Added more detail to metadata feedback README

Most of the things added during testing were not necessary and they were
removed. This had the additional advantage that many files are now identical
to their equivalents in the develop branch, making the diff more manageable.

README.md

@@ -23,6 +23,7 @@ This repository is the starting point for any information and tools you will nee
     - [File structure](#file-structure)
     - [BBMRI-ERIC Directory entry needed](#bbmri-eric-directory-entry-needed)
     - [Loading data](#loading-data)
+    - [Metadata feedback](#metadata-feedback)
 4. [Things you should know](#things-you-should-know)
     - [Auto-Updates](#auto-updates)
     - [Auto-Backups](#auto-backups)
@@ -76,7 +77,7 @@ The following URLs need to be accessible (prefix with `https://`):
   * git.verbis.dkfz.de
 * To fetch docker images
   * docker.verbis.dkfz.de
-  * Official Docker, Inc. URLs (subject to change, see [official list](https://docs.docker.com/desktop/all))
+  * Official Docker, Inc. URLs (subject to change, see [official list](https://docs.docker.com/desktop/setup/allow-list/))
     * hub.docker.com
     * registry-1.docker.io
     * production.cloudflare.docker.com
@@ -155,6 +156,7 @@ Clone the bridgehead repository:
 ```shell
 sudo mkdir -p /srv/docker/
 sudo git clone https://github.com/samply/bridgehead.git /srv/docker/bridgehead
+sudo git checkout metadata_fb # Only needed if you want to use metadata feedback
 ```
 
 Then, run the installation script:
@@ -347,6 +349,26 @@ Normally, you will need to build your own ETL to feed the Bridgehead. However, t
 
 You can find the profiles for generating FHIR in [Simplifier](https://simplifier.net/bbmri.de/~resources?category=Profile).
 
+### Metadata feedback
+
+The Bridgehead comes with a tool that allows you to associate metadata with samples. Multiple arbitrary text strings are allowed. A typical use case would be publications based on research using a sample. Here, one could lay down the DOI of the publication in the sample.
+
+Full details of the system can be found [here](https://github.com/samply/feedback-deployment). To avail yourself of this feature, you need to
+
+- Use the bbmri project.
+- work with the ```metadata_fb``` branch of the Bridgehead repository.
+- Build the feedback-agent Docker container (more details [here](https://github.com/samply/feedback-agent/)).
+- Build the feedback-agent-ui Docker container (more details [here](https://github.com/samply/feedback-agent-ui/)).
+
+The following extra environment variables need to be added to your ```/etc/bridgehead/bbmri.conf``` file:
+
+``` code
+ENABLE_EXPORTER=true
+ENABLE_FEEDBACK_AGENT=true
+FEEDBACK_HUB_URL=<URL for central feedback hub backend API>
+FOCUS_RETRY_COUNT=256
+```
+
 ## Things you should know
 
 ### Auto-Updates

bbmri/modules/eric-compose.yml

@@ -22,6 +22,7 @@ services:
       BROKER_URL: ${ERIC_BROKER_URL}
       PROXY_ID: ${ERIC_PROXY_ID}
       APP_focus_KEY: ${ERIC_FOCUS_BEAM_SECRET_SHORT}
+      APP_feedback-agent_KEY: ${FEEDBACK_AGENT_BEAM_SECRET}
       PRIVKEY_FILE: /run/secrets/proxy.pem
       ALL_PROXY: http://forward_proxy:3128
       TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs

bbmri/modules/exporter-compose.yml

@@ -0,0 +1,67 @@
+version: "3.7"
+
+services:
+  exporter:
+    image: docker.verbis.dkfz.de/ccp/dktk-exporter:latest
+    container_name: bridgehead-ccp-exporter
+    environment:
+      JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC"
+      LOG_LEVEL: "INFO"
+      EXPORTER_API_KEY: "${EXPORTER_API_KEY}"
+      CROSS_ORIGINS: "https://${HOST}"
+      EXPORTER_DB_USER: "exporter"
+      EXPORTER_DB_PASSWORD: "${EXPORTER_DB_PASSWORD}"
+      EXPORTER_DB_URL: "jdbc:postgresql://exporter-db:5432/exporter"
+      HTTP_RELATIVE_PATH: "/ccp-exporter"
+      SITE: "${SITE_ID}"
+      HTTP_SERVLET_REQUEST_SCHEME: "https"
+      OPAL_PASSWORD: "${EXPORTER_OPAL_PASSWORD}"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.exporter_ccp.rule=PathPrefix(`/ccp-exporter`)"
+      - "traefik.http.services.exporter_ccp.loadbalancer.server.port=8092"
+      - "traefik.http.routers.exporter_ccp.tls=true"
+      - "traefik.http.middlewares.exporter_ccp_strip.stripprefix.prefixes=/ccp-exporter"
+      - "traefik.http.routers.exporter_ccp.middlewares=exporter_ccp_strip"
+    volumes:
+      - "/var/cache/bridgehead/ccp/exporter-files:/app/exporter-files/output"
+
+  exporter-db:
+    image: docker.verbis.dkfz.de/cache/postgres:${POSTGRES_TAG}
+    container_name: bridgehead-ccp-exporter-db
+    environment:
+      POSTGRES_USER: "exporter"
+      POSTGRES_PASSWORD: "${EXPORTER_DB_PASSWORD}"
+      POSTGRES_DB: "exporter"
+    volumes:
+      # Consider removing this volume once we find a solution to save Lens-queries to be executed in the explorer.
+      - "/var/cache/bridgehead/ccp/exporter-db:/var/lib/postgresql/data"
+
+  reporter:
+    image: docker.verbis.dkfz.de/ccp/dktk-reporter:latest
+    container_name: bridgehead-ccp-reporter
+    environment:
+      JAVA_OPTS: "-Xms1G -Xmx8G -XX:+UseG1GC"
+      LOG_LEVEL: "INFO"
+      CROSS_ORIGINS: "https://${HOST}"
+      HTTP_RELATIVE_PATH: "/ccp-reporter"
+      SITE: "${SITE_ID}"
+      EXPORTER_API_KEY: "${EXPORTER_API_KEY}"
+      EXPORTER_URL: "http://exporter:8092"
+      LOG_FHIR_VALIDATION: "false"
+      HTTP_SERVLET_REQUEST_SCHEME: "https"
+
+    # In this initial development state of the bridgehead, we are trying to have so many volumes as possible.
+    # However, in the first executions in the CCP sites, this volume seems to be very important. A report is
+    # a process that can take several hours, because it depends on the exporter.
+    # There is a risk that the bridgehead restarts, losing the already created export.
+
+    volumes:
+      - "/var/cache/bridgehead/ccp/reporter-files:/app/reports"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.reporter_ccp.rule=PathPrefix(`/ccp-reporter`)"
+      - "traefik.http.services.reporter_ccp.loadbalancer.server.port=8095"
+      - "traefik.http.routers.reporter_ccp.tls=true"
+      - "traefik.http.middlewares.reporter_ccp_strip.stripprefix.prefixes=/ccp-reporter"
+      - "traefik.http.routers.reporter_ccp.middlewares=reporter_ccp_strip"

bbmri/modules/exporter-setup.sh

@@ -0,0 +1,9 @@
+#!/bin/bash -e
+
+if [ "$ENABLE_EXPORTER" == true ]; then
+  log INFO "Exporter setup detected -- will start Exporter service."
+  OVERRIDE+=" -f ./$PROJECT/modules/exporter-compose.yml"
+  EXPORTER_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+  EXPORTER_API_KEY="$(echo \"This is a salt string to generate one consistent API KEY for the exporter. It is not required to be secret.\" | sha1sum | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 64)"
+  POSTGRES_TAG=15.6-alpine
+fi

bbmri/modules/exporter.md

@@ -0,0 +1,15 @@
+# Exporter and Reporter
+
+
+## Exporter
+The exporter is a REST API that exports the data of the different databases of the bridgehead in a set of tables.
+It can accept different output formats as CSV, Excel, JSON or XML. It can also export data into Opal.
+
+## Exporter-DB
+It is a database to save queries for its execution in the exporter. 
+The exporter manages also the different executions of the same query in through the database.
+
+## Reporter
+This component is a plugin of the exporter that allows to create more complex Excel reports described in templates.
+It is compatible with different template engines as Groovy, Thymeleaf,...
+It is perfect to generate a document as our traditional CCP quality report.

bbmri/modules/feedback-agent-compose.yml

@@ -0,0 +1,59 @@
+version: "3.7"
+
+services:
+  feedback-agent-ui:
+    image: "samply/feedback-agent-ui"
+    environment:
+      - VUE_APP_EXPORTER_URL=https://localhost/ccp-exporter
+      - VUE_APP_FB_BACKEND_URL=http://localhost:8072
+    labels:
+     - traefik.enable=true
+     # HTTPS
+     - traefik.http.routers.feedback_agent_ui_ccp_https.rule=PathPrefix(`/ccp-feedback-agent-ui`)
+     - traefik.http.services.feedback_agent_ui_ccp_https.loadbalancer.server.port=8096
+     - traefik.http.routers.feedback_agent_ui_ccp_https.entrypoints=websecure
+     - traefik.http.routers.feedback_agent_ui_ccp_https.tls=true
+  feedback-agent:
+    image: "samply/feedback-agent"
+    environment:
+      - SPRING_DATASOURCE_URL=jdbc:postgresql://feedback-agent-db:5432/compose-postgres
+      - SPRING_DATASOURCE_USERNAME=compose-postgres
+      - SPRING_DATASOURCE_PASSWORD=${FEEDBACK_AGENT_DB_PASSWORD}
+      - SPRING_JPA_HIBERNATE_DDL_AUTO=update
+      - BEAM_PROXY_URI=http://beam-proxy-eric:8081
+      - FEEDBACK_HUB_URL=${FEEDBACK_HUB_URL}
+      - BLAZE_BASE_URL=http://blaze:8080/fhir
+      - FEEDBACK_AGENT_SECRET=${FEEDBACK_AGENT_BEAM_SECRET}
+      - FEEDBACK_AGENT_BEAM_ID=feedback-agent.${ERIC_PROXY_ID}
+      - FEEDBACK_HUB_BEAM_ID=feedback-hub.feedback-central.${ERIC_BROKER_ID}
+      - EXPORTER_API_KEY=${EXPORTER_API_KEY}
+      - CORS_ALLOWED_ORIGINS="https://${HOST}
+    networks:
+      # Only needed for local testing.
+      - feedback
+      - default
+    labels:
+     - traefik.enable=true
+     # HTTPS
+     - traefik.http.routers.feedback_agent_ccp_https.rule=PathPrefix(`/ccp-feedback-agent`)
+     - traefik.http.services.feedback_agent_ccp_https.loadbalancer.server.port=8072
+     - traefik.http.routers.feedback_agent_ccp_https.entrypoints=websecure
+     - traefik.http.middlewares.feedback_agent_ccp_https_strip.stripprefix.prefixes=/ccp-feedback-agent
+     - traefik.http.routers.feedback_agent_ccp_https.middlewares=feedback_agent_ccp_https_strip
+     - traefik.http.routers.feedback_agent_ccp_https.tls=true
+  feedback-agent-db:
+    image: 'postgres:13.1-alpine'
+    container_name: feedback-agent-db
+    environment:
+      - POSTGRES_USER=compose-postgres
+      - POSTGRES_PASSWORD=${FEEDBACK_AGENT_DB_PASSWORD}
+
+# This is needed when you run both agent and hub locally in a test
+# environment. Not necessary in production, though it probably won't
+# cause any problems.
+networks:
+  # Network to connect agent and hub.
+  feedback:
+    name: feedback
+    driver: bridge
+

bbmri/modules/feedback-agent-setup.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+if [ "$ENABLE_FEEDBACK_AGENT" == true ]; then
+  OVERRIDE+=" -f ./$PROJECT/modules/feedback-agent-compose.yml"
+  FEEDBACK_AGENT_BEAM_SECRET="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+  FEEDBACK_AGENT_DB_PASSWORD="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+fi
+

bbmri/modules/feedback-agent.md

@@ -0,0 +1,6 @@
+# Metadata feedback agent
+
+This component can be used to choose the sample to be associated
+with a given piece of metadata (generally the ID of a publication
+relating to research done with the sample).
+

bridgehead

@@ -53,17 +53,44 @@ case "$PROJECT" in
 		;;
 esac
 
+# Loads config variables and runs the projects setup script
 loadVars() {
-	# Load variables from /etc/bridgehead and /srv/docker/bridgehead
 	set -a
+	# Source the project specific config file
 	source /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "/etc/bridgehead/$PROJECT.conf not found"
+	# Source the project specific local config file if present
+	# This file is ignored by git as oposed to the regular config file as it contains private site information like etl auth data
 	if [ -e /etc/bridgehead/$PROJECT.local.conf ]; then
 		log INFO "Applying /etc/bridgehead/$PROJECT.local.conf"
 		source /etc/bridgehead/$PROJECT.local.conf || fail_and_report 1 "Found /etc/bridgehead/$PROJECT.local.conf but failed to import"
 	fi
+	# Set execution environment on main default to prod else test
+	if [[ -z "${ENVIRONMENT+x}" ]]; then
+		if [ "$(git rev-parse --abbrev-ref HEAD)" == "main" ]; then
+			ENVIRONMENT="production"
+		else
+			ENVIRONMENT="test"
+		fi
+	fi
+	# Source the versions of the images components 
+	case "$ENVIRONMENT" in
+		"production")
+			source ./versions/prod
+			;;
+		"test")
+			source ./versions/test
+			;;
+		*)
+			report_error 7 "Environment \"$ENVIRONMENT\" is unknown. Assuming production. FIX THIS!"
+			source ./versions/prod
+			;;
+	esac
 	fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || fail_and_report 1 "Unable to fetchVarsFromVaultByFile"
 	setHostname
 	optimizeBlazeMemoryUsage
+	# Run project specific setup if it exists
+	# This will ususally modiy the `OVERRIDE` to include all the compose files that the project depends on
+	# This is also where projects specify which modules to load
 	[ -e ./$PROJECT/vars ] && source ./$PROJECT/vars
 	set +a
 
@@ -79,26 +106,6 @@ loadVars() {
 	fi
 	detectCompose
 	setupProxy
-
-	# Set some project-independent default values
-	: ${ENVIRONMENT:=production}
-	export ENVIRONMENT
-
-	case "$ENVIRONMENT" in
-		"production")
-			export FOCUS_TAG=main
-			export BEAM_TAG=main
-			;;
-		"test")
-			export FOCUS_TAG=develop
-			export BEAM_TAG=develop
-			;;
-		*)
-			report_error 7 "Environment \"$ENVIRONMENT\" is unknown. Assuming production. FIX THIS!"
-			export FOCUS_TAG=main
-			export BEAM_TAG=main
-			;;
-	esac
 }
 
 case "$ACTION" in

lib/functions.sh

@@ -318,7 +318,7 @@ function sync_secrets() {
         docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
 
     set -a # Export variables as environment variables
-    source /var/cache/bridgehead/secrets/*
+    source /var/cache/bridgehead/secrets/oidc
     set +a # Export variables in the regular way
 }
 

lib/gitlab-token-helper.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+[ "$1" = "get" ] || exit
+
+source /var/cache/bridgehead/secrets/gitlab_token
+
+# Any non-empty username works, only the token matters
+cat << EOF
+username=bk
+password=$BRIDGEHEAD_CONFIG_REPO_TOKEN
+EOF

lib/gitpassword.sh

@@ -1,41 +0,0 @@
-#!/bin/bash
-
-if [ "$1" != "get" ]; then
-	echo "Usage: $0 get"
-	exit 1
-fi
-
-baseDir() {
-	# see https://stackoverflow.com/questions/59895
-	SOURCE=${BASH_SOURCE[0]}
-	while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
-		DIR=$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )
-		SOURCE=$(readlink "$SOURCE")
-		[[ $SOURCE != /* ]] && SOURCE=$DIR/$SOURCE # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
-        done
-        DIR=$( cd -P "$( dirname "$SOURCE" )/.." >/dev/null 2>&1 && pwd )
-        echo $DIR
-}
-
-BASE=$(baseDir)
-cd $BASE
-
-source lib/functions.sh
-
-assertVarsNotEmpty SITE_ID || fail_and_report 1 "gitpassword.sh failed: SITE_ID is empty."
-
-PARAMS="$(cat)"
-GITHOST=$(echo "$PARAMS" | grep "^host=" | sed 's/host=\(.*\)/\1/g')
-
-fetchVarsFromVault GIT_PASSWORD
-
-if [ -z "${GIT_PASSWORD}" ]; then
-	fail_and_report 1 "gitpassword.sh failed: Git password not found."
-fi
-
-cat <<EOF
-protocol=https
-host=$GITHOST
-username=bk-${SITE_ID}
-password=${GIT_PASSWORD}
-EOF

lib/update-bridgehead.sh

@@ -19,7 +19,7 @@ fi
 
 hc_send log "Checking for bridgehead updates ..."
 
-CONFFILE=/etc/bridgehead/$1.conf
+CONFFILE=/etc/bridgehead/$PROJECT.conf
 
 if [ ! -e $CONFFILE ]; then
   fail_and_report 1 "Configuration file $CONFFILE not found."
@@ -33,7 +33,43 @@ export SITE_ID
 checkOwner /srv/docker/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong permissions in /srv/docker/bridgehead"
 checkOwner /etc/bridgehead bridgehead || fail_and_report 1 "Update failed: Wrong permissions in /etc/bridgehead"
 
-CREDHELPER="/srv/docker/bridgehead/lib/gitpassword.sh"
+# Use Secret Sync to validate the GitLab token in /var/cache/bridgehead/secrets/gitlab_token.
+# If it is missing or expired, Secret Sync will create a new token and write it to the file.
+# The git credential helper reads the token from the file during git pull.
+mkdir -p /var/cache/bridgehead/secrets
+touch /var/cache/bridgehead/secrets/gitlab_token # the file has to exist to be mounted correctly in the Docker container
+log "INFO" "Running Secret Sync for the GitLab token"
+docker pull docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest # make sure we have the latest image
+docker run --rm \
+  -v /var/cache/bridgehead/secrets/gitlab_token:/usr/local/cache \
+  -v $PRIVATEKEYFILENAME:/run/secrets/privkey.pem:ro \
+  -v /srv/docker/bridgehead/$PROJECT/root.crt.pem:/run/secrets/root.crt.pem:ro \
+  -v /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro \
+  -e TLS_CA_CERTIFICATES_DIR=/conf/trusted-ca-certs \
+  -e NO_PROXY=localhost,127.0.0.1 \
+  -e ALL_PROXY=$HTTPS_PROXY_FULL_URL \
+  -e PROXY_ID=$PROXY_ID \
+  -e BROKER_URL=$BROKER_URL \
+  -e GITLAB_PROJECT_ACCESS_TOKEN_PROVIDER=secret-sync-central.oidc-client-enrollment.$BROKER_ID \
+  -e SECRET_DEFINITIONS=GitLabProjectAccessToken:BRIDGEHEAD_CONFIG_REPO_TOKEN: \
+  docker.verbis.dkfz.de/cache/samply/secret-sync-local:latest
+if [ $? -eq 0 ]; then
+  log "INFO" "Secret Sync was successful"
+  # In the past we used to hardcode tokens into the repository URL. We have to remove those now for the git credential helper to become effective.
+  CLEAN_REPO="$(git -C /etc/bridgehead remote get-url origin | sed -E 's|https://[^@]+@|https://|')"
+  git -C /etc/bridgehead remote set-url origin "$CLEAN_REPO"
+  # Set the git credential helper
+  git -C /etc/bridgehead config credential.helper /srv/docker/bridgehead/lib/gitlab-token-helper.sh
+else
+  log "WARN" "Secret Sync failed"
+  # Remove the git credential helper
+  git -C /etc/bridgehead config --unset credential.helper
+fi
+
+# In the past the git credential helper was also set for /srv/docker/bridgehead but never used.
+# Let's remove it to avoid confusion. This line can be removed at some point the future when we
+# believe that it was removed on all/most production servers.
+git -C /srv/docker/bridgehead config --unset credential.helper
 
 CHANGES=""
 
@@ -45,10 +81,6 @@ for DIR in /etc/bridgehead $(pwd); do
   if [ -n "$OUT" ]; then
     report_error log "The working directory $DIR is modified. Changed files: $OUT"
   fi
-  if [ "$(git -C $DIR config --get credential.helper)" != "$CREDHELPER" ]; then
-    log "INFO" "Configuring repo to use bridgehead git credential helper."
-    git -C $DIR config credential.helper "$CREDHELPER"
-  fi
   old_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
   if [ -z "$HTTPS_PROXY_FULL_URL" ]; then
     log "INFO" "Git is using no proxy!"

versions/prod

@@ -0,0 +1,2 @@
+FOCUS_TAG=main
+BEAM_TAG=main

versions/test

@@ -0,0 +1,2 @@
+FOCUS_TAG=develop
+BEAM_TAG=develop