Feature/ansible

coin-api-dist/src/main/ansible/defaults/main.yml

@@ -0,0 +1,35 @@
+---
+temp_dir: "/tmp"
+logging_dir: "/var/log/openconext"
+releases_dir: "/opt/openconext"
+builds_dir: "{{ releases_dir }}/builds"
+configs_dir: "/etc/openconext"
+
+# Tomcat vars
+tomcat_path: "/usr/share/tomcat6"
+tomcat_conf_path: "{{ tomcat_path }}/conf"
+tomcat_wars_path: "{{ tomcat_path }}/wars"
+tomcat_work_path: "{{ tomcat_path }}/work/Catalina/api.{{ openconext_domain }}"
+tomcat_webapps_path: "{{ tomcat_path }}/webapps/api.{{ openconext_domain }}"
+tomcat_classpath_path: "{{ tomcat_path }}/conf/classpath_properties"
+
+# API specific variables
+api_git_url: "https://github.com/OpenConext/OpenConext-api.git"
+api_version_dir: "{{ api_version | replace('/', '-') }}"
+api_release_dir: "{{ releases_dir }}/OpenConext-api-{{ api_version_dir }}"
+api_build_path: "{{ builds_dir }}/coin-api-dist-{{ api_version_dir }}-bin.tar.gz"
+api_download_url: "https://build.surfconext.nl/repository/public/releases/org/surfnet/coin/coin-api-dist/{{ api_version }}/coin-api-dist-{{ api_version }}-bin.tar.gz"
+api_dist_war_path: "{{ releases_dir }}/coin-api-dist-{{ api_version_dir }}/tomcat/webapps/coin-api-war-{{ api_version_dir }}.war"
+api_tomcat_war_path: "{{ tomcat_wars_path }}/coin-api-war-{{ api_version_dir }}.war"
+
+# Choice: "full" or "minimal"
+api_logging_policy: minimal
+api_db_name: api
+api_db_host: "db.{{ openconext_domain}}"
+api_db_port: 3306
+api_janus_url: https://serviceregistry.{{ openconext_domain }}/simplesaml/module.php/janus/services/rest/
+db_admin_user: root
+engine_db_name: engineblock
+engine_db_host: localhost
+engine_db_port: 3306
+teams_db_name: teams

coin-api-dist/src/main/ansible/meta/main.yml

@@ -0,0 +1,13 @@
+---
+galaxy_info:
+  author: Boy Baukema
+  license: Apache v2
+  min_ansible_version: 1.6
+  platforms:
+  - name: EL
+    versions:
+    - 6
+  categories:
+    - web
+dependencies: [ "ansible-xml" ]
+version: 4.2.0

coin-api-dist/src/main/ansible/tasks/main.yml

@@ -0,0 +1,11 @@
+---
+  - yum: name=python-lxml state=installed
+
+  - name: Install API
+    include: main/install.yml
+
+  - name: Configure API
+    include: main/configure.yml
+
+  - name: Activate API
+    include: main/activate.yml

coin-api-dist/src/main/ansible/tasks/main/activate.yml

@@ -0,0 +1,3 @@
+---
+  - name: Restart Tomcat
+    service: name=tomcat6 state=restarted

coin-api-dist/src/main/ansible/tasks/main/configure.yml

@@ -0,0 +1,32 @@
+---
+  - name: Set logging configuration
+    template:
+      src: "../../templates/api-logback.{{ api_logging_policy }}.xml"
+      dest: "{{ tomcat_classpath_path }}/api-logback.xml"
+
+  - name: Set caching configuration
+    template:
+      src: ../../templates/api-ehcache.xml.j2
+      dest: "{{ tomcat_classpath_path }}/api-ehcache.xml"
+
+  - name: Set configuration properties
+    template:
+      src: ../../templates/coin-api.properties.j2
+      dest: "{{ tomcat_classpath_path }}/coin-api.properties"
+
+  - name: Detect if we're already in the server.xml
+    xml:
+      file: "{{ tomcat_conf_path }}/server.xml"
+      xpath: "/Server/Service[@name='Catalina']/Engine[@name='Standalone']/Host[@name='api.{{ openconext_domain }}']"
+      count: true
+    register: ansible_host
+
+  - name: If not then add a Host element to server.xml
+    xml:
+      file: "{{ tomcat_conf_path }}/server.xml"
+      xpath: "/Server/Service[@name='Catalina']/Engine[@name='Standalone']"
+      add_children:
+          - Host:
+              name: "api.{{ openconext_domain }}"
+              appBase: "webapps/api.{{ openconext_domain }}"
+    when: ansible_host.count == 0

coin-api-dist/src/main/ansible/tasks/main/install-build.yml

@@ -0,0 +1,3 @@
+---
+  - name: Get the current release from build URL.
+    get_url: url="{{ api_download_url }}" dest="{{ api_build_path }}"

coin-api-dist/src/main/ansible/tasks/main/install-src.yml

@@ -0,0 +1,40 @@
+---
+  - name: SRC - Remove repo
+    file:
+      path: "{{ api_release_dir }}"
+      state: absent
+
+  - name: SRC - Install Git repo
+    git:
+      accept_hostkey: yes
+      repo: "{{ api_git_url }}"
+      dest: "{{ api_release_dir }}"
+      version: "{{ api_version }}"
+
+  - name: Set the version in the parent project) (may not have been set properly for branches)
+    xml:
+      file: "{{ api_release_dir }}/pom.xml"
+      xpath: /*[name()='project']/*[name()='version']
+      value: "{{ api_version_dir }}"
+
+  - name: Set the version (in all parent projects) (may not have been set properly for branches)
+    xml:
+      file: "{{ item }}"
+      xpath: /*[name()='project']/*[name()='parent']/*[name()='version']
+      value: "{{ api_version_dir }}"
+    with_items:
+      - "{{ api_release_dir }}/coin-api-client/pom.xml"
+      - "{{ api_release_dir }}/coin-api-dist/pom.xml"
+      - "{{ api_release_dir }}/coin-api-external-groups/pom.xml"
+      - "{{ api_release_dir }}/coin-api-serviceregistry-client/pom.xml"
+      - "{{ api_release_dir }}/coin-api-war/pom.xml"
+
+  - name: SRC - Running Maven install
+    command: mvn -q clean install -DskipTests
+    args:
+      chdir: "{{ api_release_dir }}"
+
+  - name: SRC - Copy build to build directory
+    copy:
+      src: "{{ api_release_dir }}/coin-api-dist/target/coin-api-dist-{{ api_version_dir }}-bin.tar.gz"
+      dest: "{{ api_build_path }}"

coin-api-dist/src/main/ansible/tasks/main/install.yml

@@ -0,0 +1,42 @@
+---
+  - name: Ensure the directories exists
+    file: path={{ item }} state=directory
+    with_items:
+    - "{{ releases_dir }}"
+    - "{{ builds_dir }}"
+    - "{{ configs_dir }}"
+
+  - name: Install API from Build (only when version starts with a number)
+    include: install-build.yml
+    when: api_version | match("^[0-9]")
+
+  - name: Install API from source (only when version does not start with a number)
+    include: install-src.yml
+    when: api_version | match("^[^0-9]")
+
+  - name: Extract build
+    unarchive: src={{ api_build_path }} dest={{ releases_dir }} copy=no
+
+  - name: Stop the application server
+    service: name=tomcat6 state=stopped
+
+  - name: Install Tomcat wars directory
+    file: path={{ tomcat_wars_path }} owner=tomcat group=tomcat recurse=true state=directory
+
+  - name: Clean Tomcat old wars
+    shell: rm -vf {{ tomcat_wars_path }}/coin-api-war-*.war
+
+  - name: Install Tomcat work directory
+    file: path={{ tomcat_work_path }} owner=tomcat group=tomcat recurse=true state=directory
+
+  - name: Clean Tomcat work
+    shell: rm -rvf {{ tomcat_work_path }}/*
+
+  - name: Install Tomcat webapps directory
+    file: path={{ tomcat_webapps_path }} owner=tomcat group=tomcat recurse=true state=directory
+
+  - name: Clean Tomcat webapps
+    shell: rm -rvf {{ tomcat_webapps_path }}/*
+
+  - name: Install WAR
+    command: cp {{ api_dist_war_path }} {{ api_tomcat_war_path }}

coin-api-dist/src/main/ansible/templates/api-ehcache.xml.j2

@@ -0,0 +1,29 @@
+<ehcache updateCheck="false">
+    <diskStore path="/tmp" />
+
+    <defaultCache name="default" />
+
+    <cache
+        name="group-providers"
+        maxElementsInMemory="100"
+        eternal="false"
+        timeToIdleSeconds="120"
+        timeToLiveSeconds="120"
+        overflowToDisk="true"
+        maxElementsOnDisk="10000000"
+        diskPersistent="false"
+        diskExpiryThreadIntervalSeconds="120"
+        memoryStoreEvictionPolicy="LRU" />
+
+    <cache
+        name="janus-meta-data"
+        maxElementsInMemory="100"
+        eternal="false"
+        timeToIdleSeconds="30"
+        timeToLiveSeconds="30"
+        overflowToDisk="true"
+        maxElementsOnDisk="10000000"
+        diskPersistent="false"
+        diskExpiryThreadIntervalSeconds="120"
+        memoryStoreEvictionPolicy="LRU" />
+</ehcache>

coin-api-dist/src/main/resources/tomcat/api-logback.xml.vm → coin-api-dist/src/main/ansible/templates/api-logback.debug.xml

@@ -35,6 +35,10 @@
     </filter>
 
     <!-- specific filters -->
+    <filter class="nl.surfnet.coin.shared.log.diagnostics.LoggerThresholdFilter">
+      <logger>nl.surfnet.coin</logger>
+      <level>debug</level>
+    </filter>
     <filter class="nl.surfnet.coin.shared.log.diagnostics.LoggerThresholdFilter">
       <logger>org.springframework</logger>
       <level>warn</level>

coin-api-dist/src/main/resources/tomcat/api-logback.xml.acc → coin-api-dist/src/main/ansible/templates/api-logback.minimal.xml

@@ -33,15 +33,6 @@
     <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
       <level>warn</level>
     </filter>
-
-    <!-- specific filters -->
-<!--
-    <filter class="nl.surfnet.coin.shared.log.diagnostics.LoggerThresholdFilter">
-      <logger>org.springframework</logger>
-      <level>warn</level>
-    </filter>
--->
-
   </appender>
 
   <appender name="DUMPAPPENDER" class="ch.qos.logback.core.rolling.RollingFileAppender">

coin-api-dist/src/main/ansible/templates/api.conf.j2

@@ -0,0 +1,38 @@
+<VirtualHost *:443>
+    # General setup for the virtual host, inherited from global configuration
+    DocumentRoot "/var/www/html/default"
+    ServerName api.{{ openconext_domain }}:443
+
+    # Use separate log files for the SSL virtual host; note that LogLevel
+    # is not inherited from httpd.conf.
+    ErrorLog logs/api_ssl_error_log
+    TransferLog logs/api_ssl_access_log
+    LogLevel warn
+
+    SSLEngine             on
+    SSLProtocol           -ALL +SSLv3 +TLSv1
+    SSLCipherSuite        ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4-MD5:RC4+RSA:+HIGH:+MEDIU
+    SSLCertificateFile    /etc/httpd/keys/openconext.pem
+    SSLCertificateKeyFile /etc/httpd/keys/openconext.key
+    SSLCACertificateFile  /etc/httpd/keys/openconext_ca.pem
+
+    RewriteEngine On
+    RewriteRule ^/$ /v1/$1 [L,R=permanent]
+
+    <Files ~ "\.(shtml?)$">
+        SSLOptions +StdEnvVars
+    </Files>
+
+    SetEnvIf User-Agent ".*MSIE.*" \
+             nokeepalive ssl-unclean-shutdown \
+             downgrade-1.0 force-response-1.0
+
+    CustomLog logs/ssl_request_log \
+              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+
+    # Proxy requests through to Tomcat using AJP
+
+    ProxyPass / ajp://localhost:8009/
+
+</VirtualHost>

coin-api-dist/src/main/ansible/templates/coin-api.properties.j2

@@ -0,0 +1,82 @@
+####################################################################
+##
+## The following properties are the responsibility of the owners
+## of the machine. The developers do not know the values.
+##
+####################################################################
+
+janus.user={{ api_janus_user }}
+janus.secret={{ api_janus_secret }}
+janus.uri={{ api_janus_url }}
+
+coin-api.jdbc.driver=com.mysql.jdbc.Driver
+coin-api.jdbc.url=jdbc:mysql://db.{{ openconext_domain }}:3306/api
+coin-api.jdbc.user={{ api_db_user }}
+coin-api.jdbc.password={{ api_db_password }}
+
+coin-api.ldap.url=ldap://ldap.{{ openconext_domain }}389
+coin-api.ldap.userDn={{ api_ldap_bind_dn }}
+coin-api.ldap.password={{ api_ldap_password }}
+
+coin-api.engineblock.jdbc.driver=com.mysql.jdbc.Driver
+coin-api.engineblock.jdbc.url=jdbc:mysql://db.{{ openconext_domain }}:3306/{{ engine_db_name}}
+coin-api.engineblock.jdbc.user={{ engine_db_user }}
+coin-api.engineblock.jdbc.password={{ engine_db_password }}
+
+coin-api.teams.jdbc.driver=com.mysql.jdbc.Driver
+coin-api.teams.jdbc.url=jdbc:mysql://db.{{ openconext_domain }}:3306/{{ teams_db_name }}
+coin-api.teams.jdbc.user={{ teams_db_user }}
+coin-api.teams.jdbc.password={{ teams_db_password }}
+
+# Email address that recieves error notifications
+coin-errormail-to={{ openconext_error_mail }}
+
+# Callback URL of the OAuth client
+coin-api.oauth.callback.url=https://api.{{ openconext_domain }}/v1/test/oauth-callback.shtml
+
+####################################################################
+##
+## The following properties are the responsibility of the developers
+##
+####################################################################
+
+#Choose either mockClientDetailsService or janusClientDetailsService
+clientDetailsServiceClass=nl.surfnet.coin.api.service.JanusClientDetailsService
+
+#For future purposes we might mock them
+ldapClientClass=nl.surfnet.coin.ldap.LdapClientImpl
+engineblockClass=nl.surfnet.coin.eb.EngineBlockImpl
+groupServiceClass=nl.surfnet.coin.api.service.GroupServiceImpl
+
+#Is the mock API enabled?
+mock-api-enabled=false
+
+# SMTP server settings for notifications
+coin-mailserver=localhost
+coin-mailserver-port=25
+
+#The directory (in the war) where the db migration scrips reside
+coin-api.db.migrations.folder=db/migration/mysql
+
+#Cache manager
+cacheManagerClass=org.springframework.cache.ehcache.EhCacheCacheManager
+
+staticContentBasePath=https://static.{{ openconext_domain }}
+
+# Default locale for consent screen
+coin-api.locale-default=nl
+
+# SAML properties
+entityId=https://api.{{ openconext_domain }}/
+assertionConsumerURI=https://api.{{ openconext_domain }}/v1/assertionConsumer
+idpUrl=https://engine.{{ openconext_domain }}/authentication/idp/single-sign-on
+idpCertificate={{ engine_idp_cert_string }}
+idpEntityId=https://engine.{{ openconext_domain }}/authentication/idp/metadata
+spPrivateKey={{ api_sp_key_string }}
+spCertificate={{ api_sp_cert_string }}
+
+#which SAML attribute holds the UUID
+saml-uuid-attribute=urn:oid:1.3.6.1.4.1.1076.20.40.40.1
+
+# this is part of a regex pattern that should determine whether the group is internal
+api.internal.group.pattern=^urn:collab:group:\\w*\\.?surfteams.nl.*