Create issuer for the CHTC origin

Author: bbockelm

opensciencegrid/osdf-chtc-issuer/Dockerfile

@@ -0,0 +1,104 @@
+FROM hub.opensciencegrid.org/opensciencegrid/software-base:3.6-el8-release
+
+RUN yum install -y curl java-11-openjdk java-11-openjdk-devel
+
+# Download and install tomcat
+RUN useradd -r -s /sbin/nologin tomcat ;\
+mkdir -p /opt/tomcat ;\
+curl -s -L https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.69/bin/apache-tomcat-9.0.69.tar.gz | tar -zxf - -C /opt/tomcat --strip-components=1 ;\
+chgrp -R tomcat /opt/tomcat/conf ;\
+chmod g+rwx /opt/tomcat/conf ;\
+chmod g+r /opt/tomcat/conf/* ;\
+chown -R tomcat /opt/tomcat/logs/ /opt/tomcat/temp/ /opt/tomcat/webapps/ /opt/tomcat/work/ ;\
+chgrp -R tomcat /opt/tomcat/bin /opt/tomcat/lib ;\
+chmod g+rwx /opt/tomcat/bin ;\
+chmod g+r /opt/tomcat/bin/*
+
+ADD server.xml /opt/tomcat/conf/server.xml
+RUN chgrp -R tomcat /opt/tomcat/conf/server.xml ;\
+chmod go+r /opt/tomcat/conf/server.xml
+
+ARG TOMCAT_ADMIN_USERNAME=admin
+ARG TOMCAT_ADMIN_PASSWORD=password
+ADD tomcat-users.xml.tmpl /opt/tomcat/conf/tomcat-users.xml.tmpl
+RUN sed s+TOMCAT_ADMIN_USERNAME+${TOMCAT_ADMIN_USERNAME}+g /opt/tomcat/conf/tomcat-users.xml.tmpl | sed s+TOMCAT_ADMIN_PASSWORD+${TOMCAT_ADMIN_PASSWORD}+g > /opt/tomcat/conf/tomcat-users.xml ;\
+chgrp tomcat /opt/tomcat/conf/tomcat-users.xml
+
+ARG TOMCAT_ADMIN_IP=127.0.0.1
+ADD manager.xml.tmpl /opt/tomcat/conf/Catalina/localhost/manager.xml.tmpl
+RUN sed s+TOMCAT_ADMIN_IP+${TOMCAT_ADMIN_IP}+g /opt/tomcat/conf/Catalina/localhost/manager.xml.tmpl > /opt/tomcat/conf/Catalina/localhost/manager.xml ;\
+chgrp -R tomcat  /opt/tomcat/conf/Catalina
+
+COPY --chown=tomcat:tomcat scitokens-server /opt
+#COPY target/oauth2.war /opt/tomcat/webapps/scitokens-server.war
+RUN \
+curl -s -L https://github.com/ncsa/OA4MP/releases/download/v5.2.9.0/oauth2.war > /opt/tomcat/webapps/scitokens-server.war ;\
+mkdir -p /opt/tomcat/webapps/scitokens-server ;\
+cd /opt/tomcat/webapps/scitokens-server ;\
+jar -xf ../scitokens-server.war ;\
+chgrp -R tomcat /opt/tomcat/webapps/scitokens-server ;\
+mkdir -p /opt/tomcat/var/storage/scitokens-server ;\
+chown -R tomcat:tomcat /opt/tomcat/var/storage/scitokens-server ;\
+rm -rf /opt/tomcat/webapps/ROOT /opt/tomcat/webapps/docs /opt/tomcat/webapps/examples /opt/tomcat/webapps/host-manager /opt/tomcat/webapps/manager
+COPY --chown=tomcat:tomcat scitokens-server/web.xml /opt/tomcat/webapps/scitokens-server/WEB-INF/web.xml
+RUN chmod 644 /opt/tomcat/webapps/scitokens-server/WEB-INF/web.xml
+
+# need to put the java mail jar into the tomcat lib directory
+RUN curl -s -L https://github.com/javaee/javamail/releases/download/JAVAMAIL-1_6_2/javax.mail.jar > /opt/tomcat/lib/javax.mail.jar
+
+# Make JWK a volume mount
+RUN mkdir -p /opt/scitokens-server/bin && mkdir -p /opt/scitokens-server/etc && mkdir -p /opt/scitokens-server/etc/templates && mkdir -p /opt/scitokens-server/lib && mkdir -p /opt/scitokens-server/log && mkdir -p /opt/scitokens-server/var/qdl/scitokens && mkdir -p /opt/scitokens-server/var/storage/file_store
+
+# Make server configuration a volume mount
+ADD scitokens-server/etc/server-config.xml /opt/scitokens-server/etc/server-config.xml.tmpl
+ADD scitokens-server/etc/proxy-config.xml /opt/scitokens-server/etc/proxy-config.xml.tmpl
+
+ADD scitokens-server/bin/scitokens-cli /opt/scitokens-server/bin/scitokens-cli
+#COPY target/oa2-cli.jar /opt/scitokens-server/lib/scitokens-cli.jar
+RUN \
+curl -L -s https://github.com/ncsa/OA4MP/releases/download/v5.2.9.0/oa2-cli.jar >/opt/scitokens-server/lib/scitokens-cli.jar ;\
+chmod +x /opt/scitokens-server/bin/scitokens-cli
+
+ADD scitokens-server/etc/templates/client-template.xml /opt/scitokens-server/etc/templates/client-template.xml
+ADD scitokens-server/var/qdl/scitokens/ospool.qdl /opt/scitokens-server/var/qdl/scitokens/ospool.qdl
+ADD scitokens-server/var/qdl/scitokens/comanage.qdl.tmpl /opt/scitokens-server/var/qdl/scitokens/comanage.qdl.tmpl
+RUN chgrp tomcat /opt/scitokens-server/var/qdl/scitokens/ospool.qdl /opt/scitokens-server/var/qdl/scitokens/comanage.qdl.tmpl
+RUN ln -s /usr/lib64/libapr-1.so.0 /opt/tomcat/lib/libapr-1.so.0
+
+# QDL support 21-01-2021
+RUN curl -L -s https://github.com/ncsa/OA4MP/releases/download/v5.2.9.0/oa2-qdl-installer.jar >/tmp/oa2-qdl-installer.jar ;\
+java -jar /tmp/oa2-qdl-installer.jar -dir /opt/qdl
+
+RUN  mkdir -p /opt/qdl/var/scripts
+
+ADD qdl/etc/qdl.properties /opt/qdl/etc/qdl.properties
+ADD qdl/etc/qdl-cfg.xml /opt/qdl/etc/qdl-cfg.xml
+
+ADD qdl/var/scripts/boot.qdl /opt/qdl/var/scripts/boot.qdl
+RUN chmod +x /opt/qdl/var/scripts/boot.qdl
+
+ADD qdl/bin/qdl /opt/qdl/bin/qdl
+RUN chmod +x /opt/qdl/bin/qdl
+
+ADD qdl/bin/qdl-run /opt/qdl/bin/qdl-run
+RUN chmod +x /opt/qdl/bin/qdl-run
+# END QDL support
+
+# Add CHTC custom CA to trust store
+COPY tiger-ca.pem /opt/scitokens-server/tiger-ca.pem
+RUN keytool -import -alias tigerca -file /opt/scitokens-server/tiger-ca.pem -cacerts -trustcacerts -noprompt -storepass changeit;\
+rm /opt/scitokens-server/tiger-ca.pem
+
+ENV JAVA_HOME=/usr/lib/jvm/jre
+ENV CATALINA_PID=/opt/tomcat/temp/tomcat.pid
+ENV CATALINA_HOME=/opt/tomcat
+ENV CATALINA_BASE=/opt/tomcat
+ENV CATALINA_OPTS="-Xms512M -Xmx1024M -server -XX:+UseParallelGC"
+ENV JAVA_OPTS="-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Djava.library.path=/opt/tomcat/lib"
+ENV ST_HOME="/opt/scitokens-server"
+ENV QDL_HOME="/opt/qdl"
+ENV PATH="${ST_HOME}/bin:${QDL_HOME}/bin:${PATH}"
+
+#RUN "${QDL_HOME}/var/scripts/boot.qdl"
+ADD start.sh /start.sh
+CMD ["/start.sh"]

opensciencegrid/osdf-chtc-issuer/manager.xml.tmpl

@@ -0,0 +1,5 @@
+<Context privileged="true" antiResourceLocking="false"
+         docBase="${catalina.home}/webapps/manager">
+    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|TOMCAT_ADMIN_IP" />
+</Context>
+

opensciencegrid/osdf-chtc-issuer/qdl/bin/qdl

@@ -0,0 +1,9 @@
+# The script to invoke the QDL interpreter.
+CFG_FILE="$QDL_HOME/etc/qdl-cfg.xml"
+CFG_NAME="oa2-dev"
+QDL_JAR="$QDL_HOME/lib/qdl.jar"
+
+cfgFile=${1:-$CFG_FILE}
+cfgName=${2:-$CFG_NAME}
+
+java -cp $QDL_JAR edu.uiuc.ncsa.qdl.workspace.QDLWorkspace -cfg  $cfgFile -name $cfgName -home_dir $QDL_HOME

opensciencegrid/osdf-chtc-issuer/qdl/bin/qdl-run

@@ -0,0 +1,7 @@
+# The script to invoke the QDL interpreter.
+
+CFG_FILE="$QDL_HOME/etc/qdl-cfg.xml"
+CFG_NAME="run-it"
+QDL_JAR="$QDL_HOME/lib/qdl.jar"
+
+java -cp $QDL_JAR edu.uiuc.ncsa.qdl.workspace.QDLWorkspace -cfg  $CFG_FILE -name $CFG_NAME -home_dir $QDL_HOME -run "$@"

opensciencegrid/osdf-chtc-issuer/qdl/etc/qdl-cfg.xml

@@ -0,0 +1,109 @@
+<config>
+    <qdl name="oa2-dev"
+            enabled="true"
+            server_mode="false"
+            numeric_digits="15"
+            compressOn="false"
+            script_path="vfs#/scripts/"
+            module_path="/opt/qdl/var/modules/">
+           <workspace verbose="true"
+                      echoModeOn="true"
+                      autosaveOn="true"
+                      editor_name="line"
+                      use_editor="true"
+                      save_dir="/opt/qdl/var/ws"
+                      showBanner = "false"
+                      autosaveInterval="300000"
+                      prettyPrint="true">
+               <home_dir>/opt/qdl</home_dir>
+               <env>etc/qdl.properties</env>
+           </workspace>
+
+           <editors>
+              <editor
+                 name="nano"
+                 exec="/bin/nano"/>
+               <editor
+                  name="vi"
+                  exec="/bin/vi"/>
+           </editors>
+            <logging
+                   logFileName="/opt/qdl/log/qdl.log"
+                   logName="qdl"
+                   disableLog4j="true"
+                   logSize="100000"
+                   logFileCount="2"
+                   debug="true"/>
+        <virtual_file_systems>
+               <vfs type="pass_through"
+                    access="rw">
+                   <root_dir>/opt/scitokens-server/var/qdl</root_dir>
+                   <scheme><![CDATA[vfs]]></scheme>
+                   <mount_point>/scripts</mount_point>
+               </vfs>
+        </virtual_file_systems>
+        <modules>
+            <module type="java"
+                    import_on_start="true">
+                <class_name>edu.uiuc.ncsa.myproxy.oa4mp.qdl.OA2QDLLoader</class_name>
+            </module>
+            <module type="java"
+                    import_on_start="true">
+                <class_name>edu.uiuc.ncsa.oa2.qdl.QDLToolsLoader</class_name>
+            </module>
+            <module type="java"
+                    import_on_start="false">
+                <class_name>edu.uiuc.ncsa.oa2.qdl.storage.StoreAccessLoader</class_name>
+            </module>
+            <module type="qdl"
+                 import_on_start="true">
+                 <path>/opt/qdl/etc/modules/math-x.mdl</path>
+            </module>
+            <module type="qdl"
+                  import_on_start="true">
+                 <path>/opt/qdl/etc/modules/ext.mdl</path>
+            </module>
+        </modules>
+
+    </qdl>
+    <qdl name="run-it"
+            enabled="true"
+            server_mode="false">
+           <workspace verbose="false"
+                      echoModeOn="false"
+                      prettyPrint="false">
+               <home_dir>/opt/qdl</home_dir>
+               <env>etc/qdl.properties</env>
+           </workspace>
+
+            <logging
+                   logFileName="/opt/qdl/log/qdl.log"
+                   logName="qdl"
+                   disableLog4j="true"
+                   logSize="100000"
+                   logFileCount="2"
+                   debug="false"/>
+           <modules>
+               <module type="java"
+                       import_on_start="true">
+                   <class_name>edu.uiuc.ncsa.myproxy.oa4mp.qdl.OA2QDLLoader</class_name>
+               </module>
+               <module type="java"
+                       import_on_start="true">
+                   <class_name>edu.uiuc.ncsa.oa2.qdl.QDLToolsLoader</class_name>
+               </module>
+               <module type="java"
+                       import_on_start="false">
+                   <class_name>edu.uiuc.ncsa.oa2.qdl.storage.StoreAccessLoader</class_name>
+               </module>
+               <module type="qdl"
+                    import_on_start="true">
+                    <path>/opt/qdl/etc/modules/math-x.mdl</path>
+               </module>
+               <module type="qdl"
+                     import_on_start="true">
+                    <path>/opt/qdl/etc/modules/ext.mdl</path>
+               </module>
+           </modules>
+    </qdl>
+</config>

opensciencegrid/osdf-chtc-issuer/qdl/etc/qdl.properties

@@ -0,0 +1,2 @@
+#Environment saved to "/opt/qdl/etc/qdl.properties"
+#Basic properties file. This can be empty

opensciencegrid/osdf-chtc-issuer/qdl/nano

@@ -0,0 +1 @@
+include /opt/qdl/etc/qdl.nanorc-2.3.1

opensciencegrid/osdf-chtc-issuer/qdl/var/scripts/boot.qdl

@@ -0,0 +1,59 @@
+#! /usr/bin/env qdl-run
+
+/*
+   Boot script in QDL to set up a new OA4MP issuer install. This is run exactly
+   once before the system is started the first time. This will read in all the
+   template files for clients in ${ST_HOME}/etc/templates and ingest them into
+   OA4MP's client store.
+*/
+
+assert[is_defined(os_env().'ST_HOME')]['Environment variable ST_HOME is not defined. Exiting...'];
+
+st_home := os_env().'ST_HOME'; // get the scitokens home directory from the environment
+// normalize the path. If it ends in a /, drop it for later use in strings.
+st_home := '.*/' =~ st_home?substring(st_home,0,size(st_home)-1):st_home;
+template_dir := st_home + '/etc/templates';
+/*
+    Set up access to the client store using the current server configuration.
+*/
+module_import('oa2:/qdl/store', 'clients');
+clients#init(st_home+'/etc/server-config.xml', 'scitokens-server', 'client');
+
+
+files. := dir(template_dir);
+if[
+   size(files.) == 0
+ ][
+   say('(no templates.)');
+   return();
+];
+
+files. := ~mask(files.,   '.*xml' =~ files.); // regex match on those that end in .xml
+say('processing ' + size(files.) + ' templates from ' + template_dir);
+
+while[
+   for_next(t, files.)
+ ][
+   template. := clients#from_xml(file_read(template_dir + '/' + t));
+   if[
+      !is_defined(template.'client_id')
+   ][
+      say('warning -- file "' + t + '" is not a client template. skipping');
+   ]else[
+   // At this point we don't want to just overwrite an existing template since
+   // there may be customizations that the admin has added.
+     if[
+          size(clients#read(template.'client_id')) == 0
+        ][
+          clients#save(template.);
+        ]else[
+          say('Warning, but "' + t + '" already exists in the store. Update it manually. Skipping');
+       ];
+   ];
+]; // end while
+
+say('done!');
+
+
+
+

opensciencegrid/osdf-chtc-issuer/scitokens-server/bin/create_keys

@@ -0,0 +1 @@
+java -jar /opt/scitokens-server/lib/jwt.jar -batch create_keys -single -o

opensciencegrid/osdf-chtc-issuer/scitokens-server/bin/scitokens-cli

@@ -0,0 +1,37 @@
+# Run the OA4MP command processor. This will allow you to edit, create or remove
+# clients, approvals, users and archived users. You can also reset the counter and do copy
+# operations from one store to another
+#
+# The next 5 entries completely determine how this operates. Change these to whatever you want if
+# different from the standard install.
+
+OA2_ROOT=/opt/scitokens-server
+DEFAULT_CONFIG=$OA2_ROOT/etc/server-config.xml
+DEFAULT_TARGET=scitokens-server
+oa2jar=$OA2_ROOT/lib/scitokens-cli.jar
+logFile=$OA2_ROOT/var/log/scitokens--cli.log
+DEFAULT_ENV=$OA2_ROOT/etc/cli.properties
+
+# End of user serviceable parts.
+
+if [[  "$1" = "--help" || $# -gt 2 ]];then
+  echo "scitokens-server-cli [configName configFile environment"]
+  echo "Start the OA4MP for OAuth2 command line admin tool with the"
+  echo "given configuration name in the given configuration file (full path)."
+  echo "No arguments means to use the config named '$DEFAULT_TARGET' in the file  '$DEFAULT_CONFIG'" 
+  echo "and to try and load the '$DEFAULT_ENV' as the environment."
+  echo "One argument is assumed to be the configuration name in the default config file."
+  exit 1
+fi
+
+target=${1:-$DEFAULT_TARGET}
+adminCfg=${2:-$DEFAULT_CONFIG}
+env=${3:-$DEFAULT_ENV}
+
+java -jar $oa2jar -cfg $adminCfg -name $target -log $logFile  -v -set_env $env
+
+if [ $? != 0 ]; then
+  exit 1
+fi
+
+exit 0

opensciencegrid/osdf-chtc-issuer/scitokens-server/etc/proxy-config.xml

@@ -0,0 +1,24 @@
+<config>
+    <client name="proxy-client">
+        <logging
+                logFileName="/tmp/oa4mp-oauth2-fs-client.xml"
+                logName="oa4mp"
+                logSize="100000"
+                logFileCount="2"
+                debug="true"/>
+        <id>{CLIENT_ID}</id>
+        <secret>{CLIENT_SECRET}</secret>
+        <callbackUri>https://{HOSTNAME}/scitokens-server/ready</callbackUri>
+        <serviceUri>https://cilogon.org/oauth2</serviceUri>
+        <authorizeUri>https://cilogon.org/authorize</authorizeUri>
+        <wellKnownUri>https://cilogon.org/oauth2/.well-known/openid-configuration</wellKnownUri>
+        <scopes>
+            <scope>email</scope>
+            <scope>openid</scope>
+            <scope>profile</scope>
+            <scope>org.cilogon.userinfo</scope>
+        </scopes>
+        <memoryStore><assetStore/></memoryStore>
+    </client>
+
+</config>