ESMO_EWP_pub issues (https://scm.atosresearch.eu/ari/ESMO_EWP/-/issues)

**Issue #2: Testing /cm/ewp/localEsmoHosts**
https://scm.atosresearch.eu/ari/ESMO_EWP/-/issues/2
2019-04-01T12:31:24Z, Miryam Villegas

After merging devmanifest branch with development branch, I'm trying **http://localhost:8080/cm/ewp/localEsmoHosts**, and I get this:
```
2019-04-01 12:35:52.725 INFO 5772 --- [nio-8080-exec-6] .r.c.m.AttributeProfilesGetApiController : EWP: Found 2 ESMO hosts in the registry
2019-04-01 12:35:52.736 INFO 5772 --- [nio-8080-exec-6] .r.c.m.AttributeProfilesGetApiController : EWP: Fetching ESMO manifest from https://docker-demo.fsat.no/esmo-manifest
2019-04-01 12:35:52.960 INFO 5772 --- [nio-8080-exec-6] .r.c.m.AttributeProfilesGetApiController : EWP: Accepted RSA public keys for verifying signature: 2
2019-04-01 12:35:52.963 INFO 5772 --- [nio-8080-exec-6] .r.c.m.AttributeProfilesGetApiController : EWP: Could not fetch ESMO manifest from host https://docker-demo.fsat.no/esmo-manifest
2019-04-01 12:35:52.963 INFO 5772 --- [nio-8080-exec-6] .r.c.m.AttributeProfilesGetApiController : EWP: Error: com.google.gson.JsonSyntaxException: java.lang.IllegalStateException: Expected BEGIN_OBJECT but was BEGIN_ARRAY at line 1 column 2 path $
2019-04-01 12:35:52.963 INFO 5772 --- [nio-8080-exec-6] .r.c.m.AttributeProfilesGetApiController : EWP: Fetching ESMO manifest from https://esmo.es/gw
2019-04-01 12:35:53.411 INFO 5772 --- [nio-8080-exec-6] .r.c.m.AttributeProfilesGetApiController : EWP: HTTP Response status 410
2019-04-01 12:35:53.413 INFO 5772 --- [nio-8080-exec-6] .r.c.m.AttributeProfilesGetApiController : EWP: Error updating ESMO manifest data java.io.FileNotFoundException: src\test\java\esmo-manifest-gateway.json (El sistema no puede encontrar el archivo especificado)
java.io.FileNotFoundException: src\test\java\esmo-manifest-gateway.json (El sistema no puede encontrar el archivo especificado)
```
Related to the other ewp services implemented by Matija, http://localhost:8080/cm/ewp/manifest is working, but **http://localhost:8080/cm/ewp/esmoHosts** fails:
```
2019-04-01 13:04:07.172 INFO 5772 --- [nio-8080-exec-8] .r.c.m.AttributeProfilesGetApiController : EWP: Found 2 ESMO hosts in the registry
2019-04-01 13:04:07.173 INFO 5772 --- [nio-8080-exec-8] .r.c.m.AttributeProfilesGetApiController : EWP: Fetching ESMO manifest from https://docker-demo.fsat.no/esmo-manifest
2019-04-01 13:04:07.512 INFO 5772 --- [nio-8080-exec-8] .r.c.m.AttributeProfilesGetApiController : EWP: Accepted RSA public keys for verifying signature: 2
2019-04-01 13:04:07.517 INFO 5772 --- [nio-8080-exec-8] .r.c.m.AttributeProfilesGetApiController : EWP: Could not fetch ESMO manifest from host https://docker-demo.fsat.no/esmo-manifest
2019-04-01 13:04:07.517 INFO 5772 --- [nio-8080-exec-8] .r.c.m.AttributeProfilesGetApiController : EWP: Error: com.google.gson.JsonSyntaxException: java.lang.IllegalStateException: Expected BEGIN_OBJECT but was BEGIN_ARRAY at line 1 column 2 path $
2019-04-01 13:04:07.517 INFO 5772 --- [nio-8080-exec-8] .r.c.m.AttributeProfilesGetApiController : EWP: Fetching ESMO manifest from https://esmo.es/gw
2019-04-01 13:04:07.724 INFO 5772 --- [nio-8080-exec-8] .r.c.m.AttributeProfilesGetApiController : EWP: HTTP Response status 410
2019-04-01 13:04:07.728 INFO 5772 --- [nio-8080-exec-8] .r.c.m.AttributeProfilesGetApiController : EWP: Error updating ESMO manifest data java.io.FileNotFoundException: src\test\java\esmo-manifest-gateway.json (El sistema no puede encontrar el archivo especificado)
```
Could you please take a look at it?
Thank you!

**Issue #1: Module to publish data to EWP registry and to consume the EWP data into the ConfigManager**
https://scm.atosresearch.eu/ari/ESMO_EWP/-/issues/1
2019-02-25T13:18:56Z, Ghost User

@Nikos.triantafyllou @ross.little @miryam.villegas @matija.puzar
We need to publish the contact and trust information of our gateways on the EWP registry so the other gateways, acting as originating Gateways (oGW from now on), trust them automatically when contacting them as terminating Gateways (tGW from now on). Also, Gateways can publish just their own access endpoints, hiding everything behind them and requiring AP discovery when queried, or they can publish an entry for each AP behind them, in a way they still act as proxies but fully transparent, with no discovery. When queried, they already know which AP has been selected.
Given the EWP schema for the registry entries, we have some constraints and drawbacks:
* changes must be requested manually to the Registry operators, which would take control away from us.
* we can only define the schema for the apis we would add, but we need to adjust to the schema for the top level entry.
* registry metadata is defined in XML whereas we extensively use JSON, requiring two marshalling/unmarshalling steps.
Also, ESMO imposes some constraints:
* as we are defining new kinds of services on EWP, we cannot reuse the existing EWP api definitions (as they are designed for a completely different usage, and also each api has a semantic context that must be carefully kept), so we would need to define a schema of new APIs.
* so, any existing EWP entity cannot leverage our new services without adapting to them.
* we work with collections of external entities, not with multi-level entities, so a GW publishing multiple APs should be transformed into a plain list of pseudo-APs.
* we need the registry data to be mapped to our internal format, so each registry entry representing a Gateway (or each entry of the set of APs hidden behind a Gateway) must be mapped to an entityMetadata object (see the common swagger yaml specs).
Given all the above, Matija proposed a solution: the EWP registry should just publish an entry for each Gateway, which provides the information required by EWP, but the only published data relevant for ESMO would be a URL pointing to a manifest file published on the GW itself.
This implies that:
* We have full control over the contents and maintenance of the published data: we register once, and we manage our APs internally, we can change our data needs as we please.
* We have full control over the format of the data: so instead of developing an XML schema, we can use our current entityMetadata object to publish the entries.
* As any entity wishing to use our APIs nevertheless needs to adapt to our protocol, we can use this design with no bad impact.
Thus, to implement this solution, the EWP module will have to:
* Publish the Gateway manifest: it will be a document on an https url, containing a single or a list of entityMetadata objects. The url will be included on the EWP registry. So, this opens three scenarios:
  - Just the GW metadata object is published:
    - the module will read the GW info from an internal config file and publish it as is.
  - The whole list of locally connected APs for the GW is published (see an example at the end):
    - the module will read the GW info from an internal config file and the CM local AP collection file
    - the objects on the local AP collection must be altered, as the APs are not accessed directly (it will always be the GW who is accessed):
      - The entityID will be the AP's.
      - The displayName and logo will be the AP's.
      - the endpoint information will be the GW's.
      - the public key/certificate information will be the GW's.
  - Also, both the GW object and an object per AP could be published. This way, if the user chooses the GW on the selector he will be shown a second step of discovery, or if he chooses directly the AP, the second gateway will be transparent.
* Feed the CM with the GW collection. To build it:
  - Read the EWP registry file
  - Get only the ESMO GW entries
  - Discard the entry of this same GW (as we have the GW config and the AP collection, we can search the entityID of the local GW and APs).
  - Get the manifest file for each one of the remaining GWs
  - Join all the retrieved lists
  - Add the handler-microservice information on each entity (use the identifier of the GW-AP module, as found on the GW config. The same value for all).
  - Write the list on the specified CM path for this collection.
See an example of the files used and generated:
**Example of GW entity metadata (local data, to feed the EWP module)**
```json
{
  "entityId": "https://esmo.uji.es/gw/",
  "defaultDisplayName": "UJI ESMO Gateway",
  "displayNames": {
    "ES": "UJI ESMO Gateway",
    "EN": "UJI ESMO Gateway"
  },
  "logo": "AWDGRsFbFDEfFGTNNJKKYGFVFfDDSSSDGWGW==",
  "location": "ES|Spain",
  "protocol": "ESMO/GW2GW",
  "microservice": ["GW2GWms001"],
  "endpoints": [
    {"type": "GWquery",
     "method": "HTTP-POST",
     "url": "https://esmo.uji.es/gw/gw2gw/query"}
  ],
  "securityKeys": [
    {"keyType": "RSAPublicKey",
     "usage": "signing",
     "key": "MDAACaFgw...xFgyGWGW="},
    {"keyType": "RSAPublicKey",
     "usage": "encryption",
     "key": "MDAACaFgw...xFgyGWGW="}
  ],
  "encryptResponses": true,
  "supportedEncryptionAlg": ["AES256", "AES512"],
  "signResponses": true,
  "supportedSigningAlg": ["RSA-SHA256"]
}
```
**Example of local AP metadata collection (local data, to feed the EWP module)**
```json
[
  {
    "entityId": "https://sir2.uji.es/idp/saml2/metadata.xml",
    "defaultDisplayName": "UJI SIR2 Identity Provider",
    "displayNames": {
      "ES": "UJI Proveedor de Identidad de SIR2",
      "EN": "UJI SIR2 Identity Provider"
    },
    "logo": "AWDGRsFbFDEfFGTNNJKKYGFVFfDDSSSDIDP1IDP1==",
    "location": "ES|Spain",
    "protocol": "SAML2",
    "microservice": ["SAMLms001"],
    "claims": ["displayName", "surname", "dateOfBirth", "eduPersonAffiliation"],
    "endpoints": [
      {"type": "SSOService",
       "method": "HTTP-POST",
       "url": "https://sir2.uji.es/idp/saml2/idp/SSOService.php"},
      {"type": "SLOService",
       "method": "HTTP-GET",
       "url": "https://sir2.uji.es/idp/saml2/idp/SLOService.php"}
    ],
    "securityKeys": [
      {"keyType": "RSAPublicKey",
       "usage": "signing",
       "key": "MDAACaFgw...xFgyIDP1IDP1="},
      {"keyType": "RSAPublicKey",
       "usage": "encryption",
       "key": "MDAACaFgw...xFgyIDP1IDP1="}
    ],
    "encryptResponses": false,
    "supportedEncryptionAlg": ["AES256", "AES512"],
    "signResponses": true,
    "supportedSigningAlg": ["RSA-SHA256"],
    "otherData": {
      "attributeMappingToEIDAS": {"displayName": "CurrentGivenName", "surname": "CurrentFamilyName"}
    }
  },
  {
    "entityId": "https://stork.uji.es/ap/",
    "defaultDisplayName": "UJI STORK2.0 Attribute Provider",
    "displayNames": {
      "ES": "UJI Proveedor de Atributos de STORK2.0",
      "EN": "UJI STORK2.0 Attribute Provider"
    },
    "logo": "AWDGRsFbFDEfFGTNNJKKYGFVFfDDSSSDIDP2IDP2==",
    "location": "ES|Spain",
    "protocol": "SAML2",
    "microservice": ["SAMLms001"],
    "endpoints": [
      {"type": "AttributeQueryService",
       "method": "HTTP-POST",
       "url": "https://stork.uji.es/ap/rest/query/"}
    ],
    "securityKeys": [
      {"keyType": "RSAPublicKey",
       "usage": "signing",
       "key": "MDAACaFgw...xFgyIDP2IDP2="},
      {"keyType": "RSAPublicKey",
       "usage": "encryption",
       "key": "MDAACaFgw...xFgyIDP2IDP2="}
    ],
    "encryptResponses": false,
    "supportedEncryptionAlg": ["AES256", "AES512"],
    "signResponses": true,
    "supportedSigningAlg": ["RSA-SHA256"],
    "otherData": {
      "attributeMappingToEIDAS": {"givenName": "CurrentGivenName", "surname": "CurrentFamilyName"}
    }
  }
]
```
**Example of EWP ESMO manifest file: just the GW is published**
Notice that the microservice info is not included.
```json
[
  {
    "entityId": "https://esmo.uji.es/gw/",
    "defaultDisplayName": "UJI ESMO Gateway",
    "displayNames": {
      "ES": "UJI ESMO Gateway",
      "EN": "UJI ESMO Gateway"
    },
    "logo": "AWDGRsFbFDEfFGTNNJKKYGFVFfDDSSSDGWGW==",
    "location": "ES|Spain",
    "protocol": "ESMO/GW2GW",
    "endpoints": [
      {"type": "GWquery",
       "method": "HTTP-POST",
       "url": "https://esmo.uji.es/gw/gw2gw/query"}
    ],
    "securityKeys": [
      {"keyType": "RSAPublicKey",
       "usage": "signing",
       "key": "MDAACaFgw...xFgyGWGW="},
      {"keyType": "RSAPublicKey",
       "usage": "encryption",
       "key": "MDAACaFgw...xFgyGWGW="}
    ],
    "encryptResponses": true,
    "supportedEncryptionAlg": ["AES256", "AES512"],
    "signResponses": true,
    "supportedSigningAlg": ["RSA-SHA256"]
  }
]
```
**Example of EWP ESMO manifest file: just an entry per each AP is published**
Notice that the microservice info is not included, and that the endpoint and the keys are from the GW.
```json
[
  {
    "entityId": "https://sir2.uji.es/idp/saml2/metadata.xml",
    "defaultDisplayName": "UJI SIR2 Identity Provider",
    "displayNames": {
      "ES": "UJI Proveedor de Identidad de SIR2",
      "EN": "UJI SIR2 Identity Provider"
    },
    "logo": "AWDGRsFbFDEfFGTNNJKKYGFVFfDDSSSDIDP1IDP1==",
    "location": "ES|Spain",
    "protocol": "ESMO/GW2GW",
    "endpoints": [
      {"type": "GWquery",
       "method": "HTTP-POST",
       "url": "https://esmo.uji.es/gw/gw2gw/query"}
    ],
    "securityKeys": [
      {"keyType": "RSAPublicKey",
       "usage": "signing",
       "key": "MDAACaFgw...xFgyGWGW="},
      {"keyType": "RSAPublicKey",
       "usage": "encryption",
       "key": "MDAACaFgw...xFgyGWGW="}
    ],
    "encryptResponses": true,
    "supportedEncryptionAlg": ["AES256", "AES512"],
    "signResponses": true,
    "supportedSigningAlg": ["RSA-SHA256"]
  },
  {
    "entityId": "https://stork.uji.es/ap/",
    "defaultDisplayName": "UJI STORK2.0 Attribute Provider",
    "displayNames": {
      "ES": "UJI Proveedor de Atributos de STORK2.0",
      "EN": "UJI STORK2.0 Attribute Provider"
    },
    "logo": "AWDGRsFbFDEfFGTNNJKKYGFVFfDDSSSDIDP2IDP2==",
    "location": "ES|Spain",
    "protocol": "ESMO/GW2GW",
    "endpoints": [
      {"type": "GWquery",
       "method": "HTTP-POST",
       "url": "https://esmo.uji.es/gw/gw2gw/query"}
    ],
    "securityKeys": [
      {"keyType": "RSAPublicKey",
       "usage": "signing",
       "key": "MDAACaFgw...xFgyGWGW="},
      {"keyType": "RSAPublicKey",
       "usage": "encryption",
       "key": "MDAACaFgw...xFgyGWGW="}
    ],
    "encryptResponses": true,
    "supportedEncryptionAlg": ["AES256", "AES512"],
    "signResponses": true,
    "supportedSigningAlg": ["RSA-SHA256"]
  }
]
```
**And both approximations could be published at the same time on the file: the entry per each AP and the GW entry**
Just the objects of both examples above in a single list.
```json
[
  {
    "entityId": "https://esmo.uji.es/gw/",
    "defaultDisplayName": "UJI ESMO Gateway",
    "displayNames": {
      "ES": "UJI ESMO Gateway",
      "EN": "UJI ESMO Gateway"
    },
    "logo": "AWDGRsFbFDEfFGTNNJKKYGFVFfDDSSSDGWGW==",
    "location": "ES|Spain",
    "protocol": "ESMO/GW2GW",
    "endpoints": [
      {"type": "GWquery",
       "method": "HTTP-POST",
       "url": "https://esmo.uji.es/gw/gw2gw/query"}
    ],
    "securityKeys": [
      {"keyType": "RSAPublicKey",
       "usage": "signing",
       "key": "MDAACaFgw...xFgyGWGW="},
      {"keyType": "RSAPublicKey",
       "usage": "encryption",
       "key": "MDAACaFgw...xFgyGWGW="}
    ],
    "encryptResponses": true,
    "supportedEncryptionAlg": ["AES256", "AES512"],
    "signResponses": true,
    "supportedSigningAlg": ["RSA-SHA256"]
  },
  {
    "entityId": "https://sir2.uji.es/idp/saml2/metadata.xml",
    "defaultDisplayName": "UJI SIR2 Identity Provider",
    "displayNames": {
      "ES": "UJI Proveedor de Identidad de SIR2",
      "EN": "UJI SIR2 Identity Provider"
    },
    "logo": "AWDGRsFbFDEfFGTNNJKKYGFVFfDDSSSDIDP1IDP1==",
    "location": "ES|Spain",
    "protocol": "ESMO/GW2GW",
    "endpoints": [
      {"type": "GWquery",
       "method": "HTTP-POST",
       "url": "https://esmo.uji.es/gw/gw2gw/query"}
    ],
    "securityKeys": [
      {"keyType": "RSAPublicKey",
       "usage": "signing",
       "key": "MDAACaFgw...xFgyGWGW="},
      {"keyType": "RSAPublicKey",
       "usage": "encryption",
       "key": "MDAACaFgw...xFgyGWGW="}
    ],
    "encryptResponses": true,
    "supportedEncryptionAlg": ["AES256", "AES512"],
    "signResponses": true,
    "supportedSigningAlg": ["RSA-SHA256"]
  },
  {
    "entityId": "https://stork.uji.es/ap/",
    "defaultDisplayName": "UJI STORK2.0 Attribute Provider",
    "displayNames": {
      "ES": "UJI Proveedor de Atributos de STORK2.0",
      "EN": "UJI STORK2.0 Attribute Provider"
    },
    "logo": "AWDGRsFbFDEfFGTNNJKKYGFVFfDDSSSDIDP2IDP2==",
    "location": "ES|Spain",
    "protocol": "ESMO/GW2GW",
    "endpoints": [
      {"type": "GWquery",
       "method": "HTTP-POST",
       "url": "https://esmo.uji.es/gw/gw2gw/query"}
    ],
    "securityKeys": [
      {"keyType": "RSAPublicKey",
       "usage": "signing",
       "key": "MDAACaFgw...xFgyGWGW="},
      {"keyType": "RSAPublicKey",
       "usage": "encryption",
       "key": "MDAACaFgw...xFgyGWGW="}
    ],
    "encryptResponses": true,
    "supportedEncryptionAlg": ["AES256", "AES512"],
    "signResponses": true,
    "supportedSigningAlg": ["RSA-SHA256"]
  }
]
```
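As an added example that is not part of either issue or of the ESMO_EWP code, the following Python sketch serves both posts above: the publishing transform proposed in issue #1 (GW entry minus its microservice field, plus one pseudo-AP entry per AP that keeps the AP's identity but carries the GW's endpoints and keys), and the consumer side that must accept a manifest which is either a single entityMetadata object or a list of them, which is the shape mismatch behind the `Expected BEGIN_OBJECT but was BEGIN_ARRAY` error in issue #2, before joining the remote manifests into the GW collection. The sample data, key strings and the field lists are constructed here, not taken from the project's files.

```python
import json

# Constructed sample data modelled on the issue's examples (not the project's own files).
GW = {"entityId": "https://esmo.uji.es/gw/", "defaultDisplayName": "UJI ESMO Gateway",
      "protocol": "ESMO/GW2GW", "microservice": ["GW2GWms001"],
      "endpoints": [{"type": "GWquery", "method": "HTTP-POST", "url": "https://esmo.uji.es/gw/gw2gw/query"}],
      "securityKeys": [{"keyType": "RSAPublicKey", "usage": "signing", "key": "GW-KEY-PLACEHOLDER"}],
      "encryptResponses": True, "signResponses": True, "supportedSigningAlg": ["RSA-SHA256"]}
LOCAL_APS = [{"entityId": "https://sir2.uji.es/idp/saml2/metadata.xml",
              "defaultDisplayName": "UJI SIR2 Identity Provider", "protocol": "SAML2",
              "microservice": ["SAMLms001"], "claims": ["displayName", "surname"],
              "endpoints": [{"type": "SSOService", "method": "HTTP-POST", "url": "https://sir2.uji.es/idp/saml2/idp/SSOService.php"}],
              "securityKeys": [{"keyType": "RSAPublicKey", "usage": "signing", "key": "IDP1-KEY-PLACEHOLDER"}]}]
# A pseudo-AP entry keeps these fields from the AP and takes the rest from the GW (assumed split).
AP_FIELDS = ("entityId", "defaultDisplayName", "displayNames", "logo", "location")
GW_FIELDS = ("protocol", "endpoints", "securityKeys", "encryptResponses",
             "supportedEncryptionAlg", "signResponses", "supportedSigningAlg")

def build_manifest(gw, aps, publish_gw=True, publish_aps=True):
    """Publishing side: GW entry minus its microservice field, plus one pseudo-AP per AP."""
    out = []
    if publish_gw:
        out.append({k: v for k, v in gw.items() if k != "microservice"})
    if publish_aps:
        for ap in aps:
            entry = {k: ap[k] for k in AP_FIELDS if k in ap}       # AP identity, name, logo
            entry.update({k: gw[k] for k in GW_FIELDS if k in gw})  # GW endpoint and keys
            out.append(entry)
    return out

def parse_manifest(text):
    """Consumer side: accept one entityMetadata object or a list of them, and reject
    entries without an entityId or key material, since they could not be trusted."""
    data = json.loads(text)
    entries = data if isinstance(data, list) else [data]   # tolerate both shapes
    for e in entries:
        if not isinstance(e, dict) or not e.get("entityId") or not e.get("securityKeys"):
            raise ValueError("manifest entry without entityId or securityKeys")
    return entries

def build_gw_collection(manifest_texts, local_ids, handler_ms):
    """Join remote manifests, drop this GW's own entities, tag each with the handler microservice."""
    collection = []
    for text in manifest_texts:
        for e in parse_manifest(text):
            if e["entityId"] in local_ids:      # skip the local GW and its own APs
                continue
            collection.append(dict(e, microservice=[handler_ms]))
    return collection
```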