From 8f948348de34bf1ff5ea462c2f41d4b4afc779aa Mon Sep 17 00:00:00 2001
From: Bart Geesink
Date: Fri, 15 Mar 2024 14:21:00 +0100
Subject: [PATCH] Mujina-idp: Add docker deployment option
---
provision.yml | 6 +-
roles/mujina-idp/defaults/main.yml | 5 +-
roles/mujina-idp/handlers/main.yml | 6 ++
roles/mujina-idp/tasks/docker.yml | 62 +++++++++++++++++++
roles/mujina-idp/tasks/main.yml | 28 +++------
roles/mujina-idp/tasks/vm.yml | 26 ++++++++
roles/mujina-idp/templates/application.yml.j2 | 19 +++++-
.../templates/logback-docker.xml.j2 | 16 +++++
8 files changed, 142 insertions(+), 26 deletions(-)
create mode 100644 roles/mujina-idp/tasks/docker.yml
create mode 100644 roles/mujina-idp/tasks/vm.yml
create mode 100644 roles/mujina-idp/templates/logback-docker.xml.j2
diff --git a/provision.yml b/provision.yml
index b77f0294a..4d8873a08 100644
--- a/provision.yml
+++ b/provision.yml
@@ -173,8 +173,10 @@
- hosts: docker
become: true
roles:
- - { role: docker, tags: ['docker' ] }
- - { role: invite, tags: ['invite' ] }
+ - { role: docker, tags: ['docker' ] }
+ - { role: invite, tags: ['invite' ] }
+ - { role: dashboard, tags: ["dashboard"] }
+ - { role: mujina-idp, tags: ["mujina-idp"] }
- import_playbook: "{{ environment_dir }}/playbook.yml"
diff --git a/roles/mujina-idp/defaults/main.yml b/roles/mujina-idp/defaults/main.yml
index e5d2407ff..2e04745c3 100644
--- a/roles/mujina-idp/defaults/main.yml
+++ b/roles/mujina-idp/defaults/main.yml
@@ -1,7 +1,8 @@
---
mujina_idp_dir: /opt/mujina-idp
-mujina_idp_version: ''
-mujina_idp_snapshot_timestamp: ''
+mujina_idp_dir_docker: /opt/openconext/mujina-idp
+mujina_idp_version: ""
+mujina_idp_snapshot_timestamp: ""
mujina_idp_jar: mujina-idp-current.jar
mujina_manage_provision_samlidp_entity_id: "{{ mujina_idp.entity_id }}"
mujina_manage_provision_samlidp_description_en: "{{ instance_name }} Mujina IdP"
diff --git a/roles/mujina-idp/handlers/main.yml b/roles/mujina-idp/handlers/main.yml
index 6e06f52c2..c3b162a62 100644
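Review bot: The `dashboard` role is attached to the `docker` hosts in the same hunk that adds `mujina-idp`, but the commit subject only mentions Mujina-idp; if the dashboard change is intended it should be named in the commit message, otherwise it belongs in its own commit so the two roles can be reviewed and reverted independently. Nothing in the hunk shows why the existing `docker` and `invite` entries were rewritten; if only whitespace changed there, leaving them untouched would keep the diff focused on the roles actually added.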
--- a/roles/mujina-idp/handlers/main.yml
+++ b/roles/mujina-idp/handlers/main.yml
@@ -4,3 +4,9 @@
name: "{{ springapp_service_name }}"
state: restarted
daemon_reload: yes
+
+- name: restart mujina-idp-docker
+ community.docker.docker_container:
+ name: mujina_idp
+ state: started
+ restart: true
diff --git a/roles/mujina-idp/tasks/docker.yml b/roles/mujina-idp/tasks/docker.yml
new file mode 100644
index 000000000..281a2291d
--- /dev/null
+++ b/roles/mujina-idp/tasks/docker.yml
@@ -0,0 +1,62 @@
+---
+- name: Set the mujina_idp directory variable
+ ansible.builtin.set_fact:
+ mujina_idp_dir: "/"
+
+- name: Create config directory
+ ansible.builtin.file:
+ path: "{{ mujina_idp_dir_docker }}"
+ mode: "0750"
+ state: directory
+ owner: root
+
+- name: Copy config
+ ansible.builtin.template:
+ src: "{{ item }}.j2"
+ dest: "{{ mujina_idp_dir_docker }}/{{ item }}"
+ owner: root
+ group: root
+ mode: "0640"
+ with_items:
+ - application.yml
+ - logback-docker.xml
+ notify:
+ - restart mujina-idp-docker
+
+- name: Create and start the server container
+ community.docker.docker_container:
+ name: mujina_idp
+ image: ghcr.io/openconext/mujina/mujina-idp:{{ mujina_idp_version }}
+ pull: true
+ restart_policy: "always"
+ state: started
+ networks:
+ - name: "loadbalancer"
+ mounts:
+ - source: "{{ mujina_idp_dir_docker }}/application.yml"
+ target: /application.yml
+ type: bind
+ - source: "{{ mujina_idp_dir_docker }}/logback-docker.xml"
+ target: /logback.xml
+ type: bind
+ command: "-Xmx128m --spring.config.location=./"
+ labels:
+ traefik.http.routers.mujina-idp.rule: "Host(`mujina-idp.{{ base_domain }}`)"
+ traefik.http.routers.mujina-idp.tls: "true"
+ traefik.http.services.mujina-idp.loadbalancer.server.port: "8080"
+ traefik.enable: "true"
+ healthcheck:
+ test:
+ [
+ "CMD",
+ "wget",
+ "-no-verbose",
+ "--tries=1",
+ "--spider",
+ "http://localhost:8080/internal/health",
+ ]
+ interval: 10s
+ timeout: 10s
+ retries: 3
+ start_period: 10s
+ notify: restart mujina-idp-docker
diff --git a/roles/mujina-idp/tasks/main.yml b/roles/mujina-idp/tasks/main.yml
index f414b26fb..321014458 100644
--- a/roles/mujina-idp/tasks/main.yml
+++ b/roles/mujina-idp/tasks/main.yml
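Review bot: The image reference `image: ghcr.io/openconext/mujina/mujina-idp:{{ mujina_idp_version }}` depends on a variable whose role default in this same patch is `""`, so a docker host that does not override it gets a reference ending in a bare colon and the `pull: true` fails; and because the tag is mutable, `pull: true` re-deploys whatever the tag currently points to on every run with no record of what was actually running. Pin the image by digest, `image: "ghcr.io/openconext/mujina/mujina-idp@sha256:<digest>"`, or at minimum guard the variable with a preceding `ansible.builtin.assert: { that: "mujina_idp_version | length > 0" }`. The healthcheck passes `"-no-verbose"`, which is not how wget spells `--no-verbose`, so the probe may fail on option parsing rather than on `/internal/health`; use `"--no-verbose"` or `"-q"`. The templated config is written `0640 root:root` and bind-mounted into the container, so if the image runs the JVM as a non-root user (not visible here) it cannot read `/application.yml`; confirm the container UID or grant read access to a group it belongs to. The container task also notifies `restart mujina-idp-docker` itself, so every create or image change starts the container and then restarts it once more; the `notify` on the template task already covers config changes.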
@@ -1,26 +1,14 @@
---
+- name: Include docker tasks when running docker
+ ansible.builtin.include_tasks: docker.yml
+ when: "'docker' in group_names"
-- name: Copy config
- template:
- src: "{{ item }}.j2"
- dest: "{{ mujina_idp_dir }}/{{ item }}"
- owner: "{{ springapp_user }}"
- group: "{{ springapp_user }}"
- mode: 0740
- with_items:
- - logback.xml
- - application.yml
- notify:
- - restart mujina-idp
-
-- name: copy apache config
- template:
- src: mujina_idp.conf.j2
- dest: /etc/httpd/conf.d/mujina_idp.conf
- notify: reload httpd
+- name: Include docker tasks when running docker
+ ansible.builtin.include_tasks: vm.yml
+ when: "'docker' not in group_names"
- name: Include the role manage_provision_entities to provision the mujina IdP to Manage
- include_role:
+ ansible.builtin.include_role:
name: manage_provision_entities
- vars:
+ vars:
entity_type: saml20_idp
diff --git a/roles/mujina-idp/tasks/vm.yml b/roles/mujina-idp/tasks/vm.yml
new file mode 100644
index 000000000..f414b26fb
--- /dev/null
+++ b/roles/mujina-idp/tasks/vm.yml
@@ -0,0 +1,26 @@
+---
+
+- name: Copy config
+ template:
+ src: "{{ item }}.j2"
+ dest: "{{ mujina_idp_dir }}/{{ item }}"
+ owner: "{{ springapp_user }}"
+ group: "{{ springapp_user }}"
+ mode: 0740
+ with_items:
+ - logback.xml
+ - application.yml
+ notify:
+ - restart mujina-idp
+
+- name: copy apache config
+ template:
+ src: mujina_idp.conf.j2
+ dest: /etc/httpd/conf.d/mujina_idp.conf
+ notify: reload httpd
+
+- name: Include the role manage_provision_entities to provision the mujina IdP to Manage
+ include_role:
+ name: manage_provision_entities
+ vars:
+ entity_type: saml20_idp
diff --git a/roles/mujina-idp/templates/application.yml.j2 b/roles/mujina-idp/templates/application.yml.j2
index 77289f399..26d0be39a 100644
--- a/roles/mujina-idp/templates/application.yml.j2
+++ b/roles/mujina-idp/templates/application.yml.j2
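Review bot: On non-docker hosts the `manage_provision_entities` role now runs twice: `vm.yml`, added in this patch as a verbatim copy of the old `main.yml`, ends with its own `include_role: manage_provision_entities`, and `main.yml` includes it again right after the two `include_tasks`. Drop the trailing include from `vm.yml` so both deployment paths provision the IdP exactly once from `main.yml`. The two `include_tasks` tasks also share the name `Include docker tasks when running docker`; the second should read `Include VM tasks when not running docker` so play output tells them apart.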
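Review bot: `mode: 0740` on the copied `application.yml` and `logback.xml` grants the service user execute permission on plain config files, which nothing here needs; `mode: "0640"` (quoted, as `docker.yml` in the same patch does) is sufficient and avoids the unquoted-octal ambiguity. Since this file is a verbatim move of the old `main.yml`, the `template` and `include_role` calls could also take the `ansible.builtin.` prefix while they are being touched, matching the style used in `docker.yml`.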
@@ -5,14 +5,16 @@ logging:
mujina: DEBUG
server:
- # The port to where this Spring Boot application listens to. e.g. http://localhost:{{ springapp_tcpport }}
- port: {{ springapp_tcpport }}
+ # The port to where this Spring Boot application listens to. e.g. http://localhost:80
+ port: 8080
# The context path of the server. You can skip this value in the overriding application.properties on the classpath
contextPath:
session:
# 8 hours before we time-out
timeout: 28800
server-header: no
+ use-forward-headers: true
+ forward-headers-strategy: NATIVE
secure_cookie: {{ mujina_idp.cookie_secure }}
@@ -33,6 +35,19 @@ idp:
expires: 300
# Authentication method ALL for every username / password combination and USER for the configured users
auth_method: ALL
+ saml_binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
+ compare_endpoints: true
+ saml_attributes_config_file: classpath:saml-attributes.json
+ attributes:
+ [urn:mace:dir:attribute-def:uid]: "john.doe"
+ [urn:mace:dir:attribute-def:cn]: "John Doe"
+ [urn:mace:dir:attribute-def:givenName]: "John"
+ [urn:mace:dir:attribute-def:sn]: "Doe"
+ [urn:mace:dir:attribute-def:displayName]: "John Doe"
+ [urn:mace:dir:attribute-def:mail]: "j.doe@example.com"
+ [urn:mace:terena.org:attribute-def:schacHomeOrganization]: "example.com"
+ [urn:mace:dir:attribute-def:eduPersonPrincipalName]: "j.doe@example.com"
+ [urn:oasis:names:tc:SAML:attribute:subject-id]: "j.doe@example.com"
acr:
values:
diff --git a/roles/mujina-idp/templates/logback-docker.xml.j2 b/roles/mujina-idp/templates/logback-docker.xml.j2
new file mode 100644
index 000000000..1c2ddfb3b
--- /dev/null
+++ b/roles/mujina-idp/templates/logback-docker.xml.j2
@@ -0,0 +1,16 @@
+
+
+
+
+
+ %d{ISO8601} %5p [%t] %logger{40}:%L - %m%n
+
+
+
+
+
+
+
+
+
+
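Review bot: `port: 8080` replaces `port: {{ springapp_tcpport }}` in a template that is still rendered for the VM deployment (`vm.yml` copies `application.yml` too), so on VM hosts the app now listens on 8080 while the Apache vhost presumably still proxies to `springapp_tcpport` (its template is not in this patch); `port: {{ springapp_tcpport | default(8080) }}` keeps both paths working. The new comment also says `http://localhost:80` while the value is 8080. Enabling `forward-headers-strategy: NATIVE` means the app now trusts `X-Forwarded-*` from private-range peers that can reach port 8080, which is fine for the container (no published ports, only the `loadbalancer` network) but worth confirming for the VM listener, which should stay bound to localhost behind Apache. `use-forward-headers` is the older spelling of the same setting; if the Mujina build is on Spring Boot 2.2 or later it is redundant and can be dropped.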
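Review bot: The nine attribute values under `attributes:` are literals in a Jinja template, so every environment this role deploys now asserts the same `john.doe` / `example.com` identity. Since the file is already templated, a role variable such as `mujina_idp_attributes` with these values as its default would let an environment override the test identity without editing the role; the hard-coded `saml_attributes_config_file: classpath:saml-attributes.json` is fine as-is because it points inside the image.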