dbildungs-iam-server

dBildungsplattform · Dec 18, 2024 · 52383ab · 52383ab
1 parent 9d267a3
commit 52383ab
Show file tree

Hide file tree

Showing 10 changed files with 137 additions and 178 deletions.
diff --git a/automation/dbildungs-iam-server/Chart.yaml b/automation/dbildungs-iam-server/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
-appVersion: spsh-1387
+appVersion: SPSH-1628
 description: dBildungs-IAM-server
 name: dbildungs-iam-server
 type: application
-version: 0.0.0-spsh-1387-20241218-1102
+version: 0.0.0-spsh-1628-20241218-1115
diff --git a/automation/dbildungs-iam-server/config/config.json b/automation/dbildungs-iam-server/config/config.json
@@ -30,6 +30,11 @@
     "PASSWORD": "",
     "USE_TLS": false
   },
+  "LDAP": {
+    "URL": "ldap://spsh-xxx.svc.cluster.local",
+    "BIND_DN": "cn=admin,dc=schule-sh,dc=de",
+    "ADMIN_PASSWORD": "password"
+  },
   "DATA": {
     "ROOT_ORGANISATION_ID": "d39cb7cf-2f9b-45f1-849f-973661f2f057"
   },
@@ -46,10 +51,22 @@
     "BACKEND_FOR_FRONTEND_MODULE_LOG_LEVEL": "debug"
   },
   "ITSLEARNING": {
+    "ENABLED": false,
+    "ENDPOINT": "https://itslearning.example.com",
+    "USERNAME": "username",
+    "PASSWORD": "password",
     "ROOT": "sh",
     "ROOT_OEFFENTLICH": "oeffentlich",
     "ROOT_ERSATZ": "ersatz"
   },
+  "OX": {
+    "ENABLED": false,
+    "ENDPOINT": "https://ox_ip:ox_port/webservices/OXUserService",
+    "CONTEXT_ID": "1337",
+    "CONTEXT_NAME": "contextname",
+    "USERNAME": "username",
+    "PASSWORD": "password"
+  },
   "PRIVACYIDEA": {
     "ENDPOINT": "http://localhost:5000",
     "USERNAME": "admin",
@@ -58,22 +75,11 @@
     "REALM": "defrealm"
   },
   "IMPORT": {
-    "CSV_FILE_MAX_SIZE_IN_MB": 10,
-    "CSV_MAX_NUMBER_OF_USERS": 2000,
-    "PASSPHRASE_SECRET": "44abDqJk2qgwRbpGfO0VZx7DpXeFsm7R",
-    "PASSPHRASE_SALT": "YDp6fYkbUcj4ZkyAOnbAHGQ9O72htc5M"
+    "IMPORT_FILE_MAXGROESSE_IN_MB": 10
   },
   "SYSTEM": {
     "RENAME_WAITING_TIME_IN_SECONDS": 3,
     "STEP_UP_TIMEOUT_ENABLED": "true",
     "STEP_UP_TIMEOUT_IN_SECONDS": 10
-  },
-  "VIDIS": {
-      "BASE_URL": "https://service-stage.vidis.schule",
-      "USERNAME": "",
-      "PASSWORD": "",
-      "REGION_NAME": "test-region",
-      "KEYCLOAK_GROUP": "VIDIS-service",
-      "KEYCLOAK_ROLE": "VIDIS-user"
   }
 }
diff --git a/automation/dbildungs-iam-server/cron/Dockerfile b/automation/dbildungs-iam-server/cron/Dockerfile
@@ -1,7 +1,5 @@
 FROM alpine:3.19
 
-ENV LOG_FILE_PATH=/var/log/cron.log
-
 # Install necessary packages
 RUN apk update && \
     apk add --no-cache bash cronie jq openssl vim wget

diff --git a/automation/dbildungs-iam-server/cron/scripts/get_access_token.sh b/automation/dbildungs-iam-server/cron/scripts/get_access_token.sh
@@ -53,13 +53,13 @@ elif [ -n "$JWKS_FILE_PATH" ] && [ -f "$JWKS_FILE_PATH" ]; then
   # JWKS_FILE_PATH is set, use the file
   jwks=$(cat "$JWKS_FILE_PATH")
 else
-  echo "Error: No JWKS environment variable or JWKS file found." >> "${LOG_FILE_PATH}"
+  echo "Error: No JWKS environment variable or JWKS file found." >> /var/log/cron.log
   exit 1
 fi
 
 # Check if environment variables are set
 if [[ -z "$clientId" || -z "$kc_token_url" || -z "$jwks" ]]; then
-    echo "Error: CLIENT_ID, TOKEN_URL, and JWKS environment variables must be set." >> "${LOG_FILE_PATH}"
+    echo "Error: CLIENT_ID, TOKEN_URL, and JWKS environment variables must be set." >> /var/log/cron.log
     exit 1
 fi
 
@@ -68,7 +68,7 @@ key_json=$(echo "$jwks" | jq -c '.keys[0]')
 
 # Check if key_json is empty
 if [[ -z "$key_json" ]]; then
-  echo "Error: No keys found in JWKS." >> "${LOG_FILE_PATH}"
+  echo "Error: No keys found in JWKS." >> /var/log/cron.log
   exit 1
 fi
 
@@ -110,14 +110,14 @@ dq=INTEGER:0x$dq_dec
 qi=INTEGER:0x$qi_dec
 EOF
 
-echo "Starting to generate PEM-formatted private key" >> "${LOG_FILE_PATH}"
+echo "Starting to generate PEM-formatted private key" >> /var/log/cron.log
 
 # Generate the PEM-formatted private key
 temp_key_file=$(mktemp)
 openssl asn1parse -genconf "$asn1_structure" -out "$temp_key_file" > /dev/null 2>&1
 openssl rsa -in "$temp_key_file" -inform DER -outform PEM -out "$temp_key_file.pem" > /dev/null 2>&1
 
-echo "Ending to generate PEM-formatted private key" >> "${LOG_FILE_PATH}"
+echo "Ending to generate PEM-formatted private key" >> /var/log/cron.log
 
 # Remove temporary files
 rm "$asn1_structure" "$temp_key_file"
@@ -146,14 +146,14 @@ payload_base64=$(base64url_encode "$payload")
 # Combine header and payload
 header_payload="$header_base64.$payload_base64"
 
-echo "Payload created" >> "${LOG_FILE_PATH}"
+echo "Payload created" >> /var/log/cron.log
 
 # Sign the JWT
 signature=$(echo -n "$header_payload" | \
   openssl dgst -sha256 -sign "$temp_key_file.pem" | \
   openssl enc -base64 -A | tr '+/' '-_' | tr -d '=')
 
-echo "Signed the JWT" >> "${LOG_FILE_PATH}"
+echo "Signed the JWT" >> /var/log/cron.log
 
 # Remove the temporary PEM key file
 rm "$temp_key_file.pem"
@@ -166,15 +166,15 @@ response=$(wget -qO- --post-data "grant_type=client_credentials&client_id=$clien
   --header "Content-Type: application/x-www-form-urlencoded" \
   "$kc_token_url")
 
-echo "Access token requested" >> "${LOG_FILE_PATH}"
+echo "Access token requested" >> /var/log/cron.log
 
 # Check if the response contains an access token
 if echo "$response" | grep -q '"access_token"'; then
   # Extract the access token from the response
   access_token=$(echo "$response" | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p')
   echo "$access_token"
 else
-  echo "Failed to retrieve access token. Response:" >> "${LOG_FILE_PATH}"
-  echo "$response" >> "${LOG_FILE_PATH}"
+  echo "Failed to retrieve access token. Response:" >> /var/log/cron.log
+  echo "$response" >> /var/log/cron.log
   exit 1
 fi
diff --git a/automation/dbildungs-iam-server/templates/_dbildungs-iam-server-envs.tpl b/automation/dbildungs-iam-server/templates/_dbildungs-iam-server-envs.tpl
@@ -1,99 +1,94 @@
 {{- define "dbildungs-iam-server-backend-envs" }}
-- name: DB_SECRET
-  valueFrom:
-    secretKeyRef:
-        name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
-        key: db-password
-- name: DB_USERNAME
-  valueFrom:
-    secretKeyRef:
-        name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
-        key: db-username
-- name: DB_HOST
-  valueFrom:
-    secretKeyRef:
-        name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
-        key: db-host
-- name: KC_ADMIN_SECRET
-  valueFrom:
-    secretKeyRef:
-        name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
-        key: keycloak-adminSecret
-- name: DB_CLIENT_URL
-  value: "postgres://$(DB_HOST)/"
-- name: KC_CLIENT_SECRET
-  valueFrom:
-    secretKeyRef:
-        name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
-        key: keycloak-clientSecret
-- name: KC_SERVICE_CLIENT_PRIVATE_JWKS
-  valueFrom:
-    secretKeyRef:
-        name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
-        key: service-account-private-jwks
-- name: FRONTEND_SESSION_SECRET
-  valueFrom:
-    secretKeyRef:
-        name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
-        key: frontend-sessionSecret
-- name: ITSLEARNING_ENABLED
-  valueFrom:
-    secretKeyRef:
-        name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
-        key: itslearning-enabled
-- name: ITSLEARNING_ENDPOINT
-  valueFrom:
-    secretKeyRef:
-        name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
-        key: itslearning-endpoint
-- name: ITSLEARNING_USERNAME
-  valueFrom:
-    secretKeyRef:
-        name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
-        key: itslearning-username
-- name: ITSLEARNING_PASSWORD
-  valueFrom:
-    secretKeyRef:
-        name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
-        key: itslearning-password
-- name: LDAP_ADMIN_PASSWORD
-  valueFrom:
-    secretKeyRef:
-        name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
-        key: ldap-admin-password
-- name: PI_BASE_URL
-  valueFrom:
-    secretKeyRef:
-        name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
-        key: pi-base-url
-- name: PI_ADMIN_USER
-  valueFrom:
-    secretKeyRef:
-        name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
-        key: pi-admin-user
-- name: PI_ADMIN_PASSWORD
-  valueFrom:
-    secretKeyRef:
-        name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
-        key: pi-admin-password
-- name: PI_USER_RESOLVER
-  valueFrom:
-    secretKeyRef:
-        name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
-        key: pi-user-resolver
-- name: PI_REALM
-  valueFrom:
-    secretKeyRef:
-        name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
-        key: pi-user-realm
-- name: REDIS_PASSWORD
-  valueFrom:
-    secretKeyRef:
-        name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
-        key: redis-password
-- name: OX_PASSWORD
-  valueFrom:
-    secretKeyRef:
-        name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
-        key: ox-password
+          - name: DB_SECRET
+            valueFrom:
+              secretKeyRef:
+                  name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+                  key: db-password
+          - name: DB_USERNAME
+            valueFrom:
+              secretKeyRef:
+                  name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+                  key: db-username
+          - name: DB_HOST
+            valueFrom:
+              secretKeyRef:
+                  name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+                  key: db-host
+          - name: KC_ADMIN_SECRET
+            valueFrom:
+              secretKeyRef:
+                  name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+                  key: keycloak-adminSecret
+          - name: DB_CLIENT_URL
+            value: "postgres://$(DB_HOST)/"
+          - name: KC_CLIENT_SECRET
+            valueFrom:
+              secretKeyRef:
+                  name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+                  key: keycloak-clientSecret
+          - name: KC_SERVICE_CLIENT_PRIVATE_JWKS
+            valueFrom:
+              secretKeyRef:
+                  name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+                  key: service-account-private-jwks
+          - name: FRONTEND_SESSION_SECRET
+            valueFrom:
+              secretKeyRef:
+                  name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+                  key: frontend-sessionSecret
+          - name: ITSLEARNING_ENABLED
+            valueFrom:
+              secretKeyRef:
+                  name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+                  key: itslearning-enabled
+          - name: ITSLEARNING_ENDPOINT
+            valueFrom:
+              secretKeyRef:
+                  name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+                  key: itslearning-endpoint
+          - name: ITSLEARNING_USERNAME
+            valueFrom:
+              secretKeyRef:
+                  name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+                  key: itslearning-username
+          - name: ITSLEARNING_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                  name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+                  key: itslearning-password
+          - name: LDAP_ADMIN_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                  name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+                  key: ldap-admin-password
+          - name: PI_BASE_URL
+            valueFrom:
+              secretKeyRef:
+                  name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+                  key: pi-base-url
+          - name: PI_ADMIN_USER
+            valueFrom:
+              secretKeyRef:
+                  name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+                  key: pi-admin-user
+          - name: PI_ADMIN_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                  name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+                  key: pi-admin-password
+          - name: PI_USER_RESOLVER
+            valueFrom:
+              secretKeyRef:
+                  name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+                  key: pi-user-resolver
+          - name: PI_REALM
+            valueFrom:
+              secretKeyRef:
+                  name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+                  key: pi-user-realm
+          - name: REDIS_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                  name: {{ default .Values.auth.existingSecret .Values.auth.secretName }}
+                  key: redis-password
 {{- end}}
diff --git a/automation/dbildungs-iam-server/templates/backend-deployment.yaml b/automation/dbildungs-iam-server/templates/backend-deployment.yaml
@@ -45,9 +45,9 @@ spec:
           command: [ "node", "dist/src/console/main.js", "keycloak", "update-clients", "dev" ]
           env:
             {{- include "dbildungs-iam-server-backend-envs" . | indent  12 }}
-            {{- if .Values.backend.extraEnvVars }}
-            {{ toYaml .Values.backend.extraEnvVars | nindent 12 }}
-            {{- end }}
+              {{- if .Values.backend.extraEnvVars }}
+              {{ toYaml .Values.backend.extraEnvVars | nindent 12 }}
+              {{- end }}
           envFrom:
             - configMapRef:
                 name: {{ template "common.names.name" . }}

diff --git a/automation/dbildungs-iam-server/templates/configmap.yaml b/automation/dbildungs-iam-server/templates/configmap.yaml
@@ -22,17 +22,9 @@ data:
   LDAP_OEFFENTLICHE_SCHULEN_DOMAIN: "{{ .Values.ldap.oeffentlicheSchulenDomain }}"
   LDAP_ERSATZSCHULEN_DOMAIN: "{{ .Values.ldap.ersatzschulenDomain }}"
   STATUS_REDIRECT_URL: "{{ .Values.status.url }}"
-  OX_ENABLED: "{{ .Values.ox.enabled }}"
-  OX_USERNAME: "{{ .Values.ox.username }}"
-  OX_ENDPOINT: "{{ .Values.ox.endpoint }}"
-  OX_CONTEXT_ID: "{{ .Values.ox.contextId }}"
-  OX_CONTEXT_NAME: "{{ .Values.ox.contextName }}"
   SYSTEM_RENAME_WAITING_TIME_IN_SECONDS: "{{ .Values.backend.env.renameWaitingTimeInSeconds }}"
   SYSTEM_STEP_UP_TIMEOUT_ENABLED: "{{ .Values.backend.env.stepUpTimeoutEnabled }}"
   SYSTEM_STEP_UP_TIMEOUT_IN_SECONDS: "{{ .Values.backend.env.stepUpTimeoutInSeconds }}"
   ITSLEARNING_ROOT: '{{ .Values.itslearning.root }}'
   ITSLEARNING_ROOT_OEFFENTLICH: '{{ .Values.itslearning.rootOeffentlich }}'
   ITSLEARNING_ROOT_ERSATZ: '{{ .Values.itslearning.rootErsatz }}'
-  NODE_OPTIONS: "--max-old-space-size={{ .Values.backend.env.maxOldSpaceSize }}"
-  IMPORT_CSV_FILE_MAX_SIZE_IN_MB: '{{ .Values.import.csvFileMaxSizeInMB }}'
-  IMPORT_CSV_MAX_NUMBER_OF_USERS: '{{ .Values.import.csvMaxNumberOfUsers }}'