Ship OA4MP in the Pelican docker image

OA4MP is the selected token issuer for Pelican. It's a tough one to wrangle as it's from the Java universe and the team has less experience in Java. For now, just stage the application into the container allowing developers to start kicking the tires.
jhiemstrawisc · Oct 3, 2023 · 01b7c0d · 01b7c0d
1 parent e0c7d48
commit 01b7c0d
Show file tree

Hide file tree

Showing 2 changed files with 137 additions and 0 deletions.
diff --git a/images/Dockerfile b/images/Dockerfile
@@ -37,6 +37,8 @@ COPY --from=website-build /webapp/out ./origin_ui/src/out
 
 RUN goreleaser --clean --snapshot
 
+FROM hub.opensciencegrid.org/sciauth/scitokens-oauth2-server:release AS scitokens-oauth2-server
+
 FROM --platform=linux/amd64 opensciencegrid/software-base:$BASE_OSG_SERIES-el8-$BASE_YUM_REPO
 
 # Create the xrootd user with a fixed GID/UID
@@ -47,6 +49,7 @@ RUN useradd -o -u 10940 -g 10940 -s /bin/sh xrootd
 RUN yum -y update \
     && yum -y install xrootd xrootd-client xrootd-server \
     && yum clean all \
+    && yum install -y curl java-11-openjdk-headless java-11-openjdk-devel \
     && rm -rf /var/cache/yum/
 
 WORKDIR /pelican
@@ -60,6 +63,61 @@ COPY images/supervisord/supervisord.conf /etc/supervisord.conf
 COPY images/supervisord/* /etc/supervisord.d/
 COPY images/entrypoint.sh /entrypoint.sh
 
+
+####
+# Now, start installing the SciTokens OA4MP server from
+# - https://github.com/scitokens/scitokens-oauth2-server/blob/master/Dockerfile
+####
+
+# Download and install tomcat
+RUN useradd -r -s /sbin/nologin tomcat ;\
+    mkdir -p /opt/tomcat ;\
+    curl -s -L https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.80/bin/apache-tomcat-9.0.80.tar.gz | tar -zxf - -C /opt/tomcat --strip-components=1 ;\
+    chgrp -R tomcat /opt/tomcat/conf ;\
+    chmod g+rwx /opt/tomcat/conf ;\
+    chmod g+r /opt/tomcat/conf/* ;\
+    chown -R tomcat /opt/tomcat/logs/ /opt/tomcat/temp/ /opt/tomcat/webapps/ /opt/tomcat/work/ ;\
+    chgrp -R tomcat /opt/tomcat/bin /opt/tomcat/lib ;\
+    chmod g+rwx /opt/tomcat/bin ;\
+    chmod g+r /opt/tomcat/bin/* ;\
+    ln -s /usr/lib64/libapr-1.so.0 /opt/tomcat/lib/libapr-1.so.0
+
+RUN \
+    # Create various empty directories needed by the webapp
+    mkdir -p /opt/tomcat/webapps/scitokens-server ;\
+    curl -s -L https://github.com/javaee/javamail/releases/download/JAVAMAIL-1_6_2/javax.mail.jar > /opt/tomcat/lib/javax.mail.jar ;\
+    # Install support for the QDL CLI
+    curl -L -s https://github.com/ncsa/OA4MP/releases/download/v5.3.1/oa2-qdl-installer.jar >/tmp/oa2-qdl-installer.jar ;\
+    java -jar /tmp/oa2-qdl-installer.jar -dir /opt/qdl ;\
+    rm /tmp/oa2-qdl-installer.jar ;\
+    mkdir -p /opt/qdl/var/scripts ;\
+    # Remove the default manager apps and examples -- we don't use these
+    rm -rf /opt/tomcat/webapps/ROOT /opt/tomcat/webapps/docs /opt/tomcat/webapps/examples /opt/tomcat/webapps/host-manager /opt/tomcat/webapps/manager ;\
+    true;
+
+# The generate_jwk.sh script is part of the documented bootstrap of the container.
+COPY --from=scitokens-oauth2-server /usr/local/bin/generate_jwk.sh /usr/local/bin/generate_jwk.sh
+
+# Add other QDL CLI tools and configs
+COPY --from=scitokens-oauth2-server /opt/qdl /opt/qdl
+
+# Add in the tomcat server configuration
+COPY --from=scitokens-oauth2-server --chown=root:tomcat /opt/tomcat/conf/server.xml /opt/tomcat/conf/server.xml
+
+# Copy over the OA4MP webapp.
+COPY --from=scitokens-oauth2-server --chown=tomcat:tomcat /opt/tomcat/webapps/scitokens-server/WEB-INF/web.xml /opt/tomcat/webapps/scitokens-server/WEB-INF/web.xml
+COPY --from=scitokens-oauth2-server --chown=tomcat:tomcat /opt/scitokens-server/ /opt/scitokens-server/
+
+ENV JAVA_HOME=/usr/lib/jvm/jre \
+    CATALINA_PID=/opt/tomcat/temp/tomcat.pid \
+    CATALINA_HOME=/opt/tomcat \
+    CATALINA_BASE=/opt/tomcat \
+    CATALINA_OPTS="-Xms512M -Xmx1024M -server -XX:+UseParallelGC" \
+    JAVA_OPTS="-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Djava.library.path=/opt/tomcat/lib" \
+    ST_HOME="/opt/scitokens-server" \
+    QDL_HOME="/opt/qdl" \
+    PATH="${ST_HOME}/bin:${QDL_HOME}/bin:${PATH}"
+
 RUN chmod +x /pelican/osdf-client \
     && chmod +x /entrypoint.sh
 

diff --git a/images/entrypoint.sh b/images/entrypoint.sh
@@ -17,6 +17,85 @@
 
 supervisord -c /etc/supervisord.conf
 
+####
+# Setup the OA4MP configuration.  Items are taken from https://github.com/scitokens/scitokens-oauth2-server/blob/master/start.sh
+# which appears to have an Apache 2.0 license.
+####
+
+# Set the hostname
+sed s+\{HOSTNAME\}+$HOSTNAME+g /opt/scitokens-server/etc/server-config.xml.tmpl > /opt/scitokens-server/etc/server-config.xml
+chgrp tomcat /opt/scitokens-server/etc/server-config.xml
+
+# Set the path in case the bash profile reset it from the container default.
+export PATH="${ST_HOME}/bin:${QDL_HOME}/bin:${PATH}"
+
+# Run the boot to inject the template
+${QDL_HOME}/var/scripts/boot.qdl
+
+# check for one or more files in a directory
+if [ -e /opt/scitokens-server/etc/qdl/ ]; then
+    # Note that `-L` is added here; this is because Kubernetes sets up some volume mounts
+    # as symlinks and `-r` will copy the symlinks (which then becomes broken).  `-L` will
+    # dereference the symlink and copy the data, which is what we want.
+    cp -rL /opt/scitokens-server/etc/qdl/*.qdl /opt/scitokens-server/var/qdl/scitokens/
+    chown -R tomcat /opt/scitokens-server/var/qdl/
+fi
+
+# Load up additional trust roots.  If OA4MP needs to contact a LDAP server, we will need
+# the CA that signed the LDAP server's certificate to be in the java trust store.
+if [ -e /opt/scitokens-server/etc/trusted-cas ]; then
+
+    shopt -s nullglob
+    for fullfile in /opt/scitokens-server/etc/trusted-cas/*.pem; do
+        echo "Importing CA certificate $fullfile into the Java trusted CA store."
+        aliasname=$(basename "$file")
+        aliasname="${filename%.*}"
+        keytool -cacerts -importcert -noprompt -storepass changeit -file "$fullfile" -alias "$aliasname"
+    done
+    shopt -u nullglob
+
+fi
+
+######
+###   OA4MP parking lot: these items need to be migrated to be generated by the `pelican origin serve` command
+######
+
+## Set the hostname and OIDC configuraiton in the proxy-config
+# sed s+\{HOSTNAME\}+$HOSTNAME+g /opt/scitokens-server/etc/proxy-config.xml.tmpl | \
+# sed s+\{CLIENT_ID\}+$CLIENT_ID+g | \
+# sed s+\{CLIENT_SECRET\}+$CLIENT_SECRET+g > /opt/scitokens-server/etc/proxy-config.xml
+# chgrp tomcat /opt/scitokens-server/etc/proxy-config.xml
+
+# Check for the JWKS key in the right location
+#if [ ! -e /opt/scitokens-server/etc/keys.jwk ]; then
+#    echo "Please provide a JWKS key in the file /opt/scitokens-server/etc/keys.jwk.  Please generate it with the following command:"
+#    echo "sudo docker run --rm  hub.opensciencegrid.org/sciauth/lightweight-token-issuer generate_jwk.sh > keys.jwk"
+#    echo "And volume mount the keys.jwk to /opt/scitokens-server/etc/keys.jwk within the container."
+#    exit 1
+#fi
+
+#####
+##### End OA4MP parking lot
+#####
+
+# Tomcat requires us to provide the intermediate chain (which, in Kubernetes, is often in the same
+# file as the host certificate itself.  If there wasn't one provided, try splitting it out.
+if [ ! -e /opt/tomcat/conf/chain.pem ]; then
+    echo "No chain present for host cert; trying to derive one"
+    pushd /tmp > /dev/null
+    if csplit -f tls- -b "%02d.crt.pem" -s -z "/opt/tomcat/conf/hostcert.pem" '/-----BEGIN CERTIFICATE-----/' '{1}' 2>/dev/null ; then
+        echo "Chain present in hostcert.pem; using it."
+        cp /tmp/tls-01.crt.pem /opt/tomcat/conf/chain.pem
+        rm /tmp/tls-*.crt.pem
+    else
+        echo "No chain present; will use empty file"
+        # No intermediate CAs found.  Create an empty file.
+        touch /opt/tomcat/conf/chain.pem
+    fi
+    popd > /dev/null
+fi
+
+
 # grab whatever arg is passed to container run command
 # and use it to launch the corresponding pelican_X daemon
 # (eg running the container with the arg director_serve will