add additional credential encoding for curl

Curl seems not to like full percent-encoding of all characters which might be related to https://github.com/curl/curl/issues/5448#event-3371269895. The version in this PR escapes a lot and strictly follows RFC3986 section 2.3 for unescaped characters
fix proxy credential escaping
2026-04-17 20:50:15 +02:00 · 2026-03-05 14:31:05 +01:00 · 2026-03-05 14:21:37 +01:00 · 2026-03-04 09:26:22 +01:00 · 2026-02-24 12:09:39 +01:00 · 2026-02-20 09:27:47 +01:00
20 changed files with 237 additions and 73 deletions
--- a/bbmri/modules/directory-sync.sh
+++ b/bbmri/modules/directory-sync.sh
@@ -1,6 +1,6 @@
 #!/bin/bash

-if [ -n "${DS_DIRECTORY_USER_NAME}" ]; then
+if [ -n "${DS_DIRECTORY_USER_NAME}" ] || [ -n "${DS_DIRECTORY_USER_TOKEN}" ]; then
 	log INFO "Directory sync setup detected -- will start directory sync service."
 	OVERRIDE+=" -f ./$PROJECT/modules/directory-sync-compose.yml"
 fi
--- a/cce/modules/airgapped-blaze-compose.yml
+++ b/cce/modules/airgapped-blaze-compose.yml
@@ -1,25 +0,0 @@
-version: "3.7"
-
-services:
-  blaze-airgapped:
-    image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}
-    container_name: bridgehead-cce-blaze-airgapped
-    environment:
-      BASE_URL: "http://bridgehead-cce-blaze-airgapped:8080"
-      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
-      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
-      DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP}
-      CQL_EXPR_CACHE_SIZE: ${BLAZE_CQL_CACHE_CAP:-32}
-      ENFORCE_REFERENTIAL_INTEGRITY: "false"
-    volumes:
-      - "blaze-airgapped-data:/app/data"
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.blaze-airgapped_cce.rule=PathPrefix(`/cce-localdatamanagement-airgapped`)"
-      - "traefik.http.middlewares.cce_b-a_strip.stripprefix.prefixes=/cce-localdatamanagement-airgapped"
-      - "traefik.http.services.blaze-airgapped_cce.loadbalancer.server.port=8080"
-      - "traefik.http.routers.blaze-airgapped_cce.middlewares=cce_b-a_strip,auth"
-      - "traefik.http.routers.blaze-airgapped_cce.tls=true"
-
-volumes:
-  blaze-airgapped-data:
--- a/cce/modules/airgapped-blaze-setup.sh
+++ b/cce/modules/airgapped-blaze-setup.sh
@@ -1,3 +0,0 @@
-#!/bin/bash
-
-OVERRIDE+=" -f ./$PROJECT/modules/airgapped-blaze-compose.yml"
--- a/itcc/docker-compose.yml
+++ b/itcc/docker-compose.yml
@@ -15,7 +15,7 @@ services:
      - "blaze-data:/app/data"
    labels:
      - "traefik.enable=true"
-      - "traefik.http.routers.blaze_itcc.rule=PathPrefix(`/itcc-localdatamanagement`)"
+      - "traefik.http.routers.blaze_itcc.rule=Host(`${HOST}`) && PathPrefix(`/itcc-localdatamanagement`)"
      - "traefik.http.middlewares.itcc_b_strip.stripprefix.prefixes=/itcc-localdatamanagement"
      - "traefik.http.services.blaze_itcc.loadbalancer.server.port=8080"
      - "traefik.http.routers.blaze_itcc.middlewares=itcc_b_strip,auth"
@@ -34,7 +34,6 @@ services:
      EPSILON: 0.28
      QUERIES_TO_CACHE: '/queries_to_cache.conf'
      ENDPOINT_TYPE: ${FOCUS_ENDPOINT_TYPE:-blaze}
-      CQL_PROJECTS_ENABLED: "itcc"
    volumes:
      - /srv/docker/bridgehead/itcc/queries_to_cache.conf:/queries_to_cache.conf:ro
    depends_on:
--- a/itcc/modules/itcc-omics-ingest.sh
+++ b/itcc/modules/itcc-omics-ingest.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+if [ -n "$ENABLE_OMICS" ];then
+  OVERRIDE+=" -f ./$PROJECT/modules/itcc-omics-ingest.yaml"
+  GENERATE_API_KEY="$(generate_simple_password 'omics')"
+fi
--- a/itcc/modules/itcc-omics-ingest.yaml
+++ b/itcc/modules/itcc-omics-ingest.yaml
@@ -0,0 +1,14 @@
+services:
+  omics-endpoint:
+    image: ghcr.io/samply/itcc-omics-ingest:main
+    environment:
+      - API_KEY=${GENERATE_API_KEY}
+    volumes:
+      - /var/cache/bridgehead/omics/data:/data/uploads
+    labels:
+      - "traefik.http.routers.omics.rule=Host(`${HOST}`) && PathPrefix(`/api/omics`)"
+      - "traefik.enable=true"
+      - "traefik.http.services.omics.loadbalancer.server.port=6080"
+      - "traefik.http.routers.omics.tls=true"
+      - "traefik.http.middlewares.omics-stripprefix.stripprefix.prefixes=/api"
+      - "traefik.http.routers.omics.middlewares=omics-stripprefix"
--- a/itcc/modules/lens-compose.yml
+++ b/itcc/modules/lens-compose.yml
@@ -1,33 +1,47 @@
 version: "3.7"
 services:
-  landing:
-    container_name: lens_federated-search
-    image: docker.verbis.dkfz.de/ccp/lens:${SITE_ID}
+  itcc-explorer:
+    container_name: lens_itcc_explorer
+    image: samply/itcc-explorer:main
+    environment:
+      HOST: "0.0.0.0"
+      BIND_ADDR: "0.0.0.0:3000"
+      PUBLIC_ENVIRONMENT: ${PUBLIC_ENVIRONMENT}
    labels:
      - "traefik.enable=true"
-      - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
-      - "traefik.http.services.landing.loadbalancer.server.port=80"
-      - "traefik.http.routers.landing.tls=true"
+      - "traefik.http.routers.itcc.rule=Host(`${HOST}`) && PathPrefix(`/`)"
+      - "traefik.http.routers.itcc.entrypoints=websecure"
+      - "traefik.http.services.itcc.loadbalancer.server.port=3000"
+      - "traefik.http.routers.itcc.tls=true"

  spot:
-    image: docker.verbis.dkfz.de/ccp-private/central-spot
+    image: samply/rustyspot:latest
    environment:
      BEAM_SECRET: "${FOCUS_BEAM_SECRET_SHORT}"
-      BEAM_URL: http://beam-proxy:8081
+      BEAM_PROXY_URL: http://beam-proxy:8081
      BEAM_PROXY_ID: ${SITE_ID}
      BEAM_BROKER_ID: ${BROKER_ID}
-      BEAM_APP_ID: "focus"
-      PROJECT_METADATA: "itcc"
+      BEAM_APP_ID: "spot.${SITE_ID}.${BROKER_ID}"
+      CORS_ORIGIN: "https://${HOST}"
+      SITES: ${SITES}
+      TRANSFORM: LENS
+      PROJECT: "itcc"
+      BIND_ADDR: 0.0.0.0:8055
    depends_on:
      - "beam-proxy"
    labels:
      - "traefik.enable=true"
-      - "traefik.http.services.spot.loadbalancer.server.port=8080"
+      - "traefik.http.services.spot.loadbalancer.server.port=8055"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowmethods=GET,OPTIONS,POST"
+      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowheaders=content-type"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolalloworiginlist=https://${HOST}"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowcredentials=true"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolmaxage=-1"
-      - "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/backend`)"
-      - "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/backend"
+      - "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/prod`)"
+      - "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/prod"
      - "traefik.http.routers.spot.tls=true"
      - "traefik.http.routers.spot.middlewares=corsheaders2,stripprefix_spot,auth"
+
+  beam-proxy:
+    environment:
+      APP_spot_KEY: ${FOCUS_BEAM_SECRET_SHORT}
--- a/itcc/vars
+++ b/itcc/vars
@@ -6,6 +6,7 @@ FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64}
 SUPPORT_EMAIL=arturo.macias@dkfz-heidelberg.de
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
 BROKER_URL_FOR_PREREQ=$BROKER_URL
+PUBLIC_ENVIRONMENT=prod

 for module in $PROJECT/modules/*.sh
 do
--- a/kr/docker-compose.yml
+++ b/kr/docker-compose.yml
@@ -12,7 +12,8 @@ services:
      BASE_URL: "http://bridgehead-kr-blaze:8080"
      JAVA_TOOL_OPTIONS: "-Xmx${BLAZE_MEMORY_CAP:-4096}m"
      DB_RESOURCE_CACHE_SIZE: ${BLAZE_RESOURCE_CACHE_CAP:-2500000}
-      DB_BLOCK_CACHE_SIZE: $BLAZE_MEMORY_CAP
+      DB_BLOCK_CACHE_SIZE: ${BLAZE_MEMORY_CAP}
+      CQL_EXPR_CACHE_SIZE: ${BLAZE_CQL_CACHE_CAP:-32}
      ENFORCE_REFERENTIAL_INTEGRITY: "false"
    volumes:
      - "blaze-data:/app/data"
--- a/kr/modules/export-and-qb.curl-templates
+++ b/kr/modules/export-and-qb.curl-templates
@@ -1,6 +0,0 @@
-# Full Excel Export
-curl --location --request POST 'https://${HOST}/ccp-exporter/request?query=Patient&query-format=FHIR_PATH&template-id=ccp&output-format=EXCEL' \
--header 'x-api-key: ${EXPORT_API_KEY}'
-
-# QB
-curl --location --request POST 'https://${HOST}/ccp-reporter/generate?template-id=ccp'
--- a/kr/modules/lens-compose.yml
+++ b/kr/modules/lens-compose.yml
@@ -4,32 +4,41 @@ services:
    deploy:
      replicas: 1 #reactivate if lens is in use
    container_name: lens_federated-search
-    image: docker.verbis.dkfz.de/ccp/lens:${SITE_ID}
+    image: docker.verbis.dkfz.de/ccp/kr-explorer:main
+    environment:
+      PUBLIC_SPOT_URL: https://${HOST}/prod
    labels:
+      - "traefik.http.services.lens.loadbalancer.server.port=3000"
      - "traefik.enable=true"
-      - "traefik.http.routers.landing.rule=PathPrefix(`/`)"
-      - "traefik.http.services.landing.loadbalancer.server.port=80"
-      - "traefik.http.routers.landing.tls=true"
+      - "traefik.http.routers.lens.rule=Host(`${HOST}`)"
+      - "traefik.http.routers.lens.tls=true"

  spot:
-    image: docker.verbis.dkfz.de/ccp-private/central-spot
+    image: samply/rustyspot:latest
    environment:
      BEAM_SECRET: "${FOCUS_BEAM_SECRET_SHORT}"
-      BEAM_URL: http://beam-proxy:8081
-      BEAM_PROXY_ID: ${SITE_ID}
-      BEAM_BROKER_ID: ${BROKER_ID}
-      BEAM_APP_ID: "focus"
-      PROJECT_METADATA: "kr_supervisors"
+      BEAM_PROXY_URL: http://beam-proxy:8081
+      BEAM_APP_ID: "spot.${SITE_ID}.${BROKER_ID}"
+      CORS_ORIGIN: "https://${HOST}"
+      SITES: ${SITES}
+      TRANSFORM: LENS
+      PROJECT: kr
+      BIND_ADDR: 0.0.0.0:8055
    depends_on:
      - "beam-proxy"
    labels:
      - "traefik.enable=true"
-      - "traefik.http.services.spot.loadbalancer.server.port=8080"
+      - "traefik.http.services.spot.loadbalancer.server.port=8055"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowmethods=GET,OPTIONS,POST"
+      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowheaders=content-type"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolalloworiginlist=https://${HOST}"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolallowcredentials=true"
      - "traefik.http.middlewares.corsheaders2.headers.accesscontrolmaxage=-1"
-      - "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/backend`)"
-      - "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/backend"
+      - "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/prod`)"
+      - "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/prod"
      - "traefik.http.routers.spot.tls=true"
-      - "traefik.http.routers.spot.middlewares=corsheaders2,stripprefix_spot"
+      - "traefik.http.routers.spot.middlewares=corsheaders2,stripprefix_spot,auth"
+
+  beam-proxy:
+    environment:
+      APP_spot_KEY: ${FOCUS_BEAM_SECRET_SHORT}
--- a/kr/modules/obds2fhir-rest-compose.yml
+++ b/kr/modules/obds2fhir-rest-compose.yml
@@ -3,7 +3,7 @@ version: "3.7"
 services:
  obds2fhir-rest:
    container_name: bridgehead-obds2fhir-rest
-    image: docker.verbis.dkfz.de/ccp/obds2fhir-rest:main
+    image: docker.verbis.dkfz.de/samply/obds2fhir-rest:main
    environment:
      IDTYPE: BK_${IDMANAGEMENT_FRIENDLY_ID}_L-ID
      MAINZELLISTE_APIKEY: ${IDMANAGER_LOCAL_PATIENTLIST_APIKEY}
--- a/kr/vars
+++ b/kr/vars
@@ -3,7 +3,7 @@ BROKER_URL=https://${BROKER_ID}
 PROXY_ID=${SITE_ID}.${BROKER_ID}
 FOCUS_BEAM_SECRET_SHORT="$(cat /proc/sys/kernel/random/uuid | sed 's/[-]//g' | head -c 20)"
 FOCUS_RETRY_COUNT=${FOCUS_RETRY_COUNT:-64}
-SUPPORT_EMAIL=arturo.macias@dkfz-heidelberg.de
+SUPPORT_EMAIL=p.delpy@dkfz-heidelberg.de
 PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem
 BROKER_URL_FOR_PREREQ=$BROKER_URL

--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -9,6 +9,15 @@ detectCompose() {
 	fi
 }

+# Encodes all characters not in unrestricted character set of RFC3986 Section 2.3
+urlencode() {
+  for ((i=0;i<${#1};i++)); do
+    local c=${1:i:1}
+    [[ "$c" =~ [a-zA-Z0-9._~-] ]] && printf '%s' "$c" || printf '%%%02X' "'$c"
+  done
+  echo
+}
+
 setupProxy() {
 	### Note: As the current data protection concepts do not allow communication via HTTP,
 	### we are not setting a proxy for HTTP requests.
@@ -22,9 +31,12 @@ setupProxy() {
 		HTTPS_PROXY_HOST="$(echo $hostport | sed -e 's,:.*,,g')"
 		HTTPS_PROXY_PORT="$(echo $hostport | sed -e 's,^.*:,:,g' -e 's,.*:\([0-9]*\).*,\1,g' -e 's,[^0-9],,g')"
 		if [[ ! -z "$HTTPS_PROXY_USERNAME" && ! -z "$HTTPS_PROXY_PASSWORD" ]]; then
+			local ESCAPED_PASSWORD="$(echo $HTTPS_PROXY_PASSWORD | od -An -v -t x1 | sed -e 's/[[:space:]]//g' -e 's/\([0-9a-f][0-9a-f]\)/%\1/g' | tr -d '\n')"
+			local CURL_ESCAPED_PW="$(urlencode $HTTPS_PROXY_PASSWORD)"
 			local proto="$(echo $HTTPS_PROXY_URL | grep :// | sed -e 's,^\(.*://\).*,\1,g')"
 			local fqdn="$(echo ${HTTPS_PROXY_URL/$proto/})"
-			HTTPS_PROXY_FULL_URL="$(echo $proto$HTTPS_PROXY_USERNAME:$HTTPS_PROXY_PASSWORD@$fqdn)"
+			HTTPS_PROXY_FULL_URL="$(echo $proto$HTTPS_PROXY_USERNAME:$ESCAPED_PASSWORD@$fqdn)"
+			CURL_HTTPS_PROXY_FULL_URL="$(echo $proto$HTTPS_PROXY_USERNAME:$CURL_ESCAPED_PW@$fqdn)"
 			https="authenticated"
 		else
 			HTTPS_PROXY_FULL_URL=$HTTPS_PROXY_URL
@@ -33,7 +45,7 @@ setupProxy() {
 	fi

 	log INFO "Configuring proxy servers: $http http proxy (we're not supporting unencrypted comms), $https https proxy"
-	export HTTPS_PROXY_HOST HTTPS_PROXY_PORT HTTPS_PROXY_FULL_URL
+	export HTTPS_PROXY_HOST HTTPS_PROXY_PORT HTTPS_PROXY_FULL_URL CURL_HTTPS_PROXY_FULL_URL
 }

 exitIfNotRoot() {
--- a/lib/monitoring.sh
+++ b/lib/monitoring.sh
@@ -47,8 +47,8 @@ function hc_send(){

    if [ -n "$2" ]; then
        MSG="$2\n\nDocker stats:\n$UPTIME"
-        echo -e "$MSG" | https_proxy=$HTTPS_PROXY_FULL_URL curl --max-time 5 -A "$USER_AGENT" -s -o /dev/null -X POST --data-binary @- "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1"
+        echo -e "$MSG" | https_proxy=$CURL_HTTPS_PROXY_FULL_URL curl --max-time 5 -A "$USER_AGENT" -s -o /dev/null -X POST --data-binary @- "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1"
    else
-        https_proxy=$HTTPS_PROXY_FULL_URL curl --max-time 5 -A "$USER_AGENT" -s -o /dev/null "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1"
+        https_proxy=$CURL_HTTPS_PROXY_FULL_URL curl --max-time 5 -A "$USER_AGENT" -s -o /dev/null "$HCURL"/"$1" || log WARN "Monitoring failed: Unable to send data to $HCURL/$1"
    fi
 }
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -71,7 +71,7 @@ source ${PROJECT}/vars

 if [ "${PROJECT}" != "minimal" ]; then
  set +e
-  SERVERTIME="$(https_proxy=$HTTPS_PROXY_FULL_URL curl -m 5 -s -I $BROKER_URL_FOR_PREREQ 2>&1 | grep -i -e '^Date: ' | sed -e 's/^Date: //i')"
+  SERVERTIME="$(https_proxy=$CURL_HTTPS_PROXY_FULL_URL curl -m 5 -s -I $BROKER_URL_FOR_PREREQ 2>&1 | grep -i -e '^Date: ' | sed -e 's/^Date: //i')"
  RET=$?
  set -e
  if [ $RET -ne 0 ]; then
--- a/lib/tests/test_proxyparsing.sh
+++ b/lib/tests/test_proxyparsing.sh
@@ -0,0 +1,123 @@
+source ../functions.sh
+
+test_setupProxy() {
+  # simple logger for tests
+  log() { :; }
+
+  local failures=0
+  local total=0
+
+  assert_eq() {
+    local label="$1" got="$2" expected="$3"
+    total=$((total + 1))
+    if [[ "$got" != "$expected" ]]; then
+      failures=$((failures + 1))
+      printf 'FAIL: %s\n  got:      %q\n  expected: %q\n\n' "$label" "$got" "$expected"
+    else
+      printf 'ok: %s\n' "$label"
+    fi
+  }
+
+  run_case() {
+    local name="$1"
+    local url="$2"
+    local u="$3"
+    local p="$4"
+    local exp_host="$5"
+    local exp_port="$6"
+    local exp_full="$7"
+
+    HTTPS_PROXY_URL="$url"
+    HTTPS_PROXY_USERNAME="$u"
+    HTTPS_PROXY_PASSWORD="$p"
+
+    setupProxy >/dev/null 2>&1
+
+    assert_eq "$name host" "$HTTPS_PROXY_HOST" "$exp_host"
+    assert_eq "$name port" "$HTTPS_PROXY_PORT" "$exp_port"
+    assert_eq "$name full" "$HTTPS_PROXY_FULL_URL" "$exp_full"
+  }
+
+  echo "Running setupProxy tests..."
+  echo
+
+  # 1) Basic https host:port
+  run_case "basic https" \
+    "https://proxy.example.org:8443" "" "" \
+    "proxy.example.org" "8443" \
+    "https://proxy.example.org:8443"
+
+  # 2) https without port -> default 443
+  run_case "https no port" \
+    "https://proxy.example.org" "" "" \
+    "proxy.example.org" "443" \
+    "https://proxy.example.org"
+
+  # 3) no scheme, host:port -> defaults scheme=https
+  run_case "no scheme hostport" \
+    "proxy.example.org:3128" "" "" \
+    "proxy.example.org" "3128" \
+    "https://proxy.example.org:3128"
+
+  # 4) URL with path/query/fragment
+  run_case "ignores path" \
+    "https://proxy.example.org:8443/some/path?x=1#y" "" "" \
+    "proxy.example.org" "8443" \
+    "https://proxy.example.org:8443"
+
+  # 5) explicit env creds inserted
+  run_case "env creds override" \
+    "https://proxy.example.org:8443" "alice" "secret" \
+    "proxy.example.org" "8443" \
+    "https://alice:secret@proxy.example.org:8443"
+
+  # 6) embedded creds used if env creds absent
+  run_case "embedded creds" \
+    "https://bob:pw@proxy.example.org:8443" "" "" \
+    "proxy.example.org" "8443" \
+    "https://bob:pw@proxy.example.org:8443"
+
+  # 7) env creds override embedded creds
+  run_case "env overrides embedded" \
+    "https://bob:pw@proxy.example.org:8443" "alice" "secret" \
+    "proxy.example.org" "8443" \
+    "https://alice:secret@proxy.example.org:8443"
+
+  # 8) IPv6 literal with port
+  run_case "ipv6 with port" \
+    "https://[2001:db8::1]:8080" "" "" \
+    "2001:db8::1" "8080" \
+    "https://[2001:db8::1]:8080"
+
+  # 9) IPv6 literal without port -> default 443
+  run_case "ipv6 no port" \
+    "https://[2001:db8::1]" "" "" \
+    "2001:db8::1" "443" \
+    "https://[2001:db8::1]"
+
+  # 10) http scheme rejected -> outputs empty
+  HTTPS_PROXY_URL="http://proxy.example.org:8080"
+  HTTPS_PROXY_USERNAME=""
+  HTTPS_PROXY_PASSWORD=""
+  setupProxy >/dev/null 2>&1
+  assert_eq "http rejected host" "${HTTPS_PROXY_HOST:-}" ""
+  assert_eq "http rejected port" "${HTTPS_PROXY_PORT:-}" ""
+  assert_eq "http rejected full" "${HTTPS_PROXY_FULL_URL:-}" ""
+
+  # 11) empty URL -> outputs empty but no failure
+  HTTPS_PROXY_URL=""
+  setupProxy >/dev/null 2>&1
+  assert_eq "empty url host" "${HTTPS_PROXY_HOST:-}" ""
+  assert_eq "empty url port" "${HTTPS_PROXY_PORT:-}" ""
+  assert_eq "empty url full" "${HTTPS_PROXY_FULL_URL:-}" ""
+
+  echo
+  echo "Tests complete: $((total - failures))/$total passed."
+  if (( failures > 0 )); then
+    echo "Some tests failed."
+    return 1
+  fi
+  return 0
+}
+
+test_setupProxy
--- a/minimal/docker-compose.yml
+++ b/minimal/docker-compose.yml
@@ -32,7 +32,7 @@ services:

  forward_proxy:
    container_name: bridgehead-forward-proxy
-    image: docker.verbis.dkfz.de/cache/samply/bridgehead-forward-proxy:latest
+    image: samply/bridgehead-forward-proxy:pr-16
    environment:
      HTTPS_PROXY: ${HTTPS_PROXY_URL}
      HTTPS_PROXY_USERNAME: ${HTTPS_PROXY_USERNAME}
--- a/pscc/modules/osiris2fhir-compose.yml
+++ b/pscc/modules/osiris2fhir-compose.yml
@@ -0,0 +1,13 @@
+services:
+  osiris2fhir:
+    container_name: bridgehead-osiris2fhir
+    image: docker.verbis.dkfz.de/ccp/osiris2fhir:${SITE_ID}
+    environment:
+      SALT: ${LOCAL_SALT}
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.osiris2fhir.rule=PathPrefix(`/osiris2fhir`)"
+      - "traefik.http.middlewares.osiris2fhir_strip.stripprefix.prefixes=/osiris2fhir"
+      - "traefik.http.services.osiris2fhir.loadbalancer.server.port=8080"
+      - "traefik.http.routers.osiris2fhir.tls=true"
+      - "traefik.http.routers.osiris2fhir.middlewares=osiris2fhir_strip,auth"
--- a/pscc/modules/osiris2fhir-setup.sh
+++ b/pscc/modules/osiris2fhir-setup.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+if [ -n "$ENABLE_OSIRIS2FHIR" ]; then
+  log INFO "oBDS2FHIR-REST setup detected -- will start osiris2fhir module."
+  OVERRIDE+=" -f ./pscc/modules/osiris2fhir-compose.yml"
+  LOCAL_SALT="$(echo \"local-random-salt\" | openssl pkeyutl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
+fi
Author	SHA1	Message	Date
Tobias Kussel	a14da73ccc	add additional credential encoding for curl Curl seems not to like full percent-encoding of all characters which might be related to https://github.com/curl/curl/issues/5448#event-3371269895. The version in this PR escapes a lot and strictly follows RFC3986 section 2.3 for unescaped characters	2026-03-05 14:31:05 +01:00
Tobias Kussel	467613ad31	fix proxy credential escaping	2026-03-05 14:21:37 +01:00
Tobias Kussel	82ee757e17	Use new proxy escaping and forward-proxy test image	2026-03-04 09:26:22 +01:00
Pierre Delpy	c1de9b8314	WIP: enable osiris2fhir in PSCC for GR (#372 ) enable osiris2fhir in PSCC for GR	2026-02-24 12:09:39 +01:00
DavidCroftDKFZ	9d3ec957a2	Activate Directory token login (#371 ) Right now, Directory sync will only be activated if a username has been specified. It also needs to run if a login token has been specified, hence the change in this commit.	2026-02-20 09:27:47 +01:00
Martin Jurk	7a9f80537b	sites moved to etc itcc.comf (#369 )	2026-02-10 16:04:33 +01:00
Pierre Delpy	bff06a6bb0	fix kr deployment (#370 )	2026-02-10 11:21:36 +01:00
Martin Jurk	6923ead6ce	feat: itcc lens2 (#365 )	2026-01-28 14:28:09 +01:00
Manoj Waikar	7dc9e2e663	Changes to make deployed CCE explorer work properly. (#368 ) * Changes to make deployed CCE explorer work properly. In the lens environment section in services: - add PUBLIC_SPOT_URL value	2026-01-13 10:42:10 +01:00
Jan	85cfc2514d	update beam proxy server used for oauth enrollment (#366 )	2025-12-11 11:33:29 +01:00
Enola Knezevic	dd3387c2f1	test version blaze (#364 ) This is the one we need urgently	2025-12-01 12:54:57 +01:00
Enola Knezevic	a5120ba75b	obfuscate BBMRI ERIC way, test blaze version (#363 )	2025-12-01 12:50:07 +01:00
Manoj Waikar	d0c87b40a6	Use the cce-explorer:main image from docker hub (instead of ghcr). (#362 )	2025-11-21 14:52:42 +01:00
Pierre Delpy	57f49ab5fc	feat: migrate pscc to orange cloud broker (#361 )	2025-11-21 10:42:21 +01:00
Manoj Waikar	e2569f4737	Use the main image name for cce explorer. (#360 ) - instead of pr1 name	2025-11-20 14:34:33 +01:00
Manoj Waikar	56a8aac326	Add APP_spot_KEY env var under the beam-proxy section. (#358 )	2025-11-19 09:33:18 +01:00
Niklas Reimer	ab6e05826f	feat(dnpm): set timezone to Europe/Berlin (#359 )	2025-11-12 10:25:20 +01:00
DavidCroftDKFZ	394dcc2567	Directory sync: token login and cron change (#351 ) The Directory team have requested that we allow token login to the Directory, where a user uses LSAAI credentials to obtain a token from the Directory, and then uses this to authenticate Directory sync. This has been implemented via an environment variable, in an analogous way to the already existing username/password method. The default start time for the Directory sync has been shifted to 22:30, to prevent conflicts with the Bridgehead auto-update. Relevant changes have been made to the documentation. Co-authored-by: Torben Brenner <76154651+torbrenner@users.noreply.github.com> Co-authored-by: Jan <59206115+Threated@users.noreply.github.com> Co-authored-by: Martin Lablans <6804500+lablans@users.noreply.github.com>	2025-11-11 09:43:08 +01:00
djuarezgf	58d3e6487c	feat: add nNGM project (#340 )	2025-11-06 16:47:50 +01:00
Pierre Delpy	230ff1debb	feat: add PSCC * add pscc and prepare lens2 deployment --------- Co-authored-by: p.delpy@dkfz-heidelberg.de <p.delpy@dkfz-heidelberg.de> Co-authored-by: Jan <59206115+Threated@users.noreply.github.com>	2025-11-05 15:18:00 +01:00
DavidCroftDKFZ	6dea7c8fef	Directory sync: inherit host timezone (#354 ) Directory sync needs to be able to launch at specific times of day, and in order to do this in a predictable way, the timezone used inside the Docker container should be the same as the host. To do this, two files need to be mounted from the host. One file contains information about the time zone, the other file contains the file zone name.	2025-11-05 11:02:26 +01:00
djuarezgf	66a1bd1122	docs: add initial documentation for Samply.Exporter and Samply.Teiler (#350 )	2025-10-20 11:16:41 +02:00
Tim Schumacher	85957b3d48	Update focus tags: no project specific images anymore	2025-10-16 13:39:58 +02:00
Jan	b31f2aff7d	fix: don't run secret sync for minimal (#349 )	2025-10-15 10:45:42 +02:00
Jan	eab7700404	feat: add bridgehead check command (#342 )	2025-09-30 11:47:51 +02:00
Jan	00b10f3ae6	fix: only pass CQL_PROJECTS_ENABLED to focus if set (#344 )	2025-09-30 11:39:40 +02:00
Jan	d1f5820d0f	feat: allow cql queries for exliquid (#343 )	2025-09-30 11:01:14 +02:00
Tim Schumacher	8a35785a24	feat: add scout module (#339 )	2025-09-02 13:23:34 +02:00
Jan	e0754853d8	feat(dnpm): change to new `api-gateway` image (#337 )	2025-08-19 16:35:52 +02:00
Jan	4407a87644	chore: add more options to transfair (#325 )	2025-08-19 16:32:41 +02:00
Jan	d0851d80a0	fix: adapt to transfair cli changes (#319 )	2025-08-19 15:48:05 +02:00
djuarezgf	ada3226044	Replace hardcoded image: ...:develop references with version variables (#335 ) * added: Teiler Dashboard Version * added: MTBA Version * added: beam proxy tag version	2025-07-30 11:21:10 +02:00
Paul-Christian Volkmer	a2e7330cee	docs: Add ghcr.io to URL list (#321 )	2025-07-25 10:58:56 +02:00
Jan	9c8d0ee8f5	fix(dnpm): fix env subsitution (#333 )	2025-07-25 10:58:07 +02:00
djuarezgf	fcad7104f0	mtba: fallback to keycloak test server pending migration	2025-07-23 09:53:14 +02:00
djuarezgf	7e13e251f8	feat: migrate PSP to Authentik (#329 )	2025-07-22 11:34:49 +02:00
Jan	2cfdc3ac3e	feat(dnpm): allow setting custom dnpm image tag (#326 )	2025-07-07 15:36:14 +02:00
djuarezgf	43b24c2a62	Fixed: Authentik URL for Opal (#328 ) * Fixed: Authentik URL for Opal * Removed: Unnecessary OIDC config in CCE and BBMRI * KR with basic auth instead of OIDC	2025-07-07 15:35:54 +02:00
djuarezgf	8414604257	feat: migrate OIDC Configuration from Keycloak to Authentik (#327 ) * Change: Authentik instead of Keycloak in CCP Co-authored-by: Jan <59206115+Threated@users.noreply.github.com> --------- Co-authored-by: Jan <59206115+Threated@users.noreply.github.com>	2025-07-04 14:26:19 +02:00
Jan	4c6f9e0f13	feat: remove local rstudio (#322 )	2025-06-27 10:55:53 +02:00
djuarezgf	a1cdc2659d	CCE Teiler and Export (#323 ) * Added Exporter to CCE * Add Teiler to CCE * Add EXPORTER_USER to adduser function	2025-06-25 15:53:29 +02:00
Pierre Delpy	92bc0557a3	fix: add obfuscation and basic auth to spot in cce and itcc (#324 ) Co-authored-by: p.delpy@dkfz-heidelberg.de <p.delpy@dkfz-heidelberg.de>	2025-06-25 14:58:20 +02:00
djuarezgf	141f1f22d0	Use relative paths in teiler (#320 )	2025-06-18 17:04:09 +02:00
Tobias Kussel	b4a788e010	docs: close Exporter code block in readme (#318 )	2025-06-16 14:23:59 +02:00
djuarezgf	c33fbfc8bc	fix: Create Exporter User only if Exporter is enabled (#317 )	2025-06-11 09:34:41 +02:00
Enola Knezevic	faa8abd4ee	chore: update eric.acc.root.crt.pem (#316 )	2025-06-10 16:48:22 +02:00
djuarezgf	7693289d4d	docs: add Teiler and Exporter to the main README.md (#315 ) Co-authored-by: Tobias Kussel <TKussel@users.noreply.github.com>	2025-06-10 11:03:18 +02:00
djuarezgf	d482324361	feat: add Teiler and Exporter in BBMRI (#312 ) Co-authored-by: Jan <59206115+Threated@users.noreply.github.com>	2025-06-05 16:55:03 +02:00
Martin Lablans	b7a42f3d3b	chore: externalize POSTGRES_TAG and bump postgres to 15.13 (#313 )	2025-06-04 14:22:34 +02:00
Tim Schumacher	fd013232f5	Cache public organoid dashboard SQL query (#309 )	2025-05-23 15:26:59 +02:00
DavidCroftDKFZ	eb52554892	docs: add faq (#288 )	2025-05-22 18:10:40 +02:00
DavidCroftDKFZ	08c695e960	docs: Control import from Directory, improve README (#297 )	2025-05-22 18:03:01 +02:00
DavidCroftDKFZ	1513fe1c6c	Added section relating to clearing data from Blaze (#303 )	2025-05-22 18:01:43 +02:00
djuarezgf	af08a9fb08	chore: change some teiler variables (#307 )	2025-05-20 16:24:24 +02:00
djuarezgf	b95f0efbe7	fix: add own url to teiler dashboard to make it offline compatible (#305 )	2025-05-20 09:39:14 +02:00
Torben Brenner	99567e2b40	fix: Ensure transfair can properly communicate with the fhir server for requests (#304 )	2025-05-19 17:01:37 +02:00
Jan	96ff6043a1	feat: allow transfair to talk to services behind the proxy (#296 )	2025-05-09 13:52:33 +02:00
Jan	844ce3386e	chore(transfair): update transfair config (#298 )	2025-05-09 11:30:26 +02:00
Martin Lablans	9782bf66b6	Code review: Move to /tmp/bridgehead/...	2025-05-08 09:18:02 +02:00
Tim Schumacher	87f0e8ad7f	Use temp directory for secret sync cache	2025-05-08 09:18:02 +02:00
Jan	7365be3e7b	chore(transfair): add option to disable tls verification (#295 )	2025-04-17 12:01:45 +02:00
Enola Knezevic	c5d08c50a4	chore: add BBMRI ERIC acceptance env (#294 )	2025-04-16 15:37:55 +02:00
Jan	72ecaadba8	fix: ssh-tunnel-setup.sh (#293 )	2025-04-15 11:36:20 +02:00
Jan	2ddd535794	feat: ssh tunnel (#292 ) * Added ccp module for a ssh tunnel Usage details under https://github.com/samply/ssh-tunnel * chore: update ssh-tunnel image to harbor * feat: ssh tunnel support diffrent port * chore: fix indentation * chore: move to top level modules * docs: add ssh-tunnel docs --------- Co-authored-by: Tobias Kussel <tobias.kussel@dkfz-heidelberg.de>	2025-04-14 10:45:15 +02:00
Jan	973547c322	chore(transfair): add new gw option (#291 )	2025-04-11 08:37:31 +02:00
Jan	6b649c9233	feat: expose transfair via traefik (#290 ) Note: Requires a bridgehead install to generate the basic auth user	2025-04-09 13:19:52 +02:00
Tim Schumacher	3144ee5214	Fix GitLab token syncing for BBMRI	2025-03-31 11:08:59 +02:00
janskiba	68804dc71b	feat: add transfair setup to ccp	2025-03-26 13:11:43 +01:00
janskiba	e5aebfe382	chore!: update transfair config	2025-03-26 13:11:43 +01:00