From 023926e28ae1d019a26b893b5c1d843025ec0d13 Mon Sep 17 00:00:00 2001 From: Nathan Klick Date: Mon, 9 Sep 2024 16:17:33 -0500 Subject: [PATCH 1/3] feat: add initial version of the apache-httpd-oidc container 
Signed-off-by: Nathan Klick --- .github/CODEOWNERS | 43 + .../workflows/flow-pull-request-checks.yaml | 39 + .../flow-pull-request-formatting.yaml | 51 ++ .../flow-release-httpd-oidc-images.yaml | 136 +++ .../zxc-build-httpd-oidc-images.yaml | 136 +++ .../zxf-forked-pull-request-closer.yaml | 60 ++ .gitignore | 808 ++++++++++++++++++ README.md | 24 +- apache-httpd-oidc/Dockerfile | 179 ++++ .../conf-available/global-server-name.conf | 2 + .../conf-available/oidc-provider.conf | 8 + apache-httpd-oidc/configure-container.sh | 87 ++ apache-httpd-oidc/entrypoint-helper.sh | 249 ++++++ apache-httpd-oidc/entrypoint.sh | 18 + apache-httpd-oidc/logger.sh | 73 ++ apache-httpd-oidc/repro-sources-list.sh | 103 +++ .../s6-rc.d/gcsfuse/dependencies.d/base | 0 apache-httpd-oidc/s6-rc.d/gcsfuse/run | 8 + apache-httpd-oidc/s6-rc.d/gcsfuse/type | 1 + .../s6-rc.d/user/contents.d/gcsfuse | 0 .../sites-available/default-nossl.conf | 37 + .../sites-available/default-ssl-redirect.conf | 62 ++ .../sites-available/default-ssl.conf | 81 ++ 23 files changed, 2204 insertions(+), 1 deletion(-) create mode 100644 .github/CODEOWNERS create mode 100644 .github/workflows/flow-pull-request-checks.yaml create mode 100644 .github/workflows/flow-pull-request-formatting.yaml create mode 100644 .github/workflows/flow-release-httpd-oidc-images.yaml create mode 100644 .github/workflows/zxc-build-httpd-oidc-images.yaml create mode 100644 .github/workflows/zxf-forked-pull-request-closer.yaml create mode 100644 .gitignore create mode 100644 apache-httpd-oidc/Dockerfile create mode 100644 apache-httpd-oidc/conf-available/global-server-name.conf create mode 100644 apache-httpd-oidc/conf-available/oidc-provider.conf create mode 100755 apache-httpd-oidc/configure-container.sh create mode 100755 apache-httpd-oidc/entrypoint-helper.sh create mode 100755 apache-httpd-oidc/entrypoint.sh create mode 100755 apache-httpd-oidc/logger.sh create mode 100755 apache-httpd-oidc/repro-sources-list.sh create mode 100644 
apache-httpd-oidc/s6-rc.d/gcsfuse/dependencies.d/base create mode 100644 apache-httpd-oidc/s6-rc.d/gcsfuse/run create mode 100644 apache-httpd-oidc/s6-rc.d/gcsfuse/type create mode 100644 apache-httpd-oidc/s6-rc.d/user/contents.d/gcsfuse create mode 100644 apache-httpd-oidc/sites-available/default-nossl.conf create mode 100644 apache-httpd-oidc/sites-available/default-ssl-redirect.conf create mode 100644 apache-httpd-oidc/sites-available/default-ssl.conf
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..abfc792
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,43 @@
+###################################
+##### Global Protection Rule ######
+###################################
+# NOTE: This rule is overriden by the more specific rules below. This is the catch-all rule for all files not covered by the more specific rules below.
+* @hashgraph/release-engineering-managers @hashgraph/product-security
+
+############################
+##### Project Files ######
+############################
+
+/apache-httpd-oidc/ @hashgraph/release-engineering-managers @hashgraph/product-security
+
+#########################
+##### Core Files ######
+#########################
+
+# NOTE: Must be placed last to ensure enforcement over all other rules
+
+# Protection Rules for Github Configuration Files and Actions Workflows
+/.github/ @hashgraph/release-engineering-managers
+/.github/workflows/ @hashgraph/release-engineering-managers @hashgraph/product-security @hashgraph/devops-ci
+
+
+# Codacy Tool Configurations
+/config/ @hashgraph/release-engineering-managers
+.remarkrc @hashgraph/release-engineering-managers
+
+# Semantic Release Configuration
+.releaserc @hashgraph/release-engineering-managers
+
+# Self-protection for root CODEOWNERS files (this file should not exist and should definitely require approval)
+/CODEOWNERS @hashgraph/release-engineering-managers
+
+# Protect the repository root files
+/README.md @hashgraph/release-engineering-managers
+**/LICENSE @hashgraph/release-engineering-managers
+
+# CodeCov configuration
+**/codecov.yml @hashgraph/release-engineering-managers
+
+# Git Ignore definitions
+**/.gitignore @hashgraph/release-engineering-managers
+**/.gitignore.* @hashgraph/release-engineering-managers
diff --git a/.github/workflows/flow-pull-request-checks.yaml b/.github/workflows/flow-pull-request-checks.yaml
new file mode 100644
index 0000000..75faee7
--- /dev/null
+++ b/.github/workflows/flow-pull-request-checks.yaml
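Review bot: The comment `# NOTE: Must be placed last to ensure enforcement over all other rules` above the `/.github/` rules does not describe the file as written: the Codacy, semantic-release, CODEOWNERS, README/LICENSE, codecov and `.gitignore` rules all follow it, and CODEOWNERS gives precedence to the last matching pattern. In practice that means a `.gitignore` placed under `.github/workflows/` would be owned by the `**/.gitignore` rule alone and lose the product-security and devops-ci reviewers that `/.github/workflows/` names. Either move the `/.github/` rules to the end of the file, or reword the note to `# NOTE: later rules override earlier ones; keep these .github rules below any generic pattern they must win over`. The header comment also has a typo, `overriden` → `overridden`.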
@@ -0,0 +1,39 @@
+##
+# Copyright (C) 2024 Hedera Hashgraph, LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##
+
+name: "PR Checks"
+on:
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - synchronize
+
+defaults:
+  run:
+    shell: bash
+
+concurrency:
+  group: pr-checks-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  httpd-oidc-images:
+    name: HTTPD OpenIDC Images
+    uses: ./.github/workflows/zxc-build-httpd-oidc-images.yaml
+    with:
+      tag-version: v0.0.0-${{ github.sha }}
+      dry-run-enabled: true
diff --git a/.github/workflows/flow-pull-request-formatting.yaml b/.github/workflows/flow-pull-request-formatting.yaml
new file mode 100644
index 0000000..9a811d4
--- /dev/null
+++ b/.github/workflows/flow-pull-request-formatting.yaml
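Review bot: `flow-pull-request-checks.yaml` has no top-level `permissions:` block, so the token passed to the reusable build workflow is whatever the repository default grants, whereas the other workflows in this commit (`flow-pull-request-formatting.yaml`, `zxf-forked-pull-request-closer.yaml`) scope it explicitly. The called `zxc-build-httpd-oidc-images.yaml` declares `id-token: write` and `packages: write`, and a called workflow can only narrow what the caller grants, so the caller is the place to state the intended scope. For this dry-run-only invocation `permissions: { contents: read }` looks sufficient, but whether the called workflow's broader declaration then errors or is silently narrowed should be confirmed on a run before pinning it.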
@@ -0,0 +1,51 @@
+##
+# Copyright (C) 2023 Hedera Hashgraph, LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##
+
+name: "PR Formatting"
+on:
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - edited
+      - synchronize
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+  statuses: write
+
+concurrency:
+  group: pr-formatting-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  title-check:
+    name: Title Check
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          egress-policy: audit
+
+      - name: Check PR Title
+        uses: step-security/conventional-pr-title-action@19fb561b33015fd2184055a05ce5a3bcf2ba3f54 # v3.2.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/flow-release-httpd-oidc-images.yaml b/.github/workflows/flow-release-httpd-oidc-images.yaml
new file mode 100644
index 0000000..4cf198a
--- /dev/null
+++ b/.github/workflows/flow-release-httpd-oidc-images.yaml
@@ -0,0 +1,136 @@
+##
+# Copyright (C) 2024 Hedera Hashgraph, LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##
+
+name: "Release HTTPD OIDC Images"
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Release Version (semver):"
+        type: string
+        required: true
+
+      ## Linux Architectures for Multi-Arch Builds
+      platforms:
+        description: "Platforms:"
+        type: string
+        required: false
+        default: "linux/amd64,linux/arm64"
+
+      dry-run-enabled:
+        description: "Perform Dry Run"
+        type: boolean
+        required: false
+        default: true
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  id-token: write
+  contents: read
+  packages: write
+
+jobs:
+  safety-checks:
+    name: Safety Checks
+    runs-on: swirldslabs-infrastructure-linux-medium
+    outputs:
+      version: ${{ steps.tag.outputs.version }}
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout Code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Install GH CLI
+        uses: sersoft-gmbh/setup-gh-cli-action@2d02c06e284b7d55e954d6d6406e7a886f45a818 # v2.0.1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Authorize GH CLI
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | gh auth login --with-token
+
+      - name: Tag Version Information
+        id: tag
+        run: |
+          RELEASE="$(semver get release "${{ github.event.inputs.version }}")"
+          PREREL="$(semver get prerel "${{ github.event.inputs.version }}")"
+          BUILD="$(semver get build "${{ github.event.inputs.version }}")"
+
+          VERSION="${RELEASE}"
+          [[ -n "${PREREL}" ]] && VERSION="${VERSION}-${PREREL}"
+          [[ -n "${BUILD}" ]] && VERSION="${VERSION}+${BUILD}"
+
+          echo "version=${VERSION}" >>"${GITHUB_OUTPUT}"
+
+      - name: Check for Existing Releases
+        run: |
+          if gh release view httpd-oidc-v${{ steps.tag.outputs.version }} --json id >/dev/null 2>&1; then
+            echo "::error title=Release Version::Release httpd-oidc-v${{ steps.tag.outputs.version }} already exists and may not be redeployed."
+            exit 1
+          fi
+
+  httpd-oidc-images:
+    name: HTTPD OpenIDC Images
+    uses: ./.github/workflows/zxc-build-httpd-oidc-images.yaml
+    needs:
+      - safety-checks
+    with:
+      custom-job-label: "Release"
+      tag-version: ${{ needs.safety-checks.outputs.version }}
+      platforms: ${{ github.event.inputs.platforms || 'linux/amd64,linux/arm64' }}
+      dry-run-enabled: ${{ github.event.inputs.dry-run-enabled == 'true' || github.ref_name != 'main' }}
+
+  finalize-release:
+    name: Finalize Release
+    runs-on: swirldslabs-infrastructure-linux-medium
+    needs:
+      - safety-checks
+    if: ${{ github.event.inputs.dry-run-enabled != 'true' && github.ref_name == 'main' }}
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout Code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          token: ${{ secrets.GH_ACCESS_TOKEN }}
+          fetch-depth: 0
+
+      - name: Import GPG key
+        id: gpg_key
+        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
+        with:
+          gpg_private_key: ${{ secrets.GPG_KEY_CONTENTS }}
+          passphrase: ${{ secrets.GPG_KEY_PASSPHRASE }}
+          git_config_global: true
+          git_user_signingkey: true
+          git_commit_gpgsign: true
+          git_tag_gpgsign: true
+
+      - name: Create Release
+        uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
+        with:
+          token: ${{ secrets.GH_ACCESS_TOKEN }}
+          tag: httpd-oidc-v${{ needs.safety-checks.outputs.version }}
+          generateReleaseNotes: 'true'
diff --git a/.github/workflows/zxc-build-httpd-oidc-images.yaml b/.github/workflows/zxc-build-httpd-oidc-images.yaml
new file mode 100644
index 0000000..74b58f9
--- /dev/null
+++ b/.github/workflows/zxc-build-httpd-oidc-images.yaml
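Review bot: In the `Tag Version Information` and `Check for Existing Releases` steps, `${{ github.event.inputs.version }}` and the derived `${{ steps.tag.outputs.version }}` are expanded straight into `run:` shell text; binding them through `env:` (`env: { INPUT_VERSION: ${{ github.event.inputs.version }} }`) and referencing `"${INPUT_VERSION}"` keeps the dispatch input as data rather than script, which is the pattern GitHub documents for `run:` steps. `finalize-release` only lists `needs: - safety-checks`, so the signed tag and GitHub release are created even when `httpd-oidc-images` fails or is still running; add `- httpd-oidc-images` to that `needs` list. The tag step also assumes a `semver` CLI is preinstalled on the `swirldslabs-infrastructure-linux-medium` runner — a comment stating that, or an explicit install step, would make the dependency visible. The `echo "${{ secrets.GITHUB_TOKEN }}" | gh auth login --with-token` pipe here and in `zxf-forked-pull-request-closer.yaml` can be replaced by `env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` on the steps that invoke `gh`, avoiding the token passing through a shell command line.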
@@ -0,0 +1,136 @@
+##
+# Copyright (C) 2024 Hedera Hashgraph, LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##
+
+name: "ZXC: Build Apache HTTPD OpenIDC Images"
+on:
+  workflow_call:
+    inputs:
+      ## The tag version to be used
+      tag-version:
+        description: "Tag Version:"
+        type: string
+        required: true
+
+      base-os-image:
+        description: "Operating System Image:"
+        type: string
+        required: false
+        default: "noble-20240801"
+
+      gcs-fuse-version:
+        description: "GCS Fuse Version:"
+        type: string
+        required: false
+        default: "2.4.0"
+
+      ## Linux Architectures for Multi-Arch Builds
+      platforms:
+        description: "Platforms:"
+        type: string
+        required: false
+        default: "linux/amd64,linux/arm64"
+
+      dry-run-enabled:
+        description: "Perform Dry Run"
+        type: boolean
+        required: false
+        default: false
+
+      custom-job-label:
+        description: "Custom Job Label:"
+        type: string
+        required: false
+        default: "Build"
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  id-token: write
+  contents: read
+  packages: write
+
+jobs:
+  build-httpd-oidc-images:
+    name: ${{ inputs.custom-job-label || 'Build' }}
+    runs-on: swirldslabs-infrastructure-linux-medium
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout Code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Setup QEmu Support
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
+
+      - name: Setup Docker Buildx Support
+        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
+        with:
+          version: v0.16.2
+          driver-opts: network=host
+
+      - name: Show Docker Version
+        run: docker version
+
+      - name: Show Docker Info
+        run: docker info
+
+      - name: Docker Login (Github)
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        if: ${{ inputs.dry-run-enabled != true }}
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Calculate Docker Registry
+        id: registry
+        run: |
+          DOCKER_REGISTRY_PREFIX="ghcr.io/${{ github.repository }}"
+          IMG_RESULT="push"
+
+          if [[ "${{ inputs.dry-run-enabled }}" == "true" ]]; then
+            DOCKER_REGISTRY_PREFIX="local"
+            IMG_RESULT="cache"
+          fi
+
+          echo "prefix=${DOCKER_REGISTRY_PREFIX}" >>"${GITHUB_OUTPUT}"
+          echo "operation=${IMG_RESULT}" >>"${GITHUB_OUTPUT}"
+
+      - name: Calculate Docker Tag
+        id: docker-tag
+        run: |
+          TAG_VERSION="${{ inputs.tag-version }}"
+          echo "version=${TAG_VERSION//+/-}" >>"${GITHUB_OUTPUT}"
+
+      - name: Build Image
+        uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
+        with:
+          context: ${{ github.workspace }}/apache-httpd-oidc
+          platforms: ${{ inputs.platforms }}
+          push: ${{ steps.registry.outputs.operation == 'push' }}
+          load: ${{ steps.registry.outputs.operation == 'load' }}
+          tags: |
+            ${{ steps.registry.outputs.prefix }}/apache-httpd-oidc:latest
+            ${{ steps.registry.outputs.prefix }}/apache-httpd-oidc:v${{ steps.docker-tag.outputs.version }}
+            ${{ steps.registry.outputs.prefix }}/apache-httpd-oidc:v${{ steps.docker-tag.outputs.version }}-${{ inputs.base-os-image }}
+          build-args: |
+            UBUNTU_TAG=${{ inputs.base-os-image }}
+            GCS_FUSE_VERSION=${{ inputs.gcs-fuse-version }}
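Review bot: `load: ${{ steps.registry.outputs.operation == 'load' }}` in the `Build Image` step can never be true, because `Calculate Docker Registry` only ever emits `operation=push` or `operation=cache`, so in a dry run the image is neither pushed nor loaded and the `load:` line is dead. If a loaded image is wanted, write `IMG_RESULT="load"` in the dry-run branch and keep the comparison — noting that buildx cannot `load` a multi-platform result, so the default `linux/amd64,linux/arm64` dry run would then need a single platform; if build-only is the intent, drop the `load:` line and say so in a comment above `push:`. For the pushed release images, enabling `provenance:` and `sbom:` on `docker/build-push-action` would give consumers attestations to verify the build origin.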
diff --git a/.github/workflows/zxf-forked-pull-request-closer.yaml b/.github/workflows/zxf-forked-pull-request-closer.yaml
new file mode 100644
index 0000000..b81eb99
--- /dev/null
+++ b/.github/workflows/zxf-forked-pull-request-closer.yaml
@@ -0,0 +1,60 @@
+##
+# Copyright (C) 2024 Hedera Hashgraph, LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##
+
+name: "ZXF: Forked PR Closer"
+on:
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - edited
+      - synchronize
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  pull-requests: write
+  contents: read
+
+jobs:
+  close-pull-request:
+    name: Close Forked Pull Request
+    runs-on: ubuntu-22.04
+    if: ${{ github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' }}
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout Code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Install GH CLI
+        uses: sersoft-gmbh/setup-gh-cli-action@2d02c06e284b7d55e954d6d6406e7a886f45a818 # v2.0.1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Authorize GH CLI
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | gh auth login --with-token
+
+      - name: Close Pull Request
+        run: |
+          gh pr close ${{ github.event.pull_request.number }} \
+            --delete-branch \
+            --comment "This pull request was opened from a forked repository and has been closed in accordance with the repository security policies."
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..3720c96
--- /dev/null
+++ b/.gitignore
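Review bot: `--delete-branch` on the `gh pr close` call appears to be a no-op here: the job's `if:` admits only pull requests whose head repository is a fork, `gh` skips remote-branch deletion for cross-repository pull requests, and the `GITHUB_TOKEN` has no write access to the fork in any case. Dropping the flag states the step's real effect and avoids a misleading log line. The `head.repo.fork` guard also evaluates false when the fork has since been deleted (`head.repo` is null), so such a PR stays open — likely acceptable, but worth a one-line comment above the `if:` so the gap is a recorded decision rather than a surprise.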
@@ -0,0 +1,808 @@ +######################################################################################################################## +# Autogenerated Definitions +######################################################################################################################## + +### NotepadPP template +# Notepad++ backups # +*.bak + +### MonoDevelop template +#User Specific +*.userprefs +*.usertasks + +#Mono Project Files +*.pidb +*.resources +test-results/ + +### Xcode template +## User settings +xcuserdata/ + +## Xcode 8 and earlier +*.xcscmblueprint +*.xccheckout + +### Diff template +*.patch +*.diff + +### Eclipse template +.metadata +bin/ +tmp/ +*.tmp +*.bak +*.swp +*~.nib +local.properties +.settings/ +.loadpath +.recommenders + +# External tool builders +.externalToolBuilders/ + +# Locally stored "Eclipse launch configurations" +*.launch + +# PyDev specific (Python IDE for Eclipse) +*.pydevproject + +# CDT-specific (C/C++ Development Tooling) +.cproject + +# CDT- autotools +.autotools + +# Java annotation processor (APT) +.factorypath + +# PDT-specific (PHP Development Tools) +.buildpath + +# sbteclipse plugin +.target + +# Tern plugin +.tern-project + +# TeXlipse plugin +.texlipse + +# STS (Spring Tool Suite) +.springBeans + +# Code Recommenders +.recommenders/ + +# Annotation Processing +.apt_generated/ +.apt_generated_test/ + +# Scala IDE specific (Scala & Java development for Eclipse) +.cache-main +.scala_dependencies +.worksheet + +# Uncomment this line if you wish to ignore the project description file. 
+# Typically, this file would be tracked if it contains build/dependency configurations: +#.project + +### Backup template +*.bak +*.gho +*.ori +*.orig +*.tmp + +### Windows template +# Windows thumbnail cache files +Thumbs.db +Thumbs.db:encryptable +ehthumbs.db +ehthumbs_vista.db + +# Dump file +*.stackdump + +# Folder config file +[Dd]esktop.ini + +# Recycle Bin used on file shares +$RECYCLE.BIN/ + +# Windows Installer files +*.cab +*.msi +*.msix +*.msm +*.msp + +# Windows shortcuts +*.lnk + +### KDevelop4 template +*.kdev4 +.kdev4/ + +### Vagrant template +# General +.vagrant/ + +# Log files (if you are creating logs in debug mode, uncomment this) +# *.log + +### OpenSSL template +# OpenSSL-related files best not committed + +## Certificate Authority +*.ca + +## Certificate +*.crt + +## Certificate Sign Request +*.csr + +## Certificate +*.der + +## Key database file +*.kdb + +## OSCP request data +*.org + +## PKCS #12 +*.p12 + +## PEM-encoded certificate data +*.pem + +## Random number seed +*.rnd + +## SSLeay data +*.ssleay + +## S/MIME message +*.smime + +### NetBeans template +**/nbproject/private/ +**/nbproject/Makefile-*.mk +**/nbproject/Package-*.bash +build/ +nbbuild/ +dist/ +nbdist/ +.nb-gradle/ + +### MicrosoftOffice template +*.tmp + +# Word temporary +~$*.doc* + +# Word Auto Backup File +Backup of *.doc* + +# Excel temporary +~$*.xls* + +# Excel Backup File +*.xlk + +# PowerPoint temporary +~$*.ppt* + +# Visio autosave temporary files +*.~vsd* + +### JetBrains template +# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider +# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839 + +# User-specific stuff +.idea/**/workspace.xml +.idea/**/tasks.xml +.idea/**/usage.statistics.xml +.idea/**/dictionaries +.idea/**/shelf + +# AWS User-specific +.idea/**/aws.xml + +# Generated files +.idea/**/contentModel.xml + +# Sensitive or high-churn files +.idea/**/dataSources/ 
+.idea/**/dataSources.ids +.idea/**/dataSources.local.xml +.idea/**/sqlDataSources.xml +.idea/**/dynamic.xml +.idea/**/uiDesigner.xml +.idea/**/dbnavigator.xml + +# Gradle +.idea/**/gradle.xml +.idea/**/libraries + +# Gradle and Maven with auto-import +# When using Gradle or Maven with auto-import, you should exclude module files, +# since they will be recreated, and may cause churn. Uncomment if using +# auto-import. +# .idea/artifacts +# .idea/compiler.xml +# .idea/jarRepositories.xml +# .idea/modules.xml +# .idea/*.iml +# .idea/modules +# *.iml +# *.ipr + +.idea/ + +# CMake +cmake-build-*/ + +# Mongo Explorer plugin +.idea/**/mongoSettings.xml + +# File-based project format +*.iws + +# IntelliJ +out/ + +# mpeltonen/sbt-idea plugin +.idea_modules/ + +# JIRA plugin +atlassian-ide-plugin.xml + +# Cursive Clojure plugin +.idea/replstate.xml + +# SonarLint plugin +.idea/sonarlint/ + +# Crashlytics plugin (for Android Studio and IntelliJ) +com_crashlytics_export_strings.xml +crashlytics.properties +crashlytics-build.properties +fabric.properties + +# Editor-based Rest Client +.idea/httpRequests + +# Android studio 3.1+ serialized cache file +.idea/caches/build_file_checksums.ser + +### Linux template +*~ + +# temporary files which can be created if a process still has a handle open of a deleted file +.fuse_hidden* + +# KDE directory preferences +.directory + +# Linux trash folder which might appear on any partition or disk +.Trash-* + +# .nfs files are created when an open file is removed but is still being accessed +.nfs* + +### VisualStudio template +## Ignore Visual Studio temporary files, build results, and +## files generated by popular Visual Studio add-ons. 
+## +## Get latest from https://github.com/github/gitignore/blob/main/VisualStudio.gitignore + +# User-specific files +*.rsuser +*.suo +*.user +*.userosscache +*.sln.docstates + +# User-specific files (MonoDevelop/Xamarin Studio) +*.userprefs + +# Mono auto generated files +mono_crash.* + +# Build results +[Dd]ebug/ +[Dd]ebugPublic/ +[Rr]elease/ +[Rr]eleases/ +x64/ +x86/ +[Ww][Ii][Nn]32/ +[Aa][Rr][Mm]/ +[Aa][Rr][Mm]64/ +bld/ +[Bb]in/ +[Oo]bj/ +[Ll]og/ +[Ll]ogs/ + +# Visual Studio 2015/2017 cache/options directory +.vs/ +# Uncomment if you have tasks that create the project's static files in wwwroot +#wwwroot/ + +# Visual Studio 2017 auto generated files +Generated\ Files/ + +# MSTest test Results +[Tt]est[Rr]esult*/ +[Bb]uild[Ll]og.* + +# NUnit +*.VisualState.xml +TestResult.xml +nunit-*.xml + +# Build Results of an ATL Project +[Dd]ebugPS/ +[Rr]eleasePS/ +dlldata.c + +# Benchmark Results +BenchmarkDotNet.Artifacts/ + +# .NET Core +project.lock.json +project.fragment.lock.json +artifacts/ + +# ASP.NET Scaffolding +ScaffoldingReadMe.txt + +# StyleCop +StyleCopReport.xml + +# Files built by Visual Studio +*_i.c +*_p.c +*_h.h +*.ilk +*.meta +*.obj +*.iobj +*.pch +*.pdb +*.ipdb +*.pgc +*.pgd +*.rsp +*.sbr +*.tlb +*.tli +*.tlh +*.tmp +*.tmp_proj +*_wpftmp.csproj +*.log +*.tlog +*.vspscc +*.vssscc +.builds +*.pidb +*.svclog +*.scc + +# Chutzpah Test files +_Chutzpah* + +# Visual C++ cache files +ipch/ +*.aps +*.ncb +*.opendb +*.opensdf +*.sdf +*.cachefile +*.VC.db +*.VC.VC.opendb + +# Visual Studio profiler +*.psess +*.vsp +*.vspx +*.sap + +# Visual Studio Trace Files +*.e2e + +# TFS 2012 Local Workspace +$tf/ + +# Guidance Automation Toolkit +*.gpState + +# ReSharper is a .NET coding add-in +_ReSharper*/ +*.[Rr]e[Ss]harper +*.DotSettings.user + +# TeamCity is a build add-in +_TeamCity* + +# DotCover is a Code Coverage Tool +*.dotCover + +# AxoCover is a Code Coverage Tool +.axoCover/* +!.axoCover/settings.json + +# Coverlet is a free, cross platform Code Coverage Tool 
+coverage*.json +coverage*.xml +coverage*.info + +# Visual Studio code coverage results +*.coverage +*.coveragexml + +# NCrunch +_NCrunch_* +.*crunch*.local.xml +nCrunchTemp_* + +# MightyMoose +*.mm.* +AutoTest.Net/ + +# Web workbench (sass) +.sass-cache/ + +# Installshield output folder +[Ee]xpress/ + +# DocProject is a documentation generator add-in +DocProject/buildhelp/ +DocProject/Help/*.HxT +DocProject/Help/*.HxC +DocProject/Help/*.hhc +DocProject/Help/*.hhk +DocProject/Help/*.hhp +DocProject/Help/Html2 +DocProject/Help/html + +# Click-Once directory +publish/ + +# Publish Web Output +*.[Pp]ublish.xml +*.azurePubxml +# Note: Comment the next line if you want to checkin your web deploy settings, +# but database connection strings (with potential passwords) will be unencrypted +*.pubxml +*.publishproj + +# Microsoft Azure Web App publish settings. Comment the next line if you want to +# checkin your Azure Web App publish settings, but sensitive information contained +# in these scripts will be unencrypted +PublishScripts/ + +# NuGet Packages +*.nupkg +# NuGet Symbol Packages +*.snupkg +# The packages folder can be ignored because of Package Restore +**/[Pp]ackages/* +# except build/, which is used as an MSBuild target. 
+!**/[Pp]ackages/build/ +# Uncomment if necessary however generally it will be regenerated when needed +#!**/[Pp]ackages/repositories.config +# NuGet v3's project.json files produces more ignorable files +*.nuget.props +*.nuget.targets + +# Microsoft Azure Build Output +csx/ +*.build.csdef + +# Microsoft Azure Emulator +ecf/ +rcf/ + +# Windows Store app package directories and files +AppPackages/ +BundleArtifacts/ +Package.StoreAssociation.xml +_pkginfo.txt +*.appx +*.appxbundle +*.appxupload + +# Visual Studio cache files +# files ending in .cache can be ignored +*.[Cc]ache +# but keep track of directories ending in .cache +!?*.[Cc]ache/ + +# Others +ClientBin/ +~$* +*~ +*.dbmdl +*.dbproj.schemaview +*.jfm +*.pfx +*.publishsettings +orleans.codegen.cs + +# Including strong name files can present a security risk +# (https://github.com/github/gitignore/pull/2483#issue-259490424) +#*.snk + +# Since there are multiple workflows, uncomment next line to ignore bower_components +# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) +#bower_components/ + +# RIA/Silverlight projects +Generated_Code/ + +# Backup & report files from converting an old project file +# to a newer Visual Studio version. Backup files are not needed, +# because we have git ;-) +_UpgradeReport_Files/ +Backup*/ +UpgradeLog*.XML +UpgradeLog*.htm +ServiceFabricBackup/ +*.rptproj.bak + +# SQL Server files +*.mdf +*.ldf +*.ndf + +# Business Intelligence projects +*.rdl.data +*.bim.layout +*.bim_*.settings +*.rptproj.rsuser +*- [Bb]ackup.rdl +*- [Bb]ackup ([0-9]).rdl +*- [Bb]ackup ([0-9][0-9]).rdl + +# Microsoft Fakes +FakesAssemblies/ + +# GhostDoc plugin setting file +*.GhostDoc.xml + +# Node.js Tools for Visual Studio +.ntvs_analysis.dat +node_modules/ + +# Visual Studio 6 build log +*.plg + +# Visual Studio 6 workspace options file +*.opt + +# Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 
+*.vbw + +# Visual Studio 6 auto-generated project file (contains which files were open etc.) +*.vbp + +# Visual Studio 6 workspace and project file (working project files containing files to include in project) +*.dsw +*.dsp + +# Visual Studio 6 technical files +*.ncb +*.aps + +# Visual Studio LightSwitch build output +**/*.HTMLClient/GeneratedArtifacts +**/*.DesktopClient/GeneratedArtifacts +**/*.DesktopClient/ModelManifest.xml +**/*.Server/GeneratedArtifacts +**/*.Server/ModelManifest.xml +_Pvt_Extensions + +# Paket dependency manager +.paket/paket.exe +paket-files/ + +# FAKE - F# Make +.fake/ + +# CodeRush personal settings +.cr/personal + +# Python Tools for Visual Studio (PTVS) +__pycache__/ +*.pyc + +# Cake - Uncomment if you are using it +# tools/** +# !tools/packages.config + +# Tabs Studio +*.tss + +# Telerik's JustMock configuration file +*.jmconfig + +# BizTalk build output +*.btp.cs +*.btm.cs +*.odx.cs +*.xsd.cs + +# OpenCover UI analysis results +OpenCover/ + +# Azure Stream Analytics local run output +ASALocalRun/ + +# MSBuild Binary and Structured Log +*.binlog + +# NVidia Nsight GPU debugger configuration file +*.nvuser + +# MFractors (Xamarin productivity tool) working folder +.mfractor/ + +# Local History for Visual Studio +.localhistory/ + +# Visual Studio History (VSHistory) files +.vshistory/ + +# BeatPulse healthcheck temp database +healthchecksdb + +# Backup folder for Package Reference Convert tool in Visual Studio 2017 +MigrationBackup/ + +# Ionide (cross platform F# VS Code tools) working folder +.ionide/ + +# Fody - auto-generated XML schema +FodyWeavers.xsd + +# VS Code files for those working on multiple tools +.vscode/* +!.vscode/settings.json +!.vscode/tasks.json +!.vscode/launch.json +!.vscode/extensions.json +*.code-workspace + +# Local History for Visual Studio Code +.history/ + +# Windows Installer files from build outputs +*.cab +*.msi +*.msix +*.msm +*.msp + +# JetBrains Rider +*.sln.iml + +### LibreOffice template +# 
LibreOffice locks +.~lock.*# + +### Vim template +# Swap +[._]*.s[a-v][a-z] +!*.svg # comment out if you don't need vector files +[._]*.sw[a-p] +[._]s[a-rt-v][a-z] +[._]ss[a-gi-z] +[._]sw[a-p] + +# Session +Session.vim +Sessionx.vim + +# Temporary +.netrwhist +*~ +# Auto-generated tag files +tags +# Persistent undo +[._]*.un~ + +### Dropbox template +# Dropbox settings and caches +.dropbox +.dropbox.attr +.dropbox.cache + +### Archives template +# It's better to unpack these files and commit the raw source because +# git has its own built in compression methods. +*.7z +*.jar +*.rar +*.zip +*.gz +*.gzip +*.tgz +*.bzip +*.bzip2 +*.bz2 +*.xz +*.lzma +*.cab +*.xar + +# Packing-only formats +*.iso +*.tar + +# Package management formats +*.dmg +*.xpi +*.gem +*.egg +*.deb +*.rpm +*.msi +*.msm +*.msp +*.txz + +### Patch template +*.orig +*.rej + +### macOS template +# General +.DS_Store +.AppleDouble +.LSOverride + +# Icon must end with two \r +Icon + +# Thumbnails +._* + +# Files that might appear in the root of a volume +.DocumentRevisions-V100 +.fseventsd +.Spotlight-V100 +.TemporaryItems +.Trashes +.VolumeIcon.icns +.com.apple.timemachine.donotpresent + +# Directories potentially created on remote AFP share +.AppleDB +.AppleDesktop +Network Trash Folder +Temporary Items +.apdisk + +### GPG template +secring.* + +######################################################################################################################## +# User Specified Definitions +######################################################################################################################## + +# Environment Files +.env + +# JSON Files (which might be JWT credentials) +*.json diff --git a/README.md b/README.md index 9142438..9e9da5f 100644 --- a/README.md +++ b/README.md 
@@ -1,2 +1,24 @@ -# container-images +# Hashgraph Containers Public reusable container images released by the Hashgraph team. + +## :warning: Restrictions on Contributions + +Contributions from forked repositories are not accepted. All pull requests initiated from a forked repository will be +automatically closed. + +## Support + +If you have a question on how to use the product, please see our [support guide](https://github.com/swirldslabs/.github/blob/main/SUPPORT.md). + +## Contributing + +Contributions are restricted to trusted maintainers. + +## Code of Conduct + +This project is governed by the [Contributor Covenant Code of Conduct](https://github.com/swirldslabs/.github/blob/main/CODE_OF_CONDUCT.md). By participating, you are +expected to uphold this code of conduct. + +## License + +[Apache License 2.0](LICENSE) diff --git a/apache-httpd-oidc/Dockerfile b/apache-httpd-oidc/Dockerfile new file mode 100644 index 0000000..6821046 --- /dev/null +++ b/apache-httpd-oidc/Dockerfile 
@@ -0,0 +1,179 @@
+########################################################################################################################
+#
+# Define Global Build Arguments
+#
+########################################################################################################################
+ARG UBUNTU_TAG="noble-20240801"
+ARG S6_OVERLAY_VERSION="3.2.0.0"
+ARG APACHE_HTTPD_VERSION="2.4.58-1ubuntu8.4"
+ARG APACHE_HTTPD_MOD_OIDC_VERSION="2.4.15.1-1build3"
+ARG GCS_FUSE_VERSION="2.4.0"
+ARG SOURCE_DATE_EPOCH="0"
+
+########################################################################################################################
+#
+# Setup S6 Overlay Base Layer
+#
+########################################################################################################################
+FROM ubuntu:${UBUNTU_TAG} AS operating-system-base-interim
+# Define Build Arguments
+ARG SOURCE_DATE_EPOCH
+ARG S6_OVERLAY_VERSION
+ARG APACHE_HTTPD_VERSION
+ARG APACHE_HTTPD_MOD_OIDC_VERSION
+ARG GCS_FUSE_VERSION
+
+# Define Standard Environment Variables
+ENV LANG=C.UTF-8
+ENV LC_ALL=C.UTF-8
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Install basic OS utilities & Apache2
+RUN --mount=type=bind,source=./repro-sources-list.sh,target=/usr/local/bin/repro-sources-list.sh \
+ repro-sources-list.sh && \
+ apt-get update && \
+ apt-get install --yes --no-install-recommends tar gzip zlib1g xz-utils curl ca-certificates tzdata \
+ apache2=${APACHE_HTTPD_VERSION} apache2-bin=${APACHE_HTTPD_VERSION} \
+ apache2-data=${APACHE_HTTPD_VERSION} apache2-utils=${APACHE_HTTPD_VERSION} \
+ libapache2-mod-auth-openidc=${APACHE_HTTPD_MOD_OIDC_VERSION}
+
+# Install the GCS FUSE driver software
+RUN ARCH="$(dpkg --print-architecture)" && \
+ curl -sSLO https://github.com/GoogleCloudPlatform/gcsfuse/releases/download/v${GCS_FUSE_VERSION}/gcsfuse_${GCS_FUSE_VERSION}_${ARCH}.deb && \
+ apt-get install --yes --no-install-recommends ./gcsfuse_${GCS_FUSE_VERSION}_${ARCH}.deb && \
+ rm -f gcsfuse_${GCS_FUSE_VERSION}_${ARCH}.deb
+
+
+###########################
+#### S6 Install ####
+###########################
+RUN set -eux; \
+ NOARCH_PKG_ESUM="4b0c0907e6762814c31850e0e6c6762c385571d4656eb8725852b0b1586713b6" \
+ NOARCH_BINARY_URL="https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz" \
+ ARCH="$(dpkg --print-architecture)"; \
+ case "${ARCH}" in \
+ aarch64|arm64) \
+ ARCH_PKG_ESUM='868973e98210257bba725ff5b17aa092008c9a8e5174499e38ba611a8fc7e473'; \
+ ARCH_BINARY_URL="https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-aarch64.tar.xz"; \
+ ;; \
+ amd64|i386:x86-64) \
+ ARCH_PKG_ESUM='ad982a801bd72757c7b1b53539a146cf715e640b4d8f0a6a671a3d1b560fe1e2'; \
+ ARCH_BINARY_URL="https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-x86_64.tar.xz"; \
+ ;; \
+ ppc64el|powerpc:common64) \
+ ARCH_PKG_ESUM='a5548e188e788c0bbf480c525cc08d1a6ce369a8e3aa113d7ac038f3da0c73d0'; \
+ ARCH_BINARY_URL="https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-powerpc64le.tar.xz"; \
+ ;; \
+ *) \
+ echo "Unsupported arch: ${ARCH}"; \
+ exit 1; \
+ ;; \
+ esac; \
+ curl -sSLo /tmp/s6-overlay-noarch.tar.xz ${NOARCH_BINARY_URL}; \
+ curl -sSLo /tmp/s6-overlay-arch.tar.xz ${ARCH_BINARY_URL}; \
+ echo "${NOARCH_PKG_ESUM} */tmp/s6-overlay-noarch.tar.xz" | sha256sum -c -; \
+ echo "${ARCH_PKG_ESUM} */tmp/s6-overlay-arch.tar.xz" | sha256sum -c -; \
+ tar -C / -Jxpf /tmp/s6-overlay-noarch.tar.xz; \
+ tar -C / -Jxpf /tmp/s6-overlay-arch.tar.xz; \
+ rm -f /tmp/s6-overlay-noarch.tar.xz; \
+ rm -f /tmp/s6-overlay-arch.tar.xz
+
+# Add the s6 init configuration files
+RUN mkdir -p /etc/s6-overlay/s6-rc.d/
+COPY s6-rc.d/ /etc/s6-overlay/s6-rc.d/
+
+# Remove Unneeded Utilities
+RUN --mount=type=bind,source=./repro-sources-list.sh,target=/usr/local/bin/repro-sources-list.sh \
+ repro-sources-list.sh && \
+ apt-get remove --yes xz-utils curl && \
+ apt-get autoremove --yes && \
+ apt-get autoclean --yes && \
+ apt-get clean all --yes && \
+ rm -rf /var/log/ && \
+ rm -rf /var/cache/
+
+
+########################################
+#### Deterministic Build Hack ####
+########################################
+
+# === Workarounds below will not be needed when https://github.com/moby/buildkit/pull/4057 is merged ===
+# NOTE: PR #4057 has been merged but will not be available until the v0.13.x series of releases.
+# Limit the timestamp upper bound to SOURCE_DATE_EPOCH.
+# Workaround for https://github.com/moby/buildkit/issues/3180
+RUN find $( ls / | grep -E -v "^(dev|mnt|proc|sys)$" ) \
+ -newermt "@${SOURCE_DATE_EPOCH}" -writable -xdev \
+ | xargs touch --date="@${SOURCE_DATE_EPOCH}" --no-dereference
+
+FROM scratch AS operating-system-base
+COPY --from=operating-system-base-interim / /
+
+########################################################################################################################
+#
+# Setup Production Container Interim Image
+#
+########################################################################################################################
+FROM operating-system-base AS production-image-interim
+# Define Build Arguments
+ARG SOURCE_DATE_EPOCH
+
+# Define Standard Environment Variables
+ENV LANG=C.UTF-8
+ENV LC_ALL=C.UTF-8
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Add the entrypoint script
+ADD entrypoint.sh /usr/local/bin/
+ADD entrypoint-helper.sh /usr/local/bin/
+ADD logger.sh /usr/local/bin/
+
+# Add the HTTPD configuration
+COPY sites-available/ /etc/apache2/sites-available/
+COPY conf-available/ /etc/apache2/conf-available/
+
+# Configure the container
+RUN --mount=type=bind,source=./configure-container.sh,target=/usr/local/bin/configure-container.sh configure-container.sh
+
+########################################
+#### Deterministic Build Hack ####
+########################################
+
+# === Workarounds below will not be needed when https://github.com/moby/buildkit/pull/4057 is merged ===
+# NOTE: PR #4057 has been merged but will not be available until the v0.13.x series of releases.
+# Limit the timestamp upper bound to SOURCE_DATE_EPOCH.
+# Workaround for https://github.com/moby/buildkit/issues/3180
+RUN find $( ls / | grep -E -v "^(dev|mnt|proc|sys)$" ) \
+ -newermt "@${SOURCE_DATE_EPOCH}" -writable -xdev \
+ | xargs touch --date="@${SOURCE_DATE_EPOCH}" --no-dereference
+
+########################################################################################################################
+#
+# Setup Production Container Final Image
+#
+########################################################################################################################
+FROM scratch AS production-image
+COPY --from=production-image-interim / /
+
+# Define Standard Environment Variables
+ENV LANG=C.UTF-8
+ENV LC_ALL=C.UTF-8
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Define Apache Environment Variables
+ENV APACHE_CONFDIR=/etc/apache2
+ENV HTTPD_DETECT_GLOBAL_SERVER_NAME=1
+ENV HTTPD_RENDER_SITE_CONFIG=1
+ENV HTTPD_SITE_ROOT_PATH=/var/www/html
+ENV HTTPD_SITE_SSL_ENABLED=0
+
+# Define OpenID Connect Environment Variables
+ENV OIDC_AUTH_ENABLED=0
+ENV OIDC_REDIRECT_URI=/.oidc-redirect
+
+# Define GCS FUSE Environment Variables
+ENV GCS_FUSE_ENABLED=0
+
+EXPOSE 8080/tcp 8443/tcp
+
+WORKDIR "/etc/apache2"
+ENTRYPOINT ["/init", "/usr/local/bin/entrypoint.sh"]
diff --git a/apache-httpd-oidc/conf-available/global-server-name.conf b/apache-httpd-oidc/conf-available/global-server-name.conf
new file mode 100644
index 0000000..5295edc
--- /dev/null
+++ b/apache-httpd-oidc/conf-available/global-server-name.conf
@@ -0,0 +1,2 @@
+# Set the global server name
+ServerName ${HTTPD_GLOBAL_SERVER_NAME}
diff --git a/apache-httpd-oidc/conf-available/oidc-provider.conf b/apache-httpd-oidc/conf-available/oidc-provider.conf
new file mode 100644
index 0000000..7db96b4
--- /dev/null
+++ b/apache-httpd-oidc/conf-available/oidc-provider.conf
@@ -0,0 +1,8 @@
+
+ OIDCProviderMetadataURL ${OIDC_PROVIDER_METADATA_URL}
+ OIDCClientID ${OIDC_CLIENT_ID}
+ OIDCClientSecret ${OIDC_CLIENT_SECRET}
+
+ OIDCRedirectURI ${OIDC_REDIRECT_URI}
+ OIDCCryptoPassphrase ${OIDC_CRYPTO_PASSPHRASE}
+
diff --git a/apache-httpd-oidc/configure-container.sh b/apache-httpd-oidc/configure-container.sh
new file mode 100755
index 0000000..19ba190
--- /dev/null
+++ b/apache-httpd-oidc/configure-container.sh
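Review bot: The gcsfuse .deb fetched with curl in the second RUN step is installed with no integrity check, while the s6-overlay tarballs a few lines below are pinned with sha256sum, so a substituted or tampered release asset would be installed silently. A pinned digest belongs between the download and the install, e.g. `echo "<GCSFUSE_DEB_SHA256_PLACEHOLDER> *gcsfuse_${GCS_FUSE_VERSION}_${ARCH}.deb" | sha256sum -c -`, with the per-architecture digest chosen by the same case statement the s6 block already uses. The three `ADD entrypoint.sh …` lines only copy local files; `COPY` is the conventional form there and avoids ADD's remote-URL and archive-extraction behaviour.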
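Review bot: Every directive here is filled by httpd's `${VAR}` expansion, and an unset variable is not a startup error — httpd logs a warning (AH00111) and keeps the literal `${OIDC_CLIENT_SECRET}` text as the value — so a deployment that forgot one of these variables starts cleanly and only fails at the first login. configure_oidc_protection in entrypoint-helper.sh enables this file without checking them; a guard there, `for v in OIDC_PROVIDER_METADATA_URL OIDC_CLIENT_ID OIDC_CLIENT_SECRET OIDC_CRYPTO_PASSPHRASE; do [[ -n "${!v}" ]] || { log.error "configure_oidc_protection(): ${v} must be set"; return 1; }; done`, fails fast instead. A header comment in this file stating that all five variables are required whenever OIDC_AUTH_ENABLED is set would make that contract visible; the enclosing conditional tags do not survive in this rendering, so I cannot confirm what wraps the block.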
@@ -0,0 +1,87 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+#############################
+### General Configuration ###
+#############################
+
+# Make entrypoint.sh executable
+chmod +x /usr/local/bin/entrypoint.sh
+chmod +x /usr/local/bin/entrypoint-helper.sh
+chmod +x /usr/local/bin/logger.sh
+
+#############################
+### Apache2 Configuration ###
+#############################
+
+# Ensure directories exist
+mkdir -p /var/www/html
+mkdir -p /var/log/apache2
+mkdir -p /var/run/apache2
+
+### Clean HTML Root Directory ###
+rm -rf /var/www/html/*
+#touch /var/www/html/test-indices.txt
+
+### Setup Folder Ownership & Permissions ###
+# Log Directory
+chown -R www-data:www-data /var/log/apache2/
+chmod -R 755 /var/log/apache2/
+# Run Directories
+chown -R www-data:www-data /var/run/apache2/
+# Configuration Directories
+chown -R www-data:www-data /etc/apache2/conf-enabled
+chown -R www-data:www-data /etc/apache2/mods-enabled
+chown -R www-data:www-data /etc/apache2/sites-enabled
+# Lib Directories
+chown -R www-data:www-data /var/lib/apache2/conf
+chown -R www-data:www-data /var/lib/apache2/module
+chown -R www-data:www-data /var/lib/apache2/site
+# Default Site Root
+chown -R www-data:www-data /var/www/html
+
+# Configure modules
+a2enmod ssl >/dev/null
+a2enmod rewrite >/dev/null
+a2enmod headers >/dev/null
+a2dismod auth_openidc >/dev/null
+
+# Configure sites
+a2dissite 000-default >/dev/null
+rm -f /etc/apache2/sites-available/000-default.conf
+
+# Disable cgi-bin support
+a2disconf serve-cgi-bin >/dev/null
+a2disconf auth_openidc >/dev/null
+
+# Rewrite ports.conf to use 8080 & 8443
+/dev/null
+cp -f /etc/apache2/ports.conf.tmp /etc/apache2/ports.conf
+rm -f /etc/apache2/ports.conf.tmp
+
+# Rewrite security.conf to harden the server
+/dev/null
+cp -f /etc/apache2/conf-available/security.conf.tmp /etc/apache2/conf-available/security.conf
+rm -f /etc/apache2/conf-available/security.conf.tmp
+
+/dev/null
+cp -f /etc/apache2/apache2.conf.tmp /etc/apache2/apache2.conf
+rm -f /etc/apache2/apache2.conf.tmp
+
+/dev/null
+cp -f /etc/apache2/mods-available/ssl.conf.tmp /etc/apache2/mods-available/ssl.conf
+rm -f /etc/apache2/mods-available/ssl.conf.tmp
diff --git a/apache-httpd-oidc/entrypoint-helper.sh b/apache-httpd-oidc/entrypoint-helper.sh
new file mode 100755
index 0000000..2cb761f
--- /dev/null
+++ b/apache-httpd-oidc/entrypoint-helper.sh
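Review bot: The `chown -R www-data:www-data` lines over /etc/apache2/conf-enabled, mods-enabled and sites-enabled (and the three /var/lib/apache2 directories) give the unprivileged worker identity ownership of the server's configuration, yet nothing in the image runs a2en*/a2dis* as www-data — entrypoint.sh calls the configure_* helpers as root and only drops to www-data for the final exec. The chowns therefore buy nothing and mean a compromised httpd worker can change which modules and sites are enabled for the next start; they should go, leaving ownership changes to what httpd writes at runtime (/var/run/apache2 and, if used, /var/log/apache2). `chmod -R 755 /var/log/apache2/` also sets the execute bit on any log file that ever lands there; `chmod 755 /var/log/apache2/` on the directory alone is enough. The four rewrite steps that produce the .tmp files (ports.conf, security.conf, apache2.conf, ssl.conf) are truncated to `/dev/null` in this rendering, so their content could not be reviewed here.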
@@ -0,0 +1,249 @@
+#!/usr/bin/env bash
+
+### Import the Logger Library ###
+source /usr/local/bin/logger.sh
+
+########################################
+#### Constants ####
+########################################
+
+readonly HTTPD_CONF_DIRECTORY="/etc/apache2"
+readonly GCS_FUSE_RUN_DIRECTORY="/var/run/gcsfuse-credentials"
+
+########################################
+#### Global Configuration ####
+########################################
+# Server Names
+export HTTPD_GLOBAL_SERVER_NAME HTTPD_DETECT_GLOBAL_SERVER_NAME
+
+# Options Configuration
+export HTTPD_RENDER_SITE_CONFIG
+
+# Site Configuration
+export HTTPD_SITE_ROOT_PATH HTTPD_SITE_SERVER_NAME HTTPD_SITE_ADMIN_EMAIL
+
+# SSL Support
+export HTTPD_SITE_SSL_ENABLED HTTPD_SITE_SSL_REDIRECT_ENABLED
+export HTTPD_SITE_SSL_CERT_FILE HTTPD_SITE_SSL_KEY_FILE HTTPD_SITE_CA_FILE
+
+# OIDC Support
+export OIDC_AUTH_ENABLED OIDC_PROVIDER_METADATA_URL OIDC_CLIENT_ID OIDC_REDIRECT_URI
+export OIDC_CLIENT_SECRET OIDC_CRYPTO_PASSPHRASE
+
+# GCSFuse Support
+export GCS_FUSE_ENABLED GCS_FUSE_CONFIG_FILE GCS_FUSE_BUCKET_NAME GCS_FUSE_MOUNT_POINT
+export GCS_FUSE_INODE_UID GCS_FUSE_INODE_GID GCS_FUSE_EXTRA_OPTS
+export GCS_FUSE_JWT_CREDENTIALS GOOGLE_APPLICATION_CREDENTIALS
+
+########################################
+#### Helper Methods ####
+########################################
+
+function execute_gcs_fuse_driver {
+ export GCS_FUSE_ENABLED GCS_FUSE_CONFIG_FILE GCS_FUSE_BUCKET_NAME GCS_FUSE_MOUNT_POINT
+ export GCS_FUSE_INODE_UID GCS_FUSE_INODE_GID GCS_FUSE_EXTRA_OPTS
+ export GCS_FUSE_JWT_CREDENTIALS GOOGLE_APPLICATION_CREDENTIALS
+
+ [[ -z "${GCS_FUSE_MOUNT_POINT}" ]] && GCS_FUSE_MOUNT_POINT="/var/www/html"
+ [[ -z "${GCS_FUSE_INODE_UID}" ]] && GCS_FUSE_INODE_UID=33
+ [[ -z "${GCS_FUSE_INODE_GID}" ]] && GCS_FUSE_INODE_GID=33
+
+ [[ -f "${GCS_FUSE_MOUNT_POINT}" ]] || mkdir -p "${GCS_FUSE_MOUNT_POINT}" >/dev/null 2>&1
+
+ local args=("--foreground" "--uid" "${GCS_FUSE_INODE_UID}" "--gid" "${GCS_FUSE_INODE_GID}" "-o" "ro,allow_other" "--implicit-dirs")
+ [[ -n "${GCS_FUSE_CONFIG_FILE}" && -f "${GCS_FUSE_CONFIG_FILE}" ]] && args+=("--config-file" "${GCS_FUSE_CONFIG_FILE}")
+
+ # If GCS Fuse Support is disabled then we should sleep indefinitely
+ if [[ "${GCS_FUSE_ENABLED}" != true && "${GCS_FUSE_ENABLED}" -lt 1 ]]; then
+ log.notice "execute_gcs_fuse_driver(): gcs-fuse support is disabled, entering service sleep"
+ /usr/bin/sleep infinity
+ return "0"
+ fi
+
+ if [[ -z "${GOOGLE_APPLICATION_CREDENTIALS}" && -z "${GCS_FUSE_JWT_CREDENTIALS}" ]]; then
+ log.error "execute_gcs_fuse_driver(): No credentials were provided via GOOGLE_APPLICATION_CREDENTIALS or GCS_FUSE_JWT_CREDENTIALS variables"
+ return "1"
+ fi
+
+ if [[ -n "${GOOGLE_APPLICATION_CREDENTIALS}" && ! -f "${GOOGLE_APPLICATION_CREDENTIALS}" ]]; then
+ log.error "execute_gcs_fuse_driver(): Credentials file path was provided, but the file cannot be found [${GOOGLE_APPLICATION_CREDENTIALS}]"
+ return "1"
+ fi
+
+ if [[ -n "${GCS_FUSE_JWT_CREDENTIALS}" ]]; then
+ mkdir -p "${GCS_FUSE_RUN_DIRECTORY}" >/dev/null 2>&1 || return "${?}"
+ tee "${GCS_FUSE_JWT_CREDENTIALS}/adc.json" <<<"${GCS_FUSE_JWT_CREDENTIALS}" >/dev/null || return "${?}"
+ log.notice "execute_gcs_fuse_driver(): Credentials loaded from supplied JWT variable [${GCS_FUSE_JWT_CREDENTIALS}/adc.json]"
+ args+=("--key-file" "${GCS_FUSE_JWT_CREDENTIALS}/adc.json")
+ else
+ log.notice "execute_gcs_fuse_driver(): Credentials loaded from supplied GOOGLE_APPLICATION_CREDENTIALS variable [${GOOGLE_APPLICATION_CREDENTIALS}]"
+ args+=("--key-file" "${GOOGLE_APPLICATION_CREDENTIALS}")
+ fi
+
+ if [[ -n "${GCS_FUSE_EXTRA_OPTS}" ]]; then
+ /usr/bin/gcsfuse "${args[@]}" "${GCS_FUSE_EXTRA_OPTS}" "${GCS_FUSE_BUCKET_NAME}" "${GCS_FUSE_MOUNT_POINT}"
+ return "${?}"
+ fi
+
+ /usr/bin/gcsfuse "${args[@]}" "${GCS_FUSE_BUCKET_NAME}" "${GCS_FUSE_MOUNT_POINT}"
+ return "${?}"
+}
+
+function configure_server_name {
+ export HTTPD_GLOBAL_SERVER_NAME HTTPD_DETECT_GLOBAL_SERVER_NAME
+ local enabled="false"
+ local detect="false"
+
+ [[ -n "${HTTPD_GLOBAL_SERVER_NAME}" ]] && enabled="true"
+ [[ "${HTTPD_DETECT_GLOBAL_SERVER_NAME}" == true || "${HTTPD_DETECT_GLOBAL_SERVER_NAME}" -gt 0 ]] && detect="true"
+
+ if [[ "${detect}" == true && -z "${HTTPD_GLOBAL_SERVER_NAME}" ]]; then
+ HTTPD_GLOBAL_SERVER_NAME="$(hostname --fqdn)"
+ enabled="true"
+ fi
+
+ if [[ "${enabled}" == true ]]; then
+ log.notice "Configuring the global server name [${HTTPD_GLOBAL_SERVER_NAME}]"
+ a2enconf global-server-name >/dev/null
+ return "${?}"
+ fi
+
+ return "0"
+}
+
+function configure_virtual_hosts {
+ export HTTPD_RENDER_SITE_CONFIG HTTPD_SITE_ROOT_PATH
+
+ if [[ "${HTTPD_RENDER_SITE_CONFIG}" != true && "${HTTPD_RENDER_SITE_CONFIG}" -lt 1 ]]; then
+ log.warning "Site configuration rendering disabled"
+ return "0"
+ fi
+
+ if [[ -z "${HTTPD_SITE_ROOT_PATH}" ]]; then
+ log.warning "Defaulting the HTTPD_SITE_ROOT_PATH environment because none was provided"
+ HTTPD_SITE_ROOT_PATH="/var/www/html"
+ fi
+
+ local site_config="default-nossl"
+ if [[ "${HTTPD_SITE_SSL_ENABLED}" != true && "${HTTPD_SITE_SSL_ENABLED}" -lt 1 ]]; then
+ log.notice "Loading the default non-SSL site configuration"
+ site_config="default-nossl"
+ else
+ if [[ "${HTTPD_SITE_SSL_REDIRECT_ENABLED}" == true || "${HTTPD_SITE_SSL_REDIRECT_ENABLED}" -gt 0 ]]; then
+ log.notice "Loading the default SSL with Redirection site configuration"
+ site_config="default-ssl-redirect"
+ else
+ log.notice "Loading the default SSL site configuration"
+ site_config="default-ssl"
+ fi
+
+ configure_site_ssl_ca_file "${site_config}" || return "${?}"
+ fi
+
+ a2ensite ${site_config} >/dev/null || return "${?}"
+ configure_site_server_name "${site_config}" || return "${?}"
+ configure_site_admin_email "${site_config}" || return "${?}"
+
+ return "0"
+}
+
+function configure_oidc_protection {
+ export OIDC_AUTH_ENABLED
+
+ if [[ "${OIDC_AUTH_ENABLED}" != true && "${OIDC_AUTH_ENABLED}" -lt 1 ]]; then
+ log.notice "Virtual host OIDC authentication is disabled"
+ return "0"
+ fi
+
+ log.notice "Enabling OIDC authentication for the virtual host [${OIDC_PROVIDER_METADATA_URL}]"
+ a2enmod auth_openidc >/dev/null || return "${?}"
+ a2enconf oidc-provider >/dev/null
+ return "${?}"
+}
+
+function configure_site_server_name {
+ local config_name="${1}"
+ export HTTPD_SITE_SERVER_NAME
+
+ [[ -z "${HTTPD_SITE_SERVER_NAME}" ]] && return "0"
+
+ if [[ -z "${config_name}" ]]; then
+ log.error "configure_site_server_name(): Invalid Arguments - No config name provided"
+ return "1"
+ fi
+
+ log.notice "Configuring the virtual host server name [${HTTPD_SITE_SERVER_NAME}]"
+ local path="${HTTPD_CONF_DIRECTORY}/sites-available/${config_name}.conf"
+ uncomment_config_element "${path}" "ServerName"
+ return "${?}"
+}
+
+function configure_site_admin_email {
+ local config_name="${1}"
+ export HTTPD_SITE_ADMIN_EMAIL
+
+ [[ -z "${HTTPD_SITE_ADMIN_EMAIL}" ]] && return "0"
+
+ if [[ -z "${config_name}" ]]; then
+ log.error "configure_site_admin_email(): Invalid Arguments - No config name provided"
+ return "1"
+ fi
+
+ log.notice "Configuring the virtual host administrator email [${HTTPD_SITE_ADMIN_EMAIL}]"
+ local path="${HTTPD_CONF_DIRECTORY}/sites-available/${config_name}.conf"
+ uncomment_config_element "${path}" "ServerAdmin"
+ return "${?}"
+}
+
+function configure_site_ssl_ca_file {
+ local config_name="${1}"
+ export HTTPD_SITE_CA_FILE
+
+ [[ -z "${HTTPD_SITE_CA_FILE}" || ! -f "${HTTPD_SITE_CA_FILE}" ]] && return "0"
+
+ if [[ -z "${config_name}" ]]; then
+ log.error "configure_site_ssl_ca_file(): Invalid Arguments - No config name provided"
+ return "1"
+ fi
+
+ log.notice "Configuring the virtual host SSL CA certificate [${HTTPD_SITE_CA_FILE}]"
+ local path="${HTTPD_CONF_DIRECTORY}/sites-available/${config_name}.conf"
+ uncomment_config_element "${path}" "SSLCACertificateFile"
+ return "${?}"
+}
+
+function uncomment_config_element {
+ local path="${1}"
+ local element="${2}"
+
+ local ec="0"
+
+ if [[ ! -f "${path}" ]]; then
+ log.error "uncomment_config_element(): Unable to locate the site configuration [${path}]"
+ return "1"
+ fi
+
+ set +e
+ <"${path}" perl -pe "s/#${element}/${element}/g" | tee "${path}.tmp" >/dev/null
+ ec="${?}"
+ set -e
+
+ if [[ "${ec}" -ne 0 ]]; then
+ log.error "uncomment_config_element(): Failed while writing temporary config [${path}.tmp]"
+ rm -f "${path}.tmp" >/dev/null 2>&1
+ return "1"
+ fi
+
+ set +e
+ cp -f "${path}.tmp" "${path}" >/dev/null 2>&1 && rm -f "${path}.tmp" >/dev/null 2>&1
+ ec="${?}"
+ set -e
+
+ if [[ "${ec}" -ne 0 ]]; then
+ log.error "uncomment_config_element(): Failed while writing final config [${path}]"
+ rm -f "${path}.tmp" >/dev/null 2>&1
+ return "1"
+ fi
+
+ return "0"
+}
diff --git a/apache-httpd-oidc/entrypoint.sh b/apache-httpd-oidc/entrypoint.sh
new file mode 100755
index 0000000..4803d60
--- /dev/null
+++ b/apache-httpd-oidc/entrypoint.sh
@@ -0,0 +1,18 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+set -eo pipefail
+
+### Load Helper Methods ###
+source /usr/local/bin/entrypoint-helper.sh
+
+configure_server_name
+configure_virtual_hosts
+configure_oidc_protection
+
+### Execute Apache HTTPD ###
+# Cleanup any residual or pre-existing PID files
+rm -f /var/run/apache2/apache2.pid
+# Load the Apache HTTPD environment variables
+[[ -f /etc/apache2/envvars ]] && source /etc/apache2/envvars
+# Execute Apache HTTPD in the foreground
+exec s6-setuidgid www-data apache2 -DFOREGROUND "${@}"
diff --git a/apache-httpd-oidc/logger.sh b/apache-httpd-oidc/logger.sh
new file mode 100755
index 0000000..b80eb91
--- /dev/null
+++ b/apache-httpd-oidc/logger.sh
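Review bot: In execute_gcs_fuse_driver the JWT branch writes the key to `"${GCS_FUSE_JWT_CREDENTIALS}/adc.json"`, i.e. it builds the path from the variable holding the credential contents rather than from the GCS_FUSE_RUN_DIRECTORY it has just created; tee then fails and prints that path — the credential text — to stderr, and had it succeeded the following log.notice would print it into the container log as well. The three lines should use the run directory and log only the path: `tee "${GCS_FUSE_RUN_DIRECTORY}/adc.json" <<<"${GCS_FUSE_JWT_CREDENTIALS}" >/dev/null || return "${?}"`, `log.notice "execute_gcs_fuse_driver(): Credentials loaded from supplied JWT variable [${GCS_FUSE_RUN_DIRECTORY}/adc.json]"`, `args+=("--key-file" "${GCS_FUSE_RUN_DIRECTORY}/adc.json")`. The file is also created under the default umask, so restricting it (a `chmod 600` on it, or running tee under `umask 077`) keeps the key from being world-readable under /var/run. Two smaller points in the same function: `[[ -f "${GCS_FUSE_MOUNT_POINT}" ]]` tests for a regular file where `-d` is meant, and `"${GCS_FUSE_EXTRA_OPTS}"` is passed as one quoted word, so more than one extra option cannot be supplied that way.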
@@ -0,0 +1,73 @@
+#!/usr/bin/env bash
+# We are not using `set -Eeuo pipefail` here because this file is sourced by
+# other scripts that might not be ready for a strict Bash setup. The functions
+# in this file do not require it, because they are not handling signals, have
+# no external calls that can fail (printf as well as date failures are ignored),
+# are not using any variables that need to be set, and are not using any pipes.
+
+# This logger implementation can be replaced with another logger implementation
+# by placing a script called `logger.sh` in `/usr/local/bin` of the image. The
+# only requirement for the script is that it defines the following functions:
+#
+# - `log.debug`
+# - `log.notice`
+# - `log.warning`
+# - `log.error`
+# - `log.success`
+#
+# Each function **MUST** accept an arbitrary amount of arguments that make up
+# the (unstructured) logging message.
+#
+# Additionally the following environment variables **SHOULD** be supported to
+# disable their corresponding log entries, the value of the variables **MUST**
+# not matter the mere fact that they are set is all that matters:
+#
+# - `LOG_DEBUG_DISABLED`
+# - `LOG_NOTICE_DISABLED`
+# - `LOG_WARNING_DISABLED`
+# - `LOG_ERROR_DISABLED`
+# - `LOG_SUCCESS_DISABLED`
+
+# The log format is constructed in a way that it can easily be parsed with
+# standard tools and simple string manipulations; pattern and example:
+#
+# YYYY-MM-DD hh:mm:ss.SSS $level --- $message
+# 2022-03-19 10:01:23.172 NOTICE --- example message
+#
+# This function is an implementation detail and **MUST NOT** be called from
+# outside this script (which is possible if the file is sourced).
+__log() {
+ local color instant level
+
+ color=${1:?missing required argument}
+ shift
+
+ level=${FUNCNAME[1]} # `main` if called from top-level
+ level=${level#log.} # substring after `log.`
+ level=${level^^} # UPPERCASE
+
+ if [[ ! -v "LOG_${level}_DISABLED" ]]; then
+ instant=$(date '+%F %T.%-3N' 2>/dev/null || :)
+
+ # https://no-color.org/
+ if [[ -v NO_COLOR ]]; then
+ printf -- '%s %s --- %s\n' "$instant" "$level" "$*" 1>&2 || :
+ else
+ printf -- '\033[0;%dm%s %s --- %s\033[0m\n' "$color" "$instant" "$level" "$*" 1>&2 || :
+ fi
+ fi
+}
+
+# To log with a dynamic level use standard Bash capabilities:
+#
+# level=notice
+# command || level=error
+# "log.$level" message
+#
+# @formatter:off
+log.debug () { __log 37 "$@"; } # white
+log.notice () { __log 34 "$@"; } # blue
+log.warning () { __log 33 "$@"; } # yellow
+log.error () { __log 31 "$@"; } # red
+log.success () { __log 32 "$@"; } # green
+# @formatter:on
diff --git a/apache-httpd-oidc/repro-sources-list.sh b/apache-httpd-oidc/repro-sources-list.sh
new file mode 100755
index 0000000..ea97e47
--- /dev/null
+++ b/apache-httpd-oidc/repro-sources-list.sh
@@ -0,0 +1,103 @@
+#!/bin/bash
+#
+# Copyright The repro-sources-list.sh Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# -----------------------------------------------------------------------------
+# repro-sources-list.sh:
+# configures /etc/apt/sources.list and similar files for installing packages from a snapshot.
+#
+# This script is expected to be executed inside Dockerfile.
+#
+# The following distributions are supported:
+# - debian:11 (/etc/apt/sources.list)
+# - debian:12 (/etc/apt/sources.list.d/debian.sources)
+# - ubuntu:22.04 (/etc/apt/sources.list)
+# - ubuntu:24.04 (/etc/apt/sources.listd/ubuntu.sources)
+# - archlinux (/etc/pacman.d/mirrorlist)
+#
+# For the further information, see https://github.com/reproducible-containers/repro-sources-list.sh
+# -----------------------------------------------------------------------------
+
+set -eux -o pipefail
+
+. /etc/os-release
+
+: "${KEEP_CACHE:=1}"
+
+keep_apt_cache() {
+ rm -f /etc/apt/apt.conf.d/docker-clean
+ echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' >/etc/apt/apt.conf.d/keep-cache
+}
+
+case "${ID}" in
+"debian")
+ : "${SNAPSHOT_ARCHIVE_BASE:=http://snapshot.debian.org/archive/}"
+ : "${BACKPORTS:=}"
+ if [ -e /etc/apt/sources.list.d/debian.sources ]; then
+ : "${SOURCE_DATE_EPOCH:=$(stat --format=%Y /etc/apt/sources.list.d/debian.sources)}"
+ rm -f /etc/apt/sources.list.d/debian.sources
+ else
+ : "${SOURCE_DATE_EPOCH:=$(stat --format=%Y /etc/apt/sources.list)}"
+ fi
+ snapshot="$(printf "%(%Y%m%dT%H%M%SZ)T\n" "${SOURCE_DATE_EPOCH}")"
+ # TODO: use the new format for Debian >= 12
+ echo "deb [check-valid-until=no] ${SNAPSHOT_ARCHIVE_BASE}debian/${snapshot} ${VERSION_CODENAME} main" >/etc/apt/sources.list
+ echo "deb [check-valid-until=no] ${SNAPSHOT_ARCHIVE_BASE}debian-security/${snapshot} ${VERSION_CODENAME}-security main" >>/etc/apt/sources.list
+ echo "deb [check-valid-until=no] ${SNAPSHOT_ARCHIVE_BASE}debian/${snapshot} ${VERSION_CODENAME}-updates main" >>/etc/apt/sources.list
+ if [ "${BACKPORTS}" = 1 ]; then echo "deb [check-valid-until=no] ${SNAPSHOT_ARCHIVE_BASE}debian/${snapshot} ${VERSION_CODENAME}-backports main" >>/etc/apt/sources.list; fi
+ if [ "${KEEP_CACHE}" = 1 ]; then keep_apt_cache; fi
+ ;;
+"ubuntu")
+ : "${SNAPSHOT_ARCHIVE_BASE:=http://snapshot.ubuntu.com/}"
+ if [ -e /etc/apt/sources.list.d/ubuntu.sources ]; then
+ : "${SOURCE_DATE_EPOCH:=$(stat --format=%Y /etc/apt/sources.list.d/ubuntu.sources)}"
+ rm -f /etc/apt/sources.list.d/ubuntu.sources
+ else
+ : "${SOURCE_DATE_EPOCH:=$(stat --format=%Y /etc/apt/sources.list)}"
+ fi
+ snapshot="$(printf "%(%Y%m%dT%H%M%SZ)T\n" "${SOURCE_DATE_EPOCH}")"
+ # TODO: use the new format for Ubuntu >= 24.04
+ echo "deb [check-valid-until=no] ${SNAPSHOT_ARCHIVE_BASE}ubuntu/${snapshot} ${VERSION_CODENAME} main restricted" >/etc/apt/sources.list
+ echo "deb [check-valid-until=no] ${SNAPSHOT_ARCHIVE_BASE}ubuntu/${snapshot} ${VERSION_CODENAME}-updates main restricted" >>/etc/apt/sources.list
+ echo "deb [check-valid-until=no] ${SNAPSHOT_ARCHIVE_BASE}ubuntu/${snapshot} ${VERSION_CODENAME} universe" >>/etc/apt/sources.list
+ echo "deb [check-valid-until=no] ${SNAPSHOT_ARCHIVE_BASE}ubuntu/${snapshot} ${VERSION_CODENAME}-updates universe" >>/etc/apt/sources.list
+ echo "deb [check-valid-until=no] ${SNAPSHOT_ARCHIVE_BASE}ubuntu/${snapshot} ${VERSION_CODENAME} multiverse" >>/etc/apt/sources.list
+ echo "deb [check-valid-until=no] ${SNAPSHOT_ARCHIVE_BASE}ubuntu/${snapshot} ${VERSION_CODENAME}-updates multiverse" >>/etc/apt/sources.list
+ echo "deb [check-valid-until=no] ${SNAPSHOT_ARCHIVE_BASE}ubuntu/${snapshot} ${VERSION_CODENAME}-backports main restricted universe multiverse" >>/etc/apt/sources.list
+ echo "deb [check-valid-until=no] ${SNAPSHOT_ARCHIVE_BASE}ubuntu/${snapshot} ${VERSION_CODENAME}-security main restricted" >>/etc/apt/sources.list
+ echo "deb [check-valid-until=no] ${SNAPSHOT_ARCHIVE_BASE}ubuntu/${snapshot} ${VERSION_CODENAME}-security universe" >>/etc/apt/sources.list
+ echo "deb [check-valid-until=no] ${SNAPSHOT_ARCHIVE_BASE}ubuntu/${snapshot} ${VERSION_CODENAME}-security multiverse" >>/etc/apt/sources.list
+ if [ "${KEEP_CACHE}" = 1 ]; then keep_apt_cache; fi
+ # http://snapshot.ubuntu.com is redirected to https, so we have to install ca-certificates
+ export DEBIAN_FRONTEND=noninteractive
+ apt-get -o Acquire::https::Verify-Peer=false update >&2
+ apt-get -o Acquire::https::Verify-Peer=false install -y ca-certificates >&2
+ ;;
+"arch")
+ : "${SNAPSHOT_ARCHIVE_BASE:=http://archive.archlinux.org/}"
+ : "${SOURCE_DATE_EPOCH:=$(stat --format=%Y /var/log/pacman.log)}"
+ export SOURCE_DATE_EPOCH
+ # shellcheck disable=SC2016
+ date -d "@${SOURCE_DATE_EPOCH}" "+Server = ${SNAPSHOT_ARCHIVE_BASE}repos/%Y/%m/%d/\$repo/os/\$arch" >/etc/pacman.d/mirrorlist
+ ;;
+*)
+ echo >&2 "Unsupported distribution: ${ID}"
+ exit 1
+ ;;
+esac
+
+: "${WRITE_SOURCE_DATE_EPOCH:=/dev/null}"
+echo "${SOURCE_DATE_EPOCH}" >"${WRITE_SOURCE_DATE_EPOCH}"
+echo "SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH}"
diff --git a/apache-httpd-oidc/s6-rc.d/gcsfuse/dependencies.d/base b/apache-httpd-oidc/s6-rc.d/gcsfuse/dependencies.d/base
new file mode 100644
index 0000000..e69de29
diff --git a/apache-httpd-oidc/s6-rc.d/gcsfuse/run b/apache-httpd-oidc/s6-rc.d/gcsfuse/run
new file mode 100644
index 0000000..ac1c0fa
--- /dev/null
+++ b/apache-httpd-oidc/s6-rc.d/gcsfuse/run
@@ -0,0 +1,8 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+set -eo pipefail
+set -x
+### Import Helper Functions ###
+source /usr/local/bin/entrypoint-helper.sh
+
+execute_gcs_fuse_driver
diff --git a/apache-httpd-oidc/s6-rc.d/gcsfuse/type b/apache-httpd-oidc/s6-rc.d/gcsfuse/type
new file mode 100644
index 0000000..5883cff
--- /dev/null
+++ b/apache-httpd-oidc/s6-rc.d/gcsfuse/type
@@ -0,0 +1 @@
+longrun
diff --git a/apache-httpd-oidc/s6-rc.d/user/contents.d/gcsfuse b/apache-httpd-oidc/s6-rc.d/user/contents.d/gcsfuse
new file mode 100644
index 0000000..e69de29
diff --git a/apache-httpd-oidc/sites-available/default-nossl.conf b/apache-httpd-oidc/sites-available/default-nossl.conf
new file mode 100644
index 0000000..547a8cb
--- /dev/null
+++ b/apache-httpd-oidc/sites-available/default-nossl.conf
@@ -0,0 +1,37 @@ + + # The commented lines below will be dynamically uncommented/activated by entrypoint script + #ServerName ${HTTPD_SITE_SERVER_NAME} + #ServerAdmin ${HTTPD_SITE_ADMIN_EMAIL} + + # Configure the vhost root directory (default: /var/www/html) + DocumentRoot ${HTTPD_SITE_ROOT_PATH} + DirectoryIndex disabled + + # Use reasonable log levels + LogLevel info ssl:warn + # Ensure logs are routed to the container stdout + ErrorLog "|/usr/bin/cat" + CustomLog "|/usr/bin/cat" combined + + # Secure the DocumentRoot directory + + Options SymLinksIfOwnerMatch Indexes + AllowOverride None + + + # Setup the OIDC redirect virtual location + + + AuthType openid-connect + Require valid-user + + + + # Enforce OIDC Authentication for all site content + + + AuthType openid-connect + Require valid-user + + + diff --git a/apache-httpd-oidc/sites-available/default-ssl-redirect.conf b/apache-httpd-oidc/sites-available/default-ssl-redirect.conf new file mode 100644 index 0000000..38825a6 --- /dev/null +++ b/apache-httpd-oidc/sites-available/default-ssl-redirect.conf 
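Review bot: The `Require valid-user` blocks in this vhost only take effect when auth_openidc is loaded, and the image defaults the other way — `OIDC_AUTH_ENABLED=0` in the Dockerfile and `a2dismod auth_openidc` in configure-container.sh — while `Options SymLinksIfOwnerMatch Indexes` together with `DirectoryIndex disabled` makes every directory under DocumentRoot listable. With default settings the whole site, which is the GCS bucket mount when GCS_FUSE_ENABLED is set, is therefore browsable by anyone who can reach port 8080; the conditional tags around the auth blocks are lost in this rendering, so exactly what guards them cannot be verified here, but the env defaults point to fail-open. If unauthenticated serving is intended, state it in the header: `# NOTE: unless OIDC_AUTH_ENABLED=1 this vhost serves and indexes DocumentRoot without authentication`; otherwise an `<IfModule !mod_auth_openidc.c>` block inside the Directory section carrying `Require all denied` makes the default safe. The same applies to default-ssl-redirect.conf and default-ssl.conf below.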
@@ -0,0 +1,62 @@
+
+ # The commented lines below will be dynamically uncommented/activated by entrypoint script
+ #ServerName ${HTTPD_SITE_SERVER_NAME}
+ #ServerAdmin ${HTTPD_SITE_ADMIN_EMAIL}
+
+ # Configure the vhost root directory (default: /var/www/html)
+ DocumentRoot ${HTTPD_SITE_ROOT_PATH}
+
+ # Use reasonable log levels
+ LogLevel info ssl:warn
+ # Ensure logs are routed to the container stdout
+ ErrorLog "|/usr/bin/cat"
+ CustomLog "|/usr/bin/cat" combined
+
+ # Redirect Clear Text Requests to SSL
+ RewriteEngine On
+ RewriteCond %{HTTPS} off
+ RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI}
+
+
+
+ # The commented lines below will be dynamically uncommented/activated by entrypoint script
+ #ServerName ${HTTPD_SITE_SERVER_NAME}
+ #ServerAdmin ${HTTPD_SITE_ADMIN_EMAIL}
+
+ # Configure the vhost root directory (default: /var/www/html)
+ DocumentRoot ${HTTPD_SITE_ROOT_PATH}
+
+ # SSL Support
+ SSLEngine on
+ SSLCertificateFile ${HTTPD_SITE_SSL_CERT_FILE}
+ SSLCertificateKeyFile ${HTTPD_SITE_SSL_KEY_FILE}
+ #SSLCACertificateFile ${HTTPD_SITE_CA_FILE}
+
+ # Use reasonable log levels
+ LogLevel info ssl:warn
+ # Ensure logs are routed to the container stdout
+ ErrorLog "|/usr/bin/cat"
+ CustomLog "|/usr/bin/cat" combined
+
+ # Secure the DocumentRoot directory
+
+ Options SymLinksIfOwnerMatch Indexes
+ AllowOverride None
+
+
+ # Setup the OIDC redirect virtual location
+
+
+ AuthType openid-connect
+ Require valid-user
+
+
+
+ # Enforce OIDC Authentication for all site content
+
+
+ AuthType openid-connect
+ Require valid-user
+
+
+
diff --git a/apache-httpd-oidc/sites-available/default-ssl.conf b/apache-httpd-oidc/sites-available/default-ssl.conf
new file mode 100644
index 0000000..2cd9ee9
--- /dev/null
+++ b/apache-httpd-oidc/sites-available/default-ssl.conf
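Review bot: `RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI}` builds the redirect target from the client-supplied Host header, so a request arriving with an arbitrary Host value is answered with a redirect to that host; redirecting to the operator-configured name instead keeps the target under the server's control, e.g. `UseCanonicalName On` in the vhost and `RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]`, which the `ServerName` line the entrypoint uncomments would feed (the `<VirtualHost>` tags appear stripped in this rendering, so block boundaries are inferred). The explicit `[R=301,L]` also documents that an external, permanent redirect is intended rather than relying on mod_rewrite's implicit redirect for scheme-qualified substitutions. A smaller inconsistency: the :443 vhost here omits the `DirectoryIndex disabled` that default-nossl.conf and default-ssl.conf both set, which looks like an oversight rather than a deliberate difference.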
@@ -0,0 +1,81 @@
+
+ # The commented lines below will be dynamically uncommented/activated by entrypoint script
+ #ServerName ${HTTPD_SITE_SERVER_NAME}
+ #ServerAdmin ${HTTPD_SITE_ADMIN_EMAIL}
+
+ # Configure the vhost root directory (default: /var/www/html)
+ DocumentRoot ${HTTPD_SITE_ROOT_PATH}
+ DirectoryIndex disabled
+
+ # Use reasonable log levels
+ LogLevel info ssl:warn
+ # Ensure logs are routed to the container stdout
+ ErrorLog "|/usr/bin/cat"
+ CustomLog "|/usr/bin/cat" combined
+
+ # Secure the DocumentRoot directory
+
+ Options SymLinksIfOwnerMatch Indexes
+ AllowOverride None
+
+
+ # Setup the OIDC redirect virtual location
+
+
+ AuthType openid-connect
+ Require valid-user
+
+
+
+ # Enforce OIDC Authentication for all site content
+
+
+ AuthType openid-connect
+ Require valid-user
+
+
+
+
+
+ # The commented lines below will be dynamically uncommented/activated by entrypoint script
+ #ServerName ${HTTPD_SITE_SERVER_NAME}
+ #ServerAdmin ${HTTPD_SITE_ADMIN_EMAIL}
+
+ # Configure the vhost root directory (default: /var/www/html)
+ DocumentRoot ${HTTPD_SITE_ROOT_PATH}
+ DirectoryIndex disabled
+
+ # SSL Support
+ SSLEngine on
+ SSLCertificateFile ${HTTPD_SITE_SSL_CERT_FILE}
+ SSLCertificateKeyFile ${HTTPD_SITE_SSL_KEY_FILE}
+ #SSLCACertificateFile ${HTTPD_SITE_CA_FILE}
+
+ # Use reasonable log levels
+ LogLevel info ssl:warn
+ # Ensure logs are routed to the container stdout
+ ErrorLog "|/usr/bin/cat"
+ CustomLog "|/usr/bin/cat" combined
+
+ # Secure the DocumentRoot directory
+
+ Options SymLinksIfOwnerMatch Indexes
+ AllowOverride None
+
+
+ # Setup the OIDC redirect virtual location
+
+
+ AuthType openid-connect
+ Require valid-user
+
+
+
+ # Enforce OIDC Authentication for all site content
+
+
+ AuthType openid-connect
+ Require valid-user
+
+
+
From 3ac680c6052c0e63be2784bfdf0853df2206f462 Mon Sep 17 00:00:00 2001
From: Nathan Klick
Date: Wed, 11 Sep 2024 16:40:10 -0500
Subject: [PATCH 2/3] fix: add missing source date build argument
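Review bot: The two `<VirtualHost>` blocks in default-ssl.conf repeat the DocumentRoot, logging, `<Directory>` and OIDC `<Location>` stanza verbatim (roughly thirty lines), and the same stanza appears again in default-nossl.conf and default-ssl-redirect.conf; moving it into a snippet under conf-available and pulling it in with `Include` would give the authentication policy a single place to change. The first vhost here serves the full OIDC-protected site over cleartext rather than redirecting to TLS as default-ssl-redirect.conf does; if that is deliberate (for example, a proxy-terminated or health-check path), a comment at the top of that block saying so, such as `# Cleartext vhost intentionally serves content; use default-ssl-redirect.conf to force TLS`, would record the choice. Tag boundaries appear stripped in this rendering, so the block structure is inferred from the comments and directive order.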
Signed-off-by: Nathan Klick --- .github/workflows/zxc-build-httpd-oidc-images.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/zxc-build-httpd-oidc-images.yaml b/.github/workflows/zxc-build-httpd-oidc-images.yaml index 74b58f9..f874d04 100644 --- a/.github/workflows/zxc-build-httpd-oidc-images.yaml +++ b/.github/workflows/zxc-build-httpd-oidc-images.yaml @@ -114,6 +114,10 @@ jobs: echo "prefix=${DOCKER_REGISTRY_PREFIX}" >>"${GITHUB_OUTPUT}" echo "operation=${IMG_RESULT}" >>"${GITHUB_OUTPUT}" + - name: Calculate Source Date + id: commit + run: echo "source-date=$(git log -1 --pretty=%ct)" >> "${GITHUB_OUTPUT}" + - name: Calculate Docker Tag id: docker-tag run: | @@ -132,5 +136,6 @@ jobs: ${{ steps.registry.outputs.prefix }}/apache-httpd-oidc:v${{ steps.docker-tag.outputs.version }} ${{ steps.registry.outputs.prefix }}/apache-httpd-oidc:v${{ steps.docker-tag.outputs.version }}-${{ inputs.base-os-image }} build-args: | + SOURCE_DATE_EPOCH=${{ steps.commit.outputs.source-date }} UBUNTU_TAG=${{ inputs.base-os-image }} GCS_FUSE_VERSION=${{ inputs.gcs-fuse-version }} From 9de8dd0d42deb87bf3be9af849259fbe37abc02c Mon Sep 17 00:00:00 2001 From: Nathan Klick Date: Wed, 11 Sep 2024 16:42:22 -0500 Subject: [PATCH 3/3] fix: update codeowners to use correct organization name Signed-off-by: Nathan Klick --- .github/CODEOWNERS | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index abfc792..3f363f6 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS 
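Review bot: `git log -1 --pretty=%ct` in the new "Calculate Source Date" step reads the committer timestamp of whatever `HEAD` the earlier checkout produced; on `pull_request` events that is presumably the ephemeral merge commit GitHub creates per run, so `SOURCE_DATE_EPOCH` — and with it the timestamps the Dockerfile derives from it — can differ between two runs of an unchanged PR, which undercuts the reproducibility the argument is meant to provide. Whether that matters depends on which events trigger this workflow (the `on:` block is outside the hunk), so it is worth confirming and, if PR builds are in scope, using the PR head commit's timestamp instead. A short comment on the step, `# Committer time of HEAD, passed as SOURCE_DATE_EPOCH so image layers are reproducible`, would make the purpose clear to a reader of the workflow. The enclosing job definition starts outside the hunk.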
@@ -2,13 +2,13 @@ ##### Global Protection Rule ###### ################################### # NOTE: This rule is overriden by the more specific rules below. This is the catch-all rule for all files not covered by the more specific rules below. -* @hashgraph/release-engineering-managers @hashgraph/product-security +* @swirldslabs/release-engineering-managers @swirldslabs/product-security ############################ ##### Project Files ###### ############################ -/apache-httpd-oidc/ @hashgraph/release-engineering-managers @hashgraph/product-security +/apache-httpd-oidc/ @swirldslabs/release-engineering-managers @swirldslabs/product-security ######################### ##### Core Files ###### 
@@ -17,27 +17,27 @@ # NOTE: Must be placed last to ensure enforcement over all other rules # Protection Rules for Github Configuration Files and Actions Workflows -/.github/ @hashgraph/release-engineering-managers -/.github/workflows/ @hashgraph/release-engineering-managers @hashgraph/product-security @hashgraph/devops-ci +/.github/ @swirldslabs/release-engineering-managers +/.github/workflows/ @swirldslabs/release-engineering-managers @swirldslabs/product-security @swirldslabs/devops-ci # Codacy Tool Configurations -/config/ @hashgraph/release-engineering-managers -.remarkrc @hashgraph/release-engineering-managers +/config/ @swirldslabs/release-engineering-managers +.remarkrc @swirldslabs/release-engineering-managers # Semantic Release Configuration -.releaserc @hashgraph/release-engineering-managers +.releaserc @swirldslabs/release-engineering-managers # Self-protection for root CODEOWNERS files (this file should not exist and should definitely require approval) -/CODEOWNERS @hashgraph/release-engineering-managers +/CODEOWNERS @swirldslabs/release-engineering-managers # Protect the repository root files -/README.md @hashgraph/release-engineering-managers -**/LICENSE @hashgraph/release-engineering-managers +/README.md @swirldslabs/release-engineering-managers +**/LICENSE @swirldslabs/release-engineering-managers # CodeCov configuration -**/codecov.yml @hashgraph/release-engineering-managers +**/codecov.yml @swirldslabs/release-engineering-managers # Git Ignore definitions -**/.gitignore @hashgraph/release-engineering-managers -**/.gitignore.* @hashgraph/release-engineering-managers +**/.gitignore @swirldslabs/release-engineering-managers +**/.gitignore.* @swirldslabs/release-engineering-managers