-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
* ID-4179: flytte til eige repo for norsk eu-eidas-proxy * ID-4179: CVEs ignored * use contextpath for now
- Loading branch information
Showing
41 changed files
with
1,328 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
# To get started with Dependabot version updates, you'll need to specify which | ||
# package ecosystems to update and where the package manifests are located. | ||
# Please see the documentation for all configuration options: | ||
# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates | ||
|
||
version: 2 | ||
#registries: | ||
# maven-github: | ||
# type: maven-repository | ||
# url: https://maven.pkg.github.com/felleslosninger | ||
# username: ${{secrets.MAVEN_USER}} | ||
# password: ${{secrets.MAVEN_PASSWORD}} | ||
updates: | ||
- package-ecosystem: "github-actions" | ||
directory: "/.github" | ||
schedule: | ||
interval: "daily" | ||
- package-ecosystem: "docker" | ||
directory: "/docker" | ||
schedule: | ||
interval: "daily" | ||
# - package-ecosystem: "maven" | ||
# directory: "/" # Location of package manifests | ||
# registries: | ||
# - maven-github | ||
# schedule: | ||
# interval: "daily" | ||
# open-pull-requests-limit: 10 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,104 @@ | ||
|
||
name: Build/publish Docker image | ||
|
||
on: | ||
push: | ||
branches: [ main ] | ||
paths-ignore: | ||
- 'src/test/**' | ||
- 'docker-compose.yaml' | ||
- '*.md' | ||
- 'LICENSE' | ||
|
||
jobs: | ||
build-image: | ||
runs-on: ubuntu-latest | ||
env: | ||
IMAGE_NAME: ${{ secrets.REGISTRY_URL }}/eu-eidas-proxy | ||
DOCKLE_HOST: "unix:///var/run/docker.sock" | ||
outputs: | ||
image-version: ${{ steps.set-outputs.outputs.image-version }} | ||
image-digest: ${{ steps.set-outputs.outputs.image-digest }} | ||
steps: | ||
- name: Set imagetag as env variable | ||
run: echo "IMAGETAG=$(date +'%Y-%m-%d-%H%M')-${GITHUB_SHA::8}" >> "$GITHUB_ENV" | ||
|
||
- uses: actions/checkout@v4 | ||
|
||
- name: Build the tagged Docker image | ||
run: docker build --tag ${{env.IMAGE_NAME}}:${{env.IMAGETAG}} --file docker/Dockerfile . | ||
|
||
- name: Run Trivy vulnerability scanner | ||
uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # pin@v0.19.0 | ||
with: | ||
image-ref: ${{env.IMAGE_NAME}}:${{env.IMAGETAG}} | ||
exit-code: "1" | ||
severity: "CRITICAL,HIGH" | ||
|
||
- uses: anchore/sbom-action@v0 | ||
with: | ||
image: ${{env.IMAGE_NAME}}:${{env.IMAGETAG}} | ||
artifact-name: sbom-${{ github.event.repository.name }}-${{env.IMAGETAG}}.spdx | ||
|
||
- name: "Login to Azure Container registery" | ||
uses: azure/docker-login@v1 | ||
with: | ||
login-server: ${{ secrets.REGISTRY_URL }} | ||
username: ${{ secrets.REGISTRY_USERNAME }} | ||
password: ${{ secrets.REGISTRY_PASSWORD }} | ||
|
||
- run: docker push ${{env.IMAGE_NAME}}:${{env.IMAGETAG}} | ||
|
||
- run: echo "IMAGE_DIGEST=$(docker inspect --format='{{.RepoDigests}}' ${{env.IMAGE_NAME}}:${{env.IMAGETAG}}|cut -d '@' -f 2|cut -d ']' -f 1)" >> "$GITHUB_ENV" | ||
|
||
- name: Find jira-id | ||
id: regex-find-jira-id | ||
env: | ||
GIT_MSG: ${{ github.event.head_commit.message }} | ||
run: | | ||
JIID=$(echo "$GIT_MSG" | head -1 | | ||
sed -E 's/^([a-zA-Z]{2,6}\-[0-9]+).+/\1/') | ||
echo "JIRAID=$JIID" >> "$GITHUB_OUTPUT" | ||
- id: output-jira-id | ||
if: ${{ steps.regex-find-jira-id.outputs.JIRAID != '' }} | ||
run: echo "JIRA_ID=${{ steps.regex-find-jira-id.outputs.JIRAID }}" >> "$GITHUB_ENV" | ||
|
||
- uses: octokit/request-action@v2.x | ||
id: get_labels | ||
with: | ||
route: GET /repos/${{ github.repository }}/commits/${{ github.sha }}/pulls | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
|
||
- run: | | ||
echo "PR_LABELS=${{ join(fromJSON(steps.get_labels.outputs.data)[0].labels.*.name) }}" >> "$GITHUB_ENV" | ||
echo "PR_NUMBER=${{ fromJson(steps.get_labels.outputs.data)[0].number }}" >> "$GITHUB_ENV" | ||
- id: check_dependabot | ||
run: echo "DEPENDABOT=${{ contains(env.PR_LABELS, 'dependencies') }}" >> "$GITHUB_ENV" | ||
|
||
- id: output-dependabot | ||
if: ${{ steps.regex-find-jira-id.outputs.match == '' && env.DEPENDABOT == 'true' }} | ||
run: echo "JIRA_ID=Dependabot" >> "$GITHUB_ENV" | ||
|
||
- name: Set Outputs | ||
id: set-outputs | ||
run: | | ||
{ | ||
echo "image-version=${{ env.IMAGETAG }}" | ||
echo "image-digest=${{ env.IMAGE_DIGEST }}" | ||
} >> "$GITHUB_OUTPUT" | ||
call-update-image: | ||
uses: felleslosninger/github-workflows/.github/workflows/ci-call-update-image.yml@main | ||
needs: build-image | ||
with: | ||
application-name: eu-eidas-proxy | ||
deployment-environment: systest | ||
image-digest: ${{ needs.build-image.outputs.image-digest }} | ||
image-name: eu-eidas-proxy | ||
image-version: ${{ needs.build-image.outputs.image-version }} | ||
kubernetes-repo: idporten-cd | ||
product-name: eidas | ||
secrets: inherit |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
|
||
name: Build Dockerfile | ||
|
||
on: | ||
pull_request: | ||
branches: [ main ] | ||
|
||
jobs: | ||
build: | ||
runs-on: ubuntu-latest | ||
env: | ||
IMAGE_NAME: my-local-registery/eu-eidas-proxy | ||
DOCKLE_HOST: "unix:///var/run/docker.sock" | ||
steps: | ||
- name: Set imagetag as env variable | ||
run: echo "IMAGETAG=$(date +'%Y-%m-%d-%H%M')-${GITHUB_SHA::8}" >> "$GITHUB_ENV" | ||
- uses: actions/checkout@v4 | ||
- name: Build the tagged Docker image | ||
run: docker build --tag ${{ env.IMAGE_NAME}}:${{env.IMAGETAG}} --file docker/Dockerfile . | ||
- uses: anchore/sbom-action@v0 | ||
with: | ||
image: ${{ env.IMAGE_NAME}}:${{env.IMAGETAG}} | ||
- name: Run Trivy vulnerability scanner | ||
uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # pin@v0.19.0 | ||
with: | ||
image-ref: ${{ env.IMAGE_NAME}}:${{env.IMAGETAG}} | ||
exit-code: '1' | ||
severity: 'CRITICAL,HIGH' | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
name: Syntax check workflows files (actionlint) | ||
run-name: "actionlint" | ||
on: | ||
push: | ||
paths: | ||
- '.github/workflows/**' | ||
|
||
jobs: | ||
actionlint: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: "Run actionlint" | ||
uses: felleslosninger/github-actions/run-actionlint@v0.6.7 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
name: On PR label | ||
|
||
on: | ||
pull_request: | ||
types: [labeled] | ||
|
||
jobs: | ||
on-pr-label: | ||
uses: felleslosninger/github-workflows/.github/workflows/on-pr-label.yml@main |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
### Maven | ||
target/ | ||
!../.mvn/wrapper/maven-wrapper.jar | ||
!**/src/main/**/target/ | ||
!**/src/test/**/target/ | ||
|
||
### IntelliJ IDEA ### | ||
.idea | ||
*.iws | ||
*.iml | ||
*.ipr | ||
|
||
### jenv ### | ||
.java-version | ||
|
||
### Visual Studio Code ### | ||
.vscode/ | ||
|
||
### macos finder ### | ||
.DS_Store |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
# | ||
CVE-2023-6378 # logback-classic fixed in 1.3.12, 1.4.12, 1.2.13 | ||
CVE-2022-22965 # spring-beans fixed in 5.3.18 | ||
CVE-2022-22970 # spring-beans fixed in 5.3.20 | ||
CVE-2022-22968 # spring-context fixed in 5.3.19 | ||
CVE-2018-15756 # spring-core fixed in 5.1.1, 4.3.20 | ||
CVE-2023-20863 # spring-expression fixed in 5 and 6 | ||
CVE-2016-1000027 #spring-web fixed in 6.0.0 | ||
CVE-2024-22243 #spring-web fixed in 6.1.4, 6.0.17, 5.3.32 | ||
CVE-2024-22259 #spring-web fixed in 6.1.5, 6.0.18, 5.3.33 | ||
CVE-2024-22262 #spring-web fixed in 5.3.34, 6.0.19, 6.1.6 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,2 +1,24 @@ | ||
# eu-eidas-proxy | ||
Norwegian generic eIDAS-proxy build from eIDAS source. | ||
|
||
See these documents in https://ec.europa.eu/digital-building-blocks/sites/display/DIGITAL/eIDAS-Node+version+2.7.1: | ||
* eIDAS-Node National IdP and SP Integration Guide v2.7.pdf | ||
* eIDAS-Node Installation Quick Start Guide v2.7.pdf | ||
* eIDAS-Node Installation and Configuration Guide v2.7.1.pdf | ||
|
||
|
||
### Run eu-eidas-proxy as docker-compose on your machine for local testing | ||
|
||
Add the following to your /etc/hosts file: | ||
``` | ||
# eIDAS local dev | ||
127.0.0.1 eu-eidas-proxy | ||
``` | ||
|
||
Start docker containers: | ||
``` | ||
docker-compose -f docker-compose.yaml up --build | ||
``` | ||
|
||
### Run eu-eidas-proxy in test/production environment | ||
Systest: eu-eidas-proxy.idporten.dev |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
# NB: Login to Azure Container Registery for dev images: az login && az acr login -n crutvikling --subscription 0d8a0177-44ad-4a25-a38f-9489f3874db0 | ||
# NB for images to systest/test/prod use creiddev ACR: az acr login -n creiddev --subscription 0d8a0177-44ad-4a25-a38f-9489f3874db0 | ||
# https://portal.azure.com/#@Nasjonalfelleslosning.onmicrosoft.com/resource/subscriptions/9c0d7873-b8aa-4042-96f8-b8ce5c9888d0/resourceGroups/rg-eid-systest-cr/providers/Microsoft.ContainerRegistry/registries/crutvikling/overview | ||
|
||
name: eu-eidas-proxy | ||
networks: | ||
eidas: | ||
name: eidas | ||
|
||
services: | ||
|
||
eu-eidas-proxy: | ||
build: | ||
context: . | ||
dockerfile: docker/dev.Dockerfile | ||
args: | ||
GIT_PACKAGE_TOKEN: ${GIT_PACKAGE_TOKEN} | ||
GIT_PACKAGE_USERNAME: ${GIT_PACKAGE_USERNAME} | ||
ports: | ||
- "8082:8082" | ||
healthcheck: | ||
test: wget --no-verbose --tries=1 --spider http://eu-eidas-proxy:8082/EidasNodeProxy/ServiceMetadata || exit 1 | ||
interval: 5s | ||
start_period: 8s | ||
timeout: 5s | ||
retries: 20 | ||
networks: | ||
- eidas | ||
entrypoint: "/bin/bash -c" | ||
command: | ||
- | | ||
cd /usr/local/tomcat | ||
./bin/catalina.sh run | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
FROM maven:3.9-eclipse-temurin-11 as builder | ||
|
||
WORKDIR /data | ||
|
||
# Download EU-eidas software | ||
ARG EIDAS_NODE_VERSION=2.7.1 | ||
RUN git clone --depth 1 --branch eidasnode-${EIDAS_NODE_VERSION} https://ec.europa.eu/digital-building-blocks/code/scm/eid/eidasnode-pub.git | ||
|
||
RUN cd eidasnode-pub && mvn clean install --file EIDAS-Parent/pom.xml -P NodeOnly -P nodeJcacheIgnite -P specificCommunicationJcacheIgnite | ||
|
||
RUN mkdir -p eidas-proxy-config/ | ||
COPY docker/proxy/config/ eidas-proxy-config | ||
|
||
# Replace base URLs in eidas.xml and metadata (whitelist). TODO: move to environment specific k8 config | ||
RUN sed -i 's/EU-PROXY-URL/https:\/\/eu-eidas-proxy.idporten.dev/g' eidas-proxy-config/eidas.xml | ||
RUN sed -i 's/EIDAS-PROXY-URL/https:\/\/eidas-proxy.idporten.dev/g' eidas-proxy-config/eidas.xml | ||
RUN sed -i 's/DEMOLAND-CA-URL/https:\/\/eidas-demo-ca.idporten.dev/g' eidas-proxy-config/metadata/MetadataFetcher_Service.properties | ||
RUN sed -i 's/NO-EU-EIDAS-CONNECTOR-URL/https:\/\/eu-eidas-connector.idporten.dev/g' eidas-proxy-config/metadata/MetadataFetcher_Service.properties | ||
|
||
|
||
|
||
FROM tomcat:9.0-jre11-temurin-jammy | ||
|
||
COPY docker/bouncycastle/java_bc.security /opt/java/openjdk/conf/security/java_bc.security | ||
COPY docker/bouncycastle/bcprov-jdk18on-1.78.jar /usr/local/lib/bcprov-jdk18on-1.78.jar | ||
|
||
COPY docker/proxy/tomcat-setenv.sh ${CATALINA_HOME}/bin/setenv.sh | ||
|
||
RUN mkdir -p $CATALINA_HOME/eidas-proxy-config/ | ||
COPY --from=builder /data/eidas-proxy-config/ $CATALINA_HOME/eidas-proxy-config | ||
|
||
# Add war files to webapps: /usr/local/tomcat/webapps | ||
COPY --from=builder /data/eidasnode-pub/EIDAS-Node-Proxy/target/EidasNodeProxy.war ${CATALINA_HOME}/webapps/ROOT.war | ||
RUN chmod -R 770 ${CATALINA_HOME}/webapps | ||
|
||
# Add Cache Ignite work folder. TODO: Remove when switch to Redis. | ||
RUN mkdir -p ${CATALINA_HOME}/ignite && chgrp -R 0 ${CATALINA_HOME}/ignite && chmod 770 ${CATALINA_HOME}/ignite | ||
|
||
# eIDAS audit log folder | ||
RUN mkdir -p ${CATALINA_HOME}/eidas/logs && chmod 774 ${CATALINA_HOME}/eidas/logs | ||
|
||
EXPOSE 8080 | ||
|
||
CMD ["/bin/bash", "-c", "catalina.sh run"] |
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
security.provider.1=SUN | ||
security.provider.2=SunRsaSign | ||
security.provider.3=SunEC | ||
security.provider.4=SunJSSE | ||
security.provider.5=SunJCE | ||
security.provider.6=SunJGSS | ||
security.provider.7=SunSASL | ||
security.provider.8=XMLDSig | ||
security.provider.9=SunPCSC | ||
security.provider.10=JdkLDAP | ||
security.provider.11=JdkSASL | ||
security.provider.12=SunPKCS11 | ||
security.provider.13=org.bouncycastle.jce.provider.BouncyCastleProvider |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,42 @@ | ||
FROM maven:3.9-eclipse-temurin-11 as builder | ||
|
||
WORKDIR /data | ||
|
||
# Download EU-eidas software | ||
ARG EIDAS_NODE_VERSION=2.7.1 | ||
RUN git clone --depth 1 --branch eidasnode-${EIDAS_NODE_VERSION} https://ec.europa.eu/digital-building-blocks/code/scm/eid/eidasnode-pub.git | ||
|
||
RUN cd eidasnode-pub && mvn clean install --file EIDAS-Parent/pom.xml -P NodeOnly -P nodeJcacheIgnite -P specificCommunicationJcacheIgnite | ||
|
||
RUN mkdir -p eidas-proxy-config/ | ||
COPY docker/proxy/config/ eidas-proxy-config | ||
|
||
# Replace base URLs in eidas.xml and metadata (whitelist). | ||
RUN sed -i 's/EU-PROXY-URL/http:\/\/eu-eidas-proxy:8082/g' eidas-proxy-config/eidas.xml | ||
RUN sed -i 's/EIDAS-PROXY-URL/http:\/\/eidas-proxy:8081/g' eidas-proxy-config/eidas.xml | ||
RUN sed -i 's/DEMOLAND-CA-URL/http:\/\/eidas-demo-ca:8080/g' eidas-proxy-config/metadata/MetadataFetcher_Service.properties | ||
RUN sed -i 's/NO-EU-EIDAS-CONNECTOR-URL/http:\/\/eu-eidas-connector:8083/g' eidas-proxy-config/metadata/MetadataFetcher_Service.properties | ||
|
||
# Only for local development | ||
RUN sed -i 's/metadata.restrict.http">true/metadata.restrict.http">false/g' eidas-proxy-config/eidas.xml | ||
|
||
FROM tomcat:9.0-jre11-temurin-jammy | ||
|
||
COPY docker/bouncycastle/java_bc.security /opt/java/openjdk/conf/security/java_bc.security | ||
COPY docker/bouncycastle/bcprov-jdk18on-1.78.jar /usr/local/lib/bcprov-jdk18on-1.78.jar | ||
|
||
# change tomcat port | ||
RUN sed -i 's/port="8080"/port="8082"/' ${CATALINA_HOME}/conf/server.xml | ||
|
||
COPY docker/proxy/tomcat-setenv.sh ${CATALINA_HOME}/bin/setenv.sh | ||
|
||
RUN mkdir -p $CATALINA_HOME/eidas-proxy-config/ | ||
COPY --from=builder /data/eidas-proxy-config/ $CATALINA_HOME/eidas-proxy-config | ||
|
||
# Add war files to webapps: /usr/local/tomcat/webapps | ||
COPY --from=builder /data/eidasnode-pub/EIDAS-Node-Proxy/target/EidasNodeProxy.war ${CATALINA_HOME}/webapps/ROOT.war | ||
|
||
# eIDAS audit log folder | ||
RUN mkdir -p ${CATALINA_HOME}/eidas/logs && chmod 744 ${CATALINA_HOME}/eidas/logs | ||
|
||
EXPOSE 8082 |
Oops, something went wrong.