JanssenProject
diff --git a/‎.github/workflows/build-cloudsql-socket-factory.yml‎
Lines changed: 126 additions & 0 deletions b/‎.github/workflows/build-cloudsql-socket-factory.yml‎
Lines changed: 126 additions & 0 deletions
diff --git a/‎.github/workflows/build-docker-image.yml‎
Lines changed: 28 additions & 0 deletions b/‎.github/workflows/build-docker-image.yml‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎automation/cloudsql-socket-factory/Dockerfile‎
Lines changed: 24 additions & 0 deletions b/‎automation/cloudsql-socket-factory/Dockerfile‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎automation/cloudsql-socket-factory/version.txt‎
Lines changed: 1 addition & 0 deletions b/‎automation/cloudsql-socket-factory/version.txt‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docker-jans-all-in-one/Dockerfile‎
Lines changed: 1 addition & 1 deletion b/‎docker-jans-all-in-one/Dockerfile‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docker-jans-auth-server/Dockerfile‎
Lines changed: 31 additions & 5 deletions b/‎docker-jans-auth-server/Dockerfile‎
Lines changed: 31 additions & 5 deletions
diff --git a/‎docker-jans-auth-server/scripts/bootstrap.py‎
Lines changed: 12 additions & 4 deletions b/‎docker-jans-auth-server/scripts/bootstrap.py‎
Lines changed: 12 additions & 4 deletions
diff --git a/‎docker-jans-auth-server/templates/jans-mysql.properties‎
Lines changed: 1 addition & 1 deletion b/‎docker-jans-auth-server/templates/jans-mysql.properties‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docker-jans-auth-server/templates/jans-pgsql.properties‎
Lines changed: 1 addition & 1 deletion b/‎docker-jans-auth-server/templates/jans-pgsql.properties‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docker-jans-casa/Dockerfile‎
Lines changed: 19 additions & 0 deletions b/‎docker-jans-casa/Dockerfile‎
Lines changed: 19 additions & 0 deletions
@@ -0,0 +1,126 @@
+name: Build and Publish Cloud SQL Socket Factory
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "automation/cloudsql-socket-factory/**"
+  pull_request:
+    branches:
+      - main
+    paths:
+      - "automation/cloudsql-socket-factory/**"
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Cloud SQL Socket Factory version to build (e.g., 1.27.0)'
+        required: false
+        default: ''
+  schedule:
+    - cron: "0 0 * * 0"
+
+permissions:
+  contents: read
+  packages: write
+  id-token: write
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}/cloudsql-socket-factory
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+    outputs:
+      digest: ${{ steps.build.outputs.digest }}
+      version: ${{ steps.version.outputs.version }}
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+        with:
+          egress-policy: audit
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
+
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Get version
+        id: version
+        run: |
+          if [ -n "${{ github.event.inputs.version }}" ]; then
+            VERSION="${{ github.event.inputs.version }}"
+          else
+            VERSION=$(cat automation/cloudsql-socket-factory/version.txt | tr -d '\n')
+          fi
+          if [ -z "$VERSION" ]; then
+            echo "::error::Failed to determine version"
+            exit 1
+          fi
+          echo "version=${VERSION}" >> $GITHUB_OUTPUT
+          echo "Building Cloud SQL Socket Factory version: ${VERSION}"
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
+        with:
+          image: tonistiigi/binfmt:qemu-v8.1.5
+          platforms: all
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+
+      - name: Login to GHCR
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=raw,value=${{ steps.version.outputs.version }}
+            type=raw,value=latest
+
+      - name: Build and push
+        id: build
+        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
+        with:
+          builder: ${{ steps.buildx.outputs.name }}
+          context: automation/cloudsql-socket-factory
+          file: automation/cloudsql-socket-factory/Dockerfile
+          build-args: |
+            CLOUDSQL_SOCKET_FACTORY_VERSION=${{ steps.version.outputs.version }}
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          sbom: true
+          provenance: true
+          cache-from: type=gha,scope=cloudsql-socket-factory
+          cache-to: type=gha,mode=max,scope=cloudsql-socket-factory
+
+      - name: Sign the image with GitHub OIDC Token
+        if: github.event_name != 'pull_request'
+        env:
+          DIGEST: ${{ steps.build.outputs.digest }}
+          TAGS: ${{ steps.meta.outputs.tags }}
+        run: |
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}@${DIGEST} "
+          done
+          if [[ -n $images ]]; then
+            cosign sign --yes -a author=JanssenProject ${images}
+          fi
+
+      - name: Image digest
+        run: echo ${{ steps.build.outputs.digest }}
@@ -46,6 +46,7 @@ jobs:
       packages: write
       id-token: write
     runs-on: ubuntu-latest
+    timeout-minutes: 60
     strategy:
       max-parallel: 8
       matrix:
@@ -188,6 +189,26 @@ jobs:
           sudo python3 ./automation/auto_update_build_date.py
       #END UPDATE BUILD DATES INSIDE THE DOCKERFILE BEFORE BUILDING THE DEV IMAGES TRIGGERED BY JENKINS
 
+      - name: Free disk space
+        if: steps.build_docker_image.outputs.build && steps.prep.outputs.build
+        run: |
+          echo "=== Disk space before cleanup ==="
+          df -h
+          echo "=== Removing pre-installed tools ==="
+          sudo rm -rf /usr/share/dotnet || true
+          sudo rm -rf /opt/ghc || true
+          sudo rm -rf /usr/local/lib/android || true
+          sudo rm -rf /opt/hostedtoolcache/CodeQL || true
+          sudo rm -rf /usr/local/share/boost || true
+          sudo rm -rf /usr/share/swift || true
+          echo "=== Cleaning Docker ==="
+          docker system prune -af --volumes || true
+          echo "=== Cleaning apt cache ==="
+          sudo apt-get clean || true
+          sudo rm -rf /var/lib/apt/lists/* || true
+          echo "=== Disk space after cleanup ==="
+          df -h
+
       - name: Set up QEMU
         if: steps.build_docker_image.outputs.build && steps.prep.outputs.build
         uses: docker/setup-qemu-action@737ba1e397ec2caff0d098f75e1136f9a926dc0a # master
@@ -229,6 +250,13 @@ jobs:
           platforms: linux/amd64, linux/arm64
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.prep.outputs.tags }}
+          cache-from: type=gha,scope=${{ matrix.docker-images }}
+          cache-to: type=gha,mode=max,scope=${{ matrix.docker-images }}
+
+      - name: Prune BuildKit cache
+        if: always()
+        run: docker buildx prune -af --keep-storage 2GB || true
+
       - name: Image digest
         if: steps.build_docker_image.outputs.build && steps.prep.outputs.build
         run: echo ${{ steps.docker_build.outputs.digest }}
 
@@ -0,0 +1,24 @@
+FROM maven:3.9-eclipse-temurin-17 AS builder
+
+ARG CLOUDSQL_SOCKET_FACTORY_VERSION=1.27.0
+
+RUN apt-get update && apt-get install -y --no-install-recommends git \
+    && rm -rf /var/lib/apt/lists/* \
+    && git clone --depth 1 --branch v${CLOUDSQL_SOCKET_FACTORY_VERSION} \
+       https://github.com/GoogleCloudPlatform/cloud-sql-jdbc-socket-factory.git /build
+
+WORKDIR /build
+
+RUN mvn -P jar-with-dependencies clean package -DskipTests -q \
+    && mkdir -p /cloudsql \
+    && cp jdbc/mysql-j-8/target/mysql-socket-factory-connector-j-8-*-jar-with-dependencies.jar /cloudsql/ \
+    && cp jdbc/postgres/target/postgres-socket-factory-*-jar-with-dependencies.jar /cloudsql/
+
+FROM scratch
+
+LABEL org.opencontainers.image.title="Cloud SQL JDBC Socket Factory" \
+      org.opencontainers.image.description="Pre-built Cloud SQL JDBC Socket Factory fat JARs for MySQL and PostgreSQL" \
+      org.opencontainers.image.source="https://github.com/JanssenProject/jans" \
+      org.opencontainers.image.vendor="Janssen Project"
+
+COPY --from=builder /cloudsql/ /cloudsql/
@@ -0,0 +1 @@
+1.27.0
@@ -59,7 +59,7 @@ RUN apk update \
 # Assets sync
 # ===========
 
-ENV JANS_SOURCE_VERSION=4cf1bf2085bbdeab678e51ab3aff34d4c48be96b
+ENV JANS_SOURCE_VERSION=9489a963cde645364b18127548244925f6c7fb43
 
 # note that as we're pulling from a monorepo (with multiple project in it)
 # we are using partial-clone and sparse-checkout to get the assets
 
@@ -1,3 +1,12 @@
+# =================================
+# Cloud SQL JDBC Socket Factory
+# =================================
+# Pre-built fat JARs from GHCR for Cloud SQL connectivity
+FROM ghcr.io/janssenproject/jans/cloudsql-socket-factory:1.27.0 AS cloudsql-libs
+
+# =================================
+# Main Image
+# =================================
 FROM bellsoft/liberica-openjdk-alpine:17.0.17@sha256:0e8ae43555ad8e2d69431c2078df256c01b625a8a3010e76b5a6baff0d165d2c
 
 # ===============
@@ -65,16 +74,31 @@ RUN mkdir -p ${JETTY_BASE}/jans-auth/webapps \
 # ===========
 
 RUN mkdir -p /usr/share/java \
-    ${JETTY_BASE}/jans-auth/_libs
+    ${JETTY_BASE}/jans-auth/_libs \
+    ${JETTY_BASE}/jans-auth/custom/libs
 
 ARG TWILIO_VERSION=7.17.0
 ARG JSMPP_VERSION=2.3.7
 
-RUN wget -q https://repo1.maven.org/maven2/com/twilio/sdk/twilio/${TWILIO_VERSION}/twilio-${TWILIO_VERSION}.jar -P ${JETTY_BASE}/jans-auth/_libs/ \
-    && wget -q https://repo1.maven.org/maven2/org/jsmpp/jsmpp/${JSMPP_VERSION}/jsmpp-${JSMPP_VERSION}.jar -P ${JETTY_BASE}/jans-auth/_libs/ \
-    && for custom_lib in casa-config jans-fido2-client jans-fido2-model agama-inbound jans-lock-service jans-lock-model jans-lock-cedarling cedarling-java; \
+# Copy Cloud SQL Socket Factory fat JARs from builder (includes all dependencies)
+COPY --from=cloudsql-libs /cloudsql/*.jar ${JETTY_BASE}/jans-auth/custom/libs/
+
+# Download other custom libs directly to custom/libs (always available)
+# Using set -e to ensure any failed wget aborts the build
+RUN set -e \
+    && wget -q https://repo1.maven.org/maven2/com/twilio/sdk/twilio/${TWILIO_VERSION}/twilio-${TWILIO_VERSION}.jar -P ${JETTY_BASE}/jans-auth/custom/libs/ \
+    && wget -q https://repo1.maven.org/maven2/org/jsmpp/jsmpp/${JSMPP_VERSION}/jsmpp-${JSMPP_VERSION}.jar -P ${JETTY_BASE}/jans-auth/custom/libs/ \
+    && for custom_lib in casa-config jans-fido2-client jans-fido2-model agama-inbound cedarling-java; \
+    do \
+        wget -nv "https://jenkins.jans.io/maven/io/jans/${custom_lib}/${CN_VERSION}/${custom_lib}-${CN_VERSION}.jar" -P "${JETTY_BASE}/jans-auth/custom/libs" || exit 1; \
+    done
+
+# Download jans-lock JARs to _libs (conditionally copied via Python script when lock is enabled)
+# Using set -e to ensure any failed wget aborts the build
+RUN set -e \
+    && for lock_lib in jans-lock-service jans-lock-model jans-lock-cedarling; \
     do \
-        wget -nv "https://jenkins.jans.io/maven/io/jans/${custom_lib}/${CN_VERSION}/${custom_lib}-${CN_VERSION}.jar" -P "${JETTY_BASE}/jans-auth/_libs"; \
+        wget -nv "https://jenkins.jans.io/maven/io/jans/${lock_lib}/${CN_VERSION}/${lock_lib}-${CN_VERSION}.jar" -P "${JETTY_BASE}/jans-auth/_libs" || exit 1; \
     done
 
 # ===========
@@ -287,6 +311,8 @@ RUN chmod -R g=u ${JETTY_BASE}/jans-auth/custom \
     && chown -R 1000:0 ${JETTY_BASE}/jans-auth/resources \
     && chown -R 1000:0 /opt/jans/python/libs \
     && chown -R 1000:0 ${JETTY_BASE}/common/libs \
+    && chown -R 1000:0 ${JETTY_BASE}/jans-auth/custom/libs \
+    && chmod -R g=u ${JETTY_BASE}/jans-auth/custom/libs \
     && chown -R 1000:0 /usr/share/java \
     && chown -R 1000:0 /opt/prometheus \
     && chown 1000:0 ${JETTY_BASE}/jans-auth/webapps/jans-auth.xml \
 
@@ -176,11 +176,19 @@ def configure_logging():
 def copy_builtin_libs():
     lock_enabled = as_boolean(os.environ.get("CN_LOCK_ENABLED", "false"))
 
-    for src in Path("/opt/jans/jetty/jans-auth/_libs").glob("*.jar"):
-        # skip jans-lock-service and jans-lock-model
-        if lock_enabled is False and src.name.startswith("jans-lock"):
-            continue
+    if not lock_enabled:
+        return
+
+    libs_path = Path("/opt/jans/jetty/jans-auth/_libs")
+    lock_jars = list(libs_path.glob("jans-lock*.jar"))
+
+    if not lock_jars:
+        logger.warning(
+            f"CN_LOCK_ENABLED is true but no jans-lock*.jar files were found in {libs_path}"
+        )
+        return
 
+    for src in lock_jars:
         dst = f"/opt/jans/jetty/jans-auth/custom/libs/{src.name}"
         shutil.copyfile(src, dst)
 
 
@@ -1,6 +1,6 @@
 db.schema.name=%(rdbm_schema)s
 
-connection.uri=jdbc:mysql://%(rdbm_host)s:%(rdbm_port)s/%(rdbm_db)s?enabledTLSProtocols=TLSv1.2
+connection.uri=%(rdbm_connection_uri)s
 
 connection.driver-property.serverTimezone=%(server_time_zone)s
 # Prefix connection.driver-property.key=value will be coverterd to key=value JDBC driver properties
 
@@ -1,6 +1,6 @@
 db.schema.name=%(rdbm_schema)s
 
-connection.uri=jdbc:postgresql://%(rdbm_host)s:%(rdbm_port)s/%(rdbm_db)s
+connection.uri=%(rdbm_connection_uri)s
 
 # Prefix connection.driver-property.key=value will be coverterd to key=value JDBC driver properties
 #connection.driver-property.driverProperty=driverPropertyValu
 
@@ -1,3 +1,12 @@
+# =================================
+# Cloud SQL JDBC Socket Factory
+# =================================
+# Pre-built fat JARs from GHCR for Cloud SQL connectivity
+FROM ghcr.io/janssenproject/jans/cloudsql-socket-factory:1.27.0 AS cloudsql-libs
+
+# =================================
+# Main Image
+# =================================
 FROM bellsoft/liberica-openjre-alpine:17.0.17@sha256:3c9aff2ed178621764dedb95f56e8c881bdd092eec9033d0cad165907836ec22
 
 # ===============
@@ -206,6 +215,14 @@ LABEL org.opencontainers.image.url="ghcr.io/janssenproject/jans/casa" \
     org.opencontainers.image.title="Janssen Casa" \
     org.opencontainers.image.description="Self-service portal for people to manage their account security preferences in the Janssen, like 2FA"
 
+# ===========
+# Custom libs
+# ===========
+
+# Copy Cloud SQL Socket Factory fat JARs from builder (includes all dependencies)
+RUN mkdir -p ${JETTY_BASE}/jans-casa/custom/libs
+COPY --from=cloudsql-libs /cloudsql/*.jar ${JETTY_BASE}/jans-casa/custom/libs/
+
 RUN mkdir -p /opt/jans/python/libs \
     ${JETTY_BASE}/jans-casa/static \
     ${JETTY_BASE}/jans-casa/plugins \
@@ -238,6 +255,8 @@ RUN chmod -R g=u ${JETTY_BASE}/jans-casa/static \
     && chmod -R g=u /etc/jans \
     && chmod 664 /opt/java/lib/security/cacerts \
     && chown -R 1000:0 ${JETTY_BASE}/common/libs \
+    && chown -R 1000:0 ${JETTY_BASE}/jans-casa/custom/libs \
+    && chmod -R g=u ${JETTY_BASE}/jans-casa/custom/libs \
     && chown -R 1000:0 /usr/share/java \
     && chown -R 1000:0 /opt/prometheus \
     && chown 1000:0 ${JETTY_BASE}/jans-casa/webapps/jans-casa.xml \