Add SBS

.gitignore

@@ -1,3 +1,4 @@
 stepup/gateway/surfnet_yubikey.yaml
 stepup/.env
-/.idea
+/.idea
+.env

core/dbschema/createdbs.sql

@@ -6,6 +6,7 @@ CREATE DATABASE IF NOT EXISTS spdashboard;
 CREATE DATABASE IF NOT EXISTS invite;
 CREATE DATABASE IF NOT EXISTS userlifecycle;
 CREATE DATABASE IF NOT EXISTS spdashboard;
+CREATE DATABASE IF NOT EXISTS sbs;
 
 CREATE USER IF NOT EXISTS 'ebrw'@'%' IDENTIFIED BY 'secret';
 GRANT ALL PRIVILEGES ON eb.* TO 'ebrw'@'%';
@@ -30,3 +31,6 @@ GRANT ALL PRIVILEGES ON userlifecycle.* TO 'userlifecyclerw'@'%';
 
 CREATE USER IF NOT EXISTS 'spdrwrw'@'%' IDENTIFIED BY 'secret';
 GRANT ALL PRIVILEGES ON spdashboard.* TO 'spdrwrw'@'%';
+
+CREATE USER IF NOT EXISTS 'sbs'@'%' IDENTIFIED BY 'secret';
+GRANT ALL PRIVILEGES ON sbs.* TO 'sbs'@'%';

core/docker-compose.yml

@@ -21,6 +21,7 @@ services:
           - spdashboard.dev.openconext.local
           - mujina-idp.dev.openconext.local
           - invite.dev.openconext.local
+          - sbs.dev.openconext.local
     hostname: haproxy.docker
 
   mariadb:
@@ -416,6 +417,72 @@ services:
       coreconextdev:
     hostname: mailcatcher.docker
 
+  redis:
+    image: "docker.io/redis"
+    healthcheck:
+      test: ["CMD", "redis-cli","ping"]
+      timeout: 5s
+      retries: 10
+    networks:
+      coreconextdev:
+    hostname: redis.docker
+
+  # This is apache RP
+  #   client -> sbs-client:3000
+  #   api    -> sbs-api:8080
+  sbs:
+    image: ghcr.io/surfscz/sram-sbs-client:openconext-dev
+    ports:
+      - 8080:80
+    networks:
+      coreconextdev:
+    # volumes:
+    #   - ./sbs/apache.conf:/etc/apache2/sites-enabled/apache.conf:ro"
+    hostname: sbs.docker
+    depends_on:
+      sbs-server:
+        condition: service_healthy
+
+  # This is the version with node/yarn
+  # sbs-client:
+  #   image: "node:22"
+  #   environment:
+  #     - NODE_ENV=development
+  #     - HOST=0.0.0.0
+  #     - PORT=8080
+  #   networks:
+  #     coreconextdev:
+  #   healthcheck:
+  #     test: ["CMD", "curl", "--fail", "-s", "http://localhost:8080/index.html"]
+  #     timeout: 5s
+  #     retries: 10
+  #   volumes:
+  #     - ../../SBS/client:/home/node/app
+  #   working_dir: /home/node/app
+  #   hostname: sbs-client.docker
+  #   command: "yarn start"
+
+  sbs-server:
+    image: ghcr.io/surfscz/sram-sbs-server:openconext-dev
+    environment:
+      TESTING: 1
+      PROFILE: "local"
+      ALLOW_MOCK_USER_API: 1
+    volumes:
+      - ./sbs/config:/opt/sbs/config
+    networks:
+      coreconextdev:
+    healthcheck:
+      test: ["CMD", "curl", "--fail", "-s", "http://localhost:8080/health"]
+      timeout: 5s
+      retries: 10
+    hostname: sbs-server.docker
+    depends_on:
+      redis:
+        condition: service_healthy
+      mariadb:
+        condition: service_healthy
+
 networks:
   coreconextdev:
     driver: bridge

core/sbs/apache-dev.conf

@@ -0,0 +1,30 @@
+ServerName sbs
+DocumentRoot /var/www/html
+
+Header set Content-Security-Policy "default-src 'self'; base-uri 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-src 'none'; form-action 'self' https://*.dev.openconext.local; frame-ancestors 'none'; block-all-mixed-content;"
+Header set Permissions-Policy      "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(self), gamepad=(), speaker-selection=()"
+
+#RewriteEngine On
+#RewriteCond %{REQUEST_URI} !^/(api|pam-weblogin|flasgger_static|swagger|health|config|info|socket.io)
+#RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
+#RewriteRule ^/(.*)$ /index.html  [L]
+
+ProxyRequests off
+ProxyPassMatch  ^/(api|pam-weblogin|flasgger_static|swagger|health|config|info) http://sbs-server:8080/
+ProxyPassReverse / http://sbs-server:8080/
+ProxyPass /socket.io/ ws://sbs-server:8080/socket.io/
+ProxyPassReverse /socket.io/ ws://sbs-server:8080/socket.io/
+ProxyPass / http://sbs-client:8080/
+ProxyPassReverse / http://sbs-client:8080/
+
+<If "%{REQUEST_URI} =~ m#^/api/images/#">
+    Header set Cache-Control:  "public, max-age=31536000, immutable"
+</If>
+<ElseIf "%{REQUEST_URI} =~ m#^/(api|pam-weblogin|flasgger_static|swagger|health|config|info)#">
+    Header set Cache-Control:  "no-cache, private"
+</ElseIf>
+
+<Directory /var/www/html>
+    Require all granted
+    Options -Indexes
+</Directory>

core/sbs/apache.conf

@@ -0,0 +1,31 @@
+Listen 8080
+<VirtualHost *:8080>
+    ServerName sbs
+    DocumentRoot /opt/sbs/client/build
+
+    Header set Content-Security-Policy "default-src 'self'; base-uri 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-src 'none'; form-action 'self' https://*.dev.openconext.local; frame-ancestors 'none'; block-all-mixed-content;"
+    Header set Permissions-Policy      "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(self), gamepad=(), speaker-selection=()"
+
+    #RewriteEngine On
+    #RewriteCond %{REQUEST_URI} !^/(api|pam-weblogin|flasgger_static|swagger|health|config|info|socket.io)
+    #RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
+    #RewriteRule ^/(.*)$ /index.html  [L]
+
+    ProxyRequests off
+    ProxyPassMatch  ^/(api|pam-weblogin|flasgger_static|swagger|health|config|info) http://sbs-server:8080/
+    ProxyPassReverse / http://sbs-server:8080/
+    ProxyPass /socket.io/ ws://sbs-server:8080/socket.io/
+    ProxyPassReverse /socket.io/ ws://sbs-server:8080/socket.io/
+
+    <If "%{REQUEST_URI} =~ m#^/api/images/#">
+        Header set Cache-Control:  "public, max-age=31536000, immutable"
+    </If>
+    <ElseIf "%{REQUEST_URI} =~ m#^/(api|pam-weblogin|flasgger_static|swagger|health|config|info)#">
+        Header set Cache-Control:  "no-cache, private"
+    </ElseIf>
+
+    <Directory /opt/sbs/client/build>
+        Require all granted
+        Options -Indexes
+    </Directory>
+</VirtualHost>

core/sbs/config/alembic.ini

@@ -0,0 +1,72 @@
+# A generic, single database configuration.
+
+[alembic]
+# path to migration scripts
+script_location = migrations
+
+# template used to generate migration files
+# file_template = %%(rev)s_%%(slug)s
+
+# timezone to use when rendering the date
+# within the migration file as well as the filename.
+# string value is passed to dateutil.tz.gettz()
+# leave blank for localtime
+# timezone =
+
+# max length of characters to apply to the
+# "slug" field
+#truncate_slug_length = 40
+
+# set to 'true' to run the environment during
+# the 'revision' command, regardless of autogenerate
+# revision_environment = false
+
+# set to 'true' to allow .pyc and .pyo files without
+# a source .py file to be detected as revisions in the
+# versions/ directory
+# sourceless = false
+
+# version location specification; this defaults
+# to alembic/versions.  When using multiple version
+# directories, initial revisions must be specified with --version-path
+# version_locations = %(here)s/bar %(here)s/bat alembic/versions
+
+# the output encoding used when revision files
+# are written from script.py.mako
+# output_encoding = utf-8
+
+sqlalchemy.url = {{ sbs_db_connection_migration }}
+
+# Logging configuration
+[loggers]
+keys = root,sqlalchemy,alembic
+
+[handlers]
+keys = console
+
+[formatters]
+keys = generic
+
+[logger_root]
+level = NOTSET
+handlers = console
+
+[logger_sqlalchemy]
+level = WARN
+handlers =
+qualname = sqlalchemy.engine
+
+[logger_alembic]
+level = INFO
+handlers =
+qualname = alembic
+
+[handler_console]
+class = StreamHandler
+args = (sys.stderr,)
+level = DEBUG
+formatter = generic
+
+[formatter_generic]
+format = %(levelname)-5.5s [%(name)s] %(message)s
+datefmt = %H:%M:%S