Merge pull request #667 from OpenConext/release/646

Release/646: Manage update including stepup-in-manage config

Author: baszoetekouw

roles/invite/templates/logback.xml.j2

@@ -2,41 +2,41 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <configuration scan="true">
 
- <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
-  <encoder>
-     <pattern>%d{ISO8601} %5p [%t] %logger{40}:%L - %m%n</pattern>
-   </encoder>
- </appender>
+  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
+    <encoder>
+      <pattern>%d{ISO8601} %5p [%t] %logger{40}:%L - %m%n</pattern>
+    </encoder>
+  </appender>
 
- <appender name="JSON_SYSLOG" class="net.logstash.logback.appender.LogstashTcpSocketAppender">
-   <destination>host.docker.internal:514</destination>
+  <appender name="JSON_SYSLOG" class="net.logstash.logback.appender.LogstashTcpSocketAppender">
+    <destination>host.docker.internal:514</destination>
     <encoder class="net.logstash.logback.encoder.LogstashEncoder">
-        <customFields>{"app":"invite"}</customFields>
-        <includeCallerData>true</includeCallerData>
-        <fieldNames>
-            <thread>[ignore]</thread>
-            <version>[ignore]</version>
-            <levelValue>[ignore]</levelValue>
-       </fieldNames>
-       <prefix class="ch.qos.logback.core.encoder.LayoutWrappingEncoder">
-         <layout class="ch.qos.logback.classic.PatternLayout">
-           <pattern>invitejson: </pattern>
-         </layout>
-</prefix>
-     </encoder>
+      <customFields>{"app":"invite"}</customFields>
+      <includeCallerData>true</includeCallerData>
+      <fieldNames>
+        <thread>[ignore]</thread>
+        <version>[ignore]</version>
+        <levelValue>[ignore]</levelValue>
+      </fieldNames>
+      <prefix class="ch.qos.logback.core.encoder.LayoutWrappingEncoder">
+        <layout class="ch.qos.logback.classic.PatternLayout">
+          <pattern>invitejson:</pattern>
+        </layout>
+      </prefix>
+    </encoder>
   </appender>
 
- <logger name="invite" level="DEBUG" />
- <logger name="org.springframework.security" level="WARN" />
- <logger name="org.springframework" level="WARN" />
- <logger name="org.springframework.security" level="WARN" />
- <logger name="com.zaxxer.hikari" level="ERROR" />
+  <logger name="invite" level="DEBUG"/>
+  <logger name="org.springframework.security" level="WARN"/>
+  <logger name="org.springframework" level="WARN"/>
+  <logger name="org.springframework.security" level="WARN"/>
+  <logger name="com.zaxxer.hikari" level="ERROR"/>
 
- <root level="WARN">
-   <appender-ref ref="STDOUT" />
- {% if invite_logback_json | bool %}
-    <appender-ref ref="JSON_SYSLOG" />
- {%endif%}
- </root>
+  <root level="WARN">
+    <appender-ref ref="STDOUT"/>
+    {% if invite_logback_json | bool %}
+      <appender-ref ref="JSON_SYSLOG"/>
+    {% endif %}
+  </root>
 
 </configuration>

roles/manage/defaults/main.yml

@@ -32,7 +32,13 @@ manage_tabs_enabled:
   - provisioning
   - sram
   - organisation
+  - sfo
+  - institution
 manage_docker_networks:
   - name: loadbalancer
 manage_server_restart_policy: always
 manage_server_restart_retries: 0
+manage_logback_json: false
+
+manage_stepup_raas:
+  - "urn:collab:person:example.com:admin"

roles/manage/files/metadata_templates/institution.template.json

@@ -0,0 +1,19 @@
+{
+  "entityid": "",
+  "metaDataFields": {},
+  "identifier": "",
+  "use_ra_locations": true,
+  "show_raa_contact_information": true,
+  "verify_email": true,
+  "allowed_second_factors": [
+    "tiqr"
+  ],
+  "number_of_tokens_per_identity": 3,
+  "use_ra": [],
+  "use_raa": [],
+  "select_raa": [],
+  "self_vet": true,
+  "allow_self_asserted_tokens": false,
+  "sso_on_2fa": false,
+  "stepup-client": "full"
+}

roles/manage/files/metadata_templates/sfo.template.json

@@ -0,0 +1,14 @@
+{
+  "name": "",
+  "entityid": "",
+  "metaDataFields": {},
+  "public_key": "",
+  "acs": [],
+  "loa": "{{ stepup_loa_values_supported[0] }}",
+  "assertion_encryption_enabled": false,
+  "second_factor_only": true,
+  "second_factor_only_nameid_patterns": [],
+  "blacklisted_encryption_algorithms": [],
+  "allow_sso_on_2fa": true,
+  "set_sso_cookie_on_2fa": true
+}

roles/manage/files/policies/allowed_attributes.json

@@ -15,7 +15,8 @@
     "value": "urn:mace:dir:attribute-def:eduPersonAffiliation",
     "validationRegex": "^(student|staff|faculty|employee|member)$",
     "allowedInDenyRule": true,
-    "label": "Edu person affiliation"
+    "label": "Edu person affiliation",
+    "enum": true
   },
   {
     "value": "urn:mace:dir:attribute-def:eduPersonScopedAffiliation",
@@ -45,7 +46,8 @@
     "value": "urn:collab:sab:surfnet.nl",
     "validationRegex": "^(Superuser|Instellingsbevoegde|OperationeelBeheerder|SURFconextbeheerder|DNS-Beheerder)$",
     "allowedInDenyRule": false,
-    "label": "SAB role"
+    "label": "SAB role",
+    "enum": true
   },
   {
     "value": "urn:mace:dir:attribute-def:mail",

roles/manage/tasks/main.yml

@@ -11,6 +11,15 @@
     - "/opt/openconext/manage/metadata_templates"
     - "/opt/openconext/manage/policies"
 
+- name: Copy Stepup stepup_config.json from inventory
+  ansible.builtin.template:
+    src: "stepup_config.json.j2"
+    dest: "/opt/openconext/manage/stepup_config.json"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  notify: restart manageserver
+
 - name: Import the mongo CA file
   ansible.builtin.copy:
     src: "{{ inventory_dir }}/secrets/mongo/mongoca.pem"
@@ -31,14 +40,14 @@
 - name: Place the serverapplication configfiles
   ansible.builtin.template:
     src: "{{ item }}.j2"
-    dest: /opt/openconext/manage/{{ item }}
-    owner: root
-    group: root
+    dest: "/opt/openconext/manage/{{ item }}"
+    owner: "root"
+    group: "root"
     mode: "0644"
   with_items:
-    - application.yml
-    - logback.xml
-    - manage-api-users.yml
+    - "application.yml"
+    - "logback.xml"
+    - "manage-api-users.yml"
   notify: restart manageserver
 
 - name: Place old __cacert_entrypoint.sh script
@@ -53,8 +62,8 @@
   ansible.builtin.template:
     src: "metadata_configuration/{{ item }}.schema.json.j2"
     dest: "/opt/openconext/manage/metadata_configuration/{{ item }}.schema.json"
-    owner: root
-    group: root
+    owner: "root"
+    group: "root"
     mode: "0640"
   with_items:
     - "{{ manage_tabs_enabled }}"
@@ -81,17 +90,17 @@
     group: root
     mode: "0640"
   with_items:
-    - allowed_attributes.json
-    - extra_saml_attributes.json
+    - "allowed_attributes.json"
+    - "extra_saml_attributes.json"
   notify:
     - "restart manageserver"
 
 - name: Add the mongodb and mariadb  docker network to the list of networks when MongoDB runs in Docker
   ansible.builtin.set_fact:
     manage_docker_networks:
-      - name: loadbalancer
-      - name: openconext_mongodb
-      - name: openconext_mariadb
+      - name: "loadbalancer"
+      - name: "openconext_mongodb"
+      - name: "openconext_mariadb"
   when: mongodb_in_docker | default(false) | bool
 
 - name: Create and start the server container
@@ -105,15 +114,22 @@
     state: started
     networks: "{{ manage_docker_networks }}"
     mounts:
-      - source: /opt/openconext/manage/
-        target: /config/
-        type: bind
-      - source: /opt/openconext/manage/mongoca.pem
-        target: /certificates/mongoca.crt
-        type: bind
-      - source: /opt/openconext/manage/__cacert_entrypoint.sh
-        target: /__cacert_entrypoint.sh
-        type: bind
+      - source: "/opt/openconext/manage/"
+        target: "/config/"
+        type: "bind"
+        read_only: true
+      - source: "/opt/openconext/manage/mongoca.pem"
+        target: "/certificates/mongoca.crt"
+        type: "bind"
+        read_only: true
+      - source: "/opt/openconext/manage/__cacert_entrypoint.sh"
+        target: "/__cacert_entrypoint.sh"
+        type: "bind"
+        read_only: true
+      - source: "/opt/openconext/manage/stepup_config.json"
+        target: "/stepup_config.json"
+        type: "bind"
+        read_only: true
     command: "java -jar /app.jar -Xmx512m --spring.config.location=./config/"
     etc_hosts:
       host.docker.internal: host-gateway
@@ -170,6 +186,8 @@
       - source: /etc/localtime
         target: /etc/localtime
         type: bind
+        read_only: true
       - source: /opt/openconext/common/favicon.ico
         target: /var/www/favicon.ico
         type: bind
+        read_only: true

roles/manage/templates/application.yml.j2

@@ -53,11 +53,20 @@ push:
     user: {{ pdp.username }}
     password: "{{ pdp.password }}"
     enabled: {{ manage.pdp_push_enabled }}
+  stepup:
+    url: https://middleware.{{ base_domain }}
+    user: {{ manage.middleware_user }}
+    configuration_file: "file:///stepup_config.json"
+    password: {{ manage_middleware_password }}
+    enabled:  {{ manage.stepup_push_enabled }}
+
 
 product:
   name: Manage
   organization: {{ instance_name }}
   service_provider_feed_url: {{ manage_service_provider_feed_url }}
+  jira_base_url: https://servicedesk.surf.nl/jira/browse/
+  jira_ticket_prefixes: CXT,SD
   supported_languages: {{ supported_language_codes }}
   show_oidc_rp: {{ manage_show_oidc_rp_tab }}
 

roles/manage/templates/logback.xml.j2

@@ -1,32 +1,49 @@
-#jinja2:lstrip_blocks: True
 <?xml version="1.0" encoding="UTF-8"?>
 <configuration scan="true">
 
- <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
-  <encoder>
-     <pattern>%d{ISO8601} %5p [%t] %logger{40}:%L - %m%n</pattern>
-   </encoder>
- </appender>
+  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
+    <encoder>
+      <pattern>%d{ISO8601} %5p [%t] %logger{40}:%L - %m%n</pattern>
+    </encoder>
+  </appender>
 
-<appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
-   <smtpHost>{{ smtp_server }}</smtpHost>
-   <from>{{ noreply_email }}</from>
-   <to>{{ error_mail_to }}</to>
-   <subject>{{ error_subject_prefix }}Unexpected error manage</subject>
-   <layout class="ch.qos.logback.classic.html.HTMLLayout"/>
+  <appender name="EMAIL" class="ch.qos.logback.classic.net.SMTPAppender">
+    <smtpHost>{{ smtp_server }}</smtpHost>
+    <from>{{ noreply_email }}</from>
+    <to>{{ error_mail_to }}</to>
+    <subject>{{ error_subject_prefix }}Unexpected error manage</subject>
+    <layout class="ch.qos.logback.classic.html.HTMLLayout"/>
 
     <filter class="filter.CustomThresholdFilter">
-        <clazz>org.everit.json.schema.ValidationException</clazz>
-        <level>ERROR</level>
-   </filter>
- </appender>
+      <clazz>org.everit.json.schema.ValidationException</clazz>
+      <level>ERROR</level>
+    </filter>
+  </appender>
 
- <logger name="manage" level="DEBUG" />
- <logger name="com.github.cloudyrock" level="INFO" />
+{% if manage_logback_json | bool -%}
+  <appender name="JSON_SYSLOG" class="net.logstash.logback.appender.LogstashTcpSocketAppender">
+    <destination>host.docker.internal:514</destination>
+    <encoder class="net.logstash.logback.encoder.LogstashEncoder">
+      <customFields>{"app":"manage"}</customFields>
+      <includeCallerData>true</includeCallerData>
+      <fieldNames>
+        <thread>[ignore]</thread>
+        <version>[ignore]</version>
+        <levelValue>[ignore]</levelValue>
+      </fieldNames>
+    </encoder>
+  </appender>
+{%- endif %}
 
- <root level="WARN">
-   <appender-ref ref="EMAIL" />
-   <appender-ref ref="STDOUT" />
- </root>
+  <logger name="manage" level="DEBUG"/>
+  <logger name="com.github.cloudyrock" level="INFO"/>
+
+  <root level="WARN">
+    <appender-ref ref="STDOUT"/>
+    <appender-ref ref="EMAIL"/>
+    {% if manage_logback_json | bool -%}
+      <appender-ref ref="JSON_SYSLOG"/>
+    {%- endif %}
+  </root>
 
 </configuration>