From f3135679afa334b290175f83a9c87fea70be6f72 Mon Sep 17 00:00:00 2001
From: Bart Geesink
Date: Wed, 10 Jul 2024 18:09:32 +0200
Subject: [PATCH] oidcng to docker

---
 provision.yml | 1 +
 roles/oidcng/defaults/main.yml | 5 +-
 roles/oidcng/tasks/main.yml | 123 +++++++++++++++-------
 roles/oidcng/templates/application.yml.j2 | 46 ++++++--
 roles/oidcng/templates/logback.xml.j2 | 51 +--------
 5 files changed, 133 insertions(+), 93 deletions(-)

diff --git a/provision.yml b/provision.yml
index e1e2d60b2..5a21697c3 100644
--- a/provision.yml
+++ b/provision.yml
@@ -182,6 +182,7 @@
 - { role: oidc-playground, tags: ["oidc-playground"] }
 - { role: myconext, tags: ["myconext"] }
 - { role: manage, tags: ["manage"] }
+ - { role: oidcng, tags: ["oidcng"] }
 - { role: stats, tags: ["stats"] }
 - { role: diyidp, tags: ["diyidp"] }
 - { role: profile, tags: ["profile"] }
diff --git a/roles/oidcng/defaults/main.yml b/roles/oidcng/defaults/main.yml
index c8441fa86..b3c2c829f 100644
--- a/roles/oidcng/defaults/main.yml
+++ b/roles/oidcng/defaults/main.yml
@@ -1,9 +1,8 @@
 ---
-oidcng_dir: /opt/oidcng
+oidcng_dir: /opt/openconext/oidcng
+oidcng_config_dir: /config
 oidcng_version: ''
 oidcng_snapshot_timestamp: ''
-oidcng_jar: oidcng-current.jar
-oidcng_random_source: 'file:///dev/urandom'
 oidcng_cronjobmaster: true
 oidcng_saml_sp_entityid: https://connect.{{ base_domain }}
 oidcng_idp_metadata_url: https://engine.{{ base_domain }}/authentication/idp/metadata
diff --git a/roles/oidcng/tasks/main.yml b/roles/oidcng/tasks/main.yml
index 597561cb3..b712ab29c 100644
--- a/roles/oidcng/tasks/main.yml
+++ b/roles/oidcng/tasks/main.yml
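Review bot: `oidcng_version: ''` is kept as the default while the new container task in roles/oidcng/tasks/main.yml builds its image reference as `ghcr.io/openconext/openconext-oidcng/oidcng:{{ oidcng_version }}`, so with the default the rendered reference ends in a bare colon and the play presumably fails at pull time rather than with a clear message about the missing variable. Since every inventory has to set it, document that here, `oidcng_version: ''  # required: image tag of ghcr.io/openconext/openconext-oidcng/oidcng, set per inventory`, or fail fast with an `ansible.builtin.assert` on the variable before the container task. `oidcng_config_dir: /config` is introduced here, but the container task still hard-codes `/config/` as the mount target and `./config/` in the command, so the new variable only covers the application.yml.j2 side; using it in the task too keeps the two in step.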
@@ -1,84 +1,135 @@ --- +- name: Create config dir + ansible.builtin.file: + path: "{{ oidcng_dir }}" + state: directory + owner: root + group: root + mode: "0750" -- name: copy config - template: +- name: Copy config + ansible.builtin.template: src: "{{ item }}.j2" dest: "{{ oidcng_dir }}/{{ item }}" owner: root - group: oidcng - mode: 0740 + group: root + mode: "0640" with_items: - logback.xml - application.yml notify: - "restart oidcng" -- name: copy oidcng secret keyset configuration - template: +- name: Copy oidcng secret keyset configuration + ansible.builtin.template: src: "secret_keyset.json.j2" dest: "{{ oidcng_dir }}/secret_keyset.json" + owner: root + group: root + mode: "0640" notify: - "restart oidcng" -- name: copy oidcng well-known discovery configuration - template: +- name: Copy oidcng well-known discovery configuration + ansible.builtin.template: src: "openid-configuration.json.j2" dest: "{{ oidcng_dir }}/openid-configuration.json" + owner: root + group: root + mode: "0640" notify: - "restart oidcng" -- name: copy oidc saml mapping - copy: +- name: Copy oidc saml mapping + ansible.builtin.copy: src: oidc_saml_mapping.json dest: "{{ oidcng_dir }}" owner: "root" - group: "oidcng" - mode: 0740 + group: "root" + mode: "0640" notify: - "restart oidcng" -- name: copy / create private key - copy: +- name: Copy / create SAML private key + ansible.builtin.copy: content: "{{ oidcng_private_key }}" dest: "{{ oidcng_dir }}/oidcsaml.key" owner: "root" - group: "oidcng" - mode: 0740 + group: "root" + mode: "0640" notify: - "restart oidcng" -- name: copy / create certificate - copy: +- name: Copy / create SAML certificate + ansible.builtin.copy: src: "{{ inventory_dir }}/files/certs/oidc/oidcsaml.crt" dest: "{{ oidcng_dir }}/oidcsaml.crt" owner: "root" - group: "oidcng" - mode: 0740 + group: "root" + mode: "0640" notify: - "restart oidcng" -- name: copy / create metatdata signing certificate - copy: +- name: Copy engineblock signing certificate + 
ansible.builtin.copy: src: "{{ inventory_dir }}/files/certs/oidcng/SURFconext-metadata-signer.pem" dest: "{{ oidcng_dir }}/SURFconext-metadata-signer.pem" owner: "root" - group: "oidcng" - mode: 0740 + group: "root" + mode: "0640" notify: - "restart oidcng" -- name: copy apache config - template: - src: "oidcng.conf.j2" - dest: "/etc/httpd/conf.d/oidcng.conf" - notify: - - "reload httpd" +- name: Create and start the server container + community.docker.docker_container: + name: oidcngserver + image: ghcr.io/openconext/openconext-oidcng/oidcng:{{ oidcng_version }} + entrypoint: /__cacert_entrypoint.sh + pull: true + restart_policy: "always" + state: started + networks: + - name: "loadbalancer" + mounts: + - source: "{{ oidcng_dir }}" + target: /config/ + type: bind + - source: /opt/openconext/manage/mongoca.pem + target: /certificates/mongoca.crt + type: bind + command: "java -jar /app.jar -Xmx512m --spring.config.location=./config/" + etc_hosts: + host.docker.internal: host-gateway + env: + USE_SYSTEM_CA_CERTS: "true" + hostname: manage + healthcheck: + test: + [ + "CMD", + "wget", + "-no-verbose", + "--tries=1", + "--spider", + "http://localhost:8080/internal/health", + ] + interval: 10s + timeout: 10s + retries: 3 + start_period: 10s + labels: + traefik.enable: "true" + traefik.http.services.oidcng.loadbalancer.server.port: "8080" + traefik.http.routers.oidcng.rule: "Host(`connect.{{ base_domain }}`)" + traefik.http.routers.oidcng.tls: "true" + traefik.http.routers.oidcng.middlewares: oidcngmw@docker + traefik.http.middlewares.oidcngmw.replacepathregex.regex: "^/.well-known/openid-configuration" + traefik.http.middlewares.oidcngmw.replacepathregex.replacement: "/oidc/.well-known/openid-configuration" -- meta: flush_handlers -- name: Include the role manage_provision_entities to provision oidncg to Manage - include_role: - name: manage_provision_entities - vars: - entity_type: saml20_sp +#- name: Include the role manage_provision_entities to provision oidncg to 
Manage
+# ansible.builtin.include_role:
+# name: manage_provision_entities
+# vars:
+# entity_type: saml20_sp
diff --git a/roles/oidcng/templates/application.yml.j2 b/roles/oidcng/templates/application.yml.j2
index 56276bd6f..e64c18209 100644
--- a/roles/oidcng/templates/application.yml.j2
+++ b/roles/oidcng/templates/application.yml.j2
@@ -1,6 +1,6 @@
 # The logging configuration.
 logging:
- config: file://{{ oidcng_dir }}/logback.xml
+ config: file://{{ oidcng_config_dir }}/logback.xml
 level:
 org.springframework: WARN
 oidc: WARN
@@ -14,10 +14,15 @@ cron:
 key-rollover-expression: {{ oidcng.key_rollover_cron_expression }}
 consent-expiry-duration-days: 90
+keys-cache:
+ # The max-age cache control for signing keys in seconds
+ cache-duration-seconds: 3600
+ # The time in seconds where new signing keys are published, but not used
+ idle-time-seconds: 7200
 server:
 # The port to where this Spring Boot application listens to.
- port: {{ springapp_tcpport }}
+ port: 8080
 error:
 path: "/error"
 server-header: 
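Review bot: In the `Create and start the server container` task, `command: "java -jar /app.jar -Xmx512m --spring.config.location=./config/"` places `-Xmx512m` after `-jar /app.jar`, where the JVM hands it to the application as a program argument instead of applying it as the heap limit; the order should be `command: "java -Xmx512m -jar /app.jar --spring.config.location=/config/"`, with the absolute mount target because the image's working directory is not visible here. The same task sets `hostname: manage`, which looks carried over from the manage role and should be `hostname: oidcng`, and the healthcheck passes `"-no-verbose"` with a single dash where wget expects `"--no-verbose"` (or `-nv`), so the check may fail on option parsing rather than on the endpoint. The config files are now written `root:root` with `mode: "0640"` under a `"0750"` directory, which only works if the process inside the container runs as root; if the image runs the service as an unprivileged user, the mounted `secret_keyset.json` and `oidcsaml.key` become unreadable, so confirm the image's user and set group/mode to match. The removed apache task leaves `oidcng.conf.j2` and the `reload httpd` handler behind if they still exist in the role (the diffstat lists no deletion), and `target: /config/` plus `./config/` could use the `oidcng_config_dir` default that application.yml.j2 already relies on. The enclosing task list starts before this hunk.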
@@ -34,13 +39,13 @@ server:
 max-swallow-size: 10000000
 mongodb_db: {{ oidcng.mongo_database }}
-oidc_saml_mapping_path: file://{{ oidcng_dir }}/oidc_saml_mapping.json
-openid_configuration_path: file://{{ oidcng_dir }}/openid-configuration.json
-secret_key_set_path: file://{{ oidcng_dir }}/secret_keyset.json
+oidc_saml_mapping_path: file://{{ oidcng_config_dir }}/oidc_saml_mapping.json
+openid_configuration_path: file://{{ oidcng_config_dir }}/openid-configuration.json
+secret_key_set_path: file://{{ oidcng_config_dir }}/secret_keyset.json
 associated_data: {{ oidcng_associated_data }}
 access_token_one_way_hash_salt: {{ oidcng_access_token_one_way_hash_salt }}
-private_key_path: file://{{ oidcng_dir }}/oidcsaml.key
-certificate_path: file://{{ oidcng_dir }}/oidcsaml.crt
+private_key_path: file://{{ oidcng_config_dir }}/oidcsaml.key
+certificate_path: file://{{ oidcng_config_dir }}/oidcsaml.crt
 default_acr_value: {{ oidcng.default_acr_value }}
 secure_cookie: true
 oidc_token_endpoint: https://connect.{{ base_domain }}/oidc/token
@@ -62,7 +67,7 @@ sp:
 idp:
 entity_id: https://engine.{{ base_domain }}/authentication/idp/metadata
 sso_location: {{ oidcng_idp_sso_location }}
- saml_assertion_signing_key: file://{{ oidcng_dir }}/SURFconext-metadata-signer.pem
+ saml_assertion_signing_key: file://{{ oidcng_config_dir }}/SURFconext-metadata-signer.pem
 spring:
 data:
@@ -89,3 +94,28 @@ eduid:
 password: "{{ myconext_api_attribute_manipulation_password }}"
 uri: "https://login.{{ myconext_base_domain }}/myconext/api/attribute-manipulation"
 enabled: {{ oidcng.eduid_attribute_manipulation_enabled }}
+
+
+management:
+ health:
+ mail:
+ enabled: false
+ endpoints:
+ web:
+ exposure:
+ include: "health,info,mappings"
+ base-path: "/internal"
+ endpoint:
+ info:
+ enabled: true
+ mappings:
+ enabled: true
+ info:
+ git:
+ mode: full
+
+# used by the git plugin
+info:
+ build:
+ artifact: "@project.artifactId@"
+ version: "@project.version@"
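Review bot: The new `management` block exposes `health,info,mappings` under `base-path: "/internal"` and sets `info.git.mode: full`, while the Traefik router added for this container in roles/oidcng/tasks/main.yml matches only on the `connect.{{ base_domain }}` host with no path restriction and the apache front-end config is dropped in the same commit, so unless the application itself restricts `/internal/**`, the full request-mapping listing at `/internal/mappings` and the git details in `/internal/info` become reachable from the public hostname. The container health check only needs `/internal/health`, so `include: "health"` is the safer default here, with `info` and `mappings` enabled only where an inventory needs them, or the `/internal` prefix blocked at the Traefik router. Whether Spring Security in oidcng already protects these paths is not visible in this diff; confirm that before relying on it.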
diff --git a/roles/oidcng/templates/logback.xml.j2 b/roles/oidcng/templates/logback.xml.j2 index 767ba7aa3..c1061bac8 100644 --- a/roles/oidcng/templates/logback.xml.j2 +++ b/roles/oidcng/templates/logback.xml.j2 @@ -2,38 +2,12 @@ - - /var/log/oidcng/oidcng.log - - - /var/log/oidcng/oidcng-%d{yyyy-MM-dd}.log.gz - {{ logback_max_history }} - - + + %d{ISO8601} %5p [%t] %logger{40}:%L - %m%n - - {{ rsyslog_host }} - DAEMON - oidcng: [%thread] %logger %msg - - - - {{ ansible_fqdn }} - 514 - {"app":"oidcng"} - - [ignore] - [ignore] - [ignore] - - - oidcngjson: - - - {{ smtp_server }} {{ noreply_email }} @@ -41,30 +15,15 @@ {{ error_subject_prefix }}Unexpected error oidcng - - com.nimbusds.oauth2.sdk.ParseException - org.springframework.security.authentication.BadCredentialsException - oidc.exceptions.UnauthorizedException - oidc.exceptions.RedirectMismatchException - org.springframework.dao.EmptyResultDataAccessException - java.lang.IllegalArgumentException + ERROR - - + -{%if oidcng_logback_file |bool %} - -{%endif%} -{%if oidcng_logback_email |bool %} + -{%endif%} - -{%if oidcng_logback_json |bool %} - -{%endif%}
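Review bot: The removed lines carrying `/var/log/oidcng/oidcng.log`, `{{ rsyslog_host }}` and the `{"app":"oidcng"}` JSON appender drop every log destination other than the console and mail appenders, and the new `community.docker.docker_container` task in roles/oidcng/tasks/main.yml sets no `log_driver` or `log_options`, so retention and forwarding of oidcng logs now depend on the Docker daemon default rather than on anything this role controls. If the syslog/JSON stream fed central logging or audit review, that feed ends with this commit; either set the container's logging driver in the task or keep a syslog appender pointed at `{{ rsyslog_host }}`. The XML markup of this hunk did not survive extraction, so the exact appender structure is inferred from the surviving text.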
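Review bot: Replacing the per-class exclusion list on the mail appender (`com.nimbusds.oauth2.sdk.ParseException`, `org.springframework.security.authentication.BadCredentialsException`, `oidc.exceptions.UnauthorizedException`, `oidc.exceptions.RedirectMismatchException` and the others removed here) with a plain `ERROR` threshold means the expected client-side failures those classes represented will presumably each produce an `{{ error_subject_prefix }}Unexpected error oidcng` mail, which is noisy and lets ordinary bad requests drive alert volume. If level-based filtering is the intent, keep the class exclusions alongside the threshold, or document why they are no longer needed. The markup of this hunk was stripped in extraction, so the exact filter element is inferred.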