Merge pull request #550 from SURFscz/openconext-dev

Make deploy compatible with OpenConext-devconf images

environments/docker/group_vars/container.yml

@@ -52,8 +52,8 @@ containers:
 images:
   db: mariadb:11
   redis: redis:7
-  sbs: ghcr.io/surfscz/sram-sbs:main
-  sbs_server: ghcr.io/surfscz/sram-sbs-server:main
+  sbs: ghcr.io/surfscz/sram-sbs-client:openconext-dev
+  sbs_server: ghcr.io/surfscz/sram-sbs-server:openconext-dev
   ldap: ghcr.io/surfscz/sram-ldap:main
   metadata: ghcr.io/surfscz/sram-metadata:main
   pyff: ghcr.io/surfscz/sram-pyff:main

roles/ci-test/tasks/main.yml

@@ -82,16 +82,6 @@
     mode: "0644"
   notify: "restart php-fpm"
 
-- name: Create RP resume.html
-  copy:
-    src: "{{ item }}"
-    dest: "{{ rp_docroot_dir }}/{{ item }}"
-    mode: "0644"
-  loop:
-    - "resume.html"
-    - "resume.js"
-  notify: "restart php-fpm"
-
 
 #########################################################
 ## nginx

roles/ci-test/templates/index.php.j2

@@ -30,29 +30,21 @@ if (isset($_GET['client_id'])) {
     $rp = $_GET['client_id'];
 }
 
-if ($_POST['id_token']) {
-    $jwt = $_POST['id_token'];
-    $parts = explode('.', $jwt);
-    $payload = json_decode(base64_decode($parts[1]));
-    $rp = $payload->aud[0];
-}
-
 if (isset($_GET['scope'])) {
     $scope =  $_GET['scope'];
     $_SESSION['scope'] = $scope;
-    $reset = true;
 } else {
     $scope = @$_SESSION['scope'] ? $_SESSION['scope'] : $SCOPES;
 }
 
 if (isset($_GET['redirect_uri'])) {
     $redirect_uri = $_GET['redirect_uri'];
 } else {
-    $redirect_uri = 'https://rp.ci-runner.sram.surf.nl/resume.html';
+    $redirect_uri = 'https://rp.ci-runner.sram.surf.nl/index.php';
 }
 
 if (isset($_GET['claims'])) {
-    $request_claims = @$_GET['claims'];
+    $request_claims = $_GET['claims'];
 } else {
     $request_claims = $CLAIMS;
 }
@@ -61,7 +53,7 @@ $_SESSION['claims'] = $request_claims;
 if (isset($_GET['response_type'])) {
     $response_type = [$_GET['response_type']];
 } else {
-    $response_type = array('id_token token');
+    $response_type = ['code'];
 }
 
 if (isset($_GET['idp_hint'])) {
@@ -83,11 +75,8 @@ $oidc = new OpenIDConnectClient('https://proxy.acc.sram.eduteams.org/',
                                 $CLIENT_SECRET);
 $oidc->addScope(explode(" ", $scope));
 #$oidc->addAuthParam(array('idp_hint' => $idp_hint));
-error_log("===");
-error_log("http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]");
-error_log( print_r($response_type, TRUE) );
 $oidc->setResponseTypes($response_type);
-$oidc->setAllowImplicitFlow(true);
+// $oidc->setAllowImplicitFlow(true);
 $oidc->setRedirectURL($redirect_uri);
 #$oidc->addAuthParam(array('response_mode' => 'form_post'));
 
@@ -115,18 +104,14 @@ $access_token = $_SESSION['access_token'];
 $userinfo = $_SESSION['userinfo'];
 $request_claims = $_SESSION['claims'];
 
-if (isset($_POST['scope'])) {
-    $resultant_scope = $_POST['scope'];
-}
-
+$meta = new StdClass();
 $meta->requested_scope = $scope;
-$meta->resultant_scope = $resultant_scope;
 $meta->requested_claims = $request_claims;
 
 echo "ID_TOKEN\n<pre id=id_token>" . json_encode($id_token, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES) . "</pre>\n";
 echo "ACCESS_TOKEN\n<pre id=access_token>" . json_encode($access_token, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES) . "</pre>\n";
 echo "USER_INFO\n<pre id=user_info>" . json_encode($userinfo, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES) . "</pre>\n";
 echo "META\n<pre id=meta>" . json_encode($meta, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES) . "</pre>\n";
 ?>
-<form method="POST"><input type="submit" name="reset"  value="Reset"></form>
+<form method="POST" action="/index.php"><input type="submit" name="reset"  value="Reset"></form>
 </body></html>

roles/docker_sbs/defaults/main.yml

@@ -156,3 +156,5 @@ sbs_csp_style_hashes:
   - 'sha256-vFt3L2qLqpJmRpcXGbYr2UVSmgSp9VCUzz2lnqWIATw='
   - 'sha256-SU3XCwbQ/8qgzoGOWCYdkwIr3xRrl5rsvdFcpw8NSiE='  # on /new-service-request
   - 'sha256-WTC9gHKjIpzl5ub1eg/YrRy/k+jlzeyRojah9dxAApc='  # on /new-service-request
+
+sbs_engine_block_public_key_url: https://example.com/

roles/docker_sbs/tasks/main.yml

@@ -229,7 +229,7 @@
   template:
     src: "sbs-apache.j2"
     dest: "{{ sbs_apache_conf }}"
-  notify: "Restart sbs containers"
+  # notify: "Restart sbs containers"
 
 # - name: "install nginx config"
 #   template:
@@ -273,20 +273,20 @@
 
 # We need to remove sram-static so it gets repopulated
 # with new SBS image static content
-- name: Stop and remove sbs and sbs-server containers
-  docker_container:
-    name: "{{ item }}"
-    state: absent
-  with_items:
-    - "{{ containers.sbs }}"
-    - "{{ containers.sbs_server }}"
-  when: "sbs_image is changed"
+# - name: Stop and remove sbs and sbs-server containers
+#   docker_container:
+#     name: "{{ item }}"
+#     state: absent
+#   with_items:
+#     - "{{ containers.sbs }}"
+#     - "{{ containers.sbs_server }}"
+#   when: "sbs_image is changed"
 
-- name: Remove sbs_static volume
-  community.docker.docker_volume:
-    name: sbs_static
-    state: absent
-  when: "sbs_image is changed"
+# - name: Remove sbs_static volume
+#   community.docker.docker_volume:
+#     name: sbs_static
+#     state: absent
+#   when: "sbs_image is changed"
 
 - name: Start sbs container
   docker_container:
@@ -295,34 +295,37 @@
     pull: "never"
     restart_policy: "always"
     state: "started"
-    env:
-      REQUESTS_CA_BUNDLE: /etc/ssl/certs/ca-certificates.crt
+    # env:
+    #   REQUESTS_CA_BUNDLE: /etc/ssl/certs/ca-certificates.crt
     volumes:
-      - "{{ sbs_conf_dir }}:/opt/sbs/config"
-      - "{{ sbs_cert_dir }}:/opt/sbs/cert"
-      - "{{ sbs_log_dir }}:/opt/sbs/log"
-      - "sbs_static:/opt/sbs/client/build"
+      - "{{ sbs_apache_conf }}:/etc/apache2/sites-enabled/apache.conf:ro"
+      # - "sbs_static:/opt/sbs/client/build"
     networks:
+      - name: "{{traefik_network}}"
       - name: "{{internal_network}}"
-    etc_hosts:
-      oidc-op.scz-vm.net: "172.20.1.24"
+    labels:
+      traefik.enable: "true"
+      traefik.docker.network: "{{traefik_network}}"
+      traefik.http.routers.sbs.rule: "Host(`{{ sbs_base_domain }}`)"
+      traefik.http.routers.sbs.tls: "true"
 
-- name: Start apache container
+- name: Start sbs server container
   docker_container:
     name: "{{ containers.sbs_server }}"
     image: "{{ images.sbs_server }}"
     restart_policy: "always"
     state: started
+    env:
+      REQUESTS_CA_BUNDLE: "/etc/ssl/certs/ca-certificates.crt"
+      RUN_MIGRATIONS: "1"
     pull: "always"
     volumes:
-      - "{{ sbs_apache_conf }}:/etc/apache2/sites-enabled/sbs.conf:ro"
-      - "sbs_static:/var/www/html"
+      - "{{ sbs_conf_dir }}:/opt/sbs/config"
+      - "{{ sbs_cert_dir }}:/opt/sbs/cert"
+      - "{{ sbs_log_dir }}:/opt/sbs/log"
+      # - "{{ sbs_apache_conf }}:/etc/apache2/sites-enabled/sbs.conf:ro"
+      # - "sbs_static:/var/www/html"
     networks:
-      - name: "{{traefik_network}}"
       - name: "{{internal_network}}"
-    labels:
-      traefik.enable: "true"
-      traefik.docker.network: "{{traefik_network}}"
-      traefik.http.routers.sbs.rule: "Host(`{{ sbs_base_domain }}`)"
-      traefik.http.routers.sbs.tls: "true"
-
+    etc_hosts:
+      oidc-op.scz-vm.net: "172.20.1.24"

roles/docker_sbs/templates/sbs-apache.j2

@@ -1,7 +1,7 @@
 ServerName {{ hostnames.sbs }}
 #ErrorLog /proc/self/fd/2
 #CustomLog /proc/self/fd/1 common
-DocumentRoot /var/www/html
+DocumentRoot /opt/sbs/client/build
 
 Header set Content-Security-Policy "default-src 'self'; base-uri 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-src 'none'; form-action 'self' https://*.{{ base_domain }}; frame-ancestors 'none'; block-all-mixed-content;"
 Header set Permissions-Policy      "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(self), gamepad=(), speaker-selection=()"
@@ -12,10 +12,10 @@ RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
 RewriteRule ^/(.*)$ /index.html  [L]
 
 ProxyRequests off
-ProxyPass /socket.io/ ws://{{ containers.sbs }}:{{sbs_backend_port}}/socket.io/
-ProxyPassReverse /socket.io/ ws://{{ containers.sbs }}:{{sbs_backend_port}}/socket.io/
-ProxyPassMatch ^/(api|pam-weblogin|flasgger_static|swagger|health|config|info) http://{{ containers.sbs }}:{{sbs_backend_port}}/
-ProxyPassReverse / http://{{ containers.sbs }}:{{sbs_backend_port}}/
+ProxyPassMatch ^/(api|pam-weblogin|flasgger_static|swagger|health|config|info) http://{{ containers.sbs_server }}:{{sbs_backend_port}}/
+ProxyPassReverse / http://{{ containers.sbs_server }}:{{sbs_backend_port}}/
+ProxyPass /socket.io/ ws://{{ containers.sbs_server }}:{{sbs_backend_port}}/socket.io/
+ProxyPassReverse /socket.io/ ws://{{ containers.sbs_server }}:{{sbs_backend_port}}/socket.io/
 
 <If "%{REQUEST_URI} =~ m#^/api/images/#">
     Header set Cache-Control:  "public, max-age=31536000, immutable"
@@ -24,8 +24,7 @@ ProxyPassReverse / http://{{ containers.sbs }}:{{sbs_backend_port}}/
     Header set Cache-Control:  "no-cache, private"
 </ElseIf>
 
-
-<Directory /var/www/html>
+<Directory /opt/sbs/client/build>
     Require all granted
     Options -Indexes
 </Directory>

roles/sbs/defaults/main.yml

@@ -151,3 +151,5 @@ sbs_csp_style_hashes:
   - 'sha256-vFt3L2qLqpJmRpcXGbYr2UVSmgSp9VCUzz2lnqWIATw='
   - 'sha256-SU3XCwbQ/8qgzoGOWCYdkwIr3xRrl5rsvdFcpw8NSiE='  # on /new-service-request
   - 'sha256-WTC9gHKjIpzl5ub1eg/YrRy/k+jlzeyRojah9dxAApc='  # on /new-service-request
+
+sbs_engine_block_public_key_url: https://example.com/