feat(docker-admin-ui): save admin-ui config into persistence (#674)

docker-admin-ui/Dockerfile

@@ -2,35 +2,39 @@ FROM node:fermium-alpine AS builder
 
 RUN apk update \
     && apk upgrade --available \
-    && apk add --no-cache git openjdk11-jre-headless
+    && apk add --no-cache git
 
 # TODO:
 # - use NODE_ENV=production
 # - download build package (not git clone)
-ENV ADMIN_UI_VERSION=1855dc434c1a357cb5e36ef79c3b2ac45bb89083
+ENV ADMIN_UI_VERSION=412c49a15d103ab34be248f0633df64448ba5879
+
+RUN mkdir -p /opt/flex
 
 # note that as we're pulling from a monorepo (with multiple project in it)
 # we are using partial-clone and sparse-checkout to get the admin-ui code
 RUN git clone --filter blob:none --no-checkout https://github.com/GluuFederation/flex /tmp/flex \
     && cd /tmp/flex \
     && git sparse-checkout init --cone \
     && git checkout ${ADMIN_UI_VERSION} \
-    && git sparse-checkout set admin-ui \
-    && mkdir -p /opt/flex \
-    && mv /tmp/flex/admin-ui /opt/flex/admin-ui \
-    && cd /opt/flex/admin-ui \
-    && npm install @openapitools/openapi-generator-cli \
-    && npm install openapi-merge-cli \
-    && npm run api \
-    && npm install \
-    && npm uninstall @openapitools/openapi-generator-cli \
-    && rm -rf $HOME/.npm
+    && git sparse-checkout add admin-ui \
+    && mv /tmp/flex/admin-ui /opt/flex/admin-ui
+
+# pre-packaged node modules and openapi
+RUN wget -q https://jenkins.gluu.org/npm/admin_ui/main/node_modules/admin-ui-main-node_modules.tar.gz -P /tmp \
+    && tar xzf /tmp/admin-ui-main-node_modules.tar.gz -C /opt/flex/admin-ui
+
+RUN wget -q https://jenkins.gluu.org/npm/admin_ui/main/OpenApi/jans_config_api/admin-ui-main-jans_config_api.tar.gz -P /tmp \
+    && tar xzf /tmp/admin-ui-main-jans_config_api.tar.gz -C /opt/flex/admin-ui
+
+# add missing node-sass binding for musl (alpine)
+RUN cd /opt/flex/admin-ui && npm rebuild node-sass
 
 # ===========
 # Application
 # ===========
 
-FROM node:fermium-alpine
+FROM node:fermium-alpine3.16
 
 # ======
 # alpine
@@ -45,13 +49,10 @@ RUN apk update \
 # nginx
 # =====
 
-RUN mkdir -p /etc/certs
-# RUN openssl dhparam -out /etc/certs/dhparams.pem 2048
 RUN echo "daemon off;" >> /etc/nginx/nginx.conf
 
 # Ports for nginx
-# EXPOSE 80
-# EXPOSE 443
+EXPOSE 8080
 
 # ======
 # Python
@@ -67,7 +68,7 @@ RUN python3 -m ensurepip \
 # jans-linux-setup sync
 # =====================
 
-ENV JANS_SOURCE_VERSION=d794504fc371eac8ab2377b4828040bd73099ec4
+ENV JANS_SOURCE_VERSION=19f2ad856b069f06bdac60e10db47f3ac3a96e32
 ARG JANS_SETUP_DIR=jans-linux-setup/jans_setup
 
 # note that as we're pulling from a monorepo (with multiple project in it)
@@ -185,7 +186,7 @@ ENV CN_WAIT_MAX_TIME=300 \
 # ==========
 # misc stuff
 # ==========
-EXPOSE 8080
+
 LABEL name="gluufederation/admin-ui" \
     maintainer="Gluu Inc. <support@gluu.org>" \
     vendor="Gluu Federation" \
@@ -194,10 +195,10 @@ LABEL name="gluufederation/admin-ui" \
     summary="Gluu Admin UI" \
     description=""
 
+RUN mkdir -p /etc/jans/conf /etc/certs
 COPY templates /app/templates/
 COPY scripts /app/scripts/
 RUN chmod +x /app/scripts/entrypoint.sh
-RUN mkdir -p /etc/jans/conf
 
 # forward logs to stdout and stderr
 RUN ln -sf /dev/stdout /var/log/nginx/access.log \
@@ -206,30 +207,21 @@ RUN ln -sf /dev/stdout /var/log/nginx/access.log \
 # add existing node user to root group
 RUN addgroup node root
 
-# make empty folders
+# make empty files and folders
 RUN mkdir -p /opt/flex/admin-ui/dist /app/plugins \
     && touch /run/nginx/nginx.pid
 
-# && chown -R 1000:1000 /etc/certs \
-# && chgrp -R 0 /etc/certs && chmod -R g=u /etc/certs \
-
 # adjust ownership
-RUN chown -R 1000:1000 /var/lib/nginx \
-    && chown 1000:1000 /run/nginx/nginx.pid \
-    && chown -R 1000:1000 /opt/flex/admin-ui/.env \
-    && chown -R 1000:1000 /opt/flex/admin-ui/dist \
-    && chown -R 1000:1000 /etc/nginx/http.d/default.conf \
-    && chown -R 1000:1000 /var/lib/nginx \
-    && chown -R 1000:1000 /var/log/nginx \
-    && chown -R 1000:1000 /etc/jans \
-    && chown -R 1000:1000 /run/nginx/nginx.pid \
-    && chgrp -R 0 /opt/flex/admin-ui/.env && chmod -R g=u /opt/flex/admin-ui/.env \
-    && chgrp -R 0 /opt/flex/admin-ui/dist && chmod -R g=u /opt/flex/admin-ui/dist \
-    && chgrp -R 0 /etc/nginx/http.d/default.conf && chmod -R g=u /etc/nginx/http.d/default.conf \
-    && chgrp -R 0 /var/lib/nginx && chmod -R g=u /var/lib/nginx \
-    && chgrp -R 0 /var/log/nginx && chmod -R g=u /var/log/nginx \
-    && chgrp -R 0 /run/nginx/nginx.pid && chmod -R g=u /run/nginx/nginx.pid \
-    && chgrp -R 0 /etc/jans && chmod -R g=u /etc/jans \
+RUN chown -R 1000:0 /var/lib/nginx \
+    && chown 1000:0 /run/nginx/nginx.pid \
+    && chown 1000:0 /opt/flex/admin-ui/.env \
+    && chown -R 1000:0 /opt/flex/admin-ui/dist \
+    && chown 1000:0 /etc/nginx/http.d/default.conf \
+    && chown -R 1000:0 /var/lib/nginx \
+    && chown -R 1000:0 /var/log/nginx \
+    && chown -R 1000:0 /etc/jans \
+    && chown -R 1000:0 /etc/certs \
+    && chown 1000:0 /run/nginx/nginx.pid \
     && chown 1000:0 /opt/flex/admin-ui/plugins.config.json \
     && chown -R 1000:0 /opt/flex/admin-ui/plugins \
     && chown -R 1000:0 /app/plugins

docker-admin-ui/scripts/bootstrap.py

@@ -1,3 +1,4 @@
+import json
 import logging.config
 import os
 from uuid import uuid4
@@ -10,6 +11,8 @@
 from jans.pycloudlib.persistence import LdapClient
 from jans.pycloudlib.persistence import SpannerClient
 from jans.pycloudlib.persistence import SqlClient
+from jans.pycloudlib.persistence import doc_id_from_dn
+from jans.pycloudlib.persistence import id_from_dn
 from jans.pycloudlib.persistence.utils import PersistenceMapper
 
 from settings import LOGGING_CONFIG
@@ -56,7 +59,7 @@ def main():
 
     persistence_setup = PersistenceSetup(manager)
     persistence_setup.import_ldif_files()
-    persistence_setup.export_plugin_properties()
+    persistence_setup.save_config()
 
 
 def read_from_file(path):
@@ -155,12 +158,6 @@ def ctx(self):
         # finalized contexts
         return ctx
 
-    def export_plugin_properties(self):
-        with open("/app/templates/auiConfiguration.properties.tmpl") as f:
-            txt = f.read() % self.ctx
-            logger.info("Creating/updating plugins_admin_ui_properties secrets")
-            self.manager.secret.set("plugins_admin_ui_properties", txt)
-
     @cached_property
     def ldif_files(self):
         filenames = ["clients.ldif"]
@@ -171,6 +168,55 @@ def import_ldif_files(self):
             logger.info(f"Importing {file_}")
             self.client.create_from_ldif(file_, self.ctx)
 
+    def save_config(self):
+        logger.info("Updating admin-ui config in persistence (if required).")
+
+        with open("/app/templates/auiConfiguration.json") as f:
+            conf_from_file = f.read() % self.ctx
+
+        dn = "ou=admin-ui,ou=configuration,o=jans"
+
+        if self.persistence_type in ("sql", "spanner"):
+            dn = doc_id_from_dn(dn)
+            table_name = "jansAppConf"
+
+            entry = self.client.get(table_name, dn)
+
+            if not entry["jansConfApp"]:
+                entry["jansConfApp"] = conf_from_file
+                entry["jansRevision"] += 1
+                self.client.update(table_name, dn, entry)
+
+        elif self.persistence_type == "couchbase":
+            bucket = os.environ.get("CN_COUCHBASE_BUCKET_PREFIX", "jans")
+            dn = id_from_dn(dn)
+
+            req = self.client.exec_query(f"SELECT META().id, {bucket}.* FROM {bucket} USE KEYS '{dn}'")
+            entry = req.json()["results"][0]
+
+            conf = entry.get("jansConfApp") or {}
+            if not conf:
+                rev = entry["jansRevision"] + 1
+                self.client.exec_query(f"UPDATE {bucket} USE KEYS '{dn}' SET jansConfApp={conf_from_file}, jansRevision={rev}")
+
+        else:
+            entry = self.client.get(dn)
+            attrs = entry.entry_attributes_as_dict
+
+            try:
+                conf = attrs.get("jansConfApp", [])[0]
+            except IndexError:
+                conf = ""
+
+            if not conf:
+                self.client.modify(
+                    dn,
+                    {
+                        "jansRevision": [(self.client.MODIFY_REPLACE, attrs["jansRevision"][0] + 1)],
+                        "jansConfApp": [(self.client.MODIFY_REPLACE, conf_from_file)],
+                    }
+                )
+
 
 if __name__ == "__main__":
     main()

docker-admin-ui/templates/auiConfiguration.json

@@ -0,0 +1,33 @@
+{
+  "oidcConfig": {
+    "authServerClient": {
+      "opHost": "https://%(hostname)s/admin",
+      "clientId": "%(admin_ui_client_id)s",
+      "clientSecret": "%(admin_ui_client_encoded_pw)s",
+      "scopes": [
+        "openid",
+        "profile",
+        "user_name",
+        "email"
+      ],
+      "acrValues": [
+        "basic"
+      ],
+      "redirectUri": "https://%(hostname)s/admin",
+      "postLogoutUri": "https://%(hostname)s/admin",
+      "frontchannelLogoutUri": "https://%(hostname)s/admin/logout"
+    },
+    "tokenServerClient": {
+      "opHost": "https://%(hostname)s/admin",
+      "clientId": "%(token_server_admin_ui_client_id)s",
+      "clientSecret": "%(token_server_admin_ui_client_encoded_pw)s",
+      "tokenEndpoint": "%(token_server_token_url)s",
+      "scopes": [
+        "openid",
+        "profile",
+        "user_name",
+        "email"
+      ]
+    }
+  }
+}

docker-admin-ui/templates/clients.ldif

@@ -28,7 +28,7 @@ jansScope: inum=6D90,ou=scopes,o=jans
 jansScope: inum=764C,ou=scopes,o=jans
 jansSubjectTyp: pairwise
 jansTknEndpointAuthMethod: client_secret_basic
-jansTrustedClnt: false
+jansTrustedClnt: true
 jansSignedRespAlg: RS256
 
 dn: inum=%(token_server_admin_ui_client_id)s,ou=clients,o=jans
@@ -57,4 +57,4 @@ jansRptAsJwt: false
 jansScope: inum=F0C4,ou=scopes,o=jans
 jansSubjectTyp: pairwise
 jansTknEndpointAuthMethod: client_secret_basic
-jansTrustedClnt: false
+jansTrustedClnt: true