://${INTERNAL_SSE_SERVER_HOST}:${INTERNAL_SSE_SERVER_PORT}
INTERNAL_SSE_TA_DB_HOST=sse-ta-db
INTERNAL_SSE_TA_DB_PORT=5432
# ===== run time =====
# These values are parameters for provisioning and run-time. `/configure` will
# create secrets and replace the below dummy values.
INTERNAL_SSE_TA_HOST=sse-ta
INTERNAL_SSE_TA_PROTOCOL=http
INTERNAL_SSE_TA_PORT=8000
INTERNAL_SSE_TA_BASE_URL=${INTERNAL_SSE_TA_PROTOCOL}://${INTERNAL_SSE_TA_HOST}:${INTERNAL_SSE_TA_PORT}
INTERNAL_KEYCLOAK_DB_HOST=keycloak-db
INTERNAL_KEYCLOAK_DB_PORT=3306
INTERNAL_KEYTRAY_DB_HOST=keytray-db
INTERNAL_KEYTRAY_DB_PORT=3306
INTERNAL_XNAT_DB_HOST=xnat-db
INTERNAL_XNAT_DB_PORT=5432
INTERNAL_TEEP_SERVER_HOST=teep-server
INTERNAL_TEEP_SERVER_PROTOCOL=coap
INTERNAL_TEEP_SERVER_PORT=5683
INTERNAL_TEEP_SERVER_ENDPOINT=${INTERNAL_TEEP_SERVER_PROTOCOL}://${INTERNAL_TEEP_SERVER_HOST}:${INTERNAL_TEEP_SERVER_PORT}/teep
# --- Common TLS certificate truststore --- #
COMMON_TRUSTSTORE_FILE=/etc/certs/common-truststore.p12
COMMON_TRUSTSTORE_PASSWORD=asclepios
AMPLE_KEYSTORE_PASSWORD=asclepios
# bcrypt hash of password "admin", obtained like this: `htpasswd -bnBC 10 "" admin | tr -d ':\n'`
AMPLE_ADMIN_PASSWORD=$2a$10$6sB2k3fzkqu/D.v/V0CwiuqAdyTsGdItpGpCO7y5dCOEYV6SS5nEy
PDP_SERVER_MYSQL_ROOT_PASSWORD=!r00t!
PDP_SERVER_MYSQL_DATABASE=apam-db
PDP_SERVER_MYSQL_USER=pdp
PDP_SERVER_MYSQL_PASSWORD=pdp
ABAC_SERVER_APAM_DB=apam_db
ABAC_SERVER_API_KEY=1234567890
# --- ABAC-SERVER --- #
# abac-server access credentials
ABAC_SERVER_ACCESS_KEY=7235687126587231675321756752657236156321765723
ABAC_SERVER_API_KEY=1234567890
# abac-server TLS certificate
ABAC_SERVER_KEYSTORE_FILE=/etc/certs/abac-server-keystore.p12
ABAC_SERVER_KEY_ALIAS=abac-server
ABAC_SERVER_KEYSTORE_PASSWORD=asclepios
KEYCLOAK_MYSQL_ROOT_PASSWORD=!r00t!
KEYCLOAK_MYSQL_DATABASE=keycloak
KEYCLOAK_MYSQL_USER=keycloak
KEYCLOAK_MYSQL_PASSWORD=keycloak
KEYCLOAK_REALM=snet
KEYCLOAK_RESOURCE=calls-gateway
KEYTRAY_MYSQL_ROOT_PASSWORD=!r00t!
KEYTRAY_MYSQL_DATABASE=store
# pdp-server application config
ABAC_SERVER_JPA_HIBERNATE_DDL_AUTO=update
ABAC_SERVER_EXT_ATTRIBUTE_FINDERS=eu.asclepios.example.contexthandlers.SNETAttributeFinder
ABAC_SERVER_LIB_PATH=/abac-server/ext/snet-asclepios-context-handler-1.0.0-SNAPSHOT-jar-with-dependencies.jar
# --- KEYCLOAK --- #
# keycloak admin access credentials
KEYCLOAK_ADMIN_USER=admin
KEYCLOAK_ADMIN_PASSWORD=admin
# keycloak database
KEYCLOAK_DB_VENDOR=mysql
KEYCLOAK_DB_DATABASE=keycloak
KEYCLOAK_DB_USER=keycloak
KEYCLOAK_DB_PASSWORD=keycloak
KEYCLOAK_DB_ROOT_PASSWORD=!r00t!
# keycloak application config
KEYCLOAK_PROXY_ADDRESS_FORWARDING=true
# keycloak data to provision manually (see README.md)
KEYCLOAK_REALM=snet
KEYCLOAK_RESOURCE=calls-gateway
KEYCLOAK_RESOURCE_SECRET=supersecret
KEYCLOAK_REALM_ADMIN_USER=dev
KEYCLOAK_REALM_ADMIN_PASSWORD=password
XNAT_DATASOURCE_DRIVER=org.postgresql.Driver
XNAT_DATASOURCE_URL=jdbc:postgresql://xnat-db/xnat
XNAT_HIBERNATE_DIALECT=org.hibernate.dialect.PostgreSQL9Dialect
TOMCAT_XNAT_FOLDER=xnat
XNAT_ROOT=/data/xnat
XNAT_HOME=/data/xnat/home
XNAT_DATASOURCE_USERNAME=xnat
XNAT_DATASOURCE_PASSWORD=xnat
XNAT_DATASOURCE_DBNAME=xnat
# --- REGISTRATION_AUTHORITY --- #
# registration-authority application config
REGISTRATION_AUTHORITY_MODE=dev
REGISTRATION_AUTHORITY_AZ_CALL_DISABLED=true
# --- ABAC-ZUUL-PROXY --- #
# abac-zuul-proxy application config
ABAC_ZUUL_PROXY_PDP_JWT_SECRET=asclepios
ABAC_ZUUL_PROXY_PDP_LOAD_BALANCE_METHOD=ORDER
ABAC_ZUUL_PROXY_PDP_RETRY_COUNT=1
ABAC_ZUUL_PROXY_KEYCLOAK_ENABLED=true
# --- SSE --- #
# sse server database
SSE_DB_NAME=ssedb
SSE_DB_USER=sseadmin
SSE_DB_PASSWORD=sseadmin
# sse-server application config
SSE_SERVER_DJANGO_LOGLEVEL=DEBUG
SSE_SERVER_DJANGO_DEBUG=True
SSE_SERVER_DJANGO_SECRET_KEY=kl#rqhxq^m8s@vcve3o2-r7rvunKu=&8o+h@1e+n9m-*6_v6kW
# sse-server minio integration config
SSE_SERVER_MINIO_BUCKET_NAME=snet
SSE_SERVER_MINIO_SSL_SECURE=False
SSE_SERVER_MINIO_EXPIRE_GET=1
SSE_SERVER_MINIO_EXPIRE_PUT=1
# trusted authority database
SSE_TA_DB_NAME=tadb
SSE_TA_DB_USER=taadmin
SSE_TA_DB_PASSWORD=taadmin
# trusted authority application config
SSE_TA_DJANGO_LOGLEVEL=DEBUG
SSE_TA_DJANGO_DEBUG=True
SSE_TA_DJANGO_SECRET_KEY=6jpu71#_4j7jaorh+_llj35pYgno7@U+!04n!#q_27b+4cv%5G
SSE_TA_HASH_LENGTH=256
SSE_TA_IV=azymblqe
SSE_TA_MODE=ccm
SSE_TA_KS=128
SSE_TA_SGX=0
# --- MINIO --- #
# minio admin credentials
MINIO_ROOT_USER=minio
MINIO_ROOT_PASSWORD=minio123
# --- KEYTRAY --- #
# keytray database
KEYTRAY_DATABASE_USER=root
KEYTRAY_DATABASE_ROOT_PASSWORD=!r00t!
KEYTRAY_DATABASE_DB=store
KEYTRAY_AZ_CALL_DISABLED=true
# --- CPABE-SERVER --- #
# cpabe-server application config
CPABE_SERVER_MODE=dev
CPABE_SERVER_KEYCLOAK_CORS=true
# --- SSE-CLIENT --- #
SSE_CLIENT_SALT=ZWdhYndlZmc=
SSE_CLIENT_IV=bGd3YmFnd2c=
......@@ -90,62 +243,43 @@ SSE_CLIENT_AUTH=true
SSE_CLIENT_DEBUG=true
SSE_CLIENT_SMALL_FILE=0
SSE_SERVER_DJANGO_LOGLEVEL=DEBUG
SSE_SERVER_DJANGO_DEBUG=True
SSE_SERVER_DJANGO_SECRET_KEY=kl#rqhxq^m8s@vcve3o2-r7rvunKu=&8o+h@1e+n9m-*6_v6kW
SSE_SERVER_TA_SERVER=http://ta:8000
SSE_SERVER_DB_NAME=ssedb
SSE_SERVER_DB_USER=sseadmin
SSE_SERVER_DB_PASSWORD=sseadmin
SSE_SERVER_DB_HOST=sse-db
SSE_SERVER_DB_PORT=5432
TA_DJANGO_LOGLEVEL=DEBUG
TA_DJANGO_DEBUG=True
TA_DJANGO_SECRET_KEY=6jpu71#_4j7jaorh+_llj35pYgno7@U+!04n!#q_27b+4cv%5G
TA_HASH_LENGTH=256
TA_IV=azymblqe
TA_MODE=ccm
TA_KS=128
TA_TEEP_SERVER=coap://teep-server:5683/teep
TA_SGX=0
TA_DB_NAME=tadb
TA_DB_USER=taadmin
TA_DB_PASSWORD=taadmin
TA_DB_HOST=ta-db
TA_DB_PORT=5432
MINIO_BUCKET_NAME=snet
MINIO_SSL_SECURE=False
MINIO_EXPIRE_GET=1
MINIO_EXPIRE_PUT=1
MINIO_ACCESS_KEY=minio
MINIO_SECRET_KEY=minio123
CPABE_PUBLIC_KEY=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
CPABE_MASTER_KEY=AAAAFD3/m1YKeHfeHxgRjpmWDmo1SAkwAAAAgJH6Z/MSMNr4yU7VCDw3RlqsiyImXlX2bF9Mzr7EH7iRKFQLPUmZnAcReGThOl8GrFZ5w8WMwdZ+aHnRw52is0pX9WuRZo+fKyyI7jlkNN/wUw2PyD2xUxQQM8vu0bXajNp0Z4PWt4KNGomoqxjgx0erAYlK1i0so1us1y7hE6OA
# --- XNAT --- #
# xnat admin credentials, must be provisioned manually (see README.md)
# ===== test fixtures =====
# These variables are used for automated e2e testing. You must still manually
# set the above the variables below before running tests.
XNAT_ADMIN_USER=admin
XNAT_ADMIN_PASSWORD=admin
# project name must not contain any special characters (including '-' and '_')
TEST_PROJECT=asclepiostestproject
# xnat database
TEST_KEYCLOAK_USER=testrunner
XNAT_DATASOURCE_DRIVER=org.postgresql.Driver
XNAT_DATASOURCE_URL=jdbc:postgresql://xnat-db/xnat
XNAT_HIBERNATE_DIALECT=org.hibernate.dialect.PostgreSQL9Dialect
XNAT_DATASOURCE_DBNAME=xnat
XNAT_DATASOURCE_USERNAME=xnat
XNAT_DATASOURCE_PASSWORD=xnat
# xnat application config
# ===== manually set =====
# These variables do not get provisioned and need to be manually set after
# deployment. As soon as you have set them, please add them to the /.env.d/
# directory so future provisions will not overwrite them with the below default
# values.
TEST_KEYCLOAK_PASSWORD=password
XNAT_ROOT=/data/xnat
XNAT_HOME=/data/xnat/home
XNAT_TOMCAT_FOLDER=xnat
XNAT_CATALINA_OPTS="-Xms128m -Xmx2048m -Dxnat.home=${XNAT_HOME} -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=8000"
XNAT_ADMIN_USER=admin
XNAT_ADMIN_PASSWORD=admin
KEYCLOAK_REALM_ADMIN_USER=dev
KEYCLOAK_REALM_ADMIN_PASSWORD=password
# --- CPABE MASTER KEY --- #
CPABE_PUBLIC_KEY=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
CPABE_MASTER_KEY=AAAAFD3/m1YKeHfeHxgRjpmWDmo1SAkwAAAAgJH6Z/MSMNr4yU7VCDw3RlqsiyImXlX2bF9Mzr7EH7iRKFQLPUmZnAcReGThOl8GrFZ5w8WMwdZ+aHnRw52is0pX9WuRZo+fKyyI7jlkNN/wUw2PyD2xUxQQM8vu0bXajNp0Z4PWt4KNGomoqxjgx0erAYlK1i0so1us1y7hE6OA
# --- TEST-FIXTURES --- #
# project may not contain any spaces or special characters (including '-' and '_')
# password must be provisioned manually (see README.md)
TEST_PROJECT=asclepiostestproject
TEST_KEYCLOAK_USER=testrunner
TEST_KEYCLOAK_PASSWORD=password
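Review bot: The CPABE key pair (`CPABE_PUBLIC_KEY`/`CPABE_MASTER_KEY`), both `*_DJANGO_SECRET_KEY` values and `ABAC_SERVER_ACCESS_KEY` are committed verbatim in this template, while the `# ===== manually set =====` block states that such entries are not provisioned and keep their defaults unless copied into `/.env.d/`; a deployment that skips that step therefore runs on key material that is readable by anyone with access to this repository. The `# ===== run time =====` comment says `/configure` replaces dummy values, but it is not visible here whether the CPABE pair and the Django secrets are among them; if they are not, the template should say so next to them, e.g. `# Shared development key pair - generate a fresh pair per deployment and keep it in /.env.d/`. The same block already documents `XNAT_ADMIN_PASSWORD=admin` and `KEYCLOAK_REALM_ADMIN_PASSWORD=password` as defaults; a reminder that the admin UIs are reachable on the public `APP_HOST_NAME` endpoints with these values until they are changed would be worth a line there too. Old and new lines are interleaved on this page (two `APP_HOST_NAME=` entries, two `KEYCLOAK_HOST=`), so the exact new-side placement of these entries cannot be confirmed from here.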
......@@ -6,16 +6,15 @@
# You should not add any files in /data/ to the git repo.
/data/
# The /.env and /.env.d/ are managed by the configure script.
# The /certs/ /.env and /.env.d/ are managed by the configure script.
/certs/
/.env
/.env.d/
# Docker creates a /log file which obviously should not persist in git.
/log
# ignore python cache
__pycache__
conf-bin/env.sh
test_failures.log
# snet-asclepios-docker-compose
# snet-asclepios-deployment
Encrypted sleep research on [docker](https://www.docker.com/). Includes [XNAT](https://xnat.org/) with [snet-asclepios-plugin](https://gitlab.com/indie-sleep-demo/snet-asclepios-plugin), [snet-asclepios-editor](https://gitlab.com/indie-sleep-demo/snet-asclepios-editor) and [snet-asclepios-search](https://gitlab.com/indie-sleep-demo/snet-asclepios-search) and a number of services from the ASCLEPIOS framework.
Encrypted sleep research platform. This repositiory contains tools and definitions for provisioning and deploying the ASCLEPIOS project sleep healthcare demonstrator.
The deployed stack includes [XNAT](https://xnat.org/) with [snet-asclepios-plugin](https://gitlab.com/indie-sleep-demo/snet-asclepios-plugin), [snet-asclepios-editor](https://gitlab.com/indie-sleep-demo/snet-asclepios-editor) and [snet-asclepios-search](https://gitlab.com/indie-sleep-demo/snet-asclepios-search) along with a number of services from the ASCLEPIOS framework.
### Running everything thing on a single node (for development)
### Run
- Run `export APP_HOST_NAME="<your IP address>"` with your machine's IPv4 address.
- Run `./configure` and follow instructions until you get a green success message.
- Start the software with `docker-compose up -d`.
- Run `docker network create snet-asclepios`
- Run `find docker-compose/ -name *.yml -exec docker-compose -f {} up -d \;` to bring up the whole stack.
### Set up Keycloak
You need to manually import `conf/realm-export.json` using the keycloak admin ui, but before you can do that you need to make a minor change the keycloak database schema, specifically, you need to modify the `USER_ATTRIBUTE.text` column to allow the storage of strings greater than 255 characters. The change is necessary to faciliate the storage of cpabe keys as user attributes, as a cpabe key is usually more than 1000 characters in length.
You need to import `conf/realm-export.json` in order to provision the keycloak realm, but before you can do that you need to make a minor change the keycloak database schema, specifically, you need to modify the `USER_ATTRIBUTE.text` column to allow the storage of strings greater than 255 characters.
The change is necessary to faciliate the storage of cpabe keys as user attributes, as a cpabe key is usually more than 1000 characters in length.
- Execute the following command:
```sh
docker-compose exec keycloak-db mysql --user="root" --password="$(cat .env.d/KEYCLOAK_MYSQL_ROOT_PASSWORD)" --database=keycloak --execute='ALTER TABLE USER_ATTRIBUTE MODIFY value text CHARACTER SET utf8 COLLATE utf8_general_ci'
docker -it keycloak-db mysql --user="root" --password="$(cat .env.d/KEYCLOAK_DB_ROOT_PASSWORD)" --database=keycloak --execute='ALTER TABLE USER_ATTRIBUTE MODIFY value text CHARACTER SET utf8 COLLATE utf8_general_ci;'
```
* Go to `http://<YOUR_IP_ADDDRESS_HERE>:8181` and login to keycloak with the credentials in your `env.sh` file
* Click `Add Realm` at the top left under `Master`
* Click `Import -> Select File` and select the file at `./conf/realm-export.json` in this repository
Now you can import the realm manually using the keycloak admin UI
* Open the Keycloak admin interface in a web browser.
For example, run `firefox $(grep '^KEYCLOAK_AUTH_ENDPOINT' .env | awk -F= '{print $2}')`
- Run `cat .env.d/KEYCLOAK_ADMIN_PASSWORD`
- Login with the credentials output by the previous command
- Click `Add Realm` at the top left under `Master`
- Click `Import -> Select File` and select the file at `./conf/realm-export.json` in this repository
Next you will need to create a realm admin user so that you can use the Registration Authority
* Go to `Users->Add User` and create a new user using the value of `KEYCLOAK_REALM_ADMIN_USER` in your `.env` file as the username/
* On the user screen go to `Credentials` and set the password to the value of `KEYCLOAK_REALM_ADMIN_PASSWORD` in your `.env` file.
* On the user screen go to `Role Mappings` and assign the `admin` realm role.
- Run `cat .env.d/KEYCLOAK_REALM_ADMIN_USER`
- Go to `Users->Add User` and create a new user using the value output by the previous command
- Run `cat .env.d/KEYCLOAK_REALM_ADMIN_PASSWORD`
- On the user screen go to `Credentials` and set the password to the value by output the previous command
- On the user screen go to `Role Mappings` and assign the `admin` realm role.
Optionally, you can provision the realm admin with a CPABE key using the following script:
```
python3 -m utils.init_realm_admin
usage: init_realm_admin.py [-h] username project
init_realm_admin.py: error: the following arguments are required: username, project
```
Finally, if you want to run the automated end-to-end tests, you need to set a password for the test runner.
* Go to `Users->View All Users` in the sidebar, and then for "testrunner" go to the `Credentials` tab and set the password to the value of `TEST_KEYCLOAK_PASSWORD` in your .env file
- Run `cat .env.d/TEST_KEYCLOAK_USER`
- Go to `Users->View All Users` in the sidebar, and then for "testrunner" go to the `Credentials` tab and set the password to the value output by the previous command
### Set up XNAT
XNAT's database is provisioned using a SQL dump. This SQL dump contains the default XNAT admin user, with the password 'admin' (just like on a default xnat installation).
* Go to `http://<YOUR_IP_ADDRESS_HERE>:8080/xnat` and login with the credentials `username=admin, password=admin`
* Go to `Adminster -> Users -> admin -> Change Password` and set a new password
* Open the XNAT admin interface in a web browser.
For example, run `firefox $(grep '^XNAT_ADMIN_URL' .env.tpl | awk -F= '{print $2}')`
* Login with the credentials `username=admin,password=admin`
- Run `cat .env.d/XNAT_ADMIN_PASSWORD`
* Go to `Adminster -> Users -> admin -> Change Password` and set the password to value output by the previous command.
You can now use the admin user to create new projects and activtate new user accounts.
......@@ -44,7 +72,7 @@ When creating a new project, you must add an ASCLEPIOS `keyid` field for subject
### Adding new users
* New users can be added to keycloak via the Registration Authority using the following utlity script (role should be one of `owner`, `member` or `collaborator`)
New users can be added to keycloak via the Registration Authority using the following utlity script. `role` should be one of `owner`, `member` or `collaborator`
```
python3 -m utils.create_user
......@@ -54,7 +82,7 @@ create_user.py: error: the following arguments are required: username, firstName
* Once a user has been created, set there password to a tempory password in the keycloak admin interface.
* They can now attempt to log into XNAT using the `login with keycloak` button, they should get a registration successful message.
* Use the XNAT admin user to manually activate their account, and add them to the correct project.
* An administrator must use the XNAT admin user to manually activate their account, and add them to the correct project.
### Adding a new data subject
......@@ -66,12 +94,12 @@ usage: create_subject.py [-h] label project
create_subject.py: error: the following arguments are required: label, project
```
### Other Applications
### Browser Applications
You should now be able to access the following applications and login with keycloak:
* `snet-asclepios-editor` at `http://<YOUR_IP_ADDRESS_HERE>:8080/sn-editor`
* `snet-asclepios-search` at `http://<YOUR_IP_ADDRESS_HERE>:8080/asclepios-search`
* `snet-asclepios-editor` at `$XNAT_BASE_URL/sn-editor`
* `snet-asclepios-search` at `$XNAT_BASE_URL/asclepios-search`
### Run tests
......
#!/bin/sh
find docker-compose/ -name *.yml -exec docker-compose --env-file=.env -f {} up -d \;
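Review bot: The `*.yml` pattern on the `find` line is unquoted, so if a `.yml` file ever exists in the directory the script is run from the shell expands it before `find` sees it and the command fails or matches the wrong name; it should be `-name '*.yml'`. A failing `docker-compose ... up` inside `-exec ... \;` also does not change `find`'s exit status, so a partially started stack still exits 0. A plain loop gives both: `for f in docker-compose/*.yml; do` / `  docker-compose --env-file=.env -f "$f" up -d || exit 1` / `done`.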
#!/bin/sh
set -o nounset
set -o pipefail
# If something goes wrong, this script does not run forever but times out
TIMEOUT_SECONDS=300
# Logfile for the keycloak export instance
LOGFILE=/tmp/standalone.sh.log
# destionation export file
JSON_EXPORT_FILE=/tmp/realms-export-single-file.json
JSON_EXPORT_FILE=/tmp/keycloak-realms-export.json
rm -f ${LOGFILE} ${JSON_EXPORT_FILE}
......
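Review bot: `set -o pipefail` on the line after `set -o nounset` is not accepted by every `/bin/sh` (older dash and busybox ash reject it as an illegal option, and because `set` is a special builtin the script aborts right there), so either the shebang should become `#!/bin/bash` or the option should be dropped and pipeline failures checked explicitly. The log and export paths `/tmp/standalone.sh.log` and `/tmp/keycloak-realms-export.json` are fixed, well-known names that are `rm -f`'d and then rewritten; where `/tmp` is shared with other users a symlink re-created between the `rm -f` and the write is followed, so `LOGFILE=$(mktemp /tmp/standalone.sh.XXXXXX)`-style creation is safer - if this only ever runs inside the keycloak container the exposure is smaller, but that is not visible here. The rest of the script lies outside the shown hunk.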
#!/bin/sh
set -eu
SERVICE_NAME=$1
KEYSTORE_PASSWORD=$2
COMMON_TRUSTSTORE_PASS=$3
BASEDIR=$4
KEY_ALIAS=${SERVICE_NAME}
DNAME="CN=$SERVICE_NAME,OU=Information Management Unit (IMU),O=Institute of Communication and Computer Systems (ICCS),L=Athens,ST=Attika,C=GR"
SAN="dns:$SERVICE_NAME,dns:localhost,ip:127.0.0.1"
KEY_ALG=RSA
KEY_SIZE=2048
VALIDITY=3650
SERVICEDIR=$BASEDIR/$SERVICE_NAME
CERTIFICATE_FILE=$SERVICEDIR/$SERVICE_NAME.crt
KEYSTORE_FILE=$SERVICEDIR/$SERVICE_NAME-keystore.p12
KEYSTORE_PASS=${KEYSTORE_PASSWORD}
KEYSTORE_TYPE=PKCS12
TRUSTSTORE_FILE=$SERVICEDIR/$SERVICE_NAME-truststore.p12
TRUSTSTORE_PASS=${KEYSTORE_PASSWORD}
TRUSTSTORE_TYPE=PKCS12
COMMONDIR=$BASEDIR/common
COMMON_TRUSTSTORE_FILE=$COMMONDIR/common-truststore.p12
COMMON_TRUSTSTORE_TYPE=PKCS12
mkdir -p $SERVICEDIR $COMMONDIR
if [ -f "$KEYSTORE_FILE" ]; then
echo "$KEYSTORE_FILE exists. doing nothing..."
else
echo "generating $SERVICE_NAME keystore..."
keytool -genkey -alias $KEY_ALIAS -keyalg $KEY_ALG -keysize $KEY_SIZE -storetype $KEYSTORE_TYPE -storepass $KEYSTORE_PASS -dname "$DNAME" -ext "SAN=$SAN" -keystore $KEYSTORE_FILE -startdate -1d -validity $VALIDITY
echo "exporting $SERVICE_NAME certificate..."
keytool -export -storetype PKCS12 -keystore $KEYSTORE_FILE -storepass $KEYSTORE_PASS -alias $KEY_ALIAS -file $CERTIFICATE_FILE
echo "generating $SERVICE_NAME Truststore..."
keytool -importcert -alias $KEY_ALIAS -file $CERTIFICATE_FILE -storetype $TRUSTSTORE_TYPE -keystore $TRUSTSTORE_FILE -storepass $TRUSTSTORE_PASS -noprompt
echo "appending $SERVICE_NAME to common truststore..."
keytool -importcert -alias $KEY_ALIAS -file $CERTIFICATE_FILE -storetype $COMMON_TRUSTSTORE_TYPE -keystore $COMMON_TRUSTSTORE_FILE -storepass $COMMON_TRUSTSTORE_PASS -noprompt
fi
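Review bot: The keystore and truststore passwords are handed to every `keytool` call as plain `-storepass $KEYSTORE_PASS` / `-storepass $COMMON_TRUSTSTORE_PASS` arguments, which makes them visible to any other process on the host via the process list for the duration of each call; keytool accepts `-storepass:env VAR` so the values can be passed through exported variables instead (the script's own argv still carries them from `$2`/`$3`, which only the caller, not shown here, can change). Every path and value expansion in the `mkdir` and `keytool` lines is also unquoted, so a `BASEDIR` or `DNAME`-style argument containing whitespace breaks the commands under `set -eu`. Note too that the "exists, doing nothing" branch skips the common-truststore import, so a regenerated common truststore does not pick up services whose per-service keystore already exists; that may be intended, but a comment saying so would help.
```sh
# … unchanged: argument, path and constant assignments …
export KEYSTORE_PASS TRUSTSTORE_PASS COMMON_TRUSTSTORE_PASS
mkdir -p "$SERVICEDIR" "$COMMONDIR"
if [ -f "$KEYSTORE_FILE" ]; then
  echo "$KEYSTORE_FILE exists. doing nothing..."
else
  echo "generating $SERVICE_NAME keystore..."
  keytool -genkey -alias "$KEY_ALIAS" -keyalg "$KEY_ALG" -keysize "$KEY_SIZE" -storetype "$KEYSTORE_TYPE" \
    -storepass:env KEYSTORE_PASS -dname "$DNAME" -ext "SAN=$SAN" -keystore "$KEYSTORE_FILE" \
    -startdate -1d -validity "$VALIDITY"
  echo "exporting $SERVICE_NAME certificate..."
  keytool -export -storetype PKCS12 -keystore "$KEYSTORE_FILE" -storepass:env KEYSTORE_PASS \
    -alias "$KEY_ALIAS" -file "$CERTIFICATE_FILE"
  echo "generating $SERVICE_NAME Truststore..."
  keytool -importcert -alias "$KEY_ALIAS" -file "$CERTIFICATE_FILE" -storetype "$TRUSTSTORE_TYPE" \
    -keystore "$TRUSTSTORE_FILE" -storepass:env TRUSTSTORE_PASS -noprompt
  echo "appending $SERVICE_NAME to common truststore..."
  keytool -importcert -alias "$KEY_ALIAS" -file "$CERTIFICATE_FILE" -storetype "$COMMON_TRUSTSTORE_TYPE" \
    -keystore "$COMMON_TRUSTSTORE_FILE" -storepass:env COMMON_TRUSTSTORE_PASS -noprompt
fi
```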
#!/bin/sh
SERVICE_NAME=$1
KEYSTORE_PASSWORD=$2
KEY_ALIAS=${SERVICE_NAME}
KEY_ALG=RSA
KEY_SIZE=2048
DNAME="CN=$SERVICE_NAME,OU=Information Management Unit (IMU),O=Institute of Communication and Computer Systems (ICCS),L=Athens,ST=Attika,C=GR"
SAN="dns:$SERVICE_NAME,dns:localhost,ip:127.0.0.1"
VALIDITY=3650
BASEDIR=/mnt/certs
SERVICEDIR=$BASEDIR/$SERVICE_NAME
CERTIFICATE_FILE=$SERVICEDIR/$SERVICE_NAME.crt
KEYSTORE_FILE=$SERVICEDIR/$SERVICE_NAME-keystore.p12
KEYSTORE_PASS=${KEYSTORE_PASSWORD}
KEYSTORE_TYPE=PKCS12
TRUSTSTORE_FILE=$SERVICEDIR/$SERVICE_NAME-truststore.p12
TRUSTSTORE_PASS=${KEYSTORE_PASSWORD}
TRUSTSTORE_TYPE=PKCS12
COMMON_TRUSTSTORE_FILE=$BASEDIR/common/common-truststore.p12
COMMON_TRUSTSTORE_PASS=$3
COMMON_TRUSTSTORE_TYPE=PKCS12
#echo SERVICE_NAME: $SERVICE_NAME
#echo KEYSTORE_PASSWORD: $KEYSTORE_PASSWORD
#echo KEY_ALIAS: $KEY_ALIAS
#echo KEY_ALG: $KEY_ALG
#echo KEY_SIZE: $KEY_SIZE
#echo DNAME: $DNAME
#echo SAN: $SAN
#echo VALIDITY: $VALIDITY
#echo BASEDIR: $BASEDIR
#echo CERTIFICATE_FILE: $CERTIFICATE_FILE
#echo KEYSTORE_FILE: $KEYSTORE_FILE
#echo KEYSTORE_PASS: $KEYSTORE_PASS
#echo KEYSTORE_TYPE: $KEYSTORE_TYPE
#echo TRUSTSTORE_FILE: $TRUSTSTORE_FILE
#echo TRUSTSTORE_PASS: $TRUSTSTORE_PASS
#echo TRUSTSTORE_TYPE: $TRUSTSTORE_TYPE
#echo COMMON_TRUSTSTORE_FILE: $COMMON_TRUSTSTORE_FILE
#echo COMMON_TRUSTSTORE_PASS: $COMMON_TRUSTSTORE_PASS
#echo COMMON_TRUSTSTORE_TYPE: $COMMON_TRUSTSTORE_TYPE
echo "--------------------------------------------------------"
echo "Generating $SERVICE_NAME Keystore..."
mkdir -p $SERVICEDIR
rm -rf $SERVICEDIR/*
keytool -genkey -alias $KEY_ALIAS -keyalg $KEY_ALG -keysize $KEY_SIZE -storetype $KEYSTORE_TYPE -storepass $KEYSTORE_PASS -dname "$DNAME" -ext "SAN=$SAN" -keystore $KEYSTORE_FILE -startdate -1d -validity $VALIDITY
echo "Exporting $SERVICE_NAME Certificate..."
keytool -export -storetype PKCS12 -keystore $KEYSTORE_FILE -storepass $KEYSTORE_PASS -alias $KEY_ALIAS -file $CERTIFICATE_FILE
echo "Generating $SERVICE_NAME Truststore..."
keytool -importcert -alias $KEY_ALIAS -file $CERTIFICATE_FILE -storetype $TRUSTSTORE_TYPE -keystore $TRUSTSTORE_FILE -storepass $TRUSTSTORE_PASS -noprompt
echo "Appending $SERVICE_NAME to Common Truststore..."
keytool -importcert -alias $KEY_ALIAS -file $CERTIFICATE_FILE -storetype $COMMON_TRUSTSTORE_TYPE -keystore $COMMON_TRUSTSTORE_FILE -storepass $COMMON_TRUSTSTORE_PASS -noprompt
touch $SERVICEDIR/.ready
echo "done"
echo "--------------------------------------------------------"