Merge pull request #52 from shingo78/update/ubuntu-24.04-replace-j2

Update ubuntu to 24.04 and replace j2cli with jinja2-cli

Author: shingo78

auth-proxy/Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:22.04
+FROM ubuntu:24.04
 
 ARG SIMPLESAMLPHP_VERSION="2.3.7"
 ARG ATTRIBUTE_AGGREGATOR_URL="https://github.com/NII-cloud-operation/simplesamlphp-module-attributeaggregator"
@@ -135,10 +135,14 @@ COPY resources/supervisord.conf /etc/
 RUN set -x \
     && apt-get update \
     && apt-get -y --no-install-recommends --no-install-suggests install \
-       python3-pip \
+       python3-venv \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/* \
-    && pip install --no-cache-dir j2cli
+    && mkdir /opt/venv \
+    && python3 -m venv /opt/venv \
+    && /opt/venv/bin/pip install --no-cache-dir jinja2-cli
+
+ENV PATH=/opt/venv/bin:$PATH
 
 # Install config template files
 COPY resources/etc/templates /etc/templates

auth-proxy/resources/etc/templates/authsources.php.j2

@@ -10,7 +10,7 @@ $config = [
         'core:AdminPassword',
     ],
 
-    {% set enable_federation = env("ENABLE_FEDERATION", "no")%}
+    {% set enable_federation = environ("ENABLE_FEDERATION") | default("no", true) %}
 
     // An authentication source which can authenticate against SAML 2.0 IdPs.
     'default-sp' => [
@@ -20,17 +20,17 @@ $config = [
 
         // The entity ID of this SP.
         {% if enable_federation=="1" or enable_federation=="yes" %}
-        'entityID' => 'https://{{ env("MASTER_FQDN") }}/shibboleth-sp',
+        'entityID' => 'https://{{ environ("MASTER_FQDN") }}/shibboleth-sp',
         {% else %}
-        'entityID' => 'https://{{ env("MASTER_FQDN") }}/simplesaml/module.php',
+        'entityID' => 'https://{{ environ("MASTER_FQDN") }}/simplesaml/module.php',
         {% endif %}
 
         // The entity ID of the IdP this SP should contact.
         // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
         {% if enable_federation=="1" or enable_federation=="yes" %}
         'idp' => null,
         {% else %}
-        'idp' => 'https://{{ env("AUTH_FQDN") }}/simplesaml/saml2/idp/metadata.php',
+        'idp' => 'https://{{ environ("AUTH_FQDN") }}/simplesaml/saml2/idp/metadata.php',
         {% endif %}
 
         // The URL to the discovery service.

auth-proxy/resources/etc/templates/config.php.j2

@@ -195,7 +195,7 @@ $config = [
      * metadata listing and diagnostics pages.
      * You can also put a hash here; run "bin/pwgen.php" to generate one.
      */
-    'auth.adminpassword' => '{{ env("SIMPLESAMLPHP_ADMIN_PASSWORD", "axsh0720") }}',
+    'auth.adminpassword' => '{{ environ("SIMPLESAMLPHP_ADMIN_PASSWORD") }}',
 
     /*
      * Set this option to true if you want to require administrator password to access the metadata.
@@ -282,11 +282,11 @@ $config = [
         'Referrer-Policy' => 'origin-when-cross-origin',
     ],
 
-    {% set enable_federation = env("ENABLE_FEDERATION", "no")%}
+    {% set enable_federation = environ("ENABLE_FEDERATION") | default("no", true) %}
 
     {% if enable_federation=="1" or enable_federation=="yes" %}
     'disco.headers.security' => [
-        'Content-Security-Policy' => "default-src 'none'; frame-ancestors 'self'; object-src 'none'; script-src 'self' 'unsafe-inline' https://{{ env("DS_FQDN", default="ds.gakunin.nii.ac.jp" )}}; style-src 'self' 'unsafe-inline' https://{{ env("DS_FQDN", default="ds.gakunin.nii.ac.jp") }}; font-src 'self'; connect-src 'self'; img-src 'self' data: https:; base-uri 'none'",
+        'Content-Security-Policy' => "default-src 'none'; frame-ancestors 'self'; object-src 'none'; script-src 'self' 'unsafe-inline' https://{{ environ("DS_FQDN") | default("ds.gakunin.nii.ac.jp", true)}}; style-src 'self' 'unsafe-inline' https://{{ environ("DS_FQDN") | default("ds.gakunin.nii.ac.jp", true) }}; font-src 'self'; connect-src 'self'; img-src 'self' data: https:; base-uri 'none'",
     ],
     {% endif %}
 
@@ -370,7 +370,7 @@ $config = [
      * must exist and be writable for SimpleSAMLphp. If set to something else, set
      * loggingdir above to 'null'.
      */
-    'logging.level' => SimpleSAML\Logger::{{ env("SIMPLESAMLPHP_LOGLEVEL", "INFO") }},
+    'logging.level' => SimpleSAML\Logger::{{ environ("SIMPLESAMLPHP_LOGLEVEL") | default("INFO", true) }},
     'logging.handler' => 'file',
 
     /*
@@ -1051,12 +1051,12 @@ $config = [
         ],
         */
 
-        {% set enable_federation = env("ENABLE_FEDERATION", "no")%}
+        {% set enable_federation = environ("ENABLE_FEDERATION") | default("no", true) %}
 
         {% if enable_federation=="1" or enable_federation=="yes" %}
         59 => array(
             'class' => 'attributeaggregator:attributeaggregator',
-            'entityId' => 'https://{{ env("CG_FQDN", default="cg.gakunin.jp") }}/idp/shibboleth',
+            'entityId' => 'https://{{ environ("CG_FQDN") | default("cg.gakunin.jp", true) }}/idp/shibboleth',
 
             /**
              * The subject of the attribute query. Default: urn:oid:1.3.6.1.4.1.5923.1.1.1.6 (eduPersonPrincipalName)
@@ -1103,7 +1103,7 @@ $config = [
 
         69 => array(
             'class' => 'attributeaggregator:attributeaggregator',
-            'entityId' => 'https://{{ env("CG_FQDN", default="cg.gakunin.jp") }}/idp/shibboleth',
+            'entityId' => 'https://{{ environ("CG_FQDN") | default("cg.gakunin.jp", true) }}/idp/shibboleth',
 
             /**
              * The subject of the attribute query. Default: urn:oid:1.3.6.1.4.1.5923.1.1.1.6 (eduPersonPrincipalName)
@@ -1265,8 +1265,8 @@ $config = [
      * ],
      */
 
-    {% set cgidp_localfile_metadata = env("CGIDP_LOCALFILE_METADATA", "no") %}
-    {% set enable_test_federation = env("ENABLE_TEST_FEDERATION", "no") %}
+    {% set cgidp_localfile_metadata = environ("CGIDP_LOCALFILE_METADATA") | default( "no", true) %}
+    {% set enable_test_federation = environ("ENABLE_TEST_FEDERATION") | default("no", true) %}
 
     'metadata.sources' => [
         ['type' => 'flatfile'],

auth-proxy/resources/etc/templates/cron_root.j2

@@ -1,3 +1,3 @@
-@reboot /bin/sleep 10 && /usr/bin/curl --silent --insecure "https://localhost/simplesaml/module.php/cron/run/daily/{{ env("CRON_SECRET") }}"
-0 0 * * * /usr/bin/curl --silent --insecure "https://localhost/simplesaml/module.php/cron/run/daily/{{ env("CRON_SECRET") }}"
+@reboot /bin/sleep 10 && /usr/bin/curl --silent --insecure "https://localhost/simplesaml/module.php/cron/run/daily/{{ environ("CRON_SECRET") }}"
+0 0 * * * /usr/bin/curl --silent --insecure "https://localhost/simplesaml/module.php/cron/run/daily/{{ environ("CRON_SECRET") }}"
 

auth-proxy/resources/etc/templates/embedded-wayf-config.js.j2

@@ -10,7 +10,7 @@
 // URL of the WAYF to use
 // Examples: "https://wayf.switch.ch/SWITCHaai/WAYF", "https://wayf-test.switch.ch/aaitest/WAYF";
 // [Mandatory]
-var wayf_URL = "https://{{ env("DS_FQDN", default="ds.gakunin.nii.ac.jp") }}/WAYF";
+var wayf_URL = "https://{{ environ("DS_FQDN") | default("ds.gakunin.nii.ac.jp", true) }}/WAYF";
 
 // EntityID of the Service Provider that protects this Resource
 // Examples: "https://econf.switch.ch/shibboleth", "https://dokeos.unige.ch/shibboleth"
@@ -20,7 +20,7 @@ var wayf_sp_entityID = "{% raw %}{{ entityID }}{% endraw %}";
 // Shibboleth Service Provider handler URL
 // Examples: "https://point.switch.ch/Shibboleth.sso", "https://rr.aai.switch.ch/aaitest/Shibboleth.sso"
 // [Mandatory, if wayf_use_discovery_service = false]
-var wayf_sp_handlerURL = "https://{{ env("MASTER_FQDN") }}/simplesaml/module.php/saml/sp/discoresp.php";
+var wayf_sp_handlerURL = "https://{{ environ("MASTER_FQDN") }}/simplesaml/module.php/saml/sp/discoresp.php";
 
 // URL on this resource that the user shall be returned to after authentication
 // Examples: "https://econf.switch.ch/aai/home", "https://olat.uzh.ch/my/courses"
@@ -199,7 +199,7 @@ var wayf_sp_samlDSURL = wayf_sp_handlerURL;
 // that shall be added to the drop-down list
 // The IdPs will be displayed in the sequence they are defined
 // [Optional, commented out by default]
-{% set enable_test_federation = env("ENABLE_TEST_FEDERATION", "no") %}
+{% set enable_test_federation = environ("ENABLE_TEST_FEDERATION") | default("no", true) %}
 var wayf_additional_idps = [
       {% if enable_test_federation=="1" or enable_test_federation=="yes" %}
       {name:"Orthros",

auth-proxy/resources/etc/templates/embedded-wayf-loader.js.j2

@@ -1,4 +1,4 @@
 <!--
-var embedded_wayf_URL = "https://{{ env("DS_FQDN", default="ds.gakunin.nii.ac.jp") }}/WAYF/embedded-wayf.js";
+var embedded_wayf_URL = "https://{{ environ("DS_FQDN") | default("ds.gakunin.nii.ac.jp", true) }}/WAYF/embedded-wayf.js";
 document.write('<script type="text/javascript" src="' + embedded_wayf_URL + '?' + (new Date().getTime()) + '"></scr'+'ipt>');
 //-->

auth-proxy/resources/etc/templates/module_cron.php.j2

@@ -4,7 +4,7 @@
  */
 
 $config = [
-        'key' => '{{ env("CRON_SECRET") }}',
+        'key' => '{{ environ("CRON_SECRET") }}',
         'allowed_tags' => ['daily', 'hourly', 'frequent'],
         'debug_message' => TRUE,
         'sendemail' => FALSE,

auth-proxy/resources/etc/templates/module_metarefresh.php.j2

@@ -6,7 +6,7 @@ $config = [
             'cron' => ['daily'],
             'sources' => [
                 [
-                    'src' => 'https://{{ env("AUTH_FQDN") }}/simplesaml/saml2/idp/metadata.php',
+                    'src' => 'https://{{ environ("AUTH_FQDN") }}/simplesaml/saml2/idp/metadata.php',
                     'certificates' => [
                         'idp-proxy.cer'
                     ]

auth-proxy/resources/etc/templates/nginx.conf.j2

@@ -32,8 +32,8 @@ http {
     include             /etc/nginx/mime.types;
     default_type        application/octet-stream;
 
-    upstream {{ env("MASTER_FQDN") }} {
-        server {{ env("MASTER_FQDN") }}:443;
+    upstream {{ environ("MASTER_FQDN") }} {
+        server {{ environ("MASTER_FQDN") }}:443;
     }
 
     map $http_upgrade $connection_upgrade {
@@ -106,7 +106,7 @@ http {
         }
 
         location / {
-            set $jupyterhub_url http://{{ env("HUB_NAME", default="jupyterhub") }}:8000;
+            set $jupyterhub_url http://{{ environ("HUB_NAME") | default("jupyterhub", true) }}:8000;
             proxy_pass $jupyterhub_url;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header Host $host;

auth-proxy/resources/scripts/start.sh

@@ -1,29 +1,33 @@
 #!/bin/bash
-set -e
+set -xe
 
 TEMPLATE_DIR=/etc/templates
 
-j2 ${TEMPLATE_DIR}/embedded-wayf-config.js.j2 -o /var/www/simplesamlphp/templates/includes/embedded-wayf-config.js
-j2 ${TEMPLATE_DIR}/embedded-wayf-loader.js.j2 -o /var/www/simplesamlphp/templates/includes/embedded-wayf-loader.js
-j2 ${TEMPLATE_DIR}/nginx.conf.j2 -o /etc/nginx/nginx.conf
-j2 ${TEMPLATE_DIR}/config.php.j2 -o /var/www/simplesamlphp/config/config.php
-j2 ${TEMPLATE_DIR}/module_cron.php.j2 -o /var/www/simplesamlphp/config/module_cron.php
-j2 ${TEMPLATE_DIR}/cron_root.j2 -o /var/spool/cron/crontabs/root
+if [[ -z ${SIMPLESAMLPHP_ADMIN_PASSWORD} ]]; then
+    export SIMPLESAMLPHP_ADMIN_PASSWORD=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 12)
+fi
+
+jinja2 ${TEMPLATE_DIR}/embedded-wayf-config.js.j2 -o /var/www/simplesamlphp/templates/includes/embedded-wayf-config.js
+jinja2 ${TEMPLATE_DIR}/embedded-wayf-loader.js.j2 -o /var/www/simplesamlphp/templates/includes/embedded-wayf-loader.js
+jinja2 ${TEMPLATE_DIR}/nginx.conf.j2 -o /etc/nginx/nginx.conf
+jinja2 ${TEMPLATE_DIR}/config.php.j2 -o /var/www/simplesamlphp/config/config.php
+jinja2 ${TEMPLATE_DIR}/module_cron.php.j2 -o /var/www/simplesamlphp/config/module_cron.php
+jinja2 ${TEMPLATE_DIR}/cron_root.j2 -o /var/spool/cron/crontabs/root
 
 chmod 600 /var/spool/cron/crontabs/root
 
 if [[ -n "${AUTH_FQDN}" ]] ; then
     # Join federation via IdP Proxy
-    j2 ${TEMPLATE_DIR}/module_metarefresh.php.j2 -o /var/www/simplesamlphp/config/module_metarefresh.php
-    j2 ${TEMPLATE_DIR}/authsources.php.j2 -o /var/www/simplesamlphp/config/authsources.php
+    jinja2 ${TEMPLATE_DIR}/module_metarefresh.php.j2 -o /var/www/simplesamlphp/config/module_metarefresh.php
+    jinja2 ${TEMPLATE_DIR}/authsources.php.j2 -o /var/www/simplesamlphp/config/authsources.php
 elif [[ "$ENABLE_FEDERATION" == "1" || "$ENABLE_FEDERATION" == "yes" ]]; then
     # Join federation directly
     if [[ "$ENABLE_TEST_FEDERATION" == "1" || "$ENABLE_TEST_FEDERATION" == "yes" ]]; then
-        j2 ${TEMPLATE_DIR}/federation/module_metarefresh-test.php.j2 -o /var/www/simplesamlphp/config/module_metarefresh.php
+        jinja2 ${TEMPLATE_DIR}/federation/module_metarefresh-test.php.j2 -o /var/www/simplesamlphp/config/module_metarefresh.php
     else
-        j2 ${TEMPLATE_DIR}/federation/module_metarefresh.php.j2 -o /var/www/simplesamlphp/config/module_metarefresh.php
+        jinja2 ${TEMPLATE_DIR}/federation/module_metarefresh.php.j2 -o /var/www/simplesamlphp/config/module_metarefresh.php
     fi
-    j2 ${TEMPLATE_DIR}/authsources.php.j2 -o /var/www/simplesamlphp/config/authsources.php
+    jinja2 ${TEMPLATE_DIR}/authsources.php.j2 -o /var/www/simplesamlphp/config/authsources.php
 fi
 
 /usr/bin/supervisord -n -c /etc/supervisord.conf