From a84e9c1523f9c0430405683a1e6805e41c7c5e44 Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Fri, 22 Sep 2023 10:06:59 +0200 Subject: [PATCH 01/33] Configure SSO in repository --- roles/repository/tasks/main.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/roles/repository/tasks/main.yml b/roles/repository/tasks/main.yml index aab05315b..bb302fbec 100644 --- a/roles/repository/tasks/main.yml +++ b/roles/repository/tasks/main.yml @@ -345,6 +345,17 @@ path: "{{ content_folder }}/web-server/conf" state: absent + - name: Configure identity service when available + when: groups.identity | default([]) # FIXME and external? + vars: + sso_repository_properties: + authentication.chain: identity-service1:identity-service,alfrescoNtlm1:alfrescoNtlm + identity-service.auth-server-url: "http://{{ identity_host }}:8080/auth" # FIXME + identity-service.resource: "{{ identity_client_id }}" + identity-service.credentials.secret: "{{ identity_client_secret }}" # required only if client is not set to public + ansible.builtin.set_fact: + repository_properties: "{{ repository_properties | ansible.builtin.combine(sso_repository_properties) }}" + - name: Create alfresco-global.properties main snippet vars: merged_repository_properties: >- From d8cbc23f9c775956390d6b65b21265f86ed753cd Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Fri, 22 Sep 2023 14:49:40 +0200 Subject: [PATCH 02/33] support latest rockylinux minor --- group_vars/all.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/group_vars/all.yml b/group_vars/all.yml index ae28f8027..d2bbb500a 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -76,6 +76,7 @@ acc: supported_os: RedHat: versions: + - 8.8 - 8.7 - 8.6 - 8.5 @@ -86,6 +87,7 @@ supported_os: - 7.6 Rocky: versions: + - 8.8 - 8.7 - 8.6 CentOS: From ffab672b51ae2a496675021946ee8284f564da50 Mon Sep 17 00:00:00 2001 
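Review bot: The `ansible.builtin.set_fact` task added in the roles/repository/tasks/main.yml hunk copies `identity_client_secret` (via `sso_repository_properties`) into `repository_properties` without `no_log: true`, so a verbose run prints the OAuth client secret in the task result and the value then lands in alfresco-global.properties. Adding `no_log: true` next to `ansible.builtin.set_fact:` keeps it out of the log; the same task is re-touched without it in the hunks of patches 04, 07, 10, 11 and 21. The `when: groups.identity | default([])` guard ties the role to inventory group names, which the `# FIXME and external?` already questions; a role argument is the cleaner contract. The surrounding task list starts and ends outside the hunk.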
From: Giovanni Toraldo Date: Fri, 22 Sep 2023 14:50:02 +0200 Subject: [PATCH 03/33] fixup identity arguments --- playbooks/acs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/acs.yml b/playbooks/acs.yml index 7fe86ab80..71f53dd8e 100644 --- a/playbooks/acs.yml +++ b/playbooks/acs.yml @@ -71,7 +71,7 @@ roles: - role: "../roles/identity" identity_admin_username: admin - identity_admin_pasword: "{{ hostvars.localhost.identity_admin_password }}" + identity_admin_password: "{{ hostvars.localhost.identity_admin_password }}" when: acs.edition == "Enterprise" and not groups.external_identity | default([]) tags: - identity From fd77e92aeff5bc191b698165d15f6bdbb98c99de Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Fri, 22 Sep 2023 14:53:45 +0200 Subject: [PATCH 04/33] fixup client vars --- roles/repository/defaults/main.yml | 4 ++++ roles/repository/tasks/main.yml | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/roles/repository/defaults/main.yml b/roles/repository/defaults/main.yml index 38a852824..46d3c5748 100644 --- a/roles/repository/defaults/main.yml +++ b/roles/repository/defaults/main.yml @@ -84,3 +84,7 @@ keystore_src: >- {%- endif %} repo_keystore: {} repository_monitored_startup_timeout_seconds: 300 + +repository_identity_client_id: alfresco +# required only if keycloak client is not set to public +repository_identity_client_secret: null diff --git a/roles/repository/tasks/main.yml b/roles/repository/tasks/main.yml index bb302fbec..63189f09d 100644 --- a/roles/repository/tasks/main.yml +++ b/roles/repository/tasks/main.yml 
@@ -351,8 +351,8 @@ sso_repository_properties: authentication.chain: identity-service1:identity-service,alfrescoNtlm1:alfrescoNtlm identity-service.auth-server-url: "http://{{ identity_host }}:8080/auth" # FIXME - identity-service.resource: "{{ identity_client_id }}" - identity-service.credentials.secret: "{{ identity_client_secret }}" # required only if client is not set to public + identity-service.resource: "{{ repository_identity_client_id }}" + identity-service.credentials.secret: "{{ repository_identity_client_secret }}" ansible.builtin.set_fact: repository_properties: "{{ repository_properties | ansible.builtin.combine(sso_repository_properties) }}" From cbf07e7d04d5858ef21f62d2f72009c6ad75c0fc Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Mon, 25 Sep 2023 15:11:34 +0200 Subject: [PATCH 05/33] handle http port --- playbooks/acs.yml | 1 + roles/identity/defaults/main.yml | 2 ++ roles/identity/meta/argument_specs.yml | 5 +++++ roles/identity/tasks/main.yml | 1 + 4 files changed, 9 insertions(+) diff --git a/playbooks/acs.yml b/playbooks/acs.yml index 71f53dd8e..d8ef53f36 100644 --- a/playbooks/acs.yml +++ b/playbooks/acs.yml @@ -72,6 +72,7 @@ - role: "../roles/identity" identity_admin_username: admin identity_admin_password: "{{ hostvars.localhost.identity_admin_password }}" + identity_keycloak_http_port: 8081 when: acs.edition == "Enterprise" and not groups.external_identity | default([]) tags: - identity diff --git a/roles/identity/defaults/main.yml b/roles/identity/defaults/main.yml index fc8625335..869ee890b 100644 --- a/roles/identity/defaults/main.yml +++ b/roles/identity/defaults/main.yml @@ -5,3 +5,5 @@ identity_admin_password: null identity_keycloak_quarkus_version: 21.1.2 identity_alfresco_theme_version: 0.3.5 + +identity_keycloak_http_port: 8080 diff --git a/roles/identity/meta/argument_specs.yml b/roles/identity/meta/argument_specs.yml index 2596052d4..6054b2f4d 100644 --- a/roles/identity/meta/argument_specs.yml 
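Review bot: With `repository_identity_client_secret` defaulting to `null` in the defaults hunk of this patch, the `identity-service.credentials.secret` key in this hunk is still written, producing an `identity-service.credentials.secret=` line with an empty value for a public client (the verify added in patch 15 expects exactly that empty line). If a public client is meant to be configured without a secret, merge `{'identity-service.credentials.secret': repository_identity_client_secret}` into the combine only when the value is set (a Jinja inline `if ... else {}`) instead of emitting an empty credential. Whether the Alfresco adapter tolerates an empty secret for a public client is not shown on the page. The task's `name` and `when` lines are outside the hunk.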
+++ b/roles/identity/meta/argument_specs.yml @@ -13,3 +13,8 @@ argument_specs: required: true description: | Password of the keycloak instance admin user + identity_keycloak_http_port: + type: int + default: 8080 + description: | + Port where to expose the keycloak instance diff --git a/roles/identity/tasks/main.yml b/roles/identity/tasks/main.yml index 8e033b228..91f4fa12e 100644 --- a/roles/identity/tasks/main.yml +++ b/roles/identity/tasks/main.yml @@ -7,6 +7,7 @@ keycloak_quarkus_start_dev: true keycloak_quarkus_proxy_mode: none keycloak_quarkus_host: localhost + keycloak_quarkus_http_port: "{{ identity_keycloak_http_port }}" keycloak_quarkus_http_relative_path: '' ansible.builtin.include_role: name: middleware_automation.keycloak.keycloak_quarkus From 3ffc4f7f8ef35ac45160d1eb0eb036173ac38032 Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Mon, 25 Sep 2023 17:03:51 +0200 Subject: [PATCH 06/33] do not fail playbook if transformers is empty --- playbooks/acs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/acs.yml b/playbooks/acs.yml index d8ef53f36..c1e51ab6c 100644 --- a/playbooks/acs.yml +++ b/playbooks/acs.yml @@ -163,7 +163,7 @@ - name: Check wether we want mTLS for Repostory ansible.builtin.set_fact: repo_mtls_required: >- - {{ groups.repository | difference(groups.transformers) | length > 0 }} + {{ groups.repository | difference(groups.transformers | default([])) | length > 0 }} - name: Build keystore role argument ansible.builtin.set_fact: repository_keystore: From 77a5c6441c78ca7fea1bf0953e316e061fe60cba Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Mon, 25 Sep 2023 17:04:11 +0200 Subject: [PATCH 07/33] fixup properties injection --- roles/repository/tasks/main.yml | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/roles/repository/tasks/main.yml b/roles/repository/tasks/main.yml index 63189f09d..f5a9fb9a9 100644 --- a/roles/repository/tasks/main.yml 
+++ b/roles/repository/tasks/main.yml @@ -345,23 +345,31 @@ path: "{{ content_folder }}/web-server/conf" state: absent + - name: Initialize accumulator for dynamic properties + ansible.builtin.set_fact: + dynamic_properties: {} + - name: Configure identity service when available - when: groups.identity | default([]) # FIXME and external? + when: groups.identity | default([]) # FIXME move to role argument vars: sso_repository_properties: - authentication.chain: identity-service1:identity-service,alfrescoNtlm1:alfrescoNtlm - identity-service.auth-server-url: "http://{{ identity_host }}:8080/auth" # FIXME - identity-service.resource: "{{ repository_identity_client_id }}" - identity-service.credentials.secret: "{{ repository_identity_client_secret }}" + please: help + authentication: + chain: identity-service1:identity-service,alfrescoNtlm1:alfrescoNtlm + identity-service: + resource: "{{ repository_identity_client_id }}" + credentials: + secret: "{{ repository_identity_client_secret }}" + identity-service.auth-server-url: "http://{{ identity_host }}:8080/" # FIXME hardcoded port ansible.builtin.set_fact: - repository_properties: "{{ repository_properties | ansible.builtin.combine(sso_repository_properties) }}" + dynamic_properties: "{{ dynamic_properties | ansible.builtin.combine(sso_repository_properties) }}" - name: Create alfresco-global.properties main snippet vars: merged_repository_properties: >- {{ default_repository_properties - | combine(repository_properties - | default(None)) }} + | combine(repository_properties | default(None)) + | combine(dynamic_properties) }} ansible.builtin.template: owner: "{{ username }}" group: "{{ group_name }}" From 4b208c69318f798d9fe25686fe0146cf2c3e597a Mon Sep 17 00:00:00 2001 
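Review bot: The merge in `merged_repository_properties` now ends with `| combine(dynamic_properties)`, so the SSO-derived `authentication.chain` silently overrides any `authentication.chain` a caller passed in `repository_properties`; either swap the last two combines so explicit role arguments win, or state the precedence in a comment such as `# dynamic_properties (SSO) take precedence over caller-supplied repository_properties`. `combine` is shallow by default, so the nested `identity-service:` mapping replaces rather than merges with a caller-supplied `identity-service` block — worth stating in the same comment if intended. The `please: help` entry under `sso_repository_properties` looks like a debugging leftover and would reach alfresco-global.properties through the same merge. The enclosing task list continues outside the hunk.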
From: Giovanni Toraldo Date: Mon, 25 Sep 2023 18:04:51 +0200 Subject: [PATCH 08/33] configure nginx in front of keycloak --- roles/identity/tasks/main.yml | 4 ++-- roles/nginx/templates/alfresco_proxy.j2 | 14 ++++++++++---- roles/repository/tasks/main.yml | 2 +- 3 files changed, 13 insertions(+), 7 deletions(-) diff --git a/roles/identity/tasks/main.yml b/roles/identity/tasks/main.yml index 91f4fa12e..176c4c365 100644 --- a/roles/identity/tasks/main.yml +++ b/roles/identity/tasks/main.yml @@ -5,9 +5,9 @@ keycloak_quarkus_admin_pass: "{{ identity_admin_password }}" keycloak_quarkus_version: "{{ identity_keycloak_quarkus_version }}" keycloak_quarkus_start_dev: true - keycloak_quarkus_proxy_mode: none + keycloak_quarkus_proxy_mode: edge keycloak_quarkus_host: localhost keycloak_quarkus_http_port: "{{ identity_keycloak_http_port }}" - keycloak_quarkus_http_relative_path: '' + keycloak_quarkus_http_relative_path: auth ansible.builtin.include_role: name: middleware_automation.keycloak.keycloak_quarkus diff --git a/roles/nginx/templates/alfresco_proxy.j2 b/roles/nginx/templates/alfresco_proxy.j2 index 96ea5df2d..7636155ac 100644 --- a/roles/nginx/templates/alfresco_proxy.j2 +++ b/roles/nginx/templates/alfresco_proxy.j2 @@ -59,7 +59,6 @@ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass_header Set-Cookie; - proxy_pass_header Set-Cookie; } location /api-explorer/ { @@ -71,6 +70,16 @@ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass_header Set-Cookie; + } + + location /auth/ { + proxy_pass http://{{ identity_host }}:8081/; + proxy_redirect off; + proxy_buffering off; + proxy_set_header Host $host:$server_port; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; proxy_pass_header Set-Cookie; } 
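Review bot: Switching to `keycloak_quarkus_proxy_mode: edge` in the roles/identity/tasks/main.yml hunk makes Keycloak trust `X-Forwarded-For`/`X-Forwarded-Proto` from whatever reaches its HTTP port, and the nginx hunk in this patch reaches it at `http://{{ identity_host }}:8081/`, i.e. over a non-loopback listener; nothing in either hunk restricts that port to the proxy host, so a client that bypasses nginx could present its own forwarded headers. Document the assumption next to the setting, e.g. `# edge: Keycloak trusts X-Forwarded-* headers, so the HTTP port must only be reachable from the nginx host`, and back it with a firewall rule or a loopback bind where the two roles share a host. The hunk also keeps `keycloak_quarkus_start_dev: true`, which Keycloak reserves for development; if this role is meant for production deployments that deserves a comment or a role argument. The `vars:` block this belongs to starts outside the hunk.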
@@ -84,7 +93,6 @@ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass_header Set-Cookie; - proxy_pass_header Set-Cookie; } location /workspace/ { @@ -96,7 +104,6 @@ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass_header Set-Cookie; - proxy_pass_header Set-Cookie; } location /control-center/ { @@ -108,6 +115,5 @@ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass_header Set-Cookie; - proxy_pass_header Set-Cookie; } {% endif %} diff --git a/roles/repository/tasks/main.yml b/roles/repository/tasks/main.yml index f5a9fb9a9..89dda1303 100644 --- a/roles/repository/tasks/main.yml +++ b/roles/repository/tasks/main.yml @@ -360,7 +360,7 @@ resource: "{{ repository_identity_client_id }}" credentials: secret: "{{ repository_identity_client_secret }}" - identity-service.auth-server-url: "http://{{ identity_host }}:8080/" # FIXME hardcoded port + identity-service.auth-server-url: "http://{{ identity_host }}:8081/" # FIXME hardcoded port ansible.builtin.set_fact: dynamic_properties: "{{ dynamic_properties | ansible.builtin.combine(sso_repository_properties) }}" From be6df8ec8f03c229b11a0aa25439948b15425d3d Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Tue, 26 Sep 2023 10:39:32 +0200 Subject: [PATCH 09/33] hook realm in playbook --- .secrets.baseline | 2 +- playbooks/acs.yml | 11 ++++++++++- roles/identity/defaults/main.yml | 2 +- roles/identity/tasks/realm.yml | 4 ++-- 4 files changed, 14 insertions(+), 5 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index 3bf862cde..96cdfc04f 100644 --- a/.secrets.baseline +++ b/.secrets.baseline 
@@ -182,7 +182,7 @@ { "type": "Secret Keyword", "filename": "roles/identity/tasks/realm.yml", - "hashed_secret": "973503d55aba40e89d4ab4c16783bc9a159c512e", + "hashed_secret": "95fd8196fcf819b3e2c33a18c5d16be8c7eb7960", "is_verified": false, "line_number": 13, "is_secret": false diff --git a/playbooks/acs.yml b/playbooks/acs.yml index c1e51ab6c..137fd774a 100644 --- a/playbooks/acs.yml +++ b/playbooks/acs.yml @@ -73,7 +73,16 @@ identity_admin_username: admin identity_admin_password: "{{ hostvars.localhost.identity_admin_password }}" identity_keycloak_http_port: 8081 - when: acs.edition == "Enterprise" and not groups.external_identity | default([]) + when: not groups.external_identity | default([]) + tasks: + - name: Configure Realm + vars: + identity_admin_username: admin + identity_admin_password: "{{ hostvars.localhost.identity_admin_password }}" + identity_keycloak_http_port: 8081 + ansible.builtin.include_role: + name: "../roles/identity" + tasks_from: realm tags: - identity diff --git a/roles/identity/defaults/main.yml b/roles/identity/defaults/main.yml index 869ee890b..76c90243d 100644 --- a/roles/identity/defaults/main.yml +++ b/roles/identity/defaults/main.yml @@ -4,6 +4,6 @@ identity_admin_username: admin identity_admin_password: null identity_keycloak_quarkus_version: 21.1.2 -identity_alfresco_theme_version: 0.3.5 +identity_alfresco_theme_version: "0.3.5" identity_keycloak_http_port: 8080 diff --git a/roles/identity/tasks/realm.yml b/roles/identity/tasks/realm.yml index 2d85d4bdd..539d7c9ff 100644 --- a/roles/identity/tasks/realm.yml +++ b/roles/identity/tasks/realm.yml @@ -10,7 +10,7 @@ - name: Configure Alfresco Keycloak realm community.general.keycloak_realm: auth_client_id: admin-cli - auth_keycloak_url: http://localhost:8080 + auth_keycloak_url: "http://localhost:{{ identity_keycloak_http_port }}" auth_realm: master auth_username: "{{ identity_admin_username }}" auth_password: "{{ identity_admin_password }}" 
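Review bot: The new `Configure Realm` task in the playbooks/acs.yml hunk has no `when:` guard, while the `../roles/identity` role entry just above it is skipped with `when: not groups.external_identity | default([])`; with an external identity provider the realm tasks would still run against `http://localhost:...` where no Keycloak was installed, unless the play's `hosts:` (outside the hunk) already rules that out. Add `when: not groups.external_identity | default([])` to the task. The three `identity_*` vars are now duplicated verbatim between the role entry and the include; hoisting them to play-level `vars:` removes the second copy of the admin password expression. Dropping `acs.edition == "Enterprise"` from the condition changes when the role runs at all; if that is intended the commit message should say so.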
@@ -44,7 +44,7 @@ - name: Configure basic alfresco client community.general.keycloak_client: auth_client_id: admin-cli - auth_keycloak_url: http://localhost:8080 + auth_keycloak_url: "http://localhost:{{ identity_keycloak_http_port }}" auth_realm: master auth_username: "{{ identity_admin_username }}" auth_password: "{{ identity_admin_password }}" From 4b6a0c8c8fea459f6af2236fdf3e5da16ef079ae Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Tue, 26 Sep 2023 12:50:39 +0200 Subject: [PATCH 10/33] use variable for port --- playbooks/acs.yml | 4 ++-- roles/common/defaults/main.yml | 2 ++ roles/nginx/templates/alfresco_proxy.j2 | 2 +- roles/repository/tasks/main.yml | 4 ++-- 4 files changed, 7 insertions(+), 5 deletions(-) diff --git a/playbooks/acs.yml b/playbooks/acs.yml index 137fd774a..c6c4b1494 100644 --- a/playbooks/acs.yml +++ b/playbooks/acs.yml @@ -72,14 +72,14 @@ - role: "../roles/identity" identity_admin_username: admin identity_admin_password: "{{ hostvars.localhost.identity_admin_password }}" - identity_keycloak_http_port: 8081 + identity_keycloak_http_port: "{{ ports_cfg.identity.http }}" when: not groups.external_identity | default([]) tasks: - name: Configure Realm vars: identity_admin_username: admin identity_admin_password: "{{ hostvars.localhost.identity_admin_password }}" - identity_keycloak_http_port: 8081 + identity_keycloak_http_port: "{{ ports_cfg.identity.http }}" ansible.builtin.include_role: name: "../roles/identity" tasks_from: realm diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index cd958faf2..3c52493bf 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml 
@@ -133,6 +133,8 @@ ports_cfg: admin: 9093 elasticsearch: http: "{{- groups.external_elasticsearch | default([]) | map('extract', hostvars, ['elasticsearch_port']) | first | default('9200') -}}" + identity: + http: "{{- groups.external_identity | default([]) | map('extract', hostvars, ['identity_port']) | first | default('8082') -}}" # Default download location of necessary artefacts download_location: /tmp/ansible_artefacts diff --git a/roles/nginx/templates/alfresco_proxy.j2 b/roles/nginx/templates/alfresco_proxy.j2 index 7636155ac..ca559a112 100644 --- a/roles/nginx/templates/alfresco_proxy.j2 +++ b/roles/nginx/templates/alfresco_proxy.j2 @@ -73,7 +73,7 @@ } location /auth/ { - proxy_pass http://{{ identity_host }}:8081/; + proxy_pass http://{{ identity_host }}:{{ ports_cfg.identity.http }}/; proxy_redirect off; proxy_buffering off; proxy_set_header Host $host:$server_port; diff --git a/roles/repository/tasks/main.yml b/roles/repository/tasks/main.yml index 89dda1303..ff9ade984 100644 --- a/roles/repository/tasks/main.yml +++ b/roles/repository/tasks/main.yml @@ -353,14 +353,14 @@ when: groups.identity | default([]) # FIXME move to role argument vars: sso_repository_properties: - please: help authentication: chain: identity-service1:identity-service,alfrescoNtlm1:alfrescoNtlm identity-service: resource: "{{ repository_identity_client_id }}" credentials: secret: "{{ repository_identity_client_secret }}" - identity-service.auth-server-url: "http://{{ identity_host }}:8081/" # FIXME hardcoded port + # Do not try to merge with the previous `identity-service` or you will regret it + identity-service.auth-server-url: "http://{{ identity_host }}:{{ ports_cfg.identity.http }}/" ansible.builtin.set_fact: dynamic_properties: "{{ dynamic_properties | ansible.builtin.combine(sso_repository_properties) }}" From e9b48c8fec58a6d143df6adca4eba9869956e953 Mon Sep 17 00:00:00 2001 
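Review bot: The new comment `# Do not try to merge with the previous identity-service or you will regret it` in the roles/repository/tasks/main.yml hunk warns without saying what breaks, so the next maintainer cannot tell whether it is a `combine` depth issue or a template-flattening issue; replace it with the actual reason, e.g. `# Kept as a flat dotted key on purpose: nesting auth-server-url under identity-service above breaks the rendered property (<describe the symptom>)`. The port now comes from `ports_cfg.identity.http`, whose fallback in the roles/common/defaults/main.yml hunk is the string `'8082'`, while `roles/identity/defaults/main.yml` still defaults `identity_keycloak_http_port` to `8080`; the two only agree because `playbooks/acs.yml` passes the port explicitly, which is worth a comment on one of the defaults. The scheme remains a hardcoded `http://` in both the property and the nginx `proxy_pass`.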
From: Giovanni Toraldo Date: Tue, 26 Sep 2023 13:04:00 +0200 Subject: [PATCH 11/33] identity url as role argument for repository --- playbooks/acs.yml | 5 +++++ roles/repository/defaults/main.yml | 3 ++- roles/repository/meta/argument_specs.yml | 18 ++++++++++++++++++ roles/repository/tasks/main.yml | 6 +++--- 4 files changed, 28 insertions(+), 4 deletions(-) diff --git a/playbooks/acs.yml b/playbooks/acs.yml index c6c4b1494..6e39cab26 100644 --- a/playbooks/acs.yml +++ b/playbooks/acs.yml @@ -186,11 +186,16 @@ when: - repo_mtls_required - ats_mtls_capable + - name: Enable identity service + when: groups.identity + groups.external_identity | length > 0 + ansible.builtin.set_fact: + identity_url: "http://{{ identity_host }}:{{ ports_cfg.identity.http }}/" roles: - role: "../roles/repository" repo_keystore: "{{ repository_keystore | default({}) }}" repository_properties: "{{ global_properties }}" raw_properties: "{{ properties_snippets }}" + repository_identity_url: "{{ identity_url | default('') }}" post_tasks: - name: Update installation status file with ACS become: true diff --git a/roles/repository/defaults/main.yml b/roles/repository/defaults/main.yml index 46d3c5748..dea095d21 100644 --- a/roles/repository/defaults/main.yml +++ b/roles/repository/defaults/main.yml @@ -85,6 +85,7 @@ keystore_src: >- repo_keystore: {} repository_monitored_startup_timeout_seconds: 300 +# Identity service arguments +repository_identity_url: null repository_identity_client_id: alfresco -# required only if keycloak client is not set to public repository_identity_client_secret: null diff --git a/roles/repository/meta/argument_specs.yml b/roles/repository/meta/argument_specs.yml index e2fe229e9..cc1965f42 100644 --- a/roles/repository/meta/argument_specs.yml +++ b/roles/repository/meta/argument_specs.yml 
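Review bot: `identity_url` in the playbooks/acs.yml hunk is built with a hardcoded `http://` scheme, so the repository's token traffic to Keycloak is in clear text whenever `identity_host` is not the local machine, and a caller has no way to select TLS; a scheme entry alongside `ports_cfg.identity.http`, or letting the full `repository_identity_url` be passed in, would make the default overridable. The `when: groups.identity + groups.external_identity | length > 0` expression applies `| length` to `groups.external_identity` only and fails when either group is undefined; patch 14 in this series rewrites it. The task list this sits in starts outside the hunk.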
@@ -27,3 +27,21 @@ argument_specs: Check the java role's argument specification for details. Pay special attention to using the same passphrase for the keystore than the one used in the source PKCS12 certificate container. + repository_identity_url: + type: str + required: false + description: | + If set, enable that host as identity service url + repository_identity_client_id: + type: str + required: false + default: alfresco + description: | + The name of the oauth client to be used when contacting the identity + service + repository_identity_client_secret: + type: str + required: false + description: | + The secret for the oauth client to be used when contacting the + identity service - can be left blank if the oauth client is public diff --git a/roles/repository/tasks/main.yml b/roles/repository/tasks/main.yml index ff9ade984..c54ef578e 100644 --- a/roles/repository/tasks/main.yml +++ b/roles/repository/tasks/main.yml @@ -349,8 +349,8 @@ ansible.builtin.set_fact: dynamic_properties: {} - - name: Configure identity service when available - when: groups.identity | default([]) # FIXME move to role argument + - name: Configure identity service when provided + when: repository_identity_url vars: sso_repository_properties: authentication: @@ -360,7 +360,7 @@ credentials: secret: "{{ repository_identity_client_secret }}" # Do not try to merge with the previous `identity-service` or you will regret it - identity-service.auth-server-url: "http://{{ identity_host }}:{{ ports_cfg.identity.http }}/" + identity-service.auth-server-url: "{{ repository_identity_url }}" ansible.builtin.set_fact: dynamic_properties: "{{ dynamic_properties | ansible.builtin.combine(sso_repository_properties) }}" From 1496470c1d35662ba7a930c86dbd0ce0c9040328 Mon Sep 17 00:00:00 2001 
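Review bot: `repository_identity_client_secret` is declared as a plain `str` option without `no_log: true`, so argument validation can echo the secret when it fails or when the play runs verbosely; add `no_log: true` under that option. The description `If set, enable that host as identity service url` reads awkwardly — something like `Base URL of the identity service (Keycloak); when set, SSO through identity-service is enabled in alfresco-global.properties` says what the value is and what setting it does. The `argument_specs:` mapping starts outside the hunk.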
From: Giovanni Toraldo Date: Tue, 26 Sep 2023 14:23:44 +0200 Subject: [PATCH 12/33] Add identity integration test --- .github/workflows/enteprise.yml | 3 ++ molecule/identity/converge.yml | 5 ++ .../identity/host_vars/identity-instance.yml | 1 + molecule/identity/molecule.yml | 48 +++++++++++++++++++ 4 files changed, 57 insertions(+) create mode 100644 molecule/identity/converge.yml create mode 100644 molecule/identity/host_vars/identity-instance.yml create mode 100644 molecule/identity/molecule.yml diff --git a/.github/workflows/enteprise.yml b/.github/workflows/enteprise.yml index d278cca07..a842ba700 100644 --- a/.github/workflows/enteprise.yml +++ b/.github/workflows/enteprise.yml @@ -84,6 +84,9 @@ jobs: scenario: - name: elasticsearch - name: pki + include: + - name: identity + image: rockylinux:8.7 steps: - name: Checkout uses: actions/checkout@v4 diff --git a/molecule/identity/converge.yml b/molecule/identity/converge.yml new file mode 100644 index 000000000..fff65925c --- /dev/null +++ b/molecule/identity/converge.yml @@ -0,0 +1,5 @@ +--- +- name: Run the playbook + ansible.builtin.import_playbook: ../../playbooks/acs.yml + vars: + autogen_unsecure_secrets: true diff --git a/molecule/identity/host_vars/identity-instance.yml b/molecule/identity/host_vars/identity-instance.yml new file mode 100644 index 000000000..146ddd8e0 --- /dev/null +++ b/molecule/identity/host_vars/identity-instance.yml @@ -0,0 +1 @@ +ansible_user: ansible diff --git a/molecule/identity/molecule.yml b/molecule/identity/molecule.yml new file mode 100644 index 000000000..2fe9f5a61 --- /dev/null +++ b/molecule/identity/molecule.yml 
@@ -0,0 +1,48 @@ +--- +dependency: + name: galaxy +driver: + name: docker +platforms: + - name: identity-instance + image: $MOLECULE_ROLE_IMAGE + dockerfile: ../../tests/molecule/Dockerfile-noprivs.j2 + command: "/lib/systemd/systemd" + privileged: true + tmpfs: + - /run + - /run/lock + - /tmp + volume_mounts: + - "/sys/fs/cgroup:/sys/fs/cgroup:ro" + groups: + - database + - activemq + - repository + - trusted_resource_consumers + - identity + - nginx + published_ports: + - 80/tcp + - 0.0.0.0:443:443/tcp + - 0.0.0.0:8080:8080/tcp + +provisioner: + name: ansible + config_options: + defaults: + pipelining: True + ansible_args: + - -e + - "@tests/test-extra-vars.yml" + - -e + - "@tests/test-ssl.yml" + inventory: + links: + group_vars: ../../group_vars + host_vars: host_vars + playbooks: + prepare: ../default/prepare.yml + verify: ../default/verify.yml +verifier: + name: ansible From 234a0210ce0d9ffde9ba8402eaf9006082ac8f42 Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Tue, 26 Sep 2023 14:34:35 +0200 Subject: [PATCH 13/33] revert 8.8 --- group_vars/all.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/group_vars/all.yml b/group_vars/all.yml index d2bbb500a..ae28f8027 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -76,7 +76,6 @@ acc: supported_os: RedHat: versions: - - 8.8 - 8.7 - 8.6 - 8.5 @@ -87,7 +86,6 @@ supported_os: - 7.6 Rocky: versions: - - 8.8 - 8.7 - 8.6 CentOS: From d658d053eb8daf7f45cafcd7f0fdf9f538d303fd Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Tue, 26 Sep 2023 14:47:26 +0200 Subject: [PATCH 14/33] fixup --- playbooks/acs.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/playbooks/acs.yml b/playbooks/acs.yml index 6e39cab26..14f832215 100644 --- a/playbooks/acs.yml +++ b/playbooks/acs.yml 
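Review bot: `pipelining: True` uses the capitalised YAML 1.1 boolean while the rest of the file writes `true`; write `pipelining: true` (the same spelling is added to `molecule/elasticsearch/molecule.yml` in patch 20). `published_ports` binds `443` and `8080` on `0.0.0.0` of the runner although the verify playbook talks to the services from inside the instance; if nothing on the host needs them, `127.0.0.1:443:443/tcp` and `127.0.0.1:8080:8080/tcp` keep the test container off the runner's external interfaces. `privileged: true` is presumably there for systemd, but a one-line comment saying so saves the next reader the guess.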
@@ -187,7 +187,7 @@ - repo_mtls_required - ats_mtls_capable - name: Enable identity service - when: groups.identity + groups.external_identity | length > 0 + when: ((groups.identity | default([])) + (groups.external_identity | default([]))) | length > 0 ansible.builtin.set_fact: identity_url: "http://{{ identity_host }}:{{ ports_cfg.identity.http }}/" roles: @@ -195,7 +195,7 @@ repo_keystore: "{{ repository_keystore | default({}) }}" repository_properties: "{{ global_properties }}" raw_properties: "{{ properties_snippets }}" - repository_identity_url: "{{ identity_url | default('') }}" + repository_identity_url: "{{ identity_url | default(omit) }}" post_tasks: - name: Update installation status file with ACS become: true From 24ca8a876829093c4632aa264269aefdc40fb80d Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Tue, 26 Sep 2023 15:07:20 +0200 Subject: [PATCH 15/33] add verify for identity --- molecule/identity/molecule.yml | 3 --- molecule/identity/verify.yml | 34 ++++++++++++++++++++++++++++++++++ 2 files changed, 34 insertions(+), 3 deletions(-) create mode 100644 molecule/identity/verify.yml diff --git a/molecule/identity/molecule.yml b/molecule/identity/molecule.yml index 2fe9f5a61..a2849d531 100644 --- a/molecule/identity/molecule.yml +++ b/molecule/identity/molecule.yml @@ -41,8 +41,5 @@ provisioner: links: group_vars: ../../group_vars host_vars: host_vars - playbooks: - prepare: ../default/prepare.yml - verify: ../default/verify.yml verifier: name: ansible diff --git a/molecule/identity/verify.yml b/molecule/identity/verify.yml new file mode 100644 index 000000000..197b083ea --- /dev/null +++ b/molecule/identity/verify.yml 
@@ -0,0 +1,34 @@ +--- +- name: Verify Identity + hosts: identity + gather_facts: true + tasks: + - name: Populate services facts + ansible.builtin.service_facts: + + - name: Check services up + ansible.builtin.assert: + that: + - ansible_facts.services['alfresco-content.service'].state == "running" + - ansible_facts.services['keycloak.service'].state == "running" + + - name: Retrieve contents of alfresco-global.properties + become: true + ansible.builtin.slurp: + src: /etc/opt/alfresco/content-services/classpath/alfresco-global.properties + register: slurp_global_properties + + - name: Check reindex service contains the expected ExecStart line + vars: + global_properties_content: "{{ slurp_global_properties['content'] | b64decode }}" + expected_auth_chain: "authentication.chain=identity-service1:identity-service,alfrescoNtlm1:alfrescoNtlm" + expected_service_resource: "identity-service.resource=alfresco" + expected_service_credentials: "identity-service.credentials.secret=" + expected_auth_url: "identity-service.auth-server-url=http://172.17.0.2:8082/" + ansible.builtin.assert: + that: + - "expected_auth_chain in global_properties_content" + - "expected_service_resource in global_properties_content" + - "expected_service_credentials in global_properties_content" + - "expected_auth_url in global_properties_content" + msg: "{{ global_properties_content }}" From 65d1b7eb25109f88cc1d1e6eac8c86a54ce9159c Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Tue, 26 Sep 2023 17:12:30 +0200 Subject: [PATCH 16/33] known urls as identity argument --- molecule/identity/host_vars/identity-instance.yml | 2 ++ roles/identity/defaults/main.yml | 2 ++ roles/identity/meta/argument_specs.yml | 6 ++++++ roles/identity/tasks/realm.yml | 2 ++ 4 files changed, 12 insertions(+) diff --git a/molecule/identity/host_vars/identity-instance.yml b/molecule/identity/host_vars/identity-instance.yml index 146ddd8e0..c31218ff9 100644 --- a/molecule/identity/host_vars/identity-instance.yml 
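Review bot: The assert's `msg: "{{ global_properties_content }}"` prints the entire alfresco-global.properties — database credentials and any `identity-service.credentials.secret` included — into the CI log on failure; a fixed message such as `msg: "alfresco-global.properties is missing one of the expected identity-service lines"` keeps the diagnostic without the dump. The task name `Check reindex service contains the expected ExecStart line` is copied from another scenario and describes nothing here; `Check alfresco-global.properties contains the identity-service settings` matches the assertion. `expected_auth_url` hardcodes the Docker bridge address `172.17.0.2`, which makes the test depend on container start order and network setup; deriving it from the instance's address fact would be more robust, though which fact is available is not shown on the page.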
+++ b/molecule/identity/host_vars/identity-instance.yml @@ -1 +1,3 @@ ansible_user: ansible +known_urls: + - http://localhost/ diff --git a/roles/identity/defaults/main.yml b/roles/identity/defaults/main.yml index 76c90243d..b7910ba85 100644 --- a/roles/identity/defaults/main.yml +++ b/roles/identity/defaults/main.yml @@ -7,3 +7,5 @@ identity_keycloak_quarkus_version: 21.1.2 identity_alfresco_theme_version: "0.3.5" identity_keycloak_http_port: 8080 + +identity_known_urls: [] diff --git a/roles/identity/meta/argument_specs.yml b/roles/identity/meta/argument_specs.yml index 6054b2f4d..c7885c952 100644 --- a/roles/identity/meta/argument_specs.yml +++ b/roles/identity/meta/argument_specs.yml @@ -18,3 +18,9 @@ argument_specs: default: 8080 description: | Port where to expose the keycloak instance + identity_known_urls: + type: list + elements: str + default: [] + description: | + A list of possible origin URLs which are allowed to interact with the configured realm diff --git a/roles/identity/tasks/realm.yml b/roles/identity/tasks/realm.yml index 539d7c9ff..2b37e99fe 100644 --- a/roles/identity/tasks/realm.yml +++ b/roles/identity/tasks/realm.yml @@ -51,4 +51,6 @@ realm: alfresco client_id: alfresco enabled: true + redirect_uris: "{{ identity_known_urls | map('regex_replace', '(.*)$', '\\1*') | list }}" + web_origins: "{{ identity_known_urls }}" state: present From e58c9a7915f6c6339cadc7e8a8250ae93abb17bf Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Tue, 26 Sep 2023 17:29:45 +0200 Subject: [PATCH 17/33] really run identity in the enterprise workflow --- .github/workflows/enteprise.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/enteprise.yml b/.github/workflows/enteprise.yml index a842ba700..8b0f16b0d 100644 --- a/.github/workflows/enteprise.yml +++ b/.github/workflows/enteprise.yml 
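Review bot: `redirect_uris` in the roles/identity/tasks/realm.yml hunk turns every known URL into a trailing-wildcard pattern (`http://localhost/` becomes `http://localhost/*`), which accepts any path on that origin as a post-login redirect target; Keycloak's guidance prefers exact redirect URIs, so either accept the exact application paths or document in the `identity_known_urls` description why the wildcard is needed. `web_origins` passes the URLs unchanged, trailing `/` included, while browsers send an `Origin` header without a path; if Keycloak compares origins literally, `http://localhost/` will not match `http://localhost`, so strip it: `web_origins: "{{ identity_known_urls | map('regex_replace', '/$', '') | list }}"`. The `known_urls` host var added in this patch is not the `identity_known_urls` argument the role reads and does not reach it (patch 22 removes it). The `keycloak_client` task begins outside the hunk.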
@@ -85,8 +85,10 @@ jobs: - name: elasticsearch - name: pki include: - - name: identity - image: rockylinux:8.7 + - scenario: + name: identity + molecule_distro: + image: rockylinux:8 steps: - name: Checkout uses: actions/checkout@v4 From d4bff874ea3639056f21e07434ad12524e1d62f6 Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Tue, 26 Sep 2023 17:30:15 +0200 Subject: [PATCH 18/33] default prepare playbook is a requirement --- molecule/identity/molecule.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/molecule/identity/molecule.yml b/molecule/identity/molecule.yml index a2849d531..4a0692dc3 100644 --- a/molecule/identity/molecule.yml +++ b/molecule/identity/molecule.yml @@ -41,5 +41,7 @@ provisioner: links: group_vars: ../../group_vars host_vars: host_vars + playbooks: + prepare: ../default/prepare.yml verifier: name: ansible From be207d878dd3b13528b79e725bc739e867870030 Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Tue, 26 Sep 2023 18:48:04 +0200 Subject: [PATCH 19/33] more tests --- .github/workflows/enteprise.yml | 2 +- .secrets.baseline | 10 ++++++++++ molecule/identity/verify.yml | 16 ++++++++++++++++ 3 files changed, 27 insertions(+), 1 deletion(-) diff --git a/.github/workflows/enteprise.yml b/.github/workflows/enteprise.yml index 8b0f16b0d..a64210ce6 100644 --- a/.github/workflows/enteprise.yml +++ b/.github/workflows/enteprise.yml @@ -88,7 +88,7 @@ jobs: - scenario: name: identity molecule_distro: - image: rockylinux:8 + image: rockylinux:8.7 steps: - name: Checkout uses: actions/checkout@v4 diff --git a/.secrets.baseline b/.secrets.baseline index 96cdfc04f..a6cf7bed7 100644 --- a/.secrets.baseline +++ b/.secrets.baseline 
@@ -128,6 +128,16 @@ "is_secret": false } ], + "molecule/identity/verify.yml": [ + { + "type": "Secret Keyword", + "filename": "molecule/identity/verify.yml", + "hashed_secret": "3f42f2d120c36646b79792b8dccee509e1480ad0", + "is_verified": false, + "line_number": 38, + "is_secret": false + } + ], "molecule/pki/host_vars/localhost.yaml": [ { "type": "Secret Keyword", diff --git a/molecule/identity/verify.yml b/molecule/identity/verify.yml index 197b083ea..c1bca107e 100644 --- a/molecule/identity/verify.yml +++ b/molecule/identity/verify.yml @@ -32,3 +32,19 @@ - "expected_service_credentials in global_properties_content" - "expected_auth_url in global_properties_content" msg: "{{ global_properties_content }}" + + - name: Fetch realm + community.general.keycloak_realm_info: + auth_keycloak_url: "http://localhost:8082" + realm: alfresco + register: result_realm_info + + - ansible.builtin.debug: + var: result_realm_info + + - name: Assert that realm is consistent + ansible.builtin.assert: + that: + - result_realm_info.realm_info['realm'] == "alfresco" + - result_realm_info.realm_info['account-service'] == "http://localhost/auth/realms/alfresco/account" + - result_realm_info.realm_info['public_key'] is defined From 7498df04c268e6edfbfdb82f57ae63580c2e6cc4 Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Wed, 27 Sep 2023 12:09:15 +0200 Subject: [PATCH 20/33] pipeline for ent search int --- molecule/elasticsearch/molecule.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/molecule/elasticsearch/molecule.yml b/molecule/elasticsearch/molecule.yml index e71a1c595..6d8ef912f 100644 --- a/molecule/elasticsearch/molecule.yml +++ b/molecule/elasticsearch/molecule.yml @@ -33,6 +33,9 @@ platforms: - trusted_resource_consumers provisioner: name: ansible + config_options: + defaults: + pipelining: True ansible_args: - -e - "@tests/test-ssl.yml" From 17cac5c51e3c1278cbb5a0bb303b9b8b9b11dfd0 Mon Sep 17 00:00:00 2001 
From: Giovanni Toraldo Date: Wed, 27 Sep 2023 12:09:31 +0200 Subject: [PATCH 21/33] fixup conditional --- playbooks/acs.yml | 2 +- roles/repository/tasks/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/playbooks/acs.yml b/playbooks/acs.yml index 14f832215..f598efea5 100644 --- a/playbooks/acs.yml +++ b/playbooks/acs.yml @@ -195,7 +195,7 @@ repo_keystore: "{{ repository_keystore | default({}) }}" repository_properties: "{{ global_properties }}" raw_properties: "{{ properties_snippets }}" - repository_identity_url: "{{ identity_url | default(omit) }}" + repository_identity_url: "{{ identity_url | default('') }}" post_tasks: - name: Update installation status file with ACS become: true diff --git a/roles/repository/tasks/main.yml b/roles/repository/tasks/main.yml index c54ef578e..120bd52bc 100644 --- a/roles/repository/tasks/main.yml +++ b/roles/repository/tasks/main.yml @@ -350,7 +350,7 @@ dynamic_properties: {} - name: Configure identity service when provided - when: repository_identity_url + when: repository_identity_url | length > 0 vars: sso_repository_properties: authentication: From d9d053532413d1bcd4cdd4f7fa46d7e743bb005c Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Wed, 27 Sep 2023 12:10:26 +0200 Subject: [PATCH 22/33] cleanup --- molecule/identity/host_vars/identity-instance.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/molecule/identity/host_vars/identity-instance.yml b/molecule/identity/host_vars/identity-instance.yml index c31218ff9..146ddd8e0 100644 --- a/molecule/identity/host_vars/identity-instance.yml +++ b/molecule/identity/host_vars/identity-instance.yml @@ -1,3 +1 @@ ansible_user: ansible -known_urls: - - http://localhost/ From 95027c041bc1f7b4218590b8e6a1fcbeaaea647d Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Wed, 27 Sep 2023 12:24:49 +0200 Subject: [PATCH 23/33] fallback to empty identity url --- roles/repository/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
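Review bot: The new `when: repository_identity_url | length > 0` in the tasks/main.yml hunk only checks that a value was supplied, so a plain `http://` URL is accepted without comment and the repository will send `identity-service.credentials.secret` and every token it validates to Keycloak in clear text; the molecule verify later in this series expects exactly `identity-service.auth-server-url=http://...`, so that is the configuration actually being exercised. Add an `ansible.builtin.assert` ahead of this task, `that: repository_identity_url is match('^https://')` with `fail_msg: "repository_identity_url must be an https URL"`, or, if http is intended only for co-located installs, document that limitation on `repository_identity_url` in the role defaults. The task body continues past the end of the hunk.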
diff --git a/roles/repository/defaults/main.yml b/roles/repository/defaults/main.yml index dea095d21..4dfed60ad 100644 --- a/roles/repository/defaults/main.yml +++ b/roles/repository/defaults/main.yml @@ -86,6 +86,6 @@ repo_keystore: {} repository_monitored_startup_timeout_seconds: 300 # Identity service arguments -repository_identity_url: null +repository_identity_url: '' repository_identity_client_id: alfresco repository_identity_client_secret: null From 35bbeb0fd7d4de703c7d22dccf2ea02a8e75113c Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Thu, 28 Sep 2023 17:41:44 +0200 Subject: [PATCH 24/33] cleanup molecule ports --- molecule/elasticsearch/molecule.yml | 1 - molecule/identity/molecule.yml | 2 -- molecule/local/molecule.yml | 4 +++- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/molecule/elasticsearch/molecule.yml b/molecule/elasticsearch/molecule.yml index 6d8ef912f..c7dfc1589 100644 --- a/molecule/elasticsearch/molecule.yml +++ b/molecule/elasticsearch/molecule.yml @@ -9,7 +9,6 @@ platforms: dockerfile: ../../tests/molecule/Dockerfile-noprivs.j2 command: "/lib/systemd/systemd" published_ports: - - 80/tcp - 0.0.0.0:443:443/tcp privileged: true tmpfs: diff --git a/molecule/identity/molecule.yml b/molecule/identity/molecule.yml index 4a0692dc3..88186e742 100644 --- a/molecule/identity/molecule.yml +++ b/molecule/identity/molecule.yml @@ -23,9 +23,7 @@ platforms: - identity - nginx published_ports: - - 80/tcp - 0.0.0.0:443:443/tcp - - 0.0.0.0:8080:8080/tcp provisioner: name: ansible diff --git a/molecule/local/molecule.yml b/molecule/local/molecule.yml index de96a3934..f11c0ec4e 100644 --- a/molecule/local/molecule.yml +++ b/molecule/local/molecule.yml @@ -27,11 +27,13 @@ platforms: - acc - nginx published_ports: - - 80/tcp - 0.0.0.0:443:443/tcp provisioner: name: ansible + config_options: + defaults: + pipelining: true ansible_args: - -e - "@tests/test-extra-vars.yml" From 803b563cf9f278ad2e6225ceb11e8077df65e369 Mon Sep 17 00:00:00 2001 
From: Giovanni Toraldo Date: Thu, 28 Sep 2023 18:05:00 +0200 Subject: [PATCH 25/33] fixup string default --- molecule/identity/verify.yml | 6 +++--- roles/repository/defaults/main.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/molecule/identity/verify.yml b/molecule/identity/verify.yml index c1bca107e..0433175cb 100644 --- a/molecule/identity/verify.yml +++ b/molecule/identity/verify.yml @@ -18,19 +18,19 @@ src: /etc/opt/alfresco/content-services/classpath/alfresco-global.properties register: slurp_global_properties - - name: Check reindex service contains the expected ExecStart line + - name: Check alfresco-global.properties contains expected identity properties vars: global_properties_content: "{{ slurp_global_properties['content'] | b64decode }}" expected_auth_chain: "authentication.chain=identity-service1:identity-service,alfrescoNtlm1:alfrescoNtlm" expected_service_resource: "identity-service.resource=alfresco" expected_service_credentials: "identity-service.credentials.secret=" - expected_auth_url: "identity-service.auth-server-url=http://172.17.0.2:8082/" + expected_auth_url_regex: 'identity-service\.auth-server-url=http:\/\/.*\/' ansible.builtin.assert: that: - "expected_auth_chain in global_properties_content" - "expected_service_resource in global_properties_content" - "expected_service_credentials in global_properties_content" - - "expected_auth_url in global_properties_content" + - "global_properties_content | regex_search(expected_auth_url_regex)" msg: "{{ global_properties_content }}" - name: Fetch realm diff --git a/roles/repository/defaults/main.yml b/roles/repository/defaults/main.yml index 4dfed60ad..d25a82952 100644 --- a/roles/repository/defaults/main.yml +++ b/roles/repository/defaults/main.yml 
@@ -88,4 +88,4 @@ repository_monitored_startup_timeout_seconds: 300 # Identity service arguments repository_identity_url: '' repository_identity_client_id: alfresco -repository_identity_client_secret: null +repository_identity_client_secret: '' From e5b0927a66d31b2e2924c10c2cd5620d52fea953 Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Fri, 29 Sep 2023 17:45:20 +0200 Subject: [PATCH 26/33] fixup secrets --- .secrets.baseline | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index a6cf7bed7..72bd5749f 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -154,7 +154,7 @@ "filename": "playbooks/acs.yml", "hashed_secret": "0eeb6b7bb932e8594b4ffe039dc15332f670cbd9", "is_verified": false, - "line_number": 345, + "line_number": 360, "is_secret": false } ], @@ -279,5 +279,5 @@ } ] }, - "generated_at": "2023-09-29T07:22:26Z" + "generated_at": "2023-09-29T15:44:55Z" } From 5900fd96fcd51c100adbba32d62d33706eee2f61 Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Mon, 2 Oct 2023 09:57:06 +0200 Subject: [PATCH 27/33] support remaining arguments for identity role --- roles/identity/defaults/main.yml | 5 ++++- roles/identity/meta/argument_specs.yml | 15 +++++++++++++++ roles/identity/tasks/main.yml | 6 +++--- 3 files changed, 22 insertions(+), 4 deletions(-) diff --git a/roles/identity/defaults/main.yml b/roles/identity/defaults/main.yml index b7910ba85..565fd758a 100644 --- a/roles/identity/defaults/main.yml +++ b/roles/identity/defaults/main.yml @@ -3,9 +3,12 @@ identity_admin_username: admin identity_admin_password: null -identity_keycloak_quarkus_version: 21.1.2 +identity_keycloak_quarkus_version: "21.1.2" identity_alfresco_theme_version: "0.3.5" identity_keycloak_http_port: 8080 +identity_keycloak_start_dev: true +identity_keycloak_proxy_mode: edge +identity_keycloak_host: localhost identity_known_urls: [] 
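Review bot: Changing `repository_identity_client_secret` to default `''` means the repository role emits `identity-service.credentials.secret=` with an empty value whenever SSO is enabled without a secret, rather than leaving the property out — the molecule verify in this series asserts that exact line. For a confidential Keycloak client an empty secret presumably fails at token-validation time rather than at deploy time, and for a public client the line suggests a credential exists where none does. Include the property only when `repository_identity_client_secret | length > 0`, and set `no_log: true` on the task that renders it so the value is not echoed in verbose runs. The task that consumes this default lives outside the hunk.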
diff --git a/roles/identity/meta/argument_specs.yml b/roles/identity/meta/argument_specs.yml index c7885c952..27dd20cd4 100644 --- a/roles/identity/meta/argument_specs.yml +++ b/roles/identity/meta/argument_specs.yml @@ -18,6 +18,21 @@ argument_specs: default: 8080 description: | Port where to expose the keycloak instance + identity_keycloak_start_dev: + type: bool + default: true + description: | + If keycloak should be started in development mode. Not suitable for production + identity_keycloak_proxy_mode: + type: str + default: edge + description: | + Fine tune specific behaviour when running keycloak behind a proxy + identity_keycloak_host: + type: str + default: localhost + description: | + Hostname where clients can reach the keycloak instance identity_known_urls: type: list elements: str diff --git a/roles/identity/tasks/main.yml b/roles/identity/tasks/main.yml index 176c4c365..5455f82b1 100644 --- a/roles/identity/tasks/main.yml +++ b/roles/identity/tasks/main.yml @@ -4,9 +4,9 @@ vars: keycloak_quarkus_admin_pass: "{{ identity_admin_password }}" keycloak_quarkus_version: "{{ identity_keycloak_quarkus_version }}" - keycloak_quarkus_start_dev: true - keycloak_quarkus_proxy_mode: edge - keycloak_quarkus_host: localhost + keycloak_quarkus_start_dev: "{{ identity_keycloak_start_dev }}" + keycloak_quarkus_proxy_mode: "{{ identity_keycloak_proxy_mode }}" + keycloak_quarkus_host: "{{ identity_keycloak_host }}" keycloak_quarkus_http_port: "{{ identity_keycloak_http_port }}" keycloak_quarkus_http_relative_path: auth ansible.builtin.include_role: From 7e0c4c80954812c7c0943f86c0fa4f2da7a38910 Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Mon, 2 Oct 2023 10:58:58 +0200 Subject: [PATCH 28/33] workaround keycloak redirecting to http --- roles/nginx/templates/alfresco_proxy.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nginx/templates/alfresco_proxy.j2 b/roles/nginx/templates/alfresco_proxy.j2 index ca559a112..fd5853e4b 100644 
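Review bot: `identity_keycloak_start_dev` in the argument_specs hunk is described as "Not suitable for production" yet defaults to `true`, so any user who does not read the spec gets a Keycloak launched with `start-dev`, which as far as I know relaxes the hostname and HTTPS requirements and enables development caching; the safe default is `false`, with the molecule scenario opting in explicitly. `identity_keycloak_proxy_mode: edge` tells Keycloak to trust `X-Forwarded-*` headers from any client that reaches `identity_keycloak_http_port`, so the description should say the port must be reachable only through the reverse proxy (the molecule change in this series that stops publishing 8080 on the host goes in that direction). Suggested text for that entry: `Proxy mode passed to Keycloak; 'edge' trusts X-Forwarded-* headers, so the HTTP port must be reachable only from the reverse proxy.`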
--- a/roles/nginx/templates/alfresco_proxy.j2 +++ b/roles/nginx/templates/alfresco_proxy.j2 @@ -79,7 +79,7 @@ proxy_set_header Host $host:$server_port; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; + # proxy_set_header X-Forwarded-Proto $scheme; FIXME proxy_pass_header Set-Cookie; } From 812621050dbbda4892d3eaf69ff76582b9efc737 Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Mon, 2 Oct 2023 11:06:29 +0200 Subject: [PATCH 29/33] configure keycloak host --- .secrets.baseline | 4 ++-- group_vars/repository.yml | 2 +- playbooks/acs.yml | 1 + 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index 72bd5749f..00c24b633 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -154,7 +154,7 @@ "filename": "playbooks/acs.yml", "hashed_secret": "0eeb6b7bb932e8594b4ffe039dc15332f670cbd9", "is_verified": false, - "line_number": 360, + "line_number": 361, "is_secret": false } ], @@ -279,5 +279,5 @@ } ] }, - "generated_at": "2023-09-29T15:44:55Z" + "generated_at": "2023-10-02T09:06:16Z" } diff --git a/group_vars/repository.yml b/group_vars/repository.yml index be9874f46..bf5db3a7d 100644 --- a/group_vars/repository.yml +++ b/group_vars/repository.yml @@ -33,7 +33,7 @@ global_properties: cluster: enabled: "{{ (groups['repository'] | length > 1 and not (cluster_keepoff | bool)) | lower }}" share: - host: "{{ fqdn_alfresco | default(known_urls[0]) | default(nginx_host) }}" + host: "{{ fqdn_alfresco | default(known_urls[0] | urlsplit('hostname')) | default(nginx_host) }}" port: "{{ acs_play_port }}" protocol: "{{ acs_play_proto }}" messaging: diff --git a/playbooks/acs.yml b/playbooks/acs.yml index f598efea5..78100e908 100644 --- a/playbooks/acs.yml +++ b/playbooks/acs.yml 
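Review bot: In the group_vars/repository.yml hunk, `fqdn_alfresco | default(known_urls[0] | urlsplit('hostname')) | default(nginx_host)` does not fall back the way its shape suggests: Jinja evaluates the argument of `default` eagerly, so when `known_urls` is undefined or empty the `urlsplit` runs on an undefined value and, if I read Ansible's strict-undefined handling right, errors out even when `fqdn_alfresco` is set, and the trailing `| default(nginx_host)` never gets a chance. An inline conditional is lazy and expresses the intent: `host: "{{ fqdn_alfresco | default((known_urls[0] | urlsplit('hostname')) if (known_urls | default([]) | length > 0) else nginx_host) }}"`. Patch 33 copies the same expression into `alfresco.host`, so both lines want the change.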
@@ -73,6 +73,7 @@ identity_admin_username: admin identity_admin_password: "{{ hostvars.localhost.identity_admin_password }}" identity_keycloak_http_port: "{{ ports_cfg.identity.http }}" + identity_keycloak_host: "{{ fqdn_alfresco | default(known_urls[0] | urlsplit('hostname')) | default(nginx_host) }}" when: not groups.external_identity | default([]) tasks: - name: Configure Realm From 19ddce62f1eb34b9588a8e51307da579fc88be69 Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Mon, 2 Oct 2023 12:05:45 +0200 Subject: [PATCH 30/33] simplify because other variables are not available under identity group --- playbooks/acs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/acs.yml b/playbooks/acs.yml index 78100e908..a54ba7588 100644 --- a/playbooks/acs.yml +++ b/playbooks/acs.yml @@ -73,7 +73,7 @@ identity_admin_username: admin identity_admin_password: "{{ hostvars.localhost.identity_admin_password }}" identity_keycloak_http_port: "{{ ports_cfg.identity.http }}" - identity_keycloak_host: "{{ fqdn_alfresco | default(known_urls[0] | urlsplit('hostname')) | default(nginx_host) }}" + identity_keycloak_host: "{{ fqdn_alfresco }}" when: not groups.external_identity | default([]) tasks: - name: Configure Realm From f90c337d25b2f32e89543b217f90385c67581003 Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Mon, 2 Oct 2023 12:23:55 +0200 Subject: [PATCH 31/33] revert localhost on identity because seems not good --- .secrets.baseline | 4 ++-- playbooks/acs.yml | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index 00c24b633..5a3c92216 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -154,7 +154,7 @@ "filename": "playbooks/acs.yml", "hashed_secret": "0eeb6b7bb932e8594b4ffe039dc15332f670cbd9", "is_verified": false, - "line_number": 361, + "line_number": 360, "is_secret": false } ], 
@@ -279,5 +279,5 @@ } ] }, - "generated_at": "2023-10-02T09:06:16Z" + "generated_at": "2023-10-02T10:23:47Z" } diff --git a/playbooks/acs.yml b/playbooks/acs.yml index a54ba7588..f598efea5 100644 --- a/playbooks/acs.yml +++ b/playbooks/acs.yml @@ -73,7 +73,6 @@ identity_admin_username: admin identity_admin_password: "{{ hostvars.localhost.identity_admin_password }}" identity_keycloak_http_port: "{{ ports_cfg.identity.http }}" - identity_keycloak_host: "{{ fqdn_alfresco }}" when: not groups.external_identity | default([]) tasks: - name: Configure Realm From 4d29f52dba30788f91f25630ae3e0e040bb8dbea Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Mon, 2 Oct 2023 14:13:13 +0200 Subject: [PATCH 32/33] revert workaround --- roles/nginx/templates/alfresco_proxy.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nginx/templates/alfresco_proxy.j2 b/roles/nginx/templates/alfresco_proxy.j2 index fd5853e4b..ca559a112 100644 --- a/roles/nginx/templates/alfresco_proxy.j2 +++ b/roles/nginx/templates/alfresco_proxy.j2 @@ -79,7 +79,7 @@ proxy_set_header Host $host:$server_port; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - # proxy_set_header X-Forwarded-Proto $scheme; FIXME + proxy_set_header X-Forwarded-Proto $scheme; proxy_pass_header Set-Cookie; } From c84317aae7fe782d034eab1d36ad50e286852402 Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Mon, 2 Oct 2023 15:52:07 +0200 Subject: [PATCH 33/33] apply review suggestions --- .secrets.baseline | 4 ++-- group_vars/repository.yml | 2 +- molecule/identity/verify.yml | 15 ++++++++------- 3 files changed, 11 insertions(+), 10 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index 5a3c92216..dc7afaaee 100644 --- a/.secrets.baseline +++ b/.secrets.baseline 
@@ -134,7 +134,7 @@ "filename": "molecule/identity/verify.yml", "hashed_secret": "3f42f2d120c36646b79792b8dccee509e1480ad0", "is_verified": false, - "line_number": 38, + "line_number": 40, "is_secret": false } ], @@ -279,5 +279,5 @@ } ] }, - "generated_at": "2023-10-02T10:23:47Z" + "generated_at": "2023-10-02T13:51:17Z" } diff --git a/group_vars/repository.yml b/group_vars/repository.yml index bf5db3a7d..3a3dad30c 100644 --- a/group_vars/repository.yml +++ b/group_vars/repository.yml @@ -27,7 +27,7 @@ global_properties: username: "{{ repo_db_username }}" password: "{{ repo_db_password }}" alfresco: - host: "{{ fqdn_alfresco | default(nginx_host) }}" + host: "{{ fqdn_alfresco | default(known_urls[0] | urlsplit('hostname')) | default(nginx_host) }}" port: "{{ acs_play_port }}" protocol: "{{ acs_play_proto }}" cluster: diff --git a/molecule/identity/verify.yml b/molecule/identity/verify.yml index 0433175cb..5228b28e0 100644 --- a/molecule/identity/verify.yml +++ b/molecule/identity/verify.yml @@ -1,13 +1,14 @@ --- -- name: Verify Identity - hosts: identity - gather_facts: true +- name: Verify + hosts: all + gather_facts: false tasks: - name: Populate services facts ansible.builtin.service_facts: - name: Check services up ansible.builtin.assert: + quiet: true that: - ansible_facts.services['alfresco-content.service'].state == "running" - ansible_facts.services['keycloak.service'].state == "running" 
@@ -26,12 +27,13 @@ expected_service_credentials: "identity-service.credentials.secret=" expected_auth_url_regex: 'identity-service\.auth-server-url=http:\/\/.*\/' ansible.builtin.assert: + quiet: true that: - "expected_auth_chain in global_properties_content" - "expected_service_resource in global_properties_content" - "expected_service_credentials in global_properties_content" - "global_properties_content | regex_search(expected_auth_url_regex)" - msg: "{{ global_properties_content }}" + fail_msg: "{{ global_properties_content }}" - name: Fetch realm community.general.keycloak_realm_info: @@ -39,12 +41,11 @@ realm: alfresco register: result_realm_info - - ansible.builtin.debug: - var: result_realm_info - - name: Assert that realm is consistent ansible.builtin.assert: + quiet: true that: - result_realm_info.realm_info['realm'] == "alfresco" - result_realm_info.realm_info['account-service'] == "http://localhost/auth/realms/alfresco/account" - result_realm_info.realm_info['public_key'] is defined + fail_msg: "Realm contents doesn't meet expectations: {{ result_realm_info }}"
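Review bot: The new `fail_msg: "{{ global_properties_content }}"` in the verify.yml hunk prints the entire slurped alfresco-global.properties into the CI log on any assertion failure, and that file presumably carries the database password (group_vars/repository.yml renders `password: "{{ repo_db_password }}"` into `global_properties`) and `identity-service.credentials.secret`; the previous `msg:` had the same problem, so this is inherited, but the rename is the moment to fix it. Report only what is missing instead, e.g. `fail_msg: "alfresco-global.properties is missing one of: {{ expected_auth_chain }}, {{ expected_service_resource }}, {{ expected_service_credentials }}, or an auth-server-url matching {{ expected_auth_url_regex }}"`, or mask values with `regex_replace('(?m)^(.*(password|secret)[^=]*)=.*$', '\\1=***')` before printing. Separately, `expected_service_credentials: "identity-service.credentials.secret="` is a bare prefix, so the check passes for any value including an empty one; pin the value the scenario configures, or assert the line is absent when no secret is set. The enclosing assert task starts above the hunk.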