diff --git a/.dev/auth.keystore b/.dev/auth.keystore
new file mode 100644
index 0000000000000000000000000000000000000000..80f27648a5bd46021659ce72acbf5863e769d0ed
Binary files /dev/null and b/.dev/auth.keystore differ
diff --git a/.dev/chain.jks b/.dev/chain.jks
new file mode 100644
index 0000000000000000000000000000000000000000..64146799b61fdbc5d96a9cad70d8db3e4e20f01e
Binary files /dev/null and b/.dev/chain.jks differ
diff --git a/.dev/generate-jks.sh b/.dev/generate-jks.sh
new file mode 100644
index 0000000000000000000000000000000000000000..a506bee8402dd51e0ced1d02aa9cd1346b86b6f9
--- /dev/null
+++ b/.dev/generate-jks.sh
@@ -0,0 +1,117 @@
+#!/bin/bash
+# ----------------
+# https://blogs.oracle.com/blogbypuneeth/post/create-an-internal-certification-authority-ca-using-keytool-and-sign-your-server-certificate
+# ----------------
+STORE_PASS=password
+KEY_PASS=password
+
+declare -A services
+services[9091]=container
+services[9092]=database
+services[9093]=query
+services[9094]=table
+services[9095]=gateway
+services[9096]=identifier
+services[9097]=authentication
+services[9098]=user
+services[9099]=metadata
+
+function generate () {
+ if [ -z "$2" ]; then
+ CN="$1"
+ else
+ CN="$1-$2"
+ fi
+ echo "... generate $CN certificate"
+ keytool -genkeypair -storepass ${STORE_PASS} -keypass ${KEY_PASS} -storetype PKCS12 -keyalg RSA -keysize 2048 \
+ -dname "CN=$CN, OU=DS-IFS, O=TU Wien, C=AT" -alias "$CN" -ext "SAN:c=DNS:localhost,IP:127.0.0.1" \
+ -keystore ./server.keystore
+}
+
+function sign () {
+ if [ -z "$2" ]; then
+ CN="$1"
+ else
+ CN="$1-$2"
+ fi
+ echo "... sign $CN certificate"
+ keytool -alias "$CN" -certreq -storepass ${STORE_PASS} -keyalg RSA \
+ -keystore ./server.keystore | keytool -alias intermediate -gencert -storepass ${STORE_PASS} \
+ -keyalg RSA | keytool -alias "$CN" -importcert -storepass ${STORE_PASS} -keyalg RSA \
+ -keystore ./server.keystore -noprompt -trustcacerts
+}
+
+function crt () {
+ echo "... export $1 certificate"
+ keytool -exportcert -alias "$1" -rfc -storepass ${STORE_PASS} -keystore "$2" > "./$1.crt"
+}
+
+function move () {
+ if [ -z "$2" ]; then
+ CN="$1"
+ else
+ CN="$1-$2"
+ fi
+ echo "... move jks to the $CN"
+ cp ./server.keystore "../dbrepo-$CN/server.keystore"
+}
+
+echo "Remove old JKS(s)"
+rm -f ./server.keystore ./auth.keystore ./chain.jks ./*.crt
+
+echo "Generate root certificate"
+keytool -alias root -dname "CN=RootCA, OU=DS-IFS, O=TU Wien, C=AT" -genkeypair -ext KeyUsage="keyCertSign" \
+ -ext BasicConstraints:"critical=ca:true" -validity 3600 -storepass ${STORE_PASS} -keyalg RSA
+
+echo "Generate intermediate certificate"
+keytool -alias intermediate -dname "CN=IntermediateCA, OU=DS-IFS, O=TU Wien, C=AT" -genkeypair \
+ -ext KeyUsage="keyCertSign" -ext BasicConstraints:"critical=ca:true" -validity 1800 -storepass ${STORE_PASS} \
+ -keyalg RSA
+
+echo "Sign the intermediate certificate"
+keytool -alias intermediate -certreq -storepass ${STORE_PASS} -keyalg RSA | keytool -alias root -gencert \
+ -ext KeyUsage="keyCertSign" -ext BasicConstraints:"critical=ca:true" -storepass ${STORE_PASS} \
+ -keyalg RSA | keytool -alias intermediate -importcert -storepass ${STORE_PASS} -keyalg RSA
+
+echo "Import the root certificate to the JKS"
+keytool -export -alias root -storepass ${STORE_PASS} | keytool -import -alias root -keystore ./server.keystore \
+ -storepass ${STORE_PASS} -noprompt -trustcacerts
+
+echo "Import the intermediate certificate to the JKS"
+keytool -export -alias intermediate -storepass ${STORE_PASS} | keytool -import -alias intermediate -keystore ./server.keystore \
+ -storepass ${STORE_PASS} -noprompt -trustcacerts
+
+echo "Generating the certificate key pairs"
+for key in "${!services[@]}"; do
+ generate "${services[$key]}" "service"
+done
+generate "ui"
+
+echo "Sign the certificates with intermediate certificate"
+for key in "${!services[@]}"; do
+ sign "${services[$key]}" "service"
+done
+sign "ui"
+
+echo "Export the trusted keystore"
+keytool -export -alias intermediate -storepass ${STORE_PASS} | keytool -import -alias intermediate \
+ -keystore ./chain.jks -storepass ${STORE_PASS} -trustcacerts -noprompt
+keytool -export -alias root -storepass ${STORE_PASS} | keytool -import -alias root -keystore ./chain.jks \
+ -storepass ${STORE_PASS} -trustcacerts -noprompt
+
+echo "Export CRTs"
+crt root ./chain.jks
+crt intermediate ./chain.jks
+
+echo "Copy the JKS(s)"
+for key in "${!services[@]}"; do
+ move "${services[$key]}" "service"
+done
+move "ui"
+
+echo "Create the authentication service JKS"
+echo "... import private key into the key store"
+keytool -importkeystore -srckeystore ./server.keystore -srcstorepass ${STORE_PASS} -srcalias "authentication-service" \
+ -destkeystore ./auth.keystore -deststorepass ${STORE_PASS} -deststoretype PKCS12 -destalias "server" -trustcacerts \
+ -noprompt
+rm -f ../dbrepo-authentication-service/auth.keystore && cp ./auth.keystore ../dbrepo-authentication-service/auth.keystore
diff --git a/.dev/intermediate.crt b/.dev/intermediate.crt
new file mode 100644
index 0000000000000000000000000000000000000000..7dfeab98046414c7d2ddde9af6923bc49ac0e5ee
--- /dev/null
+++ b/.dev/intermediate.crt
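Review bot: The single `./server.keystore` that every `generate` call writes into holds the private keys of all ten services plus `ui`, and `move` copies that same file into every `../dbrepo-$CN/server.keystore`, so each service ships with every other service's key — and this diff commits those keystores (identical blob in nine service directories, plus `.dev/auth.keystore` and `.dev/chain.jks`) protected by the hard-coded `STORE_PASS=password`, while `.gitignore` only gains `root.crt`. Export one per-service keystore in `move` with `keytool -importkeystore -srcalias "$CN"`, take the passwords from the environment, and ignore the generated `*.keystore`/`*.jks` so only certificates are tracked. Separately, `-validity 1800` on the intermediate key pair does not reach the issued certificate: the `-gencert` calls have no `-validity`, so they use keytool's default (the committed `.dev/intermediate.crt` decodes to 2023-05-08 … 2023-08-06, i.e. 90 days), and the service certificates produced by `sign` get the same short lifetime; pass `-validity` to each `-gencert`. The script also runs without `set -euo pipefail`, so a failing stage inside the three-way `keytool | keytool | keytool` pipelines is not noticed and the `-noprompt` import just proceeds.
```shell
#!/bin/bash
set -euo pipefail
STORE_PASS="${STORE_PASS:?set STORE_PASS in the environment}"
KEY_PASS="${KEY_PASS:?set KEY_PASS in the environment}"
# … unchanged: services map, generate, crt …

function sign () {
  # … unchanged: CN selection, echo …
  keytool -alias "$CN" -certreq -storepass "${STORE_PASS}" -keyalg RSA -keystore ./server.keystore \
    | keytool -alias intermediate -gencert -storepass "${STORE_PASS}" -keyalg RSA -validity 365 \
    | keytool -alias "$CN" -importcert -storepass "${STORE_PASS}" -keyalg RSA -keystore ./server.keystore -noprompt -trustcacerts
}

function move () {
  # … unchanged: CN selection …
  echo "... export the $CN key pair into its own keystore"
  keytool -importkeystore -srckeystore ./server.keystore -srcstorepass "${STORE_PASS}" -srcalias "$CN" \
    -destkeystore "../dbrepo-$CN/server.keystore" -deststorepass "${STORE_PASS}" -deststoretype PKCS12 -noprompt
}

# … unchanged: root key pair …
keytool -alias intermediate -certreq -storepass "${STORE_PASS}" -keyalg RSA \
  | keytool -alias root -gencert -ext KeyUsage="keyCertSign" -ext BasicConstraints:"critical=ca:true" \
      -validity 1800 -storepass "${STORE_PASS}" -keyalg RSA \
  | keytool -alias intermediate -importcert -storepass "${STORE_PASS}" -keyalg RSA
# … unchanged: trust-store export, CRT export, auth keystore …
```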
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDaDCCAlCgAwIBAgIECTYCTTANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJB
+VDEQMA4GA1UEChMHVFUgV2llbjEPMA0GA1UECxMGRFMtSUZTMQ8wDQYDVQQDEwZS
+b290Q0EwHhcNMjMwNTA4MTgyNjQ2WhcNMjMwODA2MTgyNjQ2WjBJMQswCQYDVQQG
+EwJBVDEQMA4GA1UEChMHVFUgV2llbjEPMA0GA1UECxMGRFMtSUZTMRcwFQYDVQQD
+Ew5JbnRlcm1lZGlhdGVDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AKPTnhNdSjVJvRT6jBQuNWOYAeukC1hVAAuiOtU6QqQANFLRHACFQGs/QJkh1LRt
+HoNvN2W0EEljUQ5pgSym76xPXCg38OYmsV4w0gcSe34QyCCWkB82eBi48MEmsb6s
+x7n3uM+SaSwaFqxZFTQszsEVOJcnfRDBhYkT3juiuW0HzmMCuDa/V1sl1HgxbKRc
+zEXEk3PjDY12gsYNzF1jgB33Nwh692npdBca5MXJ+Gi0zvnM+1JgrfIYayC37+ZF
+UG10LYTSV4rG4NS9UzF/cBK9naddMgCgqIMGHnU5Z5N+PNPiHZ4WkX4Xf4Zu1WTg
+YGlsVjgNKTX6CYytrRwbWKUCAwEAAaNgMF4wHQYDVR0OBBYEFF5md9arqKs42p+W
+jhWXGwgVMmDKMAsGA1UdDwQEAwICBDAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQY
+MBaAFJ0un4jfS4HiMAw/U+dkuiXFsX8DMA0GCSqGSIb3DQEBCwUAA4IBAQCCyhop
+e3l6rF19EdiS5wjGE3YJl0FPYVjFVcmSXaNXaYh+v5rxyQN9Tv7kPN3EOTeWkj+n
+Lbhls7hpJa2ydmmcPXEDF/+Bn5cgRcCh/ayk8/W5WaxIX7dkFYKmFE/+CkXDSpGN
+kawYi99eDaB8wZbGh+SNN7oZpS6kg4L5WqrE4vrrrBMhZuUINFymbzybX4WMRZKr
+9n9G3RenYXVSJvWxyQAe/GuWrsO1xDpwz/k6zeMf0qYXAStbIIC3QK3tsRnRf/F9
+A8QKjOS/25k0waMDFPZ7p5T/Xay50uYGXG1BSHILta5IQ5vr7BzGi4u8pgyiDA4V
+PIDnZiCN3dbPUPnB
+-----END CERTIFICATE-----
diff --git a/.dev/server.keystore b/.dev/server.keystore
new file mode 100644
index 0000000000000000000000000000000000000000..16ebda54a77aae0da96cd72b13c4ce70859bd205
Binary files /dev/null and b/.dev/server.keystore differ
diff --git a/.env.unix.example b/.env.unix.example
index 890b2385aadbda123203fa85546631e1e42cace4..2e3275ab7986e30872700af49080e70bab2ff008 100644
--- a/.env.unix.example
+++ b/.env.unix.example
@@ -15,7 +15,7 @@ KEYCLOAK_ADMIN=fda
 KEYCLOAK_ADMIN_PASSWORD=fda
 BROKER_CONSUMERS=2
 WEBSITE=http://localhost
-GATEWAY_ENDPOINT=http://gateway-service
+GATEWAY_ENDPOINT=https://gateway-service
 TOKEN_MAX=5
 LOG_LEVEL=trace # error, warning, info, debug, trace
 DOI_URL="https://doi.org"
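Review bot: `https://gateway-service` cannot pass hostname verification against the gateway certificate this commit generates, because `generate` in `.dev/generate-jks.sh` sets the SAN to only `DNS:localhost,IP:127.0.0.1`; either the clients have hostname checking disabled, which would make the switch to https mostly cosmetic, or every call to this endpoint will fail on the certificate. Add the service name to the SAN in `generate`, e.g. `-ext "SAN:c=DNS:localhost,DNS:$CN,IP:127.0.0.1"` (for the gateway `$CN` is `gateway-service`), and regenerate the keystores. Whatever consumes this `.env` also needs the internal root/intermediate as a trust anchor (`.dev/chain.jks` or the exported `.crt` files); nothing in this hunk says where that trust store is wired in, so a comment next to `GATEWAY_ENDPOINT` pointing at it would help.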
diff --git a/.gitignore b/.gitignore index c6ecbb307e2005da46e879e0e33f70d1708bf4aa..adaba20ca20e566206398534c2931f787cab3f28 100644 --- a/.gitignore +++ b/.gitignore @@ -32,6 +32,9 @@ fda-ui/ # Environment .env +# X509 +root.crt + # scanning .trivy/trivy-*.json diff --git a/dbrepo-authentication-service/auth.keystore b/dbrepo-authentication-service/auth.keystore index e5fbb780a18153b3ccd70ed3e4a21c0203fbf86c..80f27648a5bd46021659ce72acbf5863e769d0ed 100644 Binary files a/dbrepo-authentication-service/auth.keystore and b/dbrepo-authentication-service/auth.keystore differ diff --git a/dbrepo-authentication-service/server.keystore b/dbrepo-authentication-service/server.keystore new file mode 100644 index 0000000000000000000000000000000000000000..16ebda54a77aae0da96cd72b13c4ce70859bd205 Binary files /dev/null and b/dbrepo-authentication-service/server.keystore differ diff --git a/dbrepo-container-service/server.keystore b/dbrepo-container-service/server.keystore new file mode 100644 index 0000000000000000000000000000000000000000..16ebda54a77aae0da96cd72b13c4ce70859bd205 Binary files /dev/null and b/dbrepo-container-service/server.keystore differ diff --git a/dbrepo-database-service/server.keystore b/dbrepo-database-service/server.keystore new file mode 100644 index 0000000000000000000000000000000000000000..16ebda54a77aae0da96cd72b13c4ce70859bd205 Binary files /dev/null and b/dbrepo-database-service/server.keystore differ diff --git a/dbrepo-gateway-service/dbrepo.conf b/dbrepo-gateway-service/dbrepo.conf index 8bada96c72d9d89d4d8f20dee5866a9b808e6ac6..a9d201eb78bee1c2eca0ebf6a1eb3a4a58856f99 100644 --- a/dbrepo-gateway-service/dbrepo.conf +++ b/dbrepo-gateway-service/dbrepo.conf 
@@ -133,7 +133,7 @@ server {
 proxy_read_timeout 90;
 }
 
- location /api/container/(.*)/database/(.*)/query {
+ location ~ ^/api/container/[0-9]+/database/[0-9]+/query {
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -142,7 +142,7 @@ server {
 proxy_read_timeout 90;
 }
 
- location /api/container/(.*)/database/(.*)/view {
+ location ~ ^/api/container/[0-9]+/database/[0-9]+/view {
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -151,7 +151,7 @@ server {
 proxy_read_timeout 90;
 }
 
- location /api/container/(.*)/database/(.*)/table/(.*)/history {
+ location ~ ^/api/container/[0-9]+/database/[0-9]+/table/[0-9]+/history {
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -160,7 +160,7 @@ server {
 proxy_read_timeout 90;
 }
 
- location /api/container/(.*)/database/(.*)/table/(.*)/data {
+ location ~ ^/api/container/[0-9]+/database/[0-9]+/table/[0-9]+/data {
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -169,7 +169,7 @@ server {
 proxy_read_timeout 90;
 }
 
- location /api/container/(.*)/database/(.*)/table/(.*)/query {
+ location ~ ^/api/container/[0-9]+/database/[0-9]+/table/[0-9]+/query {
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -178,7 +178,7 @@ server {
 proxy_read_timeout 90;
 }
 
- location /api/container/(.*)/database/(.*)/table/(.*)/export {
+ location ~ ^/api/container/[0-9]+/database/[0-9]+/table/[0-9]+/export {
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -187,7 +187,7 @@ server {
 proxy_read_timeout 90;
 }
 
- location /api/container/(.*)/database/(.*)/table/(.*)/consumer {
+ location ~ ^/api/container/[0-9]+/database/[0-9]+/table/[0-9]+/consumer {
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -196,7 +196,7 @@ server {
 proxy_read_timeout 90;
 }
 
- location /api/container/(.*)/database/(.*)/version {
+ location ~ ^/api/container/[0-9]+/database/[0-9]+/version {
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -205,7 +205,7 @@ server {
 proxy_read_timeout 90;
 }
 
- location /api/container/(.*)/database/(.*)/table {
+ location ~ ^/api/container/[0-9]+/database/[0-9]+/table {
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -214,7 +214,7 @@ server {
 proxy_read_timeout 90;
 }
 
- location /api/container/(.*)/database {
+ location ~ ^/api/container/[0-9]+/database {
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -223,7 +223,7 @@ server {
 proxy_read_timeout 90;
 }
 
- location /api/container/(.*)/database/(.*)/access {
+ location ~ ^/api/container/[0-9]+/database/[0-9]+/access {
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
diff --git a/dbrepo-gateway-service/server.keystore b/dbrepo-gateway-service/server.keystore
new file mode 100644
index 0000000000000000000000000000000000000000..16ebda54a77aae0da96cd72b13c4ce70859bd205
Binary files /dev/null and b/dbrepo-gateway-service/server.keystore differ
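Review bot: The `/access` block in the last hunk (line 223) is unreachable after this change: nginx takes the first matching `~` location in file order, none of the new regexes is end-anchored, and `^/api/container/[0-9]+/database` in the hunk at line 214 already matches `/api/container/1/database/2/access`, so those requests are proxied by the `/database` block (its `proxy_pass` is outside the hunk, so I cannot say which upstream that is). Either move the `/access` location above the generic `/database` one, or tighten the generic regex so it only matches the collection and single-resource forms, e.g. `location ~ ^/api/container/[0-9]+/database(/[0-9]+)?/?$ {`. The same lack of a `$` anchor means `/query`, `/view` etc. also match any longer path that starts with them (`/api/container/1/database/2/queryfoo`); consider ending each pattern with `(/|$)` if the services rely on the gateway to reject such paths. The surrounding `server { … }` and the `proxy_pass` lines of every block are outside the hunks.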
diff --git a/dbrepo-identifier-service/server.keystore b/dbrepo-identifier-service/server.keystore
new file mode 100644
index 0000000000000000000000000000000000000000..16ebda54a77aae0da96cd72b13c4ce70859bd205
Binary files /dev/null and b/dbrepo-identifier-service/server.keystore differ
diff --git a/dbrepo-metadata-service/server.keystore b/dbrepo-metadata-service/server.keystore
new file mode 100644
index 0000000000000000000000000000000000000000..16ebda54a77aae0da96cd72b13c4ce70859bd205
Binary files /dev/null and b/dbrepo-metadata-service/server.keystore differ
diff --git a/dbrepo-query-service/server.keystore b/dbrepo-query-service/server.keystore
new file mode 100644
index 0000000000000000000000000000000000000000..16ebda54a77aae0da96cd72b13c4ce70859bd205
Binary files /dev/null and b/dbrepo-query-service/server.keystore differ
diff --git a/dbrepo-table-service/server.keystore b/dbrepo-table-service/server.keystore
new file mode 100644
index 0000000000000000000000000000000000000000..16ebda54a77aae0da96cd72b13c4ce70859bd205
Binary files /dev/null and b/dbrepo-table-service/server.keystore differ
diff --git a/dbrepo-user-service/server.keystore b/dbrepo-user-service/server.keystore
new file mode 100644
index 0000000000000000000000000000000000000000..16ebda54a77aae0da96cd72b13c4ce70859bd205
Binary files /dev/null and b/dbrepo-user-service/server.keystore differ