International-Data-Spaces-Association / metadata-broker-open-core

This is the repository of the open-core reference implementation of the IDS Metadata Broker.
Apache License 2.0

Broker not authenticated with local DAPS #88

Closed jfernandezsqs closed 2 years ago

jfernandezsqs commented 2 years ago

I have deployed an omejdnDAPS, a DSC version 7.0.1 and the latest version of the metadata broker in my local environment. The issue is that the broker is not authenticating our local DAPS. With a previous release of the metadata broker, in order to set it up we used the command "mvn clean package" to create a broker-core-4.2.8-SNAPSHOT.jar with the correct files configured (broker-core/src/main/resources/isstbroker-keystore.jks and application.properties with daps.url specified).

Currently, the "mvn clean package" is not working with the latest version of the metadata broker. I used this in order to create our "registry.gitlab.cc-asp.fraunhofer.de/eis-ids/broker-open/core" image.

Now, with the docker-compose.yml file which is at (https://github.com/International-Data-Spaces-Association/metadata-broker-open-core/tree/master/docker/composefiles/broker-localhost) I can properly configure the DAPS_URL and the IDENTITY_JAVAKEYSTORE:

broker-core:
    image: registry.gitlab.cc-asp.fraunhofer.de/eis-ids/broker-open/core:latest
    container_name: broker-core
    volumes:
      - /etc/idscert/localhost:/etc/cert/
    restart: always
    environment:
    - SPARQL_ENDPOINT=http://broker-fuseki:3030/connectorData
    - ELASTICSEARCH_HOSTNAME=broker-elasticsearch
    - SHACL_VALIDATION=true
    - DAPS_VALIDATE_INCOMING=true
    - IDENTITY_JAVAKEYSTORE=/etc/cert/isstbroker-keystore.jks
    - COMPONENT_URI=https://localhost/
    - COMPONENT_CATALOGURI=https://localhost/connectors/
    - JWKS_TRUSTEDHOSTS=daps.aisec.fraunhofer.de,omejdn
    - DAPS_URL=https://omejdn/token
    expose:
    - "8080"

When I try to obtain the description of the metadatabroker from the Dataspace Connector it gives the following error:

curl -X 'POST' 'https://localhost:7080/api/ids/description?recipient=https%3A%2F%2Fbroker-reverseproxy%2Finfrastructure' -H 'accept: */*' -d ''

Server response
Error: response status is 417
Response body
{
  "details": {
    "reason": {
      "properties": null,
      "@id": "https://w3id.org/idsa/code/NOT_AUTHENTICATED"
    },
    "payload": "An error occurred while verifying your token",
    "type": "de.fraunhofer.iais.eis.RejectionMessageImpl"
  },
  "message": "Received unexpected response message."
}

Is it possible to introduce/configure our own daps.crt in the docker-compose.yml? This file is located at (https://github.com/International-Data-Spaces-Association/metadata-broker-open-core/tree/master/docker/broker-core) and I assume this is the reason why the broker is not authenticating our local DAPS. Waiting for your response, thanks in advance.
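The rejection above is the broker-side outcome of DAT verification failing. As an added example (not code from the Metadata Broker, omejdn or the IDS project), the script below does, in reduced form, what the broker does with an incoming DAT: it checks the RS256 signature against the DAPS public key it was configured with (the key inside daps.crt), checks that the issuer host is one of the JWKS_TRUSTEDHOSTS entries, and checks the audience and time window. The toy RSA/PKCS#1 v1.5 code is a stdlib stand-in for a real JOSE library and is not how any of these projects sign tokens; the hostnames, connector id and the claim set are assumptions for the demo. The point it makes is that a DAT minted by the omejdn DAPS you actually run is rejected as NOT_AUTHENTICATED whenever the broker's trust anchor belongs to some other DAPS.

```python
"""Reduced IDS DAT verification: signature against the configured DAPS key
(daps.crt), issuer host in JWKS_TRUSTEDHOSTS, audience and nbf/exp window.
Added example, not Metadata Broker code. Toy RSA below is illustration only;
hostnames, connector id and claims are assumptions for the demo."""
import base64, hashlib, json, math, secrets, time, urllib.parse

def _is_probable_prime(n, rounds=16):  # Miller-Rabin; n is odd and large here
    if any(n % p == 0 for p in (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while not _is_probable_prime(c := secrets.randbits(bits) | (1 << (bits - 1)) | 1):
        pass
    return c

def gen_rsa_keypair(bits=1024):  # ((d, n), (e, n)); the public half models daps.crt
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (pow(e, -1, phi), p * q), (e, p * q)

_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256 DER prefix
def _em(msg, klen):  # EMSA-PKCS1-v1_5 encoding of SHA-256(msg)
    t = _DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (klen - len(t) - 3) + b"\x00" + t

def rs256_sign(msg, priv):
    d, n = priv
    klen = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_em(msg, klen), "big"), d, n).to_bytes(klen, "big")
def rs256_verify(msg, sig, pub):
    e, n = pub
    klen = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(klen, "big")
    return len(sig) == klen and secrets.compare_digest(em, _em(msg, klen))

def _b64u(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64u(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_dat(priv, daps_url, connector_id, now=None, ttl=3600):
    """DAPS side: an RS256 JWS over (a subset of) the IDS DAT claims."""
    now = int(time.time()) if now is None else now
    claims = {"iss": daps_url, "sub": connector_id, "referringConnector": connector_id,
              "aud": "idsc:IDS_CONNECTORS_ALL", "iat": now, "nbf": now, "exp": now + ttl,
              "securityProfile": "idsc:BASE_SECURITY_PROFILE"}
    head = _b64u(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    signing_input = head + "." + _b64u(json.dumps(claims).encode())
    return signing_input + "." + _b64u(rs256_sign(signing_input.encode(), priv))

def verify_dat(token, trusted_pub, trusted_hosts, now=None):
    """Broker side. Returns (ok, reason); any False maps to idsc:NOT_AUTHENTICATED."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(_unb64u(h)), json.loads(_unb64u(p)), _unb64u(s)
    except ValueError:
        return False, "malformed token"
    # Pin the algorithm before touching the signature: no alg=none / HMAC downgrade.
    if header.get("alg") != "RS256" or not rs256_verify(f"{h}.{p}".encode(), sig, trusted_pub):
        return False, "signature does not verify against the configured DAPS certificate"
    iss_host = urllib.parse.urlsplit(claims.get("iss", "")).hostname
    if iss_host not in trusted_hosts:
        return False, f"issuer host {iss_host!r} not in JWKS_TRUSTEDHOSTS"
    if claims.get("aud") != "idsc:IDS_CONNECTORS_ALL":
        return False, "audience mismatch"
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        return False, "token outside its nbf/exp window"
    return True, "ok"

def demo():  # one DAT from the local omejdn DAPS, checked with the right and the wrong trust anchor
    omejdn_priv, omejdn_pub = gen_rsa_keypair()   # the DAPS actually running next to the broker
    _, stale_pub = gen_rsa_keypair()              # key inside a daps.crt issued for some other DAPS
    trusted = {"omejdn", "daps.aisec.fraunhofer.de"}  # JWKS_TRUSTEDHOSTS from the compose file
    dat = issue_dat(omejdn_priv, "https://omejdn/token", "https://connector.example/", now=1_645_200_000)
    rogue = issue_dat(omejdn_priv, "https://rogue-daps/token", "https://connector.example/", now=1_645_200_000)
    return {"correct daps.crt": verify_dat(dat, omejdn_pub, trusted, now=1_645_200_100),
            "wrong daps.crt": verify_dat(dat, stale_pub, trusted, now=1_645_200_100),
            "untrusted issuer": verify_dat(rogue, omejdn_pub, trusted, now=1_645_200_100)}

if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:18s} -> {'accepted' if ok else 'NOT_AUTHENTICATED'}: {why}")
```

Running it prints one accepted line and two NOT_AUTHENTICATED lines; the second one ("wrong daps.crt") is the situation in this thread, where the token is perfectly valid but the broker holds a trust anchor for a different DAPS. In a real deployment the same check is done by a JOSE library with the key taken from daps.crt or the DAPS's JWKS endpoint; the structure of the checks (algorithm pinned first, then signature, then issuer allow-list, then audience and time) is what carries over.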

SebastianOpriel commented 2 years ago

Dear @jfernandezsqs, it shall be possible by setting another environment variable in docker-compose and thus overwriting the properties entry here: https://github.com/International-Data-Spaces-Association/metadata-broker-open-core/blob/592303a5aa4092b771d886abd9b13ea2942a32f7/broker-core/src/main/resources/application.properties#L42. And of course make sure the .crt is placed in the proper directory you are mounting locally (volumes entry).

I also faced some issues regarding DAT validation of incoming messages; I couldn't figure out the problem's origin yet. Thus, I set `daps.validateIncoming=false` (https://github.com/International-Data-Spaces-Association/metadata-broker-open-core/blob/592303a5aa4092b771d886abd9b13ea2942a32f7/broker-core/src/main/resources/application.properties#L28)

jfernandezsqs commented 2 years ago

I am not able to follow your proposed solution:

I can not obtain the Metadata Broker self-description because the token is not authenticated. I need to change and use our file daps.crt that is inside metadata-broker-open-core/docker/broker-core/

NehaThawani44 commented 2 years ago

@jfernandezsqs Can you please elaborate if the updated daps.crt helped you to get rid of the 'NOT_AUTHENTICATED' error?

jfernandezsqs commented 2 years ago

I can not verify if the daps.crt is correct because the "mvn clean package" command is not working. It is detailed in this issue: https://github.com/International-Data-Spaces-Association/metadata-broker-open-core/issues/86 We need mvn clean package in order to set up our local testbed.

jfernandezsqs commented 2 years ago

Now that mvn clean package is working, I have tried it again with the following configuration:

volumes: broker-fuseki:

- I deleted the image `registry.gitlab.cc-asp.fraunhofer.de/eis-ids/broker-open/core` and built it from `docker/broker-core/` using the command `docker build -t registry.gitlab.cc-asp.fraunhofer.de/eis-ids/broker-open/core .`

- Finally, I executed `docker-compose up`

When I try from the Dataspace connector to obtain the self-description of the Broker I get:
POST /api/ids/description
Recipient URL  --> https://broker-reverseproxy/infrastructure
Response body:

{
  "details": {
    "reason": {
      "properties": null,
      "@id": "https://w3id.org/idsa/code/NOT_AUTHENTICATED"
    },
    "payload": "An error occurred while verifying your token",
    "type": "de.fraunhofer.iais.eis.RejectionMessageImpl"
  },
  "message": "Received unexpected response message."
}


These are the Metadata Broker logs:

Creating broker-core ... done
Creating broker-reverseproxy ... done
Creating broker-fuseki ... done
Attaching to broker-core, broker-reverseproxy, broker-fuseki
broker-core | Starting Spring boot app
broker-core | ARGS=-Djava.security.egd=file:/dev/./urandom -Dsparql.url=http://broker-fuseki:3030/connectorData -Delasticsearch.hostname=broker-elasticsearch -Ddaps.validateIncoming=true -Dinfomodel.validateWithShacl=true -Dcomponent.uri=https://localhost/ -Dssl.javakeystore=/etc/cert/isstbroker-keystore.jks -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005
broker-core | Listening for transport dt_socket at address: 5005
broker-reverseproxy | /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
broker-reverseproxy | /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
broker-reverseproxy | /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
broker-reverseproxy | 10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
broker-reverseproxy | 10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
broker-reverseproxy | /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
broker-reverseproxy | /docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
broker-reverseproxy | /docker-entrypoint.sh: Configuration complete; ready for start up
broker-core | SLF4J: No SLF4J providers were found.
broker-core | SLF4J: Defaulting to no-operation (NOP) logger implementation
broker-core | SLF4J: See http://www.slf4j.org/codes.html#noProviders for further details.
broker-fuseki | [2022-02-18 16:12:19] Server INFO Apache Jena Fuseki 3.14.0
broker-fuseki | [2022-02-18 16:12:19] Config INFO FUSEKI_HOME=/jena-fuseki
broker-fuseki | [2022-02-18 16:12:19] Config INFO FUSEKIBASE=/fuseki
broker-fuseki | [2022-02-18 16:12:19] Config INFO Shiro file: file:///fuseki/shiro.ini
broker-core | [Spring Boot ASCII banner]
broker-core | :: Spring Boot :: (v2.1.16.RELEASE)
broker-fuseki | [2022-02-18 16:12:20] Config INFO Configuration file: /fuseki/config.ttl
broker-fuseki | [2022-02-18 16:12:20] Config INFO Load configuration: file:///fuseki/configuration/connectorData.ttl
broker-fuseki | [2022-02-18 16:12:20] Config INFO Register: /connectorData
broker-fuseki | [2022-02-18 16:12:20] Server INFO Started 2022/02/18 16:12:20 UTC on port 3030
broker-core | Feb 18, 2022 4:12:23 PM org.apache.catalina.core.StandardService startInternal
broker-core | INFO: Starting service [Tomcat]
broker-core | Feb 18, 2022 4:12:23 PM org.apache.catalina.core.StandardEngine startInternal
broker-core | INFO: Starting Servlet engine: [Apache Tomcat/9.0.37]
broker-core | Feb 18, 2022 4:12:23 PM org.apache.catalina.core.ApplicationContext log
broker-core | INFO: Initializing Spring embedded WebApplicationContext
broker-fuseki | [2022-02-18 16:12:26] Fuseki INFO [1] GET http://broker-fuseki:3030/connectorData/sparql?query=ASK+WHERE+%7B+GRAPH+%3Chttps%3A%2F%2Fbroker.ids.isst.fraunhofer.de%2Fadmin%3E+%7B%3Fs+%3Fp+%3Fo+.%7D+%7D
broker-fuseki | [2022-02-18 16:12:26] Fuseki INFO [1] Query = ASK WHERE { GRAPH https://broker.ids.isst.fraunhofer.de/admin {?s ?p ?o .} }
broker-fuseki | [2022-02-18 16:12:26] Fuseki INFO [1] 200 OK (70 ms)
broker-core | Feb 18, 2022 4:12:33 PM org.apache.catalina.core.ApplicationContext log
broker-core | INFO: Initializing Spring DispatcherServlet 'dispatcherServlet'
broker-reverseproxy | 172.21.0.1 - - [18/Feb/2022:16:12:34 +0000] "GET / HTTP/1.1" 200 2802 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0"
broker-reverseproxy | 172.21.0.3 - - [18/Feb/2022:16:12:48 +0000] "POST /infrastructure HTTP/1.1" 200 2662 "-" "okhttp/4.9.3"

jfernandezsqs commented 2 years ago

daps.crt was not set up correctly. Fixed.