Add client access time monitoring to the service.

.github/workflows/container-build.yml

@@ -16,17 +16,17 @@ jobs:
     steps:
     - name: make date tag
       id: mkdatetag
-      run: echo "::set-output name=dtag::$(date +%Y%m%d-%H%M)"
+      run: echo "dtag=$(date +%Y%m%d-%H%M)" >> $GITHUB_OUTPUT
 
   build:
     runs-on: ubuntu-latest
     needs: [make-date-tag]
     strategy:
       fail-fast: False
       matrix:
-        repo: ['development', 'testing', 'release']
+        repo: ['release']
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
 
     - name: Generate tag list
       id: generate-tag-list
@@ -44,20 +44,20 @@ jobs:
         # This causes the tag_list array to be comma-separated below,
         # which is required for build-push-action
         IFS=,
-        echo "::set-output name=taglist::${tag_list[*]}"
+        echo "taglist=${tag_list[*]}" >> $GITHUB_OUTPUT
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v1
+      uses: docker/setup-buildx-action@v2.7.0
 
     - name: Log in to OSG Harbor
-      uses: docker/login-action@v1
+      uses: docker/login-action@v2.2.0
       with:
         registry: hub.opensciencegrid.org
         username: ${{ secrets.OSG_HARBOR_ROBOT_USER }}
         password: ${{ secrets.OSG_HARBOR_ROBOT_PASSWORD }}
 
     - name: Build and push Docker images
-      uses: docker/build-push-action@v2.2.0
+      uses: docker/build-push-action@v4
       with:
         context: .
         push: true

Dockerfile

@@ -1,107 +1,68 @@
 FROM hub.opensciencegrid.org/opensciencegrid/software-base:3.6-al8-release
 
-RUN yum install -y curl java-11-openjdk java-11-openjdk-devel
+RUN yum install -y curl java-11-openjdk-headless java-11-openjdk-devel
 
 # Download and install tomcat
 RUN useradd -r -s /sbin/nologin tomcat ;\
-mkdir -p /opt/tomcat ;\
-curl -s -L https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.69/bin/apache-tomcat-9.0.69.tar.gz | tar -zxf - -C /opt/tomcat --strip-components=1 ;\
-chgrp -R tomcat /opt/tomcat/conf ;\
-chmod g+rwx /opt/tomcat/conf ;\
-chmod g+r /opt/tomcat/conf/* ;\
-chown -R tomcat /opt/tomcat/logs/ /opt/tomcat/temp/ /opt/tomcat/webapps/ /opt/tomcat/work/ ;\
-chgrp -R tomcat /opt/tomcat/bin /opt/tomcat/lib ;\
-chmod g+rwx /opt/tomcat/bin ;\
-chmod g+r /opt/tomcat/bin/*
-
-ADD server.xml /opt/tomcat/conf/server.xml
-RUN chgrp -R tomcat /opt/tomcat/conf/server.xml ;\
-chmod go+r /opt/tomcat/conf/server.xml
-
-ADD add-trust-root.pem /opt/tomcat/conf/add-trust-root.pem
-ADD comodo-rsa.pem /opt/tomcat/conf/comodo-rsa.pem
-ADD incommon-igtf.pem /opt/tomcat/conf/incommon-igtf.pem
-RUN cat /opt/tomcat/conf/incommon-igtf.pem /opt/tomcat/conf/comodo-rsa.pem /opt/tomcat/conf/add-trust-root.pem > /opt/tomcat/conf/CA-bundle.pem && \
-    keytool -cacerts -importcert -noprompt -storepass changeit -file /opt/tomcat/conf/incommon-igtf.pem -alias incommon && \
-    keytool -cacerts -importcert -noprompt -storepass changeit -file /opt/tomcat/conf/comodo-rsa.pem -alias comodo && \
-    keytool -cacerts -importcert -noprompt -storepass changeit -file /opt/tomcat/conf/add-trust-root.pem -alias addtrust
-
-#ADD tomcat.service /etc/systemd/system/tomcat.service
-#RUN systemctl enable tomcat.service
-
-COPY --chown=tomcat:tomcat scitokens-server /opt
-RUN curl -s -L https://github.com/ncsa/OA4MP/releases/download/v5.3.1/oauth2.war > /opt/tomcat/webapps/scitokens-server.war ;\
-mkdir -p /opt/tomcat/webapps/scitokens-server ;\
-cd /opt/tomcat/webapps/scitokens-server ;\
-jar -xf ../scitokens-server.war ;\
-chgrp -R tomcat /opt/tomcat/webapps/scitokens-server ;\
-mkdir -p /opt/tomcat/var/storage/scitokens-server ;\
-chown -R tomcat:tomcat /opt/tomcat/var/storage/scitokens-server ;\
-rm -rf /opt/tomcat/webapps/ROOT /opt/tomcat/webapps/docs /opt/tomcat/webapps/examples /opt/tomcat/webapps/host-manager /opt/tomcat/webapps/manager
-COPY --chown=tomcat:tomcat scitokens-server/web.xml /opt/tomcat/webapps/scitokens-server/WEB-INF/web.xml
-RUN chmod 644 /opt/tomcat/webapps/scitokens-server/WEB-INF/web.xml
-
-# need to put the java mail jar into the tomcat lib directory
-RUN curl -s -L https://github.com/javaee/javamail/releases/download/JAVAMAIL-1_6_2/javax.mail.jar > /opt/tomcat/lib/javax.mail.jar
-
-# Make JWK a volume mount
-RUN mkdir -p /opt/scitokens-server/bin && mkdir -p /opt/scitokens-server/etc && mkdir -p /opt/scitokens-server/etc/templates && mkdir -p /opt/scitokens-server/lib && mkdir -p /opt/scitokens-server/log && mkdir -p /opt/scitokens-server/var/qdl/scitokens && mkdir -p /opt/scitokens-server/var/storage/file_store
-
-# Create a single key in the etc directory for signing
-RUN curl -s -L https://github.com/ncsa/OA4MP/releases/download/v5.3.1/jwt.jar > /opt/scitokens-server/lib/jwt.jar
-
-# Make server configuration a volume mount
-ADD scitokens-server/etc/server-config.xml /opt/scitokens-server/etc/server-config.xml.tmpl
-ADD scitokens-server/etc/proxy-config.xml /opt/scitokens-server/etc/proxy-config.xml.tmpl
-
-ADD scitokens-server/bin/scitokens-cli /opt/scitokens-server/bin/scitokens-cli
-RUN curl -L -s https://github.com/ncsa/OA4MP/releases/download/v5.3.1/cli.jar >/opt/scitokens-server/lib/scitokens-cli.jar ;\
-chmod +x /opt/scitokens-server/bin/scitokens-cli
-
-ADD scitokens-server/etc/templates/client-template.xml /opt/scitokens-server/etc/templates/client-template.xml
-ADD scitokens-server/etc/templates/readme.txt /opt/scitokens-server/etc/templates/readme.txt
-ADD scitokens-server/var/qdl/scitokens/policies.qdl /opt/scitokens-server/var/qdl/scitokens/policies.qdl
-RUN chgrp tomcat /opt/scitokens-server/var/qdl/scitokens/policies.qdl
-# Java 11 apparently does not identify the mime type for .json files quite right.
-ADD scitokens-server/var/qdl/user-config.json /opt/scitokens-server/var/qdl/user-config.txt
-RUN chgrp tomcat /opt/scitokens-server/var/qdl/user-config.txt
-RUN ln -s /usr/lib64/libapr-1.so.0 /opt/tomcat/lib/libapr-1.so.0
-
+    mkdir -p /opt/tomcat ;\
+    curl -s -L https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.69/bin/apache-tomcat-9.0.69.tar.gz | tar -zxf - -C /opt/tomcat --strip-components=1 ;\
+    chgrp -R tomcat /opt/tomcat/conf ;\
+    chmod g+rwx /opt/tomcat/conf ;\
+    chmod g+r /opt/tomcat/conf/* ;\
+    chown -R tomcat /opt/tomcat/logs/ /opt/tomcat/temp/ /opt/tomcat/webapps/ /opt/tomcat/work/ ;\
+    chgrp -R tomcat /opt/tomcat/bin /opt/tomcat/lib ;\
+    chmod g+rwx /opt/tomcat/bin ;\
+    chmod g+r /opt/tomcat/bin/* ;\
+    ln -s /usr/lib64/libapr-1.so.0 /opt/tomcat/lib/libapr-1.so.0
+
+RUN \
+    # Create various empty directories needed by the webapp
+    mkdir -p /opt/scitokens-server/etc/trusted-cas &&\
+    mkdir -p /opt/scitokens-server/lib &&\
+    mkdir -p /opt/scitokens-server/log &&\
+    mkdir -p /opt/scitokens-server/var/storage/file_store &&\
+    mkdir -p /opt/tomcat/webapps/scitokens-server ;\
+    # Install the OA4MP webapp and associated dependencies.
+    curl -s -L https://github.com/ncsa/OA4MP/releases/download/v5.3.1/oauth2.war > /opt/tomcat/webapps/scitokens-server.war ;\
+    curl -s -L https://github.com/javaee/javamail/releases/download/JAVAMAIL-1_6_2/javax.mail.jar > /opt/tomcat/lib/javax.mail.jar ;\
+    curl -s -L https://github.com/ncsa/OA4MP/releases/download/v5.3.1/jwt.jar > /opt/scitokens-server/lib/jwt.jar ;\
+    curl -L -s https://github.com/ncsa/OA4MP/releases/download/v5.3.1/cli.jar > /opt/scitokens-server/lib/scitokens-cli.jar ;\
+    cd /opt/tomcat/webapps/scitokens-server ;\
+    jar -xf ../scitokens-server.war ;\
+    chgrp -R tomcat /opt/tomcat/webapps/scitokens-server ;\
+    mkdir -p /opt/tomcat/var/storage/scitokens-server ;\
+    chown -R tomcat:tomcat /opt/tomcat/var/storage/scitokens-server ;\
+    # Install support for the QDL CLI
+    curl -L -s https://github.com/ncsa/OA4MP/releases/download/v5.3.1/oa2-qdl-installer.jar >/tmp/oa2-qdl-installer.jar ;\
+    java -jar /tmp/oa2-qdl-installer.jar -dir /opt/qdl ;\
+    rm /tmp/oa2-qdl-installer.jar ;\
+    mkdir -p /opt/qdl/var/scripts ;\
+    # Remove the default manager apps and examples -- we don't use these
+    rm -rf /opt/tomcat/webapps/ROOT /opt/tomcat/webapps/docs /opt/tomcat/webapps/examples /opt/tomcat/webapps/host-manager /opt/tomcat/webapps/manager ;\
+    true;
+
+# The generate_jwk.sh script is part of the documented bootstrap of the container.
 ADD generate_jwk.sh /usr/local/bin/generate_jwk.sh
 
-# QDL support 21-01-2021
-RUN curl -L -s https://github.com/ncsa/OA4MP/releases/download/v5.3.1/oa2-qdl-installer.jar >/tmp/oa2-qdl-installer.jar ;\
-java -jar /tmp/oa2-qdl-installer.jar -dir /opt/qdl
-
-RUN  mkdir -p /opt/qdl/var/scripts
-
-ADD qdl/etc/qdl.properties /opt/qdl/etc/qdl.properties
-ADD qdl/etc/qdl-cfg.xml /opt/qdl/etc/qdl-cfg.xml
-
-ADD qdl/var/scripts/boot.qdl /opt/qdl/var/scripts/boot.qdl
-RUN chmod +x /opt/qdl/var/scripts/boot.qdl
-
-ADD qdl/bin/qdl /opt/qdl/bin/qdl
-RUN chmod +x /opt/qdl/bin/qdl
+# Add other QDL CLI tools and configs not part of the default installer
+COPY qdl /opt/qdl
 
-ADD qdl/bin/qdl-run /opt/qdl/bin/qdl-run
-RUN chmod +x /opt/qdl/bin/qdl-run
-# END QDL support
+# Add in the tomcat server configuration
+ADD --chown=root:tomcat server.xml /opt/tomcat/conf/server.xml
 
-ENV JAVA_HOME=/usr/lib/jvm/jre
-ENV CATALINA_PID=/opt/tomcat/temp/tomcat.pid
-ENV CATALINA_HOME=/opt/tomcat
-ENV CATALINA_BASE=/opt/tomcat
-ENV CATALINA_OPTS="-Xms512M -Xmx1024M -server -XX:+UseParallelGC"
-ENV JAVA_OPTS="-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Djava.library.path=/opt/tomcat/lib"
-ENV ST_HOME="/opt/scitokens-server"
-ENV QDL_HOME="/opt/qdl"
-ENV PATH="${ST_HOME}/bin:${QDL_HOME}/bin:${PATH}"
+# Copy over our configuration of the OA4MP webapp.
+COPY --chown=tomcat:tomcat scitokens-server/web.xml /opt/tomcat/webapps/scitokens-server/WEB-INF/web.xml
+COPY --chown=tomcat:tomcat scitokens-server/ /opt/scitokens-server/
+
+ENV JAVA_HOME=/usr/lib/jvm/jre \
+    CATALINA_PID=/opt/tomcat/temp/tomcat.pid \
+    CATALINA_HOME=/opt/tomcat \
+    CATALINA_BASE=/opt/tomcat \
+    CATALINA_OPTS="-Xms512M -Xmx1024M -server -XX:+UseParallelGC" \
+    JAVA_OPTS="-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Djava.library.path=/opt/tomcat/lib" \
+    ST_HOME="/opt/scitokens-server" \
+    QDL_HOME="/opt/qdl" \
+    PATH="${ST_HOME}/bin:${QDL_HOME}/bin:${PATH}"
 
-#RUN "${QDL_HOME}/var/scripts/boot.qdl"
 ADD start.sh /start.sh
 CMD ["/start.sh"]
-
-
-
-

qdl/bin/qdl-run

@@ -1,3 +1,4 @@
+#!/bin/sh
 # The script to invoke the QDL interpreter.
 
 CFG_FILE="$QDL_HOME/etc/qdl-cfg.xml"

qdl/var/scripts/boot.qdl

@@ -1,4 +1,4 @@
-#! /usr/bin/env qdl-run
+#!/usr/bin/env qdl-run
 
 /*
    Boot script in QDL to set up a new OA4MP issuer install. This is run exactly

scitokens-server/bin/scitokens-cli

@@ -1,3 +1,4 @@
+#!/bin/sh
 # Run the OA4MP command processor. This will allow you to edit, create or remove
 # clients, approvals, users and archived users. You can also reset the counter and do copy
 # operations from one store to another

scitokens-server/etc/proxy-config.xml → scitokens-server/etc/proxy-config.xml.tmpl

@@ -1,11 +1,10 @@
 <config>
     <client name="proxy-client">
         <logging
-                logFileName="/tmp/oa4mp-oauth2-fs-client.xml"
+                logFileName="/dev/stdout"
                 logName="oa4mp"
-                logSize="100000"
-                logFileCount="2"
-                debug="true"/>
+                logFileCount="1"
+                debug="trace"/>
         <id>{CLIENT_ID}</id>
         <secret>{CLIENT_SECRET}</secret>
         <callbackUri>https://{HOSTNAME}/scitokens-server/ready</callbackUri>

scitokens-server/etc/server-config.xml → scitokens-server/etc/server-config.xml.tmpl

@@ -18,10 +18,9 @@
              address="https://{HOSTNAME}/scitokens-server">
 
         <logging
-                logFileName="/opt/scitokens-server/log/scitokens-server.log"
+                logFileName="/dev/stdout"
                 logName="scitokens-server"
-                logSize="100000"
-                logFileCount="2"
+                logFileCount="1"
                 debug="trace"/>
         <JSONWebKey>
             <path><![CDATA[/opt/scitokens-server/etc/keys.jwk]]></path>

server.xml

@@ -114,7 +114,7 @@
         <SSLHostConfig>
             <Certificate certificateKeyFile="conf/hostkey.pem"
                          certificateFile="conf/hostcert.pem"
-                         certificateChainFile="conf/CA-bundle.pem"
+                         certificateChainFile="conf/chain.pem"
                          type="RSA" />
         </SSLHostConfig>
     </Connector>

start.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 # Set the hostname
 sed s+\{HOSTNAME\}+$HOSTNAME+g /opt/scitokens-server/etc/server-config.xml.tmpl > /opt/scitokens-server/etc/server-config.xml
@@ -8,6 +8,9 @@ sed s+\{CLIENT_SECRET\}+$CLIENT_SECRET+g > /opt/scitokens-server/etc/proxy-confi
 chgrp tomcat /opt/scitokens-server/etc/server-config.xml
 chgrp tomcat /opt/scitokens-server/etc/proxy-config.xml
 
+# Set the path in case the bash profile reset it from the container default.
+export PATH="${ST_HOME}/bin:${QDL_HOME}/bin:${PATH}"
+
 # Run the boot to inject the template
 ${QDL_HOME}/var/scripts/boot.qdl
 
@@ -21,10 +24,45 @@ fi
 
 # check for one or more files in a directory
 if [ -e /opt/scitokens-server/etc/qdl/ ]; then
-    cp -r /opt/scitokens-server/etc/qdl/*.qdl /opt/scitokens-server/var/qdl/
+    # Note that `-L` is added here; this is because Kubernetes sets up some volume mounts
+    # as symlinks and `-r` will copy the symlinks (which then becomes broken).  `-L` will
+    # dereference the symlink and copy the data, which is what we want.
+    cp -rL /opt/scitokens-server/etc/qdl/*.qdl /opt/scitokens-server/var/qdl/scitokens/
     chown -R tomcat /opt/scitokens-server/var/qdl/
 fi
 
+# Load up additional trust roots.  If OA4MP needs to contact a LDAP server, we will need
+# the CA that signed the LDAP server's certificate to be in the java trust store.
+if [ -e /opt/scitokens-server/etc/trusted-cas ]; then
+
+    shopt -s nullglob
+    for fullfile in /opt/scitokens-server/etc/trusted-cas/*.pem; do
+        echo "Importing CA certificate $fullfile into the Java trusted CA store."
+        aliasname=$(basename "$file")
+        aliasname="${filename%.*}"
+        keytool -cacerts -importcert -noprompt -storepass changeit -file "$fullfile" -alias "$aliasname"
+    done
+    shopt -u nullglob
+
+fi
+
+# Tomcat requires us to provide the intermediate chain (which, in Kubernetes, is often in the same
+# file as the host certificate itself.  If there wasn't one provided, try splitting it out.
+if [ ! -e /opt/tomcat/conf/chain.pem ]; then
+    echo "No chain present for host cert; trying to derive one"
+    pushd /tmp > /dev/null
+    if csplit -f tls- -b "%02d.crt.pem" -s -z "/opt/tomcat/conf/hostcert.pem" '/-----BEGIN CERTIFICATE-----/' '{1}' 2>/dev/null ; then
+        echo "Chain present in hostcert.pem; using it."
+        cp /tmp/tls-01.crt.pem /opt/tomcat/conf/chain.pem
+        rm /tmp/tls-*.crt.pem
+    else
+        echo "No chain present; will use empty file"
+        # No intermediate CAs found.  Create an empty file.
+        touch /opt/tomcat/conf/chain.pem
+    fi
+    popd > /dev/null
+fi
+
 # Start tomcat
 exec /opt/tomcat/bin/catalina.sh run