diff --git a/.env b/.env deleted file mode 100644 index 1e68e910f..000000000 --- a/.env +++ /dev/null @@ -1,5 +0,0 @@ -PROFILE=docker - -# Version of Elastic products -ELK_VERSION=7.17.4 -STACK_VERSION=7.17.4 diff --git a/Jenkinsfile b/Jenkinsfile deleted file mode 100644 index 40de9c9ea..000000000 --- a/Jenkinsfile +++ /dev/null @@ -1,66 +0,0 @@ -def pipelineContext = [:] - -pipeline { - agent any - - options { - skipDefaultCheckout(true) - } - - stages { - stage('Checkout') { - steps { - checkout scm - } - } - stage('Build API') { - steps { - script { - pipelineContext.apiImage = docker.build("open-dmp-api:${env.BUILD_ID}", "-f dmp-backend/Dockerfile.CI dmp-backend/") - } - } - } - stage('Build WebApp') { - steps { - script { - pipelineContext.webappImage = docker.build("open-dmp-webapp:${env.BUILD_ID}", "-f dmp-frontend/Dockerfile.CI dmp-frontend/") - } - } - } - //stage('SonarQube analysis') { - // steps { - // script { - // def scannerHome = tool 'SonarQube Scanner 4.3'; - // withSonarQubeEnv('SonarQube') { // If you have configured more than one global server connection, you can specify its name - // sh "${scannerHome}/bin/sonar-scanner" - // } - // } - // } - //} - //// waiting for sonar results based into the configured web hook in Sonar server which push the status back to jenkins - //stage('SonarQube scan result check') { - // steps { - // timeout(time: 2, unit: 'MINUTES') { - // retry(3) { - // script { - // def qg = waitForQualityGate() - // if (qg.status != 'OK') { - // error "Pipeline aborted due to quality gate failure: ${qg.status}" - // } - // } - // } - // } - // } - //} - stage('Pushing to Docker Registry') { - steps { - script { - docker.withRegistry('http://drepo.local.cite.gr', 'b2c651c1-9a3b-4a98-a6da-e1dd7a20f512') { - pipelineContext.apiImage.push() - pipelineContext.webappImage.push() - } - } - } - } - } -} \ No newline at end of file diff --git a/deployment/.env b/deployment/.env new file mode 100644 index 000000000..c686f26fb 
--- /dev/null
+++ b/deployment/.env
@@ -0,0 +1,26 @@
+###################### GENERAL #########################
+#User that is used to deploy the containers
+DEPLOY_USER=root
+
+#version selections
+PROXY_TAG=mainline-alpine
+MAIN_APP_TAG=2.1.3
+NOTIFICATION_APP_TAG=2.1.3
+ANNOTATION_APP_TAG=2.1.3
+DOCX_APP_TAG=0.0.8
+JSON_APP_TAG=0.0.6
+ZENODO_APP_TAG=2.0.4
+ELK_VERSION=8.13.12
+KEYCLOAK_TAG=24.0.2
+GOTENBERG_TAG=8.4.0
+POSTGRES_TAG=16-alpine
+
+#Application configuration
+DOCKER_REGISTRY=crepo.cite.gr/
+PROFILE=staging
+
+#port speficiations
+SERVER_PORT=8080
+PROXY_APP_PORT=8081
+PROXY_MS_PORT=8082
+POSTGRES_PORT=5432
\ No newline at end of file
diff --git a/deployment/docker-compose.override.yml b/deployment/docker-compose.override.yml
new file mode 100644
index 000000000..b9af6b701
--- /dev/null
+++ b/deployment/docker-compose.override.yml
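Review bot: `DEPLOY_USER=root` is the value the override file substitutes into `user: ${DEPLOY_USER}:${DEPLOY_USER}` for the backend, notification, annotation, file-transformer, postgres and elasticsearch containers, so despite the comment describing a deploy account every one of them runs as uid 0 against the host-mounted `/storage`, `/logs` and config directories. A dedicated unprivileged uid (for example `DEPLOY_USER=1000`, with the mounted paths chowned to it) limits what a compromised service can do to the host volumes; if a particular service really needs root, state that in a comment next to that service rather than globally. Note that `user:` takes `uid:gid`, so a numeric value works in every image whereas a name has to exist in each image's /etc/passwd.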
@@ -0,0 +1,314 @@ +version: "2.4" + +services: +############################## PROXY ######################################## + opendmp.proxy: + user: ${DEPLOY_USER}:${DEPLOY_USER} + restart: unless-stopped + cpus: 1 + mem_limit: 256m + ports: + - "${PROXY_APP_PORT}:8081" + - "${PROXY_MS_PORT}:8082" + env_file: + - /proxy/proxy.env + volumes: + - /proxy/nginx.conf:/etc/nginx/nginx.conf + - /proxy/ProxyNginx.conf:/etc/nginx/conf.d/default.conf + - /proxy/nginx-selfsigned.crt:/certifcates/cert.crt + - /proxy/nginx-selfsigned.key:/certifcates/key.key + - /logs/proxy:/tmp/logs + networks: + - opendmp-proxy-network + +############################## OPENDMP APP ################################# + opendmp.backend: + user: ${DEPLOY_USER}:${DEPLOY_USER} + restart: unless-stopped + cpus: 1 + mem_limit: 2048m + environment: + - PROFILE=${PROFILE} + ports: + - "8080" + volumes: + - /opendmp/backend/config:/config + - /opendmp/backend/certificates:/certificates + - /opendmp/backend/i18n:/i18n + - /opendmp/backend/material:/material + - /opendmp/backend/Semantics.json:/Semantics.json + - /storage/backend:/storage + - /logs/backend:/logs + networks: + - opendmp-proxy-network + - opendmp-backend-network + - opendmp-plugins-network + - opendmp-gotenberg-shared-network + - opendmp-elastic-shared-network + - opendmp-keycloak-shared-network + - opendmp-postgres-shared-network + - opendmp-rabbitmq-shared-network + + opendmp.frontend: + restart: unless-stopped + cpus: 1 + mem_limit: 2048m + ports: + - "8080" + volumes: + - /opendmp/webapp/config.json:/usr/share/nginx/html/assets/config/config.json + - /opendmp/webapp/nginx.conf:/etc/nginx/nginx.conf + - /opendmp/webapp/WebAppNginx.conf:/etc/nginx/conf.d/default.conf + networks: + - opendmp-proxy-network + + opendmp.notification: + user: ${DEPLOY_USER}:${DEPLOY_USER} + cpus: 1 + mem_limit: 1024m + restart: unless-stopped + ports: + - "8080" + environment: + - PROFILE=${PROFILE} + volumes: + - /opendmp/notification-api/config:/config + - 
/opendmp/notification-api/messages:/messages + - /opendmp/notification-api/notification_templates:/notification_templates + - /logs/notification-api:/logs + networks: + - opendmp-proxy-network + - opendmp-backend-network + - opendmp-plugins-network + - opendmp-rabbitmq-shared-network + - opendmp-keycloak-shared-network + - opendmp-postgres-shared-network + + opendmp.annotation: + user: ${DEPLOY_USER}:${DEPLOY_USER} + cpus: 1 + mem_limit: 1024m + restart: unless-stopped + ports: + - "8080" + environment: + - PROFILE=${PROFILE} + volumes: + - /opendmp/annotation-api/config:/config + - /opendmp/annotation-api/messages:/messages + - /logs/annotation-api:/logs + networks: + - opendmp-proxy-network + - opendmp-backend-network + - opendmp-plugins-network + - opendmp-rabbitmq-shared-network + - opendmp-keycloak-shared-network + - opendmp-postgres-shared-network + +############################## FILE-TRANSFORMER ################################# + + opendmp.file.transformer.docx: + user: ${DEPLOY_USER}:${DEPLOY_USER} + restart: unless-stopped + cpus: 1 + mem_limit: 1024m + expose: + - "8080" + environment: + - SERVER_PORT=${SERVER_PORT} + - PROFILE=${PROFILE} + volumes: + - /opendmp/file-transformer-docx/config:/config + - /logs/file-transformer-docx:/logs + - /storage/file-transformer-docx:/storage + networks: + - opendmp-backend-network + - opendmp-plugins-network + - opendmp-gotenberg-shared-network + + opendmp.file.transformer.rdajson: + user: ${DEPLOY_USER}:${DEPLOY_USER} + restart: unless-stopped + cpus: 1 + mem_limit: 1024m + expose: + - "8080" + environment: + - SERVER_PORT=${SERVER_PORT} + - PROFILE=${PROFILE} + volumes: + - /opendmp/file-transformer-rda-json/config:/config + - /opendmp/file-transformer-rda-json/internal:/internal + - /logs/file-transformer-rda-json:/logs + - /storage/file-transformer-rda-json:/storage + networks: + - opendmp-backend-network + - opendmp-plugins-network + +############################## ZENODO ####################################### 
+ # opendmp.zenodo: + # user: ${DEPLOY_USER}:${DEPLOY_USER} + # restart: unless-stopped + # cpus: 1 + # mem_limit: 1024m + # expose: + # - "8080" + # environment: + # - PROFILE=${PROFILE} + # volumes: + # - /opendmp/zenodo/config:/config + # - /opendmp/zenodo/zenodo.jpg:/zenodo.jpg + # - /logs/zenodo:/logs + # networks: + # - opendmp-plugins-network + # - opendmp-keycloak-shared-network + +############################## POSTGRES 16 ################################# + + opendmp.postgres: + user: ${DEPLOY_USER}:${DEPLOY_USER} + restart: unless-stopped + mem_limit: 2048M + ports: + # - "127.0.0.1:${POSTGRES_PORT}:5432" + - "${POSTGRES_PORT}:5432" + env_file: + - postgres/postgres.env + volumes: + - /postgres/opendmp_init.sql:/docker-entrypoint-initdb.d/opendmp_init.sql + - /postgres/keycloak_init.sql:/docker-entrypoint-initdb.d/keycloak_init.sql + - /storage/postgres/data:/var/lib/postgresql/data + networks: + - opendmp-keycloak-shared-network + +################################# ELK ################################################# + opendmp.elasticsearch: + user: ${DEPLOY_USER}:${DEPLOY_USER} + group_add: + - 0 + restart: unless-stopped + cpus: 2 + mem_limit: 1024m + env_file: + - /elk/config-elk/elasticsearch/elastic.env + environment: + - "ES_JAVA_OPTS=-Xmx512m -Xms512m" + ulimits: + nproc: 65535 + memlock: + soft: -1 + hard: -1 + volumes: + - /elk/config-elk/elasticsearch/certificates:/usr/share/elasticsearch/config/certificates + - /elk/config-elk/elasticsearch/config/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro + - /elk/config-elk/elasticsearch/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro + - /elk/data-elk/elasticsearch-data:/usr/share/elasticsearch/data + - /elk/data-elk/elasticsearch-log:/usr/share/elasticsearch/logs + expose: + - "9200" + - "9300" + networks: + - opendmp-elastic-network + - opendmp-elastic-shared-network + healthcheck: + test: curl --cacert 
/usr/share/elasticsearch/config/certificates/ca/ca.crt -s https://localhost:9200 >/dev/null; if [[ $$? == 52 ]]; then echo 0; else echo 1; fi + interval: 30s + timeout: 10s + retries: 5 + + # opendmp.logstash: + # volumes: + # - /elk/data-elk/logstash-log:/usr/share/logstash/logs + + opendmp.kibana: + user: ${DEPLOY_USER}:${DEPLOY_USER} + restart: unless-stopped + cpus: 2 + mem_limit: 1024m + environment: + - xpack.license.self_generated.type=basic + - xpack.security.enabled=true + volumes: + - /elk/config-elk/kibana/certificates:/usr/share/kibana/certificates + - /elk/config-elk/kibana/certificates/ca:/usr/share/kibana/certificate_authorities + - /elk/config-elk/kibana/config:/usr/share/kibana/config:ro + expose: + - "5601" + networks: + - opendmp-elastic-network + + # opendmp.filebeat: + + +############################## KEYCLOAK ############################################### + opendmp.keycloak: + restart: unless-stopped + command: ["start", "--log=console,file", "--log-file=/tmp/logs/keycloak.log", "--import-realm"] + cpus: 1 + mem_limit: 1024M + security_opt: + - seccomp:unconfined + env_file: + - /keycloak/keycloak.env + environment: + - JAVA_OPTS_APPEND="-Djava.net.preferIPv4Stack=true" + volumes: + - /logs/keycloak:/tmp/logs + - /keycloak/imports/opendmp-realm.json:/opt/keycloak/data/import/opendmp-realm.json + - /keycloak/certs/keycloak-selfsigned.crt:/tmp/keycloak-selfsigned.crt:ro + - /keycloak/certs/keycloak-selfsigned.key:/tmp/keycloak-selfsigned.key:ro + expose: + - "8443" + networks: + - opendmp-proxy-network + - opendmp-keycloak-shared-network + +############################## RABBITMQ ############################################### + opendmp.rabbitmq: + labels: + NAME: "rabbitmq" + cpus: 1 + mem_limit: 512m + restart: unless-stopped + expose: + - "15672" + - "5672" + env_file: + - /rabbitmq/rabbitmq.env +# volumes: +# - /rabbitmq/rabbitmq.config:/etc/rabbitmq/rabbitmq.config:ro + networks: + - opendmp-proxy-network + - 
opendmp-rabbitmq-shared-network + +############################## GOTENBERG ############################################## + opendmo.gotenberg: + mem_limit: 2048m + restart: unless-stopped + expose: + - "3000" + hostname: gotenberg + env_file: + - /gotenberg/gotenberg.env + networks: + - opendmp-gotenberg-shared-network + +networks: + opendmp-proxy-network: + opendmp-backend-network: + opendmp-plugins-network: + opendmp-keycloak-shared-network: + external: + name: opendmp-keycloak-shared-network + opendmp-gotenberg-shared-network: + external: + name: opendmp-gotenberg-shared-network + opendmp-rabbitmq-shared-network: + external: + name: opendmp-rabbitmq-shared-network + opendmp-elastic-shared-network: + external: + name: opendmp-elastic-shared-network + opendmp-postgres-shared-network: + external: + name: opendmp-postgres-shared-network \ No newline at end of file diff --git a/deployment/docker-compose.yml b/deployment/docker-compose.yml new file mode 100644 index 000000000..1d9db08fa --- /dev/null +++ b/deployment/docker-compose.yml 
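Review bot: The GOTENBERG section keys its service as `opendmo.gotenberg:` while `deployment/docker-compose.yml` defines `opendmp.gotenberg:`, so compose merges them as two different services: the misspelled one has no `image` or `build` and fails validation, and the real one receives none of the `mem_limit`, `env_file` or network given here — rename the key to `opendmp.gotenberg:`. The elasticsearch `healthcheck.test` ends in `echo 0`/`echo 1`, whose exit status is always 0, so the container is reported healthy whatever curl returned; use `exit 0`/`exit 1` in the two branches instead. Two exposure choices deserve either a comment or a narrower default: postgres publishes `"${POSTGRES_PORT}:5432"` on every host interface while the loopback-bound form is left commented out, and keycloak runs with `seccomp:unconfined`. The bind mount `/elk/config-elk/elasticsearch/certificates` also carries `ca/ca-key.pem` into the Elasticsearch container, which only needs `ca/ca.crt` plus its own key and certificate; mount those pieces separately and read-only.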
@@ -0,0 +1,115 @@ +version: "2.4" + +services: +############################## PROXY ######################################## + opendmp.proxy: + container_name: opendmp.proxy + image: nginx:${PROXY_TAG} + +############################## OPENDMP APP ################################# + + opendmp.frontend: + container_name: opendmp.frontend + image: ${DOCKER_REGISTRY}open-dmp-webapp:${MAIN_APP_TAG} + depends_on: + - opendmp.backend + - opendmp.notification + - opendmp.annotation + + opendmp.backend: + container_name: opendmp.backend + image: ${DOCKER_REGISTRY}open-dmp-api:${MAIN_APP_TAG} + depends_on: + - opendmp.postgres + + opendmp.notification: + container_name: opendmp.notification + image: ${DOCKER_REGISTRY}open-dmp-notification-api:${NOTIFICATION_APP_TAG} + depends_on: + - opendmp.postgres + + opendmp.annotation: + container_name: opendmp.annotation + image: ${DOCKER_REGISTRY}open-dmp-annotation-api:${ANNOTATION_APP_TAG} + depends_on: + - opendmp.postgres + +############################## FILE-TRANSFORMERS ####################################### + + opendmp.file.transformer.docx: + container_name: opendmp.file.transformer.docx + image: ${DOCKER_REGISTRY}file-transformation-docx-api:${DOCX_APP_TAG} + depends_on: + - opendmp.backend + + opendmp.file.transformer.rdajson: + container_name: opendmp.file.transformer.rdajson + image: ${DOCKER_REGISTRY}file-transformation-rda-json-api:${JSON_APP_TAG} + depends_on: + - opendmp.backend + +################################ ZENODO ############################################### + # opendmp.zenodo: + # container_name: opendmp.zenodo + # image: ${DOCKER_REGISTRY}repository-deposit-zenodo:${ZENODO_APP_TAG} + # depends_on: + # - opendmp.backend + +############################## POSTGRES 16 ############################################ + opendmp.postgres: + container_name: opendmp.postgres + image: postgres:${POSTGRES_TAG} + +################################# ELK ################################################# + 
opendmp.elasticsearch: + container_name: opendmp.elasticsearch + image: elasticsearch + build: + context: /elk/elasticsearch/ + args: + ELK_VERSION: $ELK_VERSION + + # opendmp.logstash: + # container_name: opendmp.logstash + # image: logstash + # build: + # context: /elk/logstash/ + # args: + # ELK_VERSION: $ELK_VERSION + # depends_on: + # - opendmp.elasticsearch + + opendmp.kibana: + container_name: opendmp.kibana + image: kibana + build: + context: /elk/kibana/ + args: + ELK_VERSION: $ELK_VERSION + depends_on: + - opendmp.elasticsearch + + # opendmp.filebeat: + # container_name: opendmp.filebeat + # image: filebeat + # build: + # context: /elk/filebeat/ + # args: + # ELK_VERSION: $ELK_VERSION + # depends_on: + # - opendmp.logstash + +############################## KEYCLOAK ############################################### + opendmp.keycloak: + container_name: opendmp.keycloak + image: quay.io/keycloak/keycloak:${KEYCLOAK_TAG} + +############################## RABBITMQ ############################################### + opendmp.rabbitmq: + container_name: opendmp.rabbitmq + image: rabbitmq:${RABBITMQ_TAG} + +############################## GOTENBERG ############################################## + opendmp.gotenberg: + image: gotenberg/gotenberg:${GOTENBERG_TAG} + container_name: opendmp.gotenberg diff --git a/deployment/elk/config-elk/elasticsearch/certificates/ca/ca-key.pem b/deployment/elk/config-elk/elasticsearch/certificates/ca/ca-key.pem new file mode 100644 index 000000000..fa1b4b8b1 --- /dev/null +++ b/deployment/elk/config-elk/elasticsearch/certificates/ca/ca-key.pem 
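Review bot: `image: rabbitmq:${RABBITMQ_TAG}` uses a variable that `deployment/.env` never defines (it sets PROXY_TAG through POSTGRES_TAG but no RABBITMQ_TAG), so the tag expands to an empty string and the resulting reference `rabbitmq:` is invalid; add `RABBITMQ_TAG=<rabbitmq version>` next to the other tags in `.env`. The locally built images are named bare `image: elasticsearch` and `image: kibana`, which are also the official Docker Hub repository names, so on a host that pulls those images the local build silently shadows or is shadowed by them; presumably they are meant as local names, but a namespaced form such as `${DOCKER_REGISTRY}opendmp-elasticsearch:${ELK_VERSION}` removes the ambiguity. The build args use `$ELK_VERSION` whereas every other reference in the file is written `${VAR}`; harmless, but inconsistent.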
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC3Ijv7bT86kta/ +1wx0nMbtZvXF5Hfmt1n3087NcOi/JdjnSmF7JfTCXjzKQtOKrv2tLGkaXfrzerL+ +yPBKuffTMk80vHSixmrH71IX0DriKNxnW6RNg1j3R3igVVsGTNdUbI26dc3RZpKR +gb7u/HqR1GTLD6EfrcL655aitCmywvyzLQ/x1BWZ3WjaMONT1DdU7I1GXhqv96be +Sbi2dQUdogNFGhiK9WwFrKJpeSERlOl6jPBqoYRZjBlgJ/DlmWhvlKwj91ilYeOd +ifsB9e7F9lwUbADsSGTOKKqBIX29ZcFkXwJshtm6CIQXWnvz+jl46mu5ScEU+iwr +mvILVUIJAgMBAAECggEAEgO3WEp9FYczwj/GfSMd62T9KLgKdmLTYg5PEcT5VDJG +JaxarflEHCmWe8P6mLIRiKstdJdJlBFeEbOU9ZjZEMiqY3LlW0y+3MeFMQv9+tjP +o4gvf6N7ySlZ65Wx5EsDRI4AHBcyBZb8NH2JmWszKGy29IWnUR0v6KwG1J752hhq +vTO9aMaz3MTstKTal0cDJRaTjPctzXVSyJSTeClNpl8mFDYbCUR/PPklZbAx9CyY +K6orDCUBGOH2wK85+l9uFaUWOcupKBhg99MKZTpX/6tIgqbCuBfN8FBk0LztJ/Uo +SZAHf5QIt6eTmcBtarlbsTV0TeJj5llVUGynHTBvQQKBgQC+ZTbTkbfHIgbVqDeU +YkBiKul4M8xzIOsogNtZVevL7R2KSco1TUmcY7SDq8flshtZJb6utXUXCUprNsZl +OOM7QpXxfnYKTjv39NTM4eCCzvMcDpBRmBQmQkka+2NbAxMTy91T709EAiqgia+m +tszU93IGIle9abv9Fo1giw/lqQKBgQD2PHhwtmVT3B/H/ywtadCmyfHm+kHi8IWR +y//EvLjDgI+SzwIgM2ABLAkKqg1VXkgZ741AxaQkkcP+NgJ2saY0cJCKBr/SPyRe +jTfbWWfH89Mf3EVl2fxkG3YL1EJu+boup3l9L1rGpK9japAIMNOXh8S4A5WCOZLr +Hk6FuTF1YQKBgEr8K9qpcjrQMObm6HTdOUQwaGD57ZSOK295SGpnx4U6Lr8vDp9t +gAdC0W5mMkVJnzG+BtpiBup6sz+EhCCLhhrpv4or5ytp4n5mg4TplPWPsfmj1rz7 +6zuiMY6Z4WiPzmymhtWu04YSYF13vKEpL4TUq6i0z99+jBZCUo3qVul5AoGAcYNG +8o7i/1nGvOgBcZ4KNhl6jsRngzrmGGQ2sHdfpaCqjz8m97k3VNL8CBKEuwoPqwUn +1OhH1yPrelFjqVwUBrCtsTOTUlURaxUm3tPEaAUbGuDsjRuEopGWRbXAOnCdR8yk +0PT3oANjZy1E4MHBiWVpZnsgfTwVYpZCFJtfFYECgYBkyF06DC0DhZZ0AEZpJHxf +xbP/1gq7KlBzR6WSSRzPxX/3VOdBuGs7qYP1orDEF9wG/0Jk35Ek+PcT97j6s0gE +a4Zd8iYpSdgd36L+5uBxgRsavr/Xf4lQECRTQYfKUVhKhhCT1xjOUAAr52Vl+8V/ +5sIcUBUzbXDpZvyR/67pxQ== +-----END PRIVATE KEY----- diff --git a/deployment/elk/config-elk/elasticsearch/certificates/ca/ca.crt b/deployment/elk/config-elk/elasticsearch/certificates/ca/ca.crt new file mode 100644 index 000000000..9266570ad --- /dev/null 
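Review bot: This hunk commits the CA private key in cleartext (its modulus matches the public key in `elasticsearch/certificates/ca/ca.crt` below, which appears to be the issuer of `elasticsearch.crt`), and the node's own key follows in `elasticsearch/certificates/elasticsearch/elasticsearch.key`; anyone with read access to the repository can therefore issue certificates that Elasticsearch and Kibana trust, or decrypt captured traffic to the node. Treat both keys as compromised: generate a fresh CA and node key outside the repository, deliver them to `/elk/config-elk/...` through the deployment mechanism or a secret store, commit only `ca.crt`, and add `*.key` and `*-key.pem` under `deployment/` to `.gitignore`. Deleting the files in a later commit does not remove them from history, so rotation is the fix, not removal.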
+++ b/deployment/elk/config-elk/elasticsearch/certificates/ca/ca.crt @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDcTCCAlmgAwIBAgIUE5s/YTgomqob7mc88HmQUn/sHkswDQYJKoZIhvcNAQEL +BQAwRzELMAkGA1UEBhMCR1IxDTALBgNVBAgMBENJVEUxDDAKBgNVBAcMA0FUSDEN +MAsGA1UECgwEQ0lURTEMMAoGA1UEAwwDZWxrMCAXDTIyMDkwODA3Mzg0NFoYDzIx +MjIwODE1MDczODQ0WjBHMQswCQYDVQQGEwJHUjENMAsGA1UECAwEQ0lURTEMMAoG +A1UEBwwDQVRIMQ0wCwYDVQQKDARDSVRFMQwwCgYDVQQDDANlbGswggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3Ijv7bT86kta/1wx0nMbtZvXF5Hfmt1n3 +087NcOi/JdjnSmF7JfTCXjzKQtOKrv2tLGkaXfrzerL+yPBKuffTMk80vHSixmrH +71IX0DriKNxnW6RNg1j3R3igVVsGTNdUbI26dc3RZpKRgb7u/HqR1GTLD6EfrcL6 +55aitCmywvyzLQ/x1BWZ3WjaMONT1DdU7I1GXhqv96beSbi2dQUdogNFGhiK9WwF +rKJpeSERlOl6jPBqoYRZjBlgJ/DlmWhvlKwj91ilYeOdifsB9e7F9lwUbADsSGTO +KKqBIX29ZcFkXwJshtm6CIQXWnvz+jl46mu5ScEU+iwrmvILVUIJAgMBAAGjUzBR +MB0GA1UdDgQWBBQSAI1g3+gAsT5BHVfaWPlNFy9IgjAfBgNVHSMEGDAWgBQSAI1g +3+gAsT5BHVfaWPlNFy9IgjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUA +A4IBAQCmR4cz47QtGX1xn2Rrl1NdLX2wiS2y7P4xRGzKeAYZIHLZWW/GaJDb+yw9 +Cz9qjhuBhGqfIeh8QryRgPotd64Oef0MscC+oFfprWxQA0svP83sITr9BazGb4A4 +LcIToVHZtIMnak119k1RsNYpzADDBxnaaODs3xCe21dfCVI/ea+wSPiUY3vvZZDn +KejJclhRnQFV3yQ7hMdR9tq0BndWtqHrappa3oX2JU1yi/x3Ndi6dOMk+x7+kc4Q +OAtzcXa29kowAyLUMHhGYwcsJp8ysa6Xlltqt/kkI+3CgbTl/egUU9igysMKDyMM +0LQcef+IQwmeHfD1RAW2ksW2OOx5 +-----END CERTIFICATE----- diff --git a/deployment/elk/config-elk/elasticsearch/certificates/elasticsearch/elasticsearch.crt b/deployment/elk/config-elk/elasticsearch/certificates/elasticsearch/elasticsearch.crt new file mode 100644 index 000000000..ebce955cd --- /dev/null +++ b/deployment/elk/config-elk/elasticsearch/certificates/elasticsearch/elasticsearch.crt 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDXDCCAkSgAwIBAgIUK8FEbNAIdyPoRF/pTyqNuL3kP54wDQYJKoZIhvcNAQEL +BQAwRzELMAkGA1UEBhMCR1IxDTALBgNVBAgMBENJVEUxDDAKBgNVBAcMA0FUSDEN +MAsGA1UECgwEQ0lURTEMMAoGA1UEAwwDZWxrMCAXDTIyMDkwODA4MjgxM1oYDzIx +MjIwODE1MDgyODEzWjAYMRYwFAYDVQQDDA1lbGFzdGljc2VhcmNoMIIBIjANBgkq +hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoC6DoPC1kesTH0cKs1blVW8ddsQ3VmFO +ROJiUorhDIHB3sXJhCSw0hxZFNZtqgG35CTa5w3XiQMT1fr6Ar/ztOQmARg9CMQa +mOf8gR+tMTSwP7zr7WBR/1Q+GseeOnthFOfvfq7LLpRs8VNb/mhcSIjJsT9kMNXN +5iHIyEuGhQSwPZDUYx+6Ag4belQLvic+QYDhwvujtPFWj8qLSG7kTpbBK5ahH/5E +mvT5mpOYTR10f3LG4DKw7t6qG9tzh4WkwR0JYmlgxpAA/HBSa/QjS7CGxLrA4Sop +gQF8KQPEP/0w98EbYpBUPS5jqbkBr6093M7Epksi86oRjtbcXAT0qwIDAQABo20w +azApBgNVHREEIjAggg1lbGFzdGljc2VhcmNogglsb2NhbGhvc3SHBH8AAAEwHQYD +VR0OBBYEFC/cKMOAVbx8bwyoKdg2Oiej9xoSMB8GA1UdIwQYMBaAFBIAjWDf6ACx +PkEdV9pY+U0XL0iCMA0GCSqGSIb3DQEBCwUAA4IBAQBo42FOuxIMeIiMaKa347gc +WsHpkazYOA6iHK5xXPsVUU1xSCLKp5HLCC04FU5P9njCDyZo1e/SR6rirQJJHEtT +SAn7iabREE+vy0oN3JnyV+eJPmKWxlqeFr9Cs9uIXQbgjwyyj9rxT06eLr3M1MA1 +IsARV2eyxcgS5sCC8JBCEpKR4jLRrpAs0tGJOeIh1cmf/1id+NQaDa14sLFKHBH1 +3+6TfBPrhJoGqFz92jV2airr7dppyCXgmWymVc66iD00Nak6Bvchg6ARTkqJnfoZ +2/Tz7asHV2V052ZLiow7Si34nS/9Hp8F8vUaj+FYXowvGwQUXLQIg/53KXh7piuW +-----END CERTIFICATE----- diff --git a/deployment/elk/config-elk/elasticsearch/certificates/elasticsearch/elasticsearch.key b/deployment/elk/config-elk/elasticsearch/certificates/elasticsearch/elasticsearch.key new file mode 100644 index 000000000..2dfbc1141 --- /dev/null +++ b/deployment/elk/config-elk/elasticsearch/certificates/elasticsearch/elasticsearch.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCgLoOg8LWR6xMf +RwqzVuVVbx12xDdWYU5E4mJSiuEMgcHexcmEJLDSHFkU1m2qAbfkJNrnDdeJAxPV ++voCv/O05CYBGD0IxBqY5/yBH60xNLA/vOvtYFH/VD4ax546e2EU5+9+rssulGzx +U1v+aFxIiMmxP2Qw1c3mIcjIS4aFBLA9kNRjH7oCDht6VAu+Jz5BgOHC+6O08VaP +yotIbuROlsErlqEf/kSa9Pmak5hNHXR/csbgMrDu3qob23OHhaTBHQliaWDGkAD8 +cFJr9CNLsIbEusDhKimBAXwpA8Q//TD3wRtikFQ9LmOpuQGvrT3czsSmSyLzqhGO +1txcBPSrAgMBAAECggEAJdOmMPj3H9zgGKhJrh1Mrha94gCnQsZa2eiOKIj0aWQx +GL8jfgm+Gfgoz0NuBVI/j2hmq1648fmgkw0gQkr7LdIc6XBEZZAN6eMK3aFR4Idd +QcgG/PkclAvcWK2gP5ZIUEwPYh68C6VwbrLtTBBwDo8C9lEOg3vSElETHb28KCgZ +sC0wLres01crLF0Azh+m3cx+p/6TBLfpBIrM0HQn1Lmn/dP6BKcRDoncE+GcKjE1 +JZcgypdC4Juq2WctMNbBvgt+7AjVB1n9ejrUN5rlK+JP3Xa7D4zvc79CDX+BP2C2 +X57ZT4Pff5mPF70zrlqGQNnBep09UxZTRnHDRMWzZQKBgQDfMT+G+x49TZYuaiQC +gKguQ0k8F6nnrmz0rz2MNJiZ9oTYAtz5wRQ25KkbqTc7beKecSykp5izoluzgSJu +dTFh11SO1i63kMzpFFyBui3rSoUjAq+sMzRY5ERyUsG90tsaAl2a9PT3M9b5a0XC +8f1cDhKt+JQtaYRiZZJsC4Ru1wKBgQC3uirv92/dq1RcuWBf/yt2n6/JY9+9k1NI +vDzQtVI0Q3OZfRX9Rn9/+h3fSXTG3w7p5FqfNguHYPbLNzO+6WxxeuDveAL3Nx4/ +HSURjbiK+ppYDwyeY4IgKgeq2mRrIZC4rSqEsrJMLnNiDRYaVTWZczqGLT5oZ5cT +lBLDD6+STQKBgDhi68bBOIGKUW/GdvR+5n5Rl3XsEIusoHAsuaLrQsZa5nLgPk2G +vwGjQSnw1ThZaZBXzUyH3uc7FGnELRu01dX/Hai8aa8MkQgtkbVggOtZt0sCCbm6 +cfYnLTeourOnSp1GjblxO1YcranztPssQbL5BzUWgPD8IGrveE99lWafAoGAG6q4 +PoynVt0vBguQXMRjOijP4ubcUYL2/rQCAHfdmisyJEH25r4QAyiaCP7Zy/zZFRWj +I+iSkd9jKrT0YOJrxyb26njLEYlGT8DGzT7nNF6KkYoqn0ti1A8gOnVKu+tBDN5e +0b7LJLe1/mT0GCEOwj3c6Um05Sn8USFyNdeN290CgYBSdmwqJYUGJXVGTCn2Ff4Z +jdFtN/Q9kFDhCCYVV1XAJ5mdX4k77HIw5EAlDXM0EZnhQAec+RSKIO7Oc+9krmFq +R1lCT/s7UDsitQBDmkQs+12PEILuk+Qbdan+CwTLwCik06vj+VzZhHylFoOMJLdm +lf4Bnd2TNNykAsd2jy5cAg== +-----END PRIVATE KEY----- diff --git a/deployment/elk/config-elk/elasticsearch/certificates/elasticsearch/v3.ext b/deployment/elk/config-elk/elasticsearch/certificates/elasticsearch/v3.ext new file mode 100644 index 000000000..e1300cc32 --- /dev/null 
+++ b/deployment/elk/config-elk/elasticsearch/certificates/elasticsearch/v3.ext
@@ -0,0 +1,12 @@
+[ req ]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+req_extensions = req_ext
+[ req_distinguished_name ]
+commonName = elasticsearch
+[ req_ext ]
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = elasticsearch
+DNS.2 = localhost
+IP.1 = 127.0.0.1
\ No newline at end of file
diff --git a/deployment/elk/config-elk/elasticsearch/config/elasticsearch.yml b/deployment/elk/config-elk/elasticsearch/config/elasticsearch.yml
new file mode 100644
index 000000000..1de846498
--- /dev/null
+++ b/deployment/elk/config-elk/elasticsearch/config/elasticsearch.yml
@@ -0,0 +1,19 @@
+---
+## Default Elasticsearch configuration from elasticsearch-docker.
+## from https://github.com/elastic/elasticsearch-docker/blob/master/build/elasticsearch/elasticsearch.yml
+#
+network.host: 0.0.0.0
+
+# minimum_master_nodes need to be explicitly set when bound on a public IP
+# set to 1 to allow single node clusters
+# Details: https://github.com/elastic/elasticsearch/pull/17288
+# discovery.zen.minimum_master_nodes: 1
+
+## Use single node discovery in order to disable production mode and avoid bootstrap checks
+## see https://www.elastic.co/guide/en/elasticsearch/reference/current/bootstrap-checks.html
+#
+discovery.type: single-node
+## Search Guard
+#
+
+
diff --git a/deployment/elk/config-elk/elasticsearch/config/log4j2.properties b/deployment/elk/config-elk/elasticsearch/config/log4j2.properties
new file mode 100644
index 000000000..b4e59ffb8
--- /dev/null
+++ b/deployment/elk/config-elk/elasticsearch/config/log4j2.properties
@@ -0,0 +1,179 @@ +#https://github.com/elastic/elasticsearch/blob/7.4/distribution/src/config/log4j2.properties + +status = error + +# log action execution errors for easier debugging +logger.action.name = org.elasticsearch.action +logger.action.level = debug + +appender.console.type = Console +appender.console.name = console +appender.console.layout.type = PatternLayout +appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n + +######## Server JSON ############################ +appender.rolling.type = RollingFile +appender.rolling.name = rolling +appender.rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_server.json +appender.rolling.layout.type = ESJsonLayout +appender.rolling.layout.type_name = server + +appender.rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}-%d{yyyy-MM-dd}-%i.json.gz +appender.rolling.policies.type = Policies +appender.rolling.policies.time.type = TimeBasedTriggeringPolicy +appender.rolling.policies.time.interval = 1 +appender.rolling.policies.time.modulate = true +appender.rolling.policies.size.type = SizeBasedTriggeringPolicy +appender.rolling.policies.size.size = 128MB +appender.rolling.strategy.type = DefaultRolloverStrategy +appender.rolling.strategy.fileIndex = nomax +appender.rolling.strategy.action.type = Delete +appender.rolling.strategy.action.basepath = ${sys:es.logs.base_path} +appender.rolling.strategy.action.condition.type = IfFileName +appender.rolling.strategy.action.condition.glob = ${sys:es.logs.cluster_name}-* +appender.rolling.strategy.action.condition.nested_condition.type = IfAccumulatedFileSize +appender.rolling.strategy.action.condition.nested_condition.exceeds = 2GB +################################################ +######## Server - old style pattern ########### +appender.rolling_old.type = RollingFile +appender.rolling_old.name = rolling_old +appender.rolling_old.fileName = 
${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}.log +appender.rolling_old.layout.type = PatternLayout +appender.rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n + +appender.rolling_old.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}-%d{yyyy-MM-dd}-%i.log.gz +appender.rolling_old.policies.type = Policies +appender.rolling_old.policies.time.type = TimeBasedTriggeringPolicy +appender.rolling_old.policies.time.interval = 1 +appender.rolling_old.policies.time.modulate = true +appender.rolling_old.policies.size.type = SizeBasedTriggeringPolicy +appender.rolling_old.policies.size.size = 128MB +appender.rolling_old.strategy.type = DefaultRolloverStrategy +appender.rolling_old.strategy.fileIndex = nomax +appender.rolling_old.strategy.action.type = Delete +appender.rolling_old.strategy.action.basepath = ${sys:es.logs.base_path} +appender.rolling_old.strategy.action.condition.type = IfFileName +appender.rolling_old.strategy.action.condition.glob = ${sys:es.logs.cluster_name}-* +appender.rolling_old.strategy.action.condition.nested_condition.type = IfAccumulatedFileSize +appender.rolling_old.strategy.action.condition.nested_condition.exceeds = 2GB +################################################ + +rootLogger.level = info +rootLogger.appenderRef.console.ref = console +rootLogger.appenderRef.rolling.ref = rolling +rootLogger.appenderRef.rolling_old.ref = rolling_old + +######## Deprecation JSON ####################### +appender.deprecation_rolling.type = RollingFile +appender.deprecation_rolling.name = deprecation_rolling +appender.deprecation_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_deprecation.json +appender.deprecation_rolling.layout.type = ESJsonLayout +appender.deprecation_rolling.layout.type_name = deprecation +appender.deprecation_rolling.layout.esmessagefields=x-opaque-id + +appender.deprecation_rolling.filePattern = 
${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_deprecation-%i.json.gz +appender.deprecation_rolling.policies.type = Policies +appender.deprecation_rolling.policies.size.type = SizeBasedTriggeringPolicy +appender.deprecation_rolling.policies.size.size = 1GB +appender.deprecation_rolling.strategy.type = DefaultRolloverStrategy +appender.deprecation_rolling.strategy.max = 4 +################################################# +######## Deprecation - old style pattern ####### +appender.deprecation_rolling_old.type = RollingFile +appender.deprecation_rolling_old.name = deprecation_rolling_old +appender.deprecation_rolling_old.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_deprecation.log +appender.deprecation_rolling_old.layout.type = PatternLayout +appender.deprecation_rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n + +appender.deprecation_rolling_old.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}\ + _deprecation-%i.log.gz +appender.deprecation_rolling_old.policies.type = Policies +appender.deprecation_rolling_old.policies.size.type = SizeBasedTriggeringPolicy +appender.deprecation_rolling_old.policies.size.size = 1GB +appender.deprecation_rolling_old.strategy.type = DefaultRolloverStrategy +appender.deprecation_rolling_old.strategy.max = 4 +################################################# +logger.deprecation.name = org.elasticsearch.deprecation +logger.deprecation.level = warn +logger.deprecation.appenderRef.deprecation_rolling.ref = deprecation_rolling +logger.deprecation.appenderRef.deprecation_rolling_old.ref = deprecation_rolling_old +logger.deprecation.additivity = false + +######## Search slowlog JSON #################### +appender.index_search_slowlog_rolling.type = RollingFile +appender.index_search_slowlog_rolling.name = index_search_slowlog_rolling +appender.index_search_slowlog_rolling.fileName = 
${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs\ + .cluster_name}_index_search_slowlog.json +appender.index_search_slowlog_rolling.layout.type = ESJsonLayout +appender.index_search_slowlog_rolling.layout.type_name = index_search_slowlog +appender.index_search_slowlog_rolling.layout.esmessagefields=message,took,took_millis,total_hits,types,stats,search_type,total_shards,source,id + +appender.index_search_slowlog_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs\ + .cluster_name}_index_search_slowlog-%i.json.gz +appender.index_search_slowlog_rolling.policies.type = Policies +appender.index_search_slowlog_rolling.policies.size.type = SizeBasedTriggeringPolicy +appender.index_search_slowlog_rolling.policies.size.size = 1GB +appender.index_search_slowlog_rolling.strategy.type = DefaultRolloverStrategy +appender.index_search_slowlog_rolling.strategy.max = 4 +################################################# +######## Search slowlog - old style pattern #### +appender.index_search_slowlog_rolling_old.type = RollingFile +appender.index_search_slowlog_rolling_old.name = index_search_slowlog_rolling_old +appender.index_search_slowlog_rolling_old.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}\ + _index_search_slowlog.log +appender.index_search_slowlog_rolling_old.layout.type = PatternLayout +appender.index_search_slowlog_rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n + +appender.index_search_slowlog_rolling_old.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}\ + _index_search_slowlog-%i.log.gz +appender.index_search_slowlog_rolling_old.policies.type = Policies +appender.index_search_slowlog_rolling_old.policies.size.type = SizeBasedTriggeringPolicy +appender.index_search_slowlog_rolling_old.policies.size.size = 1GB +appender.index_search_slowlog_rolling_old.strategy.type = DefaultRolloverStrategy 
+appender.index_search_slowlog_rolling_old.strategy.max = 4 +################################################# +logger.index_search_slowlog_rolling.name = index.search.slowlog +logger.index_search_slowlog_rolling.level = trace +logger.index_search_slowlog_rolling.appenderRef.index_search_slowlog_rolling.ref = index_search_slowlog_rolling +logger.index_search_slowlog_rolling.appenderRef.index_search_slowlog_rolling_old.ref = index_search_slowlog_rolling_old +logger.index_search_slowlog_rolling.additivity = false + +######## Indexing slowlog JSON ################## +appender.index_indexing_slowlog_rolling.type = RollingFile +appender.index_indexing_slowlog_rolling.name = index_indexing_slowlog_rolling +appender.index_indexing_slowlog_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}\ + _index_indexing_slowlog.json +appender.index_indexing_slowlog_rolling.layout.type = ESJsonLayout +appender.index_indexing_slowlog_rolling.layout.type_name = index_indexing_slowlog +appender.index_indexing_slowlog_rolling.layout.esmessagefields=message,took,took_millis,doc_type,id,routing,source + +appender.index_indexing_slowlog_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}\ + _index_indexing_slowlog-%i.json.gz +appender.index_indexing_slowlog_rolling.policies.type = Policies +appender.index_indexing_slowlog_rolling.policies.size.type = SizeBasedTriggeringPolicy +appender.index_indexing_slowlog_rolling.policies.size.size = 1GB +appender.index_indexing_slowlog_rolling.strategy.type = DefaultRolloverStrategy +appender.index_indexing_slowlog_rolling.strategy.max = 4 +################################################# +######## Indexing slowlog - old style pattern ## +appender.index_indexing_slowlog_rolling_old.type = RollingFile +appender.index_indexing_slowlog_rolling_old.name = index_indexing_slowlog_rolling_old +appender.index_indexing_slowlog_rolling_old.fileName = 
${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}\ + _index_indexing_slowlog.log +appender.index_indexing_slowlog_rolling_old.layout.type = PatternLayout +appender.index_indexing_slowlog_rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n + +appender.index_indexing_slowlog_rolling_old.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}\ + _index_indexing_slowlog-%i.log.gz +appender.index_indexing_slowlog_rolling_old.policies.type = Policies +appender.index_indexing_slowlog_rolling_old.policies.size.type = SizeBasedTriggeringPolicy +appender.index_indexing_slowlog_rolling_old.policies.size.size = 1GB +appender.index_indexing_slowlog_rolling_old.strategy.type = DefaultRolloverStrategy +appender.index_indexing_slowlog_rolling_old.strategy.max = 4 +################################################# + +logger.index_indexing_slowlog.name = index.indexing.slowlog.index +logger.index_indexing_slowlog.level = trace +logger.index_indexing_slowlog.appenderRef.index_indexing_slowlog_rolling.ref = index_indexing_slowlog_rolling +logger.index_indexing_slowlog.appenderRef.index_indexing_slowlog_rolling_old.ref = index_indexing_slowlog_rolling_old +logger.index_indexing_slowlog.additivity = false diff --git a/deployment/elk/config-elk/elasticsearch/elastic.env b/deployment/elk/config-elk/elasticsearch/elastic.env new file mode 100644 index 000000000..cff43da64 --- /dev/null +++ b/deployment/elk/config-elk/elasticsearch/elastic.env 
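Review bot: Every JSON appender in this file uses `layout.type = ESJsonLayout` and the header URL says it was copied from the 7.4 distribution, but `deployment/.env` pins `ELK_VERSION=8.13.12`; as far as I know ESJsonLayout was removed in Elasticsearch 8.0 in favour of `ECSJsonLayout`, so a node started with this configuration would fail during log4j2 initialisation rather than log. Rather than patching the layout names one by one, copy `config/log4j2.properties` from the 8.13 distribution into the build context and re-apply only the local changes. Also worth a comment: `logger.action.level = debug` makes every action execution error land in the server log, which is noisy on a staging node.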
@@ -0,0 +1,16 @@
+cluster.name=opendmp-cluster
+bootstrap.memory_lock=true
+xpack.license.self_generated.type=basic
+xpack.monitoring.collection.enabled=true
+xpack.ml.enabled=false
+xpack.security.enabled=true
+xpack.security.http.ssl.enabled=true
+xpack.security.http.ssl.verification_mode=certificate
+xpack.security.http.ssl.key=/usr/share/elasticsearch/config/certificates/elasticsearch/elasticsearch.key
+xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/certificates/ca/ca.crt
+xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/certificates/elasticsearch/elasticsearch.crt
+xpack.security.transport.ssl.enabled=true
+xpack.security.transport.ssl.verification_mode=certificate
+xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/certificates/ca/ca.crt
+xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/certificates/elasticsearch/elasticsearch.crt
+xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/certificates/elasticsearch/elasticsearch.key
\ No newline at end of file
diff --git a/deployment/elk/config-elk/kibana/certificates/ca/ca.crt b/deployment/elk/config-elk/kibana/certificates/ca/ca.crt
new file mode 100644
index 000000000..0acb12315
--- /dev/null
+++ b/deployment/elk/config-elk/kibana/certificates/ca/ca.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSTCCAjGgAwIBAgIUXMpiJCPQnPeOHA1FjYo12FaHO1UwDQYJKoZIhvcNAQEL
+BQAwNDEyMDAGA1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5l
+cmF0ZWQgQ0EwHhcNMTkwOTAzMTUyMDM1WhcNMjIwOTAyMTUyMDM1WjA0MTIwMAYD
+VQQDEylFbGFzdGljIENlcnRpZmljYXRlIFRvb2wgQXV0b2dlbmVyYXRlZCBDQTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI1ci/DoagopzxemkP21UmnP
+wv2Yoo267y6CR/okrT3a0lARDjPl28YaNsEQ2skAnPu3gNqqDWW9j1aWEtWwNuEA
+PudVCdc6irgFEbPlwU6Dh05LVB99FCw70UKM5G4CSH7gMQvzPcvjJT4ROKoDCh3W
+I+pWYqhqU9xEiMzwsPdC2uy2Om2I0bZ2A03WmMr8Ts58qmBqVOMBLIY008jFetj7
+ZH67WDT92pqfG9/xRKH9ELdZNlNw/2fSTb4KBek06MZIzPkHk0iMhw7bMLwEYyDy
+J14Rym4Up9akgr8J6XwyACek5oht1lQlJjYhUuf2ZSzVJ54LhYoTGg1ybYT9qx8C
+AwEAAaNTMFEwHQYDVR0OBBYEFAxdsx3VcEsMaPWe7GvbyHOEnftTMB8GA1UdIwQY
+MBaAFAxdsx3VcEsMaPWe7GvbyHOEnftTMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggEBADltg11WpSg0tYVXrAowySy68CkcK9t/XYioeRYRAvfSD5mB
+ONMFegqwJVqUzu6HbxkhpVBf/JykGqSkf0Cu5BRUYT7A+egpDNAPAIa1/SbSchjP
+mbFMbpLRXFfP60xqgVem0C5wKcMEFFg+0YRDkSf/232aCwb0sS63V52ssmnEDN6v
+k4Cn2k/MZjAi/seWNnphaTyU71Eu3ObftIpOGc4ZJ875KiUZQtCXrP36QICUdFAM
+ay+z2gEVQQE2zKbtaEeE0Sxyas9eRnGHXzbx/yoz706lME9QmzPmcvfVlHQH8N/o
+2nU+I07j6TDoHn/WRIgbWR0jrWv0hlTqzxOyCDM=
+-----END CERTIFICATE-----
diff --git a/deployment/elk/config-elk/kibana/certificates/kibana.crt b/deployment/elk/config-elk/kibana/certificates/kibana.crt
new file mode 100644
index 000000000..ae8d7a7c5
--- /dev/null
+++ b/deployment/elk/config-elk/kibana/certificates/kibana.crt
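Review bot: The validity fields of this CA certificate (the `cmF0ZWQgQ0EwHhcNMTkwOTAzMTUyMDM1WhcNMjIwOTAyMTUyMDM1` run) decode to notBefore 2019-09-03 and notAfter 2022-09-02, so if that decoding is right the trust root was already expired when it was committed and Kibana's `elasticsearch.ssl.certificateAuthorities` validation against it would likely fail at startup; the `kibana.crt` added in the next hunk carries the same dates, and the `keycloak-selfsigned.crt` hunk further down decodes to 2020-11-27 through 2021-11-27. The subject also decodes to the Elastic Certificate Tool's autogenerated CA, which is meant for throwaway dev clusters rather than a checked-in staging deployment. Generating the CA and leaf certificates at deploy time (elasticsearch-certutil or the deployment's own PKI) and mounting them, instead of committing them, removes both the expiry problem and a trust root that every clone of the repository now shares.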
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDUjCCAjqgAwIBAgIUKTnOSL0Rtnm8ZQkfSUvpQiBNGnMwDQYJKoZIhvcNAQEL
+BQAwNDEyMDAGA1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5l
+cmF0ZWQgQ0EwHhcNMTkwOTAzMTUyMDM1WhcNMjIwOTAyMTUyMDM1WjAYMRYwFAYD
+VQQDEw1lbGFzdGljc2VhcmNoMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAkB1OMRBRUDUxQ6fIv5gv0myKDZgVJFnEEjIjU6YjMpf/htTsvu8zdpBoWhg6
+7IsflSkUPynDG4geFjQ/WtxVeqxjnmtIB2fMDAHppX882as3tYjBlHj1sU0/OwwI
+Ga5/OtxOubGswrzCEEjIgZwTtSX2Yzx3tE2UzwjWsYwGCBM/ssN8Wc1vlqq20+Qr
+Lsggk+dXapN2wL9FABrxrJfV2SxXb2qKLKVd3EIfs+HVqIt9dVrpcFRV3Lwexg+Z
+wlJv58EPsynphczssBhMOhlmVqpRY8z88fqsbqDVdqHIF8hqn7czWFqeCRldnb7W
+LWaYaOG0Jd6SM7OpHnfNgBST4wIDAQABo3gwdjAdBgNVHQ4EFgQUCkDAcWSJ6H2G
+UFFh9dhk+mG0L08wHwYDVR0jBBgwFoAUDF2zHdVwSwxo9Z7sa9vIc4Sd+1MwKQYD
+VR0RBCIwIIIJbG9jYWxob3N0hwR/AAABgg1lbGFzdGljc2VhcmNoMAkGA1UdEwQC
+MAAwDQYJKoZIhvcNAQELBQADggEBAAQpkdkGl2H0ylgbmmNiIlrQX+U2i4ag4sJ6
+xsVR5OWxuyB/aMWhuOHkgueMh2wElufn60jK0Mh25b2U7oO/0Nq+28rhhP9HURLz
+7/TwCbLcglTAgHQPWItwn5r5WKDFNCPNpZXFU/oG5H6hUJqTvuaTN6G/PQ6V9Yp3
+J00NbPuFq8tjNAc/kQnhC7zdC/7YQ/fanHBPkvQnkGbac5+VAF/se/JYbxRpSz23
+5a+v6BDb/kjs82QgV8dzsyFmntO+Neesu9tTJurBbQD5T3xMgoGSWLgnTCq3/drl
+PMBLgUQHik629dU+7o8ePCdyULruGMR6CIBqO7ZKQASulhkxdUo=
+-----END CERTIFICATE-----
diff --git a/deployment/elk/config-elk/kibana/certificates/kibana.key b/deployment/elk/config-elk/kibana/certificates/kibana.key
new file mode 100644
index 000000000..93418fad0
--- /dev/null
+++ b/deployment/elk/config-elk/kibana/certificates/kibana.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAkB1OMRBRUDUxQ6fIv5gv0myKDZgVJFnEEjIjU6YjMpf/htTs
+vu8zdpBoWhg67IsflSkUPynDG4geFjQ/WtxVeqxjnmtIB2fMDAHppX882as3tYjB
+lHj1sU0/OwwIGa5/OtxOubGswrzCEEjIgZwTtSX2Yzx3tE2UzwjWsYwGCBM/ssN8
+Wc1vlqq20+QrLsggk+dXapN2wL9FABrxrJfV2SxXb2qKLKVd3EIfs+HVqIt9dVrp
+cFRV3Lwexg+ZwlJv58EPsynphczssBhMOhlmVqpRY8z88fqsbqDVdqHIF8hqn7cz
+WFqeCRldnb7WLWaYaOG0Jd6SM7OpHnfNgBST4wIDAQABAoIBACRGPBg9czotKWlO
+IkmXlPHyQA2L6kZsEd5CoIG9n75sY/UcQzsMGngNgTasQqinnBt/a4k6idG0QV51
+aD0GmL14BtspRcgXaFTdZmIx1K81WaBn+9HTYIRwXSoPrTpJody+91HmVwXtXSuc
+Jlv5XTyLgakY30iS/pHeN6wZAqulS7p6DkCH+W3c15BvNYnsjDX5vYZLgmktNl62
+LoHymTt54rLhxheZiwFeiHePsl9IanvnDEjCl2jBFnFB402NeapTex84ZnOgPYEV
+5w81MUYMeLy1aaziWEICPP1TU62T2oYKUFC1kQKUgCYp3t1UUkLsF6KfybJ+baMs
++Nm5IQECgYEAzy4kQ9wo2x+3teQgMR+QLIN2cgfDCgI1BXUzhIr607kpo6F12Jf0
+zT5sC+9OzSPh3dPkyvnWtg2K3ld3L+ATqGvpWC42OgSI0HK6rnfL8Q3cYld8KLwn
+C8lbSQuDFo+hMJoGU7V+QTXM8j1e+2KoxgwGfceeiwql5GpqqcHFSJkCgYEAshLP
+QYOBaimhOlY1m1B9YgXrgNKoj66njhHJLTD9rD4BvMsntGo8UaBrZxpcQKaDO778
+UtuRPM8Pfrg2Q2fR6SHAydoQpiGQ0XrkUXNmh3v9YOBlFzdg1PhKSCRZRv75KjnC
+Z4jyL8GVYMhB+vWl/bQJO5o5YYHR7OdJCs8p4dsCgYEAnTQl0Ff9qEco3pt60cth
+WmVmOqApHi8OjFWiAbBzIrQdJEwfX3nuBs6WrXeoE4BmoitmL53jjcA43vz/MxST
+1fgL1x05iExog8KKZFgCJ6ac0wIO89nQxuDCo2pYzYWuiXJV2q6cXl60ZBqtN5Jk
+/eGiC06svlQWDHuy85xUVgECgYEAm8jk1FWtxCiDSjvdTfEOn9C6BMtGd9y97QYW
+T5jKdAMTFg1MwQMnnemPzHU9O7nwmTYuHHbGCsLCtYOGxVVwSFolBPHnGs/Gl9zB
+HZitm92W/0eQaM0jw20r3w0dpYSuiohZUKZ36dubST4oqtp4ywjUAvabOHiQJIb6
+WaB+7X0CgYEAptNxensUEn+hSKfMVCxS36U1QL2njRfGiCfqVHVOKeu6+oLB4N/N
+0mZngesMGV1HxzYivwkXW07U0drgfqv+iHBIF5HYRM6PkFNpop6PJAlVpFaATx0s
+tDvtrcmgz3hunhHURvr/VlXcGuYo4mpySPhHDTeF6Ad/9Ml16vO7uW0=
+-----END RSA PRIVATE KEY-----
diff --git a/deployment/elk/config-elk/kibana/config/kibana.yml b/deployment/elk/config-elk/kibana/config/kibana.yml
new file mode 100644
index 000000000..be65ad19c
--- /dev/null
+++ b/deployment/elk/config-elk/kibana/config/kibana.yml
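Review bot: This hunk commits an unencrypted RSA private key to the repository, and the `keycloak-selfsigned.key` hunk further down does the same; once a key is in git history it has to be treated as disclosed no matter what a later commit removes, so both pairs should be regenerated and the committed ones never deployed. The modulus prefix `kB1OMRBRUDUxQ6fIv5gv0myKDZgVJFnEEjIjU6YjMpf/htTs` matches the certificate in the preceding hunk, whose subject and SAN decode to `CN=elasticsearch` with `localhost`, `127.0.0.1` and `elasticsearch`, so despite the `kibana.key`/`kibana.crt` file names this appears to be the Elasticsearch node key rather than a Kibana server key — worth confirming which service is meant to present it. The usual shape is to generate the key at deploy time (or hold it in a secret store) and mount it into the container, with a `.gitignore` entry such as `deployment/**/*.key` so it cannot be re-added by accident.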
@@ -0,0 +1,15 @@
+---
+## Default Kibana configuration from kibana-docker.
+## from https://github.com/elastic/kibana-docker/blob/master/build/kibana/config/kibana.yml
+#
+server.name: opendmp.kibana
+server.host: "0.0.0.0"
+## Custom configuration
+elasticsearch.hosts: [ "https://opendmp.elasticsearch:9200" ]
+elasticsearch.ssl.certificateAuthorities: [ "/usr/share/kibana/certificate_authorities/ca.crt" ]
+
+elasticsearch.username: "kibana"
+elasticsearch.password: "2VzNck1n3uCed9d27wHn"
+server.ssl.enabled: false
+server.ssl.key: "/usr/share/kibana/certificates/kibana.key"
+server.ssl.certificate: "/usr/share/kibana/certificates/kibana.crt"
diff --git a/deployment/elk/elasticsearch/Dockerfile b/deployment/elk/elasticsearch/Dockerfile
new file mode 100644
index 000000000..75a663384
--- /dev/null
+++ b/deployment/elk/elasticsearch/Dockerfile
@@ -0,0 +1,18 @@
+ARG ELK_VERSION
+ARG DEPLOY_USER
+
+# https://github.com/elastic/elasticsearch-docker
+FROM docker.elastic.co/elasticsearch/elasticsearch:${ELK_VERSION}
+
+RUN /usr/share/elasticsearch/bin/elasticsearch-plugin install analysis-icu && \
+ /usr/share/elasticsearch/bin/elasticsearch-plugin install analysis-phonetic
+USER root
+RUN groupmod -g ${DEPLOY_USER} elasticsearch
+RUN usermod -u ${DEPLOY_USER} -g ${DEPLOY_USER} elasticsearch
+RUN chown -R elasticsearch /usr/share/elasticsearch
+RUN sed -i -e 's/--userspec=1000/--userspec=${DEPLOY_USER}/g' \
+ -e 's/UID 1000/UID ${DEPLOY_USER}/' \
+ -e 's/chown -R 1000/chown -R ${DEPLOY_USER}/' /usr/local/bin/docker-entrypoint.sh
+RUN chown elasticsearch /usr/local/bin/docker-entrypoint.sh
+
+ENV JAVA_HOME /usr/share/elasticsearch/jdk
\ No newline at end of file
diff --git a/deployment/elk/filebeat/Dockerfile b/deployment/elk/filebeat/Dockerfile
new file mode 100644
index 000000000..7c3d5e6f5
--- /dev/null
+++ b/deployment/elk/filebeat/Dockerfile
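Review bot: `elasticsearch.password: "2VzNck1n3uCed9d27wHn"` puts the Kibana system user's credential into a committed file; read it from the environment instead, `elasticsearch.password: "${ELASTICSEARCH_PASSWORD}"` (Kibana expands `${VAR}` references in kibana.yml), and rotate the value now sitting in history together with the Elasticsearch user it belongs to. Separately, `server.ssl.enabled: false` combined with `server.host: "0.0.0.0"` means Kibana itself answers in plaintext on every interface even though `server.ssl.key` and `server.ssl.certificate` are configured right below; if TLS is terminated at the proxy that is acceptable, but a comment such as `# TLS terminated by the reverse proxy; server.ssl.* kept for direct-access setups` would stop the two lines below from reading as if they were in effect.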
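Review bot: The three sed expressions wrap `${DEPLOY_USER}` in single quotes, so the shell leaves it unexpanded at build time and the literal text `${DEPLOY_USER}` is written into docker-entrypoint.sh; because `ARG` values are not carried into the running container, the entrypoint then expands it to an empty string at run time unless the same variable is also injected into the container environment, producing `--userspec=` and `chown -R ` with no id. The filebeat and logstash Dockerfiles in the next hunk avoid this only because they hard-code `1008`. Use double quotes so the substitution happens during the build: `RUN sed -i -e "s/--userspec=1000/--userspec=${DEPLOY_USER}/g" \`, `    -e "s/UID 1000/UID ${DEPLOY_USER}/" \`, `    -e "s/chown -R 1000/chown -R ${DEPLOY_USER}/" /usr/local/bin/docker-entrypoint.sh`. Note also that `groupmod -g` and `usermod -u` take a numeric id, so the build fails if DEPLOY_USER is supplied as a user name rather than a uid.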
@@ -0,0 +1,14 @@
+ARG ELK_VERSION
+
+FROM docker.elastic.co/beats/filebeat:${ELK_VERSION}
+
+USER root
+RUN groupmod -g 1008 filebeat
+RUN usermod -u 1008 -g 1008 filebeat
+RUN chown -R filebeat /usr/share/filebeat
+RUN sed -i -e 's/--userspec=1000/--userspec=1008/g' \
+ -e 's/UID 1000/UID 1008/' \
+ -e 's/chown -R 1000/chown -R 1008/' /usr/local/bin/docker-entrypoint
+RUN chown filebeat /usr/local/bin/docker-entrypoint
+
+USER 1008:1008
\ No newline at end of file
diff --git a/deployment/elk/kibana/Dockerfile b/deployment/elk/kibana/Dockerfile
new file mode 100644
index 000000000..e1148d762
--- /dev/null
+++ b/deployment/elk/kibana/Dockerfile
@@ -0,0 +1,14 @@
+ARG ELK_VERSION
+
+# https://github.com/elastic/kibana-docker
+FROM docker.elastic.co/kibana/kibana:${ELK_VERSION}
+
+USER root
+RUN groupmod -g 1008 kibana
+RUN usermod -u 1008 -g 1008 kibana
+RUN chown -R kibana /usr/share/kibana
+
+USER 1008:1008
+
+# Add your kibana plugins setup here
+# Example: RUN kibana-plugin install
diff --git a/deployment/elk/logstash/Dockerfile b/deployment/elk/logstash/Dockerfile
new file mode 100644
index 000000000..ff9179adc
--- /dev/null
+++ b/deployment/elk/logstash/Dockerfile
@@ -0,0 +1,19 @@
+ARG ELK_VERSION
+
+# https://github.com/elastic/logstash-docker
+FROM docker.elastic.co/logstash/logstash:${ELK_VERSION}
+
+USER root
+RUN groupmod -g 1008 logstash
+RUN usermod -u 1008 -g 1008 logstash
+RUN chown -R logstash /usr/share/logstash
+RUN sed -i -e 's/--userspec=1000/--userspec=1008/g' \
+ -e 's/UID 1000/UID 1008/' \
+ -e 's/chown -R 1000/chown -R 1008/' /usr/local/bin/docker-entrypoint
+RUN chown logstash /usr/local/bin/docker-entrypoint
+
+USER 1008:1008
+
+# Add your logstash plugins setup here
+# Example: RUN logstash-plugin install logstash-filter-json
+RUN logstash-plugin update logstash-input-beats
\ No newline at end of file
diff --git a/deployment/gotenberg/gotenberg.env b/deployment/gotenberg/gotenberg.env
new file mode 100644
index 000000000..54edddab2
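Review bot: In the logstash Dockerfile, `RUN logstash-plugin update logstash-input-beats` fetches whatever plugin release is current at build time, so two builds of the same `ELK_VERSION` can contain different code and the image cannot be reproduced or audited against a known plugin version; pin it, `RUN logstash-plugin install --version <pinned-plugin-version> logstash-input-beats`, with the version recorded beside `ELK_VERSION`, or drop the line, since the base image already ships the beats input. In both this hunk and the filebeat one the `sed -i` patch of `/usr/local/bin/docker-entrypoint` succeeds silently when the `--userspec=1000`, `UID 1000` or `chown -R 1000` strings are absent from the pinned image's entrypoint, so an unpatched entrypoint would go unnoticed until the container runs as the wrong uid; a follow-up `RUN grep -q 'userspec=1008' /usr/local/bin/docker-entrypoint` would fail the build instead.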
--- /dev/null
+++ b/deployment/gotenberg/gotenberg.env
@@ -0,0 +1,4 @@
+DEFAULT_WAIT_TIMEOUT=40
+MAXIMUM_WAIT_DELAY=40
+MAXIMUM_WAIT_TIMEOUT=40
+DISABLE_GOOGLE_CHROME=1
\ No newline at end of file
diff --git a/deployment/keycloak/certs/keycloak-selfsigned.crt b/deployment/keycloak/certs/keycloak-selfsigned.crt
new file mode 100644
index 000000000..71b5cdf87
--- /dev/null
+++ b/deployment/keycloak/certs/keycloak-selfsigned.crt
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDvzCCAqegAwIBAgIUL9YHiVgQxrFPSGq4nMe6KbMznaowDQYJKoZIhvcNAQEL
+BQAwbzELMAkGA1UEBhMCR1IxDzANBgNVBAgMBkF0dGljYTEPMA0GA1UEBwwGQXRo
+ZW5zMQwwCgYDVQQKDANOTEcxDjAMBgNVBAsMBU9TRFlFMSAwHgYDVQQDDBdubGct
+b3NkeWUubG9jYWwuY2l0ZS5ncjAeFw0yMDExMjcxODMzNTJaFw0yMTExMjcxODMz
+NTJaMG8xCzAJBgNVBAYTAkdSMQ8wDQYDVQQIDAZBdHRpY2ExDzANBgNVBAcMBkF0
+aGVuczEMMAoGA1UECgwDTkxHMQ4wDAYDVQQLDAVPU0RZRTEgMB4GA1UEAwwXbmxn
+LW9zZHllLmxvY2FsLmNpdGUuZ3IwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCYsoKFVSg67/NckladOuqFDeJWMYOYa1MhMTCpLL5UksoYM+BiKbWvXmRH
+AGZAjIO2sGf6vTFO7SN6LdjCRRqJfS9zQVKHZKUdvfxkGnPaAIqWAwQkM4fFUlZF
+e5jsGd7owCoEEFAirJpz53z27Xa0En5CLSI5eLGBqLNz31zi1Rdh5BPLAtgLGEoS
+kOhlDXwgGtTmBAS82sXRr51J6DQr5stKsN68+DCwJiY6GU3Kun2Kyl+bepkEtHLM
+SOxe5Du3F93kC4TwFckG+JSLrq8neXNbyoBOLYNxPzAGLg9vmD7nX02hFfONdX5p
+zeGMD+0oyujL0HtH8nKkv9OtvYP1AgMBAAGjUzBRMB0GA1UdDgQWBBTrvPpWYBX6
+spVt2gpkpDW6yzrBZzAfBgNVHSMEGDAWgBTrvPpWYBX6spVt2gpkpDW6yzrBZzAP
+BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAqfOJiorxiszfKKeD2
+eVda5pBU+qDnUOewRKizAktPm7V+cjM7bTEkmEHQ/oKlsT0FX5nsa8YfZCYgdotd
+cDWC9KqYy9itXPESoJIZ/gMJ57v1BaVDly8tHedXEltob9ywrUyf7OF55eP0fWwb
+AK90PfnRsxaurVYU5nfI9U/2jpi/LdsEYlJ7zUj7KM/Z2MwPA+be4EqjNcYLT/NB
+bavhjLgZNoTkI7wYOJug+ouPn6xJJcj06RS1Q4FxtfrsnAuT+L33HemUludEUE00
+TJwYWJN9hOgbyzTf5EsHxxME1gIhcYLYPMeBr9VIyJxdAEuuDJbn87oOB094sCA+
+nvpp
+-----END CERTIFICATE-----
diff --git a/deployment/keycloak/certs/keycloak-selfsigned.key b/deployment/keycloak/certs/keycloak-selfsigned.key
new file mode 100644
index 000000000..649f42b0a
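Review bot: `DEFAULT_WAIT_TIMEOUT`, `MAXIMUM_WAIT_TIMEOUT`, `MAXIMUM_WAIT_DELAY` and `DISABLE_GOOGLE_CHROME` are the environment-variable settings of Gotenberg 6; from Gotenberg 7 onward the service is configured through command-line flags and, as far as I can tell, ignores these variables without any warning, so if the compose file runs a 7.x or 8.x image the 40-second conversion bound this file intends is not applied and a slow or hostile document is limited only by the defaults. Worth confirming against the image tag actually deployed; for a newer release the equivalent settings belong on the container command (`--api-timeout` and the Chromium module flags) rather than in this env file, and a one-line comment here naming the Gotenberg major version these variables target would prevent the same confusion on the next upgrade.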
--- /dev/null
+++ b/deployment/keycloak/certs/keycloak-selfsigned.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCYsoKFVSg67/Nc
+kladOuqFDeJWMYOYa1MhMTCpLL5UksoYM+BiKbWvXmRHAGZAjIO2sGf6vTFO7SN6
+LdjCRRqJfS9zQVKHZKUdvfxkGnPaAIqWAwQkM4fFUlZFe5jsGd7owCoEEFAirJpz
+53z27Xa0En5CLSI5eLGBqLNz31zi1Rdh5BPLAtgLGEoSkOhlDXwgGtTmBAS82sXR
+r51J6DQr5stKsN68+DCwJiY6GU3Kun2Kyl+bepkEtHLMSOxe5Du3F93kC4TwFckG
++JSLrq8neXNbyoBOLYNxPzAGLg9vmD7nX02hFfONdX5pzeGMD+0oyujL0HtH8nKk
+v9OtvYP1AgMBAAECggEAajxoCpPAtaCT1GgL0sBWwdNzETzJrZWd9I3gqRL0KKsn
+58bP6fvS5/voEG36thYM3WHGNfDDCYJ7GFolYKPrXpS2Gp3r6T7gkdzIaGzvBVEz
+GkNm8jjX0TUDyLvBHSKyr4RitwkSd81WeCUqEDIOUCI9rZTxJsMN3IOetpNEcJt1
+xR2kVuTkQiIs5evQCQ2arqTf/VQFb7FuVTtmrOggsTn33FnrUDujTAAsbEoglgvw
+w1A2AYtMdGcrFIsUMJFdECkQGPVeqzKHddi1k1hv3DmOx5Rf4xJCdTL9ZYzbU1lw
+ydSAM88UA7MTZWNYCGb4HjqEeDRnMUN/Qbi4f80PgQKBgQDKWLxsCBBgFRoH6nlh
+TmBwYOmdQkBE09txpcpAFVZVv3eq/syZnT5+pcyj7EUexhu/p78UHPPkXDfnIKKe
+C+7VOEmSM9cPMZU6cqB1x4+YZkyiU1rPD2SG46ZxBBTKsPWauJNvtuhW3K6kwMCT
+ECiwG1f9EAmf9q7YKqdXGgUL3QKBgQDBL5WDIRtqHBdIPgHMue/teM+fP8I0/GKV
+D3oJjBLE+I7JNp0lpeVhDvqfAL0AgZ5023hjlPobUNtpWyuLufzY6S2Pv1scyM3A
+xW/LVXtC7QzdPmhrPxZkHEmRFA1zXdYo0xH4O+KDXVmYuzpIPfgrQkzt1EvP5jxv
+tbjY935C+QKBgHZhr+rsVNhBwDb9YQIi3p0gtcyBZCRgZjR5MHiJgzcri5GI/J6q
+tlNWIQGOS2oTsUxRkaLsxWvG4BXirAEXLiWkhrZ4icuj0JCfW21M0Z/xycf2SFx3
+vvKD4W6hWqCzIx3f+rITKp8XAT32XzQq8gMGHFY7ucXShryFR93XpTgpAoGALaAF
+WaDaDqdvwDoUxrsrNRSRRHUUctsglT/AfLy+OhLR9ieV2axijhexjRfpi1MRj1u+
+BRbMMuNXznwfvrJASyJXBloVNKkgHuUCUC1yHQ5LOX1hv+J4cVBU95Sa0KJaz+15
+kvzhtFC5tl6Rlzo7gEv6SzkWZpVjtKZgb62T/lECgYBr6PyDcGVGc8rbjxugnUnm
+rShh7nMRUiTMLpWrucf7Mfr4cwFgejCoEMXPgxJF5Q1acppL0dKQzfmLVqazNX58
+0XM0+fNDIeGyYKAbqtnqfmyI7O/Lb1jXPFuCNujzDxfeJX0yxoo38US4ZCD2iUrW
+ZK/FFkm5ncXTenBhpHOANQ==
+-----END PRIVATE KEY-----
diff --git a/deployment/keycloak/imports/opendmp-realm.json b/deployment/keycloak/imports/opendmp-realm.json
new file mode 100644
index 000000000..aff096da3
--- /dev/null
+++ b/deployment/keycloak/imports/opendmp-realm.json 
@@ -0,0 +1,3368 @@ +{ + "id": "8ca42ab4-2c36-4f48-b25e-7d96a00cbc1c", + "realm": "OpenDMP", + "displayName": "", + "displayNameHtml": "", + "notBefore": 0, + "defaultSignatureAlgorithm": "RS256", + "revokeRefreshToken": false, + "refreshTokenMaxReuse": 0, + "accessTokenLifespan": 300, + "accessTokenLifespanForImplicitFlow": 900, + "ssoSessionIdleTimeout": 1800, + "ssoSessionMaxLifespan": 36000, + "ssoSessionIdleTimeoutRememberMe": 0, + "ssoSessionMaxLifespanRememberMe": 0, + "offlineSessionIdleTimeout": 2592000, + "offlineSessionMaxLifespanEnabled": false, + "offlineSessionMaxLifespan": 5184000, + "clientSessionIdleTimeout": 0, + "clientSessionMaxLifespan": 0, + "clientOfflineSessionIdleTimeout": 0, + "clientOfflineSessionMaxLifespan": 0, + "accessCodeLifespan": 60, + "accessCodeLifespanUserAction": 300, + "accessCodeLifespanLogin": 1800, + "actionTokenGeneratedByAdminLifespan": 43200, + "actionTokenGeneratedByUserLifespan": 300, + "oauth2DeviceCodeLifespan": 600, + "oauth2DevicePollingInterval": 5, + "enabled": true, + "sslRequired": "external", + "registrationAllowed": false, + "registrationEmailAsUsername": false, + "rememberMe": false, + "verifyEmail": true, + "loginWithEmailAllowed": true, + "duplicateEmailsAllowed": false, + "resetPasswordAllowed": false, + "editUsernameAllowed": false, + "bruteForceProtected": false, + "permanentLockout": false, + "maxTemporaryLockouts": 0, + "maxFailureWaitSeconds": 900, + "minimumQuickLoginWaitSeconds": 60, + "waitIncrementSeconds": 60, + "quickLoginCheckMilliSeconds": 1000, + "maxDeltaTimeSeconds": 43200, + "failureFactor": 30, + "roles": { + "realm": [ + { + "id": "c7dcf3a3-1974-42a2-82d7-e3cb37be8467", + "name": "uma_authorization", + "description": "${role_uma_authorization}", + "composite": false, + "clientRole": false, + "containerId": "8ca42ab4-2c36-4f48-b25e-7d96a00cbc1c", + "attributes": {} + }, + { + "id": "ea1273c9-d2bc-49bb-8c92-fe0dcbd9cc31", + "name": "default-roles-dmp-staging", + "description": 
"${role_default-roles}", + "composite": true, + "composites": { + "realm": [ + "offline_access", + "uma_authorization" + ], + "client": { + "account": [ + "manage-account", + "view-profile" + ] + } + }, + "clientRole": false, + "containerId": "8ca42ab4-2c36-4f48-b25e-7d96a00cbc1c", + "attributes": {} + }, + { + "id": "cf094a74-edef-42dd-94e6-e4dd090a657d", + "name": "Admin", + "description": "", + "composite": false, + "clientRole": false, + "containerId": "8ca42ab4-2c36-4f48-b25e-7d96a00cbc1c", + "attributes": {} + }, + { + "id": "9067ecb6-e0fa-4ba9-95d9-8b4f2a7bf2a9", + "name": "User", + "description": "", + "composite": false, + "clientRole": false, + "containerId": "8ca42ab4-2c36-4f48-b25e-7d96a00cbc1c", + "attributes": {} + }, + { + "id": "b43525ac-c594-42ab-89dc-9314cab33b85", + "name": "offline_access", + "description": "${role_offline-access}", + "composite": false, + "clientRole": false, + "containerId": "8ca42ab4-2c36-4f48-b25e-7d96a00cbc1c", + "attributes": {} + } + ], + "client": { + "dmp_webapp": [], + "realm-management": [ + { + "id": "599486f8-ace5-4389-9752-51f8d3059be7", + "name": "manage-authorization", + "description": "${role_manage-authorization}", + "composite": false, + "clientRole": true, + "containerId": "8094376d-fcf3-4366-a812-26301583cc98", + "attributes": {} + }, + { + "id": "ef6546e6-7910-4be8-b826-a7302241f07d", + "name": "realm-admin", + "description": "${role_realm-admin}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "manage-authorization", + "view-identity-providers", + "query-groups", + "view-events", + "manage-events", + "view-users", + "query-clients", + "manage-users", + "manage-realm", + "impersonation", + "create-client", + "query-users", + "view-realm", + "query-realms", + "view-clients", + "manage-clients", + "view-authorization", + "manage-identity-providers" + ] + } + }, + "clientRole": true, + "containerId": "8094376d-fcf3-4366-a812-26301583cc98", + "attributes": {} + }, + { + "id": 
"ecbf3dbb-1a14-4072-894d-d3d4c6ec09f8", + "name": "view-identity-providers", + "description": "${role_view-identity-providers}", + "composite": false, + "clientRole": true, + "containerId": "8094376d-fcf3-4366-a812-26301583cc98", + "attributes": {} + }, + { + "id": "297ace12-7c3c-4930-bbc6-8ebff7a0d3da", + "name": "query-groups", + "description": "${role_query-groups}", + "composite": false, + "clientRole": true, + "containerId": "8094376d-fcf3-4366-a812-26301583cc98", + "attributes": {} + }, + { + "id": "b23d1020-bfed-447c-80a0-4dc29e1c9cc0", + "name": "view-events", + "description": "${role_view-events}", + "composite": false, + "clientRole": true, + "containerId": "8094376d-fcf3-4366-a812-26301583cc98", + "attributes": {} + }, + { + "id": "7aa6617f-dc99-4205-8085-1423b2f8ada2", + "name": "manage-events", + "description": "${role_manage-events}", + "composite": false, + "clientRole": true, + "containerId": "8094376d-fcf3-4366-a812-26301583cc98", + "attributes": {} + }, + { + "id": "7769e962-d9fe-41d2-82ab-8d215ca4168b", + "name": "view-users", + "description": "${role_view-users}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "query-users", + "query-groups" + ] + } + }, + "clientRole": true, + "containerId": "8094376d-fcf3-4366-a812-26301583cc98", + "attributes": {} + }, + { + "id": "7c6a107a-70f7-4293-8fab-6a466094d741", + "name": "query-clients", + "description": "${role_query-clients}", + "composite": false, + "clientRole": true, + "containerId": "8094376d-fcf3-4366-a812-26301583cc98", + "attributes": {} + }, + { + "id": "edb5f914-a65c-4651-9412-4cd3b0382833", + "name": "manage-users", + "description": "${role_manage-users}", + "composite": false, + "clientRole": true, + "containerId": "8094376d-fcf3-4366-a812-26301583cc98", + "attributes": {} + }, + { + "id": "432d4a16-2f32-4f18-81e1-4e17cc9b9673", + "name": "impersonation", + "description": "${role_impersonation}", + "composite": false, + "clientRole": true, + "containerId": 
"8094376d-fcf3-4366-a812-26301583cc98", + "attributes": {} + }, + { + "id": "16b08c8c-efd6-4762-9df4-4478ef61cf84", + "name": "manage-realm", + "description": "${role_manage-realm}", + "composite": false, + "clientRole": true, + "containerId": "8094376d-fcf3-4366-a812-26301583cc98", + "attributes": {} + }, + { + "id": "eca529e8-6864-424c-b9fd-42a34cec434c", + "name": "create-client", + "description": "${role_create-client}", + "composite": false, + "clientRole": true, + "containerId": "8094376d-fcf3-4366-a812-26301583cc98", + "attributes": {} + }, + { + "id": "a0d68861-91d0-4cf6-8769-a702c69672d7", + "name": "query-users", + "description": "${role_query-users}", + "composite": false, + "clientRole": true, + "containerId": "8094376d-fcf3-4366-a812-26301583cc98", + "attributes": {} + }, + { + "id": "54ab46ba-c370-4bea-b333-86b30474e736", + "name": "view-realm", + "description": "${role_view-realm}", + "composite": false, + "clientRole": true, + "containerId": "8094376d-fcf3-4366-a812-26301583cc98", + "attributes": {} + }, + { + "id": "d7083f59-21b9-4d39-85f9-f3b31a8567b5", + "name": "query-realms", + "description": "${role_query-realms}", + "composite": false, + "clientRole": true, + "containerId": "8094376d-fcf3-4366-a812-26301583cc98", + "attributes": {} + }, + { + "id": "76854cd6-d964-4ca8-9df8-56ca8969f861", + "name": "view-clients", + "description": "${role_view-clients}", + "composite": true, + "composites": { + "client": { + "realm-management": [ + "query-clients" + ] + } + }, + "clientRole": true, + "containerId": "8094376d-fcf3-4366-a812-26301583cc98", + "attributes": {} + }, + { + "id": "0a240e40-f696-43ee-8f8f-d4d41e767036", + "name": "manage-clients", + "description": "${role_manage-clients}", + "composite": false, + "clientRole": true, + "containerId": "8094376d-fcf3-4366-a812-26301583cc98", + "attributes": {} + }, + { + "id": "8d85f653-e3e4-4e7a-b54c-ce2b6aa12e75", + "name": "manage-identity-providers", + "description": 
"${role_manage-identity-providers}", + "composite": false, + "clientRole": true, + "containerId": "8094376d-fcf3-4366-a812-26301583cc98", + "attributes": {} + }, + { + "id": "8e55d13c-9c40-423b-997a-90897471c327", + "name": "view-authorization", + "description": "${role_view-authorization}", + "composite": false, + "clientRole": true, + "containerId": "8094376d-fcf3-4366-a812-26301583cc98", + "attributes": {} + } + ], + "dmp_annotation": [ + { + "id": "8efa8a18-11aa-4fbf-91ea-862a7af419c8", + "name": "Admin", + "description": "", + "composite": false, + "clientRole": true, + "containerId": "e590dbb7-591d-4eca-93d1-6a349b9f0ccf", + "attributes": {} + }, + { + "id": "5147c4d0-31fd-4f42-a66d-d4ff1512477a", + "name": "User", + "description": "", + "composite": false, + "clientRole": true, + "containerId": "e590dbb7-591d-4eca-93d1-6a349b9f0ccf", + "attributes": {} + } + ], + "security-admin-console": [], + "admin-cli": [], + "dmp_plugins": [ + { + "id": "803d8611-0781-4d72-a9d5-add8e3622c5a", + "name": "app-service", + "description": "", + "composite": false, + "clientRole": true, + "containerId": "fc60067c-3b77-4172-917c-6116ac1d91af", + "attributes": {} + } + ], + "dmp_notification": [ + { + "id": "b29aa0e2-ea83-4646-9730-cd32daa315fc", + "name": "User", + "description": "", + "composite": false, + "clientRole": true, + "containerId": "01b43587-5af0-4761-a2af-e9059bc3a396", + "attributes": {} + }, + { + "id": "743d40ff-a039-4d78-8ed6-2c951426e239", + "name": "Admin", + "description": "", + "composite": false, + "clientRole": true, + "containerId": "01b43587-5af0-4761-a2af-e9059bc3a396", + "attributes": {} + } + ], + "dmp_web": [ + { + "id": "191fff97-b18b-41bd-9013-512b91fdedaf", + "name": "User", + "description": "", + "composite": false, + "clientRole": true, + "containerId": "c82150e9-a9e5-4a5f-bd0f-5f25460b3e08", + "attributes": {} + }, + { + "id": "57253b8e-69bf-44bb-950f-fbfcd4785206", + "name": "Admin", + "description": "", + "composite": false, + "clientRole": 
true, + "containerId": "c82150e9-a9e5-4a5f-bd0f-5f25460b3e08", + "attributes": {} + } + ], + "account-console": [], + "broker": [ + { + "id": "cda05d95-c7fc-4139-bbc8-b86500b41060", + "name": "read-token", + "description": "${role_read-token}", + "composite": false, + "clientRole": true, + "containerId": "79a9e8f4-f09d-4d30-bd44-3f433309c3c6", + "attributes": {} + } + ], + "account": [ + { + "id": "73b916bf-b0d9-4e87-bf15-9131d131583f", + "name": "manage-consent", + "description": "${role_manage-consent}", + "composite": true, + "composites": { + "client": { + "account": [ + "view-consent" + ] + } + }, + "clientRole": true, + "containerId": "a3291f71-8f8e-4ffe-a1b3-5e08dc93d77f", + "attributes": {} + }, + { + "id": "387e5e06-fbf9-467d-9364-b28d95fe7c83", + "name": "view-consent", + "description": "${role_view-consent}", + "composite": false, + "clientRole": true, + "containerId": "a3291f71-8f8e-4ffe-a1b3-5e08dc93d77f", + "attributes": {} + }, + { + "id": "3fb552e7-43b5-48da-a740-d113478cd0e8", + "name": "view-applications", + "description": "${role_view-applications}", + "composite": false, + "clientRole": true, + "containerId": "a3291f71-8f8e-4ffe-a1b3-5e08dc93d77f", + "attributes": {} + }, + { + "id": "078f56b7-3943-4c14-b420-9ece9b2dbe43", + "name": "view-groups", + "description": "${role_view-groups}", + "composite": false, + "clientRole": true, + "containerId": "a3291f71-8f8e-4ffe-a1b3-5e08dc93d77f", + "attributes": {} + }, + { + "id": "0a36d427-1013-4168-a802-a4a5b470e6cd", + "name": "delete-account", + "description": "${role_delete-account}", + "composite": false, + "clientRole": true, + "containerId": "a3291f71-8f8e-4ffe-a1b3-5e08dc93d77f", + "attributes": {} + }, + { + "id": "842c8adb-7c3b-4e4a-87a4-84dc81b7a404", + "name": "manage-account", + "description": "${role_manage-account}", + "composite": true, + "composites": { + "client": { + "account": [ + "manage-account-links" + ] + } + }, + "clientRole": true, + "containerId": 
"a3291f71-8f8e-4ffe-a1b3-5e08dc93d77f", + "attributes": {} + }, + { + "id": "de9d924f-aca7-44f4-8efc-e397fc6ec79f", + "name": "manage-account-links", + "description": "${role_manage-account-links}", + "composite": false, + "clientRole": true, + "containerId": "a3291f71-8f8e-4ffe-a1b3-5e08dc93d77f", + "attributes": {} + }, + { + "id": "d4e26324-81bb-42da-9147-15bb2464e8f7", + "name": "view-profile", + "description": "${role_view-profile}", + "composite": false, + "clientRole": true, + "containerId": "a3291f71-8f8e-4ffe-a1b3-5e08dc93d77f", + "attributes": {} + } + ] + } + }, + "groups": [ + { + "id": "e2bfeb5c-880a-43fa-a822-4b7dba87defb", + "name": "opendmp-app", + "path": "/opendmp-app", + "subGroups": [ + { + "id": "935ab34d-700a-407f-bb7b-8a00ddcef1d8", + "name": "role-admin", + "path": "/opendmp-app/role-admin", + "parentId": "e2bfeb5c-880a-43fa-a822-4b7dba87defb", + "subGroups": [], + "attributes": {}, + "realmRoles": [], + "clientRoles": { + "dmp_annotation": [ + "Admin" + ], + "dmp_web": [ + "Admin" + ], + "dmp_notification": [ + "Admin" + ] + } + }, + { + "id": "011269bd-9eec-445f-926d-1ebd1f45b5aa", + "name": "role-user", + "path": "/opendmp-app/role-user", + "parentId": "e2bfeb5c-880a-43fa-a822-4b7dba87defb", + "subGroups": [], + "attributes": {}, + "realmRoles": [], + "clientRoles": { + "dmp_annotation": [ + "User" + ], + "dmp_web": [ + "User" + ], + "dmp_notification": [ + "User" + ] + } + }, + { + "id": "01195be1-f754-415b-8225-3cc470744d62", + "name": "tenant-role-admin", + "path": "/opendmp-app/tenant-role-admin", + "parentId": "e2bfeb5c-880a-43fa-a822-4b7dba87defb", + "subGroups": [ + { + "id": "70fdec04-4dce-455c-939b-4146bed4bd4c", + "name": "tenant-default", + "path": "/opendmp-app/tenant-role-admin/tenant-default", + "parentId": "01195be1-f754-415b-8225-3cc470744d62", + "subGroups": [], + "attributes": { + "tenant_role": [ + "TenantAdmin:default" + ] + }, + "realmRoles": [], + "clientRoles": {} + } + ], + "attributes": {}, + "realmRoles": [ + 
"User" + ], + "clientRoles": {} + }, + { + "id": "1bfe8064-4e44-4ec1-a69e-836364a36e37", + "name": "tenant-role-description-template-editor", + "path": "/opendmp-app/tenant-role-description-template-editor", + "parentId": "e2bfeb5c-880a-43fa-a822-4b7dba87defb", + "subGroups": [ + { + "id": "b84e92ec-452d-4912-90c6-813b3d2e2076", + "name": "tenant-default", + "path": "/opendmp-app/tenant-role-description-template-editor/tenant-default", + "parentId": "1bfe8064-4e44-4ec1-a69e-836364a36e37", + "subGroups": [], + "attributes": { + "tenant_role": [ + "TenantDescriptionTemlateEditor:default" + ] + }, + "realmRoles": [], + "clientRoles": {} + } + ], + "attributes": {}, + "realmRoles": [ + "User" + ], + "clientRoles": {} + }, + { + "id": "735f22f1-a0cc-4afd-af4c-dba6bb2e7415", + "name": "tenant-role-manager", + "path": "/opendmp-app/tenant-role-manager", + "parentId": "e2bfeb5c-880a-43fa-a822-4b7dba87defb", + "subGroups": [ + { + "id": "88fb621e-499e-481b-8695-77dc7527451e", + "name": "tenant-default", + "path": "/opendmp-app/tenant-role-manager/tenant-default", + "parentId": "735f22f1-a0cc-4afd-af4c-dba6bb2e7415", + "subGroups": [], + "attributes": { + "tenant_role": [ + "TenantManager:default" + ] + }, + "realmRoles": [], + "clientRoles": {} + } + ], + "attributes": {}, + "realmRoles": [ + "User" + ], + "clientRoles": {} + }, + { + "id": "64c07220-0d92-44e5-be6e-d9edf6c10a56", + "name": "tenant-role-user", + "path": "/opendmp-app/tenant-role-user", + "parentId": "e2bfeb5c-880a-43fa-a822-4b7dba87defb", + "subGroups": [ + { + "id": "2094ae4c-804b-4a40-9c20-0efa6d384f27", + "name": "tenant-default", + "path": "/opendmp-app/tenant-role-user/tenant-default", + "parentId": "64c07220-0d92-44e5-be6e-d9edf6c10a56", + "subGroups": [], + "attributes": {}, + "realmRoles": [], + "clientRoles": {} + } + ], + "attributes": { + "tenant_role": [ + "TenantUser:default" + ] + }, + "realmRoles": [ + "User" + ], + "clientRoles": {} + } + ], + "attributes": {}, + "realmRoles": [], + 
"clientRoles": {} + } + ], + "defaultRole": { + "id": "ea1273c9-d2bc-49bb-8c92-fe0dcbd9cc31", + "name": "default-roles-dmp-staging", + "description": "${role_default-roles}", + "composite": true, + "clientRole": false, + "containerId": "8ca42ab4-2c36-4f48-b25e-7d96a00cbc1c" + }, + "defaultGroups": [ + "/opendmp-app/role-user", + "/opendmp-app/tenant-role-user/tenant-default" + ], + "requiredCredentials": [ + "password" + ], + "otpPolicyType": "totp", + "otpPolicyAlgorithm": "HmacSHA1", + "otpPolicyInitialCounter": 0, + "otpPolicyDigits": 6, + "otpPolicyLookAheadWindow": 1, + "otpPolicyPeriod": 30, + "otpPolicyCodeReusable": false, + "otpSupportedApplications": [ + "totpAppFreeOTPName", + "totpAppGoogleName", + "totpAppMicrosoftAuthenticatorName" + ], + "localizationTexts": {}, + "webAuthnPolicyRpEntityName": "keycloak", + "webAuthnPolicySignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyRpId": "", + "webAuthnPolicyAttestationConveyancePreference": "not specified", + "webAuthnPolicyAuthenticatorAttachment": "not specified", + "webAuthnPolicyRequireResidentKey": "not specified", + "webAuthnPolicyUserVerificationRequirement": "not specified", + "webAuthnPolicyCreateTimeout": 0, + "webAuthnPolicyAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyAcceptableAaguids": [], + "webAuthnPolicyExtraOrigins": [], + "webAuthnPolicyPasswordlessRpEntityName": "keycloak", + "webAuthnPolicyPasswordlessSignatureAlgorithms": [ + "ES256" + ], + "webAuthnPolicyPasswordlessRpId": "", + "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified", + "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified", + "webAuthnPolicyPasswordlessRequireResidentKey": "not specified", + "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified", + "webAuthnPolicyPasswordlessCreateTimeout": 0, + "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyPasswordlessAcceptableAaguids": [], + 
"webAuthnPolicyPasswordlessExtraOrigins": [], + "users": [ + { + "id": "bc33b6b1-5017-4314-a644-ee55e5aa7dd6", + "username": "service-account-dmp_annotation", + "emailVerified": false, + "createdTimestamp": 1712653226491, + "enabled": true, + "totp": false, + "serviceAccountClientId": "dmp_annotation", + "disableableCredentialTypes": [], + "requiredActions": [], + "realmRoles": [ + "default-roles-dmp-staging" + ], + "notBefore": 0, + "groups": [] + }, + { + "id": "7965e6d2-ea1b-4c61-a9ab-42541b3f7afa", + "username": "service-account-dmp_notification", + "emailVerified": false, + "createdTimestamp": 1712653503012, + "enabled": true, + "totp": false, + "serviceAccountClientId": "dmp_notification", + "disableableCredentialTypes": [], + "requiredActions": [], + "realmRoles": [ + "default-roles-dmp-staging" + ], + "notBefore": 0, + "groups": [] + }, + { + "id": "0ce5a953-2242-44a3-9f63-2977dd2cd7ab", + "username": "service-account-dmp_plugins", + "emailVerified": false, + "createdTimestamp": 1712654040557, + "enabled": true, + "totp": false, + "serviceAccountClientId": "dmp_plugins", + "disableableCredentialTypes": [], + "requiredActions": [], + "realmRoles": [ + "default-roles-dmp-staging" + ], + "notBefore": 0, + "groups": [] + }, + { + "id": "d939b8ee-1fee-416b-b535-24eae8828625", + "username": "service-account-dmp_web", + "emailVerified": false, + "createdTimestamp": 1712653775771, + "enabled": true, + "totp": false, + "serviceAccountClientId": "dmp_web", + "disableableCredentialTypes": [], + "requiredActions": [], + "realmRoles": [ + "default-roles-dmp-staging" + ], + "notBefore": 0, + "groups": [] + } + ], + "scopeMappings": [ + { + "clientScope": "dmp_web", + "roles": [ + "User", + "Admin" + ] + }, + { + "clientScope": "offline_access", + "roles": [ + "offline_access" + ] + }, + { + "clientScope": "dmp_annotation", + "roles": [ + "User", + "Admin" + ] + }, + { + "clientScope": "dmp_notification", + "roles": [ + "User", + "Admin" + ] + } + ], + 
"clientScopeMappings": { + "account": [ + { + "client": "account-console", + "roles": [ + "manage-account", + "view-groups" + ] + } + ] + }, + "clients": [ + { + "id": "a3291f71-8f8e-4ffe-a1b3-5e08dc93d77f", + "clientId": "account", + "name": "${client_account}", + "rootUrl": "${authBaseUrl}", + "baseUrl": "/realms/OpenDMP/account/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/realms/OpenDMP/account/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "28e4d2ef-28e5-42cf-8960-180b6026c4a5", + "clientId": "account-console", + "name": "${client_account-console}", + "rootUrl": "${authBaseUrl}", + "baseUrl": "/realms/OpenDMP/account/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/realms/OpenDMP/account/*" + ], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+", + "pkce.code.challenge.method": "S256" + }, + 
"authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "protocolMappers": [ + { + "id": "6e9cba55-8e6d-42cb-a850-502169e461e5", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": {} + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "79efd221-a8e9-4485-81cc-797384a1d142", + "clientId": "admin-cli", + "name": "${client_admin-cli}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "79a9e8f4-f09d-4d30-bd44-3f433309c3c6", + "clientId": "broker", + "name": "${client_broker}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": true, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": 
"openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "e590dbb7-591d-4eca-93d1-6a349b9f0ccf", + "clientId": "dmp_annotation", + "name": "dmp_annotation", + "description": "", + "rootUrl": "", + "adminUrl": "", + "baseUrl": "", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "**********", + "redirectUris": [ + "/*" + ], + "webOrigins": [ + "/*" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": true, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "client.secret.creation.time": "1712653226", + "backchannel.logout.session.required": "true", + "display.on.consent.screen": "false", + "oauth2.device.authorization.grant.enabled": "false", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "id": "9118fd84-e77b-4452-8777-bbb191099cea", + "name": "Client Host", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientHost", + "introspection.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientHost", + "jsonType.label": "String" + } + }, + { + "id": "f4c21a2e-c1d7-42af-83b2-1bd773bb1d24", + "name": "Client IP Address", + "protocol": 
"openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientAddress", + "introspection.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientAddress", + "jsonType.label": "String" + } + }, + { + "id": "2e823e2f-bfb7-426e-a55c-90c89e6a9b95", + "name": "Client ID", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "client_id", + "introspection.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "client_id", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "01b43587-5af0-4761-a2af-e9059bc3a396", + "clientId": "dmp_notification", + "name": "dmp_notification", + "description": "", + "rootUrl": "", + "adminUrl": "", + "baseUrl": "", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "**********", + "redirectUris": [ + "/*" + ], + "webOrigins": [ + "/*" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": true, + "publicClient": false, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "client.secret.creation.time": "1712653503", + "oauth2.device.authorization.grant.enabled": "false", + "backchannel.logout.revoke.offline.tokens": "false", + "use.refresh.tokens": "true", + "oidc.ciba.grant.enabled": "false", + "client.use.lightweight.access.token.enabled": "false", + "backchannel.logout.session.required": "true", + 
"client_credentials.use_refresh_token": "false", + "acr.loa.map": "{}", + "require.pushed.authorization.requests": "false", + "tls.client.certificate.bound.access.tokens": "false", + "display.on.consent.screen": "false", + "token.response.type.bearer.lower-case": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "id": "fa2a3f16-d87e-4122-8a13-781d46987f92", + "name": "Client IP Address", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientAddress", + "introspection.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientAddress", + "jsonType.label": "String" + } + }, + { + "id": "b94faa61-3757-448e-bacd-e232fdb1d1ba", + "name": "Client Host", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientHost", + "introspection.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientHost", + "jsonType.label": "String" + } + }, + { + "id": "fa13a201-56f0-4ddf-b757-54556bc4c403", + "name": "Client ID", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "client_id", + "introspection.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "client_id", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "fc60067c-3b77-4172-917c-6116ac1d91af", + "clientId": "dmp_plugins", + "name": "dmp_plugins", + "description": "", + "rootUrl": "", + 
"adminUrl": "", + "baseUrl": "", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "**********", + "redirectUris": [ + "/*" + ], + "webOrigins": [ + "/*" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": true, + "publicClient": false, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "oidc.ciba.grant.enabled": "false", + "oauth2.device.authorization.grant.enabled": "false", + "client.secret.creation.time": "1712654040", + "backchannel.logout.session.required": "true", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "id": "3dab7e1b-7a8d-4fe2-9126-cb34aa902ad5", + "name": "Client IP Address", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientAddress", + "introspection.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientAddress", + "jsonType.label": "String" + } + }, + { + "id": "0525ff56-61da-4e46-b03b-f9e9efac675d", + "name": "Client ID", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "client_id", + "introspection.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "client_id", + "jsonType.label": "String" + } + }, + { + "id": "b8376624-5481-4047-bacf-047b38fdb569", + "name": "Client Host", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + 
"user.session.note": "clientHost", + "introspection.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientHost", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + }, + { + "id": "c82150e9-a9e5-4a5f-bd0f-5f25460b3e08", + "clientId": "dmp_web", + "name": "dmp_web", + "description": "", + "rootUrl": "", + "adminUrl": "", + "baseUrl": "", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "secret": "**********", + "redirectUris": [ + "/*" + ], + "webOrigins": [ + "/*" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": true, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "client.secret.creation.time": "1712653775", + "oauth2.device.authorization.grant.enabled": "false", + "backchannel.logout.revoke.offline.tokens": "false", + "use.refresh.tokens": "true", + "oidc.ciba.grant.enabled": "false", + "client.use.lightweight.access.token.enabled": "false", + "backchannel.logout.session.required": "true", + "client_credentials.use_refresh_token": "false", + "tls.client.certificate.bound.access.tokens": "false", + "require.pushed.authorization.requests": "false", + "acr.loa.map": "{}", + "display.on.consent.screen": "false", + "token.response.type.bearer.lower-case": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "protocolMappers": [ + { + "id": "f6e04c1b-cfdd-435a-8ced-4b1f74575203", + "name": "Client ID", + "protocol": "openid-connect", + "protocolMapper": 
"oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "client_id", + "introspection.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "client_id", + "jsonType.label": "String" + } + }, + { + "id": "b43fefcd-c57c-41bd-8b81-0df8eb0b9ac3", + "name": "Client IP Address", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientAddress", + "introspection.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientAddress", + "jsonType.label": "String" + } + }, + { + "id": "638dfefd-24a6-4830-9f22-447a9b58b58d", + "name": "Client Host", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "clientHost", + "introspection.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "clientHost", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "dmp_plugins", + "microprofile-jwt" + ] + }, + { + "id": "94d2efc9-1fad-46b6-a89a-d2edd303994b", + "clientId": "dmp_webapp", + "name": "dmp_webapp", + "description": "", + "rootUrl": "https://test.opendmp.eu/home", + "adminUrl": "", + "baseUrl": "https://test.opendmp.eu/home", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "https://test.opendmp.eu/*" + ], + "webOrigins": [ + "https://test.opendmp.eu" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + 
"serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "oauth2.device.authorization.grant.enabled": "false", + "backchannel.logout.revoke.offline.tokens": "false", + "use.refresh.tokens": "true", + "oidc.ciba.grant.enabled": "false", + "client.use.lightweight.access.token.enabled": "false", + "backchannel.logout.session.required": "true", + "client_credentials.use_refresh_token": "false", + "tls.client.certificate.bound.access.tokens": "false", + "require.pushed.authorization.requests": "false", + "acr.loa.map": "{}", + "display.on.consent.screen": "false", + "token.response.type.bearer.lower-case": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "defaultClientScopes": [ + "web-origins", + "acr", + "identity_provider", + "roles", + "profile", + "email", + "tenant_role" + ], + "optionalClientScopes": [ + "address", + "dmp_annotation", + "phone", + "offline_access", + "dmp_web", + "dmp_notification", + "microprofile-jwt" + ] + }, + { + "id": "8094376d-fcf3-4366-a812-26301583cc98", + "clientId": "realm-management", + "name": "${client_realm-management}", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [], + "webOrigins": [], + "notBefore": 0, + "bearerOnly": true, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": false, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": {}, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + 
"microprofile-jwt" + ] + }, + { + "id": "7f40ff61-1137-4430-82fb-57cfcc54f1ac", + "clientId": "security-admin-console", + "name": "${client_security-admin-console}", + "rootUrl": "${authAdminUrl}", + "baseUrl": "/admin/OpenDMP/console/", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "/admin/OpenDMP/console/*" + ], + "webOrigins": [ + "+" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": false, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": false, + "protocol": "openid-connect", + "attributes": { + "post.logout.redirect.uris": "+", + "pkce.code.challenge.method": "S256" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "nodeReRegistrationTimeout": 0, + "protocolMappers": [ + { + "id": "7b0b7a33-dbf1-4a9e-9a84-4db2d2d67d9e", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ] + } + ], + "clientScopes": [ + { + "id": "b5b320c3-eddc-4b7e-9be3-968542e2fa14", + "name": "tenant_role", + "description": "tenant_role", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "gui.order": "", + "consent.screen.text": "" + }, + "protocolMappers": [ + { + "id": "14d68445-3964-48a6-a045-0bec491533de", + "name": 
"Tenant role", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "aggregate.attrs": "true", + "introspection.token.claim": "true", + "multivalued": "true", + "userinfo.token.claim": "true", + "user.attribute": "tenant_role", + "id.token.claim": "true", + "lightweight.claim": "false", + "access.token.claim": "true", + "claim.name": "tenant_roles", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "bf01169f-984e-4632-81bf-b4c916ae453d", + "name": "profile", + "description": "OpenID Connect built-in scope: profile", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${profileScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "73fb5445-eae5-4447-9047-7f54055fb22b", + "name": "picture", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "picture", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "picture", + "jsonType.label": "String" + } + }, + { + "id": "c479bf22-e264-4c00-b8d1-7357b67e53fd", + "name": "locale", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "locale", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "locale", + "jsonType.label": "String" + } + }, + { + "id": "5d00fe6a-4cdd-46d6-bd57-d008b2403ad6", + "name": "family name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "lastName", + 
"id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "family_name", + "jsonType.label": "String" + } + }, + { + "id": "022d1a9f-5534-4e8e-a63c-e91238eb3b67", + "name": "gender", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "gender", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "gender", + "jsonType.label": "String" + } + }, + { + "id": "73ab53b4-0efd-49fc-a3b7-54c9d8b6fb40", + "name": "full name", + "protocol": "openid-connect", + "protocolMapper": "oidc-full-name-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "access.token.claim": "true", + "introspection.token.claim": "true", + "userinfo.token.claim": "true" + } + }, + { + "id": "41cfe68d-7ae4-4e13-ae34-2be00f238324", + "name": "given name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "firstName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "given_name", + "jsonType.label": "String" + } + }, + { + "id": "d3ac8d95-881b-4ed3-a37d-b62e537d9268", + "name": "website", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "website", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "website", + "jsonType.label": "String" + } + }, + { + "id": "fa31e780-3b6d-44c2-a084-6efcab21cfde", + "name": "nickname", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": 
"true", + "userinfo.token.claim": "true", + "user.attribute": "nickname", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "nickname", + "jsonType.label": "String" + } + }, + { + "id": "93859d51-f106-4596-9520-0483ee7f5308", + "name": "username", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "preferred_username", + "jsonType.label": "String" + } + }, + { + "id": "c36562fc-901f-41b1-a7ae-079fa5bac69f", + "name": "birthdate", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "birthdate", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "birthdate", + "jsonType.label": "String" + } + }, + { + "id": "493b316c-97f7-42b8-9548-09d5d874ab17", + "name": "profile", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "profile", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "profile", + "jsonType.label": "String" + } + }, + { + "id": "77326698-db87-4fae-b1a6-f862173a9a4c", + "name": "updated at", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "updatedAt", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "updated_at", + "jsonType.label": "long" + } + }, + { + "id": 
"66c0e5d7-d7cb-441c-b1c9-88f51c7e05dc", + "name": "zoneinfo", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "zoneinfo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "zoneinfo", + "jsonType.label": "String" + } + }, + { + "id": "c761fe65-855c-4933-84ce-1e994ce53cf9", + "name": "middle name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "middleName", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "middle_name", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "a908ffe3-5be1-4f66-b737-132085fedee9", + "name": "dmp_web", + "description": "", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "gui.order": "", + "consent.screen.text": "" + }, + "protocolMappers": [ + { + "id": "f5cd6093-9cc0-476d-aad1-d8cd30bdd8ce", + "name": "Client Id Audience", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-mapper", + "consentRequired": false, + "config": { + "included.client.audience": "dmp_web", + "introspection.token.claim": "true", + "userinfo.token.claim": "false", + "id.token.claim": "false", + "lightweight.claim": "false", + "access.token.claim": "true" + } + } + ] + }, + { + "id": "0db5db44-ef7a-4bbc-a770-3a34b4aa5f58", + "name": "acr", + "description": "OpenID Connect scope for add acr (authentication context class reference) to the token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "bb50b0bc-17cd-4980-92dc-3179fe6ffaeb", + "name": "acr loa 
level", + "protocol": "openid-connect", + "protocolMapper": "oidc-acr-mapper", + "consentRequired": false, + "config": { + "id.token.claim": "true", + "introspection.token.claim": "true", + "access.token.claim": "true" + } + } + ] + }, + { + "id": "64963b49-1a94-4fad-8b8a-329f8e25873e", + "name": "dmp_plugins", + "description": "", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "gui.order": "", + "consent.screen.text": "" + }, + "protocolMappers": [ + { + "id": "79169ea5-5635-41ca-997a-2ceaf6fb0431", + "name": "Client Id Audience", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-mapper", + "consentRequired": false, + "config": { + "included.client.audience": "dmp_plugins", + "id.token.claim": "false", + "lightweight.claim": "false", + "introspection.token.claim": "true", + "access.token.claim": "true" + } + } + ] + }, + { + "id": "6c1655da-fb82-45b7-9bc6-4774f44aa504", + "name": "email", + "description": "OpenID Connect built-in scope: email", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${emailScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "7cb5006e-0b00-4659-a84f-4817f49bcbe9", + "name": "email", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "email", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email", + "jsonType.label": "String" + } + }, + { + "id": "b9c82303-ac4b-4d45-bb31-07d174c2f338", + "name": "email verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": 
"emailVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email_verified", + "jsonType.label": "boolean" + } + } + ] + }, + { + "id": "f4700d8f-a939-4627-828d-aef6473619ba", + "name": "address", + "description": "OpenID Connect built-in scope: address", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${addressScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "34b4f62a-a50d-44e5-ae0f-6430af1b4fbe", + "name": "address", + "protocol": "openid-connect", + "protocolMapper": "oidc-address-mapper", + "consentRequired": false, + "config": { + "user.attribute.formatted": "formatted", + "user.attribute.country": "country", + "introspection.token.claim": "true", + "user.attribute.postal_code": "postal_code", + "userinfo.token.claim": "true", + "user.attribute.street": "street", + "id.token.claim": "true", + "user.attribute.region": "region", + "access.token.claim": "true", + "user.attribute.locality": "locality" + } + } + ] + }, + { + "id": "f7971816-d301-462b-b160-48a088ac6643", + "name": "role_list", + "description": "SAML role list", + "protocol": "saml", + "attributes": { + "consent.screen.text": "${samlRoleListScopeConsentText}", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "a09729c9-52f7-4925-a1ea-f6f93d2745be", + "name": "role list", + "protocol": "saml", + "protocolMapper": "saml-role-list-mapper", + "consentRequired": false, + "config": { + "single": "false", + "attribute.nameformat": "Basic", + "attribute.name": "Role" + } + } + ] + }, + { + "id": "c49d0064-73f8-461a-aa3c-fa025a415446", + "name": "roles", + "description": "OpenID Connect scope for add user roles to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "true", + "consent.screen.text": "${rolesScopeConsentText}" + }, + "protocolMappers": [ + 
{ + "id": "2ee26d6b-fad4-422f-9582-1646b964ab15", + "name": "audience resolve", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-resolve-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "access.token.claim": "true" + } + }, + { + "id": "d2c7786d-b1e2-4354-9969-941a9d9bc0aa", + "name": "realm roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "multivalued": "true", + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "realm_access.roles", + "jsonType.label": "String" + } + }, + { + "id": "e1f6b0f6-c829-4f78-a515-3fbcf37ad1ae", + "name": "client roles", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-client-role-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "multivalued": "true", + "user.attribute": "foo", + "access.token.claim": "true", + "claim.name": "resource_access.${client_id}.roles", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "9cc28f08-d4c7-4aba-8c80-eededcd11a46", + "name": "phone", + "description": "OpenID Connect built-in scope: phone", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${phoneScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "e4e2fd1f-ada0-4483-a224-444aa6b2cefd", + "name": "phone number", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "phoneNumber", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number", + "jsonType.label": "String" + } + }, + { + "id": "4819d3cb-2655-4d8f-baf0-f1fa052c5742", + "name": "phone number verified", + 
"protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "phoneNumberVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "phone_number_verified", + "jsonType.label": "boolean" + } + } + ] + }, + { + "id": "cb33ebdb-cecb-4999-9d3c-ded4c8af97f8", + "name": "microprofile-jwt", + "description": "Microprofile - JWT built-in scope", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "4c83af62-84e3-4b2c-937a-d6b0ded5279b", + "name": "upn", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "upn", + "jsonType.label": "String" + } + }, + { + "id": "3be3f9d8-2ee6-43ff-92a3-374b1c39921e", + "name": "groups", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "multivalued": "true", + "user.attribute": "foo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "groups", + "jsonType.label": "String" + } + } + ] + }, + { + "id": "03b4e370-be59-41a3-9053-a970479b0ea0", + "name": "offline_access", + "description": "OpenID Connect built-in scope: offline_access", + "protocol": "openid-connect", + "attributes": { + "consent.screen.text": "${offlineAccessScopeConsentText}", + "display.on.consent.screen": "true" + } + }, + { + "id": "d5f27ae9-d3b3-404d-bc45-ce9aae728bef", + "name": "identity_provider", + "description": "", + "protocol": "openid-connect", + "attributes": { + 
"include.in.token.scope": "true", + "display.on.consent.screen": "true", + "gui.order": "", + "consent.screen.text": "" + }, + "protocolMappers": [ + { + "id": "361d74ff-711a-4621-92d8-59d99b8b34b2", + "name": "identity_provider", + "protocol": "openid-connect", + "protocolMapper": "oidc-usersessionmodel-note-mapper", + "consentRequired": false, + "config": { + "user.session.note": "identity_provider", + "introspection.token.claim": "true", + "userinfo.token.claim": "true", + "id.token.claim": "true", + "lightweight.claim": "false", + "access.token.claim": "true", + "claim.name": "identity_provider", + "jsonType.label": "String", + "access.tokenResponse.claim": "true" + } + } + ] + }, + { + "id": "053f9ffc-ab71-432d-b6b8-7cc1d5ee9fc7", + "name": "web-origins", + "description": "OpenID Connect scope for add allowed web origins to the access token", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "false", + "display.on.consent.screen": "false", + "consent.screen.text": "" + }, + "protocolMappers": [ + { + "id": "ff47565c-cfee-4aff-ace2-6101aced8863", + "name": "allowed web origins", + "protocol": "openid-connect", + "protocolMapper": "oidc-allowed-origins-mapper", + "consentRequired": false, + "config": { + "introspection.token.claim": "true", + "access.token.claim": "true" + } + } + ] + }, + { + "id": "601c48ac-d1f9-4cdc-8268-d04871729536", + "name": "dmp_annotation", + "description": "", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "gui.order": "", + "consent.screen.text": "" + }, + "protocolMappers": [ + { + "id": "12a858df-5ae6-4735-8ec1-dfc2b20d63a1", + "name": "Client Id Audience", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-mapper", + "consentRequired": false, + "config": { + "included.client.audience": "dmp_annotation", + "introspection.token.claim": "true", + "userinfo.token.claim": "false", + "id.token.claim": "false", + 
"lightweight.claim": "false", + "access.token.claim": "true" + } + } + ] + }, + { + "id": "708a6370-64e3-44e0-9138-15ca16de1f93", + "name": "dmp_notification", + "description": "", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "gui.order": "", + "consent.screen.text": "" + }, + "protocolMappers": [ + { + "id": "fc20664f-1359-41f9-b127-f121e88edeb4", + "name": "Client Id Audience", + "protocol": "openid-connect", + "protocolMapper": "oidc-audience-mapper", + "consentRequired": false, + "config": { + "included.client.audience": "dmp_notification", + "id.token.claim": "false", + "lightweight.claim": "false", + "introspection.token.claim": "true", + "access.token.claim": "true" + } + } + ] + } + ], + "defaultDefaultClientScopes": [ + "role_list", + "profile", + "email", + "roles", + "web-origins", + "acr" + ], + "defaultOptionalClientScopes": [ + "offline_access", + "address", + "phone", + "microprofile-jwt", + "tenant_role" + ], + "browserSecurityHeaders": { + "contentSecurityPolicyReportOnly": "", + "xContentTypeOptions": "nosniff", + "referrerPolicy": "no-referrer", + "xRobotsTag": "none", + "xFrameOptions": "SAMEORIGIN", + "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", + "xXSSProtection": "1; mode=block", + "strictTransportSecurity": "max-age=31536000; includeSubDomains" + }, + "smtpServer": { + "replyToDisplayName": "", + "starttls": "true", + "auth": "true", + "envelopeFrom": "", + "ssl": "false", + "password": "**********", + "port": "587", + "host": "smtp.office365.com", + "replyTo": "", + "from": "no-reply@openaire.eu", + "fromDisplayName": "", + "user": "no-reply@openaire.eu" + }, + "eventsEnabled": true, + "eventsListeners": [ + "jboss-logging" + ], + "enabledEventTypes": [ + "UPDATE_CONSENT_ERROR", + "UPDATE_TOTP", + "PERMISSION_TOKEN_ERROR", + "IDENTITY_PROVIDER_RETRIEVE_TOKEN_ERROR", + "IMPERSONATE_ERROR", + "CUSTOM_REQUIRED_ACTION", 
+ "RESTART_AUTHENTICATION", + "CLIENT_INFO", + "IMPERSONATE", + "LOGIN", + "CLIENT_INITIATED_ACCOUNT_LINKING", + "OAUTH2_EXTENSION_GRANT", + "USER_DISABLED_BY_PERMANENT_LOCKOUT", + "USER_DISABLED_BY_TEMPORARY_LOCKOUT_ERROR", + "TOKEN_EXCHANGE", + "REGISTER", + "DELETE_ACCOUNT_ERROR", + "IDENTITY_PROVIDER_LINK_ACCOUNT", + "INTROSPECT_TOKEN_ERROR", + "USER_DISABLED_BY_TEMPORARY_LOCKOUT", + "DELETE_ACCOUNT", + "UPDATE_PASSWORD", + "IDENTITY_PROVIDER_FIRST_LOGIN", + "VERIFY_EMAIL", + "CLIENT_LOGIN_ERROR", + "RESTART_AUTHENTICATION_ERROR", + "EXECUTE_ACTIONS", + "REMOVE_FEDERATED_IDENTITY_ERROR", + "TOKEN_EXCHANGE_ERROR", + "UNREGISTER_NODE", + "SEND_IDENTITY_PROVIDER_LINK_ERROR", + "USER_INFO_REQUEST_ERROR", + "EXECUTE_ACTION_TOKEN_ERROR", + "OAUTH2_EXTENSION_GRANT_ERROR", + "SEND_VERIFY_EMAIL", + "IDENTITY_PROVIDER_RESPONSE", + "EXECUTE_ACTIONS_ERROR", + "IDENTITY_PROVIDER_RETRIEVE_TOKEN", + "OAUTH2_DEVICE_CODE_TO_TOKEN", + "USER_DISABLED_BY_PERMANENT_LOCKOUT_ERROR", + "UNREGISTER_NODE_ERROR", + "VALIDATE_ACCESS_TOKEN_ERROR", + "OAUTH2_DEVICE_VERIFY_USER_CODE_ERROR", + "REVOKE_GRANT_ERROR", + "UPDATE_EMAIL_ERROR", + "UPDATE_PROFILE", + "USER_INFO_REQUEST", + "SEND_IDENTITY_PROVIDER_LINK", + "SEND_VERIFY_EMAIL_ERROR", + "CLIENT_INITIATED_ACCOUNT_LINKING_ERROR", + "OAUTH2_DEVICE_AUTH_ERROR", + "REMOVE_TOTP_ERROR", + "VERIFY_EMAIL_ERROR", + "CLIENT_UPDATE", + "UPDATE_TOTP_ERROR", + "VERIFY_PROFILE", + "GRANT_CONSENT_ERROR", + "SEND_RESET_PASSWORD", + "GRANT_CONSENT", + "REGISTER_NODE_ERROR", + "VERIFY_PROFILE_ERROR", + "REMOVE_TOTP", + "REVOKE_GRANT", + "LOGIN_ERROR", + "CLIENT_LOGIN", + "RESET_PASSWORD_ERROR", + "CODE_TO_TOKEN_ERROR", + "OAUTH2_DEVICE_CODE_TO_TOKEN_ERROR", + "VALIDATE_ACCESS_TOKEN", + "UPDATE_PROFILE_ERROR", + "OAUTH2_DEVICE_VERIFY_USER_CODE", + "UPDATE_PASSWORD_ERROR", + "IDENTITY_PROVIDER_LOGIN", + "AUTHREQID_TO_TOKEN", + "LOGOUT", + "CLIENT_INFO_ERROR", + "CLIENT_REGISTER", + "PUSHED_AUTHORIZATION_REQUEST", + "REFRESH_TOKEN", + "INTROSPECT_TOKEN", + 
"CLIENT_DELETE", + "FEDERATED_IDENTITY_LINK_ERROR", + "CLIENT_DELETE_ERROR", + "PERMISSION_TOKEN", + "REGISTER_NODE", + "INVALID_SIGNATURE", + "PUSHED_AUTHORIZATION_REQUEST_ERROR", + "OAUTH2_DEVICE_AUTH", + "REMOVE_FEDERATED_IDENTITY", + "IDENTITY_PROVIDER_POST_LOGIN", + "IDENTITY_PROVIDER_LINK_ACCOUNT_ERROR", + "UPDATE_EMAIL", + "REGISTER_ERROR", + "EXECUTE_ACTION_TOKEN", + "LOGOUT_ERROR", + "CLIENT_UPDATE_ERROR", + "AUTHREQID_TO_TOKEN_ERROR", + "INVALID_SIGNATURE_ERROR", + "CLIENT_REGISTER_ERROR", + "FEDERATED_IDENTITY_LINK", + "IDENTITY_PROVIDER_RESPONSE_ERROR", + "IDENTITY_PROVIDER_LOGIN_ERROR", + "RESET_PASSWORD", + "UPDATE_CONSENT", + "SEND_RESET_PASSWORD_ERROR", + "REFRESH_TOKEN_ERROR", + "CUSTOM_REQUIRED_ACTION_ERROR", + "IDENTITY_PROVIDER_POST_LOGIN_ERROR", + "CODE_TO_TOKEN", + "IDENTITY_PROVIDER_FIRST_LOGIN_ERROR" + ], + "adminEventsEnabled": true, + "adminEventsDetailsEnabled": false, + "identityProviders": [ + { + "alias": "openaire", + "displayName": "OpenAIRE AAI Beta", + "internalId": "ea26795f-6c3c-49e1-9be6-93ffafe62ef4", + "providerId": "keycloak-oidc", + "enabled": true, + "updateProfileFirstLoginMode": "on", + "trustEmail": false, + "storeToken": false, + "addReadTokenRoleOnCreate": false, + "authenticateByDefault": false, + "linkOnly": false, + "firstBrokerLoginFlowAlias": "first broker login", + "config": { + "tokenUrl": "https://beta.aai.openaire.eu/auth/realms/openaire/protocol/openid-connect/token", + "acceptsPromptNoneForwardFromClient": "false", + "jwksUrl": "https://beta.aai.openaire.eu/auth/realms/openaire/protocol/openid-connect/certs", + "isAccessTokenJWT": "false", + "filteredByClaim": "false", + "backchannelSupported": "false", + "issuer": "https://beta.aai.openaire.eu/auth/realms/openaire", + "loginHint": "false", + "clientAuthMethod": "client_secret_post", + "syncMode": "IMPORT", + "clientSecret": "**********", + "allowedClockSkew": "0", + "userInfoUrl": 
"https://beta.aai.openaire.eu/auth/realms/openaire/protocol/openid-connect/userinfo", + "validateSignature": "true", + "hideOnLoginPage": "false", + "clientId": "11ec4125-b661-4b98-bc29-62ac61e97ee9", + "uiLocales": "false", + "disableNonce": "false", + "useJwksUrl": "true", + "sendClientIdOnLogout": "false", + "metadataDescriptorUrl": "https://beta.aai.openaire.eu/auth/realms/openaire/.well-known/openid-configuration", + "pkceEnabled": "false", + "authorizationUrl": "https://beta.aai.openaire.eu/auth/realms/openaire/protocol/openid-connect/auth", + "disableUserInfo": "false", + "logoutUrl": "https://beta.aai.openaire.eu/auth/realms/openaire/protocol/openid-connect/logout", + "sendIdTokenOnLogout": "true", + "passMaxAge": "false" + } + }, + { + "alias": "google", + "internalId": "4cfe51f3-fe85-459d-9a49-43614b965404", + "providerId": "google", + "enabled": true, + "updateProfileFirstLoginMode": "on", + "trustEmail": false, + "storeToken": false, + "addReadTokenRoleOnCreate": false, + "authenticateByDefault": false, + "linkOnly": false, + "firstBrokerLoginFlowAlias": "first broker login", + "config": { + "hideOnLoginPage": "false", + "clientId": "596924546661-83nhl986pnrpug5h624i5kptuao03dcd.apps.googleusercontent.com", + "acceptsPromptNoneForwardFromClient": "false", + "disableUserInfo": "false", + "filteredByClaim": "false", + "syncMode": "IMPORT", + "clientSecret": "**********" + } + } + ], + "identityProviderMappers": [ + { + "id": "b2001c5a-bcd4-4447-8c63-5b9cfef84766", + "name": " identity_provider", + "identityProviderAlias": "openaire", + "identityProviderMapper": "oidc-user-session-note-idp-mapper", + "config": { + "claims": "[{\"key\":\"identity_provider\",\"value\":\"openaire\"}]", + "syncMode": "FORCE" + } + }, + { + "id": "98f6c565-cf6e-426a-b89c-969f36e1ea23", + "name": "identity_provider", + "identityProviderAlias": "google", + "identityProviderMapper": "hardcoded-user-session-attribute-idp-mapper", + "config": { + "attribute.value": "google", + 
"syncMode": "FORCE", + "attribute": "identity_provider" + } + } + ], + "components": { + "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [ + { + "id": "c251413a-d0d1-4585-a32d-fe289e391b22", + "name": "Full Scope Disabled", + "providerId": "scope", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, + { + "id": "be40c111-2cda-420e-9ed8-e2b4a7ec4a0f", + "name": "Trusted Hosts", + "providerId": "trusted-hosts", + "subType": "anonymous", + "subComponents": {}, + "config": { + "host-sending-registration-request-must-match": [ + "true" + ], + "client-uris-must-match": [ + "true" + ] + } + }, + { + "id": "2bf6d537-32e6-43f0-bac4-58a5621ca242", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "62632e2d-bb44-4744-9eea-18270e7b5eef", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "authenticated", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "oidc-full-name-mapper", + "oidc-usermodel-property-mapper", + "saml-role-list-mapper", + "oidc-usermodel-attribute-mapper", + "oidc-address-mapper", + "oidc-sha256-pairwise-sub-mapper", + "saml-user-attribute-mapper", + "saml-user-property-mapper" + ] + } + }, + { + "id": "2d6bc782-e465-47be-a4a8-7e0307c18103", + "name": "Allowed Protocol Mapper Types", + "providerId": "allowed-protocol-mappers", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allowed-protocol-mapper-types": [ + "oidc-usermodel-property-mapper", + "oidc-full-name-mapper", + "oidc-usermodel-attribute-mapper", + "saml-user-property-mapper", + "saml-user-attribute-mapper", + "saml-role-list-mapper", + "oidc-address-mapper", + "oidc-sha256-pairwise-sub-mapper" + ] + } + }, + { + "id": "54cb1bcf-526c-4840-862d-23e436f70399", + "name": "Consent Required", + "providerId": 
"consent-required", + "subType": "anonymous", + "subComponents": {}, + "config": {} + }, + { + "id": "a6df9677-9684-4791-bec2-7ac39dded350", + "name": "Allowed Client Scopes", + "providerId": "allowed-client-templates", + "subType": "anonymous", + "subComponents": {}, + "config": { + "allow-default-scopes": [ + "true" + ] + } + }, + { + "id": "843d3c05-2814-44ba-bc69-6680e7a58ded", + "name": "Max Clients Limit", + "providerId": "max-clients", + "subType": "anonymous", + "subComponents": {}, + "config": { + "max-clients": [ + "200" + ] + } + } + ], + "org.keycloak.keys.KeyProvider": [ + { + "id": "7758a18b-e672-499d-9816-5a2361ae8e47", + "name": "rsa-generated", + "providerId": "rsa-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ] + } + }, + { + "id": "ae89ccbb-7c9a-42bd-8d78-1f0acd65473d", + "name": "aes-generated", + "providerId": "aes-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ] + } + }, + { + "id": "da8ec80f-d86c-4085-b8eb-90a69d721a30", + "name": "rsa-enc-generated", + "providerId": "rsa-enc-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ], + "algorithm": [ + "RSA-OAEP" + ] + } + }, + { + "id": "4152446e-df97-425c-a0e2-e55b6035f896", + "name": "hmac-generated-hs512", + "providerId": "hmac-generated", + "subComponents": {}, + "config": { + "priority": [ + "100" + ], + "algorithm": [ + "HS512" + ] + } + } + ] + }, + "internationalizationEnabled": false, + "supportedLocales": [], + "authenticationFlows": [ + { + "id": "ea0de871-80f7-43c5-8265-8c60cf5ef7cf", + "alias": "Account verification options", + "description": "Method with which to verity the existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-email-verification", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + 
"authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Verify Existing Account by Re-authentication", + "userSetupAllowed": false + } + ] + }, + { + "id": "c3ec62ea-bcba-459a-bd45-790243b4d80b", + "alias": "Browser - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "042807b5-76be-445b-9b4a-cb56ffacdff5", + "alias": "Direct Grant - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "direct-grant-validate-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "1f69e4f1-9b1e-4215-93fe-47ad8cb1d1ac", + "alias": "First broker login - Conditional OTP", + "description": "Flow to determine if the OTP is required for the authentication", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + 
"userSetupAllowed": false + }, + { + "authenticator": "auth-otp-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "d0d1ce23-337c-48b1-b9e4-790f9f1e538d", + "alias": "Handle Existing Account", + "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-confirm-link", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Account verification options", + "userSetupAllowed": false + } + ] + }, + { + "id": "ce420ea3-db5a-4715-97c3-43083ec45685", + "alias": "Reset - Conditional OTP", + "description": "Flow to determine if the OTP should be reset or not. 
Set to REQUIRED to force.", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "conditional-user-configured", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-otp", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "d485b957-ce85-463a-8334-2091188a40ca", + "alias": "User creation or linking", + "description": "Flow for the existing/non-existing user alternatives", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "create unique user config", + "authenticator": "idp-create-user-if-unique", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Handle Existing Account", + "userSetupAllowed": false + } + ] + }, + { + "id": "c7308ba2-0f15-48f4-a4d3-bff7d9f69b30", + "alias": "Verify Existing Account by Re-authentication", + "description": "Reauthentication of existing account", + "providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "idp-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "First broker login - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "15eb1b00-d355-46d5-b0d3-cd91ee18965f", + "alias": "browser", + "description": "browser based 
authentication", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-cookie", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "auth-spnego", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "identity-provider-redirector", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 25, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "ALTERNATIVE", + "priority": 30, + "autheticatorFlow": true, + "flowAlias": "forms", + "userSetupAllowed": false + } + ] + }, + { + "id": "70aa3e73-6037-4e9c-bd29-6d067fa76906", + "alias": "clients", + "description": "Base authentication for clients", + "providerId": "client-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "client-secret", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-secret-jwt", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "client-x509", + "authenticatorFlow": false, + "requirement": "ALTERNATIVE", + "priority": 40, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "c1203bc8-8e48-47c5-aa84-ee94f2c808ee", + "alias": "direct grant", + "description": "OpenID Connect Resource Owner Grant", + "providerId": "basic-flow", + "topLevel": true, + 
"builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "direct-grant-validate-username", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "direct-grant-validate-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 30, + "autheticatorFlow": true, + "flowAlias": "Direct Grant - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "21436674-8161-4a8b-95a9-eae479b0a239", + "alias": "docker auth", + "description": "Used by Docker clients to authenticate against the IDP", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "docker-http-basic-authenticator", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "4103b288-fde7-4bec-96d0-cefedbee5c97", + "alias": "first broker login", + "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticatorConfig": "review profile config", + "authenticator": "idp-review-profile", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "User creation or linking", + "userSetupAllowed": false + } + ] + }, + { + "id": "675b7446-5346-4d6f-917d-6f68799cdeb1", + "alias": "forms", + "description": "Username, password, otp and other auth forms.", + 
"providerId": "basic-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "auth-username-password-form", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 20, + "autheticatorFlow": true, + "flowAlias": "Browser - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "5dbb9de2-d4b9-41ea-8b5c-3bc4992d259e", + "alias": "registration", + "description": "registration flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-page-form", + "authenticatorFlow": true, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": true, + "flowAlias": "registration form", + "userSetupAllowed": false + } + ] + }, + { + "id": "49943618-291e-4449-a900-95a653d1e682", + "alias": "registration form", + "description": "registration form", + "providerId": "form-flow", + "topLevel": false, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "registration-user-creation", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-password-action", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 50, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-recaptcha-action", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 60, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "registration-terms-and-conditions", + "authenticatorFlow": false, + "requirement": "DISABLED", + "priority": 70, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + }, + { + "id": "5f460d69-6953-430e-bbc3-99f2dbf5fa66", 
+ "alias": "reset credentials", + "description": "Reset credentials for a user if they forgot their password or something", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "reset-credentials-choose-user", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-credential-email", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 20, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticator": "reset-password", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 30, + "autheticatorFlow": false, + "userSetupAllowed": false + }, + { + "authenticatorFlow": true, + "requirement": "CONDITIONAL", + "priority": 40, + "autheticatorFlow": true, + "flowAlias": "Reset - Conditional OTP", + "userSetupAllowed": false + } + ] + }, + { + "id": "56d2dfdf-00e6-41ec-9528-3d18032038cf", + "alias": "saml ecp", + "description": "SAML ECP Profile Authentication Flow", + "providerId": "basic-flow", + "topLevel": true, + "builtIn": true, + "authenticationExecutions": [ + { + "authenticator": "http-basic-authenticator", + "authenticatorFlow": false, + "requirement": "REQUIRED", + "priority": 10, + "autheticatorFlow": false, + "userSetupAllowed": false + } + ] + } + ], + "authenticatorConfig": [ + { + "id": "84811dd1-affd-4661-82cc-bef652a72aa0", + "alias": "create unique user config", + "config": { + "require.password.update.after.registration": "false" + } + }, + { + "id": "d02673de-ae3d-49fc-b764-668219a46137", + "alias": "review profile config", + "config": { + "update.profile.on.first.login": "missing" + } + } + ], + "requiredActions": [ + { + "alias": "CONFIGURE_TOTP", + "name": "Configure OTP", + "providerId": "CONFIGURE_TOTP", + "enabled": true, + "defaultAction": false, + "priority": 10, + "config": {} + }, + { + "alias": 
"TERMS_AND_CONDITIONS", + "name": "Terms and Conditions", + "providerId": "TERMS_AND_CONDITIONS", + "enabled": false, + "defaultAction": false, + "priority": 20, + "config": {} + }, + { + "alias": "UPDATE_PASSWORD", + "name": "Update Password", + "providerId": "UPDATE_PASSWORD", + "enabled": true, + "defaultAction": false, + "priority": 30, + "config": {} + }, + { + "alias": "UPDATE_PROFILE", + "name": "Update Profile", + "providerId": "UPDATE_PROFILE", + "enabled": true, + "defaultAction": false, + "priority": 40, + "config": {} + }, + { + "alias": "VERIFY_EMAIL", + "name": "Verify Email", + "providerId": "VERIFY_EMAIL", + "enabled": true, + "defaultAction": false, + "priority": 50, + "config": {} + }, + { + "alias": "delete_account", + "name": "Delete Account", + "providerId": "delete_account", + "enabled": false, + "defaultAction": false, + "priority": 60, + "config": {} + }, + { + "alias": "webauthn-register", + "name": "Webauthn Register", + "providerId": "webauthn-register", + "enabled": true, + "defaultAction": false, + "priority": 70, + "config": {} + }, + { + "alias": "webauthn-register-passwordless", + "name": "Webauthn Register Passwordless", + "providerId": "webauthn-register-passwordless", + "enabled": true, + "defaultAction": false, + "priority": 80, + "config": {} + }, + { + "alias": "VERIFY_PROFILE", + "name": "Verify Profile", + "providerId": "VERIFY_PROFILE", + "enabled": true, + "defaultAction": false, + "priority": 90, + "config": {} + }, + { + "alias": "update_user_locale", + "name": "Update User Locale", + "providerId": "update_user_locale", + "enabled": true, + "defaultAction": false, + "priority": 1000, + "config": {} + } + ], + "browserFlow": "browser", + "registrationFlow": "registration", + "directGrantFlow": "direct grant", + "resetCredentialsFlow": "reset credentials", + "clientAuthenticationFlow": "clients", + "dockerAuthenticationFlow": "docker auth", + "firstBrokerLoginFlow": "first broker login", + "attributes": { + 
"cibaBackchannelTokenDeliveryMode": "poll",
+ "cibaAuthRequestedUserHint": "login_hint",
+ "oauth2DevicePollingInterval": "5",
+ "clientOfflineSessionMaxLifespan": "0",
+ "clientSessionIdleTimeout": "0",
+ "clientOfflineSessionIdleTimeout": "0",
+ "cibaInterval": "5",
+ "realmReusableOtpCode": "false",
+ "cibaExpiresIn": "120",
+ "oauth2DeviceCodeLifespan": "600",
+ "parRequestUriLifespan": "60",
+ "clientSessionMaxLifespan": "0",
+ "frontendUrl": "",
+ "acr.loa.map": "{}",
+ "adminEventsExpiration": ""
+ },
+ "keycloakVersion": "24.0.2",
+ "userManagedAccessAllowed": false,
+ "clientProfiles": {
+ "profiles": []
+ },
+ "clientPolicies": {
+ "policies": []
+ }
+}
\ No newline at end of file
diff --git a/deployment/keycloak/keycloak.env b/deployment/keycloak/keycloak.env
new file mode 100644
index 000000000..583ff5025
--- /dev/null
+++ b/deployment/keycloak/keycloak.env
@@ -0,0 +1,23 @@
+##################### KEYCLOAK #########################
+# DB related configuraation
+KC_DB=postgres
+KC_DB_URL_HOST=opendmp.postgres
+KC_DB_SCHEMA=public
+KC_DB_URL_DATABASE=keycloak
+KC_DB_PORT=5432
+KC_DB_USERNAME=keycloak-admin
+KC_DB_PASSWORD=admin
+
+#Keycloak related configuration
+KEYCLOAK_ADMIN=opendmp-admin
+KEYCLOAK_ADMIN_PASSWORD=admin
+KC_HOSTNAME_URL=https://localhost:8082
+KC_HOSTNAME_ADMIN_URL=https://localhost:8082
+KC_PROXY_HEADERS=xforwarded
+KC_HOSTNAME_STRICT_HTTPS=true
+KC_HOSTNAME_STRICT_BACKCHANNEL=true
+KC_TRANSACTION_XA_ENABLED=false
+KC_HEALTH_ENABLED=true
+KC_METRICS_ENABLED=true
+KC_HTTPS_CERTIFICATE_FILE=/tmp/keycloak-selfsigned.crt
+KC_HTTPS_CERTIFICATE_KEY_FILE=/tmp/keycloak-selfsigned.key
\ No newline at end of file
diff --git a/deployment/postgres/keycloak_init.sql b/deployment/postgres/keycloak_init.sql
new file mode 100644
index 000000000..334cb8f66
Binary files /dev/null and b/deployment/postgres/keycloak_init.sql differ
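Review bot: `KC_DB_PASSWORD=admin` and `KEYCLOAK_ADMIN_PASSWORD=admin` are committed as live values in a deployment env file, so the realm's bootstrap admin account and the Keycloak database are protected by a guessable credential wherever this file is used unchanged. Keep the variable names but strip the values and supply them from an untracked override or the orchestrator's secret store, e.g. `KEYCLOAK_ADMIN_PASSWORD=` preceded by `# REQUIRED at deploy time; never commit a real value`, and rotate any environment that has already started with `admin`. `KC_HTTPS_CERTIFICATE_KEY_FILE=/tmp/keycloak-selfsigned.key` keeps the TLS private key under a world-writable directory, which is tolerable only for a throwaway self-signed certificate and should be labelled as such in the comment. `KC_HOSTNAME_URL=https://localhost:8082` carries no `/keycloak` path while the proxy config in this same commit fronts Keycloak at `location /keycloak/`, so unless a relative path is configured elsewhere the issuer and redirect URLs will not match what clients see — worth confirming. With `KC_PROXY_HEADERS=xforwarded` Keycloak trusts `X-Forwarded-*` from whoever reaches it, so make sure the Keycloak port is reachable only from the proxy container.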
diff --git a/deployment/postgres/opendmp_init.sql b/deployment/postgres/opendmp_init.sql
new file mode 100644
index 000000000..c932bc0ab
Binary files /dev/null and b/deployment/postgres/opendmp_init.sql differ
diff --git a/deployment/postgres/postgres.env b/deployment/postgres/postgres.env
new file mode 100644
index 000000000..7ec5f2c9f
--- /dev/null
+++ b/deployment/postgres/postgres.env
@@ -0,0 +1,4 @@
+#################### POSTGRES ########################
+#POSTGRES_DB=keycloak
+POSTGRES_USER=admin
+POSTGRES_PASSWORD=changeme
\ No newline at end of file
diff --git a/deployment/proxy/ProxyNginx.conf b/deployment/proxy/ProxyNginx.conf
new file mode 100644
index 000000000..c91551e24
--- /dev/null
+++ b/deployment/proxy/ProxyNginx.conf
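Review bot: `POSTGRES_USER=admin` with `POSTGRES_PASSWORD=changeme` is the database superuser credential for the whole stack, committed in plain text with a placeholder that in practice is rarely replaced before first start. Leave the value empty so the container refuses to start unless a real secret is supplied, e.g. `POSTGRES_PASSWORD=` with `# REQUIRED: supply from an untracked env file or a docker secret`, or, if the official Postgres image is in use, switch to its `POSTGRES_PASSWORD_FILE` mechanism. The Keycloak side of this commit connects as `keycloak-admin`/`admin`, which is not the user created here, so that role presumably comes from `keycloak_init.sql`; that file lands as an unreviewable binary blob, so confirm it does not embed another hard-coded password or exported production data.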
@@ -0,0 +1,147 @@
+server {
+ listen 8080 default_server;
+ listen [::]:8080 default_server;
+ server_name "";
+ return 444;
+}
+
+server {
+ listen 8080;
+ server_name ${APP_HOST}${APP_PORT};
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ listen 8081 ssl;
+ ssl_certificate /certifcates/cert.crt;
+ ssl_certificate_key /certifcates/key.key;
+ server_name ${APP_HOST}${APP_PORT};
+ proxy_pass_header Server;
+
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header X-Content-Type-Options nosniff;
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+ add_header Referrer-Policy 'strict-origin' always;
+ add_header Feature-Policy "usb 'none'; xr-spatial-tracking 'none'" always;
+ add_header Permissions-Policy "geolocation=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=()" always;
+
+ location / {
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # Fix the “It appears that your reverse proxy set up is broken" error.
+ proxy_pass http://opendmp.frontend:8080;
+ proxy_read_timeout 90;
+ proxy_redirect http://opendmp.frontend:8080 https://${APP_HOST}${APP_PORT};
+ }
+
+ location /api/ {
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # Fix the “It appears that your reverse proxy set up is broken" error.
+ proxy_pass http://opendmp.backend:8080;
+ proxy_read_timeout 90;
+ proxy_redirect http://opendmp.backend:8080 https://${APP_HOST}${APP_PORT}/api;
+ }
+
+ location /api/notification/ {
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # Fix the “It appears that your reverse proxy set up is broken" error.
+ proxy_pass http://opendmp.notification:8080;
+ proxy_read_timeout 90;
+ proxy_redirect http://opendmp.notification:8080 https://${APP_HOST}${APP_PORT}/api/notification;
+ }
+
+ location /api/annotation/ {
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # Fix the “It appears that your reverse proxy set up is broken" error.
+ proxy_pass http://opendmp.annotation:8080;
+ proxy_read_timeout 90;
+ proxy_redirect http://opendmp.annotation:8080 https://${APP_HOST}${APP_PORT}/api/annotation;
+ }
+}
+
+server {
+ listen 8082 ssl;
+ ssl_certificate /certifcates/cert.crt;
+ ssl_certificate_key /certifcates/key.key;
+ server_name ${MS_HOST};
+ proxy_pass_header Server;
+
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header X-Content-Type-Options nosniff;
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+ add_header Referrer-Policy 'strict-origin' always;
+ add_header Feature-Policy "usb 'none'; xr-spatial-tracking 'none'" always;
+ add_header Permissions-Policy "geolocation=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=()" always;
+
+ location /keycloak/ {
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+
+ # Fix the “It appears that your reverse proxy set up is broken" error.
+ proxy_pass https://opendmp.keycloak:8443;
+ proxy_read_timeout 90;
+
+ proxy_redirect http://opendmp.keycloak:8443 https://${MS_HOST}${MS_PORT}/keycloak;
+ }
+
+ location /rabbitmq/ {
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+
+ # Fix the “It appears that your reverse proxy set up is broken" error.
+ proxy_pass https://opendmp.rabbitmq:15672;
+ proxy_read_timeout 90;
+
+ proxy_redirect http://opendmp.rabbitmq:15672 https://${MS_HOST}${MS_PORT}/rabbitmq;
+ }
+
+ location /elastic/ {
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+
+ # Fix the “It appears that your reverse proxy set up is broken" error.
+ proxy_pass https://opendmp.kibana:5601;
+ proxy_read_timeout 90;
+
+ proxy_redirect http://opendmp.kibana:5601 https://${MS_HOST}${MS_PORT}/elastic;
+ }
+}
diff --git a/deployment/proxy/nginx-selfsigned.crt b/deployment/proxy/nginx-selfsigned.crt
new file mode 100644
index 000000000..f9dd482b1
--- /dev/null
+++ b/deployment/proxy/nginx-selfsigned.crt
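Review bot: In the `/keycloak/`, `/rabbitmq/` and `/elastic/` locations the `proxy_redirect` pattern names an `http://` upstream while `proxy_pass` talks `https://` to the same host and port, so a Location header coming back from those upstreams would not match the pattern and is passed to the client unrewritten; the three lines should read `proxy_redirect https://opendmp.keycloak:8443 https://${MS_HOST}${MS_PORT}/keycloak;`, `proxy_redirect https://opendmp.rabbitmq:15672 https://${MS_HOST}${MS_PORT}/rabbitmq;` and `proxy_redirect https://opendmp.kibana:5601 https://${MS_HOST}${MS_PORT}/elastic;`. Those same three `https://` proxy_pass targets run with nginx's default `proxy_ssl_verify off`, so the upstream certificate is never checked; if the backend certificates are under your control, add `proxy_ssl_verify on;` with `proxy_ssl_trusted_certificate` pointing at the issuing CA, otherwise record in a comment that the hop is trusted on the container network only. The 8081 and 8082 servers load `/certifcates/cert.crt` (note the spelling, which the mounting compose file must match) and set no `ssl_protocols`, so the accepted TLS versions are whatever the nginx build defaults to. `X-XSS-Protection` is a legacy header that current browsers ignore; harmless, but a `Content-Security-Policy` header would carry more weight on these vhosts.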
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDvzCCAqegAwIBAgIUL9YHiVgQxrFPSGq4nMe6KbMznaowDQYJKoZIhvcNAQEL
+BQAwbzELMAkGA1UEBhMCR1IxDzANBgNVBAgMBkF0dGljYTEPMA0GA1UEBwwGQXRo
+ZW5zMQwwCgYDVQQKDANOTEcxDjAMBgNVBAsMBU9TRFlFMSAwHgYDVQQDDBdubGct
+b3NkeWUubG9jYWwuY2l0ZS5ncjAeFw0yMDExMjcxODMzNTJaFw0yMTExMjcxODMz
+NTJaMG8xCzAJBgNVBAYTAkdSMQ8wDQYDVQQIDAZBdHRpY2ExDzANBgNVBAcMBkF0
+aGVuczEMMAoGA1UECgwDTkxHMQ4wDAYDVQQLDAVPU0RZRTEgMB4GA1UEAwwXbmxn
+LW9zZHllLmxvY2FsLmNpdGUuZ3IwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCYsoKFVSg67/NckladOuqFDeJWMYOYa1MhMTCpLL5UksoYM+BiKbWvXmRH
+AGZAjIO2sGf6vTFO7SN6LdjCRRqJfS9zQVKHZKUdvfxkGnPaAIqWAwQkM4fFUlZF
+e5jsGd7owCoEEFAirJpz53z27Xa0En5CLSI5eLGBqLNz31zi1Rdh5BPLAtgLGEoS
+kOhlDXwgGtTmBAS82sXRr51J6DQr5stKsN68+DCwJiY6GU3Kun2Kyl+bepkEtHLM
+SOxe5Du3F93kC4TwFckG+JSLrq8neXNbyoBOLYNxPzAGLg9vmD7nX02hFfONdX5p
+zeGMD+0oyujL0HtH8nKkv9OtvYP1AgMBAAGjUzBRMB0GA1UdDgQWBBTrvPpWYBX6
+spVt2gpkpDW6yzrBZzAfBgNVHSMEGDAWgBTrvPpWYBX6spVt2gpkpDW6yzrBZzAP
+BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAqfOJiorxiszfKKeD2
+eVda5pBU+qDnUOewRKizAktPm7V+cjM7bTEkmEHQ/oKlsT0FX5nsa8YfZCYgdotd
+cDWC9KqYy9itXPESoJIZ/gMJ57v1BaVDly8tHedXEltob9ywrUyf7OF55eP0fWwb
+AK90PfnRsxaurVYU5nfI9U/2jpi/LdsEYlJ7zUj7KM/Z2MwPA+be4EqjNcYLT/NB
+bavhjLgZNoTkI7wYOJug+ouPn6xJJcj06RS1Q4FxtfrsnAuT+L33HemUludEUE00
+TJwYWJN9hOgbyzTf5EsHxxME1gIhcYLYPMeBr9VIyJxdAEuuDJbn87oOB094sCA+
+nvpp
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/deployment/proxy/nginx-selfsigned.key b/deployment/proxy/nginx-selfsigned.key
new file mode 100644
index 000000000..e86e8f4f8
--- /dev/null
+++ b/deployment/proxy/nginx-selfsigned.key
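Review bot: The DER fields of this certificate decode to subject CN `nlg-osdye.local.cite.gr` with a validity window of 2020-11-27 to 2021-11-27, which would make it both expired and issued for a name other than the `APP_HOST=localhost` / `MS_HOST=localhost` that proxy.env serves — worth confirming with `openssl x509 -in deployment/proxy/nginx-selfsigned.crt -noout -subject -dates`. A client that imports this certificate to trust the self-signed proxy will still fail on the expiry, so the pair is better generated at deploy time (or by the proxy's entrypoint) for the actual hostnames than stored in the repository. If it is kept as a local-only fixture, a README line next to the `/certifcates/` mount saying it is expired and for local runs only would prevent it from being reused in staging.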
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCYsoKFVSg67/Nc
+kladOuqFDeJWMYOYa1MhMTCpLL5UksoYM+BiKbWvXmRHAGZAjIO2sGf6vTFO7SN6
+LdjCRRqJfS9zQVKHZKUdvfxkGnPaAIqWAwQkM4fFUlZFe5jsGd7owCoEEFAirJpz
+53z27Xa0En5CLSI5eLGBqLNz31zi1Rdh5BPLAtgLGEoSkOhlDXwgGtTmBAS82sXR
+r51J6DQr5stKsN68+DCwJiY6GU3Kun2Kyl+bepkEtHLMSOxe5Du3F93kC4TwFckG
++JSLrq8neXNbyoBOLYNxPzAGLg9vmD7nX02hFfONdX5pzeGMD+0oyujL0HtH8nKk
+v9OtvYP1AgMBAAECggEAajxoCpPAtaCT1GgL0sBWwdNzETzJrZWd9I3gqRL0KKsn
+58bP6fvS5/voEG36thYM3WHGNfDDCYJ7GFolYKPrXpS2Gp3r6T7gkdzIaGzvBVEz
+GkNm8jjX0TUDyLvBHSKyr4RitwkSd81WeCUqEDIOUCI9rZTxJsMN3IOetpNEcJt1
+xR2kVuTkQiIs5evQCQ2arqTf/VQFb7FuVTtmrOggsTn33FnrUDujTAAsbEoglgvw
+w1A2AYtMdGcrFIsUMJFdECkQGPVeqzKHddi1k1hv3DmOx5Rf4xJCdTL9ZYzbU1lw
+ydSAM88UA7MTZWNYCGb4HjqEeDRnMUN/Qbi4f80PgQKBgQDKWLxsCBBgFRoH6nlh
+TmBwYOmdQkBE09txpcpAFVZVv3eq/syZnT5+pcyj7EUexhu/p78UHPPkXDfnIKKe
+C+7VOEmSM9cPMZU6cqB1x4+YZkyiU1rPD2SG46ZxBBTKsPWauJNvtuhW3K6kwMCT
+ECiwG1f9EAmf9q7YKqdXGgUL3QKBgQDBL5WDIRtqHBdIPgHMue/teM+fP8I0/GKV
+D3oJjBLE+I7JNp0lpeVhDvqfAL0AgZ5023hjlPobUNtpWyuLufzY6S2Pv1scyM3A
+xW/LVXtC7QzdPmhrPxZkHEmRFA1zXdYo0xH4O+KDXVmYuzpIPfgrQkzt1EvP5jxv
+tbjY935C+QKBgHZhr+rsVNhBwDb9YQIi3p0gtcyBZCRgZjR5MHiJgzcri5GI/J6q
+tlNWIQGOS2oTsUxRkaLsxWvG4BXirAEXLiWkhrZ4icuj0JCfW21M0Z/xycf2SFx3
+vvKD4W6hWqCzIx3f+rITKp8XAT32XzQq8gMGHFY7ucXShryFR93XpTgpAoGALaAF
+WaDaDqdvwDoUxrsrNRSRRHUUctsglT/AfLy+OhLR9ieV2axijhexjRfpi1MRj1u+
+BRbMMuNXznwfvrJASyJXBloVNKkgHuUCUC1yHQ5LOX1hv+J4cVBU95Sa0KJaz+15
+kvzhtFC5tl6Rlzo7gEv6SzkWZpVjtKZgb62T/lECgYBr6PyDcGVGc8rbjxugnUnm
+rShh7nMRUiTMLpWrucf7Mfr4cwFgejCoEMXPgxJF5Q1acppL0dKQzfmLVqazNX58
+0XM0+fNDIeGyYKAbqtnqfmyI7O/Lb1jXPFuCNujzDxfeJX0yxoo38US4ZCD2iUrW
+ZK/FFkm5ncXTenBhpHOANQ==
+-----END PRIVATE KEY-----
\ No newline at end of file
diff --git a/deployment/proxy/nginx.conf b/deployment/proxy/nginx.conf
new file mode 100644
index 000000000..6c6478175
--- /dev/null
+++ b/deployment/proxy/nginx.conf
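Review bot: This commits an unencrypted RSA private key to version control; once pushed it has to be treated as disclosed regardless of later deletion, because it remains in the history. Remove the file from the tree, generate the proxy key pair at deploy time and keep it out of the repository (a `*.key` entry in .gitignore, or a Docker secret or volume mounted at `/certifcates/`), and replace the key on any host that currently presents it. If the checked-in pair is deliberately a throwaway for local runs, say so in a comment in deployment/.env next to `PROFILE`, since that file currently sets `PROFILE=staging` and nothing in this diff stops the same key from being used there.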
@@ -0,0 +1,32 @@
+worker_processes auto;
+error_log /tmp/logs/error.log warn;
+pid /tmp/nginx.pid;
+events {
+ worker_connections 1024;
+}
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+ server_tokens off;
+
+ client_body_temp_path /tmp/client_temp;
+ proxy_temp_path /tmp/proxy_temp_path;
+ fastcgi_temp_path /tmp/fastcgi_temp;
+ uwsgi_temp_path /tmp/uwsgi_temp;
+ scgi_temp_path /tmp/scgi_temp;
+
+ client_header_buffer_size 4k;
+ large_client_header_buffers 4 32k;
+ client_max_body_size 1150m;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_real_ip" [$proxy_add_x_forwarded_for]';
+
+ access_log /tmp/logs/access.log main;
+ sendfile on;
+ #tcp_nopush on;
+ keepalive_timeout 65;
+ #gzip on;
+ include /etc/nginx/conf.d/*.conf;
+}
\ No newline at end of file
diff --git a/deployment/proxy/proxy.env b/deployment/proxy/proxy.env
new file mode 100644
index 000000000..27344e6a3
--- /dev/null
+++ b/deployment/proxy/proxy.env
@@ -0,0 +1,4 @@
+APP_HOST=localhost
+APP_PORT=:51040
+MS_HOST=localhost
+MS_PORT=:51041
\ No newline at end of file
diff --git a/deployment/rabbitmq/rabbitmq.env b/deployment/rabbitmq/rabbitmq.env
new file mode 100644
index 000000000..dd5d91e94
--- /dev/null
+++ b/deployment/rabbitmq/rabbitmq.env
@@ -0,0 +1,3 @@
+RABBITMQ_DEFAULT_USER=guest
+RABBITMQ_DEFAULT_PASS=guest
+RABBITMQ_DEFAULT_VHOST=/rabbitmq/
\ No newline at end of file
diff --git a/docker-compose.override.yml b/docker-compose.override.yml
deleted file mode 100644
index f8bfbc584..000000000
--- a/docker-compose.override.yml
+++ /dev/null
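Review bot: `client_max_body_size 1150m;` is set at `http` level, so the 1.15 GB request-body limit also applies to the Keycloak, RabbitMQ and Kibana vhosts that are presumably pulled in by `include /etc/nginx/conf.d/*.conf;`, none of which needs uploads of that size; move it into the `location /api/` block of ProxyNginx.conf (or whichever route actually accepts large uploads) and leave the default elsewhere. No `ssl_protocols` or `ssl_ciphers` directive appears here or in the included server blocks, so the negotiated TLS versions depend on the nginx build's defaults; `ssl_protocols TLSv1.2 TLSv1.3;` in this `http` block would pin it for every `listen ... ssl` server. The `log_format` records `$http_x_real_ip`, a client-supplied header, alongside `$remote_addr`; that is fine for debugging, but a comment such as `# $http_x_real_ip is client-controlled; use $remote_addr for attribution` would keep later log analysis from trusting it.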
@@ -1,90 +0,0 @@ -version: "3.8" - -services: - elasticsearch: - user: 1002:1002 #develuser - restart: unless-stopped - mem_limit: 2048m - environment: - - cluster.name=open-dmp-cluster - - bootstrap.memory_lock=true - - "ES_JAVA_OPTS=-Xmx1024m -Xms1024m" - - xpack.license.self_generated.type=basic - - xpack.monitoring.collection.enabled=true - - xpack.security.enabled=true - ulimits: - nproc: 65535 - memlock: - soft: -1 - hard: -1 - volumes: - - ./ELK.Docker/shared/config-elk/elasticsearch/config/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro - - ./ELK.Docker/shared/config-elk/elasticsearch/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro - - ./ELK.Docker/shared/data-elk/elasticsearch-01-data:/usr/share/elasticsearch/data - - ./ELK.Docker/shared/data-elk/elasticsearch-01-log:/usr/share/elasticsearch/logs - #ports: - # - 51056:9200 - # - 51057:9300 - ports: - - "9201:9200" - expose: - - "9200" - hostname: opendmp-elastic - networks: - open-dmp-elk-network: - aliases: - - opendmp-elastic - - logstash: - # user: 1002:1002 #develuser - volumes: - - ./ELK.Docker/shared/config-elk/logstash/config/logstash.yml:/usr/share/logstash/config/logstash.yml:ro - - ./ELK.Docker/shared/config-elk/logstash/config/pipelines.yml:/usr/share/logstash/config/pipelines.yml:ro - - ./ELK.Docker/shared/config-elk/logstash/config/log4j2.properties:/usr/share/logstash/config/log4j2.properties:ro - - ./ELK.Docker/shared/config-elk/logstash/pipeline:/usr/share/logstash/pipeline:ro - - ./ELK.Docker/shared/config-elk/logstash/logstash/templates:/usr/share/logstash/templates - - ./ELK.Docker/shared/data-elk/logstash-log:/usr/share/logstash/logs - - ./ELK.Docker/shared/data-elk/logstash-queue:/usr/share/logstash/queue - - ./ELK.Docker/shared/data-elk/logstash-dead_letter_queue:/usr/share/logstash/dead_letter_queue - expose: - - "31311" - - "31312" - restart: on-failure - mem_limit: 2048m - environment: - - LS_JAVA_OPTS=-Xmx1024m -Xms1024m - - 
xpack.license.self_generated.type=basic - - xpack.security.enabled=true - networks: - open-dmp-elk-network: - - kibana: - # user: 1002:1002 #develuser - mem_limit: 512m - environment: - - xpack.license.self_generated.type=basic - - xpack.security.enabled=true - - volumes: - - ./ELK.Docker/shared/config-elk/kibana/config:/usr/share/kibana/config:ro - #- ./ELK.Docker/shared/config-elk/kibana/certificates:/usr/share/kibana/certificates - restart: unless-stopped - ports: - - "51058:5601" - networks: - - open-dmp-elk-network - - filebeat: - restart: unless-stopped - mem_limit: 256m - #command: [ "-e=false" ] # to overwrite the -e that disables logging to file! - volumes: - - ./ELK.Docker/shared/config-elk/filebeat/config/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro - - ./openDMP/logs:/usr/share/filebeat/log_data/dmp/ - - ./ELK.Docker/shared/data-elk/filebeat-log:/usr/share/filebeat/logs - - ./ELK.Docker/shared/data-elk/filebeat-data:/usr/share/filebeat/data #For windows if we mount the data directory we get "Writing of registry returned error: sync /usr/share/filebeat/data/registry/filebeat: invalid argument." - networks: - - open-dmp-elk-network - -networks: - open-dmp-elk-network: diff --git a/docker-compose.yml b/docker-compose.yml deleted file mode 100644 index fea9b49bf..000000000 --- a/docker-compose.yml +++ /dev/null 
@@ -1,122 +0,0 @@ -version: "3.8" - -services: - dmp-db: - image: postgres - container_name: opendmp-db - restart: unless-stopped - ports: - - "5001:5432" - expose: - - "5432" - volumes: - - dmpdata:/var/lib/postgresql/data - - ./dmp-db-scema:/docker-entrypoint-initdb.d/ - - ./dmp-db-scema/main:/main - - ./dmp-db-scema/updates:/updates - env_file: ./dmp-db-scema/Docker/dmp-db.env - networks: - - opendmp-backend-network - - dmp-pdf-converter: - image: gotenberg/gotenberg:7.4.0 - container_name: opendmp-pdf-converter - restart: unless-stopped - ports: - - "3001:3000" - expose: - - "3000" - hostname: opendmp-pdf - networks: - opendmp-pdf-network: - aliases: - - opendmp-pdf - - dmp-backend: - build: - context: ./dmp-backend - container_name: opendmp-backend - env_file: ./dmp-backend/Docker/dmp-backend.env - restart: unless-stopped - mem_limit: 2048m - ports: - - "8081:8081" - expose: - - "8080" - networks: - - opendmp-backend-network - - opendmp-pdf-network - - open-dmp-elk-network - volumes: - - ./dmp-backend/web/main/resources/config:/app/config - - ./user-guide:/app/user-guide - - ./dmp-frontend/src/assets/i18n:/app/i18n - - ./dmp-backend/web/main/resources/externalUrls:/app/externalUrls - - ./dmp-backend/web/main/resources/templates:/app/templates - - ./openDMP/dmp-backend/opendmp-logs:/app/logs - - ./openDMP/dmp-backend/tmp:/app/tmp - - ./dmp-backend/web/main/resources/logging:/app/logging - - ./dmp-backend/web/main/resources/documents:/app/documents - - dmp-frontend: - build: - context: ./dmp-frontend - container_name: opendmp-frontend - mem_limit: 2048m - restart: unless-stopped - ports: - - "8080:4200" - volumes: - - ./openDMP/dmp-frontend/static-files:/usr/share/nginx/static - - ./dmp-frontend/src/assets/config:/usr/share/nginx/html/assets/config - networks: - - opendmp-frontend-network - - elasticsearch: - image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION} - container_name: elasticsearch - build: - context: ./ELK.Docker/elasticsearch/ - 
args: - ELK_VERSION: $ELK_VERSION - healthcheck: - # test: curl --cacert /usr/share/elasticsearch/config/certificates/ca/ca.crt -s https://localhost:9200 >/dev/null; if [[ $$? == 52 ]]; then echo 0; else echo 1; fi - interval: 30s - timeout: 10s - retries: 5 - - logstash: - image: docker.elastic.co/logstash/logstash:${STACK_VERSION} - container_name: logstash - build: - context: ./ELK.Docker/logstash/ - args: - ELK_VERSION: $ELK_VERSION - depends_on: - - elasticsearch - - kibana: - image: docker.elastic.co/kibana/kibana:${STACK_VERSION} - build: - context: ./ELK.Docker/kibana/ - args: - ELK_VERSION: $ELK_VERSION - depends_on: - - elasticsearch - filebeat: - image: docker.elastic.co/filebeat/filebeat:${STACK_VERSION} - build: - context: ./ELK.Docker/filebeat/ - args: - ELK_VERSION: $ELK_VERSION - depends_on: - - logstash - -networks: - opendmp-frontend-network: - opendmp-backend-network: - opendmp-pdf-network: - open-dmp-elk-network: -volumes: - dmpdata: - external: true