diff --git a/.github/workflows/build-and-test-docker.yml b/.github/workflows/build-and-test-docker.yml
new file mode 100644
index 00000000..54aba14a
--- /dev/null
+++ b/.github/workflows/build-and-test-docker.yml
@@ -0,0 +1,18 @@
+name: Docker Image CI
+
+on:
+ push:
+ branches: [ master, dev ]
+ pull_request:
+ branches: [ master, dev ]
+
+jobs:
+
+ build:
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+ - name: Build the Docker image
+ run: docker build . --file docker/fedservice.Dockerfile --tag fedservice:$(date +%s)
diff --git a/.github/workflows/python-app.yml b/.github/workflows/python-app.yml
index 6935e2ae..692fdbe7 100644
--- a/.github/workflows/python-app.yml
+++ b/.github/workflows/python-app.yml
@@ -18,9 +18,12 @@ jobs:
 fail-fast: false
 matrix:
 python-version:
- - '3.7'
 - '3.8'
 - '3.9'
+ - '3.10'
+ - '3.11'
+ - '3.12'
+ - '3.13-dev'
 steps:
 - uses: actions/checkout@v2
diff --git a/dc4eu_federation/bootstrap-dockers.sh b/dc4eu_federation/bootstrap-dockers.sh
new file mode 100755
index 00000000..aa7ed2d5
--- /dev/null
+++ b/dc4eu_federation/bootstrap-dockers.sh
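Review bot: The new build-and-test-docker.yml workflow declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope although its only token-using step is the checkout. A top-level `permissions:` entry with `contents: read` pins the job to read-only access, which is all the build step needs, and keeps a compromised build from writing back to the repo. The python-app.yml matrix hunk on the same line still checks out with `actions/checkout@v2` while this workflow uses `@v4`; aligning them is worth a follow-up, since the v2 action runs on a Node runtime GitHub has marked deprecated.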
@@ -0,0 +1,88 @@
+#!/usr/bin/env bash
+set -eo pipefail
+DOMAIN="${DOMAIN:-$(hostname -f)}"
+TRUST_ANCHOR="https://${DOMAIN}:7001"
+TRUST_MARK_ISSUER="https://${DOMAIN}:6001"
+WALLET_PROVIDER="https://${DOMAIN}:5001"
+
+# Get Trust Anchor
+#
+docker_args="run --rm -i -v .:/workdir --entrypoint python3 docker.sunet.se/fedservice:latest fedservice/dc4eu_federation"
+docker $docker_args/get_info.py -k -t $TRUST_ANCHOR > trust_anchor.json
+
+# Add Anchor to Trust Mark Issuer
+docker ${docker_args}/add_info.py -s /workdir/trust_anchor.json -t /workdir/trust_mark_issuer/trust_anchors
+rm -r trust_mark_issuer/authority_hints
+echo -e "${TRUST_ANCHOR}" >> trust_mark_issuer/authority_hints
+
+#./entity.py trust_mark_issuer &
+#sleep 2
+#
+docker ${docker_args}/get_info.py -k -s "${TRUST_MARK_ISSUER}" > trust_mark_issuer.json
+docker ${docker_args}/add_info.py -s /workdir/trust_mark_issuer.json -t workdir/trust_anchor/subordinates
+
+#FIXME: Special stuff here to get the paths right
+docker run --rm -i -v .:/workdir -v ./trust_mark_issuer:/trust_mark_issuer --entrypoint python3 docker.sunet.se/fedservice:latest fedservice/dc4eu_federation/issuer.py /trust_mark_issuer > trust_mark_issuers.json
+docker ${docker_args}/add_info.py -s workdir/trust_mark_issuers.json -t workdir/trust_anchor/trust_mark_issuers
+#
+## Wallet Provider
+docker ${docker_args}/add_info.py -s workdir/trust_anchor.json -t workdir/wallet_provider/trust_anchors
+rm -r wallet_provider/authority_hints
+echo -e "${TRUST_ANCHOR}" >> wallet_provider/authority_hints
+#
+#./entity.py wallet_provider &
+#sleep 2
+#
+docker ${docker_args}/get_info.py -k -s ${WALLET_PROVIDER} > wallet_provider.json
+docker ${docker_args}/add_info.py -s /workdir/wallet_provider.json -t workdir/trust_anchor/subordinates
+if [ ! -d flask_wallet/trust_anchors ]; then
+ mkdir flask_wallet/trust_anchors
+fi
+cp -a wallet_provider/trust_anchors/* flask_wallet/trust_anchors/
+echo "Place this into oidc_frontend.yaml. 
Add below:"
+echo "config: "
+echo " op: "
+echo " server_info: "
+echo " trust_anchors:"
+docker ${docker_args}/convert_json_to_yaml.py workdir/trust_anchor.json
+
+echo "Also add authority_hints:"
+echo " - ${TRUST_ANCHOR} "
+
+echo "Also add trust_marks:"
+echo " "
+docker run --rm -ti -v .:/workdir --entrypoint bash docker.sunet.se/fedservice:latest -c "cd workdir;/fedservice/dc4eu_federation/create_trust_mark.py -m http://dc4eu.example.com/PersonIdentificationData/se -d trust_mark_issuer -e $1"
+cat << EOF
+On Satosa, copy /etc/satosa/public/pid_fed_keys.json and add to
+{
+ "$1": {
+ "entity_types": [
+ "federation_entity",
+ "openid_credential_issuer",
+ "oauth_authorization_server"
+ ],
+ "jwks": {
+EOF
+
+echo "docker ${docker_args}/add_info.py -s /workdir/ci.json -t workdir/trust_anchor/subordinates"
+## Query Server
+#./add_info.py -s trust_anchor.json -t query_server/trust_anchors
+#rm -r query_server/authority_hints
+#echo -e "https://127.0.0.1:7003" >> query_server/authority_hints
+#
+#./entity.py query_server &
+#sleep 2
+#
+#./get_info.py -k -s https://127.0.0.1:6005 > tmp.json
+#./add_info.py -s tmp.json -t trust_anchor/subordinates
+
+## PID Issuer
+#./add_info.py -s trust_anchor.json -t pid_issuer/trust_anchors
+#rm -r pid_issuer/authority_hints
+#echo -e "https://127.0.0.1:7003" >> pid_issuer/authority_hints
+#
+#./entity.py pid_issuer &
+#sleep 2
+#
+#./get_info.py -k -s https://127.0.0.1:6001 > tmp.json
+#./add_info.py -s tmp.json -t trust_anchor/subordinates
diff --git a/dc4eu_federation/convert_json_to_yaml.py b/dc4eu_federation/convert_json_to_yaml.py
new file mode 100755
index 00000000..9db61b47
--- /dev/null
+++ b/dc4eu_federation/convert_json_to_yaml.py
@@ -0,0 +1,9 @@
+#!/usr/bin/env python3
+import json
+import sys
+
+import yaml
+
+fp = open(sys.argv[1], "r")
+_dict = json.load(fp)
+print(yaml.dump(_dict))
diff --git a/dc4eu_federation/entity.py b/dc4eu_federation/entity.py
index 14a5bc67..8a6b55a8 100755
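Review bot: `$1` is used unquoted and unchecked at the `create_trust_mark.py ... -e $1` call and inside the heredoc near the end of bootstrap-dockers.sh, long after the script has already run `rm -r` on the two authority_hints files, so a missing entity id only shows up once the earlier steps are done; `set -u` is not enabled, so an empty argument passes silently into `-e`. Add `: "${1:?usage: $0 <entity_id>}"` right after `set -eo pipefail` and quote it as `"$1"` where used. The same hunk mixes `/workdir/...` and `workdir/...` paths for the add_info.py targets (the `#FIXME` line acknowledges it), which only resolves correctly if the container's working directory happens to be `/`; using the absolute form throughout removes that dependency. The last `docker run --rm -ti ... -c "..."` allocates a TTY, which fails when the script is run without a terminal such as from CI; `-i` alone is enough for a one-shot command. The `-k` flag passed to get_info.py is not defined in this diff, but if it disables TLS verification as its curl-style name suggests, the trust anchor metadata fetched at bootstrap is unauthenticated and that deserves at least a comment next to the call.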
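Review bot: `fp = open(sys.argv[1], "r")` in convert_json_to_yaml.py is never closed and there is no argument check, so a missing argument dies with an IndexError traceback instead of a usage line; a context manager handles the first, `with open(sys.argv[1], encoding="utf-8") as fp:` followed by `print(yaml.dump(json.load(fp)))`. `yaml.dump` sorts mapping keys by default, so the emitted snippet will not preserve the key order of the input JSON; pass `sort_keys=False` if the order matters to whoever pastes it into oidc_frontend.yaml, which is what the bootstrap script uses it for. `yaml` is a third-party package and does not appear in the requirements.docker hunk of this commit, so it is worth confirming the image gets it transitively.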
--- a/dc4eu_federation/entity.py
+++ b/dc4eu_federation/entity.py
@@ -44,14 +44,12 @@ def init_app(dir_name, **kwargs) -> Flask:
 if __name__ == "__main__":
 print(sys.argv)
 directory_name = sys.argv[1]
- template_dir = os.path.join(directory_name, 'templates')
- app = init_app(directory_name, template_folder=template_dir)
+ app = init_app(directory_name)
 if "logging" in app.cnf:
 configure_logging(config=app.cnf["logging"])
 _web_conf = app.cnf["webserver"]
 if os.environ.get('FEDSERVICE_WEBCERT_KEY'):
 _web_conf['server_key'] = os.environ.get('FEDSERVICE_WEBCERT_KEY')
- _web_conf['server_chain'] = os.environ.get('FEDSERVICE_WEBCERT_CHAIN')
 _web_conf['server_cert'] = os.environ.get('FEDSERVICE_WEBCERT_CERT')
 context = create_context(dir_path, _web_conf)
 _cert = "{}/{}".format(dir_path, lower_or_upper(_web_conf, "server_cert"))
diff --git a/docker/build.sh b/docker/build.sh
index 70b52871..46f6d8d4 100755
--- a/docker/build.sh
+++ b/docker/build.sh
@@ -1,2 +1,17 @@
 #!/bin/bash
+set -eo pipefail
+git clone --no-checkout --depth 1 --sparse --filter=blob:none https://github.com/rohe/satosa-openid4vci
+pushd satosa-openid4vci
+git sparse-checkout init --cone
+git sparse-checkout add example/flask_wallet/
+git checkout main
+cp -a example/flask_wallet ../../dc4eu_federation
+popd
+rm -rf satosa-openid4vci
+pushd ../dc4eu_federation/flask_wallet
+mv templates templates.orig
+mv templates_simplified templates
+mv conf_simplified.json conf.json
+#mv views_simplified.py views.py
+popd
 docker build -t fedservice -f ./fedservice.Dockerfile .. --no-cache
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index 111cae01..af9e18b5 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
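Review bot: With `server_chain` no longer read from the environment, `FEDSERVICE_WEBCERT_CERT` has to point at a file holding the leaf certificate followed by its chain (the compose change in this commit mounts `cert+chain.pem` for exactly that), but nothing in entity.py says so; a comment above the `if os.environ.get('FEDSERVICE_WEBCERT_KEY'):` branch such as `# FEDSERVICE_WEBCERT_CERT must contain the leaf cert plus its chain; no separate chain file is read` would stop the next deployment from pointing it at a bare certificate. The branch is keyed only on `FEDSERVICE_WEBCERT_KEY`, so when the key is set but `FEDSERVICE_WEBCERT_CERT` is not, `server_cert` is set to `None` and the `_cert` path built two lines later presumably ends in `/None`; checking both variables, `if os.environ.get('FEDSERVICE_WEBCERT_KEY') and os.environ.get('FEDSERVICE_WEBCERT_CERT'):`, or failing loudly on the half-set case, is safer than the silent None. The `if __name__ == "__main__":` block continues past the end of the hunk.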
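Review bot: The `git clone ... rohe/satosa-openid4vci` followed by `git checkout main` in build.sh copies whatever that branch holds at build time into `dc4eu_federation/flask_wallet` and from there into the image, so the build is not reproducible and a change pushed to that branch lands in the image without review; pin it with `git checkout <commit-sha>` and record the sha next to it. The same commit moves the Python dependencies in requirements.docker from `rohe/` to `SUNET/` forks while this clone still uses `rohe/`, which is worth confirming as intentional. The script also assumes it runs from the `docker/` directory (`../../dc4eu_federation`, `../dc4eu_federation/flask_wallet`), so a `cd "$(dirname "$0")"` after `set -eo pipefail` would make that explicit, and a `satosa-openid4vci` directory left over from an aborted run makes the clone fail under `set -e` because the `rm -rf` only happens afterwards.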
@@ -5,11 +5,10 @@ services:
 ports:
 - "5001:5001"
 environment:
- FEDSERVICE_ENTITYID: https://example.com:5001
+ FEDSERVICE_ENTITYID: https://${DOMAIN:-localhost}:5001
 FEDSERVICE_WEBCERT_KEY: /certs/privkey.pem
- FEDSERVICE_WEBCERT_CHAIN: /certs/chain.pem
- FEDSERVICE_WEBCERT_CERT: /certs/cert.pem
- FEDSERVICE_SECRET_KEY: 12345678909987654321
+ FEDSERVICE_WEBCERT_CERT: /certs/cert+chain.pem
+ FEDSERVICE_SECRET_KEY: A2345678909987654321
 FEDSERVICE_DEBUG: true
 FEDSERVICE_PORT: 5001
 FEDSERVICE_BIND: 0.0.0.0
@@ -22,11 +21,10 @@ services:
 ports:
 - "6001:6001"
 environment:
- FEDSERVICE_ENTITYID: https://example.com:6001
+ FEDSERVICE_ENTITYID: https://${DOMAIN:-localhost}:6001
 FEDSERVICE_WEBCERT_KEY: /certs/privkey.pem
- FEDSERVICE_WEBCERT_CHAIN: /certs/chain.pem
- FEDSERVICE_WEBCERT_CERT: /certs/cert.pem
- FEDSERVICE_SECRET_KEY: 12345678909987654321
+ FEDSERVICE_WEBCERT_CERT: /certs/cert+chain.pem
+ FEDSERVICE_SECRET_KEY: B2345678909987654321
 FEDSERVICE_DEBUG: true
 FEDSERVICE_PORT: 6001
 FEDSERVICE_BIND: 0.0.0.0
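Review bot: The new `FEDSERVICE_SECRET_KEY` values in both hunks on this line (`A2345678909987654321`, `B2345678909987654321`) and the `C…`/`D…` ones in the trust_anchor/flask_wallet hunk of the same file are still static secrets committed to the repository, so giving each service a different one does not change that anyone with read access to the repo knows every service's key. Compose can take them from the environment or a git-ignored `.env` file instead, e.g. `FEDSERVICE_SECRET_KEY: ${WALLET_PROVIDER_SECRET_KEY:?set in .env}`, so the committed file contains no usable secret and a missing value fails at `docker compose up` rather than silently. `FEDSERVICE_DEBUG: true` is also left on for every service; what it enables is outside this diff, but if it maps to Flask's debug mode it should not be the default in a deployment compose file.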
@@ -39,31 +37,30 @@ services:
 ports:
 - "7001:7001"
 environment:
- FEDSERVICE_ENTITYID: https://example.com:7001
+ FEDSERVICE_ENTITYID: https://${DOMAIN:-localhost}:7001
 FEDSERVICE_WEBCERT_KEY: /certs/privkey.pem
- FEDSERVICE_WEBCERT_CHAIN: /certs/chain.pem
- FEDSERVICE_WEBCERT_CERT: /certs/cert.pem
- FEDSERVICE_SECRET_KEY: 12345678909987654321
+ FEDSERVICE_WEBCERT_CERT: /certs/cert+chain.pem
+ FEDSERVICE_SECRET_KEY: C12345678909987654321
 FEDSERVICE_DEBUG: true
 FEDSERVICE_PORT: 7001
 FEDSERVICE_BIND: 0.0.0.0
 volumes:
 - ./trust_anchor:/trust_anchor:rw
 - ./certificates:/certs:ro
-# flask_wallet:
-# image: fedservice
-# command: "flask_wallet"
-# ports:
-# - "5005:5005"
-# environment:
-# FEDSERVICE_ENTITYID: https://example.com:5005
-# FEDSERVICE_WEBCERT_KEY: /cert/privkey.pem
-# FEDSERVICE_WEBCERT_CHAIN: /cert/chain.pem
-# FEDSERVICE_SECRET_KEY: 12345678909987654321
-# FEDSERVICE_DEBUG: true
-# FEDSERVICE_PORT: 5005
-# FEDSERVICE_BIND: 0.0.0.0
-# volumes:
-# - ./flask_wallet:/flask_wallet:rw
-# - ./certificates:/certs:ro
+ flask_wallet:
+ image: fedservice
+ command: "flask_wallet"
+ ports:
+ - "5005:5005"
+ environment:
+ FEDSERVICE_ENTITYID: https://${DOMAIN:-localhost}:5005
+ FEDSERVICE_WEBCERT_KEY: /certs/privkey.pem
+ FEDSERVICE_WEBCERT_CERT: /certs/cert+chain.pem
+ FEDSERVICE_SECRET_KEY: D12345678909987654321
+ FEDSERVICE_DEBUG: true
+ FEDSERVICE_PORT: 5005
+ FEDSERVICE_BIND: 0.0.0.0
+ volumes:
+ - ./flask_wallet:/flask_wallet:rw
+ - ./certificates:/certs:ro
diff --git a/docker/fedservice.Dockerfile b/docker/fedservice.Dockerfile
index 5e075727..d00be961 100644
--- a/docker/fedservice.Dockerfile
+++ b/docker/fedservice.Dockerfile
@@ -8,7 +8,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 libffi-dev \
 libssl-dev \
 xmlsec1 \
- libyaml-dev
+ libyaml-dev \
+ jq
 RUN pip3 install --upgrade pip setuptools
 COPY . /fedservice
 RUN pip3 install -r fedservice/docker/requirements.docker
diff --git a/docker/requirements.docker b/docker/requirements.docker
index dbfb91b0..5ae0c5f7 100644
--- a/docker/requirements.docker
+++ b/docker/requirements.docker
@@ -1,4 +1,4 @@
--e git+https://github.com/IdentityPython/idpy-oidc.git@issuer_metadata#egg=idpyoidc
--e git+https://github.com/rohe/openid4v.git#egg=openid4v
--e git+https://github.com/rohe/idpy-sdjwt.git#egg=idpysdjwt
+git+https://github.com/IdentityPython/idpy-oidc.git@issuer_metadata#egg=idpyoidc
+git+https://github.com/SUNET/openid4v.git#egg=openid4v
+git+https://github.com/SUNET/idpy-sdjwt.git#egg=idpysdjwt
 flask
diff --git a/docker/start.sh b/docker/start.sh
index d9b3118d..e169937f 100755
--- a/docker/start.sh
+++ b/docker/start.sh
@@ -1,13 +1,17 @@
 #!/bin/bash
+set -eo pipefail
 for file in conf.json views.py; do
- if [ ! -f /"${1}"/"${file}" ]; then
- echo "No ${file} found, copying to /${1}/"
- cp /fedservice/dc4eu_federation/"${1}"/"${file}" /"${1}"/
- else
- echo "${file} found, leaving alone. Beware when upgrading."
-
- fi
+ if [ -f /"${1}"/"${file}" ]; then
+ echo "${file} found, leaving alone. Beware when upgrading."
+ continue
+ fi
+ echo "No ${file} found, copying to /${1}/"
+ if [ $file = conf.json ]; then
+ jq --arg a "$FEDSERVICE_ENTITYID" ' .entity.entity_id = $a' /fedservice/dc4eu_federation/"${1}/${file}" > "${1}/${file}"
+ else
+ cp /fedservice/dc4eu_federation/"${1}/${file}" /"${1}"/
+ fi
 done
-echo "Starting $@."
+echo "Starting ${1}."
 /fedservice/dc4eu_federation/entity.py "$@"
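Review bot: All three `git+https://...` lines in requirements.docker now install from a moving ref: `@issuer_metadata` is a branch and the two SUNET forks name no ref at all, so every image build pulls whatever those branches hold at that moment and a push upstream lands in the image without review. Pin each line to a commit, e.g. `git+https://github.com/SUNET/openid4v.git@<commit-sha>#egg=openid4v`, and move the pin deliberately; the switch from `rohe/` to `SUNET/` is a good moment to do it since the provenance of these packages is changing anyway.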
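Review bot: The jq branch in start.sh writes to the relative path `"${1}/${file}"` while the new `if [ -f /"${1}"/"${file}" ]` check and the `cp` branch use the absolute `/"${1}"/`, so unless the container's working directory is `/` the generated conf.json lands elsewhere and the next start again finds nothing at `/${1}/`; the redirect should be `> /"${1}/${file}"`. Because `>` creates the target before jq runs, a jq failure (an unparsable source file, or `FEDSERVICE_ENTITYID` unset, which yields an empty `entity_id` rather than an error) leaves an empty or partial conf.json that the `-f` test then treats as a user-supplied file on every later start; writing to a temporary file and `mv`-ing it into place after jq succeeds, with `"${FEDSERVICE_ENTITYID:?}"` as the argument, avoids both. `[ $file = conf.json ]` works here only because the loop values contain no whitespace; quoting `"$file"` keeps it safe if the list grows.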