Merge pull request #1781 from OpenConext/feature/update-devconf-insta…

…llation Update Devconf installation and docs
OpenConext · Jan 14, 2025 · b3e3f6a · b3e3f6a
2 parents eda4d94 + d64ee74
commit b3e3f6a
Show file tree

Hide file tree

Showing 115 changed files with 638 additions and 1,208 deletions.
diff --git a/.github/workflows/run-cypress.yml b/.github/workflows/run-cypress.yml
@@ -29,7 +29,7 @@ jobs:
               run: |
                 cd docker &&
                 ${DOCKER_COMPOSE} up -d --build &&
-                docker compose exec -T --user www-data php-fpm.vm.openconext.org bash -c '
+                docker compose exec -T --user www-data engine.dev.openconext.local bash -c '
                     SYMFONY_ENV=ci composer install --prefer-dist -n -o --ignore-platform-reqs && \
                     ./app/console cache:clear --env=ci && \
                     cd theme && CYPRESS_INSTALL_BINARY=0 yarn install --frozen-lockfile && EB_THEME=skeune yarn build
@@ -38,13 +38,13 @@ jobs:
               if: always()
               run: |
                   cd docker && \
-                  docker compose exec -T --user www-data php-fpm.vm.openconext.org bash -c '
+                  docker compose exec -T --user www-data engine.dev.openconext.local bash -c '
                     EB_THEME=skeune ./theme/scripts/prepare-test.js
                   ' && \
                   docker compose exec -T cypress bash -c '
                     cd e2e && yarn install && cypress run --spec cypress/integration/skeune/**/*.spec.js,cypress/integration/shared/*.spec.js --browser=chrome --headless
                   ' && \
-                  docker compose exec -T --user www-data php-fpm.vm.openconext.org bash -c '
+                  docker compose exec -T --user www-data engine.dev.openconext.local bash -c '
                     EB_THEME=openconext ./theme/scripts/prepare-test.js
                   ' && \
                   docker compose exec -T cypress bash -c '

diff --git a/.github/workflows/test-integration.yml b/.github/workflows/test-integration.yml
@@ -29,15 +29,15 @@ jobs:
               run: |
                 cd docker &&
                 ${DOCKER_COMPOSE} up -d --build &&
-                docker compose exec -T --user www-data php-fpm.vm.openconext.org bash -c '
+                docker compose exec -T --user www-data engine.dev.openconext.local bash -c '
                     SYMFONY_ENV=ci composer install --prefer-dist -n -o --ignore-platform-reqs && \
                     ./app/console cache:clear --env=ci && \
                     cd theme && CYPRESS_INSTALL_BINARY=0 yarn install --frozen-lockfile && EB_THEME=skeune yarn build
                 '
             - name: Run code quality tests
               if: always()
               run: |
-                  cd docker && docker compose exec -T --user www-data php-fpm.vm.openconext.org bash -c '
+                  cd docker && docker compose exec -T --user www-data engine.dev.openconext.local bash -c '
                       echo -e "\nPHP Mess Detector\n" && \
                       ./vendor/bin/phpmd src text ci/qa-config/phpmd.xml --exclude */Tests/* && \
                       echo -e "\nPHP CodeSniffer\n" && \
@@ -52,7 +52,7 @@ jobs:
             - name: Run unit tests
               if: always()
               run: |
-                  cd docker && APP_ENV=ci docker compose exec -T --user www-data php-fpm.vm.openconext.org bash -c '
+                  cd docker && APP_ENV=ci SYMFONY_ENV=ci docker compose exec -T --user www-data engine.dev.openconext.local bash -c '
                       echo -e "\nInstalling database fixtures...\n" && \
                       ./app/console doctrine:schema:drop --force --env=ci && \
                       ./app/console doctrine:schema:create --env=ci && \
@@ -70,7 +70,7 @@ jobs:
             - name: Run acceptance tests
               if: always()
               run: |
-                  cd docker && docker compose exec -T --user www-data php-fpm.vm.openconext.org bash -c '
+                  cd docker && docker compose exec -T --user www-data engine.dev.openconext.local bash -c '
                       echo -e "\nInstalling database fixtures...\n" && \
                       ./app/console doctrine:schema:drop --force --env=ci && \
                       ./app/console doctrine:schema:create --env=ci && \
@@ -86,7 +86,7 @@ jobs:
             - name: Run linting tests
               if: always()
               run: |
-                  cd docker && docker compose exec -T --user www-data php-fpm.vm.openconext.org bash -c '
+                  cd docker && docker compose exec -T --user www-data engine.dev.openconext.local bash -c '
                       echo -e "\nTwig lint\n"  && \
                       app/console lint:twig theme/ && \
                       cd theme && \
@@ -98,7 +98,7 @@ jobs:
             - name: Show log on failure
               if: failure()
               run:  |
-                  cd docker && docker compose exec -T php-fpm.vm.openconext.org cat /opt/openconext/OpenConext-engineblock/app/logs/ci/ci.log
+                  cd docker && docker compose exec -T engine.dev.openconext.local cat /var/www/html/app/logs/ci/ci.log
             - name: Send notification on production build nightly build failure
               uses: sonots/slack-notice-action@v3
               with:

diff --git a/README.md b/README.md
@@ -42,7 +42,7 @@ Finally, when not in an environment with the debug flag enabled, you need to cle
 $ php72 ./app/console cache:clear --env=prod
 ```
 
-To setup the required tooling on the VM, the following steps might be useful:
+To setup the required tooling on the container, the following steps might be useful:
 
     cd /opt/openconext/OpenConext-engineblock/theme
     sudo curl --silent --location https://rpm.nodesource.com/setup_11.x | sudo bash -
@@ -82,12 +82,12 @@ it is only regularly tested with RedHat Enterprise Linux and CentOS._
 
 ## Installation
 
-_**Note**: you are highly encouraged to use [OpenConext-Deploy][op-dep] to deploy OpenConext installations._
+_**Note**: you are highly encouraged to use [OpenConext-Devconf][op-dev] to deploy OpenConext installations._
 
 If you are reading this then you've probably already installed a copy of EngineBlock somewhere on the destination server,
 if not, then that would be step 1 for the installation.
 
-If you do not use [OpenConext-Deploy][op-dep] and have an installed copy and your server meets all the requirements
+If you do not use [OpenConext-Devconf][op-dev] and have an installed copy and your server meets all the requirements
 above, then please follow the steps below to start your installation.
 
 ### First, create an empty database
@@ -143,11 +143,11 @@ It should also serve both the `engine.yourdomain.example` and `engine-api.yourdo
 Make sure the `ENGINEBLOCK_ENV` is set, and that the `SYMFONY_ENV` is set, this can be mapped from `ENGINEBLOCK_ENV` as:
 
 | `ENGINEBLOCK_ENV` | `SYMFONY_ENV` |
-| --- | --- |
-| production | prod |
-| acceptance | acc |
-| test | test |
-| vm | dev |
+|-------------------| --- |
+| production        | prod |
+| acceptance        | acc |
+| test              | test |
+| dev               | dev |
 
 **EXAMPLE**
 
@@ -254,7 +254,7 @@ Also, the following documentation can be found in the [docs][docs] directory:
 [notice]: NOTICE.txt
 [upgrading]: UPGRADING.md
 [comp]: https://getcomposer.org/
-[op-dep]: https://github.com/OpenConext/OpenConext-deploy
+[op-dev]: https://github.com/OpenConext/OpenConext-devconf
 [manage]: https://github.com/OpenConext/OpenConext-manage
 [eb-wiki-theme-development]: https://github.com/OpenConext/OpenConext-engineblock/wiki/Development-Guidelines#theme-development
 [wiki]: https://github.com/OpenConext/OpenConext-engineblock/wiki

diff --git a/app/AppKernel.php b/app/AppKernel.php
@@ -60,17 +60,19 @@ public function registerContainerConfiguration(LoaderInterface $loader)
 
     public function getCacheDir()
     {
-        // In the dev & test environments use a folder outside the shared filesystem. This greatly improves cache clear
-        // and warmup time.
-        if ($this->getEnvironment() === 'dev' || $this->getEnvironment() === 'test') {
-            return sprintf('/tmp/engineblock/cache/%s', $this->getEnvironment());
-        }
-
         return $this->rootDir . '/cache/' . $this->environment;
     }
 
     public function getLogDir()
     {
         return $this->rootDir . '/logs/' . $this->environment;
     }
+
+    public function getProjectDir()
+    {
+        // This is needed to define the project dir without composer.json
+        // @see: https://symfony.com/doc/current/reference/configuration/kernel.html#configuration-kernel-project-directory
+        return \dirname(__DIR__);
+    }
+
 }
diff --git a/app/config/config_ci.yml b/app/config/config_ci.yml
@@ -10,15 +10,15 @@ doctrine:
                 driver:   pdo_mysql         # This must be PDO until all database interaction runs through doctrine
                 server_version: 5.5
                 dbname:   "%database.dbname%"
-                host:     "db.vm.openconext.org"
+                host:     "mariadb"
                 port:     "%database.port%"
                 user:     "%database.user%"
                 password: "%database.password%"
             engineblock_test:
                 driver:   pdo_mysql         # This must be PDO until all database interaction runs through doctrine
                 server_version: 5.5
                 dbname:   "%database.test.dbname%"
-                host:     "db-test.vm.openconext.org"
+                host:     "mariadb"
                 port:     "%database.test.port%"
                 user:     "%database.test.user%"
                 password: "%database.test.password%"
diff --git a/app/config/functional_testing.yml.dist b/app/config/functional_testing.yml.dist
@@ -5,4 +5,4 @@ parameters:
     # Where must we store the writable state of the Mock IdP and Mock SP?
     idp_fixture_file: '/tmp/eb-fixtures/db/idp.states.php.serialized'
     sp_fixture_file: '/tmp/eb-fixtures/db/sp.states.php.serialized'
-    stepup.sfo.override_engine_entityid: 'https://engine.vm.openconext.com/new/stepup/metadata'
+    stepup.sfo.override_engine_entityid: 'https://engine.dev.openconext.local/new/stepup/metadata'
diff --git a/app/config/parameters.yml.dist b/app/config/parameters.yml.dist
@@ -11,11 +11,11 @@ parameters:
     ## from the Host header will be used) or set to match the domain
     ## setting. For example:
     ##
-    ##    domain = vm.openconext.org
-    ##    hostname = engine.vm.openconext.org
-    domain: vm.openconext.org
+    ##    domain = dev.openconext.local
+    ##    hostname = engine.dev.openconext.local
+    domain: dev.openconext.local
     ## Set a fixed hostname for OpenConext EngineBlock to use.
-    hostname: engine.vm.openconext.org
+    hostname: engine.dev.openconext.local
 
     ## Configure trusted proxies to use their X-Forwarded-For header.
     trusted_proxies:
@@ -43,8 +43,8 @@ parameters:
     ## or requests (when it acts as an SP) it uses these X.509 certs.
     encryption_keys:
         default:
-            publicFile: /etc/openconext/engineblock.crt
-            privateFile: /etc/openconext/engineblock.pem
+            publicFile: /config/engine/engineblock.crt
+            privateFile: /config/engine/engineblock.pem
 
     ## List of signature methods explicitly forbidden by EngineBlock.
     forbidden_signature_methods: {  }
@@ -73,7 +73,7 @@ parameters:
 
     ## EngineBlock API credentials
     ## The API user config, allows for configuration of multiple different users
-    api.users.metadataPush.username: serviceregistry
+    api.users.metadataPush.username: manage
     api.users.metadataPush.password: secret
     api.users.profile.username: profile
     api.users.profile.password: secret
@@ -84,7 +84,7 @@ parameters:
     ## PDP SETTINGS
     ##########################################################################################
     ## Location of PDP
-    pdp.host: 'https://pdp.vm.openconext.org'
+    pdp.host: 'https://pdp.dev.openconext.local'
 
     ## PDP uses basic auth
     pdp.username: pdp_admin
@@ -96,7 +96,7 @@ parameters:
     ## ATTRIBUTE AGGREGATION SETTINGS
     ##########################################################################################
     ## Location of AA
-    attribute_aggregation.base_url: 'https://aa.vm.openconext.org/aa/api/internal/attribute/aggregation'
+    attribute_aggregation.base_url: 'https://aa.dev.openconext.local/internal/attribute/aggregation'
     attribute_aggregation.username: eb
     attribute_aggregation.password: secret
 
@@ -119,12 +119,12 @@ parameters:
     ##########################################################################################
     ## DATABASE SETTINGS
     ##########################################################################################
-    database.host: localhost
+    database.host: mariadb
     database.port: '3306'
     database.user: ebrw
     database.password: secret
     database.dbname: eb
-    database.test.host: localhost
+    database.test.host: mariadb
     database.test.port: '3306'
     database.test.user: eb_testrw
     database.test.password: secret
@@ -138,13 +138,13 @@ parameters:
     ## Minimum execution time in milliseconds when a received response is deemed invalid (default: 5000 ms)
     minimum_execution_time_on_invalid_received_response: 5000
     ## The value for guest qualifier. Can be overridden for specific environments
-    addgueststatus_guestqualifier: 'urn:collab:org:vm.openconext.org'
+    addgueststatus_guestqualifier: 'urn:collab:org:dev.openconext.local'
 
     ## Language cookie settings
     ## The value for the domain is also used for clearing SSO Notification cookies if the feature is enabled
     cookie.path: /
     cookie.secure: true
-    cookie.locale.domain: .vm.openconext.org
+    cookie.locale.domain: .dev.openconext.local
     cookie.locale.expiry: 5184000
     cookie.locale.http_only: false
     cookie.locale.secure: true
@@ -157,7 +157,7 @@ parameters:
     view_default_logo_height: 96
     # when set, will show a ribbon top-right to visually distinguish this install from other
     # environments in your constellation (e.g. "test", "qa"), with the given ribbon color in
-    # env_ribbon_color. You can choose from colors: crimson,darkorchid,orange,hotpink,khaki.
+    # env_ribbon_color. You can choose from colors: crimson,orange,hotpink,khaki.
     env_name: ""
     env_ribbon_color: ""
 
@@ -178,7 +178,7 @@ parameters:
 
     ## Toggle the default IdP quick link banner on the WAYF.
     wayf.display_default_idp_banner_on_wayf: true
-    wayf.default_idp_entity_id: https://default-idp.vm.openconext.org
+    wayf.default_idp_entity_id: https://default-idp.dev.openconext.local
 
     ## Toggle display & content of global site notice
     global.site_notice.show: false
@@ -221,7 +221,7 @@ parameters:
     feature_api_metadata_api: true
     feature_api_deprovision: true
     feature_run_all_manipulations_prior_to_consent: false
-    feature_block_user_on_violation: true
+    feature_block_user_on_violation: false
     feature_enable_consent: true
     feature_stepup_sfo_override_engine_entityid: false
     feature_enable_idp_initiated_flow: true
@@ -230,40 +230,42 @@ parameters:
     ## PROFILE SETTINGS
     ##########################################################################################
     ## Location of Profile
-    profile_base_url: 'https://profile.vm.openconext.org'
+    profile_base_url: 'https://profile.dev.openconext.local'
 
     ##########################################################################################
     ## SFO SETTINGS
     ##########################################################################################
     ## This PCRE regex is used to blacklist incoming AuthnContextClassRef attributes on. If an empty string is used
     ## the validation is skipped. The validator will throw an exception if the used regex is invalid.
-    stepup.authn_context_class_ref_blacklist_regex: '/http:\/\/vm\.openconext\.org\/assurance\/loa[1-3]/'
+    stepup.authn_context_class_ref_blacklist_regex: '/http:\/\/dev\.openconext\.local\/assurance\/loa[1-3]/'
     ## The loa mapping from the internal used LoA's to the Stepup Gateway LOA's.
     ## Specification of the mapping: stepup.loa.mapping.[int 1|2|3].[string engineblock|gateway]
     ## The integer after the mapping field indicates the LoA level (1, 2 or 3 are supported).
     ## The engineblock or gateway keys specify the LoAs identifier as will be carried in the AuthnContextClassRef of an assertion.
     stepup.loa.mapping:
         10:
-            engineblock: 'http://vm.openconext.org/assurance/loa1'
-            gateway: 'http://stepup.vm.openconext.org/assurance/loa1'
+            engineblock: 'http://dev.openconext.local/assurance/loa1'
+            gateway: 'http://dev.openconext.local/assurance/loa1'
         15:
-            engineblock: 'http://vm.openconext.org/assurance/loa1_5'
-            gateway: 'http://stepup.vm.openconext.org/assurance/loa1_5'
+            engineblock: 'http://dev.openconext.local/assurance/loa1_5'
+            gateway: 'http://dev.openconext.local/assurance/loa1_5'
         20:
-            engineblock: 'http://vm.openconext.org/assurance/loa2'
-            gateway: 'http://stepup.vm.openconext.org/assurance/loa2'
+            engineblock: 'http://dev.openconext.local/assurance/loa2'
+            gateway: 'http://dev.openconext.local/assurance/loa2'
         30:
-            engineblock: 'http://vm.openconext.org/assurance/loa3'
-            gateway: 'http://stepup.vm.openconext.org/assurance/loa3'
+            engineblock: 'http://dev.openconext.local/assurance/loa3'
+            gateway: 'http://dev.openconext.local/assurance/loa3'
     ## The fallback LoA to return when the Stepup authentication fails but is not required
-    stepup.loa.loa1: 'http://vm.openconext.org/assurance/loa1'
+    stepup.loa.loa1: 'http://dev.openconext.local/assurance/loa1'
     ## The EntityId (metadata URL) used in the callout to the SFO endpoint of the configured Stepup Gateway
-    stepup.gateway.sfo.entity_id: 'https://gateway.stepup.vm.openconext.org/second-factor-only/metadata'
+    stepup.gateway.sfo.entity_id: 'https://gateway.dev.openconext.local/second-factor-only/metadata'
     ## The single sign-on endpoint used for Stepup Gateway SFO callouts
-    stepup.gateway.sfo.sso_location: 'https://gateway.stepup.vm.openconext.org/second-factor-only/single-sign-on'
+    stepup.gateway.sfo.sso_location: 'https://gateway.dev.openconext.local/second-factor-only/single-sign-on'
     ## The public key from the Stepup Gateway IdP
-    stepup.gateway.sfo.key_file: /etc/openconext/engineblock.crt
-    stepup.sfo.override_engine_entityid: 'https://engine.vm.openconext.com/new/stepup/metadata'
+    stepup.gateway.sfo.key_file: /config/engine/engineblock.crt
+    ## You can override the default entityID used by Engineblock for its callout to stepup gateway.
+    ## You also need to enable the feature toggle feature_stepup_sfo_override_engine_entityid above.
+    stepup.sfo.override_engine_entityid: "https://engine.dev.openconext.local/new/stepup/metadata"
 
     ##########################################################################################
     ## THEME SETTINGS
@@ -303,4 +305,3 @@ parameters:
     # used in the authentication log record. The attributeName will be searched in the response attributes and if present
     # the log data will be enriched. The values of the response attributes are the final values after ARP and Attribute Manipulation.
     auth.log.attributes: []
-