From d8e374a30fae74d20c8fb8c86e52e2cba1a80fc9 Mon Sep 17 00:00:00 2001
From: Dan
Date: Thu, 30 Nov 2023 15:30:31 +0200
Subject: [PATCH 01/10] Adding the files and jobs requires to build the production Docker image
---
.github/workflows/build-push-docker-image.yml | 47 +++++++++++++++++++
.github/workflows/tag-release.yml | 9 ++++
docker/Dockerfile.prod | 13 +++++
3 files changed, 69 insertions(+)
create mode 100644 .github/workflows/build-push-docker-image.yml
create mode 100644 docker/Dockerfile.prod
diff --git a/.github/workflows/build-push-docker-image.yml b/.github/workflows/build-push-docker-image.yml
new file mode 100644
index 000000000..c31b8a0a6
--- /dev/null
+++ b/.github/workflows/build-push-docker-image.yml
@@ -0,0 +1,47 @@
+name: build-push-docker-image
+
+on:
+ push:
+ branches: feature/docker_configs
+ workflow_dispatch:
+
+jobs:
+ build-push-docker-image:
+ runs-on: ubuntu-latest
+ permissions:
+ packages: write
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Get the latest release
+ id: release
+ uses: robinraju/release-downloader@v1.7
+ with:
+ latest: true
+ fileName: "*.tar.bz2"
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v2
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v2
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v2
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Build and push the Production image
+ uses: docker/build-push-action@v4
+ with:
+ context: .
+ file: docker/Dockerfile.prod
+ platforms: linux/amd64
+ push: true
+ tags: |
+ ghcr.io/openconext/openconext-engineblock/openconext-engineblock:prod
+ ghcr.io/openconext/openconext-engineblock/openconext-engineblock:${{ github.sha }}
+ ghcr.io/openconext/openconext-engineblock/openconext-engineblock:${{ steps.release.outputs.tag_name }}
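Review bot: The image tagged `:prod` is built from whatever release `robinraju/release-downloader` reports as latest (`latest: true`), not from the commit that was checked out, yet it is also tagged with `${{ github.sha }}`, so the SHA tag does not identify the image's contents; and because the trigger is a push to `feature/docker_configs`, every push to that branch overwrites the mutable `prod` tag. Consider tagging only with `${{ steps.release.outputs.tag_name }}` (already used in the hunk) and dropping the `github.sha` tag, or downloading the tarball that matches the ref being built. All actions are referenced by floating major tags (`actions/checkout@v3`, `docker/login-action@v2`, `docker/build-push-action@v4`); pinning each to a full commit SHA with a version comment is the usual mitigation against a compromised action tag, which matters here because the job holds a `packages: write` token.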
diff --git a/.github/workflows/tag-release.yml b/.github/workflows/tag-release.yml index e363dbf1c..3ab675128 100644 --- a/.github/workflows/tag-release.yml +++ b/.github/workflows/tag-release.yml @@ -55,3 +55,12 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: release_id: ${{ steps.create_release.outputs.id }} + + after_build: + needs: build + runs-on: ubuntu-latest + steps: + - name: Trigger Docker container build + uses: benc-uk/workflow-dispatch@v1 + with: + workflow: build-push-docker-image.yml diff --git a/docker/Dockerfile.prod b/docker/Dockerfile.prod new file mode 100644 index 000000000..677dde360 --- /dev/null +++ b/docker/Dockerfile.prod @@ -0,0 +1,13 @@ +FROM ghcr.io/openconext/openconext-basecontainers/php72-apache2:latest AS php-build +COPY *.tar.bz2 /tmp/ +RUN tar -xvjf /tmp/*.tar.bz2 -C /var/www/html/ && \ + rm -rf /tmp/*.tar.bz2 + +# Add the config files for Apache2 +RUN rm -rf /etc/apache2/sites-enabled/* +COPY ./docker/php-fpm/apache2.conf /etc/apache2/sites-enabled/apache2.conf + +# Set the default workdir +WORKDIR /var/www/html +EXPOSE 80 +CMD ["apache2-foreground"] From c38c467d020316bf5ffd13f2286a723dc90647fa Mon Sep 17 00:00:00 2001 From: Dan Date: Tue, 5 Dec 2023 17:27:27 +0200 Subject: [PATCH 02/10] Move from CMD to entrypoint --- docker/Dockerfile.prod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/Dockerfile.prod b/docker/Dockerfile.prod index 677dde360..997652f18 100644 --- a/docker/Dockerfile.prod +++ b/docker/Dockerfile.prod @@ -10,4 +10,4 @@ COPY ./docker/php-fpm/apache2.conf /etc/apache2/sites-enabled/apache2.conf # Set the default workdir WORKDIR /var/www/html EXPOSE 80 -CMD ["apache2-foreground"] +ENTRYPOINT ["apache2-foreground"] From cc54bbbf3fda78fbfa23374de60556bd9de35aa5 Mon Sep 17 00:00:00 2001 From: Dan Date: Wed, 6 Dec 2023 18:27:26 +0200 Subject: [PATCH 03/10] Moving back to CMD --- docker/Dockerfile.prod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
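Review bot: `after_build` depends only on `build`, but the job that publishes the release (the one holding `release_id: ${{ steps.create_release.outputs.id }}` just above) looks like a separate job; if it is, the dispatched `build-push-docker-image.yml` — which downloads the *latest* published release — can run before the new release is published and package the previous one, so that job should be added to `needs:` (or the tag passed explicitly). The new job also sets no `permissions:` block, so the dispatch relies on the repository's default `GITHUB_TOKEN` scopes; an explicit `permissions:` with `actions: write` and nothing else documents the intent and survives a tightened default. The enclosing `jobs:` mapping starts outside the hunk.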
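Review bot: `FROM ghcr.io/openconext/openconext-basecontainers/php72-apache2:latest` makes every build depend on a moving base tag, so two builds of the same release can differ and a regressed or compromised base image is pulled silently; pin to a version tag or, better, an `@sha256:` digest and bump it deliberately. `COPY *.tar.bz2 /tmp/` also fails the build when no tarball is present and extracts every tarball when several are, which the workflow's `fileName: "*.tar.bz2"` download allows; naming the archive explicitly would make the layer deterministic. A one-line comment above the `COPY` stating that the tarball is the release artifact downloaded by the workflow, not a build output, would explain why the source tree itself is never copied.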
diff --git a/docker/Dockerfile.prod b/docker/Dockerfile.prod index 997652f18..677dde360 100644 --- a/docker/Dockerfile.prod +++ b/docker/Dockerfile.prod @@ -10,4 +10,4 @@ COPY ./docker/php-fpm/apache2.conf /etc/apache2/sites-enabled/apache2.conf # Set the default workdir WORKDIR /var/www/html EXPOSE 80 -ENTRYPOINT ["apache2-foreground"] +CMD ["apache2-foreground"] From 33d4f9ead20ed166d905ca91d6c1f719684708b0 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Tue, 30 Jan 2024 13:30:09 +0100 Subject: [PATCH 04/10] Make engineblock work in a devconf setup --- .dockerignore | 2 +- docker/conf/engine.conf | 32 ++++++++++++++++++++++++++++++++ 2 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 docker/conf/engine.conf diff --git a/.dockerignore b/.dockerignore index 81f12c596..b3b2d4d92 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,4 +1,4 @@ -* + !ci !config !data diff --git a/docker/conf/engine.conf b/docker/conf/engine.conf new file mode 100644 index 000000000..43336b5e8 --- /dev/null +++ b/docker/conf/engine.conf @@ -0,0 +1,32 @@ +DocumentRoot /var/www/html/web +ServerName engine +SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1 + + + Require all granted + Options -MultiViews + RewriteEngine On + RewriteBase / + RewriteCond %{REQUEST_FILENAME} !-f + RewriteRule ^(.*)$ app.php [QSA,L] + + +Header always set X-Content-Type-Options "nosniff" + +SetEnv HTTPS on + +RewriteEngine On +# We support only GET/POST +RewriteCond %{REQUEST_METHOD} !^(POST|GET)$ +RewriteRule .* - [R=405,L] + +# Set the php application handler so mod_php interpets the files + + SetHandler application/x-httpd-php + + +ExpiresActive on +ExpiresByType font/* "access plus 1 year" +ExpiresByType image/* "access plus 6 months" +ExpiresByType text/css "access plus 1 year" +ExpiresByType text/js "access plus 1 year" From 787d99d667c62dc8dc9ff105f4e75267edacab9d Mon Sep 17 00:00:00 2001 
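Review bot: Replacing the leading `*` with a blank line switches the exclusion list off entirely: `!ci`, `!config` and `!data` only re-include paths that an earlier pattern excluded, so with no `*` the whole working tree — `.git`, a developer's local `app/config/parameters.yml`, any `.env` or key material kept in the checkout — is sent to the Docker daemon as build context and becomes copyable into the image. If the intent was to let `docker/` and the release tarball through, keep `*` and add the specific negations instead, e.g. `!docker` and `!*.tar.gz`. The hunk appears to show the whole file, so no other exclusion survives this change.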
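Review bot: `ExpiresByType text/js "access plus 1 year"` will not match anything, because JavaScript is served as `application/javascript` (or `text/javascript`), not `text/js`; if long caching for scripts is intended the type must be one Apache actually emits. The method filter `RewriteCond %{REQUEST_METHOD} !^(POST|GET)$` → 405 also rejects `HEAD`, which load balancers and uptime probes commonly use; allowing `HEAD` alongside `GET` is usually harmless, or the comment should say probes must use `GET`. `SetEnv HTTPS on` hard-codes that TLS is terminated upstream, so anything reaching port 80 directly is treated as HTTPS; a comment such as `# TLS is terminated by the reverse proxy in front of this container; never expose port 80 directly` would make the assumption visible. The `<Directory>`/`<FilesMatch>` container tags appear to have been stripped by the rendering of this page (the bare `+` lines), so their scope could not be reviewed.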
From: Bart Geesink Date: Tue, 30 Jan 2024 13:46:22 +0100 Subject: [PATCH 05/10] Add logging in Docker to log to stdout --- docker/Dockerfile.prod | 14 +++++++++----- docker/conf/logging.yml | 22 ++++++++++++++++++++++ 2 files changed, 31 insertions(+), 5 deletions(-) create mode 100644 docker/conf/logging.yml diff --git a/docker/Dockerfile.prod b/docker/Dockerfile.prod index 677dde360..2e7bdb192 100644 --- a/docker/Dockerfile.prod +++ b/docker/Dockerfile.prod @@ -1,11 +1,15 @@ -FROM ghcr.io/openconext/openconext-basecontainers/php72-apache2:latest AS php-build -COPY *.tar.bz2 /tmp/ -RUN tar -xvjf /tmp/*.tar.bz2 -C /var/www/html/ && \ - rm -rf /tmp/*.tar.bz2 +FROM ghcr.io/openconext/openconext-basecontainers/php72-apache2:latest +COPY ./*tar.gz /tmp/ +RUN tar --strip-components=1 -xvzf /tmp/*tar.gz -C /var/www/html/ && \ + rm -rf /tmp/*.tar.gz # Add the config files for Apache2 RUN rm -rf /etc/apache2/sites-enabled/* -COPY ./docker/php-fpm/apache2.conf /etc/apache2/sites-enabled/apache2.conf +COPY ./docker/conf/engine.conf /etc/apache2/sites-enabled/engine.conf +COPY ./docker/conf/logging.yml /var/www/html/app/config/ +RUN mkdir /var/www/html/app/cache && \ + chmod -R 777 /var/www/html/app/cache/ && \ + chmod 777 /var/www/html/app/logs/ # Set the default workdir WORKDIR /var/www/html diff --git a/docker/conf/logging.yml b/docker/conf/logging.yml new file mode 100644 index 000000000..87bb4c4b2 --- /dev/null +++ b/docker/conf/logging.yml 
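Review bot: `chmod -R 777 /var/www/html/app/cache/` and `chmod 777 /var/www/html/app/logs/` make the cache and log directories world-writable for every user in the container, which lets any process — not only Apache — plant files the application later includes from its cache or tamper with logs; give the directories to the user Apache runs as instead, e.g. `chown -R www-data:www-data /var/www/html/app/cache /var/www/html/app/logs` (confirm the base image's Apache user). The copy pattern `COPY ./*tar.gz /tmp/` also disagrees with the cleanup `rm -rf /tmp/*.tar.gz`, so an archive named without the dot would be extracted but left behind in the layer; use the same pattern in both. The base image is still referenced as `:latest`, as in the first patch of this series.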
@@ -0,0 +1,22 @@
+monolog:
+ channels: ["%logger.channel%", "authentication"]
+ handlers:
+ main:
+ type: fingers_crossed
+ activation_strategy: engineblock.logger.manual_or_error_activation_strategy
+ passthru_level: "%logger.fingers_crossed.passthru_level%"
+ handler: stderr
+ channels: ["!authentication"]
+ stderr:
+ type: stream
+ path: php://stderr
+ ident: "%logger.syslog.ident%"
+ formatter: engineblock.logger.additional_info_formatter
+ authentication:
+ type: stream
+ path: php://stderr
+ ident: EBAUTH
+ facility: user
+ level: INFO
+ channels: [authentication]
+ formatter: engineblock.logger.formatter.syslog_json
From c77b89f115a77ee73e4a70eced376402b48008d6 Mon Sep 17 00:00:00 2001
From: Bart Geesink
Date: Tue, 30 Jan 2024 19:59:04 +0100
Subject: [PATCH 06/10] GHA Docker: Add labels and tags
---
.github/workflows/build-push-docker-image.yml | 96 +++++++++++--------
1 file changed, 54 insertions(+), 42 deletions(-)
diff --git a/.github/workflows/build-push-docker-image.yml b/.github/workflows/build-push-docker-image.yml
index c31b8a0a6..a42d2895b 100644
--- a/.github/workflows/build-push-docker-image.yml
+++ b/.github/workflows/build-push-docker-image.yml
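Review bot: `ident` and `facility` under the `stderr` and `authentication` handlers are syslog-handler options; with `type: stream` MonologBundle does not hand them to the handler, so `%logger.syslog.ident%`, `EBAUTH` and `facility: user` presumably never reach the output (confirm against the bundle version in use). If the identifier is needed to tell the two streams apart in stdout-based log collection, carry it in the formatter (`engineblock.logger.additional_info_formatter`) or through a distinct channel name instead. A short comment above `handlers:` saying that both channels deliberately write to `php://stderr` for container log collection would save the next reader from looking for a syslog setup.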
@@ -1,47 +1,59 @@ name: build-push-docker-image on: - push: - branches: feature/docker_configs - workflow_dispatch: + push: + branches: feature/docker_configs + workflow_dispatch: jobs: - build-push-docker-image: - runs-on: ubuntu-latest - permissions: - packages: write - steps: - - name: Checkout - uses: actions/checkout@v3 - - - name: Get the latest release - id: release - uses: robinraju/release-downloader@v1.7 - with: - latest: true - fileName: "*.tar.bz2" - - - name: Set up QEMU - uses: docker/setup-qemu-action@v2 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 - - - name: Login to GitHub Container Registry - uses: docker/login-action@v2 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build and push the Production image - uses: docker/build-push-action@v4 - with: - context: . - file: docker/Dockerfile.prod - platforms: linux/amd64 - push: true - tags: | - ghcr.io/openconext/openconext-engineblock/openconext-engineblock:prod - ghcr.io/openconext/openconext-engineblock/openconext-engineblock:${{ github.sha }} - ghcr.io/openconext/openconext-engineblock/openconext-engineblock:${{ steps.release.outputs.tag_name }} + build-push-docker-image: + runs-on: ubuntu-latest + permissions: + packages: write + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Get the latest release + id: release + uses: robinraju/release-downloader@v1.9 + with: + latest: true + fileName: "*.tar.gz" + + - name: Set up QEMU + uses: docker/setup-qemu-action@v2 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Set docker metadata for the container + id: meta + uses: docker/metadata-action@v5 + with: + images: | + ghcr.io/openconext/openconext-engineblock/engineblock 
+ tags: | + type=ref,event=tag + type=ref,event=branch + type=ref,event=pr + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=semver,pattern={{major}} + + - name: Build and push the Production image + uses: docker/build-push-action@v5 + with: + context: . + file: docker/Dockerfile.prod + platforms: linux/amd64 + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} From 113c5eb9f4e4c2c5f9cee38635d879d95a245d69 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Tue, 20 Feb 2024 15:59:49 +0100 Subject: [PATCH 07/10] Docker: minor path fixes --- docker/Dockerfile.prod | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/docker/Dockerfile.prod b/docker/Dockerfile.prod index 2e7bdb192..a01f7f4f4 100644 --- a/docker/Dockerfile.prod +++ b/docker/Dockerfile.prod @@ -6,10 +6,7 @@ RUN tar --strip-components=1 -xvzf /tmp/*tar.gz -C /var/www/html/ && \ # Add the config files for Apache2 RUN rm -rf /etc/apache2/sites-enabled/* COPY ./docker/conf/engine.conf /etc/apache2/sites-enabled/engine.conf -COPY ./docker/conf/logging.yml /var/www/html/app/config/ -RUN mkdir /var/www/html/app/cache && \ - chmod -R 777 /var/www/html/app/cache/ && \ - chmod 777 /var/www/html/app/logs/ +COPY ./docker/conf/logging.yml /var/www/html/config/packages/ # Set the default workdir WORKDIR /var/www/html From baa7fed99206e19524761dfb6cc13dc8b25781f7 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Tue, 20 Feb 2024 16:02:21 +0100 Subject: [PATCH 08/10] GHA docker: Update actions to their latest versions --- .github/workflows/build-push-docker-image.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-push-docker-image.yml b/.github/workflows/build-push-docker-image.yml index a42d2895b..6b00e220b 100644 --- a/.github/workflows/build-push-docker-image.yml +++ b/.github/workflows/build-push-docker-image.yml 
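Review bot: The semver tags (`type=semver,pattern={{version}}` and friends) are derived from the Git ref the workflow runs on, while the image content still comes from the `latest: true` release download, so a `workflow_dispatch` run on an older tag would publish the newest release's tarball under the older version's tag; pass the ref to the downloader (the action's `tag` input, e.g. `tag: ${{ github.ref_name }}`, in place of `latest: true`) or build from the checked-out source. `type=ref,event=pr` can never fire because the workflow has no `pull_request` trigger, and `type=ref,event=branch` on the `feature/docker_configs` push publishes a `feature-docker_configs` tag to the public registry; trimming the tag list to what the triggers can produce keeps the published tags predictable. The actions remain pinned by major tag only, as noted on the first patch.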
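Review bot: With the `mkdir`/`chmod` lines removed, the image now relies on the release tarball already containing writable cache and log directories under the right owner, which nothing in the Dockerfile verifies; a comment stating that assumption above the `COPY` of `logging.yml`, or a `RUN test -d …` check that fails the build early, would make it explicit. `logging.yml` now lands in `/var/www/html/config/packages/` while the last patch in this series copies `parameters.yml` under `app/config/`, so two Symfony directory layouts are assumed at once; worth confirming which one the tarball actually ships before the image is published.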
@@ -12,7 +12,7 @@ jobs: packages: write steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Get the latest release id: release @@ -22,10 +22,10 @@ jobs: fileName: "*.tar.gz" - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 - name: Login to GitHub Container Registry uses: docker/login-action@v3 From 7819f6e66ede3648c4e02b778f25552a506d9b94 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Wed, 24 Apr 2024 08:57:34 +0200 Subject: [PATCH 09/10] Docker: Add DELETE as allowed method in Apache. Needed for userlifecycle --- docker/conf/engine.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/conf/engine.conf b/docker/conf/engine.conf index 43336b5e8..31bd65f39 100644 --- a/docker/conf/engine.conf +++ b/docker/conf/engine.conf @@ -17,7 +17,7 @@ SetEnv HTTPS on RewriteEngine On # We support only GET/POST -RewriteCond %{REQUEST_METHOD} !^(POST|GET)$ +RewriteCond %{REQUEST_METHOD} !^(POST|GET|DELETE)$ RewriteRule .* - [R=405,L] # Set the php application handler so mod_php interpets the files From 3a4de232e95900440d4e55f154670425919dc049 Mon Sep 17 00:00:00 2001 From: Bart Geesink Date: Thu, 22 Aug 2024 16:34:21 +0200 Subject: [PATCH 10/10] Add devconf specific configuration to the container --- app/config/parameters.yml.docker | 293 +++++++++++++++++++++++++++++++ docker/Dockerfile.prod | 2 + 2 files changed, 295 insertions(+) create mode 100644 app/config/parameters.yml.docker diff --git a/app/config/parameters.yml.docker b/app/config/parameters.yml.docker new file mode 100644 index 000000000..100d58728 --- /dev/null +++ b/app/config/parameters.yml.docker 
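Review bot: The comment `# We support only GET/POST` directly above the changed line is now wrong; update it to `# We support only GET/POST/DELETE (DELETE is needed by the user lifecycle / deprovision API)` so the allow-list and its rationale stay together. Since `DELETE` is now accepted for every path rather than only the deprovision endpoint, the same comment should state that authorisation of DELETE requests is enforced by the application, as Apache no longer filters the method.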
@@ -0,0 +1,293 @@
+parameters:
+ ##########################################################################################
+ ## GLOBAL SETTINGS
+ ##########################################################################################
+ ## This is a string that should be unique to your application and it's commonly used to add more
+ ## entropy to security related operations. Its value should be a series of characters, numbers and
+ ## symbols chosen randomly and the recommended length is around 32 characters.
+ secret: secret
+
+ ## Note: due to legacy reasons, hostname must be left empty (hostname
+ ## from the Host header will be used) or set to match the domain
+ ## setting. For example:
+ ##
+ ## domain = dev.openconext.local
+ ## hostname = engine.dev.openconext.local
+ domain: dev.openconext.local
+ ## Set a fixed hostname for OpenConext EngineBlock to use.
+ hostname: engine.dev.openconext.local
+
+ ## Configure trusted proxies to use their X-Forwarded-For header.
+ trusted_proxies:
+ - 192.168.1.1
+ - 10.0.0.1
+
+ ## The enabled languages, currently 'en', 'nl' and 'pt' are supported
+ enabled_languages:
+ - nl
+ - en
+
+ ##########################################################################################
+ ## SAML2 SETTINGS
+ ##########################################################################################
+ ## Path to the attribute definition file.
+ ## Where EngineBlock can look for attribute definitions.
+ ## These determine:
+ ## * How attributes are displayed in Profile and Consent
+ ## * How attributes are Normalized and Denormalized
+ ## * How attributes are validated
+ attribute_definition_file_path: %kernel.project_dir%/application/configs/attributes.json
+
+ ## The Signing / Encryption keys used for the SAML2 authentication and metadata
+ ## When EngineBlock signs responses (when it acts as an Idp)
+ ## or requests (when it acts as an SP) it uses these X.509 certs.
+ encryption_keys:
+ default:
+ publicFile: /config/engine/engineblock.crt
+ privateFile: /config/engine/engineblock.pem
+
+ ## List of signature methods explicitly forbidden by EngineBlock.
+ forbidden_signature_methods: { }
+
+ ## List of allowed ACS location URI schemes
+ allowed_acs_location_schemes:
+ - http
+ - https
+
+ ## Add RequestedAttributes to the AttributeConsumingService of the SP Proxy metadata of Engineblock, default is all
+ ## Options are 'all' (optional and required attributes), 'required' (only required attributes) or 'none'
+ metadata_add_requested_attributes: all
+
+ ##########################################################################################
+ ## PHP SETTINGS
+ ##########################################################################################
+ ## Ideally, PHP is configured using the regular PHP configuration in
+ ## /etc, but EngineBlock supports runtime modification of PHP
+ ## settings.
+ php_settings:
+ memory_limit: 256M
+ display_errors: '1'
+ error_reporting: '6135'
+ date.timezone: Europe/Amsterdam
+ sendmail_from: 'OpenConext EngineBlock '
+
+ ## EngineBlock API credentials
+ ## The API user config, allows for configuration of multiple different users
+ api.users.metadataPush.username: serviceregistry
+ api.users.metadataPush.password: secret
+ api.users.profile.username: profile
+ api.users.profile.password: secret
+ api.users.deprovision.username: lifecycle
+ api.users.deprovision.password: secret
+
+ ##########################################################################################
+ ## PDP SETTINGS
+ ##########################################################################################
+ ## Location of PDP
+ pdp.host: 'https://pdp.dev.openconext.local'
+
+ ## PDP uses basic auth
+ pdp.username: pdp_admin
+ pdp.password: secret
+ pdp.client_id: EngineBlock
+ pdp.policy_decision_point_path: /pdp/api/decide/policy
+
+ ##########################################################################################
+ ## ATTRIBUTE AGGREGATION SETTINGS
+ ##########################################################################################
+ ## Location of AA
+ attribute_aggregation.base_url: 'https://aa.dev.openconext.local/aa/api/internal/attribute/aggregation'
+ attribute_aggregation.username: eb
+ attribute_aggregation.password: secret
+
+ ## LOGGING / ERROR HANDLING
+ ## Note that we have the following priorities:
+ ## EMERGENCY: system is unusable
+ ## ALERT: action must be taken immediately
+ ## CRITICAL: critical conditions
+ ## ERROR: error conditions
+ ## WARNING: warning conditions
+ ## NOTICE: normal but significant condition
+ ## INFO: informational messages
+ ## DEBUG: debug messages
+ logger.channel: engineblock
+ logger.fingers_crossed.passthru_level: NOTICE
+ logger.fingers_crossed.action_level: ERROR
+ logger.syslog.ident: EBLOG
+ logger.line_format: '[%%datetime%%] %%channel%%.%%level_name%%: %%message%% %%extra%% %%context%%'
+
+ ##########################################################################################
+ ## DATABASE SETTINGS
+ ##########################################################################################
+ database.host: localhost
+ database.port: '3306'
+ database.user: ebrw
+ database.password: secret
+ database.dbname: eb
+ database.test.host: localhost
+ database.test.port: '3306'
+ database.test.user: eb_testrw
+ database.test.password: secret
+ database.test.dbname: eb_test
+
+ ##########################################################################################
+ ## MISCELLANEOUS SETTINGS
+ ##########################################################################################
+ ## The memory limit used for the metadata push this setting is overridden in the ConnectionsController
+ engineblock.metadata_push_memory_limit: 256M
+ ## Minimum execution time in milliseconds when a received response is deemed invalid (default: 5000 ms)
+ minimum_execution_time_on_invalid_received_response: 5000
+ ## The value for guest qualifier. Can be overridden for specific environments
+ addgueststatus_guestqualifier: 'urn:collab:org:dev.openconext.local'
+
+ ## Language cookie settings
+ ## The value for the domain is also used for clearing SSO Notification cookies if the feature is enabled
+ cookie.path: /
+ cookie.secure: true
+ cookie.locale.domain: .dev.openconext.local
+ cookie.locale.expiry: 5184000
+ cookie.locale.http_only: false
+ cookie.locale.secure: true
+
+ ## UI settings
+ view_default_title: OpenConext
+ view_default_header: OpenConext
+ view_default_logo: /images/logo.png
+ view_default_logo_width: 96
+ view_default_logo_height: 96
+ # when set, will show a ribbon top-right to visually distinguish this install from other
+ # environments in your constellation (e.g. "test", "qa"), with the given ribbon color in
+ # env_ribbon_color. You can choose from colors: crimson,orange,hotpink,khaki.
+ env_name: ""
+ env_ribbon_color: ""
+
+ ui_return_to_sp_link: false
+
+ ## The default email where IdP request access are send
+ email_request_access_address: help@example.org
+
+ ## The query to be used to detect if healthy
+ monitor_database_health_check_query: 'SELECT uuid FROM user LIMIT 1;'
+
+ ## Cutoff point for showing unfiltered IdPs on the WAYF.
+ ## Do not show unfiltered IdPs on the WAYF if there are more IdPs than the cutoff point.
+ wayf.cutoff_point_for_showing_unfiltered_idps: 50
+
+ ## Allow users to save their selected IdP and then auto-select it on returning visits.
+ wayf.remember_choice: false
+
+ ## Toggle the default IdP quick link banner on the WAYF.
+ wayf.display_default_idp_banner_on_wayf: true
+ wayf.default_idp_entity_id: https://default-idp.dev.openconext.local
+
+ ## Toggle display & content of global site notice
+ global.site_notice.show: false
+ global.site_notice.allowed.tags: '


    1. '
+
+ ## Settings for detecting whether the user is stuck in a authentication loop within his session
+ time_frame_for_authentication_loop_in_seconds: 60
+ maximum_authentication_procedures_allowed: 5
+
+ ## Store attributes with their values, meaning that if an Idp suddenly
+ ## sends a new value (like a new e-mail address) consent has to be
+ ## given again.
+ consent_store_values: true
+
+ ## Email configuration
+ email_idp_debugging:
+ from:
+ name: 'OpenConext EngineBlock'
+ address: no-reply@example.org
+ to:
+ address: coin-logs-dev@list.surfnet.nl
+ name: 'OpenConext Admin'
+ subject: 'IdP debug info from %%1$s'
+
+ ## Swiftmailer configuration
+ mailer_transport: 'smtp'
+ mailer_host: 'localhost'
+ mailer_port: '25'
+ mailer_user: ''
+ mailer_password: ''
+
+ ##########################################################################################
+ ## FEATURE SETTINGS
+ ##########################################################################################
+ feature_eb_encrypted_assertions: true
+ feature_eb_encrypted_assertions_require_outer_signature: true
+ feature_api_metadata_push: true
+ feature_api_consent_listing: true
+ feature_api_consent_remove: true
+ feature_api_metadata_api: true
+ feature_api_deprovision: true
+ feature_run_all_manipulations_prior_to_consent: false
+ feature_block_user_on_violation: false
+ feature_enable_consent: true
+
+ ##########################################################################################
+ ## PROFILE SETTINGS
+ ##########################################################################################
+ ## Location of Profile
+ profile_base_url: 'https://profile.dev.openconext.local'
+
+ ##########################################################################################
+ ## SFO SETTINGS
+ ##########################################################################################
+ ## This PCRE regex is used to blacklist incoming AuthnContextClassRef attributes on. If an empty string is used
+ ## the validation is skipped. The validator will throw an exception if the used regex is invalid.
+ stepup.authn_context_class_ref_blacklist_regex: '/http:\/\/vm\.openconext\.org\/assurance\/loa[1-3]/'
+ ## The loa mapping from the internal used LoA's to the Stepup Gateway LOA's.
+ ## Specification of the mapping: stepup.loa.mapping.[int 1|2|3].[string engineblock|gateway]
+ ## The integer after the mapping field indicates the LoA level (1, 2 or 3 are supported).
+ ## The engineblock or gateway keys specify the LoAs identifier as will be carried in the AuthnContextClassRef of an assertion.
+ stepup.loa.mapping:
+ 10:
+ engineblock: 'http://dev.openconext.local/assurance/loa1'
+ gateway: 'http://dev.openconext.local/assurance/loa1'
+ 15:
+ engineblock: 'http://dev.openconext.local/assurance/loa1_5'
+ gateway: 'http://dev.openconext.local/assurance/loa1_5'
+ 20:
+ engineblock: 'http://dev.openconext.local/assurance/loa2'
+ gateway: 'http://dev.openconext.local/assurance/loa2'
+ 30:
+ engineblock: 'http://dev.openconext.local/assurance/loa3'
+ gateway: 'http://dev.openconext.local/assurance/loa3'
+ ## The fallback LoA to return when the Stepup authentication fails but is not required
+ stepup.loa.loa1: 'http://dev.openconext.local/assurance/loa1'
+ ## The EntityId (metadata URL) used in the callout to the SFO endpoint of the configured Stepup Gateway
+ stepup.gateway.sfo.entity_id: 'https://gateway.dev.openconext.local/second-factor-only/metadata'
+ ## The single sign-on endpoint used for Stepup Gateway SFO callouts
+ stepup.gateway.sfo.sso_location: 'https://gateway.dev.openconext.local/second-factor-only/single-sign-on'
+ ## The public key from the Stepup Gateway IdP
+ stepup.gateway.sfo.key_file: /config/engine/engineblock.crt
+
+ ##########################################################################################
+ ## THEME SETTINGS
+ ##########################################################################################
+ # When changing the default theme name, be aware that the CI build will no longer be able to select our default
+ # test suite for js e2e tests. This because a SED command is in place to rewrite the parameters.yml.
+ # See the SED command in Gitlab Actions runner: 'Run Cypress integration tests'
+ theme.name: skeune
+
+ ##########################################################################################
+ ## SSO NOTIFICATION SETTINGS
+ ##########################################################################################
+ feature_enable_sso_notification: false
+ sso_notification_encryption_algorithm: AES-256-CBC
+ ## The encryption key used to decrypt the SSO notification
+ sso_notification_encryption_key:
+ ## The encryption key salt used to decrypt the SSO notification
+ sso_notification_encryption_key_salt:
+
+ ##########################################################################################
+ ## SSO SESSION COOKIES SETTINGS
+ ##########################################################################################
+ # When the user is successfully authenticated by an Identity Provider, Engineblock stores an SSO session cookie in
+ # their browser. OpenConext's SSO query service is then able, if necessary, to verify whether this cookie exists and
+ # to return the correct answer to the requesting party based on this.
+ feature_enable_sso_session_cookie: false
+ # The time the cookie expires. This is a timestamp in number of seconds since the authentication.
+ # If set to 0 the cookie will expire at the end of the session (when the browser closes).
+ sso_session_cookie_max_age: 0
+
diff --git a/docker/Dockerfile.prod b/docker/Dockerfile.prod
index a01f7f4f4..176c5f384 100644
--- a/docker/Dockerfile.prod
+++ b/docker/Dockerfile.prod
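Review bot: This file is copied over `app/config/parameters.yml` inside `Dockerfile.prod`, so the published image ships with `display_errors: '1'`, `secret: secret` and every password set to `secret` (API users, PDP, attribute aggregation, database); unless these are overridden at runtime, a container pulled from the registry exposes PHP errors to clients and accepts known credentials. Prefer supplying these values through environment variables or a mounted `parameters.yml`, and at minimum set `display_errors: '0'` in the file that goes into an image called `prod`. `sso_notification_encryption_key:` and `sso_notification_encryption_key_salt:` are bare keys, which YAML reads as `null` rather than an empty string; write `''` if an empty string is intended. `attribute_definition_file_path: %kernel.project_dir%/application/configs/attributes.json` is a plain scalar starting with `%`, which is not valid YAML and which Symfony's parser rejects on newer versions; quote it as `'%kernel.project_dir%/application/configs/attributes.json'`.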
@@ -7,6 +7,8 @@ RUN tar --strip-components=1 -xvzf /tmp/*tar.gz -C /var/www/html/ && \ RUN rm -rf /etc/apache2/sites-enabled/* COPY ./docker/conf/engine.conf /etc/apache2/sites-enabled/engine.conf COPY ./docker/conf/logging.yml /var/www/html/config/packages/ +# Instantiate devconf config +RUN cp app/config/parameters.yml.docker app/config/parameters.yml # Set the default workdir WORKDIR /var/www/html
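Review bot: `RUN cp app/config/parameters.yml.docker app/config/parameters.yml` uses relative paths but runs before `WORKDIR /var/www/html` is set, so it resolves against whatever working directory the base image defines and fails, or copies the wrong file, if that is not `/var/www/html`; use absolute paths, `RUN cp /var/www/html/app/config/parameters.yml.docker /var/www/html/app/config/parameters.yml`, or move the line below `WORKDIR`. The comment `# Instantiate devconf config` would read better as `# Bake the devconf parameters in as the container's default parameters.yml` so it is clear that a configuration file, not a build step, is being fixed into the image.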