[INJICERT-499] Added postgres plugin config docs #83

Open
wants to merge 2 commits into
base: release-0.3.x
Changes from 1 commit
85 changes: 85 additions & 0 deletions postgres-dataprovider-plugin/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,85 @@
## Configuration docs for Postgres Plugin

- Pre-requisites
Authorisation Provider should expose the unique identifier in the `sub` field of the JWT token.
Eg. If one is using eSignet with mock-identity-system:0.10.0 and above it can be achieved by setting:
```mosip.mock.ida.kyc.psut.field=individualId```
where individualId will be the identifier to locate the identity in the expected identity registry.

1. Create the tables with all the fields that should be returned by the Postgres Data Provider Plugin within the certify postgres database.
Member

This step is not mandatory; we can point to existing tables also, but both certify and these tables should be inside the same DB and schema.

Contributor Author

Removed this as a point and added a note in pre-requisites

- Refer the following query for insertion in DB:
```
CREATE TABLE certify.<table_name> (
attribute_1 <type> NOT NULL,
attribute_2 <type> NOT NULL,
...
CONSTRAINT pk_id_code PRIMARY KEY (<identifier>)
);
```

2. The schema context containing all the required fields should be hosted in a public url.
- Refer this link for an existing context: [Registration Receipt Schema](https://piyush7034.github.io/my-files/registration_receipt.json)
Member

This URL is giving a 404; please host in the gh-pages branch of inji-config for all the file hosting needs.
https://mosip.github.io/inji-config/logos/StayProtectedInsurance.png
https://github.com/mosip/inji-config/blob/gh-pages/logos/StayProtectedInsurance.png

This change is to be done for the DID and context files also. Let's create a folder with the env as dev1 in the root, create the DID folder there to add the did.json, and keep the context directly under the dev1 folder.

Contributor Author

The file URL referred to was wrong; have fixed the filename. DID and context schema URLs will be replaced with the respective public URLs once they are hosted on the gh-pages branch of the inji-config repo in the format specified above.

Eg: https://<username>.github.io/<project_name>/<file_name>.json
- Also change the respective credential name:
```
{
"@context": {
"@version": 1.1,
"@protected": true,
"type": "@type",
"schema": "https://schema.org/",
"<credential_name>": {
"@id": "https://<username>.github.io/<project_name>/<file_name>.json#<credential_name>"
},
<field1>: "schema:<type>"
<field2>: "schema:<type>"
...
}
}
```
- The primary_key should be a identifier that is existing in the current mock_identity_system records.
Member

Let's not stress too much on the mock_identity_system, since it is only one reference impl, and the actual places this plugin is to be used might not use the mock identity system.

Contributor Author

Removed the reference to mock-identity-system as it may not be a dependency every time.

Eg: If "1234" is present in mock_identity table, then same identifier should be used for inserting records in the certify data tables
- When the authentication is done using this particular identifier then the record from certify tables can be fetched by the postgres plugin and returned as a JSON Object.

3. Insert the templates in the DB with credential subject containing all the fields which must be the part of issued credential.
Member

This point fits in the certify docs; can we add it there and have a link here pointing to that?

Contributor Author
@Piyush7034 Dec 12, 2024

Added a reference to the template_table scripts defined in the db_scripts/mosip_certify/ddl folder of inji_certify.

- Eg: Find the below template for reference:
```
{
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://piyush7034.github.io/my-files/registration-receipt.json",
"https://w3id.org/security/suites/ed25519-2020/v1"
],
"issuer": "${issuer}",
"type": [
"VerifiableCredential",
"RegistrationReceiptCredential"
],
"issuanceDate": "${validFrom}",
"expirationDate": "${validUntil}",
"credentialSubject": {
"attributeName1": "${<attribute1>}",
"attributeName2": "${<attribute2>}"
...
}
}
```
- For referring the table creation and template insertion, see the sql scripts under certify_init.sql file: [certify-init](https://github.com/mosip/inji-certify/blob/develop/docker-compose/docker-compose-injistack/certify_init.sql)
Member

The docker compose sql file is subject to change later; can we not point to the db_script folder scripts instead?

Contributor Author

Changed the above URL to point to the db_scripts/mosip_certify/ddl folder.


4. inji-config changes:
Member

This topic is the most important one in this README file: it should call out the config specific to this plugin and how to configure each of them.

- Refer to the properties file in [inji-config](https://github.com/mosip/inji-config) that corresponds to the postgres plugin implementation.
[Certify Postgres Land Registry](https://github.com/mosip/inji-config/blob/develop/certify-postgres-landregistry.properties)
- The value for the property `mosip.certify.integration.data-provider-plugin` must be set to `PostgresDataProviderPlugin`
- Refer to the below property for setting the query value against the scope for the credential that is to be issued:
```
mosip.certify.data-provider-plugin.postgres.scope-query-mapping={
`credential_scope`: `select * from certify.<table_name> where <table_id>=:id`
}
```
- Add the scope defined above and the type of credential in the well-known config of the properties file. Refer to the property `mosip.certify.key-values` for the same.
- Add the fields from the respective table in the well-known config.

5. mosip-config changes:
- Refer to the [authentication-config](https://github.com/mosip/mosip-config/pull/7653) properties file in mosip-config repo(esignet-mock in this case).
Member

If someone uses a different authorization server other than eSignet, then these changes are not required. Let's change the point to tell, at a high level, what needs to be done in the authorization server, and call out what has to be done if the authorization server is eSignet.

Contributor Author

Removed the direct reference to eSignet and added a general comment to add the respective configurations corresponding to the scope-query-mapping config defined for the postgres plugin.

- Add the required scopes under `mosip.esignet.supported.credential.scopes` config.
- Also add the scopes under `mosip.esignet.credential.scope-resource-mapping` config.
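Review bot: The scope query in step 4, `select * from certify.<table_name> where <table_id>=:id`, is the security boundary of this plugin, and the README leaves two of its properties implicit. First, `:id` is bound from the JWT `sub` claim that the pre-requisites section requires the authorization provider to expose; step 4 should say that outright, so a deployer keeps it a bound parameter and never substitutes the claim into the query text. Second, `select *` hands every column of the table to the plugin and therefore to the `${<attribute>}` placeholders in the template, not only the fields declared in the well-known config; listing the columns explicitly means a column added later does not silently become available to a credential. It is also worth stating that `<table_id>` should be the column declared as `PRIMARY KEY (<identifier>)` in step 1, so one authenticated subject maps to at most one row. Two smaller points: the example wraps the key and the query in backticks (`` `credential_scope`: `select ...` ``), which is not valid JSON, so either show the exact syntax the property parser accepts or note the substitution; and the context URL in the template (`https://piyush7034.github.io/my-files/registration-receipt.json`) sits inside the `@context` of the credential that is signed and that verifiers will dereference, so, in line with the earlier comment about hosting under inji-config's gh-pages branch, the doc should say the context must be served from a project-controlled host and treated as immutable once credentials have been issued against it.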