Merge pull request #1200 from ITfoxtec/test

Test

Author: Revsgaard

ReleaseConfig/FoxIDs.Control/appsettings.json

@@ -27,6 +27,7 @@
     },
     "Options": {
       "Log": "Stdout",
+      //"Log": "OpenSearchAndStdoutErrors",
       "DataStorage": "MongoDb",
       //"DataStorage": "PostgreSql",
       "KeyStorage": "None",
@@ -40,6 +41,11 @@
     //"PostgreSql": {
     //  "ConnectionString": "Host=localhost;Username=postgres;Password=xxxxxxxx;Database=FoxIDs"
     //},
+    //"OpenSearch": {
+    //  "Nodes": [ "https://admin:xxxxxxxx@localhost:9200/" ],
+    //  "LogLifetime": "Max180Days",
+    //  "AllowInsecureCertificates": true //Accept self-signed certificate
+    //},
     "MasterSeedEnabled": true,
     "MainTenantSeedEnabled": true
 

ReleaseConfig/FoxIDs/appsettings.json

@@ -26,6 +26,7 @@
     },
     "Options": {
       "Log": "Stdout",
+      //"Log": "OpenSearchAndStdoutErrors",
       "DataStorage": "MongoDb",
       //"DataStorage": "PostgreSql",
       "KeyStorage": "None",
@@ -37,7 +38,12 @@
       "ConnectionString": "mongodb://localhost:27017"
     },
     //"PostgreSql": {
-    //  "ConnectionString": "Host=localhost;Username=xxxxxxxx;Password=xxxxxxxx;Database=FoxIDs"
+    //  "ConnectionString": "Host=localhost;Username=postgres;Password=xxxxxxxx;Database=FoxIDs"
+    //},
+    //"OpenSearch": {
+    //  "Nodes": [ "https://admin:xxxxxxxx@localhost:9200/" ],
+    //  "LogLifetime": "Max180Days",
+    //  "AllowInsecureCertificates": true //Accept self-signed certificate
     //},
     "RequestDomainAsCustomDomain": true,
     "ReadLoopbackRequestDomain": true

docs/deployment-window-iis.md

@@ -18,7 +18,8 @@ This deployment include:
 
 - Two websites one for FoxIDs and one for the FoxIDs Control (Admin Client and API).
 - The two websites are exposed on two different domains / sub-domains.
-- NoSQL database containing all data including tenants, environments and users. Either deploy [MongoDB Community Edition](https://www.mongodb.com/docs/manual/tutorial/install-mongodb-on-windows/) or [PostgreSQL](https://www.postgresql.org/download/windows/).
+- NoSQL database containing all data including tenants, environments and users. Either deploy **MongoDB Community Edition** or **PostgreSQL**.
+- FoxIDs logs are default saved in files. Depending on the load, consider to use [OpenSearch](#opensearch) in production.
 
 ## Deployment
 
@@ -94,11 +95,11 @@ Download the `win-acme.v2.x.x.x64.pluggable.zip` file from the latest [win-acme
 
 The two websites now have `https` bindings with the certificate created by Let's encrypt and the certificate will automatically be updated for every 3 months or so.
 
-### Add FoxIDs to the websites
+### Xcopy deploy FoxIDs to websites
 Download the `FoxIDs-x.x.x-win-x64.zip` file from the [FoxIDs release](https://github.com/ITfoxtec/FoxIDs/releases) and unpack the ZIP file. The zip file contains two folders one for the FoxIDs site and one for the FoxIDs Control site.
 
-- Copy the zip file folder FoxIDs into the websites physical path e.g. `C:\inetpub\FoxIDs`
-- And copy the zip file folder FoxIDs.Control into the websites physical path e.g. `C:\inetpub\FoxIDs.Control`
+- Xcopy the zip file folder FoxIDs into the websites physical path e.g. `C:\inetpub\FoxIDs`
+- And Xcopy the zip file folder FoxIDs.Control into the websites physical path e.g. `C:\inetpub\FoxIDs.Control`
 
 Configure both the FoxIDs site and the FoxIDs Control site in the `appsettings.json` files, located in e.g. `C:\inetpub\FoxIDs\appsettings.json` and `C:\inetpub\FoxIDs.Control\appsettings.json`
 
@@ -128,15 +129,62 @@ Configure both the FoxIDs site and the FoxIDs Control site in the `appsettings.j
         "DataCache": "None"
     },
     "PostgreSql": {
-      "ConnectionString": "Host=localhost;Username=postgres;Password=xxxx;Database=FoxIDs"
+      "ConnectionString": "Host=localhost;Username=postgres;Password=xxxxxxxx;Database=FoxIDs"
     },
     ```
 5. Optionally configure to send emails with SMTP.
 
 ### FoxIDs Logs
 FoxIDs log files are default saved in `C:\inetpub\logs\LogFiles`. You can change the path in the `web.config` file in the two websites.
 
-The logs contain errors, warnings, events and trace. Depending on the load, consider using [OpenSearch](https://docs.opensearch.org/docs/latest/install-and-configure/install-opensearch/windows/) in production.
+The logs contain errors, warnings, events and trace.
+
+### OpenSearch
+Depending on the load, consider to use OpenSearch in production instead of log files.
+
+Download [OpenSearch](https://docs.opensearch.org/docs/latest/install-and-configure/install-opensearch/windows/) or download from the [download page](https://opensearch.org/downloads/).
+
+1. Create a folder on a permanent place e.g. `C:\opensearch` on the C drive. The OpenSearch `.bat` file is subsequently registered to run in Windows Task Scheduler.
+2. Move the downloaded file `opensearch-x.x.x-windows-x64.zip` to the folder and unpack the file - *the file names are to log to unpack in the default download folder*
+3. Start a Command Prompt 
+4. Navigate to the `opensearch-x.x.x` folder
+5. Set an administrator password, run `set OPENSEARCH_INITIAL_ADMIN_PASSWORD=<custom-admin-password>`
+6. Start service, run `.\opensearch-windows-install.bat`
+7. Start another Command Prompt 
+8. Test the OpenSearch, run test request `curl.exe -X GET https://localhost:9200 -u "admin:<custom-admin-password>" --insecure`
+9. Test the OpenSearch plugins, run test request `curl.exe -X GET https://localhost:9200/_cat/plugins?v -u "admin:<custom-admin-password>" --insecure`
+10. Go back to the OpenSearch Command Prompt and stop OpenSearch by clicking `ctrl+c` and then `y`
+
+Create a task to rune OpenSearch
+1. Open **Task Scheduler**
+2. Click **Create Task...**
+3. Add the **Name** `OpenSearch`
+4. Change the account that run the task, click **Change User or Group...**
+5. Write `NETWORK SERVICE` and click **OK**
+6. Select the **Actions** tab
+7. Click **New...**
+8. In **Program/script** start the `.bat` file e.g., write `C:\opensearch\opensearch-x.x.x\opensearch-windows-install.bat` and click **OK**
+9. Select the **Settings** tab
+10. Select the setting **If the task fails, restart every:**
+11. Deselect the setting (remove the checkmark) **Stop the task if it runs longer then:**
+12. Click **OK**
+13. Start the task
+
+OpenSearch is default started with a self-signed certificate. You can configure a domain and a certificate but, in this guide, the self-signed certificate is retained and FoxIDs is configured to accept the certificate.
+
+Configure OpenSearch in both the FoxIDs site and the FoxIDs Control site in the `appsettings.json` files, located in e.g. `C:\inetpub\FoxIDs\appsettings.json` and `C:\inetpub\FoxIDs.Control\appsettings.json`
+
+```json
+"Options": {
+    "Log": "OpenSearchAndStdoutErrors",
+    //DB configuration...
+},
+"OpenSearch": {
+    "Nodes": [ "https://admin:xxxxxxxx@localhost:9200/" ],
+    "LogLifetime": "Max180Days", 
+    "AllowInsecureCertificates": true //Accept self-signed certificate
+},
+```
 
 ## First login
 Open your FoxIDs Control site (<a href="http://control.my-domain.com" target="_blank">http://control.my-domain.com</a> or <a href="https://control.my-domain.com" target="_blank">https://control.my-domain.com</a>) in a browser. 

docs/risk-passwords.md

@@ -4,20 +4,20 @@ You can achieve higher password quality and a higher level of security by using
 
 Hundreds of millions of real world passwords previously exposed in data breaches is collected as risk passwords. By validating that the leaked passwords are not reused, you significantly increase the level of password security.
 
-**1) Download risk passwords (pwned passwords)**  
+> The risk passwords are uploaded ones per FoxIDs deployment in the master tenant and can be used in all tenants and environments.
+
+
+## 1) Download risk passwords (pwned passwords)
 Download the `SHA-1` pwned passwords in a single file from [haveibeenpwned.com/passwords](https://haveibeenpwned.com/Passwords) using the [PwnedPasswordsDownloader tool](https://github.com/HaveIBeenPwned/PwnedPasswordsDownloader).
 
 > Be aware that it takes some time to download all risk passwords.
 
-**2) Upload risk passwords to FoxIDs**  
-You can upload risk passwords with the FoxIDs seed tool console application. The seed tool code is [downloaded](https://github.com/ITfoxtec/FoxIDs/tree/master/tools/FoxIDs.SeedTool) and need to be compiled and [configured](#configure-the-seed-tool) to run.
-
-> The risk passwords is uploaded ones per FoxIDs deployment in the master tenant.
+## 2) Upload risk passwords to FoxIDs
+You then upload the risk passwords with the FoxIDs seed tool console application.  
 
-**3) Test**  
-You can read the number of risk passwords uploaded to FoxIDs in [FoxIDs Control Client](control.md#foxids-control-client) master tenant on the Settings / Risk Passwords tap. And you can test if a password is okay or has appeared in breaches.
+Download the `FoxIDs.SeedTool-x.x.x-win-x64.zip` or `FoxIDs.SeedTool-x.x.x-linux-x64.zip` file from the [FoxIDs release](https://github.com/ITfoxtec/FoxIDs/releases) and unpack the seed tool.
 
-## Configure the Seed Tool
+### Configure the Seed Tool
 
 The seed tool is configured in the `appsettings.json` file.
 
@@ -51,18 +51,22 @@ Add your FoxIDs and FoxIDs Control API endpoints and client secret and local ris
 
 ```json
 "SeedSettings": {
-    "FoxIDsEndpoint": "https://foxidsxxxx.azurewebsites.net",
-    "FoxIDsControlEndpoint": "https://foxidscontrolxxxx.azurewebsites.net",
+    "FoxIDsEndpoint": "https://foxidsxxxx.com", // custom domain or local development https://localhost:44330
+    "FoxIDsControlEndpoint": "https://control.foxidsxxxx.com", // custom domain or local development https://localhost:44331
     "ClientSecret": "xxx",
     ...
     "PwnedPasswordsPath": "c:\\... xxx ...\\pwned-passwords-sha1-ordered-by-count-v4.txt"
 }
 ```
 
-## Run the Seed Tool
+### Run the Seed Tool
+
+1. Start a Command Prompt 
+2. Run the seed tool with `SeedTool.exe`
+3. Click `U` to start uploading risk passwords  
 
-Run the seed tool executable SeedTool.exe or run the seed tool directly from Visual Studio. 
+> The risk password upload will take a while.
 
-* Click 'p' to start uploading risk passwords  
+## 3) Test
+You can read the number of risk passwords uploaded to FoxIDs in [FoxIDs Control Client](control.md#foxids-control-client) master tenant on the Settings / Risk Passwords tap. And you can test if a password is okay or has appeared in breaches.
 
-The risk password upload will take a while.

src/FoxIDs.Control/FoxIDs.Control.csproj

@@ -2,7 +2,7 @@
 
 	<PropertyGroup>
 		<TargetFramework>net9.0</TargetFramework>
-		<Version>1.17.2</Version>
+		<Version>1.17.3</Version>
 		<RootNamespace>FoxIDs</RootNamespace>
 		<Authors>Anders Revsgaard</Authors>
 		<Company>FoxIDs</Company>

src/FoxIDs.Control/Infrastructure/Hosting/ServiceCollectionExtensions.cs

@@ -142,11 +142,17 @@ public static IServiceCollection AddInfrastructure(this IServiceCollection servi
 
             if (settings.Options.Log == LogOptions.OpenSearchAndStdoutErrors)
             {
-                var openSearchQueryLogSettings = new ConnectionSettings(settings.OpenSearch.Nodes.Count == 1 ? new SingleNodeConnectionPool(settings.OpenSearch.Nodes.First()) : new StaticConnectionPool(settings.OpenSearch.Nodes))
+                var openSearchNodes = settings.OpenSearchQuery != null ? settings.OpenSearchQuery.Nodes : settings.OpenSearch.Nodes;
+                var openSearchQueryLogSettings = new ConnectionSettings(openSearchNodes.Count == 1 ? new SingleNodeConnectionPool(openSearchNodes.First()) : new StaticConnectionPool(openSearchNodes))
                     .RequestTimeout(TimeSpan.FromSeconds(20))
                     .MaxRetryTimeout(TimeSpan.FromSeconds(30))
                     .ThrowExceptions();
 
+                if (settings.OpenSearch.AllowInsecureCertificates)
+                {
+                    openSearchQueryLogSettings.ServerCertificateValidationCallback(CertificateValidations.AllowAll);
+                }
+
                 services.AddSingleton(new OpenSearchClientQueryLog(openSearchQueryLogSettings));
             }
 

src/FoxIDs.Control/Logic/Logs/LogOpenSearchLogic.cs

@@ -253,6 +253,16 @@ private async Task<IEnumerable<OpenSearchLogItem>> LoadLogsAsync(Api.LogRequest
         }
 
         private IEnumerable<string> GetIndexName()
+        {
+            foreach(var name in GetIndexBaseName()) { yield return name; }
+
+            if (settings.OpenSearchQuery != null && !string.IsNullOrWhiteSpace(settings.OpenSearchQuery?.CrossClusterSearchClusterName))
+            {
+                foreach (var name in GetIndexBaseName()) { yield return $"{settings.OpenSearchQuery.CrossClusterSearchClusterName}:{name}"; }
+            }
+        }
+
+        private IEnumerable<string> GetIndexBaseName()
         {
             yield return $"{settings.OpenSearch.LogName}*";
             // Remove in about 8 month (support logtype changed to keyword) from now 2025.01.17

src/FoxIDs.Control/Logic/Logs/UsageLogOpenSearchLogic.cs

@@ -274,6 +274,16 @@ private async Task<FiltersAggregate> LoadUsageEventsAsync(string tenantName, str
         }
 
         private IEnumerable<string> GetIndexName()
+        {
+            foreach (var name in GetIndexBaseName()) { yield return name; }
+
+            if (settings.OpenSearchQuery != null && !string.IsNullOrWhiteSpace(settings.OpenSearchQuery?.CrossClusterSearchClusterName))
+            {
+                foreach (var name in GetIndexBaseName()) { yield return $"{settings.OpenSearchQuery.CrossClusterSearchClusterName}:{name}"; }
+            }
+        }
+
+        private IEnumerable<string> GetIndexBaseName()
         {
             yield return $"{settings.OpenSearch.LogName}*";
             // Remove in about 8 month (support logtype changed to keyword) from now 2025.01.17

src/FoxIDs.Control/Models/Config/FoxIDsControlSettings.cs

@@ -15,6 +15,12 @@ public class FoxIDsControlSettings : Settings, IValidatableObject
         [Required]
         public string DownParty { get; set; } = Constants.ControlApi.ResourceName;
 
+        /// <summary>
+        /// Optional, OpenSearch Query configuration.
+        /// </summary>
+        [ValidateComplexType]
+        public OpenSearchQuerySettings OpenSearchQuery { get; set; }
+
         [ValidateComplexType]
         public ApplicationInsightsSettings ApplicationInsights { get; set; }
 

src/FoxIDs.ControlClient/FoxIDs.ControlClient.csproj

@@ -2,7 +2,7 @@
 
 	<PropertyGroup>
 		<TargetFramework>net9.0</TargetFramework>
-		<Version>1.17.2</Version>
+		<Version>1.17.3</Version>
 		<RootNamespace>FoxIDs.Client</RootNamespace>
 		<Authors>Anders Revsgaard</Authors>
 		<Company>FoxIDs</Company>