@avigail-oron
Last active July 1, 2018 08:01
//Installing aiakos server via docker compose:
//--------------------------------------------
//prerequisites: make sure you have python 3.6, pip3 and docker-compose installed
git clone https://gitlab.com/aiakos/aiakos
//modify the docker-compose.yml file:
//change this for all services:
DATABASE_URL=mysql://<docker container name of sql server>/accounts
//specifically for the 'accounts' service:
BASE_URL=http://<IP address of server, the way the user's browser can see it (not localhost)>:2121/
//if you want to see Django errors nicely in the browser:
DEBUG=1
//launch it via:
docker-compose up
//Installing aiakos client via docker compose:
//--------------------------------------------
git clone https://gitlab.com/aiakos/example-client-django
//modify docker-compose.yml file:
//change this for all services:
DATABASE_URL=mysql://<client mysql container name>/project
AUTH_URL=http://ea1c25ed-2da9-4c82-a921-b87cff97b646:dummy@<IP of the aiakos server>:2121
//specifically in 'project' service:
//this is a must! otherwise Django will refuse the host name, since a docker service name (with '_') is not a valid host name.
//note that ALLOWED_HOSTS=* also switches off Host header validation altogether, so it only suits a local test setup
DEBUG=True
ALLOWED_HOSTS=*
//launch it via:
docker-compose up
//Using aiakos:
//-------------
1. connect to the server
2. login using root/root
3. MUST - generate an RSA private key in PEM format and add it to the server:
3.1 openssl genrsa -out key.pem 2048
4. modify the callback URLs for the Localhost app - use the IP of the client that the user's browser can see.
5. optionally - create additional users and applications. make sure to set the client_id in the AUTH_URL of the client
6. connect to the client app
7. you will be redirected to the login page of the server
8. you can use the localhost/dummy credentials or ones that you have created as admin
9. you should see the client app with the user's ID
//creating new applications:
//---------------------------
//In aiakos - the password of the user owning the application is used as the OIDC client secret.
//so you need to create a new application, then create a new user and associate it with the application.
//take the id and password of that user and put them in the AUTH_URL of the client. the id is the client_id, the password is the secret.
//the format is: http://<client_id>:<secret>@<aiakos host_ip/name>:<aiakos port>
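//Added example (not code from the aiakos project or its example client): a small parser for the AUTH_URL
//format above that splits it into client_id, secret, host and port, refuses values that lack the
//credential part, insists on https unless told otherwise, and produces a redacted copy that can go into
//logs. The client_id is the one from this gist; the IP address 192.0.2.10 is a constructed placeholder.

```python
from urllib.parse import urlsplit, urlunsplit

# Added example, not code from the aiakos project. AUTH_URL has the shape
# http(s)://<client_id>:<secret>@<host>:<port>; the secret is the owning user's password.


class AuthUrlError(ValueError):
    """Raised when AUTH_URL does not carry the parts the client needs."""


def parse_auth_url(auth_url, require_https=True):
    """Split AUTH_URL into its parts; raise AuthUrlError on malformed or insecure values."""
    parts = urlsplit(auth_url)
    if parts.scheme not in ("http", "https"):
        raise AuthUrlError("unsupported scheme %r" % parts.scheme)
    if require_https and parts.scheme != "https":
        # client_id and secret are sent in the Authorization header; plain http exposes them.
        raise AuthUrlError("AUTH_URL must use https")
    if parts.username is None or parts.password is None:
        raise AuthUrlError("AUTH_URL must embed <client_id>:<secret>@ before the host")
    if not parts.hostname:
        raise AuthUrlError("AUTH_URL has no host")
    default_port = 443 if parts.scheme == "https" else 80
    return {
        "scheme": parts.scheme,
        "client_id": parts.username,
        "secret": parts.password,
        "host": parts.hostname,
        "port": parts.port if parts.port is not None else default_port,
    }


def redact_auth_url(auth_url):
    """Return AUTH_URL with the secret replaced by '***', e.g. for log lines."""
    parts = urlsplit(auth_url)
    if parts.username is None:
        return auth_url
    netloc = "%s:***@%s" % (parts.username, parts.hostname)
    if parts.port is not None:
        netloc += ":%d" % parts.port
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


# Constructed sample: client_id from this gist, placeholder provider address.
SAMPLE_AUTH_URL = "https://ea1c25ed-2da9-4c82-a921-b87cff97b646:dummy@192.0.2.10:2121"

if __name__ == "__main__":
    print(parse_auth_url(SAMPLE_AUTH_URL))
    print(redact_auth_url(SAMPLE_AUTH_URL))
```

//Once the provider is switched to https (see the SSL section below), the default require_https=True is the
//setting to keep; pass require_https=False only for the plain-http development setup described first.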
//Configure SSL for aiakos provider
//----------------------------------
//***On server side:***
//generate a self-signed certificate
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/aiakos-selfsigned.key -out /etc/ssl/certs/aiakos-selfsigned.crt
//copy the 2 files to the aiakos base library (where the Dockerfile is)
//edit the Dockerfile and modify the command to:
CMD ["gunicorn", "-k", "gevent", "--certfile=aiakos-selfsigned.crt", "--keyfile=aiakos-selfsigned.key", "-b", "[::]:80", "aiakos.wsgi"]
//edit docker-compose.yml and modify the BASE_URL to https:
BASE_URL=https://<host ip>:2121/
//remove all docker images and re-build
//***On client side***
//copy the crt file from server machine to client machine's client base dir (where Dockerfile is)
//create a trust_cert.sh, make it executable and put the following in it:
//(the last line is probably not required, since aiakos client doesn't use openssl, but just in case)
cp /app/aiakos-selfsigned.crt /etc/ssl/certs/
cd /etc/ssl/certs
ln -s aiakos-selfsigned.crt `openssl x509 -hash -noout -in aiakos-selfsigned.crt`.0
//edit Dockerfile to invoke trust_cert.sh as the first RUN command in the file:
RUN ./trust_cert.sh
//the requests python module uses its own CA bundle rather than the system openssl certificate store,
//so it has its own env var to locate the permitted certificates.
//we need to set that in docker-compose.yml to point it to the crt file.
//edit docker-compose.yml and add the following line under the 'project' service -> environment:
- REQUESTS_CA_BUNDLE=/etc/ssl/certs/aiakos-selfsigned.crt
//also change AUTH_URL for all 3 containers to use https
//remove all images and re-build docker compose
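//Added example, not part of this gist or of the aiakos project: an audit of the docker-compose
//'environment' entries that the client section above switches on for local testing (DEBUG, ALLOWED_HOSTS=*,
//plain-http AUTH_URL/BASE_URL) and of the REQUESTS_CA_BUNDLE line the client needs once the provider serves
//https. The compose file itself is not parsed; the environment list of each service is passed in as the
//KEY=VALUE strings compose uses (a mapping is accepted too). Service names and the 192.0.2.10 address in the
//sample are constructed.

```python
# Added example, not the aiakos project's code. Flags the development-only settings
# from this guide and the missing CA bundle once AUTH_URL has been moved to https.


def parse_env(entries):
    """Turn a compose 'environment' block (list of KEY=VALUE strings or a mapping) into a dict."""
    if isinstance(entries, dict):
        return {k: ("" if v is None else str(v)) for k, v in entries.items()}
    env = {}
    for entry in entries:
        key, sep, value = entry.partition("=")
        if not sep:
            continue  # bare KEY inherits from the shell at 'docker-compose up' time; nothing to check
        env[key.strip()] = value.strip()
    return env


def audit_service(name, entries):
    """Return a list of (service, variable, reason) findings for one service."""
    env = parse_env(entries)
    findings = []
    if env.get("DEBUG", "").lower() in ("1", "true"):
        findings.append((name, "DEBUG",
                         "Django debug pages reveal settings and stack traces; set DEBUG=0 beyond a local test"))
    if env.get("ALLOWED_HOSTS") == "*":
        findings.append((name, "ALLOWED_HOSTS",
                         "wildcard turns off Host header validation; list the real host name instead"))
    for key in ("AUTH_URL", "BASE_URL"):
        url = env.get(key, "")
        if url.startswith("http://"):
            findings.append((name, key, "plain http: client secret and tokens travel unencrypted"))
    if env.get("AUTH_URL", "").startswith("https://") and "REQUESTS_CA_BUNDLE" not in env:
        findings.append((name, "REQUESTS_CA_BUNDLE",
                         "https AUTH_URL but no CA bundle: requests will reject the self-signed provider cert"))
    return findings


def audit_compose(services):
    """services: {service_name: environment entries}. Returns all findings across services."""
    findings = []
    for name, entries in services.items():
        findings.extend(audit_service(name, entries))
    return findings


# Constructed sample: the development configuration from this guide ...
DEV_SERVICES = {
    "project": [
        "DATABASE_URL=mysql://project_db/project",
        "AUTH_URL=http://ea1c25ed-2da9-4c82-a921-b87cff97b646:dummy@192.0.2.10:2121",
        "DEBUG=True",
        "ALLOWED_HOSTS=*",
    ],
}

# ... and the same service after the https switch, with debug settings reverted.
HARDENED_SERVICES = {
    "project": [
        "DATABASE_URL=mysql://project_db/project",
        "AUTH_URL=https://ea1c25ed-2da9-4c82-a921-b87cff97b646:dummy@192.0.2.10:2121",
        "DEBUG=0",
        "ALLOWED_HOSTS=client.example.test",
        "REQUESTS_CA_BUNDLE=/etc/ssl/certs/aiakos-selfsigned.crt",
    ],
}

if __name__ == "__main__":
    for label, services in (("dev", DEV_SERVICES), ("hardened", HARDENED_SERVICES)):
        for finding in audit_compose(services) or [(label, "-", "no findings")]:
            print(label, *finding)
```

//The REQUESTS_CA_BUNDLE check only fires once AUTH_URL is https: the bundle is irrelevant while the client
//still talks plain http, which is exactly the state the first half of this gist leaves it in.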
//Setting secure communication (TLS) between aiakos provider -> MariaDB
//-------------------------------------------------------------------
//source: https://www.cyberciti.biz/faq/how-to-setup-mariadb-ssl-and-secure-connections-from-clients/
//As a best practice, this process should be done in a docker-friendly way. I've tested it as a hack
//by connecting to the running container and fetching the files into the container (+reload the mysql process)
//***On the host machine*** (since it's accessible to the mysql container) run the following:
//create ca key
sudo openssl genrsa 2048 > ca-key.pem
//generate a certificate based on ca key
sudo openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem
//verify you have ca-cert.pem and ca-key.pem
//create the server key file
sudo openssl req -newkey rsa:2048 -days 365000 -nodes -keyout server-key.pem -out server-req.pem
//process the server key
sudo openssl rsa -in server-key.pem -out server-key.pem
//sign the server certificate
sudo openssl x509 -req -in server-req.pem -days 365000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
//verify you have server-cert.pem and server-key.pem
//verify the certificate:
openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
//optionally - create the client certificate & key as described in the source instructions. Not required for our needs;
//if you skip it, drop client-cert.pem from the verify command above, otherwise it fails on the missing file.
//***for the provider side***
//need to place ca-cert.pem in the root dir of the application
//configure Django to use SSL when connecting to mysql and point to the ca-cert.pem file
nano settings.py
//and add the following (os and dj_database_url must be imported at the top of settings.py):
import os
import dj_database_url

DATABASES = {'default': dj_database_url.config(default=os.environ['DATABASE_URL'])}
# make the MySQL client library use TLS and verify the server certificate against our CA
DATABASES['default']['OPTIONS'] = {
    'ssl': {
        'ca': '/app/ca-cert.pem',
    }
}
//rebuild images and start the containers
//***connect to the mariadb container and do the following:***
//Note: this needs to be re-done any time the container is re-built :-(
mkdir /etc/mysql/ssl
cd /etc/mysql
//fetch ca-cert.pem and the server-*.pem files into /etc/mysql/ssl via scp:
scp <user>@<host>:<full path to file> /etc/mysql/ssl/
//create a conf file for maria db:
nano /etc/mysql/conf.d/50-server.cnf
//and paste the following:
[mysqld]
### MySQL Server ###
## Securing the Database with ssl option and certificates ##
## There is no control over the protocol level used. ##
## mariadb will use TLSv1.0 or better. ##
ssl
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem
//now we need to restart MariaDB; I didn't find an elegant way, so I simply ran 'kill 1'.
//this causes the container to crash. luckily docker-compose recycles the same container
//as long as the docker-compose.yml file was not modified, so you end up with the same instance.
mysql
SHOW VARIABLES LIKE '%ssl%';
exit
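//Added example, not part of this gist or of MariaDB: a checker for the 50-server.cnf fragment above and for
//the SHOW VARIABLES LIKE '%ssl%' rows used to confirm the result. It parses the my.cnf-style text with
//Python's configparser (which accepts the bare 'ssl' line and the '#' comment lines), reports when the
//enabling line or one of the three paths is missing or points outside /etc/mysql/ssl, and maps the have_ssl
//value to a status. The sample config texts and variable rows are constructed.

```python
import configparser

# Added example, not part of the gist or of MariaDB. CERT_DIR is where this guide
# copies the PEM files; the check treats any other location as a likely mistake.
CERT_DIR = "/etc/mysql/ssl/"


def check_mysqld_tls(config_text):
    """Return (enabled, problems) for the [mysqld] section of a my.cnf-style text."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.read_string(config_text)
    if not cp.has_section("mysqld"):
        return False, ["no [mysqld] section"]
    sect = cp["mysqld"]
    problems = []
    # The bare 'ssl' line is what turns TLS on; the three paths alone change nothing.
    if "ssl" not in sect:
        problems.append("'ssl' option missing: server keeps accepting plaintext connections only")
    for key in ("ssl-ca", "ssl-cert", "ssl-key"):
        value = sect.get(key)
        if not value:
            problems.append("%s not set" % key)
        elif not value.startswith(CERT_DIR):
            problems.append("%s points outside %s; did the scp land in the right place?" % (key, CERT_DIR))
    return (not problems), problems


def tls_status(show_variables_rows):
    """Interpret SHOW VARIABLES LIKE '%ssl%' output given as (Variable_name, Value) pairs."""
    values = dict(show_variables_rows)
    have_ssl = values.get("have_ssl", "NO")
    if have_ssl == "YES":
        return "enabled"
    if have_ssl == "DISABLED":
        # Server was built with TLS but could not load the ssl-* files (path or permissions).
        return "configured but not active: check the certificate paths and file permissions"
    return "not available"


# Constructed sample: the config from this guide ...
GOOD_CNF = """[mysqld]
### MySQL Server ###
## Securing the Database with ssl option and certificates ##
ssl
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem
"""

# ... and a constructed variant where the enabling line was forgotten.
MISSING_SSL_CNF = """[mysqld]
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_CNF), ("missing ssl", MISSING_SSL_CNF)):
        print(label, check_mysqld_tls(text))
    print(tls_status([("have_openssl", "YES"), ("have_ssl", "YES")]))
```

//A have_ssl of DISABLED after the restart is the typical sign that the files under /etc/mysql/ssl were not
//found or not readable by the mysqld user, which is exactly what the re-done-after-rebuild note above is about.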
//Appendix
//========
//Great OpenID Connect overview:
https://connect2id.com/learn/openid-connect
//Useful docker commands
//-----------------------
//see running containers via:
docker ps
//connect to a container via:
docker exec -it <cont_ID> bash
//see container logs via:
docker logs <cont_ID>
//see all images via
docker images
//stop running containers
docker stop <cont id/name>
//get container details:
docker inspect <cont ID/name>
//removing images (force to re-build if doing any changes to Dockerfile)
docker rmi [-f] <image id>
//clean up docker env:
docker system prune -a
docker volume rm $(docker volume ls -f dangling=true -q)