Updated install script

8dc6d365 · Martin Weise · 35027178 · 8dc6d365 · 8dc6d365 · 8dc6d365
Verified Commit 8dc6d365 authored Jul 18, 2024 by Martin Weise
--- a/.docker/.env
+++ b/.docker/.env
+# general
+BASE_URL=
 ADMIN_EMAIL=support@example.com
-# password for cn=admin,dc=dbrepo,dc=at
-IDENTITY_SERVICE_ADMIN_PASSWORD=fbfef87364fe1f0d5bcc016de0be2005
+# password for the identity service admin user
+IDENTITY_SERVICE_ADMIN_PASSWORD=admin
+# password for the auth service admin user
+AUTH_SERVICE_ADMIN_PASSWORD=admin
 # passwords for root user of the databases
-METADATA_DB_PASSWORD=f37fa4ba8c1f2d90ed37218275736018
-DATA_DB_PASSWORD=92ff19f31fb55ef6f1d7f27f2015504f
-AUTH_DB_PASSWORD=32c0bf0611c5bd0c53c21bea87a432b6
-SEARCH_DB_PASSWORD=72c28aa831ce2da8d63d87af6761b8c1
+METADATA_DB_PASSWORD=dbrepo
+DATA_DB_PASSWORD=dbrepo
+AUTH_DB_PASSWORD=dbrepo
+SEARCH_DB_PASSWORD=dbrepo
 # storage service
-S3_ACCESS_KEY_ID=672093d6ab952654b8cffd64bdbf64d2
-S3_SECRET_ACCESS_KEY=f84039188daf247c49012a7931be4535
-# internal user
-SYSTEM_PASSWORD=efe287c82818692e9ac25117487c9eb7
+S3_ACCESS_KEY_ID=seaweedfsadmin
+S3_SECRET_ACCESS_KEY=seaweedfsadmin
+# internal admin user, requires a change of the value of auth_ldap.dn_lookup_bind.password in dist/rabbitmq.conf
+SYSTEM_PASSWORD=admin
--- a/.docker/docker-compose.yml
+++ b/.docker/docker-compose.yml
@@ -26,7 +26,7 @@ services:
      MARIADB_DATABASE: "${METADATA_DB:-dbrepo}"
      MARIADB_ROOT_PASSWORD: "${METADATA_DB_PASSWORD:-dbrepo}"
    healthcheck:
-      test: mysqladmin ping --user="${METADATA_USERNAME:-root}" --password="${METADATA_DB_PASSWORD:-dbrepo}" --silent
+      test: mysqladmin ping --user=root --password="${METADATA_DB_PASSWORD:-dbrepo}" --silent
      interval: 10s
      timeout: 5s
      retries: 12
@@ -431,10 +431,8 @@ services:
      BROKER_EXCHANGE_NAME: ${BROKER_EXCHANGE_NAME:-dbrepo}
      BROKER_QUEUE_NAME: ${BROKER_QUEUE_NAME:-dbrepo}
      BROKER_HOST: "${BROKER_ENDPOINT:-broker-service}"
-      BROKER_PASSWORD: ${BROKER_PASSWORD:-admin}
      BROKER_PORT: ${BROKER_PORT:-5672}
      BROKER_SERVICE_ENDPOINT: ${BROKER_SERVICE_ENDPOINT:-http://gateway-service/admin/broker}
-      BROKER_USERNAME: ${BROKER_USERNAME:-admin}
      BROKER_VIRTUALHOST: "${BROKER_VIRTUALHOST:-dbrepo}"
      CONNECTION_TIMEOUT: ${CONNECTION_TIMEOUT:-60000}
      EXCHANGE_NAME: ${EXCHANGE_NAME:-dbrepo}

--- a/.docs/images/architecture.drawio
+++ b/.docs/images/architecture.drawio
-<mxfile host="Electron" modified="2024-07-17T12:02:57.588Z" agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/24.6.4 Chrome/124.0.6367.207 Electron/30.0.6 Safari/537.36" etag="O7nthEdDByNBwN0tnA1g" version="24.6.4" type="device" pages="8">
+<mxfile host="Electron" modified="2024-07-18T03:24:43.687Z" agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/24.6.4 Chrome/124.0.6367.207 Electron/30.0.6 Safari/537.36" etag="yfnnaSFCfO3oi8Cn43Ov" version="24.6.4" type="device" pages="8">
  <diagram id="mvBsv1rP8O80Qe3yGnn_" name="docker-compose">
-    <mxGraphModel dx="1687" dy="967" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="1169" pageHeight="827" math="0" shadow="0">
+    <mxGraphModel dx="683" dy="391" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="1169" pageHeight="827" math="0" shadow="0">
      <root>
        <mxCell id="0" />
        <mxCell id="1" parent="0" />
@@ -274,6 +274,11 @@
        <mxCell id="f61RwCrreTIYbJ5Vt7fi-17" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=1;exitY=0.5;exitDx=0;exitDy=0;entryX=0;entryY=0.5;entryDx=0;entryDy=0;startArrow=classic;startFill=1;" edge="1" parent="1" source="f61RwCrreTIYbJ5Vt7fi-3" target="O_ELZSFbvl3Butg3bv_j-1">
          <mxGeometry relative="1" as="geometry" />
        </mxCell>
+        <mxCell id="f61RwCrreTIYbJ5Vt7fi-18" value="idp" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" vertex="1" connectable="0" parent="f61RwCrreTIYbJ5Vt7fi-17">
+          <mxGeometry x="-0.1676" y="1" relative="1" as="geometry">
+            <mxPoint x="4" as="offset" />
+          </mxGeometry>
+        </mxCell>
        <mxCell id="f61RwCrreTIYbJ5Vt7fi-3" value="Identity Service&lt;div&gt;(OpenLDAP)&lt;/div&gt;" style="rounded=1;whiteSpace=wrap;html=1;fillColor=#E6E6E6;fontColor=#000000;strokeColor=#000000;" vertex="1" parent="1">
          <mxGeometry x="30" y="470" width="130" height="40" as="geometry" />
        </mxCell>

--- a/.docs/images/screenshots/secure-auth-service-1.png
+++ b/.docs/images/screenshots/secure-auth-service-1.png
--- a/.docs/images/screenshots/secure-auth-service-2.png
+++ b/.docs/images/screenshots/secure-auth-service-2.png
--- a/.docs/installation.md
+++ b/.docs/installation.md
@@ -36,14 +36,26 @@ SSL/TLS certificate is recommended. Follow the [secure install](#secure-install)

 ## Secure Installation

-Execute the install script to download only the environment and save it to `dist`.
+1. Execute the install script to download only the environment and save it to `dist`.

    ```shell
    curl -sSL https://gitlab.phaidra.org/fair-data-austria-db-repository/fda-services/-/raw/release-1.4.5/install.sh | DOWNLOAD_ONLY=1 bash
    ```

-To secure your deployment traffic with **SSL/TLS**, tell the Gateway Service to use your certificate secret (e.g. from 
-Let's Encrypt):
+2. Call the helper script to regenerate the client secret of the `dbrepo-client` and set it as value of the
+   `AUTH_SERVICE_CLIENT_SECRET` variable in the `.env` file.
+
+    ```bash
+    curl -sSL "https://gitlab.phaidra.org/fair-data-austria-db-repository/fda-services/-/raw/release-1.4.5/.scripts/reg-client-secret.sh" | bash
+    ```
+
+3. Finally, update the rest of the default secrets in the `.env` file to secure passwords. You can use `openssl` for
+   that, e.g. `openssl rand -hex 16`. 
+
+    Set `auth_ldap.dn_lookup_bind.password` in `dist/rabbitmq.conf` to the value of `SYSTEM_PASSWORD`.
+
+4. To secure your deployment traffic with SSL/TLS, tell the Gateway Service to use your certificate secret (e.g.
+   from Let's Encrypt):

    ```yaml title="docker-compose.yml"
    services:
@@ -74,29 +86,6 @@ server {
    }
    ```

-Afterwards, briefly start DBRepo with `docker compose up -d` and change the client secret of the `dbrepo-client` of the
-Auth Service by calling [https://localhost/api/auth](https://localhost/api/auth) and logging into the Auth Service.
-
-Change the realm :material-numeric-1-circle-outline: to "dbrepo" and navigate to :material-numeric-2-circle-outline:
-"Clients". In the list, select the "dbrepo-client" client and then select the "Credentials" tab 
-:material-numeric-3-circle-outline:. Finally, open the generation confirmation dialog by clicking the "Regenerate" 
-button :material-numeric-4-circle-outline: (c.f. Figure 1).
-
-<figure markdown>
-![](../images/screenshots/secure-auth-service-1.png){ .img-border }
-<figcaption>Figure 1: Page to open the client secret regeneration.</figcaption>
-</figure>
-
-Finally, confirm the secret recreation by clicking the "Yes" button :material-numeric-1-circle-outline: (c.f. Figure 2).
-
-<figure markdown>
-![](../images/screenshots/secure-auth-service-2.png){ .img-border }
-<figcaption>Figure 2: Regeneration confirmation dialog.</figcaption>
-</figure>
-
-Set the `AUTH_SERVICE_CLIENT_SECRET` variable to the newly generated secret in your `.env` file. Finally, update the
-**default secrets** in `.env` to secure passwords. You can use `openssl` for that, e.g. `openssl rand -hex 16`.
-
 ## Troubleshooting

 In case the deployment is unsuccessful, we have explanations on their origin and solutions to the most common errors:

--- a/.scripts/docker-prune.sh
+++ b/.scripts/docker-prune.sh
-#!/bin/bash
-if [[ "$CI_COMMIT_BRANCH" =~ (dev|master) ]]; then
-  echo "pruning for branch ${CI_COMMIT_BRANCH} ..."
-  docker system prune -f -a --volumes
-fi
\ No newline at end of file
--- a/.scripts/reg-client-secret.sh
+++ b/.scripts/reg-client-secret.sh
+#!/bin/bash
+USERNAME=""
+PASSWORD=""
+
+fancy () {
+  printf "\e[1;34m$1\e[m"
+}
+
+printf "This is a utility script to re-generate the client secret of the %s client.\n" $(fancy dbrepo-client)
+fancy "Your credentials are never transmitted outside your machine!\n\n"
+read -rp "Username: " USERNAME
+read -rp "Password: " PASSWORD
+
+# get admin token
+ADMIN_ACCESS_TOKEN=$(curl -fsSL -X POST -d "username=${USERNAME}&password=${PASSWORD}&grant_type=password&client_id=admin-cli" http://localhost/api/auth/realms/master/protocol/openid-connect/token | jq -r .access_token)
+printf "\nSuccessfully obtained admin token."
+
+# re-generate client secret
+SECRET=$(curl -fsSL -X POST -H "Authorization: Bearer ${ADMIN_ACCESS_TOKEN}" http://localhost/api/auth/admin/realms/dbrepo/clients/6b7ef364-4132-4831-b4e2-b6e9e9dc63ee/client-secret | jq -r .value)
+printf "\nSuccessfully re-generated client secret: %s" $(fancy $SECRET)
--- a/dbrepo-broker-service/advanced.config
+++ b/dbrepo-broker-service/advanced.config
@@ -5,7 +5,7 @@
      {
        tag_queries, [
          {
-            administrator, {in_group_nested, "cn=system,ou=users,dn=dbrepo,dn=at", "member"}
+            administrator, {in_group_nested, "cn=system,ou=users,dc=dbrepo,dc=at", "member"}
          },
          {
            management, {constant, true}

--- a/dbrepo-metadata-service/rest-service/src/main/resources/application.yml
+++ b/dbrepo-metadata-service/rest-service/src/main/resources/application.yml
@@ -6,7 +6,7 @@ spring:
    url: "jdbc:mariadb://${METADATA_HOST:metadata-db}:3306/${METADATA_DB:dbrepo}${METADATA_JDBC_EXTRA_ARGS}"
    driver-class-name: org.mariadb.jdbc.Driver
    username: "${METADATA_USERNAME:root}"
-    password: "${METADATA_PASSWORD:dbrepo}"
+    password: "${METADATA_DB_PASSWORD:dbrepo}"
  jpa:
    show-sql: false
    database-platform: org.hibernate.dialect.MariaDBDialect

--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -377,6 +377,7 @@ services:
      - '1389:1389'
      - '1636:1636'
    environment:
+      BITNAMI_DEBUG: true
      LDAP_ADMIN_USERNAME: "${IDENTITY_SERVICE_ADMIN_USERNAME:-admin}"
      LDAP_ADMIN_PASSWORD: "${IDENTITY_SERVICE_ADMIN_PASSWORD:-admin}"
      LDAP_USERS: "${SYSTEM_USERNAME:-admin}"
@@ -496,10 +497,10 @@ services:
      BROKER_EXCHANGE_NAME: ${BROKER_EXCHANGE_NAME:-dbrepo}
      BROKER_QUEUE_NAME: ${BROKER_QUEUE_NAME:-dbrepo}
      BROKER_HOST: "${BROKER_ENDPOINT:-broker-service}"
-      BROKER_PASSWORD: ${BROKER_PASSWORD:-admin}
+      BROKER_PASSWORD: ${SYSTEM_USERNAME:-admin}
      BROKER_PORT: ${BROKER_PORT:-5672}
      BROKER_SERVICE_ENDPOINT: ${BROKER_SERVICE_ENDPOINT:-http://gateway-service/admin/broker}
-      BROKER_USERNAME: ${BROKER_USERNAME:-admin}
+      BROKER_USERNAME: ${SYSTEM_PASSWORD:-admin}
      BROKER_VIRTUALHOST: "${BROKER_VIRTUALHOST:-dbrepo}"
      CONNECTION_TIMEOUT: ${CONNECTION_TIMEOUT:-60000}
      EXCHANGE_NAME: ${EXCHANGE_NAME:-dbrepo}