fix: Disable landing page for now

Ensure Mainzelliste returns SSL in Responses

bridgehead

@@ -28,6 +28,9 @@ fi
 case "$PROJECT" in
 	ccp)
 		#nothing extra to do
+        ;;
+	leme)
+		#nothing extra to do
 		;;
 	bbmri)
 		#nothing extra to do
@@ -96,6 +99,8 @@ case "$ACTION" in
 		;;
 	stop)
 		loadVars
+		# Kill stale secret-sync instances if present
+		docker kill $(docker ps -q --filter ancestor=docker.verbis.dkfz.de/cache/samply/secret-sync-local) 2>/dev/null || true
 		# HACK: This is temporarily to properly shut down false bridgehead instances (bridgehead-ccp instead ccp)
 		$COMPOSE -p bridgehead-$PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE down
 		exec $COMPOSE -p $PROJECT -f ./minimal/docker-compose.yml -f ./$PROJECT/docker-compose.yml $OVERRIDE down

ccp/docker-compose.yml

@@ -21,7 +21,7 @@ services:
       - "traefik.http.routers.blaze_ccp.tls=true"
 
   focus:
-    image: docker.verbis.dkfz.de/cache/samply/focus:0.4.1
+    image: docker.verbis.dkfz.de/cache/samply/focus:0.4.4
     container_name: bridgehead-focus
     environment:
       API_KEY: ${FOCUS_BEAM_SECRET_SHORT}

ccp/modules/cbioportal-compose.yml

@@ -1,60 +0,0 @@
-version: '3.7'
-
-services:
-  cbioportal:
-    # image: docker.verbis.dkfz.de/ccp/dktk-cbioportal:latest
-    image: bridgehead-cbioportal
-    container_name: bridgehead-cbioportal
-    environment:
-      DB_PASSWORD: ${CBIOPORTAL_DB_PASSWORD}
-      # DB_PASSWORD: "password1234"
-      HTTP_RELATIVE_PATH: "/cbioportal"
-      UPLOAD_HTTP_RELATIVE_PATH: "/cbioportal-upload"
-      UPLOAD_FOLDER: "/app/uploads"
-      EXTRACTED_FOLDER: "/app/study"
-    depends_on:
-      - cbioportal-database
-      - cbioportal-session
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.cbioportal.rule=PathPrefix(`/cbioportal`)"
-      - "traefik.http.routers.cbioportal.service=cbioportal"
-      - "traefik.http.services.cbioportal.loadbalancer.server.port=8080"
-      - "traefik.http.routers.cbioportal.tls=true"
-      - "traefik.http.routers.cbioportal-upload.rule=PathPrefix(`/cbioportal-upload`)"    
-      - "traefik.http.routers.cbioportal-upload.service=cbioportal-upload"
-      - "traefik.http.routers.cbioportal-upload.tls=true"
-      - "traefik.http.services.cbioportal-upload.loadbalancer.server.port=8001" 
-      
-  cbioportal-database:
-    restart: unless-stopped
-    # image: docker.verbis.dkfz.de/ccp/dktk-cbioportal-database:latest
-    image: bridgehead-cbioportal-database
-    container_name: bridgehead-cbioportal-database
-    environment:
-      MYSQL_DATABASE: "cbioportal"
-      MYSQL_USER: "cbio_user"
-      MYSQL_PASSWORD: ${CBIOPORTAL_DB_PASSWORD}
-      MYSQL_ROOT_PASSWORD: ${CBIOPORTAL_DB_ROOT_PASSWORD}
-      # MYSQL_PASSWORD: "password1234"
-      # MYSQL_ROOT_PASSWORD: "password12"
-    volumes:
-     - /var/cache/bridgehead/ccp/cbioportal_db_data:/var/lib/mysql
- 
-  cbioportal-session:
-    image: cbioportal/session-service:0.6.1
-    container_name: bridgehead-cbioportal-session
-    environment:
-      SERVER_PORT: 5000
-      JAVA_OPTS: -Dspring.data.mongodb.uri=mongodb://cbioportal-session-database:27017/session-service
-    depends_on:
-      - cbioportal-session-database
-
-  cbioportal-session-database:
-    image: mongo:4.2
-    container_name: bridgehead-cbioportal-session-database
-    environment:
-      MONGO_INITDB_DATABASE: session_service
-    volumes:
-      - /var/cache/bridgehead/ccp/cbioportal_session_db_data:/data/db
-      

ccp/modules/cbioportal-setup.sh

@@ -1,10 +0,0 @@
-#!/bin/bash -e
-
-
-ENABLE_CBIOPORTAL=true
- if [ "$ENABLE_CBIOPORTAL" == true ]; then
-  log INFO "cBioPortal setup detected -- will start cBioPortal service."
-  OVERRIDE+=" -f ./$PROJECT/modules/cbioportal-compose.yml"
-  CBIOPORTAL_DB_PASSWORD="$(echo \"This is a salt string to generate one consistent password for the cbioportal database. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
-  CBIOPORTAL_DB_ROOT_PASSWORD="$(echo \"This is a salt string to generate one consistent root password for the cbioportal database. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 64)" 
- fi

ccp/modules/cbioportal.md

@@ -1,10 +0,0 @@
-# CBioPortal Data uploader
-
-
-## Usage
-
-We have integrated an API that allows you to upload data directly to cbioportal without the need to have cbioportal installed in your system.
-
-## Tech stack
-
-We used Flask to add this feature

ccp/modules/id-management-compose.yml

@@ -29,6 +29,7 @@ services:
     container_name: bridgehead-patientlist
     environment:
       - TOMCAT_REVERSEPROXY_FQDN=${HOST}
+      - TOMCAT_REVERSEPROXY_SSL=true
       - ML_SITE=${IDMANAGEMENT_FRIENDLY_ID}
       - ML_DB_PASS=${PATIENTLIST_POSTGRES_PASSWORD}
       - ML_API_KEY=${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}

leme/docker-compose.yml

@@ -0,0 +1,62 @@
+
+services:
+  blaze:
+    image: docker.verbis.dkfz.de/cache/samply/blaze:latest
+    container_name: bridgehead-leme-blaze
+    environment:
+      BASE_URL: "http://bridgehead-leme-blaze:8080"
+      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
+      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
+      DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP
+      ENFORCE_REFERENTIAL_INTEGRITY: "false"
+    volumes:
+      - "blaze-data:/app/data"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.blaze_leme.rule=PathPrefix(`/leme-localdatamanagement`)"
+      - "traefik.http.middlewares.leme_b_strip.stripprefix.prefixes=/leme-localdatamanagement"
+      - "traefik.http.services.blaze_leme.loadbalancer.server.port=8080"
+      - "traefik.http.routers.blaze_leme.middlewares=leme_b_strip,auth"
+      - "traefik.http.routers.blaze_leme.tls=true"
+
+  focus:
+    image: docker.verbis.dkfz.de/cache/samply/focus:0.4.4
+    container_name: bridgehead-focus
+    environment:
+      API_KEY: ${FOCUS_BEAM_SECRET_SHORT}
+      BEAM_APP_ID_LONG: focus.${PROXY_ID}
+      PROXY_ID: ${PROXY_ID}
+      BLAZE_URL: "http://bridgehead-leme-blaze:8080/fhir/"
+      BEAM_PROXY_URL: http://beam-proxy:8081
+      RETRY_COUNT: ${FOCUS_RETRY_COUNT}
+      EPSILON: 0.28
+    depends_on:
+      - "beam-proxy"
+      - "blaze"
+
+  beam-proxy:
+    image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop
+    container_name: bridgehead-beam-proxy
+    environment:
+      BROKER_URL: ${BROKER_URL}
+      PROXY_ID: ${PROXY_ID}
+      APP_focus_KEY: ${FOCUS_BEAM_SECRET_SHORT}
+      PRIVKEY_FILE: /run/secrets/proxy.pem
+      ALL_PROXY: http://forward_proxy:3128
+      TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs
+      ROOTCERT_FILE: /conf/root.crt.pem
+    secrets:
+      - proxy.pem
+    depends_on:
+      - "forward_proxy"
+    volumes:
+      - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
+      - /srv/docker/bridgehead/leme/root.crt.pem:/conf/root.crt.pem:ro
+
+
+volumes:
+  blaze-data:
+
+secrets:
+  proxy.pem:
+    file: /etc/bridgehead/pki/${SITE_ID}.priv.pem

leme/root.crt.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUHtDdZ+L/Z1YmwlrHJRelJFLAGh0wDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAxMLQnJva2VyLVJvb3QwHhcNMjQwNTEzMTExMTQyWhcNMzQw
+NTExMTExMjExWjAWMRQwEgYDVQQDEwtCcm9rZXItUm9vdDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAMLGngURLDDleDC/jGUSU12z9nfJBFrHItWQkcQk
+uZPOhCB55mD18aMtLmpXcHQ4MZdDOCHjA7n3gZa04PvueuLht57z3Uyk+M9C1Oor
+9KpnJWLogWtVJ9iaLrIGGS+lwttpglISg+7nZIszrCVaq2/mLe/Il47D7EifmA8L
+T+/gNd470tvAWaFn3pmeNJ2CHZ0ld+6CSOweerfPHq44DrZeCO8nRl/+v/JTizLg
+Fxjr2N38TohL4S8/QLIWtyQLZJbshuWAMwd7WtMXWqGPrIIDC8NiIQW8Yb1zjdoD
+/Ghmw6yfr+/m02GpJTe4rVhYJT9WYZS6wUbRlK1WTuy8T2ECAwEAAaN7MHkwDgYD
+VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFMdNeYJQr5e5
+Cmh3NzSg/6eQF0IxMB8GA1UdIwQYMBaAFMdNeYJQr5e5Cmh3NzSg/6eQF0IxMBYG
+A1UdEQQPMA2CC0Jyb2tlci1Sb290MA0GCSqGSIb3DQEBCwUAA4IBAQBl3iQUJYKz
+E82f1SMyd9EHx4xs5fwVAKpndDkPBo4QbRHCeSfEnkxJHtluaDXJF0MaWMbvNps1
+99afOVjZCDa5UQUqneyBTbY1tHr3gyYV/doe4FIHA799D2dKlyxu6sPNzRZJGppT
+gaueKzc3jKINER1LcdOaPmSogNGNezCwOsAkmwuPQMrzMT8JPlLEGh0vfG4B994w
+ECxyC3PicjXvq5UOCwYiGSwawqTznLUb3FO6SFYS1mNv2inVaNfLzkuCkdIyyqeU
+dc/h6tuDSC+CKAy+/qoDNzG9KD+mI8kVyhhIrQ++vQ9bbRtWr5aQzaq+fyDJNXx3
+IQvYUuSR8Nab
+-----END CERTIFICATE-----

leme/vars

@@ -0,0 +1,14 @@
+BROKER_ID=broker-test.health-innovation-lab.eu
+BROKER_URL=http://${BROKER_ID}
+PROXY_ID=${SITE_ID}.${BROKER_ID}
+FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
+FOCUS_RETRY_COUNT=32
+PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
+
+BROKER_URL_FOR_PREREQ=$BROKER_URL
+
+# for module in $PROJECT/modules/*.sh
+# do
+#     log DEBUG "sourcing $module"
+#     source $module
+# done

lib/functions.sh

@@ -164,15 +164,15 @@ setHostname() {
 optimizeBlazeMemoryUsage() {
 	if [ -z "$BLAZE_MEMORY_CAP" ]; then
 	   system_memory_in_mb=$(LC_ALL=C free -m | grep 'Mem:' | awk '{print $2}');
-	   export BLAZE_MEMORY_CAP=$(("$system_memory_in_mb"/4));
+	   export BLAZE_MEMORY_CAP=$(($system_memory_in_mb/4));
 	fi
 	if [ -z "$BLAZE_RESOURCE_CACHE_CAP" ]; then
-		available_system_memory_chuncks=$((BLAZE_MEMORY_CAP / 1000))
+		available_system_memory_chunks=$((BLAZE_MEMORY_CAP / 1000))
-		if [ $available_system_memory_chuncks -eq 0 ]; then
+		if [ $available_system_memory_chunks -eq 0 ]; then
 			log WARN "Only ${BLAZE_MEMORY_CAP} system memory available for Blaze. If your Blaze stores more than 128000 fhir ressources it will run significally slower."
 			export BLAZE_RESOURCE_CACHE_CAP=128000;
 		else
-			export BLAZE_RESOURCE_CACHE_CAP=$((available_system_memory_chuncks * 312500))
+			export BLAZE_RESOURCE_CACHE_CAP=$((available_system_memory_chunks * 312500))
 		fi
 	fi
 }
@@ -289,7 +289,7 @@ function sync_secrets() {
     if [[ $OIDC_PRIVATE_REDIRECT_URLS != "" ]]; then
         secret_sync_args="OIDC:OIDC_CLIENT_SECRET:private;$OIDC_PRIVATE_REDIRECT_URLS"
     fi
-    if [[ $OIDC_PRIVATE_REDIRECT_URLS != "" ]]; then
+    if [[ $OIDC_PUBLIC_REDIRECT_URLS != "" ]]; then
         if [[ $secret_sync_args == "" ]]; then
             secret_sync_args="OIDC:OIDC_PUBLIC:public;$OIDC_PUBLIC_REDIRECT_URLS"
         else

lib/prepare-system.sh

@@ -49,6 +49,9 @@ case "$PROJECT" in
 	ccp)
 		site_configuration_repository_middle="git.verbis.dkfz.de/bridgehead-configurations/bridgehead-config-"
 		;;
+    leme)
+		site_configuration_repository_middle="git.verbis.dkfz.de/bridgehead-configurations/bridgehead-config-"
+		;;
 	bbmri)
 		site_configuration_repository_middle="git.verbis.dkfz.de/bbmri-bridgehead-configs/"
 		;;

minimal/docker-compose.yml

@@ -46,15 +46,15 @@ services:
       # Wait 1s before marking this service healthy. Required for the oauth2-proxy to talk to the OIDC provider on startup which will fail if the forward proxy is not started yet.
       test: ["CMD", "sleep", "1"]
 
-  landing:
+  # landing:
-    container_name: bridgehead-landingpage
+  #   container_name: bridgehead-landingpage
-    image: docker.verbis.dkfz.de/cache/samply/bridgehead-landingpage:main
+  #   image: docker.verbis.dkfz.de/cache/samply/bridgehead-landingpage:main
-    labels:
+  #   labels:
-      - "traefik.enable=true"
+  #     - "traefik.enable=true"
-      - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
+  #     - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
-      - "traefik.http.services.landing.loadbalancer.server.port=80"
+  #     - "traefik.http.services.landing.loadbalancer.server.port=80"
-      - "traefik.http.routers.landing.tls=true"
+  #     - "traefik.http.routers.landing.tls=true"
-    environment:
+  #   environment:
-      HOST: ${HOST}
+  #     HOST: ${HOST}
-      PROJECT: ${PROJECT}
+  #     PROJECT: ${PROJECT}
-      SITE_NAME: ${SITE_NAME}
+  #     SITE_NAME: ${SITE_NAME}