diff --git a/.github/workflows/container-build.yml b/.github/workflows/container-build.yml
index d28428c..bd94bee 100644
--- a/.github/workflows/container-build.yml
+++ b/.github/workflows/container-build.yml
@@ -16,7 +16,7 @@ jobs:
steps:
- name: make date tag
id: mkdatetag
- run: echo "::set-output name=dtag::$(date +%Y%m%d-%H%M)"
+ run: echo "dtag=$(date +%Y%m%d-%H%M)" >> $GITHUB_OUTPUT
build:
runs-on: ubuntu-latest
@@ -24,9 +24,9 @@ jobs:
strategy:
fail-fast: False
matrix:
- repo: ['development', 'testing', 'release']
+ repo: ['release']
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: Generate tag list
id: generate-tag-list
@@ -44,20 +44,20 @@ jobs:
# This causes the tag_list array to be comma-separated below,
# which is required for build-push-action
IFS=,
- echo "::set-output name=taglist::${tag_list[*]}"
+ echo "taglist=${tag_list[*]}" >> $GITHUB_OUTPUT
- name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v1
+ uses: docker/setup-buildx-action@v2.7.0
- name: Log in to OSG Harbor
- uses: docker/login-action@v1
+ uses: docker/login-action@v2.2.0
with:
registry: hub.opensciencegrid.org
username: ${{ secrets.OSG_HARBOR_ROBOT_USER }}
password: ${{ secrets.OSG_HARBOR_ROBOT_PASSWORD }}
- name: Build and push Docker images
- uses: docker/build-push-action@v2.2.0
+ uses: docker/build-push-action@v4
with:
context: .
push: true
diff --git a/Dockerfile b/Dockerfile
index 3dc2c5c..d500304 100644
--- a/Dockerfile
+++ b/Dockerfile
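Review bot: `>> $GITHUB_OUTPUT` is left unquoted in the `mkdatetag` step and again in the `generate-tag-list` step of the third hunk, so the redirect target is subject to word splitting and shellcheck will flag it. Write `>> "$GITHUB_OUTPUT"` in both places. The `taglist` line only yields a comma-separated value because of the `IFS=,` assignment kept just above it, which the existing comment already explains, so no further change is needed there.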
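Review bot: Action pinning is inconsistent across the second and third hunks: `docker/setup-buildx-action@v2.7.0` and `docker/login-action@v2.2.0` are pinned to exact tags, while `actions/checkout@v3` and `docker/build-push-action@v4` float on a mutable major tag, so an upstream tag move silently changes the code that runs in a job holding the `OSG_HARBOR_ROBOT_*` registry credentials. Pin all four the same way, preferably to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<commit-sha>  # v3`. The `repo: ['release']` line also deserves a one-line comment saying why `development` and `testing` were dropped, since the tag list built in the next step presumably keys off the matrix value.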
@@ -1,107 +1,68 @@
FROM hub.opensciencegrid.org/opensciencegrid/software-base:3.6-al8-release
-RUN yum install -y curl java-11-openjdk java-11-openjdk-devel
+RUN yum install -y curl java-11-openjdk-headless java-11-openjdk-devel
# Download and install tomcat
RUN useradd -r -s /sbin/nologin tomcat ;\
-mkdir -p /opt/tomcat ;\
-curl -s -L https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.69/bin/apache-tomcat-9.0.69.tar.gz | tar -zxf - -C /opt/tomcat --strip-components=1 ;\
-chgrp -R tomcat /opt/tomcat/conf ;\
-chmod g+rwx /opt/tomcat/conf ;\
-chmod g+r /opt/tomcat/conf/* ;\
-chown -R tomcat /opt/tomcat/logs/ /opt/tomcat/temp/ /opt/tomcat/webapps/ /opt/tomcat/work/ ;\
-chgrp -R tomcat /opt/tomcat/bin /opt/tomcat/lib ;\
-chmod g+rwx /opt/tomcat/bin ;\
-chmod g+r /opt/tomcat/bin/*
-
-ADD server.xml /opt/tomcat/conf/server.xml
-RUN chgrp -R tomcat /opt/tomcat/conf/server.xml ;\
-chmod go+r /opt/tomcat/conf/server.xml
-
-ADD add-trust-root.pem /opt/tomcat/conf/add-trust-root.pem
-ADD comodo-rsa.pem /opt/tomcat/conf/comodo-rsa.pem
-ADD incommon-igtf.pem /opt/tomcat/conf/incommon-igtf.pem
-RUN cat /opt/tomcat/conf/incommon-igtf.pem /opt/tomcat/conf/comodo-rsa.pem /opt/tomcat/conf/add-trust-root.pem > /opt/tomcat/conf/CA-bundle.pem && \
- keytool -cacerts -importcert -noprompt -storepass changeit -file /opt/tomcat/conf/incommon-igtf.pem -alias incommon && \
- keytool -cacerts -importcert -noprompt -storepass changeit -file /opt/tomcat/conf/comodo-rsa.pem -alias comodo && \
- keytool -cacerts -importcert -noprompt -storepass changeit -file /opt/tomcat/conf/add-trust-root.pem -alias addtrust
-
-#ADD tomcat.service /etc/systemd/system/tomcat.service
-#RUN systemctl enable tomcat.service
-
-COPY --chown=tomcat:tomcat scitokens-server /opt
-RUN curl -s -L https://github.com/ncsa/OA4MP/releases/download/v5.3.1/oauth2.war > /opt/tomcat/webapps/scitokens-server.war ;\
-mkdir -p /opt/tomcat/webapps/scitokens-server ;\
-cd /opt/tomcat/webapps/scitokens-server ;\
-jar -xf ../scitokens-server.war ;\
-chgrp -R tomcat /opt/tomcat/webapps/scitokens-server ;\
-mkdir -p /opt/tomcat/var/storage/scitokens-server ;\
-chown -R tomcat:tomcat /opt/tomcat/var/storage/scitokens-server ;\
-rm -rf /opt/tomcat/webapps/ROOT /opt/tomcat/webapps/docs /opt/tomcat/webapps/examples /opt/tomcat/webapps/host-manager /opt/tomcat/webapps/manager
-COPY --chown=tomcat:tomcat scitokens-server/web.xml /opt/tomcat/webapps/scitokens-server/WEB-INF/web.xml
-RUN chmod 644 /opt/tomcat/webapps/scitokens-server/WEB-INF/web.xml
-
-# need to put the java mail jar into the tomcat lib directory
-RUN curl -s -L https://github.com/javaee/javamail/releases/download/JAVAMAIL-1_6_2/javax.mail.jar > /opt/tomcat/lib/javax.mail.jar
-
-# Make JWK a volume mount
-RUN mkdir -p /opt/scitokens-server/bin && mkdir -p /opt/scitokens-server/etc && mkdir -p /opt/scitokens-server/etc/templates && mkdir -p /opt/scitokens-server/lib && mkdir -p /opt/scitokens-server/log && mkdir -p /opt/scitokens-server/var/qdl/scitokens && mkdir -p /opt/scitokens-server/var/storage/file_store
-
-# Create a single key in the etc directory for signing
-RUN curl -s -L https://github.com/ncsa/OA4MP/releases/download/v5.3.1/jwt.jar > /opt/scitokens-server/lib/jwt.jar
-
-# Make server configuration a volume mount
-ADD scitokens-server/etc/server-config.xml /opt/scitokens-server/etc/server-config.xml.tmpl
-ADD scitokens-server/etc/proxy-config.xml /opt/scitokens-server/etc/proxy-config.xml.tmpl
-
-ADD scitokens-server/bin/scitokens-cli /opt/scitokens-server/bin/scitokens-cli
-RUN curl -L -s https://github.com/ncsa/OA4MP/releases/download/v5.3.1/cli.jar >/opt/scitokens-server/lib/scitokens-cli.jar ;\
-chmod +x /opt/scitokens-server/bin/scitokens-cli
-
-ADD scitokens-server/etc/templates/client-template.xml /opt/scitokens-server/etc/templates/client-template.xml
-ADD scitokens-server/etc/templates/readme.txt /opt/scitokens-server/etc/templates/readme.txt
-ADD scitokens-server/var/qdl/scitokens/policies.qdl /opt/scitokens-server/var/qdl/scitokens/policies.qdl
-RUN chgrp tomcat /opt/scitokens-server/var/qdl/scitokens/policies.qdl
-# Java 11 apparently does not identify the mime type for .json files quite right.
-ADD scitokens-server/var/qdl/user-config.json /opt/scitokens-server/var/qdl/user-config.txt
-RUN chgrp tomcat /opt/scitokens-server/var/qdl/user-config.txt
-RUN ln -s /usr/lib64/libapr-1.so.0 /opt/tomcat/lib/libapr-1.so.0
-
+ mkdir -p /opt/tomcat ;\
+ curl -s -L https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.69/bin/apache-tomcat-9.0.69.tar.gz | tar -zxf - -C /opt/tomcat --strip-components=1 ;\
+ chgrp -R tomcat /opt/tomcat/conf ;\
+ chmod g+rwx /opt/tomcat/conf ;\
+ chmod g+r /opt/tomcat/conf/* ;\
+ chown -R tomcat /opt/tomcat/logs/ /opt/tomcat/temp/ /opt/tomcat/webapps/ /opt/tomcat/work/ ;\
+ chgrp -R tomcat /opt/tomcat/bin /opt/tomcat/lib ;\
+ chmod g+rwx /opt/tomcat/bin ;\
+ chmod g+r /opt/tomcat/bin/* ;\
+ ln -s /usr/lib64/libapr-1.so.0 /opt/tomcat/lib/libapr-1.so.0
+
+RUN \
+ # Create various empty directories needed by the webapp
+ mkdir -p /opt/scitokens-server/etc/trusted-cas &&\
+ mkdir -p /opt/scitokens-server/lib &&\
+ mkdir -p /opt/scitokens-server/log &&\
+ mkdir -p /opt/scitokens-server/var/storage/file_store &&\
+ mkdir -p /opt/tomcat/webapps/scitokens-server ;\
+ # Install the OA4MP webapp and associated dependencies.
+ curl -s -L https://github.com/ncsa/OA4MP/releases/download/v5.3.1/oauth2.war > /opt/tomcat/webapps/scitokens-server.war ;\
+ curl -s -L https://github.com/javaee/javamail/releases/download/JAVAMAIL-1_6_2/javax.mail.jar > /opt/tomcat/lib/javax.mail.jar ;\
+ curl -s -L https://github.com/ncsa/OA4MP/releases/download/v5.3.1/jwt.jar > /opt/scitokens-server/lib/jwt.jar ;\
+ curl -L -s https://github.com/ncsa/OA4MP/releases/download/v5.3.1/cli.jar > /opt/scitokens-server/lib/scitokens-cli.jar ;\
+ cd /opt/tomcat/webapps/scitokens-server ;\
+ jar -xf ../scitokens-server.war ;\
+ chgrp -R tomcat /opt/tomcat/webapps/scitokens-server ;\
+ mkdir -p /opt/tomcat/var/storage/scitokens-server ;\
+ chown -R tomcat:tomcat /opt/tomcat/var/storage/scitokens-server ;\
+ # Install support for the QDL CLI
+ curl -L -s https://github.com/ncsa/OA4MP/releases/download/v5.3.1/oa2-qdl-installer.jar >/tmp/oa2-qdl-installer.jar ;\
+ java -jar /tmp/oa2-qdl-installer.jar -dir /opt/qdl ;\
+ rm /tmp/oa2-qdl-installer.jar ;\
+ mkdir -p /opt/qdl/var/scripts ;\
+ # Remove the default manager apps and examples -- we don't use these
+ rm -rf /opt/tomcat/webapps/ROOT /opt/tomcat/webapps/docs /opt/tomcat/webapps/examples /opt/tomcat/webapps/host-manager /opt/tomcat/webapps/manager ;\
+ true;
+
+# The generate_jwk.sh script is part of the documented bootstrap of the container.
ADD generate_jwk.sh /usr/local/bin/generate_jwk.sh
-# QDL support 21-01-2021
-RUN curl -L -s https://github.com/ncsa/OA4MP/releases/download/v5.3.1/oa2-qdl-installer.jar >/tmp/oa2-qdl-installer.jar ;\
-java -jar /tmp/oa2-qdl-installer.jar -dir /opt/qdl
-
-RUN mkdir -p /opt/qdl/var/scripts
-
-ADD qdl/etc/qdl.properties /opt/qdl/etc/qdl.properties
-ADD qdl/etc/qdl-cfg.xml /opt/qdl/etc/qdl-cfg.xml
-
-ADD qdl/var/scripts/boot.qdl /opt/qdl/var/scripts/boot.qdl
-RUN chmod +x /opt/qdl/var/scripts/boot.qdl
-
-ADD qdl/bin/qdl /opt/qdl/bin/qdl
-RUN chmod +x /opt/qdl/bin/qdl
+# Add other QDL CLI tools and configs not part of the default installer
+COPY qdl /opt/qdl
-ADD qdl/bin/qdl-run /opt/qdl/bin/qdl-run
-RUN chmod +x /opt/qdl/bin/qdl-run
-# END QDL support
+# Add in the tomcat server configuration
+ADD --chown=root:tomcat server.xml /opt/tomcat/conf/server.xml
-ENV JAVA_HOME=/usr/lib/jvm/jre
-ENV CATALINA_PID=/opt/tomcat/temp/tomcat.pid
-ENV CATALINA_HOME=/opt/tomcat
-ENV CATALINA_BASE=/opt/tomcat
-ENV CATALINA_OPTS="-Xms512M -Xmx1024M -server -XX:+UseParallelGC"
-ENV JAVA_OPTS="-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Djava.library.path=/opt/tomcat/lib"
-ENV ST_HOME="/opt/scitokens-server"
-ENV QDL_HOME="/opt/qdl"
-ENV PATH="${ST_HOME}/bin:${QDL_HOME}/bin:${PATH}"
+# Copy over our configuration of the OA4MP webapp.
+COPY --chown=tomcat:tomcat scitokens-server/web.xml /opt/tomcat/webapps/scitokens-server/WEB-INF/web.xml
+COPY --chown=tomcat:tomcat scitokens-server/ /opt/scitokens-server/
+
+ENV JAVA_HOME=/usr/lib/jvm/jre \
+ CATALINA_PID=/opt/tomcat/temp/tomcat.pid \
+ CATALINA_HOME=/opt/tomcat \
+ CATALINA_BASE=/opt/tomcat \
+ CATALINA_OPTS="-Xms512M -Xmx1024M -server -XX:+UseParallelGC" \
+ JAVA_OPTS="-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Djava.library.path=/opt/tomcat/lib" \
+ ST_HOME="/opt/scitokens-server" \
+ QDL_HOME="/opt/qdl" \
+ PATH="${ST_HOME}/bin:${QDL_HOME}/bin:${PATH}"
-#RUN "${QDL_HOME}/var/scripts/boot.qdl"
ADD start.sh /start.sh
CMD ["/start.sh"]
-
-
-
-
diff --git a/qdl/bin/qdl-run b/qdl/bin/qdl-run
old mode 100644
new mode 100755
index cfd93f3..fd6d929
--- a/qdl/bin/qdl-run
+++ b/qdl/bin/qdl-run
@@ -1,3 +1,4 @@
+#!/bin/sh
# The script to invoke the QDL interpreter.
CFG_FILE="$QDL_HOME/etc/qdl-cfg.xml"
diff --git a/qdl/var/scripts/boot.qdl b/qdl/var/scripts/boot.qdl
old mode 100644
new mode 100755
index ffdc4e7..12e4d9f
--- a/qdl/var/scripts/boot.qdl
+++ b/qdl/var/scripts/boot.qdl
@@ -1,4 +1,4 @@
-#! /usr/bin/env qdl-run
+#!/usr/bin/env qdl-run
/* Boot script in QDL to set up a new OA4MP issuer install. This is run exactly
diff --git a/scitokens-server/bin/scitokens-cli b/scitokens-server/bin/scitokens-cli
old mode 100644
new mode 100755
index bdd89a2..94eaf3b
--- a/scitokens-server/bin/scitokens-cli
+++ b/scitokens-server/bin/scitokens-cli
@@ -1,3 +1,4 @@
+#!/bin/sh
# Run the OA4MP command processor. This will allow you to edit, create or remove
# clients, approvals, users and archived users. You can also reset the counter and do copy
# operations from one store to another
diff --git a/scitokens-server/etc/proxy-config.xml b/scitokens-server/etc/proxy-config.xml.tmpl
similarity index 83%
rename from scitokens-server/etc/proxy-config.xml
rename to scitokens-server/etc/proxy-config.xml.tmpl
index a7ec92f..882d91a 100644
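Review bot: The consolidated `RUN \` block (from `mkdir -p /opt/scitokens-server/etc/trusted-cas` through `true;`) cannot fail the image build: every download is `curl -s -L` without `-f`, so an HTTP error body is silently written into `scitokens-server.war` or one of the jars and curl still exits 0, the steps are joined with `;\` instead of `&&`, and the chain ends in `true;`. Put `set -e ;\` as the first line after `RUN \`, use `curl -sfL` for the five downloads, and delete the `true;` line; the `RUN useradd ... ;\` chain above it has the same `;\` problem plus an unchecked `curl | tar` pipe, which only `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` (if bash is in the base image) would surface. None of the fetched artifacts (`oauth2.war`, `javax.mail.jar`, `jwt.jar`, `cli.jar`, `oa2-qdl-installer.jar`, the Tomcat tarball) is checksum-verified; the old file lacked that too, but this rewrite is the place to add a `sha256sum -c` after each download. Since the `keytool -cacerts` imports of the IGTF/InCommon roots are removed here and `/opt/scitokens-server/etc/trusted-cas` is created instead, the comment above the `RUN \` block should say that trust roots are now imported at start-up from that directory rather than baked into the image.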
--- a/scitokens-server/etc/proxy-config.xml
+++ b/scitokens-server/etc/proxy-config.xml.tmpl
@@ -1,11 +1,10 @@
+ logFileCount="1"
+ debug="trace"/> {CLIENT_ID} {CLIENT_SECRET} https://{HOSTNAME}/scitokens-server/ready
diff --git a/scitokens-server/etc/server-config.xml b/scitokens-server/etc/server-config.xml.tmpl
similarity index 95%
rename from scitokens-server/etc/server-config.xml
rename to scitokens-server/etc/server-config.xml.tmpl
index e51f734..bc5869f 100644
--- a/scitokens-server/etc/server-config.xml
+++ b/scitokens-server/etc/server-config.xml.tmpl
@@ -18,10 +18,9 @@ address="https://{HOSTNAME}/scitokens-server">
diff --git a/scitokens-server/var/qdl/user-config.json b/scitokens-server/var/qdl/user-config.txt
similarity index 100%
rename from scitokens-server/var/qdl/user-config.json
rename to scitokens-server/var/qdl/user-config.txt
diff --git a/server.xml b/server.xml
index 88f9bb4..e4a1827 100644
--- a/server.xml
+++ b/server.xml
@@ -114,7 +114,7 @@
diff --git a/start.sh b/start.sh
index fefc560..457f6b5 100755
--- a/start.sh
+++ b/start.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
# Set the hostname
sed s+\{HOSTNAME\}+$HOSTNAME+g /opt/scitokens-server/etc/server-config.xml.tmpl > /opt/scitokens-server/etc/server-config.xml
@@ -8,6 +8,9 @@ sed s+\{CLIENT_SECRET\}+$CLIENT_SECRET+g > /opt/scitokens-server/etc/proxy-confi
chgrp tomcat /opt/scitokens-server/etc/server-config.xml
chgrp tomcat /opt/scitokens-server/etc/proxy-config.xml
+# Set the path in case the bash profile reset it from the container default.
+export PATH="${ST_HOME}/bin:${QDL_HOME}/bin:${PATH}"
+
# Run the boot to inject the template
${QDL_HOME}/var/scripts/boot.qdl
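Review bot: The new `debug="trace"` in `proxy-config.xml.tmpl` turns on the most verbose log level for the OA4MP proxy client, in the same template that `start.sh` fills with `{CLIENT_ID}` and `{CLIENT_SECRET}` and that the workflow now publishes only to the `release` repo. Trace-level output from an OAuth client may include request parameters and token material in the container log, so unless this is deliberate for a debugging cycle, ship a quieter level and let the deployer raise it, or at least add a comment above the attribute explaining why trace is the default. The enclosing XML element is not legible in this extraction, so I cannot tell which logger `logFileCount="1"` bounds; a short comment naming the log file it applies to would help a reader. The hunk header counts 11 lines becoming 10, so a removed line is also not visible in this view.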
@@ -21,10 +24,45 @@ fi
# check for one or more files in a directory
if [ -e /opt/scitokens-server/etc/qdl/ ]; then
- cp -r /opt/scitokens-server/etc/qdl/*.qdl /opt/scitokens-server/var/qdl/
+ # Note that `-L` is added here; this is because Kubernetes sets up some volume mounts
+ # as symlinks and `-r` will copy the symlinks (which then becomes broken). `-L` will
+ # dereference the symlink and copy the data, which is what we want.
+ cp -rL /opt/scitokens-server/etc/qdl/*.qdl /opt/scitokens-server/var/qdl/scitokens/
chown -R tomcat /opt/scitokens-server/var/qdl/
fi
+# Load up additional trust roots. If OA4MP needs to contact a LDAP server, we will need
+# the CA that signed the LDAP server's certificate to be in the java trust store.
+if [ -e /opt/scitokens-server/etc/trusted-cas ]; then
+
+ shopt -s nullglob
+ for fullfile in /opt/scitokens-server/etc/trusted-cas/*.pem; do
+ echo "Importing CA certificate $fullfile into the Java trusted CA store."
+ aliasname=$(basename "$file")
+ aliasname="${filename%.*}"
+ keytool -cacerts -importcert -noprompt -storepass changeit -file "$fullfile" -alias "$aliasname"
+ done
+ shopt -u nullglob
+
+fi
+
+# Tomcat requires us to provide the intermediate chain (which, in Kubernetes, is often in the same
+# file as the host certificate itself. If there wasn't one provided, try splitting it out.
+if [ ! -e /opt/tomcat/conf/chain.pem ]; then
+ echo "No chain present for host cert; trying to derive one"
+ pushd /tmp > /dev/null
+ if csplit -f tls- -b "%02d.crt.pem" -s -z "/opt/tomcat/conf/hostcert.pem" '/-----BEGIN CERTIFICATE-----/' '{1}' 2>/dev/null ; then
+ echo "Chain present in hostcert.pem; using it."
+ cp /tmp/tls-01.crt.pem /opt/tomcat/conf/chain.pem
+ rm /tmp/tls-*.crt.pem
+ else
+ echo "No chain present; will use empty file"
+ # No intermediate CAs found. Create an empty file.
+ touch /opt/tomcat/conf/chain.pem
+ fi
+ popd > /dev/null
+fi
+
# Start tomcat
exec /opt/tomcat/bin/catalina.sh run
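Review bot: In the trusted-cas loop, `aliasname=$(basename "$file")` and `aliasname="${filename%.*}"` read `$file` and `$filename`, neither of which is ever set (the loop variable is `fullfile`), so every certificate is imported under the same empty alias, at most the first `keytool -importcert` can succeed, and because the script has no `set -e` Tomcat still starts with a partial trust store. Change the two lines to `aliasname=$(basename "$fullfile")` and `aliasname="${aliasname%.*}"`. The `csplit` branch copies `/tmp/tls-01.crt.pem` as the chain, but whether that piece is the leaf or the first intermediate depends on how `-z` renumbers the elided empty first piece, so verify with a two-certificate `hostcert.pem` and check the chosen file is non-empty before copying it. A one-line comment next to `shopt -s nullglob` noting that `shopt`, `pushd` and `popd` are why the shebang moved to bash in the first hunk would save the next reader a search.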