server:
  port: 8082
  ssl:
    bundle: infra
  servlet:
    context-path: /

spring:
  application:
    name: IdM-Service
  mail:
    host: relay-1.swedenconnect.se
    port: 587
    username: <%= scope.call_function('safe_hiera', ['smtp_user'])  %>
    password: <%= scope.call_function('safe_hiera', ['smtp_password'])  %>
  security:
    oauth2:
      resourceserver:
        jwt:
          public-key-location: classpath:connector-oauth2.pub
          audiences:
            - ${idm.oauth2-id}
  ssl:
    bundle:
      pem:
        infra:
          keystore:
            private-key: file:/etc/ssl/private/<%= @fqdn %>_infra.key
            certificate: file:/etc/ssl/certs/<%= @fqdn %>_infra.crt
          truststore:
            certificate: file:/etc/ssl/certs/infra.crt
  data:
    redis:
      password: '<%= scope.call_function('safe_hiera', ['redis_password'])  %>'
      cluster:
        nodes:
          <%- @redises.each do |host| -%>
          - <%= host %>:6379
          - <%= host %>:6380
          <%- end -%>
      ssl:
        enabled: true
      ssl-ext:
        # redis or java require IP addresses in cert if verifcation is turned on
        # Caused by: java.util.concurrent.CompletionException:
        # javax.net.ssl.SSLHandshakeException: No subject alternative names
        # matching IP address 89.46.20.236 found
        enable-hostname-verification: false
        credential:
          resource: file:/etc/ssl/private/<%= @fqdn %>_infra.p12
          password: qwerty123
        trust:
          resource: file:/etc/ssl/certs/infra.p12
          password: qwerty123

  datasource:
    url: jdbc:mariadb:loadbalance://<%= @dbs_string %>/idm
    username: idm
    password: <%= scope.call_function('safe_hiera', ['sql_password'])  %>

  liquibase:
    enabled: true # Generates database schema/tables
    change-log: classpath:changelogs/changelog-master.xml

navet:
  authorization-url: https://sysorgoauth2.test.skatteverket.se/oauth2/v1/sysorg/token
  base-url: https://api.test.skatteverket.se/folkbokforing/folkbokforingsuppgifter-for-offentliga-aktorer/v2
  bestallnings-identitet: 00000236-FO01-0001
  organisationsnummer: 162021004748
  secret:
    key-store: classpath:/certificate/navet/64905004722e1.p12
    key-store-password: 4729451359506045
    credentials:
      gateway:
        client-id: d3e1d1563a504f17acb2b33a51097a99
        client-secret: 9eE7A58695fc46DF9f563B058ffB36F1
      authorization-server:
        client-id: d34f109e3a11d02d744394423a020023e9bab0cd3ff78d63
        client-secret: ebc8b00ca4b08e790b208dc0abd460273fa6c459bc2f0023e9bab0cd3ff78d63

idm:
  # XXX fix URL replacement
  # XXX fix OAUTH
  mrecord:
    api:
      connector-id: <%= scope.call_function('safe_hiera', ['connector_id'])  %>
      check-scope:  ${idm.oauth2-id}/idrecord_check
      get-scope: ${idm.oauth2-id}/idrecord_get
    db:
      key-store-type: jceks
      key-store: classpath:dbkey.jceks
      key-store-password: secret
      key-alias: dbkey
      key-password: secret
  auth:
    destination-url: <%= scope.call_function('safe_hiera', ['destination_url'])  %>
    auth-return-url: <%= scope.call_function('safe_hiera', ['auth_return_url'])  %>
    discover-return-url: <%= scope.call_function('safe_hiera', ['discover_return_url'])  %>
    client-id: <%= scope.call_function('safe_hiera', ['client_id'])  %>
    trusted-certificates:
    - classpath:idp.cert
    id-strategy: STATIC
  rate-limits:
    capacity: 4
    time: 86400
  email:
    enabled: true
    no-reply-email: noreply@swedenconnect.se
  storage:
    pending-relative-sign-time-to-live-in-hours: 336
  oauth2-id: <%= scope.call_function('safe_hiera', ['oauth2_id'])  %>


signservice:
  discovery:
    metadata-cache-file: /tmp/metadata-cache.xml
    allowed-entity-ids:
      - http://local.dev.swedenconnect.se/idp
      - https://bankid.swedenconnect.se/idp/local
      - https://idp-sweden-connect-valfr-2017-sandbox.test.frejaeid.com
    federation-metadata-location: https://eid.svelegtest.se/metadata/mdx/role/idp.xml
    metadata-validation-certificate: classpath:certificate/metadata/sandbox-metadata.crt
  config:
    policy: localdev
    default-sign-requester-id: https://sandbox.swedenconnect.se/idm
    default-return-url: https://sandbox.swedenconnect.se/idm/frontend/common/validateSign
    sign-service-id: https://sandbox.swedenconnect.se/signservice
    default-destination-url: https://sandbox.swedenconnect.se/signservice/sign/idm/signreq
    default-signature-algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
    sign-service-certificates:
      - classpath:certificate/signservice/signservice.crt
    trust-anchors:
      - classpath:certificate/signservice/test-ca.crt
  credential:
    type: JKS
    resource: classpath:certificate/signservice/sign-client.jks
    password: secret
    alias: client
    key-password: secret
  response:
    config:
      strict-processing: false
      maximum-allowed-response-age: 180000
      allowed-clock-skew: 60000
      require-assertion: true