Merge branch 'main' into add-acc-weblogin

.github/workflows/main.yml

@@ -95,7 +95,7 @@ jobs:
         shell: bash
         env:
           SKIP_ANSIBLE: 1
-        run: "./start-vm"
+        run: "./start-vm --classic"
 
       # Clean  up old docker cruft
       - name: Clean  up old docker cruft
@@ -125,13 +125,13 @@ jobs:
       # Deploy components
       - name: Run start-vm
         shell: bash
-        run: "./start-vm"
+        run: "./start-vm --classic"
 
       # Deploy components again for idempotency
       - name: Run start-vm --diff
         env:
           REEANTRANT: 1
-        run: "./start-vm --diff"
+        run: "./start-vm --classic --diff"
 
       - name: Run idempotency check...
         run: /usr/bin/python3 ./scripts/check-idempotency-status

.gitignore

@@ -27,3 +27,4 @@ screenshot.png
 page.html
 console.txt
 ignore.main.yml
+surf-deploy-local

environments/docker/group_vars/container.yml

@@ -171,3 +171,8 @@ sbs_ssid_identity_providers:
 
 sbs_notifications_enabled: True
 sbs_cron_hour_of_day: "4"
+
+# Any last_login_date in the past triggers suspension notification
+sbs_suspension_inactive_days: 0
+# Second suspension cron will suspend notified users
+sbs_suspension_reminder_days: -1

roles/apt/tasks/main.yml

@@ -62,6 +62,7 @@
       - "vim"
       - "wget"
       - "xz-utils"
+      - "zstd"
 
 - name: Upgrade packages
   apt:

roles/backups/templates/upload-backup.sh.j2

@@ -18,7 +18,7 @@ HOSTNAME=$( hostname )
 cd "$BACKUP_DIR"
 
 # find all backup files that were created more recently dan 30 minutes ago
-files=$( find -mindepth 2 -name '*.gz' -o -name '*.bz2' -cmin -30 )
+files=$( find -mindepth 2 -cmin -30 '(' -name '*.gz' -o -name '*.bz2' -o -name '*.zst' ')' )
 
 if [ -z "$files" ]
 then

roles/ci-test/files/resume.html

@@ -1,5 +1,7 @@
-<html><body>
+<html lang="en">
+<body>
 <form id='oidc' action="/" method="post"></form>
 <script type="text/javascript" src="resume.js"></script>
-</body></html>
+</body>
+</html>
 

roles/demo-apache/files/index.html

@@ -1,12 +1,13 @@
-<html>
+<html lang="en">
 <head>
+    <title>SRAM demos</title>
 </head>
-  <body>
-    <p>
-      <a href="/ep/">Etherpad Demo</a>
-    </p>
-    <p>
-      <a href="/wp/">Wordpress Demo</a>
-    </p>
-  </body>
+<body>
+<p>
+    <a href="/ep/">Etherpad Demo</a>
+</p>
+<p>
+    <a href="/wp/">WordPress Demo</a>
+</p>
+</body>
 </html>

roles/demo-apache/templates/apache.conf.j2

@@ -1,4 +1,5 @@
 {% if letsencrypt_enabled %}
+SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
 <VirtualHost *:443>
 {% else %}
 <VirtualHost *:80>
@@ -17,11 +18,12 @@
         SSLEngine on
         SSLCertificateFile    /etc/letsencrypt/live/{{demo_hosts.demo1}}/fullchain.pem
         SSLCertificateKeyFile /etc/letsencrypt/live/{{demo_hosts.demo1}}/privkey.pem
-        SSLProtocol           all -SSLv3 -TLSv1 -TLSv1.1
-        SSLCipherSuite        ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
-        SSLHonorCipherOrder   on
-        SSLCompression        off
-        SSLSessionTickets     off
+
+        SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
+        SSLHonorCipherOrder     off
+        SSLSessionTickets       off
+
+        SSLUseStapling On
 
         Header always set Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-src 'none'; form-action 'self' https://*.{{base_domain}}; frame-ancestors 'none'; block-all-mixed-content;"
         Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;"

roles/demo-sp/files/index.html

@@ -1,4 +1,5 @@
 <!doctype html>
+<!--suppress HtmlUnknownTarget -->
 <html lang="en">
   <head>
     <meta charset="utf-8">

roles/docker_ldap/tasks/main.yml

@@ -112,7 +112,7 @@
     state: started
     # pull: true
     ports:
-      - 389:1389
+      - 127.0.0.1:389:1389
     #   - 636:1636
     env:
       LDAP_ROOT: "{{ services_ldap.basedn }}"

roles/docker_sbs/defaults/main.yml

@@ -82,6 +82,7 @@ sbs_second_factor_authentication_required: True
 sbs_totp_token_name: "SRAM-example"
 sbs_notifications_enabled: True
 sbs_invitation_reminders_enabled: True
+sbs_invitation_expirations_enabled: True
 sbs_open_requests_enabled: True
 sbs_scim_sweep: False
 sbs_impersonation_allowed: True
@@ -91,6 +92,7 @@ sbs_mock_scim_enabled: True
 
 sbs_delete_orphaned: True
 sbs_suspension_inactive_days: 365
+sbs_suspension_reminder_days: 14
 sbs_suspension_notify_admin: False
 
 sbs_oidc_config_url: "http://localhost/.well-known/openid-configuration"

roles/docker_sbs/templates/sbs-apache.j2

@@ -5,9 +5,6 @@ DocumentRoot /var/www/html
 
 Header set Content-Security-Policy "default-src 'self'; base-uri 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-src 'none'; form-action 'self' https://*.{{ base_domain }}; frame-ancestors 'none'; block-all-mixed-content;"
 Header set Permissions-Policy      "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(self), gamepad=(), speaker-selection=()"
-<If "%{REQUEST_URI} =~ m#^/api/images/.+$#">
-    Header set Cache-Control:  "public, max-age=31536000, immutable"
-</If>
 
 RewriteEngine On
 RewriteCond %{REQUEST_URI} !^/(api|pam-weblogin|flasgger_static|swagger|health|config|info|socket.io)
@@ -20,6 +17,14 @@ ProxyPassReverse /socket.io/ ws://{{ containers.sbs }}:{{sbs_backend_port}}/sock
 ProxyPassMatch ^/(api|pam-weblogin|flasgger_static|swagger|health|config|info) http://{{ containers.sbs }}:{{sbs_backend_port}}/
 ProxyPassReverse / http://{{ containers.sbs }}:{{sbs_backend_port}}/
 
+<If "%{REQUEST_URI} =~ m#^/api/images/#">
+    Header set Cache-Control:  "public, max-age=31536000, immutable"
+</If>
+<ElseIf "%{REQUEST_URI} =~ m#^/(api|pam-weblogin|flasgger_static|swagger|health|config|info)#">
+    Header set Cache-Control:  "no-cache, private"
+</ElseIf>
+
+
 <Directory /var/www/html>
     Require all granted
     Options -Indexes

roles/http_redirect/templates/http-redirect.conf.j2

@@ -6,7 +6,6 @@ server {
 
 add_header X-Content-Type-Options "nosniff";
     add_header X-Frame-Options "sameorigin";
-    add_header X-XSS-Protection "1; mode=block";
     add_header Referrer-Policy "strict-origin-when-cross-origin";
     add_header Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-src 'none'; form-action 'self' https://*.{{base_domain}}; frame-ancestors 'none'; block-all-mixed-content;";
     add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=()";
@@ -25,7 +24,6 @@ server {
 
 add_header X-Content-Type-Options "nosniff";
     add_header X-Frame-Options "sameorigin";
-    add_header X-XSS-Protection "1; mode=block";
     add_header Referrer-Policy "strict-origin-when-cross-origin";
     add_header Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-src 'none'; form-action 'self' https://*.{{base_domain}}; frame-ancestors 'none'; block-all-mixed-content;";
     add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=()";

roles/nginx/files/security_headers

@@ -1,5 +1,4 @@
 add_header X-Frame-Options "sameorigin";
-add_header X-XSS-Protection "1; mode=block";
 add_header X-Content-Type-Options "nosniff";
 add_header Referrer-Policy "strict-origin-when-cross-origin";
 

roles/oidc-op/files/sram_user_pass.jinja2

@@ -1,5 +1,6 @@
 <!doctype html>
 
+<!--suppress HtmlUnknownTarget -->
 <html lang="en">
 <head>
     <meta charset="utf-8">

roles/sbs/defaults/main.yml

@@ -79,6 +79,7 @@ sbs_second_factor_authentication_required: True
 sbs_totp_token_name: "SRAM"
 sbs_notifications_enabled: True
 sbs_invitation_reminders_enabled: True
+sbs_invitation_expirations_enabled: True
 sbs_open_requests_enabled: True
 sbs_scim_sweep: False
 sbs_impersonation_allowed: False
@@ -88,6 +89,7 @@ sbs_mock_scim_enabled: False
 
 sbs_delete_orphaned: True
 sbs_suspension_inactive_days: 365
+sbs_suspension_reminder_days: 14
 sbs_suspension_notify_admin: False
 
 sbs_oidc_config_url: "http://localhost/.well-known/openid-configuration"

roles/sbs/templates/backup-database.sh.j2

@@ -25,6 +25,6 @@ mysqldump --host="{{ sbs_db_host }}" \
           --disable-keys --extended-insert \
           --databases "{{ sbs_db_name }}" \
     > "${BACKUP_FILE}"
-bzip2 "${BACKUP_FILE}"
+zstd -qq --rm "${BACKUP_FILE}"
 
 exit 0

roles/sbs/templates/config.yml.j2

@@ -132,14 +132,6 @@ metadata:
   idp_url: "{{sbs_idp_metadata_url}}"
   parse_at_startup: True
 
-service_bus:
-  enabled: False
-  host: "localhost"
-  client_id: "sbs"
-  user: "sbs"
-  password: "unused"
-
-
 platform_admin_notifications:
   # Do we daily check for CO join_requests and CO requests and send a summary mail to beheer_email?
   enabled: False
@@ -162,9 +154,11 @@ user_requests_retention:
 retention:
   cron_hour_of_day: {{ sbs_cron_hour_of_day }}
   # how many days of inactivity before a user is suspended
+  #   0 allows for any last_login_date in the past to trigger suspension notification
   allowed_inactive_period_days: {{ sbs_suspension_inactive_days }}
   # how many days before suspension do we send a warning
-  reminder_suspend_period_days: 14
+  #   -1 will suspend notified users on second suspension cron
+  reminder_suspend_period_days: {{ sbs_suspension_reminder_days }}
   # how many days after suspension do we delete the account
   remove_suspended_users_period_days: 90
   # how many days before deletion do we send a reminder
@@ -208,6 +202,15 @@ invitation_reminders:
   # How many days before expiration of an invitation do we remind the user?
   invitation_reminders_threshold: 5
 
+invitation_expirations:
+  # Do we daily check for invitations that are expired / accepted and are eligible for deletion ?
+  enabled: {{ sbs_invitation_expirations_enabled }}
+  cron_hour_of_day: {{ sbs_cron_hour_of_day }}
+  # How long after expiration of an invitation do we delete the invitation?
+  nbr_days_remove_expired_invitations: 10
+  # How long after expiration of an API created invitation do we delete the invitation?
+  nbr_days_remove_api_expired_invitations: 30
+
 orphan_users:
   # Do we daily check for users that are orphans soo they can be deleted?
   enabled:  {{ sbs_delete_orphaned }}

roles/sbs/templates/sbs-nginx.j2

@@ -33,10 +33,23 @@ server {
     }
 
     location ~ /(api|pam-weblogin|flasgger_static|swagger|health|config|info) {
+        include proxy_params;
+        proxy_pass http://127.0.0.1:8080;
+
+        proxy_hide_header Content-Security-Policy;
         add_header Content-Security-Policy $csp;
+        proxy_hide_header Cache-Control;
         add_header Cache-Control "nocache, private";
+    }
+
+    location ^~ /api/images {
         include proxy_params;
         proxy_pass http://127.0.0.1:8080;
+
+        proxy_hide_header Content-Security-Policy;
+        add_header Content-Security-Policy $csp;
+        proxy_hide_header Cache-Control;
+        add_header Cache-Control "max-age=31536000, public, immutable";
     }
 
     location /socket.io {

roles/scim_monitor/tasks/main.yml

@@ -78,6 +78,7 @@
     name: "letsencrypt"
     public: true
   vars:
+    letsencrypt_enabled: true
     letsencrypt_staging: false
     letsencrypt_hosts:
       - "{{ scim_monitor_hostname }}"
@@ -151,5 +152,5 @@
     dest: "/etc/zabbix/zabbix_agent2.d/{{item}}"
     mode: "0644"
   with_items:
-    - sram-scimmonitor.conf
+    - "sram-scimmonitor.conf"
   notify: "restart zabbix-agent"

roles/scim_monitor/templates/scimmonitor.sh.j2

@@ -26,8 +26,9 @@ DIFF=$(
 )
 
 # output to status file
-date '+%s' > $STATUSFILE
-echo -n "$DIFF" | wc -l >> $STATUSFILE
+NOW=$(date '+%s')
+DIFFNR=$(echo -n "$DIFF"| wc -l)
+echo '{"time":'$NOW',"diff":'$DIFFNR'}' > $STATUSFILE
 echo -n "$DIFF"         >> $STATUSFILE
 
 if [ -z "$DIFF" ]

roles/scim_monitor/templates/sram-scimmonitor.conf.j2

@@ -1,4 +1,3 @@
-# two parameters:
-# first is env name (tst, acc, prd) corresponding to statsu file
-# second is line in file to request (1==timestamp, 2==diff lines)
-UserParameter=sram.scimmonitor[*],cat {{scim_monitor_status_dir}}/status-$1 | head -n $2 | tail -n 1
+# parameter is env name (tst, acc, prd) corresponding to status file
+# returns json with data from status file
+UserParameter=sram.scimmonitor[*],cat {{scim_monitor_status_dir}}/status-$1 | head -n 1

roles/scim_monitor/templates/sram-scimmonitor.timer.j2

@@ -2,7 +2,7 @@
 Description=SCIM Monitor timer
 
 [Timer]
-OnCalendar=*:{{2+extra_min}}/15
+OnCalendar=*:{{7+extra_min}}/15
 
 [Install]
 WantedBy=multi-user.target

scripts/check-idempotency-status

@@ -12,6 +12,9 @@ WHITELIST = {
 
 
 class Color(Enum):
+    def __str__(self):
+        return self.value
+
     # Foreground
     F_Default      = "\x1b[39m"
     F_Black        = "\x1b[30m"

scripts/sbs-login.py

@@ -13,15 +13,14 @@
 from selenium.webdriver.support.expected_conditions import staleness_of, presence_of_element_located
 from selenium.webdriver.common.by import By
 
-
 # check that we have selenium version 4
 assert selenium_version.startswith('4.'), f"Expected selenium version 4.x.x, got {selenium_version}"
 
 
 class CustomChrome(webdriver.Chrome):
-    def get(self, url) -> None:
-        print(f"Fetching page '{url}'")
-        return super(CustomChrome, self).get(url)
+    def get(self, get_url) -> None:
+        print(f"Fetching page '{get_url}'")
+        return super(CustomChrome, self).get(get_url)
 
 
 options = webdriver.chrome.options.Options()
@@ -101,8 +100,8 @@ def get(self, url) -> None:
 
     # Test admin attributes
     attributes = browser.find_elements(By.XPATH, "//table[@class='my-attributes']/*/*/*")
-    # for a in attributes:
-    #     print(f"a.text: {a.text}")
+    # for attr in attributes:
+    #     print(f"attr.text: {attr.text}")
     assert ('SCZ Admin' in [a.text for a in attributes]), "No valid admin profile found"
     print(" - profile ok")
 
@@ -164,6 +163,7 @@ def get(self, url) -> None:
     print("  ", tr.line)
 
     from bs4 import BeautifulSoup
+
     page = BeautifulSoup(browser.page_source, 'html.parser').prettify()
     with open("page.html", "w") as f:
         f.write(page)

scripts/vault-rekey.py

@@ -17,14 +17,14 @@
 from os.path import join as join_path
 from tempfile import gettempdir
 from ansible.parsing.vault import VaultEditor, VaultLib, VaultSecret
-from ansible.constants import DEFAULT_VAULT_IDENTITY
 from ansible.errors import AnsibleError
 from getpass import getpass
 
 VAULT_REGEX = re.compile(r'(?P<vault>^(?P<indent>\s*)\$ANSIBLE_VAULT\S*\n(?:\s*\w+\n)*)', re.MULTILINE)
 
 temp_count = 0
 
+DEFAULT_VAULT_IDENTITY='default'
 
 class ReKeyError(Exception):
     __slots__ = 'lineno', 'cause'