Merge pull request #218 from techsavvyash/identity

Feat: Add Identity service

Makefile

@@ -5,7 +5,9 @@ RELEASE_VERSION = v0.0.14
 IMAGES := dockerhub/sunbird-rc-core dockerhub/sunbird-rc-nginx dockerhub/sunbird-rc-context-proxy-service \
 			dockerhub/sunbird-rc-public-key-service dockerhub/sunbird-rc-keycloak dockerhub/sunbird-rc-certificate-api \
 			dockerhub/sunbird-rc-certificate-signer dockerhub/sunbird-rc-notification-service dockerhub/sunbird-rc-claim-ms \
-			dockerhub/sunbird-rc-digilocker-certificate-api dockerhub/sunbird-rc-bulk-issuance dockerhub/sunbird-rc-metrics
+			dockerhub/sunbird-rc-digilocker-certificate-api dockerhub/sunbird-rc-bulk-issuance dockerhub/sunbird-rc-metrics \
+      dockerhub/sunbird-rc-identity-service
+
 build: java/registry/target/registry.jar
 	echo ${SOURCES}
 	rm -rf java/claim/target/*.jar
@@ -21,6 +23,7 @@ build: java/registry/target/registry.jar
 	make -C services/digilocker-certificate-api docker
 	make -C services/bulk_issuance docker
 	docker build -t dockerhub/sunbird-rc-nginx .
+	make -C services/identity-service/ docker
 
 java/registry/target/registry.jar: $(SOURCES)
 	echo $(SOURCES)
@@ -67,7 +70,8 @@ test: build
 	make -C services/public-key-service test
 	make -C services/context-proxy-service test
 	make -C services/bulk_issuance test
-
+  make -C services/identity-service test
+
 clean:
 	@rm -rf target || true
 	@rm java/registry/target/registry.jar || true

services/identity-service/.env.sample

@@ -0,0 +1,21 @@
+# database url where the generated DIDs will be stored
+DATABASE_URL=""
+
+#JWKS URI for JWT verification (refer openid implementation to know more)
+JWKS_URI=""
+
+# key-pair generation algorithm
+SIGNING_ALGORITHM="RS256"
+
+
+# hashicorp vault configs for storing private and public keys
+VAULT_ADDR=""
+VAULT_TOKEN=""
+VAULT_BASE_URL=""
+VAULT_ROOT_PATH=""
+VAULT_TIMEOUT=5000
+VAULT_PROXY='' #this is supposed to be a boolean flag given as a string
+
+# Configs for the server
+PORT=3332
+ENABLE_AUTH=false

services/identity-service/Dockerfile

@@ -0,0 +1,21 @@
+FROM node:16 AS install
+WORKDIR /app
+COPY package.json yarn.lock ./
+RUN yarn
+
+FROM node:16 as build
+WORKDIR /app
+COPY prisma ./prisma/
+COPY --from=install /app/node_modules ./node_modules
+RUN npx prisma generate
+COPY . .
+RUN yarn build
+
+FROM node:16
+WORKDIR /app
+COPY --from=build /app/dist ./dist
+COPY --from=build /app/package*.json ./
+COPY --from=build /app/prisma ./prisma
+COPY --from=build /app/node_modules ./node_modules
+EXPOSE 3332
+CMD [ "npm", "run", "start:migrate:prod" ]

services/identity-service/Dockerfile.test

@@ -0,0 +1,13 @@
+FROM node:16 AS install
+WORKDIR /app
+COPY package.json yarn.lock ./
+RUN yarn
+
+FROM node:16 as test
+WORKDIR /app
+COPY prisma ./prisma/
+COPY --from=install /app/node_modules ./node_modules
+RUN npx prisma generate
+COPY . .
+EXPOSE 3332
+CMD [ "yarn", "test:migrate" ]

services/identity-service/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 Sunbird RC
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

services/identity-service/Makefile

@@ -0,0 +1,15 @@
+IMAGE:=dockerhub/sunbird-rc-identity-service
+
+.PHONY: docker publish test run unseal
+
+docker:
+	@docker build -t $(IMAGE) .
+publish:
+	@docker push $(IMAGE)
+test:
+	@docker-compose -f docker-compose-test.yml down
+	bash build/setup_vault.sh docker-compose-test.yml vault-test
+	@docker-compose -f docker-compose-test.yml up --build --abort-on-container-exit
+compose-init:
+	bash build/setup_vault.sh
+	@docker-compose up -d --build

services/identity-service/README.md

@@ -0,0 +1,52 @@
+## Description
+
+[Nest](https://github.com/nestjs/nest) framework TypeScript starter repository.
+
+## Installation
+
+```bash
+$ npm install
+```
+
+## Running the app
+
+```bash
+# development env
+$ npm run start
+
+# watch mode
+$ npm run start:dev
+
+# production mode
+$ npm run start:prod
+```
+
+## Test
+
+```bash
+# unit tests
+$ npm run test
+
+# In independent docker containers 
+$ make test
+
+# e2e tests
+$ npm run test:e2e
+
+# test coverage
+$ npm run test:cov
+```
+
+## Support
+
+Nest is an MIT-licensed open source project. It can grow thanks to the sponsors and support by the amazing backers. If you'd like to join them, please [read more here](https://docs.nestjs.com/support).
+
+## Stay in touch
+
+- Author - [Kamil Myśliwiec](https://kamilmysliwiec.com)
+- Website - [https://nestjs.com](https://nestjs.com/)
+- Twitter - [@nestframework](https://twitter.com/nestframework)
+
+## License
+
+Nest is [MIT licensed](LICENSE).

services/identity-service/build/setup_vault.sh

@@ -0,0 +1,63 @@
+#!/bin/bash
+
+# This script does the following things
+# * Start a vault instance with vault/vault.json configuration
+# * Unseal the vault
+# * Create a v2 kv engine 
+# * Prints the unseal keys and root token
+# * This script does not automatically unseal vault on restarts, it only works with fresh installations
+
+COMPOSE_FILE="${1:-docker-compose.yml}"
+SERVICE_NAME="${2:-vault}"
+
+echo "Setting up $SERVICE_NAME in $COMPOSE_FILE"
+
+docker-compose -f "$COMPOSE_FILE" up -d "$SERVICE_NAME"
+
+# Function to check if Vault is ready
+check_vault_status() {
+  vault_status=$(docker-compose -f "$COMPOSE_FILE" exec "$SERVICE_NAME" vault status 2>&1)
+  if [[ $vault_status == *"connection refused"* ]]; then
+    echo "Unable to connect to Vault. Waiting for Vault to start..."
+    return 1
+  elif [[ $vault_status == *"Sealed             true"* ]]; then
+    echo "Vault is sealed. Waiting for unsealing..."
+    return 0
+  else
+    echo "Unsealed and up. Moving to next steps."
+    return 0
+  fi
+}
+
+
+# Wait for Vault service to become available
+until check_vault_status; do
+    echo "Waiting for Vault service to start..."
+    sleep 1;
+done
+
+# keys contains ansi escape sequences, remove them if any
+docker-compose -f "$COMPOSE_FILE" exec "$SERVICE_NAME" vault operator init > ansi-keys.txt
+sed 's/\x1B\[[0-9;]*[JKmsu]//g' < ansi-keys.txt  > keys.txt
+sed -n 's/Unseal Key [1-1]\+: \(.*\)/\1/p' keys.txt > parsed-key.txt
+key=$(cat parsed-key.txt)
+docker-compose -f "$COMPOSE_FILE" exec -T "$SERVICE_NAME" vault operator unseal "$key"
+
+sed -n 's/Unseal Key [2-2]\+: \(.*\)/\1/p' keys.txt > parsed-key.txt
+key=$(cat parsed-key.txt)
+docker-compose -f "$COMPOSE_FILE" exec -T "$SERVICE_NAME" vault operator unseal "$key"
+
+sed -n 's/Unseal Key [3-3]\+: \(.*\)/\1/p' keys.txt > parsed-key.txt
+key=$(cat parsed-key.txt)
+docker-compose -f "$COMPOSE_FILE" exec -T "$SERVICE_NAME" vault operator unseal "$key"
+
+root_token=$(sed -n 's/Initial Root Token: \(.*\)/\1/p' keys.txt | tr -dc '[:print:]')
+
+sed -i "s/VAULT_TOKEN:.*/VAULT_TOKEN: $root_token/" "$COMPOSE_FILE"
+
+docker-compose -f "$COMPOSE_FILE" exec -e VAULT_TOKEN=$root_token -T "$SERVICE_NAME" vault secrets enable -path=kv kv-v2
+
+echo -e "\nNOTE: STORE THE FOLLOWING KEYS SOMEWHERE SAFELY. THESE ARE USED TO UNSEAL VAULT ON RESTARTS"
+
+cat keys.txt
+rm parsed-key.txt ansi-keys.txt keys.txt

services/identity-service/docker-compose-test.yml

@@ -0,0 +1,70 @@
+version: '3'
+services:
+  vault-test:
+    image: vault:1.13.3
+    restart: always
+    volumes:
+      - ./vault/vault.json:/vault/config/vault.json
+    environment:
+      - VAULT_ADDR=http://0.0.0.0:8200
+      - VAULT_API_ADDR=http://0.0.0.0:8200
+      - VAULT_ADDRESS=http://0.0.0.0:8200
+    cap_add:
+      - IPC_LOCK
+    command: vault server -config=/vault/config/vault.json
+    healthcheck:
+      test: ["CMD-SHELL", "wget --spider http://127.0.0.1:8200/v1/sys/health || exit 1"]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+    networks:
+      test:
+
+  db-test:
+    image: postgres:latest
+    restart: always
+    environment:
+      POSTGRES_USER: postgres
+      POSTGRES_PASSWORD: postgres
+    healthcheck:
+      test: [ "CMD-SHELL", "pg_isready -U postgres" ]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    networks:
+      test:
+
+  identity-service-test:
+    image: identity-test
+    build: 
+      context: .
+      dockerfile: Dockerfile.test
+    depends_on: 
+      db-test:
+        condition: service_healthy
+      vault-test:
+        condition: service_healthy
+    environment:
+      DATABASE_URL: "postgres://postgres:postgres@db-test:5432/postgres"
+      VAULT_ADDR: "http://vault-test:8200"
+      # This will be replaced automatically on initialisation 
+      # make compose-init will call setup_vault.sh
+      VAULT_TOKEN: hvs.dOLOfZJe5HJW1LBgQLCnW3YU
+      VAULT_BASE_URL: "http://vault-test:8200/v1"
+      VAULT_ROOT_PATH: "http://vault-test:8200/v1/kv"
+      VAULT_TIMEOUT: 5000
+      VAULT_PROXY: 'false'
+      SIGNING_ALGORITHM: "RS256"
+      JWKS_URI: ""
+      ENABLE_AUTH: "false"
+    networks:
+      test:
+    healthcheck:
+      test:
+        [ "CMD-SHELL", "curl -f http://localhost:3332/health || exit 1" ]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+networks:
+  test:

services/identity-service/docker-compose.yml

@@ -0,0 +1,71 @@
+version: '3'
+services:
+  vault:
+    image: vault:1.13.3
+    restart: always
+    volumes:
+      - ./vault/vault.json:/vault/config/vault.json
+      - vault-data:/vault/file
+    environment:
+      - VAULT_ADDR=http://0.0.0.0:8200
+      - VAULT_API_ADDR=http://0.0.0.0:8200
+      - VAULT_ADDRESS=http://0.0.0.0:8200
+    cap_add:
+      - IPC_LOCK
+    command: vault server -config=/vault/config/vault.json
+    ports:
+      - 8200:8200
+    healthcheck:
+      test: ["CMD-SHELL", "wget --spider http://127.0.0.1:8200/v1/sys/health || exit 1"]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+  db:
+    image: postgres:latest
+    restart: always
+    ports:
+      - 5432:5432
+    environment:
+      POSTGRES_USER: postgres
+      POSTGRES_PASSWORD: postgres
+    volumes:
+      - data:/var/lib/postgresql/data
+    healthcheck:
+      test: [ "CMD-SHELL", "pg_isready -U postgres" ]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+  identity-service:
+    image: identity
+    build: 
+      context: .
+      dockerfile: Dockerfile
+    depends_on: 
+      db:
+        condition: service_healthy
+      vault:
+        condition: service_healthy
+    ports: 
+      - 3332:3332
+    environment:
+      DATABASE_URL: "postgres://postgres:postgres@db:5432/postgres"
+      VAULT_ADDR: "http://vault:8200"
+      # This will be replaced automatically on initialisation 
+      # make compose-init will call setup_vault.sh
+      VAULT_TOKEN: hvs.jwNIOFLgGBQhHRFuRL3y9Obl
+      VAULT_BASE_URL: "http://vault:8200/v1"
+      VAULT_ROOT_PATH: "http://vault:8200/v1/kv"
+      VAULT_TIMEOUT: 5000
+      VAULT_PROXY: 'false'
+      SIGNING_ALGORITHM: "RS256"
+      JWKS_URI: 
+      ENABLE_AUTH: "false"
+    healthcheck:
+      test:
+        [ "CMD-SHELL", "curl -f http://localhost:3332/health || exit 1" ]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+volumes:
+  data:
+  vault-data:

services/identity-service/nest-cli.json

@@ -0,0 +1,5 @@
+{
+  "$schema": "https://json.schemastore.org/nest-cli",
+  "collection": "@nestjs/schematics",
+  "sourceRoot": "src"
+}