avigail-oron · July 1, 2018 08:01
diff --git a/aiakos openid connect server and client b/aiakos openid connect server and client
 //Installing aiakos server via docker compose:
 //--------------------------------------------
 //prerequisites: make sure you have python 3.6 installed and pip3 & docker-compose installed 
 git clone https://gitlab.com/aiakos/aiakos
 //modify the docker-compose.yml file:
 //change this for all services:
 DATABASE_URL=mysql://<docker container name of sql server>/accounts
 //specifically for the 'accounts' service:
 BASE_URL=http://<IP address of server, the way the user's browser can see it (not localhost)>:2121/
 //if you want to see Django errors nicely in the browser:
 DEBUG=1

 //launch it via:
 docker-compose up

 //Installing aiakos client via docker compose:
 //--------------------------------------------
 git clone https://gitlab.com/aiakos/example-client-django/tree/master
 //modify docker-compose.yml file:
 //change this for all services:
 DATABASE_URL=mysql://<client container name>/project
 AUTH_URL=http://ea1c25ed-2da9-4c82-a921-b87cff97b646:dummy@<IP of the aiakos server>:2121
 DATABASE_URL=mysql://<client mysql cont name>/project
 //specifically in 'project' service:
 //this is a must! otherwise the django will refuse the host name since it's not a valid host name (docker service name with '_')
 DEBUG=True
 ALLOWED_HOSTS=*


 //launch it via:
 docker-compose up

 //Using aiakos:
 //-------------
 1. connect to the server
 2. login using root/root
 3. MUST - generate an RSA private key in PEM format and add it
  3.1 openssl genrsa -out key.pem 2048
 4. Modify the callback URLs for the Localhost app - use IP of client that the user's browser can see.  
 4. optionally - create additional users and applications. make sure to set the client_id in the AUTH_URL of the client
 5. connect to the client app
 6. you will be redirected to login page of server
 7. you can use the localhost/dummy credentials or one that you have created as admin
 8. you should see the client app with the user's ID 

 //creating new applications:
 //---------------------------
 //In aiakos - the password of the user owning the application is used as the OPIDC secret.
 //so you need to create a new application, then create a new user and associate it with the application. 
 //take the id and password of that user and put it in the AUTH_URL of the client. id is the client_id, password is the secret.
 //the format is: htttp://<client_id>:<secret>@<aiakos host_up/name>:<aiakos port>


 //Configure SSL for aiakos provider 
 //----------------------------------

 //***On server side:***
 //generate a self-signed certificate
 openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/aiakos-selfsigned.key -out /etc/ssl/certs/aiakos-selfsigned.crt

 //copy the 2 files to the aiakos base library (where the Dockerfile is)
 //edit the Dockerfile and modify the command to:
 CMD ["gunicorn", "-k", "gevent", "--certfile=aiakos-selfsigned.crt", "--keyfile=aiakos-selfsigned.key", "-b", "[::]:80", "aiakos.wsgi"]
 //edit docker-compose.yml and modify the BASE_URL to https:
 BASE_URL=https://<host ip>:2121/

 //remove all docker images and re-build

 //***On client side***
 //copy the crt file from server machine to client machine's client base dir (where Dockerfile is)
 //create a trust_cert.sh, make it executable and put the following in it: 
 //(the last line is probably not required, since aiakos client doesn't use openssl, but just in case)
 cp /app/aiakos-selfsigned.crt /etc/ssl/certs/
 cd /etc/ssl/certs
 ln -s aiakos-selfsigned.crt `openssl x509 -hash -noout -in aiakos-selfsigned.crt`.0

 //edit Dockerfile to invoke trust_cert.sh as the first RUN command in the file:
 RUN ./trust_cert.sh

 //since requests python module doesn't rely on openssl, it uses its own env var to locate the permitted certificates. 
 //we need to set that in docker-compose.yml to point it to the crt file.
 //edit docker-compose.yml and add the following line under projects -> environment:
 - REQUESTS_CA_BUNDLE=/etc/ssl/certs/aiakos-selfsigned.crt
 //also change AUTH_URL for all 3 containers to use https

 //remove all images and re-build docker compose


 //Setting secure communication (TLS) between aiakos provider -> MariaDB 
 //-------------------------------------------------------------------
 //source: https://www.cyberciti.biz/faq/how-to-setup-mariadb-ssl-and-secure-connections-from-clients/
 //As a best-practice, this process should be done in a docker-friendly way. I've tested it as a hack 
 //by connecting to the running container and fetching the files into the container (+reload the mysql process)

 //***On the host machine*** (since it's accessible to the mysql container) run the following:

 //create ca key
 sudo openssl genrsa 2048 > ca-key.pem
 //generate a certificate based on ca key
 sudo openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem
 //verify you have ca-cert.pem and ca-key.pem
 //create the server key file
 sudo openssl req -newkey rsa:2048 -days 365000 -nodes -keyout server-key.pem -out server-req.pem
 //process the server key
 sudo openssl rsa -in server-key.pem -out server-key.pem
 //sign the server certificate
 sudo openssl x509 -req -in server-req.pem -days 365000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
 //verify you have server-cert.pem and server-key.pem
 //verify the certificate:
 openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
 //optionally - create the client certificate & key as described in source instruction. Not required for our needs.


 //***for the provider side***
 //need to place ca-cert.pem in the root dir of the application
 //configure Django to use SSL when connecting to mysql and point to the ca-cert.pem file
 nano settings.py
 //and add the folloiwng:

 DATABASES = {'default':  dj_database_url.config(default=os.environ['DATABASE_URL'])}
 DATABASES['default']['OPTIONS'] = { 'ssl': 
                                           {
                                              'ca': '/app/ca-cert.pem',
                                           }
                                   }
 //rebuild images and start the containers

 //***connect to the mariadb container and do the following:***
 //Note: this needs to be re-done any time the conatiner is re-built :-(
 mkdir /etc/mysql/ssl
 cd /etc/mysql
 //take ca-cert.pem, and server-*.pem files via scp
 scp <user>@<host>:<full path to file>
 //create a conf file for maria db:
 nano /etc/mysql/conf.d/50-server.cnf
 //and paste the following:

 [mysqld]
 ### MySQL Server ###
 ## Securing the Database with ssl option and certificates ##
 ## There is no control over the protocol level used. ##
 ##  mariadb will use TLSv1.0 or better.  ##
 ssl
 ssl-ca=/etc/mysql/ssl/ca-cert.pem
 ssl-cert=/etc/mysql/ssl/server-cert.pem
 ssl-key=/etc/mysql/ssl/server-key.pem

 //now we need to restart maria db, didn't find an elegant way, so i simply 'kill 1'.
 //this causes the container to crash. luckily docker-compose recycles the same container 
 //in case the docker-compose.yml file was not modified. so you end up with the same instance

 mysql
 SHOW VARIABLES LIKE '%ssl%';
 exit

 //Appendix
 //========

 //Great OpenID Connect overview:
 https://connect2id.com/learn/openid-connect

 //Useful docker commands
 //-----------------------
 //see running containers via:
 docker ps
 //connect to a container via:
 docker exec -it <cont_ID> bash
 //see container logs via:
 docker logs <cont_ID>
 //see all images via
 docker images
 //stop running containers
 docker stop <cont id/name>
 //get container details:
 docker inspect <cont ID/name>
 //removing images (force to re-build if doing any changes to Dockerfile)
 docker rmi [-f] <image id>
 //clean up docker env:
 docker system prune -a
 docker volume rm $(docker volume ls -f dangling=true -q)
	//Installing aiakos server via docker compose:
	//--------------------------------------------
	//prerequisites: make sure you have python 3.6 installed and pip3 & docker-compose installed
	git clone https://gitlab.com/aiakos/aiakos
	//modify the docker-compose.yml file:
	//change this for all services:
	DATABASE_URL=mysql://<docker container name of sql server>/accounts
	//specifically for the 'accounts' service:
	BASE_URL=http://<IP address of server, the way the user's browser can see it (not localhost)>:2121/
	//if you want to see Django errors nicely in the browser:
	DEBUG=1

	//launch it via:
	docker-compose up

	//Installing aiakos client via docker compose:
	//--------------------------------------------
	git clone https://gitlab.com/aiakos/example-client-django/tree/master
	//modify docker-compose.yml file:
	//change this for all services:
	DATABASE_URL=mysql://<client container name>/project
	AUTH_URL=http://ea1c25ed-2da9-4c82-a921-b87cff97b646:dummy@<IP of the aiakos server>:2121
	DATABASE_URL=mysql://<client mysql cont name>/project
	//specifically in 'project' service:
	//this is a must! otherwise the django will refuse the host name since it's not a valid host name (docker service name with '_')
	DEBUG=True
	ALLOWED_HOSTS=*


	//launch it via:
	docker-compose up

	//Using aiakos:
	//-------------
	1. connect to the server
	2. login using root/root
	3. MUST - generate an RSA private key in PEM format and add it
	3.1 openssl genrsa -out key.pem 2048
	4. Modify the callback URLs for the Localhost app - use IP of client that the user's browser can see.
	4. optionally - create additional users and applications. make sure to set the client_id in the AUTH_URL of the client
	5. connect to the client app
	6. you will be redirected to login page of server
	7. you can use the localhost/dummy credentials or one that you have created as admin
	8. you should see the client app with the user's ID

	//creating new applications:
	//---------------------------
	//In aiakos - the password of the user owning the application is used as the OPIDC secret.
	//so you need to create a new application, then create a new user and associate it with the application.
	//take the id and password of that user and put it in the AUTH_URL of the client. id is the client_id, password is the secret.
	//the format is: htttp://<client_id>:<secret>@<aiakos host_up/name>:<aiakos port>


	//Configure SSL for aiakos provider
	//----------------------------------

	//*On server side:*
	//generate a self-signed certificate
	openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/aiakos-selfsigned.key -out /etc/ssl/certs/aiakos-selfsigned.crt

	//copy the 2 files to the aiakos base library (where the Dockerfile is)
	//edit the Dockerfile and modify the command to:
	CMD ["gunicorn", "-k", "gevent", "--certfile=aiakos-selfsigned.crt", "--keyfile=aiakos-selfsigned.key", "-b", "[::]:80", "aiakos.wsgi"]
	//edit docker-compose.yml and modify the BASE_URL to https:
	BASE_URL=https://<host ip>:2121/

	//remove all docker images and re-build

	//*On client side*
	//copy the crt file from server machine to client machine's client base dir (where Dockerfile is)
	//create a trust_cert.sh, make it executable and put the following in it:
	//(the last line is probably not required, since aiakos client doesn't use openssl, but just in case)
	cp /app/aiakos-selfsigned.crt /etc/ssl/certs/
	cd /etc/ssl/certs
	ln -s aiakos-selfsigned.crt `openssl x509 -hash -noout -in aiakos-selfsigned.crt`.0

	//edit Dockerfile to invoke trust_cert.sh as the first RUN command in the file:
	RUN ./trust_cert.sh

	//since requests python module doesn't rely on openssl, it uses its own env var to locate the permitted certificates.
	//we need to set that in docker-compose.yml to point it to the crt file.
	//edit docker-compose.yml and add the following line under projects -> environment:
	- REQUESTS_CA_BUNDLE=/etc/ssl/certs/aiakos-selfsigned.crt
	//also change AUTH_URL for all 3 containers to use https

	//remove all images and re-build docker compose


	//Setting secure communication (TLS) between aiakos provider -> MariaDB
	//-------------------------------------------------------------------
	//source: https://www.cyberciti.biz/faq/how-to-setup-mariadb-ssl-and-secure-connections-from-clients/
	//As a best-practice, this process should be done in a docker-friendly way. I've tested it as a hack
	//by connecting to the running container and fetching the files into the container (+reload the mysql process)

	//*On the host machine* (since it's accessible to the mysql container) run the following:

	//create ca key
	sudo openssl genrsa 2048 > ca-key.pem
	//generate a certificate based on ca key
	sudo openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem
	//verify you have ca-cert.pem and ca-key.pem
	//create the server key file
	sudo openssl req -newkey rsa:2048 -days 365000 -nodes -keyout server-key.pem -out server-req.pem
	//process the server key
	sudo openssl rsa -in server-key.pem -out server-key.pem
	//sign the server certificate
	sudo openssl x509 -req -in server-req.pem -days 365000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
	//verify you have server-cert.pem and server-key.pem
	//verify the certificate:
	openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
	//optionally - create the client certificate & key as described in source instruction. Not required for our needs.


	//*for the provider side*
	//need to place ca-cert.pem in the root dir of the application
	//configure Django to use SSL when connecting to mysql and point to the ca-cert.pem file
	nano settings.py
	//and add the folloiwng:

	DATABASES = {'default': dj_database_url.config(default=os.environ['DATABASE_URL'])}
	DATABASES['default']['OPTIONS'] = { 'ssl':
	{
	'ca': '/app/ca-cert.pem',
	}
	}
	//rebuild images and start the containers

	//*connect to the mariadb container and do the following:*
	//Note: this needs to be re-done any time the conatiner is re-built :-(
	mkdir /etc/mysql/ssl
	cd /etc/mysql
	//take ca-cert.pem, and server-*.pem files via scp
	scp <user>@<host>:<full path to file>
	//create a conf file for maria db:
	nano /etc/mysql/conf.d/50-server.cnf
	//and paste the following:

	[mysqld]
	### MySQL Server ###
	## Securing the Database with ssl option and certificates ##
	## There is no control over the protocol level used. ##
	## mariadb will use TLSv1.0 or better. ##
	ssl
	ssl-ca=/etc/mysql/ssl/ca-cert.pem
	ssl-cert=/etc/mysql/ssl/server-cert.pem
	ssl-key=/etc/mysql/ssl/server-key.pem

	//now we need to restart maria db, didn't find an elegant way, so i simply 'kill 1'.
	//this causes the container to crash. luckily docker-compose recycles the same container
	//in case the docker-compose.yml file was not modified. so you end up with the same instance

	mysql
	SHOW VARIABLES LIKE '%ssl%';
	exit

	//Appendix
	//========

	//Great OpenID Connect overview:
	https://connect2id.com/learn/openid-connect

	//Useful docker commands
	//-----------------------
	//see running containers via:
	docker ps
	//connect to a container via:
	docker exec -it <cont_ID> bash
	//see container logs via:
	docker logs <cont_ID>
	//see all images via
	docker images
	//stop running containers
	docker stop <cont id/name>
	//get container details:
	docker inspect <cont ID/name>
	//removing images (force to re-build if doing any changes to Dockerfile)
	docker rmi [-f] <image id>
	//clean up docker env:
	docker system prune -a
	docker volume rm $(docker volume ls -f dangling=true -q)