From dddc96ae956ca603cb853a25fcb65547f59dd4ae Mon Sep 17 00:00:00 2001
From: Mirko Mollik
Date: Wed, 8 May 2024 22:22:33 +0200
Subject: [PATCH] migrate missing files

Signed-off-by: Mirko Mollik
---
 .env.example | 33 +++++
 LICENSE | 201 +++++++++++++++++++++++++++++++
 apps/holder-backend/Dockerfile | 1 +
 apps/issuer-backend/Dockerfile | 1 +
 apps/verifier-backend/Dockerfile | 1 +
 docs/development.md | 49 ++++++++
 docs/repo-strucutre.md | 10 ++
 docs/running-docker.md | 59 +++++++++
 package.json | 8 +-
 9 files changed, 360 insertions(+), 3 deletions(-)
 create mode 100644 .env.example
 create mode 100644 LICENSE
 create mode 100644 docs/development.md
 create mode 100644 docs/repo-strucutre.md
 create mode 100644 docs/running-docker.md

diff --git a/.env.example b/.env.example
new file mode 100644
index 00000000..803491af
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,33 @@
+# Keycloak config
+## Keycloak settings
+KEYCLOAK_ADMIN=admin
+KEYCLOAK_ADMIN_PASSWORD=admin
+KEYCLOAK_HOSTNAME_URL=http://localhost:8080
+
+## PostgreSQL settings for keycloak
+KC_POSTGRES_HOST=postgres
+KC_POSTGRES_DB=keycloak
+KC_POSTGRES_USER=keycloak
+KC_POSTGRES_PASSWORD=admin_password_keycloak_postgres
+
+# Backend
+## Keycloak config
+KEYCLOAK_AUTH_URL=http://localhost:8080
+#KEYCLOAK_AUTH_URL=http://keycloak:8080
+KEYCLOAK_REALM=wallet
+KEYCLOAK_CLIENT_ID=browser
+
+# DB config
+## use the docker compose service name as the host name
+DB_HOST=localhost
+DB_PORT=5432
+DB_NAME=postgres
+DB_USERNAME=postgres
+DB_PASSWORD=admin_password_postgres
+
+#issuer
+ISSUER_BASE_URL=http://localhost:3001
+ISSUER_PORT=3001
+
+#verifier
+VERIFIER_BASE_URL=http://localhost:3002
\ No newline at end of file
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 00000000..261eeb9e
--- /dev/null
+++ b/LICENSE
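Review bot: The example ships working-looking credentials — `KEYCLOAK_ADMIN_PASSWORD=admin`, `KC_POSTGRES_PASSWORD=...` and `DB_PASSWORD=...` — with nothing marking them as development-only, and `docs/running-docker.md` in this same commit tells users to copy the file to `.env` and "modify the values if required", so a compose stack comes up with Keycloak admin/admin unless someone decides otherwise. A header comment such as `# Development defaults only: replace KEYCLOAK_ADMIN_PASSWORD, KC_POSTGRES_PASSWORD and DB_PASSWORD before exposing any service beyond localhost` would make that explicit, and leaving the password values empty so compose fails fast would be safer than starting with known credentials. The file also omits the `KM_TYPE`, `VAULT_URL` and `VAULT_TOKEN` variables that `docs/running-docker.md` says are set in the root `.env`, and `VERIFIER_PORT` has no counterpart to `ISSUER_PORT`; if the services read those, they belong here (commented out if optional) so the example stays the single source for the compose setup.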
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/apps/holder-backend/Dockerfile b/apps/holder-backend/Dockerfile
index 0a8f1377..5d7f5c56 100644
--- a/apps/holder-backend/Dockerfile
+++ b/apps/holder-backend/Dockerfile
@@ -5,6 +5,7 @@ RUN apk add --no-cache libc6-compat
 WORKDIR /usr/src/app
 COPY dist/apps/holder-backend/package*.json ./
 COPY dist/apps/holder-backend/pnpm-lock.yaml ./
+COPY patches ./patches
 RUN npm install -g pnpm@8.15.8
 RUN pnpm install --prod
diff --git a/apps/issuer-backend/Dockerfile b/apps/issuer-backend/Dockerfile
index 0a8f1377..5d7f5c56 100644
--- a/apps/issuer-backend/Dockerfile
+++ b/apps/issuer-backend/Dockerfile
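Review bot: `RUN pnpm install --prod` on the line after the added `COPY patches ./patches` runs without `--frozen-lockfile`, so if the copied `pnpm-lock.yaml` disagrees with `package.json` or with the `patchedDependencies` entry this commit's package.json points at (`patches/@sphereon__pex@3.3.3.patch`), pnpm re-resolves versions inside the image instead of failing the build; `RUN pnpm install --prod --frozen-lockfile` makes the image reproducible and turns a stale lockfile into a build error. The image also pins `pnpm@8.15.8` while `docs/development.md` in this same commit requires pnpm v9 — a lockfile written by pnpm 9 uses a lockfile format pnpm 8 does not read, so the two should be aligned, though which is the intended version cannot be told from the hunk. Whether `patches` here resolves to the repo-root directory depends on the compose build context, which is outside this hunk.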
@@ -5,6 +5,7 @@ RUN apk add --no-cache libc6-compat
 WORKDIR /usr/src/app
 COPY dist/apps/holder-backend/package*.json ./
 COPY dist/apps/holder-backend/pnpm-lock.yaml ./
+COPY patches ./patches
 RUN npm install -g pnpm@8.15.8
 RUN pnpm install --prod
diff --git a/apps/verifier-backend/Dockerfile b/apps/verifier-backend/Dockerfile
index 0a8f1377..5d7f5c56 100644
--- a/apps/verifier-backend/Dockerfile
+++ b/apps/verifier-backend/Dockerfile
@@ -5,6 +5,7 @@ RUN apk add --no-cache libc6-compat
 WORKDIR /usr/src/app
 COPY dist/apps/holder-backend/package*.json ./
 COPY dist/apps/holder-backend/pnpm-lock.yaml ./
+COPY patches ./patches
 RUN npm install -g pnpm@8.15.8
 RUN pnpm install --prod
diff --git a/docs/development.md b/docs/development.md
new file mode 100644
index 00000000..7b59e40c
--- /dev/null
+++ b/docs/development.md
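Review bot: Both the issuer-backend and verifier-backend Dockerfiles copy `dist/apps/holder-backend/package*.json` and `dist/apps/holder-backend/pnpm-lock.yaml`, and the identical blob ids `0a8f1377..5d7f5c56` on all three Dockerfiles confirm the files are byte-for-byte copies of the holder one, so the issuer and verifier images install the holder's dependency set rather than their own — anything only in the issuer or verifier manifest is missing at runtime while holder-only packages are shipped unnecessarily. The two COPY lines should read `COPY dist/apps/issuer-backend/package*.json ./` / `COPY dist/apps/issuer-backend/pnpm-lock.yaml ./` and the verifier equivalents, assuming the build emits per-app manifests there as the holder path suggests. Those lines are context in this hunk, but the commit touches these files and is the natural place to fix the copy-paste.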
@@ -0,0 +1,49 @@
+# Development
+
+## Requirements
+- node v20 (https://nodejs.org/en/download/package-manager)
+- pnpm v9
+- enabled corepack via `corepack enable` (comes with node)
+
+
+### Keycloak (OIDC provider)
+to manage the user accounts from the cloud wallet, an OIDC provider is required. This repository offers a self hosted keycloak instance that you can use. It's a basic setup without a customized registration flow, so the user registers only with an email and password. Password reset is also possible via email, but the smtp credentials have to be set in the keycloak settings manually.
+
+The realm is located in the `config/keycloak/realm-export.json` file. In case you want to use another keycloak instance, you can import the realm there. It should also be possible to use any other OIDC system.
+
+In the default realm settings, there is no restriction to the origin of the requests and registration is open for everyone. There is also no implementation of keycloak or cloud wallet events like creating or deleting a user object.
+
+Webauthn is implemented, but not configured for the registration. It can be added via settings page in the wallets. The primary authentication method is the password, since we do not want to rely on just one device for login for now.
+
+## Development
+To install all dependencies, run `pnpm install` in the root folder.
+
+Each app has its own `package.json` with specific jobs. In the root folder is one `package.json` with global jobs like `build`, `clean` and `lint`.
+
+The command `pnpm run -r init` will generate `.env` files for each app based on the example file. Applications inside the `apps` folder will not use the `.env` file in the root folder, this is only for the docker-compose setup. Instead use the `.env` files in the apps folder. In case it's an angular application, use the config file in the `assets/config` folder.
+
+## Issuer
+The issuer app is a rest api, supporting the oid4vci protocol.
Right now there is only one demo credential available. Start the issuer with `pnpm run dev`. Don't forget to have an `.env` file in the folder to configure the application, it will not use the `.env` file in the root folder.
+
+## Verifier
+The verifier app is a rest api, supporting the oid4vp protocol. The verifier can verify the demo credential from the issuer. Start the verifier with `pnpm run dev`. Don't forget to have an `.env` file in the folder to configure the application, it will not use the `.env` file in the root folder.
+
+## Wallet clients
+This repository includes two clients. One is a progressive web app, the other one is a chrome browser extension. Both are managed via angular and share the same code base.
+
+Since the backend is following the openAPI specification, an SDK to interact with it can be generated by running `pnpm run api`. To run this command, Java needs to be installed on the system.
+
+### PWA Client
+The command `pnpm run start:pwa` will run the application in the watch mode. It will start a web server on `localhost:4200` and reload when you changed the code. The configuration is managed in the `assets/config` folder. This approach allows a dynamic config since it can be mounted into the docker container without the need of recompiling it.
+
+### Browser Plugin
+The command `pnpm run start:extension` in the `holder` folder will watch on the build files. To use this plugin in the chrome browser during development, go to `chrome://extensions/` and enable developer mode. Then click on `Load unpacked` and select the `dist/browser-extension` folder in the `browser-extension` folder. To get the updates active, you need to reopen the plugin in the browser (hitting refresh on the plugin page is not required).
+
+Angular is using the webpack compiler instead of the modern esbuild. This is required since we need to build multiple file like the main and background file and right now it is not possible to pass a custom esbuild config to angular.
+
+To build the plugin for production, run `pnpm run build:extension`. The output will be in the `dist/browser-extension` folder like the start command, but the files are minified and optimized for production.
+
+## Backend
+All endpoints are available via the `http://localhost:3000` address. A swagger endpoint is available at `http://localhost:3000/api` where you can authenticate with your keycloak user credentials. Don't forget to have an `.env` file in the folder to configure the application, it will not use the `.env` file in the root folder.
+
+You can either use a postgres or sqlite database. In case of using postgres, there is one defined in the `docker-compose.yml` in the root folder. Don't forget to sync the credentials in the root `.env` file and the one in the backend folder to get a successful connection.
\ No newline at end of file
diff --git a/docs/repo-strucutre.md b/docs/repo-strucutre.md
new file mode 100644
index 00000000..98d3c9c4
--- /dev/null
+++ b/docs/repo-strucutre.md
@@ -0,0 +1,10 @@
+# Repo structure
+
+The repository is structured as follows:
+- `.github` includes specific GitHub actions workflows.
+- `.vscode` includes specific settings for Visual Studio Code.
+- `apps` includes all applications.
+- `config` includes configuration files to run the docker containers. Each container has its own subfolder.
+- `docker` includes Dockerfiles to build the docker images. Dockerfiles also include the build part so no pre compiled code is injected from a previous step.
+- `docs` includes documentation for this repository.
+- `patches` includes patches for specific dependencies.
\ No newline at end of file
diff --git a/docs/running-docker.md b/docs/running-docker.md
new file mode 100644
index 00000000..3287822f
--- /dev/null
+++ b/docs/running-docker.md
@@ -0,0 +1,59 @@
+# Running Docker images
+To run the docker compose setup, copy the `.env.example` to `.env` in the root folder. Modify the values if required.
+
+## Building containers
+Running `docker compose build` will build the images locally. This is required if you want to run your modified apps. The typescript code gets compiled during the image build process, so there is no need to run `pnpm install` or any other build command before this.
+
+## Configs
+The configuration of the pwa client is mounted from the `config/holder/config.js` file, this allows to change the endpoints to the different services without the need to recompile the app.
+
+## Known limitations
+right now running it locally via docker can cause some problems since `localhost` is used to interact with some services.
+
+## Vault
+To secure your keys, you are able to use [vault by hashicorp](https://developer.hashicorp.com/vault), otherwise the keys are either stored in the filesystem for the issuer and verifier or in the unencrypted database for the wallet.
+
+You are able to run vault via docker with the following command:
+```bash
+docker compose up -d vault
+```
+This will spin up a vault instance in dev mode and will not persist the keys after a restart. In the `.env` in the root folder, you can set a token you need for authentication.
+
+### Using in the cloud wallet
+
+Configure the environment variables in the `.env` to tell the service to use vault:
+```env
+KM_TYPE=vault
+VAULT_URL=http://localhost:8200/v1/transit
+VAULT_TOKEN=root
+```
+The server does not support multiple key management systems in parallel and also no import or export feature. So decide at the beginning which type of key management you want to use.
+
+TODO: we also need key management for the accounts to support multiple keys, because right now we use the user-id for the key reference, so each user is only able to store one key. We need a mapping table for the keys and the user-id.
+
+### Using in the issuer and verifier
+
+TODO: not implemented yet.
+
+### Production use
+Update the docker container like this:
+```yaml
+ vault:
+ image: 'hashicorp/vault:1.16'
+ restart: unless-stopped
+ healthcheck:
+ test: ['CMD', 'vault', 'status']
+ interval: 30s
+ timeout: 10s
+ retries: 3
+ start_period: 2m
+ volumes:
+ - vault-storage:/vault/file:rw
+ - ./config/vault:/vault/config:rw
+ ports:
+ - '8200:8200'
+ environment:
+ VAULT_ADDR: http://127.0.0.1:8200
+ entrypoint: vault server -config=/vault/config/config.hcl
+```
+Get familiar with the [vault deployment guide](https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-deploy). This current documentation is not fully covered to run vault in production!
\ No newline at end of file
diff --git a/package.json b/package.json
index 60c6087b..fefc7676 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,9 @@
 {
 "name": "@my-wallet/source",
- "version": "0.0.0",
- "license": "MIT",
+ "version": "1.0.0",
+ "license": "Apache-2.0",
+ "description": "A monorepo including multiple apps for SSI",
+ "author": "Mirko Mollik ",
 "scripts": {},
 "private": true,
 "engines": {
@@ -122,4 +124,4 @@
 "@sphereon/pex@3.3.3": "patches/@sphereon__pex@3.3.3.patch"
 }
 }
-}
\ No newline at end of file
+}