diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml
index 6426145..01ee74a 100644
--- a/ccp/modules/datashield-compose.yml
+++ b/ccp/modules/datashield-compose.yml
@@ -1,25 +1,6 @@
 version: "3.7"
 services:
- rstudio:
- container_name: bridgehead-rstudio
- image: docker.verbis.dkfz.de/ccp/dktk-rstudio:latest
- environment:
- #DEFAULT_USER: "rstudio" # This line is kept for informational purposes
- PASSWORD: "${RSTUDIO_ADMIN_PASSWORD}" # It is required, even if the authentication is disabled
- DISABLE_AUTH: "true" # https://rocker-project.org/images/versioned/rstudio.html#how-to-use
- HTTP_RELATIVE_PATH: "/rstudio"
- ALL_PROXY: "http://forward_proxy:3128" # https://rocker-project.org/use/networking.html
- labels:
- "traefik.enable=true"
- - "traefik.http.routers.rstudio_ccp.rule=PathPrefix(`/rstudio`)"
- - "traefik.http.services.rstudio_ccp.loadbalancer.server.port=8787"
- - "traefik.http.middlewares.rstudio_ccp_strip.stripprefix.prefixes=/rstudio"
- - "traefik.http.routers.rstudio_ccp.tls=true"
- - "traefik.http.routers.rstudio_ccp.middlewares=oidcAuth,rstudio_ccp_strip"
- networks:
- - rstudio
-
 opal:
 container_name: bridgehead-opal
 image: docker.verbis.dkfz.de/ccp/dktk-opal:latest
@@ -93,79 +74,14 @@ services:
 - beam-proxy
 volumes:
 - /tmp/bridgehead/opal-map/:/map/:ro
- networks:
- - default
- - rstudio
-
- traefik:
- labels:
- - "traefik.http.middlewares.oidcAuth.forwardAuth.address=http://oauth2-proxy:4180/"
- - "traefik.http.middlewares.oidcAuth.forwardAuth.trustForwardHeader=true"
- - "traefik.http.middlewares.oidcAuth.forwardAuth.authResponseHeaders=X-Auth-Request-Access-Token,Authorization"
- networks:
- - default
- - rstudio
- forward_proxy:
- networks:
- - default
- - rstudio
 beam-proxy:
 environment:
 APP_datashield-connect_KEY: ${DATASHIELD_CONNECT_SECRET}
 APP_token-manager_KEY: ${TOKEN_MANAGER_SECRET}
- # TODO: Allow users of group /DataSHIELD and OIDC_USER_GROUP at the same time:
- # Maybe a solution would be (https://oauth2-proxy.github.io/oauth2-proxy/configuration/oauth_provider):
- # --allowed-groups=/DataSHIELD,OIDC_USER_GROUP
- oauth2-proxy:
- image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:latest
- container_name: bridgehead-oauth2proxy
- command: >-
- --allowed-group=DataSHIELD
- --oidc-groups-claim=${OIDC_GROUP_CLAIM}
- --auth-logging=true
- --whitelist-domain=${HOST}
- --http-address="0.0.0.0:4180"
- --reverse-proxy=true
- --upstream="static://202"
- --email-domain="*"
- --cookie-name="_BRIDGEHEAD_oauth2"
- --cookie-secret="${OAUTH2_PROXY_SECRET}"
- --cookie-expire="12h"
- --cookie-secure="true"
- --cookie-httponly="true"
- #OIDC settings
- --provider="keycloak-oidc"
- --provider-display-name="VerbIS Login"
- --client-id="${OIDC_PRIVATE_CLIENT_ID}"
- --client-secret="${OIDC_CLIENT_SECRET}"
- --redirect-url="https://${HOST}${OAUTH2_CALLBACK}"
- --oidc-issuer-url="${OIDC_ISSUER_URL}"
- --scope="openid email profile"
- --code-challenge-method="S256"
- --skip-provider-button=true
- #X-Forwarded-Header settings - true/false depending on your needs
- --pass-basic-auth=true
- --pass-user-headers=false
- --pass-access-token=false
- labels:
- - "traefik.enable=true"
- - "traefik.http.routers.oauth2_proxy.rule=Host(`${HOST}`) && PathPrefix(`/oauth2`, `/oauth2/callback`)"
- - "traefik.http.services.oauth2_proxy.loadbalancer.server.port=4180"
- - "traefik.http.routers.oauth2_proxy.tls=true"
- environment:
- http_proxy: "http://forward_proxy:3128"
- https_proxy: "http://forward_proxy:3128"
- depends_on:
- forward_proxy:
- condition: service_healthy
-
 secrets:
 opal-cert.pem:
 file: /tmp/bridgehead/opal-cert.pem
 opal-key.pem:
 file: /tmp/bridgehead/opal-key.pem
-
-networks:
- rstudio:
diff --git a/ccp/modules/datashield-setup.sh b/ccp/modules/datashield-setup.sh
index 7a22050..30ecb59 100644
--- a/ccp/modules/datashield-setup.sh
+++ b/ccp/modules/datashield-setup.sh
@@ -5,17 +5,12 @@ if [ "$ENABLE_DATASHIELD" == true ]; then
 if [ -z "${ENABLE_EXPORTER}" ] || [ "${ENABLE_EXPORTER}" != "true" ]; then
 log WARN "The ENABLE_EXPORTER variable is either not set or not set to 'true'."
 fi
- OAUTH2_CALLBACK=/oauth2/callback
- OAUTH2_PROXY_SECRET="$(echo \"This is a salt string to generate one consistent encryption key for the oauth2_proxy. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 32)"
- add_private_oidc_redirect_url "${OAUTH2_CALLBACK}"
-
 log INFO "DataSHIELD setup detected -- will start DataSHIELD services."
 OVERRIDE+=" -f ./$PROJECT/modules/datashield-compose.yml"
 EXPORTER_OPAL_PASSWORD="$(generate_password \"exporter in Opal\")"
 TOKEN_MANAGER_OPAL_PASSWORD="$(generate_password \"Token Manager in Opal\")"
 OPAL_DB_PASSWORD="$(echo \"Opal DB\" | generate_simple_password)"
 OPAL_ADMIN_PASSWORD="$(generate_password \"admin password for Opal\")"
- RSTUDIO_ADMIN_PASSWORD="$(generate_password \"admin password for R-Studio\")"
 DATASHIELD_CONNECT_SECRET="$(echo \"DataShield Connect\" | generate_simple_password)"
 TOKEN_MANAGER_SECRET="$(echo \"Token Manager\" | generate_simple_password)"
 if [ ! -e /tmp/bridgehead/opal-cert.pem ]; then
@@ -23,18 +18,12 @@ if [ "$ENABLE_DATASHIELD" == true ]; then
 openssl req -x509 -newkey rsa:4096 -nodes -keyout /tmp/bridgehead/opal-key.pem -out /tmp/bridgehead/opal-cert.pem -days 3650 -subj "/CN=opal/C=DE"
 fi
 mkdir -p /tmp/bridgehead/opal-map
- sites="$(cat ./$PROJECT/modules/datashield-sites.json)"
- echo "$sites" | docker_jq -n --args '{"sites": input | map({
- "name": .,
- "id": .,
- "virtualhost": "\(.):443",
- "beamconnect": "datashield-connect.\(.).'"$BROKER_ID"'"
- })}' $sites >/tmp/bridgehead/opal-map/central.json
- echo "$sites" | docker_jq -n --args '[{
- "external": "'"$SITE_ID"':443",
+ echo '{"sites": []}' >/tmp/bridgehead/opal-map/central.json
+ echo '[{
+ "external": "'$SITE_ID':443",
 "internal": "opal:8443",
- "allowed": input | map("datashield-connect.\(.).'"$BROKER_ID"'")
- }]' >/tmp/bridgehead/opal-map/local.json
+ "allowed": ["datashield-connect.request-manager.'$BROKER_ID'"]
+ }]' > /tmp/bridgehead/opal-map/local.json
 if [ "$USER" == "root" ]; then
 chown -R bridgehead:docker /tmp/bridgehead
 chmod g+wr /tmp/bridgehead/opal-map/*
diff --git a/ccp/modules/datashield-sites.json b/ccp/modules/datashield-sites.json
deleted file mode 100644
index 07e2966..0000000
--- a/ccp/modules/datashield-sites.json
+++ /dev/null
@@ -1,14 +0,0 @@
-[
- "berlin",
- "muenchen-lmu",
- "dresden",
- "freiburg",
- "muenchen-tum",
- "tuebingen",
- "mainz",
- "frankfurt",
- "essen",
- "dktk-datashield-test",
- "dktk-test",
- "mannheim"
-]
diff --git a/lib/functions.sh b/lib/functions.sh
index b519369..8fdff8a 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
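Review bot: The two added `echo` lines leave `$SITE_ID` and `$BROKER_ID` unquoted between the single-quoted JSON fragments, so both values are word-split and glob-expanded before `echo` sees them, whereas the removed line used the `'"$SITE_ID"'` form; restore it as `"external": "'"$SITE_ID"':443",` and `"allowed": ["datashield-connect.request-manager.'"$BROKER_ID"'"]`. Neither value is escaped for JSON, so a `"` or `\` in either would produce an invalid local.json that only the consumer of the `/map` mount (still `/tmp/bridgehead/opal-map/:/map/:ro` in datashield-compose.yml) would notice, and a comment above the write such as `# SITE_ID and BROKER_ID are interpolated verbatim and must not contain JSON-special characters` records that assumption. The `allowed` list shrinks from one entry per site in datashield-sites.json to the single fixed peer `datashield-connect.request-manager.$BROKER_ID` and central.json is now always `{"sites": []}`; if, as it appears, `allowed` names the beam apps permitted to reach `internal` (`opal:8443`), a one-line comment stating that only the request manager is admitted would spare the next reader a trip through the history. The two new redirects also differ in style (`>/tmp/…/central.json` versus `> /tmp/…/local.json`); pick one. The enclosing `if [ "$ENABLE_DATASHIELD" == true ]` block starts and ends outside the hunk.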
@@ -367,7 +367,3 @@ generate_simple_password(){
 local combined_text="This is a salt string to generate one consistent password for ${seed_text}. It is not required to be secret."
 echo "${combined_text}" | sha1sum | openssl pkeyutl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" 2> /dev/null | base64 | head -c 26 | sed 's/[+\/]/A/g'
 }
-
-docker_jq() {
- docker run --rm -i docker.verbis.dkfz.de/cache/jqlang/jq:latest "$@"
-}
diff --git a/minimal/docker-compose.yml b/minimal/docker-compose.yml
index e9f53d6..5301a9c 100644
--- a/minimal/docker-compose.yml
+++ b/minimal/docker-compose.yml
@@ -42,9 +42,6 @@ services:
 - /var/spool/squid
 volumes:
 - /etc/bridgehead/trusted-ca-certs:/docker/custom-certs/:ro
- healthcheck:
- # Wait 1s before marking this service healthy. Required for the oauth2-proxy to talk to the OIDC provider on startup which will fail if the forward proxy is not started yet.
- test: ["CMD", "sleep", "1"]
 landing:
 container_name: bridgehead-landingpage