From d1ffaf9d56387d93b7382bbc104cb544db18b23d Mon Sep 17 00:00:00 2001 From: Andreas Scheibal Date: Thu, 21 Mar 2024 18:55:02 +0100 Subject: [PATCH 01/11] feat: using azure db service --- .../tngkds-backend/templates/deployment.yaml | 254 +++++++++--------- 1 file changed, 121 insertions(+), 133 deletions(-) diff --git a/k8s/helm/tngkds/charts/tngkds-backend/templates/deployment.yaml b/k8s/helm/tngkds/charts/tngkds-backend/templates/deployment.yaml index 7dd391f..08504a5 100644 --- a/k8s/helm/tngkds/charts/tngkds-backend/templates/deployment.yaml +++ b/k8s/helm/tngkds/charts/tngkds-backend/templates/deployment.yaml 
@@ -1,133 +1,121 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "tngkds-backend.fullname" . }} - labels: - {{- include "tngkds-backend.labels" . | nindent 4 }} -spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} - {{- end }} - selector: - matchLabels: - {{- include "tngkds-backend.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "tngkds-backend.labels" . | nindent 8 }} - spec: - initContainers: - - name: liquibase - image: "{{ .Values.liquibaseImage.repository }}:{{ .Values.liquibaseImage.tag }}" - command: ["/bin/sh", "-c"] - args: - - liquibase update --changeLogFile=db/changelog.yaml; - env: - - name: LIQUIBASE_COMMAND_URL - value: "jdbc:postgresql://{{ .Values.psql.serviceName }}.{{ .Release.Namespace }}.{{ .Values.psql.cluster }}:{{ .Values.psql.port }}/{{ .Values.psql.dbName }}" - - name: LIQUIBASE_COMMAND_USERNAME - valueFrom: - secretKeyRef: - name: {{ include "tngkds-backend.fullname" . }}-secret - key: pgUser - - name: LIQUIBASE_COMMAND_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "tngkds-backend.fullname" . 
}}-secret - key: pgPassword - - name: LIQUIBASE_SEARCH_PATH - value: /liquibase - - name: LIQUIBASE_LOG_LEVEL - value: ERROR - imagePullSecrets: - - name: {{ .Values.imagePullSecrets }} - containers: - - name: {{ .Chart.Name }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - ports: - {{ range .Values.service.ports }} - - name: {{ .name }} - containerPort: {{ .port }} - protocol: {{ .protocol }} - {{ end }} - env: - - name: SERVER_PORT - value: "{{ .Values.server.port }}" - - name: SPRING_PROFILES_ACTIVE - value: {{ .Values.spring.profile }} - - name: SPRING_DATASOURCE_URL - value: "jdbc:postgresql://{{ .Values.psql.serviceName }}.{{ .Release.Namespace }}.{{ .Values.psql.cluster }}:{{ .Values.psql.port }}/{{ .Values.psql.dbName }}" - - name: SPRING_DATASOURCE_DRIVERCLASSNAME - value: "org.postgresql.Driver" - - name: SPRING_DATASOURCE_JNDI_NAME - value: "false" - - name: SPRING_JPA_DATABASEPLATFORM - value: "org.hibernate.dialect.PostgreSQLDialect" - - name: SPRING_DATASOURCE_USERNAME - valueFrom: - secretKeyRef: - name: {{ include "tngkds-backend.fullname" . }}-secret - key: pgUser - - name: SPRING_DATASOURCE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "tngkds-backend.fullname" . 
}}-secret - key: pgPassword - - name: DGC_GATEWAY_CONNECTOR_TLS_TRUST_STORE_PATH - value: {{ .Values.gateway.connector.tls_trust_store.path }} - - name: DGC_GATEWAY_CONNECTOR_TLS_TRUST_STORE_PASSWORD - value: {{ .Values.gateway.connector.tls_trust_store.password }} - - name: DGC_GATEWAY_CONNECTOR_TLS_TRUST_STORE_ALIAS - value: {{ .Values.gateway.connector.tls_trust_store.alias }} - - name: DGC_GATEWAY_CONNECTOR_TLS_KEY_STORE_PATH - value: {{ .Values.gateway.connector.tls_key_store.path }} - - name: DGC_GATEWAY_CONNECTOR_TLS_KEY_STORE_PASSWORD - value: {{ .Values.gateway.connector.tls_key_store.password }} - - name: DGC_GATEWAY_CONNECTOR_TLS_KEY_STORE_ALIAS - value: {{.Values.gateway.connector.tls_key_store.alias }} - - name: DGC_GATEWAY_CONNECTOR_TRUST_ANCHOR_PATH - value: {{ .Values.gateway.connector.trust_anchor.path }} - - name: DGC_GATEWAY_CONNECTOR_TRUST_ANCHOR_PASSWORD - value: {{ .Values.gateway.connector.trust_anchor.password }} - - name: DGC_GATEWAY_CONNECTOR_TRUST_ANCHOR_ALIAS - value: {{ .Values.gateway.connector.trust_anchor.alias }} - - name: DGC_GATEWAY_CONNECTOR_ENABLED - value: {{ .Values.gateway.connector.enabled |quote }} - - name: DGC_GATEWAY_CONNECTOR_ENDPOINT - value: {{ .Values.gateway.connector.endpoint }} - volumeMounts: - - name: secrets-jks - mountPath: /certs - readOnly: true - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . 
| nindent 8 }} - {{- end }} - volumes: - - name: secrets-jks - secret: - secretName: mtls-secret - items: - - key: tls_key_store.p12 - path: tls_key_store.p12 - - key: trustanchor_store.jks - path: trustanchor_store.jks - - key: tng_tls_server_truststore.p12 - path: tng_tls_server_truststore.p12 +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "tngkds-backend.fullname" . }} + labels: + {{- include "tngkds-backend.labels" . | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "tngkds-backend.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "tngkds-backend.labels" . | nindent 8 }} + spec: + initContainers: + - name: liquibase + image: "{{ .Values.liquibaseImage.repository }}:{{ .Values.liquibaseImage.tag }}" + command: ["/bin/sh", "-c"] + args: + - liquibase update --changeLogFile=db/changelog.yaml; + env: + - name: LIQUIBASE_COMMAND_URL + value: "jdbc:postgresql://{{ .Values.psql.serviceName }}:{{ .Values.psql.port }}/{{ .Values.psql.dbName }}" + - name: LIQUIBASE_COMMAND_USERNAME + value: {{ .Values.psql.username }} + - name: LIQUIBASE_COMMAND_PASSWORD + value: {{ .Values.psql.password }} + - name: LIQUIBASE_SEARCH_PATH + value: /liquibase + - name: LIQUIBASE_LOG_LEVEL + value: ERROR + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + {{ range .Values.service.ports }} + - name: {{ .name }} + containerPort: {{ .port }} + protocol: {{ .protocol }} + {{ end }} + env: + - name: SERVER_PORT + value: "{{ .Values.server.port }}" + - name: SPRING_PROFILES_ACTIVE + value: {{ 
.Values.spring.profile }} + - name: SPRING_DATASOURCE_URL + value: "jdbc:postgresql://{{ .Values.psql.serviceName }}:{{ .Values.psql.port }}/{{ .Values.psql.dbName }}" + - name: SPRING_DATASOURCE_DRIVERCLASSNAME + value: "org.postgresql.Driver" + - name: SPRING_DATASOURCE_JNDI_NAME + value: "false" + - name: SPRING_JPA_DATABASEPLATFORM + value: "org.hibernate.dialect.PostgreSQLDialect" + - name: SPRING_DATASOURCE_USERNAME + value: {{ .Values.psql.username }} + - name: SPRING_DATASOURCE_PASSWORD + value: {{ .Values.psql.password }} + - name: DGC_GATEWAY_CONNECTOR_TLS_TRUST_STORE_PATH + value: {{ .Values.gateway.connector.tls_trust_store.path }} + - name: DGC_GATEWAY_CONNECTOR_TLS_TRUST_STORE_PASSWORD + value: {{ .Values.gateway.connector.tls_trust_store.password }} + - name: DGC_GATEWAY_CONNECTOR_TLS_TRUST_STORE_ALIAS + value: {{ .Values.gateway.connector.tls_trust_store.alias }} + - name: DGC_GATEWAY_CONNECTOR_TLS_KEY_STORE_PATH + value: {{ .Values.gateway.connector.tls_key_store.path }} + - name: DGC_GATEWAY_CONNECTOR_TLS_KEY_STORE_PASSWORD + value: {{ .Values.gateway.connector.tls_key_store.password }} + - name: DGC_GATEWAY_CONNECTOR_TLS_KEY_STORE_ALIAS + value: {{.Values.gateway.connector.tls_key_store.alias }} + - name: DGC_GATEWAY_CONNECTOR_TRUST_ANCHOR_PATH + value: {{ .Values.gateway.connector.trust_anchor.path }} + - name: DGC_GATEWAY_CONNECTOR_TRUST_ANCHOR_PASSWORD + value: {{ .Values.gateway.connector.trust_anchor.password }} + - name: DGC_GATEWAY_CONNECTOR_TRUST_ANCHOR_ALIAS + value: {{ .Values.gateway.connector.trust_anchor.alias }} + - name: DGC_GATEWAY_CONNECTOR_ENABLED + value: {{ .Values.gateway.connector.enabled |quote }} + - name: DGC_GATEWAY_CONNECTOR_ENDPOINT + value: {{ .Values.gateway.connector.endpoint }} + volumeMounts: + - name: secrets-jks + mountPath: /certs + readOnly: true + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: secrets-jks + secret: + secretName: mtls-secret + items: + - key: tls_key_store.p12 + path: tls_key_store.p12 + - key: trustanchor_store.jks + path: trustanchor_store.jks + - key: tng_tls_server_truststore.p12 + path: tng_tls_server_truststore.p12 From 18a22054e792b9331201e5e80a0926f6122aa46a Mon Sep 17 00:00:00 2001 From: Andreas Scheibal Date: Fri, 22 Mar 2024 13:42:51 +0100 Subject: [PATCH 02/11] fix: value quoting --- .../charts/tngkds-backend/templates/deployment.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/k8s/helm/tngkds/charts/tngkds-backend/templates/deployment.yaml b/k8s/helm/tngkds/charts/tngkds-backend/templates/deployment.yaml index 08504a5..7bf4547 100644 --- a/k8s/helm/tngkds/charts/tngkds-backend/templates/deployment.yaml +++ b/k8s/helm/tngkds/charts/tngkds-backend/templates/deployment.yaml @@ -30,9 +30,9 @@ spec: - name: LIQUIBASE_COMMAND_URL value: "jdbc:postgresql://{{ .Values.psql.serviceName }}:{{ .Values.psql.port }}/{{ .Values.psql.dbName }}" - name: LIQUIBASE_COMMAND_USERNAME - value: {{ .Values.psql.username }} + value: {{ .Values.psql.username | quote }} - name: LIQUIBASE_COMMAND_PASSWORD - value: {{ .Values.psql.password }} + value: {{ .Values.psql.password | quote }} - name: LIQUIBASE_SEARCH_PATH value: /liquibase - name: LIQUIBASE_LOG_LEVEL 
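Review bot: The database credentials for the liquibase initContainer (LIQUIBASE_COMMAND_USERNAME/PASSWORD) and the main container (SPRING_DATASOURCE_USERNAME/PASSWORD) are now plain `value: {{ .Values.psql.password }}` entries instead of the `secretKeyRef` they replace, so the password is rendered in clear into the Deployment object, the ReplicaSet, the Helm release history and every rendered manifest. Keep the reference form, e.g. `valueFrom: {secretKeyRef: {name: {{ include "tngkds-backend.fullname" . }}-secret, key: pgPassword}}`, and populate that Secret from the values (a Secret template with quoted `stringData`) or from an externally managed Secret whose name comes from values. If `psql.serviceName` now points at a managed database outside the cluster, note that both JDBC URLs carry no `sslmode`; pgjdbc's default `prefer` negotiates TLS but does not verify the server certificate, so appending `?sslmode=verify-full` (with the provider CA in the trust store) is the safer default.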
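Review bot: `| quote` on an unset `psql.username`/`psql.password` renders an empty value (Sprig's `quote` skips nil) rather than failing at render time, so a forgotten password produces an init container that silently starts with empty credentials. Fail fast instead: `value: {{ required "psql.password must be set" .Values.psql.password | quote }}`, and likewise for the username. The same applies to the SPRING_DATASOURCE_USERNAME/PASSWORD lines in the second hunk of this commit.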
@@ -65,9 +65,9 @@ spec: - name: SPRING_JPA_DATABASEPLATFORM value: "org.hibernate.dialect.PostgreSQLDialect" - name: SPRING_DATASOURCE_USERNAME - value: {{ .Values.psql.username }} + value: {{ .Values.psql.username | quote }} - name: SPRING_DATASOURCE_PASSWORD - value: {{ .Values.psql.password }} + value: {{ .Values.psql.password | quote }} - name: DGC_GATEWAY_CONNECTOR_TLS_TRUST_STORE_PATH value: {{ .Values.gateway.connector.tls_trust_store.path }} - name: DGC_GATEWAY_CONNECTOR_TLS_TRUST_STORE_PASSWORD From d0bd1f3875388bd0d376cea1a575ef99b4791b93 Mon Sep 17 00:00:00 2001 From: Andreas Scheibal Date: Mon, 25 Mar 2024 18:19:48 +0100 Subject: [PATCH 03/11] fix: keeping both charts together postgreSQL as Pod can be toggled --- ...crets to container with mounted volumes.md | 126 ++++---- .../tngkds-backend/templates/configmap.yml | 15 +- .../tngkds-backend/templates/deployment.yaml | 17 +- .../tngkds-backend/templates/secrets.yml | 7 - .../tngkds/charts/tngkds-backend/values.yaml | 282 +++++++++--------- .../tngkds-postgres/templates/configmap.yml | 17 +- .../tngkds-postgres/templates/deployment.yaml | 101 ++++--- .../tngkds-postgres/templates/pv-claim.yaml | 29 +- .../tngkds-postgres/templates/secrets.yml | 17 +- .../tngkds-postgres/templates/service.yaml | 35 ++- .../tngkds/charts/tngkds-postgres/values.yaml | 184 ++++++------ k8s/helm/tngkds/values.yaml | 40 ++- 12 files changed, 462 insertions(+), 408 deletions(-) delete mode 100644 k8s/helm/tngkds/charts/tngkds-backend/templates/secrets.yml diff --git a/certs/From Files to secrets to container with mounted volumes.md b/certs/From Files to secrets to container with mounted volumes.md index 10d4903..fd4bad6 100644 --- a/certs/From Files to secrets to container with mounted volumes.md +++ b/certs/From Files to secrets to container with mounted volumes.md 
@@ -1,58 +1,68 @@ -### How to populate the keystores and truststores, trustanchor files in k8s cluster -A general approach how to secrets are mounted volumes can be found in the official [documentation](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#create-a-pod-that-has-access-to-the-secret-data-through-a-volume) -1.) generate the keystore, truststore trust_anchor as described in [PlaceYourGatewayAccessKeysHere.md](PlaceYourGatewayAccessKeysHere.md) -2.) combine the resulting files in a single secret with -```(bash) -kubectl create secret generic mtls-secret --dry-run=client -o yaml --from-file=tls_key_store.p12 --from-file=tng_tls_server_truststore.p12 --from-file=trustanchor_store.jks > mtls_secret.yaml -kubectl create secret generic --dry-run=client -o yaml --from-file= --from-file=.p12 --from-file= > combined_tls_secret.yaml -``` -this will result in a yaml file containing the base64 encoded file contents of that three files -```(json) -apiVersion: v1 -data: - tls_key_store.p12: MIIF3wIBAzCCBZUGDQEJFDEkHiIAYwBsAGkAZQBuAHQAYwByAGUAZABlAG4AdABpAGEAbABzMEEwMTANBglghkgBZQMEAgEFAAQgt/aPlSTVrkAIplPg++vrX...../czGzdjH1XPrutiae8EAFoECKv4c1pYD2TDAgIIAA== - trustanchor_store.jks: /u3+7QAAAAIAAAABAAAAAgAadG5nLXRscy1zZXJ2ZXItY2VydGlmaWNhdGUAAAGLVC9h5gAFWC41MDkAAAUaMIIFFjCCAv6gAwIBAgIRAJErCEr - tng_tls_server_truststore.p12: /u3+7QAAAAIAAAABAAAAAgAXoB1.....lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4avAuvDsz -kind: Secret -metadata: - creationTimestamp: null - name: mtls-secret -``` -This file then can be temporarily included in your helm charts or directly applied to your cluster with -```(shell) -kubectl apply -f mtls-secret.yaml # will apply the secret to current context -``` -**Note that your secrets with keystores/truststores contain sensible data. 
Keep them in save place** - -In the deployment of your helm chart include the secret as volumes in the template spec -````(helm) -spec: - template: - spec: - volumes: - - name: secrets-jks - secret: - secretName: mtls-secret - items: - - key: tls_key_store.p12 - path: tls_key_store.p12 - - key: trustanchor_store.jks - path: trustanchor_store.jks - - key: tng_tls_server_truststore.p12 - path: tng_tls_server_truststore.p12 -```` -The items array is optional as long as the keynames reflect the filenames and all keys in the secret -shall be mapped to files - -The according volume mounts are defined in the container section -````(helm) -spec: - templates: - spec: - containers: - volumeMounts: - - name: secrets-jks - mountPath: /certs - readOnly: true -```` - +### How to populate the keystores and truststores, trustanchor files in k8s cluster + +A general approach how to secrets are mounted volumes can be found in the official [documentation](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#create-a-pod-that-has-access-to-the-secret-data-through-a-volume) +1.) generate the keystore, truststore trust_anchor as described in [PlaceYourGatewayAccessKeysHere.md](PlaceYourGatewayAccessKeysHere.md) +2.) 
combine the resulting files in a single secret with + +```(bash) +kubectl create secret generic mtls-secret --dry-run=client --namespace=kds -o yaml --from-file=tls_key_store.p12 --from-file=tng_tls_server_truststore.p12 --from-file=trustanchor_store.jks > mtls_secret.yaml +kubectl create secret generic --dry-run=client --namespace= -o yaml --from-file= --from-file=.p12 --from-file= > combined_tls_secret.yaml +``` + +this will result in a yaml file containing the base64 encoded file contents of that three files + +```(json) +apiVersion: v1 +data: + tls_key_store.p12: MIIF3wIBAzCCBZUGDQEJFDEkHiIAYwBsAGkAZQBuAHQAYwByAGUAZABlAG4AdABpAGEAbABzMEEwMTANBglghkgBZQMEAgEFAAQgt/aPlSTVrkAIplPg++vrX...../czGzdjH1XPrutiae8EAFoECKv4c1pYD2TDAgIIAA== + trustanchor_store.jks: /u3+7QAAAAIAAAABAAAAAgAadG5nLXRscy1zZXJ2ZXItY2VydGlmaWNhdGUAAAGLVC9h5gAFWC41MDkAAAUaMIIFFjCCAv6gAwIBAgIRAJErCEr + tng_tls_server_truststore.p12: /u3+7QAAAAIAAAABAAAAAgAXoB1.....lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4avAuvDsz +kind: Secret +metadata: + creationTimestamp: null + name: mtls-secret +``` + +This file then can be temporarily included in your helm charts or directly applied to your cluster with + +```(shell) +kubectl apply -f mtls-secret.yaml # will apply the secret to current context +``` + +**Note that your secrets with keystores/truststores contain sensible data. 
Keep them in save place** + +In the deployment of your helm chart include the secret as volumes in the template spec + +```(helm) +spec: + template: + spec: + volumes: + - name: secrets-jks + secret: + secretName: mtls-secret + items: + - key: tls_key_store.p12 + path: tls_key_store.p12 + - key: trustanchor_store.jks + path: trustanchor_store.jks + - key: tng_tls_server_truststore.p12 + path: tng_tls_server_truststore.p12 +``` + +The items array is optional as long as the keynames reflect the filenames and all keys in the secret +shall be mapped to files + +The according volume mounts are defined in the container section + +```(helm) +spec: + templates: + spec: + containers: + volumeMounts: + - name: secrets-jks + mountPath: /certs + readOnly: true +``` + diff --git a/k8s/helm/tngkds/charts/tngkds-backend/templates/configmap.yml b/k8s/helm/tngkds/charts/tngkds-backend/templates/configmap.yml index fb77939..fb40420 100644 --- a/k8s/helm/tngkds/charts/tngkds-backend/templates/configmap.yml +++ b/k8s/helm/tngkds/charts/tngkds-backend/templates/configmap.yml @@ -1,7 +1,8 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "tngkds-backend.fullname" . }}-cfg -data: - host: "{{ .Values.configMap.data.host }}" - dbname: "{{ .Values.configMap.data.dbName }}" +# apiVersion: v1 +# kind: ConfigMap +# metadata: +# name: {{ include "tngkds-backend.fullname" . }}-cfg +# namespace: {{ .Release.Namespace }} +# data: +# host: "{{ .Values.configMap.data.host }}" +# dbname: "{{ .Values.configMap.data.dbName }}" diff --git a/k8s/helm/tngkds/charts/tngkds-backend/templates/deployment.yaml b/k8s/helm/tngkds/charts/tngkds-backend/templates/deployment.yaml index 7bf4547..1cb1a95 100644 --- a/k8s/helm/tngkds/charts/tngkds-backend/templates/deployment.yaml +++ b/k8s/helm/tngkds/charts/tngkds-backend/templates/deployment.yaml 
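Review bot: Commenting the ConfigMap out with `#` does not stop Helm from evaluating it: YAML comments are not template comments, so `{{ include "tngkds-backend.fullname" . }}` and `{{ .Values.configMap.data.host }}` are still executed on every render. Because this same commit comments `configMap` out of the subchart's values.yaml, `.Values.configMap` is nil and rendering will fail with a nil-pointer error unless the parent chart's values (not shown here) still supply it. Either delete the file or wrap the whole body in a template comment, `{{/* ... */}}`, which is skipped by the renderer.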
@@ -4,6 +4,7 @@ metadata: name: {{ include "tngkds-backend.fullname" . }} labels: {{- include "tngkds-backend.labels" . | nindent 4 }} + namespace: {{ .Release.Namespace }} spec: {{- if not .Values.autoscaling.enabled }} replicas: {{ .Values.replicaCount }} @@ -28,7 +29,11 @@ spec: - liquibase update --changeLogFile=db/changelog.yaml; env: - name: LIQUIBASE_COMMAND_URL + {{- if .Values.psql.asPod.enabled }} + value: "jdbc:postgresql://{{ .Values.psql.serviceName }}.{{ .Release.Namespace }}.{{ .Values.psql.cluster }}:{{ .Values.psql.port }}/{{ .Values.psql.dbName }}" + {{ else }} value: "jdbc:postgresql://{{ .Values.psql.serviceName }}:{{ .Values.psql.port }}/{{ .Values.psql.dbName }}" + {{ end -}} - name: LIQUIBASE_COMMAND_USERNAME value: {{ .Values.psql.username | quote }} - name: LIQUIBASE_COMMAND_PASSWORD @@ -57,7 +62,11 @@ spec: - name: SPRING_PROFILES_ACTIVE value: {{ .Values.spring.profile }} - name: SPRING_DATASOURCE_URL + {{- if .Values.psql.asPod.enabled }} + value: "jdbc:postgresql://{{ .Values.psql.serviceName }}.{{ .Release.Namespace }}.{{ .Values.psql.cluster }}:{{ .Values.psql.port }}/{{ .Values.psql.dbName }}" + {{ else }} value: "jdbc:postgresql://{{ .Values.psql.serviceName }}:{{ .Values.psql.port }}/{{ .Values.psql.dbName }}" + {{ end -}} - name: SPRING_DATASOURCE_DRIVERCLASSNAME value: "org.postgresql.Driver" - name: SPRING_DATASOURCE_JNDI_NAME 
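Review bot: In the LIQUIBASE_COMMAND_URL hunk the closing `{{ end -}}` right-trims the newline and leading spaces of the following `- name: LIQUIBASE_COMMAND_USERNAME` line, so that list item is emitted at whatever indentation precedes `{{ end`; the collapsed diff hides the exact columns, but if they differ from the env-item indentation the rendered list is broken or mis-nested. `{{ else }}` without a dash also leaves an indented blank line inside the list. The rest of this file uses left-trim only (`{{- with }}` / `{{- end }}`); write the branch the same way, `{{- if .Values.psql.asPod.enabled }}`, `{{- else }}`, `{{- end }}`, here and in the SPRING_DATASOURCE_URL hunk below.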
@@ -71,23 +80,23 @@ spec: - name: DGC_GATEWAY_CONNECTOR_TLS_TRUST_STORE_PATH value: {{ .Values.gateway.connector.tls_trust_store.path }} - name: DGC_GATEWAY_CONNECTOR_TLS_TRUST_STORE_PASSWORD - value: {{ .Values.gateway.connector.tls_trust_store.password }} + value: {{ .Values.gateway.connector.tls_trust_store.password | quote }} - name: DGC_GATEWAY_CONNECTOR_TLS_TRUST_STORE_ALIAS value: {{ .Values.gateway.connector.tls_trust_store.alias }} - name: DGC_GATEWAY_CONNECTOR_TLS_KEY_STORE_PATH value: {{ .Values.gateway.connector.tls_key_store.path }} - name: DGC_GATEWAY_CONNECTOR_TLS_KEY_STORE_PASSWORD - value: {{ .Values.gateway.connector.tls_key_store.password }} + value: {{ .Values.gateway.connector.tls_key_store.password | quote }} - name: DGC_GATEWAY_CONNECTOR_TLS_KEY_STORE_ALIAS value: {{.Values.gateway.connector.tls_key_store.alias }} - name: DGC_GATEWAY_CONNECTOR_TRUST_ANCHOR_PATH value: {{ .Values.gateway.connector.trust_anchor.path }} - name: DGC_GATEWAY_CONNECTOR_TRUST_ANCHOR_PASSWORD - value: {{ .Values.gateway.connector.trust_anchor.password }} + value: {{ .Values.gateway.connector.trust_anchor.password | quote }} - name: DGC_GATEWAY_CONNECTOR_TRUST_ANCHOR_ALIAS value: {{ .Values.gateway.connector.trust_anchor.alias }} - name: DGC_GATEWAY_CONNECTOR_ENABLED - value: {{ .Values.gateway.connector.enabled |quote }} + value: {{ .Values.gateway.connector.enabled | quote }} - name: DGC_GATEWAY_CONNECTOR_ENDPOINT value: {{ .Values.gateway.connector.endpoint }} volumeMounts: diff --git a/k8s/helm/tngkds/charts/tngkds-backend/templates/secrets.yml b/k8s/helm/tngkds/charts/tngkds-backend/templates/secrets.yml deleted file mode 100644 index eead9f3..0000000 --- a/k8s/helm/tngkds/charts/tngkds-backend/templates/secrets.yml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "tngkds-backend.fullname" . }}-secret -stringData: - pgUser: "postgres" - pgPassword: "postgres" 
diff --git a/k8s/helm/tngkds/charts/tngkds-backend/values.yaml b/k8s/helm/tngkds/charts/tngkds-backend/values.yaml index a8646a9..69ba80c 100644 --- a/k8s/helm/tngkds/charts/tngkds-backend/values.yaml +++ b/k8s/helm/tngkds/charts/tngkds-backend/values.yaml 
@@ -1,138 +1,144 @@ -# Default values for tngkds-backend. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -replicaCount: 1 - -image: - # Create this image before your local installing with: "docker build -t kds:0.0.1" and load - # this image into your local minikube cluster with: "minikube image load kds:0.0.1" - repository: ghcr.io/worldhealthorganization/tng-key-distribution/tng-key-distribution - pullPolicy: IfNotPresent - # Overrides the image tag whose default is the chart appVersion. - tag: "0.0.1-d890889" #"0.0.1-2840d04" - -#kubectl -n create secret docker-registry --docker-server=ghcr.io --docker-username= --docker-password= --docker-email= -o yaml -#kubectl -n kds create secret docker-registry tng-distribution-pull-secret --docker-server=ghcr.io --docker-username=anonymous --docker-password= --docker-email=anonymous@example.com -o yaml -imagePullSecrets: tng-distribution-pull-secret -nameOverride: "" -fullnameOverride: "" - -# Liquibase -liquibaseImage: - repository: ghcr.io/worldhealthorganization/tng-key-distribution/tngkds-liquibase - tag: "0.0.1" - -serviceAccount: - # Specifies whether a service account should be created - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. 
- # If not set and create is true, a name is generated using the fullname template - name: "" - -podAnnotations: {} - -podSecurityContext: {} - # fsGroup: 2000 - -securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 - -service: - type: NodePort - ports: - - name: http - port: 8080 - targetPort: 8080 - nodePort: 30166 - protocol: TCP - -ingress: - enabled: false - className: "" - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: chart-example.local - paths: - - path: / - pathType: ImplementationSpecific - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
- # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 100 - targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 - -nodeSelector: {} - -tolerations: [] - -affinity: {} - -# Postgres -psql: - serviceName: postgres - port: 5432 - dbName: postgres - cluster: svc.cluster.local - -# ConfigMap -configMap: - data: - host: localhost - dbName: postgres - -# Spring -spring: - profile: cloud - -# Server port -server: - port: 8080 - -# Smart TN Gateway -gateway: - connector: - enabled: true - endpoint: - proxy: - enabled: false - max-cache-age: 300 - tls_trust_store: #CA of TNG Gateway of TLS certificate - alias: - password: - path: - tls_key_store: # client cert key pair of participant - alias: - password: - path: - trust_anchor: # TA pem file of TNG that was used for signing - alias: - password: - path: +# Default values for tngkds-backend. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +image: + # Create this image before your local installing with: "docker build -t kds:0.0.1" and load + # this image into your local minikube cluster with: "minikube image load kds:0.0.1" + repository: ghcr.io/worldhealthorganization/tng-key-distribution/tng-key-distribution + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. 
+ tag: "0.0.1-d890889" #"0.0.1-2840d04" + +#kubectl -n create secret docker-registry --docker-server=ghcr.io --docker-username= --docker-password= --docker-email= -o yaml +#kubectl -n kds create secret docker-registry tng-distribution-pull-secret --docker-server=ghcr.io --docker-username=anonymous --docker-password= --docker-email=anonymous@example.com -o yaml +imagePullSecrets: tng-distribution-pull-secret +nameOverride: "" +fullnameOverride: "" + +# Liquibase +liquibaseImage: + repository: ghcr.io/worldhealthorganization/tng-key-distribution/tng-key-distribution-initcontainer + tag: + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} + +podSecurityContext: + {} + # fsGroup: 2000 + +securityContext: + {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +service: + type: NodePort + ports: + - name: http + port: 8080 + targetPort: 8080 + nodePort: 30166 + protocol: TCP + +ingress: + enabled: false + className: "" + annotations: + {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: + {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# Postgres +psql: + serviceName: postgres + port: 5432 + dbName: postgres + cluster: svc.cluster.local + username: + password: + +# ConfigMap +# configMap: +# data: +# host: localhost +# dbName: postgres + +# Spring +spring: + profile: cloud + +# Server port +server: + port: 8080 + +# Smart TN Gateway +gateway: + connector: + enabled: true + endpoint: + proxy: + enabled: false + max-cache-age: 300 + tls_trust_store: #CA of TNG Gateway of TLS certificate + alias: + password: + path: + tls_key_store: # client cert key pair of participant + alias: + password: + path: + trust_anchor: # TA pem file of TNG that was used for signing + alias: + password: + path: diff --git a/k8s/helm/tngkds/charts/tngkds-postgres/templates/configmap.yml b/k8s/helm/tngkds/charts/tngkds-postgres/templates/configmap.yml index 34d2e43..bf656fc 100644 --- a/k8s/helm/tngkds/charts/tngkds-postgres/templates/configmap.yml +++ b/k8s/helm/tngkds/charts/tngkds-postgres/templates/configmap.yml @@ -1,7 +1,10 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "tngkds-postgres.fullname" . }}-cfg -data: - host: "{{ .Values.configMap.data.host }}" - dbname: "{{ .Values.configMap.data.dbName }}" +{{- if .Values.asPod.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "tngkds-postgres.fullname" . }}-cfg + namespace: {{ .Release.Namespace }} +data: + host: "{{ .Values.configMap.data.host }}" + dbname: "{{ .Values.configMap.data.dbName }}" +{{- end }} diff --git a/k8s/helm/tngkds/charts/tngkds-postgres/templates/deployment.yaml b/k8s/helm/tngkds/charts/tngkds-postgres/templates/deployment.yaml index 5745ff2..e13ecd8 100644 
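Review bot: `liquibaseImage.tag:` is left bare, which is YAML null, and deployment.yaml interpolates it as `"{{ .Values.liquibaseImage.repository }}:{{ .Values.liquibaseImage.tag }}"`, so the init container image resolves to `.../tng-key-distribution-initcontainer:` with an empty tag and cannot be pulled; set a quoted tag here or default it in the template. `psql.asPod` is not declared in this values file although deployment.yaml now tests `.Values.psql.asPod.enabled`, which errors on a nil `asPod` rather than treating it as false unless the parent values supply it; add `asPod:` / `  enabled: false` under `psql`. The new bare `username:` / `password:` keys are fine as placeholders, but since they end up in container env they should be marked as secrets to be supplied at install time, not defaulted in the chart.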
--- a/k8s/helm/tngkds/charts/tngkds-postgres/templates/deployment.yaml +++ b/k8s/helm/tngkds/charts/tngkds-postgres/templates/deployment.yaml 
@@ -1,49 +1,52 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "tngkds-postgres.fullname" . }} - labels: - {{- include "tngkds-postgres.labels" . | nindent 4 }} - tier: database -spec: - selector: - matchLabels: - {{- include "tngkds-postgres.selectorLabels" . | nindent 6 }} - strategy: - type: Recreate - template: - metadata: - labels: - {{- include "tngkds-postgres.labels" . | nindent 8 }} - tier: database - spec: - containers: - - name: postgres - image: postgres - imagePullPolicy: "IfNotPresent" - env: - - name: POSTGRES_USER - valueFrom: - secretKeyRef: - name: {{ include "tngkds-postgres.fullname" . }}-secret - key: pgUser - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "tngkds-postgres.fullname" . }}-secret - key: pgPassword - - name: POSTGRES_DB - valueFrom: - configMapKeyRef: - name: {{ include "tngkds-postgres.fullname" . }}-cfg - key: dbname - ports: - - containerPort: 5432 - name: postgres - volumeMounts: - - mountPath: /var/lib/postgresql/kds/data - name: postgres-persistance-storage - volumes: - - name: postgres-persistance-storage - persistentVolumeClaim: - claimName: {{ include "tngkds-postgres.fullname" . }}-pv-claim +{{- if .Values.asPod.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "tngkds-postgres.fullname" . }} + labels: + {{- include "tngkds-postgres.labels" . | nindent 4 }} + tier: database + namespace: {{ .Release.Namespace }} +spec: + selector: + matchLabels: + {{- include "tngkds-postgres.selectorLabels" . | nindent 6 }} + strategy: + type: Recreate + template: + metadata: + labels: + {{- include "tngkds-postgres.labels" . | nindent 8 }} + tier: database + spec: + containers: + - name: postgres + image: postgres + imagePullPolicy: "IfNotPresent" + env: + - name: POSTGRES_USER + valueFrom: + secretKeyRef: + name: {{ include "tngkds-postgres.fullname" . 
}}-secret + key: pgUser + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "tngkds-postgres.fullname" . }}-secret + key: pgPassword + - name: POSTGRES_DB + valueFrom: + configMapKeyRef: + name: {{ include "tngkds-postgres.fullname" . }}-cfg + key: dbname + ports: + - containerPort: 5432 + name: postgres + volumeMounts: + - mountPath: /var/lib/postgresql/kds/data + name: postgres-persistance-storage + volumes: + - name: postgres-persistance-storage + persistentVolumeClaim: + claimName: {{ include "tngkds-postgres.fullname" . }}-pv-claim +{{- end }} diff --git a/k8s/helm/tngkds/charts/tngkds-postgres/templates/pv-claim.yaml b/k8s/helm/tngkds/charts/tngkds-postgres/templates/pv-claim.yaml index 6a6bd21..c3c4d34 100644 --- a/k8s/helm/tngkds/charts/tngkds-postgres/templates/pv-claim.yaml +++ b/k8s/helm/tngkds/charts/tngkds-postgres/templates/pv-claim.yaml @@ -1,13 +1,16 @@ -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: {{ include "tngkds-postgres.fullname" . }}-pv-claim - labels: - {{- include "tngkds-postgres.labels" . | nindent 4 }} - tier: database -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi +{{- if .Values.asPod.enabled }} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ include "tngkds-postgres.fullname" . }}-pv-claim + labels: + {{- include "tngkds-postgres.labels" . | nindent 4 }} + tier: database + namespace: {{ .Release.Namespace }} +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi +{{- end }} diff --git a/k8s/helm/tngkds/charts/tngkds-postgres/templates/secrets.yml b/k8s/helm/tngkds/charts/tngkds-postgres/templates/secrets.yml index 1720e47..32bfca0 100644 --- a/k8s/helm/tngkds/charts/tngkds-postgres/templates/secrets.yml +++ b/k8s/helm/tngkds/charts/tngkds-postgres/templates/secrets.yml 
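Review bot: The persistent volume is mounted at `/var/lib/postgresql/kds/data`, but no `PGDATA` env is set; the official postgres image defaults PGDATA to `/var/lib/postgresql/data`, so the cluster files are written to the container's ephemeral layer and the PVC stays empty (unless the image in use sets PGDATA differently). Add `- name: PGDATA` / `  value: /var/lib/postgresql/kds/data` to the env list, or mount the claim at the image's default path. `image: postgres` is also untagged, so each pull takes whatever `latest` is at that moment, which is a risky default for a database; pin at least a major-version tag.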
@@ -1,7 +1,10 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "tngkds-postgres.fullname" . }}-secret
-stringData:
- pgUser: "postgres"
- pgPassword: "postgres"
+{{- if .Values.asPod.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "tngkds-postgres.fullname" . }}-secret
+ namespace: {{ .Release.Namespace }}
+stringData:
+ pgUser: {{ .Values.dbuser | quote }}
+ pgPassword: {{ .Values.dbpassword | quote }}
+{{- end }}
diff --git a/k8s/helm/tngkds/charts/tngkds-postgres/templates/service.yaml b/k8s/helm/tngkds/charts/tngkds-postgres/templates/service.yaml
index e6fcc29..5f28c27 100644
--- a/k8s/helm/tngkds/charts/tngkds-postgres/templates/service.yaml
+++ b/k8s/helm/tngkds/charts/tngkds-postgres/templates/service.yaml
@@ -1,16 +1,19 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: postgres
- labels:
- {{- include "tngkds-postgres.labels" . | nindent 4 }}
- tier: database
-spec:
- type: NodePort
- ports:
- {{ range .Values.service.ports }}
- - port: {{ .port }}
- {{ end }}
- selector:
- {{- include "tngkds-postgres.selectorLabels" . | nindent 4 }}
- tier: database
+{{- if .Values.asPod.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: postgres
+ labels:
+ {{- include "tngkds-postgres.labels" . | nindent 4 }}
+ tier: database
+ namespace: {{ .Release.Namespace }}
+spec:
+ type: NodePort
+ ports:
+ {{ range .Values.service.ports }}
+ - port: {{ .port }}
+ {{ end }}
+ selector:
+ {{- include "tngkds-postgres.selectorLabels" . | nindent 4 }}
+ tier: database
+{{- end }}
diff --git a/k8s/helm/tngkds/charts/tngkds-postgres/values.yaml b/k8s/helm/tngkds/charts/tngkds-postgres/values.yaml
index 2b66f43..4561a40 100644
--- a/k8s/helm/tngkds/charts/tngkds-postgres/values.yaml
+++ b/k8s/helm/tngkds/charts/tngkds-postgres/values.yaml
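Review bot: `pgUser: {{ .Values.dbuser | quote }}` and `pgPassword: {{ .Values.dbpassword | quote }}` render as `""` when the values are left at the chart default (`dbuser:` and `dbpassword:` are bare null keys in the subchart's values.yaml), so the Secret is created with empty credentials and the problem only surfaces when the postgres container starts. Fail at template time instead: `pgPassword: {{ required "tngkds-postgres.dbpassword must be set" .Values.dbpassword | quote }}`, and the same for `dbuser`. Dropping the hard-coded `postgres`/`postgres` pair is the right direction; the `required` guard keeps it from regressing into an empty-password default.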
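Review bot: The new side keeps `type: NodePort` for the database Service, which publishes port 5432 on every node's address, while the only consumer visible in this series is the backend in the same cluster (the root values.yaml resolves it through `svc.cluster.local`). `type: ClusterIP` is sufficient here and removes the node-level exposure; if NodePort is wanted for local debugging, make it `type: {{ .Values.service.type }}` with `ClusterIP` as the default. Note also that the Service name is hard-coded as `postgres` while the backend has its own `psql.serviceName` value, so the two must be kept aligned by hand.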
@@ -1,89 +1,95 @@ -# Default values for tngkds-postgres. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -replicaCount: 1 - -image: - repository: nginx - pullPolicy: IfNotPresent - # Overrides the image tag whose default is the chart appVersion. - tag: "" - -imagePullSecrets: [] -nameOverride: "" -fullnameOverride: "" - -serviceAccount: - # Specifies whether a service account should be created - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" - -podAnnotations: {} - -podSecurityContext: {} - # fsGroup: 2000 - -securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 - -service: - type: NodePort - ports: - - port: 5432 - -ingress: - enabled: false - className: "" - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: chart-example.local - paths: - - path: / - pathType: ImplementationSpecific - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
- # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 100 - targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 - -nodeSelector: {} - -tolerations: [] - -affinity: {} - -# ConfigMap -configMap: - data: - host: localhost - dbName: postgres +# Default values for tngkds-postgres. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +image: + repository: nginx + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "" + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} + +podSecurityContext: + {} + # fsGroup: 2000 + +securityContext: + {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +service: + type: NodePort + ports: + - port: 5432 + +ingress: + enabled: false + className: "" + annotations: + {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: + {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# ConfigMap +configMap: + data: + host: localhost + dbName: postgres +dbuser: +dbpassword: diff --git a/k8s/helm/tngkds/values.yaml b/k8s/helm/tngkds/values.yaml index a57c952..e74eb06 100644 --- a/k8s/helm/tngkds/values.yaml +++ b/k8s/helm/tngkds/values.yaml @@ -1,13 +1,27 @@ -# Default values for tngkds. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -tngkds-postgres: - enabled: true - path: /()(*) - port: 5432 - -tngkds-backend: - enabled: true - path: /()(*) - port: 8080 +# Default values for tngkds. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +tngkds-postgres: + path: /()(*) + port: 5432 + + asPod: + enabled: false # run db as Service or Pod,set in conjunction with tngkds-backend + +tngkds-backend: + image: + tag: + liquibaseImage: + tag: + path: /()(*) + port: 8080 + psql: + serviceName: postgresql-d01.postgres.database.azure.com + port: 5432 + dbName: kdsdb + cluster: svc.cluster.local # will be used if db is running as Pod + username: + password: + asPod: + enabled: false # run db as Service or Pod,set in conjunction with tngkds-postgres From caec9d46387401006d293673cbd3d7539db05549 Mon Sep 17 00:00:00 2001 From: Andreas Scheibal Date: Wed, 27 Mar 2024 00:12:33 +0100 Subject: [PATCH 04/11] fix: add gateway section --- k8s/helm/tngkds/values.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/k8s/helm/tngkds/values.yaml b/k8s/helm/tngkds/values.yaml index e74eb06..1544a3c 100644 --- a/k8s/helm/tngkds/values.yaml +++ b/k8s/helm/tngkds/values.yaml 
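Review bot: `dbuser:` and `dbpassword:` at the end of the file are bare keys, which YAML reads as null rather than an empty string, and nothing in the file says they are mandatory or where they are expected to come from. Write them explicitly and state the contract, e.g. `dbuser: ""  # required when asPod.enabled; supply at install time (--set / values file)` and the same for `dbpassword`. The rest of the new side still carries the scaffold defaults `image.repository: nginx` and `tag: ""`, which this chart's deployment template does not read; either wire them into the template or drop them so the values file is not misleading.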
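Review bot: `asPod.enabled: false` now has to be set identically under both `tngkds-postgres` and `tngkds-backend`, and the only guard is the comment `set in conjunction`; a single `global.asPod.enabled` value read as `.Values.global.asPod.enabled` in both subcharts removes that drift. `tag:`, `username:` and `password:` under `tngkds-backend` are bare keys (null), so a render without overrides yields an image reference with an empty tag and empty credentials; write `""` and mark them required in a comment, or guard them with `required` in the templates. `psql.serviceName: postgresql-d01.postgres.database.azure.com` is an environment-specific hostname committed as the chart default; keep the default generic and move this to an environment values file.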
@@ -25,3 +25,22 @@ tngkds-backend:
 password:
 asPod:
 enabled: false # run db as Service or Pod,set in conjunction with tngkds-postgres
+ gateway:
+ connector:
+ enabled: true
+ endpoint:
+ proxy:
+ enabled: false
+ max-cache-age: 300
+ tls_trust_store: #CA of TNG Gateway of TLS certificate
+ alias: tng-tls-server-certificate
+ password:
+ path: /certs/tng_tls_server_truststore.p12
+ tls_key_store: # client cert key pair of participant
+ alias: clientcredentials
+ password:
+ path: /certs/tls_key_store.p12
+ trust_anchor: # TA pem file of TNG that was used for signing
+ alias: trustanchor
+ password:
+ path: /certs/trustanchor_store.jks
From efdde0754c05e359406c9e7ff9d598b309e1856f Mon Sep 17 00:00:00 2001
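Review bot: The three `password:` keys and `endpoint:` are bare (null) with no indication of whether they are required or how they reach the pod; the enclosing `tngkds-backend:` mapping starts outside the hunk. Write them as `password: ""` with a comment such as `# required; inject from a Kubernetes Secret at deploy time`, so that key-store passwords are never expected to live in this values file. Key naming also mixes styles within one stanza (`max-cache-age`, `tls_trust_store`, `endpoint`), and the inline comment `#CA of TNG Gateway of TLS certificate` lacks the space after `#` and reads as if it described a certificate rather than a trust store — `# trust store holding the CA of the TNG Gateway TLS certificate`.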
From: Felix Dittrich Date: Thu, 18 Apr 2024 16:40:57 +0200 Subject: [PATCH 05/11] Add DID Export --- .gitignore | 2 + certs/PlaceYourGatewayAccessKeysHere.md | 28 ++ pom.xml | 26 +- .../KeyDistributionServiceApplication.java | 2 +- .../clients/UniversalResolverClient.java | 20 ++ .../UniversalResolverClientConfig.java | 20 ++ .../keydistribution/config/ErrorHandler.java | 2 +- .../config/KdsConfigProperties.java | 46 ++- .../keydistribution/config/OpenApiConfig.java | 20 ++ .../config/SchedulerConfig.java | 2 +- .../config/ShedLockConfig.java | 2 +- .../keydistribution/dto/TrustedIssuerDto.java | 4 +- .../entity/DecentralizedIdentifierEntity.java | 20 ++ .../entity/EcPublicKeyJwkEntity.java | 20 ++ .../keydistribution/entity/InfoEntity.java | 2 +- .../entity/PublicKeyJwkEntity.java | 20 ++ .../entity/RsaPublicKeyJwkEntity.java | 20 ++ .../entity/ShedlockEntity.java | 2 +- .../entity/SignerInformationEntity.java | 2 +- .../entity/TrustedIssuerEntity.java | 2 +- .../entity/TrustedPartyEntity.java | 2 +- .../entity/VerificationMethodEntity.java | 20 ++ .../exception/BadRequestException.java | 2 +- .../keydistribution/mapper/DidMapper.java | 20 ++ .../keydistribution/mapper/IssuerMapper.java | 4 +- .../keydistribution/model/DidContext.java | 20 ++ .../keydistribution/model/DidDocument.java | 20 ++ .../keydistribution/model/EcPublicKeyJwk.java | 20 ++ .../model/JwkVerificationMethod.java | 20 ++ .../keydistribution/model/Proof.java | 20 ++ .../keydistribution/model/PublicKeyJwk.java | 20 ++ .../model/RsaPublicKeyJwk.java | 20 ++ .../keydistribution/model/StringOrObject.java | 20 ++ .../model/StringOrObjectDeserializer.java | 20 ++ .../model/VerificationMethod.java | 22 +- .../model/VerificationMethodModel.java | 20 ++ .../model/VerificationMethodReference.java | 20 ++ .../DecentralizedIdentifierRepository.java | 20 ++ .../repository/InfoRepository.java | 2 +- .../repository/PublicKeyJwkRepository.java | 20 ++ .../SignerInformationRepository.java | 9 +- 
.../repository/TrustedIssuerRepository.java | 4 +- .../repository/TrustedPartyRepository.java | 5 +- .../VerificationMethodRepository.java | 20 ++ .../restapi/controller/ContextController.java | 2 +- .../SignerInformationController.java | 2 +- .../controller/TrustedIssuerController.java | 2 +- .../CertificatesLookupResponseItemDto.java | 20 ++ .../restapi/dto/DeltaListDto.java | 20 ++ .../keydistribution/restapi/dto/KidDto.java | 2 +- .../restapi/dto/ProblemReportDto.java | 2 +- .../DecentralizedIdentifierService.java | 27 +- .../keydistribution/service/InfoService.java | 2 +- .../SignerCertificateDownloadService.java | 2 +- .../service/SignerInformationService.java | 57 +++- .../service/TrustedIssuerDownloadService.java | 4 +- .../service/TrustedIssuerService.java | 18 +- .../service/TrustedPartyService.java | 7 +- .../service/UniversalResolverService.java | 20 ++ .../service/did/DidTrustListService.java | 306 ++++++++++++++++++ .../service/did/DidUploader.java | 29 ++ .../service/did/DummyByteSigner.java | 42 +++ .../service/did/DummyDidUploader.java | 42 +++ .../service/did/LocalFileDidUploader.java | 87 +++++ .../service/did/LocalKeystoreByteSigner.java | 76 +++++ .../service/did/entity/DidTrustList.java | 41 +++ .../service/did/entity/DidTrustListEntry.java | 121 +++++++ src/main/resources/application.yml | 38 ++- .../db/changelog/add-trusted-party-table.yaml | 1 + src/main/resources/did_contexts/did_v1.json | 58 ++++ .../resources/did_contexts/jws-2020_v1.json | 82 +++++ .../keydistribution/OpenApiTest.java | 20 ++ .../ContextControllerIntegrationTest.java | 21 ++ ...trollerWithEnvironmentIntegrationTest.java | 21 ++ .../SignerInformationIntegrationTest.java | 17 +- .../TrustedIssuerIntegrationTest.java | 3 +- .../DecentralizedIdentifierServiceTest.java | 20 ++ .../service/DidTrustListServiceTest.java | 282 ++++++++++++++++ .../service/InfoServiceTest.java | 4 +- .../SignerCertificateDownloadServiceTest.java | 26 +- 
.../service/SignerInformationServiceTest.java | 2 +- .../TrustedIssuerDownloadServiceTest.java | 26 +- .../service/TrustedPartyServiceTest.java | 25 +- .../service/UniversalResolverServiceTest.java | 20 ++ .../testdata/CertificateTestUtils.java | 178 ++++++++++ .../testdata/SignerInformationTestHelper.java | 6 +- .../testdata/TrustedIssuerTestHelper.java | 23 +- src/test/resources/application.yml | 35 +- 88 files changed, 2366 insertions(+), 105 deletions(-) create mode 100644 src/main/java/tng/trustnetwork/keydistribution/service/did/DidTrustListService.java create mode 100644 src/main/java/tng/trustnetwork/keydistribution/service/did/DidUploader.java create mode 100644 src/main/java/tng/trustnetwork/keydistribution/service/did/DummyByteSigner.java create mode 100644 src/main/java/tng/trustnetwork/keydistribution/service/did/DummyDidUploader.java create mode 100644 src/main/java/tng/trustnetwork/keydistribution/service/did/LocalFileDidUploader.java create mode 100644 src/main/java/tng/trustnetwork/keydistribution/service/did/LocalKeystoreByteSigner.java create mode 100644 src/main/java/tng/trustnetwork/keydistribution/service/did/entity/DidTrustList.java create mode 100644 src/main/java/tng/trustnetwork/keydistribution/service/did/entity/DidTrustListEntry.java create mode 100644 src/main/resources/did_contexts/did_v1.json create mode 100644 src/main/resources/did_contexts/jws-2020_v1.json create mode 100644 src/test/java/tng/trustnetwork/keydistribution/service/DidTrustListServiceTest.java create mode 100644 src/test/java/tng/trustnetwork/keydistribution/testdata/CertificateTestUtils.java diff --git a/.gitignore b/.gitignore index 884883e..ae5f491 100644 --- a/.gitignore +++ b/.gitignore @@ -4,6 +4,8 @@ target/ !**/src/main/** !**/src/test/** +application-local.yml + ### STS ### .apt_generated .classpath diff --git a/certs/PlaceYourGatewayAccessKeysHere.md b/certs/PlaceYourGatewayAccessKeysHere.md index f181094..649a702 100644 
--- a/certs/PlaceYourGatewayAccessKeysHere.md +++ b/certs/PlaceYourGatewayAccessKeysHere.md @@ -29,3 +29,31 @@ Create a pkcs12 KeyStore from the TLS.pem and TLS.key: ``` openssl pkcs12 -export -out tls_key_store.p12 -inkey TLS.key -in TLS.pem -passout pass:dgcg-p4ssw0rd -name clientcredentials ``` + +# How to setup signing material for DID Signing + +KDS is able to provide a DID-Document holding the downloaded keys. The DID-Document will be signed by a private key provided in a KeyStore. + +Generate Private Key (Choose another Curve depending your needs) + +``` +openssl ecparam -name prime256v1 -genkey -noout -out did-signer.pem +``` + +Convert PEM-File to KeyStore + +``` +openssl pkcs12 -export -out did-signer.p12 -inkey did-signer.pem -nocerts -passout pass:secure-password -name did-signer +``` + +This will result in a KeyStore (P12) containing the previously generated private key stored with alias "did-signer" and secured with password "secure-password" + +```yaml +dgc: + did: + didUploadProvider: local-file + localKeyStore: + alias: did-signer + password: secure-password + path: ./did-signer.p12 +``` diff --git a/pom.xml b/pom.xml index ece58b6..37e5123 100644 --- a/pom.xml +++ b/pom.xml @@ -8,7 +8,7 @@ org.springframework.cloud spring-cloud-starter-parent - 2023.0.0 + 2023.0.1 tng.trustnetwork.keydistribution @@ -35,6 +35,7 @@ 2.1.0 1.5.5.Final 5.12.0 + 1.77 3.3.0 0.8.10 @@ -115,6 +116,10 @@ who-github https://maven.pkg.github.com/${github.organization}/* + + danubetech-maven-public + https://repo.danubetech.com/repository/maven-public/ + @@ -135,12 +140,11 @@ org.springframework spring-web - 6.1.5 + 6.1.6 org.springframework.boot spring-boot-starter-web - org.springframework.boot @@ -206,6 +210,22 @@ shedlock-spring ${shedlock.version} + + org.bouncycastle + bcpkix-jdk18on + ${bcpkix.version} + + + info.weboftrust + ld-signatures-java + 1.1.0 + + + org.bitcoinj + bitcoinj-core + + + 
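Review bot: The new repository `danubetech-maven-public` at `https://repo.danubetech.com/repository/maven-public/` is added as a general resolution source, so Maven may fetch any artifact from it, not only `info.weboftrust:ld-signatures-java:1.1.0`, and the build's dependency set now rests on a third party's hosting. Route it through the organisation's repository manager where one exists, and at minimum add a comment next to the repository entry stating which artifact needs it so it can be removed when that changes; if the build has a checksum or dependency-verification mechanism, record the resolved artifacts there so a changed artifact fails the build. The `bitcoinj-core` exclusion is reasonable; a one-line comment saying it is unused transitive weight would save the next reader the lookup.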
diff --git a/src/main/java/tng/trustnetwork/keydistribution/KeyDistributionServiceApplication.java b/src/main/java/tng/trustnetwork/keydistribution/KeyDistributionServiceApplication.java index 65bcac8..dd4b75e 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/KeyDistributionServiceApplication.java +++ b/src/main/java/tng/trustnetwork/keydistribution/KeyDistributionServiceApplication.java @@ -2,7 +2,7 @@ * ---license-start * WorldHealthOrganization / tng-key-distribution * --- - * Copyright (C) 2021 T-Systems International GmbH and all other contributors + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors * --- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/main/java/tng/trustnetwork/keydistribution/clients/UniversalResolverClient.java b/src/main/java/tng/trustnetwork/keydistribution/clients/UniversalResolverClient.java index f1a1822..c32a99b 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/clients/UniversalResolverClient.java +++ b/src/main/java/tng/trustnetwork/keydistribution/clients/UniversalResolverClient.java 
@@ -1,3 +1,23 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + package tng.trustnetwork.keydistribution.clients; import org.springframework.cloud.openfeign.FeignClient; diff --git a/src/main/java/tng/trustnetwork/keydistribution/clients/UniversalResolverClientConfig.java b/src/main/java/tng/trustnetwork/keydistribution/clients/UniversalResolverClientConfig.java index 16fab5d..cb034e0 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/clients/UniversalResolverClientConfig.java +++ b/src/main/java/tng/trustnetwork/keydistribution/clients/UniversalResolverClientConfig.java 
@@ -1,3 +1,23 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + package tng.trustnetwork.keydistribution.clients; import feign.Client; diff --git a/src/main/java/tng/trustnetwork/keydistribution/config/ErrorHandler.java b/src/main/java/tng/trustnetwork/keydistribution/config/ErrorHandler.java index dbe4f21..9f19f45 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/config/ErrorHandler.java +++ b/src/main/java/tng/trustnetwork/keydistribution/config/ErrorHandler.java @@ -2,7 +2,7 @@ * ---license-start * WorldHealthOrganization / tng-key-distribution * --- - * Copyright (C) 2021 T-Systems International GmbH and all other contributors + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors * --- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/main/java/tng/trustnetwork/keydistribution/config/KdsConfigProperties.java b/src/main/java/tng/trustnetwork/keydistribution/config/KdsConfigProperties.java index ef26918..e09b3e3 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/config/KdsConfigProperties.java +++ b/src/main/java/tng/trustnetwork/keydistribution/config/KdsConfigProperties.java 
@@ -2,7 +2,7 @@ * ---license-start * WorldHealthOrganization / tng-key-distribution * --- - * Copyright (C) 2021 T-Systems International GmbH and all other contributors + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors * --- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -20,9 +20,12 @@ package tng.trustnetwork.keydistribution.config; +import eu.europa.ec.dgc.gateway.connector.config.DgcGatewayConnectorConfigProperties; import eu.europa.ec.dgc.gateway.connector.model.TrustedIssuer; import java.util.ArrayList; +import java.util.HashMap; import java.util.List; +import java.util.Map; import lombok.AllArgsConstructor; import lombok.Getter; import lombok.Setter; @@ -33,12 +36,13 @@ @ConfigurationProperties("dgc") //TODO separate kds and dgc-lib properties public class KdsConfigProperties { - private List staticTrustedIssuer = new ArrayList<>(); private final CertificatesDownloader certificatesDownloader = new CertificatesDownloader(); private final TrustedIssuerDownloader trustedIssuerDownloader = new TrustedIssuerDownloader(); + private final DidConfig did = new DidConfig(); + private String context = ""; /** @@ -60,6 +64,8 @@ public static class TrustedIssuerDownloader { private boolean enabled; private Integer timeInterval; private Integer lockLimit; + private List staticTrustedIssuer = new ArrayList<>(); + private boolean enableTrustedIssuerResolving = false; } @Getter 
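Review bot: `staticTrustedIssuer` moves from `KdsConfigProperties` into `TrustedIssuerDownloader` (hunks `@@ -33,12 +36,13 @@` and `@@ -60,6 +64,8 @@`), which under `@ConfigurationProperties("dgc")` changes the bound key from `dgc.staticTrustedIssuer` to `dgc.trustedIssuerDownloader.staticTrustedIssuer`; existing deployments that still set the old key will silently lose their static issuers rather than fail. Add the rename to the changelog or README, and consider a startup warning when the old key is present. A one-line comment on `enableTrustedIssuerResolving` saying what resolving does and that it defaults to off would also help, since the flag is new and the class carries no description of it.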
@@ -85,4 +91,40 @@ public static class Proxy { private int port; } + @Getter + @Setter + public static class DidConfig { + + private Boolean enableDidGeneration; + + private String didId; + private String didController; + + private String trustListIdPrefix; + private String trustListControllerPrefix; + + private String ldProofVerificationMethod; + private String ldProofDomain; + private String ldProofNonce; + + private String didSigningProvider; + private String didUploadProvider; + + private Map contextMapping = new HashMap<>(); + private Map virtualCountries = new HashMap<>(); + + private LocalFileConfig localFile = new LocalFileConfig(); + + private DgcGatewayConnectorConfigProperties.KeyStoreWithAlias localKeyStore = + new DgcGatewayConnectorConfigProperties.KeyStoreWithAlias(); + + @Getter + @Setter + public static class LocalFileConfig { + private String fileName; + private String directory; + } + + } + } diff --git a/src/main/java/tng/trustnetwork/keydistribution/config/OpenApiConfig.java b/src/main/java/tng/trustnetwork/keydistribution/config/OpenApiConfig.java index 51d05bb..f371ec8 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/config/OpenApiConfig.java +++ b/src/main/java/tng/trustnetwork/keydistribution/config/OpenApiConfig.java 
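Review bot: `private Boolean enableDidGeneration;` in `DidConfig` is a boxed flag with no default, unlike the primitive `boolean` flags elsewhere in this class, so any unboxing check on it throws when the property is absent; `private boolean enableDidGeneration = false;` matches the file's convention. `ldProofNonce` is configured as a single static string; if it is applied as the proof nonce of every generated document, the nonce no longer provides freshness — confirm how `DidTrustListService` uses it and either generate it per signing run or document that a fixed value is intended. `localKeyStore` carries a key-store password under `dgc.did.localKeyStore.password`; a comment noting that it is meant to be supplied via environment or secret rather than committed configuration would set expectations for deployers.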
@@ -1,3 +1,23 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + package tng.trustnetwork.keydistribution.config; import io.swagger.v3.oas.models.OpenAPI; diff --git a/src/main/java/tng/trustnetwork/keydistribution/config/SchedulerConfig.java b/src/main/java/tng/trustnetwork/keydistribution/config/SchedulerConfig.java index 0c6424b..c98d2fd 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/config/SchedulerConfig.java +++ b/src/main/java/tng/trustnetwork/keydistribution/config/SchedulerConfig.java @@ -2,7 +2,7 @@ * ---license-start * WorldHealthOrganization / tng-key-distribution * --- - * Copyright (C) 2021 T-Systems International GmbH and all other contributors + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors * --- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/main/java/tng/trustnetwork/keydistribution/config/ShedLockConfig.java b/src/main/java/tng/trustnetwork/keydistribution/config/ShedLockConfig.java index 8539d9e..8f172fc 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/config/ShedLockConfig.java +++ b/src/main/java/tng/trustnetwork/keydistribution/config/ShedLockConfig.java 
@@ -2,7 +2,7 @@ * ---license-start * WorldHealthOrganization / tng-key-distribution * --- - * Copyright (C) 2021 T-Systems International GmbH and all other contributors + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors * --- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/main/java/tng/trustnetwork/keydistribution/dto/TrustedIssuerDto.java b/src/main/java/tng/trustnetwork/keydistribution/dto/TrustedIssuerDto.java index 1c2f0ed..42e9cdf 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/dto/TrustedIssuerDto.java +++ b/src/main/java/tng/trustnetwork/keydistribution/dto/TrustedIssuerDto.java @@ -1,8 +1,8 @@ /*- * ---license-start - * WHO Digital Documentation Covid Certificate Gateway Service / ddcc-gateway + * WorldHealthOrganization / tng-key-distribution * --- - * Copyright (C) 2022 T-Systems International GmbH and all other contributors + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors * --- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/main/java/tng/trustnetwork/keydistribution/entity/DecentralizedIdentifierEntity.java b/src/main/java/tng/trustnetwork/keydistribution/entity/DecentralizedIdentifierEntity.java index a52b2de..445af22 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/entity/DecentralizedIdentifierEntity.java +++ b/src/main/java/tng/trustnetwork/keydistribution/entity/DecentralizedIdentifierEntity.java 
@@ -1,3 +1,23 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + package tng.trustnetwork.keydistribution.entity; import jakarta.persistence.Column; diff --git a/src/main/java/tng/trustnetwork/keydistribution/entity/EcPublicKeyJwkEntity.java b/src/main/java/tng/trustnetwork/keydistribution/entity/EcPublicKeyJwkEntity.java index b5b99d3..80d731a 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/entity/EcPublicKeyJwkEntity.java +++ b/src/main/java/tng/trustnetwork/keydistribution/entity/EcPublicKeyJwkEntity.java 
@@ -1,3 +1,23 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + package tng.trustnetwork.keydistribution.entity; import jakarta.persistence.Column; diff --git a/src/main/java/tng/trustnetwork/keydistribution/entity/InfoEntity.java b/src/main/java/tng/trustnetwork/keydistribution/entity/InfoEntity.java index cbc0d9a..3a190f1 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/entity/InfoEntity.java +++ b/src/main/java/tng/trustnetwork/keydistribution/entity/InfoEntity.java @@ -2,7 +2,7 @@ * ---license-start * WorldHealthOrganization / tng-key-distribution * --- - * Copyright (C) 2022 T-Systems International GmbH and all other contributors + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors * --- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/main/java/tng/trustnetwork/keydistribution/entity/PublicKeyJwkEntity.java b/src/main/java/tng/trustnetwork/keydistribution/entity/PublicKeyJwkEntity.java index 74ad49e..e1ea9f7 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/entity/PublicKeyJwkEntity.java +++ b/src/main/java/tng/trustnetwork/keydistribution/entity/PublicKeyJwkEntity.java 
@@ -1,3 +1,23 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + package tng.trustnetwork.keydistribution.entity; import jakarta.persistence.Column; diff --git a/src/main/java/tng/trustnetwork/keydistribution/entity/RsaPublicKeyJwkEntity.java b/src/main/java/tng/trustnetwork/keydistribution/entity/RsaPublicKeyJwkEntity.java index 89da47e..d463a9b 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/entity/RsaPublicKeyJwkEntity.java +++ b/src/main/java/tng/trustnetwork/keydistribution/entity/RsaPublicKeyJwkEntity.java 
@@ -1,3 +1,23 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + package tng.trustnetwork.keydistribution.entity; import jakarta.persistence.Column; diff --git a/src/main/java/tng/trustnetwork/keydistribution/entity/ShedlockEntity.java b/src/main/java/tng/trustnetwork/keydistribution/entity/ShedlockEntity.java index a4f1544..2e0b209 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/entity/ShedlockEntity.java +++ b/src/main/java/tng/trustnetwork/keydistribution/entity/ShedlockEntity.java @@ -2,7 +2,7 @@ * ---license-start * WorldHealthOrganization / tng-key-distribution * --- - * Copyright (C) 2021 T-Systems International GmbH and all other contributors + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors * --- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/main/java/tng/trustnetwork/keydistribution/entity/SignerInformationEntity.java b/src/main/java/tng/trustnetwork/keydistribution/entity/SignerInformationEntity.java index 78c35fa..ea34352 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/entity/SignerInformationEntity.java 
+++ b/src/main/java/tng/trustnetwork/keydistribution/entity/SignerInformationEntity.java @@ -2,7 +2,7 @@ * ---license-start * WorldHealthOrganization / tng-key-distribution * --- - * Copyright (C) 2021 T-Systems International GmbH and all other contributors + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors * --- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/main/java/tng/trustnetwork/keydistribution/entity/TrustedIssuerEntity.java b/src/main/java/tng/trustnetwork/keydistribution/entity/TrustedIssuerEntity.java index 8311783..5eb8ca0 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/entity/TrustedIssuerEntity.java +++ b/src/main/java/tng/trustnetwork/keydistribution/entity/TrustedIssuerEntity.java @@ -2,7 +2,7 @@ * ---license-start * WorldHealthOrganization / tng-key-distribution * --- - * Copyright (C) 2021 T-Systems International GmbH and all other contributors + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors * --- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/main/java/tng/trustnetwork/keydistribution/entity/TrustedPartyEntity.java b/src/main/java/tng/trustnetwork/keydistribution/entity/TrustedPartyEntity.java index f0c0694..95f73e7 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/entity/TrustedPartyEntity.java +++ b/src/main/java/tng/trustnetwork/keydistribution/entity/TrustedPartyEntity.java 
@@ -2,7 +2,7 @@ * ---license-start * WorldHealthOrganization / tng-key-distribution * --- - * Copyright (C) 2021 T-Systems International GmbH and all other contributors + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors * --- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/main/java/tng/trustnetwork/keydistribution/entity/VerificationMethodEntity.java b/src/main/java/tng/trustnetwork/keydistribution/entity/VerificationMethodEntity.java index 5f11c73..25b9fa0 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/entity/VerificationMethodEntity.java +++ b/src/main/java/tng/trustnetwork/keydistribution/entity/VerificationMethodEntity.java @@ -1,3 +1,23 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + package tng.trustnetwork.keydistribution.entity; import jakarta.persistence.CascadeType; diff --git a/src/main/java/tng/trustnetwork/keydistribution/exception/BadRequestException.java b/src/main/java/tng/trustnetwork/keydistribution/exception/BadRequestException.java index 1ca09c5..a3fb5b2 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/exception/BadRequestException.java 
+++ b/src/main/java/tng/trustnetwork/keydistribution/exception/BadRequestException.java @@ -2,7 +2,7 @@ * ---license-start * WorldHealthOrganization / tng-key-distribution * --- - * Copyright (C) 2022 T-Systems International GmbH and all other contributors + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors * --- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/main/java/tng/trustnetwork/keydistribution/mapper/DidMapper.java b/src/main/java/tng/trustnetwork/keydistribution/mapper/DidMapper.java index 1a62634..081bcbb 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/mapper/DidMapper.java +++ b/src/main/java/tng/trustnetwork/keydistribution/mapper/DidMapper.java @@ -1,3 +1,23 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + package tng.trustnetwork.keydistribution.mapper; import java.util.List; diff --git a/src/main/java/tng/trustnetwork/keydistribution/mapper/IssuerMapper.java b/src/main/java/tng/trustnetwork/keydistribution/mapper/IssuerMapper.java index 0091ec5..7b23f61 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/mapper/IssuerMapper.java 
+++ b/src/main/java/tng/trustnetwork/keydistribution/mapper/IssuerMapper.java @@ -1,8 +1,8 @@ /*- * ---license-start - * WHO Digital Documentation Covid Certificate Gateway Service / ddcc-gateway-lib + * WorldHealthOrganization / tng-key-distribution * --- - * Copyright (C) 2022 T-Systems International GmbH and all other contributors + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors * --- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/main/java/tng/trustnetwork/keydistribution/model/DidContext.java b/src/main/java/tng/trustnetwork/keydistribution/model/DidContext.java index 7082b49..8e8d2d9 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/model/DidContext.java +++ b/src/main/java/tng/trustnetwork/keydistribution/model/DidContext.java @@ -1,3 +1,23 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + package tng.trustnetwork.keydistribution.model; import com.fasterxml.jackson.annotation.JsonInclude; diff --git a/src/main/java/tng/trustnetwork/keydistribution/model/DidDocument.java b/src/main/java/tng/trustnetwork/keydistribution/model/DidDocument.java index e6ba7a7..b8bc421 100644 
--- a/src/main/java/tng/trustnetwork/keydistribution/model/DidDocument.java +++ b/src/main/java/tng/trustnetwork/keydistribution/model/DidDocument.java @@ -1,3 +1,23 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + package tng.trustnetwork.keydistribution.model; import com.fasterxml.jackson.annotation.JsonIgnoreProperties; diff --git a/src/main/java/tng/trustnetwork/keydistribution/model/EcPublicKeyJwk.java b/src/main/java/tng/trustnetwork/keydistribution/model/EcPublicKeyJwk.java index ddb5481..83f5870 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/model/EcPublicKeyJwk.java +++ b/src/main/java/tng/trustnetwork/keydistribution/model/EcPublicKeyJwk.java 
@@ -1,3 +1,23 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + package tng.trustnetwork.keydistribution.model; import com.fasterxml.jackson.annotation.JsonEnumDefaultValue; diff --git a/src/main/java/tng/trustnetwork/keydistribution/model/JwkVerificationMethod.java b/src/main/java/tng/trustnetwork/keydistribution/model/JwkVerificationMethod.java index 3a67394..630850f 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/model/JwkVerificationMethod.java +++ b/src/main/java/tng/trustnetwork/keydistribution/model/JwkVerificationMethod.java 
@@ -1,3 +1,23 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + package tng.trustnetwork.keydistribution.model; import com.fasterxml.jackson.annotation.JsonInclude; diff --git a/src/main/java/tng/trustnetwork/keydistribution/model/Proof.java b/src/main/java/tng/trustnetwork/keydistribution/model/Proof.java index c959b1e..0626a0e 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/model/Proof.java +++ b/src/main/java/tng/trustnetwork/keydistribution/model/Proof.java 
@@ -1,3 +1,23 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + package tng.trustnetwork.keydistribution.model; import com.fasterxml.jackson.annotation.JsonInclude; diff --git a/src/main/java/tng/trustnetwork/keydistribution/model/PublicKeyJwk.java b/src/main/java/tng/trustnetwork/keydistribution/model/PublicKeyJwk.java index 74aaf20..96569a0 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/model/PublicKeyJwk.java +++ b/src/main/java/tng/trustnetwork/keydistribution/model/PublicKeyJwk.java 
@@ -1,3 +1,23 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + package tng.trustnetwork.keydistribution.model; import com.fasterxml.jackson.annotation.JsonInclude; diff --git a/src/main/java/tng/trustnetwork/keydistribution/model/RsaPublicKeyJwk.java b/src/main/java/tng/trustnetwork/keydistribution/model/RsaPublicKeyJwk.java index 1b80591..4006ef8 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/model/RsaPublicKeyJwk.java +++ b/src/main/java/tng/trustnetwork/keydistribution/model/RsaPublicKeyJwk.java 
@@ -1,3 +1,23 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + package tng.trustnetwork.keydistribution.model; import com.fasterxml.jackson.annotation.JsonInclude; diff --git a/src/main/java/tng/trustnetwork/keydistribution/model/StringOrObject.java b/src/main/java/tng/trustnetwork/keydistribution/model/StringOrObject.java index 59b90fc..ae961b9 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/model/StringOrObject.java +++ b/src/main/java/tng/trustnetwork/keydistribution/model/StringOrObject.java 
@@ -1,3 +1,23 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + package tng.trustnetwork.keydistribution.model; import com.fasterxml.jackson.databind.annotation.JsonDeserialize; diff --git a/src/main/java/tng/trustnetwork/keydistribution/model/StringOrObjectDeserializer.java b/src/main/java/tng/trustnetwork/keydistribution/model/StringOrObjectDeserializer.java index b5775ab..8cea6c7 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/model/StringOrObjectDeserializer.java +++ b/src/main/java/tng/trustnetwork/keydistribution/model/StringOrObjectDeserializer.java 
@@ -1,3 +1,23 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + package tng.trustnetwork.keydistribution.model; import com.fasterxml.jackson.core.JsonParser; diff --git a/src/main/java/tng/trustnetwork/keydistribution/model/VerificationMethod.java b/src/main/java/tng/trustnetwork/keydistribution/model/VerificationMethod.java index e5590e9..a30596b 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/model/VerificationMethod.java +++ b/src/main/java/tng/trustnetwork/keydistribution/model/VerificationMethod.java 
@@ -1,10 +1,28 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + package tng.trustnetwork.keydistribution.model; import com.fasterxml.jackson.annotation.JsonInclude; import com.fasterxml.jackson.annotation.JsonSubTypes; import com.fasterxml.jackson.annotation.JsonTypeInfo; -import com.fasterxml.jackson.databind.annotation.JsonDeserialize; -import java.util.List; import lombok.Getter; import lombok.Setter; diff --git a/src/main/java/tng/trustnetwork/keydistribution/model/VerificationMethodModel.java b/src/main/java/tng/trustnetwork/keydistribution/model/VerificationMethodModel.java index d7ad453..dbbc4a7 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/model/VerificationMethodModel.java +++ b/src/main/java/tng/trustnetwork/keydistribution/model/VerificationMethodModel.java 
@@ -1,3 +1,23 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + package tng.trustnetwork.keydistribution.model; import com.fasterxml.jackson.annotation.JsonInclude; diff --git a/src/main/java/tng/trustnetwork/keydistribution/model/VerificationMethodReference.java b/src/main/java/tng/trustnetwork/keydistribution/model/VerificationMethodReference.java index 5783ead..11bdabe 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/model/VerificationMethodReference.java +++ b/src/main/java/tng/trustnetwork/keydistribution/model/VerificationMethodReference.java 
@@ -1,3 +1,23 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + package tng.trustnetwork.keydistribution.model; import com.fasterxml.jackson.annotation.JsonInclude; diff --git a/src/main/java/tng/trustnetwork/keydistribution/repository/DecentralizedIdentifierRepository.java b/src/main/java/tng/trustnetwork/keydistribution/repository/DecentralizedIdentifierRepository.java index ca9d120..14b4369 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/repository/DecentralizedIdentifierRepository.java +++ b/src/main/java/tng/trustnetwork/keydistribution/repository/DecentralizedIdentifierRepository.java 
@@ -1,3 +1,23 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + package tng.trustnetwork.keydistribution.repository; import org.springframework.data.jpa.repository.JpaRepository; diff --git a/src/main/java/tng/trustnetwork/keydistribution/repository/InfoRepository.java b/src/main/java/tng/trustnetwork/keydistribution/repository/InfoRepository.java index 7187520..5aa2c8d 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/repository/InfoRepository.java +++ b/src/main/java/tng/trustnetwork/keydistribution/repository/InfoRepository.java @@ -2,7 +2,7 @@ * ---license-start * WorldHealthOrganization / tng-key-distribution * --- - * Copyright (C) 2022 T-Systems International GmbH and all other contributors + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors * --- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/main/java/tng/trustnetwork/keydistribution/repository/PublicKeyJwkRepository.java b/src/main/java/tng/trustnetwork/keydistribution/repository/PublicKeyJwkRepository.java index b2240f7..0f057c5 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/repository/PublicKeyJwkRepository.java 
+++ b/src/main/java/tng/trustnetwork/keydistribution/repository/PublicKeyJwkRepository.java @@ -1,3 +1,23 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + package tng.trustnetwork.keydistribution.repository; import org.springframework.data.jpa.repository.JpaRepository; diff --git a/src/main/java/tng/trustnetwork/keydistribution/repository/SignerInformationRepository.java b/src/main/java/tng/trustnetwork/keydistribution/repository/SignerInformationRepository.java index 0e5150a..b4cb4be 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/repository/SignerInformationRepository.java +++ b/src/main/java/tng/trustnetwork/keydistribution/repository/SignerInformationRepository.java @@ -2,7 +2,7 @@ * ---license-start * WorldHealthOrganization / tng-key-distribution * --- - * Copyright (C) 2021 T-Systems International GmbH and all other contributors + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors * --- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -59,4 +59,11 @@ public interface SignerInformationRepository extends JpaRepository findFirstByIdIsNotNullAndDeletedOrderByIdAsc(boolean deleted); Optional findFirstByIdGreaterThanAndDeletedOrderByIdAsc(Long resumeToken, boolean deleted); + + @Query("SELECT DISTINCT s.country FROM SignerInformationEntity s WHERE s.deleted = false") + List getCountryList(); + + List getAllByDeletedIs(boolean deleted); + + List getAllByDeletedIsAndCountryIsIn(boolean deleted, List countries); } diff --git a/src/main/java/tng/trustnetwork/keydistribution/repository/TrustedIssuerRepository.java b/src/main/java/tng/trustnetwork/keydistribution/repository/TrustedIssuerRepository.java index a612b98..18a95c8 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/repository/TrustedIssuerRepository.java +++ b/src/main/java/tng/trustnetwork/keydistribution/repository/TrustedIssuerRepository.java @@ -2,7 +2,7 @@ * ---license-start * WorldHealthOrganization / tng-key-distribution * --- - * Copyright (C) 2022 T-Systems International GmbH and all other contributors + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors * --- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -29,4 +29,6 @@ public interface TrustedIssuerRepository extends JpaRepository findAllByEtag(String etag); + + List findAllByUrlTypeIs(TrustedIssuerEntity.UrlType urlType); } diff --git a/src/main/java/tng/trustnetwork/keydistribution/repository/TrustedPartyRepository.java b/src/main/java/tng/trustnetwork/keydistribution/repository/TrustedPartyRepository.java index f05c3f8..e5542f4 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/repository/TrustedPartyRepository.java +++ b/src/main/java/tng/trustnetwork/keydistribution/repository/TrustedPartyRepository.java 
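Review bot: The new `getAllByDeletedIsAndCountryIsIn(boolean deleted, List countries)` has no guard for an empty `countries` list; Spring Data derives an `IN (...)` predicate from the name, and an empty collection renders as `IN ()`, which is a SQL syntax error on most databases unless the Hibernate version in use rewrites it. Either the caller (not visible in this hunk) must short-circuit on an empty list, or the contract belongs on the method, e.g. `/** @param countries non-empty list of country codes; an empty list is not a valid filter and must be handled by the caller */`. Both new `getAllBy…` methods also load every matching row unpaged, whereas the neighbouring `findFirstByIdGreaterThanAndDeletedOrderByIdAsc(Long resumeToken, boolean deleted)` pages by id, so if the signer table can grow large a `Pageable` parameter or the existing resume-token style would be the safer shape. The enclosing interface starts before this hunk, so I cannot confirm that `org.springframework.data.jpa.repository.Query` and `java.util.List` are already imported for `@Query` and the `List` return types.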
@@ -2,7 +2,7 @@ * ---license-start * WorldHealthOrganization / tng-key-distribution * --- - * Copyright (C) 2021 T-Systems International GmbH and all other contributors + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors * --- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -20,6 +20,7 @@ package tng.trustnetwork.keydistribution.repository; +import java.util.List; import org.springframework.data.jpa.repository.JpaRepository; import org.springframework.data.jpa.repository.Modifying; import tng.trustnetwork.keydistribution.entity.TrustedPartyEntity; @@ -29,4 +30,6 @@ public interface TrustedPartyRepository extends JpaRepository findAllByCountryIsAndTypeIs(String country, TrustedPartyEntity.Type type); + } diff --git a/src/main/java/tng/trustnetwork/keydistribution/repository/VerificationMethodRepository.java b/src/main/java/tng/trustnetwork/keydistribution/repository/VerificationMethodRepository.java index 9aa01fe..0fc619f 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/repository/VerificationMethodRepository.java +++ b/src/main/java/tng/trustnetwork/keydistribution/repository/VerificationMethodRepository.java 
@@ -1,3 +1,23 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + package tng.trustnetwork.keydistribution.repository; import org.springframework.data.jpa.repository.JpaRepository; diff --git a/src/main/java/tng/trustnetwork/keydistribution/restapi/controller/ContextController.java b/src/main/java/tng/trustnetwork/keydistribution/restapi/controller/ContextController.java index 28621ff..de3db4d 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/restapi/controller/ContextController.java +++ b/src/main/java/tng/trustnetwork/keydistribution/restapi/controller/ContextController.java @@ -2,7 +2,7 @@ * ---license-start * WorldHealthOrganization / tng-key-distribution * --- - * Copyright (C) 2021 T-Systems International GmbH and all other contributors + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors * --- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/main/java/tng/trustnetwork/keydistribution/restapi/controller/SignerInformationController.java b/src/main/java/tng/trustnetwork/keydistribution/restapi/controller/SignerInformationController.java index 092db14..9c0fa11 100644 
--- a/src/main/java/tng/trustnetwork/keydistribution/restapi/controller/SignerInformationController.java +++ b/src/main/java/tng/trustnetwork/keydistribution/restapi/controller/SignerInformationController.java @@ -2,7 +2,7 @@ * ---license-start * WorldHealthOrganization / tng-key-distribution * --- - * Copyright (C) 2021 T-Systems International GmbH and all other contributors + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors * --- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/main/java/tng/trustnetwork/keydistribution/restapi/controller/TrustedIssuerController.java b/src/main/java/tng/trustnetwork/keydistribution/restapi/controller/TrustedIssuerController.java index 45908a1..9acafc4 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/restapi/controller/TrustedIssuerController.java +++ b/src/main/java/tng/trustnetwork/keydistribution/restapi/controller/TrustedIssuerController.java @@ -2,7 +2,7 @@ * ---license-start * WorldHealthOrganization / tng-key-distribution * --- - * Copyright (C) 2021 T-Systems International GmbH and all other contributors + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors * --- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/main/java/tng/trustnetwork/keydistribution/restapi/dto/CertificatesLookupResponseItemDto.java b/src/main/java/tng/trustnetwork/keydistribution/restapi/dto/CertificatesLookupResponseItemDto.java index 5fe812c..518392a 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/restapi/dto/CertificatesLookupResponseItemDto.java +++ b/src/main/java/tng/trustnetwork/keydistribution/restapi/dto/CertificatesLookupResponseItemDto.java 
@@ -1,3 +1,23 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + package tng.trustnetwork.keydistribution.restapi.dto; import io.swagger.v3.oas.annotations.media.Schema; diff --git a/src/main/java/tng/trustnetwork/keydistribution/restapi/dto/DeltaListDto.java b/src/main/java/tng/trustnetwork/keydistribution/restapi/dto/DeltaListDto.java index e7fa43e..31bc48a 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/restapi/dto/DeltaListDto.java +++ b/src/main/java/tng/trustnetwork/keydistribution/restapi/dto/DeltaListDto.java 
@@ -1,3 +1,23 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + package tng.trustnetwork.keydistribution.restapi.dto; import io.swagger.v3.oas.annotations.media.Schema; diff --git a/src/main/java/tng/trustnetwork/keydistribution/restapi/dto/KidDto.java b/src/main/java/tng/trustnetwork/keydistribution/restapi/dto/KidDto.java index 39621ae..c894fcd 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/restapi/dto/KidDto.java +++ b/src/main/java/tng/trustnetwork/keydistribution/restapi/dto/KidDto.java @@ -2,7 +2,7 @@ * ---license-start * WorldHealthOrganization / tng-key-distribution * --- - * Copyright (C) 2021 T-Systems International GmbH and all other contributors + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors * --- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/main/java/tng/trustnetwork/keydistribution/restapi/dto/ProblemReportDto.java b/src/main/java/tng/trustnetwork/keydistribution/restapi/dto/ProblemReportDto.java index 3a01d14..c47e3a7 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/restapi/dto/ProblemReportDto.java 
+++ b/src/main/java/tng/trustnetwork/keydistribution/restapi/dto/ProblemReportDto.java @@ -2,7 +2,7 @@ * ---license-start * WorldHealthOrganization / tng-key-distribution * --- - * Copyright (C) 2021 T-Systems International GmbH and all other contributors + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors * --- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/main/java/tng/trustnetwork/keydistribution/service/DecentralizedIdentifierService.java b/src/main/java/tng/trustnetwork/keydistribution/service/DecentralizedIdentifierService.java index f595304..37763d6 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/service/DecentralizedIdentifierService.java +++ b/src/main/java/tng/trustnetwork/keydistribution/service/DecentralizedIdentifierService.java @@ -1,3 +1,23 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + package tng.trustnetwork.keydistribution.service; import java.util.Objects; 
@@ -26,10 +46,10 @@ public class DecentralizedIdentifierService { private final DidMapper didMapper; /** - * Update list of stored DID with given Document. + * Update the list of Decentralized Identifier Documents. * - * @param didDocument Parsed DIDDocument - * @param raw RAW-JSON-Value of the DID Document. This will be stored to allow validation of LD-Proof later. + * @param didDocument parsed DID Document + * @param raw RAW JSON Representation (This is required to be able to verify integrity of DID afterwords) */ @Transactional public void updateDecentralizedIdentifierList(DidDocument didDocument, String raw) { @@ -47,5 +67,4 @@ public void updateDecentralizedIdentifierList(DidDocument didDocument, String ra verificationMethodRepository.save(verificationMethod); }); } - } diff --git a/src/main/java/tng/trustnetwork/keydistribution/service/InfoService.java b/src/main/java/tng/trustnetwork/keydistribution/service/InfoService.java index 69e2c3a..cb09ce2 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/service/InfoService.java +++ b/src/main/java/tng/trustnetwork/keydistribution/service/InfoService.java @@ -2,7 +2,7 @@ * ---license-start * WorldHealthOrganization / tng-key-distribution * --- - * Copyright (C) 2022 T-Systems International GmbH and all other contributors + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors * --- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/main/java/tng/trustnetwork/keydistribution/service/SignerCertificateDownloadService.java b/src/main/java/tng/trustnetwork/keydistribution/service/SignerCertificateDownloadService.java index cbaf1dd..35f3b60 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/service/SignerCertificateDownloadService.java +++ b/src/main/java/tng/trustnetwork/keydistribution/service/SignerCertificateDownloadService.java 
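Review bot: The rewritten Javadoc for `updateDecentralizedIdentifierList` contains the typo `afterwords`; the line should read `* @param raw RAW JSON representation (required to be able to verify the integrity of the DID afterwards)`. The method body continues outside the hunk.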
@@ -2,7 +2,7 @@ * ---license-start * WorldHealthOrganization / tng-key-distribution * --- - * Copyright (C) 2021 T-Systems International GmbH and all other contributors + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors * --- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/main/java/tng/trustnetwork/keydistribution/service/SignerInformationService.java b/src/main/java/tng/trustnetwork/keydistribution/service/SignerInformationService.java index 25f2dba..b2b82fd 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/service/SignerInformationService.java +++ b/src/main/java/tng/trustnetwork/keydistribution/service/SignerInformationService.java @@ -2,7 +2,7 @@ * ---license-start * WorldHealthOrganization / tng-key-distribution * --- - * Copyright (C) 2021 T-Systems International GmbH and all other contributors + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors * --- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -50,6 +50,7 @@ public class SignerInformationService { * @return Optional holding the certificate if found. */ public Optional getCertificate(Long resumeToken) { + if (resumeToken == null) { return signerInformationRepository.findFirstByIdIsNotNullAndDeletedOrderByIdAsc(false); } else { @@ -74,7 +75,6 @@ public List getListOfValidKids() { * Method to synchronise the certificates in the db with the given List of trusted certificates. * * @param trustedCerts defines the list of trusted certificates. - * */ @Transactional public void updateTrustedCertsList(List trustedCerts) { 
@@ -105,9 +105,10 @@ public void updateTrustedCertsList(List trustedCerts) { } private SignerInformationEntity getSignerInformationEntity(TrustListItem cert) { + SignerInformationEntity signerEntity = new SignerInformationEntity(); signerEntity.setKid(cert.getKid()); - signerEntity.setCreatedAt(cert.getTimestamp()); + signerEntity.setCreatedAt(cert.getTimestamp() == null ? ZonedDateTime.now() : cert.getTimestamp()); signerEntity.setCountry(cert.getCountry()); signerEntity.setThumbprint((cert.getThumbprint())); signerEntity.setRawData(cert.getRawData()); @@ -117,6 +118,7 @@ private SignerInformationEntity getSignerInformationEntity(TrustListItem cert) { /** * Gets the deleted/updated state of the certificates. + * * @return state of the certificates represented by their kids */ public DeltaListDto getDeltaList() { @@ -124,16 +126,18 @@ public DeltaListDto getDeltaList() { List certs = signerInformationRepository.findAllByOrderByIdAsc(); - Map> partitioned = + Map> partitioned = certs.stream().collect(Collectors.partitioningBy(SignerInformationEntity::isDeleted, - Collectors.mapping(SignerInformationEntity::getKid, Collectors.toList()))); + Collectors.mapping(SignerInformationEntity::getKid, + Collectors.toList()))); - return new DeltaListDto(partitioned.get(Boolean.FALSE),partitioned.get(Boolean.TRUE)); + return new DeltaListDto(partitioned.get(Boolean.FALSE), partitioned.get(Boolean.TRUE)); } /** * Gets the deleted/updated state of the certificates after the given value. + * * @return state of the certificates represented by their kids */ public DeltaListDto getDeltaList(ZonedDateTime ifModifiedDateTime) { 
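Review bot: The new fallback `cert.getTimestamp() == null ? ZonedDateTime.now() : cert.getTimestamp()` in `getSignerInformationEntity` uses the JVM default zone, so `createdAt` of certificates lacking an upstream timestamp depends on where the pod runs; `ZonedDateTime.now(ZoneOffset.UTC)` (or an injected `Clock`) makes the value deterministic and testable. A missing timestamp on a trust-list item is also worth a `log.warn` so that it is visible that the stored value is a local fallback rather than upstream data.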
@@ -141,16 +145,18 @@ public DeltaListDto getDeltaList(ZonedDateTime ifModifiedDateTime) { List certs = signerInformationRepository.findAllByUpdatedAtAfterOrderByIdAsc(ifModifiedDateTime); - Map> partitioned = + Map> partitioned = certs.stream().collect(Collectors.partitioningBy(SignerInformationEntity::isDeleted, - Collectors.mapping(SignerInformationEntity::getKid, Collectors.toList()))); + Collectors.mapping(SignerInformationEntity::getKid, + Collectors.toList()))); - return new DeltaListDto(partitioned.get(Boolean.FALSE),partitioned.get(Boolean.TRUE)); + return new DeltaListDto(partitioned.get(Boolean.FALSE), partitioned.get(Boolean.TRUE)); } /** * Gets the raw data of the certificates for a given kid list. + * * @param requestedCertList list of kids * @return raw data of certificates */ 
@@ -160,10 +166,41 @@ public Map> getCertificatesData( signerInformationRepository.findAllByKidIn(requestedCertList); return certs.stream().collect(Collectors.groupingBy(SignerInformationEntity::getCountry, - Collectors.mapping(this::map, Collectors.toList()))); + Collectors.mapping(this::map, Collectors.toList()))); + } + + /** + * Returns a list of 2-Digit Country-Codes which have at least one signing certificates present in DB which is not + * marked for deletion. + * + * @return Distinct list of Country-Codes + */ + public List getCountryList() { + + return signerInformationRepository.getCountryList(); + } + + /** + * Returns a list of all active certificates. + * + * @return List of SignerInformationEntity + */ + public List getActiveCertificates() { + return signerInformationRepository.getAllByDeletedIs(false); + } + + /** + * Returns a list of active certificates for given list of countries. + * + * @param countries List of Country Codes to filter for. * + * @return List of SignerInformationEntity + */ + public List getActiveCertificatesForCountries(List countries) { + return signerInformationRepository.getAllByDeletedIsAndCountryIsIn(false, countries); } private CertificatesLookupResponseItemDto map(SignerInformationEntity entity) { + return new CertificatesLookupResponseItemDto(entity.getKid(), entity.getRawData()); } } diff --git a/src/main/java/tng/trustnetwork/keydistribution/service/TrustedIssuerDownloadService.java b/src/main/java/tng/trustnetwork/keydistribution/service/TrustedIssuerDownloadService.java index c40ead7..27fca30 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/service/TrustedIssuerDownloadService.java +++ b/src/main/java/tng/trustnetwork/keydistribution/service/TrustedIssuerDownloadService.java 
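Review bot: `getActiveCertificatesForCountries` passes `countries` straight into an `IN` derived query; the only visible caller hands over a one-element list, but an empty list would render `IN ()`, which some JPA/DB combinations reject, so a guard `if (countries == null || countries.isEmpty()) { return List.of(); }` keeps the method safe for other callers. The Javadoc on `getCountryList` should read `at least one signing certificate present in the DB which is not marked for deletion`.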
@@ -2,7 +2,7 @@ * ---license-start * WorldHealthOrganization / tng-key-distribution * --- - * Copyright (C) 2021 T-Systems International GmbH and all other contributors + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors * --- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -57,7 +57,7 @@ public void downloadTrustedIssuers() { log.info("Trusted issuers download started"); ArrayList trustedIssuers = new ArrayList<>(); - trustedIssuers.addAll(configProperties.getStaticTrustedIssuer()); + trustedIssuers.addAll(configProperties.getTrustedIssuerDownloader().getStaticTrustedIssuer()); trustedIssuers.addAll(downloadConnector.getTrustedIssuers()); trustedIssuerService.updateTrustedIssuersList(trustedIssuers); diff --git a/src/main/java/tng/trustnetwork/keydistribution/service/TrustedIssuerService.java b/src/main/java/tng/trustnetwork/keydistribution/service/TrustedIssuerService.java index 9c61a28..1219d3e 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/service/TrustedIssuerService.java +++ b/src/main/java/tng/trustnetwork/keydistribution/service/TrustedIssuerService.java @@ -2,7 +2,7 @@ * ---license-start * WorldHealthOrganization / tng-key-distribution * --- - * Copyright (C) 2021 T-Systems International GmbH and all other contributors + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors * --- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -29,6 +29,7 @@ import lombok.extern.slf4j.Slf4j; import org.springframework.stereotype.Component; import org.springframework.transaction.annotation.Transactional; +import tng.trustnetwork.keydistribution.config.KdsConfigProperties; import tng.trustnetwork.keydistribution.entity.TrustedIssuerEntity; import tng.trustnetwork.keydistribution.mapper.IssuerMapper; import tng.trustnetwork.keydistribution.repository.TrustedIssuerRepository; @@ -48,6 +49,8 @@ public class TrustedIssuerService { private final DecentralizedIdentifierService decentralizedIdentifierService; + private final KdsConfigProperties configProperties; + /** * Get the current etag. * @@ -73,6 +76,16 @@ public List getAllIssuers(String etag) { return trustedIssuerRepository.findAllByEtag(etag); } + /** + * Method to query the db for DID documents. + * + * @return List holding the found trusted issuers. + */ + public List getAllDid() { + + return trustedIssuerRepository.findAllByUrlTypeIs(TrustedIssuerEntity.UrlType.DID); + } + /** * Method to synchronise the issuers in the db with the given List of trusted issuers. * @@ -89,7 +102,8 @@ public void updateTrustedIssuersList(List trustedIssuers) { trustedIssuerEntities.add(getTrustedIssuerEntity(newEtag, trustedIssuer)); - if (TrustedIssuer.UrlType.DID == trustedIssuer.getType()) { + if (TrustedIssuer.UrlType.DID == trustedIssuer.getType() + && configProperties.getTrustedIssuerDownloader().isEnableTrustedIssuerResolving()) { try { UniversalResolverService.DidDocumentWithRawResponse didDocument = urService.universalResolverApiCall(trustedIssuer.getUrl()); diff --git a/src/main/java/tng/trustnetwork/keydistribution/service/TrustedPartyService.java b/src/main/java/tng/trustnetwork/keydistribution/service/TrustedPartyService.java index 6899bc4..88c175e 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/service/TrustedPartyService.java +++ b/src/main/java/tng/trustnetwork/keydistribution/service/TrustedPartyService.java 
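Review bot: The Javadoc on the new `getAllDid()` says it queries "DID documents", but `findAllByUrlTypeIs(TrustedIssuerEntity.UrlType.DID)` returns the `TrustedIssuerEntity` rows whose URL type is DID, not resolved documents; `* Returns all trusted issuers whose URL is of type DID.` states the contract accurately. In `updateTrustedIssuersList` the `isEnableTrustedIssuerResolving()` flag is re-read from config for every issuer inside the loop; reading it once before the loop (`boolean resolveDid = configProperties.getTrustedIssuerDownloader().isEnableTrustedIssuerResolving();`) would be clearer, though the loop head is outside the hunk.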
@@ -2,7 +2,7 @@ * ---license-start * WorldHealthOrganization / tng-key-distribution * --- - * Copyright (C) 2021 T-Systems International GmbH and all other contributors + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors * --- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -53,6 +53,11 @@ public void updateCscaFromTrustList(List trustList) { .forEach(trustedPartyRepository::save); } + public List getCscaByCountry(String countryCode) { + + return trustedPartyRepository.findAllByCountryIsAndTypeIs(countryCode, TrustedPartyEntity.Type.CSCA); + } + private TrustedPartyEntity getCscaEntity(TrustListItem trustListItem) { return TrustedPartyEntity.builder() diff --git a/src/main/java/tng/trustnetwork/keydistribution/service/UniversalResolverService.java b/src/main/java/tng/trustnetwork/keydistribution/service/UniversalResolverService.java index 59e1ede..5093b37 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/service/UniversalResolverService.java +++ b/src/main/java/tng/trustnetwork/keydistribution/service/UniversalResolverService.java 
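Review bot: `getCscaByCountry` is a new public method without Javadoc, while the other public methods in this service carry one; add `/** Returns all CSCA trusted-party entries stored for the given country. @param countryCode country code as stored in the trusted-party table @return matching entities, empty if none */` above it.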
@@ -1,3 +1,23 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + package tng.trustnetwork.keydistribution.service; import com.fasterxml.jackson.core.JsonProcessingException; diff --git a/src/main/java/tng/trustnetwork/keydistribution/service/did/DidTrustListService.java b/src/main/java/tng/trustnetwork/keydistribution/service/did/DidTrustListService.java new file mode 100644 index 0000000..72baabc --- /dev/null +++ b/src/main/java/tng/trustnetwork/keydistribution/service/did/DidTrustListService.java 
@@ -0,0 +1,306 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + +package tng.trustnetwork.keydistribution.service.did; + +import com.apicatalog.jsonld.document.JsonDocument; +import com.danubetech.keyformats.crypto.ByteSigner; +import com.fasterxml.jackson.databind.ObjectMapper; +import eu.europa.ec.dgc.utils.CertificateUtils; +import foundation.identity.jsonld.ConfigurableDocumentLoader; +import foundation.identity.jsonld.JsonLDObject; +import info.weboftrust.ldsignatures.jsonld.LDSecurityKeywords; +import info.weboftrust.ldsignatures.signer.JsonWebSignature2020LdSigner; +import java.io.IOException; +import java.io.InputStream; +import java.net.URI; +import java.net.URLEncoder; +import java.nio.charset.StandardCharsets; +import java.security.PublicKey; +import java.security.cert.CertificateEncodingException; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.security.interfaces.ECPublicKey; +import java.security.interfaces.RSAPublicKey; +import java.util.ArrayList; +import java.util.Base64; +import java.util.Date; +import java.util.HashMap; +import java.util.List; +import java.util.Locale; +import java.util.Map; +import java.util.MissingResourceException; +import java.util.Objects; +import 
java.util.Optional; +import lombok.RequiredArgsConstructor; +import lombok.extern.slf4j.Slf4j; +import net.javacrumbs.shedlock.spring.annotation.SchedulerLock; +import org.bouncycastle.cert.X509CertificateHolder; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.scheduling.annotation.Scheduled; +import org.springframework.stereotype.Service; +import tng.trustnetwork.keydistribution.config.KdsConfigProperties; +import tng.trustnetwork.keydistribution.entity.SignerInformationEntity; +import tng.trustnetwork.keydistribution.service.SignerInformationService; +import tng.trustnetwork.keydistribution.service.TrustedIssuerService; +import tng.trustnetwork.keydistribution.service.TrustedPartyService; +import tng.trustnetwork.keydistribution.service.did.entity.DidTrustList; +import tng.trustnetwork.keydistribution.service.did.entity.DidTrustListEntry; + +@Slf4j +@Service +@RequiredArgsConstructor +@ConditionalOnProperty("dgc.did.enableDidGeneration") +public class DidTrustListService { + + private static final String SEPARATOR_COLON = ":"; + + private static final String SEPARATOR_FRAGMENT = "#"; + + private static final List DID_CONTEXTS = List.of( + "https://www.w3.org/ns/did/v1", + "https://w3id.org/security/suites/jws-2020/v1"); + + private final TrustedPartyService trustedPartyService; + + private final SignerInformationService signerInformationService; + + private final KdsConfigProperties configProperties; + + private final ByteSigner byteSigner; + + private final DidUploader didUploader; + + private final ObjectMapper objectMapper; + + private final CertificateUtils certificateUtils; + + private final TrustedIssuerService trustedIssuerService; + + /** + * Create and upload DID Document holding Uploaded DSC and Trusted Issuer. 
+ */ + @Scheduled(cron = "${dgc.did.cron}") + @SchedulerLock(name = "didTrustListGenerator") + public void job() { + + String trustList; + try { + trustList = generateTrustList(null); + } catch (Exception e) { + log.error("Failed to generate DID-TrustList: {}", e.getMessage()); + return; + } + + try { + didUploader.uploadDid(trustList.getBytes(StandardCharsets.UTF_8)); + } catch (Exception e) { + log.error("Failed to Upload DID-TrustList: {}", e.getMessage()); + return; + } + + List countries = signerInformationService.getCountryList(); + + for (String country : countries) { + String countryTrustList; + + String countryAsSubcontainer = getCountryAsLowerCaseAlpha3(country); + if (countryAsSubcontainer != null) { + try { + countryTrustList = generateTrustList(List.of(country)); + } catch (Exception e) { + log.error("Failed to generate DID-TrustList for country {} : {}", country, e.getMessage()); + continue; + } + + try { + didUploader.uploadDid(countryAsSubcontainer, countryTrustList.getBytes(StandardCharsets.UTF_8)); + } catch (Exception e) { + log.error("Failed to Upload DID-TrustList for country {} : {}", country, e.getMessage()); + } + } + } + + log.info("Finished DID Export Process"); + } + + private String getCountryAsLowerCaseAlpha3(String country) { + + if (country == null || country.length() != 2 && country.length() != 3) { + return null; + } else if (country.length() == 3) { + return country; + } + + return configProperties.getDid().getVirtualCountries().computeIfAbsent(country, (c) -> { + try { + return new Locale("en", c).getISO3Country().toLowerCase(); + } catch (MissingResourceException e) { + log.error("Country Code to alpha 3 conversion issue for country {} : {}", + c, e.getMessage()); + return c; + } + }); + } + + private String generateTrustList(List countries) throws Exception { + + DidTrustList trustList = new DidTrustList(); + trustList.setContext(DID_CONTEXTS); + trustList.setId(configProperties.getDid().getDidId()); + 
trustList.setController(configProperties.getDid().getDidController()); + trustList.setVerificationMethod(new ArrayList<>()); + + if (countries != null && !countries.isEmpty()) { + trustList.setId(configProperties.getDid().getDidId() + + SEPARATOR_COLON + + getCountryAsLowerCaseAlpha3(countries.get(0))); + trustList.setController(configProperties.getDid().getDidController() + + SEPARATOR_COLON + + getCountryAsLowerCaseAlpha3(countries.get(0))); + } + + // Add DSC + List signerInformationEntities = countries == null + ? signerInformationService.getActiveCertificates() + : signerInformationService.getActiveCertificatesForCountries(countries); + + for (SignerInformationEntity signerInformationEntity : signerInformationEntities) { + + X509Certificate parsedCertificate = parseCertificate(signerInformationEntity.getRawData()); + PublicKey publicKey = parsedCertificate.getPublicKey(); + + if (publicKey instanceof RSAPublicKey rsaPublicKey) { + addTrustListEntry(trustList, signerInformationEntity, + new DidTrustListEntry.RsaPublicKeyJwk( + rsaPublicKey, List.of(signerInformationEntity.getRawData())), parsedCertificate); + + } else if (publicKey instanceof ECPublicKey ecPublicKey) { + addTrustListEntry(trustList, signerInformationEntity, + new DidTrustListEntry.EcPublicKeyJwk( + ecPublicKey, List.of(signerInformationEntity.getRawData())), parsedCertificate); + + } else { + log.error("Public Key is not RSA or EC Public Key for cert {} of country {}", + signerInformationEntity.getThumbprint(), + signerInformationEntity.getCountry()); + } + } + + // Add DID References + trustedIssuerService.getAllDid() + .forEach(did -> trustList.getVerificationMethod().add(did.getUrl())); + + // Create LD-Proof Document + JsonWebSignature2020LdSigner signer = new JsonWebSignature2020LdSigner(byteSigner); + signer.setCreated(new Date()); + signer.setProofPurpose(LDSecurityKeywords.JSONLD_TERM_ASSERTIONMETHOD); + 
signer.setVerificationMethod(URI.create(configProperties.getDid().getLdProofVerificationMethod())); + signer.setDomain(configProperties.getDid().getLdProofDomain()); + signer.setNonce(configProperties.getDid().getLdProofNonce()); + + // Load DID-Contexts + Map contextMap = new HashMap<>(); + for (String didContext : DID_CONTEXTS) { + String didContextFile = configProperties.getDid().getContextMapping().get(didContext); + + if (didContextFile == null) { + log.error("Failed to load DID-Context Document for {}: No Mapping to local JSON-File.", didContext); + } + + try (InputStream inputStream = getClass().getClassLoader().getResourceAsStream( + "did_contexts/" + didContextFile)) { + if (inputStream != null) { + contextMap.put(URI.create(didContext), JsonDocument.of(inputStream)); + } + } catch (Exception e) { + log.error("Failed to load DID-Context Document {}: {}", didContextFile, e.getMessage()); + throw e; + } + } + JsonLDObject jsonLdObject = JsonLDObject.fromJson(objectMapper.writeValueAsString(trustList)); + jsonLdObject.setDocumentLoader(new ConfigurableDocumentLoader(contextMap)); + + signer.sign(jsonLdObject); + + return jsonLdObject.toJson(); + } + + private X509Certificate parseCertificate(String raw) { + + try { + byte[] rawDataBytes = Base64.getDecoder().decode(raw); + X509CertificateHolder certificateHolder = new X509CertificateHolder(rawDataBytes); + return certificateUtils.convertCertificate(certificateHolder); + } catch (CertificateException | IOException e) { + return null; + } + } + + private void addTrustListEntry(DidTrustList trustList, + SignerInformationEntity signerInformationEntity, + DidTrustListEntry.PublicKeyJwk publicKeyJwk, + X509Certificate dsc) { + + Optional csca = searchCsca(dsc, signerInformationEntity.getCountry()); + + if (csca.isPresent()) { + + try { + String encodedCsca = Base64.getEncoder().encodeToString(csca.get().getEncoded()); + publicKeyJwk.getEncodedX509Certificates() + .add(encodedCsca); + } catch 
(CertificateEncodingException e) { + throw new RuntimeException(e); + } + } + + DidTrustListEntry trustListEntry = new DidTrustListEntry(); + trustListEntry.setType("JsonWebKey2020"); + trustListEntry.setId(configProperties.getDid().getTrustListIdPrefix() + + SEPARATOR_COLON + + getCountryAsLowerCaseAlpha3(signerInformationEntity.getCountry()) + + SEPARATOR_FRAGMENT + + URLEncoder.encode(signerInformationEntity.getKid(), StandardCharsets.UTF_8)); + trustListEntry.setController(configProperties.getDid().getTrustListControllerPrefix() + + SEPARATOR_COLON + + getCountryAsLowerCaseAlpha3(signerInformationEntity.getCountry())); + trustListEntry.setPublicKeyJwk(publicKeyJwk); + + trustList.getVerificationMethod().add(trustListEntry); + } + + /** + * Search for CSCA for DSC. + * + * @param dsc DSC to search CSCA for. + * @return Optional holding the CSCA if found. + */ + private Optional searchCsca(X509Certificate dsc, String country) { + + return trustedPartyService.getCscaByCountry(country) + .stream() + .map(csca -> parseCertificate(csca.getRawData())) + .filter(Objects::nonNull) + .filter(csca -> csca.getSubjectX500Principal() + .equals(dsc.getIssuerX500Principal())) + .findFirst(); + } +} diff --git a/src/main/java/tng/trustnetwork/keydistribution/service/did/DidUploader.java b/src/main/java/tng/trustnetwork/keydistribution/service/did/DidUploader.java new file mode 100644 index 0000000..af7b243 --- /dev/null +++ b/src/main/java/tng/trustnetwork/keydistribution/service/did/DidUploader.java 
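Review bot: `generateTrustList` dereferences the result of `parseCertificate` (`parsedCertificate.getPublicKey()`) although `parseCertificate` returns `null` on `CertificateException`/`IOException` without logging, so one undecodable DSC row aborts the whole trust-list generation with a NullPointerException, and `job()` then logs only `e.getMessage()` (null for an NPE) without a stack trace. Guard the parse result and skip the entry (below), log the parse failure inside `parseCertificate`, and pass the exception to the logger in `job()` (`log.error("Failed to generate DID-TrustList: {}", e.getMessage(), e);`) so the offending row can be found. Two further points in the same file: when `didContextFile == null` the context loop logs an error but still proceeds to open `"did_contexts/null"`, so a missing context mapping silently yields a document without that context — a `throw` or `continue` after the log would make the failure explicit; and `searchCsca` matches a CSCA by subject/issuer DN equality only, so with two CSCAs of the same country sharing a DN (key rollover) the wrong one may be embedded in the published x5c chain — a `dsc.verify(csca.getPublicKey())` check (or an AuthorityKeyIdentifier match) would pin the actual issuer. `getCountryAsLowerCaseAlpha3` also returns three-letter input unchanged rather than lower-cased, unlike the two-letter path.
```java
for (SignerInformationEntity signerInformationEntity : signerInformationEntities) {

    X509Certificate parsedCertificate = parseCertificate(signerInformationEntity.getRawData());
    if (parsedCertificate == null) {
        log.error("Skipping cert {} of country {}: raw data could not be parsed",
            signerInformationEntity.getThumbprint(), signerInformationEntity.getCountry());
        continue;
    }
    PublicKey publicKey = parsedCertificate.getPublicKey();
    // … unchanged: RSA/EC branching and addTrustListEntry calls …
```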
@@ -0,0 +1,29 @@
+/*-
+ * ---license-start
+ * WorldHealthOrganization / tng-key-distribution
+ * ---
+ * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors
+ * ---
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ---license-end
+ */
+
+package tng.trustnetwork.keydistribution.service.did;
+
+public interface DidUploader {
+
+ void uploadDid(byte[] content);
+
+ void uploadDid(String subContainer, byte[] content);
+
+}
diff --git a/src/main/java/tng/trustnetwork/keydistribution/service/did/DummyByteSigner.java b/src/main/java/tng/trustnetwork/keydistribution/service/did/DummyByteSigner.java
new file mode 100644
index 0000000..4948215
--- /dev/null
+++ b/src/main/java/tng/trustnetwork/keydistribution/service/did/DummyByteSigner.java
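Review bot: The two `uploadDid` overloads in DidUploader carry no Javadoc, so the meaning of `subContainer` and the relationship between the overloads is only visible in the implementations (LocalFileDidUploader forwards the one-argument form as `uploadDid(null, content)`, and both implementations in this patch report failures by logging rather than throwing). An interface comment would pin the contract, e.g. `/** Publishes a generated DID document. subContainer names a sub-location below the configured target, null meaning the root. */` on the two-argument method, plus a sentence stating whether an upload failure is signalled by exception or only logged, so future implementations agree with the existing ones.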
@@ -0,0 +1,42 @@
+/*-
+ * ---license-start
+ * WorldHealthOrganization / tng-key-distribution
+ * ---
+ * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors
+ * ---
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ---license-end
+ */
+
+package tng.trustnetwork.keydistribution.service.did;
+
+import com.danubetech.keyformats.crypto.ByteSigner;
+import java.security.GeneralSecurityException;
+import java.security.MessageDigest;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.stereotype.Service;
+
+@Service
+@ConditionalOnProperty(name = "dgc.did.didSigningProvider", havingValue = "dummy")
+public class DummyByteSigner extends ByteSigner {
+
+ public DummyByteSigner() {
+ super("EC");
+ }
+
+ @Override
+ protected byte[] sign(byte[] content) throws GeneralSecurityException {
+ MessageDigest digest = MessageDigest.getInstance("SHA-256");
+ return digest.digest(content);
+ }
+}
diff --git a/src/main/java/tng/trustnetwork/keydistribution/service/did/DummyDidUploader.java b/src/main/java/tng/trustnetwork/keydistribution/service/did/DummyDidUploader.java
new file mode 100644
index 0000000..3ab9337
--- /dev/null
+++ b/src/main/java/tng/trustnetwork/keydistribution/service/did/DummyDidUploader.java
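Review bot: `sign` in DummyByteSigner returns the SHA-256 digest of the content rather than a signature, so any LD proof produced with this provider is unverifiable, yet nothing in the class says so — it is a plain `@Service` selected by `dgc.did.didSigningProvider=dummy`, which the application.yml hunk in this patch makes the default. A class-level Javadoc should state the intent, e.g. `/** Development/test stand-in for a ByteSigner: emits a SHA-256 digest, not a signature. The resulting proof cannot be verified; do not select this provider where the DID document is published. */`. A one-line warning logged from the constructor would additionally make the active provider visible in the startup log.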
@@ -0,0 +1,42 @@
+/*-
+ * ---license-start
+ * WorldHealthOrganization / tng-key-distribution
+ * ---
+ * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors
+ * ---
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ---license-end
+ */
+
+package tng.trustnetwork.keydistribution.service.did;
+
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.stereotype.Service;
+
+@ConditionalOnProperty(name = "dgc.did.didUploadProvider", havingValue = "dummy")
+@Service
+@Slf4j
+public class DummyDidUploader implements DidUploader {
+
+ @Override
+ public void uploadDid(byte[] content) {
+ log.info("Uploaded {} bytes", content.length);
+ }
+
+ @Override
+ public void uploadDid(String subContainer, byte[] content) {
+ log.info("Uploaded {} bytes to subContainer {}", content.length, subContainer);
+ }
+
+}
diff --git a/src/main/java/tng/trustnetwork/keydistribution/service/did/LocalFileDidUploader.java b/src/main/java/tng/trustnetwork/keydistribution/service/did/LocalFileDidUploader.java
new file mode 100644
index 0000000..8c734af
--- /dev/null
+++ b/src/main/java/tng/trustnetwork/keydistribution/service/did/LocalFileDidUploader.java
@@ -0,0 +1,87 @@
+/*-
+ * ---license-start
+ * WorldHealthOrganization / tng-key-distribution
+ * ---
+ * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors
+ * ---
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ---license-end
+ */
+
+package tng.trustnetwork.keydistribution.service.did;
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.nio.file.Paths;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.stereotype.Service;
+import tng.trustnetwork.keydistribution.config.KdsConfigProperties;
+
+@ConditionalOnProperty(name = "dgc.did.didUploadProvider", havingValue = "local-file")
+@Service
+@Slf4j
+@RequiredArgsConstructor
+public class LocalFileDidUploader implements DidUploader {
+
+ private final KdsConfigProperties configProperties;
+
+ @Override
+ public void uploadDid(byte[] content) {
+
+ uploadDid(null, content);
+ }
+
+ @Override
+ public void uploadDid(String subContainer, byte[] content) {
+
+ File targetFile;
+
+ if (subContainer == null) {
+ targetFile = Paths.get(
+ configProperties.getDid().getLocalFile().getDirectory(),
+ configProperties.getDid().getLocalFile().getFileName()
+ ).toFile();
+ } else {
+ targetFile = Paths.get(
+ configProperties.getDid().getLocalFile().getDirectory(),
+ subContainer,
+ configProperties.getDid().getLocalFile().getFileName()
+ ).toFile();
+ }
+
+ log.info("Storing {} bytes to {}", content.length, targetFile.getAbsolutePath());
+
+ if (targetFile.exists() && !targetFile.delete()) {
+ log.error("Failed to delete existing file.");
+ return;
+ }
+
+ if (targetFile.getParentFile().mkdirs()) {
+ log.info("Created required directory {}", targetFile.getParentFile().getAbsolutePath());
+ }
+
+ try (FileOutputStream fileOutputStream = new FileOutputStream(targetFile)) {
+ fileOutputStream.write(content);
+ } catch (IOException e) {
+ log.error("Failed to write DID Content to file: {}", e.getMessage());
+ return;
+ }
+
+ log.info("Successfully saved file locally.");
+
+ }
+
+}
diff --git a/src/main/java/tng/trustnetwork/keydistribution/service/did/LocalKeystoreByteSigner.java b/src/main/java/tng/trustnetwork/keydistribution/service/did/LocalKeystoreByteSigner.java
new file mode 100644
index 0000000..bd5b2e3
--- /dev/null
+++ b/src/main/java/tng/trustnetwork/keydistribution/service/did/LocalKeystoreByteSigner.java
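Review bot: `uploadDid(String subContainer, byte[] content)` joins `subContainer` into the target path with `Paths.get` and never checks that the result stays below the configured directory, so a value containing `..` or an absolute segment would delete and write a file outside it. Where the value comes from is not visible here and it may well be constant today, but the method is the public entry point of a `@Service`, and a containment check costs a few lines: resolve against the normalized base directory, normalize, and refuse anything that does not `startsWith` the base before the delete/mkdirs/write sequence (needs `java.nio.file.Path` imported). A smaller point: `targetFile.getParentFile().mkdirs()` returns false both when the parent already exists and when creation failed, so a failure only surfaces later as the `FileOutputStream` IOException; checking `getParentFile().isDirectory()` after the call would give a clearer log line.

```java
public void uploadDid(String subContainer, byte[] content) {

    Path baseDirectory = Paths.get(configProperties.getDid().getLocalFile().getDirectory())
        .toAbsolutePath().normalize();
    String fileName = configProperties.getDid().getLocalFile().getFileName();
    Path targetPath = (subContainer == null
        ? baseDirectory.resolve(fileName)
        : baseDirectory.resolve(subContainer).resolve(fileName)).normalize();

    // Containment check: a sub-container must not escape the configured directory.
    if (!targetPath.startsWith(baseDirectory)) {
        log.error("Refusing to write DID file outside of configured directory.");
        return;
    }
    File targetFile = targetPath.toFile();

    // … unchanged: log, delete existing file, mkdirs, write content …
```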
@@ -0,0 +1,76 @@
+/*-
+ * ---license-start
+ * WorldHealthOrganization / tng-key-distribution
+ * ---
+ * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors
+ * ---
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ---license-end
+ */
+
+package tng.trustnetwork.keydistribution.service.did;
+
+import com.danubetech.keyformats.crypto.ByteSigner;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.Signature;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.CertificateException;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.stereotype.Service;
+import org.springframework.util.ResourceUtils;
+import tng.trustnetwork.keydistribution.config.KdsConfigProperties;
+
+@Service
+@ConditionalOnProperty(name = "dgc.did.didSigningProvider", havingValue = "local-keystore")
+public class LocalKeystoreByteSigner extends ByteSigner {
+
+ private final PrivateKey signingKey;
+
+ /**
+ * Initialize LocalKeyStoreByteSigner. Configured Key will be loaded.
+ */
+ public LocalKeystoreByteSigner(KdsConfigProperties kdsConfigProperties)
+ throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException,
+ UnrecoverableKeyException {
+
+ super("EC");
+
+ KeyStore keyStore = KeyStore.getInstance("JKS");
+
+ try (FileInputStream fileInputStream = new FileInputStream(
+ ResourceUtils.getFile(kdsConfigProperties.getDid().getLocalKeyStore().getPath()));
+ ) {
+ keyStore.load(fileInputStream, kdsConfigProperties.getDid().getLocalKeyStore().getPassword());
+ }
+
+ signingKey = (PrivateKey) keyStore.getKey(
+ kdsConfigProperties.getDid().getLocalKeyStore().getAlias(),
+ kdsConfigProperties.getDid().getLocalKeyStore().getPassword());
+
+ }
+
+ @Override
+ protected byte[] sign(byte[] content) throws GeneralSecurityException {
+
+ Signature signature = Signature.getInstance("SHA256withECDSA");
+ signature.initSign(signingKey);
+ signature.update(content);
+ return signature.sign();
+ }
+}
diff --git a/src/main/java/tng/trustnetwork/keydistribution/service/did/entity/DidTrustList.java b/src/main/java/tng/trustnetwork/keydistribution/service/did/entity/DidTrustList.java
new file mode 100644
index 0000000..34485ff
--- /dev/null
+++ b/src/main/java/tng/trustnetwork/keydistribution/service/did/entity/DidTrustList.java
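Review bot: The constructor casts the result of `keyStore.getKey(...)` straight to `PrivateKey` and stores it, but `getKey` returns null when the alias is not present in the keystore, so a misconfigured alias passes startup and only fails with a NullPointerException inside `sign` on the first trust-list generation. Fail fast right after the `getKey` call: `if (signingKey == null) { throw new UnrecoverableKeyException("No key found for alias " + kdsConfigProperties.getDid().getLocalKeyStore().getAlias()); }` — the exception type is already declared on the constructor. Two smaller points: the keystore type `"JKS"` and the algorithm `"SHA256withECDSA"` are hard-coded and the key type is only asserted through `super("EC")`, so a non-EC key at the alias would likewise fail late rather than at construction; and the same password is used for the keystore and the key entry, which is fine but should be stated in the configuration property's documentation.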
@@ -0,0 +1,41 @@
+/*-
+ * ---license-start
+ * WorldHealthOrganization / tng-key-distribution
+ * ---
+ * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors
+ * ---
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ---license-end
+ */
+
+package tng.trustnetwork.keydistribution.service.did.entity;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonPropertyOrder;
+import java.util.List;
+import lombok.Data;
+
+@Data
+@JsonPropertyOrder({"@context", "id", "controller", "verificationMethod"})
+public class DidTrustList {
+
+ @JsonProperty("@context")
+ private List context;
+
+ private String id;
+
+ private String controller;
+
+ private List verificationMethod;
+
+}
diff --git a/src/main/java/tng/trustnetwork/keydistribution/service/did/entity/DidTrustListEntry.java b/src/main/java/tng/trustnetwork/keydistribution/service/did/entity/DidTrustListEntry.java
new file mode 100644
index 0000000..8faa054
--- /dev/null
+++ b/src/main/java/tng/trustnetwork/keydistribution/service/did/entity/DidTrustListEntry.java
@@ -0,0 +1,121 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + +package tng.trustnetwork.keydistribution.service.did.entity; + +import com.fasterxml.jackson.annotation.JsonProperty; +import java.security.interfaces.ECPublicKey; +import java.security.interfaces.RSAPublicKey; +import java.util.ArrayList; +import java.util.Base64; +import java.util.List; +import lombok.Data; +import lombok.Getter; +import lombok.NoArgsConstructor; +import lombok.Setter; +import org.bouncycastle.jce.spec.ECNamedCurveSpec; + +@Data +public class DidTrustListEntry { + + private String id; + + private String type; + + private String controller; + + private PublicKeyJwk publicKeyJwk; + + @NoArgsConstructor + @Setter + @Getter + public abstract static class PublicKeyJwk { + @JsonProperty("kty") + private String keyType; + + @JsonProperty("x5c") + private List encodedX509Certificates; + + private PublicKeyJwk(String keyType, List encodedX509Certificates) { + this.keyType = keyType; + this.encodedX509Certificates = new ArrayList<>(encodedX509Certificates); + } + } + + @Getter + @Setter + public static class EcPublicKeyJwk extends PublicKeyJwk { + + @JsonProperty("crv") + private String curve; + + @JsonProperty("x") + private String valueX; + + @JsonProperty("y") + private String 
valueY; + + /** + * Instantiate EC PublicKey JWK Class. + * + * @param ecPublicKey EC Public Key that should be wrapped. + * @param base64EncodedCertificates List of Base64 encoded Certificates assigned to provided Public Key. + * They will be added within x5c property of JWK. + */ + public EcPublicKeyJwk(ECPublicKey ecPublicKey, List base64EncodedCertificates) { + super("EC", base64EncodedCertificates); + valueX = Base64.getEncoder().encodeToString(ecPublicKey.getW().getAffineX().toByteArray()); + valueY = Base64.getEncoder().encodeToString(ecPublicKey.getW().getAffineY().toByteArray()); + + ECNamedCurveSpec curveSpec = (ECNamedCurveSpec) ecPublicKey.getParams(); + switch (curveSpec.getName()) { + case "prime256v1" -> curve = "P-256"; + case "prime384v1" -> curve = "P-384"; + case "prime521v1" -> curve = "P-521"; + default -> curve = "UNKNOWN CURVE"; + } + } + } + + @Getter + @Setter + public static class RsaPublicKeyJwk extends PublicKeyJwk { + + @JsonProperty("e") + private String valueE; + + @JsonProperty("n") + private String valueN; + + /** + * Instantiate RSA PublicKey JWK Class. + * + * @param rsaPublicKey RSA Public Key that should be wrapped. + * @param base64EncodedCertificates List of Base64 encoded Certificates assigned to provided Public Key. + * They will be added within x5c property of JWK. + */ + public RsaPublicKeyJwk(RSAPublicKey rsaPublicKey, List base64EncodedCertificates) { + super("RSA", base64EncodedCertificates); + valueN = Base64.getEncoder().encodeToString(rsaPublicKey.getModulus().toByteArray()); + valueE = Base64.getEncoder().encodeToString(rsaPublicKey.getPublicExponent().toByteArray()); + } + } + +} diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml index 87b4c73..7da19cb 100644 --- a/src/main/resources/application.yml +++ b/src/main/resources/application.yml 
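Review bot: The JWK members in `EcPublicKeyJwk` and `RsaPublicKeyJwk` are produced with `Base64.getEncoder()` over `BigInteger.toByteArray()`, but RFC 7518 requires `x`, `y`, `n` and `e` to be base64url without padding, and for EC keys the coordinates must have exactly the curve's field size (32 bytes for P-256), whereas `toByteArray()` prepends a 0x00 sign byte when the high bit is set and emits fewer bytes when the value has leading zeros — strict JWK consumers will reject or mis-derive the key. A small helper that trims the sign byte or left-pads to the expected length and encodes with `Base64.getUrlEncoder().withoutPadding()` fixes both encodings (sketch below; it needs `java.math.BigInteger` imported). Separately, X9.62 defines `prime256v1` but not `prime384v1` or `prime521v1`; BouncyCastle names those curves `secp384r1`/`secp521r1`, so P-384 and P-521 keys would presumably fall through to `"UNKNOWN CURVE"` and produce an invalid JWK — a test with each curve would settle it, and the `default` branch should throw instead of emitting a placeholder. The `(ECNamedCurveSpec)` cast also throws ClassCastException for keys whose params are a plain `java.security.spec.ECParameterSpec`; if that is an accepted limitation, say so in the constructor Javadoc.

```java
// Unsigned big-endian value, sign-byte-trimmed or left-padded to `length` bytes,
// base64url without padding as RFC 7518 requires for JWK members.
private static String encodeUnsigned(BigInteger value, int length) {
    byte[] raw = value.toByteArray();
    byte[] fixed = new byte[length];
    int srcOffset = Math.max(0, raw.length - length);
    int copyLength = raw.length - srcOffset;
    System.arraycopy(raw, srcOffset, fixed, length - copyLength, copyLength);
    return Base64.getUrlEncoder().withoutPadding().encodeToString(fixed);
}

// EcPublicKeyJwk constructor: coordinates are fixed to the curve's field size.
int fieldSize = (ecPublicKey.getParams().getCurve().getField().getFieldSize() + 7) / 8;
valueX = encodeUnsigned(ecPublicKey.getW().getAffineX(), fieldSize);
valueY = encodeUnsigned(ecPublicKey.getW().getAffineY(), fieldSize);
// … unchanged: curve name mapping …

// RsaPublicKeyJwk constructor: minimal unsigned length.
BigInteger modulus = rsaPublicKey.getModulus();
BigInteger exponent = rsaPublicKey.getPublicExponent();
valueN = encodeUnsigned(modulus, (modulus.bitLength() + 7) / 8);
valueE = encodeUnsigned(exponent, (exponent.bitLength() + 7) / 8);
```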
@@ -63,9 +63,16 @@ dgc: enabled: true timeInterval: 1800000 lockLimit: 3600000 + static-trusted-issuer: + - name: WHO Trustlist (DEV) + country: WH + type: did + url: did:web:tng-cdn-dev.who.int:trustlist + signature: No-Signature # required because of DB restrictions + enable-trusted-issuer-resolving: false gateway: connector: - enabled: false + enabled: true endpoint: ${DGC_GATEWAY_CONNECTOR_ENDPOINT} proxy: enabled: false @@ -81,9 +88,26 @@ dgc: alias: ${DGC_GATEWAY_CONNECTOR_TRUSTANCHOR_ALIAS} password: ${DGC_GATEWAY_CONNECTOR_TRUSTANCHOR_PASSWORD} path: ${DGC_GATEWAY_CONNECTOR_TRUSTANCHOR_PATH} - static-trusted-issuer: - - name: WHO Trustlist (DEV) - country: WH - type: did - url: did:web:tng-cdn-dev.who.int:trustlist - signature: No-Signature # required because of DB restrictions + enable-ddcc-support: true + did: + cron: "0 0 2 * * *" + enableDidGeneration: true + didUploadProvider: local-file + localFile: + directory: ./did + file-name: did.json + didSigningProvider: dummy + ld-proof-verification-method: did:web:dummy.net + ld-proof-nonce: n0nc3 + did-id: did:web:abc + did-controller: did:web:def + trust-list-id-prefix: did:web:abc + trust-list-controller-prefix: did:web:abc + contextMapping: + "[https://www.w3.org/ns/did/v1]": did_v1.json + "[https://w3id.org/security/suites/jws-2020/v1]": jws-2020_v1.json + virtualCountries: + XA: XXA + XB: XXB + XO: XXO + XL: XCL diff --git a/src/main/resources/db/changelog/add-trusted-party-table.yaml b/src/main/resources/db/changelog/add-trusted-party-table.yaml index 236717a..c8ad7d0 100644 --- a/src/main/resources/db/changelog/add-trusted-party-table.yaml +++ b/src/main/resources/db/changelog/add-trusted-party-table.yaml @@ -9,6 +9,7 @@ databaseChangeLog: - column: name: id type: bigint + autoIncrement: true constraints: primaryKey: true nullable: false diff --git a/src/main/resources/did_contexts/did_v1.json b/src/main/resources/did_contexts/did_v1.json new file mode 100644 index 0000000..b447d01 --- /dev/null 
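Review bot: The new `did:` block in application.yml ships placeholder values as live defaults — `didSigningProvider: dummy`, `ld-proof-verification-method: did:web:dummy.net`, `ld-proof-nonce: n0nc3`, `did-id: did:web:abc`, `trust-list-id-prefix: did:web:abc` — while `enableDidGeneration: true` switches generation on, so a deployment that does not override every one of them generates and publishes a DID document built from these values. Leaving them without a default (unresolved `${...}` placeholders fail binding at startup, as the `gateway.connector` keys already do) or moving them into a dev profile would make a missing override loud instead of silent. As a point of style, the block mixes `camelCase` (`enableDidGeneration`, `didUploadProvider`, `localFile`, `contextMapping`, `virtualCountries`) and `kebab-case` (`file-name`, `ld-proof-nonce`, `did-id`, `trust-list-id-prefix`); Spring's relaxed binding accepts both, but one convention per file reads better. The bracketed, quoted `"[https://...]"` map keys are the right way to stop the binder from splitting the URLs on dots, so nothing to change there.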
+++ b/src/main/resources/did_contexts/did_v1.json @@ -0,0 +1,58 @@ +{ + "@context": { + "@protected": true, + "id": "@id", + "type": "@type", + + "alsoKnownAs": { + "@id": "https://www.w3.org/ns/activitystreams#alsoKnownAs", + "@type": "@id" + }, + "assertionMethod": { + "@id": "https://w3id.org/security#assertionMethod", + "@type": "@id", + "@container": "@set" + }, + "authentication": { + "@id": "https://w3id.org/security#authenticationMethod", + "@type": "@id", + "@container": "@set" + }, + "capabilityDelegation": { + "@id": "https://w3id.org/security#capabilityDelegationMethod", + "@type": "@id", + "@container": "@set" + }, + "capabilityInvocation": { + "@id": "https://w3id.org/security#capabilityInvocationMethod", + "@type": "@id", + "@container": "@set" + }, + "controller": { + "@id": "https://w3id.org/security#controller", + "@type": "@id" + }, + "keyAgreement": { + "@id": "https://w3id.org/security#keyAgreementMethod", + "@type": "@id", + "@container": "@set" + }, + "service": { + "@id": "https://www.w3.org/ns/did#service", + "@type": "@id", + "@context": { + "@protected": true, + "id": "@id", + "type": "@type", + "serviceEndpoint": { + "@id": "https://www.w3.org/ns/did#serviceEndpoint", + "@type": "@id" + } + } + }, + "verificationMethod": { + "@id": "https://w3id.org/security#verificationMethod", + "@type": "@id" + } + } +} diff --git a/src/main/resources/did_contexts/jws-2020_v1.json b/src/main/resources/did_contexts/jws-2020_v1.json new file mode 100644 index 0000000..17186cd --- /dev/null +++ b/src/main/resources/did_contexts/jws-2020_v1.json 
@@ -0,0 +1,82 @@ +{ + "@context": { + "privateKeyJwk": { + "@id": "https://w3id.org/security#privateKeyJwk", + "@type": "@json" + }, + "JsonWebKey2020": { + "@id": "https://w3id.org/security#JsonWebKey2020", + "@context": { + "@protected": true, + "id": "@id", + "type": "@type", + "publicKeyJwk": { + "@id": "https://w3id.org/security#publicKeyJwk", + "@type": "@json" + } + } + }, + "JsonWebSignature2020": { + "@id": "https://w3id.org/security#JsonWebSignature2020", + "@context": { + "@protected": true, + + "id": "@id", + "type": "@type", + + "challenge": "https://w3id.org/security#challenge", + "created": { + "@id": "http://purl.org/dc/terms/created", + "@type": "http://www.w3.org/2001/XMLSchema#dateTime" + }, + "domain": "https://w3id.org/security#domain", + "expires": { + "@id": "https://w3id.org/security#expiration", + "@type": "http://www.w3.org/2001/XMLSchema#dateTime" + }, + "jws": "https://w3id.org/security#jws", + "nonce": "https://w3id.org/security#nonce", + "proofPurpose": { + "@id": "https://w3id.org/security#proofPurpose", + "@type": "@vocab", + "@context": { + "@protected": true, + + "id": "@id", + "type": "@type", + + "assertionMethod": { + "@id": "https://w3id.org/security#assertionMethod", + "@type": "@id", + "@container": "@set" + }, + "authentication": { + "@id": "https://w3id.org/security#authenticationMethod", + "@type": "@id", + "@container": "@set" + }, + "capabilityInvocation": { + "@id": "https://w3id.org/security#capabilityInvocationMethod", + "@type": "@id", + "@container": "@set" + }, + "capabilityDelegation": { + "@id": "https://w3id.org/security#capabilityDelegationMethod", + "@type": "@id", + "@container": "@set" + }, + "keyAgreement": { + "@id": "https://w3id.org/security#keyAgreementMethod", + "@type": "@id", + "@container": "@set" + } + } + }, + "verificationMethod": { + "@id": "https://w3id.org/security#verificationMethod", + "@type": "@id" + } + } + } + } +} 
diff --git a/src/test/java/tng/trustnetwork/keydistribution/OpenApiTest.java b/src/test/java/tng/trustnetwork/keydistribution/OpenApiTest.java index ddeac81..7b96ef4 100644 --- a/src/test/java/tng/trustnetwork/keydistribution/OpenApiTest.java +++ b/src/test/java/tng/trustnetwork/keydistribution/OpenApiTest.java @@ -1,3 +1,23 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + package tng.trustnetwork.keydistribution; import eu.europa.ec.dgc.gateway.connector.DgcGatewayDownloadConnector; diff --git a/src/test/java/tng/trustnetwork/keydistribution/restapi/controller/ContextControllerIntegrationTest.java b/src/test/java/tng/trustnetwork/keydistribution/restapi/controller/ContextControllerIntegrationTest.java index 2909d61..23c4245 100644 --- a/src/test/java/tng/trustnetwork/keydistribution/restapi/controller/ContextControllerIntegrationTest.java +++ b/src/test/java/tng/trustnetwork/keydistribution/restapi/controller/ContextControllerIntegrationTest.java 
@@ -1,8 +1,29 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + package tng.trustnetwork.keydistribution.restapi.controller; import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; + import java.io.IOException; import java.io.UnsupportedEncodingException; import java.nio.charset.StandardCharsets; diff --git a/src/test/java/tng/trustnetwork/keydistribution/restapi/controller/ContextControllerWithEnvironmentIntegrationTest.java b/src/test/java/tng/trustnetwork/keydistribution/restapi/controller/ContextControllerWithEnvironmentIntegrationTest.java index f1c2f8f..e3b0ec7 100644 --- a/src/test/java/tng/trustnetwork/keydistribution/restapi/controller/ContextControllerWithEnvironmentIntegrationTest.java +++ b/src/test/java/tng/trustnetwork/keydistribution/restapi/controller/ContextControllerWithEnvironmentIntegrationTest.java 
@@ -1,8 +1,29 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + package tng.trustnetwork.keydistribution.restapi.controller; import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; + import org.junit.jupiter.api.Test; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc; diff --git a/src/test/java/tng/trustnetwork/keydistribution/restapi/controller/SignerInformationIntegrationTest.java b/src/test/java/tng/trustnetwork/keydistribution/restapi/controller/SignerInformationIntegrationTest.java index 13d566a..7f79e08 100644 --- a/src/test/java/tng/trustnetwork/keydistribution/restapi/controller/SignerInformationIntegrationTest.java +++ b/src/test/java/tng/trustnetwork/keydistribution/restapi/controller/SignerInformationIntegrationTest.java 
@@ -2,7 +2,7 @@ * ---license-start * WorldHealthOrganization / tng-key-distribution * --- - * Copyright (C) 2021 T-Systems International GmbH and all other contributors + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors * --- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -20,8 +20,12 @@ package tng.trustnetwork.keydistribution.restapi.controller; -import tng.trustnetwork.keydistribution.repository.SignerInformationRepository; -import tng.trustnetwork.keydistribution.testdata.SignerInformationTestHelper; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; + import java.io.UnsupportedEncodingException; import java.time.ZonedDateTime; import org.junit.jupiter.api.Assertions; 
@@ -33,11 +37,8 @@ import org.springframework.http.MediaType; import org.springframework.test.web.servlet.MockMvc; import org.springframework.test.web.servlet.MvcResult; -import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; -import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content; -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header; -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; +import tng.trustnetwork.keydistribution.repository.SignerInformationRepository; +import tng.trustnetwork.keydistribution.testdata.SignerInformationTestHelper; @SpringBootTest @AutoConfigureMockMvc diff --git a/src/test/java/tng/trustnetwork/keydistribution/restapi/controller/TrustedIssuerIntegrationTest.java b/src/test/java/tng/trustnetwork/keydistribution/restapi/controller/TrustedIssuerIntegrationTest.java index ecf101d..a7e2fbb 100644 --- a/src/test/java/tng/trustnetwork/keydistribution/restapi/controller/TrustedIssuerIntegrationTest.java +++ b/src/test/java/tng/trustnetwork/keydistribution/restapi/controller/TrustedIssuerIntegrationTest.java @@ -2,7 +2,7 @@ * ---license-start * WorldHealthOrganization / tng-key-distribution * --- - * Copyright (C) 2021 T-Systems International GmbH and all other contributors + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors * --- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -24,6 +24,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; + import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; import org.springframework.beans.factory.annotation.Autowired; diff --git a/src/test/java/tng/trustnetwork/keydistribution/service/DecentralizedIdentifierServiceTest.java b/src/test/java/tng/trustnetwork/keydistribution/service/DecentralizedIdentifierServiceTest.java index aa2d4a7..007711e 100644 --- a/src/test/java/tng/trustnetwork/keydistribution/service/DecentralizedIdentifierServiceTest.java +++ b/src/test/java/tng/trustnetwork/keydistribution/service/DecentralizedIdentifierServiceTest.java @@ -1,3 +1,23 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + package tng.trustnetwork.keydistribution.service; import com.fasterxml.jackson.core.JsonProcessingException; diff --git a/src/test/java/tng/trustnetwork/keydistribution/service/DidTrustListServiceTest.java b/src/test/java/tng/trustnetwork/keydistribution/service/DidTrustListServiceTest.java new file mode 100644 index 0000000..dafb7bc --- /dev/null 
+++ b/src/test/java/tng/trustnetwork/keydistribution/service/DidTrustListServiceTest.java 
@@ -0,0 +1,282 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + +package tng.trustnetwork.keydistribution.service; + +import static org.mockito.Mockito.doNothing; + +import com.fasterxml.jackson.databind.ObjectMapper; +import eu.europa.ec.dgc.gateway.connector.DgcGatewayDownloadConnector; +import eu.europa.ec.dgc.utils.CertificateUtils; +import foundation.identity.jsonld.JsonLDObject; +import java.math.BigInteger; +import java.net.URLEncoder; +import java.nio.charset.StandardCharsets; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.cert.CertificateEncodingException; +import java.security.cert.X509Certificate; +import java.security.interfaces.ECPublicKey; +import java.security.interfaces.RSAPublicKey; +import java.time.Instant; +import java.time.ZonedDateTime; +import java.util.ArrayList; +import java.util.Base64; +import java.util.LinkedHashMap; +import java.util.List; +import lombok.Data; +import lombok.Getter; +import lombok.Setter; +import org.junit.jupiter.api.AfterEach; +import org.junit.jupiter.api.Assertions; +import org.junit.jupiter.params.ParameterizedTest; +import org.junit.jupiter.params.provider.ValueSource; +import org.mockito.ArgumentCaptor; +import 
org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.context.SpringBootTest; +import org.springframework.boot.test.mock.mockito.MockBean; +import tng.trustnetwork.keydistribution.entity.SignerInformationEntity; +import tng.trustnetwork.keydistribution.entity.TrustedPartyEntity; +import tng.trustnetwork.keydistribution.repository.SignerInformationRepository; +import tng.trustnetwork.keydistribution.repository.TrustedIssuerRepository; +import tng.trustnetwork.keydistribution.repository.TrustedPartyRepository; +import tng.trustnetwork.keydistribution.service.did.DidTrustListService; +import tng.trustnetwork.keydistribution.service.did.DidUploader; +import tng.trustnetwork.keydistribution.service.did.entity.DidTrustList; +import tng.trustnetwork.keydistribution.testdata.CertificateTestUtils; +import tng.trustnetwork.keydistribution.testdata.TrustedIssuerTestHelper; + +@SpringBootTest +public class DidTrustListServiceTest { + + @Autowired + ObjectMapper objectMapper; + + @Autowired + DidTrustListService didTrustListService; + + @Autowired + SignerInformationRepository signerInformationRepository; + + @Autowired + TrustedPartyRepository trustedPartyRepository; + + @Autowired + CertificateUtils certificateUtils; + + @Autowired + TrustedIssuerRepository trustedIssuerRepository; + + @Autowired + TrustedIssuerTestHelper trustedIssuerTestHelper; + + @MockBean + DidUploader didUploaderMock; + + @MockBean + DgcGatewayDownloadConnector dgcGatewayDownloadConnector; + + X509Certificate certCscaDe, certCscaEu, certDscDe, certDscEu; + + String certDscDeKid, certDscEuKid; + + + @AfterEach + public void cleanUp() { + + trustedPartyRepository.deleteAll(); + signerInformationRepository.deleteAll(); + trustedIssuerRepository.deleteAll(); + } + + void testData(CertificateTestUtils.SignerType signerType) throws Exception { + cleanUp(); + + KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(signerType.getSigningAlgorithm()); + + KeyPair 
cscaDeKeyPair = keyPairGenerator.generateKeyPair(); + certCscaDe = CertificateTestUtils.generateCertificate(cscaDeKeyPair, "DE", "Test", signerType); + KeyPair cscaEuKeyPair = keyPairGenerator.generateKeyPair(); + certCscaEu = CertificateTestUtils.generateCertificate(cscaEuKeyPair, "EU", "Test", signerType); + + certDscDe = CertificateTestUtils.generateCertificate(keyPairGenerator.generateKeyPair(), "DE", + "Test", certCscaDe, cscaDeKeyPair.getPrivate(), signerType); + certDscDeKid = certificateUtils.getCertKid(certDscDe); + + certDscEu = CertificateTestUtils.generateCertificate(keyPairGenerator.generateKeyPair(), "EU", + "Test", certCscaEu, cscaEuKeyPair.getPrivate(), signerType); + certDscEuKid = certificateUtils.getCertKid(certDscEu); + + trustedPartyRepository.save(new TrustedPartyEntity( + null, + Base64.getEncoder().encodeToString(certCscaDe.getEncoded()), + "DE", + certificateUtils.getCertThumbprint(certCscaDe), + TrustedPartyEntity.Type.CSCA + )); + + trustedPartyRepository.save(new TrustedPartyEntity( + null, + Base64.getEncoder().encodeToString(certCscaEu.getEncoded()), + "EU", + certificateUtils.getCertThumbprint(certCscaEu), + TrustedPartyEntity.Type.CSCA + )); + + signerInformationRepository.save(new SignerInformationEntity( + null, + certDscDeKid, + ZonedDateTime.now(), + Base64.getEncoder().encodeToString(certDscDe.getEncoded()), + "DE", + certificateUtils.getCertThumbprint(certDscDe), + ZonedDateTime.now(), + false + )); + + signerInformationRepository.save(new SignerInformationEntity( + null, + certDscEuKid, + ZonedDateTime.now(), + Base64.getEncoder().encodeToString(certDscEu.getEncoded()), + "EU", + certificateUtils.getCertThumbprint(certDscEu), + ZonedDateTime.now(), + false + )); + + trustedIssuerRepository.save(trustedIssuerTestHelper.createTrustedIssuer("DE")); + trustedIssuerRepository.save(trustedIssuerTestHelper.createTrustedIssuer("EU")); + trustedIssuerRepository.save(trustedIssuerTestHelper.createTrustedIssuer("XY")); + } + + 
@ParameterizedTest + @ValueSource(booleans = {true, false}) + void testTrustList(boolean isEcAlgorithm) throws Exception { + if (isEcAlgorithm) { + testData(CertificateTestUtils.SignerType.EC); + } else { + testData(CertificateTestUtils.SignerType.RSA); + } + ArgumentCaptor uploadArgumentCaptor = ArgumentCaptor.forClass(byte[].class); + doNothing().when(didUploaderMock).uploadDid(uploadArgumentCaptor.capture()); + + didTrustListService.job(); + + SignedDidTrustList parsed = + objectMapper.readValue(uploadArgumentCaptor.getValue(), SignedDidTrustList.class); + + Assertions.assertEquals("did:web:abc", parsed.getId()); + Assertions.assertEquals("did:web:def", parsed.getController()); + Assertions.assertEquals(5, parsed.getVerificationMethod().size()); + + assertVerificationMethod(getVerificationMethodByKid(parsed.getVerificationMethod(), "did:web:abc:deu#" + URLEncoder.encode(certDscDeKid, StandardCharsets.UTF_8)), + certDscDeKid, certDscDe, certCscaDe, "deu"); + assertVerificationMethod(getVerificationMethodByKid(parsed.getVerificationMethod(), "did:web:abc:xeu#" + URLEncoder.encode(certDscEuKid, StandardCharsets.UTF_8)), + certDscEuKid, certDscEu, certCscaEu, "xeu"); + + Assertions.assertTrue(parsed.getVerificationMethod().contains("did:trusted:DE:issuer")); + Assertions.assertTrue(parsed.getVerificationMethod().contains("did:trusted:EU:issuer")); + Assertions.assertTrue(parsed.getVerificationMethod().contains("did:trusted:XY:issuer")); + Assertions.assertEquals(2, parsed.getContext().size()); + Assertions.assertEquals("JsonWebSignature2020", parsed.getProof().getType()); + Assertions.assertTrue( + Instant.now().toEpochMilli() - parsed.getProof().getCreated().toInstant().toEpochMilli() < 10000); + Assertions.assertEquals("d0m4in", parsed.getProof().getDomain()); + Assertions.assertEquals("n0nc3", parsed.getProof().getNonce()); + Assertions.assertEquals("assertionMethod", parsed.getProof().getProofPurpose()); + Assertions.assertEquals("did:web:dummy.net", 
parsed.getProof().getVerificationMethod()); + Assertions.assertNotNull(parsed.getProof().getJws()); + Assertions.assertNotEquals("", parsed.getProof().getJws()); + + //JSON should start with "@context" due to https://www.w3.org/TR/json-ld11-streaming/#key-ordering-required + String json = JsonLDObject.fromJson(objectMapper.writeValueAsString(parsed)).toJson(); + String first10Characters = json.substring(0, Math.min(10, json.length())); + Assertions.assertTrue(first10Characters.contains("@context")); + } + + + private Object getVerificationMethodByKid(List verificationMethods, String kid) { + return verificationMethods.stream() + .filter(entry -> entry instanceof LinkedHashMap) + .map(entry -> (LinkedHashMap) entry) + .filter(entry -> entry.get("id").equals(kid)) + .findFirst() + .orElseGet(() -> Assertions.fail("Could not find VerificationMethod with KID " + kid)); + } + + private void assertVerificationMethod(Object in, String kid, X509Certificate dsc, X509Certificate csca, String country) + throws CertificateEncodingException { + LinkedHashMap jsonNode = (LinkedHashMap) in; + Assertions.assertEquals("JsonWebKey2020", jsonNode.get("type")); + Assertions.assertEquals("did:web:abc:" + country, jsonNode.get("controller")); + Assertions.assertEquals("did:web:abc:" + country + "#" + URLEncoder.encode(kid, StandardCharsets.UTF_8), jsonNode.get("id")); + + LinkedHashMap publicKeyJwk = (LinkedHashMap) jsonNode.get("publicKeyJwk"); + + if (dsc.getPublicKey().getAlgorithm().equals(CertificateTestUtils.SignerType.EC.getSigningAlgorithm())) { + Assertions.assertEquals(((ECPublicKey) dsc.getPublicKey()).getW().getAffineX(), + new BigInteger(Base64.getDecoder().decode(publicKeyJwk.get("x").toString()))); + Assertions.assertEquals(((ECPublicKey) dsc.getPublicKey()).getW().getAffineY(), + new BigInteger(Base64.getDecoder().decode(publicKeyJwk.get("y").toString()))); + Assertions.assertEquals(CertificateTestUtils.SignerType.EC.getSigningAlgorithm(), + 
publicKeyJwk.get("kty").toString()); + Assertions.assertEquals("P-256", publicKeyJwk.get("crv").toString()); + } else { + Assertions.assertEquals(((RSAPublicKey) dsc.getPublicKey()).getPublicExponent(), + new BigInteger(Base64.getDecoder().decode(publicKeyJwk.get("e").toString()))); + Assertions.assertEquals(((RSAPublicKey) dsc.getPublicKey()).getModulus(), + new BigInteger(Base64.getDecoder().decode(publicKeyJwk.get("n").toString()))); + Assertions.assertEquals(CertificateTestUtils.SignerType.RSA.getSigningAlgorithm(), + publicKeyJwk.get("kty").toString()); + } + ArrayList x5c = ((ArrayList) publicKeyJwk.get("x5c")); + Assertions.assertEquals(Base64.getEncoder().encodeToString(dsc.getEncoded()), x5c.get(0)); + if (csca != null) { + Assertions.assertEquals(Base64.getEncoder().encodeToString(csca.getEncoded()), x5c.get(1)); + } + } + + @Getter + @Setter + public static class SignedDidTrustList extends DidTrustList { + + private LDProof proof; + + @Data + private static class LDProof { + + private String type; + + private ZonedDateTime created; + + private String verificationMethod; + + private String proofPurpose; + + private String jws; + + private String domain; + + private String nonce; + + } + } +} diff --git a/src/test/java/tng/trustnetwork/keydistribution/service/InfoServiceTest.java b/src/test/java/tng/trustnetwork/keydistribution/service/InfoServiceTest.java index 77eabde..b7a07ba 100644 --- a/src/test/java/tng/trustnetwork/keydistribution/service/InfoServiceTest.java +++ b/src/test/java/tng/trustnetwork/keydistribution/service/InfoServiceTest.java @@ -2,7 +2,7 @@ * ---license-start * WorldHealthOrganization / tng-key-distribution * --- - * Copyright (C) 2021 T-Systems International GmbH and all other contributors + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors * --- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
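Review bot: In assertVerificationMethod the EC and RSA checks build the expected value with `new BigInteger(Base64.getDecoder().decode(...))`, which reads the bytes as two's complement, so a JWK `x`, `y`, `n` or `e` whose first byte has the high bit set decodes to a negative number and the comparison with the key's affine coordinate or modulus fails; for a 2048-bit RSA modulus the top bit is always set, so the RSA branch can only pass if the service emits a sign-padded `n`, which RFC 7518 does not allow. Use the magnitude constructor in all four places, e.g. `new BigInteger(1, Base64.getDecoder().decode(publicKeyJwk.get("x").toString()))`, which is correct for both encodings and would also expose a non-compliant producer. RFC 7517 specifies base64url for these members; if the service emits that encoding, `Base64.getDecoder()` rejects `-`/`_` and `Base64.getUrlDecoder()` is the matching decoder, which is worth confirming against the producer. Separately, `getVerificationMethodByKid` calls `entry.get("id").equals(kid)`, which throws NullPointerException instead of a readable failure when an entry has no `id`; `kid.equals(entry.get("id"))` avoids that.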
@@ -20,6 +20,7 @@ package tng.trustnetwork.keydistribution.service; +import eu.europa.ec.dgc.gateway.connector.DgcGatewayDownloadConnector; import java.util.List; import org.junit.jupiter.api.Assertions; import org.junit.jupiter.api.BeforeEach; @@ -27,7 +28,6 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.context.SpringBootTest; import org.springframework.boot.test.mock.mockito.MockBean; -import eu.europa.ec.dgc.gateway.connector.DgcGatewayDownloadConnector; import tng.trustnetwork.keydistribution.entity.InfoEntity; import tng.trustnetwork.keydistribution.repository.InfoRepository; diff --git a/src/test/java/tng/trustnetwork/keydistribution/service/SignerCertificateDownloadServiceTest.java b/src/test/java/tng/trustnetwork/keydistribution/service/SignerCertificateDownloadServiceTest.java index 97ee85c..a2d6dde 100644 --- a/src/test/java/tng/trustnetwork/keydistribution/service/SignerCertificateDownloadServiceTest.java +++ b/src/test/java/tng/trustnetwork/keydistribution/service/SignerCertificateDownloadServiceTest.java 
@@ -1,10 +1,27 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + package tng.trustnetwork.keydistribution.service; import eu.europa.ec.dgc.gateway.connector.DgcGatewayDownloadConnector; import eu.europa.ec.dgc.gateway.connector.model.TrustListItem; -import tng.trustnetwork.keydistribution.entity.SignerInformationEntity; -import tng.trustnetwork.keydistribution.repository.SignerInformationRepository; -import tng.trustnetwork.keydistribution.testdata.SignerInformationTestHelper; import java.util.ArrayList; import java.util.List; import org.junit.jupiter.api.Assertions; @@ -13,6 +30,9 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.context.SpringBootTest; import org.springframework.boot.test.mock.mockito.MockBean; +import tng.trustnetwork.keydistribution.entity.SignerInformationEntity; +import tng.trustnetwork.keydistribution.repository.SignerInformationRepository; +import tng.trustnetwork.keydistribution.testdata.SignerInformationTestHelper; @SpringBootTest class SignerCertificateDownloadServiceTest { 
diff --git a/src/test/java/tng/trustnetwork/keydistribution/service/SignerInformationServiceTest.java b/src/test/java/tng/trustnetwork/keydistribution/service/SignerInformationServiceTest.java index dcaab27..7a6d356 100644 --- a/src/test/java/tng/trustnetwork/keydistribution/service/SignerInformationServiceTest.java +++ b/src/test/java/tng/trustnetwork/keydistribution/service/SignerInformationServiceTest.java @@ -2,7 +2,7 @@ * ---license-start * WorldHealthOrganization / tng-key-distribution * --- - * Copyright (C) 2021 T-Systems International GmbH and all other contributors + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors * --- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/src/test/java/tng/trustnetwork/keydistribution/service/TrustedIssuerDownloadServiceTest.java b/src/test/java/tng/trustnetwork/keydistribution/service/TrustedIssuerDownloadServiceTest.java index 74c3242..5cd8a11 100644 --- a/src/test/java/tng/trustnetwork/keydistribution/service/TrustedIssuerDownloadServiceTest.java +++ b/src/test/java/tng/trustnetwork/keydistribution/service/TrustedIssuerDownloadServiceTest.java 
@@ -1,5 +1,28 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + package tng.trustnetwork.keydistribution.service; +import eu.europa.ec.dgc.gateway.connector.DgcGatewayDownloadConnector; +import eu.europa.ec.dgc.gateway.connector.DgcGatewayTrustedIssuerDownloadConnector; +import eu.europa.ec.dgc.gateway.connector.model.TrustedIssuer; import java.util.ArrayList; import java.util.List; import org.junit.jupiter.api.Assertions; @@ -9,9 +32,6 @@ import org.springframework.boot.test.context.SpringBootTest; import org.springframework.boot.test.mock.mockito.MockBean; import org.springframework.test.context.TestPropertySource; -import eu.europa.ec.dgc.gateway.connector.DgcGatewayDownloadConnector; -import eu.europa.ec.dgc.gateway.connector.DgcGatewayTrustedIssuerDownloadConnector; -import eu.europa.ec.dgc.gateway.connector.model.TrustedIssuer; import tng.trustnetwork.keydistribution.entity.TrustedIssuerEntity; import tng.trustnetwork.keydistribution.repository.TrustedIssuerRepository; import tng.trustnetwork.keydistribution.testdata.TrustedIssuerTestHelper; diff --git a/src/test/java/tng/trustnetwork/keydistribution/service/TrustedPartyServiceTest.java b/src/test/java/tng/trustnetwork/keydistribution/service/TrustedPartyServiceTest.java index 254bac9..b2fcc8c 100644 
--- a/src/test/java/tng/trustnetwork/keydistribution/service/TrustedPartyServiceTest.java +++ b/src/test/java/tng/trustnetwork/keydistribution/service/TrustedPartyServiceTest.java @@ -2,7 +2,7 @@ * ---license-start * WorldHealthOrganization / tng-key-distribution * --- - * Copyright (C) 2021 T-Systems International GmbH and all other contributors + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors * --- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -20,9 +20,9 @@ package tng.trustnetwork.keydistribution.service; -import java.util.List; import eu.europa.ec.dgc.gateway.connector.DgcGatewayDownloadConnector; import eu.europa.ec.dgc.gateway.connector.model.TrustListItem; +import java.util.List; import org.junit.jupiter.api.Assertions; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; @@ -52,9 +52,6 @@ void clearRepositoryData() { @Test void testUpdateCsca() { - // Check DB is empty and create a dummy entity which will be deleted - Assertions.assertEquals(0, trustedPartyRepository.count()); - trustedPartyRepository.save(TrustedPartyEntity.builder() .thumbprint("thumbprint_old") .country("CO") 
@@ -95,4 +92,22 @@ void testUpdateCsca() { } + @Test + void testGetCscaByCountry() { + + TrustedPartyEntity tp1 = trustedPartyRepository.save(new TrustedPartyEntity(null, "", "C1", "t1", TrustedPartyEntity.Type.CSCA)); + TrustedPartyEntity tp2 = trustedPartyRepository.save(new TrustedPartyEntity(null, "", "C1", "t2", TrustedPartyEntity.Type.CSCA)); + TrustedPartyEntity tp3 = trustedPartyRepository.save(new TrustedPartyEntity(null, "", "C2", "t3", TrustedPartyEntity.Type.CSCA)); + TrustedPartyEntity tp4 = trustedPartyRepository.save(new TrustedPartyEntity(null, "", "C2", "t4", TrustedPartyEntity.Type.CSCA)); + + trustedPartyRepository.saveAll(List.of(tp1, tp2, tp3, tp4)); + + TrustedPartyEntity[] c1tp = trustedPartyService.getCscaByCountry("C1").toArray(new TrustedPartyEntity[2]); + TrustedPartyEntity[] c2tp = trustedPartyService.getCscaByCountry("C2").toArray(new TrustedPartyEntity[2]); + + Assertions.assertArrayEquals(c1tp, new TrustedPartyEntity[] { tp1, tp2 }); + Assertions.assertArrayEquals(c2tp, new TrustedPartyEntity[] { tp3, tp4 }); + + } + } diff --git a/src/test/java/tng/trustnetwork/keydistribution/service/UniversalResolverServiceTest.java b/src/test/java/tng/trustnetwork/keydistribution/service/UniversalResolverServiceTest.java index 32552ee..f177628 100644 --- a/src/test/java/tng/trustnetwork/keydistribution/service/UniversalResolverServiceTest.java +++ b/src/test/java/tng/trustnetwork/keydistribution/service/UniversalResolverServiceTest.java 
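Review bot: testGetCscaByCountry passes the actual arrays first and the expected literals second to `Assertions.assertArrayEquals`, whose parameter order is `(expected, actual)`, so a failure message reports the values swapped; `Assertions.assertArrayEquals(new TrustedPartyEntity[] { tp1, tp2 }, c1tp);` (and the same for `c2tp`) fixes that. The `saveAll(List.of(tp1, tp2, tp3, tp4))` call re-persists entities that the four `save` calls above it already stored and can be dropped. `assertArrayEquals` is order-sensitive, so the test also pins the order in which `getCscaByCountry` returns rows; unless that query carries an explicit ORDER BY (not visible here), comparing as sets or sorting by thumbprint first would make the assertion stable. The enclosing class closes inside the hunk.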
@@ -1,3 +1,23 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + package tng.trustnetwork.keydistribution.service; import static org.mockito.Mockito.when; diff --git a/src/test/java/tng/trustnetwork/keydistribution/testdata/CertificateTestUtils.java b/src/test/java/tng/trustnetwork/keydistribution/testdata/CertificateTestUtils.java new file mode 100644 index 0000000..5673394 --- /dev/null +++ b/src/test/java/tng/trustnetwork/keydistribution/testdata/CertificateTestUtils.java 
@@ -0,0 +1,178 @@ +/*- + * ---license-start + * WorldHealthOrganization / tng-key-distribution + * --- + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors + * --- + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ---license-end + */ + +package tng.trustnetwork.keydistribution.testdata; + +import com.fasterxml.jackson.databind.node.JsonNodeFactory; +import eu.europa.ec.dgc.gateway.connector.model.ValidationRule; +import java.math.BigInteger; +import java.security.KeyPair; +import java.security.PrivateKey; +import java.security.cert.X509Certificate; +import java.time.Instant; +import java.time.ZonedDateTime; +import java.time.temporal.ChronoUnit; +import java.util.Date; +import java.util.List; +import lombok.AccessLevel; +import lombok.Getter; +import lombok.RequiredArgsConstructor; +import org.bouncycastle.asn1.x500.X500Name; +import org.bouncycastle.asn1.x500.X500NameBuilder; +import org.bouncycastle.asn1.x509.BasicConstraints; +import org.bouncycastle.asn1.x509.Extension; +import org.bouncycastle.asn1.x509.X509ObjectIdentifiers; +import org.bouncycastle.cert.X509CertificateHolder; +import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; +import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder; +import org.bouncycastle.operator.ContentSigner; +import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; +import org.junit.jupiter.api.Assertions; + +public class CertificateTestUtils { + + public static 
ValidationRule getDummyValidationRule() { + ValidationRule validationRule = new ValidationRule(); + + JsonNodeFactory jsonNodeFactory = JsonNodeFactory.instance; + + validationRule.setLogic(jsonNodeFactory.objectNode().set("field1", jsonNodeFactory.textNode("value1"))); + validationRule.setValidTo(ZonedDateTime.now().plus(1, ChronoUnit.WEEKS)); + validationRule.setValidFrom(ZonedDateTime.now().plus(3, ChronoUnit.DAYS)); + validationRule.setCertificateType("General"); + validationRule.setDescription(List.of(new ValidationRule.DescriptionItem("en", "de".repeat(10)))); + validationRule.setEngine("CERTLOGIC"); + validationRule.setEngineVersion("1.0.0"); + validationRule.setVersion("1.0.0"); + validationRule.setAffectedFields(List.of("AB", "DE")); + validationRule.setRegion("BW"); + validationRule.setSchemaVersion("1.0.0"); + validationRule.setType("Acceptance"); + validationRule.setIdentifier("GR-EU-0001"); + validationRule.setCountry("EU"); + + return validationRule; + } + + public static X509Certificate generateCertificate(KeyPair keyPair, String country, String commonName) + throws Exception { + Date validFrom = Date.from(Instant.now().minus(1, ChronoUnit.DAYS)); + Date validTo = Date.from(Instant.now().plus(365, ChronoUnit.DAYS)); + + return generateCertificate(keyPair, country, commonName, validFrom, validTo, SignerType.EC); + } + + public static X509Certificate generateCertificate(KeyPair keyPair, String country, String commonName, + SignerType signerType) throws Exception { + Date validFrom = Date.from(Instant.now().minus(1, ChronoUnit.DAYS)); + Date validTo = Date.from(Instant.now().plus(365, ChronoUnit.DAYS)); + + return generateCertificate(keyPair, country, commonName, validFrom, validTo, signerType); + } + + public static X509Certificate generateCertificate(KeyPair keyPair, String country, String commonName, + X509Certificate ca, PrivateKey caKey) throws Exception { + Date validFrom = Date.from(Instant.now().minus(1, ChronoUnit.DAYS)); + Date validTo = 
Date.from(Instant.now().plus(365, ChronoUnit.DAYS)); + + return generateCertificate(keyPair, country, commonName, validFrom, validTo, ca, caKey, SignerType.EC); + } + + public static X509Certificate generateCertificate(KeyPair keyPair, String country, String commonName, + X509Certificate ca, PrivateKey caKey, + SignerType signerType) throws Exception { + Date validFrom = Date.from(Instant.now().minus(1, ChronoUnit.DAYS)); + Date validTo = Date.from(Instant.now().plus(365, ChronoUnit.DAYS)); + + return generateCertificate(keyPair, country, commonName, validFrom, validTo, ca, caKey, signerType); + } + + public static X509Certificate generateCertificate(KeyPair keyPair, String country, String commonName, + Date validFrom, Date validTo, + SignerType signerType) throws Exception { + X500Name subject = new X500NameBuilder() + .addRDN(X509ObjectIdentifiers.countryName, country) + .addRDN(X509ObjectIdentifiers.commonName, commonName) + .build(); + + BigInteger certSerial = new BigInteger(Long.toString(System.currentTimeMillis())); + + ContentSigner contentSigner = new JcaContentSignerBuilder(signerType.signingMethod).build(keyPair.getPrivate()); + + JcaX509v3CertificateBuilder certBuilder = + new JcaX509v3CertificateBuilder(subject, certSerial, validFrom, validTo, subject, keyPair.getPublic()); + + BasicConstraints basicConstraints = new BasicConstraints(false); + certBuilder.addExtension(Extension.basicConstraints, true, basicConstraints); + + return new JcaX509CertificateConverter().getCertificate(certBuilder.build(contentSigner)); + } + + public static X509Certificate generateCertificate(KeyPair keyPair, String country, String commonName, + Date validFrom, Date validTo, X509Certificate ca, + PrivateKey caKey, SignerType signerType) throws Exception { + X500Name subject = new X500NameBuilder() + .addRDN(X509ObjectIdentifiers.countryName, country) + .addRDN(X509ObjectIdentifiers.commonName, commonName) + .build(); + + X500Name issuer = new 
X509CertificateHolder(ca.getEncoded()).getSubject(); + + BigInteger certSerial = new BigInteger(Long.toString(System.currentTimeMillis())); + + ContentSigner contentSigner = new JcaContentSignerBuilder(signerType.signingMethod).build(caKey); + + JcaX509v3CertificateBuilder certBuilder = + new JcaX509v3CertificateBuilder(issuer, certSerial, validFrom, validTo, subject, keyPair.getPublic()); + + BasicConstraints basicConstraints = new BasicConstraints(false); + certBuilder.addExtension(Extension.basicConstraints, true, basicConstraints); + + return new JcaX509CertificateConverter().getCertificate(certBuilder.build(contentSigner)); + } + + public static void assertEquals(ValidationRule v1, ValidationRule v2) { + Assertions.assertEquals(v1.getIdentifier(), v2.getIdentifier()); + Assertions.assertEquals(v1.getType(), v2.getType()); + Assertions.assertEquals(v1.getCountry(), v2.getCountry()); + Assertions.assertEquals(v1.getRegion(), v2.getRegion()); + Assertions.assertEquals(v1.getVersion(), v2.getVersion()); + Assertions.assertEquals(v1.getSchemaVersion(), v2.getSchemaVersion()); + Assertions.assertEquals(v1.getEngine(), v2.getEngine()); + Assertions.assertEquals(v1.getEngineVersion(), v2.getEngineVersion()); + Assertions.assertEquals(v1.getCertificateType(), v2.getCertificateType()); + Assertions.assertEquals(v1.getDescription(), v2.getDescription()); + Assertions.assertEquals(v1.getValidFrom().toEpochSecond(), v2.getValidFrom().toEpochSecond()); + Assertions.assertEquals(v1.getValidTo().toEpochSecond(), v2.getValidTo().toEpochSecond()); + Assertions.assertEquals(v1.getAffectedFields(), v2.getAffectedFields()); + Assertions.assertEquals(v1.getLogic(), v2.getLogic()); + } + + @RequiredArgsConstructor(access = AccessLevel.PRIVATE) + @Getter + public static class SignerType { + + private final String signingMethod; + private final String signingAlgorithm; + + public static SignerType RSA = new SignerType("SHA256withRSA", "RSA"); + public static SignerType EC = new 
SignerType("SHA256withECDSA", "EC"); + } +} diff --git a/src/test/java/tng/trustnetwork/keydistribution/testdata/SignerInformationTestHelper.java b/src/test/java/tng/trustnetwork/keydistribution/testdata/SignerInformationTestHelper.java index 15a449d..0ca740a 100644 --- a/src/test/java/tng/trustnetwork/keydistribution/testdata/SignerInformationTestHelper.java +++ b/src/test/java/tng/trustnetwork/keydistribution/testdata/SignerInformationTestHelper.java @@ -2,7 +2,7 @@ * ---license-start * WorldHealthOrganization / tng-key-distribution * --- - * Copyright (C) 2021 T-Systems International GmbH and all other contributors + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors * --- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -22,8 +22,6 @@ import eu.europa.ec.dgc.gateway.connector.model.TrustListItem; import eu.europa.ec.dgc.utils.CertificateUtils; -import tng.trustnetwork.keydistribution.entity.SignerInformationEntity; -import tng.trustnetwork.keydistribution.repository.SignerInformationRepository; import java.io.ByteArrayInputStream; import java.io.InputStream; import java.security.cert.CertificateException; @@ -33,6 +31,8 @@ import java.util.Base64; import lombok.RequiredArgsConstructor; import org.springframework.stereotype.Service; +import tng.trustnetwork.keydistribution.entity.SignerInformationEntity; +import tng.trustnetwork.keydistribution.repository.SignerInformationRepository; @Service @RequiredArgsConstructor diff --git a/src/test/java/tng/trustnetwork/keydistribution/testdata/TrustedIssuerTestHelper.java b/src/test/java/tng/trustnetwork/keydistribution/testdata/TrustedIssuerTestHelper.java index 0a9f103..0cc3c02 100644 --- a/src/test/java/tng/trustnetwork/keydistribution/testdata/TrustedIssuerTestHelper.java +++ b/src/test/java/tng/trustnetwork/keydistribution/testdata/TrustedIssuerTestHelper.java 
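Review bot: Both generateCertificate overloads that actually build a certificate derive the serial from `System.currentTimeMillis()`, so two certificates created in the same millisecond — as testData in DidTrustListServiceTest does for four in a row — share a serial, which RFC 5280 requires to be unique per issuer and which path-building or caching code may key on; `BigInteger certSerial = new BigInteger(64, new SecureRandom());` (importing `java.security.SecureRandom`) avoids the collision. The self-signed overload sets `new BasicConstraints(false)` even though DidTrustListServiceTest uses it for the CSCA that then signs DSCs, so these fixtures would not pass a PKIX chain check; if the code under test ever validates DSC-to-CSCA chains, the CA fixture needs `cA=true` and a keyCertSign key usage. `SignerType.RSA` and `SignerType.EC` are `public static` but not `final`, so any test can reassign them; `public static final SignerType RSA = new SignerType("SHA256withRSA", "RSA");` is the intended form. A class-level Javadoc stating that these are test-only fixtures with a one-day-back, one-year-forward validity window and no key-usage extensions would help readers.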
@@ -2,7 +2,7 @@ * ---license-start * WorldHealthOrganization / tng-key-distribution * --- - * Copyright (C) 2021 T-Systems International GmbH and all other contributors + * Copyright (C) 2021 - 2024 T-Systems International GmbH and all other contributors * --- * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -20,16 +20,15 @@ package tng.trustnetwork.keydistribution.testdata; +import eu.europa.ec.dgc.gateway.connector.model.TrustedIssuer; import java.time.ZonedDateTime; import java.util.ArrayList; import java.util.List; - -import eu.europa.ec.dgc.gateway.connector.model.TrustedIssuer; +import lombok.RequiredArgsConstructor; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; import tng.trustnetwork.keydistribution.entity.TrustedIssuerEntity; import tng.trustnetwork.keydistribution.repository.TrustedIssuerRepository; -import lombok.RequiredArgsConstructor; @Service @RequiredArgsConstructor @@ -143,4 +142,20 @@ public List getTrustedIssuerList() { return list; } + public TrustedIssuerEntity createTrustedIssuer(final String country) { + TrustedIssuerEntity trustedIssuer = new TrustedIssuerEntity(); + trustedIssuer.setUrl("did:trusted:" + country + ":issuer"); + trustedIssuer.setName("tiName"); + trustedIssuer.setCountry(country); + trustedIssuer.setUrlType(TrustedIssuerEntity.UrlType.DID); + trustedIssuer.setSslPublicKey("pubKey"); + trustedIssuer.setThumbprint("thumbprint"); + trustedIssuer.setKeyStorageType("JWKS"); + trustedIssuer.setEtag("etag"); + trustedIssuer.setSignature("sig"); + + return trustedIssuer; + } + + } diff --git a/src/test/resources/application.yml b/src/test/resources/application.yml index c37e32f..159c29b 100644 --- a/src/test/resources/application.yml +++ b/src/test/resources/application.yml 
@@ -15,7 +15,7 @@ spring: jpa: database-platform: org.hibernate.dialect.H2Dialect hibernate: - ddl-auto: create-drop + ddl-auto: validate liquibase: change-log: classpath:db/changelog.yaml h2: @@ -38,22 +38,23 @@ dgc: gateway: connector: enabled: false -# endpoint: https://tng-dev.who.int -# proxy: -# enabled: false -# max-cache-age: 300 -# tls-trust-store: #CA of TNG Gateway of TLS certificate -# alias: tng-tls-server-certificate -# password: dgcg-p4ssw0rd -# path: certs/tng_tls_server_truststore.p12 -# tls-key-store: # client cert key pair of participant -# alias: clientcredentials -# password: dgcg-p4ssw0rd -# path: certs/tls_key_store.p12 -# trust-anchor: # TA pem file of TNG that was used for signing -# alias: trustanchor -# password: dgcg-p4ssw0rd -# path: certs/trustanchor_store.jks + did: + cron: "" + enableDidGeneration: true + didUploadProvider: dummy + didSigningProvider: dummy + ld-proof-verification-method: did:web:dummy.net + ld-proof-nonce: n0nc3 + ld-proof-domain: d0m4in + did-id: did:web:abc + did-controller: did:web:def + trust-list-id-prefix: did:web:abc + trust-list-controller-prefix: did:web:abc + contextMapping: + "[https://www.w3.org/ns/did/v1]": did_v1.json + "[https://w3id.org/security/suites/jws-2020/v1]": jws-2020_v1.json + virtualCountries: + EU: xeu springdoc: api-docs: path: /api/docs From d684dec0381ec1bf8ed37b92ffe4b6109c849b89 Mon Sep 17 00:00:00 2001 From: Felix Dittrich Date: Thu, 25 Apr 2024 10:27:17 +0200 Subject: [PATCH 06/11] Remove Thumbprint from TrustedParty --- .../keydistribution/entity/TrustedPartyEntity.java | 6 ------ .../service/TrustedPartyService.java | 1 - .../db/changelog/add-trusted-party-table.yaml | 5 ----- .../service/DidTrustListServiceTest.java | 2 -- .../service/TrustedPartyServiceTest.java | 13 ++++--------- 5 files changed, 4 insertions(+), 23 deletions(-) 
diff --git a/src/main/java/tng/trustnetwork/keydistribution/entity/TrustedPartyEntity.java b/src/main/java/tng/trustnetwork/keydistribution/entity/TrustedPartyEntity.java index 95f73e7..3bb70cc 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/entity/TrustedPartyEntity.java +++ b/src/main/java/tng/trustnetwork/keydistribution/entity/TrustedPartyEntity.java @@ -63,12 +63,6 @@ public class TrustedPartyEntity { @Column(name = "country") private String country; - /** - * The thumbprint of the cert. - */ - @Column(name = "thumbprint") - private String thumbprint; - /** * Type of the TrustedParty (CSCA, UPLOAD, Authentication - currently only CSCA are supported). */ diff --git a/src/main/java/tng/trustnetwork/keydistribution/service/TrustedPartyService.java b/src/main/java/tng/trustnetwork/keydistribution/service/TrustedPartyService.java index 88c175e..aa63cf2 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/service/TrustedPartyService.java +++ b/src/main/java/tng/trustnetwork/keydistribution/service/TrustedPartyService.java @@ -62,7 +62,6 @@ private TrustedPartyEntity getCscaEntity(TrustListItem trustListItem) { return TrustedPartyEntity.builder() .country(trustListItem.getCountry()) - .thumbprint(trustListItem.getThumbprint()) .rawData(trustListItem.getRawData()) .type(TrustedPartyEntity.Type.CSCA) .build(); diff --git a/src/main/resources/db/changelog/add-trusted-party-table.yaml b/src/main/resources/db/changelog/add-trusted-party-table.yaml index c8ad7d0..bccf7ca 100644 --- a/src/main/resources/db/changelog/add-trusted-party-table.yaml +++ b/src/main/resources/db/changelog/add-trusted-party-table.yaml @@ -23,11 +23,6 @@ databaseChangeLog: type: varchar(2) constraints: nullable: false - - column: - name: thumbprint - type: varchar(512) - constraints: - nullable: false - column: name: type type: varchar(10) 
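Review bot: The `thumbprint` column is removed from the already-existing `createTable` changeset in `add-trusted-party-table.yaml` instead of being dropped by a new changeset, so any database on which that changeset has already run (whether one exists is not visible here) will fail Liquibase checksum validation at the next `liquibase update`, and if that is worked around by clearing checksums the old `NOT NULL` `thumbprint` column stays in place and every insert of the now thumbprint-less `TrustedPartyEntity` violates it. Restore the original changeset text and append a new changeset containing `dropColumn` with `tableName: <TABLE_NAME from the changeset header>` and `columnName: thumbprint`, so that fresh and existing databases converge on the same schema. The fresh H2 database the tests run against (the test `application.yml` in this series switches to `ddl-auto: validate`) will not expose the difference, so this needs a check against a database that has the old changeset recorded. The changeset header with the table name lies outside the hunk.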
diff --git a/src/test/java/tng/trustnetwork/keydistribution/service/DidTrustListServiceTest.java b/src/test/java/tng/trustnetwork/keydistribution/service/DidTrustListServiceTest.java index dafb7bc..24de8de 100644 --- a/src/test/java/tng/trustnetwork/keydistribution/service/DidTrustListServiceTest.java +++ b/src/test/java/tng/trustnetwork/keydistribution/service/DidTrustListServiceTest.java @@ -128,7 +128,6 @@ void testData(CertificateTestUtils.SignerType signerType) throws Exception { null, Base64.getEncoder().encodeToString(certCscaDe.getEncoded()), "DE", - certificateUtils.getCertThumbprint(certCscaDe), TrustedPartyEntity.Type.CSCA )); @@ -136,7 +135,6 @@ void testData(CertificateTestUtils.SignerType signerType) throws Exception { null, Base64.getEncoder().encodeToString(certCscaEu.getEncoded()), "EU", - certificateUtils.getCertThumbprint(certCscaEu), TrustedPartyEntity.Type.CSCA )); diff --git a/src/test/java/tng/trustnetwork/keydistribution/service/TrustedPartyServiceTest.java b/src/test/java/tng/trustnetwork/keydistribution/service/TrustedPartyServiceTest.java index b2fcc8c..bbd8962 100644 --- a/src/test/java/tng/trustnetwork/keydistribution/service/TrustedPartyServiceTest.java +++ b/src/test/java/tng/trustnetwork/keydistribution/service/TrustedPartyServiceTest.java @@ -53,7 +53,6 @@ void clearRepositoryData() { void testUpdateCsca() { trustedPartyRepository.save(TrustedPartyEntity.builder() - .thumbprint("thumbprint_old") .country("CO") .rawData("raw_data_old") .type(TrustedPartyEntity.Type.CSCA) @@ -61,13 +60,11 @@ void testUpdateCsca() { // Build Test-Data TrustListItem trustListItem1 = new TrustListItem(); - trustListItem1.setThumbprint("thumb1"); trustListItem1.setCountry("XX"); trustListItem1.setSignature("sig1"); trustListItem1.setRawData("raw1"); TrustListItem trustListItem2 = new TrustListItem(); - trustListItem2.setThumbprint("thumb2"); trustListItem2.setCountry("YY"); trustListItem2.setSignature("sig2"); trustListItem2.setRawData("raw2"); 
@@ -82,12 +79,10 @@ void testUpdateCsca() { Assertions.assertEquals(TrustedPartyEntity.Type.CSCA, persistedTrustedParties.get(0).getType()); Assertions.assertEquals(trustListItem1.getCountry(), persistedTrustedParties.get(0).getCountry()); - Assertions.assertEquals(trustListItem1.getThumbprint(), persistedTrustedParties.get(0).getThumbprint()); Assertions.assertEquals(trustListItem1.getRawData(), persistedTrustedParties.get(0).getRawData()); Assertions.assertEquals(TrustedPartyEntity.Type.CSCA, persistedTrustedParties.get(1).getType()); Assertions.assertEquals(trustListItem2.getCountry(), persistedTrustedParties.get(1).getCountry()); - Assertions.assertEquals(trustListItem2.getThumbprint(), persistedTrustedParties.get(1).getThumbprint()); Assertions.assertEquals(trustListItem2.getRawData(), persistedTrustedParties.get(1).getRawData()); } 
@@ -95,10 +90,10 @@ void testUpdateCsca() { @Test void testGetCscaByCountry() { - TrustedPartyEntity tp1 = trustedPartyRepository.save(new TrustedPartyEntity(null, "", "C1", "t1", TrustedPartyEntity.Type.CSCA)); - TrustedPartyEntity tp2 = trustedPartyRepository.save(new TrustedPartyEntity(null, "", "C1", "t2", TrustedPartyEntity.Type.CSCA)); - TrustedPartyEntity tp3 = trustedPartyRepository.save(new TrustedPartyEntity(null, "", "C2", "t3", TrustedPartyEntity.Type.CSCA)); - TrustedPartyEntity tp4 = trustedPartyRepository.save(new TrustedPartyEntity(null, "", "C2", "t4", TrustedPartyEntity.Type.CSCA)); + TrustedPartyEntity tp1 = trustedPartyRepository.save(new TrustedPartyEntity(null, "", "C1", TrustedPartyEntity.Type.CSCA)); + TrustedPartyEntity tp2 = trustedPartyRepository.save(new TrustedPartyEntity(null, "", "C1", TrustedPartyEntity.Type.CSCA)); + TrustedPartyEntity tp3 = trustedPartyRepository.save(new TrustedPartyEntity(null, "", "C2", TrustedPartyEntity.Type.CSCA)); + TrustedPartyEntity tp4 = trustedPartyRepository.save(new TrustedPartyEntity(null, "", "C2", TrustedPartyEntity.Type.CSCA)); trustedPartyRepository.saveAll(List.of(tp1, tp2, tp3, tp4)); From aba5e584fe435ef057e85108f3dcda9338f7dc00 Mon Sep 17 00:00:00 2001 From: Felix Dittrich Date: Thu, 25 Apr 2024 10:27:53 +0200 Subject: [PATCH 07/11] Add cleanup to test setup --- .../service/TrustedIssuerDownloadServiceTest.java | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/test/java/tng/trustnetwork/keydistribution/service/TrustedIssuerDownloadServiceTest.java b/src/test/java/tng/trustnetwork/keydistribution/service/TrustedIssuerDownloadServiceTest.java index 5cd8a11..ca412b7 100644 --- a/src/test/java/tng/trustnetwork/keydistribution/service/TrustedIssuerDownloadServiceTest.java +++ b/src/test/java/tng/trustnetwork/keydistribution/service/TrustedIssuerDownloadServiceTest.java 
@@ -26,6 +26,7 @@ import java.util.ArrayList; import java.util.List; import org.junit.jupiter.api.Assertions; +import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; import org.mockito.Mockito; import org.springframework.beans.factory.annotation.Autowired; @@ -46,7 +47,6 @@ class TrustedIssuerDownloadServiceTest { @MockBean DgcGatewayTrustedIssuerDownloadConnector dgcGatewayDownloadConnector; - @Autowired TrustedIssuerDownloadService trustedIssuerDownloadService; @@ -56,6 +56,11 @@ class TrustedIssuerDownloadServiceTest { @Autowired TrustedIssuerTestHelper trustedIssuerTestHelper; + @BeforeEach + void cleanup() { + trustedIssuerRepository.deleteAll(); + } + @Test void downloadEmptyIssuerList() { ArrayList trustList = new ArrayList<>(); From 4a63dfa1feae6446191587d6943445ee0628d219 Mon Sep 17 00:00:00 2001 From: Felix Dittrich Date: Thu, 25 Apr 2024 10:46:55 +0200 Subject: [PATCH 08/11] Remove Country Suffix from Controller in DID Trustlist --- .../keydistribution/service/did/DidTrustListService.java | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/main/java/tng/trustnetwork/keydistribution/service/did/DidTrustListService.java b/src/main/java/tng/trustnetwork/keydistribution/service/did/DidTrustListService.java index 72baabc..78efe69 100644 --- a/src/main/java/tng/trustnetwork/keydistribution/service/did/DidTrustListService.java +++ b/src/main/java/tng/trustnetwork/keydistribution/service/did/DidTrustListService.java @@ -172,9 +172,6 @@ private String generateTrustList(List countries) throws Exception { trustList.setId(configProperties.getDid().getDidId() + SEPARATOR_COLON + getCountryAsLowerCaseAlpha3(countries.get(0))); - trustList.setController(configProperties.getDid().getDidController() - + SEPARATOR_COLON - + getCountryAsLowerCaseAlpha3(countries.get(0))); } // Add DSC From 478bb0ea1c5e0198ccd2c16f35bd00ef6aff3254 Mon Sep 17 00:00:00 2001 
From: Andreas Scheibal Date: Thu, 2 May 2024 19:18:19 +0200 Subject: [PATCH 09/11] feature (helm): update README.md, deployment.yaml - introduced new settings from did uploader --- k8s/helm/tngkds/README.md | 46 +++ .../tngkds-backend/templates/deployment.yaml | 266 ++++++++-------- .../tngkds/charts/tngkds-backend/values.yaml | 298 +++++++++--------- .../tngkds/charts/tngkds-postgres/README.md | 45 +++ 4 files changed, 381 insertions(+), 274 deletions(-) create mode 100644 k8s/helm/tngkds/README.md create mode 100644 k8s/helm/tngkds/charts/tngkds-postgres/README.md diff --git a/k8s/helm/tngkds/README.md b/k8s/helm/tngkds/README.md new file mode 100644 index 0000000..78f00e0 --- /dev/null +++ b/k8s/helm/tngkds/README.md 
@@ -0,0 +1,46 @@ +# tngkds + +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square) + +A Helm chart for Kubernetes + +## Requirements +The versions from umbrella chart are currently not used, please refer to to corresponding image tags in value files + +| Repository | Name | Version | +|------------|------|---------| +| | tngkds-backend | 0.1.0 | +| | tngkds-postgres | 0.1.0 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| tngkds-backend.gateway.connector.enabled | bool | `true` | flag whether the kds is connected to the TNG | +| tngkds-backend.gateway.connector.endpoint | string | `""` | The url where the TNG can be reached | +| tngkds-backend.gateway.connector.max-cache-age | int | `300` | | +| tngkds-backend.gateway.connector.proxy.enabled | bool | `false` | used for development, when KDS is run behind a proxy. 
If set to true, _tngkds-backend.gateway.connector.proxy.port_ and _tngkds-backend.gateway.connector.proxy.host_ also need to be applied | +| tngkds-backend.gateway.connector.tls_key_store.alias | string | `"clientcredentials"` | | +| tngkds-backend.gateway.connector.tls_key_store.password | string | `""` | | +| tngkds-backend.gateway.connector.tls_key_store.path | string | `"/certs/tls_key_store.p12"` | | +| tngkds-backend.gateway.connector.tls_trust_store.alias | string | `"tng-tls-server-certificate"` | | +| tngkds-backend.gateway.connector.tls_trust_store.password | string | `""` | | +| tngkds-backend.gateway.connector.tls_trust_store.path | string | `"/certs/tng_tls_server_truststore.p12"` | | +| tngkds-backend.gateway.connector.trust_anchor.alias | string | `"trustanchor"` | | +| tngkds-backend.gateway.connector.trust_anchor.password | string | `""` | | +| tngkds-backend.gateway.connector.trust_anchor.path | string | `"/certs/trustanchor_store.jks"` | | +| tngkds-backend.image.tag | string | `""` | | +| tngkds-backend.liquibaseImage.tag | string | `""` | | +| tngkds-backend.path | string | `"/()(*)"` | | +| tngkds-backend.port | int | `8080` | | +| tngkds-backend.psql.asPod.enabled | bool | `false` | | +| tngkds-backend.psql.cluster | string | `"svc.cluster.local"` | | +| tngkds-backend.psql.dbName | string | `"kdsdb"` | | +| tngkds-backend.psql.password | string | `nil` | | +| tngkds-backend.psql.port | int | `5432` | | +| tngkds-backend.psql.serviceName | string | `"postgresql-d01.postgres.database.azure.com"` | | +| tngkds-backend.psql.username | string | `nil` | | +| tngkds-postgres.asPod.enabled | bool | `false` | | +| tngkds-postgres.path | string | `"/()(*)"` | | +| tngkds-postgres.port | int | `5432` | | + diff --git a/k8s/helm/tngkds/charts/tngkds-backend/templates/deployment.yaml b/k8s/helm/tngkds/charts/tngkds-backend/templates/deployment.yaml index 1cb1a95..d261cda 100644 --- a/k8s/helm/tngkds/charts/tngkds-backend/templates/deployment.yaml 
+++ b/k8s/helm/tngkds/charts/tngkds-backend/templates/deployment.yaml 
@@ -1,130 +1,136 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "tngkds-backend.fullname" . }} - labels: - {{- include "tngkds-backend.labels" . | nindent 4 }} - namespace: {{ .Release.Namespace }} -spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} - {{- end }} - selector: - matchLabels: - {{- include "tngkds-backend.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "tngkds-backend.labels" . | nindent 8 }} - spec: - initContainers: - - name: liquibase - image: "{{ .Values.liquibaseImage.repository }}:{{ .Values.liquibaseImage.tag }}" - command: ["/bin/sh", "-c"] - args: - - liquibase update --changeLogFile=db/changelog.yaml; - env: - - name: LIQUIBASE_COMMAND_URL - {{- if .Values.psql.asPod.enabled }} - value: "jdbc:postgresql://{{ .Values.psql.serviceName }}.{{ .Release.Namespace }}.{{ .Values.psql.cluster }}:{{ .Values.psql.port }}/{{ .Values.psql.dbName }}" - {{ else }} - value: "jdbc:postgresql://{{ .Values.psql.serviceName }}:{{ .Values.psql.port }}/{{ .Values.psql.dbName }}" - {{ end -}} - - name: LIQUIBASE_COMMAND_USERNAME - value: {{ .Values.psql.username | quote }} - - name: LIQUIBASE_COMMAND_PASSWORD - value: {{ .Values.psql.password | quote }} - - name: LIQUIBASE_SEARCH_PATH - value: /liquibase - - name: LIQUIBASE_LOG_LEVEL - value: ERROR - imagePullSecrets: - - name: {{ .Values.imagePullSecrets }} - containers: - - name: {{ .Chart.Name }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - ports: - {{ range .Values.service.ports }} - - name: {{ .name }} - containerPort: {{ .port }} - protocol: {{ .protocol }} - {{ end }} - env: - - name: SERVER_PORT - value: "{{ .Values.server.port }}" - - name: SPRING_PROFILES_ACTIVE - value: {{ 
.Values.spring.profile }} - - name: SPRING_DATASOURCE_URL - {{- if .Values.psql.asPod.enabled }} - value: "jdbc:postgresql://{{ .Values.psql.serviceName }}.{{ .Release.Namespace }}.{{ .Values.psql.cluster }}:{{ .Values.psql.port }}/{{ .Values.psql.dbName }}" - {{ else }} - value: "jdbc:postgresql://{{ .Values.psql.serviceName }}:{{ .Values.psql.port }}/{{ .Values.psql.dbName }}" - {{ end -}} - - name: SPRING_DATASOURCE_DRIVERCLASSNAME - value: "org.postgresql.Driver" - - name: SPRING_DATASOURCE_JNDI_NAME - value: "false" - - name: SPRING_JPA_DATABASEPLATFORM - value: "org.hibernate.dialect.PostgreSQLDialect" - - name: SPRING_DATASOURCE_USERNAME - value: {{ .Values.psql.username | quote }} - - name: SPRING_DATASOURCE_PASSWORD - value: {{ .Values.psql.password | quote }} - - name: DGC_GATEWAY_CONNECTOR_TLS_TRUST_STORE_PATH - value: {{ .Values.gateway.connector.tls_trust_store.path }} - - name: DGC_GATEWAY_CONNECTOR_TLS_TRUST_STORE_PASSWORD - value: {{ .Values.gateway.connector.tls_trust_store.password | quote }} - - name: DGC_GATEWAY_CONNECTOR_TLS_TRUST_STORE_ALIAS - value: {{ .Values.gateway.connector.tls_trust_store.alias }} - - name: DGC_GATEWAY_CONNECTOR_TLS_KEY_STORE_PATH - value: {{ .Values.gateway.connector.tls_key_store.path }} - - name: DGC_GATEWAY_CONNECTOR_TLS_KEY_STORE_PASSWORD - value: {{ .Values.gateway.connector.tls_key_store.password | quote }} - - name: DGC_GATEWAY_CONNECTOR_TLS_KEY_STORE_ALIAS - value: {{.Values.gateway.connector.tls_key_store.alias }} - - name: DGC_GATEWAY_CONNECTOR_TRUST_ANCHOR_PATH - value: {{ .Values.gateway.connector.trust_anchor.path }} - - name: DGC_GATEWAY_CONNECTOR_TRUST_ANCHOR_PASSWORD - value: {{ .Values.gateway.connector.trust_anchor.password | quote }} - - name: DGC_GATEWAY_CONNECTOR_TRUST_ANCHOR_ALIAS - value: {{ .Values.gateway.connector.trust_anchor.alias }} - - name: DGC_GATEWAY_CONNECTOR_ENABLED - value: {{ .Values.gateway.connector.enabled | quote }} - - name: DGC_GATEWAY_CONNECTOR_ENDPOINT - value: {{ 
.Values.gateway.connector.endpoint }} - volumeMounts: - - name: secrets-jks - mountPath: /certs - readOnly: true - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - volumes: - - name: secrets-jks - secret: - secretName: mtls-secret - items: - - key: tls_key_store.p12 - path: tls_key_store.p12 - - key: trustanchor_store.jks - path: trustanchor_store.jks - - key: tng_tls_server_truststore.p12 - path: tng_tls_server_truststore.p12 +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "tngkds-backend.fullname" . }} + labels: + {{- include "tngkds-backend.labels" . | nindent 4 }} + namespace: {{ .Release.Namespace }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "tngkds-backend.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "tngkds-backend.labels" . 
| nindent 8 }} + spec: + initContainers: + - name: liquibase + image: "{{ .Values.liquibaseImage.repository }}:{{ .Values.liquibaseImage.tag }}" + command: ["/bin/sh", "-c"] + args: + - liquibase update --changeLogFile=db/changelog.yaml; + env: + - name: LIQUIBASE_COMMAND_URL + {{- if .Values.psql.asPod.enabled }} + value: "jdbc:postgresql://{{ .Values.psql.serviceName }}.{{ .Release.Namespace }}.{{ .Values.psql.cluster }}:{{ .Values.psql.port }}/{{ .Values.psql.dbName }}" + {{ else }} + value: "jdbc:postgresql://{{ .Values.psql.serviceName }}:{{ .Values.psql.port }}/{{ .Values.psql.dbName }}" + {{ end -}} + - name: LIQUIBASE_COMMAND_USERNAME + value: {{ .Values.psql.username | quote }} + - name: LIQUIBASE_COMMAND_PASSWORD + value: {{ .Values.psql.password | quote }} + - name: LIQUIBASE_SEARCH_PATH + value: /liquibase + - name: LIQUIBASE_LOG_LEVEL + value: ERROR + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + {{ range .Values.service.ports }} + - name: {{ .name }} + containerPort: {{ .port }} + protocol: {{ .protocol }} + {{ end }} + env: + - name: SERVER_PORT + value: "{{ .Values.server.port }}" + - name: SPRING_PROFILES_ACTIVE + value: {{ .Values.spring.profile }} + - name: SPRING_DATASOURCE_URL + {{- if .Values.psql.asPod.enabled }} + value: "jdbc:postgresql://{{ .Values.psql.serviceName }}.{{ .Release.Namespace }}.{{ .Values.psql.cluster }}:{{ .Values.psql.port }}/{{ .Values.psql.dbName }}" + {{ else }} + value: "jdbc:postgresql://{{ .Values.psql.serviceName }}:{{ .Values.psql.port }}/{{ .Values.psql.dbName }}" + {{ end -}} + - name: SPRING_DATASOURCE_DRIVERCLASSNAME + value: "org.postgresql.Driver" + - name: SPRING_DATASOURCE_JNDI_NAME + value: "false" + - name: SPRING_JPA_DATABASEPLATFORM + value: 
"org.hibernate.dialect.PostgreSQLDialect" + - name: SPRING_DATASOURCE_USERNAME + value: {{ .Values.psql.username | quote }} + - name: SPRING_DATASOURCE_PASSWORD + value: {{ .Values.psql.password | quote }} + - name: DGC_GATEWAY_CONNECTOR_TLS_TRUST_STORE_PATH + value: {{ .Values.gateway.connector.tls_trust_store.path }} + - name: DGC_GATEWAY_CONNECTOR_TLS_TRUST_STORE_PASSWORD + value: {{ .Values.gateway.connector.tls_trust_store.password | quote }} + - name: DGC_GATEWAY_CONNECTOR_TLS_TRUST_STORE_ALIAS + value: {{ .Values.gateway.connector.tls_trust_store.alias }} + - name: DGC_GATEWAY_CONNECTOR_TLS_KEY_STORE_PATH + value: {{ .Values.gateway.connector.tls_key_store.path }} + - name: DGC_GATEWAY_CONNECTOR_TLS_KEY_STORE_PASSWORD + value: {{ .Values.gateway.connector.tls_key_store.password | quote }} + - name: DGC_GATEWAY_CONNECTOR_TLS_KEY_STORE_ALIAS + value: {{.Values.gateway.connector.tls_key_store.alias }} + - name: DGC_GATEWAY_CONNECTOR_TRUST_ANCHOR_PATH + value: {{ .Values.gateway.connector.trust_anchor.path }} + - name: DGC_GATEWAY_CONNECTOR_TRUST_ANCHOR_PASSWORD + value: {{ .Values.gateway.connector.trust_anchor.password | quote }} + - name: DGC_GATEWAY_CONNECTOR_TRUST_ANCHOR_ALIAS + value: {{ .Values.gateway.connector.trust_anchor.alias }} + - name: DGC_GATEWAY_CONNECTOR_ENABLED + value: {{ .Values.gateway.connector.enabled | quote }} + - name: DGC_GATEWAY_CONNECTOR_ENDPOINT + value: {{ .Values.gateway.connector.endpoint }} + {{- if .Values.did.enableDidGeneration }} + {{- range $name, $val := .Values.did }} + - name: DGC_{{ $name | upper }} + value: {{ $val | quote }} + {{- end }} + {{- end }} + volumeMounts: + - name: secrets-jks + mountPath: /certs + readOnly: true + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: secrets-jks + secret: + secretName: mtls-secret + items: + - key: tls_key_store.p12 + path: tls_key_store.p12 + - key: trustanchor_store.jks + path: trustanchor_store.jks + - key: tng_tls_server_truststore.p12 + path: tng_tls_server_truststore.p12 diff --git a/k8s/helm/tngkds/charts/tngkds-backend/values.yaml b/k8s/helm/tngkds/charts/tngkds-backend/values.yaml index 69ba80c..fff857c 100644 --- a/k8s/helm/tngkds/charts/tngkds-backend/values.yaml +++ b/k8s/helm/tngkds/charts/tngkds-backend/values.yaml 
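Review bot: The env names produced by the new `range` over `.Values.did` are `DGC_{{ $name | upper }}`, which with the keys added to `values.yaml` in this commit gives `DGC_DID_ID`, `DGC_LD_PROOF_NONCE`, `DGC_ENABLEDIDGENERATION` and so on, whereas the application reads these settings from `configProperties.getDid()` and the test `application.yml` places them under `dgc.did` (`did-id`, `ld-proof-nonce`, `enableDidGeneration`). If the backend binds them through Spring Boot's relaxed environment binding, an underscore in an env name is a property-path separator and dashes in property names are dropped, so the matching names would be `DGC_DID_DIDID`, `DGC_DID_LDPROOFNONCE`, `DGC_DID_ENABLEDIDGENERATION`; the generated names lack the `DID_` level and split the key names, and nothing from the `did` block would reach the application. Naming the values keys in camelCase as the test configuration does and emitting `- name: DGC_DID_{{ $name | upper }}` would address both, and rendering the chart once and comparing the output against the application's property names is the check to add; the same key-naming point applies to the `values.yaml` hunk of this commit. Separately, the re-added file carries `psql.username`/`psql.password` and the three keystore passwords as plain env `value:` entries taken from `values.yaml`; a `secretKeyRef` into a Secret (the pod already mounts `mtls-secret` for the keystore files) keeps credentials out of the values file and the rendered manifest. Because the whole file is removed and re-added, presumably for a line-ending or indentation change, the six genuinely new lines are hard to spot and would be easier to review as a separate commit.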
@@ -1,144 +1,154 @@ -# Default values for tngkds-backend. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -replicaCount: 1 - -image: - # Create this image before your local installing with: "docker build -t kds:0.0.1" and load - # this image into your local minikube cluster with: "minikube image load kds:0.0.1" - repository: ghcr.io/worldhealthorganization/tng-key-distribution/tng-key-distribution - pullPolicy: IfNotPresent - # Overrides the image tag whose default is the chart appVersion. - tag: "0.0.1-d890889" #"0.0.1-2840d04" - -#kubectl -n create secret docker-registry --docker-server=ghcr.io --docker-username= --docker-password= --docker-email= -o yaml -#kubectl -n kds create secret docker-registry tng-distribution-pull-secret --docker-server=ghcr.io --docker-username=anonymous --docker-password= --docker-email=anonymous@example.com -o yaml -imagePullSecrets: tng-distribution-pull-secret -nameOverride: "" -fullnameOverride: "" - -# Liquibase -liquibaseImage: - repository: ghcr.io/worldhealthorganization/tng-key-distribution/tng-key-distribution-initcontainer - tag: - -serviceAccount: - # Specifies whether a service account should be created - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. 
- # If not set and create is true, a name is generated using the fullname template - name: "" - -podAnnotations: {} - -podSecurityContext: - {} - # fsGroup: 2000 - -securityContext: - {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 - -service: - type: NodePort - ports: - - name: http - port: 8080 - targetPort: 8080 - nodePort: 30166 - protocol: TCP - -ingress: - enabled: false - className: "" - annotations: - {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: chart-example.local - paths: - - path: / - pathType: ImplementationSpecific - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - -resources: - {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
- # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 100 - targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 - -nodeSelector: {} - -tolerations: [] - -affinity: {} - -# Postgres -psql: - serviceName: postgres - port: 5432 - dbName: postgres - cluster: svc.cluster.local - username: - password: - -# ConfigMap -# configMap: -# data: -# host: localhost -# dbName: postgres - -# Spring -spring: - profile: cloud - -# Server port -server: - port: 8080 - -# Smart TN Gateway -gateway: - connector: - enabled: true - endpoint: - proxy: - enabled: false - max-cache-age: 300 - tls_trust_store: #CA of TNG Gateway of TLS certificate - alias: - password: - path: - tls_key_store: # client cert key pair of participant - alias: - password: - path: - trust_anchor: # TA pem file of TNG that was used for signing - alias: - password: - path: +# Default values for tngkds-backend. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +image: + # Create this image before your local installing with: "docker build -t kds:0.0.1" and load + # this image into your local minikube cluster with: "minikube image load kds:0.0.1" + repository: ghcr.io/worldhealthorganization/tng-key-distribution/tng-key-distribution + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. 
+ tag: "0.0.1-d890889" #"0.0.1-2840d04" + +#kubectl -n create secret docker-registry --docker-server=ghcr.io --docker-username= --docker-password= --docker-email= -o yaml +#kubectl -n kds create secret docker-registry tng-distribution-pull-secret --docker-server=ghcr.io --docker-username=anonymous --docker-password= --docker-email=anonymous@example.com -o yaml +imagePullSecrets: tng-distribution-pull-secret +nameOverride: "" +fullnameOverride: "" + +# Liquibase +liquibaseImage: + repository: ghcr.io/worldhealthorganization/tng-key-distribution/tng-key-distribution-initcontainer + tag: + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} + +podSecurityContext: + {} + # fsGroup: 2000 + +securityContext: + {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +service: + type: NodePort + ports: + - name: http + port: 8080 + targetPort: 8080 + nodePort: 30166 + protocol: TCP + +ingress: + enabled: false + className: "" + annotations: + {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: + {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# Postgres +psql: + serviceName: postgres + port: 5432 + dbName: postgres + cluster: svc.cluster.local + username: + password: + +# ConfigMap +# configMap: +# data: +# host: localhost +# dbName: postgres + +# Spring +spring: + profile: cloud + +# Server port +server: + port: 8080 + +# Smart TN Gateway +gateway: + connector: + enabled: true + endpoint: + proxy: + enabled: false + max-cache-age: 300 + tls_trust_store: #CA of TNG Gateway of TLS certificate + alias: + password: + path: + tls_key_store: # client cert key pair of participant + alias: + password: + path: + trust_anchor: # TA pem file of TNG that was used for signing + alias: + password: + path: +did: + enableDidGeneration: true + cron: "*/10 * * * * *" + didUploadProvider: local-file + ld_proof_verification_method: did:web:dummy.net + ld_proof_nonce: n0nc3 + did_id: did:web:abc + did_controller: did:web:def + trust_list_id_prefix: did:web:abc + trust_list_controller_prefix: did:web:abc diff --git a/k8s/helm/tngkds/charts/tngkds-postgres/README.md b/k8s/helm/tngkds/charts/tngkds-postgres/README.md new file mode 100644 index 0000000..13a1375 --- /dev/null +++ b/k8s/helm/tngkds/charts/tngkds-postgres/README.md 
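Review bot: The new `did` block defaults to `enableDidGeneration: true` while every identifier under it is a placeholder (`did_id: did:web:abc`, `did_controller: did:web:def`, `ld_proof_verification_method: did:web:dummy.net`, `ld_proof_nonce: n0nc3`) and `cron: "*/10 * * * * *"` fires every ten seconds, so an installation that overrides nothing would start generating and, with `didUploadProvider: local-file`, writing a trust list under a bogus DID with a constant proof nonce. Defaulting to `enableDidGeneration: false` and leaving the identifiers empty (`did_id: ""`) makes enabling it a deliberate, documented step, and a fixed nonce baked into chart defaults is contrary to what a nonce is for, so it should at least be per-installation. The key naming also differs from the test configuration (`ld_proof_nonce` here versus `ld-proof-nonce` there, `enableDidGeneration` in both), which matters because the deployment template in this commit derives env variable names from these keys. Settings present in the test configuration but absent here (`did-controller` is present, but `ld-proof-domain`, `didSigningProvider`, `contextMapping`, `virtualCountries` are not) cannot be set through the chart; whether the application has usable defaults for them is not visible here.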
@@ -0,0 +1,45 @@
+# tngkds-postgres
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square)
+
+A Helm chart for PostgreSQL database for TNG Key Distribution Service
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` | |
+| autoscaling.enabled | bool | `false` | Pod autoscaling |
+| autoscaling.maxReplicas | int | `100` | |
+| autoscaling.minReplicas | int | `1` | |
+| autoscaling.targetCPUUtilizationPercentage | int | `80` | |
+| configMap.data.dbName | string | `"postgres"` | used as service name when db is deployed as pod |
+| configMap.data.host | string | `"localhost"` | used as host name when db is deployed as pod |
+| dbpassword | string | `""` | password of the dbuser |
+| dbuser | string | `""` | username of the dbuser |
+| fullnameOverride | string | `""` | |
+| image.pullPolicy | string | `"IfNotPresent"` | |
+| image.repository | string | `"nginx"` | |
+| image.tag | string | `""` | |
+| imagePullSecrets | list | `[]` | |
+| ingress.annotations | object | `{}` | |
+| ingress.className | string | `""` | |
+| ingress.enabled | bool | `false` | |
+| ingress.hosts[0].host | string | `"chart-example.local"` | |
+| ingress.hosts[0].paths[0].path | string | `"/"` | |
+| ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | |
+| ingress.tls | list | `[]` | |
+| nameOverride | string | `""` | |
+| nodeSelector | object | `{}` | |
+| podAnnotations | object | `{}` | |
+| podSecurityContext | object | `{}` | |
+| replicaCount | int | `1` | |
+| resources | object | `{}` | |
+| securityContext | object | `{}` | |
+| service.ports[0].port | int | `5432` | db service port |
+| service.type | string | `"NodePort"` | |
+| serviceAccount.annotations | object | `{}` | |
+| serviceAccount.create | bool | `true` | |
+| serviceAccount.name | string | `""` | |
+| tolerations | list | `[]` | |
+
From e09c45dfe7738f60a88919b460232310d8ec82c6 Mon Sep 17 00:00:00 2001
From: Andreas Scheibal
Date: Thu, 2 May 2024 19:19:16 +0200
Subject: [PATCH 10/11] feature (helm): update README.md, deployment.yaml - introduced new settings from did uploader
---
 .../tngkds/charts/tngkds-backend/README.md | 80 +++++++++++++++++++
 1 file changed, 80 insertions(+)
 create mode 100644 k8s/helm/tngkds/charts/tngkds-backend/README.md
diff --git a/k8s/helm/tngkds/charts/tngkds-backend/README.md b/k8s/helm/tngkds/charts/tngkds-backend/README.md
new file mode 100644
index 0000000..df51549
--- /dev/null
+++ b/k8s/helm/tngkds/charts/tngkds-backend/README.md
@@ -0,0 +1,80 @@
+
+# tngkds-backend
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square)
+
+A Helm chart for TNG Key Distribution Service
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` | |
+| autoscaling.enabled | bool | `false` | |
+| autoscaling.maxReplicas | int | `100` | |
+| autoscaling.minReplicas | int | `1` | |
+| autoscaling.targetCPUUtilizationPercentage | int | `80` | |
+| did.cron | string | `"*/10 * * * * *"` | spring cronjob configuration, how often shall the did file be generated |
+| did.didUploadProvider | string | `"local-file"` | Upload provider for Did document, currently local-file |
+| did.localFile.directory | string | `"trustlist"` | If upload provider is local-file: directory of the generated file |
+| did.localFile.file-name | string | `"did.json"` | If upload provider is local-file: file-name of the generated file |
+| did.did_controller | string | `"did:web:def"` | The controller that is generating the did.json / controlling its contents |
+| did.did_id | string | `"did:web:abc"` | The ID of the did entry |
+| did.enableDidGeneration | bool | `true` | Shall the did documents be generated |
+| did.ld_proof_nonce | string | `"n0nc3"` | Nonce of the Did Document |
+| did.ld_proof_verification_method | string | `"did:web:dummy.net"` | Verification Method of the DID Signer. Usually a did-link to a did.json containing the public key material that was used to sign this DID |
+| did.trust_list_controller_prefix | string | `"did:web:abc"` | |
+| did.trust_list_id_prefix | string | `"did:web:abc"` | |
+| fullnameOverride | string | `""` | |
+| gateway.connector.enabled | bool | `true` | |
+| gateway.connector.endpoint | string | `""` | |
+| gateway.connector.max-cache-age | int | `300` | |
+| gateway.connector.proxy.enabled | bool | `false` | used for development, when your machine needs a proxy to access _tng.who.int_ |
+| gateway.connector.tls_key_store.alias | string | `""` | KDS application accesses the cert via its alias |
+| gateway.connector.tls_key_store.password | string | `""` | |
+| gateway.connector.tls_key_store.path | string | `""` | |
+| gateway.connector.tls_trust_store.alias | string | `""` |KDS application accesses the cert via its alias |
+| gateway.connector.tls_trust_store.password | string | `""` | |
+| gateway.connector.tls_trust_store.path | string | `""` | |
+| gateway.connector.trust_anchor.alias | string | `""` | tng application access the cert via its alias |
+| gateway.connector.trust_anchor.password | string | `""` | |
+| gateway.connector.trust_anchor.path | string | `""` | |
+| image.pullPolicy | string | `"IfNotPresent"` | |
+| image.repository | string | `"ghcr.io/worldhealthorganization/tng-key-distribution/tng-key-distribution"` | |
+| image.tag | string | `"0.0.1-d890889"` | version of the container image to be used for deployment |
+| imagePullSecrets | string | `"tng-distribution-pull-secret"` | |
+| ingress.annotations | object | `{}` | |
+| ingress.className | string | `""` | |
+| ingress.enabled | bool | `false` | |
+| ingress.hosts[0].host | string | `"chart-example.local"` | |
+| ingress.hosts[0].paths[0].path | string | `"/"` | |
+| ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | |
+| ingress.tls | list | `[]` | |
+| liquibaseImage.repository | string | `"ghcr.io/worldhealthorganization/tng-key-distribution/tng-key-distribution-initcontainer"` | |
+| liquibaseImage.tag | string | `""` | version of the initcontainer image to be used, the tag is the same as for _image.tag_ |
+| nameOverride | string | `""` | |
+| nodeSelector | object | `{}` | |
+| podAnnotations | object | `{}` | |
+| podSecurityContext | object | `{}` | |
+| psql.cluster | string | `"svc.cluster.local"` | |
+| psql.dbName | string | `"postgres"` | Name of the Shema to be used |
+| psql.password | string | `""` | Password of the _psql.username_ |
+| psql.port | int | `5432` | port where the db service is running |
+| psql.serviceName | string | `"postgres"` | Name of the db service |
+| psql.username | string | `""` | user that ist used to perform the liquibase actions and to r/w to the DB |
+| replicaCount | int | `1` | |
+| resources | object | `{}` | |
+| securityContext | object | `{}` | |
+| server.port | int | `8080` | port of the kds applications api server |
+| service.ports[0].name | string | `"http"` | |
+| service.ports[0].nodePort | int | `30166` | |
+| service.ports[0].port | int | `8080` | |
+| service.ports[0].protocol | string | `"TCP"` | |
+| service.ports[0].targetPort | int | `8080` | |
+| service.type | string | `"NodePort"` | |
+| serviceAccount.annotations | object | `{}` | |
+| serviceAccount.create | bool | `true` | |
+| serviceAccount.name | string | `""` | |
+| spring.profile | string | `"cloud"` | {_0..n_} Spring profiles to be activated, usually used for feature toggle, currently not in use (existing values will be ignored) |
+| tolerations | list | `[]` | |
+
From 4b7a1c1516914ad3c9f0d5c1fe6297550ead7294 Mon Sep 17 00:00:00 2001
From: Torsten Egenolf
Date: Wed, 8 May 2024 13:38:32 +0200
Subject: [PATCH 11/11] Delete k8s/helm/tngkds/charts/tngkds-backend/templates/configmap.yml
---
 .../tngkds/charts/tngkds-backend/templates/configmap.yml | 8 --------
 1 file changed, 8 deletions(-)
 delete mode 100644 k8s/helm/tngkds/charts/tngkds-backend/templates/configmap.yml
diff --git a/k8s/helm/tngkds/charts/tngkds-backend/templates/configmap.yml b/k8s/helm/tngkds/charts/tngkds-backend/templates/configmap.yml
deleted file mode 100644
index fb40420..0000000
--- a/k8s/helm/tngkds/charts/tngkds-backend/templates/configmap.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-# apiVersion: v1
-# kind: ConfigMap
-# metadata:
-# name: {{ include "tngkds-backend.fullname" . }}-cfg
-# namespace: {{ .Release.Namespace }}
-# data:
-# host: "{{ .Values.configMap.data.host }}"
-# dbname: "{{ .Values.configMap.data.dbName }}"