From 659c721bd0134136fa3aa37d7441bed6cecb6355 Mon Sep 17 00:00:00 2001 From: Basilio Bogado <541149+basiliskus@users.noreply.github.com> Date: Wed, 27 Mar 2024 09:15:04 -0700 Subject: [PATCH 1/4] Added script to set up RS vault secrets for local testing and updated instructions accordingly --- .secrets.baseline | 36 +--------------- README.md | 91 +++++++++++++-------------------------- scripts/rs/readme.md | 3 ++ scripts/{ => rs}/reset.sh | 9 +--- scripts/rs/setup-vault.sh | 12 ++++++ 5 files changed, 47 insertions(+), 104 deletions(-) create mode 100644 scripts/rs/readme.md rename scripts/{ => rs}/reset.sh (89%) create mode 100755 scripts/rs/setup-vault.sh diff --git a/.secrets.baseline b/.secrets.baseline index bc6710c5f..1e227ab15 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -132,40 +132,6 @@ "is_secret": false } ], - "README.md": [ - { - "type": "Secret Keyword", - "filename": "README.md", - "hashed_secret": "367e3228ed16bf72b36de9a4134ee8b825cafacb", - "is_verified": false, - "line_number": 314, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": "README.md", - "hashed_secret": "40bd7d88eae0468b048e62e1056ac390970b2b51", - "is_verified": false, - "line_number": 319, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": "README.md", - "hashed_secret": "0d46754ae17642645ca041edaac9a1c1569f5edc", - "is_verified": false, - "line_number": 324, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": "README.md", - "hashed_secret": "3c4da28c9bc45d01e4950ee6f8e67a8d1a1ec19b", - "is_verified": false, - "line_number": 334, - "is_secret": false - } - ], "docker-compose.postgres.yml": [ { "type": "Secret Keyword", @@ -277,5 +243,5 @@ } ] }, - "generated_at": "2024-03-11T15:51:37Z" + "generated_at": "2024-03-27T15:53:08Z" } diff --git a/README.md b/README.md index 03a051827..56bc7778a 100644 --- a/README.md +++ b/README.md 
@@ -296,93 +296,62 @@ After enabling this option it is recommended that you delete all docker images a with this option enabled. 1. Checkout `master` branch for `CDCgov/prime-reportstream` -2. CD to `prime-reportstream/prime-router` -3. Run the `./cleanslate` script. For more information you can refer to the [ReportStream docs](https://github.com/CDCgov/prime-reportstream/blob/master/prime-router/docs/docs-deprecated/getting-started/getting-started.md#building-the-baseline) -4. Run RS with `docker compose up --build -d` -5. Run `./gradlew resetDB && ./gradlew reloadTable && ./gradlew reloadSettings` -6. Edit `/settings/staging/0166-flexion-staging-results-handling.yml` - 1. Comment the lines related to staging settings, and uncomment the ones for local settings: - 1. `authTokenUrl`, `reportUrl`, `authHeaders.host` under REST `transport` in `receivers` - 2. `type` and `credentialName` under SFTP `transport` in `receivers` -7. Run `./prime multiple-settings set -i ./settings/staging/0166-flexion-staging-results-handling.yml` -8. Run `./prime organization addkey --public-key /path/to/trusted-intermediary/mock_credentials/organization-trusted-intermediary-public-key-local.pem --scope "flexion.*.report" --orgName flexion --kid flexion.etor-service-sender --doit` -9. Setup local vault secret - 1. Go to: `http://localhost:8200/` - 2. Use token in `prime-router/.vault/env/.env.local` to authenticate - 3. Go to `Secrets engines` > `secret/` > `Create secret` - 1. Create secret for `flexion.etor-service-receiver-orders` - 1. Path for this secret: `FLEXION--ETOR-SERVICE-RECEIVER-ORDERS` - 2. JSON data: - ``` - { - "@type": "UserApiKey", - "apiKey": "Contents of file at trusted-intermediary/mock_credentials/organization-report-stream-private-key-local.pem", - "user": "flexion" - } - ``` - 2. Create secret for `flexion.etor-service-receiver-results` - 1. Path for this secret: `FLEXION--ETOR-SERVICE-RECEIVER-RESULTS` - 2. 
JSON data: - ``` - { - "@type": "UserApiKey", - "apiKey": "Contents of file at trusted-intermediary/mock_credentials/organization-report-stream-private-key-local.pem", - "user": "flexion" - } - ``` - 3. Create secret for `DEFAULT-SFTP` - 1. Path for this secret: `DEFAULT-SFTP` - 2. JSON data: - ``` - { - "@type": "UserPass", - "user": "user", - "pass": "pass" - } - ``` +2. Copy all the scripts found at `scripts/rs` to `prime-reportstream/prime-router` + - **Note**: update the `path_to_cdcti` variable in the scripts to point to the path for the `trusted-intermediary` codebase in your machine +3. CD to `prime-reportstream/prime-router` +4. Run the `./cleanslate` script. For more information you can refer to the [ReportStream docs](https://github.com/CDCgov/prime-reportstream/blob/master/prime-router/docs/docs-deprecated/getting-started/getting-started.md#building-the-baseline) +5. Run RS with `docker compose up --build -d` +6. Edit `/settings/staging/0166-flexion-staging-results-handling.yml` to comment the lines related to staging settings, and uncomment the ones for local settings: + - `authTokenUrl`, `reportUrl`, `authHeaders.host` under REST `transport` in `receivers` + - `type` and `credentialName` under SFTP `transport` in `receivers` +7. Run the `./reset.sh` script to reset the database and apply the flexion org settings +8. Run the `./setup-vault.sh` script to set up the local vault secrets + - You can verify that the script created the secrets succesfully by going to `http://localhost:8200/` in your browser, use the token in `prime-router/.vault/env/.env.local` to authenticate, and then go to `Secrets engines` > `secret/` to check the available secrets #### Submit request to ReportStream -In order to submit a request, you'll need to authenticate with ReportStream using JWT auth: -1. Create a JWT for the sender (e.g. `flexion.simulated-hospital`) using the sender's private key. 
You may use [this CLI tool](https://github.com/mike-engel/jwt-cli) to create the JWT: - ``` - jwt encode --exp='+5min' --jti $(uuidgen) --alg RS256 -k -i -s -a staging.prime.cdc.gov --no-iat -S @/path/to/sender_private.pem - ``` -2. Use the generated JWT to authenticate with ReportStream and get the token, which will be in the `access_token` response - ``` - curl --header 'Content-Type: application/x-www-form-urlencoded' --data 'scope=flexion.*.report' --data 'client_assertion=' --data 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' --data 'grant_type=client_credentials' 'http://localhost:7071/api/token' - ``` -3. Submit an Order or Result using the returned token +##### Locally -##### Orders +###### Orders To test sending from a simulated hospital: ``` -curl --header 'Content-Type: application/hl7-v2' --header 'Client: flexion.simulated-hospital' --header 'Authorization: Bearer ' --data-binary '@/path/to/orm_message.hl7' 'http://localhost:7071/api/waters' +curl --header 'Content-Type: application/hl7-v2' --header 'Client: flexion.simulated-hospital' --header 'Authorization: Bearer dummy_token' --data-binary '@/path/to/orm_message.hl7' 'http://localhost:7071/api/waters' ``` To test sending from TI: ``` -curl --header 'Content-Type: application/fhir+ndjson' --header 'Client: flexion.etor-service-sender' --header 'Authorization: Bearer ' --data-binary '@/path/to/oml_message.fhir' 'http://localhost:7071/api/waters' +curl --header 'Content-Type: application/fhir+ndjson' --header 'Client: flexion.etor-service-sender' --header 'Authorization: Bearer dummy_token' --data-binary '@/path/to/oml_message.fhir' 'http://localhost:7071/api/waters' ``` -##### Results +###### Results To test sending from a simulated lab: ``` -curl --header 'Content-Type: application/hl7-v2' --header 'Client: flexion.simulated-lab' --header 'Authorization: Bearer ' --data-binary '@/path/to/oru_message.hl7' 'http://localhost:7071/api/waters' +curl --header 
'Content-Type: application/hl7-v2' --header 'Client: flexion.simulated-lab' --header 'Authorization: Bearer dummy_token' --data-binary '@/path/to/oru_message.hl7' 'http://localhost:7071/api/waters' ``` To test sending from TI: ``` -curl --header 'Content-Type: application/fhir+ndjson' --header 'Client: flexion.etor-service-sender' --header 'Authorization: Bearer ' --data-binary '@/path/to/oru_message.fhir' 'http://localhost:7071/api/waters' +curl --header 'Content-Type: application/fhir+ndjson' --header 'Client: flexion.etor-service-sender' --header 'Authorization: Bearer dummy_token' --data-binary '@/path/to/oru_message.fhir' 'http://localhost:7071/api/waters' ``` After one or two minutes, check that hl7 files have been dropped to `prime-reportstream/prime-router/build/sftp` folder -**Note**: `` should be replaced by the bearer token received from the `/api/token` endpoint +##### Staging + +In order to submit a request, you'll need to authenticate with ReportStream using JWT auth: +1. Create a JWT for the sender (e.g. `flexion.simulated-hospital`) using the sender's private key. You may use [this CLI tool](https://github.com/mike-engel/jwt-cli) to create the JWT: + ``` + jwt encode --exp='+5min' --jti $(uuidgen) --alg RS256 -k -i -s -a staging.prime.cdc.gov --no-iat -S @/path/to/sender_private.pem + ``` +2. Use the generated JWT to authenticate with ReportStream and get the token, which will be in the `access_token` response + ``` + curl --header 'Content-Type: application/x-www-form-urlencoded' --data 'scope=flexion.*.report' --data 'client_assertion=' --data 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' --data 'grant_type=client_credentials' 'http://localhost:7071/api/token' + ``` +3. Submit an Order or Result using the returned token in the `'Authorization: Bearer '` header ## DORA Metrics diff --git a/scripts/rs/readme.md b/scripts/rs/readme.md new file mode 100644 index 000000000..0d63fa544 --- /dev/null 
+++ b/scripts/rs/readme.md
@@ -0,0 +1,3 @@
+# ReportStream Scripts
+
+The scripts in this folders are meant to be copied and run in the [prime-reportstream](https://github.com/CDCgov/prime-reportstream) codebase inside the `prime-router` folder.
diff --git a/scripts/reset.sh b/scripts/rs/reset.sh
similarity index 89%
rename from scripts/reset.sh
rename to scripts/rs/reset.sh
index 9d6fa6959..f760739a1 100755
--- a/scripts/reset.sh
+++ b/scripts/rs/reset.sh
@@ -1,18 +1,11 @@
 #!/usr/bin/env bash
-#Run in the prime-reportstream repo inside the prime-router folder.
+# NOTE: Remember to run this script inside the prime-router directory of the prime-reportstream codebase
 ./gradlew resetDB
-
 ./gradlew reloadTable
-
 ./gradlew flywayRepair
-
 ./gradlew reloadSettings
-
 ./prime multiple-settings set -s -i ./settings/staging/0166-flexion-staging-results-handling.yml
-
 ./prime organization addkey --public-key ~/trusted-intermediary/mock_credentials/organization-trusted-intermediary-public-key-local.pem --scope "flexion.*.report" --orgName flexion --kid flexion.etor-service-sender --doit
-
 ./prime organization addkey --public-key /trusted-intermediary/mock_credentials/organization-trusted-intermediary-public-key-local.pem --scope "flexion.*.report" --orgName flexion --kid flexion.simulated-hospital --doit
-
 ./prime organization addkey --public-key /trusted-intermediary/mock_credentials/organization-trusted-intermediary-public-key-local.pem --scope "flexion.*.report" --orgName flexion --kid flexion.simulated-lab --doit
diff --git a/scripts/rs/setup-vault.sh b/scripts/rs/setup-vault.sh
new file mode 100755
index 000000000..2b4c555c5
--- /dev/null
+++ b/scripts/rs/setup-vault.sh
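Review bot: reset.sh runs every step unconditionally; nothing stops the script when `./gradlew resetDB` or `./gradlew reloadSettings` fails, so the later `./prime multiple-settings` and `addkey` calls register settings and keys against a database that was never reset. Add `set -euo pipefail` directly after the shebang so the first failing step aborts the run. The same applies to `setup-vault.sh` added later in this commit, where a silent failure has worse consequences.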
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+# NOTE: Remember to run this script inside the prime-router directory of the prime-reportstream codebase
+# Make sure to update the path_to_cdcti variable to the trusted-intermediary directory
+
+path_to_cdcti="/path/to/trusted-intermediary"
+private_key=$(cat $path_to_cdcti/mock_credentials/organization-report-stream-private-key-local.pem)
+
+export $(xargs <.vault/env/.env.local)
+
+./prime create-credential --type UserPass --user foo --pass pass --persist DEFAULT-SFTP
+./prime create-credential --type UserApiKey --apikey-user flexion --apikey "$private_key" --persist FLEXION--ETOR-SERVICE-RECEIVER-ORDERS
+./prime create-credential --type UserApiKey --apikey-user flexion --apikey "$private_key" --persist FLEXION--ETOR-SERVICE-RECEIVER-RESULTS
From 47465c194693196ae0d0950bfe7a340dcf8e90de Mon Sep 17 00:00:00 2001
From: Basilio Bogado <541149+basiliskus@users.noreply.github.com>
Date: Thu, 28 Mar 2024 11:06:55 -0700
Subject: [PATCH 2/4] Added CDCTI_HOME env variable based on feedback
---
 scripts/rs/readme.md | 2 ++
 scripts/rs/reset.sh | 8 +++++---
 scripts/rs/setup-vault.sh | 6 +++---
 scripts/rs/start-here.sh | 1 +
 4 files changed, 11 insertions(+), 6 deletions(-)
 create mode 100755 scripts/rs/start-here.sh
diff --git a/scripts/rs/readme.md b/scripts/rs/readme.md
index 0d63fa544..fd9b600a0 100644
--- a/scripts/rs/readme.md
+++ b/scripts/rs/readme.md
@@ -1,3 +1,5 @@
 # ReportStream Scripts
 The scripts in this folders are meant to be copied and run in the [prime-reportstream](https://github.com/CDCgov/prime-reportstream) codebase inside the `prime-router` folder.
+
+These scripts rely in a `CDCTI_HOME` environment variable that needs to be set in your environment to your local path to the CDC-TI codebase. You may update and run the `start-here.sh` script to set it. You may also want to add it to your shell's startup file to persist it.
diff --git a/scripts/rs/reset.sh b/scripts/rs/reset.sh
index f760739a1..e1c28d1ab 100755
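Review bot: `private_key` is never checked before it is persisted: if `path_to_cdcti` is left at its `/path/to/trusted-intermediary` placeholder, `cat` fails, `$private_key` is empty, and both `UserApiKey` credentials are written to the vault with an empty key, which only surfaces later as an authentication failure on the receiver side. Guard the read, e.g. `pem="$path_to_cdcti/mock_credentials/organization-report-stream-private-key-local.pem"` / `[ -r "$pem" ] || { echo "missing $pem" >&2; exit 1; }` / `private_key=$(cat "$pem")`. The `DEFAULT-SFTP` credential is persisted with `--user foo`, whereas the README instructions this commit removes created it with user `user`; confirm which name the local SFTP container expects. Passing the PEM via `--apikey "$private_key"` also exposes it in the process table while `./prime` runs, which is fine for the mock local key but deserves a comment such as `# mock key only: passed on the command line, visible in the process table`.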
--- a/scripts/rs/reset.sh
+++ b/scripts/rs/reset.sh
@@ -1,11 +1,13 @@
 #!/usr/bin/env bash
 # NOTE: Remember to run this script inside the prime-router directory of the prime-reportstream codebase
+# Make sure to add a CDCTI_HOME environment variable pointing to the trusted-intermediary directory
+# export CDCTI_HOME="/path/to/trusted-intermediary"
 ./gradlew resetDB
 ./gradlew reloadTable
 ./gradlew flywayRepair
 ./gradlew reloadSettings
 ./prime multiple-settings set -s -i ./settings/staging/0166-flexion-staging-results-handling.yml
-./prime organization addkey --public-key ~/trusted-intermediary/mock_credentials/organization-trusted-intermediary-public-key-local.pem --scope "flexion.*.report" --orgName flexion --kid flexion.etor-service-sender --doit
-./prime organization addkey --public-key /trusted-intermediary/mock_credentials/organization-trusted-intermediary-public-key-local.pem --scope "flexion.*.report" --orgName flexion --kid flexion.simulated-hospital --doit
-./prime organization addkey --public-key /trusted-intermediary/mock_credentials/organization-trusted-intermediary-public-key-local.pem --scope "flexion.*.report" --orgName flexion --kid flexion.simulated-lab --doit
+./prime organization addkey --public-key $CDCTI_HOME/mock_credentials/organization-trusted-intermediary-public-key-local.pem --scope "flexion.*.report" --orgName flexion --kid flexion.etor-service-sender --doit
+./prime organization addkey --public-key $CDCTI_HOME/mock_credentials/organization-trusted-intermediary-public-key-local.pem --scope "flexion.*.report" --orgName flexion --kid flexion.simulated-hospital --doit
+./prime organization addkey --public-key $CDCTI_HOME/mock_credentials/organization-trusted-intermediary-public-key-local.pem --scope "flexion.*.report" --orgName flexion --kid flexion.simulated-lab --doit
diff --git a/scripts/rs/setup-vault.sh b/scripts/rs/setup-vault.sh
index 2b4c555c5..f851a145b 100755
--- a/scripts/rs/setup-vault.sh
+++ b/scripts/rs/setup-vault.sh
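Review bot: `$CDCTI_HOME` is described in the new comment but never validated: when the variable is unset the three `addkey` lines look for the public key under `/mock_credentials/...`, and in the `setup-vault.sh` hunk of this same commit `cat` fails and an empty `private_key` is persisted as the api key. Fail fast in both scripts with `: "${CDCTI_HOME:?export CDCTI_HOME=/path/to/trusted-intermediary first}"` right after the shebang, and quote the expansion, `--public-key "$CDCTI_HOME/mock_credentials/organization-trusted-intermediary-public-key-local.pem"`, so a checkout path containing spaces is not word-split.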
@@ -1,9 +1,9 @@
 #!/usr/bin/env bash
 # NOTE: Remember to run this script inside the prime-router directory of the prime-reportstream codebase
-# Make sure to update the path_to_cdcti variable to the trusted-intermediary directory
+# Make sure to add a CDCTI_HOME environment variable pointing to the trusted-intermediary directory
+# export CDCTI_HOME="/path/to/trusted-intermediary"
-path_to_cdcti="/path/to/trusted-intermediary"
-private_key=$(cat $path_to_cdcti/mock_credentials/organization-report-stream-private-key-local.pem)
+private_key=$(cat $CDCTI_HOME/mock_credentials/organization-report-stream-private-key-local.pem)
 export $(xargs <.vault/env/.env.local)
diff --git a/scripts/rs/start-here.sh b/scripts/rs/start-here.sh
new file mode 100755
index 000000000..3392408f8
--- /dev/null
+++ b/scripts/rs/start-here.sh
@@ -0,0 +1 @@
+export CDCTI_HOME="/path/to/trusted-intermediary"
From 8cbf42447c391849a155c121026cc58f03c5449e Mon Sep 17 00:00:00 2001
From: Basilio Bogado <541149+basiliskus@users.noreply.github.com>
Date: Thu, 28 Mar 2024 11:11:42 -0700
Subject: [PATCH 3/4] Added to instructions based on feedback
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 56bc7778a..96c6d8e57 100644
--- a/README.md
+++ b/README.md
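Review bot: `start-here.sh` only has an effect when it is sourced: it is created with mode 100755 and the readme in this commit says to "run" it, but executed as `./start-here.sh` the `export` happens in a child shell and `CDCTI_HOME` is still unset when `reset.sh` and `setup-vault.sh` are run afterwards. Either document `source ./start-here.sh` (or `. ./start-here.sh`) in the readme and drop the executable bit, or make the file self-explanatory with a leading comment such as `# source this file (do not execute it) so CDCTI_HOME lands in your current shell`. The file also has no shebang, which is consistent with sourcing but not with the executable mode.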
@@ -343,7 +343,7 @@ After one or two minutes, check that hl7 files have been dropped to `prime-repor
 ##### Staging
 In order to submit a request, you'll need to authenticate with ReportStream using JWT auth:
-1. Create a JWT for the sender (e.g. `flexion.simulated-hospital`) using the sender's private key. You may use [this CLI tool](https://github.com/mike-engel/jwt-cli) to create the JWT:
+1. Create a JWT for the sender (e.g. `flexion.simulated-hospital`) using the sender's private key, which should be stored in Keybase. You may use [this CLI tool](https://github.com/mike-engel/jwt-cli) to create the JWT:
 ```
 jwt encode --exp='+5min' --jti $(uuidgen) --alg RS256 -k -i -s -a staging.prime.cdc.gov --no-iat -S @/path/to/sender_private.pem
 ```
From ea16883f5e9b40739b6463a9dc866a6dad9deef8 Mon Sep 17 00:00:00 2001
From: Basilio Bogado <541149+basiliskus@users.noreply.github.com>
Date: Thu, 28 Mar 2024 11:31:56 -0700
Subject: [PATCH 4/4] Added instruction
---
 scripts/rs/readme.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/rs/readme.md b/scripts/rs/readme.md
index fd9b600a0..1d485f302 100644
--- a/scripts/rs/readme.md
+++ b/scripts/rs/readme.md
@@ -1,5 +1,5 @@
 # ReportStream Scripts
-The scripts in this folders are meant to be copied and run in the [prime-reportstream](https://github.com/CDCgov/prime-reportstream) codebase inside the `prime-router` folder.
+The scripts in this folders are meant to be copied and run in the [prime-reportstream](https://github.com/CDCgov/prime-reportstream) codebase inside the `prime-router` folder. You can also create symbolic link instead of copying the files in order to keep them up-to-date.
 These scripts rely in a `CDCTI_HOME` environment variable that needs to be set in your environment to your local path to the CDC-TI codebase. You may update and run the `start-here.sh` script to set it. You may also want to add it to your shell's startup file to persist it.