From 5990140fad053d3ff92900c0019ea55c3638bbff Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Wed, 9 Oct 2024 13:46:55 +0200 Subject: [PATCH 01/59] Galera: Make Galera Rocky 9 compatible --- roles/galera/tasks/cluster_nodes.yml | 17 ++++++++--------- roles/galera/templates/mariadb.repo.rocky9.j2 | 7 +++++++ 2 files changed, 15 insertions(+), 9 deletions(-) create mode 100644 roles/galera/templates/mariadb.repo.rocky9.j2 diff --git a/roles/galera/tasks/cluster_nodes.yml b/roles/galera/tasks/cluster_nodes.yml index 0a6fb3e73..648fa2f77 100644 --- a/roles/galera/tasks/cluster_nodes.yml +++ b/roles/galera/tasks/cluster_nodes.yml @@ -12,19 +12,18 @@ state: present ignoreerrors: yes -# Add MariaDB repo and key -- name: Add MariaDB.org repository CentOS7 - template: - src: "mariadb.repo.j2" - dest: "/etc/yum.repos.d/mariadb.repo" - when: ansible_distribution_major_version == '7' - - name: Add MariaDB.org repository Rocky 8 template: src: "mariadb.repo.rocky8.j2" dest: "/etc/yum.repos.d/mariadb.repo" when: ansible_distribution_major_version == '8' +- name: Add MariaDB.org repository Rocky 9 + template: + src: "mariadb.repo.rocky9.j2" + dest: "/etc/yum.repos.d/mariadb.repo" + when: ansible_distribution_major_version == '9' + - name: Install MariaDB, Galera, socat, python3-PyMySQL yum: name: @@ -215,7 +214,7 @@ mysql_user: name: "{{ mariadb_cluster_user }}" password: "{{ mariadb_cluster_password }}" - priv: "*.*:GRANT RELOAD,PROCESS,LOCK TABLES,BINLOG MONITOR" + priv: "*.*:RELOAD,PROCESS,LOCK TABLES,BINLOG MONITOR" state: present login_user: root login_password: "{{ mariadb_root_password }}" @@ -227,7 +226,7 @@ mysql_user: name: "{{ mariadb_backup_user }}" password: "{{ mariadb_backup_password }}" - priv: "*.*:GRANT RELOAD,PROCESS,LOCK TABLES,BINLOG MONITOR,CONNECTION ADMIN" + priv: "*.*:RELOAD,PROCESS,LOCK TABLES,BINLOG MONITOR,CONNECTION ADMIN" state: present login_user: root login_password: "{{ mariadb_root_password }}" 
diff --git a/roles/galera/templates/mariadb.repo.rocky9.j2 b/roles/galera/templates/mariadb.repo.rocky9.j2 new file mode 100644 index 000000000..9d661f1de --- /dev/null +++ b/roles/galera/templates/mariadb.repo.rocky9.j2 @@ -0,0 +1,7 @@ +# http://mariadb.org/mariadb/repositories/ +[mariadb] +name = MariaDB +baseurl = http://yum.mariadb.org/10.6/rhel9-amd64 +module_hotfixes=1 +gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB +gpgcheck=1 From e79440bd5d2269f0170eab94595fd34074326119 Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Wed, 9 Oct 2024 14:31:38 +0200 Subject: [PATCH 02/59] New feature toggle for invite --- roles/invite/templates/serverapplication.yml.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/invite/templates/serverapplication.yml.j2 b/roles/invite/templates/serverapplication.yml.j2 index 909ab54cc..1a0a140a4 100644 --- a/roles/invite/templates/serverapplication.yml.j2 +++ b/roles/invite/templates/serverapplication.yml.j2 @@ -117,6 +117,9 @@ config: past-date-allowed: {{ invite.past_date_allowed }} eduid-idp-schac-home-organization: {{ invite.eduid_idp_schac_home_organization }} +feature: + limit-institution-admin-role-visibility: {{ invite.limit_institution_admin_role_visibility }} + # We don't encode in-memory passwords, but they are reused so do NOT prefix them with {noop} external-api-configuration: remote-users: From df95274e22c6051d90be05cf418e1257fe63d510 Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Fri, 11 Oct 2024 14:03:47 +0200 Subject: [PATCH 03/59] OIDC INFO log level --- roles/oidcng/templates/logback.xml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/oidcng/templates/logback.xml.j2 b/roles/oidcng/templates/logback.xml.j2 index 21422750c..8d5fa6e87 100644 --- a/roles/oidcng/templates/logback.xml.j2 +++ b/roles/oidcng/templates/logback.xml.j2 @@ -40,7 +40,7 @@ - + {%if oidcng_logback_email |bool %} From 24a4025dbbeeb47470bd7fbda694307adf563220 Mon Sep 17 00:00:00 2001 
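Review bot: The new Rocky 9 repo template pulls packages over plain HTTP (`baseurl = http://yum.mariadb.org/10.6/rhel9-amd64`) and relies on `gpgcheck=1` alone; RPM signatures cover the packages but not the repository metadata, so a stale-metadata or downgrade substitution on the unencrypted path is not detected. Use `baseurl = https://yum.mariadb.org/10.6/rhel9-amd64` (the `gpgkey` line already uses https) and, if the mirror signs its repomd.xml, add `repo_gpgcheck=1`. The 10.6 series and the `amd64` architecture are hard-coded here exactly as in the Rocky 8 template; a single role default for the MariaDB series would keep the two templates from drifting.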
From: Okke Harsta Date: Fri, 11 Oct 2024 14:08:33 +0200 Subject: [PATCH 04/59] OIDC INFO log level --- roles/oidcng/templates/application.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/oidcng/templates/application.yml.j2 b/roles/oidcng/templates/application.yml.j2 index 1f3a52eab..74ddfc11f 100644 --- a/roles/oidcng/templates/application.yml.j2 +++ b/roles/oidcng/templates/application.yml.j2 @@ -3,7 +3,7 @@ logging: config: file://{{ oidcng_config_dir }}/logback.xml level: org.springframework: WARN - oidc: WARN + oidc: INFO # Is this node in a load-balanced topology responsible for cleaning up resources cron: From 22e4e533879d4adb61c65a5966c80b51357fb8ee Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Wed, 9 Oct 2024 15:40:29 +0200 Subject: [PATCH 05/59] Galera: Fix backup user privileges --- roles/galera/tasks/cluster_nodes.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/galera/tasks/cluster_nodes.yml b/roles/galera/tasks/cluster_nodes.yml index 648fa2f77..9e7ecbf2f 100644 --- a/roles/galera/tasks/cluster_nodes.yml +++ b/roles/galera/tasks/cluster_nodes.yml @@ -226,7 +226,7 @@ mysql_user: name: "{{ mariadb_backup_user }}" password: "{{ mariadb_backup_password }}" - priv: "*.*:RELOAD,PROCESS,LOCK TABLES,BINLOG MONITOR,CONNECTION ADMIN" + priv: "*.*:SELECT,RELOAD,PROCESS,LOCK TABLES,BINLOG MONITOR,CONNECTION ADMIN,SHOW VIEW" state: present login_user: root login_password: "{{ mariadb_root_password }}" From 5ed109755be2ed93cacaceff78406f8739228167 Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Sat, 12 Oct 2024 14:21:41 +0200 Subject: [PATCH 06/59] Part of #261 --- .../metadata_configuration/provisioning.schema.json.j2 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/manage/templates/metadata_configuration/provisioning.schema.json.j2 b/roles/manage/templates/metadata_configuration/provisioning.schema.json.j2 index 8698ca67c..4bd13f9e4 100644 
--- a/roles/manage/templates/metadata_configuration/provisioning.schema.json.j2 +++ b/roles/manage/templates/metadata_configuration/provisioning.schema.json.j2 @@ -137,6 +137,11 @@ "type": "string", "format": "uuid", "info": "The institution_guid of a connected IdP for eduID scim provisioning." + }, + "user_wait_time": { + "type": "number", + "default": 0, + "info": "The number of seconds that it takes to create the user account after provisioning." } }, "patternProperties": { From 27af4e0e502335fe1826a5ca62717b7190c3cffd Mon Sep 17 00:00:00 2001 From: Thijs Kinkhorst Date: Mon, 14 Oct 2024 14:52:35 +0200 Subject: [PATCH 07/59] Report on migrations status --- roles/engineblock/tasks/main.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/roles/engineblock/tasks/main.yml b/roles/engineblock/tasks/main.yml index 2bd81fb6d..2baa50469 100644 --- a/roles/engineblock/tasks/main.yml +++ b/roles/engineblock/tasks/main.yml @@ -222,6 +222,18 @@ changed_when: False run_once: True +- name: Check doctrine migrations status + shell: php72 app/console doctrine:migrations:status --env={{ engine_apache_symfony_environment }} + args: + chdir: "{{ openconext_releases_dir }}/OpenConext-engineblock" + register: eb_database_migration_status + changed_when: False + run_once: True + +- name: Print return information from the previous task + ansible.builtin.debug: + var: eb_database_migration_status + - name: Create the database schema command: "php72 app/console doctrine:schema:create -n --env={{ engine_apache_symfony_environment }}" args: From 8699d7239d4a20c986c1412a68cd3790ffe8fdc3 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Mon, 14 Oct 2024 19:22:36 +0200 Subject: [PATCH 08/59] OIDCNG: Make the device flow configurable --- roles/oidcng/defaults/main.yml | 2 ++ roles/oidcng/templates/application.yml.j2 | 2 ++ roles/oidcng/templates/openid-configuration.json.j2 | 8 ++++++-- 3 files changed, 10 insertions(+), 2 deletions(-) 
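Review bot: `user_wait_time` is declared as a `number` with `default: 0` but has no lower bound, so a negative wait time passes schema validation even though the `info` text describes a number of seconds. Adding `"minimum": 0` next to `"default": 0` lets Manage reject such a value at save time rather than leaving it to the provisioning consumer.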
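Review bot: The new status task uses `shell:` and interpolates `{{ engine_apache_symfony_environment }}` unquoted, while the neighbouring `Create the database schema` task runs the same console binary through `command:`; `shell` adds an interpreter layer that would act on any metacharacters in that variable, and nothing in this command needs shell features. Prefer `command: "php72 app/console doctrine:migrations:status --env={{ engine_apache_symfony_environment }}"` for consistency with the task below. The `debug` task also lacks the `run_once: True` of the task whose result it prints, so the same registered output is echoed once per host.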
diff --git a/roles/oidcng/defaults/main.yml b/roles/oidcng/defaults/main.yml index 23d6def24..cc444fba4 100644 --- a/roles/oidcng/defaults/main.yml +++ b/roles/oidcng/defaults/main.yml @@ -9,6 +9,7 @@ oidcng_idp_metadata_url: https://engine.{{ base_domain }}/authentication/idp/met oidcng_base_hostname: connect.{{ base_domain }} oidcng_logback_email: true oidcng_logback_json: true +oidcng_device_flow: false oidcng_idp_sso_location: https://engine.{{ base_domain }}/authentication/idp/single-sign-on oidcng_manage_provision_samlsp_client_id: "https://connect.{{ base_domain }}" oidcng_manage_provision_samlsp_name_en: "{{ instance_name }} OIDC Gateway" @@ -18,3 +19,4 @@ oidcng_manage_provision_samlsp_metadata_url: "https://connect.{{ base_domain }}/ oidcng_manage_provision_samlsp_sp_cert: "{{ lookup('file', '{{ inventory_dir }}/files/certs/oidc/oidcsaml.crt') | depem }}" oidcng_manage_provision_samlsp_sign: "True" oidcng_manage_provision_samlsp_trusted_proxy: "True" + diff --git a/roles/oidcng/templates/application.yml.j2 b/roles/oidcng/templates/application.yml.j2 index 74ddfc11f..03bba7150 100644 --- a/roles/oidcng/templates/application.yml.j2 +++ b/roles/oidcng/templates/application.yml.j2 @@ -50,7 +50,9 @@ certificate_path: file://{{ oidcng_config_dir }}/oidcsaml.crt default_acr_value: {{ oidcng.default_acr_value }} secure_cookie: true oidc_token_endpoint: https://connect.{{ base_domain }}/oidc/token +{% if oidcng_device_flow | bool %} device_verification_url: https://connect.{{ base_domain }}/oidc/verify +{% endif %} environment: {{ oidcng.environment }} features: diff --git a/roles/oidcng/templates/openid-configuration.json.j2 b/roles/oidcng/templates/openid-configuration.json.j2 index 874b0c6af..5356d4873 100644 --- a/roles/oidcng/templates/openid-configuration.json.j2 +++ b/roles/oidcng/templates/openid-configuration.json.j2 
@@ -5,7 +5,9 @@ "userinfo_endpoint": "https://{{ oidcng_base_hostname }}/oidc/userinfo", "introspect_endpoint": "https://{{ oidcng_base_hostname }}/oidc/introspect", "jwks_uri": "https://{{ oidcng_base_hostname }}/oidc/certs", +{% if oidcng_device_flow | bool %} "device_authorization_endpoint": "https://{{ oidcng_base_hostname }}/oidc/device_authorization", +{% endif %} "response_types_supported": [ "code", "token", @@ -24,8 +26,10 @@ "authorization_code", "implicit", "refresh_token", - "client_credentials", - "urn:ietf:params:oauth:grant-type:device_code" +{% if oidcng_device_flow | bool %} + "urn:ietf:params:oauth:grant-type:device_code", +{% endif %} + "client_credentials" ], "subject_types_supported": [ "public", From adc48ff914af2cc3e89416b86b8a9f352e083a99 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Mon, 14 Oct 2024 19:30:21 +0200 Subject: [PATCH 09/59] oidcng: Make max heap configurable --- roles/oidcng/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/oidcng/tasks/main.yml b/roles/oidcng/tasks/main.yml index e45be0e38..fdd8834e8 100644 --- a/roles/oidcng/tasks/main.yml +++ b/roles/oidcng/tasks/main.yml @@ -108,7 +108,7 @@ - source: /opt/openconext/oidcng/__cacert_entrypoint.sh target: /__cacert_entrypoint.sh type: bind - command: "java -jar /app.jar -Xmx512m --spring.config.location=./config/" + command: "java -jar /app.jar -Xmx{{ oidcng_max_heapsize |default('512m')}} --spring.config.location=./config/" etc_hosts: host.docker.internal: host-gateway env: From 30af603cee6098b4767c779951f21523b5d8dc7d Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Fri, 18 Oct 2024 08:17:51 +0200 Subject: [PATCH 10/59] Part of https://github.com/OpenConext/OpenConext-Invite/issues/239 --- roles/invite/templates/serverapplication.yml.j2 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/invite/templates/serverapplication.yml.j2 b/roles/invite/templates/serverapplication.yml.j2 index 1a0a140a4..f643acca0 100644 
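Review bot: In the new `command:` line the heap option still follows `-jar /app.jar`, so `-Xmx{{ oidcng_max_heapsize |default('512m')}}` is handed to the Spring Boot application as a program argument rather than to the JVM; `java` only reads options that precede `-jar`, which means the newly configurable heap size has no effect. Reorder to `command: "java -Xmx{{ oidcng_max_heapsize | default('512m') }} -jar /app.jar --spring.config.location=./config/"`. The inline `default('512m')` would also sit better as `oidcng_max_heapsize: 512m` in roles/oidcng/defaults/main.yml, which this series already edits in patch 08.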
--- a/roles/invite/templates/serverapplication.yml.j2 +++ b/roles/invite/templates/serverapplication.yml.j2 @@ -153,6 +153,10 @@ external-api-configuration: password: "{{ invite.sp_dashboard_secret }}" scopes: - sp_dashboard + applications: + - manageId: {{ invite.sp_dashboard_manage_id }} + manageType: SAML20_SP + voot: group_urn_domain: "{{ invite.group_urn_domain }}" From a6a8bb50394451d6c5d2dfb1ae37b582d06cf226 Mon Sep 17 00:00:00 2001 From: Pieter van der Meulen Date: Fri, 18 Oct 2024 12:49:14 +0200 Subject: [PATCH 11/59] Fix YAML indenting error --- roles/stepupselfservice/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/stepupselfservice/tasks/main.yml b/roles/stepupselfservice/tasks/main.yml index 447d405c4..95cf4b559 100644 --- a/roles/stepupselfservice/tasks/main.yml +++ b/roles/stepupselfservice/tasks/main.yml @@ -81,4 +81,4 @@ - source: /opt/openconext/selfservice target: /var/www/html/config/openconext type: bind - register: selfservicecontainer + register: selfservicecontainer From 646c758e120ef2ba39ed17bf0f78f6451635585e Mon Sep 17 00:00:00 2001 From: Peter Havekes Date: Tue, 22 Oct 2024 08:50:28 +0200 Subject: [PATCH 12/59] Change path of database script to run inside docker container --- roles/stepupwebauthn/templates/01-webauthn-db_init.sh.j2 | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/roles/stepupwebauthn/templates/01-webauthn-db_init.sh.j2 b/roles/stepupwebauthn/templates/01-webauthn-db_init.sh.j2 index 8bc649e8a..f00ef5541 100644 --- a/roles/stepupwebauthn/templates/01-webauthn-db_init.sh.j2 +++ b/roles/stepupwebauthn/templates/01-webauthn-db_init.sh.j2 
@@ -1,7 +1,13 @@ #!/bin/bash +# +#### To run the database init inside the docker : +# sudo docker cp /root/01-webauthn-db_init.sh webauthn:/ +# sudo docker exec -it webauthn /bin/bash /01-webauthn-db_init.sh +#### +# #overwrite database settings for deploy export DATABASE_URL=mysql://{{ database_webauthn_deploy_user }}:{{ mysql_passwords.webauthndeploy }}@{{ webauthn_db_host }}:3306/{{ database_webauthn_name }} -cd {{ current_release_symlink }} +cd /var/www/html echo "Create database if not exists" {{ php_cli }} bin/console doctrine:database:create --if-not-exists echo "Create or migrate schema" From b3957e5bc9a112eee16594398cf3c4ff9092bc40 Mon Sep 17 00:00:00 2001 From: Peter Havekes Date: Tue, 22 Oct 2024 12:50:42 +0200 Subject: [PATCH 13/59] Change path and add checks to webauthn database script. Add docker instructions --- .../templates/01-webauthn-db_init.sh.j2 | 23 +++++++++++++------ 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/roles/stepupwebauthn/templates/01-webauthn-db_init.sh.j2 b/roles/stepupwebauthn/templates/01-webauthn-db_init.sh.j2 index f00ef5541..4f022728f 100644 --- a/roles/stepupwebauthn/templates/01-webauthn-db_init.sh.j2 +++ b/roles/stepupwebauthn/templates/01-webauthn-db_init.sh.j2 
@@ -1,15 +1,24 @@ #!/bin/bash # -#### To run the database init inside the docker : +### To run inside a runnig docker container # sudo docker cp /root/01-webauthn-db_init.sh webauthn:/ # sudo docker exec -it webauthn /bin/bash /01-webauthn-db_init.sh -#### # -#overwrite database settings for deploy -export DATABASE_URL=mysql://{{ database_webauthn_deploy_user }}:{{ mysql_passwords.webauthndeploy }}@{{ webauthn_db_host }}:3306/{{ database_webauthn_name }} cd /var/www/html echo "Create database if not exists" -{{ php_cli }} bin/console doctrine:database:create --if-not-exists +/var/www/html/bin/console doctrine:database:create --if-not-exists +if [ $? -eq 0 ] +then + echo "Done!" +else + echo "Database creation failed" + exit 1 +fi echo "Create or migrate schema" -{{ php_cli }} bin/console doctrine:migrations:migrate -echo "Done!" +/var/www/html/bin/console doctrine:migrations:migrate +then + echo "Done!" +else + echo "Database migration failed" + exit 1 +fi From 91f6c5ed1a02844fc611fd08f8dfd3dd80bfc08e Mon Sep 17 00:00:00 2001 From: Peter Havekes Date: Wed, 23 Oct 2024 09:44:27 +0200 Subject: [PATCH 14/59] Typo in webauthn migration script --- roles/stepupwebauthn/templates/01-webauthn-db_init.sh.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/stepupwebauthn/templates/01-webauthn-db_init.sh.j2 b/roles/stepupwebauthn/templates/01-webauthn-db_init.sh.j2 index 4f022728f..81a1ea893 100644 --- a/roles/stepupwebauthn/templates/01-webauthn-db_init.sh.j2 +++ b/roles/stepupwebauthn/templates/01-webauthn-db_init.sh.j2 @@ -16,6 +16,7 @@ else fi echo "Create or migrate schema" /var/www/html/bin/console doctrine:migrations:migrate +if [ $? -eq 0 ] then echo "Done!" else From 9c704b51618b324ee481198b701c300e5cfbb472 Mon Sep 17 00:00:00 2001 
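Review bot: `cd /var/www/html` is still unchecked while the two console invocations that follow now get explicit exit-status handling; if the directory is missing the script carries on in the caller's cwd and runs `/var/www/html/bin/console` against the wrong working tree. `cd /var/www/html || { echo "Missing /var/www/html"; exit 1; }` keeps that failure explicit, or `set -euo pipefail` at the top would make both `if [ $? -eq 0 ]` blocks unnecessary. `doctrine:migrations:migrate` also asks for confirmation on an interactive terminal, which the `docker exec -it` instruction in the header provides; `--no-interaction` makes the script behave the same whether or not a TTY is attached. The typo `runnig` in the new header comment could be fixed in the same pass.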
From: Thijs Kinkhorst Date: Wed, 23 Oct 2024 10:40:15 +0200 Subject: [PATCH 15/59] engine-api has a proper health endpoint now --- environments/template/group_vars/template.yml | 4 ++-- environments/vm/group_vars/vm.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/environments/template/group_vars/template.yml b/environments/template/group_vars/template.yml index 99256fab1..eedfe5226 100644 --- a/environments/template/group_vars/template.yml +++ b/environments/template/group_vars/template.yml @@ -23,7 +23,7 @@ attribute_aggregation_gui_version: "3.0.6" attribute_aggregation_server_version: "3.0.6" oidc_playground_client_version: "3.0.0" oidc_playground_server_version: "3.0.0" -engine_version: "6.9.1" +engine_version: "6.15.0" manage_gui_version: "7.3.3-SNAPSHOT" manage_server_version: "7.3.3-SNAPSHOT" lifecycle_version: "0.1.1" @@ -596,7 +596,7 @@ haproxy_applications: - name: engine_api vhost_name: engine-api.{{ base_domain }} ha_method: "GET" - ha_url: "/" + ha_url: "/health" port: "{{ loadbalancing.engine_api.port }}" servers: "{{php_servers}}" restricted: yes diff --git a/environments/vm/group_vars/vm.yml b/environments/vm/group_vars/vm.yml index 94868534a..b181c5e56 100644 --- a/environments/vm/group_vars/vm.yml +++ b/environments/vm/group_vars/vm.yml @@ -24,7 +24,7 @@ attribute_aggregation_gui_version: "3.0.6" attribute_aggregation_server_version: "3.0.6" oidc_playground_client_version: "3.0.0" oidc_playground_server_version: "3.0.0" -engine_version: "6.9.1" +engine_version: "6.15.0" manage_gui_version: "7.3.3-SNAPSHOT" manage_server_version: "7.3.3-SNAPSHOT" lifecycle_version: "0.1.1" @@ -498,7 +498,7 @@ haproxy_applications: - name: engine_api vhost_name: engine-api.{{ base_domain }} ha_method: "GET" - ha_url: "/" + ha_url: "/health" port: "{{ loadbalancing.engine_api.port }}" servers: "{{php_servers}}" From 9260a339dc367ca88322708fc32d2d3e81867517 Mon Sep 17 00:00:00 2001 
From: Okke Harsta Date: Fri, 25 Oct 2024 13:07:52 +0200 Subject: [PATCH 16/59] Removed eva_guest_account_duration --- .../metadata_configuration/provisioning.schema.json.j2 | 4 ---- 1 file changed, 4 deletions(-) diff --git a/roles/manage/templates/metadata_configuration/provisioning.schema.json.j2 b/roles/manage/templates/metadata_configuration/provisioning.schema.json.j2 index 4bd13f9e4..7557a69a1 100644 --- a/roles/manage/templates/metadata_configuration/provisioning.schema.json.j2 +++ b/roles/manage/templates/metadata_configuration/provisioning.schema.json.j2 @@ -112,10 +112,6 @@ "type": "string", "info": "The token of the EVA endpoint." }, - "eva_guest_account_duration": { - "type": "number", - "info": "The number of days the EVA guest account will be valid." - }, "graph_url": { "type": "string", "format": "url", From 59d2eba6b14b06d79bb05933de3a9b783e784448 Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Mon, 28 Oct 2024 10:45:30 +0100 Subject: [PATCH 17/59] Feature toggle for device flow --- roles/oidcng/templates/application.yml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/oidcng/templates/application.yml.j2 b/roles/oidcng/templates/application.yml.j2 index 03bba7150..f4595497c 100644 --- a/roles/oidcng/templates/application.yml.j2 +++ b/roles/oidcng/templates/application.yml.j2 @@ -50,9 +50,7 @@ certificate_path: file://{{ oidcng_config_dir }}/oidcsaml.crt default_acr_value: {{ oidcng.default_acr_value }} secure_cookie: true oidc_token_endpoint: https://connect.{{ base_domain }}/oidc/token -{% if oidcng_device_flow | bool %} device_verification_url: https://connect.{{ base_domain }}/oidc/verify -{% endif %} environment: {{ oidcng.environment }} features: 
@@ -63,6 +61,8 @@ features: enforce-scope-resource-server: false # Do we show consent if configured for a RP in manage consent-enabled: {{ oidcng.consent_enabled }} + # Do we allow for Device Authorization flow + oidcng_device_flow: {{ oidcng_device_flow }} sp: entity_id: {{ oidcng_saml_sp_entityid }} From d8fe9d5ee5b7ee3d6207a941a855b363b972f998 Mon Sep 17 00:00:00 2001 From: Peter Havekes Date: Tue, 29 Oct 2024 12:39:28 +0100 Subject: [PATCH 18/59] azure-mfa will be azuremfa --- roles/rsyslog/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/rsyslog/defaults/main.yml b/roles/rsyslog/defaults/main.yml index bf984f267..e0ae47861 100644 --- a/roles/rsyslog/defaults/main.yml +++ b/roles/rsyslog/defaults/main.yml @@ -10,3 +10,4 @@ stepupapps: - webauthn - tiqr - azure-mfa + - azuremfa From 7b624df2fedacd1ffe0eec47055a6fb5fc3aee8b Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Tue, 29 Oct 2024 15:56:37 +0100 Subject: [PATCH 19/59] Part of https://github.com/OpenConext/OpenConext-myconext/issues/534 --- roles/myconext/templates/application.yml.j2 | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2 index 1c555e1dc..9f1cf1474 100644 --- a/roles/myconext/templates/application.yml.j2 +++ b/roles/myconext/templates/application.yml.j2 @@ -164,6 +164,12 @@ oidc: sp-create-from-institution-redirect-url: https://mijn.{{ myconext_base_domain }}/myconext/api/sp/create-from-institution/oidc-redirect base-url: https://connect.{{ base_domain }} + +services-configuration: + # All entity identifiers from services we want to hide in the data & activity overview + hide_in_overview: + - playground_client + linked_accounts: # The duration that non validated-name linked accounts are valid - note that they are not removed and will still be used for EPPN Pseudonymisation expiry-duration-days-non-validated: 180 
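Review bot: The new feature key `oidcng_device_flow: {{ oidcng_device_flow }}` carries the Ansible variable name into the application's `features:` block, where every sibling key (`consent-enabled`, `enforce-scope-resource-server`) is kebab-case; if oidcng binds its features by a kebab-case property name, this key is silently ignored and the toggle does nothing. Confirm the property name oidcng actually reads and rename the key to match it. Note also that the first hunk of this commit makes `device_verification_url` unconditional while `openid-configuration.json.j2` (patch 08) still gates its device endpoints on the same variable; that is only coherent if the application enforces the toggle itself.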
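Review bot: `hide_in_overview` hard-codes `playground_client` in the template, whereas every other tunable in this file is read from `myconext.*` group vars; the list of hidden entity identifiers will therefore be identical for every environment deployed from this role, which looks unintended. Consider a `{% for id in myconext.hide_in_overview | default(['playground_client']) %}` loop over a group var, keeping the current value as the fallback.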
From 2ac1bd6b3ef60ddfabca6d8ba554440761e919c1 Mon Sep 17 00:00:00 2001 From: Thijs Kinkhorst Date: Wed, 6 Nov 2024 11:35:34 +0100 Subject: [PATCH 20/59] bump voot to 6.2.0 --- environments/template/group_vars/template.yml | 2 +- environments/vm/group_vars/vm.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/environments/template/group_vars/template.yml b/environments/template/group_vars/template.yml index eedfe5226..74f01d787 100644 --- a/environments/template/group_vars/template.yml +++ b/environments/template/group_vars/template.yml @@ -35,7 +35,7 @@ pdp_gui_version: "4.0.2" profile_version: "3.1.4" teams_gui_version: "9.1.3" teams_server_version: "9.1.3" -voot_version: "5.0.0" +voot_version: "6.2.0" myconext_server_version: "6.0.2" myconext_gui_version: "6.0.2" account_gui_version: "6.0.2" diff --git a/environments/vm/group_vars/vm.yml b/environments/vm/group_vars/vm.yml index b181c5e56..bc5d7486d 100644 --- a/environments/vm/group_vars/vm.yml +++ b/environments/vm/group_vars/vm.yml @@ -36,7 +36,7 @@ pdp_gui_version: "4.0.2" profile_version: "3.1.4" teams_gui_version: "9.1.3" teams_server_version: "9.1.3" -voot_version: "5.0.0" +voot_version: "6.2.0" myconext_server_version: "6.0.2" myconext_gui_version: "6.0.2" account_gui_version: "6.0.2" From 97ffff47aa7fb5ae4ef983a4e4ae4b7e9c306a66 Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Wed, 6 Nov 2024 15:25:45 +0100 Subject: [PATCH 21/59] Fixes https://github.com/OpenConext/OpenConext-manage/issues/449 --- roles/manage/templates/logback.xml.j2 | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/roles/manage/templates/logback.xml.j2 b/roles/manage/templates/logback.xml.j2 index f5ca6c7cb..d1df41a7a 100644 --- a/roles/manage/templates/logback.xml.j2 +++ b/roles/manage/templates/logback.xml.j2 @@ -1,7 +1,7 @@ #jinja2:lstrip_blocks: True - + %d{ISO8601} %5p [%t] %logger{40}:%L - %m%n 
@@ -15,8 +15,9 @@ {{ error_subject_prefix }}Unexpected error manage - - ERROR + + org.everit.json.schema.ValidationException + ERROR From 29a0766518b81894e4e412ce78e80f66e630e538 Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Thu, 7 Nov 2024 11:37:01 +0100 Subject: [PATCH 22/59] Forgot variable nudge_eduid_app_pause_days --- roles/myconext/templates/application.yml.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2 index 9f1cf1474..9746d5ce0 100644 --- a/roles/myconext/templates/application.yml.j2 +++ b/roles/myconext/templates/application.yml.j2 @@ -110,7 +110,8 @@ tiqr_hash_secret: "{{ myconext_tiqr_hash_secret }}" remember_me_max_age_seconds: 15_768_000 sso_mfa_duration_seconds: 3600 -nudge_eduid_app_days: {{ myconext.nudge_eduid_app_days }} +nudge_eduid_app_login_days: {{ myconext.nudge_eduid_app_login_days }} +nudge_eduid_app_pause_days: {{ myconext.nudge_eduid_app_pause_days }} remember_me_question_asked_days: {{ myconext.remember_me_question_asked_days }} email_guessing_sleep_millis: 500 email_spam_threshold_seconds: 15 From 986646e087699fc4be88c1e87b2237394f5ac553 Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Tue, 12 Nov 2024 13:49:32 +0100 Subject: [PATCH 23/59] Localicious https://github.com/OpenConext/OpenConext-myconext/issues/546 --- environments/vm/group_vars/vm.yml | 1 + roles/myconext/templates/application.yml.j2 | 3 +++ 2 files changed, 4 insertions(+) diff --git a/environments/vm/group_vars/vm.yml b/environments/vm/group_vars/vm.yml index bc5d7486d..e22fea2dd 100644 --- a/environments/vm/group_vars/vm.yml +++ b/environments/vm/group_vars/vm.yml 
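Review bot: The template now reads `myconext.nudge_eduid_app_login_days` and `myconext.nudge_eduid_app_pause_days`, but the commit touches only `roles/myconext/templates/application.yml.j2` (1 file changed) and the old `nudge_eduid_app_days` key the environments presumably still define is no longer referenced; unless the new keys are added out of band, rendering fails with an undefined attribute. Add both keys to the `myconext:` block in `environments/template/group_vars/template.yml` and `environments/vm/group_vars/vm.yml` (patches 23 and 30 in this series edit exactly that block) together with this rename.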
@@ -310,6 +310,7 @@ myconext: feature_warning_educational_email_domain: false feature_id_verify: true feature_remote_creation_api: true + feature_send_js_exceptions: true feature_deny_disposable_email_providers: true feature_create_eduid_institution_enabled: true feature_create_eduid_institution_landing: true diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2 index 9746d5ce0..2502621b8 100644 --- a/roles/myconext/templates/application.yml.j2 +++ b/roles/myconext/templates/application.yml.j2 @@ -36,6 +36,7 @@ springdoc: email: from: eduID + error_mail: info@surfconext.nl magic-link-url: https://login.{{ myconext_base_domain }}/saml/guest-idp/magic my-surfconext-url: https://mijn.{{ myconext_base_domain }} idp-surfconext-url: https://login.{{ myconext_base_domain }} @@ -100,6 +101,8 @@ feature: id_verify: {{ myconext.feature_id_verify}} # Do we support the remote creation API (e.g. for studielink) remote_creation_api: {{ myconext.feature_remote_creation_api }} + # Do we send error mails for reported errors by the JS UI + send_js_exceptions: {{ myconext.feature_send_js_exceptions }} secure_cookie: true From 9b1ccfe7539660177810a7cbf1789871d25fe43c Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Thu, 14 Nov 2024 15:30:32 +0100 Subject: [PATCH 24/59] DIYIDP: Make the role compatible with the new mariadb docker --- roles/diyidp/defaults/main.yml | 2 ++ roles/diyidp/tasks/main.yml | 3 +-- roles/diyidp/templates/config-override.php.j2 | 4 ++-- roles/diyidp/templates/saml20-idp-hosted.php.j2 | 2 +- 4 files changed, 6 insertions(+), 5 deletions(-) diff --git a/roles/diyidp/defaults/main.yml b/roles/diyidp/defaults/main.yml index 5fe652520..f2e8ca303 100644 --- a/roles/diyidp/defaults/main.yml +++ b/roles/diyidp/defaults/main.yml 
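Review bot: `error_mail: info@surfconext.nl` bakes an operator-specific mailbox into a role template, while the same hunk's sibling `send_js_exceptions` is correctly sourced from `{{ myconext.feature_send_js_exceptions }}`; every other deployment of this role would send its JS error reports to that address. Make it `error_mail: "{{ myconext.error_mail }}"` and set the value in the environment group_vars next to `feature_send_js_exceptions`.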
@@ -14,3 +14,5 @@ diyidp_remotesp: - name: "{{ instance_name }} SP metadata" metadataurl: "https://engine.{{ base_domain }}/authentication/sp/metadata" acslocation: "https://engine.{{ base_domain }}/authentication/sp/consume-assertion" +diyidp_docker_networks: + - name: "loadbalancer" diff --git a/roles/diyidp/tasks/main.yml b/roles/diyidp/tasks/main.yml index 0688ddfe7..4f16c2423 100644 --- a/roles/diyidp/tasks/main.yml +++ b/roles/diyidp/tasks/main.yml @@ -74,8 +74,7 @@ pull: true restart_policy: "always" state: started - networks: - - name: "loadbalancer" + networks: "{{ diyidp_docker_networks }}" labels: traefik.http.routers.diyidp.rule: "Host(`{{ diyidp_domain }}`)" traefik.http.routers.diyidp.tls: "true" diff --git a/roles/diyidp/templates/config-override.php.j2 b/roles/diyidp/templates/config-override.php.j2 index 7418d5bfa..41d4b3b76 100644 --- a/roles/diyidp/templates/config-override.php.j2 +++ b/roles/diyidp/templates/config-override.php.j2 @@ -2,5 +2,5 @@ $config['certdir'] = 'config/cert/'; $config['metadatadir'] = 'config/metadata/'; $config['auth.adminpassword'] = '{{ diyidp.admin_password }}'; -$config['baseurlpath'] = 'https://diyidp.{{ base_domain }}/'; -$config['theme.use'] = '{{ diyidp.theme |default("default") }}'; +$config['baseurlpath'] = 'https://{{ diyidp_domain }}/'; +$config['theme.use'] = '{{ diyidp_theme |default("default") }}'; diff --git a/roles/diyidp/templates/saml20-idp-hosted.php.j2 b/roles/diyidp/templates/saml20-idp-hosted.php.j2 index 6b8577f55..c741bce77 100644 --- a/roles/diyidp/templates/saml20-idp-hosted.php.j2 +++ b/roles/diyidp/templates/saml20-idp-hosted.php.j2 @@ -5,7 +5,7 @@ * See: https://rnd.feide.no/content/idp-hosted-metadata-reference */ -$metadata['https://diyidp.{{ base_domain}}'] = array( +$metadata['https://{{ diyidp_domain}}'] = array( /* * The hostname of the server (VHOST) that will use this SAML entity. * From 33333586b8d721cb5225e4afbf6f6b86c1374399 Mon Sep 17 00:00:00 2001 
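Review bot: The rewritten `theme.use` line switches from the `diyidp.theme` dictionary key to a flat `diyidp_theme` variable, while the unchanged `auth.adminpassword` line directly above still reads `diyidp.admin_password`; mixing the two conventions in a five-line file makes it easy to define the theme under the old key and silently fall back to `default`. Pick one convention for the role, or document in roles/diyidp/defaults/main.yml which variables are flat (`diyidp_domain`, `diyidp_theme`, `diyidp_docker_networks`) and which live under `diyidp.`. The `{{ diyidp_domain}}` in saml20-idp-hosted.php.j2 is also missing the space before `}}` used everywhere else.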
From: Bart Geesink Date: Thu, 14 Nov 2024 15:39:03 +0100 Subject: [PATCH 25/59] PDP: Make the push test mode configurable in stead of hard coded true --- roles/pdp/defaults/main.yml | 1 + roles/pdp/templates/serverapplication.properties.j2 | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/pdp/defaults/main.yml b/roles/pdp/defaults/main.yml index 272c9240e..4f548db6a 100644 --- a/roles/pdp/defaults/main.yml +++ b/roles/pdp/defaults/main.yml @@ -20,3 +20,4 @@ pdp_manage_provision_samlsp_sp_cert: "" pdp_manage_provision_samlsp_trusted_proxy: false pdp_manage_provision_samlsp_sign: false pdp_spring_flyway_enabled: true +pdp_manage_push_testmode: true diff --git a/roles/pdp/templates/serverapplication.properties.j2 b/roles/pdp/templates/serverapplication.properties.j2 index 0c4eee93f..27fd45f51 100644 --- a/roles/pdp/templates/serverapplication.properties.j2 +++ b/roles/pdp/templates/serverapplication.properties.j2 @@ -58,7 +58,7 @@ manage.password={{ manage_pdp_secret }} period.manage.refresh.minutes=10 manage.manageBaseUrl=https://manage.{{ base_domain }} # If true the manage push is done against the pdp_migrated_policies for testing purposes -manage.pushTestMode=true +manage.pushTestMode={{ pdp_manage_push_testmode }} # Number of days how long the policy violations are retained policy.violation.retention.period.days=30 From d0af493ad581115793ce50bff0cc96d0969cc1e3 Mon Sep 17 00:00:00 2001 From: Thijs Kinkhorst Date: Fri, 15 Nov 2024 15:46:31 +0100 Subject: [PATCH 26/59] Add sp-specific metadata checkbox also to RPs Although it makes less natural sense than for SAML SPs (since the generated metadata is SAML), some consumers may have an interest in this metadata for their purposes. --- .../metadata_configuration/oidc10_rp.schema.json.j2 | 5 +++++ 1 file changed, 5 insertions(+) 
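Review bot: `pdp_manage_push_testmode: true` keeps the previously hard-coded value as the role default, so a deployment that never overrides it still pushes against `pdp_migrated_policies` — the properties comment describes that mode as being "for testing purposes", which makes `true` a surprising default for a role that also serves production. If compatibility with the old hard-coded value is not required, default it to `false` and override to `true` where the migration test is wanted; otherwise add a comment in defaults/main.yml saying why test mode is on by default. Jinja renders the Ansible boolean as `manage.pushTestMode=True`, which Spring's boolean conversion accepts, but `{{ pdp_manage_push_testmode | lower }}` yields the canonical `true`.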
diff --git a/roles/manage/templates/metadata_configuration/oidc10_rp.schema.json.j2 b/roles/manage/templates/metadata_configuration/oidc10_rp.schema.json.j2 index 08e6903e7..31386095d 100644 --- a/roles/manage/templates/metadata_configuration/oidc10_rp.schema.json.j2 +++ b/roles/manage/templates/metadata_configuration/oidc10_rp.schema.json.j2 @@ -328,6 +328,11 @@ "type": "number", "info": "The height of the logo found at logo:0:url in pixels." }, + "coin:sp_specific_metadata": { + "type": "boolean", + "default": false, + "info": "Publish SP-specific metadata containing only whitelisted IdPs." + }, "coin:push_enabled": { "type": "boolean", "default": false, From ccca7aadc91769597d61b370777517cc4b6548ee Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Tue, 19 Nov 2024 13:31:51 +0100 Subject: [PATCH 27/59] Disable performance-seed --- roles/invite/templates/serverapplication.yml.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/invite/templates/serverapplication.yml.j2 b/roles/invite/templates/serverapplication.yml.j2 index f643acca0..aa04da69e 100644 --- a/roles/invite/templates/serverapplication.yml.j2 +++ b/roles/invite/templates/serverapplication.yml.j2 @@ -119,6 +119,7 @@ config: feature: limit-institution-admin-role-visibility: {{ invite.limit_institution_admin_role_visibility }} + enable-performance-seed: False # We don't encode in-memory passwords, but they are reused so do NOT prefix them with {noop} external-api-configuration: From 708a6be0fbc34971439c5a4604570654b5e928cb Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Tue, 19 Nov 2024 14:48:06 +0100 Subject: [PATCH 28/59] Do not allow for seed-generation other than localhost --- roles/invite/templates/serverapplication.yml.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/invite/templates/serverapplication.yml.j2 b/roles/invite/templates/serverapplication.yml.j2 index aa04da69e..394eaaaf1 100644 --- a/roles/invite/templates/serverapplication.yml.j2 
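Review bot: `enable-performance-seed: False` writes a Python-style boolean into the YAML template; YAML 1.1 loaders accept `False` as a boolean, so it works, but the canonical form is lowercase `false`, and a literal that never varies per environment belongs in the role defaults rather than typed by hand in the template. The same `False` literal is added by `performance-seed-allowed: False` in patch 28 (replaced with a variable in patch 29). Use `enable-performance-seed: false` here.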
+++ b/roles/invite/templates/serverapplication.yml.j2 @@ -115,6 +115,7 @@ config: eduid-entity-id: "https://login.{{ myconext_base_domain }}" role-search-required: false past-date-allowed: {{ invite.past_date_allowed }} + performance-seed-allowed: False eduid-idp-schac-home-organization: {{ invite.eduid_idp_schac_home_organization }} feature: From 9cf8c6311311418929720efc579103f00e669b1f Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Tue, 26 Nov 2024 10:32:05 +0100 Subject: [PATCH 29/59] Allow for performance seed invite on test2 --- roles/invite/templates/serverapplication.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/invite/templates/serverapplication.yml.j2 b/roles/invite/templates/serverapplication.yml.j2 index 394eaaaf1..fc9259765 100644 --- a/roles/invite/templates/serverapplication.yml.j2 +++ b/roles/invite/templates/serverapplication.yml.j2 @@ -115,7 +115,7 @@ config: eduid-entity-id: "https://login.{{ myconext_base_domain }}" role-search-required: false past-date-allowed: {{ invite.past_date_allowed }} - performance-seed-allowed: False + performance-seed-allowed: {{ invite.performance_seed_allowed }} eduid-idp-schac-home-organization: {{ invite.eduid_idp_schac_home_organization }} feature: From fff42d10e02bf3df41cabf258d20ade51422e9a7 Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Tue, 26 Nov 2024 14:40:30 +0100 Subject: [PATCH 30/59] Added missing feature_send_js_exceptions: true --- environments/template/group_vars/template.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/environments/template/group_vars/template.yml b/environments/template/group_vars/template.yml index 74f01d787..3374a4b90 100644 --- a/environments/template/group_vars/template.yml +++ b/environments/template/group_vars/template.yml 
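Review bot: `performance-seed-allowed: {{ invite.performance_seed_allowed }}` introduces a required group var, but the commit changes only the template (1 file changed); `environments/template/group_vars/template.yml` and `environments/vm/group_vars/vm.yml`, which presumably hold the other `invite.*` values, are not updated, so rendering fails wherever the key is absent unless it was added out of band. Add the key to both environment files, or write `{{ invite.performance_seed_allowed | default(false) }}` so the previous `False` remains the fallback.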
@@ -419,6 +419,7 @@ myconext: feature_show_connections: false feature_id_verify: true feature_remote_creation_api: true + feature_send_js_exceptions: true feature_deny_disposable_email_providers: true feature_create_eduid_institution_enabled: true feature_create_eduid_institution_landing: true From 18a32b90fbc20a75721b79f4f798fbbb9ad280e6 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Tue, 26 Nov 2024 20:56:15 +0100 Subject: [PATCH 31/59] DIYIDP: Only create docker mariadb network when the boolean mariadb_in_docker has been set to true --- roles/diyidp/tasks/main.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/roles/diyidp/tasks/main.yml b/roles/diyidp/tasks/main.yml index 4f16c2423..f4e90ff64 100644 --- a/roles/diyidp/tasks/main.yml +++ b/roles/diyidp/tasks/main.yml @@ -67,6 +67,13 @@ mode: "0644" notify: restart diyidp +- name: Add the mariadb docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + diyidp_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool + - name: Create the container community.docker.docker_container: name: diyidp From e26e50553ba8aa698468e11e5abbde6fe66d9bb9 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Thu, 14 Nov 2024 14:38:17 +0100 Subject: [PATCH 32/59] Add small Mongo docker role, for running on a single node --- provision.yml | 6 ++ roles/mongodbdocker/defaults/main.yml | 2 + roles/mongodbdocker/tasks/main.yml | 87 +++++++++++++++++++ .../templates/backup_mongo.pl.j2 | 37 ++++++++ 4 files changed, 132 insertions(+) create mode 100644 roles/mongodbdocker/defaults/main.yml create mode 100644 roles/mongodbdocker/tasks/main.yml create mode 100644 roles/mongodbdocker/templates/backup_mongo.pl.j2 diff --git a/provision.yml b/provision.yml index 5a21697c3..4d292a291 100644 --- a/provision.yml +++ b/provision.yml 
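Review bot: The `set_fact` restates the whole `diyidp_docker_networks` list (`loadbalancer` plus `openconext_mariadb`) rather than extending the role default, so a later change to the default list is silently lost on hosts where `mariadb_in_docker` is true. Appending keeps the two in sync: `diyidp_docker_networks: "{{ diyidp_docker_networks + [{'name': 'openconext_mariadb'}] }}"` (the diyidp default is not in this diff, so confirm it is defined). The same restated-list pattern appears for `manage_docker_networks`, `myconext_docker_networks` and `oidcng_docker_networks` in the manage, myconext and oidcng `tasks/main.yml` hunks later in this series.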
@@ -189,5 +189,11 @@ - { role: lifecycle, tags: ["lifecycle"] } - { role: stepuptiqr, tags: ['stepuptiqr' , 'stepup'] } +- hosts: docker_mariadb + become: true + roles: + - { role: mariadbdocker, tags: ['mariadbdocker']} + - { role: mongodbdocker, tags: ['mongodbdocker']} + - import_playbook: "{{ environment_dir }}/playbook.yml" diff --git a/roles/mongodbdocker/defaults/main.yml b/roles/mongodbdocker/defaults/main.yml new file mode 100644 index 000000000..c0095f38b --- /dev/null +++ b/roles/mongodbdocker/defaults/main.yml @@ -0,0 +1,2 @@ +replica_set_name: "{{ instance_name }}" +docker_mongodb_network_range: "172.21.22.0/24" diff --git a/roles/mongodbdocker/tasks/main.yml b/roles/mongodbdocker/tasks/main.yml new file mode 100644 index 000000000..fcc667d54 --- /dev/null +++ b/roles/mongodbdocker/tasks/main.yml 
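Review bot: The new play is keyed on `hosts: docker_mariadb` but also applies `mongodbdocker`, so every host in the MariaDB group will get a MongoDB container whether or not it needs one; a separate group (or a `when:` on the mongo role) would keep the two deployable independently. As a style point, the new entries `{ role: mariadbdocker, tags: ['mariadbdocker']}` omit the space before `}` and use single quotes, unlike the surrounding `- { role: lifecycle, tags: ["lifecycle"] }` lines.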
@@ -0,0 +1,87 @@ +--- +- name: Install required packages + ansible.builtin.apt: + name: "python3-pymongo" + state: present + +- name: Create MongoDB volume + community.docker.docker_volume: + name: openconext_mongodb + state: present + +- name: Create MongoDB network + community.docker.docker_network: + name: openconext_mongodb + state: present + internal: false + ipam_config: + - subnet: "{{ docker_mongodb_network_range }}" + +- name: Create the MongoDB container + community.docker.docker_container: + name: openconext_mongodb + image: bitnami/mongodb:7.0 + state: started + pull: true + restart_policy: "always" + ports: "127.0.0.1:27017:27017" + networks: + - name: "openconext_mongodb" + mounts: + - type: volume + source: openconext_mongodb + target: /var/lib/mysql + - type: bind + source: /home/backup/mongo/ + target: /home/backup + env: + MONGODB_ROOT_USER: admin + MONGODB_ROOT_PASSWORD: "{{ mongo_admin_password }}" + MONGODB_REPLICA_SET_NAME: "{{ replica_set_name }}" + MONGODB_REPLICA_SET_MODE: primary + MONGODB_REPLICA_SET_KEY: "{{ mongodb_replicateset_key }}" + MONGODB_ADVERTISED_HOSTNAME: openconext_mongodb + volumes: + - openconext_mongodb:/bitnami/mongodb + hostname: openconext_mongodb + +- name: Create mongo database users + community.mongodb.mongodb_user: + login_database: admin + database: "{{ item.db_name }}" + login_user: admin + login_password: "{{ mongo_admin_password }}" + login_host: 127.0.0.1 + name: "{{ item.name }}" + password: "{{ item.password }}" + roles: readWrite + replica_set: "{{ replica_set_name }}" + strict_compatibility: false + no_log: false + run_once: true + with_items: "{{ mongo.users }}" + changed_when: false + tags: mongo_users + +- name: Create the backupdir + ansible.builtin.file: + path: /home/backup/mongo + owner: 1001 + group: 1001 + mode: "0700" + +- name: Install the backup script + ansible.builtin.template: + src: "backup_mongo.pl.j2" + dest: "/usr/local/sbin/backup_mongo.pl" + mode: "0700" + owner: root + group: root + 
+- name: Create cron symlink for backup script + ansible.builtin.file: + src: "/usr/local/sbin/backup_mongo.pl" + dest: "/etc/cron.daily/mongodb_backup" + state: link + mode: "0700" + owner: root diff --git a/roles/mongodbdocker/templates/backup_mongo.pl.j2 b/roles/mongodbdocker/templates/backup_mongo.pl.j2 new file mode 100644 index 000000000..c8e014742 --- /dev/null +++ b/roles/mongodbdocker/templates/backup_mongo.pl.j2 @@ -0,0 +1,37 @@ +#!/usr/bin/perl +# Variables + +$backupdir = "/home/backup"; +$username = "admin"; +$password = "{{ mongo_admin_password }}"; + +umask 0077; + +# Determine current day +$day = `/bin/date +'%a'`; +chomp($day); + +# Remove old backups if exists +if ( -e "$backupdir/mongo-dump-$day/") { +`rm -rf $backupdir/mongo-dump-$day/`; +} + +# Dump databases +`docker exec openconext_mongodb mongodump --username $username --password $password --authenticationDatabase admin --out $backupdir/mongo-dump-$day`; + +# Gzip dumps +opendir(BDIR, "$backupdir/mongo-dump-$day/"); +my @files = readdir(BDIR); +closedir(BDIR); +chdir("$backupdir/mongo-dump-$day/"); +foreach $dir (@files) { +if ($dir !~ /^\.+$/) { +if ($dir !~ /\.\./g) { +if ( -d "$backupdir/mongo-dump-$day/$dir") { +`tar -cvzf $backupdir/mongo-dump-$day/$dir.tar.gz $dir/`; +`rm -rf $backupdir/mongo-dump-$day/$dir/`; +} +} +} +} +umask 0022; From 268fc153390a206f79afd3869cf5f1cb41dce9ef Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Tue, 26 Nov 2024 21:54:54 +0100 Subject: [PATCH 33/59] Manage: make it possible to connect to a locally available mongo in docker --- roles/manage/defaults/main.yml | 7 +++++-- roles/manage/tasks/main.yml | 10 ++++++++-- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/roles/manage/defaults/main.yml b/roles/manage/defaults/main.yml index ef5c4271d..bc41cd266 100644 --- a/roles/manage/defaults/main.yml +++ b/roles/manage/defaults/main.yml 
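Review bot: The `Create mongo database users` task sets `no_log: false` while passing `login_password` and each `{{ item.password }}` from `mongo.users`, so every database credential is printed in the task output on verbose runs; change it to `no_log: true` (use `loop_control` with `label: "{{ item.name }}"` if per-user visibility is wanted). In the container task, the `mounts` entry attaches the `openconext_mongodb` volume at `/var/lib/mysql`, a MariaDB path MongoDB never reads, while the same volume is already mounted at `/bitnami/mongodb` under `volumes:`; the `mounts` entry looks like a copy-paste leftover and should be dropped. `changed_when: false` on the user task also hides genuine password changes from the play recap.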
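Review bot: The rendered script embeds the admin password in the `mongodump` command line (`--password $password`), so it is exposed in the process list for the duration of the dump, and because the value is interpolated into backticks unquoted, a password containing shell metacharacters breaks or alters the command. `mongodump` can read the password from a file through its `--config` option, and the container already holds the secret as `MONGODB_ROOT_PASSWORD`, so the value need not appear in the rendered script at all. The script also removes the previous `mongo-dump-$day` before running `mongodump` and never checks its exit status, so a failed dump leaves that weekday with no backup; dump into a temporary directory and replace the old one only when the command returns zero.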
@@ -1,8 +1,8 @@ --- manage_dir: /config/ -manage_snapshot_timestamp: '' +manage_snapshot_timestamp: "" manage_jar: manage-current.jar -manage_random_source: 'file:///dev/urandom' +manage_random_source: "file:///dev/urandom" manage_cronjobmaster: false manage_disclaimer_background_color: "{{ environment_ribbon_colour }}" manage_disclaimer_content: "{{ environment_shortname }}" @@ -30,3 +30,6 @@ manage_tabs_enabled: - single_tenant_template - provisioning - sram + +manage_docker_networks: + - name: loadbalancer diff --git a/roles/manage/tasks/main.yml b/roles/manage/tasks/main.yml index 9a4132c42..3ab287de4 100644 --- a/roles/manage/tasks/main.yml +++ b/roles/manage/tasks/main.yml @@ -72,6 +72,13 @@ notify: - "restart manageserver" +- name: Add the mongodb docker network to the list of networks when MongoDB runs in Docker + ansible.builtin.set_fact: + manage_docker_networks: + - name: loadbalancer + - name: openconext_mongodb + when: mongodb_in_docker | default(false) | bool + - name: Create and start the server container community.docker.docker_container: name: manageserver @@ -80,8 +87,7 @@ pull: true restart_policy: "always" state: started - networks: - - name: "loadbalancer" + networks: "{{ manage_docker_networks }}" mounts: - source: /opt/openconext/manage/ target: /config/ From 053df90b31706cfbc536307c43b28550fc1883fb Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Tue, 26 Nov 2024 21:56:38 +0100 Subject: [PATCH 34/59] Myconext: make it possible to connect to a locally available mongo in docker --- roles/myconext/defaults/main.yml | 2 ++ roles/myconext/tasks/main.yml | 14 ++++++++++---- roles/myconext/templates/application.yml.j2 | 2 +- 3 files changed, 13 insertions(+), 5 deletions(-) diff --git a/roles/myconext/defaults/main.yml b/roles/myconext/defaults/main.yml index 2fa088e32..4082fa28d 100644 --- a/roles/myconext/defaults/main.yml +++ b/roles/myconext/defaults/main.yml 
@@ -1,2 +1,4 @@ --- myconext_cronjobmaster: true +myconext_docker_networks: + - name: loadbalancer diff --git a/roles/myconext/tasks/main.yml b/roles/myconext/tasks/main.yml index c5d424713..167b35523 100644 --- a/roles/myconext/tasks/main.yml +++ b/roles/myconext/tasks/main.yml @@ -56,7 +56,7 @@ notify: - "restart myconextserver" -- name: copy / create private key +- name: Copy / create private key ansible.builtin.copy: content: "{{ myconext_private_key }}" dest: "/opt/openconext/myconext/myconext_saml.key" @@ -66,7 +66,7 @@ notify: - "restart myconextserver" -- name: copy / create certificate +- name: Copy / create certificate ansible.builtin.copy: src: "{{ inventory_dir }}/files/certs/myconext/myconext_saml.crt" dest: "/opt/openconext/myconext/myconext_saml.crt" @@ -92,6 +92,13 @@ group: "root" mode: "0755" +- name: Add the mongodb docker network to the list of networks when MongoDB runs in Docker + ansible.builtin.set_fact: + myconext_docker_networks: + - name: loadbalancer + - name: openconext_mongodb + when: mongodb_in_docker | default(false) | bool + - name: Create and start the server container community.docker.docker_container: name: myconextserver @@ -102,8 +109,7 @@ env: USE_SYSTEM_CA_CERTS: "1" TZ: "{{ timezone }}" - networks: - - name: "loadbalancer" + networks: "{{ myconext_docker_networks }}" mounts: - source: /opt/openconext/myconext/ target: /config/ diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2 index 2502621b8..081a8196e 100644 --- a/roles/myconext/templates/application.yml.j2 +++ b/roles/myconext/templates/application.yml.j2 
@@ -215,7 +215,7 @@ verify: spring: data: mongodb: - uri: mongodb://{{ myconext.mongo_user }}:{{ myconext.mongo_password }}@{% for host in groups['mongo_servers'] %}{{ hostvars[host]['inventory_hostname'] }}:{{ myconext.mongo_port }}{% if not loop.last %},{% endif %}{% endfor %}/{{ myconext.mongo_database }}?ssl=true + uri: mongodb://{{ myconext.mongo_user }}:{{ myconext.mongo_password }}@{% for host in groups['mongo_servers'] %}{{ hostvars[host]['inventory_hostname'] }}:{{ myconext.mongo_port }}{% if not loop.last %},{% endif %}{% endfor %}/{{ myconext.mongo_database }}?ssl={{ mongodb_ssl | default('true') }} mail: host: {{ smtp_server }} From 6a0d3e1765a7cd41d470283d61e70e8dd32ba561 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Tue, 26 Nov 2024 21:57:12 +0100 Subject: [PATCH 35/59] OIDCNG: make it possible to connect to a locally available mongo in docker --- roles/oidcng/defaults/main.yml | 7 ++++--- roles/oidcng/tasks/main.yml | 13 ++++++++----- roles/oidcng/templates/application.yml.j2 | 2 +- 3 files changed, 13 insertions(+), 9 deletions(-) diff --git a/roles/oidcng/defaults/main.yml b/roles/oidcng/defaults/main.yml index cc444fba4..44641c6c1 100644 --- a/roles/oidcng/defaults/main.yml +++ b/roles/oidcng/defaults/main.yml @@ -1,8 +1,8 @@ --- oidcng_dir: /opt/openconext/oidcng oidcng_config_dir: /config -oidcng_version: '' -oidcng_snapshot_timestamp: '' +oidcng_version: "" +oidcng_snapshot_timestamp: "" oidcng_cronjobmaster: true oidcng_saml_sp_entityid: https://connect.{{ base_domain }} oidcng_idp_metadata_url: https://engine.{{ base_domain }}/authentication/idp/metadata @@ -19,4 +19,5 @@ oidcng_manage_provision_samlsp_metadata_url: "https://connect.{{ base_domain }}/ oidcng_manage_provision_samlsp_sp_cert: "{{ lookup('file', '{{ inventory_dir }}/files/certs/oidc/oidcsaml.crt') | depem }}" oidcng_manage_provision_samlsp_sign: "True" oidcng_manage_provision_samlsp_trusted_proxy: "True" - +oidcng_docker_networks: + - name: loadbalancer 
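Review bot: `?ssl={{ mongodb_ssl | default('true') }}` interpolates the variable verbatim, so a boolean `mongodb_ssl: false` renders as `?ssl=False` and any other value goes straight into the connection string, which the driver may not accept; normalise it as `?ssl={{ mongodb_ssl | default(true) | bool | to_json }}` so the output is always lowercase `true`/`false`. Because this one variable now switches TLS off for every MongoDB consumer, its definition deserves a comment stating that it is meant only for the docker-internal network. The identical change in the oidcng `application.yml.j2` hunk further on has the same issue.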
diff --git a/roles/oidcng/tasks/main.yml b/roles/oidcng/tasks/main.yml index fdd8834e8..fa35fac7c 100644 --- a/roles/oidcng/tasks/main.yml +++ b/roles/oidcng/tasks/main.yml @@ -88,6 +88,13 @@ group: "root" mode: "0755" +- name: Add the mongodb docker network to the list of networks when MongoDB runs in Docker + ansible.builtin.set_fact: + oidcng_docker_networks: + - name: loadbalancer + - name: openconext_mongodb + when: mongodb_in_docker | default(false) | bool + - name: Create and start the server container community.docker.docker_container: name: oidcngserver @@ -96,8 +103,7 @@ pull: true restart_policy: "always" state: started - networks: - - name: "loadbalancer" + networks: "{{ oidcng_docker_networks }}" mounts: - source: "{{ oidcng_dir }}" target: /config/ @@ -137,9 +143,6 @@ traefik.http.middlewares.oidcngmw.replacepathregex.regex: "^/.well-known/openid-configuration" traefik.http.middlewares.oidcngmw.replacepathregex.replacement: "/oidc/.well-known/openid-configuration" register: oidcngservercontainer - - - #- name: Include the role manage_provision_entities to provision oidncg to Manage # ansible.builtin.include_role: # name: manage_provision_entities diff --git a/roles/oidcng/templates/application.yml.j2 b/roles/oidcng/templates/application.yml.j2 index f4595497c..c4f4d58d6 100644 --- a/roles/oidcng/templates/application.yml.j2 +++ b/roles/oidcng/templates/application.yml.j2 
@@ -76,7 +76,7 @@ idp: spring: data: mongodb: - uri: "mongodb://{{ oidcng.mongo_user }}:{{ oidcng.mongo_password }}@{% for host in groups['mongo_servers'] %}{{ hostvars[host]['inventory_hostname'] }}:{{ oidcng.mongo_port }}{% if not loop.last %},{% endif %}{%endfor %}/{{ oidcng.mongo_database }}?ssl=true" + uri: "mongodb://{{ oidcng.mongo_user }}:{{ oidcng.mongo_password }}@{% for host in groups['mongo_servers'] %}{{ hostvars[host]['inventory_hostname'] }}:{{ oidcng.mongo_port }}{% if not loop.last %},{% endif %}{%endfor %}/{{ oidcng.mongo_database }}?ssl={{ mongodb_ssl | default('true') }}" thymeleaf: cache: true From d02b582f6c3284bdde3995534e9adebb789e201c Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Fri, 25 Oct 2024 16:21:41 +0200 Subject: [PATCH 36/59] Engineblock: Move to docker --- provision.yml | 5 +- roles/engineblock/defaults/main.yml | 4 +- roles/engineblock/handlers/main.yml | 6 + roles/engineblock/tasks/main.yml | 375 +++++++----------- roles/engineblock/templates/parameters.yml.j2 | 18 +- roles/engineblock/vars/docker.yml | 3 + 6 files changed, 169 insertions(+), 242 deletions(-) create mode 100644 roles/engineblock/vars/docker.yml diff --git a/provision.yml b/provision.yml index 5a21697c3..90b4bfcfb 100644 --- a/provision.yml +++ b/provision.yml @@ -98,10 +98,6 @@ tags: ['app_php', 'static'] - role: openconext-common tags: ['core', 'app_php', 'eb', 'profile'] - - role: engineblock - when: - - inventory_hostname not in groups['lifecycle'] - tags: ['core', 'app_php', 'eb'] - role: lifecycle when: - inventory_hostname in groups['lifecycle'] @@ -187,6 +183,7 @@ - { role: diyidp, tags: ["diyidp"] } - { role: profile, tags: ["profile"] } - { role: lifecycle, tags: ["lifecycle"] } + - { role: engineblock, tags: ["eb"] } - { role: stepuptiqr, tags: ['stepuptiqr' , 'stepup'] } - import_playbook: "{{ environment_dir }}/playbook.yml" diff --git a/roles/engineblock/defaults/main.yml b/roles/engineblock/defaults/main.yml index 389247a44..1ab26ffcc 100644 
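Review bot: Moving `engineblock` into the docker play narrows its tags from `['core', 'app_php', 'eb']` to `["eb"]` and drops the `when: inventory_hostname not in groups['lifecycle']` guard, so a deploy run with `--tags core` no longer touches EngineBlock and the role now runs on every host of that play. If the narrower tag set is intended the commit message should say so; otherwise `tags: ["core", "eb"]` preserves the existing operator workflow.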
--- a/roles/engineblock/defaults/main.yml +++ b/roles/engineblock/defaults/main.yml @@ -1,4 +1,3 @@ -#--- ## Version of EngineBlock that is installable by this role engine_version: '' # Be aware that if you enable this option that NPM, Node.js and Composer are installed @@ -13,7 +12,6 @@ engine_feature_enable_sso_session_cookie: 0 engine_feature_enable_consent: 1 engine_feature_stepup_override_entityid: 0 engine_feature_idp_initiated_flow: 1 - engine_api_feature_metadata_push: 1 engine_api_feature_consent_listing: 1 engine_api_feature_consent_remove: 0 @@ -128,3 +126,5 @@ engineblock_selenium_install_dir: /opt # Composer composer_path: /usr/local/bin/composer + +engineblock_log_attributes: [] diff --git a/roles/engineblock/handlers/main.yml b/roles/engineblock/handlers/main.yml index 8a2235003..ee9e9e1e8 100644 --- a/roles/engineblock/handlers/main.yml +++ b/roles/engineblock/handlers/main.yml @@ -3,3 +3,9 @@ service: name: php72-php-fpm state: restarted + +- name: restart engine + community.docker.docker_container: + name: engine + state: started + restart: true diff --git a/roles/engineblock/tasks/main.yml b/roles/engineblock/tasks/main.yml index 2baa50469..c68843405 100644 --- a/roles/engineblock/tasks/main.yml +++ b/roles/engineblock/tasks/main.yml 
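Review bot: The new `restart engine` handler targets a container named `engine`, but the container task in this same commit creates it as `name: "engineblock"`, so notifications from `parameters.yml` and the language overrides will not restart the EngineBlock container (and with no `image` given, the module cannot create one either); use the same name in both places, e.g. `name: "engineblock"`. The `restart php72-fpm` handler above it is no longer notified by the rewritten tasks and can be removed in a follow-up.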
@@ -1,300 +1,223 @@ ---- -- name: Add group {{ engine_fpm_user }} - group: - name: "{{ engine_fpm_user }}" +- name: Include docker vars + ansible.builtin.include_vars: docker.yml + +- name: Add group engine + ansible.builtin.group: + name: "engine" state: present + register: engine_guid -- name: Add user {{ engine_fpm_user }} - user: - name: "{{ engine_fpm_user }}" - group: "{{ engine_fpm_user }}" - createhome: no +- name: Add user engine + ansible.builtin.user: + name: "engine" + group: "engine" + createhome: false state: present + register: engine_uid -- name: Create directory for vhosts to store PHP sessions - file: - path: "{{ php_session_dir}}/engine" +- name: Create some dirs + ansible.builtin.file: state: directory - owner: "{{ engine_fpm_user }}" + dest: "{{ item }}" + owner: root group: root - mode: 0770 - -- name: Install build tools (npm, composer) - include_tasks: build.yml - when: - - "(engine_branch is defined and engine_branch != '') or develop" - -- name: Include install-release.yml - include_tasks: install-release.yml - when: - - "(engine_branch is not defined or engine_branch == '') and not develop" - -- name: Include install-branch.yml - include_tasks: install-branch.yml - when: - - "(engine_branch is defined and engine_branch != '') and not develop" - -- name: Include develop.yml - include_tasks: develop.yml - when: - - develop | bool - -- name: Include test.yml - include_tasks: test.yml - when: - - develop | bool + mode: "0755" + with_items: + - "{{ current_release_config_dir_name }}" + - "{{ current_release_config_dir_name }}/certs" + - "{{ current_release_config_dir_name }}/configs" + - "{{ current_release_config_dir_name }}/images" + - "{{ current_release_config_dir_name }}/languages" - name: Place parameters.yml - template: - src: "{{ item }}.j2" - dest: "{{ engine_current_release_symlink }}/app/config/{{ item }}" - mode: 0644 - with_items: - - parameters.yml - notify: - - "restart php72-fpm" + ansible.builtin.template: + src: 
parameters.yml.j2 + dest: "{{ current_release_config_dir_name }}/configs/parameters.yml" + mode: "0640" + owner: root + group: engine + notify: restart engine - name: Check presence of environment specific attributes.json - local_action: stat path="{{ inventory_dir }}/files/eb/attributes.json" + ansible.builtin.stat: + path: "{{ inventory_dir }}/files/eb/attributes.json" register: attributes_json_present become: false + delegate_to: localhost - name: Copy environment specific attributes.json - copy: + ansible.builtin.copy: src: "{{ inventory_dir }}/files/eb/attributes.json" - dest: "{{ openconext_releases_dir }}/OpenConext-engineblock/application/configs/" + dest: "{{ current_release_config_dir_name }}/configs/" + mode: "0644" + owner: root + group: engine when: attributes_json_present.stat.exists - name: Check presence of language specific overrides - local_action: stat path="{{ inventory_dir }}/files/eb/languages/" + ansible.builtin.stat: + path: "{{ inventory_dir }}/files/eb/languages/" register: overrides_present become: false + delegate_to: localhost - name: Copy language specific overrides - template: + ansible.builtin.template: src: "{{ item }}" - dest: "{{ openconext_releases_dir }}/OpenConext-engineblock/languages" + dest: "{{ current_release_config_dir_name }}/languages/" + owner: root + group: engine + mode: "0644" when: overrides_present.stat.exists with_fileglob: - "{{ inventory_dir }}/files/eb/languages/*" notify: - - "restart php72-fpm" + - "restart engine" - name: Check if we have a custom logo - local_action: stat path="{{ inventory_dir }}/files/logo.png" + ansible.builtin.stat: + path: "{{ inventory_dir }}/files/logo.png" register: customlogo become: false + delegate_to: localhost - name: Install environment specific logo - copy: + ansible.builtin.copy: src: "{{ inventory_dir }}/files/logo.png" - dest: "{{ openconext_releases_dir }}/OpenConext-engineblock/web/images/" + dest: "{{ current_release_config_dir_name }}/images/" + owner: root + group: 
engine + mode: "0644" when: customlogo.stat.exists - name: Check if we have a custom favicon - local_action: stat path="{{ inventory_dir }}/files/favicon.ico" + ansible.builtin.stat: + path: "{{ inventory_dir }}/files/favicon.ico" register: customfavicon become: false + delegate_to: localhost - name: Install environment specific favicon - copy: + ansible.builtin.copy: src: "{{ inventory_dir }}/files/favicon.ico" - dest: "{{ openconext_releases_dir }}/OpenConext-engineblock/web/" + dest: "/opt/openconext/common/" + owner: root + group: root + mode: "0644" when: customfavicon.stat.exists - name: Check if we have a custom background back image for the feedback page - local_action: stat path="{{ inventory_dir }}/files/eb/background-back.svg" + ansible.builtin.stat: + path: "{{ inventory_dir }}/files/eb/background-back.svg" register: eb_customfeedbackbackground become: false + delegate_to: localhost - name: Install environment specific background back image - copy: + ansible.builtin.copy: src: "{{ inventory_dir }}/files/eb/background-back.svg" - dest: "{{ openconext_releases_dir }}/OpenConext-engineblock/web/images/" + dest: "{{ current_release_config_dir_name }}/images/" + owner: root + group: engine + mode: "0644" when: eb_customfeedbackbackground.stat.exists - name: Check if we have a custom background front image for the feedback page - local_action: stat path="{{ inventory_dir }}/files/eb/background-front.svg" + ansible.builtin.stat: + path: "{{ inventory_dir }}/files/eb/background-front.svg" register: eb_customfeedbackforeground become: false + delegate_to: localhost - name: Install environment specific background front image - copy: + ansible.builtin.copy: src: "{{ inventory_dir }}/files/eb/background-front.svg" - dest: "{{ openconext_releases_dir }}/OpenConext-engineblock/web/images/" + dest: "{{ current_release_config_dir_name }}/images/" + owner: root + group: engine + mode: "0644" when: eb_customfeedbackforeground.stat.exists - name: Check if we have a Stepup 
GW certificate - local_action: stat path="{{ inventory_dir }}/files/certs/stepup_gateway.pem" + ansible.builtin.stat: + path: "{{ inventory_dir }}/files/certs/stepup_gateway.pem" register: eb_stepupgwcert become: false + delegate_to: localhost - name: Install Stepup GW certificate - copy: + ansible.builtin.copy: src: "{{ inventory_dir }}/files/certs/stepup_gateway.pem" - dest: "{{ engine_stepup_gateway_sfo_public_key_file }}" + dest: "{{ current_release_config_dir_name }}/certs/" + owner: root + group: engine + mode: "0644" when: eb_stepupgwcert.stat.exists -- name: Install Apache vhost - template: - src: "{{ item }}.j2" - dest: "/etc/httpd/conf.d/{{ item }}" - with_items: - - engine.conf - - engine-api.conf - notify: - - "restart httpd" - -- name: clean up old php-fpm 5.6 config - file: - path: "/etc/php-fpm.d/engine-pool.conf" - state: absent - -- name: php-fpm 72 config - template: - src: "{{ item }}.j2" - dest: "/etc/opt/remi/php72/php-fpm.d/{{ item }}" - with_items: - - engine-pool-72.conf - notify: - - "restart php72-fpm" - -- name: copy over the engineblock keys - copy: - content: "{{ engineblock_private_keys[item.key] }}" - dest: "{{ item.value.privateFile }}" - owner: "{{ engine_fpm_user }}" - group: root - mode: 0440 - with_dict: "{{ engine_keys }}" - -- name: copy engineblock certificates to correct location - copy: - src: "{{ inventory_dir }}/files/certs/{{ item.value.publicKey }}" - dest: "{{ item.value.publicFile }}" - with_dict: "{{ engine_keys }}" - when: - - not engine_crt_not_in_inventory - -- name: copy engineblock certificates to correct location when not located in the inventory dir - copy: - src: "files/certs/{{ item.value.publicKey }}" - dest: "{{ item.value.publicFile }}" - with_dict: "{{ engine_keys }}" - when: - - engine_crt_not_in_inventory | bool - -- name: Make the SYMFONY_ENV var available for scripts - become: yes - lineinfile: - dest: "/etc/environment" - state: present - line: "SYMFONY_ENV={{ engine_apache_symfony_environment }}" - 
-- name: Create EngineBlock test database - mysql_db: - name: "{{ engine_test_database_name }}" - state: present - when: - - develop | bool - -- name: Create EngineBlock test database user - mysql_user: - name: "{{ engine_test_database_user }}" - host: "{{ engine_test_database_host }}" - password: "{{ engine_test_database_password }}" - priv: "{{ engine_test_database_name }}.*:ALL" - state: present - when: - - develop | bool - -- name: Check existence of the eb database - shell: php72 app/console doctrine:migrations:status --env={{ engine_apache_symfony_environment }} | grep "Current Version" | awk '{print $4 }' - args: - chdir: "{{ openconext_releases_dir }}/OpenConext-engineblock" - register: eb_database_version - changed_when: False - run_once: True - -- name: Check doctrine migrations status - shell: php72 app/console doctrine:migrations:status --env={{ engine_apache_symfony_environment }} - args: - chdir: "{{ openconext_releases_dir }}/OpenConext-engineblock" - register: eb_database_migration_status - changed_when: False - run_once: True - -- name: Print return information from the previous task - ansible.builtin.debug: - var: eb_database_migration_status - -- name: Create the database schema - command: "php72 app/console doctrine:schema:create -n --env={{ engine_apache_symfony_environment }}" - args: - chdir: "{{ openconext_releases_dir }}/OpenConext-engineblock" - when: - - eb_database_version.stdout == '0' - run_once: True - -- name: Add migration versions to the database - command: "php72 app/console doctrine:migrations:version -n --add --all --env={{ engine_apache_symfony_environment }}" - args: - chdir: "{{ openconext_releases_dir }}/OpenConext-engineblock" - when: - - eb_database_version.stdout == '0' - run_once: True - -- name: Run EngineBlock Doctrine migrations - command: "php72 app/console doctrine:migrations:migrate -n --env={{ engine_apache_symfony_environment }}" - args: - chdir: "{{ openconext_releases_dir }}/OpenConext-engineblock" - register: 
doctrine_migrations_output - changed_when: "'No migrations to execute' not in doctrine_migrations_output.stdout" - tags: enginemigrations - when: - - engine_skip_db_migration is undefined - run_once: true - -- name: Clear the symfony cache - command: "php72 app/console cache:clear --env={{ engine_apache_symfony_environment }} --no-debug" - args: - chdir: "{{ openconext_releases_dir }}/OpenConext-engineblock" - when: - - not develop - changed_when: false - -- name: Make sure cache dir has correct permissions - file: - path: "{{engine_current_release_symlink}}/app/cache" - owner: "{{ engine_fpm_user }}" - group: "{{ engine_fpm_user }}" - recurse: yes - when: - - not develop - changed_when: False - -- name: Make sure log dir has correct permissions - file: - path: "{{engine_current_release_symlink}}/app/logs" - owner: "{{ engine_fpm_user }}" - group: "{{ engine_fpm_user }}" - recurse: yes - when: not develop - -# Remove all dirs, but keep the current version and from the rest the most recent one. -- name: Clean up old releases - shell: ls -td {{ openconext_releases_dir }}/OpenConext-engineblock-* | grep -v $(readlink {{ engine_current_release_symlink }}) | tail -n +2 | xargs --no-run-if-empty rm -rv - register: clean_engine_releases - changed_when: '"removed" in clean_engine_releases.stdout' - -# Remove all tarballs, but keep the current version and from the rest the most recent one. 
-- name: Clean up old builds - shell: ls -td {{ openconext_builds_dir }}/OpenConext-engineblock-* {{ openconext_builds_dir }}/Releases/ | grep -v {{ engine_build_path }} | tail -n +2 | xargs --no-run-if-empty rm -rv - register: clean_engine_builds - changed_when: '"removed" in clean_engine_builds.stdout' +- name: Copy over the engineblock keys + ansible.builtin.copy: + content: "{{ item.private_key }}" + dest: "{{ current_release_config_dir_name }}/certs/{{ item.name }}.key" + owner: root + group: engine + mode: "0440" + loop: "{{ engine_key_and_certs }}" + +- name: Copy engineblock certificates to correct location + ansible.builtin.copy: + src: "{{ inventory_dir }}/files/certs/{{ item.crt_name }}" + dest: "{{ current_release_config_dir_name }}/certs/{{ item.name }}.crt" + owner: root + group: engine + mode: "0644" + loop: "{{ engine_key_and_certs }}" + +- name: Create the container + community.docker.docker_container: + name: "engineblock" + image: ghcr.io/openconext/openconext-engineblock/openconext-engineblock:{{ engine_version }} + pull: true + restart_policy: "always" + networks: + - name: "loadbalancer" + labels: + traefik.http.routers.engine.rule: "Host(`engine.{{ base_domain }}`)" + traefik.http.routers.engine.service: "engineblock" + traefik.http.routers.engine.tls: "true" + traefik.http.routers.engineapi.rule: "Host(`engine-api.{{ base_domain }}`)" + traefik.http.routers.engineapi.service: "engineblock" + traefik.http.routers.engineapi.tls: "true" + traefik.enable: "true" + env: + APACHE_UID: "#{{ engine_uid.uid }}" + APACHE_GUID: "#{{ engine_guid.gid }}" + etc_hosts: + host.docker.internal: host-gateway + mounts: + - source: "{{ current_release_config_dir_name }}/configs/parameters.yml" + target: "/var/www/html/app/config/parameters.yml" + type: bind + - source: "{{ current_release_config_dir_name }}/configs/attributes.json" + target: "/var/www/html/app/config/attributes.json" + type: bind + - source: "{{ current_release_config_dir_name 
}}/images/background-back.svg" + target: "/var/www/html/web/images/background-back.svg" + type: bind + - source: "{{ current_release_config_dir_name }}/images/background-front.svg" + target: "/var/www/html/web/images/background-front.svg" + type: bind + - source: "{{ current_release_config_dir_name }}/images/logo.png" + target: "/var/www/html/web/images/logo.png" + type: bind + - source: "{{ current_release_config_dir_name }}/certs/" + target: "/var/www/html/certs/" + type: bind + - source: "/opt/openconext/common/favicon.ico" + target: "/var/www/html/web/favicon.ico" + type: bind diff --git a/roles/engineblock/templates/parameters.yml.j2 b/roles/engineblock/templates/parameters.yml.j2 index 5982aa21a..19a23f77e 100644 --- a/roles/engineblock/templates/parameters.yml.j2 +++ b/roles/engineblock/templates/parameters.yml.j2 @@ -38,18 +38,17 @@ parameters: ## * How attributes are displayed in Profile and Consent ## * How attributes are Normalized and Denormalized ## * How attributes are validated - attribute_definition_file_path: {{ openconext_releases_dir }}/OpenConext-engineblock/application/configs/attributes.json + attribute_definition_file_path: {{ engine_config_dir }}/attributes.json ## The Signing / Encryption keys used for the SAML2 authentication and metadata ## When EngineBlock signs responses (when it acts as an Idp) ## or requests (when it acts as an SP) it uses these X.509 certs. encryption_keys: -{% for key, value in engine_keys.items() %} - {{ key }}: - publicFile: {{ value.publicFile }} - privateFile: {{ value.privateFile }} +{% for engine_key in engine_key_and_certs %} + {{ engine_key.name }}: + publicFile: "{{ engine_certs_dir }}/{{ engine_key.name}}.crt" + privateFile: "{{ engine_certs_dir}}/{{ engine_key.name }}.key" {% endfor %} - ## List of signature methods explicitly forbidden by EngineBlock. forbidden_signature_methods: { } 
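Review bot: `Copy over the engineblock keys` loops over `engine_key_and_certs`, whose items carry `private_key`, without `no_log`, so the private key material is printed in the task output for every item; add `no_log: true` to that task (or `loop_control: label: "{{ item.name }}"` to keep the item name visible without the key). The `mounts` list binds `attributes.json`, `logo.png`, `background-back.svg`, `background-front.svg` and the favicon unconditionally, yet each is copied only `when: ... .stat.exists`, so on an environment lacking one of them the bind source is absent and container creation is expected to fail; the mount list should be assembled from the same stat results (the `overrides.en.php`/`overrides.nl.php` mounts added to this file in a later commit share the issue). The container is created as `name: "engineblock"` while the handler added in this commit restarts `engine`; the two names must match.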
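Review bot: The new `encryption_keys` loop mixes `{{ engine_key.name}}` and `{{ engine_certs_dir}}` with the spaced form used everywhere else in the template; normalise to `{{ engine_key.name }}` and `{{ engine_certs_dir }}`.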
@@ -209,7 +208,7 @@ parameters: ## Swiftmailer configuration mailer_transport: 'smtp' - mailer_host: 'localhost' + mailer_host: '{{ smtp_server }}' mailer_port: '25' mailer_user: '' mailer_password: '' @@ -231,7 +230,6 @@ parameters: feature_enable_consent: {{ engine_feature_enable_consent | bool | to_json }} feature_stepup_sfo_override_engine_entityid: {{ engine_feature_stepup_override_entityid | bool | to_json }} feature_enable_idp_initiated_flow: {{ engine_feature_idp_initiated_flow | bool | to_json }} - ########################################################################################## ## PROFILE SETTINGS ########################################################################################## @@ -268,7 +266,7 @@ parameters: ## The single sign-on endpoint used for Stepup Gateway SFO callouts stepup.gateway.sfo.sso_location: '{{ engine_stepup_gateway_sfo_sso_location | replace("%","%%") }}' ## The public key from the Stepup Gateway IdP - stepup.gateway.sfo.key_file: {{ engine_stepup_gateway_sfo_public_key_file | replace("%","%%") }} + stepup.gateway.sfo.key_file: "{{ engine_certs_dir }}/stepup_gateway.pem" ## You can override the default entityID used by Engineblock for its callout to stepup gateway. ## You also need to enable the feature toggle feature_stepup_sfo_override_engine_entityid above. stepup.sfo.override_engine_entityid: '{{ engine_stepup_override_entityid }}' @@ -308,4 +306,4 @@ parameters: # A (list) mapping is for example : where the label represents the label that is # used in the authentication log record. The attributeName will be searched in the response attributes and if present # the log data will be enriched. The values of the response attributes are the final values after ARP and Attribute Manipulation. - auth.log.attributes: [] + auth.log.attributes: {{ engineblock_log_attributes }} diff --git a/roles/engineblock/vars/docker.yml b/roles/engineblock/vars/docker.yml new file mode 100644 index 000000000..d9a3a943b --- /dev/null 
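Review bot: `auth.log.attributes: {{ engineblock_log_attributes }}` in the last hunk (`@@ -308`) interpolates a list straight into the YAML, so what ends up in parameters.yml is whatever string form Ansible gives that list rather than guaranteed-valid YAML; the default `[]` happens to render fine, but the list of `label`/`attributeName` mappings the comment above it describes is safer rendered as `auth.log.attributes: {{ engineblock_log_attributes | to_json }}`. In the `@@ -268` hunk, `stepup.gateway.sfo.key_file` now always points at `{{ engine_certs_dir }}/stepup_gateway.pem` even though, elsewhere in this series, that certificate is only copied into the certs directory when it exists on the controller; if the value is intentionally harmless while SFO is disabled, a one-line comment on that parameter saying so would save the next reader a trip through the tasks file.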
+++ b/roles/engineblock/vars/docker.yml
@@ -0,0 +1,3 @@
+current_release_config_dir_name: /opt/openconext/engine
+engine_config_dir: /var/www/html/app/config
+engine_certs_dir: /var/www/html/certs
From 9612abfe6e962f7323a57f0a02fa6df35dac37a2 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Tue, 5 Nov 2024 09:33:56 +0100 Subject: [PATCH 37/59] Engineblock: Mount the language overrides files --- roles/engineblock/tasks/main.yml | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/roles/engineblock/tasks/main.yml b/roles/engineblock/tasks/main.yml
index c68843405..f6475c9cd 100644
--- a/roles/engineblock/tasks/main.yml
+++ b/roles/engineblock/tasks/main.yml
@@ -203,6 +203,12 @@
- source: "{{ current_release_config_dir_name }}/configs/parameters.yml"
target: "/var/www/html/app/config/parameters.yml"
type: bind
+ - source: "{{ current_release_config_dir_name }}/languages/overrides.en.php"
+ target: "/var/www/html/languages/overrides.en.php"
+ type: bind
+ - source: "{{ current_release_config_dir_name }}/languages/overrides.nl.php"
+ target: "/var/www/html/languages/overrides.nl.php"
+ type: bind
- source: "{{ current_release_config_dir_name }}/configs/attributes.json"
target: "/var/www/html/app/config/attributes.json"
type: bind
From b301da5ccf665c2e38975166f18f46c9bfaaafac Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Thu, 14 Nov 2024 13:41:31 +0100 Subject: [PATCH 38/59] EB: Mount a volume in /tmp to save the sessions --- roles/engineblock/tasks/main.yml | 9 +++++++++ 1 file changed, 9 insertions(+)
diff --git a/roles/engineblock/tasks/main.yml b/roles/engineblock/tasks/main.yml
index f6475c9cd..594b4f85d 100644
--- a/roles/engineblock/tasks/main.yml
+++ b/roles/engineblock/tasks/main.yml
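Review bot: The two new bind mounts for `overrides.en.php` and `overrides.nl.php` are unconditional, while this same tasks file only copies language overrides after a `Check presence of language specific overrides` stat, so on a host whose inventory ships no overrides the container create fails on a missing bind source instead of simply running without overrides. Either guarantee both files exist on the host before this task (for example by writing an empty placeholder when the inventory provides none) or build the `mounts` list from the stat results so the entries are only added when the files are there. The `mounts` list and the `Create the container` task it belongs to begin outside this hunk.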
@@ -178,6 +178,11 @@
mode: "0644"
loop: "{{ engine_key_and_certs }}"

+- name: Create Docker volume to contain the sessions
+ community.docker.docker_volume:
+ name: engineblock_sessions
+ state: present
+
- name: Create the container
community.docker.docker_container:
name: "engineblock"
@@ -197,6 +202,7 @@
env:
APACHE_UID: "#{{ engine_uid.uid }}"
APACHE_GUID: "#{{ engine_guid.gid }}"
+ TZ: "{{ timezone }}"
etc_hosts:
host.docker.internal: host-gateway
mounts:
@@ -227,3 +233,6 @@
- source: "/opt/openconext/common/favicon.ico"
target: "/var/www/html/web/favicon.ico"
type: bind
+ - source: engineblock_sessions
+ target: /tmp/
+ type: volume
From a9546eeab2877e2569e7b171fdff505b98534c33 Mon Sep 17 00:00:00 2001
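Review bot: Mounting the `engineblock_sessions` volume at `/tmp/` (hunk `@@ -227`) persists the container's whole tmp directory, not only the PHP session files the commit title names; anything else the image writes under `/tmp` then survives container recreation and image upgrades, so a bumped `engine_version` could start with the previous release's scratch data (this role's own non-docker defaults placed a Symfony cache under `/tmp/engineblock/cache`, though whether the image uses that path is not visible here). If the image allows pointing PHP's `session.save_path` at a dedicated directory, mount the volume there instead, e.g. `target: /var/lib/php/sessions` (constructed example); otherwise a comment on the mount stating that `/tmp` is deliberately shared state across recreations would help the next reader. The `mounts` list this entry is appended to starts outside the hunk.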
From: Bart Geesink Date: Wed, 20 Nov 2024 08:27:01 +0100 Subject: [PATCH 39/59] Engineblock: Clean non docker related configuration --- roles/engineblock/defaults/main.yml | 29 +-- roles/engineblock/handlers/main.yml | 5 - roles/engineblock/tasks/build.yml | 43 ---- roles/engineblock/tasks/develop.yml | 46 ---- roles/engineblock/tasks/install-branch.yml | 45 ---- roles/engineblock/tasks/install-release.yml | 31 --- roles/engineblock/tasks/main.yml | 21 +- roles/engineblock/tasks/test.yml | 36 --- .../engineblock/templates/engine-api.conf.j2 | 54 ----- .../templates/engine-pool-72.conf.j2 | 227 ------------------ roles/engineblock/templates/engine.conf.j2 | 56 ----- roles/engineblock/templates/selenium-unit.j2 | 11 - .../engineblock/vars/{docker.yml => main.yml} | 0 13 files changed, 9 insertions(+), 595 deletions(-) delete mode 100644 roles/engineblock/tasks/build.yml delete mode 100644 roles/engineblock/tasks/develop.yml delete mode 100644 roles/engineblock/tasks/install-branch.yml delete mode 100644 roles/engineblock/tasks/install-release.yml delete mode 100644 roles/engineblock/tasks/test.yml delete mode 100644 roles/engineblock/templates/engine-api.conf.j2 delete mode 100644 roles/engineblock/templates/engine-pool-72.conf.j2 delete mode 100644 roles/engineblock/templates/engine.conf.j2 delete mode 100644 roles/engineblock/templates/selenium-unit.j2 rename roles/engineblock/vars/{docker.yml => main.yml} (100%) diff --git a/roles/engineblock/defaults/main.yml b/roles/engineblock/defaults/main.yml index 1ab26ffcc..c58a30d05 100644 --- a/roles/engineblock/defaults/main.yml +++ b/roles/engineblock/defaults/main.yml @@ -1,7 +1,6 @@ ## Version of EngineBlock that is installable by this role -engine_version: '' +engine_version: "" # Be aware that if you enable this option that NPM, Node.js and Composer are installed -#engine_branch: "develop" # Feature toggles engine_feature_encrypted_assertions: 1 engine_feature_encrypted_assertions_require_outer_signature: 1 
@@ -42,7 +41,7 @@ engine_domain: engine.{{ base_domain }} engine_debug: false engine_theme: "skeune" -#engine_theme: openconext +# engine_theme: openconext engine_profile_baseurl: "https://profile.{{ base_domain }}" @@ -90,17 +89,6 @@ engine_stepup_gateway_sfo_public_key_file: "{{ engine_keys.default.publicFile }} ## The minimum priority of messages that will be logged engine_logging_passthru_level: NOTICE -#engine_initial_sql: '' - -engineblock_symfony_cache_path: "/tmp/engineblock/cache" -engineblock_symfony_log_path: "{{ engine_current_release_symlink }}/var/logs" - -engine_fpm_user: engine -engine_fpm_port: 801 -engine_fpm_memory: 128M -# When using vagrant for provisioning, it's not possible to put something in the inventory dir -engine_crt_not_in_inventory: false - # The memory limit used for the metadata push engine_metadata_push_memory_limit: 256M @@ -116,15 +104,4 @@ eb_tos_url: "https://example.org" engine_site_notice_show: false -# Backwards compatibility with older secrets files -engineblock_private_keys: - default: "{{ engineblock_private_key }}" - -# Webdriver test settings -engineblock_selenium_version: 2.53.1 -engineblock_selenium_install_dir: /opt - -# Composer -composer_path: /usr/local/bin/composer - -engineblock_log_attributes: [] +engineblock_log_attributes: [] diff --git a/roles/engineblock/handlers/main.yml b/roles/engineblock/handlers/main.yml index ee9e9e1e8..6ab193b9f 100644 --- a/roles/engineblock/handlers/main.yml +++ b/roles/engineblock/handlers/main.yml @@ -1,9 +1,4 @@ --- -- name: restart php72-fpm - service: - name: php72-php-fpm - state: restarted - - name: restart engine community.docker.docker_container: name: engine diff --git a/roles/engineblock/tasks/build.yml b/roles/engineblock/tasks/build.yml deleted file mode 100644 index 566f0e6f6..000000000 --- a/roles/engineblock/tasks/build.yml +++ /dev/null 
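Review bot: The header context of the `@@ -90,17 +89,6 @@` hunk shows `engine_stepup_gateway_sfo_public_key_file: "{{ engine_keys.default.publicFile }}"` surviving this cleanup, although the role now takes its key material from `engine_key_and_certs` and the parameters template no longer reads this variable since `stepup.gateway.sfo.key_file` was fixed to `{{ engine_certs_dir }}/stepup_gateway.pem`. A default that dereferences a structure the role no longer provides will raise an undefined-variable error the moment anything references it, so it belongs with the other removals in this commit — drop it, or redefine it in terms of `engine_certs_dir` if something outside the role still reads it. Whether inventories still define `engine_keys` is not visible here.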
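Review bot: After the handlers hunk (`@@ -1,9 +1,4 @@`) the only remaining handler, `restart engine`, is `community.docker.docker_container:` with just `name: engine`, which neither names the container this role actually creates (`name: "engineblock"` in tasks/main.yml) nor asks for a restart, so any notify of it is at best a no-op and at worst a state check against a container that does not exist. Change the two lines to `name: engineblock` and add `restart: true` beneath it. Whether any task still notifies this handler now that install-branch.yml and install-release.yml are deleted is not visible in this hunk; if nothing does, removing the handler is the cleaner option.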
@@ -1,43 +0,0 @@ -- name: Get Composer installer signature. - uri: - url: https://composer.github.io/installer.sig - return_content: true - register: composer_installer_signature - -- name: Download Composer installer - get_url: - url: https://getcomposer.org/installer - dest: /tmp/composer-installer.php - mode: 0755 - checksum: "sha384:{{ composer_installer_signature.content }}" - register: reg_composer_installer - -- name: Run Composer installer - command: > - php72 composer-installer.php - chdir=/tmp - when: - - reg_composer_installer.changed | bool - -- name: Move Composer into globally-accessible location. - command: > - mv -f /tmp/composer.phar {{ composer_path }} - creates={{ composer_path }} - when: - - reg_composer_installer.changed | bool - -- name: Remove Nodesource repositories for Node.js - yum: - name: "nodesource-release" - state: removed - -- name: Add Nodesource repositories for Node.js - yum: - name: "https://rpm.nodesource.com/pub_12.x/el/{{ ansible_distribution_major_version }}/{{ ansible_architecture }}/nodesource-release-el{{ ansible_distribution_major_version }}-1.noarch.rpm" - state: present - -- name: Ensure Node.js and npm are installed - yum: - name: "nodejs-12*" - state: present - enablerepo: nodesource diff --git a/roles/engineblock/tasks/develop.yml b/roles/engineblock/tasks/develop.yml deleted file mode 100644 index 4732b79f6..000000000 --- a/roles/engineblock/tasks/develop.yml +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -- name: Add "engineblock" user - user: - name: engineblock - groups: "{{ apache_user}}" - append: yes - state: present - createhome: no - -- name: Create the cache dir for Symfony - file: - path: "{{ engineblock_symfony_cache_path }}" - state: directory - recurse: yes - -- name: Create the log dir for Symfony - file: - path: "{{ engineblock_symfony_log_path }}" - state: directory - recurse: yes - -- name: Ensure setfacl support is present. - become: true - package: - name: acl - state: present - -- name: Allow vagrant user complete access to all engineblock files - become: true - acl: - entity: "{{ item[0] }}" - default: "{{ item[1] }}" - path: "{{ item[2] }}" - permissions: rwx - use_nfsv4_acls: yes - with_nested: - - [ "{{ engine_fpm_user }}", "vagrant" ] - - [ "no", "yes" ] - - [ "{{ engineblock_symfony_cache_path }}", "{{ engineblock_symfony_log_path }}", "/opt/openconext/OpenConext-engineblock/" ] - -- name: Copy app_dev.php.dist to OpenConext web folder - copy: - src: "/opt/openconext/OpenConext-engineblock/app_dev.php.dist" - dest: "/opt/openconext/OpenConext-engineblock/web/app_dev.php" - remote_src: yes - mode: 0644 diff --git a/roles/engineblock/tasks/install-branch.yml b/roles/engineblock/tasks/install-branch.yml deleted file mode 100644 index 56d819ac3..000000000 --- a/roles/engineblock/tasks/install-branch.yml +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -- name: Check if target dir exists - stat: - path: "{{ engine_release_dir }}" - register: eb_dir - -- name: Checkout engine-block branch - git: - repo: https://github.com/OpenConext/OpenConext-engineblock.git - dest: "{{ engine_branch_dir }}" - version: "{{ engine_branch }}" - force: yes - register: eb_gitclone - -- name: Make release - command: "./bin/makeRelease.sh {{ engine_branch }}" - environment: - HOME: "{{ openconext_builds_dir }}" - PATH: /usr/local/bin:{{ ansible_env.PATH }} - args: - chdir: "{{ engine_branch_dir }}" - when: - - eb_gitclone.changed or not eb_dir.stat.exists - register: make_release_out - -- debug: - var: make_release_out - verbosity: 2 - -- name: Unpack current version - unarchive: - src: "{{ openconext_builds_dir }}/Releases/OpenConext-engineblock-{{ engine_branch | replace('/', '_') }}.tar.gz" - dest: "{{ openconext_releases_dir }}" - copy: no - when: - - eb_gitclone.changed or not eb_dir.stat.exists - -- name: Activate new EngineBlock branch - file: - src: "{{ openconext_releases_dir }}/OpenConext-engineblock-{{ engine_branch | replace('/', '_') }}" - dest: "{{ engine_current_release_symlink }}" - state: link - notify: - - "restart httpd" - - "restart php72-fpm" diff --git a/roles/engineblock/tasks/install-release.yml b/roles/engineblock/tasks/install-release.yml deleted file mode 100644 index a76789e17..000000000 --- a/roles/engineblock/tasks/install-release.yml +++ /dev/null 
@@ -1,31 +0,0 @@ ---- -- name: Check if target dir exists - stat: - path: "{{ engine_current_release_symlink }}" - follow: no - register: eb_dir - -- name: Download current version - get_url: - url: "{{ engine_download_url }}" - dest: "{{ engine_build_path }}" - register: eb_download - -- name: Unpack current version - unarchive: - src: "{{ engine_build_path }}" - dest: "{{ openconext_releases_dir }}" - copy: no - when: - - eb_download.changed or eb_dir.stat.lnk_source != engine_release_dir - -- name: Activate new EngineBlock release - file: - src: "{{ engine_release_dir }}" - dest: "{{ engine_current_release_symlink }}" - state: link - notify: - - "restart httpd" - - "restart php72-fpm" - when: - - eb_download.changed or eb_dir.stat.lnk_source != engine_release_dir diff --git a/roles/engineblock/tasks/main.yml b/roles/engineblock/tasks/main.yml index 594b4f85d..0376bd638 100644 --- a/roles/engineblock/tasks/main.yml +++ b/roles/engineblock/tasks/main.yml @@ -1,6 +1,3 @@ -- name: Include docker vars - ansible.builtin.include_vars: docker.yml - - name: Add group engine ansible.builtin.group: name: "engine" @@ -52,8 +49,7 @@ mode: "0644" owner: root group: engine - when: - attributes_json_present.stat.exists + when: attributes_json_present.stat.exists - name: Check presence of language specific overrides ansible.builtin.stat: @@ -89,8 +85,7 @@ owner: root group: engine mode: "0644" - when: - customlogo.stat.exists + when: customlogo.stat.exists - name: Check if we have a custom favicon ansible.builtin.stat: @@ -106,8 +101,7 @@ owner: root group: root mode: "0644" - when: - customfavicon.stat.exists + when: customfavicon.stat.exists - name: Check if we have a custom background back image for the feedback page ansible.builtin.stat: 
@@ -123,8 +117,7 @@ owner: root group: engine mode: "0644" - when: - eb_customfeedbackbackground.stat.exists + when: eb_customfeedbackbackground.stat.exists - name: Check if we have a custom background front image for the feedback page ansible.builtin.stat: @@ -140,8 +133,7 @@ owner: root group: engine mode: "0644" - when: - eb_customfeedbackforeground.stat.exists + when: eb_customfeedbackforeground.stat.exists - name: Check if we have a Stepup GW certificate ansible.builtin.stat: @@ -157,8 +149,7 @@ owner: root group: engine mode: "0644" - when: - eb_stepupgwcert.stat.exists + when: eb_stepupgwcert.stat.exists - name: Copy over the engineblock keys ansible.builtin.copy: diff --git a/roles/engineblock/tasks/test.yml b/roles/engineblock/tasks/test.yml deleted file mode 100644 index 43133372b..000000000 --- a/roles/engineblock/tasks/test.yml +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -- name: Create install directory - file: - path: "{{ engineblock_selenium_install_dir }}/selenium" - state: directory - recurse: yes - -- name: Install latest Chrome - yum: - name: https://dl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm - state: present - -- name: Install Selenium standalone - get_url: - url: "http://selenium-release.storage.googleapis.com/{{ engineblock_selenium_version | regex_replace('\\.[0-9]+$', '') }}/selenium-server-standalone-{{ engineblock_selenium_version }}.jar" - dest: "{{ engineblock_selenium_install_dir }}/selenium/selenium-server-standalone-{{ engineblock_selenium_version }}.jar" - mode: 0755 - -- name: Get the latest release for chromedriver - uri: - url: https://chromedriver.storage.googleapis.com/LATEST_RELEASE - return_content: yes - register: chromedriver_latest - -- name: Install chromedriver - unarchive: - src: "https://chromedriver.storage.googleapis.com/{{ chromedriver_latest.content | trim }}/chromedriver_linux64.zip" - dest: "{{ engineblock_selenium_install_dir }}/selenium" - mode: 0755 - copy: no - -- name: Install systemd unit file - template: - src: "selenium-unit.j2" - dest: /etc/systemd/system/selenium.service - mode: 0755 diff --git a/roles/engineblock/templates/engine-api.conf.j2 b/roles/engineblock/templates/engine-api.conf.j2 deleted file mode 100644 index f2e455933..000000000 --- a/roles/engineblock/templates/engine-api.conf.j2 +++ /dev/null 
@@ -1,54 +0,0 @@ -{% if apache_app_listen_address.engine_api is defined %} -Listen {{ apache_app_listen_address.engine_api }}:{{ loadbalancing.engine_api.port }} - -{% else %} - -{% endif %} - ServerAdmin {{ admin_email }} - - DocumentRoot {{ engine_current_release_symlink }}/web - ServerName {{ engine_api_domain }} - - - Require all granted - Options -MultiViews - RewriteEngine On - RewriteBase / - RewriteCond %{REQUEST_FILENAME} !-f - RewriteRule ^(.*)$ app{% if develop %}_dev{% endif %}.php [QSA,L] - -{% if apache_app_listen_address.all is defined %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/{{ tls_star_cert }} - SSLCertificateKeyFile {{ tls.cert_private_path }}/{{ tls_star_cert_key }} - SSLCertificateChainFile {{ tls.cert_path_ca }}/{{ tls_ca }} -{% endif %} - - Header always set X-Content-Type-Options "nosniff" - Header always set X-Frame-Options "DENY" - Header always set Content-Security-Policy "{{ httpd_csp.nothing }}" - - SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1 - SetEnv ENGINEBLOCK_ENV {{ engine_apache_environment }} - SetEnv SYMFONY_ENV {{ engine_apache_symfony_environment }} - SetEnv HTTPS on - - RewriteEngine On - # We support only GET/POST/HEAD - RewriteCond %{REQUEST_METHOD} !^(POST|DELETE|GET|HEAD)$ - RewriteRule .* - [R=405,L] - - #Proxy the requests to FPM - ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/var/run/php-fpm/engine-pool-72.sock|fcgi://localhost/{{ engine_current_release_symlink }}/web/$1 - - ErrorLog "|/usr/bin/logger -S 32k -p local3.err -t 'Apache-EBAPI'" - CustomLog "|/usr/bin/logger -S 32k -p local3.info -t 'Apache-EBAPI'" combined - - {% if haproxy_backend_tls %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/backend.{{ base_domain }}.pem - SSLCertificateKeyFile {{ tls.cert_private_path }}/backend.{{ base_domain }}.key - Include ssl_backend.conf - {% endif %} - - 
diff --git a/roles/engineblock/templates/engine-pool-72.conf.j2 b/roles/engineblock/templates/engine-pool-72.conf.j2 deleted file mode 100644 index c766f2a65..000000000 --- a/roles/engineblock/templates/engine-pool-72.conf.j2 +++ /dev/null 
@@ -1,227 +0,0 @@ -; Create a new pool named engine. -[engine] - -; The address on which to accept FastCGI requests. -; Valid syntaxes are: -; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific address on -; a specific port; -; 'port' - to listen on a TCP socket to all addresses on a -; specific port; -; '/path/to/unix/socket' - to listen on a unix socket. -; Note: This value is mandatory. - -; Use unix socket -listen = /var/run/php-fpm/engine-pool-72.sock - -; Set listen(2) backlog. A value of '-1' means unlimited. -; Default Value: -1 -;listen.backlog = -1 - -; List of ipv4 addresses of FastCGI clients which are allowed to connect. -; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original -; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address -; must be separated by a comma. If this value is left blank, connections will be -; accepted from any ip address. -; Default Value: any -listen.allowed_clients = 127.0.0.1 - -; Set permissions for unix socket, if one is used. In Linux, read/write -; permissions must be set in order to allow connections from a web server. Many -; BSD-derived systems allow connections regardless of permissions. -; Default Values: user and group are set as the running user -; mode is set to 0666 -listen.owner = apache -listen.group = apache -listen.mode = 0640 - -; Unix user/group of processes -; Note: The user is mandatory. If the group is not set, the default user's group -; will be used. -user = {{ engine_fpm_user }} -group = {{ engine_fpm_user }} - -; Choose how the process manager will control the number of child processes. -; Possible Values: -; static - a fixed number (pm.max_children) of child processes; -; dynamic - the number of child processes are set dynamically based on the -; following directives: -; pm.max_children - the maximum number of children that can -; be alive at the same time. -; pm.start_servers - the number of children created on startup. 
-; pm.min_spare_servers - the minimum number of children in 'idle' -; state (waiting to process). If the number -; of 'idle' processes is less than this -; number then some children will be created. -; pm.max_spare_servers - the maximum number of children in 'idle' -; state (waiting to process). If the number -; of 'idle' processes is greater than this -; number then some children will be killed. -; Note: This value is mandatory. -pm = dynamic - -; The number of child processes to be created when pm is set to 'static' and the -; maximum number of child processes to be created when pm is set to 'dynamic'. -; This value sets the limit on the number of simultaneous requests that will be -; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. -; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP -; CGI. -; Note: Used when pm is set to either 'static' or 'dynamic' -; Note: This value is mandatory. -pm.max_children = 40 - -; The number of child processes created on startup. -; Note: Used only when pm is set to 'dynamic' -; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2 -pm.start_servers = 5 - -; The desired minimum number of idle server processes. -; Note: Used only when pm is set to 'dynamic' -; Note: Mandatory when pm is set to 'dynamic' -pm.min_spare_servers = 5 - -; The desired maximum number of idle server processes. -; Note: Used only when pm is set to 'dynamic' -; Note: Mandatory when pm is set to 'dynamic' -pm.max_spare_servers = 35 - -; The number of requests each child process should execute before respawning. -; This can be useful to work around memory leaks in 3rd party libraries. For -; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. -; Default Value: 0 -;pm.max_requests = 500 - -; The URI to view the FPM status page. If this value is not set, no URI will be -; recognized as a status page. 
By default, the status page shows the following -; information: -; accepted conn - the number of request accepted by the pool; -; pool - the name of the pool; -; process manager - static or dynamic; -; idle processes - the number of idle processes; -; active processes - the number of active processes; -; total processes - the number of idle + active processes. -; The values of 'idle processes', 'active processes' and 'total processes' are -; updated each second. The value of 'accepted conn' is updated in real time. -; Example output: -; accepted conn: 12073 -; pool: www -; process manager: static -; idle processes: 35 -; active processes: 65 -; total processes: 100 -; By default the status page output is formatted as text/plain. Passing either -; 'html' or 'json' as a query string will return the corresponding output -; syntax. Example: -; http://www.foo.bar/status -; http://www.foo.bar/status?json -; http://www.foo.bar/status?html -; Note: The value must start with a leading slash (/). The value can be -; anything, but it may not be a good idea to use the .php extension or it -; may conflict with a real PHP file. -; Default Value: not set -pm.status_path = /status - -; The ping URI to call the monitoring page of FPM. If this value is not set, no -; URI will be recognized as a ping page. This could be used to test from outside -; that FPM is alive and responding, or to -; - create a graph of FPM availability (rrd or such); -; - remove a server from a group if it is not responding (load balancing); -; - trigger alerts for the operating team (24/7). -; Note: The value must start with a leading slash (/). The value can be -; anything, but it may not be a good idea to use the .php extension or it -; may conflict with a real PHP file. -; Default Value: not set -;ping.path = /ping - -; This directive may be used to customize the response of a ping request. The -; response is formatted as text/plain with a 200 response code. 
-; Default Value: pong -;ping.response = pong - -; The timeout for serving a single request after which the worker process will -; be killed. This option should be used when the 'max_execution_time' ini option -; does not stop script execution for some reason. A value of '0' means 'off'. -; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) -; Default Value: 0 -;request_terminate_timeout = 0 - -; The timeout for serving a single request after which a PHP backtrace will be -; dumped to the 'slowlog' file. A value of '0s' means 'off'. -; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) -; Default Value: 0 -;request_slowlog_timeout = 0 - -; The log file for slow requests -; Default Value: not set -; Note: slowlog is mandatory if request_slowlog_timeout is set -slowlog = /var/log/php-fpm/www-slow.log - -; Set open file descriptor rlimit. -; Default Value: system defined value -;rlimit_files = 1024 - -; Set max core size rlimit. -; Possible Values: 'unlimited' or an integer greater or equal to 0 -; Default Value: system defined value -;rlimit_core = 0 - -; Chroot to this directory at the start. This value must be defined as an -; absolute path. When this value is not set, chroot is not used. -; Note: chrooting is a great security feature and should be used whenever -; possible. However, all PHP paths will be relative to the chroot -; (error_log, sessions.save_path, ...). -; Default Value: not set -;chroot = - -; Chdir to this directory at the start. This value must be an absolute path. -; Default Value: current directory or / when chroot -;chdir = /var/www - -; Redirect worker stdout and stderr into main error log. If not set, stdout and -; stderr will be redirected to /dev/null according to FastCGI specs. -; Default Value: no -;catch_workers_output = yes - -; Limits the extensions of the main script FPM will allow to parse. This can -; prevent configuration mistakes on the web server side. 
You should only limit -; FPM to .php extensions to prevent malicious users to use other extensions to -; exectute php code. -; Note: set an empty value to allow all extensions. -; Default Value: .php -;security.limit_extensions = .php .php3 .php4 .php5 - -; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from -; the current environment. -; Default Value: clean env -;env[HOSTNAME] = $HOSTNAME -;env[PATH] = /usr/local/bin:/usr/bin:/bin -;env[TMP] = /tmp -;env[TMPDIR] = /tmp -;env[TEMP] = /tmp - -; Additional php.ini defines, specific to this pool of workers. These settings -; overwrite the values previously defined in the php.ini. The directives are the -; same as the PHP SAPI: -; php_value/php_flag - you can set classic ini defines which can -; be overwritten from PHP call 'ini_set'. -; php_admin_value/php_admin_flag - these directives won't be overwritten by -; PHP call 'ini_set' -; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no. - -; Defining 'extension' will load the corresponding shared extension from -; extension_dir. Defining 'disable_functions' or 'disable_classes' will not -; overwrite previously defined php.ini values, but will append the new value -; instead. - -; Default Value: nothing is defined by default except the values in php.ini and -; specified at startup with the -d argument -;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com -;php_flag[display_errors] = off -php_admin_value[error_log] = /var/log/php-fpm/engine-error.log -php_admin_flag[log_errors] = on -php_admin_value[memory_limit] = {{ engine_fpm_memory }} -php_admin_value[post_max_size] = 25M - -; Set session path to a directory owned by process user -php_value[session.save_handler] = files -php_value[session.save_path] = {{ php_session_dir }}/engine -php_value[disable_functions] = {{ php_disabled_functions }} 
diff --git a/roles/engineblock/templates/engine.conf.j2 b/roles/engineblock/templates/engine.conf.j2 deleted file mode 100644 index 6b7b769c1..000000000 --- a/roles/engineblock/templates/engine.conf.j2 +++ /dev/null 
@@ -1,56 +0,0 @@ -{% if apache_app_listen_address.engine is defined %} -Listen {{ apache_app_listen_address.engine }}:{{ loadbalancing.engine.port }} - -{% else %} - -{% endif %} - ServerAdmin {{ admin_email }} - - DocumentRoot {{ engine_current_release_symlink }}/web - ServerName {{ engine_domain }} - - - Require all granted - Options -MultiViews - RewriteEngine On - RewriteBase / - RewriteCond %{REQUEST_FILENAME} !-f - RewriteRule ^(.*)$ app{% if develop %}_dev{% endif %}.php [QSA,L] - - - Header always set X-Content-Type-Options "nosniff" - - SetEnv ENGINEBLOCK_ENV {{ engine_apache_environment }} - SetEnv SYMFONY_ENV {{ engine_apache_symfony_environment }} - SetEnv HTTPS on - - RewriteEngine On - # We support only GET/POST - RewriteCond %{REQUEST_METHOD} !^(POST|GET)$ - RewriteRule .* - [R=405,L] - - #Proxy the requests to FPM - ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/var/run/php-fpm/engine-pool-72.sock|fcgi://localhost/{{ engine_current_release_symlink }}/web/$1 - - ErrorLog "|/usr/bin/logger -S 32k -p local3.err -t 'Apache-EB'" - CustomLog "|/usr/bin/logger -S 32k -p local3.info -t 'Apache-EB'" combined - {% if haproxy_backend_tls %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/backend.{{ base_domain }}.pem - SSLCertificateKeyFile {{ tls.cert_private_path }}/backend.{{ base_domain }}.key - Include ssl_backend.conf - {% endif %} - {% if apache_app_listen_address.all is defined %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/{{ tls_star_cert }} - SSLCertificateKeyFile {{ tls.cert_private_path }}/{{ tls_star_cert_key }} - SSLCertificateChainFile {{ tls.cert_path_ca }}/{{ tls_ca }} - Include ssl_backend.conf - {% endif %} - - ExpiresActive on - ExpiresByType font/* "access plus 1 year" - ExpiresByType image/* "access plus 6 months" - ExpiresByType text/css "access plus 1 year" - ExpiresByType text/js "access plus 1 year" - 
diff --git a/roles/engineblock/templates/selenium-unit.j2 b/roles/engineblock/templates/selenium-unit.j2 deleted file mode 100644 index 29f943cfa..000000000 --- a/roles/engineblock/templates/selenium-unit.j2 +++ /dev/null @@ -1,11 +0,0 @@ -[Unit] -Description=Selenium test framework -After=syslog.target network.target - -[Service] -ExecStart=/usr/bin/java -jar {{ engineblock_selenium_install_dir }}/selenium/selenium-server-standalone-{{ engineblock_selenium_version }}.jar -Dwebdriver.chrome.driver={{ engineblock_selenium_install_dir }}/selenium/chromedriver & -Restart=on-failure -RestartSec=20s - -[Install] -WantedBy=multi-user.target \ No newline at end of file diff --git a/roles/engineblock/vars/docker.yml b/roles/engineblock/vars/main.yml similarity index 100% rename from roles/engineblock/vars/docker.yml rename to roles/engineblock/vars/main.yml From 7b690916eafa3ad57a5f618e89974d3441592745 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Fri, 22 Nov 2024 08:11:49 +0100 Subject: [PATCH 40/59] EB: Add no log option to tasks that would show the eb keys on screen --- roles/engineblock/tasks/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/engineblock/tasks/main.yml b/roles/engineblock/tasks/main.yml index 0376bd638..492329c32 100644 --- a/roles/engineblock/tasks/main.yml +++ b/roles/engineblock/tasks/main.yml @@ -158,6 +158,7 @@ owner: root group: engine mode: "0440" + no_log: true loop: "{{ engine_key_and_certs }}" - name: Copy engineblock certificates to correct location @@ -167,6 +168,7 @@ owner: root group: engine mode: "0644" + no_log: true loop: "{{ engine_key_and_certs }}" - name: Create Docker volume to contain the sessions From c1eb2189c5d4a6c3762353a7a2f5b8636c511ea4 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Fri, 22 Nov 2024 08:12:20 +0100 Subject: [PATCH 41/59] EB: Add memory environment var --- roles/engineblock/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) 
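Review bot: `no_log: true` on the certificate task (second hunk, `@@ -167`) hides all per-item output, including failure details, even though that task only handles public `.crt` files; the secret it actually protects is the `private_key` field carried inside each `engine_key_and_certs` loop item, which Ansible prints verbatim as the item label. `loop_control:` with `label: "{{ item.name }}"` on that task keeps the private key out of the output while leaving copy errors readable. The first hunk (`@@ -158`), where `content:` is the private key itself, does need `no_log: true` as written. Both tasks begin outside their hunks.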
diff --git a/roles/engineblock/tasks/main.yml b/roles/engineblock/tasks/main.yml
index 492329c32..2189ad4c2 100644
--- a/roles/engineblock/tasks/main.yml
+++ b/roles/engineblock/tasks/main.yml
@@ -196,6 +196,7 @@
APACHE_UID: "#{{ engine_uid.uid }}"
APACHE_GUID: "#{{ engine_guid.gid }}"
TZ: "{{ timezone }}"
+ PHP_MEMORY_LIMIT: "{{ engine_php_memory }}"
etc_hosts:
host.docker.internal: host-gateway
mounts:
From 61e4c460721ca2704d829d421cfeb3a86ed5be30 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Sun, 24 Nov 2024 20:07:29 +0100 Subject: [PATCH 42/59] Engineblock: add default php memory setting --- roles/engineblock/defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/roles/engineblock/defaults/main.yml b/roles/engineblock/defaults/main.yml
index c58a30d05..07f906d37 100644
--- a/roles/engineblock/defaults/main.yml
+++ b/roles/engineblock/defaults/main.yml
@@ -105,3 +105,5 @@ eb_tos_url: "https://example.org"
engine_site_notice_show: false

engineblock_log_attributes: []
+
+engine_php_memory: 256M
From 10354e717409b00d2192cb05379e68e8964b4443 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Tue, 26 Nov 2024 08:09:28 +0100 Subject: [PATCH 43/59] Engineblock is moved to a seperate group. This allows running engineblock on seperate docker hosts --- provision.yml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/provision.yml b/provision.yml
index 90b4bfcfb..f8e6b456c 100644
--- a/provision.yml
+++ b/provision.yml
@@ -164,10 +164,14 @@
- { role: stepupra , tags: ['stepupra' , 'stepup'] }
- { role: stepupgateway , tags: ['stepupgateway' , 'stepup'] }

-- hosts: docker
+- hosts: docker_apps1,docker_apps2
become: true
roles:
- { role: docker, tags: ['docker' ] }
+
+- hosts: docker_apps1
+ become: true
+ roles:
- { role: invite, tags: ['invite' ] }
- { role: dashboard, tags: ["dashboard"] }
- { role: teams, tags: ["teams"] }
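Review bot: Replacing `hosts: docker` with `hosts: docker_apps1,docker_apps2` in the provision.yml hunk (`@@ -164`) renames the inventory group every existing inventory targets, so an inventory that has not yet added the two new groups gets a "could not match supplied host pattern" warning and runs none of these plays. Keeping `docker` as a parent group with `docker_apps1` and `docker_apps2` as children, and leaving the docker-role play on `hosts: docker`, stays compatible with current inventories while still allowing engineblock to land on separate hosts; the second hunk at `@@ -183` depends on `docker_apps2` existing in the same way. Whether the project's inventories already define these groups is not visible here.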
@@ -183,8 +187,12 @@ - { role: diyidp, tags: ["diyidp"] } - { role: profile, tags: ["profile"] } - { role: lifecycle, tags: ["lifecycle"] } - - { role: engineblock, tags: ["eb"] } - { role: stepuptiqr, tags: ['stepuptiqr' , 'stepup'] } +- hosts: docker_apps2 + become: true + roles: + - { role: engineblock, tags: ["eb"] } + - import_playbook: "{{ environment_dir }}/playbook.yml" From 2030a8231fcc803cc5c13c6745acca83a5ea133a Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Thu, 14 Nov 2024 14:42:39 +0100 Subject: [PATCH 44/59] Add small MariaDB docker role, for running on a single node --- roles/mariadbdocker/defaults/main.yml | 3 + roles/mariadbdocker/tasks/main.yml | 96 +++++++++++++++++++ .../templates/mariadb_backup.sh.j2 | 49 ++++++++++ 3 files changed, 148 insertions(+) create mode 100644 roles/mariadbdocker/defaults/main.yml create mode 100644 roles/mariadbdocker/tasks/main.yml create mode 100644 roles/mariadbdocker/templates/mariadb_backup.sh.j2 diff --git a/roles/mariadbdocker/defaults/main.yml b/roles/mariadbdocker/defaults/main.yml new file mode 100644 index 000000000..4a346be37 --- /dev/null +++ b/roles/mariadbdocker/defaults/main.yml @@ -0,0 +1,3 @@ +docker_mariadb_network_range: "172.21.21.0/24" +mysql_backup_user: backup_user +backup_node: True diff --git a/roles/mariadbdocker/tasks/main.yml b/roles/mariadbdocker/tasks/main.yml new file mode 100644 index 000000000..a50f3723a --- /dev/null +++ b/roles/mariadbdocker/tasks/main.yml 
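Review bot: `backup_node: True` in the new mariadbdocker defaults uses the capitalised YAML 1.1 boolean form, which yamllint's `truthy` rule flags and which differs from the lowercase `true`/`false` used in the other defaults files touched by this series; write `backup_node: true`. The new file also omits the leading `---` document marker that the role's tasks/main.yml in the next hunk starts with, so adding it keeps the role's files consistent.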
@@ -0,0 +1,96 @@ +--- +- name: Create MariaDB volume + community.docker.docker_volume: + name: openconext_mariadb + state: present + +- name: Create MariaDB network + community.docker.docker_network: + name: openconext_mariadb + state: present + internal: false + ipam_config: + - subnet: "{{ docker_mariadb_network_range }}" + +- name: Create the MariaDB container + community.docker.docker_container: + name: openconext_mariadb + image: mariadb:10.6 + state: started + pull: true + restart_policy: "always" + ports: "127.0.0.1:3306:3306" + networks: + - name: "openconext_mariadb" + mounts: + - type: volume + source: openconext_mariadb + target: /var/lib/mysql + env: + MARIADB_ROOT_PASSWORD: "{{ mariadb_root_password }}" + +- name: Create database + community.mysql.mysql_db: + name: "{{ item }}" + state: present + login_user: root + login_host: localhost + login_password: "{{ mariadb_root_password }}" + with_items: + - "{{ databases.names }}" + +- name: Create database user + community.mysql.mysql_user: + name: "{{ item[0].name }}" + host: "{{ item[1] }}" + password: "{{ item[0].password }}" + priv: "{{ item[0].db_name }}.*:{{ item[0].privilege }}" + state: present + append_privs: true + login_user: root + login_host: localhost + login_password: "{{ mariadb_root_password }}" + # no_log: true + with_nested: + - "{{ databases.users }}" + - "{{ database_clients }}" + +- name: Add mariadb backup user + community.mysql.mysql_user: + name: "{{ mysql_backup_user }}" + password: "{{ mysql_backup_password }}" + login_user: root + login_password: "{{ mariadb_root_password }}" + login_host: localhost + priv: "*.*:SELECT,RELOAD,PROCESS,LOCK TABLES,BINLOG MONITOR,CONNECTION ADMIN,SHOW VIEW" + state: present + # no_log: true + +- name: Create the backup directory + ansible.builtin.file: + path: /home/backup + state: directory + owner: root + group: root + mode: "0700" + when: + - backup_node | bool + +- name: Put mariadb_backup script + ansible.builtin.template: + src: 
"mariadb_backup.sh.j2" + dest: "/usr/local/sbin/mariadb_backup.sh" + mode: "0700" + owner: root + when: + - backup_node | bool + +- name: Create cron symlink for backup script + file: + src: /usr/local/sbin/mariadb_backup.sh + dest: /etc/cron.daily/db_backup + state: link + mode: 0700 + owner: root + when: + - backup_node | bool diff --git a/roles/mariadbdocker/templates/mariadb_backup.sh.j2 b/roles/mariadbdocker/templates/mariadb_backup.sh.j2 new file mode 100644 index 000000000..43efffdea --- /dev/null +++ b/roles/mariadbdocker/templates/mariadb_backup.sh.j2 
@@ -0,0 +1,49 @@ +#!/bin/bash + +umask 0077 + +declare -x PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin + +MYSQL_USER="{{ mysql_backup_user }}" +MYSQL_PASS="{{ mysql_backup_password }}" +FOLDER="/home/backup" + +DAY=$(/bin/date +'%a') + +echo "-- Remove old backups --" +find /home/backup/ -type f -ctime +2 -delete + +echo "-- START new backups --" + +echo "SET autocommit=0;SET unique_checks=0;SET foreign_key_checks=0;" > tmp_sqlhead.sql +echo "SET autocommit=1;SET unique_checks=1;SET foreign_key_checks=1;" > tmp_sqlend.sql + +if [ -z "$1" ] + then + echo "-- Dumping all DB ..." + for I in $(docker exec openconext_mariadb mariadb -u $MYSQL_USER --password=$MYSQL_PASS -e 'show databases' -s --skip-column-names); + do + if [ "$I" = information_schema ] || [ "$I" = mysql ] || [ "$I" = sys ] || [ "$I" = performance_schema ] # exclude this DB + then + echo "-- Skip $I ..." + continue + fi + echo "-- Dumping $I ..." + # Pipe compress and concat the head/end with the stoutput of mysqlump ( '-' cat argument) + docker exec openconext_mariadb mysqldump -u $MYSQL_USER --password=$MYSQL_PASS $I | cat tmp_sqlhead.sql - tmp_sqlend.sql | gzip -fc > "$FOLDER/$DAY-$I.sql.gz" + done + +else + I=$1; + echo "-- Dumping $I ..." + # Pipe compress and concat the head/end with the stoutput of mysqlump ( '-' cat argument) + docker exec openconext_mariadb mysqldump -u $MYSQL_USER --password=$MYSQL_PASS $I | cat tmp_sqlhead.sql - tmp_sqlend.sql | gzip -fc > "$FOLDER/$DAY-$I.sql.gz" +fi + +# remove tmp files +rm tmp_sqlhead.sql +rm tmp_sqlend.sql + +echo "-- FINISH —" + +umask 0022 From 6cfc49eedbc43296041f44508485581fd6526dcc Mon Sep 17 00:00:00 2001 From: Peter Havekes Date: Fri, 29 Nov 2024 16:02:08 +0100 Subject: [PATCH 45/59] Overwrite apple-app-site-association for myconext --- roles/myconext/tasks/main.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) 
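Review bot: Both `docker exec … mysqldump -u $MYSQL_USER --password=$MYSQL_PASS` lines (and the `mariadb … -e 'show databases'` enumeration) pass the backup password on the command line, where it is readable in the argument list of the `docker` process on the host and of the client inside the container for the duration of every dump; handing it over through the environment with `docker exec -e MYSQL_PWD="$MYSQL_PASS"` keeps it out of `ps`. The script also writes `tmp_sqlhead.sql`/`tmp_sqlend.sql` relative to whatever working directory cron happens to give it, and without `set -euo pipefail` a failing `mysqldump` in the pipeline still leaves a plausible-looking `$DAY-$I.sql.gz` containing only the header and footer statements. The rewrite below keeps the temporary files under `$FOLDER` (already covered by `umask 0077`), removes them on any exit path, and fails loudly; note that `set -u` requires `"${1:-}"` in the argument test.

```shell
#!/bin/bash
set -euo pipefail
umask 0077
# … unchanged: PATH, MYSQL_USER, MYSQL_PASS, FOLDER, DAY, removal of old backups …

# Hand the password to the client through the environment, never through argv.
mdb() { docker exec -e MYSQL_PWD="$MYSQL_PASS" openconext_mariadb "$@"; }

# Temp files live in the backup directory, not in cron's cwd, and go away on any exit.
TMP=$(mktemp -d "$FOLDER/.tmp.XXXXXX")
trap 'rm -rf "$TMP"' EXIT
echo "SET autocommit=0;SET unique_checks=0;SET foreign_key_checks=0;" > "$TMP/head.sql"
echo "SET autocommit=1;SET unique_checks=1;SET foreign_key_checks=1;" > "$TMP/end.sql"

if [ -z "${1:-}" ]; then
  echo "-- Dumping all DB ..."
  for I in $(mdb mariadb -u "$MYSQL_USER" -e 'show databases' -s --skip-column-names); do
    # … unchanged: skip list for information_schema / mysql / sys / performance_schema …
    echo "-- Dumping $I ..."
    mdb mysqldump -u "$MYSQL_USER" "$I" | cat "$TMP/head.sql" - "$TMP/end.sql" | gzip -fc > "$FOLDER/$DAY-$I.sql.gz"
  done
else
  I=$1
  echo "-- Dumping $I ..."
  mdb mysqldump -u "$MYSQL_USER" "$I" | cat "$TMP/head.sql" - "$TMP/end.sql" | gzip -fc > "$FOLDER/$DAY-$I.sql.gz"
fi
# … unchanged: FINISH message, umask reset …
```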
diff --git a/roles/myconext/tasks/main.yml b/roles/myconext/tasks/main.yml index c5d424713..e37729542 100644 --- a/roles/myconext/tasks/main.yml +++ b/roles/myconext/tasks/main.yml @@ -46,6 +46,14 @@ notify: - "restart myconextserver" +- name: Copy apple-app-site-association from inventory + ansible.builtin.copy: + src: "{{ inventory_dir }}/files/myconext/apple-app-site-association" + dest: "/opt/openconext/myconext/apple-app-site-association" + owner: "root" + group: "root" + mode: "0640" + - name: Copy / create APNS certificate ansible.builtin.copy: content: "{{ myconext_apns }}" @@ -153,6 +161,9 @@ - source: /opt/openconext/common/favicon.ico target: /var/www/favicon.ico type: bind + - source: /opt/openconext/myconext/apple-app-site-association + target: /var/www/.well-known/apple-app-site-association + type: bind env: HTTPD_CSP: "{{ httpd_csp.lenient_with_static_img }}" HTTPD_SERVERNAME: "mijn.{{ myconext_base_domain }}" From 0fe40fb5cb7d7a93729c2c92fe118df8c17b8ada Mon Sep 17 00:00:00 2001 From: Peter Havekes Date: Fri, 29 Nov 2024 16:13:10 +0100 Subject: [PATCH 46/59] Overwrite apple-app-site-association for myconext --- roles/myconext/tasks/main.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/roles/myconext/tasks/main.yml b/roles/myconext/tasks/main.yml index e37729542..fc2145af9 100644 --- a/roles/myconext/tasks/main.yml +++ b/roles/myconext/tasks/main.yml @@ -161,9 +161,7 @@ - source: /opt/openconext/common/favicon.ico target: /var/www/favicon.ico type: bind - - source: /opt/openconext/myconext/apple-app-site-association - target: /var/www/.well-known/apple-app-site-association - type: bind + env: HTTPD_CSP: "{{ httpd_csp.lenient_with_static_img }}" HTTPD_SERVERNAME: "mijn.{{ myconext_base_domain }}" 
@@ -200,6 +198,9 @@ - source: /opt/openconext/common/favicon.ico target: /var/www/favicon.ico type: bind + - source: /opt/openconext/myconext/apple-app-site-association + target: /var/www/.well-known/apple-app-site-association + type: bind env: HTTPD_CSP: "{{ httpd_csp.lenient_with_static_img_for_idp }}" From fdaf26bc232286b036d0a7f96d7c86ecd9642eff Mon Sep 17 00:00:00 2001 From: Peter Havekes Date: Fri, 29 Nov 2024 16:15:55 +0100 Subject: [PATCH 47/59] Overwrite apple-app-site-association for myconext - file rights --- roles/myconext/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/myconext/tasks/main.yml b/roles/myconext/tasks/main.yml index fc2145af9..c3559244e 100644 --- a/roles/myconext/tasks/main.yml +++ b/roles/myconext/tasks/main.yml @@ -52,7 +52,7 @@ dest: "/opt/openconext/myconext/apple-app-site-association" owner: "root" group: "root" - mode: "0640" + mode: "0644" - name: Copy / create APNS certificate ansible.builtin.copy: From 01f8d3e11fbd4894833274dbd9e63e966d3b1ecc Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Mon, 2 Dec 2024 10:53:06 +0100 Subject: [PATCH 48/59] EB: Run the container handler only when the docker task has not restarted it already --- roles/engineblock/handlers/main.yml | 1 + roles/engineblock/tasks/main.yml | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/engineblock/handlers/main.yml b/roles/engineblock/handlers/main.yml index 6ab193b9f..562fae00c 100644 --- a/roles/engineblock/handlers/main.yml +++ b/roles/engineblock/handlers/main.yml @@ -4,3 +4,4 @@ name: engine state: started restart: true + when: ebcontainer is success and ebcontainer is not change diff --git a/roles/engineblock/tasks/main.yml b/roles/engineblock/tasks/main.yml index 2189ad4c2..226d2f815 100644 --- a/roles/engineblock/tasks/main.yml +++ b/roles/engineblock/tasks/main.yml 
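Review bot: The new `when: ebcontainer is success and ebcontainer is not change` on the engineblock restart handler assumes `ebcontainer` is always registered, but it is only set by the container task in tasks/main.yml; on a run where that task does not execute (for example a tag-limited run that only re-templates configuration and notifies the handler), the conditional fails with an undefined-variable error instead of restarting the container. Guard the variable first: `when: ebcontainer is not defined or (ebcontainer is success and ebcontainer is not changed)`. `change` is an alias of the `changed` test, so the current spelling works, but the canonical name is what readers will look for.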
@@ -196,7 +196,7 @@ APACHE_UID: "#{{ engine_uid.uid }}" APACHE_GUID: "#{{ engine_guid.gid }}" TZ: "{{ timezone }}" - PHP_MEMORY_LIMIT: "{{ engine_php_memory }}" + PHP_MEMORY_LIMIT: "{{ engine_php_memory }}" etc_hosts: host.docker.internal: host-gateway mounts: @@ -230,3 +230,4 @@ - source: engineblock_sessions target: /tmp/ type: volume + register: ebcontainer From ebdde8807e83b9c3d9cfe0c7c98f78f4e02740c9 Mon Sep 17 00:00:00 2001 
From: Bart Geesink Date: Mon, 2 Dec 2024 10:27:28 +0100 Subject: [PATCH 49/59] All apps that have a MariaDB connection now have the ability to use an internal Docker network to connect to a local MariaDB host in Docker --- roles/attribute-aggregation/defaults/main.yml | 2 ++ roles/attribute-aggregation/tasks/main.yml | 10 ++++++++-- roles/engineblock/defaults/main.yml | 2 ++ roles/engineblock/tasks/main.yml | 10 ++++++++-- roles/invite/defaults/main.yml | 2 ++ roles/invite/tasks/main.yml | 15 ++++++++++----- roles/lifecycle/defaults/main.yml | 2 ++ roles/lifecycle/tasks/main.yml | 10 ++++++++-- roles/manage/defaults/main.yml | 2 ++ roles/manage/tasks/main.yml | 10 ++++++++-- roles/pdp/defaults/main.yml | 2 ++ roles/pdp/tasks/main.yml | 12 +++++++++--- roles/spdashboard/defaults/main.yml | 2 ++ roles/spdashboard/tasks/main.yml | 12 +++++++----- roles/stepupgateway/defaults/main.yml | 2 ++ roles/stepupgateway/tasks/main.yml | 10 ++++++++-- roles/stepupmiddleware/defaults/main.yml | 2 ++ roles/stepupmiddleware/tasks/docker.yml | 10 ++++++++-- roles/stepuptiqr/defaults/main.yml | 2 ++ roles/stepuptiqr/tasks/main.yml | 14 ++++++++++---- roles/stepupwebauthn/defaults/main.yml | 2 ++ roles/stepupwebauthn/tasks/main.yml | 10 ++++++++-- roles/teams/defaults/main.yml | 4 +++- roles/teams/tasks/main.yml | 10 ++++++++-- 24 files changed, 125 insertions(+), 34 deletions(-) create mode 100644 roles/stepupgateway/defaults/main.yml create mode 100644 roles/stepupmiddleware/defaults/main.yml create mode 100644 roles/stepuptiqr/defaults/main.yml create mode 100644 roles/stepupwebauthn/defaults/main.yml diff --git a/roles/attribute-aggregation/defaults/main.yml b/roles/attribute-aggregation/defaults/main.yml index c8fa91b23..d5bae0b6e 100644 --- a/roles/attribute-aggregation/defaults/main.yml +++ b/roles/attribute-aggregation/defaults/main.yml 
@@ -9,3 +9,5 @@ aa_manage_provision_oidcrp_description_en: "OAuth client to access VOOT for grou aa_manage_provision_oidcrp_grants: "client_credentials" aa_manage_provision_oidcrp_allowed_resource_servers: '{"name": "{{ voot.oidcng_checkToken_clientId }}"}' aa_spring_flyway_enabled: true +aa_docker_networks: + - name: loadbalancer diff --git a/roles/attribute-aggregation/tasks/main.yml b/roles/attribute-aggregation/tasks/main.yml index ab79fefe6..eded44567 100644 --- a/roles/attribute-aggregation/tasks/main.yml +++ b/roles/attribute-aggregation/tasks/main.yml @@ -21,6 +21,13 @@ - apachelink.conf notify: restart attribute-aggregationserver +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + aa_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool + - name: Create and start the server container community.docker.docker_container: name: aaserver @@ -28,8 +35,7 @@ pull: true restart_policy: "always" state: started - networks: - - name: "loadbalancer" + networks: "{{ aa_docker_networks }}" mounts: - source: /opt/openconext/attribute-aggregation/serverapplication.yml target: /application.yml diff --git a/roles/engineblock/defaults/main.yml b/roles/engineblock/defaults/main.yml index 07f906d37..f267d051d 100644 --- a/roles/engineblock/defaults/main.yml +++ b/roles/engineblock/defaults/main.yml @@ -107,3 +107,5 @@ engine_site_notice_show: false engineblock_log_attributes: [] engine_php_memory: 256M +engine_docker_networks: + - name: loadbalancer diff --git a/roles/engineblock/tasks/main.yml b/roles/engineblock/tasks/main.yml index 2189ad4c2..7724de46e 100644 --- a/roles/engineblock/tasks/main.yml +++ b/roles/engineblock/tasks/main.yml 
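Review bot: The `set_fact` that adds `openconext_mariadb` replaces `aa_docker_networks` with a hard-coded two-entry list, so any inventory override of the role default (an additional network, or a differently named load-balancer network) is silently discarded whenever `mariadb_in_docker` is true. Appending to the current value keeps both the default and any override intact: `aa_docker_networks: "{{ aa_docker_networks + [{'name': 'openconext_mariadb'}] }}"`. The same pattern is repeated in the engineblock, invite, lifecycle, manage, pdp, spdashboard, stepupgateway, stepupmiddleware, stepuptiqr, stepupwebauthn and teams task hunks of this patch, so the fix applies to each of them; while there, `"{{ engine_docker_networks}}"` and `"{{ manage_docker_networks}}"` are missing the space before `}}` that the other roles use.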
@@ -176,14 +176,20 @@ name: engineblock_sessions state: present +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + engine_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool + - name: Create the container community.docker.docker_container: name: "engineblock" image: ghcr.io/openconext/openconext-engineblock/openconext-engineblock:{{ engine_version }} pull: true restart_policy: "always" - networks: - - name: "loadbalancer" + networks: "{{ engine_docker_networks}}" labels: traefik.http.routers.engine.rule: "Host(`engine.{{ base_domain }}`)" traefik.http.routers.engine.service: "engineblock" diff --git a/roles/invite/defaults/main.yml b/roles/invite/defaults/main.yml index 60e35df36..71b3c9b3e 100644 --- a/roles/invite/defaults/main.yml +++ b/roles/invite/defaults/main.yml @@ -15,3 +15,5 @@ invite_manage_provision_oauth_rs_scopes: "openid" invite_mock_install: false # Override is in the dockerX.env host_var files invite_cronjobmaster: true +invite_docker_networks: + - name: loadbalancer diff --git a/roles/invite/tasks/main.yml b/roles/invite/tasks/main.yml index a0b4b7232..06142a85e 100644 --- a/roles/invite/tasks/main.yml +++ b/roles/invite/tasks/main.yml @@ -48,6 +48,13 @@ when: invite_mock_install notify: restart inviteprovisioningmock +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + invite_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool + - name: Create and start the server container community.docker.docker_container: name: inviteserver @@ -57,8 +64,7 @@ pull: true restart_policy: "always" state: started - networks: - - name: "loadbalancer" + networks: "{{ invite_docker_networks }}" mounts: - source: /opt/openconext/invite/serverapplication.yml target: /application.yml 
@@ -80,7 +86,6 @@ start_period: 10s register: inviteservercontainer - - name: Create the client container community.docker.docker_container: name: inviteclient @@ -133,6 +138,7 @@ env: HTTPD_CSP: "{{ httpd_csp.strict_with_static_img }}" + - name: Create and start the mock provisioning container community.docker.docker_container: name: inviteprovisioningmock @@ -148,8 +154,7 @@ - source: /etc/localtime target: /etc/localtime type: bind - networks: - - name: "loadbalancer" + networks: "{{ invite_docker_networks }}" labels: traefik.http.routers.invitemock.rule: "Host(`mock.{{ base_domain }}`)" traefik.http.routers.invitemock.tls: "true" diff --git a/roles/lifecycle/defaults/main.yml b/roles/lifecycle/defaults/main.yml index 1338bd91c..cdf563af1 100644 --- a/roles/lifecycle/defaults/main.yml +++ b/roles/lifecycle/defaults/main.yml @@ -11,3 +11,5 @@ lifecycle_api_enabled: true lifecycle_api_password: secret lifecycle_api_username: lifecycle current_release_config_dir_name: /opt/openconext/{{ appname }} +lifecycle_docker_networks: + - name: loadbalancer diff --git a/roles/lifecycle/tasks/main.yml b/roles/lifecycle/tasks/main.yml index 011a3f3aa..102dcccbb 100644 --- a/roles/lifecycle/tasks/main.yml +++ b/roles/lifecycle/tasks/main.yml @@ -33,6 +33,13 @@ notify: - restart {{ appname }} +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + lifecycle_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool + - name: Create the container community.docker.docker_container: name: "{{ appname }}" @@ -41,8 +48,7 @@ host.docker.internal: host-gateway pull: true restart_policy: "always" - networks: - - name: "loadbalancer" + networks: "{{ lifecycle_docker_networks }}" labels: traefik.http.routers.lifecycle.rule: "Host(`lifecycle.{{ base_domain }}`)" traefik.http.routers.lifecycle.tls: "true" 
diff --git a/roles/manage/defaults/main.yml b/roles/manage/defaults/main.yml index ef5c4271d..a2de6442d 100644 --- a/roles/manage/defaults/main.yml +++ b/roles/manage/defaults/main.yml @@ -30,3 +30,5 @@ manage_tabs_enabled: - single_tenant_template - provisioning - sram +manage_docker_networks: + - name: loadbalancer diff --git a/roles/manage/tasks/main.yml b/roles/manage/tasks/main.yml index 9a4132c42..292744a11 100644 --- a/roles/manage/tasks/main.yml +++ b/roles/manage/tasks/main.yml @@ -72,6 +72,13 @@ notify: - "restart manageserver" +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + manage_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool + - name: Create and start the server container community.docker.docker_container: name: manageserver @@ -80,8 +87,7 @@ pull: true restart_policy: "always" state: started - networks: - - name: "loadbalancer" + networks: "{{ manage_docker_networks}}" mounts: - source: /opt/openconext/manage/ target: /config/ diff --git a/roles/pdp/defaults/main.yml b/roles/pdp/defaults/main.yml index 4f548db6a..687f5f5ee 100644 --- a/roles/pdp/defaults/main.yml +++ b/roles/pdp/defaults/main.yml @@ -21,3 +21,5 @@ pdp_manage_provision_samlsp_trusted_proxy: false pdp_manage_provision_samlsp_sign: false pdp_spring_flyway_enabled: true pdp_manage_push_testmode: true +pdp_docker_networks: + -name: loadbalancer diff --git a/roles/pdp/tasks/main.yml b/roles/pdp/tasks/main.yml index b1e81edaf..086a6b0f1 100644 --- a/roles/pdp/tasks/main.yml +++ b/roles/pdp/tasks/main.yml 
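Review bot: `-name: loadbalancer` under `pdp_docker_networks:` in roles/pdp/defaults/main.yml is missing the space after the dash, so YAML parses it as a mapping with the key `-name` rather than a one-item list; when `mariadb_in_docker` is false the pdpserver container task receives a dict for `networks:` and will fail or attach no network at all. It should read `  - name: loadbalancer`, matching the other roles' defaults in this patch. Separately, `middelware_docker_networks` in the stepupmiddleware defaults and tasks is misspelled consistently, so it works, but renaming it to `middleware_docker_networks` now is cheaper than after inventories start overriding it.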
@@ -20,6 +20,13 @@ - xacml.conext.properties notify: restart pdpserver +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + pdp_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool + - name: Create and start the server container community.docker.docker_container: name: pdpserver @@ -29,8 +36,7 @@ pull: true restart_policy: "always" state: started - networks: - - name: "loadbalancer" + networks: "{{ pdp_docker_networks }}" mounts: - source: /opt/openconext/pdp/serverapplication.properties target: /application.properties @@ -59,7 +65,7 @@ retries: 3 start_period: 10s register: pdpservercontainer - + - name: Create the gui container community.docker.docker_container: name: pdpgui diff --git a/roles/spdashboard/defaults/main.yml b/roles/spdashboard/defaults/main.yml index 9548590a0..bb1c0f3c5 100644 --- a/roles/spdashboard/defaults/main.yml +++ b/roles/spdashboard/defaults/main.yml @@ -37,3 +37,5 @@ spdashboard_oidcng_playground_uri_test: https://oidc-playground.dev.support.surf spdashboard_oidcng_playground_uri_prod: https://oidc-playground.dev.support.surfconext.nl/redirect spdashboard_show_global_notice: False spdashboard_global_notice_date: "01-01-2020" +spdashboard_docker_networks: + - name: loadbalancer diff --git a/roles/spdashboard/tasks/main.yml b/roles/spdashboard/tasks/main.yml index f6cfbaaab..d11b11edd 100644 --- a/roles/spdashboard/tasks/main.yml +++ b/roles/spdashboard/tasks/main.yml @@ -15,9 +15,12 @@ group: root mode: 0644 -- name: Create the spdashboard container network - docker_network: - name: "spdashboard" +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + spdashboard_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool - name: Create the container docker_container: 
@@ -26,8 +29,7 @@ env_file: "/opt/openconext/spdashboard/env" pull: true restart_policy: "always" - networks: - - name: "loadbalancer" + networks: "{{ spdashboard_docker_networks }}" labels: traefik.http.routers.spdashboard.rule: "Host(`{{ spdashboard_domain }}`)" traefik.http.routers.spdashboard.tls: "true" diff --git a/roles/stepupgateway/defaults/main.yml b/roles/stepupgateway/defaults/main.yml new file mode 100644 index 000000000..fc9eb42f3 --- /dev/null +++ b/roles/stepupgateway/defaults/main.yml @@ -0,0 +1,2 @@ +gateway_docker_networks: + - name: loadbalancer diff --git a/roles/stepupgateway/tasks/main.yml b/roles/stepupgateway/tasks/main.yml index fe01380d9..f101649d8 100644 --- a/roles/stepupgateway/tasks/main.yml +++ b/roles/stepupgateway/tasks/main.yml @@ -109,14 +109,20 @@ owner: "{{ appname }}" mode: "0600" +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + gateway_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool + - name: Create the container community.docker.docker_container: name: "{{ appname }}" image: ghcr.io/openconext/stepup-gateway/stepup-gateway:{{ gateway_version }} pull: true restart_policy: "always" - networks: - - name: "loadbalancer" + networks: "{{ gateway_docker_networks }}" labels: traefik.http.routers.gateway.rule: "Host(`{{ gateway_vhost_name }}`)" traefik.http.routers.gateway.tls: "true" diff --git a/roles/stepupmiddleware/defaults/main.yml b/roles/stepupmiddleware/defaults/main.yml new file mode 100644 index 000000000..a9bed70fa --- /dev/null +++ b/roles/stepupmiddleware/defaults/main.yml @@ -0,0 +1,2 @@ +middelware_docker_networks: + - name: loadbalancer diff --git a/roles/stepupmiddleware/tasks/docker.yml b/roles/stepupmiddleware/tasks/docker.yml index 443ecd4b7..48eba81bd 100644 --- a/roles/stepupmiddleware/tasks/docker.yml +++ b/roles/stepupmiddleware/tasks/docker.yml 
@@ -36,14 +36,20 @@ notify: - restart {{ appname }} +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + middelware_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool + - name: Create the container community.docker.docker_container: name: "{{ appname }}" image: ghcr.io/openconext/stepup-middleware/stepup-middleware:{{ middleware_version }} pull: true restart_policy: "always" - networks: - - name: "loadbalancer" + networks: "{{ middelware_docker_networks }}" labels: traefik.http.routers.middleware.rule: "Host(`{{ middleware_vhost_name }}`)" traefik.http.routers.middleware.tls: "true" diff --git a/roles/stepuptiqr/defaults/main.yml b/roles/stepuptiqr/defaults/main.yml new file mode 100644 index 000000000..9ebaecc27 --- /dev/null +++ b/roles/stepuptiqr/defaults/main.yml @@ -0,0 +1,2 @@ +tiqr_docker_networks: + - name: loadbalancer diff --git a/roles/stepuptiqr/tasks/main.yml b/roles/stepuptiqr/tasks/main.yml index dfed7faf2..52608184d 100644 --- a/roles/stepuptiqr/tasks/main.yml +++ b/roles/stepuptiqr/tasks/main.yml @@ -45,11 +45,11 @@ when: tiqr_apns_pemfile is defined - name: Write tiqr Firebase service json - copy: + ansible.builtin.copy: src: "{{ inventory_dir }}/secrets/stepup/tiqr-demo.json" dest: "{{ current_release_config_file_dir_name }}/tiqr-demo.json" owner: "{{ appname }}" - mode: 0400 + mode: "0400" when: tiqr_firebase_credentialsfile is defined - name: Place parameters.yml 
@@ -62,14 +62,20 @@ notify: - restart tiqr +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + tiqr_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool + - name: Create the container community.docker.docker_container: name: "{{ appname }}" image: ghcr.io/openconext/stepup-tiqr/stepup-tiqr:{{ tiqr_version }} pull: true restart_policy: "always" - networks: - - name: "loadbalancer" + networks: "{{ tiqr_docker_networks }}" labels: traefik.http.routers.tiqr.rule: "Host(`tiqr.{{ base_domain }}`)" traefik.http.routers.tiqr.tls: "true" diff --git a/roles/stepupwebauthn/defaults/main.yml b/roles/stepupwebauthn/defaults/main.yml new file mode 100644 index 000000000..98c9f7204 --- /dev/null +++ b/roles/stepupwebauthn/defaults/main.yml @@ -0,0 +1,2 @@ +webauthn_docker_networks: + - name: loadbalancer diff --git a/roles/stepupwebauthn/tasks/main.yml b/roles/stepupwebauthn/tasks/main.yml index 0e63f21e6..a0bfbb3d1 100644 --- a/roles/stepupwebauthn/tasks/main.yml +++ b/roles/stepupwebauthn/tasks/main.yml @@ -97,14 +97,20 @@ with_items: - "01-webauthn-db_init.sh" +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + webauthn_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool + - name: Create the container community.docker.docker_container: name: "{{ appname }}" image: ghcr.io/openconext/stepup-webauthn/stepup-webauthn:{{ webauthn_version }} pull: true restart_policy: "always" - networks: - - name: "loadbalancer" + networks: "{{ webauthn_docker_networks }}" labels: traefik.http.routers.webauthn.rule: "Host(`webauthn.{{ base_domain }}`)" traefik.http.routers.webauthn.tls: "true" diff --git a/roles/teams/defaults/main.yml b/roles/teams/defaults/main.yml index c88534d92..60d344650 100644 
--- a/roles/teams/defaults/main.yml +++ b/roles/teams/defaults/main.yml @@ -8,7 +8,7 @@ teams_tos_en: https://example.org teams_tos_nl: https://example.org teams_tos_pt: https://example.org teams_main_link: https://www.openconext.org -teams_organization: "{{ instance_name}}" +teams_organization: "{{ instance_name }}" teams_api_lifecycle_username: teams_api_lifecycle_user teams_oauth2_token_url: "https://connect.{{ base_domain }}/oidc/token" teams_authz_client_id: "teams.{{ base_domain }}" @@ -27,3 +27,5 @@ teams_manage_provision_samlsp_sp_cert: "" teams_manage_provision_samlsp_trusted_proxy: false teams_manage_provision_samlsp_sign: false teams_spring_flyway_enabled: true +teams_docker_networks: + - name: "loadbalancer" diff --git a/roles/teams/tasks/main.yml b/roles/teams/tasks/main.yml index 7561fe6bb..2e250d0af 100644 --- a/roles/teams/tasks/main.yml +++ b/roles/teams/tasks/main.yml @@ -19,6 +19,13 @@ - logback.xml notify: restart teamsserver +- name: Add the MariaDB docker network to the list of networks when MariaDB runs in Docker + ansible.builtin.set_fact: + teams_docker_networks: + - name: loadbalancer + - name: openconext_mariadb + when: mariadb_in_docker | default(false) | bool + - name: Create and start the server container community.docker.docker_container: name: teamsserver @@ -28,8 +35,7 @@ pull: true restart_policy: "always" state: started - networks: - - name: "loadbalancer" + networks: "{{ teams_docker_networks }}" mounts: - source: /opt/openconext/teams/serverapplication.yml target: /application.yml From ec015720b018b5ab3ddb2ecc7df0477155d704aa Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Mon, 2 Dec 2024 10:32:51 +0100 Subject: [PATCH 50/59] Mariadb docker: Add a mariadb config file --- roles/mariadbdocker/files/settings.cnf | 2 ++ roles/mariadbdocker/tasks/main.yml | 18 ++++++++++++++++++ 2 files changed, 20 insertions(+) create mode 100644 roles/mariadbdocker/files/settings.cnf 
diff --git a/roles/mariadbdocker/files/settings.cnf b/roles/mariadbdocker/files/settings.cnf new file mode 100644 index 000000000..84a706c29 --- /dev/null +++ b/roles/mariadbdocker/files/settings.cnf @@ -0,0 +1,2 @@ +[mariadb] +sql_mode=NO_ENGINE_SUBSTITUTION diff --git a/roles/mariadbdocker/tasks/main.yml b/roles/mariadbdocker/tasks/main.yml index a50f3723a..cd748f83f 100644 --- a/roles/mariadbdocker/tasks/main.yml +++ b/roles/mariadbdocker/tasks/main.yml @@ -3,6 +3,21 @@ community.docker.docker_volume: name: openconext_mariadb state: present +- name: Create MariaDB config dir + ansible.builtin.file: + path: /opt/openconext/mariadb/ + owner: root + group: root + mode: "0755" + state: directory + +- name: Copy mariadb config file + ansible.builtin.copy: + src: settings.cnf + dest: /opt/openconext/mariadb/settings.cnf + owner: root + group: root + mode: "0644" - name: Create MariaDB network community.docker.docker_network: @@ -26,6 +41,9 @@ - type: volume source: openconext_mariadb target: /var/lib/mysql + - type: bind + source: /opt/openconext/mariadb/settings.cnf + target: /etc/mysql/conf.d/settings.cnf env: MARIADB_ROOT_PASSWORD: "{{ mariadb_root_password }}" From fa109b3f5731b241ad7331a7c8ec61ebba39994a Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Wed, 4 Dec 2024 14:19:17 +0100 Subject: [PATCH 51/59] Added ribbon env variables for myconext --- roles/myconext/templates/application.yml.j2 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2 index 2502621b8..0c99f6c9f 100644 --- a/roles/myconext/templates/application.yml.j2 +++ b/roles/myconext/templates/application.yml.j2 @@ -223,6 +223,11 @@ spring: main: banner-mode: "off" +gui: + disclaimer: + background-color: {{ environment_ribbon_colour }} + content: {{ environment_shortname }} + # We disable all endpoints except health for the load-balancer and info for git information. management: health: 
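Review bot: The "Copy mariadb config file" task has no `notify`, and the new bind mount only makes the container read `settings.cnf` at startup, so a later edit to the file is copied to the host while MariaDB keeps running with the previous `sql_mode` until something else happens to recreate the container. Add `notify: restart mariadb` to the copy task together with a handler that runs `community.docker.docker_container` with `name: openconext_mariadb`, `state: started` and `restart: true`. The first-time deployment is unaffected because the container is created after the copy.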
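Review bot: `background-color: {{ environment_ribbon_colour }}` in the new `gui.disclaimer` block is rendered unquoted, so a colour given in the usual `#rrggbb` form turns the rest of the line into a YAML comment and `background-color` ends up null; `content: {{ environment_shortname }}` is equally exposed to values that look like booleans or numbers or start with a YAML indicator. Unless the inventory values already carry their own quotes, write `background-color: "{{ environment_ribbon_colour }}"` and `content: "{{ environment_shortname }}"`.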
From 67f75e7991b4c72190fbcdb62903f4711e73deff Mon Sep 17 00:00:00 2001 From: Okke Harsta Date: Wed, 4 Dec 2024 15:24:14 +0100 Subject: [PATCH 52/59] https://github.com/OpenConext/OpenConext-myconext/issues/545 --- environments/template/group_vars/template.yml | 1 + environments/vm/group_vars/vm.yml | 1 + roles/myconext/templates/application.yml.j2 | 5 ++++- 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/environments/template/group_vars/template.yml b/environments/template/group_vars/template.yml index 3374a4b90..4802bd2d6 100644 --- a/environments/template/group_vars/template.yml +++ b/environments/template/group_vars/template.yml @@ -419,6 +419,7 @@ myconext: feature_show_connections: false feature_id_verify: true feature_remote_creation_api: true + feature_mail_institution_mail_usage: true feature_send_js_exceptions: true feature_deny_disposable_email_providers: true feature_create_eduid_institution_enabled: true diff --git a/environments/vm/group_vars/vm.yml b/environments/vm/group_vars/vm.yml index e22fea2dd..ecab6e6de 100644 --- a/environments/vm/group_vars/vm.yml +++ b/environments/vm/group_vars/vm.yml @@ -310,6 +310,7 @@ myconext: feature_warning_educational_email_domain: false feature_id_verify: true feature_remote_creation_api: true + feature_mail_institution_mail_usage: true feature_send_js_exceptions: true feature_deny_disposable_email_providers: true feature_create_eduid_institution_enabled: true diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2 index 0c99f6c9f..61c9597c1 100644 --- a/roles/myconext/templates/application.yml.j2 +++ b/roles/myconext/templates/application.yml.j2 @@ -55,6 +55,8 @@ cron: token-cleaner-expression: "0 0/15 * * * *" manage-initial-delay-milliseconds: 15000 manage-fixed-rate-milliseconds: 300_000 + # Runs on the first day of February, May, August, and November. + mail-institution-mail-usage-expression: "0 0 0 1 2,5,8,11 *" manage: username: myconext 
@@ -103,7 +105,8 @@ feature:
 remote_creation_api: {{ myconext.feature_remote_creation_api }}
 # Do we send error mails for reported errors by the JS UI
 send_js_exceptions: {{ myconext.feature_send_js_exceptions }}
-
+ # Do we periodically mail users who have used their institution account mail_institution_mail_usage: {{ myconext.feature_mail_institution_mail_usage }}
 secure_cookie: true
 idp_entity_id: https://login.{{ myconext_base_domain }}
From beb5f380b0528fb424b77d1ab65fe134c9b94499 Mon Sep 17 00:00:00 2001
From: Okke Harsta
Date: Thu, 5 Dec 2024 14:25:08 +0100
Subject: [PATCH 53/59] https://github.com/OpenConext/OpenConext-myconext/issues/547
---
 environments/template/group_vars/template.yml | 1 +
 environments/vm/group_vars/vm.yml | 1 +
 roles/myconext/templates/application.yml.j2 | 6 ++++++
 3 files changed, 8 insertions(+)
diff --git a/environments/template/group_vars/template.yml b/environments/template/group_vars/template.yml
index 4802bd2d6..0512e06fc 100644
--- a/environments/template/group_vars/template.yml
+++ b/environments/template/group_vars/template.yml
@@ -420,6 +420,7 @@ myconext:
 feature_id_verify: true
 feature_remote_creation_api: true
 feature_mail_institution_mail_usage: true
+ feature_nudge_app_mail: true
 feature_send_js_exceptions: true
 feature_deny_disposable_email_providers: true
 feature_create_eduid_institution_enabled: true
diff --git a/environments/vm/group_vars/vm.yml b/environments/vm/group_vars/vm.yml
index ecab6e6de..ad0cb3160 100644
--- a/environments/vm/group_vars/vm.yml
+++ b/environments/vm/group_vars/vm.yml
@@ -311,6 +311,7 @@ myconext:
 feature_id_verify: true
 feature_remote_creation_api: true
 feature_mail_institution_mail_usage: true
+ feature_nudge_app_mail: true
 feature_send_js_exceptions: true
 feature_deny_disposable_email_providers: true
 feature_create_eduid_institution_enabled: true
diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2
index 61c9597c1..4b180a428 100644
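Review bot: The blank line that closed the `feature:` block before `secure_cookie: true` is removed and the new `mail_institution_mail_usage` toggle takes its place, so the feature list now runs straight into the next stanza; the later additions in this series keep that layout. Insert the new comment and key above the blank line and keep the separator, assuming `secure_cookie` is a top-level key as its position suggests (indentation is not recoverable from this rendering). The enclosing `feature:` block starts outside the hunk.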
--- a/roles/myconext/templates/application.yml.j2
+++ b/roles/myconext/templates/application.yml.j2
@@ -57,6 +57,10 @@ cron:
 manage-fixed-rate-milliseconds: 300_000
 # Runs on the first day of February, May, August, and November.
 mail-institution-mail-usage-expression: "0 0 0 1 2,5,8,11 *"
+ # Every day at 6:30AM
+ nudge-app-mail-expression: "0 30 6 * * ?"
+ # Number of days after creation of the eduID account which the nudge mail is send
+ nudge-app-mail-days-after-creation: 14
 manage:
 username: myconext
@@ -107,6 +111,8 @@ feature:
 send_js_exceptions: {{ myconext.feature_send_js_exceptions }}
 # Do we periodically mail users who have used their institution account
 mail_institution_mail_usage: {{ myconext.feature_mail_institution_mail_usage }}
+ # Do we mail users who have not installed the eduID app
+ nudge_app_mail: {{ myconext.feature_nudge_app_mail }}
 secure_cookie: true
 idp_entity_id: https://login.{{ myconext_base_domain }}
From 0399d42789f4e7ed76645d900d2934a1136597e4 Mon Sep 17 00:00:00 2001
From: Peter Havekes
Date: Thu, 5 Dec 2024 14:41:40 +0100
Subject: [PATCH 54/59] Fix stepup-webauthn logo location
---
 roles/stepupwebauthn/tasks/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/stepupwebauthn/tasks/main.yml b/roles/stepupwebauthn/tasks/main.yml
index a0bfbb3d1..a1738fc01 100644
--- a/roles/stepupwebauthn/tasks/main.yml
+++ b/roles/stepupwebauthn/tasks/main.yml
@@ -119,8 +119,8 @@
 APACHE_UID: "#{{ webauthn_uid.uid }}"
 APACHE_GUID: "#{{ webauthn_guid.gid }}"
 mounts:
- - source: /opt/openconext/webauthn/public/images/header-logo.png
- target: /var/www/html/public/build/images/logo/header-logo.png
+ - source: /opt/openconext/azuremfa/public/images/header-logo.png
+ target: /var/www/html/public/build/images/header-logo.png
 type: bind
 - source: /opt/openconext/webauthn
 target: /var/www/html/config/openconext
From 1cb30d8a1b7ed14aebf7889d90f5fc3444f113c4 Mon Sep 17 00:00:00 2001
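Review bot: The comment above `nudge-app-mail-days-after-creation: 14` reads `# Number of days after creation of the eduID account which the nudge mail is send`; it should read `# Number of days after creation of the eduID account after which the nudge mail is sent`. Separately, `nudge-app-mail-expression: "0 30 6 * * ?"` uses `?` in the day-of-week field where the sibling `token-cleaner-expression` and `mail-institution-mail-usage-expression` use `*`; Spring accepts both, but one form per file reads better, and the `inactivity-users-expression` added later in this series repeats the `?` form. The `cron:` block starts outside the hunk.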
From: Peter Havekes
Date: Mon, 9 Dec 2024 10:12:29 +0100
Subject: [PATCH 55/59] Stepup-webauthn Fix image path
---
 roles/stepupwebauthn/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/stepupwebauthn/tasks/main.yml b/roles/stepupwebauthn/tasks/main.yml
index a1738fc01..2a51ac91f 100644
--- a/roles/stepupwebauthn/tasks/main.yml
+++ b/roles/stepupwebauthn/tasks/main.yml
@@ -119,7 +119,7 @@
 APACHE_UID: "#{{ webauthn_uid.uid }}"
 APACHE_GUID: "#{{ webauthn_guid.gid }}"
 mounts:
- - source: /opt/openconext/azuremfa/public/images/header-logo.png
+ - source: /opt/openconext/webauthn/public/images/header-logo.png
 target: /var/www/html/public/build/images/header-logo.png
 type: bind
 - source: /opt/openconext/webauthn
From ddf04a368344f2495ab9c1aee61d62b8dd49cb15 Mon Sep 17 00:00:00 2001
From: Pieter van der Meulen
Date: Tue, 10 Dec 2024 10:18:20 +0100
Subject: [PATCH 56/59] Add activation flow sellection using entitlement attribute for selfservice 5.0.5
---
 roles/stepupselfservice/templates/parameters.yml.j2 | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/roles/stepupselfservice/templates/parameters.yml.j2 b/roles/stepupselfservice/templates/parameters.yml.j2
index cb2f25759..54c6e1bb3 100644
--- a/roles/stepupselfservice/templates/parameters.yml.j2
+++ b/roles/stepupselfservice/templates/parameters.yml.j2
@@ -89,6 +89,11 @@ parameters:
 preferred_activation_flow_name: activate
 preferred_activation_flow_options: [ra, self]
+ activation_flow_attribute_name: urn:mace:dir:attribute-def:eduPersonEntitlement
+ activation_flow_attributes:
+ ra: urn:mace:surf.nl:surfsecureid:activation:ra
+ self: urn:mace:surf.nl:surfsecureid:activation:self
+
 # Self-asserted tokens: enable/disable recovery methods
 #
 # One of the two options should be enabled to have a fully functioning
From 5f77f8ec83e47f311cf52f8b4eaead74a962051e Mon Sep 17 00:00:00 2001
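Review bot: `activation_flow_attribute_name` and the two `activation_flow_attributes` entries are added without a comment, and a reader cannot tell from the keys alone that an IdP-supplied `eduPersonEntitlement` value is what selects between the `ra` and `self` flows, or how this relates to the `preferred_activation_flow_*` keys just above. A short comment above the block would help: `# Select the activation flow (ra / self) from the IdP-supplied eduPersonEntitlement value; selfservice 5.0.5+`. Whether the preferred_activation_flow_* settings still apply when neither entitlement value is present is not stated here and is worth recording once confirmed against the selfservice documentation. The `parameters:` block starts outside the hunk.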
From: Okke Harsta
Date: Wed, 11 Dec 2024 10:15:41 +0100
Subject: [PATCH 57/59] https://github.com/OpenConext/OpenConext-myconext/issues/606
---
 environments/template/group_vars/template.yml | 1 +
 environments/vm/group_vars/vm.yml | 1 +
 roles/myconext/templates/application.yml.j2 | 4 ++++
 3 files changed, 6 insertions(+)
diff --git a/environments/template/group_vars/template.yml b/environments/template/group_vars/template.yml
index 0512e06fc..5093e0f92 100644
--- a/environments/template/group_vars/template.yml
+++ b/environments/template/group_vars/template.yml
@@ -420,6 +420,7 @@ myconext:
 feature_id_verify: true
 feature_remote_creation_api: true
 feature_mail_institution_mail_usage: true
+ feature_mail_inactivity_mails: true
 feature_nudge_app_mail: true
 feature_send_js_exceptions: true
 feature_deny_disposable_email_providers: true
diff --git a/environments/vm/group_vars/vm.yml b/environments/vm/group_vars/vm.yml
index ad0cb3160..1ed11a8a1 100644
--- a/environments/vm/group_vars/vm.yml
+++ b/environments/vm/group_vars/vm.yml
@@ -311,6 +311,7 @@ myconext:
 feature_id_verify: true
 feature_remote_creation_api: true
 feature_mail_institution_mail_usage: true
+ feature_mail_inactivity_mails: true
 feature_nudge_app_mail: true
 feature_send_js_exceptions: true
 feature_deny_disposable_email_providers: true
diff --git a/roles/myconext/templates/application.yml.j2 b/roles/myconext/templates/application.yml.j2
index 4b180a428..66ac68c53 100644
--- a/roles/myconext/templates/application.yml.j2
+++ b/roles/myconext/templates/application.yml.j2
@@ -61,6 +63,8 @@ cron:
 nudge-app-mail-expression: "0 30 6 * * ?"
 # Number of days after creation of the eduID account which the nudge mail is send
 nudge-app-mail-days-after-creation: 14
+ # Every day at 7:30AM
+ inactivity-users-expression: "0 30 7 * * ?"
 manage:
 username: myconext
@@ -111,6 +113,8 @@ feature:
 send_js_exceptions: {{ myconext.feature_send_js_exceptions }}
 # Do we periodically mail users who have used their institution account
 mail_institution_mail_usage: {{ myconext.feature_mail_institution_mail_usage }}
+ # Do we periodically mail users who are inactive and might have their account deleted
+ mail_inactivity_mails: {{ myconext.feature_mail_inactivity_mails }}
 # Do we mail users who have not installed the eduID app
 nudge_app_mail: {{ myconext.feature_nudge_app_mail }}
From cdb57e463b9e4777765d509612709718d5d42b75 Mon Sep 17 00:00:00 2001
From: Bas Zoetekouw
Date: Fri, 13 Dec 2024 14:36:30 +0100
Subject: [PATCH 58/59] MANAGE: add `coin:disable_scoping` by defualt for new IdPs (closes OpenConext/OpenConext-Manage#458)
---
 roles/manage/files/metadata_templates/saml20_idp.template.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/roles/manage/files/metadata_templates/saml20_idp.template.json b/roles/manage/files/metadata_templates/saml20_idp.template.json
index 8698863f2..3c29ee713 100644
--- a/roles/manage/files/metadata_templates/saml20_idp.template.json
+++ b/roles/manage/files/metadata_templates/saml20_idp.template.json
@@ -9,7 +9,8 @@
 "name:en": "",
 "OrganizationName:en": "",
 "SingleSignOnService:0:Binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
- "SingleSignOnService:0:Location": ""
+ "SingleSignOnService:0:Location": "",
+ "coin:disable_scoping": true
 },
 "autoRefresh": {
 "enabled": true,
From e9ec11dd8ad3f62ea55c663f97b802a0768bccc7 Mon Sep 17 00:00:00 2001
From: Bas Zoetekouw
Date: Mon, 16 Dec 2024 17:32:03 +0100
Subject: [PATCH 59/59] add dependabot got github-actions
---
 .github/dependabot.yml | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 000000000..23c4cb3b5
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+---
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"