Adding the files and actions required for the docker images

.github/workflows/deploy.yml

@@ -4,30 +4,109 @@ on:
   push:
     tags:
       - "*"
+  workflow_dispatch:
 
 jobs:
   deployment:
+    permissions:
+      packages: write
     environment: deploy
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v2
-    - name: Set up JDK 11
-      uses: actions/setup-java@v1
-      with:
-        java-version: 11
-        server-id: openconext-releases
-        server-username: MAVEN_USERNAME
-        server-password: MAVEN_PASSWORD
-    - name: Set up cache
-      uses: actions/cache@v1
-      with:
-        path: ~/.m2/repository
-        key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
-        restore-keys: |
-          ${{ runner.os }}-maven-
-    - name: Deploy with Maven
-      run: mvn --batch-mode deploy -DskipTests
-      env:
-        MAVEN_USERNAME: ${{ secrets.BUILD_USERNAME }}
-        MAVEN_PASSWORD: ${{ secrets.BUILD_PASSWORD }}
+      - uses: actions/checkout@v4
+
+      - name: Set up JDK 11
+        uses: actions/setup-java@v4
+        with:
+          java-version: 11
+          distribution: "temurin"
+          server-id: openconext-releases
+          server-username: MAVEN_USERNAME
+          server-password: MAVEN_PASSWORD
+
+      - name: Set up cache
+        uses: actions/cache@v4
+        with:
+          path: ~/.m2/repository
+          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
+          restore-keys: |
+            ${{ runner.os }}-maven-
+
+      - name: Determine the version
+        run: echo ::set-output name=version::$(mvn -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive exec:exec)
+        id: versioncheck
+
+      - name: Exit when workflow_dispatch is triggered, and the version does not contain SNAPSHOT in it's name
+        run: |
+          echo "Only SNAPSHOT releases can be triggered with the workflow_dispatch"
+          exit 1
+        if: github.event_name == 'workflow_dispatch' && ( !endsWith(steps.versioncheck.outputs.version, '-SNAPSHOT'))
+
+      - name: Exit when a production build is triggered, and the github tag is not the same as the version in pom.xml
+        run: |
+          echo "Project version ${{ steps.versioncheck.outputs.version }} does not match git tag ${{ github.ref_name }}"
+          exit 1
+        if: github.event_name != 'workflow_dispatch' && steps.versioncheck.outputs.version != github.ref_name
+
+      - name: Set up JDK 11 for snapshots
+        uses: actions/setup-java@v4
+        with:
+          java-version: "11"
+          distribution: "temurin"
+          cache: "maven"
+          server-id: openconext-snapshots
+          server-username: MAVEN_USERNAME
+          server-password: MAVEN_PASSWORD
+        if: ( endsWith(steps.versioncheck.outputs.version, '-SNAPSHOT'))
+
+      - name: Set up JDK 11 for releases
+        uses: actions/setup-java@v4
+        with:
+          java-version: "11"
+          distribution: "temurin"
+          cache: "maven"
+          server-id: openconext-releases
+          server-username: MAVEN_USERNAME
+          server-password: MAVEN_PASSWORD
+        if: ${{!( endsWith(steps.versioncheck.outputs.version, '-SNAPSHOT')) }}
+
+      - name: Deploy with Maven
+        run: mvn --batch-mode deploy -DskipTests
+        env:
+          MAVEN_USERNAME: ${{ secrets.BUILD_USERNAME }}
+          MAVEN_PASSWORD: ${{ secrets.BUILD_PASSWORD }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/openconext/openconext-oidcng/oidcng
+          flavor: |
+            latest=false
+          tags: |
+            type=ref,event=tag
+            type=raw,event=tag,value=latest
+            type=raw,event=workflow_dispatch,value=snapshot
+            type=semver,pattern={{version}},value=${{ steps.versioncheck.outputs.version }}
+            type=sha
+
+      - name: Build and push the oidcng-server
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: docker/Dockerfile
+          platforms: linux/amd64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

docker/Dockerfile

@@ -0,0 +1,3 @@
+FROM eclipse-temurin:11-jdk-alpine
+COPY target/*.jar app.jar
+ENTRYPOINT ["java","-jar","/app.jar"]

pom.xml

@@ -21,7 +21,7 @@
 
     <groupId>org.openconext</groupId>
     <artifactId>oidcng</artifactId>
-    <version>6.1.12</version>
+    <version>6.1.13-SNAPSHOT</version>
     <name>oidcng</name>
 
     <dependencyManagement>

src/main/resources/application-devconf.yml

@@ -0,0 +1,59 @@
+server:
+  port: 80
+
+mongodb_db: oidcng
+oidc_saml_mapping_path: classpath:/oidc/saml_mapping.json
+openid_configuration_path: classpath:/openid-configuration-docker.json
+secret_key_set_path: classpath:/secret_keyset.json
+associated_data: 4CEFFA8B-90DD-4737-8B04-6DA51C5B29AE
+access_token_one_way_hash_salt: secret
+private_key_path: file:///config/saml.key
+certificate_path: file:///config/saml.crt
+default_acr_value: http://dev.openconext.local/assurance/loa1
+secure_cookie: false
+oidc_token_endpoint: https://connect.dev.openconext.local/oidc/token
+environment: SURFconext DEV
+
+features:
+  # Do we enforce that the RS - if eduID pseudonymisation is required - belongs to the SURF IdP linked to the eduID user account?
+  # We link RS's and SURF IdP's using the coin:institution-guid
+  enforce-eduid-resource-server-linked-account: true
+  # Do we show consent if configured for a RP in manage
+  consent-enabled: true
+
+sp:
+  entity_id: https://connect.dev.openconext.local
+  acs_location: https://connect.dev.openconext.local/login/saml2/sso/oidcng
+
+idp:
+  entity_id: https://engine.dev.openconext.local/authentication/idp/metadata
+  sso_location: https://engine.dev.openconext.local/authentication/idp/single-sign-on
+  saml_assertion_signing_key: classpath:/engine.dev.openconext.local.default.pem
+
+spring:
+  data:
+    mongodb:
+      uri: mongodb://oidcngrw:secret@mongo:27017/oidcng?ssl=false
+  thymeleaf:
+    cache: false
+  main:
+    banner-mode: off
+
+manage:
+  user: manage
+  password: secret
+
+token-api:
+  # Is the token API enabled for Profile and eduID? If not access to the token API endpoints is forbidden
+  enabled: true
+  users:
+    - user: eduid
+      password: secret
+    - user: profile
+      password: secret
+
+eduid:
+  user: oidcng
+  password: secret
+  uri: https://eduid.dev.openconext.local/myconext/api/attribute-manipulation
+  enabled: true

src/main/resources/engine.dev.openconext.local.default.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDuDCCAqCgAwIBAgIJAPdqJ9JQKN6vMA0GCSqGSIb3DQEBBQUAMEYxDzANBgNV
+BAMTBkVuZ2luZTERMA8GA1UECxMIU2VydmljZXMxEzARBgNVBAoTCk9wZW5Db25l
+eHQxCzAJBgNVBAYTAk5MMB4XDTE1MDQwMjE0MDE1NFoXDTI1MDQwMTE0MDE1NFow
+RjEPMA0GA1UEAxMGRW5naW5lMREwDwYDVQQLEwhTZXJ2aWNlczETMBEGA1UEChMK
+T3BlbkNvbmV4dDELMAkGA1UEBhMCTkwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCeVodghQwFR0pItxGaJ3LXHA+ZLy1w/TMaGDcJaszAZRWRkL/6djwb
+abR7TB45QN6dfKOFGzobQxG1Oksky3gz4Pki1BSzi/DwsjWCw+Yi40cYpYeg/XM0
+tvHKVorlsx/7Thm5WuC7rwytujr/lV7f6lavf/ApnLHnOORU2h0ZWctJiestapMa
+C5mc40msruWWp04axmrYICmTmGhEy7w0qO4/HLKjXtWbJh71GWtJeLzG5Hj04X44
+wI+D9PUJs9U3SYh9SCFZwq0v+oYeqajiX0JPzB+8aVOPmOOM5WqoT8OCddOM/Tls
+L/0PcxByGHsgJuWbWMI1PKlK3omR764PAgMBAAGjgagwgaUwHQYDVR0OBBYEFLow
+msUCD2CrHU0lich1DMkNppmLMHYGA1UdIwRvMG2AFLowmsUCD2CrHU0lich1DMkN
+ppmLoUqkSDBGMQ8wDQYDVQQDEwZFbmdpbmUxETAPBgNVBAsTCFNlcnZpY2VzMRMw
+EQYDVQQKEwpPcGVuQ29uZXh0MQswCQYDVQQGEwJOTIIJAPdqJ9JQKN6vMAwGA1Ud
+EwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAIF9tGG1C9HOSTQJA5qL13y5Ad8G
+57bJjBfTjp/dw308zwagsdTeFQIgsP4tdQqPMwYmBImcTx6vUNdiwlIol7TBCPGu
+qQAHD0lgTkChCzWezobIPxjitlkTUZGHqn4Kpq+mFelX9x4BElmxdLj0RQV3c3Bh
+oW0VvJvBkqVKWkZ0HcUTQMlMrQEOq6D32jGh0LPCQN7Ke6ir0Ix5knb7oegND49f
+bLSxpdo5vSuxQd+Zn6nI1/VLWtWpdeHMKhiw2+/ArR9YM3cY8UwFQOj9Y6wI6gPC
+Gh/q1qv2HnngmnPrNzZik8XucGcf1Wm2zE4UIVYKW31T52mqRVDKRk8F3Eo=
+-----END CERTIFICATE-----

src/main/resources/openid-configuration-docker.json

@@ -0,0 +1,70 @@
+{
+  "issuer": "https://connect.dev.openconext.local",
+  "authorization_endpoint": "https://connect.dev.openconext.local/oidc/authorize",
+  "token_endpoint": "https://connect.dev.openconext.local/oidc/token",
+  "userinfo_endpoint": "https://connect.dev.openconext.local/oidc/userinfo",
+  "introspect_endpoint": "https://connect.dev.openconext.local/oidc/introspect",
+  "jwks_uri": "https://connect.dev.openconext.local/oidc/certs",
+  "response_types_supported": [
+    "code",
+    "token",
+    "id_token",
+    "code token",
+    "code id_token",
+    "token id_token",
+    "code token id_token"
+  ],
+  "response_modes_supported": ["fragment", "query", "form_post"],
+  "grant_types_supported": [
+    "authorization_code",
+    "implicit",
+    "refresh_token",
+    "client_credentials"
+  ],
+  "subject_types_supported": ["public", "pairwise"],
+  "id_token_signing_alg_values_supported": ["RS256"],
+  "scopes_supported": [
+    "openid",
+    "groups",
+    "profile",
+    "email",
+    "address",
+    "phone"
+  ],
+  "token_endpoint_auth_methods_supported": [
+    "client_secret_basic",
+    "client_secret_post",
+    "client_secret_jwt",
+    "private_key_jwt"
+  ],
+  "claims_supported": [
+    "aud",
+    "nbf",
+    "iss",
+    "exp",
+    "iat",
+    "jti",
+    "nonce",
+    "at_hash",
+    "c_hash",
+    "s_hash",
+    "sub",
+    "edumember_is_member_of",
+    "eduperson_affiliation",
+    "eduperson_entitlement",
+    "eduperson_principal_name",
+    "eduperson_scoped_affiliation",
+    "email",
+    "family_name",
+    "given_name",
+    "name",
+    "nickname",
+    "preferred_username",
+    "schac_home_organization",
+    "schac_home_organization_type",
+    "schac_personal_unique_code",
+    "uids"
+  ],
+  "claims_parameter_supported": true,
+  "code_challenge_methods_supported": ["plain", "S256"]
+}