Update Devconf installation and docs

Use Devconf settings in the parameters.yml.dist, so devconf will work
out-of-the-box for development. Also remove the old StepupDeploy VM
parameters.yml. And update the readme to reflect the use of devconf.

README.md

@@ -42,7 +42,7 @@ Finally, when not in an environment with the debug flag enabled, you need to cle
 $ php72 ./app/console cache:clear --env=prod
 ```
 
-To setup the required tooling on the VM, the following steps might be useful:
+To setup the required tooling on the container, the following steps might be useful:
 
     cd /opt/openconext/OpenConext-engineblock/theme
     sudo curl --silent --location https://rpm.nodesource.com/setup_11.x | sudo bash -
@@ -82,12 +82,12 @@ it is only regularly tested with RedHat Enterprise Linux and CentOS._
 
 ## Installation
 
-_**Note**: you are highly encouraged to use [OpenConext-Deploy][op-dep] to deploy OpenConext installations._
+_**Note**: you are highly encouraged to use [OpenConext-Devconf][op-dev] to deploy OpenConext installations._
 
 If you are reading this then you've probably already installed a copy of EngineBlock somewhere on the destination server,
 if not, then that would be step 1 for the installation.
 
-If you do not use [OpenConext-Deploy][op-dep] and have an installed copy and your server meets all the requirements
+If you do not use [OpenConext-Devconf][op-dev] and have an installed copy and your server meets all the requirements
 above, then please follow the steps below to start your installation.
 
 ### First, create an empty database
@@ -143,11 +143,11 @@ It should also serve both the `engine.yourdomain.example` and `engine-api.yourdo
 Make sure the `ENGINEBLOCK_ENV` is set, and that the `SYMFONY_ENV` is set, this can be mapped from `ENGINEBLOCK_ENV` as:
 
 | `ENGINEBLOCK_ENV` | `SYMFONY_ENV` |
-| --- | --- |
-| production | prod |
-| acceptance | acc |
-| test | test |
-| vm | dev |
+|-------------------| --- |
+| production        | prod |
+| acceptance        | acc |
+| test              | test |
+| dev               | dev |
 
 **EXAMPLE**
 
@@ -254,7 +254,7 @@ Also, the following documentation can be found in the [docs][docs] directory:
 [notice]: NOTICE.txt
 [upgrading]: UPGRADING.md
 [comp]: https://getcomposer.org/
-[op-dep]: https://github.com/OpenConext/OpenConext-deploy
+[op-dev]: https://github.com/OpenConext/OpenConext-devconf
 [manage]: https://github.com/OpenConext/OpenConext-manage
 [eb-wiki-theme-development]: https://github.com/OpenConext/OpenConext-engineblock/wiki/Development-Guidelines#theme-development
 [wiki]: https://github.com/OpenConext/OpenConext-engineblock/wiki

app/config/parameters.yml.dist

@@ -11,11 +11,11 @@ parameters:
     ## from the Host header will be used) or set to match the domain
     ## setting. For example:
     ##
-    ##    domain = vm.openconext.org
-    ##    hostname = engine.vm.openconext.org
-    domain: vm.openconext.org
+    ##    domain = dev.openconext.local
+    ##    hostname = engine.dev.openconext.local
+    domain: dev.openconext.local
     ## Set a fixed hostname for OpenConext EngineBlock to use.
-    hostname: engine.vm.openconext.org
+    hostname: engine.dev.openconext.local
 
     ## Configure trusted proxies to use their X-Forwarded-For header.
     trusted_proxies:
@@ -36,15 +36,15 @@ parameters:
     ## * How attributes are displayed in Profile and Consent
     ## * How attributes are Normalized and Denormalized
     ## * How attributes are validated
-    attribute_definition_file_path: %kernel.project_dir%/application/configs/attributes.json
+    attribute_definition_file_path: %kernel.project_dir%/../application/configs/attributes.json
 
     ## The Signing / Encryption keys used for the SAML2 authentication and metadata
     ## When EngineBlock signs responses (when it acts as an Idp)
     ## or requests (when it acts as an SP) it uses these X.509 certs.
     encryption_keys:
         default:
-            publicFile: /etc/openconext/engineblock.crt
-            privateFile: /etc/openconext/engineblock.pem
+            publicFile: /config/engine/engineblock.crt
+            privateFile: /config/engine/engineblock.pem
 
     ## List of signature methods explicitly forbidden by EngineBlock.
     forbidden_signature_methods: {  }
@@ -73,7 +73,7 @@ parameters:
 
     ## EngineBlock API credentials
     ## The API user config, allows for configuration of multiple different users
-    api.users.metadataPush.username: serviceregistry
+    api.users.metadataPush.username: manage
     api.users.metadataPush.password: secret
     api.users.profile.username: profile
     api.users.profile.password: secret
@@ -84,7 +84,7 @@ parameters:
     ## PDP SETTINGS
     ##########################################################################################
     ## Location of PDP
-    pdp.host: 'https://pdp.vm.openconext.org'
+    pdp.host: 'https://pdp.dev.openconext.local'
 
     ## PDP uses basic auth
     pdp.username: pdp_admin
@@ -96,7 +96,7 @@ parameters:
     ## ATTRIBUTE AGGREGATION SETTINGS
     ##########################################################################################
     ## Location of AA
-    attribute_aggregation.base_url: 'https://aa.vm.openconext.org/aa/api/internal/attribute/aggregation'
+    attribute_aggregation.base_url: 'https://aa.dev.openconext.local/internal/attribute/aggregation'
     attribute_aggregation.username: eb
     attribute_aggregation.password: secret
 
@@ -119,7 +119,7 @@ parameters:
     ##########################################################################################
     ## DATABASE SETTINGS
     ##########################################################################################
-    database.host: localhost
+    database.host: mariadb
     database.port: '3306'
     database.user: ebrw
     database.password: secret
@@ -138,13 +138,13 @@ parameters:
     ## Minimum execution time in milliseconds when a received response is deemed invalid (default: 5000 ms)
     minimum_execution_time_on_invalid_received_response: 5000
     ## The value for guest qualifier. Can be overridden for specific environments
-    addgueststatus_guestqualifier: 'urn:collab:org:vm.openconext.org'
+    addgueststatus_guestqualifier: 'urn:collab:org:dev.openconext.local'
 
     ## Language cookie settings
     ## The value for the domain is also used for clearing SSO Notification cookies if the feature is enabled
     cookie.path: /
     cookie.secure: true
-    cookie.locale.domain: .vm.openconext.org
+    cookie.locale.domain: .dev.openconext.local
     cookie.locale.expiry: 5184000
     cookie.locale.http_only: false
     cookie.locale.secure: true
@@ -157,7 +157,7 @@ parameters:
     view_default_logo_height: 96
     # when set, will show a ribbon top-right to visually distinguish this install from other
     # environments in your constellation (e.g. "test", "qa"), with the given ribbon color in
-    # env_ribbon_color. You can choose from colors: crimson,darkorchid,orange,hotpink,khaki.
+    # env_ribbon_color. You can choose from colors: crimson,orange,hotpink,khaki.
     env_name: ""
     env_ribbon_color: ""
 
@@ -178,7 +178,7 @@ parameters:
 
     ## Toggle the default IdP quick link banner on the WAYF.
     wayf.display_default_idp_banner_on_wayf: true
-    wayf.default_idp_entity_id: https://default-idp.vm.openconext.org
+    wayf.default_idp_entity_id: https://default-idp.dev.openconext.local
 
     ## Toggle display & content of global site notice
     global.site_notice.show: false
@@ -221,7 +221,7 @@ parameters:
     feature_api_metadata_api: true
     feature_api_deprovision: true
     feature_run_all_manipulations_prior_to_consent: false
-    feature_block_user_on_violation: true
+    feature_block_user_on_violation: false
     feature_enable_consent: true
     feature_stepup_sfo_override_engine_entityid: false
     feature_enable_idp_initiated_flow: true
@@ -230,7 +230,7 @@ parameters:
     ## PROFILE SETTINGS
     ##########################################################################################
     ## Location of Profile
-    profile_base_url: 'https://profile.vm.openconext.org'
+    profile_base_url: 'https://profile.dev.openconext.local'
 
     ##########################################################################################
     ## SFO SETTINGS
@@ -244,26 +244,28 @@ parameters:
     ## The engineblock or gateway keys specify the LoAs identifier as will be carried in the AuthnContextClassRef of an assertion.
     stepup.loa.mapping:
         10:
-            engineblock: 'http://vm.openconext.org/assurance/loa1'
-            gateway: 'http://stepup.vm.openconext.org/assurance/loa1'
+            engineblock: 'http://dev.openconext.local/assurance/loa1'
+            gateway: 'http://dev.openconext.local/assurance/loa1'
         15:
-            engineblock: 'http://vm.openconext.org/assurance/loa1_5'
-            gateway: 'http://stepup.vm.openconext.org/assurance/loa1_5'
+            engineblock: 'http://dev.openconext.local/assurance/loa1_5'
+            gateway: 'http://dev.openconext.local/assurance/loa1_5'
         20:
-            engineblock: 'http://vm.openconext.org/assurance/loa2'
-            gateway: 'http://stepup.vm.openconext.org/assurance/loa2'
+            engineblock: 'http://dev.openconext.local/assurance/loa2'
+            gateway: 'http://dev.openconext.local/assurance/loa2'
         30:
-            engineblock: 'http://vm.openconext.org/assurance/loa3'
-            gateway: 'http://stepup.vm.openconext.org/assurance/loa3'
+            engineblock: 'http://dev.openconext.local/assurance/loa3'
+            gateway: 'http://dev.openconext.local/assurance/loa3'
     ## The fallback LoA to return when the Stepup authentication fails but is not required
-    stepup.loa.loa1: 'http://vm.openconext.org/assurance/loa1'
+    stepup.loa.loa1: 'http://dev.openconext.local/assurance/loa1'
     ## The EntityId (metadata URL) used in the callout to the SFO endpoint of the configured Stepup Gateway
-    stepup.gateway.sfo.entity_id: 'https://gateway.stepup.vm.openconext.org/second-factor-only/metadata'
+    stepup.gateway.sfo.entity_id: 'https://gateway.dev.openconext.local/second-factor-only/metadata'
     ## The single sign-on endpoint used for Stepup Gateway SFO callouts
-    stepup.gateway.sfo.sso_location: 'https://gateway.stepup.vm.openconext.org/second-factor-only/single-sign-on'
+    stepup.gateway.sfo.sso_location: 'https://gateway.dev.openconext.local/second-factor-only/single-sign-on'
     ## The public key from the Stepup Gateway IdP
-    stepup.gateway.sfo.key_file: /etc/openconext/engineblock.crt
-    stepup.sfo.override_engine_entityid: 'https://engine.vm.openconext.com/new/stepup/metadata'
+    stepup.gateway.sfo.key_file: /config/engine/engineblock.crt
+    ## You can override the default entityID used by Engineblock for its callout to stepup gateway.
+    ## You also need to enable the feature toggle feature_stepup_sfo_override_engine_entityid above.
+    stepup.sfo.override_engine_entityid: ""
 
     ##########################################################################################
     ## THEME SETTINGS
@@ -303,4 +305,3 @@ parameters:
     # used in the authentication log record. The attributeName will be searched in the response attributes and if present
     # the log data will be enriched. The values of the response attributes are the final values after ARP and Attribute Manipulation.
     auth.log.attributes: []
-