From 7adfd52c0410d2ae6a8e6c2bd5bb5c90ac9af771 Mon Sep 17 00:00:00 2001
From: Alex Aperis
Date: Thu, 19 Sep 2024 14:24:15 +0200
Subject: [PATCH] add auth and reencrypt docs
---
 aggregate-mappings.json | 2 +
 docs/dictionary/wordlist.txt | 103 ++++++++++++++++++++++++-----------
 docs/services/auth.md | 99 +++++++++++++++++++++++++++++++++
 docs/services/reencrypt.md | 61 +++++++++++++++++++++
 4 files changed, 234 insertions(+), 31 deletions(-)
 create mode 100644 docs/services/auth.md
 create mode 100644 docs/services/reencrypt.md
diff --git a/aggregate-mappings.json b/aggregate-mappings.json
index 3fa17e4..58b1950 100644
--- a/aggregate-mappings.json
+++ b/aggregate-mappings.json
@@ -8,6 +8,8 @@
 "sda/cmd/s3inbox/s3inbox.md": "docs/services/s3inbox.md",
 "sda/cmd/syncapi/syncapi.md": "docs/services/syncapi.md",
 "sda/cmd/sync/sync.md": "docs/services/sync.md",
+ "sda/cmd/reencrypt/Reencrypt.md": "docs/services/reencrypt.md",
+ "sda/cmd/auth/auth.md": "docs/services/auth.md",
 "sda-sftp-inbox/README.md": "docs/services/sftpinbox.md",
 "./GETTINGSTARTED.md": "docs/guides/sda-dev-test-doc.md",
 "sda/sda.md": "docs/services/sda.md",
diff --git a/docs/dictionary/wordlist.txt b/docs/dictionary/wordlist.txt
index 2a874ae..163bdc9 100644
--- a/docs/dictionary/wordlist.txt
+++ b/docs/dictionary/wordlist.txt
@@ -1,33 +1,10 @@
-ACCESSIONROUTING
-BIGINT
-Bigpicture
-CENTERPREFIX
-DNS
-FK
-FS
-HOSTKEY
-INGESTROUTING
-JWTPUBKEYURL
-MAPPINGROUTING
-Mina's
-NSS
-NetworkPolicy
-PEMKEYPASS
-PEMKEYPATH
-PGDATA
-PREFETCHCOUNT
-RegisterFile
-SPRINGFRAMEWORK
-SYNCPUBKEYPATH
-SetAccessionID
-TCP
-UDP
 aaf
 aai
 aaiconnectprofile
 abug
 accessionid
 accessionids
+ACCESSIONROUTING
 accesskey
 ack'ed
 acked
@@ -38,22 +15,27 @@ aissue
 aj
 amqp
 amqps
-apiVersion
 apis
+apiVersion
+appendChild
 assignees
 assigneesreencrypts
 atitle
 auth
+authURL
+AUTHURL
 automagically
 autonumber
 backend
 backupArchive
-backupRoutingKey
 backuppubkey
+backupRoutingKey
 bbug
 bfac
 bigint
+BIGINT
 bigpicture
+Bigpicture
 blockquote
 bmi
 bugfix
@@ -62,10 +44,12 @@ cacert
 ccacd
 cega
 cegamq
+CENTERPREFIX
 centralega
 centralega's
 cgktxeg
 chacha
+charset
 cheatsheet
 checksumed
 checksums
@@ -77,11 +61,16 @@ clusterIssuer
 cmd
 cn
 commandline
+conf
+Conf
 conffile
 config
 confpath
+const
 controlledaccessgrants
 copyheader
+CORS
+createElement
 creds
 cryptographic
 cscfi
@@ -94,8 +83,8 @@ datasetid
 datasetids
 datasets
 dbPassword
-dbUser
 dbschema
+dbUser
 ddfqevq
 decrypt
 decryptable
@@ -106,16 +95,21 @@ decryptor
 dev
 discoverable
 dns
+DNS
+DOCTYPE
 doi
 dsn
 ebi
 ecc
+ECDSA
 ef
 ega
-ega's
 egac
 egaf
+ega's
 egas
+EL
+encodeURIComponent
 endcoordinate
 env
 envs
@@ -127,9 +121,13 @@ fileid
 filepath
 filesystem
 fjddcmrvlawqmvrbly
+FK
 formsubmission
+frontend
+FS
 funders
 getarchived
+getElementById
 getheader
 getheaderforstableid
 getinboxpath
@@ -140,7 +138,11 @@ golang
 golangci
 gopath
 gradle
+grpc
+gRPC
+GRPC
 helpdesk
+HOSTKEY
 hostname
 howto
 href
@@ -149,9 +151,11 @@ https
 ietf
 img
 incrementing
+INGESTROUTING
 init
 initd
 initdb
+innerHTML
 insertfile
 integrationtest
 ipBlock
@@ -161,14 +165,17 @@ jku
 json
 jsonb
 jwk
+JWKPATH
+jwks
 jwt
 jwtKey
 jwtPub
-jwtSecret
 jwtpubeyurl
 jwtpubkeypath
 jwtpubkeyurl
+JWTPUBKEYURL
 jwts
+jwtSecret
 jwttoken
 keyfile
 keypair
@@ -177,13 +184,16 @@ kube
 kubernetes
 latters
 lega
+legas
 libpq
 lifescience
 localega
+localhost
 localmq
 logstash
 makefile
 mapfilestodataset
+MAPPINGROUTING
 markcompleted
 markready
 matchLabels
@@ -191,6 +201,7 @@ microservice
 microservices
 migratedb
 mina
+Mina's
 minio
 miniostorage
 misspelled words:
@@ -209,10 +220,12 @@ namespaceSelector
 nbis
 neic
 neicnordic
+NetworkPolicy
 nginx
 nodeport
 notls
 nss
+NSS
 oidc
 ol
 oldpath
@@ -226,13 +239,17 @@ orchestrator
 orgs
 ou
 pacx
+params
 pem
+PEMKEYPASS
+PEMKEYPATH
+PGDATA
 pgvolume
 phenome
 pkcs
 png
-podSelector
 podman
+podSelector
 policyTypes
 posix
 postgres
@@ -240,9 +257,12 @@ postgresAdminPassword
 postgresql
 pre
 prefetchcount
+PREFETCHCOUNT
 prepended
+PRIVATEKEY
 programmatically
 publickey
+querySelector
 rabbitmq
 rabbitmqctl
 readme
@@ -257,9 +277,11 @@ reencrypted
 reencrypting
 reencrypts
 registerfile
+RegisterFile
 repo
 reqs
 requesters
+RESIGNJWT
 rootedfilesystem
 routingError
 routingkey
@@ -268,17 +290,25 @@ samtools
 schemas
 sda
 sda's
-secretName
 secretkey
+secretName
 sequenceDiagram
+servercert
+SERVERCERT
+serverkey
+SERVERKEY
 setaccessionid
+SetAccessionID
 setarchived
+setAttribute
 sftp
 sftpinbox
 sha
+SIGNATUREALG
 smth
 somedir
 speciffic
+SPRINGFRAMEWORK
 src
 sshd
 ssl
@@ -287,26 +317,34 @@ stableIDs
 startcoordinate
 storageType
 storeheader
+stringify
 submitters
 svc
 svg
 syncapi
+SYNCPUBKEYPATH
 sysdevs
 tada
+TCP
 testsuite
 thumbsup
 tls
 todo
+TOKENTTL
 tryggve
 tsd
 ttl
+txt
 tz
+UDP
 ui
 uio
 unencrypted
 unioslo
 updatedatasetevent
 uppsala
+uri
+URLSearchParams
 useif
 userinfo
 usit
@@ -316,9 +354,12 @@ uuid
 vdwfq
 verifypeer
 vhost
+viewport
 vscqc
+wHPVQaYXmdDHg
 wjkbduq
 wyenrumyh
+XC
 yaml
 yihkqimti
 yml
diff --git a/docs/services/auth.md b/docs/services/auth.md
new file mode 100644
index 0000000..838a8f1
--- /dev/null
+++ b/docs/services/auth.md
@@ -0,0 +1,99 @@
+# SDA authentication service
+
+This service allows users to log in both via LS-AAI (OIDC) or EGA (NSS).
+
+After successful authentication users will be able to get the `access token` and download the `S3 config file` needed in order to be able to upload files to the [S3Inbox service](../s3inbox/s3inbox.md).
+
+## Choosing provider login
+
+The `auth` allows for two different types of login providers: `EGA` and `LS_AAI` (OIDC). It is possible, to run the service using both or only one of the providers.
+
+In order to remove the `EGA` option, remove the `CEGA_ID` and `CEGA_SECRET` options from the configuration, while for removing the `LS-AAI` option, remove the `OIDC_ID` and `OIDC_SECRET` variables.
+
+## Configuration example for local testing
+
+The following settings can be configured for deploying the service, either by using environment variables or a YAML file.
+
+| Parameter | Description | Defined value |
+| ----------------------- | ------------------------------------------------------------------------------------ | --------------------------------------- |
+| `AUTH_CEGA_AUTHURL` | CEGA server endpoint | `http://cega:8443/lega/v1/legas/users/` |
+| `AUTH_CEGA_ID` | CEGA server authentication id | `dummy` |
+| `AUTH_CEGA_SECRET` | CEGA server authentication secret | `dummy` |
+| `AUTH_CORS_CREDENTIALS` | If cookies, authorization headers, and TLS client certificates are allowed over CORS | `false` |
+| `AUTH_CORS_METHODS` | Allowed Cross-Origin Resource Sharing (CORS) methods | `""` |
+| `AUTH_CORS_ORIGINS` | Allowed Cross-Origin Resource Sharing (CORS) origins | `""` |
+| `AUTH_JWT_ISSUER` | Issuer of JWT tokens | `http://auth:8080` |
+| `AUTH_JWT_PRIVATEKEY` | Path to private key for signing the JWT token | `keys/sign-jwt.key` |
+| `AUTH_JWT_SIGNATUREALG` | Algorithm used to sign the JWT token. 
ES256 (ECDSA) or RS256 (RSA) are supported | `ES256` |
+| `AUTH_JWT_TOKENTTL` | TTL of the resigned token in hours | `168` |
+| `AUTH_RESIGNJWT` | Set to `false` to serve the raw OIDC JWT, i.e. without re-signing it | `""` |
+| `AUTH_S3INBOX` | S3 inbox host | `http://s3.example.com` |
+| `LOG_LEVEL` | Log level | `info` |
+| `OIDC_ID` | OIDC authentication id | `XC56EL11xx` |
+| `OIDC_SECRET` | OIDC authentication secret | `wHPVQaYXmdDHg` |
+| `OIDC_PROVIDER` | OIDC issuer URL | `http://oidc:8080` |
+| `OIDC_JWKPATH` | JWK endpoint where the public key can be retrieved for token validation | `/jwks` |
+| `SERVER_CERT` | Certificate file path | `""` |
+| `SERVER_KEY` | Private key file path | `""` |
+
+## Running with Cross-Origin Resource Sharing (CORS)
+
+This service can be run as a backend only, and in the case where the frontend is running somewhere else, CORS is needed.
+
+Recommended CORS settings for a given host are:
+
+```txt
+AUTH_CORS_ORIGINS="https://"
+AUTH_CORS_METHODS="GET,OPTIONS,POST"
+AUTH_CORS_CREDENTIALS="true"
+```
+
+A minimal CORS login (for testing purposes) can look like this:
+
+```html
+
+
+
+
+
+ CORS login test page
+
+
+
+ Log in
+ Reset + +
+

+
+
+
+
+
+```
diff --git a/docs/services/reencrypt.md b/docs/services/reencrypt.md
new file mode 100644
index 0000000..1aeaa13
--- /dev/null
+++ b/docs/services/reencrypt.md
@@ -0,0 +1,61 @@
+# reEncrypt service
+
+Reencrypts a given file header with a given crypt4gh public key.
+
+## Service Description
+
+The `reencrypt` service uses the gRPC protocol for communication.
+
+It receives the header to be encrypted as a byte array and the publickey as a base64 encoded string and returns the new header as a byte array.
+
+## Configuration
+
+There are a number of options that can be set for the `reencrypt` service.
+These settings can be set by mounting a yaml-file at `/config.yaml` with settings.
+
+ex.
+
+```yaml
+c4gh:
+    filepath: "path/to/crypt4gh/file"
+    passphrase: "passphrase to unlock the keyfile"
+grpc:
+    cacert: "path to (CA) certificate file for validating incoming request"
+    servercert: "path to the x509 certificate used by the service"
+    serverkey: "path to the x509 private key used by the service"
+log:
+  level: "debug"
+  format: "json"
+```
+
+They may also be set using environment variables like:
+
+```bash
+export LOG_LEVEL="debug"
+export LOG_FORMAT="json"
+```
+
+### Keyfile settings
+
+These settings control which crypt4gh keyfile is loaded.
+
+- `C4GH_FILEPATH`: filepath to the crypt4gh keyfile
+- `C4GH_PASSPHRASE`: passphrase to unlock the keyfile
+
+### Logging settings
+
+- `LOG_FORMAT` can be set to `json` to get logs in JSON format. All other values result in text logging.
+- `LOG_LEVEL` can be set to one of the following, in increasing order of severity:
+  - `trace`
+  - `debug`
+  - `info`
+  - `warn` (or `warning`)
+  - `error`
+  - `fatal`
+  - `panic`
+
+### TLS settings
+
+- `GRPC_CACERT`: Certificate Authority (CA) certificate for validating incoming request
+- `GRPC_SERVERCERT`: path to the x509 certificate used by the service
+- `GRPC_SERVERKEY`: path to the x509 private key used by the service