Merge branch 'registrar-modularization' of gitlab.eox.at:esa/prism/vs into registrar-modularization

.bumpversion.cfg

+[bumpversion]
+current_version = 1.0.0-rc.2
+commit = True
+tag = True
+parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(\-(?P<release>[a-z]+)\.(?P<build>\d+))?
+serialize = 
+	{major}.{minor}.{patch}-{release}.{build}
+	{major}.{minor}.{patch}
+tag_name = release-{new_version}
+
+[bumpversion:part:release]
+optional_value = final
+first_value = alpha
+values = 
+	alpha
+	beta
+	rc
+	final
+
+[bumpversion:file:.bumpversion.cfg]
+search = current_version = {current_version}
+
+[bumpversion:glob:**/Dockerfile]
+search = version="{current_version}"
+replace = version="{new_version}"
+
+[bumpversion:glob:preprocessor/setup.py]
+search = version="{current_version}"
+replace = version="{new_version}"
+
+[bumpversion:glob:docker-compose*ops.yml]
+search = :release-{current_version}
+replace = :release-{new_version}
+
+[bumpversion:glob:config/*ops.html]
+search = release-{current_version}
+replace = release-{new_version}

.gitlab-ci.yml

@@ -4,83 +4,111 @@ variables:
 stages:
   - build
 
-
-build-master:
-  image: docker:latest
+build-tag:
+  image: registry.gitlab.eox.at/esa/prism/vs/docker-base-testing:latest
   stage: build
   services:
-    - docker:dind
+    - docker:19.03.13-dind
   before_script:
     - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
   script:
-    - VERSION_1=`grep 'version="*"' core/Dockerfile | cut -d '"' -f2`
     - IMAGE_1="$CI_REGISTRY_IMAGE/pvs_core"
     - docker pull "$IMAGE_1":latest || true
-    - docker build --cache-from "$IMAGE_1":latest -t "$IMAGE_1":dev -t "$IMAGE_1":$VERSION_1 core/
-    - VERSION_2=`grep 'version="*"' preprocessor/Dockerfile | cut -d '"' -f2`
+    - docker build --cache-from "$IMAGE_1":latest -t "$IMAGE_1":dev -t "$IMAGE_1":$CI_COMMIT_TAG core/
     - IMAGE_2="$CI_REGISTRY_IMAGE/pvs_preprocessor"
     - docker pull "$IMAGE_2":latest || true
-    - docker build --cache-from "$IMAGE_2":latest -t "$IMAGE_2":dev -t "$IMAGE_2":$VERSION_2 preprocessor/
-    - VERSION_3=`grep 'version="*"' client/Dockerfile | cut -d '"' -f2`
+    - docker build --cache-from "$IMAGE_2":latest -t "$IMAGE_2":dev -t "$IMAGE_2":$CI_COMMIT_TAG preprocessor/
     - IMAGE_3="$CI_REGISTRY_IMAGE/pvs_client"
     - docker pull "$IMAGE_3":latest || true
-    - docker build --cache-from "$IMAGE_3":latest -t "$IMAGE_3":dev -t "$IMAGE_3":$VERSION_3 client/
-    - VERSION_4=`grep 'version="*"' cache/Dockerfile | cut -d '"' -f2`
+    - docker build --cache-from "$IMAGE_3":latest -t "$IMAGE_3":dev -t "$IMAGE_3":$CI_COMMIT_TAG client/
     - IMAGE_4="$CI_REGISTRY_IMAGE/pvs_cache"
     - docker pull "$IMAGE_4":latest || true
-    - docker build --cache-from "$IMAGE_4":latest -t "$IMAGE_4":dev -t "$IMAGE_4":$VERSION_4 cache/
-    - VERSION_5=`grep 'version="*"' fluentd/Dockerfile | cut -d '"' -f2`
+    - docker build --cache-from "$IMAGE_4":latest -t "$IMAGE_4":dev -t "$IMAGE_4":$CI_COMMIT_TAG cache/
     - IMAGE_5="$CI_REGISTRY_IMAGE/fluentd"
     - docker pull "$IMAGE_5":latest || true
-    - docker build --cache-from "$IMAGE_5":latest -t "$IMAGE_5":dev -t "$IMAGE_5":$VERSION_5 fluentd/
-    - VERSION_6=`grep 'version="*"' ingestor/Dockerfile | cut -d '"' -f2`
+    - docker build --cache-from "$IMAGE_5":latest -t "$IMAGE_5":dev -t "$IMAGE_5":$CI_COMMIT_TAG fluentd/
     - IMAGE_6="$CI_REGISTRY_IMAGE/pvs_ingestor"
     - docker pull "$IMAGE_6":latest || true
-    - docker build --cache-from "$IMAGE_6":latest -t "$IMAGE_6":dev -t "$IMAGE_6":$VERSION_6 ingestor/
+    - docker build --cache-from "$IMAGE_6":latest -t "$IMAGE_6":dev -t "$IMAGE_6":$CI_COMMIT_TAG ingestor/
+    - cd ./testing && ./gitlab_test.sh
+    - if [ $? -ne 0 ]; then exit 1; fi  # actually fail build
+    - docker push "$IMAGE_1":$CI_COMMIT_TAG
+    - docker push "$IMAGE_2":$CI_COMMIT_TAG
+    - docker push "$IMAGE_3":$CI_COMMIT_TAG
+    - docker push "$IMAGE_4":$CI_COMMIT_TAG
+    - docker push "$IMAGE_5":$CI_COMMIT_TAG
+    - docker push "$IMAGE_6":$CI_COMMIT_TAG
+  only:
+    - tags
+build-master-staging:
+  image: registry.gitlab.eox.at/esa/prism/vs/docker-base-testing:latest
+  stage: build
+  services:
+    - docker:19.03.13-dind
+  before_script:
+    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
+  script:
+    - if [[ "$CI_COMMIT_BRANCH" = "master" ]] ; then TAG_USED="latest"; else TAG_USED="staging"; fi
+    - IMAGE_1="$CI_REGISTRY_IMAGE/pvs_core"
+    - docker pull "$IMAGE_1":"$TAG_USED" || true
+    - docker build --cache-from "$IMAGE_1":"$TAG_USED" -t "$IMAGE_1":dev -t "$IMAGE_1":"$TAG_USED" core/
+    - IMAGE_2="$CI_REGISTRY_IMAGE/pvs_preprocessor"
+    - docker pull "$IMAGE_2":"$TAG_USED" || true
+    - docker build --cache-from "$IMAGE_2":"$TAG_USED" -t "$IMAGE_2":dev -t "$IMAGE_2":"$TAG_USED" preprocessor/
+    - IMAGE_3="$CI_REGISTRY_IMAGE/pvs_client"
+    - docker pull "$IMAGE_3":"$TAG_USED" || true
+    - docker build --cache-from "$IMAGE_3":"$TAG_USED" -t "$IMAGE_3":dev -t "$IMAGE_3":"$TAG_USED" client/
+    - IMAGE_4="$CI_REGISTRY_IMAGE/pvs_cache"
+    - docker pull "$IMAGE_4":"$TAG_USED" || true
+    - docker build --cache-from "$IMAGE_4":"$TAG_USED" -t "$IMAGE_4":dev -t "$IMAGE_4":"$TAG_USED" cache/
+    - IMAGE_5="$CI_REGISTRY_IMAGE/fluentd"
+    - docker pull "$IMAGE_6":"$TAG_USED" || true
+    - docker build --cache-from "$IMAGE_5":"$TAG_USED" -t "$IMAGE_5":dev -t "$IMAGE_5":"$TAG_USED" fluentd/
+    - IMAGE_6="$CI_REGISTRY_IMAGE/pvs_ingestor"
+    - docker pull "$IMAGE_6":"$TAG_USED" || true
+    - docker build --cache-from "$IMAGE_6":"$TAG_USED" -t "$IMAGE_6":dev -t "$IMAGE_6":"$TAG_USED" ingestor/
     - cd ./testing && ./gitlab_test.sh
     - if [ $? -ne 0 ]; then exit 1; fi  # actually fail build
-    - docker push "$IMAGE_1":$VERSION_1
-    - docker push "$IMAGE_1":latest
-    - docker push "$IMAGE_2":$VERSION_2
-    - docker push "$IMAGE_2":latest
-    - docker push "$IMAGE_3":$VERSION_3
-    - docker push "$IMAGE_3":latest
-    - docker push "$IMAGE_4":$VERSION_4
-    - docker push "$IMAGE_4":latest
-    - docker push "$IMAGE_5":$VERSION_5
-    - docker push "$IMAGE_5":latest
-    - docker push "$IMAGE_6":$VERSION_6
-    - docker push "$IMAGE_6":latest
+    - docker push "$IMAGE_1":"$TAG_USED"
+    - docker push "$IMAGE_2":"$TAG_USED"
+    - docker push "$IMAGE_3":"$TAG_USED"
+    - docker push "$IMAGE_4":"$TAG_USED"
+    - docker push "$IMAGE_5":"$TAG_USED"
+    - docker push "$IMAGE_6":"$TAG_USED"
   only:
+    - staging
     - master
+  except:
     - tags
 build:
-  image: docker:latest
+  image: registry.gitlab.eox.at/esa/prism/vs/docker-base-testing:latest
   stage: build
   services:
-    - docker:dind
+    - docker:19.03.13-dind
   before_script:
     - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
   script:
     - IMAGE="$CI_REGISTRY_IMAGE/pvs_core"
-    - docker pull "$IMAGE":latest || true
-    - docker build --cache-from "$IMAGE":latest -t "$IMAGE":dev core/
+    - docker pull "$IMAGE":staging || true
+    - docker build --cache-from "$IMAGE":staging -t "$IMAGE":dev core/
     - IMAGE="$CI_REGISTRY_IMAGE/pvs_preprocessor"
-    - docker pull "$IMAGE":latest || true
-    - docker build --cache-from "$IMAGE":latest -t "$IMAGE":dev preprocessor/
+    - docker pull "$IMAGE":staging || true
+    - docker build --cache-from "$IMAGE":staging -t "$IMAGE":dev preprocessor/
     - IMAGE="$CI_REGISTRY_IMAGE/pvs_client"
-    - docker pull "$IMAGE":latest || true
-    - docker build --cache-from "$IMAGE":latest -t "$IMAGE":dev client/
+    - docker pull "$IMAGE":staging || true
+    - docker build --cache-from "$IMAGE":staging -t "$IMAGE":dev client/
     - IMAGE="$CI_REGISTRY_IMAGE/pvs_cache"
-    - docker pull "$IMAGE":latest || true
-    - docker build --cache-from "$IMAGE":latest -t "$IMAGE":dev cache/
+    - docker pull "$IMAGE":staging || true
+    - docker build --cache-from "$IMAGE":staging -t "$IMAGE":dev cache/
     - IMAGE="$CI_REGISTRY_IMAGE/fluentd"
-    - docker pull "$IMAGE":latest || true
-    - docker build --cache-from "$IMAGE":latest -t "$IMAGE":dev fluentd/
+    - docker pull "$IMAGE":staging || true
+    - docker build --cache-from "$IMAGE":staging -t "$IMAGE":dev fluentd/
     - IMAGE="$CI_REGISTRY_IMAGE/pvs_ingestor"
-    - docker pull "$IMAGE":latest || true
-    - docker build --cache-from "$IMAGE":latest -t "$IMAGE":dev ingestor/
+    - docker pull "$IMAGE":staging || true
+    - docker build --cache-from "$IMAGE":staging -t "$IMAGE":dev ingestor/
     - cd ./testing && ./gitlab_test.sh
     - if [ $? -ne 0 ]; then exit 1; fi  # actually fail build
   except:
+    - tags
+    - staging
     - master

LICENSE

+Copyright (c) 2019-2020 EOX IT Services GmbH <https://eox.at>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -53,6 +53,13 @@ The following services are defined via docker compose files.
 * provides the endpoint for external access
 * configured via docker labels
 
+### shibauth
+
+* based on the external unicon/shibboleth-sp:3.0.4 Apache + Shibboleth SP3 image
+* provides authentication and authorization via SAML2
+* docker configuration files set access control rules
+* traefik labels determine which services are protected via Shib
+
 ### database
 
 * based on external postgis:10 image
@@ -173,7 +180,7 @@ The following services are defined via docker compose files.
 
 * uses external atmoz/sftp image
 * provides sftp access to two volumes for report exchange on registration result xmls and ingest requirement xmls
-* accessible on swarm master on port 2222 
+* accessible on swarm master on port 2222-22xx
 * credentials supplied via config
 
 # Usage
@@ -217,7 +224,7 @@ printf "<DJANGO_PASSWORD>" | docker secret create DJANGO_PASSWORD -
 printf "<OS_PASSWORD>" | docker secret create OS_PASSWORD -
 
 # configs creation
-printf "<user>:<password>:<UID>:<GID>" | docker config create sftp-users -
+printf "<user>:<password>:<UID>:<GID>" | docker config create sftp_users_<name> -
 # for production base stack deployment, additional basic authentication credentials list need to be created
 # format of such a list used by traefik are username:hashedpassword (MD5, SHA1, BCrypt)
 sudo apt-get install apache2-utils
@@ -226,6 +233,18 @@ docker secret create BASIC_AUTH_USERS_AUTH auth_list.txt
 docker secret create BASIC_AUTH_USERS_APIAUTH auth_list_api.txt
 ```
 
+In case **shibauth** service will be used, for production deployment, two more secrets need to be created for each stack, where **shibauth** is deployed. These ensure that the SP is recognized and its identity confirmed by the IDP. They are configured as **stack-name-capitalized_SHIB_KEY** and **stack-name-capitalized_SHIB_CERT**. In order to create them, use the attached **keygen.sh** command-line tool in */config* folder. 
+```bash
+SPURL="https://emg.pass.copernicus.eu" # service initial access point made accessible by traefik
+./config/keygen.sh -h $SPURL -y 20 -e https://$SPURL/shibboleth -n sp-signing -f
+docker secret create EMG_SHIB_CERT sp-signing-cert.pem 
+docker secret create EMG_SHIB_KEY sp-signing-key.pem 
+```
+Additionally a docker config `idp-metadata` containing the metadata of the used IDP needs to be added:
+```bash
+docker config create idp_metadata idp-metadata-received.xml 
+```
+
 Deploy the stack in dev environment:
 ```
 docker stack deploy -c docker-compose.vhr18.yml -c docker-compose.vhr18.dev.yml -c docker-compose.logging.yml -c docker-compose.logging.dev.yml vhr18-pvs  # start VHR_IMAGE_2018 stack in dev mode, for example to use local sources
@@ -285,7 +304,7 @@ On production machine, `fluentd` is set as a logging driver for docker daemon by
 
 The `SFTP` image allow remote access into 2 logging folders, you can define (edit/add) users, passwords and (UID/GID) using `docker config create` mentioned above.
 
-In the below example the username is `eox`, once the stack is deployed you can sftp into the logging folders through port 2222 on -if you are running the dev stack- localhost :
+In the below example the username is `eox`, once the stack is deployed you can sftp into the logging folders through port 2222 (for ``vhr18``, ``emg`` and ``dem`` have 2223 and 2224 respectively) if you are running the dev stack localhost :
 
 ```bash
 sftp -P 2222 eox@127.0.0.1
@@ -294,7 +313,6 @@ You will log in  into`/home/eox/data` directory which contains the 2 logging dir
 
  **NOTE:**  The mounted directory that you are directed into is *`/home/user`*, where `user` is the username, hence when setting / editing  the username in configs, the `sftp` mounted volumes path in `docker-compose.<collection>.yml` must change respectively.
  
-
 # Documentation
 
 ## Installation
@@ -323,6 +341,21 @@ The documentation is generated in the respective *_build/html* directory.
 
 # Create software releases
 
+## Release a new vs version
+
+We use [bump2version](https://github.com/c4urself/bump2version) to increment versions of invividual docker images and create git tags. Tags after push trigger CI `docker push` action of versioned images. It also updates used image versions in `.ops` docker compose files.
+
+Pushing to `master` branch updates `latest` images, while `staging` branch push updates `staging` images.
+For **versions** in general, we use semantic versioning with format {major}.{minor}.{patch}-{release}.{build}.
+First check deployed staging version on staging platform (TBD), then if no problems are found, proceed.
+Following operation should be done on `staging` or `master` branch.
+```
+bump2version <major/minor/patch/release/build>
+git push
+git push --tags
+```
+If it was done on `staging` branch, then it should be merged to `master`, unless only a patch to previous major versions is made.
+A hotfix to production is developed in a branch initiated from master, then merged to staging for verification. It is then merged to master for release.
 ## Source code release
 
 Create a TAR from source code:

cache/Dockerfile

@@ -31,7 +31,7 @@ LABEL name="prism view server cache" \
       vendor="EOX IT Services GmbH <https://eox.at>" \
       license="MIT Copyright (C) 2019 EOX IT Services GmbH <https://eox.at>" \
       type="prism view server cache" \
-      version="0.0.1-dev"
+      version="1.0.0-rc.2"
 
 USER root
 ADD install.sh \

client/Dockerfile

@@ -31,6 +31,6 @@ LABEL name="prism view server client" \
       vendor="EOX IT Services GmbH <https://eox.at>" \
       license="MIT Copyright (C) 2019 EOX IT Services GmbH <https://eox.at>" \
       type="prism view server client" \
-      version="0.0.1-dev"
+      version="1.0.0-rc.2"
 
 COPY html/ /usr/share/nginx/html/

config/dem_index-dev.html

@@ -3,6 +3,7 @@
 <head>
   <meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
   <meta charset="UTF-8">
+  <meta name="application" content="VS Client release-1.0.0-rc.2">
   <title>PRISM View Server</title>
   <link rel="icon" href="//eox.at/wp-content/uploads/2015/06/cropped-eox_eye-192x192.png" sizes="192x192" />
   <link rel="apple-touch-icon-precomposed" href="//eox.at/wp-content/uploads/2015/06/cropped-eox_eye-180x180.png" />

config/dem_index-ops.html

@@ -3,6 +3,7 @@
 <head>
   <meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
   <meta charset="UTF-8">
+  <meta name="application" content="VS Client release-1.0.0-rc.2">
   <title>PRISM View Server</title>
   <link rel="icon" href="//eox.at/wp-content/uploads/2015/06/cropped-eox_eye-192x192.png" sizes="192x192" />
   <link rel="apple-touch-icon-precomposed" href="//eox.at/wp-content/uploads/2015/06/cropped-eox_eye-180x180.png" />

config/dem_registrar-config.yml

@@ -10,6 +10,7 @@ sources:
         auth_version: !env '${ST_AUTH_VERSION}'
         auth_url: !env '${OS_AUTH_URL}'
         auth_url_short: !env '${OS_AUTH_URL_SHORT}'
+        container: !env '${UPLOAD_CONTAINER}'
 
 schemes:
   - type: gsc

config/emg_index-dev.html

@@ -3,6 +3,7 @@
 <head>
   <meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
   <meta charset="UTF-8">
+  <meta name="application" content="VS Client release-1.0.0-rc.2">
   <title>PRISM View Server</title>
   <link rel="icon" href="//eox.at/wp-content/uploads/2015/06/cropped-eox_eye-192x192.png" sizes="192x192" />
   <link rel="apple-touch-icon-precomposed" href="//eox.at/wp-content/uploads/2015/06/cropped-eox_eye-180x180.png" />

config/emg_index-ops.html

@@ -3,6 +3,7 @@
 <head>
   <meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
   <meta charset="UTF-8">
+  <meta name="application" content="VS Client release-1.0.0-rc.2">
   <title>PRISM View Server</title>
   <link rel="icon" href="//eox.at/wp-content/uploads/2015/06/cropped-eox_eye-192x192.png" sizes="192x192" />
   <link rel="apple-touch-icon-precomposed" href="//eox.at/wp-content/uploads/2015/06/cropped-eox_eye-180x180.png" />

config/emg_registrar-config.yml

@@ -10,6 +10,7 @@ sources:
         auth_version: !env '${ST_AUTH_VERSION}'
         auth_url: !env '${OS_AUTH_URL}'
         auth_url_short: !env '${OS_AUTH_URL_SHORT}'
+        container: !env '${UPLOAD_CONTAINER}'
 
 schemes:
   - type: gsc

config/shibboleth/attribute-map.xml

+<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+    <Attribute name="urn:mace:dir:attribute-def:cds-spci-es_oa-signed-tcs" id="spField1"/>
+    <Attribute name="urn:mace:dir:attribute-def:cds-spci-es_oa-user-category" id="spField2"/>
+</Attributes>

config/shibboleth/dem-ac-cache.xml

+<AccessControl
+type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl">
+  <AND>
+    <RuleRegex require="spField1">.+</RuleRegex>
+    <Rule require="spField2">
+      Copernicus_Services Union_Inst Union_Research_Projects_space Union_Research_Projects_non-space TP_Data_Providers Data_Access_Services Ops_Space_Inf_Services Public_Auth Int_Org_NGO
+    </Rule>
+  </AND>
+</AccessControl>

config/shibboleth/dem-ac.xml

+<AccessControl
+type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl">
+  <AND>
+    <RuleRegex require="spField1">.+</RuleRegex>
+    <Rule require="spField2">
+      Copernicus_Services Union_Inst Union_Research_Projects_space Union_Research_Projects_non-space TP_Data_Providers Data_Access_Services Ops_Space_Inf_Services
+    </Rule>
+  </AND>
+</AccessControl>

config/shibboleth/dem-shibboleth2.xml

+<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    clockSkew="180">
+    <ApplicationDefaults entityID="https://dem.pass.copernicus.eu/shibboleth"
+                         REMOTE_USER="eppn uid persistent-id targeted-id">
+        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+                  checkAddress="false" handlerSSL="true" cookieProps="https">
+            <SSO entityID="https://umssoidp.cdsv3.eu:443/shibboleth">
+              SAML2 
+            </SSO>
+            <Logout>SAML2 Local</Logout>
+            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+        </Sessions>
+        <Errors supportContact="admin@eox.at"
+            helpLocation="/about.html"/>
+        <MetadataProvider type="XML" validate="false" path="idp-metadata.xml"/>
+        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+        <AttributeResolver type="Query" subjectMatch="true"/>
+        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+        <CredentialResolver type="File" key="/run/secrets/SHIB_KEY" certificate="/run/secrets/SHIB_CERT"/>
+    </ApplicationDefaults>
+    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>
\ No newline at end of file

config/shibboleth/emg-ac-cache.xml

+<AccessControl
+type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl">
+  <AND>
+    <RuleRegex require="spField1">.+</RuleRegex>
+    <Rule require="spField2">
+      Copernicus_Services Union_Inst Union_Research_Projects_space Union_Research_Projects_non-space Public_Auth
+    </Rule>
+  </AND>
+</AccessControl>

config/shibboleth/emg-ac.xml

+<AccessControl
+type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl">
+  <AND>
+    <RuleRegex require="spField1">.+</RuleRegex>
+    <Rule require="spField2">
+      Copernicus_Services Union_Inst Union_Research_Projects_space Union_Research_Projects_non-space Public_Auth
+    </Rule>
+  </AND>
+</AccessControl>

config/shibboleth/emg-shibboleth2.xml

+<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    clockSkew="180">
+    <ApplicationDefaults entityID="https://emg.pass.copernicus.eu/shibboleth"
+                         REMOTE_USER="eppn uid persistent-id targeted-id">
+        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+                  checkAddress="false" handlerSSL="true" cookieProps="https">
+            <SSO entityID="https://umssoidp.cdsv3.eu:443/shibboleth">
+              SAML2 
+            </SSO>
+            <Logout>SAML2 Local</Logout>
+            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+        </Sessions>
+        <Errors supportContact="admin@eox.at"
+            helpLocation="/about.html"/>
+        <MetadataProvider type="XML" validate="false" path="idp-metadata.xml"/>
+        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+        <AttributeResolver type="Query" subjectMatch="true"/>
+        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+        <CredentialResolver type="File" key="/run/secrets/SHIB_KEY" certificate="/run/secrets/SHIB_CERT"/>
+    </ApplicationDefaults>
+    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>
\ No newline at end of file

config/shibboleth/index.html

+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <title>Authentication Success</title>
+</head>
+<body>
+    <h1>Your login was successful and you were granted access to the service.
+      Please access the URL, which you originally requested. Proper redirection is not implemented yet.</h1>
+</body>
+</html>