added navet service

SUNET · Oct 11, 2024 · e2f727d · e2f727d
1 parent 63da45a
commit e2f727d
Show file tree

Hide file tree

Showing 5 changed files with 123 additions and 0 deletions.
diff --git a/eduid-navet-service/etc/kommun-a.p12 b/eduid-navet-service/etc/kommun-a.p12
diff --git a/eduid-navet-service/etc/navet-service.properties b/eduid-navet-service/etc/navet-service.properties
@@ -0,0 +1,29 @@
+# Basic configuration
+host = 0.0.0.0
+port = 8080
+
+# Organisation configuration
+organisationNumber = 162021004748
+orderIdentity = 00000079-FO01-0001
+
+# Servlet configuration
+apiRootPath = /*
+apiPackagesPath = se.sunet.navet.service.api
+
+# Jetty SSL configuration
+https = false
+jettyKeyStorePath = /path/to/keystore.jks
+jettyKeyStorePassword = secret
+jettyKeyManagerPassword = secret
+
+# navetclient services and SSL configuration
+wsBaseEndpoint = https://www2.test.skatteverket.se/na/na_epersondata/V4
+navetKeyStorePath = /opt/eduid/eduid-navet-service/run/kommun-a.p12
+navetKeyStorePassword = 4611510421732432
+navetTrustStorePath = /opt/eduid/eduid-navet-service/run/truststore.jks
+navetTrustStorePassword = abc123
+
+# BasicAuth configuration
+basicAuth = false
+hashLoginServiceRealm = localhost
+hashLoginServiceProperties = /path/to/realm.properties
diff --git a/eduid-navet-service/etc/start.sh b/eduid-navet-service/etc/start.sh
@@ -0,0 +1,79 @@
+#!/bin/sh
+
+set -e
+set -x
+
+# These could be set from Puppet if multiple instances are deployed
+eduid_name=${eduid_name-'eduid-navet-service'}
+base_dir=${base_dir-"/opt/eduid/${eduid_name}"}
+# These *can* be set from Puppet, but are less expected to...
+navet_keystore_name=${navet_keystore_name-'eduid.se'}
+navet_etcdir=${navet_etcdir-"${base_dir}/etc"}
+navet_state_dir=${navet_state_dir-"${base_dir}/run"}
+navet_cert_file=${navet_cert_file-"${navet_etcdir}/navet.crt"}
+navet_key_file=${navet_key_file-"${navet_etcdir}/navet.key"}
+navet_keystore_file=${navet_keystore_file-"${navet_state_dir}/navet_keystore.p12"}
+navet_ca_cert_file=${navet_ca_cert_file-"${navet_etcdir}/Steria-AB-EID-CA-v2.cer"}
+navet_intermediate_cert_file1=${navet_intermediate_cert_file1-"${navet_etcdir}/VeriSign.cer"}
+navet_intermediate_cert_file2=${navet_intermediate_cert_file2-"${navet_etcdir}/Symantec.cer"}
+navet_truststore_file=${navet_truststore_file-"${navet_state_dir}/navet_truststore.jks"}
+
+navet_properties=${navet_properties-"${navet_etcdir}/navet-service.properties"}
+navet_jar_file=${navet_jar_file-'/opt/eduid/eduid-navet-service-0.1-SNAPSHOT.jar'}
+
+# Variables mm_truststore_file and mm_keystore_file are required when generating truststore and keystore
+
+useradd eduid
+chown -R eduid: "${navet_state_dir}"
+
+ls -l "${navet_etcdir}"
+
+if [ ! -s "${navet_truststore_file}" ]; then
+    echo "$0: Creating Java truststore file ${navet_truststore_file}"
+
+    if [ "x${navet_truststore_pw}" = "x" ]; then
+        echo "$0: ERROR: navet_truststore_pw not set."
+        exit 1
+    fi
+
+    ls -l "${navet_ca_cert_file}"
+    (umask 077; keytool -import -trustcacerts -alias root \
+    -file "${navet_ca_cert_file}" -keystore "${navet_truststore_file}" \
+    -deststorepass "${navet_truststore_pw}" -noprompt)
+
+    ls -l "${navet_intermediate_cert_file1}"
+    (umask 077; keytool -import -trustcacerts -alias inter1 \
+    -file "${navet_intermediate_cert_file1}" -keystore "${navet_truststore_file}" \
+    -deststorepass "${navet_truststore_pw}" -noprompt)
+
+    ls -l "${navet_intermediate_cert_file2}"
+    (umask 077; keytool -import -trustcacerts -alias inter2 \
+    -file "${navet_intermediate_cert_file2}" -keystore "${navet_truststore_file}" \
+    -deststorepass "${navet_truststore_pw}" -noprompt)
+fi
+
+if [ ! -s "${navet_keystore_file}" ]; then
+    echo "$0: Creating Java keystore file (p12) ${navet_keystore_file}"
+
+    if [ "x${navet_keystore_pw}" = "x" ]; then
+        echo "$0: ERROR: mm_keystore_pw not set."
+        exit 1
+    fi
+
+    ls -l "${navet_key_file}" "${navet_cert_file}"
+    (umask 077; openssl pkcs12 -export -inkey "${navet_key_file}" \
+    -in "${navet_cert_file}" -out "${navet_keystore_file}" \
+    -name "${navet_keystore_name}" -passout pass:"${navet_keystore_pw}")
+fi
+
+
+# || true to not fail on read-only cfg_dir
+chown root:eduid "${navet_truststore_file}" "${navet_keystore_file}" || true
+chmod 640 "${navet_truststore_file}" "${navet_keystore_file}" || true
+chgrp eduid "${navet_properties}" || true
+chmod 640 "${navet_properties}" || true
+
+echo "$0: Starting JAR ${navet_jar_file} (properties file: ${navet_properties})"
+exec start-stop-daemon --start --quiet -c eduid:eduid \
+     --pidfile "${state_dir}/${eduid_name}.pid" --make-pidfile \
+     --exec /usr/local/openjdk-11/bin/java -- -jar ${navet_jar_file} -c ${navet_properties}
diff --git a/eduid-navet-service/etc/truststore.jks b/eduid-navet-service/etc/truststore.jks
diff --git a/eduid/compose.yml b/eduid/compose.yml
@@ -604,6 +604,21 @@ services:
       - redis
       - rsyslog
 
+  navet_service:
+    image: docker.sunet.se/eduid/eduid-navet-service:staging
+    pull_policy: if_not_present
+    networks:
+      dev:
+    volumes:
+      - ../eduid-navet-service/etc:/opt/eduid/eduid-navet-service/etc:ro
+      - ../eduid-navet-service/etc/start.sh:/start.sh:ro
+      - ../eduid-navet-service/run:/opt/eduid/eduid-navet-service/run
+      - eduidlogdata:/var/log/eduid
+    environment:
+      navet_keystore_file: /opt/eduid/eduid-navet-service/run/kommun-a.p12
+      navet_truststore_file: /opt/eduid/eduid-navet-service/run/truststore.jks
+      #command: "bash -c 'useradd eduid; cp /opt/eduid/eduid-navet-service/etc/kommun-a.p12 /opt/eduid/eduid-navet-service/etc/kommun-a.p12; cp /opt/eduid/eduid-navet-service/run/truststore.jks /opt/eduid/eduid-navet-service/run/truststore.jks; /start.sh'"
+
   neo4jdb:
     image: neo4j:4.4-enterprise
     expose: