add db user auth #59

Draft
wants to merge 5 commits into
base: main
2 changes: 2 additions & 0 deletions .env.example
Expand Up @@ -10,6 +10,8 @@ credentials_PGPASSWORD=rootpass
# auth
auth_ELIXIR_ID=XC56EL11xx
auth_ELIXIR_SECRET=wHPVQaYXmdDHg
auth_DB_PASSWORD=auth
auth_DB_USER=auth

# rabbitmq
rabbitmq_MQ_PASSWORD=test
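Review bot: The two new `auth_DB_*` entries carry no note that they are the values `scripts/make_credentials.sh` (extended by this same PR to provision `auth`) reads to create the database role, and `auth_DB_PASSWORD=auth` is identical to the username, so a reader cannot tell whether the pair is a placeholder or a contract. A comment above the pair would make the coupling visible, e.g. `# DB role for the auth service; created by scripts/make_credentials.sh from these two values`. The hunk adds no `auth_BROKER_PASSWORD`, which the credentials loop presumably also looks up for `auth` once it is in the list — confirm whether that is intended.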
3 changes: 3 additions & 0 deletions docker-compose-demo.yml
Expand Up @@ -12,6 +12,8 @@ services:
depends_on:
s3inbox:
condition: service_started
oidc:
condition: service_healthy
image: python:3.10-alpine
networks:
- secure
Expand Down Expand Up @@ -41,6 +43,7 @@ services:
image: python:3.10-slim
networks:
- public
- secure
ports:
- "8080:8080"
restart: always
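Review bot: `condition: service_healthy` on the new `oidc` dependency only works if the `oidc` service declares a `healthcheck`; that definition is outside the hunk, and without one Compose refuses to start the dependent service, so this is worth confirming. The second hunk's added `- secure` attaches a service that also publishes `"8080:8080"` on `public` to the internal network; presumably this is so the loader on `secure` can reach `https://oidc:8080` by service name as `scripts/load_data.sh` does, and a comment stating that would justify the wider reach, e.g. `# also on secure so the loader can resolve oidc by name`. The services these hunks belong to begin above the hunks, so their names are not visible here.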
27 changes: 16 additions & 11 deletions docker-compose.yml
Expand Up @@ -27,10 +27,14 @@ services:
auth:
container_name: auth
command: sda-auth
image: ghcr.io/neicnordic/sensitive-data-archive:v0.3.25
image: ghcr.io/neicnordic/sensitive-data-archive:PR1099
networks:
- secure
depends_on:
credentials:
condition: service_completed_successfully
postgres:
condition: service_healthy
environment:
- OIDC_ID=${auth_ELIXIR_ID}
- OIDC_PROVIDER=http://${DOCKERHOST:-localhost}:8080/oidc/
Expand All @@ -39,6 +43,8 @@ services:
- OIDC_REDIRECTURL=http://localhost:8085/oidc/login
- LOG_LEVEL=debug
- RESIGNJWT=false
- DB_PASSWORD=${auth_DB_PASSWORD}
- DB_USER=${auth_DB_USER}
extra_hosts:
- ${DOCKERHOST:-localhost}:host-gateway
- "host.docker.internal:host-gateway"
Expand All @@ -65,7 +71,7 @@ services:
interval: 5s
timeout: 20s
retries: 20
image: ghcr.io/neicnordic/sensitive-data-archive:v0.3.25-rabbitmq
image: ghcr.io/neicnordic/sensitive-data-archive:PR1099-rabbitmq
networks:
- secure
ports:
Expand All @@ -89,7 +95,7 @@ services:
interval: 5s
timeout: 20s
retries: 20
image: ghcr.io/neicnordic/sensitive-data-archive:v0.3.25-postgres
image: ghcr.io/neicnordic/sensitive-data-archive:PR1099-postgres
networks:
- secure
restart: always
Expand Down Expand Up @@ -139,10 +145,9 @@ services:
- DB_PASSWORD=${download_DB_PASSWORD}
- DB_USER=${download_DB_USER}
- OIDC_CONFIGURATION_URL=http://${DOCKERHOST:-dockerhost}:8080/oidc/.well-known/openid-configuration
- ARCHIVE_TYPE=s3seekable
extra_hosts:
- ${DOCKERHOST:-dockerhost}:host-gateway
image: harbor.nbis.se/gdi/sda-download:20240415
image: ghcr.io/neicnordic/sensitive-data-archive:PR1099-download
networks:
- public
- secure
Expand Down Expand Up @@ -173,7 +178,7 @@ services:
- BROKER_USER=${finalize_BROKER_USER}
- DB_PASSWORD=${finalize_DB_PASSWORD}
- DB_USER=${finalize_DB_USER}
image: ghcr.io/neicnordic/sensitive-data-archive:v0.3.25
image: ghcr.io/neicnordic/sensitive-data-archive:PR1099
networks:
- secure
restart: always
Expand All @@ -199,7 +204,7 @@ services:
- BROKER_USER=${ingest_BROKER_USER}
- DB_PASSWORD=${ingest_DB_PASSWORD}
- DB_USER=${ingest_DB_USER}
image: ghcr.io/neicnordic/sensitive-data-archive:v0.3.25
image: ghcr.io/neicnordic/sensitive-data-archive:PR1099
networks:
- secure
restart: always
Expand All @@ -225,7 +230,7 @@ services:
- BROKER_USER=${mapper_BROKER_USER}
- DB_PASSWORD=${mapper_DB_PASSWORD}
- DB_USER=${mapper_DB_USER}
image: ghcr.io/neicnordic/sensitive-data-archive:v0.3.25
image: ghcr.io/neicnordic/sensitive-data-archive:PR1099
networks:
- secure
restart: always
Expand All @@ -251,7 +256,7 @@ services:
- BROKER_USER=${verify_BROKER_USER}
- DB_PASSWORD=${verify_DB_PASSWORD}
- DB_USER=${verify_DB_USER}
image: ghcr.io/neicnordic/sensitive-data-archive:v0.3.25
image: ghcr.io/neicnordic/sensitive-data-archive:PR1099
networks:
- secure
restart: always
Expand Down Expand Up @@ -280,7 +285,7 @@ services:
- SERVER_JWTPUBKEYURL=http://${DOCKERHOST:-dockerhost}:8080/oidc/jwk
extra_hosts:
- ${DOCKERHOST:-dockerhost}:host-gateway
image: ghcr.io/neicnordic/sensitive-data-archive:v0.3.25
image: ghcr.io/neicnordic/sensitive-data-archive:PR1099
networks:
- public
- secure
Expand All @@ -297,7 +302,7 @@ services:
depends_on:
credentials:
condition: service_completed_successfully
image: ghcr.io/neicnordic/sensitive-data-archive:v0.3.25
image: ghcr.io/neicnordic/sensitive-data-archive:PR1099
networks:
- secure
restart: always
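Review bot: Every `image:` line in this section moves from the pinned release tag `v0.3.25` to `PR1099` (the `auth` hunk and likewise the hunks at `@@ -65,7 +71,7 @@`, `@@ -89,7 +95,7 @@`, `@@ -173,7 +178,7 @@`, `@@ -199,7 +204,7 @@`, `@@ -225,7 +230,7 @@`, `@@ -251,7 +256,7 @@`, `@@ -280,7 +285,7 @@` and `@@ -297,7 +302,7 @@`), and the `download` service additionally moves from `harbor.nbis.se/gdi/sda-download:20240415` to the same PR build. A per-PR tag is typically rebuilt on every push to that PR, so after this change the compose file no longer pins a reproducible image for any service. Before the PR leaves draft the tags should return to a release tag or be pinned by digest, e.g. `image: ghcr.io/neicnordic/sensitive-data-archive:<release-tag>@sha256:<digest>` (placeholders). The new `depends_on` on `postgres` with `service_healthy` is consistent with the healthcheck settings visible in the postgres hunk.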
13 changes: 10 additions & 3 deletions scripts/load_data.sh
@@ -1,10 +1,17 @@
#!/bin/sh
set -e

apk -q --no-cache add curl jq
apk -q --no-cache add curl jq postgresql-client

pip -q install s3cmd

token=$(curl -s -k https://oidc:8080/tokens | jq -r '.[0]')


hash=$(sed -n '2p' /shared/c4gh.pub.pem | base64 -d -w0 | xxd -c64 -p)
# insert a c4gh public key hash
PGPASSWORD=rootpass psql -U postgres -h postgres -d sda -At -c "INSERT INTO sda.encryption_keys(key_hash, description) VALUES('$hash', 'test key') ON CONFLICT DO NOTHING;"

FILES="htsnexus_test_NA12878.bam htsnexus_test_NA12878.bam.bai htsnexus_test_NA12878.bam.blocks.yaml htsnexus_test_NA12878.bam.gzi"
for file in ${FILES}; do
curl -s -L -o "$file" "https://github.com/umccr/htsget-rs/raw/main/data/bam/$file"
Expand Down Expand Up @@ -44,7 +51,7 @@ for file in ${FILES}; do
jq -r -c -n \
--arg type ingest \
--arg user [email protected] \
--arg filepath dummy_gdi.eu/"$file.c4gh" \
--arg filepath "$file.c4gh" \
--argjson encrypted_checksums "$encrypted_checksums" \
'$ARGS.named|@base64'
)
Expand Down Expand Up @@ -107,7 +114,7 @@ for file in ${FILES}; do
jq -r -c -n \
--arg type accession \
--arg user [email protected] \
--arg filepath dummy_gdi.eu/"$file.c4gh" \
--arg filepath "$file.c4gh" \
--arg accession_id "FILE000000$I" \
--argjson decrypted_checksums "$(echo "$MSG"| jq -r '.payload|fromjson|.decrypted_checksums|tostring')" \
'$ARGS.named|@base64'
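Review bot: The new `psql` line hard-codes the superuser password inline (`PGPASSWORD=rootpass psql -U postgres -h postgres -d sda …`), duplicating the value `.env.example` keeps in `credentials_PGPASSWORD`, so a rotated password silently breaks this step and the literal now lives in the script. Read it from the environment instead, e.g. `PGPASSWORD="${PGPASSWORD:?PGPASSWORD not set}" psql -U postgres -h postgres -d sda -At -c "…"`, passing the variable through the loader service's `environment:` block; whether that service already receives it is not visible here. A comment noting that `sed -n '2p'` assumes a specific layout of `/shared/c4gh.pub.pem` (the key is expected on line 2) would also help, since a different PEM wrapping would insert a wrong hash without any error. The `for file` loop opened at the end of the first hunk continues outside it.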
2 changes: 1 addition & 1 deletion scripts/make_credentials.sh
Expand Up @@ -10,7 +10,7 @@ apt-get -o DPkg::Lock::Timeout=60 install -y curl jq postgresql-client openssl >
pip install --upgrade pip > /dev/null
pip install aiohttp Authlib joserfc requests > /dev/null

for n in download finalize inbox ingest mapper sync verify; do
for n in api auth download finalize inbox ingest mapper sync verify; do
echo "creating credentials for: $n"
db_password=$(eval echo \$$n"_DB_PASSWORD")
mq_password=$(eval echo \$$n"_BROKER_PASSWORD")
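Review bot: Adding `api` and `auth` to the list means `db_password=$(eval echo \$$n"_DB_PASSWORD")` and the `_BROKER_PASSWORD` lookup now run for names whose variables may be unset — the `.env.example` hunk in this PR adds `auth_DB_PASSWORD`/`auth_DB_USER` but no `auth_BROKER_PASSWORD` and nothing for `api` — and `eval echo` on an unset variable yields an empty string, so the role would presumably be created with an empty password (the loop body continues outside the hunk). Fail fast after the two assignments, e.g. `[ -n "$db_password" ] || { echo "missing ${n}_DB_PASSWORD" >&2; exit 1; }` and the same check for `mq_password`. The `eval` is POSIX-sh indirection and is safe only while `n` comes from the literal list in the `for` line, which is worth stating in a comment: `# indirect lookup of ${n}_DB_PASSWORD; n is taken only from the literal list above`.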