Merge branch '310-fix-some-image-vulnerabilities' into 'dev'

Large update

See merge request !159

.env.unix.example

 DBREPO_CLIENT_SECRET=MUwRc7yfXSJwX8AdRMWaQC3Nep1VjwgG
 RABBITMQ_CLIENT_SECRET=JEC2FexxrX4N65fLeDGukAl6R3Lc9y0u
-JWT_ISSUER=https://localhost:8443/realms/dbrepo
+JWT_ISSUER=http://localhost/realms/dbrepo
 JWT_PUBKEY=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqqnHQ2BWWW9vDNLRCcxD++xZg/16oqMo/c1l+lcFEjjAIJjJp/HqrPYU/U9GvquGE6PbVFtTzW1KcKawOW+FJNOA3CGo8Q1TFEfz43B8rZpKsFbJKvQGVv1Z4HaKPvLUm7iMm8Hv91cLduuoWx6Q3DPe2vg13GKKEZe7UFghF+0T9u8EKzA/XqQ0OiICmsmYPbwvf9N3bCKsB/Y10EYmZRb8IhCoV9mmO5TxgWgiuNeCTtNCv2ePYqL/U0WvyGFW0reasIK8eg3KrAUj8DpyOgPOVBn3lBGf+3KFSYi+0bwZbJZWqbC/Xlk20Go1YfeJPRIt7ImxD27R/lNjgDO/MwIDAQAB
 JWT_CERT=MIICmzCCAYMCBgGG3GWyBTANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZkYnJlcG8wHhcNMjMwMzEzMTkxMzE3WhcNMzMwMzEzMTkxNDU3WjARMQ8wDQYDVQQDDAZkYnJlcG8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqqcdDYFZZb28M0tEJzEP77FmD/Xqioyj9zWX6VwUSOMAgmMmn8eqs9hT9T0a+q4YTo9tUW1PNbUpwprA5b4Uk04DcIajxDVMUR/PjcHytmkqwVskq9AZW/Vngdoo+8tSbuIybwe/3Vwt266hbHpDcM97a+DXcYooRl7tQWCEX7RP27wQrMD9epDQ6IgKayZg9vC9/03dsIqwH9jXQRiZlFvwiEKhX2aY7lPGBaCK414JO00K/Z49iov9TRa/IYVbSt5qwgrx6DcqsBSPwOnI6A85UGfeUEZ/7coVJiL7RvBlsllapsL9eWTbQajVh94k9Ei3sibEPbtH+U2OAM78zAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAASnN1Cuif1sdfEK2kWAURSXGJCohCROLWdKFjaeHPRaEfpbFJsgxW0Yj3nwX5O3bUlOWoTyENwnXSsXMQsqnNi+At32CKaKO8+AkhAbgQL9F0B+KeJwmYv3cUj5N/LYkJjBvZBzUZ4Ugu5dcxH0k7AktLAIwimkyEnxTNolOA3UyrGGpREr8MCKWVr10RFuOpF/0CsJNNwbHXzalO9D756EUcRWZ9VSg6QVNso0YYRKTnILWDn9hcTRnqGy3SHo3anFTqQZ+BB57YbgFWy6udC0LYRB3zdp6zNti87eu/VEymiDY/mmo1AB8Tm0b6vxFz4AKcL3ax5qS6YnZ9efSzk=
 SHARED_FILESYSTEM=/tmp
@@ -15,7 +15,7 @@ KEYCLOAK_ADMIN=fda
 KEYCLOAK_ADMIN_PASSWORD=fda
 BROKER_CONSUMERS=2
 WEBSITE=http://localhost
-GATEWAY_ENDPOINT=http://gateway-service:9095
+GATEWAY_ENDPOINT=http://gateway-service
 TOKEN_MAX=5
 LOG_LEVEL=trace # error, warning, info, debug, trace
 DOI_URL="https://doi.org"

.gitignore

@@ -37,6 +37,10 @@ fda-ui/
 # Environment
 .env
 
+# X509
+root.crt
+intermediate.crt
+
 # scanning
 .trivy/trivy-*.json
 

.gitlab-ci.yml

@@ -2,7 +2,7 @@ before_script:
   - "docker version"
   - "docker compose version"
   - "docker system prune -f"
-  - "bash .gitlab/set-java.sh 11"
+  - "bash .gitlab/set-java.sh 17"
   - "mvn --version"
   - "python3 --version"
   - "df / -h"
@@ -56,20 +56,6 @@ build-database-service:
   script:
     - "make build-database-service"
 
-build-discovery-service:
-  stage: build-backend
-  needs:
-    - build-metadata-db
-  script:
-    - "make build-discovery-service"
-
-build-gateway-service:
-  stage: build-backend
-  needs:
-    - build-metadata-db
-  script:
-    - "make build-gateway-service"
-
 build-query-service:
   stage: build-backend
   needs:
@@ -178,23 +164,6 @@ test-database-service:
   coverage: '/Total.*?([0-9]{1,3})%/'
   timeout: 2 hour
 
-test-discovery-service:
-  stage: test-backend
-  needs:
-    - build-discovery-service
-  script:
-    - "make test-discovery-service"
-    - "cat ./dbrepo-discovery-service/report/target/site/jacoco-aggregate/index.html | grep -o 'Total[^%]*%' | sed 's/<.*>/ /; s/Total/Jacoco Coverage Total:/'"
-  artifacts:
-    when: always
-    paths:
-      - ./dbrepo-discovery-service/report/target/site/jacoco-aggregate/
-      - ./dbrepo-discovery-service/discovery/target/surefire-reports/
-    expire_in: 1 days
-    reports:
-      junit: ./dbrepo-discovery-service/discovery/target/surefire-reports/TEST-*.xml
-  coverage: '/Total.*?([0-9]{1,3})%/'
-
 test-query-service:
   stage: test-backend
   needs:
@@ -247,23 +216,6 @@ test-metadata-service:
       junit: ./dbrepo-metadata-service/rest-service/target/surefire-reports/TEST-*.xml
   coverage: '/Total.*?([0-9]{1,3})%/'
 
-test-gateway-service:
-  stage: test-backend
-  needs:
-    - build-gateway-service
-  script:
-    - "make test-gateway-service"
-    - "echo 'Jacoco Coverage Total: 100%'"
-  artifacts:
-    when: always
-    paths:
-      - ./dbrepo-gateway-service/report/target/site/jacoco-aggregate/
-      - ./dbrepo-metadata-service/gateway/target/surefire-reports/
-    expire_in: 1 days
-    reports:
-      junit: ./dbrepo-gateway-service/gateway/target/surefire-reports/TEST-*.xml
-  coverage: '/Total.*?([0-9]{1,3})%/'
-
 test-semantics-service:
   stage: test-backend
   needs:
@@ -321,8 +273,6 @@ build-docker:
     - build-identifier-service
     - build-container-service
     - build-database-service
-    - build-discovery-service
-    - build-gateway-service
     - build-query-service
     - build-table-service
     - build-metadata-service
@@ -342,6 +292,10 @@ scan-analyse-service:
   stage: scan-docker
   needs:
     - build-docker
+  only:
+    refs:
+      - dev
+      - master
   allow_failure: true
   before_script:
     - docker logout ghcr.io
@@ -360,6 +314,10 @@ scan-authentication-service:
   stage: scan-docker
   needs:
     - build-docker
+  only:
+    refs:
+      - dev
+      - master
   allow_failure: true
   before_script:
     - docker logout ghcr.io
@@ -378,6 +336,10 @@ scan-broker-service:
   stage: scan-docker
   needs:
     - build-docker
+  only:
+    refs:
+      - dev
+      - master
   allow_failure: true
   before_script:
     - docker logout ghcr.io
@@ -396,6 +358,10 @@ scan-container-service:
   stage: scan-docker
   needs:
     - build-docker
+  only:
+    refs:
+      - dev
+      - master
   allow_failure: true
   before_script:
     - docker logout ghcr.io
@@ -414,6 +380,10 @@ scan-database-service:
   stage: scan-docker
   needs:
     - build-docker
+  only:
+    refs:
+      - dev
+      - master
   allow_failure: true
   before_script:
     - docker logout ghcr.io
@@ -428,28 +398,14 @@ scan-database-service:
     reports:
       container_scanning: ./.trivy/trivy-database-service-report.json
 
-scan-discovery-service:
-  stage: scan-docker
-  needs:
-    - build-docker
-  allow_failure: true
-  before_script:
-    - docker logout ghcr.io
-  script:
-    - make scan-discovery-service
-  cache:
-    paths:
-      - .trivycache/
-  artifacts:
-    when: always
-    expire_in: 1 days
-    reports:
-      container_scanning: ./.trivy/trivy-discovery-service-report.json
-
 scan-gateway-service:
   stage: scan-docker
   needs:
     - build-docker
+  only:
+    refs:
+      - dev
+      - master
   allow_failure: true
   before_script:
     - docker logout ghcr.io
@@ -468,6 +424,10 @@ scan-identifier-service:
   stage: scan-docker
   needs:
     - build-docker
+  only:
+    refs:
+      - dev
+      - master
   allow_failure: true
   before_script:
     - docker logout ghcr.io
@@ -486,6 +446,10 @@ scan-metadata-db:
   stage: scan-docker
   needs:
     - build-docker
+  only:
+    refs:
+      - dev
+      - master
   allow_failure: true
   before_script:
     - docker logout ghcr.io
@@ -504,6 +468,10 @@ scan-metadata-service:
   stage: scan-docker
   needs:
     - build-docker
+  only:
+    refs:
+      - dev
+      - master
   allow_failure: true
   before_script:
     - docker logout ghcr.io
@@ -522,6 +490,10 @@ scan-proxy:
   stage: scan-docker
   needs:
     - build-docker
+  only:
+    refs:
+      - dev
+      - master
   allow_failure: true
   before_script:
     - docker logout ghcr.io
@@ -540,6 +512,10 @@ scan-query-service:
   stage: scan-docker
   needs:
     - build-docker
+  only:
+    refs:
+      - dev
+      - master
   allow_failure: true
   before_script:
     - docker logout ghcr.io
@@ -558,6 +534,10 @@ scan-search-service:
   stage: scan-docker
   needs:
     - build-docker
+  only:
+    refs:
+      - dev
+      - master
   allow_failure: true
   before_script:
     - docker logout ghcr.io
@@ -576,6 +556,10 @@ scan-semantics-service:
   stage: scan-docker
   needs:
     - build-docker
+  only:
+    refs:
+      - dev
+      - master
   allow_failure: true
   before_script:
     - docker logout ghcr.io
@@ -594,6 +578,10 @@ scan-table-service:
   stage: scan-docker
   needs:
     - build-docker
+  only:
+    refs:
+      - dev
+      - master
   allow_failure: true
   before_script:
     - docker logout ghcr.io
@@ -612,6 +600,10 @@ scan-ui:
   stage: scan-docker
   needs:
     - build-docker
+  only:
+    refs:
+      - dev
+      - master
   allow_failure: true
   before_script:
     - docker logout ghcr.io
@@ -630,6 +622,10 @@ scan-user-service:
   stage: scan-docker
   needs:
     - build-docker
+  only:
+    refs:
+      - dev
+      - master
   allow_failure: true
   before_script:
     - docker logout ghcr.io
@@ -652,7 +648,6 @@ release-latest:
     - scan-broker-service
     - scan-container-service
     - scan-database-service
-    - scan-discovery-service
     - scan-gateway-service
     - scan-identifier-service
     - scan-metadata-db
@@ -680,7 +675,6 @@ release-version:
     - scan-broker-service
     - scan-container-service
     - scan-database-service
-    - scan-discovery-service
     - scan-gateway-service
     - scan-identifier-service
     - scan-metadata-db

.gitlab/clean.sh

-#!/bin/bash

Makefile

@@ -5,7 +5,7 @@ TRIVY_VERSION ?= v0.41.0
 
 all:
 
-build-backend: build-metadata-db build-database-service build-query-service build-table-service build-identifier-service build-container-service build-discovery-service build-gateway-service build-metadata-service build-analyse-service build-user-service
+build-backend: build-metadata-db build-database-service build-query-service build-table-service build-identifier-service build-container-service build-metadata-service build-analyse-service build-user-service
 
 build-metadata-db:
 	mvn -f ./dbrepo-metadata-db/pom.xml clean install
@@ -22,12 +22,6 @@ build-container-service: build-metadata-db
 build-database-service: build-metadata-db
 	mvn -f ./dbrepo-database-service/pom.xml clean package -DskipTests
 
-build-discovery-service: build-metadata-db
-	mvn -f ./dbrepo-discovery-service/pom.xml clean package -DskipTests
-
-build-gateway-service: build-metadata-db
-	mvn -f ./dbrepo-gateway-service/pom.xml clean package -DskipTests
-
 build-query-service: build-metadata-db
 	mvn -f ./dbrepo-query-service/pom.xml clean package -DskipTests
 
@@ -154,7 +148,7 @@ release-search: tag-search
 release-metadata: tag-metadata
 	docker push "dbrepo/metadata-service:${TAG}"
 
-test-backend: test-container-service test-database-service test-discovery-service test-gateway-service test-query-service test-table-service test-identifier-service test-metadata-service test-semantics-service test-analyse-service test-user-service
+test-backend: test-container-service test-database-service test-query-service test-table-service test-identifier-service test-metadata-service test-semantics-service test-analyse-service test-user-service
 
 test-identifier-service: clean build-metadata-db build-identifier-service
 	mvn -f ./dbrepo-identifier-service/pom.xml clean test verify
@@ -164,14 +158,9 @@ test-container-service: clean build-metadata-db build-container-service
 
 test-database-service: clean build-metadata-db build-database-service
 	docker pull rabbitmq:3-management-alpine
+	docker pull elasticsearch:8.7.1
 	mvn -f ./dbrepo-database-service/pom.xml clean test verify
 
-test-discovery-service: clean build-metadata-db build-discovery-service
-	mvn -f ./dbrepo-discovery-service/pom.xml clean test verify
-
-test-gateway-service: clean build-metadata-db build-gateway-service
-	mvn -f ./dbrepo-gateway-service/pom.xml clean test verify
-
 test-query-service: clean build-metadata-db build-query-service
 	mvn -f ./dbrepo-query-service/pom.xml clean test verify
 

dbrepo-analyse-service/Dockerfile

-FROM python:3.9-slim
-MAINTAINER Cornelia Michlits <cornelia.michlits@tuwien.ac.at>
+FROM python:3.9-alpine
+MAINTAINER Martin Weise <martin.weise@tuwien.ac.at>
+
+RUN apk update && apk --no-cache add build-base gcc python3-dev libpq-dev libffi-dev bash curl py3-pandas \
+    py3-sqlalchemy py3-requests py3-gevent py3-psycopg2
+
+WORKDIR /app
+
+COPY ./requirements.txt ./requirements.txt
+RUN pip install -r requirements.txt > /dev/null
+
+COPY ./healthcheck.sh ./healthcheck.sh
 
 ENV FLASK_APP=app.py
 ENV FLASK_RUN_HOST=0.0.0.0
 ENV PORT_APP=5000
 ENV FLASK_ENV=production
 ENV HOSTNAME=analyse-service
-ENV EUREKA_SERVER=http://discovery-service:9090/eureka/
 
-WORKDIR /app
-
-COPY requirements.txt requirements.txt
-
-RUN pip install -r requirements.txt > /dev/null
-
-HEALTHCHECK --interval=10s --timeout=5s --retries=12 CMD ./service_ready
+HEALTHCHECK --interval=10s --timeout=5s --retries=12 CMD ["bash", "/app/healthcheck.sh"]
 
 COPY ./as-yml/ ./as-yml/
 COPY ./*.py ./
-COPY ./service_ready ./
-
-RUN chmod +x ./service_ready
 
 EXPOSE $PORT_APP
 

dbrepo-analyse-service/app.py

-import os
 from _csv import Error
 
 from flask import Flask, request, Response
 from determine_dt import determine_datatypes
 from determine_pk import determine_pk
 import logging
-import py_eureka_client.eureka_client as eureka_client
 from flasgger import Swagger
 from flasgger.utils import swag_from
 from flasgger import LazyJSONEncoder
@@ -148,11 +146,6 @@ def determinepk():
 
 
 rest_server_port = 5000
-eureka_client.init(eureka_server=os.getenv('EUREKA_SERVER', 'http://localhost:9090/eureka/'),
-                   app_name=os.getenv('HOSTNAME', 'analyse-service'),
-                   instance_ip=os.getenv('HOSTNAME', 'analyse-service'),
-                   instance_host=os.getenv('HOSTNAME', 'analyse-service'),
-                   instance_port=rest_server_port)
 
 if __name__ == '__main__':
     http_server = WSGIServer(('', 5000), app)

dbrepo-analyse-service/healthcheck.sh

+#!/bin/bash
+HTTP_CODE=$(curl --silent --output /dev/stderr --write-out "%{http_code}" 'http://0.0.0.0:5000/metrics')
+if test $HTTP_CODE -ne 200; then
+  exit 1
+fi
\ No newline at end of file

dbrepo-analyse-service/requirements.txt

+attrs==23.1.0
+certifi==2023.5.7
+chardet==5.1.0
+charset-normalizer==2.0.12
+click==8.1.3
+coverage==7.1.0
+docker==5.0.0
+exceptiongroup==1.1.1
+flasgger==0.9.5
+Flask==2.2.2
+gevent==21.8.0
+greenlet==1.1.3.post0
+html5lib==1.1
+idna==3.4
+importlib-metadata==6.6.0
+iniconfig==2.0.0
+itsdangerous==2.1.2
+Jinja2==3.1.2
+json-table-schema==0.2.1
+jsonschema==4.17.3
+lxml==4.9.2
+MarkupSafe==2.1.2
 messytables==0.15.2
+mistune==2.0.5
+numpy==1.24.3
+packaging==23.1
 pandas==1.2.3
-flask==2.1.2
-flasgger==0.9.5
+pluggy==1.0.0
+prometheus-client==0.16.0
+prometheus-flask-exporter==0.21.0
 psycopg2-binary==2.8.6
-py-eureka-client==0.9.1
-docker==5.0.0
-sqlalchemy==1.4.15
-requests==2.26.0
-gevent==21.8.0
-markupsafe==2.0.1
-prometheus_flask_exporter==0.21.0
+pyrsistent==0.19.3
 pytest==7.2.1
-coverage==7.1.0
\ No newline at end of file
+python-dateutil==2.8.2
+python-magic==0.4.27
+pytz==2023.3
+PyYAML==6.0
+requests==2.26.0
+six==1.16.0
+SQLAlchemy==1.4.15
+tomli==2.0.1
+urllib3==1.26.15
+webencodings==0.5.1
+websocket-client==1.5.1
+Werkzeug==2.3.3
+xlrd==2.0.1
+zipp==3.15.0
+zope.event==4.6
+zope.interface==6.0

dbrepo-analyse-service/service_ready

-#!/usr/local/bin/python
-import socket
-sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-result = sock.connect_ex(('127.0.0.1', 5000))
-if result == 0:
-   print("Port is open")
-   exit(0)
-else:
-   print("Port is not open")
-   exit(1)
-sock.close()
\ No newline at end of file

dbrepo-authentication-service/Dockerfile

 ###### FIRST STAGE ######
 FROM keycloak/keycloak:21.0 as config
 MAINTAINER Martin Weise <martin.weise@tuwien.ac.at>
-LABEL service=authentication
 
 # Enable health and metrics support
 ENV KC_HEALTH_ENABLED=true
@@ -13,8 +12,6 @@ ENV KC_DB=mariadb
 
 WORKDIR /opt/keycloak
 
-COPY ./auth.keystore ./conf/server.keystore
-
 RUN /opt/keycloak/bin/kc.sh build
 
 ###### SECOND STAGE ######
@@ -22,7 +19,7 @@ FROM redhat/ubi9-minimal as binary
 
 RUN microdnf update -y && microdnf install -y curl-minimal libcurl-minimal
 
-###### FOURTH STAGE ######
+###### THIRD STAGE ######
 FROM keycloak/keycloak:21.0 as runtime
 
 COPY --from=config /opt/keycloak/ /opt/keycloak/
@@ -35,8 +32,6 @@ COPY ./dbrepo-realm.json /opt/keycloak/data/import/dbrepo-realm.json
 
 WORKDIR /app
 
-COPY ./service-register.sh ./service-register.sh
-COPY ./docker-entrypoint.sh ./docker-entrypoint.sh
 COPY ./healthcheck.sh ./healthcheck.sh
 
 ENV METADATA_USERNAME=root
@@ -54,4 +49,4 @@ ENV KEYCLOAK_ADMIN_PASSWORD=fda
 
 HEALTHCHECK --interval=10s --timeout=5s --retries=12 CMD ["bash", "/app/healthcheck.sh"]
 
-ENTRYPOINT ["bash", "/app/docker-entrypoint.sh"]
+ENTRYPOINT ["/opt/keycloak/bin/kc.sh", "start-dev", "--import-realm"]

dbrepo-authentication-service/dbrepo-realm.json

@@ -26,7 +26,7 @@
   "oauth2DeviceCodeLifespan" : 600,
   "oauth2DevicePollingInterval" : 5,
   "enabled" : true,
-  "sslRequired" : "external",
+  "sslRequired" : "none",
   "registrationAllowed" : false,
   "registrationEmailAsUsername" : false,
   "rememberMe" : false,
@@ -909,7 +909,7 @@
   "otpPolicyLookAheadWindow" : 1,
   "otpPolicyPeriod" : 30,
   "otpPolicyCodeReusable" : false,
-  "otpSupportedApplications" : [ "totpAppGoogleName", "totpAppFreeOTPName", "totpAppMicrosoftAuthenticatorName" ],
+  "otpSupportedApplications" : [ "totpAppFreeOTPName", "totpAppMicrosoftAuthenticatorName", "totpAppGoogleName" ],
   "webAuthnPolicyRpEntityName" : "keycloak",
   "webAuthnPolicySignatureAlgorithms" : [ "ES256" ],
   "webAuthnPolicyRpId" : "",
@@ -1838,7 +1838,40 @@
   "enabledEventTypes" : [ "SEND_RESET_PASSWORD", "UPDATE_CONSENT_ERROR", "GRANT_CONSENT", "VERIFY_PROFILE_ERROR", "REMOVE_TOTP", "REVOKE_GRANT", "UPDATE_TOTP", "LOGIN_ERROR", "CLIENT_LOGIN", "RESET_PASSWORD_ERROR", "IMPERSONATE_ERROR", "CODE_TO_TOKEN_ERROR", "CUSTOM_REQUIRED_ACTION", "OAUTH2_DEVICE_CODE_TO_TOKEN_ERROR", "RESTART_AUTHENTICATION", "IMPERSONATE", "UPDATE_PROFILE_ERROR", "LOGIN", "OAUTH2_DEVICE_VERIFY_USER_CODE", "UPDATE_PASSWORD_ERROR", "CLIENT_INITIATED_ACCOUNT_LINKING", "TOKEN_EXCHANGE", "AUTHREQID_TO_TOKEN", "LOGOUT", "REGISTER", "DELETE_ACCOUNT_ERROR", "CLIENT_REGISTER", "IDENTITY_PROVIDER_LINK_ACCOUNT", "DELETE_ACCOUNT", "UPDATE_PASSWORD", "CLIENT_DELETE", "FEDERATED_IDENTITY_LINK_ERROR", "IDENTITY_PROVIDER_FIRST_LOGIN", "CLIENT_DELETE_ERROR", "VERIFY_EMAIL", "CLIENT_LOGIN_ERROR", "RESTART_AUTHENTICATION_ERROR", "EXECUTE_ACTIONS", "REMOVE_FEDERATED_IDENTITY_ERROR", "TOKEN_EXCHANGE_ERROR", "PERMISSION_TOKEN", "SEND_IDENTITY_PROVIDER_LINK_ERROR", "EXECUTE_ACTION_TOKEN_ERROR", "SEND_VERIFY_EMAIL", "OAUTH2_DEVICE_AUTH", "EXECUTE_ACTIONS_ERROR", "REMOVE_FEDERATED_IDENTITY", "OAUTH2_DEVICE_CODE_TO_TOKEN", "IDENTITY_PROVIDER_POST_LOGIN", "IDENTITY_PROVIDER_LINK_ACCOUNT_ERROR", "OAUTH2_DEVICE_VERIFY_USER_CODE_ERROR", "UPDATE_EMAIL", "REGISTER_ERROR", "REVOKE_GRANT_ERROR", "EXECUTE_ACTION_TOKEN", "LOGOUT_ERROR", "UPDATE_EMAIL_ERROR", "CLIENT_UPDATE_ERROR", "AUTHREQID_TO_TOKEN_ERROR", "UPDATE_PROFILE", "CLIENT_REGISTER_ERROR", "FEDERATED_IDENTITY_LINK", "SEND_IDENTITY_PROVIDER_LINK", "SEND_VERIFY_EMAIL_ERROR", "RESET_PASSWORD", "CLIENT_INITIATED_ACCOUNT_LINKING_ERROR", "OAUTH2_DEVICE_AUTH_ERROR", "UPDATE_CONSENT", "REMOVE_TOTP_ERROR", "VERIFY_EMAIL_ERROR", "SEND_RESET_PASSWORD_ERROR", "CLIENT_UPDATE", "CUSTOM_REQUIRED_ACTION_ERROR", "IDENTITY_PROVIDER_POST_LOGIN_ERROR", "UPDATE_TOTP_ERROR", "CODE_TO_TOKEN", "VERIFY_PROFILE", "GRANT_CONSENT_ERROR", "IDENTITY_PROVIDER_FIRST_LOGIN_ERROR" ],
   "adminEventsEnabled" : false,
   "adminEventsDetailsEnabled" : false,
-  "identityProviders" : [ ],
+  "identityProviders" : [ {
+    "alias" : "saml",
+    "displayName" : "",
+    "internalId" : "4a2378b1-4e46-4783-a663-b33f3bd95061",
+    "providerId" : "saml",
+    "enabled" : true,
+    "updateProfileFirstLoginMode" : "on",
+    "trustEmail" : false,
+    "storeToken" : false,
+    "addReadTokenRoleOnCreate" : false,
+    "authenticateByDefault" : false,
+    "linkOnly" : false,
+    "firstBrokerLoginFlowAlias" : "first broker login",
+    "config" : {
+      "validateSignature" : "false",
+      "postBindingLogout" : "false",
+      "nameIDPolicyFormat" : "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
+      "postBindingResponse" : "false",
+      "entityId" : "https://dbrepo2.ec.tuwien.ac.at/realms/dbrepo",
+      "backchannelSupported" : "false",
+      "signSpMetadata" : "false",
+      "wantAssertionsEncrypted" : "false",
+      "loginHint" : "false",
+      "allowCreate" : "true",
+      "wantAssertionsSigned" : "false",
+      "postBindingAuthnRequest" : "false",
+      "forceAuthn" : "false",
+      "attributeConsumingServiceIndex" : "0",
+      "singleSignOnServiceUrl" : "https://idp.zid.tuwien.ac.at/",
+      "wantAuthnRequestsSigned" : "false",
+      "allowedClockSkew" : "0",
+      "principalType" : "Subject NameID"
+    }
+  } ],
   "identityProviderMappers" : [ ],
   "components" : {
     "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy" : [ {
@@ -1899,7 +1932,7 @@
       "subType" : "authenticated",
       "subComponents" : { },
       "config" : {
-        "allowed-protocol-mapper-types" : [ "oidc-full-name-mapper", "oidc-usermodel-property-mapper", "oidc-usermodel-attribute-mapper", "saml-user-property-mapper", "saml-role-list-mapper", "oidc-address-mapper", "oidc-sha256-pairwise-sub-mapper", "saml-user-attribute-mapper" ]
+        "allowed-protocol-mapper-types" : [ "oidc-usermodel-attribute-mapper", "oidc-full-name-mapper", "oidc-usermodel-property-mapper", "oidc-sha256-pairwise-sub-mapper", "saml-user-property-mapper", "saml-role-list-mapper", "oidc-address-mapper", "saml-user-attribute-mapper" ]
       }
     }, {
       "id" : "3ab11d74-5e76-408a-b85a-26bf8950f979",
@@ -1908,7 +1941,7 @@
       "subType" : "anonymous",
       "subComponents" : { },
       "config" : {
-        "allowed-protocol-mapper-types" : [ "oidc-usermodel-attribute-mapper", "saml-role-list-mapper", "oidc-full-name-mapper", "oidc-sha256-pairwise-sub-mapper", "saml-user-attribute-mapper", "saml-user-property-mapper", "oidc-address-mapper", "oidc-usermodel-property-mapper" ]
+        "allowed-protocol-mapper-types" : [ "saml-user-property-mapper", "oidc-usermodel-attribute-mapper", "oidc-sha256-pairwise-sub-mapper", "saml-role-list-mapper", "oidc-address-mapper", "oidc-usermodel-property-mapper", "saml-user-attribute-mapper", "oidc-full-name-mapper" ]
       }
     } ],
     "org.keycloak.keys.KeyProvider" : [ {
@@ -1960,7 +1993,7 @@
   "internationalizationEnabled" : false,
   "supportedLocales" : [ ],
   "authenticationFlows" : [ {
-    "id" : "85d85037-1863-4869-b9ab-09582853f779",
+    "id" : "7e7d6810-5b6c-4ec6-865c-5f0b62ec56d7",
     "alias" : "Account verification options",
     "description" : "Method with which to verity the existing account",
     "providerId" : "basic-flow",
@@ -1982,7 +2015,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "e89d11ed-c578-409a-aaed-d00db2951f66",
+    "id" : "6d972ab3-0618-4971-b44a-0fc0d11c7280",
     "alias" : "Authentication Options",
     "description" : "Authentication options.",
     "providerId" : "basic-flow",
@@ -2011,7 +2044,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "5bfb765d-30bf-4708-b85e-01beb0813a75",
+    "id" : "821a14e0-ef26-4b07-b716-fa34393eda56",
     "alias" : "Browser - Conditional OTP",
     "description" : "Flow to determine if the OTP is required for the authentication",
     "providerId" : "basic-flow",
@@ -2033,7 +2066,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "dfe729c0-df4b-4b9b-8170-fd29d703f691",
+    "id" : "e70eadbd-4c39-4cfd-86ac-e50acc753b1b",
     "alias" : "Direct Grant - Conditional OTP",
     "description" : "Flow to determine if the OTP is required for the authentication",
     "providerId" : "basic-flow",
@@ -2055,7 +2088,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "e52f6f8c-edd8-42eb-a956-1e642d054a09",
+    "id" : "4e35af97-acf4-4ca8-bc81-0477c1adfb6d",
     "alias" : "First broker login - Conditional OTP",
     "description" : "Flow to determine if the OTP is required for the authentication",
     "providerId" : "basic-flow",
@@ -2077,7 +2110,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "0fcdfbb3-4e4f-4c55-9e06-9baf3afef314",
+    "id" : "2e0bd063-274a-4aab-a5f0-038a0bca5b98",
     "alias" : "Handle Existing Account",
     "description" : "Handle what to do if there is existing account with same email/username like authenticated identity provider",
     "providerId" : "basic-flow",
@@ -2099,7 +2132,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "a3db4f3a-a772-4530-b948-c2ea688dc993",
+    "id" : "6a20fab2-44bb-4451-b29a-6fb7e14a52ce",
     "alias" : "Reset - Conditional OTP",
     "description" : "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.",
     "providerId" : "basic-flow",
@@ -2121,7 +2154,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "d540d238-e69c-4eb1-8238-bf43c9f59118",
+    "id" : "159d7398-74a7-4f60-a3fd-eb2df46f5ce7",
     "alias" : "User creation or linking",
     "description" : "Flow for the existing/non-existing user alternatives",
     "providerId" : "basic-flow",
@@ -2144,7 +2177,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "b0b433e3-3a58-4915-8833-ad55fef4aab7",
+    "id" : "85a66c55-4665-4ba0-bec9-7254eb8e5895",
     "alias" : "Verify Existing Account by Re-authentication",
     "description" : "Reauthentication of existing account",
     "providerId" : "basic-flow",
@@ -2166,7 +2199,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "68ec036a-f399-4980-80b7-a27867f5e650",
+    "id" : "c002e6da-2397-4fae-8d48-1eec3719ca15",
     "alias" : "browser",
     "description" : "browser based authentication",
     "providerId" : "basic-flow",
@@ -2202,7 +2235,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "aa32f681-942b-4194-b8df-124f210bcaa9",
+    "id" : "a03631cf-2fea-4a12-a35c-8137023503bd",
     "alias" : "clients",
     "description" : "Base authentication for clients",
     "providerId" : "client-flow",
@@ -2238,7 +2271,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "1169765a-7850-4a9a-9a72-9a9dcf75ac8b",
+    "id" : "a89940e4-bf4d-4a04-8fdf-dcf775336b20",
     "alias" : "direct grant",
     "description" : "OpenID Connect Resource Owner Grant",
     "providerId" : "basic-flow",
@@ -2267,7 +2300,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "60f23852-a761-4290-982b-c51876f4c382",
+    "id" : "2dc2582b-be6f-4d9a-b545-b2c0e79a3581",
     "alias" : "docker auth",
     "description" : "Used by Docker clients to authenticate against the IDP",
     "providerId" : "basic-flow",
@@ -2282,7 +2315,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "a09aa7bd-3f8f-444d-83d0-f095b5f7c6bb",
+    "id" : "09e56692-226f-4384-85e0-e33463cdb226",
     "alias" : "first broker login",
     "description" : "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account",
     "providerId" : "basic-flow",
@@ -2305,7 +2338,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "85d2028a-ab84-4fcb-8088-94c927051018",
+    "id" : "1439c900-92e0-4230-a1a7-ae82c3b8ddc9",
     "alias" : "forms",
     "description" : "Username, password, otp and other auth forms.",
     "providerId" : "basic-flow",
@@ -2327,7 +2360,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "43ffa27d-3940-4b9b-857d-85f2b3729710",
+    "id" : "4cc3bb1b-e85d-447e-b50e-1afbe107bafe",
     "alias" : "http challenge",
     "description" : "An authentication flow based on challenge-response HTTP Authentication Schemes",
     "providerId" : "basic-flow",
@@ -2349,7 +2382,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "2e900379-7ae7-431d-a586-2014f7688aa0",
+    "id" : "04c49d80-30e4-4a37-b1c7-4d18c1b6a7f1",
     "alias" : "registration",
     "description" : "registration flow",
     "providerId" : "basic-flow",
@@ -2365,7 +2398,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "844942ca-41ae-4d50-b3ab-7815d9df6332",
+    "id" : "85abb75a-0774-4b2d-8a71-2a92b0cfb639",
     "alias" : "registration form",
     "description" : "registration form",
     "providerId" : "form-flow",
@@ -2401,7 +2434,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "7c108a2a-abbd-462e-a9fc-917f28b67f80",
+    "id" : "948f68c1-015b-4349-a56f-6ee177d558ce",
     "alias" : "reset credentials",
     "description" : "Reset credentials for a user if they forgot their password or something",
     "providerId" : "basic-flow",
@@ -2437,7 +2470,7 @@
       "userSetupAllowed" : false
     } ]
   }, {
-    "id" : "b47ae4b9-a177-44ef-b41e-c7e5da6220c7",
+    "id" : "6046d416-4a88-4af6-b440-9fbc87fba478",
     "alias" : "saml ecp",
     "description" : "SAML ECP Profile Authentication Flow",
     "providerId" : "basic-flow",
@@ -2453,13 +2486,13 @@
     } ]
   } ],
   "authenticatorConfig" : [ {
-    "id" : "81c9b7e4-2574-46b1-8a2a-e35edc716c1c",
+    "id" : "3c91aefc-127f-4722-8375-72e8434d6266",
     "alias" : "create unique user config",
     "config" : {
       "require.password.update.after.registration" : "false"
     }
   }, {
-    "id" : "14491568-0d51-4082-9bb2-216d3cb4ab34",
+    "id" : "1041c583-4682-44a8-b61b-9712bd4987c4",
     "alias" : "review profile config",
     "config" : {
       "update.profile.on.first.login" : "missing"

dbrepo-authentication-service/docker-entrypoint.sh

-#!/bin/bash
-
-/app/service-register.sh authentication-service 8443 8080
-(while sleep 60; do bash /app/service-register.sh authentication-service 8443 8080; done) &
-
-/opt/keycloak/bin/kc.sh start-dev --import-realm

dbrepo-authentication-service/service-register.sh

-#!/bin/bash
-
-# $1 is used as the host name.
-
-EUREKA_HOST="discovery-service"
-EUREKA_PORT="9090"
-EUREKA_URI="http://$EUREKA_HOST:$EUREKA_PORT"
-
-SERVICE_NAME="$1"
-SERVICE_PROTOCOL="http"
-SERVICE_HOST="$1"
-SECURE_PORT="${2:-9000}"
-SERVICE_PORT="${3:-9000}"
-
-SERVICE_URI="$SERVICE_PROTOCOL://$SERVICE_HOST:$SERVICE_PORT"
-HOME_URI="$SERVICE_URI/realms/dbrepo"
-HEALTH_URI="$SERVICE_URI/health"
-
-# This is the URL shown in the "status" field in the
-# instances section of the eureka dashboard.
-#
-# It's up to you to decide what the URL points to. Some
-# information or status endpoint might be good.
-STATUS_URI="$SERVICE_URI/health"
-
-# This is the name displayed to the right of the status
-# on the eureka dashbard. If the app (FAKE_SERVICE) is
-# registered with more than one hostname, they will be
-# displayed as a comma-separated list. This hostname
-# is part of the heartbeat message.
-#
-# If you'll have more than one host per service,
-# make sure they have different host names.
-HOST_NAME="${1:-fake01}"
-
-# Everyone of these parameters seem to be required. I don't know
-# anything about secureVipAddress and vipAddress.
-#
-# dataCenterInfo must have a name of "MyOwn" or "Amazon".
-#
-# status can be UP, DOWN, STARTING, OUT_OF_SERVICE, UNKNOWN.
-#   if the registration status is STARTING, then the service
-#   will never be evicted. Also, simply sending a Heartbeat
-#   does not change the status.
-#
-# The metadata fields can be any information you want associated
-# with a service. I recommend keeping it short.
-#
-
-cat <<EOF > /tmp/json.json
-{
-  "instance": {
-    "instanceId": "$SERVICE_NAME:$SERVICE_NAME:$SERVICE_PORT",
-    "hostName": "$HOST_NAME",
-    "app": "$SERVICE_NAME",
-    "ipAddr": "$SERVICE_HOST",
-    "status": "UP",
-    "dataCenterInfo": {
-      "@class": "com.netflix.appinfo.MyDataCenterInfo",
-      "name": "MyOwn"
-    },
-    "healthCheckUrl": "$HEALTH_URI",
-    "homePageUrl": "$HOME_URI",
-    "leaseInfo": {
-      "evictionDurationInSecs": 90
-    },
-    "metadata": {
-      "zone": "default",
-      "management.port": "8443"
-    },
-    "port": {
-      "\$": "$SERVICE_PORT",
-      "@enabled": "true"
-    },
-    "securePort": {
-      "\$": "$SECURE_PORT",
-      "@enabled": "true"
-    },
-    "vipAddress": "$SERVICE_HOST",
-    "secureVipAddress": "$SERVICE_HOST",
-    "statusPageUrl": "$STATUS_URI"
-  }
-}
-EOF
-
-curl --header "content-type: application/json" --data-binary @/tmp/json.json --silent $EUREKA_URI/eureka/apps/$SERVICE_NAME

dbrepo-broker-service/Dockerfile

@@ -5,9 +5,7 @@ MAINTAINER Martin Weise <martin.weise@tuwien.ac.at>
 ###### SECOND STAGE ######
 FROM rabbitmq:3-management-alpine as runtime
 
-ENV PYTHONUNBUFFERED=1
-ENV JWT_PUBKEY=public-key
-ENV JWT_CERT=cert
+ENV RABBITMQ_DEFAULT_VHOST=dbrepo
 
 RUN apk --no-cache add curl
 
@@ -15,13 +13,13 @@ COPY ./rabbitmq.conf /etc/rabbitmq/rabbitmq.conf
 
 WORKDIR /app
 
+ENV JWT_PUBKEY=public-key
+ENV JWT_CERT=cert
+
 COPY ./init.sh ./init.sh
-COPY ./service-register.sh ./service-register.sh
 COPY ./service_ready /usr/bin/service_ready
 COPY ./docker-entrypoint.sh ./docker-entrypoint.sh
 
-RUN chmod +x ./service-register.sh
-
 HEALTHCHECK --interval=10s --timeout=5s --retries=12 CMD service_ready
 
 ENTRYPOINT [ "bash", "/app/docker-entrypoint.sh" ]
\ No newline at end of file

dbrepo-broker-service/docker-entrypoint.sh

@@ -6,8 +6,4 @@ bash ./init.sh
 # enable prometheus plugin
 (sleep 10; rabbitmq-plugins enable rabbitmq_prometheus rabbitmq_mqtt rabbitmq_auth_backend_oauth2 rabbitmq_auth_mechanism_ssl; touch /ready) &
 
-# register with discovery service
-/app/service-register.sh broker-service 15672 15672
-(while sleep 60; do /app/service-register.sh broker-service 15672 15672; done) &
-
 rabbitmq-server
\ No newline at end of file

dbrepo-broker-service/service-register.sh

-#!/bin/bash
-
-# $1 is used as the host name.
-
-EUREKA_HOST="discovery-service"
-EUREKA_PORT="9090"
-EUREKA_URI="http://$EUREKA_HOST:$EUREKA_PORT"
-
-SERVICE_NAME="$1"
-SERVICE_PROTOCOL="http"
-SERVICE_HOST="$1"
-SECURE_PORT="${2:-9000}"
-SERVICE_PORT="${3:-9000}"
-
-SERVICE_URI="$SERVICE_PROTOCOL://$SERVICE_HOST:$SERVICE_PORT"
-HOME_URI="$SERVICE_URI/realms/dbrepo"
-HEALTH_URI="$SERVICE_URI/health"
-
-# This is the URL shown in the "status" field in the
-# instances section of the eureka dashboard.
-#
-# It's up to you to decide what the URL points to. Some
-# information or status endpoint might be good.
-STATUS_URI="$SERVICE_URI/health"
-
-# This is the name displayed to the right of the status
-# on the eureka dashbard. If the app (FAKE_SERVICE) is
-# registered with more than one hostname, they will be
-# displayed as a comma-separated list. This hostname
-# is part of the heartbeat message.
-#
-# If you'll have more than one host per service,
-# make sure they have different host names.
-HOST_NAME="${1:-fake01}"
-
-# Everyone of these parameters seem to be required. I don't know
-# anything about secureVipAddress and vipAddress.
-#
-# dataCenterInfo must have a name of "MyOwn" or "Amazon".
-#
-# status can be UP, DOWN, STARTING, OUT_OF_SERVICE, UNKNOWN.
-#   if the registration status is STARTING, then the service
-#   will never be evicted. Also, simply sending a Heartbeat
-#   does not change the status.
-#
-# The metadata fields can be any information you want associated
-# with a service. I recommend keeping it short.
-#
-
-cat <<EOF > /tmp/json.json
-{
-  "instance": {
-    "instanceId": "$SERVICE_NAME:$SERVICE_NAME:$SERVICE_PORT",
-    "hostName": "$HOST_NAME",
-    "app": "$SERVICE_NAME",
-    "ipAddr": "$SERVICE_HOST",
-    "status": "UP",
-    "dataCenterInfo": {
-      "@class": "com.netflix.appinfo.MyDataCenterInfo",
-      "name": "MyOwn"
-    },
-    "healthCheckUrl": "$HEALTH_URI",
-    "homePageUrl": "$HOME_URI",
-    "leaseInfo": {
-      "evictionDurationInSecs": 90
-    },
-    "metadata": {
-      "zone": "default",
-      "management.port": "15672"
-    },
-    "port": {
-      "\$": "$SERVICE_PORT",
-      "@enabled": "true"
-    },
-    "securePort": {
-      "\$": "$SECURE_PORT",
-      "@enabled": "false"
-    },
-    "vipAddress": "$SERVICE_HOST",
-    "secureVipAddress": "$SERVICE_HOST",
-    "statusPageUrl": "$STATUS_URI"
-  }
-}
-EOF
-
-curl --header "content-type: application/json" --data-binary @/tmp/json.json --silent $EUREKA_URI/eureka/apps/$SERVICE_NAME

dbrepo-container-service/Dockerfile

@@ -3,7 +3,8 @@ FROM dbrepo-metadata-db:latest as dependency
 MAINTAINER Martin Weise <martin.weise@tuwien.ac.at>
 
 ###### SECOND STAGE ######
-FROM maven:slim as build
+FROM maven:3-openjdk-17 as build
+MAINTAINER Martin Weise <martin.weise@tuwien.ac.at>
 
 COPY ./pom.xml ./
 
@@ -19,7 +20,10 @@ COPY ./report ./report
 RUN mvn -q clean package -DskipTests
 
 ###### THIRD STAGE ######
-FROM openjdk:11-jre-slim as runtime
+FROM openjdk:17-alpine as runtime
+MAINTAINER Martin Weise <martin.weise@tuwien.ac.at>
+
+RUN apk --no-cache add bash
 
 ENV METADATA_DB=fda
 ENV METADATA_USERNAME=root
@@ -31,7 +35,7 @@ ENV USER_NETWORK=userdb
 ENV LOG_LEVEL=debug
 ENV DBREPO_CLIENT_SECRET=client-secret
 ENV CLIENT_ID=dbrepo-client
-ENV JWT_ISSUER=http://localhost:8080/realms/dbrepo
+ENV JWT_ISSUER=http://localhost/realms/dbrepo
 ENV JWT_PUBKEY=public-key
 
 WORKDIR /app