Mutable

Dockerfile

@@ -1,53 +1,77 @@
-FROM hub.opensciencegrid.org/opensciencegrid/software-base:3.6-al8-release
-
-RUN yum install -y curl java-11-openjdk-headless java-11-openjdk-devel
-
-# Download and install tomcat
-RUN useradd -r -s /sbin/nologin tomcat ;\
-    mkdir -p /opt/tomcat ;\
-    curl -s -L https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.69/bin/apache-tomcat-9.0.69.tar.gz | tar -zxf - -C /opt/tomcat --strip-components=1 ;\
-    chgrp -R tomcat /opt/tomcat/conf ;\
-    chmod g+rwx /opt/tomcat/conf ;\
-    chmod g+r /opt/tomcat/conf/* ;\
-    chown -R tomcat /opt/tomcat/logs/ /opt/tomcat/temp/ /opt/tomcat/webapps/ /opt/tomcat/work/ ;\
-    chgrp -R tomcat /opt/tomcat/bin /opt/tomcat/lib ;\
-    chmod g+rwx /opt/tomcat/bin ;\
-    chmod g+r /opt/tomcat/bin/* ;\
+ARG BASE_OSG_SERIES=23
+ARG BASE_OS=el9
+ARG BASE_YUM_REPO=release
+
+FROM hub.opensciencegrid.org/osg-htc/software-base:${BASE_OSG_SERIES}-${BASE_OS}-${BASE_YUM_REPO}
+
+RUN <<ENDRUN
+    # Ensure that errors cause the build to fail.
+    set -eux
+    set -o pipefail
+
+    # Install Java 11.
+    dnf install -y java-11-openjdk-headless java-11-openjdk-devel
+
+    # Create the tomcat user with a fixed UID/GID.
+    groupadd -g 10443 tomcat
+    useradd -u 10443 -g 10443 -s /sbin/nologin tomcat
+
+    # Download and install Tomcat.
+    mkdir -p /opt/tomcat
+    curl -s -L https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.98/bin/apache-tomcat-9.0.98.tar.gz | tar -zxf - -C /opt/tomcat --strip-components=1
+
+    # The Tomcat distribution archive cannot know the UID and GID for our
+    # 'tomcat' user, so we need to explicitly set user and group ownership.
+    chown -R  tomcat  /opt/tomcat/logs  /opt/tomcat/temp  /opt/tomcat/webapps  /opt/tomcat/work
+    chgrp -R  tomcat  /opt/tomcat/bin   /opt/tomcat/conf  /opt/tomcat/lib
+    chmod     g+rwx   /opt/tomcat/bin   /opt/tomcat/conf  /opt/tomcat/lib
+    chmod -R  g+rX    /opt/tomcat/bin   /opt/tomcat/conf  /opt/tomcat/lib
+
     ln -s /usr/lib64/libapr-1.so.0 /opt/tomcat/lib/libapr-1.so.0
 
-RUN \
-    # Create various empty directories needed by the webapp
-    mkdir -p /opt/scitokens-server/etc/trusted-cas &&\
-    mkdir -p /opt/scitokens-server/lib &&\
-    mkdir -p /opt/scitokens-server/log &&\
-    mkdir -p /opt/scitokens-server/var/storage/file_store &&\
-    mkdir -p /opt/tomcat/webapps/scitokens-server ;\
+    # Create various empty directories needed by the webapp.
+    mkdir -p /opt/scitokens-server/etc/trusted-cas
+    mkdir -p /opt/scitokens-server/lib
+    mkdir -p /opt/scitokens-server/log
+    mkdir -p /opt/scitokens-server/var/storage/file_store
+    mkdir -p /opt/tomcat/webapps/scitokens-server
+    chown tomcat:tomcat /opt/scitokens-server/var/storage/file_store
+
     # Install the OA4MP webapp and associated dependencies.
-    curl -s -L https://github.com/ncsa/OA4MP/releases/download/v5.4.1/oauth2.war > /opt/tomcat/webapps/scitokens-server.war ;\
-    curl -s -L https://github.com/javaee/javamail/releases/download/JAVAMAIL-1_6_2/javax.mail.jar > /opt/tomcat/lib/javax.mail.jar ;\
-    curl -s -L https://github.com/ncsa/OA4MP/releases/download/v5.4.1/jwt.jar > /opt/scitokens-server/lib/jwt.jar ;\
-    curl -L -s https://github.com/ncsa/OA4MP/releases/download/v5.4.1/cli.jar > /opt/scitokens-server/lib/scitokens-cli.jar ;\
-    cd /opt/tomcat/webapps/scitokens-server ;\
-    jar -xf ../scitokens-server.war ;\
-    chgrp -R tomcat /opt/tomcat/webapps/scitokens-server ;\
-    mkdir -p /opt/tomcat/var/storage/scitokens-server ;\
-    chown -R tomcat:tomcat /opt/tomcat/var/storage/scitokens-server ;\
-    # Install support for the QDL CLI
-    curl -L -s https://github.com/ncsa/OA4MP/releases/download/v5.4.1/qdl-installer.jar >/tmp/oa2-qdl-installer.jar ;\
-    java -jar /tmp/oa2-qdl-installer.jar -dir /opt/qdl ;\
-    rm /tmp/oa2-qdl-installer.jar ;\
-    mkdir -p /opt/qdl/var/scripts ;\
-    # Remove the default manager apps and examples -- we don't use these
-    rm -rf /opt/tomcat/webapps/ROOT /opt/tomcat/webapps/docs /opt/tomcat/webapps/examples /opt/tomcat/webapps/host-manager /opt/tomcat/webapps/manager ;\
-    true;
+    curl -s -L https://github.com/ncsa/OA4MP/releases/download/mutable/oauth2.war > /opt/tomcat/webapps/scitokens-server.war
+    curl -s -L https://github.com/ncsa/OA4MP/releases/download/mutable/jwt.jar > /opt/scitokens-server/lib/jwt.jar
+    curl -s -L https://github.com/ncsa/OA4MP/releases/download/mutable/cli.jar > /opt/scitokens-server/lib/scitokens-cli.jar
+    curl -s -L https://github.com/javaee/javamail/releases/download/JAVAMAIL-1_6_2/javax.mail.jar > /opt/tomcat/lib/javax.mail.jar
+
+    ( cd /opt/tomcat/webapps/scitokens-server && jar -xf /opt/tomcat/webapps/scitokens-server.war )
+    rm /opt/tomcat/webapps/scitokens-server.war
+
+    chgrp -R tomcat /opt/tomcat/webapps/scitokens-server
+    mkdir -p /opt/tomcat/var/storage/scitokens-server
+    chown -R tomcat:tomcat /opt/tomcat/var/storage/scitokens-server
+
+    # Install support for the QDL CLI.
+    curl -s -L https://github.com/ncsa/OA4MP/releases/download/v6.1.0/qdl-installer.jar >/tmp/oa2-qdl-installer.jar
+    java -jar /tmp/oa2-qdl-installer.jar install -all -dir /opt/qdl
+    rm /tmp/oa2-qdl-installer.jar
+    mkdir -p /opt/qdl/var/scripts
+
+    # Remove Tomcat's default manager apps and examples.
+    rm -rf /opt/tomcat/webapps/ROOT /opt/tomcat/webapps/docs /opt/tomcat/webapps/examples /opt/tomcat/webapps/host-manager /opt/tomcat/webapps/manager
+
+    # Remove packages that were needed only for this build step.
+    dnf remove -y java-11-openjdk-devel
+    dnf clean all
+    rm -rf /var/cache/dnf/*
+ENDRUN
 
 # The generate_jwk.sh script is part of the documented bootstrap of the container.
 ADD generate_jwk.sh /usr/local/bin/generate_jwk.sh
 
-# Add other QDL CLI tools and configs not part of the default installer
+# Add other QDL CLI tools and configs not part of the default installer.
 COPY qdl /opt/qdl
 
-# Add in the tomcat server configuration
+# Add in the Tomcat server configuration.
 ADD --chown=root:tomcat server.xml /opt/tomcat/conf/server.xml
 
 # Copy over our configuration of the OA4MP webapp.

qdl/bin/qdl

@@ -6,4 +6,4 @@ QDL_JAR="$QDL_HOME/lib/qdl.jar"
 cfgFile=${1:-$CFG_FILE}
 cfgName=${2:-$CFG_NAME}
 
-java -cp $QDL_JAR edu.uiuc.ncsa.qdl.workspace.QDLWorkspace -cfg  $cfgFile -name $cfgName -home_dir $QDL_HOME
+java -cp $QDL_JAR org.qdl_lang.workspace.QDLWorkspace -cfg  $cfgFile -name $cfgName -home_dir $QDL_HOME

qdl/bin/qdl-run

@@ -5,4 +5,4 @@ CFG_FILE="$QDL_HOME/etc/qdl-cfg.xml"
 CFG_NAME="run-it"
 QDL_JAR="$QDL_HOME/lib/qdl.jar"
 
-java -cp $QDL_JAR edu.uiuc.ncsa.qdl.workspace.QDLWorkspace -cfg  $CFG_FILE -name $CFG_NAME -home_dir $QDL_HOME -run "$@"
+java -cp $QDL_JAR org.qdl_lang.workspace.QDLWorkspace -cfg  $CFG_FILE -name $CFG_NAME -home_dir $QDL_HOME -run "$@"

qdl/etc/qdl-cfg.xml

@@ -45,15 +45,15 @@
         <modules>
             <module type="java"
                     import_on_start="true">
-                <class_name>edu.uiuc.ncsa.myproxy.oa4mp.qdl.OA2QDLLoader</class_name>
+                <class_name>org.oa4mp.server.loader.qdl.OA2QDLLoader</class_name>
             </module>
             <module type="java"
                     import_on_start="true">
-                <class_name>edu.uiuc.ncsa.oa2.qdl.QDLToolsLoader</class_name>
+                <class_name>org.oa4mp.server.qdl.QDLToolsLoader</class_name>
             </module>
             <module type="java"
                     import_on_start="false">
-                <class_name>edu.uiuc.ncsa.oa2.qdl.storage.StoreAccessLoader</class_name>
+                <class_name>org.oa4mp.server.qdl.storage.StoreAccessLoader</class_name>
             </module>
             <module type="qdl"
                  import_on_start="true">
@@ -86,15 +86,15 @@
            <modules>
                <module type="java"
                        import_on_start="true">
-                   <class_name>edu.uiuc.ncsa.myproxy.oa4mp.qdl.OA2QDLLoader</class_name>
+                   <class_name>org.oa4mp.server.loader.qdl.OA2QDLLoader</class_name>
                </module>
                <module type="java"
                        import_on_start="true">
-                   <class_name>edu.uiuc.ncsa.oa2.qdl.QDLToolsLoader</class_name>
+                   <class_name>org.oa4mp.server.qdl.QDLToolsLoader</class_name>
                </module>
                <module type="java"
                        import_on_start="false">
-                   <class_name>edu.uiuc.ncsa.oa2.qdl.storage.StoreAccessLoader</class_name>
+                   <class_name>org.oa4mp.server.qdl.storage.StoreAccessLoader</class_name>
                </module>
                <module type="qdl"
                     import_on_start="true">

qdl/var/scripts/boot.qdl

@@ -16,7 +16,7 @@ template_dir := st_home + '/etc/templates';
 /*
     Set up access to the client store using the current server configuration.
 */
-module_import('oa2:/qdl/store', 'clients');
+module_import('oa4mp:/qdl/store', 'clients');
 clients#init(st_home+'/etc/server-config.xml', 'scitokens-server', 'client');
 
 

scitokens-client/web.xml

@@ -34,7 +34,7 @@
     <!--
         <servlet>
                <servlet-name>startRequest</servlet-name>
-               <servlet-class>edu.uiuc.ncsa.oa4mp.oauth2.client.servlet.OA2StartRequest</servlet-class>
+               <servlet-class>org.oa4mp.client.loader.servlet.OA2StartRequest</servlet-class>
                <load-on-startup>1</load-on-startup>
            </servlet>
 
@@ -46,7 +46,7 @@
 
            <servlet>
                <servlet-name>ready</servlet-name>
-               <servlet-class>edu.uiuc.ncsa.oa4mp.oauth2.client.servlet.OA2ReadyServlet</servlet-class>
+               <servlet-class>org.oa4mp.client.loader.servlet.OA2ReadyServlet</servlet-class>
                <load-on-startup>1</load-on-startup>
            </servlet>
 

scitokens-server/etc/server-config.xml.tmpl

@@ -9,14 +9,24 @@
              refreshTokenEnabled="true"
              enableTokenExchange="true"
              clientSecretLength="24"
+             cleanupInterval= "60 min"
              scheme="oa4mp"
              schemeSpecificPart=""
              debug="trace"
              OIDCEnabled = "false"
              serverDN="CN=localhost"
-             issuer="https://{HOSTNAME}/scitokens-server"
+             issuer="{ISSUER}"
              address="https://{HOSTNAME}/scitokens-server">
 
+        <unusedClientCleanup gracePeriod="6 hr"
+                             deleteVersions="false"
+                             enabled="true"
+                             interval="4 hr">
+          <whitelist>
+             <clientID>localhost:template</clientID>
+          </whitelist>
+        </unusedClientCleanup>
+
         <logging
                 logFileName="/dev/stdout"
                 logName="scitokens-server"
@@ -80,7 +90,7 @@
             <modules>
                 <module type="java"
                         import_on_start="true">
-                    <class_name>edu.uiuc.ncsa.myproxy.oa4mp.qdl.OA2QDLLoader</class_name>
+                    <class_name>org.oa4mp.server.loader.qdl.OA2QDLLoader</class_name>
                 </module>
             </modules>
         </qdl>

scitokens-server/etc/templates/client-template.xml

@@ -11,14 +11,14 @@
 <entry key="public_key">4b289478ab9e80f43a837620fd09e3484b10bb77</entry>
 <entry key="last_modified_ts">2022-01-19T21:39:03.254Z</entry>
 <entry key="rt_lifetime">1209600000</entry>
-<entry key="cfg">{"tokens":{"access":{"audience":"ANY","type":"sci_token","qdl": {"load": "vfs#/scripts/scitokens/policies.qdl","xmd": {"exec_phase":  ["pre_auth","post_token","post_refresh","post_exchange"]}}}}}</entry>
+<entry key="cfg">{"tokens":{"access":{"audience":"ANY","type":"sci_token","qdl": {"load": "vfs#/scripts/scitokens/policies.qdl","xmd": {"exec_phase":  ["pre_auth","post_token","post_refresh","post_exchange"]}}}, "identity": {"type": "identity", "qdl": {"load": "vfs#/scripts/scitokens/id_token_policies.qdl", "xmd": {"exec_phase": ["post_token", "post_refresh", "post_exchange"]}}}  }}</entry>
 <entry key="proxy_limited">false</entry>
 <entry key="home_url">https://localhost:9443/client2</entry>
 <entry key="sign_tokens">true</entry>
 <entry key="debug_on">false</entry>
 <entry key="client_id">localhost:template</entry>
 <entry key="strict_scopes">false</entry>
-<entry key="public_client">true</entry>
+<entry key="public_client">false</entry>
 <entry key="forward_scopes_to_proxy">false</entry>
 <entry key="callback_uri">["https://localhost:9443/client2/ready"]</entry>
 <entry key="name">SciToken client template</entry>

scitokens-server/var/qdl/scitokens/id_token_policies.qdl

@@ -0,0 +1,15 @@
+/*
+ Simply prefer the eppn for the subject; otherwise, pass the token through.
+ */
+
+if[
+   is_defined(claims.'eppn')
+][
+   claims.'sub' := claims.'eppn';
+]else[
+  if[
+     is_defined(claims.'email')
+  ][
+   claims.'sub' := claims.'email';
+  ];
+];