Skip to content

Commit

Permalink
feat: add casa and janssen integration (#25)
Browse files Browse the repository at this point in the history 
* chore: prepare v5.0.0 (jans-based)

* chore: reorganize assets

* chore: remove unused assets

* chore: update build date

* fix: set jansAttrs to empty hashmap

* chore: remove unused assets

* chore: introduce GLUU_SOURCE_URL env

* feat: add option to use TLSv1.2

* feat: adjust permissions
  • Loading branch information
@iromli
iromli authored Jan 10, 2022
1 parent 5d406da commit 973beca
Show file tree
Hide file tree
Showing 25 changed files with 654 additions and 781 deletions.
2 changes: 1 addition & 1 deletion .dockerignore
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,8 @@
*

# include required files/directories
!certs
!scripts
!templates
!LICENSE
!requirements.txt
!jetty
17 changes: 0 additions & 17 deletions CHANGES.md
View file

This file was deleted.

206 changes: 108 additions & 98 deletions Dockerfile
View file
Original file line number Diff line number Diff line change
@@ -1,42 +1,29 @@
FROM adoptopenjdk/openjdk11:jre-11.0.8_10-alpine

# symlink JVM
RUN mkdir -p /usr/lib/jvm/default-jvm /usr/java/latest \
&& ln -sf /opt/java/openjdk /usr/lib/jvm/default-jvm/jre \
&& ln -sf /usr/lib/jvm/default-jvm/jre /usr/java/latest/jre
FROM bellsoft/liberica-openjre-alpine:11

# ===============
# Alpine packages
# ===============

RUN apk update \
&& apk add --no-cache py3-pip openssl tini \
&& apk add --no-cache --virtual build-deps git wget

# ======
# rclone
# ======

ARG RCLONE_VERSION=v1.51.0
RUN wget -q https://github.com/rclone/rclone/releases/download/${RCLONE_VERSION}/rclone-${RCLONE_VERSION}-linux-amd64.zip -O /tmp/rclone.zip \
&& unzip -qq /tmp/rclone.zip -d /tmp \
&& mv /tmp/rclone-${RCLONE_VERSION}-linux-amd64/rclone /usr/bin/ \
&& rm -rf /tmp/rclone-${RCLONE_VERSION}-linux-amd64 /tmp/rclone.zip
&& apk add --no-cache py3-pip openssl tini py3-cryptography py3-lxml py3-psycopg2 py3-grpcio \
&& apk add --no-cache --virtual build-deps git wget \
&& mkdir -p /usr/java/latest \
&& ln -sf /usr/lib/jvm/jre /usr/java/latest/jre

# =====
# Jetty
# =====

ARG JETTY_VERSION=9.4.26.v20200117
ARG JETTY_VERSION=10.0.6
ARG JETTY_HOME=/opt/jetty
ARG JETTY_BASE=/opt/gluu/jetty
ARG JETTY_BASE=/opt/jans/jetty
ARG JETTY_USER_HOME_LIB=/home/jetty/lib

# Install jetty
RUN wget -q https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/${JETTY_VERSION}/jetty-distribution-${JETTY_VERSION}.tar.gz -O /tmp/jetty.tar.gz \
RUN wget -q https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-home/${JETTY_VERSION}/jetty-home-${JETTY_VERSION}.tar.gz -O /tmp/jetty.tar.gz \
&& mkdir -p /opt \
&& tar -xzf /tmp/jetty.tar.gz -C /opt \
&& mv /opt/jetty-distribution-${JETTY_VERSION} ${JETTY_HOME} \
&& mv /opt/jetty-home-${JETTY_VERSION} ${JETTY_HOME} \
&& rm -rf /tmp/jetty.tar.gz

# Ports required by jetty
Expand All @@ -46,38 +33,25 @@ EXPOSE 8080
# Casa
# ====

# @TODO: change this as soon as 4.2.2-SNAPSHOT is available
ENV GLUU_VERSION=4.2.1.Final
ENV GLUU_BUILD_DATE="2020-09-24 08:34"
ENV GLUU_VERSION=5.0.0-SNAPSHOT
ENV GLUU_BUILD_DATE="2022-01-08 18:32"
ENV GLUU_SOURCE_URL=https://jenkins.gluu.org/maven/org/gluu/casa/${GLUU_VERSION}/casa-${GLUU_VERSION}.war

# Install Casa
RUN wget -q https://ox.gluu.org/maven/org/gluu/casa/${GLUU_VERSION}/casa-${GLUU_VERSION}.war -O /tmp/casa.war \
RUN wget -q ${GLUU_SOURCE_URL} -O /tmp/casa.war \
&& mkdir -p ${JETTY_BASE}/casa/webapps/casa \
&& unzip -qq /tmp/casa.war -d ${JETTY_BASE}/casa/webapps/casa \
&& java -jar ${JETTY_HOME}/start.jar jetty.home=${JETTY_HOME} jetty.base=${JETTY_BASE}/casa --add-to-start=server,deploy,resources,http,http-forwarded,jsp \
&& rm -f /tmp/casa.war

# ===========
# Custom libs
# ===========

RUN mkdir -p /usr/share/java

ARG TWILIO_VERSION=7.17.0
RUN wget -q https://repo1.maven.org/maven2/com/twilio/sdk/twilio/${TWILIO_VERSION}/twilio-${TWILIO_VERSION}.jar -O /usr/share/java/twilio.jar

ARG JSMPP_VERSION=2.3.7
RUN wget -q https://repo1.maven.org/maven2/org/jsmpp/jsmpp/${JSMPP_VERSION}/jsmpp-${JSMPP_VERSION}.jar -O /usr/share/java/jsmpp.jar
&& java -jar ${JETTY_HOME}/start.jar jetty.home=${JETTY_HOME} jetty.base=${JETTY_BASE}/casa --add-module=server,deploy,resources,http,jsp,cdi-decorate \
&& rm -f /tmp/casa.war \
&& rm -f ${JETTY_BASE}/casa/webapps/casa/WEB-INF/jetty-web.xml

# ======
# Python
# ======

RUN apk add --no-cache py3-cryptography
COPY requirements.txt /app/requirements.txt
RUN pip3 install -U pip \
&& pip3 install --no-cache-dir -r /app/requirements.txt \
&& rm -rf /src/pygluu-containerlib/.git
RUN pip3 install -U pip wheel \
&& pip3 install -r /app/requirements.txt --no-cache-dir

# =======
# Cleanup
Expand All @@ -97,67 +71,84 @@ COPY LICENSE /licenses/
# Config ENV
# ==========

ENV GLUU_CONFIG_ADAPTER=consul \
GLUU_CONFIG_CONSUL_HOST=localhost \
GLUU_CONFIG_CONSUL_PORT=8500 \
GLUU_CONFIG_CONSUL_CONSISTENCY=stale \
GLUU_CONFIG_CONSUL_SCHEME=http \
GLUU_CONFIG_CONSUL_VERIFY=false \
GLUU_CONFIG_CONSUL_CACERT_FILE=/etc/certs/consul_ca.crt \
GLUU_CONFIG_CONSUL_CERT_FILE=/etc/certs/consul_client.crt \
GLUU_CONFIG_CONSUL_KEY_FILE=/etc/certs/consul_client.key \
GLUU_CONFIG_CONSUL_TOKEN_FILE=/etc/certs/consul_token \
GLUU_CONFIG_KUBERNETES_NAMESPACE=default \
GLUU_CONFIG_KUBERNETES_CONFIGMAP=gluu \
GLUU_CONFIG_KUBERNETES_USE_KUBE_CONFIG=false
ENV CN_CONFIG_ADAPTER=consul \
CN_CONFIG_CONSUL_HOST=localhost \
CN_CONFIG_CONSUL_PORT=8500 \
CN_CONFIG_CONSUL_CONSISTENCY=stale \
CN_CONFIG_CONSUL_SCHEME=http \
CN_CONFIG_CONSUL_VERIFY=false \
CN_CONFIG_CONSUL_CACERT_FILE=/etc/certs/consul_ca.crt \
CN_CONFIG_CONSUL_CERT_FILE=/etc/certs/consul_client.crt \
CN_CONFIG_CONSUL_KEY_FILE=/etc/certs/consul_client.key \
CN_CONFIG_CONSUL_TOKEN_FILE=/etc/certs/consul_token \
CN_CONFIG_CONSUL_NAMESPACE=jans \
CN_CONFIG_KUBERNETES_NAMESPACE=default \
CN_CONFIG_KUBERNETES_CONFIGMAP=jans \
CN_CONFIG_KUBERNETES_USE_KUBE_CONFIG=false \
CN_CONFIG_GOOGLE_SECRET_VERSION_ID=latest \
CN_CONFIG_GOOGLE_SECRET_NAME_PREFIX=jans

# ==========
# Secret ENV
# ==========

ENV GLUU_SECRET_ADAPTER=vault \
GLUU_SECRET_VAULT_SCHEME=http \
GLUU_SECRET_VAULT_HOST=localhost \
GLUU_SECRET_VAULT_PORT=8200 \
GLUU_SECRET_VAULT_VERIFY=false \
GLUU_SECRET_VAULT_ROLE_ID_FILE=/etc/certs/vault_role_id \
GLUU_SECRET_VAULT_SECRET_ID_FILE=/etc/certs/vault_secret_id \
GLUU_SECRET_VAULT_CERT_FILE=/etc/certs/vault_client.crt \
GLUU_SECRET_VAULT_KEY_FILE=/etc/certs/vault_client.key \
GLUU_SECRET_VAULT_CACERT_FILE=/etc/certs/vault_ca.crt \
GLUU_SECRET_KUBERNETES_NAMESPACE=default \
GLUU_SECRET_KUBERNETES_SECRET=gluu \
GLUU_SECRET_KUBERNETES_USE_KUBE_CONFIG=false
ENV CN_SECRET_ADAPTER=vault \
CN_SECRET_VAULT_SCHEME=http \
CN_SECRET_VAULT_HOST=localhost \
CN_SECRET_VAULT_PORT=8200 \
CN_SECRET_VAULT_VERIFY=false \
CN_SECRET_VAULT_ROLE_ID_FILE=/etc/certs/vault_role_id \
CN_SECRET_VAULT_SECRET_ID_FILE=/etc/certs/vault_secret_id \
CN_SECRET_VAULT_CERT_FILE=/etc/certs/vault_client.crt \
CN_SECRET_VAULT_KEY_FILE=/etc/certs/vault_client.key \
CN_SECRET_VAULT_CACERT_FILE=/etc/certs/vault_ca.crt \
CN_SECRET_VAULT_NAMESPACE=jans \
CN_SECRET_KUBERNETES_NAMESPACE=default \
CN_SECRET_KUBERNETES_SECRET=jans \
CN_SECRET_KUBERNETES_USE_KUBE_CONFIG=false \
CN_SECRET_GOOGLE_SECRET_MANAGER_PASSPHRASE=secret \
CN_SECRET_GOOGLE_SECRET_VERSION_ID=latest \
CN_SECRET_GOOGLE_SECRET_NAME_PREFIX=jans

# ===============
# Persistence ENV
# ===============

ENV GLUU_PERSISTENCE_TYPE=ldap \
GLUU_PERSISTENCE_LDAP_MAPPING=default \
GLUU_LDAP_URL=localhost:1636 \
GLUU_COUCHBASE_URL=localhost \
GLUU_COUCHBASE_USER=admin \
GLUU_COUCHBASE_CERT_FILE=/etc/certs/couchbase.crt \
GLUU_COUCHBASE_PASSWORD_FILE=/etc/gluu/conf/couchbase_password \
GLUU_COUCHBASE_CONN_TIMEOUT=10000 \
GLUU_COUCHBASE_CONN_MAX_WAIT=20000
ENV CN_PERSISTENCE_TYPE=ldap \
CN_PERSISTENCE_LDAP_MAPPING=default \
CN_LDAP_URL=localhost:1636 \
CN_LDAP_USE_SSL=true \
CN_COUCHBASE_URL=localhost \
CN_COUCHBASE_USER=admin \
CN_COUCHBASE_CERT_FILE=/etc/certs/couchbase.crt \
CN_COUCHBASE_PASSWORD_FILE=/etc/jans/conf/couchbase_password \
CN_COUCHBASE_CONN_TIMEOUT=10000 \
CN_COUCHBASE_CONN_MAX_WAIT=20000 \
CN_COUCHBASE_SCAN_CONSISTENCY=not_bounded \
CN_COUCHBASE_BUCKET_PREFIX=jans \
CN_COUCHBASE_TRUSTSTORE_ENABLE=true \
CN_COUCHBASE_KEEPALIVE_INTERVAL=30000 \
CN_COUCHBASE_KEEPALIVE_TIMEOUT=2500 \
CN_GOOGLE_SPANNER_INSTANCE_ID="" \
CN_GOOGLE_SPANNER_DATABASE_ID=""

# ===========
# Generic ENV
# ===========

ENV GLUU_MAX_RAM_PERCENTAGE=75.0 \
GLUU_WAIT_MAX_TIME=300 \
GLUU_WAIT_SLEEP_DURATION=10 \
GLUU_OXD_SERVER_URL=https://localhost:8443 \
GLUU_OXAUTH_BACKEND=localhost:8081 \
GLUU_JAVA_OPTIONS="" \
GLUU_DOCUMENT_STORE_TYPE=LOCAL \
GLUU_JACKRABBIT_URL=http://localhost:8080 \
GLUU_JACKRABBIT_ADMIN_ID=admin \
GLUU_JACKRABBIT_ADMIN_PASSWORD_FILE=/etc/gluu/conf/jackrabbit_admin_password \
GLUU_SSL_CERT_FROM_SECRETS=false
ENV CN_MAX_RAM_PERCENTAGE=75.0 \
CN_WAIT_MAX_TIME=300 \
CN_WAIT_SLEEP_DURATION=10 \
PYTHON_HOME=/opt/jython \
CN_DOCUMENT_STORE_TYPE=LOCAL \
CN_JACKRABBIT_URL=http://localhost:8080 \
CN_JACKRABBIT_ADMIN_ID=admin \
CN_JACKRABBIT_ADMIN_PASSWORD_FILE=/etc/jans/conf/jackrabbit_admin_password \
CN_JAVA_OPTIONS="" \
CN_AUTH_SERVER_BACKEND=localhost:8081 \
CN_SSL_CERT_FROM_SECRETS=false \
GOOGLE_PROJECT_ID="" \
GOOGLE_APPLICATION_CREDENTIALS=/etc/jans/conf/google-credentials.json

# ==========
# misc stuff
Expand All @@ -166,24 +157,43 @@ ENV GLUU_MAX_RAM_PERCENTAGE=75.0 \
LABEL name="Casa" \
maintainer="Gluu Inc. <support@gluu.org>" \
vendor="Gluu Federation" \
version="4.2.2" \
version="5.0.0" \
release="dev" \
summary="Gluu Casa" \
description="Self-service portal for people to manage their account security preferences in the Gluu Server, like 2FA"

RUN mkdir -p /etc/certs \
/etc/gluu/conf/casa \
/opt/gluu/python/libs \
/opt/gluu/jetty/casa/static \
/opt/gluu/jetty/casa/plugins \
/deploy \
/etc/jans/conf/casa \
/opt/jans/python/libs \
/opt/jans/jetty/casa/static \
/opt/jans/jetty/casa/plugins \
/app/templates \
/app/tmp

COPY jetty/jetty-env.xml ${JETTY_BASE}/casa/webapps/casa/WEB-INF/
COPY jetty/log4j2.xml ${JETTY_BASE}/casa/resources/
COPY jetty/casa_web_resources.xml ${JETTY_BASE}/casa/webapps/
COPY templates /app/templates/
COPY scripts /app/scripts
RUN chmod +x /app/scripts/entrypoint.sh \
&& cp /app/templates/casa_web_resources.xml /opt/gluu/jetty/casa/webapps/
RUN chmod +x /app/scripts/entrypoint.sh

# create non-root user
RUN adduser -s /bin/sh -D -G root -u 1000 jetty

# adjust ownership
RUN chown -R 1000:1000 /opt/jans/jetty \
&& chown -R 1000:1000 /opt/jetty \
&& chown -R 1000:1000 /tmp \
&& chgrp -R 0 /opt/jans/jetty && chmod -R g=u /opt/jans/jetty \
&& chgrp -R 0 /opt/jetty && chmod -R g=u /opt/jetty \
&& chgrp -R 0 /tmp && chmod -R g=u /tmp \
&& chgrp -R 0 /etc/certs && chmod -R g=u /etc/certs \
&& chgrp -R 0 /etc/jans && chmod -R g=u /etc/jans \
&& chmod -R +w /usr/java/latest/jre/lib/security/cacerts && chgrp -R 0 /usr/java/latest/jre/lib/security/cacerts && chmod -R g=u /usr/java/latest/jre/lib/security/cacerts \
&& chmod 664 /opt/jetty/etc/jetty.xml \
&& chmod 664 /opt/jetty/etc/webdefault.xml

USER 1000

ENTRYPOINT ["tini", "-e", "143", "-g", "--"]
CMD ["sh", "/app/scripts/entrypoint.sh"]
10 changes: 1 addition & 9 deletions Makefile
View file
Original file line number Diff line number Diff line change
@@ -1,15 +1,7 @@
GLUU_VERSION=4.2.2
GLUU_VERSION=5.0.0
IMAGE_NAME=gluufederation/casa
UNSTABLE_VERSION=dev

build-dev:
@echo "[I] Building Docker image ${IMAGE_NAME}:${GLUU_VERSION}_${UNSTABLE_VERSION}"
@docker build --rm --force-rm -t ${IMAGE_NAME}:${GLUU_VERSION}_${UNSTABLE_VERSION} .

trivy-scan:
@echo "[I] Scanning Docker image ${IMAGE_NAME}:${GLUU_VERSION}_${UNSTABLE_VERSION} using trivy"
@trivy -d image ${IMAGE_NAME}:${GLUU_VERSION}_${UNSTABLE_VERSION}

dockle-scan:
@echo "[I] Scanning Docker image ${IMAGE_NAME}:${GLUU_VERSION}_${UNSTABLE_VERSION} using dockle"
@dockle -d ${IMAGE_NAME}:${GLUU_VERSION}_${UNSTABLE_VERSION}
Loading

0 comments on commit 973beca

Please sign in to comment.