From decfbcb2b526cd50b624f25ee7f71e8186764cc3 Mon Sep 17 00:00:00 2001 From: "Mahesh.Binayak" Date: Mon, 5 Feb 2024 17:45:03 +0530 Subject: [PATCH] [Took selective changes from develop for release-1.2.0.1] --- .github/workflows/push-trigger.yml | 4 +- Dockerfile | 2 +- README.md | 8 +- certs/create-jwks.sh | 4 +- certs/create-signing-certs.sh | 11 +- default-auth-policy.json | 138 ++++++------- default-datashare-policy.json | 316 ++++++++++++++--------------- default.sh | 19 +- demo-oidc-policy.json | 119 +++++++++++ oidc-policy.json | 2 +- 10 files changed, 375 insertions(+), 248 deletions(-) create mode 100644 demo-oidc-policy.json diff --git a/.github/workflows/push-trigger.yml b/.github/workflows/push-trigger.yml index f58db50..4cce918 100644 --- a/.github/workflows/push-trigger.yml +++ b/.github/workflows/push-trigger.yml @@ -20,6 +20,8 @@ on: - 1.* - master - MOSIP* + + jobs: build-dockers: strategy: @@ -28,7 +30,7 @@ jobs: - SERVICE_LOCATION: './' SERVICE_NAME: 'partner-onboarder' fail-fast: false - name: ${{ matrix.SERVICE_NAME }} + name: ${{ matrix.SERVICE_NAME }} uses: mosip/kattu/.github/workflows/docker-build.yml@master with: SERVICE_LOCATION: ${{ matrix.SERVICE_LOCATION }} diff --git a/Dockerfile b/Dockerfile index 2ec695c..df0c47a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -60,4 +60,4 @@ ENV s3-bucket-name= ENV ns_mimoto= ENV ns_esignet= -ENTRYPOINT ["./entrypoint.sh"] +ENTRYPOINT ["./entrypoint.sh"] \ No newline at end of file diff --git a/README.md b/README.md index a9b7231..c196dd6 100644 --- a/README.md +++ b/README.md 
@@ -1,15 +1,17 @@ # Partner Onboarding Utils ## Overview -This repository contains Postman collection to onboard partners on to MOSIP. +This repository contains Postman collection to onboard partners on to MOSIP. * `run-onboard.sh`: Onboard any partner. -* `default.sh`: Onboard default partners that are required to run a sandbox. +* `default.sh`: Onboard default partners that are required to run a sandbox. ## Docker Docker to run `default.sh` is created to facilitate easy onboarding during installion. Refer `docker-build.sh` and `docker-run.sh`. Use this docker while installing MOSIP on Kubernetes. The docker runs an HTTP server to view the reports. Although this is a one-time job, the docker is run as Kubernetes Deployment with long sleep time set to review reports. If you restart the docker it will run the onboarding again. -The scripts assume a Keycloak client `mosip-deployment-client` with roles `GLOBAL_ADMIN`, `ID_AUTHENTICATION`, `PARTNER_ADMIN` is already created. +The scripts assume a Keycloak client `mosip-deployment-client` with roles `GLOBAL_ADMIN`, `ID_AUTHENTICATION`, `PARTNER_ADMIN` is already created. + +If the `ENABLE_INSECURE` environment variable is set to `true`, the script will proceed with downloading an SSL certificate and subsequently provide it for utilization in **Newman** collections and **curl** API calls during execution. This functionality is designed for scenarios where the script is required to be used on a server that possesses self-signed SSL certificates. ## License This project is licensed under the terms of [Mozilla Public License 2.0](LICENSE). diff --git a/certs/create-jwks.sh b/certs/create-jwks.sh index dcb811b..777573a 100644 --- a/certs/create-jwks.sh +++ b/certs/create-jwks.sh 
@@ -14,7 +14,7 @@ echo "AUTHMANAGER URL : $AUTHMANAGER_URL" echo "KEYMANAGER URL : $KEYMANAGER_URL" #echo "* Request for authorization" -curl -s -D - -o /dev/null -X "POST" \ +curl $ADD_SSL_CURL -s -D - -o /dev/null -X "POST" \ "$AUTHMANAGER_URL/v1/authmanager/authenticate/clientidsecretkey" \ -H "accept: */*" \ -H "Content-Type: application/json" \ @@ -40,7 +40,7 @@ fi echo -e "\nGot Authorization token from authmanager" -curl -X "GET" \ +curl $ADD_SSL_CURL -X "GET" \ -H "Accept: application/json" \ --cookie "Authorization=$TOKEN" \ "$KEYMANAGER_URL/v1/keymanager/getCertificate?applicationId=RESIDENT&referenceId=" > result.txt diff --git a/certs/create-signing-certs.sh b/certs/create-signing-certs.sh index 7b1f17d..f838942 100644 --- a/certs/create-signing-certs.sh +++ b/certs/create-signing-certs.sh @@ -17,10 +17,10 @@ path=$1 # orgnisation=$(prop 'partner-org-name') # email_id=$(prop 'partner-kc-user-email') # common_name=$pname -# keystore_passowrd=$(prop 'keystore-passowrd') +# keystore_password=$(prop 'keystore-password') -partner_name=$( printenv PARTNER_KC_USERNAME ) +partner_name=$( printenv PARTNER_KC_USERNAME ) echo "$partner_name is the name of the partner." country=IN state=Kar @@ -28,7 +28,9 @@ locality=Blr orgnisation=IITB email_id=user_$(date +%s%N)@example.com common_name=$partner_name -keystore_passowrd= +keystore_password=mosip123 +export keystore_password +echo "$keystore_password" > key.pwd echo "updating conf" sed -i 's/\(^C =\).*/\1 '$country'/' $path/certs/root-openssl.cnf 
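Review bot: `keystore_password=mosip123` in the @@ -28 hunk of certs/create-signing-certs.sh commits a fixed keystore password to the repository, `export keystore_password` hands it to every child process, and `echo "$keystore_password" > key.pwd` writes it into the working directory with whatever umask the caller happens to have. The PKCS#12 built with `-password pass:$keystore_password` later in the same file appears to be the keystore that default.sh copies into a Kubernetes secret in this same patch, so this string is the only protection on that key material wherever the file travels. Keep the literal as an overridable fallback and tighten the file: `keystore_password="${KEYSTORE_PASSWORD:-mosip123}"` and `( umask 077; echo "$keystore_password" > key.pwd )`. Nothing in the visible diff reads key.pwd; a comment on that line naming the intended consumer would tell the next maintainer whether it can be dropped.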
@@ -64,9 +66,8 @@ else openssl req -new -key $cert_path/Client.key -out $cert_path/Client.csr -config $path/certs/client-openssl.cnf openssl x509 -req -days 1825 -extensions v3_req -extfile $path/certs/client-openssl.cnf -in $cert_path/Client.csr -CA $cert_path/RootCA.pem -CAkey $cert_path/RootCA.key -CAcreateserial -out $cert_path/Client.pem - openssl pkcs12 -export -in $cert_path/Client.pem -inkey $cert_path/Client.key -out $cert_path/keystore.p12 -name $partner_name -password pass:$keystore_passowrd + openssl pkcs12 -export -in $cert_path/Client.pem -inkey $cert_path/Client.key -out $cert_path/keystore.p12 -name $partner_name -password pass:$keystore_password echo "Cert generation complete"$'\n' fi - diff --git a/default-auth-policy.json b/default-auth-policy.json index 0b2cd36..83fd2dd 100644 --- a/default-auth-policy.json +++ b/default-auth-policy.json 
@@ -1,72 +1,72 @@
 [
-{
- "id": "string",
- "metadata": {},
- "request": {
- "desc": "{{policy-name}} Policy",
- "name": "{{policy-name}}",
- "version" : "1.0",
- "policies": {
- "allowedAuthTypes": [
- {
- "authSubType": "IRIS",
- "authType": "bio",
- "mandatory": false
- },
- {
- "authSubType": "FINGER",
- "authType": "bio",
- "mandatory": false
- },
- {
- "authSubType": "FACE",
- "authType": "bio",
- "mandatory": false
- },
- {
- "authSubType": "",
- "authType": "otp",
- "mandatory": false
- },
- {
- "authSubType": "",
- "authType": "otp-request",
- "mandatory": false
- },
- {
- "authSubType": "",
- "authType": "kyc",
- "mandatory": false
- },
- {
- "authSubType": "",
- "authType": "demo",
- "mandatory": false
- }
- ],
- "allowedKycAttributes": [
- {
- "attributeName": "fullName"
- },
- {
- "attributeName": "gender"
- },
- {
- "attributeName": "residenceStatus"
- },
- {
- "attributeName": "dateOfBirth"
- },
- {
- "attributeName": "photo"
- }
- ],
- "authTokenType": "policy"
+ {
+ "id": "string",
+ "metadata": {},
+ "request": {
+ "desc": "{{policy-name}} Policy",
+ "name": "{{policy-name}}",
+ "version" : "1.0",
+ "policies": {
+ "allowedAuthTypes": [
+ {
+ "authSubType": "IRIS",
+ "authType": "bio",
+ "mandatory": false
+ },
+ {
+ "authSubType": "FINGER",
+ "authType": "bio",
+ "mandatory": false
+ },
+ {
+ "authSubType": "FACE",
+ "authType": "bio",
+ "mandatory": false
+ },
+ {
+ "authSubType": "",
+ "authType": "otp",
+ "mandatory": false
+ },
+ {
+ "authSubType": "",
+ "authType": "otp-request",
+ "mandatory": false
+ },
+ {
+ "authSubType": "",
+ "authType": "kyc",
+ "mandatory": false
+ },
+ {
+ "authSubType": "",
+ "authType": "demo",
+ "mandatory": false
+ }
+ ],
+ "allowedKycAttributes": [
+ {
+ "attributeName": "fullName"
+ },
+ {
+ "attributeName": "gender"
+ },
+ {
+ "attributeName": "residenceStatus"
+ },
+ {
+ "attributeName": "dateOfBirth"
+ },
+ {
+ "attributeName": "photo"
+ }
+ ],
+ "authTokenType": "policy"
+ },
+ "policyGroupName": "{{policy-group-name}}",
+ "policyType": "Auth"
 },
- "policyGroupName": "{{policy-group-name}}",
- "policyType": "Auth"
- },
- "requesttime": "{{request-time}}",
- "version": "LTS"
-}
+ "requesttime": "{{request-time}}",
+ "version": "LTS"
+ }
 ]
\ No newline at end of file
diff --git a/default-datashare-policy.json b/default-datashare-policy.json
index 3f57a6f..50da2c8 100644
--- a/default-datashare-policy.json
+++ b/default-datashare-policy.json
@@ -1,165 +1,165 @@
 [
 {
- "id": "string",
- "version": "string",
- "requesttime": "{{$isoTimestamp}}",
- "metadata": {},
- "request": {
- "policyId": "",
- "policyGroupName": "{{policy-group-name}}",
- "policyType": "Datashare",
- "name": "{{policy-name}}",
- "desc": "{{policy-name}} policy",
- "version": "1.0",
- "policies": {
- "shareableAttributes": [
- {
- "attributeName": "fullName",
- "source": [
- {
- "attribute": "fullName"
- }
- ],
- "encrypted": true
- },
- {
- "attributeName": "dateOfBirth",
- "source": [
- {
- "attribute": "dateOfBirth"
- }
- ],
- "encrypted": true
- },
- {
- "attributeName": "gender",
- "source": [
- {
- "attribute": "gender"
- }
- ],
- "encrypted": true
- },
- {
- "attributeName": "phone",
- "source": [
- {
- "attribute": "phone"
- }
- ],
- "encrypted": true
- },
- {
- "attributeName": "email",
- "source": [
- {
- "attribute": "email"
- }
- ],
- "encrypted": true
- },
- {
- "attributeName": "addressLine1",
- "source": [
- {
- "attribute": "addressLine1"
- }
- ],
- "encrypted": true
- },
- {
- "attributeName": "addressLine2",
- "source": [
- {
- "attribute": "addressLine2"
- }
- ],
- "encrypted": true
- },
- {
- "attributeName": "addressLine3",
- "source": [
- {
- "attribute": "addressLine3"
- }
- ],
- "encrypted": true
- },
- {
- "attributeName": "region",
- "source": [
- {
- "attribute": "region"
- }
- ],
- "encrypted": true
- },
- {
- "attributeName": "province",
- "source": [
- {
- "attribute": "province"
- }
- ],
- "encrypted": true
- },
- {
- "attributeName": "city",
- "source": [
- {
- "attribute": "city"
- }
- ],
- "encrypted": true
- },
- {
- "attributeName": "postalCode",
- "source": [
- {
- "attribute": "postalCode"
- }
- ],
- "encrypted": true
- },
- {
- "attributeName": "zone",
- "source": [
- {
- "attribute": "zone"
- }
- ],
- "encrypted": true
- },
- {
- "attributeName": "preferredLang",
- "source": [
- {
- "attribute": "preferredLang"
- }
- ],
- "encrypted": false
- },
- {
- "attributeName": "individualBiometrics",
- "group": "CBEFF",
- "source": [
- {
- "attribute": "individualBiometrics"
- }
- ],
- "encrypted": true,
- "format": "extraction"
+ "id": "string",
+ "version": "string",
+ "requesttime": "{{$isoTimestamp}}",
+ "metadata": {},
+ "request": {
+ "policyId": "",
+ "policyGroupName": "{{policy-group-name}}",
+ "policyType": "Datashare",
+ "name": "{{policy-name}}",
+ "desc": "{{policy-name}} policy",
+ "version": "1.0",
+ "policies": {
+ "shareableAttributes": [
+ {
+ "attributeName": "fullName",
+ "source": [
+ {
+ "attribute": "fullName"
+ }
+ ],
+ "encrypted": true
+ },
+ {
+ "attributeName": "dateOfBirth",
+ "source": [
+ {
+ "attribute": "dateOfBirth"
+ }
+ ],
+ "encrypted": true
+ },
+ {
+ "attributeName": "gender",
+ "source": [
+ {
+ "attribute": "gender"
+ }
+ ],
+ "encrypted": true
+ },
+ {
+ "attributeName": "phone",
+ "source": [
+ {
+ "attribute": "phone"
+ }
+ ],
+ "encrypted": true
+ },
+ {
+ "attributeName": "email",
+ "source": [
+ {
+ "attribute": "email"
+ }
+ ],
+ "encrypted": true
+ },
+ {
+ "attributeName": "addressLine1",
+ "source": [
+ {
+ "attribute": "addressLine1"
+ }
+ ],
+ "encrypted": true
+ },
+ {
+ "attributeName": "addressLine2",
+ "source": [
+ {
+ "attribute": "addressLine2"
+ }
+ ],
+ "encrypted": true
+ },
+ {
+ "attributeName": "addressLine3",
+ "source": [
+ {
+ "attribute": "addressLine3"
+ }
+ ],
+ "encrypted": true
+ },
+ {
+ "attributeName": "region",
+ "source": [
+ {
+ "attribute": "region"
+ }
+ ],
+ "encrypted": true
+ },
+ {
+ "attributeName": "province",
+ "source": [
+ {
+ "attribute": "province"
+ }
+ ],
+ "encrypted": true
+ },
+ {
+ "attributeName": "city",
+ "source": [
+ {
+ "attribute": "city"
+ }
+ ],
+ "encrypted": true
+ },
+ {
+ "attributeName": "postalCode",
+ "source": [
+ {
+ "attribute": "postalCode"
+ }
+ ],
+ "encrypted": true
+ },
+ {
+ "attributeName": "zone",
+ "source": [
+ {
+ "attribute": "zone"
+ }
+ ],
+ "encrypted": true
+ },
+ {
+ "attributeName": "preferredLang",
+ "source": [
+ {
+ "attribute": "preferredLang"
+ }
+ ],
+ "encrypted": false
+ },
+ {
+ "attributeName": "individualBiometrics",
+ "group": "CBEFF",
+ "source": [
+ {
+ "attribute": "individualBiometrics"
+ }
+ ],
+ "encrypted": true,
+ "format": "extraction"
+ }
+ ],
+ "dataSharePolicies": {
+ "typeOfShare": "Data Share",
+ "validForInMinutes": "30",
+ "transactionsAllowed": "2",
+ "encryptionType": "Partner Based",
+ "shareDomain": "datashare-service",
+ "source": "ID Repository"
 }
- ],
- "dataSharePolicies": {
- "typeOfShare": "Data Share",
- "validForInMinutes": "30",
- "transactionsAllowed": "2",
- "encryptionType": "Partner Based",
- "shareDomain": "datashare-service",
- "source": "ID Repository"
 }
 }
 }
-}
 ]
\ No newline at end of file
diff --git a/default.sh b/default.sh
index 946a863..440fac6 100644
--- a/default.sh
+++ b/default.sh
@@ -235,9 +235,10 @@ onboard_esignet_partner() { $ADD_SSL_NEWMAN \ --export-environment ./config-secrets.json -d ./default-misp-policy.json -r cli,htmlextra --reporter-htmlextra-export ./reports/e-signet.html --reporter-htmlextra-showEnvironmentData MISP_LICENSE_KEY=$(jq -r '.values[] | select(.key == "mpartner-default-esignet-misp-license-key") | .value' config-secrets.json) - if [ -z "$MISP_LICENSE_KEY" ]; then - MISP_LICENSE_KEY=$(jq -r '.values[] | select(.key | contains("mpartner-default-esignet-misp-license-key")) | .value' config-secrets.json) - fi + +if [ -z "$MISP_LICENSE_KEY" ]; then + MISP_LICENSE_KEY=$(jq -r '.values[] | select(.key | contains("mpartner-default-esignet-misp-license-key")) | .value' config-secrets.json) +fi } onboard_relying_party_with_demo_oidc_client(){
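Review bot: The re-added `if [ -z "$MISP_LICENSE_KEY" ]; then … fi` block in the @@ -235 hunk of default.sh now sits at column 0 inside `onboard_esignet_partner()`, while the lines around it keep the function's indentation; the move changes nothing functionally, so keep the original indent rather than introduce a second style in the same body. Separately, the fallback `select(.key | contains("mpartner-default-esignet-misp-license-key"))` matches any key containing that substring, so if more than one such key exists in config-secrets.json, jq prints one value per line and MISP_LICENSE_KEY silently becomes multi-line; `jq -r '[.values[] | select(.key | contains("mpartner-default-esignet-misp-license-key"))][0].value' config-secrets.json` pins it to the first hit. The function starts outside the hunk.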
@@ -285,7 +286,7 @@ onboard_relying_party_with_demo_oidc_client(){
 --folder create-oidc-client \
 --folder delete-user \
 $ADD_SSL_NEWMAN \
- --export-environment ./config-secrets.json -d ./oidc-policy.json -r cli,htmlextra --reporter-htmlextra-export ./reports/demo-oidc.html --reporter-htmlextra-showEnvironmentData
+ --export-environment ./config-secrets.json -d ./demo-oidc-policy.json -r cli,htmlextra --reporter-htmlextra-export ./reports/demo-oidc.html --reporter-htmlextra-showEnvironmentData
 privateandpublickeypair=$(jq -r '.values[] | select(.key == "privateandpublickeypair") | .value' config-secrets.json)
 privateandpublickeypair=$(echo -n "$privateandpublickeypair" | base64)
 mpartnerdefaultdemooidcclientID=$(jq -r '.values[] | select(.key == "mpartner-default-demo-oidc-clientID") | .value' "config-secrets.json")
@@ -342,7 +343,7 @@ echo "Onboarding resident oidc client"
 --folder get-keyid-from-keymanager \
 --folder create-oidc-client \
 --folder delete-user \
- $ADD_SSL_NEWMAN \
+ $ADD_SSL_NEWMAN \
 --export-environment ./config-secrets.json -d ./oidc-policy.json -r cli,htmlextra --reporter-htmlextra-export ./reports/resident-oidc.html --reporter-htmlextra-showEnvironmentData
 mpartnerdefaultresidentoidcclientID=$(jq -r '.values[] | select(.key == "mpartner-default-resident-oidc-clientID") | .value' "config-secrets.json")
 }
@@ -354,8 +355,8 @@ onboard_mimoto_keybinding_partner(){
 echo $root_ca_cert
 echo $partner_cert
 newman run onboarding.postman_collection.json --delay-request 2000 -e onboarding.postman_environment.json --bail \
- --env-var url="$URL" \
- --env-var request-time="$DATE" \
+ --env-var url="$URL" \
+ --env-var request-time="$DATE" \
 --env-var partner-manager-username=$PARTNER_KC_USERNAME \
 --env-var partner-manager-password=$PARTNER_KC_USERPASSWORD \
 --env-var application-id=$APPLICATION_ID \
@@ -396,8 +397,9 @@ onboard_mimoto_oidc_partner(){ root_ca_cert=$(awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' $root_cert_path) partner_cert=$(awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' $client_cert_path) sh $MYDIR/certs/convert.sh $MYDIR + mv $MYDIR/certs/$PARTNER_KC_USERNAME/keystore.p12 $MYDIR/certs/$PARTNER_KC_USERNAME/oidckeystore.p12 - kubectl -n $ns_mimoto create secret generic mimoto --from-file=$MYDIR/certs/$PARTNER_KC_USERNAME/keystore.p12 --dry-run=client -o yaml | kubectl apply -f - + kubectl -n $ns_mimoto create secret generic mimotooidc --from-file=$MYDIR/certs/$PARTNER_KC_USERNAME/oidckeystore.p12 --dry-run=client -o yaml | kubectl apply -f - if [ $? -gt 0 ]; then echo "JWK Key generation failed; EXITING"; @@ -474,6 +476,7 @@ if [ "$ENABLE_INSECURE" = "true" ]; then openssl s_client -servername "$HOST" -connect "$HOST":443 > "$MYDIR/$HOST.cer" 2>/dev/null & sleep 2 ; sed -i -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "$MYDIR/$HOST.cer"; cat "$MYDIR/$HOST.cer"; + export ADD_SSL_CURL="--cacert $MYDIR/$HOST.cer" export ADD_SSL_NEWMAN="--ssl-extra-ca-certs $MYDIR/$HOST.cer" fi diff --git a/demo-oidc-policy.json b/demo-oidc-policy.json new file mode 100644 index 0000000..0557d0e --- /dev/null +++ b/demo-oidc-policy.json 
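Review bot: The new `mv $MYDIR/certs/$PARTNER_KC_USERNAME/keystore.p12 $MYDIR/certs/$PARTNER_KC_USERNAME/oidckeystore.p12` in onboard_mimoto_oidc_partner is unchecked, and the `if [ $? -gt 0 ]` below it only sees the exit status of the final `kubectl apply` in the pipeline, so a missing keystore.p12 (cert generation having failed earlier) surfaces as "JWK Key generation failed" rather than at the rename. Fail on the rename itself: `mv "$MYDIR/certs/$PARTNER_KC_USERNAME/keystore.p12" "$MYDIR/certs/$PARTNER_KC_USERNAME/oidckeystore.p12" || { echo "keystore.p12 not found; EXITING"; exit 1; }`. The `mimotooidc` secret carries only the .p12, while the password that protects it is set in certs/create-signing-certs.sh in this same patch and is not placed alongside it; presumably the consumer obtains it another way, and a comment on the kubectl line naming where would make that explicit. The function body starts and ends outside the hunk.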
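Review bot: `export ADD_SSL_CURL="--cacert $MYDIR/$HOST.cer"` in the @@ -474 hunk pins curl to a certificate that the preceding `openssl s_client` lines fetched from the same host with no validation, so under `ENABLE_INSECURE=true` whatever certificate `$HOST:443` presents at that moment is trusted for every later curl and newman call. That is the stated purpose of the flag, but the code does not say so; add above the two export lines `# ENABLE_INSECURE: trust-on-first-use of whatever cert $HOST served above; sandbox only, no validation`. The variable is also expanded unquoted in certs/create-jwks.sh (`curl $ADD_SSL_CURL …`) so that it splits into two arguments, which silently breaks if `$MYDIR` contains whitespace; a bash array is the robust form but a larger change than this patch. The enclosing `if` starts outside the hunk.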
@@ -0,0 +1,119 @@
+[
+ {
+ "id": "",
+ "metadata": null,
+ "request": {
+ "name": "{{policy-name}}",
+ "desc": "{{policy-name}} Policy",
+ "policies": {
+ "authTokenType": "policy",
+ "allowedKycAttributes": [
+ {
+ "attributeName": "fullName"
+ },
+ {
+ "attributeName": "gender"
+ },
+ {
+ "attributeName": "phone"
+ },
+ {
+ "attributeName": "email"
+ },
+ {
+ "attributeName": "dateOfBirth"
+ },
+ {
+ "attributeName": "city"
+ },
+ {
+ "attributeName": "face"
+ },
+ {
+ "attributeName": "addressLine1"
+ },
+ {
+ "attributeName": "individual_id"
+ }
+ ],
+ "allowedAuthTypes": [
+ {
+ "authSubType": "IRIS",
+ "authType": "bio",
+ "mandatory": false
+ },
+ {
+ "authSubType": "FINGER",
+ "authType": "bio",
+ "mandatory": false
+ },
+ {
+ "authSubType": "",
+ "authType": "otp",
+ "mandatory": false
+ },
+ {
+ "authSubType": "FACE",
+ "authType": "bio",
+ "mandatory": false
+ },
+ {
+ "authSubType": "",
+ "authType": "otp-request",
+ "mandatory": false
+ },
+ {
+ "authSubType": "",
+ "authType": "kyc",
+ "mandatory": false
+ },
+ {
+ "authSubType": "",
+ "authType": "demo",
+ "mandatory": false
+ },
+ {
+ "authSubType": "",
+ "authType": "kycauth",
+ "mandatory": false
+ },
+ {
+ "authSubType": "",
+ "authType": "kycexchange",
+ "mandatory": false
+ },
+ {
+ "authSubType": "",
+ "authType": "keybinding",
+ "mandatory": false
+ },
+ {
+ "authSubType": "",
+ "authType": "kbt",
+ "mandatory": false
+ },
+ {
+ "authSubType": "",
+ "authType": "wla",
+ "mandatory": false
+ },
+ {
+ "authSubType": "",
+ "authType": "vciexchange",
+ "mandatory": false
+ },
+ {
+ "authSubType": "",
+ "authType": "pwd",
+ "mandatory": false
+ }
+ ]
+ },
+ "policyGroupName": "{{policy-group-name}}",
+ "policyType": "Auth",
+ "version": "1.1"
+ },
+ "version": "1.0",
+ "requesttime": "{{$isoTimestamp}}"
+ }
+]
\ No newline at end of file
diff --git a/oidc-policy.json b/oidc-policy.json
index 9f2f234..580cd75 100644
--- a/oidc-policy.json
+++ b/oidc-policy.json
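Review bot: demo-oidc-policy.json diverges from the sibling policy bodies in ways that look accidental rather than intended: `"metadata": null` where default-auth-policy.json sends `"metadata": {}`, `"id": ""` against `"id": "string"`, and an inner `"version": "1.1"` against `"1.0"` — a key should keep one type and one convention across the request bodies this collection posts, or the divergence should be deliberate and recorded. `"attributeName": "individual_id"` is the only snake_case entry in an otherwise camelCase allowedKycAttributes list; if that spelling is what the ID schema actually expects, a line in README.md saying so would keep the next reader from "fixing" it. The file also ends without a trailing newline (the `\ No newline at end of file` marker), unlike a normally committed text file.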
@@ -77,7 +77,7 @@
 "authSubType": "",
 "authType": "vciexchange",
 "mandatory": false
- }]
+ }]
 },
 "policyGroupName": "{{policy-group-name}}",
 "policyType": "Auth",