Add a compose file for a test VOMS-aa deployment (#720)

indigo-iam · Mar 22, 2024 · 92fe11d · 92fe11d
1 parent a0922af
commit 92fe11d
Show file tree

Hide file tree

Showing 17 changed files with 2,828 additions and 0 deletions.
diff --git a/compose/voms-deploy/.env b/compose/voms-deploy/.env
@@ -0,0 +1,14 @@
+COMPOSE_PROJECT_NAME=voms
+TRUST_IMAGE=indigoiam/egi-trustanchors
+TRUST_IMAGE_TAG=igi-test-ca
+DB_IMAGE=mysql
+DB_IMAGE_TAG=5.7
+NGINX_IMAGE=baltig.infn.it:4567/cnafsd/ngx_http_voms_module/nginx-httpg-voms
+NGINX_IMAGE_TAG=latest
+VOMS_AA_IMAGE=indigoiam/voms-aa-bp
+VOMS_AA_IMAGE_TAG=v1.8.3
+GRID_CLIENTS_IMAGE=indigoiam/robot-framework
+GRID_CLIENTS_IMAGE_TAG=latest
+IAM_IMAGE=indigoiam/iam-login-service
+IAM_IMAGE_TAG=v1.8.3
+
diff --git a/compose/voms-deploy/README.md b/compose/voms-deploy/README.md
@@ -0,0 +1,70 @@
+This folder contains docker compose files for the voms-aa microservice.
+
+## Deploy voms-aa
+
+This folder contains a docker-compose file that could be useful for deployment.
+The services defined here are:
+* `trust`: docker image for the GRID CA certificates plus the `igi-test-ca` used in this deployment for test certificates
+* `db`: is a dump of the IAM db for test environment. In addition to the db populated with the iam `mysql-dev` profile, the user `test` has a certificate with DN `/C=IT/O=IGI/CN=test0` linked to his account and he also is part of the `indigo-dc` group (necessary to obtain VOMS proxies)
+* `ngx`: is an extension to NGINX, used for TLS termination, reverse proxy and possibly VOMS proxies validation. It sends requests to the `vomsaa` service
+* `vomsaa`: it is the main voms-aa microservice
+* `client`: it is an image containing GRID clients (in particular `voms-proxy-init`) used to query the `vomsaa` service.
+
+Run the docker-compose with
+
+```
+$ docker-compose up -d
+```
+
+and wait for the `trust` service to finish; `ngx` will be available afterwards.
+
+### VOMS clients
+
+To test `vomsaa` using VOMS clients, enter in the container with
+
+```
+$ docker-compose exec client bash
+```
+
+Here a p12 file for the test user encrypted with the `pass` password is present in the well-known directory (`/home/test/.globus/usercred.p12`). It can be used to obtain a VOMS proxy by `voms-aa` serving a VO named `indigo-dc` with
+
+```
+$ voms-proxy-init -voms indigo-dc
+Enter GRID pass phrase for this identity: <***>
+Contacting voms.test.example:443 [/C=IT/O=IGI/CN=*.test.example] "indigo-dc"...
+Remote VOMS server contacted succesfully.
+
+
+Created proxy in /tmp/x509up_u1000.
+
+Your proxy is valid until Sat Mar 02 00:07:01 CET 2024
+```
+
+Check the content of the proxy with
+
+```
+$ voms-proxy-info -all
+subject   : /C=IT/O=IGI/CN=test0/CN=1946803410
+issuer    : /C=IT/O=IGI/CN=test0
+identity  : /C=IT/O=IGI/CN=test0
+type      : RFC3820 compliant impersonation proxy
+strength  : 2048
+path      : /tmp/x509up_u1000
+timeleft  : 11:59:36
+key usage : Digital Signature, Non Repudiation, Key Encipherment
+=== VO indigo-dc extension information ===
+VO        : indigo-dc
+subject   : /C=IT/O=IGI/CN=test0
+issuer    : /C=IT/O=IGI/CN=*.test.example
+attribute : /indigo-dc
+timeleft  : 11:59:35
+uri       : voms.test.example:8080
+```
+
+### Further setup
+
+If you need to resolve the hostname of `vomsaa`, add a line to your `/etc/hosts` file such as
+
+```
+127.0.0.1   voms.test.example
+```
diff --git a/compose/voms-deploy/assets/certs/voms.test.example.cert.pem b/compose/voms-deploy/assets/certs/voms.test.example.cert.pem
@@ -0,0 +1,85 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 19 (0x13)
+    Signature Algorithm: sha512WithRSAEncryption
+        Issuer: C=IT, O=IGI, CN=Test CA
+        Validity
+            Not Before: Oct 19 08:55:57 2022 GMT
+            Not After : Oct 16 08:55:57 2032 GMT
+        Subject: C=IT, O=IGI, CN=*.test.example
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:e7:3a:01:a8:93:12:08:f4:a6:c9:89:10:a2:f6:
+                    6a:6a:d3:93:98:c7:31:c0:e5:8a:3a:44:9b:cf:ef:
+                    b9:3d:05:86:03:61:0e:6e:fc:c6:f9:9a:9e:35:d6:
+                    3d:38:27:48:cb:77:26:97:15:34:a0:0b:1d:97:31:
+                    dd:18:ec:bf:78:d9:32:9e:00:1a:44:6a:78:15:1f:
+                    ac:7b:3e:bb:ad:b2:b4:32:75:8c:11:d8:31:ec:19:
+                    7d:bf:ba:5d:1e:70:38:62:10:cf:3a:8a:a4:98:83:
+                    b4:df:e0:50:3b:e5:ec:24:a0:89:14:2c:19:27:48:
+                    66:c3:d4:1d:74:63:be:63:38:95:3f:64:d0:91:ac:
+                    95:f7:d9:ca:96:b5:1b:e7:71:70:7b:5f:3b:12:30:
+                    2c:b8:3a:28:79:84:9c:81:12:db:38:31:6d:2d:2a:
+                    e2:80:05:5c:29:77:53:58:10:19:ee:f9:50:e1:8d:
+                    3b:2b:e2:c0:0b:d2:9f:3c:a0:95:33:f8:33:17:ce:
+                    23:0e:31:e8:1e:3d:7e:6a:c9:6d:83:9e:0b:fa:43:
+                    d2:4a:3f:be:d3:19:07:1e:8c:e4:f6:dc:8f:c3:3e:
+                    3a:8e:66:4a:87:ef:0b:39:db:e8:3e:30:1c:91:9e:
+                    b3:1e:d3:a0:1e:1b:9a:b1:58:99:de:a5:bb:53:3b:
+                    3b:5d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                60:FA:21:CE:1C:B5:31:8D:9B:01:F6:08:5B:72:4D:59:5A:F8:71:8C
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication, Microsoft Server Gated Crypto, Netscape Server Gated Crypto, E-mail Protection
+            X509v3 Authority Key Identifier: 
+                keyid:50:9B:6F:74:01:E3:1A:03:57:AB:D9:D5:7D:15:64:4C:25:F3:F8:F4
+
+            X509v3 Subject Alternative Name: 
+                DNS:*.test.example
+    Signature Algorithm: sha512WithRSAEncryption
+         79:82:f2:54:44:98:96:25:c2:83:c9:0f:19:69:1c:f6:a7:19:
+         0d:61:90:f9:96:23:e2:ab:5a:30:db:55:d7:4f:b0:ff:b2:7b:
+         41:da:35:97:47:86:e4:85:00:6d:11:64:ee:32:a4:64:ee:fe:
+         b2:83:a5:24:4a:ce:c3:91:ae:db:3d:5b:af:fa:7e:81:1a:1c:
+         69:d0:1a:9e:70:0e:9e:74:85:6b:48:90:6a:1b:62:ff:6e:b3:
+         84:30:b7:7f:fa:c0:3e:ee:91:70:0b:f2:13:ea:c8:2c:aa:d8:
+         cb:3c:60:b1:08:f9:8e:bf:c2:e4:ce:92:6a:7e:0a:41:49:94:
+         8f:e5:6e:71:f9:47:04:1a:18:1f:65:47:d6:1c:ea:a9:90:71:
+         82:1b:3b:1f:a5:f2:02:ce:5c:d6:2e:5d:1e:05:c4:92:9e:3d:
+         8e:ce:fa:00:83:01:d5:c3:c1:cf:e2:e5:fb:08:80:08:f4:6c:
+         26:64:96:db:cd:be:4c:e7:bc:8f:af:3d:0e:0c:f7:d2:52:15:
+         9c:d5:15:0d:51:b3:95:72:78:1d:8c:ca:37:55:7a:c0:b0:0f:
+         18:ae:de:d0:27:6f:1b:e4:5d:1d:4b:f9:4c:5d:44:49:ed:cf:
+         c2:9e:e7:c6:55:72:ce:2f:43:a7:2f:88:de:b7:da:9f:82:a6:
+         54:77:c2:2e
+-----BEGIN CERTIFICATE-----
+MIIDmTCCAoGgAwIBAgIBEzANBgkqhkiG9w0BAQ0FADAtMQswCQYDVQQGEwJJVDEM
+MAoGA1UECgwDSUdJMRAwDgYDVQQDDAdUZXN0IENBMB4XDTIyMTAxOTA4NTU1N1oX
+DTMyMTAxNjA4NTU1N1owNDELMAkGA1UEBhMCSVQxDDAKBgNVBAoMA0lHSTEXMBUG
+A1UEAwwOKi50ZXN0LmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQDnOgGokxII9KbJiRCi9mpq05OYxzHA5Yo6RJvP77k9BYYDYQ5u/Mb5mp41
+1j04J0jLdyaXFTSgCx2XMd0Y7L942TKeABpEangVH6x7PrutsrQydYwR2DHsGX2/
+ul0ecDhiEM86iqSYg7Tf4FA75ewkoIkULBknSGbD1B10Y75jOJU/ZNCRrJX32cqW
+tRvncXB7XzsSMCy4Oih5hJyBEts4MW0tKuKABVwpd1NYEBnu+VDhjTsr4sAL0p88
+oJUz+DMXziMOMegePX5qyW2Dngv6Q9JKP77TGQcejOT23I/DPjqOZkqH7ws52+g+
+MByRnrMe06AeG5qxWJnepbtTOztdAgMBAAGjgbwwgbkwDAYDVR0TAQH/BAIwADAd
+BgNVHQ4EFgQUYPohzhy1MY2bAfYIW3JNWVr4cYwwDgYDVR0PAQH/BAQDAgXgMD4G
+A1UdJQQ3MDUGCCsGAQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNwoDAwYJYIZIAYb4
+QgQBBggrBgEFBQcDBDAfBgNVHSMEGDAWgBRQm290AeMaA1er2dV9FWRMJfP49DAZ
+BgNVHREEEjAQgg4qLnRlc3QuZXhhbXBsZTANBgkqhkiG9w0BAQ0FAAOCAQEAeYLy
+VESYliXCg8kPGWkc9qcZDWGQ+ZYj4qtaMNtV10+w/7J7Qdo1l0eG5IUAbRFk7jKk
+ZO7+soOlJErOw5Gu2z1br/p+gRocadAannAOnnSFa0iQahti/26zhDC3f/rAPu6R
+cAvyE+rILKrYyzxgsQj5jr/C5M6San4KQUmUj+VucflHBBoYH2VH1hzqqZBxghs7
+H6XyAs5c1i5dHgXEkp49js76AIMB1cPBz+Ll+wiACPRsJmSW282+TOe8j689Dgz3
+0lIVnNUVDVGzlXJ4HYzKN1V6wLAPGK7e0CdvG+RdHUv5TF1ESe3Pwp7nxlVyzi9D
+py+I3rfan4KmVHfCLg==
+-----END CERTIFICATE-----
diff --git a/compose/voms-deploy/assets/certs/voms.test.example.key.pem b/compose/voms-deploy/assets/certs/voms.test.example.key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA5zoBqJMSCPSmyYkQovZqatOTmMcxwOWKOkSbz++5PQWGA2EO
+bvzG+ZqeNdY9OCdIy3cmlxU0oAsdlzHdGOy/eNkyngAaRGp4FR+sez67rbK0MnWM
+Edgx7Bl9v7pdHnA4YhDPOoqkmIO03+BQO+XsJKCJFCwZJ0hmw9QddGO+YziVP2TQ
+kayV99nKlrUb53Fwe187EjAsuDooeYScgRLbODFtLSrigAVcKXdTWBAZ7vlQ4Y07
+K+LAC9KfPKCVM/gzF84jDjHoHj1+asltg54L+kPSSj++0xkHHozk9tyPwz46jmZK
+h+8LOdvoPjAckZ6zHtOgHhuasViZ3qW7Uzs7XQIDAQABAoIBAAx5xL0jskVpbdZR
+3uPsB7Hb2IrVtImD2QFr0jxV4ti4A5MLGYxDdzjgbsjY1lTBSdwwgZSFQGGiN+aA
+ej1uCKaskV6VAtXOKMx6+QNtTxMAIVjXnscXsxnaBj7h/0Q1KdWgso2mDVttP8UU
+hT+2GBeh0cOU3YaREXpfZ3dwKkWQHbtO/UYwVzu+XVFt8kApPoLMMHoXZfetP6Yp
+7YSCuI6id44mwqkP7aY8iGhcUpVTkP3LD7z8nUp4LaG9my6T1Wev8x7hstb/NIsZ
+DPiXAzfDUkHWqpMthnoWyOdghGc6JzKGFeJVHqrW4byJ4hNU3WvNIdvZ8tyIEpd1
+56uP/gECgYEA92oUhzHjvw87qfo6tPDai2I8AghXJoPGB6xYYhchlirYMGPx9fU/
+rcVEGbmSBDqXMg9eZUqiXB+E/hukCOrFZJt4kt656Nm/Xy68IDwSifmf5vcUde6q
+j0pD6i0vwJFjYWBjjS7gRBK83pr/jHhy8aK1+79lZ0GfbQkLxF/2TxkCgYEA70Af
+A387tHDmct7ZH0gAZx9QKYZhtS+WWVCIoZ81028DEeGri0By83KFkU0QZ9RfWKQi
+RajBYkB35xJFv4fSX5s4+tcVaTVJKOn7V5YGmUIxrGY3IMuE77+h9SEHd8GY723q
+9qgwTF5SQP3cGiVpGFB99M44CBuHbbypFh67iuUCgYEA3Zp6QI2C/AJc4mZqZt7E
+IMwgC4IE7U5h9UV89H7banF9qfobIr5EBxUFZjU8f+Uqv3/cgMVUn0bsC94eEo6V
+twM5//LWeaVvL4Xgos6rnEGl422zOd5HjohqRDms58JRTUrUYAR4gwB1gr0530uT
+SLMAZTiNTusMLNFJZN6+8yECgYAulAY1sRSXmY9T98y/iU4CxZberrnhA2W697HR
+/WQGSMuJNK0oDCEVAku8sQsrm64AXNwLQcJ8dV6iju0jT7cGQ/sA4tTZSbV3kK4N
+LDkWp0tya+f5q4WzA1Ttm0OP7hHvMzAWW0Ij7A0JeCLcuEHQqQMMoQVJlspz89Hb
+a5pJfQKBgFZb6XnLMTSCs/SQe38PQiawIQcA+zXmhG83xkEKspQGm2KqyJL+AdKQ
+fXQKoKa/Ubyp7PKRJVZ8raX1/kvtFDQIQ+G3L/hps5rhZgDh5S2n0xd4zlbK/Sw6
+l3RjOUpHSe8oz+X3Jinl/Rwr39I9hrRAW2xj7vkFb84IE98mJu2X
+-----END RSA PRIVATE KEY-----