refactor: use environment variables for oauth2-proxy config

Allow Usage of Centraxx Interface without login

ccp/modules/datashield-compose.yml

@@ -121,42 +121,38 @@ services:
   oauth2-proxy:
     image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:latest
     container_name: bridgehead-oauth2proxy
-    command: >-
-      --allowed-group=DataSHIELD
-      --oidc-groups-claim=${OIDC_GROUP_CLAIM}
-      --auth-logging=true
-      --whitelist-domain=${HOST}
-      --http-address="0.0.0.0:4180"
-      --reverse-proxy=true
-      --upstream="static://202"
-      --email-domain="*"
-      --cookie-name="_BRIDGEHEAD_oauth2"
-      --cookie-secret="${OAUTH2_PROXY_SECRET}"
-      --cookie-expire="12h"
-      --cookie-secure="true"
-      --cookie-httponly="true"
+    environment:
+      - http_proxy=http://forward_proxy:3128
+      - https_proxy=http://forward_proxy:3128
+      - OAUTH2_PROXY_ALLOWED_GROUPS=DataSHIELD
+      - OAUTH2_PROXY_OIDC_GROUPS_CLAIM=${OIDC_GROUP_CLAIM}
+      - OAUTH2_PROXY_WHITELIST_DOMAIN=${HOST}
+      - OAUTH2_PROXY_HTTP_ADDRESS=:4180
+      - OAUTH2_PROXY_REVERSE_PROXY=true
+      - OAUTH2_PROXY_UPSTREAMS=static://202
+      - OAUTH2_PROXY_EMAIL_DOMAINS=*
+      - OAUTH2_PROXY_COOKIE_NAME=_BRIDGEHEAD_oauth2
+      - OAUTH2_PROXY_COOKIE_SECRET=${OAUTH2_PROXY_SECRET}
+      - OAUTH2_PROXY_COOKIE_EXPIRE=12h
       #OIDC settings
-      --provider="keycloak-oidc"
-      --provider-display-name="VerbIS Login"
-      --client-id="${OIDC_PRIVATE_CLIENT_ID}"
-      --client-secret="${OIDC_CLIENT_SECRET}"
-      --redirect-url="https://${HOST}${OAUTH2_CALLBACK}"
-      --oidc-issuer-url="${OIDC_ISSUER_URL}"
-      --scope="openid email profile"
-      --code-challenge-method="S256"
-      --skip-provider-button=true
+      - OAUTH2_PROXY_PROVIDER=keycloak-oidc
+      - OAUTH2_PROXY_PROVIDER_DISPLAY_NAME="VerbIS Login"
+      - OAUTH2_PROXY_CLIENT_ID=${OIDC_PRIVATE_CLIENT_ID}
+      - OAUTH2_PROXY_CLIENT_SECRET=${OIDC_CLIENT_SECRET}
+      - OAUTH2_PROXY_REDIRECT_URL="https://${HOST}${OAUTH2_CALLBACK}"
+      - OAUTH2_PROXY_OIDC_ISSUER_URL=${OIDC_ISSUER_URL}
+      - OAUTH2_PROXY_SCOPE=openid profile email
+      - OAUTH2_PROXY_CODE_CHALLENGE_METHOD=true
+      - OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
       #X-Forwarded-Header settings - true/false depending on your needs
-      --pass-basic-auth=true
-      --pass-user-headers=false
-      --pass-access-token=false
+      - OAUTH2_PROXY_PASS_BASIC_AUTH=true
+      - OAUTH2_PROXY_PASS_USER_HEADERS=false
+      - OAUTH2_PROXY_ACCESS_TOKEN=false
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.oauth2_proxy.rule=Host(`${HOST}`) && PathPrefix(`/oauth2`)"
+      - "traefik.http.routers.oauth2_proxy.rule=PathPrefix(`/oauth2`)"
       - "traefik.http.services.oauth2_proxy.loadbalancer.server.port=4180"
       - "traefik.http.routers.oauth2_proxy.tls=true"
-    environment:
-      http_proxy: "http://forward_proxy:3128"
-      https_proxy: "http://forward_proxy:3128"
     depends_on:
       forward_proxy:
         condition: service_healthy

ccp/modules/id-management-compose.yml

@@ -19,10 +19,18 @@ services:
       - traefik-forward-auth
     labels:
       - "traefik.enable=true"
+      # Router with Authentication
       - "traefik.http.routers.id-manager.rule=PathPrefix(`/id-manager`)"
-      - "traefik.http.services.id-manager.loadbalancer.server.port=8080"
       - "traefik.http.routers.id-manager.tls=true"
       - "traefik.http.routers.id-manager.middlewares=traefik-forward-auth-idm"
+      - "traefik.http.routers.id-manager.service=id-manager-service"
+      # Router without Authentication
+      - "traefik.http.routers.id-manager-compatibility.rule=PathPrefix(`/id-manager/paths/translator/getIds`)"
+      - "traefik.http.routers.id-manager-compatibility.tls=true"
+      - "traefik.http.routers.id-manager-compatibility.service=id-manager-service"
+      # Definition of Service
+      - "traefik.http.services.id-manager-service.loadbalancer.server.port=8080"
+      - "traefik.http.services.id-manager-service.loadbalancer.server.scheme=http"
 
   patientlist:
     image: docker.verbis.dkfz.de/bridgehead/mainzelliste
@@ -57,7 +65,7 @@ services:
       - "/tmp/bridgehead/patientlist/:/docker-entrypoint-initdb.d/"
 
   traefik-forward-auth:
-    image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:v7.6.0
+    image: docker.verbis.dkfz.de/cache/oauth2-proxy/oauth2-proxy:latest
     environment:
       - http_proxy=http://forward_proxy:3128
       - https_proxy=http://forward_proxy:3128
@@ -67,6 +75,7 @@ services:
       - OAUTH2_PROXY_CLIENT_ID=bridgehead-${SITE_ID}
       - OAUTH2_PROXY_CLIENT_SECRET=${IDMANAGER_AUTH_CLIENT_SECRET}
       - OAUTH2_PROXY_COOKIE_SECRET=${IDMANAGER_AUTH_COOKIE_SECRET}
+      - OAUTH2_PROXY_COOKIE_NAME=_BRIDGEHEAD_oauth2_idm
       - OAUTH2_PROXY_COOKIE_DOMAINS=.${HOST}
       - OAUTH2_PROXY_HTTP_ADDRESS=:4180
       - OAUTH2_PROXY_REVERSE_PROXY=true

lib/prerequisites.sh

@@ -3,14 +3,16 @@
 source lib/functions.sh
 
 detectCompose
+CONFIG_DIR="/etc/bridgehead/"
+COMPONENT_DIR="/srv/docker/bridgehead/"
 
 if ! id "bridgehead" &>/dev/null; then
   log ERROR "User bridgehead does not exist. Please run bridgehead install $PROJECT"
   exit 1
 fi
 
-checkOwner /srv/docker/bridgehead bridgehead || exit 1
-checkOwner /etc/bridgehead bridgehead || exit 1
+checkOwner "${CONFIG_DIR}" bridgehead || exit 1
+checkOwner "${COMPONENT_DIR}" bridgehead || exit 1
 
 ## Check if user is a su
 log INFO "Checking if all prerequisites are met ..."
@@ -32,31 +34,31 @@ fi
 log INFO "Checking configuration ..."
 
 ## Download submodule
-if [ ! -d "/etc/bridgehead/" ]; then
-  fail_and_report 1 "Please set up the config folder at /etc/bridgehead. Instruction are in the readme."
+if [ ! -d "${CONFIG_DIR}" ]; then
+  fail_and_report 1 "Please set up the config folder at ${CONFIG_DIR}. Instruction are in the readme."
 fi
 
 # TODO: Check all required variables here in a generic loop
 
 #check if project env is present
-if [ -d "/etc/bridgehead/${PROJECT}.conf" ]; then
-   fail_and_report 1 "Project config not found. Please copy the template from ${PROJECT} and put it under /etc/bridgehead-config/${PROJECT}.conf."
+if [ -d "${CONFIG_DIR}${PROJECT}.conf" ]; then
+   fail_and_report 1 "Project config not found. Please copy the template from ${PROJECT} and put it under ${CONFIG_DIR}${PROJECT}.conf."
 fi
 
 # TODO: Make sure you're in the right directory, or, even better, be independent from the working directory.
 
 log INFO "Checking ssl cert for accessing bridgehead via https"
 
-if [ ! -d "/etc/bridgehead/traefik-tls" ]; then
+if [ ! -d "${CONFIG_DIR}traefik-tls" ]; then
   log WARN "TLS certs for accessing bridgehead via https missing, we'll now create a self-signed one. Please consider getting an officially signed one (e.g. via Let's Encrypt ...) and put into /etc/bridgehead/traefik-tls"
   mkdir -p /etc/bridgehead/traefik-tls
 fi
 
-if [ ! -e "/etc/bridgehead/traefik-tls/fullchain.pem" ]; then
+if [ ! -e "${CONFIG_DIR}traefik-tls/fullchain.pem" ]; then
   openssl req -x509 -newkey rsa:4096 -nodes -keyout /etc/bridgehead/traefik-tls/privkey.pem -out /etc/bridgehead/traefik-tls/fullchain.pem -days 3650 -subj "/CN=$HOST"
 fi
 
-if [ -e /etc/bridgehead/vault.conf ]; then
+if [ -e "${CONFIG_DIR}"vault.conf ]; then
   if [ "$(stat -c "%a %U" /etc/bridgehead/vault.conf)" != "600 bridgehead" ]; then
     fail_and_report 1 "/etc/bridgehead/vault.conf has wrong owner/permissions. To correct this issue, run chmod 600 /etc/bridgehead/vault.conf && chown bridgehead /etc/bridgehead/vault.conf."
   fi
@@ -64,7 +66,7 @@ fi
 
 log INFO "Checking network access ($BROKER_URL_FOR_PREREQ) ..."
 
-source /etc/bridgehead/${PROJECT}.conf
+source "${CONFIG_DIR}${PROJECT}".conf
 source ${PROJECT}/vars
 
 if [ "${PROJECT}" != "minimal" ]; then
@@ -92,10 +94,10 @@ if [ "${PROJECT}" != "minimal" ]; then
   fi
 fi
 checkPrivKey() {
-  if [ -e /etc/bridgehead/pki/${SITE_ID}.priv.pem ]; then
+  if [ -e "${CONFIG_DIR}pki/${SITE_ID}.priv.pem" ]; then
     log INFO "Success - private key found."
   else
-    log ERROR "Unable to find private key at /etc/bridgehead/pki/${SITE_ID}.priv.pem. To fix, please run\n  bridgehead enroll ${PROJECT}\nand follow the instructions."
+    log ERROR "Unable to find private key at ${CONFIG_DIR}pki/${SITE_ID}.priv.pem. To fix, please run\n  bridgehead enroll ${PROJECT}\nand follow the instructions."
     return 1
   fi
   return 0
@@ -107,6 +109,11 @@ else
   checkPrivKey || exit 1
 fi
 
+for dir in  "${CONFIG_DIR}" "${COMPONENT_DIR}"; do
+  log INFO "Checking branch: $(cd $dir && echo "$dir $(git branch --show-current)")"
+  hc_send log "Checking branch: $(cd $dir && echo "$dir $(git branch --show-current)")"
+done
+
 log INFO "Success - all prerequisites are met!"
 hc_send log "Success - all prerequisites are met!"
 

minimal/docker-compose.yml

@@ -10,13 +10,13 @@ services:
       - --providers.docker=true
       - --providers.docker.exposedbydefault=false
       - --providers.file.directory=/configuration/
-      - --api.dashboard=true
+      - --api.dashboard=false
       - --accesslog=true
       - --entrypoints.web.http.redirections.entrypoint.to=websecure
       - --entrypoints.web.http.redirections.entrypoint.scheme=https
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.dashboard.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
+      - "traefik.http.routers.dashboard.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard/`)"
       - "traefik.http.routers.dashboard.entrypoints=websecure"
       - "traefik.http.routers.dashboard.service=api@internal"
       - "traefik.http.routers.dashboard.tls=true"