Merge pull request #72 from International-Data-Spaces-Association/feature/57_using_docker_compose

Switch to docker-compose using IDS-testbed CA certificates

Author: jfernandezsqs

.env

@@ -0,0 +1,56 @@
+COMPOSE_PROJECT_NAME=testbed
+
+# Valid values include "development" and "production"
+# "production" requires TLS certificates! (See below)
+# Set the protocol to https when changing this
+OMEJDN_ENVIRONMENT="development"
+OMEJDN_PROTOCOL="http"
+
+# Options for Omejdn itself
+# -------------------------
+
+# The docker version to pull
+OMEJDN_VERSION="1.6.0"
+
+# Your domain (e.g. sso.example.org)
+OMEJDN_DOMAIN="omejdn"
+
+# The path to mount Omejdn at.
+# This should start but not end with '/'.
+# Can be used for versioning if there are several versions (e.g. '/v3')
+OMEJDN_PATH="/auth"
+
+# Note that when you change the issuer identifier,
+# you will need to edit the NginX config to ensure that
+# the well-known server metadata endpoint for your new
+# identifier points to Omejdn's
+# /.well-known/oauth-authorization-server endpoint.
+# See RFC 8414 for more information
+OMEJDN_ISSUER="${OMEJDN_PROTOCOL}://${OMEJDN_DOMAIN}${OMEJDN_PATH}"
+
+# Admin account
+# CHANGE THE PASSWORD, or we will "hack" you
+ADMIN_USERNAME="admin"
+ADMIN_PASSWORD="password"
+
+# Options for the Admin Web UI
+# ----------------------------
+
+# The docker version to pull
+UI_VERSION="dev"
+
+# The path to mount the UI at.
+# This should never end in '/' and should not be equal to
+# the path of omejdn above. Edit the NginX config if you
+# really need them to be equal.
+UI_PATH=""
+
+# TLS settings for production
+# ---------------------------
+
+# These are necessary for production setups
+# You may want to consider getting a certificate from
+# a widely trusted certificate authority.
+TLS_KEY="${PWD}/dummy.key"
+TLS_CERT="${PWD}/dummy.cert"
+

DAPS/config/clients.yml

@@ -0,0 +1,55 @@
+---
+- client_id: 66:07:ED:E5:80:E4:29:6D:1E:DD:F7:43:CA:0E:EB:38:32:C8:3A:43:keyid:07:FC:95:17:C4:95:B9:E4:AD:09:5F:07:1E:D2:20:75:2D:89:66:85
+  client_name: testbed1
+  grant_types: client_credentials
+  token_endpoint_auth_method: private_key_jwt
+  scope: idsc:IDS_CONNECTOR_ATTRIBUTES_ALL
+  attributes:
+  - key: idsc
+    value: IDS_CONNECTOR_ATTRIBUTES_ALL
+  - key: securityProfile
+    value: idsc:BASE_SECURITY_PROFILE
+  - key: referringConnector
+    value: http://testbed1.demo
+  - key: "@type"
+    value: ids:DatPayload
+  - key: "@context"
+    value: https://w3id.org/idsa/contexts/context.jsonld
+  - key: transportCertsSha256
+    value: a1da7cfeac22ddffa4ebbe67b323d9af1c05e9d92a9d3dfbc098f6c45609caa9
+- client_id: 4B:4A:0E:81:99:6A:19:B9:3A:04:37:B6:7C:86:83:17:19:5A:6E:68:keyid:07:FC:95:17:C4:95:B9:E4:AD:09:5F:07:1E:D2:20:75:2D:89:66:85
+  client_name: testbed2
+  grant_types: client_credentials
+  token_endpoint_auth_method: private_key_jwt
+  scope: idsc:IDS_CONNECTOR_ATTRIBUTES_ALL
+  attributes:
+  - key: idsc
+    value: IDS_CONNECTOR_ATTRIBUTES_ALL
+  - key: securityProfile
+    value: idsc:BASE_SECURITY_PROFILE
+  - key: referringConnector
+    value: http://testbed2.demo
+  - key: "@type"
+    value: ids:DatPayload
+  - key: "@context"
+    value: https://w3id.org/idsa/contexts/context.jsonld
+  - key: transportCertsSha256
+    value: cf0dd49a552008eacd0b82cbf7850cbaacbf9c2a8942e542801db9bf4c2f0f5a
+- client_id: B7:6D:DD:B3:FD:6E:41:52:A8:89:95:B0:0D:8E:4C:BA:0A:1F:72:FD:keyid:07:FC:95:17:C4:95:B9:E4:AD:09:5F:07:1E:D2:20:75:2D:89:66:85
+  client_name: testbed3
+  grant_types: client_credentials
+  token_endpoint_auth_method: private_key_jwt
+  scope: idsc:IDS_CONNECTOR_ATTRIBUTES_ALL
+  attributes:
+  - key: idsc
+    value: IDS_CONNECTOR_ATTRIBUTES_ALL
+  - key: securityProfile
+    value: idsc:BASE_SECURITY_PROFILE
+  - key: referringConnector
+    value: http://testbed3.demo
+  - key: "@type"
+    value: ids:DatPayload
+  - key: "@context"
+    value: https://w3id.org/idsa/contexts/context.jsonld
+  - key: transportCertsSha256
+    value: 0d9eb3600540532c69c7345e7ab04e0f420434b693e26e415783875a93e9fc4b

DAPS/config/oauth_providers.yml

@@ -0,0 +1,14 @@
+## You may configure additional OAuth Providers as follows
+#- name: 'Some OAuth Provider'
+#  redirect_uri: 'http://localhost:4567/oauth_cb?provider=BFH'
+#  client_id: 'our_client_id'
+#  client_secret: 'our_secret'
+#  scopes:
+#    - 'email'
+#    - 'profile'
+#    - 'openid'
+#  external_userid: 'nickname'
+#  authorization_endpoint: 'https://authorize'
+#  token_endpoint: 'https://token'
+#  userinfo_endpoint: 'https://userinfo'
+# response_type: 'code'

DAPS/config/omejdn.yml

@@ -0,0 +1,29 @@
+---
+plugins:
+  user_db:
+    yaml:
+      location: config/users.yml
+  claim_mapper:
+    attribute:
+      skip_access_token: false
+      skip_id_token: true
+  api:
+    admin_v1: 
+    user_selfservice_v1:
+      allow_deletion: false
+      allow_password_change: true
+      editable_attributes: []
+user_backend_default: yaml
+environment: development
+issuer: http://omejdn/auth
+front_url: http://omejdn/auth
+bind_to: 0.0.0.0:4567
+openid: true
+default_audience: idsc:IDS_CONNECTORS_ALL
+accept_audience: idsc:IDS_CONNECTORS_ALL
+access_token:
+  expiration: 3600
+  algorithm: RS256
+id_token:
+  expiration: 3600
+  algorithm: RS256

OmejdnDAPS/config/scope_description.yml DAPS/config/scope_description.ymlOmejdnDAPS/config/scope_description.yml renamed to DAPS/config/scope_description.yml

@@ -1,6 +1,9 @@
+# Human readable descriptions for each scope.
+# These are shown to a user before authorizing a client
 profile: "Standard profile claims (e.g.: Name, picture, website, gender, birthdate, location)"
 email: "Email-Address"
 address: "Address"
 phone: "Phone-number"
-omejdn:api: "Access to the Omejdn server API"
+omejdn:read: "Read access to the Omejdn server API"
+omejdn:write: "Write access to the Omejdn server API"
 omejdn:admin: "Access to the Omejdn server admin API"

DAPS/config/scope_mapping.yml

@@ -0,0 +1,8 @@
+# Necessary IDS Claims to issue a DAT
+idsc:IDS_CONNECTOR_ATTRIBUTES_ALL:
+  - securityProfile
+  - referringConnector
+  - "@type"
+  - "@context"
+  - transportCertsSha256
+

DAPS/config/users.yml

@@ -0,0 +1,6 @@
+---
+- username: admin
+  attributes:
+  - key: omejdn
+    value: admin
+  password: "$2a$12$gigRDsS9jyjC/Kzgr1st6eoUb8RVofYXYmrz2ISsGdpddn8quIVwq"

DAPS/config/webfinger.yml

@@ -0,0 +1,5 @@
+---
+# Define a webfinger here
+#localhost.com:
+#  name: test
+#  website: http://localhost:4567

DAPS/keys/clients/.gitignore

@@ -0,0 +1 @@
+#*.cert

DAPS/keys/clients/NEI6NEE6MEU6ODE6OTk6NkE6MTk6Qjk6M0E6MDQ6Mzc6QjY6N0M6ODY6ODM6MTc6MTk6NUE6NkU6Njg6a2V5aWQ6MDc6RkM6OTU6MTc6QzQ6OTU6Qjk6RTQ6QUQ6MDk6NUY6MDc6MUU6RDI6MjA6NzU6MkQ6ODk6NjY6ODU=.cert

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC8jCCAnegAwIBAgIBAjAKBggqhkjOPQQDAjBNMQswCQYDVQQGEwJFUzEMMAoG
+A1UECgwDU1FTMRAwDgYDVQQLDAdUZXN0TGFiMR4wHAYDVQQDDBVSZWZlcmVuY2VU
+ZXN0YmVkU3ViQ0EwHhcNMjExMTI0MTEwNzEzWhcNMjQxMTIzMTEwNzEzWjBAMQsw
+CQYDVQQGEwJFUzEMMAoGA1UECgwDU1FTMRAwDgYDVQQLDAdUZXN0TGFiMREwDwYD
+VQQDDAh0ZXN0YmVkMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMUc
+m93i+OU/PYTfU9yfSDV8aQ/6G1DFMsoDLBzwpzc1JM/aNanSUYA5gf4yS6QS1Yjz
+N9x94lOOYePoOdSoUrXq4vbQAYBMEzL7f0yvKuXMFcQOAANZmpl0nykWI5gA9U2g
+Av8covr8affFE/hGzZOsNd8vWcmZvEv4WXkBMyawnyvcTHCtPQ+tvoS/IK2Gsh+x
+ZhqEDRFMqEKBaU7wW7pjXka5DietU9lMU+mI2hk0866753B+Q4arDFKxdWxBADgB
+LSs1GZU4IwyTcnPgxHt1YMpiA6/KDrrlO0Wk0AJpHXou9TDfNxZo9/ZMgH2zLzqq
+LjwLMCztsYvOMYS02x0CAwEAAaOBiTCBhjAMBgNVHRMBAf8EAjAAMCAGA1UdJQEB
+/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCA6gwIAYDVR0O
+AQH/BBYEFEtKDoGZahm5OgQ3tnyGgxcZWm5oMCIGA1UdIwEB/wQYMBaAFAf8lRfE
+lbnkrQlfBx7SIHUtiWaFMAoGCCqGSM49BAMCA2kAMGYCMQC/ccMjGhmNzaqM+7Ia
+XjhvHgrpvYrZuUVyJ2bw1IjCFxi8RCejZOUW+HwVHl3lpH4CMQCWd5M99qLgYiqE
+/9qJhlTbLTbomiXAwGaZVPlynZ1KgmAJIIeWn9OYybG/4ldTfUg=
+-----END CERTIFICATE-----