diff --git a/README.md b/README.md index 7e70e19..a4d1df0 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,6 @@ - This repo contains MOSIP side of components in the MOSIP OpenCRVS integration. Namely: - _MOSIP side OpenCRVS Mediator_ ([`mosip-side-opencrvs-mediator`](./mediator)) receives data from OpenCRVS, creates registration packet, and uploads it to registration processor. - _OpenCRVS Registration Processor Stage_ ([`registration-processor-opencrvs-stage`](./registration-processor-opencrvs-stage)) is added as the last stage in MOSIP registration-processor pipeline, to issue the credentials back to OpenCRVS, after registration is successful. - - _MOSIP OpenCRVS Print Stage_ ([`opencrvs-print`](./opencrvs-print)) is an ephemeral component to demonstrate a credential being issued and printed successfully. - This repo is not to be confused with [OpenCRVS side MOSIP Mediator](https://github.com/opencrvs/mosip-mediator/tree/master), which is also part of MOSIP OpenCRVS integration, that receives the credential(UIN) issued by MOSIP, and processes it as required. _This is work-in-progress_. diff --git a/deployment/README.md b/deployment/README.md index 39678f9..e38fcd9 100644 --- a/deployment/README.md +++ b/deployment/README.md @@ -8,7 +8,6 @@ This document describe deployment of `mosip-side-mediator` and `registration-pro - `psql`, `kubectl`,`helm`,`bash`, `curl`, `jq` ## Installation -- Onboard a new credential type partner, with name like `opencrvs-partner`, with appropriate certificates from opencrvs, and an auth_policy that has only UIN in sharableAttributes. Use [partner onboarding scripts](https://github.com/mosip/mosip-infra/tree/develop/deployment/v3/utils/onboard/partner/). - Set up `mosip_opencrvs` db: - Navigate to [db_scripts/mosip_opencrvs](../db_scripts/mosip_opencrvs). - Configure deploy.properties, with required secrets and hostname. 
@@ -16,22 +15,38 @@ This document describe deployment of `mosip-side-mediator` and `registration-pro ```sh ./deploy.sh deploy.properties ``` +- Create a new transaction type `OPENCRVS_NEW` in `mosip_regprc/transaction_type` database table. +- Onboard a new credential type partner (using [partner onboarding scripts](https://github.com/mosip/mosip-onboarding/tree/master)), with; + - name like `opencrvs-partner` + - appropriate certificates from OpenCRVS + - an _auth_policy_ that has only `UIN` in _sharableAttributes_. + - _credential_type_ is `opencrvs`. +- Furthermore, change the following settings for the `opencrvs-partner` client (that was just created), in keycloak admin console, in `Mosip` realm. + - Change _Access Type_ to `public`. + - Enable _Direct Access Grants_. + - Change _Valid Redirect URIs_ to `*`. +- Apart from creating the partner keycloak client, create a new user with the same username as the partner name (that was previously given), with any password. +- Apart from the certificates obtained from OpenCRVS, create a certificate key pair for MOSIP, this public certificate will later be shared with OpenCRVS. 
- Run the following to install the mediator and components (The script will prompt for inputs): ```sh ./install.sh ``` - OR -- Pass the following environment variables to the above script, if it is not desired to prompt for inputs: + - OR Pass the following environment variables to the above script, if it is not desired to prompt for inputs: ```sh export OPENCRVS_AUTH_URL= - export OPENCRVS_WEBHOOKS_URL= + export OPENCRVS_RECEIVE_CREDENTIAL_URL= export OPENCRVS_CLIENT_ID= export OPENCRVS_CLIENT_SECRET= export OPENCRVS_CLIENT_SHA_SECRET= - export OPENCRVS_CALLBACK_HOST_BIRTH= - export OPENCRVS_CALLBACK_URI_BIRTH= + export MOSIP_OPENCRVS_PARTNER_CLIENT_ID= + export MOSIP_OPENCRVS_PARTNER_CLIENT_SHA_SECRET= + export MOSIP_OPENCRVS_PARTNER_USERNAME= + export MOSIP_PRIVATE_KEY_PATH= + export OPENCRVS_PUBLIC_KEY_PATH= ./install.sh ``` +- Share the details with OpenCRVS: auth_url(mosip keycloak url), partner_client_id, partner_client_sha_secret, partner_username, partner_password. +- Share MOSIP public Certificate (that was created above). ## Uploading sample birth data - Run the following in current directory, to upload sample birth data to mediator: @@ -39,10 +54,9 @@ This document describe deployment of `mosip-side-mediator` and `registration-pro curl -XPOST \ -H "content-type: application/json" \ -d @samples/sampleDataFromOpencrvs2.json \ - https:///opencrvs-mediator/birth + https:/// ``` -- Replace url with `http://localhost:4545/birth` if running locally. - +- Replace url with `http://localhost:4545/webhooks` if running locally. ## Uninstallation - Run: diff --git a/deployment/delete.sh b/deployment/delete.sh index 0e1940a..2cd6242 100755 --- a/deployment/delete.sh +++ b/deployment/delete.sh 
@@ -11,8 +11,11 @@ while true; do read -p "Are you sure you want to delete opencrvs-mediator helm chart?(Y/n) " yn if [ $yn = "Y" ] then + helm -n $NS delete regproc-opencrvs-stage helm -n $NS delete opencrvs-mediator - kubectl -n $NS delete secret opencrvs-client-creds + kubectl -n $NS delete --ignore-not-found=true secret opencrvs-client-creds + kubectl -n $NS delete --ignore-not-found=true secret opencrvs-partner-client-creds + kubectl -n $NS delete --ignore-not-found=true secret opencrvs-partner-certs-keys break else break diff --git a/notes.md b/notes.md index 38f5538..b01f773 100644 --- a/notes.md +++ b/notes.md @@ -60,7 +60,7 @@ ``` registration.processor.main-processes=NEW,UPDATE,LOST,RES_UPDATE,ACTIVATE,DEACTIVATE,OPENCRVS_NEW ``` -- Consider adding OPENCRVS_NEW proccess as part of `mosip_regprc/transaction_type` db table. +- Consider adding OPENCRVS_NEW proccess as part of `mosip_regprc/transaction_type` db_scripts. (For now this is created as part of installation) - While creating `opencrvs-partner`, `opencrvs` credential_type has been used. The same will be used by the opencrvs side mediator while receiving credential. The following property has been changed to include this as well, in partner-management-default.properties. ``` pmp.allowed.credential.types=auth,qrcode,euin,reprint,vercred,opencrvs 
@@ -75,17 +75,17 @@ - Discuss a longterm model for Registrations that would happen through partners in MOSIP. And refit this implementation to that model. - Discuss an infra model with OpenCRVS, on how the OpenCRVS webhook and MOSIP websub would communicate with each other over a secured private channel. - From mosip side, we would want OpenCRVS webhook callback to happen on the private wireguard channel. - - Plus the callback contains Authorizaiton. + - Plus the callback contains Authorization. - Plus the data is encrypted. -- Discuss how `zone`,`province`,`city`,`postal code` and other basic data about a country (masterdata) can be in sync in MOSIP and OpenCRVS. - +- Discuss how `zone`,`province`,`city`,`postal code` and other basic data about a country (masterdata) can be in sync between MOSIP and OpenCRVS. + Misc Dev Notes: - Create `mosip-opencrvs-client` in keycloak. Assign this client all the roles that are required to create and upload packets. And use that in properties. TODO -- Create a duplicate print stage called opencrvs-print stage, which will add additional opencrvs data in the credential request. TODO +- Create a duplicate print stage called opencrvs-print stage, which will add additional opencrvs data in the credential request. TODO - Onboard an `opencrvs-partner`, create a similar client and user in keycloak. DONE - - Use this above partner and subscribe to websub, for uin generated event. TODO + - Use this above partner and subscribe to websub, for uin generated event. DONE - Update postgres-init to include `mosip-opencrvs` db. CLOSED: WONT DO. - Use `kernel-auth-adapter`, and remove the dummy adapter in code. TODO. - Create docker, helm chart in mosip-helm, and add ci to github. DONE. - Create testcases. TODO. -- Analyze with sonar cloud. Publish snapshots to ossrh. TODO. +- Analyze with sonar cloud. Publish to mvn repo & snapshots to ossrh. TODO.
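Review bot: In the `README.md` hunk, the `_MOSIP OpenCRVS Print Stage_` bullet is deleted without any note on whether the `./opencrvs-print` directory was removed or only de-listed; if the component is gone, confirm nothing else links to it (the `notes.md` hunk in this same patch still carries "Create a duplicate print stage called opencrvs-print stage ... TODO"), and if it is only being hidden from the list, say so in the commit message.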
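Review bot: In the `deployment/README.md` hunk at `@@ -8,7 +8,6 @@`, the partner-onboarding bullet is only moved, which is fine, but the unchanged heading context "This document describe deployment of ..." is a grammar slip ("describes") worth fixing while this file is being edited; the `- OR` / `- OR Pass the following environment variables` rewrite in the next hunk also changes indentation so that "OR" becomes a sub-bullet, which renders oddly under the previous step.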
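Review bot: In the `deployment/README.md` hunk at `@@ -16,22 +15,38 @@`, the Keycloak instructions `Change _Access Type_ to public`, `Enable _Direct Access Grants_` and `Change _Valid Redirect URIs_ to *` should either be narrowed or justified: a public client that is only used through direct access grants (username/password) never performs a browser redirect, so `*` is not needed and a wildcard redirect URI is the classic misconfiguration that lets a token be delivered to an arbitrary origin; set it to the specific OpenCRVS callback URL or leave it empty. The same hunk says to create the partner user "with any password" and then lists `partner_password` among the values to "Share the details with OpenCRVS"; recommend a generated high-entropy password and state that these values (including `partner_client_sha_secret`) must be handed over through a secure channel, since they are the credentials OpenCRVS will use against MOSIP Keycloak.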
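Review bot: In the `deployment/README.md` hunk at `@@ -39,10 +54,9 @@`, the sample `curl` target is changed from `https:///opencrvs-mediator/birth` to `https:///`, which drops both the hostname placeholder and the path, while the local alternative below is `http://localhost:4545/webhooks`; suggest a visible placeholder such as `https://<mediator-host>/webhooks` so the two lines agree on the endpoint.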
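Review bot: In the `deployment/delete.sh` hunk, the script now also runs `helm -n $NS delete regproc-opencrvs-stage` and removes two additional secrets, but the unchanged prompt still reads "Are you sure you want to delete opencrvs-mediator helm chart?"; update the prompt to list everything that will be removed. Also, the unchanged test `[ $yn = "Y" ]` breaks with a syntax error when the user presses Enter (empty `$yn`), so quote it as `[ "$yn" = "Y" ]` while touching this block.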
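Review bot: In the `notes.md` hunk at `@@ -60,7 +60,7 @@`, the replaced line keeps the misspelling "proccess" in `Consider adding OPENCRVS_NEW proccess as part of ...`; since the line is being rewritten anyway, correct it to "process" and make the parenthetical explicit that the transaction type is inserted manually during installation (as the deployment README step now says) rather than by `db_scripts`.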
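Review bot: In the `notes.md` hunk at `@@ -75,17 +75,17 @@`, the `Create a duplicate print stage called opencrvs-print stage ... TODO` line appears as a removed and re-added pair with no visible textual difference, i.e. a whitespace-only change that adds diff noise; either drop it or make the intended edit. The status flip of `Use this above partner and subscribe to websub, for uin generated event.` from `TODO` to `DONE` would benefit from a pointer to where the subscription is implemented, and the two security discussion items `Plus the callback contains Authorization.` / `Plus the data is encrypted.` are still open questions here, so it is worth stating that the `Authorization` header on the webhook callback is verified by the MOSIP side mediator rather than merely present.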