From 86c550cd97a549e8a9b220f9f8ac994bb82d166d Mon Sep 17 00:00:00 2001
From: Peter Havekes
Date: Tue, 5 Mar 2024 11:25:08 +0100
Subject: [PATCH 001/114] Invite aa username/password
---
 roles/invite/templates/serverapplication.yml.j2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/invite/templates/serverapplication.yml.j2 b/roles/invite/templates/serverapplication.yml.j2
index 7ee192329..224ccadac 100644
--- a/roles/invite/templates/serverapplication.yml.j2
+++ b/roles/invite/templates/serverapplication.yml.j2
@@ -118,8 +118,8 @@ teams:
 group-name-context: "{{ invite.group_name_context }}"
 attribute-aggregation:
- user: {{ invite.attribute_aggregation_user }}
- password: {{ invite.attribute_aggregation_secret }}
+ user: {{ aa.invite_username }}
+ password: "{{ invite_api_attribute_aggregation_password }}"
 lifecycle:
 user: {{ invite.lifecycle_user }}
From 54bad4504c21bf7863cfb646b1237c4cd50ee4a3 Mon Sep 17 00:00:00 2001
From: Thijs Kinkhorst
Date: Tue, 5 Mar 2024 11:36:12 +0100
Subject: [PATCH 002/114] aa: invite authority can also supply migrated teams urns
---
 .../templates/attributeAuthorities.yml.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/attribute-aggregation-server/templates/attributeAuthorities.yml.j2 b/roles/attribute-aggregation-server/templates/attributeAuthorities.yml.j2
index a2c4108a0..ece7150a8 100644
--- a/roles/attribute-aggregation-server/templates/attributeAuthorities.yml.j2
+++ b/roles/attribute-aggregation-server/templates/attributeAuthorities.yml.j2
@@ -173,5 +173,5 @@ authorities:
 name: "SPentityID"
 }
 ],
- validationRegExp: "^urn:mace:surf.nl:.*$"
+ validationRegExp: "^urn:(collab:group|mace:surf.nl):.*$"
 }
From ef48925acc978cb539617e4cf09c4002d8f3b43d Mon Sep 17 00:00:00 2001
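Review bot: The new `user:` value is rendered unquoted while the `password:` directly below it is quoted; a username containing `:`, `#` or a leading YAML-significant character would break the template, so quote both for symmetry: `user: "{{ aa.invite_username }}"`. The secret variable introduced here (`invite_api_attribute_aggregation_password`) is renamed again in patch 003 of this series, which suggests the name was not settled when this was merged; a one-line comment above the block saying where the credential pair is defined would spare the next reader that search. The enclosing `teams:` mapping starts outside the hunk.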
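Review bot: The `.` in `mace:surf.nl` is unescaped in the new `validationRegExp`, so the pattern also accepts `urn:mace:surfXnl:...` for any single character; since this regex decides which group URNs the invite authority is allowed to assert, match the domain literally: `validationRegExp: "^urn:(collab:group|mace:surf\\.nl):.*$"`. The trailing `.*` still admits an empty suffix after the namespace, so `.+` is preferable if an empty group identifier is never meaningful. The surrounding authority entry begins outside the hunk.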
From: Peter Havekes Date: Tue, 5 Mar 2024 11:50:25 +0100 Subject: [PATCH 003/114] Invite aa username/password --- roles/invite/templates/serverapplication.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/invite/templates/serverapplication.yml.j2 b/roles/invite/templates/serverapplication.yml.j2 index 224ccadac..33de0fafe 100644 --- a/roles/invite/templates/serverapplication.yml.j2 +++ b/roles/invite/templates/serverapplication.yml.j2 @@ -119,7 +119,7 @@ teams: attribute-aggregation: user: {{ aa.invite_username }} - password: "{{ invite_api_attribute_aggregation_password }}" + password: "{{ invite_attribute_aggregation_secret }}" lifecycle: user: {{ invite.lifecycle_user }} From 23f069f1649cf91421f1c630f979b523d1583a56 Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Tue, 5 Mar 2024 12:21:03 +0100 Subject: [PATCH 004/114] Updated scopes --- roles/manage-server/templates/manage-api-users.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/manage-server/templates/manage-api-users.yml.j2 b/roles/manage-server/templates/manage-api-users.yml.j2 index 073e96afb..b703acd5e 100644 --- a/roles/manage-server/templates/manage-api-users.yml.j2 +++ b/roles/manage-server/templates/manage-api-users.yml.j2 @@ -4,7 +4,7 @@ # READ, //Allowed to read entities # SYSTEM, //Allowed everything including Attribute Manipulation and updating / deleting Identity Providers # TEST, //Only used internally -# WRITE, //Allowed to create (excluding Identity Providers) and update all entities +# WRITE, //Allowed to create and update all entities (excluding Identity Providers) # POLICIES, //Allowed to CRUD PdP Policies # DELETE, //Allowed to delete entities (excluding Identity Providers) # ADMIN //Standard scope for all GUI related endpoint (e.g. /manage/api/client/** endpoints) From e4e0d618e6e4bcb3e8fb46c0f7d47cb105a5efda Mon Sep 17 00:00:00 2001 
From: Okke Harsta Date: Tue, 5 Mar 2024 15:06:04 +0100 Subject: [PATCH 005/114] PdP push manage --- environments/template/group_vars/template.yml | 1 + environments/vm/group_vars/vm.yml | 1 + roles/manage-server/templates/application.yml.j2 | 11 +++++++++++ roles/pdp-server/templates/application.properties.j2 | 4 ---- 4 files changed, 13 insertions(+), 4 deletions(-) diff --git a/environments/template/group_vars/template.yml b/environments/template/group_vars/template.yml index 25f9552cb..60e002c77 100644 --- a/environments/template/group_vars/template.yml +++ b/environments/template/group_vars/template.yml @@ -449,6 +449,7 @@ manage: backdoor_api_user: backdoor_api_user oidcng_name: "OpenConext OIDC-NG" oidc_push_enabled: false + pdp_name: "PdP" run_migrations: false push_after_migration: false features: push, validation, push_preview, orphans, find_my_data, edugain, auto_refresh diff --git a/environments/vm/group_vars/vm.yml b/environments/vm/group_vars/vm.yml index 972fc1327..d28719b30 100644 --- a/environments/vm/group_vars/vm.yml +++ b/environments/vm/group_vars/vm.yml @@ -336,6 +336,7 @@ manage: backdoor_api_user: backdoor_api_user oidcng_name: "OpenConext OIDC-NG" oidc_push_enabled: true + pdp_name: "PdP" features: push, validation, push_preview, orphans, find_my_data, edugain, auto_refresh environment: vm super_user_team_names: "urn:collab:group:vm.surfteams.nl:nl:surfnet:diensten:surfconext_tpm_core" diff --git a/roles/manage-server/templates/application.yml.j2 b/roles/manage-server/templates/application.yml.j2 index 69b547fee..f4d52873c 100644 --- a/roles/manage-server/templates/application.yml.j2 +++ b/roles/manage-server/templates/application.yml.j2 
@@ -41,6 +41,12 @@ push:
 name: {{ manage.oidcng_name }}
 password: {{ oidcng_api_metadata_push_password }}
 enabled: {{ manage.oidc_push_enabled }}
+ pdp:
+ url: https://pdp.{{ base_domain }}/pdp/api/manage/push
+ policy_url: https://pdp.{{ base_domain }}/pdp/api/manage/policies
+ name: {{ manage.pdp_name }}
+ user: {{ pdp.username }}
+ password: {{ pdp.password }}
 product:
 name: Manage
@@ -69,6 +75,11 @@ spring:
 data:
 mongodb:
 uri: mongodb://{{ manage.mongo_user }}:{{ manage.mongo_password }}@{% for host in groups['mongo_servers'] %}{{ hostvars[host]['inventory_hostname'] }}:{{ manage.mongo_port }}{% if not loop.last %},{% endif %}{% endfor %}/{{ manage.mongo_database }}?ssl=true
+ datasource:
+ url: jdbc:mysql://{{ pdp.db_host }}/{{ pdp.db_name }}
+ username: {{ pdp.db_user }}
+ password: {{ pdp.db_password }}
+ driverClassName: org.mariadb.jdbc.Driver
 main:
 banner-mode: "off"
diff --git a/roles/pdp-server/templates/application.properties.j2 b/roles/pdp-server/templates/application.properties.j2
index 0fed6ebc8..a9075ea4a 100644
--- a/roles/pdp-server/templates/application.properties.j2
+++ b/roles/pdp-server/templates/application.properties.j2
@@ -58,10 +58,6 @@ manage.manageBaseUrl=https://manage.{{ base_domain }}
 # If true the manage push is done against the pdp_migrated_policies for testing purposes
 manage.pushTestMode=true
-# Basic authentication for push-policies endpoint
-push_endpoint.username=manage
-push_endpoint.password={{ pdp_push_endpoint_secret }}
-
 # Number of days how long the policy violations are retained
 policy.violation.retention.period.days=30
From f7c9a0fd7100b1b1268440dbd7278b4de8914390 Mon Sep 17 00:00:00 2001
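Review bot: The new `datasource:` block gives Manage a direct connection to PdP's database using `pdp.db_user`/`pdp.db_password`, i.e. the same account PdP itself runs with; unless that account is already read-only, a dedicated DB user with only the grants Manage needs (presumably SELECT on the policy tables, if this is for migrating policies) keeps least privilege, and a comment above `datasource:` should state why Manage needs this access at all. Both `password: {{ pdp.password }}` and `password: {{ pdp.db_password }}` are rendered unquoted, so a generated secret containing `#` or `: ` breaks the YAML; quote them as the invite template in patch 001 does. The `push:` and `spring:` mappings start outside the hunk.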
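Review bot: Deleting `push_endpoint.username`/`push_endpoint.password` removes the only visible credential check on PdP's push endpoint while `manage.pushTestMode=true` is left in place, and nothing in this hunk wires up a replacement; the commit should say how PdP now authenticates Manage's calls to `/pdp/api/manage/push`, `/policies` and later `/decide` — presumably against the `pdp.username`/`pdp.password` pair configured on the Manage side in this same commit, but that is not verifiable here. If `pdp_push_endpoint_secret` is no longer referenced anywhere, remove it from the environment secrets and rotate it rather than leaving a dead credential defined. A comment where the lines were, e.g. `# Push/policies/decide API auth is handled by the manage API user (see manage-server role)`, would document the new trust path once confirmed.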
From: Okke Harsta Date: Fri, 8 Mar 2024 09:34:03 +0100 Subject: [PATCH 006/114] Added policy schema --- roles/manage-server/defaults/main.yml | 1 + .../metadata_templates/policy.template.json | 18 ++ .../templates/application.yml.j2 | 2 +- .../metadata_configuration/policy.schema.json | 203 ++++++++++++++++++ .../single_tenant_template.schema.json.j2 | 2 +- 5 files changed, 224 insertions(+), 2 deletions(-) create mode 100644 roles/manage-server/files/metadata_templates/policy.template.json create mode 100644 roles/manage-server/templates/metadata_configuration/policy.schema.json diff --git a/roles/manage-server/defaults/main.yml b/roles/manage-server/defaults/main.yml index 9fa5a0e80..1341fc496 100644 --- a/roles/manage-server/defaults/main.yml +++ b/roles/manage-server/defaults/main.yml @@ -25,5 +25,6 @@ manage_tabs_enabled: - saml20_sp - oidc10_rp - oauth20_rs + - policy - single_tenant_template - provisioning diff --git a/roles/manage-server/files/metadata_templates/policy.template.json b/roles/manage-server/files/metadata_templates/policy.template.json new file mode 100644 index 000000000..71f2c505a --- /dev/null +++ b/roles/manage-server/files/metadata_templates/policy.template.json @@ -0,0 +1,18 @@ +{ + "metaDataFields": {}, + "name": "", + "entityid": "", + "description": "", + "serviceProviderIds": [], + "identityProviderIds": [], + "attributes": [], + "loas": [], + "denyAdvice": "", + "denyRule": false, + "allAttributesMustMatch": false, + "userDisplayName": "", + "authenticatingAuthorityName": "", + "denyAdviceNl": "", + "active": true, + "type": "reg" +} diff --git a/roles/manage-server/templates/application.yml.j2 b/roles/manage-server/templates/application.yml.j2 index f4d52873c..689376434 100644 --- a/roles/manage-server/templates/application.yml.j2 +++ b/roles/manage-server/templates/application.yml.j2 
@@ -76,7 +76,7 @@ spring: mongodb: uri: mongodb://{{ manage.mongo_user }}:{{ manage.mongo_password }}@{% for host in groups['mongo_servers'] %}{{ hostvars[host]['inventory_hostname'] }}:{{ manage.mongo_port }}{% if not loop.last %},{% endif %}{% endfor %}/{{ manage.mongo_database }}?ssl=true datasource: - url: jdbc:mysql://{{ pdp.db_host }}/{{ pdp.db_name }} + url: jdbc:mysql://{{ pdp.db_host }}/{{ pdp.db_name }}?permitMysqlScheme username: {{ pdp.db_user }} password: {{ pdp.db_password }} driverClassName: org.mariadb.jdbc.Driver diff --git a/roles/manage-server/templates/metadata_configuration/policy.schema.json b/roles/manage-server/templates/metadata_configuration/policy.schema.json new file mode 100644 index 000000000..5d39a219e --- /dev/null +++ b/roles/manage-server/templates/metadata_configuration/policy.schema.json 
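Review bot: `?permitMysqlScheme` lets the MariaDB driver accept the `jdbc:mysql://` URL, but the connection still carries no TLS setting, whereas the `mongodb://` URI directly above pins `?ssl=true`; if `pdp.db_host` is not local, Manage would send the PdP database password in the clear unless the server side forces TLS. Add an explicit mode, e.g. `url: jdbc:mysql://{{ pdp.db_host }}/{{ pdp.db_name }}?permitMysqlScheme&sslMode=verify-full` (MariaDB Connector/J 3.x parameter naming), or leave a comment stating why plaintext is acceptable on this path. The `spring:` mapping starts outside the hunk.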
@@ -0,0 +1,203 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "title": "policy", + "order": 6, + "type": "object", + "properties": { + "eid": { + "type": "number" + }, + "entityid": { + "type": "string", + "minLength": 1 + }, + "policyId": { + "type": "string", + "minLength": 1 + }, + "name": { + "type": "string", + "minLength": 1 + }, + "description": { + "type": "string", + "minLength": 1 + }, + "type": { + "type": "string", + "enum": [ + "reg", + "step" + ], + "default": "reg" + }, + "revisionid": { + "type": "number" + }, + "created": { + "type": [ + "string", + "null" + ] + }, + "revisionnote": { + "type": "string" + }, + "notes": { + "type": [ + "string", + "null" + ] + }, + "serviceProviderIds": { + "type": "array", + "minItems": 1, + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + } + } + } + }, + "identityProviderIds": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + } + } + } + }, + "metaDataFields": { + "type": "object", + "properties": {}, + "patternProperties": {}, + "required": [], + "additionalProperties": false + }, + "attributes": { + "type": "array", + "required": ["name", "value"], + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + }, + "negated": { + "type": "boolean", + "default": "false" + } + } + } + }, + "loas": { + "type": "array", + "items": { + "type": "object", + "properties": { + "level": { + "type": "string" + }, + "allAttributesMustMatch": { + "type": "boolean" + }, + "negateCidrNotation": { + "type": "boolean" + }, + "attributes": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + }, + "negated": { + "type": "boolean" + } + } + } + }, + "cidrNotations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "ipAddress": { + "type": "string" + }, + 
"prefix": { + "type": "integer" + }, + "ipInfo": { + "type": "object", + "properties": { + "networkAddress": { + "type": "string" + }, + "broadcastAddress": { + "type": "string" + }, + "capacity": { + "type": "number" + }, + "ipv4": { + "type": "boolean" + }, + "prefix": { + "type": "integer" + } + } + } + } + } + } + } + } + }, + "allAttributesMustMatch": { + "type": "boolean" + }, + "active": { + "type": "boolean" + }, + "denyRule": { + "type": "boolean" + }, + "userDisplayName": { + "type": "string" + }, + "authenticatingAuthorityName": { + "type": "string" + }, + "denyAdvice": { + "type": [ + "string", + "null" + ] + }, + "denyAdviceNl": { + "type": [ + "string", + "null" + ] + } + }, + "required": [ + "name", + "serviceProviderIds" + ], + "additionalProperties": false, + "indexes": [] +} diff --git a/roles/manage-server/templates/metadata_configuration/single_tenant_template.schema.json.j2 b/roles/manage-server/templates/metadata_configuration/single_tenant_template.schema.json.j2 index 931ce6d48..c2914b935 100644 --- a/roles/manage-server/templates/metadata_configuration/single_tenant_template.schema.json.j2 +++ b/roles/manage-server/templates/metadata_configuration/single_tenant_template.schema.json.j2 @@ -1,7 +1,7 @@ { "$schema": "http://json-schema.org/draft-04/schema#", "title": "single_tenant_template", - "order": 6, + "order": 7, "definitions": { "AssertionConsumerServiceBinding": { "type": "string", From 756bc7c26d6b8a688be23d7e4082ddd30ce37d1d Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Fri, 8 Mar 2024 09:45:18 +0100 Subject: [PATCH 007/114] Basic authentication for PDP API --- .../{policy.schema.json => policy.schema.json.j2} | 0 roles/pdp-gui/templates/pdp.conf.j2 | 4 ++-- 2 files changed, 2 insertions(+), 2 deletions(-) rename roles/manage-server/templates/metadata_configuration/{policy.schema.json => policy.schema.json.j2} (100%) 
diff --git a/roles/manage-server/templates/metadata_configuration/policy.schema.json b/roles/manage-server/templates/metadata_configuration/policy.schema.json.j2 similarity index 100% rename from roles/manage-server/templates/metadata_configuration/policy.schema.json rename to roles/manage-server/templates/metadata_configuration/policy.schema.json.j2 diff --git a/roles/pdp-gui/templates/pdp.conf.j2 b/roles/pdp-gui/templates/pdp.conf.j2 index e84b06f00..c304de661 100644 --- a/roles/pdp-gui/templates/pdp.conf.j2 +++ b/roles/pdp-gui/templates/pdp.conf.j2 @@ -55,9 +55,9 @@ Listen {{ apache_app_listen_address.pdp }}:{{ loadbalancing.pdp.port }} Options -Indexes - + Require all granted - + Require all granted From 3634170be437a9bc9870d8a429dd20ad07ae4d41 Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Sat, 9 Mar 2024 09:19:24 +0100 Subject: [PATCH 008/114] PdP endpoint for manage decide --- roles/manage-server/templates/application.yml.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/manage-server/templates/application.yml.j2 b/roles/manage-server/templates/application.yml.j2 index 689376434..7150ce8a1 100644 --- a/roles/manage-server/templates/application.yml.j2 +++ b/roles/manage-server/templates/application.yml.j2 @@ -44,6 +44,7 @@ push: pdp: url: https://pdp.{{ base_domain }}/pdp/api/manage/push policy_url: https://pdp.{{ base_domain }}/pdp/api/manage/policies + decide_url: https://pdp.{{ base_domain }}/pdp/api/manage/decide name: {{ manage.pdp_name }} user: {{ pdp.username }} password: {{ pdp.password }} From 96331ae96e08954c39b68a39372209235521f4ff Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Mon, 11 Mar 2024 14:33:06 +0100 Subject: [PATCH 009/114] SPdashboard: JIRA moved to service accounts --- roles/spdashboard/templates/env.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/spdashboard/templates/env.j2 b/roles/spdashboard/templates/env.j2 index 395b64a98..d68c273fe 100644 --- a/roles/spdashboard/templates/env.j2 
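Review bot: The only directives visible in this hunk are two added `Require all granted`, so Apache itself enforces no authentication on these paths; given the commit title, the basic-auth check for the PdP API must live in the PdP application, and it is worth confirming that every `/pdp/api/manage/*` endpoint Manage calls (push, policies, decide) is behind it and not only the GUI routes. The `<Location>` container tags around these lines are not visible in this rendering, so which paths the grants cover cannot be checked here. A one-line comment above each grant naming the path and stating `# authentication is enforced by the application (HTTP basic for the manage API user)` would make the intent auditable.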
+++ b/roles/spdashboard/templates/env.j2
@@ -35,7 +35,7 @@ manage_prod_password={{ manage_prod_sp_dashboard_secret }}
 manage_prod_publication_status={{ spdashboard_manage_prod_publication_status }}
 manage_prod_oidcng_enabled={{ spdashboard_manage_prod_oidcng_enabled }}
 jira_host={{ spdashboard_jira_host }}
-jira_username={{ spdashboard_jira_username }}
+jira_personal_access_token={{ spdashboard_jira_apikey }}
 jira_password={{ spdashboard_jira_password }}
 jira_issue_priority={{ spdashboard_jira_issue_priority }}
 jira_issue_type={{ spdashboard_jira_issue_type }}
From d623265d4c164cfd2a7077d7585f976da716f6ff Mon Sep 17 00:00:00 2001
From: Thijs Kinkhorst
Date: Tue, 12 Mar 2024 11:54:43 +0100
Subject: [PATCH 010/114] New settings for EB 6.14.
---
 roles/engineblock/defaults/main.yml | 2 ++
 roles/engineblock/templates/parameters.yml.j2 | 4 ++++
 2 files changed, 6 insertions(+)
diff --git a/roles/engineblock/defaults/main.yml b/roles/engineblock/defaults/main.yml
index 33454ce49..f15b81b6f 100644
--- a/roles/engineblock/defaults/main.yml
+++ b/roles/engineblock/defaults/main.yml
@@ -11,6 +11,7 @@ engine_feature_block_user_on_violation: 0
 engine_feature_enable_sso_notification: 0
 engine_feature_enable_sso_session_cookie: 0
 engine_feature_enable_consent: 1
+engine_feature_stepup_override_entityid: 0
 engine_api_feature_metadata_push: 1
 engine_api_feature_consent_listing: 1
@@ -49,6 +50,7 @@ engine_profile_baseurl: "https://profile.{{ base_domain }}"
 # Required for Stepup authentication
 engine_stepup_base_domain: "stepup.{{ base_domain }}"
 engine_stepup_gateway_domain: "gateway.{{ engine_stepup_base_domain }}"
+engine_stepup_override_entityid: ""
 ## PDP endpoint
 engine_pdp_baseurl: https://pdp.{{ base_domain }}
diff --git a/roles/engineblock/templates/parameters.yml.j2 b/roles/engineblock/templates/parameters.yml.j2
index f05832faf..3501882a8 100644
--- a/roles/engineblock/templates/parameters.yml.j2
+++ b/roles/engineblock/templates/parameters.yml.j2
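Review bot: `jira_password={{ spdashboard_jira_password }}` is still rendered on the line after the username was replaced by `jira_personal_access_token`, so the old basic-auth password keeps landing in the env file even though the commit says JIRA moved to a service-account token; drop the `jira_password` line if the dashboard no longer reads it, and retire and rotate the `spdashboard_jira_password` secret instead of leaving it deployed. The variable name `spdashboard_jira_apikey` also does not match the key it feeds (`jira_personal_access_token`); aligning the two avoids them being confused later.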
@@ -229,6 +229,7 @@ parameters: feature_enable_sso_notification: {{ engine_feature_enable_sso_notification | bool | to_json }} feature_enable_sso_session_cookie: {{ engine_feature_enable_sso_session_cookie | bool | to_json }} feature_enable_consent: {{ engine_feature_enable_consent | bool | to_json }} + feature_stepup_sfo_override_engine_entityid: {{ engine_feature_stepup_override_entityid | bool | to_json }} ########################################################################################## ## PROFILE SETTINGS ########################################################################################## @@ -266,6 +267,9 @@ parameters: stepup.gateway.sfo.sso_location: '{{ engine_stepup_gateway_sfo_sso_location | replace("%","%%") }}' ## The public key from the Stepup Gateway IdP stepup.gateway.sfo.key_file: {{ engine_stepup_gateway_sfo_public_key_file | replace("%","%%") }} + ## You can override the default entityID used by Engineblock for its callout to stepup gateway. + ## You also need to enable the feature toggle feature_stepup_sfo_override_engine_entityid above. + stepup.sfo.override_engine_entityid: '{{ engine_stepup_override_entityid }}' ########################################################################################## ## THEME SETTINGS From 1ecdd503004ffe1091e20a94bf9797790c02c544 Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Thu, 14 Mar 2024 09:11:11 +0100 Subject: [PATCH 011/114] Relax validation regExp voot --- .../templates/attributeAuthorities.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/attribute-aggregation-server/templates/attributeAuthorities.yml.j2 b/roles/attribute-aggregation-server/templates/attributeAuthorities.yml.j2 index ece7150a8..799fcd208 100644 --- a/roles/attribute-aggregation-server/templates/attributeAuthorities.yml.j2 +++ b/roles/attribute-aggregation-server/templates/attributeAuthorities.yml.j2 
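Review bot: The new `stepup.sfo.override_engine_entityid: '{{ engine_stepup_override_entityid }}'` is the only Stepup parameter in this block without the `| replace("%","%%")` filter that `sso_location` and `key_file` apply a few lines above; Symfony treats `%...%` inside parameter values as a reference, so an entityID containing a percent sign would be mis-parsed, and a value containing `'` would break the YAML quoting. Render it as `stepup.sfo.override_engine_entityid: '{{ engine_stepup_override_entityid | replace("%","%%") }}'` for consistency. The two new comment lines could also state the default (`""`, meaning no override) so readers do not have to look it up in defaults/main.yml. The `parameters:` mapping starts outside the hunk.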
@@ -88,7 +88,7 @@ authorities: name: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" } ], - validationRegExp: "^urn:collab:group:.*$" + validationRegExp: "^urn:.*$" } - { id: "manage", From 8e08de26b748ec1319387ebc88404f3fbbb4ed64 Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Thu, 14 Mar 2024 10:57:21 +0100 Subject: [PATCH 012/114] No debugging dashboard --- roles/dashboard-server/templates/logback.xml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/dashboard-server/templates/logback.xml.j2 b/roles/dashboard-server/templates/logback.xml.j2 index 45bc65ad2..78f95081e 100644 --- a/roles/dashboard-server/templates/logback.xml.j2 +++ b/roles/dashboard-server/templates/logback.xml.j2 @@ -32,7 +32,7 @@ - + From 8f948348de34bf1ff5ea462c2f41d4b4afc779aa Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Fri, 15 Mar 2024 14:21:00 +0100 Subject: [PATCH 013/114] Mujina-idp: Add docker deployment option --- provision.yml | 6 +- roles/mujina-idp/defaults/main.yml | 5 +- roles/mujina-idp/handlers/main.yml | 6 ++ roles/mujina-idp/tasks/docker.yml | 62 +++++++++++++++++++ roles/mujina-idp/tasks/main.yml | 28 +++------ roles/mujina-idp/tasks/vm.yml | 26 ++++++++ roles/mujina-idp/templates/application.yml.j2 | 19 +++++- .../templates/logback-docker.xml.j2 | 16 +++++ 8 files changed, 142 insertions(+), 26 deletions(-) create mode 100644 roles/mujina-idp/tasks/docker.yml create mode 100644 roles/mujina-idp/tasks/vm.yml create mode 100644 roles/mujina-idp/templates/logback-docker.xml.j2 diff --git a/provision.yml b/provision.yml index b77f0294a..4d8873a08 100644 --- a/provision.yml +++ b/provision.yml 
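Review bot: `^urn:.*$` accepts every URN, so the voot authority's `validationRegExp` no longer constrains which group identifiers that source may return, removing the check that kept an unrelated or unexpected URN from being aggregated as a group membership; if more namespaces are needed, enumerate them (e.g. `validationRegExp: "^urn:(collab:group|mace:surf\\.nl):.*$"`) rather than opening the pattern entirely. The commit message gives no reason for the relaxation, so the namespace being admitted should at least be named there. The enclosing authority entry starts outside the hunk.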
@@ -173,8 +173,10 @@ - hosts: docker become: true roles: - - { role: docker, tags: ['docker' ] } - - { role: invite, tags: ['invite' ] } + - { role: docker, tags: ['docker' ] } + - { role: invite, tags: ['invite' ] } + - { role: dashboard, tags: ["dashboard"] } + - { role: mujina-idp, tags: ["mujina-idp"] } - import_playbook: "{{ environment_dir }}/playbook.yml" diff --git a/roles/mujina-idp/defaults/main.yml b/roles/mujina-idp/defaults/main.yml index e5d2407ff..2e04745c3 100644 --- a/roles/mujina-idp/defaults/main.yml +++ b/roles/mujina-idp/defaults/main.yml @@ -1,7 +1,8 @@ --- mujina_idp_dir: /opt/mujina-idp -mujina_idp_version: '' -mujina_idp_snapshot_timestamp: '' +mujina_idp_dir_docker: /opt/openconext/mujina-idp +mujina_idp_version: "" +mujina_idp_snapshot_timestamp: "" mujina_idp_jar: mujina-idp-current.jar mujina_manage_provision_samlidp_entity_id: "{{ mujina_idp.entity_id }}" mujina_manage_provision_samlidp_description_en: "{{ instance_name }} Mujina IdP" diff --git a/roles/mujina-idp/handlers/main.yml b/roles/mujina-idp/handlers/main.yml index 6e06f52c2..c3b162a62 100644 --- a/roles/mujina-idp/handlers/main.yml +++ b/roles/mujina-idp/handlers/main.yml @@ -4,3 +4,9 @@ name: "{{ springapp_service_name }}" state: restarted daemon_reload: yes + +- name: restart mujina-idp-docker + community.docker.docker_container: + name: mujina_idp + state: started + restart: true diff --git a/roles/mujina-idp/tasks/docker.yml b/roles/mujina-idp/tasks/docker.yml new file mode 100644 index 000000000..281a2291d --- /dev/null +++ b/roles/mujina-idp/tasks/docker.yml 
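Review bot: The provision.yml hunk also adds the `dashboard` role to the `docker` hosts, which is unrelated to the Mujina change in the commit title and easy to miss in review; splitting it out, or at least naming it in the message, keeps the change auditable. The new `restart mujina-idp-docker` handler targets the container `mujina_idp` while the Traefik router and service labels use `mujina-idp`; putting the name in one role default (e.g. `mujina_idp_container_name: mujina-idp`) used by both the handler and the container task prevents the two drifting apart. The `- hosts: docker` play starts outside the hunk.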
@@ -0,0 +1,62 @@ +--- +- name: Set the mujina_idp directory variable + ansible.builtin.set_fact: + mujina_idp_dir: "/" + +- name: Create config directory + ansible.builtin.file: + path: "{{ mujina_idp_dir_docker }}" + mode: "0750" + state: directory + owner: root + +- name: Copy config + ansible.builtin.template: + src: "{{ item }}.j2" + dest: "{{ mujina_idp_dir_docker }}/{{ item }}" + owner: root + group: root + mode: "0640" + with_items: + - application.yml + - logback-docker.xml + notify: + - restart mujina-idp-docker + +- name: Create and start the server container + community.docker.docker_container: + name: mujina_idp + image: ghcr.io/openconext/mujina/mujina-idp:{{ mujina_idp_version }} + pull: true + restart_policy: "always" + state: started + networks: + - name: "loadbalancer" + mounts: + - source: "{{ mujina_idp_dir_docker }}/application.yml" + target: /application.yml + type: bind + - source: "{{ mujina_idp_dir_docker }}/logback-docker.xml" + target: /logback.xml + type: bind + command: "-Xmx128m --spring.config.location=./" + labels: + traefik.http.routers.mujina-idp.rule: "Host(`mujina-idp.{{ base_domain }}`)" + traefik.http.routers.mujina-idp.tls: "true" + traefik.http.services.mujina-idp.loadbalancer.server.port: "8080" + traefik.enable: "true" + healthcheck: + test: + [ + "CMD", + "wget", + "-no-verbose", + "--tries=1", + "--spider", + "http://localhost:8080/internal/health", + ] + interval: 10s + timeout: 10s + retries: 3 + start_period: 10s + notify: restart mujina-idp-docker diff --git a/roles/mujina-idp/tasks/main.yml b/roles/mujina-idp/tasks/main.yml index f414b26fb..321014458 100644 --- a/roles/mujina-idp/tasks/main.yml +++ b/roles/mujina-idp/tasks/main.yml 
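Review bot: The healthcheck passes `-no-verbose` to wget, which does not appear to be a valid spelling (`--no-verbose` or `-nv`), so the probe is likely to exit non-zero and the container may be marked unhealthy regardless of the application's state; change it to `"--no-verbose"`. The config files are installed `0640 root:root` but nothing states which UID the image runs as; if the entrypoint is not root, the bind-mounted `application.yml`/`logback.xml` are unreadable and startup fails, so either set `group` to the container's GID or document the assumption. `set_fact: mujina_idp_dir: "/"` is also unexplained; a comment such as `# the image reads application.yml from the container root` (if that is the reason) would save the next reader a trip to the Dockerfile.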
@@ -1,26 +1,14 @@
 ---
+- name: Include docker tasks when running docker
+ ansible.builtin.include_tasks: docker.yml
+ when: "'docker' in group_names"
-- name: Copy config
- template:
- src: "{{ item }}.j2"
- dest: "{{ mujina_idp_dir }}/{{ item }}"
- owner: "{{ springapp_user }}"
- group: "{{ springapp_user }}"
- mode: 0740
- with_items:
- - logback.xml
- - application.yml
- notify:
- - restart mujina-idp
-
-- name: copy apache config
- template:
- src: mujina_idp.conf.j2
- dest: /etc/httpd/conf.d/mujina_idp.conf
- notify: reload httpd
+- name: Include docker tasks when running docker
+ ansible.builtin.include_tasks: vm.yml
+ when: "'docker' not in group_names"
 - name: Include the role manage_provision_entities to provision the mujina IdP to Manage
- include_role:
+ ansible.builtin.include_role:
 name: manage_provision_entities
- vars:
+ vars:
 entity_type: saml20_idp
diff --git a/roles/mujina-idp/tasks/vm.yml b/roles/mujina-idp/tasks/vm.yml
new file mode 100644
index 000000000..f414b26fb
--- /dev/null
+++ b/roles/mujina-idp/tasks/vm.yml
@@ -0,0 +1,26 @@
+---
+
+- name: Copy config
+ template:
+ src: "{{ item }}.j2"
+ dest: "{{ mujina_idp_dir }}/{{ item }}"
+ owner: "{{ springapp_user }}"
+ group: "{{ springapp_user }}"
+ mode: 0740
+ with_items:
+ - logback.xml
+ - application.yml
+ notify:
+ - restart mujina-idp
+
+- name: copy apache config
+ template:
+ src: mujina_idp.conf.j2
+ dest: /etc/httpd/conf.d/mujina_idp.conf
+ notify: reload httpd
+
+- name: Include the role manage_provision_entities to provision the mujina IdP to Manage
+ include_role:
+ name: manage_provision_entities
+ vars:
+ entity_type: saml20_idp
diff --git a/roles/mujina-idp/templates/application.yml.j2 b/roles/mujina-idp/templates/application.yml.j2
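Review bot: `manage_provision_entities` is now included twice on VM hosts: the new `vm.yml` ends with its own `include_role` of that role, and `main.yml` includes the same role again right after `include_tasks: vm.yml`, so the IdP is provisioned to Manage twice per run, which is harmless only if that role is fully idempotent. Drop the trailing include from `vm.yml`, since `main.yml` already covers both deployment paths. The second task in `main.yml` is also mislabelled — it includes `vm.yml` but is named `Include docker tasks when running docker`; rename it `Include vm tasks when not running docker`.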
@@ -5,14 +5,16 @@ logging: mujina: DEBUG server: - # The port to where this Spring Boot application listens to. e.g. http://localhost:{{ springapp_tcpport }} - port: {{ springapp_tcpport }} + # The port to where this Spring Boot application listens to. e.g. http://localhost:80 + port: 8080 # The context path of the server. You can skip this value in the overriding application.properties on the classpath contextPath: session: # 8 hours before we time-out timeout: 28800 server-header: no + use-forward-headers: true + forward-headers-strategy: NATIVE secure_cookie: {{ mujina_idp.cookie_secure }} @@ -33,6 +35,19 @@ idp: expires: 300 # Authentication method ALL for every username / password combination and USER for the configured users auth_method: ALL + saml_binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect + compare_endpoints: true + saml_attributes_config_file: classpath:saml-attributes.json + attributes: + [urn:mace:dir:attribute-def:uid]: "john.doe" + [urn:mace:dir:attribute-def:cn]: "John Doe" + [urn:mace:dir:attribute-def:givenName]: "John" + [urn:mace:dir:attribute-def:sn]: "Doe" + [urn:mace:dir:attribute-def:displayName]: "John Doe" + [urn:mace:dir:attribute-def:mail]: "j.doe@example.com" + [urn:mace:terena.org:attribute-def:schacHomeOrganization]: "example.com" + [urn:mace:dir:attribute-def:eduPersonPrincipalName]: "j.doe@example.com" + [urn:oasis:names:tc:SAML:attribute:subject-id]: "j.doe@example.com" acr: values: diff --git a/roles/mujina-idp/templates/logback-docker.xml.j2 b/roles/mujina-idp/templates/logback-docker.xml.j2 new file mode 100644 index 000000000..1c2ddfb3b --- /dev/null +++ b/roles/mujina-idp/templates/logback-docker.xml.j2 @@ -0,0 +1,16 @@ + + + + + + %d{ISO8601} %5p [%t] %logger{40}:%L - %m%n + + + + + + + + + + From 2d6ca3e13991f4d7ee3b4a8590c8cc2edbebdc80 Mon Sep 17 00:00:00 2001 
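Review bot: With `auth_method: ALL` this IdP accepts any username/password combination, and the docker task in this same commit publishes it on `mujina-idp.{{ base_domain }}` through Traefik, so whatever Manage lets this entity authenticate to becomes reachable with invented credentials; that is the point of a test IdP, but the template should say so and the role should refuse to run against a production inventory, e.g. a guard on the group_vars `environment` value if that is usable here. The port is now hard-coded to `8080` in a template shared by the VM path, replacing `{{ springapp_tcpport }}`; confirm the Apache proxy in `mujina_idp.conf.j2` still points at the right port. `use-forward-headers: true` / `forward-headers-strategy: NATIVE` makes the app trust `X-Forwarded-*` from any peer on the `loadbalancer` network, which is fine only if Traefik alone can reach 8080 — worth a one-line comment stating that assumption. The `server:` mapping starts outside the hunk.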
From: Bart Geesink Date: Fri, 15 Mar 2024 14:59:38 +0100 Subject: [PATCH 014/114] Mujina: Use correct version var --- roles/mujina-idp/tasks/docker.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mujina-idp/tasks/docker.yml b/roles/mujina-idp/tasks/docker.yml index 281a2291d..93b682f4f 100644 --- a/roles/mujina-idp/tasks/docker.yml +++ b/roles/mujina-idp/tasks/docker.yml @@ -26,7 +26,7 @@ - name: Create and start the server container community.docker.docker_container: name: mujina_idp - image: ghcr.io/openconext/mujina/mujina-idp:{{ mujina_idp_version }} + image: ghcr.io/openconext/mujina/mujina-idp:{{ mujina_version }} pull: true restart_policy: "always" state: started From 66f0852a8ebedcebebf26c516e0bb31fee0666e8 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Fri, 15 Mar 2024 15:15:05 +0100 Subject: [PATCH 015/114] Mujina IDP: Add config so the health and info endpoints are exposed at /internal --- roles/mujina-idp/handlers/main.yml | 2 +- roles/mujina-idp/tasks/docker.yml | 2 +- roles/mujina-idp/templates/application.yml.j2 | 20 ++++++++++++------- 3 files changed, 15 insertions(+), 9 deletions(-) diff --git a/roles/mujina-idp/handlers/main.yml b/roles/mujina-idp/handlers/main.yml index c3b162a62..33f84a7cf 100644 --- a/roles/mujina-idp/handlers/main.yml +++ b/roles/mujina-idp/handlers/main.yml @@ -7,6 +7,6 @@ - name: restart mujina-idp-docker community.docker.docker_container: - name: mujina_idp + name: mujina-idp state: started restart: true diff --git a/roles/mujina-idp/tasks/docker.yml b/roles/mujina-idp/tasks/docker.yml index 93b682f4f..82ff22c0d 100644 --- a/roles/mujina-idp/tasks/docker.yml +++ b/roles/mujina-idp/tasks/docker.yml @@ -25,7 +25,7 @@ - name: Create and start the server container community.docker.docker_container: - name: mujina_idp + name: mujina-idp image: ghcr.io/openconext/mujina/mujina-idp:{{ mujina_version }} pull: true restart_policy: "always" 
diff --git a/roles/mujina-idp/templates/application.yml.j2 b/roles/mujina-idp/templates/application.yml.j2
index 26d0be39a..65c0834d6 100644
--- a/roles/mujina-idp/templates/application.yml.j2
+++ b/roles/mujina-idp/templates/application.yml.j2
@@ -62,12 +62,18 @@ spring:
 velocity:
 check-template-location: False
-# We disable all endpoints except health for the load-balancer and info for git information.
-endpoints:
- enabled: false
- jmx:
- enabled: false
+management:
 health:
- enabled: true
+ mail:
+ enabled: false
+ endpoints:
+ web:
+ exposure:
+ include: "health,info"
+ base-path: "/internal"
+ endpoint:
+ info:
+ enabled: true
 info:
- enabled: true
+ git:
+ mode: full
From dfbdf160558966724d5ea142cc318f94c47eefca Mon Sep 17 00:00:00 2001
From: Thijs Kinkhorst
Date: Tue, 19 Mar 2024 11:21:22 +0100
Subject: [PATCH 016/114] Make voot regexp more specific to rule out completely unrelated urns
---
 .../templates/attributeAuthorities.yml.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/attribute-aggregation-server/templates/attributeAuthorities.yml.j2 b/roles/attribute-aggregation-server/templates/attributeAuthorities.yml.j2
index 799fcd208..e98342b8b 100644
--- a/roles/attribute-aggregation-server/templates/attributeAuthorities.yml.j2
+++ b/roles/attribute-aggregation-server/templates/attributeAuthorities.yml.j2
@@ -88,7 +88,7 @@ authorities:
 name: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
 }
 ],
- validationRegExp: "^urn:.*$"
+ validationRegExp: "^urn:(collab:group|mace:surf.nl):.*$"
 }
From 81339c14be041c5f237d70456b530d748d5ac335 Mon Sep 17 00:00:00 2001
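Review bot: `management.info.git.mode: full` combined with `exposure.include: "health,info"` publishes the full build metadata (commit id, branch, build time and whatever else the git plugin recorded) on `/internal/info`, and the Traefik router added for this host forwards everything to port 8080, so it is world-readable unless a proxy rule blocks `/internal`; either add that rule or use `mode: simple`. The old comment explaining that only health (for the load balancer) and info were meant to be reachable was deleted with the old keys; keep a line like `# only health (for the LB) and info are exposed under /internal; everything else stays off` above `management:`. The `spring:` mapping starts outside the hunk.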
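Review bot: As in the invite authority's pattern, the `.` in `mace:surf.nl` is unescaped, so `^urn:(collab:group|mace:surf.nl):.*$` also matches e.g. `urn:mace:surf-nl:...`; write `validationRegExp: "^urn:(collab:group|mace:surf\\.nl):.*$"`. The same regex now appears verbatim in two authority entries of this template, so defining it once (e.g. `aa_group_urn_regexp` in the role defaults) would stop the two drifting apart again, as they did between patch 011's relaxation to `^urn:.*$` and this commit. The enclosing authority entry starts outside the hunk.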
From: Bart Geesink Date: Thu, 21 Mar 2024 16:36:12 +0100 Subject: [PATCH 017/114] Add oidc-playground docker role. To be installed with the tag oidc-playground --- roles/oidc-playground/defaults/main.yml | 1 + roles/oidc-playground/handlers/main.yml | 5 ++ roles/oidc-playground/tasks/main.yml | 89 +++++++++++++++++++ .../oidc-playground/templates/logback.xml.j2 | 30 +++++++ .../templates/serverapplication.yml.j2 | 53 +++++++++++ 5 files changed, 178 insertions(+) create mode 100644 roles/oidc-playground/defaults/main.yml create mode 100644 roles/oidc-playground/handlers/main.yml create mode 100644 roles/oidc-playground/tasks/main.yml create mode 100644 roles/oidc-playground/templates/logback.xml.j2 create mode 100644 roles/oidc-playground/templates/serverapplication.yml.j2 diff --git a/roles/oidc-playground/defaults/main.yml b/roles/oidc-playground/defaults/main.yml new file mode 100644 index 000000000..58cb18672 --- /dev/null +++ b/roles/oidc-playground/defaults/main.yml @@ -0,0 +1 @@ +oidc_playground_dir: /opt/openconext/oidc-playground diff --git a/roles/oidc-playground/handlers/main.yml b/roles/oidc-playground/handlers/main.yml new file mode 100644 index 000000000..f195da4bb --- /dev/null +++ b/roles/oidc-playground/handlers/main.yml @@ -0,0 +1,5 @@ +- name: restart oidc-playground-docker + community.docker.docker_container: + name: dashboardserver + state: started + restart: true diff --git a/roles/oidc-playground/tasks/main.yml b/roles/oidc-playground/tasks/main.yml new file mode 100644 index 000000000..83286f4b8 --- /dev/null +++ b/roles/oidc-playground/tasks/main.yml 
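Review bot: The `restart oidc-playground-docker` handler restarts a container named `dashboardserver`, but the container this role creates is `oidcplaygroundserver`, so a config change either bounces the unrelated dashboard container or fails if it does not exist, and the playground keeps running on stale config; change it to `name: oidcplaygroundserver`. Putting the container name in a role default used by both the task and the handler would keep them from diverging. The config files are also installed with `mode: "0740"` although nothing in them is executable; `0640` is the appropriate mode for a file holding client secrets.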
@@ -0,0 +1,89 @@ +--- +- name: Create oidc-playground directory + ansible.builtin.file: + dest: "{{ oidc_playground_dir }}" + state: directory + owner: root + group: root + mode: "0750" + +- name: Copy config + ansible.builtin.template: + src: "{{ item }}.j2" + dest: "{{ oidc_playground_dir }}/{{ item }}" + owner: root + group: root + mode: "0740" + with_items: + - logback.xml + - serverapplication.yml + notify: + - "restart oidc-playground-docker" + +- name: Create and start the server container + community.docker.docker_container: + name: oidcplaygroundserver + image: ghcr.io/openconext/openconext-oidc-playground/oidc-playground-server:{{ oidc_playground_server_version }} + pull: true + restart_policy: "always" + state: started + networks: + - name: "loadbalancer" + mounts: + - source: "{{ oidc_playground_dir }}/serverapplication.yml" + target: /application.yml + type: bind + - source: "{{ oidc_playground_dir }}/logback.xml" + target: /logback.xml + type: bind + command: "-Xmx128m --spring.config.location=./" + healthcheck: + test: + [ + "CMD", + "wget", + "-no-verbose", + "--tries=1", + "--spider", + "http://localhost:8080/internal/health", + ] + interval: 10s + timeout: 10s + retries: 3 + start_period: 10s + notify: restart oidc-playground-docker + +- name: Create the gui container + community.docker.docker_container: + name: oidcplaygroundgui + image: ghcr.io/openconext/openconext-oidc-playground/oidc-playground-gui:{{ oidc_playground_client_version }} + pull: true + restart_policy: "always" + state: started + networks: + - name: "loadbalancer" + labels: + traefik.enable: "true" + traefik.http.routers.oidc-playgroundgui.rule: "Host(`oidc-playground.{{ base_domain }}`)" + traefik.http.routers.oidc-playgroundgui.tls: "true" + traefik.http.services.oidc-playgroundgui.loadbalancer.server.port: "80" + healthcheck: + test: ["CMD", "curl", "--fail", "http://localhost/internal/health"] + interval: 10s + timeout: 10s + retries: 3 + start_period: 10s + env: + HTTPD_CSP: 
"{{ httpd_csp.lenient }}" + +# - name: Include the role manage_provision_entities to provision oidc-playground resource server to Manage +# include_role: +# name: manage_provision_entities +# vars: +# entity_type: oauth20_rs +# +# - name: Include the role manage_provision_entities to provision oidc-playground client to Manage +# include_role: +# name: manage_provision_entities +# vars: +# entity_type: oidc10_rp diff --git a/roles/oidc-playground/templates/logback.xml.j2 b/roles/oidc-playground/templates/logback.xml.j2 new file mode 100644 index 000000000..0ffde3531 --- /dev/null +++ b/roles/oidc-playground/templates/logback.xml.j2 @@ -0,0 +1,30 @@ +#jinja2:lstrip_blocks: True + + + + + + %d{ISO8601} %5p [%t] %logger{40}:%L - %m%n + + + + + + {{ smtp_server }} + {{ noreply_email }} + {{ error_mail_to }} + {{ error_subject_prefix }}Unexpected error oidc-playground + + + + ERROR + + + + + + + + + + diff --git a/roles/oidc-playground/templates/serverapplication.yml.j2 b/roles/oidc-playground/templates/serverapplication.yml.j2 new file mode 100644 index 000000000..ea3261872 --- /dev/null +++ b/roles/oidc-playground/templates/serverapplication.yml.j2 
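Review bot: The server-container healthcheck passes `-no-verbose` to wget; wget's switch is `--no-verbose` (short form `-nv`), and as far as I know a single-dash `-no-verbose` is rejected as an unknown option, so every probe would fail and Docker would flag the container unhealthy regardless of what the application does. Change the array element to `"--no-verbose",`. The `notify: restart oidc-playground-docker` on the container task itself also looks redundant: `docker_container` already recreates the container when its definition changes, so the handler is only needed on the template task above it.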
@@ -0,0 +1,53 @@ +logging: + config: file:///logback.xml + level: + org.springframework.data.mongodb: INFO + +server: + # The port to where this Spring Boot application listens to. + port: 8080 + server-header: + servlet: + # We serve from the root. Do not change this + context-path: + max-http-header-size: 10000000 + tomcat: + max-http-post-size: 10000000 + +management: + health: + mail: + enabled: false + endpoints: + web: + exposure: + include: "health,info" + base-path: "/internal" + endpoint: + info: + enabled: true + info: + git: + mode: full + +oidc: + discovery_endpoint: "{{ oidc_playground.discovery_endpoint }}" + client_id: "{{ oidc_playground.client_id }}" + secret: "{{ oidc_playground.secret }}" + jwt_secret: "{{ oidc_playground.jwt_secret }}" + resource_server_id: "{{ oidc_playground.resource_server_id }}" + resource_server_secret: "{{ oidc_playground.resource_server_secret }}" + redirect_uri: "https://oidc-playground.{{ base_domain }}/redirect" + redirect_uri_form_post: "https://oidc-playground.{{ base_domain }}/oidc/api/redirect" + client_redirect_uri: "https://oidc-playground.{{ base_domain }}/redirect" + +gui: + disclaimer: + background-color: "{{ environment_ribbon_colour }}" + content: "{{ environment_shortname }}" + +acr: + values: + {% for loa in [stepup_intrinsic_loa] + stepup_loa_values_supported + oidcng.acr_values_supported %} + - "{{ loa }}" + {% endfor %} From c4c99b23213c3dd8cb1df5edf8b41c0e74f79f1c Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Mon, 25 Mar 2024 13:21:38 +0100 Subject: [PATCH 018/114] Desired rights permissions --- environments/template/group_vars/template.yml | 4 ++-- environments/vm/group_vars/vm.yml | 6 +++--- .../templates/manage-api-users.yml.j2 | 18 +++++++++--------- 3 files changed, 14 insertions(+), 14 deletions(-) diff --git a/environments/template/group_vars/template.yml b/environments/template/group_vars/template.yml index 60e002c77..dc99da3f6 100644 --- a/environments/template/group_vars/template.yml 
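Review bot: `max-http-header-size: 10000000` and `tomcat.max-http-post-size: 10000000` raise the request limits to roughly 10 MB with no explanation; the header buffer in particular is allocated per connection, so an untrusted client can use it to drive memory consumption. If the playground genuinely needs room for very large tokens, say so, e.g. `# ~10 MB: playground requests may carry very large JWTs/claims; not a production setting`, otherwise fall back to the Spring defaults. The comment above `context-path:` ("Do not change this") would benefit from the same treatment for these two values.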
+++ b/environments/template/group_vars/template.yml @@ -459,7 +459,7 @@ manage: - { name: "dashboard", password: "{{ manage_dashboard_secret }}", - scopes: ["READ", "CHANGE_REQUEST"] + scopes: ["READ", "CHANGE_REQUEST_IDP", "CHANGE_REQUEST_SP"] } - { name: "myconext", @@ -474,7 +474,7 @@ manage: - { name: "sysadmin", password: "{{ manage_sysadmin_secret }}", - scopes: ["READ", "WRITE", "PUSH", "SYSTEM"] + scopes: ["READ", "WRITE_IDP", "WRITE_SP", "PUSH", "SYSTEM"] } - { name: "invite", diff --git a/environments/vm/group_vars/vm.yml b/environments/vm/group_vars/vm.yml index d28719b30..703c5c2f7 100644 --- a/environments/vm/group_vars/vm.yml +++ b/environments/vm/group_vars/vm.yml @@ -344,7 +344,7 @@ manage: - { name: "dashboard", password: "{{ manage_dashboard_secret }}", - scopes: ["READ", "CHANGE_REQUEST"] + scopes: [ "READ", "CHANGE_REQUEST_SP", "CHANGE_REQUEST_IDP" ] } - { name: "myconext", @@ -359,7 +359,7 @@ manage: - { name: "sp-dashboard", password: "{{ manage_sp_dashboard_secret }}", - scopes: ["READ", "WRITE", "PUSH", "DELETE"] + scopes: [ "READ", "WRITE_SP", "CHANGE_REQUEST_SP", "PUSH", "DELETE" ] } - { name: "invite", @@ -369,7 +369,7 @@ manage: - { name: "sysadmin", password: "{{ manage_sysadmin_secret }}", - scopes: ["READ", "WRITE", "PUSH", "SYSTEM"] + scopes: ["READ", "WRITE_SP", "WRITE_IDP", "PUSH", "SYSTEM"] } - { name: "stats", diff --git a/roles/manage-server/templates/manage-api-users.yml.j2 b/roles/manage-server/templates/manage-api-users.yml.j2 index b703acd5e..bf52067f7 100644 --- a/roles/manage-server/templates/manage-api-users.yml.j2 +++ b/roles/manage-server/templates/manage-api-users.yml.j2 
@@ -1,13 +1,13 @@ # Valid scopes are manage.api.Scope.values(); => -# CHANGE_REQUEST, //Allowed to create change requests -# PUSH, //Allowed to push changes to EB & OIDC-NG -# READ, //Allowed to read entities -# SYSTEM, //Allowed everything including Attribute Manipulation and updating / deleting Identity Providers -# TEST, //Only used internally -# WRITE, //Allowed to create and update all entities (excluding Identity Providers) -# POLICIES, //Allowed to CRUD PdP Policies -# DELETE, //Allowed to delete entities (excluding Identity Providers) -# ADMIN //Standard scope for all GUI related endpoint (e.g. /manage/api/client/** endpoints) +# ADMIN, //Standard scope for all GUI related endpoint (e.g. /manage/api/client/** endpoints) +# CHANGE_REQUEST_IDP, //Allowed to create change requests for IdP +# CHANGE_REQUEST_SP, //Allowed to create change requests for SP +# POLICIES, //Allowed to create (excluding Identity Providers) and update all entities +# PUSH, //Allowed to push changes to EB & OIDC-NG +# READ, //Allowed to read entities +# SYSTEM, //Allowed everything including Attribute Manipulation +# WRITE_SP, //Allowed to CRUD SP / RP /RS +# WRITE_IDP //Allowed to CRUD IdP apiUsers: {% for user in manage.apiUsers %} From f6209dc8277ea787027d28cd5f5c73fc62418fa8 Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Mon, 25 Mar 2024 13:26:08 +0100 Subject: [PATCH 019/114] Docu --- roles/manage-server/templates/manage-api-users.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/manage-server/templates/manage-api-users.yml.j2 b/roles/manage-server/templates/manage-api-users.yml.j2 index bf52067f7..224ca3991 100644 --- a/roles/manage-server/templates/manage-api-users.yml.j2 +++ b/roles/manage-server/templates/manage-api-users.yml.j2 
@@ -2,7 +2,7 @@ # ADMIN, //Standard scope for all GUI related endpoint (e.g. /manage/api/client/** endpoints) # CHANGE_REQUEST_IDP, //Allowed to create change requests for IdP # CHANGE_REQUEST_SP, //Allowed to create change requests for SP -# POLICIES, //Allowed to create (excluding Identity Providers) and update all entities +# POLICIES, //Allowed to CRUD policies scoped for the real user # PUSH, //Allowed to push changes to EB & OIDC-NG # READ, //Allowed to read entities # SYSTEM, //Allowed everything including Attribute Manipulation From 289f0798a43a20c3e004af4b2164fd608e5e177f Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Mon, 25 Mar 2024 13:33:16 +0100 Subject: [PATCH 020/114] There is no DELETE Manage API scope --- environments/vm/group_vars/vm.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/environments/vm/group_vars/vm.yml b/environments/vm/group_vars/vm.yml index 703c5c2f7..380ef216e 100644 --- a/environments/vm/group_vars/vm.yml +++ b/environments/vm/group_vars/vm.yml @@ -359,7 +359,7 @@ manage: - { name: "sp-dashboard", password: "{{ manage_sp_dashboard_secret }}", - scopes: [ "READ", "WRITE_SP", "CHANGE_REQUEST_SP", "PUSH", "DELETE" ] + scopes: [ "READ", "WRITE_SP", "CHANGE_REQUEST_SP", "PUSH"] } - { name: "invite", From 04802c8b395b956a0e88e63716b410dfaedee904 Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Mon, 25 Mar 2024 15:01:52 +0100 Subject: [PATCH 021/114] Added policies for manage API --- environments/template/group_vars/template.yml | 2 +- environments/vm/group_vars/vm.yml | 2 +- roles/dashboard-server/templates/application.properties.j2 | 3 ++- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/environments/template/group_vars/template.yml b/environments/template/group_vars/template.yml index dc99da3f6..6d7d3d93c 100644 --- a/environments/template/group_vars/template.yml +++ b/environments/template/group_vars/template.yml 
@@ -459,7 +459,7 @@ manage: - { name: "dashboard", password: "{{ manage_dashboard_secret }}", - scopes: ["READ", "CHANGE_REQUEST_IDP", "CHANGE_REQUEST_SP"] + scopes: ["READ", "CHANGE_REQUEST_IDP", "CHANGE_REQUEST_SP", "POLICIES"] } - { name: "myconext", diff --git a/environments/vm/group_vars/vm.yml b/environments/vm/group_vars/vm.yml index 380ef216e..f0e19510e 100644 --- a/environments/vm/group_vars/vm.yml +++ b/environments/vm/group_vars/vm.yml @@ -344,7 +344,7 @@ manage: - { name: "dashboard", password: "{{ manage_dashboard_secret }}", - scopes: [ "READ", "CHANGE_REQUEST_SP", "CHANGE_REQUEST_IDP" ] + scopes: [ "READ", "CHANGE_REQUEST_SP", "CHANGE_REQUEST_IDP", "POLICIES"] } - { name: "myconext", diff --git a/roles/dashboard-server/templates/application.properties.j2 b/roles/dashboard-server/templates/application.properties.j2 index 1ec8cf161..86558d834 100644 --- a/roles/dashboard-server/templates/application.properties.j2 +++ b/roles/dashboard-server/templates/application.properties.j2 @@ -81,7 +81,8 @@ dashboard.feature.sab={{ dashboard.feature_sab }} dashboard.feature.manage=true dashboard.feature.jira={{ dashboard.feature_jira }} dashboard.feature.consent={{ dashboard.feature_consent }} -dashboard.feature.pdp=true +# Choices are 'MOCK', 'PDP' or 'MANAGE' +dashboard.feature.pdp=MANAGE dashboard.feature.statistics=true dashboard.feature.mail={{ dashboard.feature_mail }} dashboard.feature.oidc={{ dashboard.feature_oidc }} From cdf3c5c2f9663184aee7fd796b838cd8f56bb2c9 Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Mon, 25 Mar 2024 15:06:11 +0100 Subject: [PATCH 022/114] Renamed pdp feature --- roles/dashboard-server/templates/application.properties.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/dashboard-server/templates/application.properties.j2 b/roles/dashboard-server/templates/application.properties.j2 index 86558d834..0f9817be3 100644 --- a/roles/dashboard-server/templates/application.properties.j2 
+++ b/roles/dashboard-server/templates/application.properties.j2 @@ -82,7 +82,7 @@ dashboard.feature.manage=true dashboard.feature.jira={{ dashboard.feature_jira }} dashboard.feature.consent={{ dashboard.feature_consent }} # Choices are 'MOCK', 'PDP' or 'MANAGE' -dashboard.feature.pdp=MANAGE +dashboard.feature.pdpSource=MANAGE dashboard.feature.statistics=true dashboard.feature.mail={{ dashboard.feature_mail }} dashboard.feature.oidc={{ dashboard.feature_oidc }} From f1ebab67a8548f6c8ff734d9173d6781614d8410 Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Mon, 25 Mar 2024 15:21:39 +0100 Subject: [PATCH 023/114] Forced change --- roles/dashboard-server/templates/application.properties.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/dashboard-server/templates/application.properties.j2 b/roles/dashboard-server/templates/application.properties.j2 index 0f9817be3..5f1861ff3 100644 --- a/roles/dashboard-server/templates/application.properties.j2 +++ b/roles/dashboard-server/templates/application.properties.j2 @@ -81,7 +81,7 @@ dashboard.feature.sab={{ dashboard.feature_sab }} dashboard.feature.manage=true dashboard.feature.jira={{ dashboard.feature_jira }} dashboard.feature.consent={{ dashboard.feature_consent }} -# Choices are 'MOCK', 'PDP' or 'MANAGE' +# Valid choices are 'MOCK', 'PDP' or 'MANAGE', 'MOCK' is for local development dashboard.feature.pdpSource=MANAGE dashboard.feature.statistics=true dashboard.feature.mail={{ dashboard.feature_mail }} From af58e9d4263446be37a2e0db7330b2d6fb261d35 Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Mon, 25 Mar 2024 16:06:32 +0100 Subject: [PATCH 024/114] Use Manage as source for Dashboard policies --- roles/dashboard/templates/serverapplication.yml.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/dashboard/templates/serverapplication.yml.j2 b/roles/dashboard/templates/serverapplication.yml.j2 index 5072df466..b56aa5ada 100644 
--- a/roles/dashboard/templates/serverapplication.yml.j2 +++ b/roles/dashboard/templates/serverapplication.yml.j2 @@ -78,7 +78,8 @@ dashboard.feature.sab={{ dashboard.feature_sab }} dashboard.feature.manage=true dashboard.feature.jira={{ dashboard.feature_jira }} dashboard.feature.consent={{ dashboard.feature_consent }} -dashboard.feature.pdp=true +# Valid choices are 'MOCK', 'PDP' or 'MANAGE', 'MOCK' is for local development +dashboard.feature.pdpSource=MANAGE dashboard.feature.statistics=true dashboard.feature.mail={{ dashboard.feature_mail }} dashboard.feature.oidc={{ dashboard.feature_oidc }} From ccdfa3f4107580eeba26e8dba052c4cc52cb0646 Mon Sep 17 00:00:00 2001 From: Peter Havekes Date: Tue, 26 Mar 2024 14:45:55 +0100 Subject: [PATCH 025/114] Tiqr config for new FCM API --- roles/stepuptiqr/tasks/main.yml | 26 ++++++++++++------- roles/stepuptiqr/templates/parameters.yaml.j2 | 6 +++++ 2 files changed, 23 insertions(+), 9 deletions(-) diff --git a/roles/stepuptiqr/tasks/main.yml b/roles/stepuptiqr/tasks/main.yml index 4bbb1dd74..81c222dfc 100644 --- a/roles/stepuptiqr/tasks/main.yml +++ b/roles/stepuptiqr/tasks/main.yml @@ -27,6 +27,14 @@ mode: 0400 when: tiqr_apns_pemfile is defined +- name: Write tiqr Firebase service json + copy: + src: "{{ inventory_dir }}/secrets/tiqr-demo.json" + dest: "{{ current_release_config_file_dir_name }}/tiqr-demo.json" + owner: "{{ appname }}" + mode: 0400 + when: tiqr_firebase_credentialsfile is defined + - name: Place parameters.yml template: src: parameters.yaml.j2 @@ -48,7 +56,7 @@ notify: clear cache {{ appname }} - name: Install assets - command: php72 {{ current_release_appdir }}/bin/console assets:install + command: php72 {{ current_release_appdir }}/bin/console assets:install - name: Activate the symlink file: 
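Review bot: The new 'Write tiqr Firebase service json' task copies a fixed `secrets/tiqr-demo.json` to a fixed `tiqr-demo.json` destination, while it is gated on `tiqr_firebase_credentialsfile is defined` and parameters.yaml.j2 (next hunk) hands `{{ tiqr_firebase_credentialsfile }}` to the application; if that variable names any other path, the app looks for a file this task never wrote. Deriving both sides from the variable, e.g. `src: "{{ inventory_dir }}/secrets/{{ tiqr_firebase_credentialsfile | basename }}"` and `dest: "{{ tiqr_firebase_credentialsfile }}"`, keeps them in step — I cannot see the variable's value, so confirm its shape first. The `demo` in the filename also reads as environment-specific for a shared role.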
@@ -57,21 +65,21 @@ state: link - name: Put tiqr configuration script in /root/ - template: + template: src: "{{ item }}.j2" - dest: "/root/{{ item }}" - group: root - owner: root + dest: "/root/{{ item }}" + group: root + owner: root mode: "0500" with_items: - "01-tiqr-db_init.sh" - name: Put tiqr keyserver migration script in /root/ - template: + template: src: "{{ item }}.j2" - dest: "/root/{{ item }}" - group: root - owner: root + dest: "/root/{{ item }}" + group: root + owner: root mode: "500" with_items: - "02-tiqr-migrate-to-keyserver.php" diff --git a/roles/stepuptiqr/templates/parameters.yaml.j2 b/roles/stepuptiqr/templates/parameters.yaml.j2 index 9dd296728..52c0b5b4e 100644 --- a/roles/stepuptiqr/templates/parameters.yaml.j2 +++ b/roles/stepuptiqr/templates/parameters.yaml.j2 @@ -49,6 +49,12 @@ parameters: firebase: apikey: '{{ tiqr_firebase_apikey }}' {% endif %} +{% if tiqr_firebase_credentialsFile is defined %} + firebase: + projectId: '{{ tiqr_firebase_projectid }}' + credentialsFile: '{{ tiqr_firebase_credentialsfile }}' + cacheTokens: '{{ tiqr_firebase_cachetokens }}' +{% endif %} apns: certificate: '{{ current_release_config_file_dir_name }}/apns.pem' environment: production From ed5d207850eb9e75deb8c66deec6f630453d2f0a Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Tue, 26 Mar 2024 18:33:28 +0100 Subject: [PATCH 026/114] Stats: Move to docker --- provision.yml | 4 +- roles/stats/defaults/main.yml | 6 - roles/stats/files/yarn.repo | 7 -- roles/stats/tasks/main.yml | 148 +++++++++--------------- roles/stats/templates/config.yml.j2 | 6 +- roles/stats/templates/stats-api.wsgi.j2 | 7 -- roles/stats/templates/stats.conf.j2 | 138 +++++++++------------- 7 files changed, 111 insertions(+), 205 deletions(-) delete mode 100644 roles/stats/files/yarn.repo delete mode 100644 roles/stats/templates/stats-api.wsgi.j2 diff --git a/provision.yml b/provision.yml index 4d8873a08..bc9a8c69b 100644 --- a/provision.yml +++ b/provision.yml 
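Review bot: The guard `{% if tiqr_firebase_credentialsFile is defined %}` tests a differently-cased name than the `tiqr_firebase_credentialsfile` used inside the block and in the tasks `when:`; Jinja names are case-sensitive, so the new `firebase:` block is never rendered unless both spellings happen to be set. Use `{% if tiqr_firebase_credentialsfile is defined %}`. Separately, when `tiqr_firebase_apikey` is also defined the rendered file carries two `firebase:` keys under `parameters:`, which YAML loaders either reject or resolve last-wins; chain the two branches with `{% elif %}` or state in a comment that only one of the two variables may be set.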
@@ -152,8 +152,6 @@ gather_facts: true become: true roles: - - role: stats - tags: ['stats' ] - role: influxdb tags: ['influxdb' ] handlers: @@ -177,6 +175,8 @@ - { role: invite, tags: ['invite' ] } - { role: dashboard, tags: ["dashboard"] } - { role: mujina-idp, tags: ["mujina-idp"] } + - { role: oidc-playground, tags: ["oidc-playground"] } + - { role: stats, tags: ["stats"] } - import_playbook: "{{ environment_dir }}/playbook.yml" diff --git a/roles/stats/defaults/main.yml b/roles/stats/defaults/main.yml index 56ce19105..9bdfb26b5 100644 --- a/roles/stats/defaults/main.yml +++ b/roles/stats/defaults/main.yml @@ -1,13 +1,7 @@ openconext_releases_dir: "/opt/openconext" -stats_api_env_dir: "{{ openconext_releases_dir }}/statsapi" -stats_frontend_env_dir: "{{ openconext_releases_dir }}/statsfrontend" -stats_src_dir: "{{ openconext_releases_dir }}/builds/stats" -stats_wsgi_user: stats influx_ebauth_measurement: ebauth -stats_apache_standalone: False stats_manage_url: https://manage.{{ base_domain }} stats_manage_api_user: stats stats_base_domain: stats.{{ base_domain }} stats_oidc_metadata_url: "https://connect.{{ base_domain }}/.well-known/openid-configuration" stats_oidc_client_id: "stats.{{ base_domain }}" -statistics_version: master diff --git a/roles/stats/files/yarn.repo b/roles/stats/files/yarn.repo deleted file mode 100644 index 7b6216d93..000000000 --- a/roles/stats/files/yarn.repo +++ /dev/null @@ -1,7 +0,0 @@ -[yarn] -name=Yarn Repository -baseurl=https://dl.yarnpkg.com/rpm/ -enabled=1 -gpgcheck=1 -gpgkey=https://dl.yarnpkg.com/rpm/pubkey.gpg - diff --git a/roles/stats/tasks/main.yml b/roles/stats/tasks/main.yml index a3eb31db3..15d2b87f6 100644 --- a/roles/stats/tasks/main.yml +++ b/roles/stats/tasks/main.yml 
@@ -1,96 +1,54 @@ --- -- name: Install IUS repo - yum: - name: - - https://repo.ius.io/ius-release-el7.rpm - -- name: Install yarn repo file - copy: src=yarn.repo dest=/etc/yum.repos.d/ - -- name: Install some packages - yum: - name: - - yarn - - npm - - nodejs - - python36u - - python36u-pip - - python36u-mod_wsgi - - python-setuptools - - git - - https://github.com/zmartzone/mod_auth_openidc/releases/download/v2.3.0/cjose-0.5.1-1.el7.centos.x86_64.rpm - - https://github.com/zmartzone/mod_auth_openidc/releases/download/v2.3.8/mod_auth_openidc-2.3.8-1.el7.x86_64.rpm - state: present - -- name: Create stats Apache tls key - copy: content="{{ stats_tls_key }}" dest={{ tls.cert_private_path }}/stats.{{ base_domain }}.key mode=0600 - when: stats_apache_standalone | bool - -- name: Copy stats Apache certificate - copy: src={{ inventory_dir }}/files/certs/stats.{{ base_domain }}.crt dest={{ tls.cert_path }}/stats.{{ base_domain }}.crt owner=root mode=0644 - when: stats_apache_standalone | bool - -- name: Copy stats Apache intermediate - copy: src={{ inventory_dir }}/files/certs/stats.{{ base_domain }}.intermediate dest={{ tls.cert_path_ca }}/stats.{{ base_domain }}.intermediate owner=root mode=0644 - when: stats_apache_standalone | bool - -- name: Create stats api wsgi user - user: name={{ stats_wsgi_user }} shell="/bin/false" state=present - -- name: Checkout OpenConext-statistics branch from Git - git: - repo: https://github.com/OpenConext/OpenConext-statistics.git - dest: "{{ stats_src_dir }}" - force: yes - version: "{{ statistics_version }}" - register: git_stats - -- name: Add git info to server - shell: git --git-dir {{ stats_src_dir }}/.git log -1 > {{ stats_src_dir }}/server/api/git.info - when: git_stats.changed - -- name: Add version info to server - shell: echo "{{ statistics_version }}" > {{ stats_src_dir }}/server/api/version.info - when: git_stats.changed - -- name: Install the virtualenv and requirements - pip: requirements={{ stats_src_dir 
}}/requirements/base.txt virtualenv={{ stats_api_env_dir }} virtualenv_command="/bin/python3.6 -m venv" state=latest - -- name: Install stats server api from {{ stats_src_dir }} to {{ stats_api_env_dir }} - command: cp -r {{ stats_src_dir }}/server {{ stats_api_env_dir }}/ - when: git_stats.changed - -- name: Create log directory - file: path={{ stats_api_env_dir }}/log owner={{ stats_wsgi_user }} group={{ stats_wsgi_user }} mode=0755 state=directory - -- name: Create logfile - copy: content="" dest={{ stats_api_env_dir }}/log/stats.log owner={{ stats_wsgi_user }} group={{ stats_wsgi_user }} mode=0755 force=no - -- name: Place wsgi for the server api - template: src=stats-api.wsgi.j2 dest={{ stats_api_env_dir }}/stats-api.wsgi mode=0550 owner={{ stats_wsgi_user }} group={{ stats_wsgi_user }} - notify: reload httpd - -- name: Install the api config file - template: src=config.yml.j2 dest={{ stats_api_env_dir }}/server/config/config.yml - notify: reload httpd - -- name: Install Apache config file - template: src=stats.conf.j2 dest=/etc/httpd/conf.d/stats.conf - notify: reload httpd - -- name: Create a gui build - shell: "yarn install && yarn build" - args: - chdir: "{{ stats_src_dir }}/client" - when: git_stats.changed - -- name: Delete current www directory - command: rm -fr {{ stats_api_env_dir }}/www - changed_when: false - when: git_stats.changed - -- name: Copy the build to the www directory - command: cp -r {{ stats_src_dir }}/client/build {{ stats_api_env_dir }}/www - changed_when: false - when: git_stats.changed - +- name: Create the directory the keep configfiles + ansible.builtin.file: + dest: /opt/openconext/stats + state: directory + owner: root + group: root + mode: "0770" + +- name: Install configfiles + ansible.builtin.template: + src: "{{ item }}.j2" + dest: "/opt/openconext/stats/{{ item }}" + owner: root + group: root + mode: "0644" + with_items: + - stats.conf + - config.yml + +- name: Create and start the servercontainer + 
community.docker.docker_container: + name: statsserver + image: ghcr.io/openconext/openconext-stats/stats-server:{{ stats_server_version }} + pull: true + restart_policy: "always" + state: started + networks: + - name: "loadbalancer" + mounts: + - source: /opt/openconext/stats/config.yml + target: /app/server/config/config.yml + type: bind + - source: /dev/log + target: /dev/log + type: bind + +- name: Create and start the guicontainer + community.docker.docker_container: + name: statsgui + image: ghcr.io/openconext/openconext-stats/stats-gui:{{ stats_server_version }} + pull: true + restart_policy: "always" + state: started + labels: + traefik.http.routers.statsgui.rule: "Host(`stats.{{ base_domain }}`)" + traefik.http.routers.statsgui.tls: "true" + traefik.enable: "true" + networks: + - name: "loadbalancer" + mounts: + - source: /opt/openconext/stats/stats.conf + target: /etc/apache2/sites-enabled/000-default.conf + type: bind diff --git a/roles/stats/templates/config.yml.j2 b/roles/stats/templates/config.yml.j2 index 9388da59d..ab2a3d6a4 100644 --- a/roles/stats/templates/config.yml.j2 +++ b/roles/stats/templates/config.yml.j2 @@ -1,15 +1,12 @@ database: name: {{ influx_stats_db }} - host: localhost + host: t02.ams.surfconext.nl port: 8086 username: {{ influxdb_stats_user }} password: {{ influxdb_stats_password }} syslog: address: "/dev/log" -# Use localhost and port if syslog listens on UDP -# host: localhost -# port: 514 log: measurement: {{ influx_ebauth_measurement }} @@ -39,4 +36,3 @@ feature: True base_url: https://{{ stats_base_domain }} - diff --git a/roles/stats/templates/stats-api.wsgi.j2 b/roles/stats/templates/stats-api.wsgi.j2 deleted file mode 100644 index c9c3d36a7..000000000 --- a/roles/stats/templates/stats-api.wsgi.j2 +++ /dev/null @@ -1,7 +0,0 @@ -import sys - -if "{{stats_api_env_dir}}" not in sys.path: - sys.path.insert(0, "{{stats_api_env_dir}}") - -from server.__main__ import app as application - 
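Review bot: 'Install configfiles' writes `config.yml` and `stats.conf` with `mode: "0644"`, yet config.yml renders `influxdb_stats_password` and stats.conf renders `OIDCClientSecret` and `OIDCCryptoPassphrase`, so both secrets become world-readable on the host (the oidc-playground role added earlier in this series uses 0740 for the same kind of file). Use `mode: "0640"` unless the container processes run unprivileged and need the extra read bit — in which case say so in a comment. The directory mode `"0770"` with owner root is likewise looser than the `"0750"` used there, and unlike that role there is no `notify` on the template task, so a rotated secret or changed config reaches the containers only after a manual restart; a handler restarting `statsserver`/`statsgui` would close that gap.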
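Review bot: `host: t02.ams.surfconext.nl` hard-codes one environment's InfluxDB host into a shared role template, where every neighbouring value is a variable. Move it to a role variable with a default in `roles/stats/defaults/main.yml`, e.g. `host: {{ <stats_influx_host_var> }}` (placeholder — choose a name matching the existing `influx_*` variables). With the database no longer on localhost the `influxdb_stats_password` now leaves the host on port 8086; whether that link is TLS or confined to a trusted network is not visible here and deserves a comment.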
diff --git a/roles/stats/templates/stats.conf.j2 b/roles/stats/templates/stats.conf.j2 index 857637715..0dae35215 100644 --- a/roles/stats/templates/stats.conf.j2 +++ b/roles/stats/templates/stats.conf.j2 
@@ -1,83 +1,55 @@ -{% if apache_app_listen_address.stats is defined %} -Listen {{ apache_app_listen_address.stats }}:{{ loadbalancing.stats.port }} - -{% else %} - -{% endif %} - - ServerName https://stats.{{ base_domain }} - ServerAdmin {{ admin_email }} - - DocumentRoot {{ stats_api_env_dir }}/www/ - ErrorLog "|/usr/bin/logger -S 32k -p local3.err -t 'Apache-STATS'" - CustomLog "|/usr/bin/logger -S 32k -p local3.info -t 'Apache-STATS'" combined - - RewriteEngine on - - RewriteCond %{REQUEST_URI} !\.(js|css)(\.map)?$ - RewriteCond %{REQUEST_URI} !\.svg$ - RewriteCond %{REQUEST_URI} !\.png$ - RewriteCond %{REQUEST_URI} !\.ico$ - RewriteCond %{REQUEST_URI} !\.woff$ - RewriteCond %{REQUEST_URI} !\.woff2$ - RewriteCond %{REQUEST_URI} !\.ttf$ - RewriteCond %{REQUEST_URI} !\.eot$ - RewriteCond %{REQUEST_URI} !^/(asset-)?manifest.json$ - RewriteCond %{REQUEST_URI} !^/api/ - RewriteCond %{REQUEST_URI} !^/health - RewriteCond %{REQUEST_URI} !^/version - RewriteCond %{REQUEST_URI} !^/info - RewriteCond %{REQUEST_URI} !^/fonts - RewriteRule (.*) /index.html [L] - - RequestHeader set X-Forwarded-Port 443 early - - WSGIDaemonProcess server user={{ stats_wsgi_user }} group={{ stats_wsgi_user }} threads=5 python-home={{ stats_api_env_dir }} - WSGIScriptAlias /health {{ stats_api_env_dir }}/stats-api.wsgi/health - WSGIScriptAlias /info {{ stats_api_env_dir }}/stats-api.wsgi/info - WSGIScriptAlias /version {{ stats_api_env_dir }}/stats-api.wsgi/version - WSGIScriptAlias /api {{ stats_api_env_dir }}/stats-api.wsgi/api - WSGIPassAuthorization On - - WSGIProcessGroup server - WSGIApplicationGroup %{GLOBAL} - Require all granted - - {% if stats_apache_standalone %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/stats.{{ base_domain }}.crt - SSLCertificateKeyFile {{ tls.cert_private_path }}/stats.{{ base_domain }}.key - SSLCertificateChainFile {{ tls.cert_path_ca }}/stats.{{ base_domain }}.intermediate - Include ssl_backend.conf - {% endif %} - {% if haproxy_backend_tls %} - 
SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/backend.{{ base_domain }}.pem - SSLCertificateKeyFile {{ tls.cert_private_path }}/backend.{{ base_domain }}.key - Include ssl_backend.conf - {% endif %} - OIDCClaimPrefix OIDC-CLAIM- - OIDCProviderMetadataURL {{ stats_oidc_metadata_url }} - OIDCClientID {{ stats_oidc_client_id }} - OIDCClientSecret {{ stats_oidc_client_secret }} - OIDCCryptoPassphrase {{ stats_oidc_crypto_pass }} - OIDCRedirectURI https://{{ stats_base_domain }}/redirect - - OIDCUnAuthAction pass - AuthType openid-connect - Require valid-user - - - - OIDCUnAuthAction auth - AuthType openid-connect - Require valid-user - - - - Header always set Content-Security-Policy "{{ httpd_csp.lenient }}" - Header always set X-Frame-Options "DENY" - Header always set Referrer-Policy "same-origin" - Header always set X-Content-Type-Options "nosniff" - - +ServerName https://stats.{{ base_domain }} +ServerAdmin {{ admin_email }} + +DocumentRoot /var/www/html/public + +RewriteEngine on + +RewriteCond %{REQUEST_URI} !\.(js|css)(\.map)?$ +RewriteCond %{REQUEST_URI} !\.svg$ +RewriteCond %{REQUEST_URI} !\.png$ +RewriteCond %{REQUEST_URI} !\.ico$ +RewriteCond %{REQUEST_URI} !\.woff$ +RewriteCond %{REQUEST_URI} !\.woff2$ +RewriteCond %{REQUEST_URI} !\.ttf$ +RewriteCond %{REQUEST_URI} !\.eot$ +RewriteCond %{REQUEST_URI} !^/(asset-)?manifest.json$ +RewriteCond %{REQUEST_URI} !^/api/ +RewriteCond %{REQUEST_URI} !^/health +RewriteCond %{REQUEST_URI} !^/version +RewriteCond %{REQUEST_URI} !^/info +RewriteCond %{REQUEST_URI} !^/fonts +RewriteRule (.*) /index.html [L] + +ProxyPass /health http://statsserver:80/health +ProxyPass /info http://statsserver:80/info +ProxyPass /version http://statsserver:80/version +ProxyPass /api http://statsserver:80/api + + + + + +RequestHeader set X-Forwarded-Port 443 early + +OIDCClaimPrefix OIDC-CLAIM- +OIDCProviderMetadataURL {{ stats_oidc_metadata_url }} +OIDCClientID {{ stats_oidc_client_id }} +OIDCClientSecret {{ stats_oidc_client_secret 
}} +OIDCCryptoPassphrase {{ stats_oidc_crypto_pass }} +OIDCRedirectURI https://{{ stats_base_domain }}/redirect + + OIDCUnAuthAction pass + AuthType openid-connect + Require valid-user + + + + OIDCUnAuthAction auth + AuthType openid-connect + Require valid-user + + +Header always set X-Frame-Options "DENY" +Header always set Referrer-Policy "same-origin" +Header always set X-Content-Type-Options "nosniff" From b1868f8fd7051cda240f03d9464ef84739c17797 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Tue, 26 Mar 2024 19:30:01 +0100 Subject: [PATCH 027/114] Stats: Add X-Forwarded-Proto to oidc config, so the redirect after login is going to the correct port --- roles/stats/templates/stats.conf.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/stats/templates/stats.conf.j2 b/roles/stats/templates/stats.conf.j2 index 0dae35215..f35045935 100644 --- a/roles/stats/templates/stats.conf.j2 +++ b/roles/stats/templates/stats.conf.j2 @@ -38,6 +38,8 @@ OIDCClientID {{ stats_oidc_client_id }} OIDCClientSecret {{ stats_oidc_client_secret }} OIDCCryptoPassphrase {{ stats_oidc_crypto_pass }} OIDCRedirectURI https://{{ stats_base_domain }}/redirect +OIDCXForwardedHeaders X-Forwarded-Proto + OIDCUnAuthAction pass AuthType openid-connect From 298754b0947ee4a787eedf11a2ac2bffe8e82825 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Wed, 27 Mar 2024 15:15:31 +0100 Subject: [PATCH 028/114] Rsyslog: Change rulesets for oidc-playground and dashboard, now they have migrated to docker --- roles/rsyslog/templates/sc_ruleset.conf.j2 | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/roles/rsyslog/templates/sc_ruleset.conf.j2 b/roles/rsyslog/templates/sc_ruleset.conf.j2 index 9dde13702..7fd172960 100644 --- a/roles/rsyslog/templates/sc_ruleset.conf.j2 +++ b/roles/rsyslog/templates/sc_ruleset.conf.j2 
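Review bot: The rewritten vhost drops the `Header always set Content-Security-Policy "{{ httpd_csp.lenient }}"` line the old file carried while keeping X-Frame-Options, Referrer-Policy and X-Content-Type-Options, and the `statsgui` container task sets no `HTTPD_CSP` environment the way the oidc-playground gui does, so the GUI now appears to ship with no CSP at all. Add `Header always set Content-Security-Policy "{{ httpd_csp.lenient }}"` beside the remaining Header lines, or document where the image sets it. The `<Location>`/`<VirtualHost>` container tags seem to have been stripped in extraction, so I cannot confirm which paths the two `Require valid-user` blocks protect.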
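Review bot: `OIDCXForwardedHeaders X-Forwarded-Proto` makes mod_auth_openidc derive the scheme from a header any client can also send; it is safe only while this Apache is reachable exclusively through the proxy that overwrites it (the traefik `loadbalancer` network, judging by tasks/main.yml). Record that assumption next to the directive, e.g. `# Trusted only because this vhost is reachable solely via traefik, which sets X-Forwarded-Proto`. The directive sits in a config block that starts before this hunk.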
@@ -7,8 +7,8 @@ $RuleSet {{ item.name }}
 :programname, isequal, "aa" { action(type="omfile" DynaFile="aa-{{ item.name }}") stop }
 :programname, isequal, "Apache-AA" { action(type="omfile" DynaFile="apache-aa-{{ item.name }}") stop }
 :programname, isequal, "Apache-AAlink" { action(type="omfile" DynaFile="apache-aalink-{{ item.name }}") stop }
-:programname, isequal, "Apache-dashboard" { action(type="omfile" DynaFile="apache-dashboard-{{ item.name }}") stop }
-:programname, isequal, "dashboard" { action(type="omfile" DynaFile="dashboard-{{ item.name }}") stop }
+:programname, isequal, "dashboardgui" { action(type="omfile" DynaFile="apache-dashboard-{{ item.name }}") stop }
+:programname, isequal, "dashboardserver" { action(type="omfile" DynaFile="dashboard-{{ item.name }}") stop }
 :programname, isequal, "Apache-EBAPI" { action(type="omfile" DynaFile="apache-eb-api-{{ item.name }}") stop }
 :programname, isequal, "manage" { action(type="omfile" DynaFile="manage-{{ item.name }}") stop }
 :programname, isequal, "Apache-Manage" { action(type="omfile" DynaFile="apache-manage-{{ item.name }}") stop }
@@ -29,8 +29,8 @@ $RuleSet {{ item.name }}
 :programname, isequal, "oidcng" { action(type="omfile" DynaFile="oidcng-{{ item.name }}") stop }
 :programname, isequal, "oidcngjson" { action(type="omfile" DynaFile="oidcngjson-{{ item.name }}") stop }
 :programname, isequal, "Apache-oidcng" { action(type="omfile" DynaFile="apache-oidcng-{{ item.name }}") stop }
-:programname, isequal, "oidc-playground" { action(type="omfile" DynaFile="oidc-playground-{{ item.name }}") stop }
-:programname, isequal, "Apache-Oidc-Playground" { action(type="omfile" DynaFile="apache-oidcplayground-{{item.name }}") stop }
+:programname, isequal, "oidcplaygroundserver" { action(type="omfile" DynaFile="oidc-playground-{{ item.name }}") stop }
+:programname, isequal, "oidcplaygroundgui" { action(type="omfile" DynaFile="apache-oidcplayground-{{item.name }}") stop }
 :programname, isequal, "myconext" { action(type="omfile" DynaFile="myconext-{{ item.name }}") stop }
 :programname, isequal, "myconextjson" { action(type="omfile" DynaFile="myconextjson-{{ item.name }}") stop }
 :programname, isequal, "Apache-myconext" { action(type="omfile" DynaFile="apache-myconext-{{item.name }}") stop }
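Review bot: The added `oidcplaygroundgui` rule carries over the `{{item.name }}` spacing from the line it replaces, while most other rules in this hunk write `{{ item.name }}`; Jinja renders both identically, but the mixed form makes a grep for the variable miss lines. Since the line is being rewritten anyway, `DynaFile="apache-oidcplayground-{{ item.name }}"` would bring it in line. The same spacing recurs on both added spdashboard lines in the hunk at -50,6 +50,10.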
@@ -50,6 +50,10 @@ $RuleSet {{ item.name }}
 if $programname == "{{ stepupapp }}" and $msg startswith " {{ stepupapp }}" then { action(type="omfile" DynaFile="apache-{{ stepupapp }}-{{item.name }}") stop }
 :programname, isequal, "{{ stepupapp }}" { action(type="omfile" DynaFile="stepup-{{ stepupapp }}-{{item.name }}") stop }
 {% endfor %}
+
+if $programname == "spdashboard" and $msg startswith " spdashboard" then { action(type="omfile" DynaFile="apache-spdashboard-{{item.name }}") stop }
+:programname, isequal, "spdashboard" { action(type="omfile" DynaFile="spdashboard-{{item.name }}") stop }
+
 :programname, isequal, "stepup-authentication" { action(type="omfile" DynaFile="stepup-authentication-{{ item.name }}") stop }
 {% endif %}
 :programname, isequal, "audispd" { action(type="omfile" DynaFile="auditd-{{ item.name }}") stop }
From a0d415f94c7896f1048e19c972f996cce6af62cf Mon Sep 17 00:00:00 2001
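Review bot: The two new `spdashboard` rules sit between `{% endfor %}` and the `stepup-authentication` rule, i.e. inside a Jinja `{% if %}` block whose opening condition is outside the hunk and which closes at the `{% endif %}` two lines below. If that condition selects stepup rulesets, as the `stepupapp` loop and the `stepup-authentication` rule suggest, spdashboard messages in any ruleset where it is false never match these rules and fall through to whatever catch-all follows, which is a quiet loss of log routing for a freshly migrated service. If spdashboard logs are expected on all hosts, moving the two lines below `{% endif %}` next to the `audispd` rule would be the fix; if they are intentionally stepup-only, a one-line comment such as `# spdashboard runs on the stepup hosts only` would stop the next reader from asking. The `$RuleSet` opening of this block is outside the hunk as well.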
From: Bart Geesink Date: Wed, 27 Mar 2024 15:23:36 +0100 Subject: [PATCH 029/114] Remove dashboard and oidc-playground java roles. They are now docker based --- roles/dashboard-gui/defaults/main.yml | 4 - roles/dashboard-gui/meta/main.yml | 1 - roles/dashboard-gui/tasks/main.yml | 6 -- .../dashboard-gui/templates/dashboard.conf.j2 | 98 ----------------- roles/dashboard-gui/vars/main.yml | 4 - roles/dashboard-server/defaults/main.yml | 16 --- roles/dashboard-server/handlers/main.yml | 6 -- roles/dashboard-server/meta/main.yml | 1 - roles/dashboard-server/tasks/main.yml | 21 ---- .../templates/application.properties.j2 | 101 ------------------ .../dashboard-server/templates/logback.xml.j2 | 42 -------- roles/dashboard-server/vars/main.yml | 19 ---- .../oidc-playground-client/defaults/main.yml | 3 - roles/oidc-playground-client/meta/main.yml | 1 - roles/oidc-playground-client/tasks/main.yml | 7 -- .../templates/oidc-playground.conf.j2 | 66 ------------ roles/oidc-playground-client/vars/main.yml | 4 - .../oidc-playground-server/defaults/main.yml | 18 ---- .../oidc-playground-server/handlers/main.yml | 6 -- roles/oidc-playground-server/meta/main.yml | 1 - roles/oidc-playground-server/tasks/main.yml | 26 ----- .../templates/application.yml.j2 | 37 ------- .../templates/logback.xml.j2 | 42 -------- roles/oidc-playground-server/vars/main.yml | 23 ---- roles/springboot/defaults/main.yml | 41 ------- 25 files changed, 594 deletions(-) delete mode 100644 roles/dashboard-gui/defaults/main.yml delete mode 100644 roles/dashboard-gui/meta/main.yml delete mode 100644 roles/dashboard-gui/tasks/main.yml delete mode 100644 roles/dashboard-gui/templates/dashboard.conf.j2 delete mode 100644 roles/dashboard-gui/vars/main.yml delete mode 100644 roles/dashboard-server/defaults/main.yml delete mode 100644 roles/dashboard-server/handlers/main.yml delete mode 100644 roles/dashboard-server/meta/main.yml delete mode 100644 roles/dashboard-server/tasks/main.yml delete mode 100644 
roles/dashboard-server/templates/application.properties.j2 delete mode 100644 roles/dashboard-server/templates/logback.xml.j2 delete mode 100644 roles/dashboard-server/vars/main.yml delete mode 100644 roles/oidc-playground-client/defaults/main.yml delete mode 100644 roles/oidc-playground-client/meta/main.yml delete mode 100644 roles/oidc-playground-client/tasks/main.yml delete mode 100644 roles/oidc-playground-client/templates/oidc-playground.conf.j2 delete mode 100644 roles/oidc-playground-client/vars/main.yml delete mode 100644 roles/oidc-playground-server/defaults/main.yml delete mode 100644 roles/oidc-playground-server/handlers/main.yml delete mode 100644 roles/oidc-playground-server/meta/main.yml delete mode 100644 roles/oidc-playground-server/tasks/main.yml delete mode 100644 roles/oidc-playground-server/templates/application.yml.j2 delete mode 100644 roles/oidc-playground-server/templates/logback.xml.j2 delete mode 100644 roles/oidc-playground-server/vars/main.yml diff --git a/roles/dashboard-gui/defaults/main.yml b/roles/dashboard-gui/defaults/main.yml deleted file mode 100644 index 5563eca02..000000000 --- a/roles/dashboard-gui/defaults/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -dashboard_gui_version: '' -dashboard_gui_snapshot_timestamp: '' -dashboard_install: true diff --git a/roles/dashboard-gui/meta/main.yml b/roles/dashboard-gui/meta/main.yml deleted file mode 100644 index ed97d539c..000000000 --- a/roles/dashboard-gui/meta/main.yml +++ /dev/null @@ -1 +0,0 @@ ---- diff --git a/roles/dashboard-gui/tasks/main.yml b/roles/dashboard-gui/tasks/main.yml deleted file mode 100644 index 5ed293081..000000000 --- a/roles/dashboard-gui/tasks/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: copy virtual host config - template: - src: dashboard.conf.j2 - dest: /etc/httpd/conf.d/dashboard.conf - notify: restart httpd 
diff --git a/roles/dashboard-gui/templates/dashboard.conf.j2 b/roles/dashboard-gui/templates/dashboard.conf.j2 deleted file mode 100644 index 26367d08e..000000000 --- a/roles/dashboard-gui/templates/dashboard.conf.j2 +++ /dev/null 
@@ -1,98 +0,0 @@ -{% if apache_app_listen_address.dashboard is defined %} -Listen {{ apache_app_listen_address.dashboard }}:{{ loadbalancing.dashboard.port }} - -{% else %} - -{% endif %} - # General setup for the virtual host, inherited from global configuration - ServerName https://dashboard.{{ base_domain }} - - ErrorLog "|/usr/bin/logger -S 32k -p local3.err -t 'Apache-dashboard'" - CustomLog "|/usr/bin/logger -S 32k -p local3.info -t 'Apache-dashboard'" combined - - RewriteEngine on - - RewriteCond %{REQUEST_URI} !\.html$ - RewriteCond %{REQUEST_URI} !\.(js|css)(\.map)?$ - RewriteCond %{REQUEST_URI} !\.svg$ - RewriteCond %{REQUEST_URI} !\.png$ - RewriteCond %{REQUEST_URI} !\.ico$ - RewriteCond %{REQUEST_URI} !\.woff$ - RewriteCond %{REQUEST_URI} !\.woff2$ - RewriteCond %{REQUEST_URI} !\.ttf$ - RewriteCond %{REQUEST_URI} !\.eot$ - RewriteCond %{REQUEST_URI} !^/(asset-)?manifest.json$ - RewriteCond %{REQUEST_URI} !^/dashboard - RewriteCond %{REQUEST_URI} !^/spDashboard - RewriteCond %{REQUEST_URI} !^/health - RewriteCond %{REQUEST_URI} !^/info - RewriteCond %{REQUEST_URI} !^/internal - RewriteCond %{REQUEST_URI} !^/login - RewriteCond %{REQUEST_URI} !^/startSSO - RewriteCond %{REQUEST_URI} !^/fonts - RewriteRule (.*) /index.html [L] - - ProxyPreserveHost On - ProxyPass /Shibboleth.sso ! 
- ProxyPass /dashboard/api http://localhost:{{ springapp_tcpport }}/dashboard/api retry=0 - ProxyPassReverse /dashboard/api http://localhost:{{ springapp_tcpport }}/dashboard/api - - ProxyPass /health http://localhost:{{ springapp_tcpport }}/internal/health retry=0 - ProxyPass /info http://localhost:{{ springapp_tcpport }}/internal/info retry=0 - ProxyPass /login http://localhost:{{ springapp_tcpport }}/login retry=0 - ProxyPass /startSSO http://localhost:{{ springapp_tcpport }}/startSSO retry=0 - - ProxyPass /spDashboard/api http://localhost:{{ springapp_tcpport }}/spDashboard/api retry=0 - ProxyPassReverse /spDashboard/api http://localhost:{{ springapp_tcpport }}/spDashboard/api - - ProxyPass /internal http://localhost:{{ springapp_tcpport }}/internal retry=0 - ProxyPassReverse /internal http://localhost:{{ springapp_tcpport }}/internal - - - AuthType shibboleth - ShibUseHeaders On - ShibRequestSetting applicationId dashboard - ShibRequireSession On - ShibRequestSetting REMOTE_ADDR X-Forwarded-For - Require valid-user - - - DocumentRoot "{{ _springapp_dir }}/current" - - - Require all granted - - - - Require all granted - - - - Require all granted - - - - Require all granted - - - Header always set Content-Security-Policy "{{ httpd_csp.lenient_with_static_img }}" - Header always set X-Frame-Options "DENY" - Header always set Referrer-Policy "strict-origin-when-cross-origin" - Header always set X-Content-Type-Options "nosniff" - - {% if haproxy_backend_tls %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/backend.{{ base_domain }}.pem - SSLCertificateKeyFile {{ tls.cert_private_path }}/backend.{{ base_domain }}.key - Include ssl_backend.conf - {% endif %} - - {% if apache_app_listen_address.all is defined %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/{{ tls_star_cert }} - SSLCertificateKeyFile {{ tls.cert_private_path }}/{{ tls_star_cert_key }} - SSLCertificateChainFile {{ tls.cert_path_ca }}/{{ tls_ca }} - Include ssl_backend.conf - {% endif 
%} - - diff --git a/roles/dashboard-gui/vars/main.yml b/roles/dashboard-gui/vars/main.yml deleted file mode 100644 index e83f22ee1..000000000 --- a/roles/dashboard-gui/vars/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -springapp_tcpport: 9394 -springapp_artifact_id: dashboard-gui -springapp_version: "{{ dashboard_gui_version }}" diff --git a/roles/dashboard-server/defaults/main.yml b/roles/dashboard-server/defaults/main.yml deleted file mode 100644 index 25bbe0616..000000000 --- a/roles/dashboard-server/defaults/main.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- -dashboard_dir: /opt/dashboard -dashboard_snapshot_timestamp: '' -dashboard_jar: dashboard-current.jar -dashboard_random_source: 'file:///dev/urandom' -dashboard_hide_tabs: none -dashboard_organization: SURFconext -dashboard_install: true -dashboard_manage_provision_samlsp_client_id: "https://dashboard.{{ base_domain }}/shibboleth" -dashboard_manage_provision_samlsp_name_en: "{{ instance_name }} IdP Dashboard" -dashboard_manage_provision_samlsp_description_en: "{{ instance_name }} IdP Dashboard" -dashboard_manage_provision_samlsp_acs_location: "https://dashboard.{{ base_domain }}/Shibboleth.sso/SAML2/POST" -dashboard_manage_provision_samlsp_metadata_url: "https://dashboard.{{ base_domain }}/Shibboleth.sso/Metadata" -dashboard_manage_provision_samlsp_sp_cert: "" -dashboard_manage_provision_samlsp_trusted_proxy: false -dashboard_manage_provision_samlsp_sign: false diff --git a/roles/dashboard-server/handlers/main.yml b/roles/dashboard-server/handlers/main.yml deleted file mode 100644 index 47a812b31..000000000 --- a/roles/dashboard-server/handlers/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: restart dashboard - systemd: - name: dashboard - daemon_reload: yes - state: restarted diff --git a/roles/dashboard-server/meta/main.yml b/roles/dashboard-server/meta/main.yml deleted file mode 100644 index ed97d539c..000000000 --- a/roles/dashboard-server/meta/main.yml +++ /dev/null @@ -1 +0,0 @@ ---- 
diff --git a/roles/dashboard-server/tasks/main.yml b/roles/dashboard-server/tasks/main.yml deleted file mode 100644 index 0eb42f2d3..000000000 --- a/roles/dashboard-server/tasks/main.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- - -- name: copy application config - template: - src: "{{ item }}.j2" - dest: "{{ dashboard_dir }}/{{ item }}" - owner: dashboard - group: dashboard - mode: 0740 - with_items: - - logback.xml - - application.properties - notify: - - "restart dashboard" - -- name: Include the role manage_provision_entities to provision the Dashboard sp to Manage - include_role: - name: manage_provision_entities - vars: - entity_type: saml20_sp - diff --git a/roles/dashboard-server/templates/application.properties.j2 b/roles/dashboard-server/templates/application.properties.j2 deleted file mode 100644 index 5f1861ff3..000000000 --- a/roles/dashboard-server/templates/application.properties.j2 +++ /dev/null 
@@ -1,101 +0,0 @@ -logging.config=file://{{ dashboard_dir }}/logback.xml -server.port={{ springapp_tcpport }} - -supported_language_codes={{ supported_language_codes }} -# Currently supported organizations: SURFconext, OpenConext and RCTSaai -organization={{ dashboard_organization }} - -# 8 hours -server.servlet.session.timeout=28800 - -# An empty value will be replaced with the default -server.server-header=no -server.servlet.session.cookie.secure=true - -# Team id that is used as definition of who is a 'dashboard_admin'. -dashboard.admin={{ dashboard.admin_team }} -# Team id that is used as definition of who is a 'dashboard.viewer'. -dashboard.viewer={{ dashboard.view_team }} -# Team id's comma separated that are used as definition of who is a 'dashboard_super_user'. -dashboard.super.user={{ dashboard.super_team }} - -dashboard.environment={{ env }} - -# SP Dashboard connection details -spDashboard.username={{ dashboard.sp_dashboard_user }} -spDashboard.password={{ dashboard_sp_dashboard_password }} - -# SAB connection details -sab.endpoint={{ dashboard.sab_endpoint }} -sab.username=cdk -sab.password={{ dashboard_sab_password }} - -sab-rest.endpoint={{ dashboard.sab_rest_endpoint }} -sab-rest.username=cdk -sab-rest.password={{ dashboard_sab_rest_password }} - -# SAB roles -admin.surfconext.idp.sabRole=SURFconextverantwoordelijke -viewer.surfconext.idp.sabRole=SURFconextbeheerder - -management.health.mail.enabled=true -management.endpoints.web.exposure.include=health,info -management.endpoints.web.base-path=/internal -management.endpoint.info.enabled=true -management.info.git.mode=full - -server.tomcat.basedir={{ dashboard_dir }}/tomcat_work - -# SMTP server settings for notifications -spring.mail.host=localhost -spring.mail.port=25 - -coin-administrative-email={{ dashboard.administrative_mail }} -administration.email.enabled={{ dashboard.administration_email_enabled }} -mailBaseUrl=https://dashboard.{{ base_domain }} -systemEmail=SURFconext - -jiraBaseUrl={{ 
dashboard.jira_base_url }} -jiraUsername={{ dashboard.jira_username }} -jiraPassword={{ dashboard_jira_password }} -jiraProjectKey={{ dashboard.jira_project_key }} -jiraDueDateWeeks=1 -jiraEnvironment={{ dashboard.jira_environment }} -jiraApikey={{ dashboard_jira_apikey }} -jiraUseApiKey={{ dashboard.jira_use_api_key }} - -manage.username={{ dashboard.manage_username }} -manage.password={{ manage_dashboard_secret }} -manage.manageBaseUrl={{ dashboard.manage_base_url }} - -statsUser={{ dashboard.stats_user }} -statsPassword={{ stats_dashboard_api_password }} -statsBaseUrl={{ dashboard.stats_url }} - -pdp.server={{ dashboard.pdp_server }} -pdp.username={{ dashboard.pdp_username }} -pdp.password={{ pdp_password }} - -dashboard.feature.shibboleth=true -dashboard.feature.sab={{ dashboard.feature_sab }} -dashboard.feature.manage=true -dashboard.feature.jira={{ dashboard.feature_jira }} -dashboard.feature.consent={{ dashboard.feature_consent }} -# Valid choices are 'MOCK', 'PDP' or 'MANAGE', 'MOCK' is for local development -dashboard.feature.pdpSource=MANAGE -dashboard.feature.statistics=true -dashboard.feature.mail={{ dashboard.feature_mail }} -dashboard.feature.oidc={{ dashboard.feature_oidc }} -dashboard.feature.stepup={{ dashboard.feature_stepup }} -dashboard.feature.jiraDown={{ dashboard.feature_jiradown }} - -# Comma separated string of the entity-id of all guest Idp's -guestidp.entityids={{ dashboard.guestidp_entityids }} - -# tabs that can be hidden are: statistics,apps,policies,tickets,my_idp and user_invite -dashboard.hide_tabs={{ dashboard_hide_tabs }} - -default_loa_level={{ stepup_intrinsic_loa }} -loa_values_supported={{ stepup_loa_values_supported | join(",") }} - -authn_context_levels={{ mfa_values_supported | join(",") }} diff --git a/roles/dashboard-server/templates/logback.xml.j2 b/roles/dashboard-server/templates/logback.xml.j2 deleted file mode 100644 index 78f95081e..000000000 --- a/roles/dashboard-server/templates/logback.xml.j2 +++ /dev/null 
@@ -1,42 +0,0 @@ -#jinja2:lstrip_blocks: True - - - - - /var/log/dashboard/dashboard.log - - - /var/log/dashboard/dashboard-%d{yyyy-MM-dd}.log.gz - {{ logback_max_history }} - - - %d{ISO8601} %5p [%t] %logger{40}:%L - %m%n - - - - - {{ rsyslog_host }} - DAEMON - dashboard: [%thread] %logger %msg - - - - {{ smtp_server }} - {{ noreply_email }} - {{ error_mail_to }} - {{ error_subject_prefix }}Unexpected error dashboard - - - - ERROR - - - - - - - - - - - diff --git a/roles/dashboard-server/vars/main.yml b/roles/dashboard-server/vars/main.yml deleted file mode 100644 index 7c803c0cc..000000000 --- a/roles/dashboard-server/vars/main.yml +++ /dev/null @@ -1,19 +0,0 @@ -springapp_artifact_id: dashboard-server -springapp_artifact_type: jar -springapp_artifact_group_dir: org.openconext -springapp_version: "{{ dashboard_server_version }}" -springapp_dir: "{{ dashboard_dir }}" -springapp_user: dashboard -springapp_service_name: dashboard -springapp_jar: "{{ dashboard_jar }}" -springapp_tcpport: 9394 -springapp_random_source: "file:///dev/urandom" -manage_provision_samlsp_client_id: "{{ dashboard_manage_provision_samlsp_client_id }}" -manage_provision_samlsp_name_en: "{{ dashboard_manage_provision_samlsp_name_en }}" -manage_provision_samlsp_description_en: "{{ dashboard_manage_provision_samlsp_description_en }}" -manage_provision_samlsp_acs_location: "{{ dashboard_manage_provision_samlsp_acs_location }}" -manage_provision_samlsp_metadata_url: "{{ dashboard_manage_provision_samlsp_metadata_url }}" -manage_provision_samlsp_sp_cert: "{{ dashboard_manage_provision_samlsp_sp_cert }}" -manage_provision_samlsp_trusted_proxy: "{{ dashboard_manage_provision_samlsp_trusted_proxy }}" -manage_provision_samlsp_sign: "{{ dashboard_manage_provision_samlsp_sign }}" - diff --git a/roles/oidc-playground-client/defaults/main.yml b/roles/oidc-playground-client/defaults/main.yml deleted file mode 100644 index ec4dff4a4..000000000 --- a/roles/oidc-playground-client/defaults/main.yml +++ /dev/null 
@@ -1,3 +0,0 @@ ---- -oidc_playground_client_version: '' -oidc_playground_client_snapshot_timestamp: '' diff --git a/roles/oidc-playground-client/meta/main.yml b/roles/oidc-playground-client/meta/main.yml deleted file mode 100644 index 73b314ff7..000000000 --- a/roles/oidc-playground-client/meta/main.yml +++ /dev/null @@ -1 +0,0 @@ ---- \ No newline at end of file diff --git a/roles/oidc-playground-client/tasks/main.yml b/roles/oidc-playground-client/tasks/main.yml deleted file mode 100644 index 4df2f809c..000000000 --- a/roles/oidc-playground-client/tasks/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: copy virtual host config - template: - src: "oidc-playground.conf.j2" - dest: "/etc/httpd/conf.d/oidc-playground.conf" - notify: - - "restart httpd" diff --git a/roles/oidc-playground-client/templates/oidc-playground.conf.j2 b/roles/oidc-playground-client/templates/oidc-playground.conf.j2 deleted file mode 100644 index 3e00df74f..000000000 --- a/roles/oidc-playground-client/templates/oidc-playground.conf.j2 +++ /dev/null 
@@ -1,66 +0,0 @@ -{% if apache_app_listen_address.oidc_playground is defined %} -Listen {{ apache_app_listen_address.oidc_playground }}:{{ loadbalancing.oidc_playground.port }} - -{% else %} - -{% endif %} - # General setup for the virtual host, inherited from global configuration - ServerName https://oidc-playground.{{ base_domain }} - - ErrorLog "|/usr/bin/logger -S 32k -p local3.err -t 'Apache-Oidc-Playground'" - CustomLog "|/usr/bin/logger -S 32k -p local3.info -t 'Apache-Oidc-Playground'" combined - - RewriteEngine on - - RewriteCond %{REQUEST_URI} !\.html$ - RewriteCond %{REQUEST_URI} !\.(js|css)(\.map)?$ - RewriteCond %{REQUEST_URI} !\.svg$ - RewriteCond %{REQUEST_URI} !\.png$ - RewriteCond %{REQUEST_URI} !\.ico$ - RewriteCond %{REQUEST_URI} !\.woff$ - RewriteCond %{REQUEST_URI} !\.woff2$ - RewriteCond %{REQUEST_URI} !\.ttf$ - RewriteCond %{REQUEST_URI} !\.eot$ - RewriteCond %{REQUEST_URI} !^/(asset-)?manifest.json$ - RewriteCond %{REQUEST_URI} !^/oidc - RewriteCond %{REQUEST_URI} !^/internal - RewriteCond %{REQUEST_URI} !^/fonts - RewriteRule (.*) /index.html [L] - - ProxyPass /oidc/api/actuator/health http://localhost:{{ springapp_tcpport }}/internal/health retry=0 - ProxyPass /oidc/api/actuator/info http://localhost:{{ springapp_tcpport }}/internal/info retry=0 - - ProxyPass /oidc/api/ http://localhost:{{ springapp_tcpport }}/ retry=0 - ProxyPassReverse /oidc/api/ http://localhost:{{ springapp_tcpport }}/ - - ProxyPass /internal http://localhost:{{ springapp_tcpport }}/internal retry=0 - ProxyPassReverse /internal http://localhost:{{ springapp_tcpport }}/internal - - DocumentRoot "{{ _springapp_dir }}/current" - - - satisfy any - Options -Indexes - - - Header always set Content-Security-Policy "{{ httpd_csp.lenient }}" - Header always set X-Frame-Options "DENY" - Header always set Referrer-Policy "unsafe-url" - Header always set X-Content-Type-Options "nosniff" - - {% if haproxy_backend_tls %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path 
}}/backend.{{ base_domain }}.pem - SSLCertificateKeyFile {{ tls.cert_private_path }}/backend.{{ base_domain }}.key - Include ssl_backend.conf - {% endif %} - - {% if apache_app_listen_address.all is defined %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/{{ tls_star_cert }} - SSLCertificateKeyFile {{ tls.cert_private_path }}/{{ tls_star_cert_key }} - SSLCertificateChainFile {{ tls.cert_path_ca }}/{{ tls_ca }} - Include ssl_backend.conf - {% endif %} - - diff --git a/roles/oidc-playground-client/vars/main.yml b/roles/oidc-playground-client/vars/main.yml deleted file mode 100644 index 36ab2e806..000000000 --- a/roles/oidc-playground-client/vars/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -springapp_tcpport: 9399 -springapp_artifact_id: oidc-playground-client -springapp_version: "{{ oidc_playground_client_version }}" diff --git a/roles/oidc-playground-server/defaults/main.yml b/roles/oidc-playground-server/defaults/main.yml deleted file mode 100644 index 58ba553f1..000000000 --- a/roles/oidc-playground-server/defaults/main.yml +++ /dev/null 
@@ -1,18 +0,0 @@ ---- -oidc_playground_dir: /opt/oidc-playground -oidc_playground_jar: oidc-playground-current.jar -oidc_playground_random_source: 'file:///dev/urandom' -oidcpg_manage_provision_oidcrp_client_id: "{{ oidc_playground.client_id }}" -oidcpg_manage_provision_oidcrp_name_en: "{{ instance_name }} OIDC Playground" -oidcpg_manage_provision_oidcrp_description_en: "OIDC Playground application to test and make the OIDC flows visible" -oidcpg_manage_provision_oidcrp_secret: "{{ oidc_playground.secret }}" -oidcpg_manage_provision_oidcrp_redirecturls: "https://oidc-playground.{{ base_domain }}/redirect" -oidcpg_manage_provision_oidcrp_grants: 'authorization_code", "implicit", "refresh_token", "client_credentials' -oidcpg_manage_provision_oidcrp_allowed_resource_servers: '{"name": "{{ oidc_playground.resource_server_id }}"}' -oidcpg_manage_provision_oidcrp_is_public_client: True - -oidcpg_manage_provision_oauth_rs_name_en: "{{ instance_name }} Playground client Resource Server" -oidcpg_manage_provision_oauth_rs_description_en: "{{ instance_name }} Playground client Resource Server" -oidcpg_manage_provision_oauth_rs_client_id: "{{ oidc_playground.resource_server_id }}" -oidcpg_manage_provision_oauth_rs_rp_secret: "{{ oidc_playground.resource_server_secret }}" -oidcpg_manage_provision_oauth_rs_scopes: "openid,groups" diff --git a/roles/oidc-playground-server/handlers/main.yml b/roles/oidc-playground-server/handlers/main.yml deleted file mode 100644 index 5a6b846cb..000000000 --- a/roles/oidc-playground-server/handlers/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: restart oidc-playground - systemd: - name: oidc-playground - state: restarted - daemon_reload: yes diff --git a/roles/oidc-playground-server/meta/main.yml b/roles/oidc-playground-server/meta/main.yml deleted file mode 100644 index ed97d539c..000000000 --- a/roles/oidc-playground-server/meta/main.yml +++ /dev/null @@ -1 +0,0 @@ ---- 
diff --git a/roles/oidc-playground-server/tasks/main.yml b/roles/oidc-playground-server/tasks/main.yml deleted file mode 100644 index 6c6ebf326..000000000 --- a/roles/oidc-playground-server/tasks/main.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- - -- name: copy config - template: - src: "{{ item }}.j2" - dest: "{{ oidc_playground_dir }}/{{ item }}" - owner: oidc-playground - group: oidc-playground - mode: 0740 - with_items: - - logback.xml - - application.yml - notify: - - "restart oidc-playground" - -- name: Include the role manage_provision_entities to provision oidc-playground resource server to Manage - include_role: - name: manage_provision_entities - vars: - entity_type: oauth20_rs - -- name: Include the role manage_provision_entities to provision oidc-playground client to Manage - include_role: - name: manage_provision_entities - vars: - entity_type: oidc10_rp diff --git a/roles/oidc-playground-server/templates/application.yml.j2 b/roles/oidc-playground-server/templates/application.yml.j2 deleted file mode 100644 index 1a34d8db6..000000000 --- a/roles/oidc-playground-server/templates/application.yml.j2 +++ /dev/null 
@@ -1,37 +0,0 @@ -logging: - config: file://{{ oidc_playground_dir }}/logback.xml - level: - org.springframework.data.mongodb: INFO - -server: - # The port to where this Spring Boot application listens to. - port: {{ springapp_tcpport }} - server-header: - servlet: - # We serve from the root. Do not change this - context-path: - max-http-header-size: 10000000 - tomcat: - max-http-post-size: 10000000 - -oidc: - discovery_endpoint: "{{ oidc_playground.discovery_endpoint }}" - client_id: "{{ oidc_playground.client_id }}" - secret: "{{ oidc_playground.secret }}" - jwt_secret: "{{ oidc_playground.jwt_secret }}" - resource_server_id: "{{ oidc_playground.resource_server_id }}" - resource_server_secret: "{{ oidc_playground.resource_server_secret }}" - redirect_uri: "https://oidc-playground.{{ base_domain }}/redirect" - redirect_uri_form_post: "https://oidc-playground.{{ base_domain }}/oidc/api/redirect" - client_redirect_uri: "https://oidc-playground.{{ base_domain }}/redirect" - -gui: - disclaimer: - background-color: "{{ environment_ribbon_colour }}" - content: "{{ environment_shortname }}" - -acr: - values: - {% for loa in [stepup_intrinsic_loa] + stepup_loa_values_supported + oidcng.acr_values_supported %} - - "{{ loa }}" - {% endfor %} diff --git a/roles/oidc-playground-server/templates/logback.xml.j2 b/roles/oidc-playground-server/templates/logback.xml.j2 deleted file mode 100644 index 150ea0c16..000000000 --- a/roles/oidc-playground-server/templates/logback.xml.j2 +++ /dev/null @@ -1,42 +0,0 @@ -#jinja2:lstrip_blocks: True - - - - - /var/log/oidc-playground/oidc-playground.log - - - /var/log/oidc-playground/oidc-playground-%d{yyyy-MM-dd}.log.gz - {{ logback_max_history }} - - - %d{ISO8601} %5p [%t] %logger{40}:%L - %m%n - - - - - {{ rsyslog_host }} - DAEMON - oidc-playground: [%thread] %logger %msg - - - - {{ smtp_server }} - {{ noreply_email }} - {{ error_mail_to }} - {{ error_subject_prefix }}Unexpected error oidc-playground - - - - ERROR - - - - - - - - - - - 
diff --git a/roles/oidc-playground-server/vars/main.yml b/roles/oidc-playground-server/vars/main.yml deleted file mode 100644 index 5f99e0e44..000000000 --- a/roles/oidc-playground-server/vars/main.yml +++ /dev/null @@ -1,23 +0,0 @@ -springapp_artifact_id: oidc-playground-server -springapp_artifact_type: jar -springapp_artifact_group_dir: org.openconext -springapp_version: "{{ oidc_playground_server_version }}" -springapp_dir: "{{ oidc_playground_dir }}" -springapp_user: oidc-playground -springapp_service_name: oidc-playground -springapp_jar: "{{ oidc_playground_jar }}" -springapp_tcpport: 9399 -springapp_random_source: "file:///dev/urandom" -manage_provision_oidcrp_client_id: "{{ oidcpg_manage_provision_oidcrp_client_id }}" -manage_provision_oidcrp_name_en: "{{ oidcpg_manage_provision_oidcrp_name_en }}" -manage_provision_oidcrp_description_en: "{{ oidcpg_manage_provision_oidcrp_description_en }}" -manage_provision_oidcrp_secret: "{{ oidcpg_manage_provision_oidcrp_secret }}" -manage_provision_oidcrp_redirecturls: "{{ oidcpg_manage_provision_oidcrp_redirecturls }}" -manage_provision_oidcrp_grants: "{{ oidcpg_manage_provision_oidcrp_grants }}" -manage_provision_oidcrp_allowed_resource_servers: "{{ oidcpg_manage_provision_oidcrp_allowed_resource_servers }}" -manage_provision_oidcrp_is_public_client: "{{ oidcpg_manage_provision_oidcrp_is_public_client }}" -manage_provision_oauth_rs_name_en: "{{ oidcpg_manage_provision_oauth_rs_name_en }}" -manage_provision_oauth_rs_description_en: "{{ oidcpg_manage_provision_oauth_rs_description_en }}" -manage_provision_oauth_rs_client_id: "{{ oidcpg_manage_provision_oauth_rs_client_id }}" -manage_provision_oauth_rs_secret: "{{ oidcpg_manage_provision_oauth_rs_rp_secret }}" -manage_provision_oauth_rs_scopes: "{{ oidcpg_manage_provision_oauth_rs_scopes }}" diff --git a/roles/springboot/defaults/main.yml b/roles/springboot/defaults/main.yml index e8e5173a6..96b265c67 100644 --- a/roles/springboot/defaults/main.yml 
+++ b/roles/springboot/defaults/main.yml @@ -5,14 +5,11 @@ springboot_services_state: teams: true pdp: true attribute_aggregation: true - oidc_playground: true myconext: true account: true oidcng: true voot: true mujina_sp: true - mujina_idp: true - dashboard: true springboot_core_services: - manage @@ -37,12 +34,6 @@ springboot_gui_services: alias: attribute-aggregation-gui enabled: "{{ springboot_services_state.attribute_aggregation }}" version: "{{ attribute_aggregation_gui_version }}" - - name: oidc-playground - alias: oidc-playground-gui - enabled: "{{ springboot_services_state.oidc_playground }}" - version: "{{ oidc_playground_client_version }}" - role: oidc-playground-client - artifactid: oidc-playground-client - name: myconext alias: myconext-gui enabled: "{{ springboot_services_state.myconext }}" @@ -52,10 +43,6 @@ springboot_gui_services: group: myconext enabled: "{{ springboot_services_state.account }}" version: "{{ account_gui_version }}" - - name: dashboard - alias: dashboard-gui - enabled: "{{ springboot_services_state.dashboard }}" - version: "{{ dashboard_gui_version }}" springboot_server_services: - name: manage @@ -114,15 +101,6 @@ springboot_server_services: port: 9198 min_heapsize: "{{ attribute_aggregation_min_heapsize | default('256m') }}" max_heapsize: "{{ attribute_aggregation_max_heapsize | default('256m') }}" - - name: oidc-playground - enabled: "{{ springboot_services_state.oidc_playground }}" - version: "{{ oidc_playground_server_version }}" - type: server - port: 9399 - min_heapsize: "{{ oidc_playground_min_heapsize | default('256m') }}" - max_heapsize: "{{ oidc_playground_max_heapsize | default('256m') }}" - config: - "{{ oidc_playground }}" - name: myconext alias: myconext enabled: "{{ springboot_services_state.myconext }}" 
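Review bot: The hunk at -5,14 +5,11 also drops `mujina_idp: true`, and the hunk at -145,25 +123,6 removes the whole `mujina-idp` server entry, while the commit title and the diffstat only speak of dashboard and oidc-playground; the `mujina-idp` role is not deleted in this patch, so it becomes an orphan that still carries templates and config nothing deploys. Either split the mujina-idp removal into its own commit with a message saying whether the service moved to docker or was decommissioned, or at least name it in this one. If anything else still reads `springboot_services_state.mujina_idp`, that key is now undefined and the template will fail at render time, so a grep for it before merging is worthwhile.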
@@ -145,25 +123,6 @@ springboot_server_services: max_heapsize: "{{ mujina_sp_max_heapsize | default('128m') }}" config: "{{ mujina_sp }}" - - name: mujina-idp - alias: mujina - enabled: "{{ springboot_services_state.mujina_idp }}" - version: "{{ mujina_version }}" - role: mujina-idp - artifactid: mujina-idp - type: server - port: 9390 - min_heapsize: "{{ mujina_idp_min_heapsize | default('128m') }}" - max_heapsize: "{{ mujina_idp_max_heapsize | default('128m') }}" - config: - "{{ mujina_idp }}" - - name: dashboard - enabled: "{{ springboot_services_state.dashboard }}" - version: "{{ dashboard_server_version }}" - type: server - port: 9394 - min_heapsize: "{{ dashboard_min_heapsize | default('512m') }}" - max_heapsize: "{{ dashboard_max_heapsize | default('512m') }}" springboot_min_heapsize: "512m" springboot_max_heapsize: "512m" From af5e0e9e3f43d19a0adf3b458159921b6dc78687 Mon Sep 17 00:00:00 2001 From: Thijs Kinkhorst Date: Wed, 3 Apr 2024 16:54:11 +0200 Subject: [PATCH 030/114] Prepare for new attribute surf-autorisaties --- .../metadata_configuration/oidc10_rp.schema.json.j2 | 4 ++++ .../metadata_configuration/saml20_sp.schema.json.j2 | 4 ++++ .../single_tenant_template.schema.json.j2 | 4 ++++ roles/oidcng/files/oidc_saml_mapping.json | 5 +++++ roles/oidcng/templates/openid-configuration.json.j2 | 1 + roles/shibboleth/templates/shibboleth/attribute-map.xml.j2 | 1 + 6 files changed, 19 insertions(+) diff --git a/roles/manage-server/templates/metadata_configuration/oidc10_rp.schema.json.j2 b/roles/manage-server/templates/metadata_configuration/oidc10_rp.schema.json.j2 index c2a6a9589..4dc3e694b 100644 --- a/roles/manage-server/templates/metadata_configuration/oidc10_rp.schema.json.j2 +++ b/roles/manage-server/templates/metadata_configuration/oidc10_rp.schema.json.j2 
@@ -215,6 +215,10 @@ "$ref": "#/definitions/ArpAttribute", "alias": "urn:oid:1.3.6.1.4.1.1076.20.100.10.50.2" }, + "urn:mace:surf.nl:attribute-def:surf-autorisaties": { + "$ref": "#/definitions/ArpAttribute", + "alias": "urn:oid:1.3.6.1.4.1.1076.20.100.10.50.10" + }, "urn:mace:dir:attribute-def:isMemberOf": { "$ref": "#/definitions/ArpAttribute", "alias": "urn:oid:1.3.6.1.4.1.5923.1.5.1.1", diff --git a/roles/manage-server/templates/metadata_configuration/saml20_sp.schema.json.j2 b/roles/manage-server/templates/metadata_configuration/saml20_sp.schema.json.j2 index 523a27416..8c54765fa 100644 --- a/roles/manage-server/templates/metadata_configuration/saml20_sp.schema.json.j2 +++ b/roles/manage-server/templates/metadata_configuration/saml20_sp.schema.json.j2 @@ -259,6 +259,10 @@ "$ref": "#/definitions/ArpAttribute", "alias": "urn:oid:1.3.6.1.4.1.1076.20.100.10.50.2" }, + "urn:mace:surf.nl:attribute-def:surf-autorisaties": { + "$ref": "#/definitions/ArpAttribute", + "alias": "urn:oid:1.3.6.1.4.1.1076.20.100.10.50.10" + }, "urn:mace:dir:attribute-def:isMemberOf": { "$ref": "#/definitions/ArpAttribute", "alias": "urn:oid:1.3.6.1.4.1.5923.1.5.1.1", diff --git a/roles/manage-server/templates/metadata_configuration/single_tenant_template.schema.json.j2 b/roles/manage-server/templates/metadata_configuration/single_tenant_template.schema.json.j2 index c2914b935..0772b2549 100644 --- a/roles/manage-server/templates/metadata_configuration/single_tenant_template.schema.json.j2 +++ b/roles/manage-server/templates/metadata_configuration/single_tenant_template.schema.json.j2 @@ -207,6 +207,10 @@ "$ref": "#/definitions/ArpAttribute", "alias": "urn:oid:1.3.6.1.4.1.1076.20.100.10.50.2" }, + "urn:mace:surf.nl:attribute-def:surf-autorisaties": { + "$ref": "#/definitions/ArpAttribute", + "alias": "urn:oid:1.3.6.1.4.1.1076.20.100.10.50.10" + }, "urn:mace:dir:attribute-def:isMemberOf": { "$ref": "#/definitions/ArpAttribute", "alias": "urn:oid:1.3.6.1.4.1.5923.1.5.1.1", 
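Review bot: The new `urn:mace:surf.nl:attribute-def:surf-autorisaties` entry with alias `urn:oid:1.3.6.1.4.1.1076.20.100.10.50.10` is pasted identically into oidc10_rp, saml20_sp and single_tenant_template, so the OID now lives in three schema templates plus the Shibboleth attribute-map and the OIDCng mapping and has to be kept in sync by hand; a typo in one copy would silently make the attribute unreleasable for that entity type rather than fail loudly. Consider pulling the ARP attribute list into one shared Jinja include or variable, or at least mark each copy with a Jinja comment such as `{# keep in sync with roles/shibboleth attribute-map.xml.j2 and roles/oidcng oidc_saml_mapping.json #}` (the files are .j2, so a Jinja comment is stripped before the JSON is parsed). Since this attribute carries authorization data, a one-line note on which party is expected to assert it would also help the next person editing these schemas.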
diff --git a/roles/oidcng/files/oidc_saml_mapping.json b/roles/oidcng/files/oidc_saml_mapping.json index 8547f7f4e..dfb18a969 100644 --- a/roles/oidcng/files/oidc_saml_mapping.json +++ b/roles/oidcng/files/oidc_saml_mapping.json @@ -115,6 +115,11 @@ "oidc": "surf-crm-id", "multiValue": false }, + { + "saml": "urn:mace:surf.nl:attribute-def:surf-autorisaties", + "oidc": "surf-autorisaties", + "multiValue": true + }, { "saml": "urn:mace:dir:attribute-def:preferredLanguage", "oidc": "locale", diff --git a/roles/oidcng/templates/openid-configuration.json.j2 b/roles/oidcng/templates/openid-configuration.json.j2 index aa9bfa621..bbfc0e2c6 100644 --- a/roles/oidcng/templates/openid-configuration.json.j2 +++ b/roles/oidcng/templates/openid-configuration.json.j2 @@ -85,6 +85,7 @@ "eduperson_orcid", "eckid", "surf-crm-id", + "surf-autorisaties", "uids" ], "claims_parameter_supported": true, diff --git a/roles/shibboleth/templates/shibboleth/attribute-map.xml.j2 b/roles/shibboleth/templates/shibboleth/attribute-map.xml.j2 index 78ce75597..cea7916cd 100644 --- a/roles/shibboleth/templates/shibboleth/attribute-map.xml.j2 +++ b/roles/shibboleth/templates/shibboleth/attribute-map.xml.j2 @@ -38,5 +38,6 @@ + From 46da6cf72d717c1fde526c5879bbac0112432d8f Mon Sep 17 00:00:00 2001 
From: Bart Geesink Date: Thu, 4 Apr 2024 10:37:59 +0200 Subject: [PATCH 031/114] Add teams docker role. This also removes teams as supported app from the springboot role --- provision.yml | 1 + roles/springboot/defaults/main.yml | 14 -- roles/teams/defaults/main.yml | 29 ++++ roles/teams/handlers/main.yml | 6 + roles/teams/tasks/main.yml | 85 ++++++++++++ roles/teams/templates/logback.xml.j2 | 29 ++++ .../teams/templates/serverapplication.yml.j2 | 129 ++++++++++++++++++ roles/teams/vars/main.yml | 14 ++ 8 files changed, 293 insertions(+), 14 deletions(-) create mode 100644 roles/teams/defaults/main.yml create mode 100644 roles/teams/handlers/main.yml create mode 100644 roles/teams/tasks/main.yml create mode 100644 roles/teams/templates/logback.xml.j2 create mode 100644 roles/teams/templates/serverapplication.yml.j2 create mode 100644 roles/teams/vars/main.yml diff --git a/provision.yml b/provision.yml index bc9a8c69b..9a18812f1 100644 --- a/provision.yml +++ b/provision.yml @@ -174,6 +174,7 @@ - { role: docker, tags: ['docker' ] } - { role: invite, tags: ['invite' ] } - { role: dashboard, tags: ["dashboard"] } + - { role: teams, tags: ["teams"] } - { role: mujina-idp, tags: ["mujina-idp"] } - { role: oidc-playground, tags: ["oidc-playground"] } - { role: stats, tags: ["stats"] } diff --git a/roles/springboot/defaults/main.yml b/roles/springboot/defaults/main.yml index 96b265c67..608ca8b48 100644 --- a/roles/springboot/defaults/main.yml +++ b/roles/springboot/defaults/main.yml @@ -2,7 +2,6 @@ springboot_services_state: manage: true - teams: true pdp: true attribute_aggregation: true myconext: true @@ -22,10 +21,6 @@ springboot_gui_services: alias: manage-gui enabled: "{{ springboot_services_state.manage }}" version: "{{ manage_gui_version }}" - - name: teams - alias: teams-gui - enabled: "{{ springboot_services_state.teams }}" - version: "{{ teams_gui_version }}" - name: pdp alias: pdp-gui enabled: "{{ springboot_services_state.pdp }}" 
@@ -76,15 +71,6 @@ springboot_server_services: max_heapsize: "{{ voot_max_heapsize | default('128m') }}" config: "{{ voot }}" - - name: teams - enabled: "{{ springboot_services_state.teams }}" - version: "{{ teams_server_version }}" - type: server - port: 9197 - min_heapsize: "{{ teams_min_heapsize | default('256m') }}" - max_heapsize: "{{ teams_max_heapsize | default('256m') }}" - config: - "{{ teams }}" - name: pdp enabled: "{{ springboot_services_state.pdp }}" version: "{{ pdp_server_version }}" diff --git a/roles/teams/defaults/main.yml b/roles/teams/defaults/main.yml new file mode 100644 index 000000000..c88534d92 --- /dev/null +++ b/roles/teams/defaults/main.yml 
@@ -0,0 +1,29 @@ +--- +teams_dir: /opt/teams +teams_cronjobmaster: true +teams_help_link_en: https://example.org +teams_help_link_nl: https://example.org +teams_help_link_pt: https://example.org +teams_tos_en: https://example.org +teams_tos_nl: https://example.org +teams_tos_pt: https://example.org +teams_main_link: https://www.openconext.org +teams_organization: "{{ instance_name}}" +teams_api_lifecycle_username: teams_api_lifecycle_user +teams_oauth2_token_url: "https://connect.{{ base_domain }}/oidc/token" +teams_authz_client_id: "teams.{{ base_domain }}" +teams_manage_provision_oidcrp_name_en: "Teams client credentials client for VOOT access" +teams_manage_provision_oidcrp_description_en: "OAuth client to access VOOT for group information" +teams_manage_provision_oidcrp_grants: "client_credentials" +teams_manage_provision_oidcrp_state: "prodaccepted" +teams_manage_provision_oidcrp_scopes: "groups" +teams_manage_provision_oidcrp_allowed_resource_servers: '{"name": "{{ voot.oidcng_checkToken_clientId }}"}' +teams_manage_provision_samlsp_client_id: "https://teams.{{ base_domain }}/shibboleth" +teams_manage_provision_samlsp_name_en: "{{ instance_name }} Teams" +teams_manage_provision_samlsp_description_en: "{{ instance_name }} Teams application for group memberships" +teams_manage_provision_samlsp_acs_location: "https://teams.{{ base_domain }}/Shibboleth.sso/SAML2/POST" +teams_manage_provision_samlsp_metadata_url: "https://teams.{{ base_domain }}/Shibboleth.sso/Metadata" +teams_manage_provision_samlsp_sp_cert: "" +teams_manage_provision_samlsp_trusted_proxy: false +teams_manage_provision_samlsp_sign: false +teams_spring_flyway_enabled: true diff --git a/roles/teams/handlers/main.yml b/roles/teams/handlers/main.yml new file mode 100644 index 000000000..df802c095 --- /dev/null +++ b/roles/teams/handlers/main.yml @@ -0,0 +1,6 @@ +- name: restart teamsserver + community.docker.docker_container: + name: teamsserver + state: started + restart: true + 
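Review bot: `roles/teams/defaults/main.yml` documents none of the secret variables the role's templates consume — `teams_api_lifecycle_password`, `teams_api_spdashboard_password`, `teams_authz_client_secret`, `external_group_provider_secrets.teams`, `invite.teamssecret` and `teams.db_password` all have to come from inventory or a vault, and the template task fails at render time if any is missing. A short header comment listing them, with no default values so nothing is ever committed in clear, would make the role self-describing, e.g. `# Required from vault (no defaults on purpose): teams_api_lifecycle_password, teams_api_spdashboard_password, teams_authz_client_secret, external_group_provider_secrets.teams, invite.teamssecret, teams.db_password`. Separately, `teams_manage_provision_samlsp_sign: false` together with `teams_manage_provision_samlsp_sp_cert: ""` registers the SP in Manage without a signing certificate; if a deployment expects signed AuthnRequests these two defaults must be overridden together, which is worth a comment on those two lines.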
diff --git a/roles/teams/tasks/main.yml b/roles/teams/tasks/main.yml new file mode 100644 index 000000000..ae065dc2e --- /dev/null +++ b/roles/teams/tasks/main.yml 
@@ -0,0 +1,85 @@ +--- +- name: Create directory to keep configfile + ansible.builtin.file: + dest: "/opt/openconext/teams" + state: directory + owner: root + group: root + mode: "0770" + +- name: Place the serverapplication configfiles + ansible.builtin.template: + src: "{{ item }}.j2" + dest: /opt/openconext/teams/{{ item }} + owner: root + group: root + mode: "0644" + with_items: + - serverapplication.yml + - logback.xml + notify: restart teamsserver + +- name: Create and start the server container + community.docker.docker_container: + name: teamsserver + image: ghcr.io/openconext/openconext-teams-ng/teams-server:{{ teams_server_version }} + pull: true + restart_policy: "always" + state: started + networks: + - name: "loadbalancer" + mounts: + - source: /opt/openconext/teams/serverapplication.yml + target: /application.yml + type: bind + - source: /opt/openconext/teams/logback.xml + target: /logback.xml + type: bind + command: "-Xmx512m --spring.config.location=./" + etc_hosts: + host.docker.internal: host-gateway + healthcheck: + test: + [ + "CMD", + "wget", + "-no-verbose", + "--tries=1", + "--spider", + "http://localhost:8080/internal/health", + ] + interval: 10s + timeout: 10s + retries: 3 + start_period: 10s + notify: restart teamsserver + +- name: Create the gui container + community.docker.docker_container: + name: teamsgui + image: ghcr.io/openconext/openconext-teams-ng/teams-gui:{{ teams_gui_version }} + pull: true + restart_policy: "always" + state: started + networks: + - name: "loadbalancer" + labels: + traefik.http.routers.teamsgui.rule: "Host(`teams.{{ base_domain }}`)" + traefik.http.routers.teamsgui.tls: "true" + traefik.enable: "true" + healthcheck: + test: ["CMD", "curl", "--fail", "http://localhost/internal/health"] + interval: 10s + timeout: 10s + retries: 3 + start_period: 10s + hostname: teams.{{ base_domain }} + env: + HTTPD_CSP: "{{ httpd_csp.strict_with_static_img }}" + HTTPD_SERVERNAME: "teams.{{ base_domain }}" + 
OPENCONEXT_INSTANCENAME: "{{ instance_name }}" + OPENCONEXT_ENGINE_LOGOUT_URL: "https://engine.{{ base_domain }}/logout" + OPENCONEXT_HELP_EMAIL: "{{ support_email }}" + SHIB_ENTITYID: "https://teams.{{ base_domain }}/shibboleth" + SHIB_REMOTE_ENTITYID: "https://engine.{{ base_domain }}/authentication/idp/metadata" + SHIB_REMOTE_METADATA: "{{ shibboleth_metadata_sources.engine }}" diff --git a/roles/teams/templates/logback.xml.j2 b/roles/teams/templates/logback.xml.j2 new file mode 100644 index 000000000..b9c559d4f --- /dev/null +++ b/roles/teams/templates/logback.xml.j2 @@ -0,0 +1,29 @@ +#jinja2:lstrip_blocks: True + + + + + + %d{ISO8601} %5p [%t] %logger{40}:%L - %m%n + + + + + {{ smtp_server }} + {{ noreply_email }} + {{ error_mail_to }} + {{ error_subject_prefix }}Unexpected error teams + + + + ERROR + + + + + + + + + + diff --git a/roles/teams/templates/serverapplication.yml.j2 b/roles/teams/templates/serverapplication.yml.j2 new file mode 100644 index 000000000..e4035b831 --- /dev/null +++ b/roles/teams/templates/serverapplication.yml.j2 
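Review bot: The healthcheck of the `teamsserver` task passes `-no-verbose` with a single dash; GNU wget spells this `--no-verbose` (or `-nv`), and if the image's wget rejects the unknown option the probe fails on every run and the container is permanently reported unhealthy. Change the test to `["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8080/internal/health"]`. Also, `serverapplication.yml` carries every credential of the service but is written with `mode: "0644"`; the `0770` root-owned directory stops other local users from traversing into it, so this is mitigated, but unless the container process runs as a non-root UID that genuinely needs world-read, `0640` would state the intent more clearly. Finally, `pull: true` on `teams-server:{{ teams_server_version }}` re-resolves the tag on every run, so a mutable tag would silently change the deployed artefact; pinning an immutable tag or a digest is the supply-chain-safe choice.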
@@ -0,0 +1,129 @@ +# The logging configuration. +logging: + config: file:///logback.xml + level: + org.hibernate.SQL: INFO + +api: + lifecycle: + username: {{ teams_api_lifecycle_username }} + password: {{ teams_api_lifecycle_password }} + +secure_cookie: true + +server: + port: 8080 + error: + path: "/error" + servlet: + session: + timeout: 28800 + cookie: + secure: true + server-header: no + +feature-toggles: + expiry-date-membership: false + person-email-picker: false + +config: + support-email: {{ support_email }} + help-link-en: {{ teams_help_link_en }} + help-link-nl: {{ teams_help_link_nl }} + help-link-pt: {{ teams_help_link_pt }} + help-tos-en: {{ teams_tos_en }} + help-tos-nl: {{ teams_tos_nl }} + help-tos-pt: {{ teams_tos_pt }} + main-link: {{ teams_main_link }} + organization: {{ teams_organization }} + sponsor: {{ sponsor_name }} + supported_language_codes: {{ supported_language_codes }} + +security: + user: + name: {{ teams.voot_api_user }} + password: {{ external_group_provider_secrets.teams }} + +sp_dashboard: + user-name: {{ teams.spdashboard_api_user }} + password: {{ teams_api_spdashboard_password }} + person-urn: "{{ teams.spdashboard_person_urn }}" + name: "SP Dashboard" + email: "{{ support_email }}" + +# Is this node in a load-balanced topology responsible for cleaning up resources (See ExpiredInvitationsRemover) +cron: + node-cron-job-responsible: {{ teams_cronjobmaster }} + expression: "0 0/15 * * * ?" 
+ +teams: + default-stem-name: "{{ teams.default_stem_name }}" + group-name-context: "{{ teams.group_name_context }}" + product-name: "{{ teams.product_name }}" + non-guest-member-of: "{{ guest_qualifier }}" + +super_admins_team: + urns: + {% for value in teams.super_admins_team_urns %} +- "{{ value }}" + {% endfor %} + +voot: + serviceUrl: https://voot.{{ base_domain }} + accessTokenUri: "{{ teams_oauth2_token_url }}" + clientId: "{{ teams_authz_client_id }}" + clientSecret: "{{ teams_authz_client_secret }}" + scopes: "{{ teams_manage_provision_oidcrp_scopes }}" + +invite: + url: https://invite.{{ base_domain }}/api/teams + user: {{ invite.teamsuser}} + password: {{ invite.teamssecret }} + +spring: + session: + store-type: jdbc + jdbc: + schema: classpath:org/springframework/session/jdbc/schema-mysql.sql + initialize-schema: always + cleanup-cron: "{% if teams_cronjobmaster %}0 13 * * * *{% else %}-{% endif %}" + jpa: + open-in-view: true + properties: + hibernate: + naming-strategy: org.hibernate.cfg.ImprovedNamingStrategy + dialect: org.hibernate.dialect.MariaDB53Dialect + datasource: + driver-class-name: org.mariadb.jdbc.Driver + url: jdbc:mysql://{{ teams.db_host }}/{{ teams.db_name }}?useMysqlMetadata=true + username: {{ teams.db_user }} + password: {{ teams.db_password }} + mail: + host: {{ smtp_host }} + port: 25 + main: + banner-mode: "off" + flyway: + enabled: {{ teams_spring_flyway_enabled }} + validate-on-migrate: false + table: schema_version + +management: + health: + mail: + enabled: true + endpoints: + web: + exposure: + include: "health,info" + base-path: "/internal" + endpoint: + info: + enabled: true + info: + git: + mode: full + +email: + from: {{ instance_name }} Teams <{{ noreply_email }}> + base-url: https://teams.{{ base_domain }} diff --git a/roles/teams/vars/main.yml b/roles/teams/vars/main.yml new file mode 100644 index 000000000..207ea9b7c --- /dev/null +++ b/roles/teams/vars/main.yml 
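Review bot: Every secret in `serverapplication.yml.j2` except `clientSecret` is interpolated as a bare YAML scalar — `password: {{ teams_api_lifecycle_password }}`, `password: {{ external_group_provider_secrets.teams }}`, `password: {{ teams_api_spdashboard_password }}`, `password: {{ teams.db_password }}`, `password: {{ invite.teamssecret }}` — so a generated secret that starts with `*`, `&`, `!`, `[` or `{`, or contains `: ` or ` #`, either breaks the YAML parse or is silently coerced (an all-digit secret becomes an integer, `yes`/`no`/`true` a boolean), and the service then authenticates with a different value than the vault holds. Quote each of them the way `clientSecret: "{{ teams_authz_client_secret }}"` already is, e.g. `password: "{{ teams.db_password }}"`, or use `{{ teams.db_password | to_json }}` so a secret containing a double quote is also safe. The datasource URL `jdbc:mysql://{{ teams.db_host }}/{{ teams.db_name }}?useMysqlMetadata=true` also sets no TLS mode for the MariaDB driver; if `teams.db_host` is only ever reached via `host.docker.internal` on the same machine that may be acceptable, but it deserves a comment, and a remote database should get an explicit `sslMode` parameter.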
@@ -0,0 +1,14 @@ +manage_provision_oidcrp_client_id: "{{ teams_authz_client_id }}" +manage_provision_oidcrp_secret: "{{ teams_authz_client_secret }}" +manage_provision_oidcrp_name_en: "{{ teams_manage_provision_oidcrp_name_en }}" +manage_provision_oidcrp_description_en: "{{ teams_manage_provision_oidcrp_description_en }}" +manage_provision_oidcrp_grants: "{{ teams_manage_provision_oidcrp_grants }}" +manage_provision_oidcrp_allowed_resource_servers: "{{ teams_manage_provision_oidcrp_allowed_resource_servers }}" +manage_provision_samlsp_client_id: "{{ teams_manage_provision_samlsp_client_id }}" +manage_provision_samlsp_name_en: "{{ teams_manage_provision_samlsp_name_en }}" +manage_provision_samlsp_description_en: "{{ teams_manage_provision_samlsp_description_en }}" +manage_provision_samlsp_acs_location: "{{ teams_manage_provision_samlsp_acs_location }}" +manage_provision_samlsp_metadata_url: "{{ teams_manage_provision_samlsp_metadata_url }}" +manage_provision_samlsp_sp_cert: "{{ teams_manage_provision_samlsp_sp_cert }}" +manage_provision_samlsp_trusted_proxy: "{{ teams_manage_provision_samlsp_trusted_proxy }}" +manage_provision_samlsp_sign: "{{ teams_manage_provision_samlsp_sign }}" From ba534b898be87b066827d4ac2822d559f34b37fc Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Fri, 5 Apr 2024 16:28:05 +0200 Subject: [PATCH 032/114] Voot: Move to docker --- roles/voot/defaults/main.yml | 4 -- roles/voot/handlers/main.yml | 10 +-- roles/voot/tasks/main.yml | 71 +++++++++++++++---- roles/voot/templates/logback.xml.j2 | 21 ++---- ...cation.yml.j2 => serverapplication.yml.j2} | 7 +- roles/voot/templates/voot.conf.j2 | 31 -------- roles/voot/vars/main.yml | 10 --- 7 files changed, 69 insertions(+), 85 deletions(-) rename roles/voot/templates/{application.yml.j2 => serverapplication.yml.j2} (85%) delete mode 100644 roles/voot/templates/voot.conf.j2 diff --git a/roles/voot/defaults/main.yml b/roles/voot/defaults/main.yml index 1373173bd..a22394b56 100644 
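Review bot: `roles/teams/vars/main.yml` maps the `teams_manage_provision_*` values onto the `manage_provision_*` names that the `manage_provision_entities` role consumes, but the new `roles/teams/tasks/main.yml` in this patch never includes that role, so as far as this patch shows these vars — and the OIDC RP and SAML SP registrations in Manage they describe — are dead. Either the two `include_role: name: manage_provision_entities` tasks (with `entity_type: oidc10_rp` and `entity_type: saml20_sp`, as the voot and old pdp-server task files have) were meant to be in the tasks file and are missing, or this file should be dropped; please confirm which. Independently, `teams_manage_provision_oidcrp_scopes` and `teams_manage_provision_oidcrp_state` are defined in defaults but have no mapping here, which suggests they were meant to be passed through as well; otherwise `groups` / `prodaccepted` never reach the provisioning step.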
--- a/roles/voot/defaults/main.yml +++ b/roles/voot/defaults/main.yml @@ -1,8 +1,4 @@ --- -voot_dir: /opt/voot/ -voot_version: '' -voot_snapshot_timestamp: '' -voot_service_jar: voot-service.jar voot_manage_provision_oauth_rs_client_id: "{{ voot.oidcng_checkToken_clientId }}" voot_manage_provision_oauth_rs_rp_secret: "{{ voot.oidcng_checkToken_secret }}" voot_manage_provision_oauth_rs_name_en: "{{ instance_name }} VOOT Resource Server" diff --git a/roles/voot/handlers/main.yml b/roles/voot/handlers/main.yml index 431550df6..281d74143 100644 --- a/roles/voot/handlers/main.yml +++ b/roles/voot/handlers/main.yml @@ -1,6 +1,6 @@ --- -- name: restart voot - systemd: - name: voot - state: restarted - daemon_reload: yes +- name: restart vootserver + community.docker.docker_container: + name: dashboardserver + state: started + restart: true diff --git a/roles/voot/tasks/main.yml b/roles/voot/tasks/main.yml index e4ac372c7..845fb246d 100644 --- a/roles/voot/tasks/main.yml +++ b/roles/voot/tasks/main.yml 
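Review bot: The rewritten `restart vootserver` handler in `roles/voot/handlers/main.yml` restarts the wrong container: it targets `name: dashboardserver` while the task file creates the container as `vootserver`, so a changed `serverapplication.yml`, `externalProviders.yml` or `logback.xml` never reaches the running VOOT process and the dashboard gets an unrelated restart instead. Looks like a copy-paste from the dashboard role; change it to `name: vootserver`.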
@@ -1,25 +1,66 @@ --- +- name: Create directory to keep configfile + ansible.builtin.file: + dest: "/opt/openconext/voot" + state: directory + owner: root + group: root + mode: "0770" -- name: Copy logging config - template: +- name: Place the serverapplication configfiles + ansible.builtin.template: src: "{{ item }}.j2" - dest: "{{ voot_dir }}/{{ item }}" - owner: voot - group: voot - mode: 0740 + dest: /opt/openconext/voot/{{ item }} + owner: root + group: root + mode: "0644" with_items: + - serverapplication.yml - logback.xml - - application.yml - externalProviders.yml - notify: - - "restart voot" + notify: restart vootserver -- name: copy apache config - template: - src: "voot.conf.j2" - dest: "/etc/httpd/conf.d/voot.conf" - notify: - - "reload httpd" +- name: Create and start the server container + community.docker.docker_container: + name: vootserver + image: ghcr.io/openconext/openconext-voot/voot:{{ voot_version }} + pull: true + restart_policy: "always" + state: started + networks: + - name: "loadbalancer" + mounts: + - source: /opt/openconext/voot/serverapplication.yml + target: /application.yml + type: bind + - source: /opt/openconext/voot/externalProviders.yml + target: /externalProviders.yml + type: bind + - source: /opt/openconext/voot/logback.xml + target: /logback.xml + type: bind + command: "-Xmx128m --spring.config.location=./" + etc_hosts: + host.docker.internal: host-gateway + labels: + traefik.http.routers.voot.rule: "Host(`voot.{{ base_domain }}`)" + traefik.http.routers.voot.tls: "true" + traefik.enable: "true" + healthcheck: + test: + [ + "CMD", + "wget", + "-no-verbose", + "--tries=1", + "--spider", + "http://localhost:8080/internal/health", + ] + interval: 10s + timeout: 10s + retries: 3 + start_period: 10s + notify: restart vootserver - name: Include the role manage_provision_entities to provision the client_credentials client include_role: 
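Review bot: The `vootserver` container now carries Traefik labels and is routed for `Host(\`voot.{{ base_domain }}\`)` with no path restriction, so everything the Spring app serves on 8080 — including the management endpoints under `/internal` — is reachable on the public hostname; the removed Apache vhost also proxied `/` wholesale, so this is not new exposure, but the migration is the right moment to add a Traefik middleware that blocks `/internal` from outside, or to confirm VOOT authenticates those paths itself. The healthcheck passes `-no-verbose` with a single dash, where GNU wget expects `--no-verbose` (or `-nv`); if the image's wget rejects it the container is marked unhealthy permanently and Traefik will stop routing to it, so use `["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8080/internal/health"]`. `pull: true` on `voot:{{ voot_version }}` re-resolves the tag each run; pin an immutable tag or a digest so the deployed artefact cannot change without a playbook change.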
diff --git a/roles/voot/templates/logback.xml.j2 b/roles/voot/templates/logback.xml.j2 index f52cf99be..cba9c2262 100644 --- a/roles/voot/templates/logback.xml.j2 +++ b/roles/voot/templates/logback.xml.j2 @@ -1,22 +1,10 @@ - - {{ rsyslog_host }} - DAEMON - VOOTMAIN: [%thread] %logger %msg - - - - /var/log/voot/voot.log - - - /var/log/voot/voot-%d{yyyy-MM-dd}.log.gz - {{ logback_max_history }} - + - %d{ISO8601} %5p [%t] %logger{40}:%L - %m%n - + %d{ISO8601} %5p [%t] %logger{40}:%L - %m%n + @@ -37,7 +25,6 @@ - - + diff --git a/roles/voot/templates/application.yml.j2 b/roles/voot/templates/serverapplication.yml.j2 similarity index 85% rename from roles/voot/templates/application.yml.j2 rename to roles/voot/templates/serverapplication.yml.j2 index 86548f97d..2d244d2e8 100644 --- a/roles/voot/templates/application.yml.j2 +++ b/roles/voot/templates/serverapplication.yml.j2 @@ -1,8 +1,8 @@ logging: - config: "file://{{ voot_dir }}/logback.xml" + config: "file:///logback.xml" server: - port: {{ springapp_tcpport }} + port: 8080 server-header: no error: include-message: always @@ -10,7 +10,7 @@ server: externalProviders: config: - path: "file://{{ voot_dir }}/externalProviders.yml" + path: "file:///externalProviders.yml" spring: mvc: @@ -41,6 +41,7 @@ management: web: exposure: include: "health,info,mappings" + base-path: "/internal" endpoint: info: enabled: true diff --git a/roles/voot/templates/voot.conf.j2 b/roles/voot/templates/voot.conf.j2 deleted file mode 100644 index 930188ae3..000000000 --- a/roles/voot/templates/voot.conf.j2 +++ /dev/null 
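Review bot: `management.endpoints.web.exposure.include: "health,info,mappings"` now sits under the new `base-path: "/internal"` on a container that Traefik routes for the public `voot.{{ base_domain }}` host, and `mappings` enumerates every request handler of the application — useful to an attacker mapping the API, of no use to a load balancer. Unless VOOT secures the actuator paths itself, drop it from the production exposure, `include: "health,info"` (matching the teams template in this series), or restrict `/internal` at the edge. The `management:` block starts outside this hunk, so there may be further settings there that change the picture.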
@@ -1,31 +0,0 @@ -{% if apache_app_listen_address.voot is defined %} -Listen {{ apache_app_listen_address.voot }}:{{ loadbalancing.voot.port }} - -{% else %} - -{% endif %} - # General setup for the virtual host, inherited from global configuration - ServerName https://voot.{{ base_domain }} - - ErrorLog "|/usr/bin/logger -S 32k -p local3.err -t 'Apache-VOOT'" - CustomLog "|/usr/bin/logger -S 32k -p local3.info -t 'Apache-VOOT'" combined - - ProxyPass / http://localhost:{{ springapp_tcpport }}/ retry=0 - - {% if haproxy_backend_tls %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/backend.{{ base_domain }}.pem - SSLCertificateKeyFile {{ tls.cert_private_path }}/backend.{{ base_domain }}.key - Include ssl_backend.conf - {% endif %} - - Header always set Content-Security-Policy "{{ httpd_csp.nothing }}" - - {% if apache_app_listen_address.all is defined %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/{{ tls_star_cert }} - SSLCertificateKeyFile {{ tls.cert_private_path }}/{{ tls_star_cert_key }} - SSLCertificateChainFile {{ tls.cert_path_ca }}/{{ tls_ca }} - Include ssl_backend.conf - {% endif %} - diff --git a/roles/voot/vars/main.yml b/roles/voot/vars/main.yml index 39e886a32..c0f758825 100644 --- a/roles/voot/vars/main.yml +++ b/roles/voot/vars/main.yml @@ -1,13 +1,3 @@ -springapp_artifact_id: voot-service -springapp_artifact_type: jar -springapp_artifact_group_dir: org/openconext -springapp_version: "{{ voot_version }}" -springapp_dir: "{{ voot_dir }}" -springapp_user: voot -springapp_service_name: voot -springapp_jar: "{{ voot_service_jar }}" -springapp_tcpport: 9191 -springapp_random_source: "file:///dev/urandom" manage_provision_oauth_rs_client_id: "{{ voot_manage_provision_oauth_rs_client_id }}" manage_provision_oauth_rs_name_en: "{{ voot_manage_provision_oauth_rs_name_en }}" manage_provision_oauth_rs_description_en: "{{ voot_manage_provision_oauth_rs_description_en }}" From 5620d47017aaa4cc20c1daeba331506f2fcf5d73 Mon Sep 17 00:00:00 2001 
From: Bart Geesink Date: Fri, 5 Apr 2024 16:29:08 +0200 Subject: [PATCH 033/114] PDP: Move to docker --- roles/pdp-gui/defaults/main.yml | 3 - roles/pdp-gui/meta/main.yml | 1 - roles/pdp-gui/tasks/main.yml | 7 -- roles/pdp-gui/templates/pdp.conf.j2 | 94 ------------------- roles/pdp-gui/vars/main.yml | 4 - roles/pdp-server/handlers/main.yml | 6 -- roles/pdp-server/meta/main.yml | 1 - roles/pdp-server/tasks/main.yml | 27 ------ roles/pdp-server/templates/logback.xml.j2 | 43 --------- roles/{pdp-server => pdp}/defaults/main.yml | 4 - roles/pdp/handlers/main.yml | 5 + roles/pdp/tasks/main.yml | 89 ++++++++++++++++++ roles/pdp/templates/logback.xml.j2 | 31 ++++++ .../serverapplication.properties.j2} | 16 ++-- .../templates/xacml.conext.properties.j2 | 0 roles/{pdp-server => pdp}/vars/main.yml | 10 -- 16 files changed, 134 insertions(+), 207 deletions(-) delete mode 100644 roles/pdp-gui/defaults/main.yml delete mode 100644 roles/pdp-gui/meta/main.yml delete mode 100644 roles/pdp-gui/tasks/main.yml delete mode 100644 roles/pdp-gui/templates/pdp.conf.j2 delete mode 100644 roles/pdp-gui/vars/main.yml delete mode 100644 roles/pdp-server/handlers/main.yml delete mode 100644 roles/pdp-server/meta/main.yml delete mode 100644 roles/pdp-server/tasks/main.yml delete mode 100644 roles/pdp-server/templates/logback.xml.j2 rename roles/{pdp-server => pdp}/defaults/main.yml (93%) create mode 100644 roles/pdp/handlers/main.yml create mode 100644 roles/pdp/tasks/main.yml create mode 100644 roles/pdp/templates/logback.xml.j2 rename roles/{pdp-server/templates/application.properties.j2 => pdp/templates/serverapplication.properties.j2} (90%) rename roles/{pdp-server => pdp}/templates/xacml.conext.properties.j2 (100%) rename roles/{pdp-server => pdp}/vars/main.yml (77%) diff --git a/roles/pdp-gui/defaults/main.yml b/roles/pdp-gui/defaults/main.yml deleted file mode 100644 index ced5dba47..000000000 --- a/roles/pdp-gui/defaults/main.yml +++ /dev/null 
@@ -1,3 +0,0 @@ ---- -pdp_gui_version: '' -pdp_gui_snapshot_timestamp: '' diff --git a/roles/pdp-gui/meta/main.yml b/roles/pdp-gui/meta/main.yml deleted file mode 100644 index ed97d539c..000000000 --- a/roles/pdp-gui/meta/main.yml +++ /dev/null @@ -1 +0,0 @@ ---- diff --git a/roles/pdp-gui/tasks/main.yml b/roles/pdp-gui/tasks/main.yml deleted file mode 100644 index a8cccc9a6..000000000 --- a/roles/pdp-gui/tasks/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: copy virtual host config - template: - src: "pdp.conf.j2" - dest: "/etc/httpd/conf.d/pdp.conf" - notify: - - "reload httpd" diff --git a/roles/pdp-gui/templates/pdp.conf.j2 b/roles/pdp-gui/templates/pdp.conf.j2 deleted file mode 100644 index c304de661..000000000 --- a/roles/pdp-gui/templates/pdp.conf.j2 +++ /dev/null 
@@ -1,94 +0,0 @@ -{% if apache_app_listen_address.pdp is defined %} -Listen {{ apache_app_listen_address.pdp }}:{{ loadbalancing.pdp.port }} - -{% else %} - -{% endif %} - - # General setup for the virtual host, inherited from global configuration - ServerName https://pdp.{{ base_domain }} - - ErrorLog "|/usr/bin/logger -S 32k -p local3.err -t 'Apache-PDP'" - CustomLog "|/usr/bin/logger -S 32k -p local3.info -t 'Apache-PDP'" combined - - RewriteEngine on - - RewriteCond %{REQUEST_URI} !\.html$ - RewriteCond %{REQUEST_URI} !\.(js|css)(\.map)?$ - RewriteCond %{REQUEST_URI} !\.svg$ - RewriteCond %{REQUEST_URI} !\.css$ - RewriteCond %{REQUEST_URI} !\.png$ - RewriteCond %{REQUEST_URI} !\.ico$ - RewriteCond %{REQUEST_URI} !\.woff$ - RewriteCond %{REQUEST_URI} !\.woff2$ - RewriteCond %{REQUEST_URI} !\.ttf$ - RewriteCond %{REQUEST_URI} !\.eot$ - RewriteCond %{REQUEST_URI} !^/(asset-)?manifest.json$ - RewriteCond %{REQUEST_URI} !^/pdp - RewriteCond %{REQUEST_URI} !^/internal - RewriteCond %{REQUEST_URI} !^/fonts - RewriteRule (.*) /index.html [L] - - ProxyPass /Shibboleth.sso ! 
- - ProxyPass /pdp/api/health http://localhost:{{ springapp_tcpport }}/internal/health retry=0 - ProxyPass /pdp/api/info http://localhost:{{ springapp_tcpport }}/internal/info retry=0 - - ProxyPass /pdp/api http://localhost:{{ springapp_tcpport }} retry=0 - ProxyPassReverse /pdp/api http://localhost:{{ springapp_tcpport }} - - ProxyPass /internal http://localhost:{{ springapp_tcpport }}/internal retry=0 - ProxyPassReverse /internal http://localhost:{{ springapp_tcpport }}/internal - - - AuthType shibboleth - ShibUseHeaders On - ShibRequestSetting applicationId pdp - ShibRequireSession On - require valid-user - - - DocumentRoot "{{ _springapp_dir }}/current" - - - Require all granted - Options -Indexes - - - - Require all granted - - - - Require all granted - - - - Require all granted - - - - Require all granted - - - Header always set Content-Security-Policy "{{ httpd_csp.lenient }}" - Header always set X-Frame-Options "DENY" - Header always set Referrer-Policy "same-origin" - Header always set X-Content-Type-Options "nosniff" - - {% if haproxy_backend_tls %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/backend.{{ base_domain }}.pem - SSLCertificateKeyFile {{ tls.cert_private_path }}/backend.{{ base_domain }}.key - Include ssl_backend.conf - {% endif %} - - {% if apache_app_listen_address.all is defined %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/{{ tls_star_cert }} - SSLCertificateKeyFile {{ tls.cert_private_path }}/{{ tls_star_cert_key }} - SSLCertificateChainFile {{ tls.cert_path_ca }}/{{ tls_ca }} - Include ssl_backend.conf - {% endif %} - - diff --git a/roles/pdp-gui/vars/main.yml b/roles/pdp-gui/vars/main.yml deleted file mode 100644 index 33c79b0a6..000000000 --- a/roles/pdp-gui/vars/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -springapp_tcpport: 9196 -springapp_artifact_id: pdp-gui -springapp_version: "{{ pdp_gui_version }}" 
diff --git a/roles/pdp-server/handlers/main.yml b/roles/pdp-server/handlers/main.yml deleted file mode 100644 index ca2d3bd12..000000000 --- a/roles/pdp-server/handlers/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: restart pdp - systemd: - name: pdp - state: restarted - daemon_reload: yes diff --git a/roles/pdp-server/meta/main.yml b/roles/pdp-server/meta/main.yml deleted file mode 100644 index ed97d539c..000000000 --- a/roles/pdp-server/meta/main.yml +++ /dev/null @@ -1 +0,0 @@ ---- diff --git a/roles/pdp-server/tasks/main.yml b/roles/pdp-server/tasks/main.yml deleted file mode 100644 index 79dbd9ca8..000000000 --- a/roles/pdp-server/tasks/main.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- - -- name: Copy logging config - template: - src: "{{ item }}.j2" - dest: "{{ pdp_dir }}/{{ item }}" - owner: pdp - group: pdp - mode: 0740 - with_items: - - logback.xml - - application.properties - - xacml.conext.properties - notify: - - "restart pdp" - -- name: Include the role manage_provision_entities to provision the client_credentials client - include_role: - name: manage_provision_entities - vars: - entity_type: oidc10_rp - -- name: Include the role manage_provision_entities to provision the Dashboard sp to Manage - include_role: - name: manage_provision_entities - vars: - entity_type: saml20_sp diff --git a/roles/pdp-server/templates/logback.xml.j2 b/roles/pdp-server/templates/logback.xml.j2 deleted file mode 100644 index b8a01c4a3..000000000 --- a/roles/pdp-server/templates/logback.xml.j2 +++ /dev/null @@ -1,43 +0,0 @@ - - - - {{ rsyslog_host }} - DAEMON - PDPMAIN: [%thread] %logger %msg - - - {{ rsyslog_host }} - DAEMON - PDPANALYTICS: %msg - - - /var/log/pdp/pdp.log - - - /var/log/pdp/pdp-%d{yyyy-MM-dd}.log.gz - {{ logback_max_history }} - - - %d{ISO8601} %5p [%t] %logger{40}:%L - %m%n - - - - - - - {{ smtp_server }} - {{ noreply_email }} - {{ error_mail_to }} - {{ error_subject_prefix }}Unexpected error pdp - - - ERROR - - - - - - - - - 
diff --git a/roles/pdp-server/defaults/main.yml b/roles/pdp/defaults/main.yml similarity index 93% rename from roles/pdp-server/defaults/main.yml rename to roles/pdp/defaults/main.yml index ff750bd41..272c9240e 100644 --- a/roles/pdp-server/defaults/main.yml +++ b/roles/pdp/defaults/main.yml @@ -1,8 +1,4 @@ --- -pdp_dir: /opt/pdp/ -pdp_group_url: org/openconext -pdp_server_version: '' -pdp_jar: pdp.jar pdp_email_from: '{{ noreply_email }}' pdp_cronjobmaster: true pdp_invalid_policies_error_mail_to: '{{ error_mail_to }}' diff --git a/roles/pdp/handlers/main.yml b/roles/pdp/handlers/main.yml new file mode 100644 index 000000000..aa671d48f --- /dev/null +++ b/roles/pdp/handlers/main.yml @@ -0,0 +1,5 @@ +- name: restart pdpserver + community.docker.docker_container: + name: pdpserver + state: started + restart: true diff --git a/roles/pdp/tasks/main.yml b/roles/pdp/tasks/main.yml new file mode 100644 index 000000000..9f791d18f --- /dev/null +++ b/roles/pdp/tasks/main.yml 
@@ -0,0 +1,89 @@ +--- +- name: Create directory to keep configfile + ansible.builtin.file: + dest: "/opt/openconext/pdp" + state: directory + owner: root + group: root + mode: "0770" + +- name: Place the serverapplication configfiles + ansible.builtin.template: + src: "{{ item }}.j2" + dest: /opt/openconext/pdp/{{ item }} + owner: root + group: root + mode: "0644" + with_items: + - serverapplication.properties + - logback.xml + - xacml.conext.properties + notify: restart pdpserver + +- name: Create and start the server container + community.docker.docker_container: + name: pdpserver + image: ghcr.io/openconext/openconext-pdp/pdp-server:{{ pdp_server_version }} + pull: true + restart_policy: "always" + state: started + networks: + - name: "loadbalancer" + mounts: + - source: /opt/openconext/pdp/serverapplication.properties + target: /application.properties + type: bind + - source: /opt/openconext/pdp/logback.xml + target: /logback.xml + type: bind + - source: /opt/openconext/pdp/xacml.conext.properties + target: /xacml.conext.properties + type: bind + command: "-Xmx512m --spring.config.location=./" + etc_hosts: + host.docker.internal: host-gateway + healthcheck: + test: + [ + "CMD", + "wget", + "-no-verbose", + "--tries=1", + "--spider", + "http://localhost:8080/internal/health", + ] + interval: 10s + timeout: 10s + retries: 3 + start_period: 10s + notify: restart pdpserver + +- name: Create the gui container + community.docker.docker_container: + name: pdpgui + image: ghcr.io/openconext/openconext-pdp/pdp-gui:{{ pdp_gui_version }} + pull: true + restart_policy: "always" + state: started + networks: + - name: "loadbalancer" + labels: + traefik.http.routers.pdpgui.rule: "Host(`pdp.{{ base_domain }}`)" + traefik.http.routers.pdpgui.tls: "true" + traefik.enable: "true" + healthcheck: + test: ["CMD", "curl", "--fail", "http://localhost/internal/health"] + interval: 10s + timeout: 10s + retries: 3 + start_period: 10s + hostname: pdp.{{ base_domain }} + env: + HTTPD_CSP: 
"{{ httpd_csp.lenient }}" + HTTPD_SERVERNAME: "pdp.{{ base_domain }}" + OPENCONEXT_INSTANCENAME: "{{ instance_name }}" + OPENCONEXT_ENGINE_LOGOUT_URL: "https://engine.{{ base_domain }}/logout" + OPENCONEXT_HELP_EMAIL: "{{ support_email }}" + SHIB_ENTITYID: "https://pdp.{{ base_domain }}/shibboleth" + SHIB_REMOTE_ENTITYID: "https://engine.{{ base_domain }}/authentication/idp/metadata" + SHIB_REMOTE_METADATA: "{{ shibboleth_metadata_sources.engine }}" diff --git a/roles/pdp/templates/logback.xml.j2 b/roles/pdp/templates/logback.xml.j2 new file mode 100644 index 000000000..b2991351c --- /dev/null +++ b/roles/pdp/templates/logback.xml.j2 @@ -0,0 +1,31 @@ + + + + + %d{ISO8601} %5p [%t] %logger{40}:%L - %m%n + + + + + %d{ISO8601} %5p [%t] %logger{40}:%L - %m%n + + + + + + + {{ smtp_server }} + {{ noreply_email }} + {{ error_mail_to }} + {{ error_subject_prefix }}Unexpected error pdp + + + ERROR + + + + + + + + diff --git a/roles/pdp-server/templates/application.properties.j2 b/roles/pdp/templates/serverapplication.properties.j2 similarity index 90% rename from roles/pdp-server/templates/application.properties.j2 rename to roles/pdp/templates/serverapplication.properties.j2 index a9075ea4a..00e9d7da4 100644 --- a/roles/pdp-server/templates/application.properties.j2 +++ b/roles/pdp/templates/serverapplication.properties.j2 @@ -1,8 +1,8 @@ # Log configuration -logging.config=file://{{ pdp_dir }}/logback.xml +logging.config=file:///logback.xml # Port for spring boot application -server.port={{ springapp_tcpport }} +server.port=8080 server.servlet.session.cookie.secure=true # We serve from the root. Do not change this 
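Review bot: The `Place the serverapplication configfiles` task installs `serverapplication.properties` with `mode: "0644"`, and the properties hunk in this same patch shows that file holding `spring.datasource.password` and `policy.enforcement.point.user.password`, so any local account on the host can read the PDP database and PEP credentials; the systemd-based role this replaces delivered the same files as `owner: pdp`, `mode: 0740`. Since the bind mount is performed by root, `mode: "0600"` on the three config files (or at least on the properties file) keeps the container working while closing the hole. Separately, `pull: true` against the mutable tag `pdp-server:{{ pdp_server_version }}` re-resolves the image on every run, so either pin `image:` to a digest or note in the role that version tags are treated as immutable. Last, the healthcheck passes `-no-verbose` with a single dash; the documented spellings are `--no-verbose` or `-nv`, and I would expect most wget builds to reject the single-dash form and mark the container unhealthy, so confirm against the image's wget or change it to `"--no-verbose"`.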
@@ -22,10 +22,12 @@ spring.datasource.driverClassName=org.mariadb.jdbc.Driver spring.datasource.url=jdbc:mysql://{{ pdp.db_host }}/{{ pdp.db_name }} spring.datasource.username={{ pdp.db_user }} spring.datasource.password={{ pdp.db_password }} - +spring.jpa.open-in-view=True spring.flyway.enabled={{ pdp_spring_flyway_enabled }} - -spring.mail.host=localhost +spring.mvc.dispatch-options-request=true +spring.flyway.validate-on-migrate=false +spring.flyway.table=schema_version +spring.mail.host={{ smtp_host }} spring.mail.port=25 email.base_url=https://pdp.{{ base_domain }}/conflicts @@ -42,8 +44,8 @@ policy.enforcement.point.user.name={{ pdp.username }} policy.enforcement.point.user.password={{ pdp.password }} # The main XACML properties -xacml.properties.path=file://{{ pdp_dir }}/xacml.conext.properties -policy.base.dir=file://{{ pdp_dir }}/xacml-policies +xacml.properties.path=file:///xacml.conext.properties +policy.base.dir=file:///xacml-policies # Do we cache the policies in memory - recommended for production policies.cachePolicies={{ pdp.cache_policies }} diff --git a/roles/pdp-server/templates/xacml.conext.properties.j2 b/roles/pdp/templates/xacml.conext.properties.j2 similarity index 100% rename from roles/pdp-server/templates/xacml.conext.properties.j2 rename to roles/pdp/templates/xacml.conext.properties.j2 diff --git a/roles/pdp-server/vars/main.yml b/roles/pdp/vars/main.yml similarity index 77% rename from roles/pdp-server/vars/main.yml rename to roles/pdp/vars/main.yml index e099e724d..5e7703ec6 100644 --- a/roles/pdp-server/vars/main.yml +++ b/roles/pdp/vars/main.yml 
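Review bot: `spring.flyway.validate-on-migrate=false` switches off Flyway's checksum comparison, so a migration script that was edited in place or swapped out is no longer detected at start-up and the schema silently drifts from what the migrations describe; if this is a one-off to tolerate legacy `schema_version` checksums it should say so, e.g. `# validate-on-migrate is off to tolerate legacy schema_version checksums; re-enable after flyway repair`, and be revisited rather than left permanently. In the same hunk `spring.mail.host={{ smtp_host }}` introduces a variable name that the logback template of this patch does not use (it reads `{{ smtp_server }}`); unless `smtp_host` is defined in the inventory, Ansible aborts the template task on the undefined variable, so confirm which name exists and use the same one in both templates. The `-` lines dropping the blank lines and `spring.mail.host=localhost` are history and fine as they are.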
@@ -1,13 +1,3 @@ -springapp_artifact_id: pdp-server -springapp_artifact_type: jar -springapp_artifact_group_dir: org/openconext -springapp_version: "{{ pdp_server_version }}" -springapp_dir: "{{ pdp_dir }}" -springapp_user: pdp -springapp_service_name: pdp -springapp_jar: "{{ pdp_jar }}" -springapp_tcpport: 9196 -springapp_random_source: "file:///dev/urandom" manage_provision_oidcrp_client_id: "{{ pdp_oauth2_clientid }}" manage_provision_oidcrp_secret: "{{ pdp_client_secret }}" manage_provision_oidcrp_name_en: "{{ pdp_manage_provision_oidcrp_name_en }}" From 0e2aaab48507bd55dd07a62183271cfc07fbe9d9 Mon Sep 17 00:00:00 2001 
From: Bart Geesink Date: Fri, 5 Apr 2024 16:30:05 +0200 Subject: [PATCH 034/114] Attribute aggregation: Move to Docker --- .../defaults/main.yml | 1 - roles/attribute-aggregation-gui/meta/main.yml | 1 - .../attribute-aggregation-gui/tasks/main.yml | 7 - .../templates/attribute_aggregation.conf.j2 | 192 ------------------ roles/attribute-aggregation-gui/vars/main.yml | 4 - .../handlers/main.yml | 6 - .../meta/main.yml | 1 - .../tasks/main.yml | 21 -- .../templates/logback.xml.j2 | 59 ------ .../defaults/main.yml | 5 - roles/attribute-aggregation/handlers/main.yml | 5 + roles/attribute-aggregation/tasks/main.yml | 89 ++++++++ .../templates/attributeAuthorities.yml.j2 | 0 .../templates/logback.xml.j2 | 33 +++ .../templates/serverapplication.yml.j2} | 7 +- .../vars/main.yml | 10 - 16 files changed, 131 insertions(+), 310 deletions(-) delete mode 100644 roles/attribute-aggregation-gui/defaults/main.yml delete mode 100644 roles/attribute-aggregation-gui/meta/main.yml delete mode 100644 roles/attribute-aggregation-gui/tasks/main.yml delete mode 100644 roles/attribute-aggregation-gui/templates/attribute_aggregation.conf.j2 delete mode 100644 roles/attribute-aggregation-gui/vars/main.yml delete mode 100644 roles/attribute-aggregation-server/handlers/main.yml delete mode 100644 roles/attribute-aggregation-server/meta/main.yml delete mode 100644 roles/attribute-aggregation-server/tasks/main.yml delete mode 100644 roles/attribute-aggregation-server/templates/logback.xml.j2 rename roles/{attribute-aggregation-server => attribute-aggregation}/defaults/main.yml (72%) create mode 100644 roles/attribute-aggregation/handlers/main.yml create mode 100644 roles/attribute-aggregation/tasks/main.yml rename roles/{attribute-aggregation-server => attribute-aggregation}/templates/attributeAuthorities.yml.j2 (100%) create mode 100644 roles/attribute-aggregation/templates/logback.xml.j2 rename roles/{attribute-aggregation-server/templates/application.yml.j2 => 
attribute-aggregation/templates/serverapplication.yml.j2} (91%) rename roles/{attribute-aggregation-server => attribute-aggregation}/vars/main.yml (51%) diff --git a/roles/attribute-aggregation-gui/defaults/main.yml b/roles/attribute-aggregation-gui/defaults/main.yml deleted file mode 100644 index ed97d539c..000000000 --- a/roles/attribute-aggregation-gui/defaults/main.yml +++ /dev/null @@ -1 +0,0 @@ ---- diff --git a/roles/attribute-aggregation-gui/meta/main.yml b/roles/attribute-aggregation-gui/meta/main.yml deleted file mode 100644 index ed97d539c..000000000 --- a/roles/attribute-aggregation-gui/meta/main.yml +++ /dev/null @@ -1 +0,0 @@ ---- diff --git a/roles/attribute-aggregation-gui/tasks/main.yml b/roles/attribute-aggregation-gui/tasks/main.yml deleted file mode 100644 index 54f652a38..000000000 --- a/roles/attribute-aggregation-gui/tasks/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: copy virtual host config - template: - src: "attribute_aggregation.conf.j2" - dest: "/etc/httpd/conf.d/attribute_aggregation.conf" - notify: - - "restart httpd" diff --git a/roles/attribute-aggregation-gui/templates/attribute_aggregation.conf.j2 b/roles/attribute-aggregation-gui/templates/attribute_aggregation.conf.j2 deleted file mode 100644 index 79ebf0796..000000000 --- a/roles/attribute-aggregation-gui/templates/attribute_aggregation.conf.j2 +++ /dev/null 
@@ -1,192 +0,0 @@ -{% if apache_app_listen_address.aa is defined %} -Listen {{ apache_app_listen_address.aa }}:{{ loadbalancing.aa.port }} - -{% else %} - -{% endif %} - - # General setup for the virtual host, inherited from global configuration - ServerName https://aa.{{ base_domain }} - - ErrorLog "|/usr/bin/logger -S 32k -p local3.err -t 'Apache-AA'" - CustomLog "|/usr/bin/logger -S 32k -p local3.info -t 'Apache-AA'" combined - - RewriteEngine on - - RewriteCond %{REQUEST_URI} !\.html$ - RewriteCond %{REQUEST_URI} !\.(js|css)(\.map)?$ - RewriteCond %{REQUEST_URI} !\.svg$ - RewriteCond %{REQUEST_URI} !\.png$ - RewriteCond %{REQUEST_URI} !\.ico$ - RewriteCond %{REQUEST_URI} !\.woff$ - RewriteCond %{REQUEST_URI} !\.woff2$ - RewriteCond %{REQUEST_URI} !\.ttf$ - RewriteCond %{REQUEST_URI} !\.eot$ - RewriteCond %{REQUEST_URI} !^/(asset-)?manifest.json$ - RewriteCond %{REQUEST_URI} !^/aa/ - RewriteCond %{REQUEST_URI} !^/internal/ - RewriteCond %{REQUEST_URI} !^/redirect - RewriteCond %{REQUEST_URI} !^/fonts/ - RewriteRule (.*) /index.html [L] - - ProxyPass /Shibboleth.sso ! 
- - ProxyPass /redirect http://localhost:{{ springapp_tcpport }}/aa/api/redirect retry=0 - - ProxyPass /aa/api/health http://localhost:{{ springapp_tcpport }}/aa/api/internal/health retry=0 - ProxyPass /aa/api/info http://localhost:{{ springapp_tcpport }}/aa/api/internal/info retry=0 - - ProxyPass /internal/health http://localhost:{{ springapp_tcpport }}/aa/api/internal/health retry=0 - ProxyPass /internal/info http://localhost:{{ springapp_tcpport }}/aa/api/internal/info retry=0 - - ProxyPass /aa/api http://localhost:{{ springapp_tcpport }}/aa/api retry=0 - ProxyPassReverse /aa/api http://localhost:{{ springapp_tcpport }}/aa/api - - - AuthType shibboleth - ShibUseHeaders On - ShibRequestSetting applicationId attribute-aggregation - ShibRequireSession On - Require valid-user - - - DocumentRoot "{{ _springapp_dir }}/current" - - - Require all granted - Options -Indexes - - - # Disable shibboleth health / info check - - Require all granted - - - # The EB endpoints are secured with basic auth - - Require all granted - - - # The internal info and health - - Require all granted - - - # The Lifecycle endpoints are secured with basic auth - - Require all granted - - - Header always set Content-Security-Policy "{{ httpd_csp.lenient }}" - Header always set X-Frame-Options "DENY" - Header always set Referrer-Policy "same-origin" - Header always set X-Content-Type-Options "nosniff" - - {% if haproxy_backend_tls %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/backend.{{ base_domain }}.pem - SSLCertificateKeyFile {{ tls.cert_private_path }}/backend.{{ base_domain }}.key - Include ssl_backend.conf - {% endif %} - - {% if apache_app_listen_address.all is defined %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/{{ tls_star_cert }} - SSLCertificateKeyFile {{ tls.cert_private_path }}/{{ tls_star_cert_key }} - SSLCertificateChainFile {{ tls.cert_path_ca }}/{{ tls_ca }} - Include ssl_backend.conf - {% endif %} - - -{% if apache_app_listen_address.aa is defined %} 
- -{% else %} - -{% endif %} - - # General setup for the virtual host, inherited from global configuration - ServerName https://link.{{ base_domain }} - - ErrorLog "|/usr/bin/logger -S 32k -p local3.err -t 'Apache-AAlink'" - CustomLog "|/usr/bin/logger -S 32k -p local3.info -t 'Apache-AAlink'" combined - - RewriteEngine on - - RewriteCond %{REQUEST_URI} !\.html$ - RewriteCond %{REQUEST_URI} !\.(js|css)(\.map)?$ - RewriteCond %{REQUEST_URI} !\.svg$ - RewriteCond %{REQUEST_URI} !\.png$ - RewriteCond %{REQUEST_URI} !\.ico$ - RewriteCond %{REQUEST_URI} !\.woff$ - RewriteCond %{REQUEST_URI} !\.woff2$ - RewriteCond %{REQUEST_URI} !\.ttf$ - RewriteCond %{REQUEST_URI} !\.eot$ - RewriteCond %{REQUEST_URI} !^/(asset-)?manifest.json$ - RewriteCond %{REQUEST_URI} !^/aa/ - RewriteCond %{REQUEST_URI} !^/redirect - RewriteCond %{REQUEST_URI} !^/internal/ - RewriteCond %{REQUEST_URI} !^/fonts/ - RewriteCond %{REQUEST_URI} !^/orcid - RewriteRule (.*) /index.html [L] - - Redirect /orcid https://link.{{ base_domain }}/aa/api/client/information.html - - ProxyPass /Shibboleth.sso ! 
- - ProxyPass /redirect http://localhost:{{ springapp_tcpport }}/aa/api/redirect retry=0 - - ProxyPass /aa/api/health http://localhost:{{ springapp_tcpport }}/aa/api/internal/health retry=0 - ProxyPass /aa/api/info http://localhost:{{ springapp_tcpport }}/aa/api/internal/info retry=0 - - ProxyPass /internal/health http://localhost:{{ springapp_tcpport }}/aa/api/internal/health retry=0 - ProxyPass /internal/info http://localhost:{{ springapp_tcpport }}/aa/api/internal/info retry=0 - - ProxyPass /aa/api http://localhost:{{ springapp_tcpport }}/aa/api retry=0 - ProxyPassReverse /aa/api http://localhost:{{ springapp_tcpport }}/aa/api - - ProxyPassReverse /aa/api/client http://localhost:{{ springapp_tcpport }}/aa/api/client - - - AuthType shibboleth - ShibUseHeaders On - ShibRequestSetting applicationId attribute-aggregation-link - ShibRequireSession On - require valid-user - - - # Disable shibboleth for health / info check - - allow from all - satisfy any - - - # The EB endpoints are secured with basic auth - - Require all granted - - - # The internal info and health - - Require all granted - - - Header always set Content-Security-Policy "{{ httpd_csp.lenient }}" - Header always set X-Frame-Options "DENY" - Header always set Referrer-Policy "strict-origin-when-cross-origin" - Header always set X-Content-Type-Options "nosniff" - - {% if haproxy_backend_tls %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/backend.{{ base_domain }}.pem - SSLCertificateKeyFile {{ tls.cert_private_path }}/backend.{{ base_domain }}.key - Include ssl_backend.conf - {% endif %} - - {% if apache_app_listen_address.all is defined %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/{{ tls_star_cert }} - SSLCertificateKeyFile {{ tls.cert_private_path }}/{{ tls_star_cert_key }} - SSLCertificateChainFile {{ tls.cert_path_ca }}/{{ tls_ca }} - Include ssl_backend.conf - {% endif %} - 
diff --git a/roles/attribute-aggregation-gui/vars/main.yml b/roles/attribute-aggregation-gui/vars/main.yml deleted file mode 100644 index 9fcb6446f..000000000 --- a/roles/attribute-aggregation-gui/vars/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -springapp_tcpport: 9198 -springapp_artifact_id: attribute-aggregation-gui -springapp_version: "{{ attribute_aggregation_gui_version }}" diff --git a/roles/attribute-aggregation-server/handlers/main.yml b/roles/attribute-aggregation-server/handlers/main.yml deleted file mode 100644 index 485969a8f..000000000 --- a/roles/attribute-aggregation-server/handlers/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: restart attribute-aggregation - systemd: - name: attribute-aggregation - state: restarted - daemon_reload: yes diff --git a/roles/attribute-aggregation-server/meta/main.yml b/roles/attribute-aggregation-server/meta/main.yml deleted file mode 100644 index ed97d539c..000000000 --- a/roles/attribute-aggregation-server/meta/main.yml +++ /dev/null @@ -1 +0,0 @@ ---- diff --git a/roles/attribute-aggregation-server/tasks/main.yml b/roles/attribute-aggregation-server/tasks/main.yml deleted file mode 100644 index bbfe5db2a..000000000 --- a/roles/attribute-aggregation-server/tasks/main.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- - -- name: copy config - template: - src: "{{ item }}.j2" - dest: "{{ attribute_aggregation_dir }}/{{ item }}" - owner: attribute-aggregation - group: attribute-aggregation - mode: 0740 - with_items: - - logback.xml - - application.yml - - attributeAuthorities.yml - notify: - - "restart attribute-aggregation" - -- name: Include the role manage_provision_entities to provision the client_credentials client - include_role: - name: manage_provision_entities - vars: - entity_type: oidc10_rp diff --git a/roles/attribute-aggregation-server/templates/logback.xml.j2 b/roles/attribute-aggregation-server/templates/logback.xml.j2 deleted file mode 100644 index d35578de7..000000000 
--- a/roles/attribute-aggregation-server/templates/logback.xml.j2 +++ /dev/null @@ -1,59 +0,0 @@ -#jinja2:lstrip_blocks: True - - - - - /var/log/attribute-aggregation/attribute-aggregation.log - - - /var/log/attribute-aggregation/attribute-aggregation-%d{yyyy-MM-dd}.log.gz - {{ logback_max_history }} - - - %d{ISO8601} %5p [%t] %logger{40}:%L - %m%n - - - - - /var/log/attribute-aggregation/analytics.log - - - /var/log/attribute-aggregation/analytics-%d{yyyy-MM-dd}.log.gz - {{ logback_max_history }} - - - %d{ISO8601} %5p [%t] %logger{40}:%L - %m%n - - - - - - - - - {{ rsyslog_host }} - DAEMON - aa: [%thread] %logger %msg - - - - {{ smtp_server }} - {{ noreply_email }} - {{ error_mail_to }} - {{ error_subject_prefix }}Unexpected error attribute-aggregation - - - - ERROR - - - - - - - - - - - - diff --git a/roles/attribute-aggregation-server/defaults/main.yml b/roles/attribute-aggregation/defaults/main.yml similarity index 72% rename from roles/attribute-aggregation-server/defaults/main.yml rename to roles/attribute-aggregation/defaults/main.yml index 54ad244ed..c8fa91b23 100644 --- a/roles/attribute-aggregation-server/defaults/main.yml +++ b/roles/attribute-aggregation/defaults/main.yml @@ -1,9 +1,4 @@ --- -attribute_aggregation_dir: /opt/attribute-aggregation -attribute_aggregation_version: '' -attribute_aggregation_snapshot_timestamp: '' -attribute_aggregation_jar: attribute-aggregation-current.jar -attribute_aggregation_random_source: 'file:///dev/urandom' attribute_aggregation_pseudo_mail_postfix: demo.openconext.org attribute_aggregation_pseudo_emails_retention_days_period: 90 aa_cronjobmaster: true diff --git a/roles/attribute-aggregation/handlers/main.yml b/roles/attribute-aggregation/handlers/main.yml new file mode 100644 index 000000000..3cd82abb9 --- /dev/null +++ b/roles/attribute-aggregation/handlers/main.yml @@ -0,0 +1,5 @@ +- name: restart attribute-aggregationserver + community.docker.docker_container: + name: aaserver + state: started + restart: true 
diff --git a/roles/attribute-aggregation/tasks/main.yml b/roles/attribute-aggregation/tasks/main.yml new file mode 100644 index 000000000..77ef5506f --- /dev/null +++ b/roles/attribute-aggregation/tasks/main.yml 
@@ -0,0 +1,89 @@ +--- +- name: Create directory to keep configfile + ansible.builtin.file: + dest: "/opt/openconext/attribute-aggregation" + state: directory + owner: root + group: root + mode: "0770" + +- name: Place the serverapplication configfiles + ansible.builtin.template: + src: "{{ item }}.j2" + dest: /opt/openconext/attribute-aggregation/{{ item }} + owner: root + group: root + mode: "0644" + with_items: + - serverapplication.yml + - logback.xml + - attributeAuthorities.yml + notify: restart attribute-aggregationserver + +- name: Create and start the server container + community.docker.docker_container: + name: aaserver + image: ghcr.io/openconext/openconext-attribute-aggregation/aa-server:{{ attribute_aggregation_server_version }} + pull: true + restart_policy: "always" + state: started + networks: + - name: "loadbalancer" + mounts: + - source: /opt/openconext/attribute-aggregation/serverapplication.yml + target: /application.yml + type: bind + - source: /opt/openconext/attribute-aggregation/logback.xml + target: /logback.xml + type: bind + - source: /opt/openconext/attribute-aggregation/attributeAuthorities.yml + target: /attributeAuthorities.yml + type: bind + command: "-Xmx128m --spring.config.location=./" + etc_hosts: + host.docker.internal: host-gateway + healthcheck: + test: + [ + "CMD", + "wget", + "-no-verbose", + "--tries=1", + "--spider", + "http://localhost:8080/internal/health", + ] + interval: 10s + timeout: 10s + retries: 3 + start_period: 10s + notify: restart attribute-aggregationserver + +- name: Create the gui container + community.docker.docker_container: + name: aagui + image: ghcr.io/openconext/openconext-attribute-aggregation/aa-gui:{{ attribute_aggregation_gui_version }} + pull: true + restart_policy: "always" + state: started + networks: + - name: "loadbalancer" + labels: + traefik.http.routers.attribute-aggregationgui.rule: "Host(`aa.{{ base_domain }}`)" + traefik.http.routers.attribute-aggregationgui.tls: "true" + traefik.enable: 
"true" + healthcheck: + test: ["CMD", "curl", "--fail", "http://localhost/internal/health"] + interval: 10s + timeout: 10s + retries: 3 + start_period: 10s + hostname: attribute-aggregation.test2.surfconext.nl + env: + HTTPD_CSP: "{{ httpd_csp.lenient_with_static_img }}" + HTTPD_SERVERNAME: "aa.{{ base_domain }}" + OPENCONEXT_INSTANCENAME: "{{ instance_name }}" + OPENCONEXT_ENGINE_LOGOUT_URL: "https://engine.{{ base_domain }}/logout" + OPENCONEXT_HELP_EMAIL: "{{ support_email }}" + SHIB_ENTITYID: "https://aa.{{ base_domain }}/shibboleth" + SHIB_REMOTE_ENTITYID: "https://engine.{{ base_domain }}/authentication/idp/metadata" + SHIB_REMOTE_METADATA: "{{ shibboleth_metadata_sources.engine }}" diff --git a/roles/attribute-aggregation-server/templates/attributeAuthorities.yml.j2 b/roles/attribute-aggregation/templates/attributeAuthorities.yml.j2 similarity index 100% rename from roles/attribute-aggregation-server/templates/attributeAuthorities.yml.j2 rename to roles/attribute-aggregation/templates/attributeAuthorities.yml.j2 diff --git a/roles/attribute-aggregation/templates/logback.xml.j2 b/roles/attribute-aggregation/templates/logback.xml.j2 new file mode 100644 index 000000000..383de9910 --- /dev/null +++ b/roles/attribute-aggregation/templates/logback.xml.j2 @@ -0,0 +1,33 @@ +#jinja2:lstrip_blocks: True + + + + + + %d{ISO8601} %5p [%t] %logger{40}:%L - %m%n + + + + + + + + {{ smtp_server }} + {{ noreply_email }} + {{ error_mail_to }} + {{ error_subject_prefix }}Unexpected error attribute-aggregation + + + + ERROR + + + + + + + + + + + diff --git a/roles/attribute-aggregation-server/templates/application.yml.j2 b/roles/attribute-aggregation/templates/serverapplication.yml.j2 similarity index 91% rename from roles/attribute-aggregation-server/templates/application.yml.j2 rename to roles/attribute-aggregation/templates/serverapplication.yml.j2 index ecd29418c..5b3138cad 100644 --- a/roles/attribute-aggregation-server/templates/application.yml.j2 
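Review bot: `hostname: attribute-aggregation.test2.surfconext.nl` in the `Create the gui container` task is hard-coded to a single test environment while every other name in the same task is derived from `{{ base_domain }}` (`aa.{{ base_domain }}` for `HTTPD_SERVERNAME`, `SHIB_ENTITYID` and the Traefik rule, and the pdp role in this series uses `hostname: pdp.{{ base_domain }}`); change it to `hostname: aa.{{ base_domain }}` so the role is deployable elsewhere and the container's own hostname matches its server name. As in the pdp role, the config files are written with `mode: "0644"` although `serverapplication.yml` carries the database connection settings (and presumably the credentials templated from `aa.*`), so `mode: "0600"` would be the safer default for a root-performed bind mount. The wget healthcheck also uses `-no-verbose` with one dash; confirm the image's wget accepts it, otherwise use `--no-verbose`.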
+++ b/roles/attribute-aggregation/templates/serverapplication.yml.j2 @@ -1,12 +1,12 @@ # The logging configuration. logging: - config: file://{{ attribute_aggregation_dir }}/logback.xml + config: file:///logback.xml level: aa: DEBUG server: # The port to where this Spring Boot application listens to. e.g. http://localhost:{{ springapp_tcpport }} - port: {{ springapp_tcpport }} + port: 8080 servlet: context-path: /aa/api session: @@ -16,7 +16,7 @@ server: server-header: no scim_server_environment: test.surfconext -attribute_authorities_config_path: file:///opt/attribute-aggregation/attributeAuthorities.yml +attribute_authorities_config_path: file:///attributeAuthorities.yml authorization_access_token_url: "{{ aa_oauth2_token_url }}" aggregate_cache_duration_milliseconds: -1 @@ -45,6 +45,7 @@ spring: hibernate: naming-strategy: org.hibernate.cfg.ImprovedNamingStrategy dialect: org.hibernate.dialect.MariaDB53Dialect + open-in-view: true datasource: driver-class-name: org.mariadb.jdbc.Driver url: jdbc:mysql://{{ aa.db_host }}/{{ aa.db_name }} diff --git a/roles/attribute-aggregation-server/vars/main.yml b/roles/attribute-aggregation/vars/main.yml similarity index 51% rename from roles/attribute-aggregation-server/vars/main.yml rename to roles/attribute-aggregation/vars/main.yml index 822ab8122..6970929a2 100644 --- a/roles/attribute-aggregation-server/vars/main.yml +++ b/roles/attribute-aggregation/vars/main.yml 
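Review bot: The unchanged context line `# The port to where this Spring Boot application listens to. e.g. http://localhost:{{ springapp_tcpport }}` still expands `springapp_tcpport`, and this patch removes `springapp_tcpport: 9198` from roles/attribute-aggregation/vars/main.yml; unless the variable is still defined somewhere else in the inventory, the template task fails on the undefined variable even though the line is only a comment in the rendered file. Since the port is now fixed, replace it with `# The port this Spring Boot application listens on inside the container, e.g. http://localhost:8080`. The hunk also keeps `scim_server_environment: test.surfconext` hard-coded, which is not new here but worth a follow-up now that the rest of the template is being made environment-neutral.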
@@ -1,13 +1,3 @@ -springapp_artifact_id: attribute-aggregation-server -springapp_artifact_type: jar -springapp_artifact_group_dir: org.openconext -springapp_version: "{{ attribute_aggregation_server_version }}" -springapp_dir: "{{ attribute_aggregation_dir }}" -springapp_user: attribute-aggregation -springapp_service_name: attribute-aggregation -springapp_jar: "{{ attribute_aggregation_jar }}" -springapp_tcpport: 9198 -springapp_random_source: "file:///dev/urandom" manage_provision_oidcrp_client_id: "{{ aa.authz_client_id }}" manage_provision_oidcrp_secret: "{{ aa.authz_secret }}" manage_provision_oidcrp_name_en: "{{ aa_manage_provision_oidcrp_name_en }}" From c01f6fa987e216b3fd683c701618ba32fe32ba34 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Fri, 5 Apr 2024 16:31:14 +0200 Subject: [PATCH 035/114] Add the dockerized roles for teams, attribute-aggregation, voot and pdp to the main playbook --- provision.yml | 3 +++ roles/springboot/defaults/main.yml | 38 ------------------------------ 2 files changed, 3 insertions(+), 38 deletions(-) diff --git a/provision.yml b/provision.yml index 9a18812f1..248c4f380 100644 --- a/provision.yml +++ b/provision.yml @@ -175,6 +175,9 @@ - { role: invite, tags: ['invite' ] } - { role: dashboard, tags: ["dashboard"] } - { role: teams, tags: ["teams"] } + - { role: pdp, tags: ["pdp"] } + - { role: voot, tags: ["voot"] } + - { role: attribute-aggregation, tags: ["aa"] } - { role: mujina-idp, tags: ["mujina-idp"] } - { role: oidc-playground, tags: ["oidc-playground"] } - { role: stats, tags: ["stats"] } diff --git a/roles/springboot/defaults/main.yml b/roles/springboot/defaults/main.yml index 608ca8b48..a3219e7c1 100644 --- a/roles/springboot/defaults/main.yml +++ b/roles/springboot/defaults/main.yml @@ -2,12 +2,9 @@ springboot_services_state: manage: true - pdp: true - attribute_aggregation: true myconext: true account: true oidcng: true - voot: true mujina_sp: true springboot_core_services: 
@@ -21,14 +18,6 @@ springboot_gui_services: alias: manage-gui enabled: "{{ springboot_services_state.manage }}" version: "{{ manage_gui_version }}" - - name: pdp - alias: pdp-gui - enabled: "{{ springboot_services_state.pdp }}" - version: "{{ pdp_gui_version }}" - - name: attribute-aggregation - alias: attribute-aggregation-gui - enabled: "{{ springboot_services_state.attribute_aggregation }}" - version: "{{ attribute_aggregation_gui_version }}" - name: myconext alias: myconext-gui enabled: "{{ springboot_services_state.myconext }}" @@ -60,33 +49,6 @@ springboot_server_services: max_heapsize: "{{ oidcng_max_heapsize | default('512m')}}" config: "{{ oidcng }}" - - name: voot - enabled: "{{ springboot_services_state.voot }}" - version: "{{ voot_version }}" - role: voot - artifactid: voot-service - port: 9191 - type: server - min_heapsize: "{{ voot_min_heapsize | default('128m') }}" - max_heapsize: "{{ voot_max_heapsize | default('128m') }}" - config: - "{{ voot }}" - - name: pdp - enabled: "{{ springboot_services_state.pdp }}" - version: "{{ pdp_server_version }}" - port: 9196 - type: server - min_heapsize: "{{ pdp_min_heapsize | default('512m') }}" - max_heapsize: "{{ pdp_max_heapsize | default('512m') }}" - config: - "{{ pdp }}" - - name: attribute-aggregation - enabled: "{{ springboot_services_state.attribute_aggregation }}" - version: "{{ attribute_aggregation_server_version }}" - type: server - port: 9198 - min_heapsize: "{{ attribute_aggregation_min_heapsize | default('256m') }}" - max_heapsize: "{{ attribute_aggregation_max_heapsize | default('256m') }}" - name: myconext alias: myconext enabled: "{{ springboot_services_state.myconext }}" From 5e48841964aa2e7e9175f4852ea5f7e19aa6a0e2 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Wed, 27 Mar 2024 16:02:14 +0100 Subject: [PATCH 036/114] stats: Remove hardcoded server address --- roles/stats/templates/config.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/stats/templates/config.yml.j2 b/roles/stats/templates/config.yml.j2 index ab2a3d6a4..6e2c82f00 100644 --- a/roles/stats/templates/config.yml.j2 +++ b/roles/stats/templates/config.yml.j2 @@ -1,6 +1,6 @@ database: name: {{ influx_stats_db }} - host: t02.ams.surfconext.nl + host: {{ influx_stats_dbhost }} port: 8086 username: {{ influxdb_stats_user }} password: {{ influxdb_stats_password }} From 88b03db63e2572f6293467d81de66c54cbdc2bce Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Mon, 8 Apr 2024 14:27:56 +0200 Subject: [PATCH 037/114] Stats: Add handlers --- roles/stats/handlers/main.yml | 12 ++++++++++++ roles/stats/tasks/main.yml | 15 +++++++++++++-- 2 files changed, 25 insertions(+), 2 deletions(-) create mode 100644 roles/stats/handlers/main.yml diff --git a/roles/stats/handlers/main.yml b/roles/stats/handlers/main.yml new file mode 100644 index 000000000..be9369324 --- /dev/null +++ b/roles/stats/handlers/main.yml @@ -0,0 +1,12 @@ +- name: restart statsserver + community.docker.docker_container: + name: statsserver + state: started + restart: true + +- name: restart statsgui + community.docker.docker_container: + name: statsgui + state: started + restart: true + diff --git a/roles/stats/tasks/main.yml b/roles/stats/tasks/main.yml index 15d2b87f6..816654491 100644 --- a/roles/stats/tasks/main.yml +++ b/roles/stats/tasks/main.yml @@ -7,7 +7,7 @@ group: root mode: "0770" -- name: Install configfiles +- name: Install server configfiles ansible.builtin.template: src: "{{ item }}.j2" dest: "/opt/openconext/stats/{{ item }}" @@ -15,8 +15,19 @@ group: root mode: "0644" with_items: - - stats.conf - config.yml + notify: "restart statsserver" + +- name: Install gui configfiles + ansible.builtin.template: + src: "{{ item }}.j2" + dest: "/opt/openconext/stats/{{ item }}" + owner: root + group: root + mode: "0644" + with_items: + - stats.conf + notify: "restart statsgui" - name: Create and start the servercontainer community.docker.docker_container: 
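Review bot: The new `Install gui configfiles` task copies `stats.conf` with `mode: "0644"`, and the server task it was split from keeps `config.yml` world-readable as well, although that file carries the InfluxDB password (`password: {{ influxdb_stats_password }}` in the `config.yml.j2` hunk earlier on this line). A configuration file holding a credential should be readable only by root and the account the container process runs as, e.g. `mode: "0640"` with `group:` set to that account's group; the uid/gid the stats containers use is not visible in this patch, so confirm it before tightening. If the gui config contains no secret the 0644 there is fine, but a comment stating that would make the asymmetry deliberate.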
From 66497cde8b643f2655b01870ffe562ae273f56dd Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Mon, 8 Apr 2024 14:39:06 +0200 Subject: [PATCH 038/114] VOOT: Fix the restart handler so it restarts voot and not dashboard --- roles/voot/handlers/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/voot/handlers/main.yml b/roles/voot/handlers/main.yml index 281d74143..d3605537d 100644 --- a/roles/voot/handlers/main.yml +++ b/roles/voot/handlers/main.yml @@ -1,6 +1,6 @@ --- - name: restart vootserver community.docker.docker_container: - name: dashboardserver + name: vootserver state: started restart: true From fd950322106f57d35f552379cebe0496219695db Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Mon, 8 Apr 2024 16:21:45 +0200 Subject: [PATCH 039/114] Teams: Add extra spring configuration parameter --- roles/teams/templates/serverapplication.yml.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/teams/templates/serverapplication.yml.j2 b/roles/teams/templates/serverapplication.yml.j2 index e4035b831..ba667352a 100644 --- a/roles/teams/templates/serverapplication.yml.j2 +++ b/roles/teams/templates/serverapplication.yml.j2 @@ -107,6 +107,9 @@ spring: enabled: {{ teams_spring_flyway_enabled }} validate-on-migrate: false table: schema_version + user: + name: na + password: na management: health: From 060442d0c9f1664fc9a94c4c2cdd9817fa68d8b2 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Wed, 10 Apr 2024 16:33:32 +0200 Subject: [PATCH 040/114] PDP teams and dashboard: Do net set the vhost name as container name, otherwise containers would not pass the loadbalancer --- roles/attribute-aggregation/tasks/main.yml | 2 +- roles/dashboard/tasks/main.yml | 2 +- roles/pdp/tasks/main.yml | 2 +- roles/teams/tasks/main.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/attribute-aggregation/tasks/main.yml b/roles/attribute-aggregation/tasks/main.yml index 77ef5506f..852c08a07 100644 
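Review bot: The added `user:` / `name: na` / `password: na` block in the teams hunk is a credential pair with placeholder literals and no comment saying which Spring property it feeds; with the indentation lost in this rendering it cannot be told whether it lands under `spring.flyway`, `spring.security` or something else. If it is `spring.security.user`, it defines a working login with a trivial password on the teams server; if it only exists to satisfy a property that must be non-empty, say so: `# Placeholder only: teams never authenticates with these values, but the property must be set.` Either way the values belong in a variable like the other credentials in this template, not as literals in the role.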
--- a/roles/attribute-aggregation/tasks/main.yml +++ b/roles/attribute-aggregation/tasks/main.yml @@ -77,7 +77,7 @@ timeout: 10s retries: 3 start_period: 10s - hostname: attribute-aggregation.test2.surfconext.nl + hostname: attribute-aggregation env: HTTPD_CSP: "{{ httpd_csp.lenient_with_static_img }}" HTTPD_SERVERNAME: "aa.{{ base_domain }}" diff --git a/roles/dashboard/tasks/main.yml b/roles/dashboard/tasks/main.yml index 272d11d57..0c701dfb4 100644 --- a/roles/dashboard/tasks/main.yml +++ b/roles/dashboard/tasks/main.yml @@ -74,7 +74,7 @@ timeout: 10s retries: 3 start_period: 10s - hostname: dashboard.test2.surfconext.nl + hostname: dashboard env: HTTPD_CSP: "{{ httpd_csp.lenient_with_static_img }}" HTTPD_SERVERNAME: "dashboard.{{ base_domain }}" diff --git a/roles/pdp/tasks/main.yml b/roles/pdp/tasks/main.yml index 9f791d18f..03675c46e 100644 --- a/roles/pdp/tasks/main.yml +++ b/roles/pdp/tasks/main.yml @@ -77,7 +77,7 @@ timeout: 10s retries: 3 start_period: 10s - hostname: pdp.{{ base_domain }} + hostname: pdp env: HTTPD_CSP: "{{ httpd_csp.lenient }}" HTTPD_SERVERNAME: "pdp.{{ base_domain }}" diff --git a/roles/teams/tasks/main.yml b/roles/teams/tasks/main.yml index ae065dc2e..4baa22064 100644 --- a/roles/teams/tasks/main.yml +++ b/roles/teams/tasks/main.yml @@ -73,7 +73,7 @@ timeout: 10s retries: 3 start_period: 10s - hostname: teams.{{ base_domain }} + hostname: teams env: HTTPD_CSP: "{{ httpd_csp.strict_with_static_img }}" HTTPD_SERVERNAME: "teams.{{ base_domain }}" From 946d3cd4c808273704723b6761ecb285170e9628 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Thu, 11 Apr 2024 13:36:02 +0200 Subject: [PATCH 041/114] iptables: Make the role Debian compatible --- roles/iptables/tasks/main.yml | 31 +++++++++++++++++++++++-------- roles/iptables/vars/Debian.yml | 2 ++ 2 files changed, 25 insertions(+), 8 deletions(-) create mode 100644 roles/iptables/vars/Debian.yml 
diff --git a/roles/iptables/tasks/main.yml b/roles/iptables/tasks/main.yml index 1d11fe00f..e4171abd2 100644 --- a/roles/iptables/tasks/main.yml +++ b/roles/iptables/tasks/main.yml @@ -1,31 +1,46 @@ --- - name: Uninstall firewalld - yum: + ansible.builtin.package: name: firewalld state: absent -- name: Install iptables and ip6tables - yum: +- name: Install iptables and ip6tables on CentOS + ansible.builtin.yum: name: - iptables-services state: present + when: ansible_os_family == 'RedHat' + +- name: Install iptables on debian system + ansible.builtin.apt: + name: + - iptables + - iptables-persistent + state: present + when: ansible_os_family == 'Debian' - name: Put iptables - template: + ansible.builtin.template: src: "iptables.j2" - dest: "/etc/sysconfig/iptables" + dest: /etc/sysconfig/iptables + owner: root + group: root + mode: "0644" notify: - "restart iptables" - name: Put ip6tables - template: + ansible.builtin.template: src: "ip6tables.j2" - dest: "/etc/sysconfig/ip6tables" + dest: /etc/sysconfig/ip6tables + owner: root + group: root + mode: "0644" notify: - "restart ip6tables" - name: Start and enable services iptables and iptables6 - service: + ansible.builtin.service: name: "{{ item }}" state: started enabled: true diff --git a/roles/iptables/vars/Debian.yml b/roles/iptables/vars/Debian.yml new file mode 100644 index 000000000..671ccd232 --- /dev/null +++ b/roles/iptables/vars/Debian.yml @@ -0,0 +1,2 @@ +iptables_location: /etc/sysconfig/iptables +iptables_location6: /etc/sysconfig/ip6tables From dd2d46a55a519928c1a0991e69bc15dc4e33648a Mon Sep 17 00:00:00 2001 
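Review bot: The Debian branch installs `iptables-persistent`, but the two template tasks still write to `/etc/sysconfig/iptables` and `/etc/sysconfig/ip6tables`, the RedHat `iptables-services` location; on Debian `netfilter-persistent` loads `/etc/iptables/rules.v4` and `/etc/iptables/rules.v6`, so the rendered rules would never be applied there and the host would run without the intended firewall. The new `vars/Debian.yml` (second hunk on this line) defines `iptables_location` and `iptables_location6` but also points them at the sysconfig paths, and nothing in the hunk loads that file or uses the variables; the fix is `dest: "{{ iptables_location }}"` and `dest: "{{ iptables_location6 }}"` in the two template tasks, the Debian values set to the `/etc/iptables/rules.v*` paths, and an `ansible.builtin.include_vars` keyed on `ansible_os_family` before them. The loop items of the `Start and enable services` task are outside the hunk; on Debian the unit is `netfilter-persistent` rather than `iptables`/`ip6tables`, so that list needs the same OS split.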
From: Bart Geesink Date: Wed, 17 Apr 2024 20:36:17 +0200 Subject: [PATCH 042/114] Attribute aggregation: Add container for link, used for ORCID linking --- roles/attribute-aggregation/tasks/main.yml | 37 ++++++++++++++++- .../templates/apachelink.conf.j2 | 41 +++++++++++++++++++ 2 files changed, 77 insertions(+), 1 deletion(-) create mode 100644 roles/attribute-aggregation/templates/apachelink.conf.j2 diff --git a/roles/attribute-aggregation/tasks/main.yml b/roles/attribute-aggregation/tasks/main.yml index 852c08a07..8d73505ac 100644 --- a/roles/attribute-aggregation/tasks/main.yml +++ b/roles/attribute-aggregation/tasks/main.yml @@ -18,6 +18,7 @@ - serverapplication.yml - logback.xml - attributeAuthorities.yml + - apachelink.conf notify: restart attribute-aggregationserver - name: Create and start the server container @@ -50,7 +51,7 @@ "-no-verbose", "--tries=1", "--spider", - "http://localhost:8080/internal/health", + "http://localhost:8080/aa/api/internal/health", ] interval: 10s timeout: 10s 
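Review bot: `apachelink.conf` is appended to the template loop whose handler is `restart attribute-aggregationserver`, but the file is bind-mounted into the new `aalink` container created later in this patch, not into the server container; Apache reads its configuration at start, so a change to the link vhost would restart the wrong container and only take effect when something else happens to recreate `aalink`. Template it in a task of its own with `notify: restart attribute-aggregationlink` and add that handler next to the existing one (the handlers file is not part of this patch). The health-check path change in the second hunk is consistent with the `context-path: /aa/api` set in the server application template.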
@@ -87,3 +88,37 @@ SHIB_ENTITYID: "https://aa.{{ base_domain }}/shibboleth" SHIB_REMOTE_ENTITYID: "https://engine.{{ base_domain }}/authentication/idp/metadata" SHIB_REMOTE_METADATA: "{{ shibboleth_metadata_sources.engine }}" + +- name: Create the gui link container + community.docker.docker_container: + name: aalink + image: ghcr.io/openconext/openconext-basecontainers/apache2-shibboleth:latest + pull: true + restart_policy: "always" + state: started + networks: + - name: "loadbalancer" + labels: + traefik.http.routers.attribute-aggregationlink.rule: "Host(`link.{{ base_domain }}`)" + traefik.http.routers.attribute-aggregationlink.tls: "true" + traefik.enable: "true" + healthcheck: + test: ["CMD", "curl", "--fail", "http://localhost/internal/health"] + interval: 10s + timeout: 10s + retries: 3 + start_period: 10s + mounts: + - source: /opt/openconext/attribute-aggregation/apachelink.conf + target: /etc/apache2/sites-enabled/000-default.conf + type: bind + hostname: attribute-link + env: + HTTPD_CSP: "{{ httpd_csp.lenient_with_static_img }}" + HTTPD_SERVERNAME: "link.{{ base_domain }}" + OPENCONEXT_INSTANCENAME: "{{ instance_name }}" + OPENCONEXT_ENGINE_LOGOUT_URL: "https://engine.{{ base_domain }}/logout" + OPENCONEXT_HELP_EMAIL: "{{ support_email }}" + SHIB_ENTITYID: "https://link.{{ base_domain }}/shibboleth" + SHIB_REMOTE_ENTITYID: "https://engine.{{ base_domain }}/authentication/idp/metadata" + SHIB_REMOTE_METADATA: "{{ shibboleth_metadata_sources.engine }}" diff --git a/roles/attribute-aggregation/templates/apachelink.conf.j2 b/roles/attribute-aggregation/templates/apachelink.conf.j2 new file mode 100644 index 000000000..b698831d7 --- /dev/null +++ b/roles/attribute-aggregation/templates/apachelink.conf.j2 
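Review bot: The new `aalink` container uses `ghcr.io/openconext/openconext-basecontainers/apache2-shibboleth:latest` together with `pull: true`, so every playbook run may silently move the image to whatever `latest` is at that moment; for the container that terminates Shibboleth sessions for `link.{{ base_domain }}` that is both a reproducibility and a supply-chain concern. Pin a version tag (or a digest) as the `diyidp` role later in this series does with `cirrusid/simplesamlphp:v2.0.7`, and keep the tag in a variable so upgrades are explicit. The vhost proxies to `http://aaserver:8080` while the container is only attached to the `loadbalancer` network; whether `aaserver` is resolvable on that network is not visible here, so a comment on the `networks:` entry naming the dependency would help the next reader.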
@@ -0,0 +1,41 @@ +ServerName https://${HTTPD_SERVERNAME} +RewriteEngine on +RewriteCond %{REQUEST_URI} !\.html$ +RewriteCond %{REQUEST_URI} !^/aa/ +RewriteCond %{REQUEST_URI} !^/internal/ +RewriteCond %{REQUEST_URI} !^/redirect +RewriteCond %{REQUEST_URI} !^/fonts/ +RewriteCond %{REQUEST_URI} !^/orcid/ +RewriteRule (.*) /index.html [L] + +Redirect /orcid https://link.{{ base_domain }}/aa/api/client/information.html +ProxyPass /Shibboleth.sso ! + +ProxyPass /redirect http://aaserver:8080/aa/api/redirect +ProxyPass /internal/health http://aaserver:8080/aa/api/internal/health +ProxyPass /internal/info http://aaserver:8080/aa/api/internal/info + +ProxyPass /aa/api http://aaserver:8080/aa/api +ProxyPassReverse /aa/api http://aaserver:8080/aa/api +ProxyPassReverse /aa/api/client http://aaserver:8080/aa/api/client + + + + AuthType shibboleth + ShibUseHeaders On + ShibRequireSession On + Require valid-user + + + +Require all granted + + +# The EB endpoints are secured with basic auth + + Require all granted + + +Header always set X-Frame-Options "DENY" +Header always set Referrer-Policy "strict-origin-when-cross-origin" +Header always set X-Content-Type-Options "nosniff" From 0f7885783ad8e1c9fb803c429bec7cc41ea04872 Mon Sep 17 00:00:00 2001 From: Thijs Kinkhorst Date: Fri, 19 Apr 2024 10:59:52 +0200 Subject: [PATCH 043/114] Remove coin:ss:allow_scb_admin_rights, completely unused anywhere Also the semantics defy understanding --- .../metadata_configuration/saml20_idp.schema.json.j2 | 4 ---- 1 file changed, 4 deletions(-) diff --git a/roles/manage-server/templates/metadata_configuration/saml20_idp.schema.json.j2 b/roles/manage-server/templates/metadata_configuration/saml20_idp.schema.json.j2 index 0dcaa22e4..54410464d 100644 --- a/roles/manage-server/templates/metadata_configuration/saml20_idp.schema.json.j2 +++ b/roles/manage-server/templates/metadata_configuration/saml20_idp.schema.json.j2 
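Review bot: The `<Location>` (or `<LocationMatch>`) containers of this vhost did not survive rendering, so which paths carry `Require valid-user` behind the Shibboleth session and which carry `Require all granted` cannot be checked from the page; the comment `# The EB endpoints are secured with basic auth` says the open block relies on the backend to authenticate, which holds only as long as `ProxyPass /aa/api http://aaserver:8080/aa/api` exposes nothing the Spring application itself leaves unauthenticated. A one-line comment above each access block naming the path it covers and who enforces authentication for it (Shibboleth here, basic auth in the application, nobody for `/internal/health`) would make that trust boundary reviewable. The `RewriteCond` exclusion list and the `Redirect /orcid` line are order-dependent; a comment such as `# /orcid must be excluded from the catch-all rewrite above, otherwise the Redirect is never reached` would have documented what PATCH 045 later fixes.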
@@ -351,10 +351,6 @@ "type": "boolean", "info": "Set to make the IdP hidden in the dashboard when the IdP is not connected to a service." }, - "coin:ss:allow_scb_admin_rights": { - "type": "boolean", - "info": "Set to grant SAB SURFconext beheerders for this IdP the SURFconext verantwoordelijke rights." - }, "coin:signature_method": { "type": "string", "format": "url", From b1a055c8a2ff9db867bd786592bcce59d34b71ce Mon Sep 17 00:00:00 2001 From: Thijs Kinkhorst Date: Fri, 19 Apr 2024 16:48:49 +0200 Subject: [PATCH 044/114] manage: set autorefresh to true for all IdPs --- .../files/metadata_templates/saml20_idp.template.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/manage-server/files/metadata_templates/saml20_idp.template.json b/roles/manage-server/files/metadata_templates/saml20_idp.template.json index 856b82f27..8698863f2 100644 --- a/roles/manage-server/files/metadata_templates/saml20_idp.template.json +++ b/roles/manage-server/files/metadata_templates/saml20_idp.template.json @@ -12,8 +12,8 @@ "SingleSignOnService:0:Location": "" }, "autoRefresh": { - "enabled": false, - "allowAll": false, + "enabled": true, + "allowAll": true, "fields": { } } From c0de51cfbf0a0a12eb9483cae155f60b8a895aa9 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Mon, 22 Apr 2024 11:23:20 +0200 Subject: [PATCH 045/114] AA link: Remove trailing slash in Apache --- roles/attribute-aggregation/templates/apachelink.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/attribute-aggregation/templates/apachelink.conf.j2 b/roles/attribute-aggregation/templates/apachelink.conf.j2 index b698831d7..a73b32d13 100644 --- a/roles/attribute-aggregation/templates/apachelink.conf.j2 +++ b/roles/attribute-aggregation/templates/apachelink.conf.j2 
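Review bot: Flipping the template defaults to `"enabled": true` and `"allowAll": true` means every IdP created from this template will refresh itself from its remote metadata and, presumably, accept any field from it (what `allowAll` governs is not on the page); that shifts trust to the IdP's metadata endpoint, so it is worth stating whether certificates are among the refreshed fields and what happens to IdPs created under the old default. The template is JSON and cannot carry a comment, so record the rationale and the intended scope in the role documentation; the hunk gives no indication whether an empty `"fields": {}` combined with `"allowAll": true` is the intended combination.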
@@ -5,7 +5,7 @@ RewriteCond %{REQUEST_URI} !^/aa/ RewriteCond %{REQUEST_URI} !^/internal/ RewriteCond %{REQUEST_URI} !^/redirect RewriteCond %{REQUEST_URI} !^/fonts/ -RewriteCond %{REQUEST_URI} !^/orcid/ +RewriteCond %{REQUEST_URI} !^/orcid RewriteRule (.*) /index.html [L] Redirect /orcid https://link.{{ base_domain }}/aa/api/client/information.html From a56544c8747f36a2e2b52cd88b603aa1f0861624 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Tue, 23 Apr 2024 10:24:55 +0200 Subject: [PATCH 046/114] DIYIDP: Use docker for the diyidp. Uses the docker images from Cirrus (https://github.com/cirrusidentity/docker-simplesamlphp) --- provision.yml | 1 + roles/diyidp/defaults/main.yml | 12 +- roles/diyidp/handlers/main.yml | 6 +- roles/diyidp/tasks/main.yml | 173 +++--- roles/diyidp/tasks/main_config.yml | 18 - roles/diyidp/tasks/vhost.yml | 17 - roles/diyidp/templates/000-default.conf.j2 | 7 + roles/diyidp/templates/authsources.php.j2 | 3 + roles/diyidp/templates/config-override.php.j2 | 6 + roles/diyidp/templates/config.php.j2 | 568 ------------------ roles/diyidp/templates/diyidp-pool-72.conf.j2 | 225 ------- roles/diyidp/templates/diyidp.conf.j2 | 30 - .../templates/frontpage.definition.json.j2 | 146 ----- .../diyidp/templates/login.definition.json.j2 | 68 --- .../diyidp/templates/saml20-idp-hosted.php.j2 | 21 +- roles/diyidp/templates/showusers.php.j2 | 44 +- 16 files changed, 127 insertions(+), 1218 deletions(-) delete mode 100644 roles/diyidp/tasks/main_config.yml delete mode 100644 roles/diyidp/tasks/vhost.yml create mode 100644 roles/diyidp/templates/000-default.conf.j2 create mode 100644 roles/diyidp/templates/config-override.php.j2 delete mode 100644 roles/diyidp/templates/config.php.j2 delete mode 100644 roles/diyidp/templates/diyidp-pool-72.conf.j2 delete mode 100644 roles/diyidp/templates/diyidp.conf.j2 delete mode 100644 roles/diyidp/templates/frontpage.definition.json.j2 delete mode 100644 roles/diyidp/templates/login.definition.json.j2 
diff --git a/provision.yml b/provision.yml index 248c4f380..61e3a64bd 100644 --- a/provision.yml +++ b/provision.yml @@ -181,6 +181,7 @@ - { role: mujina-idp, tags: ["mujina-idp"] } - { role: oidc-playground, tags: ["oidc-playground"] } - { role: stats, tags: ["stats"] } + - { role: diyidp, tags: ["diyidp"] } - import_playbook: "{{ environment_dir }}/playbook.yml" diff --git a/roles/diyidp/defaults/main.yml b/roles/diyidp/defaults/main.yml index 6d240c194..f2d9ddae0 100644 --- a/roles/diyidp/defaults/main.yml +++ b/roles/diyidp/defaults/main.yml @@ -1,18 +1,16 @@ --- -diyidp_fpm_user: diyidp -simplesamlphp_version: 1.19.5 -diyidp_current_release_symlink: "{{ openconext_releases_dir }}/OpenConext-diyidp" diyidp_domain: diyidp."{{ base_domain }}" diyidp_cert: "diyidp.crt" -diyidp_welcome_text: | - "Congratulations<\/strong>, you have successfully installed SimpleSAMLphp. This is the start page of your installation, where you will find links to test examples, diagnostics, metadata and even links to relevant documentation." diyidp: db_host: "{{ mysql_host }}" db_name: diyidp db_user: diyidprw - dp_password: "{{ mysql_passwords.diyidp }}" + db_password: "{{ mysql_passwords.diyidp }}" + secretsalt: "{{ diyidp_secret_salt }} " + admin_password: "{{ diyidp_secret }}" +diyidp_secret_salt: secretsecret +diyidp_secret: secret diyidp_remotesp: - name: "{{ instance_name }} SP metadata" metadataurl: "https://engine.{{ base_domain }}/authentication/sp/metadata" acslocation: "https://engine.{{ base_domain }}/authentication/sp/consume-assertion" - diff --git a/roles/diyidp/handlers/main.yml b/roles/diyidp/handlers/main.yml index 7c4a7364e..1ef1d0ed4 100644 --- a/roles/diyidp/handlers/main.yml +++ b/roles/diyidp/handlers/main.yml @@ -1,5 +1,3 @@ --- -- name: restart apache - service: - name: "{{ 'apache2' if ansible_os_family == 'Debian' else 'httpd' }}" - state: restarted +- name: restart diyidp + command: docker restart diyidp 
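Review bot: `diyidp_secret_salt: secretsecret` and `diyidp_secret: secret` are now shipped as role defaults, so an inventory that forgets to override them gets a SimpleSAMLphp instance with a known `secretsalt` and a known admin password; a weak salt weakens every hash SimpleSAMLphp derives from it. Secrets should have no default so rendering fails loudly, or the tasks should start with an `ansible.builtin.assert` whose `that:` checks both values differ from these placeholders and whose `fail_msg` tells the operator to set them in the inventory. Separately, `secretsalt: "{{ diyidp_secret_salt }} "` has a trailing space inside the quotes, so the salt that reaches `SSP_SECRET_SALT` is not the value the inventory set; drop the space.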
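Review bot: The new `restart diyidp` handler shells out with `command: docker restart diyidp`, whereas every other dockerised role in this series (stats, voot) restarts through `community.docker.docker_container` with `state: started` and `restart: true`; the module form reports changed-ness properly and does not depend on the `docker` CLI being on PATH for the Ansible user. Mirror the `restart vootserver` handler from PATCH 038 with `name: diyidp` so the roles stay consistent.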
diff --git a/roles/diyidp/tasks/main.yml b/roles/diyidp/tasks/main.yml index 74f936337..3e0fb2948 100644 --- a/roles/diyidp/tasks/main.yml +++ b/roles/diyidp/tasks/main.yml 
@@ -1,127 +1,106 @@ --- -- name: Add group {{ diyidp_fpm_user }} - group: - name: "{{ diyidp_fpm_user }}" - state: present - -- name: Add user {{ diyidp_fpm_user }} - user: - name: "{{ diyidp_fpm_user }}" - group: "{{ diyidp_fpm_user }}" - createhome: no - state: present - -- name: Create directory for vhosts to store PHP sessions - file: - path: "{{ php_session_dir}}/diyidp" - state: directory - owner: "{{ diyidp_fpm_user }}" - group: root - mode: 0770 - -- name: Download and unarchive the latest release - unarchive: - src: "https://github.com/simplesamlphp/simplesamlphp/releases/download/v{{ simplesamlphp_version }}/simplesamlphp-{{ simplesamlphp_version }}.tar.gz" - dest: "{{ openconext_releases_dir }}" - creates: "/opt/openconext/simplesamlphp-{{ simplesamlphp_version }}" - remote_src: yes - -- name: Install Apache vhost - template: - src: "{{ item }}.j2" - dest: "/etc/httpd/conf.d/{{ item }}" - with_items: - - diyidp.conf - notify: - - "restart httpd" - -- name: Clean up old php-fpm 5.6 config - file: - path: "/etc/php-fpm.d/diyidp-pool.conf" - state: absent - -- name: php-fpm 72 config - template: - src: "{{ item }}.j2" - dest: "/etc/opt/remi/php72/php-fpm.d/{{ item }}" - with_items: - - diyidp-pool-72.conf - notify: - - "restart php72-fpm" - -- name: Activate new DIY IDP release - file: - src: "{{ openconext_releases_dir }}/simplesamlphp-{{ simplesamlphp_version }}" - dest: "{{ diyidp_current_release_symlink }}" - state: link - notify: - - "restart httpd" - - name: Create directories - file: - path: "{{ openconext_releases_dir }}/simplesamlphp-{{ simplesamlphp_version }}/{{ item }}" + ansible.builtin.file: + path: "/opt/openconext/diyidp/{{ item }}" state: directory owner: root group: root - mode: 0775 + mode: "0775" with_items: - - config + - www - metadata - - data - cert - name: Put metadata certificate in place - copy: + ansible.builtin.copy: src: "{{ inventory_dir }}/files/certs/{{ diyidp_cert }}" - dest: "{{ openconext_releases_dir }}/simplesamlphp-{{ 
simplesamlphp_version }}/cert/server.crt" + dest: "/opt/openconext/diyidp/cert/server.crt" + owner: root + group: root + mode: "0644" - name: Put metadata key in place - copy: + ansible.builtin.copy: content: "{{ diyidp_private_key }}" - dest: "{{ openconext_releases_dir }}/simplesamlphp-{{ simplesamlphp_version }}/cert/server.key" - owner: "{{ diyidp_fpm_user }}" - mode: 0400 + dest: "/opt/openconext/diyidp/cert/server.key" + owner: root + group: root + mode: "0444" + notify: restart diyidp - name: Copy simplesamlphp configuration files - template: + ansible.builtin.template: src: "{{ item }}.j2" - dest: "{{ openconext_releases_dir }}/simplesamlphp-{{ simplesamlphp_version }}/config/{{ item }}" + dest: "/opt/openconext/diyidp/{{ item }}" + mode: "0644" with_items: - - config.php + - config-override.php - authsources.php + notify: restart diyidp - name: Copy simplesamlphp metadata files - template: + ansible.builtin.template: src: "{{ item }}.j2" - dest: "{{ openconext_releases_dir }}/simplesamlphp-{{ simplesamlphp_version }}/metadata/{{ item }}" + dest: "/opt/openconext/diyidp/metadata/{{ item }}" + mode: "0644" with_items: - saml20-idp-hosted.php - saml20-sp-remote.php + notify: restart diyidp - name: Copy showusers php script - template: + ansible.builtin.template: src: "showusers.php.j2" - dest: "{{ openconext_releases_dir }}/simplesamlphp-{{ simplesamlphp_version }}/www/showusers.php" + dest: "/opt/openconext/diyidp/www/showusers.php" owner: root - mode: 0644 + mode: "0644" + notify: restart diyidp -- name: Copy frontpage definitions - template: - src: "frontpage.definition.json.j2" - dest: "{{ openconext_releases_dir }}/simplesamlphp-{{ simplesamlphp_version }}/modules/core/dictionaries/frontpage.definition.json" - -- name: Copy login page definition - template: - src: "login.definition.json.j2" - dest: "{{ openconext_releases_dir }}/simplesamlphp-{{ simplesamlphp_version }}/dictionaries/login.definition.json" - -- name: Copy the database dump file - copy: - 
src: diyidp.sql - dest: "{{ openconext_releases_dir }}/builds/" - register: copy_diyidp_script - -- name: Import the database - shell: mysql -u {{ diyidp.db_user }} -p{{ diyidp.db_password }} -h {{ diyidp.db_host }} -D {{ diyidp.db_name }} < {{ openconext_releases_dir }}/builds/diyidp.sql - args: - creates: /var/lib/mysql/{{diyidp.db_name}}/users.frm +- name: Copy the apache config + ansible.builtin.template: + src: "000-default.conf.j2" + dest: "/opt/openconext/diyidp/000-default.conf" + owner: root + group: root + mode: "0644" + notify: restart diyidp + +- name: Create the container + community.docker.docker_container: + name: diyidp + image: cirrusid/simplesamlphp:v2.0.7 + pull: true + restart_policy: "always" + state: started + networks: + - name: "loadbalancer" + labels: + traefik.http.routers.diyidp.rule: "Host(`diyidp.{{ base_domain }}`)" + traefik.http.routers.diyidp.tls: "true" + traefik.enable: "true" + hostname: diyidp + mounts: + - source: /opt/openconext/diyidp/config-override.php + target: /var/simplesamlphp/config/config-override.php + type: bind + - source: /opt/openconext/diyidp/authsources.php + target: /var/simplesamlphp/config/authsources.php + type: bind + - source: /opt/openconext/diyidp/metadata + target: /var/simplesamlphp/config/metadata + type: bind + - source: /opt/openconext/diyidp/cert + target: /var/simplesamlphp/config/cert + type: bind + - source: /opt/openconext/diyidp/www/showusers.php + target: /var/simplesamlphp/public/showusers.php + type: bind + - source: /opt/openconext/diyidp/000-default.conf + target: /etc/apache2/sites-enabled/000-default.conf + type: bind + env: + SSP_ENABLED_MODULES: "sqlauth themesurf" + SSP_LOG_HANDLER: stderr + COMPOSER_REQUIRE: "simplesamlphp/simplesamlphp-module-sqlauth surfnet/simplesamlphp-module-themesurf:dev-main" + SSP_ENABLE_IDP: "true" + SSP_SECRET_SALT: "{{ diyidp.secretsalt }}" 
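Review bot: The IdP signing key is now written with `mode: "0444"` and `owner: root` where the old task used `0400` owned by the php-fpm user, so `/opt/openconext/diyidp/cert/server.key` becomes readable by every local account on the host; the bind mount into `/var/simplesamlphp/config/cert` does not need world-read, it needs read access for the uid the container process runs as. Set that uid/gid as `owner`/`group` (not visible here; the image documentation or an inspection on a test host will give it) and use `mode: "0440"`. Second, `COMPOSER_REQUIRE` installs `surfnet/simplesamlphp-module-themesurf:dev-main` at container start, a moving branch fetched on every (re)creation; pinning a tag or commit there would match the care taken to pin `cirrusid/simplesamlphp:v2.0.7`. The removed `Import the database` task has no replacement in this hunk, so the `sqlauth` source depends on the `users` table being provisioned some other way — a comment on the container task saying where would prevent a puzzled re-add.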
diff --git a/roles/diyidp/tasks/main_config.yml b/roles/diyidp/tasks/main_config.yml deleted file mode 100644 index b87f280b7..000000000 --- a/roles/diyidp/tasks/main_config.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- - -- name: Copy default config - shell: cp -r {{ simplesamlphp_dir }}/config-templates {{ simplesamlphp_dir }}/config - -- name: Copy default metadata - shell: cp -r {{ simplesamlphp_dir }}/metadata-templates {{ simplesamlphp_dir }}/metadata - -- name: Generate secretsalt - shell: tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' /dev/null;echo - register: secretsalt_raw - -- name: Getting hash of the secretsalt - set_fact: simplesamlphp_secretsalt={{ secretsalt_raw.stdout }} - -- template: - src: simplesaml_config_php.conf - dest: "{{ simplesamlphp_dir }}/config/config.php" diff --git a/roles/diyidp/tasks/vhost.yml b/roles/diyidp/tasks/vhost.yml deleted file mode 100644 index 218822bda..000000000 --- a/roles/diyidp/tasks/vhost.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- -- template: - src: simplesamlphp.conf - dest: /etc/apache2/sites-available/simplesamlphp.conf - backup: true - when: ansible_os_family == 'Debian' - -- template: - src: simplesamlphp.conf - dest: /etc/httpd/conf.d/simplesamlphp.conf - backup: true - when: ansible_os_family == 'RedHat' - notify: restart apache - -- command: a2ensite simplesamlphp.conf - when: ansible_os_family == 'Debian' - notify: restart apache diff --git a/roles/diyidp/templates/000-default.conf.j2 b/roles/diyidp/templates/000-default.conf.j2 new file mode 100644 index 000000000..84fa26b05 --- /dev/null +++ b/roles/diyidp/templates/000-default.conf.j2 @@ -0,0 +1,7 @@ + + DocumentRoot /var/simplesamlphp/public + + + Require all granted + + diff --git a/roles/diyidp/templates/authsources.php.j2 b/roles/diyidp/templates/authsources.php.j2 index f89d144dd..769b4939d 100644 --- a/roles/diyidp/templates/authsources.php.j2 +++ b/roles/diyidp/templates/authsources.php.j2 
@@ -12,6 +12,9 @@ $config = array( 'sql_user' => array( + 'core:loginpage_links' => [ + 'users' => ['href' => '/showusers.php', 'text' => 'List of available users'], + ], 'sqlauth:SQL', 'dsn' => 'mysql:host={{ diyidp.db_host}};port=3306;dbname={{ diyidp.db_name }}', 'username' => '{{ diyidp.db_user}}', diff --git a/roles/diyidp/templates/config-override.php.j2 b/roles/diyidp/templates/config-override.php.j2 new file mode 100644 index 000000000..7418d5bfa --- /dev/null +++ b/roles/diyidp/templates/config-override.php.j2 
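Review bot: The login page now advertises `/showusers.php`, served from the bind-mounted `www/showusers.php` under a vhost that grants access to everything; the script body is not in this patch, so confirm it lists only what a DIY test IdP is meant to reveal and state that intent in a comment at the top of `showusers.php.j2`, e.g. `// Test IdP only: this page deliberately lists the demo accounts; never deploy this role with real users.` Without that note the next maintainer cannot tell an intentional disclosure from an accidental one.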
@@ -0,0 +1,6 @@ + '/', - 'certdir' => 'cert/', - 'loggingdir' => 'log/', - 'datadir' => 'data/', - - /* - * A directory where simpleSAMLphp can save temporary files. - * - * SimpleSAMLphp will attempt to create this directory if it doesn't exist. - */ - 'tempdir' => '/tmp/simplesaml', - - - /* - * If you enable this option, simpleSAMLphp will log all sent and received messages - * to the log file. - * - * This option also enables logging of the messages that are encrypted and decrypted. - * - * Note: The messages are logged with the DEBUG log level, so you also need to set - * the 'logging.level' option to LOG_DEBUG. - */ - 'debug' => FALSE, - - - 'showerrors' => TRUE, - - /** - * Custom error show function called from SimpleSAML_Error_Error::show. - * See docs/simplesamlphp-errorhandling.txt for function code example. - * - * Example: - * 'errors.show_function' => 'sspmod_exmaple_Error_Show::show', - */ - - /** - * This option allows you to enable validation of XML data against its - * schemas. A warning will be written to the log if validation fails. - */ - 'debug.validatexml' => FALSE, - - /** - * This password must be kept secret, and modified from the default value 123. - * This password will give access to the installation page of simpleSAMLphp with - * metadata listing and diagnostics pages. - */ - 'auth.adminpassword' => '{{ diyidp_secret }}', - 'admin.protectindexpage' => true, - 'admin.protectmetadata' => false, - - /** - * This is a secret salt used by simpleSAMLphp when it needs to generate a secure hash - * of a value. It must be changed from its default value to a secret value. The value of - * 'secretsalt' can be any valid string of any length. - * - * A possible way to generate a random salt is by running the following command from a unix shell: - * tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' /dev/null;echo - */ - 'secretsalt' => '{{ diyidp_secret_salt }}', - - /* - * Some information about the technical persons running this installation. 
- * The email address will be used as the recipient address for error reports, and - * also as the technical contact in generated metadata. - */ - 'technicalcontact_name' => '{{ instance_name }} Administrator', - 'technicalcontact_email' => '{{ admin_email }}', - - /* - * The timezone of the server. This option should be set to the timezone you want - * simpleSAMLphp to report the time in. The default is to guess the timezone based - * on your system timezone. - * - * See this page for a list of valid timezones: http://php.net/manual/en/timezones.php - */ - 'timezone' => '{{ timezone }}', - - /* - * Logging. - * - * define the minimum log level to log - * LOG_ERR No statistics, only errors - * LOG_WARNING No statistics, only warnings/errors - * LOG_NOTICE Statistics and errors - * LOG_INFO Verbose logs - * LOG_DEBUG Full debug logs - not reccomended for production - * - * Choose logging handler. - * - * Options: [syslog,file,errorlog] - * - */ - 'logging.level' => LOG_NOTICE, - 'logging.handler' => 'syslog', - - /* - * Choose which facility should be used when logging with syslog. - * - * These can be used for filtering the syslog output from simpleSAMLphp into its - * own file by configuring the syslog daemon. - * - * See the documentation for openlog (http://php.net/manual/en/function.openlog.php) for available - * facilities. Note that only LOG_USER is valid on windows. - * - * The default is to use LOG_LOCAL5 if available, and fall back to LOG_USER if not. - */ - 'logging.facility' => defined('LOG_LOCAL5') ? constant('LOG_LOCAL5') : LOG_USER, - - /* - * The process name that should be used when logging to syslog. - * The value is also written out by the other logging handlers. - */ - 'logging.processname' => 'simplesamlphp', - - /* Logging: file - Logfilename in the loggingdir from above. - */ - 'logging.logfile' => 'simplesamlphp.log', - - - - /* - * Enable - * - * Which functionality in simpleSAMLphp do you want to enable. 
Normally you would enable only - * one of the functionalities below, but in some cases you could run multiple functionalities. - * In example when you are setting up a federation bridge. - */ - 'enable.saml20-idp' => true, - 'enable.shib13-idp' => false, - 'enable.adfs-idp' => false, - 'enable.wsfed-sp' => false, - 'enable.authmemcookie' => false, - - /* - * This value is the duration of the session in seconds. Make sure that the time duration of - * cookies both at the SP and the IdP exceeds this duration. - */ - 'session.duration' => 8 * (60*60), // 8 hours. - 'session.requestcache' => 4 * (60*60), // 4 hours - - /* - * Sets the duration, in seconds, data should be stored in the datastore. As the datastore is used for - * login and logout requests, thid option will control the maximum time these operations can take. - * The default is 4 hours (4*60*60) seconds, which should be more than enough for these operations. - */ - 'session.datastore.timeout' => (4*60*60), // 4 hours - - - /* - * Expiration time for the session cookie, in seconds. - * - * Defaults to 0, which means that the cookie expires when the browser is closed. - * - * Example: - * 'session.cookie.lifetime' => 30*60, - */ - 'session.cookie.lifetime' => 0, - - /* - * Limit the path of the cookies. - * - * Can be used to limit the path of the cookies to a specific subdirectory. - * - * Example: - * 'session.cookie.path' => '/simplesaml/', - */ - 'session.cookie.path' => '/', - - /* - * Cookie domain. - * - * Can be used to make the session cookie available to several domains. - * - * Example: - * 'session.cookie.domain' => '.example.org', - */ - 'session.cookie.domain' => NULL, - - /* - * Set the secure flag in the cookie. - * - * Set this to TRUE if the user only accesses your service - * through https. If the user can access the service through - * both http and https, this must be set to FALSE. 
- */ - 'session.cookie.secure' => TRUE, - - /* - * Options to override the default settings for php sessions. - */ - 'session.phpsession.cookiename' => null, - 'session.phpsession.savepath' => null, - 'session.phpsession.httponly' => true, - - /* - * Languages available and what language is default - */ - 'language.available' => array('en'), - 'language.default' => 'en', - - /* - * Extra dictionary for attribute names. - * This can be used to define local attributes. - * - * The format of the parameter is a string with :. - * - * Specifying this option will cause us to look for modules//dictionaries/.definition.json - * The dictionary should look something like: - * - * { - * "firstattribute": { - * "en": "English name", - * "no": "Norwegian name" - * }, - * "secondattribute": { - * "en": "English name", - * "no": "Norwegian name" - * } - * } - * - * Note that all attribute names in the dictionary must in lowercase. - * - * Example: 'attributes.extradictionary' => 'ourmodule:ourattributes', - */ - 'attributes.extradictionary' => NULL, - - /* - * Which theme directory should be used? - */ - //'theme.use' => 'default', - 'theme.use' => 'surfconext-diy:diytheme', - - /* - * Default IdP for WS-Fed. - */ - 'default-wsfed-idp' => 'urn:federation:pingfederate:localhost', - - /* - * Whether the discovery service should allow the user to save his choice of IdP. - */ - 'idpdisco.enableremember' => TRUE, - 'idpdisco.rememberchecked' => TRUE, - - // Disco service only accepts entities it knows. - 'idpdisco.validate' => TRUE, - - 'idpdisco.extDiscoveryStorage' => NULL, - - /* - * IdP Discovery service look configuration. - * Wether to display a list of idp or to display a dropdown box. For many IdP' a dropdown box - * gives the best use experience. - * - * When using dropdown box a cookie is used to highlight the previously chosen IdP in the dropdown. 
- * This makes it easier for the user to choose the IdP - * - * Options: [links,dropdown] - * - */ - 'idpdisco.layout' => 'links', - - /* - * Whether simpleSAMLphp should sign the response or the assertion in SAML 1.1 authentication - * responses. - * - * The default is to sign the assertion element, but that can be overridden by setting this - * option to TRUE. It can also be overridden on a pr. SP basis by adding an option with the - * same name to the metadata of the SP. - */ - 'shib13.signresponse' => TRUE, - - - - /* - * Authentication processing filters that will be executed for all IdPs - * Both Shibboleth and SAML 2.0 - */ - 'authproc.idp' => array( - /* Enable the authproc filter below to add URN Prefixces to all attributes - 10 => array( - 'class' => 'core:AttributeMap', 'addurnprefix' - ), */ - /* Enable the authproc filter below to automatically generated eduPersonTargetedID. - 20 => 'core:TargetedID', - */ - - // Adopts language from attribute to use in UI - 30 => 'core:LanguageAdaptor', - - /* Add a realm attribute from edupersonprincipalname - 40 => 'core:AttributeRealm', - */ - 45 => array( - 'class' => 'core:StatisticsWithAttribute', - 'attributename' => 'realm', - 'type' => 'saml20-idp-SSO', - ), - - /* When called without parameters, it will fallback to filter attributes ‹the old way› - * by checking the 'attributes' parameter in metadata on IdP hosted and SP remote. - */ - 50 => 'core:AttributeLimit', - - /* - * Search attribute "distinguishedName" for pattern and replaces if found - - 60 => array( - 'class' => 'core:AttributeAlter', - 'pattern' => '/OU=studerende/', - 'replacement' => 'Student', - 'subject' => 'distinguishedName', - '%replace', - ), - */ - - /* - * Consent module is enabled (with no permanent storage, using cookies). - - 90 => array( - 'class' => 'consent:Consent', - 'store' => 'consent:Cookie', - 'focus' => 'yes', - 'checked' => TRUE - ), - */ - // If language is set in Consent module it will be added as an attribute. 
- 98 => 'core:LanguageAdaptor', - ), - /* - * Authentication processing filters that will be executed for all IdPs - * Both Shibboleth and SAML 2.0 - */ - 'authproc.sp' => array( - /* - 10 => array( - 'class' => 'core:AttributeMap', 'removeurnprefix' - ), - */ - - /* When called without parameters, it will fallback to filter attributes ‹the old way› - * by checking the 'attributes' parameter in metadata on SP hosted and IdP remote. - */ - 50 => 'core:AttributeLimit', - - /* - * Generate the 'group' attribute populated from other variables, including eduPersonAffiliation. - */ - 60 => array('class' => 'core:GenerateGroups', 'eduPersonAffiliation'), - // All users will be members of 'users' and 'members' - 61 => array('class' => 'core:AttributeAdd', 'groups' => array('users', 'members')), - - // Adopts language from attribute to use in UI - 90 => 'core:LanguageAdaptor', - - - ), - - - /* - * This option configures the metadata sources. The metadata sources is given as an array with - * different metadata sources. When searching for metadata, simpleSAMPphp will search through - * the array from start to end. - * - * Each element in the array is an associative array which configures the metadata source. - * The type of the metadata source is given by the 'type' element. For each type we have - * different configuration options. - * - * Flat file metadata handler: - * - 'type': This is always 'flatfile'. - * - 'directory': The directory we will load the metadata files from. The default value for - * this option is the value of the 'metadatadir' configuration option, or - * 'metadata/' if that option is unset. - * - * XML metadata handler: - * This metadata handler parses an XML file with either an EntityDescriptor element or an - * EntitiesDescriptor element. The XML file may be stored locally, or (for debugging) on a remote - * web server. - * The XML hetadata handler defines the following options: - * - 'type': This is always 'xml'. 
- * - 'file': Path to the XML file with the metadata. - * - 'url': The url to fetch metadata from. THIS IS ONLY FOR DEBUGGING - THERE IS NO CACHING OF THE RESPONSE. - * - * - * Examples: - * - * This example defines two flatfile sources. One is the default metadata directory, the other - * is a metadata directory with autogenerated metadata files. - * - * 'metadata.sources' => array( - * array('type' => 'flatfile'), - * array('type' => 'flatfile', 'directory' => 'metadata-generated'), - * ), - * - * This example defines a flatfile source and an XML source. - * 'metadata.sources' => array( - * array('type' => 'flatfile'), - * array('type' => 'xml', 'file' => 'idp.example.org-idpMeta.xml'), - * ), - * - * - * Default: - * 'metadata.sources' => array( - * array('type' => 'flatfile') - * ), - */ - 'metadata.sources' => array( - array('type' => 'flatfile'), - ), - - - /* - * Configure the datastore for simpleSAMLphp. - * - * - 'phpsession': Limited datastore, which uses the PHP session. - * - 'memcache': Key-value datastore, based on memcache. - * - 'sql': SQL datastore, using PDO. - * - * The default datastore is 'phpsession'. - * - * (This option replaces the old 'session.handler'-option.) - */ - 'store.type' => 'phpsession', - - - /* - * The DSN the sql datastore should connect to. - * - * See http://www.php.net/manual/en/pdo.drivers.php for the various - * syntaxes. - */ - 'store.sql.dsn' => 'sqlite:/path/to/sqlitedatabase.sq3', - - /* - * The username and password to use when connecting to the database. - */ - 'store.sql.username' => NULL, - 'store.sql.password' => NULL, - - /* - * The prefix we should use on our tables. - */ - 'store.sql.prefix' => 'simpleSAMLphp', - - - /* - * Configuration for the MemcacheStore class. This allows you to store - * multiple redudant copies of sessions on different memcache servers. - * - * 'memcache_store.servers' is an array of server groups. Every data - * item will be mirrored in every server group. 
- * - * Each server group is an array of servers. The data items will be - * load-balanced between all servers in each server group. - * - * Each server is an array of parameters for the server. The following - * options are available: - * - 'hostname': This is the hostname or ip address where the - * memcache server runs. This is the only required option. - * - 'port': This is the port number of the memcache server. If this - * option isn't set, then we will use the 'memcache.default_port' - * ini setting. This is 11211 by default. - * - 'weight': This sets the weight of this server in this server - * group. http://php.net/manual/en/function.Memcache-addServer.php - * contains more information about the weight option. - * - 'timeout': The timeout for this server. By default, the timeout - * is 3 seconds. - * - * Example of redudant configuration with load balancing: - * This configuration makes it possible to lose both servers in the - * a-group or both servers in the b-group without losing any sessions. - * Note that sessions will be lost if one server is lost from both the - * a-group and the b-group. - * - * 'memcache_store.servers' => array( - * array( - * array('hostname' => 'mc_a1'), - * array('hostname' => 'mc_a2'), - * ), - * array( - * array('hostname' => 'mc_b1'), - * array('hostname' => 'mc_b2'), - * ), - * ), - * - * Example of simple configuration with only one memcache server, - * running on the same computer as the web server: - * Note that all sessions will be lost if the memcache server crashes. - * - * 'memcache_store.servers' => array( - * array( - * array('hostname' => 'localhost'), - * ), - * ), - * - */ - 'memcache_store.servers' => array( - array( - array('hostname' => 'localhost'), - ), - ), - - - /* - * This value is the duration data should be stored in memcache. Data - * will be dropped from the memcache servers when this time expires. - * The time will be reset every time the data is written to the - * memcache servers. 
- * - * This value should always be larger than the 'session.duration' - * option. Not doing this may result in the session being deleted from - * the memcache servers while it is still in use. - * - * Set this value to 0 if you don't want data to expire. - * - * Note: The oldest data will always be deleted if the memcache server - * runs out of storage space. - */ - 'memcache_store.expires' => 36 * (60*60), // 36 hours. - - - /* - * Should signing of generated metadata be enabled by default. - * - * Metadata signing can also be enabled for a individual SP or IdP by setting the - * same option in the metadata for the SP or IdP. - */ - 'metadata.sign.enable' => FALSE, - - /* - * The default key & certificate which should be used to sign generated metadata. These - * are files stored in the cert dir. - * These values can be overridden by the options with the same names in the SP or - * IdP metadata. - * - * If these aren't specified here or in the metadata for the SP or IdP, then - * the 'certificate' and 'privatekey' option in the metadata will be used. - * if those aren't set, signing of metadata will fail. - */ - 'metadata.sign.privatekey' => NULL, - 'metadata.sign.privatekey_pass' => NULL, - 'metadata.sign.certificate' => NULL, - - - /* - * Proxy to use for retrieving URLs. - * - * Example: - * 'proxy' => 'tcp://proxy.example.com:5100' - */ - 'proxy' => NULL, - - 'trusted.url.domains' => array(), - 'module.enable' => [ - 'sqlauth' => true, - ], - -); diff --git a/roles/diyidp/templates/diyidp-pool-72.conf.j2 b/roles/diyidp/templates/diyidp-pool-72.conf.j2 deleted file mode 100644 index 33da0c132..000000000 --- a/roles/diyidp/templates/diyidp-pool-72.conf.j2 +++ /dev/null 
@@ -1,225 +0,0 @@ -; Create a new pool named diyidp. -[diyidp] - -; The address on which to accept FastCGI requests. -; Valid syntaxes are: -; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific address on -; a specific port; -; 'port' - to listen on a TCP socket to all addresses on a -; specific port; -; '/path/to/unix/socket' - to listen on a unix socket. -; Note: This value is mandatory. - -; Use unix socket -listen = /var/run/php-fpm/diyidp-pool-72.sock -; Set listen(2) backlog. A value of '-1' means unlimited. -; Default Value: -1 -;listen.backlog = -1 - -; List of ipv4 addresses of FastCGI clients which are allowed to connect. -; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original -; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address -; must be separated by a comma. If this value is left blank, connections will be -; accepted from any ip address. -; Default Value: any -listen.allowed_clients = 127.0.0.1 - -; Set permissions for unix socket, if one is used. In Linux, read/write -; permissions must be set in order to allow connections from a web server. Many -; BSD-derived systems allow connections regardless of permissions. -; Default Values: user and group are set as the running user -; mode is set to 0666 -listen.owner = apache -listen.group = apache -listen.mode = 0640 - -; Unix user/group of processes -; Note: The user is mandatory. If the group is not set, the default user's group -; will be used. -user = {{ diyidp_fpm_user }} -group = {{ diyidp_fpm_user }} - -; Choose how the process manager will control the number of child processes. -; Possible Values: -; static - a fixed number (pm.max_children) of child processes; -; dynamic - the number of child processes are set dynamically based on the -; following directives: -; pm.max_children - the maximum number of children that can -; be alive at the same time. -; pm.start_servers - the number of children created on startup. 
-; pm.min_spare_servers - the minimum number of children in 'idle' -; state (waiting to process). If the number -; of 'idle' processes is less than this -; number then some children will be created. -; pm.max_spare_servers - the maximum number of children in 'idle' -; state (waiting to process). If the number -; of 'idle' processes is greater than this -; number then some children will be killed. -; Note: This value is mandatory. -pm = ondemand - -; The number of child processes to be created when pm is set to 'static' and the -; maximum number of child processes to be created when pm is set to 'dynamic'. -; This value sets the limit on the number of simultaneous requests that will be -; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. -; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP -; CGI. -; Note: Used when pm is set to either 'static' or 'dynamic' -; Note: This value is mandatory. -pm.max_children = 20 - -; The number of child processes created on startup. -; Note: Used only when pm is set to 'dynamic' -; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2 -;pm.start_servers = 2 - -; The desired minimum number of idle server processes. -; Note: Used only when pm is set to 'dynamic' -; Note: Mandatory when pm is set to 'dynamic' -;pm.min_spare_servers = 1 - -; The desired maximum number of idle server processes. -; Note: Used only when pm is set to 'dynamic' -; Note: Mandatory when pm is set to 'dynamic' -;pm.max_spare_servers = 5 - -; The number of requests each child process should execute before respawning. -; This can be useful to work around memory leaks in 3rd party libraries. For -; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. -; Default Value: 0 -pm.max_requests = 300 - -; The URI to view the FPM status page. If this value is not set, no URI will be -; recognized as a status page. 
By default, the status page shows the following -; information: -; accepted conn - the number of request accepted by the pool; -; pool - the name of the pool; -; process manager - static or dynamic; -; idle processes - the number of idle processes; -; active processes - the number of active processes; -; total processes - the number of idle + active processes. -; The values of 'idle processes', 'active processes' and 'total processes' are -; updated each second. The value of 'accepted conn' is updated in real time. -; Example output: -; accepted conn: 12073 -; pool: www -; process manager: static -; idle processes: 35 -; active processes: 65 -; total processes: 100 -; By default the status page output is formatted as text/plain. Passing either -; 'html' or 'json' as a query string will return the corresponding output -; syntax. Example: -; http://www.foo.bar/status -; http://www.foo.bar/status?json -; http://www.foo.bar/status?html -; Note: The value must start with a leading slash (/). The value can be -; anything, but it may not be a good idea to use the .php extension or it -; may conflict with a real PHP file. -; Default Value: not set -pm.status_path = /status - -; The ping URI to call the monitoring page of FPM. If this value is not set, no -; URI will be recognized as a ping page. This could be used to test from outside -; that FPM is alive and responding, or to -; - create a graph of FPM availability (rrd or such); -; - remove a server from a group if it is not responding (load balancing); -; - trigger alerts for the operating team (24/7). -; Note: The value must start with a leading slash (/). The value can be -; anything, but it may not be a good idea to use the .php extension or it -; may conflict with a real PHP file. -; Default Value: not set -;ping.path = /ping - -; This directive may be used to customize the response of a ping request. The -; response is formatted as text/plain with a 200 response code. 
-; Default Value: pong -;ping.response = pong - -; The timeout for serving a single request after which the worker process will -; be killed. This option should be used when the 'max_execution_time' ini option -; does not stop script execution for some reason. A value of '0' means 'off'. -; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) -; Default Value: 0 -;request_terminate_timeout = 0 - -; The timeout for serving a single request after which a PHP backtrace will be -; dumped to the 'slowlog' file. A value of '0s' means 'off'. -; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) -; Default Value: 0 -;request_slowlog_timeout = 0 - -; The log file for slow requests -; Default Value: not set -; Note: slowlog is mandatory if request_slowlog_timeout is set -slowlog = /var/log/php-fpm/www-slow.log - -; Set open file descriptor rlimit. -; Default Value: system defined value -;rlimit_files = 1024 - -; Set max core size rlimit. -; Possible Values: 'unlimited' or an integer greater or equal to 0 -; Default Value: system defined value -;rlimit_core = 0 - -; Chroot to this directory at the start. This value must be defined as an -; absolute path. When this value is not set, chroot is not used. -; Note: chrooting is a great security feature and should be used whenever -; possible. However, all PHP paths will be relative to the chroot -; (error_log, sessions.save_path, ...). -; Default Value: not set -;chroot = - -; Chdir to this directory at the start. This value must be an absolute path. -; Default Value: current directory or / when chroot -;chdir = /var/www - -; Redirect worker stdout and stderr into main error log. If not set, stdout and -; stderr will be redirected to /dev/null according to FastCGI specs. -; Default Value: no -;catch_workers_output = yes - -; Limits the extensions of the main script FPM will allow to parse. This can -; prevent configuration mistakes on the web server side. 
You should only limit -; FPM to .php extensions to prevent malicious users to use other extensions to -; exectute php code. -; Note: set an empty value to allow all extensions. -; Default Value: .php -;security.limit_extensions = .php .php3 .php4 .php5 - -; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from -; the current environment. -; Default Value: clean env -;env[HOSTNAME] = $HOSTNAME -;env[PATH] = /usr/local/bin:/usr/bin:/bin -;env[TMP] = /tmp -;env[TMPDIR] = /tmp -;env[TEMP] = /tmp - -; Additional php.ini defines, specific to this pool of workers. These settings -; overwrite the values previously defined in the php.ini. The directives are the -; same as the PHP SAPI: -; php_value/php_flag - you can set classic ini defines which can -; be overwritten from PHP call 'ini_set'. -; php_admin_value/php_admin_flag - these directives won't be overwritten by -; PHP call 'ini_set' -; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no. - -; Defining 'extension' will load the corresponding shared extension from -; extension_dir. Defining 'disable_functions' or 'disable_classes' will not -; overwrite previously defined php.ini values, but will append the new value -; instead. - -; Default Value: nothing is defined by default except the values in php.ini and -; specified at startup with the -d argument -;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com -;php_flag[display_errors] = off -php_admin_value[error_log] = /var/log/php-fpm/diyidp-error.log -php_admin_flag[log_errors] = on -;php_admin_value[memory_limit] = 128M - -; Set session path to a directory owned by process user -php_value[session.save_handler] = files -php_value[session.save_path] = {{ php_session_dir }}/diyidp -php_value[disable_functions] = {{ php_disabled_functions }} diff --git a/roles/diyidp/templates/diyidp.conf.j2 b/roles/diyidp/templates/diyidp.conf.j2 deleted file mode 100644 index c055f3b82..000000000 
--- a/roles/diyidp/templates/diyidp.conf.j2 +++ /dev/null @@ -1,30 +0,0 @@ -Listen {{ apache_app_listen_address.diyidp }}:{{ loadbalancing.diyidp.port }} - - ServerName https://{{ diyidp_domain }} - ServerAdmin {{ admin_email }} - DirectoryIndex index.php - DocumentRoot {{ diyidp_current_release_symlink }}/www - - SetEnv HTTPS on - Alias /simplesaml "{{ diyidp_current_release_symlink }}/www" - - Require all granted - - Options -MultiViews - RewriteEngine On - - - Redirect permanent /simplesaml/showusers.php /showusers.php - - # Proxy the requests to FPM - ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/var/run/php-fpm/diyidp-pool-72.sock|fcgi://localhost/{{ diyidp_current_release_symlink }}/www/$1 - {% if haproxy_backend_tls %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/backend.{{ base_domain }}.pem - SSLCertificateKeyFile {{ tls.cert_private_path }}/backend.{{ base_domain }}.key - Include ssl_backend.conf - {% endif %} - - ErrorLog "|/usr/bin/logger -S 32k -p local3.err -t 'Apache-DIYIDP'" - CustomLog "|/usr/bin/logger -S 32k -p local3.info -t 'Apache-DIYIDP'" combined - diff --git a/roles/diyidp/templates/frontpage.definition.json.j2 b/roles/diyidp/templates/frontpage.definition.json.j2 deleted file mode 100644 index b42c6eb6f..000000000 --- a/roles/diyidp/templates/frontpage.definition.json.j2 +++ /dev/null 
@@ -1,146 +0,0 @@ -{ - "page_title": { - "en": "SimpleSAMLphp installation page" - }, - "intro": { - "en": {{ diyidp_welcome_text }} - }, - "useful_links_header": { - "en": "Useful links for your installation" - }, - "metadata_header": { - "en": "Metadata" - }, - "doc_header": { - "en": "Documentation" - }, - "checkphp": { - "en": "Checking your PHP installation" - }, - "about_header": { - "en": "About SimpleSAMLphp" - }, - "about_text": { - "en": "This SimpleSAMLphp thing is pretty cool, where can I read more about it? You can find more information about it at the SimpleSAMLphp web page <\/a> over at UNINETT<\/a>." - }, - "required": { - "en": "Required" - }, - "required_ldap": { - "en": "Required for LDAP" - }, - "required_radius": { - "en": "Required for Radius" - }, - "optional": { - "en": "Optional" - }, - "reccomended": { - "en": "Recommended" - }, - "warnings": { - "en": "Warnings" - }, - "warnings_https": { - "en": "You are not using HTTPS<\/strong> - encrypted communication with the user. HTTP works fine for test purposes, but in a production environment, you should use HTTPS. [ Read more about SimpleSAMLphp maintenance<\/a> ]" - }, - "warnings_secretsalt": { - "en": "The configuration uses the default secret salt - make sure you modify the default 'secretsalt' option in the simpleSAML configuration in production environments. [Read more about SimpleSAMLphp configuration<\/a> ]" - }, - "warnings_suhosin_url_length": { - "en": "The length of query parameters is limited by the PHP Suhosin extension. Please increase the suhosin.get.max_value_length option to at least 2048 bytes." 
- }, - "link_saml2example": { - "en": "SAML 2.0 SP example - test logging in through your IdP" - }, - "link_shib13example": { - "en": "Shibboleth 1.3 SP example - test logging in through your Shib IdP" - }, - "link_openidprovider": { - "en": "OpenID Provider site - Alpha version (test code)" - }, - "link_diagnostics": { - "en": "Diagnostics on hostname, port and protocol" - }, - "link_phpinfo": { - "en": "PHP info" - }, - "link_meta_overview": { - "en": "Metadata overview for your installation. Diagnose your metadata files" - }, - "link_meta_saml2sphosted": { - "en": "Hosted SAML 2.0 Service Provider Metadata (automatically generated)" - }, - "link_meta_saml2idphosted": { - "en": "Hosted SAML 2.0 Identity Provider Metadata (automatically generated)" - }, - "link_meta_shib13sphosted": { - "en": "Hosted Shibboleth 1.3 Service Provider Metadata (automatically generated)" - }, - "link_meta_shib13idphosted": { - "en": "Hosted Shibboleth 1.3 Identity Provider Metadata (automatically generated)" - }, - "link_xmlconvert": { - "en": "XML to SimpleSAMLphp metadata converter" - }, - "link_doc_install": { - "en": "Installing SimpleSAMLphp" - }, - "link_doc_sp": { - "en": "Using SimpleSAMLphp as a Service Provider" - }, - "link_doc_idp": { - "en": "Using SimpleSAMLphp as an Identity Provider" - }, - "link_doc_shibsp": { - "en": "Configure Shibboleth 1.3 SP to work with SimpleSAMLphp IdP" - }, - "link_doc_googleapps": { - "en": "SimpleSAMLphp as an IdP for Google Apps for Education" - }, - "link_doc_advanced": { - "en": "SimpleSAMLphp Advanced Features" - }, - "link_doc_maintenance": { - "en": "SimpleSAMLphp Maintenance and Configuration" - }, - "link_configcheck": { - "en": "SimpleSAMLphp configuration check" - }, - "link_cleardiscochoices": { - "en": "Delete my choices of IdP in the IdP discovery services" - }, - "welcome": { - "en": "Welcome" - }, - "configuration": { - "en": "Configuration" - }, - "metadata": { - "en": "Metadata" - }, - "tools": { - "en": "Tools" - }, - 
"show_metadata": { - "en": "Show metadata" - }, - "login_as_admin": { - "en": "Login as administrator" - }, - "loggedin_as_admin": { - "en": "You are logged in as administrator" - }, - "auth": { - "en": "Authentication" - }, - "federation": { - "en": "Federation" - }, - "authtest": { - "en": "Test configured authentication sources " - }, - "deprecated": { - "en": "Deprecated" - } -} diff --git a/roles/diyidp/templates/login.definition.json.j2 b/roles/diyidp/templates/login.definition.json.j2 deleted file mode 100644 index a7c0969e9..000000000 --- a/roles/diyidp/templates/login.definition.json.j2 +++ /dev/null @@ -1,68 +0,0 @@ -{ - "error_header": { - "en": "Error" - }, - "user_pass_header": { - "en": "Enter your username and password" - }, - "user_pass_text": { - "en": "A service has requested you to authenticate yourself. Please enter your username and password in the form below.

The list of known users and their attributes is available here.

" - }, - "login_button": { - "en": "Login" - }, - "processing": { - "en": "Processing..." - }, - "username": { - "en": "Username" - }, - "organization": { - "en": "Organization" - }, - "password": { - "en": "Password" - }, - "help_header": { - "en": "Help! I don't remember my password." - }, - "help_text": { - "en": "Too bad! - Without your username and password you cannot authenticate yourself for access to the service. There may be someone that can help you. Consult the help desk at your organization!" - }, - "error_nopassword": { - "en": "You sent something to the login page, but for some reason the password was not sent. Try again please." - }, - "error_wrongpassword": { - "en": "Incorrect username or password." - }, - "select_home_org": { - "en": "Choose your home organization" - }, - "next": { - "en": "Next" - }, - "change_home_org_title": { - "en": "Change your home organization" - }, - "change_home_org_text": { - "en": "You have chosen %HOMEORG%<\/b> as your home organization. If this is wrong you may choose another one." - }, - "change_home_org_button": { - "en": "Choose home organization" - }, - "help_desk_link": { - "en": "Help desk homepage" - }, - "help_desk_email": { - "en": "Send e-mail to help desk" - }, - "contact_info": { - "en": "Contact information:" - }, - "remember_username": { - "en": "Remember my username" - }, - "remember_me": { - "en": "Remember me" - } -} diff --git a/roles/diyidp/templates/saml20-idp-hosted.php.j2 b/roles/diyidp/templates/saml20-idp-hosted.php.j2 index 22cfaff44..6b8577f55 100644 --- a/roles/diyidp/templates/saml20-idp-hosted.php.j2 +++ b/roles/diyidp/templates/saml20-idp-hosted.php.j2 @@ -5,7 +5,7 @@ * See: https://rnd.feide.no/content/idp-hosted-metadata-reference */ -$metadata['__DYNAMIC:1__'] = array( +$metadata['https://diyidp.{{ base_domain}}'] = array( /* * The hostname of the server (VHOST) that will use this SAML entity. * 
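Review bot: The new metadata key `$metadata['https://diyidp.{{ base_domain}}']` hardcodes the host, while the Apache vhost deleted earlier in this series derived it from `{{ diyidp_domain }}`; if that variable is still defined, `$metadata['https://{{ diyidp_domain }}']` keeps the two in step (the missing space before `}}` is harmless to Jinja but worth normalising). Replacing `__DYNAMIC:1__` with a fixed string also changes the entityID this IdP presents, so SP or federation metadata that was keyed on the dynamic value presumably has to be updated; a one-line comment above the key such as `// Fixed entityID (was __DYNAMIC:1__); SP/federation metadata must use this exact value` would spare the next operator the surprise. The array body continues outside the hunk.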
@@ -49,23 +49,6 @@ $metadata['__DYNAMIC:1__'] = array( // Convert LDAP names to oids. 100 => array('class' => 'core:AttributeMap', 'name2oid'), 200 => array('class' => 'core:AttributeMap', 'name2urn'), - 300 => array('class' => 'saml:PersistentNameID', 'attribute' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6' ), + 300 => array('class' => 'saml:PersistentNameID', 'identifyingAttribute' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6' ), ), - - /* - * Uncomment the following to specify the registration information in the - * exported metadata. Refer to: - * http://docs.oasis-open.org/security/saml/Post2.0/saml-metadata-rpi/v1.0/cs01/saml-metadata-rpi-v1.0-cs01.html - * for more information. - */ - /* - 'RegistrationInfo' => array( - 'authority' => 'urn:mace:example.org', - 'instant' => '2008-01-17T11:28:03Z', - 'policies' => array( - 'en' => 'http://example.org/policy', - 'es' => 'http://example.org/politica', - ), - ), - */ ); diff --git a/roles/diyidp/templates/showusers.php.j2 b/roles/diyidp/templates/showusers.php.j2 index 8aa11b589..ad13e89b0 100644 --- a/roles/diyidp/templates/showusers.php.j2 +++ b/roles/diyidp/templates/showusers.php.j2 
@@ -4,17 +4,30 @@ $dbuser = "{{ diyidp.db_user }}"; $dbpass = "{{ diyidp.db_password }}"; $dbhost = "{{ diyidp.db_host }}"; - -function doQuery($qryString, $dbuser, $dbpass, $dbhost) { - - // Make a MySQL Connection - mysql_connect($dbhost, $dbuser, $dbpass) or die(mysql_error()); - - // Retrieve the data - $setUTF8 = mysql_query("SET NAMES utf8"); - $result = mysql_query($qryString) or die(mysql_error()); - - return $result; +$dbname = "{{ diyidp.db_name }}"; + +function doQuery($qryString, $dbuser, $dbpass, $dbhost, $dbname) { + try { + // Create a new PDO connection + $dsn = "mysql:host=$dbhost;dbname=$dbname;charset=utf8"; + $pdo = new PDO($dsn, $dbuser, $dbpass); + $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); + + // Prepare and execute the query + $stmt = $pdo->prepare($qryString); + $stmt->execute(); + // Return the rows + $rows = []; + while ($r = $stmt->fetch(PDO::FETCH_ASSOC)) { + $rows[] = $r; + } + + return $rows; + + } + catch (PDOException $e) { + die("PDO Error: " . $e->getMessage()); + } } /** @@ -206,14 +219,7 @@ GROUP BY diy.uid ORDER BY LPAD(lower(username), 2,0), LPAD(lower(username), 10,0)"; // Run the query - $qryrset = doQuery($sqlString, $dbuser, $dbpass, $dbhost); - - //var_dump($qryrset); - - $rows = array(); - while($r = mysql_fetch_assoc($qryrset)) { - $rows[] = $r; - } + $rows = doQuery($sqlString, $dbuser, $dbpass, $dbhost, $dbname); $htmlTable = array2table($rows); print_r($htmlTable); From f628aa896f3301abf00087f0c64be9e3a06fe65c Mon Sep 17 00:00:00 2001 From: Peter Havekes Date: Tue, 23 Apr 2024 14:18:45 +0200 Subject: [PATCH 047/114] Invite only one cron cleanup --- roles/invite/templates/serverapplication.yml.j2 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/invite/templates/serverapplication.yml.j2 b/roles/invite/templates/serverapplication.yml.j2 index 33de0fafe..88600fd79 100644 --- a/roles/invite/templates/serverapplication.yml.j2 +++ b/roles/invite/templates/serverapplication.yml.j2 
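Review bot: In the rewritten doQuery(), the catch block `die("PDO Error: " . $e->getMessage())` sends the driver's error text — which for a failed connection includes the DB host and user name — straight to the browser. Log it server-side and return a generic message instead: `catch (PDOException $e) { error_log('showusers DB error: ' . $e->getMessage()); die('Database error'); }`. Note also that `$pdo->prepare($qryString)` is called on the fully built string and binds no parameters, so the prepared statement only prevents injection if `$sqlString` (assembled above the second hunk, outside this view) contains no interpolated request data; a short comment above the call stating that assumption would help the next reader. The surrounding code of both hunks continues outside the hunk.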
@@ -24,6 +24,11 @@ spring: session: jdbc: initialize-schema: always +{% if invite_cronjobmaster is defined and invite_cronjobmaster = false %} + cleanup-cron: "-" +{% else %} + cleanup-cron: "*/5 * * * *" +{% endif %} store-type: jdbc timeout: 8h mvc: From 9abcda8bf2c76a8dcdaaabe21acaa0167a9d014c Mon Sep 17 00:00:00 2001 From: Peter Havekes Date: Tue, 23 Apr 2024 14:22:57 +0200 Subject: [PATCH 048/114] Invite only one cron cleanup (typo) --- roles/invite/templates/serverapplication.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/invite/templates/serverapplication.yml.j2 b/roles/invite/templates/serverapplication.yml.j2 index 88600fd79..65829ca50 100644 --- a/roles/invite/templates/serverapplication.yml.j2 +++ b/roles/invite/templates/serverapplication.yml.j2 @@ -24,7 +24,7 @@ spring: session: jdbc: initialize-schema: always -{% if invite_cronjobmaster is defined and invite_cronjobmaster = false %} +{% if invite_cronjobmaster is defined and invite_cronjobmaster == false %} cleanup-cron: "-" {% else %} cleanup-cron: "*/5 * * * *" From 13d6e75e3ac776ffe1c3539a26365a07b683c974 Mon Sep 17 00:00:00 2001 From: Peter Havekes Date: Tue, 23 Apr 2024 14:34:27 +0200 Subject: [PATCH 049/114] Invite only one cron cleanup (typo) --- roles/invite/templates/serverapplication.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/invite/templates/serverapplication.yml.j2 b/roles/invite/templates/serverapplication.yml.j2 index 65829ca50..ae4ee9d86 100644 --- a/roles/invite/templates/serverapplication.yml.j2 +++ b/roles/invite/templates/serverapplication.yml.j2 @@ -27,7 +27,7 @@ spring: {% if invite_cronjobmaster is defined and invite_cronjobmaster == false %} cleanup-cron: "-" {% else %} - cleanup-cron: "*/5 * * * *" + cleanup-cron: "*/5 * * * * *" {% endif %} store-type: jdbc timeout: 8h From 8c5e4318aba2836e7098910d6f72bfeac4bf6f83 Mon Sep 17 00:00:00 2001 
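Review bot: The new condition on `invite_cronjobmaster` (`= false` here, `== false` after PATCH 048) compares against a bare boolean, so a value supplied as the string "false" — common from inventory or extra vars — never matches and every node keeps the cleanup cron. `{% if not (invite_cronjobmaster | default(true) | bool) %}` handles both forms, keeps the current fallback for hosts that do not set the variable, and makes the separate `is defined` test unnecessary. The same construct is carried through the hunks of PATCH 048, 049 and 050 below. The `spring.session` block continues outside the hunk.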
From: Peter Havekes Date: Wed, 24 Apr 2024 09:44:28 +0200 Subject: [PATCH 050/114] Invite: More cron-job finetuning --- roles/invite/templates/serverapplication.yml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/invite/templates/serverapplication.yml.j2 b/roles/invite/templates/serverapplication.yml.j2 index ae4ee9d86..2512a8d3b 100644 --- a/roles/invite/templates/serverapplication.yml.j2 +++ b/roles/invite/templates/serverapplication.yml.j2 @@ -27,7 +27,7 @@ spring: {% if invite_cronjobmaster is defined and invite_cronjobmaster == false %} cleanup-cron: "-" {% else %} - cleanup-cron: "*/5 * * * * *" + cleanup-cron: "0 */5 * * * *" {% endif %} store-type: jdbc timeout: 8h @@ -73,7 +73,7 @@ crypto: private-key-location: file:///private_key_pkcs8.pem cron: - node-cron-job-responsible: true + node-cron-job-responsible: invite_cronjobmaster user-cleaner-expression: "0 0/30 * * * *" last-activity-duration-days: 1000 role-expiration-notifier-expression: "0 0/30 * * * *" From 45c3c7991c5f05c78dd4db7aa2677465a40e8ab4 Mon Sep 17 00:00:00 2001 From: Peter Havekes Date: Wed, 24 Apr 2024 09:52:04 +0200 Subject: [PATCH 051/114] Invite: More cron-job finetuning --- roles/invite/templates/serverapplication.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/invite/templates/serverapplication.yml.j2 b/roles/invite/templates/serverapplication.yml.j2 index 2512a8d3b..e8f75babf 100644 --- a/roles/invite/templates/serverapplication.yml.j2 +++ b/roles/invite/templates/serverapplication.yml.j2 @@ -73,7 +73,7 @@ crypto: private-key-location: file:///private_key_pkcs8.pem cron: - node-cron-job-responsible: invite_cronjobmaster + node-cron-job-responsible: {{ invite_cronjobmaster }} user-cleaner-expression: "0 0/30 * * * *" last-activity-duration-days: 1000 role-expiration-notifier-expression: "0 0/30 * * * *" From 4110f34b86c05eefa60e8c0a63e5e6b4bb30545d Mon Sep 17 00:00:00 2001 
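Review bot: `node-cron-job-responsible: {{ invite_cronjobmaster }}` (PATCH 051) renders the variable with no guard, whereas the `cleanup-cron` block earlier in the same file tests `is defined` and falls back to the active schedule; with Ansible's default undefined handling this line aborts templating for a host that does not set the variable, and with a lenient setting it would emit an empty value. `node-cron-job-responsible: {{ invite_cronjobmaster | default(true) }}` preserves the previous literal `true` for such hosts and matches the other block's default. The `cron:` block continues outside the hunk.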
From: Bart Geesink Date: Wed, 24 Apr 2024 13:20:02 +0200 Subject: [PATCH 052/114] Dashboard: make PDP source configurable --- roles/dashboard/templates/serverapplication.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/dashboard/templates/serverapplication.yml.j2 b/roles/dashboard/templates/serverapplication.yml.j2
index b56aa5ada..5f0dc21ef 100644
--- a/roles/dashboard/templates/serverapplication.yml.j2
+++ b/roles/dashboard/templates/serverapplication.yml.j2
@@ -79,7 +79,7 @@ dashboard.feature.manage=true
 dashboard.feature.jira={{ dashboard.feature_jira }}
 dashboard.feature.consent={{ dashboard.feature_consent }}
 # Valid choices are 'MOCK', 'PDP' or 'MANAGE', 'MOCK' is for local development
-dashboard.feature.pdpSource=MANAGE
+dashboard.feature.pdpSource={{ dashboard.pdp_source }}
 dashboard.feature.statistics=true
 dashboard.feature.mail={{ dashboard.feature_mail }}
 dashboard.feature.oidc={{ dashboard.feature_oidc }}
From 113011574e30c9775f2346960347e44da2901feb Mon Sep 17 00:00:00 2001 
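Review bot: `dashboard.feature.pdpSource={{ dashboard.pdp_source }}` has no fallback, so an environment that does not define `dashboard.pdp_source` now fails to template where it previously got `MANAGE`; `dashboard.feature.pdpSource={{ dashboard.pdp_source | default('MANAGE') }}` keeps the old behaviour for those environments. The preceding comment already lists the valid values, so it is also worth extending it with which value applies when the variable is unset.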
From: Bart Geesink Date: Wed, 17 Apr 2024 13:21:07 +0200 Subject: [PATCH 053/114] Move profile deployment to docker --- provision.yml | 1 + roles/profile/defaults/main.yml | 40 +--- roles/profile/handlers/main.yml | 9 +- roles/profile/tasks/install-branch.yml | 39 --- roles/profile/tasks/install-release.yml | 31 --- roles/profile/tasks/main.yml | 215 ++++++----------- .../templates/global_view_parameters.yml.j2 | 26 ++ .../{parameters.yaml.j2 => parameters.yml.j2} | 7 +- .../profile/templates/profile-pool-72.conf.j2 | 225 ------------------ roles/profile/templates/profile.conf.j2 | 53 ----- roles/profile/vars/main.yml | 11 +- 11 files changed, 131 insertions(+), 526 deletions(-) delete mode 100644 roles/profile/tasks/install-branch.yml delete mode 100644 roles/profile/tasks/install-release.yml create mode 100644 roles/profile/templates/global_view_parameters.yml.j2 rename roles/profile/templates/{parameters.yaml.j2 => parameters.yml.j2} (94%) delete mode 100644 roles/profile/templates/profile-pool-72.conf.j2 delete mode 100644 roles/profile/templates/profile.conf.j2 diff --git a/provision.yml b/provision.yml index 248c4f380..870b66a50 100644 --- a/provision.yml +++ b/provision.yml @@ -181,6 +181,7 @@ - { role: mujina-idp, tags: ["mujina-idp"] } - { role: oidc-playground, tags: ["oidc-playground"] } - { role: stats, tags: ["stats"] } + - { role: profile, tags: ["profile"] } - import_playbook: "{{ environment_dir }}/playbook.yml" diff --git a/roles/profile/defaults/main.yml b/roles/profile/defaults/main.yml index 208687a05..ad0c115d0 100644 --- a/roles/profile/defaults/main.yml +++ b/roles/profile/defaults/main.yml 
@@ -1,42 +1,21 @@ # Default variables used to configure Profile # These can be overwritten via group or extra vars -# Version of Profile that is installable by this role -# E.g. profile_version: x.y.z -profile_version: '' - -# Profile installer specific variables -profile_version_dir: "{{ profile_version | replace('/', '-') }}" -profile_branch_dir: "{{ openconext_builds_dir }}/OpenConext-profile-{{ profile_branch | replace('/', '-') }}" -profile_release_dir: "{{ openconext_releases_dir }}/OpenConext-profile-{{ profile_version_dir }}" -profile_build_path: "{{ openconext_builds_dir }}/OpenConext-profile-{{ profile_version_dir }}.tar.gz" -profile_download_url: "https://github.com/OpenConext/OpenConext-profile/releases/download/{{ profile_version }}/OpenConext-profile-{{ profile_version_dir }}.tar.gz" -profile_current_release_symlink: "{{ openconext_releases_dir }}/OpenConext-profile" - -# Domain under which profile can be found -profile_domain: profile.{{ base_domain }} - -# Cache and log paths -profile_symfony_cache_path: "/tmp/profile/symfony-cache/" -profile_symfony_log_path: "/var/log/profile" - # Secret used by application for adding entropy to security related operations profile_secret: secret - +engine_api_verify_ssl: true +profile_vhost_name: "profile.{{ base_domain }}" # Language code for user locale to be set by default # E.g. 
profile_default_locale: en profile_default_locale: en -# IP-address and domain of Engine API to enable Profile to send API calls -engine_api_verify_ssl: true - # Paths of public and private key used for sending SAML AuthnRequests -profile_saml_sp_publickey: ../vendor/surfnet/stepup-saml-bundle/src/Resources/keys/development_publickey.cer -profile_saml_sp_privatekey: ../vendor/surfnet/stepup-saml-bundle/src/Resources/keys/development_privatekey.pem +profile_saml_sp_publickey: /var/www/html/vendor/surfnet/stepup-saml-bundle/src/Resources/keys/development_publickey.cer +profile_saml_sp_privatekey: /var/www/html/vendor/surfnet/stepup-saml-bundle/src/Resources/keys/development_privatekey.pem # Paths of public and private key used for signing metadata -profile_saml_metadata_publickey: ../vendor/surfnet/stepup-saml-bundle/src/Resources/keys/development_publickey.cer -profile_saml_metadata_privatekey: ../vendor/surfnet/stepup-saml-bundle/src/Resources/keys/development_privatekey.pem +profile_saml_metadata_publickey: /var/www/html/vendor/surfnet/stepup-saml-bundle/src/Resources/keys/development_publickey.cer +profile_saml_metadata_privatekey: /var/www/html/vendor/surfnet/stepup-saml-bundle/src/Resources/keys/development_privatekey.pem # Domain under which EngineBlock can be found engine_domain: engine.{{ base_domain }} @@ -46,10 +25,8 @@ engine_profile_idp_entityid: https://{{ engine_domain }}/authentication/idp/meta # URL for remote identity provider's single sign on engine_profile_idp_sso_url: https://{{ engine_domain }}/authentication/idp/single-sign-on - -profile_fpm_user: profile -profile_fpm_port: 802 - +# Certificate containting the public SAML signing key of the reomote IDP +engine_profile_idp_certificate: "/var/www/html/config/openconext/certs/{{ profile_eb_saml_public_key }}" profile_info_request_email: "{{ support_email }}" profile_lifecycle_enabled: false 
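Review bot: The updated `profile_saml_sp_privatekey` and `profile_saml_metadata_privatekey` defaults still point at the `development_privatekey.pem` shipped inside the public stepup-saml-bundle, now under `/var/www/html/vendor/...`; a deployment that forgets to override them signs AuthnRequests and metadata with a key anyone can download. Leaving these defaults empty (`profile_saml_sp_privatekey: ""`) so that templating or an assert task fails loudly is safer than a working-but-public key, or at minimum the comment above them should read `# Development keys shipped with the bundle — MUST be overridden per environment`. In the second hunk the new comment `# Certificate containting the public SAML signing key of the reomote IDP` has two typos (containing, remote). Both hunks sit inside a file whose remainder is outside this view.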
@@ -63,4 +40,3 @@ profile_manage_provision_samlsp_metadata_url: "https://profile.{{ base_domain }} profile_manage_provision_samlsp_sp_cert: "" profile_manage_provision_samlsp_trusted_proxy: false profile_manage_provision_samlsp_sign: false - diff --git a/roles/profile/handlers/main.yml b/roles/profile/handlers/main.yml index 8a2235003..0e6bf345f 100644 --- a/roles/profile/handlers/main.yml +++ b/roles/profile/handlers/main.yml @@ -1,5 +1,6 @@ --- -- name: restart php72-fpm - service: - name: php72-php-fpm - state: restarted +- name: restart profile + community.docker.docker_container: + name: profile + state: started + restart: true diff --git a/roles/profile/tasks/install-branch.yml b/roles/profile/tasks/install-branch.yml deleted file mode 100644 index ab28a4c84..000000000 --- a/roles/profile/tasks/install-branch.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -- name: Check if target dir exists - stat: - path: "{{ profile_release_dir }}" - register: profile_dir - -- name: Checkout profile branch - git: - repo: https://github.com/OpenConext/OpenConext-profile.git - dest: "{{ profile_branch_dir }}" - version: "{{ profile_branch }}" - force: yes - register: profile_gitclone - -- name: Make release - command: "./makeRelease.sh {{ profile_branch }}" - environment: - HOME: "{{ openconext_builds_dir }}" - args: - chdir: "{{ profile_branch_dir }}" - when: - - profile_gitclone.changed or not profile_dir.stat.exists - -- name: Unpack current version - unarchive: - src: "{{ openconext_builds_dir }}/Releases/OpenConext-profile-{{ profile_branch | replace('/', '_') }}.tar.gz" - dest: "{{ openconext_releases_dir }}" - copy: no - when: - - profile_gitclone.changed or not profile_dir.stat.exists - -- name: Activate new Profile branch - file: - src: "{{ openconext_releases_dir }}/OpenConext-profile-{{ profile_branch | replace('/', '_') }}" - dest: "{{ profile_current_release_symlink }}" - state: link - notify: - - "restart httpd" - - "restart php72-fpm" 
diff --git a/roles/profile/tasks/install-release.yml b/roles/profile/tasks/install-release.yml deleted file mode 100644 index 9aa5a7f5a..000000000 --- a/roles/profile/tasks/install-release.yml +++ /dev/null @@ -1,31 +0,0 @@ ---- -- name: Check if target dir exists - stat: - path: "{{ profile_current_release_symlink }}" - follow: no - register: profile_dir - -- name: Download current version - get_url: - url: "{{ profile_download_url }}" - dest: "{{ profile_build_path }}" - register: profile_download - -- name: Unpack current version - unarchive: - src: "{{ profile_build_path }}" - dest: "{{ openconext_releases_dir }}" - copy: no - when: - - profile_download.changed or profile_dir.stat.lnk_source != profile_release_dir - -- name: Activate new Profile release - file: - src: "{{ profile_release_dir }}" - dest: "{{ profile_current_release_symlink }}" - state: link - notify: - - "restart httpd" - - "restart php72-fpm" - when: - - profile_download.changed or profile_dir.stat.lnk_source != profile_release_dir diff --git a/roles/profile/tasks/main.yml b/roles/profile/tasks/main.yml index 5401b873b..df91dce0e 100644 --- a/roles/profile/tasks/main.yml +++ b/roles/profile/tasks/main.yml 
@@ -1,170 +1,113 @@ --- -- name: Add group {{ profile_fpm_user }} - group: - name: "{{ profile_fpm_user }}" +- name: Add group {{ appname }} + ansible.builtin.group: + name: "{{ appname }}" state: present + register: profile_guid -- name: Add user {{ profile_fpm_user }} - user: - name: "{{ profile_fpm_user }}" - group: "{{ profile_fpm_user }}" - createhome: no +- name: Add user {{ appname }} + ansible.builtin.user: + name: "{{ appname }}" + group: "{{ appname }}" + createhome: false state: present + register: profile_uid -- name: Create directory for vhosts to store PHP sessions - file: - path: "{{ php_session_dir}}/profile" +- name: Create some dirs + ansible.builtin.file: state: directory - owner: "{{ profile_fpm_user }}" + dest: "{{ item }}" + owner: root group: root - mode: 0770 - -- name: Include install-release.yml - include_tasks: install-release.yml - when: profile_branch is not defined or profile_branch == '' - -- name: Include install-branch.yml - include_tasks: install-branch.yml - when: profile_branch is defined and profile_branch != '' - -- name: Create the cache dir for Symfony - file: - path: "{{ profile_symfony_cache_path }}" - state: directory - owner: "{{ profile_fpm_user }}" - group: "{{ profile_fpm_user }}" - recurse: yes - -- name: Create the log dir for Symfony - file: - path: "{{ profile_symfony_log_path }}" - state: directory - owner: "{{ profile_fpm_user }}" - group: '{{ profile_fpm_user }}' - recurse: yes - -- name: Place parameters.yaml - template: - src: "{{ item }}.j2" - dest: "{{ profile_current_release_symlink }}/config/legacy/{{ item }}" - mode: 0644 + mode: "0755" with_items: - - parameters.yaml + - "{{ current_release_config_dir_name }}" + - "{{ current_release_config_dir_name }}/certs" + - "{{ current_release_config_dir_name }}/translations/overrides" + +- name: Put parameters YAML config + ansible.builtin.template: + src: "{{ item }}.yml.j2" + dest: "{{ current_release_config_dir_name }}/{{ item }}.yaml" + mode: "0640" + group: 
"{{ appname }}" + with_items: + - parameters + - global_view_parameters notify: - - "restart php72-fpm" - -- name: Instantiate global_view_parameters.yml.dist - command: mv global_view_parameters.yaml.dist global_view_parameters.yaml - args: - chdir: "{{ profile_current_release_symlink }}/config/legacy/" - creates: "{{ profile_current_release_symlink }}/config/legacy/global_view_parameters.yaml" + - restart {{ appname }} + +- name: Install the engineblock certificate + ansible.builtin.copy: + src: "{{ inventory_dir }}/files/certs/{{ profile_eb_saml_public_key }}" + dest: "{{ current_release_config_dir_name }}/certs/{{ profile_eb_saml_public_key }}" + mode: "0644" + owner: root + group: root - name: Check presence of language specific overrides - local_action: stat path="{{ inventory_dir }}/files/profile/overrides/" + ansible.builtin.stat: + path: "{{ inventory_dir }}/files/profile/overrides/" + delegate_to: localhost register: overrides_present become: false -# Can be removed after 2022-01-01 -- name: Check for wrongly created overrides file (not dir) - stat: - path: "{{ profile_current_release_symlink }}/translations/overrides" - register: overridesisfile - -# Can be removed after 2022-01-01 -- name: Clean up wrongly created overrides file (not dir) - file: - path: "{{ profile_current_release_symlink }}/translations/overrides" - state: absent - when: overrides_present.stat.exists and overridesisfile.stat.exists and overridesisfile.stat.isdir == False - - name: Copy language specific overrides - template: + ansible.builtin.template: src: "{{ item }}" - dest: "{{ profile_current_release_symlink }}/translations/overrides/" + dest: "{{ current_release_config_dir_name }}/translations/overrides/" when: overrides_present.stat.exists with_fileglob: - "{{ inventory_dir }}/files/profile/overrides/*" notify: - - "restart php72-fpm" + - "restart {{ appname }}" - name: Check if we have a custom favicon - local_action: stat path="{{ inventory_dir }}/files/favicon.ico" + 
ansible.builtin.stat: + path: "{{ inventory_dir }}/files/favicon.ico" + delegate_to: localhost register: customfavicon become: false - name: Install environment specific favicon - copy: + ansible.builtin.copy: src: "{{ inventory_dir }}/files/favicon.ico" - dest: "{{ profile_current_release_symlink }}/public/" + dest: "{{ current_release_config_dir_name }}/images/" + owner: root + group: root + mode: "0644" when: customfavicon.stat.exists -- name: Create the symfony cache - command: php72 bin/console cache:clear --env={{ profile_apache_symfony_environment }} --no-debug - args: - chdir: "{{ profile_current_release_symlink }}/" - when: - - not develop - changed_when: false - -- name: Make sure cache dir has correct permissions - file: - path: "{{ profile_current_release_symlink }}/var/cache" - owner: "{{ profile_fpm_user }}" - group: "{{ profile_fpm_user }}" - recurse: yes - changed_when: false - -- name: Make sure log dir has correct permissions - file: - path: "{{ profile_current_release_symlink }}/var/log" - owner: "{{ profile_fpm_user }}" - group: "{{ profile_fpm_user }}" - recurse: yes - changed_when: false - -- name: Install Apache vhost - template: - src: "{{ item }}.j2" - dest: "/etc/httpd/conf.d/{{ item }}" - with_items: - - profile.conf - notify: - - "restart httpd" - -- name: clean up old php-fpm 5.6 config - file: - path: "/etc/php-fpm.d/profile-pool.conf" - state: absent - -- name: php-fpm 72 config - template: - src: "{{ item }}.j2" - dest: "/etc/opt/remi/php72/php-fpm.d/{{ item }}" - with_items: - - profile-pool-72.conf - notify: - - "restart php72-fpm" - -- name: clean up profile <3.0 config - file: - path: "/etc/openconext/profile.yml" - state: absent +- name: Create the container + community.docker.docker_container: + name: "{{ appname }}" + image: ghcr.io/openconext/openconext-profile/profile:{{ profile_version }} + etc_hosts: + host.docker.internal: host-gateway + pull: true + restart_policy: "always" + networks: + - name: "loadbalancer" + labels: 
+ traefik.http.routers.profile.rule: "Host(`{{ profile_vhost_name }}`)" + traefik.http.routers.profile.tls: "true" + traefik.enable: "true" + env: + APACHE_UID: "#{{ profile_uid.uid }}" + APACHE_GUID: "#{{ profile_guid.gid }}" + APP_ENV: prod + HTTPD_CSP: "{{ httpd_csp.strict_with_static_img }}" + mounts: + - source: /opt/openconext/profile + target: /var/www/html/config/openconext + type: bind + - source: /opt/openconext/profile/images/favicon.ico + target: /var/www/html/public/favicon.ico + type: bind - name: Include the role manage_provision_entities to provision profile to Manage - include_role: + ansible.builtin.include_role: name: manage_provision_entities - vars: + vars: entity_type: saml20_sp - -# Remove all dirs, but keep the current version and from the rest the most recent one. -- name: Clean up old releases - shell: ls -td {{ openconext_releases_dir }}/OpenConext-profile-* | grep -v $(readlink {{ profile_current_release_symlink }}) | tail -n +2 | xargs --no-run-if-empty rm -rv - register: clean_releases - changed_when: '"removed" in clean_releases.stdout' - -# Remove all tarballs, but keep the current version and from the rest the most recent one. -- name: Clean up old builds - shell: ls -td {{ openconext_builds_dir }}/OpenConext-profile-* {{ openconext_builds_dir }}/Releases/ | grep -v {{ profile_build_path }} | tail -n +2 | xargs --no-run-if-empty rm -rv - register: clean_builds - changed_when: '"removed" in clean_builds.stdout' diff --git a/roles/profile/templates/global_view_parameters.yml.j2 b/roles/profile/templates/global_view_parameters.yml.j2 new file mode 100644 index 000000000..f39839b42 --- /dev/null +++ b/roles/profile/templates/global_view_parameters.yml.j2 
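Review bot: The container mount with `source: /opt/openconext/profile/images/favicon.ico` is unconditional, but the favicon is only copied when `customfavicon.stat.exists`, and `images` is not among the directories created by "Create some dirs"; when the file is absent Docker creates a directory at that source path, and binding a directory onto the file `/var/www/html/public/favicon.ico` presumably either fails the container start or shadows the image's favicon. Add `"{{ current_release_config_dir_name }}/images"` to the dir list and make the favicon mount depend on `customfavicon.stat.exists`, or mount the directory instead of the single file. The two `source:` paths also hardcode `/opt/openconext/profile` while every other task uses `{{ current_release_config_dir_name }}` (presumably defined in the role's vars/main.yml, outside this view); using the variable in both keeps them from drifting apart.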
@@ -0,0 +1,26 @@ +# This file is auto-generated during the composer install +parameters: + help_url: + en: 'https://support.surfconext.nl/help-profile-en' + nl: 'https://support.surfconext.nl/help-profile-nl' + pt: 'https://support.surfconext.nl/help-profile-en' + privacy_url: + en: 'https://support.surfconext.nl/privacy-en' + nl: 'https://support.surfconext.nl/privacy-nl' + pt: 'https://support.surfconext.nl/privacy-en' + terms_of_service_url: + en: 'https://support.surfconext.nl/terms-en' + nl: 'https://support.surfconext.nl/terms-nl' + pt: 'https://support.surfconext.nl/terms-en' + platform_url: + en: 'https://www.surfconext.nl/en' + nl: 'https://www.surfconext.nl' + pt: 'https://www.surfconext.nl/en' + profile_explanation_image_path: + en: build/images/profile_home_en.png + nl: build/images/profile_home_nl.png + pt: build/images/profile_home_pt.png + attribute_information_url: + en: 'https://support.surfconext.nl/attributes-en' + nl: 'https://support.surfconext.nl/attributes-nl' + pt: 'https://support.surfconext.nl/attributes-en' diff --git a/roles/profile/templates/parameters.yaml.j2 b/roles/profile/templates/parameters.yml.j2 similarity index 94% rename from roles/profile/templates/parameters.yaml.j2 rename to roles/profile/templates/parameters.yml.j2 index 8459f9e2c..6f427dd1d 100644 --- a/roles/profile/templates/parameters.yaml.j2 +++ b/roles/profile/templates/parameters.yml.j2 @@ -1,5 +1,8 @@ parameters: - secret: '{{ profile_secret }}' + app_env: prod + app_debug: false + app_secret: {{ profile_secret }} + secret: {{ profile_secret }} locales: [en, nl] default_locale: {{ profile_default_locale }} open_conext_locale_cookie_key: lang 
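Review bot: The header `# This file is auto-generated during the composer install` is no longer true — the file is now rendered by Ansible from this template — and it invites someone to hand-edit the copy in the container; replace it with `# Managed by Ansible (roles/profile/templates/global_view_parameters.yml.j2) — edit the template, not this file`. Every URL in the file is also hardcoded to support.surfconext.nl and www.surfconext.nl, whereas the role's defaults file states its values "can be overwritten via group or extra vars"; moving these into a dictionary default in `roles/profile/defaults/main.yml` and rendering it here would keep the role usable outside that one environment.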
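Review bot: The new lines `app_secret: {{ profile_secret }}` and `secret: {{ profile_secret }}` drop the single quotes the old `secret: '{{ profile_secret }}'` had, so a secret containing `#`, `:`, `{`, `*`, `&`, `!` or `%`, or one consisting only of digits, is either a YAML parse error or silently coerced to a different value than the one configured. Quote both: `app_secret: '{{ profile_secret }}'` and `secret: '{{ profile_secret }}'`. The same value is written under two keys; if `secret` is only kept for older code paths, a one-line comment saying so would stop the duplication being "cleaned up" later. The `parameters:` block continues outside the hunk.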
@@ -38,7 +41,7 @@ parameters: attribute_aggregation_orcid_logo_path: 'build/images/orcid.png' attribute_aggregation_orcid_connect_url: 'https://link.{{ base_domain }}/orcid?redirectUrl=https://profile.{{ base_domain }}/my-connections' - mailer_url: 'smtp://localhost:25' + mailer_url: 'smtp://{{ smtp_host }}:25' attribute_support_email_from: '{{ noreply_email }}' attribute_support_email_to: '{{ engine_idp_debugging_email_address }}' diff --git a/roles/profile/templates/profile-pool-72.conf.j2 b/roles/profile/templates/profile-pool-72.conf.j2 deleted file mode 100644 index f8d7690a9..000000000 --- a/roles/profile/templates/profile-pool-72.conf.j2 +++ /dev/null 
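Review bot: `mailer_url: 'smtp://{{ smtp_host }}:25'` replaces the loopback relay with a configurable host but keeps plaintext SMTP, so if `smtp_host` points at a remote relay the mail — which, judging by the neighbouring `attribute_support_email_*` keys, may carry user attribute details — crosses the network unencrypted. If the relay can be remote, prefer an `smtps://` DSN or a STARTTLS-capable port; if it is always a local or trusted-network relay, a comment above the line such as `# smtp_host is expected to be a local/trusted relay; no TLS on this hop` records that assumption. `smtp_host` is not defined in this role's defaults, so it presumably comes from group vars.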
@@ -1,225 +0,0 @@ -; Create a new pool named profile. -[profile] - -; The address on which to accept FastCGI requests. -; Valid syntaxes are: -; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific address on -; a specific port; -; 'port' - to listen on a TCP socket to all addresses on a -; specific port; -; '/path/to/unix/socket' - to listen on a unix socket. -; Note: This value is mandatory. - -; Use unix socket -listen = /var/run/php-fpm/profile-pool-72.sock -; Set listen(2) backlog. A value of '-1' means unlimited. -; Default Value: -1 -;listen.backlog = -1 - -; List of ipv4 addresses of FastCGI clients which are allowed to connect. -; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original -; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address -; must be separated by a comma. If this value is left blank, connections will be -; accepted from any ip address. -; Default Value: any -listen.allowed_clients = 127.0.0.1 - -; Set permissions for unix socket, if one is used. In Linux, read/write -; permissions must be set in order to allow connections from a web server. Many -; BSD-derived systems allow connections regardless of permissions. -; Default Values: user and group are set as the running user -; mode is set to 0666 -listen.owner = apache -listen.group = apache -listen.mode = 0640 - -; Unix user/group of processes -; Note: The user is mandatory. If the group is not set, the default user's group -; will be used. -user = {{ profile_fpm_user }} -group = {{ profile_fpm_user }} - -; Choose how the process manager will control the number of child processes. -; Possible Values: -; static - a fixed number (pm.max_children) of child processes; -; dynamic - the number of child processes are set dynamically based on the -; following directives: -; pm.max_children - the maximum number of children that can -; be alive at the same time. -; pm.start_servers - the number of children created on startup. 
-; pm.min_spare_servers - the minimum number of children in 'idle' -; state (waiting to process). If the number -; of 'idle' processes is less than this -; number then some children will be created. -; pm.max_spare_servers - the maximum number of children in 'idle' -; state (waiting to process). If the number -; of 'idle' processes is greater than this -; number then some children will be killed. -; Note: This value is mandatory. -pm = ondemand - -; The number of child processes to be created when pm is set to 'static' and the -; maximum number of child processes to be created when pm is set to 'dynamic'. -; This value sets the limit on the number of simultaneous requests that will be -; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. -; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP -; CGI. -; Note: Used when pm is set to either 'static' or 'dynamic' -; Note: This value is mandatory. -pm.max_children = 20 - -; The number of child processes created on startup. -; Note: Used only when pm is set to 'dynamic' -; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2 -;pm.start_servers = 2 - -; The desired minimum number of idle server processes. -; Note: Used only when pm is set to 'dynamic' -; Note: Mandatory when pm is set to 'dynamic' -;pm.min_spare_servers = 1 - -; The desired maximum number of idle server processes. -; Note: Used only when pm is set to 'dynamic' -; Note: Mandatory when pm is set to 'dynamic' -;pm.max_spare_servers = 5 - -; The number of requests each child process should execute before respawning. -; This can be useful to work around memory leaks in 3rd party libraries. For -; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. -; Default Value: 0 -pm.max_requests = 300 - -; The URI to view the FPM status page. If this value is not set, no URI will be -; recognized as a status page. 
By default, the status page shows the following -; information: -; accepted conn - the number of request accepted by the pool; -; pool - the name of the pool; -; process manager - static or dynamic; -; idle processes - the number of idle processes; -; active processes - the number of active processes; -; total processes - the number of idle + active processes. -; The values of 'idle processes', 'active processes' and 'total processes' are -; updated each second. The value of 'accepted conn' is updated in real time. -; Example output: -; accepted conn: 12073 -; pool: www -; process manager: static -; idle processes: 35 -; active processes: 65 -; total processes: 100 -; By default the status page output is formatted as text/plain. Passing either -; 'html' or 'json' as a query string will return the corresponding output -; syntax. Example: -; http://www.foo.bar/status -; http://www.foo.bar/status?json -; http://www.foo.bar/status?html -; Note: The value must start with a leading slash (/). The value can be -; anything, but it may not be a good idea to use the .php extension or it -; may conflict with a real PHP file. -; Default Value: not set -pm.status_path = /status - -; The ping URI to call the monitoring page of FPM. If this value is not set, no -; URI will be recognized as a ping page. This could be used to test from outside -; that FPM is alive and responding, or to -; - create a graph of FPM availability (rrd or such); -; - remove a server from a group if it is not responding (load balancing); -; - trigger alerts for the operating team (24/7). -; Note: The value must start with a leading slash (/). The value can be -; anything, but it may not be a good idea to use the .php extension or it -; may conflict with a real PHP file. -; Default Value: not set -;ping.path = /ping - -; This directive may be used to customize the response of a ping request. The -; response is formatted as text/plain with a 200 response code. 
-; Default Value: pong -;ping.response = pong - -; The timeout for serving a single request after which the worker process will -; be killed. This option should be used when the 'max_execution_time' ini option -; does not stop script execution for some reason. A value of '0' means 'off'. -; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) -; Default Value: 0 -;request_terminate_timeout = 0 - -; The timeout for serving a single request after which a PHP backtrace will be -; dumped to the 'slowlog' file. A value of '0s' means 'off'. -; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) -; Default Value: 0 -;request_slowlog_timeout = 0 - -; The log file for slow requests -; Default Value: not set -; Note: slowlog is mandatory if request_slowlog_timeout is set -slowlog = /var/log/php-fpm/www-slow.log - -; Set open file descriptor rlimit. -; Default Value: system defined value -;rlimit_files = 1024 - -; Set max core size rlimit. -; Possible Values: 'unlimited' or an integer greater or equal to 0 -; Default Value: system defined value -;rlimit_core = 0 - -; Chroot to this directory at the start. This value must be defined as an -; absolute path. When this value is not set, chroot is not used. -; Note: chrooting is a great security feature and should be used whenever -; possible. However, all PHP paths will be relative to the chroot -; (error_log, sessions.save_path, ...). -; Default Value: not set -;chroot = - -; Chdir to this directory at the start. This value must be an absolute path. -; Default Value: current directory or / when chroot -;chdir = /var/www - -; Redirect worker stdout and stderr into main error log. If not set, stdout and -; stderr will be redirected to /dev/null according to FastCGI specs. -; Default Value: no -;catch_workers_output = yes - -; Limits the extensions of the main script FPM will allow to parse. This can -; prevent configuration mistakes on the web server side. 
You should only limit -; FPM to .php extensions to prevent malicious users to use other extensions to -; exectute php code. -; Note: set an empty value to allow all extensions. -; Default Value: .php -;security.limit_extensions = .php .php3 .php4 .php5 - -; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from -; the current environment. -; Default Value: clean env -;env[HOSTNAME] = $HOSTNAME -;env[PATH] = /usr/local/bin:/usr/bin:/bin -;env[TMP] = /tmp -;env[TMPDIR] = /tmp -;env[TEMP] = /tmp - -; Additional php.ini defines, specific to this pool of workers. These settings -; overwrite the values previously defined in the php.ini. The directives are the -; same as the PHP SAPI: -; php_value/php_flag - you can set classic ini defines which can -; be overwritten from PHP call 'ini_set'. -; php_admin_value/php_admin_flag - these directives won't be overwritten by -; PHP call 'ini_set' -; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no. - -; Defining 'extension' will load the corresponding shared extension from -; extension_dir. Defining 'disable_functions' or 'disable_classes' will not -; overwrite previously defined php.ini values, but will append the new value -; instead. - -; Default Value: nothing is defined by default except the values in php.ini and -; specified at startup with the -d argument -;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com -;php_flag[display_errors] = off -php_admin_value[error_log] = /var/log/php-fpm/profile-error.log -php_admin_flag[log_errors] = on -;php_admin_value[memory_limit] = 128M - -; Set session path to a directory owned by process user -php_value[session.save_handler] = files -php_value[session.save_path] = {{ php_session_dir }}/profile -php_value[disable_functions] = {{ php_disabled_functions }} diff --git a/roles/profile/templates/profile.conf.j2 b/roles/profile/templates/profile.conf.j2 deleted file mode 100644 index dece65bc8..000000000 
--- a/roles/profile/templates/profile.conf.j2 +++ /dev/null @@ -1,53 +0,0 @@ -{% if apache_app_listen_address.profile is defined %} -Listen {{ apache_app_listen_address.profile }}:{{ loadbalancing.profile.port }} - -{% else %} - -{% endif %} - ServerName {{ profile_domain }} - ServerAdmin {{ admin_email }} - - DocumentRoot {{ profile_current_release_symlink }}/public - - SetEnv APP_ENV {{ profile_apache_symfony_environment }} - SetEnv HTTPS on - - - Require all granted - - Options -MultiViews - RewriteEngine On - RewriteCond %{REQUEST_FILENAME} !-f - RewriteRule ^(.*)$ index.php [QSA,L] - - - Header always set Referrer-Policy "strict-origin-when-cross-origin" - Header always set Content-Security-Policy "{{ httpd_csp.strict_with_static_img }}" - - # Proxy the requests to FPM - ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/var/run/php-fpm/profile-pool-72.sock|fcgi://localhost/{{ profile_current_release_symlink }}/public/$1 - - ErrorLog "|/usr/bin/logger -S 32k -p local3.err -t 'Apache-PROFILE'" - CustomLog "|/usr/bin/logger -S 32k -p local3.info -t 'Apache-PROFILE'" combined - {% if haproxy_backend_tls %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/backend.{{ base_domain }}.pem - SSLCertificateKeyFile {{ tls.cert_private_path }}/backend.{{ base_domain }}.key - Include ssl_backend.conf - {% endif %} - - {% if apache_app_listen_address.all is defined %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/{{ tls_star_cert }} - SSLCertificateKeyFile {{ tls.cert_private_path }}/{{ tls_star_cert_key }} - SSLCertificateChainFile {{ tls.cert_path_ca }}/{{ tls_ca }} - Include ssl_backend.conf - {% endif %} - - ExpiresActive on - ExpiresByType font/* "access plus 1 year" - ExpiresByType image/* "access plus 6 months" - ExpiresByType text/css "access plus 1 year" - ExpiresByType text/js "access plus 1 year" - - diff --git a/roles/profile/vars/main.yml b/roles/profile/vars/main.yml index fcd768a4f..96e501593 100644 --- a/roles/profile/vars/main.yml 
+++ b/roles/profile/vars/main.yml
@@ -1,8 +1,11 @@
+appname: "profile"
+current_release_config_dir_name: "/opt/openconext/{{ appname }}"
+
 manage_provision_samlsp_client_id: "{{ profile_manage_provision_samlsp_client_id }}"
-manage_provision_samlsp_name_en: "{{ profile_manage_provision_samlsp_name_en }}"
-manage_provision_samlsp_description_en: "{{ profile_manage_provision_samlsp_description_en }}"
-manage_provision_samlsp_acs_location: "{{ profile_manage_provision_samlsp_acs_location }}"
-manage_provision_samlsp_metadata_url: "{{ profile_manage_provision_samlsp_metadata_url }}"
+manage_provision_samlsp_name_en: "{{ profile_manage_provision_samlsp_name_en }}"
+manage_provision_samlsp_description_en: "{{ profile_manage_provision_samlsp_description_en }}"
+manage_provision_samlsp_acs_location: "{{ profile_manage_provision_samlsp_acs_location }}"
+manage_provision_samlsp_metadata_url: "{{ profile_manage_provision_samlsp_metadata_url }}"
 manage_provision_samlsp_sp_cert: "{{ profile_manage_provision_samlsp_sp_cert }}"
 manage_provision_samlsp_trusted_proxy: "{{ profile_manage_provision_samlsp_trusted_proxy }}"
 manage_provision_samlsp_sign: "{{ profile_manage_provision_samlsp_sign }}"
From 95552cf1cc819ab5fbfe851827c35ac38dee088a Mon Sep 17 00:00:00 2001 From: Thijs Kinkhorst Date: Mon, 22 Apr 2024 10:40:35 +0200 Subject: [PATCH 054/114] Updates for profile 4.0 --- roles/profile/tasks/main.yml | 4 ++-- roles/profile/templates/parameters.yml.j2 | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/roles/profile/tasks/main.yml b/roles/profile/tasks/main.yml
index df91dce0e..b2bb827d7 100644
--- a/roles/profile/tasks/main.yml
+++ b/roles/profile/tasks/main.yml
@@ -23,7 +23,7 @@
 with_items:
 - "{{ current_release_config_dir_name }}"
 - "{{ current_release_config_dir_name }}/certs"
- - "{{ current_release_config_dir_name }}/translations/overrides"
+ - "{{ current_release_config_dir_name }}/translationoverrides"
 - name: Put parameters YAML config
 ansible.builtin.template:
@@ -55,7 +55,7 @@
 - name: Copy language specific overrides
 ansible.builtin.template:
 src: "{{ item }}"
- dest: "{{ current_release_config_dir_name }}/translations/overrides/"
+ dest: "{{ current_release_config_dir_name }}/translationoverrides/"
 when: overrides_present.stat.exists
 with_fileglob:
 - "{{ inventory_dir }}/files/profile/overrides/*"
diff --git a/roles/profile/templates/parameters.yml.j2 b/roles/profile/templates/parameters.yml.j2
index 6f427dd1d..93158f055 100644
--- a/roles/profile/templates/parameters.yml.j2
+++ b/roles/profile/templates/parameters.yml.j2
@@ -2,7 +2,7 @@ parameters:
 app_env: prod
 app_debug: false
 app_secret: {{ profile_secret }}
- secret: {{ profile_secret }}
+
 locales: [en, nl]
 default_locale: {{ profile_default_locale }}
 open_conext_locale_cookie_key: lang
@@ -58,3 +58,6 @@ parameters:
 session_handler: ~
 # Database settings when using a db to store sessions. Unused in the default setup
 dsn: mysql://profilerw:secret@localhost/profile?serverVersion=5.7
+
+ # which context class ref is used for the saml bundle
+ authentication_context_class_ref: ~
From bfdca3710944c02ab2f1a724e9de3595ecbe9958 Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Thu, 2 May 2024 11:30:09 +0200 Subject: [PATCH 055/114] Added default for missing env variable invite_cronjobmaster --- roles/invite/defaults/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/roles/invite/defaults/main.yml b/roles/invite/defaults/main.yml
index 8d54ac551..60e35df36 100644
--- a/roles/invite/defaults/main.yml
+++ b/roles/invite/defaults/main.yml
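Review bot: The new `authentication_context_class_ref: ~` in the last parameters.yml.j2 hunk is a hard-coded null where every neighbouring setting in this template is driven by an inventory variable, so a deployment that needs a specific AuthnContextClassRef (for instance to require a stronger authentication context from the IdP) would have to patch the template. `authentication_context_class_ref: {{ profile_authentication_context_class_ref | default('~') }}` (a proposed new variable, not one that exists yet) keeps the null default and makes it overridable per environment. The `@@ -2,7` hunk replaces the dropped `secret:` line with an empty line inside the `parameters:` map, which is harmless but reads as a leftover. The two tasks/main.yml hunks are consistent with each other: `translationoverrides` is created and then used as the copy target.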
@@ -2,7 +2,7 @@ invite_manage_provision_oidcrp_client_id: "{{ invite.oidc_client_id }}" invite_manage_provision_oidcrp_name_en: "{{ instance_name }} invite" invite_manage_provision_oidcrp_description_en: "{{ instance_name }} invite" invite_manage_provision_oidcrp_secret: "{{ invite.oidc_secret }}" -invite_manage_provision_oidcrp_redirecturls: "https://invite.{{ base_domain }}/login/oauth2/code/oidcng" +invite_manage_provision_oidcrp_redirecturls: "https://invite.{{ base_domain }}/login/oauth2/code/oidcng" invite_manage_provision_oidcrp_grants: "authorization_code" invite_manage_provision_oidcrp_allowed_resource_servers: '{"name": "{{ invite.resource_server_id }}"}' invite_manage_provision_oidcrp_is_public_client: false @@ -13,3 +13,5 @@ invite_manage_provision_oauth_rs_client_id: "{{ invite.resource_server_id }}" invite_manage_provision_oauth_rs_rp_secret: "{{ invite.resource_server_secret }}" invite_manage_provision_oauth_rs_scopes: "openid" invite_mock_install: false +# Override is in the dockerX.env host_var files +invite_cronjobmaster: true From 1ab36a0e175069e8f0a696b47508ebe0eaa00059 Mon Sep 17 00:00:00 2001 From: Thijs Kinkhorst Date: Fri, 3 May 2024 15:18:27 +0200 Subject: [PATCH 056/114] Improve SAML xml metadata content type to be compliant with SAML metadata spec 4.1.1 --- roles/metadata/templates/metadata.conf.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/metadata/templates/metadata.conf.j2 b/roles/metadata/templates/metadata.conf.j2 index 2d7eaea3d..292e9ed32 100644 --- a/roles/metadata/templates/metadata.conf.j2 +++ b/roles/metadata/templates/metadata.conf.j2 @@ -18,8 +18,9 @@ Listen {{ apache_app_listen_address.metadata }}:{{ loadbalancing.metadata.port } Header always set X-XSS-Protection "1; mode=block" AddType application/x-pem-file .pem + AddType application/samlmetadata+xml .xml - ForceType text/xml + ForceType application/samlmetadata+xml ErrorLog "|/usr/bin/logger -S 32k -p local3.err -t 'Apache-METADATA'" 
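Review bot: Defaulting `invite_cronjobmaster: true` means every host that lacks an explicit override in its host_vars will consider itself the cron master; if the flag gates scheduled jobs, as the name and the comment `# Override is in the dockerX.env host_var files` suggest but the hunk cannot confirm, a forgotten override yields duplicate runs rather than none. A default of `false` with an explicit opt-in on the one designated host fails safe, and the comment could then read `# Set to true on exactly one host (see the dockerX.env host_var files)`. The first hunk replaces the `invite_manage_provision_oidcrp_redirecturls` line with one that reads identically here, presumably a trailing-whitespace change.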
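Review bot: `AddType application/samlmetadata+xml .xml` applies to every `.xml` file in its scope, while the `ForceType application/samlmetadata+xml` line below already fixes the type for the metadata location, so one of the two is redundant; the rendering appears to have dropped the enclosing Directory/Location lines of this hunk, so whether the AddType is vhost-wide or scoped cannot be told from here. If the vhost serves nothing but metadata documents the two are equivalent and the AddType can go; otherwise the ForceType alone is the precise change. A comment such as `# SAML metadata spec 4.1.1: serve as application/samlmetadata+xml` would record the intent that currently lives only in the commit message.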
From 22d8a1de063a77272bda5b613a79c2b036bb5742 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Mon, 6 May 2024 11:34:01 +0200 Subject: [PATCH 057/114] Unify the naming of the smtp_server config parameter. Some configs referred to smtp_host, others to smtp_server. The remaining parameter is smtp_server --- roles/invite/templates/serverapplication.yml.j2 | 2 +- roles/pdp/templates/serverapplication.properties.j2 | 2 +- roles/profile/templates/parameters.yml.j2 | 2 +- roles/teams/templates/serverapplication.yml.j2 | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/roles/invite/templates/serverapplication.yml.j2 b/roles/invite/templates/serverapplication.yml.j2
index e8f75babf..738527c96 100644
--- a/roles/invite/templates/serverapplication.yml.j2
+++ b/roles/invite/templates/serverapplication.yml.j2
@@ -66,7 +66,7 @@ spring:
 locations: classpath:db/{vendor}/migration
 fail-on-missing-locations: true
 mail:
- host: {{ smtp_host }}
+ host: {{ smtp_server }}
 crypto:
 development-mode: False
diff --git a/roles/pdp/templates/serverapplication.properties.j2 b/roles/pdp/templates/serverapplication.properties.j2
index 00e9d7da4..e8b91bf17 100644
--- a/roles/pdp/templates/serverapplication.properties.j2
+++ b/roles/pdp/templates/serverapplication.properties.j2
@@ -27,7 +27,7 @@ spring.flyway.enabled={{ pdp_spring_flyway_enabled }}
 spring.mvc.dispatch-options-request=true
 spring.flyway.validate-on-migrate=false
 spring.flyway.table=schema_version
-spring.mail.host={{ smtp_host }}
+spring.mail.host={{ smtp_server }}
 spring.mail.port=25
 email.base_url=https://pdp.{{ base_domain }}/conflicts
diff --git a/roles/profile/templates/parameters.yml.j2 b/roles/profile/templates/parameters.yml.j2
index 93158f055..35baf6e56 100644
--- a/roles/profile/templates/parameters.yml.j2
+++ b/roles/profile/templates/parameters.yml.j2
@@ -41,7 +41,7 @@ parameters:
 attribute_aggregation_orcid_logo_path: 'build/images/orcid.png'
 attribute_aggregation_orcid_connect_url: 'https://link.{{ base_domain }}/orcid?redirectUrl=https://profile.{{ base_domain }}/my-connections'
- mailer_url: 'smtp://{{ smtp_host }}:25'
+ mailer_url: 'smtp://{{ smtp_server }}:25'
 attribute_support_email_from: '{{ noreply_email }}'
 attribute_support_email_to: '{{ engine_idp_debugging_email_address }}'
diff --git a/roles/teams/templates/serverapplication.yml.j2 b/roles/teams/templates/serverapplication.yml.j2
index ba667352a..059a1271a 100644
--- a/roles/teams/templates/serverapplication.yml.j2
+++ b/roles/teams/templates/serverapplication.yml.j2
@@ -99,7 +99,7 @@ spring:
 username: {{ teams.db_user }}
 password: {{ teams.db_password }}
 mail:
- host: {{ smtp_host }}
+ host: {{ smtp_server }}
 port: 25
 main:
 banner-mode: "off"
From f79d50eec14d7d3bbd9d55676a6186660cd07221 Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Mon, 6 May 2024 15:23:25 +0200 Subject: [PATCH 058/114] New release_as use_as_nameid for the ARP --- .../metadata_configuration/oidc10_rp.schema.json.j2 | 10 ++++++++++ .../metadata_configuration/saml20_sp.schema.json.j2 | 9 +++++++++ .../single_tenant_template.schema.json.j2 | 9 +++++++++ 3 files changed, 28 insertions(+)
diff --git a/roles/manage-server/templates/metadata_configuration/oidc10_rp.schema.json.j2 b/roles/manage-server/templates/metadata_configuration/oidc10_rp.schema.json.j2
index 4dc3e694b..1d0f59fb0 100644
--- a/roles/manage-server/templates/metadata_configuration/oidc10_rp.schema.json.j2
+++ b/roles/manage-server/templates/metadata_configuration/oidc10_rp.schema.json.j2
@@ -23,7 +23,17 @@
 },
 "value": {
 "type": "string"
+ },
+ "motivation": {
+ "type": "string"
+ },
+ "release_as": {
+ "type": "string"
+ },
+ "use_as_nameid": {
+ "type": "boolean"
 }
+ }
 }
 }
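Review bot: The oidc10_rp hunk adds one closing brace more than its siblings: after the context `}` that closes the new `use_as_nameid` object it inserts `+ }`, which is why the diffstat shows 10 insertions here against 9 for the saml20_sp and single_tenant_template hunks in the next section, so either the old oidc10_rp schema was one brace short or the new one has one too many. Please confirm the rendered template still parses (for example `python -m json.tool` on the rendered file), ideally as a CI check over every `*.schema.json.j2` template, since a malformed schema would only surface when Manage loads it. Independently, `release_as` is declared as a bare `"type": "string"`; if it names the attribute under which the value is released, adding `"minLength": 1` prevents an empty rename from being accepted, and the same applies to the two sibling hunks.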
diff --git a/roles/manage-server/templates/metadata_configuration/saml20_sp.schema.json.j2 b/roles/manage-server/templates/metadata_configuration/saml20_sp.schema.json.j2
index 8c54765fa..9224943bd 100644
--- a/roles/manage-server/templates/metadata_configuration/saml20_sp.schema.json.j2
+++ b/roles/manage-server/templates/metadata_configuration/saml20_sp.schema.json.j2
@@ -51,6 +51,15 @@
 },
 "value": {
 "type": "string"
+ },
+ "motivation": {
+ "type": "string"
+ },
+ "release_as": {
+ "type": "string"
+ },
+ "use_as_nameid": {
+ "type": "boolean"
 }
 }
 }
diff --git a/roles/manage-server/templates/metadata_configuration/single_tenant_template.schema.json.j2 b/roles/manage-server/templates/metadata_configuration/single_tenant_template.schema.json.j2
index 0772b2549..0a928e7fe 100644
--- a/roles/manage-server/templates/metadata_configuration/single_tenant_template.schema.json.j2
+++ b/roles/manage-server/templates/metadata_configuration/single_tenant_template.schema.json.j2
@@ -37,6 +37,15 @@
 },
 "value": {
 "type": "string"
+ },
+ "motivation": {
+ "type": "string"
+ },
+ "release_as": {
+ "type": "string"
+ },
+ "use_as_nameid": {
+ "type": "boolean"
 }
 }
 }
From 33d774697fe603a825c5fccf36b987ca7bbab24e Mon Sep 17 00:00:00 2001
From: Bart Geesink Date: Tue, 7 May 2024 12:13:28 +0200 Subject: [PATCH 059/114] Lifecycle: Move to docker --- roles/lifecycle/defaults/main.yml | 23 -- roles/lifecycle/handlers/main.yml | 6 + roles/lifecycle/tasks/install-branch.yml | 45 ---- roles/lifecycle/tasks/install-release.yml | 32 --- roles/lifecycle/tasks/main.yml | 141 ++++------- .../templates/lifecycle-pool-72.conf.j2 | 225 ------------------ roles/lifecycle/templates/lifecycle.conf.j2 | 35 --- roles/lifecycle/templates/makeRelease.sh.j2 | 92 ------- roles/lifecycle/templates/parameters.yml.j2 | 3 + roles/lifecycle/vars/main.yml | 13 + 10 files changed, 72 insertions(+), 543 deletions(-) delete mode 100644 roles/lifecycle/defaults/main.yml create mode 100644 roles/lifecycle/handlers/main.yml delete mode 100644 roles/lifecycle/tasks/install-branch.yml delete mode 100644 roles/lifecycle/tasks/install-release.yml delete mode 100644 roles/lifecycle/templates/lifecycle-pool-72.conf.j2 delete mode 100644 roles/lifecycle/templates/lifecycle.conf.j2 delete mode 100644 roles/lifecycle/templates/makeRelease.sh.j2 create mode 100644 roles/lifecycle/vars/main.yml diff --git a/roles/lifecycle/defaults/main.yml b/roles/lifecycle/defaults/main.yml deleted file mode 100644 index b22afc29e..000000000 --- a/roles/lifecycle/defaults/main.yml +++ /dev/null 
@@ -1,23 +0,0 @@ ---- -# -lifecycle_version: '' -# Lifecycle installer specific variables -lifecycle_version_dir: "{{ lifecycle_version | replace('/', '-') }}" -lifecycle_branch_dir: "{{ openconext_builds_dir }}/OpenConext-user-lifecycle-{{ lifecycle_branch | replace('/', '-') }}" -lifecycle_release_dir: "{{ openconext_releases_dir }}/OpenConext-user-lifecycle-{{ lifecycle_version_dir }}" -lifecycle_build_path: "{{ openconext_builds_dir }}/OpenConext-user-lifecycle-{{ lifecycle_version_dir }}.tar.gz" -lifecycle_download_url: "https://github.com/OpenConext/OpenConext-user-lifecycle/releases/download/{{ lifecycle_version }}/OpenConext-user-lifecycle-{{ lifecycle_version_dir }}.tar.gz" -lifecycle_current_release_symlink: "{{ openconext_releases_dir }}/OpenConext-user-lifecycle" - -lifecycle_user: lifecycle -lifecycle_data_dir: /opt/openconext/OpenConext-lifecycle -lifecycle_symfony_env: prod -lifecycle_apache_symfony_environment: prod -lifecycle_eb_logins_db: eb_logins -lifecycle_db_host: localhost -lifecycle_user_quota: 1500 -lifecycle_inactivity_period: 37 -lifecycle_api_enabled: true -lifecycle_api_password: secret -lifecycle_api_username: lifecycle - diff --git a/roles/lifecycle/handlers/main.yml b/roles/lifecycle/handlers/main.yml new file mode 100644 index 000000000..8c65fdb80 --- /dev/null +++ b/roles/lifecycle/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: restart lifecycle + community.docker.docker_container: + name: lifecycle + state: started + restart: true diff --git a/roles/lifecycle/tasks/install-branch.yml b/roles/lifecycle/tasks/install-branch.yml deleted file mode 100644 index c3c7dfaca..000000000 --- a/roles/lifecycle/tasks/install-branch.yml +++ /dev/null 
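Review bot: The new handler hard-codes the container as `name: lifecycle`, while the tasks in this same patch create the container as `name: "{{ appname }}"` and notify `restart {{ appname }}`, so the handler only finds the right container for as long as `appname` happens to be `lifecycle`; `name: "{{ appname }}"` in the handler keeps the two in step. The deleted defaults/main.yml also removed the defaults for `lifecycle_user` and `lifecycle_version`, both of which tasks/main.yml still references; presumably they moved to the new vars/main.yml listed in the diffstat, which is not shown here, and that is worth confirming before merge since an undefined `lifecycle_version` would fail the image pull at run time.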
@@ -1,45 +0,0 @@ ---- -- name: Check if target dir exists - stat: - path: "{{ lifecycle_release_dir }}" - register: lifecycle_dir - -- name: Create build dir - file: - path: "{{ lifecycle_branch_dir }}" - state: directory - - #- name: Checkout lifecycle branch - #git: - # repo: https://github.com/OpenConext/OpenConext-lifecycle-user.git - # dest: "{{ lifecycle_branch_dir }}" - # version: "{{ lifecycle_branch }}" - # force: yes - #register: lifecycle_gitclone -- name: Copy makerelease.sh - template: - src: "makeRelease.sh.j2" - dest: "{{lifecycle_branch_dir}}/makeRelease.sh" - mode: 0770 - -- name: Make release - command: "./makeRelease.sh {{ lifecycle_branch }}" - environment: - HOME: "{{ openconext_builds_dir }}" - args: - chdir: "{{ lifecycle_branch_dir }}" - -- name: Unpack current version - unarchive: - src: "{{ openconext_builds_dir }}/Releases/OpenConext-user-lifecycle-{{ lifecycle_branch | replace('/', '_') }}.tar.gz" - dest: "{{ openconext_releases_dir }}" - copy: no - -- name: Activate new lifecycle branch - file: - src: "{{ openconext_releases_dir }}/OpenConext-user-lifecycle-{{ lifecycle_branch | replace('/', '_') }}" - dest: "{{ lifecycle_current_release_symlink }}" - state: link - notify: - - "restart httpd" - - "restart php72-fpm" diff --git a/roles/lifecycle/tasks/install-release.yml b/roles/lifecycle/tasks/install-release.yml deleted file mode 100644 index cd6820db6..000000000 --- a/roles/lifecycle/tasks/install-release.yml +++ /dev/null 
@@ -1,32 +0,0 @@ ---- -- name: Check if target dir exists - stat: - path: "{{ lifecycle_current_release_symlink }}" - follow: no - register: lifecycle_dir - -- name: Download current version - get_url: - url: "{{ lifecycle_download_url }}" - dest: "{{ lifecycle_build_path }}" - register: lifecycle_download - -- name: Unpack current version - unarchive: - src: "{{ lifecycle_build_path }}" - dest: "{{ openconext_releases_dir }}" - copy: no - when: - - lifecycle_download.changed or lifecycle_dir.stat.lnk_source != lifecycle_release_dir - -- name: Activate new Lifecycle release - file: - src: "{{ lifecycle_release_dir }}" - dest: "{{ lifecycle_current_release_symlink }}" - state: link - notify: - - "restart httpd" - - "restart php72-fpm" - when: - - lifecycle_download.changed or lifecycle_dir.stat.lnk_source != lifecycle_release_dir - diff --git a/roles/lifecycle/tasks/main.yml b/roles/lifecycle/tasks/main.yml index ed09c7bf7..2c5c99e3b 100644 --- a/roles/lifecycle/tasks/main.yml +++ b/roles/lifecycle/tasks/main.yml 
@@ -1,108 +1,67 @@ - name: Add group {{ lifecycle_user }} - group: + ansible.builtin.group: name: "{{ lifecycle_user }}" state: present + register: lifecycle_guid - name: Add user {{ lifecycle_user }} - user: + ansible.builtin.user: name: "{{ lifecycle_user }}" group: "{{ lifecycle_user }}" - createhome: yes + createhome: true state: present + register: lifecycle_uid -- name: Create php session dir for lifecycle - file: - path: "{{ php_session_dir }}/lifecycle" +- name: Create config dirs sajsdjasjaksa + ansible.builtin.file: state: directory - owner: "{{ lifecycle_user }}" + dest: "{{ item }}" + owner: root group: root - mode: 0770 - -- name: Install Apache vhost - template: - src: lifecycle.conf.j2 - dest: /etc/httpd/conf.d/lifecycle.conf - notify: "reload httpd" - -- name: Clean up old php-fpm 5.6 config - file: - path: "/etc/php-fpm.d/lifecycle-pool.conf" - state: absent - -- name: php-fpm 72 config - template: - src: "{{ item }}.j2" - dest: "/etc/opt/remi/php72/php-fpm.d/{{ item }}" + mode: "0755" with_items: - - lifecycle-pool-72.conf - notify: - - "restart php72-php-fpm" + - "{{ current_release_config_dir_name }}" -- name: Include install-branch.yml - include_tasks: install-branch.yml - when: lifecycle_branch is defined and lifecycle_branch != '' - -- name: Include install-release.yml - include_tasks: install-release.yml - when: lifecycle_branch is not defined or lifecycle_branch == '' - -- name: Place parameters.yml - template: - src: "{{ item }}.j2" - dest: "{{ lifecycle_current_release_symlink }}/config/legacy/{{ item }}" - mode: 0644 +- name: Put parameters YAML config + ansible.builtin.template: + src: "{{ item }}.yml.j2" + dest: "{{ current_release_config_dir_name }}/{{ item }}.yaml" + mode: "0640" + group: "{{ appname }}" with_items: - - parameters.yml + - parameters notify: - - "restart php72-fpm" - -- name: Place .envl file - copy: - src: env - dest: "{{ lifecycle_current_release_symlink }}/.env" - mode: 0644 - -- name: Create the symfony cache - 
command: "/usr/bin/php72 bin/console cache:clear --env={{ lifecycle_apache_symfony_environment }} --no-debug" - args: - chdir: "{{ lifecycle_current_release_symlink }}/" - when: - - not develop - changed_when: false - -- name: Make sure cache dir has correct permissions - file: - path: "{{ lifecycle_current_release_symlink }}/var/cache" - owner: "{{ lifecycle_user }}" - group: "{{ lifecycle_user }}" - recurse: yes - changed_when: false - -- name: Make sure log dir has correct permissions - file: - path: "{{ lifecycle_current_release_symlink }}/var/logs" - owner: "{{ lifecycle_user }}" - group: "{{ lifecycle_user }}" - recurse: yes - changed_when: false - - # Remove all dirs, but keep the current version and from the rest the most recent one. -- name: Clean up old releases - shell: ls -td {{ openconext_releases_dir }}/OpenConext-user-lifecycle-* | grep -v $(readlink {{ lifecycle_current_release_symlink }}) | tail -n +2 | xargs --no-run-if-empty rm -rv - register: clean_releases - changed_when: '"removed" in clean_releases.stdout' + - restart {{ appname }} -# Remove all tarballs, but keep the current version and from the rest the most recent one. 
-- name: Clean up old builds - shell: ls -td {{ openconext_builds_dir }}/OpenConext-user-lifecycle-* {{ openconext_builds_dir }}/Releases/ | grep -v {{ lifecycle_build_path }} | tail -n +2 | xargs --no-run-if-empty rm -rv - register: clean_builds - changed_when: '"removed" in clean_builds.stdout' +- name: Create the container + community.docker.docker_container: + name: "{{ appname }}" + image: ghcr.io/openconext/openconext-user-lifecycle/user-lifecycle:{{ lifecycle_version }} + etc_hosts: + host.docker.internal: host-gateway + pull: true + restart_policy: "always" + networks: + - name: "loadbalancer" + labels: + traefik.http.routers.lifecycle.rule: "Host(`lifecycle.{{ base_domain }}`)" + traefik.http.routers.lifecycle.tls: "true" + traefik.enable: "true" + env: + APACHE_UID: "#{{ lifecycle_uid.uid }}" + APACHE_GUID: "#{{ lifecycle_guid.gid }}" + APP_ENV: prod + HTTPD_CSP: "{{ httpd_csp.strict }}" + mounts: + - source: /opt/openconext/lifecycle + target: /var/www/html/config/openconext + type: bind -- name: Create daily cronjob - cron: - name: lifecycle run - minute: "8" - hour: "01" - user: "{{ lifecycle_user }}" - job: "/usr/bin/php72 {{ lifecycle_current_release_symlink }}/userlifecycle deprovision" - cron_file: user_lifecycle +#- name: Create daily cronjob + # cron: + # name: lifecycle run + # minute: "8" + # hour: "01" + # user: "{{ lifecycle_user }}" + # job: "/usr/bin/php72 {{ lifecycle_current_release_symlink }}/userlifecycle deprovision" + # cron_file: user_lifecycle diff --git a/roles/lifecycle/templates/lifecycle-pool-72.conf.j2 b/roles/lifecycle/templates/lifecycle-pool-72.conf.j2 deleted file mode 100644 index ef2217ba1..000000000 --- a/roles/lifecycle/templates/lifecycle-pool-72.conf.j2 +++ /dev/null 
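Review bot: The daily deprovision cron job is removed by commenting it out (`#- name: Create daily cronjob` through `# cron_file: user_lifecycle`) and nothing in the new `community.docker.docker_container` task replaces it, so after this change the `userlifecycle deprovision` run is no longer scheduled anywhere in this role; if a replacement lives elsewhere it should be named in a comment, otherwise this silently drops the function the role exists for. Delete the dead YAML and track the replacement (a host cron invoking the command inside the container, or a scheduler in the image) in a comment such as `# TODO: reinstate the daily deprovision run for the containerised app`. Two smaller points in the same hunk: the task name `Create config dirs sajsdjasjaksa` contains leftover keyboard noise, and the bind mount `source: /opt/openconext/lifecycle` hard-codes a path that the earlier task creates from `{{ current_release_config_dir_name }}`, so `source: "{{ current_release_config_dir_name }}"` keeps the two in sync. The hunk starts at the top of the file and ends with the commented-out cron block.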
@@ -1,225 +0,0 @@ -; Create a new pool named lifecycle. -[lifecycle] - -; The address on which to accept FastCGI requests. -; Valid syntaxes are: -; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific address on -; a specific port; -; 'port' - to listen on a TCP socket to all addresses on a -; specific port; -; '/path/to/unix/socket' - to listen on a unix socket. -; Note: This value is mandatory. - -; Use unix socket -listen = /var/run/php-fpm/lifecycle-pool-72.sock -; Set listen(2) backlog. A value of '-1' means unlimited. -; Default Value: -1 -;listen.backlog = -1 - -; List of ipv4 addresses of FastCGI clients which are allowed to connect. -; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original -; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address -; must be separated by a comma. If this value is left blank, connections will be -; accepted from any ip address. -; Default Value: any -listen.allowed_clients = 127.0.0.1 - -; Set permissions for unix socket, if one is used. In Linux, read/write -; permissions must be set in order to allow connections from a web server. Many -; BSD-derived systems allow connections regardless of permissions. -; Default Values: user and group are set as the running user -; mode is set to 0666 -listen.owner = apache -listen.group = apache -listen.mode = 0640 - -; Unix user/group of processes -; Note: The user is mandatory. If the group is not set, the default user's group -; will be used. -user = {{ lifecycle_user }} -group = {{ lifecycle_user }} - -; Choose how the process manager will control the number of child processes. -; Possible Values: -; static - a fixed number (pm.max_children) of child processes; -; dynamic - the number of child processes are set dynamically based on the -; following directives: -; pm.max_children - the maximum number of children that can -; be alive at the same time. -; pm.start_servers - the number of children created on startup. 
-; pm.min_spare_servers - the minimum number of children in 'idle' -; state (waiting to process). If the number -; of 'idle' processes is less than this -; number then some children will be created. -; pm.max_spare_servers - the maximum number of children in 'idle' -; state (waiting to process). If the number -; of 'idle' processes is greater than this -; number then some children will be killed. -; Note: This value is mandatory. -pm = ondemand - -; The number of child processes to be created when pm is set to 'static' and the -; maximum number of child processes to be created when pm is set to 'dynamic'. -; This value sets the limit on the number of simultaneous requests that will be -; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. -; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP -; CGI. -; Note: Used when pm is set to either 'static' or 'dynamic' -; Note: This value is mandatory. -pm.max_children = 20 - -; The number of child processes created on startup. -; Note: Used only when pm is set to 'dynamic' -; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2 -;pm.start_servers = 2 - -; The desired minimum number of idle server processes. -; Note: Used only when pm is set to 'dynamic' -; Note: Mandatory when pm is set to 'dynamic' -;pm.min_spare_servers = 1 - -; The desired maximum number of idle server processes. -; Note: Used only when pm is set to 'dynamic' -; Note: Mandatory when pm is set to 'dynamic' -;pm.max_spare_servers = 5 - -; The number of requests each child process should execute before respawning. -; This can be useful to work around memory leaks in 3rd party libraries. For -; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. -; Default Value: 0 -pm.max_requests = 300 - -; The URI to view the FPM status page. If this value is not set, no URI will be -; recognized as a status page. 
By default, the status page shows the following -; information: -; accepted conn - the number of request accepted by the pool; -; pool - the name of the pool; -; process manager - static or dynamic; -; idle processes - the number of idle processes; -; active processes - the number of active processes; -; total processes - the number of idle + active processes. -; The values of 'idle processes', 'active processes' and 'total processes' are -; updated each second. The value of 'accepted conn' is updated in real time. -; Example output: -; accepted conn: 12073 -; pool: www -; process manager: static -; idle processes: 35 -; active processes: 65 -; total processes: 100 -; By default the status page output is formatted as text/plain. Passing either -; 'html' or 'json' as a query string will return the corresponding output -; syntax. Example: -; http://www.foo.bar/status -; http://www.foo.bar/status?json -; http://www.foo.bar/status?html -; Note: The value must start with a leading slash (/). The value can be -; anything, but it may not be a good idea to use the .php extension or it -; may conflict with a real PHP file. -; Default Value: not set -pm.status_path = /status - -; The ping URI to call the monitoring page of FPM. If this value is not set, no -; URI will be recognized as a ping page. This could be used to test from outside -; that FPM is alive and responding, or to -; - create a graph of FPM availability (rrd or such); -; - remove a server from a group if it is not responding (load balancing); -; - trigger alerts for the operating team (24/7). -; Note: The value must start with a leading slash (/). The value can be -; anything, but it may not be a good idea to use the .php extension or it -; may conflict with a real PHP file. -; Default Value: not set -;ping.path = /ping - -; This directive may be used to customize the response of a ping request. The -; response is formatted as text/plain with a 200 response code. 
-; Default Value: pong -;ping.response = pong - -; The timeout for serving a single request after which the worker process will -; be killed. This option should be used when the 'max_execution_time' ini option -; does not stop script execution for some reason. A value of '0' means 'off'. -; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) -; Default Value: 0 -;request_terminate_timeout = 0 - -; The timeout for serving a single request after which a PHP backtrace will be -; dumped to the 'slowlog' file. A value of '0s' means 'off'. -; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) -; Default Value: 0 -;request_slowlog_timeout = 0 - -; The log file for slow requests -; Default Value: not set -; Note: slowlog is mandatory if request_slowlog_timeout is set -slowlog = /var/log/php-fpm/www-slow.log - -; Set open file descriptor rlimit. -; Default Value: system defined value -;rlimit_files = 1024 - -; Set max core size rlimit. -; Possible Values: 'unlimited' or an integer greater or equal to 0 -; Default Value: system defined value -;rlimit_core = 0 - -; Chroot to this directory at the start. This value must be defined as an -; absolute path. When this value is not set, chroot is not used. -; Note: chrooting is a great security feature and should be used whenever -; possible. However, all PHP paths will be relative to the chroot -; (error_log, sessions.save_path, ...). -; Default Value: not set -;chroot = - -; Chdir to this directory at the start. This value must be an absolute path. -; Default Value: current directory or / when chroot -;chdir = /var/www - -; Redirect worker stdout and stderr into main error log. If not set, stdout and -; stderr will be redirected to /dev/null according to FastCGI specs. -; Default Value: no -;catch_workers_output = yes - -; Limits the extensions of the main script FPM will allow to parse. This can -; prevent configuration mistakes on the web server side. 
You should only limit -; FPM to .php extensions to prevent malicious users to use other extensions to -; exectute php code. -; Note: set an empty value to allow all extensions. -; Default Value: .php -;security.limit_extensions = .php .php3 .php4 .php5 - -; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from -; the current environment. -; Default Value: clean env -;env[HOSTNAME] = $HOSTNAME -;env[PATH] = /usr/local/bin:/usr/bin:/bin -;env[TMP] = /tmp -;env[TMPDIR] = /tmp -;env[TEMP] = /tmp - -; Additional php.ini defines, specific to this pool of workers. These settings -; overwrite the values previously defined in the php.ini. The directives are the -; same as the PHP SAPI: -; php_value/php_flag - you can set classic ini defines which can -; be overwritten from PHP call 'ini_set'. -; php_admin_value/php_admin_flag - these directives won't be overwritten by -; PHP call 'ini_set' -; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no. - -; Defining 'extension' will load the corresponding shared extension from -; extension_dir. Defining 'disable_functions' or 'disable_classes' will not -; overwrite previously defined php.ini values, but will append the new value -; instead. - -; Default Value: nothing is defined by default except the values in php.ini and -; specified at startup with the -d argument -;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com -;php_flag[display_errors] = off -php_admin_value[error_log] = /var/log/php-fpm/lifecycle-error.log -php_admin_flag[log_errors] = on -;php_admin_value[memory_limit] = 128M - -; Set session path to a directory owned by process user -php_value[session.save_handler] = files -php_value[session.save_path] = {{ php_session_dir }}/lifecycle -php_value[disable_functions] = {{ php_disabled_functions }} diff --git a/roles/lifecycle/templates/lifecycle.conf.j2 b/roles/lifecycle/templates/lifecycle.conf.j2 deleted file mode 100644 index a2252c132..000000000 
--- a/roles/lifecycle/templates/lifecycle.conf.j2 +++ /dev/null @@ -1,35 +0,0 @@ -{% if apache_app_listen_address.lifecycle is defined %} -Listen {{ apache_app_listen_address.lifecycle }}:{{ loadbalancing.lifecycle.port }} - -{% else %} - -{% endif %} - ServerAdmin {{ admin_email }} - DocumentRoot "{{ lifecycle_current_release_symlink }}/public" - SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1 - - Require all granted - Options -MultiViews - RewriteEngine On - RewriteCond %{REQUEST_FILENAME} !-f - RewriteRule ^(.*)$ index.php [QSA,L] - - ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/var/run/php-fpm/lifecycle-pool-72.sock|fcgi://localhost{{ lifecycle_current_release_symlink }}/public/$1 - ErrorLog "|/usr/bin/logger -S 32k -p local3.err -t 'Apache-LIFECYCLE'" - CustomLog "|/usr/bin/logger -S 32k -p local3.info -t 'Apache-LIFECYCLE'" combined - - {% if haproxy_backend_tls %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/backend.{{ base_domain }}.pem - SSLCertificateKeyFile {{ tls.cert_private_path }}/backend.{{ base_domain }}.key - Include ssl_backend.conf - {% endif %} - - {% if apache_app_listen_address.all is defined %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/{{ tls_star_cert }} - SSLCertificateKeyFile {{ tls.cert_private_path }}/{{ tls_star_cert_key }} - SSLCertificateChainFile {{ tls.cert_path_ca }}/{{ tls_ca }} - Include ssl_backend.conf - {% endif %} - diff --git a/roles/lifecycle/templates/makeRelease.sh.j2 b/roles/lifecycle/templates/makeRelease.sh.j2 deleted file mode 100644 index d9384ee70..000000000 --- a/roles/lifecycle/templates/makeRelease.sh.j2 +++ /dev/null 
@@ -1,92 +0,0 @@ -#!/bin/sh -# Copy of SP Dashboard makeRelease.sh file. Please review everything carefully! - -PREVIOUS_SF_ENV=${SYMFONY_ENV} -export SYMFONY_ENV="{{ lifecycle_symfony_env }}" - -RELEASE_DIR=${HOME}/Releases -GITHUB_USER=OpenConext -PROJECT_NAME=OpenConext-user-lifecycle - -if [ -z "$1" ] -then - -cat << EOF -Please specify the tag or branch to make a release of. - -Examples: - - sh makeRelease.sh 0.1.0 - sh makeRelease.sh master - sh makeRelease.sh develop - -If you want to GPG sign the release, you can specify the "sign" parameter, this will -invoke the gpg command line tool to sign it. - - sh makeRelease 0.1.0 sign - -EOF -exit 1 -else - TAG=$1 -fi - -PROJECT_DIR_NAME=${PROJECT_NAME}-${TAG//\//_} && -PROJECT_DIR=${RELEASE_DIR}/${PROJECT_DIR_NAME} && - -echo "Preparing environment" && -mkdir -p ${RELEASE_DIR} && -rm -rf ${PROJECT_DIR} && -cd ${RELEASE_DIR} -git clone https://github.com/${GITHUB_USER}/${PROJECT_NAME}.git ${PROJECT_DIR_NAME} && - -cd ${PROJECT_DIR} && -git checkout ${TAG} && -echo "Running Composer Install"; -curl -sS https://getcomposer.org/installer | php -php ./composer.phar install -n --prefer-dist -o --ignore-platform-reqs&& - -echo "Tagging the release in RELEASE file" && -COMMITHASH=`git rev-parse HEAD` && -echo "Tag: ${TAG}" > ${PROJECT_DIR}/RELEASE && -echo "Commit: ${COMMITHASH}" >> ${PROJECT_DIR}/RELEASE && - -echo "Cleaning build of dev files" && -rm -rf ${PROJECT_DIR}/.idea && -rm -rf ${PROJECT_DIR}/.git && -rm -f ${PROJECT_DIR}/.gitignore && -rm -f ${PROJECT_DIR}/makeRelease.sh && -rm -f ${PROJECT_DIR}/bin/composer.phar && -rm -rf ${PROJECT_DIR}/features && -rm -rf ${PROJECT_DIR}/behat.yml && -rm -rf ${PROJECT_DIR}/build.xml && -rm -rf ${PROJECT_DIR}/tests && -rm -rf ${PROJECT_DIR}/ci && -rm -rf ${PROJECT_DIR}/.travis.yml && -rm -rf ${PROJECT_DIR}/ansible && -rm -rf ${PROJECT_DIR}/Vagrantfile && - -echo "Create tarball" && -cd ${RELEASE_DIR} && -tar -czf ${PROJECT_DIR_NAME}.tar.gz ${PROJECT_DIR_NAME} - - -echo "Create 
checksum file" && -cd ${RELEASE_DIR} && -if hash sha1sum 2>/dev/null; then - sha1sum ${PROJECT_DIR_NAME}.tar.gz > ${PROJECT_DIR_NAME}.sha -else - shasum ${PROJECT_DIR_NAME}.tar.gz > ${PROJECT_DIR_NAME}.sha -fi - -if [ -n "$2" ] -then - if [ "$2" == "sign" ] - then - echo "Signing build" - cd ${RELEASE_DIR} - gpg -o ${PROJECT_DIR_NAME}.sha.gpg --clearsign ${PROJECT_DIR_NAME}.sha - fi -fi - -export SYMFONY_ENV=${PREVIOUS_SF_ENV} diff --git a/roles/lifecycle/templates/parameters.yml.j2 b/roles/lifecycle/templates/parameters.yml.j2 index 4e69bca28..20c2f5ceb 100644 --- a/roles/lifecycle/templates/parameters.yml.j2 +++ b/roles/lifecycle/templates/parameters.yml.j2 @@ -1,4 +1,7 @@ parameters: + app_env: prod + app_debug: false + app_secret: {{ lifecycle_symfony_secret }} database_host: {{ lifecycle_db_host }} database_port: 3306 database_name: {{ lifecycle_eb_logins_db }} diff --git a/roles/lifecycle/vars/main.yml b/roles/lifecycle/vars/main.yml new file mode 100644 index 000000000..0eb9d3835 --- /dev/null +++ b/roles/lifecycle/vars/main.yml @@ -0,0 +1,13 @@ +--- +appname: lifecycle +lifecycle_version: '' +lifecycle_user: lifecycle +lifecycle_symfony_env: prod +lifecycle_eb_logins_db: eb_logins +lifecycle_db_host: localhost +lifecycle_user_quota: 1500 +lifecycle_inactivity_period: 37 +lifecycle_api_enabled: true +lifecycle_api_password: secret +lifecycle_api_username: lifecycle +current_release_config_dir_name: /opt/openconext/{{ appname }} From dfcd6c86c253c8b4834b5c392c60b9737a205588 Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Mon, 13 May 2024 10:23:02 +0200 Subject: [PATCH 060/114] Add DELETE_SP to sp-portal on test --- environments/vm/group_vars/vm.yml | 2 +- roles/manage-server/templates/manage-api-users.yml.j2 | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/environments/vm/group_vars/vm.yml b/environments/vm/group_vars/vm.yml index f0e19510e..8d2000ae3 100644 --- a/environments/vm/group_vars/vm.yml +++ b/environments/vm/group_vars/vm.yml 
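Review bot: `app_secret: {{ lifecycle_symfony_secret }}` is rendered unquoted, so a generated secret containing a YAML-significant character (`:`, `#`, `{`, `[`, a leading `*`) either breaks parsing of parameters.yml or is silently truncated. The other templates in this series quote secret substitutions (e.g. `sab_password: "{{ aa_sab_password }}"`), so write `app_secret: "{{ lifecycle_symfony_secret }}"` here as well. `app_env: prod` and `app_debug: false` are hard-coded although the role's vars/main.yml defines `lifecycle_symfony_env`; if the environment is meant to vary per inventory, render `app_env: {{ lifecycle_symfony_env }}` instead of a literal.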
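Review bot: `lifecycle_api_password: secret` places a literal placeholder credential in the role's `vars/main.yml`, which in Ansible's precedence overrides inventory and group_vars, so an environment that sets its own value there still deploys the API with password `secret` unless it uses extra-vars or another higher-precedence source. Move the password (and `lifecycle_api_username`) to `defaults/main.yml`, or better reference a value from the environment's `secrets/` file with no fallback, as this series does for `aa_sab_rest_password`, so an undefined secret fails the run instead of shipping a known value. `lifecycle_version: ''` has the same precedence problem and renders the container image in tasks/main.yml as `.../user-lifecycle:` with an empty tag, which the container task will reject; it also belongs in defaults or should be a required variable.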
@@ -359,7 +359,7 @@ manage: - { name: "sp-dashboard", password: "{{ manage_sp_dashboard_secret }}", - scopes: [ "READ", "WRITE_SP", "CHANGE_REQUEST_SP", "PUSH"] + scopes: [ "READ", "WRITE_SP", "DELETE_SP", "CHANGE_REQUEST_SP", "PUSH"] } - { name: "invite", diff --git a/roles/manage-server/templates/manage-api-users.yml.j2 b/roles/manage-server/templates/manage-api-users.yml.j2 index 224ca3991..a9c77ff30 100644 --- a/roles/manage-server/templates/manage-api-users.yml.j2 +++ b/roles/manage-server/templates/manage-api-users.yml.j2 @@ -6,7 +6,8 @@ # PUSH, //Allowed to push changes to EB & OIDC-NG # READ, //Allowed to read entities # SYSTEM, //Allowed everything including Attribute Manipulation -# WRITE_SP, //Allowed to CRUD SP / RP /RS +# WRITE_SP, //Allowed to CRU SP / RP /RS +# DELETE_SP, //Allowed to Delete SP / RP /RS # WRITE_IDP //Allowed to CRUD IdP apiUsers: From 3021ae0f263d22ecb4c22cd6c0396e23c5517a83 Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Tue, 14 May 2024 10:54:57 +0200 Subject: [PATCH 061/114] Added ansible vars for AA sab-rest --- environments/template/group_vars/template.yml | 3 ++ environments/template/secrets/skeleton.yml | 1 + environments/vm/group_vars/vm.yml | 3 ++ environments/vm/secrets/vm.yml | 1 + .../templates/attributeAuthorities.yml.j2 | 34 +++++++++++++++++++ 5 files changed, 42 insertions(+) diff --git a/environments/template/group_vars/template.yml b/environments/template/group_vars/template.yml index 6d7d3d93c..ec442436a 100644 --- a/environments/template/group_vars/template.yml +++ b/environments/template/group_vars/template.yml 
@@ -359,6 +359,9 @@ aa: sab_username: coin-test sab_password: "{{ aa_sab_password }}" sab_endpoint: https://sab-ng.surfnet.nl/simplesaml/module.php/attributes/server.php + sab_rest_username: surfconexttest + sab_rest_password: "{{ aa_sab_rest_password }}" + sab_rest_endpoint: https://sab-ng.surfnet.nl surfmarket_url: https://example.org surfmarket_username: example@example.org surfmarket_password: "{{ aa_surfmarket_password }}" diff --git a/environments/template/secrets/skeleton.yml b/environments/template/secrets/skeleton.yml index a112b13b1..3ff4309bb 100644 --- a/environments/template/secrets/skeleton.yml +++ b/environments/template/secrets/skeleton.yml @@ -63,6 +63,7 @@ pdp_sab_password: secret aa_eb_password: secret aa_authz_client_secret: secret aa_sab_password: secret +aa_sab_rest_password: secret aa_idin_client_secret: secret aa_orcid_password: secret aa_surfmarket_password: secret diff --git a/environments/vm/group_vars/vm.yml b/environments/vm/group_vars/vm.yml index 8d2000ae3..36f4ffb89 100644 --- a/environments/vm/group_vars/vm.yml +++ b/environments/vm/group_vars/vm.yml @@ -249,6 +249,9 @@ aa: sab_username: coin-test sab_password: "{{ aa_sab_password }}" sab_endpoint: https://sab-ng.surfnet.nl/simplesaml/module.php/attributes/server.php + sab_rest_username: surfconexttest + sab_rest_password: "{{ aa_sab_rest_password }}" + sab_rest_endpoint: https://sab-ng.surfnet.nl surfmarket_url: https://example.org surfmarket_username: example@example.org surfmarket_password: "{{ aa_surfmarket_password }}" diff --git a/environments/vm/secrets/vm.yml b/environments/vm/secrets/vm.yml index a20f93595..f514983ab 100644 --- a/environments/vm/secrets/vm.yml +++ b/environments/vm/secrets/vm.yml @@ -66,6 +66,7 @@ pdp_sab_password: secret aa_eb_password: secret aa_authz_client_secret: secretsecret aa_sab_password: secret +aa_sab_rest_password: secret aa_idin_client_secret: secret aa_orcid_password: secret aa_surfmarket_password: secret 
diff --git a/roles/attribute-aggregation/templates/attributeAuthorities.yml.j2 b/roles/attribute-aggregation/templates/attributeAuthorities.yml.j2 index e98342b8b..ed26c3778 100644 --- a/roles/attribute-aggregation/templates/attributeAuthorities.yml.j2 +++ b/roles/attribute-aggregation/templates/attributeAuthorities.yml.j2 @@ -175,3 +175,37 @@ authorities: ], validationRegExp: "^urn:(collab:group|mace:surf.nl):.*$" } + - { + id: "sabrest", + description: "SURF Autorisatie Beheer - REST", + endpoint: "{{ aa.sab_rest_endpoint }}", + user: "{{ aa.sab_rest_username }}", + password: "{{ aa.sab_rest_password }}", + timeOut: 1000, + timeOut: 1000, + attributes: [ + { + name: "urn:mace:dir:attribute-def:eduPersonEntitlement", + description: "URI (either URN or URL) that indicates a set of rights to specific resources.", + type: "string", + example: "urn:mace:surfnet.nl:surfnet.nl:sab:role:Instellingsbevoegde" + }, + { + name: "urn:mace:surf.nl:attribute-def:surf-autorisaties", + description: "URI (either URN or URL) that indicates a set of rights to specific resources.", + type: "string", + example: "urn:mace:surfnet.nl:surfnet.nl:sab:role:Instellingsbevoegde" + } + + ], + requiredInputAttributes: [ + { + name: "urn:mace:dir:attribute-def:uid", + }, + { + name: "urn:mace:terena.org:attribute-def:schacHomeOrganization", + } + + ], + validationRegExp: "^urn:mace:surfnet.nl:(surfnet\\.nl|surf\\.nl):sab:(role|organizationCode|organizationGUID|mobile):[A-Z0-9_+-]+$" + } From 8db35928cc22e57433a7977613a55c5c3b30a056 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Wed, 15 May 2024 14:08:09 +0200 Subject: [PATCH 062/114] Docker: Create a common config dir for apps and place the favicon in it --- roles/docker/tasks/main.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index 144c89f1c..70892703d 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml 
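Review bot: The new `sabrest` authority lists `timeOut: 1000,` twice in the same flow mapping; if this file is read by a strict YAML loader (Spring Boot's rejects duplicate keys) the server will fail at startup, so drop one of the two lines. The `description` and `example` of `urn:mace:surf.nl:attribute-def:surf-autorisaties` are a verbatim copy of the eduPersonEntitlement entry above and should describe that attribute instead. The `attributes` and `requiredInputAttributes` lists also end with a trailing comma and a stray blank line, which flow syntax tolerates but which differs from the other authorities in this file.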
@@ -130,3 +130,25 @@ service: iptablesdocker.service enabled: true state: started + +- name: Create OpenConext common files dir + ansible.builtin.file: + state: directory + path: "/opt/openconext/common/" + owner: root + mode: "0755" + +- name: Check if a favicon exists + ansible.builtin.stat: + path: "{{ inventory_dir }}/files/favicon.ico" + delegate_to: localhost + register: favicon_present + become: false + +- name: Place the favicon file + ansible.builtin.copy: + src: "{{ inventory_dir }}/files/favicon.ico" + dest: /opt/openconext/common/favicon.ico + owner: root + group: root + mode: "0644" From 2b74e762d25c8f76e72b48443c189481dae9f7bb Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Wed, 15 May 2024 14:15:39 +0200 Subject: [PATCH 063/114] Docker roles: Set the timezone and mount the favicon where applicable --- roles/dashboard/tasks/main.yml | 9 +++++++++ roles/invite/tasks/main.yml | 14 ++++++++++++++ roles/mujina-idp/tasks/docker.yml | 2 ++ roles/oidc-playground/tasks/main.yml | 9 +++++++++ roles/pdp/tasks/main.yml | 9 +++++++++ roles/profile/tasks/main.yml | 6 +++++- roles/teams/tasks/main.yml | 9 +++++++++ 7 files changed, 57 insertions(+), 1 deletion(-) diff --git a/roles/dashboard/tasks/main.yml b/roles/dashboard/tasks/main.yml index 0c701dfb4..c9f2def95 100644 --- a/roles/dashboard/tasks/main.yml +++ b/roles/dashboard/tasks/main.yml @@ -23,6 +23,8 @@ - name: Create and start the server container community.docker.docker_container: name: dashboardserver + env: + TZ: "{{ timezone }}" image: ghcr.io/openconext/openconext-dashboard/dashboard-server:{{ dashboard_server_version }} pull: true restart_policy: "always" @@ -75,6 +77,13 @@ retries: 3 start_period: 10s hostname: dashboard + mounts: + - source: /etc/localtime + target: /etc/localtime + type: bind + - source: /opt/openconext/common/favicon.ico + target: /var/www/favicon.ico + type: bind env: HTTPD_CSP: "{{ httpd_csp.lenient_with_static_img }}" HTTPD_SERVERNAME: "dashboard.{{ base_domain }}" 
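Review bot: `Place the favicon file` runs unconditionally, although the task just before it registers `favicon_present` for exactly this purpose, so an inventory without `files/favicon.ico` fails at the copy step; add `when: favicon_present.stat.exists` to the copy task. `Create OpenConext common files dir` sets `owner: root` and `mode: "0755"` but no `group`, while the copy task does set `group: root`; add `group: root` to the directory task too so the shared directory is not left with whatever primary group the connecting user has.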
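Review bot: The `/etc/localtime` and `/opt/openconext/common/favicon.ico` bind mounts are read-write by default, which gives the container write access to a host timezone file and to a file shared by every app on the host; add `read_only: true` to each mount entry. The same applies to the mounts added in the invite, oidc-playground, pdp, profile and teams task files in this commit. In the first hunk of this file, `env: TZ:` is inserted above `image:` on the `dashboardserver` container; if that task already has an `env:` mapping further down, outside the hunk, the duplicate key would shadow one of the two, so confirm it is the only `env:` key in that task.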
diff --git a/roles/invite/tasks/main.yml b/roles/invite/tasks/main.yml index 66c605da9..155f3008a 100644 --- a/roles/invite/tasks/main.yml +++ b/roles/invite/tasks/main.yml @@ -51,6 +51,8 @@ - name: Create and start the server container community.docker.docker_container: name: inviteserver + env: + TZ: "{{ timezone }}" image: ghcr.io/openconext/openconext-invite/inviteserver:{{ invite_server_version }} pull: true restart_policy: "always" @@ -97,6 +99,10 @@ timeout: 10s retries: 3 start_period: 10s + mounts: + - source: /etc/localtime + target: /etc/localtime + type: bind env: HTTPD_CSP: "{{ httpd_csp.strict_with_static_img }}" @@ -119,6 +125,10 @@ timeout: 10s retries: 3 start_period: 10s + mounts: + - source: /etc/localtime + target: /etc/localtime + type: bind env: HTTPD_CSP: "{{ httpd_csp.strict_with_static_img }}" @@ -147,6 +157,10 @@ timeout: 10s retries: 3 start_period: 10s + mounts: + - source: /etc/localtime + target: /etc/localtime + type: bind when: invite_mock_install notify: restart inviteprovisioningmock diff --git a/roles/mujina-idp/tasks/docker.yml b/roles/mujina-idp/tasks/docker.yml index 82ff22c0d..e8438e8fa 100644 --- a/roles/mujina-idp/tasks/docker.yml +++ b/roles/mujina-idp/tasks/docker.yml @@ -30,6 +30,8 @@ pull: true restart_policy: "always" state: started + env: + TZ: "{{ timezone }}" networks: - name: "loadbalancer" mounts: diff --git a/roles/oidc-playground/tasks/main.yml b/roles/oidc-playground/tasks/main.yml index 83286f4b8..1f5d7bb99 100644 --- a/roles/oidc-playground/tasks/main.yml +++ b/roles/oidc-playground/tasks/main.yml @@ -23,6 +23,8 @@ - name: Create and start the server container community.docker.docker_container: name: oidcplaygroundserver + env: + TZ: "{{ timezone }}" image: ghcr.io/openconext/openconext-oidc-playground/oidc-playground-server:{{ oidc_playground_server_version }} pull: true restart_policy: "always" 
@@ -73,6 +75,13 @@ timeout: 10s retries: 3 start_period: 10s + mounts: + - source: /etc/localtime + target: /etc/localtime + type: bind + - source: /opt/openconext/common/favicon.ico + target: /var/www/favicon.ico + type: bind env: HTTPD_CSP: "{{ httpd_csp.lenient }}" diff --git a/roles/pdp/tasks/main.yml b/roles/pdp/tasks/main.yml index 03675c46e..a668c82cc 100644 --- a/roles/pdp/tasks/main.yml +++ b/roles/pdp/tasks/main.yml @@ -23,6 +23,8 @@ - name: Create and start the server container community.docker.docker_container: name: pdpserver + env: + TZ: "{{ timezone }}" image: ghcr.io/openconext/openconext-pdp/pdp-server:{{ pdp_server_version }} pull: true restart_policy: "always" @@ -77,6 +79,13 @@ timeout: 10s retries: 3 start_period: 10s + mounts: + - source: /etc/localtime + target: /etc/localtime + type: bind + - source: /opt/openconext/common/favicon.ico + target: /var/www/favicon.ico + type: bind hostname: pdp env: HTTPD_CSP: "{{ httpd_csp.lenient }}" diff --git a/roles/profile/tasks/main.yml b/roles/profile/tasks/main.yml index b2bb827d7..872d653fa 100644 --- a/roles/profile/tasks/main.yml +++ b/roles/profile/tasks/main.yml @@ -102,9 +102,13 @@ - source: /opt/openconext/profile target: /var/www/html/config/openconext type: bind - - source: /opt/openconext/profile/images/favicon.ico + - source: /opt/openconext/common/favicon.ico target: /var/www/html/public/favicon.ico type: bind + - source: /etc/localtime + target: /etc/localtime + type: bind + - name: Include the role manage_provision_entities to provision profile to Manage ansible.builtin.include_role: diff --git a/roles/teams/tasks/main.yml b/roles/teams/tasks/main.yml index 4baa22064..8326a466a 100644 --- a/roles/teams/tasks/main.yml +++ b/roles/teams/tasks/main.yml 
@@ -22,6 +22,8 @@ - name: Create and start the server container community.docker.docker_container: name: teamsserver + env: + TZ: "{{ timezone }}" image: ghcr.io/openconext/openconext-teams-ng/teams-server:{{ teams_server_version }} pull: true restart_policy: "always" @@ -74,6 +76,13 @@ retries: 3 start_period: 10s hostname: teams + mounts: + - source: /etc/localtime + target: /etc/localtime + type: bind + - source: /opt/openconext/common/favicon.ico + target: /var/www/favicon.ico + type: bind env: HTTPD_CSP: "{{ httpd_csp.strict_with_static_img }}" HTTPD_SERVERNAME: "teams.{{ base_domain }}" From d4dfb6d060ccd7b663e70690a12923b4de2c4760 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Wed, 15 May 2024 14:32:01 +0200 Subject: [PATCH 064/114] Traefik: use the correct var --- roles/docker/templates/traefik.yaml.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/docker/templates/traefik.yaml.j2 b/roles/docker/templates/traefik.yaml.j2 index e303744ca..43230fcf2 100644 --- a/roles/docker/templates/traefik.yaml.j2 +++ b/roles/docker/templates/traefik.yaml.j2 @@ -10,11 +10,13 @@ providers: entryPoints: websecure: address: ":443" +{% if engine_trusted_proxy_ips is defined %} forwardedHeaders: trustedIPs: {% for engine_trusted_proxy_ip in engine_trusted_proxy_ips %} - {{ engine_trusted_proxy_ip }} {% endfor %} +{% endif %} # Server transport configuration serversTransport: insecureSkipVerify: true From 3d5245010fbc1ee197f3b6f4a155ab1bf28f5523 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Wed, 15 May 2024 14:38:07 +0200 Subject: [PATCH 065/114] Oidc-playground: put the favicon in the correct dir --- roles/oidc-playground/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/oidc-playground/tasks/main.yml b/roles/oidc-playground/tasks/main.yml index 1f5d7bb99..fd4b0d0f7 100644 --- a/roles/oidc-playground/tasks/main.yml +++ b/roles/oidc-playground/tasks/main.yml 
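Review bot: The guard only tests `is defined`, so an inventory that sets `engine_trusted_proxy_ips: []` still renders `forwardedHeaders:` and `trustedIPs:` with no entries; Traefik probably treats that as "trust nobody", but the rendered config is misleading and an empty key may be rejected by a stricter parser. Use `{% if engine_trusted_proxy_ips is defined and engine_trusted_proxy_ips | length > 0 %}` so the block is omitted whenever there is nothing to trust. Since the whole block now disappears when the variable is unset, client-supplied `X-Forwarded-*` headers are ignored in that case, which is the safe default and worth stating in the template, e.g. `{# forwarded headers are trusted only from the listed proxies; when unset, none are trusted #}`.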
@@ -80,7 +80,7 @@ target: /etc/localtime type: bind - source: /opt/openconext/common/favicon.ico - target: /var/www/favicon.ico + target: /var/www/html/favicon.ico type: bind env: HTTPD_CSP: "{{ httpd_csp.lenient }}" From 3d47931783a206a9f60e9c438adebcabe8b9a27f Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Wed, 15 May 2024 14:54:59 +0200 Subject: [PATCH 066/114] Voot: Add timezone information --- roles/voot/tasks/main.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/roles/voot/tasks/main.yml b/roles/voot/tasks/main.yml index 845fb246d..15403e587 100644 --- a/roles/voot/tasks/main.yml +++ b/roles/voot/tasks/main.yml @@ -23,6 +23,8 @@ - name: Create and start the server container community.docker.docker_container: name: vootserver + env: + TZ: "{{ timezone }}" image: ghcr.io/openconext/openconext-voot/voot:{{ voot_version }} pull: true restart_policy: "always" @@ -63,7 +65,7 @@ notify: restart vootserver - name: Include the role manage_provision_entities to provision the client_credentials client - include_role: + ansible.builtin.include_role: name: manage_provision_entities - vars: + vars: entity_type: oauth20_rs From 6c00a9d3e1da10de56b55d7ba8d85201d6987f5e Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Fri, 17 May 2024 15:27:15 +0200 Subject: [PATCH 067/114] Feature toggle for invite migration --- environments/template/group_vars/template.yml | 1 + environments/vm/group_vars/vm.yml | 1 + roles/teams/templates/serverapplication.yml.j2 | 7 +++---- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/environments/template/group_vars/template.yml b/environments/template/group_vars/template.yml index ec442436a..4348c9b2c 100644 --- a/environments/template/group_vars/template.yml +++ b/environments/template/group_vars/template.yml 
@@ -268,6 +268,7 @@ teams: spdashboard_person_urn: "urn:collab:person:surfnet.nl:sp-dashboard-C133A36F-CFCA-4F3D-87CE-7ECE29773FE0" product_name: "OpenConext Teams" default_stem_name: "demo:openconext:org" + feature_invite_migration_on: False super_admins_team_urns: - "nl:surfnet:diensten:teams_super_users" - "nl:surfnet:diensten:teams_super_admin_users" diff --git a/environments/vm/group_vars/vm.yml b/environments/vm/group_vars/vm.yml index 36f4ffb89..2f6b472b9 100644 --- a/environments/vm/group_vars/vm.yml +++ b/environments/vm/group_vars/vm.yml @@ -157,6 +157,7 @@ teams: spdashboard_person_urn: "urn:collab:person:surfnet.nl:sp-dashboard-C133A36F-CFCA-4F3D-87CE-7ECE29773FE0" product_name: "OpenConext Teams" default_stem_name: "demo:openconext:org" + feature_invite_migration_on: False super_admins_team_urns: - "nl:surfnet:diensten:teams_super_users" - "nl:surfnet:diensten:teams_super_admin_users" diff --git a/roles/teams/templates/serverapplication.yml.j2 b/roles/teams/templates/serverapplication.yml.j2 index 059a1271a..097ad4024 100644 --- a/roles/teams/templates/serverapplication.yml.j2 +++ b/roles/teams/templates/serverapplication.yml.j2 @@ -22,10 +22,6 @@ server: secure: true server-header: no -feature-toggles: - expiry-date-membership: false - person-email-picker: false - config: support-email: {{ support_email }} help-link-en: {{ teams_help_link_en }} @@ -39,6 +35,9 @@ config: sponsor: {{ sponsor_name }} supported_language_codes: {{ supported_language_codes }} +features: + invite-migration-on: {{ teams.feature_invite_migration_on }} + security: user: name: {{ teams.voot_api_user }} From 01ee2f58013cf6d4d01ae2f5119a5a25c1859a67 Mon Sep 17 00:00:00 2001 
From: Okke Harsta Date: Tue, 21 May 2024 11:16:32 +0200 Subject: [PATCH 068/114] Added https://eduid.nl/trust/validate-names-external ACR --- environments/template/group_vars/template.yml | 1 + environments/vm/group_vars/vm.yml | 1 + roles/myconext-server/templates/application.yml.j2 | 1 + 3 files changed, 3 insertions(+) diff --git a/environments/template/group_vars/template.yml b/environments/template/group_vars/template.yml index 4348c9b2c..2de30e70e 100644 --- a/environments/template/group_vars/template.yml +++ b/environments/template/group_vars/template.yml @@ -390,6 +390,7 @@ oidcng: key_rollover_cron_expression: "0 0 0 * * *" acr_values_supported: - https://eduid.nl/trust/validate-names + - https://eduid.nl/trust/validate-names-external - https://eduid.nl/trust/linked-institution - https://eduid.nl/trust/affiliation-student - https://refeds.org/profile/mfa diff --git a/environments/vm/group_vars/vm.yml b/environments/vm/group_vars/vm.yml index 2f6b472b9..7b42fa64c 100644 --- a/environments/vm/group_vars/vm.yml +++ b/environments/vm/group_vars/vm.yml @@ -280,6 +280,7 @@ oidcng: key_rollover_cron_expression: "0 0 0 * * *" acr_values_supported: - https://eduid.nl/trust/validate-names + - https://eduid.nl/trust/validate-names-external - https://eduid.nl/trust/linked-institution - https://eduid.nl/trust/affiliation-student - https://refeds.org/profile/mfa diff --git a/roles/myconext-server/templates/application.yml.j2 b/roles/myconext-server/templates/application.yml.j2 index 3422965c3..ce9b5c110 100644 --- a/roles/myconext-server/templates/application.yml.j2 +++ b/roles/myconext-server/templates/application.yml.j2 
@@ -153,6 +153,7 @@ linked_accounts: account_linking_context_class_ref: linked_institution: https://eduid.nl/trust/linked-institution validate_names: https://eduid.nl/trust/validate-names + validate_names_external: https://eduid.nl/trust/validate-names-external affiliation_student: https://eduid.nl/trust/affiliation-student profile_mfa: https://refeds.org/profile/mfa From 5440cb1843dd59c0f1c6d7310d0f371ce72366be Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Thu, 23 May 2024 16:24:39 +0200 Subject: [PATCH 069/114] Added tag alias for aa --- provision.yml | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/provision.yml b/provision.yml index 3fe68a22b..dbf105be5 100644 --- a/provision.yml +++ b/provision.yml @@ -171,18 +171,19 @@ - hosts: docker become: true roles: - - { role: docker, tags: ['docker' ] } - - { role: invite, tags: ['invite' ] } - - { role: dashboard, tags: ["dashboard"] } - - { role: teams, tags: ["teams"] } - - { role: pdp, tags: ["pdp"] } - - { role: voot, tags: ["voot"] } - - { role: attribute-aggregation, tags: ["aa"] } - - { role: mujina-idp, tags: ["mujina-idp"] } - - { role: oidc-playground, tags: ["oidc-playground"] } - - { role: stats, tags: ["stats"] } - - { role: diyidp, tags: ["diyidp"] } - - { role: profile, tags: ["profile"] } + - { role: docker, tags: [ "docker" ] } + - { role: invite, tags: [ "invite" ] } + - { role: dashboard, tags: [ "dashboard" ] } + - { role: teams, tags: [ "teams" ] } + - { role: pdp, tags: [ "pdp" ] } + - { role: voot, tags: [ "voot" ] } + - { role: attribute-aggregation, tags: [ "aa", "attribute-aggregation" ] } + - { role: mujina-idp, tags: [ "mujina-idp", "mujina" ] } + - { role: mujina-sp, tags: [ "mujina-idp", "mujina" ] } + - { role: oidc-playground, tags: [ "oidc-playground" ] } + - { role: stats, tags: [ "stats" ] } + - { role: diyidp, tags: [ "diyidp" ] } + - { role: profile, tags: [ "profile" ] } - import_playbook: "{{ environment_dir }}/playbook.yml" 
From 024ea1d784747a5421d0f0620061a66ce70b7a44 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Fri, 24 May 2024 08:34:53 +0200 Subject: [PATCH 070/114] Myconext to docker --- provision.yml | 28 +-- roles/haproxy_mgnt/tasks/main.yml | 28 ++- roles/myconext-gui/defaults/main.yml | 5 - roles/myconext-gui/meta/main.yml | 1 - roles/myconext-gui/tasks/main.yml | 6 - roles/myconext-gui/templates/myconext.conf.j2 | 130 ------------- roles/myconext-gui/vars/main.yml | 4 - roles/myconext-server/defaults/main.yml | 7 - roles/myconext-server/handlers/main.yml | 6 - roles/myconext-server/meta/main.yml | 1 - roles/myconext-server/tasks/main.yml | 65 ------- .../myconext-server/templates/logback.xml.j2 | 62 ------ roles/myconext-server/vars/main.yml | 10 - roles/myconext/handlers/main.yml | 5 + roles/myconext/tasks/main.yml | 184 ++++++++++++++++++ .../templates/application.yml.j2 | 21 +- roles/myconext/templates/logback.xml.j2 | 20 ++ .../templates/tiqr.configuration.yml.j2 | 4 +- 18 files changed, 259 insertions(+), 328 deletions(-) delete mode 100644 roles/myconext-gui/defaults/main.yml delete mode 100644 roles/myconext-gui/meta/main.yml delete mode 100644 roles/myconext-gui/tasks/main.yml delete mode 100644 roles/myconext-gui/templates/myconext.conf.j2 delete mode 100644 roles/myconext-gui/vars/main.yml delete mode 100644 roles/myconext-server/defaults/main.yml delete mode 100644 roles/myconext-server/handlers/main.yml delete mode 100644 roles/myconext-server/meta/main.yml delete mode 100644 roles/myconext-server/tasks/main.yml delete mode 100644 roles/myconext-server/templates/logback.xml.j2 delete mode 100644 roles/myconext-server/vars/main.yml create mode 100644 roles/myconext/handlers/main.yml create mode 100644 roles/myconext/tasks/main.yml rename roles/{myconext-server => myconext}/templates/application.yml.j2 (94%) create mode 100644 roles/myconext/templates/logback.xml.j2 rename roles/{myconext-server => myconext}/templates/tiqr.configuration.yml.j2 (85%) 
diff --git a/provision.yml b/provision.yml index dbf105be5..a78c88158 100644 --- a/provision.yml +++ b/provision.yml @@ -171,19 +171,21 @@ - hosts: docker become: true roles: - - { role: docker, tags: [ "docker" ] } - - { role: invite, tags: [ "invite" ] } - - { role: dashboard, tags: [ "dashboard" ] } - - { role: teams, tags: [ "teams" ] } - - { role: pdp, tags: [ "pdp" ] } - - { role: voot, tags: [ "voot" ] } - - { role: attribute-aggregation, tags: [ "aa", "attribute-aggregation" ] } - - { role: mujina-idp, tags: [ "mujina-idp", "mujina" ] } - - { role: mujina-sp, tags: [ "mujina-idp", "mujina" ] } - - { role: oidc-playground, tags: [ "oidc-playground" ] } - - { role: stats, tags: [ "stats" ] } - - { role: diyidp, tags: [ "diyidp" ] } - - { role: profile, tags: [ "profile" ] } + - { role: docker, tags: ['docker' ] } + - { role: invite, tags: ['invite' ] } + - { role: dashboard, tags: ["dashboard"] } + - { role: teams, tags: ["teams"] } + - { role: pdp, tags: ["pdp"] } + - { role: voot, tags: ["voot"] } + - { role: attribute-aggregation, tags: ["aa"] } + - { role: mujina-idp, tags: ["mujina-idp"] } + - { role: oidc-playground, tags: ["oidc-playground"] } + - { role: myconext, tags: ["myconext"] } + - { role: stats, tags: ["stats"] } + - { role: diyidp, tags: ["diyidp"] } + - { role: profile, tags: ["profile"] } + - { role: lifecycle, tags: ["lifecycle"] } + - { role: demosp, tags: ["demosp"] } - import_playbook: "{{ environment_dir }}/playbook.yml" diff --git a/roles/haproxy_mgnt/tasks/main.yml b/roles/haproxy_mgnt/tasks/main.yml index 5babeb3f3..db671de11 100644 --- a/roles/haproxy_mgnt/tasks/main.yml +++ b/roles/haproxy_mgnt/tasks/main.yml 
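Review bot: The new side of the docker host role list drops the `"attribute-aggregation"` and `"mujina"` tag aliases and the whole `mujina-sp` role that the preceding commit in this series ("Added tag alias for aa") introduced, which looks like an unintended revert from a merge rather than part of "Myconext to docker". Unless mujina-sp was deliberately removed, restore `- { role: mujina-sp, tags: ["mujina-idp", "mujina"] }` and keep `tags: ["aa", "attribute-aggregation"]` on the attribute-aggregation entry next to the new `myconext`, `lifecycle` and `demosp` entries.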
@@ -5,11 +5,25 @@ register: patch_process_started - block: - - name: End the play if the patchprocess is running - debug: - msg: "The patchprocess is running. No loadbalancer management allowed" - - meta: end_play - when: patch_process_started.stat.exists and skip_patch_check is not defined + - name: End the play if the patchprocess is running + debug: + msg: "The patchprocess is running. No loadbalancer management allowed" + - meta: end_play + when: patch_process_started.stat.exists and skip_patch_check is not defined + +# Set the fact weight_blue as an integer. The value is the 100 minus value of the supplied +# variable "weight_red". +- set_fact: + weight_blue: "{{ 100 - weight_red }}" + +- name: Create list with labels and weights as dictionaries + set_fact: + server_labels_with_weights: "{{ server_labels_with_weights + [{ 'label': item.label, 'weight': (weight_red if item.color == 'red' else weight_blue) }] }}" + loop: "{{ docker_blauwrood_servers }}" + +- name: debug + debug: + msg: "{{server_labels_with_weights }}" - name: get new weight for haproxy hosts haproxy_commands: @@ -41,12 +55,12 @@ - name: dump weight output debug: - msg: '{{ haproxy_weights.haproxy_items }}' + msg: "{{ haproxy_weights.haproxy_items }}" when: weight is defined - name: dump state output debug: - msg: '{{ haproxy_states.haproxy_items }}' + msg: "{{ haproxy_states.haproxy_items }}" when: state is defined - name: set weights for haproxy hosts diff --git a/roles/myconext-gui/defaults/main.yml b/roles/myconext-gui/defaults/main.yml deleted file mode 100644 index 136cbd6a7..000000000 --- a/roles/myconext-gui/defaults/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -myconext_gui_version: '' -myconext_gui_snapshot_timestamp: '' -myconext_install: true -myconext_skip_wayf: true diff --git a/roles/myconext-gui/meta/main.yml b/roles/myconext-gui/meta/main.yml deleted file mode 100644 index ed97d539c..000000000 --- a/roles/myconext-gui/meta/main.yml +++ /dev/null @@ -1 +0,0 @@ ---- 
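Review bot: The new `set_fact` for `server_labels_with_weights` appends to itself with `server_labels_with_weights + [...]` but nothing in the hunk initialises the list, so the first loop iteration fails on an undefined variable unless inventory happens to define it; add a preceding `set_fact: server_labels_with_weights: []` or write `{{ server_labels_with_weights | default([]) + [...] }}`. The comment above `weight_blue` says it is set "as an integer", but a templated `set_fact` yields a string unless Jinja native types are enabled, and `100 - weight_red` raises if `weight_red` arrives as a string from `-e`; use `{{ 100 - (weight_red | int) }}` and apply `| int` where the weights are consumed. The leftover `- name: debug` task prints the computed list on every run and should be removed or given `verbosity: 1`.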
diff --git a/roles/myconext-gui/tasks/main.yml b/roles/myconext-gui/tasks/main.yml deleted file mode 100644 index 50cdcf59e..000000000 --- a/roles/myconext-gui/tasks/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: copy virtual host config - template: - src: myconext.conf.j2 - dest: /etc/httpd/conf.d/myconext.conf - notify: restart httpd diff --git a/roles/myconext-gui/templates/myconext.conf.j2 b/roles/myconext-gui/templates/myconext.conf.j2 deleted file mode 100644 index c85c686de..000000000 --- a/roles/myconext-gui/templates/myconext.conf.j2 +++ /dev/null 
@@ -1,130 +0,0 @@ -{% if apache_app_listen_address.myconext is defined %} -Listen {{ apache_app_listen_address.myconext }}:{{ loadbalancing.myconext.port }} - -{% else %} - -{% endif %} - # General setup for the virtual host, inherited from global configuration - ServerName https://mijn.{{ myconext_base_domain }} - - ErrorLog "|/usr/bin/logger -S 32k -p local3.err -t 'Apache-myconext'" - CustomLog "|/usr/bin/logger -S 32k -p local3.info -t 'Apache-myconext'" combined - - RewriteEngine on - - {% for links in myconext.links %} - RewriteRule "^/{{ links.name }}(/|$)" "{{ links.url }}" [R,L] - {% endfor %} - - RewriteCond %{REQUEST_URI} !\.html$ - RewriteCond %{REQUEST_URI} !\.(js|css)(\.map)?$ - RewriteCond %{REQUEST_URI} !\.svg$ - RewriteCond %{REQUEST_URI} !\.png$ - RewriteCond %{REQUEST_URI} !\.ico$ - RewriteCond %{REQUEST_URI} !\.woff$ - RewriteCond %{REQUEST_URI} !\.woff2$ - RewriteCond %{REQUEST_URI} !\.ttf$ - RewriteCond %{REQUEST_URI} !\.eot$ - RewriteCond %{REQUEST_URI} !^/(asset-)?manifest.json$ - RewriteCond %{REQUEST_URI} !^/myconext - RewriteCond %{REQUEST_URI} !^/tiqr - RewriteCond %{REQUEST_URI} !^/actuator - RewriteCond %{REQUEST_URI} !^/internal - RewriteCond %{REQUEST_URI} !^/config - RewriteCond %{REQUEST_URI} !^/login - RewriteCond %{REQUEST_URI} !^/startSSO - RewriteCond %{REQUEST_URI} !^/fonts - RewriteCond %{REQUEST_URI} !^/.well-known - RewriteRule (.*) /index.html [L] - - ProxyPreserveHost On - ProxyPass /Shibboleth.sso ! 
- - ProxyPass /myconext/api http://localhost:{{ springapp_tcpport }}/myconext/api retry=0 - ProxyPassReverse /myconext/api http://localhost:{{ springapp_tcpport }}/myconext/api - - ProxyPass /tiqr http://localhost:{{ springapp_tcpport }}/tiqr retry=0 - ProxyPassReverse /tiqr http://localhost:{{ springapp_tcpport }}/tiqr - - ProxyPass /internal http://localhost:{{ springapp_tcpport }}/internal retry=0 - ProxyPass /actuator http://localhost:{{ springapp_tcpport }}/internal retry=0 - ProxyPass /login http://localhost:{{ springapp_tcpport }}/login retry=0 - ProxyPass /startSSO http://localhost:{{ springapp_tcpport }}/startSSO retry=0 - ProxyPass /config http://localhost:{{ springapp_tcpport }}/config retry=0 - - - AuthType shibboleth - ShibUseHeaders On - ShibRequestSetting applicationId myconext - {% if myconext_skip_wayf is defined and myconext_skip_wayf %} - ShibRequestSetting entityID https://login.{{ myconext_base_domain }} - {% endif %} - ShibRequireSession On - Require valid-user - - - DocumentRoot "{{ _springapp_dir }}/current" - - - Require all granted - Options -Indexes - - - # Public endpoints - - Require all granted - - - # After logout / delete - - Require all granted - - - {% if myconext.feature_create_eduid_institution_enabled %} - - Require all granted - - {% endif %} - - # The Spring Boot endpoints - - Require all granted - - - Require all granted - - - # Svelte resources - - Require all granted - - - - Require all granted - - - - Require all granted - - - Header always set Content-Security-Policy "{{ httpd_csp.lenient_with_static_img }}" - Header always set X-Frame-Options "DENY" - Header always set Referrer-Policy "same-origin" - Header always set X-Content-Type-Options "nosniff" - - {% if haproxy_backend_tls %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/backend.{{ base_domain }}.pem - SSLCertificateKeyFile {{ tls.cert_private_path }}/backend.{{ base_domain }}.key - Include ssl_backend.conf - {% endif %} - - {% if 
apache_app_listen_address.all is defined %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/{{ tls_star_cert }} - SSLCertificateKeyFile {{ tls.cert_private_path }}/{{ tls_star_cert_key }} - SSLCertificateChainFile {{ tls.cert_path_ca }}/{{ tls_ca }} - Include ssl_backend.conf - {% endif %} - - diff --git a/roles/myconext-gui/vars/main.yml b/roles/myconext-gui/vars/main.yml deleted file mode 100644 index 51cb36e6d..000000000 --- a/roles/myconext-gui/vars/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -springapp_tcpport: 9189 -springapp_artifact_id: myconext-gui -springapp_version: "{{ myconext_gui_version }}" diff --git a/roles/myconext-server/defaults/main.yml b/roles/myconext-server/defaults/main.yml deleted file mode 100644 index a8a628f00..000000000 --- a/roles/myconext-server/defaults/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -myconext_dir: /opt/myconext -myconext_snapshot_timestamp: '' -myconext_jar: myconext-current.jar -myconext_random_source: 'file:///dev/urandom' -myconext_install: true -myconext_cronjobmaster: true diff --git a/roles/myconext-server/handlers/main.yml b/roles/myconext-server/handlers/main.yml deleted file mode 100644 index 3d20a5b33..000000000 --- a/roles/myconext-server/handlers/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: restart myconext - service: - name: myconext - state: restarted - daemon_reload: yes diff --git a/roles/myconext-server/meta/main.yml b/roles/myconext-server/meta/main.yml deleted file mode 100644 index ed97d539c..000000000 --- a/roles/myconext-server/meta/main.yml +++ /dev/null @@ -1 +0,0 @@ ---- diff --git a/roles/myconext-server/tasks/main.yml b/roles/myconext-server/tasks/main.yml deleted file mode 100644 index 9dc1a2767..000000000 --- a/roles/myconext-server/tasks/main.yml +++ /dev/null 
@@ -1,65 +0,0 @@ ---- - -- name: copy config - template: - src: "{{ item }}.j2" - dest: "{{ myconext_dir }}/{{ item }}" - owner: myconext - group: myconext - mode: 0740 - with_items: - - logback.xml - - application.yml - - tiqr.configuration.yml - notify: - - "restart myconext" - -- name: copy / create GCM config - copy: - src: "{{ inventory_dir }}/files/myconext/firebase.json" - dest: "{{ myconext_dir }}/firebase.json" - owner: "root" - group: "myconext" - mode: 0740 - notify: - - "restart myconext" - -- name: copy / create APNS certificate - copy: - content: "{{ myconext_apns }}" - dest: "{{ myconext_dir }}/apns.p8" - owner: "root" - group: "myconext" - mode: 0740 - notify: - - "restart myconext" - -- name: copy / create private key - copy: - content: "{{ myconext_private_key }}" - dest: "{{ myconext_dir }}/myconext_saml.key" - owner: "root" - group: "myconext" - mode: 0740 - notify: - - "restart myconext" - -- name: copy / create certificate - copy: - src: "{{ inventory_dir }}/files/certs/myconext/myconext_saml.crt" - dest: "{{ myconext_dir }}/myconext_saml.crt" - owner: "root" - group: "myconext" - mode: 0740 - notify: - - "restart myconext" - -- name: create geo download directory - file: - path: "{{ myconext_dir }}/geo2lite" - state: directory - owner: "{{ _springapp_user }}" - group: "{{ _springapp_user }}" - mode: 0760 - -- meta: flush_handlers diff --git a/roles/myconext-server/templates/logback.xml.j2 b/roles/myconext-server/templates/logback.xml.j2 deleted file mode 100644 index 1f3b85483..000000000 --- a/roles/myconext-server/templates/logback.xml.j2 +++ /dev/null 
@@ -1,62 +0,0 @@ -#jinja2:lstrip_blocks: True - - - - - /var/log/myconext/myconext.log - - - /var/log/myconext/myconext-%d{yyyy-MM-dd}.log.gz - {{ logback_max_history }} - - - %d{ISO8601} %5p [%t] %logger{40}:%L - %m%n - - - - - {{ ansible_fqdn }} - 514 - {"app":"myconext"} - - [ignore] - [ignore] - [ignore] - - - myconextjson: - - - - - {{ rsyslog_host }} - DAEMON - myconext: [%thread] %logger %msg - - - - {{ smtp_server }} - {{ noreply_email }} - {{ error_mail_to }} - {{ error_subject_prefix }}Unexpected error myconext - - - - myconext.exceptions.ExpiredAuthenticationException - myconext.exceptions.UserNotFoundException - ERROR - - - - - - - - - - - - - - - diff --git a/roles/myconext-server/vars/main.yml b/roles/myconext-server/vars/main.yml deleted file mode 100644 index 6fe920066..000000000 --- a/roles/myconext-server/vars/main.yml +++ /dev/null @@ -1,10 +0,0 @@ -springapp_artifact_id: myconext-server -springapp_artifact_type: jar -springapp_artifact_group_dir: org.openconext -springapp_version: "{{ myconext_server_version }}" -springapp_dir: "{{ myconext_dir }}" -springapp_user: myconext -springapp_service_name: myconext -springapp_jar: "{{ myconext_jar }}" -springapp_tcpport: 9189 -springapp_random_source: "file:///dev/urandom" diff --git a/roles/myconext/handlers/main.yml b/roles/myconext/handlers/main.yml new file mode 100644 index 000000000..f0285c7e7 --- /dev/null +++ b/roles/myconext/handlers/main.yml @@ -0,0 +1,5 @@ +- name: restart myconextserver + community.docker.docker_container: + name: myconextserver + state: started + restart: true diff --git a/roles/myconext/tasks/main.yml b/roles/myconext/tasks/main.yml new file mode 100644 index 000000000..3bb0cc2d6 --- /dev/null +++ b/roles/myconext/tasks/main.yml 
@@ -0,0 +1,184 @@ +--- +- name: Create common certs directory + ansible.builtin.file: + dest: /opt/openconext/certs/ + state: directory + owner: root + group: root + mode: "0755" + +- name: Install the Mongo CA certificate + ansible.builtin.copy: + src: "{{ inventory_dir }}/secrets/mongo/mongoca.pem" + dest: /opt/openconext/certs/mongoca.crt + owner: root + group: root + mode: "0644" + +- name: Create directory to keep configfiles + ansible.builtin.file: + dest: "/opt/openconext/myconext" + state: directory + owner: root + group: root + mode: "0770" + +- name: Place the serverapplication configfiles + ansible.builtin.template: + src: "{{ item }}.j2" + dest: /opt/openconext/myconext/{{ item }} + owner: root + group: root + mode: "0644" + with_items: + - application.yml + - logback.xml + - tiqr.configuration.yml + notify: restart myconextserver + +- name: Copy / create GCM config + ansible.builtin.copy: + src: "{{ inventory_dir }}/files/myconext/firebase.json" + dest: "/opt/openconext/myconext/firebase.json" + owner: "root" + group: "root" + mode: "0640" + notify: + - "restart myconextserver" + +- name: Copy / create APNS certificate + ansible.builtin.copy: + content: "{{ myconext_apns }}" + dest: "/opt/openconext/myconext/apns.p8" + owner: "root" + group: "root" + mode: "0740" + notify: + - "restart myconextserver" + +- name: copy / create private key + ansible.builtin.copy: + content: "{{ myconext_private_key }}" + dest: "/opt/openconext/myconext/myconext_saml.key" + owner: "root" + group: "root" + mode: "0640" + notify: + - "restart myconextserver" + +- name: copy / create certificate + ansible.builtin.copy: + src: "{{ inventory_dir }}/files/certs/myconext/myconext_saml.crt" + dest: "/opt/openconext/myconext/myconext_saml.crt" + owner: "root" + group: "root" + mode: "0740" + notify: + - "restart myconextserver" + +- name: Create geo download directory + ansible.builtin.file: + path: "/opt/openconext/myconext/geo2lite" + state: directory + owner: "root" + group: 
"root" + mode: "0750" + +- name: Create and start the server container + community.docker.docker_container: + name: myconextserver + image: ghcr.io/openconext/openconext-myconext/myconext-server:{{ myconext_server_version }} + pull: true + restart_policy: "always" + state: started + env: + USE_SYSTEM_CA_CERTS: "true" + TZ: "{{ timezone }}" + networks: + - name: "loadbalancer" + mounts: + - source: /opt/openconext/myconext/ + target: /config/ + type: bind + - source: /opt/openconext/certs/mongoca.crt + target: /certificates/mongoca.crt + type: bind + entrypoint: /__cacert_entrypoint.sh + command: 'java -jar /app.jar -Xmx256M --spring.config.location=./config/' + etc_hosts: + host.docker.internal: host-gateway + healthcheck: + test: ["CMD", "wget", "-no-verbose", "--tries=1", "--spider", "http://localhost:8080/internal/health" ] + interval: 10s + timeout: 10s + retries: 3 + start_period: 10s + notify: restart myconextserver + +- name: Create the client container + community.docker.docker_container: + name: myconextgui + image: ghcr.io/openconext/openconext-myconext/myconext-gui:{{ myconext_gui_version }} + pull: true + restart_policy: "always" + state: started + networks: + - name: "loadbalancer" + labels: + traefik.http.routers.myconextgui.rule: "Host(`mijn.{{ myconext_base_domain }}`)" + traefik.http.routers.myconextgui.tls: "true" + traefik.enable: "true" + healthcheck: + test: ["CMD", "curl", "--fail" , "http://localhost" ] + interval: 10s + timeout: 10s + retries: 3 + start_period: 10s + mounts: + - source: /etc/localtime + target: /etc/localtime + type: bind + - source: /opt/openconext/common/favicon.ico + target: /var/www/favicon.ico + type: bind + env: + HTTPD_CSP: "{{ httpd_csp.lenient_with_static_img }}" + HTTPD_SERVERNAME: "mijn.{{ myconext_base_domain }}" + OPENCONEXT_INSTANCENAME: "{{ instance_name }}" + OPENCONEXT_ENGINE_LOGOUT_URL: "https://engine.{{ base_domain }}/logout" + OPENCONEXT_HELP_EMAIL: "{{ support_email }}" + SHIB_ENTITYID: "https://mijn.{{ 
myconext_base_domain }}/shibboleth" + SHIB_REMOTE_ENTITYID: "https://engine.{{ base_domain }}/authentication/idp/metadata" + SHIB_REMOTE_METADATA: "{{ shibboleth_metadata_sources.engine }}" + +- name: Create the account gui + community.docker.docker_container: + name: accountgui + image: ghcr.io/openconext/openconext-myconext/account-gui:{{ account_gui_version }} + pull: true + restart_policy: "always" + state: started + networks: + - name: "loadbalancer" + labels: + traefik.http.routers.accountgui.rule: "Host(`login.{{ myconext_base_domain }}`)" + traefik.http.routers.accountgui.tls: "true" + traefik.enable: "true" + healthcheck: + test: ["CMD", "curl", "--fail" , "http://localhost"] + interval: 10s + timeout: 10s + retries: 3 + start_period: 10s + mounts: + - source: /etc/localtime + target: /etc/localtime + type: bind + - source: /opt/openconext/common/favicon.ico + target: /var/www/favicon.ico + type: bind + + env: + HTTPD_CSP: "{{ httpd_csp.lenient_with_static_img_for_idp }}" + HTTPD_SERVERNAME: "login.{{ myconext_base_domain }}" + diff --git a/roles/myconext-server/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2 similarity index 94% rename from roles/myconext-server/templates/application.yml.j2 rename to roles/myconext/templates/application.yml.j2 index ce9b5c110..c4c37abef 100644 --- a/roles/myconext-server/templates/application.yml.j2 +++ b/roles/myconext/templates/application.yml.j2 @@ -1,5 +1,5 @@ logging: - config: file://{{ myconext_dir }}/logback.xml + config: file:///config/logback.xml level: org.springframework.data.mongodb: INFO org.springframework.data.convert: INFO @@ -7,7 +7,7 @@ logging: server: # The port to where this Spring Boot application listens to. - port: {{ springapp_tcpport }} + port: 8080 error: path: "/error" server-header: 
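Review bot: In the myconextserver `command`, `-Xmx256M` is placed after `-jar /app.jar`, so it is handed to the application as a program argument rather than to the JVM and the heap cap has no effect; the order should be `java -Xmx256M -jar /app.jar --spring.config.location=./config/`. The server healthcheck also passes `-no-verbose` (single dash) where wget expects `--no-verbose` or `-nv`, so the check may never succeed as written. The deleted Apache vhost set `X-Frame-Options`, `Referrer-Policy` and `X-Content-Type-Options` next to the CSP, while the new GUI containers only receive `HTTPD_CSP`; confirm the images set the remaining headers or add them. The file modes are inconsistent as well: `application.yml`, which carries the Mongo password, `tiqr_hash_secret` and the SMS bearer, is placed `0644` while the SAML key is `0640` and the certificate `0740`; with the directory at `0770 root:root` only root reaches them on the host, but whatever uid the container runs as must still be able to read them through the `/config/` bind mount, so pick one mode (e.g. `0640`) and verify it against the image's user.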
@@ -35,6 +35,7 @@ email: magic-link-url: https://login.{{ myconext_base_domain }}/saml/guest-idp/magic my-surfconext-url: https://mijn.{{ myconext_base_domain }} idp-surfconext-url: https://login.{{ myconext_base_domain }} + mail-templates-directory: classpath:mail_templates identity-provider-meta-data: single_sign_on_service_uri: "https://login.{{ myconext_base_domain }}/saml/guest-idp/SSO" @@ -99,11 +100,10 @@ feature: # Does the SAMLIdpService expects authn requests to be signed requires_signed_authn_request: False - secure_cookie: true idp_entity_id: https://login.{{ myconext_base_domain }} -private_key_path: file://{{ myconext_dir }}/myconext_saml.key -certificate_path: file://{{ myconext_dir }}/myconext_saml.crt +private_key_path: file:///config/myconext_saml.key +certificate_path: file:///config/myconext_saml.crt tiqr_hash_secret: "{{ myconext_tiqr_hash_secret }}" remember_me_max_age_seconds: 15_768_000 @@ -117,7 +117,7 @@ sms: url: "{{ myconext.sms_api_url}}" bearer: "{{ myconext_sms_bearer }}" -tiqr_configuration: "file://{{ myconext_dir }}/tiqr.configuration.yml" +tiqr_configuration: "file:///config/tiqr.configuration.yml" attribute_aggregation: @@ -153,7 +153,6 @@ linked_accounts: account_linking_context_class_ref: linked_institution: https://eduid.nl/trust/linked-institution validate_names: https://eduid.nl/trust/validate-names - validate_names_external: https://eduid.nl/trust/validate-names-external affiliation_student: https://eduid.nl/trust/affiliation-student profile_mfa: https://refeds.org/profile/mfa @@ -171,7 +170,7 @@ eduid_api: geo_location: license_key: {{ myconext_geo2lite_license_key }} external_url: "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key={license_key}&suffix=tar.gz" - download_directory: "{{ myconext_dir }}/geo2lite" + download_directory: "/config/geo2lite" spring: data: 
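Review bot: The new side of the `feature:` block no longer sets `secure_cookie: true`; the line disappears together with the path rewrites, and unless the application defaults that flag to true the session cookie issued by the IdP at `login.{{ myconext_base_domain }}` loses its Secure attribute. Keep `secure_cookie: true` under `feature:` — a later commit in this series shows it present again, so it appears to have been restored, but this commit on its own regresses it.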
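Review bot: The rename removes `validate_names_external: https://eduid.nl/trust/validate-names-external` from `account_linking_context_class_ref`, a line the earlier "Added https://eduid.nl/trust/validate-names-external ACR" commit in this series introduced, while both environment files still advertise that value in oidcng `acr_values_supported`; an RP requesting that ACR then has no matching context class on the myconext side. If the removal is not intentional, restore the line.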
@@ -179,7 +178,7 @@ spring: uri: mongodb://{{ myconext.mongo_user }}:{{ myconext.mongo_password }}@{% for host in groups['mongo_servers'] %}{{ hostvars[host]['inventory_hostname'] }}:{{ myconext.mongo_port }}{% if not loop.last %},{% endif %}{% endfor %}/{{ myconext.mongo_database }}?ssl=true mail: - host: localhost + host: {{ smtp_server }} port: 25 main: banner-mode: "off" @@ -191,6 +190,10 @@ management: enabled: true # We disable all endpoints except health for the load-balancer and info for git information. endpoints: + web: + exposure: + include: "health,info,mappings,metrics" + base-path: "/internal" enabled: false health: enabled: true diff --git a/roles/myconext/templates/logback.xml.j2 b/roles/myconext/templates/logback.xml.j2 new file mode 100644 index 000000000..57b0ab15f --- /dev/null +++ b/roles/myconext/templates/logback.xml.j2 @@ -0,0 +1,20 @@ +#jinja2:lstrip_blocks: True + + + + + + %d{ISO8601} %5p [%t] %logger{40}:%L - %m%n + + + + + + + + + + + + + diff --git a/roles/myconext-server/templates/tiqr.configuration.yml.j2 b/roles/myconext/templates/tiqr.configuration.yml.j2 similarity index 85% rename from roles/myconext-server/templates/tiqr.configuration.yml.j2 rename to roles/myconext/templates/tiqr.configuration.yml.j2 index 79954e093..e09df4e49 100644 --- a/roles/myconext-server/templates/tiqr.configuration.yml.j2 +++ b/roles/myconext/templates/tiqr.configuration.yml.j2 @@ -13,7 +13,7 @@ rateLimitResetMinutes: 30 apns: serverHost: "api.push.apple.com" port: 443 - signingKey: "file://{{ myconext_dir }}/apns.p8" + signingKey: "file:///config/apns.p8" # Leave empty for non-local development serverCertificateChain: "" topic: "nl.eduid" @@ -21,5 +21,5 @@ apns: keyId: "{{ myconext.apns_keyid }}" gcm: - firebaseServiceAccount: "file://{{ myconext_dir }}/firebase.json" + firebaseServiceAccount: "file:///config/firebase.json" appName: "tiqr" From 8c645511e76f5ed5f723334185639c09d6ec4e8c Mon Sep 17 00:00:00 2001 
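Review bot: The comment directly above the new `web.exposure.include` still says "We disable all endpoints except health for the load-balancer and info for git information", but the new list also exposes `mappings` and `metrics` under `/internal`. Those endpoints enumerate every HTTP route and the runtime metrics of the IdP; the myconextserver container carries no Traefik labels, so they are presumably reachable only from the `loadbalancer` network, but the deleted Apache vhost proxied `/internal` and `/actuator` through from the public host, so confirm the GUI images do not do the same. Either trim the list to `include: "health,info"` or update the comment to state why mappings and metrics are exposed and who can reach them.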
From: Bart Geesink Date: Fri, 24 May 2024 08:37:10 +0200 Subject: [PATCH 071/114] Removing demosp, not needed in the main playbook --- provision.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/provision.yml b/provision.yml index a78c88158..9d5ff248c 100644 --- a/provision.yml +++ b/provision.yml @@ -185,7 +185,6 @@ - { role: diyidp, tags: ["diyidp"] } - { role: profile, tags: ["profile"] } - { role: lifecycle, tags: ["lifecycle"] } - - { role: demosp, tags: ["demosp"] } - import_playbook: "{{ environment_dir }}/playbook.yml" From ae7c405328f7609bdbc44a39bfe3d11ba691585d Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Fri, 24 May 2024 08:38:34 +0200 Subject: [PATCH 072/114] PDP: Fix favicon --- roles/pdp/tasks/main.yml | 2 +- roles/pdp/templates/logback.xml.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/pdp/tasks/main.yml b/roles/pdp/tasks/main.yml index a668c82cc..ee4661c43 100644 --- a/roles/pdp/tasks/main.yml +++ b/roles/pdp/tasks/main.yml @@ -84,7 +84,7 @@ target: /etc/localtime type: bind - source: /opt/openconext/common/favicon.ico - target: /var/www/favicon.ico + target: /var/www/html/favicon.ico type: bind hostname: pdp env: diff --git a/roles/pdp/templates/logback.xml.j2 b/roles/pdp/templates/logback.xml.j2 index b2991351c..403776189 100644 --- a/roles/pdp/templates/logback.xml.j2 +++ b/roles/pdp/templates/logback.xml.j2 @@ -7,7 +7,7 @@ - %d{ISO8601} %5p [%t] %logger{40}:%L - %m%n + %logger{40}:%L %d{ISO8601} %5p [%t] - %m%n From ba3a1eec6a590e569e051dd22ddb85534554b26a Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Fri, 24 May 2024 16:27:11 +0200 Subject: [PATCH 073/114] Verify ID eduID --- environments/template/group_vars/template.yml | 2 +- environments/template/secrets/skeleton.yml | 2 ++ environments/vm/group_vars/vm.yml | 2 +- environments/vm/secrets/vm.yml | 2 ++ roles/myconext/templates/application.yml.j2 | 12 +++++++++++- 5 files changed, 17 insertions(+), 3 deletions(-) 
diff --git a/environments/template/group_vars/template.yml b/environments/template/group_vars/template.yml index 2de30e70e..33193737c 100644 --- a/environments/template/group_vars/template.yml +++ b/environments/template/group_vars/template.yml @@ -410,7 +410,7 @@ myconext: mongo_password: "{{ mongo_passwords.myconext }}" rp_client_id: myconext.ala.eduid rs_client_id: myconext.rs - idp_external_validation_entity_id: http://mock-idp + verify_base_uri: "https://validate.test.eduid.nl" feature_webauthn: false feature_warning_educational_email_domain: false feature_show_connections: false diff --git a/environments/template/secrets/skeleton.yml b/environments/template/secrets/skeleton.yml index 3ff4309bb..142390aaf 100644 --- a/environments/template/secrets/skeleton.yml +++ b/environments/template/secrets/skeleton.yml @@ -33,6 +33,8 @@ myconext_api_attribute_aggregation_password: secret myconext_client_secret: secret myconext_rs_client_secret: secret myconext_geo2lite_license_key: secret +myconext_verify_client_id: secret +myconext_verify_secret: secret engine_api_profile_password: secret engine_api_deprovision_password: secret engine_parameters_secret: secret diff --git a/environments/vm/group_vars/vm.yml b/environments/vm/group_vars/vm.yml index 7b42fa64c..8b50798f5 100644 --- a/environments/vm/group_vars/vm.yml +++ b/environments/vm/group_vars/vm.yml @@ -299,7 +299,7 @@ myconext: mongo_password: "{{ mongo_passwords.myconext }}" rp_client_id: myconext.ala.eduid rs_client_id: myconext.rs - idp_external_validation_entity_id: http://mock-idp + verify_base_uri: "https://validate.test.eduid.nl" feature_webauthn: false feature_warning_educational_email_domain: false feature_use_external_validation: false diff --git a/environments/vm/secrets/vm.yml b/environments/vm/secrets/vm.yml index f514983ab..5d6b35b30 100644 --- a/environments/vm/secrets/vm.yml +++ b/environments/vm/secrets/vm.yml 
@@ -43,6 +43,8 @@ myconext_api_attribute_aggregation_password: secret myconext_client_secret: secret myconext_rs_client_secret: secret myconext_geo2lite_license_key: secret +myconext_verify_client_id: secret +myconext_verify_secret: secret engine_api_profile_password: secret engine_api_deprovision_password: secret diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2 index c4c37abef..bcdd3053c 100644 --- a/roles/myconext/templates/application.yml.j2 +++ b/roles/myconext/templates/application.yml.j2 @@ -99,6 +99,8 @@ feature: default_remember_me: True # Does the SAMLIdpService expects authn requests to be signed requires_signed_authn_request: False + # Do we support ID verify + id_verify: True secure_cookie: true idp_entity_id: https://login.{{ myconext_base_domain }} @@ -157,7 +159,6 @@ account_linking_context_class_ref: profile_mfa: https://refeds.org/profile/mfa account_linking: - idp_external_validation_entity_id: {{ myconext.idp_external_validation_entity_id }} myconext_sp_entity_id: https://mijn.{{ myconext_base_domain }}/shibboleth eduid_api: @@ -172,6 +173,15 @@ geo_location: external_url: "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key={license_key}&suffix=tar.gz" download_directory: "/config/geo2lite" +verify: + client_id: {{ myconext_verify_client_id }} + secret: {{ myconext_verify_secret }} + base_uri: {{ myconext.verify_base_uri }} + sp_verify_redirect_url: https://mijn.{{ myconext_base_domain }}/myconext/api/sp/verify/redirect + idp_verify_redirect_url: https://login.{{ myconext_base_domain }}/myconext/api/idp/verify/redirect + mobile_verify_redirect_url: https://mijn.{{ myconext_base_domain }}/myconext/api/mobile/verify/redirect + issuers_path: "classpath:idin/issuers.json" + spring: data: mongodb: From 812cc698df752aec3868a05a609d60be7f562474 Mon Sep 17 00:00:00 2001 
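Review bot: In the new `verify:` block of roles/myconext/templates/application.yml.j2, `client_id: {{ myconext_verify_client_id }}` and `secret: {{ myconext_verify_secret }}` are rendered unquoted, so a real secret containing `:`, `#` or a leading `{` (the `{noop}` form this series later adopts for other passwords) either breaks YAML parsing or is silently reinterpreted; quote them as `secret: "{{ myconext_verify_secret }}"`. The `profile:` block added to roles/invite/templates/serverapplication.yml.j2 in PATCH 083 has the same unquoted `password: {{ invite.profile_secret }}`. Separately, `verify_base_uri: "https://validate.test.eduid.nl"` in environments/template/group_vars/template.yml bakes a test endpoint into the template every new environment copies; a comment marking it as a value to override would keep a production environment from verifying identities against the test service by accident.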
From: Bart Geesink Date: Fri, 24 May 2024 08:47:41 +0200 Subject: [PATCH 074/114] Invite: Remove duplicate mounts key in the mock docker provisioning --- roles/invite/tasks/main.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/roles/invite/tasks/main.yml b/roles/invite/tasks/main.yml index 155f3008a..9ea09131f 100644 --- a/roles/invite/tasks/main.yml +++ b/roles/invite/tasks/main.yml @@ -144,6 +144,9 @@ - source: /opt/openconext/invite/mockapplication.yml target: /application.yml type: bind + - source: /etc/localtime + target: /etc/localtime + type: bind networks: - name: "loadbalancer" labels: @@ -157,10 +160,6 @@ timeout: 10s retries: 3 start_period: 10s - mounts: - - source: /etc/localtime - target: /etc/localtime - type: bind when: invite_mock_install notify: restart inviteprovisioningmock From d3a83ec116d1abeed331df933e01d48f3e548a6a Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Fri, 24 May 2024 17:55:44 +0200 Subject: [PATCH 075/114] Myconext: Still uses an SP specific metadata endpoint --- roles/myconext/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/myconext/tasks/main.yml b/roles/myconext/tasks/main.yml index 3bb0cc2d6..2f4595a44 100644 --- a/roles/myconext/tasks/main.yml +++ b/roles/myconext/tasks/main.yml @@ -148,8 +148,8 @@ OPENCONEXT_ENGINE_LOGOUT_URL: "https://engine.{{ base_domain }}/logout" OPENCONEXT_HELP_EMAIL: "{{ support_email }}" SHIB_ENTITYID: "https://mijn.{{ myconext_base_domain }}/shibboleth" - SHIB_REMOTE_ENTITYID: "https://engine.{{ base_domain }}/authentication/idp/metadata" - SHIB_REMOTE_METADATA: "{{ shibboleth_metadata_sources.engine }}" + SHIB_REMOTE_ENTITYID: "https://login.{{ myconext_base_domain }}" + SHIB_REMOTE_METADATA: "{{ shibboleth_metadata_sources.my_conext_idp }}" - name: Create the account gui community.docker.docker_container: From 052859f2429cad732bd4c61adcd66b848a62b4c9 Mon Sep 17 00:00:00 2001 
From: Bart Geesink Date: Sat, 25 May 2024 12:21:03 +0200 Subject: [PATCH 076/114] Revert "Myconext: Still uses an SP specific metadata endpoint" This reverts commit d3a83ec116d1abeed331df933e01d48f3e548a6a. --- roles/myconext/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/myconext/tasks/main.yml b/roles/myconext/tasks/main.yml index 2f4595a44..3bb0cc2d6 100644 --- a/roles/myconext/tasks/main.yml +++ b/roles/myconext/tasks/main.yml @@ -148,8 +148,8 @@ OPENCONEXT_ENGINE_LOGOUT_URL: "https://engine.{{ base_domain }}/logout" OPENCONEXT_HELP_EMAIL: "{{ support_email }}" SHIB_ENTITYID: "https://mijn.{{ myconext_base_domain }}/shibboleth" - SHIB_REMOTE_ENTITYID: "https://login.{{ myconext_base_domain }}" - SHIB_REMOTE_METADATA: "{{ shibboleth_metadata_sources.my_conext_idp }}" + SHIB_REMOTE_ENTITYID: "https://engine.{{ base_domain }}/authentication/idp/metadata" + SHIB_REMOTE_METADATA: "{{ shibboleth_metadata_sources.engine }}" - name: Create the account gui community.docker.docker_container: From 66fa240dd1927c26e1200c16bc79a60103d3ed0a Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Sat, 25 May 2024 12:35:53 +0200 Subject: [PATCH 077/114] Myconext: - Use the engineblock entityID to tell shibboleth where to login after logging out - Add missing config parameter --- roles/myconext/templates/application.yml.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2 index bcdd3053c..08e433a7b 100644 --- a/roles/myconext/templates/application.yml.j2 +++ b/roles/myconext/templates/application.yml.j2 
@@ -72,7 +72,7 @@ rp_origin: https://login.{{ myconext_base_domain }} sp_redirect_url: https://mijn.{{ myconext_base_domain }} sp_entity_id: {{ myconext.sp_entity_id }} sp_entity_metadata_url: {{ myconext.sp_entity_metadata_url }} -guest_idp_entity_id: https://login.{{ myconext_base_domain }} +guest_idp_entity_id: https://engine.{{ base_domain }}/authentication/idp/metadata my_conext_url: https://mijn.{{ myconext_base_domain }} domain: {{ myconext_base_domain }} mijn_eduid_entity_id: https://mijn.{{ myconext_base_domain }}/shibboleth @@ -155,6 +155,7 @@ linked_accounts: account_linking_context_class_ref: linked_institution: https://eduid.nl/trust/linked-institution validate_names: https://eduid.nl/trust/validate-names + validate_names_external: https://eduid.nl/trust/validate-names-external affiliation_student: https://eduid.nl/trust/affiliation-student profile_mfa: https://refeds.org/profile/mfa From 8e202be9d24ea72c17ddfc79b37f47a26346be66 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Mon, 27 May 2024 14:41:26 +0200 Subject: [PATCH 078/114] Myconext: Make sure the /internal/info endpoint shows version information --- roles/myconext/templates/application.yml.j2 | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2 index 08e433a7b..9393dd76d 100644 --- a/roles/myconext/templates/application.yml.j2 +++ b/roles/myconext/templates/application.yml.j2 @@ -199,16 +199,13 @@ management: health: mail: enabled: true + info: + enabled: true + git: + mode: full # We disable all endpoints except health for the load-balancer and info for git information. endpoints: web: exposure: include: "health,info,mappings,metrics" base-path: "/internal" - enabled: false - health: - enabled: true - info: - enabled: true - git: - mode: full From 5d05e36cc10fe45b009405baad78cc6b7dde6815 Mon Sep 17 00:00:00 2001 
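Review bot: The comment `# We disable all endpoints except health for the load-balancer and info for git information.` no longer describes the configuration below it: `include: "health,info,mappings,metrics"` also exposes the `mappings` and `metrics` actuator endpoints under `/internal`, and the removed `enabled: false` lines were the only text that read as a restriction. Both endpoints disclose internal structure (every request mapping, JVM and HTTP metrics), so either trim the list to `include: "health,info"` or correct the comment and confirm that `/internal` is blocked for external clients at the load balancer — the HAProxy ACLs are not part of this change, so that cannot be verified from the hunk.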
From: Bart Geesink Date: Tue, 28 May 2024 08:53:35 +0200 Subject: [PATCH 079/114] Lifecycle: add defaults --- roles/lifecycle/defaults/main.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 roles/lifecycle/defaults/main.yml
diff --git a/roles/lifecycle/defaults/main.yml b/roles/lifecycle/defaults/main.yml
new file mode 100644
index 000000000..1338bd91c
--- /dev/null
+++ b/roles/lifecycle/defaults/main.yml
@@ -0,0 +1,13 @@
+---
+appname: lifecycle
+lifecycle_version: ''
+lifecycle_user: lifecycle
+lifecycle_symfony_env: prod
+lifecycle_eb_logins_db: eb_logins
+lifecycle_db_host: localhost
+lifecycle_user_quota: 1500
+lifecycle_inactivity_period: 38
+lifecycle_api_enabled: true
+lifecycle_api_password: secret
+lifecycle_api_username: lifecycle
+current_release_config_dir_name: /opt/openconext/{{ appname }}
From 091583cfef957b786d93c05c63398108e476f903 Mon Sep 17 00:00:00 2001
From: Bart Geesink Date: Tue, 28 May 2024 10:43:25 +0200 Subject: [PATCH 080/114] Haproxy: Redirect rule now uses base so you can redirect a URL +path --- roles/haproxy/templates/haproxy_frontend.cfg.j2 | 2 +- roles/haproxy/templates/validvhostsunrestricted.acl.j2 | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/roles/haproxy/templates/haproxy_frontend.cfg.j2 b/roles/haproxy/templates/haproxy_frontend.cfg.j2
index 001073db1..426ffa691 100644
--- a/roles/haproxy/templates/haproxy_frontend.cfg.j2
+++ b/roles/haproxy/templates/haproxy_frontend.cfg.j2
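Review bot: `lifecycle_api_password: secret` in the new roles/lifecycle/defaults/main.yml gives the lifecycle API a known default credential while `lifecycle_api_enabled: true`; role defaults have the lowest variable precedence, so an environment that forgets to define the secret deploys with the password `secret` instead of failing. Drop the password line from the defaults, or have the consuming template use `{{ lifecycle_api_password | mandatory }}`, so that an unset secret aborts the play at template time. The placeholder belongs in the environment's secrets skeleton, where this repository already keeps the other `*_secret` and `*_password` variables.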
@@ -104,7 +104,7 @@ frontend local_ip acl securitytxt path /.well-known/security.txt http-request redirect location {{ haproxy_securitytxt_target_url }} if securitytxt {% endif %} - http-request redirect location %[req.hdr(host),lower,map(/etc/haproxy/maps/redirects.map)] if { req.hdr(host),lower,map_str(/etc/haproxy/maps/redirects.map) -m found } + http-request redirect location %[base,map_reg(/etc/haproxy/maps/redirects.map)] if { base,map_reg(/etc/haproxy/maps/redirects.map) -m found } {% if haproxy_sni_ip_restricted is defined %} #-------------------------------------------------------------------- diff --git a/roles/haproxy/templates/validvhostsunrestricted.acl.j2 b/roles/haproxy/templates/validvhostsunrestricted.acl.j2 index 220991634..14e2d555f 100644 --- a/roles/haproxy/templates/validvhostsunrestricted.acl.j2 +++ b/roles/haproxy/templates/validvhostsunrestricted.acl.j2 @@ -5,6 +5,9 @@ {% endfor %} {%if haproxy_redirects is defined %} {% for application in haproxy_redirects %} +{%if application.hostname is defined %} +{{ application.hostname }} +{% endif %} {{ application.url }} {% endfor %} {% endif %} From 02f8616983e6038e16db6a8058bd6384ee59335d Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Tue, 28 May 2024 15:11:13 +0200 Subject: [PATCH 081/114] Haproxy_mgnt: Undo the previous change, as that was WIP --- roles/haproxy_mgnt/tasks/main.yml | 28 +++++++--------------------- 1 file changed, 7 insertions(+), 21 deletions(-) diff --git a/roles/haproxy_mgnt/tasks/main.yml b/roles/haproxy_mgnt/tasks/main.yml index db671de11..5babeb3f3 100644 --- a/roles/haproxy_mgnt/tasks/main.yml +++ b/roles/haproxy_mgnt/tasks/main.yml 
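Review bot: The rewritten rule `http-request redirect location %[base,map_reg(/etc/haproxy/maps/redirects.map)] if { base,map_reg(/etc/haproxy/maps/redirects.map) -m found }` drops the `lower` converter the old `map_str` lookup applied, so a request whose Host header differs only in case no longer redirects, and `map_reg` treats each map key as a regular expression matched anywhere in host+path, so an unanchored key such as `example.org` also matches any longer host or path that merely contains that string. Unless redirects.map already anchors its keys (the map file is not part of this change), anchor them with `^...$` and keep case folding with `%[base,lower,map_reg(/etc/haproxy/maps/redirects.map)]` in both the location and the condition. `map_reg` also evaluates every key on every request where `map_str` was a hash lookup; harmless for a small map, but worth a comment next to the rule.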
@@ -5,25 +5,11 @@ register: patch_process_started - block: - - name: End the play if the patchprocess is running - debug: - msg: "The patchprocess is running. No loadbalancer management allowed" - - meta: end_play - when: patch_process_started.stat.exists and skip_patch_check is not defined - -# Set the fact weight_blue as an integer. The value is the 100 minus value of the supplied -# variable "weight_red". -- set_fact: - weight_blue: "{{ 100 - weight_red }}" - -- name: Create list with labels and weights as dictionaries - set_fact: - server_labels_with_weights: "{{ server_labels_with_weights + [{ 'label': item.label, 'weight': (weight_red if item.color == 'red' else weight_blue) }] }}" - loop: "{{ docker_blauwrood_servers }}" - -- name: debug - debug: - msg: "{{server_labels_with_weights }}" + - name: End the play if the patchprocess is running + debug: + msg: "The patchprocess is running. No loadbalancer management allowed" + - meta: end_play + when: patch_process_started.stat.exists and skip_patch_check is not defined - name: get new weight for haproxy hosts haproxy_commands: @@ -55,12 +41,12 @@ - name: dump weight output debug: - msg: "{{ haproxy_weights.haproxy_items }}" + msg: '{{ haproxy_weights.haproxy_items }}' when: weight is defined - name: dump state output debug: - msg: "{{ haproxy_states.haproxy_items }}" + msg: '{{ haproxy_states.haproxy_items }}' when: state is defined - name: set weights for haproxy hosts From d49db817379116b60ce2157f9320020010e69bac Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Fri, 24 May 2024 20:55:04 +0200 Subject: [PATCH 082/114] Troubleshooting myconext --- roles/myconext/defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 roles/myconext/defaults/main.yml diff --git a/roles/myconext/defaults/main.yml b/roles/myconext/defaults/main.yml new file mode 100644 index 000000000..2fa088e32 --- /dev/null +++ b/roles/myconext/defaults/main.yml @@ -0,0 +1,2 @@ +--- +myconext_cronjobmaster: true 
From 561be4c4f014fc480f58040c1957b71efecd2690 Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Tue, 28 May 2024 15:58:47 +0200 Subject: [PATCH 083/114] Profile user --- environments/template/secrets/skeleton.yml | 1 + environments/vm/secrets/vm.yml | 1 + roles/invite/templates/serverapplication.yml.j2 | 4 ++++ 3 files changed, 6 insertions(+) diff --git a/environments/template/secrets/skeleton.yml b/environments/template/secrets/skeleton.yml index 142390aaf..f4b360621 100644 --- a/environments/template/secrets/skeleton.yml +++ b/environments/template/secrets/skeleton.yml @@ -146,6 +146,7 @@ invite_teams_secret: secret invite_attribute_aggregation_secret: secret invite_manage_secret: secret invite_lifecycle_secret: secret +invite_profile_secret: secret invite_private_key_pkcs8: | -----BEGIN PRIVATE KEY----- MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCfpYYMgKYDICkp diff --git a/environments/vm/secrets/vm.yml b/environments/vm/secrets/vm.yml index 5d6b35b30..b62a74ffe 100644 --- a/environments/vm/secrets/vm.yml +++ b/environments/vm/secrets/vm.yml @@ -293,6 +293,7 @@ invite_teams_secret: secret invite_attribute_aggregation_secret: secret invite_manage_secret: secret invite_lifecycle_secret: secret +invite_profile_secret: secret invite_private_key_pkcs8: | -----BEGIN PRIVATE KEY----- MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCfpYYMgKYDICkp diff --git a/roles/invite/templates/serverapplication.yml.j2 b/roles/invite/templates/serverapplication.yml.j2 index 738527c96..ce2a92ba9 100644 --- a/roles/invite/templates/serverapplication.yml.j2 +++ b/roles/invite/templates/serverapplication.yml.j2 @@ -130,6 +130,10 @@ lifecycle: user: {{ invite.lifecycle_user }} password: {{ invite.lifecycle_secret }} +profile: + user: {{ invite.profile_user }} + password: {{ invite.profile_secret }} + email: from: "{{ noreply_email }}" contactEmail: "{{ support_email }}" From e6703d9de22208fff8a950580c597c6503e16ca9 Mon Sep 17 00:00:00 2001 
From: Bart Geesink Date: Wed, 29 May 2024 11:27:22 +0200 Subject: [PATCH 084/114] Haproxy management role: - Simplify the role by using Ansible native plugins - Get the backend servers from the configuration - Set color or other dynamic properties in the configuration of the backend servers --- library/haproxy_commands.py | 76 -------------------- roles/haproxy_mgnt/tasks/main.yml | 111 +++++++++++++----------------- 2 files changed, 48 insertions(+), 139 deletions(-) delete mode 100644 library/haproxy_commands.py diff --git a/library/haproxy_commands.py b/library/haproxy_commands.py deleted file mode 100644 index 83e932c8e..000000000 --- a/library/haproxy_commands.py +++ /dev/null 
@@ -1,76 +0,0 @@ -#!/bin/env python -from ansible.module_utils.basic import * - - -def _haproxy_weight(host, weight, app_name): - return { - "host": host, "weight": str(weight) + "%", "backend": app_name + "_be" - } - - -def _haproxy_state(host, state, app_name): - return { - "host": host, "state": state, "backend": app_name + "_be", - "wait": "yes" - } - - -if __name__ == "__main__": - fields = { - "java_blauwrood_servers": {"java_blauwrood_servers": True, "type": "list"}, - "php_blauwrood_servers": {"php_blauwrood_servers": True, "type": "list"}, - "static_blauwrood_servers": {"static_blauwrood_servers": True, "type": "list"}, - "stepup_blauwrood_servers": {"stepup_blauwrood_servers": True, "type": "list"}, - "docker_blauwrood_servers": {"docker_blauwrood_servers": True, "type": "list"}, - "weight": {"type": "str"}, - "color": {"required": True, "type": "str"}, - "app_name": {"required": True, "type": "str"}, - "app_type": {"required": True, "type": "str"}, - "state": {"type": "str"} - } - module = AnsibleModule(argument_spec=fields) - java_servers = [s["label"] for s in module.params["java_blauwrood_servers"]] - php_servers = [s["label"] for s in module.params["php_blauwrood_servers"]] - static_servers = [s["label"] for s in module.params["static_blauwrood_servers"]] - stepup_servers = [s["label"] for s in module.params["stepup_blauwrood_servers"]] - docker_servers = [s["label"] for s in module.params["docker_blauwrood_servers"]] - app_name = module.params["app_name"].lower() - app_type = module.params["app_type"].lower() - - weight = module.params["weight"] - color = module.params["color"] - - state = module.params["state"] - - if app_type == "java": - servers = java_servers - elif app_type == "php": - servers = php_servers - elif app_type == "static": - servers = static_servers - elif app_type == "stepup": - servers = stepup_servers - elif app_type == "docker": - servers = docker_servers - - red_servers = [s for s in servers if s.upper().endswith("ROOD")] - 
blue_servers = [s for s in servers if s.upper().endswith("BLAUW")] - if color == "rood": - state_servers = red_servers - elif color == "blauw": - state_servers = blue_servers - - if state: - haproxy_items = [_haproxy_state(s, state, app_name) for s in state_servers] - module.exit_json(haproxy_items=haproxy_items) - else: - weight = int(weight[:-1]) if weight.endswith("%") else int(weight) - other_weight = 100 - weight - color = color.lower() - - red_weight = weight if color == "rood" else other_weight - blue_weight = weight if color == "blauw" else other_weight - - red_items = [_haproxy_weight(s, red_weight, app_name) for s in red_servers] - blue_items = [_haproxy_weight(s, blue_weight, app_name) for s in blue_servers] - module.exit_json(haproxy_items=red_items + blue_items) diff --git a/roles/haproxy_mgnt/tasks/main.yml b/roles/haproxy_mgnt/tasks/main.yml index 5babeb3f3..86eacf6ba 100644 --- a/roles/haproxy_mgnt/tasks/main.yml +++ b/roles/haproxy_mgnt/tasks/main.yml 
@@ -1,74 +1,59 @@ --- -- name: Check if the patchproces is running, except when called from the patchproces - stat: - path: /tmp/patchprocesstarted - register: patch_process_started +- name: Extract list of application names + ansible.builtin.set_fact: + app_names: "{{ haproxy_applications | map(attribute='name') | list }}" -- block: - - name: End the play if the patchprocess is running - debug: - msg: "The patchprocess is running. No loadbalancer management allowed" - - meta: end_play - when: patch_process_started.stat.exists and skip_patch_check is not defined +- name: Check if dynamic_input exists in haproxy_applications + ansible.builtin.set_fact: + app_exists: "{{ app_name in app_names }}" -- name: get new weight for haproxy hosts - haproxy_commands: - java_blauwrood_servers: "{{ java_blauwrood_servers }}" - php_blauwrood_servers: "{{ php_blauwrood_servers }}" - static_blauwrood_servers: "{{ static_blauwrood_servers }}" - stepup_blauwrood_servers: "{{ stepup_blauwrood_servers }}" - docker_blauwrood_servers: "{{ docker_blauwrood_servers }}" - weight: "{{ weight }}" - color: "{{ color }}" - app_name: "{{ app_name }}" - app_type: "{{ app_type }}" - when: weight is defined - register: haproxy_weights +- name: Fail if dynamic_input does not exist in haproxy_applications + ansible.builtin.fail: + msg: "The application '{{ app_name }}' does not exist in haproxy_applications. 
Available applications are: {{ app_names | join(', ') }}" + when: not app_exists -- name: get new state for haproxy hosts - haproxy_commands: - java_blauwrood_servers: "{{ java_blauwrood_servers }}" - php_blauwrood_servers: "{{ php_blauwrood_servers }}" - static_blauwrood_servers: "{{ static_blauwrood_servers }}" - stepup_blauwrood_servers: "{{ stepup_blauwrood_servers }}" - docker_blauwrood_servers: "{{ docker_blauwrood_servers }}" - color: "{{ color }}" - state: "{{ state }}" - app_name: "{{ app_name }}" - app_type: "{{ app_type }}" - when: state is defined - register: haproxy_states +- name: Set the complementing weight + ansible.builtin.set_fact: + weight_complementing: "{{ 100 - weight | int }}" -- name: dump weight output - debug: - msg: '{{ haproxy_weights.haproxy_items }}' - when: weight is defined +- name: Get the server list from the servers configured in haproxy_applications + ansible.builtin.set_fact: + selected_servers: "{{ (haproxy_applications | selectattr('name', 'equalto', app_name) | map(attribute='servers') | first) }}" -- name: dump state output - debug: - msg: '{{ haproxy_states.haproxy_items }}' - when: state is defined +- name: Check if the patchproces is running, except when called from the patchproces + ansible.builtin.stat: + path: /tmp/patchprocesstarted + register: patch_process_started -- name: set weights for haproxy hosts - haproxy: +- block: + - name: End the play if the patchprocess is running + ansible.builtin.debug: + msg: "The patchprocess is running. 
No loadbalancer management allowed" + - ansible.builtin.meta: end_play + when: patch_process_started.stat.exists and skip_patch_check is not defined + +- name: Create an empty list + ansible.builtin.set_fact: + server_labels_with_weights: [] + +- name: Create list with labels and weights as dictionaries + ansible.builtin.set_fact: + server_labels_with_weights: "{{ server_labels_with_weights + [{ 'label': item.label, 'weight': (weight if item[app_filter] == app_filtervalue else weight_complementing) }] }}" + loop: "{{ selected_servers }}" + +- name: Show the created list + ansible.builtin.debug: + msg: "{{ server_labels_with_weights }}" + +- name: Set weights for haproxy hosts + community.general.haproxy: state: enabled - host: "{{ item.host }}" - fail_on_not_found: yes - socket: /var/lib/haproxy/haproxy.stats - weight: "{{ item.weight }}" - backend: "{{ item.backend }}" - with_items: "{{ haproxy_weights.haproxy_items }}" - when: weight is defined - -- name: set state for haproxy hosts - haproxy: - state: "{{ item.state }}" - host: "{{ item.host }}" - fail_on_not_found: yes + host: "{{ item.label }}" + fail_on_not_found: true socket: /var/lib/haproxy/haproxy.stats - backend: "{{ item.backend }}" - with_items: "{{ haproxy_states.haproxy_items }}" - when: state is defined + weight: "{{ item.weight }}%" + backend: "{{ app_name }}_be" + with_items: "{{ server_labels_with_weights }}" - name: Write the state to the correct state file - shell: echo "show servers state" | socat /var/lib/haproxy/haproxy.stats - > /var/lib/haproxy/state + ansible.builtin.shell: echo "show servers state" | socat /var/lib/haproxy/haproxy.stats - > /var/lib/haproxy/state From dfe86e02566493aff87329df970f144ed1fbbc5b Mon Sep 17 00:00:00 2001 
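Review bot: The new weight logic in roles/haproxy_mgnt/tasks/main.yml validates `app_name` but not `weight`, `app_filter` or `app_filtervalue`: `weight | int` turns a malformed value such as `10%` into 0, and when no entry of `selected_servers` satisfies `item[app_filter] == app_filtervalue` every server receives `weight_complementing`, so a run with `weight=100` sets the whole `{{ app_name }}_be` backend to 0% through the `community.general.haproxy` task. An assert placed right after the `selected_servers` fact, before anything touches the HAProxy socket, closes both cases; the variable definitions live outside this file, so the exact names are taken from their use in the loop. The patch-process check now runs after the input validation, which is harmless but worth a comment since the old order was the reverse.

```yaml
- name: Refuse to change weights when the input is out of range or selects no server
  ansible.builtin.assert:
    that:
      - weight | string is match('^[0-9]+$')
      - weight | int <= 100
      - selected_servers | selectattr(app_filter, 'defined') | selectattr(app_filter, 'equalto', app_filtervalue) | list | length > 0
    fail_msg: "weight must be 0-100 and {{ app_filter }}={{ app_filtervalue }} must match at least one server of {{ app_name }}"
# … unchanged: patch-process check, server_labels_with_weights loop, haproxy weight task, state dump …
```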
From: Okke Harsta Date: Wed, 29 May 2024 13:15:07 +0200 Subject: [PATCH 085/114] Refactored eduID API security --- environments/template/secrets/skeleton.yml | 5 ++-- environments/vm/secrets/vm.yml | 5 ++-- roles/myconext/templates/application.yml.j2 | 27 ++++++++++++++++----- 3 files changed, 27 insertions(+), 10 deletions(-) diff --git a/environments/template/secrets/skeleton.yml b/environments/template/secrets/skeleton.yml index f4b360621..de77619b9 100644 --- a/environments/template/secrets/skeleton.yml +++ b/environments/template/secrets/skeleton.yml @@ -27,9 +27,10 @@ engine_api_metadata_push_password: secret oidcng_api_metadata_push_password: secret oidcng_api_tokens_profile_password: secret oidcng_api_tokens_eduid_password: secret -myconext_api_attribute_manipulation_password: secret +myconext_api_attribute_manipulation_password: "{noop}secret" myconext_oidcng_rs_client_secret: secret -myconext_api_attribute_aggregation_password: secret +myconext_api_attribute_aggregation_password: "{noop}secret" +myconext_api_studielink_password: "{noop}secret" myconext_client_secret: secret myconext_rs_client_secret: secret myconext_geo2lite_license_key: secret diff --git a/environments/vm/secrets/vm.yml b/environments/vm/secrets/vm.yml index b62a74ffe..be964a68f 100644 --- a/environments/vm/secrets/vm.yml +++ b/environments/vm/secrets/vm.yml @@ -37,9 +37,10 @@ engine_api_metadata_push_password: secret oidcng_api_metadata_push_password: secret oidcng_api_tokens_profile_password: secret oidcng_api_tokens_eduid_password: secret -myconext_api_attribute_manipulation_password: secret +myconext_api_attribute_manipulation_password: "{noop}secret" myconext_oidcng_rs_client_secret: secret -myconext_api_attribute_aggregation_password: secret +myconext_api_attribute_aggregation_password: "{noop}secret" +myconext_api_studielink_password: "{noop}secret" myconext_client_secret: secret myconext_rs_client_secret: secret myconext_geo2lite_license_key: secret 
diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2 index 9393dd76d..2a45589ba 100644 --- a/roles/myconext/templates/application.yml.j2 +++ b/roles/myconext/templates/application.yml.j2 @@ -121,14 +121,29 @@ sms: tiqr_configuration: "file:///config/tiqr.configuration.yml" +# We don't encode in-memory passwords, so we need to prefix them with {noop} +external-api-configuration: + remote-users: + - + username: aa + password: "{{ myconext_api_attribute_aggregation_password }}" + scopes: + - attribute-aggregation + - system + - + username: oidcng + password: {{ myconext_api_attribute_manipulation_password }} + scopes: + - attribute-manipulation + - + username: studielink + password: {{ myconext_api_studielink_password }} + scopes: + - remote-creation + rp_client_id: rp.studielink.nl + schac_home: studielink.nl -attribute_aggregation: - user: aa - password: {{ myconext_api_attribute_aggregation_password }} -attribute_manipulation: - user: oidcng - password: {{ myconext_api_attribute_manipulation_password }} oidc-token-api: token-url: https://connect.{{ base_domain }}/tokens From efdde5f9195f5a307421c8c16fd8c76ea90b058f Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Wed, 29 May 2024 13:19:32 +0200 Subject: [PATCH 086/114] Escaping bugfix --- roles/myconext/templates/application.yml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2 index 2a45589ba..03265f85b 100644 --- a/roles/myconext/templates/application.yml.j2 +++ b/roles/myconext/templates/application.yml.j2 
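Review bot: The comment `# We don't encode in-memory passwords, so we need to prefix them with {noop}` presents plaintext storage as a constraint, but the `{noop}` prefix is the id syntax of Spring's DelegatingPasswordEncoder (assuming that is what the application uses, as the prefix suggests), which accepts `{bcrypt}` hashes just as well; storing hashes in the secrets files would keep the plaintext API passwords of `aa`, `oidcng` and `studielink` out of the rendered application.yml on the myconext hosts, since only the calling services need the plaintext. If plaintext is deliberate, reword the comment so the trade-off is explicit, e.g. `# Passwords are compared in plaintext; the {noop} prefix tells the password encoder not to hash them`. The unquoted `password: {{ ... }}` lines for `oidcng` and `studielink` are already corrected by PATCH 086 in this series.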
@@ -132,12 +132,12 @@ external-api-configuration: - system - username: oidcng - password: {{ myconext_api_attribute_manipulation_password }} + password: "{{ myconext_api_attribute_manipulation_password }}" scopes: - attribute-manipulation - username: studielink - password: {{ myconext_api_studielink_password }} + password: "{{ myconext_api_studielink_password }}" scopes: - remote-creation rp_client_id: rp.studielink.nl From 44b4fe3c59a740408f44efaf81c4895a4cc4d85b Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Wed, 29 May 2024 14:17:42 +0200 Subject: [PATCH 087/114] Added new swagger path --- roles/myconext/templates/application.yml.j2 | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2 index 03265f85b..891840760 100644 --- a/roles/myconext/templates/application.yml.j2 +++ b/roles/myconext/templates/application.yml.j2 @@ -21,12 +21,15 @@ server: max-http-header-size: 20000 springdoc: - pathsToMatch: "/mobile/**" + pathsToMatch: + - "/remote-creation/**" + - "/mobile/**" api-docs: - path: "/myconext/api/mobile/api-docs" + path: "/myconext/api/api-docs" enabled: true + # resolves to https://login.test2.eduid.nl/myconext/api/swagger-ui/index.html swagger-ui: - path: "/myconext/api/mobile/api-ui.html" + path: "/myconext/api/" operationsSorter: method enabled: true From 04c2d5d37b571679b47151f415ed705dc56cb6d9 Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Wed, 29 May 2024 14:31:07 +0200 Subject: [PATCH 088/114] Rename api/remote-creation --- roles/myconext/templates/application.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2 index 891840760..c22352c31 100644 --- a/roles/myconext/templates/application.yml.j2 +++ b/roles/myconext/templates/application.yml.j2 
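Review bot: `swagger-ui.path: "/myconext/api/"` together with `enabled: true` for both `swagger-ui` and `api-docs` publishes the interactive API console and the complete OpenAPI document, now covering the remote-creation endpoints added to `pathsToMatch`, on every host that renders this template, and the inline comment `# resolves to https://login.test2.eduid.nl/myconext/api/swagger-ui/index.html` shows it was verified on a test environment only. Consider gating both `enabled` flags on an environment variable, e.g. `enabled: {{ myconext.swagger_enabled | default(false) }}` (placeholder name), so production exposes the documentation only deliberately, and replace the environment-specific hostname in the comment with the path alone.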
@@ -22,7 +22,7 @@ server: springdoc: pathsToMatch: - - "/remote-creation/**" + - "api/remote-creation/**" - "/mobile/**" api-docs: path: "/myconext/api/api-docs" From cebbad97bd41c07ffefc0c876d3f5d841c769352 Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Wed, 29 May 2024 14:45:38 +0200 Subject: [PATCH 089/114] / bug --- roles/myconext/templates/application.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2 index c22352c31..b3e28b574 100644 --- a/roles/myconext/templates/application.yml.j2 +++ b/roles/myconext/templates/application.yml.j2 @@ -22,7 +22,7 @@ server: springdoc: pathsToMatch: - - "api/remote-creation/**" + - "/api/remote-creation/**" - "/mobile/**" api-docs: path: "/myconext/api/api-docs" From deedd73ccff01779b0c5cbec76d2c7244d458c2b Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Wed, 29 May 2024 15:52:23 +0200 Subject: [PATCH 090/114] Rsyslog: Docker apps --- roles/rsyslog/templates/sc_ruleset.conf.j2 | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/roles/rsyslog/templates/sc_ruleset.conf.j2 b/roles/rsyslog/templates/sc_ruleset.conf.j2 index 7fd172960..66af2cf28 100644 --- a/roles/rsyslog/templates/sc_ruleset.conf.j2 +++ b/roles/rsyslog/templates/sc_ruleset.conf.j2 
@@ -4,23 +4,24 @@ $RuleSet {{ item.name }} :programname, isequal, "Apache-EB" { action(type="omfile" DynaFile="apache-eb-{{ item.name }}") stop } :programname, isequal, "EBAUTH" { action(type="omfile" DynaFile="ebauth-{{ item.name }}") stop } :programname, isequal, "haproxy" { action(type="omfile" DynaFile="haproxy-{{ item.name }}") stop } -:programname, isequal, "aa" { action(type="omfile" DynaFile="aa-{{ item.name }}") stop } -:programname, isequal, "Apache-AA" { action(type="omfile" DynaFile="apache-aa-{{ item.name }}") stop } -:programname, isequal, "Apache-AAlink" { action(type="omfile" DynaFile="apache-aalink-{{ item.name }}") stop } +:programname, isequal, "aaserver" { action(type="omfile" DynaFile="aa-{{ item.name }}") stop } +:programname, isequal, "aagui" { action(type="omfile" DynaFile="apache-aa-{{ item.name }}") stop } +:programname, isequal, "aalink" { action(type="omfile" DynaFile="apache-aa-{{ item.name }}") stop } :programname, isequal, "dashboardgui" { action(type="omfile" DynaFile="apache-dashboard-{{ item.name }}") stop } :programname, isequal, "dashboardserver" { action(type="omfile" DynaFile="dashboard-{{ item.name }}") stop } :programname, isequal, "Apache-EBAPI" { action(type="omfile" DynaFile="apache-eb-api-{{ item.name }}") stop } :programname, isequal, "manage" { action(type="omfile" DynaFile="manage-{{ item.name }}") stop } :programname, isequal, "Apache-Manage" { action(type="omfile" DynaFile="apache-manage-{{ item.name }}") stop } -:programname, isequal, "PDPMAIN" { action(type="omfile" DynaFile="pdp-{{ item.name }}") stop } :programname, isequal, "PDPANALYTICS" { action(type="omfile" DynaFile="pdpanalytics-{{ item.name }}") stop } -:programname, isequal, "Apache-PDP" { action(type="omfile" DynaFile="apache-pdp-{{ item.name }}") stop } -:programname, isequal, "openconext-profile" { action(type="omfile" DynaFile="profile-{{ item.name }}") stop } -:programname, isequal, "Apache-PROFILE" { action(type="omfile" DynaFile="apache-profile-{{ 
item.name }}") stop } +:programname, isequal, "pdpserver" { action(type="omfile" DynaFile="pdp-{{ item.name }}") stop } +:programname, isequal, "pdpgui" { action(type="omfile" DynaFile="apache-pdp-{{ item.name }}") stop } +if $programname == "profile" and $msg startswith " {" then { action(type="omfile" DynaFile="profile-{{ item.name }}") stop } +:programname, isequal, "profile" { action(type="omfile" DynaFile="apache-profile-{{ item.name }}") stop } :programname, isequal, "teams" { action(type="omfile" DynaFile="teams-{{ item.name }}") stop } :programname, isequal, "Apache-teams" { action(type="omfile" DynaFile="apache-teams-{{ item.name }}") stop } -:programname, isequal, "VOOTMAIN" { action(type="omfile" DynaFile="voot-{{ item.name }}") stop } -:programname, isequal, "Apache-VOOT" { action(type="omfile" DynaFile="apache-voot-{{ item.name }}") stop } +:programname, isequal, "teamsserver" { action(type="omfile" DynaFile="teams-{{ item.name }}") stop } +:programname, isequal, "teamsgui" { action(type="omfile" DynaFile="apache-teams-{{ item.name }}") stop } +:programname, isequal, "vootserver" { action(type="omfile" DynaFile="voot-{{ item.name }}") stop } :programname, isequal, "mariadbd" { action(type="omfile" DynaFile="galera-{{ item.name }}") stop } :programname, isequal, "garb-systemd" { action(type="omfile" DynaFile="haproxy-{{ item.name }}") stop } :programname, isequal, "Keepalived_vrrp" { action(type="omfile" DynaFile="keepalived-{{ item.name }}") stop } 
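Review bot: `aalink` is now routed to `DynaFile="apache-aa-{{ item.name }}"`, the same file as `aagui`, whereas the removed `Apache-AAlink` rule kept a separate `apache-aalink-{{ item.name }}` file; merging two front ends into one log loses the originating component, which matters when reconstructing an incident from access logs. If the merge is intended, a comment saying so would help; otherwise restore `DynaFile="apache-aalink-{{ item.name }}"`. The new `profile` rule pair relies on the application's JSON lines starting with ` {` to separate them from the Apache lines that share the same program name, which deserves a comment, since a change in the log format silently sends both streams to the `apache-profile-` file.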
@@ -44,6 +45,9 @@ $RuleSet {{ item.name }}
 :programname, startswith, "inviteprovisioningmock" { action(type="omfile" DynaFile="inviteprovisioningmock-{{ item.name }}") stop }
 :programname, startswith, "loadbalancer" { action(type="omfile" DynaFile="loadbalancer-{{ item.name }}") stop }
 
+if $programname == "gateway" and $msg startswith ' {"message":"Second Factor Authenticated"' then { action(type="omfile" DynaFile="stepup-authentication-{{ item.name }}") stop }
+if $programname == "gateway" and $msg startswith ' {"message":"Intrinsic Loa Requested"' then { action(type="omfile" DynaFile="stepup-authentication-{{ item.name }}") stop }
+
 {% for stepupapp in stepupapps %}
 :programname, isequal, "stepup-{{ stepupapp }}" { action(type="omfile" DynaFile="stepup-{{ stepupapp }}-{{item.name }}") stop }
 :programname, isequal, "Apache-{{ stepupapp }}" { action(type="omfile" DynaFile="apache-{{ stepupapp }}-{{item.name }}") stop }
From a54fce099187d01449d307f5bb7daf9da893e424 Mon Sep 17 00:00:00 2001
From: Okke Harsta
Date: Wed, 29 May 2024 15:53:32 +0200
Subject: [PATCH 091/114] Refactored API security

---
 environments/template/secrets/skeleton.yml | 10 ++--
 environments/vm/secrets/vm.yml | 10 ++--
 .../invite/templates/serverapplication.yml.j2 | 48 +++++++++++--------
 3 files changed, 39 insertions(+), 29 deletions(-)

diff --git a/environments/template/secrets/skeleton.yml b/environments/template/secrets/skeleton.yml
index de77619b9..0467a8500 100644
--- a/environments/template/secrets/skeleton.yml
+++ b/environments/template/secrets/skeleton.yml
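Review bot: The two `gateway` rules select authentication audit events by a literal prefix of the JSON payload (`' {"message":"Second Factor Authenticated"'`), so any change in the gateway's log layout (leading space, key order, message wording) silently stops routing those events to `stepup-authentication-{{ item.name }}` and nothing reports it. These are exactly the records an investigator looks for after a second-factor login, so a comment is warranted, e.g. `# stepup-gateway audit events; the prefix must match the gateway's JSON log layout byte for byte`, plus some check that the file keeps growing. Matching with `$msg contains '"message":"Second Factor Authenticated"'` instead of `startswith` would make the leading space and field order irrelevant; rsyslog accepts both operators in this filter form.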
@@ -142,12 +142,12 @@ myconext_private_key: |
 
 invite_oidc_secret: secretsecret
 invite_rs_secret: secretsecret
-invite_voot_secret: secret
-invite_teams_secret: secret
-invite_attribute_aggregation_secret: secret
+invite_voot_secret: "{noop}secret"
+invite_teams_secret: "{noop}secret"
+invite_attribute_aggregation_secret: "{noop}secret"
 invite_manage_secret: secret
-invite_lifecycle_secret: secret
-invite_profile_secret: secret
+invite_lifecycle_secret: "{noop}secret"
+invite_profile_secret: "{noop}secret"
 invite_private_key_pkcs8: |
 -----BEGIN PRIVATE KEY-----
 MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCfpYYMgKYDICkp
diff --git a/environments/vm/secrets/vm.yml b/environments/vm/secrets/vm.yml
index be964a68f..079f57599 100644
--- a/environments/vm/secrets/vm.yml
+++ b/environments/vm/secrets/vm.yml
@@ -289,12 +289,12 @@ myconext_private_key: |
 
 invite_oidc_secret: secretsecret
 invite_rs_secret: secretsecret
-invite_voot_secret: secret
-invite_teams_secret: secret
-invite_attribute_aggregation_secret: secret
+invite_voot_secret: "{noop}secret"
+invite_teams_secret: "{noop}secret"
+invite_attribute_aggregation_secret: "{noop}secret"
 invite_manage_secret: secret
-invite_lifecycle_secret: secret
-invite_profile_secret: secret
+invite_lifecycle_secret: "{noop}secret"
+invite_profile_secret: "{noop}secret"
 invite_private_key_pkcs8: |
 -----BEGIN PRIVATE KEY-----
 MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCfpYYMgKYDICkp
diff --git a/roles/invite/templates/serverapplication.yml.j2 b/roles/invite/templates/serverapplication.yml.j2
index ce2a92ba9..9b117bd92 100644
--- a/roles/invite/templates/serverapplication.yml.j2
+++ b/roles/invite/templates/serverapplication.yml.j2
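Review bot: The `{noop}` prefix added to `invite_voot_secret` and the four other values is a password-encoder id, not part of the secret, so this secrets file now carries an application-specific storage format while `invite_manage_secret` two lines down stays without it; a comment should say why, e.g. `# {noop} marks the value as stored unencoded; the invite server expects the encoder-id prefix`. If the invite server does use Spring's delegating encoder (the prefix syntax suggests it, but it is not visible here), the vault could hold a `{bcrypt}` hash of each password instead of the cleartext, which would keep the plain secret out of this file and out of the rendered application.yml entirely. The identical hunk in environments/vm/secrets/vm.yml has the same shape and would take the same comment.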
@@ -112,28 +112,38 @@ config:
 past-date-allowed: {{ invite.past_date_allowed }}
 eduid-idp-schac-home-organization: {{ invite.eduid_idp_schac_home_organization }}
 
+# We don't encode in-memory passwords, so we need to prefix them with {noop}
+external-api-configuration:
+ remote-users:
+ -
+ username: {{ invite.vootuser }}
+ password: "{{ invite.vootsecret }}"
+ scopes:
+ - voot
+ -
+ username: {{ invite.teamsuser}}
+ password: "{{ invite.teamssecret }}"
+ scopes:
+ - teams
+ -
+ username: {{ aa.invite_username }}
+ password: "{{ invite_attribute_aggregation_secret }}"
+ scopes:
+ - attribute_aggregation
+ -
+ username: {{ invite.lifecycle_user }}
+ password: "{{ invite.lifecycle_secret }}"
+ scopes:
+ - lifecycle
+ -
+ username: {{ invite.profile_user }}
+ password: "{{ invite.profile_secret }}"
+ scopes:
+ - profile
+
 voot:
- user: {{ invite.vootuser }}
- password: {{ invite.vootsecret }}
 group_urn_domain: "{{ invite.group_urn_domain }}"
 
-teams:
- user: {{ invite.teamsuser}}
- password: {{ invite.teamssecret }}
- group-name-context: "{{ invite.group_name_context }}"
-
-attribute-aggregation:
- user: {{ aa.invite_username }}
- password: "{{ invite_attribute_aggregation_secret }}"
-
-lifecycle:
- user: {{ invite.lifecycle_user }}
- password: {{ invite.lifecycle_secret }}
-
-profile:
- user: {{ invite.profile_user }}
- password: {{ invite.profile_secret }}
-
 email:
 from: "{{ noreply_email }}"
 contactEmail: "{{ support_email }}"
From 843c19739c9de28c0f47b7272c73fc6e728594e9 Mon Sep 17 00:00:00 2001
From: Bart Geesink
Date: Wed, 29 May 2024 16:16:35 +0200
Subject: [PATCH 092/114] Remove imjournal plugin when only forwarding.

On our Debian hosts, journald automatically forwards to rsyslog. With the imjournal plugin present log entries would be duplicated in the logs
---
 roles/rsyslog/templates/rsyslog_onlyforward.conf.j2 | 5 -----
 1 file changed, 5 deletions(-)

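Review bot: The removed `teams:` section carried `group-name-context: "{{ invite.group_name_context }}"` and nothing in the new `external-api-configuration` block takes it over, so if the invite server still reads `teams.group-name-context` that setting is silently lost; this looks like a refactoring slip rather than a deliberate removal and should be confirmed against the application. Minor: `{{ invite.teamsuser}}` lacks the space before `}}` that every other interpolation in the hunk has. Each remote user gets a single-element `scopes` list, which reads as deliberate least-privilege per caller and could be stated in the comment above the block, e.g. `# one remote user per calling system, each limited to the single API scope it needs`.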
diff --git a/roles/rsyslog/templates/rsyslog_onlyforward.conf.j2 b/roles/rsyslog/templates/rsyslog_onlyforward.conf.j2
index de99bdcc3..c2235025e 100644
--- a/roles/rsyslog/templates/rsyslog_onlyforward.conf.j2
+++ b/roles/rsyslog/templates/rsyslog_onlyforward.conf.j2
@@ -2,11 +2,6 @@
 module(load="imuxsock")
 module(load="imklog") # provides kernel logging support
 module(load="immark" interval="600" ) # provides --MARK-- message capability
-module(load="imjournal"
- PersistStateInterval="100"
- StateFile="/var/spool/rsyslog/imjournal.state"
- ratelimit.interval="30"
- ratelimit.burst="20000" ) # Reads journald logs
 
 $PreserveFQDN on
 
From 4ac89e25e95d327d9d4ffc376cd0db73d187aa40 Mon Sep 17 00:00:00 2001
From: Peter Havekes
Date: Thu, 30 May 2024 14:50:41 +0200
Subject: [PATCH 093/114] Add brin-code to IdP's in manage

---
 .../metadata_configuration/saml20_idp.schema.json.j2 | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/roles/manage-server/templates/metadata_configuration/saml20_idp.schema.json.j2 b/roles/manage-server/templates/metadata_configuration/saml20_idp.schema.json.j2
index 54410464d..538d8431e 100644
--- a/roles/manage-server/templates/metadata_configuration/saml20_idp.schema.json.j2
+++ b/roles/manage-server/templates/metadata_configuration/saml20_idp.schema.json.j2
@@ -312,6 +312,11 @@
 "type": "string",
 "info": "The defined client code. Generally an abbreviation of the name of the client."
 },
+ "coin:institution_brin": {
+ "type": "string",
+ "format": "brin",
+ "info": "Official BRIN code as assigned to this IdP's institution by Dienst uitvoering Onderwijs (DUO)."
+ },
 "coin:institution_guid": {
 "type": "string",
 "format": "uuid",
From 206f8f75902ffc0a1ed63c49ac74079bfdb99acc Mon Sep 17 00:00:00 2001
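Review bot: `"format": "brin"` on the new `coin:institution_brin` field only constrains input if Manage registers a `brin` format validator the way it evidently does for the `uuid` format used by `coin:institution_guid` two lines below; if no such validator exists the field accepts free text and the `info` line should at least say what a valid BRIN looks like so operators can check it by eye. A short note in the commit body naming where that validator lives would make this verifiable, since the schema file alone cannot show it.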
From: Okke Harsta
Date: Tue, 4 Jun 2024 13:29:52 +0200
Subject: [PATCH 094/114] Feature toggle feature_remote_creation_api

---
 environments/template/group_vars/template.yml | 3 ++-
 environments/vm/group_vars/vm.yml | 3 ++-
 roles/myconext/templates/application.yml.j2 | 16 ++++++----------
 3 files changed, 10 insertions(+), 12 deletions(-)

diff --git a/environments/template/group_vars/template.yml b/environments/template/group_vars/template.yml
index 33193737c..c1f0c7bf2 100644
--- a/environments/template/group_vars/template.yml
+++ b/environments/template/group_vars/template.yml
@@ -414,7 +414,8 @@ myconext:
 feature_webauthn: false
 feature_warning_educational_email_domain: false
 feature_show_connections: false
- feature_use_external_validation: false
+ feature_id_verify: true
+ feature_remote_creation_api: true
 feature_deny_disposable_email_providers: true
 feature_create_eduid_institution_enabled: true
 feature_create_eduid_institution_landing: true
diff --git a/environments/vm/group_vars/vm.yml b/environments/vm/group_vars/vm.yml
index 8b50798f5..86a2e6e6f 100644
--- a/environments/vm/group_vars/vm.yml
+++ b/environments/vm/group_vars/vm.yml
@@ -302,7 +302,8 @@ myconext:
 verify_base_uri: "https://validate.test.eduid.nl"
 feature_webauthn: false
 feature_warning_educational_email_domain: false
- feature_use_external_validation: false
+ feature_id_verify: true
+ feature_remote_creation_api: true
 feature_deny_disposable_email_providers: true
 feature_create_eduid_institution_enabled: true
 feature_create_eduid_institution_landing: true
diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2
index b3e28b574..cca16c2ed 100644
--- a/roles/myconext/templates/application.yml.j2
+++ b/roles/myconext/templates/application.yml.j2
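Review bot: `feature_remote_creation_api: true` lands in environments/template/group_vars/template.yml, the skeleton every new environment is copied from, so an API that creates accounts on behalf of a remote party is switched on unless an environment remembers to override it; the safer template default is `feature_remote_creation_api: false`, with `true` kept in vm.yml where it is exercised. `feature_id_verify: true` is a different case, since the application template it replaces had `id_verify: True` hard-coded, so that line changes nothing for existing deployments. The vm.yml hunk in this commit mirrors both lines and would follow the same split.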
@@ -51,19 +51,14 @@ schac_home_organization: eduid.nl
 cron:
 node-cron-job-responsible: {{ myconext_cronjobmaster }}
 token-cleaner-expression: "0 0/15 * * * *"
- service-name-resolver-initial-delay-milliseconds: 120_000
- service-name-resolver-fixed-rate-milliseconds: 43_200_000
- metadata-resolver-initial-delay-milliseconds: 1
- metadata-resolver-fixed-rate-milliseconds: 86_400_000
- metadata-resolver-url: "https://metadata.surfconext.nl/idps-metadata.xml"
+ manage-initial-delay-milliseconds: 15000
+ manage-fixed-rate-milliseconds: 43_200_000
 
 manage:
 username: myconext
 password: "{{ manage_myconext_secret }}"
 base_url: "https://manage.{{ base_domain }}"
 enabled: True
- # Can also be a https url
- fallback_url: "classpath:metadata/sp-names.json"
 
 base_domain: {{ myconext_base_domain }}
 saml_metadata_base_path: https://login.{{ myconext_base_domain }}
@@ -87,8 +82,6 @@ feature:
 webauthn: {{ myconext.feature_webauthn }}
 warning_educational_email_domain: {{ myconext.feature_warning_educational_email_domain }}
 connections: {{ myconext.feature_show_connections }}
- # Do we allow the account linking to take place with the accounting IdP, e.g. add extra button in IdP link screen
- use_external_validation: {{ myconext.feature_use_external_validation }}
 # Do we deny emails that are known Disposable Email Providers
 deny_disposable_email_providers: {{ myconext.feature_deny_disposable_email_providers }}
 use_deny_allow_list:
@@ -103,7 +96,10 @@ feature:
 # Does the SAMLIdpService expects authn requests to be signed
 requires_signed_authn_request: False
 # Do we support ID verify
- id_verify: True
+ id_verify: {{ myconext.feature_id_verify}}
+ # Do we support the remote creation API (e.g. for studielink)
+ remote_creation_api: {{ myconext.feature_remote_creation_api }}
+
 secure_cookie: true
 
 idp_entity_id: https://login.{{ myconext_base_domain }}
From 97b18ec803b0cc922ffc9d72c01296f19a980d64 Mon Sep 17 00:00:00 2001
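Review bot: `manage-initial-delay-milliseconds: 15000` sits directly above `manage-fixed-rate-milliseconds: 43_200_000`, so the two new cron values use different digit grouping; `manage-initial-delay-milliseconds: 15_000` keeps the style of the neighbouring line and of the values this hunk removes. A one-line comment saying what the Manage job does on that schedule, in the style of the comments elsewhere in this file, would also help, since the removed metadata-resolver keys had their purpose in their names and the new ones do not.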
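Review bot: `id_verify: {{ myconext.feature_id_verify}}` in the third hunk is missing the space before `}}` that the `remote_creation_api` line right below it has; it renders the same but is inconsistent, so `id_verify: {{ myconext.feature_id_verify }}`. The comment on the new toggle could also point at where the value is set, e.g. `# Do we support the remote creation API (e.g. for studielink); controlled per environment via myconext.feature_remote_creation_api`.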
From: Okke Harsta
Date: Wed, 5 Jun 2024 08:56:41 +0200
Subject: [PATCH 095/114] Use institutionGUID for remote API users in myconext

---
 roles/myconext/templates/application.yml.j2 | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2
index cca16c2ed..d1e57a537 100644
--- a/roles/myconext/templates/application.yml.j2
+++ b/roles/myconext/templates/application.yml.j2
@@ -139,11 +139,9 @@ external-api-configuration:
 password: "{{ myconext_api_studielink_password }}"
 scopes:
 - remote-creation
- rp_client_id: rp.studielink.nl
+ institutionGUID: ec9d6d75-0d11-e511-80d0-005056956c1a
 schac_home: studielink.nl
 
-
-
 oidc-token-api:
 token-url: https://connect.{{ base_domain }}/tokens
 user: eduid
From cd521c1131a01042fc843561b97a1200985061d4 Mon Sep 17 00:00:00 2001
From: Okke Harsta
Date: Wed, 5 Jun 2024 11:59:08 +0200
Subject: [PATCH 096/114] Show details for health endpoint

---
 roles/myconext/templates/application.yml.j2 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2
index d1e57a537..a6bae43a5 100644
--- a/roles/myconext/templates/application.yml.j2
+++ b/roles/myconext/templates/application.yml.j2
@@ -211,6 +211,7 @@ management:
 health:
 mail:
 enabled: true
+ show-details: always
 info:
 enabled: true
 git:
From d2700e89dd965b87edad90a0205e580ad4b788bb Mon Sep 17 00:00:00 2001
From: Okke Harsta
Date: Fri, 7 Jun 2024 12:47:31 +0200
Subject: [PATCH 097/114] Added boolean metadata field to disable state decoding

---
 .../metadata_configuration/oidc10_rp.schema.json.j2 | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/roles/manage-server/templates/metadata_configuration/oidc10_rp.schema.json.j2 b/roles/manage-server/templates/metadata_configuration/oidc10_rp.schema.json.j2
index 1d0f59fb0..d4282609f 100644
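Review bot: `institutionGUID: ec9d6d75-0d11-e511-80d0-005056956c1a` is a literal inside a Jinja template that is rendered for every environment, so test and production deployments end up with the same institution GUID for the studielink remote user; the password on the line above already comes from a variable (`myconext_api_studielink_password`) and the GUID belongs in one too, e.g. `institutionGUID: {{ <per-environment variable, to be named> }}`. If the value really is the same everywhere, a comment on the line saying so would spare the next reader the question.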
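Review bot: `show-details: always` is added next to `mail:` under `management.health`, but the Spring Boot property that controls health output is `management.endpoint.health.show-details`; unless the indentation (not visible in this diff) places it under an `endpoint:` key, the line has no effect and the commit title is not delivered. If it is moved to the correct key it exposes component-level status (database, mail) to anyone who can reach the health endpoint, so it should only be set where that path is not reachable unauthenticated; `show-details: when-authorized` is the safer value when the endpoint is secured. A comment such as `# component status is shown to every caller; keep the actuator path behind the proxy/firewall` would record the decision either way.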
--- a/roles/manage-server/templates/metadata_configuration/oidc10_rp.schema.json.j2
+++ b/roles/manage-server/templates/metadata_configuration/oidc10_rp.schema.json.j2
@@ -308,6 +308,11 @@
 "format": "url",
 "info": "Enter the URL that is allowed to use for this RP to host a JWT containing request parameters (when doing a request using a signed jwt)."
 },
+ "oidc:state_parameter_decoding_disabled": {
+ "type": "boolean",
+ "info": "Select this option to disbale the default decoding of the state parameter in the authorization request.",
+ "default": false
+ },
 "logo:0:url": {
 "type": "string",
 "format": "url",
From 943197613f207a97851f4a853cbdf7721afde06e Mon Sep 17 00:00:00 2001
From: Okke Harsta
Date: Fri, 7 Jun 2024 12:51:52 +0200
Subject: [PATCH 098/114] Typo

---
 .../templates/metadata_configuration/oidc10_rp.schema.json.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/manage-server/templates/metadata_configuration/oidc10_rp.schema.json.j2 b/roles/manage-server/templates/metadata_configuration/oidc10_rp.schema.json.j2
index d4282609f..869f3d892 100644
--- a/roles/manage-server/templates/metadata_configuration/oidc10_rp.schema.json.j2
+++ b/roles/manage-server/templates/metadata_configuration/oidc10_rp.schema.json.j2
@@ -310,7 +310,7 @@
 },
 "oidc:state_parameter_decoding_disabled": {
 "type": "boolean",
- "info": "Select this option to disbale the default decoding of the state parameter in the authorization request.",
+ "info": "Select this option to disable the default decoding of the state parameter in the authorization request.",
 "default": false
 },
 "logo:0:url": {
From a9ddd290223cb7665e0e8fef86f91b1767d2111b Mon Sep 17 00:00:00 2001
From: Okke Harsta
Date: Fri, 7 Jun 2024 13:57:20 +0200
Subject: [PATCH 099/114] Enclose {noop}secret passwords

---
 roles/oidcng/templates/application.yml.j2 | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/roles/oidcng/templates/application.yml.j2 b/roles/oidcng/templates/application.yml.j2
index 24a4b068c..56276bd6f 100644
--- a/roles/oidcng/templates/application.yml.j2
+++ b/roles/oidcng/templates/application.yml.j2
@@ -74,18 +74,18 @@ spring:
 
 manage:
 user: manage
- password: {{ oidcng_api_metadata_push_password }}
+ password: "{{ oidcng_api_metadata_push_password }}"
 
 token-api:
 enabled: {{ oidcng.token_api_enabled }}
 users:
 - user: eduid
- password: {{ oidcng_api_tokens_eduid_password }}
+ password: "{{ oidcng_api_tokens_eduid_password }}"
 - user: profile
- password: {{ oidcng_api_tokens_profile_password }}
+ password: "{{ oidcng_api_tokens_profile_password }}"
 
 eduid:
 user: oidcng
- password: {{ myconext_api_attribute_manipulation_password }}
- uri: https://login.{{ myconext_base_domain }}/myconext/api/attribute-manipulation
+ password: "{{ myconext_api_attribute_manipulation_password }}"
+ uri: "https://login.{{ myconext_base_domain }}/myconext/api/attribute-manipulation"
 enabled: {{ oidcng.eduid_attribute_manipulation_enabled }}
From fded101cf6abe8b53b256411215fba898babd820 Mon Sep 17 00:00:00 2001
From: Okke Harsta
Date: Fri, 7 Jun 2024 14:00:02 +0200
Subject: [PATCH 100/114] Enclose {noop}secret passwords

---
 .../templates/serverapplication.yml.j2 | 2 +-
 roles/invite/templates/mockapplication.yml.j2 | 2 +-
 roles/manage-server/templates/application.yml.j2 | 8 ++++----
 roles/myconext/templates/application.yml.j2 | 2 +-
 roles/teams/templates/serverapplication.yml.j2 | 4 ++--
 5 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/roles/attribute-aggregation/templates/serverapplication.yml.j2 b/roles/attribute-aggregation/templates/serverapplication.yml.j2
index 5b3138cad..7929fab4b 100644
--- a/roles/attribute-aggregation/templates/serverapplication.yml.j2
+++ b/roles/attribute-aggregation/templates/serverapplication.yml.j2
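Review bot: Wrapping the values as `"{{ oidcng_api_metadata_push_password }}"` keeps a `{noop}`-prefixed secret from being parsed as a YAML mapping, but it still injects the secret verbatim into a double-quoted scalar, so a password containing `"` or `\` produces an unparsable file or a truncated credential; `password: {{ oidcng_api_metadata_push_password | to_json }}` renders a correctly escaped quoted string for any value. The same pattern is repeated on every password line of the attribute-aggregation, invite, manage-server, myconext and teams hunks in the following commit and in the invite `external-api-configuration` block earlier in this series, so it is worth fixing once across all of them. The `uri:` line is fine either way, since its only interpolated part is a domain name.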
@@ -34,7 +34,7 @@ security:
 api:
 lifecycle:
 username: {{ attribute_aggregator_api_lifecycle_username }}
- password: {{ attribute_aggregator_api_lifecycle_password }}
+ password: "{{ attribute_aggregator_api_lifecycle_password }}"
 
 pseudo:
 mail_postfix: {{ attribute_aggregation_pseudo_mail_postfix }}
diff --git a/roles/invite/templates/mockapplication.yml.j2 b/roles/invite/templates/mockapplication.yml.j2
index fe1e6c390..621fffe8b 100644
--- a/roles/invite/templates/mockapplication.yml.j2
+++ b/roles/invite/templates/mockapplication.yml.j2
@@ -18,7 +18,7 @@ spring:
 driver-class-name: com.mysql.cj.jdbc.Driver
 url: jdbc:mysql://{{ invite.db_host }}/invite
 username: {{ invite.db_user }}
- password: {{ invite.db_secret }}
+ password: "{{ invite.db_secret }}"
 
 server:
 port: 8081
diff --git a/roles/manage-server/templates/application.yml.j2 b/roles/manage-server/templates/application.yml.j2
index 7150ce8a1..ac754edcd 100644
--- a/roles/manage-server/templates/application.yml.j2
+++ b/roles/manage-server/templates/application.yml.j2
@@ -39,7 +39,7 @@ push:
 url: https://connect.{{ base_domain }}/manage/connections
 user: manage
 name: {{ manage.oidcng_name }}
- password: {{ oidcng_api_metadata_push_password }}
+ password: "{{ oidcng_api_metadata_push_password }}"
 enabled: {{ manage.oidc_push_enabled }}
 pdp:
 url: https://pdp.{{ base_domain }}/pdp/api/manage/push
@@ -47,7 +47,7 @@ push:
 decide_url: https://pdp.{{ base_domain }}/pdp/api/manage/decide
 name: {{ manage.pdp_name }}
 user: {{ pdp.username }}
- password: {{ pdp.password }}
+ password: "{{ pdp.password }}"
 
 product:
 name: Manage
@@ -61,7 +61,7 @@ metadata_templates_path: file://{{ manage_dir }}/metadata_templates
 
 security:
 backdoor_user_name: {{ manage.backdoor_api_user }}
- backdoor_password: {{ manage_backdoor_api_password }}
+ backdoor_password: "{{ manage_backdoor_api_password }}"
 api_users_config_path: file://{{ manage_dir }}/manage-api-users.yml
 super_user_team_names: {{ manage.super_user_team_names }}
 
@@ -79,7 +79,7 @@ spring:
 datasource:
 url: jdbc:mysql://{{ pdp.db_host }}/{{ pdp.db_name }}?permitMysqlScheme
 username: {{ pdp.db_user }}
- password: {{ pdp.db_password }}
+ password: "{{ pdp.db_password }}"
 driverClassName: org.mariadb.jdbc.Driver
 main:
 banner-mode: "off"
diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2
index a6bae43a5..b7dbc4f22 100644
--- a/roles/myconext/templates/application.yml.j2
+++ b/roles/myconext/templates/application.yml.j2
@@ -145,7 +145,7 @@ external-api-configuration:
 oidc-token-api:
 token-url: https://connect.{{ base_domain }}/tokens
 user: eduid
- password: {{ oidcng_api_tokens_eduid_password }}
+ password: "{{ oidcng_api_tokens_eduid_password }}"
 enabled: {{ oidcng.token_api_enabled }}
 
 oidc:
diff --git a/roles/teams/templates/serverapplication.yml.j2 b/roles/teams/templates/serverapplication.yml.j2
index 097ad4024..555b5343b 100644
--- a/roles/teams/templates/serverapplication.yml.j2
+++ b/roles/teams/templates/serverapplication.yml.j2
@@ -7,7 +7,7 @@ logging:
 api:
 lifecycle:
 username: {{ teams_api_lifecycle_username }}
- password: {{ teams_api_lifecycle_password }}
+ password: "{{ teams_api_lifecycle_password }}"
 
 secure_cookie: true
 
@@ -41,7 +41,7 @@ features:
 security:
 user:
 name: {{ teams.voot_api_user }}
- password: {{ external_group_provider_secrets.teams }}
+ password: "{{ external_group_provider_secrets.teams }}"
 sp_dashboard:
 user-name: {{ teams.spdashboard_api_user }}
 
From ff4041dba064d20d93e37ac0db7a1d092024bbad Mon Sep 17 00:00:00 2001
From: Bart Geesink
Date: Fri, 14 Jun 2024 15:48:32 +0200
Subject: [PATCH 101/114] Haproxy: Add redirect urls to the list of allowed vhosts

---
 roles/haproxy/templates/validvhostsunrestricted.acl.j2 | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/roles/haproxy/templates/validvhostsunrestricted.acl.j2 b/roles/haproxy/templates/validvhostsunrestricted.acl.j2
index 14e2d555f..252319f8d 100644
--- a/roles/haproxy/templates/validvhostsunrestricted.acl.j2
+++ b/roles/haproxy/templates/validvhostsunrestricted.acl.j2
@@ -7,7 +7,8 @@
 {% for application in haproxy_redirects %}
 {%if application.hostname is defined %}
 {{ application.hostname }}
-{% endif %}
+{% else %}
 {{ application.url }}
+{% endif %}
 {% endfor %}
 {% endif %}
From 946e739aa866593623feb302d29dacfdceed5ee1 Mon Sep 17 00:00:00 2001
From: Bart Geesink
Date: Fri, 14 Jun 2024 15:49:29 +0200
Subject: [PATCH 102/114] OIDCNG: Bigger Header limit to allow large accesstokens to be POSTED

---
 roles/oidcng/templates/oidcng.conf.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/oidcng/templates/oidcng.conf.j2 b/roles/oidcng/templates/oidcng.conf.j2
index e054d7958..40b7cfad8 100644
--- a/roles/oidcng/templates/oidcng.conf.j2
+++ b/roles/oidcng/templates/oidcng.conf.j2
@@ -9,7 +9,7 @@ Listen {{ apache_app_listen_address.oidcng }}:{{ loadbalancing.oidcng.port }}
 
 ErrorLog "|/usr/bin/logger -S 32k -p local3.err -t 'Apache-oidcng'"
 CustomLog "|/usr/bin/logger -S 32k -p local3.info -t 'Apache-oidcng'" combined
-
+ LimitRequestFieldSize 16384
 ProxyPass /.well-known/openid-configuration http://localhost:{{ springapp_tcpport}}/oidc/.well-known/openid-configuration retry=0
 ProxyPass /actuator http://localhost:{{ springapp_tcpport}}/internal retry=0
 
From 4a1cf48325927d62b9ab26104c4ddd8399594b35 Mon Sep 17 00:00:00 2001
From: Bart Geesink
Date: Fri, 14 Jun 2024 15:50:12 +0200
Subject: [PATCH 103/114] Main playbook: Add extra tag to aa role

---
 provision.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/provision.yml b/provision.yml
index 9d5ff248c..357d54136 100644
--- a/provision.yml
+++ b/provision.yml
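Review bot: With the new `{% else %}` the entry falls back to `{{ application.url }}` when `hostname` is undefined, but this file is the list of vhosts HAProxy accepts, matched against the Host header, so the fallback only works if `url` holds a bare hostname; a value such as `https://example.org/path` (constructed example) would be written into the ACL and never match anything. Either document that `haproxy_redirects[].url` must be a hostname, or extract the host before writing it, e.g. `{{ application.url | urlsplit('hostname') }}`. If every redirect entry already defines `hostname`, the `else` branch is dead code and the hunk is harmless but misleading.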
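Review bot: `LimitRequestFieldSize 16384` raises Apache's limit on a single header field, yet the commit title talks about tokens being POSTed — if the access token travels in the request body this directive does not apply at all (that is `LimitRequestBody`), and if it travels in the `Authorization` header, the Spring Boot backend behind the `ProxyPass` lines has its own default header limit (`server.max-http-header-size`, 8 KB) that must be raised as well or the request is rejected one hop later. A comment on the line stating which case it covers, e.g. `# large bearer tokens in Authorization headers; backend header limit raised to match`, would make the intent checkable. The enclosing VirtualHost block starts and ends outside the hunk.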
@@ -177,7 +177,7 @@
 - { role: teams, tags: ["teams"] }
 - { role: pdp, tags: ["pdp"] }
 - { role: voot, tags: ["voot"] }
- - { role: attribute-aggregation, tags: ["aa"] }
+ - { role: attribute-aggregation, tags: ["aa", "attribute-aggregation"] }
 - { role: mujina-idp, tags: ["mujina-idp"] }
 - { role: oidc-playground, tags: ["oidc-playground"] }
 - { role: myconext, tags: ["myconext"] }
From 1250c4ae5b4aea439b9175c4bd55a6829e6d7db7 Mon Sep 17 00:00:00 2001
From: Bart Geesink
Date: Mon, 17 Jun 2024 13:55:03 +0200
Subject: [PATCH 104/114] Stats: Use correct domain in the Traefik docker label

---
 roles/stats/defaults/main.yml | 1 +
 roles/stats/tasks/main.yml | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/roles/stats/defaults/main.yml b/roles/stats/defaults/main.yml
index 9bdfb26b5..9822b2a2c 100644
--- a/roles/stats/defaults/main.yml
+++ b/roles/stats/defaults/main.yml
@@ -5,3 +5,4 @@ stats_manage_api_user: stats
 stats_base_domain: stats.{{ base_domain }}
 stats_oidc_metadata_url: "https://connect.{{ base_domain }}/.well-known/openid-configuration"
 stats_oidc_client_id: "stats.{{ base_domain }}"
+stats_domain: "stats.{{ base_domain }}"
diff --git a/roles/stats/tasks/main.yml b/roles/stats/tasks/main.yml
index 816654491..9a5d5d965 100644
--- a/roles/stats/tasks/main.yml
+++ b/roles/stats/tasks/main.yml
@@ -54,7 +54,7 @@
 restart_policy: "always"
 state: started
 labels:
- traefik.http.routers.statsgui.rule: "Host(`stats.{{ base_domain }}`)"
+ traefik.http.routers.statsgui.rule: "Host(`{{ stats_domain }}`)"
 traefik.http.routers.statsgui.tls: "true"
 traefik.enable: "true"
 networks:
From 80dbc8fbbff891a3423e11253376b4ddb7e14f3f Mon Sep 17 00:00:00 2001
From: Bart Geesink
Date: Mon, 17 Jun 2024 14:02:07 +0200
Subject: [PATCH 105/114] Maven artifact is in ansible itself

---
 library/maven_artifact.py | 364 --------------------------------------
 1 file changed, 364 deletions(-)
 delete mode 100644 library/maven_artifact.py

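Review bot: `stats_domain: "stats.{{ base_domain }}"` is added two lines below `stats_base_domain: stats.{{ base_domain }}`, which already holds the same value, so the role now has two variables that can silently drift apart; the Traefik label in tasks/main.yml could use `stats_base_domain` directly, or the new line could be `stats_domain: "{{ stats_base_domain }}"` so there is a single place to change. If the two are meant to diverge (one for the OIDC client id, one for routing), a comment on each saying which consumer reads it is needed.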
diff --git a/library/maven_artifact.py b/library/maven_artifact.py
deleted file mode 100644
index a91421402..000000000
--- a/library/maven_artifact.py
+++ /dev/null
@@ -1,364 +0,0 @@ -#!/usr/bin/python -# -*- coding: utf-8 -*- - -# This module has been copied from ansible-modules-extra and can be removed as soon as downloading of -# the latest snapshot is included an ansible release (ansible 2.0.0.1 contains a maven_artifact module -# which does not download the latest snapshot version) - -# Copyright (c) 2014, Chris Schmidt -# -# Built using https://github.com/hamnis/useful-scripts/blob/master/python/download-maven-artifact -# as a reference and starting point. -# -# This module is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This software is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this software. If not, see . - -__author__ = 'cschmidt' - -from lxml import etree -import os -import hashlib -import sys - -DOCUMENTATION = ''' ---- -module: maven_artifact -short_description: Downloads an Artifact from a Maven Repository -version_added: "2.0" -description: - - Downloads an artifact from a maven repository given the maven coordinates provided to the module. Can retrieve - - snapshots or release versions of the artifact and will resolve the latest available version if one is not - - available. 
-author: "Chris Schmidt (@chrisisbeef)" -requirements: - - "python >= 2.6" - - lxml -options: - group_id: - description: - - The Maven groupId coordinate - required: true - artifact_id: - description: - - The maven artifactId coordinate - required: true - version: - description: - - The maven version coordinate - required: false - default: latest - classifier: - description: - - The maven classifier coordinate - required: false - default: null - extension: - description: - - The maven type/extension coordinate - required: false - default: jar - repository_url: - description: - - The URL of the Maven Repository to download from - required: false - default: http://repo1.maven.org/maven2 - username: - description: - - The username to authenticate as to the Maven Repository - required: false - default: null - password: - description: - - The password to authenticate with to the Maven Repository - required: false - default: null - dest: - description: - - The path where the artifact should be written to - required: true - default: false - state: - description: - - The desired state of the artifact - required: true - default: present - choices: [present,absent] - validate_certs: - description: - - If C(no), SSL certificates will not be validated. This should only be set to C(no) when no other option exists. 
- required: false - default: 'yes' - choices: ['yes', 'no'] - version_added: "1.9.3" -''' - -EXAMPLES = ''' -# Download the latest version of the JUnit framework artifact from Maven Central -- maven_artifact: group_id=junit artifact_id=junit dest=/tmp/junit-latest.jar - -# Download JUnit 4.11 from Maven Central -- maven_artifact: group_id=junit artifact_id=junit version=4.11 dest=/tmp/junit-4.11.jar - -# Download an artifact from a private repository requiring authentication -- maven_artifact: group_id=com.company artifact_id=library-name repository_url=https://repo.company.com/maven username=user password=pass dest=/tmp/library-name-latest.jar - -# Download a WAR File to the Tomcat webapps directory to be deployed -- maven_artifact: group_id=com.company artifact_id=web-app extension=war repository_url=https://repo.company.com/maven dest=/var/lib/tomcat7/webapps/web-app.war -''' - -class Artifact(object): - def __init__(self, group_id, artifact_id, version, classifier=None, extension='jar'): - if not group_id: - raise ValueError("group_id must be set") - if not artifact_id: - raise ValueError("artifact_id must be set") - - self.group_id = group_id - self.artifact_id = artifact_id - self.version = version - self.classifier = classifier - - if not extension: - self.extension = "jar" - else: - self.extension = extension - - def is_snapshot(self): - return self.version and self.version.endswith("SNAPSHOT") - - def path(self, with_version=True): - base = self.group_id.replace(".", "/") + "/" + self.artifact_id - if with_version and self.version: - return base + "/" + self.version - else: - return base - - def _generate_filename(self): - if not self.classifier: - return self.artifact_id + "." + self.extension - else: - return self.artifact_id + "-" + self.classifier + "." 
+ self.extension - - def get_filename(self, filename=None): - if not filename: - filename = self._generate_filename() - elif os.path.isdir(filename): - filename = os.path.join(filename, self._generate_filename()) - return filename - - def __str__(self): - if self.classifier: - return "%s:%s:%s:%s:%s" % (self.group_id, self.artifact_id, self.extension, self.classifier, self.version) - elif self.extension != "jar": - return "%s:%s:%s:%s" % (self.group_id, self.artifact_id, self.extension, self.version) - else: - return "%s:%s:%s" % (self.group_id, self.artifact_id, self.version) - - @staticmethod - def parse(input): - parts = input.split(":") - if len(parts) >= 3: - g = parts[0] - a = parts[1] - v = parts[len(parts) - 1] - t = None - c = None - if len(parts) == 4: - t = parts[2] - if len(parts) == 5: - t = parts[2] - c = parts[3] - return Artifact(g, a, v, c, t) - else: - return None - - -class MavenDownloader: - def __init__(self, module, base="http://repo1.maven.org/maven2"): - self.module = module - if base.endswith("/"): - base = base.rstrip("/") - self.base = base - self.user_agent = "Maven Artifact Downloader/1.0" - - def _find_latest_version_available(self, artifact): - path = "/%s/maven-metadata.xml" % (artifact.path(False)) - xml = self._request(self.base + path, "Failed to download maven-metadata.xml", lambda r: etree.parse(r)) - v = xml.xpath("/metadata/versioning/versions/version[last()]/text()") - if v: - return v[0] - - def find_uri_for_artifact(self, artifact): - if artifact.is_snapshot(): - path = "/%s/maven-metadata.xml" % (artifact.path()) - xml = self._request(self.base + path, "Failed to download maven-metadata.xml", lambda r: etree.parse(r)) - timestamp = xml.xpath("/metadata/versioning/snapshot/timestamp/text()")[0] - buildNumber = xml.xpath("/metadata/versioning/snapshot/buildNumber/text()")[0] - return self._uri_for_artifact(artifact, artifact.version.replace("SNAPSHOT", timestamp + "-" + buildNumber)) - else: - return 
self._uri_for_artifact(artifact) - - def _uri_for_artifact(self, artifact, version=None): - if artifact.is_snapshot() and not version: - raise ValueError("Expected uniqueversion for snapshot artifact " + str(artifact)) - elif not artifact.is_snapshot(): - version = artifact.version - if artifact.classifier: - return self.base + "/" + artifact.path() + "/" + artifact.artifact_id + "-" + version + "-" + artifact.classifier + "." + artifact.extension - - return self.base + "/" + artifact.path() + "/" + artifact.artifact_id + "-" + version + "." + artifact.extension - - def _request(self, url, failmsg, f): - # Hack to add parameters in the way that fetch_url expects - self.module.params['url_username'] = self.module.params.get('username', '') - self.module.params['url_password'] = self.module.params.get('password', '') - self.module.params['http_agent'] = self.module.params.get('user_agent', None) - - response, info = fetch_url(self.module, url) - if info['status'] != 200: - raise ValueError(failmsg + " because of " + info['msg'] + "for URL " + url) - else: - return f(response) - - - def download(self, artifact, filename=None): - filename = artifact.get_filename(filename) - if not artifact.version or artifact.version == "latest": - artifact = Artifact(artifact.group_id, artifact.artifact_id, self._find_latest_version_available(artifact), - artifact.classifier, artifact.extension) - - url = self.find_uri_for_artifact(artifact) - if not self.verify_md5(filename, url + ".md5"): - response = self._request(url, "Failed to download artifact " + str(artifact), lambda r: r) - if response: - with open(filename, 'w') as f: - # f.write(response.read()) - self._write_chunks(response, f, report_hook=self.chunk_report) - return True - else: - return False - else: - return True - - def chunk_report(self, bytes_so_far, chunk_size, total_size): - percent = float(bytes_so_far) / total_size - percent = round(percent * 100, 2) - sys.stdout.write("Downloaded %d of %d bytes (%0.2f%%)\r" % - 
(bytes_so_far, total_size, percent)) - - if bytes_so_far >= total_size: - sys.stdout.write('\n') - - def _write_chunks(self, response, file, chunk_size=8192, report_hook=None): - total_size = response.info().getheader('Content-Length').strip() - total_size = int(total_size) - bytes_so_far = 0 - - while 1: - chunk = response.read(chunk_size) - bytes_so_far += len(chunk) - - if not chunk: - break - - file.write(chunk) - if report_hook: - report_hook(bytes_so_far, chunk_size, total_size) - - return bytes_so_far - - def verify_md5(self, file, remote_md5): - if not os.path.exists(file): - return False - else: - local_md5 = self._local_md5(file) - remote = self._request(remote_md5, "Failed to download MD5", lambda r: r.read()) - return local_md5 == remote - - def _local_md5(self, file): - md5 = hashlib.md5() - with open(file, 'rb') as f: - for chunk in iter(lambda: f.read(8192), ''): - md5.update(chunk) - return md5.hexdigest() - - -def main(): - module = AnsibleModule( - argument_spec = dict( - group_id = dict(default=None), - artifact_id = dict(default=None), - version = dict(default="latest"), - classifier = dict(default=None), - extension = dict(default='jar'), - repository_url = dict(default=None), - username = dict(default=None), - password = dict(default=None), - state = dict(default="present", choices=["present","absent"]), # TODO - Implement a "latest" state - dest = dict(type="path", default=None), - validate_certs = dict(required=False, default=True, type='bool'), - ) - ) - - group_id = module.params["group_id"] - artifact_id = module.params["artifact_id"] - version = module.params["version"] - classifier = module.params["classifier"] - extension = module.params["extension"] - repository_url = module.params["repository_url"] - repository_username = module.params["username"] - repository_password = module.params["password"] - state = module.params["state"] - dest = module.params["dest"] - - if not repository_url: - repository_url = 
"http://repo1.maven.org/maven2" - - #downloader = MavenDownloader(module, repository_url, repository_username, repository_password) - downloader = MavenDownloader(module, repository_url) - - try: - artifact = Artifact(group_id, artifact_id, version, classifier, extension) - except ValueError as e: - module.fail_json(msg=e.args[0]) - - prev_state = "absent" - if os.path.isdir(dest): - dest = dest + "/" + artifact_id + "-" + version + "." + extension - if os.path.lexists(dest): - if not artifact.is_snapshot(): - prev_state = "present" - elif downloader.verify_md5(dest, downloader.find_uri_for_artifact(artifact) + '.md5'): - prev_state = "present" - else: - path = os.path.dirname(dest) - if not os.path.exists(path): - os.makedirs(path) - - if prev_state == "present": - module.exit_json(dest=dest, state=state, changed=False) - - try: - if downloader.download(artifact, dest): - module.exit_json(state=state, dest=dest, group_id=group_id, artifact_id=artifact_id, version=version, classifier=classifier, extension=extension, repository_url=repository_url, changed=True) - else: - module.fail_json(msg="Unable to download the artifact") - except ValueError as e: - module.fail_json(msg=e.args[0]) - - -# import module snippets -from ansible.module_utils.basic import * -from ansible.module_utils.urls import * -if __name__ == '__main__': - main() From 41dd386f83716928641557f4a9ae94348f1b3432 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Mon, 17 Jun 2024 14:03:09 +0200 Subject: [PATCH 106/114] Attribute aggregation: Add timezone info to the containers --- roles/attribute-aggregation/tasks/main.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/roles/attribute-aggregation/tasks/main.yml b/roles/attribute-aggregation/tasks/main.yml index 8d73505ac..c1f52d97d 100644 --- a/roles/attribute-aggregation/tasks/main.yml +++ b/roles/attribute-aggregation/tasks/main.yml 
@@ -79,6 +79,13 @@
 retries: 3
 start_period: 10s
 hostname: attribute-aggregation
+ mounts:
+ - source: /etc/localtime
+ target: /etc/localtime
+ type: bind
+ - source: /opt/openconext/common/favicon.ico
+ target: /var/www/favicon.ico
+ type: bind
 env:
 HTTPD_CSP: "{{ httpd_csp.lenient_with_static_img }}"
 HTTPD_SERVERNAME: "aa.{{ base_domain }}"
@@ -112,6 +119,12 @@
 - source: /opt/openconext/attribute-aggregation/apachelink.conf
 target: /etc/apache2/sites-enabled/000-default.conf
 type: bind
+ - source: /etc/localtime
+ target: /etc/localtime
+ type: bind
+ - source: /opt/openconext/common/favicon.ico
+ target: /var/www/favicon.ico
+ type: bind
 hostname: attribute-link
 env:
 HTTPD_CSP: "{{ httpd_csp.lenient_with_static_img }}"
From 3547d628f63637856f95d00d59a6bf52560c8ff2 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Mon, 17 Jun 2024 14:04:04 +0200 Subject: [PATCH 107/114] DIYIDP: Use SSP 2.2.2
--- roles/diyidp/defaults/main.yml | 2 +- roles/diyidp/tasks/main.yml | 6 ++++-- 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/roles/diyidp/defaults/main.yml b/roles/diyidp/defaults/main.yml
index f2d9ddae0..a8dd6b24e 100644
--- a/roles/diyidp/defaults/main.yml
+++ b/roles/diyidp/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-diyidp_domain: diyidp."{{ base_domain }}"
+diyidp_domain: "diyidp.{{ base_domain }}"
 diyidp_cert: "diyidp.crt"
 diyidp:
 db_host: "{{ mysql_host }}"
diff --git a/roles/diyidp/tasks/main.yml b/roles/diyidp/tasks/main.yml
index 3e0fb2948..0688ddfe7 100644
--- a/roles/diyidp/tasks/main.yml
+++ b/roles/diyidp/tasks/main.yml
@@ -1,4 +1,6 @@
 ---
+- debug:
+ msg: "{{ diyidp }}"
 - name: Create directories
 ansible.builtin.file:
 path: "/opt/openconext/diyidp/{{ item }}"
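Review bot: The new `/etc/localtime` and favicon bind mounts in roles/attribute-aggregation/tasks/main.yml are writable from inside the container, although both are files the container only needs to read. If these are `community.docker.docker_container` `mounts` entries, as the `source`/`target`/`type` keys suggest, each of the four new entries accepts `read_only: true`; adding it keeps a compromised container from altering the host's timezone file or the shared favicon served to users. The same applies to the second hunk of the same file at `@@ -112,6 +119,12 @@`.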
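Review bot: The new `- debug: msg: "{{ diyidp }}"` task at the top of roles/diyidp/tasks/main.yml prints the entire `diyidp` dictionary into the play output and anything that captures it (CI logs, AWX/Tower job output). The defaults hunk in this same commit shows that dictionary holds at least the database connection settings (`db_host`); if it also carries a database password or other secrets, those are exposed on every run. Remove the task before merging, or limit it to the non-secret keys actually being debugged, e.g. `msg: "{{ diyidp.db_host }}"`.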
@@ -68,14 +70,14 @@
 - name: Create the container
 community.docker.docker_container:
 name: diyidp
- image: cirrusid/simplesamlphp:v2.0.7
+ image: cirrusid/simplesamlphp:v2.2.2
 pull: true
 restart_policy: "always"
 state: started
 networks:
 - name: "loadbalancer"
 labels:
- traefik.http.routers.diyidp.rule: "Host(`diyidp.{{ base_domain }}`)"
+ traefik.http.routers.diyidp.rule: "Host(`{{ diyidp_domain }}`)"
 traefik.http.routers.diyidp.tls: "true"
 traefik.enable: "true"
 hostname: diyidp
From 9dfbfc75848fd4ff3faac770b0d07c89bc9e0029 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Mon, 17 Jun 2024 14:04:44 +0200 Subject: [PATCH 108/114] Haproxy: allow port to be set on the backend itself
--- roles/haproxy/templates/haproxy_backend.cfg.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/haproxy/templates/haproxy_backend.cfg.j2 b/roles/haproxy/templates/haproxy_backend.cfg.j2
index b82b1e005..de9b0d612 100644
--- a/roles/haproxy/templates/haproxy_backend.cfg.j2
+++ b/roles/haproxy/templates/haproxy_backend.cfg.j2
@@ -34,7 +34,7 @@ cookie HTTPSERVERID insert nocache indirect httponly secure maxidle {{ haproxy_cookie_max_idle }}
 {% for server in application.servers %}
- server {{ server.label }} {{ server.ip }}:{{ application.port }} cookie {{ server.label }} check inter 8000 fall 5 rise 2 maxconn {{ application.maxconn | default('35') }} {% if application.sslbackend is defined%} ssl verify required verifyhost {{ application.backend_vhost_name }} ca-file {{ application.backend_ca_file }}{% endif %} weight 100
+ server {{ server.label }} {{ server.ip }}:{% if server.port is defined %}{{ server.port }}{% else %}{{ application.port }}{% endif %} cookie {{ server.label }} check inter 8000 fall 5 rise 2 maxconn {{ application.maxconn | default('35') }} {% if application.sslbackend is defined%} ssl verify required verifyhost {{ application.backend_vhost_name }} ca-file {{ application.backend_ca_file }}{% endif %} weight 100
 {% endfor %}
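Review bot: The optional per-server `port` key introduced in roles/haproxy/templates/haproxy_backend.cfg.j2 is not documented anywhere in this commit, so users of the role only learn about it by reading the template. Add a line to the role's variable documentation, or a Jinja comment above the `{% for server in application.servers %}` loop such as `{# server.port, when defined, overrides application.port for that server only #}`. Because the `ssl verify required verifyhost ...` clause is still driven by the application-level `sslbackend` flag, that note should also say a per-server port must speak the same protocol as `application.port`.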
From 71f38da82706e79108dd8a1df567062e4d8614f4 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Mon, 17 Jun 2024 14:05:37 +0200 Subject: [PATCH 109/114] Haproxy: Add redirect rules to restricted frontend
--- roles/haproxy/templates/haproxy_frontend.cfg.j2 | 1 + 1 file changed, 1 insertion(+)
diff --git a/roles/haproxy/templates/haproxy_frontend.cfg.j2 b/roles/haproxy/templates/haproxy_frontend.cfg.j2
index 426ffa691..f1d92acd8 100644
--- a/roles/haproxy/templates/haproxy_frontend.cfg.j2
+++ b/roles/haproxy/templates/haproxy_frontend.cfg.j2
@@ -199,5 +199,6 @@ frontend localhost_restricted
 acl securitytxt path /.well-known/security.txt
 http-request redirect location {{ haproxy_securitytxt_target_url }} if securitytxt
 {% endif %}
+ http-request redirect location %[base,map_reg(/etc/haproxy/maps/redirects.map)] if { base,map_reg(/etc/haproxy/maps/redirects.map) -m found }
 {% endif %}
From fc20a9d03fbcc6832d2d13a884586d2348c0c6f0 Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Tue, 18 Jun 2024 13:08:33 +0200 Subject: [PATCH 110/114] Secure cookie setting dashboard
--- roles/dashboard/templates/serverapplication.yml.j2 | 1 + 1 file changed, 1 insertion(+)
diff --git a/roles/dashboard/templates/serverapplication.yml.j2 b/roles/dashboard/templates/serverapplication.yml.j2
index 5f0dc21ef..1afea013b 100644
--- a/roles/dashboard/templates/serverapplication.yml.j2
+++ b/roles/dashboard/templates/serverapplication.yml.j2
@@ -6,6 +6,7 @@ organization={{ dashboard_organization }}
 # 8 hours
 server.servlet.session.timeout=28800
+server.servlet.session.cookie.secure=true
 # An empty value will be replaced with the default
 server.server-header=no
From 0c6f2131163ede112b35be17a213073ecbeb6749 Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Tue, 18 Jun 2024 14:03:37 +0200 Subject: [PATCH 111/114] Jira send mail documentation
--- roles/dashboard/templates/serverapplication.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
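Review bot: The new `http-request redirect location %[base,map_reg(/etc/haproxy/maps/redirects.map)] ...` line makes /etc/haproxy/maps/redirects.map a hard dependency of the `localhost_restricted` frontend, and this commit touches only the template; on a host that renders this frontend without that map file haproxy will most likely reject the configuration at start-up. Because `map_reg` evaluates the map keys as regular expressions against `base` (host plus path) and sends the client wherever the matching value says, entries need explicit `^...$` anchoring so a pattern written for one host does not also match another, and the map file deserves the same review as the frontend rules since it decides where users are redirected. Consider guarding the line the way the `haproxy_securitytxt_target_url` block above it is guarded, so hosts without a map keep working. The outer `{% if %}` closed by the last context line starts outside the hunk, so its condition is not visible here.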
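Review bot: `server.servlet.session.cookie.secure=true` sets only the Secure flag; the remaining session-cookie attributes stay at the servlet container's defaults, which are not visible from this template. Make the intent explicit next to it with `server.servlet.session.cookie.http-only=true` and, if the Shibboleth-backed login this template enables (`dashboard.feature.shibboleth=true`) tolerates it, `server.servlet.session.cookie.same-site=lax`; the SameSite value has to be tested against the cross-site return from the IdP before it is turned on. A one-line comment above the new property, e.g. `# Session cookie must only be sent over TLS`, would document why it is hard-coded rather than templated.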
diff --git a/roles/dashboard/templates/serverapplication.yml.j2 b/roles/dashboard/templates/serverapplication.yml.j2
index 1afea013b..21803b3d5 100644
--- a/roles/dashboard/templates/serverapplication.yml.j2
+++ b/roles/dashboard/templates/serverapplication.yml.j2
@@ -49,7 +49,6 @@ spring.mail.host=host.docker.internal
 spring.mail.port=25
 coin-administrative-email={{ dashboard.administrative_mail }}
-administration.email.enabled={{ dashboard.administration_email_enabled }}
 mailBaseUrl=https://dashboard.{{ base_domain }}
 systemEmail=SURFconext
@@ -77,6 +76,7 @@ pdp.password={{ pdp_password }}
 dashboard.feature.shibboleth=true
 dashboard.feature.sab={{ dashboard.feature_sab }}
 dashboard.feature.manage=true
+# If feature.jira is set to false, then emails are send out when questions are asked or an entity is linked / unlinked
 dashboard.feature.jira={{ dashboard.feature_jira }}
 dashboard.feature.consent={{ dashboard.feature_consent }}
 # Valid choices are 'MOCK', 'PDP' or 'MANAGE', 'MOCK' is for local development
From 97d198c3ab7d701b1ed47095cd47531cdf8c5055 Mon Sep 17 00:00:00 2001 From: Peter Havekes Date: Wed, 19 Jun 2024 10:25:34 +0200 Subject: [PATCH 112/114] myconext: refresh from manage every 5 minutes
--- roles/myconext/templates/application.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2
index b7dbc4f22..50bc3817d 100644
--- a/roles/myconext/templates/application.yml.j2
+++ b/roles/myconext/templates/application.yml.j2
@@ -52,7 +52,7 @@ cron:
 node-cron-job-responsible: {{ myconext_cronjobmaster }}
 token-cleaner-expression: "0 0/15 * * * *"
 manage-initial-delay-milliseconds: 15000
- manage-fixed-rate-milliseconds: 43_200_000
+ manage-fixed-rate-milliseconds: 300_000
 manage:
 username: myconext
From 76b4f05492e84a347556e533dd50e434e731501e Mon Sep 17 00:00:00 2001
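Review bot: The first hunk removes `administration.email.enabled={{ dashboard.administration_email_enabled }}` even though the subject only speaks of documenting the Jira mail behaviour. If the application still binds that property without a default, dropping it breaks start-up; if the application no longer reads it, the inventory variable `dashboard.administration_email_enabled` is now dead and should be removed from the inventories as well. The commit message should say which of the two is the case.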
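Review bot: The added comment in the second hunk has a grammar slip ("are send out") and names the property by a shortened key that does not match the line below it. Suggest `# If dashboard.feature.jira is set to false, emails are sent out when questions are asked or an entity is linked / unlinked`.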
From: Okke Harsta Date: Wed, 19 Jun 2024 10:28:32 +0200 Subject: [PATCH 113/114] Do not allow for extraneous keys in the ARP
--- .../templates/metadata_configuration/oidc10_rp.schema.json.j2 | 4 ++-- .../templates/metadata_configuration/saml20_sp.schema.json.j2 | 3 ++- .../single_tenant_template.schema.json.j2 | 3 ++- 3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/roles/manage-server/templates/metadata_configuration/oidc10_rp.schema.json.j2 b/roles/manage-server/templates/metadata_configuration/oidc10_rp.schema.json.j2
index 869f3d892..0ba7e116b 100644
--- a/roles/manage-server/templates/metadata_configuration/oidc10_rp.schema.json.j2
+++ b/roles/manage-server/templates/metadata_configuration/oidc10_rp.schema.json.j2
@@ -33,8 +33,8 @@
 "use_as_nameid": {
 "type": "boolean"
 }
-
- }
+ },
+ "additionalProperties": false
 }
 }
 },
diff --git a/roles/manage-server/templates/metadata_configuration/saml20_sp.schema.json.j2 b/roles/manage-server/templates/metadata_configuration/saml20_sp.schema.json.j2
index 9224943bd..2679f2f6e 100644
--- a/roles/manage-server/templates/metadata_configuration/saml20_sp.schema.json.j2
+++ b/roles/manage-server/templates/metadata_configuration/saml20_sp.schema.json.j2
@@ -61,7 +61,8 @@
 "use_as_nameid": {
 "type": "boolean"
 }
- }
+ },
+ "additionalProperties": false
 }
 }
 },
diff --git a/roles/manage-server/templates/metadata_configuration/single_tenant_template.schema.json.j2 b/roles/manage-server/templates/metadata_configuration/single_tenant_template.schema.json.j2
index 0a928e7fe..5d6fda209 100644
--- a/roles/manage-server/templates/metadata_configuration/single_tenant_template.schema.json.j2
+++ b/roles/manage-server/templates/metadata_configuration/single_tenant_template.schema.json.j2
@@ -47,7 +47,8 @@
 "use_as_nameid": {
 "type": "boolean"
 }
- }
+ },
+ "additionalProperties": false
 }
 }
 },
From 0a346ad5b871f0f4543b132fd071e93a85838d9a Mon Sep 17 00:00:00 2001
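Review bot: Adding `"additionalProperties": false` to the ARP attribute objects in all three schema templates (oidc10_rp, saml20_sp and single_tenant_template) is a tightening that presumably applies retroactively: any entity already stored with a key outside the listed properties (only `use_as_nameid` is visible in the hunks) will fail validation the next time it is saved, with no change to the entity itself. Before rolling this out, run the existing data through the new schema, or query the stored ARPs for unexpected keys, so the failures surface in a migration rather than in an editor's save. All three hunks sit in the middle of the schema object, whose start and end lie outside them.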
From: Okke Harsta Date: Wed, 19 Jun 2024 11:51:53 +0200 Subject: [PATCH 114/114] Revert "Maven artifact is in ansible itself" This reverts commit 80dbc8fbbff891a3423e11253376b4ddb7e14f3f. --- library/maven_artifact.py | 364 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 364 insertions(+) create mode 100644 library/maven_artifact.py diff --git a/library/maven_artifact.py b/library/maven_artifact.py new file mode 100644 index 000000000..a91421402 --- /dev/null +++ b/library/maven_artifact.py 
@@ -0,0 +1,364 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# This module has been copied from ansible-modules-extra and can be removed as soon as downloading of +# the latest snapshot is included an ansible release (ansible 2.0.0.1 contains a maven_artifact module +# which does not download the latest snapshot version) + +# Copyright (c) 2014, Chris Schmidt +# +# Built using https://github.com/hamnis/useful-scripts/blob/master/python/download-maven-artifact +# as a reference and starting point. +# +# This module is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This software is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this software. If not, see . + +__author__ = 'cschmidt' + +from lxml import etree +import os +import hashlib +import sys + +DOCUMENTATION = ''' +--- +module: maven_artifact +short_description: Downloads an Artifact from a Maven Repository +version_added: "2.0" +description: + - Downloads an artifact from a maven repository given the maven coordinates provided to the module. Can retrieve + - snapshots or release versions of the artifact and will resolve the latest available version if one is not + - available. 
+author: "Chris Schmidt (@chrisisbeef)" +requirements: + - "python >= 2.6" + - lxml +options: + group_id: + description: + - The Maven groupId coordinate + required: true + artifact_id: + description: + - The maven artifactId coordinate + required: true + version: + description: + - The maven version coordinate + required: false + default: latest + classifier: + description: + - The maven classifier coordinate + required: false + default: null + extension: + description: + - The maven type/extension coordinate + required: false + default: jar + repository_url: + description: + - The URL of the Maven Repository to download from + required: false + default: http://repo1.maven.org/maven2 + username: + description: + - The username to authenticate as to the Maven Repository + required: false + default: null + password: + description: + - The password to authenticate with to the Maven Repository + required: false + default: null + dest: + description: + - The path where the artifact should be written to + required: true + default: false + state: + description: + - The desired state of the artifact + required: true + default: present + choices: [present,absent] + validate_certs: + description: + - If C(no), SSL certificates will not be validated. This should only be set to C(no) when no other option exists. 
+ required: false + default: 'yes' + choices: ['yes', 'no'] + version_added: "1.9.3" +''' + +EXAMPLES = ''' +# Download the latest version of the JUnit framework artifact from Maven Central +- maven_artifact: group_id=junit artifact_id=junit dest=/tmp/junit-latest.jar + +# Download JUnit 4.11 from Maven Central +- maven_artifact: group_id=junit artifact_id=junit version=4.11 dest=/tmp/junit-4.11.jar + +# Download an artifact from a private repository requiring authentication +- maven_artifact: group_id=com.company artifact_id=library-name repository_url=https://repo.company.com/maven username=user password=pass dest=/tmp/library-name-latest.jar + +# Download a WAR File to the Tomcat webapps directory to be deployed +- maven_artifact: group_id=com.company artifact_id=web-app extension=war repository_url=https://repo.company.com/maven dest=/var/lib/tomcat7/webapps/web-app.war +''' + +class Artifact(object): + def __init__(self, group_id, artifact_id, version, classifier=None, extension='jar'): + if not group_id: + raise ValueError("group_id must be set") + if not artifact_id: + raise ValueError("artifact_id must be set") + + self.group_id = group_id + self.artifact_id = artifact_id + self.version = version + self.classifier = classifier + + if not extension: + self.extension = "jar" + else: + self.extension = extension + + def is_snapshot(self): + return self.version and self.version.endswith("SNAPSHOT") + + def path(self, with_version=True): + base = self.group_id.replace(".", "/") + "/" + self.artifact_id + if with_version and self.version: + return base + "/" + self.version + else: + return base + + def _generate_filename(self): + if not self.classifier: + return self.artifact_id + "." + self.extension + else: + return self.artifact_id + "-" + self.classifier + "." 
+ self.extension + + def get_filename(self, filename=None): + if not filename: + filename = self._generate_filename() + elif os.path.isdir(filename): + filename = os.path.join(filename, self._generate_filename()) + return filename + + def __str__(self): + if self.classifier: + return "%s:%s:%s:%s:%s" % (self.group_id, self.artifact_id, self.extension, self.classifier, self.version) + elif self.extension != "jar": + return "%s:%s:%s:%s" % (self.group_id, self.artifact_id, self.extension, self.version) + else: + return "%s:%s:%s" % (self.group_id, self.artifact_id, self.version) + + @staticmethod + def parse(input): + parts = input.split(":") + if len(parts) >= 3: + g = parts[0] + a = parts[1] + v = parts[len(parts) - 1] + t = None + c = None + if len(parts) == 4: + t = parts[2] + if len(parts) == 5: + t = parts[2] + c = parts[3] + return Artifact(g, a, v, c, t) + else: + return None + + +class MavenDownloader: + def __init__(self, module, base="http://repo1.maven.org/maven2"): + self.module = module + if base.endswith("/"): + base = base.rstrip("/") + self.base = base + self.user_agent = "Maven Artifact Downloader/1.0" + + def _find_latest_version_available(self, artifact): + path = "/%s/maven-metadata.xml" % (artifact.path(False)) + xml = self._request(self.base + path, "Failed to download maven-metadata.xml", lambda r: etree.parse(r)) + v = xml.xpath("/metadata/versioning/versions/version[last()]/text()") + if v: + return v[0] + + def find_uri_for_artifact(self, artifact): + if artifact.is_snapshot(): + path = "/%s/maven-metadata.xml" % (artifact.path()) + xml = self._request(self.base + path, "Failed to download maven-metadata.xml", lambda r: etree.parse(r)) + timestamp = xml.xpath("/metadata/versioning/snapshot/timestamp/text()")[0] + buildNumber = xml.xpath("/metadata/versioning/snapshot/buildNumber/text()")[0] + return self._uri_for_artifact(artifact, artifact.version.replace("SNAPSHOT", timestamp + "-" + buildNumber)) + else: + return 
self._uri_for_artifact(artifact) + + def _uri_for_artifact(self, artifact, version=None): + if artifact.is_snapshot() and not version: + raise ValueError("Expected uniqueversion for snapshot artifact " + str(artifact)) + elif not artifact.is_snapshot(): + version = artifact.version + if artifact.classifier: + return self.base + "/" + artifact.path() + "/" + artifact.artifact_id + "-" + version + "-" + artifact.classifier + "." + artifact.extension + + return self.base + "/" + artifact.path() + "/" + artifact.artifact_id + "-" + version + "." + artifact.extension + + def _request(self, url, failmsg, f): + # Hack to add parameters in the way that fetch_url expects + self.module.params['url_username'] = self.module.params.get('username', '') + self.module.params['url_password'] = self.module.params.get('password', '') + self.module.params['http_agent'] = self.module.params.get('user_agent', None) + + response, info = fetch_url(self.module, url) + if info['status'] != 200: + raise ValueError(failmsg + " because of " + info['msg'] + "for URL " + url) + else: + return f(response) + + + def download(self, artifact, filename=None): + filename = artifact.get_filename(filename) + if not artifact.version or artifact.version == "latest": + artifact = Artifact(artifact.group_id, artifact.artifact_id, self._find_latest_version_available(artifact), + artifact.classifier, artifact.extension) + + url = self.find_uri_for_artifact(artifact) + if not self.verify_md5(filename, url + ".md5"): + response = self._request(url, "Failed to download artifact " + str(artifact), lambda r: r) + if response: + with open(filename, 'w') as f: + # f.write(response.read()) + self._write_chunks(response, f, report_hook=self.chunk_report) + return True + else: + return False + else: + return True + + def chunk_report(self, bytes_so_far, chunk_size, total_size): + percent = float(bytes_so_far) / total_size + percent = round(percent * 100, 2) + sys.stdout.write("Downloaded %d of %d bytes (%0.2f%%)\r" % + 
(bytes_so_far, total_size, percent)) + + if bytes_so_far >= total_size: + sys.stdout.write('\n') + + def _write_chunks(self, response, file, chunk_size=8192, report_hook=None): + total_size = response.info().getheader('Content-Length').strip() + total_size = int(total_size) + bytes_so_far = 0 + + while 1: + chunk = response.read(chunk_size) + bytes_so_far += len(chunk) + + if not chunk: + break + + file.write(chunk) + if report_hook: + report_hook(bytes_so_far, chunk_size, total_size) + + return bytes_so_far + + def verify_md5(self, file, remote_md5): + if not os.path.exists(file): + return False + else: + local_md5 = self._local_md5(file) + remote = self._request(remote_md5, "Failed to download MD5", lambda r: r.read()) + return local_md5 == remote + + def _local_md5(self, file): + md5 = hashlib.md5() + with open(file, 'rb') as f: + for chunk in iter(lambda: f.read(8192), ''): + md5.update(chunk) + return md5.hexdigest() + + +def main(): + module = AnsibleModule( + argument_spec = dict( + group_id = dict(default=None), + artifact_id = dict(default=None), + version = dict(default="latest"), + classifier = dict(default=None), + extension = dict(default='jar'), + repository_url = dict(default=None), + username = dict(default=None), + password = dict(default=None), + state = dict(default="present", choices=["present","absent"]), # TODO - Implement a "latest" state + dest = dict(type="path", default=None), + validate_certs = dict(required=False, default=True, type='bool'), + ) + ) + + group_id = module.params["group_id"] + artifact_id = module.params["artifact_id"] + version = module.params["version"] + classifier = module.params["classifier"] + extension = module.params["extension"] + repository_url = module.params["repository_url"] + repository_username = module.params["username"] + repository_password = module.params["password"] + state = module.params["state"] + dest = module.params["dest"] + + if not repository_url: + repository_url = 
"http://repo1.maven.org/maven2" + + #downloader = MavenDownloader(module, repository_url, repository_username, repository_password) + downloader = MavenDownloader(module, repository_url) + + try: + artifact = Artifact(group_id, artifact_id, version, classifier, extension) + except ValueError as e: + module.fail_json(msg=e.args[0]) + + prev_state = "absent" + if os.path.isdir(dest): + dest = dest + "/" + artifact_id + "-" + version + "." + extension + if os.path.lexists(dest): + if not artifact.is_snapshot(): + prev_state = "present" + elif downloader.verify_md5(dest, downloader.find_uri_for_artifact(artifact) + '.md5'): + prev_state = "present" + else: + path = os.path.dirname(dest) + if not os.path.exists(path): + os.makedirs(path) + + if prev_state == "present": + module.exit_json(dest=dest, state=state, changed=False) + + try: + if downloader.download(artifact, dest): + module.exit_json(state=state, dest=dest, group_id=group_id, artifact_id=artifact_id, version=version, classifier=classifier, extension=extension, repository_url=repository_url, changed=True) + else: + module.fail_json(msg="Unable to download the artifact") + except ValueError as e: + module.fail_json(msg=e.args[0]) + + +# import module snippets +from ansible.module_utils.basic import * +from ansible.module_utils.urls import * +if __name__ == '__main__': + main()
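Review bot: The `password` entry in `main()`'s `argument_spec` has no `no_log=True`, so the repository credential is printed in verbose output and in the `module.params` that `_request` copies into `url_password`; change it to `password = dict(default=None, no_log=True)`. Both default repository URLs (`MavenDownloader.__init__` and the fallback in `main()`) are `http://repo1.maven.org/maven2`, and because the `.md5` that `verify_md5` compares against is fetched over the same connection as the artifact, that check only detects a stale local copy, not a modified download; use `https://repo1.maven.org/maven2` for both and treat the MD5 comparison as a cache check. `verify_md5` also compares `local_md5 == remote` without stripping the remote body, so a `.md5` file with a trailing newline never matches and the artifact is re-downloaded on every run; `return local_md5 == remote.strip()` fixes that. Several spots are Python-2-only and fail under a Python 3 interpreter: `open(filename, 'w')` in `download` writes bytes into a text-mode file, `iter(lambda: f.read(8192), '')` in `_local_md5` never reaches its `''` sentinel on a binary file, and `response.info().getheader(...)` in `_write_chunks` does not exist on Python 3 (`response.info().get('Content-Length')` works on both). The `etree.parse(r)` calls on the fetched `maven-metadata.xml` would be safer with an explicit `etree.XMLParser(resolve_entities=False)`, since that document comes from the remote repository.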