Merge branch 'dev' into ui-november

Former-commit-id: 646d08ee

.gitlab-ci/deploy

 #!/bin/bash
-scp ./.rhel-prod/install_cert dbrepo.ossdip.at:
-scp ./.rhel-prod/docker-compose.yml dbrepo.ossdip.at:
-ssh dbrepo.ossdip.at "docker-compose down"
-ssh dbrepo.ossdip.at "ENV=${ENV} ./install_cert"
-ssh dbrepo.ossdip.at "ENV=${ENV} docker-compose up -d"
\ No newline at end of file
+#scp ./.rhel-prod/install_cert dbrepo.ossdip.at:
+#scp ./.rhel-prod/docker-compose.yml dbrepo.ossdip.at:
+#ssh dbrepo.ossdip.at "docker-compose down"
+#ssh dbrepo.ossdip.at "ENV=${ENV} ./install_cert"
+#ssh dbrepo.ossdip.at "ENV=${ENV} docker-compose up -d"
\ No newline at end of file

.rhel-prod/fda-authentication-service/install_cert

+#!/bin/bash
+TMP_CERT_LOCATION="/root/keys/cert.p12"
+TMP_SAML_LOCATION="/root/keys/saml.p12"
+KEY_STORE_LOCATION="/tmp/dbrepo.jks"
+KEY_STORE_PASS="dbrepo"
+CERT_LOCATION="/etc/letsencrypt/live/dbrepo.ossdip.at"
+SAML_KEY="/root/keys/saml_sign.key"
+SAML_PUB="/root/keys/saml_sign.cer"
+
+# REQUEST
+sudo certbot certonly --standalone --preferred-challenges http -d dbrepo.ossdip.at \
+		-m martin.weise@tuwien.ac.at --agree-tos --keep-until-expiring
+
+# CONVERT PKCS12
+sudo openssl pkcs12 -export -out "${TMP_SAML_LOCATION}" -in "${SAML_PUB}" \
+  -inkey "${SAML_KEY}" -passout "pass:${KEY_STORE_PASS}"
+
+# CONVERT PKCS12
+sudo openssl pkcs12 -export -out "${TMP_CERT_LOCATION}" -in "${CERT_LOCATION}/cert.pem" \
+  -inkey "${CERT_LOCATION}/privkey.pem" -passout "pass:${KEY_STORE_PASS}"
+
+# FIX PERMISSIONS
+sudo chmod 644 "${TMP_CERT_LOCATION}"
+sudo chmod 644 "${TMP_SAML_LOCATION}"
+
+# IMPORT
+sudo keytool -noprompt -importkeystore -deststorepass "${KEY_STORE_PASS}" -destkeypass "${KEY_STORE_PASS}" \
+  -destkeystore "${KEY_STORE_LOCATION}" -srckeystore "${TMP_CERT_LOCATION}" -srcstoretype PKCS12 \
+  -srcstorepass "${KEY_STORE_PASS}" -alias 1 -destalias ssl
+
+# IMPORT
+sudo keytool -noprompt -importkeystore -deststorepass "${KEY_STORE_PASS}" -destkeypass "${KEY_STORE_PASS}" \
+  -destkeystore "${KEY_STORE_LOCATION}" -srckeystore "${TMP_SAML_LOCATION}" -srcstoretype PKCS12 \
+  -srcstorepass "${KEY_STORE_PASS}" -alias 1 -destalias saml
+
+# TRUST LET'S ENCRYPT
+sudo keytool -noprompt -import -alias letsencrypt -keystore "${KEY_STORE_LOCATION}" \
+  -file "${CERT_LOCATION}/chain.pem"
\ No newline at end of file

.gitlab-ci/frontend/install_cert → .rhel-prod/fda-ui/install_cert

 #!/bin/bash
 CA_PATH="/etc/letsencrypt/live/dbrepo.ossdip.at"
-CERT_PATH="./fda-ui/.prod/"
-USER="rocky"
-
-if [ "$ENV" != "prod" ]; then
-  echo "WARN: environment must be prod"
-  exit 0
-fi
 
 sudo certbot certonly --standalone --preferred-challenges http -d dbrepo.ossdip.at \
                 -m martin.weise@tuwien.ac.at --agree-tos --keep-until-expiring
 
-sudo cp "${CA_PATH}/cert.pem" "${CERT_PATH}"
-sudo cp "${CA_PATH}/privkey.pem" "${CERT_PATH}"
-
-mv ./fda-ui/secure.conf ./fda-ui/.prod/default.conf
-
-mkdir -p "${CERT_PATH}"
-sudo chown -R "${USER}:docker" "${CERT_PATH}"
+KEY=$(sudo sed -E ':a;N;$!ba;s/\r{0,1}\n/\\n/g' "${CA_PATH}/privkey.pem")
+CERT=$(sudo sed -E ':a;N;$!ba;s/\r{0,1}\n/\\n/g' "${CA_PATH}/cert.pem")
 
-ls -la "${CERT_PATH}"
+cat << EOF > .env
+UI_KEY="${KEY}"
+UI_CERT="${CERT}"
+EOF
\ No newline at end of file

.rhel-prod/hosts

+# FDA USERDB
+172.28.0.2      fda-userdb-weather-aus
+172.28.0.3      fda-userdb-infection
+172.28.0.4      fda-userdb-air
+172.28.0.5      fda-userdb-u01
+172.28.0.6      fda-userdb-u02
+172.28.0.7      fda-userdb-u03
\ No newline at end of file

.rhel-prod/install_cert

-#!/bin/bash
-CERT_STORE_LOCATION="/tmp/cert.p12"
-KEY_STORE_LOCATION="/tmp/dbrepo.jks"
-KEY_STORE_PASS="dbrepo"
-CERT_LOCATION="/etc/letsencrypt/live/dbrepo.ossdip.at"
-
-# REQUEST
-sudo certbot certonly --standalone --preferred-challenges http -d dbrepo.ossdip.at \
-		-m martin.weise@tuwien.ac.at --agree-tos --keep-until-expiring
-
-# CONVERT PKCS12
-sudo openssl pkcs12 -export -out "${CERT_STORE_LOCATION}" -in "${CERT_LOCATION}/cert.pem" \
-  -inkey "${CERT_LOCATION}/privkey.pem" -passout "pass:${KEY_STORE_PASS}"
-
-# FIX PERMISSIONS
-sudo chmod 644 "${CERT_STORE_LOCATION}"
-
-# IMPORT
-keytool -importkeystore -deststorepass "${KEY_STORE_PASS}" -destkeypass "${KEY_STORE_PASS}" \
-  -destkeystore "${KEY_STORE_LOCATION}" -srckeystore "${CERT_STORE_LOCATION}" -srcstoretype PKCS12 \
-  -srcstorepass "${KEY_STORE_PASS}" -alias 1
\ No newline at end of file

Makefile

@@ -3,13 +3,14 @@ REGISTRY=docker.ossdip.at
 all:
 
 config-backend:
-	./.rhel-prod/install_cert
+	./.rhel-prod/fda-authentication-service/install_cert
 
 config-registry:
 	./.rhel-registry/install_cert
 
 config-frontend:
-	./.gitlab-ci/frontend/install_cert
+	./.rhel-prod/fda-ui/install_cert
+	docker-compose -f docker-compose.prod.yml config
 
 config-docker:
 	docker image pull -q postgres:13.4-alpine || true > /dev/null
@@ -23,28 +24,28 @@ build-backend-metadata:
 	mvn -f ./fda-metadata-db/pom.xml clean install
 
 build-backend-authentication:
-	mvn -f ./fda-authentication-service/pom.xml -q clean package -DskipTests > /dev/null
+	mvn -f ./fda-authentication-service/pom.xml clean package -DskipTests
 
 build-backend-citation:
-	mvn -f ./fda-citation-service/pom.xml -q clean package -DskipTests > /dev/null
+	mvn -f ./fda-citation-service/pom.xml clean package -DskipTests
 
 build-backend-container:
-	mvn -f ./fda-container-service/pom.xml -q clean package -DskipTests > /dev/null
+	mvn -f ./fda-container-service/pom.xml clean package -DskipTests
 
 build-backend-database:
-	mvn -f ./fda-database-service/pom.xml -q clean package -DskipTests > /dev/null
+	mvn -f ./fda-database-service/pom.xml clean package -DskipTests
 
 build-backend-discovery:
-	mvn -f ./fda-discovery-service/pom.xml -q clean package -DskipTests > /dev/null
+	mvn -f ./fda-discovery-service/pom.xml clean package -DskipTests
 
 build-backend-gateway:
-	mvn -f ./fda-gateway-service/pom.xml -q clean package -DskipTests > /dev/null
+	mvn -f ./fda-gateway-service/pom.xml clean package -DskipTests
 
 build-backend-query:
-	mvn -f ./fda-query-service/pom.xml -q clean package -DskipTests > /dev/null
+	mvn -f ./fda-query-service/pom.xml clean package -DskipTests
 
 build-backend-table:
-	mvn -f ./fda-table-service/pom.xml -q clean package -DskipTests > /dev/null
+	mvn -f ./fda-table-service/pom.xml clean package -DskipTests
 
 build-backend: build-backend-metadata build-backend-authentication build-backend-citation build-backend-container build-backend-database build-backend-discovery build-backend-gateway build-backend-query build-backend-table
 
@@ -52,12 +53,18 @@ build-docker: config-docker
 	docker-compose build fda-metadata-db
 	docker-compose build
 
+build-docker-sandbox: config-docker
+	docker-compose -f docker-compose.prod.yml build fda-metadata-db
+	docker-compose -f docker-compose.prod.yml build
+
 build-frontend:
 	npm --prefix ./fda-ui install
 	npm --prefix ./fda-ui run build
 
 build: clean build-backend build-frontend build-docker
 
+build-sandbox: clean build-backend build-frontend build-docker-sandbox
+
 test-backend: test-backend-auth test-backend-citation test-backend-container test-backend-database test-backend-discovery test-backend-gateway test-backend-query test-backend-table
 
 test-backend-auth:
@@ -100,7 +107,7 @@ run-frontend:
 run:
 	docker-compose up -d
 
-run-sandbox:
+run-sandbox: config-frontend
 	docker-compose -f docker-compose.prod.yml up -d
 
 deploy-registry: config-registry
@@ -169,7 +176,7 @@ teardown:
 re-deploy: teardown deploy-staging
 
 deploy-stable: registry-stable
-	ENV=prod NGINX_PORT=443 ./.gitlab-ci/deploy
+	./.gitlab-ci/deploy
 
 deploy-staging: registry-staging
-	ENV=prod NGINX_PORT=443 ./.gitlab-ci/deploy
+	./.gitlab-ci/deploy

docker-compose.prod.yml

@@ -34,12 +34,12 @@ services:
       - fda-public
     volumes:
       - fda-metadata-db-data:/var/lib/postgresql/data
-    ports:
-      - "5432:5432"
     environment:
       POSTGRES_USER: postgres
       POSTGRES_PASSWORD: postgres
       POSTGRES_DB: fda
+    logging:
+      driver: json-file
 
   fda-discovery-service:
     restart: on-failure
@@ -51,8 +51,8 @@ services:
       - fda-public
     environment:
       SPRING_PROFILES_ACTIVE: docker
-    ports:
-      - "9090:9090"
+    logging:
+      driver: json-file
 
   fda-gateway-service:
     restart: on-failure
@@ -66,8 +66,6 @@ services:
           - fda-gateway-service
     environment:
       SPRING_PROFILES_ACTIVE: docker
-    ports:
-      - "9095:9095"
     depends_on:
       fda-container-service:
         condition: service_healthy
@@ -91,8 +89,6 @@ services:
       - fda-public
     environment:
       SPRING_PROFILES_ACTIVE: docker,seeder,sandbox
-    ports:
-      - "9092:9092"
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
     depends_on:
@@ -117,8 +113,6 @@ services:
       - fda-public
     environment:
       SPRING_PROFILES_ACTIVE: docker,seeder,sandbox
-    ports:
-      - "9091:9091"
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
     depends_on:
@@ -129,27 +123,27 @@ services:
     logging:
       driver: json-file
 
-#  fda-authentication-service:
-#    restart: on-failure
-#    container_name: fda-authentication-service
-#    hostname: fda-authentication-service
-#    build: ./fda-authentication-service
-#    image: fda-authentication-service
-#    networks:
-#      - fda-public
-#    volumes:
-#      - /tmp:/tmp
-#    environment:
-#      SERVER_NAME: dbrepo.local
-#      SPRING_PROFILES_ACTIVE: docker
-#      KEY_STORE_PASSWORD: ${KEY_STORE_PASSWORD}
-#    ports:
-#      - "9097:9097"
-#    depends_on:
-#      fda-discovery-service:
-#        condition: service_healthy
-#    logging:
-#      driver: json-file
+  fda-authentication-service:
+    restart: on-failure
+    container_name: fda-authentication-service
+    hostname: fda-authentication-service
+    build: ./fda-authentication-service
+    image: fda-authentication-service
+    networks:
+      - fda-public
+    volumes:
+      - /tmp:/tmp
+    environment:
+      SERVER_NAME: dbrepo.ossdip.at
+      SPRING_PROFILES_ACTIVE: sandbox
+      KEY_STORE_PASSWORD: ${KEY_STORE_PASSWORD}
+    ports:
+      - "9097:9097"
+    depends_on:
+      fda-discovery-service:
+        condition: service_healthy
+    logging:
+      driver: json-file
 
   fda-query-service:
     restart: on-failure
@@ -161,9 +155,7 @@ services:
       - fda-public
       - fda-userdb
     environment:
-      SPRING_PROFILES_ACTIVE: docker
-    ports:
-      - "9093:9093"
+      SPRING_PROFILES_ACTIVE: docker,seeder,sandbox
     volumes:
       - /tmp:/tmp
     depends_on:
@@ -171,6 +163,8 @@ services:
         condition: service_healthy
       fda-container-service:
         condition: service_healthy
+      fda-table-service:
+        condition: service_healthy
       fda-metadata-db:
         condition: service_healthy
     logging:
@@ -186,10 +180,8 @@ services:
       - fda-public
       - fda-userdb
     environment:
-      SPRING_PROFILES_ACTIVE: docker
+      SPRING_PROFILES_ACTIVE: docker,seeder,sandbox
       multipart.location: /tmp
-    ports:
-      - "9094:9094"
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
       - /tmp:/tmp
@@ -202,6 +194,10 @@ services:
         condition: service_healthy
       fda-database-service:
         condition: service_healthy
+      fda-search-service:
+        condition: service_started
+    logging:
+      driver: json-file
 
 #  fda-citation-service:
 #    restart: on-failure
@@ -236,8 +232,6 @@ services:
     command: sh -c "/wait && flask run" # docker-compose should not test the implementation
     environment:
       EUREKA_SERVER: http://fda-discovery-service:9090/eureka/
-    ports:
-      - "5000:5000"
     volumes:
       - /tmp:/tmp
       - /var/run/docker.sock:/var/run/docker.sock
@@ -257,17 +251,17 @@ services:
     image: fda-broker-service
     networks:
       - fda-public
-    ports:
-      - "5672:5672"
-      - "15672:15672"
     volumes:
       - fda-broker-service-data:/var/lib/rabbitmq/
+    logging:
+      driver: json-file
 
   fda-search-service:
     restart: always
     container_name: fda-search-service
     hostname: fda-search-service
     image: elasticsearch:7.13.4
+    command: ["elasticsearch"]
     networks:
       - fda-public
     environment:
@@ -277,11 +271,8 @@ services:
     depends_on:
       fda-discovery-service:
         condition: service_healthy
-      fda-table-service:
-        condition: service_healthy
-    ports:
-      - "9200:9200"
-      - "9600:9600"
+    logging:
+      driver: json-file
 
   fda-ui:
     restart: on-failure
@@ -301,4 +292,7 @@ services:
     environment:
       HOST: 0.0.0.0
       API: http://fda-gateway-service:9095
-      SECURE: https
+      KEY: "${UI_KEY}"
+      CERT: "${UI_CERT}"
+    logging:
+      driver: json-file

docker-compose.yml

@@ -40,6 +40,8 @@ services:
       POSTGRES_USER: postgres
       POSTGRES_PASSWORD: postgres
       POSTGRES_DB: fda
+    logging:
+      driver: json-file
 
   fda-discovery-service:
     restart: on-failure
@@ -53,6 +55,8 @@ services:
       SPRING_PROFILES_ACTIVE: docker
     ports:
       - "9090:9090"
+    logging:
+      driver: json-file
 
   fda-gateway-service:
     restart: on-failure
@@ -71,6 +75,8 @@ services:
     depends_on:
       fda-container-service:
         condition: service_healthy
+      fda-authentication-service:
+        condition: service_healthy
       fda-database-service:
         condition: service_healthy
       fda-table-service:
@@ -129,27 +135,27 @@ services:
     logging:
       driver: json-file
 
-#  fda-authentication-service:
-#    restart: on-failure
-#    container_name: fda-authentication-service
-#    hostname: fda-authentication-service
-#    build: ./fda-authentication-service
-#    image: fda-authentication-service
-#    networks:
-#      - fda-public
-#    volumes:
-#      - /tmp:/tmp
-#    environment:
-#      SERVER_NAME: dbrepo.local
-#      SPRING_PROFILES_ACTIVE: docker
-#      KEY_STORE_PASSWORD: ${KEY_STORE_PASSWORD}
-#    ports:
-#      - "9097:9097"
-#    depends_on:
-#      fda-discovery-service:
-#        condition: service_healthy
-#    logging:
-#      driver: json-file
+  fda-authentication-service:
+    restart: on-failure
+    container_name: fda-authentication-service
+    hostname: fda-authentication-service
+    build: ./fda-authentication-service
+    image: fda-authentication-service
+    networks:
+      - fda-public
+    volumes:
+      - /tmp:/tmp
+    environment:
+      SERVER_NAME: dbrepo.local
+      SPRING_PROFILES_ACTIVE: docker
+      KEY_STORE_PASSWORD: ${KEY_STORE_PASSWORD:-dbrepo}
+    ports:
+      - "9097:9097"
+    depends_on:
+      fda-discovery-service:
+        condition: service_healthy
+    logging:
+      driver: json-file
 
   fda-query-service:
     restart: on-failure
@@ -161,7 +167,7 @@ services:
       - fda-public
       - fda-userdb
     environment:
-      SPRING_PROFILES_ACTIVE: docker
+      SPRING_PROFILES_ACTIVE: docker,seeder
     ports:
       - "9093:9093"
     volumes:
@@ -171,6 +177,8 @@ services:
         condition: service_healthy
       fda-container-service:
         condition: service_healthy
+      fda-table-service:
+        condition: service_healthy
       fda-metadata-db:
         condition: service_healthy
     logging:
@@ -186,7 +194,7 @@ services:
       - fda-public
       - fda-userdb
     environment:
-      SPRING_PROFILES_ACTIVE: docker
+      SPRING_PROFILES_ACTIVE: docker,seeder
       multipart.location: /tmp
     ports:
       - "9094:9094"
@@ -204,6 +212,8 @@ services:
         condition: service_healthy
       fda-search-service:
         condition: service_started
+    logging:
+      driver: json-file
 
 #  fda-citation-service:
 #    restart: on-failure
@@ -264,6 +274,8 @@ services:
       - "15672:15672"
     volumes:
       - fda-broker-service-data:/var/lib/rabbitmq/
+    logging:
+      driver: json-file
 
   fda-search-service:
     restart: always
@@ -301,6 +313,10 @@ services:
     depends_on:
       fda-gateway-service:
         condition: service_healthy
+      fda-discovery-service:
+        condition: service_healthy
     environment:
       HOST: 0.0.0.0
       API: http://fda-gateway-service:9095
+    logging:
+      driver: json-file

fda-authentication-service/Dockerfile

@@ -15,8 +15,6 @@ COPY ./rest-service ./rest-service
 COPY ./services ./services
 COPY ./report ./report
 
-ARG CI_JOB_STAGE
-
 # Make sure it compiles
 RUN mvn -q clean package -DskipTests > /dev/null
 
@@ -25,11 +23,13 @@ FROM openjdk:11-jre-slim as runtime
 
 VOLUME /tmp
 
-COPY --from=build ./rest-service/target/rest-service-*.jar ./rest-service.jar
 COPY ./service_ready /usr/bin
+RUN chmod +x /usr/bin/service_ready
 
 HEALTHCHECK --interval=10s --timeout=3s --retries=6 CMD service_ready
 
-EXPOSE 9091
+COPY --from=build ./rest-service/target/rest-service-*.jar ./rest-service.jar
+
+EXPOSE 9097
 
 ENTRYPOINT ["java", "-jar", "./rest-service.jar"]

fda-authentication-service/README.md

@@ -20,7 +20,7 @@ set KEY_STORE_PASSWORD "..."
 
 The key store is a secure container that contains the SSL/TLS certificate:
 
-1. Let's Encrypt private key for `dbrepo.ossdip.at` with alias `1`
+1. Let's Encrypt private key for `dbrepo.ossdip.at` with alias `ssl`
 
 ## Development
 

fda-authentication-service/pom.xml

@@ -110,6 +110,12 @@
             <artifactId>jacoco-maven-plugin</artifactId>
             <version>${jacoco.version}</version>
         </dependency>
+        <!-- DataSource -->
+        <dependency>
+            <groupId>com.h2database</groupId>
+            <artifactId>h2</artifactId>
+            <scope>runtime</scope>
+        </dependency>
         <!-- IDE -->
         <dependency>
             <groupId>org.projectlombok</groupId>

fda-authentication-service/rest-service/src/main/java/at/tuwien/FdaAuthenticationServiceApplication.java

@@ -10,8 +10,7 @@ import springfox.documentation.oas.annotations.EnableOpenApi;
 
 @EnableOpenApi
 @EnableWebSecurity
-@SpringBootApplication(exclude = {DataSourceAutoConfiguration.class,
-        DataSourceTransactionManagerAutoConfiguration.class, HibernateJpaAutoConfiguration.class})
+@SpringBootApplication
 public class FdaAuthenticationServiceApplication {
 
     public static void main(String[] args) {

fda-authentication-service/services/src/main/java/at/tuwien/config/ReadyConfig.java → fda-authentication-service/rest-service/src/main/java/at/tuwien/config/ReadyConfig.java

 package at.tuwien.config;
 
 import com.google.common.io.Files;
+import lombok.extern.log4j.Log4j2;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.context.event.ApplicationReadyEvent;
 import org.springframework.context.annotation.Configuration;
@@ -9,6 +10,7 @@ import org.springframework.context.event.EventListener;
 import java.io.File;
 import java.io.IOException;
 
+@Log4j2
 @Configuration
 public class ReadyConfig {
 

fda-authentication-service/rest-service/src/main/java/at/tuwien/config/SamlConfig.java

@@ -3,7 +3,7 @@ package at.tuwien.config;
 import org.apache.commons.httpclient.HttpClient;
 import org.apache.commons.httpclient.MultiThreadedHttpConnectionManager;
 import org.apache.velocity.app.VelocityEngine;
-import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
+import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
 import org.opensaml.saml2.metadata.provider.MetadataProvider;
 import org.opensaml.saml2.metadata.provider.MetadataProviderException;
 import org.opensaml.xml.parse.StaticBasicParserPool;
@@ -19,6 +19,7 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.saml.*;
 import org.springframework.security.saml.context.SAMLContextProvider;
+import org.springframework.security.saml.context.SAMLContextProviderImpl;
 import org.springframework.security.saml.context.SAMLContextProviderLB;
 import org.springframework.security.saml.key.JKSKeyManager;
 import org.springframework.security.saml.key.KeyManager;
@@ -38,8 +39,6 @@ import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuc
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
-import java.io.File;
-import java.io.IOException;
 import java.util.*;
 
 @Configuration
@@ -50,6 +49,12 @@ public class SamlConfig extends WebSecurityConfigurerAdapter {
     @Value("${fda.idp.metadata}")
     private String idpProviderMetadata;
 
+    @Value("${fda.idp.entity-id}")
+    private String idpEntityId;
+
+    @Value("${fda.saml.signkey}")
+    private String samlSignKey;
+
     @Value("${fda.base-url}")
     private String baseUrl;
 
@@ -135,15 +140,25 @@ public class SamlConfig extends WebSecurityConfigurerAdapter {
     @Bean
     public SAMLEntryPoint samlEntryPoint() {
         final SAMLEntryPoint samlEntryPoint = new SAMLEntryPoint();
+        samlEntryPoint.setSamlLogger(samlLogger());
+        samlEntryPoint.setContextProvider(samlContextProvider());
+        samlEntryPoint.setWebSSOprofile(webSSOprofile());
         samlEntryPoint.setDefaultProfileOptions(defaultWebSSOProfileOptions());
         return samlEntryPoint;
     }
 
+    @Bean
+    public SAMLContextProvider samlContextProvider() {
+        return new SAMLContextProviderImpl();
+    }
+
     @Bean
     public ExtendedMetadata extendedMetadata() {
         final ExtendedMetadata extendedMetadata = new ExtendedMetadata();
         extendedMetadata.setIdpDiscoveryEnabled(true);
-        extendedMetadata.setSignMetadata(false);
+        extendedMetadata.setSignMetadata(true);
+        extendedMetadata.setSigningKey(samlSignKey);
+//        extendedMetadata.setEncryptionKey(samlSignKey);
         return extendedMetadata;
     }
 
@@ -153,11 +168,11 @@ public class SamlConfig extends WebSecurityConfigurerAdapter {
     }
 
     @Bean
-    public ExtendedMetadataDelegate extendedMetadataProvider() throws MetadataProviderException, IOException {
-        ExtendedMetadataDelegate extendedMetadataDelegate = new ExtendedMetadataDelegate(pivotalTestMetadataProvider(),
+    public ExtendedMetadataDelegate extendedMetadataProvider() throws MetadataProviderException {
+        ExtendedMetadataDelegate extendedMetadataDelegate = new ExtendedMetadataDelegate(metadataProvider(),
                 extendedMetadata());
         extendedMetadataDelegate.setMetadataTrustCheck(true);
-        extendedMetadataDelegate.setMetadataRequireSignature(false);
+        extendedMetadataDelegate.setMetadataRequireSignature(true);
         return extendedMetadataDelegate;
     }
 
@@ -173,6 +188,11 @@ public class SamlConfig extends WebSecurityConfigurerAdapter {
         return new MetadataDisplayFilter();
     }
 
+    @Bean
+    public Timer timer() {
+        return new Timer();
+    }
+
     @Bean
     public SAMLProcessingFilter samlWebSSOProcessingFilter() throws Exception {
         final SAMLProcessingFilter samlWebSSOProcessingFilter = new SAMLProcessingFilter();
@@ -232,14 +252,14 @@ public class SamlConfig extends WebSecurityConfigurerAdapter {
     @Override
     protected void configure(HttpSecurity http) throws Exception {
         http.requiresChannel()
-                .anyRequest().requiresSecure();
+                .anyRequest()
+                .requiresSecure();
         http.httpBasic()
                 .authenticationEntryPoint(samlEntryPoint());
         http.csrf()
                 .disable();
         http.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
                 .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);
-        /* allow metadata and saml stuff */
         http.authorizeRequests()
                 .antMatchers("/saml/**").permitAll()
                 .antMatchers("/health").permitAll()
@@ -248,11 +268,8 @@ public class SamlConfig extends WebSecurityConfigurerAdapter {
     }
 
     @Bean
-    public MetadataProvider pivotalTestMetadataProvider() throws MetadataProviderException, IOException {
-        final DefaultResourceLoader loader = new DefaultResourceLoader();
-        final Resource storeFile = loader.getResource("classpath:saml/sp_metadata.xml");
-        final File tuMetadata = storeFile.getFile();
-        final FilesystemMetadataProvider provider = new FilesystemMetadataProvider(tuMetadata);
+    public MetadataProvider metadataProvider() throws MetadataProviderException {
+        final HTTPMetadataProvider provider = new HTTPMetadataProvider(timer(), httpClient(), idpProviderMetadata);
         provider.setParserPool(parserPool());
         return provider;
     }
@@ -260,7 +277,7 @@ public class SamlConfig extends WebSecurityConfigurerAdapter {
     @Bean
     public MetadataGenerator metadataGenerator() {
         final MetadataGenerator metadataGenerator = new MetadataGenerator();
-        metadataGenerator.setEntityId("at:tuwien");
+        metadataGenerator.setEntityId(idpEntityId);
         metadataGenerator.setRequestSigned(false);
         metadataGenerator.setExtendedMetadata(extendedMetadata());
         metadataGenerator.setIncludeDiscoveryExtension(false);
@@ -275,6 +292,8 @@ public class SamlConfig extends WebSecurityConfigurerAdapter {
         final SAMLContextProviderLB contextProvider = new SAMLContextProviderLB();
         contextProvider.setScheme("https");
         contextProvider.setServerName(serverName + ":" + serverPort);
+        contextProvider.setServerPort(Integer.parseInt(serverPort));
+        contextProvider.setIncludeServerPortInRequestURL(false);
         contextProvider.setContextPath("/");
         return contextProvider;
     }

fda-authentication-service/rest-service/src/main/java/at/tuwien/endpoints/AuthenticationEndpoint.java

@@ -5,16 +5,17 @@ import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.Authentication;
 import org.springframework.web.bind.annotation.*;
 
-@RestController("/api/auth")
 @Log4j2
+@RestController
+@CrossOrigin(origins = "*")
 public class AuthenticationEndpoint {
 
-    @GetMapping("/")
+    @GetMapping("/api/auth")
     public String index() {
         return "Index";
     }
 
-    @GetMapping("/info")
+    @GetMapping("/api/auth/info")
     public ResponseEntity<Object> info(Authentication authentication) {
         return ResponseEntity.ok(authentication.getName());
     }

fda-authentication-service/rest-service/src/main/resources/application-docker.yml

 spring:
   main.banner-mode: off
   datasource:
-    url: jdbc:postgresql://fda-metadata-db:5432/fda
-    driver-class-name: org.postgresql.Driver
-    username: postgres
-    password: postgres
+    url: jdbc:h2:mem:testdb
+    driver-class-name: org.h2.Driver
+    username: sa
+    password: sa
   jpa:
     show-sql: false
-    database-platform: org.hibernate.dialect.PostgreSQLDialect
+    database-platform: org.hibernate.dialect.H2Dialect
     hibernate:
-      ddl-auto: validate
+      ddl-auto: create-drop
     open-in-view: false
   application:
     name: fda-authentication-service
   cloud:
-    discovery.enabled: false
     loadbalancer.ribbon.enabled: false
-  security:
-    saml2:
-      relyingparty:
-        registration:
-          tu-saml:
-            identityprovider:
-              entity-id: at:tuwien
-#              signing.credentials:
-#                - certificate-location:
-#                  private-key-location:
-              verification.credentials:
-                - certificate-location: classpath:ssl/tu.cer
-              singlesignon.url: https://idp.zid.tuwien.ac.at/simplesaml/saml2/idp/SSOService.php
-              singlesignon.sign-request: false
 server:
   port: 9097
-  name: ${SERVER_NAME}
   ssl:
     enabled: true
     key-alias: 1
-    key-store: classpath:ssl/dbrepo.jks
+    key-store: classpath:saml/dbrepo.jks
     key-store-password: ${KEY_STORE_PASSWORD}
     key-store-type: jks
 logging:
@@ -49,5 +33,8 @@ eureka:
   client.serviceUrl.defaultZone: http://fda-discovery-service:9090/eureka/
 fda:
   ready.path: /ready
-  idp.metadata: https://idp.zid.tuwien.ac.at/saml2
-  base-url: https://dbrepo.ossdip.at:9097
\ No newline at end of file
+  idp:
+    entity-id: "at:tuwien"
+    metadata: https://idp.zid.tuwien.ac.at/saml2
+  saml.signkey: saml
+  base-url: https://fda-authentication-service
\ No newline at end of file

fda-authentication-service/rest-service/src/main/resources/application.yml → fda-authentication-service/rest-service/src/main/resources/application-sandbox.yml

 spring:
   main.banner-mode: off
   datasource:
-    url: jdbc:postgresql://localhost:5432/fda
-    driver-class-name: org.postgresql.Driver
-    username: postgres
-    password: postgres
+    url: jdbc:h2:mem:testdb
+    driver-class-name: org.h2.Driver
+    username: sa
+    password: sa
   jpa:
     show-sql: false
-    database-platform: org.hibernate.dialect.PostgreSQLDialect
+    database-platform: org.hibernate.dialect.H2Dialect
     hibernate:
-      ddl-auto: validate
+      ddl-auto: create-drop
     open-in-view: false
   application:
     name: fda-authentication-service
   cloud:
-    discovery.enabled: false
     loadbalancer.ribbon.enabled: false
-  security:
-    saml2:
-      relyingparty:
-        registration:
-          tu-saml:
-            identityprovider:
-              entity-id: at:tuwien
-#              signing.credentials:
-#                - certificate-location:
-#                  private-key-location:
-              verification.credentials:
-                - certificate-location: classpath:ssl/tu.cer
-              singlesignon.url: https://idp.zid.tuwien.ac.at/simplesaml/saml2/idp/SSOService.php
-              singlesignon.sign-request: true
 server:
   port: 9097
-  name: ${SERVER_NAME}
   ssl:
     enabled: true
-    key-alias: 1
-    key-store: classpath:ssl/dbrepo.jks
-    key-store-password: ${KEY_STORE_PASSWORD}
+    key-alias: ssl
+    key-store: file:/tmp/dbrepo.jks
+    key-store-password: "${KEY_STORE_PASSWORD}"
     key-store-type: jks
 logging:
   pattern.console: "%d %highlight(%-5level) %msg%n"
   level:
-    root: warn
+    root: debug
     at.tuwien.: debug
 eureka:
   instance.hostname: fda-authentication-service
-  client.serviceUrl.defaultZone: http://localhost:9090/eureka/
+  client.serviceUrl.defaultZone: http://fda-discovery-service:9090/eureka/
 fda:
   ready.path: /ready
-  idp.metadata: https://idp.zid.tuwien.ac.at/saml2
+  idp:
+    entity-id: "at:tuwien"
+    metadata: https://idp.zid.tuwien.ac.at/saml2
+  saml.signkey: saml
   base-url: https://dbrepo.ossdip.at:9097
\ No newline at end of file

fda-authentication-service/rest-service/src/main/resources/bin/install_selfsigned_cert → fda-authentication-service/rest-service/src/main/resources/bin/gen_jks

@@ -27,17 +27,3 @@ keytool -importkeystore -srckeystore "${KEY_STORE_LOCATION}" -destkeystore "${JK
   -deststoretype jks -srcstorepass "${KEY_STORE_PASS}" -deststorepass "${KEY_STORE_PASS}" \
   -srcalias "${KEY_STORE_ALIAS}" -destalias "${KEY_STORE_ALIAS}" -srckeypass "${SSL_PASS}" \
   -destkeypass "${SSL_PASS}"
-
-# COMBINE CERTIFICATE AND PRIVATE KEY
-echo "Import SAML keys ..."
-openssl pkcs12 -export -out "${SAML_STORE_LOCATION}" -in "${SAML_CERTIFICATE}" -inkey "${SAML_KEY}" \
-  -passout "pass:${SAML_PASS}"
-keytool -importkeystore -srckeystore "${SAML_STORE_LOCATION}" -destkeystore "${JKS_LOCATION}" -srcstoretype PKCS12 \
-  -trustcacerts -noprompt -deststoretype jks -srcstorepass "${KEY_STORE_PASS}" -deststorepass "${KEY_STORE_PASS}" \
-  -srcalias "1" -destalias "${SAML_ALIAS}" -srckeypass "${SAML_PASS}" \
-  -destkeypass "${SAML_PASS}"
-
-# IMPORT TU WIEN CERTIFICATE
-echo "Import TU certificate ..."
-keytool -importcert -trustcacerts -noprompt -keystore "${JKS_LOCATION}" -storepass "${KEY_STORE_PASS}" \
-  -alias "${TU_ALIAS}" -file ./fda-authentication-service/rest-service/src/main/resources/saml/tu.cer

fda-authentication-service/rest-service/src/main/resources/bin/install_saml_keys

-#!/bin/bash
-SIGN_KEYS_LOCATION="./rest-service/src/main/resources/saml"
-
-# CREATE SIGNING KEYS
-openssl req -newkey rsa:4096 -new \
-  -subj "/C=AT/ST=Vienna/L=Vienna/O=TU Wien/OU=Zentrum für Forschungsdatenmanagement/CN=FAIR Data Austria" \
-  -nodes -x509 -days 3650 -keyout "${SIGN_KEYS_LOCATION}/saml_sign_priv.key" \
-  -out "${SIGN_KEYS_LOCATION}/saml_sign_public.cer"
\ No newline at end of file