initial changes from gluu to jans (#2)

* initial changes from gluu to jans

* move oxauth to auth-server

* Update release.yaml

* switch to jans-auth-server

* Change envs prefix from JANS to CLOUD_NATIVE

* Change envs prefix to CN

* initial working image

* sync manifests

* update manifests

* update jans-pycloudlib

* Update scanimage.yml

* bump Jython's pip to v19.2

* Add non root user

#3

* fix refs

#3

* update jans-pycloudlib

* copy custom jar from share directory

* install latest cryptography

* Update war

* sync manifests

* update dependencies

* chore(dockerfile): update build date

* docs: update reference in README

* feat(build-date): Update build date

* feat(build-date): update build date

* feat(build-date): update build date

* feat(Dockerfile): update build date

* fix(healthcheck): update health endpoint

* ci(autobuilds): Fix repos and commit settings

* ci(autobuilds): Add jans-config-api

* feat(Dockerfile): Updated build date

Co-authored-by: mogluu <[email protected]>
Co-authored-by: iromli <[email protected]>

.github/workflows/release.yaml

@@ -1,9 +1,8 @@
 name: release
-# This builds, packages and releases pygluu-kubernetes
 on:
   push:
     paths:
-      #- __version__.py
+      - __version__.py
     branches-ignore:
       - master
 jobs:
@@ -43,14 +42,15 @@ jobs:
         echo "::set-output name=pversion::$(python3 -c 'import __version__ ; print(__version__.__previous_version__)')"
         echo "::set-output name=gituser::$(python3 -c 'import os ; REPO = os.environ.get("GITHUB_REPOSITORY") ; print(str(REPO).split("/")[0])')"
         echo "::set-output name=gitproject::$(python3 -c 'import os ; REPO = os.environ.get("GITHUB_REPOSITORY") ; print(str(REPO).split("/")[1])')"
+        echo "::set-output name=gitbranch::$(python3 -c 'import os ; BRANCH = os.environ.get("GITHUB_REF") ; print(str(BRANCH).split("/")[2])')"
         echo "::set-output name=releasedate::$(date +'%d-%m-%Y')"
 
 
     - name: Install Changelog autogenerator
       run: |
         cd /home/runner/work/test/
         sudo gem install github_changelog_generator
-        github_changelog_generator --user ${{ steps.get_version.outputs.gituser }} --project ${{ steps.get_version.outputs.gitproject }} --date-format "%m/%d/%Y" --header-label "# Release Notes" --output release_notes.md --token ${{ secrets.token }} --since-tag ${{ steps.get_version.outputs.pversion }} --author false
+        github_changelog_generator --user ${{ steps.get_version.outputs.gituser }} --project ${{ steps.get_version.outputs.gitproject }} --date-format "%m/%d/%Y" --header-label "# Release Notes" --output release_notes.md --token ${{ secrets.token }} --include-labels ${{ steps.get_version.outputs.gitbranch }} --since-tag v${{ steps.get_version.outputs.pversion }} --author false
         sed -i '$ d' release_notes.md
         github_changelog_generator --user ${{ steps.get_version.outputs.gituser }} --project ${{ steps.get_version.outputs.gitproject }} --date-format "%m/%d/%Y" --token ${{ secrets.token }} --author false
         sed -i '$ d' CHANGELOG.md
@@ -83,4 +83,4 @@ jobs:
 
           ${{ steps.changelog.outputs.body }}
         draft: false
-        prerelease: false
+        prerelease: false

.github/workflows/scanimage.yml

@@ -1,19 +1,21 @@
 name: Scan Image
-on: [workflow_dispatch]
+on: [push]
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
-    - name: Build the Docker image
-      run: docker build . --file Dockerfile --tag local/scanimage:latest
+    - name: Build the Container image
+      run: docker build . --file Dockerfile --tag localbuild/scanimage:latest
     - uses: anchore/scan-action@v2
+      id: scan
       with:
-        image: "local/scanimage:latest"
-        fail-build: true
-    - name: anchore inline scan JSON results
-      run: for j in `ls ./anchore-reports/*.json`; do echo "---- ${j} ----"; cat ${j}; echo; done
+        image: "localbuild/scanimage:latest"
+        acs-report-enable: true
+    - name: upload Anchore scan SARIF report
+      uses: github/codeql-action/upload-sarif@v1
+      with:
+        sarif_file: results.sarif
     - uses: azure/container-scan@v0
       with:
-        image-name: local/scanimage:latest
-# Add Serif report once Code Scanner is out of beta stage
+        image-name: localbuild/scanimage:latest

.github/workflows/triggerdevbuild.yml

@@ -1,5 +1,4 @@
 name: triggerdevbuild
-# This builds, packages and releases pygluu-kubernetes
 on: [workflow_dispatch]
 jobs:
   checkBuildAndUpdate:
@@ -31,13 +30,13 @@ jobs:
       - uses: stefanzweifel/git-auto-commit-action@v4
         with:
           # Required
-          commit_message: Updated build date.
+          commit_message: 'feat(Dockerfile): Updated build date'
           # Optional local file path to the repository
           repository: .
-
+          commit-message: 'feat(helm): Update Helm Chart'
           # Optional commit user and author settings
-          commit_user_name: git-gluu
-          commit_user_email: git-gluu@github.com
-          commit_author: git-gluu <git-gluu@github.com>
+          commit_user_name: ${{ github.actor }}
+          commit_user_email: ${{ github.actor }}@users.noreply.github.com
+          commit_author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
           # Optional: Disable dirty check and always try to create a commit and push
           skip_dirty_check: true

Dockerfile

@@ -11,7 +11,7 @@ RUN mkdir -p /usr/lib/jvm/default-jvm /usr/java/latest \
 
 RUN apk update \
     && apk add --no-cache openssl py3-pip tini curl bash \
-    && apk add --no-cache --virtual build-deps wget git
+    && apk add --no-cache --virtual build-deps wget git gcc musl-dev python3-dev libffi-dev openssl-dev
 
 # ======
 # rclone
@@ -29,7 +29,7 @@ RUN wget -q https://github.com/rclone/rclone/releases/download/${RCLONE_VERSION}
 
 ARG JETTY_VERSION=9.4.26.v20200117
 ARG JETTY_HOME=/opt/jetty
-ARG JETTY_BASE=/opt/gluu/jetty
+ARG JETTY_BASE=/opt/jans/jetty
 ARG JETTY_USER_HOME_LIB=/home/jetty/lib
 
 # Install jetty
@@ -47,24 +47,26 @@ EXPOSE 8080
 # ======
 
 ARG JYTHON_VERSION=2.7.2
-RUN wget -q https://ox.gluu.org/dist/jython/${JYTHON_VERSION}/jython-installer-${JYTHON_VERSION}.jar -O /tmp/jython-installer.jar \
+RUN wget -q https://repo1.maven.org/maven2/org/python/jython-installer/${JYTHON_VERSION}/jython-installer-${JYTHON_VERSION}.jar -O /tmp/jython-installer.jar \
     && mkdir -p /opt/jython \
     && java -jar /tmp/jython-installer.jar -v -s -d /opt/jython \
+    && /opt/jython/bin/pip install --no-cache-dir "pip==19.2" \
     && rm -f /tmp/jython-installer.jar /tmp/*.properties
 
-# ======
-# oxAuth
-# ======
+# ===========
+# Auth server
+# ===========
 
-ENV JANS_VERSION=4.2.2-SNAPSHOT
-ENV JANS_BUILD_DATE="2020-09-28 18:23"
+ENV CN_VERSION=5.0.0-SNAPSHOT
+ENV CN_BUILD_DATE="2020-12-03 07:33"
+ENV CN_SOURCE_URL=https://maven.jans.io/maven/io/jans/jans-auth-server/${CN_VERSION}/jans-auth-server-${CN_VERSION}.war
 
 # Install oxAuth
-RUN wget -q https://ox.gluu.org/maven/org/gluu/oxauth-server/${JANS_VERSION}/oxauth-server-${JANS_VERSION}.war -O /tmp/oxauth.war \
-    && mkdir -p ${JETTY_BASE}/oxauth/webapps/oxauth \
-    && unzip -qq /tmp/oxauth.war -d ${JETTY_BASE}/oxauth/webapps/oxauth \
-    && java -jar ${JETTY_HOME}/start.jar jetty.home=${JETTY_HOME} jetty.base=${JETTY_BASE}/oxauth --add-to-start=server,deploy,annotations,resources,http,http-forwarded,threadpool,jsp,websocket \
-    && rm -f /tmp/oxauth.war
+RUN wget -q ${CN_SOURCE_URL} -O /tmp/jans-auth.war \
+    && mkdir -p ${JETTY_BASE}/jans-auth/webapps/jans-auth \
+    && unzip -qq /tmp/jans-auth.war -d ${JETTY_BASE}/jans-auth/webapps/jans-auth \
+    && java -jar ${JETTY_HOME}/start.jar jetty.home=${JETTY_HOME} jetty.base=${JETTY_BASE}/jans-auth --add-to-start=server,deploy,annotations,resources,http,http-forwarded,threadpool,jsp,websocket \
+    && rm -f /tmp/jans-auth.war
 
 # ===========
 # Custom libs
@@ -81,11 +83,10 @@ RUN wget -q https://repo1.maven.org/maven2/org/jsmpp/jsmpp/${JSMPP_VERSION}/jsmp
 # Python
 # ======
 
-RUN apk add --no-cache py3-cryptography py3-multidict py3-yarl
 COPY requirements.txt /app/requirements.txt
 RUN pip3 install -U pip \
     && pip3 install --no-cache-dir -r /app/requirements.txt \
-    && rm -rf /src/pygluu-containerlib/.git
+    && rm -rf /src/jans-pycloudlib/.git
 
 # =======
 # Cleanup
@@ -105,96 +106,116 @@ COPY LICENSE /licenses/
 # Config ENV
 # ==========
 
-ENV JANS_CONFIG_ADAPTER=consul \
-    JANS_CONFIG_CONSUL_HOST=localhost \
-    JANS_CONFIG_CONSUL_PORT=8500 \
-    JANS_CONFIG_CONSUL_CONSISTENCY=stale \
-    JANS_CONFIG_CONSUL_SCHEME=http \
-    JANS_CONFIG_CONSUL_VERIFY=false \
-    JANS_CONFIG_CONSUL_CACERT_FILE=/etc/certs/consul_ca.crt \
-    JANS_CONFIG_CONSUL_CERT_FILE=/etc/certs/consul_client.crt \
-    JANS_CONFIG_CONSUL_KEY_FILE=/etc/certs/consul_client.key \
-    JANS_CONFIG_CONSUL_TOKEN_FILE=/etc/certs/consul_token \
-    JANS_CONFIG_KUBERNETES_NAMESPACE=default \
-    JANS_CONFIG_KUBERNETES_CONFIGMAP=gluu \
-    JANS_CONFIG_KUBERNETES_USE_KUBE_CONFIG=false
+ENV CN_CONFIG_ADAPTER=consul \
+    CN_CONFIG_CONSUL_HOST=localhost \
+    CN_CONFIG_CONSUL_PORT=8500 \
+    CN_CONFIG_CONSUL_CONSISTENCY=stale \
+    CN_CONFIG_CONSUL_SCHEME=http \
+    CN_CONFIG_CONSUL_VERIFY=false \
+    CN_CONFIG_CONSUL_CACERT_FILE=/etc/certs/consul_ca.crt \
+    CN_CONFIG_CONSUL_CERT_FILE=/etc/certs/consul_client.crt \
+    CN_CONFIG_CONSUL_KEY_FILE=/etc/certs/consul_client.key \
+    CN_CONFIG_CONSUL_TOKEN_FILE=/etc/certs/consul_token \
+    CN_CONFIG_CONSUL_NAMESPACE=jans \
+    CN_CONFIG_KUBERNETES_NAMESPACE=default \
+    CN_CONFIG_KUBERNETES_CONFIGMAP=jans \
+    CN_CONFIG_KUBERNETES_USE_KUBE_CONFIG=false
 
 # ==========
 # Secret ENV
 # ==========
 
-ENV JANS_SECRET_ADAPTER=vault \
-    JANS_SECRET_VAULT_SCHEME=http \
-    JANS_SECRET_VAULT_HOST=localhost \
-    JANS_SECRET_VAULT_PORT=8200 \
-    JANS_SECRET_VAULT_VERIFY=false \
-    JANS_SECRET_VAULT_ROLE_ID_FILE=/etc/certs/vault_role_id \
-    JANS_SECRET_VAULT_SECRET_ID_FILE=/etc/certs/vault_secret_id \
-    JANS_SECRET_VAULT_CERT_FILE=/etc/certs/vault_client.crt \
-    JANS_SECRET_VAULT_KEY_FILE=/etc/certs/vault_client.key \
-    JANS_SECRET_VAULT_CACERT_FILE=/etc/certs/vault_ca.crt \
-    JANS_SECRET_KUBERNETES_NAMESPACE=default \
-    JANS_SECRET_KUBERNETES_SECRET=gluu \
-    JANS_SECRET_KUBERNETES_USE_KUBE_CONFIG=false
+ENV CN_SECRET_ADAPTER=vault \
+    CN_SECRET_VAULT_SCHEME=http \
+    CN_SECRET_VAULT_HOST=localhost \
+    CN_SECRET_VAULT_PORT=8200 \
+    CN_SECRET_VAULT_VERIFY=false \
+    CN_SECRET_VAULT_ROLE_ID_FILE=/etc/certs/vault_role_id \
+    CN_SECRET_VAULT_SECRET_ID_FILE=/etc/certs/vault_secret_id \
+    CN_SECRET_VAULT_CERT_FILE=/etc/certs/vault_client.crt \
+    CN_SECRET_VAULT_KEY_FILE=/etc/certs/vault_client.key \
+    CN_SECRET_VAULT_CACERT_FILE=/etc/certs/vault_ca.crt \
+    CN_SECRET_VAULT_NAMESPACE=jans \
+    CN_SECRET_KUBERNETES_NAMESPACE=default \
+    CN_SECRET_KUBERNETES_SECRET=jans \
+    CN_SECRET_KUBERNETES_USE_KUBE_CONFIG=false
 
 # ===============
 # Persistence ENV
 # ===============
 
-ENV JANS_PERSISTENCE_TYPE=ldap \
-    JANS_PERSISTENCE_LDAP_MAPPING=default \
-    JANS_LDAP_URL=localhost:1636 \
-    JANS_COUCHBASE_URL=localhost \
-    JANS_COUCHBASE_USER=admin \
-    JANS_COUCHBASE_CERT_FILE=/etc/certs/couchbase.crt \
-    JANS_COUCHBASE_PASSWORD_FILE=/etc/gluu/conf/couchbase_password \
-    JANS_COUCHBASE_CONN_TIMEOUT=10000 \
-    JANS_COUCHBASE_CONN_MAX_WAIT=20000 \
-    JANS_COUCHBASE_SCAN_CONSISTENCY=not_bounded
+ENV CN_PERSISTENCE_TYPE=ldap \
+    CN_PERSISTENCE_LDAP_MAPPING=default \
+    CN_LDAP_URL=localhost:1636 \
+    CN_COUCHBASE_URL=localhost \
+    CN_COUCHBASE_USER=admin \
+    CN_COUCHBASE_CERT_FILE=/etc/certs/couchbase.crt \
+    CN_COUCHBASE_PASSWORD_FILE=/etc/jans/conf/couchbase_password \
+    CN_COUCHBASE_CONN_TIMEOUT=10000 \
+    CN_COUCHBASE_CONN_MAX_WAIT=20000 \
+    CN_COUCHBASE_SCAN_CONSISTENCY=not_bounded
 
 # ===========
 # Generic ENV
 # ===========
 
-ENV JANS_MAX_RAM_PERCENTAGE=75.0 \
-    JANS_WAIT_MAX_TIME=300 \
-    JANS_WAIT_SLEEP_DURATION=10 \
+ENV CN_MAX_RAM_PERCENTAGE=75.0 \
+    CN_WAIT_MAX_TIME=300 \
+    CN_WAIT_SLEEP_DURATION=10 \
     PYTHON_HOME=/opt/jython \
-    JANS_DOCUMENT_STORE_TYPE=LOCAL \
-    JANS_JACKRABBIT_URL=http://localhost:8080 \
-    JANS_JACKRABBIT_ADMIN_ID=admin \
-    JANS_JACKRABBIT_ADMIN_PASSWORD_FILE=/etc/gluu/conf/jackrabbit_admin_password \
-    JANS_JAVA_OPTIONS="" \
-    JANS_SSL_CERT_FROM_SECRETS=false \
-    JANS_SYNC_JKS_ENABLED=false \
-    JANS_SYNC_JKS_INTERVAL=30
+    CN_DOCUMENT_STORE_TYPE=LOCAL \
+    CN_JACKRABBIT_URL=http://localhost:8080 \
+    CN_JACKRABBIT_ADMIN_ID=admin \
+    CN_JACKRABBIT_ADMIN_PASSWORD_FILE=/etc/jans/conf/jackrabbit_admin_password \
+    CN_JAVA_OPTIONS="" \
+    CN_SSL_CERT_FROM_SECRETS=false \
+    CN_SYNC_JKS_ENABLED=false \
+    CN_SYNC_JKS_INTERVAL=30 \
+    CN_NAMESPACE=jans
 
 # ==========
 # misc stuff
 # ==========
 
 LABEL name="Janssen Authorization Server" \
-    maintainer="Jansson org. <support@gluu.org>" \
+    maintainer="Janssen Project <support@jans.io>" \
     vendor="Janssen Project" \
     version="5.0.0" \
     release="dev" \
     summary="Janssen Authorization Server" \
     description="OAuth 2.0 server and client; OpenID Connect Provider (OP) & UMA Authorization Server (AS)"
 
 RUN mkdir -p /etc/certs /deploy \
-    /opt/gluu/python/libs \
-    ${JETTY_BASE}/oxauth/custom/pages ${JETTY_BASE}/oxauth/custom/static \
-    ${JETTY_BASE}/oxauth/custom/i18n \
-    /etc/gluu/conf \
+    /opt/jans/python/libs \
+    ${JETTY_BASE}/jans-auth/custom/pages ${JETTY_BASE}/jans-auth/custom/static \
+    ${JETTY_BASE}/jans-auth/custom/i18n \
+    /etc/jans/conf \
     /app/templates
 
-COPY libs /opt/gluu/python/libs
+COPY libs /opt/jans/python/libs
 COPY certs /etc/certs
-COPY jetty/oxauth_web_resources.xml ${JETTY_BASE}/oxauth/webapps/
-COPY jetty/oxauth.xml ${JETTY_BASE}/oxauth/webapps/
+COPY jetty/jans-auth_web_resources.xml ${JETTY_BASE}/jans-auth/webapps/
+COPY jetty/jans-auth.xml ${JETTY_BASE}/jans-auth/webapps/
 COPY conf/*.tmpl /app/templates/
 COPY scripts /app/scripts
 RUN chmod +x /app/scripts/entrypoint.sh
 
+# # create non-root user
+RUN adduser -s /bin/sh -D -G root -u 1000 jetty
+
+ # adjust ownership
+RUN chown -R 1000:1000 /opt/jans/jetty \
+    && chown -R 1000:1000 /opt/jetty \
+    && chown -R 1000:1000 /deploy \
+    && chown -R 1000:1000 /tmp \
+    && chmod -R g+w /usr/lib/jvm/default-jvm/jre/lib/security/cacerts \
+    && chgrp -R 0 /opt/jans/jetty && chmod -R g=u /opt/jans/jetty \
+    && chgrp -R 0 /opt/jetty && chmod -R g=u /opt/jetty \
+    && chgrp -R 0 /tmp && chmod -R g=u /tmp \
+    && chgrp -R 0 /deploy && chmod -R g=u /deploy \
+    && chgrp -R 0 /etc/certs && chmod -R g=u /etc/certs \
+    && chgrp -R 0 /etc/jans && chmod -R g=u /etc/jans
+USER 1000
+
 ENTRYPOINT ["tini", "-e", "143", "-g", "--"]
 CMD ["sh", "/app/scripts/entrypoint.sh"]

Makefile

@@ -1,15 +1,15 @@
-JANS_VERSION=4.2.2
-IMAGE_NAME=gluufederation/oxauth
+CN_VERSION=5.0.0
+IMAGE_NAME=janssenproject/auth-server
 UNSTABLE_VERSION=dev
 
 build-dev:
-	@echo "[I] Building Docker image ${IMAGE_NAME}:${JANS_VERSION}_${UNSTABLE_VERSION}"
-	@docker build --rm --force-rm -t ${IMAGE_NAME}:${JANS_VERSION}_${UNSTABLE_VERSION} .
+	@echo "[I] Building Docker image ${IMAGE_NAME}:${CN_VERSION}_${UNSTABLE_VERSION}"
+	@docker build --rm --force-rm -t ${IMAGE_NAME}:${CN_VERSION}_${UNSTABLE_VERSION} .
 
 trivy-scan:
-	@echo "[I] Scanning Docker image ${IMAGE_NAME}:${JANS_VERSION}_${UNSTABLE_VERSION} using trivy"
-	@trivy -d image ${IMAGE_NAME}:${JANS_VERSION}_${UNSTABLE_VERSION}
+	@echo "[I] Scanning Docker image ${IMAGE_NAME}:${CN_VERSION}_${UNSTABLE_VERSION} using trivy"
+	@trivy -d image ${IMAGE_NAME}:${CN_VERSION}_${UNSTABLE_VERSION}
 
 dockle-scan:
-	@echo "[I] Scanning Docker image ${IMAGE_NAME}:${JANS_VERSION}_${UNSTABLE_VERSION} using dockle"
-	@dockle -d ${IMAGE_NAME}:${JANS_VERSION}_${UNSTABLE_VERSION}
+	@echo "[I] Scanning Docker image ${IMAGE_NAME}:${CN_VERSION}_${UNSTABLE_VERSION} using dockle"
+	@dockle -d ${IMAGE_NAME}:${CN_VERSION}_${UNSTABLE_VERSION}