From 63417cafb869e95f8070a8b6c77473df8eaa5ad4 Mon Sep 17 00:00:00 2001
From: Jason Fox
Date: Fri, 31 May 2024 11:48:45 +0200
Subject: [PATCH] Remove tutorial from master

---
 .env | 24 -
 .gitpod.yml | 41 -
 ...RE Securing Access.postman_collection.json | 624 --------------
 README.ja.md | 737 ----------------
 README.md | 658 +-------------
 ...l-dckr-site-0000-xpresswebapp-oidc-csr.pem | 18 -
 ...l-dckr-site-0000-xpresswebapp-oidc-key.pem | 27 -
 docker-compose.yml | 183 ----
 mysql-data/backup.sql | 805 ------------------
 secrets.txt | 1 -
 services | 104 +--
 11 files changed, 23 insertions(+), 3199 deletions(-)
 delete mode 100644 .env
 delete mode 100644 .gitpod.yml
 delete mode 100644 FIWARE Securing Access.postman_collection.json
 delete mode 100644 README.ja.md
 delete mode 100644 certs/tutorial-dckr-site-0000-xpresswebapp-oidc-csr.pem
 delete mode 100644 certs/tutorial-dckr-site-0000-xpresswebapp-oidc-key.pem
 delete mode 100644 docker-compose.yml
 delete mode 100644 mysql-data/backup.sql
 delete mode 100644 secrets.txt

diff --git a/.env b/.env
deleted file mode 100644
index 9fe7837..0000000
--- a/.env
+++ /dev/null
@@ -1,24 +0,0 @@
-# Project name
-COMPOSE_PROJECT_NAME=fiware
-
-# Orion variables
-ORION_PORT=1026
-ORION_VERSION=3.11.0
-
-# MongoDB variables
-MONGO_DB_PORT=27017
-MONGO_DB_VERSION=6.0
-
-# Tutorial variables
-TUTORIAL_APP_PORT=3000
-TUTORIAL_DUMMY_DEVICE_PORT=3001
-
-# Keyrock variables
-KEYROCK_VERSION=8.4.0-distroless
-KEYROCK_PORT=3005
-KEYROCK_HTTPS_PORT=3443
-IDM_HTTPS_ENABLED=false
-
-# MySQL variables
-MYSQL_DB_VERSION=8.0
-MYSQL_DB_PORT=3306
diff --git a/.gitpod.yml b/.gitpod.yml
deleted file mode 100644
index 6fb63c9..0000000
--- a/.gitpod.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-tasks:
-  - name: Pull Images
-    init: ./services create
-
-ports:
-  - name: Orion
-    description: Context Broker
-    port: 1026
-    onOpen: notify
-  - name: Wilma
-    description: PEP Proxy
-    port: 1027
-    onOpen: ignore
-  - name: Tutorial App
-    description: Web app displaying context data
-    port: 3000
-    onOpen: open-preview
-  - name: Tutorial Devices
-    description: Dummy IoT Sensors over HTTP
-    port: 3001
-    onOpen: ignore
-  - name: Keyrock
-    description: Identity Manager
-    port: 3005
-    onOpen: open-preview
-  - name: MySQL
-    description: Database for Keyrock
-    port: 3306
-    onOpen: ignore
-  - name: IoT Agent (North Port)
-    description: NGSI data and device provisioning
-    port: 4041
-    onOpen: ignore
-  - name: IoT Agent (South Port)
-    description: Ultralight HTTP measures
-    port: 7896
-    onOpen: ignore
-  - name: MongoDB
-    description: Database for Orion + IoT Agent
-    port: 27017
-    onOpen: ignore
\ No newline at end of file
diff --git a/FIWARE Securing Access.postman_collection.json b/FIWARE Securing Access.postman_collection.json
deleted file mode 100644
index 6fa588b..0000000
--- a/FIWARE Securing Access.postman_collection.json
+++ /dev/null
@@ -1,624 +0,0 @@ -{ - "info": { - "_postman_id": "322a0fc2-45c0-47c4-bd8f-088f8470af41", - "name": "FIWARE Securing Access", - "description": "[![FIWARE Security](https://img.shields.io/badge/FIWARE-Security-ff7059.svg?logo=)](https://www.fiware.org/developers/catalogue/)\n\n\nThis tutorial secures access to a FIWARE application using the entities created in the [previous tutorial](https://github.com/Fiware/tutorials.Roles-Permissions). The tutorial explains appropriate use of the various OAuth2 grant flows, and how to use\nthe **Keyrock** generic enabler as an Authorization Server to identify users. **Keyrock** is also used as a Policy Decision\nPoint (PDP) to restrict access.\n\nThe `docker-compose` files for this tutorial can be found on GitHub: \n\n![GitHub](https://fiware.github.io/tutorials.Securing-Access/icon/GitHub-Mark-32px.png) [FIWARE 403: Securing Access](https://github.com/Fiware/tutorials.Securing-Access)\n\n\n# Securing Access\n\n> \"When a person or party approaches your post, you should challenge them at a distance that is sufficient\n> for you to react if they turn out to have hostile intentions. You should say in a firm voice, loud enough\n> to be easily heard, *\"Halt! Who goes there?\"* (or *\"Who is there?\"*). Once the person answers, you should then say\n> *\"Advance to be recognized.\"* ... If you have identified the person or persons approaching, permit them to pass.\n> If you are not satisfied with that person's identification, you must detain the person and call the petty officer\n> of the watch.\"\n>\n> — 11th General Order of the US Marine Corps\n\nIn order to secure access to application resources, it is necessary to know two things. Firstly, who is making the\nrequest and secondly is the requestor permitted to access the resource? 
The FIWARE **Keyrock** generic enabler uses\nuses [OAuth2](https://oauth.net/2/) to enable third-party applications to obtain limited access to services.\n**OAuth2** is the open standard for access delegation to grant access rights. It allows notifying a resource provider\n(e.g. the Knowage Generic Enabler) that the resource owner (e.g. you) grants permission to a third-party\n(e.g. a Knowage Application) access to their information (e.g. the list of entities).\n\nThere are several common OAuth 2.0 grant flows, the details of which can be found below:\n\n* [Authorization Code](https://oauth.net/2/grant-types/authorization-code)\n* [Implicit](https://oauth.net/2/grant-types/implicit)\n* [Password](https://oauth.net/2/grant-types/password)\n* [Client Credentials](https://oauth.net/2/grant-types/client-credentials)\n* [Device Code](https://oauth.net/2/grant-types/device-code)\n* [Refresh Token](https://oauth.net/2/grant-types/refresh-token)\n\nThe primary concept is that both **Users** and **Applications** must first identify themselves using\na standard OAuth2 Challenge-Response mechanism. Thereafter a user is assigned a token which they\nappend to every subsequent request. This token identifies the user, the application and the rights the\nuser is able to exercise. **Keyrock** can then be used with other enablers can be used to limit and\nlock-down access. The details of the access flows are discussed below and in subsequent tutorials.\n\nThe reasoning behind OAuth2 is that you never need to expose your own username and password to a\nthird party to give them full access - you merely permit the relevant access which can be either Read-Only\nor Read-Write and such access can be defined down to a granular level. Furthermore there is provision for\nrevoking access at any time, leaving the resource owner in control of who can access what.\n\nOnce the application is able to authenticate users, it is also possible to lock down access using access control\nmechanisms. 
Access control requires having an access policy - in other words defining who can do what.\nWe have already defined roles and permisions within the [previous tutorial](https://github.com/Fiware/tutorials.Roles-Permissions),\nand now need to programatically enforce this policy by adding in a simple\nPolicy Decision Point (PDP) – which evaluates and issues authorization decisions, and then secure access by enforcing\nthe decision using a Policy Enforcement Point (PEP).\n\n## Standard Concepts of Identity Management\n\nThe following common objects are found with the **Keyrock** Identity Management database:\n\n* **User** - Any signed up user able to identify themselves with an eMail and password. Users can be assigned\n rights individually or as a group\n* **Application** - Any securable FIWARE application consisting of a series of microservices\n* **Organization** - A group of users who can be assigned a series of rights. Altering the rights of the organization\n effects the access of all users of that organization\n* **OrganizationRole** - Users can either be members or admins of an organization - Admins are able to add and remove users\n from their organization, members merely gain the roles and permissions of an organization. This allows each organization\n to be responsible for their members and removes the need for a super-admin to administer all rights\n* **Role** - A role is a descriptive bucket for a set of permissions. A role can be assigned to either a single user\n or an organization. 
A signed-in user gains all the permissions from all of their own roles plus all of the roles associated\n to their organization\n* **Permission** - An ability to do something on a resource within the system\n\nAdditionally two further non-human application objects can be secured within a FIWARE application:\n\n* **IoTAgent** - a proxy between IoT Sensors and the Context Broker\n* **PEPProxy** - a middleware for use between generic enablers challenging the rights of a user.\n\n\n The relationship between the objects can be seen below - the entities marked in red are used directly within this tutorial:\n\n![](https://fiware.github.io/tutorials.Securing-Access/img/entities.png)\n\n## OAuth2\n\n**Keyrock** uses [OAuth2](https://oauth.net/2/) to enable third-party applications\nto obtain limited access to services. **OAuth2** is the open standard for access delegation to\ngrant access rights. It allows notifying a resource provider (e.g. the Knowage Generic Enabler)\nthat the resource owner (e.g. you) grants permission to a third-party (e.g. a Knowage Application)\naccess to their information (e.g. the list of entities).\n\nThere are several common OAuth 2.0 grant flows, the details of which can be found below:\n\n* [Authorization Code](https://oauth.net/2/grant-types/authorization-code)\n* [Implicit](https://oauth.net/2/grant-types/implicit)\n* [Password](https://oauth.net/2/grant-types/password)\n* [Client Credentials](https://oauth.net/2/grant-types/client-credentials)\n* [Device Code](https://oauth.net/2/grant-types/device-code)\n* [Refresh Token](https://oauth.net/2/grant-types/refresh-token)\n\nThe primary concept is that both **Users** and **Applications** must first identify themselves using\na standard OAuth2 Challenge-Response mechanism. Thereafter a user is assigned a token which they\nappend to every subsequent request. This token identifies the user, the application and the rights the\nuser is able to exercise. 
**Keyrock** can then be used with other enablers can be used to limit and\nlock-down access. The details of the access flows are discussed below and in subsequent tutorials.\n\nThe reasoning behind OAuth2 is that you never need to expose your own username and password to a\nthird party to give them full access - you merely permit the relevant access which can be either Read-Only\nor Read-Write and such access can be defined down to a granular level. Furthermore there is provision for\nrevoking access at any time, leaving the resource owner in control of who can access what.\n\n\n# Prerequisites\n\n## Docker\n\nTo keep things simple both components will be run using [Docker](https://www.docker.com). **Docker** is a\ncontainer technology which allows to different components isolated into their respective environments.\n\n* To install Docker on Windows follow the instructions [here](https://docs.docker.com/docker-for-windows/)\n* To install Docker on Mac follow the instructions [here](https://docs.docker.com/docker-for-mac/)\n* To install Docker on Linux follow the instructions [here](https://docs.docker.com/install/)\n\n**Docker Compose** is a tool for defining and running multi-container Docker applications. A\n[YAML file](https://raw.githubusercontent.com/Fiware/tutorials.Identity-Management/master/docker-compose.yml) is used\nconfigure the required services for the application. This means all container services can be brought up in a single\ncommand. Docker Compose is installed by default as part of Docker for Windows and Docker for Mac, however Linux users\nwill need to follow the instructions found [here](https://docs.docker.com/compose/install/)\n\n## Cygwin\n\nWe will start up our services using a simple bash script. 
Windows users should download [cygwin](http://www.cygwin.com/) to provide a\ncommand line functionality similar to a Linux distribution on Windows.\n\n# Architecture\n\n\nThis application adds OAuth2-driven security into the existing Stock Management and Sensors-based application\ncreated in [previous tutorials](https://github.com/Fiware/tutorials.IoT-Agent/) by using the data created in the first [security tutorial](https://github.com/Fiware/tutorials.Identity-Management/) and reading it programatically. It\nwill make use of three FIWARE components - the [Orion Context Broker](https://fiware-orion.readthedocs.io/en/latest/),the [IoT Agent for UltraLight 2.0](http://fiware-iotagent-ul.readthedocs.io/en/latest/) and integrates the use of the [Keyrock](http://fiware-idm.readthedocs.io/) Generic enabler. Usage of the Orion Context Broker is sufficient for an application to qualify as *“Powered by FIWARE”*.\n\nBoth the Orion Context Broker and the IoT Agent rely on open source [MongoDB](https://www.mongodb.com/) technology to keep persistence of the information they hold. We will also be using the dummy IoT devices created in the [previous tutorial](https://github.com/Fiware/tutorials.IoT-Sensors/). 
**Keyrock** uses its own [MySQL](https://www.mysql.com/) database.\n\nTherefore the overall architecture will consist of the following elements:\n\n* The FIWARE [Orion Context Broker](https://fiware-orion.readthedocs.io/en/latest/) which will receive requests using [NGSI](https://fiware.github.io/specifications/OpenAPI/ngsiv2)\n* The FIWARE [IoT Agent for UltraLight 2.0](http://fiware-iotagent-ul.readthedocs.io/en/latest/) which will receive southbound requests using [NGSI](https://fiware.github.io/specifications/OpenAPI/ngsiv2) and convert them to [UltraLight 2.0](http://fiware-iotagent-ul.readthedocs.io/en/latest/usermanual/index.html#user-programmers-manual) commands for the devices\n* FIWARE [Keyrock](http://fiware-idm.readthedocs.io/) offer a complement Identity Management System including:\n * An OAuth2 authentication system for Applications and Users\n * A website graphical front-end for Identity Management Administration\n * An equivalent REST API for Identity Management via HTTP requests\n* The underlying [MongoDB](https://www.mongodb.com/) database :\n * Used by the **Orion Context Broker** to hold context data information such as data entities, subscriptions and registrations\n * Used by the **IoT Agent** to hold device information such as device URLs and Keys\n* A [MySQL](https://www.mysql.com/) database :\n * Used to persist user identities, applications, roles and permissions\n* The **Stock Management Frontend** does the following:\n * Displays store information\n * Shows which products can be bought at each store\n * Allows users to \"buy\" products and reduce the stock count.\n * Allows authorized users into restricted areas\n* A webserver acting as set of [dummy IoT devices](https://github.com/Fiware/tutorials.IoT-Sensors) using the [UltraLight 2.0](http://fiware-iotagent-ul.readthedocs.io/en/latest/usermanual/index.html#user-programmers-manual) protocol running over HTTP - access to certain resources is restricted.\n\n\nSince all interactions 
between the elements are initiated by HTTP requests, the entities can be containerized and run from exposed ports.\n\n![](https://fiware.github.io/tutorials.Securing-Access/img/architecture.png)\n\nThe necessary configuration information for adding security to the **Stock Management Frontend** can be found in the `context-provider` section of the associated `docker-compose.yml` file - only the relevant variables are shown below:\n\n## Context-Provider Security Configuration\n\n```yaml\n context-provider:\n image: quay.io/fiware/tutorials.context-provider\n hostname: context-provider\n container_name: context-provider\n networks:\n default:\n ipv4_address: 172.18.1.7\n expose:\n - \"3000\"\n - \"3001\"\n ports:\n - \"3000:3000\"\n - \"3001:3001\"\n environment:\n - \"DEBUG=tutorial:*\"\n - \"WEB_APP_PORT=3000\"\n - \"KEYROCK_URL=http://localhost\"\n - \"KEYROCK_IP_ADDRESS=http://172.18.1.5\"\n - \"KEYROCK_PORT=3005\"\n - \"KEYROCK_CLIENT_ID=tutorial-dckr-site-0000-xpresswebapp\"\n - \"KEYROCK_CLIENT_SECRET=tutorial-dckr-site-0000-clientsecret\"\n - \"CALLBACK_URL=http://localhost:3000/login\"\n```\n\nThe `context-provider` container is listening on two ports:\n\n* Port `3000` is exposed so we can see the web-page displaying the Dummy IoT devices.\n* Port `3001` is exposed purely for tutorial access - so that cUrl or Postman can make UltraLight commands\n without being part of the same network.\n\n\nThe `context-provider` container is driven by environment variables as shown:\n\n| Key |Value|Description|\n|-----|-----|-----------|\n|DEBUG|`tutorial:*`| Debug flag used for logging |\n|WEB_APP_PORT|`3000`|Port used by web-app which displays the login screen & etc.|\n|KEYROCK_URL|`http://localhost`| This is URL of the **Keyrock** Web Front-End itself, used for redirection when forwarding users |\n|KEYROCK_IP_ADDRESS|`http://172.18.1.5`| This is URL of the **Keyrock** OAuth Communications |\n|KEYROCK_PORT|`3005` | This is the port that **Keyrock** is listening 
on.|\n|KEYROCK_CLIENT_ID|`tutorial-dckr-site-0000-xpresswebapp`| The Client ID defined by Keyrock for this application |\n|KEYROCK_CLIENT_SECRET|`tutorial-dckr-site-0000-clientsecret`| The Client Secret defined by Keyrock for this application |\n|CALLBACK_URL|`http://localhost:3000/login`| The callback URL used by Keyrock when a challenge has succeeded.|\n\nThe other `context-provider` container configuration values described in the YAML file have been described in previous tutorials\n\nThe separate `KEYROCK_URL` and `KEYROCK_IP_ADDRESS` are only necessary because of the simplified\nDocker containerization used within the tutorial. The `KEYROCK_URL` variable with the value `localhost` is referring\nto the location externally exposed by the container, the `KEYROCK_IP_ADDRESS` variable refers to the same location\nbut accessed from within the Docker network. Similarly the `CALLBACK_URL` contains `localhost` as it\nis assumed that the browser will be accessed from the same machine. All of these values should be replaced\nwith appropriate proxies and DNS settings for a production environment, but production deployment is beyond\nthe scope of this tutorial.\n\n\n# Start Up\n\nTo start the installation, do the following:\n\n```console\ngit clone git@github.com:Fiware/tutorials.Securing-Access.git\ncd tutorials.Securing-Access\n\n./services create\n```\n\n>**Note** The initial creation of Docker images can take up to three minutes\n\n\nThereafter, all services can be initialized from the command line by running the [services](https://github.com/Fiware/tutorials.Securing-Access/blob/master/services) Bash script provided within the repository:\n\n```console\n./services \n```\n\nWhere `` will vary depending upon the exercise we wish to activate.\n\n>:information_source: **Note:** If you want to clean up and start over again you can do so with the following command:\n>\n>```console\n>./services stop\n>```\n>\n\n\n### Dramatis Personae\n\nThe following people at `test.com` 
legitimately have accounts within the Application\n\n* Alice, she will be the Administrator of the **Keyrock** Application\n* Bob, the Regional Manager of the supermarket chain - he has several store managers under him:\n * Manager1\n * Manager2\n* Charlie, the Head of Security of the supermarket chain - he has several store detectives under him:\n * Detective1\n * Detective2\n\n| Name |eMail |Password |\n|------------|----------------------------|---------|\n| alice | alice-the-admin@test.com | `test` |\n| bob | bob-the-manager@test.com | `test` |\n| charlie | charlie-security@test.com | `test` |\n| manager1 | manager1@test.com | `test` |\n| manager2 | manager2@test.com | `test` |\n| detective1 | detective1@test.com | `test` |\n| detective2 | detective2@test.com | `test` |\n\n\nThe following people at `example.com` have signed up for accounts, but have no reason to be granted access\n\n* Eve - Eve the Eavesdropper\n* Mallory - Mallory the malicious attacker\n* Rob - Rob the Robber\n\n\n| Name |eMail |Password |\n|------------|----------------------------|---------|\n| eve | eve@example.com | `test` |\n| mallory | mallory@example.com | `test` |\n| rob | rob@example.com | `test` |\n\n\nTwo organizations have also been set up by Alice:\n\n| Name | Description | UUID |\n|------------|-------------------------------------|--------------------------------------|\n| Security | Security Group for Store Detectives |`security-0000-0000-0000-000000000000`|\n| Management | Management Group for Store Managers |`managers-0000-0000-0000-000000000000`|\n\nOne application, with appropriate roles and permissions has also been created:\n\n| Key | Value |\n|---------------|----------------------------------------|\n| Client ID | `tutorial-dckr-site-0000-xpresswebapp` |\n| Client Secret | `tutorial-dckr-site-0000-clientsecret` |\n| URL | `http://localhost:3000` |\n| RedirectURL | `http://localhost:3000` |\n\n\nTo save time, the data creating users and organizations from the [previous 
tutorial](https://github.com/Fiware/tutorials.Identity-Management) has been downloaded and is automatically persisted to the MySQL\ndatabase on start-up so the asigned UUIDs do not change and the data does not need to be entered again.\n\nTo refresh your memory about how to create users and organizations and applications, you can log in at `http://localhost:3005/idm`\nusing the account `alice-the-admin@test.com` with a password of `test`.\n\n![](https://fiware.github.io/tutorials.Securing-Access/img/log-in.png)\n\nand look around.", - "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json" - }, - "item": [ - { - "name": "User Credentials Flow", - "item": [ - { - "name": "OAuth Password Flow (Alice)", - "request": { - "method": "POST", - "header": [ - { - "key": "Authorization", - "value": "Basic {{Authorization}}", - "description": "base64 concatenation of Client Id and Client Secret" - }, - { - "key": "Content-Type", - "value": "application/x-www-form-urlencoded" - }, - { - "key": "Accept", - "value": "application/json" - } - ], - "body": { - "mode": "raw", - "raw": "username=alice-the-admin@test.com&password=test&grant_type=password" - }, - "url": { - "raw": "http://{{keyrock}}/oauth2/token", - "protocol": "http", - "host": [ - "{{keyrock}}" - ], - "path": [ - "oauth2", - "token" - ] - }, - "description": "To log in using the user-credentials flow send a POST request to the `oauth2/token` endpoint with the `grant_type=password`\n\n The response returns an access code to identify the user\n\n The access code can then be used with a GET request to the `/user` endpoint to obtain user details." 
- }, - "response": [] - }, - { - "name": "OAuth Password Flow (Bob)", - "request": { - "method": "POST", - "header": [ - { - "key": "Authorization", - "value": "Basic {{Authorization}}", - "description": "base64 concatenation of Client Id and Client Secret" - }, - { - "key": "Content-Type", - "value": "application/x-www-form-urlencoded" - }, - { - "key": "Accept", - "value": "application/json" - } - ], - "body": { - "mode": "raw", - "raw": "username=bob-the-manager@test.com&password=test&grant_type=password" - }, - "url": { - "raw": "http://{{keyrock}}/oauth2/token", - "protocol": "http", - "host": [ - "{{keyrock}}" - ], - "path": [ - "oauth2", - "token" - ] - }, - "description": "To log in using the user-credentials flow send a POST request to the `oauth2/token` endpoint with the `grant_type=password`\n\n The response returns an access code to identify the user\n\n The access code can then be used with a GET request to the `/user` endpoint to obtain user details." - }, - "response": [] - }, - { - "name": "OAuth Password Flow (Eve)", - "request": { - "method": "POST", - "header": [ - { - "key": "Authorization", - "value": "Basic {{Authorization}}", - "description": "base64 concatenation of Client Id and Client Secret" - }, - { - "key": "Content-Type", - "value": "application/x-www-form-urlencoded" - }, - { - "key": "Accept", - "value": "application/json" - } - ], - "body": { - "mode": "raw", - "raw": "username=eve@example.com&password=test&grant_type=password" - }, - "url": { - "raw": "http://{{keyrock}}/oauth2/token", - "protocol": "http", - "host": [ - "{{keyrock}}" - ], - "path": [ - "oauth2", - "token" - ] - }, - "description": "To log in using the user-credentials flow send a POST request to the `oauth2/token` endpoint with the `grant_type=password`\n\n The response returns an access code to identify the user\n\n The access code can then be used with a GET request to the `/user` endpoint to obtain user details." 
- }, - "response": [] - }, - { - "name": "Get User Details", - "request": { - "method": "GET", - "header": [ - { - "key": "Accept", - "value": "application/json", - "disabled": true - } - ], - "body": {}, - "url": { - "raw": "http://{{keyrock}}/user?access_token={{access-token-alice}}", - "protocol": "http", - "host": [ - "{{keyrock}}" - ], - "path": [ - "user" - ], - "query": [ - { - "key": "access_token", - "value": "{{access-token-alice}}" - } - ] - }, - "description": "The access code received from a previous request can be used with a GET request to \nthe `/user` endpoint to obtain user details, for example, if the `access_token`\nused had been assigned to Alice, the username (Alice) and other user details are returned\nin the response." - }, - "response": [] - } - ], - "description": "The user credentials grant flow, also known as the password grant should only be used when:\n\n* A User wants to log into an application via a web-app client\n* The web-app client is absolutely trusted\n\n\n![](https://fiware.github.io/tutorials.Securing-Access/img/user-credentials.png)\n\nThis is the most appropriate usage within the Supermarket Tutorial Application, as the Web-App has been written by us and we can\ntrust it to pass on credentials to an instance of **Keyrock** also owned by us. 
As you can\nsee from the diagram, the user must type their own password into the web-app client itself\n\n\n### User Credentials - Sample Code\n\n\nThe code delegates all the OAuth2 calls to a separate library function, `oa.getOAuthPasswordCredentials()`, the user is retrieve using a separate `oa.get()` call as shown:\n\n```javascript\nfunction userCredentialGrant(req, res){\n const email = req.body.email;\n const password = req.body.password;\n\n oa.getOAuthPasswordCredentials(email, password)\n .then(results => {\n logAccessToken(req, results.access_token);\n return getUserFromAccessToken(req, results.access_token)\n })\n .then(user =>{\n // Store User and return\n });\n}\n```\n```javascript\nfunction getUserFromAccessToken(req, accessToken){\n return new Promise(function(resolve, reject) {\n oa.get(keyrockIPAddress + '/user', accessToken)\n .then(response => {\n const user = JSON.parse(response);\n return resolve(user);\n })\n .catch(error => {\n req.flash('error', 'User not found');\n return reject (error)\n });\n });\n}\n```\n\n\n### User Credentials - Running the Example\n\nIt is possible to invoke the User Credentials grant flow programmatically, by bringing up the page `http://localhost:3000/` and filling out the user name and password form.\n\n![](https://fiware.github.io/tutorials.Securing-Access/img/tutorial-log-in.png)\n\nThe response displays the user on the top right of the screen, details of the token are also flashed onto the screen:\n\n![](https://fiware.github.io/tutorials.Securing-Access/img/tutorial-reponse.png)\n", - "event": [ - { - "listen": "prerequest", - "script": { - "id": "a326d505-489b-4525-8ab4-2d753c8ed0d3", - "type": "text/javascript", - "exec": [ - "" - ] - } - }, - { - "listen": "test", - "script": { - "id": "d572e8a6-6d44-43e3-9e8e-46b6b6e62f74", - "type": "text/javascript", - "exec": [ - "" - ] - } - } - ] - }, - { - "name": "Authorization Code Grant", - "item": [], - "description": "The Authorization Code grant flow can be used 
where the client (in our case the Tutorial Web-application) doesn't need\naccess to any passwords directly - it just needs to know who the user is. With the Authorization Code grant, the\nuser is redirected to an Authorization Server such as **Keyrock**, logs in there and permits access. The response returns\nan access-code which can be exchanged for an access-token which then identifies the user.\n\n![](https://fiware.github.io/tutorials.Securing-Access/img/authcode-flow.png)\n\nThis is an example of the sort of flow used when a third party (such as Travis-CI) asks you to log in\nusing your github account. Travis never gains access to your password, but does receive details that you\nare who you claim to be from Github.\n\n\n### Authorization Code - Sample Code\n\nA user must first be redirected to **Keyrock**, requesting a `code`:\n\n```javascript\nfunction authCodeGrant(req, res){\n const path = oa.getAuthorizeUrl('code');\n return res.redirect(path);\n}\n```\n\nThe after the User authorizes access, the response is handled in the code below, an access code is received from **Keyrock**\nand second request is made to obtain a usable access token.\n\n```javascript\nfunction authCodeGrantCallback(req,res){\n return oa.getOAuthAccessToken(req.query.code)\n .then(results => {\n return getUserFromAccessToken(req, results.access_token);\n })\n .then (user => {\n // Store User and return\n });\n}\n```\n\n### Authorization Code - Running the Example\n\nIt is possible to invoke the User Credentials grant flow programmatically, by bringing up the page `http://localhost:3000/`\nand clicking on the Authorization Code Button\n\nThe user is first is redirected to **Keyrock**, and must log in\n\n![](https://fiware.github.io/tutorials.Securing-Access/img/keyrock-log-in.png)\n\nThe user must then authorize the request\n\n![](https://fiware.github.io/tutorials.Securing-Access/img/keyrock-authorize.png)\n\nThe response displays the user on the top right of the screen, details of the 
token are also flashed onto the screen.\n\n> **Note** Unless you deliberately log out of **Keyrock** `http://localhost:3005`, the existing **Keyrock** session which has already\n> permitted access will be used for subsequent authorization request.\n\n", - "event": [ - { - "listen": "prerequest", - "script": { - "id": "0fc6ebc8-6d3b-4e72-8ee4-bba47c103a33", - "type": "text/javascript", - "exec": [ - "" - ] - } - }, - { - "listen": "test", - "script": { - "id": "eb163ab5-78bc-4666-ad46-d4799f4752b0", - "type": "text/javascript", - "exec": [ - "" - ] - } - } - ] - }, - { - "name": "Implicit Grant", - "item": [], - "description": "The Implicit grant flow is a simplified form of the Authorization grant flow where **Keyrock** returns an\naccess-token directly rather than returning an acces-code. This is less secure than the Authcode flow but\ncould be used in some client-side applications\n\n![](https://fiware.github.io/tutorials.Securing-Access/img/implicit-flow.png)\n\n\n### Implicit Grant - Sample Code\n\nA user must first be redirected to **Keyrock**, requesting a `token`:\n\n```javascript\nfunction implicitGrant(req, res){\n const path = oa.getAuthorizeUrl('token');\n return res.redirect(path);\n}\n```\n\nThe after the User authorizes access, the response is handled in the code below,\na usable access token is received from **Keyrock**\n\n```javascript\nfunction implicitGrantCallback(req,res){\n return getUserFromAccessToken(req, req.query.token)\n .then (user => {\n // Store User and return\n })\n}\n```\n\n\n### Implicit Grant - Running the Example\n\nIt is possible to invoke the Implicit grant flow programmatically, by bringing up the page `http://localhost:3000/`\nand clicking on the Implicit Grant Button\n\nThe user is first is redirected to **Keyrock**, and must log in\n\n![](https://fiware.github.io/tutorials.Securing-Access/img/keyrock-log-in.png)\n\nThe user must then authorize the 
request\n\n![](https://fiware.github.io/tutorials.Securing-Access/img/keyrock-authorize.png)\n\nThe response displays the user on the top right of the screen, details of the token are also flashed onto the screen.\n\n\n> **Note** Unless you deliberately log out of **Keyrock** `http://localhost:3005`, the existing **Keyrock** session which has already\n> permitted access will be used for subsequent authorization request.", - "event": [ - { - "listen": "prerequest", - "script": { - "id": "180e6be1-5b8c-4781-a8f4-9cf21daa96de", - "type": "text/javascript", - "exec": [ - "" - ] - } - }, - { - "listen": "test", - "script": { - "id": "b635b904-53c2-4311-9616-7c187952f8d4", - "type": "text/javascript", - "exec": [ - "" - ] - } - } - ] - }, - { - "name": "Client Credentials Grant", - "item": [ - { - "name": "OAuth Client Credentials Flow", - "request": { - "method": "POST", - "header": [ - { - "key": "Authorization", - "value": "Basic {{Authorization}}", - "description": "base64 concatenation of Client Id and Client Secret" - }, - { - "key": "Content-Type", - "value": "application/x-www-form-urlencoded" - }, - { - "key": "Accept", - "value": "application/json" - } - ], - "body": { - "mode": "raw", - "raw": "grant_type=client_credentials" - }, - "url": { - "raw": "http://{{keyrock}}/oauth2/token", - "protocol": "http", - "host": [ - "{{keyrock}}" - ], - "path": [ - "oauth2", - "token" - ] - }, - "description": "To log in using the client credentials flow send a POST request to the `oauth2/token` endpoint with the `grant_type=client_credentials`\n\nThe response returns an access code to identify the application itself." - }, - "response": [] - } - ], - "description": "The final grant flow does not need a user. It is sometimes necessary for an application to identify itself\nso that the application (rather than the user) is granted access to resources. 
There are no\nresources secured in such a manner within this tutorial, but the flow has been included for completeness.\n\n![](https://fiware.github.io/tutorials.Securing-Access/img/client-credentials.png)\n\n### Client Credentials Grant - Sample Code\n\nThe code is similar to the User Credential Grant, but without an explicit username or password.\n\n\n```javascript\nfunction clientCredentialGrant(req, res){\n oa.getOAuthClientCredentials()\n .then(results => {\n // Store Access token\n });\n}\n```\n\n### Client Credentials Grant - Running the Example\n\nIt is possible to invoke the Client Credentials grant flow programmatically, by bringing up the page `http://localhost:3000/`\nand clicking on the Client Credentials Button\n\nThe response displays the details of the token. No User is involved.", - "event": [ - { - "listen": "prerequest", - "script": { - "id": "e871402a-6b43-435f-95ba-804ab57d0a25", - "type": "text/javascript", - "exec": [ - "" - ] - } - }, - { - "listen": "test", - "script": { - "id": "d3268975-e320-446e-bec4-bad61cde1999", - "type": "text/javascript", - "exec": [ - "" - ] - } - } - ] - }, - { - "name": "Refresh Token", - "item": [ - { - "name": "Availability Check", - "request": { - "method": "POST", - "header": [ - { - "key": "Authorization", - "value": "Basic {{Authorization}}", - "description": "base64 concatenation of Client Id and Client Secret" - }, - { - "key": "Content-Type", - "value": "application/x-www-form-urlencoded" - }, - { - "key": "Accept", - "value": "application/json" - } - ], - "body": { - "mode": "raw", - "raw": "username=alice-the-admin@test.com&password=test&grant_type=password" - }, - "url": { - "raw": "http://{{keyrock}}/oauth2/token", - "protocol": "http", - "host": [ - "{{keyrock}}" - ], - "path": [ - "oauth2", - "token" - ] - }, - "description": "Check to see if Refresh Token flow is available, merely log in using one of the other grant types,\nfor example to log in using the user-credentials flow send a POST request 
to the `oauth2/token` endpoint\n with the `grant_type=password`\n \n Along with the `access_token` identifying the user, the response returns an `refresh_token`" - }, - "response": [] - }, - { - "name": "Refresh Access Token", - "request": { - "method": "POST", - "header": [ - { - "key": "Authorization", - "value": "Basic {{Authorization}}", - "description": "base64 concatenation of Client Id and Client Secret" - }, - { - "key": "Content-Type", - "value": "application/x-www-form-urlencoded" - }, - { - "key": "Accept", - "value": "application/json" - } - ], - "body": { - "mode": "raw", - "raw": "username=alice-the-admin@test.com&password=test&grant_type=password" - }, - "url": { - "raw": "http://{{keyrock}}/oauth2/token", - "protocol": "http", - "host": [ - "{{keyrock}}" - ], - "path": [ - "oauth2", - "token" - ] - }, - "description": "The `refresh_token=05e386edd9f95ed0e599c5004db8573e86dff874` from the response above \nis stored for later use. To obtain a new `access_token` (for example once the previous\none has expired) the `refresh_token` is used in the OAuth2 refresh token flow and a `grant_type=refresh_token`\n\n**Note** - this request will only be successful if the value of the `refresh_token` \nhas been updated." - }, - "response": [] - } - ], - "description": "Once a User has identified themselves (using any appropriate grant type), they should not need to log-in again,\neven though the `access_token` they are using is time-limited. To provide continued access, an addition\n[Refresh Token](https://tools.ietf.org/html/rfc6749#section-1.5) flow has been defined, allowing a User to\nexchange an expired token for a new one. 
Offering this exchange is not mandatory for OAuth2 Authorization Servers,\nand is not appropriate for all grant types.", - "event": [ - { - "listen": "prerequest", - "script": { - "id": "7cdb7dc7-d4a6-4df4-8429-71f1fb556e91", - "type": "text/javascript", - "exec": [ - "" - ] - } - }, - { - "listen": "test", - "script": { - "id": "ce4fd0e1-8c7c-467b-a78c-618a7f57432c", - "type": "text/javascript", - "exec": [ - "" - ] - } - } - ] - }, - { - "name": "PDP- Access Control", - "item": [ - { - "name": "Resource Access (Alice)", - "request": { - "method": "GET", - "header": [ - { - "key": "Accept", - "value": "application/json", - "disabled": true - } - ], - "body": {}, - "url": { - "raw": "http://{{keyrock}}/user?access_token={{access-token-alice}}&action={{action}}&resource={{resource}}&app_id={{app-id}}", - "protocol": "http", - "host": [ - "{{keyrock}}" - ], - "path": [ - "user" - ], - "query": [ - { - "key": "access_token", - "value": "{{access-token-alice}}" - }, - { - "key": "action", - "value": "{{action}}" - }, - { - "key": "resource", - "value": "{{resource}}" - }, - { - "key": "app_id", - "value": "{{app-id}}" - } - ] - }, - "description": "If a user has logged in, the `access_token` can be used in combiniation with the `/user` endpoint\nto obtain access permissions to a resouce. This example retrieves Alice's permissions to a given\nresource." 
- }, - "response": [] - }, - { - "name": "Resource Access (Bob)", - "request": { - "method": "GET", - "header": [ - { - "key": "Accept", - "value": "application/json", - "disabled": true - } - ], - "body": {}, - "url": { - "raw": "http://{{keyrock}}/user?access_token={{access-token-bob}}&action={{action}}&resource={{resource}}&app_id={{app-id}}", - "protocol": "http", - "host": [ - "{{keyrock}}" - ], - "path": [ - "user" - ], - "query": [ - { - "key": "access_token", - "value": "{{access-token-bob}}" - }, - { - "key": "action", - "value": "{{action}}" - }, - { - "key": "resource", - "value": "{{resource}}" - }, - { - "key": "app_id", - "value": "{{app-id}}" - } - ] - }, - "description": "If a user has logged in, the `access_token` can be used in combiniation with the `/user` endpoint\nto obtain access permissions to a resouce. This example retrieves Bob-the-Manager's permissions to a given\nresource.\n\nThe response will include his role(s) within the application and whether access is pemitted or denied." - }, - "response": [] - }, - { - "name": "Resource Access (Eve)", - "request": { - "method": "GET", - "header": [ - { - "key": "Accept", - "value": "application/json", - "disabled": true - } - ], - "body": {}, - "url": { - "raw": "http://{{keyrock}}/user?access_token={{access-token-eve}}&action={{action}}&resource={{resource}}&app_id={{app-id}}", - "protocol": "http", - "host": [ - "{{keyrock}}" - ], - "path": [ - "user" - ], - "query": [ - { - "key": "access_token", - "value": "{{access-token-eve}}" - }, - { - "key": "action", - "value": "{{action}}" - }, - { - "key": "resource", - "value": "{{resource}}" - }, - { - "key": "app_id", - "value": "{{app-id}}" - } - ] - }, - "description": "If a user has logged in, the `access_token` can be used in combiniation with the `/user` endpoint\nto obtain access permissions to a resouce. 
This example retrieves Eve's permissions to a given\nresource - no permissions have been granted.\n\nThe response will have no roles and access is denied." - }, - "response": [] - } - ], - "description": "If we are using our own trusted instance of **Keyrock**, once a user has signed in and obtained an `access_token`, the\n`access_token` can be stored in session and used to retrieve user details on demand. The request for user details may be extended\nto include resource permissions. Using this information it is possible to permit or deny access to individual resources.\n\nAs a reminder, **Keyrock** permissions are based on `resource` (e.g. URL) and `action` (which can be mapped to an HTTP\nverb). We can retrieve extended user details including access permisions by adding additional parameters to a `/user` GET request\n\n### Access Control - Sample Code\n\nKeyrock can therefore be used as a PDP on its own, we merely need to check if the user has access to the resource and set a flag:\n\n```javascript\nfunction accessControl (req, res , next, url=req.url){\n const keyrockUserUrl = keyrockIPAddress + '/user' +\n '?access_token=' + req.session.access_token +\n '&action='+ req.method +\n '&resource='+ url +\n '&app_id=' + clientId;\n return oa.get(keyrockUserUrl)\n .then(response => {\n const user = JSON.parse(response);\n res.locals.authorized = (user.authorization_decision === 'Permit' );\n return next();\n })\n .catch(error => {\n debug(error);\n res.locals.authorized = false;\n return next();\n });\n}\n```\n\nA secured Web Page needs to check if the `authorized` flag has been set, and redirect the user if disallowed\n\n```javascript\nfunction priceChange(req, res) {\n\tif(!res.locals.authorized){\n\t\treq.flash('error', 'Access Denied');\n\t\treturn res.redirect('/');\n\t}\n\t/// Continue with the normal flow of execution...\n}\n```\n\nSimilarly a secured command can fail fast and return an error code if the user is not authorized,\n\n```javascript\nfunction 
sendCommand (req, res) {\n\tif(!res.locals.authorized){\n\t\tres.setHeader('Content-Type', 'application/json');\n\t\treturn res.status(403).send({ message: 'Forbidden' });\n\t}\n\t/// Continue with the normal flow of execution...\n```\n\n### Access Control - Running the Example\n\n> **Note** Only four resources have been secured:\n> * sending the unlock door command\n> * sending the ring bell command\n> * access to the price-change area\n> * access to the order-stock area\n\n\n#### Bob The Regional Manager\n\n* Log in as `bob-the-manager@test.com` with the password `test`\n* Click on the restricted access links at the base of the page - access is **permitted** - This is a management only permission\n* Open the Device Monitor on `http://localhost:3000/device/monitor`\n * Unlock a door - access is **denied**. - This is a security only permission\n * Ring a bell - access is **permitted** - This is permitted to all users\n\n#### Charlie the Security Manager\n* Log in as `security@test.com` with the password `test`\n* Click on the restricted access links at the base of the page - access is **denied** - This is a management only permission\n* Open the Device Monitor on `http://localhost:3000/device/monitor`\n * Unlock a door - access is **permitted** - This is a security only permission\n * Ring a bell - access is **permitted** - This is permitted to all users\n\n\n#### Anonymous Access\n\n* Ensure that you are not signed in as any user.\n* Click on the restricted access links at the base of the page - access is **denied**\n* Open the Device Monitor on `http://localhost:3000/device/monitor`\n * Unlock a door - access is **denied**\n * Ring a bell - access is **denied**\n\n\n#### Eve the Eavesdropper\n\nLog in as `eve@example.com` with the password `test`\n* Click on the restricted access links at the base of the page - access is **denied**\n* Open the Device Monitor on `http://localhost:3000/device/monitor`\n * Unlock a door - access is **denied**\n * Ring a bell - 
access is **denied**\n\n\n\n" - } - ], - "event": [ - { - "listen": "prerequest", - "script": { - "id": "f32d4f4e-6a77-4b0a-9cd1-7fdc58c14247", - "type": "text/javascript", - "exec": [ - "" - ] - } - }, - { - "listen": "test", - "script": { - "id": "453a7383-bb2a-4e01-8ed4-7355fb12520f", - "type": "text/javascript", - "exec": [ - "" - ] - } - } - ], - "variable": [ - { - "id": "e057bce6-a8b2-4e5a-bb93-15633b95f379", - "key": "keyrock", - "value": "localhost:3005", - "type": "string" - }, - { - "id": "a359a5ba-1952-4278-bc39-857a840ee70c", - "key": "Authorization", - "value": "dHV0b3JpYWwtZGNrci1zaXRlLTAwMDAteHByZXNzd2ViYXBwOnR1dG9yaWFsLWRja3Itc2l0ZS0wMDAwLWNsaWVudHNlY3JldA==", - "type": "string" - }, - { - "id": "922b5082-ba8c-4532-9960-cb32ff9eceb1", - "key": "access-token-alice", - "value": "e233f07c18bf1f9f532b66e848c9b0128eaea304", - "type": "string" - }, - { - "id": "f8563409-b371-4319-8efc-f4613053a39c", - "key": "access-token-bob", - "value": "6c1f1ac938f644c655b9c46c67d9f8b068345e89", - "type": "string" - }, - { - "id": "ca723b2a-8f96-4f2d-8770-88a3c90f088b", - "key": "access-token-eve", - "value": "e41786eea0c2663d8490bf41e3e0aa841e8ca2e5", - "type": "string" - }, - { - "id": "906b1dd4-dd9f-47b7-94c3-4745d0726572", - "key": "action", - "value": "GET", - "type": "string" - }, - { - "id": "287659f1-9677-446e-b0c0-bdc94e839fbd", - "key": "resource", - "value": "/app/price-change", - "type": "string" - }, - { - "id": "46725591-25a4-453d-9472-64f1499ef9b9", - "key": "app-id", - "value": "tutorial-dckr-site-0000-xpresswebapp", - "type": "string" - }, - { - "id": "ba484148-158f-427d-af75-695b97938d38", - "key": "refresh-token", - "value": "c64a49b2adbb659c0a7e1fe9e391544949ca0b94", - "type": "string" - } - ] -} \ No newline at end of file diff --git a/README.ja.md b/README.ja.md deleted file mode 100644 index 82a3118..0000000 --- a/README.ja.md +++ /dev/null 
@@ -1,737 +0,0 @@
-[![FIWARE Banner](https://fiware.github.io/tutorials.Securing-Access-OpenID-Connect/img/fiware.png)](https://www.fiware.org/developers)
-
-[![FIWARE Security](https://nexus.lab.fiware.org/repository/raw/public/badges/chapters/security.svg)](https://github.com/FIWARE/catalogue/blob/master/security/README.md)
-[![License: MIT](https://img.shields.io/github/license/fiware/tutorials.Securing-Access.svg)](https://opensource.org/licenses/MIT)
-[![Support badge](https://img.shields.io/badge/tag-fiware-orange.svg?logo=stackoverflow)](https://stackoverflow.com/questions/tagged/fiware)
-[![OpenID 1.0](https://img.shields.io/badge/OpenID-1.0-ff7059.svg)](https://openid.net/specs/openid-connect-core-1_0.html)
- [![Documentation](https://img.shields.io/readthedocs/fiware-tutorials.svg)](https://fiware-tutorials.rtfd.io)
-
-このチュートリアルは、以前の
-[セキュリティで保護されたアクセスのチュートリアル](https://github.com/FIWARE/tutorials.Securing-Access)
-を補足するものです。このチュートリアルでは、FIWARE アプリケーションへのアクセスも保護しますが、さまざまな
-OpenID Connect フローを使用してユーザを認証します。
-
-## コンテンツ
-
-
-詳細
-
-- [ID の認証](#authenticating-identities)
- - [:arrow_forward: ビデオ: OpenID Connect とは何ですか?](#arrow_forward-video-what-is-openid-connect)
- - [JSON Web Tokens の標準概念](#standard-concepts-of-json-web-tokens)
-- [前提条件](#prerequisites)
- - [Docker](#docker)
- - [Cygwin](#cygwin)
-- [アーキテクチャ](#architecture)
- - [チュートリアルのセキュリティ設定](#tutorial-security-configuration)
-- [起動](#start-up)
- - [登場人物 (Dramatis Personae)](#dramatis-personae)
-- [OIDC フロー](#oidc-flows)
- - [OpenID Connect の有効化](#enable-openid-connect)
- - [GUI](#gui)
- - [REST API](#rest-api)
- - [認可コード・フロー (Authorization Code Flow)](#authorization-code-flow)
- - [認可コード - サンプル・コード](#authorization-code---sample-code)
- - [認可コード - サンプルの実行](#authorization-code---running-the-example)
- - [暗黙フロー](#implicit-flow)
- - [暗黙フロー - サンプル・コード](#implicit-flow---sample-code)
- - [暗黙フロー - サンプルの実行](#implicit-flow---running-the-example)
- - [ハイブリッド・フロー](#hybrid-flow)
- - [ハイブリッド - サンプル・コード](#authorization-code---sample-code)
- - [ハイブリッド - サンプルの実行](#authorization-code---running-the-example)
-- [次のステップ](#next-steps)
-
-
-
-
-
-# ID の認証 (Authenticating Identities)
-
-> "Yes, your home is your castle, but it is also your identity
-> and your possibility to be open to others.
->
-> — David Soul
-
-デジタル ID (Digital identities) は、人々の特性とインターネット上で実行されるアクションの両方を表します。
-アプリケーションを保護するためには、ID が本当に本人であることを認証する必要があります。FIWARE **Keyrock**
-generic enabler は OAuth 2.0 に加えて、[OpenID Connect](https://openid.net/connect/) (OIDC) をサポートし、
-サードパーティ・アプリケーションがユーザを認証できるようにします。**OpenID Connect** は、OAuth 2.0 プロトコルの上に
-あるシンプルな ID レイヤです。[JSON Web Tokens](https://jwt.io/) を使用して、ユーザの身元を確認し、
-これらのユーザに関する基本的なプロファイルを取得できます。
-
-OpenID Connect フローは、次の3つの OAuth 2.0 グラント・フローの上に構築されています:
-
-- [認可コード (Authorization Code)](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth)
-- [暗黙 (Implicit)](https://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth)
-- [ハイブリッド (Hybrid)](https://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth)
-
-認可 (Authorization) と認証 (Authentication) は2つのまったく異なるものです。1つ目は特定のデータへのアクセスを
-許可または禁止し、2つ目はサイン・インについてです。OAuth2.0 は認可プロセスを有効にしますが、ユーザを識別および
-認証する方法がありません。OIDC は、OAuth 2.0 認証の問題を解決するために作成されました。OAuth 2.0 と OIDC
-は、ユーザ名とパスワードの公開を避けてユーザを識別するトークンを生成します。特に、OIDC は JSON Web Token (JWT)
-を生成します。これは、アプリケーションが本質的にそれ自体からユーザ情報を検証して直接取得できるものです。
-
-
-
-## :arrow_forward: ビデオ: OpenID Connect とは何ですか?
-
-[![](https://fiware.github.io/tutorials.Step-by-Step/img/video-logo.png)](https://www.youtube.com/watch?v=Kb56GzQ2pSk "OpenID connect")
-
-上の画像をクリックして、OpenID Connect と Identity に関するビデオをご覧ください。
-
-OAuth2 は、アクセス権を付与するためのメカニズムです。具体的には、**認証** (Authorization) です -
-(_これを実行できますか?_)。技術的には、OAuth プロトコル内には、**ID** (Identity) 自体の概念がないため、
-モバイル・アプリのログインのような、特定の**認証**のユースケースを実行できる場合でも、実際には**認証**
-(_私は User X です_) 向けに設計されていません。OpenID は OAuth2 の拡張機能を提供し、アプリケーションが
-標準的な方法でユーザ情報を取得できるようにします。
-
-OpenID 接続は、(**Keyrock** など) 複数のエンティティ・プロバイダで機能し、JSON Web tokens を使用して
-操作されます。いくつかの基本的なユーザ情報を保持する追加の ID token をレスポンスに追加します。
-追加のユーザ情報は、標準化された `/userinfo` エンドポイントからリクエストできます。
-
-OpenID connect リクエストは、OAuth2 リクエストと非常によく似たフローに従います。これらは、最初の
-リクエストを行うときに `openid` スコープを使用して区別されます。レスポンスには、以下に説明する要素を
-保持するエンコードされた JSON Web Token (JWT) が含まれます。
-
-| 名前 | 説明 |
-| ----- | -------------------------------------------- |
-| `iss` | レスポンスの発行者の発行者 ID |
-| `sub` | サブジェクト識別子 |
-| `aud` | この ID token の対象となるオーディエンス (s) |
-| `exp` | 有効期限 |
-| `iat` | JWT が発行された時刻 |
-
-他のエントリも追加される場合があります。完全な OpenID 仕様は
-[こちら](https://openid.net/specs/openid-connect-core-1_0.html) にあります。
-
-
-
-## JSON Web Tokens の標準概念
-
-JSON Web Token (JWT) の構造は次のとおりです:
-
-- ヘッダー。これは JSON Web Token の署名に使用されるアルゴリズムを識別します。
-
-```json
-{
- "alg": "HS256",
- "typ": "JWT"
-}
-```
-
-- ペイロード。トークンが作成された時期と作成者に関する情報だけでなく、ユーザ・データも含まれています。
-
-```json
-{
- "sub": "1234567890",
- "iss": "https://fiware-idm.com",
- "iat": 1516239022,
- "username": "Alice",
- "gravatar": true
-}
-```
-
-- 署名 (Signature)。次のように生成されます:
-
-```text
-Crypto-Algorithm ( base64urlEncoding(header) + '.' + base64urlEncoding(payload), secret)
-```
-
-JWT は、Base64 を使用して各部分をエンコードし、それらをポイント (.) で連結した結果です。例えば:
-
-```text
-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiaXNzIjoiaHR0cHM6Ly9maXdhcmUtaWRtLmNvbSIsImlhdCI6MTUxNjIzOTAyMiwidXNlcm5hbWUiOiJBbGljZSIsImdyYXZhdGFyIjp0cnVlfQ.dZ7z0u_4FZC7xiVQDtGAl7NRT0fK8_5hJqYa9E-4xGE
-```
-
-
-
-# 前提条件
-
-
-
-## Docker
-
-物事を単純にするために、両方のコンポーネントが [Docker](https://www.docker.com) を使用して実行されます。**Docker**
-は、さまざまコンポーネントをそれぞれの環境に分離することを可能にするコンテナ・テクノロジです。
-
-- Docker Windows にインストールするには、
- [こちら](https://docs.docker.com/docker-for-windows/)の手順に従ってください
-- Docker Mac にインストールするには、
- [こちら](https://docs.docker.com/docker-for-mac/)の手順に従ってください
-- Docker Linux にインストールするには、
- [こちら](https://docs.docker.com/install/)の手順に従ってください
-
-**Docker Compose** は、マルチコンテナ Docker アプリケーションを定義して実行するためのツールです。
-[YAML file](https://raw.githubusercontent.com/Fiware/tutorials.Securing-Access-OpenID-Connect/master/docker-compose.yml)
-ファイルは、アプリケーションのために必要なサービスを構成するために使用します。つまり、すべてのコンテナ・サービスは
-1つのコマンドで呼び出すことができます。Docker Compose は、デフォルトで Docker for Windows と Docker for Mac の一部と
-してインストールされますが、Linux ユーザは[ここ](https://docs.docker.com/compose/install/)に記載されている手順に従う
-必要があります。
-
-
-
-## Cygwin
-
-シンプルな bash スクリプトを使用してサービスを開始します。Windows ユーザは [cygwin](http://www.cygwin.com/) を
-ダウンロードして、Windows 上の Linux ディストリビューションと同様のコマンドライン機能を提供する必要があります。
-
-
-
-# アーキテクチャ
-
-このアプリケーションは、最初の[セキュリティ・チュートリアル](https://github.com/FIWARE/tutorials.Identity-Management/)
-で作成されたデータを使用してプログラムで読み取ることにより、
-[以前のチュートリアル](https://github.com/FIWARE/tutorials.Identity-Management/)で作成された既存の在庫管理および
-センサ・ベースのアプリケーションに OIDC ドリブンのセキュリティを追加します。これは、1つの FIWARE コンポーネント -
-[Keyrock](https://fiware-idm.readthedocs.io/en/latest/) Generic enabler を使用します。**Keyrock** は独自の
-[MySQL](https://www.mysql.com/) データベースを使用します。 このチュートリアルでは、OIDC を使用して JWT
-を付与することにのみ焦点を当てています。
-[セキュリティで保護されたアクセスのチュートリアル](https://github.com/FIWARE/tutorials.Securing-Access)
-では、トークンを使用してセンサ情報に安全にアクセスする方法を学習できます。
-
-したがって、全体的なアーキテクチャは次の要素で構成されます:
-
-- FIWARE [Keyrock](https://fiware-idm.readthedocs.io/en/latest/) は、以下を含んだ、補完的な ID 管理システムを
- 提供します:
- - アプリケーションとユーザのための OAuth2 認可システム
- - アプリケーションとユーザのための OIDC 認証システム
- - ID 管理のための Web サイトのグラフィカル・フロントエンド
- - HTTP リクエストによる ID 管理用の同等の REST API
-- [MySQL](https://www.mysql.com/) データベース :
- - ユーザ ID、アプリケーション、ロール、および権限を保持するために使用されます
-- **在庫管理フロントエンド**には、次のことを行います:
- - 店舗情報を表示します
- - 各店舗でどの商品を購入できるかを示します
- - ユーザが製品を"購入"して在庫数を減らすことができます
- - 許可されたユーザを制限されたエリアに入れることができます
-
-要素間のすべての対話は HTTP リクエストによって開始されるため、エンティティはコンテナ化され、公開されたポートから実行
-されます。
-
-![](https://fiware.github.io/tutorials.Securing-Access-OpenID-Connect/img/architecture.png)
-
-**在庫管理フロントエンド**にセキュリティを追加するために必要な設定情報は、関連する `docker-compose.yml` ファイルの
-`tutorial` セクションにあります。関連する変数を以下に示します。
-
-
-
-## チュートリアルのセキュリティ設定
-
-```yaml
-tutorial:
- image: quay.io/fiware/tutorials.context-provider
- hostname: iot-sensors
- container_name: fiware-tutorial
- networks:
- default:
- ipv4_address: 172.18.1.7
- expose:
- - "3000"
- - "3001"
- ports:
- - "3000:3000"
- - "3001:3001"
- environment:
- - "DEBUG=tutorial:*"
- - "SECURE_ENDPOINTS=true"
- - "OIDC_ENABLED=true"
- - "WEB_APP_PORT=3000"
- - "KEYROCK_URL=http://localhost"
- - "KEYROCK_IP_ADDRESS=http://172.18.1.5"
- - "KEYROCK_PORT=3005"
- - "KEYROCK_CLIENT_ID=tutorial-dckr-site-0000-xpresswebapp"
- - "KEYROCK_CLIENT_SECRET=tutorial-dckr-site-0000-clientsecret"
- - "KEYROCK_JWT_SECRET=jsonwebtokenpass"
- - "CALLBACK_URL=http://localhost:3000/login"
-```
-
-`tutorial` コンテナは、2 つのポートでリッスンしています :
-
-- ポート `3000` が公開されているので、ダミー IoT デバイスを表示する Web ページが表示されます
-- ポート `3001` は純粋にチュートリアルアクセスのために公開されているため、cUrl または Postman は同じネットワークの
- 一部ではなくても、UltraLight コマンドを作成できます
-
-`tutorial` コンテナは、次に示すように環境変数によってドライブされます:
-
-| キー | 値 | 説明 |
-| --------------------- | -------------------------------------- | ---------------------------------------------------------------------------------------------- |
-| DEBUG | `tutorial:*` | ロギングに使用されるデバッグ・フラグ |
-| OIDC_ENABLED | `true` | チュートリアルでOpenID Connectを有効化 |
-| KEYROCK_CLIENT_ID | `tutorial-dckr-site-0000-xpresswebapp` | このアプリケーションで Keyrock によって定義された、Client ID |
-| KEYROCK_CLIENT_SECRET | `tutorial-dckr-site-0000-clientsecret` | このアプリケーションで Keyrock によって定義された、Client Secret |
-| KEYROCK_JWT_SECRET | `jsonwebtokenpass` | このアプリケーションが id_tokens を検証するために Keyrock によって定義された JWT Secret |
-| CALLBACK_URL | `http://localhost:3000/login` | チャレンジが成功したときに Keyrock が使用するコールバック URL |
-
-YAML ファイルに記述されている、他の `tutorial`コンテナの設定値は、以前のチュートリアルで説明しています
-
-
-
-# 起動
-
-インストールを開始するには、次の手順を実行します:
-
-```console
-git clone https://github.com/FIWARE/tutorials.Securing-Access-OpenID-Connect.git
-cd tutorials.Securing-Access-OpenID-Connect
-git checkout NGSI-v2
-
-./services create
-```
-
-> **注** Docker イメージの最初の作成には最大 3 分かかります
-
-その後、リポジトリ内で提供される
-[services](https://github.com/FIWARE/tutorials.Securing-Access-OpenID-Connect/blob/NGSI-v2/services) Bash
-スクリプトを実行することによって、コマンドラインからすべてのサービスを初期化することができます:
-
-```console
-./services
-```
-
-ここで、`` は、私たちがアクティベートしたいエクササイズに応じて変わります。
-
-> :information_source: **注:** クリーンアップをやり直したい場合は、次のコマンドを使用して再起動することができます:
->
-> ```console
-> ./services stop
-> ```
-
-
-
-### 登場人物 (Dramatis Personae)
-
-次の `test.com` のメンバは、合法的にアプリケーション内にアカウントを持っています
-
-- Alice, **Keyrock** アプリケーションの管理者です
-- Bob, スーパー・マーケット・チェーンの地域マネージャで、数人のマネージャがいます :
- - Manager1 (マネージャ 1)
- - Manager2 (マネージャ 2)
-- Charlie, スーパー・マーケット・チェーンのセキュリティ責任者。彼の下に数人の警備員がいます :
- - Detective1 (警備員 1)
- - Detective2 (警備員 2)
-
-次の`example.com` のメンバはアカウントにサインアップしましたが、アクセスを許可する理由はありません
-
-- Eve - 盗聴者のイブ
-- Mallory - 悪意のある攻撃者のマロリー
-- Rob - 強盗のロブ
-
-
-
- 詳細 (クリックして拡大)
-
-
-| 名前 | E メール | パスワード |
-| ---------- | --------------------------- | ---------- |
-| alice | `alice-the-admin@test.com` | `test` |
-| bob | `bob-the-manager@test.com` | `test` |
-| charlie | `charlie-security@test.com` | `test` |
-| manager1 | `manager1@test.com` | `test` |
-| manager2 | `manager2@test.com` | `test` |
-| detective1 | `detective1@test.com` | `test` |
-| detective2 | `detective2@test.com` | `test` |
-
-| 名前 | E メール | パスワード |
-| ------- | --------------------- | ---------- |
-| eve | `eve@example.com` | `test` |
-| mallory | `mallory@example.com` | `test` |
-| rob | `rob@example.com` | `test` |
-
-
-Alice によって 2 つの組織 (organizations) が設定されました:
-
-| 名前 | 説明 | UUID |
-| ---------- | ----------------------------------- | -------------------------------------- |
-| Security | Security Group for Store Detectives | `security-team-0000-0000-000000000000` |
-| Management | Management Group for Store Managers | `managers-team-0000-0000-000000000000` |
-
-適切なロールと権限を持つ 1 つのアプリケーション も作成されました:
-
-| Key | Value |
-| ------------- | -------------------------------------- |
-| Client ID | `tutorial-dckr-site-0000-xpresswebapp` |
-| Client Secret | `tutorial-dckr-site-0000-clientsecret` |
-| JWT Secret | `jsonwebtokenpass` |
-| URL | `http://localhost:3000` |
-| RedirectURL | `http://localhost:3000/login` |
-
-時間を節約するために、
-[以前のチュートリアル](https://github.com/FIWARE/tutorials.Roles-Permissions)の users と organizations を作成する
-データがダウンロードされ、起動時に自動的に MySQL データベースに保存されるため、割り当てられた UUIDs は変更されず、
-データを再度入力する必要もありません。
-
-**Keyrock** MySQL データベースは、ユーザ、パスワードなどの格納を含むアプリケーション・セキュリティのあらゆる側面を
-扱います。アクセス権を定義し、OAuth2 認証プロトコルを扱います。完全なデータベース関係図は
-[ここ](https://fiware.github.io/tutorials.Securing-Access/img/keyrock-db.png)にあります。
-
-ユーザ (users) や組織 (organizations)、アプリケーション (applications) を作成する方法について思い出すには、
-アカウント `alice-the-admin@test.com` と パスワード `test` を使用して、`http://localhost:3005/idm`
-にログインします。
-
-![](https://fiware.github.io/tutorials.Securing-Access/img/keyrock-log-in.png)
-
-そして、周りを見回してください。
-
-
-# OIDC フロー (OIDC Flows)
-
-FIWARE **Keyrock** は、[OpenID Connect 1.0](https://openid.net/specs/openid-connect-core-1_0.html)
-で説明されている OIDC 標準に準拠しています。そこで定義されている3つの標準認証フローすべてをサポートします。
-
-OIDC は OAuth 2.0 の最上位に構築されているため、OAuth トークン・エンドポイントにリクエストを送信すると、
-`Authorization` ヘッダは、**Keyrock** によって提供されるアプリケーションの Client ID と Client Secret
-の認証情報を `:` で区切り、Base64 でエンコードして作成されます。 値は次のように生成できます:
-
-```console
-echo tutorial-dckr-site-0000-xpresswebapp:tutorial-dckr-site-0000-clientsecret | base64
-```
-
-```
-dHV0b3JpYWwtZGNrci1zaXRlLTAwMDAteHByZXNzd2ViYXBwOnR1dG9yaWFsLWRja3Itc2l0ZS0wMDAwLWNsaWVudHNlY3JldAo=
-```
-
-
-
-## OpenID Connect の有効化
-
-OpenID Connect は、GUI または REST API を介して Keyrock のアプリケーションで有効にできます。
-
-
-
-### GUI
-
-サイン・インすると、ユーザは Web ページを通じてアプリケーションで OIDC をアクティブ化できます。
-
-![](https://fiware.github.io/tutorials.Securing-Access-OpenID-Connect/img/edit-OIDC.png)
-
-JSON Web トークンを検証するときに使用される Secret は、アプリケーション情報の Web ページにあります。
-
-![](https://fiware.github.io/tutorials.Securing-Access-OpenID-Connect/img/jwtsecret-OIDC.png)
-
-JWT secret は、OAuth2 クレデンシャル・セクションの "Secret をリセット" ボタンをクリックして更新することもできます。
-
-![](https://fiware.github.io/tutorials.Securing-Access-OpenID-Connect/img/jwtsecret-reset-OIDC.png)
-
-
-
-### REST API
-
-Keyrock でアプリケーションを作成するときに、OIDC を有効にすることもできます。
-[ロールとパーミッションのチュートリアル](https://github.com/FIWARE/tutorials.Roles-Permissions) で説明されているように、
-`/v1/applications` への POST リクエストを介して作成でき、`scope` 属性に `openid` を含めます。
-
-```console
-curl -iX POST \
- 'http://localhost:3005/v1/applications' \
- -H 'Content-Type: application/json' \
- -H 'X-Auth-token: aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa' \
- -d '{
- "application": {
- "name": "Tutorial Application",
- "description": "FIWARE Application protected by OAuth2 and Keyrock",
- "redirect_uri": "http://tutorial/login",
- "url": "http://tutorial",
- "grant_type": [
- "authorization_code",
- "implicit",
- "password"
- ],
- "scope": "openid",
- "token_types": ["permanent"]
- }
-}'
-```
-
-アプリケーションがすでに作成されている場合は、PATCH リクエストを行うことにより、コマンドラインから行うこともできます。
-
-```console
-curl -X PATCH \
- 'http://localhost:3005/v1/applications/{{application-id}}' \
- -H 'Content-Type: application/json' \
- -H 'X-Auth-token: aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa' \
- -d '{
- "application": {
- "scope": "openid"
- }
-}'
-```
-
-
-
-## 認可コード・フロー (Authorization Code Flow)
-
-[認可コード](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth)・フローは、
-認証メカニズムをサポートするように調整できます。 OIDC は、自動化コード自体のフローを変更するのではなく、
-以下に示すように、認可エンドポイントへのリクエストにパラメータを追加するだけです。レスポンスは、id_token
-と交換できるアクセス・コード (access-code) を返します。これにより、ユーザが識別されます。
-
-![](https://fiware.github.io/tutorials.Securing-Access/img/authcode-flow.png)
-
-これは、Travis-CI などのサード・パーティが GitHub アカウントを使用してログインするように要求するときに使用される
-種類のフローの例です。 Travis があなたのパスワードにアクセスすることはありませんが、GitHub からあなたが主張している
-人物であるという詳細を受け取ります。
-
-
-
-### 認可コード - サンプル・コード
-
-ユーザは最初に **Keyrock** にリダイレクトされ、 `code` をリクエストする必要があります。`oa.getAuthorizeUrl()` は
-`/oauth/authorize?response_type=code&client_id={{client-id}}&state=oic&redirect_uri={{callback_url}}&scope=openid`
-形式の URL を返します
-
-"openid" の値は、これが OIDC リクエストであることを Keyrock に示すために、リクエストのスコープ・パラメータに
-含まれています。このチュートリアルの状態値は、"oauth2" と "oic" の場合があります。 この値は、Keyrock
-からの回答を管理する方法を示します。
-
-```javascript
-function authCodeOICGrant(req, res) {
- const path = oa.getAuthorizeUrl("code", "openid", "oic");
- return res.redirect(path);
-}
-```
-
-ユーザがアクセスを承認した後、レスポンスは `redirect_uri` によって受信され、以下のコードで処理されます。
-**Keyrock** から暫定アクセス・コードを受け取り、使用可能な `id_token` を取得するために2番目のリクエストを
-行う必要があります。
-
-
-```javascript
-function authCodeOICGrantCallback(req, res) {
- return oa
- .getOAuthAccessToken(req.query.code, "authorization_code")
- .then((results) => {
- return getUserFromIdToken(req, results.id_token);
- })
- .then((user) => {
- // Store user
- });
-}
-```
-
-id_tokenは、環境変数を介してアプリケーションで事前構成した JWT Secret を使用して検証し、その id_token
-からユーザ情報を取得できる JWT にすぎません。
-
-```javascript
-function getUserFromIdToken(req, idToken) {
- return new Promise(function (resolve, reject) {
- jwt.verify(idToken, jwtSecret, function (error, decoded) {
- // Decoded --> Json with user, token and issuer information
- });
- });
-}
-```
-
-デコードされた json は、次のように返されます:
-
-```json
-{
- "alg": "HS256",
- "typ": "JWT"
-}
-```
-
-```json
-{
- "organizations": [],
- "displayName": "",
- "roles": [],
- "app_id": "tutorial-dckr-site-0000-xpresswebapp",
- "trusted_apps": [],
- "isGravatarEnabled": false,
- "email": "alice-the-admin@test.com",
- "id": "aaaaaaaa-good-0000-0000-000000000000",
- "app_azf_domain": "",
- "username": "alice",
- "trusted_applications": [],
- "iss": "https://fiware-idm.com",
- "sub": "aaaaaaaa-good-0000-0000-000000000000",
- "aud": "tutorial-dckr-site-0000-xpresswebapp",
- "exp": 1516238462,
- "iat": 1516239022
-}
-```
-
-JWT を自分でデコードするには、トークンを[JWTサイト](https://jwt.io/) に貼り付けることができます
-
-トークンの署名に使用される署名は `59de900a973fa2e0` であり、サイトに貼り付けて、 エンコードされた
-ID は Keyrock から来ました。
-
-```text
-HMACSHA256(
- base64UrlEncode(header) + "." +
- base64UrlEncode(payload),
- 59de900a973fa2e0
-)
-```
-
-
-
-### 認可コード - サンプルの実行
-
-`http://localhost:3000/` のページを表示し、Authorization Code ボタンをクリックすることで、
-認可コード・グラント・フロー (Authorization Code grant flow) をプログラムで呼び出すことができます。
-
-ユーザは最初に **Keyrock** にリダイレクトされ、ログインする必要があります
-
-![](https://fiware.github.io/tutorials.Securing-Access/img/keyrock-log-in.png)
-
-次に、ユーザはリクエストを承認する必要があります
-
-![](https://fiware.github.io/tutorials.Securing-Access/img/keyrock-authorize.png)
-
-レスポンスでは、画面の右上にユーザが表示され、トークンの詳細が画面に表示されます:
-
-![](https://fiware.github.io/tutorials.Securing-Access-OpenID-Connect/img/authCode-OIDC-web.png)
-
-> **注** **Keyrock** > `http://localhost:3005` から故意にログアウトしない限り、すでにアクセスを許可している既存の
-> **Keyrock** セッションが後続の認証リクエストに使用されるため、 **Keyrock** ログイン画面が再び表示されることは
-> ありません。
-
-
-
-## 暗黙フロー (Implicit Flow)
-
-[暗黙](https://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth)フローは、
-認証メカニズムをサポートするように調整することもできます。OIDC は、認可コード・グラントと同様に、
-フローを変更せずに、リクエストの response_type を変更します。このフローは、暫定的なアクセスコードを返すのではなく、
-`id_token` を直接返します。これは 認可コード・フローほど安全ではありませんが、一部のクライアント側
-アプリケーションで使用できます。
-
-![](https://fiware.github.io/tutorials.Securing-Access/img/implicit-flow.png)
-
-
-
-### 暗黙フロー - サンプル・コード
-
-ユーザは最初に **Keyrock** にリダイレクトされ、`token` をリクエストする必要があります。`oa.getAuthorizeUrl()` は、
-`/oauth/authorize?response_type=id_token&client_id={{client-id}}&state=oic&redirect_uri={{callback_url}}` 形式の
-URL を返します。OIDC フローに従う場合、レスポンスのタイプは "id_token" であることに注意してください。
-
-```javascript
-function implicitOICGrant(req, res) {
- const path = oa.getAuthorizeUrl("id_token", null, "oic");
- return res.redirect(path);
-}
-```
-
-ユーザがアクセスを承認した後、レスポンスは `redirect_uri` によって受信され、以下のコードで処理され、
-使用可能なアクセス・トークンが **Keyrock** から受信されます。
-
-```javascript
-function implicitOICGrantCallback(req, res) {
- return getUserFromIdToken(req, req.query.id_token).then((user) => {
- // Store User and return
- });
-}
-```
-
-id_token は、認可コードのセクションで説明したように、JWT Secret を使用して検証できる単なる JWT です。
-
-
-
-### 暗黙フロー - サンプルの実行
-
-`http://localhost:3000/` のページを表示し、Implicit Grant ボタンをクリックすることにより、プログラムで
-暗黙グラント・フロー (Implicit grant flow) を呼び出すことができます。
-
-ユーザは最初に **Keyrock** にリダイレクトされ、ログインする必要があります。
-
-![](https://fiware.github.io/tutorials.Securing-Access/img/keyrock-log-in.png)
-
-ユーザはリクエストを承認する必要があります。
-
-![](https://fiware.github.io/tutorials.Securing-Access/img/keyrock-authorize.png)
-
-レスポンスでは、画面の右上にユーザが表示され、トークンの詳細も画面に表示されます:
-
-![](https://fiware.github.io/tutorials.Securing-Access-OpenID-Connect/img/implicit-OIDC-web.png)
-
-> **注** **Keyrock** > `http://localhost:3005` から故意にログアウトしない限り、すでにアクセスを許可している既存の
-> **Keyrock** セッションが後続の認証リクエストに使用されます。
-
-
-
-## ハイブリッド・フロー (Hybrid Flow)
-
-[ハイブリッド](https://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth)・フローは、認可コードと
-暗黙グラントを組み合わせています。 アプリケーションのフロント・エンドとバック・エンドでプロセスを並列化すると
-便利な場合があります。フローは認可コード・グラントに似ていますが、この場合、トークンは認可エンドポイントと
-トークン・エンドポイントの両方で生成されます。
-
-
-
-### ハイブリッド - サンプル・コード
-
-ユーザは最初に **Keyrock** にリダイレクトされ、`code` をリクエストする必要があります。`oa.getAuthorizeUrl()` は
-`/oauth/authorize?response_type=code id_token token&client_id={{client-id}}&state=oic&redirect_uri={{callback_url}}&scope=openid`
-形式の URL を返します。ハイブリッド・フローでは、すべての response_types (code, token, id_token)
-を含める必要があることに注意してください。最初のリクエストでは、これにより認可コード、アクセス・トークン、および
-id_token が生成されます。 スコープ "openid" も含める場合、以前に生成された認可コードを使用すると、Keyrock
-は新しいアクセス・トークンと新しい id_token を生成します。
-
-```javascript
-function hybridOICGrant(req, res) {
- const path = oa.getAuthorizeUrl("code id_token token", "openid", "oic");
- return res.redirect(path);
-}
-
-```
-
-ユーザがアクセスを承認した後、レスポンスは `redirect_uri` によって受信され、以下のコードで処理されます。
-暫定アクセス・コード (A interim access code) は **Keyrock** から受信され、使用可能な `id_token`
-を取得するために2番目のリクエストを行う必要があります。
-
-```javascript
-function authCodeOICGrantCallback(req, res) {
- return oa
- .getOAuthAccessToken(req.query.code, "hybrid")
- .then((results) => {
- return getUserFromIdToken(req, results.id_token);
- })
- .then((user) => {
- // Store User and return
- })
-}
-```
-
-id_token は、認可コードのセクションで説明したように、JWT Secret を使用して検証できる単なる JWT です。
-
-
-
-### ハイブリッド - サンプルの実行
-
-`http://localhost:3000/` のページを表示し、Authorization Code ボタンをクリックすることにより、
-プログラムでハイブリッド・フローを呼び出すことができます。
-
-ユーザは最初に **Keyrock** にリダイレクトされ、ログインする必要があります。
-
-
-![](https://fiware.github.io/tutorials.Securing-Access/img/keyrock-log-in.png)
-
-ユーザはリクエストを承認する必要があります。
-
-![](https://fiware.github.io/tutorials.Securing-Access/img/keyrock-authorize.png)
-
-レスポンスでは、画面の右上にユーザが表示され、トークンの詳細も画面に表示されます:
-
-![](https://fiware.github.io/tutorials.Securing-Access-OpenID-Connect/img/hybrid-OIDC-web.png)
-
-> **注** **Keyrock** > `http://localhost:3005` から故意にログアウトしない限り、すでにアクセスを許可している既存の
-> **Keyrock** セッションが後続の認証リクエストに使用されるため、 **Keyrock** ログイン画面が再び表示されることは
-> ありません。
-
-
-
-# 次のステップ
-
-高度な機能を追加することで、アプリケーションに複雑さを加える方法を知りたいですか
-?このシリーズ
-の[他のチュートリアル](https://www.letsfiware.jp/fiware-tutorials)を読むことで見
-つけることができます。
-
----
-
-## License
-
-[MIT](LICENSE) © 2018-2024 FIWARE Foundation e.V.
diff --git a/README.md b/README.md
index e6a683c..c8aef20 100644
--- a/README.md
+++ b/README.md
@@ -1,246 +1,18 @@ -[![FIWARE Banner](https://fiware.github.io/tutorials.Securing-Access-OpenID-Connect/img/fiware.png)](https://www.fiware.org/developers) +[![FIWARE Banner](https://fiware.github.io/tutorials.Securing-Access-OpenID-Connect-OpenID-Connect/img/fiware.png)](https://www.fiware.org/developers) [![FIWARE Security](https://nexus.lab.fiware.org/repository/raw/public/badges/chapters/security.svg)](https://github.com/FIWARE/catalogue/blob/master/security/README.md) -[![License: MIT](https://img.shields.io/github/license/fiware/tutorials.Securing-Access.svg)](https://opensource.org/licenses/MIT) +[![License: MIT](https://img.shields.io/github/license/fiware/tutorials.Securing-Access-OpenID-Connect.svg)](https://opensource.org/licenses/MIT) [![Support badge](https://img.shields.io/badge/tag-fiware-orange.svg?logo=stackoverflow)](https://stackoverflow.com/questions/tagged/fiware) [![OpenID 1.0](https://img.shields.io/badge/OpenID-1.0-ff7059.svg)](https://openid.net/specs/openid-connect-core-1_0.html) -
[![Documentation](https://img.shields.io/readthedocs/fiware-tutorials.svg)](https://fiware-tutorials.rtfd.io) -This tutorial complements the previous [Securing Access tutorial](https://github.com/FIWARE/tutorials.Securing-Access). +This tutorial complements the previous [Securing Access tutorial](https://github.com/FIWARE/tutorials.Securing-Access-OpenID-Connect). This tutorial also secures access to a FIWARE application but using various OpenID Connect flows to authenticate users. -- このチュートリアルは[日本語](README.ja.md)でもご覧いただけます。 +# Start-Up -## Contents +## NGSI-v2 Smart Supermarket -
-Details - -- [Authenticating Identities](#authenticating-identities) - - [:arrow_forward: Video: What is OpenID Connect?](#arrow_forward-video-what-is-openid-connect) - - [Standard Concepts of Json Web Tokens](#standard-concepts-of-json-web-tokens) -- [Prerequisites](#prerequisites) - - [Docker](#docker) - - [Cygwin](#cygwin) -- [Architecture](#architecture) - - [Tutorial Security Configuration](#tutorial-security-configuration) -- [Start Up](#start-up) - - [Dramatis Personae](#dramatis-personae) -- [OIDC Flows](#oidc-flows) - - [Enable OpenID Connect](#enable-openid-connect) - - [GUI](#gui) - - [REST API](#rest-api) - - [Authorization Code Flow](#authorization-code-flow) - - [Authorization Code - Sample Code](#authorization-code---sample-code) - - [Authorization Code - Running the Example](#authorization-code---running-the-example) - - [Implicit Flow](#implicit-flow) - - [Implicit Flow - Sample Code](#implicit-flow---sample-code) - - [Implicit Flow - Running the Example](#implicit-flow---running-the-example) - - [Hybrid Flow](#hybrid-flow) - - [Hybrid - Sample Code](#authorization-code---sample-code) - - [Hybrid - Running the Example](#authorization-code---running-the-example) - -
- -# Authenticating Identities - -> "Yes, your home is your castle, but it is also your identity and your possibility to be open to others. -> -> — David Soul - -Digital identities represent both the characteristics of people and the actions they carry out on the Internet. In order -to secure an application it is necessary to authenticate that the identity is really who it says it is. In addition to -OAuth 2.0, the FIWARE **Keyrock** generic enabler supports [OpenID Connect](https://openid.net/connect/) (OIDC) to -enable third-party applications to authenticate users. **OpenID Connect** is a simple identity layer on top of the OAuth -2.0 protocol. It enables to verify the identity of users and to obtain a basic profile about these users by using -[Json Web Tokens](https://jwt.io/). - -The OpenID Connect flows are build on the top of these three OAuth 2.0 grant flows: - -- [Authorization Code](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) -- [Implicit](https://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth) -- [Hybrid](https://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth) - -Authorization and authentication are two completely different things. The first one allows or not to access certain data -while the second one is about sign in. OAuth 2.0 enables authorization processes, but it lacks ways to identify and -authenticate users. OIDC was created to solve OAuth 2.0 authentication issue. Either OAuth 2.0 and OIDC generate a token -that identifies the user avoiding exposing the username and password. Particularly, OIDC generates a Json Web Token -(JWT) that applications can intrinsically validate and obtain user information directly from itself. - -## :arrow_forward: Video: What is OpenID Connect? - -[![](https://fiware.github.io/tutorials.Step-by-Step/img/video-logo.png)](https://www.youtube.com/watch?v=Kb56GzQ2pSk 'OpenID connect') - -Click on the image above to watch a video on OpenID connect and identity. 
- -OAuth2 is a mechanism for granting access - specifically **Authorization** - _Can I do this?_). Technically, within the -OAuth protocol there is no concept of **Identity** per-se and therefore it is not really designed for **Authentication** -(_I am User X_) even if it is able to fulfil certain **Authentication** use cases such mobile app log in. OpenID -provides an extension to OAuth2 enabling applications to obtain user information in a standard manner. - -OpenID connect works across multiple entity providers (such as **Keyrock**) and is operated using JSON Web tokens. It -adds an additional ID token to the response which holds some basic user information, additional user information can be -requested from the standardized `/userinfo` endpoint. - -OpenID connect requests follow a very similar flow to OAuth2 requests. They are distinguished by using the `openid` -scope when making the initial request. The response contains an encoded JWT token holding elements described below: - -| name | description | -| ----- | ------------------------------------------------- | -| `iss` | Issuer Identifier for the Issuer of the response. | -| `sub` | Subject Identifier. | -| `aud` | Audience(s) that this ID Token is intended for. | -| `exp` | Expiration time. | -| `iat` | Time at which the JWT was issued. | - -Other entries may also be addded. The full OpenID specification can be found -[here](https://openid.net/specs/openid-connect-core-1_0.html) - -## Standard Concepts of Json Web Tokens - -A JSON Web Token (JWT) has the following structure: - -- Header. It identifies the algorithm used to sign the Json Web Token. - -```json -{ - "alg": "HS256", - "typ": "JWT" -} -``` - -- Payload. It contains user data, as well as information on when the token was created and who created it. - -```json -{ - "sub": "1234567890", - "iss": "https://fiware-idm.com", - "iat": 1516239022, - "username": "Alice", - "gravatar": true -} -``` - -- Signature. 
It is generated as follows: - -```text -Crypto-Algorithm ( base64urlEncoding(header) + '.' + base64urlEncoding(payload), secret) -``` - -The JWT is the result of encoding each part using base64 and concatenating them with points. For instance: - -```text -eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiaXNzIjoiaHR0cHM6Ly9maXdhcmUtaWRtLmNvbSIsImlhdCI6MTUxNjIzOTAyMiwidXNlcm5hbWUiOiJBbGljZSIsImdyYXZhdGFyIjp0cnVlfQ.dZ7z0u_4FZC7xiVQDtGAl7NRT0fK8_5hJqYa9E-4xGE -``` - -# Prerequisites - -## Docker - -To keep things simple both components will be run using [Docker](https://www.docker.com). **Docker** is a container -technology which allows to different components isolated into their respective environments. - -- To install Docker on Windows follow the instructions [here](https://docs.docker.com/docker-for-windows/) -- To install Docker on Mac follow the instructions [here](https://docs.docker.com/docker-for-mac/) -- To install Docker on Linux follow the instructions [here](https://docs.docker.com/install/) - -**Docker Compose** is a tool for defining and running multi-container Docker applications. A -[YAML file](https://raw.githubusercontent.com/Fiware/tutorials.Securing-Access-OpenID-Connect/master/docker-compose.yml) -is used configure the required services for the application. This means all container services can be brought up in a -single command. Docker Compose is installed by default as part of Docker for Windows and Docker for Mac, however Linux -users will need to follow the instructions found [here](https://docs.docker.com/compose/install/) - -## Cygwin - -We will start up our services using a simple bash script. Windows users should download [cygwin](http://www.cygwin.com/) -to provide a command-line functionality similar to a Linux distribution on Windows. 
- -# Architecture - -This application adds OIDC-driven security into the existing Stock Management and Sensors-based application created in -[previous tutorials](https://github.com/FIWARE/tutorials.IoT-Agent/) by using the data created in the first -[security tutorial](https://github.com/FIWARE/tutorials.Identity-Management/) and reading it programmatically. It will -make use of one FIWARE component - the [Keyrock](https://fiware-idm.readthedocs.io/en/latest/) Generic enabler. -**Keyrock** uses its own [MySQL](https://www.mysql.com/) database. This tutorial only focus on granting JWT by the use -of OIDC. You can practice using the tokens to securely access sensor information in the tutorial -[Securing Access tutorial](https://github.com/FIWARE/tutorials.Securing-Access). - -Therefore the overall architecture will consist of the following elements: - -- FIWARE [Keyrock](https://fiware-idm.readthedocs.io/en/latest/) offer a complement Identity Management System - including: - - An OAuth2 authorization system for Applications and Users - - An OIDC authentication system for Applications and Users - - A site graphical frontend for Identity Management Administration - - An equivalent REST API for Identity Management via HTTP requests -- A [MySQL](https://www.mysql.com/) database : - - Used to persist user identities, applications, roles and permissions -- The **Stock Management Frontend** does the following: - - Displays store information - - Shows which products can be bought at each store - - Allows users to "buy" products and reduce the stock count. - - Allows authorized users into restricted areas - -Since all interactions between the elements are initiated by HTTP requests, the entities can be containerized and run -from exposed ports. 
- -![](https://fiware.github.io/tutorials.Securing-Access-OpenID-Connect/img/architecture.png) - -The necessary configuration information for adding security to the **Stock Management Frontend** can be found in the -`tutorial` section of the associated `docker-compose.yml` file - only the relevant variables are shown below: - -## Tutorial Security Configuration - -```yaml -tutorial: - image: quay.io/fiware/tutorials.context-provider - hostname: iot-sensors - container_name: fiware-tutorial - networks: - default: - ipv4_address: 172.18.1.7 - expose: - - '3000' - - '3001' - ports: - - '3000:3000' - - '3001:3001' - environment: - - 'DEBUG=tutorial:*' - - 'SECURE_ENDPOINTS=true' - - 'OIDC_ENABLED=true' - - 'WEB_APP_PORT=3000' - - 'KEYROCK_URL=http://localhost' - - 'KEYROCK_IP_ADDRESS=http://172.18.1.5' - - 'KEYROCK_PORT=3005' - - 'KEYROCK_CLIENT_ID=tutorial-dckr-site-0000-xpresswebapp' - - 'KEYROCK_CLIENT_SECRET=tutorial-dckr-site-0000-clientsecret' - - 'KEYROCK_JWT_SECRET=jsonwebtokenpass' - - 'CALLBACK_URL=http://localhost:3000/login' -``` - -The `tutorial` container is listening on two ports: - -- Port `3000` is exposed so we can see the web page displaying the Dummy IoT devices. -- Port `3001` is exposed purely for tutorial access - so that cUrl or Postman can make Ultralight commands without - being part of the same network. 
- -The `tutorial` container is driven by environment variables as shown: - -| Key | Value | Description | -| --------------------- | -------------------------------------- | ---------------------------------------------------------------------------- | -| DEBUG | `tutorial:*` | Debug flag used for logging | -| OIDC_ENABLED | `true` | Enable OpenID Connect in the tutorial | -| KEYROCK_CLIENT_ID | `tutorial-dckr-site-0000-xpresswebapp` | The Client ID defined by Keyrock for this application | -| KEYROCK_CLIENT_SECRET | `tutorial-dckr-site-0000-clientsecret` | The Client Secret defined by Keyrock for this application | -| KEYROCK_JWT_SECRET | `jsonwebtokenpass` | The JWT Secret defined by Keyrock for this application to validate id_tokens | -| CALLBACK_URL | `http://localhost:3000/login` | The callback URL used by Keyrock when a challenge has succeeded. | - -The other `tutorial` container configuration values described in the YAML file have been described in previous tutorials - -# Start Up - -To start the installation, do the following: +**NGSI-v2** offers JSON based interoperability used in individual Smart Systems. To run this tutorial with **NGSI-v2**, use the `NGSI-v2` branch. ```console git clone https://github.com/FIWARE/tutorials.Securing-Access-OpenID-Connect.git 
@@ -248,421 +20,33 @@ cd tutorials.Securing-Access-OpenID-Connect git checkout NGSI-v2 ./services create +./services start ``` -> [!NOTE] -> The initial creation of Docker images can take up to three minutes - -Thereafter, all services can be initialized from the command-line by running the -[services](https://github.com/FIWARE/tutorials.Securing-Access-OpenID-Connect/blob/NGSI-v2/services) Bash script -provided within the repository: - -```console -./services -``` - -Where `` will vary depending upon the exercise we wish to activate. - -> [!NOTE] -> If you want to clean up and start over again you can do so with the following command: -> -> ```console -> ./services stop -> ``` - -### Dramatis Personae - -The following people at `test.com` legitimately have accounts within the Application - -- Alice, she will be the Administrator of the **Keyrock** Application -- Bob, the Regional Manager of the supermarket chain - he has several store managers under him: - - Manager1 - - Manager2 -- Charlie, the Head of Security of the supermarket chain - he has several store detectives under him: - - Detective1 - - Detective2 - -The following people at `example.com` have signed up for accounts, but have no reason to be granted access +| [![NGSI v2](https://img.shields.io/badge/NGSI-v2-5dc0cf.svg)](https://fiware-ges.github.io/orion/api/v2/stable/) | :books: [Documentation](https://github.com/FIWARE/tutorials.Securing-Access-OpenID-Connect/tree/NGSI-v2) | [Postman Collection](https://fiware.github.io/tutorials.Securing-Access-OpenID-Connect/) | +| --- | --- | --- | -- Eve - Eve the Eavesdropper -- Mallory - Mallory the malicious attacker -- Rob - Rob the Robber -
- - For more details (Click to expand) - + Json with user, token and issuer information - }); - }); -} -``` - -The decoded json is return as shown: - -```json -{ - "alg": "HS256", - "typ": "JWT" -} -``` - -```json -{ - "organizations": [], - "displayName": "", - "roles": [], - "app_id": "tutorial-dckr-site-0000-xpresswebapp", - "trusted_apps": [], - "isGravatarEnabled": false, - "email": "alice-the-admin@test.com", - "id": "aaaaaaaa-good-0000-0000-000000000000", - "app_azf_domain": "", - "username": "alice", - "trusted_applications": [], - "iss": "https://fiware-idm.com", - "sub": "aaaaaaaa-good-0000-0000-000000000000", - "aud": "tutorial-dckr-site-0000-xpresswebapp", - "exp": 1516238462, - "iat": 1516239022 -} -``` - -To decode the JWT yourself, you can paste the token into the [JWT site](https://jwt.io/) - The signature used to sign -the token is `59de900a973fa2e0` and can be pasted into the site to verify that the encoded identity came from Keyrock - -```text -HMACSHA256( - base64UrlEncode(header) + "." 
+ - base64UrlEncode(payload), - 59de900a973fa2e0 -) -``` - -### Authorization Code - Running the Example - -It is possible to invoke the Authorization Code grant flow programmatically, by bringing up the page -`http://localhost:3000/` and clicking on the Authorization Code Button - -The user is initially redirected to **Keyrock**, and must log in - -![](https://fiware.github.io/tutorials.Securing-Access-OpenID-Connect/img/keyrock-log-in.png) - -The user must then authorize the request - -![](https://fiware.github.io/tutorials.Securing-Access-OpenID-Connect/img/keyrock-authorize.png) - -The response displays the user on the top right of the screen, details of the token are flashed onto the screen: - -![](https://fiware.github.io/tutorials.Securing-Access-OpenID-Connect/img/authCode-OIDC-web.png) - -> **Note** Unless you deliberately log out of **Keyrock** > `http://localhost:3005`, the existing **Keyrock** session -> which has already permitted access will be used for subsequent authorization requests, so the **Keyrock** login screen -> will not be shown again. - -## Implicit Flow - -The [Implicit](https://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth) flow can also be adapted to -support authentication mechanisms. As well as in the authorization code grant, OIDC does not modify the flow but changes -the response_type of the requests. This flow returns an `id_token` directly rather than returning an interim -access-code. This is less secure than the Authcode flow but can be used in some client-side applications - -![](https://fiware.github.io/tutorials.Securing-Access-OpenID-Connect/img/implicit-flow.png) - -### Implicit Flow - Sample Code - -A user must first be redirected to **Keyrock**, requesting a `token`, `oa.getAuthorizeUrl()` is returning a URL of the -form `/oauth/authorize?response_type=id_token&client_id={{client-id}}&state=oic&redirect_uri={{callback_url}}` Note that -to follow an OIDC flow the response type is "id_token". 
- -```javascript -function implicitOICGrant(req, res) { - const path = oa.getAuthorizeUrl('id_token', null, 'oic'); - return res.redirect(path); -} -``` - -The after the User authorizes access, the response is received by the `redirect_uri` and is handled in the code below, a -usable access token is received from **Keyrock** - -```javascript -function implicitOICGrantCallback(req, res) { - return getUserFromIdToken(req, req.query.id_token).then((user) => { - // Store User and return - }); -} -``` - -The id_token is just a JWT that we can validate using the JWT Secret as it was explained in the authorization code -section. - -### Implicit Flow - Running the Example - -It is possible to invoke the Implicit grant flow programmatically, by bringing up the page `http://localhost:3000/` and -clicking on the Implicit Grant Button - -The user is initially redirected to **Keyrock**, and must log in - -![](https://fiware.github.io/tutorials.Securing-Access-OpenID-Connect/img/keyrock-log-in.png) - -The user must then authorize the request - -![](https://fiware.github.io/tutorials.Securing-Access-OpenID-Connect/img/keyrock-authorize.png) - -The response displays the user on the top right of the screen, details of the token are also flashed onto the screen: - -![](https://fiware.github.io/tutorials.Securing-Access-OpenID-Connect/img/implicit-OIDC-web.png) - -> [!NOTE] -> Unless you deliberately log out of **Keyrock** > `http://localhost:3005`, the existing **Keyrock** session -> which has already permitted access will be used for subsequent authorization request. - -## Hybrid Flow - -The [Hybrid](https://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth) flow combines the authorization code -and the implicit grant. It could be useful to parallelize process in the frontend and the backend of applications. The -flow is similar to the authorization code grant but in this case tokens are generated in both authorization and token -endpoint. 
- -### Hybrid - Sample Code - -A user must first be redirected to **Keyrock**, requesting a `code`, `oa.getAuthorizeUrl()` is returning a URL of the -form -`/oauth/authorize?response_type=code id_token token&client_id={{client-id}}&state=oic&redirect_uri={{callback_url}}&scope=openid` -Note that in a hybrid flow is required to include all the response_types: code, token and id_token. In the first request -this will generate an authorization code, an access token and an id_token. If we also include the scope "openid", when -using authorization code previously generated, Keyrock generates a new access token and a new id_token. - -```javascript -function hybridOICGrant(req, res) { - const path = oa.getAuthorizeUrl('code id_token token', 'openid', 'oic'); - return res.redirect(path); -} -``` - -The after the User authorizes access, the response is received by the `redirect_uri` and is handled in the code below, a -interim access code is received from **Keyrock** and second request must be made to obtain a usable `id_token`. +git clone https://github.com/FIWARE/tutorials.Securing-Access-OpenID-Connect.git +cd tutorials.Securing-Access-OpenID-Connect +git checkout NGSI-LD -```javascript -function authCodeOICGrantCallback(req, res) { - return oa - .getOAuthAccessToken(req.query.code, 'hybrid') - .then((results) => { - return getUserFromIdToken(req, results.id_token); - }) - .then((user) => { - // Store User and return - }); -} +./services create +./services start ``` -The id_token is just a JWT that we can validate using the JWT Secret as it was explained in the authorization code -section. 
- -### Hybrid - Running the Example - -It is possible to invoke the Hybrid flow programmatically, by bringing up the page `http://localhost:3000/` and clicking -on the Authorization Code Button - -The user is initially redirected to **Keyrock**, and must log in - -![](https://fiware.github.io/tutorials.Securing-Access-OpenID-Connect/img/keyrock-log-in.png) - -The user must then authorize the request - -![](https://fiware.github.io/tutorials.Securing-Access-OpenID-Connect/img/keyrock-authorize.png) - -The response displays the user on the top right of the screen, details of the token are flashed onto the screen: +| [![NGSI LD](https://img.shields.io/badge/NGSI-LD-d6604d.svg)](https://www.etsi.org/deliver/etsi_gs/CIM/001_099/009/01.08.01_60/gs_cim009v010801p.pdf) | :books: [Documentation](https://github.com/FIWARE/tutorials.Securing-Access-OpenID-Connect/tree/NGSI-LD) | [Postman Collection](https://fiware.github.io/tutorials.Securing-Access-OpenID-Connect/ngsi-ld.html) | +| --- | --- | --- | -![](https://fiware.github.io/tutorials.Securing-Access-OpenID-Connect/img/hybrid-OIDC-web.png) +--> -> [!NOTE] -> Unless you deliberately log out of **Keyrock** > `http://localhost:3005`, the existing **Keyrock** session -> which has already permitted access will be used for subsequent authorization requests, so the **Keyrock** login screen -> will not be shown again. +--- ## License diff --git a/certs/tutorial-dckr-site-0000-xpresswebapp-oidc-csr.pem b/certs/tutorial-dckr-site-0000-xpresswebapp-oidc-csr.pem deleted file mode 100644 index 2c84476..0000000 --- a/certs/tutorial-dckr-site-0000-xpresswebapp-oidc-csr.pem +++ /dev/null 
@@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIIC4jCCAcoCAQAwgZwxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZCZXJsaW4xDzAN -BgNVBAcMBkJlcmxpbjEaMBgGA1UECgwRRklXQVJFIEZvdW5kYXRpb24xEjAQBgNV -BAsMCVR1dG9yaWFsczETMBEGA1UEAwwKZml3YXJlLm9yZzEmMCQGCSqGSIb3DQEJ -ARYXcHJlc3Mtb2ZmaWNlQGZpd2FyZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IB -DwAwggEKAoIBAQC9igG+B+yW0x2AXcoJSIntAOmf6OJljuX24bcxQhI32GJpxj68 -eiboLb2HiI/+oLiyMzZTRr2OClnI3idvfg/PrEEnYsKirFbSH6JUN0c50pS6n6Uj -pXsHZpiPWnO38IHx3vQcVUDV7b37y5focwt/4x6iQZN44iHdsNAX2poLLZo6Mf3l -flc/EkTRltOUG9nj9058c7FlQBiNroRmnvMKQbC8YUovRP3kdy13YZHnSvwCeyoo -YiuvvTXWDgErC/iz3vULel6d/hrhuwnbRutFce+ptyqb5cZ6E91I/cLCUQS7Nij1 -xwEIdVjJqi3bv/ZqeyfNbht3yhOaYSsPGfMjAgMBAAGgADANBgkqhkiG9w0BAQsF -AAOCAQEAgv+IRAjVGOytLmOqcwGUTsuaFjd6vWD4Y7vX99EYK02lAXii7S3ikI7g -0l9hqqGTRkvYmMK5UiKyp1CXlZuo5RABWSVv0P1znPUfu9yNz9LXWNbHW9InO3+m -j363D9yznUIlp/6056JgOZ/8JXTzvD8UO/ndPbqfv+YOtZj284welF5D6Ok9K9Lu -67f9NEIIYpYK33ENPh3EFEK9mCiVKnYLcF+Dlt8yID/MHKzQwySZJ/LGxTZTccGH -B9zjwIB+kxvr2PQp+B1dfQeRSOEFRRWYwgnY6jAyqB5CwqTdnyaG+3IVT+UtddJS -niQ1BNE2N4p/SooHDFSd7d1kSrdsnA== ------END CERTIFICATE REQUEST----- diff --git a/certs/tutorial-dckr-site-0000-xpresswebapp-oidc-key.pem b/certs/tutorial-dckr-site-0000-xpresswebapp-oidc-key.pem deleted file mode 100644 index d087405..0000000 --- a/certs/tutorial-dckr-site-0000-xpresswebapp-oidc-key.pem +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAvYoBvgfsltMdgF3KCUiJ7QDpn+jiZY7l9uG3MUISN9hiacY+ -vHom6C29h4iP/qC4sjM2U0a9jgpZyN4nb34Pz6xBJ2LCoqxW0h+iVDdHOdKUup+l -I6V7B2aYj1pzt/CB8d70HFVA1e29+8uX6HMLf+MeokGTeOIh3bDQF9qaCy2aOjH9 -5X5XPxJE0ZbTlBvZ4/dOfHOxZUAYja6EZp7zCkGwvGFKL0T95Hctd2GR50r8Ansq -KGIrr7011g4BKwv4s971C3penf4a4bsJ20brRXHvqbcqm+XGehPdSP3CwlEEuzYo -9ccBCHVYyaot27/2ansnzW4bd8oTmmErDxnzIwIDAQABAoIBADyit+f5VQDzTQ7R -8l6B7E376sGTmUnwKzWOBDMn9fgTq3g3Sb62PVgtueJwF9DXzf6ET67YhK+6M/sE -xwzuAVTowHc/KxErnSLfp+jVPl4LNjV1+TisKe22Lrw9raN8t7WPI/0kcPd/dTXm -bhSZKWaiXByAahNUFI19kTTwZDOKt/f8SDxuByDfNGQr0zNZLkWv0JsTfbm3To0s -w622Wkkz3zkrllTvUag8bGmjzr3slyRNj69yYbzVarhs7PH0E9kkSjJwEeuPpSUi -eEXo9sNWwN6CoPqcRyWbDy6ojsxKr+y+I756PoIwXZqpY+JXZTDb0uEz11Ph7A1H -S7E8D6ECgYEA65httF7ad8DiXIAxxCXhAXXVEqSTCyZUysXq1N7xAJ7Y9edfWcVU -CeaADK+DFBjsfAEEaOEoXpPPM2e5t5u0F9skU1FbmY1+iuilOeJ1obgMAC+CEprp -kSHK7ZL3LNb4ano0qrt4X0eVPzNZtmHQxpHWjwUztE2d2FQgOkmrQNsCgYEAzfRt -UrlI9f9kUqcCp0NLQrjVvsZqa4YwoV2kLD1X1x91nl6VLSQm14XwCcae+BUyW/M+ -GX9FHiuX9QarKKFgpc6wxiEMnvkVl+AuVnmxmxBxxuAFxelUr9CmpxBDOnRHMCdj -UMxRQdlPQ7lxef6xYmTBXgnQEdfJhlQPKOIOZVkCgYEAgEZfPP0EUH26Aglej2Dc -cPIaUGtBEKoPMtSuNrcoW2Eh2kne9b7mMfnJsJ6DbRbg8+eN4hjt5QjvoRqR2PGz -DeYokiDTEfkjdDiVdb3itGnERvmXBdBI6dePaOlDIavuV/Mv5+Ho+V+9WEr6Rr5d -cTCItRhs/XfhQJ8VaQchck8CgYAG1PrjaZ4P+v7a9wtRfRv8BKGiiHZzRqpKUA7o -IMjPLA38yOpt6usW7yx9Rodzd1CKWFFRCzXBwHRz/lqjKGdKWMboa6Q9icm7lgYz -fCn2GN+NV1UZsZnLk0JT/GgegkjyQfw7a+uuIYVNm9M11ssPloQLmIu8a8oVmKhA -FO+hUQKBgDSlESpS2d9pe5V3R+vzkuHNU+HX71k01cu+Udchkj4jigOkzInnDQi9 -kHXsjntmZ/W12KGvC4nDDDcd2oCZZyM6ZwE47+UJA9UAj9U4jXoslbi8MZ6GtTNo -a09ShWC65Nzksi1pCcWufg/kIsezLXQx1D3N7gnNd6F9hbU53TS5 ------END RSA PRIVATE KEY----- diff --git a/docker-compose.yml b/docker-compose.yml deleted file mode 100644 index 2ae9dbb..0000000 --- a/docker-compose.yml +++ /dev/null 
@@ -1,183 +0,0 @@ -# WARNING: Do not deploy this tutorial configuration directly to a production environment -# -# The tutorial docker-compose files have not been written for production deployment and will not -# scale. A proper architecture has been sacrificed to keep the narrative focused on the learning -# goals, they are just used to deploy everything onto a single Docker machine. All FIWARE components -# are running at full debug and extra ports have been exposed to allow for direct calls to services. -# They also contain various obvious security flaws - passwords in plain text, no load balancing, -# no use of HTTPS and so on. -# -# This is all to avoid the need of multiple machines, generating certificates, encrypting secrets -# and so on, purely so that a single docker-compose file can be read as an example to build on, -# not use directly. -# -# When deploying to a production environment, please refer to the Helm Repository -# for FIWARE Components in order to scale up to a proper architecture: -# -# see: https://github.com/FIWARE/helm-charts/ -# -version: "3.8" -services: - # Orion is an NGSI-v2 context broker - orion-v2: - labels: - org.fiware: 'tutorial' - image: quay.io/fiware/orion:${ORION_VERSION} - container_name: fiware-orion - depends_on: - - mongo-db - networks: - - default - expose: - - "${ORION_PORT}" - ports: - - "${ORION_PORT}:${ORION_PORT}" # localhost:1026 - command: -dbhost mongo-db -logLevel DEBUG - healthcheck: - test: curl --fail -s http://orion:${ORION_PORT}/version || exit 1 - interval: 5s - # Keyrock is an Identity Management Front-End - keyrock: - labels: - org.fiware: 'tutorial' - image: quay.io/fiware/idm:${KEYROCK_VERSION} - container_name: fiware-keyrock - hostname: keyrock - networks: - default: - ipv4_address: 172.18.1.5 - depends_on: - - mysql-db - ports: - - "${KEYROCK_PORT}:${KEYROCK_PORT}" # localhost:3005 - - "${KEYROCK_HTTPS_PORT}:${KEYROCK_HTTPS_PORT}" # localhost:3443 - environment: - - DEBUG=idm:* - - 
IDM_DB_HOST=mysql-db - - IDM_DB_PASS_FILE=/run/secrets/my_secret_data - - IDM_DB_USER=root - - IDM_HOST=http://localhost:${KEYROCK_PORT} - - IDM_PORT=${KEYROCK_PORT} - - IDM_HTTPS_ENABLED=${IDM_HTTPS_ENABLED} - - IDM_HTTPS_PORT=${KEYROCK_HTTPS_PORT} - - IDM_ADMIN_USER=alice - - IDM_ADMIN_EMAIL=alice-the-admin@test.com - - IDM_ADMIN_PASS=test - - IDM_CSP_FORM_ACTION=* - secrets: - - my_secret_data - volumes: - - ./certs:/opt/fiware-idm/certs/applications:ro # Preload Keyrock Certs - - healthcheck: - interval: 5s - - - # Tutorial acts as a series of dummy IoT Sensors over HTTP - tutorial: - labels: - org.fiware: 'tutorial' - image: quay.io/fiware/tutorials.context-provider - hostname: iot-sensors - container_name: fiware-tutorial - depends_on: - - keyrock - - orion-v2 - networks: - default: - ipv4_address: 172.18.1.7 - aliases: - - tutorial - - context-provider - expose: - - "${TUTORIAL_APP_PORT}" - - "${TUTORIAL_DUMMY_DEVICE_PORT}" - ports: - - "${TUTORIAL_APP_PORT}:${TUTORIAL_APP_PORT}" # localhost:3000 - - "${TUTORIAL_DUMMY_DEVICE_PORT}:${TUTORIAL_DUMMY_DEVICE_PORT}" # localhost:3001 - environment: - - "MONGO_URL=mongodb://mongo-db:27017" - - "DEBUG=tutorial:*" - - "WEB_APP_PORT=${TUTORIAL_APP_PORT}" # Port used by the content provider proxy and web-app for viewing data - - "IOTA_HTTP_HOST=iot-agent" - - "IOTA_HTTP_PORT=${IOTA_SOUTH_PORT}" - - "IOTA_DEFAULT_RESOURCE=/iot/d" - - "DUMMY_DEVICES_PORT=${TUTORIAL_DUMMY_DEVICE_PORT}" # Port used by the dummy IOT devices to receive commands - - "DUMMY_DEVICES_TRANSPORT=HTTP" # Default transport used by dummy Io devices - - "CONTEXT_BROKER=http://orion:${ORION_PORT}/v2" # URL of the context broker to update context - - "OPENWEATHERMAP_KEY_ID=" - - "TWITTER_CONSUMER_KEY=" - - "TWITTER_CONSUMER_SECRET=" - - "NGSI_LD_PREFIX=" - - "SECURE_ENDPOINTS=true" - - "OIDC_ENABLED=true" - - "KEYROCK_URL=http://localhost" - - "KEYROCK_IP_ADDRESS=http://172.18.1.5" - - "KEYROCK_PORT=${KEYROCK_PORT}" - - 
"KEYROCK_CLIENT_ID=tutorial-dckr-site-0000-xpresswebapp" - - "KEYROCK_CLIENT_SECRET=tutorial-dckr-site-0000-clientsecret" - - "KEYROCK_JWT_SECRET=59de900a973fa2e0" - - "CALLBACK_URL=http://localhost:${TUTORIAL_APP_PORT}/login" - - - - # Databases - mongo-db: - labels: - org.fiware: 'tutorial' - image: mongo:${MONGO_DB_VERSION} - hostname: mongo-db - container_name: db-mongo - expose: - - "${MONGO_DB_PORT}" - ports: - - "${MONGO_DB_PORT}:${MONGO_DB_PORT}" # localhost:27017 - networks: - - default - volumes: - - mongo-db:/data - healthcheck: - test: ["CMD","mongosh", "--eval", "db.adminCommand('ping')"] - interval: 5s - timeout: 5s - retries: 3 - start_period: 5s - - - mysql-db: - restart: always - labels: - org.fiware: 'tutorial' - image: mysql:${MYSQL_DB_VERSION} - hostname: mysql-db - container_name: db-mysql - expose: - - "${MYSQL_DB_PORT}" - ports: - - "${MYSQL_DB_PORT}:${MYSQL_DB_PORT}" # localhost:3306 - networks: - default: - ipv4_address: 172.18.1.6 - environment: - - "MYSQL_ROOT_PASSWORD_FILE=/run/secrets/my_secret_data" - - "MYSQL_ROOT_HOST=172.18.1.5" # Allow Keyrock to access this database - volumes: - - mysql-db:/var/lib/mysql - - ./mysql-data:/docker-entrypoint-initdb.d/:ro # Preload Keyrock Users - secrets: - - my_secret_data - -networks: - default: - labels: - org.fiware: 'tutorial' - ipam: - config: - - subnet: 172.18.1.0/24 -volumes: - mysql-db: ~ - mongo-db: ~ - -secrets: - my_secret_data: - file: ./secrets.txt diff --git a/mysql-data/backup.sql b/mysql-data/backup.sql deleted file mode 100644 index 2ce47cf..0000000 --- a/mysql-data/backup.sql +++ /dev/null 
@@ -1,805 +0,0 @@ --- MySQL dump 10.13 Distrib 5.7.22, for Linux (x86_64) --- --- Host: localhost Database: idm --- ------------------------------------------------------ --- Server version 5.7.22 - -/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */; -/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */; -/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */; -/*!40101 SET NAMES utf8 */; -/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */; -/*!40103 SET TIME_ZONE='+00:00' */; -/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */; -/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */; -/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */; -/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */; - --- --- Table structure for table `SequelizeMeta` --- - -CREATE DATABASE idm; -USE idm - -DROP TABLE IF EXISTS `SequelizeMeta`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `SequelizeMeta` ( - `name` varchar(255) COLLATE utf8_unicode_ci NOT NULL, - PRIMARY KEY (`name`), - UNIQUE KEY `name` (`name`) -) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `SequelizeMeta` --- - -LOCK TABLES `SequelizeMeta` WRITE; -/*!40000 ALTER TABLE `SequelizeMeta` DISABLE KEYS */; -INSERT INTO `SequelizeMeta` VALUES 
('201802190000-CreateUserTable.js'),('201802190003-CreateUserRegistrationProfileTable.js'),('201802190005-CreateOrganizationTable.js'),('201802190008-CreateOAuthClientTable.js'),('201802190009-CreateUserAuthorizedApplicationTable.js'),('201802190010-CreateRoleTable.js'),('201802190015-CreatePermissionTable.js'),('201802190020-CreateRoleAssignmentTable.js'),('201802190025-CreateRolePermissionTable.js'),('201802190030-CreateUserOrganizationTable.js'),('201802190035-CreateIotTable.js'),('201802190040-CreatePepProxyTable.js'),('201802190045-CreateAuthZForceTable.js'),('201802190050-CreateAuthTokenTable.js'),('201802190060-CreateOAuthAuthorizationCodeTable.js'),('201802190065-CreateOAuthAccessTokenTable.js'),('201802190070-CreateOAuthRefreshTokenTable.js'),('201802190075-CreateOAuthScopeTable.js'),('20180405125424-CreateUserTourAttribute.js'),('20180612134640-CreateEidasTable.js'); -/*!40000 ALTER TABLE `SequelizeMeta` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `auth_token` --- - -DROP TABLE IF EXISTS `auth_token`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `auth_token` ( - `access_token` varchar(255) NOT NULL, - `expires` datetime DEFAULT NULL, - `valid` tinyint(1) DEFAULT NULL, - `user_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `pep_proxy_id` varchar(255) DEFAULT NULL, - PRIMARY KEY (`access_token`), - UNIQUE KEY `access_token` (`access_token`), - KEY `user_id` (`user_id`), - KEY `pep_proxy_id` (`pep_proxy_id`), - CONSTRAINT `auth_token_ibfk_1` FOREIGN KEY (`user_id`) REFERENCES `user` (`id`) ON DELETE CASCADE, - CONSTRAINT `auth_token_ibfk_2` FOREIGN KEY (`pep_proxy_id`) REFERENCES `pep_proxy` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `auth_token` --- - -LOCK TABLES `auth_token` WRITE; -/*!40000 ALTER TABLE `auth_token` DISABLE 
KEYS */; -INSERT INTO `auth_token` VALUES -('aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa','2036-07-30 12:04:45',1,'aaaaaaaa-good-0000-0000-000000000000',NULL), -('bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb','2036-07-30 12:38:13',1,'bbbbbbbb-good-0000-0000-000000000000',NULL), -('cccccccc-cccc-cccc-cccc-cccccccccccc','2036-07-31 09:36:13',1,'cccccccc-good-0000-0000-000000000000',NULL), -('51f2e380-c959-4dee-a0af-380f730137c3','2036-07-30 13:02:37',1,'admin',NULL); -/*!40000 ALTER TABLE `auth_token` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `authzforce` --- - -DROP TABLE IF EXISTS `authzforce`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `authzforce` ( - `az_domain` varchar(255) NOT NULL, - `policy` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `version` int(11) DEFAULT NULL, - `oauth_client_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - PRIMARY KEY (`az_domain`), - KEY `oauth_client_id` (`oauth_client_id`), - CONSTRAINT `authzforce_ibfk_1` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `authzforce` --- - -LOCK TABLES `authzforce` WRITE; -/*!40000 ALTER TABLE `authzforce` DISABLE KEYS */; -INSERT INTO `authzforce` VALUES -('NYP5CukQEei0BgJCrBIBDA','d72f7c1c-b250-431a-82c5-c3afe65a96e8',1,'tutorial-dckr-site-0000-xpresswebapp'); -/*!40000 ALTER TABLE `authzforce` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `delegation_evidence` --- - -DROP TABLE IF EXISTS `delegation_evidence`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `delegation_evidence` ( - `policy_issuer` varchar(255) NOT NULL, - `access_subject` varchar(255) NOT NULL, - `policy` json NOT NULL, - PRIMARY KEY 
(`policy_issuer`,`access_subject`), - UNIQUE KEY `policy_issuer_access_subject_unique` (`policy_issuer`,`access_subject`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `delegation_evidence` --- - -LOCK TABLES `delegation_evidence` WRITE; -/*!40000 ALTER TABLE `delegation_evidence` DISABLE KEYS */; -/*!40000 ALTER TABLE `delegation_evidence` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `eidas_credentials` --- - -DROP TABLE IF EXISTS `eidas_credentials`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `eidas_credentials` ( - `id` char(36) CHARACTER SET latin1 COLLATE latin1_bin NOT NULL, - `support_contact_person_name` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `support_contact_person_surname` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `support_contact_person_email` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `support_contact_person_telephone_number` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `support_contact_person_company` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `technical_contact_person_name` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `technical_contact_person_surname` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `technical_contact_person_email` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `technical_contact_person_telephone_number` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `technical_contact_person_company` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `organization_name` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, 
- `organization_url` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `oauth_client_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `organization_nif` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `sp_type` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `attributes_list` text CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci, - PRIMARY KEY (`id`), - UNIQUE KEY `oauth_client_id` (`oauth_client_id`), - CONSTRAINT `eidas_credentials_ibfk_1` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `eidas_credentials` --- - -LOCK TABLES `eidas_credentials` WRITE; -/*!40000 ALTER TABLE `eidas_credentials` DISABLE KEYS */; -/*!40000 ALTER TABLE `eidas_credentials` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `iot` --- - -DROP TABLE IF EXISTS `iot`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `iot` ( - `id` varchar(255) NOT NULL, - `password` varchar(40) DEFAULT NULL, - `salt` varchar(40) DEFAULT NULL, - `oauth_client_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `oauth_client_id` (`oauth_client_id`), - CONSTRAINT `iot_ibfk_1` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `iot` --- - -LOCK TABLES `iot` WRITE; -/*!40000 ALTER TABLE `iot` DISABLE KEYS */; -/*!40000 ALTER TABLE `iot` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `oauth_access_token` --- - -DROP TABLE IF EXISTS `oauth_access_token`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET 
character_set_client = utf8 */; -CREATE TABLE `oauth_access_token` ( - `access_token` text NOT NULL, - `expires` datetime DEFAULT NULL, - `scope` varchar(255) DEFAULT NULL, - `refresh_token` varchar(255) DEFAULT NULL, - `valid` tinyint(1) DEFAULT NULL, - `extra` json DEFAULT NULL, - `oauth_client_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `user_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `iot_id` varchar(255) DEFAULT NULL, - `authorization_code` varchar(255) DEFAULT NULL, - `hash` char(64) NOT NULL, - PRIMARY KEY (`hash`), - UNIQUE KEY `oauth_access_token_hash_uk` (`hash`), - KEY `oauth_client_id` (`oauth_client_id`), - KEY `user_id` (`user_id`), - KEY `iot_id` (`iot_id`), - CONSTRAINT `oauth_access_token_ibfk_1` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE, - CONSTRAINT `oauth_access_token_ibfk_2` FOREIGN KEY (`user_id`) REFERENCES `user` (`id`) ON DELETE CASCADE, - CONSTRAINT `oauth_access_token_ibfk_3` FOREIGN KEY (`iot_id`) REFERENCES `iot` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `oauth_access_token` --- - -LOCK TABLES `oauth_access_token` WRITE; -/*!40000 ALTER TABLE `oauth_access_token` DISABLE KEYS */; -INSERT INTO `oauth_access_token` VALUES -('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa','2036-07-30 12:14:21',NULL,NULL,NULL,NULL,'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa','alice',NULL,NULL, '12661599e24923dc17384a28644fbd2c0e30fa1cc7295772470d22729b054c8b'), -('bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb','2036-07-30 12:14:21',NULL,NULL,NULL,NULL,'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb','bob',NULL,NULL, '8d94b35f8eea7e1577e30fc75646dfeb4dd0982a083635028998d53ef590c7ec'), -('cccccccccccccccccccccccccccccccccccccccc','2036-07-30 12:14:21',NULL,NULL,NULL,NULL,'cccccccc-cccc-cccc-cccc-cccccccccccc','charlie',NULL,NULL, 
'f57858edab011913ac0a5d92f04987f4b34eab0d702c8198c1900871d7d87198'), -('d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1','2036-07-30 12:14:21',NULL,NULL,NULL,NULL,'d1d1d1d1-dddd-dddd-dddd-d1d1d1d1d1d1','detective1',NULL,NULL, '18a4605f12def28bbbbab7bbef23fe6e204d73432d9aee8514fc168037945221'), -('d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2','2036-07-30 12:14:21',NULL,NULL,NULL,NULL,'d2d2d2d2-dddd-dddd-dddd-d2d2d2d2d2d2','detective2',NULL,NULL, '1df5d6346470cc81d7a533f67a8399c052b5fc608b94972557138e10a335c5e1'), -('m1m1m1m1m1m1m1m1m1m1m1m1m1m1m1m1m1m1m1m1','2036-07-30 12:14:21',NULL,NULL,NULL,NULL,'m1m1m1m1-mmmm-mmmm-mmmm-m1m1m1m1m1m1','manager1',NULL,NULL, '853d6a374a92501e3e93d28184f9217941793ff646b636c04b35d20169c0d3b7'), -('m2m2m2m2m2m2m2m2m2m2m2m2m2m2m2m2m2m2m2m2','2036-07-30 12:14:21',NULL,NULL,NULL,NULL,'m2m2m2m2-mmmm-mmmm-mmmm-m2m2m2m2m2m2','manager2',NULL,NULL, '5603ade3a9d2303dbf3f28a35023a53c28297dc7db955784ac09b4c294ecae8b'); - -/*!40000 ALTER TABLE `oauth_access_token` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `oauth_authorization_code` --- - -DROP TABLE IF EXISTS `oauth_authorization_code`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `oauth_authorization_code` ( - `authorization_code` varchar(256) NOT NULL, - `expires` datetime DEFAULT NULL, - `redirect_uri` varchar(2000) DEFAULT NULL, - `scope` varchar(255) DEFAULT NULL, - `valid` tinyint(1) DEFAULT NULL, - `extra` json DEFAULT NULL, - `oauth_client_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `user_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `nonce` varchar(255) DEFAULT NULL, - PRIMARY KEY (`authorization_code`), - - UNIQUE KEY `authorization_code` (`authorization_code`), - KEY `oauth_client_id` (`oauth_client_id`), - KEY `user_id` (`user_id`), - CONSTRAINT `oauth_authorization_code_ibfk_1` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON 
DELETE CASCADE, - CONSTRAINT `oauth_authorization_code_ibfk_2` FOREIGN KEY (`user_id`) REFERENCES `user` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `oauth_authorization_code` --- - -LOCK TABLES `oauth_authorization_code` WRITE; -/*!40000 ALTER TABLE `oauth_authorization_code` DISABLE KEYS */; -/*!40000 ALTER TABLE `oauth_authorization_code` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `oauth_client` --- - -DROP TABLE IF EXISTS `oauth_client`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `oauth_client` ( - `id` char(36) CHARACTER SET latin1 COLLATE latin1_bin NOT NULL, - `name` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `description` text CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci, - `secret` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `url` varchar(2000) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `redirect_uri` varchar(2000) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `redirect_sign_out_uri` varchar(2000) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `image` varchar(255) DEFAULT 'default', - `grant_type` varchar(255) DEFAULT NULL, - `response_type` varchar(255) DEFAULT NULL, - `client_type` varchar(15) DEFAULT NULL, - `scope` varchar(80) DEFAULT NULL, - `extra` json DEFAULT NULL, - `token_types` varchar(2000) DEFAULT 'bearer', - `jwt_secret` varchar(2000) DEFAULT NULL, - PRIMARY KEY (`id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `oauth_client` --- - -LOCK TABLES `oauth_client` WRITE; -/*!40000 ALTER TABLE `oauth_client` DISABLE KEYS */; -INSERT INTO `oauth_client` VALUES -('tutorial-dckr-site-0000-xpresswebapp','FIWARE Tutorial', - 'FIWARE 
Application protected by OAuth2 and Keyrock','tutorial-dckr-site-0000-clientsecret', - 'http://localhost:3000','http://localhost:3000/login',NULL,'default', - 'authorization_code,implicit,password,client_credentials,refresh_token,hybrid','code,id_token,token',NULL,'openid',NULL,'jwt,bearer', 'jsonwebtokenpass'), -('tutorial-lcal-host-0000-xpresswebapp','localhost App', - 'Localhost Callback protected by OAuth2 and Keyrock','tutorial-lcal-host-0000-clientsecret', - 'http://localhost:3000','http://localhost:3000/login',NULL,'default', - 'authorization_code,implicit,password,client_credentials,refresh_token','code',NULL,NULL,NULL,'bearer', NULL); - -/*!40000 ALTER TABLE `oauth_client` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `oauth_refresh_token` --- - -DROP TABLE IF EXISTS `oauth_refresh_token`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `oauth_refresh_token` ( - `refresh_token` varchar(256) NOT NULL, - `expires` datetime DEFAULT NULL, - `scope` varchar(255) DEFAULT NULL, - `oauth_client_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `user_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `iot_id` varchar(255) DEFAULT NULL, - `valid` tinyint(1) DEFAULT NULL, - `authorization_code` varchar(255) DEFAULT NULL, - PRIMARY KEY (`refresh_token`), - UNIQUE KEY `refresh_token` (`refresh_token`), - KEY `oauth_client_id` (`oauth_client_id`), - KEY `user_id` (`user_id`), - KEY `iot_id` (`iot_id`), - CONSTRAINT `oauth_refresh_token_ibfk_1` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE, - CONSTRAINT `oauth_refresh_token_ibfk_2` FOREIGN KEY (`user_id`) REFERENCES `user` (`id`) ON DELETE CASCADE, - CONSTRAINT `oauth_refresh_token_ibfk_3` FOREIGN KEY (`iot_id`) REFERENCES `iot` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- 
--- Dumping data for table `oauth_refresh_token` --- - -LOCK TABLES `oauth_refresh_token` WRITE; -/*!40000 ALTER TABLE `oauth_refresh_token` DISABLE KEYS */; -INSERT INTO `oauth_refresh_token` VALUES ('4eb1f99f80f37c81a8ef85d92eae836919887e1e','2018-08-13 11:14:21',NULL,'8ca60ce9-32f9-42d6-a013-a19b3af0c13d','admin',NULL,NULL,NULL); -/*!40000 ALTER TABLE `oauth_refresh_token` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `oauth_scope` --- - -DROP TABLE IF EXISTS `oauth_scope`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `oauth_scope` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `scope` varchar(255) DEFAULT NULL, - `is_default` tinyint(1) DEFAULT NULL, - PRIMARY KEY (`id`), - UNIQUE KEY `id` (`id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `oauth_scope` --- - -LOCK TABLES `oauth_scope` WRITE; -/*!40000 ALTER TABLE `oauth_scope` DISABLE KEYS */; -/*!40000 ALTER TABLE `oauth_scope` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `organization` --- - -DROP TABLE IF EXISTS `organization`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `organization` ( - `id` char(36) CHARACTER SET latin1 COLLATE latin1_bin NOT NULL, - `name` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `description` text CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci, - `website` varchar(2000) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `image` varchar(255) DEFAULT 'default', - PRIMARY KEY (`id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `organization` --- - -LOCK TABLES `organization` WRITE; -/*!40000 ALTER TABLE `organization` DISABLE KEYS */; -INSERT INTO `organization` VALUES 
-('security-team-0000-0000-000000000000','Security','Security Group for Store Detectives',NULL,'default'), -('managers-team-0000-0000-000000000000','Management','Management Group for Store Managers',NULL,'default'); -/*!40000 ALTER TABLE `organization` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `pep_proxy` --- - -DROP TABLE IF EXISTS `pep_proxy`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `pep_proxy` ( - `id` varchar(255) NOT NULL, - `password` varchar(40) DEFAULT NULL, - `salt` varchar(40) DEFAULT NULL, - `oauth_client_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `oauth_client_id` (`oauth_client_id`), - CONSTRAINT `pep_proxy_ibfk_1` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `pep_proxy` --- - -LOCK TABLES `pep_proxy` WRITE; -/*!40000 ALTER TABLE `pep_proxy` DISABLE KEYS */; -/*!40000 ALTER TABLE `pep_proxy` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `permission` --- - -DROP TABLE IF EXISTS `permission`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `permission` ( - `id` char(36) CHARACTER SET latin1 COLLATE latin1_bin NOT NULL, - `name` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `description` text CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci, - `is_internal` tinyint(1) DEFAULT '0', - `action` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `resource` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `xml` text CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci, - `oauth_client_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `is_regex` 
tinyint(1) NOT NULL DEFAULT '0', - `authorization_service_header` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `use_authorization_service_header` tinyint(1) NOT NULL DEFAULT '0', - `regex_entity_ids` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `regex_attributes` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `regex_types` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `oauth_client_id` (`oauth_client_id`), - CONSTRAINT `permission_ibfk_1` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `permission` --- - -LOCK TABLES `permission` WRITE; -/*!40000 ALTER TABLE `permission` DISABLE KEYS */; -INSERT INTO `permission` VALUES -('1','Get and assign all internal application roles',NULL,1,NULL,NULL,NULL,'idm_admin_app',0,NULL,0,NULL,NULL,NULL), -('2','Manage the application',NULL,1,NULL,NULL,NULL,'idm_admin_app',0,NULL,0,NULL,NULL,NULL), -('3','Manage roles',NULL,1,NULL,NULL,NULL,'idm_admin_app',0,NULL,0,NULL,NULL,NULL), -('4','Manage authorizations',NULL,1,NULL,NULL,NULL,'idm_admin_app',0,NULL,0,NULL,NULL,NULL), -('5','Get and assign all public application roles',NULL,1,NULL,NULL,NULL,'idm_admin_app',0,NULL,0,NULL,NULL,NULL), -('6','Get and assign only public owned roles',NULL,1,NULL,NULL,NULL,'idm_admin_app',0,NULL,0,NULL,NULL,NULL), -('increase-stck-0000-0000-000000000000','Order Stock','Increase Stock Count',0,'GET','/app/order-stock',NULL,'tutorial-dckr-site-0000-xpresswebapp',0,NULL,0,NULL,NULL,NULL), -('entrance-open-0000-0000-000000000000','Unlock','Unlock main entrance',0,'POST','/door/unlock',NULL,'tutorial-dckr-site-0000-xpresswebapp',0,NULL,0,NULL,NULL,NULL), -('alrmbell-ring-0000-0000-000000000000','Ring Alarm 
Bell',NULL,0,'POST','/bell/ring',NULL,'tutorial-dckr-site-0000-xpresswebapp',0,NULL,0,NULL,NULL,NULL), -('pricechg-stck-0000-0000-000000000000','Access Price Changes',NULL,0,'GET','/app/price-change',NULL,'tutorial-dckr-site-0000-xpresswebapp',0,NULL,0,NULL,NULL,NULL); -/*!40000 ALTER TABLE `permission` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `role` --- - -DROP TABLE IF EXISTS `role`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `role` ( - `id` char(36) CHARACTER SET latin1 COLLATE latin1_bin NOT NULL, - `name` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `is_internal` tinyint(1) DEFAULT '0', - `oauth_client_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `oauth_client_id` (`oauth_client_id`), - CONSTRAINT `role_ibfk_1` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `role` --- - -LOCK TABLES `role` WRITE; -/*!40000 ALTER TABLE `role` DISABLE KEYS */; -INSERT INTO `role` VALUES -('security-role-0000-0000-000000000000','Security Team',0,'tutorial-dckr-site-0000-xpresswebapp'), -('managers-role-0000-0000-000000000000','Management',0,'tutorial-dckr-site-0000-xpresswebapp'), -('provider','Provider',1,'idm_admin_app'),('purchaser','Purchaser',1,'idm_admin_app'); -/*!40000 ALTER TABLE `role` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `role_assignment` --- - -DROP TABLE IF EXISTS `role_assignment`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `role_assignment` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `role_organization` varchar(255) DEFAULT NULL, - `oauth_client_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, 
- `role_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `organization_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `user_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `oauth_client_id` (`oauth_client_id`), - KEY `role_id` (`role_id`), - KEY `organization_id` (`organization_id`), - KEY `user_id` (`user_id`), - CONSTRAINT `role_assignment_ibfk_1` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE, - CONSTRAINT `role_assignment_ibfk_2` FOREIGN KEY (`role_id`) REFERENCES `role` (`id`) ON DELETE CASCADE, - CONSTRAINT `role_assignment_ibfk_3` FOREIGN KEY (`organization_id`) REFERENCES `organization` (`id`) ON DELETE CASCADE, - CONSTRAINT `role_assignment_ibfk_4` FOREIGN KEY (`user_id`) REFERENCES `user` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB AUTO_INCREMENT=14 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `role_assignment` --- - -LOCK TABLES `role_assignment` WRITE; -/*!40000 ALTER TABLE `role_assignment` DISABLE KEYS */; -INSERT INTO `role_assignment` VALUES -(1,NULL,'8ca60ce9-32f9-42d6-a013-a19b3af0c13d','provider',NULL,'96154659-cb3b-4d2d-afef-18d6aec0518e'), -(2,'member','8ca60ce9-32f9-42d6-a013-a19b3af0c13d','provider','74f5299e-3247-468c-affb-957cda03f0c4',NULL), -(3,NULL,'222eda27-958b-4f0c-a5cb-e4114fb170c3','provider',NULL,'admin'), -(4,NULL,'222eda27-958b-4f0c-a5cb-e4114fb170c3','provider',NULL,'96154659-cb3b-4d2d-afef-18d6aec0518e'), -(5,NULL,'tutorial-dckr-site-0000-xpresswebapp','provider',NULL,'aaaaaaaa-good-0000-0000-000000000000'), -(6,NULL,'tutorial-lcal-host-0000-xpresswebapp','provider',NULL,'aaaaaaaa-good-0000-0000-000000000000'), -(10,NULL,'tutorial-dckr-site-0000-xpresswebapp','security-role-0000-0000-000000000000',NULL,'cccccccc-good-0000-0000-000000000000'), 
-(11,'member','tutorial-dckr-site-0000-xpresswebapp','security-role-0000-0000-000000000000','security-team-0000-0000-000000000000',NULL), -(12,NULL,'tutorial-dckr-site-0000-xpresswebapp','managers-role-0000-0000-000000000000',NULL,'bbbbbbbb-good-0000-0000-000000000000'), -(13,'member','tutorial-dckr-site-0000-xpresswebapp','managers-role-0000-0000-000000000000','managers-team-0000-0000-000000000000',NULL); - -/*!40000 ALTER TABLE `role_assignment` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `role_permission` --- - -DROP TABLE IF EXISTS `role_permission`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `role_permission` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `role_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `permission_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `role_id` (`role_id`), - KEY `permission_id` (`permission_id`), - CONSTRAINT `role_permission_ibfk_1` FOREIGN KEY (`role_id`) REFERENCES `role` (`id`) ON DELETE CASCADE, - CONSTRAINT `role_permission_ibfk_2` FOREIGN KEY (`permission_id`) REFERENCES `permission` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB AUTO_INCREMENT=13 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `role_permission` --- - -LOCK TABLES `role_permission` WRITE; -/*!40000 ALTER TABLE `role_permission` DISABLE KEYS */; -INSERT INTO `role_permission` VALUES -(1,'provider','1'),(2,'provider','2'),(3,'provider','3'),(4,'provider','4'),(5,'provider','5'),(6,'provider','6'), -(7,'purchaser','5'), -(8,'security-role-0000-0000-000000000000','alrmbell-ring-0000-0000-000000000000'), -(9,'security-role-0000-0000-000000000000','entrance-open-0000-0000-000000000000'), -(10,'managers-role-0000-0000-000000000000','alrmbell-ring-0000-0000-000000000000'), 
-(11,'managers-role-0000-0000-000000000000','increase-stck-0000-0000-000000000000'), -(12,'managers-role-0000-0000-000000000000','pricechg-stck-0000-0000-000000000000'); - - - - -/*!40000 ALTER TABLE `role_permission` ENABLE KEYS */; -UNLOCK TABLES; - - --- --- Table structure for table `trusted_application` --- - -DROP TABLE IF EXISTS `trusted_application`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `trusted_application` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `oauth_client_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `trusted_oauth_client_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `oauth_client_id` (`oauth_client_id`), - KEY `trusted_oauth_client_id` (`trusted_oauth_client_id`), - CONSTRAINT `trusted_application_ibfk_1` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE, - CONSTRAINT `trusted_application_ibfk_2` FOREIGN KEY (`trusted_oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `trusted_application` --- - -LOCK TABLES `trusted_application` WRITE; -/*!40000 ALTER TABLE `trusted_application` DISABLE KEYS */; -/*!40000 ALTER TABLE `trusted_application` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `user` --- - -DROP TABLE IF EXISTS `user`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `user` ( - `id` char(36) CHARACTER SET latin1 COLLATE latin1_bin NOT NULL, - `username` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `description` text CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci, - `website` varchar(2000) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `image` varchar(255) DEFAULT 
'default',
- `gravatar` tinyint(1) DEFAULT '0',
- `email` varchar(255) DEFAULT NULL,
- `password` varchar(40) DEFAULT NULL,
- `salt` varchar(40) DEFAULT NULL,
- `date_password` datetime DEFAULT NULL,
- `enabled` tinyint(1) DEFAULT '0',
- `admin` tinyint(1) DEFAULT '0',
- `extra` json DEFAULT NULL,
- `scope` varchar(80) DEFAULT NULL,
- `starters_tour_ended` tinyint(1) DEFAULT '0',
- `eidas_id` varchar(255) DEFAULT NULL,
- PRIMARY KEY (`id`),
- UNIQUE KEY `email` (`email`)
-) ENGINE=InnoDB DEFAULT CHARSET=latin1;
-/*!40101 SET character_set_client = @saved_cs_client */;
-
---
--- Dumping data for table `user`
---
-
-LOCK TABLES `user` WRITE;
-/*!40000 ALTER TABLE `user` DISABLE KEYS */;
-INSERT INTO `user` VALUES
- ('aaaaaaaa-good-0000-0000-000000000000','alice','Alice is the admin',NULL,'default',0,'alice-the-admin@test.com','89e48c55e4e4b3b86141fb15f5e6abf70f8c32c0','fbba54b6750b16e8','2018-07-30 11:41:14',1,1,'{\"visible_attributes\": [\"username\", \"description\", \"identity_attributes\"]}',NULL,0,NULL),
- ('bbbbbbbb-good-0000-0000-000000000000','bob','Bob is the regional manager','','default',0,'bob-the-manager@test.com','89e48c55e4e4b3b86141fb15f5e6abf70f8c32c0','fbba54b6750b16e8','2018-07-30 11:41:14',1,0,'{\"visible_attributes\": [\"username\", \"description\", \"identity_attributes\"]}',NULL,0,NULL),
- ('cccccccc-good-0000-0000-000000000000','charlie','Charlie is head of security',NULL,'default',0,'charlie-security@test.com','89e48c55e4e4b3b86141fb15f5e6abf70f8c32c0','fbba54b6750b16e8','2018-07-30 11:41:14',1,0,'{\"visible_attributes\": [\"username\", \"description\", \"identity_attributes\"]}',NULL,0,NULL),
- ('detective1-good-0000-0000-0000000000','detective1','Detective works for Charlie',NULL,'default',0,'detective1@test.com','89e48c55e4e4b3b86141fb15f5e6abf70f8c32c0','fbba54b6750b16e8','2018-07-30 11:41:14',1,0,'{\"visible_attributes\": [\"username\", \"description\", \"identity_attributes\"]}',NULL,0,NULL),
- ('detective2-good-0000-0000-0000000000','detective2','Detective works for Charlie',NULL,'default',0,'detective2@test.com','89e48c55e4e4b3b86141fb15f5e6abf70f8c32c0','fbba54b6750b16e8','2018-07-30 11:41:14',1,0,'{\"visible_attributes\": [\"username\", \"description\", \"identity_attributes\"]}',NULL,0,NULL),
- ('eve-evil-0000-0000-000000000000','eve','Eve the Eavesdropper',NULL,'default',0,'eve@example.com','89e48c55e4e4b3b86141fb15f5e6abf70f8c32c0','fbba54b6750b16e8','2018-07-30 11:41:14',1,0,'{\"visible_attributes\": [\"username\", \"description\", \"identity_attributes\"]}',NULL,0,NULL),
- ('mallory-evil-0000-0000-000000000000','mallory','Mallory the malicious attacker',NULL,'default',0,'mallory@example.com','89e48c55e4e4b3b86141fb15f5e6abf70f8c32c0','fbba54b6750b16e8','2018-07-30 11:41:14',1,0,'{\"visible_attributes\": [\"username\", \"description\", \"identity_attributes\"]}',NULL,0,NULL),
- ('manager1-good-0000-0000-000000000000','manager1','Manager works for Bob',NULL,'default',0,'manager1@test.com','89e48c55e4e4b3b86141fb15f5e6abf70f8c32c0','fbba54b6750b16e8','2018-07-30 11:41:14',1,0,'{\"visible_attributes\": [\"username\", \"description\", \"identity_attributes\"]}',NULL,0,NULL),
- ('manager2-good-0000-0000-000000000000','manager2','Manager works for Bob',NULL,'default',0,'manager2@test.com','89e48c55e4e4b3b86141fb15f5e6abf70f8c32c0','fbba54b6750b16e8','2018-07-30 11:41:14',1,0,'{\"visible_attributes\": [\"username\", \"description\", \"identity_attributes\"]}',NULL,0,NULL),
- ('rob-evil-0000-0000-000000000000','rob','Rob the Robber',NULL,'default',0,'rob@example.com','89e48c55e4e4b3b86141fb15f5e6abf70f8c32c0','fbba54b6750b16e8','2018-07-30 11:41:14',1,0,'{\"visible_attributes\": [\"username\", \"description\", \"identity_attributes\"]}',NULL,0,NULL);
-/*!40000 ALTER TABLE `user` ENABLE KEYS */;
-UNLOCK TABLES;
-
---
--- Table structure for table `user_authorized_application`
---
-
-DROP TABLE IF EXISTS `user_authorized_application`;
-/*!40101 SET @saved_cs_client = @@character_set_client */;
-/*!40101 SET character_set_client = utf8 */;
-CREATE TABLE `user_authorized_application` (
- `id` int(11) NOT NULL AUTO_INCREMENT,
- `user_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL,
- `oauth_client_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL,
- `shared_attributes` char(255) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL,
- `login_date` datetime DEFAULT NULL,
- PRIMARY KEY (`id`),
- KEY `user_id` (`user_id`),
- KEY `oauth_client_id` (`oauth_client_id`),
- CONSTRAINT `user_authorized_application_ibfk_1` FOREIGN KEY (`user_id`) REFERENCES `user` (`id`) ON DELETE CASCADE,
- CONSTRAINT `user_authorized_application_ibfk_2` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE
-) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1;
-/*!40101 SET character_set_client = @saved_cs_client */;
-
---
--- Dumping data for table `user_authorized_application`
---
-
-LOCK TABLES `user_authorized_application` WRITE;
-/*!40000 ALTER TABLE `user_authorized_application` DISABLE KEYS */;
-INSERT INTO `user_authorized_application` VALUES
-(1,'admin','8ca60ce9-32f9-42d6-a013-a19b3af0c13d', NULL, NULL);
-/*!40000 ALTER TABLE `user_authorized_application` ENABLE KEYS */;
-UNLOCK TABLES;
-
---
--- Table structure for table `user_organization`
---
-
-DROP TABLE IF EXISTS `user_organization`;
-/*!40101 SET @saved_cs_client = @@character_set_client */;
-/*!40101 SET character_set_client = utf8 */;
-CREATE TABLE `user_organization` (
- `id` int(11) NOT NULL AUTO_INCREMENT,
- `role` varchar(10) DEFAULT NULL,
- `user_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL,
- `organization_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL,
- PRIMARY KEY (`id`),
- KEY `user_id` (`user_id`),
- KEY `organization_id` (`organization_id`),
- CONSTRAINT `user_organization_ibfk_1` FOREIGN KEY (`user_id`) REFERENCES `user` (`id`) ON DELETE CASCADE,
- CONSTRAINT `user_organization_ibfk_2` FOREIGN KEY (`organization_id`) REFERENCES `organization` (`id`) ON DELETE CASCADE
-) ENGINE=InnoDB AUTO_INCREMENT=10 DEFAULT CHARSET=latin1;
-/*!40101 SET character_set_client = @saved_cs_client */;
-
---
--- Dumping data for table `user_organization`
---
-
-LOCK TABLES `user_organization` WRITE;
-/*!40000 ALTER TABLE `user_organization` DISABLE KEYS */;
-INSERT INTO `user_organization` VALUES
-(2,'owner', 'aaaaaaaa-good-0000-0000-000000000000','security-team-0000-0000-000000000000'),
-(3,'owner', 'aaaaaaaa-good-0000-0000-000000000000','managers-team-0000-0000-000000000000'),
-(4,'owner', 'bbbbbbbb-good-0000-0000-000000000000','managers-team-0000-0000-000000000000'),
-(5,'member','manager1-good-0000-0000-000000000000','managers-team-0000-0000-000000000000'),
-(6,'member','manager2-good-0000-0000-000000000000','managers-team-0000-0000-000000000000'),
-(7,'owner', 'cccccccc-good-0000-0000-000000000000','security-team-0000-0000-000000000000'),
-(8,'member','detective1-good-0000-0000-000000000000','security-team-0000-0000-000000000000'),
-(9,'member','detective2-good-0000-0000-000000000000','security-team-0000-0000-000000000000');
-/*!40000 ALTER TABLE `user_organization` ENABLE KEYS */;
-UNLOCK TABLES;
-
---
--- Table structure for table `user_registration_profile`
---
-
-DROP TABLE IF EXISTS `user_registration_profile`;
-/*!40101 SET @saved_cs_client = @@character_set_client */;
-/*!40101 SET character_set_client = utf8 */;
-CREATE TABLE `user_registration_profile` (
- `id` int(11) NOT NULL AUTO_INCREMENT,
- `activation_key` varchar(255) DEFAULT NULL,
- `activation_expires` datetime DEFAULT NULL,
- `reset_key` varchar(255) DEFAULT NULL,
- `reset_expires` datetime DEFAULT NULL,
- `verification_key` varchar(255) DEFAULT NULL,
- `verification_expires` datetime DEFAULT NULL,
- `user_email` varchar(255) DEFAULT NULL,
- PRIMARY KEY (`id`),
- KEY `user_email` (`user_email`),
- CONSTRAINT `user_registration_profile_ibfk_1` FOREIGN KEY (`user_email`) REFERENCES `user` (`email`) ON DELETE CASCADE ON UPDATE CASCADE
-) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1;
-/*!40101 SET character_set_client = @saved_cs_client */;
-
---
--- Dumping data for table `user_registration_profile`
---
-
-LOCK TABLES `user_registration_profile` WRITE;
-/*!40000 ALTER TABLE `user_registration_profile` DISABLE KEYS */;
-INSERT INTO `user_registration_profile` VALUES (1,'b26roiin0r','2018-07-31 10:03:53',NULL,NULL,NULL,NULL,'eve@test.com');
-/*!40000 ALTER TABLE `user_registration_profile` ENABLE KEYS */;
-UNLOCK TABLES;
-/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
-
-/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
-/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
-/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
-/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
-/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
-/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
-/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
-
--- Dump completed on 2018-08-10 9:03:58
diff --git a/secrets.txt b/secrets.txt
deleted file mode 100644
index 536aca3..0000000
--- a/secrets.txt
+++ /dev/null
@@ -1 +0,0 @@
-secret
\ No newline at end of file
diff --git a/services b/services
index 0d6868c..539a89b 100755
--- a/services
+++ b/services
@@ -2,108 +2,8 @@
 #
 # Command Line Interface to start all services associated with the Tutorial
 #
-# For this tutorial the commands are merely a convenience script to run docker or docker-compose
-#
-# Each services script can be run using either docker-compose (the external tool with the hyphen -)
-# or docker compose (the newer version directly bundled with Docker with a space )
-#
-# if you start up with the following command:
-#
-# ./services start legacy
-#
-# This will force the script to use docker-compose which may be more reliable in
-# some cases (or if an older version of Docker is being used)
 set -e
-dockerCmd="docker compose"
-if (( $# == 2 )); then
- dockerCmd="docker-compose"
-fi
-
-if (( $# < 1 )); then
- echo "Illegal number of parameters"
- echo "usage: services [create|start|stop]"
- exit 1
-fi
-
-waitForKeyrock () {
- echo -e "⏳ Waiting for \033[1;31mKeyrock\033[0m to be available\n"
-
- while ! [ `docker inspect --format='{{.State.Health.Status}}' fiware-keyrock` == "healthy" ]
- do
- echo -e "Keyrock HTTP state: " `curl -s -o /dev/null -w %{http_code} 'http://localhost:3005/version'` " (waiting for 200)"
- sleep 5
- done
- echo -e " \033[1;32mdone\033[0m"
-}
-
-
-displayServices () {
- echo ""
- docker ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}" --filter name=fiware-*
- (gp ports list 2> /dev/null) || true
- echo ""
-}
-
-
-startContainers () {
- echo ""
- export IDM_HTTPS_ENABLED="$1"
- ${dockerCmd} up -d --remove-orphans
- echo ""
-}
-
-stoppingContainers () {
- CONTAINERS=$(docker ps --filter "label=org.fiware=tutorial" -aq)
- if [[ -n $CONTAINERS ]]; then
- echo "Stopping containers"
- docker rm -f $CONTAINERS || true
- fi
- VOLUMES=$(docker volume ls -qf dangling=true)
- if [[ -n $VOLUMES ]]; then
- echo "Removing old volumes"
- docker volume rm $VOLUMES || true
- fi
- NETWORKS=$(docker network ls --filter "label=org.fiware=tutorial" -q)
- if [[ -n $NETWORKS ]]; then
- echo "Removing tutorial networks"
- docker network rm $NETWORKS || true
- fi
-}
-
-command="$1"
-case "${command}" in
- "help")
- echo "usage: services [create|start|stop]"
- ;;
- "start")
- export $(cat .env | grep "#" -v)
- stoppingContainers
- echo -e "Starting containers: \033[1;31mKeyrock\033[0m, \033[1mTutorial\033[0m and and \033[1mMySQL\033[0m databases."
- echo -e "- \033[1mTutorial\033[0m acts as a series of dummy IoT Sensors over HTTP"
- echo -e "- \033[1;31mKeyrock\033[0m is an Identity Management Front-End"
- startContainers false
- waitForKeyrock
- displayServices
- echo -e "Now open \033[4mhttp://localhost:3000\033[0m"
- ;;
- "stop")
- export $(cat .env | grep "#" -v)
- stoppingContainers
- ;;
- "create")
- export $(cat .env | grep "#" -v)
- echo "Pulling Docker images"
- docker pull -q quay.io/curl/curl
- ${dockerCmd} pull --ignore-pull-failures
- ;;
- *)
- echo "Command not Found."
- echo "usage: services [create|start|stop]"
- exit 127;
- ;;
-esac
-
-
-
+echo -e "Checkout the \033[1;36mNGSI-v2\033[0m branch of this repository to run the Smart Supermarket tutorial.\n"
+# echo -e "Checkout the \033[1;31mNGSI-LD\033[0m branch of this repository to run the Smart Farm tutorial.\n"
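Review bot: The two-line stub at the end of the hunk exits 0 for every invocation, so `./services start` or `./services create` (the command the deleted .gitpod.yml ran on init) now prints the pointer and reports success without starting anything, and the usage check that used to reject missing or unknown commands is gone with the `case` block. Since nothing in this file does work any more, make the stub fail loudly so CI and readers following the old instructions notice: write the message to stderr and finish with `exit 1`, e.g. `printf '%b\n' "Checkout the \033[1;36mNGSI-v2\033[0m branch of this repository to run the Smart Supermarket tutorial.\n" >&2` followed by `exit 1`. The commented-out `# echo -e` line for the NGSI-LD branch is dead code that will drift from the live message; either delete it or make it a second real line. The hunk starts at line 2, so the shebang on line 1 is outside it; `echo -e` with `\033` escapes is only reliable under bash, which is another reason to prefer `printf '%b\n'` here.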