Config update

.eslintrc.js

@@ -10,8 +10,7 @@ module.exports = {
   ],
   rules: {
     'no-console': 'warn',
-    'no-unused-vars': 'warn',
-    'no-undef': 'warn'
+    'no-unused-vars': 'warn'
   },
   globals: {
     NodeJS: true,

CHANGELOG.md

@@ -41,6 +41,21 @@
 
 ### New features
 
+- Upgraded to `@opencrvs/mosip` v1.8.0 to support the following enhancements:
+  - Added QR code scanner form configuration, allowing users to scan QR codes and automatically prefill form fields with the extracted data. [#7939](https://github.com/opencrvs/opencrvs-core/issues/7939)
+  - Integrated E-signet authentication flow using mock identities. [#8062](https://github.com/opencrvs/opencrvs-core/issues/8062)
+  - Enabled online verification flow with mock identities. [#7944](https://github.com/opencrvs/opencrvs-core/issues/7944)
+  - Provided support for custom business logic to determine whether MOSIP processing should be triggered during registration. [#7942](https://github.com/opencrvs/opencrvs-core/issues/7942)
+  - Ensured that registering a death event deactivates the corresponding identity in MOSIP. [#7943](https://github.com/opencrvs/opencrvs-core/issues/7943)
+  - Enforced rejection of registrations if MOSIP processing fails. [#8174](https://github.com/opencrvs/opencrvs-core/issues/8174)
+
+### Improvements
+
+- Added Build summary and refactored deployment workflow to be more clear [#6984](https://github.com/opencrvs/opencrvs-core/issues/6984)
+- Build OpenCRVS release images for arm devices [#9455](https://github.com/opencrvs/opencrvs-core/issues/9455)
+
+## 1.6.4
+
 - Added a local virtual machine setup for testing Ansible playbooks locally (on MacOS and Ubuntu ). Check [provision.ipynb](infrastructure/local-development/provision.ipynb) for more details.
 
 ### Improvements

infrastructure/backups/backup.sh

@@ -134,6 +134,7 @@ mkdir -p $ROOT_PATH/backups/mongo
 mkdir -p $ROOT_PATH/backups/minio
 mkdir -p $ROOT_PATH/backups/vsexport
 mkdir -p $ROOT_PATH/backups/postgres
+mkdir -p $ROOT_PATH/backups/sqlite
 
 # This enables root-created directory to be writable by the docker user
 chown -R 1000:1000 $ROOT_PATH/backups
@@ -215,7 +216,16 @@ docker run --rm \
   postgres:17 \
   bash -c "pg_dump -h postgres -U $POSTGRES_USER -d events -F c -f /backups/events-${LABEL:-$BACKUP_DATE}.dump"
 
-#-------------------------------------------------------------------------------------
+# Backup SQLite
+# ---------------------------------------------------------------------------------------------
+echo "Creating a backup for SQLite"
+
+docker run --rm \
+  -v $ROOT_PATH/sqlite:/data/sqlite \
+  -v $ROOT_PATH/backups/sqlite:/data/backup \
+  alpine sh -c "apk add --no-cache sqlite && \
+  sqlite3 /data/sqlite/mosip-api.db \".backup '/data/backup/mosip-api-${LABEL:-$BACKUP_DATE}.sqlite'\""
+
 
 echo ""
 echo "Delete all currently existing snapshots"
@@ -313,6 +323,7 @@ mkdir -p $BACKUP_RAW_FILES_DIR/mongo/ && cp $ROOT_PATH/backups/mongo/metrics-${L
 mkdir -p $BACKUP_RAW_FILES_DIR/mongo/ && cp $ROOT_PATH/backups/mongo/webhooks-${LABEL:-$BACKUP_DATE}.gz $BACKUP_RAW_FILES_DIR/mongo/
 mkdir -p $BACKUP_RAW_FILES_DIR/mongo/ && cp $ROOT_PATH/backups/mongo/performance-${LABEL:-$BACKUP_DATE}.gz $BACKUP_RAW_FILES_DIR/mongo/
 mkdir -p $BACKUP_RAW_FILES_DIR/postgres/ && cp $ROOT_PATH/backups/postgres/events-${LABEL:-$BACKUP_DATE}.dump $BACKUP_RAW_FILES_DIR/postgres/
+mkdir -p $BACKUP_RAW_FILES_DIR/sqlite/ && cp $ROOT_PATH/backups/sqlite/mosip-api-${LABEL:-$BACKUP_DATE}.sqlite $BACKUP_RAW_FILES_DIR/sqlite/
 
 tar -czf /tmp/${LABEL:-$BACKUP_DATE}.tar.gz -C "$BACKUP_RAW_FILES_DIR" .
 

infrastructure/clear-all-data.sh

@@ -156,5 +156,10 @@ echo "✅ Database and roles dropped."
 echo "🚀 Reinitializing Postgres with on-deploy.sh..."
 
 docker service update --force opencrvs_postgres-on-update
+# Delete all data from SQLite
+# ---------------------------
+docker run --rm -v /data/sqlite:/data/sqlite alpine \
+  sh -c "apk add --no-cache sqlite && sqlite3 /data/sqlite/mosip-api.db 'DELETE FROM transactions;'"
 
 echo "✅ All data cleared."
+

infrastructure/docker-compose.deploy.yml

@@ -591,6 +591,11 @@ services:
       - INFOBIP_SENDER_ID=${INFOBIP_SENDER_ID:-}
       - DOMAIN={{hostname}}
       - ANALYTICS_DATABASE_URL=postgres://events_analytics:${ANALYTICS_POSTGRES_PASSWORD}@postgres/events
+      - ESIGNET_REDIRECT_URL=${ESIGNET_REDIRECT_URL}
+      - OPENID_PROVIDER_CLIENT_ID=${OPENID_PROVIDER_CLIENT_ID:-}
+      - OPENID_PROVIDER_CLAIMS=${OPENID_PROVIDER_CLAIMS:-}
+      - MOSIP_API_USERINFO_URL=${MOSIP_API_USERINFO_URL:-}
+      - LOCALE=en
     networks:
       - overlay_net
     logging:
@@ -1099,6 +1104,74 @@ services:
       placement:
         constraints:
           - node.labels.data1 == true
+
+  mosip-api:
+    volumes:
+      - '/data/sqlite:/data/sqlite'
+    image: ghcr.io/opencrvs/mosip-api:${MOSIP_API_VERSION}
+    environment:
+      - NODE_ENV=production
+      - MOSIP_BIRTH_WEBHOOK_URL=http://mosip-mock:20240/webhooks/opencrvs/birth
+      - MOSIP_DEATH_WEBHOOK_URL=http://mosip-mock:20240/webhooks/opencrvs/death
+      - OPENCRVS_GATEWAY_URL=http://gateway:7070
+      - OPENCRVS_PUBLIC_KEY_URL=http://auth:4040/.well-known
+      - LOCALE=en
+      - ESIGNET_USERINFO_URL=${ESIGNET_USERINFO_URL}
+      - ESIGNET_TOKEN_URL=${ESIGNET_TOKEN_URL}
+      - ESIGNET_REDIRECT_URL=${ESIGNET_REDIRECT_URL}
+      - OIDP_CLIENT_PRIVATE_KEY_PATH=${OIDP_CLIENT_PRIVATE_KEY_PATH}
+      - OPENID_PROVIDER_CLAIMS=${OPENID_PROVIDER_CLAIMS}
+      - DECRYPT_P12_FILE_PATH=${DECRYPT_P12_FILE_PATH}
+      - DECRYPT_P12_FILE_PASSWORD=${DECRYPT_P12_FILE_PASSWORD}
+      - ENCRYPT_CERT_PATH=${ENCRYPT_CERT_PATH}
+      - IDA_AUTH_DOMAIN_URI=${IDA_AUTH_DOMAIN_URI}
+      - IDA_AUTH_URL=${IDA_AUTH_URL}
+      - PARTNER_APIKEY=${PARTNER_APIKEY}
+      - PARTNER_ID=${PARTNER_ID}
+      - PARTNER_MISP_LK=${PARTNER_MISP_LK}
+      - SIGN_P12_FILE_PATH=${SIGN_P12_FILE_PATH}
+      - SIGN_P12_FILE_PASSWORD=${SIGN_P12_FILE_PASSWORD}
+      - CLIENT_APP_URL=https://register.{{hostname}}
+      - SQLITE_DATABASE_PATH=/data/sqlite/mosip-api.db
+      - MOSIP_PACKET_AUTH_CLIENT_ID=${MOSIP_PACKET_AUTH_CLIENT_ID}
+      - MOSIP_PACKET_AUTH_CLIENT_SECRET=${MOSIP_PACKET_AUTH_CLIENT_SECRET}
+      - MOSIP_WEBSUB_AUTH_CLIENT_ID=${MOSIP_WEBSUB_AUTH_CLIENT_ID}
+      - MOSIP_WEBSUB_AUTH_CLIENT_SECRET=${MOSIP_WEBSUB_AUTH_CLIENT_SECRET}
+      - MOSIP_AUTH_URL=${MOSIP_AUTH_URL}
+      - MOSIP_WEBSUB_CALLBACK_URL=https://mosip-api.{{hostname}}/websub/callback
+      - MOSIP_WEBSUB_HUB_URL=${MOSIP_WEBSUB_HUB_URL}
+      - MOSIP_WEBSUB_SECRET=${MOSIP_WEBSUB_SECRET}
+      - MOSIP_WEBSUB_TOPIC=${MOSIP_WEBSUB_TOPIC}
+      - MOSIP_CREATE_PACKET_URL=${MOSIP_CREATE_PACKET_URL}
+      - MOSIP_PROCESS_PACKET_URL=${MOSIP_PROCESS_PACKET_URL}
+      - MOSIP_VERIFIABLE_CREDENTIAL_ALLOWLIST=${MOSIP_VERIFIABLE_CREDENTIAL_ALLOWLIST}
+      - MOSIP_CENTER_ID=${MOSIP_CENTER_ID}
+      - MOSIP_MACHINE_ID=${MOSIP_MACHINE_ID}
+    deploy:
+      replicas: 1
+      labels:
+        - 'traefik.enable=true'
+        - 'traefik.http.routers.mosip-api.rule=Host(`mosip-api.{{hostname}}`)'
+        - 'traefik.http.services.mosip-api.loadbalancer.server.port=2024'
+        - 'traefik.http.routers.mosip-api.tls=true'
+        - 'traefik.http.routers.mosip-api.tls.certresolver=certResolver'
+        - 'traefik.http.routers.mosip-api.entrypoints=web,websecure'
+        - 'traefik.http.routers.mosip-api.middlewares=gzip-compression'
+        - 'traefik.docker.network=opencrvs_overlay_net'
+        - 'traefik.http.middlewares.mosip-api.headers.customresponseheaders.Pragma=no-cache'
+        - 'traefik.http.middlewares.mosip-api.headers.customresponseheaders.Cache-control=no-store'
+        - 'traefik.http.middlewares.mosip-api.headers.customresponseheaders.X-Robots-Tag=none'
+        - 'traefik.http.middlewares.mosip-api.headers.stsseconds=31536000'
+        - 'traefik.http.middlewares.mosip-api.headers.stsincludesubdomains=true'
+        - 'traefik.http.middlewares.mosip-api.headers.stspreload=true'
+    networks:
+      - overlay_net
+    logging:
+      driver: gelf
+      options:
+        gelf-address: 'udp://127.0.0.1:12201'
+        tag: 'mosip-api'
+
 secrets:
   redis-acl.{{ts}}:
     external: true

infrastructure/docker-compose.development-deploy.yml

@@ -28,6 +28,10 @@ services:
       - SMTP_USERNAME=${SMTP_USERNAME}
       - SMTP_PASSWORD=${SMTP_PASSWORD}
       - SMTP_SECURE=${SMTP_SECURE}
+      - ESIGNET_REDIRECT_URL=${ESIGNET_REDIRECT_URL}
+      - OPENID_PROVIDER_CLIENT_ID=${OPENID_PROVIDER_CLIENT_ID:-}
+      - OPENID_PROVIDER_CLAIMS=${OPENID_PROVIDER_CLAIMS:-}
+      - MOSIP_API_USERINFO_URL=${MOSIP_API_USERINFO_URL:-}
     deploy:
       replicas: 1
     networks:

infrastructure/docker-compose.qa-deploy.yml

@@ -57,6 +57,11 @@ services:
       - SMTP_USERNAME=${SMTP_USERNAME}
       - SMTP_PASSWORD=${SMTP_PASSWORD}
       - SMTP_SECURE=${SMTP_SECURE}
+      - ESIGNET_REDIRECT_URL=${ESIGNET_REDIRECT_URL}
+      - OPENID_PROVIDER_CLIENT_ID=${OPENID_PROVIDER_CLIENT_ID:-}
+      - OPENID_PROVIDER_CLAIMS=${OPENID_PROVIDER_CLAIMS:-}
+      - MOSIP_API_USERINFO_URL=${MOSIP_API_USERINFO_URL}
+      - V2_EVENTS=true
     deploy:
       replicas: 1
     networks:
@@ -125,3 +130,66 @@ services:
     environment:
       - QA_ENV=true
       - NODE_ENV=production
+
+  mosip-api:
+    environment:
+      - MOSIP_WEBSUB_CALLBACK_URL=http://mosip-api:2024/websub/callback
+    volumes:
+      - /certs:/certs:ro 
+
+  mosip-mock:
+    image: ghcr.io/opencrvs/mosip-mock:${MOSIP_API_VERSION}
+    depends_on:
+      - mosip-api
+    environment:
+      - NODE_ENV=production
+      - SENDER_EMAIL_ADDRESS=${SENDER_EMAIL_ADDRESS:-}
+      - ALERT_EMAIL=${ALERT_EMAIL:-}
+      - SMTP_HOST=${SMTP_HOST:-}
+      - SMTP_PORT=${SMTP_PORT:-}
+      - SMTP_USERNAME=${SMTP_USERNAME:-}
+      - SMTP_PASSWORD=${SMTP_PASSWORD:-}
+      - SMTP_SECURE=${SMTP_SECURE:-}
+      - MOSIP_WEBSUB_CALLBACK_URL=http://mosip-api:2024/websub/callback
+      - ISSUER_URL=http://mosip-mock:20240
+      - MOSIP_WEBSUB_TOPIC=${MOSIP_WEBSUB_TOPIC}
+    networks:
+      - overlay_net
+    logging:
+      driver: gelf
+      options:
+        gelf-address: 'udp://127.0.0.1:12201'
+        tag: 'mosip-mock'
+
+  esignet-mock:
+    image: ghcr.io/opencrvs/esignet-mock:${MOSIP_API_VERSION}
+    volumes:
+      - /certs:/certs:ro 
+    environment:
+      - NODE_ENV=production
+      - CLIENT_APP_URL=https://register.{{hostname}}
+      - OIDP_CLIENT_PRIVATE_KEY_PATH=${OIDP_CLIENT_PRIVATE_KEY_PATH}
+    deploy:
+      replicas: 1
+      labels:
+        - 'traefik.enable=true'
+        - 'traefik.http.routers.esignet-mock.rule=Host(`esignet-mock.{{hostname}}`)'
+        - 'traefik.http.services.esignet-mock.loadbalancer.server.port=20260'
+        - 'traefik.http.routers.esignet-mock.tls=true'
+        - 'traefik.http.routers.esignet-mock.tls.certresolver=certResolver'
+        - 'traefik.http.routers.esignet-mock.entrypoints=web,websecure'
+        - 'traefik.http.routers.esignet-mock.middlewares=gzip-compression'
+        - 'traefik.docker.network=opencrvs_overlay_net'
+        - 'traefik.http.middlewares.esignet-mock.headers.customresponseheaders.Pragma=no-cache'
+        - 'traefik.http.middlewares.esignet-mock.headers.customresponseheaders.Cache-control=no-store'
+        - 'traefik.http.middlewares.esignet-mock.headers.customresponseheaders.X-Robots-Tag=none'
+        - 'traefik.http.middlewares.esignet-mock.headers.stsseconds=31536000'
+        - 'traefik.http.middlewares.esignet-mock.headers.stsincludesubdomains=true'
+        - 'traefik.http.middlewares.esignet-mock.headers.stspreload=true'
+    networks:
+      - overlay_net
+    logging:
+      driver: gelf
+      options:
+        gelf-address: 'udp://127.0.0.1:12201'
+        tag: 'esignet-mock'

infrastructure/docker-compose.staging-deploy.yml

@@ -1,11 +1,3 @@
-#
-# Production deployments of OpenCRVS should never be exposed to the internet.
-# Instead, they should be deployed on a private network and exposed to the internet via a VPN.
-#
-# Before you deploy staging or production environments, make sure the application servers are
-# either in an internal network or protected with a firewall. No ports should be exposed to the internet.
-#
-
 services:
   gateway:
     environment:
@@ -88,29 +80,6 @@ services:
     environment:
       - NODE_ENV=production
 
-  countryconfig:
-    image: ${DOCKERHUB_ACCOUNT}/${DOCKERHUB_REPO}:${COUNTRY_CONFIG_VERSION}
-    restart: unless-stopped
-    secrets:
-      - jwt-public-key.{{ts}}
-    environment:
-      - NODE_ENV=production
-      - FHIR_URL=http://hearth:3447/fhir
-      - AUTH_URL=http://auth:4040
-      - APPLICATION_CONFIG_URL=http://config:2021
-      - CONFIRM_REGISTRATION_URL=http://workflow:5050/confirm/registration
-      - CHECK_INVALID_TOKEN=true
-      - SENTRY_DSN=${SENTRY_DSN:-}
-      - SENDER_EMAIL_ADDRESS=${SENDER_EMAIL_ADDRESS}
-      - ALERT_EMAIL=${ALERT_EMAIL}
-      - SMTP_HOST=${SMTP_HOST}
-      - SMTP_PORT=${SMTP_PORT}
-      - SMTP_USERNAME=${SMTP_USERNAME}
-      - SMTP_PASSWORD=${SMTP_PASSWORD}
-      - SMTP_SECURE=${SMTP_SECURE}
-    deploy:
-      replicas: 1
-
   client:
     environment:
       - DECLARED_DECLARATION_SEARCH_QUERY_COUNT=100
@@ -150,36 +119,12 @@ services:
       - REPLICAS=1
 
   traefik:
-    # These templates use an Automatic Certificate Management Environment (Let's Encrypt).
-    # This makes sure that the HTTPS certificates are automatically generated and renewed without manual maintenance.
-    #
-    # This default configuration will only work if OpenCRVS is directly accessible from the internet.
-    #
-    # WE STRONGLY RECOMMEND THAT YOU DO NOT EXPOSE PRODUCTION OPENCRVS TO THE INTERNET!
-    #
-    # If you are deploying OpenCRVS in a private network, you have two options:
-    # 1. Use a DNS provider that supports ACME DNS-01 challenges.
-    # 2. Use a manually renewed certificate file.
-
-    # For your country to use the DNS-01 challenge, your domain's DNS provider must be one of the ones listed here
-    # https://doc.traefik.io/traefik/https/acme/#providers
-    #
-    # If your DNS provider is not listed, you can use manually renewed certificate files instead of Let's Encrypt.
-    # To do this, remove the `environment` and `certificatesresolvers.certResolver.acme` sections and uncomment the following lines.
-    # You will also need to place your certificates in the `/data/traefik/certs` directory.
-    # Ensure that the file names match the ones defined below.
-    #
-    # volumes:
-    #   - /var/run/docker.sock:/var/run/docker.sock
-    #   - /data/traefik/certs:/certs
-    # command:
-    #   - --tls.certificates.certfile=/certs/crvs.cm.crt
-    #   - --tls.certificates.keyfile=/certs/crvs.cm.key
-    #   - --tls.certificates.stores=default
-    #   - --tls.stores.default.defaultcertificate.certfile=/certs/crvs.cm.crt
-    #   - --tls.stores.default.defaultcertificate.keyfile=/certs/crvs.cm.key
-
+    networks:
+      - overlay_net
     command:
+      # Use HTTP-01 challenge as the web server is publicly available
+      # https://doc.traefik.io/traefik/https/acme/#httpchallenge
+      # For DNS-01 challenge and manual certificates, check staging and production configurations
       - --certificatesresolvers.certResolver.acme.email=riku@opencrvs.org
       - --certificatesresolvers.certResolver.acme.storage=acme.json
       - --certificatesresolvers.certResolver.acme.caserver=https://acme-v02.api.letsencrypt.org/directory
@@ -201,3 +146,57 @@ services:
       - --accesslog=true
       - --accesslog.format=json
       - --ping=true
+
+  countryconfig:
+    image: ${DOCKERHUB_ACCOUNT}/${DOCKERHUB_REPO}:${COUNTRY_CONFIG_VERSION}
+    restart: unless-stopped
+    secrets:
+      - jwt-public-key.{{ts}}
+    environment:
+      - NODE_ENV=production
+      - QA_ENV=true
+      - FHIR_URL=http://hearth:3447/fhir
+      - AUTH_URL=http://auth:4040
+      - APPLICATION_CONFIG_URL=http://config:2021
+      - CONFIRM_REGISTRATION_URL=http://workflow:5050/confirm/registration
+      - CHECK_INVALID_TOKEN=true
+      - MONGO_URL=mongodb://mongo1/user-mgnt?replicaSet=rs0
+      - SENTRY_DSN=${SENTRY_DSN:-}
+      - SENDER_EMAIL_ADDRESS=${SENDER_EMAIL_ADDRESS}
+      - ALERT_EMAIL=${ALERT_EMAIL}
+      - SMTP_HOST=${SMTP_HOST}
+      - SMTP_PORT=${SMTP_PORT}
+      - SMTP_USERNAME=${SMTP_USERNAME}
+      - SMTP_PASSWORD=${SMTP_PASSWORD}
+      - SMTP_SECURE=${SMTP_SECURE}
+      - ESIGNET_REDIRECT_URL=${ESIGNET_REDIRECT_URL}
+      - OPENID_PROVIDER_CLIENT_ID=${OPENID_PROVIDER_CLIENT_ID:-}
+      - OPENID_PROVIDER_CLAIMS=${OPENID_PROVIDER_CLAIMS:-}
+      - MOSIP_API_USERINFO_URL=${MOSIP_API_USERINFO_URL:-}
+    deploy:
+      replicas: 1
+    networks:
+      - overlay_net
+
+
+  mosip-api:
+    volumes:
+      - /certs:/certs:ro
+    environment:
+      - CREDENTIAL_PARTNER_CERTIFICATE_PATH=/certs/credential-partner.csr
+      - CREDENTIAL_PARTNER_PRIVATE_KEY_PATH=/certs/credential-partner.pem
+      - MOSIP_PACKET_AUTH_CLIENT_ID=${MOSIP_PACKET_AUTH_CLIENT_ID}
+      - MOSIP_PACKET_AUTH_CLIENT_SECRET=${MOSIP_PACKET_AUTH_CLIENT_SECRET}
+      - MOSIP_WEBSUB_AUTH_CLIENT_ID=${MOSIP_WEBSUB_AUTH_CLIENT_ID}
+      - MOSIP_WEBSUB_AUTH_CLIENT_SECRET=${MOSIP_WEBSUB_AUTH_CLIENT_SECRET}
+      - MOSIP_AUTH_PASS=${MOSIP_AUTH_PASS}
+      - MOSIP_AUTH_URL=${MOSIP_AUTH_URL}
+      - MOSIP_AUTH_USER=${MOSIP_AUTH_USER}
+      - MOSIP_GENERATE_AID_URL=${MOSIP_GENERATE_AID_URL}
+      - MOSIP_BIRTH_WEBHOOK_URL=${MOSIP_BIRTH_WEBHOOK_URL}
+      - MOSIP_DEATH_WEBHOOK_URL=${MOSIP_DEATH_WEBHOOK_URL}
+    logging:
+      driver: gelf
+      options:
+        gelf-address: 'udp://127.0.0.1:12201'
+        tag: 'esignet-mock'