GITBOOK-913: Auth OIDC + Strongswan + Change History Design

OpenG2P · Aug 1, 2024 · 4ed4c26 · 4ed4c26
1 parent acd0570
commit 4ed4c26
Show file tree

Hide file tree

Showing 11 changed files with 285 additions and 53 deletions.
diff --git a/SUMMARY.md b/SUMMARY.md
@@ -44,7 +44,9 @@
       * [Registration](pbms/functionality/beneficiary-management/registration/README.md)
         * [📔 User Guides](pbms/functionality/beneficiary-management/registration/user-guides/README.md)
           * [📔 Import CSV File to Registry Module](pbms/functionality/beneficiary-management/registration/user-guides/import-csv-file-to-registry-module.md)
-    * [ID Verification](pbms/features/id-verification.md)
+    * [ID Verification](pbms/functionality/id-verification/README.md)
+      * [📔 User Guides](pbms/functionality/id-verification/user-guides/README.md)
+        * [📔 Configure eSignet Auth Provider for ID Authentication](pbms/functionality/id-verification/user-guides/configure-esignet-auth-provider-for-id-authentication.md)
     * [Eligibility](pbms/features/eligibility/README.md)
       * [Proxy Means Test](pbms/features/eligibility/proxy-means-test.md)
       * [📔 User Guides](pbms/features/eligibility/user-guides/README.md)
@@ -109,6 +111,7 @@
       * [RBAC](pbms/features/administration/role-based-access-control/README.md)
         * [📔 User Guides](pbms/features/administration/role-based-access-control/user-guides/README.md)
           * [📔 Create User and Assign Role](pbms/features/administration/role-based-access-control/user-guides/assign-roles-to-users.md)
+          * [Configure Keycloak Authentication Provider for User login](pbms/functionality/administration/role-based-access-control/user-guides/configure-keycloak-authentication-provider-for-user-login.md)
       * [i18n](pbms/features/administration/internationalization-i18n.md)
     * [ODK Importer](pbms/features/odk-importer/README.md)
       * [📔 User Guides](pbms/features/odk-importer/user-guides/README.md)
@@ -171,6 +174,8 @@
       * [G2P ODK Importer](pbms/development/repositories/openg2p-importers/g2p-odk-importer.md)
       * [openg2p-vci](pbms/development/repositories/openg2p-vci.md)
       * [G2P Service Provider Beneficiary Management](pbms/development/odoo-modules/g2p-service-provider-beneficiary-management.md)
+      * [Authentication OIDC: Base](pbms/development/odoo-modules/authentication-oidc-base.md)
+      * [Authentication OIDC: Reg ID](pbms/development/odoo-modules/authentication-oidc-reg-id.md)
     * [Developer Install on Linux](pbms/development/installing-openg2p-on-linux.md)
     * [Repositories](pbms/development/repositories/README.md)
       * [openg2p-fastapi-common](pbms/development/repositories/openg2p-fastapi-common/README.md)
@@ -180,9 +185,7 @@
       * [social-payments-account-registry](pbms/development/repositories/social-payments-account-registry.md)
       * [g2p-bridge](pbms/development/repositories/g2p-bridge.md)
       * [openg2p-packaging](pbms/development/repositories/openg2p-packaging.md)
-      * [openg2p-auth](pbms/development/repositories/openg2p-auth.md)
       * [openg2p-security](pbms/development/repositories/openg2p-security.md)
-      * [server-auth](pbms/development/repositories/server-auth.md)
       * [spar-load-test](pbms/development/repositories/spar-load-test.md)
       * [4sure](pbms/development/repositories/4sure.md)
       * [G2P SelfServicePortal](pbms/development/repositories/openg2p-program/g2p-selfserviceportal.md)
@@ -418,6 +421,7 @@
     * [Uninstalling Applications from Rancher UI](deployment/deployment-guide/uninstalling-applications-from-rancher-ui.md)
     * [Access a Database from Outside the Cluster](deployment/deployment-guide/access-a-database-from-outside-the-cluster.md)
     * [Configuring  External Database to OpenG2P Environment](deployment/deployment-guide/configuring-external-database-to-openg2p-environment.md)
+    * [Configure IPSec VPN Gateway to connect to external Systems using Strongswan](deployment/deployment-guide/configure-ipsec-vpn-strongswan.md)
   * [DEPRECATED - Common Components](deployment/common-components/README.md)
     * [PostgreSQL](deployment/common-components/postgresql.md)
     * [Keycloak](deployment/common-components/keycloak.md)

diff --git a/deployment/deployment-guide/configure-ipsec-vpn-strongswan.md b/deployment/deployment-guide/configure-ipsec-vpn-strongswan.md
@@ -0,0 +1,114 @@
+# Configure IPSec VPN Gateway to connect to external Systems using Strongswan
+
+1. Create a new Virtual Machine on the same network as the rest of the cluster nodes. This machine will be used as a gateway to access the external IPs. This machine will need a public IP. The preferred OS is Ubuntu Server 20.04 or higher.
+2. The rest of this guide will assume the following:
+   1. `10.10.0.0/24` - the local network subnet.
+   2. `192.168.0.0/24` - the external network subnet which we are trying to reach over VPN.
+   3. `10.10.0.15` - the internal IP of the VPN gateway machine from Step 1.
+   4. `3.10.x.x` - Public IP of the VPN gateway machine from Step 1.
+   5. `4.10.y.y` - Public IP of VPN tunnel of the external Network.
+3. VPN Gateway Setup:
+   1. Enable IP Forwarding on the node.
+      1.  Create a file `/etc/sysctl.d/60-ip-forward.conf` with the following contents:
+
+          ```
+          net.ipv4.ip_forward = 1
+          net.ipv6.conf.all.forwarding = 1
+          ```
+      2.  Run this to apply the above config:
+
+          ```
+          sudo systctl --system
+          ```
+   2. Install and configure Strongswan.
+      1.  Install Strongswan, run:
+
+          ```
+          sudo apt install strongswan libcharon-extra-plugins libcharon-extauth-plugins libstrongswan-extra-plugins
+          ```
+      2.  Take backup of ipsec.conf, run:
+
+          ```
+          sudo cp /etc/ipsec.conf /etc/ipsec.conf.orig
+          ```
+      3.  Edit the /etc/ipsec.conf with the following contents:
+
+          ```
+          config setup
+                  charondebug="all"
+                  uniqueids=yes
+          conn openg2p-to-external-vpn
+                  type=tunnel
+                  auto=start
+                  keyexchange=ikev2
+                  authby=psk
+                  # Phase 1
+                  ike=aes256-sha256-ecp521
+                  ikelifetime=28800s
+                  # Phase 2
+                  esp=aes256-sha256-ecp256
+                  lifetime=3600s
+                  aggressive=no
+                  keyingtries=%forever
+                  rekeymargin=3m
+                  left=10.10.0.15
+                  leftsubnet=10.10.0.15/32
+                  leftid=3.10.x.x
+                  right=4.10.y.y
+                  rightsubnet=192.168.0.0/24
+                  rightid=4.10.y.y
+                  dpddelay=30s
+                  dpdtimeout=120s
+                  dpdaction=restart
+          ```
+      4.  Create `/etc/ipsec.secrets` with the following content:
+
+          ```
+          10.10.0.15 4.10.y.y : PSK "<PSK Value>"
+          ```
+      5.  Start strongswan tunnel, run:
+
+          ```
+          sudo systemctl enable ipsec
+          sudo systemctl start ipsec
+          ```
+      6.  Check status by running:
+
+          ```
+          sudo ipsec statusall
+          ```
+   3. Configure iptables (firewall).
+      1.  Install `iptables-persistent` , run:
+
+          ```
+          sudo apt install iptables-persistent
+          ```
+      2.  Set default forward policy as DROP, run:
+
+          ```
+          sudo iptables -P FORWARD DROP
+          ```
+      3.  For each node that is allowed to access the external network, run the following: (The following is only an example, change it according to your system. To get the network interface names run: `ip link` )
+
+          ```
+          sudo iptables -A FORWARD -o <primary_network_interface_name> -s <10.10.node1.internalip> -j ACCEPT
+          sudo iptables -A FORWARD -i <primary_network_interface_name> -d <10.10.node1.internalip> -j ACCEPT
+
+          sudo iptables -A FORWARD -o <primary_network_interface_name> -s <10.10.node2.internalip> -j ACCEPT
+          sudo iptables -A FORWARD -i <primary_network_interface_name> -d <10.10.node2.internalip> -j ACCEPT
+          ```
+      4.  Enable NAT forwarding; run
+
+          ```
+          sudo iptables -A POSTROUTING -t nat -o <primary_network_interface_name> -j MASQUERADE
+          ```
+      5.  Save the iptables changes for the next boot, run: (Make sure to run this whenever you change something on iptables)
+
+          ```
+          sudo bash -c 'iptables-save > /etc/iptables/rules.v4'
+          ```
+4.  Add an IP Route on all the other nodes that need to access the VPN, to hop over the VPN Gateway node. (If a global routing table exists on the network, this rule can be added there instead.)
+
+    ```
+    sudo ip route add 192.168.0.0/24 via 10.10.0.15
+    ```
diff --git a/pbms/README.md b/pbms/README.md
@@ -17,7 +17,7 @@ The Program and Beneficiary Management System (PBMS) is the core module of OpenG
 
 ## Feature and Functionality
 
-<table><thead><tr><th width="201">Features</th><th>Functionality</th></tr></thead><tbody><tr><td><a href="features/program-management.md">Program management</a></td><td><ul><li>Program definition</li><li>Program lifecycle management</li><li>Managing multiple programs</li><li>Programs targeting both individuals and groups</li><li>Program disbursement cycles</li></ul></td></tr><tr><td><a href="functionality/beneficiary-management/">Beneficiary Management</a></td><td><ul><li>Identifying beneficiaries</li><li>Enrolling beneficiaries</li><li>Maintaining <a href="functionality/beneficiary-management/beneficiary-registry/">Beneficiary Registry</a></li><li>Deciding on entitlements</li><li>Disbursements</li><li>Notifications to beneficiaries</li></ul></td></tr><tr><td><a href="functionality/beneficiary-management/beneficiary-registry/">Beneficiary Registry</a></td><td><ul><li>Data sharing of beneficiaries via APIs</li></ul></td></tr><tr><td><a href="functionality/self-service-portal/">Self service portal</a></td><td><ul><li>Program application and discovery by beneficiaries</li><li>Program enrollment and disbursement status</li></ul></td></tr><tr><td><a href="features/document-management.md">Document Management</a></td><td></td></tr><tr><td><a href="features/id-verification.md">ID Verification</a></td><td><ul><li>Login using national ID via <a href="https://auth0.com/docs/authenticate/protocols/openid-connect-protocol">OpenID Connect</a> (OIDC)</li><li><a href="functionality/mts-connector/">MTS Connector</a></li></ul></td></tr><tr><td><a href="features/deduplication.md">Deduplication</a></td><td><ul><li>ID based deduplication</li><li>Phone number based deduplication</li></ul></td></tr><tr><td><a href="features/eligibility/">Eligibility</a></td><td><ul><li>Automatic computation of eligibility</li><li>Proxy Means Test</li></ul></td></tr><tr><td><a href="features/entitlement/">Entitlement</a></td><td><ul><li>Differential entitlement</li><li>Entitlement in kind</li><li>e-Vouchers</li></ul></td></tr><tr><td><a href="features/disbursement-cycles/">Disbursement</a></td><td><ul><li>Disbursement cycles and batches</li><li>Digital cash transfer via bank or mobile</li><li>Voucher based disbursement</li><li>In-kind disbursement</li><li>Generation of disbursement list</li><li>Fund management</li></ul></td></tr><tr><td><a href="features/disbursement-cycles/e-voucher.md">e-Voucher</a></td><td><ul><li>Digital vouchers for goods or services</li><li>Voucher verification app</li><li>Voucher reimbursement</li></ul></td></tr><tr><td><a href="development/upcoming-features/verifiable-credential-issuance.md">Verifiable Credential Issuance</a></td><td><ul><li>Beneficiary e-Card</li></ul></td></tr><tr><td><a href="features/accounting.md">Accounting</a></td><td><ul><li>Fund management</li><li>Reconciliation</li></ul></td></tr><tr><td><a href="features/administration/">Administration</a></td><td><ul><li>Role-based access control (RBAC)</li><li>Multilevel approval</li><li>Fund management</li><li>Multi lingual - internationalisation (i18n)</li></ul></td></tr><tr><td><a href="features/notifications/">Notifications</a></td><td><ul><li>Notifications to beneficiaries via SMS/Email</li></ul></td></tr><tr><td><a href="../interoperability.md">Interoperability</a></td><td><ul><li>Compliance with G2P Connect Registry APIs</li><li>Compliance with G2P Connect Disbursement APIs</li></ul></td></tr><tr><td><a href="features/multi-tenancy-in-pbms.md">Multi-tenancy</a></td><td><ul><li>Multiple departments using the same instance of OpenG2P</li><li>Separation of data, control and access.</li></ul></td></tr><tr><td><a href="../monitoring-and-reporting/">Monitoring and Reporting</a></td><td><ul><li>Monitor the status of the program and registries</li><li>User creates dashboard of their choice to visualise data</li></ul></td></tr><tr><td><a href="features/audit-logs.md">Audit Logs</a></td><td><ul><li>Odoo audit logs</li></ul></td></tr></tbody></table>
+<table><thead><tr><th width="201">Features</th><th>Functionality</th></tr></thead><tbody><tr><td><a href="features/program-management.md">Program management</a></td><td><ul><li>Program definition</li><li>Program lifecycle management</li><li>Managing multiple programs</li><li>Programs targeting both individuals and groups</li><li>Program disbursement cycles</li></ul></td></tr><tr><td><a href="functionality/beneficiary-management/">Beneficiary Management</a></td><td><ul><li>Identifying beneficiaries</li><li>Enrolling beneficiaries</li><li>Maintaining <a href="functionality/beneficiary-management/beneficiary-registry/">Beneficiary Registry</a></li><li>Deciding on entitlements</li><li>Disbursements</li><li>Notifications to beneficiaries</li></ul></td></tr><tr><td><a href="functionality/beneficiary-management/beneficiary-registry/">Beneficiary Registry</a></td><td><ul><li>Data sharing of beneficiaries via APIs</li></ul></td></tr><tr><td><a href="functionality/self-service-portal/">Self service portal</a></td><td><ul><li>Program application and discovery by beneficiaries</li><li>Program enrollment and disbursement status</li></ul></td></tr><tr><td><a href="features/document-management.md">Document Management</a></td><td></td></tr><tr><td><a href="functionality/id-verification/">ID Verification</a></td><td><ul><li>Login using national ID via <a href="https://auth0.com/docs/authenticate/protocols/openid-connect-protocol">OpenID Connect</a> (OIDC)</li><li><a href="functionality/mts-connector/">MTS Connector</a></li></ul></td></tr><tr><td><a href="features/deduplication.md">Deduplication</a></td><td><ul><li>ID based deduplication</li><li>Phone number based deduplication</li></ul></td></tr><tr><td><a href="features/eligibility/">Eligibility</a></td><td><ul><li>Automatic computation of eligibility</li><li>Proxy Means Test</li></ul></td></tr><tr><td><a href="features/entitlement/">Entitlement</a></td><td><ul><li>Differential entitlement</li><li>Entitlement in kind</li><li>e-Vouchers</li></ul></td></tr><tr><td><a href="features/disbursement-cycles/">Disbursement</a></td><td><ul><li>Disbursement cycles and batches</li><li>Digital cash transfer via bank or mobile</li><li>Voucher based disbursement</li><li>In-kind disbursement</li><li>Generation of disbursement list</li><li>Fund management</li></ul></td></tr><tr><td><a href="features/disbursement-cycles/e-voucher.md">e-Voucher</a></td><td><ul><li>Digital vouchers for goods or services</li><li>Voucher verification app</li><li>Voucher reimbursement</li></ul></td></tr><tr><td><a href="development/upcoming-features/verifiable-credential-issuance.md">Verifiable Credential Issuance</a></td><td><ul><li>Beneficiary e-Card</li></ul></td></tr><tr><td><a href="features/accounting.md">Accounting</a></td><td><ul><li>Fund management</li><li>Reconciliation</li></ul></td></tr><tr><td><a href="features/administration/">Administration</a></td><td><ul><li>Role-based access control (RBAC)</li><li>Multilevel approval</li><li>Fund management</li><li>Multi lingual - internationalisation (i18n)</li></ul></td></tr><tr><td><a href="features/notifications/">Notifications</a></td><td><ul><li>Notifications to beneficiaries via SMS/Email</li></ul></td></tr><tr><td><a href="../interoperability.md">Interoperability</a></td><td><ul><li>Compliance with G2P Connect Registry APIs</li><li>Compliance with G2P Connect Disbursement APIs</li></ul></td></tr><tr><td><a href="features/multi-tenancy-in-pbms.md">Multi-tenancy</a></td><td><ul><li>Multiple departments using the same instance of OpenG2P</li><li>Separation of data, control and access.</li></ul></td></tr><tr><td><a href="../monitoring-and-reporting/">Monitoring and Reporting</a></td><td><ul><li>Monitor the status of the program and registries</li><li>User creates dashboard of their choice to visualise data</li></ul></td></tr><tr><td><a href="features/audit-logs.md">Audit Logs</a></td><td><ul><li>Odoo audit logs</li></ul></td></tr></tbody></table>
 
 ## Architecture