First public revision

.gitignore

@@ -0,0 +1,5 @@
+# Avoid secrets
+*.pem
+secrets/*.txt
+*.jar
+*.class

.gitmodules

@@ -0,0 +1,9 @@
+[submodule "frontend/CovidCode-UI"]
+	path = frontend/CovidCode-UI
+	url = https://github.com/admin-ch/CovidCode-UI.git
+[submodule "authcodews/CovidCode-Service"]
+	path = authcodews/CovidCode-Service
+	url = https://github.com/admin-ch/CovidCode-Service.git
+[submodule "backendws/dp3t-sdk-backend"]
+	path = backendws/dp3t-sdk-backend
+	url = https://github.com/DP-3T/dp3t-sdk-backend.git

Makefile

@@ -0,0 +1,10 @@
+
+#tag := $(shell git rev-parse --abbrev-ref HEAD)
+tag := latest
+
+build:
+	docker build -t stayawayinesctec/dp3t-backendws:$(tag) ./backendws
+	docker build -t stayawayinesctec/dp3t-authcodews:$(tag) ./authcodews
+	docker build -t stayawayinesctec/dp3t-keycloak:$(tag) ./keycloak
+	docker build -t stayawayinesctec/dp3t-frontend:$(tag) ./frontend
+

README.md

@@ -0,0 +1,64 @@
+# dp3t-docker
+
+This is a self-contained distribution of Decentralized Privacy-Preserving Proximity Tracing (DP^3T) server components, including the CovidCode health authority code generation UI and service, packaged with Docker and orchestrated with docker-compose or Swarm. It allows you to quickly setup a server environment to test the DP^3T mobile applications.
+
+**DISCLAIMER:** This is for testing purposes only. Don't use this in a public network.
+
+## Quick start
+
+First, create the secret keys and admin password with:
+
+    make -C secrets
+
+You may now edit `docker-compose.yml` to create a regular user for testing, if needed. (You can also connect to http://localhost:8180 later to create users in the `bag-pts` realm and add them to group `bag-pts-allowed`.)
+
+To deploy the server cluster on localhost run:
+
+    docker-compose up
+
+then connect to https://localhost for the public interface. Login, generate a code, and use it as follows:
+
+    ./tests/post.sh 2020-05-21 123 123 123 123
+
+giving the correct data and code. To list exposed buckets for today use:
+
+    ./tests/get.sh
+
+## Building
+
+Check-out the project with:
+
+    git clone --recurse-submodules https://github.com/stayawayinesctec/dp3t-docker
+
+or just add the submodules to an existing clone with:
+
+    git submodule update --init
+
+Build all images with:
+
+    docker-compose build
+
+## Customization
+
+This project is hardcoded for https://localhost. If you want to use something else, just find and replace https://localhost everywhere before rebuilding it, namely:
+
+    ./frontend/environment.prod.ts
+    ./frontend/Caddyfile
+    ./authcodews/application.yml
+    ./keycloak/create.sh
+    ./tests/get.sh
+    ./tests/post.sh
+
+Many parameters of each web-service can be changed in application properties files in `./authcodews` and `./backendws`.
+
+Secrets (keys and passwords) are managed as volumes mounted from the `./secrets` folder. You cam also opt to deploy in swarm-mode using `docker-compose-swarm.yml` after loading secrets with:
+
+    make -C secrets load
+
+## More information
+
+The DP3T project is available at: https://github.com/DP-3T
+
+The CovidCode service and UI are available at: https://github.com/admin-ch
+
+This setup has been packaged by the [STAYAWAY team](https://stayaway.inesctec.pt) at [INESCTEC](https://inesctec.pt). It is available at https://github.com/stayawayinesctec/dp3t-docker

authcodews/.dockerignore

@@ -0,0 +1,2 @@
+.git
+.gitignore

authcodews/Dockerfile

@@ -0,0 +1,22 @@
+FROM openjdk:11 AS build
+
+RUN apt-get update && apt-get install -y maven
+WORKDIR /build/
+COPY CovidCode-Service /build
+RUN mvn package -Dmaven.test.skip=true
+
+FROM openjdk:11.0.7-jre-slim
+
+RUN useradd app
+WORKDIR /app/
+
+COPY --from=build /build/target/ha-authcode-generation-service.jar .
+COPY ./logback.xml ./application.yml /app/
+RUN chown -R app:app /app
+
+COPY entrypoint.sh /app
+
+USER app
+EXPOSE 8113
+
+ENTRYPOINT /app/entrypoint.sh

authcodews/application.yml

@@ -0,0 +1,147 @@
+info:
+    build:
+        artifact: '@project.artifactId@'
+        description: '@project.description@'
+        name: '@project.name@'
+        version: '@project.version@'
+logging:
+  level:
+    ch:
+      admin:
+        bit:
+          jeap: DEBUG
+        bag: DEBUG
+    io:
+      swagger:
+        models:
+          parameters:
+            AbstractSerializableParameter: ERROR
+    org:
+      hibernate: ERROR
+      springframework:
+        security:
+          authentication:
+            event:
+              LoggerListener: ERROR
+          oauth2:
+            server:
+              resource:
+                web:
+                  BearerTokenAuthenticationFilter: INFO
+        web:
+          servlet:
+            resource:
+              ResourceHttpRequestHandler: INFO
+          filter:
+            CommonsRequestLoggingFilter: INFO
+    springfox:
+      documentation:
+        spring:
+          web:
+            readers:
+              operation:
+                CachingOperationNameGenerator: ERROR
+  pattern:
+    level: '[%X{correlationId}] %5p'
+  config: classpath:logback-spring.xml
+  file:
+    name: log.log
+server:
+    port: 8113
+    servlet:
+        context-path: /
+spring:
+    application:
+        name: ha-authcodegeneration
+    profiles:
+        active: jwt
+    datasource:
+        type: com.zaxxer.hikari.HikariDataSource
+        driver-class-name: org.postgresql.Driver
+        url: ${DB_URL}
+        username: ${DB_USER}
+        password: ${DB_PASSWORD}
+        hikari:
+            maximum-pool-size: 10
+            pool-name: hikari-cp-${spring.application.name}
+    jpa:
+        hibernate:
+            ddl-auto: validate
+        properties:
+            hibernate:
+                dialect: org.hibernate.dialect.PostgreSQL10Dialect
+        show-sql: false
+        open-in-view: false
+    flyway:
+        enabled: true
+        clean-on-validation-error: false
+        locations: classpath:db/migration/common
+
+    messages:
+        basename: mail-messages,validation-messages
+        encoding: UTF-8
+        fallback-to-system-locale: false
+
+    servlet:
+        multipart:
+            max-file-size: 10MB
+            max-request-size: 10MB
+    session:
+        store-type: none
+    data:
+        rest:
+            base-path: /
+            max-page-size: 100
+            default-page-size: 20
+    main:
+        banner-mode: off
+
+management:
+  endpoints:
+    web:
+      exposure:
+        include: '*'
+  endpoint:
+    jolokia:
+      enabled: true
+    health:
+      show-details: always
+    flyway:
+      enabled: true
+
+authcodegeneration:
+    rest:
+        connectTimeoutSeconds: 5
+        readTimeoutSeconds: 5
+    service:
+        keycloak:
+            uri: https://localhost
+            realm: "bag-pts"
+            masterPassword: admin
+            clientSecret: secret
+        callCountLimit: 1
+        codeExpirationDelay: 1440
+        deletionCron: "0 30 1 * * ?"
+        onsetSubtractionDays: 3
+        minSleepTime: 3
+        maxSleepTime: 8
+    monitor:
+        prometheus:
+            user: "prometheus"
+            password: "{noop}secret"
+            secure: false
+    jwt:
+        issuer: "https://localhost"
+        token-validity: 300000
+        privateKey: ${JWTTOKEN_PRIVATE}
+jeap:
+  security:
+    oauth2:
+      resourceserver:
+        authorization-server:
+          issuer: "https://localhost/auth/realms/bag-pts"
+          jwk-set-uri: "http://keycloak:8080/auth/realms/bag-pts/protocol/openid-connect/certs"
+
+ha-authcode-generation-service:
+    allowed-origin: "https://localhost"
+

authcodews/entrypoint.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+	local var="$1"
+	local fileVar="${var}_FILE"
+	local def="${2:-}"
+	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+		echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+		exit 1
+	fi
+	local val="$def"
+	if [ "${!var:-}" ]; then
+		val="${!var}"
+	elif [ "${!fileVar:-}" ]; then
+		val="$(< "${!fileVar}")"
+	fi
+	export "$var"="$val"
+	unset "$fileVar"
+}
+
+file_env JWTTOKEN_PRIVATE
+file_env DB_USER
+file_env DB_PASSWORD
+
+exec java -jar $JAVA_OPTS -Dlogging.config=/app/logback.xml -Dspring.config.location=/app/application.yml /app/ha-authcode-generation-service.jar

authcodews/logback.xml

@@ -0,0 +1,85 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration scan="true">
+    <include resource="org/springframework/boot/logging/logback/defaults.xml"/>
+    <springProperty scope="context" name="app" source="spring.application.name"/>
+    <springProperty scope="context" name="withBootAdmin" source="spring.boot.admin.client.enabled"/>
+
+    <appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
+        <encoder>
+            <charset>UTF-8</charset>
+            <Pattern>%d %highlight(%-5level) [${app},%X{X-B3-TraceId:-}] %cyan(%logger{35}) - %msg %marker%n</Pattern>
+        </encoder>
+    </appender>
+    <appender name="JSON" class="ch.qos.logback.core.ConsoleAppender">
+        <encoder class="net.logstash.logback.encoder.LoggingEventCompositeJsonEncoder">
+            <providers>
+                <timestamp/>
+                <context/>
+                <loggerName>
+                    <fieldName>logger</fieldName>
+                    <shortenedLoggerNameLength>20</shortenedLoggerNameLength>
+                </loggerName>
+                <logLevel/>
+                <tags/>
+                <threadName/>
+                <mdc/>
+                <arguments/>
+                <logstashMarkers/>
+                <stackHash>
+                    <fieldName>exception-hash</fieldName>
+                </stackHash>
+                <stackTrace>
+                    <fieldName>exception</fieldName>
+                    <throwableConverter class="net.logstash.logback.stacktrace.ShortenedThrowableConverter">
+                        <maxDepthPerThrowable>40</maxDepthPerThrowable>
+                        <maxLength>4096</maxLength>
+                        <shortenedClassNameLength>20</shortenedClassNameLength>
+                        <rootCauseFirst>true</rootCauseFirst>
+                        <exclude>sun\.reflect\..*\.invoke.*</exclude>
+                    </throwableConverter>
+                </stackTrace>
+                <message/>
+            </providers>
+        </encoder>
+    </appender>
+
+    <springProfile name="cloud">
+
+        <appender name="FILE" class="ch.qos.logback.core.rolling.RollingFileAppender">
+            <file>log.log</file>
+            <rollingPolicy class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy">
+                <fileNamePattern>log.log.%i</fileNamePattern>
+                <minIndex>1</minIndex>
+                <maxIndex>3</maxIndex>
+            </rollingPolicy>
+            <triggeringPolicy class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy">
+                <MaxFileSize>2MB</MaxFileSize>
+            </triggeringPolicy>
+            <encoder>
+                <charset>UTF-8</charset>
+                <Pattern>%d %highlight(%-5level) [${app},%X{X-B3-TraceId:-}] %cyan(%logger{35}) - %msg %marker%n</Pattern>
+            </encoder>
+        </appender>
+
+        <root level="INFO">
+            <appender-ref ref="JSON"/>
+            <if condition='isDefined("withBootAdmin")'>
+                <then>
+                    <if condition='property("withBootAdmin").equalsIgnoreCase("true")'>
+                        <then>
+                            <appender-ref ref="FILE"/>
+                        </then>
+                    </if>
+                </then>
+            </if>
+        </root>
+    </springProfile>
+
+
+
+    <springProfile name="!cloud">
+        <root level="INFO">
+            <appender-ref ref="CONSOLE"/>
+        </root>
+    </springProfile>
+</configuration>