From 4ffdc127bc6612bbe7fcf17807db84d51ec0eaa0 Mon Sep 17 00:00:00 2001
From: Okke Harsta
Date: Wed, 29 Nov 2023 14:18:47 +0100
Subject: [PATCH] WIP for private / public inviter keys for encryption / decryption
---
 roles/invite/tasks/main.yml | 24 +++++++++++++++++++
 .../invite/templates/serverapplication.yml.j2 | 3 +++
 roles/manage-server/tasks/main.yml | 13 +++++++++-
 .../templates/application.yml.j2 | 4 ++++
 4 files changed, 43 insertions(+), 1 deletion(-)
diff --git a/roles/invite/tasks/main.yml b/roles/invite/tasks/main.yml
index 7392f292b..7122bec67 100644
--- a/roles/invite/tasks/main.yml
+++ b/roles/invite/tasks/main.yml
@@ -18,6 +18,24 @@
 - serverapplication.yml
 notify: restart inviteserver
+- name: Copy / create private key
+ copy:
+ content: "{{ invite_private_key_pkcs8 }}"
+ dest: /opt/openconext/invite/private_key_pkcs8.pem
+ owner: "root"
+ group: root
+ mode: 0740
+ notify: restart inviteserver
+
+- name: copy / create certificate
+ copy:
+ src: "{{ inventory_dir }}/files/certs/invite/public_key.pem"
+ dest: /opt/openconext/invite/public_key.pem
+ owner: "root"
+ group: root
+ mode: 0740
+ notify: restart inviteserver
+
 - name: Place the mockapplication configfiles
 ansible.builtin.template:
 src: "{{ item }}.j2"
@@ -43,6 +61,12 @@
 - source: /opt/openconext/invite/serverapplication.yml
 target: /application.yml
 type: bind
+ - source: /opt/openconext/invite/private_key_pkcs8.pem
+ target: /private_key_pkcs8.pem
+ type: bind
+ - source: /opt/openconext/invite/public_key.pem
+ target: /public_key.pem
+ type: bind
 command: '--spring.config.location=./'
 etc_hosts:
 host.docker.internal: host-gateway
diff --git a/roles/invite/templates/serverapplication.yml.j2 b/roles/invite/templates/serverapplication.yml.j2
index 3bc081840..9c307a5ac 100644
--- a/roles/invite/templates/serverapplication.yml.j2
+++ b/roles/invite/templates/serverapplication.yml.j2
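Review bot: The private key installed by `Copy / create private key` gets `mode: 0740`, which grants the execute bit and group read to a secret that needs neither; a PKCS#8 private key should be owner-readable only, e.g. `mode: "0600"` (quoted, as the manage-server task in this commit already does, so the leading zero is never reinterpreted by the YAML loader). The same task renders the key from `invite_private_key_pkcs8` via `content:`, so a verbose or `--diff` run prints the key material into the Ansible output; add `no_log: true` to that task. The `copy / create certificate` task also sets `mode: 0740` on a public key that is not executable, and its name says certificate while the file is `public_key.pem`.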
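Review bot: The two new bind mounts of `/opt/openconext/invite/private_key_pkcs8.pem` and `public_key.pem` are writable by default, so a process in the container can alter or truncate the host's key material; if this list is the `mounts` option of community.docker's docker_container module (the enclosing task starts above the hunk), add `read_only: true` to both new entries. Mounting keys read-only costs nothing here because the application only loads them at startup, as far as this commit shows.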
@@ -62,6 +62,9 @@
 spring:
 mail:
 host: {{ smtp_host }}
+crypto:
+ development-mode: False
+ private-key-location: classpath:private_key_pkcs8.pem
 cron:
 node-cron-job-responsible: true
diff --git a/roles/manage-server/tasks/main.yml b/roles/manage-server/tasks/main.yml
index 649962166..5c595065a 100644
--- a/roles/manage-server/tasks/main.yml
+++ b/roles/manage-server/tasks/main.yml
@@ -58,7 +58,7 @@
 owner: manage
 group: manage
 mode: "0640"
- with_items:
+ with_items:
 - "{{ manage_tabs_enabled }}"
 notify:
 - "restart manage"
@@ -75,6 +75,17 @@
 notify:
 - "restart manage"
+- name: copy / create certificate
+ copy:
+ src: "{{ inventory_dir }}/files/certs/invite/public_key.pem"
+ dest: "{{ manage_dir }}/public_invite_key.pem"
+ owner: "root"
+ group: root
+ mode: "0740"
+ notify:
+ - "restart manage"
+
+
 - meta: flush_handlers
 - name: Include the role manage_provision_entities to provision the Manage sp to Manage
diff --git a/roles/manage-server/templates/application.yml.j2 b/roles/manage-server/templates/application.yml.j2
index 80740d2a4..c5b93d93b 100644
--- a/roles/manage-server/templates/application.yml.j2
+++ b/roles/manage-server/templates/application.yml.j2
@@ -57,6 +57,10 @@
 security:
 backdoor_password: {{ manage_backdoor_api_password }}
 api_users_config_path: file://{{ manage_dir }}/manage-api-users.yml
+crypto:
+ development-mode: False
+ public-key-location: file://{{ manage_dir }}/public_invite_key.pem
+
 spring:
 mail:
 host: localhost
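Review bot: `private-key-location: classpath:private_key_pkcs8.pem` tells Spring to load the key from the classpath, but the invite role in this same commit bind-mounts the file at `/private_key_pkcs8.pem` inside the container, and nothing shown puts `/` on the classpath, so the lookup would fail at startup. Given `--spring.config.location=./` in the container command and the `file://` form the manage template in this commit already uses, `private-key-location: file:/private_key_pkcs8.pem` looks like the intended value — confirm against how the invite application resolves this resource. `development-mode: False` relies on YAML 1.1 capitalised booleans; write `development-mode: false` here and in the `crypto:` block added to roles/manage-server/templates/application.yml.j2.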
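Review bot: The public key is installed as `owner: "root"`, `group: root`, `mode: "0740"`, which gives no read permission to the `manage` user that the neighbouring task installs its files for (`owner: manage`, `group: manage`, `mode: "0640"`); if the Manage service runs as that user, `public_invite_key.pem` is unreadable and the `public-key-location` configured in this commit cannot be loaded. A public key needs no secrecy, so matching the preceding task — `owner: manage`, `group: manage`, `mode: "0640"` — and dropping the execute bit is the safer choice. The task name says certificate while the file is a public key, and the two blank lines before `- meta: flush_handlers` are one more than the file uses between tasks elsewhere in the hunk.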
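Review bot: The new `crypto:` block is undocumented, and `development-mode` is the kind of switch a later reader may flip for a local test and forget; since this is the deployed template, a short comment above the block stating the contract would help, e.g. `# development-mode must remain false in deployed environments; the public key below verifies material produced by the invite server`. I am inferring the purpose of the flag from its name and placement, so adjust the wording to what the Manage crypto component actually does in development mode.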