Fix SRAM devconf config

Author: mrvanes

core/docker-compose.yml

@@ -116,7 +116,7 @@ services:
     hostname: mujina.docker
 
   managegui:
-    image: ghcr.io/openconext/openconext-manage/manage-gui:7.4.9
+    image: ghcr.io/openconext/openconext-manage/manage-gui:latest
     environment:
       HTTPD_CSP: ""
       HTTPD_SERVERNAME: "manage.dev.openconext.local"
@@ -138,7 +138,7 @@ services:
         condition: service_healthy
 
   manageserver:
-    image: ghcr.io/openconext/openconext-manage/manage-server:7.4.9
+    image: ghcr.io/openconext/openconext-manage/manage-server:latest
     environment:
       USE_SYSTEM_CA_CERTS: true
     volumes:

core/engine/docker-compose.override.yml

@@ -1,11 +1,18 @@
 ---
+# This configuration uses a sub-mount for ./engine/parameters.yml
+# Make sure to NEVER write to parameters.yml in ${ENGINE_CODE_PATH} after starting
+# the container. It will destroy the sub-mount!!
 services:
   engine:
     image: ghcr.io/openconext/openconext-basecontainers/${ENGINE_PHP_IMAGE:-php72-apache2-node14-composer2:latest}
     volumes:
       - ${ENGINE_CODE_PATH}:/var/www/html
+      - ./engine/parameters.yml:/var/www/html/app/config/parameters.yml
       - ./engine/appconf.conf:/etc/apache2/sites-enabled/appconf.conf
     environment:
       - APP_ENV=${APP_ENV:-dev}
-      # - SYMFONY_ENV=${APP_ENV:-dev}
+      - SYMFONY_ENV=${APP_ENV:-dev}
       - APP_DEBUG=1
+    healthcheck:
+      test: ["CMD", "true"]
+      interval: 10s

core/engine/parameters.yml

@@ -0,0 +1,151 @@
+# This file is auto-generated during the composer install
+parameters:
+    secret: secret
+    domain: dev.openconext.local
+    hostname: engine.dev.openconext.local
+    trusted_proxies:
+        - 192.168.1.1
+        - 10.0.0.1
+    enabled_languages:
+        - nl
+        - en
+    attribute_definition_file_path: '%kernel.project_dir%/application/configs/attributes.json'
+    encryption_keys:
+        default:
+            publicFile: /config/engine/engineblock.crt
+            privateFile: /config/engine/engineblock.pem
+    forbidden_signature_methods: {  }
+    allowed_acs_location_schemes:
+        - http
+        - https
+    metadata_add_requested_attributes: all
+    php_settings:
+        memory_limit: 256M
+        display_errors: '1'
+        error_reporting: '6135'
+        date.timezone: Europe/Amsterdam
+        sendmail_from: 'OpenConext EngineBlock <openconext-engineblock@openconext.org>'
+    http_client.timeout: 60
+    api.users.metadataPush.username: manage
+    api.users.metadataPush.password: secret
+    api.users.profile.username: profile
+    api.users.profile.password: secret
+    api.users.deprovision.username: lifecycle
+    api.users.deprovision.password: secret
+    pdp.host: 'https://pdp.dev.openconext.local'
+    pdp.username: pdp_admin
+    pdp.password: secret
+    pdp.client_id: EngineBlock
+    pdp.policy_decision_point_path: /pdp/api/decide/policy
+    attribute_aggregation.base_url: 'https://aa.dev.openconext.local/internal/attribute/aggregation'
+    attribute_aggregation.username: eb
+    attribute_aggregation.password: secret
+    logger.channel: engineblock
+    logger.fingers_crossed.passthru_level: NOTICE
+    logger.fingers_crossed.action_level: ERROR
+    logger.line_format: '[%%datetime%%] %%channel%%.%%level_name%%: %%message%% %%extra%% %%context%%'
+    database.host: mariadb
+    database.port: '3306'
+    database.user: ebrw
+    database.password: secret
+    database.dbname: eb
+    database.test.host: mariadb
+    database.test.port: '3306'
+    database.test.user: ebrw
+    database.test.password: secret
+    database.test.dbname: eb
+    engineblock.metadata_push_memory_limit: 256M
+    minimum_execution_time_on_invalid_received_response: 5000
+    addgueststatus_guestqualifier: 'urn:collab:org:dev.openconext.local'
+    cookie.path: /
+    cookie.secure: true
+    cookie.locale.domain: .dev.openconext.local
+    cookie.locale.expiry: 5184000
+    cookie.locale.http_only: false
+    cookie.locale.secure: true
+    view_default_title: OpenConext
+    view_default_header: OpenConext
+    view_default_logo: /images/logo.png
+    view_default_logo_width: 96
+    view_default_logo_height: 96
+    env_name: ''
+    env_ribbon_color: ''
+    ui_return_to_sp_link: false
+    email_request_access_address: help@example.org
+    monitor_database_health_check_query: 'SELECT uuid FROM user LIMIT 1;'
+    wayf.cutoff_point_for_showing_unfiltered_idps: 50
+    wayf.remember_choice: false
+    wayf.display_default_idp_banner_on_wayf: true
+    wayf.default_idp_entity_id: 'https://default-idp.dev.openconext.local'
+    global.site_notice.show: false
+    global.site_notice.allowed.tags: '<a><u><i><br><wbr><strong><em><blink><marquee><p><ul><ol><dl><li><dd><dt><div><span><blockquote><hr><h2></h2><h3><h4><h5><h6>'
+    time_frame_for_authentication_loop_in_seconds: 60
+    maximum_authentication_procedures_allowed: 5
+    maximum_authentications_per_session: 5
+    consent_store_values: true
+    email_idp_debugging:
+        from:
+            name: 'OpenConext EngineBlock'
+            address: no-reply@example.org
+        to:
+            address: coin-logs-dev@list.surfnet.nl
+            name: 'OpenConext Admin'
+        subject: 'IdP debug info from %%1$s'
+    mailer_transport: smtp
+    mailer_host: localhost
+    mailer_port: '25'
+    mailer_user: ''
+    mailer_password: ''
+    feature_eb_encrypted_assertions: true
+    feature_eb_encrypted_assertions_require_outer_signature: true
+    feature_api_metadata_push: true
+    feature_api_consent_listing: true
+    feature_api_consent_remove: true
+    feature_api_metadata_api: true
+    feature_api_deprovision: true
+    feature_run_all_manipulations_prior_to_consent: false
+    feature_block_user_on_violation: false
+    feature_enable_consent: true
+    feature_stepup_sfo_override_engine_entityid: false
+    feature_enable_idp_initiated_flow: true
+    feature_enable_sram_interrupt: true
+    profile_base_url: 'https://profile.dev.openconext.local'
+    stepup.authn_context_class_ref_blacklist_regex: '/http:\/\/vm\.openconext\.org\/assurance\/loa[1-3]/'
+    stepup.loa.mapping:
+        10:
+            engineblock: 'http://dev.openconext.local/assurance/loa1'
+            gateway: 'http://dev.openconext.local/assurance/loa1'
+        15:
+            engineblock: 'http://dev.openconext.local/assurance/loa1_5'
+            gateway: 'http://dev.openconext.local/assurance/loa1_5'
+        20:
+            engineblock: 'http://dev.openconext.local/assurance/loa2'
+            gateway: 'http://dev.openconext.local/assurance/loa2'
+        30:
+            engineblock: 'http://dev.openconext.local/assurance/loa3'
+            gateway: 'http://dev.openconext.local/assurance/loa3'
+    stepup.loa.loa1: 'http://dev.openconext.local/assurance/loa1'
+    stepup.gateway.sfo.entity_id: 'https://gateway.dev.openconext.local/second-factor-only/metadata'
+    stepup.gateway.sfo.sso_location: 'https://gateway.dev.openconext.local/second-factor-only/single-sign-on'
+    stepup.gateway.sfo.key_file: /config/engine/engineblock.crt
+    stepup.sfo.override_engine_entityid: ''
+    theme.name: skeune
+    feature_enable_sso_notification: false
+    sso_notification_encryption_algorithm: AES-256-CBC
+    sso_notification_encryption_key: '<xxx>'
+    sso_notification_encryption_key_salt: '<xxx>'
+    feature_enable_sso_session_cookie: false
+    sso_session_cookie_max_age: 0
+    auth.log.attributes: {  }
+
+    sram.api_token: secret
+    sram.base_url: 'https://sbs.dev.openconext.local/api/users/'
+    sram.authz_location: authz_eb
+    sram.attributes_location: attributes_eb
+    sram.interrupt_location: interrupt
+    sram.verify_peer: false
+    sram.allowed_attributes:
+        - 'urn:mace:dir:attribute-def:eduPersonEntitlement'
+        - 'urn:mace:dir:attribute-def:uid'
+        - 'urn:mace:dir:attribute-def:eduPersonPrincipalName'
+        - 'urn:oid:1.3.6.1.4.1.24552.500.1.1.1.13'

core/manage/manage-api-users.yml

@@ -1,27 +1,20 @@
 ---
 apiUsers:
-  - {
-    name: "dashboard",
-    password: "secret",
+  - name: "dashboard"
+    password: "secret"
     scopes: [ READ, CHANGE_REQUEST_SP,CHANGE_REQUEST_IDP, TEST, POLICIES ]
-  }
-  - {
-    name: "pdp",
-    password: "secret",
+  - name: "pdp"
+    password: "secret"
     scopes: [READ]
-  }
-  - {
-    name: "stats",
-    password: "secret",
+  - name: "stats"
+    password: "secret"
     scopes: [READ]
-  }
-  - {
-    name: "sp-dashboard",
-    password: "secret",
+  - name: "sp-dashboard"
+    password: "secret"
     scopes: [ READ, WRITE_SP, PUSH, CHANGE_REQUEST_SP, TEST ]
-  }
-  - {
-    name: "sysadmin",
-    password: "secret",
+  - name: "sysadmin"
+    password: "secret"
+    scopes: [ READ, WRITE_IDP, WRITE_SP, PUSH, SYSTEM ]
+  - name: "sram"
+    password: "secret"
     scopes: [ READ, WRITE_IDP, WRITE_SP, PUSH, SYSTEM ]
-  }

core/sbs/config/config.yml

@@ -15,6 +15,9 @@ redis:
 
 socket_url: 0.0.0.0:8080/
 
+logging:
+  log_to_stdout: True
+
 api_users:
   - name: "sysadmin"
     password: "secret"
@@ -40,6 +43,7 @@ oidc:
   #Note that the paths for these  uri's is hardcoded and only domain and port differ per environment
   redirect_uri: http://http://sbs.dev.openconext.local/api/users/resume-session
   continue_eduteams_redirect_uri: http://sbs.dev.openconext.local/continue
+  continue_eb_redirect_uri: https://engine.(.*)openconext.local
   second_factor_authentication_required: True
   totp_token_name: "SRAM local"
   # The client_id of SBS. Most likely to equal the oidc.client_id
@@ -87,10 +91,11 @@ mail:
   environment: local
 
 manage:
-  enabled: false
-  base_url: ""
-  user: ""
-  password: ""
+  enabled: true
+  base_url: "https://manage.dev.openconext.local/"
+  user: "sram"
+  password: "secret"
+  verify_peer: False
 
 aup:
   version: 1
@@ -255,3 +260,13 @@ rate_limit_totp_guesses_per_30_seconds: 10
 excluded_user_accounts:
   - uid: "urn:paul"
   - uid: "urn:peter"
+
+stress_test:
+  num_users: 1
+  num_orgs: 1
+  num_collaborations: 2
+  num_services: 1
+  num_groups: 1
+
+engine_block:
+  api_token: secret

core/sbs/docker-compose.override.yml

@@ -30,7 +30,10 @@ services:
       timeout: 5s
       retries: 10
     hostname: sbs-client.docker
-    command: "yarn start"
+    command:
+      - "sh"
+      - "-c"
+      - "yarn install && yarn build --disable-warning && yarn start"
     profiles:
       - "sbs"