Chg: update image tag in helm values to v3.0.2-RC1

Wifi 13542

.clang-format

@@ -0,0 +1,178 @@
+---
+Language:        Cpp
+# BasedOnStyle:  LLVM
+AccessModifierOffset: -2
+AlignAfterOpenBracket: Align
+AlignArrayOfStructures: None
+AlignConsecutiveMacros: None
+AlignConsecutiveAssignments: None
+AlignConsecutiveBitFields: None
+AlignConsecutiveDeclarations: None
+AlignEscapedNewlines: Right
+AlignOperands:   Align
+AlignTrailingComments: true
+AllowAllArgumentsOnNextLine: true
+AllowAllConstructorInitializersOnNextLine: true
+AllowAllParametersOfDeclarationOnNextLine: true
+AllowShortEnumsOnASingleLine: true
+AllowShortBlocksOnASingleLine: Never
+AllowShortCaseLabelsOnASingleLine: false
+AllowShortFunctionsOnASingleLine: All
+AllowShortLambdasOnASingleLine: All
+AllowShortIfStatementsOnASingleLine: Never
+AllowShortLoopsOnASingleLine: false
+AlwaysBreakAfterDefinitionReturnType: None
+AlwaysBreakAfterReturnType: None
+AlwaysBreakBeforeMultilineStrings: false
+AlwaysBreakTemplateDeclarations: MultiLine
+AttributeMacros:
+  - __capability
+BinPackArguments: true
+BinPackParameters: true
+BraceWrapping:
+  AfterCaseLabel:  false
+  AfterClass:      false
+  AfterControlStatement: Never
+  AfterEnum:       false
+  AfterFunction:   false
+  AfterNamespace:  false
+  AfterObjCDeclaration: false
+  AfterStruct:     false
+  AfterUnion:      false
+  AfterExternBlock: false
+  BeforeCatch:     false
+  BeforeElse:      false
+  BeforeLambdaBody: false
+  BeforeWhile:     false
+  IndentBraces:    false
+  SplitEmptyFunction: true
+  SplitEmptyRecord: true
+  SplitEmptyNamespace: true
+BreakBeforeBinaryOperators: None
+BreakBeforeConceptDeclarations: true
+BreakBeforeBraces: Attach
+BreakBeforeInheritanceComma: false
+BreakInheritanceList: BeforeColon
+BreakBeforeTernaryOperators: true
+BreakConstructorInitializersBeforeComma: false
+BreakConstructorInitializers: BeforeColon
+BreakAfterJavaFieldAnnotations: false
+BreakStringLiterals: true
+ColumnLimit:     100
+CommentPragmas:  '^ IWYU pragma:'
+CompactNamespaces: false
+ConstructorInitializerAllOnOneLineOrOnePerLine: false
+ConstructorInitializerIndentWidth: 4
+ContinuationIndentWidth: 4
+Cpp11BracedListStyle: true
+DeriveLineEnding: true
+DerivePointerAlignment: false
+DisableFormat:   false
+EmptyLineAfterAccessModifier: Never
+EmptyLineBeforeAccessModifier: LogicalBlock
+ExperimentalAutoDetectBinPacking: false
+FixNamespaceComments: true
+ForEachMacros:
+  - foreach
+  - Q_FOREACH
+  - BOOST_FOREACH
+IfMacros:
+  - KJ_IF_MAYBE
+IncludeBlocks:   Preserve
+IncludeCategories:
+  - Regex:           '^"(llvm|llvm-c|clang|clang-c)/'
+    Priority:        2
+    SortPriority:    0
+    CaseSensitive:   false
+  - Regex:           '^(<|"(gtest|gmock|isl|json)/)'
+    Priority:        3
+    SortPriority:    0
+    CaseSensitive:   false
+  - Regex:           '.*'
+    Priority:        1
+    SortPriority:    0
+    CaseSensitive:   false
+IncludeIsMainRegex: '(Test)?$'
+IncludeIsMainSourceRegex: ''
+IndentAccessModifiers: false
+IndentCaseLabels: false
+IndentCaseBlocks: false
+IndentGotoLabels: true
+IndentPPDirectives: None
+IndentExternBlock: AfterExternBlock
+IndentRequires:  false
+IndentWidth:     4
+IndentWrappedFunctionNames: false
+InsertTrailingCommas: None
+JavaScriptQuotes: Leave
+JavaScriptWrapImports: true
+KeepEmptyLinesAtTheStartOfBlocks: true
+LambdaBodyIndentation: Signature
+MacroBlockBegin: ''
+MacroBlockEnd:   ''
+MaxEmptyLinesToKeep: 1
+NamespaceIndentation: All
+ObjCBinPackProtocolList: Auto
+ObjCBlockIndentWidth: 2
+ObjCBreakBeforeNestedBlockParam: true
+ObjCSpaceAfterProperty: false
+ObjCSpaceBeforeProtocolList: true
+PenaltyBreakAssignment: 2
+PenaltyBreakBeforeFirstCallParameter: 19
+PenaltyBreakComment: 300
+PenaltyBreakFirstLessLess: 120
+PenaltyBreakString: 1000
+PenaltyBreakTemplateDeclaration: 10
+PenaltyExcessCharacter: 1000000
+PenaltyReturnTypeOnItsOwnLine: 60
+PenaltyIndentedWhitespace: 0
+PointerAlignment: Right
+PPIndentWidth:   -1
+ReferenceAlignment: Pointer
+ReflowComments:  true
+ShortNamespaceLines: 1
+SortIncludes:    CaseSensitive
+SortJavaStaticImport: Before
+SortUsingDeclarations: true
+SpaceAfterCStyleCast: false
+SpaceAfterLogicalNot: false
+SpaceAfterTemplateKeyword: true
+SpaceBeforeAssignmentOperators: true
+SpaceBeforeCaseColon: false
+SpaceBeforeCpp11BracedList: false
+SpaceBeforeCtorInitializerColon: true
+SpaceBeforeInheritanceColon: true
+SpaceBeforeParens: ControlStatements
+SpaceAroundPointerQualifiers: Default
+SpaceBeforeRangeBasedForLoopColon: true
+SpaceInEmptyBlock: false
+SpaceInEmptyParentheses: false
+SpacesBeforeTrailingComments: 1
+SpacesInAngles:  Never
+SpacesInConditionalStatement: false
+SpacesInContainerLiterals: true
+SpacesInCStyleCastParentheses: false
+SpacesInLineCommentPrefix:
+  Minimum:         1
+  Maximum:         -1
+SpacesInParentheses: false
+SpacesInSquareBrackets: false
+SpaceBeforeSquareBrackets: false
+BitFieldColonSpacing: Both
+Standard:        Latest
+StatementAttributeLikeMacros:
+  - Q_EMIT
+StatementMacros:
+  - Q_UNUSED
+  - QT_REQUIRE_VERSION
+TabWidth:        4
+UseCRLF:         false
+UseTab:          Always
+WhitespaceSensitiveMacros:
+  - STRINGIZE
+  - PP_STRINGIZE
+  - BOOST_PP_STRINGIZE
+  - NS_SWIFT_NAME
+  - CF_SWIFT_NAME
+...
+

.github/workflows/ci.yml

@@ -13,6 +13,7 @@ on:
   pull_request:
     branches:
       - main
+      - 'release/*'
 
 defaults:
   run:
@@ -25,45 +26,78 @@ jobs:
       DOCKER_REGISTRY_URL: tip-tip-wlan-cloud-ucentral.jfrog.io
       DOCKER_REGISTRY_USERNAME: ucentral
     steps:
-    - uses: actions/checkout@v2
-
-    - name: Build Docker image
-      run: docker build -t wlan-cloud-ucentralsec:${{ github.sha }} .
-
-    - name: Tag Docker image
-      run: |
-        TAGS="${{ github.sha }}"
-
-        if [[ ${GITHUB_REF} == "refs/heads/"* ]]
-        then
-          CURRENT_TAG=$(echo ${GITHUB_REF#refs/heads/} | tr '/' '-')
-          TAGS="$TAGS $CURRENT_TAG"
-        else
-          if [[ ${GITHUB_REF} == "refs/tags/"* ]]
-          then
-            CURRENT_TAG=$(echo ${GITHUB_REF#refs/tags/} | tr '/' '-')
-            TAGS="$TAGS $CURRENT_TAG"
-          else # PR build
-            CURRENT_TAG=$(echo ${GITHUB_HEAD_REF#refs/heads/} | tr '/' '-')
-            TAGS="$TAGS $CURRENT_TAG"
-          fi
-        fi
-
-        echo "Result tags: $TAGS"
-
-        for tag in $TAGS; do
-          docker tag wlan-cloud-ucentralsec:${{ github.sha }} ${{ env.DOCKER_REGISTRY_URL }}/ucentralsec:$tag
-        done
-
-    - name: Log into Docker registry
-      if: startsWith(github.ref, 'refs/tags/') || startsWith(github.ref, 'refs/pull/') || github.ref == 'refs/heads/main'
-      uses: docker/login-action@v1
+    - name: Checkout actions repo
+      uses: actions/checkout@v3
       with:
-        registry: ${{ env.DOCKER_REGISTRY_URL }}
-        username: ${{ env.DOCKER_REGISTRY_USERNAME }}
-        password: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}
+        repository: Telecominfraproject/.github
+        path: github
 
-    - name: Push Docker images
-      if: startsWith(github.ref, 'refs/tags/') || startsWith(github.ref, 'refs/pull/') || github.ref == 'refs/heads/main'
+    - name: Build and push Docker image
+      uses: ./github/composite-actions/docker-image-build
+      with:
+        image_name: owsec
+        registry: tip-tip-wlan-cloud-ucentral.jfrog.io
+        registry_user: ucentral
+        registry_password: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}
+
+    - name: Notify on failure via Slack
+      if: failure() && github.ref == 'refs/heads/main'
+      uses: rtCamp/action-slack-notify@v2
+      env:
+        SLACK_USERNAME: GitHub Actions failure notifier
+        SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+        SLACK_COLOR: "${{ job.status }}"
+        SLACK_ICON: https://raw.githubusercontent.com/quintessence/slack-icons/master/images/github-logo-slack-icon.png
+        SLACK_TITLE: Docker build failed for OWSec service
+
+  trigger-testing:
+    if: startsWith(github.ref, 'refs/pull/')
+    runs-on: ubuntu-latest
+    needs: docker
+    steps:
+    - name: Get base branch name and set as output
+      id: get_base_branch
       run: |
-        docker images | grep ${{ env.DOCKER_REGISTRY_URL }}/ucentralsec | awk -F ' ' '{print $1":"$2}' | xargs -I {} docker push {}
+        echo "branch=$(echo ${GITHUB_BASE_REF##*/})" >> $GITHUB_OUTPUT
+        echo "owgw_branch=$(echo ${GITHUB_BASE_REF##*/} | sed 's/main/master/g')" >> $GITHUB_OUTPUT
+
+    - name: Checkout actions repo
+      uses: actions/checkout@v3
+      with:
+        repository: Telecominfraproject/.github
+        path: github
+
+    - name: Trigger testing of OpenWifi Docker Compose deployment and wait for result
+      uses: ./github/composite-actions/trigger-workflow-and-wait
+      env:
+        BASE_BRANCH: ${{ steps.get_base_branch.outputs.branch }}
+        OWGW_BASE_BRANCH: ${{ steps.get_base_branch.outputs.owgw_branch }}
+      with:
+        owner: Telecominfraproject
+        repo: wlan-testing
+        workflow: ow_docker-compose.yml
+        token: ${{ secrets.WLAN_TESTING_PAT }}
+        ref: master
+        inputs: '{"deployment_version": "${{ env.BASE_BRANCH }}", "owgw_version": "${{ env.OWGW_BASE_BRANCH }}", "owsec_version": "${{ github.sha }}", "owfms_version": "${{ env.BASE_BRANCH }}", "owprov_version": "${{ env.BASE_BRANCH }}", "owanalytics_version": "${{ env.BASE_BRANCH }}", "owsub_version": "${{ env.BASE_BRANCH }}", "microservice": "owsec"}'
+
+  trigger-deploy-to-dev:
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/main'
+    needs:
+      - docker
+    steps:
+    - name: Checkout actions repo
+      uses: actions/checkout@v3
+      with:
+        repository: Telecominfraproject/.github
+        path: github
+
+    - name: Trigger deployment of the latest version to dev instance and wait for result
+      uses: ./github/composite-actions/trigger-workflow-and-wait
+      with:
+        owner: Telecominfraproject
+        repo: wlan-testing
+        workflow: ucentralgw-dev-deployment.yaml
+        token: ${{ secrets.WLAN_TESTING_PAT }}
+        ref: master
+        inputs: '{"force_latest": "true"}'

.github/workflows/cleanup.yml

@@ -4,6 +4,7 @@ on:
   pull_request:
     branches:
       - main
+      - 'release/*'
     types: [ closed ]
 
 defaults:
@@ -16,4 +17,10 @@ jobs:
     steps:
       - run: |
           export PR_BRANCH_TAG=$(echo ${GITHUB_HEAD_REF#refs/heads/} | tr '/' '-')
-          curl -uucentral:${{ secrets.DOCKER_REGISTRY_PASSWORD }} -X DELETE "https://tip.jfrog.io/artifactory/tip-wlan-cloud-ucentral/ucentralsec/$PR_BRANCH_TAG"
+
+          if [[ ! $PR_BRANCH_TAG =~ (main|master|release-*) ]]; then
+            echo "PR branch is $PR_BRANCH_TAG, deleting Docker image"
+            curl -s -uucentral:${{ secrets.DOCKER_REGISTRY_PASSWORD }} -X DELETE "https://tip.jfrog.io/artifactory/tip-wlan-cloud-ucentral/owsec/$PR_BRANCH_TAG"
+          else
+            echo "PR branch is $PR_BRANCH_TAG, not deleting Docker image"
+          fi

.github/workflows/enforce-jira-issue-key.yml

@@ -0,0 +1,24 @@
+name: Ensure Jira issue is linked
+
+on:
+  pull_request:
+    types: [opened, edited, reopened, synchronize]
+    branches:
+      - 'release/*'
+
+jobs:
+  check_for_issue_key:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout actions repo
+        uses: actions/checkout@v3
+        with:
+          repository: Telecominfraproject/.github
+          path: github
+
+      - name: Run JIRA check
+        uses: ./github/composite-actions/enforce-jira-issue-key
+        with:
+          jira_base_url: ${{ secrets.TIP_JIRA_URL }}
+          jira_user_email: ${{ secrets.TIP_JIRA_USER_EMAIL }}
+          jira_api_token: ${{ secrets.TIP_JIRA_API_TOKEN }}

.github/workflows/openapi-pages.yml

@@ -0,0 +1,38 @@
+name: Update OpenAPI docs on GitHub Pages
+
+on:
+  push:
+    paths:
+      - 'openapi/**'
+    branches:
+      - main
+  workflow_dispatch:
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  docsgen:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Generate static HTML page with docs from OpenAPI definition
+        run: |
+          docker run --rm -v "${PWD}:/local" openapitools/openapi-generator-cli:v6.2.1 generate -i https://raw.githubusercontent.com/Telecominfraproject/wlan-cloud-ucentralsec/main/openpapi/owsec.yaml -g html2 --skip-validate-spec -o /local/
+
+      - name: Update OpenAPI docs
+        run: |
+          mkdir -p ~/.ssh
+          ssh-keyscan -H github.com >> ~/.ssh/known_hosts
+          echo https://tip-automation:${{ secrets.GIT_PUSH_PAT }}@github.com > ~/.git-credentials
+          git config --global credential.helper store
+          git config --global user.email "tip-automation@telecominfraproject.com"
+          git config --global user.name "TIP Automation User"
+          git pull
+          git checkout gh-pages || git checkout -b gh-pages
+          mv index.html docs/index.html
+          git add docs
+          git commit -m'Update OpenAPI docs for GitHub pages'
+          git push --set-upstream origin gh-pages

.github/workflows/release.yml

@@ -0,0 +1,46 @@
+name: Release chart package
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  helm-package:
+    runs-on: ubuntu-20.04
+    env:
+      HELM_REPO_URL: https://tip.jfrog.io/artifactory/tip-wlan-cloud-ucentral-helm/
+      HELM_REPO_USERNAME: ucentral
+    steps:
+      - name: Checkout uCentral assembly chart repo
+        uses: actions/checkout@v3
+        with:
+          path: wlan-cloud-ucentralsec
+
+      - name: Build package
+        working-directory: wlan-cloud-ucentralsec/helm
+        run: |
+          helm plugin install https://github.com/aslafy-z/helm-git --version 0.10.0
+          helm repo add bitnami https://charts.bitnami.com/bitnami
+          helm repo update
+          helm dependency update
+          mkdir dist
+          helm package . -d dist
+
+      - name: Generate GitHub release body
+        working-directory: wlan-cloud-ucentralsec/helm
+        run: |
+          pip3 install yq -q
+          echo "Docker image - tip-tip-wlan-cloud-ucentral.jfrog.io/owsec:$GITHUB_REF_NAME" > release.txt
+          echo "Helm charted may be attached to this release" >> release.txt
+          echo "Deployment artifacts may be found in https://github.com/Telecominfraproject/wlan-cloud-ucentral-deploy/tree/$GITHUB_REF_NAME" >> release.txt
+
+      - name: Create GitHub release
+        uses: softprops/action-gh-release@v1
+        with:
+          body_path: wlan-cloud-ucentralsec/helm/release.txt
+          files: wlan-cloud-ucentralsec/helm/dist/*

.gitignore

@@ -18,3 +18,4 @@ _deps
 *.csr
 /cmake-build/
 /smake-build-debug/
+test_scripts/curl/result.json

.idea/.gitignore

@@ -1,21 +0,0 @@
-# Default ignored files
-/shelf/
-/workspace.xml
-# Datasource local storage ignored files
-/dataSources/
-/dataSources.local.xml
-# Editor-based HTTP Client requests
-/httpRequests/
-/certs/
-/logs/
-*.csr
-*.db
-/docker-compose/certs/
-/docker-compose/*-data/data/
-/docker-compose/*-data/uploads/
-/docker-compose/.env
-/docker-compose/.env_*
-/cmake-build/
-*.pem
-result.json
-token.json

BUILDING.md

@@ -0,0 +1,197 @@
+# Building from source
+
+In order to build OWSEC, you will need to install its dependencies, which includes the following:
+- cmake
+- boost
+- POCO 1.10.1 or later
+- a C++17 compiler
+- openssl
+- libpq-dev (PortgreSQL development libraries)
+- mysql-client (MySQL client)
+- librdkafka
+- cppkafka
+
+The build is done in 2 parts. The first part is to build a local copy of the framework tailored to your environment. This
+framework is called [Poco](https://github.com/pocoproject/poco). The version used in this project has a couple of fixes
+from the master copy needed for cmake. Please use the version of this [Poco fix](https://github.com/Telecominfraproject/wlan-cloud-lib-poco). Building
+Poco may take several minutes depending on the platform you are building on.
+
+## Ubuntu
+These instructions have proven to work on Ubuntu 20.4.
+```bash
+sudo apt install git cmake g++ libssl-dev libmariadb-dev \
+    libpq-dev libaprutil1-dev apache2-dev libboost-all-dev \
+    librdkafka-dev default-libmysqlclient-dev \
+    nlohmann-json-dev
+
+git clone https://github.com/Telecominfraproject/wlan-cloud-lib-poco --branch poco-tip-v1 poco
+cd poco
+mkdir cmake-build
+cd cmake-build
+cmake ..
+cmake --build . --config Release
+sudo cmake --build . --target install
+cd ../..
+
+git clone https://github.com/Telecominfraproject/wlan-cloud-lib-cppkafka --branch tip-v1 cppkafka
+cd cppkafka
+mkdir cmake-build
+cd cmake-build
+cmake ..
+cmake --build . --config Release
+sudo cmake --build . --target install
+cd ../..
+
+git clone https://github.com/Telecominfraproject/wlan-cloud-lib-valijson --branch tip-v1 valijson
+cd valijson
+mkdir cmake-build
+cd cmake-build
+cmake ..
+cmake --build . --config Release
+sudo cmake --build . --target install
+cd ../..
+
+git clone https://github.com/fmtlib/fmt --branch 9.0.0 /fmtlib
+cd fmtlib
+mkdir cmake-build
+cd cmake-build
+cmake ..
+make
+make install
+cd ../..
+
+git clone https://github.com/Telecominfraproject/wlan-cloud-ucentralsec
+cd wlan-cloud-ucentralsec
+mkdir cmake-build
+cd cmake-build
+cmake ..
+make -j 8
+cd ../..
+```
+
+## Fedora
+The following instructions have proven to work on Fedora 33
+```bash
+sudo yum install cmake g++ openssl-devel mysql-devel mysql apr-util-devel boost boost-devel \
+    yaml-cpp-devel lua-devel
+sudo dnf install postgresql.x86_64 librdkafka-devel
+sudo dnf install postgresql-devel json-devel
+
+git clone https://github.com/Telecominfraproject/wlan-cloud-lib-poco --branch poco-tip-v1 poco
+cd poco
+mkdir cmake-build
+cd cmake-build
+cmake ..
+cmake --build . --config Release
+sudo cmake --build . --target install
+cd ../..
+
+git clone https://github.com/Telecominfraproject/wlan-cloud-lib-cppkafka --branch tip-v1 cppkafka
+cd cppkafka
+mkdir cmake-build
+cd cmake-build
+cmake ..
+cmake --build . --config Release
+sudo cmake --build . --target install
+cd ../..
+
+git clone https://github.com/Telecominfraproject/wlan-cloud-lib-valijson --branch tip-v1 valijson
+cd valijson
+mkdir cmake-build
+cd cmake-build
+cmake ..
+cmake --build . --config Release
+sudo cmake --build . --target install
+cd ../..
+
+git clone https://github.com/Telecominfraproject/wlan-cloud-ucentralsec
+cd wlan-cloud-ucentralsec
+mkdir cmake-build
+cd cmake-build
+cmake ..
+make
+cd ../..
+```
+
+## macOS Build
+The following instructions have proven to work on macOS Big Sur. You need to install [Homebrew](https://brew.sh/). You must also have installed [XCode for OS X](https://www.freecodecamp.org/news/how-to-download-and-install-xcode/).
+```bash
+brew install openssl \
+	cmake \
+	libpq \
+	mysql-client \
+	apr \
+	apr-util \
+	boost \
+	yaml-cpp \
+	postgresql \
+	librdkafka \
+	nlohmann-json \
+	fmt
+
+git clone https://github.com/Telecominfraproject/wlan-cloud-lib-poco --branch poco-tip-v1 poco
+pushd poco
+mkdir cmake-build
+push cmake-build
+cmake -DOPENSSL_ROOT_DIR=</path/to/openssl> -DENABLE_NETSSL=1 -DENABLE_JWT=1 -DENABLE_CRYPTO=1 ..
+cmake --build . --config Release
+sudo cmake --build . --target install
+popd
+popd
+
+git clone https://github.com/Telecominfraproject/wlan-cloud-lib-cppkafka --branch tip-v1 cppkafka
+pushd cppkafka
+mkdir cmake-build
+pushd cmake-build
+cmake ..
+cmake --build . --config Release
+sudo cmake --build . --target install
+popd
+popd
+
+git clone https://github.com/Telecominfraproject/wlan-cloud-lib-valijson --branch tip-v1 valijson
+pushd valijson
+mkdir cmake-build
+pushd cmake-build
+cmake ..
+cmake --build . --config Release
+sudo cmake --build . --target install
+popd
+popd
+
+git clone https://github.com/Telecominfraproject/wlan-cloud-ucentralsec
+pushd wlan-cloud-ucentralsec
+mkdir cmake-build
+pushd cmake-build
+cmake ..
+make -j
+popd
+popd
+```
+
+## Raspberry
+The build on a rPI takes a while. You can shorten that build time and requirements by disabling all the larger database
+support. You can build with only SQLite support by not installing the packages for PostgreSQL, and MySQL by
+adding -DSMALL_BUILD=1 on the cmake build line.
+
+```bash
+sudo apt install git cmake g++ libssl-dev libaprutil1-dev apache2-dev \
+    libboost-all-dev libyaml-cpp-dev
+
+git clone https://github.com/Telecominfraproject/wlan-cloud-lib-poco --branch poco-tip-v1 poco
+cd poco
+mkdir cmake-build
+cd cmake-build
+cmake ..
+cmake --build . --config Release
+sudo cmake --build . --target install
+cd ../..
+
+git clone https://github.com/Telecominfraproject/wlan-cloud-ucentralsec
+cd wlan-cloud-ucentralsec
+mkdir cmake-build
+cd cmake-build
+cmake -DSMALL_BUILD=1 ..
+make
+cd ../..
+```

CLI.md

@@ -1,9 +1,9 @@
 # Security Service CLI Documentation
 
 ## Before using the CLI
-You must set the environment variable `UCENTRALSEC`. You must specify the host and port for the security service. Here is an example
+You must set the environment variable `OWSEC`. You must specify the host and port for the security service. Here is an example
 ```csh
-export UCENTRALSEC=mysecurityservice,example.com:16001
+export OWSEC=mysecurityservice,example.com:16001
 ```
 Once set, you can start using the `CLI`.
 
@@ -12,64 +12,59 @@ Most commands will take from 0 to 2 parameters. You should include all parameter
 
 ## The commands
 
-### `cli createuser <email> <initial password>`
-This will create a simple user as admin using the email as login ID and setting the initial password.
+### listendpoints                          
+Get all the system endpoints.
 
-### `cli createuser_v <email> <initial password>`
-This will create a simple user and force email verification. 
+### emailtest                              
+Generate a forgot Password e-amil to the logged in user.
 
-### `cli deleteuser <id>`
-Delete the specified user using the user's UUID.
+### me
+Show information about the logged user.
 
-### `cli getuser <id>`
-Get the specified user using the user's UUID.
+### createuser <email> <password>          
+Create a user with an initial password and force the user to change password.
 
-### `cli listusers`
-Get a list of users.
+### createuser_v <email> <password>        
+Same as create user but also force an e-mail verification.
 
-### `cli policies`
-List the link used to display password and usage policies for the management site.
+### deleteuser <user UUID>                 
+Delete the user.
+    
+### getuser <user UUID>                    
+Get the user information.
 
-### `cli setavatar <id> <filename>`
-Sets the avatar for the user with ID. The file should be gif, png, svg.
+### listusers
+List users.
 
-### `cli deleteavatar <id>`
-Remove the avatar fort the specified user ID.
+### policies
+List the login and access policies.
 
-### `cli secversion`
-Get the vewrsion of the secufiry service.
+### setavatar <user UUID> <filename>       
+Sets the avatar for user to the image in filename.
 
-### `cli sectimes`
-Get the starttime and uptime for the security service.
+### getavatar <user UUID>                  
+Get the avatar for the user.
 
+### deleteavatar <user UUID>               
+Remove the avatar for a user.
 
+### sendemail <recipient> <from>           
+Sends a test email to see if the e-mail system is working.
 
+### setloglevel <subsystem> <loglevel>
+Set the log level for s specific subsystem.
 
-### `cli revisions`
-Get the list of currently available revisions.
+### getloglevels
+Get the current log levels for all subsystems.
 
-### `cli devicetypes`
-Retrieve the list of known `device_types`
+### getloglevelnames
+Get the log level names available.
 
-### `cli firmwareage <device_type> <revision>`
-If you specify your `device_type` and `revision`, the system will do its best to estimate how
-far in the past you `revision` is compared to the latest revision.
+### getsubsystemnames
+Get the list of subsystems.
 
-### `cli gethistory <serialNumber>`
-Get the revision history for a given device.
-
-### `cli connecteddevices`
-Get a list of the currently known devices and the last connection information we have about the,
-
-### `cli connecteddevice <serialNumber>`
-Get the information relevant to a specific device.
-
-### `cli devicereport`
-Give a simplified dashboard report of the data in the service.
-
-### `cli fmsversion`
-Display the version of the service.
-
-### `cli fmstimes`
-Display the uptime and start time of the service.
+### systeminfo
+Get basic system information.
 
+### reloadsubsystem <subsystem name>
+Reload the configuration for a subsystem.

CMakeLists.txt

@@ -1,5 +1,5 @@
 cmake_minimum_required(VERSION 3.13)
-project(ucentralsec VERSION 2.1.0)
+project(owsec VERSION 3.0.0)
 
 set(CMAKE_CXX_STANDARD 17)
 
@@ -20,67 +20,174 @@ endif()
 
 # Auto build increment. You must define BUILD_INCREMENT with cmake -DBUILD_INCREMENT=1
 if(EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/build)
-    file(READ build BUILD_NUM)
+    file(READ ${CMAKE_CURRENT_SOURCE_DIR}/build BUILD_NUM)
     if(BUILD_INCREMENT)
         MATH(EXPR BUILD_NUM "${BUILD_NUM}+1")
-        file(WRITE build ${BUILD_NUM})
+        file(WRITE ${CMAKE_CURRENT_SOURCE_DIR}/build ${BUILD_NUM})
     endif()
 else()
     set(BUILD_NUM 1)
-    file(WRITE build ${BUILD_NUM})
+    file(WRITE ${CMAKE_CURRENT_SOURCE_DIR}/build ${BUILD_NUM})
 endif()
 
+find_package(Git QUIET)
+if(GIT_FOUND AND EXISTS "${PROJECT_SOURCE_DIR}/.git")
+    execute_process(COMMAND ${GIT_EXECUTABLE} rev-parse --short HEAD
+            WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}
+            RESULT_VARIABLE GIT_RESULT
+            OUTPUT_VARIABLE GIT_HASH)
+    if(NOT GIT_RESULT EQUAL "0")
+        message(FATAL_ERROR "git rev-parse --short HEAD failed with ${GIT_RESULT}")
+    endif()
+    string(REGEX REPLACE "\n$" "" GIT_HASH "${GIT_HASH}")
+endif()
+
+add_definitions(-DAWS_CUSTOM_MEMORY_MANAGEMENT -DBOOST_NO_CXX98_FUNCTION_BASE=1)
+
 set(BUILD_SHARED_LIBS 1)
 
-add_definitions(-DAPP_VERSION="${CMAKE_PROJECT_VERSION}" -DBUILD_NUMBER="${BUILD_NUM}")
 add_definitions(-DTIP_SECURITY_SERVICE="1")
+add_definitions(-DPOCO_LOG_DEBUG="1")
+
+add_compile_options(-Wall -Wextra)
+if(ASAN)
+    add_compile_options(-fsanitize=address)
+    add_link_options(-fsanitize=address)
+endif()
 
-set(Boost_USE_STATIC_LIBS OFF)
-set(Boost_USE_MULTITHREADED ON)
-set(Boost_USE_STATIC_RUNTIME OFF)
-find_package(Boost REQUIRED system)
 find_package(OpenSSL REQUIRED)
 find_package(ZLIB REQUIRED)
-
+find_package(fmt  REQUIRED)
+find_package(AWSSDK     REQUIRED COMPONENTS sns)
+find_package(nlohmann_json  REQUIRED)
 find_package(CppKafka REQUIRED)
 find_package(PostgreSQL REQUIRED)
 find_package(MySQL REQUIRED)
 find_package(Poco REQUIRED COMPONENTS JSON Crypto JWT Net Util NetSSL Data DataSQLite DataPostgreSQL DataMySQL)
 
-add_executable( ucentralsec
-                build
-                src/Daemon.h src/Daemon.cpp
-                src/MicroService.cpp src/MicroService.h
-                src/SubSystemServer.cpp src/SubSystemServer.h
-                src/RESTAPI_oauth2Handler.h src/RESTAPI_oauth2Handler.cpp
-                src/RESTAPI_handler.h src/RESTAPI_handler.cpp
-                src/RESTAPI_server.cpp src/RESTAPI_server.h
-                src/RESTAPI_SecurityObjects.cpp src/RESTAPI_SecurityObjects.h
-                src/RESTAPI_system_command.h src/RESTAPI_system_command.cpp
-                src/RESTAPI_protocol.h
-                src/AuthService.h src/AuthService.cpp
-                src/KafkaManager.h src/KafkaManager.cpp
-                src/StorageService.cpp src/StorageService.h
-                src/Utils.cpp src/Utils.h
-                src/storage_setup.cpp
-                src/storage_tables.cpp src/SMTPMailerService.cpp src/SMTPMailerService.h
-                src/RESTAPI_users_handler.cpp src/RESTAPI_users_handler.h
-                src/RESTAPI_user_handler.cpp src/RESTAPI_user_handler.h
-                src/RESTAPI_action_links.cpp src/RESTAPI_action_links.h src/storage_users.cpp
-                src/RESTAPI_InternalServer.cpp src/RESTAPI_InternalServer.h
-                src/RESTAPI_validateToken_handler.cpp src/RESTAPI_validateToken_handler.h
-                src/RESTAPI_systemEndpoints_handler.cpp src/RESTAPI_systemEndpoints_handler.h
-                src/RESTAPI_AssetServer.cpp src/RESTAPI_AssetServer.h
-                src/RESTAPI_avatarHandler.cpp src/RESTAPI_avatarHandler.h
-                src/storage_avatar.cpp src/storage_avatar.h src/storage_users.h
-                src/OpenWifiTypes.h )
+include_directories(/usr/local/include  /usr/local/opt/openssl/include src include/kafka /usr/local/opt/mysql-client/include)
+
+configure_file(src/ow_version.h.in ${PROJECT_SOURCE_DIR}/src/ow_version.h @ONLY)
+
+add_executable( owsec
+        build
+        src/ow_version.h.in
+        src/framework/CountryCodes.h
+        src/framework/KafkaTopics.h
+        src/framework/MicroService.h
+        src/framework/OpenWifiTypes.h
+        src/framework/orm.h
+        src/framework/StorageClass.h
+        src/framework/MicroServiceErrorHandler.h
+        src/framework/UI_WebSocketClientServer.cpp
+        src/framework/UI_WebSocketClientServer.h
+        src/framework/UI_WebSocketClientNotifications.cpp
+        src/framework/UI_WebSocketClientNotifications.h
+        src/framework/utils.h
+        src/framework/utils.cpp
+        src/framework/AppServiceRegistry.h
+        src/framework/SubSystemServer.cpp
+        src/framework/SubSystemServer.h
+        src/framework/RESTAPI_utils.h
+        src/framework/AuthClient.cpp
+        src/framework/AuthClient.h
+        src/framework/MicroServiceNames.h
+        src/framework/MicroServiceFuncs.h
+        src/framework/OpenAPIRequests.cpp
+        src/framework/OpenAPIRequests.h
+        src/framework/MicroServiceFuncs.cpp
+        src/framework/ALBserver.cpp
+        src/framework/ALBserver.h
+        src/framework/KafkaManager.cpp
+        src/framework/KafkaManager.h
+        src/framework/RESTAPI_RateLimiter.h
+        src/framework/WebSocketLogger.h
+        src/framework/RESTAPI_GenericServerAccounting.h
+        src/framework/RESTAPI_SystemConfiguration.h
+        src/framework/CIDR.h
+        src/framework/RESTAPI_Handler.cpp
+        src/framework/RESTAPI_Handler.h
+        src/framework/RESTAPI_ExtServer.h
+        src/framework/RESTAPI_ExtServer.cpp
+        src/framework/RESTAPI_IntServer.cpp
+        src/framework/RESTAPI_IntServer.h
+        src/framework/RESTAPI_SystemCommand.h
+        src/framework/RESTAPI_WebSocketServer.h
+        src/framework/EventBusManager.cpp
+        src/framework/EventBusManager.h
+        src/framework/RESTAPI_PartHandler.h
+        src/framework/MicroService.cpp
+        src/framework/MicroServiceExtra.h
+        src/framework/default_device_types.h
+        src/RESTObjects/RESTAPI_SecurityObjects.h src/RESTObjects/RESTAPI_SecurityObjects.cpp
+        src/RESTObjects/RESTAPI_GWobjects.h src/RESTObjects/RESTAPI_GWobjects.cpp
+        src/RESTObjects/RESTAPI_FMSObjects.h src/RESTObjects/RESTAPI_FMSObjects.cpp
+        src/RESTObjects/RESTAPI_CertObjects.cpp src/RESTObjects/RESTAPI_CertObjects.h
+        src/RESTObjects/RESTAPI_OWLSobjects.cpp src/RESTObjects/RESTAPI_OWLSobjects.h
+        src/RESTObjects/RESTAPI_ProvObjects.cpp src/RESTObjects/RESTAPI_ProvObjects.h
+        src/RESTObjects/RESTAPI_AnalyticsObjects.cpp src/RESTObjects/RESTAPI_AnalyticsObjects.h
+        src/RESTObjects/RESTAPI_SubObjects.cpp src/RESTObjects/RESTAPI_SubObjects.h
+
+        src/seclibs/qrcode/qrcodegen.hpp src/seclibs/qrcode/qrcodegen.cpp
+        src/seclibs/cpptotp/bytes.cpp src/seclibs/cpptotp/bytes.h
+        src/seclibs/cpptotp/otp.cpp src/seclibs/cpptotp/otp.h
+        src/seclibs/cpptotp/sha1.cpp src/seclibs/cpptotp/sha1.h
+        src/RESTAPI/RESTAPI_oauth2_handler.h src/RESTAPI/RESTAPI_oauth2_handler.cpp
+        src/RESTAPI/RESTAPI_users_handler.cpp src/RESTAPI/RESTAPI_users_handler.h
+        src/RESTAPI/RESTAPI_user_handler.cpp src/RESTAPI/RESTAPI_user_handler.h
+        src/RESTAPI/RESTAPI_action_links.cpp src/RESTAPI/RESTAPI_action_links.h
+        src/RESTAPI/RESTAPI_validate_token_handler.cpp src/RESTAPI/RESTAPI_validate_token_handler.h
+        src/RESTAPI/RESTAPI_system_endpoints_handler.cpp src/RESTAPI/RESTAPI_system_endpoints_handler.h
+        src/RESTAPI/RESTAPI_asset_server.cpp src/RESTAPI/RESTAPI_asset_server.h
+        src/RESTAPI/RESTAPI_avatar_handler.cpp src/RESTAPI/RESTAPI_avatar_handler.h
+        src/RESTAPI/RESTAPI_subavatar_handler.cpp src/RESTAPI/RESTAPI_subavatar_handler.h
+        src/RESTAPI/RESTAPI_email_handler.cpp src/RESTAPI/RESTAPI_email_handler.h
+        src/RESTAPI/RESTAPI_sms_handler.cpp src/RESTAPI/RESTAPI_sms_handler.h
+        src/RESTAPI/RESTAPI_suboauth2_handler.h src/RESTAPI/RESTAPI_suboauth2_handler.cpp
+        src/RESTAPI/RESTAPI_subuser_handler.h src/RESTAPI/RESTAPI_subuser_handler.cpp
+        src/RESTAPI/RESTAPI_subusers_handler.h src/RESTAPI/RESTAPI_subusers_handler.cpp
+        src/RESTAPI/RESTAPI_validate_sub_token_handler.cpp src/RESTAPI/RESTAPI_validate_sub_token_handler.h
+        src/RESTAPI/RESTAPI_submfa_handler.cpp src/RESTAPI/RESTAPI_submfa_handler.h
+        src/RESTAPI/RESTAPI_preferences.cpp src/RESTAPI/RESTAPI_preferences.h
+        src/RESTAPI/RESTAPI_subpreferences.cpp src/RESTAPI/RESTAPI_subpreferences.h
+        src/RESTAPI/RESTAPI_routers.cpp
+        src/Daemon.h src/Daemon.cpp
+        src/SpecialUserHelpers.h
+        src/AuthService.h src/AuthService.cpp
+        src/StorageService.cpp src/StorageService.h
+        src/SMTPMailerService.cpp src/SMTPMailerService.h
+        src/SMSSender.cpp src/SMSSender.h
+        src/MFAServer.cpp src/MFAServer.h
+        src/SMS_provider_aws.cpp src/SMS_provider_aws.h
+        src/SMS_provider.cpp src/SMS_provider.h
+        src/SMS_provider_twilio.cpp src/SMS_provider_twilio.h
+        src/ActionLinkManager.cpp src/ActionLinkManager.h
+        src/ACLProcessor.h
+        src/storage/orm_users.cpp src/storage/orm_users.h
+        src/storage/orm_tokens.cpp src/storage/orm_tokens.h
+        src/storage/orm_preferences.cpp src/storage/orm_preferences.h
+        src/storage/orm_actionLinks.cpp src/storage/orm_actionLinks.h
+        src/storage/orm_avatar.cpp src/storage/orm_avatar.h
+        src/SpecialUserHelpers.h
+        src/RESTAPI/RESTAPI_db_helpers.h src/storage/orm_logins.cpp src/storage/orm_logins.h
+        src/RESTAPI/RESTAPI_totp_handler.cpp
+        src/RESTAPI/RESTAPI_totp_handler.h
+        src/TotpCache.h
+        src/RESTAPI/RESTAPI_subtotp_handler.cpp src/RESTAPI/RESTAPI_subtotp_handler.h
+        src/RESTAPI/RESTAPI_signup_handler.cpp src/RESTAPI/RESTAPI_signup_handler.h
+        src/MessagingTemplates.h src/RESTAPI/RESTAPI_apiKey_handler.cpp src/RESTAPI/RESTAPI_apiKey_handler.h src/storage/orm_apikeys.cpp src/storage/orm_apikeys.h src/RESTAPI/RESTAPI_validate_apikey.cpp src/RESTAPI/RESTAPI_validate_apikey.h src/RESTAPI/RESTAPI_systemSecret_handler.cpp src/RESTAPI/RESTAPI_systemSecret_handler.h src/SecretStore.cpp src/SecretStore.h)
 
 if(NOT SMALL_BUILD)
-    target_link_libraries(ucentralsec PUBLIC
-            ${Poco_LIBRARIES} ${Boost_LIBRARIES} ${MySQL_LIBRARIES}  ${ZLIB_LIBRARIES}
+    target_link_libraries(owsec PUBLIC
+            ${Poco_LIBRARIES}
+            ${MySQL_LIBRARIES}
+            ${ZLIB_LIBRARIES}
             CppKafka::cppkafka
+            ${AWSSDK_LINK_LIBRARIES}
+            fmt::fmt
+            resolv
             )
     if(UNIX AND NOT APPLE)
-        target_link_libraries(ucentralsec PUBLIC PocoJSON)
+        target_link_libraries(owsec PUBLIC PocoJSON)
     endif()
-endif()
+endif()

CONFIGURATION.md

@@ -0,0 +1,270 @@
+# OWSEC Configuration
+Here is the list of parameters you can configure in the `owsec.properties` file.
+
+## OWSEC Specific Parameters
+### OWSEC Login
+```properties
+authentication.default.password: 13268b7daa751240369d125e79c873bd8dd3bef7981bdfd38ea03dbb1fbe7dcf
+authentication.default.username: tip@ucentral.com
+authentication.enabled: true
+```
+
+```properties
+authentication.token.ageing = 30 * 24 * 60 * 60
+authentication.oldpasswords = 5
+openwifi.document.policy.access = /wwwassets/access_policy.html
+openwifi.document.policy.password = /wwwassets/password_policy.html
+authentication.validation.expression =
+subscriber.validation.expression =
+subscriber.policy.access = /wwwassets/access_policy.html
+subscriber.policy.password = /wwwassets/password_policy.html
+```
+
+### Mail template variables
+```properties
+helper.user.email = charles.bourque@arilia.com
+helper.sub.email = charles.bourque@arilia.com
+helper.user.global.email = info@arilia.com
+helper.sub.global.email = info@arilia.com
+helper.user.site = https://ucentral.dpaas.arilia.com
+helper.sub.site = https://ucentral.dpaas.arilia.com
+helper.user.login = https://ucentral.dpaas.arilia.com
+helper.sub.login = https://ucentral.dpaas.arilia.com
+helper.user.signature = Arilia Wireless Inc.
+helper.sub.signature = Arilia Wireless Inc.
+```
+
+### Google authenticator
+```properties
+totp.issuer: Arilia
+```
+
+### Mailer 
+```properties
+mailer.enabled: true
+mailer.hostname: email-smtp.us-west-2.amazonaws.com
+mailer.loginmethod: login
+mailer.password: ***********************************************
+mailer.port: 587
+mailer.sender: no-reply@arilia.com
+mailer.templates: $OWSEC_ROOT/templates
+mailer.username: AKIATXEXGKF3QZN543VS
+```
+
+### Built-in web server 
+```properties
+openwifi.avatar.maxsize: 2000000
+openwifi.document.policy.access: /wwwassets/access_policy.html
+openwifi.document.policy.password: /wwwassets/password_policy.html
+```
+
+### SMS Sender
+```properties
+smssender.aws.accesskey: ***********************
+smssender.aws.region: us-west-2
+smssender.aws.secretkey: ******************************************+X
+smssender.enabled: true
+smssender.provider: aws
+```
+
+```properties
+smssender.provider = twilio
+smssender.twilio.sid = ***********************
+smssender.twilio.token = **********************
+smssender.twilio.phonenumber = +18888888888
+```
+
+## Generic OpenWiFi SDK parameters
+### REST API External parameters
+These are the parameters required for the configuration of the external facing REST API server
+```properties
+openwifi.restapi.host.0.backlog = 100
+openwifi.restapi.host.0.security = relaxed
+openwifi.restapi.host.0.rootca = $OWSEC_ROOT/certs/restapi-ca.pem
+openwifi.restapi.host.0.address = *
+openwifi.restapi.host.0.port = 16001
+openwifi.restapi.host.0.cert = $OWSEC_ROOT/certs/restapi-cert.pem
+openwifi.restapi.host.0.key = $OWSEC_ROOT/certs/restapi-key.pem
+openwifi.restapi.host.0.key.password = mypassword
+```
+
+#### openwifi.restapi.host.0.backlog
+This is the number of concurrent REST API calls that maybe be kept in the backlog for processing. That's a good rule of thumb. Never go above 500.
+#### openwifi.restapi.host.0.rootca
+This is the root file of your own certificate CA in `pem` format.
+#### openwifi.restapi.host.0.cert
+This is your own server certificate in `pem` format..
+#### openwifi.restapi.host.0.key
+This is the private key associated with your own certificate in `pem` format.
+#### openwifi.restapi.host.0.address
+Leve this a `*` in the case you want to bind to all interfaces on your gateway host or select the address of a single interface.
+#### openwifi.restapi.host.0.port
+The port on which the REST API server is listening. By default, this is 16002.
+#### openwifi.restapi.host.0.security
+Leave this as `relaxed` for now for devices.
+#### openwifi.restapi.host.0.key.password
+If you key file uses a password, please enter it here.
+
+### REST API Intra microservice parameters
+The following parameters describe the configuration for the inter-microservice HTTP server. You may use the same certificate/key
+you are using for your extenral server or another certificate.
+```properties
+openwifi.internal.restapi.host.0.backlog = 100
+openwifi.internal.restapi.host.0.security = relaxed
+openwifi.internal.restapi.host.0.rootca = $OWSEC_ROOT/certs/restapi-ca.pem
+openwifi.internal.restapi.host.0.address = *
+openwifi.internal.restapi.host.0.port = 17001
+openwifi.internal.restapi.host.0.cert = $OWSEC_ROOT/certs/restapi-cert.pem
+openwifi.internal.restapi.host.0.key = $OWSEC_ROOT/certs/restapi-key.pem
+openwifi.internal.restapi.host.0.key.password = mypassword
+```
+
+#### openwifi.internal.host.0.backlog
+This is the number of concurrent REST API calls that maybe be kept in the backlog for processing. That's a good rule of thumb. Never go above 500.
+#### openwifi.internal.host.0.rootca
+This is the root file of your own certificate CA in `pem` format.
+#### openwifi.internal.host.0.cert
+This is your own server certificate in `pem` format..
+#### openwifi.internal.host.0.key
+This is the private key associated with your own certificate in `pem` format.
+#### openwifi.internal.host.0.address
+Leve this a `*` in the case you want to bind to all interfaces on your gateway host or select the address of a single interface.
+#### openwifi.internal.host.0.port
+The port on which the REST API server is listening. By default, this is 17002.
+#### openwifi.internal.host.0.security
+Leave this as `relaxed` for now for devices.
+#### openwifi.internal.host.0.key.password
+If you key file uses a password, please enter it here.
+
+### Microservice information
+These are different Microservie parameters. Following is a brief explanation.
+```properties
+openwifi.service.key = $OWSEC_ROOT/certs/restapi-key.pem
+openwifi.service.key.password = mypassword
+openwifi.system.data = $OWSEC_ROOT/data
+openwifi.system.uri.private = https://localhost:17004
+openwifi.system.uri.public = https://ucentral.dpaas.arilia.com:16002
+openwifi.system.uri.ui = https://ucentral-ui.arilia.com
+openwifi.security.restapi.disable = false
+openwifi.system.commandchannel = /tmp/app.ucentralfms
+openwifi.autoprovisioning = true
+```
+#### openwifi.service.key
+From time to time, the microservice must encrypt information. This is the key it should use. You may use the
+same keey as you RESTAPI or your server.
+#### openwifi.service.key.password
+The password for the `openwifi.service.key`
+#### openwifi.system.data
+The location of system data. This path must exist.
+#### openwifi.system.uri.private
+The URI to reach the controller on the internal port.
+#### openwifi.system.uri.public
+The URI to reach the controller from the outside world.
+#### openwifi.system.uri.ui
+The URI of the UI to manage this service
+#### openwifi.security.restapi.disable
+This allows to disable security for internal and external API calls. This should only be used if the controller
+sits behind an application load balancer that will actually do TLS. Setting this to `true` disables security.
+#### openwifi.system.commandchannel
+The UNIX socket command channel used by this service.
+#### openwifi.autoprovisioning
+Allow unknown devices to be provisioned by the system.
+
+### ALB Support
+In order to support an application load balancer health check verification, your need to provide the following parameters.
+```properties
+alb.enable = true
+alb.port = 16101
+```
+
+### Kafka
+The controller use Kafka, like all the other microservices. You must configure the kafka section in order for the
+system to work.
+```properties
+openwifi.kafka.group.id = security
+openwifi.kafka.client.id = security1
+openwifi.kafka.enable = true
+openwifi.kafka.brokerlist = my_Kafka.example.com:9092
+openwifi.kafka.auto.commit = false
+openwifi.kafka.queue.buffering.max.ms = 50
+```
+
+### openwifi.kafka.group.id
+The group ID is a single word that should identify the type of service tuning. In the case `security`
+### openwifi.kafka.client.id
+The client ID is a single service within that group ID. Each participant must have a unique client ID.
+### openwifi.kafka.enable
+Kafka should always be enabled.
+### openwifi.kafka.brokerlist
+The list of servers where your Kafka server is running. Comma separated.
+### openwifi.kafka.auto.commit
+Auto commit flag in Kafka. Leave as `false`.
+### openwifi.kafka.queue.buffering.max.ms
+Kafka buffering. Leave as `50`.
+### Kafka security
+If you intend to use SSL, you should look into Kafka Connect and specify the certificates below.
+```properties
+penwifi.kafka.ssl.ca.location =
+openwifi.kafka.ssl.certificate.location =
+openwifi.kafka.ssl.key.location =
+openwifi.kafka.ssl.key.password =
+```
+
+### DB Type
+The controller supports 3 types of Database. SQLite should only be used for sites with less than 100 APs or for testing in the lab.
+In order to select which database to use, you must set the `storage.type` value to sqlite, postgresql, or mysql.
+
+```properties
+storage.type = sqlite
+#storage.type = postgresql
+#storage.type = mysql
+```
+
+### Storage SQLite parameters
+Additional parameters to set for SQLite. The only important one is `storage.type.sqlite.db` which is the database name on disk.
+```properties
+storage.type.sqlite.db = security.db
+storage.type.sqlite.idletime = 120
+storage.type.sqlite.maxsessions = 128
+```
+
+### Storage Postgres
+Additional parameters to set if you select Postgres for your database. You must specify `host`, `username`, `password`,
+`database`, and `port`.
+```properties
+storage.type.postgresql.maxsessions = 64
+storage.type.postgresql.idletime = 60
+storage.type.postgresql.host = localhost
+storage.type.postgresql.username = security
+storage.type.postgresql.password = security
+storage.type.postgresql.database = security
+storage.type.postgresql.port = 5432
+storage.type.postgresql.connectiontimeout = 60
+```
+
+### Storage MySQL/MariaDB
+Additional parameters to set if you select mysql for your database. You must specify `host`, `username`, `password`,
+`database`, and `port`.
+```properties
+storage.type.mysql.maxsessions = 64
+storage.type.mysql.idletime = 60
+storage.type.mysql.host = localhost
+storage.type.postgresql.username = security
+storage.type.postgresql.password = security
+storage.type.postgresql.database = security
+storage.type.mysql.port = 3306
+storage.type.mysql.connectiontimeout = 60
+```
+
+### Logging Parameters
+The microservice provides extensive logging. If you would like to keep logging on disk, set the `logging.type = file`. If you only want
+console logging, `set logging.type = console`. When selecting file, `logging.path` must exist. `logging.level` sets the
+basic logging level for the entire controller. `logging.websocket` disables WebSocket logging.
+
+```properties
+logging.type = file
+logging.path = $OWSEC_ROOT/logs
+logging.level = information
+logging.asynch = true
+logging.websocket = false
+```

CONTRIBUTING.md

@@ -0,0 +1,38 @@
+# How to Contribute
+
+We'd love to accept your patches and contributions to this project. There are
+just a few small guidelines you need to follow.
+
+## Version of C++
+This project is based on the C++17 standard and compiles as-is on most platforms 
+using either clang or g++. Do not use C++21 or C++23 features for now. Some core 
+libraries used in this project do not support C++21 or C++23 yet.
+
+## Variable Naming
+Naming of pretty much anything uses Pascal naming. Longer explicit names using casing. 
+Member variable naming adds a `_` at the end of the vars. Try to
+keep this standard going. Sometimes you must override a base class function and then of course
+you need to follow the base class.
+
+## This is a cmake project
+This is a cmake project, and you need to adhere to the cmake rules. If you need
+to add a package to the CMakeList, you need to ensure that the package is available
+on all required platforms and compiles. Remember that this project runs on Linux, OS X, 
+and the Raspberry PI.
+
+## Licensed packages
+When adding a package, you must also state the licensing for the package. MIT, BSD, Apache licenses
+are acceptable. No commercial licenses are allowed. 
+
+## clang formatting
+Please format your code using the included `.clang-format` file included in the project.
+
+```bash
+clang-format -i --style=<project root>/.clang-format myfile.cpp
+```
+
+## Pull Requests
+All submissions, including submissions by project members, require review. We
+accept GitHub pull requests. Please create a branch with the Jira name for addressing the issue you are fixing or the 
+feature you are implementing.
+Create a pull-request from the branch into master. 

Dockerfile

@@ -1,23 +1,22 @@
-FROM alpine AS builder
+ARG DEBIAN_VERSION=11.5-slim
+ARG POCO_VERSION=poco-tip-v2
+ARG CPPKAFKA_VERSION=tip-v1
+ARG VALIJASON_VERSION=tip-v1
 
-RUN apk add --update --no-cache \
-    openssl openssh \
-    ncurses-libs \
-    bash util-linux coreutils curl \
-    make cmake gcc g++ libstdc++ libgcc git zlib-dev \
-    openssl-dev boost-dev unixodbc-dev postgresql-dev mariadb-dev \
-    apache2-utils yaml-dev apr-util-dev \
-    librdkafka-dev
+FROM debian:$DEBIAN_VERSION AS build-base
 
-RUN git clone https://github.com/stephb9959/poco /poco
-RUN git clone https://github.com/stephb9959/cppkafka /cppkafka
+RUN apt-get update && apt-get install --no-install-recommends -y \
+    make cmake g++ git curl zip unzip pkg-config \
+    libpq-dev libmariadb-dev libmariadbclient-dev-compat \
+    librdkafka-dev libboost-all-dev libssl-dev \
+    zlib1g-dev ca-certificates libcurl4-openssl-dev libfmt-dev
 
-WORKDIR /cppkafka
-RUN mkdir cmake-build
-WORKDIR cmake-build
-RUN cmake ..
-RUN cmake --build . --config Release -j8
-RUN cmake --build . --target install
+FROM build-base AS poco-build
+
+ARG POCO_VERSION
+
+ADD https://api.github.com/repos/Telecominfraproject/wlan-cloud-lib-poco/git/refs/tags/${POCO_VERSION} version.json
+RUN git clone https://github.com/Telecominfraproject/wlan-cloud-lib-poco --branch ${POCO_VERSION} /poco
 
 WORKDIR /poco
 RUN mkdir cmake-build
@@ -26,36 +25,96 @@ RUN cmake ..
 RUN cmake --build . --config Release -j8
 RUN cmake --build . --target install
 
-ADD CMakeLists.txt build /ucentralsec/
-ADD cmake /ucentralsec/cmake
-ADD src /ucentralsec/src
+FROM build-base AS cppkafka-build
 
-WORKDIR /ucentralsec
+ARG CPPKAFKA_VERSION
+
+ADD https://api.github.com/repos/Telecominfraproject/wlan-cloud-lib-cppkafka/git/refs/tags/${CPPKAFKA_VERSION} version.json
+RUN git clone https://github.com/Telecominfraproject/wlan-cloud-lib-cppkafka --branch ${CPPKAFKA_VERSION} /cppkafka
+
+WORKDIR /cppkafka
 RUN mkdir cmake-build
-WORKDIR /ucentralsec/cmake-build
+WORKDIR cmake-build
 RUN cmake ..
 RUN cmake --build . --config Release -j8
+RUN cmake --build . --target install
 
-FROM alpine
+FROM build-base AS valijson-build
 
-ENV UCENTRALSEC_USER=ucentralsec \
-    UCENTRALSEC_ROOT=/ucentralsec-data \
-    UCENTRALSEC_CONFIG=/ucentralsec-data
+ARG VALIJASON_VERSION
 
-RUN addgroup -S "$UCENTRALSEC_USER" && \
-    adduser -S -G "$UCENTRALSEC_USER" "$UCENTRALSEC_USER"
+ADD https://api.github.com/repos/Telecominfraproject/wlan-cloud-lib-valijson/git/refs/tags/${VALIJASON_VERSION} version.json
+RUN git clone https://github.com/Telecominfraproject/wlan-cloud-lib-valijson --branch ${VALIJASON_VERSION} /valijson
 
-RUN mkdir /ucentral
-RUN mkdir -p "$UCENTRALSEC_ROOT" "$UCENTRALSEC_CONFIG" && \
-    chown "$UCENTRALSEC_USER": "$UCENTRALSEC_ROOT" "$UCENTRALSEC_CONFIG"
-RUN apk add --update --no-cache librdkafka mariadb-connector-c libpq unixodbc su-exec
+WORKDIR /valijson
+RUN mkdir cmake-build
+WORKDIR cmake-build
+RUN cmake ..
+RUN cmake --build . --config Release -j8
+RUN cmake --build . --target install
 
-COPY --from=builder /ucentralsec/cmake-build/ucentralsec /ucentral/ucentralsec
-COPY --from=builder /cppkafka/cmake-build/src/lib/* /lib/
-COPY --from=builder /poco/cmake-build/lib/* /lib/
+FROM build-base AS owsec-build
+
+ADD CMakeLists.txt build /owsec/
+ADD overlays /owsec/overlays
+ADD cmake /owsec/cmake
+ADD src /owsec/src
+ADD .git /owsec/.git
+ARG VCPKG_VERSION=2022.11.14
+RUN git clone --depth 1 --branch ${VCPKG_VERSION} https://github.com/microsoft/vcpkg && \
+    ./vcpkg/bootstrap-vcpkg.sh && \
+    mkdir /vcpkg/custom-triplets && \
+    cp /vcpkg/triplets/x64-linux.cmake /vcpkg/custom-triplets/x64-linux.cmake && \
+    sed -i 's/set(VCPKG_LIBRARY.*/set(VCPKG_LIBRARY_LINKAGE dynamic)/g' /vcpkg/custom-triplets/x64-linux.cmake && \
+    ./vcpkg/vcpkg install aws-sdk-cpp[sns]:x64-linux json-schema-validator:x64-linux --overlay-triplets=/vcpkg/custom-triplets --overlay-ports=/owsec/overlays
+
+COPY --from=poco-build /usr/local/include /usr/local/include
+COPY --from=poco-build /usr/local/lib /usr/local/lib
+COPY --from=cppkafka-build /usr/local/include /usr/local/include
+COPY --from=cppkafka-build /usr/local/lib /usr/local/lib
+
+WORKDIR /owsec
+RUN mkdir cmake-build
+WORKDIR /owsec/cmake-build
+RUN cmake -DCMAKE_TOOLCHAIN_FILE=/vcpkg/scripts/buildsystems/vcpkg.cmake ..
+RUN cmake --build . --config Release -j8
+
+FROM debian:$DEBIAN_VERSION
+
+ENV OWSEC_USER=owsec \
+    OWSEC_ROOT=/owsec-data \
+    OWSEC_CONFIG=/owsec-data
+
+RUN useradd "$OWSEC_USER"
+
+RUN mkdir /openwifi
+RUN mkdir -p "$OWSEC_ROOT" "$OWSEC_CONFIG" && \
+    chown "$OWSEC_USER": "$OWSEC_ROOT" "$OWSEC_CONFIG"
+
+RUN apt-get update && apt-get install --no-install-recommends -y \
+    librdkafka++1 gosu gettext ca-certificates bash jq curl wget \
+    libmariadb-dev-compat libpq5 postgresql-client libfmt7
+
+COPY readiness_check /readiness_check
+COPY test_scripts/curl/cli /cli
+
+COPY owsec.properties.tmpl /
+COPY wwwassets /dist/wwwassets
+COPY templates /dist/templates
 COPY docker-entrypoint.sh /
+COPY wait-for-postgres.sh /
+RUN wget https://raw.githubusercontent.com/Telecominfraproject/wlan-cloud-ucentral-deploy/main/docker-compose/certs/restapi-ca.pem \
+    -O /usr/local/share/ca-certificates/restapi-ca-selfsigned.crt
+
+COPY --from=owsec-build /owsec/cmake-build/owsec /openwifi/owsec
+COPY --from=owsec-build /vcpkg/installed/x64-linux/lib/ /usr/local/lib/
+COPY --from=cppkafka-build /cppkafka/cmake-build/src/lib/ /usr/local/lib/
+COPY --from=poco-build /poco/cmake-build/lib/ /usr/local/lib/
+COPY --from=valijson-build /usr/local/include /usr/local/include
+
+RUN ldconfig
 
 EXPOSE 16001 17001 16101
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
-CMD ["/ucentral/ucentralsec"]
+CMD ["/openwifi/owsec"]

OPERATOR.md

@@ -0,0 +1,37 @@
+# Operator Support
+In order to support multiple tenants and operators, you must prepare the security service to serve
+customized e-mails and messages.
+
+## Structure for `templates`
+Any file in the root of the directory will be used as defaults. The following files must be present:
+- email_invitation.html/txt : This email message will be sent to a newly added user. 
+- email_verification.html/txt : This email is sent when an email verification is required.
+- password_reset.html/txt : This is sent when a pasword reset is requested.
+- verification_code.html/txt : This is used during MFA when email based.
+- signup_verification.html/txt : This email is send to a new subscriber who signed up for service.
+- sub_email_verification.html/txt : This is sent to a subscriber requiring an email verification.
+- sub_verification_code.html/txt : This is used during MFA when email based for a subscriber.
+- logo.jpg : The default logo to use in any of these emails.
+
+## Structure for `wwwassets`
+Any file in the root of the directory will be used as defaults. The following files must be present:
+- email_verification_error.html : Used when email verification has failed.
+- email_verification_success.html : Used when emil verification has succeeded.
+- invitation_error.html :
+- invitation_success.html :
+- password_policy.html :
+- password_reset.html :
+- password_reset_success.html :
+- password_reset_error.html :
+- signup_verification.html :
+- signup_verification_error.html :
+- signup_verification_success.html :
+- favicon.ico : icon for the application
+- 404_error.html : your customized 404 page
+- the_logo : the logo to use.
+
+## For tenants
+When creating a tenant/operator, you must create a subdirectory inside each `wwwassets` and `templates` and replicate 
+all the files that appear at the root level. You need to use the short Operator name (also known as RegistrantId in the API). This means 
+no spaces, all lowercase characters and numbers. No special characters: 0-9 and a-z. 
+

README.md

@@ -1,59 +1,100 @@
-# ucentralsec
+<p align="center">
+    <img src="images/project/logo.svg" width="200"/>
+</p>
 
-uCentralSec is the Authentication & Resource Policy Access service for the uCentral system. In order to use the uCentral system
-you must have at least 1 uCentralSec. uCentralSec is the first point of contact for the entire architecture. We strongly recommend using Docker 
-to deploy all the uCentral services. If you would like to develop and play with the source, please do.
+# OpenWiFi Security  (OWSEC)
+
+## What is it?
+The OWSEC is a service for the TIP OpenWiFi CloudSDK (OWSDK).
+OWSEC is the Authentication and Resource Policy Access service for the TIP
+OpenWiFi Cloud SDK (OWSDK). OWSEC,
+like all other OWSDK microservices, is defined using an OpenAPI definition and uses the ucentral communication
+protocol to interact with Access Points. To use the OWSUB, you either need to [build it](#building) or use the
+[Docker version](#docker).
+
+## Building
+To build the microservice from source, please follow the instructions in [here](./BUILDING.md)
+
+## Docker
+To use the CLoudSDK deployment please follow [here](https://github.com/Telecominfraproject/wlan-cloud-ucentral-deploy)
 
 ## OpenAPI
-Like all other uCentral services, uCentralSec is defined through an OpenAPI. You can use this API to build your own applications or integration modules
-into your own systems. If all you need it to access the uCentralGW for example (the service that manages the APs), you will need to:
+You may get static page with OpenAPI docs generated from the definition on [GitHub Page](https://telecominfraproject.github.io/wlan-cloud-ucentralsec/).
+Also, you may use [Swagger UI](https://petstore.swagger.io/#/) with OpenAPI definition file raw link (i.e. [latest version file](https://raw.githubusercontent.com/Telecominfraproject/wlan-cloud-ucentralsec/main/openapi/owsec.yaml)) to get interactive docs page.
 
+## Usage
+Like all other OWSDK services, OWSEC is defined through an OpenAPI. You can use this API to build your own 
+applications or integration modules into your own systems. If all you need it to access the OWGW for 
+example (the service that manages the APs), you will need to:
 - get a token (`/oauth2`)
 - find the endpoints on the system (`/systemEndpoints`) 
-- choose one to manage (pick an endpoint that matches what you are trying to do by looking at its `type`. For the gateway, type = ucentrtalgw)
-- make your calls (use the PublicEndPoint of the corresponding entry to make your calls, do not forget to add `/api/v1` as the root os the call)
+- choose a microservice to manage (pick an endpoint that matches what you are trying to do by looking at its 
+`type`. For the Cloud SDK Controller, type = owgw)
+- make your calls (use the PublicEndPoint of the corresponding entry to make your calls, 
+do not forget to add `/api/v1` as the root os the call)
 
-The CLI for the [uCentralGW](https://github.com/telecominfraproject/wlan-cloud-ucentralgw/blob/main/test_scripts/curl/cli) has a very good example of this. Loog for the `setgateway` 
-function.
+The CLI for the [OWGW](https://github.com/telecominfraproject/wlan-cloud-ucentralsec/blob/main/test_scripts/curl/cli) has 
+a very good example of this. Look for the `setgateway` function.
+
+You may get static page with OpenAPI docs generated from the definition on [GitHub Page](https://telecominfraproject.github.io/wlan-cloud-ucentralsec/).
+
+Also, you may use [Swagger UI](https://petstore.swagger.io/#/) with OpenAPI definition file raw link (i.e. [latest version file](https://validator.swagger.io/validator?url=https://raw.githubusercontent.com/Telecominfraproject/wlan-cloud-ucentralsec/main/openpapi/owsec.yaml)) to get interactive docs page.
+
+#### Expected directory layout
+From the directory where your cloned source is, you will need to create the `certs`, `logs`, and `uploads` directories.
+```bash
+mkdir certs
+mkdir certs/cas
+mkdir logs
+mkdir uploads
+```
+You should now have the following:
+```text
+--+-- certs
+  |   +--- cas
+  +-- cmake
+  +-- cmake-build
+  +-- logs
+  +-- src
+  +-- test_scripts
+  +-- openapi
+  +-- uploads
+  +-- owsec.properties
+```
+
+### Certificate
+The OWSEC uses a certificate to provide security for the REST API Certificate to secure the Northbound API.
+
+#### The `certs` directory
+For all deployments, you will need the following `certs` directory, populated with the proper files.
+
+```text
+certs ---+--- restapi-ca.pem
+         +--- restapi-cert.pem
+         +--- restapi-key.pem
+```
 
 ## Firewall Considerations
-The entire uCentral systems uses several MicroServices. In order for the whole system to work, you should provide the following port
-access
+| Port  | Description                                | Configurable |
+|:------|:-------------------------------------------|:------------:|
+| 16001 | Default port from the devices to the OWSEC |     yes      |
 
-- Security
-  - Properties file: ucentralsec.properties
-  - Ports
-    - Public: 16001
-    - Private: 17001
-    - ALB: 16101
+### Environment variables
+The following environment variables should be set from the root directory of the service. They tell the OWGW process where to find
+the configuration and the root directory.
+```bash
+export OWGW_ROOT=`pwd`
+export OWGW_CONFIG=`pwd`
+```
+You can run the shell script `set_env.sh` from the microservice root.
 
-- Gateway:
-  - Properties file: ucentralgw.properties
-  - Ports
-    - Public: 16002
-    - Private: 17002
-    - ALB: 16102
-
-- Firmware:
-  - Properties file: ucentralfms.properties
-  - Ports
-    - Public: 16004
-    - Private: 17004
-    - ALB: 16104
-
-## Security Configuration
-The service relies on a properties configuration file called `ucentralsec.properties`. In this file, you should configure several entries. Many values are optional 
-and you can rely on the defaults. Here are some values of note:
-
-### `authentication.default.password`
-Set the hash of the default username and password. Please look below on how to do this. 
-
-### `authentication.default.username`
-Set the default username to use to login.
+### OWSEC Service Configuration
+The configuration is kept in a file called `owsec.properties`. To understand the content of this file,
+please look [here](https://github.com/Telecominfraproject/wlan-cloud-ucentralsec/blob/main/CONFIGURATION.md)
 
 ### Default username and password
-The default username and password are set in `ucentralsec.properties` file. The following entries manage the username and password
-```text
+The default username and password are set in `owsec.properties` file. The following entries manage the username and password
+```properties
 authentication.default.username = tip@ucentral.com
 authentication.default.password = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 ```
@@ -68,108 +109,63 @@ echo -n "weLoveWifiroot@system.com" | shasum -a 256
 b5bfed31e2a272e52973a57b95042ab842db3999475f3d79f1ce0f45f465e34c  -
 ```
 Then you need to modify your properties file like this
-```text
+```properties
 authentication.default.username = root@system.com
 authentication.default.password = b5bfed31e2a272e52973a57b95042ab842db3999475f3d79f1ce0f45f465e34c
 ```
 Remember, when you login, use `root@system.com` with the password `weLoveWifi`, not this monster digit sequence.
 
-#### Is this safe?
-Is this safe to show the hash in a text file? Let me put it this way, if you can find a way to break this encryption, you
-would have control over the entire internet. It's incredibly safe. If you love math, you can find a lot of videos explaining
-how hashes work and why they are safe.
+### Changing default password
+On the first startup of the service new user will be created with the default credentials from properties `authentication.default.username` and `authentication.default.password`, but **you will have to change the password** before making any real requests.
+You can this using [owgw-ui](https://github.com/Telecominfraproject/wlan-cloud-ucentralgw-ui/) on first login or using the following script:
 
-
-### `authentication.validation.expression`
-This is a regular expression (regex) to verify the incoming password. You can find many examples on the internet on how to create these expressions. I suggest 
-that using Google is your friend. Someone has figured out what you want to do already. Click [here](https://stackoverflow.com/questions/19605150/regex-for-password-must-contain-at-least-eight-characters-at-least-one-number-a)
-to get a sample. The default is
-
-```
-^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$%^&*-]).{8,}$
+```bash
+export OWSEC=openwifi.wlan.local:16001 # endpoint to your owsec RESTAPI endpoint
+#export FLAGS="-k" # uncomment and add curl flags that you would like to pass for the request (for example '-k' may be used to pass errors with self-signed certificates)
+export OWSEC_DEFAULT_USERNAME=root@system.com # default username that you've set in property 'authentication.default.username'
+export OWSEC_DEFAULT_PASSWORD=weLoveWifi # default password __in cleartext__ from property 'authentication.default.password'
+export OWSEC_NEW_PASSWORD=NewPass123% # new password that must be set for the user (must comply with 'authentication.validation.expression')
+test_scripts/curl/cli testlogin $OWSEC_DEFAULT_USERNAME $OWSEC_DEFAULT_PASSWORD $OWSEC_NEW_PASSWORD
 ```
 
-### `authentication.oldpasswords`
-The number of older passwords to keep. Default is 5.
+CLI is also included in Docker image if you want to run it this way:
 
-### Kafka integration
-This security service uses Kafka to coordinate security with other services that are part of the system. You must have a Kafka service running
-in order to use this. You can find several examples of Kafka services available with Docker. Here are the values you need to configure.
-
-```asm
-ucentral.kafka.group.id = security
-ucentral.kafka.client.id = security1
-ucentral.kafka.enable = true
-ucentral.kafka.brokerlist = my.kafkaserver.arilia.com:9092
-ucentral.kafka.auto.commit = false
-ucentral.kafka.queue.buffering.max.ms = 50
+```bash
+export OWSEC=openwifi.wlan.local:16001
+#export FLAGS="-k"
+export OWSEC_DEFAULT_USERNAME=root@system.com
+export OWSEC_DEFAULT_PASSWORD=weLoveWifi
+export OWSEC_NEW_PASSWORD=NewPass123%
+docker run --rm -ti \
+  --network=host \
+  --env OWSEC \
+  --env FLAGS \
+  --env OWSEC_DEFAULT_USERNAME \
+  --env OWSEC_DEFAULT_PASSWORD \
+  --env OWSEC_NEW_PASSWORD \
+  tip-tip-wlan-cloud-ucentral.jfrog.io/owsec:main \
+  /cli testlogin $OWSEC_DEFAULT_USERNAME $OWSEC_DEFAULT_PASSWORD $OWSEC_NEW_PASSWORD
 ```
 
-#### `ucentral.kafka.brokerlist`
-This is the list of your kafka brokers. This is a comma separated list. You should use IP addresses or FQDNs and the relevant ports, usually 9092 is the 
-default.
+It is very important that you not use spaces in your OrgName.
+## Kafka topics
+Toe read more about Kafka, follow the [document](https://github.com/Telecominfraproject/wlan-cloud-ucentralgw/blob/main/KAFKA.md)
 
-#### `ucentral.kafka.group.id`
-Every service on the Kafka bux must have a unique value (at least in our case). This should be a string. We suggest using a name corresponding to the 
-function provided. In this case, security.
+## Contributions
+We need more contributors. Should you wish to contribute,
+please follow the [contributions](https://github.com/Telecominfraproject/wlan-cloud-ucentralgw/blob/master/CONTRIBUTING.md) document.
 
-### Certificates
-Of course we need certificates. In our case, we already have existing certificates we have. You should find out how your file name correspond
-to our names. We suggest reusing the same names we use so it is easier to use our default configuration files. We suggest using proper certificates 
-for the publicly visible interfaces. For private interfaces, self-signed certificates are OK. We will not describe how to use/create private certificates 
-here.
-
-#### The public interface
-Here are the parameters for the public interface. The important files are:
-- `restapi-ca.pem` : the CA of your certificate
-- `restapi-cert.pem` : the certificate for the public interface
-- `restapi-key.pem` : the key associated with this certificate
-- `ucentral.restapi.host.0.key.password` : if you key is password protected, you may supply that password here.
-
-```asm
-ucentral.restapi.host.0.backlog = 100
-ucentral.restapi.host.0.security = relaxed
-ucentral.restapi.host.0.rootca = $UCENTRALSEC_ROOT/certs/restapi-ca.pem
-ucentral.restapi.host.0.address = *
-ucentral.restapi.host.0.port = 16001
-ucentral.restapi.host.0.cert = $UCENTRALSEC_ROOT/certs/restapi-cert.pem
-ucentral.restapi.host.0.key = $UCENTRALSEC_ROOT/certs/restapi-key.pem
-ucentral.restapi.host.0.key.password = mypassword
-```
-
-#### The private interface
-The private interface is used for service-to-service communication. You can use self-signed certificates here or letsencrypt. The file names are similar 
-to the filenames used in the previous section.
-
-```asm
-ucentral.internal.restapi.host.0.backlog = 100
-ucentral.internal.restapi.host.0.security = relaxed
-ucentral.internal.restapi.host.0.rootca = $UCENTRALSEC_ROOT/certs/restapi-ca.pem
-ucentral.internal.restapi.host.0.address = *
-ucentral.internal.restapi.host.0.port = 17001
-ucentral.internal.restapi.host.0.cert = $UCENTRALSEC_ROOT/certs/restapi-cert.pem
-ucentral.internal.restapi.host.0.key = $UCENTRALSEC_ROOT/certs/restapi-key.pem
-ucentral.internal.restapi.host.0.key.password = mypassword
-```
-
-### Other important values
-Here are other important values you must set.
-
-
-```asm
-ucentral.system.data = $UCENTRALSEC_ROOT/data
-ucentral.system.uri.private = https://localhost:17001
-ucentral.system.uri.public = https://ucentral.dpaas.arilia.com:16001
-ucentral.system.commandchannel = /tmp/app.ucentralsec
-ucentral.service.key = $UCENTRALSEC_ROOT/certs/restapi-key.pem
-```
-
-#### `ucentral.system.data`
-The location of some important data files including the user name database.
-
-#### `ucentral.system.uri.private`
-This is the FQDN used internally between services.
-
-#### `ucentral.system.uri.public`
-This is the FQDN used externally serving the OpenAPI interface.
+## Pull Requests
+Please create a branch with the Jira addressing the issue you are fixing or the feature you are implementing.
+Create a pull-request from the branch into master.
 
+## Additional OWSDK Microservices
+Here is a list of additional OWSDK microservices
+| Name | Description | Link | OpenAPI |
+| :--- | :--- | :---: | :---: |
+| OWSEC | Security Service | [here](https://github.com/Telecominfraproject/wlan-cloud-ucentralsec) | [here](https://github.com/Telecominfraproject/wlan-cloud-ucentralsec/blob/main/openpapi/owsec.yaml) |
+| OWGW | Controller Service | [here](https://github.com/Telecominfraproject/wlan-cloud-ucentralgw) | [here](https://github.com/Telecominfraproject/wlan-cloud-ucentralgw/blob/master/openapi/owgw.yaml) |
+| OWFMS | Firmware Management Service | [here](https://github.com/Telecominfraproject/wlan-cloud-ucentralfms) | [here](https://github.com/Telecominfraproject/wlan-cloud-ucentralfms/blob/main/openapi/owfms.yaml) |
+| OWPROV | Provisioning Service | [here](https://github.com/Telecominfraproject/wlan-cloud-owprov) | [here](https://github.com/Telecominfraproject/wlan-cloud-owprov/blob/main/openapi/owprov.yaml) |
+| OWANALYTICS | Analytics Service | [here](https://github.com/Telecominfraproject/wlan-cloud-analytics) | [here](https://github.com/Telecominfraproject/wlan-cloud-analytics/blob/main/openapi/owanalytics.yaml) |
+| OWSUB | Subscriber Service | [here](https://github.com/Telecominfraproject/wlan-cloud-userportal) | [here](https://github.com/Telecominfraproject/wlan-cloud-userportal/blob/main/openapi/userportal.yaml) |

build

@@ -1 +1 @@
-11
+7

docker-entrypoint.sh

@@ -1,11 +1,101 @@
-#!/bin/sh
+#!/bin/bash
 set -e
 
-if [ "$1" = '/ucentral/ucentralsec' -a "$(id -u)" = '0' ]; then
+if [ "$SELFSIGNED_CERTS" = 'true' ]; then
+    update-ca-certificates
+fi
+
+if [[ "$TEMPLATE_CONFIG" = 'true' ]]; then
+  RESTAPI_HOST_ROOTCA=${RESTAPI_HOST_ROOTCA:-"\$OWSEC_ROOT/certs/restapi-ca.pem"} \
+  RESTAPI_HOST_PORT=${RESTAPI_HOST_PORT:-"16001"} \
+  RESTAPI_HOST_CERT=${RESTAPI_HOST_CERT:-"\$OWSEC_ROOT/certs/restapi-cert.pem"} \
+  RESTAPI_HOST_KEY=${RESTAPI_HOST_KEY:-"\$OWSEC_ROOT/certs/restapi-key.pem"} \
+  RESTAPI_HOST_KEY_PASSWORD=${RESTAPI_HOST_KEY_PASSWORD:-"mypassword"} \
+  RESTAPI_WWWASSETS=${RESTAPI_WWWASSETS:-"\$OWSEC_ROOT/persist/wwwassets"} \
+  INTERNAL_RESTAPI_HOST_ROOTCA=${INTERNAL_RESTAPI_HOST_ROOTCA:-"\$OWSEC_ROOT/certs/restapi-ca.pem"} \
+  INTERNAL_RESTAPI_HOST_PORT=${INTERNAL_RESTAPI_HOST_PORT:-"17001"} \
+  INTERNAL_RESTAPI_HOST_CERT=${INTERNAL_RESTAPI_HOST_CERT:-"\$OWSEC_ROOT/certs/restapi-cert.pem"} \
+  INTERNAL_RESTAPI_HOST_KEY=${INTERNAL_RESTAPI_HOST_KEY:-"\$OWSEC_ROOT/certs/restapi-key.pem"} \
+  INTERNAL_RESTAPI_HOST_KEY_PASSWORD=${INTERNAL_RESTAPI_HOST_KEY_PASSWORD:-"mypassword"} \
+  AUTHENTICATION_DEFAULT_USERNAME=${AUTHENTICATION_DEFAULT_USERNAME:-"tip@ucentral.com"} \
+  AUTHENTICATION_DEFAULT_PASSWORD=${AUTHENTICATION_DEFAULT_PASSWORD:-"13268b7daa751240369d125e79c873bd8dd3bef7981bdfd38ea03dbb1fbe7dcf"} \
+  SYSTEM_DATA=${SYSTEM_DATA:-"\$OWSEC_ROOT/data"} \
+  SYSTEM_URI_PRIVATE=${SYSTEM_URI_PRIVATE:-"https://localhost:17001"} \
+  SYSTEM_URI_PUBLIC=${SYSTEM_URI_PUBLIC:-"https://localhost:16001"} \
+  SYSTEM_URI_UI=${SYSTEM_URI_UI:-"http://localhost"} \
+  SECURITY_RESTAPI_DISABLE=${SECURITY_RESTAPI_DISABLE:-"false"} \
+  SERVICE_KEY=${SERVICE_KEY:-"\$OWSEC_ROOT/certs/restapi-key.pem"} \
+  SERVICE_KEY_PASSWORD=${SERVICE_KEY_PASSWORD:-"mypassword"} \
+  SMSSENDER_ENABLED=${SMSSENDER_ENABLED:-"false"} \
+  SMSSENDER_PROVIDER=${SMSSENDER_PROVIDER:-""} \
+  SMSSENDER_AWS_SECRETKEY=${SMSSENDER_AWS_SECRETKEY:-""} \
+  SMSSENDER_AWS_ACCESSKEY=${SMSSENDER_AWS_ACCESSKEY:-""} \
+  SMSSENDER_AWS_REGION=${SMSSENDER_AWS_REGION:-""} \
+  SMSSENDER_TWILIO_SID=${SMSSENDER_TWILIO_SID:-""} \
+  SMSSENDER_TWILIO_TOKEN=${SMSSENDER_TWILIO_TOKEN:-""} \
+  SMSSENDER_TWILIO_PHONENUMBER=${SMSSENDER_TWILIO_PHONENUMBER:-""} \
+  MAILER_ENABLED=${MAILER_ENABLED:-"false"} \
+  MAILER_HOSTNAME=${MAILER_HOSTNAME:-"localhost"} \
+  MAILER_USERNAME=${MAILER_USERNAME:-""} \
+  MAILER_PASSWORD=${MAILER_PASSWORD:-""} \
+  MAILER_SENDER=${MAILER_SENDER:-"OpenWIFI"} \
+  MAILER_PORT=${MAILER_PORT:-"587"} \
+  MAILER_TEMPLATES=${MAILER_TEMPLATES:-"\$OWSEC_ROOT/persist/templates"} \
+  KAFKA_ENABLE=${KAFKA_ENABLE:-"true"} \
+  KAFKA_BROKERLIST=${KAFKA_BROKERLIST:-"localhost:9092"} \
+  KAFKA_SSL_CA_LOCATION=${KAFKA_SSL_CA_LOCATION:-""} \
+  KAFKA_SSL_CERTIFICATE_LOCATION=${KAFKA_SSL_CERTIFICATE_LOCATION:-""} \
+  KAFKA_SSL_KEY_LOCATION=${KAFKA_SSL_KEY_LOCATION:-""} \
+  KAFKA_SSL_KEY_PASSWORD=${KAFKA_SSL_KEY_PASSWORD:-""} \
+  DOCUMENT_POLICY_ACCESS=${DOCUMENT_POLICY_ACCESS:-"\$OWSEC_ROOT/persist/wwwassets/access_policy.html"} \
+  DOCUMENT_POLICY_PASSWORD=${DOCUMENT_POLICY_PASSWORD:-"\$OWSEC_ROOT/persist/wwwassets/password_policy.html"} \
+  STORAGE_TYPE=${STORAGE_TYPE:-"sqlite"} \
+  STORAGE_TYPE_POSTGRESQL_HOST=${STORAGE_TYPE_POSTGRESQL_HOST:-"localhost"} \
+  STORAGE_TYPE_POSTGRESQL_USERNAME=${STORAGE_TYPE_POSTGRESQL_USERNAME:-"owsec"} \
+  STORAGE_TYPE_POSTGRESQL_PASSWORD=${STORAGE_TYPE_POSTGRESQL_PASSWORD:-"owsec"} \
+  STORAGE_TYPE_POSTGRESQL_DATABASE=${STORAGE_TYPE_POSTGRESQL_DATABASE:-"owsec"} \
+  STORAGE_TYPE_POSTGRESQL_PORT=${STORAGE_TYPE_POSTGRESQL_PORT:-"5432"} \
+  STORAGE_TYPE_MYSQL_HOST=${STORAGE_TYPE_MYSQL_HOST:-"localhost"} \
+  STORAGE_TYPE_MYSQL_USERNAME=${STORAGE_TYPE_MYSQL_USERNAME:-"owsec"} \
+  STORAGE_TYPE_MYSQL_PASSWORD=${STORAGE_TYPE_MYSQL_PASSWORD:-"owsec"} \
+  STORAGE_TYPE_MYSQL_DATABASE=${STORAGE_TYPE_MYSQL_DATABASE:-"owsec"} \
+  STORAGE_TYPE_MYSQL_PORT=${STORAGE_TYPE_MYSQL_PORT:-"3306"} \
+  USER_HELPER_EMAIL=${USER_HELPER_EMAIL:-"openwifi@telecominfraproject.com"} \
+  SUB_HELPER_EMAIL=${SUB_HELPER_EMAIL:-"openwifi@telecominfraproject.com"} \
+  GLOBAL_USER_HELPER_EMAIL=${GLOBAL_USER_HELPER_EMAIL:-"openwifi@telecominfraproject.com"} \
+  GLOBAL_SUB_HELPER_EMAIL=${GLOBAL_SUB_HELPER_EMAIL:-"openwifi@telecominfraproject.com"} \
+  USER_HELPER_SITE=${USER_HELPER_SITE:-"https://openwifi.telecominfraproject.com"} \
+  SUB_HELPER_SITE=${SUB_HELPER_SITE:-"https://openwifi.telecominfraproject.com"} \
+  USER_SYSTEM_LOGIN=${USER_SYSTEM_LOGIN:-"https://openwifi.telecominfraproject.com"} \
+  SUB_SYSTEM_LOGIN=${SUB_SYSTEM_LOGIN:-"https://openwifi.telecominfraproject.com"} \
+  USER_SIGNATURE=${USER_SIGNATURE:-"Telecom Infra Project"} \
+  SUB_SIGNATURE=${SUB_SIGNATURE:-"Telecom Infra Project"} \
+  envsubst < /owsec.properties.tmpl > $OWSEC_CONFIG/owsec.properties
+fi
+
+# Check if wwwassets directory exists
+export RESTAPI_WWWASSETS=$(grep 'openwifi.restapi.wwwassets' $OWSEC_CONFIG/owsec.properties | awk -F '=' '{print $2}' | xargs | envsubst)
+if [[ ! -d "$(dirname $RESTAPI_WWWASSETS)" ]]; then
+  mkdir -p $(dirname $RESTAPI_WWWASSETS)
+fi
+if [[ ! -d "$RESTAPI_WWWASSETS" ]]; then
+  cp -r /dist/wwwassets $RESTAPI_WWWASSETS
+fi
+
+# Check if templates directory exists
+export MAILER_TEMPLATES=$(grep 'mailer.templates' $OWSEC_CONFIG/owsec.properties | awk -F '=' '{print $2}' | xargs | envsubst)
+if [[ ! -d "$(dirname $MAILER_TEMPLATES)" ]]; then
+  mkdir -p $(dirname $MAILER_TEMPLATES)
+fi
+if [[ ! -d "$MAILER_TEMPLATES" ]]; then
+  cp -r /dist/templates $MAILER_TEMPLATES
+fi
+
+if [ "$1" = '/openwifi/owsec' -a "$(id -u)" = '0' ]; then
     if [ "$RUN_CHOWN" = 'true' ]; then
-      chown -R "$UCENTRALSEC_USER": "$UCENTRALSEC_ROOT" "$UCENTRALSEC_CONFIG"
+      chown -R "$OWSEC_USER": "$OWSEC_ROOT" "$OWSEC_CONFIG"
     fi
-    exec su-exec "$UCENTRALSEC_USER" "$@"
+    exec gosu "$OWSEC_USER" "$@"
 fi
 
 exec "$@"

helm/.gitignore

@@ -1 +1,3 @@
 *.swp
+Chart.lock
+charts/

helm/Chart.yaml

@@ -1,18 +1,18 @@
 apiVersion: v2
 appVersion: "1.0"
 description: A Helm chart for Kubernetes
-name: ucentralsec
+name: owsec
 version: 0.1.0
 dependencies:
 - name: postgresql
-  repository: https://charts.bitnami.com/bitnami
+  repository: https://tip.jfrog.io/artifactory/tip-wlan-cloud-ucentral-helm/
   version: 10.9.2
   condition: postgresql.enabled
 - name: mysql
-  repository: https://charts.bitnami.com/bitnami
+  repository: https://tip.jfrog.io/artifactory/tip-wlan-cloud-ucentral-helm/
   version: 8.8.3
   condition: mysql.enabled
 - name: mariadb
-  repository: https://charts.bitnami.com/bitnami
+  repository: https://tip.jfrog.io/artifactory/tip-wlan-cloud-ucentral-helm/
   version: 9.4.2
   condition: mariadb.enabled

helm/README.md

@@ -1,6 +1,6 @@
-# ucentralsec
+# owsec
 
-This Helm chart helps to deploy uCentralSec to the Kubernetes clusters. It is mainly used in [assembly chart](https://github.com/Telecominfraproject/wlan-cloud-ucentral-deploy/tree/main/chart) as uCentralSec requires other services as dependencies that are considered in that Helm chart. This chart is purposed to define deployment logic close to the application code itself and define default values that could be overriden during deployment.
+This Helm chart helps to deploy OpenWIFI Security (further on refered as __Security__) to the Kubernetes clusters. It is mainly used in [assembly chart](https://github.com/Telecominfraproject/wlan-cloud-ucentral-deploy/tree/main/chart) as Security requires other services as dependencies that are considered in that Helm chart. This chart is purposed to define deployment logic close to the application code itself and define default values that could be overriden during deployment.
 
 
 ## TL;DR;
@@ -11,7 +11,7 @@ $ helm install .
 
 ## Introduction
 
-This chart bootstraps an ucentralsec on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+This chart bootstraps the Security on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
 
 ## Installing the Chart
 
@@ -20,10 +20,10 @@ Currently this chart is not assembled in charts archives, so [helm-git](https://
 To install the chart with the release name `my-release`:
 
 ```bash
-$ helm install --name my-release git+https://github.com/Telecominfraproject/wlan-cloud-ucentralsec@helm?ref=main
+$ helm install --name my-release git+https://github.com/Telecominfraproject/wlan-cloud-ucentralsec@helm/owsec-0.1.0.tgz?ref=main
 ```
 
-The command deploys ucentralsec on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
+The command deploys the Security on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
 
 > **Tip**: List all releases using `helm list`
 
@@ -47,31 +47,31 @@ The following table lists the configurable parameters of the chart and their def
 | strategyType | string | Application deployment strategy | `'Recreate'` |
 | nameOverride | string | Override to be used for application deployment |  |
 | fullnameOverride | string | Override to be used for application deployment (has priority over nameOverride) |  |
-| images.ucentralsec.repository | string | Docker image repository |  |
-| images.ucentralsec.tag | string | Docker image tag | `'master'` |
-| images.ucentralsec.pullPolicy | string | Docker image pull policy | `'Always'` |
-| services.ucentralsec.type | string | uCentralSec service type | `'LoadBalancer'` |
-| services.ucentralsec.ports.restapi.servicePort | number | REST API endpoint port to be exposed on service | `16001` |
-| services.ucentralsec.ports.restapi.targetPort | number | REST API endpoint port to be targeted by service | `16001` |
-| services.ucentralsec.ports.restapi.protocol | string | REST API endpoint protocol | `'TCP'` |
-| services.ucentralsec.ports.restapiinternal.servicePort | string | Internal REST API endpoint port to be exposed on service | `17001` |
-| services.ucentralsec.ports.restapiinternal.targetPort | number | Internal REST API endpoint port to be targeted by service | `17001` |
-| services.ucentralsec.ports.restapiinternal.protocol | string | Internal REST API endpoint protocol | `'TCP'` |
-| checks.ucentralsec.liveness.httpGet.path | string | Liveness check path to be used | `'/'` |
-| checks.ucentralsec.liveness.httpGet.port | number | Liveness check port to be used (should be pointint to ALB endpoint) | `16101` |
-| checks.ucentralsec.readiness.httpGet.path | string | Readiness check path to be used | `'/'` |
-| checks.ucentralsec.readiness.httpGet.port | number | Readiness check port to be used (should be pointint to ALB endpoint) | `16101` |
+| images.owsec.repository | string | Docker image repository |  |
+| images.owsec.tag | string | Docker image tag | `'master'` |
+| images.owsec.pullPolicy | string | Docker image pull policy | `'Always'` |
+| services.owsec.type | string | OpenWIFI Security service type | `'LoadBalancer'` |
+| services.owsec.ports.restapi.servicePort | number | REST API endpoint port to be exposed on service | `16001` |
+| services.owsec.ports.restapi.targetPort | number | REST API endpoint port to be targeted by service | `16001` |
+| services.owsec.ports.restapi.protocol | string | REST API endpoint protocol | `'TCP'` |
+| services.owsec.ports.restapiinternal.servicePort | string | Internal REST API endpoint port to be exposed on service | `17001` |
+| services.owsec.ports.restapiinternal.targetPort | number | Internal REST API endpoint port to be targeted by service | `17001` |
+| services.owsec.ports.restapiinternal.protocol | string | Internal REST API endpoint protocol | `'TCP'` |
+| checks.owsec.liveness.httpGet.path | string | Liveness check path to be used | `'/'` |
+| checks.owsec.liveness.httpGet.port | number | Liveness check port to be used (should be pointint to ALB endpoint) | `16101` |
+| checks.owsec.readiness.httpGet.path | string | Readiness check path to be used | `'/'` |
+| checks.owsec.readiness.httpGet.port | number | Readiness check port to be used (should be pointint to ALB endpoint) | `16101` |
 | ingresses.restapi.enabled | boolean | Defines if REST API endpoint should be exposed via Ingress controller | `False` |
 | ingresses.restapi.hosts | array | List of hosts for exposed REST API |  |
 | ingresses.restapi.paths | array | List of paths to be exposed for REST API |  |
-| volumes.ucentralsec | array | Defines list of volumes to be attached to uCentralSec |  |
-| persistence.enabled | boolean | Defines if uCentralSec requires Persistent Volume (required for permanent files storage and SQLite DB if enabled) | `True` |
+| volumes.owsec | array | Defines list of volumes to be attached to the Security |  |
+| persistence.enabled | boolean | Defines if Security requires Persistent Volume (required for permanent files storage and SQLite DB if enabled) | `True` |
 | persistence.accessModes | array | Defines PV access modes |  |
 | persistence.size | string | Defines PV size | `'10Gi'` |
-| public_env_variables | hash | Defines list of environment variables to be passed to uCentralSec | |
-| configProperties | hash | Configuration properties that should be passed to the application in `ucentralsec.properties`. May be passed by key in set (i.e. `configProperties."rtty\.token"`) | |
-| certs | hash | Defines files (keys and certificates) that should be passed to uCentralSec (PEM format is adviced to be used) (see `volumes.ucentralsec` on where it is mounted) |  |
-
+| public_env_variables | hash | Defines list of environment variables to be passed to the Security | |
+| configProperties | hash | Configuration properties that should be passed to the application in `owsec.properties`. May be passed by key in set (i.e. `configProperties."rtty\.token"`) | |
+| existingCertsSecret | string | Existing Kubernetes secret containing all required certificates and private keys for microservice operation. If set, certificates from `certs` key are ignored | `""` |
+| certs | hash | Defines files (keys and certificates) that should be passed to the Gateway (PEM format is adviced to be used) (see `volumes.owsec` on where it is mounted). If `existingCertsSecret` is set, certificates passed this way will not be used. |  |
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
 

helm/templates/_config.tpl

@@ -1,4 +1,4 @@
-{{- define "ucentralsec.config" -}}
+{{- define "owsec.config" -}}
 {{- range $key, $value := .Values.configProperties }}
 {{ $key }} = {{ $value }}
 {{- end }}

helm/templates/_helpers.tpl

@@ -2,7 +2,7 @@
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "ucentralsec.name" -}}
+{{- define "owsec.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
@@ -11,7 +11,7 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
-{{- define "ucentralsec.fullname" -}}
+{{- define "owsec.fullname" -}}
 {{- if .Values.fullnameOverride -}}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
@@ -27,6 +27,16 @@ If release name contains chart name it will be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "ucentralsec.chart" -}}
+{{- define "owsec.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+
+{{- define "owsec.ingress.apiVersion" -}}
+  {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" -}}
+      {{- print "networking.k8s.io/v1" -}}
+  {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" -}}
+    {{- print "networking.k8s.io/v1beta1" -}}
+  {{- else -}}
+    {{- print "extensions/v1beta1" -}}
+  {{- end -}}
+{{- end -}}

helm/templates/deployment.yaml

@@ -1,42 +1,90 @@
 {{- $root := . -}}
+{{- $storageType := index .Values.configProperties "storage.type" -}}
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "ucentralsec.fullname" . }}
+  name: {{ include "owsec.fullname" . }}
   labels:
-    app.kubernetes.io/name: {{ include "ucentralsec.name" . }}
-    helm.sh/chart: {{ include "ucentralsec.chart" . }}
+    app.kubernetes.io/name: {{ include "owsec.name" . }}
+    helm.sh/chart: {{ include "owsec.chart" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
 spec:
   replicas: {{ .Values.replicaCount }}
   strategy:
     type: {{ .Values.strategyType }}
+  revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
   selector:
     matchLabels:
-      app.kubernetes.io/name: {{ include "ucentralsec.name" . }}
+      app.kubernetes.io/name: {{ include "owsec.name" . }}
       app.kubernetes.io/instance: {{ .Release.Name }}
-      {{- with .Values.services.ucentralsec.labels }}
+      {{- with .Values.services.owsec.labels }}
       {{- toYaml . | nindent 6 }}
       {{- end }}
   template:
     metadata:
       annotations:
-        checksum/config: {{ include "ucentralsec.config" . | sha256sum }}
+        checksum/config: {{ include "owsec.config" . | sha256sum }}
+        {{- with .Values.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
       labels:
-        app.kubernetes.io/name: {{ include "ucentralsec.name" . }}
+        app.kubernetes.io/name: {{ include "owsec.name" . }}
         app.kubernetes.io/instance: {{ .Release.Name }}
-        {{- with .Values.services.ucentralsec.labels }}
+        {{- with .Values.services.owsec.labels }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
 
+      initContainers:
+        - name: wait-kafka
+          image: "{{ .Values.images.dockerize.repository }}:{{ .Values.images.dockerize.tag }}"
+          imagePullPolicy: {{ .Values.images.dockerize.pullPolicy }}
+          args:
+            - -wait
+            - tcp://{{ index .Values.configProperties "openwifi.kafka.brokerlist" }}
+            - -timeout
+            - 600s
+
+{{- if eq $storageType "postgresql" }}
+        - name: wait-postgres
+          image: "{{ .Values.images.owsec.repository }}:{{ .Values.images.owsec.tag }}"
+          imagePullPolicy: {{ .Values.images.owsec.pullPolicy }}
+          command:
+            - /wait-for-postgres.sh
+            - {{ index .Values.configProperties "storage.type.postgresql.host" }}
+            - echo
+            - "PostgreSQL is ready"
+          env:
+            - name: KUBERNETES_DEPLOYED
+              value: "{{ now }}"
+          {{- range $key, $value := .Values.public_env_variables }}
+            - name: {{ $key }}
+              value: {{ $value | quote }}
+          {{- end }}
+          {{- range $key, $value := .Values.secret_env_variables }}
+            - name: {{ $key }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "owsec.fullname" $root }}-env
+                  key: {{ $key }}
+          {{- end }}
+          volumeMounts:
+          {{- range .Values.volumes.owsec }}
+          - name: {{ .name }}
+            mountPath: {{ .mountPath }}
+            {{- if .subPath }}
+            subPath: {{ .subPath }}
+            {{- end }}
+          {{- end }}
+{{- end }}
+
       containers:
 
-        - name: ucentralsec
-          image: "{{ .Values.images.ucentralsec.repository }}:{{ .Values.images.ucentralsec.tag }}"
-          imagePullPolicy: {{ .Values.images.ucentralsec.pullPolicy }}
+        - name: owsec
+          image: "{{ .Values.images.owsec.repository }}:{{ .Values.images.owsec.tag }}"
+          imagePullPolicy: {{ .Values.images.owsec.pullPolicy }}
 
           env:
             - name: KUBERNETES_DEPLOYED
@@ -49,19 +97,19 @@ spec:
             - name: {{ $key }}
               valueFrom:
                 secretKeyRef:
-                  name: {{ include "ucentralsec.fullname" $root }}-env
+                  name: {{ include "owsec.fullname" $root }}-env
                   key: {{ $key }}
           {{- end }}
 
           ports:
-          {{- range $port, $portValue := .Values.services.ucentralsec.ports }}
+          {{- range $port, $portValue := .Values.services.owsec.ports }}
             - name: {{ $port }}
               containerPort: {{ $portValue.targetPort }}
               protocol: {{ $portValue.protocol }}
           {{- end }}
 
           volumeMounts:
-          {{- range .Values.volumes.ucentralsec }}
+          {{- range .Values.volumes.owsec }}
           - name: {{ .name }}
             mountPath: {{ .mountPath }}
             {{- if .subPath }}
@@ -69,13 +117,13 @@ spec:
             {{- end }}
           {{- end }}
 
-          {{- if .Values.checks.ucentralsec.liveness }}
+          {{- if .Values.checks.owsec.liveness }}
           livenessProbe:
-            {{- toYaml .Values.checks.ucentralsec.liveness | nindent 12 }}
+            {{- toYaml .Values.checks.owsec.liveness | nindent 12 }}
           {{- end }}
-          {{- if .Values.checks.ucentralsec.readiness }}
+          {{- if .Values.checks.owsec.readiness }}
           readinessProbe:
-            {{- toYaml .Values.checks.ucentralsec.readiness | nindent 12 }}
+            {{- toYaml .Values.checks.owsec.readiness | nindent 12 }}
           {{- end }}
 
           {{- with .Values.resources }}
@@ -91,7 +139,7 @@ spec:
       imagePullSecrets:
       {{- range $image, $imageValue := .Values.images }}
         {{- if $imageValue.regcred }}
-      - name: {{ include "ucentralsec.fullname" $root }}-{{ $image }}-regcred
+      - name: {{ include "owsec.fullname" $root }}-{{ $image }}-regcred
         {{- end }}
       {{- end }}
 

helm/templates/ingress.yaml

@@ -2,13 +2,13 @@
 {{- range $ingress, $ingressValue := .Values.ingresses }}
 {{- if $ingressValue.enabled }}
 ---
-apiVersion: extensions/v1beta1
+apiVersion: {{ include "owsec.ingress.apiVersion" $root }}
 kind: Ingress
 metadata:
-  name: {{ include "ucentralsec.fullname" $root }}-{{ $ingress }}
+  name: {{ include "owsec.fullname" $root }}-{{ $ingress }}
   labels:
-    app.kubernetes.io/name: {{ include "ucentralsec.name" $root }}
-    helm.sh/chart: {{ include "ucentralsec.chart" $root }}
+    app.kubernetes.io/name: {{ include "owsec.name" $root }}
+    helm.sh/chart: {{ include "owsec.chart" $root }}
     app.kubernetes.io/instance: {{ $root.Release.Name }}
     app.kubernetes.io/managed-by: {{ $root.Release.Service }}
   {{- with $ingressValue.annotations }}
@@ -36,9 +36,23 @@ spec:
       paths:
       {{- range $ingressValue.paths }}
         - path: {{ .path }}
+          {{- if $root.Capabilities.APIVersions.Has "networking.k8s.io/v1" }}
+          pathType: {{ .pathType | default "ImplementationSpecific" }}
+          {{- end }}
           backend:
-            serviceName: {{ include "ucentralsec.fullname" $root }}-{{ .serviceName }}
+            {{- if $root.Capabilities.APIVersions.Has "networking.k8s.io/v1" }}
+            service:
+              name: {{ include "owsec.fullname" $root }}-{{ .serviceName }}
+              port:
+              {{- if kindIs "string" .servicePort }}
+                name: {{ .servicePort }}
+              {{- else }}
+                number: {{ .servicePort }}
+              {{- end }}
+            {{- else }}
+            serviceName: {{ include "owsec.fullname" $root }}-{{ .serviceName }}
             servicePort: {{ .servicePort }}
+            {{- end }}
       {{- end }}
   {{- end }}
 

helm/templates/pvc.yaml

@@ -3,10 +3,10 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ template "ucentralsec.fullname" . }}-pvc
+  name: {{ template "owsec.fullname" . }}-pvc
   labels:
-    app.kubernetes.io/name: {{ include "ucentralsec.name" . }}
-    helm.sh/chart: {{ include "ucentralsec.chart" . }}
+    app.kubernetes.io/name: {{ include "owsec.name" . }}
+    helm.sh/chart: {{ include "owsec.chart" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
   {{- with .Values.persistence.annotations  }}

helm/templates/secret-certs.yaml

@@ -2,11 +2,11 @@
 apiVersion: v1
 metadata:
   labels:
-    app.kuberentes.io/name: {{ include "ucentralsec.name" . }}
-    helm.sh/chart: {{ include "ucentralsec.chart" . }}
+    app.kuberentes.io/name: {{ include "owsec.name" . }}
+    helm.sh/chart: {{ include "owsec.chart" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
-  name: {{ include "ucentralsec.fullname" . }}-certs
+  name: {{ include "owsec.fullname" . }}-certs
 kind: Secret
 type: Opaque
 data:

helm/templates/secret-config.yaml

@@ -2,12 +2,12 @@
 apiVersion: v1
 metadata:
   labels:
-    app.kuberentes.io/name: {{ include "ucentralsec.name" . }}
-    helm.sh/chart: {{ include "ucentralsec.chart" . }}
+    app.kuberentes.io/name: {{ include "owsec.name" . }}
+    helm.sh/chart: {{ include "owsec.chart" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
-  name: {{ include "ucentralsec.fullname" . }}-config
+  name: {{ include "owsec.fullname" . }}-config
 kind: Secret
 type: Opaque
 data:
-  ucentralsec.properties: {{ include "ucentralsec.config" . | b64enc }}
+  owsec.properties: {{ include "owsec.config" . | b64enc }}

helm/templates/secret-env.yaml

@@ -2,11 +2,11 @@
 apiVersion: v1
 metadata:
   labels:
-    app.kuberentes.io/name: {{ include "ucentralsec.name" . }}
-    helm.sh/chart: {{ include "ucentralsec.chart" . }}
+    app.kuberentes.io/name: {{ include "owsec.name" . }}
+    helm.sh/chart: {{ include "owsec.chart" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
-  name: {{ include "ucentralsec.fullname" . }}-env
+  name: {{ include "owsec.fullname" . }}-env
 kind: Secret
 type: Opaque
 data:

helm/templates/secret-regcred.yaml

@@ -10,11 +10,11 @@ kind: Secret
 type: kubernetes.io/dockerconfigjson
 metadata:
   labels:
-    app.kuberentes.io/name: {{ include "ucentralsec.name" $root }}
-    helm.sh/chart: {{ include "ucentralsec.chart" $root }}
+    app.kuberentes.io/name: {{ include "owsec.name" $root }}
+    helm.sh/chart: {{ include "owsec.chart" $root }}
     app.kubernetes.io/instance: {{ $root.Release.Name }}
     app.kubernetes.io/managed-by: {{ $root.Release.Service }}
-  name: {{ include "ucentralsec.fullname" $root }}-{{ $image }}-regcred
+  name: {{ include "owsec.fullname" $root }}-{{ $image }}-regcred
 data:
   .dockerconfigjson: {{ template "imagePullSecret" $imageValue.regcred }}
 {{- end }}

helm/templates/service.yaml

@@ -4,14 +4,14 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ include "ucentralsec.fullname" $root }}-{{ $service }}
+  name: {{ include "owsec.fullname" $root }}-{{ $service }}
   {{- with $serviceValue.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
   labels:
-    app.kubernetes.io/name: {{ include "ucentralsec.name" $root }}
-    helm.sh/chart: {{ include "ucentralsec.chart" $root }}
+    app.kubernetes.io/name: {{ include "owsec.name" $root }}
+    helm.sh/chart: {{ include "owsec.chart" $root }}
     app.kubernetes.io/instance: {{ $root.Release.Name }}
     app.kubernetes.io/managed-by: {{ $root.Release.Service }}
 
@@ -39,7 +39,7 @@ spec:
       {{- end }}
   {{- end }}
   selector:
-    app.kubernetes.io/name: {{ include "ucentralsec.name" $root }}
+    app.kubernetes.io/name: {{ include "owsec.name" $root }}
     app.kubernetes.io/instance: {{ $root.Release.Name }}
     {{- with $serviceValue.labels }}
     {{- toYaml . | nindent 4 }}

helm/values.yaml

@@ -1,23 +1,28 @@
 # System
 replicaCount: 1
 strategyType: Recreate
+revisionHistoryLimit: 2
 
 nameOverride: ""
 fullnameOverride: ""
 
 images:
-  ucentralsec:
-    repository: tip-tip-wlan-cloud-ucentral.jfrog.io/ucentralsec
-    tag: main
+  owsec:
+    repository: tip-tip-wlan-cloud-ucentral.jfrog.io/owsec
+    tag: v3.0.2-RC1
     pullPolicy: Always
 #    regcred:
 #      registry: tip-tip-wlan-cloud-ucentral.jfrog.io
 #      username: username
 #      password: password
+  dockerize:
+    repository: tip-tip-wlan-cloud-ucentral.jfrog.io/dockerize
+    tag: 0.16.0
+    pullPolicy: IfNotPresent
 
 services:
-  ucentralsec:
-    type: LoadBalancer
+  owsec:
+    type: ClusterIP
     ports:
       restapi:
         servicePort: 16001
@@ -29,15 +34,15 @@ services:
         protocol: TCP
 
 checks:
-  ucentralsec:
+  owsec:
     liveness:
       httpGet:
         path: /
         port: 16101
     readiness:
-      httpGet:
-        path: /
-        port: 16101
+      exec:
+        command:
+          - /readiness_check
 
 ingresses:
   restapi:
@@ -49,29 +54,30 @@ ingresses:
     - restapi.chart-example.local
     paths:
     - path: /
-      serviceName: ucentralsec
+      pathType: ImplementationSpecific
+      serviceName: owsec
       servicePort: restapi
 
 volumes:
-  ucentralsec:
+  owsec:
     - name: config
-      mountPath: /ucentralsec-data/ucentralsec.properties
-      subPath: ucentralsec.properties
+      mountPath: /owsec-data/owsec.properties
+      subPath: owsec.properties
       # Template below will be rendered in template
       volumeDefinition: |
         secret:
-          secretName: {{ include "ucentralsec.fullname" . }}-config
+          secretName: {{ include "owsec.fullname" . }}-config
     - name: certs
-      mountPath: /ucentralsec-data/certs
+      mountPath: /owsec-data/certs
       volumeDefinition: |
         secret:
-          secretName: {{ include "ucentralsec.fullname" . }}-certs
+          secretName: {{ if .Values.existingCertsSecret }}{{ .Values.existingCertsSecret }}{{ else }}{{ include "owsec.fullname" . }}-certs{{ end }}
     # Change this if you want to use another volume type
     - name: persist
-      mountPath: /ucentralsec-data/persist
+      mountPath: /owsec-data/persist
       volumeDefinition: |
         persistentVolumeClaim:
-          claimName: {{ template "ucentralsec.fullname" . }}-pvc
+          claimName: {{ template "owsec.fullname" . }}-pvc
 
 resources: {}
   # We usually recommend not to specify default resources and to leave this as a conscious
@@ -86,7 +92,7 @@ resources: {}
   #  memory: 128Mi
 
 securityContext:
-  fsGroup: 101
+  fsGroup: 1000
 
 nodeSelector: {}
 
@@ -94,6 +100,8 @@ tolerations: []
 
 affinity: {}
 
+podAnnotations: {}
+
 persistence:
   enabled: true
   # storageClassName: "-"
@@ -104,48 +112,65 @@ persistence:
 
 # Application
 public_env_variables:
-  UCENTRALSEC_ROOT: /ucentralsec-data
-  UCENTRALSEC_CONFIG: /ucentralsec-data
+  OWSEC_ROOT: /owsec-data
+  OWSEC_CONFIG: /owsec-data
+  # Environment variables required for the readiness checks using script
+  FLAGS: "-s --connect-timeout 3"
+  # NOTE in order for readiness check to use system info you need to set READINESS_METHOD to "systeminfo" and set OWSEC to the OWSEC's REST API endpoint
+  #READINESS_METHOD: systeminfo
 
-secret_env_variables: {}
+secret_env_variables:
+  OWSEC_USERNAME: tip@ucentral.com
+  OWSEC_PASSWORD: openwifi
 
 configProperties:
   # -> Public part
   # REST API
-  ucentral.restapi.host.0.backlog: 100
-  ucentral.restapi.host.0.security: relaxed
-  ucentral.restapi.host.0.rootca: $UCENTRALSEC_ROOT/certs/restapi-ca.pem
-  ucentral.restapi.host.0.address: "*"
-  ucentral.restapi.host.0.port: 16001
-  ucentral.restapi.host.0.cert: $UCENTRALSEC_ROOT/certs/restapi-cert.pem
-  ucentral.restapi.host.0.key: $UCENTRALSEC_ROOT/certs/restapi-key.pem
-  ucentral.restapi.wwwassets: $UCENTRALSEC_ROOT/wwwassets
-  ucentral.internal.restapi.host.0.backlog: 100
-  ucentral.internal.restapi.host.0.security: relaxed
-  ucentral.internal.restapi.host.0.rootca: $UCENTRALSEC_ROOT/certs/restapi-ca.pem
-  ucentral.internal.restapi.host.0.address: "*"
-  ucentral.internal.restapi.host.0.port: 17001
-  ucentral.internal.restapi.host.0.cert: $UCENTRALSEC_ROOT/certs/restapi-cert.pem
-  ucentral.internal.restapi.host.0.key: $UCENTRALSEC_ROOT/certs/restapi-key.pem
+  openwifi.restapi.host.0.backlog: 100
+  openwifi.restapi.host.0.security: relaxed
+  openwifi.restapi.host.0.rootca: $OWSEC_ROOT/certs/restapi-ca.pem
+  openwifi.restapi.host.0.address: "*"
+  openwifi.restapi.host.0.port: 16001
+  openwifi.restapi.host.0.cert: $OWSEC_ROOT/certs/restapi-cert.pem
+  openwifi.restapi.host.0.key: $OWSEC_ROOT/certs/restapi-key.pem
+  openwifi.restapi.wwwassets: $OWSEC_ROOT/persist/wwwassets
+  openwifi.internal.restapi.host.0.backlog: 100
+  openwifi.internal.restapi.host.0.security: relaxed
+  openwifi.internal.restapi.host.0.rootca: $OWSEC_ROOT/certs/restapi-ca.pem
+  openwifi.internal.restapi.host.0.address: "*"
+  openwifi.internal.restapi.host.0.port: 17001
+  openwifi.internal.restapi.host.0.cert: $OWSEC_ROOT/certs/restapi-cert.pem
+  openwifi.internal.restapi.host.0.key: $OWSEC_ROOT/certs/restapi-key.pem
   # Authentication
   authentication.enabled: true
   authentication.default.access: master
   authentication.service.type: internal
   # Mailer
+  mailer.enabled: "false"
   mailer.hostname: smtp.gmail.com
+  mailer.sender: OpenWIFI
   mailer.loginmethod: login
   mailer.port: 587
-  mailer.templates: $UCENTRALSEC_ROOT/templates
+  mailer.templates: $OWSEC_ROOT/persist/templates
+  # SMS
+  smssender.enabled: "false"
+  smssender.provider: "aws"
+  #smssender.aws.region: ""
+  #smssender.twilio.phonenumber: ""
   # ALB
   alb.enable: "true"
   alb.port: 16101
   # Kafka
-  ucentral.kafka.enable: "false"
-  ucentral.kafka.group.id: security
-  ucentral.kafka.client.id: security1
-  ucentral.kafka.brokerlist: localhost:9092
-  ucentral.kafka.auto.commit: false
-  ucentral.kafka.queue.buffering.max.ms: 50
+  openwifi.kafka.enable: "false"
+  openwifi.kafka.group.id: security
+  openwifi.kafka.client.id: security1
+  openwifi.kafka.brokerlist: localhost:9092
+  openwifi.kafka.auto.commit: false
+  openwifi.kafka.queue.buffering.max.ms: 50
+  openwifi.kafka.ssl.ca.location: ""
+  openwifi.kafka.ssl.certificate.location: ""
+  openwifi.kafka.ssl.key.location: ""
+  openwifi.kafka.ssl.key.password: ""
   # Storage
   storage.type: sqlite # (sqlite|postgresql|mysql|odbc)
   ## SQLite
@@ -156,52 +181,45 @@ configProperties:
   storage.type.postgresql.maxsessions: 64
   storage.type.postgresql.idletime: 60
   storage.type.postgresql.host: localhost
-  storage.type.postgresql.database: ucentral
+  storage.type.postgresql.database: owsec
   storage.type.postgresql.port: 5432
   storage.type.postgresql.connectiontimeout: 60
   ## MySQL
   storage.type.mysql.maxsessions: 64
   storage.type.mysql.idletime: 60
   storage.type.mysql.host: localhost
-  storage.type.mysql.database: ucentral
+  storage.type.mysql.database: owsec
   storage.type.mysql.port: 3306
   storage.type.mysql.connectiontimeout: 60
   # System
-  ucentral.service.key: $UCENTRALSEC_ROOT/certs/restapi-key.pem
-  ucentral.system.data: $UCENTRALSEC_ROOT/persist
-  ucentral.system.debug: "true"
-  ucentral.system.uri.private: https://localhost:17001
-  ucentral.system.uri.public: https://localhost:16001
-  ucentral.system.uri.ui: https://localhost
-  ucentral.system.commandchannel: /tmp/app_ucentralsec
+  openwifi.service.key: $OWSEC_ROOT/certs/restapi-key.pem
+  openwifi.system.data: $OWSEC_ROOT/persist
+  openwifi.system.debug: "true"
+  openwifi.system.uri.private: https://localhost:17001
+  openwifi.system.uri.public: https://localhost:16001
+  openwifi.system.uri.ui: https://localhost
+  openwifi.system.commandchannel: /tmp/app_owsec
   # Logging
-  logging.formatters.f1.class: PatternFormatter
-  logging.formatters.f1.pattern: "%Y-%m-%d %H:%M:%S %s: [%p] %t"
-  logging.formatters.f1.times: UTC
-  logging.channels.c1.class: ConsoleChannel
-  logging.channels.c1.formatter: f1
-  logging.channels.c2.class: FileChannel
-  logging.channels.c2.path: /tmp/log_ucentralsec
-  logging.channels.c2.formatter.class: PatternFormatter
-  logging.channels.c2.formatter.pattern: "%Y-%m-%d %H:%M:%S %s: [%p] %t"
-  logging.channels.c2.rotation: "20 M"
-  logging.channels.c2.archive: timestamp
-  logging.channels.c2.purgeCount: 20
-  logging.channels.c3.class: ConsoleChannel
-  logging.channels.c3.pattern: "%s: [%p] %t"
-  logging.loggers.root.channel: c1
-  logging.loggers.root.level: debug
+  logging.type: console
+  logging.path: $OWSEC_ROOT/logs
+  logging.level: debug
 
   # -> Secret part
   # REST API
-  ucentral.restapi.host.0.key.password: mypassword
-  ucentral.internal.restapi.host.0.key.password: mypassword
+  openwifi.restapi.host.0.key.password: mypassword
+  openwifi.internal.restapi.host.0.key.password: mypassword
   # Authentication
   authentication.default.username: tip@ucentral.com
   authentication.default.password: 13268b7daa751240369d125e79c873bd8dd3bef7981bdfd38ea03dbb1fbe7dcf
   # Mailer
   mailer.username: no-reply@arilia.com
   mailer.password: "**************************"
+  # SMS
+  #smssender.aws.secretkey: ""
+  #smssender.aws.accesskey: ""
+  #smssender.twilio.sid: ""
+  #smssender.twilio.token: ""
+  #
   # Storage
   ## PostgreSQL
   storage.type.postgresql.username: stephb
@@ -210,6 +228,9 @@ configProperties:
   storage.type.mysql.username: stephb
   storage.type.mysql.password: snoopy99
 
+# NOTE: List of required certificates may be found in "certs" key. Alternative way to pass required certificates is to create external secret with all required certificates and set secret name in "existingCertsSecret" key. Details may be found in https://github.com/Telecominfraproject/wlan-cloud-ucentral-deploy/tree/main/chart#tldr
+existingCertsSecret: ""
+
 certs:
   # restapi-ca.pem: ""
   # restapi-cert.pem: ""
@@ -224,10 +245,10 @@ postgresql:
     repository: bitnami/postgresql
     tag: 11.13.0-debian-10-r0
 
-  postgresqlPostgresPassword: ""
-  postgresqlUsername: postgres
-  postgresqlPassword: ""
-  postgresqlDatabase: ""
+  postgresqlPostgresPassword: "rootPassword"
+  postgresqlUsername: stephb
+  postgresqlPassword: snoopy99
+  postgresqlDatabase: owgw
 
   persistence:
     enabled: true
@@ -244,10 +265,10 @@ mysql:
     tag: 8.0.26-debian-10-r10
 
   auth:
-    rootPassword: ""
-    database: my_database
-    username: ""
-    password: ""
+    rootPassword: rootPassword
+    database: owgw
+    username: stephb
+    password: snoopy99
 
   primary:
     persistence:
@@ -265,10 +286,10 @@ mariadb:
     tag: 10.5.12-debian-10-r0
 
   auth:
-    rootPassword: ""
-    database: my_database
-    username: ""
-    password: ""
+    rootPassword: rootPassword
+    database: owgw
+    username: stephb
+    password: snoopy99
 
   primary:
     persistence:

images/project/logo.svg

@@ -0,0 +1,165 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 24.2.3, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 141.5 185.6" style="enable-background:new 0 0 141.5 185.6;" xml:space="preserve">
+<style type="text/css">
+	.st0{fill:#414141;}
+	.st1{fill:#FFFFFF;}
+	.st2{fill:#FED206;}
+	.st3{fill:#EB6F53;}
+	.st4{fill:#3BA9B6;}
+</style>
+<g>
+	<g>
+		<path class="st0" d="M120.7,183.9H21.5c-10.8,0-19.5-8.7-19.5-19.5V20.5c0-10.8,8.7-19.5,19.5-19.5h99.2
+			c10.8,0,19.5,8.7,19.5,19.5v143.9C140.2,175.2,131.5,183.9,120.7,183.9z"/>
+		<g>
+			<g>
+				<g>
+					<path class="st1" d="M46.3,166.2v-3.4h-1.2v-0.6h3.1v0.6H47v3.4H46.3z"/>
+				</g>
+				<g>
+					<path class="st1" d="M49,166.2v-4h2.7v0.6h-2v1h2v0.6h-2v1.1h2v0.6H49z"/>
+				</g>
+				<g>
+					<path class="st1" d="M52.6,166.2v-4h0.7v3.4h1.8v0.6H52.6z"/>
+				</g>
+				<g>
+					<path class="st1" d="M55.7,166.2v-4h2.7v0.6h-2v1h2v0.6h-2v1.1h2v0.6H55.7z"/>
+				</g>
+				<g>
+					<path class="st1" d="M59.1,164.2c0-1.2,0.9-2.1,2.1-2.1c0.8,0,1.3,0.4,1.6,0.9l-0.6,0.3c-0.2-0.3-0.6-0.6-1-0.6
+						c-0.8,0-1.4,0.6-1.4,1.4c0,0.8,0.6,1.4,1.4,1.4c0.4,0,0.8-0.3,1-0.6l0.6,0.3c-0.3,0.5-0.8,0.9-1.6,0.9
+						C60,166.3,59.1,165.5,59.1,164.2z"/>
+				</g>
+				<g>
+					<path class="st1" d="M63.2,164.2c0-1.2,0.8-2.1,2-2.1c1.2,0,2,0.9,2,2.1c0,1.2-0.8,2.1-2,2.1C64,166.3,63.2,165.4,63.2,164.2z
+						 M66.5,164.2c0-0.8-0.5-1.4-1.3-1.4c-0.8,0-1.3,0.6-1.3,1.4c0,0.8,0.5,1.4,1.3,1.4C66,165.7,66.5,165,66.5,164.2z"/>
+				</g>
+				<g>
+					<path class="st1" d="M71.3,166.2v-3.1l-1.2,3.1h-0.3l-1.2-3.1v3.1h-0.7v-4h1l1.1,2.7l1.1-2.7h1v4H71.3z"/>
+				</g>
+				<g>
+					<path class="st1" d="M75.7,166.2v-4h0.7v4H75.7z"/>
+				</g>
+				<g>
+					<path class="st1" d="M80.4,166.2l-2.1-2.8v2.8h-0.7v-4h0.7l2,2.8v-2.8h0.7v4H80.4z"/>
+				</g>
+				<g>
+					<path class="st1" d="M82.3,166.2v-4H85v0.6h-2v1h2v0.6h-2v1.7H82.3z"/>
+				</g>
+				<g>
+					<path class="st1" d="M87.9,166.2l-0.9-1.5h-0.7v1.5h-0.7v-4h1.7c0.8,0,1.3,0.5,1.3,1.2c0,0.7-0.5,1.1-0.9,1.2l1,1.6H87.9z
+						 M88,163.5c0-0.4-0.3-0.6-0.7-0.6h-1v1.3h1C87.7,164.1,88,163.9,88,163.5z"/>
+				</g>
+				<g>
+					<path class="st1" d="M92.4,166.2l-0.3-0.8h-1.8l-0.3,0.8h-0.8l1.6-4h0.9l1.6,4H92.4z M91.2,162.9l-0.7,1.9h1.4L91.2,162.9z"/>
+				</g>
+				<g>
+					<path class="st1" d="M95.8,166.2v-4h1.5c0.8,0,1.2,0.5,1.2,1.2c0,0.6-0.4,1.2-1.2,1.2h-1.2v1.7H95.8z M98.2,163.4
+						c0-0.5-0.3-0.9-0.9-0.9h-1.1v1.7h1.1C97.8,164.3,98.2,163.9,98.2,163.4z"/>
+				</g>
+				<g>
+					<path class="st1" d="M101.5,166.2l-1.1-1.6h-0.9v1.6h-0.3v-4h1.5c0.7,0,1.2,0.4,1.2,1.2c0,0.7-0.5,1.1-1.1,1.1l1.2,1.7H101.5z
+						 M101.6,163.4c0-0.5-0.4-0.9-0.9-0.9h-1.1v1.7h1.1C101.2,164.3,101.6,163.9,101.6,163.4z"/>
+				</g>
+				<g>
+					<path class="st1" d="M102.8,164.2c0-1.2,0.8-2.1,1.9-2.1c1.2,0,1.9,0.9,1.9,2.1c0,1.2-0.8,2.1-1.9,2.1
+						C103.6,166.3,102.8,165.4,102.8,164.2z M106.3,164.2c0-1-0.6-1.7-1.6-1.7c-1,0-1.6,0.7-1.6,1.7c0,1,0.6,1.7,1.6,1.7
+						C105.7,166,106.3,165.2,106.3,164.2z"/>
+				</g>
+				<g>
+					<path class="st1" d="M106.9,165.8l0.2-0.3c0.2,0.2,0.4,0.4,0.8,0.4c0.5,0,0.9-0.4,0.9-0.9v-2.8h0.3v2.8c0,0.8-0.5,1.2-1.2,1.2
+						C107.5,166.3,107.2,166.1,106.9,165.8z"/>
+				</g>
+				<g>
+					<path class="st1" d="M110.4,166.2v-4h2.5v0.3h-2.2v1.5h2.1v0.3h-2.1v1.6h2.2v0.3H110.4z"/>
+				</g>
+				<g>
+					<path class="st1" d="M113.5,164.2c0-1.2,0.9-2.1,2-2.1c0.6,0,1.1,0.3,1.5,0.7l-0.3,0.2c-0.3-0.3-0.7-0.6-1.2-0.6
+						c-0.9,0-1.7,0.7-1.7,1.7c0,1,0.7,1.7,1.7,1.7c0.5,0,0.9-0.2,1.2-0.6l0.3,0.2c-0.4,0.4-0.8,0.7-1.5,0.7
+						C114.4,166.3,113.5,165.5,113.5,164.2z"/>
+				</g>
+				<g>
+					<path class="st1" d="M118.7,166.2v-3.7h-1.3v-0.3h2.9v0.3H119v3.7H118.7z"/>
+				</g>
+			</g>
+			<g>
+				<polygon class="st1" points="26.3,163.8 31.6,158.5 36.9,163.8 37.7,163.8 31.6,157.6 25.5,163.8 				"/>
+				<polygon class="st1" points="36.9,164.7 31.6,170 26.3,164.7 25.5,164.7 31.6,170.8 37.7,164.7 				"/>
+				<polygon class="st1" points="31,163.8 36.3,158.5 41.6,163.8 42.5,163.8 36.3,157.6 30.2,163.8 				"/>
+				<polygon class="st1" points="41.6,164.7 36.3,170 31,164.7 30.2,164.7 36.3,170.8 42.5,164.7 				"/>
+			</g>
+		</g>
+		<g>
+			<path class="st1" d="M33.2,100.7c-4.6,0-8.3,3.7-8.3,8.3s3.7,8.3,8.3,8.3s8.3-3.7,8.3-8.3S37.8,100.7,33.2,100.7z"/>
+		</g>
+		<g>
+			<g>
+				<g>
+					<path class="st2" d="M33.2,35.2c40.7,0,73.8,33.1,73.8,73.8c0,0.7,0,1.4,0,2.1c0,1.7,0.6,3.3,1.7,4.6c1.2,1.2,2.8,1.9,4.5,2
+						l0.2,0c3.5,0,6.3-2.7,6.4-6.2c0-0.8,0-1.7,0-2.5c0-47.7-38.8-86.6-86.6-86.6c-0.8,0-1.7,0-2.5,0c-1.7,0-3.3,0.8-4.5,2
+						c-1.2,1.2-1.8,2.9-1.7,4.6c0.1,3.5,3,6.3,6.6,6.2C31.8,35.2,32.5,35.2,33.2,35.2z"/>
+				</g>
+			</g>
+		</g>
+		<g>
+			<g>
+				<g>
+					<path class="st3" d="M33.2,60.5c26.7,0,48.5,21.7,48.5,48.5c0,0.6,0,1.3,0,2c-0.1,1.7,0.5,3.3,1.7,4.6c1.2,1.3,2.7,2,4.4,2.1
+						c1.7,0.1,3.3-0.5,4.6-1.7c1.2-1.2,2-2.7,2-4.4c0-0.9,0.1-1.8,0.1-2.6c0-33.8-27.5-61.2-61.2-61.2c-0.8,0-1.6,0-2.6,0.1
+						c-1.7,0.1-3.3,0.8-4.4,2.1c-1.2,1.3-1.8,2.9-1.7,4.6s0.8,3.3,2.1,4.4c1.3,1.2,2.9,1.8,4.6,1.7C31.9,60.5,32.6,60.5,33.2,60.5z"
+						/>
+				</g>
+			</g>
+		</g>
+		<g>
+			<g>
+				<g>
+					<path class="st4" d="M33.2,86.7c12.3,0,22.3,10,22.3,22.3c0,0.5,0,1.1-0.1,1.8c-0.3,3.5,2.3,6.6,5.8,6.9
+						c3.5,0.3,6.6-2.3,6.9-5.8c0.1-1,0.1-1.9,0.1-2.8c0-19.3-15.7-35.1-35.1-35.1c-0.9,0-1.8,0-2.8,0.1c-1.7,0.1-3.2,0.9-4.3,2.2
+						c-1.1,1.3-1.6,2.9-1.5,4.6c0.1,1.7,0.9,3.2,2.2,4.3c1.3,1.1,2.9,1.6,4.6,1.5C32.1,86.7,32.7,86.7,33.2,86.7z"/>
+				</g>
+			</g>
+		</g>
+	</g>
+	<g>
+		<path class="st1" d="M35.8,130.4c1.1,0.6,2.1,1.5,2.7,2.6c0.7,1.1,1,2.3,1,3.7s-0.3,2.6-1,3.7c-0.7,1.1-1.6,2-2.7,2.6
+			c-1.1,0.6-2.4,1-3.8,1s-2.7-0.3-3.8-1c-1.1-0.6-2.1-1.5-2.7-2.6c-0.7-1.1-1-2.3-1-3.7c0-1.3,0.3-2.6,1-3.7c0.7-1.1,1.6-2,2.7-2.6
+			c1.1-0.6,2.4-0.9,3.8-0.9C33.4,129.5,34.7,129.8,35.8,130.4z M29.9,132.9c-0.7,0.4-1.2,0.9-1.6,1.6s-0.6,1.4-0.6,2.2
+			c0,0.8,0.2,1.6,0.6,2.3c0.4,0.7,0.9,1.2,1.6,1.6c0.7,0.4,1.4,0.6,2.1,0.6c0.8,0,1.5-0.2,2.1-0.6c0.6-0.4,1.2-0.9,1.5-1.6
+			c0.4-0.7,0.6-1.4,0.6-2.3c0-0.8-0.2-1.6-0.6-2.2s-0.9-1.2-1.5-1.6c-0.6-0.4-1.4-0.6-2.1-0.6C31.3,132.3,30.6,132.5,29.9,132.9z"/>
+		<path class="st1" d="M50.6,133.6c0.8,0.5,1.4,1.1,1.8,2c0.4,0.8,0.6,1.8,0.6,2.9c0,1.1-0.2,2-0.6,2.8c-0.4,0.8-1,1.5-1.8,1.9
+			c-0.8,0.5-1.6,0.7-2.6,0.7c-0.7,0-1.4-0.1-2-0.4s-1.1-0.7-1.5-1.2v5.4h-3.1V133h3.1v1.6c0.4-0.5,0.9-1,1.4-1.2s1.2-0.4,2-0.4
+			C48.9,132.9,49.8,133.1,50.6,133.6z M49.1,140.5c0.5-0.6,0.7-1.3,0.7-2.2c0-0.9-0.2-1.6-0.7-2.1c-0.5-0.6-1.1-0.8-1.9-0.8
+			s-1.4,0.3-1.9,0.8c-0.5,0.6-0.8,1.3-0.8,2.1c0,0.9,0.2,1.6,0.8,2.2s1.1,0.8,1.9,0.8S48.6,141,49.1,140.5z"/>
+		<path class="st1" d="M63.4,134.4c0.9,1,1.4,2.4,1.4,4.2c0,0.3,0,0.6,0,0.7H57c0.2,0.7,0.5,1.2,1,1.6c0.5,0.4,1.1,0.6,1.8,0.6
+			c0.5,0,1-0.1,1.5-0.3s0.9-0.5,1.3-0.9l1.6,1.6c-0.5,0.6-1.2,1.1-2,1.4c-0.8,0.3-1.6,0.5-2.6,0.5c-1.1,0-2.1-0.2-3-0.7
+			s-1.5-1.1-2-1.9c-0.5-0.8-0.7-1.8-0.7-2.9c0-1.1,0.2-2.1,0.7-2.9s1.1-1.5,2-1.9c0.8-0.5,1.8-0.7,2.9-0.7
+			C61.2,132.9,62.5,133.4,63.4,134.4z M61.8,137.5c0-0.7-0.3-1.3-0.7-1.7s-1-0.6-1.7-0.6c-0.7,0-1.2,0.2-1.7,0.6
+			c-0.4,0.4-0.7,1-0.9,1.7H61.8z"/>
+		<path class="st1" d="M76.2,134c0.7,0.7,1.1,1.7,1.1,3v6.8h-3.1v-5.9c0-0.7-0.2-1.2-0.6-1.6s-0.9-0.6-1.5-0.6
+			c-0.8,0-1.4,0.3-1.8,0.8c-0.4,0.5-0.7,1.2-0.7,2v5.3h-3.1V133h3.1v1.9c0.7-1.3,2-2,3.7-2C74.6,132.8,75.5,133.2,76.2,134z"/>
+		<path class="st1" d="M96,129.7h3.3l-4.7,14h-3.3l-2.9-10.1l-3,10.1h-3.2l-4.7-14h3.4l3,10.7l3-10.7H90l3.1,10.7L96,129.7z"/>
+		<path class="st1" d="M103.3,128.7c0.3,0.3,0.5,0.7,0.5,1.2s-0.2,0.9-0.5,1.2c-0.3,0.3-0.7,0.5-1.2,0.5c-0.5,0-0.9-0.2-1.2-0.5
+			c-0.3-0.3-0.5-0.7-0.5-1.2c0-0.5,0.2-0.9,0.5-1.2c0.3-0.3,0.7-0.5,1.2-0.5C102.6,128.2,103,128.3,103.3,128.7z M100.6,133h3.1
+			v10.8h-3.1V133z"/>
+		<path class="st1" d="M106.5,129.7h10.1l0,2.6h-6.9v3.4h6.3v2.6h-6.3v5.3h-3.2V129.7z"/>
+		<path class="st1" d="M120.9,128.7c0.3,0.3,0.5,0.7,0.5,1.2s-0.2,0.9-0.5,1.2c-0.3,0.3-0.7,0.5-1.2,0.5c-0.5,0-0.9-0.2-1.2-0.5
+			c-0.3-0.3-0.5-0.7-0.5-1.2c0-0.5,0.2-0.9,0.5-1.2c0.3-0.3,0.7-0.5,1.2-0.5C120.1,128.2,120.5,128.3,120.9,128.7z M118.1,133h3.1
+			v10.8h-3.1V133z"/>
+	</g>
+</g>
+<g>
+</g>
+<g>
+</g>
+<g>
+</g>
+<g>
+</g>
+<g>
+</g>
+<g>
+</g>
+</svg>

openpapi/ucentralsec/ucentralsec.yaml

@@ -1,910 +0,0 @@
-openapi: 3.0.1
-info:
-  title: uCentral Security API
-  description: A process to manage security logins
-  version: 2.0.0
-  license:
-    name: BSD3
-    url: https://github.com/Telecominfraproject/wlan-cloud-ucentralgw/blob/master/LICENSE
-  contact:
-    name: Arilia Support
-    email: ucentralsupport@arilia.com
-    url: https://www.ucentral.info/support
-
-servers:
-  - url: 'https://localhost:16001/api/v1'
-
-security:
-  - bearerAuth: []
-  - ApiKeyAuth: []
-
-components:
-  securitySchemes:
-    ApiKeyAuth:
-      type: apiKey
-      in: header
-      name: X-API-KEY
-    bearerAuth:
-      type: http
-      scheme: bearer
-      bearerFormat: JWT
-
-  responses:
-    NotFound:
-      description: The specified resource was not found.
-      content:
-        application/json:
-          schema:
-            properties:
-              ErrorCode:
-                type: integer
-              ErrorDetails:
-                type: string
-              ErrorDescription:
-                type: string
-
-    Unauthorized:
-      description: The requested does not have sufficient rights to perform the operation.
-      content:
-        application/json:
-          schema:
-            properties:
-              ErrorCode:
-                type: integer
-              ErrorDetails:
-                type: string
-              ErrorDescription:
-                type: string
-
-    Success:
-      description: The requested operation was performed.
-      content:
-        application/json:
-          schema:
-            properties:
-              Operation:
-                type: string
-              Details:
-                type: string
-              Code:
-                type: integer
-
-  schemas:
-
-    WebTokenRequest:
-      description: User Id and password.
-      type: object
-      required:
-        - userId
-        - password
-      properties:
-        userId:
-          type: string
-          default: support@example.com
-        password:
-          type: string
-          default: support
-        newPassword:
-          type: string
-          default: support
-        refreshToken:
-          type: string
-      example:
-        userId: support@example.com
-        password: support
-
-    WebTokenResult:
-      description: Login and Refresh Tokens to be used in subsequent API calls.
-      type: object
-      properties:
-        access_token:
-          type: string
-        refresh_token:
-          type: string
-        token_type:
-          type: string
-        expires_in:
-          type: integer
-          format: int32
-        idle_timeout:
-          type: integer
-          format: int32
-        username:
-          type: string
-        created:
-          type: integer
-          format: int64
-        userMustChangePassword:
-          type: boolean
-        errorCode:
-          type: integer     # 0 = no error, 1 = passwordAlreadyUsed, 2=invalidPassword
-        aclTemplate:
-          $ref: '#/components/schemas/WebTokenAclTemplate'
-
-    WebTokenAclTemplate:
-      type: object
-      properties:
-        aclTemplate:
-          $ref: '#/components/schemas/AclTemplate'
-
-    ApiKeyCreationRequest:
-      type: object
-      properties:
-        name:
-          type: string
-        description:
-          type: string
-        expiresOn:
-          type: integer
-          format: int64
-        rights:
-          $ref: '#/components/schemas/AclTemplate'
-
-    ApiKeyCreationAnswer:
-      type: object
-      properties:
-        UUID:
-          type: string
-          format: uuid
-        name:
-          type: string
-        created:
-          type: integer
-          format: int64
-        expiresOn:
-          type: integer
-          format: int64
-        apiKey:
-          type: string
-        rights:
-          $ref: '#/components/schemas/AclTemplate'
-
-    AclTemplate:
-      type: object
-      properties:
-        Read:
-          type: boolean
-        ReadWrite:
-          type: boolean
-        ReadWriteCreate:
-          type: boolean
-        Delete:
-          type: boolean
-        PortalLogin:
-          type: boolean
-
-    SystemEndpoint:
-      type: object
-      properties:
-        type:
-          type: string
-        id:
-          type: integer
-        vendor:
-          type: string
-        uri:
-          type: string
-          format: uri
-        authenticationType:
-          type: string
-
-    SystemEndpointList:
-      type: object
-      properties:
-        endpoints:
-          type: array
-          items:
-            $ref: '#/components/schemas/SystemEndpoint'
-
-    UserInfo:
-      type: object
-      properties:
-        id:
-          type: string
-          format: uuid
-        name:
-          type: string
-        description:
-          type: string
-        avatar:
-          type: string
-          format: uri
-        email:
-          type: string
-          format: email
-        validated:
-          type: boolean
-        validationEmail:
-          type: string
-          format: email
-        validationDate:
-          type: integer
-          format: int64
-        created:
-          type: integer
-          format: int64
-        validationURI:
-          type: string
-        changePassword:
-          type: boolean
-        lastLogin:
-          type: integer
-          format: int64
-        currentLoginURI:
-          type: string
-        lastPasswordChange:
-          type: integer
-          format: int64
-        lastEmailCheck:
-          type: integer
-          format: int64
-        currentPassword:
-          type: string
-        lastPasswords:
-          type: array
-          items:
-            type: string
-        waitingForEmailCheck:
-          type: boolean
-        notes:
-          type: array
-          items:
-            $ref: '#/components/schemas/NoteInfo'
-        location:
-          type: string
-          format: uuid
-        owner:
-          type: string
-          format: uuid
-        suspended:
-          type: boolean
-        blackListed:
-          type: boolean
-        locale:
-          type: string
-        userRole:
-          type: string
-          enum:
-            - root
-            - admin
-            - sub
-            - csr
-            - system
-            - special
-        oauthType:
-          type: string
-          enum:
-            - internal
-            - normal
-            - gmail
-            - facebook
-            - linkedin
-            - instagram
-        oauthUserInfo:
-          type: string
-        securityPolicy:
-          type: string
-        securityPolicyChange:
-          type: integer
-          format: int64
-
-    UserList:
-      type: object
-      properties:
-        users:
-          type: array
-          items:
-            $ref: '#/components/schemas/UserInfo'
-
-
-    #########################################################################################
-    ##
-    ## These are endpoints that all services in the uCentral stack must provide
-    ##
-    #########################################################################################
-    AnyPayload:
-      type: object
-      properties:
-        Document:
-          type: string
-
-    StringList:
-      type: object
-      properties:
-        list:
-          type: array
-          items:
-            type: string
-
-    TagValuePair:
-      type: object
-      properties:
-        tag:
-          type: string
-        value:
-          type: string
-
-    TagValuePairList:
-      type: object
-      properties:
-        tagList:
-          type: array
-          items:
-            $ref: '#/components/schemas/TagValuePair'
-
-    NoteInfo:
-      type: object
-      properties:
-        created:
-          type: integer
-          format: int64
-        createdBy:
-          type: string
-        note:
-          type: string
-
-    SystemCommandDetails:
-      type: object
-      properties:
-        command:
-          type: string
-          enum:
-            - setloglevels
-            - getloglevels
-            - getSubSystemNames
-            - getLogLevelNames
-            - stats
-        parameters:
-          oneOf:
-            - $ref: '#/components/schemas/StringList'
-            - $ref: '#/components/schemas/TagValuePairList'
-
-    SystemCommandResults:
-      type: object
-      oneOf:
-        - $ref: '#/components/schemas/StringList'
-        - $ref: '#/components/schemas/TagValuePairList'
-
-    ProfileAction:
-      type: object
-      properties:
-        resource:
-          type: string
-        access:
-          type: string
-          enum:
-            - NONE
-            - READ
-            - MODIFY
-            - DELETE
-            - CREATE
-            - TEST
-            - MOVE
-
-    SecurityProfile:
-      type: object
-      properties:
-        id:
-          type: integer
-          format: int64
-        name:
-          type: string
-        description:
-          type: string
-        policy:
-          type: array
-          items:
-            $ref: '#/components/schemas/ProfileAction'
-        role:
-          type: string
-        notes:
-          type: array
-          items:
-            $ref: '#/components/schemas/NoteInfo'
-
-    SecurityProfileList:
-      type: object
-      properties:
-        profiles:
-          type: array
-          items:
-            $ref: '#/components/schemas/SecurityProfile'
-
-    InternalServiceInfo:
-      type: object
-      properties:
-        privateURI:
-          type: string
-        publicURI:
-          type: string
-        token:
-          type: string
-
-    InternalSystemServices:
-      type: object
-      properties:
-        key:
-          type: string
-        version:
-          type: integer
-        services:
-          type: array
-          items:
-            $ref: '#/components/schemas/InternalServiceInfo'
-
-    TokenValidationResult:
-      type: object
-      properties:
-        userInfo:
-          $ref: '#/components/schemas/UserInfo'
-        tokenInfo:
-          $ref: '#/components/schemas/WebTokenResult'
-    #########################################################################################
-    ##
-    ## End of uCentral system wide values
-    ##
-    #########################################################################################
-
-paths:
-  /oauth2:
-    post:
-      tags:
-        - Authentication
-      summary: Get access token - to be used as Bearer token header for all other API requests.
-      operationId: getAccessToken
-      parameters:
-        - in: query
-          name: newPassword
-          description: used when a user is trying to change her password. This will be the new password.
-          schema:
-            type: string
-          required: false
-        - in: query
-          name: forgotPassword
-          description: A user forgot her password. She needs to present her e-mail address in the userId and set this to true
-          schema:
-            type: boolean
-          required: false
-        - in: query
-          name: requirements
-          description: A user forgot her password. She needs to present her e-mail address in the userId and set this to true
-          schema:
-            type: boolean
-          required: false
-      requestBody:
-        description: User id and password
-        required: true
-        content:
-          application/json:
-            schema:
-              $ref: '#/components/schemas/WebTokenRequest'
-      responses:
-        200:
-          description: successful operation
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/WebTokenResult'
-        403:
-          $ref: '#/components/responses/Unauthorized'
-        404:
-          $ref: '#/components/responses/NotFound'
-
-  /oauth2/{token}:
-    delete:
-      tags:
-        - Authentication
-      summary: Revoke a token.
-      operationId: removeAccessToken
-      parameters:
-        - in: path
-          name: token
-          schema:
-            type:
-              string
-          required: true
-      responses:
-        204:
-          description: successful operation
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/responses/Success'
-        403:
-          $ref: '#/components/responses/Unauthorized'
-        404:
-          $ref: '#/components/responses/NotFound'
-
-  /systemEndpoints:
-    get:
-      tags:
-        - Authentication
-      summary: retrieve the system layout
-      operationId: getSystemInfo
-      responses:
-        200:
-          description: successful operation
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/SystemEndpointList'
-        403:
-          $ref: '#/components/responses/Unauthorized'
-        404:
-          $ref: '#/components/responses/NotFound'
-
-  /users:
-    get:
-      tags:
-        - User Management
-      summary: Retrieve a list of existing users as well as some information about them.
-      operationId: getUsers
-      parameters:
-        - in: query
-          name: offset
-          schema:
-            type: integer
-            format: int64
-          required: false
-        - in: query
-          name: limit
-          schema:
-            type: integer
-            format: int64
-          required: false
-        - in: query
-          description: Selecting this option means the newest record will be returned. Use limit to select how many.
-          name: filter
-          schema:
-            type: string
-          required: false
-        - in: query
-          description: Return only the ids.
-          name: idOnly
-          schema:
-            type: boolean
-          required: false
-        - in: query
-          description: Return only the ids.
-          name: select
-          schema:
-            type: string
-            example: id1,id2,id3,id4,id5
-          required: false
-      responses:
-        200:
-          $ref: '#/components/schemas/UserList'
-        403:
-          $ref: '#/components/responses/Unauthorized'
-        404:
-          $ref: '#/components/responses/NotFound'
-
-  /user/{id}:
-    get:
-      tags:
-        - User Management
-      operationId: getUser
-      summary: Retrieve the information for a single user
-      parameters:
-        - in: path
-          name: id
-          schema:
-            type: string
-            format: uuid
-          required: true
-      responses:
-        200:
-          $ref: '#/components/schemas/UserInfo'
-        403:
-          $ref: '#/components/responses/Unauthorized'
-        404:
-          $ref: '#/components/responses/NotFound'
-
-    delete:
-      tags:
-        - User Management
-      operationId: deleteUser
-      summary: Delete s single user
-      parameters:
-        - in: path
-          name: id
-          schema:
-            type: integer
-            format: int64
-          required: true
-      responses:
-        204:
-          $ref: '#/components/responses/Success'
-        403:
-          $ref: '#/components/responses/Unauthorized'
-        404:
-          $ref: '#/components/responses/NotFound'
-
-    post:
-      tags:
-        - User Management
-      operationId: createUser
-      summary: Create a single user
-      parameters:
-        - in: path
-          name: id
-          #must be set to 0 for user creation
-          schema:
-            type: integer
-            format: int64
-          required: true
-        - in: query
-          name: email_verification
-          schema:
-            type: boolean
-          required: false
-      requestBody:
-        description: User details (some fields are ignored during creation)
-        content:
-          application/json:
-            schema:
-              $ref: '#/components/schemas/UserInfo'
-      responses:
-        200:
-          $ref: '#/components/schemas/UserInfo'
-        403:
-          $ref: '#/components/responses/Unauthorized'
-        404:
-          $ref: '#/components/responses/NotFound'
-
-    put:
-      tags:
-        - User Management
-      operationId: updateUser
-      summary: Modifying a single user
-      parameters:
-        - in: path
-          name: id
-          schema:
-            type: integer
-            format: int64
-          required: true
-        - in: query
-          name: email_verification
-          schema:
-            type: boolean
-          required: false
-      requestBody:
-        description: User details (some fields are ignored during update)
-        content:
-          application/json:
-            schema:
-              $ref: '#/components/schemas/UserInfo'
-      responses:
-        200:
-          $ref: '#/components/schemas/UserInfo'
-        403:
-          $ref: '#/components/responses/Unauthorized'
-        404:
-          $ref: '#/components/responses/NotFound'
-
-  /avatar/{id}:
-    get:
-      tags:
-        - Avatar
-      operationId: getAvatar
-      summary: Retrieve teh avatar associated with a user ID
-      parameters:
-        - in: path
-          name: id
-          schema:
-            type: string
-            format: uuid
-          required: true
-
-      responses:
-        200:
-          description: Successfully retrieved the avatar
-          content:
-            image/jpeg:
-              schema:
-                type: string
-                format: binary
-            image/png:
-              schema:
-                type: string
-                format: binary
-            image/svg+xml:
-              schema:
-                type: string
-                format: binary
-        403:
-          $ref: '#/components/responses/Unauthorized'
-        404:
-          $ref: '#/components/responses/NotFound'
-
-    delete:
-      tags:
-        - Avatar
-      operationId: deleteAvatar
-      summary: Remove an Avatar associated with a user ID
-      parameters:
-        - in: path
-          name: id
-          schema:
-            type: string
-            format: uuid
-          required: true
-      responses:
-        204:
-          $ref: '#/components/responses/Success'
-        403:
-          $ref: '#/components/responses/Unauthorized'
-        404:
-          $ref: '#/components/responses/NotFound'
-
-    post:
-      tags:
-        - Avatar
-      operationId: createAvatar
-      summary: Create an Avatar associated with a user ID
-      parameters:
-        - in: path
-          name: id
-          schema:
-            type: string
-            format: uuid
-          required: true
-      requestBody:
-        description: User id and password
-        required: true
-        content:
-          image/jpeg:
-            schema:
-              type: string
-              format: binary
-          image/png:
-            schema:
-              type: string
-              format: binary
-          image/svg+xml:
-            schema:
-              type: string
-              format: binary
-
-      responses:
-        200:
-          $ref: '#/components/responses/Success'
-        403:
-          $ref: '#/components/responses/Unauthorized'
-        404:
-          $ref: '#/components/responses/NotFound'
-
-  #########################################################################################
-  ##
-  ## These are endpoints that all services in the uCentral stack must provide
-  ##
-  #########################################################################################
-
-  /system:
-    post:
-      tags:
-        - System Commands
-      summary: Perform some systeme wide commands
-      operationId: systemCommand
-      requestBody:
-        description: Command details
-        content:
-          application/json:
-            schema:
-              $ref: '#/components/schemas/SystemCommandDetails'
-      responses:
-        200:
-          description: Successfull command execution
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/SystemCommandResults'
-        403:
-          $ref: '#/components/responses/Unauthorized'
-        404:
-          $ref: '#/components/responses/NotFound'
-    get:
-      tags:
-        - System Commands
-      summary: Retrieve different values from the running service.
-      operationId: getSystemCommand
-      parameters:
-        - in: query
-          description: Get a value
-          name: command
-          schema:
-            type: string
-            enum:
-              - version
-              - times
-          required: true
-
-      responses:
-        200:
-          description: Successfull command execution
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/TagValuePair'
-        403:
-          $ref: '#/components/responses/Unauthorized'
-        404:
-          $ref: '#/components/responses/NotFound'
-
-  /securityProfiles:
-    get:
-      tags:
-        - Security
-      summary: Retrieve the list of security profiles for a specific service type
-      operationId: getSecurituProfiles
-      parameters:
-        - in: query
-          description: Pagination start (starts at 1. If not specified, 1 is assumed)
-          name: offset
-          schema:
-            type: integer
-          required: false
-        - in: query
-          description: Maximum number of entries to return (if absent, no limit is assumed)
-          name: limit
-          schema:
-            type: integer
-          required: false
-        - in: query
-          description: Filter the results
-          name: filter
-          schema:
-            type: string
-          required: false
-      responses:
-        200:
-          $ref: '#/components/schemas/SecurityProfileList'
-        403:
-          $ref: '#/components/responses/Unauthorized'
-        404:
-          $ref: '#/components/responses/NotFound'
-
-  #########################################################################################
-  ##  The following calls are restricted to the private system side APIs
-  #########################################################################################
-  /systemServices:
-    get:
-      tags:
-        - Security
-      summary: Retrieve the basic system information. This information is used between services only.
-      operationId: getSystemServices
-      responses:
-        200:
-          $ref: '#/components/schemas/InternalSystemServices'
-        403:
-          $ref: '#/components/responses/Unauthorized'
-        404:
-          $ref: '#/components/responses/NotFound'
-
-  /validateToken:
-    get:
-      tags:
-        - Security
-      summary: Allows any microservice to validate a token and get security policy for a specific user.
-      operationId: validateToken
-      parameters:
-        - in: query
-          name: token
-          schema:
-            type: string
-          required: true
-      responses:
-        200:
-          $ref: '#/components/schemas/TokenValidationResult'
-        403:
-          $ref: '#/components/responses/Unauthorized'
-        404:
-          $ref: '#/components/responses/NotFound'
-
-
-#########################################################################################
-##
-## These are endpoints that all services in the uCentral stack must provide
-##
-#########################################################################################

overlays/curl/portfile.cmake

@@ -0,0 +1 @@
+set(VCPKG_POLICY_EMPTY_PACKAGE enabled)

overlays/curl/vcpkg.json

@@ -0,0 +1,4 @@
+{
+    "name": "curl",
+    "version-string": "7.74.0-1.3+deb11u3"
+}

overlays/openssl/portfile.cmake

@@ -0,0 +1 @@
+set(VCPKG_POLICY_EMPTY_PACKAGE enabled)

overlays/openssl/vcpkg.json

@@ -0,0 +1,4 @@
+{
+    "name": "openssl",
+    "version-string": "1.1.1n-0+deb11u3"
+}

overlays/zlib/portfile.cmake

@@ -0,0 +1 @@
+set(VCPKG_POLICY_EMPTY_PACKAGE enabled)

overlays/zlib/vcpkg.json

@@ -0,0 +1,4 @@
+{
+    "name": "zlib",
+    "version-string": "1:1.2.11.dfsg-2+deb11u2"
+}

owsec.properties

@@ -0,0 +1,146 @@
+#
+# uCentral protocol server for devices. This is where you point
+# all your devices. You can replace the * for address by the specific
+# address of one of your interfaces
+#
+
+#
+# REST API access
+#
+openwifi.restapi.host.0.backlog = 100
+openwifi.restapi.host.0.security = relaxed
+openwifi.restapi.host.0.rootca = $OWSEC_ROOT/certs/restapi-ca.pem
+openwifi.restapi.host.0.address = *
+openwifi.restapi.host.0.port = 16001
+openwifi.restapi.host.0.cert = $OWSEC_ROOT/certs/restapi-cert.pem
+openwifi.restapi.host.0.key = $OWSEC_ROOT/certs/restapi-key.pem
+openwifi.restapi.host.0.key.password = mypassword
+openwifi.restapi.wwwassets = $OWSEC_ROOT/wwwassets
+
+openwifi.internal.restapi.host.0.backlog = 100
+openwifi.internal.restapi.host.0.security = relaxed
+openwifi.internal.restapi.host.0.rootca = $OWSEC_ROOT/certs/restapi-ca.pem
+openwifi.internal.restapi.host.0.address = *
+openwifi.internal.restapi.host.0.port = 17001
+openwifi.internal.restapi.host.0.cert = $OWSEC_ROOT/certs/restapi-cert.pem
+openwifi.internal.restapi.host.0.key = $OWSEC_ROOT/certs/restapi-key.pem
+openwifi.internal.restapi.host.0.key.password = mypassword
+
+#
+# Generic section that all microservices must have
+#
+authentication.enabled = true
+authentication.default.username = tip@ucentral.com
+authentication.default.password = 13268b7daa751240369d125e79c873bd8dd3bef7981bdfd38ea03dbb1fbe7dcf
+openwifi.system.data = $OWSEC_ROOT/data
+openwifi.system.uri.private = https://localhost:17001
+openwifi.system.uri.public = https://main.server.com:16001
+openwifi.system.uri.ui = https://ucentral-ui.main.server.com
+openwifi.security.restapi.disable = false
+openwifi.system.commandchannel = /tmp/app.ucentralsec
+openwifi.service.key = $OWSEC_ROOT/certs/restapi-key.pem
+openwifi.service.key.password = mypassword
+
+smssender.enabled = false
+smssender.provider = aws
+smssender.aws.secretkey = ***************************************
+smssender.aws.accesskey = ***************************************
+smssender.aws.region = **************
+
+#smssender.provider = twilio
+#smssender.twilio.sid = ***********************
+#smssender.twilio.token = **********************
+#smssender.twilio.phonenumber = +18888888888
+
+#
+# Security Microservice Specific Section
+#
+mailer.enabled = false
+mailer.hostname = smtp.gmail.com
+mailer.username = ************************
+mailer.password = ************************
+mailer.sender = OpenWIFI
+mailer.loginmethod = login
+mailer.port = 587
+mailer.templates = $OWSEC_ROOT/templates
+
+helper.user.email = openwifi@telecominfraproject.com
+helper.sub.email = openwifi@telecominfraproject.com
+helper.user.global.email = openwifi@telecominfraproject.com
+helper.sub.global.email = openwifi@telecominfraproject.com
+helper.user.site = https://openwifi.telecominfraproject.com
+helper.sub.site = https://openwifi.telecominfraproject.com
+helper.user.login = https://openwifi.telecominfraproject.com
+helper.sub.login = https://openwifi.telecominfraproject.com
+helper.user.signature = Telecom Infra Project
+helper.sub.signature = Telecom Infra Project
+
+#############################
+# Generic information for all micro-services
+#############################
+#
+# NLB Support
+#
+alb.enable = true
+alb.port = 16101
+
+#
+# Kafka
+#
+openwifi.kafka.group.id = security
+openwifi.kafka.client.id = security1
+openwifi.kafka.enable = true
+openwifi.kafka.brokerlist = kafka:9092
+openwifi.kafka.auto.commit = false
+openwifi.kafka.queue.buffering.max.ms = 50
+openwifi.kafka.ssl.ca.location =
+openwifi.kafka.ssl.certificate.location =
+openwifi.kafka.ssl.key.location =
+openwifi.kafka.ssl.key.password =
+
+openwifi.document.policy.access = /wwwassets/access_policy.html
+openwifi.document.policy.password = /wwwassets/password_policy.html
+openwifi.avatar.maxsize = 2000000
+
+totp.issuer = OpenWiFi
+#
+# This section select which form of persistence you need
+# Only one selected at a time. If you select multiple, this service will die if a horrible
+# death and might make your beer flat.
+#
+storage.type = sqlite
+#storage.type = postgresql
+#storage.type = mysql
+#storage.type = odbc
+
+storage.type.sqlite.db = security.db
+storage.type.sqlite.idletime = 120
+storage.type.sqlite.maxsessions = 128
+
+storage.type.postgresql.maxsessions = 64
+storage.type.postgresql.idletime = 60
+storage.type.postgresql.host = localhost
+storage.type.postgresql.username = owsec
+storage.type.postgresql.password = owsec
+storage.type.postgresql.database = owsec
+storage.type.postgresql.port = 5432
+storage.type.postgresql.connectiontimeout = 60
+
+storage.type.mysql.maxsessions = 64
+storage.type.mysql.idletime = 60
+storage.type.mysql.host = localhost
+storage.type.mysql.username = owsec
+storage.type.mysql.password = owsec
+storage.type.mysql.database = owsec
+storage.type.mysql.port = 3306
+storage.type.mysql.connectiontimeout = 60
+
+########################################################################
+########################################################################
+#
+# Logging: please leave as is for now.
+#
+########################################################################
+logging.type = file
+logging.path = $OWSEC_ROOT/logs
+logging.level = debug

owsec.properties.tmpl

@@ -0,0 +1,142 @@
+#
+# uCentral protocol server for devices. This is where you point
+# all your devices. You can replace the * for address by the specific
+# address of one of your interfaces
+#
+
+#
+# REST API access
+#
+openwifi.restapi.host.0.backlog = 100
+openwifi.restapi.host.0.security = relaxed
+openwifi.restapi.host.0.rootca = ${RESTAPI_HOST_ROOTCA}
+openwifi.restapi.host.0.address = *
+openwifi.restapi.host.0.port = ${RESTAPI_HOST_PORT}
+openwifi.restapi.host.0.cert = ${RESTAPI_HOST_CERT}
+openwifi.restapi.host.0.key = ${RESTAPI_HOST_KEY}
+openwifi.restapi.host.0.key.password = ${RESTAPI_HOST_KEY_PASSWORD}
+openwifi.restapi.wwwassets = ${RESTAPI_WWWASSETS}
+
+openwifi.internal.restapi.host.0.backlog = 100
+openwifi.internal.restapi.host.0.security = relaxed
+openwifi.internal.restapi.host.0.rootca = ${INTERNAL_RESTAPI_HOST_ROOTCA}
+openwifi.internal.restapi.host.0.address = *
+openwifi.internal.restapi.host.0.port = ${INTERNAL_RESTAPI_HOST_PORT}
+openwifi.internal.restapi.host.0.cert = ${INTERNAL_RESTAPI_HOST_CERT}
+openwifi.internal.restapi.host.0.key = ${INTERNAL_RESTAPI_HOST_KEY}
+openwifi.internal.restapi.host.0.key.password = ${INTERNAL_RESTAPI_HOST_KEY_PASSWORD}
+
+#
+# Generic section that all microservices must have
+#
+authentication.enabled = true
+authentication.default.username = ${AUTHENTICATION_DEFAULT_USERNAME}
+authentication.default.password = ${AUTHENTICATION_DEFAULT_PASSWORD}
+openwifi.system.data = ${SYSTEM_DATA}
+openwifi.system.uri.private = ${SYSTEM_URI_PRIVATE}
+openwifi.system.uri.public = ${SYSTEM_URI_PUBLIC}
+openwifi.system.uri.ui = ${SYSTEM_URI_UI}
+openwifi.security.restapi.disable = ${SECURITY_RESTAPI_DISABLE}
+openwifi.system.commandchannel = /tmp/app.ucentralsec
+openwifi.service.key = ${SERVICE_KEY}
+openwifi.service.key.password = ${SERVICE_KEY_PASSWORD}
+
+smssender.enabled = ${SMSSENDER_ENABLED}
+smssender.provider = ${SMSSENDER_PROVIDER}
+
+smssender.aws.secretkey = ${SMSSENDER_AWS_SECRETKEY}
+smssender.aws.accesskey = ${SMSSENDER_AWS_ACCESSKEY}
+smssender.aws.region = ${SMSSENDER_AWS_REGION}
+
+smssender.twilio.sid = ${SMSSENDER_TWILIO_SID}
+smssender.twilio.token = ${SMSSENDER_TWILIO_TOKEN}
+smssender.twilio.phonenumber = ${SMSSENDER_TWILIO_PHONENUMBER}
+
+#
+# Security Microservice Specific Section
+#
+mailer.enabled = ${MAILER_ENABLED}
+mailer.hostname = ${MAILER_HOSTNAME}
+mailer.username = ${MAILER_USERNAME}
+mailer.password = ${MAILER_PASSWORD}
+mailer.sender = ${MAILER_SENDER}
+mailer.loginmethod = login
+mailer.port = ${MAILER_PORT}
+mailer.templates = ${MAILER_TEMPLATES}
+
+helper.user.email = ${USER_HELPER_EMAIL}
+helper.sub.email = ${SUB_HELPER_EMAIL}
+helper.user.global.email = ${GLOBAL_USER_HELPER_EMAIL}
+helper.sub.global.email = ${GLOBAL_SUB_HELPER_EMAIL}
+helper.user.site = ${USER_HELPER_SITE}
+helper.sub.site = ${SUB_HELPER_SITE}
+helper.user.login = ${USER_SYSTEM_LOGIN}
+helper.sub.login = ${SUB_SYSTEM_LOGIN}
+helper.user.signature = ${USER_SIGNATURE}
+helper.sub.signature = ${SUB_SIGNATURE}
+
+#############################
+# Generic information for all micro services
+#############################
+#
+# NLB Support
+#
+alb.enable = true
+alb.port = 16101
+
+#
+# Kafka
+#
+openwifi.kafka.group.id = security
+openwifi.kafka.client.id = security1
+openwifi.kafka.enable = ${KAFKA_ENABLE}
+openwifi.kafka.brokerlist = ${KAFKA_BROKERLIST}
+openwifi.kafka.auto.commit = false
+openwifi.kafka.queue.buffering.max.ms = 50
+openwifi.kafka.ssl.ca.location = ${KAFKA_SSL_CA_LOCATION}
+openwifi.kafka.ssl.certificate.location = ${KAFKA_SSL_CERTIFICATE_LOCATION}
+openwifi.kafka.ssl.key.location = ${KAFKA_SSL_KEY_LOCATION}
+openwifi.kafka.ssl.key.password = ${KAFKA_SSL_KEY_PASSWORD}
+
+openwifi.document.policy.access = ${DOCUMENT_POLICY_ACCESS}
+openwifi.document.policy.password = ${DOCUMENT_POLICY_PASSWORD}
+openwifi.avatar.maxsize = 2000000
+#
+# This section select which form of persistence you need
+# Only one selected at a time. If you select multiple, this service will die if a horrible
+# death and might make your beer flat.
+#
+storage.type = ${STORAGE_TYPE}
+
+storage.type.sqlite.db = security.db
+storage.type.sqlite.idletime = 120
+storage.type.sqlite.maxsessions = 128
+
+storage.type.postgresql.maxsessions = 64
+storage.type.postgresql.idletime = 60
+storage.type.postgresql.host = ${STORAGE_TYPE_POSTGRESQL_HOST}
+storage.type.postgresql.username = ${STORAGE_TYPE_POSTGRESQL_USERNAME}
+storage.type.postgresql.password = ${STORAGE_TYPE_POSTGRESQL_PASSWORD}
+storage.type.postgresql.database = ${STORAGE_TYPE_POSTGRESQL_DATABASE}
+storage.type.postgresql.port = ${STORAGE_TYPE_POSTGRESQL_PORT}
+storage.type.postgresql.connectiontimeout = 60
+
+storage.type.mysql.maxsessions = 64
+storage.type.mysql.idletime = 60
+storage.type.mysql.host = ${STORAGE_TYPE_MYSQL_HOST}
+storage.type.mysql.username = ${STORAGE_TYPE_MYSQL_USERNAME}
+storage.type.mysql.password = ${STORAGE_TYPE_MYSQL_PASSWORD}
+storage.type.mysql.database = ${STORAGE_TYPE_MYSQL_DATABASE}
+storage.type.mysql.port = ${STORAGE_TYPE_MYSQL_PORT}
+storage.type.mysql.connectiontimeout = 60
+
+
+########################################################################
+########################################################################
+#
+# Logging: please leave as is for now.
+#
+########################################################################
+logging.type = console
+logging.path = $OWSEC_ROOT/logs
+logging.level = debug

owsec.service

@@ -5,8 +5,8 @@ Wants=network-online.target
 
 [Service]
 Type=simple
-Environment="UCENTRALSEC_ROOT=/home/admin/dev/wlan-cloud-ucentralsec"
-ExecStart=/home/admin/dev/wlan-cloud-ucentralsec/cmake-build/ucentralsec
+Environment="OWSEC_ROOT=/home/admin/dev/wlan-cloud-ucentralsec"
+ExecStart=/home/admin/dev/wlan-cloud-ucentralsec/cmake-build/owsec
 WorkingDirectory=/home/admin/dev/wlan-cloud-ucentralsec
 # ExecReload=/bin/kill -s HUP $MAINPID
 User=admin

readiness_check

@@ -0,0 +1,59 @@
+#!/bin/bash
+set -e
+
+if [[ "$(which jq)" == "" ]]
+then
+  echo "You need the package jq installed to use this script."
+  exit 1
+fi
+
+if [[ "$(which curl)" == "" ]]
+then
+  echo "You need the package curl installed to use this script."
+  exit 1
+fi
+
+
+if [[ "${READINESS_METHOD}" == "systeminfo" ]]
+then
+  if [[ "${OWSEC_USERNAME}" == "" ]]
+  then
+    echo "You must set the variable OWSEC_USERNAME in order to use this script. Something like"
+    echo "OWSEC_USERNAME=tip@ucentral.com"
+    exit 1
+  fi
+
+  if [[ "${OWSEC_PASSWORD}" == "" ]]
+  then
+    echo "You must set the variable OWSEC_PASSWORD in order to use this script. Something like"
+    echo "OWSEC_PASSWORD=openwifi"
+    exit 1
+  fi
+
+  export RESTAPI_PORT=$(grep 'openwifi.restapi.host.0.port' $OWSEC_CONFIG/owsec.properties | awk -F '=' '{print $2}' | xargs | envsubst)
+  # Get OAuth token from OWSEC and cache it or use cached one
+  payload="{ \"userId\" : \"$OWSEC_USERNAME\" , \"password\" : \"$OWSEC_PASSWORD\" }"
+  if [[ -f "/tmp/token" ]]
+  then
+    token=$(cat /tmp/token)
+  else
+    token=$(curl ${FLAGS} -k -X POST -H "Content-Type: application/json" -d "$payload" "https://localhost:$RESTAPI_PORT/api/v1/oauth2" | jq -r '.access_token')
+  fi
+  if [[ "${token}" == "" ]]
+  then
+    echo "Could not login. Please verify the host and username/password."
+    exit 13
+  fi
+  echo -n $token > /tmp/token
+
+  # Make systeminfo request to the local owsec instance
+  curl ${FLAGS} -k -X GET "https://localhost:$RESTAPI_PORT/api/v1/system?command=info" \
+    -H "accept: application/json" \
+    -H "Authorization: Bearer ${token}" > /tmp/result.json
+  exit_code=$?
+  jq < /tmp/result.json
+  exit $exit_code
+else
+  export ALB_PORT=$(grep 'alb.port' $OWSEC_CONFIG/owsec.properties | awk -F '=' '{print $2}' | xargs | envsubst)
+  curl localhost:$ALB_PORT
+fi

set_env.sh

@@ -1,4 +1,4 @@
 #!/bin/bash
 
-export UCENTRALSEC_CONFIG=`pwd`
-export UCENTRALSEC_ROOT=`pwd`
+export OWSEC_CONFIG=`pwd`
+export OWSEC_ROOT=`pwd`

src/ACLProcessor.h

@@ -0,0 +1,132 @@
+//
+// Created by stephane bourque on 2021-11-12.
+//
+
+#ifndef OWSEC_ACLPROCESSOR_H
+#define OWSEC_ACLPROCESSOR_H
+
+#include "RESTObjects/RESTAPI_SecurityObjects.h"
+
+namespace OpenWifi {
+
+	class ACLProcessor {
+	  public:
+		enum ACL_OPS { READ, MODIFY, DELETE, CREATE };
+		/*
+		 *  0) You can only delete yourself if you are a subscriber
+			1) You cannot delete yourself
+			2) If you are root, you can do anything.
+			3) You can do anything to yourself
+			4) Nobody can touch a root, unless they are a root, unless it is to get information on a
+		 ROOT 5) Creation rules: ROOT -> create anything PARTNER -> (multi-tenant owner)
+		 admin,subs,csr,installer,noc,accounting - matches to an entity in provisioning ADMIN ->
+		 admin-subs-csr-installer-noc-accounting ACCOUNTING -> subs-installer-csr
+
+		 */
+		static inline bool Can(const SecurityObjects::UserInfo &User,
+							   const SecurityObjects::UserInfo &Target, ACL_OPS Op) {
+
+			switch (Op) {
+			case DELETE: {
+				//  can a user delete themselves - yes - only if not root. We do not want a system
+				//  to end up rootless
+				if (User.id == Target.id) {
+					return User.userRole != SecurityObjects::ROOT;
+				}
+				//  Root can delete anyone
+				switch (User.userRole) {
+				case SecurityObjects::ROOT:
+					return true;
+				case SecurityObjects::ADMIN:
+					return Target.userRole != SecurityObjects::ROOT &&
+						   Target.userRole != SecurityObjects::PARTNER;
+				case SecurityObjects::SUBSCRIBER:
+					return User.id == Target.id;
+				case SecurityObjects::CSR:
+					return false;
+				case SecurityObjects::SYSTEM:
+					return Target.userRole != SecurityObjects::ROOT &&
+						   Target.userRole != SecurityObjects::PARTNER;
+				case SecurityObjects::INSTALLER:
+					return User.id == Target.id;
+				case SecurityObjects::NOC:
+					return Target.userRole == SecurityObjects::NOC;
+				case SecurityObjects::ACCOUNTING:
+					return Target.userRole == SecurityObjects::ACCOUNTING;
+				case SecurityObjects::PARTNER:
+					return Target.userRole != SecurityObjects::ROOT;
+				default:
+					return false;
+				}
+			} break;
+
+			case READ: {
+				return User.userRole == SecurityObjects::ROOT ||
+					   User.userRole == SecurityObjects::ADMIN ||
+					   User.userRole == SecurityObjects::PARTNER;
+			} break;
+
+			case CREATE: {
+				switch (User.userRole) {
+				case SecurityObjects::ROOT:
+					return true;
+				case SecurityObjects::ADMIN:
+					return Target.userRole != SecurityObjects::ROOT &&
+						   Target.userRole != SecurityObjects::PARTNER;
+				case SecurityObjects::SUBSCRIBER:
+					return false;
+				case SecurityObjects::CSR:
+					return Target.userRole == SecurityObjects::CSR;
+				case SecurityObjects::SYSTEM:
+					return Target.userRole != SecurityObjects::ROOT &&
+						   Target.userRole != SecurityObjects::PARTNER;
+				case SecurityObjects::INSTALLER:
+					return Target.userRole == SecurityObjects::INSTALLER;
+				case SecurityObjects::NOC:
+					return Target.userRole == SecurityObjects::NOC;
+				case SecurityObjects::ACCOUNTING:
+					return Target.userRole == SecurityObjects::ACCOUNTING;
+				case SecurityObjects::PARTNER:
+					return Target.userRole != SecurityObjects::ROOT;
+				default:
+					return false;
+				}
+			} break;
+
+			case MODIFY: {
+				switch (User.userRole) {
+				case SecurityObjects::ROOT:
+					return true;
+				case SecurityObjects::ADMIN:
+					return Target.userRole != SecurityObjects::ROOT &&
+						   Target.userRole != SecurityObjects::PARTNER;
+				case SecurityObjects::SUBSCRIBER:
+					return User.id == Target.id;
+				case SecurityObjects::CSR:
+					return Target.userRole == SecurityObjects::CSR;
+				case SecurityObjects::SYSTEM:
+					return Target.userRole != SecurityObjects::ROOT &&
+						   Target.userRole != SecurityObjects::PARTNER;
+				case SecurityObjects::INSTALLER:
+					return Target.userRole == SecurityObjects::INSTALLER;
+				case SecurityObjects::NOC:
+					return Target.userRole == SecurityObjects::NOC;
+				case SecurityObjects::ACCOUNTING:
+					return Target.userRole == SecurityObjects::ACCOUNTING;
+				case SecurityObjects::PARTNER:
+					return Target.userRole != SecurityObjects::ROOT;
+				default:
+					return false;
+				}
+			} break;
+			default:
+				return false;
+			}
+		}
+
+	  private:
+	};
+
+} // namespace OpenWifi
+
+#endif // OWSEC_ACLPROCESSOR_H

src/ALBHealthCheckServer.h

@@ -1,114 +0,0 @@
-//
-// Created by stephane bourque on 2021-06-04.
-//
-
-#ifndef UCENTRALGW_ALBHEALTHCHECKSERVER_H
-#define UCENTRALGW_ALBHEALTHCHECKSERVER_H
-
-#include <memory>
-#include <iostream>
-#include <fstream>
-#include <sstream>
-
-#include "Poco/Thread.h"
-#include "Poco/Net/HTTPServer.h"
-#include "Poco/Net/HTTPServerRequest.h"
-#include "Poco/Net/HTTPServerResponse.h"
-#include "Poco/Net/HTTPRequestHandler.h"
-#include "Poco/Logger.h"
-
-#include "Daemon.h"
-#include "SubSystemServer.h"
-
-namespace OpenWifi {
-
-	class ALBRequestHandler: public Poco::Net::HTTPRequestHandler
-			/// Return a HTML document with the current date and time.
-		{
-		  public:
-			ALBRequestHandler(Poco::Logger & L)
-				: Logger_(L)
-			{
-			}
-
-			void handleRequest(Poco::Net::HTTPServerRequest& Request, Poco::Net::HTTPServerResponse& Response)
-			{
-				Logger_.information(Poco::format("ALB-REQUEST(%s): New ALB request.",Request.clientAddress().toString()));
-				Response.setChunkedTransferEncoding(true);
-				Response.setContentType("text/html");
-				Response.setDate(Poco::Timestamp());
-				Response.setStatus(Poco::Net::HTTPResponse::HTTP_OK);
-				Response.setKeepAlive(true);
-				Response.set("Connection","keep-alive");
-				Response.setVersion(Poco::Net::HTTPMessage::HTTP_1_1);
-				std::ostream &Answer = Response.send();
-				Answer << "uCentralGW Alive and kicking!" ;
-			}
-
-	  private:
-		Poco::Logger 	& Logger_;
-	};
-
-	class ALBRequestHandlerFactory: public Poco::Net::HTTPRequestHandlerFactory
-		{
-		  public:
-			explicit ALBRequestHandlerFactory(Poco::Logger & L):
-				Logger_(L)
-			{
-			}
-
-			ALBRequestHandler* createRequestHandler(const Poco::Net::HTTPServerRequest& request) override
-			{
-				if (request.getURI() == "/")
-					return new ALBRequestHandler(Logger_);
-				else
-					return nullptr;
-			}
-
-		  private:
-			Poco::Logger	&Logger_;
-		};
-
-    class ALBHealthCheckServer : public SubSystemServer {
-        public:
-            ALBHealthCheckServer() noexcept:
-                    SubSystemServer("ALBHealthCheckServer", "ALB-SVR", "alb")
-            {
-            }
-
-            static ALBHealthCheckServer *instance() {
-                if (instance_ == nullptr) {
-                    instance_ = new ALBHealthCheckServer;
-                }
-                return instance_;
-            }
-
-            int Start() {
-                if(Daemon()->ConfigGetBool("alb.enable",false)) {
-                    Port_ = (int)Daemon()->ConfigGetInt("alb.port",15015);
-                    Socket_ = std::make_unique<Poco::Net::ServerSocket>(Port_);
-                    auto Params = new Poco::Net::HTTPServerParams;
-                    Server_ = std::make_unique<Poco::Net::HTTPServer>(new ALBRequestHandlerFactory(Logger_), *Socket_, Params);
-                    Server_->start();
-                }
-
-                return 0;
-            }
-
-            void Stop() {
-                if(Server_)
-                    Server_->stop();
-            }
-
-          private:
-            static ALBHealthCheckServer *instance_;
-            std::unique_ptr<Poco::Net::HTTPServer>   	Server_;
-            std::unique_ptr<Poco::Net::ServerSocket> 	Socket_;
-            int                                     	Port_ = 0;
-        };
-
-    inline ALBHealthCheckServer * ALBHealthCheckServer() { return ALBHealthCheckServer::instance(); }
-    inline class ALBHealthCheckServer * ALBHealthCheckServer::instance_ = nullptr;
-}
-
-#endif // UCENTRALGW_ALBHEALTHCHECKSERVER_H

src/ActionLinkManager.cpp

@@ -0,0 +1,144 @@
+//
+// Created by stephane bourque on 2021-11-08.
+//
+
+#include "ActionLinkManager.h"
+#include "MessagingTemplates.h"
+#include "RESTObjects/RESTAPI_SecurityObjects.h"
+#include "StorageService.h"
+#include "fmt/format.h"
+#include "framework/utils.h"
+
+namespace OpenWifi {
+
+	int ActionLinkManager::Start() {
+		poco_information(Logger(), "Starting...");
+		if (!Running_)
+			Thr_.start(*this);
+		return 0;
+	}
+
+	void ActionLinkManager::Stop() {
+		poco_information(Logger(), "Stopping...");
+		if (Running_) {
+			Running_ = false;
+			Thr_.wakeUp();
+			Thr_.join();
+		}
+		poco_information(Logger(), "Stopped...");
+	}
+
+
+    void ActionLinkManager::run() {
+		Running_ = true;
+		Utils::SetThreadName("action-mgr");
+
+        Poco::Thread::trySleep(10000);
+
+		while (Running_) {
+			Poco::Thread::trySleep(2000);
+			if (!Running_)
+				break;
+			std::vector<SecurityObjects::ActionLink> Links;
+			{
+				std::lock_guard G(Mutex_);
+				StorageService()->ActionLinksDB().GetActions(Links);
+			}
+
+			if (Links.empty())
+				continue;
+
+			for (auto &i : Links) {
+				if (!Running_)
+					break;
+
+				SecurityObjects::UserInfo UInfo;
+				if ((i.action == OpenWifi::SecurityObjects::LinkActions::FORGOT_PASSWORD ||
+					 i.action == OpenWifi::SecurityObjects::LinkActions::VERIFY_EMAIL) &&
+					!StorageService()->UserDB().GetUserById(i.userId, UInfo)) {
+					StorageService()->ActionLinksDB().CancelAction(i.id);
+					continue;
+				} else if ((i.action ==
+								OpenWifi::SecurityObjects::LinkActions::SUB_FORGOT_PASSWORD ||
+							i.action == OpenWifi::SecurityObjects::LinkActions::SUB_VERIFY_EMAIL ||
+							i.action == OpenWifi::SecurityObjects::LinkActions::SUB_SIGNUP) &&
+						   !StorageService()->SubDB().GetUserById(i.userId, UInfo)) {
+					StorageService()->ActionLinksDB().CancelAction(i.id);
+					continue;
+				} else if ((i.action == OpenWifi::SecurityObjects::LinkActions::EMAIL_INVITATION) &&
+						   (OpenWifi::Now() - i.created) > (24 * 60 * 60)) {
+					StorageService()->ActionLinksDB().CancelAction(i.id);
+					continue;
+				}
+
+				switch (i.action) {
+				case OpenWifi::SecurityObjects::LinkActions::FORGOT_PASSWORD: {
+					if (AuthService()->SendEmailToUser(i.id, UInfo.email,
+													   MessagingTemplates::FORGOT_PASSWORD)) {
+						poco_information(
+							Logger(), fmt::format("Send password reset link to {}", UInfo.email));
+					}
+					StorageService()->ActionLinksDB().SentAction(i.id);
+				} break;
+
+				case OpenWifi::SecurityObjects::LinkActions::VERIFY_EMAIL: {
+					if (AuthService()->SendEmailToUser(i.id, UInfo.email,
+													   MessagingTemplates::EMAIL_VERIFICATION)) {
+						poco_information(Logger(), fmt::format("Send email verification link to {}",
+															   UInfo.email));
+					}
+					StorageService()->ActionLinksDB().SentAction(i.id);
+				} break;
+
+				case OpenWifi::SecurityObjects::LinkActions::EMAIL_INVITATION: {
+					if (AuthService()->SendEmailToUser(i.id, UInfo.email,
+													   MessagingTemplates::EMAIL_INVITATION)) {
+						poco_information(
+							Logger(), fmt::format("Send new subscriber email invitation link to {}",
+												  UInfo.email));
+					}
+					StorageService()->ActionLinksDB().SentAction(i.id);
+				} break;
+
+				case OpenWifi::SecurityObjects::LinkActions::SUB_FORGOT_PASSWORD: {
+					if (AuthService()->SendEmailToSubUser(i.id, UInfo.email,
+														  MessagingTemplates::SUB_FORGOT_PASSWORD,"")) {
+						poco_information(
+							Logger(),
+							fmt::format("Send subscriber password reset link to {}", UInfo.email));
+					}
+					StorageService()->ActionLinksDB().SentAction(i.id);
+				} break;
+
+				case OpenWifi::SecurityObjects::LinkActions::SUB_VERIFY_EMAIL: {
+					if (AuthService()->SendEmailToSubUser(
+							i.id, UInfo.email, MessagingTemplates::SUB_EMAIL_VERIFICATION,"")) {
+						poco_information(
+							Logger(), fmt::format("Send subscriber email verification link to {}",
+												  UInfo.email));
+					}
+					StorageService()->ActionLinksDB().SentAction(i.id);
+				} break;
+
+				case OpenWifi::SecurityObjects::LinkActions::SUB_SIGNUP: {
+					auto Signup = Poco::StringTokenizer(UInfo.signingUp, ":");
+					if (AuthService()->SendEmailToSubUser(
+							i.id, UInfo.email, MessagingTemplates::SUB_SIGNUP_VERIFICATION,
+							Signup.count() == 1 ? "" : Signup[0])) {
+						poco_information(
+							Logger(),
+							fmt::format("Send new subscriber email verification link to {}",
+										UInfo.email));
+					}
+					StorageService()->ActionLinksDB().SentAction(i.id);
+				} break;
+
+				default: {
+					StorageService()->ActionLinksDB().SentAction(i.id);
+				}
+				}
+			}
+		}
+	}
+
+} // namespace OpenWifi

src/ActionLinkManager.h

@@ -0,0 +1,30 @@
+//
+// Created by stephane bourque on 2021-11-08.
+//
+
+#pragma once
+
+#include "framework/SubSystemServer.h"
+
+namespace OpenWifi {
+
+	class ActionLinkManager : public SubSystemServer, Poco::Runnable {
+	  public:
+		static ActionLinkManager *instance() {
+			static auto instance_ = new ActionLinkManager;
+			return instance_;
+		}
+
+		int Start() final;
+		void Stop() final;
+		void run() final;
+
+	  private:
+		Poco::Thread Thr_;
+		std::atomic_bool Running_ = false;
+
+		ActionLinkManager() noexcept
+			: SubSystemServer("ActionLinkManager", "ACTION-SVR", "action.server") {}
+	};
+	inline ActionLinkManager *ActionLinkManager() { return ActionLinkManager::instance(); }
+} // namespace OpenWifi

src/AuthClient.cpp

@@ -1,88 +0,0 @@
-//
-// Created by stephane bourque on 2021-06-30.
-//
-#include <utility>
-
-#include "AuthClient.h"
-#include "RESTAPI_SecurityObjects.h"
-#include "Daemon.h"
-#include "OpenAPIRequest.h"
-
-namespace OpenWifi {
-	class AuthClient * AuthClient::instance_ = nullptr;
-
-	int AuthClient::Start() {
-		return 0;
-	}
-
-	void AuthClient::Stop() {
-
-	}
-
-	void AuthClient::RemovedCachedToken(const std::string &Token) {
-		SubMutexGuard G(Mutex_);
-		UserCache_.erase(Token);
-	}
-
-	bool IsTokenExpired(const SecurityObjects::WebToken &T) {
-		return ((T.expires_in_+T.created_)<std::time(nullptr));
-	}
-
-	bool AuthClient::IsAuthorized(Poco::Net::HTTPServerRequest & Request, std::string &SessionToken, SecurityObjects::UserInfoAndPolicy & UInfo ) {
-		SubMutexGuard G(Mutex_);
-
-		auto User = UserCache_.find(SessionToken);
-		if(User != UserCache_.end() && !IsTokenExpired(User->second.webtoken)) {
-			UInfo = User->second;
-			return true;
-		} else {
-			Types::StringPairVec QueryData;
-			QueryData.push_back(std::make_pair("token",SessionToken));
-			OpenAPIRequestGet	Req(    uSERVICE_SECURITY,
-								  	"/api/v1/validateToken",
-									 QueryData,
-								  5000);
-			Poco::JSON::Object::Ptr Response;
-			if(Req.Do(Response)==Poco::Net::HTTPResponse::HTTP_OK) {
-				if(Response->has("tokenInfo") && Response->has("userInfo")) {
-					SecurityObjects::UserInfoAndPolicy	P;
-					P.from_json(Response);
-					UserCache_[SessionToken] = P;
-					UInfo = P;
-				}
-				return true;
-			}
-
-		}
-		return false;
-	}
-
-	bool AuthClient::IsTokenAuthorized(const std::string &SessionToken, SecurityObjects::UserInfoAndPolicy & UInfo) {
-		SubMutexGuard G(Mutex_);
-
-		auto User = UserCache_.find(SessionToken);
-		if(User != UserCache_.end() && !IsTokenExpired(User->second.webtoken)) {
-			UInfo = User->second;
-			return true;
-		} else {
-			Types::StringPairVec QueryData;
-			QueryData.push_back(std::make_pair("token",SessionToken));
-			OpenAPIRequestGet	Req(uSERVICE_SECURITY,
-									 "/api/v1/validateToken",
-									 QueryData,
-									 5000);
-			Poco::JSON::Object::Ptr Response;
-			if(Req.Do(Response)==Poco::Net::HTTPResponse::HTTP_OK) {
-				if(Response->has("tokenInfo") && Response->has("userInfo")) {
-					SecurityObjects::UserInfoAndPolicy	P;
-					P.from_json(Response);
-					UserCache_[SessionToken] = P;
-					UInfo = P;
-				}
-				return true;
-			}
-
-		}
-		return false;
-	}
-}

src/AuthClient.h

@@ -1,45 +0,0 @@
-//
-// Created by stephane bourque on 2021-06-30.
-//
-
-#ifndef UCENTRALGW_AUTHCLIENT_H
-#define UCENTRALGW_AUTHCLIENT_H
-
-#include "Poco/JSON/Object.h"
-#include "Poco/Net/HTTPServerRequest.h"
-#include "Poco/Net/HTTPServerResponse.h"
-#include "Poco/JWT/Signer.h"
-#include "Poco/SHA2Engine.h"
-#include "RESTAPI_SecurityObjects.h"
-#include "SubSystemServer.h"
-
-namespace OpenWifi {
-
-class AuthClient : public SubSystemServer {
-	  public:
-		explicit AuthClient() noexcept:
-			SubSystemServer("Authentication", "AUTH-CLNT", "authentication")
-		{
-		}
-
-		static AuthClient *instance() {
-			if (instance_ == nullptr) {
-				instance_ = new AuthClient;
-			}
-			return instance_;
-		}
-
-		int Start() override;
-		void Stop() override;
-		bool IsAuthorized(Poco::Net::HTTPServerRequest & Request, std::string &SessionToken, OpenWifi::SecurityObjects::UserInfoAndPolicy & UInfo );
-		void RemovedCachedToken(const std::string &Token);
-		bool IsTokenAuthorized(const std::string &Token, SecurityObjects::UserInfoAndPolicy & UInfo);
-	  private:
-		static AuthClient 					*instance_;
-		OpenWifi::SecurityObjects::UserInfoCache 		UserCache_;
-	};
-
-	inline AuthClient * AuthClient() { return AuthClient::instance(); }
-}
-
-#endif // UCENTRALGW_AUTHCLIENT_H

src/AuthService.h

@@ -6,104 +6,229 @@
 //	Arilia Wireless Inc.
 //
 
-#ifndef UCENTRAL_UAUTHSERVICE_H
-#define UCENTRAL_UAUTHSERVICE_H
+#pragma once
 
 #include <regex>
 
-#include "SubSystemServer.h"
-
+#include "Poco/Crypto/DigestEngine.h"
+#include "Poco/ExpireLRUCache.h"
+#include "Poco/HMACEngine.h"
 #include "Poco/JSON/Object.h"
+#include "Poco/JWT/Signer.h"
 #include "Poco/Net/HTTPServerRequest.h"
 #include "Poco/Net/HTTPServerResponse.h"
-#include "Poco/JWT/Signer.h"
 #include "Poco/SHA2Engine.h"
+#include "framework/SubSystemServer.h"
 
-#include "RESTAPI_SecurityObjects.h"
+#include "framework/MicroServiceFuncs.h"
+#include "framework/ow_constants.h"
 
-namespace OpenWifi{
+#include "MessagingTemplates.h"
+#include "RESTObjects/RESTAPI_SecurityObjects.h"
 
-    static const std::string AUTHENTICATION_SYSTEM{"SYSTEM"};
+namespace OpenWifi {
 
-    class AuthService : public SubSystemServer {
-    public:
+	static const std::string AUTHENTICATION_SYSTEM{"SYSTEM"};
 
-        enum ACCESS_TYPE {
-            USERNAME,
-            SERVER,
-            CUSTOM
-        };
+	class AuthService : public SubSystemServer {
+	  public:
+		enum ACCESS_TYPE { USERNAME, SERVER, CUSTOM };
 
-        enum AUTH_ERROR {
-            SUCCESS,
-            PASSWORD_CHANGE_REQUIRED,
-            INVALID_CREDENTIALS,
-            PASSWORD_ALREADY_USED,
-            USERNAME_PENDING_VERIFICATION,
-            PASSWORD_INVALID,
-            INTERNAL_ERROR
-        };
+		static ACCESS_TYPE IntToAccessType(int C);
+		static int AccessTypeToInt(ACCESS_TYPE T);
 
-        enum EMAIL_REASON {
-            FORGOT_PASSWORD,
-            EMAIL_VERIFICATION
-        };
+		static auto instance() {
+			static auto instance_ = new AuthService;
+			return instance_;
+		}
 
-        static ACCESS_TYPE IntToAccessType(int C);
-        static int AccessTypeToInt(ACCESS_TYPE T);
+		int Start() override;
+		void Stop() override;
 
-        static AuthService *instance() {
-            if (instance_ == nullptr) {
-                instance_ = new AuthService;
-            }
-            return instance_;
-        }
+		[[nodiscard]] bool IsAuthorized(Poco::Net::HTTPServerRequest &Request,
+										std::string &SessionToken,
+										SecurityObjects::UserInfoAndPolicy &UInfo,
+										std::uint64_t TID, bool &Expired);
+		[[nodiscard]] bool IsAuthorized(const std::string &SessionToken,
+										SecurityObjects::UserInfoAndPolicy &UInfo,
+										std::uint64_t TID, bool &Expired);
 
-        int Start() override;
-        void Stop() override;
+		[[nodiscard]] UNAUTHORIZED_REASON Authorize(std::string &UserName,
+													const std::string &Password,
+													const std::string &NewPassword,
+													SecurityObjects::UserInfoAndPolicy &UInfo,
+													bool &Expired);
+		void CreateToken(const std::string &UserName, SecurityObjects::UserInfoAndPolicy &UInfo);
+		[[nodiscard]] bool SetPassword(const std::string &Password,
+									   SecurityObjects::UserInfo &UInfo);
+		[[nodiscard]] const std::string &PasswordValidationExpression() const {
+			return PasswordValidationStr_;
+		};
+		void Logout(const std::string &token, bool EraseFromCache = true);
 
-        [[nodiscard]] bool IsAuthorized(Poco::Net::HTTPServerRequest & Request,std::string &SessionToken, SecurityObjects::UserInfoAndPolicy & UInfo );
-        [[nodiscard]] AUTH_ERROR Authorize( std::string & UserName, const std::string & Password, const std::string & NewPassword, SecurityObjects::UserInfoAndPolicy & UInfo );
-        void CreateToken(const std::string & UserName, SecurityObjects::UserInfoAndPolicy &UInfo);
-        [[nodiscard]] bool ValidateToken(const std::string & Token, std::string & SessionToken, SecurityObjects::UserInfoAndPolicy & UserInfo  );
-        [[nodiscard]] bool SetPassword(const std::string &Password, SecurityObjects::UserInfo & UInfo);
-        [[nodiscard]] const std:: string & PasswordValidationExpression() const { return PasswordValidationStr_;};
-        void Logout(const std::string &token);
+		[[nodiscard]] bool IsSubAuthorized(Poco::Net::HTTPServerRequest &Request,
+										   std::string &SessionToken,
+										   SecurityObjects::UserInfoAndPolicy &UInfo,
+										   std::uint64_t TID, bool &Expired);
+		[[nodiscard]] UNAUTHORIZED_REASON AuthorizeSub(std::string &UserName,
+													   const std::string &Password,
+													   const std::string &NewPassword,
+													   SecurityObjects::UserInfoAndPolicy &UInfo,
+													   bool &Expired);
 
-        bool ValidatePassword(const std::string &pwd);
+		void CreateSubToken(const std::string &UserName, SecurityObjects::UserInfoAndPolicy &UInfo);
+		[[nodiscard]] bool SetSubPassword(const std::string &Password,
+										  SecurityObjects::UserInfo &UInfo);
+		[[nodiscard]] const std::string &SubPasswordValidationExpression() const {
+			return PasswordValidationStr_;
+		};
+		void SubLogout(const std::string &token, bool EraseFromCache = true);
 
-        [[nodiscard]] bool IsValidToken(const std::string &Token, SecurityObjects::WebToken &WebToken, SecurityObjects::UserInfo &UserInfo);
-        [[nodiscard]] bool IsValidAPIKEY(const Poco::Net::HTTPServerRequest &Request);
-        [[nodiscard]] std::string GenerateToken(const std::string & UserName, ACCESS_TYPE Type);
-        [[nodiscard]] bool ValidateToken(const std::string & Token, std::string & SessionToken, SecurityObjects::WebToken & UserInfo  );
-        [[nodiscard]] std::string ComputePasswordHash(const std::string &UserName, const std::string &Password);
-        [[nodiscard]] bool UpdatePassword(const std::string &Admin, const std::string &UserName, const std::string & OldPassword, const std::string &NewPassword);
-        [[nodiscard]] std::string ResetPassword(const std::string &Admin, const std::string &UserName);
+		void RemoveTokenSystemWide(const std::string &token);
 
-        [[nodiscard]] static bool VerifyEmail(SecurityObjects::UserInfo &UInfo);
-        [[nodiscard]] static bool SendEmailToUser(std::string &Email, EMAIL_REASON Reason);
+		bool ValidatePassword(const std::string &pwd);
+		bool ValidateSubPassword(const std::string &pwd);
 
-    private:
-		static AuthService *instance_;
-		bool    			Secure_ = false ;
-		std::string     	DefaultUserName_;
-		std::string			DefaultPassword_;
-		std::string     	Mechanism_;
-		Poco::JWT::Signer	Signer_;
-		Poco::SHA2Engine	SHA2_;
-		SecurityObjects::UserInfoCache UserCache_;
-        std::string          PasswordValidationStr_;
-		std::regex          PasswordValidation_;
-		uint64_t            TokenAging_ = 30 * 24 * 60 * 60;
-        uint64_t            HowManyOldPassword_=5;
-        AuthService() noexcept:
-            SubSystemServer("Authentication", "AUTH-SVR", "authentication")
-        {
-        }
-    };
+		[[nodiscard]] bool IsValidToken(const std::string &Token,
+										SecurityObjects::WebToken &WebToken,
+										SecurityObjects::UserInfo &UserInfo, bool &Expired);
+		[[nodiscard]] bool IsValidSubToken(const std::string &Token,
+										   SecurityObjects::WebToken &WebToken,
+										   SecurityObjects::UserInfo &UserInfo, bool &Expired);
+		[[nodiscard]] std::string GenerateTokenJWT(const std::string &UserName, ACCESS_TYPE Type);
+		[[nodiscard]] std::string GenerateTokenHMAC(const std::string &UserName, ACCESS_TYPE Type);
 
-    inline AuthService * AuthService() { return AuthService::instance(); }
+		[[nodiscard]] bool IsValidApiKey(const std::string &ApiKey,
+										 SecurityObjects::WebToken &WebToken,
+										 SecurityObjects::UserInfo &UserInfo, bool &Expired,
+										 std::uint64_t &expiresOn, bool &Suspended);
+		[[nodiscard]] std::string ComputeNewPasswordHash(const std::string &UserName,
+														 const std::string &Password);
+		[[nodiscard]] bool ValidatePasswordHash(const std::string &UserName,
+												const std::string &Password,
+												const std::string &StoredPassword);
+		[[nodiscard]] bool ValidateSubPasswordHash(const std::string &UserName,
+												   const std::string &Password,
+												   const std::string &StoredPassword);
 
-} // end of namespace
+		[[nodiscard]] bool UpdatePassword(const std::string &Admin, const std::string &UserName,
+										  const std::string &OldPassword,
+										  const std::string &NewPassword);
+		[[nodiscard]] std::string ResetPassword(const std::string &Admin,
+												const std::string &UserName);
 
-#endif //UCENTRAL_UAUTHSERVICE_H
+		[[nodiscard]] bool UpdateSubPassword(const std::string &Admin, const std::string &UserName,
+											 const std::string &OldPassword,
+											 const std::string &NewPassword);
+		[[nodiscard]] std::string ResetSubPassword(const std::string &Admin,
+												   const std::string &UserName);
+
+		[[nodiscard]] static bool VerifyEmail(SecurityObjects::UserInfo &UInfo);
+		[[nodiscard]] static bool VerifySubEmail(SecurityObjects::UserInfo &UInfo);
+
+		[[nodiscard]] bool SendEmailToUser(const std::string &LinkId, std::string &Email,
+										   MessagingTemplates::EMAIL_REASON Reason);
+		[[nodiscard]] bool SendEmailToSubUser(const std::string &LinkId, std::string &Email,
+											  MessagingTemplates::EMAIL_REASON Reason,
+											  const std::string &OperatorName);
+		[[nodiscard]] bool RequiresMFA(const SecurityObjects::UserInfoAndPolicy &UInfo);
+
+		[[nodiscard]] bool SendEmailChallengeCode(const SecurityObjects::UserInfoAndPolicy &UInfo,
+												  const std::string &code);
+
+		bool DeleteUserFromCache(const std::string &UserName);
+		bool DeleteSubUserFromCache(const std::string &UserName);
+		void RevokeToken(std::string &Token);
+		void RevokeSubToken(std::string &Token);
+
+		[[nodiscard]] static inline const std::string GetLogoAssetURI() {
+			return MicroServicePublicEndPoint() + "/wwwassets/logo.png";
+		}
+
+		[[nodiscard]] static inline const std::string GetLogoAssetFileName() {
+			return MicroServiceWWWAssetsDir() + "/logo.png";
+		}
+
+		[[nodiscard]] static inline const std::string GetSubLogoAssetURI() {
+			return MicroServicePublicEndPoint() + "/wwwassets/sub_logo.png";
+		}
+
+		[[nodiscard]] static inline const std::string GetSubLogoAssetFileName() {
+			return MicroServiceWWWAssetsDir() + "/sub_logo.png";
+		}
+
+		inline const std::string &GetPasswordPolicy() const { return PasswordPolicy_; }
+		inline const std::string &GetAccessPolicy() const { return AccessPolicy_; }
+
+		inline const std::string &GetSubPasswordPolicy() const { return SubPasswordPolicy_; }
+		inline const std::string &GetSubAccessPolicy() const { return SubAccessPolicy_; }
+
+		bool RefreshUserToken(Poco::Net::HTTPServerRequest &Request,
+							  const std::string &RefreshToken,
+							  SecurityObjects::UserInfoAndPolicy &UI);
+		bool RefreshSubToken(Poco::Net::HTTPServerRequest &Request, const std::string &RefreshToken,
+							 SecurityObjects::UserInfoAndPolicy &UI);
+
+		[[nodiscard]] inline auto HelperEmail() const { return HelperEmail_; };
+		[[nodiscard]] inline auto SubHelperEmail() const { return SubHelperEmail_; };
+		[[nodiscard]] inline auto GlobalHelperEmail() const { return GlobalHelperEmail_; };
+		[[nodiscard]] inline auto GlobalSubHelperEmail() const { return GlobalSubHelperEmail_; };
+		[[nodiscard]] inline auto HelperSite() const { return HelperSite_; };
+		[[nodiscard]] inline auto SubHelperSite() const { return SubHelperSite_; };
+		[[nodiscard]] inline auto SystemLoginSite() const { return SystemLoginSite_; };
+		[[nodiscard]] inline auto SubSystemLoginSite() const { return SubSystemLoginSite_; };
+		[[nodiscard]] inline auto UserSignature() const { return UserSignature_; };
+		[[nodiscard]] inline auto SubSignature() const { return SubSignature_; };
+
+	  private:
+		Poco::SHA2Engine SHA2_;
+
+		std::string AccessPolicy_;
+		std::string PasswordPolicy_;
+		std::string SubAccessPolicy_;
+		std::string SubPasswordPolicy_;
+		std::string PasswordValidationStr_;
+		std::string SubPasswordValidationStr_;
+		std::regex PasswordValidation_;
+		std::regex SubPasswordValidation_;
+
+		uint64_t TokenAging_ = 15 * 24 * 60 * 60;
+		uint64_t HowManyOldPassword_ = 5;
+		uint64_t RefreshTokenLifeSpan_ = 90 * 24 * 60 * 60;
+
+		std::string HelperEmail_;
+		std::string SubHelperEmail_;
+		std::string GlobalHelperEmail_;
+		std::string GlobalSubHelperEmail_;
+		std::string HelperSite_;
+		std::string SubHelperSite_;
+		std::string SystemLoginSite_;
+		std::string SubSystemLoginSite_;
+		std::string UserSignature_;
+		std::string SubSignature_;
+
+		class SHA256Engine : public Poco::Crypto::DigestEngine {
+		  public:
+			enum { BLOCK_SIZE = 64, DIGEST_SIZE = 32 };
+
+			SHA256Engine() : DigestEngine("SHA256") {}
+		};
+
+		Poco::HMACEngine<SHA256Engine> HMAC_{"tipopenwifi"};
+
+		AuthService() noexcept : SubSystemServer("Authentication", "AUTH-SVR", "authentication") {}
+	};
+
+	inline auto AuthService() { return AuthService::instance(); }
+
+	[[nodiscard]] inline bool AuthServiceIsAuthorized(Poco::Net::HTTPServerRequest &Request,
+													  std::string &SessionToken,
+													  SecurityObjects::UserInfoAndPolicy &UInfo,
+													  std::uint64_t TID, bool &Expired, bool Sub) {
+		if (Sub)
+			return AuthService()->IsSubAuthorized(Request, SessionToken, UInfo, TID, Expired);
+		else
+			return AuthService()->IsAuthorized(Request, SessionToken, UInfo, TID, Expired);
+	}
+
+} // namespace OpenWifi

src/Daemon.cpp

@@ -10,62 +10,70 @@
 //	Arilia Wireless Inc.
 //
 
-#include <cstdlib>
-#include <boost/algorithm/string.hpp>
-
+#include "Poco/Environment.h"
 #include "Poco/Util/Application.h"
 #include "Poco/Util/Option.h"
-#include "Poco/Environment.h"
 
 #include "Daemon.h"
 
-#include "ALBHealthCheckServer.h"
-#include "KafkaManager.h"
-#include "StorageService.h"
-#include "RESTAPI_server.h"
-#include "SMTPMailerService.h"
-#include "RESTAPI_InternalServer.h"
+#include <aws/core/Aws.h>
+#include <aws/s3/model/AccessControlPolicy.h>
+
+#include "ActionLinkManager.h"
 #include "AuthService.h"
+#include "SMSSender.h"
+#include "SMTPMailerService.h"
+#include "StorageService.h"
+#include "TotpCache.h"
+#include "framework/RESTAPI_RateLimiter.h"
+#include "framework/UI_WebSocketClientServer.h"
+#include <SecretStore.h>
 
 namespace OpenWifi {
-    class Daemon *Daemon::instance_ = nullptr;
+	class Daemon *Daemon::instance_ = nullptr;
 
-    class Daemon *Daemon::instance() {
-        if (instance_ == nullptr) {
-            instance_ = new Daemon(vDAEMON_PROPERTIES_FILENAME,
-                                   vDAEMON_ROOT_ENV_VAR,
-                                   vDAEMON_CONFIG_ENV_VAR,
-                                   vDAEMON_APP_NAME,
-                                   vDAEMON_BUS_TIMER,
-                                   Types::SubSystemVec{
-                                           Storage(),
-                                           RESTAPI_Server(),
-                                           RESTAPI_InternalServer(),
-                                           SMTPMailerService(),
-                                           AuthService()
-                                   });
-        }
-        return instance_;
-    }
+	class Daemon *Daemon::instance() {
+		if (instance_ == nullptr) {
+			instance_ =
+				new Daemon(vDAEMON_PROPERTIES_FILENAME, vDAEMON_ROOT_ENV_VAR,
+						   vDAEMON_CONFIG_ENV_VAR, vDAEMON_APP_NAME, vDAEMON_BUS_TIMER,
+						   SubSystemVec{StorageService(), SMSSender(), AuthService(), ActionLinkManager(),
+										SMTPMailerService(), RESTAPI_RateLimiter(), TotpCache(),
+										UI_WebSocketClientServer(), SecretStore()});
+		}
+		return instance_;
+	}
 
-    void Daemon::initialize(Poco::Util::Application &self) {
-        MicroService::initialize(*this);
-    }
-}
+	void Daemon::PostInitialization([[maybe_unused]] Poco::Util::Application &self) {
+		AssetDir_ = MicroService::instance().ConfigPath("openwifi.restapi.wwwassets");
+	}
+
+	void DaemonPostInitialization(Poco::Util::Application &self) {
+		Daemon()->PostInitialization(self);
+	}
+} // namespace OpenWifi
 
 int main(int argc, char **argv) {
-    try {
-        auto App = OpenWifi::Daemon::instance();
-        auto ExitCode =  App->run(argc, argv);
-        delete App;
+	try {
+		SSL_library_init();
+		Aws::SDKOptions AwsOptions;
+		AwsOptions.memoryManagementOptions.memoryManager = nullptr;
+		AwsOptions.cryptoOptions.initAndCleanupOpenSSL = false;
+		AwsOptions.httpOptions.initAndCleanupCurl = true;
 
-        return ExitCode;
+		Aws::InitAPI(AwsOptions);
 
-    } catch (Poco::Exception &exc) {
-        std::cerr << exc.displayText() << std::endl;
-        return Poco::Util::Application::EXIT_SOFTWARE;
-    }
+		int ExitCode = 0;
+		{
+			auto App = OpenWifi::Daemon::instance();
+			ExitCode = App->run(argc, argv);
+		}
+		ShutdownAPI(AwsOptions);
+		return ExitCode;
+	} catch (Poco::Exception &exc) {
+		std::cout << exc.displayText() << std::endl;
+		return Poco::Util::Application::EXIT_SOFTWARE;
+	}
 }
 
-
 // end of namespace

src/Daemon.h

@@ -2,53 +2,50 @@
 // Created by stephane bourque on 2021-06-10.
 //
 
-#ifndef UCENTRALSEC_DAEMON_H
-#define UCENTRALSEC_DAEMON_H
+#pragma once
 
-#include <iostream>
 #include <cstdlib>
-#include <vector>
+#include <iostream>
 #include <set>
+#include <vector>
 
+#include "framework/MicroService.h"
+#include "framework/MicroServiceNames.h"
+
+#include "Poco/Crypto/Cipher.h"
+#include "Poco/Crypto/CipherFactory.h"
+#include "Poco/Crypto/RSAKey.h"
+#include "Poco/ErrorHandler.h"
+#include "Poco/UUIDGenerator.h"
 #include "Poco/Util/Application.h"
-#include "Poco/Util/ServerApplication.h"
 #include "Poco/Util/Option.h"
 #include "Poco/Util/OptionSet.h"
-#include "Poco/UUIDGenerator.h"
-#include "Poco/ErrorHandler.h"
-#include "Poco/Crypto/RSAKey.h"
-#include "Poco/Crypto/CipherFactory.h"
-#include "Poco/Crypto/Cipher.h"
-
-
-#include "OpenWifiTypes.h"
-#include "MicroService.h"
+#include "Poco/Util/ServerApplication.h"
 
 namespace OpenWifi {
 
-    static const char * vDAEMON_PROPERTIES_FILENAME = "ucentralsec.properties";
-    static const char * vDAEMON_ROOT_ENV_VAR = "UCENTRALSEC_ROOT";
-    static const char * vDAEMON_CONFIG_ENV_VAR = "UCENTRALSEC_CONFIG";
-    static const char * vDAEMON_APP_NAME = uSERVICE_SECURITY.c_str();
-    static const uint64_t vDAEMON_BUS_TIMER = 5000;
+	[[maybe_unused]] static const char *vDAEMON_PROPERTIES_FILENAME = "owsec.properties";
+	[[maybe_unused]] static const char *vDAEMON_ROOT_ENV_VAR = "OWSEC_ROOT";
+	[[maybe_unused]] static const char *vDAEMON_CONFIG_ENV_VAR = "OWSEC_CONFIG";
+	[[maybe_unused]] static const char *vDAEMON_APP_NAME = uSERVICE_SECURITY.c_str();
+	[[maybe_unused]] static const uint64_t vDAEMON_BUS_TIMER = 5000;
 
-    class Daemon : public MicroService {
-    public:
-        explicit Daemon(std::string PropFile,
-                        std::string RootEnv,
-                        std::string ConfigEnv,
-                        std::string AppName,
-                        uint64_t BusTimer,
-                        Types::SubSystemVec SubSystems) :
-                MicroService( PropFile, RootEnv, ConfigEnv, AppName, BusTimer, SubSystems) {};
+	class Daemon : public MicroService {
+	  public:
+		explicit Daemon(const std::string &PropFile, const std::string &RootEnv,
+						const std::string &ConfigEnv, const std::string &AppName, uint64_t BusTimer,
+						const SubSystemVec &SubSystems)
+			: MicroService(PropFile, RootEnv, ConfigEnv, AppName, BusTimer, SubSystems){};
 
-        void initialize(Poco::Util::Application &self);
-        static Daemon *instance();
-    private:
-        static Daemon 				*instance_;
-    };
+		void PostInitialization(Poco::Util::Application &self);
+		static Daemon *instance();
+		inline const std::string &AssetDir() { return AssetDir_; }
 
-    inline Daemon * Daemon() { return Daemon::instance(); }
-}
+	  private:
+		static Daemon *instance_;
+		std::string AssetDir_;
+	};
 
-#endif //UCENTRALSEC_DAEMON_H
+	inline Daemon *Daemon() { return Daemon::instance(); }
+	void DaemonPostInitialization(Poco::Util::Application &self);
+} // namespace OpenWifi

src/KafkaManager.cpp

@@ -1,221 +0,0 @@
-//
-//	License type: BSD 3-Clause License
-//	License copy: https://github.com/Telecominfraproject/wlan-cloud-ucentralgw/blob/master/LICENSE
-//
-//	Created by Stephane Bourque on 2021-03-04.
-//	Arilia Wireless Inc.
-//
-#include <thread>
-
-#include "KafkaManager.h"
-
-#include "Daemon.h"
-#include "Utils.h"
-
-namespace OpenWifi {
-
-	class KafkaManager *KafkaManager::instance_ = nullptr;
-
-	KafkaManager::KafkaManager() noexcept:
-		SubSystemServer("KafkaManager", "KAFKA-SVR", "ucentral.kafka")
-	{
-	}
-
-	void KafkaManager::initialize(Poco::Util::Application & self) {
-		SubSystemServer::initialize(self);
-		KafkaEnabled_ = Daemon()->ConfigGetBool("ucentral.kafka.enable",false);
-	}
-
-#ifdef SMALL_BUILD
-
-	int KafkaManager::Start() {
-		return 0;
-	}
-	void KafkaManager::Stop() {
-	}
-
-#else
-
-	int KafkaManager::Start() {
-		if(!KafkaEnabled_)
-			return 0;
-		ProducerThr_ = std::make_unique<std::thread>([this]() { this->ProducerThr(); });
-		ConsumerThr_ = std::make_unique<std::thread>([this]() { this->ConsumerThr(); });
-		return 0;
-	}
-
-	void KafkaManager::Stop() {
-		if(KafkaEnabled_) {
-			ProducerRunning_ = ConsumerRunning_ = false;
-			ProducerThr_->join();
-			ConsumerThr_->join();
-			return;
-		}
-	}
-
-	void KafkaManager::ProducerThr() {
-		cppkafka::Configuration Config({
-										   { "client.id", Daemon()->ConfigGetString("ucentral.kafka.client.id") },
-										   { "metadata.broker.list", Daemon()->ConfigGetString("ucentral.kafka.brokerlist") }
-									   });
-		SystemInfoWrapper_ = 	R"lit({ "system" : { "id" : )lit" +
-								  	std::to_string(Daemon()->ID()) +
-									R"lit( , "host" : ")lit" + Daemon()->PrivateEndPoint() +
-									R"lit(" } , "payload" : )lit" ;
-		cppkafka::Producer	Producer(Config);
-		ProducerRunning_ = true;
-		while(ProducerRunning_) {
-			std::this_thread::sleep_for(std::chrono::milliseconds(200));
-			try
-			{
-				SubMutexGuard G(ProducerMutex_);
-				auto Num=0;
-				while (!Queue_.empty()) {
-					const auto M = Queue_.front();
-					Producer.produce(
-						cppkafka::MessageBuilder(M.Topic).key(M.Key).payload(M.PayLoad));
-					Queue_.pop();
-					Num++;
-				}
-				if(Num)
-					Producer.flush();
-			} catch (const cppkafka::HandleException &E ) {
-				Logger_.warning(Poco::format("Caught a Kafka exception (producer): %s",std::string{E.what()}));
-			} catch (const Poco::Exception &E) {
-				Logger_.log(E);
-			}
-		}
-	}
-
-	void KafkaManager::PartitionAssignment(const cppkafka::TopicPartitionList& partitions) {
-		Logger_.information(Poco::format("Partition assigned: %Lu...",(uint64_t )partitions.front().get_partition()));
-	}
-	void KafkaManager::PartitionRevocation(const cppkafka::TopicPartitionList& partitions) {
-		Logger_.information(Poco::format("Partition revocation: %Lu...",(uint64_t )partitions.front().get_partition()));
-	}
-
-	void KafkaManager::ConsumerThr() {
-		cppkafka::Configuration Config({
-										   { "client.id", Daemon()->ConfigGetString("ucentral.kafka.client.id") },
-										   { "metadata.broker.list", Daemon()->ConfigGetString("ucentral.kafka.brokerlist") },
-										   { "group.id", Daemon()->ConfigGetString("ucentral.kafka.group.id") },
-										   { "enable.auto.commit", Daemon()->ConfigGetBool("ucentral.kafka.auto.commit",false) },
-										   { "auto.offset.reset", "latest" } ,
-										   { "enable.partition.eof", false }
-									   });
-
-		cppkafka::TopicConfiguration topic_config = {
-			{ "auto.offset.reset", "smallest" }
-		};
-
-		// Now configure it to be the default topic config
-		Config.set_default_topic_configuration(topic_config);
-
-		cppkafka::Consumer Consumer(Config);
-		Consumer.set_assignment_callback([this](cppkafka::TopicPartitionList& partitions) {
-			if(!partitions.empty()) {
-				Logger_.information(Poco::format("Partition assigned: %Lu...",
-												 (uint64_t)partitions.front().get_partition()));
-			}
-		});
-		Consumer.set_revocation_callback([this](const cppkafka::TopicPartitionList& partitions) {
-			if(!partitions.empty()) {
-				Logger_.information(Poco::format("Partition revocation: %Lu...",
-												 (uint64_t)partitions.front().get_partition()));
-			}
-		});
-
-        bool AutoCommit = Daemon()->ConfigGetBool("ucentral.kafka.auto.commit",false);
-        auto BatchSize = Daemon()->ConfigGetInt("ucentral.kafka.consumer.batchsize",20);
-
-        Types::StringVec    Topics;
-		for(const auto &i:Notifiers_)
-			Topics.push_back(i.first);
-
-		Consumer.subscribe(Topics);
-
-		ConsumerRunning_ = true;
-		while(ConsumerRunning_) {
-			try {
-				std::vector<cppkafka::Message> MsgVec = Consumer.poll_batch(BatchSize, std::chrono::milliseconds(200));
-				for(auto const &Msg:MsgVec) {
-                    if (!Msg)
-                        continue;
-                    if (Msg.get_error()) {
-                        if (!Msg.is_eof()) {
-                            Logger_.error(Poco::format("Error: %s", Msg.get_error().to_string()));
-                        }if(!AutoCommit)
-                            Consumer.async_commit(Msg);
-                        continue;
-                    }
-                    SubMutexGuard G(ConsumerMutex_);
-                    auto It = Notifiers_.find(Msg.get_topic());
-                    if (It != Notifiers_.end()) {
-                        Types::TopicNotifyFunctionList &FL = It->second;
-                        std::string Key{Msg.get_key()};
-                        std::string Payload{Msg.get_payload()};
-                        for (auto &F : FL) {
-                            std::thread T(F.first, Key, Payload);
-                            T.detach();
-                        }
-                    }
-                    if (!AutoCommit)
-                        Consumer.async_commit(Msg);
-                }
-			} catch (const cppkafka::HandleException &E) {
-				Logger_.warning(Poco::format("Caught a Kafka exception (consumer): %s",std::string{E.what()}));
-			} catch (const Poco::Exception &E) {
-				Logger_.log(E);
-			}
-		}
-	}
-
-	std::string KafkaManager::WrapSystemId(const std::string & PayLoad) {
-		return std::move( SystemInfoWrapper_ + PayLoad + "}");
-	}
-
-	void KafkaManager::PostMessage(std::string topic, std::string key, std::string PayLoad, bool WrapMessage ) {
-		if(KafkaEnabled_) {
-			SubMutexGuard G(Mutex_);
-			KMessage M{
-				.Topic = topic,
-				.Key = key,
-				.PayLoad = WrapMessage ? WrapSystemId(PayLoad) : PayLoad };
-			Queue_.push(M);
-		}
-	}
-
-	int KafkaManager::RegisterTopicWatcher(const std::string &Topic, Types::TopicNotifyFunction &F) {
-		if(KafkaEnabled_) {
-			SubMutexGuard G(Mutex_);
-			auto It = Notifiers_.find(Topic);
-			if(It == Notifiers_.end()) {
-				Types::TopicNotifyFunctionList L;
-				L.emplace(L.end(),std::make_pair(F,FunctionId_));
-				Notifiers_[Topic] = std::move(L);
-			} else {
-				It->second.emplace(It->second.end(),std::make_pair(F,FunctionId_));
-			}
-			return FunctionId_++;
-		} else {
-			return 0;
-		}
-	}
-
-	void KafkaManager::UnregisterTopicWatcher(const std::string &Topic, int Id) {
-		if(KafkaEnabled_) {
-			SubMutexGuard G(Mutex_);
-			auto It = Notifiers_.find(Topic);
-			if(It != Notifiers_.end()) {
-				Types::TopicNotifyFunctionList & L = It->second;
-				for(auto it=L.begin(); it!=L.end(); it++)
-					if(it->second == Id) {
-						L.erase(it);
-						break;
-					}
-			}
-		}
-	}
-
-#endif
-} // namespace

src/KafkaManager.h

@@ -1,74 +0,0 @@
-//
-//	License type: BSD 3-Clause License
-//	License copy: https://github.com/Telecominfraproject/wlan-cloud-ucentralgw/blob/master/LICENSE
-//
-//	Created by Stephane Bourque on 2021-03-04.
-//	Arilia Wireless Inc.
-//
-
-#ifndef UCENTRALGW_KAFKAMANAGER_H
-#define UCENTRALGW_KAFKAMANAGER_H
-
-#include <queue>
-#include <thread>
-
-#include "SubSystemServer.h"
-#include "OpenWifiTypes.h"
-
-#include "cppkafka/cppkafka.h"
-
-namespace OpenWifi {
-
-	class KafkaManager : public SubSystemServer {
-	  public:
-
-		struct KMessage {
-					std::string Topic,
-								Key,
-								PayLoad;
-		};
-
-		void initialize(Poco::Util::Application & self) override;
-		static KafkaManager *instance() {
-			if(instance_== nullptr)
-				instance_ = new KafkaManager;
-			return instance_;
-		}
-
-		void ProducerThr();
-		void ConsumerThr();
-
-		int Start() override;
-		void Stop() override;
-
-		void PostMessage(std::string topic, std::string key, std::string payload, bool WrapMessage = true);
-		[[nodiscard]] std::string WrapSystemId(const std::string & PayLoad);
-		[[nodiscard]] bool Enabled() { return KafkaEnabled_; }
-		int RegisterTopicWatcher(const std::string &Topic, Types::TopicNotifyFunction & F);
-		void UnregisterTopicWatcher(const std::string &Topic, int FunctionId);
-		void WakeUp();
-		void PartitionAssignment(const cppkafka::TopicPartitionList& partitions);
-		void PartitionRevocation(const cppkafka::TopicPartitionList& partitions);
-
-	  private:
-		static KafkaManager 			*instance_;
-		SubMutex 						ProducerMutex_;
-		SubMutex 						ConsumerMutex_;
-		bool 							KafkaEnabled_ = false;
-		std::atomic_bool 				ProducerRunning_ = false;
-		std::atomic_bool 				ConsumerRunning_ = false;
-		std::queue<KMessage>			Queue_;
-		std::string 					SystemInfoWrapper_;
-		std::unique_ptr<std::thread>	ConsumerThr_;
-		std::unique_ptr<std::thread>	ProducerThr_;
-		int                       		FunctionId_=1;
-		Types::NotifyTable        		Notifiers_;
-		std::unique_ptr<cppkafka::Configuration>    Config_;
-
-		KafkaManager() noexcept;
-	};
-
-	inline KafkaManager * KafkaManager() { return KafkaManager::instance(); }
-}	// NameSpace
-
-#endif // UCENTRALGW_KAFKAMANAGER_H

src/Kafka_topics.h

@@ -1,37 +0,0 @@
-//
-// Created by stephane bourque on 2021-06-07.
-//
-
-#ifndef UCENTRALGW_KAFKA_TOPICS_H
-#define UCENTRALGW_KAFKA_TOPICS_H
-
-namespace OpenWifi::KafkaTopics {
-	static const std::string HEALTHCHECK{"healthcheck"};
-	static const std::string STATE{"state"};
-	static const std::string CONNECTION{"connection"};
-	static const std::string WIFISCAN{"wifiscan"};
-	static const std::string ALERTS{"alerts"};
-	static const std::string COMMAND{"command"};
-	static const std::string SERVICE_EVENTS{"service_events"};
-	static const std::string DEVICE_EVENT_QUEUE{"device_event_queue"};
-
-	namespace ServiceEvents {
-		static const std::string EVENT_JOIN{"join"};
-		static const std::string EVENT_LEAVE{"leave"};
-		static const std::string EVENT_KEEP_ALIVE{"keep-alive"};
-		static const std::string EVENT_REMOVE_TOKEN{"remove-token"};
-
-		namespace Fields {
-			static const std::string EVENT{"event"};
-			static const std::string ID{"id"};
-			static const std::string TYPE{"type"};
-			static const std::string PUBLIC{"publicEndPoint"};
-			static const std::string PRIVATE{"privateEndPoint"};
-			static const std::string KEY{"key"};
-			static const std::string VRSN{"version"};
-			static const std::string TOKEN{"token"};
-		}
-	}
-}
-
-#endif // UCENTRALGW_KAFKA_TOPICS_H

src/MFAServer.cpp

@@ -0,0 +1,126 @@
+//
+// Created by stephane bourque on 2021-10-11.
+//
+
+#include "MFAServer.h"
+#include "AuthService.h"
+#include "SMSSender.h"
+#include "SMTPMailerService.h"
+#include "TotpCache.h"
+
+#include "framework/MicroServiceFuncs.h"
+#include "framework/utils.h"
+
+namespace OpenWifi {
+
+	int MFAServer::Start() { return 0; }
+
+	void MFAServer::Stop() {}
+
+	bool MFAServer::StartMFAChallenge(const SecurityObjects::UserInfoAndPolicy &UInfo,
+									  Poco::JSON::Object &ChallengeStart) {
+		std::lock_guard G(Mutex_);
+
+		CleanCache();
+
+		if (!MethodEnabled(UInfo.userinfo.userTypeProprietaryInfo.mfa.method))
+			return false;
+
+		std::string Challenge = MakeChallenge();
+		std::string uuid = MicroServiceCreateUUID();
+		uint64_t Created = Utils::Now();
+
+		ChallengeStart.set("uuid", uuid);
+		ChallengeStart.set("created", Created);
+		ChallengeStart.set("question", "mfa challenge");
+		ChallengeStart.set("method", UInfo.userinfo.userTypeProprietaryInfo.mfa.method);
+
+		Cache_[uuid] = MFACacheEntry{.UInfo = UInfo,
+									 .Answer = Challenge,
+									 .Created = Created,
+									 .Method = UInfo.userinfo.userTypeProprietaryInfo.mfa.method};
+		return SendChallenge(UInfo, UInfo.userinfo.userTypeProprietaryInfo.mfa.method, Challenge);
+	}
+
+	bool MFAServer::SendChallenge(const SecurityObjects::UserInfoAndPolicy &UInfo,
+								  const std::string &Method, const std::string &Challenge) {
+		if (Method == MFAMETHODS::SMS && SMSSender()->Enabled() &&
+			!UInfo.userinfo.userTypeProprietaryInfo.mobiles.empty()) {
+			std::string Message = "This is your login code: " + Challenge +
+								  " Please enter this in your login screen.";
+			return SMSSender()->Send(UInfo.userinfo.userTypeProprietaryInfo.mobiles[0].number,
+									 Message);
+		} else if (Method == MFAMETHODS::EMAIL && SMTPMailerService()->Enabled() &&
+				   !UInfo.userinfo.email.empty()) {
+			return AuthService()->SendEmailChallengeCode(UInfo, Challenge);
+		} else if (Method == MFAMETHODS::AUTHENTICATOR &&
+				   !UInfo.userinfo.userTypeProprietaryInfo.authenticatorSecret.empty()) {
+			return true;
+		}
+
+		return false;
+	}
+
+	bool MFAServer::ResendCode(const std::string &uuid) {
+		std::lock_guard G(Mutex_);
+		auto Hint = Cache_.find(uuid);
+		if (Hint == Cache_.end())
+			return false;
+		return SendChallenge(Hint->second.UInfo, Hint->second.Method, Hint->second.Answer);
+	}
+
+	bool MFAServer::CompleteMFAChallenge(const Poco::JSON::Object::Ptr &ChallengeResponse,
+										 SecurityObjects::UserInfoAndPolicy &UInfo) {
+		std::lock_guard G(Mutex_);
+
+		if (!ChallengeResponse->has("uuid") || !ChallengeResponse->has("answer"))
+			return false;
+
+		auto uuid = ChallengeResponse->get("uuid").toString();
+		auto Hint = Cache_.find(uuid);
+		if (Hint == end(Cache_)) {
+			return false;
+		}
+
+		auto answer = ChallengeResponse->get("answer").toString();
+		std::string Expecting;
+		if (Hint->second.Method == MFAMETHODS::AUTHENTICATOR) {
+			if (!TotpCache()->ValidateCode(
+					Hint->second.UInfo.userinfo.userTypeProprietaryInfo.authenticatorSecret, answer,
+					Expecting)) {
+				return false;
+			}
+		} else if (Hint->second.Answer != answer) {
+			return false;
+		}
+
+		UInfo = Hint->second.UInfo;
+		Cache_.erase(Hint);
+		return true;
+	}
+
+	bool MFAServer::MethodEnabled(const std::string &Method) {
+		if (Method == MFAMETHODS::SMS)
+			return SMSSender()->Enabled();
+
+		if (Method == MFAMETHODS::EMAIL)
+			return SMTPMailerService()->Enabled();
+
+		if (Method == MFAMETHODS::AUTHENTICATOR)
+			return true;
+
+		return false;
+	}
+
+	void MFAServer::CleanCache() {
+		// it is assumed that you have locked Cache_ at this point.
+		uint64_t Now = Utils::Now();
+		for (auto i = begin(Cache_); i != end(Cache_);) {
+			if ((Now - i->second.Created) > 300) {
+				i = Cache_.erase(i);
+			} else {
+				++i;
+			}
+		}
+	}
+} // namespace OpenWifi

src/MFAServer.h

@@ -0,0 +1,65 @@
+//
+// Created by stephane bourque on 2021-10-11.
+//
+
+#pragma once
+
+#include "Poco/JSON/Object.h"
+#include "RESTObjects/RESTAPI_SecurityObjects.h"
+#include "framework/MicroServiceFuncs.h"
+#include "framework/SubSystemServer.h"
+
+#include "fmt/format.h"
+
+namespace OpenWifi {
+
+	namespace MFAMETHODS {
+		inline const static std::string SMS{"sms"};
+		inline const static std::string EMAIL{"email"};
+		inline const static std::string AUTHENTICATOR{"authenticator"};
+		inline const static std::vector<std::string> Methods{SMS, EMAIL, AUTHENTICATOR};
+		inline bool Validate(const std::string &M) {
+			return std::find(cbegin(Methods), cend(Methods), M) != Methods.end();
+		}
+	} // namespace MFAMETHODS
+
+	struct MFACacheEntry {
+		SecurityObjects::UserInfoAndPolicy UInfo;
+		std::string Answer;
+		uint64_t Created;
+		std::string Method;
+	};
+
+	typedef std::map<std::string, MFACacheEntry> MFAChallengeCache;
+
+	class MFAServer : public SubSystemServer {
+	  public:
+		int Start() override;
+		void Stop() override;
+		static auto instance() {
+			static auto instance_ = new MFAServer;
+			return instance_;
+		}
+
+		bool StartMFAChallenge(const SecurityObjects::UserInfoAndPolicy &UInfo,
+							   Poco::JSON::Object &Challenge);
+		bool CompleteMFAChallenge(const Poco::JSON::Object::Ptr &ChallengeResponse,
+								  SecurityObjects::UserInfoAndPolicy &UInfo);
+		static bool MethodEnabled(const std::string &Method);
+		bool ResendCode(const std::string &uuid);
+		static bool SendChallenge(const SecurityObjects::UserInfoAndPolicy &UInfo,
+								  const std::string &Method, const std::string &Challenge);
+
+		static inline std::string MakeChallenge() {
+			return fmt::format("{0:06}", MicroServiceRandom(1, 999999));
+		}
+
+	  private:
+		MFAChallengeCache Cache_;
+		MFAServer() noexcept : SubSystemServer("MFServer", "MFA-SVR", "mfa") {}
+
+		void CleanCache();
+	};
+
+	inline auto MFAServer() { return MFAServer::instance(); }
+} // namespace OpenWifi

src/MessagingTemplates.h

@@ -0,0 +1,112 @@
+//
+// Created by stephane bourque on 2022-07-25.
+//
+
+#pragma once
+
+#include <string>
+#include <vector>
+
+namespace OpenWifi {
+
+	class MessagingTemplates {
+	  public:
+		static MessagingTemplates &instance() {
+			static auto instance = new MessagingTemplates;
+			return *instance;
+		}
+
+		enum EMAIL_REASON {
+			FORGOT_PASSWORD = 0,
+			EMAIL_VERIFICATION,
+			SUB_SIGNUP_VERIFICATION,
+			EMAIL_INVITATION,
+			VERIFICATION_CODE,
+			SUB_FORGOT_PASSWORD,
+			SUB_EMAIL_VERIFICATION,
+			SUB_VERIFICATION_CODE,
+			CERTIFICATE_TRANSFER_NOTIFICATION,
+			CERTIFICATE_TRANSFER_AUTHORIZATION,
+			CERTIFICATE_DISPUTE_SUCCESS,
+			CERTIFICATE_DISPUTE_REJECTED,
+			CERTIFICATE_TRANSFER_CANCELED,
+			CERTIFICATE_TRANSFER_ACCEPTED,
+			CERTIFICATE_TRANSFER_REJECTED
+		};
+
+		static std::string AddOperator(const std::string &filename,
+									   const std::string &OperatorName) {
+			if (OperatorName.empty())
+				return "/" + filename;
+			return "/" + OperatorName + "/" + filename;
+		}
+
+		static std::string TemplateName(EMAIL_REASON r, const std::string &OperatorName = "") {
+			switch (r) {
+			case FORGOT_PASSWORD:
+				return AddOperator(EmailTemplateNames[FORGOT_PASSWORD], OperatorName);
+			case EMAIL_VERIFICATION:
+				return AddOperator(EmailTemplateNames[EMAIL_VERIFICATION], OperatorName);
+			case SUB_SIGNUP_VERIFICATION:
+				return AddOperator(EmailTemplateNames[SUB_SIGNUP_VERIFICATION], OperatorName);
+			case EMAIL_INVITATION:
+				return AddOperator(EmailTemplateNames[EMAIL_INVITATION], OperatorName);
+			case VERIFICATION_CODE:
+				return AddOperator(EmailTemplateNames[VERIFICATION_CODE], OperatorName);
+			case SUB_FORGOT_PASSWORD:
+				return AddOperator(EmailTemplateNames[SUB_FORGOT_PASSWORD], OperatorName);
+			case SUB_EMAIL_VERIFICATION:
+				return AddOperator(EmailTemplateNames[SUB_EMAIL_VERIFICATION], OperatorName);
+			case SUB_VERIFICATION_CODE:
+				return AddOperator(EmailTemplateNames[SUB_VERIFICATION_CODE], OperatorName);
+			case CERTIFICATE_TRANSFER_NOTIFICATION:
+				return AddOperator(EmailTemplateNames[CERTIFICATE_TRANSFER_NOTIFICATION],
+								   OperatorName);
+			case CERTIFICATE_TRANSFER_AUTHORIZATION:
+				return AddOperator(EmailTemplateNames[CERTIFICATE_TRANSFER_AUTHORIZATION],
+								   OperatorName);
+			case CERTIFICATE_DISPUTE_SUCCESS:
+				return AddOperator(EmailTemplateNames[CERTIFICATE_DISPUTE_SUCCESS], OperatorName);
+			case CERTIFICATE_DISPUTE_REJECTED:
+				return AddOperator(EmailTemplateNames[CERTIFICATE_DISPUTE_REJECTED], OperatorName);
+			case CERTIFICATE_TRANSFER_CANCELED:
+				return AddOperator(EmailTemplateNames[CERTIFICATE_TRANSFER_CANCELED], OperatorName);
+			case CERTIFICATE_TRANSFER_ACCEPTED:
+				return AddOperator(EmailTemplateNames[CERTIFICATE_TRANSFER_ACCEPTED], OperatorName);
+			case CERTIFICATE_TRANSFER_REJECTED:
+				return AddOperator(EmailTemplateNames[CERTIFICATE_TRANSFER_REJECTED], OperatorName);
+			default:
+				return "";
+			}
+		}
+
+		static std::string Logo(const std::string &OperatorName = "") {
+			return AddOperator("logo.png", OperatorName);
+		}
+
+		static std::string SubLogo(const std::string &OperatorName = "") {
+			return AddOperator("sub_logo.png", OperatorName);
+		}
+
+	  private:
+		inline const static std::vector<std::string> EmailTemplateNames = {
+			"password_reset",
+			"email_verification",
+			"sub_signup_verification",
+			"email_invitation",
+			"verification_code",
+			"sub_password_reset",
+			"sub_email_verification",
+			"sub_verification_code",
+			"certificate_transfer_notification",
+			"certificate_transfer_authorization",
+			"certificate_dispute_success",
+			"certificate_dispute_rejected",
+			"certificate_transfer_canceled",
+			"certificate_transfer_accepted",
+			"certificate_transfer_rejected"};
+	};
+
+	inline MessagingTemplates &MessagingTemplates() { return MessagingTemplates::instance(); }
+
+} // namespace OpenWifi

src/MicroService.cpp

@@ -1,501 +0,0 @@
-//
-// Created by stephane bourque on 2021-06-22.
-//
-#include <cstdlib>
-#include <boost/algorithm/string.hpp>
-
-#include "Poco/Util/Application.h"
-#include "Poco/Util/ServerApplication.h"
-#include "Poco/Util/Option.h"
-#include "Poco/Util/OptionSet.h"
-#include "Poco/Util/HelpFormatter.h"
-#include "Poco/Environment.h"
-#include "Poco/Net/HTTPSStreamFactory.h"
-#include "Poco/Net/HTTPStreamFactory.h"
-#include "Poco/Net/FTPSStreamFactory.h"
-#include "Poco/Net/FTPStreamFactory.h"
-#include "Poco/Path.h"
-#include "Poco/File.h"
-#include "Poco/String.h"
-#include "Poco/JSON/Object.h"
-#include "Poco/JSON/Parser.h"
-#include "Poco/JSON/Stringifier.h"
-
-#include "ALBHealthCheckServer.h"
-#ifndef SMALL_BUILD
-#include "KafkaManager.h"
-#endif
-#include "Kafka_topics.h"
-
-#include "MicroService.h"
-#include "Utils.h"
-
-#ifndef TIP_SECURITY_SERVICE
-#include "AuthClient.h"
-#endif
-
-namespace OpenWifi {
-
-	void MyErrorHandler::exception(const Poco::Exception & E) {
-		Poco::Thread * CurrentThread = Poco::Thread::current();
-		App_.logger().log(E);
-		App_.logger().error(Poco::format("Exception occurred in %s",CurrentThread->getName()));
-	}
-
-	void MyErrorHandler::exception(const std::exception & E) {
-		Poco::Thread * CurrentThread = Poco::Thread::current();
-		App_.logger().warning(Poco::format("std::exception on %s",CurrentThread->getName()));
-	}
-
-	void MyErrorHandler::exception() {
-		Poco::Thread * CurrentThread = Poco::Thread::current();
-		App_.logger().warning(Poco::format("exception on %s",CurrentThread->getName()));
-	}
-
-	void MicroService::Exit(int Reason) {
-		std::exit(Reason);
-	}
-
-	void MicroService::BusMessageReceived(const std::string &Key, const std::string & Message) {
-		SubMutexGuard G(InfraMutex_);
-		try {
-			Poco::JSON::Parser P;
-			auto Object = P.parse(Message).extract<Poco::JSON::Object::Ptr>();
-			if (Object->has(KafkaTopics::ServiceEvents::Fields::ID) &&
-				Object->has(KafkaTopics::ServiceEvents::Fields::EVENT)) {
-				uint64_t 	ID = Object->get(KafkaTopics::ServiceEvents::Fields::ID);
-				auto 		Event = Object->get(KafkaTopics::ServiceEvents::Fields::EVENT).toString();
-				if (ID != ID_) {
-					if(	Event==KafkaTopics::ServiceEvents::EVENT_JOIN ||
-						Event==KafkaTopics::ServiceEvents::EVENT_KEEP_ALIVE ||
-						Event==KafkaTopics::ServiceEvents::EVENT_LEAVE ) {
-						if(	Object->has(KafkaTopics::ServiceEvents::Fields::TYPE) &&
-						   	Object->has(KafkaTopics::ServiceEvents::Fields::PUBLIC) &&
-							Object->has(KafkaTopics::ServiceEvents::Fields::PRIVATE) &&
-						   	Object->has(KafkaTopics::ServiceEvents::Fields::VRSN) &&
-							Object->has(KafkaTopics::ServiceEvents::Fields::KEY)) {
-
-							if (Event == KafkaTopics::ServiceEvents::EVENT_KEEP_ALIVE && Services_.find(ID) != Services_.end()) {
-								Services_[ID].LastUpdate = std::time(nullptr);
-							} else if (Event == KafkaTopics::ServiceEvents::EVENT_LEAVE) {
-								Services_.erase(ID);
-								logger().information(Poco::format("Service %s ID=%Lu leaving system.",Object->get(KafkaTopics::ServiceEvents::Fields::PRIVATE).toString(),ID));
-							} else if (Event == KafkaTopics::ServiceEvents::EVENT_JOIN || Event == KafkaTopics::ServiceEvents::EVENT_KEEP_ALIVE) {
-								logger().information(Poco::format("Service %s ID=%Lu joining system.",Object->get(KafkaTopics::ServiceEvents::Fields::PRIVATE).toString(),ID));
-								Services_[ID] = MicroServiceMeta{
-									.Id = ID,
-									.Type = Poco::toLower(Object->get(KafkaTopics::ServiceEvents::Fields::TYPE).toString()),
-									.PrivateEndPoint = Object->get(KafkaTopics::ServiceEvents::Fields::PRIVATE).toString(),
-									.PublicEndPoint = Object->get(KafkaTopics::ServiceEvents::Fields::PUBLIC).toString(),
-									.AccessKey = Object->get(KafkaTopics::ServiceEvents::Fields::KEY).toString(),
-									.Version = Object->get(KafkaTopics::ServiceEvents::Fields::VRSN).toString(),
-									.LastUpdate = (uint64_t)std::time(nullptr)};
-								for (const auto &[Id, Svc] : Services_) {
-									logger().information(Poco::format("ID: %Lu Type: %s EndPoint: %s",Id,Svc.Type,Svc.PrivateEndPoint));
-								}
-							}
-						} else {
-							logger().error(Poco::format("KAFKA-MSG: invalid event '%s', missing a field.",Event));
-						}
-					} else if (Event==KafkaTopics::ServiceEvents::EVENT_REMOVE_TOKEN) {
-						if(Object->has(KafkaTopics::ServiceEvents::Fields::TOKEN)) {
-#ifndef TIP_SECURITY_SERVICE
-							AuthClient()->RemovedCachedToken(Object->get(KafkaTopics::ServiceEvents::Fields::TOKEN).toString());
-#endif
-						} else {
-							logger().error(Poco::format("KAFKA-MSG: invalid event '%s', missing token",Event));
-						}
-					} else {
-						logger().error(Poco::format("Unknown Event: %s Source: %Lu", Event, ID));
-					}
-				}
-			} else {
-				logger().error("Bad bus message.");
-			}
-
-			auto i=Services_.begin();
-			auto Now = (uint64_t )std::time(nullptr);
-			for(;i!=Services_.end();) {
-			    if((Now - i->second.LastUpdate)>60) {
-			        i = Services_.erase(i);
-			    } else
-			        ++i;
-			}
-
-		} catch (const Poco::Exception &E) {
-			logger().log(E);
-		}
-	}
-
-	MicroServiceMetaVec MicroService::GetServices(const std::string & Type) {
-		SubMutexGuard G(InfraMutex_);
-
-		auto T = Poco::toLower(Type);
-		MicroServiceMetaVec	Res;
-		for(const auto &[Id,ServiceRec]:Services_) {
-			if(ServiceRec.Type==T)
-				Res.push_back(ServiceRec);
-		}
-		return Res;
-	}
-
-	MicroServiceMetaVec MicroService::GetServices() {
-		SubMutexGuard G(InfraMutex_);
-
-		MicroServiceMetaVec	Res;
-		for(const auto &[Id,ServiceRec]:Services_) {
-			Res.push_back(ServiceRec);
-		}
-		return Res;
-	}
-
-	void MicroService::initialize(Poco::Util::Application &self) {
-		// add the default services
-		SubSystems_.push_back(KafkaManager());
-		SubSystems_.push_back(ALBHealthCheckServer());
-
-		Poco::Net::initializeSSL();
-		Poco::Net::HTTPStreamFactory::registerFactory();
-		Poco::Net::HTTPSStreamFactory::registerFactory();
-		Poco::Net::FTPStreamFactory::registerFactory();
-		Poco::Net::FTPSStreamFactory::registerFactory();
-		std::string Location = Poco::Environment::get(DAEMON_CONFIG_ENV_VAR,".");
-		Poco::Path ConfigFile;
-
-		ConfigFile = ConfigFileName_.empty() ? Location + "/" + DAEMON_PROPERTIES_FILENAME : ConfigFileName_;
-
-		if(!ConfigFile.isFile())
-		{
-			std::cerr << DAEMON_APP_NAME << ": Configuration "
-					  << ConfigFile.toString() << " does not seem to exist. Please set " + DAEMON_CONFIG_ENV_VAR
-												  + " env variable the path of the " + DAEMON_PROPERTIES_FILENAME + " file." << std::endl;
-			std::exit(Poco::Util::Application::EXIT_CONFIG);
-		}
-
-		static const char * LogFilePathKey = "logging.channels.c2.path";
-
-		loadConfiguration(ConfigFile.toString());
-
-		if(LogDir_.empty()) {
-			std::string OriginalLogFileValue = ConfigPath(LogFilePathKey);
-			config().setString(LogFilePathKey, OriginalLogFileValue);
-		} else {
-			config().setString(LogFilePathKey, LogDir_);
-		}
-		Poco::File	DataDir(ConfigPath("ucentral.system.data"));
-		DataDir_ = DataDir.path();
-		if(!DataDir.exists()) {
-			try {
-				DataDir.createDirectory();
-			} catch (const Poco::Exception &E) {
-				logger().log(E);
-			}
-		}
-		std::string KeyFile = ConfigPath("ucentral.service.key");
-		std::string KeyFilePassword = ConfigPath("ucentral.service.key.password" , "" );
-		AppKey_ = Poco::SharedPtr<Poco::Crypto::RSAKey>(new Poco::Crypto::RSAKey("", KeyFile, KeyFilePassword));
-		Cipher_ = CipherFactory_.createCipher(*AppKey_);
-		ID_ = Utils::GetSystemId();
-		if(!DebugMode_)
-			DebugMode_ = ConfigGetBool("ucentral.system.debug",false);
-		MyPrivateEndPoint_ = ConfigGetString("ucentral.system.uri.private");
-		MyPublicEndPoint_ = ConfigGetString("ucentral.system.uri.public");
-		UIURI_ = ConfigGetString("ucentral.system.uri.ui");
-		MyHash_ = CreateHash(MyPublicEndPoint_);
-		InitializeSubSystemServers();
-		ServerApplication::initialize(self);
-
-		Types::TopicNotifyFunction F = [this](std::string s1,std::string s2) { this->BusMessageReceived(s1,s2); };
-		KafkaManager()->RegisterTopicWatcher(KafkaTopics::SERVICE_EVENTS, F);
-	}
-
-	void MicroService::uninitialize() {
-		// add your own uninitialization code here
-		ServerApplication::uninitialize();
-	}
-
-	void MicroService::reinitialize(Poco::Util::Application &self) {
-		ServerApplication::reinitialize(self);
-		// add your own reinitialization code here
-	}
-
-	void MicroService::defineOptions(Poco::Util::OptionSet &options) {
-		ServerApplication::defineOptions(options);
-
-		options.addOption(
-			Poco::Util::Option("help", "", "display help information on command line arguments")
-				.required(false)
-				.repeatable(false)
-				.callback(Poco::Util::OptionCallback<MicroService>(this, &MicroService::handleHelp)));
-
-		options.addOption(
-			Poco::Util::Option("file", "", "specify the configuration file")
-				.required(false)
-				.repeatable(false)
-				.argument("file")
-				.callback(Poco::Util::OptionCallback<MicroService>(this, &MicroService::handleConfig)));
-
-		options.addOption(
-			Poco::Util::Option("debug", "", "to run in debug, set to true")
-				.required(false)
-				.repeatable(false)
-				.callback(Poco::Util::OptionCallback<MicroService>(this, &MicroService::handleDebug)));
-
-		options.addOption(
-			Poco::Util::Option("logs", "", "specify the log directory and file (i.e. dir/file.log)")
-				.required(false)
-				.repeatable(false)
-				.argument("dir")
-				.callback(Poco::Util::OptionCallback<MicroService>(this, &MicroService::handleLogs)));
-
-		options.addOption(
-			Poco::Util::Option("version", "", "get the version and quit.")
-				.required(false)
-				.repeatable(false)
-				.callback(Poco::Util::OptionCallback<MicroService>(this, &MicroService::handleVersion)));
-
-	}
-
-	void MicroService::handleHelp(const std::string &name, const std::string &value) {
-		HelpRequested_ = true;
-		displayHelp();
-		stopOptionsProcessing();
-	}
-
-	void MicroService::handleVersion(const std::string &name, const std::string &value) {
-		HelpRequested_ = true;
-		std::cout << Version() << std::endl;
-		stopOptionsProcessing();
-	}
-
-	void MicroService::handleDebug(const std::string &name, const std::string &value) {
-		if(value == "true")
-			DebugMode_ = true ;
-	}
-
-	void MicroService::handleLogs(const std::string &name, const std::string &value) {
-		LogDir_ = value;
-	}
-
-	void MicroService::handleConfig(const std::string &name, const std::string &value) {
-		ConfigFileName_ = value;
-	}
-
-	void MicroService::displayHelp() {
-		Poco::Util::HelpFormatter helpFormatter(options());
-		helpFormatter.setCommand(commandName());
-		helpFormatter.setUsage("OPTIONS");
-		helpFormatter.setHeader("A " + DAEMON_APP_NAME + " implementation for TIP.");
-		helpFormatter.format(std::cout);
-	}
-
-	void MicroService::InitializeSubSystemServers() {
-		for(auto i:SubSystems_)
-			addSubsystem(i);
-	}
-
-	void MicroService::StartSubSystemServers() {
-		for(auto i:SubSystems_) {
-			i->Start();
-		}
-		BusEventManager_.Start();
-	}
-
-	void MicroService::StopSubSystemServers() {
-		BusEventManager_.Stop();
-		for(auto i=SubSystems_.rbegin(); i!=SubSystems_.rend(); ++i)
-			(*i)->Stop();
-	}
-
-	std::string MicroService::CreateUUID() {
-		return UUIDGenerator_.create().toString();
-	}
-
-	bool MicroService::SetSubsystemLogLevel(const std::string &SubSystem, const std::string &Level) {
-		try {
-			auto P = Poco::Logger::parseLevel(Level);
-			auto Sub = Poco::toLower(SubSystem);
-
-			if (Sub == "all") {
-				for (auto i : SubSystems_) {
-					i->Logger().setLevel(P);
-				}
-				return true;
-			} else {
-				// std::cout << "Sub:" << SubSystem << " Level:" << Level << std::endl;
-				for (auto i : SubSystems_) {
-					if (Sub == Poco::toLower(i->Name())) {
-						i->Logger().setLevel(P);
-						return true;
-					}
-				}
-			}
-		} catch (const Poco::Exception & E) {
-			std::cout << "Exception" << std::endl;
-		}
-		return false;
-	}
-
-	Types::StringVec MicroService::GetSubSystems() const {
-		Types::StringVec Result;
-		for(auto i:SubSystems_)
-			Result.push_back(i->Name());
-		return Result;
-	}
-
-	Types::StringPairVec MicroService::GetLogLevels() const {
-		Types::StringPairVec Result;
-
-		for(auto &i:SubSystems_) {
-			auto P = std::make_pair( i->Name(), Utils::LogLevelToString(i->GetLoggingLevel()));
-			Result.push_back(P);
-		}
-		return Result;
-	}
-
-	const Types::StringVec & MicroService::GetLogLevelNames() const {
-		static Types::StringVec LevelNames{"none", "fatal", "critical", "error", "warning", "notice", "information", "debug", "trace" };
-		return LevelNames;
-	}
-
-	uint64_t MicroService::ConfigGetInt(const std::string &Key,uint64_t Default) {
-		return (uint64_t) config().getInt64(Key,Default);
-	}
-
-	uint64_t MicroService::ConfigGetInt(const std::string &Key) {
-		return config().getInt(Key);
-	}
-
-	uint64_t MicroService::ConfigGetBool(const std::string &Key,bool Default) {
-		return config().getBool(Key,Default);
-	}
-
-	uint64_t MicroService::ConfigGetBool(const std::string &Key) {
-		return config().getBool(Key);
-	}
-
-	std::string MicroService::ConfigGetString(const std::string &Key,const std::string & Default) {
-		return config().getString(Key, Default);
-	}
-
-	std::string MicroService::ConfigGetString(const std::string &Key) {
-		return config().getString(Key);
-	}
-
-	std::string MicroService::ConfigPath(const std::string &Key,const std::string & Default) {
-		std::string R = config().getString(Key, Default);
-		return Poco::Path::expand(R);
-	}
-
-	std::string MicroService::ConfigPath(const std::string &Key) {
-		std::string R = config().getString(Key);
-		return Poco::Path::expand(R);
-	}
-
-	std::string MicroService::Encrypt(const std::string &S) {
-		return Cipher_->encryptString(S, Poco::Crypto::Cipher::Cipher::ENC_BASE64);;
-	}
-
-	std::string MicroService::Decrypt(const std::string &S) {
-		return Cipher_->decryptString(S, Poco::Crypto::Cipher::Cipher::ENC_BASE64);;
-	}
-
-	std::string MicroService::CreateHash(const std::string &S) {
-		SHA2_.update(S);
-		return Utils::ToHex(SHA2_.digest());
-	}
-
-	std::string MicroService::MakeSystemEventMessage( const std::string & Type ) const {
-		Poco::JSON::Object	Obj;
-		Obj.set(KafkaTopics::ServiceEvents::Fields::EVENT,Type);
-		Obj.set(KafkaTopics::ServiceEvents::Fields::ID,ID_);
-		Obj.set(KafkaTopics::ServiceEvents::Fields::TYPE,Poco::toLower(DAEMON_APP_NAME));
-		Obj.set(KafkaTopics::ServiceEvents::Fields::PUBLIC,MyPublicEndPoint_);
-		Obj.set(KafkaTopics::ServiceEvents::Fields::PRIVATE,MyPrivateEndPoint_);
-		Obj.set(KafkaTopics::ServiceEvents::Fields::KEY,MyHash_);
-		Obj.set(KafkaTopics::ServiceEvents::Fields::VRSN,Version_);
-		std::stringstream ResultText;
-		Poco::JSON::Stringifier::stringify(Obj, ResultText);
-		return ResultText.str();
-	}
-
-	void BusEventManager::run() {
-		Running_ = true;
-		auto Msg = Daemon()->MakeSystemEventMessage(KafkaTopics::ServiceEvents::EVENT_JOIN);
-		KafkaManager()->PostMessage(KafkaTopics::SERVICE_EVENTS,Daemon()->PrivateEndPoint(),Msg, false);
-		while(Running_) {
-			Poco::Thread::trySleep((unsigned long)Daemon()->DaemonBusTimer());
-			if(!Running_)
-				break;
-			auto Msg = Daemon()->MakeSystemEventMessage(KafkaTopics::ServiceEvents::EVENT_KEEP_ALIVE);
-			KafkaManager()->PostMessage(KafkaTopics::SERVICE_EVENTS,Daemon()->PrivateEndPoint(),Msg, false);
-		}
-		Msg = Daemon()->MakeSystemEventMessage(KafkaTopics::ServiceEvents::EVENT_LEAVE);
-		KafkaManager()->PostMessage(KafkaTopics::SERVICE_EVENTS,Daemon()->PrivateEndPoint(),Msg, false);
-	};
-
-	void BusEventManager::Start() {
-		if(KafkaManager()->Enabled()) {
-			Thread_.start(*this);
-		}
-	}
-
-	void BusEventManager::Stop() {
-		if(KafkaManager()->Enabled()) {
-			Running_ = false;
-			Thread_.wakeUp();
-			Thread_.join();
-		}
-	}
-
-	[[nodiscard]] bool MicroService::IsValidAPIKEY(const Poco::Net::HTTPServerRequest &Request) {
-		try {
-			auto APIKEY = Request.get("X-API-KEY");
-			return APIKEY == MyHash_;
-		} catch (const Poco::Exception &E) {
-			logger().log(E);
-		}
-		return false;
-	}
-
-	void MicroService::SavePID() {
-		try {
-			std::ofstream O;
-			O.open(Daemon()->DataDir() + "/pidfile",std::ios::binary | std::ios::trunc);
-			O << Poco::Process::id();
-			O.close();
-		} catch (...)
-		{
-			std::cout << "Could not save system ID" << std::endl;
-		}
-	}
-
-	int MicroService::main(const ArgVec &args) {
-
-		MyErrorHandler	ErrorHandler(*this);
-		Poco::ErrorHandler::set(&ErrorHandler);
-
-		if (!HelpRequested_) {
-			SavePID();
-			Poco::Logger &logger = Poco::Logger::get(DAEMON_APP_NAME);
-			logger.notice(Poco::format("Starting %s version %s.",DAEMON_APP_NAME, Version()));
-
-			if(Poco::Net::Socket::supportsIPv6())
-				logger.information("System supports IPv6.");
-			else
-				logger.information("System does NOT support IPv6.");
-
-			if (config().getBool("application.runAsDaemon", false)) {
-				logger.information("Starting as a daemon.");
-			}
-			logger.information(Poco::format("System ID set to %Lu",ID_));
-			StartSubSystemServers();
-			waitForTerminationRequest();
-			StopSubSystemServers();
-
-			logger.notice(Poco::format("Stopped %s...",DAEMON_APP_NAME));
-		}
-
-		return Application::EXIT_OK;
-	}
-}

src/MicroService.h

@@ -1,174 +0,0 @@
-//
-// Created by stephane bourque on 2021-06-22.
-//
-
-#ifndef UCENTRALGW_MICROSERVICE_H
-#define UCENTRALGW_MICROSERVICE_H
-
-#include <array>
-#include <iostream>
-#include <cstdlib>
-#include <vector>
-#include <set>
-
-#include "Poco/Util/Application.h"
-#include "Poco/Util/ServerApplication.h"
-#include "Poco/Util/Option.h"
-#include "Poco/Util/OptionSet.h"
-#include "Poco/UUIDGenerator.h"
-#include "Poco/ErrorHandler.h"
-#include "Poco/Crypto/RSAKey.h"
-#include "Poco/Crypto/CipherFactory.h"
-#include "Poco/Crypto/Cipher.h"
-#include "Poco/SHA2Engine.h"
-#include "Poco/Net/HTTPServerRequest.h"
-#include "Poco/Process.h"
-
-#include "OpenWifiTypes.h"
-#include "SubSystemServer.h"
-
-namespace OpenWifi {
-
-	static const std::string uSERVICE_SECURITY{"ucentralsec"};
-	static const std::string uSERVICE_GATEWAY{"ucentralgw"};
-	static const std::string uSERVICE_FIRMWARE{ "ucentralfms"};
-    static const std::string uSERVICE_TOPOLOGY{ "owtopo"};
-    static const std::string uSERVICE_PROVISIONING{ "owprov"};
-
-	class MyErrorHandler : public Poco::ErrorHandler {
-	  public:
-		explicit MyErrorHandler(Poco::Util::Application &App) : App_(App) {}
-		void exception(const Poco::Exception & E) override;
-		void exception(const std::exception & E) override;
-		void exception() override;
-	  private:
-		Poco::Util::Application	&App_;
-	};
-
-	class BusEventManager : public Poco::Runnable {
-	  public:
-		void run() override;
-		void Start();
-		void Stop();
-	  private:
-		std::atomic_bool 	Running_ = false;
-		Poco::Thread		Thread_;
-	};
-
-	struct MicroServiceMeta {
-		uint64_t 		Id=0;
-		std::string 	Type;
-		std::string 	PrivateEndPoint;
-		std::string 	PublicEndPoint;
-		std::string 	AccessKey;
-		std::string		Version;
-		uint64_t 		LastUpdate=0;
-	};
-
-	typedef std::map<uint64_t, MicroServiceMeta>	MicroServiceMetaMap;
-	typedef std::vector<MicroServiceMeta>			MicroServiceMetaVec;
-
-	class MicroService : public Poco::Util::ServerApplication {
-	  public:
-		explicit MicroService( 	std::string PropFile,
-					 	std::string RootEnv,
-					 	std::string ConfigVar,
-					 	std::string AppName,
-					  	uint64_t BusTimer,
-					  	Types::SubSystemVec Subsystems) :
-			DAEMON_PROPERTIES_FILENAME(std::move(PropFile)),
-			DAEMON_ROOT_ENV_VAR(std::move(RootEnv)),
-			DAEMON_CONFIG_ENV_VAR(std::move(ConfigVar)),
-			DAEMON_APP_NAME(std::move(AppName)),
-			DAEMON_BUS_TIMER(BusTimer),
-			SubSystems_(std::move(Subsystems)) {
-			std::string V{APP_VERSION};
-			std::string B{BUILD_NUMBER};
-			Version_ =  V + "(" + B +  ")";
-		}
-
-		int main(const ArgVec &args) override;
-		void initialize(Application &self) override;
-		void uninitialize() override;
-		void reinitialize(Application &self) override;
-		void defineOptions(Poco::Util::OptionSet &options) override;
-		void handleHelp(const std::string &name, const std::string &value);
-		void handleVersion(const std::string &name, const std::string &value);
-		void handleDebug(const std::string &name, const std::string &value);
-		void handleLogs(const std::string &name, const std::string &value);
-		void handleConfig(const std::string &name, const std::string &value);
-		void displayHelp();
-
-		void InitializeSubSystemServers();
-		void StartSubSystemServers();
-		void StopSubSystemServers();
-		void Exit(int Reason);
-		bool SetSubsystemLogLevel(const std::string & SubSystem, const std::string & Level);
-		[[nodiscard]] std::string Version() { return Version_; }
-		[[nodiscard]] const Poco::SharedPtr<Poco::Crypto::RSAKey> & Key() { return AppKey_; }
-		[[nodiscard]] inline const std::string & DataDir() { return DataDir_; }
-		[[nodiscard]] std::string CreateUUID();
-		[[nodiscard]] bool Debug() const { return DebugMode_; }
-		[[nodiscard]] uint64_t ID() const { return ID_; }
-		[[nodiscard]] Types::StringVec GetSubSystems() const;
-		[[nodiscard]] Types::StringPairVec GetLogLevels() const;
-		[[nodiscard]] const Types::StringVec & GetLogLevelNames() const;
-		[[nodiscard]] std::string ConfigGetString(const std::string &Key,const std::string & Default);
-		[[nodiscard]] std::string ConfigGetString(const std::string &Key);
-		[[nodiscard]] std::string ConfigPath(const std::string &Key,const std::string & Default);
-		[[nodiscard]] std::string ConfigPath(const std::string &Key);
-		[[nodiscard]] uint64_t ConfigGetInt(const std::string &Key,uint64_t Default);
-		[[nodiscard]] uint64_t ConfigGetInt(const std::string &Key);
-		[[nodiscard]] uint64_t ConfigGetBool(const std::string &Key,bool Default);
-		[[nodiscard]] uint64_t ConfigGetBool(const std::string &Key);
-		[[nodiscard]] std::string Encrypt(const std::string &S);
-		[[nodiscard]] std::string Decrypt(const std::string &S);
-		[[nodiscard]] std::string CreateHash(const std::string &S);
-		[[nodiscard]] std::string Hash() const { return MyHash_; };
-		[[nodiscard]] std::string ServiceType() const { return DAEMON_APP_NAME; };
-		[[nodiscard]] std::string PrivateEndPoint() const { return MyPrivateEndPoint_; };
-		[[nodiscard]] std::string PublicEndPoint() const { return MyPublicEndPoint_; };
-		[[nodiscard]] std::string MakeSystemEventMessage( const std::string & Type ) const ;
-		inline uint64_t DaemonBusTimer() const { return DAEMON_BUS_TIMER; };
-
-		void BusMessageReceived( const std::string & Key, const std::string & Message);
-		[[nodiscard]] MicroServiceMetaVec GetServices(const std::string & type);
-		[[nodiscard]] MicroServiceMetaVec GetServices();
-		[[nodiscard]] bool IsValidAPIKEY(const Poco::Net::HTTPServerRequest &Request);
-
-		void SavePID();
-		inline uint64_t GetPID() { return Poco::Process::id(); };
-		[[nodiscard]] inline const std::string GetPublicAPIEndPoint() const { return MyPublicEndPoint_ + "/api/v1"; };
-		[[nodiscard]] inline const std::string & GetUIURI() const { return UIURI_;};
-
-	  private:
-		bool                        HelpRequested_ = false;
-		std::string                 LogDir_;
-		std::string                 ConfigFileName_;
-		Poco::UUIDGenerator         UUIDGenerator_;
-		uint64_t                    ID_ = 1;
-		Poco::SharedPtr<Poco::Crypto::RSAKey>	AppKey_ = nullptr;
-		bool                        DebugMode_ = false;
-		std::string 				DataDir_;
-		Types::SubSystemVec			SubSystems_;
-		Poco::Crypto::CipherFactory & CipherFactory_ = Poco::Crypto::CipherFactory::defaultFactory();
-		Poco::Crypto::Cipher        * Cipher_ = nullptr;
-		Poco::SHA2Engine			SHA2_;
-		MicroServiceMetaMap			Services_;
-		std::string 				MyHash_;
-		std::string 				MyPrivateEndPoint_;
-		std::string 				MyPublicEndPoint_;
-		std::string                 UIURI_;
-		std::string 				Version_;
-		BusEventManager				BusEventManager_;
-		SubMutex 					InfraMutex_;
-
-		std::string DAEMON_PROPERTIES_FILENAME;
-		std::string DAEMON_ROOT_ENV_VAR;
-		std::string DAEMON_CONFIG_ENV_VAR;
-		std::string DAEMON_APP_NAME;
-		uint64_t 	DAEMON_BUS_TIMER;
-	};
-}
-
-#endif // UCENTRALGW_MICROSERVICE_H

src/OpenAPIRequest.cpp

@@ -1,68 +0,0 @@
-//
-// Created by stephane bourque on 2021-07-01.
-//
-#include <iostream>
-
-#include "OpenAPIRequest.h"
-
-#include "Poco/Net/HTTPSClientSession.h"
-#include <Poco/Net/HTTPClientSession.h>
-#include <Poco/Net/HTTPRequest.h>
-#include <Poco/Net/HTTPResponse.h>
-#include <Poco/StreamCopier.h>
-#include <Poco/JSON/Parser.h>
-#include <Poco/Path.h>
-#include <Poco/URI.h>
-#include <Poco/Exception.h>
-#include "Utils.h"
-#include "Daemon.h"
-
-namespace OpenWifi {
-
-	OpenAPIRequestGet::OpenAPIRequestGet( 	const std::string & ServiceType,
-											const std::string & EndPoint,
-									 		Types::StringPairVec & QueryData,
-											uint64_t msTimeout):
- 		Type_(ServiceType),
- 		EndPoint_(EndPoint),
-		QueryData_(QueryData),
-		msTimeout_(msTimeout) {
-
-	}
-
-	int OpenAPIRequestGet::Do(Poco::JSON::Object::Ptr &ResponseObject) {
-		try {
-		    auto Services = Daemon()->GetServices(Type_);
-			for(auto const &Svc:Services) {
-				Poco::URI	URI(Svc.PrivateEndPoint);
-				Poco::Net::HTTPSClientSession Session(URI.getHost(), URI.getPort());
-
-				URI.setPath(EndPoint_);
-				for (const auto &qp : QueryData_)
-					URI.addQueryParameter(qp.first, qp.second);
-
-				std::string Path(URI.getPathAndQuery());
-				Session.setTimeout(Poco::Timespan(msTimeout_/1000, msTimeout_ % 1000));
-
-				Poco::Net::HTTPRequest Request(Poco::Net::HTTPRequest::HTTP_GET,
-											   Path,
-											   Poco::Net::HTTPMessage::HTTP_1_1);
-				Request.add("X-API-KEY", Svc.AccessKey);
-				Session.sendRequest(Request);
-
-				Poco::Net::HTTPResponse Response;
-				std::istream &is = Session.receiveResponse(Response);
-				if(Response.getStatus()==Poco::Net::HTTPResponse::HTTP_OK) {
-					Poco::JSON::Parser	P;
-					ResponseObject = P.parse(is).extract<Poco::JSON::Object::Ptr>();
-				}
-				return Response.getStatus();
-			}
-		}
-		catch (const Poco::Exception &E)
-		{
-			std::cerr << E.displayText() << std::endl;
-		}
-		return -1;
-	}
-}

src/OpenAPIRequest.h

@@ -1,29 +0,0 @@
-//
-// Created by stephane bourque on 2021-07-01.
-//
-
-#ifndef UCENTRALGW_OPENAPIREQUEST_H
-#define UCENTRALGW_OPENAPIREQUEST_H
-
-#include "Poco/JSON/Object.h"
-
-#include "OpenWifiTypes.h"
-
-namespace OpenWifi {
-
-	class OpenAPIRequestGet {
-	  public:
-		explicit OpenAPIRequestGet( const std::string & Type,
-								   	const std::string & EndPoint,
-									Types::StringPairVec & QueryData,
-									uint64_t msTimeout);
-		int Do(Poco::JSON::Object::Ptr &ResponseObject);
-	  private:
-		std::string 			Type_;
-		std::string 			EndPoint_;
-		Types::StringPairVec 	QueryData_;
-		uint64_t 				msTimeout_;
-	};
-}
-
-#endif // UCENTRALGW_OPENAPIREQUEST_H

src/OpenWifiTypes.h

@@ -1,68 +0,0 @@
-//
-// Created by stephane bourque on 2021-06-13.
-//
-
-#ifndef UCENTRALGW_UCENTRALTYPES_H
-#define UCENTRALGW_UCENTRALTYPES_H
-
-#include "SubSystemServer.h"
-
-#include <vector>
-#include <string>
-#include <map>
-#include <functional>
-#include <list>
-#include <utility>
-#include <queue>
-
-#include "Poco/StringTokenizer.h"
-
-namespace OpenWifi::Types {
-    typedef std::pair<std::string,std::string>              StringPair;
-	typedef std::vector<StringPair>	                        StringPairVec;
-    typedef std::queue<StringPair>	                        StringPairQueue;
-	typedef std::vector<std::string>						StringVec;
-	typedef std::set<std::string>                           StringSet;
-	typedef std::vector<SubSystemServer*>					SubSystemVec;
-	typedef std::map<std::string,std::set<std::string>>		StringMapStringSet;
-	typedef std::function<void(std::string, std::string)>   TopicNotifyFunction;
-	typedef std::list<std::pair<TopicNotifyFunction,int>>   TopicNotifyFunctionList;
-	typedef std::map<std::string, TopicNotifyFunctionList>  NotifyTable;
-    typedef std::map<std::string,uint64_t>                  CountedMap;
-
-    typedef std::string         UUID_t;
-    typedef std::vector<UUID_t> UUIDvec_t;
-
-    inline void UpdateCountedMap(CountedMap &M, const std::string &S, uint64_t Increment=1) {
-        auto it = M.find(S);
-        if(it==M.end())
-            M[S] = Increment;
-        else
-            it->second += Increment;
-    }
-
-    inline std::string to_string( const StringVec &V) {
-        std::string Result;
-
-        bool first=true;
-        for(const auto &i:V) {
-            if(first) {
-                Result += i;
-                first = false;
-            } else {
-                Result += ",";
-                Result += i;
-            }
-        }
-        return Result;
-    }
-
-    inline void from_string(const std::string &S, StringVec &V) {
-        Poco::StringTokenizer   Tokens(S,",",Poco::StringTokenizer::TOK_TRIM | Poco::StringTokenizer::TOK_IGNORE_EMPTY);
-
-        for(auto const &i:Tokens)
-            V.emplace_back(i);
-    }
-};
-
-#endif // UCENTRALGW_UCENTRALTYPES_H

src/RESTAPI/RESTAPI_action_links.cpp

@@ -0,0 +1,356 @@
+//
+// Created by stephane bourque on 2021-06-22.
+//
+
+#include "Poco/JSON/Parser.h"
+#include "Poco/Net/HTMLForm.h"
+
+#include "RESTAPI_action_links.h"
+#include "StorageService.h"
+#include "framework/OpenAPIRequests.h"
+#include "framework/RESTAPI_PartHandler.h"
+
+#include "Daemon.h"
+
+namespace OpenWifi {
+
+#if defined(TIP_CERT_SERVICE)
+	bool ProcessExternalActionLinks(RESTAPIHandler &handler, const std::string &Id,
+									const std::string &Action);
+#endif
+
+	void RESTAPI_action_links::DoGet() {
+
+		auto Action = GetParameter("action", "");
+		auto Id = GetParameter("id", "");
+
+#if defined(TIP_CERT_SERVICE)
+		if (!OpenWifi::ProcessExternalActionLinks(*this, Id, Action)) {
+			return;
+		}
+#endif
+
+		SecurityObjects::ActionLink Link;
+		if (!StorageService()->ActionLinksDB().GetActionLink(Id, Link))
+			return DoReturnA404();
+
+		if (Action == "password_reset")
+			return RequestResetPassword(Link);
+		else if (Action == "sub_password_reset")
+			return RequestResetPassword(Link);
+		else if (Action == "email_verification")
+			return DoEmailVerification(Link);
+		else if (Action == "sub_email_verification")
+			return DoEmailVerification(Link);
+		else if (Action == "signup_verification")
+			return DoNewSubVerification(Link);
+		else
+			return DoReturnA404();
+	}
+
+	void RESTAPI_action_links::DoPost() {
+		auto Action = GetParameter("action", "");
+
+		if (Action == "password_reset")
+			return CompleteResetPassword();
+		else if (Action == "sub_password_reset")
+			return CompleteResetPassword();
+		else if (Action == "signup_completion")
+			return CompleteSubVerification();
+		else if (Action == "email_invitation")
+			return CompleteEmailInvitation();
+		else
+			return DoReturnA404();
+	}
+
+	void RESTAPI_action_links::AddGlobalVars(Types::StringPairVec &Vars) {
+		Vars.push_back(std::make_pair("USER_HELPER_EMAIL", AuthService()->HelperEmail()));
+		Vars.push_back(std::make_pair("SUB_HELPER_EMAIL", AuthService()->SubHelperEmail()));
+		Vars.push_back(
+			std::make_pair("GLOBAL_USER_HELPER_EMAIL", AuthService()->GlobalHelperEmail()));
+		Vars.push_back(
+			std::make_pair("GLOBAL_SUB_HELPER_EMAIL", AuthService()->GlobalSubHelperEmail()));
+		Vars.push_back(std::make_pair("USER_HELPER_SITE", AuthService()->HelperSite()));
+		Vars.push_back(std::make_pair("SUB_HELPER_SITE", AuthService()->SubHelperSite()));
+		Vars.push_back(std::make_pair("USER_SYSTEM_LOGIN", AuthService()->SystemLoginSite()));
+		Vars.push_back(std::make_pair("SUB_SYSTEM_LOGIN", AuthService()->SubSystemLoginSite()));
+		Vars.push_back(std::make_pair("USER_SIGNATURE", AuthService()->UserSignature()));
+		Vars.push_back(std::make_pair("SUB_SIGNATURE", AuthService()->SubSignature()));
+	}
+
+	void RESTAPI_action_links::RequestResetPassword(SecurityObjects::ActionLink &Link) {
+		Logger_.information(fmt::format("REQUEST-PASSWORD-RESET({}): For ID={}",
+										Request->clientAddress().toString(), Link.userId));
+		Poco::File FormFile{Daemon()->AssetDir() + "/password_reset.html"};
+		Types::StringPairVec FormVars{
+			{"UUID", Link.id},
+			{"PASSWORD_VALIDATION", AuthService()->PasswordValidationExpression()}};
+		AddGlobalVars(FormVars);
+		SendHTMLFileBack(FormFile, FormVars);
+	}
+
+	void RESTAPI_action_links::DoNewSubVerification(SecurityObjects::ActionLink &Link) {
+		Logger_.information(fmt::format("REQUEST-SUB-SIGNUP({}): For ID={}",
+										Request->clientAddress().toString(), Link.userId));
+		Poco::File FormFile{Daemon()->AssetDir() + "/sub_signup_verification.html"};
+		Types::StringPairVec FormVars{
+			{"UUID", Link.id},
+			{"PASSWORD_VALIDATION", AuthService()->PasswordValidationExpression()}};
+		AddGlobalVars(FormVars);
+		SendHTMLFileBack(FormFile, FormVars);
+	}
+
+	void RESTAPI_action_links::CompleteResetPassword() {
+		RESTAPI_PartHandler PartHandler;
+		Poco::Net::HTMLForm Form(*Request, Request->stream(), PartHandler);
+		if (!Form.empty()) {
+
+			auto Password1 = Form.get("password1", "bla");
+			auto Password2 = Form.get("password2", "blu");
+			auto Id = Form.get("id", "");
+			auto now = OpenWifi::Now();
+
+			SecurityObjects::ActionLink Link;
+			if (!StorageService()->ActionLinksDB().GetActionLink(Id, Link))
+				return DoReturnA404();
+
+			if (now > Link.expires) {
+				StorageService()->ActionLinksDB().CancelAction(Id);
+				return DoReturnA404();
+			}
+
+			if (Password1 != Password2 || !AuthService()->ValidatePassword(Password2) ||
+				!AuthService()->ValidatePassword(Password1)) {
+				Poco::File FormFile{Daemon()->AssetDir() + "/password_reset_error.html"};
+				Types::StringPairVec FormVars{
+					{"UUID", Id},
+					{"ERROR_TEXT",
+					 "For some reason, the passwords entered do not match or they do not comply "
+					 "with"
+					 " accepted password creation restrictions. Please consult our on-line help"
+					 " to look at the our password policy. If you would like to contact us, please "
+					 "mention"
+					 " id(" +
+						 Id + ")"}};
+				AddGlobalVars(FormVars);
+				return SendHTMLFileBack(FormFile, FormVars);
+			}
+
+			SecurityObjects::UserInfo UInfo;
+
+			bool Found = Link.userAction
+							 ? StorageService()->UserDB().GetUserById(Link.userId, UInfo)
+							 : StorageService()->SubDB().GetUserById(Link.userId, UInfo);
+			if (!Found) {
+				Poco::File FormFile{Daemon()->AssetDir() + "/password_reset_error.html"};
+				Types::StringPairVec FormVars{
+					{"UUID", Id},
+					{"ERROR_TEXT", "This request does not contain a valid user ID. Please contact "
+								   "your system administrator."}};
+				AddGlobalVars(FormVars);
+				return SendHTMLFileBack(FormFile, FormVars);
+			}
+
+			if (UInfo.blackListed || UInfo.suspended) {
+				Poco::File FormFile{Daemon()->AssetDir() + "/password_reset_error.html"};
+				Types::StringPairVec FormVars{
+					{"UUID", Id},
+					{"ERROR_TEXT", "Please contact our system administrators. We have identified "
+								   "an error in your account that must be resolved first."}};
+				AddGlobalVars(FormVars);
+				return SendHTMLFileBack(FormFile, FormVars);
+			}
+
+			bool GoodPassword = Link.userAction ? AuthService()->SetPassword(Password1, UInfo)
+												: AuthService()->SetSubPassword(Password1, UInfo);
+			if (!GoodPassword) {
+				Poco::File FormFile{Daemon()->AssetDir() + "/password_reset_error.html"};
+				Types::StringPairVec FormVars{
+					{"UUID", Id}, {"ERROR_TEXT", "You cannot reuse one of your recent passwords."}};
+				AddGlobalVars(FormVars);
+				return SendHTMLFileBack(FormFile, FormVars);
+			}
+
+			UInfo.modified = OpenWifi::Now();
+			if (Link.userAction)
+				StorageService()->UserDB().UpdateUserInfo(UInfo.email, Link.userId, UInfo);
+			else
+				StorageService()->SubDB().UpdateUserInfo(UInfo.email, Link.userId, UInfo);
+
+			Poco::File FormFile{Daemon()->AssetDir() + "/password_reset_success.html"};
+			Types::StringPairVec FormVars{{"UUID", Id},
+										  {"USERNAME", UInfo.email},
+										  {"ACTION_LINK", MicroService::instance().GetUIURI()}};
+			AddGlobalVars(FormVars);
+			StorageService()->ActionLinksDB().CompleteAction(Id);
+			SendHTMLFileBack(FormFile, FormVars);
+		} else {
+			DoReturnA404();
+		}
+	}
+
+	void RESTAPI_action_links::CompleteSubVerification() {
+		RESTAPI_PartHandler PartHandler;
+		Poco::Net::HTMLForm Form(*Request, Request->stream(), PartHandler);
+
+		if (!Form.empty()) {
+			auto Password1 = Form.get("password1", "bla");
+			auto Password2 = Form.get("password2", "blu");
+			auto Id = Form.get("id", "");
+			auto now = OpenWifi::Now();
+
+			SecurityObjects::ActionLink Link;
+			if (!StorageService()->ActionLinksDB().GetActionLink(Id, Link)) {
+				return DoReturnA404();
+			}
+
+			if (now > Link.expires) {
+				StorageService()->ActionLinksDB().CancelAction(Id);
+				return DoReturnA404();
+			}
+
+			if (Password1 != Password2 || !AuthService()->ValidateSubPassword(Password1)) {
+				Poco::File FormFile{Daemon()->AssetDir() + "/sub_password_reset_error.html"};
+				Types::StringPairVec FormVars{
+					{"UUID", Id},
+					{"ERROR_TEXT",
+					 "For some reason, the passwords entered do not match or they do not comply "
+					 "with"
+					 " accepted password creation restrictions. Please consult our on-line help"
+					 " to look at the our password policy. If you would like to contact us, please "
+					 "mention"
+					 " id(" +
+						 Id + ")"}};
+				AddGlobalVars(FormVars);
+				return SendHTMLFileBack(FormFile, FormVars);
+			}
+
+			SecurityObjects::UserInfo UInfo;
+			bool Found = StorageService()->SubDB().GetUserById(Link.userId, UInfo);
+			if (!Found) {
+				Poco::File FormFile{Daemon()->AssetDir() + "/sub_signup_verification_error.html"};
+				Types::StringPairVec FormVars{
+					{"UUID", Id},
+					{"ERROR_TEXT", "This request does not contain a valid user ID. Please contact "
+								   "your system administrator."}};
+				AddGlobalVars(FormVars);
+				return SendHTMLFileBack(FormFile, FormVars);
+			}
+
+			if (UInfo.blackListed || UInfo.suspended) {
+				Poco::File FormFile{Daemon()->AssetDir() + "/sub_signup_verification_error.html"};
+				Types::StringPairVec FormVars{
+					{"UUID", Id},
+					{"ERROR_TEXT", "Please contact our system administrators. We have identified "
+								   "an error in your account that must be resolved first."}};
+				AddGlobalVars(FormVars);
+				return SendHTMLFileBack(FormFile, FormVars);
+			}
+
+			bool GoodPassword = AuthService()->SetSubPassword(Password1, UInfo);
+			if (!GoodPassword) {
+				Poco::File FormFile{Daemon()->AssetDir() + "/sub_signup_verification_error.html"};
+				Types::StringPairVec FormVars{
+					{"UUID", Id}, {"ERROR_TEXT", "You cannot reuse one of your recent passwords."}};
+				AddGlobalVars(FormVars);
+				return SendHTMLFileBack(FormFile, FormVars);
+			}
+
+			UInfo.modified = OpenWifi::Now();
+			UInfo.changePassword = false;
+			UInfo.lastEmailCheck = OpenWifi::Now();
+			UInfo.waitingForEmailCheck = false;
+			UInfo.validated = OpenWifi::Now();
+
+			StorageService()->SubDB().UpdateUserInfo(UInfo.email, Link.userId, UInfo);
+
+			Poco::File FormFile{Daemon()->AssetDir() + "/sub_signup_verification_success.html"};
+			Types::StringPairVec FormVars{{"UUID", Id}, {"USERNAME", UInfo.email}};
+			StorageService()->ActionLinksDB().CompleteAction(Id);
+
+			//  Send the update to the provisioning service
+			Poco::JSON::Object Body;
+			auto RawSignup = Poco::StringTokenizer(UInfo.signingUp, ":");
+			Body.set("signupUUID", RawSignup.count() == 1 ? UInfo.signingUp : RawSignup[1]);
+			OpenAPIRequestPut ProvRequest(
+				uSERVICE_PROVISIONING, "/api/v1/signup",
+				{{"signupUUID", RawSignup.count() == 1 ? UInfo.signingUp : RawSignup[1]},
+				 {"operation", "emailVerified"}},
+				Body, 30000);
+			Logger().information(fmt::format(
+				"({}): Completed subscriber e-mail verification and password.", UInfo.email));
+			Poco::JSON::Object::Ptr Response;
+			auto Status = ProvRequest.Do(Response);
+			std::stringstream ooo;
+			if (Response != nullptr)
+				Response->stringify(ooo);
+			Logger().information(fmt::format(
+				"({}): Completed subscriber e-mail verification. Provisioning notified, Error={}.",
+				UInfo.email, Status));
+			AddGlobalVars(FormVars);
+			SendHTMLFileBack(FormFile, FormVars);
+			Logger().information(fmt::format(
+				"({}): Completed subscriber e-mail verification. FORM notified.", UInfo.email));
+		} else {
+			DoReturnA404();
+		}
+	}
+
+	void RESTAPI_action_links::DoEmailVerification(SecurityObjects::ActionLink &Link) {
+		auto now = OpenWifi::Now();
+
+		if (now > Link.expires) {
+			StorageService()->ActionLinksDB().CancelAction(Link.id);
+			return DoReturnA404();
+		}
+
+		SecurityObjects::UserInfo UInfo;
+		bool Found = Link.userAction ? StorageService()->UserDB().GetUserById(Link.userId, UInfo)
+									 : StorageService()->SubDB().GetUserById(Link.userId, UInfo);
+		if (!Found) {
+			Types::StringPairVec FormVars{
+				{"UUID", Link.id},
+				{"ERROR_TEXT", "This does not appear to be a valid email verification link.."}};
+			Poco::File FormFile{Daemon()->AssetDir() + "/email_verification_error.html"};
+			AddGlobalVars(FormVars);
+			return SendHTMLFileBack(FormFile, FormVars);
+		}
+
+		Logger_.information(fmt::format("EMAIL-VERIFICATION(%s): For ID={}",
+										Request->clientAddress().toString(), UInfo.email));
+		UInfo.waitingForEmailCheck = false;
+		UInfo.validated = true;
+		UInfo.lastEmailCheck = OpenWifi::Now();
+		UInfo.validationDate = OpenWifi::Now();
+		UInfo.modified = OpenWifi::Now();
+		if (Link.userAction)
+			StorageService()->UserDB().UpdateUserInfo(UInfo.email, Link.userId, UInfo);
+		else
+			StorageService()->SubDB().UpdateUserInfo(UInfo.email, Link.userId, UInfo);
+		Types::StringPairVec FormVars{{"UUID", Link.id},
+									  {"USERNAME", UInfo.email},
+									  {"ACTION_LINK", MicroService::instance().GetUIURI()}};
+		Poco::File FormFile{Daemon()->AssetDir() + "/email_verification_success.html"};
+		AddGlobalVars(FormVars);
+		StorageService()->ActionLinksDB().CompleteAction(Link.id);
+		SendHTMLFileBack(FormFile, FormVars);
+	}
+
+	void RESTAPI_action_links::DoReturnA404() {
+		Types::StringPairVec FormVars;
+		Poco::File FormFile{Daemon()->AssetDir() + "/404_error.html"};
+		AddGlobalVars(FormVars);
+		SendHTMLFileBack(FormFile, FormVars);
+	}
+
+	void RESTAPI_action_links::CompleteEmailInvitation() {
+		/// TODO:
+	}
+
+	void RESTAPI_action_links::RequestSubResetPassword(
+		[[maybe_unused]] SecurityObjects::ActionLink &Link) {}
+
+	void RESTAPI_action_links::DoSubEmailVerification(
+		[[maybe_unused]] SecurityObjects::ActionLink &Link) {}
+
+} // namespace OpenWifi