From 5d0b6d62049e339185a7642931827a9173b5074f Mon Sep 17 00:00:00 2001 
From: Igor Balog Eng <70636468+IgorBalog-Eng@users.noreply.github.com> Date: Wed, 4 Oct 2023 16:55:38 +0200 Subject: [PATCH] Certification fixes (#30) * Add application.firewall.isEnabled property to all relevant properties files * Update .env file * Update docker-compose to use new property * Add firewall.properties to ecc and dataapp resources * Update documentation * Add information about user credentials persistence and password encoding * Added info about self description properties * Added connectorId ecc change Fixed port for pip services * Resource management update Added JDK_JAVA_OPTIONS param * Update documentation related to the new version of UC * New UC app security related features * Fix datalake path in Data App properties file * New cosign hash values --------- Co-authored-by: Marko Stojanovic --- .env | 11 ++- README.md | 1 + SUMMARY.md | 8 +- .../application-docker.properties | 5 +- be-dataapp_resources/firewall.properties | 18 ++++ doc/PLATOON_USAGE_CONTROL.md | 2 +- doc/TEST_API.md | 2 +- doc/TRUEConnector/component-overview.md | 8 +- doc/TRUEConnector/default-configuration.md | 3 +- doc/TRUEConnector/prerequisite.md | 9 +- doc/TRUEConnector/start-stop.md | 12 +-- doc/TRUEConnector/system-requirements.md | 61 ++++++++++++- doc/advancedConfiguration/auditlogs.md | 2 +- doc/advancedConfiguration/broker.md | 2 +- doc/advancedConfiguration/extendedjwt.md | 2 +- doc/advancedConfiguration/firewall.md | 37 ++++++++ doc/contributingTC.md | 2 +- doc/cosign.md | 86 +++++++++---------- doc/exchange-data.md | 2 +- .../modify-configuration.md | 4 +- doc/rest-api.md | 2 +- doc/rest_api/REST_API.md | 4 +- doc/security.md | 2 +- .../self-description-API.md | 26 ++++-- doc/user_management.md | 5 +- docker-compose.yml | 62 +++++++++---- .../application-docker.properties | 6 ++ ecc_resources_consumer/firewall.properties | 18 ++++ .../application-docker.properties | 5 ++ ecc_resources_provider/firewall.properties | 18 ++++ .../application.properties | 12 +++ 
.../application.properties | 12 +++ 32 files changed, 346 insertions(+), 103 deletions(-) create mode 100644 be-dataapp_resources/firewall.properties create mode 100644 doc/advancedConfiguration/firewall.md create mode 100644 ecc_resources_consumer/firewall.properties create mode 100644 ecc_resources_provider/firewall.properties diff --git a/.env b/.env index d5fe922..3527e91 100644 --- a/.env +++ b/.env @@ -1,8 +1,8 @@ -COMPOSE_PROJECT_NAME=TRUE_Connector +COMPOSE_PROJECT_NAME=trueconnector BROKER_URL=https://broker.ids.isst.fraunhofer.de/infrastructure -#SSL settings +#TLS settings KEYSTORE_NAME=ssl-server.jks KEY_PASSWORD=changeit KEYSTORE_PASSWORD=changeit @@ -27,6 +27,7 @@ IDSCP2=false EXTRACT_PAYLOAD_FROM_RESPONSE=true ### PROVIDER Configuration +PROVIDER_ECC_SELF_DESCRIPTION_URL=https://ecc-provider PROVIDER_DAPS_KEYSTORE_NAME= PROVIDER_DAPS_KEYSTORE_PASSWORD= PROVIDER_DAPS_KEYSTORE_ALIAS= @@ -38,8 +39,12 @@ PROVIDER_DATA_APP_ENDPOINT=https://be-dataapp-provider:8083/data #PROVIDER_DATA_APP_ENDPOINT=https://be-dataapp-provider:9000/incoming-data-app/routerBodyBinary PROVIDER_WS_EDGE=false PROVIDER_ISSUER_CONNECTOR_URI=http://w3id.org/engrd/connector/provider +PROVIDER_DATA_APP_FIREWALL=false +PROVIDER_ECC_FIREWALL=false + ### CONSUMER Configuration +CONSUMER_ECC_SELF_DESCRIPTION_URL=https://ecc-consumer CONSUMER_DAPS_KEYSTORE_NAME= CONSUMER_DAPS_KEYSTORE_PASSWORD= CONSUMER_DAPS_KEYSTORE_ALIAS= @@ -49,3 +54,5 @@ CONSUMER_MULTIPART_EDGE=form CONSUMER_DATA_APP_ENDPOINT=https://be-dataapp-consumer:8083/data CONSUMER_WS_EDGE=false CONSUMER_ISSUER_CONNECTOR_URI=http://w3id.org/engrd/connector/consumer +CONSUMER_DATA_APP_FIREWALL=false +CONSUMER_ECC_FIREWALL=false diff --git a/README.md b/README.md index 1f9b98d..c6359ec 100644 --- a/README.md +++ b/README.md 
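Review bot: The four new firewall switches ship disabled — `PROVIDER_DATA_APP_FIREWALL=false` and `PROVIDER_ECC_FIREWALL=false` in the @@ -38,8 hunk, and the CONSUMER pair in the @@ -49,3 hunk — so a deployment that takes this .env as delivered gets none of the HttpFirewall checks the commit introduces. For a change titled "Certification fixes" the safer default is `true`, with `false` documented as the opt-out; if off-by-default is deliberate (doc/TRUEConnector/default-configuration.md lists "Disabled Firewall"), a comment above each pair such as `# Set to true to enable HttpFirewall, see doc/advancedConfiguration/firewall.md` would at least make the switch discoverable from the file operators actually edit. The same point applies to both hunks, so it is raised once here.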
@@ -46,6 +46,7 @@ Please [click here](https://engineering-ing-inf-rd.gitbook.io/true-connector/), * [Usage Control](doc/advancedConfiguration/usagecontrol.md) * [MyData Usage Control](doc/advancedConfiguration/mydata.md) * [Audit logs](doc/advancedConfiguration/auditlogs.md) + * [Firewall](doc/advancedConfiguration/firewall.md) * [Contract Negotiation - simple flow](doc/contractNegotiation/contract-negotiation.md) * [Get offered resource](doc/contractNegotiation/get_offered_resource.md) * [Description Request Message](doc/contractNegotiation/description_request_message.md) diff --git a/SUMMARY.md b/SUMMARY.md index 8bb1bbb..e2e0de8 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -1,6 +1,7 @@ # Table of contents * [TRUE Connector](README.md) + * [Prerequisite](doc/TRUEConnector/prerequisite.md) * [Introduction](doc/TRUEConnector/introduction.md) * [System requirements](doc/TRUEConnector/system-requirements.md) * [Volumes](doc/TRUEConnector/volumes.md) @@ -27,6 +28,7 @@ * [Usage Control](doc/advancedConfiguration/usagecontrol.md) * [MyData Usage Control](doc/advancedConfiguration/mydata.md) * [Audit logs](doc/advancedConfiguration/auditlogs.md) + * [Firewall](doc/advancedConfiguration/firewall.md) * [Contract Negotiation - simple flow](doc/contractNegotiation/contract-negotiation.md) * [Get offered resource](doc/contractNegotiation/get_offered_resource.md) * [Description Request Message](doc/contractNegotiation/description_request_message.md) 
@@ -41,10 +43,8 @@ * [MYDATA\_USAGE\_CONTROL](doc/MYDATA\_USAGE\_CONTROL.md) * [PLATOON\_USAGE\_CONTROL](doc/PLATOON\_USAGE\_CONTROL.md) * [Test cases](doc/TEST\_API.md) - * [rest\_api](doc/rest\_api/README.md) - * [REST API](doc/rest\_api/REST\_API.md) - * [testbed](doc/testbed/README.md) - * [Testbed](doc/testbed/TESTBED.md) + * [REST API](doc/rest\_api/REST\_API.md) + * [Testbed](doc/testbed/TESTBED.md) * [Step to replicate True Connector installation in minikube.](kubernetes/README.md) * [Docker image signing and verification](doc/cosign.md) * [Life cycle](doc/life_cycle.md) diff --git a/be-dataapp_resources/application-docker.properties b/be-dataapp_resources/application-docker.properties index ca19878..5149f60 100644 --- a/be-dataapp_resources/application-docker.properties +++ b/be-dataapp_resources/application-docker.properties @@ -19,6 +19,9 @@ server.ssl.key-store-provider=SUN server.ssl.key-store-type=JKS server.ssl.trust-store-type=JKS +#Firewall +application.firewall.isEnabled=${FIREWALL} + application.dataapp.http.config=${DATA_APP_MULTIPART} application.ecc.protocol=https @@ -43,7 +46,7 @@ application.encodePayload=false application.extractPayloadFromResponse=${EXTRACT_PAYLOAD_FROM_RESPONSE} application.fileSenderPort=9000 -application.dataLakeDirectory=/home/nobody/data +application.dataLakeDirectory=/home/nobody/data/datalake #checkSum verification - true | false application.verifyCheckSum=false diff --git a/be-dataapp_resources/firewall.properties b/be-dataapp_resources/firewall.properties new file mode 100644 index 0000000..6d92b82 --- /dev/null +++ b/be-dataapp_resources/firewall.properties 
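Review bot: `application.firewall.isEnabled=${FIREWALL}` in the @@ -19,6 hunk has no fallback, so when the compose service does not export FIREWALL the placeholder stays unresolved and, if it is bound the usual Spring way, the data app will fail at startup rather than choose a mode; that is fail-closed, which is acceptable, but the contract is invisible from this file. If a fallback is wanted, `application.firewall.isEnabled=${FIREWALL:true}` is the fail-safe choice; otherwise a comment such as `#FIREWALL is injected by docker-compose from *_DATA_APP_FIREWALL in .env` would document the dependency. The `application.dataLakeDirectory=/home/nobody/data/datalake` change in the @@ -43,7 hunk moves the data lake one level down; the volume mount for that path lives in docker-compose.yml, which is outside this view, so please confirm the mount and any existing data follow the new subdirectory.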
@@ -0,0 +1,18 @@ +#Set which HTTP header names should be allowed (if want to allow all header names, keep it empty) +allowedHeaderNames= +#Set which values in header names should have the exact value and allowed (if want to allow any values keep it empty) +allowedHeaderValues= +#Set which HTTP methods should be allowed (if want to allow all header names, keep it empty) +allowedMethods=GET,POST +#Set if a backslash "\" or a URL encoded backslash "%5C" should be allowed in the path or not +allowBackSlash=true +#Set if a slash "/" that is URL encoded "%2F" should be allowed in the path or not +allowUrlEncodedSlash=true +#Set if double slash "//" that is URL encoded "%2F%2F" should be allowed in the path or not +allowUrlEncodedDoubleSlash=true +#Set if semicolon is allowed in the URL (i.e. matrix variables) +allowSemicolon=true +#Set if a percent "%" that is URL encoded "%25" should be allowed in the path or not +allowUrlEncodedPercent=true +#if a period "." that is URL encoded "%2E" should be allowed in the path or not +allowUrlEncodedPeriod=true \ No newline at end of file diff --git a/doc/PLATOON_USAGE_CONTROL.md b/doc/PLATOON_USAGE_CONTROL.md index c82140c..d0523f7 100644 --- a/doc/PLATOON_USAGE_CONTROL.md +++ b/doc/PLATOON_USAGE_CONTROL.md @@ -105,5 +105,5 @@ POSTGRES_DB=usagecontrol_consumer # Usage control examples -For more information and examples of policies compatible with Platoon UC app, please check [README](https://github.com/Engineering-Research-and-Development/true-connector-uc_data_app_platoon/blob/1.7.4/README.md) +For more information and examples of policies compatible with Platoon UC app, please check [README](https://github.com/Engineering-Research-and-Development/true-connector-uc_data_app_platoon/blob/1.7.5/README.md) diff --git a/doc/TEST_API.md b/doc/TEST_API.md index 89f7b2c..3c03204 100644 --- a/doc/TEST_API.md +++ b/doc/TEST_API.md 
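Review bot: Every path-normalisation switch in this new file (`allowBackSlash`, `allowUrlEncodedSlash`, `allowUrlEncodedDoubleSlash`, `allowSemicolon`, `allowUrlEncodedPercent`, `allowUrlEncodedPeriod`) is set to `true`, which is the permissive value; if these map onto Spring Security's StrictHttpFirewall setters as the names suggest, that firewall rejects all six by default, so enabling the firewall with this file relaxes request filtering below Spring's out-of-the-box behaviour and leaves the method allow-list as the only tightening. Shipping them as `false` and letting an operator relax individual ones keeps the default strict, as shown below. The comment on `allowedMethods` is a copy-paste of the header one (`if want to allow all header names, keep it empty`); doc/advancedConfiguration/firewall.md already drops that parenthetical, so `#Set which HTTP methods should be allowed (if want to allow all methods, keep it empty)` would bring the two in line. The diffstat shows same-sized copies under ecc_resources_consumer and ecc_resources_provider, which are outside this view; the same defaults presumably apply there, and since the ECC self-description API is documented as CRUD in doc/rest_api/REST_API.md, `allowedMethods=GET,POST` may need PUT and DELETE on the ECC side — verify before enabling.
```properties
# … unchanged: allowedHeaderNames / allowedHeaderValues …
#Set which HTTP methods should be allowed (if want to allow all methods, keep it empty)
allowedMethods=GET,POST
#Set if a backslash "\" or a URL encoded backslash "%5C" should be allowed in the path or not
allowBackSlash=false
#Set if a slash "/" that is URL encoded "%2F" should be allowed in the path or not
allowUrlEncodedSlash=false
#Set if double slash "//" that is URL encoded "%2F%2F" should be allowed in the path or not
allowUrlEncodedDoubleSlash=false
#Set if semicolon is allowed in the URL (i.e. matrix variables)
allowSemicolon=false
#Set if a percent "%" that is URL encoded "%25" should be allowed in the path or not
allowUrlEncodedPercent=false
#if a period "." that is URL encoded "%2E" should be allowed in the path or not
allowUrlEncodedPeriod=false
```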
@@ -75,7 +75,7 @@ curl --location -k 'https://localhost:8090/about/version' and expected response: ``` -1.14.2 +1.14.3 ``` ## Self Description API diff --git a/doc/TRUEConnector/component-overview.md b/doc/TRUEConnector/component-overview.md index d11c376..fb44afd 100644 --- a/doc/TRUEConnector/component-overview.md +++ b/doc/TRUEConnector/component-overview.md 
@@ -4,10 +4,10 @@ TRUE Connector is build using Java11, and use following libraries: | Component | Version | | --------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- | -| [Execution core container](https://github.com/Engineering-Research-and-Development/true-connector-execution_core_container/releases/tag/1.14.2) | 1.14.2 | -| [Basic data app](https://github.com/Engineering-Research-and-Development/true-connector-basic_data_app/releases/tag/0.3.1) | 0.3.1 | -| [Usage control app](https://github.com/Engineering-Research-and-Development/true-connector-uc_data_app_platoon/releases/tag/1.7.4) | 1.7.4 | -| [Pip](https://github.com/Engineering-Research-and-Development/true-connector-uc_data_app_platoon/tree/1.7.4/Docker_Tecnalia_DataUsage/pip) | 1.0.0 | +| [Execution core container](https://github.com/Engineering-Research-and-Development/true-connector-execution_core_container/releases/tag/1.14.3) | 1.14.3 | +| [Basic data app](https://github.com/Engineering-Research-and-Development/true-connector-basic_data_app/releases/tag/0.3.2) | 0.3.2 | +| [Usage control app](https://github.com/Engineering-Research-and-Development/true-connector-uc_data_app_platoon/releases/tag/1.7.5) | 1.7.5 | +| [Pip](https://github.com/Engineering-Research-and-Development/true-connector-uc_data_app_platoon/tree/1.7.5/Docker_Tecnalia_DataUsage/pip) | 1.0.0 | | [Multipart Message Library](https://github.com/Engineering-Research-and-Development/true-connector-multipart_message_library/releases/tag/1.0.17) | 1.0.17 | | [Websocket Message Streamer](https://github.com/Engineering-Research-and-Development/true-connector-websocket_message_streamer/releases/tag/1.0.17) | 1.0.17 | | [Information model](https://github.com/International-Data-Spaces-Association/InformationModel) | 4.2.7 | 
diff --git a/doc/TRUEConnector/default-configuration.md b/doc/TRUEConnector/default-configuration.md index cd8e0b8..ce9d93a 100644 --- a/doc/TRUEConnector/default-configuration.md +++ b/doc/TRUEConnector/default-configuration.md @@ -8,7 +8,8 @@ TRUE Connector comes pre-configured with following: * Disabled Usage control * Disabled Clearing House * Disabled validate protocol in Forward-To header -* Disabled hostname validation * Disabled CheckSum validation +* Disabled Firewall + If you wish to change this configuration, please check chapter [Modifying configuration](../modifyingConfiguration/modify-configuration.md) \ No newline at end of file diff --git a/doc/TRUEConnector/prerequisite.md b/doc/TRUEConnector/prerequisite.md index 6bd8596..ef08f4e 100644 --- a/doc/TRUEConnector/prerequisite.md +++ b/doc/TRUEConnector/prerequisite.md @@ -1,4 +1,4 @@ -# Prerequisite +## Prerequisite To have secure and certification compliant environment, following prerequisites are mandatory to be performed before setting up TRUE Connector: @@ -6,7 +6,7 @@ To have secure and certification compliant environment, following prerequisites * Docker is mandatory "OS service" for running connector * verify [System requirements](system-requirements.md) before starting the connector. -## Securing docker host +### Securing docker host * The host OS should be audited and secure; OS should be as minimal as possible and it should be preferably used to host our Docker exclusively. There should not coexist other services like web servers or web applications so that attacker could not exploit it or lead to potential exploit (minimal threat attack surface). * Monitoring mechanism (Linux auditd service for example) should be installed and configured as prerequisite before deploying connector. This will capture if someone tries to make changes on property files used by the connector. 
@@ -20,15 +20,16 @@ To have secure and certification compliant environment, following prerequisites * OS user for running docker should not be root user; be sure to create new user, assign new user to docker group, that user can run docker compose * disable password login to the server for newly created user and allow only key-based authentication for accessing the server where connector will run * disable access for the root user by using a password when connecting to the server via ssh (key-based auth only) +* in case of adding some additional, more configurable and robust firewall, be sure to restrict access to the /api/* endpoints to only internal network, since those endpoints should not be exposed to the outside world, but intended to be used by "internal" user, to make modifications to the self description document. * 2 types of certificate are required: DAPS and TLS. DAPS certificate should be obtained from Certified Authority responsible for the Dataspace, while TLS certificate can be self signed or signed by some CA. More information about TLS certificate can be found [here](../security.md). -# Post configuration steps +## Post configuration steps -Once TRUE Connector is successfully configured and is up and running, responsible user for setting up environment and configuring connector should generate new passwords for 2 type of users required for operating with connector. More information how to do this can be found [here](https://github.com/Engineering-Research-and-Development/true-connector-execution_core_container/blob/1.14.2/doc/SECURITY.md#change-default-password). +Once TRUE Connector is successfully configured and is up and running, responsible user for setting up environment and configuring connector should generate new passwords for 2 type of users required for operating with connector. 
More information how to do this can be found [here](https://github.com/Engineering-Research-and-Development/true-connector-execution_core_container/blob/1.14.3/doc/SECURITY.md#change-default-password). Make sure to update following properties to address your usecase: diff --git a/doc/TRUEConnector/start-stop.md b/doc/TRUEConnector/start-stop.md index 4cf03c7..389c34e 100644 --- a/doc/TRUEConnector/start-stop.md +++ b/doc/TRUEConnector/start-stop.md 
@@ -89,13 +89,13 @@ You can also check using _docker ps_ command to verify that containers are up an ``` CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES -bc693e1fdb90 rdlabengpa/ids_execution_core_container:1.14.2 "/bin/sh -c 'java -j…" 3 hours ago Up 3 hours (healthy) 0.0.0.0:8087->8086/tcp, :::8087->8086/tcp, 0.0.0.0:8091->8449/tcp, :::8091->8449/tcp, 0.0.0.0:8890->8889/tcp, :::8890->8889/tcp ecc-consumer -28dc87213f68 rdlabengpa/ids_be_data_app:0.3.1 "/bin/sh -c 'java -j…" 3 hours ago Up 3 hours (healthy) 0.0.0.0:8184->8183/tcp, :::8184->8183/tcp, 0.0.0.0:9001->9000/tcp, :::9001->9000/tcp be-dataapp-consumer -9eb157ceb37b rdlabengpa/ids_be_data_app:0.3.1 "/bin/sh -c 'java -j…" 3 hours ago Up 3 hours (healthy) 0.0.0.0:8183->8183/tcp, :::8183->8183/tcp, 0.0.0.0:9000->9000/tcp, :::9000->9000/tcp be-dataapp-provider -44bc21187460 rdlabengpa/ids_execution_core_container:1.14.2 "/bin/sh -c 'java -j…" 3 hours ago Up 3 hours (healthy) 0.0.0.0:8086->8086/tcp, :::8086->8086/tcp, 0.0.0.0:8889->8889/tcp, :::8889->8889/tcp, 0.0.0.0:8090->8449/tcp, :::8090->8449/tcp ecc-provider -b3f4cdb77ed6 rdlabengpa/ids_uc_data_app_platoon:1.7.4 "/bin/sh -c 'java -j…" 3 hours ago Up 3 hours (healthy) 8080/tcp uc-dataapp-consumer +bc693e1fdb90 rdlabengpa/ids_execution_core_container:1.14.3 "/bin/sh -c 'java -j…" 3 hours ago Up 3 hours (healthy) 0.0.0.0:8087->8086/tcp, :::8087->8086/tcp, 0.0.0.0:8091->8449/tcp, :::8091->8449/tcp, 0.0.0.0:8890->8889/tcp, :::8890->8889/tcp ecc-consumer +28dc87213f68 rdlabengpa/ids_be_data_app:0.3.2 "/bin/sh -c 'java -j…" 3 hours ago Up 3 hours (healthy) 0.0.0.0:8184->8183/tcp, :::8184->8183/tcp, 0.0.0.0:9001->9000/tcp, :::9001->9000/tcp be-dataapp-consumer +9eb157ceb37b rdlabengpa/ids_be_data_app:0.3.2 "/bin/sh -c 'java -j…" 3 hours ago Up 3 hours (healthy) 0.0.0.0:8183->8183/tcp, :::8183->8183/tcp, 0.0.0.0:9000->9000/tcp, :::9000->9000/tcp be-dataapp-provider +44bc21187460 rdlabengpa/ids_execution_core_container:1.14.3 "/bin/sh -c 'java -j…" 3 hours 
ago Up 3 hours (healthy) 0.0.0.0:8086->8086/tcp, :::8086->8086/tcp, 0.0.0.0:8889->8889/tcp, :::8889->8889/tcp, 0.0.0.0:8090->8449/tcp, :::8090->8449/tcp ecc-provider +b3f4cdb77ed6 rdlabengpa/ids_uc_data_app_platoon:1.7.5 "/bin/sh -c 'java -j…" 3 hours ago Up 3 hours (healthy) 8080/tcp uc-dataapp-consumer a36748901ce1 rdlabengpa/ids_uc_data_app_platoon_pip:v1.0.0 "java -jar pip.jar" 3 hours ago Up 3 hours 0/tcp uc-dataapp-pip-provider -d6f77ad9762d rdlabengpa/ids_uc_data_app_platoon:1.7.4 "/bin/sh -c 'java -j…" 3 hours ago Up 3 hours (healthy) 8080/tcp uc-dataapp-provider +d6f77ad9762d rdlabengpa/ids_uc_data_app_platoon:1.7.5 "/bin/sh -c 'java -j…" 3 hours ago Up 3 hours (healthy) 8080/tcp uc-dataapp-provider bb0bb9668931 rdlabengpa/ids_uc_data_app_platoon_pip:v1.0.0 "java -jar pip.jar" 3 hours ago Up 3 hours 0/tcp uc-dataapp-pip-consumer ``` diff --git a/doc/TRUEConnector/system-requirements.md b/doc/TRUEConnector/system-requirements.md index 7c13c5f..72c9577 100644 --- a/doc/TRUEConnector/system-requirements.md +++ b/doc/TRUEConnector/system-requirements.md 
@@ -3,6 +3,63 @@ In order to run TRUE Connector following minimal system requirements are needed: * CPU: newer 4 core (8 threads) -* Memory: at least 2GB dedicated to TRUE Connector (1024MB - for ECC services, 512MB for DataApp and 512MB for Usage Control services) +* Memory: at least 2GB dedicated to TRUE Connector per instance (1024MB - for ECC services, 512MB for DataApp, 256MB for Usage Control services and 256MB for Usage Control PIP services) -This values can be considered as initial values, and if required, they can be increased or reduced, keeping the functionality of TRUE Connector unchanged. \ No newline at end of file +This values can be considered as initial values, and if required, they can be increased or reduced, keeping the functionality of TRUE Connector unchanged. + +Default resources, provided to docker containers are following (defined in docker-compose.yml): + +``` + ecc-*: + deploy: + resources: + limits: + cpus: "1" + memory: 1024M + logging: + options: + max-size: "200M" +... + + uc-dataapp-*: + deploy: + resources: + limits: + cpus: "1" + memory: 256M + logging: + options: + max-size: "100M" +... + + uc-dataapp-pip-*: + deploy: + resources: + limits: + cpus: "1" + memory: 256M + logging: + options: + max-size: "100M" +... + + be-dataapp-*: + deploy: + resources: + limits: + cpus: "1" + memory: 512M + logging: + options: + max-size: "100M" +... + +``` + +In case that you need to assign more memory to some specific service, this can be done by increasing memory amount in deploy section for specific service. +In case of *java.lang.OutOfMemoryError: Java heap space* be sure to pass following environment variable to "problematic" service: + + +- "JDK_JAVA_OPTIONS=-Xmx1024m" + +Variables defined in deploy resource part and this passed to JVM needs to be correlated, meaning that you first need to delegate memory to docker service and then to assign memory JVM from that amount. 
diff --git a/doc/advancedConfiguration/auditlogs.md b/doc/advancedConfiguration/auditlogs.md index e19ebc4..24127e2 100644 --- a/doc/advancedConfiguration/auditlogs.md +++ b/doc/advancedConfiguration/auditlogs.md @@ -1,6 +1,6 @@ ### Audit logs -Audit logging is turned **off** by default. If you wish to configure it or even turn off please follow this [document](https://github.com/Engineering-Research-and-Development/true-connector-execution\_core\_container/blob/1.14.2/doc/AUDIT.md) . +Audit logging is turned **off** by default. If you wish to configure it or even turn off please follow this [document](https://github.com/Engineering-Research-and-Development/true-connector-execution\_core\_container/blob/1.14.3/doc/AUDIT.md) . ## Accessing audit logs diff --git a/doc/advancedConfiguration/broker.md b/doc/advancedConfiguration/broker.md index 1fc4c97..110855b 100644 --- a/doc/advancedConfiguration/broker.md +++ b/doc/advancedConfiguration/broker.md @@ -13,4 +13,4 @@ TRUE Connector can register itself on startup, and also unregister when shutting application.selfdescription.registrateOnStartup=true ``` -Information on how TRUE Connector can interact with Broker, can be found on following [link](https://github.com/Engineering-Research-and-Development/true-connector-execution\_core\_container/blob/1.14.2/doc/BROKER.md) +Information on how TRUE Connector can interact with Broker, can be found on following [link](https://github.com/Engineering-Research-and-Development/true-connector-execution\_core\_container/blob/1.14.3/doc/BROKER.md) diff --git a/doc/advancedConfiguration/extendedjwt.md b/doc/advancedConfiguration/extendedjwt.md index 5726126..98c7256 100644 --- a/doc/advancedConfiguration/extendedjwt.md +++ b/doc/advancedConfiguration/extendedjwt.md 
@@ -1,3 +1,3 @@ ### Extended jwt validation -TRUE Connector can check additional claims from jwToken. For more information please check the [following link](https://github.com/Engineering-Research-and-Development/true-connector-execution_core_container/blob/1.14.2/doc/TRANSPORTCERTSSHA256.md) +TRUE Connector can check additional claims from jwToken. For more information please check the [following link](https://github.com/Engineering-Research-and-Development/true-connector-execution_core_container/blob/1.14.3/doc/TRANSPORTCERTSSHA256.md) diff --git a/doc/advancedConfiguration/firewall.md b/doc/advancedConfiguration/firewall.md new file mode 100644 index 0000000..f1e4912 --- /dev/null +++ b/doc/advancedConfiguration/firewall.md 
@@ -0,0 +1,37 @@ +## Firewall + +TRUE Connector allows setting up HttpFirewall through Spring Security. Firewall is used both in Execution Core Container (ECC) and DataApp. To turn it on/off, please take a look at following properties in **.env** file: + + +``` +### PROVIDER Configuration +PROVIDER_DATA_APP_FIREWALL=false +PROVIDER_ECC_FIREWALL=false + +### CONSUMER Configuration +CONSUMER_DATA_APP_FIREWALL=false +CONSUMER_ECC_FIREWALL=false +``` + +If Firewall is enabled, it will read properties defined in `firewall.properties` file located in Execution Core Container (ECC) and DataApp resources folder, which easily can be modified by needs of setup. + +``` +#Set which HTTP header names should be allowed (if want to allow all header names, keep it empty) +allowedHeaderNames= +#Set which values in header names should have the exact value and allowed (if want to allow any values keep it empty) +allowedHeaderValues= +#Set which HTTP methods should be allowed +allowedMethods=GET,POST +#Set if a backslash "\" or a URL encoded backslash "%5C" should be allowed in the path or not +allowBackSlash=true +#Set if a slash "/" that is URL encoded "%2F" should be allowed in the path or not +allowUrlEncodedSlash=true +#Set if double slash "//" that is URL encoded "%2F%2F" should be allowed in the path or not +allowUrlEncodedDoubleSlash=true +#Set if semicolon is allowed in the URL (i.e. matrix variables) +allowSemicolon=true +#Set if a percent "%" that is URL encoded "%25" should be allowed in the path or not +allowUrlEncodedPercent=true +#if a period "." that is URL encoded "%2E" should be allowed in the path or not +allowUrlEncodedPeriod=true +``` \ No newline at end of file diff --git a/doc/contributingTC.md b/doc/contributingTC.md index 71e85da..d9adb87 100644 --- a/doc/contributingTC.md +++ b/doc/contributingTC.md 
@@ -18,4 +18,4 @@ should at least include the following information: * Steps to reproduce (system specs included) * Relevant logs and/or media (optional): e.g. an image -For more details about branches, naming conventions and some suggestions, take a look at following [Developer instructions](https://github.com/Engineering-Research-and-Development/true-connector-execution_core_container/tree/1.14.2#developer-guide-section) \ No newline at end of file +For more details about branches, naming conventions and some suggestions, take a look at following [Developer instructions](https://github.com/Engineering-Research-and-Development/true-connector-execution_core_container/tree/1.14.3#developer-guide-section) \ No newline at end of file diff --git a/doc/cosign.md b/doc/cosign.md index c0e24d6..58ee676 100644 --- a/doc/cosign.md +++ b/doc/cosign.md @@ -4,11 +4,11 @@ Docker images that are part of the TRUE Connector are signed using [cosign](http Signed images starts with following versions: -**rdlabengpa/ids\_execution\_core\_container:v1.14.2**\ +**rdlabengpa/ids\_execution\_core\_container:v1.14.3**\ -**rdlabengpa/ids\_be\_data\_app:v0.3.1**\ +**rdlabengpa/ids\_be\_data\_app:v0.3.2**\ -**rdlabengpa/ids\_uc\_data\_app\_platoon:v1.7.4**\ +**rdlabengpa/ids\_uc\_data\_app\_platoon:v1.7.5**\ **rdlabengpa/ids\_uc\_data\_app\_platoon\_pip:v1.0.0**\ 
@@ -16,74 +16,74 @@ Signed images starts with following versions: Once images are downloaded, you can verify the signature by executing following command, (trueconn.pub file can be found in the root of this repo) and response should be like following ``` -cosign verify --key trueconn.pub rdlabengpa/ids_execution_core_container:v1.14.2 +cosign verify --key trueconn.pub rdlabengpa/ids_execution_core_container:v1.14.3 -Verification for index.docker.io/rdlabengpa/ids_execution_core_container:v1.14.2 -- +Verification for index.docker.io/rdlabengpa/ids_execution_core_container:v1.14.3 -- The following checks were performed on each of these signatures: - The cosign claims were validated - The signatures were verified against the specified public key [ - { - "critical": { - "identity": { - "docker-reference": "index.docker.io/rdlabengpa/ids_execution_core_container" - }, - "image": { - "docker-manifest-digest": "sha256:d28ec86e5ee3c9c5b992dd3445fa3301d77a83b6c244b7a8577f2b4e7b8f5d52" - }, - "type": "cosign container image signature" - }, - "optional": null - } + { + "critical": { + "identity": { + "docker-reference": "index.docker.io/rdlabengpa/ids_execution_core_container" + }, + "image": { + "docker-manifest-digest": "sha256:ef7f614c15b31cd3965224ba734bca27d3f2ee0907af05859172821907d9dd3e" + }, + "type": "cosign container image signature" + }, + "optional": null + } ] ``` ``` -cosign verify --key trueconn.pub rdlabengpa/ids_be_data_app:v0.3.1 +cosign verify --key trueconn.pub rdlabengpa/ids_be_data_app:v0.3.2 -Verification for index.docker.io/rdlabengpa/ids_be_data_app:v0.3.1 -- +Verification for index.docker.io/rdlabengpa/ids_be_data_app:v0.3.2 -- The following checks were performed on each of these signatures: - The cosign claims were validated - The signatures were verified against the specified public key [ { - "critical": { - "identity": { - "docker-reference": "index.docker.io/rdlabengpa/ids_be_data_app" - }, - "image": { - "docker-manifest-digest": 
"sha256:905071836b33b7af28727f53574257a218a9b7c93c476f7c1bcaa07b0c7ac24a" - }, - "type": "cosign container image signature" - }, - "optional": null - } + "critical": { + "identity": { + "docker-reference": "index.docker.io/rdlabengpa/ids_be_data_app" + }, + "image": { + "docker-manifest-digest": "sha256:49248ba8c0dc65a97c22ed8261100eec317b7428ae90d0f323bb94354d53f200" + }, + "type": "cosign container image signature" + }, + "optional": null + } ] ``` ``` -cosign verify --key trueconn.pub rdlabengpa/ids_uc_data_app_platoon:v1.7.4 +cosign verify --key trueconn.pub rdlabengpa/ids_uc_data_app_platoon:v1.7.5 -Verification for index.docker.io/rdlabengpa/ids_uc_data_app_platoon:v1.7.4 -- +Verification for index.docker.io/rdlabengpa/ids_uc_data_app_platoon:v1.7.5 -- The following checks were performed on each of these signatures: - The cosign claims were validated - The signatures were verified against the specified public key [ { - "critical": { - "identity": { - "docker-reference": "index.docker.io/rdlabengpa/ids_uc_data_app_platoon" - }, - "image": { - "docker-manifest-digest": "sha256:00b61c089c106750ed8e3f5d6761f9188c5c44276b47d85cef63d8c1df3e37f0" - }, - "type": "cosign container image signature" - }, - "optional": null - } + "critical": { + "identity": { + "docker-reference": "index.docker.io/rdlabengpa/ids_uc_data_app_platoon" + }, + "image": { + "docker-manifest-digest": "sha256:5b082889b0c9afbce7fd1f02ef58269c5bb1df7fdc1652800a66f8e6d2b0659a" + }, + "type": "cosign container image signature" + }, + "optional": null + } ] ``` diff --git a/doc/exchange-data.md b/doc/exchange-data.md index 1f89d9a..cdf90a1 100644 --- a/doc/exchange-data.md +++ b/doc/exchange-data.md 
@@ -28,7 +28,7 @@ _NOTE_: even that this curl command is exported from Postman, it is noticed seve If this happens, please check body of the request in Postman, and if body is empty, simply copy everything enclosed between\ _--data-raw '_ and _'_ -For more details on request samples, please check following link [Backend DataApp Usage](https://github.com/Engineering-Research-and-Development/market4.0-data\_app\_test\_BE/blob/0.3.1/README.md) +For more details on request samples, please check following link [Backend DataApp Usage](https://github.com/Engineering-Research-and-Development/market4.0-data\_app\_test\_BE/blob/0.3.2/README.md) Be sure to use correct configuration/ports for sender and receiver Data App and Execution Core Container (check .env file). diff --git a/doc/modifyingConfiguration/modify-configuration.md b/doc/modifyingConfiguration/modify-configuration.md index 3ccee88..7f5c3f6 100644 --- a/doc/modifyingConfiguration/modify-configuration.md +++ b/doc/modifyingConfiguration/modify-configuration.md @@ -1,3 +1,5 @@ ## Modifying configuration -If you wish to change some configuration parameters for TRUE Connector, it can be done by editing **.env** file. \ No newline at end of file +If you wish to change some configuration parameters for TRUE Connector, it can be done by editing **.env** file. + +**NOTE**: In order to apply changes in **.env** file, TRUE Connector should be stopped, and then started again. \ No newline at end of file diff --git a/doc/rest-api.md b/doc/rest-api.md index 3d7e541..39a5807 100644 --- a/doc/rest-api.md +++ b/doc/rest-api.md 
@@ -2,4 +2,4 @@ Detailed description of API endpoints provided by TRUE Connector can be found in [link](rest\_api/REST\_API.md) -Bare in mind that all endpoints of the TRUE Connector will require authorization. Please follow [this link](https://github.com/Engineering-Research-and-Development/true-connector-execution\_core\_container/blob/1.14.2/doc/SECURITY.md) to get more information about providing correct credentials for desired request/functionality. \ No newline at end of file +Bare in mind that all endpoints of the TRUE Connector will require authorization. Please follow [this link](https://github.com/Engineering-Research-and-Development/true-connector-execution\_core\_container/blob/1.14.3/doc/SECURITY.md) to get more information about providing correct credentials for desired request/functionality. \ No newline at end of file diff --git a/doc/rest_api/REST_API.md b/doc/rest_api/REST_API.md index a2ce7ee..26bc99e 100644 --- a/doc/rest_api/REST_API.md +++ b/doc/rest_api/REST_API.md @@ -3,7 +3,7 @@ The TRUE Connector will use two protocols (http and https) as described by the Docker Compose File. Overview of all available endpoints: -*NOTE* Endpoints are protected with credentials, for more details, please check [this link](https://github.com/Engineering-Research-and-Development/true-connector-execution_core_container/blob/1.14.2/doc/SECURITY.md) +*NOTE* Endpoints are protected with credentials, for more details, please check [this link](https://github.com/Engineering-Research-and-Development/true-connector-execution_core_container/blob/1.14.3/doc/SECURITY.md) | **Method** | **Endpoint** | **Usage** | **Returns** | | ---------- | ------------ | --------- | ----------- | 
@@ -38,5 +38,5 @@ Swagger UI for representation CRUD operations: ![Resource representation](Resource_Representation_Swagger.jpg "Resource representation swagger API") -On following [link](https://github.com/Engineering-Research-and-Development/true-connector-execution_core_container/blob/1.14.2/doc/SELF_DESCRIPTION.md), you can find more detailed explanation of endpoints, with example requests. +On following [link](https://github.com/Engineering-Research-and-Development/true-connector-execution_core_container/blob/1.14.3/doc/SELF_DESCRIPTION.md), you can find more detailed explanation of endpoints, with example requests. diff --git a/doc/security.md b/doc/security.md index 89006fb..c21af88 100644 --- a/doc/security.md +++ b/doc/security.md @@ -47,7 +47,7 @@ Once certificate is generated, following instruction from previous link, you can TRUE Connector has several ways to check the integrity: * [Docker cosing check](cosign.md) - * [Healthcheck](https://github.com/Engineering-Research-and-Development/true-connector-execution_core_container/blob/1.14.2/doc/HEALTHCHECK.md) + * [Healthcheck](https://github.com/Engineering-Research-and-Development/true-connector-execution_core_container/blob/1.14.3/doc/HEALTHCHECK.md) * Verification of the components itself, that will check if current version of subcomponent is verified or not; Each component (Execution Core Container, Basic DataApp and Platoon Usage Control) should on startup log somethign like following: diff --git a/doc/selfDescriptionAPI/self-description-API.md b/doc/selfDescriptionAPI/self-description-API.md index 22165af..ec10cc3 100644 --- a/doc/selfDescriptionAPI/self-description-API.md +++ b/doc/selfDescriptionAPI/self-description-API.md 
@@ -1,6 +1,6 @@ ## Self Description API -To manage your Self Description Document please check following [link](https://github.com/Engineering-Research-and-Development/true-connector-execution\_core\_container/blob/1.14.2/doc/SELF\_DESCRIPTION.md) +To manage your Self Description Document please check following [link](https://github.com/Engineering-Research-and-Development/true-connector-execution\_core\_container/blob/1.14.3/doc/SELF\_DESCRIPTION.md) You can copy existing valid self-description.json document to following location **/ecc\_resources\_consumer** or **/ecc\_resources\_provider** folders, for consumer or provider. 
@@ -14,13 +14,25 @@ application.selfdescription.filelocation= Be careful when changing this property, since it needs to be reflected inside docker container. -When connector is starting up, it will look for file named _self\_description.json_ file, and if such file exists, it will load Self Description document from file, otherwise it will create default Self Description document, from properties: +When connector is starting up, it will look for file named _self\_description.json_ file, and if such file exists, it will load Self Description document from file, otherwise it will create default Self Description document, from properties (with example default values): ``` -application.selfdescription.description= -application.selfdescription.title= -application.selfdescription.curator= -application.selfdescription.maintainer= +application.selfdescription.description=Data Connector description +application.selfdescription.title=Data Connector title +application.selfdescription.curator=http://curatorURI.com +application.selfdescription.maintainer=http://maintainerURI.com +application.selfdescription.inboundModelVersion=4.0.0,4.1.0,4.1.2,4.2.0,4.2.1,4.2.2,4.2.3,4.2.4,4.2.5,4.2.6,4.2.7 + ``` -With single offered resource, artifact and contract offer. \ No newline at end of file +With single offered resource, artifact and contract offer. + +Other elements of self description document are calculated based on configuration, like connector endpoint, public key and such. + +Cryptographic hash of Connector certificate - calculate from configured DAPS certificate + +Security profile cannot be changed, it is hardcoded in java code (user should not change it freely) + +Connector Id - from env file, PROVIDER_ISSUER_CONNECTOR_URI or CONSUMER_ISSUER_CONNECTOR_URI + +Default endpoint - calculated based on public IP address of the machine/docker configuration and configured port diff --git a/doc/user_management.md b/doc/user_management.md index 14baaf1..4fba3f5 100644 
--- a/doc/user_management.md +++ b/doc/user_management.md @@ -18,7 +18,10 @@ while apiUser is present in ecc property file. application.user.api.password=$2a$10$MQ5grDaIqDpBjMlG78PFduv.AMRe9cs0CNm/V4cgUubrqdGTFCH3m ``` +Both user credentials are not persisted anywhere beside properties files, and their passwords are encoded using BcryptPasswordEncoder. + ## Modifying password for a user -Once new password is generated, (described [here](https://github.com/Engineering-Research-and-Development/true-connector-execution_core_container/blob/1.14.2/doc/SECURITY.md#change-default-password)) user should send encoded password to the operations user, which should be the only one who can modify connector property file. That user will update property file and restart TRUE Connector, so that new password will be loaded by the connector. \ No newline at end of file +Once new password is generated, (described [here](https://github.com/Engineering-Research-and-Development/true-connector-execution_core_container/blob/1.14.3/doc/SECURITY.md#change-default-password)) user should send encoded password to the operations user, which should be the only one who can modify connector property file. That user will update property file and restart TRUE Connector, so that new password will be loaded by the connector. + diff --git a/docker-compose.yml b/docker-compose.yml index 575edd5..09544d5 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,7 +1,7 @@ version: '3.1' services: ecc-provider: - image: rdlabengpa/ids_execution_core_container:v1.14.2 + image: rdlabengpa/ids_execution_core_container:v1.14.3 deploy: resources: limits: 
@@ -19,14 +19,16 @@ services: - "8889:8889" #Exposed port for receiving data from another connector (REST) - "8086:8086" #Exposed port for receiving data from another connector (WS) environment: + - "JDK_JAVA_OPTIONS=-Xmx1024m" - "SPRING_PROFILES_ACTIVE=docker" - DATA_APP_ENDPOINT=${PROVIDER_DATA_APP_ENDPOINT} #Data APP enpoint for consuming received data - MULTIPART_EDGE=${PROVIDER_MULTIPART_EDGE} #Data APP endpoint multipart/mixed content type - MULTIPART_ECC=${MULTIPART_ECC} + - CONNECTOR_ID=${PROVIDER_ISSUER_CONNECTOR_URI} - IDSCP2=${IDSCP2} - WS_EDGE=${PROVIDER_WS_EDGE} - WS_ECC=${WS_ECC} - - UC_DATAAPP_URI=http://uc-dataapp-provider:8080/platoontec/PlatoonDataUsage/1.0/ + - UC_DATAAPP_URI=https://uc-dataapp-provider:8080/platoontec/PlatoonDataUsage/1.0/ - BROKER_URL=${BROKER_URL} - CACHE_TOKEN=${CACHE_TOKEN} - FETCH_TOKEN_ON_STARTUP=${FETCH_TOKEN_ON_STARTUP} @@ -39,6 +41,7 @@ services: - DAPS_KEYSTORE_ALIAS=${PROVIDER_DAPS_KEYSTORE_ALIAS} - TRUSTORE_NAME=${TRUSTORE_NAME} - TRUSTORE_PASSWORD=${TRUSTORE_PASSWORD} + - FIREWALL=${PROVIDER_ECC_FIREWALL} - TZ=Europe/Rome volumes: - ./ecc_resources_provider:/config @@ -48,12 +51,12 @@ services: - "ecc-provider:172.17.0.1" uc-dataapp-provider: - image: rdlabengpa/ids_uc_data_app_platoon:v1.7.4 + image: rdlabengpa/ids_uc_data_app_platoon:v1.7.5 deploy: resources: limits: cpus: "1" - memory: 512M + memory: 256M logging: options: max-size: "100M" @@ -61,12 +64,20 @@ services: - provider container_name: uc-dataapp-provider environment: + - "JDK_JAVA_OPTIONS=-Xmx256m" + - ECC_PORT=8449 + - ECC_SELF_DESCRIPTION_URL=${PROVIDER_ECC_SELF_DESCRIPTION_URL} + - KEYSTORE_NAME=${KEYSTORE_NAME} + - KEY_PASSWORD=${KEY_PASSWORD} + - KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD} + - ALIAS=${ALIAS} - TZ=Europe/Rome expose: - "8080" volumes: - ./uc-dataapp_resources_provider:/etc - uc_provider_data:/data + - ./ecc_cert:/cert uc-dataapp-pip-provider: image: rdlabengpa/ids_uc_data_app_platoon_pip:v1.0.0 
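Review bot: `UC_DATAAPP_URI` now sends the ECC to `https://uc-dataapp-provider:8080/...`, and the usage-control container serves that port from the keystore mounted out of `./ecc_cert` (the `@@ -61,12 +64,20 @@` hunk), but nothing in the diff shows how the ECC validates that certificate. Unless the certificate in `${KEYSTORE_NAME}` carries the hostname `uc-dataapp-provider` and is trusted through the ECC's `${TRUSTORE_NAME}`, the call will fail chain or hostname verification, and the obvious workaround of relaxing verification would make the switch to https cosmetic. Please state the expected trust relationship (which truststore entry, which hostname) in the usage-control documentation; the consumer side in the `@@ -140,14 +155,16 @@` hunk has the same change.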
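Review bot: `memory: 256M` in the `@@ -48,12 +51,12 @@` hunk together with `JDK_JAVA_OPTIONS=-Xmx256m` in the `@@ -61,12 +64,20 @@` hunk hands the whole cgroup limit to the Java heap, leaving nothing for metaspace, thread stacks and the code cache, so under load the container is more likely to be OOM-killed by the kernel than to surface an OutOfMemoryError. Either lower the heap, e.g. `- "JDK_JAVA_OPTIONS=-Xmx192m"`, or raise the limit so roughly a quarter of it stays free for non-heap memory. The same pairing is repeated for uc-dataapp-pip-provider, uc-dataapp-consumer and uc-dataapp-pip-consumer in the later hunks.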
@@ -74,7 +85,7 @@ services: resources: limits: cpus: "1" - memory: 512M + memory: 256M logging: options: max-size: "100M" @@ -82,14 +93,15 @@ services: - provider container_name: uc-dataapp-pip-provider environment: + - "JDK_JAVA_OPTIONS=-Xmx256m" - TZ=Europe/Rome expose: - - "8085:8085" + - "8085" volumes: - ./uc-dataapp-pip_resources_provider:/etc be-dataapp-provider: - image: rdlabengpa/ids_be_data_app:v0.3.1 + image: rdlabengpa/ids_be_data_app:v0.3.2 deploy: resources: limits: @@ -103,8 +115,10 @@ services: container_name: be-dataapp-provider ports: - "8183:8183" - - "9000:9000" + expose: + - "9000" environment: + - "JDK_JAVA_OPTIONS=-Xmx512m" - "SPRING_PROFILES_ACTIVE=docker" - DATA_APP_MULTIPART=${PROVIDER_MULTIPART_EDGE} - KEYSTORE_NAME=${KEYSTORE_NAME} @@ -116,13 +130,14 @@ services: - ECC_PORT=8887 - TZ=Europe/Rome - ISSUER_CONNECTOR_URI=${PROVIDER_ISSUER_CONNECTOR_URI} + - FIREWALL=${PROVIDER_DATA_APP_FIREWALL} volumes: - ./be-dataapp_resources:/config - be_dataapp_provider_data:/home/nobody/data/ - ./ecc_cert:/cert ecc-consumer: - image: rdlabengpa/ids_execution_core_container:v1.14.2 + image: rdlabengpa/ids_execution_core_container:v1.14.3 deploy: resources: limits: 
@@ -140,14 +155,16 @@ services: - "8890:8889" #Exposed port for receiving data from another connector (REST) - "8087:8086" #Exposed port for receiving data from another connector (WS) environment: + - "JDK_JAVA_OPTIONS=-Xmx1024m" - "SPRING_PROFILES_ACTIVE=docker" - DATA_APP_ENDPOINT=${CONSUMER_DATA_APP_ENDPOINT} #Data APP enpoint for consuming received data - MULTIPART_EDGE=${CONSUMER_MULTIPART_EDGE} #Data APP endpoint multipart/mixed content type - MULTIPART_ECC=${MULTIPART_ECC} + - CONNECTOR_ID=${CONSUMER_ISSUER_CONNECTOR_URI} - IDSCP2=${IDSCP2} - WS_EDGE=${CONSUMER_WS_EDGE} - WS_ECC=${WS_ECC} - - UC_DATAAPP_URI=http://uc-dataapp-consumer:8080/platoontec/PlatoonDataUsage/1.0/ + - UC_DATAAPP_URI=https://uc-dataapp-consumer:8080/platoontec/PlatoonDataUsage/1.0/ - BROKER_URL=${BROKER_URL} - CACHE_TOKEN=${CACHE_TOKEN} - FETCH_TOKEN_ON_STARTUP=${FETCH_TOKEN_ON_STARTUP} @@ -160,6 +177,7 @@ services: - DAPS_KEYSTORE_ALIAS=${CONSUMER_DAPS_KEYSTORE_ALIAS} - TRUSTORE_NAME=${TRUSTORE_NAME} - TRUSTORE_PASSWORD=${TRUSTORE_PASSWORD} + - FIREWALL=${CONSUMER_ECC_FIREWALL} - TZ=Europe/Rome volumes: - ./ecc_resources_consumer:/config @@ -169,12 +187,12 @@ services: - "ecc-consumer:172.17.0.1" uc-dataapp-consumer: - image: rdlabengpa/ids_uc_data_app_platoon:v1.7.4 + image: rdlabengpa/ids_uc_data_app_platoon:v1.7.5 deploy: resources: limits: cpus: "1" - memory: 512M + memory: 256M logging: options: max-size: "100M" @@ -182,12 +200,20 @@ services: - consumer container_name: uc-dataapp-consumer environment: + - "JDK_JAVA_OPTIONS=-Xmx256m" + - ECC_PORT=8449 + - ECC_SELF_DESCRIPTION_URL=${CONSUMER_ECC_SELF_DESCRIPTION_URL} + - KEYSTORE_NAME=${KEYSTORE_NAME} + - KEY_PASSWORD=${KEY_PASSWORD} + - KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD} + - ALIAS=${ALIAS} - TZ=Europe/Rome expose: - "8080" volumes: - ./uc-dataapp_resources_consumer:/etc - uc_consumer_data:/data + - ./ecc_cert:/cert uc-dataapp-pip-consumer: image: rdlabengpa/ids_uc_data_app_platoon_pip:v1.0.0 
@@ -195,7 +221,7 @@ services: resources: limits: cpus: "1" - memory: 512M + memory: 256M logging: options: max-size: "100M" @@ -203,14 +229,15 @@ services: - consumer container_name: uc-dataapp-pip-consumer environment: + - "JDK_JAVA_OPTIONS=-Xmx256m" - TZ=Europe/Rome expose: - - "8185:8085" + - "8085" volumes: - ./uc-dataapp-pip_resources_consumer:/etc be-dataapp-consumer: - image: rdlabengpa/ids_be_data_app:v0.3.1 + image: rdlabengpa/ids_be_data_app:v0.3.2 deploy: resources: limits: @@ -224,8 +251,10 @@ services: container_name: be-dataapp-consumer ports: - "8184:8183" - - "9001:9000" + expose: + - "9000" environment: + - "JDK_JAVA_OPTIONS=-Xmx512m" - "SPRING_PROFILES_ACTIVE=docker" - DATA_APP_MULTIPART=${CONSUMER_MULTIPART_EDGE} - KEYSTORE_NAME=${KEYSTORE_NAME} @@ -237,6 +266,7 @@ services: - ECC_PORT=8887 - TZ=Europe/Rome - ISSUER_CONNECTOR_URI=${CONSUMER_ISSUER_CONNECTOR_URI} + - FIREWALL=${CONSUMER_DATA_APP_FIREWALL} volumes: - ./be-dataapp_resources:/config - ./ecc_cert:/cert diff --git a/ecc_resources_consumer/application-docker.properties b/ecc_resources_consumer/application-docker.properties index cffc003..c0d3f92 100644 --- a/ecc_resources_consumer/application-docker.properties +++ b/ecc_resources_consumer/application-docker.properties @@ -83,6 +83,9 @@ application.encodeDecodePayload=false application.selfdescription.registrateOnStartup=false application.selfdescription.brokerURL=${BROKER_URL} +#Firewall +application.firewall.isEnabled=${FIREWALL} + #Clearing House application.clearinghouse.isEnabledClearingHouse=false application.clearinghouse.username= @@ -91,6 +94,9 @@ application.clearinghouse.baseUrl= application.clearinghouse.logEndpoint=/messages/log/ application.clearinghouse.processEndpoint=/process/ +#Connector ID +application.connectorid=${CONNECTOR_ID} + #Connector URIs application.uriSchema=http application.uriAuthority=//w3id.org/engrd 
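Review bot: `application.firewall.isEnabled=${FIREWALL}` in the `@@ -83,6 +83,9 @@` hunk has no safe fallback: docker-compose passes `FIREWALL=${CONSUMER_ECC_FIREWALL}`, and compose substitutes an unset `.env` variable with an empty string, so on an upgraded deployment whose `.env` predates this property the flag resolves to empty rather than to an unresolvable placeholder, and how the ECC parses an empty value is not visible here (presumably not as `true`). Defaulting on the compose side, `- FIREWALL=${CONSUMER_ECC_FIREWALL:-true}` (and `${PROVIDER_ECC_FIREWALL:-true}` in the `@@ -39,6 +41,7 @@` hunk), makes the protective state the default when the variable is missing. `application.connectorid=${CONNECTOR_ID}` in the next hunk has the same shape, though there a visible startup failure is arguably the right outcome since a connector identity has no sensible default.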
diff --git a/ecc_resources_consumer/firewall.properties b/ecc_resources_consumer/firewall.properties
new file mode 100644
index 0000000..5a9bead
--- /dev/null
+++ b/ecc_resources_consumer/firewall.properties
@@ -0,0 +1,18 @@
+#Set which HTTP header names should be allowed (if want to allow all header names, keep it empty)
+allowedHeaderNames=
+#Set which values in header names should have the exact value and allowed (if want to allow any values keep it empty)
+allowedHeaderValues=
+#Set which HTTP methods should be allowed
+allowedMethods=GET,POST,PUT,DELETE
+#Set if a backslash "\" or a URL encoded backslash "%5C" should be allowed in the path or not
+allowBackSlash=true
+#Set if a slash "/" that is URL encoded "%2F" should be allowed in the path or not
+allowUrlEncodedSlash=true
+#Set if double slash "//" that is URL encoded "%2F%2F" should be allowed in the path or not
+allowUrlEncodedDoubleSlash=true
+#Set if semicolon is allowed in the URL (i.e. matrix variables)
+allowSemicolon=true
+#Set if a percent "%" that is URL encoded "%25" should be allowed in the path or not
+allowUrlEncodedPercent=true
+#if a period "." that is URL encoded "%2E" should be allowed in the path or not
+allowUrlEncodedPeriod=true
\ No newline at end of file
diff --git a/ecc_resources_provider/application-docker.properties b/ecc_resources_provider/application-docker.properties
index 70e3346..d82a515 100644
--- a/ecc_resources_provider/application-docker.properties
+++ b/ecc_resources_provider/application-docker.properties
@@ -83,6 +83,9 @@ application.encodeDecodePayload=false
 application.selfdescription.registrateOnStartup=false
 application.selfdescription.brokerURL=${BROKER_URL}
+#Firewall
+application.firewall.isEnabled=${FIREWALL}
+
 #Clearing House
 application.clearinghouse.isEnabledClearingHouse=false
 application.clearinghouse.username=
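Review bot: every `allow*` switch in the new `firewall.properties` is `true` and `allowedHeaderNames`/`allowedHeaderValues` are empty, which the file's own comments describe as "allow all", so the shipped configuration accepts encoded slashes, backslashes, semicolons, `%25` and `%2E` in request paths — the path-normalization ambiguities a request firewall exists to reject — and `application.firewall.isEnabled` then toggles a filter that blocks nothing beyond the method list. Unless a known client depends on one of them, ship the switches as `false` and let operators opt in individually, e.g. `allowBackSlash=false`, `allowUrlEncodedSlash=false`, `allowSemicolon=false`, with a comment on any that must stay `true` explaining which caller needs it. The provider copy in the following lines is byte-identical, so the same applies there.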
@@ -91,6 +94,8 @@ application.clearinghouse.baseUrl=
 application.clearinghouse.logEndpoint=/messages/log/
 application.clearinghouse.processEndpoint=/process/
+#Connector ID
+application.connectorid=${CONNECTOR_ID}
 #Connector URIs
 application.uriSchema=http
 application.uriAuthority=//w3id.org/engrd
diff --git a/ecc_resources_provider/firewall.properties b/ecc_resources_provider/firewall.properties
new file mode 100644
index 0000000..5a9bead
--- /dev/null
+++ b/ecc_resources_provider/firewall.properties
@@ -0,0 +1,18 @@
+#Set which HTTP header names should be allowed (if want to allow all header names, keep it empty)
+allowedHeaderNames=
+#Set which values in header names should have the exact value and allowed (if want to allow any values keep it empty)
+allowedHeaderValues=
+#Set which HTTP methods should be allowed
+allowedMethods=GET,POST,PUT,DELETE
+#Set if a backslash "\" or a URL encoded backslash "%5C" should be allowed in the path or not
+allowBackSlash=true
+#Set if a slash "/" that is URL encoded "%2F" should be allowed in the path or not
+allowUrlEncodedSlash=true
+#Set if double slash "//" that is URL encoded "%2F%2F" should be allowed in the path or not
+allowUrlEncodedDoubleSlash=true
+#Set if semicolon is allowed in the URL (i.e. matrix variables)
+allowSemicolon=true
+#Set if a percent "%" that is URL encoded "%25" should be allowed in the path or not
+allowUrlEncodedPercent=true
+#if a period "." that is URL encoded "%2E" should be allowed in the path or not
+allowUrlEncodedPeriod=true
\ No newline at end of file
diff --git a/uc-dataapp_resources_consumer/application.properties b/uc-dataapp_resources_consumer/application.properties
index 01ae01c..cc3a995 100644
--- a/uc-dataapp_resources_consumer/application.properties
+++ b/uc-dataapp_resources_consumer/application.properties
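Review bot: the provider `#Connector ID` block is not followed by a blank line before `#Connector URIs` (this hunk grows by two lines where the consumer file's equivalent `@@ -91,6 +94,9 @@` hunk grows by three), so the two property files now diverge in a section that is otherwise meant to be identical, and future provider/consumer comparisons will carry that noise. Add the blank line after `application.connectorid=${CONNECTOR_ID}` to keep the files line-for-line aligned.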
@@ -41,3 +41,15 @@ spring.jpa.properties.hibernate.jdbc.lob.non_contextual_creation=true
 ## Endpoints
 management.endpoints.enabled-by-default=false
+
+#TLS settings
+server.ssl.key-store=/cert/${KEYSTORE_NAME}
+server.ssl.key-store-password=${KEYSTORE_PASSWORD}
+server.ssl.key-password=${KEYSTORE_PASSWORD}
+server.ssl.key-store-provider=SUN
+server.ssl.key-store-type=JKS
+server.ssl.key-alias=${ALIAS}
+
+#ECC URL and port
+application.ecc.selfdescription.port=${ECC_PORT}
+application.ecc.selfdescription.url=${ECC_SELF_DESCRIPTION_URL}
diff --git a/uc-dataapp_resources_provider/application.properties b/uc-dataapp_resources_provider/application.properties
index 0448a95..1f4da92 100644
--- a/uc-dataapp_resources_provider/application.properties
+++ b/uc-dataapp_resources_provider/application.properties
@@ -41,3 +41,15 @@ spring.jpa.properties.hibernate.jdbc.lob.non_contextual_creation=true
 ## Endpoints
 management.endpoints.enabled-by-default=false
+
+#TLS settings
+server.ssl.key-store=/cert/${KEYSTORE_NAME}
+server.ssl.key-store-password=${KEYSTORE_PASSWORD}
+server.ssl.key-password=${KEYSTORE_PASSWORD}
+server.ssl.key-store-provider=SUN
+server.ssl.key-store-type=JKS
+server.ssl.key-alias=${ALIAS}
+
+#ECC URL and port
+application.ecc.selfdescription.port=${ECC_PORT}
+application.ecc.selfdescription.url=${ECC_SELF_DESCRIPTION_URL}
\ No newline at end of file
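Review bot: `server.ssl.key-password=${KEYSTORE_PASSWORD}` reuses the keystore password for the private key, while docker-compose hands this container a separate `KEY_PASSWORD` (the `@@ -61,12 +64,20 @@` hunk) that nothing in the file reads; the moment the two values differ, the usage-control app will fail to bring up its TLS listener. Use the variable that is already supplied, `server.ssl.key-password=${KEY_PASSWORD}`, or drop the unused environment entry so the contract between compose and properties is honest. The keystore itself is the one mounted from `./ecc_cert`, which presumably means the connector's own identity key is now also loaded by a second container; if that is intended it deserves a sentence in the usage-control documentation, and if not, a dedicated server certificate for the UC app would keep a compromise of that container from exposing the connector key. The provider file's hunk below is identical.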