diff --git a/.env b/.env
deleted file mode 100644
index 036bb89..0000000
--- a/.env
+++ /dev/null
@@ -1,36 +0,0 @@
-# Project name
-COMPOSE_PROJECT_NAME=fiware
-
-# Orion variables
-ORION_PORT=1026
-ORION_VERSION=3.11.0
-
-# MongoDB variables
-MONGO_DB_PORT=27017
-MONGO_DB_VERSION=6.0
-
-# Tutorial variables
-TUTORIAL_APP_PORT=3000
-TUTORIAL_DUMMY_DEVICE_PORT=3001
-IOTA_SOUTH_PORT=7896
-
-# IoT Agent Ultralight Variables
-ULTRALIGHT_VERSION=3.1.0-distroless
-IOTA_NORTH_PORT=4041
-
-# Keyrock variables
-KEYROCK_VERSION=8.3.0-distroless
-KEYROCK_PORT=3005
-KEYROCK_HTTPS_PORT=3443
-
-# MySQL variables
-MYSQL_DB_VERSION=8.0
-MYSQL_DB_PORT=3306
-
-# Authzforce variables
-AUTHZFORCE_VERSION=release-10.0.0
-AUTHZFORCE_PORT=8080
-
-# PEP Proxy variables
-WILMA_VERSION=8.4.0-distroless
-ORION_PROXY_PORT=1027
\ No newline at end of file
diff --git a/.gitpod.yml b/.gitpod.yml
deleted file mode 100644
index 6fb63c9..0000000
--- a/.gitpod.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-tasks:
- - name: Pull Images
- init: ./services create
-
-ports:
- - name: Orion
- description: Context Broker
- port: 1026
- onOpen: notify
- - name: Wilma
- description: PEP Proxy
- port: 1027
- onOpen: ignore
- - name: Tutorial App
- description: Web app displaying context data
- port: 3000
- onOpen: open-preview
- - name: Tutorial Devices
- description: Dummy IoT Sensors over HTTP
- port: 3001
- onOpen: ignore
- - name: Keyrock
- description: Identity Manager
- port: 3005
- onOpen: open-preview
- - name: MySQL
- description: Database for Keyrock
- port: 3306
- onOpen: ignore
- - name: IoT Agent (North Port)
- description: NGSI data and device provisioning
- port: 4041
- onOpen: ignore
- - name: IoT Agent (South Port)
- description: Ultralight HTTP measures
- port: 7896
- onOpen: ignore
- - name: MongoDB
- description: Database for Orion + IoT Agent
- port: 27017
- onOpen: ignore
\ No newline at end of file
diff --git a/FIWARE XACML Rules.postman_collection.json b/FIWARE XACML Rules.postman_collection.json
deleted file mode 100644
index 78992e8..0000000
--- a/FIWARE XACML Rules.postman_collection.json
+++ /dev/null
@@ -1,505 +0,0 @@ -{ - "info": { - "_postman_id": "6554748b-8871-4e83-8c4d-7ab315f9894a", - "name": "FIWARE XACML Rules", - "description": "[![FIWARE Security](https://nexus.lab.fiware.org/repository/raw/public/badges/chapters/security.svg)](https://github.com/FIWARE/catalogue/blob/master/security/README.md)\n\nThis tutorial introduces an additional security generic enabler - **Authzforce**\nand adds fine grained control to the security rules generated by **Keyrock**.\nAccess to the entities created in the\n[previous tutorial](https://github.com/Fiware/tutorials.PEP-Proxy) is now\nconfigured and controlled using an XACML access control policy - this creates a\nflexible ruleset which can be uploaded and reinterpreted on the fly so complex\nbusiness rules can be created and changed according to current circumstances.\n\nThe tutorial discusses code showing how to integrate **Authzforce** within a web\napplication and demonstrates examples of **Authzforce** XACML Server-PDP\ninteractions. [cUrl](https://ec.haxx.se/) commands are used to show the\ninteractions between generic enablers.\n\nThe `docker-compose` files for this tutorial can be found on GitHub: \n\n![GitHub](https://fiware.github.io/tutorials.XACML-Access-Rules/icon/GitHub-Mark-32px.png) [FIWARE 405: Ruleset Based Permissions](https://github.com/Fiware/tutorials.XACML-Access-Rules)\n\n\n# Ruleset Based Permissions\n\n> \"Say: Come, I will rehearse what _Allah_ hath prohibited you from:\n>\n> - Join not anything as equal with _Him_\n> - Be good to your parents\n> - Kill not your children on a plea of want - _We_ provide sustenance for you\n> and for them\n> - Come not nigh to shameful deeds. 
Whether open or secret\n> - Take not life, which _Allah_ hath made sacred, except by way of justice\n> and law\n>\n> thus doth _He_ command you, that ye may learn wisdom.\"\n>\n> — Quran 6.151, Sūrat al-Anʻām\n\n[Previous tutorials](https://github.com/Fiware/tutorials.Securing-Access) have\nintroduced a simple access control system based on authentication (level 1) or\nbasic authorization access to resources based on a role (level 2). These\npolicies are easy to create, but the rules within them are very black and white,\nrules cannot rely on one another, have exception clauses or offer access based\non time limits or attribute values. There is also no mechanism to resolve\ndifferent rules in the case of conflict.\n\nTo satisfy a complex access control scenario, an additional arbitration\nmicroservice is required, which is able to come to a judgement on each\nPermit/Deny policy decision by reading and interpreting the full set of access\ncontrol rules, and based their judgement on the evidence provided by the\nrequesting service.\n\nFIWARE [Authzforce](https://authzforce-ce-fiware.readthedocs.io/) is a service\nwhich is able to provide such an interpretive Policy Decision Point (PDP). It is\nan advanced access control Generic Enabler which is able to interpret rules\nsupplied using the\n[XACML standard](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml).\nRulesets can be amended and uploaded at any time providing a flexible method to\nmaintain security policies which can change according to business need.\nFurthermore the language used to describe the access policy is designed to be\nhighly extensible and cover any access control scenario.\n\n## What is XACML\n\neXtensible Access Control Markup Language (XACML) is a vendor neutral\ndeclarative access control policy language. It was created to promote common\naccess control terminology and interoperability. 
The architectural naming\nconventions for elements such as Policy Execution Point (PEP) and Policy\nDecision Point (PDP) come from the XACML specifications.\n\nXACML policies are split into a hierarchy of three levels - ``,\n`` and ``, the `` is a collection of ``\nelements each of which contain one or more `` elements.\n\nEach `` within a `` is evaluated as to whether it should grant\naccess to a resource - the overall `` result is defined by the overall\nresult of all `` elements processed in turn. Separate `` results\nare then evaluated against each other using combining alogorthms define which\n`` wins in case of conflict.\n\nA `` element consists of a `` and a ``. This is an\nexample ``, it states access will be granted (`Effect=\"Permit\"`) when a\nPOST request is sent to the `/bell/ring` endpoint, provided that the\n`subject:role` has been provided and that the\n`role=security-role-0000-0000-000000000000` :\n\n```xml\n\n Ring Alarm Bell\n \n \n \n \n /bell/ring\n \n \n \n \n \n \n \n POST\n \n \n \n \n \n \n \n \n security-role-0000-0000-000000000000\n \n \n \n\n```\n\nThis is a very verbose method for creating a simple Verb-Resource access rule,\nbut unlike simple Verb-Resource rules, with XACML, other more complex\ncomparisons can be made, for example checking that time is before a certain hour\nof day, or checking that a URL starts with or contains a certain string.\nConditions can be specified down to the attribute level or combined to make\ncomplex calculations, for example - an XACML `` could be created to apply\nthe following policy:\n\n> _A store manager is able to amend Product prices only the first of the month,\n> and can only alter prices of products she or her immediate superior has\n> created in the first place_\n\nSuch a `` would require that the `` includes separate\nclauses/clarifications for the following:\n\n- What is the User's role? (e.g. `manager`)\n- What action is being invoked? 
(e.g PATCH or PUT)\n- Which resource is being protected URL string? (e.g. `/v2/entities`)\n- What other information must be present in the body of the request? (e.g.\n Entity `type` must equal `Product`)\n- When is the resource being requested? (e.g. the current date)\n- What other additional information must be retrieved from elsewhere prior to\n making the request\n - Who created the entity? Is it me or my manager?\n\nAs you can see these rules can quickly become very complex. For this initial\nintroduction to XACML, the basic rule set used will be kept as simple as\npossible to avoid unnecessary confusion, suffice it to say that an access policy\nbased on XACML can be expanded to fit the security needs of any complex system.\n\n# Prerequisites\n\n## Docker\n\nTo keep things simple all components will be run using\n[Docker](https://www.docker.com). **Docker** is a container technology which\nallows to different components isolated into their respective environments.\n\n- To install Docker on Windows follow the instructions\n [here](https://docs.docker.com/docker-for-windows/)\n- To install Docker on Mac follow the instructions\n [here](https://docs.docker.com/docker-for-mac/)\n- To install Docker on Linux follow the instructions\n [here](https://docs.docker.com/install/)\n\n**Docker Compose** is a tool for defining and running multi-container Docker\napplications. A\n[YAML file](https://raw.githubusercontent.com/Fiware/tutorials.Identity-Management/master/docker-compose.yml)\nis used configure the required services for the application. This means all\ncontainer services can be brought up in a single command. Docker Compose is\ninstalled by default as part of Docker for Windows and Docker for Mac, however\nLinux users will need to follow the instructions found\n[here](https://docs.docker.com/compose/install/)\n\n## Cygwin\n\nWe will start up our services using a simple bash script. 
Windows users should\ndownload [cygwin](http://www.cygwin.com/) to provide a command-line\nfunctionality similar to a Linux distribution on Windows.\n\n# Architecture\n\nThis application adds level 3 Advanced Authorization security into the existing\nStock Management and Sensors-based application created in\n[previous tutorials](https://github.com/Fiware/tutorials.Securing-Access/) and\nsecures access to the context broker behind a\n[PEP Proxy](https://github.com/Fiware/tutorials.PEP-Proxy/). It will make use of\nfive FIWARE components - the\n[Orion Context Broker](https://fiware-orion.readthedocs.io/en/latest/),the\n[IoT Agent for UltraLight 2.0](https://fiware-iotagent-ul.readthedocs.io/en/latest/),\nthe [Keyrock](https://fiware-idm.readthedocs.io/en/latest/) Identity Manager,\nthe [Wilma]() PEP Proxy and the\n[Authzforce](https://authzforce-ce-fiware.readthedocs.io) XACML Server. All\naccess control decisions will be delegated to **Authzforce** which will read the\nruleset from a previously uploaded policy domain.\n\nBoth the Orion Context Broker and the IoT Agent rely on open source\n[MongoDB](https://www.mongodb.com/) technology to keep persistence of the\ninformation they hold. 
We will also be using the dummy IoT devices created in\nthe [previous tutorial](https://github.com/Fiware/tutorials.IoT-Sensors/).\n**Keyrock** uses its own [MySQL](https://www.mysql.com/) database.\n\nTherefore the overall architecture will consist of the following elements:\n\n- The FIWARE\n [Orion Context Broker](https://fiware-orion.readthedocs.io/en/latest/) which\n will receive requests using\n [NGSI](https://fiware.github.io/specifications/OpenAPI/ngsiv2)\n- The FIWARE\n [IoT Agent for UltraLight 2.0](https://fiware-iotagent-ul.readthedocs.io/en/latest/)\n which will receive southbound requests using\n [NGSI](https://fiware.github.io/specifications/OpenAPI/ngsiv2) and convert\n them to\n [UltraLight 2.0](https://fiware-iotagent-ul.readthedocs.io/en/latest/usermanual/index.html#user-programmers-manual)\n commands for the devices\n- FIWARE [Keyrock](https://fiware-idm.readthedocs.io/en/latest/) offer a\n complement Identity Management System including:\n - An OAuth2 authentication system for Applications and Users\n - A site graphical frontend for Identity Management Administration\n - An equivalent REST API for Identity Management via HTTP requests\n- FIWARE [Authzforce](https://authzforce-ce-fiware.readthedocs.io/) is a XACML\n Server providing an interpretive Policy Decision Point (PDP) access to the\n **Orion** and/or **IoT Agent** microservices\n- FIWARE [Wilma](https://fiware-pep-proxy.rtfd.io/) is a PEP Proxy securing\n access to the **Orion** microservices, it delegates the passing of\n authorisation decisions to **Authzforce** PDP\n- The underlying [MongoDB](https://www.mongodb.com/) database :\n - Used by the **Orion Context Broker** to hold context data information\n such as data entities, subscriptions and registrations\n - Used by the **IoT Agent** to hold device information such as device URLs\n and Keys\n- A [MySQL](https://www.mysql.com/) database :\n - Used to persist user identities, applications, roles and permissions\n- The **Stock 
Management Frontend** does the following:\n - Displays store information\n - Shows which products can be bought at each store\n - Allows users to \"buy\" products and reduce the stock count.\n - Allows authorized users into restricted areas, it also delegates\n authoriation decisions to the **Authzforce** PDP\n- A webserver acting as set of\n [dummy IoT devices](https://github.com/Fiware/tutorials.IoT-Sensors) using\n the\n [UltraLight 2.0](https://fiware-iotagent-ul.readthedocs.io/en/latest/usermanual/index.html#user-programmers-manual)\n protocol running over HTTP - access to certain resources is restricted.\n\nSince all interactions between the elements are initiated by HTTP requests, the\nentities can be containerized and run from exposed ports.\n\n![](https://fiware.github.io/tutorials.XACML-Access-Rules/img/architecture.png)\n\nThe specific architecture of each section of the tutorial is discussed below.\n\n## Keyrock Configuration\n\n```yaml\nkeyrock:\n image: quay.io/fiware/idm\n container_name: fiware-keyrock\n hostname: keyrock\n networks:\n default:\n ipv4_address: 172.18.1.5\n depends_on:\n - mysql-db\n - authzforce\n ports:\n - \"3005:3005\"\n environment:\n - DEBUG=idm:*\n - DATABASE_HOST=mysql-db\n - IDM_DB_PASS_FILE=/run/secrets/my_secret_data\n - IDM_DB_USER=root\n - IDM_HOST=http://localhost:3005\n - IDM_PORT=3005\n - IDM_ADMIN_USER=alice\n - IDM_ADMIN_EMAIL=alice-the-admin@test.com\n - IDM_ADMIN_PASS=test\n - IDM_PDP_LEVEL=advanced\n - IDM_AUTHZFORCE_ENABLED=true\n - IDM_AUTHZFORCE_HOST=authzforce\n - IDM_AUTHZFORCE_PORT=8080\n secrets:\n - my_secret_data\n```\n\nThe `keyrock` container is a web application server listening on a single port:\n\n- Port `3005` has been exposed for HTTP traffic so we can display the web page\n and interact with the REST API.\n\nThe `keyrock` container is connecting to **Authzforce** and is driven by\nenvironment variables as shown:\n\n| Key | Value | Description |\n| ---------------------- | ------------ | 
---------------------------------------------------------------------------- |\n| IDM_PDP_LEVEL | `advanced` | Flag indicating that **Keyrock** should delegate PDP decisions to Authzforce |\n| IDM_AUTHZFORCE_ENABLED | `true` | Flag indicating that **Authzforce** is available |\n| IDM_AUTHZFORCE_HOST | `authzforce` | This is URL where the **Authzforce** is found |\n| IDM_AUTHZFORCE_PORT | `8080` | Port that **Authzforce** is listening on |\n\nThe other `keyrock` container configuration values described in the YAML file\nhave been described in previous tutorials\n\n## PEP Proxy Configuration\n\n```yaml\norion-proxy:\n image: quay.io/fiware/pep-proxy\n container_name: fiware-orion-proxy\n hostname: orion-proxy\n networks:\n default:\n ipv4_address: 172.18.1.10\n depends_on:\n - keyrock\n - authzforce\n ports:\n - \"1027:1027\"\n expose:\n - \"1027\"\n environment:\n - PEP_PROXY_APP_HOST=orion\n - PEP_PROXY_APP_PORT=1026\n - PEP_PROXY_PORT=1027\n - PEP_PROXY_IDM_HOST=keyrock\n - PEP_PROXY_HTTPS_ENABLED=false\n - PEP_PROXY_IDM_SSL_ENABLED=false\n - PEP_PROXY_IDM_PORT=3005\n - PEP_PROXY_APP_ID=tutorial-dckr-site-0000-xpresswebapp\n - PEP_PROXY_USERNAME=pep_proxy_00000000-0000-0000-0000-000000000000\n - PEP_PASSWORD=test\n - PEP_PROXY_PDP=authzforce\n - PEP_PROXY_AUTH_ENABLED=true\n - PEP_PROXY_MAGIC_KEY=1234\n - PEP_PROXY_AZF_PROTOCOL=http\n - PEP_PROXY_AZF_HOST=authzforce\n - PEP_PROXY_AZF_PORT=8080\n```\n\nThe `orion-proxy` container is an instance of FIWARE **Wilma** listening on port\n`1027`, it is configured to forward traffic to `orion` on port `1026`, which is\nthe default port that the Orion Context Broker is listening to for NGSI\nRequests.\n\nThe `orion-proxy` container is delegating PDP decisions to **Authzforce** and is\ndriven by environment variables as shown:\n\n| Key | Value | Description |\n| ---------------------- | ------------ | --------------------------------------------------------- |\n| PEP_PROXY_PDP | `authzforce` | Flag ensuring that the PEP 
Proxy uses Authzforce as a PDP |\n| PEP_PROXY_AZF_PROTOCOL | `http` | Flag to enable use of the XACML PDP |\n| PEP_PROXY_AZF_HOST | `authzforce` | This is URL where the **Authzforce** is found users |\n| PEP_PROXY_AZF_PORT | `8080` | Port that **Authzforce** is listening on |\n\nThe other `orion-proxy` container configuration values described in the YAML\nfile have been described in previous tutorials\n\n## Authzforce Configuration\n\n```yaml\nauthzforce:\n image: fiware/authzforce-ce-server\n hostname: authzforce\n container_name: fiware-authzforce\n networks:\n default:\n ipv4_address: 172.18.1.12\n ports:\n - \"8080:8080\"\n volumes:\n - ./authzforce/domains:/opt/authzforce-ce-server/data/domains\n```\n\nThe `authzforce` container is listening on port `8080`, where it receives\nrequests to make PDP decisions. A volume has been exposed to upload a\npre-configured domain so that a set of XACML access control policies has already\nbeen supplied.\n\n## Tutorial Security Configuration\n\n```yaml\ntutorial:\n image: quay.io/fiware/tutorials.context-provider\n hostname: iot-sensors\n container_name: fiware-tutorial\n networks:\n default:\n ipv4_address: 172.18.1.7\n expose:\n - \"3000\"\n - \"3001\"\n ports:\n - \"3000:3000\"\n - \"3001:3001\"\n environment:\n - \"DEBUG=tutorial:*\"\n - \"WEB_APP_PORT=3000\"\n - \"KEYROCK_URL=http://localhost\"\n - \"KEYROCK_IP_ADDRESS=http://172.18.1.5\"\n - \"KEYROCK_PORT=3005\"\n - \"KEYROCK_CLIENT_ID=tutorial-dckr-site-0000-xpresswebapp\"\n - \"KEYROCK_CLIENT_SECRET=tutorial-dckr-site-0000-clientsecret\"\n - \"CALLBACK_URL=http://localhost:3000/login\"\n - \"AUTHZFORCE_ENABLED=true\"\n - \"AUTHZFORCE_URL=http://authzforce\"\n - \"AUTHZFORCE_PORT=8080\"\n```\n\nThe `tutorial` container is listening on two ports:\n\n- Port `3000` is exposed so we can see the web page displaying the Dummy IoT\n devices.\n- Port `3001` is exposed purely for tutorial access - so that cUrl or Postman\n can make UltraLight commands without being part of 
the same network.\n\nThe `tutorial` container is now secured by **Authforce**, and is driven by\nenvironment variables as shown:\n\n| Key | Value | Description |\n| ------------------ | ------------------- | --------------------------------------------------- |\n| AUTHZFORCE_ENABLED | `true` | Flag to enable use of the XACML PDP |\n| AUTHZFORCE_URL | `http://authzforce` | This is URL where the **Authzforce** is found users |\n| AUTHZFORCE_PORT | `8080` | Port that **Authzforce** is listening on |\n\nThe other `tutorial` container configuration values described in the YAML file\nhave been described in previous tutorials\n\n# Start Up\n\nTo start the installation, do the following:\n\n```console\ngit clone git@github.com:Fiware/tutorials.XACML-Access-Rules.git\ncd tutorials.XACML-Access-Rules\n\n./services create\n```\n\n> **Note** The initial creation of Docker images can take up to three minutes\n\nThereafter, all services can be initialized from the command-line by running the\n[services](https://github.com/Fiware/tutorials.XACML-Access-Rules/blob/master/services)\nBash script provided within the repository:\n\n```console\n./services start\n```\n\n> :information_source: **Note:** If you want to clean up and start over again\n> you can do so with the following command:\n>\n> ```console\n> ./services stop\n> ```\n\n### Dramatis Personae\n\nThe following people at `test.com` legitimately have accounts within the\nApplication\n\n- Alice, she will be the Administrator of the **Keyrock** Application\n- Bob, the Regional Manager of the supermarket chain - he has several store\n managers under him:\n - Manager1\n - Manager2\n- Charlie, the Head of Security of the supermarket chain - he has several\n store detectives under him:\n - Detective1\n - Detective2\n\n| Name | eMail | Password |\n| ---------- | ------------------------- | -------- |\n| alice | alice-the-admin@test.com | `test` |\n| bob | bob-the-manager@test.com | `test` |\n| charlie | charlie-security@test.com | 
`test` |\n| manager1 | manager1@test.com | `test` |\n| manager2 | manager2@test.com | `test` |\n| detective1 | detective1@test.com | `test` |\n| detective2 | detective2@test.com | `test` |\n\nThe following people at `example.com` have signed up for accounts, but have no\nreason to be granted access\n\n- Eve - Eve the Eavesdropper\n- Mallory - Mallory the malicious attacker\n- Rob - Rob the Robber\n\n| Name | eMail | Password |\n| ------- | ------------------- | -------- |\n| eve | eve@example.com | `test` |\n| mallory | mallory@example.com | `test` |\n| rob | rob@example.com | `test` |\n", - "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json" - }, - "item": [ - { - "name": "Reading XACML Access Rules", - "item": [ - { - "name": "Authzforce - Obtain Version Information", - "request": { - "method": "GET", - "header": [ - { - "key": "Accept", - "value": "application/xml", - "type": "text" - } - ], - "body": { - "mode": "raw", - "raw": "" - }, - "url": { - "raw": "http://{{authzforce}}/authzforce-ce/version", - "protocol": "http", - "host": [ - "{{authzforce}}" - ], - "path": [ - "authzforce-ce", - "version" - ] - }, - "description": "Once **Authzforce** is running, you can check the status by making an HTTP\nrequest to the exposed administration port (usually `8080`. If the response is\nblank, this is usually because **Authzforce** is not running or is listening on\nanother port.\n\nThe response returns information about the version of Authzforce." 
- }, - "response": [] - }, - { - "name": "List all domains", - "request": { - "method": "GET", - "header": [], - "body": { - "mode": "raw", - "raw": "" - }, - "url": { - "raw": "http://{{authzforce}}/authzforce-ce/domains", - "protocol": "http", - "host": [ - "{{authzforce}}" - ], - "path": [ - "authzforce-ce", - "domains" - ] - }, - "description": "To request domain information from **Authzforce**, make a request to the\n`/authzforce-ce/domains` endpoint.\n\nThe response lists the domains which are available in **Authzforce**. This\ncorresponds to the directory structure uploaded to **Authzforce** on start-up." - }, - "response": [] - }, - { - "name": "Read a single domain", - "request": { - "method": "GET", - "header": [], - "body": { - "mode": "raw", - "raw": "" - }, - "url": { - "raw": "http://{{authzforce}}/authzforce-ce/domains/{{domain-id}}", - "protocol": "http", - "host": [ - "{{authzforce}}" - ], - "path": [ - "authzforce-ce", - "domains", - "{{domain-id}}" - ] - }, - "description": "To read information about a domain, and to explore further, make a request to\nthe `authzforce-ce/domains/{{domain-id}}` endpoint. 
The following request\nobtains information about the `gQqnLOnIEeiBFQJCrBIBDA` domain, which has been\ngenerated using using a random key by an external Policy Adminstration Point in\nthis case **Keyrock** has been used as the PAP, and pre-generated the rule sets.\n\nThe response lists more information about the domain, including the id used\nwithin **Keyrock** (`tutorial-dckr-site-0000-xpresswebapp`)" - }, - "response": [] - }, - { - "name": "List all PolicySets available within a Domain", - "request": { - "method": "GET", - "header": [], - "body": { - "mode": "raw", - "raw": "" - }, - "url": { - "raw": "http://{{authzforce}}/authzforce-ce/domains/{{domain-id}}/pap/policies", - "protocol": "http", - "host": [ - "{{authzforce}}" - ], - "path": [ - "authzforce-ce", - "domains", - "{{domain-id}}", - "pap", - "policies" - ] - }, - "description": "To list the generated ids for all of the PolicySets found within a domain make a\nrequest to the `authzforce-ce/domains/{{domain-id}}/pap/policies` endpoint. The\nfollowing request obtains a list of a given policy ids found within the\n`gQqnLOnIEeiBFQJCrBIBDA` domain.\n\nThe response returns a list of available revisions of the given policy which are\navailable within. the **Authzforce** container. This corresponds the named XML\nfiles `1.xml`, `2.xml` etc." 
- }, - "response": [] - }, - { - "name": "List the available revisions of a PolicySet", - "request": { - "method": "GET", - "header": [], - "body": { - "mode": "raw", - "raw": "" - }, - "url": { - "raw": "http://{{authzforce}}/authzforce-ce/domains/{{domain-id}}/pap/policies/{{policy-id}}", - "protocol": "http", - "host": [ - "{{authzforce}}" - ], - "path": [ - "authzforce-ce", - "domains", - "{{domain-id}}", - "pap", - "policies", - "{{policy-id}}" - ] - }, - "description": "To list the available revisions of a policy, make a request to the\n`authzforce-ce/domains/{{domain-id}}/pap/policies/{{policy-id}}` endpoint.\nAvailable policy id are randomly generated, and can be obtained by drilling down\nusing the previous request. The following request obtains a list revision of a\ngiven policy found within the `gQqnLOnIEeiBFQJCrBIBDA` domain.\n\nThe response returns a list of available revisions of the given policy which are\navailable within the **Authzforce** container. This corresponds the named XML\nfiles `1.xml`, `2.xml` etc." - }, - "response": [] - }, - { - "name": "Read a single version of a PolicySet", - "request": { - "method": "GET", - "header": [], - "body": { - "mode": "raw", - "raw": "" - }, - "url": { - "raw": "http://{{authzforce}}/authzforce-ce/domains/{{domain-id}}/pap/policies/{{policy-id}}/2", - "protocol": "http", - "host": [ - "{{authzforce}}" - ], - "path": [ - "authzforce-ce", - "domains", - "{{domain-id}}", - "pap", - "policies", - "{{policy-id}}", - "2" - ] - }, - "description": "To obtain a single revison of a ``, make a request to the\n`authzforce-ce/domains/{{domain-id}}/pap/policies/{{policy-id}}/{{revision-number}}`\nendpoint. The following request obtains the second revision of the given policy\nfound within the `gQqnLOnIEeiBFQJCrBIBDA` domain.\n\nThe response contains the full `` for the given revision. 
This is a\ncopy of\n[the file](https://github.com/Fiware/tutorials.XACML-Access-Rules/blob/master/authzforce/domains/gQqnLOnIEeiBFQJCrBIBDA/policies/ZjgxOTRhZjUtOGEwNy00ODZhLTk1ODEtYzFmMDVkMDU0ODNj/2.xml)\nheld within **Authzforce**." - }, - "response": [] - } - ], - "description": "A single XACML server can be used to administrate access control policies for\nmultiple applications. **Authzforce** is implicitly multi-tenant, in that it\nallows separate organizations to work on their policies in isolation from one\nanother. This is done by separating the security policies for each application\ninto a separate **domain** where they can access their own ``. A\ndomain holds meta data about the secured application along with versions of the\npolicies themselves (effectively a series of files which can be accessed by a\nfile server). The domain management API can be used to query **Authzforce**\nabout the domains served and policies held.", - "event": [ - { - "listen": "prerequest", - "script": { - "id": "a4c41e34-093d-4739-b5e1-13736c5a803c", - "type": "text/javascript", - "exec": [ - "" - ] - } - }, - { - "listen": "test", - "script": { - "id": "62d13514-54db-4270-a2c2-beed012e7404", - "type": "text/javascript", - "exec": [ - "" - ] - } - } - ] - }, - { - "name": "Requesting Policy Decisions", - "item": [ - { - "name": "Permit Access to a Resource", - "request": { - "method": "POST", - "header": [ - { - "key": "Content-Type", - "value": "application/xml", - "type": "text" - } - ], - "body": { - "mode": "raw", - "raw": "\n\n \n \n managers-role-0000-0000-000000000000\n \n \n \n \n tutorial-dckr-site-0000-xpresswebapp\n \n \n /app/price-change\n \n \n \n \n GET\n \n \n \n" - }, - "url": { - "raw": "http://{{authzforce}}/authzforce-ce/domains/{{domain-id}}/pdp", - "protocol": "http", - "host": [ - "{{authzforce}}" - ], - "path": [ - "authzforce-ce", - "domains", - "{{domain-id}}", - "pdp" - ] - }, - "description": "To request a decision from Authzforce, make a POST 
requets to the\n`domains/{domain-id}/pdp` endpoint. In this case the user has the\n`managers-role-0000-0000-000000000000` and is requesting access the the\n`/app/price-change` resource.\n\nThe `managers-role-0000-0000-000000000000` permits access to the\n`/app/price-change` endpoint. The response for a successful request includes a\n`` element to `Permit` access to the resource." - }, - "response": [] - }, - { - "name": "Deny Access to a Resource", - "request": { - "method": "POST", - "header": [ - { - "key": "Content-Type", - "value": "application/xml", - "type": "text" - } - ], - "body": { - "mode": "raw", - "raw": "\n\n \n \n security-role-0000-0000-000000000000\n \n \n \n \n tutorial-dckr-site-0000-xpresswebapp\n \n \n /app/price-change\n \n \n \n \n GET\n \n \n \n" - }, - "url": { - "raw": "http://{{authzforce}}/authzforce-ce/domains/{{domain-id}}/pdp", - "protocol": "http", - "host": [ - "{{authzforce}}" - ], - "path": [ - "authzforce-ce", - "domains", - "{{domain-id}}", - "pdp" - ] - }, - "description": "To request a decision from Authzforce, make a POST requets to the\n`domains/{domain-id}/pdp` endpoint. In this case the user has the\n`security-role-0000-0000-000000000000` and is requesting access the the\n`/app/price-change` resource.\n\nThe `security-role-0000-0000-000000000000` does not permit access to the\n`/app/price-change` endpoint. The response for an unsuccessful request includes\na `` element which will `Deny` access to the resource." 
- }, - "response": [] - } - ], - "description": "For the purpose of this tutorial, **Authzforce** has been just been supplied\nwith a simple set of basic role-based rules in a similar fashion to the level 2\nauthorization example found in the previous Securing Access tutorial:\n\n- The unlock door command can only be sent by **Security** staff.\n- Access to the price-change and order-stock areas are only available to\n **Managers**\n- People with either the **Manager** or **Security** role can ring the bell\n- Both **Manager** or **Security** can access and interact with the store data\n\nThe only difference is that access to all store entities is now restricted to\nusers with an assigned role rather than being based on level 1 authentication\naccess.\n\nTo request a decision from Authzforce, a structured request containing all\nrelevant information must be sent to the `domains/{domain-id}/pdp` endpoint. In\nthis case, the Body of the request includes information such as the roles that\nthe User has, the application id that is being requested\n(`tutorial-dckr-site-0000-xpresswebapp`) and the HTTP verb and resource that are\nbeing requested ( a GET request on the `/app/price-change` URL). 
Obviously the\ninformation passed in the Body can be expanded as the rules become more complex.", - "event": [ - { - "listen": "prerequest", - "script": { - "id": "7b40d496-0a0f-424d-a300-d7a4c7946cf7", - "type": "text/javascript", - "exec": [ - "" - ] - } - }, - { - "listen": "test", - "script": { - "id": "121f1a38-45b2-4245-9fdc-97dfd34c1f5b", - "type": "text/javascript", - "exec": [ - "" - ] - } - } - ] - }, - { - "name": "PDP - Advanced Authorization", - "item": [ - { - "name": "Keyrock - User Obtains an Access Token", - "request": { - "method": "POST", - "header": [ - { - "key": "Authorization", - "value": "Basic {{Authorization}}", - "description": "base64 concatenation of Client Id and Client Secret" - }, - { - "key": "Content-Type", - "value": "application/x-www-form-urlencoded" - }, - { - "key": "Accept", - "value": "application/json" - } - ], - "body": { - "mode": "raw", - "raw": "username=bob-the-manager@test.com&password=test&grant_type=password" - }, - "url": { - "raw": "http://{{keyrock}}/oauth2/token", - "protocol": "http", - "host": [ - "{{keyrock}}" - ], - "path": [ - "oauth2", - "token" - ] - }, - "description": "In order to identify themselves, every user must obtain an access token, in\norder to do so, they must use one of the OAuth2 access grants described in a\n[previous tutorial](https://github.com/Fiware/tutorials.Securing-Access).\n\nTo log in using the user-credentials flow send a POST request to the\n`oauth2/token` endpoint of **Keyrock** with the `grant_type=password`\n\nThe response returns an `access_token` to identify the user (in this case Bob\nthe Manager)" - }, - "response": [] - }, - { - "name": "Keyrock - Obtain Roles and Domain", - "request": { - "method": "GET", - "header": [ - { - "key": "Accept", - "value": "application/json", - "disabled": true - } - ], - "body": { - "mode": "raw", - "raw": "" - }, - "url": { - "raw": "http://{{keyrock}}/user?access_token={{access-token-bob}}&app_id={{app-id}}&authzforce=true", - "protocol": 
"http", - "host": [ - "{{keyrock}}" - ], - "path": [ - "user" - ], - "query": [ - { - "key": "access_token", - "value": "{{access-token-bob}}" - }, - { - "key": "app_id", - "value": "{{app-id}}" - }, - { - "key": "authzforce", - "value": "true" - } - ] - }, - "description": "If a user has logged in, the `access_token` can be used in combiniation with the `/user` endpoint\nto obtain access permissions to a resouce. This example retrieves Bobs's permissions to a given\nresource.\n\nWhere :\n\n- `{{access-token}}` is the current access token of a logged in user (e.g.\n `08fef363c429cb34cfff3f56dfe751a8d1890690`)\n- `{{app-id}}` holds the application to request\n `tutorial-dckr-site-0000-xpresswebapp` and `authzforce=true` indicates that\n we want to obtain an **Authzforce** Domain from **Keyrock**\n\nThe response include an `authorization_decision` attribute which denies direct\naccess for the request, but includes additional information so that an\nadditional request a decision from **Authzforce**\n\nIn the example below the access token used belonged to Bob the manager, and his\nroles and the `app_azf_domain` associated to the `app-id` are returned." - }, - "response": [] - }, - { - "name": "Authzforce - Apply a Policy to a Request", - "request": { - "method": "POST", - "header": [ - { - "key": "Content-Type", - "value": "application/xml", - "type": "text" - } - ], - "body": { - "mode": "raw", - "raw": "\n\n \n \n managers-role-0000-0000-000000000000\n \n \n \n \n tutorial-dckr-site-0000-xpresswebapp\n \n \n /v2/entities\n \n \n \n \n POST\n \n \n \n" - }, - "url": { - "raw": "http://{{authzforce}}/authzforce-ce/domains/{{domain-id}}/pdp", - "protocol": "http", - "host": [ - "{{authzforce}}" - ], - "path": [ - "authzforce-ce", - "domains", - "{{domain-id}}", - "pdp" - ] - }, - "description": "To request a decision from Authzforce, a structured request containing all\nrelevant information must be sent to the `domains/{domain-id}/pdp` endpoint. 
In\nthis case, the Body of the request includes information such as the roles that\nthe User has (`managers-role-0000-0000-000000000000`), the application id that\nis being requested (`tutorial-dckr-site-0000-xpresswebapp`) and the HTTP verb\nand resource that are being requested ( a POST request on the `/v2/entities`\nURL)\n\nThe response includes a `` element which will either `Permit` or\n`Deny` the request." - }, - "response": [] - } - ], - "description": "As a reminder, there are three Levels of PDP Access Control:\n\n- Level 1: Authentication Access - Allow all actions to every signed in user\n and no actions to an anonymous user.\n- Level 2: Basic Authorization - Check which resources and verbs the currently\n logged in user should have access to\n- Level 3: Advanced Authorization - Fine grained control through\n [XACML](https://en.wikipedia.org/wiki/XACML)\n\nWithin FIWARE, Level 3 access control can be provided by adding **Authzforce**\nto the existing security microservices (IDM and PEP Proxy) within the Smart\nApplication infrastructure. Access control levels 1 and 2 have been covered in\n[previous tutorials](https://github.com/Fiware/tutorials.Securing-Access) and\ncan be fulfilled using **Keyrock** alone or with or without an associated PEP\nProxy.\n\nAdvanced Authorization is able to deal with complex rulesets. Permissions are no\nlonger merely based on a fixed role, resource and an action, but can be extended\nas necessary.\n\nFor example users in role `XXX` can access URL **starting with** `YYY` provided\nthat the HTTP verb **is either** `GET`, `PUT` or `POST`. Such users may also\n`DELETE` **provided that** they were the creator in the first place.\n\nWithin the tutorial programatic example we are using our own trusted instance of\n**Keyrock** - once a user has signed in and obtained an `access_token`, the\n`access_token` can be stored in session and used to retrieve user details on\ndemand. 
All access to the Orion context broker is hidden behind a PEP Proxy.\nWhenever a request is made to Orion, the `access_token` is passed in the header\nof the request, and the PEP proxy handles the decision to whether to execute the\nrequest.", - "event": [ - { - "listen": "prerequest", - "script": { - "id": "d0b2c33c-4bd4-4144-b0c4-6ff68f7c4b51", - "type": "text/javascript", - "exec": [ - "" - ] - } - }, - { - "listen": "test", - "script": { - "id": "1c0f1529-fe24-44cf-a947-6cc4d9132580", - "type": "text/javascript", - "exec": [ - "" - ] - } - } - ] - }, - { - "name": "Advanced Authorization - Sample Code", - "item": [], - "description": "Programmatically, any Policy Execution Point consists of two parts, an oAuth\nrequest to Keyrock retrieves information about the user (such as the assigned\nroles) as well as the policy domain to be queried.\n\nA second request is sent to the relevant domain endpoint within Authzforce,\nproviding all of the information necessary for Authzforce to provide a\njudgement. 
Authzforce responds with a **permit** or **deny** response, and the\ndecision whether to continue can be made thereafter.\n\n```javascript\nfunction authorizeAdvancedXACML(req, res, next, resource = req.url) {\n const keyrockUserUrl =\n \"http://keyrock/user?access_token=\" +\n req.session.access_token +\n \"&app_id=\" +\n clientId +\n \"&authzforce=true\";\n\n return oa\n .get(keyrockUserUrl)\n .then(response => {\n const user = JSON.parse(response);\n return azf.policyDomainRequest(\n user.app_azf_domain,\n user.roles,\n resource,\n req.method\n );\n })\n .then(authzforceResponse => {\n res.locals.authorized = authzforceResponse === \"Permit\";\n return next();\n })\n .catch(error => {\n debug(error);\n res.locals.authorized = false;\n return next();\n });\n}\n```\n\nThe full code to supply each request to Authzforce can be found within the\ntutorials'\n[Git Repository](https://github.com/Fiware/tutorials.Step-by-Step/blob/master/context-provider/lib/azf.js) -\nthe actual information to supply will depend on business use case - it could be\nexpanded to include temporal information, relationships between records and so\non, but in this very simple example only roles are necessary.\n\n```javascript\nconst xml2js = require(\"xml2js\");\nconst request = require(\"request\");\n\nfunction policyDomainRequest(domain, roles, resource, action) {\n let body =\n '\\n' +\n '\\n';\n // Code to create the XML body for the request is omitted\n body = body + \"\";\n\n const options = {\n method: \"POST\",\n url: \"http://authzforceUrl/authzforce-ce/domains/\" + domain + \"/pdp\",\n headers: { \"Content-Type\": \"application/xml\" },\n body\n };\n\n return new Promise((resolve, reject) => {\n request(options, function(error, response, body) {\n let decision;\n xml2js.parseString(\n body,\n { tagNameProcessors: [xml2js.processors.stripPrefix] },\n function(err, jsonRes) {\n // The decision is found within the /Response/Result[0]/Decision[0] XPath\n decision = 
jsonRes.Response.Result[0].Decision[0];\n }\n );\n decision = String(decision);\n return error ? reject(error) : resolve(decision);\n });\n });\n}\n```\n\n### Advanced Authorization - PEP Proxy\n\nApplying advanced authorization within a PEP proxy requires very similar code to\nthe programmatic example described above. The **Wilma** generic enabler extracts\na token from the header supplied by the request and makes a request to\n**Keyrock** to obtain further information about the user. A PDP request is then\nmade to **Authzforce** to decide whether to procede.\n\nObviously any scalable solution should also cache information about the PDP\nrequests made and the responses to avoid making unnecessary requests.\n\n## PDP - Advanced Authorization - Running the Example\n\n> **Note** Five resources have been secured at level 3:\n>\n> - sending the unlock door command\n> - sending the ring bell command\n> - access to the price-change area\n> - access to the order-stock area\n> - access to Orion (behind a PEP Proxy)\n\n#### Eve the Eavesdropper\n\nEve has an account, but no roles in the application.\n\n> **Note** As Eve has a recognized account, she gains full authentication\n> access. 
This means she is able to _view_ the Store page, even though her\n> account has no roles attached.\n\n- From `http://localhost:3000`, log in as `eve@example.com` with the password\n `test`\n\n##### Level 3 : Advanced Authorization Access\n\n- Click on any store page - access to view the page is **permitted** for any\n logged in users, however access to retrieve Orion data is now **denied**\n since Eve has no role which permits access.\n\n- Click on the restricted access links at `http://localhost:3000` - access is\n **denied**\n- Open the Device Monitor on `http://localhost:3000/device/monitor`\n - Unlock a door - access is **denied**\n - Ring a bell - access is **denied**\n\n#### Bob The Regional Manager\n\nBob has the **management** role\n\n- From `http://localhost:3000`, log in as `bob-the-manager@test.com` with the\n password `test`\n\n##### Level 3 : Advanced Authorization Access\n\n- Click on the restricted access links at `http://localhost:3000` - access is\n **permitted** - This is a management only permission\n- Open the Device Monitor on `http://localhost:3000/device/monitor`\n - Unlock a door - access is **denied**. 
- This is a security only\n permission\n - Ring a bell - access is **permitted** - This is permitted to management\n users\n\n#### Charlie the Security Manager\n\nCharlie has the **security** role\n\n- From `http://localhost:3000`, log in as `charlie-security@test.com` with the\n password `test`\n\n##### Level 3: Advanced Authorization Access\n\n- Click on the restricted access links at `http://localhost:3000` - access is\n **denied** - This is a management only permission\n- Open the Device Monitor on `http://localhost:3000/device/monitor`\n - Unlock a door - access is **permitted** - This is a security only\n permission\n - Ring a bell - access is **permitted** - This is permitted to security\n users" - } - ], - "event": [ - { - "listen": "prerequest", - "script": { - "id": "bf821021-7bc2-471e-9ab7-a55ecb9e663f", - "type": "text/javascript", - "exec": [ - "" - ] - } - }, - { - "listen": "test", - "script": { - "id": "1269e342-1093-4844-83cb-f8fed192c512", - "type": "text/javascript", - "exec": [ - "" - ] - } - } - ], - "variable": [ - { - "id": "a4fd4d74-91c2-40c8-90db-dd2105f84229", - "key": "authzforce", - "value": "localhost:8080", - "type": "string" - }, - { - "id": "db7a18f9-a324-4891-abb0-f6c3dbee9d25", - "key": "keyrock", - "value": "localhost:3005", - "type": "string" - }, - { - "id": "2123a7a0-b227-4aca-b995-743f03cd9042", - "key": "domain-id", - "value": "gQqnLOnIEeiBFQJCrBIBDA", - "type": "string" - }, - { - "id": "5ee42927-62ef-4f24-88fb-a504e5113abf", - "key": "policy-id", - "value": "f8194af5-8a07-486a-9581-c1f05d05483c", - "type": "string" - }, - { - "id": "1741a020-4e63-4e42-b2b2-febf5a2d8fbb", - "key": "Authorization", - "value": "dHV0b3JpYWwtZGNrci1zaXRlLTAwMDAteHByZXNzd2ViYXBwOnR1dG9yaWFsLWRja3Itc2l0ZS0wMDAwLWNsaWVudHNlY3JldA==", - "type": "string" - }, - { - "id": "ff8fdcb9-68d2-46da-84fd-ef9a63d13827", - "key": "access-token-bob", - "value": "1b88827586409b3b4dc67378e6b945c99b94c6cf", - "type": "string" - }, - { - "id": 
"366811f5-3689-417b-ba2a-463bcfb2f7c5", - "key": "app-id", - "value": "tutorial-dckr-site-0000-xpresswebapp", - "type": "string" - } - ] -} \ No newline at end of file diff --git a/README.ja.md b/README.ja.md deleted file mode 100644 index 75ae87c..0000000 --- a/README.ja.md +++ /dev/null @@ -1,1344 +0,0 @@ -[![FIWARE Banner](https://fiware.github.io/tutorials.XACML-Access-Rules/img/fiware.png)](https://www.fiware.org/developers) - -[![FIWARE Security](https://nexus.lab.fiware.org/repository/raw/public/badges/chapters/security.svg)](https://github.com/FIWARE/catalogue/blob/master/security/README.md) -[![License: MIT](https://img.shields.io/github/license/fiware/tutorials.XACML-Access-Rules.svg)](https://opensource.org/licenses/MIT) -[![Support badge](https://img.shields.io/badge/tag-fiware-orange.svg?logo=stackoverflow)](https://stackoverflow.com/questions/tagged/fiware) -[![XACML 3.0](https://img.shields.io/badge/XACML-3.0-ff7059.svg)](https://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html) -
[![Documentation](https://img.shields.io/readthedocs/fiware-tutorials.svg)](https://fiware-tutorials.rtfd.io) - - - -このチュートリアルでは、追加のセキュリティ Generic Enabler の **Authzforce** -を紹介し、**Keyrock** によって生成されたセキュリティ・ルールにきめ細かい制御を -追加します。[以前のチュートリアル](https://github.com/FIWARE/tutorials.PEP-Proxy) -で作成したエンティティへのアクセスは、XACML アクセス制御ポリシーを使用して構成 -および制御されます。これにより、実行中にアップロードおよび再解釈できる柔軟な -ルールセットが作成されるため、複雑なビジネス・ルールを作成および変更できます。 - -チュートリアルでは、**Authzforce** を Web アプリケーションに統合する方法を示す -コードについて説明し、**Authzforce** XACML Server-PDP とのやり取りの例を示します -。[cUrl](https://ec.haxx.se/) コマンドは、Generic Enablers 間の相互作用を示す -ために使用されます。 -[Postman documentation](https://fiware.github.io/tutorials.XACML-Access-Rules/) -が利用できます。 - -[![Run in Postman](https://run.pstmn.io/button.svg)](https://app.getpostman.com/run-collection/724e8e1ab1af11063d15) -[![Open in Gitpod](https://gitpod.io/button/open-in-gitpod.svg)](https://gitpod.io/#https://github.com/FIWARE/tutorials.XACML-Access-Rules/tree/NGSI-v2) - -## コンテンツ - -
-詳細 (クリックして拡大) - -- [ルールセットベースの権限](#ruleset-based-permissions) - - [XACML とは](#what-is-xacml) -- [前提条件](#prerequisites) - - [Docker](#docker) - - [Cygwin](#cygwin) -- [アーキテクチャ](#architecture) - - [Keyrock の設定](#keyrock-configuration) - - [PEP Proxy の設定](#pep-proxy-configuration) - - [Authzforce の設定](#authzforce-configuration) - - [チュートリアルのセキュリティ設定](#tutorial-security-configuration) -- [起動](#start-up) - - [登場人物 (Dramatis Personae)](#dramatis-personae) - - [Authzforce - バージョン情報の取得](#authzforce---obtain-version-information) -- [XACML サーバを使用](#using-an-xacml-server) - - [XACML ルールセットの読み込み](#reading-xacml-rulesets) - - [すべてのドメインをリスト](#two-list-all-domains) - - [単一ドメインを読み込み](#read-a-single-domain) - - [ドメイン内で利用可能なすべてのポリシーセットをリスト](#list-all-policysets-available-within-a-domain) - - [PolicySet の利用可能なリビジョンをリスト](#list-the-available-revisions-of-a-policyset) - - [PolicySet の単一バージョンを読み込む](#read-a-single-version-of-a-policyset) - - [ポリシー決定のリクエスト](#requesting-policy-decisions) - - [リソースへのアクセスを許可](#permit-access-to-a-resource) - - [リソースへのアクセスを拒否](#deny-access-to-a-resource) -- [PDP - 高度な認可](#pdp---advanced-authorization) - - [高度な認可](#advanced-authorization) - - [ユーザがアクセス・トークンを取得](#user-obtains-an-access-token) - - [ロールとドメインを取得](#obtain-roles-and-domain) - - [ポリシーをリクエストに適用](#apply-a-policy-to-a-request) - - [高度な認可 - サンプル・コード](#advanced-authorization---sample-code) - - [高度な認可 - PEP Proxy](#advanced-authorization---pep-proxy) - - [PDP - 高度な許可 - 例の実行](#pdp---advanced-authorization---running-the-example) -- [次のステップ](#next-steps) - -
- - - -# ルールセットベースの権限 - -> "Say: Come, I will rehearse what _Allah_ hath prohibited you from: -> -> - Join not anything as equal with _Him_ -> - Be good to your parents -> - Kill not your children on a plea of want - _We_ provide sustenance for you -> and for them -> - Come not nigh to shameful deeds. Whether open or secret -> - Take not life, which _Allah_ hath made sacred, except by way of justice -> and law -> -> thus doth _He_ command you, that ye may learn wisdom." -> -> — Quran 6.151, Sūrat al-Anʻām - -[以前のチュートリアル](https://github.com/FIWARE/tutorials.Securing-Access) -では、認証に基づく単純なアクセス制御システム (レベル1)、またはロールに基づく -リソースへの基本的な認可アクセス (レベル2) を紹介しました。これらのポリシーは -簡単に作成できますが、その中のルールは非常に白と黒で、ルールを相互に依存したり、 -例外条項を設定したり、期限や属性値に基づいてアクセスしたりすることはできません。 -衝突が発生した場合に異なるルールを解決するメカニズムもありません。 - -複雑なアクセス制御シナリオを満たすには、追加の調停マイクロサービスが必要です。 -これは、アクセス制御ルールの全セットを読んで解釈し、リクエストしているサービス -によって提供された証拠に基づいて、各許可/拒否ポリシー決定に関する判断を下すこと -ができます。 - -FIWARE [Authzforce](https://authzforce-ce-fiware.readthedocs.io/) は、 -そのような解釈的なポリシー決定ポイント (PDP : Policy Decision Point) を提供する -ことができるサービスです。これは、 -[XACML 標準](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml) -を使用して提供されたルールを解釈できる高度なアクセス制御の Generic Enabler です -。ルールセットはいつでも修正およびアップロードでき、ビジネス・ニーズに応じて -変更できるセキュリティ・ポリシーを維持するための柔軟な方法を提供します。さらに、 -アクセス・ポリシーを記述するために使用される言語は、非常に拡張性が高く、 -あらゆるアクセス制御シナリオをカバーするように設計されています。 - - - -## XACML とは - -eXtensible Access Control Markup Language (XACML) は、ベンダーに依存しない -宣言型アクセス制御ポリシー言語です。これは、一般的なアクセス制御の用語と -相互運用性を促進するために作成されました。ポリシー実行ポイント -(PEP : Policy Execution Point) やポリシー決定ポイント (PDP) などの要素の -アーキテクチャの命名ルールは、XACML 仕様に基づいています。 - -XACML ポリシーは、``, `` と `` の3つのレベルの -階層に分けられます。`` は、それぞれが一つ以上の `` 要素を -含む `` 要素の集合です。 - -`` 内の各 `` は、それがリソースへのアクセスを許可すべきか -どうかに関して評価されます。総合的な `` 結果は、順番に処理された -すべての `` 要素の総合的な結果によって定義されます。そして、別々の -`` 結果は、衝突の場合にどちらの `` が勝つかを定義する -組み合わせアルゴリズムを使用してお互いに対して評価されます。 - -`` 要素は `` と `` から成ります。これは `` -の例です。POST リクエストが `/bell/ring` エンドポイントに送信され、 -`subject:role` に `role=security-role-0000-0000-000000000000` 
が提供されて -いれば、アクセスには、(`Effect="Permit"`) を与えられることを示しています。 - -```xml - - Ring Alarm Bell - - - - - /bell/ring - - - - - - - - POST - - - - - - - - - security-role-0000-0000-000000000000 - - - - -``` - -これは、XACML を使用した単純な Verb-Resource アクセス・ルールを作成するための -非常に冗長な方法ですが、単純な Verb-Resource ルールとは異なり、より複雑な -比較を行うことができます。たとえば、時刻が特定の時間より前であることを確認 -したり、URL が特定の文字列で始まっていたり、特定の文字列を含んでいたりする -ことを確認します。条件は属性レベルまで指定することも、複雑な計算をするために -組み合わせることもできます。 -たとえば、次のポリシーを適用するために XACML の `` を作成できます。 - -> _ストア・マネージャは、月の初めにのみ商品の価格を修正することができます。 -> また、直属の上司が最初に作成した商品の価格のみを変更することができます_ - -そのような `` は、`` が次のために別々の条項/明確化を -含むことを要求するでしょう : - -- ユーザのロールは何ですか? (例 : `manager`) -- どんなアクションが呼び出されていますか? (例 : PATCH または PUT) -- どのリソースが保護されている URL 文字列ですか。 (例 : `/v2/entities`) -- リクエストのボディには他にどのような情報が必要ですか? - (例 : エンティティ `type` は `Product` に等しくなければなりません) -- リソースはいつリクエストされていますか? (例 : 現在の日付) -- リクエストを出す前に、他の場所から他にどのような追加情報を取得する - 必要がありますか - - 誰がエンティティを作成しましたか? - 私ですか、それともマネージャ (上司) ですか? - -ご覧のとおり、これらのルールはすぐに非常に複雑になることがあります。この -XACML の最初のイントロダクションでは、不要な混乱を避けるために使用される基本的 -なルールセットはできるだけ単純に保ちます。XACML に基づくアクセスポリシーは、 -複雑なシステムのセキュリティ・ニーズに合わせて拡張できると言うために十分です。 - - - -# 前提条件 - - - -## Docker - - -物事を単純にするために、両方のコンポーネントが [Docker](https://www.docker.com) -を使用して実行されます。**Docker** は、さまざまコンポーネントをそれぞれの環境に -分離することを可能にするコンテナ・テクノロジです。 - -- Docker Windows にインストールするには - 、[こちら](https://docs.docker.com/docker-for-windows/)の手順に従ってくださ - い -- Docker Mac にインストールするには - 、[こちら](https://docs.docker.com/docker-for-mac/)の手順に従ってください -- Docker Linux にインストールするには - 、[こちら](https://docs.docker.com/install/)の手順に従ってください - -**Docker Compose** は、マルチコンテナ Docker アプリケーションを定義して実行する -ためのツールです。 -[YAML file](https://raw.githubusercontent.com/Fiware/tutorials.Identity-Management/master/docker-compose.yml) -ファイルは、アプリケーションのために必要なサービスを構成するために使用します。つ -まり、すべてのコンテナ・サービスは 1 つのコマンドで呼び出すことができます -。Docker Compose は、デフォルトで Docker for Windows と Docker for Mac の一部と -してインストールされますが、Linux ユーザは -[ここ](https://docs.docker.com/compose/install/)に記載されている手順に従う必要 -があります。 - - - -## Cygwin - 
-シンプルな bash スクリプトを使用してサービスを開始します。Windows ユーザは -[cygwin](http://www.cygwin.com/) をダウンロードして、Windows 上の Linux -ディストリビューションと同様のコマンドライン機能を提供する必要があります。 - - - -# アーキテクチャ - -このアプリケーションは、 -[以前のチュートリアル](https://github.com/FIWARE/tutorials.Securing-Access/) -で作成した既存の在庫管理 およびセンサ・ベースのアプリケーションにレベル3の -高度な認可のセキュリティを追加し、 -[PEP Proxy](https://github.com/FIWARE/tutorials.PEP-Proxy/) の背後にある -Context Broker へのアクセスを保護します。 -[Orion Context Broker](https://fiware-orion.readthedocs.io/en/latest/), -[IoT Agent for UltraLight 2.0](https://fiware-iotagent-ul.readthedocs.io/en/latest/), -[Keyrock](https://fiware-idm.readthedocs.io/en/latest/) Identity Manager, -[Wilma](https://fiware-pep-proxy.readthedocs.io/en/latest/) PEP Proxy, -[Authzforce](https://authzforce-ce-fiware.readthedocs.io) XACML Server -の5つの​​ FIWARE コンポーネントを利用します。すべてのアクセス制御の決定は、 -以前にアップロードされたポリシー・ドメインからルールセットを読み取る -**Authzforce** に委任されます。 - -Orion Context Brokerと IoT Agent はどちらも、オープンソースの -[MongoDB](https://www.mongodb.com/) テクノロジを使用して、保持している情報を -永続化します。また、 -[以前のチュートリアル](https://github.com/FIWARE/tutorials.IoT-Sensors/) -で作成したダミー IoT デバイスも使用します。**Keyrock** は、独自に -[MySQL](https://www.mysql.com/) データベースを使用しています。 - -したがって、アーキテクチャ全体は次の要素から構成されます : - -- FIWARE - [Orion Context Broker](https://fiware-orion.readthedocs.io/en/latest/) は - 、[NGSI](https://fiware.github.io/specifications/ngsiv2/latest/) を使用 - してリクエストを受信します -- FIWARE - [IoT Agent for Ultralight 2.0](https://fiware-iotagent-ul.readthedocs.io/en/latest/) - は、 - [Ultralight 2.0](https://fiware-iotagent-ul.readthedocs.io/en/latest/usermanual/index.html#user-programmers-manual) - フォーマットのダミー IoT デバイスからノース・バウンドの測定値を受信し、 - Context Broker がコンテキスト・エンティティの状態を変更するための - [NGSI-v2](https://fiware.github.io/specifications/OpenAPI/ngsiv2) - リクエストに変換します -- FIWARE [Keyrock](https://fiware-idm.readthedocs.io/en/latest/) は、以下を含 - んだ、補完的な ID 管理システムを提供します : - - アプリケーションとユーザのための OAuth2 認証システム - - ID 管理のための Web サイトのグラフィカル・フロントエンド - - HTTP リクエストによる ID 管理用の同等の REST API -- FIWARE - 
[Authzforce](https://authzforce-ce-fiware.readthedocs.io/) - **Orion** やチュートリアル・アプリケーションなどのリソースへのアクセスを - 保護する解釈可能な Policy Decision Point (PDP) を提供する XACML Server です -- FIWARE - [Wilma](https://fiware-pep-proxy.rtfd.io/) - **Orion** マイクロサービスへのアクセスを保護する PEP Proxy プロキシです。 - 認可決定の受渡しを **Authzforce** PDP に委任します -- [MongoDB](https://www.mongodb.com/) データベース : - - **Orion Context Broker** が、データ・エンティティ、サブスクリプション、 - レジストレーションなどのコンテキスト・データ情報を保持するために使用しま - す - - デバイスの URLs や Keys などのデバイス情報を保持するために **IoT Agent** - によって使用されます -- [MySQL](https://www.mysql.com/) データベース : - - ユーザ ID、アプリケーション、ロール、および権限を保持するために使用され - ます -- **在庫管理フロントエンド**には、次のことを行います : - - 店舗情報を表示します - - 各店舗でどの商品を購入できるかを示します - - ユーザが製品を"購入"して在庫数を減らすことができます - - 許可されたユーザを制限されたエリアに入れることができます。認可の決定を - **Authzforce** PDP に委任します -- HTTP を介して実行されている - [UltraLight 2.0](https://fiware-iotagent-ul.readthedocs.io/en/latest/usermanual/index.html#user-programmers-manual) - プロトコルを使用す - る[ダミー IoT デバイス](https://github.com/FIWARE/tutorials.IoT-Sensors/tree/NGSI-v2)のセ - ットとして機能する Web サーバ。特定のリソースへのアクセスが制限されています - 。 -要素間のやり取りはすべて HTTP リクエストによって開始されるため、 -エンティティをコンテナ化して公開ポートから実行することができます。 - -![](https://fiware.github.io/tutorials.XACML-Access-Rules/img/architecture.png) - -チュートリアルの各セクションの具体的なアーキテクチャについては、 -以下で説明します。 - - - -## Keyrock の設定 - -```yaml -keyrock: - image: quay.io/fiware/idm - container_name: fiware-keyrock - hostname: keyrock - networks: - default: - ipv4_address: 172.18.1.5 - depends_on: - - mysql-db - - authzforce - ports: - - "3005:3005" - environment: - - DEBUG=idm:* - - DATABASE_HOST=mysql-db - - IDM_DB_PASS_FILE=/run/secrets/my_secret_data - - IDM_DB_USER=root - - IDM_HOST=http://localhost:3005 - - IDM_PORT=3005 - - IDM_ADMIN_USER=alice - - IDM_ADMIN_EMAIL=alice-the-admin@test.com - - IDM_ADMIN_PASS=test - - IDM_PDP_LEVEL=advanced - - IDM_AUTHZFORCE_ENABLED=true - - IDM_AUTHZFORCE_HOST=authzforce - - IDM_AUTHZFORCE_PORT=8080 - secrets: - - my_secret_data -``` - - -`keyrock` コンテナは、単一のポートでリッスンしている、Web -アプリケーション・サーバです : - 
-- ポート `3005` は HTTP トラフィック用に公開されているため、Web - ページを表示して REST API で対話できます - -`keyrock` コンテナは、**Authzforce** に接続していて、次のように、環境変数によって駆動されます。 - -| キー | 値 | 説明 | -| ---------------------- | ------------ | ---------------------------------------------------------------------------- | -| IDM_PDP_LEVEL | `advanced` | **Keyrock** が PDP の決定を Authzforce に委任すべきであることを示すフラグ | -| IDM_AUTHZFORCE_ENABLED | `true` | **Authzforce** が利用可能であることを示すフラグ | -| IDM_AUTHZFORCE_HOST | `authzforce` | **Authzforce** の URL | -| IDM_AUTHZFORCE_PORT | `8080` | **Authzforce** がリッスンしているポート | - - -YAML ファイルに記述されている他の `keyrock` -コンテナ設定値は以前のチュートリアルで説明されています。 - - - -## PEP Proxy の設定 - -```yaml -orion-proxy: - image: quay.io/fiware/pep-proxy - container_name: fiware-orion-proxy - hostname: orion-proxy - networks: - default: - ipv4_address: 172.18.1.10 - depends_on: - - keyrock - - authzforce - ports: - - "1027:1027" - expose: - - "1027" - environment: - - PEP_PROXY_APP_HOST=orion - - PEP_PROXY_APP_PORT=1026 - - PEP_PROXY_PORT=1027 - - PEP_PROXY_IDM_HOST=keyrock - - PEP_PROXY_HTTPS_ENABLED=false - - PEP_PROXY_IDM_SSL_ENABLED=false - - PEP_PROXY_IDM_PORT=3005 - - PEP_PROXY_APP_ID=tutorial-dckr-site-0000-xpresswebapp - - PEP_PROXY_USERNAME=pep_proxy_00000000-0000-0000-0000-000000000000 - - PEP_PASSWORD=test - - PEP_PROXY_PDP=authzforce - - PEP_PROXY_AUTH_ENABLED=true - - PEP_PROXY_MAGIC_KEY=1234 - - PEP_PROXY_AZF_PROTOCOL=http - - PEP_PROXY_AZF_HOST=authzforce - - PEP_PROXY_AZF_PORT=8080 -``` - -`orion-proxy` コンテナは ポート `1027` でリッスンしている、FIWARE **Wilma** のインスタンスです。`orion` の ポート `1026` にトラフィックを転送するように設定されています。これは、Orion Context Broker が NGSI リクエストを待ち受けているデフォルト・ポートです。 - -`orion-proxy` コンテナは、PDP の決定を **Authzforce** を委任しており、次に示すように環境変数によって駆動されます。 - -| キー | 値 | 説明 | -| ---------------------- | ------------ | ------------------------------------------------------------------- | -| PEP_PROXY_PDP | `authzforce` | PEP Proxy が Authzforce を PDP として使用するようにするためのフラグ | -| PEP_PROXY_AZF_PROTOCOL | `http` | **Authzforce** 
が使用するプロトコル | -| PEP_PROXY_AZF_HOST | `authzforce` | **Authzforce** の URL | -| PEP_PROXY_AZF_PORT | `8080` | **Authzforce** がリッスンしているポート | - -YAML ファイルに記述されている他の `orion-proxy` コンテナの設定値は、 -以前のチュートリアルで説明されています。 - - - -## Authzforce の設定 - -```yaml -authzforce: - image: fiware/authzforce-ce-server - hostname: authzforce - container_name: fiware-authzforce - networks: - default: - ipv4_address: 172.18.1.12 - ports: - - "8080:8080" - volumes: - - ./authzforce/domains:/opt/authzforce-ce-server/data/domains -``` - -`authzforce` コンテナは、ポート `8080` で待機しています。これは PDP -の決定を行うためにリクエストを受け取ります。一連の XACML -アクセス制御ポリシーがすでに提供されているように、volume -は事前構成されたドメインをアップロードするために公開されています。 - - - -## チュートリアルのセキュリティ設定 - -```yaml -tutorial: - image: quay.io/fiware/tutorials.context-provider - hostname: iot-sensors - container_name: fiware-tutorial - networks: - default: - ipv4_address: 172.18.1.7 - expose: - - "3000" - - "3001" - ports: - - "3000:3000" - - "3001:3001" - environment: - - "DEBUG=tutorial:*" - - "WEB_APP_PORT=3000" - - "KEYROCK_URL=http://localhost" - - "KEYROCK_IP_ADDRESS=http://172.18.1.5" - - "KEYROCK_PORT=3005" - - "KEYROCK_CLIENT_ID=tutorial-dckr-site-0000-xpresswebapp" - - "KEYROCK_CLIENT_SECRET=tutorial-dckr-site-0000-clientsecret" - - "CALLBACK_URL=http://localhost:3000/login" - - "AUTHZFORCE_ENABLED=true" - - "AUTHZFORCE_URL=http://authzforce" - - "AUTHZFORCE_PORT=8080" -``` - - -`tutorial` コンテナは、2つのポートでリッスンしています : - -- ポート `3000` は公開されているため、Web ページにダミー - IoT デバイスが表示されます -- ポート `3001`は純粋にチュートリアル・アクセスのために公開されているので、 - cUrl や Postman は同じネットワークの一部でなくても Ultra Light - コマンドを作成できます - -`tutorial` コンテナは、**Authzforce** によってセキュリティが保護されており、 -以下に示すように環境変数によって駆動されます。 - -| キー | 値 | 説明 | -| ------------------ | ------------------- | --------------------------------------------------- | -| AUTHZFORCE_ENABLED | `true` | XACML PDP の使用を有効にするためのフラグ | -| AUTHZFORCE_URL | `http://authzforce` | **Authzforce** の URL | -| AUTHZFORCE_PORT | `8080` | **Authzforce** がリッスンしているポート | - - -YAMLファイルに記述されている他の 
`tutorial` コンテナ設定値は -以前のチュートリアルで説明されています。 - - - -# 起動 - -インストールを開始するには、次の手順に従います : - -```console -git clone https://github.com/FIWARE/tutorials.XACML-Access-Rules.git -cd tutorials.XACML-Access-Rules -git checkout NGSI-v2 - -./services create -``` - -> **注:** Docker イメージの最初の作成には最大 3 分かかります - -[services](https://github.com/FIWARE/tutorials.XACML-Access-Rules/blob/NGSI-v2/services) -Bash スクリプトを実行することによって、コマンドラインからすべてのサービスを初期 -化することができます : - -```console -./services start -``` - -> :information_source: **注:** クリーンアップをやり直したい場合は、次のコマンド -> を使用して再起動することができます : -> -> ```console -> ./services stop -> ``` - - - -### 登場人物 (Dramatis Personae) - -次の `test.com` のメンバは、合法的にアプリケーション内にアカウントを持っています - -- Alice, **Keyrock** アプリケーションの管理者です -- Bob, スーパー・マーケット・チェーンの地域マネージャで、数人のマネージャがい - ます : - - Manager1 (マネージャ 1) - - Manager2 (マネージャ 2) -- Charlie, スーパー・マーケット・チェーンのセキュリティ責任者。彼の下に数人の - 警備員がいます : - - Detective1 (警備員 1) - - Detective2 (警備員 2) - -次の`example.com` のメンバはアカウントにサインアップしましたが、アクセスを許可す -る理由はありません - -- Eve - 盗聴者のイブ -- Mallory - 悪意のある攻撃者のマロリー -- Rob - 強盗のロブ - -
- - 詳細(クリックして拡大) - - -| 名前 | E メール | パスワード | -| ---------- | ------------------------- | ---------- | -| alice | alice-the-admin@test.com | `test` | -| bob | bob-the-manager@test.com | `test` | -| charlie | charlie-security@test.com | `test` | -| manager1 | manager1@test.com | `test` | -| manager2 | manager2@test.com | `test` | -| detective1 | detective1@test.com | `test` | -| detective2 | detective2@test.com | `test` | - - -| 名前 | E メール | パスワード | -| ------- | ------------------- | ---------- | -| eve | eve@example.com | `test` | -| mallory | mallory@example.com | `test` | -| rob | rob@example.com | `test` | - -
- - - -### Authzforce - バージョン情報の取得 - -**Authzforce** を実行すると、公開されている管理ポートに HTTP リクエストを -送信することでステータスを確認できます (通常 `8080`)。レスポンスがブランクの -場合、これは通常 **Authzforce** が実行されていないか別のポートで待機している -ためです。 - -#### 1️⃣ リクエスト - -```console -curl -X GET \ - http://localhost:8080/authzforce-ce/version \ - -H 'Accept: application/xml' -``` - -#### レスポンス - -レスポンスは **Authzforce** のバージョンに関する情報を返します。 - -```xml - - -``` - - - -# XACML サーバを使用 - -**Authzforce** は、ポリシー決定ポイント (PDP : Policy Decision Point) -Generic Enablerであり、 -[XACML](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml) -で書かれた `` 情報に基づいて認可の決定を下します。 -この例は、既存の一連のルールを含む実行中の XACML server から開始します。 -XACML server は、ポリシーを管理し、アクセス制御ポリシー決定を呼び出すための -API を提供する必要があります。このチュートリアルは主に意思決定側に関係します。 -アクセス制御ポリシーの作成と管理は後のチュートリアルで扱います。 - - - -## XACML ルールセットの読み込み - -単一の XACML server を使用して、複数のアプリケーションに対するアクセス制御 -ポリシーを管理できます。**Authzforce** は暗黙のうちにマルチテナントなって -います。つまり、別々の組織が互いから独立して彼らのポリシーを実現することが -できます。これは、各アプリケーションのセキュリティ・ポリシーを、別々の -**ドメイン** に分割し、そこでそれぞれ独自の `` にアクセスできる -ようにすることで行います。ドメインは、セキュリティで保護されたアプリケーション -に関するメタデータとポリシー自体のバージョン (事実上、ファイル・サーバから -アクセスできる一連のファイル) を保持します。ドメイン管理 API を使用して、 -提供されるドメインと保持されているポリシーについて **Authzforce** -に問い合わせることができます。 - - - -### すべてのドメインをリスト - -**Authzforce** にドメイン情報をリクエストするには、 -`/authzforce-ce/domains` エンドポイントにリクエストを出します。 - -#### 2️⃣ リクエスト - -```console -curl -X GET \ - http://localhost:8080/authzforce-ce/domains -``` - -#### レスポンス - -レスポンスには、**Authzforce** で利用可能なドメインがリストされます。これは -起動時に **Authzforce** にアップロードされたディレクトリ構造に対応します。 - -```xml - - - - -``` - - - -### 単一ドメインを読み込み - -ドメインに関する情報を読み、さらに詳しく調べるには、 -`authzforce-ce/domains/{{domain-id}}` エンドポイントにリクエストを出します。 -次のリクエストでは、外部の Policy Administration Point によってランダム・キーを -使用して生成された `gQqnLOnIEeiBFQJCrBIBDA` ドメインに関する情報が取得されます。 -この場合、**Keyrock** が PAP として使用され、 -ルールセットが事前に生成されています。 - -#### 3️⃣ リクエスト - -```console -curl -X GET \ - http://localhost:8080/authzforce-ce/domains/gQqnLOnIEeiBFQJCrBIBDA -``` - -#### レスポンス - -レスポンスには、**Keyrock** 
(`tutorial-dckr-site-0000-xpresswebapp`) -内で使用されている id など、ドメインに関する詳細情報がリストされます。 - -```xml - - - - - - - - - -``` - - - -### ドメイン内で利用可能なすべてのポリシーセットをリスト - -ドメイン内で見つかったすべての PolicySets に対して生成された ids をリストする -には、`authzforce-ce/domains/{{domain-id}}/pap/policies` エンドポイントに -リクエストを出します。次のリクエストは、`gQqnLOnIEeiBFQJCrBIBDA` -ドメイン内で見つかった特定ポリシーの ids のリストを取得します。 - -#### 4️⃣ リクエスト - -```console -curl -X GET \ - http://localhost:8080/authzforce-ce/domains/gQqnLOnIEeiBFQJCrBIBDA/pap/policies -``` - -#### レスポンス - -レスポンスは、**Authzforce** コンテナ内で利用可能な、指定されたポリシーの -利用可能なリビジョンのリストを返します。これは、`1.xml`, `2.xml` -などの名前付き XML ファイルに対応します。 - -```xml - - - - - -``` - - - -### PolicySet の利用可能なリビジョンをリスト - -ポリシーの利用可能なリビジョンをリストするには、 -`authzforce-ce/domains/{{domain-id}}/pap/policies/{{policy-id}}` -エンドポイントにリクエストを出します。使用可能なポリシー id はランダムに -生成され、前のリクエストを使用してドリル・ダウンすることによって取得できます。 -次のリクエストは、`gQqnLOnIEeiBFQJCrBIBDA` ドメイン内で見つかった特定ポリシー -のリビジョンのリストを取得します。 - -#### 5️⃣ リクエスト - -```console -curl -X GET \ - http://localhost:8080/authzforce-ce/domains/gQqnLOnIEeiBFQJCrBIBDA/pap/policies/f8194af5-8a07-486a-9581-c1f05d05483c -``` - -#### レスポンス - -レスポンスは、**Authzforce** コンテナ内で利用可能な、指定されたポリシーの -利用可能なリビジョンのリストを返します。これは、`1.xml`, `2.xml` -などの名前付き XML ファイルに対応します。 - -```xml - - - - - -``` - - - -### PolicySet の単一バージョンを読み込む - -`` の単一のリビジョンを取得するには、 -`authzforce-ce/domains/{{domain-id}}/pap/policies/{{policy-id}}/{{revision-number}}` -エンドポイントにリクエストを出します。次のリクエストは、`gQqnLOnIEeiBFQJCrBIBDA` -ドメイン内で見つかった特定のポリシーの2番目のリビジョンを取得します。 - -#### 6️⃣ リクエスト - -```console -curl -X GET \ - http://localhost:8080/authzforce-ce/domains/gQqnLOnIEeiBFQJCrBIBDA/pap/policies/f8194af5-8a07-486a-9581-c1f05d05483c/2 -``` - -#### レスポンス - -レスポンスには、与えられたリビジョンのフルの `` が含まれています。 -これは **Authzforce** 内に保持されている -[ファイル](https://github.com/FIWARE/tutorials.XACML-Access-Rules/blob/NGSI-v2/authzforce/domains/gQqnLOnIEeiBFQJCrBIBDA/policies/ZjgxOTRhZjUtOGEwNy00ODZhLTk1ODEtYzFmMDVkMDU0ODNj/2.xml) -のコピーです 。 - -```xml - - - Policy Set for application 
tutorial-dckr-site-0000-xpresswebapp - - - Role security-role-0000-0000-000000000000 from application tutorial-dckr-site-0000-xpresswebapp - - ...etc - - - ...etc - - ..etc - - -``` - - - -## ポリシー決定のリクエスト - -このチュートリアルの目的のために、**Authzforce** には、以前の Securing Access -チュートリアルに見られるレベル2の認可の例と同様に、 -単純な基本的なロール・ベースのルールのシンプル・セットが提供されています。 - -- ドアのロック解除コマンドは、**セキュリティ**・スタッフのみが送信できます -- 価格変更およびオーダー在庫エリアへのアクセスは、**マネージャ**だけが - 可能です -- **マネージャ**または**セキュリティ**のロールを持つ人は、ベルを鳴らすこと - ができます -- **マネージャ**と**セキュリティ**の両方がストア・データにアクセスして - インタラクトすることができます。 - -唯一の違いは、すべてのストア・エンティティへのアクセスが、レベル1認証アクセス -に基づくのではなく、割り当てられたロールを持つユーザに制限されるように -なったことです。 - -**Authzforce** に決定をリクエストするには、すべての関連情報を含む -構造化リクエストを `domains/{domain-id}/pdp` エンドポイントに送信する必要が -あります。この場合、リクエストのボディには、ユーザが持つロール、リクエスト -されているアプリケーション id (`tutorial-dckr-site-0000-xpresswebapp`)、 -リクエストされている HTTP 動詞とリソース (`/app/price-change` URL に対する -GET リクエスト) などの情報が含まれています。明らかに、ボディで渡される情報は、 -ルールが複雑になるにつれて拡張できます。 - - - -### リソースへのアクセスを許可 - -**Authzforce** に決定をリクエストするには、`domains/{domain-id}/pdp` -エンドポイントに POST リクエストを出します。この場合、ユーザは -`managers-role-0000-0000-000000000000` を持ち、 -リソース `/app/price-change` へのアクセスをリクエストしています。 - -#### 7️⃣ リクエスト - -```console -curl -X POST \ - http://localhost:8080/authzforce-ce/domains/gQqnLOnIEeiBFQJCrBIBDA/pdp \ - -H 'Content-Type: application/xml' \ - -d ' - - - - managers-role-0000-0000-000000000000 - - - - - tutorial-dckr-site-0000-xpresswebapp - - - /app/price-change - - - - - GET - - - -' -``` - -#### レスポンス - -`managers-role-0000-0000-000000000000` は `/app/price-change` -エンドポイントへのアクセスを許可します。成功したリクエストに対するレスポンスは -リソースへのアクセスを許可するための `` 要素を含みます。 - -```xml - - - - Permit - - -``` - - - -### リソースへのアクセスを拒否 - -**Authzforce** に決定をリクエストするには、 -`domains/{domain-id}/pdp` エンドポイントに POST リクエストを -出します。この場合、ユーザは `security-role-0000-0000-000000000000` -を持ち、リソース `/app/price-change` へのアクセスをリクエスト -しています。 - -#### 8️⃣ リクエスト - -```console -curl -X POST \ - http://localhost:8080/authzforce-ce/domains/gQqnLOnIEeiBFQJCrBIBDA/pdp \ - -H 
'Content-Type: application/xml' \ - -d ' - - - - security-role-0000-0000-000000000000 - - - - - tutorial-dckr-site-0000-xpresswebapp - - - /app/price-change - - - - - GET - - - -' -``` - -#### レスポンス - -`security-role-0000-0000-000000000000` は、 `/app/price-change` エンドポイント -へのアクセスを許可しません。失敗したリクエストに対するレスポンスには、 -リソースへのアクセスを `Deny` (拒否) する `` 要素が含まれています。 - -```xml - - - - Deny - - -``` - - - -# PDP - 高度な認可 - - -復習ですが、PDP アクセス制御には3つのレベルがあります。 - -- レベル1 :認証アクセス - サイン・インしているすべてのユーザにすべての - アクションを許可し、匿名ユーザにはアクションを許可しません -- レベル2 :基本認可 - 現在ログインしているユーザがアクセスできるリソース - と動詞を確認します -- レベル3 :高度な認可 - [XACML](https://en.wikipedia.org/wiki/XACML) に - よるきめ細かい制御をします - -FIWARE では、スマート・アプリケーション・インフラストラクチャ内の既存の -セキュリティ・マイクロサービス (IDM および PEP Proxy) に **Authzforce** を -追加することで、レベル3のアクセス制御を提供できます。アクセス制御レベル1と2は、 -[以前のチュートリアル](https://github.com/FIWARE/tutorials.Securing-Access) -で取り上げてきましたが、**Keyrock** を単独で使用して、関連する PEP Proxy -を使用してもしなくても実行できます。 - - - -## 高度な認可 - - -高度な認可 (Advanced Authorization) は複雑なルールセットを扱うことができます。 -権限は、もはや固定のロール、リソース、およびアクションに基づいているだけでなく、 -必要に応じて拡張することもできます。 - -たとえば、ロール `XXX` のユーザは、HTTP 動詞が `GET`, `PUT`, `POST` の -**いずれか**であれば、`YYY` **で始まる** URL にアクセスできます。 -そのようなユーザは、彼らがそもそも作成者であることを**条件として** -`DELETE` を実行することもできます。 - -チュートリアルのプログラム例の中で私たちは **Keyrock** の私達の自身の信頼された -インスタンスを使用しています。一度ユーザがサインインして `access_token` -を取得すると、`access_token` はセッションに保存されリクエストに応じてユーザの -詳細を取得するために使われます。Orion Context Broker へのすべてのアクセスは、 -PEP Proxy の背後に隠されています。リクエストが Orion に行われるたびに、 -`access_token` がリクエストのヘッダで渡され、PEP Proxy がそのリクエストを -実行するかどうかの決定を処理します。 - - - -### ユーザがアクセス・トークンを取得 - -自分自身を識別するためには、すべてのユーザがアクセス・トークンを -取得する必要があります。そのためには、 -[以前のチュートリアル](https://github.com/FIWARE/tutorials.Securing-Access) -で説明した OAuth2 アクセス許可のいずれかを使用する必要があります。 - -ユーザ資格情報フローを使用してログインするには、`grant_type=password` -を指定して **Keyrock** の `oauth2/token` エンドポイントに POST -リクエストを送信します。 - -#### 9️⃣ リクエスト - -```console -curl -X POST \ - http://localhost:3005/oauth2/token \ - -H 'Accept: application/json' \ - -H 'Authorization: Basic 
dHV0b3JpYWwtZGNrci1zaXRlLTAwMDAteHByZXNzd2ViYXBwOnR1dG9yaWFsLWRja3Itc2l0ZS0wMDAwLWNsaWVudHNlY3JldA==' \ - -H 'Content-Type: application/x-www-form-urlencoded' \ - -d 'username=bob-the-manager@test.com&password=test&grant_type=password' -``` - -#### レスポンス - -レスポンスはユーザを識別するために `access_token` を返します -(この場合は Bob マネージャ) - -```json -{ - "access_token": "08fef363c429cb34cfff3f56dfe751a8d1890690", - "token_type": "Bearer", - "expires_in": 3599, - "refresh_token": "35a644094b598cb0d720fcb323369a53820a6a44", - "scope": ["bearer"] -} -``` - - - -### ロールとドメインを取得 - -ユーザがログインしている場合、`access_token` は `/user` エンドポイントと組み合わせて -リソースへのアクセス許可を得るために使用できます。 -この例では、特定のリソースに対する Bob の権限を取得します。 - -#### 1️⃣0️⃣ リクエスト - -```console -curl -X GET \ - 'http://localhost:3005/user?access_token={{access_token}}&app_id={{app-id}}&authzforce=true' -``` - -ここで : - -- `{{access-token}}` は、ログインしているユーザの現在のアクセス・トークンです - (例 : `08fef363c429cb34cfff3f56dfe751a8d1890690`) -- `{{app-id}}` は `tutorial-dckr-site-0000-xpresswebapp` をリクエストする - アプリケーションを保持し、`authzforce=true` は **Keyrock** から - **Authzforce** ドメインを取得したいことを示します - -#### レスポンス - -レスポンスには、リクエストへの直接アクセスを拒否する `authorization_decision` -属性を含みますが、追加のリクエストが **Authzforce** からの決定になるように -追加の情報が含まれています。 - -以下の例では、使用されたアクセス・トークンはマネージャの Bob に属し、 -そのロールと `app-id` に関連付けられた `app_azf_domain` が返されます。 - -```json -{ - "organizations": [], - "displayName": "", - "roles": [ - { - "id": "managers-role-0000-0000-000000000000", - "name": "Management" - } - ], - "app_id": "tutorial-dckr-site-0000-xpresswebapp", - "trusted_apps": [], - "isGravatarEnabled": false, - "email": "bob-the-manager@test.com", - "id": "bbbbbbbb-good-0000-0000-000000000000", - "authorization_decision": "", - "app_azf_domain": "gQqnLOnIEeiBFQJCrBIBDA", - "eidas_profile": {}, - "username": "bob" -} -``` - - - -### ポリシーをリクエストに適用 - -**Authzforce** に決定をリクエストするには、すべての関連情報を含む構造化 -リクエストを `domains/{domain-id}/pdp` エンドポイントに送信する必要があります。 -この場合、リクエストのボディには、ユーザが持つロール 
-(`managers-role-0000-0000-000000000000`)、リクエストされているアプリケーション -id (`tutorial-dckr-site-0000-xpresswebapp`)、リクエストされている HTTP 動詞と -リソース (`/v2/entities` URL に対する POST リクエスト) などの情報が含まれます。 - -#### 1️⃣1️⃣ リクエスト - -```console -curl -X POST \ - http://localhost:8080/authzforce-ce/domains/gQqnLOnIEeiBFQJCrBIBDA/pdp \ - -H 'Content-Type: application/xml' \ - -d ' - - - - managers-role-0000-0000-000000000000 - - - - - tutorial-dckr-site-0000-xpresswebapp - - - /v2/entities - - - - - POST - - - -' -``` - -#### レスポンス - -レスポンスには、リクエストを `Permit` (許可) または `Deny` (拒否)するための -`` 要素が含まれています。 - -```xml - - - - Permit - - -``` - - - -### 高度な認可 - サンプル・コード - -プログラム的には、Policy Execution Point は2つの部分から構成されます。 -Keyrock に対する OAuth リクエストは、ユーザに関する情報 -(割り当てられたロールなど) と、照会されるポリシー・ドメインを取得します。 - -2番目のリクエストが Authzforce 内の関連ドメイン・エンドポイントに送信され、 -Authzforce が判断を下すために必要なすべての情報が提供されます。Authzforce -は **permit** (許可) または **deny** (拒否) のレスポンスで応答し、 -続行するかどうかの決定はその後行うことができます。 - -```javascript -function authorizeAdvancedXACML(req, res, next, resource = req.url) { - const keyrockUserUrl = - "http://keyrock/user?access_token=" + req.session.access_token + "&app_id=" + clientId + "&authzforce=true"; - - return oa - .get(keyrockUserUrl) - .then((response) => { - const user = JSON.parse(response); - return azf.policyDomainRequest(user.app_azf_domain, user.roles, resource, req.method); - }) - .then((authzforceResponse) => { - res.locals.authorized = authzforceResponse === "Permit"; - return next(); - }) - .catch((error) => { - debug(error); - res.locals.authorized = false; - return next(); - }); -} -``` - -各リクエストを Authzforce に提供するための完全なコードはチュートリアルの -[Git リポジトリ](https://github.com/FIWARE/tutorials.Step-by-Step/blob/master/context-provider/lib/azf.js) -にあります。提供する実際の情報はビジネス・ユースケースに依存します。 -一時的な情報、レコード間の関係などを含むように拡張できます。 -非常に単純な例ではロールだけが必要です。 - -```javascript -const xml2js = require("xml2js"); -const request = require("request"); - -function policyDomainRequest(domain, roles, resource, action) { - let body = - '\n' + - '\n'; - 
// Code to create the XML body for the request is omitted - body = body + ""; - - const options = { - method: "POST", - url: "http://authzforceUrl/authzforce-ce/domains/" + domain + "/pdp", - headers: { "Content-Type": "application/xml" }, - body - }; - - return new Promise((resolve, reject) => { - request(options, function (error, response, body) { - let decision; - xml2js.parseString(body, { tagNameProcessors: [xml2js.processors.stripPrefix] }, function (err, jsonRes) { - // The decision is found within the /Response/Result[0]/Decision[0] XPath - decision = jsonRes.Response.Result[0].Decision[0]; - }); - decision = String(decision); - return error ? reject(error) : resolve(decision); - }); - }); -} -``` - - - -### 高度な認可 - PEP Proxy - -PEP Proxy 内で高度な認証を適用するには、上記のプログラム例と非常によく似た -コードが必要です。**Wilma** Generic Enablerは、リクエストによって供給される -ヘッダからトークンを抽出し、リクエスト行う **Keyrock** ユーザに関するさらなる -情報を得るために。次に PDP リクエストが**Authzforce** に対して行われ、 -続行するかどうかが決定されます。 - -明らかに、スケーラブルなソリューションであれば、不要なリクエストを避けるために、 -行われた PDP リクエストとレスポンスに関する情報もキャッシュする必要があります。 - - - -## PDP - 高度な許可 - 例の実行 - -> **注** レベル3では5つのリソースが確保されています : -> -> - ドアのロック解除コマンドを送信 -> - ring bell コマンドを送信 -> - 価格変更エリアへのアクセス -> - オーダー在庫エリアへのアクセス -> - Orion へのアクセス (PEP Proxy の背後) - -#### Eve 盗聴者 - -Eve はアカウントを持っていますが、アプリケーション内にロールはありません。 - -> **注** Eve は認識されたアカウントを持っているので、完全な認証アクセスを -> 得ます。これは、自分のアカウントにロールがアタッチされていなくても、 -> 自分がストア・ページを_view_ (表示) できることを意味します。 - -- `http://localhost:3000`から、`eve@example.com` として、パスワード - `test` でログインします - -##### レベル 3 : 高度な認可アクセス - -- ストア・ページをクリック - ログインしたユーザはそのページを見るための - アクセスを許可されますが、Eve にはアクセスを許可するロールがないため、 - Orion データを取得するためのアクセスは**拒否**されます - -- `http://localhost:3000` で制限されたアクセス・リンクをクリック - - アクセスは**拒否**されます -- `http://localhost:3000/device/monitor` でデバイス・モニタをオープン - - ドアのロックを解除 - アクセスは**拒否**されます - - ベルを鳴らす - アクセスは**拒否**されます - -#### Bob 地域マネージャ - -Bob は、**management** ロールを持っています - -- `http://localhost:3000` から、`bob-the-manager@test.com` として、 - パスワード `test` でログインします - -##### レベル 3 : 高度な認可アクセス - -- 
`http://localhost:3000` で制限されたアクセス・リンクをクリック - - アクセスは**許可**されます - これは management のみの権限です -- `http://localhost:3000/device/monitor` でデバイス・モニタを開きます - - ドアのロックを解除 - アクセスは**拒否**されます - - これは security のみの許可です - - ベルを鳴らす - アクセスは**許可**されます - - これは management ユーザに許可されます - -#### Charlie セキュリティ・マネージャ - -Charlie は、the **security** ロールを持っています - -- `http://localhost:3000` から、`charlie-security@test.com` として、 - パスワード `test` でログインします - -##### Level 3: Advanced Authorization Access - -- `http://localhost:3000` で制限されたアクセス・リンクをクリック - - アクセスは**拒否**されます - これは management のみの権限です -- `http://localhost:3000/device/monitor` でデバイス・モニタを開きます - - ドアのロックを解除 - アクセスは**許可**されます - - これは security のみの許可です - - ベルを鳴らす - アクセスが**許可**されます - - これは security ユーザに許可されます - - - -# 次のステップ - -高度な機能を追加することで、アプリケーションに複雑さを加える方法を知りたいですか -?このシリーズの -[他のチュートリアル](https://www.letsfiware.jp/fiware-tutorials)を -読むことで見つけることができます。 - ---- - -## License - -[MIT](LICENSE) © 2018-2024 FIWARE Foundation e.V. - ---- - -### Footnotes - - - -- [Wikipedia: XACML](https://en.wikipedia.org/wiki/XACML) - "eXtensible Access Control Markup Language" の略です。
diff --git a/README.md b/README.md
index 8a3f0fd..1293f25 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,6 @@ [![License: MIT](https://img.shields.io/github/license/fiware/tutorials.XACML-Access-Rules.svg)](https://opensource.org/licenses/MIT) [![Support badge](https://img.shields.io/badge/tag-fiware-orange.svg?logo=stackoverflow)](https://stackoverflow.com/questions/tagged/fiware) [![XACML 3.0](https://img.shields.io/badge/XACML-3.0-ff7059.svg)](https://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html) -
[![Documentation](https://img.shields.io/readthedocs/fiware-tutorials.svg)](https://fiware-tutorials.rtfd.io) This tutorial introduces an additional security generic enabler - **Authzforce** and adds fine grained control to the security rules generated by **Keyrock**. Access to the entities created in the
@@ -14,427 +13,14 @@ business rules can be created and changed according to current circumstances. The tutorial discusses code showing how to integrate **Authzforce** within a web application and demonstrates examples of **Authzforce** XACML Server-PDP interactions. [cUrl](https://ec.haxx.se/) commands are used to show the interactions -between generic enablers. [Postman documentation](https://fiware.github.io/tutorials.XACML-Access-Rules/) is available. +between generic enablers. [Postman documentation](https://www.postman.com/downloads/) is also available. -[![Run in Postman](https://run.pstmn.io/button.svg)](https://app.getpostman.com/run-collection/724e8e1ab1af11063d15) -[![Open in Gitpod](https://gitpod.io/button/open-in-gitpod.svg)](https://gitpod.io/#https://github.com/FIWARE/tutorials.XACML-Access-Rules/tree/NGSI-v2) -- このチュートリアルは[日本語](README.ja.md)でもご覧いただけます。 +# Start-Up -## Contents +## NGSI-v2 Smart Supermarket -
-Details - -- [Ruleset Based Permissions](#ruleset-based-permissions) - - [What is XACML](#what-is-xacml) -- [Prerequisites](#prerequisites) - - [Docker](#docker) - - [Cygwin](#cygwin) -- [Architecture](#architecture) - - [Keyrock Configuration](#keyrock-configuration) - - [PEP Proxy Configuration](#pep-proxy-configuration) - - [Authzforce Configuration](#authzforce-configuration) - - [Tutorial Security Configuration](#tutorial-security-configuration) -- [Start Up](#start-up) - - [Dramatis Personae](#dramatis-personae) - - [Authzforce - Obtain Version Information](#authzforce---obtain-version-information) -- [Using an XACML Server](#using-an-xacml-server) - - [Reading XACML Rulesets](#reading-xacml-rulesets) - - [List all domains](#two-list-all-domains) - - [Read a single domain](#read-a-single-domain) - - [List all PolicySets available within a Domain](#list-all-policysets-available-within-a-domain) - - [List the available revisions of a PolicySet](#list-the-available-revisions-of-a-policyset) - - [Read a single version of a PolicySet](#read-a-single-version-of-a-policyset) - - [Requesting Policy Decisions](#requesting-policy-decisions) - - [Permit Access to a Resource](#permit-access-to-a-resource) - - [Deny Access to a Resource](#deny-access-to-a-resource) -- [PDP - Advanced Authorization](#pdp---advanced-authorization) - - [Advanced Authorization](#advanced-authorization) - - [User Obtains an Access Token](#user-obtains-an-access-token) - - [Obtain Roles and Domain](#obtain-roles-and-domain) - - [Apply a Policy to a Request](#apply-a-policy-to-a-request) - - [Advanced Authorization - Sample Code](#advanced-authorization---sample-code) - - [Advanced Authorization - PEP Proxy](#advanced-authorization---pep-proxy) - - [PDP - Advanced Authorization - Running the Example](#pdp---advanced-authorization---running-the-example) -- [Next Steps](#next-steps) - -
- -# Ruleset Based Permissions - -> "Say: Come, I will rehearse what _Allah_ hath prohibited you from: -> -> - Join not anything as equal with _Him_ -> - Be good to your parents -> - Kill not your children on a plea of want - _We_ provide sustenance for you and for them -> - Come not nigh to shameful deeds. Whether open or secret -> - Take not life, which _Allah_ hath made sacred, except by way of justice and law -> -> thus doth _He_ command you, that ye may learn wisdom." -> -> — Quran 6.151, Sūrat al-Anʻām - -[Previous tutorials](https://github.com/FIWARE/tutorials.Securing-Access) have introduced a simple access control system -based on _authentication_ (level 1) or _basic authorization_ access to resources based on a role (level 2). These -policies are easy to create, but the rules within them are very black and white, rules cannot rely on one another, have -exception clauses or offer access based on time limits or attribute values. There is also no mechanism to resolve -different rules in the case of conflict. - -To satisfy a complex access control scenario, an additional arbitration microservice is required, which is able to come -to a judgement on each Permit/Deny policy decision by reading and interpreting the full set of access control rules, and -based their judgement on the evidence provided by the requesting service. - -FIWARE [Authzforce](https://authzforce-ce-fiware.readthedocs.io/) is a service which is able to provide such an -interpretive Policy Decision Point (PDP). It is an advanced access control Generic Enabler which is able to interpret -rules supplied using the [XACML standard](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml). Rulesets -can be amended and uploaded at any time providing a flexible method to maintain security policies which can change -according to business need. Furthermore the language used to describe the access policy is designed to be highly -extensible and cover any access control scenario. 
- -## What is XACML - -eXtensible Access Control Markup Language (XACML) is a vendor neutral declarative access control policy language. It was -created to promote common access control terminology and interoperability.[1](#footnote1) The architectural -naming conventions for elements such as Policy Execution Point (PEP) and Policy Decision Point (PDP) come from the XACML -specifications. - -XACML policies are split into a hierarchy of three levels - ``, `` and ``, the `` is -a collection of `` elements each of which contain one or more `` elements. - -Each `` within a `` is evaluated as to whether it should grant access to a resource - the overall -`` result is defined by the overall result of all `` elements processed in turn. Separate `` -results are then evaluated against each other using combining algorithms define which `` wins in case of -conflict. - -A `` element consists of a `` and a ``. This is an example ``, it states access will be -granted (`Effect="Permit"`) when a POST request is sent to the `/bell/ring` endpoint, provided that the `subject:role` -has been provided and that the `role=security-role-0000-0000-000000000000` : - -```xml - - Ring Alarm Bell - - - - - /bell/ring - - - - - - - - POST - - - - - - - - - security-role-0000-0000-000000000000 - - - - -``` - -This is a very verbose method for creating a simple Verb-Resource access rule, but unlike simple Verb-Resource rules, -with XACML, other more complex comparisons can be made, for example checking that time is before a certain hour of day, -or checking that a URL starts with or contains a certain string. 
Conditions can be specified down to the attribute level -or combined to make complex calculations, for example - an XACML `` could be created to apply the following -policy: - -> _A store manager is able to amend Product prices only the first of the month, and can only alter prices of products -> she or her immediate superior has created in the first place_ - -Such a `` would require that the `` includes separate clauses/clarifications for the following: - -- What is the User's role? (e.g. `manager`) -- What action is being invoked? (e.g. PATCH or PUT) -- Which resource is being protected URL string? (e.g. `/v2/entities`) -- What other information must be present in the body of the request? (e.g. Entity `type` must equal `Product`) -- When is the resource being requested? (e.g. the current date) -- What other additional information must be retrieved from elsewhere prior to making the request - - Who created the entity? Is it me or my manager? - -As you can see these rules can quickly become very complex. For this initial introduction to XACML, the basic rule set -used will be kept as simple as possible to avoid unnecessary confusion, suffice it to say that an access policy based on -XACML can be expanded to fit the security needs of any complex system. - -Further information can be found within the -[XACML standard](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml) and -[additional resources](https://www.webfarmr.eu/xacml-tutorial-axiomatics/) can be found on the web. - -# Prerequisites - -## Docker - -To keep things simple all components will be run using [Docker](https://www.docker.com). **Docker** is a container -technology which allows to different components isolated into their respective environments. 
- -- To install Docker on Windows follow the instructions [here](https://docs.docker.com/docker-for-windows/) -- To install Docker on Mac follow the instructions [here](https://docs.docker.com/docker-for-mac/) -- To install Docker on Linux follow the instructions [here](https://docs.docker.com/install/) - -**Docker Compose** is a tool for defining and running multi-container Docker applications. A -[YAML file](https://raw.githubusercontent.com/Fiware/tutorials.Identity-Management/master/docker-compose.yml) is used -configure the required services for the application. This means all container services can be brought up in a single -command. Docker Compose is installed by default as part of Docker for Windows and Docker for Mac, however Linux users -will need to follow the instructions found [here](https://docs.docker.com/compose/install/) - -## Cygwin - -We will start up our services using a simple bash script. Windows users should download [cygwin](http://www.cygwin.com/) -to provide a command-line functionality similar to a Linux distribution on Windows. - -# Architecture - -This application adds level 3 _Advanced Authorization_ security into the existing Stock Management and Sensors-based -application created in [previous tutorials](https://github.com/FIWARE/tutorials.Securing-Access/) and secures access to -the context broker behind a [PEP Proxy](https://github.com/FIWARE/tutorials.PEP-Proxy/). It will make use of five FIWARE -components - the [Orion Context Broker](https://fiware-orion.readthedocs.io/en/latest/),the -[IoT Agent for UltraLight 2.0](https://fiware-iotagent-ul.readthedocs.io/en/latest/), the -[Keyrock](https://fiware-idm.readthedocs.io/en/latest/) Identity Manager, the -[Wilma](https://fiware-pep-proxy.readthedocs.io/en/latest/) PEP Proxy and the -[Authzforce](https://authzforce-ce-fiware.readthedocs.io) XACML Server. 
All access control decisions will be delegated -to **Authzforce** which will read the ruleset from a previously uploaded policy domain. - -Both the Orion Context Broker and the IoT Agent rely on open source [MongoDB](https://www.mongodb.com/) technology to -keep persistence of the information they hold. We will also be using the dummy IoT devices created in the -[previous tutorial](https://github.com/FIWARE/tutorials.IoT-Sensors/). **Keyrock** uses its own -[MySQL](https://www.mysql.com/) database. - -Therefore the overall architecture will consist of the following elements: - -- The FIWARE [Orion Context Broker](https://fiware-orion.readthedocs.io/en/latest/) which will receive requests using - [NGSI-v2](https://fiware.github.io/specifications/OpenAPI/ngsiv2) -- The FIWARE [IoT Agent for UltraLight 2.0](https://fiware-iotagent-ul.readthedocs.io/en/latest/) which will receive - southbound requests using [NGSI-v2](https://fiware.github.io/specifications/OpenAPI/ngsiv2) and convert them to - [UltraLight 2.0](https://fiware-iotagent-ul.readthedocs.io/en/latest/usermanual/index.html#user-programmers-manual) - commands for the devices -- FIWARE [Keyrock](https://fiware-idm.readthedocs.io/en/latest/) offer a complement Identity Management System - including: - - An OAuth2 authentication system for Applications and Users - - A site graphical frontend for Identity Management Administration - - An equivalent REST API for Identity Management via HTTP requests -- FIWARE [Authzforce](https://authzforce-ce-fiware.readthedocs.io/) is a XACML Server providing an interpretive Policy - Decision Point (PDP) protecting access to resources such as **Orion** and the tutorial application. 
-- FIWARE [Wilma](https://fiware-pep-proxy.rtfd.io/) is a PEP Proxy securing access to the **Orion** microservices, it - delegates the passing of authorization decisions to **Authzforce** PDP -- The underlying [MongoDB](https://www.mongodb.com/) database : - - Used by the **Orion Context Broker** to hold context data information such as data entities, subscriptions and - registrations - - Used by the **IoT Agent** to hold device information such as device URLs and Keys -- A [MySQL](https://www.mysql.com/) database : - - Used to persist user identities, applications, roles and permissions -- The **Stock Management Frontend** does the following: - - Displays store information - - Shows which products can be bought at each store - - Allows users to "buy" products and reduce the stock count. - - Allows authorized users into restricted areas, it also delegates authorization decisions to the **Authzforce** - PDP -- A webserver acting as set of [dummy IoT devices](https://github.com/FIWARE/tutorials.IoT-Sensors/tree/NGSI-v2) using - the - [UltraLight 2.0](https://fiware-iotagent-ul.readthedocs.io/en/latest/usermanual/index.html#user-programmers-manual) - protocol running over HTTP - access to certain resources is restricted. - -Since all interactions between the elements are initiated by HTTP requests, the entities can be containerized and run -from exposed ports. - -![](https://fiware.github.io/tutorials.XACML-Access-Rules/img/architecture.png) - -The specific architecture of each section of the tutorial is discussed below. 
- -## Keyrock Configuration - -```yaml -keyrock: - image: quay.io/fiware/idm - container_name: fiware-keyrock - hostname: keyrock - networks: - default: - ipv4_address: 172.18.1.5 - depends_on: - - mysql-db - - authzforce - ports: - - '3005:3005' - environment: - - DEBUG=idm:* - - DATABASE_HOST=mysql-db - - IDM_DB_PASS_FILE=/run/secrets/my_secret_data - - IDM_DB_USER=root - - IDM_HOST=http://localhost:3005 - - IDM_PORT=3005 - - IDM_ADMIN_USER=alice - - IDM_ADMIN_EMAIL=alice-the-admin@test.com - - IDM_ADMIN_PASS=test - - IDM_PDP_LEVEL=advanced - - IDM_AUTHZFORCE_ENABLED=true - - IDM_AUTHZFORCE_HOST=authzforce - - IDM_AUTHZFORCE_PORT=8080 - secrets: - - my_secret_data -``` - -The `keyrock` container is a web application server listening on a single port: - -- Port `3005` has been exposed for HTTP traffic so we can display the web page and interact with the REST API. - -The `keyrock` container is connecting to **Authzforce** and is driven by environment variables as shown: - -| Key | Value | Description | -| ---------------------- | ------------ | ---------------------------------------------------------------------------- | -| IDM_PDP_LEVEL | `advanced` | Flag indicating that **Keyrock** should delegate PDP decisions to Authzforce | -| IDM_AUTHZFORCE_ENABLED | `true` | Flag indicating that **Authzforce** is available | -| IDM_AUTHZFORCE_HOST | `authzforce` | This is URL where the **Authzforce** is found | -| IDM_AUTHZFORCE_PORT | `8080` | Port that **Authzforce** is listening on | - -The other `keyrock` container configuration values described in the YAML file have been described in previous tutorials - -## PEP Proxy Configuration - -```yaml -orion-proxy: - image: quay.io/fiware/pep-proxy - container_name: fiware-orion-proxy - hostname: orion-proxy - networks: - default: - ipv4_address: 172.18.1.10 - depends_on: - - keyrock - - authzforce - ports: - - '1027:1027' - expose: - - '1027' - environment: - - PEP_PROXY_APP_HOST=orion - - PEP_PROXY_APP_PORT=1026 - - 
PEP_PROXY_PORT=1027 - - PEP_PROXY_IDM_HOST=keyrock - - PEP_PROXY_HTTPS_ENABLED=false - - PEP_PROXY_IDM_SSL_ENABLED=false - - PEP_PROXY_IDM_PORT=3005 - - PEP_PROXY_APP_ID=tutorial-dckr-site-0000-xpresswebapp - - PEP_PROXY_USERNAME=pep_proxy_00000000-0000-0000-0000-000000000000 - - PEP_PASSWORD=test - - PEP_PROXY_PDP=authzforce - - PEP_PROXY_AUTH_ENABLED=true - - PEP_PROXY_MAGIC_KEY=1234 - - PEP_PROXY_AZF_PROTOCOL=http - - PEP_PROXY_AZF_HOST=authzforce - - PEP_PROXY_AZF_PORT=8080 -``` - -The `orion-proxy` container is an instance of FIWARE **Wilma** listening on port `1027`, it is configured to forward -traffic to `orion` on port `1026`, which is the default port that the Orion Context Broker is listening to for NGSI -Requests. - -The `orion-proxy` container is delegating PDP decisions to **Authzforce** and is driven by environment variables as -shown: - -| Key | Value | Description | -| ---------------------- | ------------ | --------------------------------------------------------- | -| PEP_PROXY_PDP | `authzforce` | Flag ensuring that the PEP Proxy uses Authzforce as a PDP | -| PEP_PROXY_AZF_PROTOCOL | `http` | Protocol that **Authzforce** uses | -| PEP_PROXY_AZF_HOST | `authzforce` | This is URL where the **Authzforce** is found | -| PEP_PROXY_AZF_PORT | `8080` | Port that **Authzforce** is listening on | - -The other `orion-proxy` container configuration values described in the YAML file have been described in previous -tutorials - -## Authzforce Configuration - -```yaml -authzforce: - image: fiware/authzforce-ce-server - hostname: authzforce - container_name: fiware-authzforce - networks: - default: - ipv4_address: 172.18.1.12 - ports: - - '8080:8080' - volumes: - - ./authzforce/domains:/opt/authzforce-ce-server/data/domains -``` - -The `authzforce` container is listening on port `8080`, where it receives requests to make PDP decisions. 
A volume has -been exposed to upload a pre-configured domain so that a set of XACML access control policies has already been supplied. - -## Tutorial Security Configuration - -```yaml -tutorial: - image: quay.io/fiware/tutorials.context-provider - hostname: iot-sensors - container_name: fiware-tutorial - networks: - default: - ipv4_address: 172.18.1.7 - expose: - - '3000' - - '3001' - ports: - - '3000:3000' - - '3001:3001' - environment: - - 'DEBUG=tutorial:*' - - 'WEB_APP_PORT=3000' - - 'KEYROCK_URL=http://localhost' - - 'KEYROCK_IP_ADDRESS=http://172.18.1.5' - - 'KEYROCK_PORT=3005' - - 'KEYROCK_CLIENT_ID=tutorial-dckr-site-0000-xpresswebapp' - - 'KEYROCK_CLIENT_SECRET=tutorial-dckr-site-0000-clientsecret' - - 'CALLBACK_URL=http://localhost:3000/login' - - 'AUTHZFORCE_ENABLED=true' - - 'AUTHZFORCE_URL=http://authzforce' - - 'AUTHZFORCE_PORT=8080' -``` - -The `tutorial` container is listening on two ports: - -- Port `3000` is exposed so we can see the web page displaying the Dummy IoT devices. -- Port `3001` is exposed purely for tutorial access - so that cUrl or Postman can make UltraLight commands without - being part of the same network. - -The `tutorial` container is now secured by **Authzforce**, and is driven by environment variables as shown: - -| Key | Value | Description | -| ------------------ | ------------------- | --------------------------------------------- | -| AUTHZFORCE_ENABLED | `true` | Flag to enable use of the XACML PDP | -| AUTHZFORCE_URL | `http://authzforce` | This is URL where the **Authzforce** is found | -| AUTHZFORCE_PORT | `8080` | Port that **Authzforce** is listening on | - -The other `tutorial` container configuration values described in the YAML file have been described in previous tutorials - -# Start Up - -To start the installation, do the following: +**NGSI-v2** offers JSON based interoperability used in individual Smart Systems. To run this tutorial with **NGSI-v2**, use the `NGSI-v2` branch. 
```console git clone https://github.com/FIWARE/tutorials.XACML-Access-Rules.git @@ -442,736 +28,11 @@ cd tutorials.XACML-Access-Rules git checkout NGSI-v2 ./services create -``` - -> [!NOTE] -> The initial creation of Docker images can take up to three minutes - -Thereafter, all services can be initialized from the command-line by running the -[services](https://github.com/FIWARE/tutorials.XACML-Access-Rules/blob/NGSI-v2/services) Bash script provided within the -repository: - -```console ./services start ``` -> [!NOTE] -> If you want to clean up and start over again you can do so with the following command: -> -> ```console -> ./services stop -> ``` - -### Dramatis Personae - -The following people at `test.com` legitimately have accounts within the Application - -- Alice, she will be the Administrator of the **Keyrock** Application -- Bob, the Regional Manager of the supermarket chain - he has several store managers under him: - - Manager1 - - Manager2 -- Charlie, the Head of Security of the supermarket chain - he has several store detectives under him: - - Detective1 - - Detective2 - -The following people at `example.com` have signed up for accounts, but have no reason to be granted access - -- Eve - Eve the Eavesdropper -- Mallory - Mallory the malicious attacker -- Rob - Rob the Robber - -
- - For more details (Click to expand) - - -| Name | eMail | Password | -| ---------- | --------------------------- | -------- | -| alice | `alice-the-admin@test.com` | `test` | -| bob | `bob-the-manager@test.com` | `test` | -| charlie | `charlie-security@test.com` | `test` | -| manager1 | `manager1@test.com` | `test` | -| manager2 | `manager2@test.com` | `test` | -| detective1 | `detective1@test.com` | `test` | -| detective2 | `detective2@test.com` | `test` | - -| Name | eMail | Password | -| ------- | --------------------- | -------- | -| eve | `eve@example.com` | `test` | -| mallory | `mallory@example.com` | `test` | -| rob | `rob@example.com` | `test` | - -
- -### Authzforce - Obtain Version Information - -Once **Authzforce** is running, you can check the status by making an HTTP request to the exposed administration port -(usually `8080`). If the response is blank, this is usually because **Authzforce** is not running or is listening on -another port. - -#### 1️⃣ Request - -```console -curl -X GET \ - http://localhost:8080/authzforce-ce/version \ - -H 'Accept: application/xml' -``` - -#### Response - -The response returns information about the version of Authzforce. - -```xml - - -``` - -# Using an XACML Server - -**Authzforce** is a Policy Decision Point (PDP) Generic Enabler, which makes authorization decisions based on -`` information written in [XACML](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml). This -example starts with a running XACML server containing an existing set of rules. An XACML server should offer an API to -administrate policies and invoke access control policy decisions. This tutorial is mainly concerned with the decision -making side - the creation and administration of access control policies will be dealt with in a subsequent tutorial. - -## Reading XACML Rulesets - -A single XACML server can be used to administrate access control policies for multiple applications. **Authzforce** is -implicitly multi-tenant, in that it allows separate organizations to work on their policies in isolation from one -another. This is done by separating the security policies for each application into a separate **domain** where they can -access their own ``. A domain holds metadata about the secured application along with versions of the -policies themselves (effectively a series of files which can be accessed by a file server). The domain management API -can be used to query **Authzforce** about the domains served and policies held. - -### List all domains - -To request domain information from **Authzforce**, make a request to the `/authzforce-ce/domains` endpoint. 
- -#### 2️⃣ Request - -```console -curl -X GET \ - http://localhost:8080/authzforce-ce/domains -``` - -#### Response - -The response lists the domains which are available in **Authzforce**. This corresponds to the directory structure -uploaded to **Authzforce** on start-up. - -```xml - - - - -``` - -### Read a single domain - -To read information about a domain, and to explore further, make a request to the `authzforce-ce/domains/{{domain-id}}` -endpoint. The following request obtains information about the `gQqnLOnIEeiBFQJCrBIBDA` domain, which has been generated -using a random key by an external Policy Administration Point in this case **Keyrock** has been used as the PAP, and -pre-generated the rule sets. - -#### 3️⃣ Request - -```console -curl -X GET \ - http://localhost:8080/authzforce-ce/domains/gQqnLOnIEeiBFQJCrBIBDA -``` - -#### Response - -The response lists more information about the domain, including the ID used within **Keyrock** -(`tutorial-dckr-site-0000-xpresswebapp`) - -```xml - - - - - - - - - -``` - -### List all PolicySets available within a Domain - -To list the generated IDs for all of the PolicySets found within a domain make a request to the -`authzforce-ce/domains/{{domain-id}}/pap/policies` endpoint. The following request obtains a list of a given policy IDs -found within the `gQqnLOnIEeiBFQJCrBIBDA` domain. - -#### 4️⃣ Request - -```console -curl -X GET \ - http://localhost:8080/authzforce-ce/domains/gQqnLOnIEeiBFQJCrBIBDA/pap/policies -``` - -#### Response - -The response returns a list of available revisions of the given policy which are available within the **Authzforce** -container. This corresponds the named XML files `1.xml`, `2.xml` etc. - -```xml - - - - - -``` - -### List the available revisions of a PolicySet - -To list the available revisions of a policy, make a request to the -`authzforce-ce/domains/{{domain-id}}/pap/policies/{{policy-id}}` endpoint. 
Available policy ID are randomly generated, -and can be obtained by drilling down using the previous request. The following request obtains a list revision of a -given policy found within the `gQqnLOnIEeiBFQJCrBIBDA` domain. - -#### 5️⃣ Request - -```console -curl -X GET \ - http://localhost:8080/authzforce-ce/domains/gQqnLOnIEeiBFQJCrBIBDA/pap/policies/f8194af5-8a07-486a-9581-c1f05d05483c -``` - -#### Response - -The response returns a list of available revisions of the given policy which are available within the **Authzforce** -container. This corresponds the named XML files `1.xml`, `2.xml` etc. - -```xml - - - - - -``` - -### Read a single version of a PolicySet - -To obtain a single revision of a ``, make a request to the -`authzforce-ce/domains/{{domain-id}}/pap/policies/{{policy-id}}/{{revision-number}}` endpoint. The following request -obtains the second revision of the given policy found within the `gQqnLOnIEeiBFQJCrBIBDA` domain. - -#### 6️⃣ Request - -```console -curl -X GET \ - http://localhost:8080/authzforce-ce/domains/gQqnLOnIEeiBFQJCrBIBDA/pap/policies/f8194af5-8a07-486a-9581-c1f05d05483c/2 -``` - -#### Response - -The response contains the full `` for the given revision. This is a copy of -[the file](https://github.com/FIWARE/tutorials.XACML-Access-Rules/blob/NGSI-v2/authzforce/domains/gQqnLOnIEeiBFQJCrBIBDA/policies/ZjgxOTRhZjUtOGEwNy00ODZhLTk1ODEtYzFmMDVkMDU0ODNj/2.xml) -held within **Authzforce**. - -```xml - - - Policy Set for application tutorial-dckr-site-0000-xpresswebapp - - - Role security-role-0000-0000-000000000000 from application tutorial-dckr-site-0000-xpresswebapp - - ...etc - - - ...etc - - ..etc - - -``` - -## Requesting Policy Decisions - -For the purpose of this tutorial, **Authzforce** has been just been supplied with a simple set of basic role-based rules -in a similar fashion to the level 2 authorization example found in the previous Securing Access tutorial: - -- The unlock door command can only be sent by **Security** staff. 
-- Access to the price-change and order-stock areas are only available to **Managers** -- People with either the **Manager** or **Security** role can ring the bell -- Both **Manager** or **Security** can access and interact with the store data - -The only difference is that access to all store entities is now restricted to users with an assigned role rather than -being based on level 1 authentication access. - -To request a decision from Authzforce, a structured request containing all relevant information must be sent to the -`domains/{domain-id}/pdp` endpoint. In this case, the Body of the request includes information such as the roles that -the User has, the application ID that is being requested (`tutorial-dckr-site-0000-xpresswebapp`) and the HTTP verb and -resource that are being requested ( a GET request on the `/app/price-change` URL). Obviously the information passed in -the Body can be expanded as the rules become more complex. - -### Permit Access to a Resource - -To request a decision from Authzforce, make a POST request to the `domains/{domain-id}/pdp` endpoint. In this case the -user has the `managers-role-0000-0000-000000000000` and is requesting access the `/app/price-change` resource. - -#### 7️⃣ Request - -```console -curl -X POST \ - http://localhost:8080/authzforce-ce/domains/gQqnLOnIEeiBFQJCrBIBDA/pdp \ - -H 'Content-Type: application/xml' \ - -d ' - - - - managers-role-0000-0000-000000000000 - - - - - tutorial-dckr-site-0000-xpresswebapp - - - /app/price-change - - - - - GET - - - -' -``` - -#### Response - -The `managers-role-0000-0000-000000000000` permits access to the `/app/price-change` endpoint. The response for a -successful request includes a `` element to `Permit` access to the resource. - -```xml - - - - Permit - - -``` - -### Deny Access to a Resource - -To request a decision from Authzforce, make a POST request to the `domains/{domain-id}/pdp` endpoint. 
In this case the -user has the `security-role-0000-0000-000000000000` and is requesting access the `/app/price-change` resource. - -#### 8️⃣ Request - -```console -curl -X POST \ - http://localhost:8080/authzforce-ce/domains/gQqnLOnIEeiBFQJCrBIBDA/pdp \ - -H 'Content-Type: application/xml' \ - -d ' - - - - security-role-0000-0000-000000000000 - - - - - tutorial-dckr-site-0000-xpresswebapp - - - /app/price-change - - - - - GET - - - -' -``` - -#### Response - -The `security-role-0000-0000-000000000000` does not permit access to the `/app/price-change` endpoint. The response for -an unsuccessful request includes a `` element which will `Deny` access to the resource. - -```xml - - - - Deny - - -``` - -# PDP - Advanced Authorization - -As a reminder, there are three Levels of PDP Access Control: - -- Level 1: _Authentication Access_ - Allow all actions to every signed in user and no actions to an anonymous user. -- Level 2: _Basic Authorization_ - Check which resources and verbs the currently logged in user should have access to -- Level 3: _Advanced Authorization_ - Fine grained control through [XACML](https://en.wikipedia.org/wiki/XACML) - -Within FIWARE, Level 3 access control can be provided by adding **Authzforce** to the existing security microservices -(IDM and PEP Proxy) within the Smart Application infrastructure. Access control levels 1 and 2 have been covered in -[previous tutorials](https://github.com/FIWARE/tutorials.Securing-Access) and can be fulfilled using **Keyrock** alone -or with or without an associated PEP Proxy. - -## Advanced Authorization - -_Advanced Authorization_ is able to deal with complex rulesets. Permissions are no longer merely based on a fixed role, -resource and an action, but can be extended as necessary. - -For example users in role `XXX` can access URL **starting with** `YYY` provided that the HTTP verb **is either** `GET`, -`PUT` or `POST`. Such users may also `DELETE` **provided that** they were the creator in the first place. 
- -Within the tutorial programmatic example we are using our own trusted instance of **Keyrock** - once a user has signed -in and obtained an `access_token`, the `access_token` can be stored in session and used to retrieve user details on -demand. All access to the Orion context broker is hidden behind a PEP Proxy. Whenever a request is made to Orion, the -`access_token` is passed in the header of the request, and the PEP proxy handles the decision to whether to execute the -request. - -### User Obtains an Access Token - -In order to identify themselves, every user must obtain an access token, in order to do so, they must use one of the -OAuth2 access grants described in a [previous tutorial](https://github.com/FIWARE/tutorials.Securing-Access). - -To log in using the user-credentials flow send a POST request to the `oauth2/token` endpoint of **Keyrock** with the -`grant_type=password` - -#### 9️⃣ Request - -```console -curl -X POST \ - http://localhost:3005/oauth2/token \ - -H 'Accept: application/json' \ - -H 'Authorization: Basic dHV0b3JpYWwtZGNrci1zaXRlLTAwMDAteHByZXNzd2ViYXBwOnR1dG9yaWFsLWRja3Itc2l0ZS0wMDAwLWNsaWVudHNlY3JldA==' \ - -H 'Content-Type: application/x-www-form-urlencoded' \ - -d 'username=bob-the-manager@test.com&password=test&grant_type=password' -``` - -#### Response - -The response returns an `access_token` to identify the user (in this case Bob the Manager) - -```json -{ - "access_token": "08fef363c429cb34cfff3f56dfe751a8d1890690", - "token_type": "Bearer", - "expires_in": 3599, - "refresh_token": "35a644094b598cb0d720fcb323369a53820a6a44", - "scope": ["bearer"] -} -``` - -### Obtain Roles and Domain - -If a user has logged in, the `access_token` can be used in combination with the `/user` endpoint to obtain access -permissions to a resource. This example retrieves Bob's permissions to a given resource. 
- -#### 1️⃣0️⃣ Request - -```console -curl -X GET \ - 'http://localhost:3005/user?access_token={{access_token}}&app_id={{app-id}}&authzforce=true' -``` - -Where : - -- `{{access-token}}` is the current access token of a logged in user (e.g. `08fef363c429cb34cfff3f56dfe751a8d1890690`) -- `{{app-id}}` holds the application to request `tutorial-dckr-site-0000-xpresswebapp` and `authzforce=true` indicates - that we want to obtain an **Authzforce** Domain from **Keyrock** - -#### Response - -The response include an `authorization_decision` attribute which denies direct access for the request, but includes -additional information so that an additional request a decision from **Authzforce** - -In the example below the access token used belonged to Bob the manager, and his roles and the `app_azf_domain` -associated to the `app-id` are returned. - -```json -{ - "organizations": [], - "displayName": "", - "roles": [ - { - "id": "managers-role-0000-0000-000000000000", - "name": "Management" - } - ], - "app_id": "tutorial-dckr-site-0000-xpresswebapp", - "trusted_apps": [], - "isGravatarEnabled": false, - "email": "bob-the-manager@test.com", - "id": "bbbbbbbb-good-0000-0000-000000000000", - "authorization_decision": "", - "app_azf_domain": "gQqnLOnIEeiBFQJCrBIBDA", - "eidas_profile": {}, - "username": "bob" -} -``` - -### Apply a Policy to a Request - -To request a decision from Authzforce, a structured request containing all relevant information must be sent to the -`domains/{domain-id}/pdp` endpoint. 
In this case, the Body of the request includes information such as the roles that -the User has (`managers-role-0000-0000-000000000000`), the application ID that is being requested -(`tutorial-dckr-site-0000-xpresswebapp`) and the HTTP verb and resource that are being requested ( a POST request on the -`/v2/entities` URL) - -#### 1️⃣1️⃣ Request - -```console -curl -X POST \ - http://localhost:8080/authzforce-ce/domains/gQqnLOnIEeiBFQJCrBIBDA/pdp \ - -H 'Content-Type: application/xml' \ - -d ' - - - - managers-role-0000-0000-000000000000 - - - - - tutorial-dckr-site-0000-xpresswebapp - - - /v2/entities - - - - - POST - - - -' -``` - -#### Response - -The response includes a `` element which will either `Permit` or `Deny` the request. - -```xml - - - - Permit - - -``` - -### Advanced Authorization - Sample Code - -Programmatically, any Policy Execution Point consists of two parts, an OAuth request to Keyrock retrieves information -about the user (such as the assigned roles) as well as the policy domain to be queried. - -A second request is sent to the relevant domain endpoint within Authzforce, providing all of the information necessary -for Authzforce to provide a judgement. Authzforce responds with a **permit** or **deny** response, and the decision -whether to continue can be made thereafter. 
- -```javascript -function authorizeAdvancedXACML(req, res, next, resource = req.url) { - const keyrockUserUrl = - 'http://keyrock/user?access_token=' + req.session.access_token + '&app_id=' + clientId + '&authzforce=true'; - - return oa - .get(keyrockUserUrl) - .then((response) => { - const user = JSON.parse(response); - return azf.policyDomainRequest(user.app_azf_domain, user.roles, resource, req.method); - }) - .then((authzforceResponse) => { - res.locals.authorized = authzforceResponse === 'Permit'; - return next(); - }) - .catch((error) => { - debug(error); - res.locals.authorized = false; - return next(); - }); -} -``` - -The full code to supply each request to Authzforce can be found within the tutorials' -[Git Repository](https://github.com/FIWARE/tutorials.Step-by-Step/blob/master/context-provider/lib/azf.js) - the actual -information to supply will depend on business use case - it could be expanded to include temporal information, -relationships between records and so on, but in this very simple example only roles are necessary. - -```javascript -const xml2js = require('xml2js'); -const request = require('request'); - -function policyDomainRequest(domain, roles, resource, action) { - let body = - '\n' + - '\n'; - // Code to create the XML body for the request is omitted - body = body + ''; - - const options = { - method: 'POST', - url: 'http://authzforceUrl/authzforce-ce/domains/' + domain + '/pdp', - headers: { 'Content-Type': 'application/xml' }, - body - }; - - return new Promise((resolve, reject) => { - request(options, function (error, response, body) { - let decision; - xml2js.parseString(body, { tagNameProcessors: [xml2js.processors.stripPrefix] }, function (err, jsonRes) { - // The decision is found within the /Response/Result[0]/Decision[0] XPath - decision = jsonRes.Response.Result[0].Decision[0]; - }); - decision = String(decision); - return error ? 
reject(error) : resolve(decision); - }); - }); -} -``` - -### Advanced Authorization - PEP Proxy - -Applying _advanced authorization_ within a PEP proxy requires very similar code to the programmatic example described -above. The **Wilma** generic enabler extracts a token from the header supplied by the request and makes a request to -**Keyrock** to obtain further information about the user. A PDP request is then made to **Authzforce** to decide whether -to proceed. - -Obviously any scalable solution should also cache information about the PDP requests made and the responses to avoid -making unnecessary requests. - -## PDP - Advanced Authorization - Running the Example - -> [!NOTE] -> Five resources have been secured at level 3: -> -> - sending the unlock door command -> - sending the ring bell command -> - access to the price-change area -> - access to the order-stock area -> - access to Orion (behind a PEP Proxy) - -#### Eve the Eavesdropper - -Eve has an account, but no roles in the application. - -> [!NOTE] -> As Eve has a recognized account, she gains full authentication access. This means she is able to _view_ the -> Store page, even though her account has no roles attached. - -- From `http://localhost:3000`, log in as `eve@example.com` with the password `test` - -##### Level 3 : Advanced Authorization Access - -- Click on any store page - access to view the page is **permitted** for any logged in users, however access to - retrieve Orion data is now **denied** since Eve has no role which permits access. 
- -- Click on the restricted access links at `http://localhost:3000` - access is **denied** -- Open the Device Monitor on `http://localhost:3000/device/monitor` - - Unlock a door - access is **denied** - - Ring a bell - access is **denied** - -#### Bob The Regional Manager - -Bob has the **management** role - -- From `http://localhost:3000`, log in as `bob-the-manager@test.com` with the password `test` - -##### Level 3 : Advanced Authorization Access - -- Click on the restricted access links at `http://localhost:3000` - access is **permitted** - This is a management - only permission -- Open the Device Monitor on `http://localhost:3000/device/monitor` - - Unlock a door - access is **denied**. - This is a security only permission - - Ring a bell - access is **permitted** - This is permitted to management users - -#### Charlie the Security Manager - -Charlie has the **security** role - -- From `http://localhost:3000`, log in as `charlie-security@test.com` with the password `test` - -##### Level 3: Advanced Authorization Access - -- Click on the restricted access links at `http://localhost:3000` - access is **denied** - This is a management only - permission -- Open the Device Monitor on `http://localhost:3000/device/monitor` - - Unlock a door - access is **permitted** - This is a security only permission - - Ring a bell - access is **permitted** - This is permitted to security users - -# Next Steps - -Want to learn how to add more complexity to your application by adding advanced features? You can find out by reading -the other [tutorials in this series](https://fiware-tutorials.rtfd.io) +| [![NGSI v2](https://img.shields.io/badge/NGSI-v2-5dc0cf.svg)](https://fiware-ges.github.io/orion/api/v2/stable/) | :books: [Documentation](https://github.com/FIWARE/tutorials.XACML-Access-Rules/tree/NGSI-v2) | [Postman Collection](https://fiware.github.io/tutorials.XACML-Access-Rules/) | +| --- | --- | --- | --- 
@@ -1179,10 +40,3 @@ the other [tutorials in this series](https://fiware-tutorials.rtfd.io) [MIT](LICENSE) © 2018-2024 FIWARE Foundation e.V. ---- - -### Footnotes - - - -- [Wikipedia: XACML](https://en.wikipedia.org/wiki/XACML) - stands for "eXtensible Access Control Markup Language". diff --git a/authzforce/domains/gQqnLOnIEeiBFQJCrBIBDA/pdp.xml b/authzforce/domains/gQqnLOnIEeiBFQJCrBIBDA/pdp.xml deleted file mode 100644 index 7c49f57..0000000 --- a/authzforce/domains/gQqnLOnIEeiBFQJCrBIBDA/pdp.xml +++ /dev/null @@ -1,7 +0,0 @@ - - - - - f8194af5-8a07-486a-9581-c1f05d05483c - - diff --git a/authzforce/domains/gQqnLOnIEeiBFQJCrBIBDA/policies/ZjgxOTRhZjUtOGEwNy00ODZhLTk1ODEtYzFmMDVkMDU0ODNj/1.xml b/authzforce/domains/gQqnLOnIEeiBFQJCrBIBDA/policies/ZjgxOTRhZjUtOGEwNy00ODZhLTk1ODEtYzFmMDVkMDU0ODNj/1.xml deleted file mode 100644 index 841ad06..0000000 --- a/authzforce/domains/gQqnLOnIEeiBFQJCrBIBDA/policies/ZjgxOTRhZjUtOGEwNy00ODZhLTk1ODEtYzFmMDVkMDU0ODNj/1.xml +++ /dev/null 
@@ -1,171 +0,0 @@ - - - Policy Set for application tutorial-dckr-site-0000-xpresswebapp - - - Role security-role-0000-0000-000000000000 from application tutorial-dckr-site-0000-xpresswebapp - - - - - tutorial-dckr-site-0000-xpresswebapp - - - - - - - Ring Alarm Bell - - - - - /bell/ring - - - - - - - - POST - - - - - - - - - security-role-0000-0000-000000000000 - - - - - - Unlock - - - - - /door/unlock - - - - - - - - POST - - - - - - - - - security-role-0000-0000-000000000000 - - - - - - - Role managers-role-0000-0000-000000000000 from application tutorial-dckr-site-0000-xpresswebapp - - - - - tutorial-dckr-site-0000-xpresswebapp - - - - - - - Ring Alarm Bell - - - - - /bell/ring - - - - - - - - POST - - - - - - - - - managers-role-0000-0000-000000000000 - - - - - - Order Stock - - - - - /app/order-stock - - - - - - - - GET - - - - - - - - - managers-role-0000-0000-000000000000 - - - - - - Access Price Changes - - - - - /app/price-change - - - - - - - - GET - - - - - - - - - managers-role-0000-0000-000000000000 - - - - - - \ No newline at end of file diff --git a/authzforce/domains/gQqnLOnIEeiBFQJCrBIBDA/policies/ZjgxOTRhZjUtOGEwNy00ODZhLTk1ODEtYzFmMDVkMDU0ODNj/2.xml b/authzforce/domains/gQqnLOnIEeiBFQJCrBIBDA/policies/ZjgxOTRhZjUtOGEwNy00ODZhLTk1ODEtYzFmMDVkMDU0ODNj/2.xml deleted file mode 100644 index 28876c3..0000000 --- a/authzforce/domains/gQqnLOnIEeiBFQJCrBIBDA/policies/ZjgxOTRhZjUtOGEwNy00ODZhLTk1ODEtYzFmMDVkMDU0ODNj/2.xml +++ /dev/null 
@@ -1,217 +0,0 @@ - - - Policy Set for application tutorial-dckr-site-0000-xpresswebapp - - - Role security-role-0000-0000-000000000000 from application tutorial-dckr-site-0000-xpresswebapp - - - - - tutorial-dckr-site-0000-xpresswebapp - - - - - - - Ring Alarm Bell - - - - - /bell/ring - - - - - - - - POST - - - - - - - - - security-role-0000-0000-000000000000 - - - - - - Unlock - - - - - /door/unlock - - - - - - - - POST - - - - - - - - - security-role-0000-0000-000000000000 - - - - - - - - Context Broker Access - - - - - /v2/entities - - - - - - - - - security-role-0000-0000-000000000000 - - - - - - - - - - Role managers-role-0000-0000-000000000000 from application tutorial-dckr-site-0000-xpresswebapp - - - - - tutorial-dckr-site-0000-xpresswebapp - - - - - - - Ring Alarm Bell - - - - - /bell/ring - - - - - - - - POST - - - - - - - - - managers-role-0000-0000-000000000000 - - - - - - Order Stock - - - - - /app/order-stock - - - - - - - - GET - - - - - - - - - managers-role-0000-0000-000000000000 - - - - - - Access Price Changes - - - - - /app/price-change - - - - - - - - GET - - - - - - - - - managers-role-0000-0000-000000000000 - - - - - - - Context Broker Access - - - - - /v2/entities - - - - - - - - - managers-role-0000-0000-000000000000 - - - - - - \ No newline at end of file diff --git a/authzforce/domains/gQqnLOnIEeiBFQJCrBIBDA/policies/cm9vdA/0.1.0.xml b/authzforce/domains/gQqnLOnIEeiBFQJCrBIBDA/policies/cm9vdA/0.1.0.xml deleted file mode 100644 index 613d426..0000000 --- a/authzforce/domains/gQqnLOnIEeiBFQJCrBIBDA/policies/cm9vdA/0.1.0.xml +++ /dev/null @@ -1,10 +0,0 @@ - - - - - - - - \ No newline at end of file diff --git a/authzforce/domains/gQqnLOnIEeiBFQJCrBIBDA/properties.xml b/authzforce/domains/gQqnLOnIEeiBFQJCrBIBDA/properties.xml deleted file mode 100644 index 458aeb2..0000000 --- a/authzforce/domains/gQqnLOnIEeiBFQJCrBIBDA/properties.xml +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file 
diff --git a/docker-compose.yml b/docker-compose.yml
deleted file mode 100644
index 7e0f00e..0000000
--- a/docker-compose.yml
+++ /dev/null
@@ -1,281 +0,0 @@ -# WARNING: Do not deploy this tutorial configuration directly to a production environment -# -# The tutorial docker-compose files have not been written for production deployment and will not -# scale. A proper architecture has been sacrificed to keep the narrative focused on the learning -# goals, they are just used to deploy everything onto a single Docker machine. All FIWARE components -# are running at full debug and extra ports have been exposed to allow for direct calls to services. -# They also contain various obvious security flaws - passwords in plain text, no load balancing, -# no use of HTTPS and so on. -# -# This is all to avoid the need of multiple machines, generating certificates, encrypting secrets -# and so on, purely so that a single docker-compose file can be read as an example to build on, -# not use directly. -# -# When deploying to a production environment, please refer to the Helm Repository -# for FIWARE Components in order to scale up to a proper architecture: -# -# see: https://github.com/FIWARE/helm-charts/ -# -version: "3.8" -services: - # Orion is an NGSI-v2 context broker - orion-v2: - labels: - org.fiware: 'tutorial' - image: quay.io/fiware/orion:${ORION_VERSION} - hostname: orion - container_name: fiware-orion - depends_on: - - mongo-db - networks: - default: - ipv4_address: 172.18.1.9 - expose: - - "${ORION_PORT}" - ports: - - "${ORION_PORT}:${ORION_PORT}" # localhost:1026 - command: -dbhost mongo-db -logLevel DEBUG - healthcheck: - test: curl --fail -s http://orion:${ORION_PORT}/version || exit 1 - interval: 5s - - # IoT-Agent is configured for the UltraLight Protocol - iot-agent: - labels: - org.fiware: 'tutorial' - image: quay.io/fiware/iotagent-ul:${ULTRALIGHT_VERSION} - hostname: iot-agent - container_name: fiware-iot-agent - depends_on: - - mongo-db - - orion-v2 - networks: - - default - ports: - - "${IOTA_NORTH_PORT}:${IOTA_NORTH_PORT}" # localhost:4041 - - "${IOTA_SOUTH_PORT}:${IOTA_SOUTH_PORT}" # 
localhost:7896 - environment: - - IOTA_CB_HOST=orion # name of the context broker to update context - - IOTA_CB_PORT=${ORION_PORT} # port the context broker listens on to update context - - IOTA_NORTH_PORT=${IOTA_NORTH_PORT} - - IOTA_REGISTRY_TYPE=mongodb #Whether to hold IoT device info in memory or in a database - - IOTA_LOG_LEVEL=DEBUG # The log level of the IoT Agent - - IOTA_TIMESTAMP=true # Supply timestamp information with each measurement - - IOTA_CB_NGSI_VERSION=v2 # use NGSIv2 when sending updates for active attributes - - IOTA_AUTOCAST=true # Ensure Ultralight number values are read as numbers not strings - - IOTA_MONGO_HOST=mongo-db # The host name of MongoDB - - IOTA_MONGO_PORT=${MONGO_DB_PORT} # The port mongoDB is listening on - - IOTA_MONGO_DB=iotagentul # The name of the database used in mongoDB - - IOTA_HTTP_PORT=${IOTA_SOUTH_PORT} # The port used for device traffic over HTTP - - IOTA_PROVIDER_URL=http://iot-agent:${IOTA_NORTH_PORT} - healthcheck: - interval: 5s - - - # Keyrock is an Identity Management Front-End - keyrock: - labels: - org.fiware: 'tutorial' - image: quay.io/fiware/idm:${KEYROCK_VERSION} - container_name: fiware-keyrock - hostname: keyrock - networks: - default: - ipv4_address: 172.18.1.5 - depends_on: - - mysql-db - - authzforce - ports: - - "${KEYROCK_PORT}:${KEYROCK_PORT}" # localhost:3005 - environment: - - DEBUG=idm:* - - IDM_DB_HOST=mysql-db - - IDM_DB_PASS_FILE=/run/secrets/my_secret_data - - IDM_DB_USER=root - - IDM_HOST=http://localhost:${KEYROCK_PORT} - - IDM_PORT=${KEYROCK_PORT} - - IDM_ADMIN_USER=alice - - IDM_ADMIN_EMAIL=alice-the-admin@test.com - - IDM_ADMIN_PASS=test - - IDM_PDP_LEVEL=advanced - - IDM_AUTHZFORCE_ENABLED=true - - IDM_AUTHZFORCE_HOST=authzforce - - IDM_AUTHZFORCE_PORT=${AUTHZFORCE_PORT} - - IDM_CSP_FORM_ACTION=* - secrets: - - my_secret_data - healthcheck: - interval: 5s - - # Authzforce is a XACML Server PDP - authzforce: - labels: - org.fiware: 'tutorial' - image: 
fiware/authzforce-ce-server:release-8.1.0 - container_name: fiware-authzforce - networks: - default: - ipv4_address: 172.18.1.12 - ports: - - "${AUTHZFORCE_PORT}:${AUTHZFORCE_PORT}" # localhost:8080 - volumes: - - ./authzforce/domains:/opt/authzforce-ce-server/data/domains - healthcheck: - test: curl --fail -s http://authzforce:${AUTHZFORCE_PORT}/authzforce-ce/version || exit 1 - - - # PEP Proxy - orion-proxy: - labels: - org.fiware: 'tutorial' - image: quay.io/fiware/pep-proxy:${WILMA_VERSION} - container_name: fiware-orion-proxy - hostname: orion-proxy - networks: - default: - ipv4_address: 172.18.1.10 - depends_on: - keyrock: - condition: service_started - authzforce: - condition: service_started - deploy: - restart_policy: - condition: on-failure - ports: - - "${ORION_PROXY_PORT}:${ORION_PROXY_PORT}" # localhost:1027 - expose: - - "${ORION_PROXY_PORT}" - environment: - - DEBUG=pep-proxy:* - - PEP_PROXY_DEBUG=true - - PEP_PROXY_APP_HOST=orion - - PEP_PROXY_APP_PORT=${ORION_PORT} - - PEP_PROXY_PORT=${ORION_PROXY_PORT} - - PEP_PROXY_IDM_HOST=keyrock - - PEP_PROXY_HTTPS_ENABLED=false - - PEP_PROXY_IDM_SSL_ENABLED=false - - PEP_PROXY_IDM_PORT=${KEYROCK_PORT} - - PEP_PROXY_APP_ID=tutorial-dckr-site-0000-xpresswebapp - - PEP_PROXY_USERNAME=pep_proxy_00000000-0000-0000-0000-000000000000 - - PEP_PROXY_PUBLIC_PATHS=/version - - PEP_PASSWORD=test - - PEP_PROXY_PDP=authzforce - - PEP_PROXY_AUTH_ENABLED=true - - PEP_PROXY_MAGIC_KEY=1234 - - PEP_PROXY_AZF_PROTOCOL=http - - PEP_PROXY_AZF_HOST=authzforce - - PEP_PROXY_AZF_PORT=${AUTHZFORCE_PORT} - healthcheck: - interval: 50s - - # Tutorial acts as a series of dummy IoT Sensors over HTTP - tutorial: - labels: - org.fiware: 'tutorial' - image: quay.io/fiware/tutorials.context-provider - hostname: iot-sensors - container_name: fiware-tutorial - depends_on: - orion-proxy: - condition: service_started - iot-agent: - condition: service_started - keyrock: - condition: service_started - networks: - default: - ipv4_address: 172.18.1.7 
- aliases: - - tutorial - - context-provider - expose: - - "${TUTORIAL_APP_PORT}" - - "${TUTORIAL_DUMMY_DEVICE_PORT}" - ports: - - "${TUTORIAL_APP_PORT}:${TUTORIAL_APP_PORT}" # localhost:3000 - - "${TUTORIAL_DUMMY_DEVICE_PORT}:${TUTORIAL_DUMMY_DEVICE_PORT}" # localhost:3001 - environment: - - "MONGO_URL=mongodb://mongo-db:27017" - - "DEBUG=tutorial:*" - - "WEB_APP_PORT=${TUTORIAL_APP_PORT}" # Port used by the content provider proxy and web-app for viewing data - - "IOTA_HTTP_HOST=iot-agent" - - "IOTA_HTTP_PORT=${IOTA_SOUTH_PORT}" - - "IOTA_DEFAULT_RESOURCE=/iot/d" - - "DUMMY_DEVICES_PORT=${TUTORIAL_DUMMY_DEVICE_PORT}" # Port used by the dummy IOT devices to receive commands - - "DUMMY_DEVICES_TRANSPORT=HTTP" # Default transport used by dummy Io devices - - "CONTEXT_BROKER=http://orion-proxy:${ORION_PROXY_PORT}/v2" # URL of the PEP Proxy to update context - - "OPENWEATHERMAP_KEY_ID=" - - "TWITTER_CONSUMER_KEY=" - - "TWITTER_CONSUMER_SECRET=" - - "NGSI_LD_PREFIX=" - - "SECURE_ENDPOINTS=true" - - "KEYROCK_URL=http://localhost" - - "KEYROCK_IP_ADDRESS=http://172.18.1.5" - - "KEYROCK_PORT=${KEYROCK_PORT}" - - "KEYROCK_CLIENT_ID=tutorial-dckr-site-0000-xpresswebapp" - - "KEYROCK_CLIENT_SECRET=tutorial-dckr-site-0000-clientsecret" - - "CALLBACK_URL=http://localhost:${TUTORIAL_APP_PORT}/login" - - "AUTHZFORCE_ENABLED=true" - - "AUTHZFORCE_URL=http://authzforce" - - "AUTHZFORCE_PORT=${AUTHZFORCE_PORT}" - - # Databases - mongo-db: - labels: - org.fiware: 'tutorial' - image: mongo:${MONGO_DB_VERSION} - hostname: mongo-db - container_name: db-mongo - expose: - - "${MONGO_DB_PORT}" - ports: - - "${MONGO_DB_PORT}:${MONGO_DB_PORT}" # localhost:27017 - networks: - - default - volumes: - - mongo-db:/data - healthcheck: - test: ["CMD","mongosh", "--eval", "db.adminCommand('ping')"] - interval: 5s - timeout: 5s - retries: 3 - start_period: 5s - - - mysql-db: - restart: always - labels: - org.fiware: 'tutorial' - image: mysql:${MYSQL_DB_VERSION} - hostname: mysql-db - container_name: 
db-mysql - expose: - - "${MYSQL_DB_PORT}" - ports: - - "${MYSQL_DB_PORT}:${MYSQL_DB_PORT}" # localhost:3306 - networks: - default: - ipv4_address: 172.18.1.6 - environment: - - "MYSQL_ROOT_PASSWORD_FILE=/run/secrets/my_secret_data" - - "MYSQL_ROOT_HOST=172.18.1.5" # Allow Keyrock to access this database - volumes: - - mysql-db:/var/lib/mysql - - ./mysql-data:/docker-entrypoint-initdb.d/:ro # Preload Keyrock Users - secrets: - - my_secret_data -networks: - default: - labels: - org.fiware: 'tutorial' - ipam: - config: - - subnet: 172.18.1.0/24 -volumes: - mysql-db: ~ - mongo-db: ~ - -secrets: - my_secret_data: - file: ./secrets.txt diff --git a/import-data b/import-data deleted file mode 100755 index a1bf58a..0000000 --- a/import-data +++ /dev/null 
@@ -1,524 +0,0 @@ -#!/bin/bash -# -# curl commands to reload the data from the previous tutorial -# -# - -set -e - -printf "⏳ Loading context data " - -# -# Create four Store Entities in various locations across Berlin -# -curl -s -o /dev/null -X POST \ - 'http://orion:1026/v2/op/update' \ - -H 'Content-Type: application/json' \ - -g -d '{ - "actionType": "APPEND", - "entities": [ - { - "id":"urn:ngsi-ld:Store:001","type":"Store", - "address":{"type":"PostalAddress","value":{"streetAddress":"Bornholmer Straße 65","addressRegion":"Berlin","addressLocality":"Prenzlauer Berg","postalCode":"10439"}}, - "location":{"type":"geo:json","value":{"type":"Point","coordinates":[13.3986,52.5547]}}, - "name":{"type":"Text","value":"Bösebrücke Einkauf"} - }, - { - "id":"urn:ngsi-ld:Store:002","type":"Store", - "address":{"type":"PostalAddress","value":{"streetAddress":"Friedrichstraße 44","addressRegion":"Berlin","addressLocality":"Kreuzberg","postalCode":"10969"}}, - "location":{"type":"geo:json","value":{"type":"Point","coordinates":[13.3903,52.5075]}}, - "name":{"type":"Text","value":"Checkpoint Markt"}}, - { - "id":"urn:ngsi-ld:Store:003","type":"Store", - "address":{"type":"PostalAddress","value":{"streetAddress":"Mühlenstrasse 10","addressRegion":"Berlin","addressLocality":"Friedrichshain","postalCode":"10243"}}, - "location":{"type":"geo:json","value":{"type":"Point","coordinates":[13.4447,52.5031]}}, - "name":{"type":"Text","value":"East Side Galleria"} - }, - { - "id":"urn:ngsi-ld:Store:004","type":"Store", - "address":{"type":"PostalAddress","value":{"streetAddress":"Panoramastraße 1A","addressRegion":"Berlin","addressLocality":"Mitte","postalCode":"10178"}}, - "location":{"type":"geo:json","value":{"type":"Point","coordinates":[13.4094,52.5208]}}, - "name":{"type":"Text","value":"Tower Trödelmarkt"} - } - ] -}' - -# -# Add Weather and Twitter Responses for Store 1 using random values -# -curl -s -o /dev/null -X POST \ - http://orion:1026/v2/registrations \ - -H 
'Content-Type: application/json' \ - -d '{ - "description": "Weather Conditions", - "dataProvided": { - "entities": [ - { - "id" : "urn:ngsi-ld:Store:001", - "type": "Store" - } - ], - "attrs": [ - "temperature", "relativeHumidity" - ] - }, - "provider": { - "http": { - "url": "http://context-provider:3000/proxy/v1/random/weatherConditions" - }, - "legacyForwarding": true - }, - "status": "active" -}' - -curl -s -o /dev/null -X POST \ - http://orion:1026/v2/registrations \ - -H 'Content-Type: application/json' \ - -d '{ - "description": "Tweeting Cat Facts", - "dataProvided": { - "entities": [ - { - "id" : "urn:ngsi-ld:Store:001", - "type": "Store" - } - ], - "attrs": [ - "tweets" - ] - }, - "provider": { - "http": { - "url": "http://context-provider:3000/proxy/v1/catfacts/tweets" - }, - "legacyForwarding": true - }, - "status": "active" -}' - -# -# Add Weather and Twitter Responses for Store 2 using real sources -# -# curl -s -o /dev/null -X POST \ -# 'http://orion:1026/v2/registrations' \ -# -H 'Content-Type: application/json' \ -# -d '{ -# "description": "Store:002 - Real Temperature and Humidity", -# "dataProvided": { -# "entities": [ -# { -# "id": "urn:ngsi-ld:Store:002", -# "type": "Store" -# } -# ], -# "attrs": [ -# "temperature", -# "relativeHumidity" -# ] -# }, -# "provider": { -# "http": { -# "url": "http://context-provider:3000/proxy/weather/number/temperature:temp,relativeHumidity:humidity/berlin%2cde" -# }, -# "legacyForwarding": true -# } -# }' - -# curl -s -o /dev/null -X POST \ -# 'http://orion:1026/v2/registrations' \ -# -H 'Content-Type: application/json' \ -# -d '{ -# "description": "Store:002 Real Tweets", -# "dataProvided": { -# "entities": [ -# { -# "id": "urn:ngsi-ld:Store:002", -# "type": "Store" -# } -# ], -# "attrs": [ -# "tweets" -# ] -# }, -# "provider": { -# "http": { -# "url": "http://context-provider:3000/proxy/twitter/list/tweets:text/FIWARE" -# }, -# "legacyForwarding": true -# } -# }' - -# -# Create a series of Shelf Entities and 
place the in each Store. -# Each shelf is designed to hold one product. -# -curl -s -o /dev/null -X POST \ - 'http://orion:1026/v2/op/update' \ - -H 'Content-Type: application/json' \ - -g -d '{ - "actionType": "APPEND", - "entities": [ - { - "id":"urn:ngsi-ld:Shelf:unit001","type":"Shelf", - "location":{"type":"geo:json","value":{"type":"Point","coordinates":[13.3986112,52.554699]}}, - "maxCapacity":{"type":"Integer","value":50}, - "name":{"type":"Text","value":"Corner Unit"}, - "refStore":{"type":"Relationship","value":"urn:ngsi-ld:Store:001"} - }, - { - "id":"urn:ngsi-ld:Shelf:unit002","type":"Shelf", - "location":{"type":"geo:json","value":{"type":"Point","coordinates":[13.3987221,52.554664]}}, - "maxCapacity":{"type":"Integer","value":100}, - "name":{"type":"Text","value":"Wall Unit 1"}, - "refStore":{"type":"Relationship","value":"urn:ngsi-ld:Store:001"} - }, - { - "id":"urn:ngsi-ld:Shelf:unit003","type":"Shelf", - "location":{"type":"geo:json","value":{"type":"Point","coordinates":[13.3987221,52.554664]}}, - "maxCapacity":{"type":"Integer","value":100}, - "name":{"type":"Text","value":"Wall Unit 2"}, - "refStore":{"type":"Relationship","value":"urn:ngsi-ld:Store:001"} - }, - { - "id":"urn:ngsi-ld:Shelf:unit004","type":"Shelf", - "location":{"type":"geo:json","value":{"type":"Point","coordinates":[13.390311,52.507522]}}, - "maxCapacity":{"type":"Integer","value":50}, - "name":{"type":"Text","value":"Corner Unit"}, - "refStore":{"type":"Relationship","value":"urn:ngsi-ld:Store:002"} - }, - { - "id":"urn:ngsi-ld:Shelf:unit005","type":"Shelf", - "location":{"type":"geo:json","value":{"type":"Point","coordinates":[13.390309,52.50751]}}, - "maxCapacity":{"type":"Integer","value":200}, - "name":{"type":"Text","value":"Long Wall Unit"}, - "refStore":{"type":"Relationship","value":"urn:ngsi-ld:Store:002"} - }, - { - "id":"urn:ngsi-ld:Shelf:unit006","type":"Shelf", - "location":{"type":"geo:json","value":{"type":"Point","coordinates":[13.4447112,52.503199]}}, - 
"maxCapacity":{"type":"Integer","value":50}, - "name":{"type":"Text","value":"Corner Unit"}, - "refStore":{"type":"Relationship","value":"urn:ngsi-ld:Store:003"} - }, - { - "id":"urn:ngsi-ld:Shelf:unit007","type":"Shelf", - "location":{"type":"geo:json","value":{"type":"Point","coordinates":[13.4447221,52.503164]}}, - "maxCapacity":{"type":"Integer","value":100}, - "name":{"type":"Text","value":"Wall Unit 1"}, - "refStore":{"type":"Relationship","value":"urn:ngsi-ld:Store:003"} - }, - { - "id":"urn:ngsi-ld:Shelf:unit008","type":"Shelf", - "location":{"type":"geo:json","value":{"type":"Point","coordinates":[13.4447221,52.503164]}}, - "maxCapacity":{"type":"Integer","value":100}, - "name":{"type":"Text","value":"Wall Unit 2"}, - "refStore":{"type":"Relationship","value":"urn:ngsi-ld:Store:003"} - }, - { - "id":"urn:ngsi-ld:Shelf:unit009","type":"Shelf", - "location":{"type":"geo:json","value":{"type":"Point","coordinates":[13.444711,52.503122]}}, - "maxCapacity":{"type":"Integer","value":50}, - "name":{"type":"Text","value":"Corner Unit"}, - "refStore":{"type":"Relationship","value":"urn:ngsi-ld:Store:003"} - }, - { - "id":"urn:ngsi-ld:Shelf:unit010","type":"Shelf", - "location":{"type":"geo:json","value":{"type":"Point","coordinates":[13.4094111,52.5208028]}}, - "maxCapacity":{"type":"Integer","value":200}, - "name":{"type":"Text","value":"Long Wall Unit"}, - "refStore":{"type":"Relationship","value":"urn:ngsi-ld:Store:004"} - } - ] -}' - -# -# Create a series of Product Entities. -# These are a series of alcoholc and non-alcoholic drinks which are available to sell. 
-# -curl -s -o /dev/null -X POST \ - 'http://orion:1026/v2/op/update' \ - -H 'Content-Type: application/json' \ - -d '{ - "actionType":"APPEND", - "entities":[ - { - "id":"urn:ngsi-ld:Product:001", "type":"Product", - "name":{"type":"Text", "value":"Apples"}, - "size":{"type":"Text", "value": "S"}, - "price":{"type":"Integer", "value": 99} - }, - { - "id":"urn:ngsi-ld:Product:002", "type":"Product", - "name":{"type":"Text", "value":"Bananas"}, - "size":{"type":"Text", "value": "M"}, - "price":{"type":"Integer", "value": 1099} - }, - { - "id":"urn:ngsi-ld:Product:003", "type":"Product", - "name":{"type":"Text", "value":"Coconuts"}, - "size":{"type":"Text", "value": "M"}, - "price":{"type":"Integer", "value": 1499} - }, - { - "id":"urn:ngsi-ld:Product:004", "type":"Product", - "name":{"type":"Text", "value":"Melons"}, - "size":{"type":"Text", "value": "XL"}, - "price":{"type":"Integer", "value": 5000} - }, - { - "id":"urn:ngsi-ld:Product:005", "type":"Product", - "name":{"type":"Text", "value":"Kiwi Fruits"}, - "size":{"type":"Text", "value": "S"}, - "price":{"type":"Integer", "value": 99} - }, - { - "id":"urn:ngsi-ld:Product:006", "type":"Product", - "name":{"type":"Text", "value":"Strawberries"}, - "size":{"type":"Text", "value": "S"}, - "price":{"type":"Integer", "value": 99} - }, - { - "id":"urn:ngsi-ld:Product:007", "type":"Product", - "name":{"type":"Text", "value":"Raspberries"}, - "size":{"type":"Text", "value": "S"}, - "price":{"type":"Integer", "value": 99} - }, - { - "id":"urn:ngsi-ld:Product:008", "type":"Product", - "name":{"type":"Text", "value":"Pineapples"}, - "size":{"type":"Text", "value": "S"}, - "price":{"type":"Integer", "value": 99} - }, - { - "id":"urn:ngsi-ld:Product:009", "type":"Product", - "name":{"type":"Text", "value":"Oranges"}, - "size":{"type":"Text", "value": "S"}, - "price":{"type":"Integer", "value": 99} - } - ] -}' - - -# -# Create a series of InventoryItems Entities. 
-# These the drinks on order in Store:001 -# -curl -s -o /dev/null -X POST \ - 'http://orion:1026/v2/op/update' \ - -H 'Content-Type: application/json' \ - -d '{ - "actionType":"APPEND", - "entities":[ - { - "id":"urn:ngsi-ld:InventoryItem:001","type":"InventoryItem", - "refStore":{"type":"Relationship","value":"urn:ngsi-ld:Store:001"}, - "refShelf":{"type":"Relationship","value":"urn:ngsi-ld:Shelf:unit001"}, - "refProduct":{"type":"Relationship","value":"urn:ngsi-ld:Product:001"}, - "stockCount":{"type":"Integer","value":10000}, - "shelfCount":{"type":"Integer","value":15} - }, - { - "id":"urn:ngsi-ld:InventoryItem:002","type":"InventoryItem", - "refStore":{"type":"Relationship","value":"urn:ngsi-ld:Store:001"}, - "refShelf":{"type":"Relationship","value":"urn:ngsi-ld:Shelf:unit002"}, - "refProduct":{"type":"Relationship","value":"urn:ngsi-ld:Product:003"}, - "stockCount":{"type":"Integer","value":10000}, - "shelfCount":{"type":"Integer","value":50} - }, - { - "id":"urn:ngsi-ld:InventoryItem:003","type":"InventoryItem", - "refStore":{"type":"Relationship","value":"urn:ngsi-ld:Store:001"}, - "refShelf":{"type":"Relationship","value":"urn:ngsi-ld:Shelf:unit003"}, - "refProduct":{"type":"Relationship","value":"urn:ngsi-ld:Product:004"}, - "stockCount":{"type":"Integer","value":10000}, - "shelfCount":{"type":"Integer","value":50} - } - - ] -}' -# -# Create a series of InventoryItems Entities. 
-# These the drinks on order in Store:002 -# -curl -s -o /dev/null -X POST \ - 'http://orion:1026/v2/op/update' \ - -H 'Content-Type: application/json' \ - -d '{ - "actionType":"APPEND", - "entities":[ - { - "id":"urn:ngsi-ld:InventoryItem:004","type":"InventoryItem", - "refStore":{"type":"Relationship","value":"urn:ngsi-ld:Store:002"}, - "refShelf":{"type":"Relationship","value":"urn:ngsi-ld:Shelf:unit004"}, - "refProduct":{"type":"Relationship","value":"urn:ngsi-ld:Product:001"}, - "stockCount":{"type":"Integer","value":10000}, - "shelfCount":{"type":"Integer","value":15} - }, - { - "id":"urn:ngsi-ld:InventoryItem:005","type":"InventoryItem", - "refStore":{"type":"Relationship","value":"urn:ngsi-ld:Store:002"}, - "refShelf":{"type":"Relationship","value":"urn:ngsi-ld:Shelf:unit005"}, - "refProduct":{"type":"Relationship","value":"urn:ngsi-ld:Product:002"}, - "stockCount":{"type":"Integer","value":10000}, - "shelfCount":{"type":"Integer","value":15} - } - ] -}' -# -# Create a series of InventoryItems Entities. 
-# These the drinks on order in Store:003 -# Note that Shelf Unit009 is currently unused -# -curl -s -o /dev/null -X POST \ - 'http://orion:1026/v2/op/update' \ - -H 'Content-Type: application/json' \ - -d '{ - "actionType":"APPEND", - "entities":[ - { - "id":"urn:ngsi-ld:InventoryItem:006","type":"InventoryItem", - "refStore":{"type":"Relationship","value":"urn:ngsi-ld:Store:003"}, - "refShelf":{"type":"Relationship","value":"urn:ngsi-ld:Shelf:unit006"}, - "refProduct":{"type":"Relationship","value":"urn:ngsi-ld:Product:001"}, - "stockCount":{"type":"Integer","value":10000}, - "shelfCount":{"type":"Integer","value":50} - }, - { - "id":"urn:ngsi-ld:InventoryItem:007","type":"InventoryItem", - "refStore":{"type":"Relationship","value":"urn:ngsi-ld:Store:003"}, - "refShelf":{"type":"Relationship","value":"urn:ngsi-ld:Shelf:unit007"}, - "refProduct":{"type":"Relationship","value":"urn:ngsi-ld:Product:008"}, - "stockCount":{"type":"Integer","value":10000}, - "shelfCount":{"type":"Integer","value":50} - }, - { - "id":"urn:ngsi-ld:InventoryItem:008","type":"InventoryItem", - "refStore":{"type":"Relationship","value":"urn:ngsi-ld:Store:003"}, - "refShelf":{"type":"Relationship","value":"urn:ngsi-ld:Shelf:unit008"}, - "refProduct":{"type":"Relationship","value":"urn:ngsi-ld:Product:009"}, - "stockCount":{"type":"Integer","value":10000}, - "shelfCount":{"type":"Integer","value":50} - } - - ] -}' -# -# Create a series of InventoryItems Entities. 
-# These the drinks on order in Store:004 -# -curl -s -o /dev/null -X POST \ - 'http://orion:1026/v2/op/update' \ - -H 'Content-Type: application/json' \ - -d '{ - "actionType":"APPEND", - "entities":[ - { - "id":"urn:ngsi-ld:InventoryItem:401","type":"InventoryItem", - "refStore":{"type":"Relationship","value":"urn:ngsi-ld:Store:004"}, - "refShelf":{"type":"Relationship","value":"urn:ngsi-ld:Shelf:unit010"}, - "refProduct":{"type":"Relationship","value":"urn:ngsi-ld:Product:001"}, - "stockCount":{"type":"Integer","value":10000}, - "shelfCount":{"type":"Integer","value":50} - } - - ] -}' - -# -# Ensure that actuators are minimally provisioned. -# -curl -X POST \ - 'http://orion:1026/v2/op/update' \ - -H 'Content-Type: application/json' \ - -H 'fiware-service: openiot' \ - -d '{ - "actionType":"APPEND", - "entities":[ - { - "id": "Bell:001", - "type": "Bell", - "refStore": { - "type": "Relationship","value": "urn:ngsi-ld:Store:001" - } - }, - { - "id": "Door:001", - "type": "Door", - "refStore": { - "type": "Relationship","value": "urn:ngsi-ld:Store:001" - } - }, - { - "id": "Lamp:001", - "type": "Lamp", - "refStore": { - "type": "Relationship","value": "urn:ngsi-ld:Store:001" - } - }, - { - "id": "Bell:002", - "type": "Bell", - "refStore": { - "type": "Relationship","value": "urn:ngsi-ld:Store:002" - } - }, - { - "id": "Door:002", - "type": "Door", - "refStore": { - "type": "Relationship","value": "urn:ngsi-ld:Store:002" - } - }, - { - "id": "Lamp:002", - "type": "Lamp", - "refStore": { - "type": "Relationship","value": "urn:ngsi-ld:Store:002" - } - }, - { - "id": "Bell:003", - "type": "Bell", - "refStore": { - "type": "Relationship","value": "urn:ngsi-ld:Store:003" - } - }, - { - "id": "Door:003", - "type": "Door", - "refStore": { - "type": "Relationship","value": "urn:ngsi-ld:Store:003" - } - }, - { - "id": "Lamp:003", - "type": "Lamp", - "refStore": { - "type": "Relationship","value": "urn:ngsi-ld:Store:003" - } - }, - { - "id": "Bell:004", - "type": "Bell", - 
"refStore": { - "type": "Relationship","value": "urn:ngsi-ld:Store:004" - } - }, - { - "id": "Door:004", - "type": "Door", - "refStore": { - "type": "Relationship","value": "urn:ngsi-ld:Store:004" - } - }, - { - "id": "Lamp:004", - "type": "Lamp", - "refStore": { - "type": "Relationship","value": "urn:ngsi-ld:Store:004" - } - } - ] -}' - -echo -e " \033[1;32mdone\033[0m" diff --git a/mysql-data/backup.sql b/mysql-data/backup.sql deleted file mode 100644 index 8d282ec..0000000 --- a/mysql-data/backup.sql +++ /dev/null 
@@ -1,813 +0,0 @@ --- MySQL dump 10.13 Distrib 5.7.22, for Linux (x86_64) --- --- Host: localhost Database: idm --- ------------------------------------------------------ --- Server version 5.7.22 - -/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */; -/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */; -/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */; -/*!40101 SET NAMES utf8 */; -/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */; -/*!40103 SET TIME_ZONE='+00:00' */; -/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */; -/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */; -/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */; -/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */; - --- --- Table structure for table `SequelizeMeta` --- - -CREATE DATABASE idm; -USE idm - -DROP TABLE IF EXISTS `SequelizeMeta`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `SequelizeMeta` ( - `name` varchar(255) COLLATE utf8_unicode_ci NOT NULL, - PRIMARY KEY (`name`), - UNIQUE KEY `name` (`name`) -) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `SequelizeMeta` --- - -LOCK TABLES `SequelizeMeta` WRITE; -/*!40000 ALTER TABLE `SequelizeMeta` DISABLE KEYS */; -INSERT INTO `SequelizeMeta` VALUES 
('201802190000-CreateUserTable.js'),('201802190003-CreateUserRegistrationProfileTable.js'),('201802190005-CreateOrganizationTable.js'),('201802190008-CreateOAuthClientTable.js'),('201802190009-CreateUserAuthorizedApplicationTable.js'),('201802190010-CreateRoleTable.js'),('201802190015-CreatePermissionTable.js'),('201802190020-CreateRoleAssignmentTable.js'),('201802190025-CreateRolePermissionTable.js'),('201802190030-CreateUserOrganizationTable.js'),('201802190035-CreateIotTable.js'),('201802190040-CreatePepProxyTable.js'),('201802190045-CreateAuthZForceTable.js'),('201802190050-CreateAuthTokenTable.js'),('201802190060-CreateOAuthAuthorizationCodeTable.js'),('201802190065-CreateOAuthAccessTokenTable.js'),('201802190070-CreateOAuthRefreshTokenTable.js'),('201802190075-CreateOAuthScopeTable.js'),('20180405125424-CreateUserTourAttribute.js'),('20180612134640-CreateEidasTable.js'); -/*!40000 ALTER TABLE `SequelizeMeta` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `auth_token` --- - -DROP TABLE IF EXISTS `auth_token`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `auth_token` ( - `access_token` varchar(255) NOT NULL, - `expires` datetime DEFAULT NULL, - `valid` tinyint(1) DEFAULT NULL, - `user_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `pep_proxy_id` varchar(255) DEFAULT NULL, - PRIMARY KEY (`access_token`), - UNIQUE KEY `access_token` (`access_token`), - KEY `user_id` (`user_id`), - KEY `pep_proxy_id` (`pep_proxy_id`), - CONSTRAINT `auth_token_ibfk_1` FOREIGN KEY (`user_id`) REFERENCES `user` (`id`) ON DELETE CASCADE, - CONSTRAINT `auth_token_ibfk_2` FOREIGN KEY (`pep_proxy_id`) REFERENCES `pep_proxy` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - - - --- --- Dumping data for table `auth_token` --- - -LOCK TABLES `auth_token` WRITE; -/*!40000 ALTER TABLE `auth_token` 
DISABLE KEYS */; -INSERT INTO `auth_token` VALUES -('aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa','2036-07-30 12:04:45',1,'aaaaaaaa-good-0000-0000-000000000000',NULL), -('bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb','2036-07-30 12:38:13',1,'bbbbbbbb-good-0000-0000-000000000000',NULL), -('cccccccc-cccc-cccc-cccc-cccccccccccc','2036-07-31 09:36:13',1,'cccccccc-good-0000-0000-000000000000',NULL), -('51f2e380-c959-4dee-a0af-380f730137c3','2036-07-30 13:02:37',1,'admin',NULL); -/*!40000 ALTER TABLE `auth_token` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `authzforce` --- - -DROP TABLE IF EXISTS `authzforce`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `authzforce` ( - `az_domain` varchar(255) NOT NULL, - `policy` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `version` int(11) DEFAULT NULL, - `oauth_client_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - PRIMARY KEY (`az_domain`), - KEY `oauth_client_id` (`oauth_client_id`), - CONSTRAINT `authzforce_ibfk_1` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `authzforce` --- - -LOCK TABLES `authzforce` WRITE; -/*!40000 ALTER TABLE `authzforce` DISABLE KEYS */; -INSERT INTO `authzforce` VALUES -('gQqnLOnIEeiBFQJCrBIBDA','f8194af5-8a07-486a-9581-c1f05d05483c',2,'tutorial-dckr-site-0000-xpresswebapp'); -/*!40000 ALTER TABLE `authzforce` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `delegation_evidence` --- - -DROP TABLE IF EXISTS `delegation_evidence`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `delegation_evidence` ( - `policy_issuer` varchar(255) NOT NULL, - `access_subject` varchar(255) NOT NULL, - `policy` json NOT NULL, - PRIMARY KEY 
(`policy_issuer`,`access_subject`), - UNIQUE KEY `policy_issuer_access_subject_unique` (`policy_issuer`,`access_subject`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `delegation_evidence` --- - -LOCK TABLES `delegation_evidence` WRITE; -/*!40000 ALTER TABLE `delegation_evidence` DISABLE KEYS */; -/*!40000 ALTER TABLE `delegation_evidence` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `eidas_credentials` --- - -DROP TABLE IF EXISTS `eidas_credentials`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `eidas_credentials` ( - `id` char(36) CHARACTER SET latin1 COLLATE latin1_bin NOT NULL, - `support_contact_person_name` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `support_contact_person_surname` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `support_contact_person_email` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `support_contact_person_telephone_number` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `support_contact_person_company` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `technical_contact_person_name` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `technical_contact_person_surname` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `technical_contact_person_email` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `technical_contact_person_telephone_number` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `technical_contact_person_company` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `organization_name` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, 
- `organization_url` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `oauth_client_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `organization_nif` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `sp_type` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `attributes_list` text CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci, - PRIMARY KEY (`id`), - UNIQUE KEY `oauth_client_id` (`oauth_client_id`), - CONSTRAINT `eidas_credentials_ibfk_1` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `eidas_credentials` --- - -LOCK TABLES `eidas_credentials` WRITE; -/*!40000 ALTER TABLE `eidas_credentials` DISABLE KEYS */; -/*!40000 ALTER TABLE `eidas_credentials` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `iot` --- - -DROP TABLE IF EXISTS `iot`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `iot` ( - `id` varchar(255) NOT NULL, - `password` varchar(40) DEFAULT NULL, - `salt` varchar(40) DEFAULT NULL, - `oauth_client_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `oauth_client_id` (`oauth_client_id`), - CONSTRAINT `iot_ibfk_1` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `iot` --- - -LOCK TABLES `iot` WRITE; -/*!40000 ALTER TABLE `iot` DISABLE KEYS */; -/*!40000 ALTER TABLE `iot` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `oauth_access_token` --- - -DROP TABLE IF EXISTS `oauth_access_token`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET 
character_set_client = utf8 */; -CREATE TABLE `oauth_access_token` ( - `access_token` text NOT NULL, - `expires` datetime DEFAULT NULL, - `scope` varchar(255) DEFAULT NULL, - `refresh_token` varchar(255) DEFAULT NULL, - `valid` tinyint(1) DEFAULT NULL, - `extra` json DEFAULT NULL, - `oauth_client_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `user_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `iot_id` varchar(255) DEFAULT NULL, - `authorization_code` varchar(255) DEFAULT NULL, - `hash` char(64) NOT NULL, - PRIMARY KEY (`hash`), - UNIQUE KEY `oauth_access_token_hash_uk` (`hash`), - KEY `oauth_client_id` (`oauth_client_id`), - KEY `user_id` (`user_id`), - KEY `iot_id` (`iot_id`), - CONSTRAINT `oauth_access_token_ibfk_1` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE, - CONSTRAINT `oauth_access_token_ibfk_2` FOREIGN KEY (`user_id`) REFERENCES `user` (`id`) ON DELETE CASCADE, - CONSTRAINT `oauth_access_token_ibfk_3` FOREIGN KEY (`iot_id`) REFERENCES `iot` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `oauth_access_token` --- - -LOCK TABLES `oauth_access_token` WRITE; -/*!40000 ALTER TABLE `oauth_access_token` DISABLE KEYS */; -INSERT INTO `oauth_access_token` VALUES -('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa','2036-07-30 12:14:21',NULL,NULL,NULL,NULL,'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa','alice',NULL,NULL, '12661599e24923dc17384a28644fbd2c0e30fa1cc7295772470d22729b054c8b'), -('bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb','2036-07-30 12:14:21',NULL,NULL,NULL,NULL,'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb','bob',NULL,NULL, '8d94b35f8eea7e1577e30fc75646dfeb4dd0982a083635028998d53ef590c7ec'), -('cccccccccccccccccccccccccccccccccccccccc','2036-07-30 12:14:21',NULL,NULL,NULL,NULL,'cccccccc-cccc-cccc-cccc-cccccccccccc','charlie',NULL,NULL, 
'f57858edab011913ac0a5d92f04987f4b34eab0d702c8198c1900871d7d87198'), -('d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1','2036-07-30 12:14:21',NULL,NULL,NULL,NULL,'d1d1d1d1-dddd-dddd-dddd-d1d1d1d1d1d1','detective1',NULL,NULL, '18a4605f12def28bbbbab7bbef23fe6e204d73432d9aee8514fc168037945221'), -('d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2','2036-07-30 12:14:21',NULL,NULL,NULL,NULL,'d2d2d2d2-dddd-dddd-dddd-d2d2d2d2d2d2','detective2',NULL,NULL, '1df5d6346470cc81d7a533f67a8399c052b5fc608b94972557138e10a335c5e1'), -('m1m1m1m1m1m1m1m1m1m1m1m1m1m1m1m1m1m1m1m1','2036-07-30 12:14:21',NULL,NULL,NULL,NULL,'m1m1m1m1-mmmm-mmmm-mmmm-m1m1m1m1m1m1','manager1',NULL,NULL, '853d6a374a92501e3e93d28184f9217941793ff646b636c04b35d20169c0d3b7'), -('m2m2m2m2m2m2m2m2m2m2m2m2m2m2m2m2m2m2m2m2','2036-07-30 12:14:21',NULL,NULL,NULL,NULL,'m2m2m2m2-mmmm-mmmm-mmmm-m2m2m2m2m2m2','manager2',NULL,NULL, '5603ade3a9d2303dbf3f28a35023a53c28297dc7db955784ac09b4c294ecae8b'); - -/*!40000 ALTER TABLE `oauth_access_token` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `oauth_authorization_code` --- - -DROP TABLE IF EXISTS `oauth_authorization_code`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `oauth_authorization_code` ( - `authorization_code` varchar(256) NOT NULL, - `expires` datetime DEFAULT NULL, - `redirect_uri` varchar(2000) DEFAULT NULL, - `scope` varchar(255) DEFAULT NULL, - `valid` tinyint(1) DEFAULT NULL, - `extra` json DEFAULT NULL, - `oauth_client_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `user_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `nonce` varchar(255) DEFAULT NULL, - PRIMARY KEY (`authorization_code`), - - UNIQUE KEY `authorization_code` (`authorization_code`), - KEY `oauth_client_id` (`oauth_client_id`), - KEY `user_id` (`user_id`), - CONSTRAINT `oauth_authorization_code_ibfk_1` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON 
DELETE CASCADE, - CONSTRAINT `oauth_authorization_code_ibfk_2` FOREIGN KEY (`user_id`) REFERENCES `user` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `oauth_authorization_code` --- - -LOCK TABLES `oauth_authorization_code` WRITE; -/*!40000 ALTER TABLE `oauth_authorization_code` DISABLE KEYS */; -/*!40000 ALTER TABLE `oauth_authorization_code` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `oauth_client` --- - -DROP TABLE IF EXISTS `oauth_client`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `oauth_client` ( - `id` char(36) CHARACTER SET latin1 COLLATE latin1_bin NOT NULL, - `name` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `description` text CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci, - `secret` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `url` varchar(2000) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `redirect_uri` varchar(2000) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `redirect_sign_out_uri` varchar(2000) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `image` varchar(255) DEFAULT 'default', - `grant_type` varchar(255) DEFAULT NULL, - `response_type` varchar(255) DEFAULT NULL, - `client_type` varchar(15) DEFAULT NULL, - `scope` varchar(80) DEFAULT NULL, - `extra` json DEFAULT NULL, - `token_types` varchar(2000) DEFAULT 'bearer', - `jwt_secret` varchar(2000) DEFAULT NULL, - PRIMARY KEY (`id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `oauth_client` --- - -LOCK TABLES `oauth_client` WRITE; -/*!40000 ALTER TABLE `oauth_client` DISABLE KEYS */; -INSERT INTO `oauth_client` VALUES -('tutorial-dckr-site-0000-xpresswebapp','FIWARE Tutorial', - 'FIWARE 
Application protected by OAuth2 and Keyrock','tutorial-dckr-site-0000-clientsecret', - 'http://localhost:3000','http://localhost:3000/login',NULL,'default', - 'authorization_code,implicit,password,client_credentials,refresh_token','code',NULL,NULL,NULL,'bearer', NULL), -('tutorial-lcal-host-0000-xpresswebapp','localhost App', - 'Localhost Callback protected by OAuth2 and Keyrock','tutorial-lcal-host-0000-clientsecret', - 'http://localhost:3000','http://localhost:3000/login',NULL,'default', - 'authorization_code,implicit,password,client_credentials,refresh_token','code',NULL,NULL,NULL,'bearer', NULL); - -/*!40000 ALTER TABLE `oauth_client` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `oauth_refresh_token` --- - -DROP TABLE IF EXISTS `oauth_refresh_token`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `oauth_refresh_token` ( - `refresh_token` varchar(256) NOT NULL, - `expires` datetime DEFAULT NULL, - `scope` varchar(255) DEFAULT NULL, - `oauth_client_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `user_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `iot_id` varchar(255) DEFAULT NULL, - `valid` tinyint(1) DEFAULT NULL, - `authorization_code` varchar(255) DEFAULT NULL, - PRIMARY KEY (`refresh_token`), - UNIQUE KEY `refresh_token` (`refresh_token`), - KEY `oauth_client_id` (`oauth_client_id`), - KEY `user_id` (`user_id`), - KEY `iot_id` (`iot_id`), - CONSTRAINT `oauth_refresh_token_ibfk_1` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE, - CONSTRAINT `oauth_refresh_token_ibfk_2` FOREIGN KEY (`user_id`) REFERENCES `user` (`id`) ON DELETE CASCADE, - CONSTRAINT `oauth_refresh_token_ibfk_3` FOREIGN KEY (`iot_id`) REFERENCES `iot` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table 
`oauth_refresh_token` --- - -LOCK TABLES `oauth_refresh_token` WRITE; -/*!40000 ALTER TABLE `oauth_refresh_token` DISABLE KEYS */; -INSERT INTO `oauth_refresh_token` VALUES ('4eb1f99f80f37c81a8ef85d92eae836919887e1e','2018-08-13 11:14:21',NULL,'8ca60ce9-32f9-42d6-a013-a19b3af0c13d','admin',NULL, NULL, NULL); -/*!40000 ALTER TABLE `oauth_refresh_token` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `oauth_scope` --- - -DROP TABLE IF EXISTS `oauth_scope`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `oauth_scope` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `scope` varchar(255) DEFAULT NULL, - `is_default` tinyint(1) DEFAULT NULL, - PRIMARY KEY (`id`), - UNIQUE KEY `id` (`id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `oauth_scope` --- - -LOCK TABLES `oauth_scope` WRITE; -/*!40000 ALTER TABLE `oauth_scope` DISABLE KEYS */; -/*!40000 ALTER TABLE `oauth_scope` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `organization` --- - -DROP TABLE IF EXISTS `organization`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `organization` ( - `id` char(36) CHARACTER SET latin1 COLLATE latin1_bin NOT NULL, - `name` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `description` text CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci, - `website` varchar(2000) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `image` varchar(255) DEFAULT 'default', - PRIMARY KEY (`id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `organization` --- - -LOCK TABLES `organization` WRITE; -/*!40000 ALTER TABLE `organization` DISABLE KEYS */; -INSERT INTO `organization` VALUES 
-('security-team-0000-0000-000000000000','Security','Security Group for Store Detectives',NULL,'default'), -('managers-team-0000-0000-000000000000','Management','Management Group for Store Managers',NULL,'default'); -/*!40000 ALTER TABLE `organization` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `pep_proxy` --- - -DROP TABLE IF EXISTS `pep_proxy`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `pep_proxy` ( - `id` varchar(255) NOT NULL, - `password` varchar(40) DEFAULT NULL, - `salt` varchar(40) DEFAULT NULL, - `oauth_client_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `oauth_client_id` (`oauth_client_id`), - CONSTRAINT `pep_proxy_ibfk_1` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `pep_proxy` --- - -LOCK TABLES `pep_proxy` WRITE; -/*!40000 ALTER TABLE `pep_proxy` DISABLE KEYS */; -INSERT INTO `pep_proxy` VALUES ('pep_proxy_00000000-0000-0000-0000-000000000000','e9f7c64ec2895eec281f8fd36e588d1bc762bcca',NULL,'tutorial-dckr-site-0000-xpresswebapp'); -/*!40000 ALTER TABLE `pep_proxy` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `permission` --- - -DROP TABLE IF EXISTS `permission`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `permission` ( - `id` char(36) CHARACTER SET latin1 COLLATE latin1_bin NOT NULL, - `name` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `description` text CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci, - `is_internal` tinyint(1) DEFAULT '0', - `action` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `resource` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci 
DEFAULT NULL, - `xml` text CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci, - `oauth_client_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `is_regex` tinyint(1) NOT NULL DEFAULT '0', - `authorization_service_header` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `use_authorization_service_header` tinyint(1) NOT NULL DEFAULT '0', - `regex_entity_ids` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `regex_attributes` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `regex_types` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `oauth_client_id` (`oauth_client_id`), - CONSTRAINT `permission_ibfk_1` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `permission` --- - -LOCK TABLES `permission` WRITE; -/*!40000 ALTER TABLE `permission` DISABLE KEYS */; -INSERT INTO `permission` VALUES -('1','Get and assign all internal application roles',NULL,1,NULL,NULL,NULL,'idm_admin_app',0,NULL,0,NULL,NULL,NULL), -('2','Manage the application',NULL,1,NULL,NULL,NULL,'idm_admin_app',0,NULL,0,NULL,NULL,NULL), -('3','Manage roles',NULL,1,NULL,NULL,NULL,'idm_admin_app',0,NULL,0,NULL,NULL,NULL), -('4','Manage authorizations',NULL,1,NULL,NULL,NULL,'idm_admin_app',0,NULL,0,NULL,NULL,NULL), -('5','Get and assign all public application roles',NULL,1,NULL,NULL,NULL,'idm_admin_app',0,NULL,0,NULL,NULL,NULL), -('6','Get and assign only public owned roles',NULL,1,NULL,NULL,NULL,'idm_admin_app',0,NULL,0,NULL,NULL,NULL), -('increase-stck-0000-0000-000000000000','Order Stock','Increase Stock Count',0,'GET','/app/order-stock',NULL,'tutorial-dckr-site-0000-xpresswebapp',0,NULL,0,NULL,NULL,NULL), -('entrance-open-0000-0000-000000000000','Unlock','Unlock main 
entrance',0,'POST','/door/unlock',NULL,'tutorial-dckr-site-0000-xpresswebapp',0,NULL,0,NULL,NULL,NULL), -('alrmbell-ring-0000-0000-000000000000','Ring Alarm Bell',NULL,0,'POST','/bell/ring',NULL,'tutorial-dckr-site-0000-xpresswebapp',0,NULL,0,NULL,NULL,NULL), -('pricechg-stck-0000-0000-000000000000','Access Price Changes',NULL,0,'GET','/app/price-change',NULL,'tutorial-dckr-site-0000-xpresswebapp',0,NULL,0,NULL,NULL,NULL), -('managers-prxy-cbkr-0000-000000000000','Managers Context Broker Access','Proxy access for Managers',0,NULL,NULL,'\nContext Broker Access\n\n\n\n\n/v2/entities\n\n\n\n\n\n\n\n\nmanagers-role-0000-0000-000000000000\n\n\n\n','tutorial-dckr-site-0000-xpresswebapp',0,NULL,0,NULL,NULL,NULL), -('security-prxy-cbkr-0000-000000000000','Security Context Broker Access','Proxy access for Security',0,NULL,NULL,'\nContext Broker Access\n\n\n\n\n/v2/entities\n\n\n\n\n\n\n\n\nsecurity-role-0000-0000-000000000000\n\n\n\n','tutorial-dckr-site-0000-xpresswebapp',0,NULL,0,NULL,NULL,NULL); -/*!40000 ALTER TABLE `permission` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `role` --- - -DROP TABLE IF EXISTS `role`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `role` ( - `id` char(36) CHARACTER SET latin1 COLLATE latin1_bin NOT NULL, - `name` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `is_internal` tinyint(1) DEFAULT '0', - `oauth_client_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `oauth_client_id` (`oauth_client_id`), - CONSTRAINT `role_ibfk_1` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `role` --- - -LOCK TABLES `role` WRITE; -/*!40000 ALTER TABLE `role` DISABLE KEYS */; -INSERT INTO `role` VALUES 
-('security-role-0000-0000-000000000000','Security Team',0,'tutorial-dckr-site-0000-xpresswebapp'), -('managers-role-0000-0000-000000000000','Management',0,'tutorial-dckr-site-0000-xpresswebapp'), -('provider','Provider',1,'idm_admin_app'),('purchaser','Purchaser',1,'idm_admin_app'); -/*!40000 ALTER TABLE `role` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `role_assignment` --- - -DROP TABLE IF EXISTS `role_assignment`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `role_assignment` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `role_organization` varchar(255) DEFAULT NULL, - `oauth_client_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `role_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `organization_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `user_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `oauth_client_id` (`oauth_client_id`), - KEY `role_id` (`role_id`), - KEY `organization_id` (`organization_id`), - KEY `user_id` (`user_id`), - CONSTRAINT `role_assignment_ibfk_1` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE, - CONSTRAINT `role_assignment_ibfk_2` FOREIGN KEY (`role_id`) REFERENCES `role` (`id`) ON DELETE CASCADE, - CONSTRAINT `role_assignment_ibfk_3` FOREIGN KEY (`organization_id`) REFERENCES `organization` (`id`) ON DELETE CASCADE, - CONSTRAINT `role_assignment_ibfk_4` FOREIGN KEY (`user_id`) REFERENCES `user` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB AUTO_INCREMENT=14 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `role_assignment` --- - -LOCK TABLES `role_assignment` WRITE; -/*!40000 ALTER TABLE `role_assignment` DISABLE KEYS */; -INSERT INTO `role_assignment` VALUES 
-(1,NULL,'8ca60ce9-32f9-42d6-a013-a19b3af0c13d','provider',NULL,'96154659-cb3b-4d2d-afef-18d6aec0518e'), -(2,'member','8ca60ce9-32f9-42d6-a013-a19b3af0c13d','provider','74f5299e-3247-468c-affb-957cda03f0c4',NULL), -(3,NULL,'222eda27-958b-4f0c-a5cb-e4114fb170c3','provider',NULL,'admin'), -(4,NULL,'222eda27-958b-4f0c-a5cb-e4114fb170c3','provider',NULL,'96154659-cb3b-4d2d-afef-18d6aec0518e'), -(5,NULL,'tutorial-dckr-site-0000-xpresswebapp','provider',NULL,'aaaaaaaa-good-0000-0000-000000000000'), -(6,NULL,'tutorial-lcal-host-0000-xpresswebapp','provider',NULL,'aaaaaaaa-good-0000-0000-000000000000'), -(10,NULL,'tutorial-dckr-site-0000-xpresswebapp','security-role-0000-0000-000000000000',NULL,'cccccccc-good-0000-0000-000000000000'), -(11,'member','tutorial-dckr-site-0000-xpresswebapp','security-role-0000-0000-000000000000','security-team-0000-0000-000000000000',NULL), -(12,NULL,'tutorial-dckr-site-0000-xpresswebapp','managers-role-0000-0000-000000000000',NULL,'bbbbbbbb-good-0000-0000-000000000000'), -(13,'member','tutorial-dckr-site-0000-xpresswebapp','managers-role-0000-0000-000000000000','managers-team-0000-0000-000000000000',NULL); - -/*!40000 ALTER TABLE `role_assignment` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `role_permission` --- - -DROP TABLE IF EXISTS `role_permission`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `role_permission` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `role_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `permission_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `role_id` (`role_id`), - KEY `permission_id` (`permission_id`), - CONSTRAINT `role_permission_ibfk_1` FOREIGN KEY (`role_id`) REFERENCES `role` (`id`) ON DELETE CASCADE, - CONSTRAINT `role_permission_ibfk_2` FOREIGN KEY (`permission_id`) REFERENCES `permission` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB 
AUTO_INCREMENT=13 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `role_permission` --- - -LOCK TABLES `role_permission` WRITE; -/*!40000 ALTER TABLE `role_permission` DISABLE KEYS */; -INSERT INTO `role_permission` VALUES -(1,'provider','1'),(2,'provider','2'),(3,'provider','3'),(4,'provider','4'),(5,'provider','5'),(6,'provider','6'), -(7,'purchaser','5'), -(8,'security-role-0000-0000-000000000000','alrmbell-ring-0000-0000-000000000000'), -(9,'security-role-0000-0000-000000000000','entrance-open-0000-0000-000000000000'), -(10,'managers-role-0000-0000-000000000000','alrmbell-ring-0000-0000-000000000000'), -(11,'managers-role-0000-0000-000000000000','increase-stck-0000-0000-000000000000'), -(12,'managers-role-0000-0000-000000000000','pricechg-stck-0000-0000-000000000000'), -(13,'managers-role-0000-0000-000000000000','managers-prxy-cbkr-0000-000000000000'), -(14,'security-role-0000-0000-000000000000','security-prxy-cbkr-0000-000000000000'); - - - - -/*!40000 ALTER TABLE `role_permission` ENABLE KEYS */; -UNLOCK TABLES; - - --- --- Table structure for table `trusted_application` --- - -DROP TABLE IF EXISTS `trusted_application`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `trusted_application` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `oauth_client_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `trusted_oauth_client_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `oauth_client_id` (`oauth_client_id`), - KEY `trusted_oauth_client_id` (`trusted_oauth_client_id`), - CONSTRAINT `trusted_application_ibfk_1` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE, - CONSTRAINT `trusted_application_ibfk_2` FOREIGN KEY (`trusted_oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB DEFAULT CHARSET=latin1; 
-/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `trusted_application` --- - -LOCK TABLES `trusted_application` WRITE; -/*!40000 ALTER TABLE `trusted_application` DISABLE KEYS */; -/*!40000 ALTER TABLE `trusted_application` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `user` --- - -DROP TABLE IF EXISTS `user`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `user` ( - `id` char(36) CHARACTER SET latin1 COLLATE latin1_bin NOT NULL, - `username` varchar(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `description` text CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci, - `website` varchar(2000) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci DEFAULT NULL, - `image` varchar(255) DEFAULT 'default', - `gravatar` tinyint(1) DEFAULT '0', - `email` varchar(255) DEFAULT NULL, - `password` varchar(40) DEFAULT NULL, - `salt` varchar(40) DEFAULT NULL, - `date_password` datetime DEFAULT NULL, - `enabled` tinyint(1) DEFAULT '0', - `admin` tinyint(1) DEFAULT '0', - `extra` json DEFAULT NULL, - `scope` varchar(80) DEFAULT NULL, - `starters_tour_ended` tinyint(1) DEFAULT '0', - `eidas_id` varchar(255) DEFAULT NULL, - PRIMARY KEY (`id`), - UNIQUE KEY `email` (`email`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `user` --- - -LOCK TABLES `user` WRITE; -/*!40000 ALTER TABLE `user` DISABLE KEYS */; -INSERT INTO `user` VALUES - ('aaaaaaaa-good-0000-0000-000000000000','alice','Alice is the admin',NULL,'default',0,'alice-the-admin@test.com','89e48c55e4e4b3b86141fb15f5e6abf70f8c32c0','fbba54b6750b16e8','2018-07-30 11:41:14',1,1,'{\"visible_attributes\": [\"username\", \"description\", \"identity_attributes\"]}',NULL,0,NULL), - ('bbbbbbbb-good-0000-0000-000000000000','bob','Bob is the regional 
manager','','default',0,'bob-the-manager@test.com','89e48c55e4e4b3b86141fb15f5e6abf70f8c32c0','fbba54b6750b16e8','2018-07-30 11:41:14',1,0,'{\"visible_attributes\": [\"username\", \"description\", \"identity_attributes\"]}',NULL,0,NULL), - ('cccccccc-good-0000-0000-000000000000','charlie','Charlie is head of security',NULL,'default',0,'charlie-security@test.com','89e48c55e4e4b3b86141fb15f5e6abf70f8c32c0','fbba54b6750b16e8','2018-07-30 11:41:14',1,0,'{\"visible_attributes\": [\"username\", \"description\", \"identity_attributes\"]}',NULL,0,NULL), - ('detective1-good-0000-0000-0000000000','detective1','Detective works for Charlie',NULL,'default',0,'detective1@test.com','89e48c55e4e4b3b86141fb15f5e6abf70f8c32c0','fbba54b6750b16e8','2018-07-30 11:41:14',1,0,'{\"visible_attributes\": [\"username\", \"description\", \"identity_attributes\"]}',NULL,0,NULL), - ('detective2-good-0000-0000-0000000000','detective2','Detective works for Charlie',NULL,'default',0,'detective2@test.com','89e48c55e4e4b3b86141fb15f5e6abf70f8c32c0','fbba54b6750b16e8','2018-07-30 11:41:14',1,0,'{\"visible_attributes\": [\"username\", \"description\", \"identity_attributes\"]}',NULL,0,NULL), - ('eve-evil-0000-0000-000000000000','eve','Eve the Eavesdropper',NULL,'default',0,'eve@example.com','89e48c55e4e4b3b86141fb15f5e6abf70f8c32c0','fbba54b6750b16e8','2018-07-30 11:41:14',1,0,'{\"visible_attributes\": [\"username\", \"description\", \"identity_attributes\"]}',NULL,0,NULL), - ('mallory-evil-0000-0000-000000000000','mallory','Mallory the malicious attacker',NULL,'default',0,'mallory@example.com','89e48c55e4e4b3b86141fb15f5e6abf70f8c32c0','fbba54b6750b16e8','2018-07-30 11:41:14',1,0,'{\"visible_attributes\": [\"username\", \"description\", \"identity_attributes\"]}',NULL,0,NULL), - ('manager1-good-0000-0000-000000000000','manager1','Manager works for Bob',NULL,'default',0,'manager1@test.com','89e48c55e4e4b3b86141fb15f5e6abf70f8c32c0','fbba54b6750b16e8','2018-07-30 11:41:14',1,0,'{\"visible_attributes\": 
[\"username\", \"description\", \"identity_attributes\"]}',NULL,0,NULL), - ('manager2-good-0000-0000-000000000000','manager2','Manager works for Bob',NULL,'default',0,'manager2@test.com','89e48c55e4e4b3b86141fb15f5e6abf70f8c32c0','fbba54b6750b16e8','2018-07-30 11:41:14',1,0,'{\"visible_attributes\": [\"username\", \"description\", \"identity_attributes\"]}',NULL,0,NULL), - ('rob-evil-0000-0000-000000000000','rob','Rob the Robber',NULL,'default',0,'rob@example.com','89e48c55e4e4b3b86141fb15f5e6abf70f8c32c0','fbba54b6750b16e8','2018-07-30 11:41:14',1,0,'{\"visible_attributes\": [\"username\", \"description\", \"identity_attributes\"]}',NULL,0,NULL); -/*!40000 ALTER TABLE `user` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `user_authorized_application` --- - -DROP TABLE IF EXISTS `user_authorized_application`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `user_authorized_application` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `user_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `oauth_client_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `shared_attributes` char(255) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `login_date` datetime DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `user_id` (`user_id`), - KEY `oauth_client_id` (`oauth_client_id`), - CONSTRAINT `user_authorized_application_ibfk_1` FOREIGN KEY (`user_id`) REFERENCES `user` (`id`) ON DELETE CASCADE, - CONSTRAINT `user_authorized_application_ibfk_2` FOREIGN KEY (`oauth_client_id`) REFERENCES `oauth_client` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `user_authorized_application` --- - -LOCK TABLES `user_authorized_application` WRITE; -/*!40000 ALTER TABLE `user_authorized_application` DISABLE KEYS */; -INSERT INTO 
`user_authorized_application` VALUES -(1,'admin','8ca60ce9-32f9-42d6-a013-a19b3af0c13d', NULL, NULL), -(2,'aaaaaaaa-good-0000-0000-000000000000','tutorial-dckr-site-0000-xpresswebapp', 'username,email', NULL); -/*!40000 ALTER TABLE `user_authorized_application` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `user_organization` --- - -DROP TABLE IF EXISTS `user_organization`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `user_organization` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `role` varchar(10) DEFAULT NULL, - `user_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - `organization_id` char(36) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `user_id` (`user_id`), - KEY `organization_id` (`organization_id`), - CONSTRAINT `user_organization_ibfk_1` FOREIGN KEY (`user_id`) REFERENCES `user` (`id`) ON DELETE CASCADE, - CONSTRAINT `user_organization_ibfk_2` FOREIGN KEY (`organization_id`) REFERENCES `organization` (`id`) ON DELETE CASCADE -) ENGINE=InnoDB AUTO_INCREMENT=10 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `user_organization` --- - -LOCK TABLES `user_organization` WRITE; -/*!40000 ALTER TABLE `user_organization` DISABLE KEYS */; -INSERT INTO `user_organization` VALUES -(2,'owner', 'aaaaaaaa-good-0000-0000-000000000000','security-team-0000-0000-000000000000'), -(3,'owner', 'aaaaaaaa-good-0000-0000-000000000000','managers-team-0000-0000-000000000000'), -(4,'owner', 'bbbbbbbb-good-0000-0000-000000000000','managers-team-0000-0000-000000000000'), -(5,'member','manager1-good-0000-0000-000000000000','managers-team-0000-0000-000000000000'), -(6,'member','manager2-good-0000-0000-000000000000','managers-team-0000-0000-000000000000'), -(7,'owner', 'cccccccc-good-0000-0000-000000000000','security-team-0000-0000-000000000000'), 
-(8,'member','detective1-good-0000-0000-000000000000','security-team-0000-0000-000000000000'), -(9,'member','detective2-good-0000-0000-000000000000','security-team-0000-0000-000000000000'); -/*!40000 ALTER TABLE `user_organization` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `user_registration_profile` --- - -DROP TABLE IF EXISTS `user_registration_profile`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `user_registration_profile` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `activation_key` varchar(255) DEFAULT NULL, - `activation_expires` datetime DEFAULT NULL, - `reset_key` varchar(255) DEFAULT NULL, - `reset_expires` datetime DEFAULT NULL, - `verification_key` varchar(255) DEFAULT NULL, - `verification_expires` datetime DEFAULT NULL, - `user_email` varchar(255) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `user_email` (`user_email`), - CONSTRAINT `user_registration_profile_ibfk_1` FOREIGN KEY (`user_email`) REFERENCES `user` (`email`) ON DELETE CASCADE ON UPDATE CASCADE -) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `user_registration_profile` --- - -LOCK TABLES `user_registration_profile` WRITE; -/*!40000 ALTER TABLE `user_registration_profile` DISABLE KEYS */; -INSERT INTO `user_registration_profile` VALUES (1,'b26roiin0r','2018-07-31 10:03:53',NULL,NULL,NULL,NULL,'eve@test.com'); -/*!40000 ALTER TABLE `user_registration_profile` ENABLE KEYS */; -UNLOCK TABLES; -/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */; - -/*!40101 SET SQL_MODE=@OLD_SQL_MODE */; -/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */; -/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */; -/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */; -/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */; -/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */; -/*!40111 SET 
SQL_NOTES=@OLD_SQL_NOTES */;
-
--- Dump completed on 2018-08-10 9:03:58
diff --git a/provision-devices b/provision-devices
deleted file mode 100755
index 31eb090..0000000
--- a/provision-devices
+++ /dev/null
@@ -1,332 +0,0 @@
-#!/bin/bash
-#
-# curl commands to reload the data from the previous tutorial
-#
-#
-
-set -e
-
-
-
-
-
-printf "⏳ Provisioning IoT devices "
-
-
-#
-# Create a service groups for all UltraLight IoT devices
-#
-
-curl -s -o /dev/null -X POST \
- "http://iot-agent:$IOTA_NORTH_PORT/iot/services" \
- -H 'Content-Type: application/json' \
- -H 'fiware-service: openiot' \
- -H 'fiware-servicepath: /' \
- -d '{
- "services": [
- {
- "apikey": "1068318794",
- "cbroker": "'"http://orion:$ORION_PORT"'",
- "entity_type": "Motion",
- "resource": "/iot/d",
- "protocol": "PDI-IoTA-UltraLight",
- "transport": "HTTP",
- "timezone": "Europe/Berlin",
- "attributes": [
- { "object_id": "c", "name":"count", "type":"Integer"}
- ],
- "static_attributes": [
- {"name": "category", "type":"Text", "value": ["sensor"]},
- {"name": "controlledProperty", "type": "Text", "value": "motion"},
- {"name": "function", "type": "Text", "value":["sensing"]},
- {"name": "supportedProtocol", "type": "Text", "value": ["ul20"]},
- {"name": "supportedUnits", "type": "Text", "value": "C62"}
- ]
- },
- {
- "apikey": "3020035",
- "cbroker": "'"http://orion:$ORION_PORT"'",
- "entity_type": "Bell",
- "resource": "/iot/d",
- "protocol": "PDI-IoTA-UltraLight",
- "transport": "HTTP",
- "timezone": "Europe/Berlin",
- "commands": [
- {
- "name": "ring",
- "type": "command"
- }
- ],
- "static_attributes": [
- {"name": "category", "type":"Text", "value": ["actuator"]},
- {"name": "controlledProperty", "type": "Text", "value": "noiseLevel"},
- {"name": "function", "type": "Text", "value":["onOff"]},
- {"name": "supportedProtocol", "type": "Text", "value": ["ul20"]}
- ]
- },
- {
- "apikey": "3314136",
- "cbroker": "'"http://orion:$ORION_PORT"'",
- "entity_type": "Lamp",
- "resource": "/iot/d",
- "protocol": "PDI-IoTA-UltraLight",
- "transport": "HTTP",
- "timezone": "Europe/Berlin",
- "commands": [
- {"name": "on","type": "command"},
- {"name": "off","type": "command"}
- ],
- "attributes": [
- {"object_id": "s", "name": "state", "type":"Text"},
- {"object_id": "l", "name": "luminosity", "type":"Integer"}
- ],
- "static_attributes": [
- {"name": "category", "type":"Text", "value": ["actuator","sensor"]},
- {"name": "controlledProperty", "type": "Text", "value": "light"},
- {"name": "function", "type": "Text", "value":["onOff", "sensing"]},
- {"name": "supportedProtocol", "type": "Text", "value": ["ul20"]},
- {"name": "supportedUnits", "type": "Text", "value": "CDL"}
- ]
- },
- {
- "apikey": "3089326",
- "cbroker": "'"http://orion:$ORION_PORT"'",
- "entity_type": "Door",
- "resource": "/iot/d",
- "protocol": "PDI-IoTA-UltraLight",
- "transport": "HTTP",
- "timezone": "Europe/Berlin",
- "commands": [
- {"name": "unlock","type": "command"},
- {"name": "open","type": "command"},
- {"name": "close","type": "command"},
- {"name": "lock","type": "command"}
- ],
- "attributes": [
- {"object_id": "s", "name": "state", "type":"Text"}
- ],
- "static_attributes": [
- {"name": "category", "type":"Text", "value": ["actuator", "sensor"]},
- {"name": "controlledProperty", "type": "Text", "value": "state"},
- {"name": "function", "type": "Text", "value":["openClose", "eventNotification"]},
- {"name": "supportedProtocol", "type": "Text", "value": ["ul20"]}
- ]
- }
- ]
-}'
-
-####################################################
-#
-# Provision sensors for Store 001
-#
-
-curl -s -o /dev/null -X POST \
- "http://iot-agent:$IOTA_NORTH_PORT/iot/devices" \
- -H 'Content-Type: application/json' \
- -H 'fiware-service: openiot' \
- -H 'fiware-servicepath: /' \
- -d '{
- "devices": [
- {
- "device_id": "motion001",
- "entity_name": "Motion:001",
- "entity_type": "Motion",
- "static_attributes": [
- {"name": "refStore", "type": "Relationship","value": "urn:ngsi-ld:Store:001"}
- ]
- },
- {
- "device_id": "bell001",
- "entity_name": "Bell:001",
- "entity_type": "Bell",
- "endpoint": "'"http://iot-sensors:$TUTORIAL_DUMMY_DEVICE_PORT/iot/bell001"'",
- "static_attributes": [
- {"name": "refStore", "type": "Relationship","value": "urn:ngsi-ld:Store:001"}
- ]
- },
- {
- "device_id": "door001",
- "entity_name": "Door:001",
- "entity_type": "Door",
- "endpoint": "'"http://iot-sensors:$TUTORIAL_DUMMY_DEVICE_PORT/iot/door001"'",
- "static_attributes": [
- {"name": "refStore", "type": "Relationship","value": "urn:ngsi-ld:Store:001"}
- ]
- },
- {
- "device_id": "lamp001",
- "entity_name": "Lamp:001",
- "entity_type": "Lamp",
- "endpoint": "'"http://iot-sensors:$TUTORIAL_DUMMY_DEVICE_PORT/iot/lamp001"'",
- "static_attributes": [
- {"name": "refStore", "type": "Relationship","value": "urn:ngsi-ld:Store:001"}
- ]
- }
- ]
-}
-'
-
-####################################################
-#
-#
-# Provision sensors for Store 002
-#
-
-curl -s -o /dev/null -X POST \
- "http://iot-agent:$IOTA_NORTH_PORT/iot/devices" \
- -H 'Content-Type: application/json' \
- -H 'fiware-service: openiot' \
- -H 'fiware-servicepath: /' \
- -d '{
- "devices": [
- {
- "device_id": "motion002",
- "entity_name": "Motion:002",
- "entity_type": "Motion",
- "static_attributes": [
- {"name": "refStore", "type": "Relationship","value": "urn:ngsi-ld:Store:002"}
- ]
- },
- {
- "device_id": "bell002",
- "entity_name": "Bell:002",
- "entity_type": "Bell",
- "endpoint": "'"http://iot-sensors:$TUTORIAL_DUMMY_DEVICE_PORT/iot/bell002"'",
- "static_attributes": [
- {"name": "refStore", "type": "Relationship","value": "urn:ngsi-ld:Store:002"}
- ]
- },
- {
- "device_id": "door002",
- "entity_name": "Door:002",
- "entity_type": "Door",
- "endpoint": "'"http://iot-sensors:$TUTORIAL_DUMMY_DEVICE_PORT/iot/door002"'",
- "static_attributes": [
- {"name": "refStore", "type": "Relationship","value": "urn:ngsi-ld:Store:002"}
- ]
- },
- {
- "device_id": "lamp002",
- "entity_name": "Lamp:002",
- "entity_type": "Lamp",
- "endpoint": "'"http://iot-sensors:$TUTORIAL_DUMMY_DEVICE_PORT/iot/lamp002"'",
- "static_attributes": [
- {"name": "refStore", "type": "Relationship","value": "urn:ngsi-ld:Store:002"}
- ]
- }
- ]
-}
-'
-
-
-
-
-
-####################################################
-#
-#
-# Provision sensors for Store 3
-#
-
-curl -s -o /dev/null -X POST \
- "http://iot-agent:$IOTA_NORTH_PORT/iot/devices" \
- -H 'Content-Type: application/json' \
- -H 'fiware-service: openiot' \
- -H 'fiware-servicepath: /' \
- -d '{
- "devices": [
- {
- "device_id": "motion003",
- "entity_name": "Motion:003",
- "entity_type": "Motion",
- "static_attributes": [
- {"name": "refStore", "type": "Relationship","value": "urn:ngsi-ld:Store:003"}
- ]
- },
- {
- "device_id": "bell003",
- "entity_name": "Bell:003",
- "entity_type": "Bell",
- "endpoint": "'"http://iot-sensors:$TUTORIAL_DUMMY_DEVICE_PORT/iot/bell003"'",
- "static_attributes": [
- {"name": "refStore", "type": "Relationship","value": "urn:ngsi-ld:Store:003"}
- ]
- },
- {
- "device_id": "door003",
- "entity_name": "Door:003",
- "entity_type": "Door",
- "endpoint": "'"http://iot-sensors:$TUTORIAL_DUMMY_DEVICE_PORT/iot/door003"'",
- "static_attributes": [
- {"name": "refStore", "type": "Relationship","value": "urn:ngsi-ld:Store:003"}
- ]
- },
- {
- "device_id": "lamp003",
- "entity_name": "Lamp:003",
- "entity_type": "Lamp",
- "endpoint": "'"http://iot-sensors:$TUTORIAL_DUMMY_DEVICE_PORT/iot/lamp003"'",
- "static_attributes": [
- {"name": "refStore", "type": "Relationship","value": "urn:ngsi-ld:Store:003"}
- ]
- }
- ]
-}
-'
-
-
-
-
-####################################################
-#
-#
-# Provision sensors for Store 4
-#
-
-curl -s -o /dev/null -X POST \
- "http://iot-agent:$IOTA_NORTH_PORT/iot/devices" \
- -H 'Content-Type: application/json' \
- -H 'fiware-service: openiot' \
- -H 'fiware-servicepath: /' \
- -d '{
- "devices": [
- {
- "device_id": "motion004",
- "entity_name": "Motion:004",
- "entity_type": "Motion",
- "static_attributes": [
- {"name": "refStore", "type": "Relationship","value": "urn:ngsi-ld:Store:004"}
- ]
- },
- {
- "device_id": "bell004",
- "entity_name": "Bell:004",
- "entity_type": "Bell",
- "endpoint": "'"http://iot-sensors:$TUTORIAL_DUMMY_DEVICE_PORT/iot/bell004"'",
- "static_attributes": [
- {"name": "refStore", "type": "Relationship","value": "urn:ngsi-ld:Store:004"}
- ]
- },
- {
- "device_id": "door004",
- "entity_name": "Door:004",
- "entity_type": "Door",
- "endpoint": "'"http://iot-sensors:$TUTORIAL_DUMMY_DEVICE_PORT/iot/door004"'",
- "static_attributes": [
- {"name": "refStore", "type": "Relationship","value": "urn:ngsi-ld:Store:004"}
- ]
- },
- {
- "device_id": "lamp004",
- "entity_name": "Lamp:004",
- "entity_type": "Lamp",
- "endpoint": "'"http://iot-sensors:$TUTORIAL_DUMMY_DEVICE_PORT/iot/lamp004"'",
- "static_attributes": [
- {"name": "refStore", "type": "Relationship","value": "urn:ngsi-ld:Store:004"}
- ]
- }
- ]
-}
-'
-
-echo -e " \033[1;32mdone\033[0m"
\ No newline at end of file
diff --git a/secrets.txt b/secrets.txt
deleted file mode 100644
index 536aca3..0000000
--- a/secrets.txt
+++ /dev/null
@@ -1 +0,0 @@
-secret
\ No newline at end of file
diff --git a/services b/services
index bddbfd2..aaaba5f 100755
--- a/services
+++ b/services
@@ -2,178 +2,7 @@ # # Command Line Interface to start all services associated with the Tutorial # -# For this tutorial the commands are merely a convenience script to run docker or docker-compose -# -# Each services script can be run using either docker-compose (the external tool with the hyphen -) -# or docker compose (the newer version directly bundled with Docker with a space ) -# -# if you start up with the following command: -# -# ./services start legacy -# -# This will force the script to use docker-compose which may be more reliable in -# some cases (or if an older version of Docker is being used) set -e -dockerCmd="docker compose" -if (( $# == 2 )); then - dockerCmd="docker-compose" -fi - -if (( $# < 1 )); then - echo "Illegal number of parameters" - echo "usage: services [create|start|stop]" - exit 1 -fi - -loadData () { - docker run --rm -v $(pwd)/import-data:/import-data \ - --network fiware_default \ - -e ORION_PORT="${ORION_PORT}" \ - -e TUTORIAL_APP_PORT="${TUTORIAL_APP_PORT}" \ - --entrypoint /bin/ash quay.io/curl/curl /import-data - waitForIoTAgent - docker run --rm -v $(pwd)/provision-devices:/provision-devices \ - --network fiware_default \ - -e ORION_PORT="${ORION_PORT}" \ - -e TUTORIAL_APP_PORT="${TUTORIAL_APP_PORT}" \ - -e TUTORIAL_DUMMY_DEVICE_PORT="${TUTORIAL_DUMMY_DEVICE_PORT}" \ - -e IOTA_NORTH_PORT="${IOTA_NORTH_PORT}" \ - --entrypoint /bin/ash quay.io/curl/curl /provision-devices - echo "" -} - -waitForMongo () { - echo -e "\n⏳ Waiting for \033[1mMongoDB\033[0m to be available\n" - while ! [ `docker inspect --format='{{.State.Health.Status}}' db-mongo` == "healthy" ] - do - sleep 1 - done -} - -waitForOrion () { - echo -e "\n⏳ Waiting for \033[1;34mOrion\033[0m to be available\n" - - while ! 
[ `docker inspect --format='{{.State.Health.Status}}' fiware-orion` == "healthy" ] - do - echo -e "Context Broker HTTP state: " `curl -s -o /dev/null -w %{http_code} 'http://localhost:1026/version'` " (waiting for 200)" - sleep 1 - done -} - -waitForKeyrock () { - echo -e "⏳ Waiting for \033[1;31mKeyrock\033[0m to be available\n" - - while ! [ `docker inspect --format='{{.State.Health.Status}}' fiware-keyrock` == "healthy" ] - do - echo -e "Keyrock HTTP state: " `curl -s -o /dev/null -w %{http_code} 'http://localhost:3005/version'` " (waiting for 200)" - sleep 5 - done - echo -e " \033[1;32mdone\033[0m" -} - -waitForIoTAgent () { - echo -e "\n⏳ Waiting for \033[1;36mIoT-Agent\033[0m to be available\n" - while ! [ `docker inspect --format='{{.State.Health.Status}}' fiware-iot-agent` == "healthy" ] - - do - echo -e "IoT Agent HTTP state: " `curl -s -o /dev/null -w %{http_code} 'http://localhost:4041/version'` " (waiting for 200)" - sleep 1 - done -} - -displayServices () { - echo "" - docker ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}" --filter name=fiware-* - (gp ports list 2> /dev/null) || true - echo "" -} - -addDatabaseIndex () { - printf "Adding appropriate \033[1mMongoDB\033[0m indexes for \033[1;34mOrion\033[0m ..." 
- docker exec db-mongo mongosh --eval ' - conn = new Mongo();db.createCollection("orion"); - db = conn.getDB("orion"); - db.createCollection("entities"); - db.entities.createIndex({"_id.servicePath": 1, "_id.id": 1, "_id.type": 1}, {unique: true}); - db.entities.createIndex({"_id.type": 1}); - db.entities.createIndex({"_id.id": 1});' > /dev/null - - docker exec db-mongo mongosh --eval ' - conn = new Mongo();db.createCollection("orion-openiot"); - db = conn.getDB("orion-openiot"); - db.createCollection("entities"); - db.entities.createIndex({"_id.servicePath": 1, "_id.id": 1, "_id.type": 1}, {unique: true}); - db.entities.createIndex({"_id.type": 1}); - db.entities.createIndex({"_id.id": 1});' > /dev/null - echo -e " \033[1;32mdone\033[0m" - -} - -startContainers () { - echo "" - export IDM_HTTPS_ENABLED="$1" - ${dockerCmd} -f docker-compose.yml up -d --remove-orphans - echo "" -} - -stoppingContainers () { - echo "Stopping running containers" - ${dockerCmd} -f docker-compose.yml down -v --remove-orphans - echo "" - echo "Removing Authzforce Domains" - for dir in ./authzforce/domains/*; do - [ "$dir" = "./authzforce/domains/gQqnLOnIEeiBFQJCrBIBDA" ] && continue - rm -rf "$dir" - done - for file in ./authzforce/domains/gQqnLOnIEeiBFQJCrBIBDA/policies/ZjgxOTRhZjUtOGEwNy00ODZhLTk1ODEtYzFmMDVkMDU0ODNj/*; do - [ "$file" = "./authzforce/domains/gQqnLOnIEeiBFQJCrBIBDA/policies/ZjgxOTRhZjUtOGEwNy00ODZhLTk1ODEtYzFmMDVkMDU0ODNj/1.xml" ] && continue - [ "$file" = "./authzforce/domains/gQqnLOnIEeiBFQJCrBIBDA/policies/ZjgxOTRhZjUtOGEwNy00ODZhLTk1ODEtYzFmMDVkMDU0ODNj/2.xml" ] && continue - rm "$file" - done -} - -command="$1" -case "${command}" in - "help") - echo "usage: services [create|start|stop]" - ;; - "start") - export $(cat .env | grep "#" -v) - stoppingContainers - echo -e "Starting containers: \033[1;34mOrion\033[0m, \033[1;36mIoT-Agent\033[0m, \033[1;31mKeyrock\033[0m, \033[1;31mWilma\033[0m, \033[1mTutorial\033[0m and \033[1mMongoDB\033[0m and \033[1mMySQL\033[0m 
databases." - echo -e "- \033[1;34mOrion\033[0m is the context broker" - echo -e "- \033[1;36mIoT-Agent\033[0m is configured for the UltraLight Protocol" - echo -e "- \033[1mTutorial\033[0m acts as a series of dummy IoT Sensors over HTTP" - echo -e "- \033[1;31mKeyrock\033[0m is an Identity Management Front-End" - echo -e "- \033[1;31mWilma\033[0m is a PEP Proxy for Orion" - echo -e "- \033[1;31mAuthZforce\033[0m is a XACML Authorization Server" - startContainers false - waitForMongo - addDatabaseIndex - waitForOrion - loadData - waitForKeyrock - displayServices - echo -e "Now open \033[4mhttp://localhost:3000\033[0m" - ;; - "stop") - export $(cat .env | grep "#" -v) - stoppingContainers - ;; - "create") - export $(cat .env | grep "#" -v) - echo "Pulling Docker images" - docker pull -q quay.io/curl/curl - ${dockerCmd} pull --ignore-pull-failures - ;; - *) - echo "Command not Found." - echo "usage: services [create|start|stop|stop]" - exit 127; - ;; -esac - - - +echo -e "Please checkout the \033[1;36mNGSI-v2\033[0m branch of this repository to run this tutorial."
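Review bot: The replacement body ends the hunk with a bare `echo -e` and no exit status, so `./services start`, `./services create` or `./services stop` now print the branch hint and return 0, which lets a CI job or an automated init step carry on as if the stack had been started. Write the message to stderr and fail explicitly, e.g. `printf 'Please checkout the \033[1;36mNGSI-v2\033[0m branch of this repository to run this tutorial.\n' >&2` followed by `exit 1`, so callers notice that nothing was started. The `set -e` kept as context at the top of the hunk has no effect on a script that now runs a single `printf`/`echo`, so it can go as well; the shebang is outside the hunk, so whether `echo -e` is portable here depends on the interpreter line the file keeps.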