From 4582ae563ddf2492c519fdbc7685af2ce3c5529d Mon Sep 17 00:00:00 2001
From: Isman Firmansyah
Date: Tue, 14 Jun 2022 01:53:55 +0700
Subject: [PATCH] feat: add newly redesigned jans-client-api (#1540)

---
 .../rancher-partner-charts/questions.yaml | 13 +-
 charts/janssen/README.md | 7 +-
 charts/janssen/charts/config/README.md | 5 +-
 .../charts/config/templates/configmaps.yaml | 15 +-
 charts/janssen/charts/config/values.yaml | 6 +-
 charts/janssen/values.schema.json | 11 +-
 charts/janssen/values.yaml | 22 +-
 docker-jans-client-api/.dockerignore | 1 +
 docker-jans-client-api/Dockerfile | 104 +++++--
 docker-jans-client-api/Makefile | 12 +-
 docker-jans-client-api/README.md | 13 +-
 .../jetty/jans-client-api.xml | 11 +
 docker-jans-client-api/jetty/jetty-env.xml | 22 ++
 docker-jans-client-api/jetty/log4j2.xml | 113 ++++++++
 docker-jans-client-api/scripts/bootstrap.py | 265 ++++++++++++------
 docker-jans-client-api/scripts/entrypoint.sh | 21 +-
 .../templates/client-api-server.yml.tmpl | 122 --------
 .../templates/jans.properties.tmpl | 1 +
 18 files changed, 481 insertions(+), 283 deletions(-)
 create mode 100644 docker-jans-client-api/jetty/jans-client-api.xml
 create mode 100644 docker-jans-client-api/jetty/jetty-env.xml
 create mode 100644 docker-jans-client-api/jetty/log4j2.xml
 delete mode 100644 docker-jans-client-api/templates/client-api-server.yml.tmpl

diff --git a/automation/rancher-partner-charts/questions.yaml b/automation/rancher-partner-charts/questions.yaml
index cfbd0b08445..534cb962e3a 100644
--- a/automation/rancher-partner-charts/questions.yaml
+++ b/automation/rancher-partner-charts/questions.yaml
@@ -46,16 +46,11 @@ questions: description: "Middleware API to help application developers call an OAuth, OpenID or UMA server. You may wonder why this is necessary. It makes it easier for client developers to use OpenID signing and encryption features, without becoming crypto experts. This API provides some high level endpoints to do some of the heavy lifting." show_subquestion_if: true subquestions: - - variable: config.configmap.cnClientApiApplicationCertCn + - variable: config.configmap.cnClientApiCertCn default: "client-api" - description: "Client API application keystore name" + description: "Client API CommonName value for certificate subject" type: string - label: Client API application keystore name - - variable: config.configmap.cnClientApiAdminCertCn - default: "client-api" - description: "Client API admin keystore name" - type: string - label: Client API admin keystore name + label: Client API certificate CommonName (CN) # ====================== # Test environment group @@ -849,5 +844,3 @@ questions: label: SCIM Replicas description: "Service replica number." show_if: "global.scim.enabled=true" - - diff --git a/charts/janssen/README.md b/charts/janssen/README.md index cadf7bd92cd..92a89afc090 100644 --- a/charts/janssen/README.md +++ b/charts/janssen/README.md 
@@ -110,7 +110,7 @@ Kubernetes: `>=v1.21.0-0` | client-api.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | | client-api.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | | client-api.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | -| config | object | `{"additionalAnnotations":{},"additionalLabels":{},"adminPassword":"Test1234#","city":"Austin","configmap":{"cnCacheType":"NATIVE_PERSISTENCE","cnClientApiAdminCertCn":"client-api","cnClientApiApplicationCertCn":"client-api","cnClientApiBindIpAddresses":"*","cnConfigGoogleSecretNamePrefix":"janssen","cnConfigGoogleSecretVersionId":"latest","cnConfigKubernetesConfigMap":"cn","cnCouchbaseBucketPrefix":"jans","cnCouchbaseCrt":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnCouchbaseIndexNumReplica":0,"cnCouchbasePassword":"P@ssw0rd","cnCouchbaseSuperUser":"admin","cnCouchbaseSuperUserPassword":"Test1234#","cnCouchbaseUrl":"cbjanssen.default.svc.cluster.local","cnCouchbaseUser":"janssen","cnGoogleProjectId":"google-project-to-save-config-and-secrets-to","cnGoogleSecretManagerPassPhrase":"Test1234#","cnGoogleSecretManagerServiceAccount":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnGoogleSpannerDatabaseId":"","cnGoogleSpannerInstanceId":"","cnJettyRequestHeaderSize":8192,"cnLdapUrl":"opendj:1636","cnMaxRamPercent":"75.0","cnPersistenceLdapMapping":"default","cnRedisSentinelGroup":"","cnRedisSslTruststore":"","cnRedisType":"STANDALONE","cnRedisUrl":"redis.redis.svc.cluster.local:6379","cnRedisUseSsl":false,"cnScimProtectionMode":"OAUTH","cnSecretGoogleSecretNamePrefix":"janssen","cnSecretGoogleSecretVersionId":"latest","cnSecretKubernetesSecret":"cn","cnSqlDbDialect":"mysql","cnSqlDbHost":"my-release-mysql.default.svc.cluster.local","cnSqlDbName":"jans","cnSqlDbPort":3306,"cnSqlDbTimezone":"UTC","cnSqlDbUser":"jans","cnSqldbUserPassword":"Test1234#","lbAddr":""
},"countryCode":"US","dnsConfig":{},"dnsPolicy":"","email":"support@jans.io","image":{"pullSecrets":[],"repository":"janssenproject/configurator","tag":"1.0.1_dev"},"ldapPassword":"P@ssw0rds","orgName":"Janssen","redisPassword":"P@assw0rd","resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"state":"TX","usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Configuration parameters for setup and initial configuration secret and config layers used by Janssen services. | +| config | object | `{"additionalAnnotations":{},"additionalLabels":{},"adminPassword":"Test1234#","city":"Austin","configmap":{"cnCacheType":"NATIVE_PERSISTENCE","cnClientApiAdminCertCn":"client-api","cnClientApiApplicationCertCn":"client-api","cnClientApiCertCn":"client-api","cnClientApiBindIpAddresses":"*","cnConfigGoogleSecretNamePrefix":"janssen","cnConfigGoogleSecretVersionId":"latest","cnConfigKubernetesConfigMap":"cn","cnCouchbaseBucketPrefix":"jans","cnCouchbaseCrt":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnCouchbaseIndexNumReplica":0,"cnCouchbasePassword":"P@ssw0rd","cnCouchbaseSuperUser":"admin","cnCouchbaseSuperUserPassword":"Test1234#","cnCouchbaseUrl":"cbjanssen.default.svc.cluster.local","cnCouchbaseUser":"janssen","cnGoogleProjectId":"google-project-to-save-config-and-secrets-to","cnGoogleSecretManagerPassPhrase":"Test1234#","cnGoogleSecretManagerServiceAccount":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnGoogleSpannerDatabaseId":"","cnGoogleSpannerInstanceId":"","cnJettyRequestHeaderSize":8192,"cnLdapUrl":"opendj:1636","cnMaxRamPercent":"75.0","cnPersistenceLdapMapping":"default","cnRedisSentinelGroup":"","cnRedisSslTruststore":"","cnRedisType":"STANDALONE","cnRedisUrl":"redis.redis.svc.cluster.local:6379","cnRedisUseSsl":false,"cnScimProtectionMode":"OAUTH","cnSecretGoogleSecretNamePrefix":"janssen","cnSecretGoogleSecretVersionId":"latest","cnSecretKubernetesSecret":"cn","cnSqlDbDialect":"mysql","cnS
qlDbHost":"my-release-mysql.default.svc.cluster.local","cnSqlDbName":"jans","cnSqlDbPort":3306,"cnSqlDbTimezone":"UTC","cnSqlDbUser":"jans","cnSqldbUserPassword":"Test1234#","lbAddr":""},"countryCode":"US","dnsConfig":{},"dnsPolicy":"","email":"support@jans.io","image":{"pullSecrets":[],"repository":"janssenproject/configurator","tag":"1.0.1_dev"},"ldapPassword":"P@ssw0rds","orgName":"Janssen","redisPassword":"P@assw0rd","resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"state":"TX","usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Configuration parameters for setup and initial configuration secret and config layers used by Janssen services. | | config-api | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"janssenproject/config-api","tag":"1.0.1_dev"},"livenessProbe":{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"readinessProbe":{"httpGet":{"path":"jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"400Mi"},"requests":{"cpu":"1000m","memory":"400Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). 
| | config-api.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | | config-api.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | 
@@ -141,8 +141,9 @@ Kubernetes: `>=v1.21.0-0` | config.adminPassword | string | `"Test1234#"` | Admin password to log in to the UI. | | config.city | string | `"Austin"` | City. Used for certificate creation. | | config.configmap.cnCacheType | string | `"NATIVE_PERSISTENCE"` | Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . | -| config.configmap.cnClientApiAdminCertCn | string | `"client-api"` | Client-api OAuth client admin certificate common name. This should be left to the default value client-api . | -| config.configmap.cnClientApiApplicationCertCn | string | `"client-api"` | Client-api OAuth client application certificate common name. This should be left to the default value client-api. | +| config.configmap.cnClientApiAdminCertCn | string | `"client-api"` | Client-api OAuth client admin certificate common name. This should be left to the default value client-api (deprecated) . | +| config.configmap.cnClientApiApplicationCertCn | string | `"client-api"` | Client-api OAuth client application certificate common name. This should be left to the default value client-api (deprecated in favor of `configmap.config.cnClientApiCertCn`) . | +| config.configmap.cnClientApiCertCn | string | `"client-api"` | Client-api OAuth client certificate common name. This should be left to the default value client-api. | | config.configmap.cnClientApiBindIpAddresses | string | `"*"` | Client-api bind address. This limits what ip ranges can access the client-api. This should be left as * and controlled by a NetworkPolicy | | config.configmap.cnConfigGoogleSecretNamePrefix | string | `"janssen"` | Prefix for Janssen configuration secret in Google Secret Manager. Defaults to janssen. If left intact janssen-configuration secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. 
| | config.configmap.cnConfigGoogleSecretVersionId | string | `"latest"` | Secret version to be used for configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | diff --git a/charts/janssen/charts/config/README.md b/charts/janssen/charts/config/README.md index 4aacfc279d8..1fe462dd763 100644 --- a/charts/janssen/charts/config/README.md +++ b/charts/janssen/charts/config/README.md 
@@ -31,8 +31,9 @@ Kubernetes: `>=v1.21.0-0` | adminPassword | string | `"Test1234#"` | Admin password to log in to the UI. | | city | string | `"Austin"` | City. Used for certificate creation. | | configmap.cnCacheType | string | `"NATIVE_PERSISTENCE"` | Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . | -| configmap.cnClientApiAdminCertCn | string | `"client-api"` | Client-api OAuth client admin certificate common name. This should be left to the default value client-api . | -| configmap.cnClientApiApplicationCertCn | string | `"client-api"` | Client-api OAuth client application certificate common name. This should be left to the default value client-api. | +| configmap.cnClientApiAdminCertCn | string | `"client-api"` | Client-api OAuth client admin certificate common name. This should be left to the default value client-api (deprecated). | +| configmap.cnClientApiApplicationCertCn | string | `"client-api"` | Client-api OAuth client application certificate common name. This should be left to the default value client-api (deprecated in favor of `configmap.cnClientApiCertCn`). | +| configmap.cnClientApiCertCn | string | `"client-api"` | Client-api OAuth certificate common name. This should be left to the default value client-api. | | configmap.cnClientApiBindIpAddresses | string | `"*"` | Client-api bind address. This limits what ip ranges can access the client-api. This should be left as * and controlled by a NetworkPolicy | | configmap.cnConfigGoogleSecretNamePrefix | string | `"janssen"` | Prefix for Janssen configuration secret in Google Secret Manager. Defaults to janssen. If left intact janssen-configuration secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | | configmap.cnConfigGoogleSecretVersionId | string | `"latest"` | Secret version to be used for configuration. Defaults to latest and should normally always stay that way. 
Used only when global.configAdapterName and global.configSecretAdapter is set to google. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | diff --git a/charts/janssen/charts/config/templates/configmaps.yaml b/charts/janssen/charts/config/templates/configmaps.yaml index 2d28bbb3a8b..25ccd3a2076 100644 --- a/charts/janssen/charts/config/templates/configmaps.yaml +++ b/charts/janssen/charts/config/templates/configmaps.yaml @@ -1,7 +1,7 @@ apiVersion: v1 kind: ConfigMap -metadata: +metadata: name: {{ .Release.Name }}-config-cm namespace: {{ .Release.Namespace }} labels: @@ -80,6 +80,14 @@ data: | toJson | replace "clientApiLogTarget" "client_api_log_target" | replace "clientApiLogLevel" "client_api_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" | squote }} {{- end }} @@ -134,8 +142,7 @@ data: CN_PERSISTENCE_LDAP_MAPPING: {{ .Values.configmap.cnPersistenceLdapMapping | quote }} {{- end }} # Auto enable installation of some services - CN_CLIENT_API_APPLICATION_CERT_CN: {{ .Values.configmap.cnClientApiApplicationCertCn | quote }} - CN_CLIENT_API_ADMIN_CERT_CN: {{ .Values.configmap.cnClientApiAdminCertCn | quote }} + CN_CLIENT_API_CERT_CN: {{ .Values.configmap.cnClientApiCertCn | quote }} {{ if eq .Values.configmap.cnCacheType "REDIS" }} CN_REDIS_URL: {{ .Values.configmap.cnRedisUrl | quote }} CN_REDIS_TYPE: {{ .Values.configmap.cnRedisType | quote }} 
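Review bot: The new `CN_CLIENT_API_CERT_CN` entry in the `@@ -134,8` hunk of configmaps.yaml sits directly under the context comment `# Auto enable installation of some services`, which does not describe it; replace that comment with `# CommonName used for the client-api certificate subject`. Note also that the chart now emits only `CN_CLIENT_API_CERT_CN`, while bootstrap.py in this same commit still lets a non-empty `CN_CLIENT_API_APPLICATION_CERT_CN` take precedence; if an operator injects the legacy variable through the service's `usrEnvs`, it silently wins over this value, so the chart documentation should state that the legacy variable is no longer set by the chart but is still honored by the image.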
@@ -382,4 +389,4 @@ metadata: {{- if .Values.additionalAnnotations }} annotations: {{ toYaml .Values.additionalAnnotations | indent 4 }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/janssen/charts/config/values.yaml b/charts/janssen/charts/config/values.yaml index a1fbba0e4d5..c7c874f3802 100644 --- a/charts/janssen/charts/config/values.yaml +++ b/charts/janssen/charts/config/values.yaml @@ -31,10 +31,8 @@ configmap: cnSqldbUserPassword: Test1234# # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . cnCacheType: NATIVE_PERSISTENCE - # -- Client-api OAuth client admin certificate common name. This should be left to the default value client-api . - cnClientApiAdminCertCn: client-api - # -- Client-api OAuth client application certificate common name. This should be left to the default value client-api. - cnClientApiApplicationCertCn: client-api + # -- Client-api OAuth certificate common name. This should be left to the default value client-api. + cnClientApiCertCn: client-api # -- Client-api bind address. This limits what ip ranges can access the client-api. This should be left as * and controlled by a NetworkPolicy cnClientApiBindIpAddresses: "*" containerMetadataName: kubernetes diff --git a/charts/janssen/values.schema.json b/charts/janssen/values.schema.json index 0ae01f101c5..4130fa96892 100644 --- a/charts/janssen/values.schema.json +++ b/charts/janssen/values.schema.json 
@@ -78,13 +78,8 @@ "type": "string", "pattern": "^(NATIVE_PERSISTENCE|REDIS|IN_MEMORY)$" }, - "cnClientApiAdminCertCn": { - "description": "Client-api OAuth client admin certificate common name. This should be left to the default value client-api", - "type": "string", - "pattern": "^[a-z-]+$" - }, - "cnClientApiApplicationCertCn": { - "description": "Client-api OAuth client application certificate common name. This should be left to the default value client-api", + "cnClientApiCertCn": { + "description": "Client-api OAuth certificate common name. This should be left to the default value client-api", "type": "string", "pattern": "^[a-z-]+$" }, @@ -2241,4 +2236,4 @@ "else": true } } -} \ No newline at end of file +} diff --git a/charts/janssen/values.yaml b/charts/janssen/values.yaml index 44660c83cfa..668dc4764f4 100644 --- a/charts/janssen/values.yaml +++ b/charts/janssen/values.yaml @@ -229,10 +229,8 @@ config: cnSqldbUserPassword: Test1234# # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . cnCacheType: NATIVE_PERSISTENCE - # -- Client-api OAuth client admin certificate common name. This should be left to the default value client-api . - cnClientApiAdminCertCn: client-api - # -- Client-api OAuth client application certificate common name. This should be left to the default value client-api. - cnClientApiApplicationCertCn: client-api + # -- Client-api OAuth certificate common name. This should be left to the default value client-api. + cnClientApiCertCn: client-api # -- Client-api bind address. This limits what ip ranges can access the client-api. This should be left as * and controlled by a NetworkPolicy cnClientApiBindIpAddresses: "*" # -- The name of the Kubernetes ConfigMap that will hold the configuration layer 
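Review bot: The schema removes `cnClientApiAdminCertCn` and `cnClientApiApplicationCertCn` outright, and charts/janssen/values.yaml and charts/janssen/charts/config/values.yaml in this commit drop the same keys, yet both README tables earlier in the commit still list them in the `config` default object marked only as "(deprecated)". Whether a values file that still sets them is rejected or silently ignored depends on whether the enclosing `configmap` object declares `additionalProperties: false`, which is outside this hunk; either way the schema and the READMEs disagree about what "deprecated" means here. Either keep the two properties in the schema with a `"deprecated": true` annotation and keep them in values.yaml, or regenerate the READMEs with helm-docs so they stop advertising keys the chart no longer defines.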
@@ -567,6 +565,22 @@ global: clientApiLogTarget: "STDOUT" # -- client-api.log level clientApiLogLevel: "INFO" + # -- client-api_persistence.log target + persistenceLogTarget: "FILE" + # -- client-api_persistence.log level + persistenceLogLevel: "INFO" + # -- client-api_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- client-api_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- client-api_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- client-api_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- client-api_script.log target + scriptLogTarget: "FILE" + # -- client-api_script.log level + scriptLogLevel: "INFO" cloud: # -- Boolean flag if enabled will strip resources requests and limits from all services. testEnviroment: false diff --git a/docker-jans-client-api/.dockerignore b/docker-jans-client-api/.dockerignore index 025dc02eec5..021092c8a34 100644 --- a/docker-jans-client-api/.dockerignore +++ b/docker-jans-client-api/.dockerignore @@ -6,3 +6,4 @@ !templates !LICENSE !requirements.txt +!jetty diff --git a/docker-jans-client-api/Dockerfile b/docker-jans-client-api/Dockerfile index dd3d25dab85..ddae804ac55 100644 --- a/docker-jans-client-api/Dockerfile +++ b/docker-jans-client-api/Dockerfile 
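Review bot: The four new log streams default to `FILE` while the existing `clientApiLogTarget` defaults to `STDOUT`, so in a Kubernetes deployment the persistence, persistence-duration, LDAP-statistics and script logs will not reach `kubectl logs` or the cluster log pipeline unless something else collects files from the pod. For an audit-relevant stream such as the script log that is a visibility gap; consider `STDOUT` as the default, or extend each `# --` comment to say where the FILE target writes (the log4j2.xml added by this commit presumably defines the path, but its contents are not readable in this view). The defaults listed in docker-jans-client-api/README.md later in this commit mirror `FILE` and would need the same change.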
@@ -7,25 +7,56 @@ FROM bellsoft/liberica-openjre-alpine:11.0.15 RUN apk update \ && apk upgrade \ && apk add --no-cache openssl python3 tini curl py3-cryptography py3-psycopg2 py3-grpcio \ - && apk add --no-cache --virtual .build-deps unzip wget git \ + && apk add --no-cache --virtual .build-deps zip wget git \ && mkdir -p /usr/java/latest \ && ln -sf /usr/lib/jvm/jre /usr/java/latest/jre +# ===== +# Jetty +# ===== + +ARG JETTY_VERSION=11.0.8 +ARG JETTY_HOME=/opt/jetty +ARG JETTY_BASE=/opt/jans/jetty +ARG JETTY_USER_HOME_LIB=/home/jetty/lib + +# Install jetty +RUN wget -q https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-home/${JETTY_VERSION}/jetty-home-${JETTY_VERSION}.tar.gz -O /tmp/jetty.tar.gz \ + && mkdir -p /opt \ + && tar -xzf /tmp/jetty.tar.gz -C /opt \ + && mv /opt/jetty-home-${JETTY_VERSION} ${JETTY_HOME} \ + && rm -rf /tmp/jetty.tar.gz + +# Ports required by jetty +EXPOSE 8080 + +# ====== +# Jython +# ====== + +ARG JYTHON_VERSION=2.7.3 +RUN wget -q https://ox.gluu.org/maven/org/gluufederation/jython-installer/${JYTHON_VERSION}/jython-installer-${JYTHON_VERSION}.jar -O /tmp/jython-installer.jar \ + && mkdir -p /opt/jython \ + && java -jar /tmp/jython-installer.jar -v -s -d /opt/jython -e ensurepip \ + && rm -f /tmp/jython-installer.jar /tmp/*.properties + # ========== # Client API # ========== -ENV CN_VERSION=1.0.0 -ENV CN_BUILD_DATE='2022-04-22 08:50' -ENV CN_SOURCE_URL=https://jenkins.jans.io/maven/io/jans/jans-client-api-server/${CN_VERSION}/jans-client-api-server-${CN_VERSION}-distribution.zip +ENV CN_VERSION=1.0.1-SNAPSHOT +ENV CN_BUILD_DATE='2022-06-09 08:49' +ENV CN_SOURCE_URL=https://jenkins.jans.io/maven/io/jans/jans-client-api-server/${CN_VERSION}/jans-client-api-server-${CN_VERSION}.war -RUN wget -q ${CN_SOURCE_URL} -O /tmp/client-api.zip \ - && mkdir -p /opt/client-api \ - && unzip -qq /tmp/client-api.zip -d /opt/client-api \ - && rm /tmp/client-api.zip \ - && rm -rf /opt/client-api/conf/client-api-server.keystore 
/opt/client-api/conf/client-api-server.yml - -EXPOSE 8443 8444 +COPY jetty/jetty-env.xml /tmp/WEB-INF/jetty-env.xml +RUN mkdir -p ${JETTY_BASE}/jans-client-api/webapps \ + && wget -q ${CN_SOURCE_URL} -O /tmp/jans-client-api.war \ + && cd /tmp \ + && zip -d jans-client-api.war WEB-INF/jetty-web.xml \ + && zip -r jans-client-api.war WEB-INF/jetty-env.xml \ + && cp jans-client-api.war ${JETTY_BASE}/jans-client-api/webapps/jans-client-api.war \ + && java -jar ${JETTY_HOME}/start.jar jetty.home=${JETTY_HOME} jetty.base=${JETTY_BASE}/jans-client-api --add-module=server,deploy,annotations,webapp,servlet,resources,http,http-forwarded,threadpool,jsp,websocket,logging/slf4j,logging-jetty \ + && rm -rf /tmp/jans-client-api.war /tmp/WEB-INF # ====== # Python 
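Review bot: The three build-time downloads in this hunk (the Jetty tarball, the Jython installer and the client-api WAR) are fetched with `wget -q` and used without any checksum or signature verification, and the Jython installer is then executed with `java -jar`; a mutable `1.0.1-SNAPSHOT` WAR in particular means two builds of this Dockerfile can contain different code with `CN_BUILD_DATE` as the only, hand-maintained, record. Pin each artifact with a digest and fail the build on mismatch, e.g. `ARG JETTY_SHA256=<sha256 of jetty-home-11.0.8.tar.gz>` followed by `&& echo "${JETTY_SHA256}  /tmp/jetty.tar.gz" | sha256sum -c -` before the `tar -xzf`, and likewise for the other two. Separately, the start.jar module list enables only `http` (plus `http-forwarded`), so the container now listens in plaintext on 8080 where the previous image exposed 8443/8444; that is acceptable behind an ingress that terminates TLS, but the keystore that Connector.sync_keystore in bootstrap.py still generates is no longer referenced by any Jetty module here, so either add the `ssl`/`https` modules or document that TLS is expected to terminate upstream. `JETTY_USER_HOME_LIB` is declared in this hunk but not used in any visible hunk.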
@@ -37,12 +68,40 @@ RUN python3 -m ensurepip \ && pip3 install --no-cache-dir -r /app/requirements.txt \ && pip3 uninstall -y pip wheel +# ===================== +# jans-linux-setup sync +# ===================== + +ENV JANS_LINUX_SETUP_VERSION=819fc2bc8ca596845a17498f7bd2e101cc466775 +ARG JANS_SETUP_DIR=jans-linux-setup/jans_setup + +# note that as we're pulling from a monorepo (with multiple project in it) +# we are using partial-clone and sparse-checkout to get the jans-linux-setup code +RUN git clone --filter blob:none --no-checkout https://github.com/janssenproject/jans /tmp/jans \ + && cd /tmp/jans \ + && git sparse-checkout init --cone \ + && git checkout ${JANS_LINUX_SETUP_VERSION} \ + && git sparse-checkout set ${JANS_SETUP_DIR} + +RUN mkdir -p /app/static/rdbm /app/schema /app/templates/jans-client-api + +# sync static files and templates from linux-setup +RUN cd /tmp/jans \ + && cp ${JANS_SETUP_DIR}/static/rdbm/sql_data_types.json /app/static/rdbm/ \ + && cp ${JANS_SETUP_DIR}/static/rdbm/ldap_sql_data_type_mapping.json /app/static/rdbm/ \ + && cp ${JANS_SETUP_DIR}/static/rdbm/opendj_attributes_syntax.json /app/static/rdbm/ \ + && cp ${JANS_SETUP_DIR}/static/rdbm/sub_tables.json /app/static/rdbm/ \ + && cp ${JANS_SETUP_DIR}/schema/jans_schema.json /app/schema/ \ + && cp ${JANS_SETUP_DIR}/schema/custom_schema.json /app/schema/ \ + && cp ${JANS_SETUP_DIR}/schema/opendj_types.json /app/schema/ \ + && cp ${JANS_SETUP_DIR}/templates/jans-client-api/configuration.ldif /app/templates/jans-client-api/ \ + && cp ${JANS_SETUP_DIR}/templates/jans-client-api/dynamic-conf.json /app/templates/jans-client-api/ + # ======= # Cleanup # ======= -RUN apk del .build-deps \ - && rm -rf /var/cache/apk/* +RUN apk del .build-deps && rm -rf /var/cache/apk/* /tmp/jans # ======= # License 
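Review bot: The `git clone` into /tmp/jans and the later `rm -rf ... /tmp/jans` are in separate `RUN` instructions, so the cloned repository (including its .git object store) stays in an intermediate layer and ships in the image even though it is no longer visible in the filesystem. Fold the clone, the `cp` lines and the removal into a single `RUN`, or move them to a builder stage and `COPY --from` the nine files, which also keeps `git` out of the final image entirely. Pinning `JANS_LINUX_SETUP_VERSION` to a commit hash is the right choice; it reads better as `ARG` than `ENV` if nothing consumes it at runtime, which these hunks suggest but do not prove.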
@@ -117,8 +176,8 @@ ENV CN_PERSISTENCE_TYPE=ldap \ # client-api ENV # ============== -ENV CN_CLIENT_API_APPLICATION_CERT_CN=localhost \ - CN_CLIENT_API_ADMIN_CERT_CN=localhost \ +ENV CN_CLIENT_API_APPLICATION_CERT_CN="" \ + CN_CLIENT_API_CERT_CN=localhost \ CN_CLIENT_API_BIND_IP_ADDRESSES="*" # =========== @@ -144,22 +203,23 @@ LABEL name="janssenproject/client-api" \ summary="Janssen Client API" \ description="Client software to secure apps with OAuth 2.0, OpenID Connect, and UMA" -RUN mkdir -p /etc/certs \ - /etc/jans/conf \ - /opt/client-api/logs +RUN mkdir -p /etc/certs /etc/jans/conf ${JETTY_BASE}/jans-client-api/logs +COPY jetty/log4j2.xml ${JETTY_BASE}/jans-client-api/resources/ COPY scripts /app/scripts COPY templates/*.tmpl /app/templates/ RUN chmod +x /app/scripts/entrypoint.sh # create non-root user -RUN adduser -s /bin/sh -D -G root -u 1000 1000 +RUN adduser -s /bin/sh -D -G root -u 1000 jetty # adjust ownership and permission -RUN chmod -R g=u /opt/client-api/conf \ - && chmod -R g=u /opt/client-api/logs \ +RUN chmod -R g=u ${JETTY_BASE}/jans-client-api/resources \ + && chmod -R g=u ${JETTY_BASE}/jans-client-api/logs \ && chmod -R g=u /etc/certs \ && chmod -R g=u /etc/jans \ - && chmod 664 /usr/java/latest/jre/lib/security/cacerts + && chmod 664 /usr/java/latest/jre/lib/security/cacerts \ + && chmod 664 /opt/jetty/etc/jetty.xml \ + && chmod 664 /opt/jetty/etc/webdefault.xml USER 1000 diff --git a/docker-jans-client-api/Makefile b/docker-jans-client-api/Makefile index 5a66decf6ac..124bf1fdf88 100644 --- a/docker-jans-client-api/Makefile +++ b/docker-jans-client-api/Makefile 
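Review bot: `CN_CLIENT_API_BIND_IP_ADDRESSES="*"` is kept as a default in this `ENV` block and the README in this commit still describes it as limiting which hosts may reach client-api, but its only visible consumer, `render_client_api_config` in bootstrap.py, is deleted by this commit and none of the surviving bootstrap.py hunks read it (the remainder of that file is outside this view). If the Jetty-based setup does not re-implement the allowlist, the variable becomes a silent no-op and the README overstates a security control; either wire it into the Jetty configuration or remove the variable and its documentation line.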
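Review bot: The two new `chmod 664` lines make Jetty's global `/opt/jetty/etc/jetty.xml` and `/opt/jetty/etc/webdefault.xml` writable by the root group, which the runtime user created two lines earlier with `-G root` belongs to, so a compromised application process could rewrite the server's own configuration for the lifetime of the container. If entrypoint.sh (changed in this commit but not shown here) edits these files at start-up, prefer shipping patched copies under `${JETTY_BASE}/jans-client-api/etc/` at build time, or rendering them into an app-scoped writable directory, and leave `${JETTY_HOME}` read-only. The same consideration applies to `chmod -R g=u ${JETTY_BASE}/jans-client-api/resources`, which leaves log4j2.xml writable at runtime; if only the level and target need templating, render the file once and avoid group-write on the directory.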
@@ -1,15 +1,9 @@ -CN_VERSION=1.0.0 +CN_VERSION=1.0.1 IMAGE_NAME=janssenproject/client-api UNSTABLE_VERSION=dev +.PHONY: test clean all build-dev + build-dev: @echo "[I] Building Docker image ${IMAGE_NAME}:${CN_VERSION}_${UNSTABLE_VERSION}" @docker build --rm --force-rm -t ${IMAGE_NAME}:${CN_VERSION}_${UNSTABLE_VERSION} . - -trivy-scan: - @echo "[I] Scanning Docker image ${IMAGE_NAME}:${CN_VERSION}_${UNSTABLE_VERSION} using trivy" - @trivy -d image ${IMAGE_NAME}:${CN_VERSION}_${UNSTABLE_VERSION} - -dockle-scan: - @echo "[I] Scanning Docker image ${IMAGE_NAME}:${CN_VERSION}_${UNSTABLE_VERSION} using dockle" - @dockle -d ${IMAGE_NAME}:${CN_VERSION}_${UNSTABLE_VERSION} diff --git a/docker-jans-client-api/README.md b/docker-jans-client-api/README.md index f795e91008d..dd80c2a7d0f 100644 --- a/docker-jans-client-api/README.md +++ b/docker-jans-client-api/README.md @@ -60,8 +60,7 @@ The following environment variables are supported by the container: - `CN_COUCHBASE_TRUSTSTORE_ENABLE`: Enable truststore for encrypted Couchbase connection (default to `true`). - `CN_COUCHBASE_KEEPALIVE_INTERVAL`: Keep-alive interval for Couchbase connection (default to `30000` milliseconds). - `CN_COUCHBASE_KEEPALIVE_TIMEOUT`: Keep-alive timeout for Couchbase connection (default to `2500` milliseconds). -- `CN_CLIENT_API_APPLICATION_CERT_CN`: CommonName used in application certificate subject -- `CN_CLIENT_API_ADMIN_CERT_CN`: CommonName used in admin certificate subject +- `CN_CLIENT_API_CERT_CN`: CommonName used in certificate subject. - `CN_CLIENT_API_BIND_IP_ADDRESSES`: A comma-separated host/IP address that are allowed to access client-api (default to `*`). - `CN_JAVA_OPTIONS`: Java options passed to entrypoint, i.e. `-Xmx1024m` (default to empty-string). - `GOOGLE_PROJECT_ID`: Google Project ID (default to empty string). Used when `CN_CONFIG_ADAPTER` or `CN_SECRET_ADAPTER` set to `google`. 
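Review bot: Removing the `trivy-scan` and `dockle-scan` targets drops the only documented way in this directory to scan the built image for known-vulnerable packages and Dockerfile misconfigurations, and the commit does not say where that responsibility moved. If scanning now happens in CI, a one-line comment such as `# image scanning runs in CI; see the repository workflows` would stop a reader from re-adding it; otherwise the targets should stay. The new `.PHONY: test clean all build-dev` line also declares `test`, `clean` and `all`, none of which exist after this change (the hunk covers the whole file), so either add those recipes or reduce it to `.PHONY: build-dev`.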
@@ -91,7 +90,15 @@ The following key-value pairs are the defaults: ```json { "client_api_log_target": "STDOUT", - "client_api_log_level": "INFO" + "client_api_log_level": "INFO", + "persistence_log_target": "FILE", + "persistence_log_level": "INFO", + "persistence_duration_log_target": "FILE", + "persistence_duration_log_level": "INFO", + "ldap_stats_log_target": "FILE", + "ldap_stats_log_level": "INFO", + "script_log_target": "FILE", + "script_log_level": "INFO" } ``` diff --git a/docker-jans-client-api/jetty/jans-client-api.xml b/docker-jans-client-api/jetty/jans-client-api.xml new file mode 100644 index 00000000000..9e4ded669fa --- /dev/null +++ b/docker-jans-client-api/jetty/jans-client-api.xml @@ -0,0 +1,11 @@ + + + + + /jans-client-api + + /jans-client-api.war + + true + + diff --git a/docker-jans-client-api/jetty/jetty-env.xml b/docker-jans-client-api/jetty/jetty-env.xml new file mode 100644 index 00000000000..228cae0b737 --- /dev/null +++ b/docker-jans-client-api/jetty/jetty-env.xml @@ -0,0 +1,22 @@ + + + + + + + + + + BeanManager + + + + javax.enterprise.inject.spi.BeanManager + org.jboss.weld.resources.ManagerObjectFactory + + + + + + diff --git a/docker-jans-client-api/jetty/log4j2.xml b/docker-jans-client-api/jetty/log4j2.xml new file mode 100644 index 00000000000..db469a7162b --- /dev/null +++ b/docker-jans-client-api/jetty/log4j2.xml @@ -0,0 +1,113 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docker-jans-client-api/scripts/bootstrap.py b/docker-jans-client-api/scripts/bootstrap.py index ceb67388957..78e4e1f51f5 100644 --- a/docker-jans-client-api/scripts/bootstrap.py +++ b/docker-jans-client-api/scripts/bootstrap.py 
@@ -1,9 +1,9 @@ import json import logging.config import os - -from ruamel.yaml import safe_load -from ruamel.yaml import safe_dump +import re +from functools import cached_property +from string import Template from jans.pycloudlib import get_manager from jans.pycloudlib.persistence import render_couchbase_properties @@ -15,11 +15,16 @@ from jans.pycloudlib.persistence import sync_ldap_truststore from jans.pycloudlib.persistence import render_sql_properties from jans.pycloudlib.persistence import render_spanner_properties -from jans.pycloudlib.persistence.utils import PersistencMapper +from jans.pycloudlib.persistence import CouchbaseClient +from jans.pycloudlib.persistence import LdapClient +from jans.pycloudlib.persistence import SpannerClient +from jans.pycloudlib.persistence import SqlClient +from jans.pycloudlib.persistence.utils import PersistenceMapper from jans.pycloudlib.utils import cert_to_truststore from jans.pycloudlib.utils import get_random_chars from jans.pycloudlib.utils import exec_cmd from jans.pycloudlib.utils import generate_ssl_certkey +from jans.pycloudlib.utils import generate_base64_contents from settings import LOGGING_CONFIG 
@@ -53,42 +58,39 @@ def generate_keystore(cert_file, key_file, keystore_file, keystore_password): class Connector: - def __init__(self, manager, type_): + def __init__(self, manager): self.manager = manager - self.type = type_ - assert self.type in ("application", "admin") @property def cert_file(self): - return f"/etc/certs/client_api_{self.type}.crt" + return "/etc/certs/client_api.crt" @property def key_file(self): - return f"/etc/certs/client_api_{self.type}.key" + return "/etc/certs/client_api.key" @property def keystore_file(self): - return f"/etc/certs/client_api_{self.type}.keystore" + return "/etc/certs/client_api.jks" @property def cert_cn(self): - conn_type = self.type.upper() - - # backward-compat with 4.1.x - if f"{conn_type}_KEYSTORE_CN" in os.environ: - return os.environ.get(f"{conn_type}_KEYSTORE_CN", "localhost") - return os.environ.get(f"CN_CLIENT_API_{conn_type}_CERT_CN", "localhost") + # CN_CLIENT_API_APPLICATION_CERT_CN is deprecated, but we keep it as backward-compat + legacy_cn = os.environ.get("CN_CLIENT_API_APPLICATION_CERT_CN", "") + if legacy_cn: + return legacy_cn + return os.environ.get("CN_CLIENT_API_CERT_CN", "localhost") def sync_x509(self): - cert = self.manager.secret.get(f"client_api_{self.type}_cert") - key = self.manager.secret.get(f"client_api_{self.type}_key") + cert = self.manager.secret.get("client_api_cert") + key = self.manager.secret.get("client_api_key") if cert and key: - self.manager.secret.to_file(f"client_api_{self.type}_cert", self.cert_file) - self.manager.secret.to_file(f"client_api_{self.type}_key", self.key_file) + self.manager.secret.to_file("client_api_cert", self.cert_file) + self.manager.secret.to_file("client_api_key", self.key_file) else: generate_ssl_certkey( - f"client_api_{self.type}", + "client_api", self.manager.config.get("admin_email"), self.manager.config.get("hostname"), self.manager.config.get("orgName"), 
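Review bot: In `cert_cn`, a non-empty legacy `CN_CLIENT_API_APPLICATION_CERT_CN` silently overrides the new `CN_CLIENT_API_CERT_CN` and nothing tells the operator which one was used; at minimum emit a warning through the module's logging setup when the `legacy_cn` branch is taken, and consider giving the new variable precedence so that setting it is always sufficient. The secret keys also change from `client_api_application_cert`/`client_api_application_key` to `client_api_cert`/`client_api_key`, and the keystore path from `client_api_application.keystore` to `client_api.jks`, so an upgraded deployment will generate a fresh certificate and keystore instead of reusing the stored ones; if continuity matters for existing clients, migrate the old secret values, otherwise state in the commit that a new certificate is expected. The 4.1.x `*_KEYSTORE_CN` fallback is dropped in the same hunk without a mention in the README. `sync_x509` continues past the end of this hunk.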
@@ -98,29 +100,29 @@ def sync_x509(self):
                 extra_dns=[self.cert_cn],
             )
             # save cert and key to secrets for later use
-            self.manager.secret.from_file(f"client_api_{self.type}_cert", self.cert_file)
-            self.manager.secret.from_file(f"client_api_{self.type}_key", self.key_file)
+            self.manager.secret.from_file("client_api_cert", self.cert_file)
+            self.manager.secret.from_file("client_api_key", self.key_file)
     def get_keystore_password(self):
-        password = manager.secret.get(f"client_api_{self.type}_keystore_password")
+        password = manager.secret.get("client_api_keystore_password")
         if not password:
             password = get_random_chars()
-            manager.secret.set(f"client_api_{self.type}_keystore_password", password)
+            manager.secret.set("client_api_keystore_password", password)
         return password
     def sync_keystore(self):
-        jks = self.manager.secret.get(f"client_api_{self.type}_jks_base64")
+        jks = self.manager.secret.get("client_api_jks_base64")
         if jks:
             self.manager.secret.to_file(
-                f"client_api_{self.type}_jks_base64", self.keystore_file, decode=True, binary_mode=True,
+                "client_api_jks_base64", self.keystore_file, decode=True, binary_mode=True,
             )
         else:
             generate_keystore(self.cert_file, self.key_file, self.keystore_file, self.get_keystore_password())
             # save keystore to secrets for later use
             self.manager.secret.from_file(
-                f"client_api_{self.type}_jks_base64", self.keystore_file, encode=True, binary_mode=True,
+                "client_api_jks_base64", self.keystore_file, encode=True, binary_mode=True,
             )
     def sync(self):
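Review bot: `get_keystore_password` still goes through the module-level `manager` (`manager.secret.get(...)` / `manager.secret.set(...)`) while every other method of `Connector` uses `self.manager`; since the commit rewrites both lines anyway, make them `password = self.manager.secret.get("client_api_keystore_password")` and `self.manager.secret.set("client_api_keystore_password", password)` so the class does not rely on a global being bound before it is instantiated. The same password is later embedded into the dynamic configuration by `PersistenceSetup.ctx`, so sourcing it consistently from the one secret backend the instance was given matters.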
@@ -128,67 +130,13 @@ def sync(self):
         self.sync_keystore()
-def render_client_api_config():
-    with open("/app/templates/client-api-server.yml.tmpl") as f:
-        data = safe_load(f.read())
-
-    persistence_type = os.environ.get("CN_PERSISTENCE_TYPE", "ldap")
-    conn = f"jans-{persistence_type}.properties"
-
-    data["storage"] = "jans_server_configuration"
-    data["storage_configuration"] = {
-        "baseDn": "o=jans",
-        "type": "/etc/jans/conf/jans.properties",
-        "salt": "/etc/jans/conf/salt",
-        "connection": f"/etc/jans/conf/{conn}",
-    }
-
-    app_connector = Connector(manager, "application")
-    app_connector.sync()
-    admin_connector = Connector(manager, "admin")
-    admin_connector.sync()
-
-    data["server"]["applicationConnectors"][0]["keyStorePassword"] = app_connector.get_keystore_password()
-    data["server"]["applicationConnectors"][0]["keyStorePath"] = app_connector.keystore_file
-    data["server"]["adminConnectors"][0]["keyStorePassword"] = admin_connector.get_keystore_password()
-    data["server"]["adminConnectors"][0]["keyStorePath"] = admin_connector.keystore_file
-
-    ip_addresses = os.environ.get("CN_CLIENT_API_BIND_IP_ADDRESSES", "*")
-    data["bind_ip_addresses"] = [
-        addr.strip()
-        for addr in ip_addresses.split(",")
-        if addr
-    ]
-
-    log_config = configure_logging()
-    data["logging"]["loggers"]["io.jans"] = log_config["client_api_log_level"]
-
-    if log_config["client_api_log_target"] == "FILE":
-        data["logging"]["appenders"] = [
-            {
-                "type": "file",
-                "threshold": log_config["client_api_log_level"],
-                "logFormat": "%-6level [%d{HH:mm:ss.SSS}] [%t] %logger{5} - %X{code} %msg %n",
-                "currentLogFilename": "/opt/client-api/logs/client-api.log",
-                "archivedLogFilenamePattern": "/opt/client-api/logs/client-api-%d{yyyy-MM-dd}-%i.log.gz",
-                "archivedFileCount": 7,
-                "timeZone": "UTC",
-                "maxFileSize": "10MB",
-            },
-        ]
-
-    # write config
-    with open("/opt/client-api/conf/client-api-server.yml", "w") as f:
-        f.write(safe_dump(data))
-
-
 def main():
     persistence_type = os.environ.get("CN_PERSISTENCE_TYPE", "ldap")
     render_salt(manager, "/app/templates/salt.tmpl", "/etc/jans/conf/salt")
     render_base_properties("/app/templates/jans.properties.tmpl", "/etc/jans/conf/jans.properties")
-    mapper = PersistencMapper()
+    mapper = PersistenceMapper()
     persistence_groups = mapper.groups()
     if persistence_type == "hybrid":
@@ -226,8 +174,15 @@ def main():
     get_web_cert()
-    # if not os.path.isfile("/opt/client-api/client-api-server.yml"):
-    render_client_api_config()
+    modify_jetty_xml()
+    modify_webdefault_xml()
+    configure_logging()
+
+    connector = Connector(manager)
+    connector.sync()
+
+    persistence_setup = PersistenceSetup(manager, connector)
+    persistence_setup.import_ldif_files()
 def configure_logging():
@@ -235,6 +190,14 @@ def configure_logging():
     config = {
         "client_api_log_target": "STDOUT",
         "client_api_log_level": "INFO",
+        "persistence_log_target": "FILE",
+        "persistence_log_level": "INFO",
+        "persistence_duration_log_target": "FILE",
+        "persistence_duration_log_level": "INFO",
+        "ldap_stats_log_target": "FILE",
+        "ldap_stats_log_level": "INFO",
+        "script_log_target": "FILE",
+        "script_log_level": "INFO"
     }
     # pre-populate custom config; format is JSON string of ``dict``
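Review bot: The new defaults in `configure_logging` send four of the five log streams (`persistence`, `persistence_duration`, `ldap_stats`, `script`) to `FILE` while `client_api_log_target` stays `STDOUT`; in a container those file appenders write inside the container filesystem, where the cluster's log collection will not see them, so persistence and script failures become harder to notice than the request log. Consider defaulting every `*_log_target` key to `STDOUT` and leaving `FILE` as an explicit opt-in, or at least documenting in the dict where the `FILE` aliases end up (the `log4j2.xml` appenders are not visible in this diff). The `"script_log_level": "INFO"` entry is also the only one without a trailing comma.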
@@ -270,8 +233,136 @@ def configure_logging():
         # update the config
         config[k] = v
-    # finalize
-    return config
+    # mapping between the ``log_target`` value and their appenders
+    file_aliases = {
+        "client_api_log_target": "FILE",
+        "persistence_log_target": "JANS_CLIENTAPI_PERSISTENCE_FILE",
+        "persistence_duration_log_target": "JANS_CLIENTAPI_PERSISTENCE_DURATION_FILE",
+        "ldap_stats_log_target": "JANS_CLIENTAPI_PERSISTENCE_LDAP_STATISTICS_FILE",
+        "script_log_target": "JANS_CLIENTAPI_SCRIPT_LOG_FILE",
+    }
+
+    for key, value in config.items():
+        if not key.endswith("_target"):
+            continue
+
+        if value == "STDOUT":
+            config[key] = "Console"
+        else:
+            config[key] = file_aliases[key]
+
+    logfile = "/opt/jans/jetty/jans-client-api/resources/log4j2.xml"
+    with open(logfile) as f:
+        txt = f.read()
+
+    tmpl = Template(txt)
+    with open(logfile, "w") as f:
+        f.write(tmpl.safe_substitute(config))
+
+
+def modify_jetty_xml():
+    fn = "/opt/jetty/etc/jetty.xml"
+    with open(fn) as f:
+        txt = f.read()
+
+    # disable contexts
+    updates = re.sub(
+        r'',
+        r'\n\t\t\t\t false\n\t\t\t ',
+        txt,
+        flags=re.DOTALL | re.M,
+    )
+
+    with open(fn, "w") as f:
+        f.write(updates)
+
+
+def modify_webdefault_xml():
+    fn = "/opt/jetty/etc/webdefault.xml"
+    with open(fn) as f:
+        txt = f.read()
+
+    # disable dirAllowed
+    updates = re.sub(
+        r'(dirAllowed)(\s*)()true()',
+        r'\1\2\3false\4',
+        txt,
+        flags=re.DOTALL | re.M,
+    )
+
+    with open(fn, "w") as f:
+        f.write(updates)
+
+
+class PersistenceSetup:
+    def __init__(self, manager, connector):
+        self.manager = manager
+        self.connector = connector
+
+        client_classes = {
+            "ldap": LdapClient,
+            "couchbase": CouchbaseClient,
+            "spanner": SpannerClient,
+            "sql": SqlClient,
+        }
+
+        # determine persistence type
+        mapper = PersistenceMapper()
+        self.persistence_type = mapper.mapping["default"]
+
+        # determine persistence client
+        client_cls = client_classes.get(self.persistence_type)
+        self.client = client_cls(manager)
+
+    def get_dynamic_conf(self, ctx):
+        with open("/app/templates/jans-client-api/dynamic-conf.json") as f:
+            txt = f.read() % ctx
+
+        conf = json.loads(txt)
+
+        ip_addresses = os.environ.get("CN_CLIENT_API_BIND_IP_ADDRESSES", "*")
+        conf["bindIpAddresses"] = [
+            addr.strip()
+            for addr in ip_addresses.split(",")
+            if addr
+        ]
+
+        persistence_type = os.environ.get("CN_PERSISTENCE_TYPE", "ldap")
+        conf["storageConfiguration"] = {
+            "baseDn": "o=jans",
+            "type": "/etc/jans/conf/jans.properties",
+            "salt": "/etc/jans/conf/salt",
+            "connection": f"/etc/jans/conf/jans-{persistence_type}.properties",
+        }
+
+        # TODO: change loggingLevel?
+        return conf
+
+    @cached_property
+    def ctx(self):
+        ctx = {
+            "client_api_keystore_fn": self.connector.keystore_file,
+            "client_api_keystore_pw": self.connector.get_keystore_password(),
+            "client_api_crypto_provider_fn": "/etc/certs/client-api-jwks.keystore",
+            "client_api_storage_type": "jans_server_configuration",
+        }
+
+        dynamic_conf = json.dumps(self.get_dynamic_conf(ctx))
+        ctx["client_api_dynamic_conf_base64"] = generate_base64_contents(dynamic_conf)
+        return ctx
+
+    @cached_property
+    def ldif_files(self):
+        filenames = ["configuration.ldif"]
+        return [
+            f"/app/templates/jans-client-api/(unknown)"
+            for filename in filenames
+        ]
+
+    def import_ldif_files(self):
+        for file_ in self.ldif_files:
+            logger.info(f"Importing {file_}")
+            self.client.create_from_ldif(file_, self.ctx)
 if __name__ == "__main__":
diff --git a/docker-jans-client-api/scripts/entrypoint.sh b/docker-jans-client-api/scripts/entrypoint.sh
index fae269d0acb..3cb9aec1ae2 100644
--- a/docker-jans-client-api/scripts/entrypoint.sh
+++ b/docker-jans-client-api/scripts/entrypoint.sh
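Review bot: In `PersistenceSetup.__init__`, `client_classes.get(self.persistence_type)` returns `None` when the mapping default is not one of the four listed backends, and the next line `client_cls(manager)` then dies with an opaque `TypeError`; use `client_cls = client_classes[self.persistence_type]` or raise a `ValueError` that names the unsupported type. In `get_dynamic_conf` the `if addr` filter runs on the unstripped value, so `"a, ,b"` yields an empty entry in `bindIpAddresses`; filtering on the stripped value closes that gap. Separately, the `re.sub` patterns in `modify_jetty_xml` and `modify_webdefault_xml` appear in this rendering with their XML element names stripped (an `r''` pattern would match at every position), and `ldif_files` shows a literal `(unknown)` where the `{filename}` placeholder presumably sits — both look like rendering artifacts but are worth confirming against the raw file.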
@@ -5,12 +5,23 @@ set -e
 python3 /app/scripts/wait.py
 python3 /app/scripts/bootstrap.py
-# run the server
-# customized `/opt/client-api/bin/client-api-start.sh`
+# run jans-client-api
+cd /opt/jans/jetty/jans-client-api
+
+# shellcheck disable=SC2086
 exec java \
-    -Djava.net.preferIPv4Stack=true \
+    -server \
+    -XX:+DisableExplicitGC \
     -XX:+UseContainerSupport \
     -XX:MaxRAMPercentage=$CN_MAX_RAM_PERCENTAGE \
+    -Djava.net.preferIPv4Stack=true \
+    -Djans.base=/etc/jans \
+    -Dserver.base=/opt/jans/jetty/jans-client-api \
+    -Dlog.base=/opt/jans/jetty/jans-client-api \
+    -Djava.io.tmpdir=/tmp \
+    -Dpython.home=/opt/jython \
+    -Dlog4j2.configurationFile=resources/log4j2.xml \
     ${CN_JAVA_OPTIONS} \
-    -cp /opt/client-api/client-api.jar:/opt/client-api/lib/* \
-    io.jans.ca.server.RpServerApplication server /opt/client-api/conf/client-api-server.yml
+    -jar /opt/jetty/start.jar \
+    jetty.deploy.scanInterval=0 \
+    jetty.httpConfig.sendServerVersion=false
diff --git a/docker-jans-client-api/templates/client-api-server.yml.tmpl b/docker-jans-client-api/templates/client-api-server.yml.tmpl
deleted file mode 100644
index 7194d9752b2..00000000000
--- a/docker-jans-client-api/templates/client-api-server.yml.tmpl
+++ /dev/null
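Review bot: `-Dlog4j2.configurationFile=resources/log4j2.xml` is resolved relative to the working directory set by the `cd` a few lines above, which is the only thing that makes it coincide with the file `bootstrap.py` rewrites at `/opt/jans/jetty/jans-client-api/resources/log4j2.xml`; passing that absolute path removes the dependence on the `cd`. `-XX:MaxRAMPercentage=$CN_MAX_RAM_PERCENTAGE` expands to an empty option that the JVM rejects at startup when the variable is unset, so `${CN_MAX_RAM_PERCENTAGE:?}` would turn that into an explicit, readable failure. `jetty.httpConfig.sendServerVersion=false` is a good hardening default to carry over.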
@@ -1,122 +0,0 @@ - -# server configuration -use_client_authentication_for_pat: true -trust_all_certs: false -trust_store_path: '' -trust_store_password: '' -enable_jwks_generation: true -crypt_provider_key_store_path: '/opt/client-api/conf/client-api-jwks.keystore' -crypt_provider_key_store_password: 'example' -crypt_provider_dn_name: 'CN=jans-client CA Certificates' -support-google-logout: true -state_expiration_in_minutes: 5 -nonce_expiration_in_minutes: 5 -db_cleanup_interval_in_hours: 1 -rp_cache_expiration_in_minutes: 60 -public_op_key_cache_expiration_in_minutes: 60 -protect_commands_with_access_token: true -accept_id_token_without_signature: false -protect_commands_with_rp_id: [] -uma2_auto_register_claims_gathering_endpoint_as_redirect_uri_of_client: false -add_client_credentials_grant_type_automatically_during_client_registration: true -migration_source_folder_path: '' -allowed_op_hosts: [] -storage: h2 -enable_tracing: false -# tracer: jaeger or zipkin -tracer: 'jaeger' -tracer_host: 'localhost' -tracer_port: 5775 -storage_configuration: - dbFileLocation: /opt/client-api/data/rp_db - -# Connectors -server: - applicationConnectors: - - type: https - port: 8443 - keyStorePath: /opt/client-api/conf/client-api-server.keystore - keyStorePassword: example - validateCerts: false - adminConnectors: - - type: https - port: 8444 - keyStorePath: /opt/client-api/conf/client-api-server.keystore - keyStorePassword: example - validateCerts: false - -# Logging settings. -logging: - - # Logger-specific levels. 
- loggers: - io.jans: INFO - org.reflections.Reflections: ERROR - -# Logback's Time Based Rolling Policy - archivedLogFilenamePattern: /tmp/application-%d{yyyy-MM-dd}.log.gz -# Logback's Size and Time Based Rolling Policy - archivedLogFilenamePattern: /tmp/application-%d{yyyy-MM-dd}-%i.log.gz -# Logback's Fixed Window Rolling Policy - archivedLogFilenamePattern: /tmp/application-%i.log.gz - - appenders: - - type: console - # - type: file - # threshold: TRACE - # logFormat: "%-6level [%d{HH:mm:ss.SSS}] [%t] %logger{5} - %X{code} %msg %n" - # currentLogFilename: /var/log/client-api/client-api.log - # archivedLogFilenamePattern: /var/log/client-api/client-api-%d{yyyy-MM-dd}-%i.log.gz - # archivedFileCount: 7 - # timeZone: UTC - # maxFileSize: 10MB - -defaultSiteConfig: - op_configuration_endpoint: '' - response_types: ['code'] - grant_type: ['authorization_code'] - acr_values: [''] - scope: ['openid', 'profile', 'email'] - ui_locales: ['en'] - claims_locales: ['en'] - contacts: [] - redirect_uris: [] - logout_redirect_uris: [] - client_name: '' - client_jwks_uri: '' - token_endpoint_auth_method: '' - token_endpoint_auth_signing_alg: '' - request_uris: [] - front_channel_logout_uri: '' - sector_identifier_uri: '' - claims_redirect_uri: [] - client_id: '' - client_secret: '' - trusted_client: false - access_token_as_jwt: false - access_token_signing_alg: '' - rpt_as_jwt: false - logo_uri: '' - client_uri: '' - policy_uri: '' - front_channel_logout_session_required: false - tos_uri: '' - jwks: '' - id_token_binding_cnf: '' - tls_client_auth_subject_dn: '' - run_introspection_script_beforeaccess_token_as_jwt_creation_and_include_claims: false - id_token_signed_response_alg: '' - id_token_encrypted_response_alg: '' - id_token_encrypted_response_enc: '' - user_info_signed_response_alg: '' - user_info_encrypted_response_alg: '' - user_info_encrypted_response_enc: '' - request_object_signing_alg: '' - request_object_encryption_alg: '' - request_object_encryption_enc: '' - 
default_max_age: null - require_auth_time: false - initiate_login_uri: '' - authorized_origins: [] - access_token_lifetime: null - software_id: '' - software_version: '' - software_statement: '' - custom_attributes: {} diff --git a/docker-jans-client-api/templates/jans.properties.tmpl b/docker-jans-client-api/templates/jans.properties.tmpl index 39b72b3591e..1b5a56bffeb 100644 --- a/docker-jans-client-api/templates/jans.properties.tmpl +++ b/docker-jans-client-api/templates/jans.properties.tmpl @@ -4,6 +4,7 @@ jansAuth_ConfigurationEntryDN=ou=jans-auth,ou=configuration,o=jans fido2_ConfigurationEntryDN=ou=jans-fido2,ou=configuration,o=jans scim_ConfigurationEntryDN=ou=jans-scim,ou=configuration,o=jans configApi_ConfigurationEntryDN=ou=jans-config-api,ou=configuration,o=jans +clientApi_ConfigurationEntryDN=ou=jans-client-api,ou=configuration,o=jans certsDir=/etc/certs confDir=