Skip to content

NBISweden/sda-uppmax-integration

Repository files navigation

SDA Uppmax Integration

Introduction

The SDA Uppmax Integration is a service used in the Sensitive Data Archive project. The goal of the project is to automate the submission of sensitive data through Bianca. Specifically, the service contains one endpoint used for

  • Authenticating the user (initially uppmax) and allowing to perform further actions
  • Creation of token and s3config file for a specified SDA user

Endpoint Request

Currently one endpoint is available when running the service, described with curl:

curl --location --request POST '<base_url>:8080/token' \
--header 'Authorization: Basic <basic_auth_from_creds>' \
--header 'Content-Type: text/plain' \
--data-raw '{
    "swamid": "<swamid>",
    "projectid": "<projectid>"
}'

where <basic_auth_from_creds> is the base64 encoded string username:password.

The token endpoint requires basic auth and the allowed credentials can be defined in the configuration file config.yaml.

ex.

$ curl --location --request POST 'localhost:8080/token' \
       --header "Authorization: Basic $(printf 'uppmax:uppmax' | base64)" \
       --header 'Content-Type: application/json' \
       --data-raw '{"swamid": "[email protected]", "projectid": "sda001"}'

can be used in the docker compose development environment.

Endpoint Response

The token endpoint returns the following structure, if the user is authorised to access the <projectid> requested:

{
    "swamid": "<swamid>",
    "projectid": "<projectid>",
    "request_time": "<request_time>",
    "expiration": "<expiration>",
    "s3config": "<base64_encoded_s3config>"
    "crypt4gh_key": "<base64_encoded_crypt4gh_pub_key>"
}

The s3config file is base64 encoded in the response described above.

How to run

The app can be configured via ENVs or via a yaml file, an example config file is located in the root of this repo. In order to run the service locally install golang, navigate to the root of the repository and run

go run .

The following configuration is required to run the service

Variable Description Example
crypt4ghKey Path to public key ../sda_crypt4gh.pub
egaUsername The username for the EGA external service some_ega_username
egaPassword The password for the EGA external service some_ega_password
egaURL The url for the EGA external service https://ega.url
expirationDays Token validity duration in days 14
iss JWT issuer https://issuer.example.com
jwtKey Path to private key ../my_key.pub
suprUsername The username for the SUPR external service some_supr_username
suprPassword The password for the SUPR external service some_supr_password
suprURL The url for the SUPR external service https://supr.url
s3url The URL to the s3Inbox s3.example.com
uppmaxUsername Username for token requester some_username
uppmaxPassword Password for token requester some_password

How to deploy

To deploy the service without using vault (e.g. using minikube) in the lega namespace, build and push the image using

docker build -t harbor.nbis.se/uppmax/integration .
docker push harbor.nbis.se/uppmax/integration

Create a secret using

kubectl -n lega create secret generic <secret_name> --from-file=<key_path> --from-file=<public_key_path>

The names of the files should be added in the values files in jwt.keyName and crypt4ghKey respectively in the values.yaml. Populate the rest of the values.yaml file with the correct values and then install using the local copy of the helm charts with

helm install --namespace <namespace_name> uppmax charts/uppmax-integration

while to install using the published charts use

helm repo add uppmax https://nbisweden.github.io/sda-uppmax-integration/
helm repo update
helm install --namespace <namespace_name> uppmax charts/uppmax-integration