SRAM deploy roles port

environments/template/group_vars/all.yml

@@ -30,6 +30,8 @@ admin_email: "openconext-admin@example.edu"
 environment_shortname: ""
 environment_ribbon_colour: ""
 
+current_release_appdir: /opt/openconext
+
 httpd_csp:
   lenient: "default-src 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'"
   lenient_with_static_img: "default-src 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' https://{{ static_vhost }} http://localhost:* data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'"

environments/template/group_vars/template.yml

@@ -156,15 +156,15 @@ voot:
     - { name: "voot", level: "DEBUG" }
   externalGroupProviders:
     - {
-        type: "teams",
-        url: "https://teams.{{ base_domain }}/api/voot",
-        credentials: {
-         username: "{{ teams.voot_api_user }}",
-         secret: "{{ external_group_provider_secrets.teams }}"
-        },
-        schacHomeOrganization: "{{ base_domain}}",
-        name: "SURFteams",
-        timeoutMillis: 15000
+          type: "invite",
+          url: "https://invite.{{ base_domain }}/api/external/v1/voot",
+          credentials: {
+              username: "{{ invite.vootuser }}",
+              secret: "{{ invite.vootsecret }}"
+          },
+          schacHomeOrganization: "N/A",
+          name: "Invite",
+          timeoutMillis: 3000
       }
 
 oidc_playground:
@@ -338,6 +338,7 @@ manage:
   features: push, validation, push_preview, orphans, find_my_data, edugain, auto_refresh
   environment: template
   super_user_team_names: "urn:collab:group:test.surfteams.nl:nl:surfnet:diensten:surfconext_tpm_core"
+  sram_rp_entity_id: "sbs.test.sram.surf.nl"
   apiUsers:
     - {
         name: "dashboard",

roles/dashboard/templates/serverapplication.yml.j2

@@ -80,6 +80,7 @@ dashboard.feature.consent={{ dashboard.feature_consent }}
 # Valid choices are 'MOCK', 'PDP' or 'MANAGE', 'MOCK' is for local development
 dashboard.feature.pdpSource={{ dashboard.pdp_source }}
 dashboard.feature.statistics=true
+dashboard.feature.statisticsDown={{ dashboard.feature_statsdown }}
 dashboard.feature.mail={{ dashboard.feature_mail }}
 dashboard.feature.oidc={{ dashboard.feature_oidc }}
 dashboard.feature.stepup={{ dashboard.feature_stepup }}

roles/docker/defaults/main.yml

@@ -8,5 +8,6 @@ docker_apt_gpg_key_checksum: "sha256:1500c1f56fa9e26b9b8f42452a553675796ade0807c
 docker_apt_filename: "docker"
 docker_install_traefik: true
 docker_traefik_ldaps: false
+docker_traefik_version: 3.6.10
 docker_traefik_ports:
   - 0.0.0.0:443:443

roles/docker/tasks/main.yml

@@ -82,7 +82,7 @@
 - name: Create the Traefik loadbalancer
   community.docker.docker_container:
     name: loadbalancer
-    image: traefik:latest
+    image: traefik:{{ docker_traefik_version }}
     published_ports: "{{ docker_traefik_ports }}"
     pull: true
     restart_policy: "always"

roles/engine/defaults/main.yml

@@ -17,6 +17,7 @@ engine_api_feature_consent_remove: 0
 engine_api_feature_metadata_api: 1
 engine_api_feature_deprovision: 1
 engine_feature_send_user_attributes: 0
+engine_feature_enable_sbs_interrupt: 0
 
 # Cutoff point for showing unfiltered IdPs on the WAYF
 engine_wayf_cutoff_point_for_showing_unfiltered_idps: 50
@@ -76,6 +77,13 @@ engine_stepup_gateway_sfo_entity_id: "https://{{ engine_stepup_gateway_domain }}
 # The single sign-on endpoint used for Stepup Gateway SFO callouts
 engine_stepup_gateway_sfo_sso_location: "https://{{ engine_stepup_gateway_domain }}/second-factor-only/single-sign-on"
 
+# SBS interrupt settings
+engine_sbs_attributes_allowed:
+  - 'urn:mace:dir:attribute-def:eduPersonEntitlement'
+  - 'urn:mace:dir:attribute-def:uid'
+  - 'urn:mace:dir:attribute-def:eduPersonPrincipalName'
+  - 'urn:oid:1.3.6.1.4.1.24552.500.1.1.1.13'
+
 ## The minimum priority of messages that will be logged
 engine_logging_passthru_level: NOTICE
 

roles/engine/tasks/main.yml

@@ -208,7 +208,7 @@
       PHP_MEMORY_LIMIT: "{{ engine_php_memory }}"
       APP_ENV: "prod"
       APP_SECRET: "{{ engine_parameters_secret }}"
-      APP_DEBUG: "{{ engine_debug | bool | int }}"
+      APP_DEBUG: "{{ engine_debug | bool | int | string }}"
     etc_hosts:
       host.docker.internal: host-gateway
     mounts:

roles/engine/templates/parameters.yml.j2

@@ -228,6 +228,7 @@ parameters:
   feature_stepup_sfo_override_engine_entityid: {{ engine_feature_stepup_override_entityid | bool | to_json }}
   feature_enable_idp_initiated_flow: {{ engine_feature_idp_initiated_flow | bool | to_json }}
   feature_stepup_send_user_attributes: {{ engine_feature_send_user_attributes | bool | to_json }}
+  feature_enable_sram_interrupt: {{ engine_feature_enable_sbs_interrupt | bool | to_json }}
   ##########################################################################################
   ## PROFILE SETTINGS
   ##########################################################################################
@@ -310,3 +311,15 @@ parameters:
   # used in the authentication log record. The attributeName will be searched in the response attributes and if present
   # the log data will be enriched. The values of the response attributes are the final values after ARP and Attribute Manipulation.
   auth.log.attributes: {{ engine_log_attributes }}
+
+
+  ##########################################################################################
+  ## SBS external authorization/attribute enrichtment
+  ##########################################################################################
+  sram.api_token: "{{ sbs_engine_block_api_token | default('') }}"
+  sram.base_url: "https://{{ sbs_base_domain | default('sbs.example.org') }}/api/users/"
+  sram.authz_location: "authz_eb"
+  sram.attributes_location: "attributes_eb"
+  sram.interrupt_location: "interrupt"
+  sram.verify_peer: true
+  sram.allowed_attributes: {{ engine_sbs_attributes_allowed }}

roles/haproxy/tasks/main.yml

@@ -16,7 +16,7 @@
 - name: Install haproxy and socat
   ansible.builtin.apt:
     name:
-      - "haproxy=3.0.*"
+      - "haproxy"
       - "socat"
       - "git"
     state: "present"
@@ -88,17 +88,6 @@
     group: haproxy
     mode: "0770"
 
-- name: Create combined key and certificate file for HAproxy
-  ansible.builtin.copy:
-    content: >
-      {{ item.key_content }}{{ lookup('file', '{{ inventory_dir }}/files/certs/{{ item.crt_name }}') }}
-    dest: "/etc/haproxy/certs/{{ item.name }}_haproxy.pem"
-    mode: "0600"
-  with_items: "{{ haproxy_sni_ip.certs }}"
-  when: haproxy_sni_ip.certs is defined
-  notify:
-    - "reload haproxy"
-
 - name: Create backend CA directory
   ansible.builtin.file:
     path: "{{ tls_backend_ca | dirname }}"

roles/haproxy/templates/certlist.lst.j2

@@ -3,11 +3,6 @@
 /etc/haproxy/certs/{{ host }}.pem [ocsp-update on]
 {% endfor %}
 {% endif %}
-{% if haproxy_sni_ip.certs is defined %}
-{% for cert in haproxy_sni_ip.certs %}
-/etc/haproxy/certs/{{ cert.name }}_haproxy.pem [ocsp-update on]
-{% endfor %}
-{% endif %}
 {% if haproxy_extra_certs is defined %}
 {% for cert in haproxy_extra_certs %}
 {{ cert }} [ocsp-update on]

roles/haproxy/templates/haproxy_backend.cfg.j2

@@ -67,3 +67,18 @@
   {% endfor %}
 {% endif %}
 {% endfor %}
+
+{% if haproxy_ldap_servers is defined %}
+#---------------------------------------------------------------------
+# ldap backend
+#---------------------------------------------------------------------
+backend ldap_servers
+  mode    tcp
+  option  tcpka
+
+  option ldap-check
+
+  {% for server in haproxy_ldap_servers -%}
+  server {{server.label}} {{server.ip}}:{{server.port}} ssl verify none check weight 10 {% if loop.index==1 %}on-marked-up shutdown-backup-sessions{% else %}backup{% endif %}
+  {% endfor %}
+{% endif %}

roles/haproxy/templates/haproxy_frontend.cfg.j2

@@ -12,8 +12,8 @@ frontend stats
 # -------------------------------------------------------------------
 frontend internet_ip
 
-    bind {{ haproxy_sni_ip.ipv4 }}:443 ssl crt-list /etc/haproxy/maps/certlist.lst ssl crt /etc/haproxy/certs/ no-sslv3 no-tlsv10 no-tlsv11 alpn h2,http/1.1 transparent 
-    bind {{ haproxy_sni_ip.ipv6 }}:443 ssl crt-list /etc/haproxy/maps/certlist.lst ssl crt /etc/haproxy/certs/  no-sslv3 no-tlsv10 no-tlsv11 alpn h2,http/1.1 transparent 
+    bind {{ haproxy_sni_ip.ipv4 }}:443 ssl crt-list /etc/haproxy/maps/certlist.lst ssl crt /etc/haproxy/certs/ no-sslv3 no-tlsv10 no-tlsv11 alpn h2,http/1.1 transparent
+    bind {{ haproxy_sni_ip.ipv6 }}:443 ssl crt-list /etc/haproxy/maps/certlist.lst ssl crt /etc/haproxy/certs/  no-sslv3 no-tlsv10 no-tlsv11 alpn h2,http/1.1 transparent
     bind {{ haproxy_sni_ip.ipv4 }}:80 transparent
     bind {{ haproxy_sni_ip.ipv6 }}:80 transparent
     # Logging is done in the local_ip backend, otherwise all requests are logged twice
@@ -30,7 +30,7 @@ frontend internet_ip
     http-request redirect scheme https code 301 if !{ ssl_fc }
     # Log the user agent in the httplogs
     capture request header User-agent len 256
-    # Put the useragent header in a variable, shared between request and response. 
+    # Put the useragent header in a variable, shared between request and response.
     http-request set-var(txn.useragent) req.fhdr(User-Agent)
     # The ACL below makes sure only supported http methods are allowed
     acl valid_method method {{ haproxy_supported_http_methods }}
@@ -51,7 +51,7 @@ frontend internet_ip
     http-response replace-header Set-Cookie (?i)(^(?!.*samesite).*$) \1;\ SameSite=None if !no_same_site_uas
     # Remove an already present SameSite cookie attribute for unsupported browsers
     http-response replace-value Set-Cookie (^.*)(?i);\ *SameSite=(Lax|Strict|None)(.*$) \1\3 if no_same_site_uas
-    # Log whether the no_same_site_uas ACL has been hit 
+    # Log whether the no_same_site_uas ACL has been hit
     http-request set-header samesitesupport samesite_notsupported if no_same_site_uas
     http-request set-header samesitesupport samesite_supported if !no_same_site_uas
     # We need a dummy backend in order to be able to rewrite the loadbalancer cookies
@@ -66,7 +66,7 @@ frontend local_ip
     acl valid_vhost hdr(host) -f /etc/haproxy/acls/validvhostsunrestricted.acl
     acl staging req.cook(staging) -m str true
     acl staging src -f /etc/haproxy/acls/stagingips.acl
-    acl stagingvhost hdr(host) -i -M -f /etc/haproxy/maps/backendsstaging.map 
+    acl stagingvhost hdr(host) -i -M -f /etc/haproxy/maps/backendsstaging.map
     use_backend %[req.hdr(host),lower,map(/etc/haproxy/maps/backendsstaging.map)] if stagingvhost staging
     use_backend %[req.hdr(host),lower,map(/etc/haproxy/maps/backends.map)]
     option httplog
@@ -82,7 +82,7 @@ frontend local_ip
     http-request capture sc_http_req_rate(0) len 4
     # Create an ACL when the request rate exceeds {{ haproxy_max_request_rate }} per 10s
     acl exceeds_max_request_rate_per_ip sc_http_req_rate(0) gt {{ haproxy_max_request_rate }}
-    # Measure and log the request rate per path and ip 
+    # Measure and log the request rate per path and ip
     http-request track-sc1 base32+src table st_httpreqs_per_ip_and_path
     http-request capture sc_http_req_rate(1) len 4
     # Some paths allow for a higher ratelimit. These are in a seperate mapfile
@@ -96,7 +96,7 @@ frontend local_ip
     http-request deny if ! valid_vhost
     # Deny the request when the request rate exceeds {{ haproxy_max_request_rate }} per 10s
     http-request deny deny_status 429 if exceeds_max_request_rate_per_ip !allowlist
-    # Deny the request when the request rate per host header url path and src ip exceeds {{ haproxy_max_request_rate_ip_path }} per 1 m 
+    # Deny the request when the request rate per host header url path and src ip exceeds {{ haproxy_max_request_rate_ip_path }} per 1 m
     http-request deny deny_status 429 if exceeds_max_request_rate_per_ip_and_path !allowlist
     # Create some http redirects
     {% if haproxy_securitytxt_target_url is defined %}
@@ -111,8 +111,8 @@ frontend local_ip
 ## -------------------------------------------------------------------
 frontend internet_restricted_ip
 
-    bind {{ haproxy_sni_ip_restricted.ipv4 }}:443 ssl crt-list /etc/haproxy/maps/certlist.lst ssl crt /etc/haproxy/certs/ no-sslv3 no-tlsv10 no-tlsv11 alpn h2,http/1.1 transparent 
-    bind {{ haproxy_sni_ip_restricted.ipv6 }}:443 ssl crt-list /etc/haproxy/maps/certlist.lst ssl crt /etc/haproxy/certs/ no-sslv3 no-tlsv10 no-tlsv11 alpn h2,http/1.1 transparent 
+    bind {{ haproxy_sni_ip_restricted.ipv4 }}:443 ssl crt-list /etc/haproxy/maps/certlist.lst ssl crt /etc/haproxy/certs/ no-sslv3 no-tlsv10 no-tlsv11 alpn h2,http/1.1 transparent
+    bind {{ haproxy_sni_ip_restricted.ipv6 }}:443 ssl crt-list /etc/haproxy/maps/certlist.lst ssl crt /etc/haproxy/certs/ no-sslv3 no-tlsv10 no-tlsv11 alpn h2,http/1.1 transparent
     bind {{ haproxy_sni_ip_restricted.ipv4 }}:80 transparent
     bind {{ haproxy_sni_ip_restricted.ipv6 }}:80 transparent
     # Logging is done in the local_ip_restriced backend, otherwise all requests are logged twice
@@ -128,8 +128,8 @@ frontend internet_restricted_ip
     # We redirect all port 80 to port 443
     http-request redirect scheme https code 301 if !{ ssl_fc }
     # Log the user agent in the httplogs
-    capture request header User-agent len 256 
-    # Put the useragent header in a variable, shared between request and response. 
+    capture request header User-agent len 256
+    # Put the useragent header in a variable, shared between request and response.
     http-request set-var(txn.useragent) req.fhdr(User-Agent)
     # The ACL below makes sure only supported http methods are allowed
     acl valid_method method {{ haproxy_supported_http_methods }}
@@ -155,12 +155,12 @@ frontend internet_restricted_ip
 #  frontend restricted ip addresses localhost
 #  traffic coming back from the dummy backend ends up here
 # -------------------------------------------------------------------
-frontend localhost_restricted    
+frontend localhost_restricted
     bind 127.0.0.1:82 accept-proxy
     acl valid_vhost hdr(host) -f /etc/haproxy/acls/validvhostsrestricted.acl
     acl staging req.cook(staging) -m str true
     acl staging src -f /etc/haproxy/acls/stagingips.acl
-    acl stagingvhost hdr(host) -i -M -f /etc/haproxy/maps/backendsstaging.map 
+    acl stagingvhost hdr(host) -i -M -f /etc/haproxy/maps/backendsstaging.map
     use_backend %[req.hdr(host),lower,map(/etc/haproxy/maps/backendsstaging.map)] if stagingvhost staging
     use_backend %[req.hdr(host),lower,map(/etc/haproxy/maps/backends.map)]
     option httplog
@@ -177,7 +177,7 @@ frontend localhost_restricted
     # Create an ACL when the request rate exceeds {{ haproxy_max_request_rate }} per 10s
     acl exceeds_max_request_rate_per_ip sc_http_req_rate(0) gt {{ haproxy_max_request_rate }}
     http-request deny deny_status 429 if exceeds_max_request_rate_per_ip !allowlist
-    # Measure and log the request rate per path and ip 
+    # Measure and log the request rate per path and ip
     http-request track-sc1 base32+src table st_httpreqs_per_ip_and_path
     http-request capture sc_http_req_rate(1) len 4
     # Some paths allow for a higher ratelimit. These are in a seperate mapfile
@@ -191,7 +191,7 @@ frontend localhost_restricted
     http-request deny if ! valid_vhost
     # Deny the request when the request rate exceeds {{ haproxy_max_request_rate }} per 10s
     http-request deny deny_status 429 if exceeds_max_request_rate_per_ip !allowlist
-    # Deny the request when the request rate per host header url path and src ip exceeds {{ haproxy_max_request_rate_ip_path }} per 1 m 
+    # Deny the request when the request rate per host header url path and src ip exceeds {{ haproxy_max_request_rate_ip_path }} per 1 m
     http-request deny deny_status 429 if exceeds_max_request_rate_per_ip_and_path !allowlist
     # Create some http redirects
     {% if haproxy_securitytxt_target_url is defined %}
@@ -201,3 +201,19 @@ frontend localhost_restricted
     http-request redirect location %[base,map_reg(/etc/haproxy/maps/redirects.map)] if { base,map_reg(/etc/haproxy/maps/redirects.map) -m found }
 
 {% endif %}
+
+{% if haproxy_ldap_servers is defined %}
+#--------------------------------------------------------------------
+#  frontend public ips ldap
+# -------------------------------------------------------------------
+listen ldap
+  mode tcp
+  no option dontlognull
+  option tcplog
+  option  logasap
+  timeout client 900s
+  timeout server 901s
+  bind {{ haproxy_sni_ip.ipv4 }}:636 ssl crt-list /etc/haproxy/maps/certlist.lst ssl crt /etc/haproxy/certs/ no-sslv3 no-tlsv10 no-tlsv11 transparent
+  bind {{ haproxy_sni_ip.ipv6 }}:636 ssl crt-list /etc/haproxy/maps/certlist.lst ssl crt /etc/haproxy/certs/ no-sslv3 no-tlsv10 no-tlsv11 transparent
+  use_backend ldap_servers
+{% endif %}

roles/invite/templates/serverapplication.yml.j2

@@ -7,6 +7,7 @@ logging:
     org.springframework.security: WARN
     com.zaxxer.hikari: ERROR
     invite: DEBUG
+    net.javacrumbs.shedlock: DEBUG
 
 server:
   port: 8080
@@ -74,11 +75,13 @@ crypto:
   private-key-location: file:///private_key_pkcs8.pem
 
 cron:
-  user-cleaner-expression: "0 0/30 * * * *"
+  user-cleaner-cron: "PT30M"
+  user-cleaner-cron-initial-delay: "PT10M"
   user-cleaner-lock-at-least-for: "PT5M"
   user-cleaner-lock-at-most-for: "PT28M"
   last-activity-duration-days: 1000
-  role-expiration-notifier-expression: "0 0/30 * * * *"
+  role-expiration-notifier-cron: "PT30M"
+  role-expiration-notifier-cron-initial-delay: "PT15M"
   # Set to -1 to suppress role expiry notifications
   role-expiration-notifier-duration-days: 5
   role-expiration-notifier-lock-at-least-for: "PT5M"
@@ -87,7 +90,7 @@ cron:
   metadata-resolver-fixed-rate-milliseconds: 86_400_000
   metadata-resolver-url: "https://metadata.{{ base_domain }}/idps-metadata.xml"
   # A value of 0 means no logs will be deleted
-  purge-audit-log-days: 365
+  purge-audit-log-days: 0
   # A value of 0 means no invitations will be deleted
   purge-expired-invitations-days: 365
 
@@ -158,6 +161,7 @@ external-api-configuration:
       password: "{{ invite_attribute_aggregation_secret }}"
       scopes:
         - attribute_aggregation
+        - crm
     - username: {{ invite.lifecycle_user }}
       password: "{{ invite.lifecycle_secret }}"
       scopes:

roles/mailpit/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+mailpit_image: "axllent/mailpit"
+mailpit_hostname: "mailpit.{{ base_domain }}"
+mailpit_user: "mailpit"
+mailpit_group: "mailpit"