From fe06751b594a281aa82bec2cbdc8a542849373d3 Mon Sep 17 00:00:00 2001
From: juarez
Date: Fri, 17 Nov 2023 10:27:12 +0100
Subject: [PATCH 1/6] Integrate central Keycloak in Teiler
---
 ccp/modules/datashield-compose.yml | 2 +-
 ccp/vars | 1 +
 lib/functions.sh | 4 ++--
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml
index db2760a..e3e0d01 100644
--- a/ccp/modules/datashield-compose.yml
+++ b/ccp/modules/datashield-compose.yml
@@ -96,7 +96,7 @@ services:
 networks:
 - default
 - rstudio
-
+
 traefik:
 networks:
 - default
diff --git a/ccp/vars b/ccp/vars
index eb998d7..eb2a1c8 100644
--- a/ccp/vars
+++ b/ccp/vars
@@ -10,6 +10,7 @@ BROKER_URL_FOR_PREREQ=$BROKER_URL
 DEFAULT_LANGUAGE=DE
 DEFAULT_LANGUAGE_LOWER_CASE=${DEFAULT_LANGUAGE,,}
 ENABLE_EXPORTER=true
+ENABLE_LOGIN=true
 ENABLE_TEILER=true
 #ENABLE_DATASHIELD=true
 
diff --git a/lib/functions.sh b/lib/functions.sh
index c175fcf..d32bdbe 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -270,7 +270,7 @@ function sync_secrets() {
 if [[ $OIDC_PRIVATE_REDIRECT_URLS != "" ]]; then
 if [[ $secret_sync_args == "" ]]; then
 secret_sync_args="OIDC:OIDC_PUBLIC:public;$OIDC_PUBLIC_REDIRECT_URLS"
- else
+ else
 secret_sync_args+="${delimiter}OIDC:OIDC_PUBLIC:public;$OIDC_PUBLIC_REDIRECT_URLS"
 fi
 fi
@@ -282,7 +282,7 @@ function sync_secrets() {
 docker run --rm \
 -v /var/cache/bridgehead/secrets/oidc:/usr/local/cache \
 -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
- -v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
+ -v ./$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
 -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
 -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
 -e NO_PROXY=localhost,127.0.0.1 \
From 9a2b0f3dbb00f51186500c1b60913f202051fecb Mon Sep 17 00:00:00 2001
From: juarez
Date: Mon, 27 Nov 2023 19:39:16 +0100
Subject: [PATCH 2/6] Add Keycloak to MTBA
---
 ccp/modules/mtba-compose.yml | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/ccp/modules/mtba-compose.yml b/ccp/modules/mtba-compose.yml
index f03532f..3912bcb 100644
--- a/ccp/modules/mtba-compose.yml
+++ b/ccp/modules/mtba-compose.yml
@@ -21,12 +21,6 @@ services:
 FILE_END_OF_LINE: ${MTBA_FILE_END_OF_LINE:-LF}
 CSV_DELIMITER: ${MTBA_CSV_DELIMITER:-TAB}
 HTTP_RELATIVE_PATH: "/mtba"
- KEYCLOAK_ADMIN_GROUP: "${KEYCLOAK_ADMIN_GROUP}"
- KEYCLOAK_CLIENT_ID: "${KEYCLOAK_PRIVATE_CLIENT_ID}"
- KEYCLOAK_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
- KEYCLOAK_REALM: "${KEYCLOAK_REALM}"
- KEYCLOAK_URL: "${KEYCLOAK_URL}"
-
 labels:
 - "traefik.enable=true"
 - "traefik.http.routers.mtba_ccp.rule=PathPrefix(`/mtba`)"
From 416616c4693622ae0f3f58ec787357f66b11c472 Mon Sep 17 00:00:00 2001
From: juarez
Date: Wed, 29 Nov 2023 09:29:18 +0100
Subject: [PATCH 3/6] Add oauth2_proxy
---
 ccp/modules/datashield-compose.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml
index e3e0d01..105c9ae 100644
--- a/ccp/modules/datashield-compose.yml
+++ b/ccp/modules/datashield-compose.yml
@@ -8,12 +8,14 @@ services:
 #DEFAULT_USER: "rstudio" # This line is kept for informational purposes
 PASSWORD: "${RSTUDIO_ADMIN_PASSWORD}" # It is required, even if the authentication is disabled
 DISABLE_AUTH: "true" # https://rocker-project.org/images/versioned/rstudio.html#how-to-use
+ # TODO: Connect R-Studio with central Keycloak. Currently using Traefik authentication.
 HTTP_RELATIVE_PATH: "/rstudio"
 ALL_PROXY: "http://forward_proxy:3128" # https://rocker-project.org/use/networking.html
 labels:
 - "traefik.enable=true"
 - "traefik.http.routers.rstudio_ccp.rule=PathPrefix(`/rstudio`)"
 - "traefik.http.services.rstudio_ccp.loadbalancer.server.port=8787"
+ - "traefik.http.routers.rstudio_ccp.tls=true"
 - "traefik.http.middlewares.rstudio_ccp_strip.stripprefix.prefixes=/rstudio"
 - "traefik.http.routers.rstudio_ccp.tls=true"
 - "traefik.http.routers.rstudio_ccp.middlewares=oidcAuth,rstudio_ccp_strip"
From 64a4f86030ca497cc373907371a473cfdf4a12fe Mon Sep 17 00:00:00 2001
From: juarez
Date: Tue, 13 Feb 2024 15:58:24 +0100
Subject: [PATCH 4/6] Removed: / from groups
---
 ccp/modules/datashield-compose.yml | 2 +-
 ccp/modules/mtba-compose.yml | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml
index 105c9ae..bc09e1f 100644
--- a/ccp/modules/datashield-compose.yml
+++ b/ccp/modules/datashield-compose.yml
@@ -120,7 +120,7 @@ services:
 image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:latest
 container_name: bridgehead_oauth2_proxy
 command: >-
- --allowed-group=/DataSHIELD
+ --allowed-group=DataSHIELD
 --oidc-groups-claim=${KEYCLOAK_GROUP_CLAIM}
 --auth-logging=true
 --whitelist-domain=${HOST}
diff --git a/ccp/modules/mtba-compose.yml b/ccp/modules/mtba-compose.yml
index 3912bcb..042bca1 100644
--- a/ccp/modules/mtba-compose.yml
+++ b/ccp/modules/mtba-compose.yml
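Review bot: `--allowed-group=DataSHIELD` is compared literally against the values of the `${KEYCLOAK_GROUP_CLAIM}` claim, so whether a leading slash belongs there depends on how the Keycloak group-membership mapper for this client emits group names (presumably with "Full group path" off); nothing in this repository pins that setting, and a mismatch denies every DataSHIELD user rather than failing open. A one-line comment above the flag would record the dependency, e.g. `# group name must match the format of the groups claim emitted by the Keycloak group mapper (no leading path)`. The TODO comment above this service, outside the hunk, still uses `/DataSHIELD`.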
@@ -3,7 +3,8 @@ version: "3.7"
 services:
 mtba:
 #image: docker.verbis.dkfz.de/cache/samply/mtba:latest
- image: docker.verbis.dkfz.de/cache/samply/mtba:develop
+ #image: docker.verbis.dkfz.de/cache/samply/mtba:develop
+ image: samply/mtba:develop
 container_name: bridgehead-mtba
 environment:
 BLAZE_STORE_URL: http://blaze:8080
From 3be6ad52870e4d847e8c9cabf489dda92434f3fd Mon Sep 17 00:00:00 2001
From: juarez
Date: Tue, 13 Feb 2024 18:49:06 +0100
Subject: [PATCH 5/6] Changed: master realm
---
 ccp/vars | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ccp/vars b/ccp/vars
index eb2a1c8..f4d70fe 100644
--- a/ccp/vars
+++ b/ccp/vars
@@ -18,8 +18,8 @@ KEYCLOAK_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})"
 KEYCLOAK_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter"
 KEYCLOAK_PRIVATE_CLIENT_ID=${SITE_ID}-private
 KEYCLOAK_PUBLIC_CLIENT_ID=${SITE_ID}-public
-# TODO: Change Keycloak Realm to productive. "test-realm-01" is only for testing
-KEYCLOAK_REALM="${KEYCLOAK_REALM:-test-realm-01}"
+# Use "test-realm-01" for testing
+KEYCLOAK_REALM="${KEYCLOAK_REALM:-master}"
 KEYCLOAK_URL="https://login.verbis.dkfz.de"
 KEYCLOAK_ISSUER_URL="${KEYCLOAK_URL}/realms/${KEYCLOAK_REALM}"
 KEYCLOAK_GROUP_CLAIM="groups"
From 5a5f3030fe9305245bf7d797dfdf4ea4c15c787d Mon Sep 17 00:00:00 2001
From: juarez
Date: Tue, 13 Feb 2024 18:54:26 +0100
Subject: [PATCH 6/6] Changed: replace keycloak with oidc
---
 ccp/modules/datashield-compose.yml | 22 +++++++++++-----------
 ccp/modules/mtba-compose.yml | 10 +++++++---
 ccp/modules/teiler-compose.yml | 14 +++++++-------
 ccp/vars | 17 ++++++++--------
 lib/functions.sh | 2 +-
 minimal/docker-compose.yml | 2 --
 6 files changed, 34 insertions(+), 33 deletions(-)
diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml
index bc09e1f..19a5e35 100644
--- a/ccp/modules/datashield-compose.yml
+++ b/ccp/modules/datashield-compose.yml
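Review bot: The default realm moves from `test-realm-01` to `master` at `KEYCLOAK_REALM="${KEYCLOAK_REALM:-master}"`, and `master` is the realm Keycloak reserves for administering the server itself; the Keycloak server administration guide advises against registering application clients and users there. If the VerbIS Keycloak has a dedicated production realm for the bridgehead, that should be the default instead; if `master` is intentional, the new comment should say so, since `# Use "test-realm-01" for testing` no longer states what the default is, e.g. `# Keycloak realm; defaults to "master", override KEYCLOAK_REALM with "test-realm-01" for testing`. The same default is carried over as `OIDC_REALM` in patch 6/6.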
@@ -15,7 +15,6 @@ services:
 - "traefik.enable=true"
 - "traefik.http.routers.rstudio_ccp.rule=PathPrefix(`/rstudio`)"
 - "traefik.http.services.rstudio_ccp.loadbalancer.server.port=8787"
- - "traefik.http.routers.rstudio_ccp.tls=true"
 - "traefik.http.middlewares.rstudio_ccp_strip.stripprefix.prefixes=/rstudio"
 - "traefik.http.routers.rstudio_ccp.tls=true"
 - "traefik.http.routers.rstudio_ccp.middlewares=oidcAuth,rstudio_ccp_strip"
@@ -46,11 +45,11 @@ services:
 APP_CONTEXT_PATH: "/opal"
 OPAL_PRIVATE_KEY: "/run/secrets/opal-key.pem"
 OPAL_CERTIFICATE: "/run/secrets/opal-cert.pem"
- KEYCLOAK_URL: "${KEYCLOAK_URL}"
- KEYCLOAK_REALM: "${KEYCLOAK_REALM}"
- KEYCLOAK_CLIENT_ID: "${KEYCLOAK_PRIVATE_CLIENT_ID}"
- KEYCLOAK_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
- KEYCLOAK_ADMIN_GROUP: "${KEYCLOAK_ADMIN_GROUP}"
+ OIDC_URL: "${OIDC_URL}"
+ OIDC_REALM: "${OIDC_REALM}"
+ OIDC_CLIENT_ID: "${OIDC_PRIVATE_CLIENT_ID}"
+ OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
+ OIDC_ADMIN_GROUP: "${OIDC_ADMIN_GROUP}"
 TOKEN_MANAGER_PASSWORD: "${TOKEN_MANAGER_OPAL_PASSWORD}"
 EXPORTER_PASSWORD: "${EXPORTER_OPAL_PASSWORD}"
 BEAM_APP_ID: token-manager.${PROXY_ID}
@@ -113,15 +112,15 @@ services:
 APP_datashield-connect_KEY: ${DATASHIELD_CONNECT_SECRET}
 APP_token-manager_KEY: ${TOKEN_MANAGER_SECRET}
 
- # TODO: Allow users of group /DataSHIELD and KEYCLOAK_USER_GROUP at the same time:
+ # TODO: Allow users of group /DataSHIELD and OIDC_USER_GROUP at the same time:
 # Maybe a solution would be (https://oauth2-proxy.github.io/oauth2-proxy/configuration/oauth_provider):
- # --allowed-groups=/DataSHIELD,KEYCLOAK_USER_GROUP
+ # --allowed-groups=/DataSHIELD,OIDC_USER_GROUP
 oauth2_proxy:
 image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:latest
 container_name: bridgehead_oauth2_proxy
 command: >-
 --allowed-group=DataSHIELD
- --oidc-groups-claim=${KEYCLOAK_GROUP_CLAIM}
+ --oidc-groups-claim=${OIDC_GROUP_CLAIM}
 --auth-logging=true
 --whitelist-domain=${HOST}
 --http-address="0.0.0.0:4180"
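Review bot: The environment keys handed to the Opal container (the service carrying `OPAL_PRIVATE_KEY`) are renamed from `KEYCLOAK_*` to `OIDC_*` without any change to its image reference, so unless that image already reads the `OIDC_*` names this silently leaves its OIDC client unconfigured; the same applies to the mtba and teiler-dashboard renames in the later hunks of this patch, of which only teiler-dashboard is moved to a new tag. A comment naming the image build that introduced the `OIDC_*` names, e.g. `# OIDC_* keys require an image that reads them (was KEYCLOAK_*)`, would document the coupling. In the third hunk the rewritten TODO still reads `# --allowed-groups=/DataSHIELD,OIDC_USER_GROUP` while the flag below it was changed to `--allowed-group=DataSHIELD` in patch 4/6; the comment should drop the slash to match.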
@@ -136,10 +135,10 @@ services:
 #OIDC settings
 --provider="keycloak-oidc"
 --provider-display-name="VerbIS Login"
- --client-id="${KEYCLOAK_PRIVATE_CLIENT_ID}"
+ --client-id="${OIDC_PRIVATE_CLIENT_ID}"
 --client-secret="${OIDC_CLIENT_SECRET}"
 --redirect-url="https://${HOST}${OAUTH2_CALLBACK}"
- --oidc-issuer-url="${KEYCLOAK_ISSUER_URL}"
+ --oidc-issuer-url="${OIDC_ISSUER_URL}"
 --scope="openid email profile"
 --code-challenge-method="S256"
 --skip-provider-button=true
@@ -147,6 +146,7 @@ services:
 --pass-basic-auth=true
 --pass-user-headers=false
 --pass-access-token=false
+
 labels:
 - "traefik.enable=true"
 - "traefik.http.routers.oauth2_proxy.rule=Host(`${HOST}`) && PathPrefix(`/oauth2`, `/oauth2/callback`)"
diff --git a/ccp/modules/mtba-compose.yml b/ccp/modules/mtba-compose.yml
index 042bca1..56bb015 100644
--- a/ccp/modules/mtba-compose.yml
+++ b/ccp/modules/mtba-compose.yml
@@ -2,9 +2,7 @@ version: "3.7"
 
 services:
 mtba:
- #image: docker.verbis.dkfz.de/cache/samply/mtba:latest
- #image: docker.verbis.dkfz.de/cache/samply/mtba:develop
- image: samply/mtba:develop
+ image: docker.verbis.dkfz.de/cache/samply/mtba:develop
 container_name: bridgehead-mtba
 environment:
 BLAZE_STORE_URL: http://blaze:8080
@@ -22,6 +20,12 @@ services:
 FILE_END_OF_LINE: ${MTBA_FILE_END_OF_LINE:-LF}
 CSV_DELIMITER: ${MTBA_CSV_DELIMITER:-TAB}
 HTTP_RELATIVE_PATH: "/mtba"
+ OIDC_ADMIN_GROUP: "${OIDC_ADMIN_GROUP}"
+ OIDC_CLIENT_ID: "${OIDC_PRIVATE_CLIENT_ID}"
+ OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
+ OIDC_REALM: "${OIDC_REALM}"
+ OIDC_URL: "${OIDC_URL}"
+
 labels:
 - "traefik.enable=true"
 - "traefik.http.routers.mtba_ccp.rule=PathPrefix(`/mtba`)"
diff --git a/ccp/modules/teiler-compose.yml b/ccp/modules/teiler-compose.yml
index 40e394c..a76f161 100644
--- a/ccp/modules/teiler-compose.yml
+++ b/ccp/modules/teiler-compose.yml
@@ -19,7 +19,7 @@ services:
 HTTP_RELATIVE_PATH: "/ccp-teiler"
 
 teiler-dashboard:
- image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:latest
+ image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:develop
 container_name: bridgehead-teiler-dashboard
 labels:
 - "traefik.enable=true"
@@ -31,10 +31,10 @@ services:
 environment:
 DEFAULT_LANGUAGE: "${DEFAULT_LANGUAGE}"
 TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend"
- KEYCLOAK_URL: "${KEYCLOAK_URL}"
- KEYCLOAK_REALM: "${KEYCLOAK_REALM}"
- KEYCLOAK_CLIENT_ID: "${KEYCLOAK_PUBLIC_CLIENT_ID}"
- KEYCLOAK_TOKEN_GROUP: "${KEYCLOAK_GROUP_CLAIM}"
+ OIDC_URL: "${OIDC_URL}"
+ OIDC_REALM: "${OIDC_REALM}"
+ OIDC_CLIENT_ID: "${OIDC_PUBLIC_CLIENT_ID}"
+ OIDC_TOKEN_GROUP: "${OIDC_GROUP_CLAIM}"
 TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}"
 TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}"
 TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}"
@@ -43,8 +43,8 @@ services:
 TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler"
 TEILER_DASHBOARD_HTTP_RELATIVE_PATH: "/ccp-teiler-dashboard"
 TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler"
- TEILER_USER: "${KEYCLOAK_USER_GROUP}"
- TEILER_ADMIN: "${KEYCLOAK_ADMIN_GROUP}"
+ TEILER_USER: "${OIDC_USER_GROUP}"
+ TEILER_ADMIN: "${OIDC_ADMIN_GROUP}"
 REPORTER_DEFAULT_TEMPLATE_ID: "ccp-qb"
 EXPORTER_DEFAULT_TEMPLATE_ID: "ccp"
 
diff --git a/ccp/vars b/ccp/vars
index f4d70fe..c1e9887 100644
--- a/ccp/vars
+++ b/ccp/vars
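Review bot: `image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:develop` moves a deployed service from `latest` to a floating development tag, so the build that actually runs changes on every pull and cannot be tied back to this commit. If the tag is needed because only the develop build reads the `OIDC_*` variables set in the following hunks, a comment saying so plus a TODO to pin a released tag or digest would make the intent auditable, e.g. `# TODO: pin a released tag once a build that reads OIDC_* is published`.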
@@ -10,19 +10,18 @@ BROKER_URL_FOR_PREREQ=$BROKER_URL
 DEFAULT_LANGUAGE=DE
 DEFAULT_LANGUAGE_LOWER_CASE=${DEFAULT_LANGUAGE,,}
 ENABLE_EXPORTER=true
-ENABLE_LOGIN=true
 ENABLE_TEILER=true
 #ENABLE_DATASHIELD=true
 
-KEYCLOAK_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})"
-KEYCLOAK_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter"
-KEYCLOAK_PRIVATE_CLIENT_ID=${SITE_ID}-private
-KEYCLOAK_PUBLIC_CLIENT_ID=${SITE_ID}-public
+OIDC_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})"
+OIDC_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter"
+OIDC_PRIVATE_CLIENT_ID=${SITE_ID}-private
+OIDC_PUBLIC_CLIENT_ID=${SITE_ID}-public
 # Use "test-realm-01" for testing
-KEYCLOAK_REALM="${KEYCLOAK_REALM:-master}"
-KEYCLOAK_URL="https://login.verbis.dkfz.de"
-KEYCLOAK_ISSUER_URL="${KEYCLOAK_URL}/realms/${KEYCLOAK_REALM}"
-KEYCLOAK_GROUP_CLAIM="groups"
+OIDC_REALM="${OIDC_REALM:-master}"
+OIDC_URL="https://login.verbis.dkfz.de"
+OIDC_ISSUER_URL="${OIDC_URL}/realms/${OIDC_REALM}"
+OIDC_GROUP_CLAIM="groups"
 
 OAUTH2_CALLBACK=/oauth2/callback
 OAUTH2_PROXY_SECRET="$(echo \"This is a salt string to generate one consistent encryption key for the oauth2_proxy. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 32)"
diff --git a/lib/functions.sh b/lib/functions.sh
index d32bdbe..fa2a144 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -282,7 +282,7 @@ function sync_secrets() {
 docker run --rm \
 -v /var/cache/bridgehead/secrets/oidc:/usr/local/cache \
 -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
- -v ./$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
+ -v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
 -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
 -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
 -e NO_PROXY=localhost,127.0.0.1 \
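Review bot: Renaming `KEYCLOAK_REALM="${KEYCLOAK_REALM:-master}"` to `OIDC_REALM="${OIDC_REALM:-master}"` also renames the override variable, so a site that still exports `KEYCLOAK_REALM` (for example to keep `test-realm-01`) silently falls back to `master` after this change; the hunk does not show whether any site configuration sets it. A transitional fallback, `OIDC_REALM="${OIDC_REALM:-${KEYCLOAK_REALM:-master}}"`, or at least a sentence in the comment above it stating that the override is now `OIDC_REALM`, would avoid the silent switch. The same concern applies to the other renamed `OIDC_*` assignments in this hunk only if they are overridden externally, which nothing visible here indicates.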
diff --git a/minimal/docker-compose.yml b/minimal/docker-compose.yml
index 217f1b3..9c761af 100644
--- a/minimal/docker-compose.yml
+++ b/minimal/docker-compose.yml
@@ -57,5 +57,3 @@ services:
 HOST: ${HOST}
 PROJECT: ${PROJECT}
 SITE_NAME: ${SITE_NAME}
-
-