diff --git a/bbmri/modules/exporter-compose.yml b/bbmri/modules/exporter-compose.yml index d14b611..cd87d4e 100644 --- a/bbmri/modules/exporter-compose.yml +++ b/bbmri/modules/exporter-compose.yml @@ -23,6 +23,18 @@ services: - "traefik.http.routers.exporter_bbmri.tls=true" - "traefik.http.middlewares.exporter_bbmri_strip.stripprefix.prefixes=/bbmri-exporter" - "traefik.http.routers.exporter_bbmri.middlewares=exporter_bbmri_strip" + # Main router + - "traefik.http.routers.exporter_bbmri.priority=20" + + # API router + - "traefik.http.routers.exporter_bbmri_api.middlewares=exporter_bbmri_strip,exporter_auth" + - "traefik.http.routers.exporter_bbmri_api.rule=PathRegexp(`/bbmri-exporter/.+`)" + - "traefik.http.routers.exporter_bbmri_api.tls=true" + - "traefik.http.routers.exporter_bbmri_api.priority=25" + + # Shared middlewares + - "traefik.http.middlewares.exporter_auth.basicauth.users=${EXPORTER_USER}" + volumes: - "/var/cache/bridgehead/bbmri/exporter-files:/app/exporter-files/output" @@ -65,3 +77,12 @@ services: - "traefik.http.routers.reporter_bbmri.tls=true" - "traefik.http.middlewares.reporter_bbmri_strip.stripprefix.prefixes=/bbmri-reporter" - "traefik.http.routers.reporter_bbmri.middlewares=reporter_bbmri_strip" + - "traefik.http.routers.reporter_bbmri.priority=20" + + #- "traefik.http.routers.reporter_bbmri.middlewares=reporter_bbmri_strip,exporter_auth" + - "traefik.http.routers.reporter_bbmri_api.middlewares=reporter_bbmri_strip,exporter_auth" + - "traefik.http.routers.reporter_bbmri_api.rule=PathRegexp(`/bbmri-reporter/.+`)" + - "traefik.http.routers.reporter_bbmri_api.tls=true" + - "traefik.http.routers.reporter_bbmri_api.priority=25" + #- "traefik.http.middlewares.reporter_auth.basicauth.users=${EXPORTER_USER}" + diff --git a/bbmri/modules/exporter-setup.sh b/bbmri/modules/exporter-setup.sh index 9b947a6..bc06249 100644 --- a/bbmri/modules/exporter-setup.sh +++ b/bbmri/modules/exporter-setup.sh 
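Review bot: The authenticated `exporter_bbmri_api` router only matches paths with something after `/bbmri-exporter/`, so the bare `/bbmri-exporter` and `/bbmri-exporter/` requests still fall through to the priority-20 main router, whose rule sits outside this hunk and carries only `exporter_bbmri_strip`, not `exporter_auth`. If Traefik's `PathRegexp` is unanchored in the version deployed here (Go regexp semantics), `/bbmri-exporter/.+` also matches a path like `/other/bbmri-exporter/x`, which would reach the exporter while `stripprefix` leaves the prefix in place; `PathRegexp(`^/bbmri-exporter/.+`)` closes that gap. A comment above `# Main router` stating which paths are deliberately served without basic auth (presumably the UI entry point) would make the split intentional rather than accidental. The same pattern is repeated for the reporter in the next hunk of this file.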
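Review bot: The two commented-out labels (`#- "traefik.http.routers.reporter_bbmri.middlewares=…"` and `#- "traefik.http.middlewares.reporter_auth.basicauth.users=…"`) are dead configuration and should be removed rather than left in the reporter's label list. The reporter's API router references `exporter_auth`, a middleware that is declared under the exporter service's labels earlier in this file, so the reporter's authentication silently depends on the exporter container being present in the same Traefik provider; a comment such as `# API router – reuses the exporter_auth basic-auth middleware declared on the exporter service` would document that coupling. The exporter block in the previous hunk has `# Main router` / `# API router` headings; the reporter block would read consistently with the same headings.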
@@ -5,4 +5,11 @@ if [ "$ENABLE_EXPORTER" == true ]; then OVERRIDE+=" -f ./$PROJECT/modules/exporter-compose.yml" EXPORTER_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" EXPORTER_API_KEY="$(echo \"This is a salt string to generate one consistent API KEY for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 64)" + + if [ -z "$EXPORTER_USER" ]; then + log "INFO" "Now generating basic auth for the exporter and reporter (see adduser in bridgehead for more information). " + generated_passwd="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 32)" + add_basic_auth_user $PROJECT $generated_passwd "EXPORTER_USER" $PROJECT + fi + fi diff --git a/bbmri/modules/teiler-compose.yml b/bbmri/modules/teiler-compose.yml index 8224b9a..417bc00 100644 --- a/bbmri/modules/teiler-compose.yml +++ b/bbmri/modules/teiler-compose.yml @@ -33,7 +33,6 @@ services: TEILER_BACKEND_URL: "https://${HOST}/bbmri-teiler-backend" TEILER_DASHBOARD_URL: "https://${HOST}/bbmri-teiler-dashboard" OIDC_URL: "${OIDC_URL}" - OIDC_REALM: "${OIDC_REALM}" OIDC_CLIENT_ID: "${OIDC_PUBLIC_CLIENT_ID}" OIDC_TOKEN_GROUP: "${OIDC_GROUP_CLAIM}" TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}" @@ -69,6 +68,3 @@ services: TEILER_DASHBOARD_DE_URL: "https://${HOST}/bbmri-teiler-dashboard/de" TEILER_DASHBOARD_EN_URL: "https://${HOST}/bbmri-teiler-dashboard/en" HTTP_PROXY: "http://forward_proxy:3128" - ENABLE_MTBA: "${ENABLE_MTBA}" - ENABLE_DATASHIELD: "${ENABLE_DATASHIELD}" - IDMANAGER_UPLOAD_APIKEY: "${IDMANAGER_UPLOAD_APIKEY}" # Only used to check if the ID Manager is active diff --git a/bbmri/vars b/bbmri/vars index bd20f8a..35a16f0 100644 --- a/bbmri/vars +++ b/bbmri/vars 
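Review bot: The new `add_basic_auth_user` call passes `$PROJECT` and `$generated_passwd` unquoted, so any value with whitespace or glob characters would be word-split or expanded before the helper sees it; write it as `add_basic_auth_user "$PROJECT" "$generated_passwd" "EXPORTER_USER" "$PROJECT"`. The password pipeline can drop the `cat` and `sed`: `generated_passwd="$(tr -d '-' < /proc/sys/kernel/random/uuid | head -c 32)"`. The hunk does not show where the generated secret is persisted or reported to the operator — that presumably happens inside `add_basic_auth_user`, which is defined outside this file — so a one-line comment like `# Bootstraps EXPORTER_USER once; storing and reporting the credential is done by add_basic_auth_user` would help the next reader, and the log message ends with a stray space inside the string. The enclosing `if [ "$ENABLE_EXPORTER" == true ]` block starts before this hunk.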
@@ -13,18 +13,6 @@ echo $PRIVATEKEYFILENAME FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64} - -# TODO: Adapt Teiler to work without exporter. Then, remove the following OIDC configuration: -OIDC_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})" -OIDC_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter" -OIDC_PRIVATE_CLIENT_ID=${SITE_ID}-private -OIDC_PUBLIC_CLIENT_ID=${SITE_ID}-public -# Use "test-realm-01" for testing -OIDC_REALM="${OIDC_REALM:-master}" -OIDC_URL="https://login.verbis.dkfz.de" -OIDC_ISSUER_URL="${OIDC_URL}/realms/${OIDC_REALM}" -OIDC_GROUP_CLAIM="groups" - POSTGRES_TAG=15.6-alpine for module in $PROJECT/modules/*.sh diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml index 404cda9..a20e9e6 100644 --- a/ccp/modules/datashield-compose.yml +++ b/ccp/modules/datashield-compose.yml @@ -45,7 +45,6 @@ services: OPAL_PRIVATE_KEY: "/run/secrets/opal-key.pem" OPAL_CERTIFICATE: "/run/secrets/opal-cert.pem" OIDC_URL: "${OIDC_URL}" - OIDC_REALM: "${OIDC_REALM}" OIDC_CLIENT_ID: "${OIDC_PRIVATE_CLIENT_ID}" OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}" OIDC_ADMIN_GROUP: "${OIDC_ADMIN_GROUP}" @@ -141,7 +140,7 @@ services: --client-id="${OIDC_PRIVATE_CLIENT_ID}" --client-secret="${OIDC_CLIENT_SECRET}" --redirect-url="https://${HOST}${OAUTH2_CALLBACK}" - --oidc-issuer-url="${OIDC_ISSUER_URL}" + --oidc-issuer-url="${OIDC_URL}" --scope="openid email profile" --code-challenge-method="S256" --skip-provider-button=true diff --git a/ccp/modules/mtba-compose.yml b/ccp/modules/mtba-compose.yml index 56bb015..8f89449 100644 --- a/ccp/modules/mtba-compose.yml +++ b/ccp/modules/mtba-compose.yml @@ -23,7 +23,6 @@ services: OIDC_ADMIN_GROUP: "${OIDC_ADMIN_GROUP}" OIDC_CLIENT_ID: "${OIDC_PRIVATE_CLIENT_ID}" OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}" - OIDC_REALM: "${OIDC_REALM}" OIDC_URL: "${OIDC_URL}" labels: diff --git a/ccp/modules/teiler-compose.yml b/ccp/modules/teiler-compose.yml index b1cf8aa..1a5ca9e 100644 
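Review bot: Removing the whole OIDC block from bbmri/vars leaves `${OIDC_URL}`, `${OIDC_PUBLIC_CLIENT_ID}` and `${OIDC_GROUP_CLAIM}` still referenced by bbmri/modules/teiler-compose.yml (visible as context lines in that file's first hunk of this diff); unless those variables are now provided by the site configuration, Compose substitutes empty strings and the Teiler OIDC settings become blank without any error. The deleted TODO said Teiler should first be adapted to work without the exporter before this configuration is removed; if that adaptation is not in place yet, the variables should stay or the Teiler OIDC entries should be guarded. If the removal is intentional, a short comment above `POSTGRES_TAG` such as `# No OIDC configuration for bbmri: Teiler runs without OIDC here` would record the decision.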
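Review bot: `--oidc-issuer-url="${OIDC_URL}"` now requires OIDC_URL to be the realm-qualified issuer (it previously received `${OIDC_URL}/realms/${OIDC_REALM}`), and oauth2-proxy performs discovery and issuer validation against this exact value, so every project's vars must now carry the realm path; ccp/vars does in this diff, but kr/vars is not touched here and should be checked for the same change. The same variable is still handed to Opal as `OIDC_URL` in the first hunk of this file with `OIDC_REALM` removed, and whether that image expects the base URL or the full issuer URL is not visible here — worth confirming against its configuration. A comment on this line, `# OIDC_URL must be the full issuer URL (…/realms/<realm>)`, would make the new contract explicit.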
--- a/ccp/modules/teiler-compose.yml +++ b/ccp/modules/teiler-compose.yml @@ -33,7 +33,6 @@ services: TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend" TEILER_DASHBOARD_URL: "https://${HOST}/ccp-teiler-dashboard" OIDC_URL: "${OIDC_URL}" - OIDC_REALM: "${OIDC_REALM}" OIDC_CLIENT_ID: "${OIDC_PUBLIC_CLIENT_ID}" OIDC_TOKEN_GROUP: "${OIDC_GROUP_CLAIM}" TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}" diff --git a/ccp/vars b/ccp/vars index cdc6877..5a3aa56 100644 --- a/ccp/vars +++ b/ccp/vars @@ -12,10 +12,7 @@ OIDC_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})" OIDC_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter" OIDC_PRIVATE_CLIENT_ID=${SITE_ID}-private OIDC_PUBLIC_CLIENT_ID=${SITE_ID}-public -# Use "test-realm-01" for testing -OIDC_REALM="${OIDC_REALM:-master}" -OIDC_URL="https://login.verbis.dkfz.de" -OIDC_ISSUER_URL="${OIDC_URL}/realms/${OIDC_REALM}" +OIDC_URL="https://login.verbis.dkfz.de/realms/test-realm-01" OIDC_GROUP_CLAIM="groups" POSTGRES_TAG=15.6-alpine diff --git a/kr/modules/teiler-compose.yml b/kr/modules/teiler-compose.yml index c862594..25a3423 100644 --- a/kr/modules/teiler-compose.yml +++ b/kr/modules/teiler-compose.yml @@ -33,7 +33,6 @@ services: TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend" TEILER_DASHBOARD_URL: "https://${HOST}/ccp-teiler-dashboard" OIDC_URL: "${OIDC_URL}" - OIDC_REALM: "${OIDC_REALM}" OIDC_CLIENT_ID: "${OIDC_PUBLIC_CLIENT_ID}" OIDC_TOKEN_GROUP: "${OIDC_GROUP_CLAIM}" TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}"
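Review bot: `OIDC_URL="https://login.verbis.dkfz.de/realms/test-realm-01"` hardcodes the realm that the deleted comment labelled as the testing realm, and it also drops the `${OIDC_REALM:-master}` default together with the ability to override the realm per site. Group-based authorization in DataSHIELD, MTBA and Teiler (`OIDC_ADMIN_GROUP`, `OIDC_USER_GROUP`) is only as trustworthy as the realm that issues the tokens, so a test realm in the project-wide vars deserves a second look before this ships. If an override is still wanted, `OIDC_URL="${OIDC_URL:-https://login.verbis.dkfz.de/realms/test-realm-01}"` keeps the previous pattern; either way a comment naming the production realm should replace the removed `# Use "test-realm-01" for testing` hint.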