From 0545189cec68b63087b5b117cf3fe0b3a4477a4d Mon Sep 17 00:00:00 2001
From: juarez
Date: Fri, 17 Nov 2023 10:27:12 +0100
Subject: [PATCH] Integrate central Keycloak in Teiler
---
 ccp/modules/datashield-compose.yml | 14 +++++++++++---
 ccp/modules/datashield-setup.sh | 6 +++++-
 ccp/modules/exporter-compose.yml | 2 +-
 ccp/modules/teiler-compose.yml | 11 ++++++-----
 ccp/modules/teiler-setup.sh | 1 +
 ccp/vars | 3 ++-
 lib/functions.sh | 10 ++++++++--
 7 files changed, 34 insertions(+), 13 deletions(-)
diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml
index d6bb477..4e9f5bd 100644
--- a/ccp/modules/datashield-compose.yml
+++ b/ccp/modules/datashield-compose.yml
@@ -6,7 +6,8 @@ services:
 image: docker.verbis.dkfz.de/ccp/dktk-rstudio:latest
 environment:
 #DEFAULT_USER: "rstudio" # This line is kept for informational purposes
- PASSWORD: "${LDM_AUTH}"
+ #PASSWORD: "${LDM_AUTH}"
+ DISABLE_AUTH: "true" # TODO: Connect R-Studio with central Keycloak. Currently using Traefik authentication.
 HTTP_RELATIVE_PATH: "/rstudio"
 labels:
 - "traefik.enable=true"
@@ -14,7 +15,7 @@ services:
 - "traefik.http.services.rstudio_ccp.loadbalancer.server.port=8787"
 - "traefik.http.routers.rstudio_ccp.tls=true"
 - "traefik.http.middlewares.rstudio_ccp_strip.stripprefix.prefixes=/rstudio"
- - "traefik.http.routers.rstudio_ccp.middlewares=rstudio_ccp_strip"
+ - "traefik.http.routers.rstudio_ccp.middlewares=rstudio_ccp_strip,auth"

 opal:
 container_name: bridgehead-opal
@@ -30,7 +31,7 @@ services:
 environment:
 JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC -Dhttps.proxyHost=forward_proxy -Dhttps.proxyPort=3128"
 # OPAL_ADMINISTRATOR_USER: "administrator" # This line is kept for informational purposes
- OPAL_ADMINISTRATOR_PASSWORD: "${LDM_AUTH}"
+ OPAL_ADMINISTRATOR_PASSWORD: "${OPAL_ADMIN_PASSWORD}"
 POSTGRESDATA_HOST: "opal-db"
 POSTGRESDATA_DATABASE: "opal"
 POSTGRESDATA_USER: "opal"
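Review bot: With `DISABLE_AUTH: "true"` the RStudio container no longer checks any credential itself, so access control for /rstudio rests entirely on the Traefik `auth` middleware that the second hunk appends to the router, and nothing in this patch defines that middleware — it is presumably declared elsewhere in the compose set. Anything that reaches port 8787 without passing that router (another container on the same Docker network, or a second router that omits the middleware) would get an unauthenticated session. The TODO comment should state this dependency so it is not lost when Keycloak is wired in: `# Auth is fully delegated to the Traefik "auth" middleware on this router; never publish 8787 directly.`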
@@ -40,6 +41,13 @@ services:
 APP_CONTEXT_PATH: "/opal"
 OPAL_PRIVATE_KEY: "/run/secrets/opal-key.pem"
 OPAL_CERTIFICATE: "/run/secrets/opal-cert.pem"
+ KEYCLOAK_URL: "https://login.verbis.dkfz.de"
+ KEYCLOAK_REALM: "test-realm-01"
+ KEYCLOAK_CLIENT_ID: "${SITE_ID}-private"
+ KEYCLOAK_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
+ KEYCLOAK_ADMIN_GROUP: "${KEYCLOAK_ADMIN_GROUP}"
+ TOKEN_MANAGER_PASSWORD: "${TOKEN_MANAGER_OPAL_PASSWORD}"
+ EXPORTER_PASSWORD: "${EXPORTER_OPAL_PASSWORD}"
 secrets:
 - opal-cert.pem
 - opal-key.pem
diff --git a/ccp/modules/datashield-setup.sh b/ccp/modules/datashield-setup.sh
index 3220c30..5f8fac4 100644
--- a/ccp/modules/datashield-setup.sh
+++ b/ccp/modules/datashield-setup.sh
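Review bot: `KEYCLOAK_URL: "https://login.verbis.dkfz.de"` and `KEYCLOAK_REALM: "test-realm-01"` are literal values here and again in the first teiler-compose.yml hunk, and the realm name reads like a test environment; whenever it changes, both files have to be edited in step. Hoisting them into ccp/vars next to KEYCLOAK_USER_GROUP, e.g. `KEYCLOAK_URL=https://login.verbis.dkfz.de` and `KEYCLOAK_REALM=test-realm-01`, and referencing `"${KEYCLOAK_URL}"` / `"${KEYCLOAK_REALM}"` in both compose files keeps the IdP configuration in one place. The client id `${SITE_ID}-private` is also assumed to match whatever generate_private_oidc_client registers (it is called with "OIDC_CLIENT_SECRET" in datashield-setup.sh); that function is not in the patch, so the naming contract deserves a comment next to KEYCLOAK_CLIENT_ID.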
@@ -3,7 +3,10 @@ if [ "$ENABLE_DATASHIELD" == true ]; then
 log INFO "DataSHIELD setup detected -- will start DataSHIELD services."
 OVERRIDE+=" -f ./$PROJECT/modules/datashield-compose.yml"
- OPAL_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Opal. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+ EXPORTER_OPAL_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Opal DB. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+ TOKEN_MANAGER_OPAL_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Token Manager in Opal. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+ OPAL_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Opal DB. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+ OPAL_ADMIN_PASSWORD="$(echo \"This is a salt string to generate one consistent admin password for Opal. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 DATASHIELD_CONNECT_SECRET="$(echo \"This is a salt string to generate one consistent password as the DataShield Connect secret. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 if [ ! -e /tmp/bridgehead/opal-cert.pem ]; then
 mkdir -p /tmp/bridgehead/
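Review bot: `EXPORTER_OPAL_PASSWORD` and `OPAL_DB_PASSWORD` are derived from the identical input string ("... one consistent password for Opal DB ...") signed with the same site key, and `openssl rsautl -sign` is deterministic, so the exporter's Opal account and the Postgres database end up with the same password — one leaked credential opens both. Give the exporter its own salt, e.g. `EXPORTER_OPAL_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the Exporter in Opal. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"`. Separately, the removed line derived OPAL_DB_PASSWORD from "...for Opal." and the new line from "...for Opal DB.", which silently rotates the DB password on every existing site; if the opal-db Postgres volume was initialised with the old value, Opal will presumably fail to connect after this update unless the volume is recreated or the password migrated, so either keep the old string for OPAL_DB_PASSWORD or document the migration step. The same reused value reaches exporter-compose.yml via OPAL_PASSWORD, so fixing it here fixes that hunk too.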
@@ -20,4 +23,5 @@ if [ "$ENABLE_DATASHIELD" == true ]; then
 }]' > /tmp/bridgehead/opal-map/local.json
 cp -f ./$PROJECT/modules/datashield-mappings.json /tmp/bridgehead/opal-map/central.json
 chown -R bridgehead:docker /tmp/bridgehead/
+ generate_private_oidc_client "OIDC_CLIENT_SECRET" "https://${HOST}/opal/*"
 fi
diff --git a/ccp/modules/exporter-compose.yml b/ccp/modules/exporter-compose.yml
index 2b9b4e9..cc17c68 100644
--- a/ccp/modules/exporter-compose.yml
+++ b/ccp/modules/exporter-compose.yml
@@ -15,7 +15,7 @@ services:
 HTTP_RELATIVE_PATH: "/ccp-exporter"
 SITE: "${SITE_ID}"
 HTTP_SERVLET_REQUEST_SCHEME: "https"
- OPAL_ADMINISTRATOR_PASSWORD: "${LDM_AUTH}"
+ OPAL_PASSWORD: "${EXPORTER_OPAL_PASSWORD}"
 labels:
 - "traefik.enable=true"
 - "traefik.http.routers.exporter_ccp.rule=PathPrefix(`/ccp-exporter`)"
diff --git a/ccp/modules/teiler-compose.yml b/ccp/modules/teiler-compose.yml
index f0b0d60..659c9e2 100644
--- a/ccp/modules/teiler-compose.yml
+++ b/ccp/modules/teiler-compose.yml
@@ -31,9 +31,10 @@ services:
 environment:
 DEFAULT_LANGUAGE: "${DEFAULT_LANGUAGE}"
 TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend"
- KEYCLOAK_URL: "https://${HOST}/login"
- KEYCLOAK_REALM: "teiler"
- KEYCLOAK_CLIENT_ID: "teiler"
+ KEYCLOAK_URL: "https://login.verbis.dkfz.de"
+ KEYCLOAK_REALM: "test-realm-01"
+ KEYCLOAK_CLIENT_ID: "${SITE_ID}-public"
+ KEYCLOAK_TOKEN_GROUP: "groups"
 TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}"
 TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}"
 TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}"
@@ -42,8 +43,8 @@ services:
 TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
 TEILER_DASHBOARD_HTTP_RELATIVE_PATH: "/ccp-teiler-dashboard"
 TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler"
- TEILER_USER: "TEILER_USER"
- TEILER_ADMIN: "TEILER_ADMIN"
+ TEILER_USER: "${KEYCLOAK_USER_GROUP}"
+ TEILER_ADMIN: "${KEYCLOAK_ADMIN_GROUP}"

 teiler-backend:
 image: docker.verbis.dkfz.de/ccp/dktk-teiler-backend:latest
diff --git a/ccp/modules/teiler-setup.sh b/ccp/modules/teiler-setup.sh
index d1caebe..e930a7e 100644
--- a/ccp/modules/teiler-setup.sh
+++ b/ccp/modules/teiler-setup.sh
@@ -3,4 +3,5 @@ if [ "$ENABLE_TEILER" == true ];then
 log INFO "Teiler setup detected -- will start Teiler services."
 OVERRIDE+=" -f ./$PROJECT/modules/teiler-compose.yml"
+ generate_public_oidc_client "OIDC_PUBLIC" "https://${HOST}/ccp-teiler/*"
 fi
diff --git a/ccp/vars b/ccp/vars
index f7c5d2b..d1a3c9a 100644
--- a/ccp/vars
+++ b/ccp/vars
@@ -10,10 +10,11 @@ BROKER_URL_FOR_PREREQ=$BROKER_URL
 DEFAULT_LANGUAGE=DE
 DEFAULT_LANGUAGE_LOWER_CASE=${DEFAULT_LANGUAGE,,}
 ENABLE_EXPORTER=true
-ENABLE_LOGIN=true
 ENABLE_TEILER=true
 #ENABLE_DATASHIELD=true
+KEYCLOAK_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})"
+KEYCLOAK_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter"
 for module in $PROJECT/modules/*.sh
 do
diff --git a/lib/functions.sh b/lib/functions.sh
index e41d387..26d4152 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -275,14 +275,20 @@ function sync_secrets() {
 docker run --rm \
 -v /var/cache/bridgehead/secrets/oidc:/usr/local/cache \
 -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
- -v ./$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
+ -v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
 -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
 -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
 -e HTTPS_PROXY=$HTTPS_PROXY_FULL_URL \
 -e PROXY_ID=$PROXY_ID \
 -e BROKER_URL=$BROKER_URL \
- -e OIDC_PROVIDER=secret-sync-central.oidc.$BROKER_ID \
+ -e OIDC_PROVIDER=secret-sync-central.dev-jan.$BROKER_ID \
 -e SECRET_DEFINITIONS=$SECRET_SYNC_ARGS \
 docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
 source /var/cache/bridgehead/secrets/*
 }
+
+capitalize_first_letter() {
+ input="$1"
+ capitalized="$(tr '[:lower:]' '[:upper:]' <<< ${input:0:1})${input:1}"
+ echo "$capitalized"
+}
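Review bot: `KEYCLOAK_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})"` in ccp/vars calls a function that this same commit adds to lib/functions.sh, so ccp/vars now only evaluates correctly if lib/functions.sh has been sourced first; nothing in the patch shows that order, so it is worth a comment above the line, e.g. `# requires capitalize_first_letter from lib/functions.sh`. `${SITE_ID}` is also passed unquoted in both new lines; `"${SITE_ID}"` is the safer form even if site ids never contain whitespace or globbing characters.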
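Review bot: `-e OIDC_PROVIDER=secret-sync-central.dev-jan.$BROKER_ID` replaces the generic `oidc` app name with what looks like a personal development endpoint, and every site running this code will send its secret-sync requests there; if that is not intended for all deployments it belongs in a variable (e.g. an `OIDC_PROVIDER_APP` in ccp/vars defaulting to `oidc`) rather than a literal in lib/functions.sh. The new `capitalize_first_letter` assigns `input` and `capitalized` as globals that leak into the caller's shell; `local input="$1"` and `local capitalized="$(tr '[:lower:]' '[:upper:]' <<< "${input:0:1}")${input:1}"` keep them scoped and quote the here-string. The `/srv/docker/bridgehead/$PROJECT/root.crt.pem` mount hard-codes the install directory where the removed line was relative to the working directory; if the install path is already configurable elsewhere, reuse that variable here so a non-default install does not silently lose the root certificate mount.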