Add support for Globus v5 endpoint

Puppetfile

@@ -29,7 +29,7 @@ mod 'puppet-squid', '6.0.0'
 mod 'puppet-swap_file', '5.0.0'
 mod 'puppet-systemd', '7.1.0'
 mod 'puppetlabs-concat', '9.1.0'
-mod 'puppetlabs-firewall', '6.0.0'
+mod 'puppetlabs-firewall', '8.4.0'
 mod 'puppetlabs-inifile', '6.1.0'
 mod 'puppetlabs-lvm', '2.0.2'
 mod 'puppetlabs-mailalias_core', '1.2.0'
@@ -38,7 +38,7 @@ mod 'puppetlabs-mount_core', '2.0.1'
 mod 'puppetlabs-mysql', '16.3.0'
 mod 'puppetlabs-stdlib', '9.7.0'
 mod 'puppetlabs-transition', '2.0.0'
-mod 'treydock-globus', '9.0.0'
+mod 'treydock-globus', '12.1.0'
 mod 'saz-limits', '6.0.0'
 
 mod 'computecanada-jupyterhub',

data/common.yaml

@@ -14,6 +14,8 @@ lookup_options:
     merge: 'hash'
   profile::volumes::devices:
     merge: 'deep'
+  globus::client_secret:
+    convert_to: "Sensitive"
 
 profile::base::version: 15.5.0
 profile::base::packages: []
@@ -369,3 +371,10 @@ metrix::subdomain: 'metrix'
 
 metrix::slurm_jobscripts::api_url: "http://%{lookup('terraform.tag_ip.mgmt.0')}:9000"
 metrix::slurm_jobscripts::token: "%{alias('metrix::root_api_token')}"
+
+globus::display_name: "%{lookup('terraform.data.domain_name')} endpoint"
+globus::advertised_owner: false
+globus::managed_firewall: true
+globus::ip_address: "%{lookup('terraform.self.public_ip')}"
+globus::owner: "%{lookup('globus::client_id')}@clients.auth.globus.org"
+

site/profile/manifests/base.pp

@@ -80,15 +80,15 @@
     chain  => 'INPUT',
     proto  => 'all',
     source => profile::getcidr(),
-    action => 'accept',
+    jump   => 'accept',
     tag    => 'mc_bootstrap',
   }
 
   firewall { '001 drop access to metadata server':
     chain       => 'OUTPUT',
     proto       => 'tcp',
     destination => '169.254.169.254',
-    action      => 'drop',
+    jump        => 'drop',
     uid         => '! root',
     tag         => 'mc_bootstrap',
   }

site/profile/manifests/globus.pp

@@ -1,17 +1,123 @@
-class profile::globus {
+class profile::globus (
+  String[1] $collection_path = '/nfs',
+  Array[String] $domains = ['globus.org'],
+  Enum['running', 'stopped'] $ensure_oidc = 'stopped',
+) {
   package { 'wget':
     ensure => installed,
   }
+  include globus
+  Package['wget'] -> Class['globus']
 
-  $public_ip = lookup('terraform.self.public_ip')
-  class { 'globus':
-    display_name  => $globus::display_name,
-    client_id     => $globus::client_id,
-    client_secret => $globus::client_secret,
-    contact_email => $globus::contact_email,
-    ip_address    => $public_ip,
-    organization  => $globus::organization,
-    owner         => $globus::owner,
-    require       => Package['wget'],
+  $domain_string = $domains.map|$value| { " --domain ${value}" }.join(' ')
+  file { '/root/globus-gateway-setup':
+    ensure    => 'file',
+    owner     => 'root',
+    group     => 'root',
+    mode      => '0700',
+    show_diff => false,
+    content   => epp(
+      'profile/globus/globus-gateway-setup',
+      {
+        'public_ip'     => lookup('terraform.self.public_ip'),
+        'cluster_name'  => lookup('terraform.data.cluster_name'),
+        'domain_string' => $domain_string,
+      }
+    ),
   }
+
+  file { '/root/globus-collection-setup':
+    ensure    => 'file',
+    owner     => 'root',
+    group     => 'root',
+    mode      => '0700',
+    show_diff => false,
+    content   => epp(
+      'profile/globus/globus-collection-setup',
+      {
+        'public_ip'       => lookup('terraform.self.public_ip'),
+        'cluster_name'    => lookup('terraform.data.cluster_name'),
+        'collection_path' => $collection_path,
+      }
+    ),
+  }
+
+  $domain_name = lookup('terraform.data.domain_name')
+  file { '/root/globus-oidc-setup':
+    ensure    => 'file',
+    owner     => 'root',
+    group     => 'root',
+    mode      => '0700',
+    show_diff => false,
+    content   => epp(
+      'profile/globus/globus-oidc-setup',
+      {
+        'domain_name' => $domain_name,
+      }
+    ),
+  }
+
+  if $ensure_oidc == 'stopped' and length($domains) == 0 {
+    fail('Globus requires at least one authentication domain or ensure OIDC server is running  (profile::globus::ensure_oidc: running)')
+  }
+
+  exec { 'globus-gateway-setup':
+    command     => '/bin/sh /root/globus-gateway-setup',
+    environment => [
+      "GCS_CLI_CLIENT_ID=${globus::client_id}",
+      "GCS_CLI_CLIENT_SECRET=${globus::client_secret.unwrap}",
+    ],
+    unless      => '/bin/test -s /var/lib/globus-connect-server/gateway.json',
+    require     => [
+      Exec['globus-endpoint-setup'],
+      File['/root/globus-gateway-setup'],
+    ],
+  }
+
+  exec { 'globus-collection-setup':
+    command     => '/bin/sh /root/globus-collection-setup',
+    environment => [
+      "GCS_CLI_CLIENT_ID=${globus::client_id}",
+      "GCS_CLI_CLIENT_SECRET=${globus::client_secret.unwrap}",
+    ],
+    unless      => '/bin/test -s /var/lib/globus-connect-server/collection.json',
+    require     => [
+      Exec['globus-gateway-setup'],
+      File['/root/globus-collection-setup'],
+    ],
+  }
+
+  if $ensure_oidc == 'running' {
+    exec { 'globus-oidc-setup':
+      command     => '/bin/sh /root/globus-oidc-setup',
+      environment => [
+        "GCS_CLI_CLIENT_ID=${globus::client_id}",
+        "GCS_CLI_CLIENT_SECRET=${globus::client_secret.unwrap}",
+      ],
+      unless      => '/bin/test -s /var/lib/globus-connect-server/oidc.json',
+      require     => [
+        Exec['globus-endpoint-setup'],
+        File['/root/globus-oidc-setup'],
+      ],
+      before      => Exec['globus-gateway-setup'],
+    }
+    file { '/var/lib/globusoidc/globus-oidc/site/login.mako':
+      ensure  => file,
+      content => epp('profile/globus/login.mako', {}),
+      mode    => '0544',
+      owner   => 'globusoidc',
+      group   => 'globusoidc',
+      require => Exec['globus-oidc-setup'],
+    }
+  }
+
+  # globus-connect-server storage-gateway update posix 7fd7da12-414a-41f8-8d07-5942c88d9cf8 --domain identity.1f30f9.eb38.gaccess.io
+  Firewall <| |> -> Exec['globus-endpoint-setup']
+  Mount <| |> -> Exec['globus-collection-setup']
+
+  # service { 'globus-oidc':
+  #   ensure  => $ensure_oidc,
+  #   enable  => $ensure_oidc == 'running',
+  #   require => Exec['globus-oidc-setup'],
+  # }
 }

site/profile/manifests/nfs.pp

@@ -70,21 +70,31 @@
 
   $options_nfsv4 = join([$nfs_options, $mount_options], ',')
   $shares_to_mount.each | String $share_name_raw | {
-    # If the instance has a volume mounted under the same name as the nfs share,
-    # we mount the nfs share under /nfs/${share_name}.
     $share_name = regsubst($share_name_raw, '^/|/$', '', 'G')
-    if $self_volumes.any |$tag, $volume_hash| { $share_name in $volume_hash } {
-      $mount_point = "/nfs/${share_name}"
-    } else {
-      $mount_point = "/${share_name}"
-    }
+    $mount_point = "/nfs/${share_name}"
     nfs::client::mount { $mount_point:
       ensure        => present,
       server        => $server,
       share         => $share_name,
       options_nfsv4 => $options_nfsv4,
       notify        => Systemd::Daemon_reload['nfs-client'],
     }
+    # If the instance has a volume mounted under the same name as the nfs share,
+    # we only mount the nfs share under /nfs/${share_name}. Otherwise, we create
+    # a mount bind to /${share_name}.
+    if ! $self_volumes.any |$tag, $volume_hash| { $share_name in $volume_hash } {
+      ensure_resource('file', "/${share_name}", { 'ensure' => 'directory' })
+      mount { "/${share_name}":
+        ensure  => mounted,
+        device  => $mount_point,
+        fstype  => none,
+        options => 'bind,x-systemd.automount',
+        require => [
+          File["/${share_name}"],
+          Nfs::Client::Mount[$mount_point],
+        ]
+      }
+    }
   }
 }
 

site/profile/manifests/reverse_proxy.pp

@@ -17,7 +17,7 @@
     dport  => [80, 443],
     proto  => 'tcp',
     source => '0.0.0.0/0',
-    action => 'accept',
+    jump   => 'accept',
   }
 
   yumrepo { 'caddy-copr-repo':

site/profile/templates/globus/globus-collection-setup.epp

@@ -0,0 +1,4 @@
+#!/bin/sh
+export GCS_CLI_ENDPOINT_ID=$(jq .endpoint_id -r /var/lib/globus-connect-server/info.json)
+GATEWAY_ID=$(jq -r .id /var/lib/globus-connect-server/gateway.json)
+globus-connect-server -F json --use-explicit-host <%= $public_ip %> collection create ${GATEWAY_ID} <%= $collection_path %> --default-directory '/home/$USER' "<%= $cluster_name %> collection" > /var/lib/globus-connect-server/collection.json

site/profile/templates/globus/globus-gateway-setup.epp

@@ -0,0 +1,5 @@
+#!/bin/sh
+export GCS_CLI_ENDPOINT_ID=$(jq .endpoint_id -r /var/lib/globus-connect-server/info.json)
+OIDC_DOMAIN=$(test -f /var/lib/globus-connect-server/oidc.json && jq -r '.auth_client.domain // ""' /var/lib/globus-connect-server/oidc.json)
+OIDC_DOMAIN=${OIDC_DOMAIN:+--domain ${OIDC_DOMAIN}}
+globus-connect-server -F json storage-gateway create --use-explicit-host <%= $public_ip %> posix "<%= $cluster_name %> gateway" <%= $domain_string %> ${OIDC_DOMAIN} > /var/lib/globus-connect-server/gateway.json

site/profile/templates/globus/globus-oidc-setup.epp

@@ -0,0 +1,5 @@
+#!/bin/sh
+set -e
+domain_name=<%= $domain_name %>
+globus-connect-server -F json oidc create --display-name "${domain_name}" --quickstart-server-name identity --support-contact "${domain_name} admin" --support-email "admin@${domain_name}"
+globus-connect-server oidc show | tail -n+2 > /var/lib/globus-connect-server/oidc.json

site/profile/templates/globus/login.mako.epp

@@ -0,0 +1,59 @@
+<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
+  <meta http-equiv="X-UA-Compatible" content="IE=edge">
+  <title>${display_name}</title>
+
+  <link rel="stylesheet" type="text/css" href="assets/styles.css">
+</head>
+
+  <body>
+    <main>
+      <h1 class="sr-only">Log In</h1>
+      <div class="form-container">
+        <div class="form-content">
+
+          <img src="https://github.com/computecanada/magic_castle/raw/assets/logo.png" class="logo" alt="Magic Castle Logo" />
+
+          <p class="help-text">Enter your credentials for ${display_name}</p>
+
+          <form action="${action}" method="POST" id="login_form">
+            <div class="form-group">
+              <label for="username">Username</label>
+              <input type="text" id="login" name="login">
+            </div>
+            <div class="form-group">
+              <label for="password">Password</label>
+              <input type="password" id="password" name="password">
+            </div>
+
+            <div id="error-message"></div>
+                <script type="text/javascript">
+                     const params = new URLSearchParams(window.location.search)
+                     if (params.has('error_message')) {
+                         const errorMessage = document.createElement("p");
+                         errorMessage.textContent = params.get('error_message');
+                         document.getElementById('error-message').appendChild(errorMessage);
+                     }
+                  </script>
+
+            <button type="submit">Log In</button>
+
+            <input id="status" name="action" value="ok" type="hidden">
+            <input id="csrf" name="csrf" value="${csrf}" type="hidden">
+            <input id="query" name="query" value="${query}" type="hidden">
+          </form>
+
+        </div><!-- EOF form-content-->
+
+        <div class="form-footer">
+          <a href="mailto:${support_email}">Login Issues? Contact Administrator</a>
+        </div>
+
+      </div> <!-- EOF form-container-->
+    </main>
+
+  </body>
+</html>