Merge 8240bed into 496223c

i4Trust · May 30, 2023 · 8981b78 · 8981b78
2 parents 496223c + 8240bed
commit 8981b78
Show file tree

Hide file tree

Showing 40 changed files with 2,144 additions and 2,346 deletions.
diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml
@@ -11,12 +11,36 @@ on:
 
 env:
   IMAGE_NAME: i4trust/activation-service
+  IMAGE_NAME_QUAY: quay.io/i4trust/activation-service
 
 jobs:
 
-  prerelease:
+  test:
+    name: Tests
     runs-on: ubuntu-latest
 
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set up Python 3.10
+        uses: actions/setup-python@v4
+        with:
+          python-version: "3.10"
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+
+      - name: Run pytest
+        run: |
+          pytest
+  
+  prerelease:
+    runs-on: ubuntu-latest
+    needs: ["test"]
+
     steps:
       - uses: actions/checkout@v2
 
@@ -56,6 +80,12 @@ jobs:
           docker build -t ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} .
           docker push ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
 
+      - name: Push to quay.io
+        run: |
+          echo "${{ secrets.QUAY_TOKEN }}" | docker login quay.io -u "${{ secrets.QUAY_USERNAME }}" --password-stdin
+          docker tag ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} ${{ env.IMAGE_NAME_QUAY }}:${{ env.IMAGE_TAG }}
+          docker push ${{ env.IMAGE_NAME_QUAY }}:${{ env.IMAGE_TAG }}
+
       - uses: "marvinpinto/action-automatic-releases@latest"
         with:
           repo_token: "${{ secrets.GITHUB_TOKEN }}"

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -7,6 +7,7 @@ on:
 
 env:
   IMAGE_NAME: i4trust/activation-service
+  IMAGE_NAME_QUAY: quay.io/i4trust/activation-service
 
 jobs:
 
@@ -47,8 +48,12 @@ jobs:
         run: |
           docker build -t ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} .
           docker push ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
-          docker tag ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} ${{ env.IMAGE_NAME }}:latest
-          docker push ${{ env.IMAGE_NAME }}:latest
+
+      - name: Push to quay.io
+        run: |
+          echo "${{ secrets.QUAY_TOKEN }}" | docker login quay.io -u "${{ secrets.QUAY_USERNAME }}" --password-stdin
+          docker tag ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} ${{ env.IMAGE_NAME_QUAY }}:${{ env.IMAGE_TAG }}
+          docker push ${{ env.IMAGE_NAME_QUAY }}:${{ env.IMAGE_TAG }}
           
       - uses: "marvinpinto/action-automatic-releases@latest"
         with:

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -0,0 +1,27 @@
+name: Test
+
+on:
+  push
+
+jobs:
+
+  test:
+    name: Tests
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set up Python 3.10
+        uses: actions/setup-python@v4
+        with:
+          python-version: "3.10"
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+
+      - name: Run pytest
+        run: |
+          pytest
diff --git a/Dockerfile b/Dockerfile
@@ -1,16 +1,20 @@
-FROM node:10
+FROM python:3.7-alpine
 
-# User
-RUN groupadd --gid 5000 aservice \
-    && useradd --home-dir /home/aservice --create-home --uid 5000 \
-        --gid 5000 --shell /bin/sh --skel /dev/null aservice
-COPY . /home/aservice
-USER aservice
-WORKDIR /home/aservice
+ENV AS_PORT=8080
+
+RUN apk update && \
+    apk add gcc build-base libc-dev libffi-dev openssl-dev bash curl
+
+RUN addgroup --gid 5000 aservice \
+    && adduser --uid 5000 -G aservice -D -s /bin/sh -k /dev/null aservice
 
-# npm
-RUN npm install
+WORKDIR /var/aservice
+COPY ./ ./
+RUN pip install --no-cache-dir -r requirements.txt
+
+USER aservice
+WORKDIR /var/aservice
 
-# Start
-EXPOSE 7000
-CMD [ "npm", "start" ]
+HEALTHCHECK CMD curl --fail http://localhost:${AS_PORT}/health || exit 1
+EXPOSE $AS_PORT
+CMD [ "./bin/run.sh" ]
diff --git a/README.md b/README.md
@@ -1,45 +1,80 @@
 # activation-service
-Service allowing to activate services and create policies in an iSHARE authorisation registry during the acquisition step.
+Service allowing to activate services and create access rights during the acquisition step via:
+* creating policies in an iSHARE authorisation registry 
+* creating entries at a trusted issuer list (TBD)
 
-## Configuration
+It is based on Python Flask using gunicorn. The service requires to store data in an SQL database. 
+It ca be configured to use external databases (e.g., MySQL, PostgreSQL) or SQLite.
+
+
+## Preparation
+
+Requirements:
+* python >= 3.7
+* [./requirements.txt](./requirements.txt)
+
+Required python modules can be installed with 
+```shell
+pip install -r requirements.txt
+```
+
+
+
+### Configuration
 
 Configuration is done in the file `config/as.yml`. You need to modify the values according to your 
-environment and add your private key and certificate chain.
+environment and add your private key and certificate chain for the iSHARE flow.
 
 Private key and certificate chain can be also provided as ENVs as given below. In this case, the values from 
 `config/as.yml` would be overwritten.
 * Private key: `AS_CLIENT_KEY`
 * Certificate chain: `AS_CLIENT_CRT`
 
-In case of very large JWTs in the `Authorization` header, one needs to increase the max. HTTP header size 
-of the node server application. This can be done by setting the following ENV (here: max. `32kb`):
-* `AS_MAX_HEADER_SIZE=32768` (Default: 8192)
+In case of very large JWTs in the Authorization header, one needs to increase the max. HTTP header size of 
+gunicorn. This can be done by setting the following ENV (here: max. 32kb):
+
+* `AS_MAX_HEADER_SIZE=32768` (Default: 32768)
+
+When using a file-based SQLite, make sure that the volume is writeable.
+
+Further ENVs control the execution of the activation service. Below is a list of the supported ENVs:
+
+| ENV                                    | Default      | Description |
+|:---------------------------------------|:------------:|:------------|
+| AS_PORT                         | 8080         | Listen port |
+| AS_GUNICORN_WORKERS             | 1            | Number of workers that should be created (note that multiple workers can result in conflicts when using in-memory or file-based databases) |
+| AS_MAX_HEADER_SIZE              | 32768        | Maximum header size in bytes |
+| AS_LOG_LEVEL                    | 'info'       | Log level |
+| AS_DATABASE_URI                 |              | Database URI to use instead of config from configuration file |
+| AS_CLIENT_KEY                          |              | iSHARE private key provided as ENV (compare to [config/as.yml](./config/as.yml#L8)) |
+| AS_CLIENT_CERTS                        |              | iSHARE certificate chain provided as ENV (compare to [config/as.yml](./config/as.yml#L10)) |
 
 
 ## Usage
 
 ### Local
 
-Run locally using `node.js`:
+After placing a configuration file at `config/as.yml`, the activation service can be started with 
 ```shell
-npm install
-npm start
+bin/run.sh
 ```
 
 
 ### Docker
 
-A Dockerfile is provided for building the image:
-```shell
-docker build -t activation-service:my-tag .
-```
+A Dockerfile is provided to build a docker image. Releases automatically create Docker images 
+at [DockerHub](https://hub.docker.com/r/i4trust/activation-service) and 
+[quay.io](https://quay.io/repository/i4trust/activation-service).
 
-Make a copy of the configuration file `config/as.yml` and modify according to your environment. 
-Then run the image:
+Using Docker, the activation service can be run with:
 ```shell
-docker run --rm -it -p 7000:7000 -v <PATH_TO_FILE>/as.yml:/home/aservice/config/as.yml activation-service:my-tag
+docker run --rm -p 8080:8080 -v $PWD/config/as.yml:/var/aservice/config/as.yml quay.io/i4trust/activation-service:{RELEASE}
 ```
 
+To enable DEBUG output, add the ENV:
+* `-e "AS_LOG_LEVEL=DEBUG"`
+
+
 ### Kubernetes
 
 A Helm chart is provided on [GitHub](https://github.com/i4Trust/helm-charts/tree/main/charts/activation-service) 
@@ -50,24 +85,31 @@ and [Artifacthub](https://artifacthub.io/packages/helm/i4trust/activation-servic
 ## Endpoints
 
 * `/health`: Get health output of web server
-* `/token`: Forwards a token request to the `/token` endpoint at the locally configured authorisation registry
-* `/createpolicy`: Activates the service by creating a policy at the locally configured authorisation registry
+* `/token`: Forwards a token request to the `/token` endpoint at the locally configured authorisation registry (iSHARE flow)
+* `/createpolicy`: Activates the service by creating a policy at the locally configured authorisation registry (iSHARE flow)
 
 
 ## Extend
 
-This version just allows to create policies at the local authorisation registry when the `/createpolicy` endpoint 
-is called. 
+This version just allows to create policies at the local authorisation registry or entries at a trusted issuer list 
+during acquisition/activation. 
 
 However, depending on the service provided, it might be needed that further steps are required when activating 
-a service, e.g. booting worker nodes or adding other resources. Such steps could be added as additional 
-modules in the `./activation/` folder and be integrated in the `/createpolicy` endpoint implementation 
-in `server.js`.
+a service, e.g. booting worker nodes or adding other resources. Such steps require to extend this activation service 
+adding the necessary steps into the execution chain of the corresponding route.
 
 
 ## Debug
 
 Enable debugging by setting the environment variable:
 ```shell
-DEBUG="as:*"
+AS_LOG_LEVEL=DEBUG"
+```
+
+
+## Tests
+
+Tests can be run with `pytest` via
+```shell
+pytest
 ```