ID-4179: flytte til eige repo for norsk eu-eidas-proxy (#1)

* ID-4179: flytte til eige repo for norsk eu-eidas-proxy
* ID-4179: CVEs ignored
* use contextpath for now

.github/dependabot.yml

@@ -0,0 +1,28 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+#registries:
+#  maven-github:
+#    type: maven-repository
+#    url: https://maven.pkg.github.com/felleslosninger
+#    username: ${{secrets.MAVEN_USER}}
+#    password: ${{secrets.MAVEN_PASSWORD}}
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/.github"
+    schedule:
+      interval: "daily"
+  - package-ecosystem: "docker"
+    directory: "/docker"
+    schedule:
+      interval: "daily"
+#  - package-ecosystem: "maven"
+#    directory: "/" # Location of package manifests
+#    registries:
+#      - maven-github
+#    schedule:
+#      interval: "daily"
+#    open-pull-requests-limit: 10

.github/workflows/call-buildimage.yml

@@ -0,0 +1,104 @@
+
+name: Build/publish Docker image
+
+on:
+  push:
+    branches: [ main ]
+    paths-ignore:
+      - 'src/test/**'
+      - 'docker-compose.yaml'
+      - '*.md'
+      - 'LICENSE'
+
+jobs:
+  build-image:
+    runs-on: ubuntu-latest
+    env:
+      IMAGE_NAME: ${{ secrets.REGISTRY_URL }}/eu-eidas-proxy
+      DOCKLE_HOST: "unix:///var/run/docker.sock"
+    outputs:
+      image-version: ${{ steps.set-outputs.outputs.image-version }}
+      image-digest: ${{ steps.set-outputs.outputs.image-digest }}
+    steps:
+      - name: Set imagetag as env variable
+        run: echo "IMAGETAG=$(date +'%Y-%m-%d-%H%M')-${GITHUB_SHA::8}" >> "$GITHUB_ENV"
+
+      - uses: actions/checkout@v4
+
+      - name: Build the tagged Docker image
+        run: docker build --tag ${{env.IMAGE_NAME}}:${{env.IMAGETAG}} --file docker/Dockerfile .
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # pin@v0.19.0
+        with:
+          image-ref: ${{env.IMAGE_NAME}}:${{env.IMAGETAG}}
+          exit-code: "1"
+          severity: "CRITICAL,HIGH"
+
+      - uses: anchore/sbom-action@v0
+        with:
+          image: ${{env.IMAGE_NAME}}:${{env.IMAGETAG}}
+          artifact-name: sbom-${{ github.event.repository.name }}-${{env.IMAGETAG}}.spdx
+
+      - name: "Login to Azure Container registery"
+        uses: azure/docker-login@v1
+        with:
+          login-server: ${{ secrets.REGISTRY_URL }}
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+
+      - run: docker push ${{env.IMAGE_NAME}}:${{env.IMAGETAG}}
+
+      - run: echo "IMAGE_DIGEST=$(docker inspect --format='{{.RepoDigests}}' ${{env.IMAGE_NAME}}:${{env.IMAGETAG}}|cut -d '@' -f 2|cut -d ']' -f 1)" >> "$GITHUB_ENV"
+
+      - name: Find jira-id
+        id: regex-find-jira-id
+        env:
+          GIT_MSG: ${{ github.event.head_commit.message }}
+        run: |
+          JIID=$(echo "$GIT_MSG" | head -1 | 
+          sed -E 's/^([a-zA-Z]{2,6}\-[0-9]+).+/\1/')
+          echo "JIRAID=$JIID" >> "$GITHUB_OUTPUT"
+
+      - id: output-jira-id
+        if: ${{ steps.regex-find-jira-id.outputs.JIRAID != '' }}
+        run: echo "JIRA_ID=${{ steps.regex-find-jira-id.outputs.JIRAID }}" >> "$GITHUB_ENV"
+
+      - uses: octokit/request-action@v2.x
+        id: get_labels
+        with:
+          route: GET /repos/${{ github.repository }}/commits/${{ github.sha }}/pulls
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - run: |
+          echo "PR_LABELS=${{ join(fromJSON(steps.get_labels.outputs.data)[0].labels.*.name) }}" >> "$GITHUB_ENV"
+          echo "PR_NUMBER=${{ fromJson(steps.get_labels.outputs.data)[0].number }}" >> "$GITHUB_ENV"
+
+      - id: check_dependabot
+        run: echo "DEPENDABOT=${{ contains(env.PR_LABELS, 'dependencies') }}" >> "$GITHUB_ENV"
+
+      - id: output-dependabot
+        if: ${{ steps.regex-find-jira-id.outputs.match == '' && env.DEPENDABOT == 'true' }}
+        run: echo "JIRA_ID=Dependabot" >> "$GITHUB_ENV"
+
+      - name: Set Outputs
+        id: set-outputs
+        run: |
+          {
+            echo "image-version=${{ env.IMAGETAG }}"
+            echo "image-digest=${{ env.IMAGE_DIGEST }}"
+          } >> "$GITHUB_OUTPUT"
+
+  call-update-image:
+    uses: felleslosninger/github-workflows/.github/workflows/ci-call-update-image.yml@main
+    needs: build-image
+    with:
+      application-name: eu-eidas-proxy
+      deployment-environment: systest
+      image-digest: ${{ needs.build-image.outputs.image-digest }}
+      image-name: eu-eidas-proxy
+      image-version: ${{ needs.build-image.outputs.image-version }}
+      kubernetes-repo: idporten-cd
+      product-name: eidas
+    secrets: inherit

.github/workflows/call-maventests.yml

@@ -0,0 +1,29 @@
+
+name: Build Dockerfile
+
+on:
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    env:
+      IMAGE_NAME: my-local-registery/eu-eidas-proxy
+      DOCKLE_HOST: "unix:///var/run/docker.sock"
+    steps:
+      - name: Set imagetag as env variable
+        run: echo "IMAGETAG=$(date +'%Y-%m-%d-%H%M')-${GITHUB_SHA::8}" >> "$GITHUB_ENV"
+      - uses: actions/checkout@v4
+      - name: Build the tagged Docker image
+        run: docker build --tag ${{ env.IMAGE_NAME}}:${{env.IMAGETAG}} --file docker/Dockerfile .
+      - uses: anchore/sbom-action@v0
+        with:
+          image: ${{ env.IMAGE_NAME}}:${{env.IMAGETAG}}
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # pin@v0.19.0
+        with:
+          image-ref: ${{ env.IMAGE_NAME}}:${{env.IMAGETAG}}
+          exit-code: '1'
+          severity: 'CRITICAL,HIGH'
+

.github/workflows/check-syntax.yml

@@ -0,0 +1,13 @@
+name: Syntax check workflows files (actionlint)
+run-name: "actionlint"
+on:
+  push:
+    paths:
+      - '.github/workflows/**'
+
+jobs:
+  actionlint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Run actionlint"
+        uses: felleslosninger/github-actions/run-actionlint@v0.6.7

.github/workflows/on-pr-label-internal.yml

@@ -0,0 +1,9 @@
+name: On PR label
+
+on:
+  pull_request:
+    types: [labeled]
+
+jobs:
+  on-pr-label:
+    uses: felleslosninger/github-workflows/.github/workflows/on-pr-label.yml@main

.gitignore

@@ -0,0 +1,20 @@
+### Maven
+target/
+!../.mvn/wrapper/maven-wrapper.jar
+!**/src/main/**/target/
+!**/src/test/**/target/
+
+### IntelliJ IDEA ###
+.idea
+*.iws
+*.iml
+*.ipr
+
+### jenv ###
+.java-version
+
+### Visual Studio Code ###
+.vscode/
+
+### macos finder ###
+.DS_Store

.trivyignore

@@ -0,0 +1,11 @@
+#
+CVE-2023-6378 # logback-classic fixed in 1.3.12, 1.4.12, 1.2.13
+CVE-2022-22965 # spring-beans fixed in 5.3.18
+CVE-2022-22970 # spring-beans fixed in 5.3.20
+CVE-2022-22968 # spring-context fixed in 5.3.19
+CVE-2018-15756 # spring-core fixed in  5.1.1, 4.3.20
+CVE-2023-20863 # spring-expression fixed in 5 and 6
+CVE-2016-1000027 #spring-web fixed in 6.0.0
+CVE-2024-22243 #spring-web fixed in 6.1.4, 6.0.17, 5.3.32
+CVE-2024-22259 #spring-web fixed in 6.1.5, 6.0.18, 5.3.33
+CVE-2024-22262 #spring-web fixed in 5.3.34, 6.0.19, 6.1.6

README.md

@@ -1,2 +1,24 @@
 # eu-eidas-proxy
 Norwegian generic eIDAS-proxy build from eIDAS source.
+
+See these documents in https://ec.europa.eu/digital-building-blocks/sites/display/DIGITAL/eIDAS-Node+version+2.7.1:
+* eIDAS-Node National IdP and SP Integration Guide v2.7.pdf
+* eIDAS-Node Installation Quick Start Guide v2.7.pdf
+* eIDAS-Node Installation and Configuration Guide v2.7.1.pdf
+
+
+### Run eu-eidas-proxy as docker-compose on your machine for local testing
+
+Add the following to your /etc/hosts file:
+```
+# eIDAS local dev
+127.0.0.1 eu-eidas-proxy
+```
+
+Start docker containers:
+```
+docker-compose -f docker-compose.yaml up --build
+```
+
+### Run eu-eidas-proxy in test/production environment
+Systest: eu-eidas-proxy.idporten.dev

docker-compose.yaml

@@ -0,0 +1,35 @@
+# NB: Login to Azure Container Registery for dev images: az login && az acr login -n crutvikling --subscription 0d8a0177-44ad-4a25-a38f-9489f3874db0
+# NB for images to systest/test/prod use creiddev ACR: az acr login -n creiddev  --subscription 0d8a0177-44ad-4a25-a38f-9489f3874db0
+# https://portal.azure.com/#@Nasjonalfelleslosning.onmicrosoft.com/resource/subscriptions/9c0d7873-b8aa-4042-96f8-b8ce5c9888d0/resourceGroups/rg-eid-systest-cr/providers/Microsoft.ContainerRegistry/registries/crutvikling/overview
+
+name: eu-eidas-proxy
+networks:
+  eidas:
+    name: eidas
+
+services:
+
+  eu-eidas-proxy:
+    build:
+      context: .
+      dockerfile: docker/dev.Dockerfile
+      args:
+        GIT_PACKAGE_TOKEN: ${GIT_PACKAGE_TOKEN}
+        GIT_PACKAGE_USERNAME: ${GIT_PACKAGE_USERNAME}
+    ports:
+      - "8082:8082"
+    healthcheck:
+      test: wget --no-verbose --tries=1 --spider http://eu-eidas-proxy:8082/EidasNodeProxy/ServiceMetadata || exit 1
+      interval: 5s
+      start_period: 8s
+      timeout: 5s
+      retries: 20
+    networks:
+      - eidas
+    entrypoint: "/bin/bash -c"
+    command:
+      - |
+        cd /usr/local/tomcat
+        ./bin/catalina.sh run
+
+

docker/Dockerfile

@@ -0,0 +1,44 @@
+FROM maven:3.9-eclipse-temurin-11 as builder
+
+WORKDIR /data
+
+# Download EU-eidas software
+ARG EIDAS_NODE_VERSION=2.7.1
+RUN git clone --depth 1 --branch eidasnode-${EIDAS_NODE_VERSION} https://ec.europa.eu/digital-building-blocks/code/scm/eid/eidasnode-pub.git
+
+RUN cd eidasnode-pub && mvn clean install --file EIDAS-Parent/pom.xml -P NodeOnly -P nodeJcacheIgnite -P specificCommunicationJcacheIgnite
+
+RUN mkdir -p eidas-proxy-config/
+COPY docker/proxy/config/ eidas-proxy-config
+
+# Replace base URLs in eidas.xml and metadata (whitelist). TODO: move to environment specific k8 config
+RUN sed -i 's/EU-PROXY-URL/https:\/\/eu-eidas-proxy.idporten.dev/g' eidas-proxy-config/eidas.xml
+RUN sed -i 's/EIDAS-PROXY-URL/https:\/\/eidas-proxy.idporten.dev/g' eidas-proxy-config/eidas.xml
+RUN sed -i 's/DEMOLAND-CA-URL/https:\/\/eidas-demo-ca.idporten.dev/g' eidas-proxy-config/metadata/MetadataFetcher_Service.properties
+RUN sed -i 's/NO-EU-EIDAS-CONNECTOR-URL/https:\/\/eu-eidas-connector.idporten.dev/g' eidas-proxy-config/metadata/MetadataFetcher_Service.properties
+
+
+
+FROM tomcat:9.0-jre11-temurin-jammy
+
+COPY docker/bouncycastle/java_bc.security /opt/java/openjdk/conf/security/java_bc.security
+COPY docker/bouncycastle/bcprov-jdk18on-1.78.jar /usr/local/lib/bcprov-jdk18on-1.78.jar
+
+COPY docker/proxy/tomcat-setenv.sh ${CATALINA_HOME}/bin/setenv.sh
+
+RUN mkdir -p $CATALINA_HOME/eidas-proxy-config/
+COPY --from=builder /data/eidas-proxy-config/ $CATALINA_HOME/eidas-proxy-config
+
+# Add war files to webapps: /usr/local/tomcat/webapps
+COPY --from=builder /data/eidasnode-pub/EIDAS-Node-Proxy/target/EidasNodeProxy.war ${CATALINA_HOME}/webapps/ROOT.war
+RUN chmod -R 770 ${CATALINA_HOME}/webapps
+
+# Add Cache Ignite work folder. TODO: Remove when switch to Redis.
+RUN mkdir -p ${CATALINA_HOME}/ignite && chgrp -R 0 ${CATALINA_HOME}/ignite && chmod 770 ${CATALINA_HOME}/ignite
+
+# eIDAS audit log folder
+RUN mkdir -p ${CATALINA_HOME}/eidas/logs && chmod 774 ${CATALINA_HOME}/eidas/logs
+
+EXPOSE 8080
+
+CMD ["/bin/bash", "-c", "catalina.sh run"]

docker/bouncycastle/java_bc.security

@@ -0,0 +1,13 @@
+security.provider.1=SUN
+security.provider.2=SunRsaSign
+security.provider.3=SunEC
+security.provider.4=SunJSSE
+security.provider.5=SunJCE
+security.provider.6=SunJGSS
+security.provider.7=SunSASL
+security.provider.8=XMLDSig
+security.provider.9=SunPCSC
+security.provider.10=JdkLDAP
+security.provider.11=JdkSASL
+security.provider.12=SunPKCS11
+security.provider.13=org.bouncycastle.jce.provider.BouncyCastleProvider

docker/dev.Dockerfile

@@ -0,0 +1,42 @@
+FROM maven:3.9-eclipse-temurin-11 as builder
+
+WORKDIR /data
+
+# Download EU-eidas software
+ARG EIDAS_NODE_VERSION=2.7.1
+RUN git clone --depth 1 --branch eidasnode-${EIDAS_NODE_VERSION} https://ec.europa.eu/digital-building-blocks/code/scm/eid/eidasnode-pub.git
+
+RUN cd eidasnode-pub && mvn clean install --file EIDAS-Parent/pom.xml -P NodeOnly -P nodeJcacheIgnite -P specificCommunicationJcacheIgnite
+
+RUN mkdir -p eidas-proxy-config/
+COPY docker/proxy/config/ eidas-proxy-config
+
+# Replace base URLs in eidas.xml and metadata (whitelist).
+RUN sed -i 's/EU-PROXY-URL/http:\/\/eu-eidas-proxy:8082/g' eidas-proxy-config/eidas.xml
+RUN sed -i 's/EIDAS-PROXY-URL/http:\/\/eidas-proxy:8081/g' eidas-proxy-config/eidas.xml
+RUN sed -i 's/DEMOLAND-CA-URL/http:\/\/eidas-demo-ca:8080/g' eidas-proxy-config/metadata/MetadataFetcher_Service.properties
+RUN sed -i 's/NO-EU-EIDAS-CONNECTOR-URL/http:\/\/eu-eidas-connector:8083/g' eidas-proxy-config/metadata/MetadataFetcher_Service.properties
+
+# Only for local development
+RUN sed -i 's/metadata.restrict.http">true/metadata.restrict.http">false/g' eidas-proxy-config/eidas.xml
+
+FROM tomcat:9.0-jre11-temurin-jammy
+
+COPY docker/bouncycastle/java_bc.security /opt/java/openjdk/conf/security/java_bc.security
+COPY docker/bouncycastle/bcprov-jdk18on-1.78.jar /usr/local/lib/bcprov-jdk18on-1.78.jar
+
+# change tomcat port
+RUN sed -i 's/port="8080"/port="8082"/' ${CATALINA_HOME}/conf/server.xml
+
+COPY docker/proxy/tomcat-setenv.sh ${CATALINA_HOME}/bin/setenv.sh
+
+RUN mkdir -p $CATALINA_HOME/eidas-proxy-config/
+COPY --from=builder /data/eidas-proxy-config/ $CATALINA_HOME/eidas-proxy-config
+
+# Add war files to webapps: /usr/local/tomcat/webapps
+COPY --from=builder /data/eidasnode-pub/EIDAS-Node-Proxy/target/EidasNodeProxy.war ${CATALINA_HOME}/webapps/ROOT.war
+
+# eIDAS audit log folder
+RUN mkdir -p ${CATALINA_HOME}/eidas/logs && chmod 744 ${CATALINA_HOME}/eidas/logs
+
+EXPOSE 8082