From afb63306a8bd663689920303bd925f892d0fd227 Mon Sep 17 00:00:00 2001 From: juarez Date: Thu, 3 Aug 2023 10:35:41 +0200 Subject: [PATCH 01/81] Remove unnecessary version of docker-compose.override files --- ccp/modules/datashield-compose.yml | 2 - ccp/modules/dnpm-compose.yml | 2 - ccp/modules/exporter-compose.yml | 2 - ccp/modules/login-compose.yml | 2 - ccp/modules/mtba-compose.yml | 2 - ccp/modules/teiler-ui-compose.yml | 72 ++++++++++++++++++++++++++++++ 6 files changed, 72 insertions(+), 10 deletions(-) create mode 100644 ccp/modules/teiler-ui-compose.yml diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml index edca65c..bd486ea 100644 --- a/ccp/modules/datashield-compose.yml +++ b/ccp/modules/datashield-compose.yml @@ -1,5 +1,3 @@ -version: "3.7" - services: rstudio: container_name: bridgehead-rstudio diff --git a/ccp/modules/dnpm-compose.yml b/ccp/modules/dnpm-compose.yml index c32426f..061e010 100644 --- a/ccp/modules/dnpm-compose.yml +++ b/ccp/modules/dnpm-compose.yml @@ -1,5 +1,3 @@ -version: "3.7" - services: beam-proxy: environment: diff --git a/ccp/modules/exporter-compose.yml b/ccp/modules/exporter-compose.yml index 5922690..adfce0b 100644 --- a/ccp/modules/exporter-compose.yml +++ b/ccp/modules/exporter-compose.yml @@ -1,5 +1,3 @@ -version: "3.7" - services: exporter: image: docker.verbis.dkfz.de/ccp/dktk-exporter:latest diff --git a/ccp/modules/login-compose.yml b/ccp/modules/login-compose.yml index 787d4b2..db979b5 100644 --- a/ccp/modules/login-compose.yml +++ b/ccp/modules/login-compose.yml @@ -1,5 +1,3 @@ -version: "3.7" - services: login-db: diff --git a/ccp/modules/mtba-compose.yml b/ccp/modules/mtba-compose.yml index 670d990..c6cf474 100644 --- a/ccp/modules/mtba-compose.yml +++ b/ccp/modules/mtba-compose.yml @@ -1,5 +1,3 @@ -version: "3.7" - services: mtba: image: docker.verbis.dkfz.de/cache/samply/mtba:1.0.0 
diff --git a/ccp/modules/teiler-ui-compose.yml b/ccp/modules/teiler-ui-compose.yml new file mode 100644 index 0000000..92a98d8 --- /dev/null +++ b/ccp/modules/teiler-ui-compose.yml 
@@ -0,0 +1,72 @@ +services: + + teiler-root-config: + image: docker.verbis.dkfz.de/cache/samply/teiler-root-config:develop + container_name: bridgehead-teiler-root-config + labels: + - "traefik.enable=true" + - "traefik.http.routers.teiler_root_config_ccp.rule=PathPrefix(`/ccp-teiler`)" + - "traefik.http.services.teiler_root_config_ccp.loadbalancer.server.port=9000" + - "traefik.http.routers.teiler_root_config_ccp.tls=true" + - "traefik.http.middlewares.teiler_root_config_ccp_strip.stripprefix.prefixes=/ccp-teiler" + - "traefik.http.routers.teiler_root_config_ccp.middlewares=teiler_root_config_ccp_strip" + environment: + TEILER_CORE_URL: "https://${HOST}/ccp-teiler-core" + TEILER_UI_URL: "https://${HOST}/ccp-teiler-ui" + DEFAULT_LANGUAGE: "de" + HTTP_RELATIVE_PATH: "/ccp-teiler" + + teiler-ui: + image: docker.verbis.dkfz.de/cache/samply/teiler-ui:develop + container_name: bridgehead-teiler-ui + labels: + - "traefik.enable=true" + - "traefik.http.routers.teiler_ui_ccp.rule=PathPrefix(`/ccp-teiler-ui`)" + - "traefik.http.services.teiler_ui_ccp.loadbalancer.server.port=80" + - "traefik.http.routers.teiler_ui_ccp.tls=true" + - "traefik.http.middlewares.teiler_ui_ccp_strip.stripprefix.prefixes=/ccp-teiler-ui" + - "traefik.http.routers.teiler_ui_ccp.middlewares=teiler_ui_ccp_strip" + environment: + DEFAULT_LANGUAGE: "DE" + TEILER_CORE_URL: "https://${HOST}/ccp-teiler-core" + KEYCLOAK_URL: "https://${HOST}/login" + KEYCLOAK_REALM: "teiler-ui" + KEYCLOAK_CLIENT_ID: "teiler-ui" + TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}" + TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}" + TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}" + TEILER_PROJECT: "${PROJECT}" + EXPORTER_API_KEY: "${EXPORTER_API_KEY}" + TEILER_ROOT_CONFIG_URL: "https://${HOST}/ccp-teiler" + TEILER_UI_HTTP_RELATIVE_PATH: "/ccp-teiler-ui" + TEILER_ROOT_CONFIG_HTTP_RELATIVE_PATH: "/ccp-teiler" + + teiler-core: + image: docker.verbis.dkfz.de/ccp/dktk-teiler-core:latest + container_name: bridgehead-teiler-core + 
labels: + - "traefik.enable=true" + - "traefik.http.routers.teiler_core_ccp.rule=PathPrefix(`/ccp-teiler-core`)" + - "traefik.http.services.teiler_core_ccp.loadbalancer.server.port=8085" + - "traefik.http.routers.teiler_core_ccp.tls=true" + - "traefik.http.middlewares.teiler_core_ccp_strip.stripprefix.prefixes=/ccp-teiler-core" + - "traefik.http.routers.teiler_core_ccp.middlewares=teiler_core_ccp_strip" + environment: + LOG_LEVEL: "INFO" + APPLICATION_PORT: "8085" + APPLICATION_ADDRESS: "${HOST}" + DEFAULT_LANGUAGE: "DE" + CONFIG_ENV_VAR_PATH: "/run/secrets/ccp.conf" + TEILER_CONFIG_UPDATER_CRON: "0 1 * * * *" + TEILER_ROOT_CONFIG_HTTP_RELATIVE_PATH: "/ccp-teiler" + TEILER_ROOT_CONFIG_URL: "https://${HOST}/ccp-teiler" + TEILER_UI_DE_URL: "https://${HOST}/ccp-teiler-ui/de" + TEILER_UI_EN_URL: "https://${HOST}/ccp-teiler-ui/en" + CENTRAX_URL: "${CENTRAXX_URL}" + IS_DKTK_SITE: "${IS_DKTK_SITE}" + secrets: + - ccp.conf + +secrets: + ccp.conf: + file: /etc/bridgehead/ccp.conf From b87d746a20994b7658b89735fe7227fc1670cf19 Mon Sep 17 00:00:00 2001 From: juarez Date: Thu, 3 Aug 2023 10:35:41 +0200 Subject: [PATCH 02/81] Remove unnecessary version of docker-compose.override files --- ccp/modules/teiler-ui-compose.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ccp/modules/teiler-ui-compose.yml b/ccp/modules/teiler-ui-compose.yml index 92a98d8..5a51c8e 100644 --- a/ccp/modules/teiler-ui-compose.yml +++ b/ccp/modules/teiler-ui-compose.yml @@ -1,3 +1,5 @@ +version: "3.7" + services: teiler-root-config: From d3edb5e1439cdb6b9ee16539634ed584ddb7dccc Mon Sep 17 00:00:00 2001 From: juarez Date: Mon, 11 Sep 2023 13:27:08 +0200 Subject: [PATCH 03/81] Bugfix: Add version in every docker compose file --- ccp/modules/datashield-compose.yml | 2 ++ ccp/modules/dnpm-compose.yml | 2 ++ ccp/modules/exporter-compose.yml | 2 ++ ccp/modules/login-compose.yml | 2 ++ ccp/modules/mtba-compose.yml | 2 ++ 5 files changed, 10 insertions(+) 
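Review bot: `DEFAULT_LANGUAGE` is `"de"` for teiler-root-config but `"DE"` for teiler-ui and teiler-core in the same new file; unless every consumer normalises case, one of them will fall back to a different default, so use one spelling for all three. `EXPORTER_API_KEY: "${EXPORTER_API_KEY}"` is injected into the teiler-ui container's environment, where it is readable by anyone who can run `docker inspect` on the host and, if that image ships it to the browser, by every user; confirm the ui needs it rather than teiler-core. The commit subject says it removes `version:` lines, but this hunk creates a 72-line compose module; a separate commit for the new file would keep the history reviewable.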
diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml index bd486ea..edca65c 100644 --- a/ccp/modules/datashield-compose.yml +++ b/ccp/modules/datashield-compose.yml @@ -1,3 +1,5 @@ +version: "3.7" + services: rstudio: container_name: bridgehead-rstudio diff --git a/ccp/modules/dnpm-compose.yml b/ccp/modules/dnpm-compose.yml index 061e010..c32426f 100644 --- a/ccp/modules/dnpm-compose.yml +++ b/ccp/modules/dnpm-compose.yml @@ -1,3 +1,5 @@ +version: "3.7" + services: beam-proxy: environment: diff --git a/ccp/modules/exporter-compose.yml b/ccp/modules/exporter-compose.yml index adfce0b..5922690 100644 --- a/ccp/modules/exporter-compose.yml +++ b/ccp/modules/exporter-compose.yml @@ -1,3 +1,5 @@ +version: "3.7" + services: exporter: image: docker.verbis.dkfz.de/ccp/dktk-exporter:latest diff --git a/ccp/modules/login-compose.yml b/ccp/modules/login-compose.yml index db979b5..787d4b2 100644 --- a/ccp/modules/login-compose.yml +++ b/ccp/modules/login-compose.yml @@ -1,3 +1,5 @@ +version: "3.7" + services: login-db: diff --git a/ccp/modules/mtba-compose.yml b/ccp/modules/mtba-compose.yml index c6cf474..670d990 100644 --- a/ccp/modules/mtba-compose.yml +++ b/ccp/modules/mtba-compose.yml @@ -1,3 +1,5 @@ +version: "3.7" + services: mtba: image: docker.verbis.dkfz.de/cache/samply/mtba:1.0.0 From 8e171b71de524df3fe2da232d9b62fd288ca0794 Mon Sep 17 00:00:00 2001 From: juarez Date: Thu, 3 Aug 2023 10:35:41 +0200 Subject: [PATCH 04/81] Remove unnecessary version of docker-compose.override files --- ccp/modules/datashield-compose.yml | 2 -- ccp/modules/dnpm-compose.yml | 2 -- ccp/modules/exporter-compose.yml | 2 -- ccp/modules/login-compose.yml | 2 -- ccp/modules/mtba-compose.yml | 2 -- 5 files changed, 10 deletions(-) diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml index edca65c..bd486ea 100644 --- a/ccp/modules/datashield-compose.yml +++ b/ccp/modules/datashield-compose.yml 
@@ -1,5 +1,3 @@ -version: "3.7" - services: rstudio: container_name: bridgehead-rstudio diff --git a/ccp/modules/dnpm-compose.yml b/ccp/modules/dnpm-compose.yml index c32426f..061e010 100644 --- a/ccp/modules/dnpm-compose.yml +++ b/ccp/modules/dnpm-compose.yml @@ -1,5 +1,3 @@ -version: "3.7" - services: beam-proxy: environment: diff --git a/ccp/modules/exporter-compose.yml b/ccp/modules/exporter-compose.yml index 5922690..adfce0b 100644 --- a/ccp/modules/exporter-compose.yml +++ b/ccp/modules/exporter-compose.yml @@ -1,5 +1,3 @@ -version: "3.7" - services: exporter: image: docker.verbis.dkfz.de/ccp/dktk-exporter:latest diff --git a/ccp/modules/login-compose.yml b/ccp/modules/login-compose.yml index 787d4b2..db979b5 100644 --- a/ccp/modules/login-compose.yml +++ b/ccp/modules/login-compose.yml @@ -1,5 +1,3 @@ -version: "3.7" - services: login-db: diff --git a/ccp/modules/mtba-compose.yml b/ccp/modules/mtba-compose.yml index 670d990..c6cf474 100644 --- a/ccp/modules/mtba-compose.yml +++ b/ccp/modules/mtba-compose.yml @@ -1,5 +1,3 @@ -version: "3.7" - services: mtba: image: docker.verbis.dkfz.de/cache/samply/mtba:1.0.0 From 3d136959e7d4c768d36b00680b27c9b8711ca542 Mon Sep 17 00:00:00 2001 From: juarez Date: Mon, 11 Sep 2023 13:27:08 +0200 Subject: [PATCH 05/81] Bugfix: Add version in every docker compose file --- ccp/modules/datashield-compose.yml | 2 ++ ccp/modules/dnpm-compose.yml | 2 ++ ccp/modules/exporter-compose.yml | 2 ++ ccp/modules/login-compose.yml | 2 ++ ccp/modules/mtba-compose.yml | 2 ++ 5 files changed, 10 insertions(+) diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml index bd486ea..edca65c 100644 --- a/ccp/modules/datashield-compose.yml +++ b/ccp/modules/datashield-compose.yml @@ -1,3 +1,5 @@ +version: "3.7" + services: rstudio: container_name: bridgehead-rstudio diff --git a/ccp/modules/dnpm-compose.yml b/ccp/modules/dnpm-compose.yml index 061e010..c32426f 100644 --- a/ccp/modules/dnpm-compose.yml 
+++ b/ccp/modules/dnpm-compose.yml @@ -1,3 +1,5 @@ +version: "3.7" + services: beam-proxy: environment: diff --git a/ccp/modules/exporter-compose.yml b/ccp/modules/exporter-compose.yml index adfce0b..5922690 100644 --- a/ccp/modules/exporter-compose.yml +++ b/ccp/modules/exporter-compose.yml @@ -1,3 +1,5 @@ +version: "3.7" + services: exporter: image: docker.verbis.dkfz.de/ccp/dktk-exporter:latest diff --git a/ccp/modules/login-compose.yml b/ccp/modules/login-compose.yml index db979b5..787d4b2 100644 --- a/ccp/modules/login-compose.yml +++ b/ccp/modules/login-compose.yml @@ -1,3 +1,5 @@ +version: "3.7" + services: login-db: diff --git a/ccp/modules/mtba-compose.yml b/ccp/modules/mtba-compose.yml index c6cf474..670d990 100644 --- a/ccp/modules/mtba-compose.yml +++ b/ccp/modules/mtba-compose.yml @@ -1,3 +1,5 @@ +version: "3.7" + services: mtba: image: docker.verbis.dkfz.de/cache/samply/mtba:1.0.0 From cec3dfe4cd742f6223ee4bda399237a1ef230837 Mon Sep 17 00:00:00 2001 From: janskiba Date: Tue, 7 Nov 2023 14:55:26 +0000 Subject: [PATCH 06/81] Add secret sync to the bridgehead --- bridgehead | 1 + lib/functions.sh | 32 ++++++++++++++++++++++++++++++++ 2 files changed, 33 insertions(+) diff --git a/bridgehead b/bridgehead index 31a838e..2740209 100755 --- a/bridgehead +++ b/bridgehead @@ -82,6 +82,7 @@ loadVars() { export FOCUS_TAG=main ;; esac + sync_secrets } case "$ACTION" in diff --git a/lib/functions.sh b/lib/functions.sh index 6a45d35..2bbf155 100644 --- a/lib/functions.sh +++ b/lib/functions.sh 
@@ -239,3 +239,35 @@ add_basic_auth_user() {
 log DEBUG "Saving clear text credentials in $FILE. If wanted, delete them manually."
 sed -i "/^$NAME/ s|$|\n# User: $USER\n# Password: $PASSWORD|" $FILE
 }
+
+SECRET_SYNC_ARGS=${SECRET_SYNC_ARGS:-""}
+# First argument is the variable name that will be generated.
+# Second argument is a comma seperated list of allowed redirect urls for the oidc client.
+function generate_oidc_client() {
+ local delimiter=$'\x1E'
+ if [[ $SECRET_SYNC_ARGS == "" ]]; then
+ SECRET_SYNC_ARGS+="OIDC:$1:$2"
+ else
+ SECRET_SYNC_ARGS+="${delimiter}OIDC:$1:$2"
+ fi
+}
+
+function sync_secrets() {
+ if [[ $SECRET_SYNC_ARGS == "" ]]; then
+ return
+ fi
+ # The oidc provider will need to be switched based on the project at some point I guess
+ docker run --rm \
+ -v /var/cache/bridgehead/secrets:/usr/local/cache \
+ -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
+ -v ./$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
+ -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
+ -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
+ -e HTTPS_PROXY=$HTTPS_PROXY_FULL_URL \
+ -e PROXY_ID=$PROXY_ID \
+ -e BROKER_URL=$BROKER_URL \
+ -e OIDC_PROVIDER=secret-sync.central.$BROKER_ID \
+ -e SECRET_DEFINITIONS=$SECRET_SYNC_ARGS \
+ docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
+ source /var/cache/bridgehead/secrets/*
+}
From f854ab58ce6b2f7fd851963e438dd9025d6b827f Mon Sep 17 00:00:00 2001
From: janskiba
Date: Mon, 13 Nov 2023 16:22:23 +0000
Subject: [PATCH 07/81] Update to new secret-sync semantics
---
 lib/functions.sh | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/lib/functions.sh b/lib/functions.sh
index 2bbf155..d46353c 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
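Review bot: `source /var/cache/bridgehead/secrets/*` in `sync_secrets` executes every file in that directory as shell code, and the same directory is bind-mounted read-write into the secret-sync container, so whatever that container — or any local process that can write there — drops into it runs with the privileges of the bridgehead script; mounting one named file, created with a restrictive mode, and sourcing only that file narrows this considerably (the glob survives unchanged in the later `sync_secrets` hunks on this page). `-e SECRET_DEFINITIONS=$SECRET_SYNC_ARGS` and `-v $PRIVATEKEYFILENAME:...` are unquoted although `SECRET_SYNC_ARGS` is assembled from a `\x1E` delimiter and caller-supplied redirect URLs; write `-e SECRET_DEFINITIONS="$SECRET_SYNC_ARGS"` and `-v "$PRIVATEKEYFILENAME":/run/secrets/privkey.pem:ro`. If `HTTPS_PROXY_FULL_URL` carries proxy credentials, passing it with `-e` makes them readable through `docker inspect` for as long as the container runs. The two new functions use the `function name()` form while the file's existing functions, e.g. `add_basic_auth_user()` above, use `name() {`, and the comment has a typo, `seperated` → `separated`.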
@@ -241,14 +241,27 @@ add_basic_auth_user() {
 }
 SECRET_SYNC_ARGS=${SECRET_SYNC_ARGS:-""}
-# First argument is the variable name that will be generated.
+# First argument is the variable name that will be generated it will not have a value.
 # Second argument is a comma seperated list of allowed redirect urls for the oidc client.
-function generate_oidc_client() {
+# The resulting client id will be $SITE_ID-public
+function generate_public_oidc_client() {
 local delimiter=$'\x1E'
 if [[ $SECRET_SYNC_ARGS == "" ]]; then
- SECRET_SYNC_ARGS+="OIDC:$1:$2"
+ SECRET_SYNC_ARGS+="OIDC:$1:public;$2"
 else
- SECRET_SYNC_ARGS+="${delimiter}OIDC:$1:$2"
+ SECRET_SYNC_ARGS+="${delimiter}OIDC:$1:public;$2"
+ fi
+}
+
+# First argument is the variable name that the client secret will be avalible at.
+# Second argument is a comma seperated list of allowed redirect urls for the oidc client.
+# The resulting client id will be $SITE_ID-private
+function generate_private_oidc_client() {
+ local delimiter=$'\x1E'
+ if [[ $SECRET_SYNC_ARGS == "" ]]; then
+ SECRET_SYNC_ARGS+="OIDC:$1:private;$2"
+ else
+ SECRET_SYNC_ARGS+="${delimiter}OIDC:$1:private;$2"
 fi
 }
From 41153199560b9814c27013c18f357aa3e26b6037 Mon Sep 17 00:00:00 2001
From: Jan Skiba
Date: Thu, 16 Nov 2023 14:21:19 +0100
Subject: [PATCH 08/81] Setup hostname earlier
---
 bridgehead | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bridgehead b/bridgehead
index 2740209..a1cb708 100755
--- a/bridgehead
+++ b/bridgehead
@@ -50,6 +50,7 @@ loadVars() {
 source /etc/bridgehead/$PROJECT.local.conf || fail_and_report 1 "Found /etc/bridgehead/$PROJECT.local.conf but failed to import"
 fi
 fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "Unable to fetchVarsFromVaultByFile"
+ setHostname
 [ -e ./$PROJECT/vars ] && source ./$PROJECT/vars
 set +a
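Review bot: `generate_public_oidc_client` and `generate_private_oidc_client` are identical except for the literal `public`/`private`, so the delimiter handling and the `OIDC:$1:<kind>;$2` wire format now live in two places and will drift; a private helper taking the kind as a parameter keeps a single definition. The first comment reads `that will be generated it will not have a value`, which is hard to parse; suggest `# First argument is the variable name that will be generated; it carries no value because no client secret is issued for the public client.` The typos `seperated` and `avalible` are worth fixing in the same pass.

```shell
# Append one OIDC client definition to SECRET_SYNC_ARGS.
# $1: variable name the result is delivered under, $2: "public" or "private",
# $3: comma separated list of allowed redirect urls.
_add_oidc_client_definition() {
  local delimiter=$'\x1E'
  if [[ $SECRET_SYNC_ARGS == "" ]]; then
    SECRET_SYNC_ARGS+="OIDC:$1:$2;$3"
  else
    SECRET_SYNC_ARGS+="${delimiter}OIDC:$1:$2;$3"
  fi
}

function generate_public_oidc_client() {
  _add_oidc_client_definition "$1" public "$2"
}

function generate_private_oidc_client() {
  _add_oidc_client_definition "$1" private "$2"
}
```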
@@ -64,7 +65,6 @@ loadVars() {
 OVERRIDE+=" -f ./$PROJECT/docker-compose.override.yml"
 fi
 detectCompose
- setHostname
 setupProxy
 # Set some project-independent default values
From 93a91326a2a9ae23f6b8e88bda94c6eebf75a5cb Mon Sep 17 00:00:00 2001
From: Jan Skiba
Date: Thu, 16 Nov 2023 14:24:41 +0100
Subject: [PATCH 09/81] Make sure path exists
---
 lib/functions.sh | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/functions.sh b/lib/functions.sh
index d46353c..cc55643 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -269,9 +269,11 @@ function sync_secrets() {
 if [[ $SECRET_SYNC_ARGS == "" ]]; then
 return
 fi
+ mkdir -p /var/cache/bridgehead/secrets/
+ touch /var/cache/bridgehead/secrets/oidc
 # The oidc provider will need to be switched based on the project at some point I guess
 docker run --rm \
- -v /var/cache/bridgehead/secrets:/usr/local/cache \
+ -v /var/cache/bridgehead/secrets/oidc:/usr/local/cache \
 -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
 -v ./$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
 -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
@@ -279,7 +281,7 @@ function sync_secrets() {
 -e HTTPS_PROXY=$HTTPS_PROXY_FULL_URL \
 -e PROXY_ID=$PROXY_ID \
 -e BROKER_URL=$BROKER_URL \
- -e OIDC_PROVIDER=secret-sync.central.$BROKER_ID \
+ -e OIDC_PROVIDER=secret-sync-central.oidc.$BROKER_ID \
 -e SECRET_DEFINITIONS=$SECRET_SYNC_ARGS \
 docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
 source /var/cache/bridgehead/secrets/*
From dc3d5496e137dc3569c4fc09f141844e29b6bb1c Mon Sep 17 00:00:00 2001
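Review bot: `mkdir -p /var/cache/bridgehead/secrets/` and `touch /var/cache/bridgehead/secrets/oidc` create the file that will receive the OIDC client secret with whatever the process umask yields, typically 0644, so every local account can read the secret once the container has written it; create both with restrictive modes, `mkdir -p -m 700 /var/cache/bridgehead/secrets/` and `chmod 600 /var/cache/bridgehead/secrets/oidc` after the `touch` (the `-m` only applies when the directory is first created, so a pre-existing directory needs an explicit `chmod` too). Now that the mount is a single file, `source /var/cache/bridgehead/secrets/*` at the end of the second hunk should become `source /var/cache/bridgehead/secrets/oidc`, so an unrelated file dropped into that directory is no longer executed as shell. The `# The oidc provider will need to be switched ...` comment records a known gap; prefixing it with `TODO:` makes it greppable.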
From: juarez Date: Fri, 17 Nov 2023 10:27:12 +0100 Subject: [PATCH 10/81] Integrate central Keycloak in Teiler --- ccp/modules/datashield-compose.yml | 14 +++++++++++--- ccp/modules/datashield-setup.sh | 6 +++++- ccp/modules/exporter-compose.yml | 2 +- ccp/modules/teiler-compose.yml | 11 ++++++----- ccp/modules/teiler-setup.sh | 1 + ccp/vars | 3 ++- lib/functions.sh | 10 ++++++++-- 7 files changed, 34 insertions(+), 13 deletions(-) diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml index edca65c..a126b1a 100644 --- a/ccp/modules/datashield-compose.yml +++ b/ccp/modules/datashield-compose.yml @@ -6,7 +6,8 @@ services: image: docker.verbis.dkfz.de/ccp/dktk-rstudio:latest environment: #DEFAULT_USER: "rstudio" # This line is kept for informational purposes - PASSWORD: "${LDM_AUTH}" + #PASSWORD: "${LDM_AUTH}" + DISABLE_AUTH: "true" # TODO: Connect R-Studio with central Keycloak. Currently using Traefik authentication. HTTP_RELATIVE_PATH: "/rstudio" labels: - "traefik.enable=true" @@ -14,7 +15,7 @@ services: - "traefik.http.services.rstudio_ccp.loadbalancer.server.port=8787" - "traefik.http.routers.rstudio_ccp.tls=true" - "traefik.http.middlewares.rstudio_ccp_strip.stripprefix.prefixes=/rstudio" - - "traefik.http.routers.rstudio_ccp.middlewares=rstudio_ccp_strip" + - "traefik.http.routers.rstudio_ccp.middlewares=rstudio_ccp_strip,auth" opal: container_name: bridgehead-opal @@ -30,7 +31,7 @@ services: environment: JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC -Dhttps.proxyHost=forward_proxy -Dhttps.proxyPort=3128" # OPAL_ADMINISTRATOR_USER: "administrator" # This line is kept for informational purposes - OPAL_ADMINISTRATOR_PASSWORD: "${LDM_AUTH}" + OPAL_ADMINISTRATOR_PASSWORD: "${OPAL_ADMIN_PASSWORD}" POSTGRESDATA_HOST: "opal-db" POSTGRESDATA_DATABASE: "opal" POSTGRESDATA_USER: "opal" 
@@ -40,6 +41,13 @@ services: APP_CONTEXT_PATH: "/opal" OPAL_PRIVATE_KEY: "/run/secrets/opal-key.pem" OPAL_CERTIFICATE: "/run/secrets/opal-cert.pem" + KEYCLOAK_URL: "https://login.verbis.dkfz.de" + KEYCLOAK_REALM: "test-realm-01" + KEYCLOAK_CLIENT_ID: "${SITE_ID}-private" + KEYCLOAK_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}" + KEYCLOAK_ADMIN_GROUP: "${KEYCLOAK_ADMIN_GROUP}" + TOKEN_MANAGER_PASSWORD: "${TOKEN_MANAGER_OPAL_PASSWORD}" + EXPORTER_PASSWORD: "${EXPORTER_OPAL_PASSWORD}" secrets: - opal-cert.pem - opal-key.pem diff --git a/ccp/modules/datashield-setup.sh b/ccp/modules/datashield-setup.sh index 3220c30..5f8fac4 100644 --- a/ccp/modules/datashield-setup.sh +++ b/ccp/modules/datashield-setup.sh 
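Review bot: `KEYCLOAK_URL: "https://login.verbis.dkfz.de"` and `KEYCLOAK_REALM: "test-realm-01"` are hard-coded in a module shipped to every site, and the realm name says test; the same pair appears in the teiler-compose.yml hunk below. Move both into variables with the current values as defaults, e.g. `KEYCLOAK_URL: "${KEYCLOAK_URL:-https://login.verbis.dkfz.de}"`, so switching to a production realm does not mean editing compose files. `KEYCLOAK_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"` is filled in by the secret-sync step; if that step is skipped or fails, Compose silently substitutes an empty string and Opal starts with an empty client secret, whereas `"${OIDC_CLIENT_SECRET:?OIDC client secret missing, secret sync did not run}"` turns that into a hard startup error. In the rstudio service the change sets `DISABLE_AUTH: "true"` and relies on a Traefik middleware named `auth` in `rstudio_ccp_strip,auth` that is not defined in this file; confirm it is declared in the base compose file, since the RStudio container itself now accepts any request that reaches it.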
@@ -3,7 +3,10 @@ if [ "$ENABLE_DATASHIELD" == true ]; then
 log INFO "DataSHIELD setup detected -- will start DataSHIELD services."
 OVERRIDE+=" -f ./$PROJECT/modules/datashield-compose.yml"
- OPAL_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Opal. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+ EXPORTER_OPAL_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Opal DB. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+ TOKEN_MANAGER_OPAL_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Token Manager in Opal. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+ OPAL_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Opal DB. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+ OPAL_ADMIN_PASSWORD="$(echo \"This is a salt string to generate one consistent admin password for Opal. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 DATASHIELD_CONNECT_SECRET="$(echo \"This is a salt string to generate one consistent password as the DataShield Connect secret. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
 if [ ! -e /tmp/bridgehead/opal-cert.pem ]; then
 mkdir -p /tmp/bridgehead/
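Review bot: `EXPORTER_OPAL_PASSWORD` and `OPAL_DB_PASSWORD` sign the identical salt string (`... one consistent password for Opal DB ...`) with the same site key, and `openssl rsautl -sign` is deterministic, so the exporter's Opal login and the database password come out as the same 30 characters; give the exporter its own salt, e.g. `... one consistent password for the Exporter user in Opal ...`, so that one credential leaking does not hand over the other. All four derivations repeat the same pipeline and would be clearer behind one helper that takes the salt as its argument. `openssl rsautl` is deprecated in OpenSSL 3.x in favour of `pkeyutl`, so hosts on a current distribution will print deprecation warnings into the setup log. The enclosing `if [ "$ENABLE_DATASHIELD" == true ]` block continues past the end of this hunk.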
@@ -20,4 +23,5 @@ if [ "$ENABLE_DATASHIELD" == true ]; then }]' > /tmp/bridgehead/opal-map/local.json cp -f ./$PROJECT/modules/datashield-mappings.json /tmp/bridgehead/opal-map/central.json chown -R bridgehead:docker /tmp/bridgehead/ + generate_private_oidc_client "OIDC_CLIENT_SECRET" "https://${HOST}/opal/*" fi diff --git a/ccp/modules/exporter-compose.yml b/ccp/modules/exporter-compose.yml index 5922690..d5eb227 100644 --- a/ccp/modules/exporter-compose.yml +++ b/ccp/modules/exporter-compose.yml @@ -15,7 +15,7 @@ services: HTTP_RELATIVE_PATH: "/ccp-exporter" SITE: "${SITE_ID}" HTTP_SERVLET_REQUEST_SCHEME: "https" - OPAL_ADMINISTRATOR_PASSWORD: "${LDM_AUTH}" + OPAL_PASSWORD: "${EXPORTER_OPAL_PASSWORD}" labels: - "traefik.enable=true" - "traefik.http.routers.exporter_ccp.rule=PathPrefix(`/ccp-exporter`)" diff --git a/ccp/modules/teiler-compose.yml b/ccp/modules/teiler-compose.yml index f0b0d60..659c9e2 100644 --- a/ccp/modules/teiler-compose.yml +++ b/ccp/modules/teiler-compose.yml @@ -31,9 +31,10 @@ services: environment: DEFAULT_LANGUAGE: "${DEFAULT_LANGUAGE}" TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend" - KEYCLOAK_URL: "https://${HOST}/login" - KEYCLOAK_REALM: "teiler" - KEYCLOAK_CLIENT_ID: "teiler" + KEYCLOAK_URL: "https://login.verbis.dkfz.de" + KEYCLOAK_REALM: "test-realm-01" + KEYCLOAK_CLIENT_ID: "${SITE_ID}-public" + KEYCLOAK_TOKEN_GROUP: "groups" TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}" TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}" TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}" @@ -42,8 +43,8 @@ services: TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler" TEILER_DASHBOARD_HTTP_RELATIVE_PATH: "/ccp-teiler-dashboard" TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler" - TEILER_USER: "TEILER_USER" - TEILER_ADMIN: "TEILER_ADMIN" + TEILER_USER: "${KEYCLOAK_USER_GROUP}" + TEILER_ADMIN: "${KEYCLOAK_ADMIN_GROUP}" teiler-backend: image: docker.verbis.dkfz.de/ccp/dktk-teiler-backend:latest 
diff --git a/ccp/modules/teiler-setup.sh b/ccp/modules/teiler-setup.sh
index d1caebe..e930a7e 100644
--- a/ccp/modules/teiler-setup.sh
+++ b/ccp/modules/teiler-setup.sh
@@ -3,4 +3,5 @@ if [ "$ENABLE_TEILER" == true ];then
 log INFO "Teiler setup detected -- will start Teiler services."
 OVERRIDE+=" -f ./$PROJECT/modules/teiler-compose.yml"
+ generate_public_oidc_client "OIDC_PUBLIC" "https://${HOST}/ccp-teiler/*"
 fi
diff --git a/ccp/vars b/ccp/vars
index 8ca411d..b133cf4 100644
--- a/ccp/vars
+++ b/ccp/vars
@@ -10,10 +10,11 @@ BROKER_URL_FOR_PREREQ=$BROKER_URL
 DEFAULT_LANGUAGE=DE
 DEFAULT_LANGUAGE_LOWER_CASE=${DEFAULT_LANGUAGE,,}
 ENABLE_EXPORTER=true
-ENABLE_LOGIN=true
 ENABLE_TEILER=true
 #ENABLE_DATASHIELD=true
+KEYCLOAK_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})"
+KEYCLOAK_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter"
 POSTGRES_TAG=15.6-alpine
 for module in $PROJECT/modules/*.sh
diff --git a/lib/functions.sh b/lib/functions.sh
index cc55643..72bd8e8 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -275,14 +275,20 @@ function sync_secrets() {
 docker run --rm \
 -v /var/cache/bridgehead/secrets/oidc:/usr/local/cache \
 -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
- -v ./$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
+ -v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
 -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
 -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
 -e HTTPS_PROXY=$HTTPS_PROXY_FULL_URL \
 -e PROXY_ID=$PROXY_ID \
 -e BROKER_URL=$BROKER_URL \
- -e OIDC_PROVIDER=secret-sync-central.oidc.$BROKER_ID \
+ -e OIDC_PROVIDER=secret-sync-central.dev-jan.$BROKER_ID \
 -e SECRET_DEFINITIONS=$SECRET_SYNC_ARGS \
 docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
 source /var/cache/bridgehead/secrets/*
 }
+
+capitalize_first_letter() {
+ input="$1"
+ capitalized="$(tr '[:lower:]' '[:upper:]' <<< ${input:0:1})${input:1}"
+ echo "$capitalized"
+}
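Review bot: `capitalize_first_letter` assigns `input` and `capitalized` without `local`; the two call sites in `ccp/vars` run it inside `$(...)`, so nothing leaks there, but any direct call will clobber variables of the same name in the caller, and `<<< ${input:0:1}` is unquoted. Suggest `local input="$1"` and `local capitalized="$(tr '[:lower:]' '[:upper:]' <<< "${input:0:1}")${input:1}"`. `-e OIDC_PROVIDER=secret-sync-central.dev-jan.$BROKER_ID` points every site's client enrolment at what looks like a personal development route; if it is meant for testing only it should not land in the same commit that wires `${SITE_ID}-private` clients for all sites. `$(capitalize_first_letter ${SITE_ID})` in `ccp/vars` passes `SITE_ID` unquoted; `"${SITE_ID}"` avoids word splitting should the value ever contain whitespace.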
From 0015365d1b72697cd2f681520d82f7e82ef2afdd Mon Sep 17 00:00:00 2001 From: janskiba Date: Mon, 20 Nov 2023 11:34:18 +0000 Subject: [PATCH 11/81] Generate addtional redirect url --- ccp/modules/teiler-setup.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/ccp/modules/teiler-setup.sh b/ccp/modules/teiler-setup.sh index e930a7e..17b19bd 100644 --- a/ccp/modules/teiler-setup.sh +++ b/ccp/modules/teiler-setup.sh @@ -3,5 +3,10 @@ if [ "$ENABLE_TEILER" == true ];then log INFO "Teiler setup detected -- will start Teiler services." OVERRIDE+=" -f ./$PROJECT/modules/teiler-compose.yml" - generate_public_oidc_client "OIDC_PUBLIC" "https://${HOST}/ccp-teiler/*" + redirect_urls="https://${HOST}/ccp-teiler/*" + host_without_proxy="$(echo "$HOST" | cut -d '.' -f1)" + if [[ "$HOST" != "$host_without_proxy" ]]; then + redirect_urls+=",https://$host_without_proxy/ccp-teiler/*" + fi + generate_public_oidc_client "OIDC_PUBLIC" "$redirect_urls" fi From 3c8ec73ac341dbbf2203cd02f13c9373dec70804 Mon Sep 17 00:00:00 2001 From: janskiba Date: Tue, 21 Nov 2023 10:39:17 +0000 Subject: [PATCH 12/81] Update oidc provider to new url --- lib/functions.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/functions.sh b/lib/functions.sh index 72bd8e8..e0367e2 100644 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -281,7 +281,7 @@ function sync_secrets() { -e HTTPS_PROXY=$HTTPS_PROXY_FULL_URL \ -e PROXY_ID=$PROXY_ID \ -e BROKER_URL=$BROKER_URL \ - -e OIDC_PROVIDER=secret-sync-central.dev-jan.$BROKER_ID \ + -e OIDC_PROVIDER=secret-sync-central.oidc-client-enrollment.$BROKER_ID \ -e SECRET_DEFINITIONS=$SECRET_SYNC_ARGS \ docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest source /var/cache/bridgehead/secrets/* From bb076c5d5aa6bd90c1074dfdd4927d2fdd21b1a1 Mon Sep 17 00:00:00 2001 
From: juarez Date: Thu, 23 Nov 2023 10:38:50 +0100 Subject: [PATCH 13/81] Add function generate_redirect_urls --- ccp/modules/datashield-setup.sh | 2 +- ccp/modules/teiler-setup.sh | 7 +------ lib/functions.sh | 15 +++++++++++++++ 3 files changed, 17 insertions(+), 7 deletions(-) diff --git a/ccp/modules/datashield-setup.sh b/ccp/modules/datashield-setup.sh index 5f8fac4..420a450 100644 --- a/ccp/modules/datashield-setup.sh +++ b/ccp/modules/datashield-setup.sh @@ -23,5 +23,5 @@ if [ "$ENABLE_DATASHIELD" == true ]; then }]' > /tmp/bridgehead/opal-map/local.json cp -f ./$PROJECT/modules/datashield-mappings.json /tmp/bridgehead/opal-map/central.json chown -R bridgehead:docker /tmp/bridgehead/ - generate_private_oidc_client "OIDC_CLIENT_SECRET" "https://${HOST}/opal/*" + generate_private_oidc_client "OIDC_CLIENT_SECRET" "$(generate_redirect_urls '/opal/*')" fi diff --git a/ccp/modules/teiler-setup.sh b/ccp/modules/teiler-setup.sh index 17b19bd..0da6f6f 100644 --- a/ccp/modules/teiler-setup.sh +++ b/ccp/modules/teiler-setup.sh @@ -3,10 +3,5 @@ if [ "$ENABLE_TEILER" == true ];then log INFO "Teiler setup detected -- will start Teiler services." OVERRIDE+=" -f ./$PROJECT/modules/teiler-compose.yml" - redirect_urls="https://${HOST}/ccp-teiler/*" - host_without_proxy="$(echo "$HOST" | cut -d '.' -f1)" - if [[ "$HOST" != "$host_without_proxy" ]]; then - redirect_urls+=",https://$host_without_proxy/ccp-teiler/*" - fi - generate_public_oidc_client "OIDC_PUBLIC" "$redirect_urls" + generate_public_oidc_client "OIDC_PUBLIC" "$(generate_redirect_urls '/ccp-teiler/*')" fi diff --git a/lib/functions.sh b/lib/functions.sh index e0367e2..78317fd 100644 --- a/lib/functions.sh +++ b/lib/functions.sh 
@@ -292,3 +292,18 @@ capitalize_first_letter() {
 capitalized="$(tr '[:lower:]' '[:upper:]' <<< ${input:0:1})${input:1}"
 echo "$capitalized"
 }
+
+generate_redirect_urls(){
+ local redirect_urls="https://${HOST}$1"
+ local host_without_proxy="$(echo "$HOST" | cut -d '.' -f1)"
+ local port="$(echo "$HOST" | rev | cut -d ':' -f1 | rev)"
+ if [ -z "${port}" ]; then
+ port=""
+ else
+ port=":$port"
+ fi
+ if [[ "$HOST" != "$host_without_proxy" ]]; then
+ redirect_urls+=",https://$host_without_proxy$port$1"
+ fi
+ echo "$redirect_urls"
+}
From 043e12b9854c292356cbce827577bb9dec12def8 Mon Sep 17 00:00:00 2001
From: janskiba
Date: Thu, 23 Nov 2023 09:58:34 +0000
Subject: [PATCH 14/81] Remove port handeling when generating redirect url
---
 lib/functions.sh | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/lib/functions.sh b/lib/functions.sh
index 78317fd..0cb5aba 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -296,12 +296,6 @@ capitalize_first_letter() {
 generate_redirect_urls(){
 local redirect_urls="https://${HOST}$1"
 local host_without_proxy="$(echo "$HOST" | cut -d '.' -f1)"
- local port="$(echo "$HOST" | rev | cut -d ':' -f1 | rev)"
- if [ -z "${port}" ]; then
- port=""
- else
- port=":$port"
- fi
 if [[ "$HOST" != "$host_without_proxy" ]]; then
 redirect_urls+=",https://$host_without_proxy$port$1"
 fi
From 131b52f57b77ee0be127a4d1cb61fc43bc0f502d Mon Sep 17 00:00:00 2001
From: janskiba
Date: Thu, 23 Nov 2023 10:28:43 +0000
Subject: [PATCH 15/81] Account for ip address host values
---
 lib/functions.sh | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/lib/functions.sh b/lib/functions.sh
index 0cb5aba..0c93862 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
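Review bot: `local port="$(echo "$HOST" | rev | cut -d ':' -f1 | rev)"` never yields an empty string, because `cut` prints the whole line when the delimiter is absent, so for a host without a port `port` becomes the full hostname and the second redirect URL is built as `https://<label>:<full host><path>`; `cut -s -d ':' -f1` (suppress lines without the delimiter) is what the `-z` test below it assumes. The `if [ -z "${port}" ]; then port=""` branch is a no-op and can be folded into a parameter expansion, `port="${port:+:$port}"`. The patch 14 hunk on this same line drops the `port` assignment but keeps `$port` in `redirect_urls+=",https://$host_without_proxy$port$1"`, which leaves an unset variable in the URL and would abort under `set -u`.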
@@ -242,7 +242,7 @@ add_basic_auth_user() { SECRET_SYNC_ARGS=${SECRET_SYNC_ARGS:-""} # First argument is the variable name that will be generated it will not have a value. -# Second argument is a comma seperated list of allowed redirect urls for the oidc client. +# Second argument is a comma separated list of allowed redirect urls for the oidc client. # The resulting client id will be $SITE_ID-public function generate_public_oidc_client() { local delimiter=$'\x1E' @@ -253,8 +253,8 @@ function generate_public_oidc_client() { fi } -# First argument is the variable name that the client secret will be avalible at. -# Second argument is a comma seperated list of allowed redirect urls for the oidc client. +# First argument is the variable name that the client secret will be available at. +# Second argument is a comma separated list of allowed redirect urls for the oidc client. # The resulting client id will be $SITE_ID-private function generate_private_oidc_client() { local delimiter=$'\x1E' @@ -293,11 +293,15 @@ capitalize_first_letter() { echo "$capitalized" } +# Generate a string of ',' separated string of redirect urls relative to $HOST. +# $1 will be appended to the url +# If the host looks like dev-jan.inet.dkfz-heidelberg.de it will generate urls with dev-jan and the original $HOST as url Authorities generate_redirect_urls(){ local redirect_urls="https://${HOST}$1" local host_without_proxy="$(echo "$HOST" | cut -d '.' -f1)" - if [[ "$HOST" != "$host_without_proxy" ]]; then - redirect_urls+=",https://$host_without_proxy$port$1" + # Only append second url if its different and the host is not an ip address + if [[ "$HOST" != "$host_without_proxy" && ! "$HOST" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then + redirect_urls+=",https://$host_without_proxy$1" fi echo "$redirect_urls" } From 9ebbf2ed9b42115ef11964b4b1da8bcf133237ba Mon Sep 17 00:00:00 2001 
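Review bot: The second URL appended in generate_redirect_urls uses the bare first DNS label as the authority (`https://$host_without_proxy$1`), so the client ends up with an unqualified hostname registered as a permitted redirect target; the authorization server will send a code to `https://dev-jan/...` and the browser resolves that name through whatever search domain it happens to have. Combined with the `*` suffix every caller passes, the allow-list is much wider than the one callback a site needs, and if the central Keycloak treats a trailing `*` as a wildcard this is exactly what the exact-match recommendation in the OAuth 2.0 security BCP exists to prevent. I would only emit the short-name variant when an operator explicitly opts in (a dedicated variable tested in the same `if`) rather than inferring it from the shape of `HOST`, and extend the header comment with `# NOTE: the short-name variant is meant for dev hosts behind a proxy; it registers an unqualified hostname as a redirect target and must not be enabled on production sites.`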
From: juarez Date: Thu, 23 Nov 2023 14:33:28 +0100 Subject: [PATCH 16/81] Bugfix: Export /var/cache/bridgehead/secrets as environment variables --- lib/functions.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/functions.sh b/lib/functions.sh index 0c93862..fe0ab67 100644 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -284,7 +284,9 @@ function sync_secrets() { -e OIDC_PROVIDER=secret-sync-central.oidc-client-enrollment.$BROKER_ID \ -e SECRET_DEFINITIONS=$SECRET_SYNC_ARGS \ docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest + set -a # Export variables as environment variables source /var/cache/bridgehead/secrets/* + set +a # Export variables in the regular way } capitalize_first_letter() { From 163650f592da0e4fdf5e949ce18be951e551c51c Mon Sep 17 00:00:00 2001 From: juarez Date: Thu, 23 Nov 2023 15:54:44 +0100 Subject: [PATCH 17/81] Add generate_password function --- ccp/modules/datashield-setup.sh | 10 +++++----- ccp/modules/login-setup.sh | 2 +- lib/functions.sh | 13 +++++++++++++ 3 files changed, 19 insertions(+), 6 deletions(-) diff --git a/ccp/modules/datashield-setup.sh b/ccp/modules/datashield-setup.sh index 420a450..3a964cd 100644 --- a/ccp/modules/datashield-setup.sh +++ b/ccp/modules/datashield-setup.sh 
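Review bot: `source /var/cache/bridgehead/secrets/*` only sources the first file the glob expands to — bash's `source` takes a single filename and hands any further words to that file as positional parameters — and when nothing matches, the unexpanded literal path is sourced and the command fails. It also executes whatever the secret-sync container wrote as shell code inside the bridgehead process, now with `set -a` exporting every assignment into the environment that docker compose inherits, so the files must be treated as trusted input and anything that is not a regular file should be skipped. Replace the line with `for f in /var/cache/bridgehead/secrets/*; do [ -f "$f" ] && source "$f"; done` (keeping the `set -a`/`set +a` pair around it) and add `# secret files are shell assignments written by secret-sync-local; they are sourced, not parsed` above it.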
@@ -3,10 +3,10 @@ if [ "$ENABLE_DATASHIELD" == true ]; then log INFO "DataSHIELD setup detected -- will start DataSHIELD services." OVERRIDE+=" -f ./$PROJECT/modules/datashield-compose.yml" - EXPORTER_OPAL_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Opal DB. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" - TOKEN_MANAGER_OPAL_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Token Manager in Opal. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" - OPAL_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Opal DB. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" - OPAL_ADMIN_PASSWORD="$(echo \"This is a salt string to generate one consistent admin password for Opal. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" + EXPORTER_OPAL_PASSWORD="$(generate_password \"exporter in Opal\")" + TOKEN_MANAGER_OPAL_PASSWORD="$(generate_password \"Token Manager in Opal\")" + OPAL_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Opal. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" + OPAL_ADMIN_PASSWORD="$(generate_password \"admin password for Opal\")" DATASHIELD_CONNECT_SECRET="$(echo \"This is a salt string to generate one consistent password as the DataShield Connect secret. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" if [ ! -e /tmp/bridgehead/opal-cert.pem ]; then mkdir -p /tmp/bridgehead/ 
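Review bot: The new calls pass their seed text as `\"exporter in Opal\"`, but inside `$( )` a backslash-quote is a literal `"` character rather than a quoting construct, so `generate_password` receives three words and `$1` is `"exporter`; the rest of the phrase is dropped. The same happens to `\"admin password for Opal\"` and, in the next patch, `\"admin password for R-Studio\"`, which both collapse to `"admin` and therefore derive the same deterministic 26-character prefix for two different admin accounts (the old `echo \"…\"` form did not care because echo just printed the quotes). Use ordinary nested double quotes, which are fine inside `$( )`: `OPAL_ADMIN_PASSWORD="$(generate_password "admin password for Opal")"`, and likewise for the other calls here and in `login-setup.sh`. Fixing this changes the derived values, so it needs to land before sites initialise their databases with them.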
@@ -20,7 +20,7 @@ if [ "$ENABLE_DATASHIELD" == true ]; then "external": "opal-'"$SITE_ID"'", "internal": "opal:8080", "allowed": [$input.sites[].id | "datashield-connect.\(.).broker.ccp-it.dktk.dkfz.de"] - }]' > /tmp/bridgehead/opal-map/local.json + }]' >/tmp/bridgehead/opal-map/local.json cp -f ./$PROJECT/modules/datashield-mappings.json /tmp/bridgehead/opal-map/central.json chown -R bridgehead:docker /tmp/bridgehead/ generate_private_oidc_client "OIDC_CLIENT_SECRET" "$(generate_redirect_urls '/opal/*')" diff --git a/ccp/modules/login-setup.sh b/ccp/modules/login-setup.sh index 5ead5d4..1981b87 100644 --- a/ccp/modules/login-setup.sh +++ b/ccp/modules/login-setup.sh @@ -3,5 +3,5 @@ if [ "$ENABLE_LOGIN" == true ]; then log INFO "Login setup detected -- will start Login services." OVERRIDE+=" -f ./$PROJECT/modules/login-compose.yml" - KEYCLOAK_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Keycloak. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" + KEYCLOAK_DB_PASSWORD="$(generate_password \"local Keycloak\")" fi diff --git a/lib/functions.sh b/lib/functions.sh index fe0ab67..1754767 100644 --- a/lib/functions.sh +++ b/lib/functions.sh 
@@ -307,3 +307,16 @@ generate_redirect_urls(){ fi echo "$redirect_urls" } + +generate_password(){ + local seed_text="$1" + local random_digit=$(openssl rand -hex 1 | head -c 1) + local random_upper=$(openssl rand -base64 3 | tr -dc 'A-Z' | head -c 1) + local random_lower=$(openssl rand -base64 3 | tr -dc 'a-z' | head -c 1) + local random_special=$(echo '@#$%^&+=' | fold -w1 | shuf -n1) + + local combined_text="This is a salt string to generate one consistent password for ${seed_text}. It is not required to be secret." + local main_password=$(echo "${combined_text}" | openssl rsautl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" | base64 | head -c 26) + + echo "${main_password}${random_digit}${random_upper}${random_lower}${random_special}" +} From 8486abedd43f979595aad6e1247cb21028eaa5c4 Mon Sep 17 00:00:00 2001 From: juarez Date: Thu, 23 Nov 2023 17:28:39 +0100 Subject: [PATCH 18/81] Add R-Studio Admin Password --- ccp/modules/datashield-compose.yml | 4 ++-- ccp/modules/datashield-setup.sh | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml index a126b1a..78ff12f 100644 --- a/ccp/modules/datashield-compose.yml +++ b/ccp/modules/datashield-compose.yml @@ -6,7 +6,7 @@ services: image: docker.verbis.dkfz.de/ccp/dktk-rstudio:latest environment: #DEFAULT_USER: "rstudio" # This line is kept for informational purposes - #PASSWORD: "${LDM_AUTH}" + PASSWORD: "${RSTUDIO_ADMIN_PASSWORD}" DISABLE_AUTH: "true" # TODO: Connect R-Studio with central Keycloak. Currently using Traefik authentication. HTTP_RELATIVE_PATH: "/rstudio" labels: 
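Review bot: generate_password appends four characters drawn from `openssl rand`/`shuf`, so the result differs on every invocation even though the seed text promises "one consistent password"; `KEYCLOAK_DB_PASSWORD` in `login-setup.sh` now comes from this function, and a database password that changes on every start will stop matching the one the database stored at its first initialisation. The character-class guarantees are also not guaranteed: `openssl rand -hex 1 | head -c 1` yields `a`–`f` about a third of the time, and `openssl rand -base64 3 | tr -dc 'A-Z'` is empty roughly one run in eight. Derive the four extra characters from the signature as well, so they are stable and always present, as sketched below; the 26-character prefix is unchanged and only the suffix stops being random. If the randomness was deliberate, say so in a comment and drop the "consistent" wording from the seed text instead.
```shell
generate_password(){
  local seed_text="$1"
  local combined_text="This is a salt string to generate one consistent password for ${seed_text}. It is not required to be secret."
  # Everything below is a function of the site key and the seed text only,
  # so the same call yields the same password on every run.
  local sig_b64
  sig_b64="$(echo "${combined_text}" | openssl rsautl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" | base64 -w0)"
  local main_password="${sig_b64:0:26}"
  # Class characters taken from the same signature instead of openssl rand,
  # with fixed fallbacks in the (practically impossible) case a class is absent.
  local digit upper lower
  digit="$(printf '%s' "$sig_b64" | tr -dc '0-9' | head -c 1)"
  upper="$(printf '%s' "$sig_b64" | tr -dc 'A-Z' | head -c 1)"
  lower="$(printf '%s' "$sig_b64" | tr -dc 'a-z' | head -c 1)"
  local specials='@#$%^&+='
  local idx=$(( 0x$(printf '%s' "$sig_b64" | sha256sum | head -c 2) % ${#specials} ))
  local special="${specials:$idx:1}"
  echo "${main_password}${digit:-0}${upper:-A}${lower:-a}${special}"
}
```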
@@ -15,7 +15,7 @@ services: - "traefik.http.services.rstudio_ccp.loadbalancer.server.port=8787" - "traefik.http.routers.rstudio_ccp.tls=true" - "traefik.http.middlewares.rstudio_ccp_strip.stripprefix.prefixes=/rstudio" - - "traefik.http.routers.rstudio_ccp.middlewares=rstudio_ccp_strip,auth" + - "traefik.http.routers.rstudio_ccp.middlewares=rstudio_ccp_strip" opal: container_name: bridgehead-opal diff --git a/ccp/modules/datashield-setup.sh b/ccp/modules/datashield-setup.sh index 3a964cd..e77e4c9 100644 --- a/ccp/modules/datashield-setup.sh +++ b/ccp/modules/datashield-setup.sh @@ -7,6 +7,7 @@ if [ "$ENABLE_DATASHIELD" == true ]; then TOKEN_MANAGER_OPAL_PASSWORD="$(generate_password \"Token Manager in Opal\")" OPAL_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Opal. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" OPAL_ADMIN_PASSWORD="$(generate_password \"admin password for Opal\")" + RSTUDIO_ADMIN_PASSWORD="$(generate_password \"admin password for R-Studio\")" DATASHIELD_CONNECT_SECRET="$(echo \"This is a salt string to generate one consistent password as the DataShield Connect secret. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" if [ ! -e /tmp/bridgehead/opal-cert.pem ]; then mkdir -p /tmp/bridgehead/ From e32f484c31cbc00c6b2c4cce6d68ff1e403d62fc Mon Sep 17 00:00:00 2001 From: juarez Date: Fri, 24 Nov 2023 08:52:54 +0100 Subject: [PATCH 19/81] Add keycloak configuration --- ccp/modules/datashield-compose.yml | 6 +++--- ccp/modules/mtba-compose.yml | 1 + ccp/modules/teiler-compose.yml | 8 ++++---- ccp/vars | 6 ++++++ 4 files changed, 14 insertions(+), 7 deletions(-) diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml index 78ff12f..bac8a07 100644 --- a/ccp/modules/datashield-compose.yml +++ b/ccp/modules/datashield-compose.yml 
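Review bot: Removing `auth` from `traefik.http.routers.rstudio_ccp.middlewares` while `DISABLE_AUTH` stays `"true"` leaves `/rstudio` with no authentication at all: the rocker image's own login is switched off, so the new `PASSWORD` is never checked, and the Traefik basic-auth middleware was the only other gate. An RStudio session is an interactive R shell inside the container, so this should not ship without a replacement check in the same commit. Keep `- "traefik.http.routers.rstudio_ccp.middlewares=rstudio_ccp_strip,auth"` until the OIDC forward-auth middleware is wired up, or flip to `DISABLE_AUTH: "false"` so the generated password is actually enforced, and turn the trailing TODO into a comment that states which component is responsible for authenticating this route.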
@@ -41,9 +41,9 @@ services: APP_CONTEXT_PATH: "/opal" OPAL_PRIVATE_KEY: "/run/secrets/opal-key.pem" OPAL_CERTIFICATE: "/run/secrets/opal-cert.pem" - KEYCLOAK_URL: "https://login.verbis.dkfz.de" - KEYCLOAK_REALM: "test-realm-01" - KEYCLOAK_CLIENT_ID: "${SITE_ID}-private" + KEYCLOAK_URL: "${KEYCLOAK_URL}" + KEYCLOAK_REALM: "${KEYCLOAK_REALM}" + KEYCLOAK_CLIENT_ID: "${KEYCLOAK_PRIVATE_CLIENT_ID}" KEYCLOAK_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}" KEYCLOAK_ADMIN_GROUP: "${KEYCLOAK_ADMIN_GROUP}" TOKEN_MANAGER_PASSWORD: "${TOKEN_MANAGER_OPAL_PASSWORD}" diff --git a/ccp/modules/mtba-compose.yml b/ccp/modules/mtba-compose.yml index 670d990..b448378 100644 --- a/ccp/modules/mtba-compose.yml +++ b/ccp/modules/mtba-compose.yml @@ -19,6 +19,7 @@ services: FILE_CHARSET: ${MTBA_FILE_CHARSET} FILE_END_OF_LINE: ${MTBA_FILE_END_OF_LINE} CSV_DELIMITER: ${MTBA_CSV_DELIMITER} + HTTP_RELATIVE_PATH: "/mtba" labels: - "traefik.enable=true" - "traefik.http.routers.mtba_ccp.rule=PathPrefix(`/mtba`)" diff --git a/ccp/modules/teiler-compose.yml b/ccp/modules/teiler-compose.yml index 659c9e2..14b8633 100644 --- a/ccp/modules/teiler-compose.yml +++ b/ccp/modules/teiler-compose.yml @@ -31,10 +31,10 @@ services: environment: DEFAULT_LANGUAGE: "${DEFAULT_LANGUAGE}" TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend" - KEYCLOAK_URL: "https://login.verbis.dkfz.de" - KEYCLOAK_REALM: "test-realm-01" - KEYCLOAK_CLIENT_ID: "${SITE_ID}-public" - KEYCLOAK_TOKEN_GROUP: "groups" + KEYCLOAK_URL: "${KEYCLOAK_URL}" + KEYCLOAK_REALM: "${KEYCLOAK_REALM}" + KEYCLOAK_CLIENT_ID: "${KEYCLOAK_PUBLIC_CLIENT_ID}" + KEYCLOAK_TOKEN_GROUP: "${KEYCLOAK_TOKEN_GROUP}" TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}" TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}" TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}" diff --git a/ccp/vars b/ccp/vars index b133cf4..5ca76a2 100644 --- a/ccp/vars +++ b/ccp/vars 
@@ -15,6 +15,12 @@ ENABLE_TEILER=true KEYCLOAK_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})" KEYCLOAK_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter" +KEYCLOAK_PRIVATE_CLIENT_ID=${SITE_ID}-private +KEYCLOAK_PUBLIC_CLIENT_ID=${SITE_ID}-public +# TODO: Change Keycloak Realm to productive. "test-realm-01" is only for testing +KEYCLOAK_REALM="test-realm-01" +KEYCLOAK_URL="https://login.verbis.dkfz.de" +KEYCLOAK_TOKEN_GROUP="groups" POSTGRES_TAG=15.6-alpine for module in $PROJECT/modules/*.sh From 903ef0df9b32f4d7f126ef647f81bc1e08db6db1 Mon Sep 17 00:00:00 2001 From: juarez Date: Mon, 27 Nov 2023 19:39:16 +0100 Subject: [PATCH 20/81] Add Keycloak to MTBA --- bridgehead | 1 + ccp/modules/mtba-compose.yml | 7 +++++++ ccp/vars | 2 +- 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/bridgehead b/bridgehead index a1cb708..4e25da7 100755 --- a/bridgehead +++ b/bridgehead @@ -41,6 +41,7 @@ case "$PROJECT" in ;; esac +# TODO: Please add proper documentation for variable priorities (1. secrets, 2. vars, 3. PROJECT.local.conf, 4. PROJECT.conf, 5. ??? loadVars() { # Load variables from /etc/bridgehead and /srv/docker/bridgehead set -a diff --git a/ccp/modules/mtba-compose.yml b/ccp/modules/mtba-compose.yml index b448378..fb7b19a 100644 --- a/ccp/modules/mtba-compose.yml +++ b/ccp/modules/mtba-compose.yml 
@@ -20,11 +20,18 @@ services: FILE_END_OF_LINE: ${MTBA_FILE_END_OF_LINE} CSV_DELIMITER: ${MTBA_CSV_DELIMITER} HTTP_RELATIVE_PATH: "/mtba" + KEYCLOAK_ADMIN_GROUP: "${KEYCLOAK_ADMIN_GROUP}" + KEYCLOAK_CLIENT_ID: "${KEYCLOAK_PRIVATE_CLIENT_ID}" + KEYCLOAK_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}" + KEYCLOAK_REALM: "${KEYCLOAK_REALM}" + KEYCLOAK_URL: "${KEYCLOAK_URL}" + labels: - "traefik.enable=true" - "traefik.http.routers.mtba_ccp.rule=PathPrefix(`/mtba`)" - "traefik.http.services.mtba_ccp.loadbalancer.server.port=8480" - "traefik.http.routers.mtba_ccp.tls=true" + - "traefik.http.middlewares.mtba_ccp_strip.stripprefix.prefixes=/mtba" - "traefik.http.routers.mtba_ccp.middlewares=mtba_ccp_strip, auth" volumes: diff --git a/ccp/vars b/ccp/vars index 5ca76a2..b051cee 100644 --- a/ccp/vars +++ b/ccp/vars @@ -18,7 +18,7 @@ KEYCLOAK_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter" KEYCLOAK_PRIVATE_CLIENT_ID=${SITE_ID}-private KEYCLOAK_PUBLIC_CLIENT_ID=${SITE_ID}-public # TODO: Change Keycloak Realm to productive. "test-realm-01" is only for testing -KEYCLOAK_REALM="test-realm-01" +KEYCLOAK_REALM="${KEYCLOAK_REALM:-test-realm-01}" KEYCLOAK_URL="https://login.verbis.dkfz.de" KEYCLOAK_TOKEN_GROUP="groups" POSTGRES_TAG=15.6-alpine From ae965fddb307d1f52a4a4b01dd0199b35d46a70b Mon Sep 17 00:00:00 2001 From: juarez Date: Tue, 28 Nov 2023 16:50:36 +0100 Subject: [PATCH 21/81] Add proxy to R-Studio for loading R packages --- ccp/modules/datashield-compose.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml index bac8a07..14e9650 100644 --- a/ccp/modules/datashield-compose.yml +++ b/ccp/modules/datashield-compose.yml 
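Review bot: `KEYCLOAK_REALM="${KEYCLOAK_REALM:-test-realm-01}"` makes the test realm the silent default, so a site that forgets to set the variable authenticates its users — and presents the confidential client secret now shared by Opal and MTBA — against a test realm with no indication anywhere. Given the TODO directly above it, the safer shape is to fail closed once the productive realm exists, `KEYCLOAK_REALM="${KEYCLOAK_REALM:?KEYCLOAK_REALM must be set}"`, or at minimum to `log WARN` when the fallback is taken. In the MTBA hunk, `KEYCLOAK_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"` relies on the private client having been enrolled, which as far as this series shows happens only in `datashield-setup.sh`; an MTBA-only site would then start with an empty secret, so it is worth confirming where the value comes from when DataSHIELD is disabled.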
@@ -7,8 +7,10 @@ services: environment: #DEFAULT_USER: "rstudio" # This line is kept for informational purposes PASSWORD: "${RSTUDIO_ADMIN_PASSWORD}" - DISABLE_AUTH: "true" # TODO: Connect R-Studio with central Keycloak. Currently using Traefik authentication. + DISABLE_AUTH: "true" # https://rocker-project.org/images/versioned/rstudio.html#how-to-use + # TODO: Connect R-Studio with central Keycloak. Currently using Traefik authentication. HTTP_RELATIVE_PATH: "/rstudio" + ALL_PROXY: "http://forward_proxy:3128" # https://rocker-project.org/use/networking.html labels: - "traefik.enable=true" - "traefik.http.routers.rstudio_ccp.rule=PathPrefix(`/rstudio`)" From f6965859fe89b57e40088a41eefc84df20182cea Mon Sep 17 00:00:00 2001 From: juarez Date: Tue, 28 Nov 2023 16:51:30 +0100 Subject: [PATCH 22/81] Add comment about PASSWORD and DISABLE_AUTH in R-Studio --- ccp/modules/datashield-compose.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml index 14e9650..292f20c 100644 --- a/ccp/modules/datashield-compose.yml +++ b/ccp/modules/datashield-compose.yml @@ -6,7 +6,7 @@ services: image: docker.verbis.dkfz.de/ccp/dktk-rstudio:latest environment: #DEFAULT_USER: "rstudio" # This line is kept for informational purposes - PASSWORD: "${RSTUDIO_ADMIN_PASSWORD}" + PASSWORD: "${RSTUDIO_ADMIN_PASSWORD}" # It is required, even if the authentication is disabled DISABLE_AUTH: "true" # https://rocker-project.org/images/versioned/rstudio.html#how-to-use # TODO: Connect R-Studio with central Keycloak. Currently using Traefik authentication. HTTP_RELATIVE_PATH: "/rstudio" @@ -17,7 +17,6 @@ services: - "traefik.http.services.rstudio_ccp.loadbalancer.server.port=8787" - "traefik.http.routers.rstudio_ccp.tls=true" - "traefik.http.middlewares.rstudio_ccp_strip.stripprefix.prefixes=/rstudio" - - "traefik.http.routers.rstudio_ccp.middlewares=rstudio_ccp_strip" opal: container_name: bridgehead-opal 
From 0cd4ededc70e8108541e24f704acfb17be3351f8 Mon Sep 17 00:00:00 2001 From: juarez Date: Wed, 29 Nov 2023 09:29:18 +0100 Subject: [PATCH 23/81] Add oauth2_proxy --- ccp/docker-compose.yml | 44 ++++++++++++++++++++++++++++++ ccp/modules/datashield-compose.yml | 4 +-- ccp/modules/datashield-setup.sh | 1 + ccp/modules/teiler-compose.yml | 2 +- ccp/vars | 3 +- 5 files changed, 50 insertions(+), 4 deletions(-) diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml index d92ccfb..269ed2e 100644 --- a/ccp/docker-compose.yml +++ b/ccp/docker-compose.yml 
@@ -52,6 +52,50 @@ services: - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro - /srv/docker/bridgehead/ccp/root.crt.pem:/conf/root.crt.pem:ro + traefik: + labels: + - "traefik.http.middlewares.oidcAuth.forwardAuth.address=http://oauth2_proxy:4180/" + - "traefik.http.middlewares.oidcAuth.forwardAuth.trustForwardHeader=true" + - "traefik.http.middlewares.oidcAuth.forwardAuth.authResponseHeaders=X-Auth-Request-Access-Token,Authorization" + + + oauth2_proxy: + image: quay.io/oauth2-proxy/oauth2-proxy + container_name: bridgehead_oauth2_proxy + command: >- + --allowed-group=/${KEYCLOAK_USER_GROUP} + --oidc-groups-claim=${KEYCLOAK_GROUP_CLAIM} + --auth-logging=true + --whitelist-domain=${HOST} + --http-address="0.0.0.0:4180" + --reverse-proxy=true + --upstream="static://202" + --email-domain="*" + --cookie-name="_BRIDGEHEAD_oauth2" + --cookie-secret="${OAUTH2_PROXY_SECRET}" + --cookie-expire="12h" + --cookie-secure="true" + --cookie-httponly="true" + #OIDC settings + --provider="keycloak-oidc" + --provider-display-name="VerbIS Login" + --client-id="${KEYCLOAK_PRIVATE_CLIENT_ID}" + --client-secret="${OIDC_CLIENT_SECRET}" + --redirect-url="https://${HOST}/oauth2/callback" + --oidc-issuer-url="${KEYCLOAK_ISSUER_URL}" + --scope="openid email profile" + --code-challenge-method="S256" + --skip-provider-button=true + #X-Forwarded-Header settings - true/false depending on your needs + --pass-basic-auth=true + --pass-user-headers=false + --pass-access-token=false + labels: + - "traefik.enable=true" + - "traefik.http.routers.oauth2_proxy.rule=Host(`${HOST}`) && PathPrefix(`/oauth2`, `/oauth2/callback`)" + - "traefik.http.services.oauth2_proxy.loadbalancer.server.port=4180" + - "traefik.http.routers.oauth2_proxy.tls=true" + volumes: blaze-data: diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml index 292f20c..611b39f 100644 --- a/ccp/modules/datashield-compose.yml +++ b/ccp/modules/datashield-compose.yml 
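Review bot: The two `#…` lines inside the folded `command: >-` scalar are not YAML comments — inside a block scalar every line is content — so `#OIDC settings` and `#X-Forwarded-Header settings - true/false depending on your needs` are folded into the command string; depending on how compose splits that string they reach oauth2-proxy as stray positional words or swallow the rest of the line as a shell comment, and either way the file does not say what was meant. Move both lines above `command:` at key indentation, where they are real comments. Two smaller points in the same stanza: `--client-secret` and `--cookie-secret` are passed on the command line and therefore show up in `docker inspect` and the container's process list, while oauth2-proxy documents that every flag can be supplied as `OAUTH2_PROXY_<FLAG>`, so `OAUTH2_PROXY_CLIENT_SECRET` and `OAUTH2_PROXY_COOKIE_SECRET` under `environment:` keep them out of argv. And `image: quay.io/oauth2-proxy/oauth2-proxy` carries no tag, so the authentication gate for the whole site floats to whatever `latest` is at pull time; pin a release tag or digest.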
@@ -8,15 +8,15 @@ services: #DEFAULT_USER: "rstudio" # This line is kept for informational purposes PASSWORD: "${RSTUDIO_ADMIN_PASSWORD}" # It is required, even if the authentication is disabled DISABLE_AUTH: "true" # https://rocker-project.org/images/versioned/rstudio.html#how-to-use - # TODO: Connect R-Studio with central Keycloak. Currently using Traefik authentication. HTTP_RELATIVE_PATH: "/rstudio" ALL_PROXY: "http://forward_proxy:3128" # https://rocker-project.org/use/networking.html labels: - "traefik.enable=true" - "traefik.http.routers.rstudio_ccp.rule=PathPrefix(`/rstudio`)" - "traefik.http.services.rstudio_ccp.loadbalancer.server.port=8787" - - "traefik.http.routers.rstudio_ccp.tls=true" - "traefik.http.middlewares.rstudio_ccp_strip.stripprefix.prefixes=/rstudio" + - "traefik.http.routers.rstudio_ccp.tls=true" + - "traefik.http.routers.rstudio_ccp.middlewares=oidcAuth,rstudio_ccp_strip" opal: container_name: bridgehead-opal diff --git a/ccp/modules/datashield-setup.sh b/ccp/modules/datashield-setup.sh index e77e4c9..bd50a43 100644 --- a/ccp/modules/datashield-setup.sh +++ b/ccp/modules/datashield-setup.sh @@ -9,6 +9,7 @@ if [ "$ENABLE_DATASHIELD" == true ]; then OPAL_ADMIN_PASSWORD="$(generate_password \"admin password for Opal\")" RSTUDIO_ADMIN_PASSWORD="$(generate_password \"admin password for R-Studio\")" DATASHIELD_CONNECT_SECRET="$(echo \"This is a salt string to generate one consistent password as the DataShield Connect secret. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" + OAUTH2_PROXY_SECRET="$(echo \"This is a salt string to generate one consistent encryption key for the oauth2_proxy. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 32)" if [ ! -e /tmp/bridgehead/opal-cert.pem ]; then mkdir -p /tmp/bridgehead/ chown -R bridgehead:docker /tmp/bridgehead/ 
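Review bot: The seed text for `OAUTH2_PROXY_SECRET` says "It is not required to be secret", but this value becomes oauth2-proxy's `--cookie-secret`, the key that signs and encrypts the session cookie: whoever holds it can forge a session that passes the `oidcAuth` forward-auth gate now placed in front of RStudio without ever authenticating to Keycloak. The derivation itself is acceptable (a deterministic function of the site's private key, which is secret), but the phrase is copied from the password generators above and will mislead the next maintainer into treating this value like them. Rather than changing the seed text (which would change the derived key), add a comment on the line: `# Unlike the passwords above, this value must stay secret: it is the oauth2_proxy cookie key and anyone holding it can mint valid sessions.`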
diff --git a/ccp/modules/teiler-compose.yml b/ccp/modules/teiler-compose.yml index 14b8633..8266eca 100644 --- a/ccp/modules/teiler-compose.yml +++ b/ccp/modules/teiler-compose.yml @@ -34,7 +34,7 @@ services: KEYCLOAK_URL: "${KEYCLOAK_URL}" KEYCLOAK_REALM: "${KEYCLOAK_REALM}" KEYCLOAK_CLIENT_ID: "${KEYCLOAK_PUBLIC_CLIENT_ID}" - KEYCLOAK_TOKEN_GROUP: "${KEYCLOAK_TOKEN_GROUP}" + KEYCLOAK_TOKEN_GROUP: "${KEYCLOAK_GROUP_CLAIM}" TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}" TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}" TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}" diff --git a/ccp/vars b/ccp/vars index b051cee..62a8df3 100644 --- a/ccp/vars +++ b/ccp/vars @@ -20,7 +20,8 @@ KEYCLOAK_PUBLIC_CLIENT_ID=${SITE_ID}-public # TODO: Change Keycloak Realm to productive. "test-realm-01" is only for testing KEYCLOAK_REALM="${KEYCLOAK_REALM:-test-realm-01}" KEYCLOAK_URL="https://login.verbis.dkfz.de" -KEYCLOAK_TOKEN_GROUP="groups" +KEYCLOAK_ISSUER_URL="${KEYCLOAK_URL}/realms/${KEYCLOAK_REALM}" +KEYCLOAK_GROUP_CLAIM="groups" POSTGRES_TAG=15.6-alpine for module in $PROJECT/modules/*.sh From b44a208e08b9a6898cf83055b58511889fab997e Mon Sep 17 00:00:00 2001 From: janskiba Date: Thu, 30 Nov 2023 13:46:08 +0000 Subject: [PATCH 24/81] Better redirect url handeling --- ccp/modules/datashield-setup.sh | 2 +- ccp/modules/teiler-setup.sh | 2 +- lib/functions.sh | 48 +++++++++++++++++++-------------- 3 files changed, 30 insertions(+), 22 deletions(-) diff --git a/ccp/modules/datashield-setup.sh b/ccp/modules/datashield-setup.sh index bd50a43..e5625fa 100644 --- a/ccp/modules/datashield-setup.sh +++ b/ccp/modules/datashield-setup.sh 
@@ -25,5 +25,5 @@ if [ "$ENABLE_DATASHIELD" == true ]; then }]' >/tmp/bridgehead/opal-map/local.json cp -f ./$PROJECT/modules/datashield-mappings.json /tmp/bridgehead/opal-map/central.json chown -R bridgehead:docker /tmp/bridgehead/ - generate_private_oidc_client "OIDC_CLIENT_SECRET" "$(generate_redirect_urls '/opal/*')" + add_private_oidc_redirect_url "/opal/*" fi diff --git a/ccp/modules/teiler-setup.sh b/ccp/modules/teiler-setup.sh index 0da6f6f..1e97079 100644 --- a/ccp/modules/teiler-setup.sh +++ b/ccp/modules/teiler-setup.sh @@ -3,5 +3,5 @@ if [ "$ENABLE_TEILER" == true ];then log INFO "Teiler setup detected -- will start Teiler services." OVERRIDE+=" -f ./$PROJECT/modules/teiler-compose.yml" - generate_public_oidc_client "OIDC_PUBLIC" "$(generate_redirect_urls '/ccp-teiler/*')" + add_public_oidc_redirect_url "/ccp-teiler/*" fi diff --git a/lib/functions.sh b/lib/functions.sh index 1754767..0039093 100644 --- a/lib/functions.sh +++ b/lib/functions.sh 
@@ -240,33 +240,41 @@ add_basic_auth_user() { sed -i "/^$NAME/ s|$|\n# User: $USER\n# Password: $PASSWORD|" $FILE } -SECRET_SYNC_ARGS=${SECRET_SYNC_ARGS:-""} -# First argument is the variable name that will be generated it will not have a value. -# Second argument is a comma separated list of allowed redirect urls for the oidc client. -# The resulting client id will be $SITE_ID-public -function generate_public_oidc_client() { - local delimiter=$'\x1E' - if [[ $SECRET_SYNC_ARGS == "" ]]; then - SECRET_SYNC_ARGS+="OIDC:$1:public;$2" +OIDC_PUBLIC_REDIRECT_URLS=${OIDC_PUBLIC_REDIRECT_URLS:-""} +OIDC_PRIVATE_REDIRECT_URLS=${OIDC_PRIVATE_REDIRECT_URLS:-""} + +# Add a redirect url to the public oidc client of the bridgehead +function add_public_oidc_redirect_url() { + if [[ $OIDC_PUBLIC_REDIRECT_URLS == "" ]]; then + OIDC_PUBLIC_REDIRECT_URLS+="$(generate_redirect_urls $1)" else - SECRET_SYNC_ARGS+="${delimiter}OIDC:$1:public;$2" + OIDC_PUBLIC_REDIRECT_URLS+=",$(generate_redirect_urls $1)" fi } -# First argument is the variable name that the client secret will be available at. -# Second argument is a comma separated list of allowed redirect urls for the oidc client. 
-# The resulting client id will be $SITE_ID-private -function generate_private_oidc_client() { - local delimiter=$'\x1E' - if [[ $SECRET_SYNC_ARGS == "" ]]; then - SECRET_SYNC_ARGS+="OIDC:$1:private;$2" +# Add a redirect url to the private oidc client of the bridgehead +function add_private_oidc_redirect_url() { + if [[ $OIDC_PRIVATE_REDIRECT_URLS == "" ]]; then + OIDC_PRIVATE_REDIRECT_URLS+="$(generate_redirect_urls $1)" else - SECRET_SYNC_ARGS+="${delimiter}OIDC:$1:private;$2" + OIDC_PRIVATE_REDIRECT_URLS+=",$(generate_redirect_urls $1)" fi } function sync_secrets() { - if [[ $SECRET_SYNC_ARGS == "" ]]; then + local delimiter=$'\x1E' + local secret_sync_args="" + if [[ $OIDC_PRIVATE_REDIRECT_URLS != "" ]]; then + secret_sync_args="OIDC:OIDC_CLIENT_SECRET:private;$OIDC_PRIVATE_REDIRECT_URLS" + fi + if [[ $OIDC_PRIVATE_REDIRECT_URLS != "" ]]; then + if [[ $secret_sync_args == "" ]]; then + secret_sync_args="OIDC:OIDC_PUBLIC:public;$OIDC_PUBLIC_REDIRECT_URLS" + else + secret_sync_args+="${delimiter}OIDC:$1:public;$OIDC_PUBLIC_REDIRECT_URLS" + fi + fi + if [[ $secret_sync_args == "" ]]; then return fi mkdir -p /var/cache/bridgehead/secrets/ @@ -282,7 +290,7 @@ function sync_secrets() { -e PROXY_ID=$PROXY_ID \ -e BROKER_URL=$BROKER_URL \ -e OIDC_PROVIDER=secret-sync-central.oidc-client-enrollment.$BROKER_ID \ - -e SECRET_DEFINITIONS=$SECRET_SYNC_ARGS \ + -e SECRET_DEFINITIONS=$secret_sync_args \ docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest set -a # Export variables as environment variables source /var/cache/bridgehead/secrets/* 
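Review bot: In sync_secrets the second branch tests `OIDC_PRIVATE_REDIRECT_URLS` a second time instead of `OIDC_PUBLIC_REDIRECT_URLS`, so the public client is only enrolled when a private redirect URL happens to exist, and when only private URLs exist it is enrolled with an empty redirect list (`OIDC:OIDC_PUBLIC:public;`) — what the central enrollment does with an empty list is not visible here. The fix is the one-line `if [[ $OIDC_PUBLIC_REDIRECT_URLS != "" ]]; then`. In the two helpers above, `generate_redirect_urls $1` is unquoted, so the `/opal/*` and `/ccp-teiler/*` arguments are subject to pathname expansion on the host; write `generate_redirect_urls "$1"` in both.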
@@ -298,7 +306,7 @@ capitalize_first_letter() { # Generate a string of ',' separated string of redirect urls relative to $HOST. # $1 will be appended to the url # If the host looks like dev-jan.inet.dkfz-heidelberg.de it will generate urls with dev-jan and the original $HOST as url Authorities -generate_redirect_urls(){ +function generate_redirect_urls(){ local redirect_urls="https://${HOST}$1" local host_without_proxy="$(echo "$HOST" | cut -d '.' -f1)" # Only append second url if its different and the host is not an ip address From 5d4d0405ab889df8c24e76d4c270b9b8aa63f89c Mon Sep 17 00:00:00 2001 From: janskiba Date: Thu, 30 Nov 2023 14:05:07 +0000 Subject: [PATCH 25/81] fix: public client generation --- lib/functions.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/functions.sh b/lib/functions.sh index 0039093..507d323 100644 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -271,7 +271,7 @@ function sync_secrets() { if [[ $secret_sync_args == "" ]]; then secret_sync_args="OIDC:OIDC_PUBLIC:public;$OIDC_PUBLIC_REDIRECT_URLS" else - secret_sync_args+="${delimiter}OIDC:$1:public;$OIDC_PUBLIC_REDIRECT_URLS" + secret_sync_args+="${delimiter}OIDC:OIDC_PUBLIC:public;$OIDC_PUBLIC_REDIRECT_URLS" fi fi if [[ $secret_sync_args == "" ]]; then From f9b26b695823282da9de90f33a89825a94f7c502 Mon Sep 17 00:00:00 2001 From: juarez Date: Thu, 30 Nov 2023 17:25:32 +0100 Subject: [PATCH 26/81] Use develop branch for mtba --- ccp/modules/mtba-compose.yml | 4 +- ccp/modules/teiler-ui-compose.yml | 74 ------------------------------- 2 files changed, 1 insertion(+), 77 deletions(-) diff --git a/ccp/modules/mtba-compose.yml b/ccp/modules/mtba-compose.yml index fb7b19a..290b846 100644 --- a/ccp/modules/mtba-compose.yml +++ b/ccp/modules/mtba-compose.yml 
@@ -2,7 +2,7 @@ version: "3.7" services: mtba: - image: docker.verbis.dkfz.de/cache/samply/mtba:1.0.0 + image: docker.verbis.dkfz.de/cache/samply/mtba:develop container_name: bridgehead-mtba environment: BLAZE_STORE_URL: http://blaze:8080 @@ -32,8 +32,6 @@ services: - "traefik.http.services.mtba_ccp.loadbalancer.server.port=8480" - "traefik.http.routers.mtba_ccp.tls=true" - - "traefik.http.middlewares.mtba_ccp_strip.stripprefix.prefixes=/mtba" - - "traefik.http.routers.mtba_ccp.middlewares=mtba_ccp_strip, auth" volumes: - /var/cache/bridgehead/ccp/mtba/input:/app/input - /var/cache/bridgehead/ccp/mtba/persist:/app/persist diff --git a/ccp/modules/teiler-ui-compose.yml b/ccp/modules/teiler-ui-compose.yml index 5a51c8e..e69de29 100644 --- a/ccp/modules/teiler-ui-compose.yml +++ b/ccp/modules/teiler-ui-compose.yml 
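Review bot: Removing `traefik.http.routers.mtba_ccp.middlewares=mtba_ccp_strip, auth` takes the Traefik basic-auth gate off `/mtba` without adding another one in this file; unless the `develop` image enforces the Keycloak login itself using the `KEYCLOAK_*` variables added in the earlier patch, the service is now reachable unauthenticated, and the commit message ("Use develop branch for mtba") does not say which. If MTBA does handle authentication internally, a comment above `labels:` such as `# No Traefik auth middleware: MTBA performs the Keycloak login itself` would stop the next reader from re-adding or dropping it blindly; otherwise keep `auth` until that is confirmed. Separately, `mtba:develop` is a moving tag, so two sites can run different code under the same compose file — pin a release tag or a digest.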
@@ -1,74 +0,0 @@ -version: "3.7" - -services: - - teiler-root-config: - image: docker.verbis.dkfz.de/cache/samply/teiler-root-config:develop - container_name: bridgehead-teiler-root-config - labels: - - "traefik.enable=true" - - "traefik.http.routers.teiler_root_config_ccp.rule=PathPrefix(`/ccp-teiler`)" - - "traefik.http.services.teiler_root_config_ccp.loadbalancer.server.port=9000" - - "traefik.http.routers.teiler_root_config_ccp.tls=true" - - "traefik.http.middlewares.teiler_root_config_ccp_strip.stripprefix.prefixes=/ccp-teiler" - - "traefik.http.routers.teiler_root_config_ccp.middlewares=teiler_root_config_ccp_strip" - environment: - TEILER_CORE_URL: "https://${HOST}/ccp-teiler-core" - TEILER_UI_URL: "https://${HOST}/ccp-teiler-ui" - DEFAULT_LANGUAGE: "de" - HTTP_RELATIVE_PATH: "/ccp-teiler" - - teiler-ui: - image: docker.verbis.dkfz.de/cache/samply/teiler-ui:develop - container_name: bridgehead-teiler-ui - labels: - - "traefik.enable=true" - - "traefik.http.routers.teiler_ui_ccp.rule=PathPrefix(`/ccp-teiler-ui`)" - - "traefik.http.services.teiler_ui_ccp.loadbalancer.server.port=80" - - "traefik.http.routers.teiler_ui_ccp.tls=true" - - "traefik.http.middlewares.teiler_ui_ccp_strip.stripprefix.prefixes=/ccp-teiler-ui" - - "traefik.http.routers.teiler_ui_ccp.middlewares=teiler_ui_ccp_strip" - environment: - DEFAULT_LANGUAGE: "DE" - TEILER_CORE_URL: "https://${HOST}/ccp-teiler-core" - KEYCLOAK_URL: "https://${HOST}/login" - KEYCLOAK_REALM: "teiler-ui" - KEYCLOAK_CLIENT_ID: "teiler-ui" - TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}" - TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}" - TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}" - TEILER_PROJECT: "${PROJECT}" - EXPORTER_API_KEY: "${EXPORTER_API_KEY}" - TEILER_ROOT_CONFIG_URL: "https://${HOST}/ccp-teiler" - TEILER_UI_HTTP_RELATIVE_PATH: "/ccp-teiler-ui" - TEILER_ROOT_CONFIG_HTTP_RELATIVE_PATH: "/ccp-teiler" - - teiler-core: - image: docker.verbis.dkfz.de/ccp/dktk-teiler-core:latest - container_name: 
bridgehead-teiler-core - labels: - - "traefik.enable=true" - - "traefik.http.routers.teiler_core_ccp.rule=PathPrefix(`/ccp-teiler-core`)" - - "traefik.http.services.teiler_core_ccp.loadbalancer.server.port=8085" - - "traefik.http.routers.teiler_core_ccp.tls=true" - - "traefik.http.middlewares.teiler_core_ccp_strip.stripprefix.prefixes=/ccp-teiler-core" - - "traefik.http.routers.teiler_core_ccp.middlewares=teiler_core_ccp_strip" - environment: - LOG_LEVEL: "INFO" - APPLICATION_PORT: "8085" - APPLICATION_ADDRESS: "${HOST}" - DEFAULT_LANGUAGE: "DE" - CONFIG_ENV_VAR_PATH: "/run/secrets/ccp.conf" - TEILER_CONFIG_UPDATER_CRON: "0 1 * * * *" - TEILER_ROOT_CONFIG_HTTP_RELATIVE_PATH: "/ccp-teiler" - TEILER_ROOT_CONFIG_URL: "https://${HOST}/ccp-teiler" - TEILER_UI_DE_URL: "https://${HOST}/ccp-teiler-ui/de" - TEILER_UI_EN_URL: "https://${HOST}/ccp-teiler-ui/en" - CENTRAX_URL: "${CENTRAXX_URL}" - IS_DKTK_SITE: "${IS_DKTK_SITE}" - secrets: - - ccp.conf - -secrets: - ccp.conf: - file: /etc/bridgehead/ccp.conf From 25ac4d2590c15a674fb0126429369d78ee0753fc Mon Sep 17 00:00:00 2001 From: juarez Date: Thu, 30 Nov 2023 17:32:51 +0100 Subject: [PATCH 27/81] mtba latest --- ccp/modules/mtba-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ccp/modules/mtba-compose.yml b/ccp/modules/mtba-compose.yml index 290b846..8917f47 100644 --- a/ccp/modules/mtba-compose.yml +++ b/ccp/modules/mtba-compose.yml @@ -2,7 +2,7 @@ version: "3.7" services: mtba: - image: docker.verbis.dkfz.de/cache/samply/mtba:develop + image: docker.verbis.dkfz.de/cache/samply/mtba:latest container_name: bridgehead-mtba environment: BLAZE_STORE_URL: http://blaze:8080 From 0b2e64a2d5ff1897ca444cb54a3b2bf07a5b3477 Mon Sep 17 00:00:00 2001 
From: juarez Date: Thu, 30 Nov 2023 17:39:01 +0100 Subject: [PATCH 28/81] add /oauth2/callback and /mtba to Keycloak private client --- ccp/docker-compose.yml | 2 +- ccp/modules/mtba-setup.sh | 1 + ccp/vars | 3 +++ 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml index 269ed2e..be2d358 100644 --- a/ccp/docker-compose.yml +++ b/ccp/docker-compose.yml @@ -81,7 +81,7 @@ services: --provider-display-name="VerbIS Login" --client-id="${KEYCLOAK_PRIVATE_CLIENT_ID}" --client-secret="${OIDC_CLIENT_SECRET}" - --redirect-url="https://${HOST}/oauth2/callback" + --redirect-url="https://${HOST}${OAUTH2_CALLBACK}" --oidc-issuer-url="${KEYCLOAK_ISSUER_URL}" --scope="openid email profile" --code-challenge-method="S256" diff --git a/ccp/modules/mtba-setup.sh b/ccp/modules/mtba-setup.sh index 53b4ce0..cdf0f31 100644 --- a/ccp/modules/mtba-setup.sh +++ b/ccp/modules/mtba-setup.sh @@ -8,5 +8,6 @@ function mtbaSetup() { exit 1; fi OVERRIDE+=" -f ./$PROJECT/modules/mtba-compose.yml" + add_private_oidc_redirect_url "/mtba/*" fi } diff --git a/ccp/vars b/ccp/vars index 62a8df3..94b79f0 100644 --- a/ccp/vars +++ b/ccp/vars @@ -22,6 +22,9 @@ KEYCLOAK_REALM="${KEYCLOAK_REALM:-test-realm-01}" KEYCLOAK_URL="https://login.verbis.dkfz.de" KEYCLOAK_ISSUER_URL="${KEYCLOAK_URL}/realms/${KEYCLOAK_REALM}" KEYCLOAK_GROUP_CLAIM="groups" +OAUTH2_CALLBACK=/oauth2/callback + +add_private_oidc_redirect_url "${OAUTH2_CALLBACK}" POSTGRES_TAG=15.6-alpine for module in $PROJECT/modules/*.sh From e411883d184b1a827ca3bae980a2d9c523db6dbf Mon Sep 17 00:00:00 2001 From: juarez Date: Thu, 30 Nov 2023 17:58:50 +0100 Subject: [PATCH 29/81] mtba develop --- ccp/modules/mtba-compose.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ccp/modules/mtba-compose.yml b/ccp/modules/mtba-compose.yml index 8917f47..f88c239 100644 --- a/ccp/modules/mtba-compose.yml +++ b/ccp/modules/mtba-compose.yml 
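Review bot: `add_private_oidc_redirect_url "/mtba/*"` registers a wildcard redirect URI on the confidential client, whereas the oauth2_proxy callback registered alongside it in `ccp/vars` is the one exact path that component needs. If the central Keycloak treats the trailing `*` as a wildcard, any page under `/mtba/` becomes an acceptable place to deliver an authorization code, which is what exact-match redirect URIs (the OAuth 2.0 security BCP recommendation) exist to prevent. If MTBA has a fixed callback path, register that path instead of `/mtba/*`; if it genuinely needs the wildcard, a comment on this line saying why (`# MTBA has no fixed callback path; wildcard required`) would let a later reviewer stop questioning it.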
@@ -2,7 +2,8 @@ version: "3.7" services: mtba: - image: docker.verbis.dkfz.de/cache/samply/mtba:latest + #image: docker.verbis.dkfz.de/cache/samply/mtba:latest + image: samply/mtba:develop container_name: bridgehead-mtba environment: BLAZE_STORE_URL: http://blaze:8080 From 28a612f2187f85bdfec43713ba25f9101ac6cea2 Mon Sep 17 00:00:00 2001 From: juarez Date: Fri, 1 Dec 2023 08:58:36 +0100 Subject: [PATCH 30/81] add default template-ids of exporter and reporter --- ccp/modules/teiler-compose.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ccp/modules/teiler-compose.yml b/ccp/modules/teiler-compose.yml index 8266eca..b28753f 100644 --- a/ccp/modules/teiler-compose.yml +++ b/ccp/modules/teiler-compose.yml @@ -45,6 +45,9 @@ services: TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler" TEILER_USER: "${KEYCLOAK_USER_GROUP}" TEILER_ADMIN: "${KEYCLOAK_ADMIN_GROUP}" + REPORTER_DEFAULT_TEMPLATE_ID: "ccp-qb" + EXPORTER_DEFAULT_TEMPLATE_ID: "ccp" + teiler-backend: image: docker.verbis.dkfz.de/ccp/dktk-teiler-backend:latest From 148e87341f5598177598f1cb72b2481892bdb142 Mon Sep 17 00:00:00 2001 From: juarez Date: Fri, 1 Dec 2023 09:16:29 +0100 Subject: [PATCH 31/81] move OAUTH2_SECRET --- ccp/modules/datashield-setup.sh | 1 - ccp/vars | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/ccp/modules/datashield-setup.sh b/ccp/modules/datashield-setup.sh index e5625fa..5262b6b 100644 --- a/ccp/modules/datashield-setup.sh +++ b/ccp/modules/datashield-setup.sh 
@@ -9,7 +9,6 @@ if [ "$ENABLE_DATASHIELD" == true ]; then OPAL_ADMIN_PASSWORD="$(generate_password \"admin password for Opal\")" RSTUDIO_ADMIN_PASSWORD="$(generate_password \"admin password for R-Studio\")" DATASHIELD_CONNECT_SECRET="$(echo \"This is a salt string to generate one consistent password as the DataShield Connect secret. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" - OAUTH2_PROXY_SECRET="$(echo \"This is a salt string to generate one consistent encryption key for the oauth2_proxy. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 32)" if [ ! -e /tmp/bridgehead/opal-cert.pem ]; then mkdir -p /tmp/bridgehead/ chown -R bridgehead:docker /tmp/bridgehead/ diff --git a/ccp/vars b/ccp/vars index 94b79f0..eb998d7 100644 --- a/ccp/vars +++ b/ccp/vars @@ -23,6 +23,7 @@ KEYCLOAK_URL="https://login.verbis.dkfz.de" KEYCLOAK_ISSUER_URL="${KEYCLOAK_URL}/realms/${KEYCLOAK_REALM}" KEYCLOAK_GROUP_CLAIM="groups" OAUTH2_CALLBACK=/oauth2/callback +OAUTH2_PROXY_SECRET="$(echo \"This is a salt string to generate one consistent encryption key for the oauth2_proxy. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 32)" add_private_oidc_redirect_url "${OAUTH2_CALLBACK}" POSTGRES_TAG=15.6-alpine From 0a2dbb4b2d5e250c62671392a9c855d836076d1f Mon Sep 17 00:00:00 2001 From: janskiba Date: Fri, 8 Dec 2023 11:50:06 +0000 Subject: [PATCH 32/81] fix: Restrict rstudio network access --- ccp/modules/datashield-compose.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml index 611b39f..501c666 100644 --- a/ccp/modules/datashield-compose.yml +++ b/ccp/modules/datashield-compose.yml 
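Review bot: The salt text moved into ccp/vars states that the value `is not required to be secret`, but `OAUTH2_PROXY_SECRET` is what the docker-compose hunk below passes as oauth2-proxy's `--cookie-secret`, i.e. the key that signs and encrypts session cookies, so the derived value must be handled as a secret even though the seed text is public. A comment above the line, `# derived deterministically from the site key; the output is the session-cookie key and must not be logged`, would prevent the wording from being read as permission to expose it. Changing the echoed text itself would rotate the cookie key and invalidate existing sessions, so if the wording inside the echo is ever corrected it should be a deliberate one-off. Unlike the later `generate_password` changes, openssl's stderr is not redirected here, so any warning from `openssl rsautl` (deprecated in OpenSSL 3) is printed each time ccp/vars is evaluated.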
@@ -17,6 +17,8 @@ services: - "traefik.http.middlewares.rstudio_ccp_strip.stripprefix.prefixes=/rstudio" - "traefik.http.routers.rstudio_ccp.tls=true" - "traefik.http.routers.rstudio_ccp.middlewares=oidcAuth,rstudio_ccp_strip" + networks: + - rstudio opal: container_name: bridgehead-opal @@ -88,6 +90,18 @@ services: - beam-proxy volumes: - /tmp/bridgehead/opal-map/:/map/:ro + networks: + - default + - rstudio + + traefik: + networks: + - default + - rstudio + forward_proxy: + networks: + - default + - rstudio beam-proxy: environment: @@ -98,3 +112,6 @@ secrets: file: /tmp/bridgehead/opal-cert.pem opal-key.pem: file: /tmp/bridgehead/opal-key.pem + +networks: + rstudio: From 371097377a2d8914eafae5e831c0ed6e049b25f2 Mon Sep 17 00:00:00 2001 From: janskiba Date: Tue, 12 Dec 2023 09:53:14 +0000 Subject: [PATCH 33/81] feat: Add token-manager to beam --- ccp/modules/datashield-compose.yml | 3 +++ ccp/modules/datashield-setup.sh | 1 + 2 files changed, 4 insertions(+) diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml index 501c666..55bda13 100644 --- a/ccp/modules/datashield-compose.yml +++ b/ccp/modules/datashield-compose.yml @@ -51,6 +51,8 @@ services: KEYCLOAK_ADMIN_GROUP: "${KEYCLOAK_ADMIN_GROUP}" TOKEN_MANAGER_PASSWORD: "${TOKEN_MANAGER_OPAL_PASSWORD}" EXPORTER_PASSWORD: "${EXPORTER_OPAL_PASSWORD}" + BEAM_APP_ID: token-manager.${PROXY_ID} + BEAM_SECRET: ${TOKEN_MANAGER_SECRET} secrets: - opal-cert.pem - opal-key.pem @@ -106,6 +108,7 @@ services: beam-proxy: environment: APP_datashield-connect_KEY: ${DATASHIELD_CONNECT_SECRET} + APP_token-manager_KEY: ${TOKEN_MANAGER_SECRET} secrets: opal-cert.pem: diff --git a/ccp/modules/datashield-setup.sh b/ccp/modules/datashield-setup.sh index 5262b6b..d9932c3 100644 --- a/ccp/modules/datashield-setup.sh +++ b/ccp/modules/datashield-setup.sh 
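Review bot: The new `rstudio` network is declared at the bottom as `networks: rstudio:` with no options, so it is an ordinary user-defined bridge with NAT egress; rstudio is moved onto it alone, but a container on that network can still reach the outside directly through the network's gateway, which the title `Restrict rstudio network access` suggests is not intended. Declaring it internal (`networks:` / `  rstudio:` / `    internal: true`) removes that external route, and since `forward_proxy` is also attached to `rstudio` in this commit, outbound traffic would then have to pass through the proxy where it can be filtered and logged. If direct egress from this network is in fact wanted, a comment on the declaration saying so would stop the next reviewer from re-raising it.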
@@ -9,6 +9,7 @@ if [ "$ENABLE_DATASHIELD" == true ]; then OPAL_ADMIN_PASSWORD="$(generate_password \"admin password for Opal\")" RSTUDIO_ADMIN_PASSWORD="$(generate_password \"admin password for R-Studio\")" DATASHIELD_CONNECT_SECRET="$(echo \"This is a salt string to generate one consistent password as the DataShield Connect secret. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" + TOKEN_MANAGER_SECRET="$(echo \"This is a salt string to generate one consistent password as the Token Manger secret. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" if [ ! -e /tmp/bridgehead/opal-cert.pem ]; then mkdir -p /tmp/bridgehead/ chown -R bridgehead:docker /tmp/bridgehead/ From 9f31e950a5c9375b2786f1fbc00e91a5eb24cc60 Mon Sep 17 00:00:00 2001 From: janskiba Date: Wed, 13 Dec 2023 11:01:25 +0000 Subject: [PATCH 34/81] fix: generate the right beam connect mappings --- ccp/modules/datashield-mappings.json | 70 +++++----------------------- ccp/modules/datashield-setup.sh | 18 ++++--- lib/functions.sh | 1 + 3 files changed, 23 insertions(+), 66 deletions(-) diff --git a/ccp/modules/datashield-mappings.json b/ccp/modules/datashield-mappings.json index d902b8f..a65d9d5 100644 --- a/ccp/modules/datashield-mappings.json +++ b/ccp/modules/datashield-mappings.json 
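Review bot: The seed string in the new `TOKEN_MANAGER_SECRET` line has a typo (`Token Manger`); because the echoed text is the input to `openssl rsautl -sign`, it is part of the derivation, so correcting the spelling later changes the secret on every site and presumably forces the app to be re-registered with the beam proxy. Either fix it now (`Token Manager`) or add a comment that the text is frozen as written. The same pipeline is now spelled out three times (`DATASHIELD_CONNECT_SECRET`, `TOKEN_MANAGER_SECRET`, and `OAUTH2_PROXY_SECRET` in ccp/vars); a helper taking the seed text as its argument would keep the key path and the `head -c` length in one place. The enclosing `if [ "$ENABLE_DATASHIELD" == true ]` block starts outside the hunk.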
@@ -1,59 +1,11 @@
-
-{
- "sites": [
- {
- "id": "berlin",
- "name": "berlin",
- "virtualhost": "opal-berlin",
- "beamconnect": "datashield-connect.berlin.broker.ccp-it.dktk.dkfz.de"
- },
- {
- "id": "muenchen-lmu",
- "name": "muenchen-lmu",
- "virtualhost": "opal-muenchen-lmu",
- "beamconnect": "datashield-connect.muenchen-lmu.broker.ccp-it.dktk.dkfz.de"
- },
- {
- "id": "dresden",
- "name": "dresden",
- "virtualhost": "opal-dresden",
- "beamconnect": "datashield-connect.dresden.broker.ccp-it.dktk.dkfz.de"
- },
- {
- "id": "freiburg",
- "name": "freiburg",
- "virtualhost": "opal-freiburg",
- "beamconnect": "datashield-connect.freiburg.broker.ccp-it.dktk.dkfz.de"
- },
- {
- "id": "muenchen-tum",
- "name": "muenchen-tum",
- "virtualhost": "opal-muenchen-tum",
- "beamconnect": "datashield-connect.muenchen-tum.broker.ccp-it.dktk.dkfz.de"
- },
- {
- "id": "tuebingen",
- "name": "tuebingen",
- "virtualhost": "opal-tuebingen",
- "beamconnect": "datashield-connect.tuebingen.broker.ccp-it.dktk.dkfz.de"
- },
- {
- "id": "mainz",
- "name": "mainz",
- "virtualhost": "opal-mainz",
- "beamconnect": "datashield-connect.mainz.broker.ccp-it.dktk.dkfz.de"
- },
- {
- "id": "frankfurt",
- "name": "frankfurt",
- "virtualhost": "opal-frankfurt",
- "beamconnect": "datashield-connect.frankfurt.broker.ccp-it.dktk.dkfz.de"
- },
- {
- "id": "essen",
- "name": "essen",
- "virtualhost": "opal-essen",
- "beamconnect": "datashield-connect.essen.broker.ccp-it.dktk.dkfz.de"
- }
- ]
-}
+[
+ "berlin",
+ "muenchen-lmu",
+ "dresden",
+ "freiburg",
+ "muenchen-tum",
+ "tuebingen",
+ "mainz",
+ "frankfurt",
+ "essen"
+]
diff --git a/ccp/modules/datashield-setup.sh b/ccp/modules/datashield-setup.sh
index d9932c3..bc1b1dc 100644
--- a/ccp/modules/datashield-setup.sh
+++ b/ccp/modules/datashield-setup.sh
@@ -17,13 +17,17 @@ if [ "$ENABLE_DATASHIELD" == true ]; then chmod g+r /tmp/bridgehead/opal-key.pem fi mkdir -p /tmp/bridgehead/opal-map - jq -n --argfile input ./$PROJECT/modules/datashield-mappings.json ' - [{ - "external": "opal-'"$SITE_ID"'", - "internal": "opal:8080", - "allowed": [$input.sites[].id | "datashield-connect.\(.).broker.ccp-it.dktk.dkfz.de"] - }]' >/tmp/bridgehead/opal-map/local.json - cp -f ./$PROJECT/modules/datashield-mappings.json /tmp/bridgehead/opal-map/central.json + jq -n '{"sites": input | map({ + "name": ., + "id": ., + "virtualhost": "opal-\(.):443", + "beamconnect": "datashield-connect.\(.).'"$BROKER_ID"'" + })}' ./$PROJECT/modules/datashield-mappings.json > /tmp/bridgehead/opal-map/central.json + jq -n '[{ + "external": "'"$SITE_ID"'", + "internal": "opal:8080", + "allowed": input | map("datashield-connect.\(.).'"$BROKER_ID"'") + }]' ./$PROJECT/modules/datashield-mappings.json > /tmp/bridgehead/opal-map/local.json chown -R bridgehead:docker /tmp/bridgehead/ add_private_oidc_redirect_url "/opal/*" fi diff --git a/lib/functions.sh b/lib/functions.sh index 507d323..b7d0fc4 100644 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -279,6 +279,7 @@ function sync_secrets() { fi mkdir -p /var/cache/bridgehead/secrets/ touch /var/cache/bridgehead/secrets/oidc + chown -R bridgehead:docker /var/cache/bridgehead # The oidc provider will need to be switched based on the project at some point I guess docker run --rm \ -v /var/cache/bridgehead/secrets/oidc:/usr/local/cache \ From b73ddc883cc7d0b2fdafbfe47482350d7924bd6e Mon Sep 17 00:00:00 2001 From: janskiba Date: Wed, 13 Dec 2023 12:24:51 +0000 Subject: [PATCH 35/81] fix: Change permissions on new bridgehead dirs --- lib/functions.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lib/functions.sh b/lib/functions.sh index b7d0fc4..548b912 100644 --- a/lib/functions.sh +++ b/lib/functions.sh 
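Review bot: Both new `jq -n` programs splice shell variables into the filter text with `'"$BROKER_ID"'` and `'"$SITE_ID"'`; a value containing a quote, a backslash or `\(` would break or silently change the jq program, and the nested quoting is hard to read. jq's `--arg` passes values as proper JSON strings, so the filter can reference `$broker` and `$site` and the shell quoting stays a single `'…'` literal, as sketched below. The `if [ "$ENABLE_DATASHIELD" == true ]` block containing these lines starts outside the hunk.

```shell
  mkdir -p /tmp/bridgehead/opal-map
  jq -n --arg broker "$BROKER_ID" '{"sites": input | map({
    "name": .,
    "id": .,
    "virtualhost": "opal-\(.):443",
    "beamconnect": "datashield-connect.\(.).\($broker)"
  })}' ./$PROJECT/modules/datashield-mappings.json > /tmp/bridgehead/opal-map/central.json
  jq -n --arg broker "$BROKER_ID" --arg site "$SITE_ID" '[{
    "external": $site,
    "internal": "opal:8080",
    "allowed": input | map("datashield-connect.\(.).\($broker)")
  }]' ./$PROJECT/modules/datashield-mappings.json > /tmp/bridgehead/opal-map/local.json
  # … unchanged: chown and add_private_oidc_redirect_url …
```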
@@ -132,6 +132,10 @@ assertVarsNotEmpty() { fixPermissions() { CHOWN=$(which chown) sudo $CHOWN -R bridgehead /etc/bridgehead /srv/docker/bridgehead + set +e + sudo $CHOWN -R --silent /var/cache/bridgehead + sudo $CHOWN -R --silent /tmp/bridgehead + set -e } source lib/monitoring.sh From 1edcdce5c637632ec7cfc2e454007173c53a7264 Mon Sep 17 00:00:00 2001 From: janskiba Date: Wed, 13 Dec 2023 13:17:16 +0000 Subject: [PATCH 36/81] fix: beam connect site renaming --- ccp/modules/datashield-setup.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ccp/modules/datashield-setup.sh b/ccp/modules/datashield-setup.sh index bc1b1dc..46522ec 100644 --- a/ccp/modules/datashield-setup.sh +++ b/ccp/modules/datashield-setup.sh @@ -20,11 +20,11 @@ if [ "$ENABLE_DATASHIELD" == true ]; then jq -n '{"sites": input | map({ "name": ., "id": ., - "virtualhost": "opal-\(.):443", + "virtualhost": "\(.):443", "beamconnect": "datashield-connect.\(.).'"$BROKER_ID"'" })}' ./$PROJECT/modules/datashield-mappings.json > /tmp/bridgehead/opal-map/central.json jq -n '[{ - "external": "'"$SITE_ID"'", + "external": "'"$SITE_ID"':443", "internal": "opal:8080", "allowed": input | map("datashield-connect.\(.).'"$BROKER_ID"'") }]' ./$PROJECT/modules/datashield-mappings.json > /tmp/bridgehead/opal-map/local.json From b34f4f2a0f17500f876d3168e55a132171d54c20 Mon Sep 17 00:00:00 2001 From: janskiba Date: Wed, 13 Dec 2023 13:22:06 +0000 Subject: [PATCH 37/81] fix: chown syntax --- lib/functions.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/functions.sh b/lib/functions.sh index 548b912..b27eeb1 100644 --- a/lib/functions.sh +++ b/lib/functions.sh 
@@ -133,8 +133,8 @@ fixPermissions() { CHOWN=$(which chown) sudo $CHOWN -R bridgehead /etc/bridgehead /srv/docker/bridgehead set +e - sudo $CHOWN -R --silent /var/cache/bridgehead - sudo $CHOWN -R --silent /tmp/bridgehead + sudo $CHOWN -R --silent bridgehead /var/cache/bridgehead + sudo $CHOWN -R --silent bridgehead /tmp/bridgehead set -e } From d3da4266101ea8e171e0ef6c232b403d198d00cc Mon Sep 17 00:00:00 2001 From: janskiba Date: Wed, 13 Dec 2023 14:07:11 +0000 Subject: [PATCH 38/81] fix: opal ssl cert --- ccp/modules/datashield-setup.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ccp/modules/datashield-setup.sh b/ccp/modules/datashield-setup.sh index 46522ec..5142cb4 100644 --- a/ccp/modules/datashield-setup.sh +++ b/ccp/modules/datashield-setup.sh @@ -13,7 +13,7 @@ if [ "$ENABLE_DATASHIELD" == true ]; then if [ ! -e /tmp/bridgehead/opal-cert.pem ]; then mkdir -p /tmp/bridgehead/ chown -R bridgehead:docker /tmp/bridgehead/ - openssl req -x509 -newkey rsa:4096 -nodes -keyout /tmp/bridgehead/opal-key.pem -out /tmp/bridgehead/opal-cert.pem -days 3650 -subj "/CN=${HOST:-opal}/C=DE" + openssl req -x509 -newkey rsa:4096 -nodes -keyout /tmp/bridgehead/opal-key.pem -out /tmp/bridgehead/opal-cert.pem -days 3650 -subj "/CN=opal/C=DE" chmod g+r /tmp/bridgehead/opal-key.pem fi mkdir -p /tmp/bridgehead/opal-map @@ -25,7 +25,7 @@ if [ "$ENABLE_DATASHIELD" == true ]; then })}' ./$PROJECT/modules/datashield-mappings.json > /tmp/bridgehead/opal-map/central.json jq -n '[{ "external": "'"$SITE_ID"':443", - "internal": "opal:8080", + "internal": "opal:8443", "allowed": input | map("datashield-connect.\(.).'"$BROKER_ID"'") }]' ./$PROJECT/modules/datashield-mappings.json > /tmp/bridgehead/opal-map/local.json chown -R bridgehead:docker /tmp/bridgehead/ From 2a024e751d5659b843664c903617d5274742354b Mon Sep 17 00:00:00 2001 
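Review bot: The regenerated self-signed certificate in the `openssl req` line carries only `-subj "/CN=opal/C=DE"`; most current TLS clients (Go, Java, browsers) match the host name against subjectAltName and ignore CN, so a client that connects to `opal:8443` and verifies the certificate may still reject it. Adding `-addext "subjectAltName=DNS:opal"` (OpenSSL 1.1.1 and later) to that command covers this. Because generation is guarded by `if [ ! -e /tmp/bridgehead/opal-cert.pem ]`, hosts that already hold a certificate with the old `CN=${HOST:-opal}` subject keep it until the file is removed; a comment such as `# existing certs are not regenerated; delete /tmp/bridgehead/opal-*.pem to pick up the new subject` would prevent confusing failures. The enclosing `if` block starts outside the hunk.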
From: Jan <59206115+Threated@users.noreply.github.com> Date: Wed, 13 Dec 2023 17:39:35 +0100 Subject: [PATCH 39/81] fix: only change permissions on related files --- lib/functions.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/functions.sh b/lib/functions.sh index b27eeb1..7992276 100644 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -283,7 +283,7 @@ function sync_secrets() { fi mkdir -p /var/cache/bridgehead/secrets/ touch /var/cache/bridgehead/secrets/oidc - chown -R bridgehead:docker /var/cache/bridgehead + chown -R bridgehead:docker /var/cache/bridgehead/secrets # The oidc provider will need to be switched based on the project at some point I guess docker run --rm \ -v /var/cache/bridgehead/secrets/oidc:/usr/local/cache \ From fa141f8e8670263522543913bb0ffc6b4a5ea03c Mon Sep 17 00:00:00 2001 From: Jan <59206115+Threated@users.noreply.github.com> Date: Wed, 13 Dec 2023 17:54:54 +0100 Subject: [PATCH 40/81] fix: undo permission changes on startup --- lib/functions.sh | 4 ---- 1 file changed, 4 deletions(-) diff --git a/lib/functions.sh b/lib/functions.sh index 7992276..c53859b 100644 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -132,10 +132,6 @@ assertVarsNotEmpty() { fixPermissions() { CHOWN=$(which chown) sudo $CHOWN -R bridgehead /etc/bridgehead /srv/docker/bridgehead - set +e - sudo $CHOWN -R --silent bridgehead /var/cache/bridgehead - sudo $CHOWN -R --silent bridgehead /tmp/bridgehead - set -e } source lib/monitoring.sh From 8e5ddc493c3522c6cfcfab09c5e2dfac93cbf7aa Mon Sep 17 00:00:00 2001 From: juarez Date: Wed, 13 Dec 2023 20:14:56 +0100 Subject: [PATCH 41/81] teiler-orchestrator and teiler-dashboard latest --- ccp/modules/teiler-compose.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ccp/modules/teiler-compose.yml b/ccp/modules/teiler-compose.yml index b28753f..f9f7ab2 100644 --- a/ccp/modules/teiler-compose.yml +++ b/ccp/modules/teiler-compose.yml 
@@ -3,7 +3,7 @@ version: "3.7" services: teiler-orchestrator: - image: docker.verbis.dkfz.de/cache/samply/teiler-orchestrator:develop + image: docker.verbis.dkfz.de/cache/samply/teiler-orchestrator:latest container_name: bridgehead-teiler-orchestrator labels: - "traefik.enable=true" @@ -19,7 +19,7 @@ services: HTTP_RELATIVE_PATH: "/ccp-teiler" teiler-dashboard: - image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:develop + image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:latest container_name: bridgehead-teiler-dashboard labels: - "traefik.enable=true" From f6dac7038ff58392b5a9605e88e835d533a146bb Mon Sep 17 00:00:00 2001 From: juarez Date: Wed, 13 Dec 2023 22:57:37 +0100 Subject: [PATCH 42/81] Only users of group DataSHIELD can use R-Studio --- ccp/docker-compose.yml | 38 ------------------------------ ccp/modules/datashield-compose.yml | 37 +++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+), 38 deletions(-) diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml index be2d358..c4610b6 100644 --- a/ccp/docker-compose.yml +++ b/ccp/docker-compose.yml 
@@ -59,44 +59,6 @@ services: - "traefik.http.middlewares.oidcAuth.forwardAuth.authResponseHeaders=X-Auth-Request-Access-Token,Authorization" - oauth2_proxy: - image: quay.io/oauth2-proxy/oauth2-proxy - container_name: bridgehead_oauth2_proxy - command: >- - --allowed-group=/${KEYCLOAK_USER_GROUP} - --oidc-groups-claim=${KEYCLOAK_GROUP_CLAIM} - --auth-logging=true - --whitelist-domain=${HOST} - --http-address="0.0.0.0:4180" - --reverse-proxy=true - --upstream="static://202" - --email-domain="*" - --cookie-name="_BRIDGEHEAD_oauth2" - --cookie-secret="${OAUTH2_PROXY_SECRET}" - --cookie-expire="12h" - --cookie-secure="true" - --cookie-httponly="true" - #OIDC settings - --provider="keycloak-oidc" - --provider-display-name="VerbIS Login" - --client-id="${KEYCLOAK_PRIVATE_CLIENT_ID}" - --client-secret="${OIDC_CLIENT_SECRET}" - --redirect-url="https://${HOST}${OAUTH2_CALLBACK}" - --oidc-issuer-url="${KEYCLOAK_ISSUER_URL}" - --scope="openid email profile" - --code-challenge-method="S256" - --skip-provider-button=true - #X-Forwarded-Header settings - true/false depending on your needs - --pass-basic-auth=true - --pass-user-headers=false - --pass-access-token=false - labels: - - "traefik.enable=true" - - "traefik.http.routers.oauth2_proxy.rule=Host(`${HOST}`) && PathPrefix(`/oauth2`, `/oauth2/callback`)" - - "traefik.http.services.oauth2_proxy.loadbalancer.server.port=4180" - - "traefik.http.routers.oauth2_proxy.tls=true" - - volumes: blaze-data: diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml index 55bda13..780d049 100644 --- a/ccp/modules/datashield-compose.yml +++ b/ccp/modules/datashield-compose.yml 
@@ -110,6 +110,43 @@ services: APP_datashield-connect_KEY: ${DATASHIELD_CONNECT_SECRET} APP_token-manager_KEY: ${TOKEN_MANAGER_SECRET} + oauth2_proxy: + image: quay.io/oauth2-proxy/oauth2-proxy + container_name: bridgehead_oauth2_proxy + command: >- + --allowed-group=/DataSHIELD + --oidc-groups-claim=${KEYCLOAK_GROUP_CLAIM} + --auth-logging=true + --whitelist-domain=${HOST} + --http-address="0.0.0.0:4180" + --reverse-proxy=true + --upstream="static://202" + --email-domain="*" + --cookie-name="_BRIDGEHEAD_oauth2" + --cookie-secret="${OAUTH2_PROXY_SECRET}" + --cookie-expire="12h" + --cookie-secure="true" + --cookie-httponly="true" + #OIDC settings + --provider="keycloak-oidc" + --provider-display-name="VerbIS Login" + --client-id="${KEYCLOAK_PRIVATE_CLIENT_ID}" + --client-secret="${OIDC_CLIENT_SECRET}" + --redirect-url="https://${HOST}${OAUTH2_CALLBACK}" + --oidc-issuer-url="${KEYCLOAK_ISSUER_URL}" + --scope="openid email profile" + --code-challenge-method="S256" + --skip-provider-button=true + #X-Forwarded-Header settings - true/false depending on your needs + --pass-basic-auth=true + --pass-user-headers=false + --pass-access-token=false + labels: + - "traefik.enable=true" + - "traefik.http.routers.oauth2_proxy.rule=Host(`${HOST}`) && PathPrefix(`/oauth2`, `/oauth2/callback`)" + - "traefik.http.services.oauth2_proxy.loadbalancer.server.port=4180" + - "traefik.http.routers.oauth2_proxy.tls=true" + secrets: opal-cert.pem: file: /tmp/bridgehead/opal-cert.pem From 44d7b34834f4c3da5d1c77e6a090cd14d504b76f Mon Sep 17 00:00:00 2001 From: juarez Date: Wed, 13 Dec 2023 23:11:23 +0100 Subject: [PATCH 43/81] Use last version of mtba --- ccp/modules/mtba-compose.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/ccp/modules/mtba-compose.yml b/ccp/modules/mtba-compose.yml index f88c239..8917f47 100644 --- a/ccp/modules/mtba-compose.yml +++ b/ccp/modules/mtba-compose.yml 
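Review bot: With `oauth2_proxy` moved into the DataSHIELD module it only exists when that module is enabled, while the `oidcAuth` forwardAuth middleware stays in the base ccp/docker-compose.yml (its `authResponseHeaders` label is visible as context in the previous hunk); any router outside this module that lists `oidcAuth` would then forward to a backend that is not running, which Traefik would surface as request-time errors rather than at startup. If such routers exist, either keep the proxy in the base file or move the middleware labels alongside it. Separately, `--allowed-group=/DataSHIELD` is now a hard-coded group while the neighbouring values stay parameterised (`${KEYCLOAK_GROUP_CLAIM}`, `${KEYCLOAK_PRIVATE_CLIENT_ID}`); a comment above the command, `# only members of the Keycloak group /DataSHIELD may reach R-Studio; intentionally not KEYCLOAK_USER_GROUP`, would document the choice.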
@@ -2,8 +2,7 @@ version: "3.7" services: mtba: - #image: docker.verbis.dkfz.de/cache/samply/mtba:latest - image: samply/mtba:develop + image: docker.verbis.dkfz.de/cache/samply/mtba:latest container_name: bridgehead-mtba environment: BLAZE_STORE_URL: http://blaze:8080 From 0793ea9fc6a29068f27548262b84b8fe87734471 Mon Sep 17 00:00:00 2001 From: juarez Date: Wed, 13 Dec 2023 23:14:34 +0100 Subject: [PATCH 44/81] Use develop version of mtba --- ccp/modules/mtba-compose.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ccp/modules/mtba-compose.yml b/ccp/modules/mtba-compose.yml index 8917f47..9fcb74c 100644 --- a/ccp/modules/mtba-compose.yml +++ b/ccp/modules/mtba-compose.yml @@ -2,7 +2,8 @@ version: "3.7" services: mtba: - image: docker.verbis.dkfz.de/cache/samply/mtba:latest + #image: docker.verbis.dkfz.de/cache/samply/mtba:latest + image: docker.verbis.dkfz.de/cache/samply/mtba:develop container_name: bridgehead-mtba environment: BLAZE_STORE_URL: http://blaze:8080 From 37f100dc01691653018cdfef7ee24b6da5a597ea Mon Sep 17 00:00:00 2001 From: juarez Date: Thu, 14 Dec 2023 00:08:41 +0100 Subject: [PATCH 45/81] Default values for MTBA --- ccp/modules/mtba-compose.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/ccp/modules/mtba-compose.yml b/ccp/modules/mtba-compose.yml index 9fcb74c..f03532f 100644 --- a/ccp/modules/mtba-compose.yml +++ b/ccp/modules/mtba-compose.yml 
@@ -12,14 +12,14 @@ services: ID_MANAGER_API_KEY: ${IDMANAGER_UPLOAD_APIKEY} ID_MANAGER_PSEUDONYM_ID_TYPE: BK_${IDMANAGEMENT_FRIENDLY_ID}_L-ID ID_MANAGER_URL: http://id-manager:8080/id-manager - PATIENT_CSV_FIRST_NAME_HEADER: ${MTBA_PATIENT_CSV_FIRST_NAME_HEADER} - PATIENT_CSV_LAST_NAME_HEADER: ${MTBA_PATIENT_CSV_LAST_NAME_HEADER} - PATIENT_CSV_GENDER_HEADER: ${MTBA_PATIENT_CSV_GENDER_HEADER} - PATIENT_CSV_BIRTHDAY_HEADER: ${MTBA_PATIENT_CSV_BIRTHDAY_HEADER} + PATIENT_CSV_FIRST_NAME_HEADER: ${MTBA_PATIENT_CSV_FIRST_NAME_HEADER:-FIRST_NAME} + PATIENT_CSV_LAST_NAME_HEADER: ${MTBA_PATIENT_CSV_LAST_NAME_HEADER:-LAST_NAME} + PATIENT_CSV_GENDER_HEADER: ${MTBA_PATIENT_CSV_GENDER_HEADER:-GENDER} + PATIENT_CSV_BIRTHDAY_HEADER: ${MTBA_PATIENT_CSV_BIRTHDAY_HEADER:-BIRTHDAY} CBIOPORTAL_URL: http://cbioportal:8080 - FILE_CHARSET: ${MTBA_FILE_CHARSET} - FILE_END_OF_LINE: ${MTBA_FILE_END_OF_LINE} - CSV_DELIMITER: ${MTBA_CSV_DELIMITER} + FILE_CHARSET: ${MTBA_FILE_CHARSET:-UTF-8} + FILE_END_OF_LINE: ${MTBA_FILE_END_OF_LINE:-LF} + CSV_DELIMITER: ${MTBA_CSV_DELIMITER:-TAB} HTTP_RELATIVE_PATH: "/mtba" KEYCLOAK_ADMIN_GROUP: "${KEYCLOAK_ADMIN_GROUP}" KEYCLOAK_CLIENT_ID: "${KEYCLOAK_PRIVATE_CLIENT_ID}" From 643e9e67a6edc552af77c0fb44e80d8e30364c9c Mon Sep 17 00:00:00 2001 From: juarez Date: Thu, 14 Dec 2023 14:04:42 +0100 Subject: [PATCH 46/81] Added: Enable MTBA and Enable DataSHIELD to Teiler Backend --- ccp/modules/teiler-compose.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ccp/modules/teiler-compose.yml b/ccp/modules/teiler-compose.yml index f9f7ab2..40e394c 100644 --- a/ccp/modules/teiler-compose.yml +++ b/ccp/modules/teiler-compose.yml @@ -71,6 +71,8 @@ services: TEILER_DASHBOARD_EN_URL: "https://${HOST}/ccp-teiler-dashboard/en" CENTRAX_URL: "${CENTRAXX_URL}" HTTP_PROXY: "http://forward_proxy:3128" + ENABLE_MTBA: "${ENABLE_MTBA}" + ENABLE_DATASHIELD: "${ENABLE_DATASHIELD}" secrets: - ccp.conf From 977ad139f8225e3da71c60a2a33ddb47232dfdf1 Mon Sep 17 00:00:00 2001 
From: juarez Date: Thu, 14 Dec 2023 18:34:30 +0100 Subject: [PATCH 47/81] Added: allowed-groups --- ccp/modules/datashield-compose.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml index 780d049..3b2da3e 100644 --- a/ccp/modules/datashield-compose.yml +++ b/ccp/modules/datashield-compose.yml @@ -110,6 +110,9 @@ services: APP_datashield-connect_KEY: ${DATASHIELD_CONNECT_SECRET} APP_token-manager_KEY: ${TOKEN_MANAGER_SECRET} + # TODO: Allow users of group /DataSHIELD and KEYCLOAK_USER_GROUP at the same time: + # Maybe a solution would be (https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview/): + # --allowed-groups=/DataSHIELD,KEYCLOAK_USER_GROUP oauth2_proxy: image: quay.io/oauth2-proxy/oauth2-proxy container_name: bridgehead_oauth2_proxy From d62f5a404b72af701f4e306267744298dc9e7489 Mon Sep 17 00:00:00 2001 From: janskiba Date: Thu, 21 Dec 2023 08:28:47 +0000 Subject: [PATCH 48/81] Add central token manager beam id --- ccp/modules/datashield-compose.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml index 3b2da3e..cb09b5d 100644 --- a/ccp/modules/datashield-compose.yml +++ b/ccp/modules/datashield-compose.yml @@ -53,6 +53,7 @@ services: EXPORTER_PASSWORD: "${EXPORTER_OPAL_PASSWORD}" BEAM_APP_ID: token-manager.${PROXY_ID} BEAM_SECRET: ${TOKEN_MANAGER_SECRET} + BEAM_DATASHIELD_PROXY: request-manager secrets: - opal-cert.pem - opal-key.pem From 2f04e51f96d2f1547a7f022a38cb73de3dec4ce0 Mon Sep 17 00:00:00 2001 From: janskiba Date: Thu, 21 Dec 2023 08:29:04 +0000 Subject: [PATCH 49/81] Add test sites --- ccp/modules/datashield-mappings.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ccp/modules/datashield-mappings.json b/ccp/modules/datashield-mappings.json index a65d9d5..7d8dad4 100644 --- a/ccp/modules/datashield-mappings.json +++ b/ccp/modules/datashield-mappings.json 
@@ -7,5 +7,7 @@ "tuebingen", "mainz", "frankfurt", - "essen" + "essen", + "dktk-datashield-test", + "dktk-test" ] From e54475f7044024e8778646709525f809d11590a5 Mon Sep 17 00:00:00 2001 From: juarez Date: Thu, 21 Dec 2023 09:35:38 +0100 Subject: [PATCH 50/81] Added: volume for opal metadata db --- ccp/modules/datashield-compose.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml index cb09b5d..99d0883 100644 --- a/ccp/modules/datashield-compose.yml +++ b/ccp/modules/datashield-compose.yml @@ -54,6 +54,8 @@ services: BEAM_APP_ID: token-manager.${PROXY_ID} BEAM_SECRET: ${TOKEN_MANAGER_SECRET} BEAM_DATASHIELD_PROXY: request-manager + volumes: + - "/var/cache/bridgehead/ccp/opal-metadata-db:/srv/data/orientdb" # Opal metadata secrets: - opal-cert.pem - opal-key.pem @@ -68,7 +70,7 @@ services: POSTGRES_USER: "opal" POSTGRES_DB: "opal" volumes: - - "/var/cache/bridgehead/ccp/opal-db:/var/lib/postgresql/data" + - "/var/cache/bridgehead/ccp/opal-db:/var/lib/postgresql/data" # Opal project data (imported from exporter) opal-rserver: container_name: bridgehead-opal-rserver From 01efc6f9b9cca4c80e36d3c8b94ab3f7dfa59fd8 Mon Sep 17 00:00:00 2001 From: juarez Date: Thu, 21 Dec 2023 13:40:32 +0100 Subject: [PATCH 51/81] Added: volume for opal metadata db (II) --- ccp/modules/datashield-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml index 99d0883..40581b8 100644 --- a/ccp/modules/datashield-compose.yml +++ b/ccp/modules/datashield-compose.yml @@ -55,7 +55,7 @@ services: BEAM_SECRET: ${TOKEN_MANAGER_SECRET} BEAM_DATASHIELD_PROXY: request-manager volumes: - - "/var/cache/bridgehead/ccp/opal-metadata-db:/srv/data/orientdb" # Opal metadata + - "/var/cache/bridgehead/ccp/opal-metadata-db:/srv" # Opal metadata secrets: - opal-cert.pem - opal-key.pem 
From 935c45b74dd4b156634edc288a5fcf74dfbb24ca Mon Sep 17 00:00:00 2001 From: juarez Date: Thu, 21 Dec 2023 13:47:00 +0100 Subject: [PATCH 52/81] Added: volume for opal metadata db (III) --- ccp/modules/datashield-compose.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml index 40581b8..fea2ff7 100644 --- a/ccp/modules/datashield-compose.yml +++ b/ccp/modules/datashield-compose.yml @@ -59,8 +59,6 @@ services: secrets: - opal-cert.pem - opal-key.pem - tmpfs: - - /srv opal-db: container_name: bridgehead-opal-db From f0a05b12ad19205cb015ccfef083f5c089be0252 Mon Sep 17 00:00:00 2001 From: janskiba Date: Fri, 22 Dec 2023 10:41:07 +0000 Subject: [PATCH 53/81] fix: Generate stable passwords --- ccp/modules/datashield-setup.sh | 10 +++++----- lib/functions.sh | 26 +++++++++++++++++++++----- 2 files changed, 26 insertions(+), 10 deletions(-) diff --git a/ccp/modules/datashield-setup.sh b/ccp/modules/datashield-setup.sh index 5142cb4..604fcc8 100644 --- a/ccp/modules/datashield-setup.sh +++ b/ccp/modules/datashield-setup.sh 
@@ -3,13 +3,13 @@ if [ "$ENABLE_DATASHIELD" == true ]; then log INFO "DataSHIELD setup detected -- will start DataSHIELD services." OVERRIDE+=" -f ./$PROJECT/modules/datashield-compose.yml" - EXPORTER_OPAL_PASSWORD="$(generate_password \"exporter in Opal\")" - TOKEN_MANAGER_OPAL_PASSWORD="$(generate_password \"Token Manager in Opal\")" - OPAL_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for Opal. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" + EXPORTER_OPAL_PASSWORD="$(generate_simple_password \"exporter in Opal\")" + TOKEN_MANAGER_OPAL_PASSWORD="$(generate_simple_password \"Token Manager in Opal\")" + OPAL_DB_PASSWORD="$(echo \"Opal DB\" | generate_simple_password)" OPAL_ADMIN_PASSWORD="$(generate_password \"admin password for Opal\")" RSTUDIO_ADMIN_PASSWORD="$(generate_password \"admin password for R-Studio\")" - DATASHIELD_CONNECT_SECRET="$(echo \"This is a salt string to generate one consistent password as the DataShield Connect secret. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" - TOKEN_MANAGER_SECRET="$(echo \"This is a salt string to generate one consistent password as the Token Manger secret. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)" + DATASHIELD_CONNECT_SECRET="$(echo \"DataShield Connect\" | generate_simple_password)" + TOKEN_MANAGER_SECRET="$(echo \"Token Manager\" | generate_simple_password)" if [ ! -e /tmp/bridgehead/opal-cert.pem ]; then mkdir -p /tmp/bridgehead/ chown -R bridgehead:docker /tmp/bridgehead/ diff --git a/lib/functions.sh b/lib/functions.sh index c53859b..b89de60 100644 --- a/lib/functions.sh +++ b/lib/functions.sh 
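Review bot: `echo \"Opal DB\" | generate_simple_password` (and the same form for `DATASHIELD_CONNECT_SECRET` and `TOKEN_MANAGER_SECRET`) pipes the seed into the function, but `generate_simple_password` (next hunk) reads its seed only from `$1` and never from stdin, so all three values are derived from an empty seed and come out identical — the Opal DB password would equal the beam app secrets. The `\"…\"` form used on the other lines is fragile as well: inside `"$( … )"` the escaped quotes are parsed as literal characters, so the function receives only `"exporter` or `"Token` as `$1`, and seeds that share a first word (the two `admin password …` lines) collide too. Pass each seed as a single-quoted argument instead, as below; the next commit's datashield-setup.sh hunk reintroduces the same `\"…\"` pattern. The enclosing `if [ "$ENABLE_DATASHIELD" == true ]` block starts outside the hunk, and note that correcting the seeds changes the derived values on sites that already deployed this revision.

```shell
  OVERRIDE+=" -f ./$PROJECT/modules/datashield-compose.yml"
  EXPORTER_OPAL_PASSWORD="$(generate_simple_password 'exporter in Opal')"
  TOKEN_MANAGER_OPAL_PASSWORD="$(generate_simple_password 'Token Manager in Opal')"
  OPAL_DB_PASSWORD="$(generate_simple_password 'Opal DB')"
  OPAL_ADMIN_PASSWORD="$(generate_password 'admin password for Opal')"
  RSTUDIO_ADMIN_PASSWORD="$(generate_password 'admin password for R-Studio')"
  DATASHIELD_CONNECT_SECRET="$(generate_simple_password 'DataShield Connect')"
  TOKEN_MANAGER_SECRET="$(generate_simple_password 'Token Manager')"
  # … unchanged: certificate generation …
```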
@@ -317,15 +317,31 @@ function generate_redirect_urls(){ echo "$redirect_urls" } +# This password contains at least one special char, a random number and a random upper and lower case letter generate_password(){ local seed_text="$1" - local random_digit=$(openssl rand -hex 1 | head -c 1) - local random_upper=$(openssl rand -base64 3 | tr -dc 'A-Z' | head -c 1) - local random_lower=$(openssl rand -base64 3 | tr -dc 'a-z' | head -c 1) - local random_special=$(echo '@#$%^&+=' | fold -w1 | shuf -n1) + local seed_num=$(awk 'BEGIN{FS=""} NR==1{print $10}' /etc/bridgehead/pki/${SITE_ID}.priv.pem | od -An -tuC) + local nums="1234567890" + local n=$(echo "$seed_num" | awk '{print $1 % 10}') + local random_digit=${nums:$n:1} + local n=$(echo "$seed_num" | awk '{print $1 % 26}') + local upper="ABCDEFGHIJKLMNOPQRSTUVWXYZ" + local lower="abcdefghijklmnopqrstuvwxyz" + local random_upper=${upper:$n:1} + local random_lower=${lower:$n:1} + local n=$(echo "$seed_num" | awk '{print $1 % 8}') + local special='@#$%^&+=' + local random_special=${special:$n:1} local combined_text="This is a salt string to generate one consistent password for ${seed_text}. It is not required to be secret." - local main_password=$(echo "${combined_text}" | openssl rsautl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" | base64 | head -c 26) + local main_password=$(echo "${combined_text}" | openssl rsautl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" 2> /dev/null | base64 | head -c 26) echo "${main_password}${random_digit}${random_upper}${random_lower}${random_special}" } + +# This password only contains alphanumeric characters +generate_simple_password(){ + local seed_text="$1" + local combined_text="This is a salt string to generate one consistent password for ${seed_text}. It is not required to be secret." + echo "${combined_text}" | openssl rsautl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" 2> /dev/null | base64 | head -c 26 | sed 's/[+\/]/A/g' +} 
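Review bot: The "random" digit, letters and special character are neither random nor site-specific: `seed_num` is the tenth character of the first line of the PEM file, and for a standard `-----BEGIN … PRIVATE KEY-----` header that character is the `N` of `BEGIN` on every installation, so the four-character suffix is a constant. That costs no entropy only because the 26 base64 characters of the signature carry it, but the new header comment should say so instead of calling the suffix random, e.g. `# The trailing digit/upper/lower/special characters are derived deterministically from the key file header and exist only to satisfy complexity rules; the entropy is in the signature-derived prefix.` Separately, the added `2> /dev/null` on the `openssl rsautl` pipeline hides a missing key file or an unsupported command, in which case `main_password` is empty and the function silently emits just the four-character suffix as the password; add `[ -n "$main_password" ] || { echo "Could not derive password for ${seed_text}" >&2; return 1; }` before the final `echo`, and an equivalent check in `generate_simple_password`. Declaring `local n` three times works but reads as a mistake; three distinct names, or one `local n` followed by plain assignments, would be clearer.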
From c60c9fc4b48512b4f708b09d5c53302c901b8a24 Mon Sep 17 00:00:00 2001 From: janskiba Date: Fri, 22 Dec 2023 10:54:13 +0000 Subject: [PATCH 54/81] fix: Use strong pw for opal --- ccp/modules/datashield-setup.sh | 4 ++-- lib/functions.sh | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ccp/modules/datashield-setup.sh b/ccp/modules/datashield-setup.sh index 604fcc8..c600657 100644 --- a/ccp/modules/datashield-setup.sh +++ b/ccp/modules/datashield-setup.sh @@ -3,8 +3,8 @@ if [ "$ENABLE_DATASHIELD" == true ]; then log INFO "DataSHIELD setup detected -- will start DataSHIELD services." OVERRIDE+=" -f ./$PROJECT/modules/datashield-compose.yml" - EXPORTER_OPAL_PASSWORD="$(generate_simple_password \"exporter in Opal\")" - TOKEN_MANAGER_OPAL_PASSWORD="$(generate_simple_password \"Token Manager in Opal\")" + EXPORTER_OPAL_PASSWORD="$(generate_password \"exporter in Opal\")" + TOKEN_MANAGER_OPAL_PASSWORD="$(generate_password \"Token Manager in Opal\")" OPAL_DB_PASSWORD="$(echo \"Opal DB\" | generate_simple_password)" OPAL_ADMIN_PASSWORD="$(generate_password \"admin password for Opal\")" RSTUDIO_ADMIN_PASSWORD="$(generate_password \"admin password for R-Studio\")" diff --git a/lib/functions.sh b/lib/functions.sh index b89de60..c098cf4 100644 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -334,7 +334,7 @@ generate_password(){ local random_special=${special:$n:1} local combined_text="This is a salt string to generate one consistent password for ${seed_text}. It is not required to be secret." - local main_password=$(echo "${combined_text}" | openssl rsautl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" 2> /dev/null | base64 | head -c 26) + local main_password=$(echo "${combined_text}" | openssl rsautl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" 2> /dev/null | base64 | head -c 26 | sed 's/\//A/g') echo "${main_password}${random_digit}${random_upper}${random_lower}${random_special}" } 
From 4e3cd6892246e205ec79343ab5356969be0f1134 Mon Sep 17 00:00:00 2001 From: janskiba Date: Mon, 22 Jan 2024 08:25:57 +0000 Subject: [PATCH 55/81] Only sync secrets on startup --- bridgehead | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bridgehead b/bridgehead index 4e25da7..49ad3a5 100755 --- a/bridgehead +++ b/bridgehead @@ -83,7 +83,6 @@ loadVars() { export FOCUS_TAG=main ;; esac - sync_secrets } case "$ACTION" in @@ -91,6 +90,7 @@ case "$ACTION" in loadVars hc_send log "Bridgehead $PROJECT startup: Checking requirements ..." checkRequirements + sync_secrets hc_send log "Bridgehead $PROJECT startup: Requirements checked out. Now starting bridgehead ..." exec $COMPOSE -p $PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit ;; From 92a1f4bb59763f8d89ae0a0cb93aaffaf3240073 Mon Sep 17 00:00:00 2001 From: janskiba Date: Mon, 22 Jan 2024 13:47:25 +0000 Subject: [PATCH 56/81] Add `dsCCPhos` --- ccp/modules/datashield-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml index fea2ff7..f777a01 100644 --- a/ccp/modules/datashield-compose.yml +++ b/ccp/modules/datashield-compose.yml @@ -72,7 +72,7 @@ services: opal-rserver: container_name: bridgehead-opal-rserver - image: docker.verbis.dkfz.de/cache/datashield/rock-base:6.3 # https://datashield.discourse.group/t/ds-aggregate-method-error/416/4 + image: docker.verbis.dkfz.de/ccp/dktk-rserver # datashield/rock-base + dsCCPhos tmpfs: - /srv From 01d3a38e1881a574ccaf07a1e131880eae8057ba Mon Sep 17 00:00:00 2001 From: janskiba Date: Wed, 31 Jan 2024 09:21:19 +0000 Subject: [PATCH 57/81] refactor: Use jq from docker --- ccp/modules/datashield-setup.sh | 11 ++++++----- lib/functions.sh | 4 ++++ 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/ccp/modules/datashield-setup.sh b/ccp/modules/datashield-setup.sh index c600657..464b0e1 100644 
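Review bot: `image: docker.verbis.dkfz.de/ccp/dktk-rserver` carries no tag, so it resolves to `:latest` and the R server a site runs is whatever was pushed most recently, whereas the line it replaces pinned `rock-base:6.3`. Pin a version tag (or a digest) so the DataSHIELD method packages the inline comment says this image bundles are reproducible across sites and can be rolled back. The same applies to `jq:latest` in patch 60 (the `docker_jq` change), `oauth2-proxy:latest` in patch 63 and `teiler-dashboard:develop` in patch 75.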
--- a/ccp/modules/datashield-setup.sh +++ b/ccp/modules/datashield-setup.sh @@ -17,17 +17,18 @@ if [ "$ENABLE_DATASHIELD" == true ]; then chmod g+r /tmp/bridgehead/opal-key.pem fi mkdir -p /tmp/bridgehead/opal-map - jq -n '{"sites": input | map({ + sites="$(cat ./$PROJECT/modules/datashield-mappings.json)" + echo "$sites" | docker_jq -n --args '{"sites": input | map({ "name": ., "id": ., "virtualhost": "\(.):443", "beamconnect": "datashield-connect.\(.).'"$BROKER_ID"'" - })}' ./$PROJECT/modules/datashield-mappings.json > /tmp/bridgehead/opal-map/central.json - jq -n '[{ + })}' $sites > /tmp/bridgehead/opal-map/central.json + echo "$sites" | docker_jq -n --args '[{ "external": "'"$SITE_ID"':443", "internal": "opal:8443", "allowed": input | map("datashield-connect.\(.).'"$BROKER_ID"'") - }]' ./$PROJECT/modules/datashield-mappings.json > /tmp/bridgehead/opal-map/local.json - chown -R bridgehead:docker /tmp/bridgehead/ + }]' > /tmp/bridgehead/opal-map/local.json + chown -R bridgehead:docker /tmp/bridgehead/* add_private_oidc_redirect_url "/opal/*" fi diff --git a/lib/functions.sh b/lib/functions.sh index c098cf4..b54ceec 100644 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -345,3 +345,7 @@ generate_simple_password(){ local combined_text="This is a salt string to generate one consistent password for ${seed_text}. It is not required to be secret." echo "${combined_text}" | openssl rsautl -sign -inkey "/etc/bridgehead/pki/${SITE_ID}.priv.pem" 2> /dev/null | base64 | head -c 26 | sed 's/[+\/]/A/g' } + +docker_jq() { + docker run --rm -i docker.verbis.dkfz.de/cache/jqlang/jq:1.7 "$@" +} From 224c1472b2b9ff64b85a923fcb78d311709ec6e8 Mon Sep 17 00:00:00 2001 From: janskiba Date: Wed, 31 Jan 2024 14:23:14 +0000 Subject: [PATCH 58/81] fix: Correctly set file permissions --- ccp/modules/datashield-setup.sh | 8 +++++--- lib/functions.sh | 1 - lib/prepare-system.sh | 4 +++- 3 files changed, 8 insertions(+), 5 deletions(-) 
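Review bot: The first `docker_jq` call ends with an unquoted `$sites` after the filter, which the second call does not have; the JSON is already supplied on stdin and the filter never reads `$ARGS.positional`, so those words are unused, and because the variable is unquoted the shell word-splits and glob-expands the JSON text (its `[`…`]` is a valid glob pattern) before handing it over. Drop the trailing `$sites` so the line reads `})}' > /tmp/bridgehead/opal-map/central.json`. The `if` block this sits in starts before the hunk.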
diff --git a/ccp/modules/datashield-setup.sh b/ccp/modules/datashield-setup.sh index 464b0e1..9324305 100644 --- a/ccp/modules/datashield-setup.sh +++ b/ccp/modules/datashield-setup.sh @@ -12,9 +12,7 @@ if [ "$ENABLE_DATASHIELD" == true ]; then TOKEN_MANAGER_SECRET="$(echo \"Token Manager\" | generate_simple_password)" if [ ! -e /tmp/bridgehead/opal-cert.pem ]; then mkdir -p /tmp/bridgehead/ - chown -R bridgehead:docker /tmp/bridgehead/ openssl req -x509 -newkey rsa:4096 -nodes -keyout /tmp/bridgehead/opal-key.pem -out /tmp/bridgehead/opal-cert.pem -days 3650 -subj "/CN=opal/C=DE" - chmod g+r /tmp/bridgehead/opal-key.pem fi mkdir -p /tmp/bridgehead/opal-map sites="$(cat ./$PROJECT/modules/datashield-mappings.json)" @@ -29,6 +27,10 @@ if [ "$ENABLE_DATASHIELD" == true ]; then "internal": "opal:8443", "allowed": input | map("datashield-connect.\(.).'"$BROKER_ID"'") }]' > /tmp/bridgehead/opal-map/local.json - chown -R bridgehead:docker /tmp/bridgehead/* + if [ "$USER" == "root" ]; then + chown -R bridgehead:docker /tmp/bridgehead + chmod g+wr /tmp/bridgehead/opal-map/* + chmod g+r /tmp/bridgehead/opal-key.pem + fi add_private_oidc_redirect_url "/opal/*" fi diff --git a/lib/functions.sh b/lib/functions.sh index b54ceec..897eef2 100644 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -279,7 +279,6 @@ function sync_secrets() { fi mkdir -p /var/cache/bridgehead/secrets/ touch /var/cache/bridgehead/secrets/oidc - chown -R bridgehead:docker /var/cache/bridgehead/secrets # The oidc provider will need to be switched based on the project at some point I guess docker run --rm \ -v /var/cache/bridgehead/secrets/oidc:/usr/local/cache \ diff --git a/lib/prepare-system.sh b/lib/prepare-system.sh index cd470b2..c43c0b1 100755 --- a/lib/prepare-system.sh +++ b/lib/prepare-system.sh 
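Review bot: `if [ "$USER" == "root" ]` tests an environment variable that is not reliably `root` when the script runs with elevated rights (via `sudo`, cron or a service unit it may be unset or still name the invoking user), and when the test fails the generated key and the map files keep their creation ownership and the `chmod g+r` is skipped; test the effective uid instead, `if [ "$EUID" -eq 0 ]; then` (bash) or `[ "$(id -u)" -eq 0 ]`. Worth a second look as well: the private key is written under `/tmp/bridgehead/` after `mkdir -p`, i.e. below a world-writable `/tmp`, and the later `chown -R` hands whatever already exists there to `bridgehead:docker`; patch 58's `prepare-system.sh` hunk creating that directory up front narrows this, but a location outside `/tmp` (the `/var/cache/bridgehead` tree is already used for secrets) would avoid it. The `if [ "$ENABLE_DATASHIELD" …` block starts before the hunk.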
@@ -88,7 +88,9 @@ elif [[ "$DEV_MODE" == "DEV" ]]; then git clone "$url" /etc/bridgehead fi -chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead +mkdir -p /tmp/bridgehead /var/cache/bridgehead +chown -R bridgehead:docker /etc/bridgehead /srv/docker/bridgehead /tmp/bridgehead /var/cache/bridgehead +chmod -R g+wr /var/cache/bridgehead /tmp/bridgehead log INFO "System preparation is completed and configuration is present." From 32ffb33ab161750f0952f6c01aca4132e06f5620 Mon Sep 17 00:00:00 2001 From: janskiba Date: Mon, 5 Feb 2024 08:31:00 +0000 Subject: [PATCH 59/81] fix: Only give writeable dirs the docker role --- lib/prepare-system.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/prepare-system.sh b/lib/prepare-system.sh index c43c0b1..156f7c8 100755 --- a/lib/prepare-system.sh +++ b/lib/prepare-system.sh @@ -88,8 +88,9 @@ elif [[ "$DEV_MODE" == "DEV" ]]; then git clone "$url" /etc/bridgehead fi +chown -R bridgehead /etc/bridgehead /srv/docker/bridgehead mkdir -p /tmp/bridgehead /var/cache/bridgehead -chown -R bridgehead:docker /etc/bridgehead /srv/docker/bridgehead /tmp/bridgehead /var/cache/bridgehead +chown -R bridgehead:docker /tmp/bridgehead /var/cache/bridgehead chmod -R g+wr /var/cache/bridgehead /tmp/bridgehead log INFO "System preparation is completed and configuration is present." From 51e8888fe1533d914d5da699d65ae2558ecfab9a Mon Sep 17 00:00:00 2001 From: janskiba Date: Tue, 6 Feb 2024 14:08:11 +0000 Subject: [PATCH 60/81] Use latest jq --- lib/functions.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/functions.sh b/lib/functions.sh index 897eef2..ed2570b 100644 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -346,5 +346,5 @@ generate_simple_password(){ } docker_jq() { - docker run --rm -i docker.verbis.dkfz.de/cache/jqlang/jq:1.7 "$@" + docker run --rm -i docker.verbis.dkfz.de/cache/jqlang/jq:latest "$@" } From af3e5231d88d40b3b6d9528e23cca0c655b712d0 Mon Sep 17 00:00:00 2001 
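Review bot: `chmod -R g+wr /var/cache/bridgehead /tmp/bridgehead` makes the whole secrets cache writable by the `docker` group, and `sync_secrets` later runs `source /var/cache/bridgehead/secrets/*` in the root startup shell (visible as context in patch 62), so any process running as a member of that group can change what that `source` executes. Membership of the `docker` group is effectively root-equivalent already, so this is not a new privilege boundary, but the write bit is broader than the secret-sync container needs; consider limiting `g+w` to `/var/cache/bridgehead/secrets`, the path that container actually mounts, and leaving the rest at `g+r`. Patch 59's hunk narrows the `chown` but keeps the same `chmod` line.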
From: juarez Date: Tue, 6 Feb 2024 17:18:10 +0100 Subject: [PATCH 61/81] Added: Proxy to R-Studio oauth2-proxy --- ccp/modules/datashield-compose.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml index f777a01..e4e925b 100644 --- a/ccp/modules/datashield-compose.yml +++ b/ccp/modules/datashield-compose.yml @@ -112,7 +112,7 @@ services: APP_token-manager_KEY: ${TOKEN_MANAGER_SECRET} # TODO: Allow users of group /DataSHIELD and KEYCLOAK_USER_GROUP at the same time: - # Maybe a solution would be (https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview/): + # Maybe a solution would be (https://oauth2-proxy.github.io/oauth2-proxy/configuration/oauth_provider): # --allowed-groups=/DataSHIELD,KEYCLOAK_USER_GROUP oauth2_proxy: image: quay.io/oauth2-proxy/oauth2-proxy @@ -150,6 +150,9 @@ services: - "traefik.http.routers.oauth2_proxy.rule=Host(`${HOST}`) && PathPrefix(`/oauth2`, `/oauth2/callback`)" - "traefik.http.services.oauth2_proxy.loadbalancer.server.port=4180" - "traefik.http.routers.oauth2_proxy.tls=true" + environment: + http_proxy: "http://forward_proxy:3128" + https_proxy: "http://forward_proxy:3128" secrets: opal-cert.pem: From 4a9427a1bd3b333475d13cb3eb58b34a707458de Mon Sep 17 00:00:00 2001 From: janskiba Date: Tue, 6 Feb 2024 16:18:23 +0000 Subject: [PATCH 62/81] fix: Use forward proxy for secret sync --- lib/functions.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lib/functions.sh b/lib/functions.sh index ed2570b..ee2cf2c 100644 --- a/lib/functions.sh +++ b/lib/functions.sh 
@@ -279,19 +279,23 @@ function sync_secrets() { fi mkdir -p /var/cache/bridgehead/secrets/ touch /var/cache/bridgehead/secrets/oidc + $COMPOSE -p secret_sync -f ./minimal/docker-compose.yml up -d forward_proxy # The oidc provider will need to be switched based on the project at some point I guess docker run --rm \ + --network secret_sync_default \ -v /var/cache/bridgehead/secrets/oidc:/usr/local/cache \ -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \ -v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \ -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \ -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \ - -e HTTPS_PROXY=$HTTPS_PROXY_FULL_URL \ + -e NO_PROXY=localhost,127.0.0.1 \ + -e ALL_PROXY=http://forward_proxy:3128 \ -e PROXY_ID=$PROXY_ID \ -e BROKER_URL=$BROKER_URL \ -e OIDC_PROVIDER=secret-sync-central.oidc-client-enrollment.$BROKER_ID \ -e SECRET_DEFINITIONS=$secret_sync_args \ docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest + $COMPOSE -p secret_sync -f ./minimal/docker-compose.yml down forward_proxy set -a # Export variables as environment variables source /var/cache/bridgehead/secrets/* set +a # Export variables in the regular way From b241feecdb8a1cc145a6cd769bc2578e4b6700b4 Mon Sep 17 00:00:00 2001 From: janskiba Date: Wed, 7 Feb 2024 14:08:00 +0000 Subject: [PATCH 63/81] fix: Pull oauth2 proxy from harbor --- ccp/modules/datashield-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml index e4e925b..89a38d3 100644 --- a/ccp/modules/datashield-compose.yml +++ b/ccp/modules/datashield-compose.yml 
@@ -115,7 +115,7 @@ services: # Maybe a solution would be (https://oauth2-proxy.github.io/oauth2-proxy/configuration/oauth_provider): # --allowed-groups=/DataSHIELD,KEYCLOAK_USER_GROUP oauth2_proxy: - image: quay.io/oauth2-proxy/oauth2-proxy + image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:latest container_name: bridgehead_oauth2_proxy command: >- --allowed-group=/DataSHIELD From f3fa1ce712377bfede72b197023724e6f65f21db Mon Sep 17 00:00:00 2001 From: janskiba Date: Wed, 7 Feb 2024 16:05:26 +0000 Subject: [PATCH 64/81] fix: secret sync account for minimal override --- lib/functions.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lib/functions.sh b/lib/functions.sh index ee2cf2c..7ec79ce 100644 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -279,7 +279,11 @@ function sync_secrets() { fi mkdir -p /var/cache/bridgehead/secrets/ touch /var/cache/bridgehead/secrets/oidc - $COMPOSE -p secret_sync -f ./minimal/docker-compose.yml up -d forward_proxy + local override="" + if [ -f "minimal/docker-compose.override.yml" ]; then + override+=" -f ./minimal/docker-compose.override.yml" + fi + $COMPOSE -p secret_sync -f ./minimal/docker-compose.yml $override up -d forward_proxy # The oidc provider will need to be switched based on the project at some point I guess docker run --rm \ --network secret_sync_default \ From 64250d9d218f22e40d98092fe575add3775c921f Mon Sep 17 00:00:00 2001 From: janskiba Date: Thu, 8 Feb 2024 13:38:37 +0000 Subject: [PATCH 65/81] refactor: Use beam proxy directly as proxy --- bridgehead | 2 +- lib/functions.sh | 11 ++--------- 2 files changed, 3 insertions(+), 10 deletions(-) diff --git a/bridgehead b/bridgehead index 49ad3a5..b1ce678 100755 --- a/bridgehead +++ b/bridgehead 
@@ -90,7 +90,7 @@ case "$ACTION" in loadVars hc_send log "Bridgehead $PROJECT startup: Checking requirements ..." checkRequirements - sync_secrets + sync_secrets hc_send log "Bridgehead $PROJECT startup: Requirements checked out. Now starting bridgehead ..." exec $COMPOSE -p $PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE up --abort-on-container-exit ;; diff --git a/lib/functions.sh b/lib/functions.sh index 7ec79ce..c175fcf 100644 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -279,27 +279,20 @@ function sync_secrets() { fi mkdir -p /var/cache/bridgehead/secrets/ touch /var/cache/bridgehead/secrets/oidc - local override="" - if [ -f "minimal/docker-compose.override.yml" ]; then - override+=" -f ./minimal/docker-compose.override.yml" - fi - $COMPOSE -p secret_sync -f ./minimal/docker-compose.yml $override up -d forward_proxy - # The oidc provider will need to be switched based on the project at some point I guess docker run --rm \ - --network secret_sync_default \ -v /var/cache/bridgehead/secrets/oidc:/usr/local/cache \ -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \ -v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \ -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \ -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \ -e NO_PROXY=localhost,127.0.0.1 \ - -e ALL_PROXY=http://forward_proxy:3128 \ + -e ALL_PROXY=$HTTPS_PROXY_FULL_URL \ -e PROXY_ID=$PROXY_ID \ -e BROKER_URL=$BROKER_URL \ -e OIDC_PROVIDER=secret-sync-central.oidc-client-enrollment.$BROKER_ID \ -e SECRET_DEFINITIONS=$secret_sync_args \ docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest - $COMPOSE -p secret_sync -f ./minimal/docker-compose.yml down forward_proxy + set -a # Export variables as environment variables source /var/cache/bridgehead/secrets/* set +a # Export variables in the regular way From 1995997ac203c306af61e1f71b8347ca3da0ecc7 Mon Sep 17 00:00:00 2001 
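Review bot: `-e ALL_PROXY=$HTTPS_PROXY_FULL_URL` is unquoted, as is the `-v $PRIVATEKEYFILENAME:…` context line above it, so an empty or space-containing value changes the argument list of `docker run` rather than the value of the variable; an empty `HTTPS_PROXY_FULL_URL` silently yields `ALL_PROXY=`, which presumably makes the container connect directly. Quote it, `-e "ALL_PROXY=$HTTPS_PROXY_FULL_URL" \`, and consider failing early when the variable is empty, since the `forward_proxy` approach this hunk removes made the proxy mandatory. The stray added blank line before `set -a` can go as well; `sync_secrets` starts before the hunk.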
From: janskiba Date: Thu, 8 Feb 2024 13:39:17 +0000 Subject: [PATCH 66/81] fix: Wait for forward proxy to start --- ccp/modules/datashield-compose.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml index 89a38d3..2127ac2 100644 --- a/ccp/modules/datashield-compose.yml +++ b/ccp/modules/datashield-compose.yml @@ -153,6 +153,8 @@ services: environment: http_proxy: "http://forward_proxy:3128" https_proxy: "http://forward_proxy:3128" + depends_on: + - forward_proxy secrets: opal-cert.pem: From 97a558dd461d639f6182069cac6fcbf57aa0cc6a Mon Sep 17 00:00:00 2001 From: juarez Date: Tue, 13 Feb 2024 15:18:37 +0100 Subject: [PATCH 67/81] Removed:Login-compose --- ccp/modules/login-compose.yml | 47 ----------------------------------- ccp/modules/login-setup.sh | 7 ------ ccp/modules/login.md | 13 ---------- 3 files changed, 67 deletions(-) delete mode 100644 ccp/modules/login-setup.sh delete mode 100644 ccp/modules/login.md diff --git a/ccp/modules/login-compose.yml b/ccp/modules/login-compose.yml index 787d4b2..e69de29 100644 --- a/ccp/modules/login-compose.yml +++ b/ccp/modules/login-compose.yml 
@@ -1,47 +0,0 @@ -version: "3.7" - -services: - - login-db: - image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG} - container_name: bridgehead-login-db - environment: - POSTGRES_USER: "keycloak" - POSTGRES_PASSWORD: "${KEYCLOAK_DB_PASSWORD}" # Set in login-setup.sh - POSTGRES_DB: "keycloak" - tmpfs: - - /var/lib/postgresql/data -# Consider removing this comment once we have collected experience in production. -# volumes: -# - "bridgehead-login-db:/var/lib/postgresql/data" - - login: - image: docker.verbis.dkfz.de/ccp/dktk-keycloak:latest - container_name: bridgehead-login - environment: - KEYCLOAK_ADMIN: "admin" - KEYCLOAK_ADMIN_PASSWORD: "${LDM_AUTH}" - TEILER_ADMIN: "${PROJECT}" - TEILER_ADMIN_PASSWORD: "${LDM_AUTH}" - TEILER_ADMIN_FIRST_NAME: "${OPERATOR_FIRST_NAME}" - TEILER_ADMIN_LAST_NAME: "${OPERATOR_LAST_NAME}" - TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}" - KC_DB_PASSWORD: "${KEYCLOAK_DB_PASSWORD}" # Set in login-setup.sh - KC_HOSTNAME_URL: "https://${HOST}/login" - KC_HOSTNAME_STRICT: "false" - KC_PROXY_ADDRESS_FORWARDING: "true" - TEILER_ORCHESTRATOR_EXTERN_URL: "https://${HOST}/ccp-teiler" - command: - - start-dev --import-realm --proxy edge --http-relative-path=/login - labels: - - "traefik.enable=true" - - "traefik.http.routers.login.rule=PathPrefix(`/login`)" - - "traefik.http.services.login.loadbalancer.server.port=8080" - - "traefik.http.routers.login.tls=true" - depends_on: - - login-db - -# Consider removing this comment once we have collected experience in production. -#volumes: -# bridgehead-login-db: -# name: "bridgehead-login-db" diff --git a/ccp/modules/login-setup.sh b/ccp/modules/login-setup.sh deleted file mode 100644 index 1981b87..0000000 --- a/ccp/modules/login-setup.sh +++ /dev/null 
@@ -1,7 +0,0 @@ -#!/bin/bash -e - -if [ "$ENABLE_LOGIN" == true ]; then - log INFO "Login setup detected -- will start Login services." - OVERRIDE+=" -f ./$PROJECT/modules/login-compose.yml" - KEYCLOAK_DB_PASSWORD="$(generate_password \"local Keycloak\")" -fi diff --git a/ccp/modules/login.md b/ccp/modules/login.md deleted file mode 100644 index eee488c..0000000 --- a/ccp/modules/login.md +++ /dev/null @@ -1,13 +0,0 @@ -# Login -The login component is a local Keycloak instance. In the future will be replaced by the central keycloak instance -or maybe can be used to add local identity providers to the bridgehead or just to simplify the configuration of -the central keycloak instance for the integration of every new bridgehead. -The basic configuration of our Keycloak instance is contained in a small json file. - -### Teiler User -Currently, the local keycloak is used by the teiler. There is a basic admin user in the basic configuration of keycloak. -The user can be configured with the environment variables TEILER_ADMIN_XXX. - -## Login-DB -Keycloak requires a local database for its configuration. However, as we use an initial json configuration file, if no -local identity provider is configured nor any local user, theoretically we don't need a volume for the login. From cea577bde58aac3ed2d7099a8d48b2202bc90011 Mon Sep 17 00:00:00 2001 From: juarez Date: Wed, 14 Feb 2024 21:43:12 +0100 Subject: [PATCH 68/81] Removed: login-compose --- ccp/modules/login-compose.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 ccp/modules/login-compose.yml diff --git a/ccp/modules/login-compose.yml b/ccp/modules/login-compose.yml deleted file mode 100644 index e69de29..0000000 From ef8866b94315d7e483cc4208769028abde531110 Mon Sep 17 00:00:00 2001 
From: janskiba Date: Thu, 15 Feb 2024 13:13:52 +0000 Subject: [PATCH 69/81] fix: Start oauth proxy after forward_proxy is ready --- ccp/modules/datashield-compose.yml | 3 ++- minimal/docker-compose.yml | 2 ++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml index 2127ac2..db2760a 100644 --- a/ccp/modules/datashield-compose.yml +++ b/ccp/modules/datashield-compose.yml @@ -154,7 +154,8 @@ services: http_proxy: "http://forward_proxy:3128" https_proxy: "http://forward_proxy:3128" depends_on: - - forward_proxy + forward_proxy: + condition: service_healthy secrets: opal-cert.pem: diff --git a/minimal/docker-compose.yml b/minimal/docker-compose.yml index 9a43953..217f1b3 100644 --- a/minimal/docker-compose.yml +++ b/minimal/docker-compose.yml @@ -42,6 +42,8 @@ services: - /var/spool/squid volumes: - /etc/bridgehead/trusted-ca-certs:/docker/custom-certs/:ro + healthcheck: + test: ["CMD", "sleep", "1"] landing: container_name: bridgehead-landingpage From 2eb56e66c872a256a2e81ada4f0de16b545c3e79 Mon Sep 17 00:00:00 2001 From: juarez Date: Fri, 17 Nov 2023 10:27:12 +0100 Subject: [PATCH 70/81] Integrate central Keycloak in Teiler --- ccp/modules/datashield-compose.yml | 2 +- ccp/vars | 1 + lib/functions.sh | 4 ++-- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml index db2760a..e3e0d01 100644 --- a/ccp/modules/datashield-compose.yml +++ b/ccp/modules/datashield-compose.yml @@ -96,7 +96,7 @@ services: networks: - default - rstudio - + traefik: networks: - default diff --git a/ccp/vars b/ccp/vars index eb998d7..eb2a1c8 100644 --- a/ccp/vars +++ b/ccp/vars @@ -10,6 +10,7 @@ BROKER_URL_FOR_PREREQ=$BROKER_URL DEFAULT_LANGUAGE=DE DEFAULT_LANGUAGE_LOWER_CASE=${DEFAULT_LANGUAGE,,} ENABLE_EXPORTER=true +ENABLE_LOGIN=true ENABLE_TEILER=true #ENABLE_DATASHIELD=true 
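Review bot: `test: ["CMD", "sleep", "1"]` in the `forward_proxy` healthcheck does not observe the proxy at all; it reports healthy one second after the container starts whether or not squid is listening, so the `condition: service_healthy` added in the `datashield-compose.yml` hunk only delays `oauth2_proxy` by a fixed second. Probe the listening socket instead, for example `test: ["CMD-SHELL", "squidclient -h 127.0.0.1 -p 3128 mgr:info >/dev/null 2>&1"]` if `squidclient` is present in the image, or any equivalent TCP check on port 3128 (the port the other hunks point at), with `interval` and `retries` set so the wait scales with the real startup time. The `forward_proxy` service definition starts outside the hunk.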
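Review bot: `ENABLE_LOGIN=true` added to `ccp/vars` has no consumer left in this series: patches 67 and 68 delete `login-setup.sh` (the only reader of `ENABLE_LOGIN` shown on this page) and `login-compose.yml`, so unless another script reads it the line now enables nothing and may mislead operators into thinking a local login service exists. If the local Keycloak is gone for good, drop the line; if it is read elsewhere, a comment naming that consumer would help, e.g. `# consumed by <path> — TODO confirm`.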
diff --git a/lib/functions.sh b/lib/functions.sh index c175fcf..d32bdbe 100644 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -270,7 +270,7 @@ function sync_secrets() { if [[ $OIDC_PRIVATE_REDIRECT_URLS != "" ]]; then if [[ $secret_sync_args == "" ]]; then secret_sync_args="OIDC:OIDC_PUBLIC:public;$OIDC_PUBLIC_REDIRECT_URLS" - else + else secret_sync_args+="${delimiter}OIDC:OIDC_PUBLIC:public;$OIDC_PUBLIC_REDIRECT_URLS" fi fi @@ -282,7 +282,7 @@ function sync_secrets() { docker run --rm \ -v /var/cache/bridgehead/secrets/oidc:/usr/local/cache \ -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \ - -v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \ + -v ./$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \ -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \ -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \ -e NO_PROXY=localhost,127.0.0.1 \ From 29d2bc04408a3cc1e6ff9c5abf343c1cf0e8e3be Mon Sep 17 00:00:00 2001 From: juarez Date: Mon, 27 Nov 2023 19:39:16 +0100 Subject: [PATCH 71/81] Add Keycloak to MTBA --- ccp/modules/mtba-compose.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/ccp/modules/mtba-compose.yml b/ccp/modules/mtba-compose.yml index f03532f..3912bcb 100644 --- a/ccp/modules/mtba-compose.yml +++ b/ccp/modules/mtba-compose.yml @@ -21,12 +21,6 @@ services: FILE_END_OF_LINE: ${MTBA_FILE_END_OF_LINE:-LF} CSV_DELIMITER: ${MTBA_CSV_DELIMITER:-TAB} HTTP_RELATIVE_PATH: "/mtba" - KEYCLOAK_ADMIN_GROUP: "${KEYCLOAK_ADMIN_GROUP}" - KEYCLOAK_CLIENT_ID: "${KEYCLOAK_PRIVATE_CLIENT_ID}" - KEYCLOAK_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}" - KEYCLOAK_REALM: "${KEYCLOAK_REALM}" - KEYCLOAK_URL: "${KEYCLOAK_URL}" - labels: - "traefik.enable=true" - "traefik.http.routers.mtba_ccp.rule=PathPrefix(`/mtba`)" From 8a197ce5c7606e802f4615cb665a40ecd263a8d1 Mon Sep 17 00:00:00 2001 
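Review bot: `-v ./$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro` makes the bind-mount source relative to the caller's working directory, which for `docker run` depends on the Docker CLI in use: older CLIs reject a relative `-v` source outright, and where it is accepted the mount silently depends on `sync_secrets` being invoked from the repository root. The other `-v` arguments in the same command use absolute paths, so the consistent form is `-v "$(pwd)/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro" \`, or a variable holding the repository root if one exists. `sync_secrets` starts before the hunk.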
From: juarez Date: Wed, 29 Nov 2023 09:29:18 +0100 Subject: [PATCH 72/81] Add oauth2_proxy --- ccp/modules/datashield-compose.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml index e3e0d01..105c9ae 100644 --- a/ccp/modules/datashield-compose.yml +++ b/ccp/modules/datashield-compose.yml @@ -8,12 +8,14 @@ services: #DEFAULT_USER: "rstudio" # This line is kept for informational purposes PASSWORD: "${RSTUDIO_ADMIN_PASSWORD}" # It is required, even if the authentication is disabled DISABLE_AUTH: "true" # https://rocker-project.org/images/versioned/rstudio.html#how-to-use + # TODO: Connect R-Studio with central Keycloak. Currently using Traefik authentication. HTTP_RELATIVE_PATH: "/rstudio" ALL_PROXY: "http://forward_proxy:3128" # https://rocker-project.org/use/networking.html labels: - "traefik.enable=true" - "traefik.http.routers.rstudio_ccp.rule=PathPrefix(`/rstudio`)" - "traefik.http.services.rstudio_ccp.loadbalancer.server.port=8787" + - "traefik.http.routers.rstudio_ccp.tls=true" - "traefik.http.middlewares.rstudio_ccp_strip.stripprefix.prefixes=/rstudio" - "traefik.http.routers.rstudio_ccp.tls=true" - "traefik.http.routers.rstudio_ccp.middlewares=oidcAuth,rstudio_ccp_strip" From 9a1860ccf9fb1d62be46150b6cde5c889d21b814 Mon Sep 17 00:00:00 2001 From: juarez Date: Tue, 13 Feb 2024 15:58:24 +0100 Subject: [PATCH 73/81] Removed: / from groups --- ccp/modules/datashield-compose.yml | 2 +- ccp/modules/mtba-compose.yml | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml index 105c9ae..bc09e1f 100644 --- a/ccp/modules/datashield-compose.yml +++ b/ccp/modules/datashield-compose.yml 
@@ -120,7 +120,7 @@ services: image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:latest container_name: bridgehead_oauth2_proxy command: >- - --allowed-group=/DataSHIELD + --allowed-group=DataSHIELD --oidc-groups-claim=${KEYCLOAK_GROUP_CLAIM} --auth-logging=true --whitelist-domain=${HOST} diff --git a/ccp/modules/mtba-compose.yml b/ccp/modules/mtba-compose.yml index 3912bcb..042bca1 100644 --- a/ccp/modules/mtba-compose.yml +++ b/ccp/modules/mtba-compose.yml @@ -3,7 +3,8 @@ version: "3.7" services: mtba: #image: docker.verbis.dkfz.de/cache/samply/mtba:latest - image: docker.verbis.dkfz.de/cache/samply/mtba:develop + #image: docker.verbis.dkfz.de/cache/samply/mtba:develop + image: samply/mtba:develop container_name: bridgehead-mtba environment: BLAZE_STORE_URL: http://blaze:8080 From 19d0fefe94b147d9a0e8d891c2f5138d9b711f1a Mon Sep 17 00:00:00 2001 From: juarez Date: Tue, 13 Feb 2024 18:49:06 +0100 Subject: [PATCH 74/81] Changed: master realm --- ccp/vars | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ccp/vars b/ccp/vars index eb2a1c8..f4d70fe 100644 --- a/ccp/vars +++ b/ccp/vars @@ -18,8 +18,8 @@ KEYCLOAK_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})" KEYCLOAK_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter" KEYCLOAK_PRIVATE_CLIENT_ID=${SITE_ID}-private KEYCLOAK_PUBLIC_CLIENT_ID=${SITE_ID}-public -# TODO: Change Keycloak Realm to productive. "test-realm-01" is only for testing -KEYCLOAK_REALM="${KEYCLOAK_REALM:-test-realm-01}" +# Use "test-realm-01" for testing +KEYCLOAK_REALM="${KEYCLOAK_REALM:-master}" KEYCLOAK_URL="https://login.verbis.dkfz.de" KEYCLOAK_ISSUER_URL="${KEYCLOAK_URL}/realms/${KEYCLOAK_REALM}" KEYCLOAK_GROUP_CLAIM="groups" From f72e7c77990081dd3ee64458c616daf6594e99aa Mon Sep 17 00:00:00 2001 
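Review bot: `KEYCLOAK_REALM="${KEYCLOAK_REALM:-master}"` makes the Keycloak administrative realm the default for every OIDC client in this project (`KEYCLOAK_ISSUER_URL` two lines below is built from it, and the compose files pass `KEYCLOAK_REALM` straight to Opal and MTBA). If `login.verbis.dkfz.de` is a standard Keycloak, `master` is the realm that administers the server itself, and Keycloak's own guidance is to keep application users and clients out of it; if a dedicated realm exists for the bridgeheads, default to that, and otherwise make the variable required, `KEYCLOAK_REALM="${KEYCLOAK_REALM:?KEYCLOAK_REALM must be set}"`, rather than falling back to `master`. The rewritten comment `# Use "test-realm-01" for testing` should then also name the production realm.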
From: juarez Date: Tue, 13 Feb 2024 18:54:26 +0100 Subject: [PATCH 75/81] Changed: replace keycloak with oidc --- ccp/modules/datashield-compose.yml | 22 +++++++++++----------- ccp/modules/mtba-compose.yml | 10 +++++++--- ccp/modules/teiler-compose.yml | 14 +++++++------- ccp/vars | 17 ++++++++--------- lib/functions.sh | 2 +- minimal/docker-compose.yml | 2 -- 6 files changed, 34 insertions(+), 33 deletions(-) diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml index bc09e1f..19a5e35 100644 --- a/ccp/modules/datashield-compose.yml +++ b/ccp/modules/datashield-compose.yml @@ -15,7 +15,6 @@ services: - "traefik.enable=true" - "traefik.http.routers.rstudio_ccp.rule=PathPrefix(`/rstudio`)" - "traefik.http.services.rstudio_ccp.loadbalancer.server.port=8787" - - "traefik.http.routers.rstudio_ccp.tls=true" - "traefik.http.middlewares.rstudio_ccp_strip.stripprefix.prefixes=/rstudio" - "traefik.http.routers.rstudio_ccp.tls=true" - "traefik.http.routers.rstudio_ccp.middlewares=oidcAuth,rstudio_ccp_strip" @@ -46,11 +45,11 @@ services: APP_CONTEXT_PATH: "/opal" OPAL_PRIVATE_KEY: "/run/secrets/opal-key.pem" OPAL_CERTIFICATE: "/run/secrets/opal-cert.pem" - KEYCLOAK_URL: "${KEYCLOAK_URL}" - KEYCLOAK_REALM: "${KEYCLOAK_REALM}" - KEYCLOAK_CLIENT_ID: "${KEYCLOAK_PRIVATE_CLIENT_ID}" - KEYCLOAK_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}" - KEYCLOAK_ADMIN_GROUP: "${KEYCLOAK_ADMIN_GROUP}" + OIDC_URL: "${OIDC_URL}" + OIDC_REALM: "${OIDC_REALM}" + OIDC_CLIENT_ID: "${OIDC_PRIVATE_CLIENT_ID}" + OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}" + OIDC_ADMIN_GROUP: "${OIDC_ADMIN_GROUP}" TOKEN_MANAGER_PASSWORD: "${TOKEN_MANAGER_OPAL_PASSWORD}" EXPORTER_PASSWORD: "${EXPORTER_OPAL_PASSWORD}" BEAM_APP_ID: token-manager.${PROXY_ID} 
@@ -113,15 +112,15 @@ services: APP_datashield-connect_KEY: ${DATASHIELD_CONNECT_SECRET} APP_token-manager_KEY: ${TOKEN_MANAGER_SECRET} - # TODO: Allow users of group /DataSHIELD and KEYCLOAK_USER_GROUP at the same time: + # TODO: Allow users of group /DataSHIELD and OIDC_USER_GROUP at the same time: # Maybe a solution would be (https://oauth2-proxy.github.io/oauth2-proxy/configuration/oauth_provider): - # --allowed-groups=/DataSHIELD,KEYCLOAK_USER_GROUP + # --allowed-groups=/DataSHIELD,OIDC_USER_GROUP oauth2_proxy: image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:latest container_name: bridgehead_oauth2_proxy command: >- --allowed-group=DataSHIELD - --oidc-groups-claim=${KEYCLOAK_GROUP_CLAIM} + --oidc-groups-claim=${OIDC_GROUP_CLAIM} --auth-logging=true --whitelist-domain=${HOST} --http-address="0.0.0.0:4180" @@ -136,10 +135,10 @@ services: #OIDC settings --provider="keycloak-oidc" --provider-display-name="VerbIS Login" - --client-id="${KEYCLOAK_PRIVATE_CLIENT_ID}" + --client-id="${OIDC_PRIVATE_CLIENT_ID}" --client-secret="${OIDC_CLIENT_SECRET}" --redirect-url="https://${HOST}${OAUTH2_CALLBACK}" - --oidc-issuer-url="${KEYCLOAK_ISSUER_URL}" + --oidc-issuer-url="${OIDC_ISSUER_URL}" --scope="openid email profile" --code-challenge-method="S256" --skip-provider-button=true @@ -147,6 +146,7 @@ services: --pass-basic-auth=true --pass-user-headers=false --pass-access-token=false + labels: - "traefik.enable=true" - "traefik.http.routers.oauth2_proxy.rule=Host(`${HOST}`) && PathPrefix(`/oauth2`, `/oauth2/callback`)" diff --git a/ccp/modules/mtba-compose.yml b/ccp/modules/mtba-compose.yml index 042bca1..56bb015 100644 --- a/ccp/modules/mtba-compose.yml +++ b/ccp/modules/mtba-compose.yml 
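Review bot: The TODO comment above `oauth2_proxy` still shows `--allowed-groups=/DataSHIELD,OIDC_USER_GROUP`, while the flag a few lines below now passes `--allowed-group=DataSHIELD` without the leading slash, and `OIDC_USER_GROUP` is a shell variable that needs `${}` to expand in this file; whoever acts on the TODO will copy the wrong form. Suggest `# --allowed-groups=DataSHIELD,${OIDC_USER_GROUP}` with the group spelled the way the live flag spells it. The command block continues outside the hunk, so the two forms are not visible side by side.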
@@ -2,9 +2,7 @@ version: "3.7" services: mtba: - #image: docker.verbis.dkfz.de/cache/samply/mtba:latest - #image: docker.verbis.dkfz.de/cache/samply/mtba:develop - image: samply/mtba:develop + image: docker.verbis.dkfz.de/cache/samply/mtba:develop container_name: bridgehead-mtba environment: BLAZE_STORE_URL: http://blaze:8080 @@ -22,6 +20,12 @@ services: FILE_END_OF_LINE: ${MTBA_FILE_END_OF_LINE:-LF} CSV_DELIMITER: ${MTBA_CSV_DELIMITER:-TAB} HTTP_RELATIVE_PATH: "/mtba" + OIDC_ADMIN_GROUP: "${OIDC_ADMIN_GROUP}" + OIDC_CLIENT_ID: "${OIDC_PRIVATE_CLIENT_ID}" + OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}" + OIDC_REALM: "${OIDC_REALM}" + OIDC_URL: "${OIDC_URL}" + labels: - "traefik.enable=true" - "traefik.http.routers.mtba_ccp.rule=PathPrefix(`/mtba`)" diff --git a/ccp/modules/teiler-compose.yml b/ccp/modules/teiler-compose.yml index 40e394c..a76f161 100644 --- a/ccp/modules/teiler-compose.yml +++ b/ccp/modules/teiler-compose.yml @@ -19,7 +19,7 @@ services: HTTP_RELATIVE_PATH: "/ccp-teiler" teiler-dashboard: - image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:latest + image: docker.verbis.dkfz.de/cache/samply/teiler-dashboard:develop container_name: bridgehead-teiler-dashboard labels: - "traefik.enable=true" @@ -31,10 +31,10 @@ services: environment: DEFAULT_LANGUAGE: "${DEFAULT_LANGUAGE}" TEILER_BACKEND_URL: "https://${HOST}/ccp-teiler-backend" - KEYCLOAK_URL: "${KEYCLOAK_URL}" - KEYCLOAK_REALM: "${KEYCLOAK_REALM}" - KEYCLOAK_CLIENT_ID: "${KEYCLOAK_PUBLIC_CLIENT_ID}" - KEYCLOAK_TOKEN_GROUP: "${KEYCLOAK_GROUP_CLAIM}" + OIDC_URL: "${OIDC_URL}" + OIDC_REALM: "${OIDC_REALM}" + OIDC_CLIENT_ID: "${OIDC_PUBLIC_CLIENT_ID}" + OIDC_TOKEN_GROUP: "${OIDC_GROUP_CLAIM}" TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}" TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}" TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}" 
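Review bot: `OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"` hands the same confidential client secret to a third container (opal and oauth2_proxy already receive it in datashield-compose.yml), readable through `docker inspect` or `/proc/<pid>/environ` on each of them, and mtba tracks a mutable `develop` tag, so a bad image build now exposes the site's whole OIDC identity. If mtba only needs to validate tokens, a client of its own (or the public client already defined as `OIDC_PUBLIC_CLIENT_ID`) would confine the blast radius; if it genuinely needs the confidential client, pass the secret as a mounted file the way `OPAL_PRIVATE_KEY` is handled. The trailing empty line inside `environment:` is harmless but unlike the rest of the file.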
@@ -43,8 +43,8 @@ services: TEILER_ORCHESTRATOR_URL: "https://${HOST}/ccp-teiler" TEILER_DASHBOARD_HTTP_RELATIVE_PATH: "/ccp-teiler-dashboard" TEILER_ORCHESTRATOR_HTTP_RELATIVE_PATH: "/ccp-teiler" - TEILER_USER: "${KEYCLOAK_USER_GROUP}" - TEILER_ADMIN: "${KEYCLOAK_ADMIN_GROUP}" + TEILER_USER: "${OIDC_USER_GROUP}" + TEILER_ADMIN: "${OIDC_ADMIN_GROUP}" REPORTER_DEFAULT_TEMPLATE_ID: "ccp-qb" EXPORTER_DEFAULT_TEMPLATE_ID: "ccp" diff --git a/ccp/vars b/ccp/vars index f4d70fe..c1e9887 100644 --- a/ccp/vars +++ b/ccp/vars @@ -10,19 +10,18 @@ BROKER_URL_FOR_PREREQ=$BROKER_URL DEFAULT_LANGUAGE=DE DEFAULT_LANGUAGE_LOWER_CASE=${DEFAULT_LANGUAGE,,} ENABLE_EXPORTER=true -ENABLE_LOGIN=true ENABLE_TEILER=true #ENABLE_DATASHIELD=true -KEYCLOAK_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})" -KEYCLOAK_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter" -KEYCLOAK_PRIVATE_CLIENT_ID=${SITE_ID}-private -KEYCLOAK_PUBLIC_CLIENT_ID=${SITE_ID}-public +OIDC_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})" +OIDC_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter" +OIDC_PRIVATE_CLIENT_ID=${SITE_ID}-private +OIDC_PUBLIC_CLIENT_ID=${SITE_ID}-public # Use "test-realm-01" for testing -KEYCLOAK_REALM="${KEYCLOAK_REALM:-master}" -KEYCLOAK_URL="https://login.verbis.dkfz.de" -KEYCLOAK_ISSUER_URL="${KEYCLOAK_URL}/realms/${KEYCLOAK_REALM}" -KEYCLOAK_GROUP_CLAIM="groups" +OIDC_REALM="${OIDC_REALM:-master}" +OIDC_URL="https://login.verbis.dkfz.de" +OIDC_ISSUER_URL="${OIDC_URL}/realms/${OIDC_REALM}" +OIDC_GROUP_CLAIM="groups" OAUTH2_CALLBACK=/oauth2/callback OAUTH2_PROXY_SECRET="$(echo \"This is a salt string to generate one consistent encryption key for the oauth2_proxy. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 32)" diff --git a/lib/functions.sh b/lib/functions.sh index d32bdbe..fa2a144 100644 --- a/lib/functions.sh +++ b/lib/functions.sh 
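Review bot: Renaming the override from `KEYCLOAK_REALM` to `OIDC_REALM` silently changes the effective realm for any operator who has `KEYCLOAK_REALM=test-realm-01` exported in their environment or site config: the old name is no longer read, the `master` default takes over, and a test site starts authenticating against the production realm with no warning. Until deployments are migrated, honour both names, `OIDC_REALM="${OIDC_REALM:-${KEYCLOAK_REALM:-master}}"`, or at least log when the old variable is set. `ENABLE_LOGIN=true` is removed here without a replacement in this patch; if any setup script still tests it, that module is now silently disabled.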
@@ -282,7 +282,7 @@ function sync_secrets() { docker run --rm \ -v /var/cache/bridgehead/secrets/oidc:/usr/local/cache \ -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \ - -v ./$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \ + -v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \ -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \ -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \ -e NO_PROXY=localhost,127.0.0.1 \ diff --git a/minimal/docker-compose.yml b/minimal/docker-compose.yml index 217f1b3..9c761af 100644 --- a/minimal/docker-compose.yml +++ b/minimal/docker-compose.yml @@ -57,5 +57,3 @@ services: HOST: ${HOST} PROJECT: ${PROJECT} SITE_NAME: ${SITE_NAME} - - From 3e44dab9f212f2d536f7eb4d04ce9709a9e91be2 Mon Sep 17 00:00:00 2001 From: janskiba Date: Mon, 19 Feb 2024 08:26:53 +0000 Subject: [PATCH 76/81] chore: Remame datashield mappings to datashield sites --- ccp/modules/datashield-setup.sh | 2 +- ccp/modules/{datashield-mappings.json => datashield-sites.json} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename ccp/modules/{datashield-mappings.json => datashield-sites.json} (100%) diff --git a/ccp/modules/datashield-setup.sh b/ccp/modules/datashield-setup.sh index 9324305..858d31f 100644 --- a/ccp/modules/datashield-setup.sh +++ b/ccp/modules/datashield-setup.sh @@ -15,7 +15,7 @@ if [ "$ENABLE_DATASHIELD" == true ]; then openssl req -x509 -newkey rsa:4096 -nodes -keyout /tmp/bridgehead/opal-key.pem -out /tmp/bridgehead/opal-cert.pem -days 3650 -subj "/CN=opal/C=DE" fi mkdir -p /tmp/bridgehead/opal-map - sites="$(cat ./$PROJECT/modules/datashield-mappings.json)" + sites="$(cat ./$PROJECT/modules/datashield-sites.json)" echo "$sites" | docker_jq -n --args '{"sites": input | map({ "name": ., "id": ., diff --git a/ccp/modules/datashield-mappings.json b/ccp/modules/datashield-sites.json similarity index 100% rename from ccp/modules/datashield-mappings.json rename to ccp/modules/datashield-sites.json 
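Review bot: With the `-v host:container` form Docker creates a missing host path as an empty directory, so if `/srv/docker/bridgehead/$PROJECT/root.crt.pem` is absent (repository checked out elsewhere, or `$PROJECT` wrong) the container gets an empty directory at `/run/secrets/root.crt.pem` rather than a refused start, and the secret sync proceeds without the intended trust root. Either verify the file first, `[ -f "/srv/docker/bridgehead/$PROJECT/root.crt.pem" ] || { log ERROR "root.crt.pem missing"; return 1; }` (assuming `log` accepts ERROR as it does INFO), or switch this bind to `--mount type=bind,src=...,dst=/run/secrets/root.crt.pem,readonly`, which fails when the source is missing. The absolute install prefix also diverges from the `./$PROJECT` relative paths used elsewhere in these scripts; `sync_secrets` continues outside the hunk.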
From fb4da54297a8949f7c0783bc63b27c0cc31659dc Mon Sep 17 00:00:00 2001 From: janskiba Date: Mon, 19 Feb 2024 08:30:49 +0000 Subject: [PATCH 77/81] chore: Add mannheim to datashield sites --- ccp/modules/datashield-sites.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ccp/modules/datashield-sites.json b/ccp/modules/datashield-sites.json index 7d8dad4..07e2966 100644 --- a/ccp/modules/datashield-sites.json +++ b/ccp/modules/datashield-sites.json @@ -9,5 +9,6 @@ "frankfurt", "essen", "dktk-datashield-test", - "dktk-test" + "dktk-test", + "mannheim" ] From 74eb86f8af14f763342232912a5342bd4cf99257 Mon Sep 17 00:00:00 2001 From: janskiba Date: Wed, 21 Feb 2024 15:25:02 +0000 Subject: [PATCH 78/81] fix: Update permissions on update --- lib/functions.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lib/functions.sh b/lib/functions.sh index fa2a144..d5c3a8c 100644 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -132,6 +132,10 @@ assertVarsNotEmpty() { fixPermissions() { CHOWN=$(which chown) sudo $CHOWN -R bridgehead /etc/bridgehead /srv/docker/bridgehead + if [ -d "/tmp/bridgehead" ]; then # Used by datashield + sudo chown -R bridgehead:docker "/tmp/bridgehead" + if [ -d "/var/cache/bridgehead" ]; then # Used by the teiler + sudo chown -R bridgehead:docker "/var/cache/bridgehead" } source lib/monitoring.sh From db9692795af31617fb8c0dc756f69906a8e4f000 Mon Sep 17 00:00:00 2001 From: janskiba Date: Wed, 21 Feb 2024 15:28:51 +0000 Subject: [PATCH 79/81] fix: Fix if syntrax --- lib/functions.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/functions.sh b/lib/functions.sh index d5c3a8c..cc2f3ec 100644 --- a/lib/functions.sh +++ b/lib/functions.sh 
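Review bot: Both `if [ -d ... ]; then` blocks added to `fixPermissions` are never closed, so `source lib/functions.sh` fails with a syntax error before anything below it loads. Add `fi` after each `sudo chown -R bridgehead:docker ...` line, and use the `$CHOWN` variable the first line of the function already resolves so the three calls behave the same under `sudo`'s restricted PATH.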
@@ -134,8 +134,10 @@ fixPermissions() { sudo $CHOWN -R bridgehead /etc/bridgehead /srv/docker/bridgehead if [ -d "/tmp/bridgehead" ]; then # Used by datashield sudo chown -R bridgehead:docker "/tmp/bridgehead" + fi if [ -d "/var/cache/bridgehead" ]; then # Used by the teiler sudo chown -R bridgehead:docker "/var/cache/bridgehead" + fi } source lib/monitoring.sh From b2c933f5e50aee4fee474cfacb87432551118ece Mon Sep 17 00:00:00 2001 From: Torben Brenner Date: Wed, 28 Feb 2024 10:52:57 +0100 Subject: [PATCH 80/81] fix: set focus version to 0.4.0 --- ccp/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml index d92ccfb..5e26878 100644 --- a/ccp/docker-compose.yml +++ b/ccp/docker-compose.yml @@ -19,7 +19,7 @@ services: - "traefik.http.routers.blaze_ccp.tls=true" focus: - image: docker.verbis.dkfz.de/cache/samply/focus:${FOCUS_TAG} + image: docker.verbis.dkfz.de/cache/samply/focus:0.4.0 container_name: bridgehead-focus environment: API_KEY: ${FOCUS_BEAM_SECRET_SHORT} From 7478d804dfd17eb00eb8ab22f9f695783a87672d Mon Sep 17 00:00:00 2001 From: janskiba Date: Mon, 11 Mar 2024 10:34:05 +0000 Subject: [PATCH 81/81] refactor: Move vars to their setup files --- ccp/docker-compose.yml | 6 ------ ccp/modules/datashield-compose.yml | 4 ++++ ccp/modules/datashield-setup.sh | 3 +++ ccp/modules/teiler-setup.sh | 2 ++ ccp/vars | 5 ----- lib/functions.sh | 8 ++++---- 6 files changed, 13 insertions(+), 15 deletions(-) diff --git a/ccp/docker-compose.yml b/ccp/docker-compose.yml index e85e909..5e26878 100644 --- a/ccp/docker-compose.yml +++ b/ccp/docker-compose.yml 
@@ -52,12 +52,6 @@ services: - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro - /srv/docker/bridgehead/ccp/root.crt.pem:/conf/root.crt.pem:ro - traefik: - labels: - - "traefik.http.middlewares.oidcAuth.forwardAuth.address=http://oauth2_proxy:4180/" - - "traefik.http.middlewares.oidcAuth.forwardAuth.trustForwardHeader=true" - - "traefik.http.middlewares.oidcAuth.forwardAuth.authResponseHeaders=X-Auth-Request-Access-Token,Authorization" - volumes: blaze-data: diff --git a/ccp/modules/datashield-compose.yml b/ccp/modules/datashield-compose.yml index 19a5e35..48f5276 100644 --- a/ccp/modules/datashield-compose.yml +++ b/ccp/modules/datashield-compose.yml @@ -99,6 +99,10 @@ services: - rstudio traefik: + labels: + - "traefik.http.middlewares.oidcAuth.forwardAuth.address=http://oauth2_proxy:4180/" + - "traefik.http.middlewares.oidcAuth.forwardAuth.trustForwardHeader=true" + - "traefik.http.middlewares.oidcAuth.forwardAuth.authResponseHeaders=X-Auth-Request-Access-Token,Authorization" networks: - default - rstudio diff --git a/ccp/modules/datashield-setup.sh b/ccp/modules/datashield-setup.sh index 858d31f..7674ecf 100644 --- a/ccp/modules/datashield-setup.sh +++ b/ccp/modules/datashield-setup.sh @@ -1,6 +1,9 @@ #!/bin/bash -e if [ "$ENABLE_DATASHIELD" == true ]; then + # HACK: This only works because exporter-setup.sh and teiler-setup.sh are sourced after datashield-setup.sh + ENABLE_EXPORTER=true + ENABLE_TEILER=true log INFO "DataSHIELD setup detected -- will start DataSHIELD services." OVERRIDE+=" -f ./$PROJECT/modules/datashield-compose.yml" EXPORTER_OPAL_PASSWORD="$(generate_password \"exporter in Opal\")" diff --git a/ccp/modules/teiler-setup.sh b/ccp/modules/teiler-setup.sh index 1e97079..cc561d5 100644 --- a/ccp/modules/teiler-setup.sh +++ b/ccp/modules/teiler-setup.sh 
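Review bot: The `oidcAuth` forwardAuth middleware now exists only while datashield-compose.yml is part of the override set; any router outside this module that lists `middlewares=oidcAuth` will be disabled by Traefik with a missing-middleware error whenever DataSHIELD is off, which fails closed but is easy to mistake for a bug in that module. Add a note beside the labels, `# oidcAuth is only defined while the DataSHIELD module is enabled; routers elsewhere must not depend on it`, or keep the definition in the base compose file. `trustForwardHeader=true` also passes incoming X-Forwarded-* headers to oauth2_proxy; that is only safe if the entrypoint's `forwardedHeaders` does not accept them from arbitrary clients, which this hunk cannot show — worth confirming in the Traefik static config.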
@@ -3,5 +3,7 @@ if [ "$ENABLE_TEILER" == true ];then log INFO "Teiler setup detected -- will start Teiler services." OVERRIDE+=" -f ./$PROJECT/modules/teiler-compose.yml" + DEFAULT_LANGUAGE=DE + DEFAULT_LANGUAGE_LOWER_CASE=${DEFAULT_LANGUAGE,,} add_public_oidc_redirect_url "/ccp-teiler/*" fi diff --git a/ccp/vars b/ccp/vars index c1e9887..33f3e26 100644 --- a/ccp/vars +++ b/ccp/vars @@ -7,11 +7,6 @@ SUPPORT_EMAIL=support-ccp@dkfz-heidelberg.de PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem BROKER_URL_FOR_PREREQ=$BROKER_URL -DEFAULT_LANGUAGE=DE -DEFAULT_LANGUAGE_LOWER_CASE=${DEFAULT_LANGUAGE,,} -ENABLE_EXPORTER=true -ENABLE_TEILER=true -#ENABLE_DATASHIELD=true OIDC_USER_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})" OIDC_ADMIN_GROUP="DKTK_CCP_$(capitalize_first_letter ${SITE_ID})_Verwalter" diff --git a/lib/functions.sh b/lib/functions.sh index cc2f3ec..0e44a7f 100644 --- a/lib/functions.sh +++ b/lib/functions.sh @@ -133,11 +133,11 @@ fixPermissions() { CHOWN=$(which chown) sudo $CHOWN -R bridgehead /etc/bridgehead /srv/docker/bridgehead if [ -d "/tmp/bridgehead" ]; then # Used by datashield - sudo chown -R bridgehead:docker "/tmp/bridgehead" - fi + sudo $CHOWN -R bridgehead:docker "/tmp/bridgehead" + fi if [ -d "/var/cache/bridgehead" ]; then # Used by the teiler - sudo chown -R bridgehead:docker "/var/cache/bridgehead" - fi + sudo $CHOWN -R bridgehead:docker "/var/cache/bridgehead" + fi } source lib/monitoring.sh
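Review bot: `ENABLE_EXPORTER=true` and `ENABLE_TEILER=true` are deleted from ccp/vars, but nothing in this patch re-adds them: teiler-setup.sh only gains `DEFAULT_LANGUAGE`, exporter-setup.sh is not in the diffstat, and datashield-setup.sh sets them only when DataSHIELD itself is enabled. Unless a site config not shown here sets them, exporter and teiler are now off by default for every CCP site, a behaviour change the subject "Move vars to their setup files" does not announce. If on-by-default is still intended, keep overridable defaults in ccp/vars, e.g. `ENABLE_EXPORTER="${ENABLE_EXPORTER:-true}"` and `ENABLE_TEILER="${ENABLE_TEILER:-true}"`.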
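Review bot: `sudo $CHOWN -R bridgehead:docker "/tmp/bridgehead"` runs as root on a path under world-writable /tmp, and it is only safe if bridgehead created that directory itself: the sticky bit lets any local user pre-create `/tmp/bridgehead`, after which this chown hands the bridgehead user whatever that user placed there, and datashield-setup.sh writes the Opal private key into the same tree. Before chowning, refuse a directory whose owner is neither root nor bridgehead (`stat -c %U /tmp/bridgehead`), or move the DataSHIELD scratch files under /var/cache/bridgehead, which the next branch already treats as bridgehead-owned. A comment on why /tmp is used at all would help the next reader.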