diff --git a/core/README.md b/core/README.md index 7b5aa1f..4fe9835 100644 --- a/core/README.md +++ b/core/README.md @@ -65,6 +65,7 @@ Since the OpenConext suite is composed of multiple docker containers, you can us - No profile: Starts the core services: Engineblock, manage, mujina and profile (plus loadbalancer and databases). - oidc: Starts oidc as well. - teams: Starts services needed for teams (oidcng, voot and teams) +- invite: Starts services needed for Openconext-Invite (oidcng, voot and teams) - extras: Starts extras (currently pdp) If you want to start all services, you can use extras. A profile can be started by using the --profile argument to the `docker compose up` command. For example: diff --git a/core/docker-compose.yml b/core/docker-compose.yml index 30af45d..06e0151 100644 --- a/core/docker-compose.yml +++ b/core/docker-compose.yml @@ -1,4 +1,5 @@ --- +#name: openconext-core services: haproxy: image: ghcr.io/openconext/openconext-basecontainers/haproxy28:latest @@ -28,6 +29,7 @@ services: - spdashboard.dev.openconext.local - mujina-idp.dev.openconext.local - invite.dev.openconext.local + - welcome.dev.openconext.local - sbs.dev.openconext.local - spdashboard.dev.openconext.local hostname: haproxy.docker @@ -226,6 +228,7 @@ services: - "oidc" - "teams" - "extras" + - "invite" oidcplaygroundgui: image: ghcr.io/openconext/openconext-oidc-playground/oidc-playground-gui:3.0.1 @@ -304,9 +307,13 @@ services: volumes: - ./haproxy/haproxy.crt:/certificates/haproxy.crt - ./cacert/__cacert_entrypoint.sh:/__cacert_entrypoint.sh + - ./invite:/config networks: coreconextdev: entrypoint: /__cacert_entrypoint.sh + depends_on: + oidcng: + condition: service_started command: "java -jar app.jar --spring.profiles.active=devconf" hostname: inviteserver.docker working_dir: / @@ -314,6 +321,7 @@ services: - "php" - "teams" - "extras" + - "invite" inviteclient: image: ghcr.io/openconext/openconext-invite/inviteclient:0.0.23 
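Review bot: The new `#name: openconext-core` at the top of docker-compose.yml is a commented-out top-level key, so it changes nothing while looking like configuration; the Compose project name still defaults to the directory name, which is what prefixes the networks and volumes other profiles depend on. Either uncomment it (and check that nothing already relies on the `core_` prefix) or drop the line; if it is intentionally parked, say why in the comment, e.g. `# name: openconext-core  # not enabled: existing volumes use the directory-derived prefix`.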
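Review bot: Adding `welcome.dev.openconext.local` to the haproxy host list only gives a working HTTPS endpoint if the certificate mounted from `./haproxy/haproxy.crt` (the same file inviteserver imports via `__cacert_entrypoint.sh` later in this diff) also covers that name; if it is a fixed single-name cert rather than a wildcard, browsers will reject the new host with a name mismatch. Worth confirming, and worth a comment next to the list so the next host addition does not forget it: `# every host below must be a SAN on haproxy/haproxy.crt`. The existing list also carries `spdashboard.dev.openconext.local` twice, harmless but easy to clean up while here. The haproxy service definition starts and ends outside the hunk.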
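Review bot: The service whose `profiles:` gain `"invite"` in the `-226` hunk is not visible (its definition starts above the hunk), but from the ordering it is presumably oidcng; nowhere in this diff do voot or teams get the `invite` profile, so the README line added in the same commit ("Starts services needed for Openconext-Invite (oidcng, voot and teams)") reads as a copy of the teams entry and does not describe what `docker compose --profile invite up` will actually start. Either add `- "invite"` to the voot and teams profile lists as well, or change the README to say oidcng plus the inviteserver, inviteclient and invitewelcome containers.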
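Review bot: The new `./invite:/config` bind mount in the inviteserver service hands the container the whole `application.yml` — OIDC client secret, DB password and remote-user passwords — read-write, although nothing there needs to write; `- ./invite:/config:ro` is the safer default and also keeps a misbehaving process from rewriting the host file. Separately, `depends_on: oidcng: condition: service_started` only waits for the container to be created, whereas the rest of the file gates on `service_healthy` for databases; if inviteserver resolves `oidcng.discovery-url` at boot (the mounted file points it at `connect.dev.openconext.local`), it can race oidcng and fail its first start. Use `condition: service_healthy` if oidcng has a healthcheck; if it does not, add a comment saying so, e.g. `# service_started: oidcng has no healthcheck; server retries discovery`, if that retry is indeed what happens. The inviteserver definition starts above the hunk.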
@@ -330,9 +338,12 @@ services:
 condition: service_healthy
 mariadb:
 condition: service_healthy
+ inviteserver:
+ condition: service_started
 profiles:
 - "extras"
 - "teams"
+ - "invite"
 invitewelcome:
 image: ghcr.io/openconext/openconext-invite/invitewelcome:0.0.23
@@ -349,9 +360,12 @@ services:
 condition: service_healthy
 mariadb:
 condition: service_healthy
+ inviteserver:
+ condition: service_started
 profiles:
 - "extras"
 - "teams"
+ - "invite"
 voot:
 image: ghcr.io/openconext/openconext-voot/voot:6.2.0
diff --git a/core/invite/application.yml b/core/invite/application.yml
new file mode 100644
index 0000000..fb6810c
--- /dev/null
+++ b/core/invite/application.yml
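Review bot: `inviteserver: condition: service_started`, added to both the inviteclient and invitewelcome `depends_on` blocks, guarantees only that the container process was launched, not that the Spring application is listening; the sibling `mariadb: condition: service_healthy` in the same blocks shows the file's own readiness convention. If inviteserver exposes a healthcheck, `condition: service_healthy` is the right choice; if it has none, this is the best Compose can do, but then document that so nobody reads it as readiness: `# service_started only: inviteserver defines no healthcheck; the GUI retries until the API responds` (assuming the GUI does retry, which this diff does not show). Both service definitions begin above their hunks.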
@@ -0,0 +1,133 @@
+---
+server:
+ port: 8080
+ error:
+ path: "/error"
+ include-message: always
+ forward-headers-strategy: native
+ servlet:
+ session:
+ cookie:
+ secure: false
+
+spring:
+ main:
+ banner-mode: "off"
+ session:
+ jdbc:
+ cleanup-cron: "-"
+ initialize-schema: always
+ store-type: jdbc
+ timeout: 8h
+ mvc:
+ log-request-details: false
+ security:
+ oauth2:
+ client:
+ registration:
+ oidcng:
+ client-id: invite.dev.openconext.local
+ client-secret: secretsecret
+ redirect-uri: "https://{baseHost}{basePort}{basePath}/login/oauth2/code/{registrationId}"
+ authorization-grant-type: "authorization_code"
+ scope: openid
+ provider:
+ oidcng:
+ authorization-uri: "https://connect.dev.openconext.local/oidc/authorize"
+ token-uri: "https://connect.dev.openconext.local/oidc/token"
+ user-info-uri: "https://connect.dev.openconext.local/oidc/userinfo"
+ jwk-set-uri: "https://connect.dev.openconext.local/oidc/certs"
+ user-name-attribute: sub
+ user-info-authentication-method: client_secret_basic
+ jpa:
+ properties:
+ hibernate:
+ naming-strategy: org.hibernate.cfg.ImprovedNamingStrategy
+ dialect: org.hibernate.dialect.MySQLDialect
+ open-in-view: false
+ show-sql: false
+ datasource:
+ driver-class-name: org.mariadb.jdbc.Driver
+ url: jdbc:mariadb://mariadb/invite?autoReconnect=true
+ username: inviterw
+ password: secret
+ flyway:
+ locations: classpath:db/mysql/migration
+ fail-on-missing-locations: true
+ mail:
+ host: localhost
+ port: 1025
+
+oidcng:
+ discovery-url: "https://connect.dev.openconext.local/oidc/.well-known/openid-configuration"
+ introspect-url: "https://connect.dev.openconext.local/oidc/introspect"
+ resource-server-id: inviters.dev.openconext.local
+ resource-server-secret: secretsecret
+ base-url: https://invite.dev.openconext.local
+
+super-admin:
+ users:
+ - "urn:collab:person:example.com:admin"
+
+institution-admin:
+ entitlement: "urn:mace:surfnet.nl:surfnet.nl:sab:role:SURFconextverantwoordelijke"
+ organization-guid-prefix: 
"urn:mace:surfnet.nl:surfnet.nl:sab:organizationGUID:"
+
+gui:
+ disclaimer:
+ background-color: red
+ content: DEV
+
+config:
+ client-url: "https://invite.dev.openconext.local"
+ welcome-url: "https://welcome.dev.openconext.local"
+ server-url: "https://invite.dev.openconext.local"
+ server-welcome-url: "https://welcome.dev.openconext.local"
+ eduid-entity-id: "https://login.dev.openconext.local"
+ role-search-required: false
+ past-date-allowed: true
+ eduid-idp-schac-home-organization: "dev.eduid.nl"
+
+feature:
+ enable-performance-seed: False
+
+# We don't encode in-memory passwords, so we need to prefix them with {noop}
+external-api-configuration:
+ remote-users:
+ - username: voot
+ password: "secret"
+ scopes:
+ - voot
+ - username: teams
+ password: "secret"
+ scopes:
+ - teams
+ - username: aa
+ password: "secret"
+ scopes:
+ - attribute_aggregation
+ - username: lifecycle
+ password: "secret"
+ scopes:
+ - lifecycle
+ - username: profile
+ password: "secret"
+ scopes:
+ - profile
+ - username: sp_dashboard
+ password: "secret"
+ scopes:
+ - sp_dashboard
+
+voot:
+ group_urn_domain: urn:mace:surf.nl:test.surfaccess.nl
+
+manage:
+ # enabled: True
+ enabled: False
+ url: "https://manage.dev.openconext.local"
+ user: invite
+ password: secret
+ # If you want to run the mock Manage against a git ignored file with sensitive data, e.g. manage/provisioning.local.json file
+ # local: True
+ staticManageDirectory: classpath:/manage
diff --git a/core/scripts/init.sh b/core/scripts/init.sh
index a29eb04..2ff088a 100755
--- a/core/scripts/init.sh
+++ b/core/scripts/init.sh
@@ -2,6 +2,7 @@
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 ORANGE='\033[0;33m'
+BLUE='\033[0;34m'
 NOCOLOR='\033[0m'
 CWD=$(dirname $0)
 manageurl=https://manage.dev.openconext.local/manage/api/internal/
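Review bot: The comment `# We don't encode in-memory passwords, so we need to prefix them with {noop}` above `external-api-configuration.remote-users` is contradicted by every entry that follows, which is `password: "secret"` with no `{noop}` prefix; either the server prepends the prefix itself and the comment is stale, or these basic-auth callers (voot, teams, aa, lifecycle, profile, sp_dashboard) will fail to authenticate, so one of the two should change (`password: "{noop}secret"` if the comment is right). Also, `server.servlet.session.cookie.secure: false` while every URL in the file — `base-url`, `redirect-uri`, the oidcng endpoints — is HTTPS behind haproxy means the session cookie is issued without the Secure flag; with `forward-headers-strategy: native` already set, `secure: true` should work as long as haproxy sends `X-Forwarded-Proto`. The literal `client-secret: secretsecret`, `resource-server-secret: secretsecret` and the various `secret` passwords are acceptable for a throwaway dev stack, but a header comment should say so and note that they presumably have to match the peer containers' configuration (`# DEV-ONLY credentials: must agree with the oidcng/voot/teams/manage dev configs; never reuse elsewhere`). Finally `False` in `enable-performance-seed` and `manage.enabled` should be lowercase `false`, the only boolean spelling that is safe across YAML 1.1 and 1.2 parsers.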
@@ -61,10 +62,10 @@ echo -e "${ORANGE}Send a PUSH in Manage, which pushes the entities to EngineBloc
 docker compose exec managegui curl -q -s -k -u sysadmin:secret $manageurl/push >/dev/null
 printf "\n"
-echo -e "${RED}Please add the following line to your /etc/hosts:${NOCOLOR}${GREEN} \xE2\x9C\x94${NOCOLOR}"
+echo -e "${BLUE}Please add the following line to your /etc/hosts:${NOCOLOR}${GREEN} \xE2\x9C\x94${NOCOLOR}"
 printf "\n"
-echo "127.0.0.1 engine.dev.openconext.local manage.dev.openconext.local profile.dev.openconext.local engine-api.dev.openconext.local mujina-idp.dev.openconext.local profile.dev.openconext.local connect.dev.openconext.local teams.dev.openconext.local voot.dev.openconext.local"
+echo "127.0.0.1 engine.dev.openconext.local manage.dev.openconext.local profile.dev.openconext.local engine-api.dev.openconext.local mujina-idp.dev.openconext.local profile.dev.openconext.local connect.dev.openconext.local teams.dev.openconext.local voot.dev.openconext.local invite.dev.openconext.local welcome.dev.openconext.local"
 printf "\n"
 echo "You can now login. If you want to bring the environment down, use the command below"