Work in progress with boilerplate files

Signed-off-by: Marco Emilio "sphakka" Poleggi <marcoep@ieee.org>

.gitignore

 README.html
+id_*
+*.pem
+*.key
\ No newline at end of file

Ansible/ansible.cfg

+[defaults]
+inventory = hosts.yml
+remote_user = terraform
+private_key_file = keys/id_ed25519
+host_key_checking = false
+deprecation_warnings = false
+interpreter_python = auto_silent

Ansible/hosts.yml

+all:
+  hosts:
+    testserver:
+      ansible_ssh_host: '<your-VM-IP>'
+
+    # aliases
+    tfserver:
+      testserver:
+
+    project-web-sso:
+      testserver:

Ansible/keys/README.md

+Files dropped here with names "id_*" won't be committed -- see the top-level
+.gitignore file.

Ansible/playbooks/files/kind-config.yaml

+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+# patch the generated kubeadm config with some extra settings
+kubeadmConfigPatches:
+- |
+  apiVersion: kubelet.config.k8s.io/v1beta1
+  kind: KubeletConfiguration
+  evictionHard:
+    nodefs.available: "0%"
+# patch it further using a JSON 6902 patch
+kubeadmConfigPatchesJSON6902:
+- group: kubeadm.k8s.io
+  version: v1beta3
+  kind: ClusterConfiguration
+  patch: |
+    - op: add
+      path: /apiServer/certSANs/-
+      value: my-hostname
+
+# Comment in this to fix the API port so that you can use kubectl via an SSH
+# tunnel started from the management machine with:
+#   $ ssh -L 6443:localhost:6443 <remote-kube-host>
+# References: <https://github.com/kubernetes-sigs/kind/issues/3417#issuecomment-1806231832>
+networking:
+  apiServerPort: 6443
+
+nodes:
+- role: control-plane
+- role: worker
+  labels:
+    application: hepia-bachelor-web-sso

Ansible/playbooks/files/lb-deployment.yaml

+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: http-echo
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: http-echo
+  template:
+    metadata:
+      labels:
+        app: http-echo
+    spec:
+      nodeSelector:
+        kubernetes.io/hostname: kind-worker  # Schedule pods on one worker node
+      containers:
+      - name: http-echo
+        image: hashicorp/http-echo
+        args:
+        - >-
+          -text=Hello from Kubernetes! My IP is $(POD_IP)
+        env:
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        ports:
+        - containerPort: 5678
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: loadbalancer
+spec:
+  type: LoadBalancer
+  selector:
+    app: http-echo
+  ports:
+  - port: 80
+    targetPort: 5678

Ansible/playbooks/files/metallb.yaml

+# Layer 2 configuration
+# <https://metallb.universe.tf/configuration/#layer-2-configuration>
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+  name: default
+  namespace: metallb-system
+spec:
+  addresses:
+    - 172.18.0.1/24  # Adjust this range based on your Docker network
+---
+apiVersion: metallb.io/v1beta1
+kind: L2Advertisement
+metadata:
+  name: default
+  namespace: metallb-system

Ansible/playbooks/kind-metallb.yml

+---

Application/backend/app.log

-2024-12-02 12:10:55,122 - __main__ - INFO - Starting Flask application...
-2024-12-02 12:11:05,697 - __main__ - INFO - Starting Flask application...
-2024-12-02 12:11:05,701 - werkzeug - INFO - WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
- * Running on all addresses (0.0.0.0)
- * Running on http://127.0.0.1:8000
- * Running on http://192.168.1.93:8000
-2024-12-02 12:11:05,701 - werkzeug - INFO - Press CTRL+C to quit
-2024-12-02 12:11:50,693 - werkzeug - INFO - 127.0.0.1 - - [02/Dec/2024 12:11:50] "OPTIONS /enroll HTTP/1.1" 200 -
-2024-12-02 12:11:50,703 - __main__ - INFO - Enrollment attempt for email: test@gmail.com
-2024-12-02 12:11:51,392 - __main__ - ERROR - Unexpected error: An error occurred (InvalidAccessKeyId) when calling the PutObject operation: Unknown
-2024-12-02 12:11:51,396 - werkzeug - INFO - 127.0.0.1 - - [02/Dec/2024 12:11:51] "POST /enroll HTTP/1.1" 500 -
-2024-12-02 12:19:27,242 - __main__ - INFO - Starting Flask application...
-2024-12-02 12:19:27,246 - werkzeug - INFO - WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
- * Running on all addresses (0.0.0.0)
- * Running on http://127.0.0.1:8000
- * Running on http://192.168.1.93:8000
-2024-12-02 12:19:27,246 - werkzeug - INFO - Press CTRL+C to quit
-2024-12-02 12:19:42,112 - werkzeug - INFO - 127.0.0.1 - - [02/Dec/2024 12:19:42] "OPTIONS /enroll HTTP/1.1" 200 -
-2024-12-02 12:19:42,115 - __main__ - INFO - Enrollment attempt for email: test@gmail.com
-2024-12-02 12:19:42,700 - __main__ - ERROR - Unexpected error: An error occurred (InvalidAccessKeyId) when calling the PutObject operation: Unknown
-2024-12-02 12:19:42,702 - werkzeug - INFO - 127.0.0.1 - - [02/Dec/2024 12:19:42] "POST /enroll HTTP/1.1" 500 -
-2024-12-02 12:20:19,205 - __main__ - INFO - AWS_ACCESS_KEY_ID: AKIAVEKYIBTQEJB2XSNM
-2024-12-02 12:20:19,205 - __main__ - INFO - AWS_SECRET_ACCESS_KEY: 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
-2024-12-02 12:20:19,205 - __main__ - INFO - AWS_ENDPOINT_URL: https://os.zhdk.cloud.switch.ch
-2024-12-02 12:20:19,205 - __main__ - INFO - S3_BUCKET_NAME: cloud-bach-proj
-2024-12-02 12:20:19,272 - __main__ - INFO - Starting Flask application...
-2024-12-02 12:20:19,274 - werkzeug - INFO - WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
- * Running on all addresses (0.0.0.0)
- * Running on http://127.0.0.1:8000
- * Running on http://192.168.1.93:8000
-2024-12-02 12:20:19,274 - werkzeug - INFO - Press CTRL+C to quit
-2024-12-02 12:21:40,705 - __main__ - INFO - SWTICH_ACCESS_KEY_ID: None
-2024-12-02 12:21:40,705 - __main__ - INFO - SWITCH_SECRET_ACCESS_KEY: None
-2024-12-02 12:21:40,705 - __main__ - INFO - SWTICH_ENDPOINT_URL: None
-2024-12-02 12:21:40,705 - __main__ - INFO - S3_BUCKET_NAME: cloud-bach-proj
-2024-12-02 12:21:40,713 - botocore.credentials - INFO - Found credentials in environment variables.
-2024-12-02 12:21:40,766 - botocore.configprovider - INFO - Found endpoint for s3 via: environment_global.
-2024-12-02 12:21:40,770 - __main__ - INFO - Starting Flask application...
-2024-12-02 12:21:40,773 - werkzeug - INFO - WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
- * Running on all addresses (0.0.0.0)
- * Running on http://127.0.0.1:8000
- * Running on http://192.168.1.93:8000
-2024-12-02 12:21:40,773 - werkzeug - INFO - Press CTRL+C to quit
-2024-12-02 12:21:51,332 - __main__ - INFO - SWTICH_ACCESS_KEY_ID: None
-2024-12-02 12:21:51,332 - __main__ - INFO - SWITCH_SECRET_ACCESS_KEY: None
-2024-12-02 12:21:51,332 - __main__ - INFO - SWTICH_ENDPOINT_URL: None
-2024-12-02 12:21:51,332 - __main__ - INFO - S3_BUCKET_NAME: cloud-bach-proj
-2024-12-02 12:21:51,340 - botocore.credentials - INFO - Found credentials in environment variables.
-2024-12-02 12:21:51,389 - botocore.configprovider - INFO - Found endpoint for s3 via: environment_global.
-2024-12-02 12:21:51,394 - __main__ - INFO - Starting Flask application...
-2024-12-02 12:21:51,396 - werkzeug - INFO - WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
- * Running on all addresses (0.0.0.0)
- * Running on http://127.0.0.1:8000
- * Running on http://192.168.1.93:8000
-2024-12-02 12:21:51,396 - werkzeug - INFO - Press CTRL+C to quit
-2024-12-02 12:23:04,117 - __main__ - INFO - SWTICH_ACCESS_KEY_ID: None
-2024-12-02 12:23:04,117 - __main__ - INFO - SWITCH_SECRET_ACCESS_KEY: None
-2024-12-02 12:23:04,117 - __main__ - INFO - SWTICH_ENDPOINT_URL: None
-2024-12-02 12:23:04,117 - __main__ - INFO - S3_BUCKET_NAME: None
-2024-12-02 12:23:04,126 - botocore.credentials - INFO - Found credentials in environment variables.
-2024-12-02 12:23:04,196 - __main__ - CRITICAL - S3_BUCKET_NAME environment variable is not set
-2024-12-02 12:53:11,151 - __main__ - INFO - SWTICH_ACCESS_KEY_ID: 4406dbe746a24614a9bc8f7ec864e59f
-2024-12-02 12:53:11,151 - __main__ - INFO - SWITCH_SECRET_ACCESS_KEY: cec6e60954b24a51923fe5aaea9fbb3b
-2024-12-02 12:53:11,151 - __main__ - INFO - SWTICH_ENDPOINT_URL: https://os.zhdk.cloud.switch.ch
-2024-12-02 12:53:11,151 - __main__ - INFO - S3_BUCKET_NAME: cloud-bach-proj
-2024-12-02 12:53:11,385 - __main__ - INFO - Starting Flask application...
-2024-12-02 12:53:11,391 - werkzeug - INFO - WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
- * Running on all addresses (0.0.0.0)
- * Running on http://127.0.0.1:8000
- * Running on http://192.168.1.93:8000
-2024-12-02 12:53:11,391 - werkzeug - INFO - Press CTRL+C to quit
-2024-12-02 12:53:19,651 - werkzeug - INFO - 127.0.0.1 - - [02/Dec/2024 12:53:19] "OPTIONS /enroll HTTP/1.1" 200 -
-2024-12-02 12:53:19,656 - __main__ - INFO - Enrollment attempt for email: test@gmail.com
-2024-12-02 12:53:20,645 - __main__ - ERROR - Unexpected error: An error occurred (NoSuchBucket) when calling the PutObject operation: Unknown
-2024-12-02 12:53:20,647 - werkzeug - INFO - 127.0.0.1 - - [02/Dec/2024 12:53:20] "POST /enroll HTTP/1.1" 500 -
-2024-12-02 12:54:00,835 - __main__ - INFO - SWTICH_ACCESS_KEY_ID: 4406dbe746a24614a9bc8f7ec864e59f
-2024-12-02 12:54:00,835 - __main__ - INFO - SWITCH_SECRET_ACCESS_KEY: cec6e60954b24a51923fe5aaea9fbb3b
-2024-12-02 12:54:00,835 - __main__ - INFO - SWTICH_ENDPOINT_URL: https://os.zhdk.cloud.switch.ch
-2024-12-02 12:54:00,835 - __main__ - INFO - S3_BUCKET_NAME: cloud-bach-proj
-2024-12-02 12:54:00,923 - __main__ - INFO - Starting Flask application...
-2024-12-02 12:54:01,360 - werkzeug - INFO - WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
- * Running on all addresses (0.0.0.0)
- * Running on http://127.0.0.1:8000
- * Running on http://192.168.1.93:8000
-2024-12-02 12:54:01,361 - werkzeug - INFO - Press CTRL+C to quit
-2024-12-02 12:54:09,932 - werkzeug - INFO - 127.0.0.1 - - [02/Dec/2024 12:54:09] "OPTIONS /enroll HTTP/1.1" 200 -
-2024-12-02 12:54:09,937 - __main__ - INFO - Enrollment attempt for email: test@gmail.com
-2024-12-02 12:54:10,203 - __main__ - INFO - Successfully enrolled user: test@gmail.com
-2024-12-02 12:54:10,205 - werkzeug - INFO - 127.0.0.1 - - [02/Dec/2024 12:54:10] "POST /enroll HTTP/1.1" 200 -
-2024-12-02 12:54:19,954 - werkzeug - INFO - 127.0.0.1 - - [02/Dec/2024 12:54:19] "OPTIONS /login HTTP/1.1" 200 -
-2024-12-02 12:54:19,960 - __main__ - INFO - Login attempt for email: test@gmail.com
-2024-12-02 12:54:20,282 - werkzeug - INFO - 127.0.0.1 - - [02/Dec/2024 12:54:20] "POST /login HTTP/1.1" 200 -
-2024-12-02 12:54:27,064 - werkzeug - INFO - 127.0.0.1 - - [02/Dec/2024 12:54:27] "OPTIONS /logout HTTP/1.1" 200 -
-2024-12-02 12:54:27,069 - werkzeug - INFO - 127.0.0.1 - - [02/Dec/2024 12:54:27] "POST /logout HTTP/1.1" 400 -
-2024-12-02 12:55:40,966 - werkzeug - INFO - 127.0.0.1 - - [02/Dec/2024 12:55:40] "OPTIONS /logout HTTP/1.1" 200 -
-2024-12-02 12:55:40,971 - werkzeug - INFO - 127.0.0.1 - - [02/Dec/2024 12:55:40] "POST /logout HTTP/1.1" 400 -
-2024-12-02 12:55:46,985 - __main__ - INFO - SWTICH_ACCESS_KEY_ID: 4406dbe746a24614a9bc8f7ec864e59f
-2024-12-02 12:55:46,985 - __main__ - INFO - SWITCH_SECRET_ACCESS_KEY: cec6e60954b24a51923fe5aaea9fbb3b
-2024-12-02 12:55:46,985 - __main__ - INFO - SWTICH_ENDPOINT_URL: https://os.zhdk.cloud.switch.ch
-2024-12-02 12:55:46,985 - __main__ - INFO - S3_BUCKET_NAME: cloud-bach-proj
-2024-12-02 12:55:47,082 - __main__ - INFO - Starting Flask application...
-2024-12-02 12:55:47,580 - werkzeug - INFO - WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
- * Running on all addresses (0.0.0.0)
- * Running on http://127.0.0.1:8000
- * Running on http://192.168.1.93:8000
-2024-12-02 12:55:47,580 - werkzeug - INFO - Press CTRL+C to quit
-2024-12-02 12:55:53,216 - werkzeug - INFO - 127.0.0.1 - - [02/Dec/2024 12:55:53] "OPTIONS /login HTTP/1.1" 200 -
-2024-12-02 12:55:53,221 - __main__ - INFO - Login attempt for email: test@gmail.com
-2024-12-02 12:55:53,396 - werkzeug - INFO - 127.0.0.1 - - [02/Dec/2024 12:55:53] "POST /login HTTP/1.1" 200 -
-2024-12-02 12:55:54,335 - werkzeug - INFO - 127.0.0.1 - - [02/Dec/2024 12:55:54] "OPTIONS /logout HTTP/1.1" 200 -
-2024-12-02 12:55:54,340 - werkzeug - INFO - 127.0.0.1 - - [02/Dec/2024 12:55:54] "POST /logout HTTP/1.1" 400 -
-2024-12-02 12:56:23,774 - werkzeug - INFO - 127.0.0.1 - - [02/Dec/2024 12:56:23] "OPTIONS /logout HTTP/1.1" 200 -
-2024-12-02 12:56:23,780 - werkzeug - INFO - 127.0.0.1 - - [02/Dec/2024 12:56:23] "POST /logout HTTP/1.1" 400 -
-2024-12-02 12:56:30,635 - werkzeug - INFO - 127.0.0.1 - - [02/Dec/2024 12:56:30] "OPTIONS /login HTTP/1.1" 200 -
-2024-12-02 12:56:30,641 - __main__ - INFO - Login attempt for email: test@gmail.com
-2024-12-02 12:56:31,075 - werkzeug - INFO - 127.0.0.1 - - [02/Dec/2024 12:56:31] "POST /login HTTP/1.1" 200 -
-2024-12-02 12:56:32,425 - werkzeug - INFO - 127.0.0.1 - - [02/Dec/2024 12:56:32] "OPTIONS /logout HTTP/1.1" 200 -
-2024-12-02 12:56:32,430 - werkzeug - INFO - 127.0.0.1 - - [02/Dec/2024 12:56:32] "POST /logout HTTP/1.1" 400 -
-2024-12-02 12:57:02,178 - werkzeug - INFO - 127.0.0.1 - - [02/Dec/2024 12:57:02] "OPTIONS /login HTTP/1.1" 200 -
-2024-12-02 12:57:02,184 - __main__ - INFO - Login attempt for email: test@gmail.com
-2024-12-02 12:57:02,825 - werkzeug - INFO - 127.0.0.1 - - [02/Dec/2024 12:57:02] "POST /login HTTP/1.1" 200 -
-2024-12-02 12:57:04,463 - werkzeug - INFO - 127.0.0.1 - - [02/Dec/2024 12:57:04] "OPTIONS /logout HTTP/1.1" 200 -
-2024-12-02 12:57:05,167 - werkzeug - INFO - 127.0.0.1 - - [02/Dec/2024 12:57:05] "POST /logout HTTP/1.1" 200 -
-2024-12-09 09:10:26,299 - __main__ - INFO - SWTICH_ACCESS_KEY_ID: 4406dbe746a24614a9bc8f7ec864e59f
-2024-12-09 09:10:26,299 - __main__ - INFO - SWITCH_SECRET_ACCESS_KEY: cec6e60954b24a51923fe5aaea9fbb3b
-2024-12-09 09:10:26,299 - __main__ - INFO - SWTICH_ENDPOINT_URL: https://os.zhdk.cloud.switch.ch
-2024-12-09 09:10:26,299 - __main__ - INFO - S3_BUCKET_NAME: cloud-bach-proj
-2024-12-09 09:10:26,615 - __main__ - INFO - Starting Flask application...
-2024-12-09 09:10:27,453 - werkzeug - INFO - WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
- * Running on all addresses (0.0.0.0)
- * Running on http://127.0.0.1:8000
- * Running on http://192.168.1.159:8000
-2024-12-09 09:10:27,453 - werkzeug - INFO - Press CTRL+C to quit
-2024-12-09 09:20:42,041 - werkzeug - INFO - 127.0.0.1 - - [09/Dec/2024 09:20:42] "OPTIONS /enroll HTTP/1.1" 200 -
-2024-12-09 09:20:42,045 - __main__ - INFO - Enrollment attempt for email: sapos@hotmail.com
-2024-12-09 09:20:43,477 - __main__ - INFO - Successfully enrolled user: sapos@hotmail.com
-2024-12-09 09:20:43,478 - werkzeug - INFO - 127.0.0.1 - - [09/Dec/2024 09:20:43] "POST /enroll HTTP/1.1" 200 -
-2024-12-09 09:20:52,022 - werkzeug - INFO - 127.0.0.1 - - [09/Dec/2024 09:20:52] "OPTIONS /login HTTP/1.1" 200 -
-2024-12-09 09:20:52,026 - __main__ - INFO - Login attempt for email: sapos@hotmail.com
-2024-12-09 09:20:52,208 - werkzeug - INFO - 127.0.0.1 - - [09/Dec/2024 09:20:52] "POST /login HTTP/1.1" 401 -
-2024-12-09 09:20:56,219 - __main__ - INFO - Login attempt for email: sapos@hotmail.com
-2024-12-09 09:20:56,909 - werkzeug - INFO - 127.0.0.1 - - [09/Dec/2024 09:20:56] "POST /login HTTP/1.1" 200 -
-2024-12-09 09:21:21,262 - werkzeug - INFO - 127.0.0.1 - - [09/Dec/2024 09:21:21] "OPTIONS /logout HTTP/1.1" 200 -
-2024-12-09 09:21:21,692 - werkzeug - INFO - 127.0.0.1 - - [09/Dec/2024 09:21:21] "POST /logout HTTP/1.1" 200 -
-2024-12-09 09:21:29,789 - werkzeug - INFO - 127.0.0.1 - - [09/Dec/2024 09:21:29] "OPTIONS /enroll HTTP/1.1" 200 -
-2024-12-09 09:21:29,793 - __main__ - INFO - Enrollment attempt for email: fran.abm94@gmail.com
-2024-12-09 09:21:30,036 - __main__ - INFO - Successfully enrolled user: fran.abm94@gmail.com
-2024-12-09 09:21:30,037 - werkzeug - INFO - 127.0.0.1 - - [09/Dec/2024 09:21:30] "POST /enroll HTTP/1.1" 200 -
-2024-12-09 09:21:54,239 - werkzeug - INFO - 127.0.0.1 - - [09/Dec/2024 09:21:54] "OPTIONS /login HTTP/1.1" 200 -
-2024-12-09 09:21:54,242 - __main__ - INFO - Login attempt for email: fran.abm94@gmail.com
-2024-12-09 09:21:54,689 - werkzeug - INFO - 127.0.0.1 - - [09/Dec/2024 09:21:54] "POST /login HTTP/1.1" 200 -
-2024-12-09 09:21:56,036 - werkzeug - INFO - 127.0.0.1 - - [09/Dec/2024 09:21:56] "OPTIONS /logout HTTP/1.1" 200 -
-2024-12-09 09:21:56,455 - werkzeug - INFO - 127.0.0.1 - - [09/Dec/2024 09:21:56] "POST /logout HTTP/1.1" 200 -
-2024-12-09 09:21:58,042 - werkzeug - INFO - 127.0.0.1 - - [09/Dec/2024 09:21:58] "OPTIONS /enroll HTTP/1.1" 200 -
-2024-12-09 09:21:58,044 - __main__ - INFO - Enrollment attempt for email: fran.abm94@gmail.com
-2024-12-09 09:21:58,125 - __main__ - INFO - Enrollment failed - user already exists: fran.abm94@gmail.com
-2024-12-09 09:21:58,126 - werkzeug - INFO - 127.0.0.1 - - [09/Dec/2024 09:21:58] "POST /enroll HTTP/1.1" 409 -
-2024-12-09 09:22:05,692 - werkzeug - INFO - 127.0.0.1 - - [09/Dec/2024 09:22:05] "OPTIONS /enroll HTTP/1.1" 200 -
-2024-12-09 09:22:05,694 - __main__ - INFO - Enrollment attempt for email: fran.abm@gmail.com
-2024-12-09 09:22:06,199 - __main__ - INFO - Successfully enrolled user: fran.abm@gmail.com
-2024-12-09 09:22:06,200 - werkzeug - INFO - 127.0.0.1 - - [09/Dec/2024 09:22:06] "POST /enroll HTTP/1.1" 200 -
-2024-12-09 09:22:16,204 - werkzeug - INFO - 127.0.0.1 - - [09/Dec/2024 09:22:16] "OPTIONS /login HTTP/1.1" 200 -
-2024-12-09 09:22:16,205 - __main__ - INFO - Login attempt for email: fran.abm@gmail.com
-2024-12-09 09:22:16,590 - werkzeug - INFO - 127.0.0.1 - - [09/Dec/2024 09:22:16] "POST /login HTTP/1.1" 200 -

README.md

@@ -20,47 +20,77 @@ S3 storage for the enrollment and session data.
 
 ## Architecture
 
-The system architecture is composed of 3 tiers:
-  1. The **front-end** that provides a log-in Web GUI (languages: HTML5, JS)
-     and sends incoming authentication requests to the back-end.
-  2. The **back-end** (languages: Python/Flask) that receives
-     and handles authentication requests from the front-end. All the session
-     logic is implemented here in a CRUD-like fashion: session objects are
-     stored in an S3-compatible storage.
+The system's 3-tier architecture is microservice-based:
+
+  1. The replicated **front-end** tier implements:
+      * a login Web GUI composed of several *views* (languages: HTML5, JS) and
+      * associated logic (languages: Python/Flask) which sends incoming
+        authentication requests to the back-end and returns the results to the
+        views.  The ingress/egress point is a load balancer that exposes an
+        external IP address.
+  2. The **back-end** tier (languages: Python/Flask) tier receives and handles
+     authentication requests from the front-end. All the enrollment and
+     session logic is implemented here in a CRUD-like fashion: corresponding
+     objects are stored in an S3-compatible storage.
   3. The **storage** tier is a standard S3-like object storage which can be
      accessed only by the back-end.
 
-:construction: **TO-DO**: add API diagrams: components, activity.
+![Application's architecture and deployment](app_arch_depl.png)
+*Application's architecture and deployment schema*
+
+
+### Infrastructure  and deployment
+
+The front-end replicas and the back-end are deployed in separate containers
+hosted by a Kubernetes-based MetalLB service deployment. The service, on its
+turn, is hosted by a 2-node KinD cluster installed on a single VM
+infrastructure.
 
 
 ### Front-end
 
-:construction: Web portal with REST-based functions, written in HTML5
-and JavaScript. The service routes are:
+Web portal with REST-based functions, written in HTML5, JavaScript (views) and
+Python/Flask (main logic). All related files are in directory `frontend/`.
 
-  * `enroll`: subscribe to the system with credentials
-  * `unenroll`: delete subscription credentials
+The REST service *routes* are:
+
+  * `enroll`: sign-up (subscribe) to the system with credentials
+  * `unenroll`: delete subscription credentials (remove account)
   * `login`: authenticate with e-mail and, if needed (first login), password
   * `logout`: de-authenticate by removing the current session
 
-:construction: **TO-DO**: add API prototypes.
+The following files in directory `views/` handle the client-side workflow.
+
+  * `index.html` provides just two buttons:
+      * "Login" linked to the view `login.html`
+      * "Sign up" (enroll) linked to the view `signup.html`
+  * `signup.html` provides a form with with input fields "e-mail" and
+    "password" and is linked to the `dashboard.html` view
+  * `login.html` provides a form with input fields "e-mail" and "password" and
+    is linked to the `dashboard.html` view.
+  * `dashboard.html` provides two buttons "Logout" and "Remove account" (unenroll)
 
-Input fields: *e-mail* and *password*.
+The file `main.py` handles the REST logic by conveying all requests to the
+back-end.
 
-Buttons: 4, named as the routes above.
+:bulb: **This part does not requires adaptations.**
 
 
 ### Back-end
 
-:construction: Session management subsystem written in Python/Flask
+The single file `backend/main.py` (Python/Flask) implements the enrollment and
+session management logic by handling REST requests coming from the
+front-end. The corresponding objects are managed in a CRUD-like fashion
+in/from a single S3 storage bucket.
 
-:tools: This part requires some development by the students.
+:tools: **This part requires some development.** See the details in the
+boilerplate `backend/main.py`.
 
 
 ### Storage
 
-:construction: S3-like object storage composed of 1 buckets with two directories: one for
-*enrollment* data, one for *session* data.
+This is a single S3-like buckets with two directories: one for *enrollment*
+data, one for *session* data.
 
 Objects shall be written as JSON data based on the following proposed schema.
 
@@ -139,6 +169,7 @@ Minimum schema (you're free to extend it):
 Example data for object named `foo@bar.com`:
 ``` json
 {
+	"client": "192.168.1.2",
 	"timestamp": 1733330967
 }
 ```
@@ -169,10 +200,10 @@ nothing else is recorded by the back-end.
 
 #### Enroll
 
-A new user subscribes to the system via the `enroll` function:
+A *new* user subscribes to the system via the `enroll` function:
 
   1. **User** provides enrollment data (*e-mail* and *password*) via the the
-     front-end.
+     front-end's `signup` view.
   2. **Front-end** sends enrollment data to the back-end.
   3. **Back-end** verifies enrollment data:
       - IF user exists THEN returns 'KO:ALREADY_ENROLLED'
@@ -184,24 +215,26 @@ A new user subscribes to the system via the `enroll` function:
 
 #### Unenroll
 
-An enrolled unsubscribes from the system with the `unenroll` function:
+An *enrolled* user unsubscribes from the system (removes their account) with
+the `unenroll` function:
 
-  1. **User** provides enrollment data (*e-mail* and *password*) via the the
-     front-end.
+  1. **User** provides enrollment *e-mail* via the the front-end's `dashboard`
+     view.
   2. **Front-end** sends enrollment data to the back-end.
   3. **Back-end** verifies enrollment data:
       - IF user does not exists THEN returns 'KO:NO\_SUCH\_USER'
       - ELSE
           1. Removes enrollment data and any active sessions from the storage
           2. Returns 'OK:UNENROLLED' to the front-end
-  4. **Front-end** receives response from the back-end and shows it to the user.
+  4. **Front-end** receives response from the back-end and shows it to the
+     user.
 
 
 #### Login
 
 An enrolled user authenticates to the system with the `login` function:
 
-  1. **User** provides *e-mail* via the the front-end.
+  1. **User** provides *e-mail* via the the front-end's view `login`.
   2. **Front-end** sends *e-mail* to the back-end.
   3. **Back-end** verifies the *e-mail*:
       - IF user does not exists THEN returns 'KO:NO\_SUCH\_USER'
@@ -227,7 +260,7 @@ An enrolled user authenticates to the system with the `login` function:
 
 An enrolled user deauthenticates to the system with the `logout` function:
 
-  1. **User** provides *e-mail* via the the front-end.
+  1. **User** provides *e-mail* via the the front-end's view `dashboard`.
   2. **Front-end** sends *e-mail* to the back-end.
   3. **Back-end** verifies the *e-mail*:
       - IF user does not exists THEN returns 'KO:NO\_SUCH\_USER'
@@ -247,7 +280,7 @@ is composed of
   * A single VM featuring:
       * Source image: A Debian 12 Bookworm
       * Flavor: 2 vCPUs, 4GB RAM, 40GB root disk -- no extra volume needed
-      * A KinD installation
+      * A KinD/Kubectl installation
   * One S3 bucket.
 
 The infrastructure (computing instance + S3 storage) shall be provisioned via
@@ -255,52 +288,86 @@ The infrastructure (computing instance + S3 storage) shall be provisioned via
 
 :bulb: References:
   * Terraform: https://registry.terraform.io/providers/hashicorp/aws/latest/docs
-  * :question: what else?
 
 
 ## Service deployment
 
-The service is deployed on a 2-pods microservice hosted by a two-node KinD
-cluster, with a single MetalLB load-balancer entry point, as done with the
+The service shall be deployed on a 3-pods K8s microservice hosted by a
+two-node KinD cluster, with a single MetalLB load-balancer entry point, as
+done with the
 [Lab-K8s](https://gitedu.hesge.ch/lsds/teaching/bachelor/cloud-and-deployment/lab-k8s).
+The front-end shall be replicated over 2 pods. The 3rd pod shall host the
+back-end.
 
 The whole software stack, apart from the KinD package, shall be deployed via
-**Ansible**. Of course, instead of the dummy `http-echo` app, a different
-Docker image shall be used -- :construction: see the [project's Docker file
-boilerplate](provide-link-please). This image shall be rebuilt after any
-modification to the application code. The application shall be redeployed
-whenever its image is updated.
+**Ansible**. Of course, instead of the dummy `http-echo` app, two different
+Docker images shall be used -- :construction: see the [project's Docker file
+boilerplate](provide-link-please): one for the front-end, the other for the
+back-end, both hosted in the [Docker Hub registry](https://hub.docker.com/) --
+you shall create a personal public repository. **We trust you, please, do not
+cheat!**
+
+The front-end image does not need to be rebuilt, unless you want to implement
+some client-side (HTML/JS) bonuses.
+
+The back-end image shall be rebuilt after any modification to the application
+code.
+
+The whole stack shall be redeployed whenever any of its images are updated.
 
 
 ## Tasks
 
 :construction: **To be finalized**
 
+:warning: Please respect the file layout provided by this repository!
+
 You shall:
 
-0. Fork this repository.
-1. Complete the Python back-end file(s) in folder `Application/back-end.py`.
-2. Rebuild the application Docker image, and store it (somewhere) --
-   **(:question: TO-DO - We should provide instructions + Dockerfile:
-    - Build image on the student's workstation
-    - What's better: push to Dockerhub vs to scp to VM + import?
-    )**. This task shall be automated via Ansible -- see below.
-3. Complete your Terraform files from the version you developed in
+1. Fork this repository.
+2. Complete the Python back-end file(s) in folder
+   `Application/backend/main.py`.
+3. Rebuild the application back-end Docker image, and push it to your public
+   Docker Hub repositry -- **(:question: TO-DO - We should provide
+   instructions)**. This task shall be automated via Ansible -- see below.
+4. Complete your Terraform files from the version you developed in
    [Lab-Terraform](https://gitedu.hesge.ch/lsds/teaching/bachelor/cloud-and-deployment/lab-terraform/-/blob/main/SwitchEngines/README.md)
    up to Task #8. Your recipe shall handle only the provisioning of the VM
    plus an S3 storage bucket -- no KinD/Kubectl package installation. Commit
    your recipe files (included Cloud-init) and in directory `Terraform/`.
-4. Complete your Ansible playbook, starting from the version you developed in
+5. Complete your Ansible playbook, starting from the version you developed in
    [Lab-Ansible](https://gitedu.hesge.ch/lsds/teaching/bachelor/cloud-and-deployment/lab-ansible)
-   Task #10, to:
-    - expose the application portal IP (e.g., load-balancer IP) to the
+   Task #10, to (commit all realted files in directory `Ansible/`):
+    - expose the application portal's IP (i.e, the load-balancer's) to the
       Internet via `socat` or other mechanism of your choice;
-    - :question: **(TO-DO: What's better? Local or registry [Docker])?**
-      rebuild and transfer/download the application image to your VM instance.
-   Commit these files in directory `Ansible/`.
+    - rebuild and push the application images to your Docker Hub
+      repository. These shall be [`local_action`
+      tasks.](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_delegation.html)
+
+:bulb: References:
+  * Build and push Docker images: https://docs.docker.com/get-started/introduction/build-and-push-first-image/
+  * Ansible playbook delegation:
+    https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_delegation.html
+
+
+### Bonuses
+
+You will get bonus for any of the following improvements.
+
+  * Ask for the password when removing an account (unenroll) -- extra
+    safety. +0.2 points.
+  * Use password hashing in the back-end -- extra security. +0.1 points.
+  * Handle session expiration after a configurable amount of time (in
+    minutes). You can use an extra enrollment view's parameter
+    `expiration_time`. +0.3 points.
+  * Handle multiple sessions started from different browsers, e.g., private
+    navigation tab/window. +0.4 points.
+  * Support temporary disconnection via client session data stored in a Web
+    cookie (without the password) -- this requires some sort of [cryptographic
+    "nonce"](https://en.wikipedia.org/wiki/Cryptographic_nonce). +0.5 points.
 
 
-### Tests
+### Testing
 
 The following tests shall be passed by your implementation:
 

Terraform/conf/cloud-init.packages.yaml

+#cloud-config
+---
+
+# package_update: true
+# package_upgrade: true
+
+groups:
+  - docker
+
+system_info:
+  default_user:
+    groups: [docker]
+
+# add any basic packages here:
+packages:
+  - curl
+  - nano
+  - ripgrep
+  - docker.io
+  - bash-completion

Terraform/conf/cloud-init.users.yaml

+#cloud-config
+---
+groups:
+  - terraform
+
+system_info:
+  default_user:
+    name: terraform
+    gecos: terraform
+    primary_group: terraform
+    groups: [users, admin, sudo]
+    shell: /bin/bash
+    sudo: ALL=(ALL) NOPASSWD:ALL
+    ssh_authorized_keys:
+      - <your-ssh-ed25519-or-RSA-public-key>

Terraform/main.tf

+# main.tf

Terraform/outputs.tf

+# outputs.tf

Terraform/variables.tf

+# variables.tf