Release

.gitignore

@@ -2,3 +2,5 @@
 .project
 *.iml
 initial-configuration/mysql-docker/.env
+pass.tmp
+initial-configuration/pass.tmp

README.md

@@ -131,6 +131,7 @@ Once you have logged into Jenkins and have set up your admin account, you need t
 system variables:
 
 - `DOCKER_CONFIG_DIR`: `/path/to/config/dir` This is the path you passed to `install-dependencies-docker`
+- `MYSQL_CONFIG_DIR`: `/path/to/mysql/cnf/dir` This is the path you passed to `install-dependencies-docker`
 - `MYSQL_NETWORK`: `picsure` If you plan to switch to a remote database, this needs to be changed back to `host`
 
 6. Run the Initial Configuration Pipeline job.
@@ -149,9 +150,7 @@ system variables:
 
     - `EMAIL`: This is the Google account that will be the initial admin user.
 
-    - `PROJECT_SPECIFIC_OVERRIDE_REPOSITORY`: This is the repo that contains the project specific overrides for your
-      project. If you just want the default PIC-SURE behavior use this
-      repo : https://github.com/hms-dbmi/baseline-pic-sure
+    - `MIGRATION_NAME`: This is the name of the migration that will be run. If you just want the default PIC-SURE behavior use `Baseline` from the repo: https://github.com/hms-dbmi/pic-sure-migrations or fork it and add your migration. If you are a GIC Institution, use `GIC-Institution`.
 
     - `RELEASE_CONTROL_REPOSITORY`: This is the repo that contains the build-spec.json file for your project. This file
       controls what code is built and deployed. If you just want the default PIC-SURE behavior use this

initial-configuration/config/hpds/hpds.env

@@ -0,0 +1 @@
+CATALINA_OPTS=-XX:+UseParallelGC -XX:SurvivorRatio=250 -Xms1g -Xmx16g -DCACHE_SIZE=1500 -DSMALL_TASK_THREADS=1 -DLARGE_TASK_THREADS=1 -DSMALL_JOB_LIMIT=100 -DID_BATCH_SIZE=2000 -DALL_IDS_CONCEPT=NONE -DID_CUBE_NAME=NONE -Denable_file_sharing=true

initial-configuration/config/httpd/httpd-vhosts-ssloffload.conf

@@ -34,7 +34,7 @@ Listen 0.0.0.0:80
     </LocationMatch>
 
     RewriteRule ^/picsure/(.*)$ "http://wildfly:8080/pic-sure-api-2/PICSURE/$1" [P]
-    RewriteRule ^/psama/(.*)$ "http://wildfly:8080/pic-sure-auth-services/auth/$1" [P]
+    RewriteRule ^/psama/(.*)$ "http://psama:8090/auth/$1" [P]
 
     RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
     RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-d

initial-configuration/config/httpd/httpd-vhosts.conf

@@ -17,13 +17,12 @@ AddType application/x-pkcs7-crl    .crl
 SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256
 SSLProxyCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256
 
-
-SSLHonorCipherOrder on
-
-SSLProtocol all -TLSv1.2
-SSLProxyProtocol all -TLSv1.2
+SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
+SSLHonorCipherOrder     off
+SSLSessionTickets       off
 SSLPassPhraseDialog  builtin
 
+SSLUseStapling On
 SSLSessionCache        "shmcb:${HTTPD_PREFIX}/logs/ssl_scache(512000)"
 SSLSessionCacheTimeout  300
 
@@ -35,19 +34,30 @@ ServerTokens Prod
 	ServerName localhost
 	RewriteEngine On
 	ProxyPreserveHost On
+    #Dont allow httpd debug methods
+    RewriteCond %%{REQUEST_METHOD} ^TRACK
+    RewriteRule .* - [F]
+    RewriteCond %%{REQUEST_METHOD} ^TRACE
+    RewriteRule .* - [F]
+
 	RewriteCond %{HTTPS} off [OR]
 	RewriteCond %{HTTP_HOST} ^(?:)?(.+)$ [NC]
-	RewriteRule ^ https://%{SERVER_NAME}/picsureui/ [L,NE,R=301]
+	RewriteRule ^ https://%{SERVER_NAME}/$1 [L,NE,R=301]
 </VirtualHost>
 
 <VirtualHost _default_:443>
+    ServerName %{SERVER_NAME}
 	ProxyTimeout 300
+    SSLEngine on
     SSLProxyEngine on
 
     SSLProxyVerify none
     SSLProxyCheckPeerCN off
     SSLProxyCheckPeerName off
 
+     # enable HTTP/2, if available
+    Protocols h2 http/1.1
+
 	SSLCertificateFile "${HTTPD_PREFIX}/cert/server.crt"
     SSLCertificateKeyFile "${HTTPD_PREFIX}/cert/server.key"
     SSLCertificateChainFile "${HTTPD_PREFIX}/cert/server.chain"
@@ -77,42 +87,38 @@ ServerTokens Prod
     RewriteEngine On
     ProxyPreserveHost On
 
-    <Location /jupyterhub>
-        ProxyPass http://jupyterhub:8000/jupyterhub
-        ProxyPassReverse http://jupyterhub:8000/jupyterhub
-    </Location>
+    #Dont allow httpd debug methods
+    RewriteCond %%{REQUEST_METHOD} ^TRACK
+    RewriteRule .* - [F]
+    RewriteCond %%{REQUEST_METHOD} ^TRACE
+    RewriteRule .* - [F]
 
-    <LocationMatch "/jupyterhub/(user/[^/]*)/(api/kernels/[^/]+/channels|terminals/websocket)(.*)">
-        ProxyPassMatch ws://jupyterhub:8000/jupyterhub/$1/$2$3
-        ProxyPassReverse ws://jupyterhub:8000/jupyterhub/$1/$2$3
-    </LocationMatch>
+    # Match the request to /health and return a 200 OK status for AWS ELB health checks
+    RewriteRule ^/picsure/health$ - [R=200,L]
 
     RewriteRule ^/picsure/(.*)$ "http://wildfly:8080/pic-sure-api-2/PICSURE/$1" [P]
-    RewriteRule ^/psama/(.*)$ "http://wildfly:8080/pic-sure-auth-services/auth/$1" [P]
-
-    RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
-    RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-d
-
-    RewriteRule /psamaui/(.*) /psamaui/index_03272020.html 
+    RewriteRule ^/psama/(.*)$ "http://psama:8090/auth/$1" [P]
 
     RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
     RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-d
-    RewriteRule /picsureui/(.*) /picsureui/index_03272020.html 
 
     RewriteRule ^/static/(.*)$ /static/$1 [L]
 
-    RedirectMatch ^/$ /picsureui/
-    ErrorDocument 404 /index.html
-
     DocumentRoot "${HTTPD_PREFIX}/htdocs"
 
-    ErrorLog "${HTTPD_PREFIX}/logs/error_log"
-    TransferLog "${HTTPD_PREFIX}/logs/access_log"
-    CustomLog "${HTTPD_PREFIX}/logs/ssl_request_log" \
-          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+    LogFormat "%%{X-Forwarded-For}i %t %%{SSL_PROTOCOL}x %%{SSL_CIPHER}x \"%r\" %b" proxy-ssl
+    LogFormat "%h %l %u %t \"%r\" %>s %b \"%%{Referer}i\" \"%%{User-Agent}i\"" combined
+    LogFormat "%%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%%{Referer}i\" \"%%{User-Agent}i\"" proxy
+    SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+    CustomLog "$${HTTPD_PREFIX}/logs/access_log" combined env=!forwarded
+    CustomLog "$${HTTPD_PREFIX}/logs/access_log" proxy env=forwarded
+    CustomLog "$${HTTPD_PREFIX}/logs/ssl_request_log" proxy-ssl env=forwarded
+    CustomLog "$${HTTPD_PREFIX}/logs/ssl_request_log" \
+          "%t %h %%{SSL_PROTOCOL}x %%{SSL_CIPHER}x \"%r\" %b" env=!forwarded
+    ErrorLog "$${HTTPD_PREFIX}/logs/error_log"
+    TransferLog "$${HTTPD_PREFIX}/logs/access_log"
 
     BrowserMatch "MSIE [2-5]" \
          nokeepalive ssl-unclean-shutdown \
          downgrade-1.0 force-response-1.0
-
 </VirtualHost>

initial-configuration/config/httpd/picsureui_settings.json

@@ -26,7 +26,7 @@
   "customizeAuth0Login": true,
   "queryButtonLabel": "Export for analysis",
   "maxVariantCount": 10000,
-  "auth0domain":"__AUTH0_DOMAIN__",
+  "auth0domain":"__AUTH0_TENANT__",
   "client_id":"__PIC_SURE_CLIENT_ID__",
   "analyticsId": "__ANALYTICS_ID__",
   "tagManagerId": "__TAG_MANAGER_ID__"

initial-configuration/config/httpd/psamaui_settings.json

@@ -6,7 +6,7 @@
   "basePath" : "/psama",
   "uiPath": "",
   "customizeAuth0Login": true,
-  "auth0domain":"__AUTH0_DOMAIN__",
+  "auth0domain":"__AUTH0_TENANT__",
   "client_id":"__PIC_SURE_CLIENT_ID__"
 }
 

initial-configuration/config/psama/.env

@@ -0,0 +1,30 @@
+# Database Configuration
+DATASOURCE_URL=jdbc:mysql://picsure-db:3306/auth?useUnicode=true&characterEncoding=UTF-8&autoReconnect=true&autoReconnectForPools=true&serverTimezone=UTC
+DATASOURCE_USERNAME=auth
+DATASOURCE_PASSWORD=__AUTH_MYSQL_PASSWORD__
+
+# Mail Configuration
+EMAIL_ADDRESS=__EMAIL_FROM_ADDR__
+EMAIL_PASSWORD=__EMAIL_PASSWORD__
+
+# Application Properties
+APPLICATION_CLIENT_SECRET=__PIC_SURE_CLIENT_SECRET__
+APPLICATION_CLIENT_SECRET_IS_BASE_64=false
+TOS_ENABLED=false
+SYSTEM_NAME=PIC-SURE All-in-one
+GRANT_EMAIL_SUBJECT=__ACCESS_GRANTED_EMAIL_SUBJECT__
+USER_ACTIVATION_REPLY_TO=__USER_ACTIVATION_REPLY_TO__
+ADMIN_USERS=__ADMIN_USERS__
+DENIED_EMAIL_ENABLED=false
+STACK_SPECIFIC_APPLICATION_ID=__STACK_SPECIFIC_APPLICATION_ID__
+
+# IDP Provider Configuration
+AUTH0_IDP_PROVIDER_IS_ENABLED=true
+IDP_PROVIDER_URI=https://__AUTH0_TENANT__.auth0.com/
+AUTH0_HOST=https://__AUTH0_TENANT__.auth0.com/
+
+# Token Expiration Times
+TOKEN_EXPIRATION_TIME=3600000
+LONG_TERM_TOKEN_EXPIRATION_TIME=2592000000
+
+JAVA_OPTS="-Xms2g -Xmx4g -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djavax.net.ssl.trustStore=/usr/local/tomcat/conf/application.truststore -Djavax.net.ssl.trustStorePassword=password"

initial-configuration/config/wildfly/standalone.xml

@@ -158,26 +158,6 @@
                         <password>sa</password>
                     </security>
                 </datasource>
-                <datasource jndi-name="java:jboss/datasources/AuthDS" pool-name="AuthDS" use-java-context="true">
-                    <connection-url>jdbc:mysql://picsure-db:3306/auth?useUnicode=true&amp;characterEncoding=UTF-8&amp;autoReconnect=true&amp;autoReconnectForPools=true&amp;serverTimezone=UTC</connection-url>
-                    <driver>mysql</driver>
-                    <pool>
-                        <min-pool-size>2</min-pool-size>
-                        <max-pool-size>10</max-pool-size>
-                        <prefill>true</prefill>
-                    </pool>
-                    <security>
-                        <user-name>auth</user-name>
-                        <password>__AUTH_MYSQL_PASSWORD__</password>
-                    </security>
-                    <validation>
-                        <valid-connection-checker class-name="org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker"/>
-                        <check-valid-connection-sql>SELECT 1</check-valid-connection-sql>
-                        <validate-on-match>true</validate-on-match>
-                        <background-validation>false</background-validation>
-                        <exception-sorter class-name="org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLExceptionSorter"/>
-                    </validation>
-                </datasource>
                 <datasource jndi-name="java:jboss/datasources/PicsureDS" pool-name="PicsureDS" use-java-context="true">
                     <connection-url>jdbc:mysql://picsure-db:3306/picsure?useUnicode=true&amp;characterEncoding=UTF-8&amp;autoReconnect=true&amp;autoReconnectForPools=true&amp;serverTimezone=UTC</connection-url>
                     <driver>mysql</driver>
@@ -461,7 +441,11 @@
                 <simple name="java:global/roles_claim" value="privileges"/>
                 <!-- Used in IRCT as well -->
                 <simple name="java:global/verify_user_method" value="tokenIntrospection"/>
-                <simple name="java:global/token_introspection_url" value="http://wildfly:8080/pic-sure-auth-services/auth/token/inspect"/>
+                <simple name="java:global/token_introspection_url" value="http://psama:8090/auth/token/inspect"/>
+
+                <simple name="java:global/openAccessEnabled" value="true"/>
+                <simple name="java:global/openAccessValidateUrl" value="http://psama:8090/auth/open/validate"/>
+
                 <simple name="java:global/token_introspection_token" value="__PIC_SURE_TOKEN_INTROSPECTION_TOKEN__"/>
                <!-- psama configuration-->
                 <simple name="java:global/client_secret" value="__PIC_SURE_CLIENT_SECRET__"/>
@@ -475,7 +459,7 @@
                 <simple name="java:global/userActivationReplyTo" value="__USER_ACTIVATION_REPLY_TO__"/>
                 <simple name="java:global/templatePath" value="/opt/jboss/wildfly/standalone/configuration/emailTemplates/" />
                 <simple name="java:global/tosEnabled" value="False" />
-                <simple name="java:global/auth0host" value="https://__AUTH0_DOMAIN__.auth0.com/" />
+                <simple name="java:global/auth0host" value="https://__AUTH0_TENANT__.auth0.com/" />
                 <simple name="java:global/emailTemplatePath" value="/opt/jboss/wildfly/standalone/configuration/emailTemplates/" />
                 <simple name="java:global/accessGrantEmailSubject" value="__ACCESS_GRANTED_EMAIL_SUBJECT__" />
                 <simple name="java:global/deniedEmailEnabled" value="false" />

initial-configuration/config/wildfly/wildfly.env

@@ -0,0 +1 @@
+JAVA_OPTS=-Xms2g -Xmx4g -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djavax.net.ssl.trustStore=/opt/jboss/wildfly/standalone/configuration/application.truststore -Djavax.net.ssl.trustStorePassword=password

initial-configuration/install-dependencies-docker.sh

@@ -1,4 +1,3 @@
-
 #!/usr/bin/env bash
 
 sed_inplace() {
@@ -8,7 +7,6 @@ sed_inplace() {
     sed -i "$@"
   fi
 }
-export -f sed_inplace
 
 CWD=$(pwd)
 # this makes tr work on OSX
@@ -18,12 +16,12 @@ export LC_ALL=C
 # $1 is the path to the docker-config dir $2 is the path to the rc rc_file
 function set_docker_config_dir {
   local docker_config_dir=$1
-  local rc_file=$2
+  export rc_file=$2
   if [ -z "$docker_config_dir" ]; then
    docker_config_dir="/var/local/docker-config"
   fi
   if [ -z "$rc_file" ]; then
-   rc_file="$HOME/.bashrc"
+   export rc_file="$HOME/.bashrc"
   fi
   #Check if docker_config_dir is a dir and exists
   if [ ! -d "$docker_config_dir" ]; then
@@ -45,7 +43,28 @@ function set_docker_config_dir {
   echo 'alias picsure-db="docker exec -ti picsure-db bash -c '\''mysql -uroot -p\$MYSQL_ROOT_PASSWORD'\''"' >> "$rc_file"
 }
 
+function set_mysql_config_dir() {
+  local mysql_config_dir=$1
+  if [ -z "$mysql_config_dir" ]; then
+    mysql_config_dir="$DOCKER_CONFIG_DIR/picsure-db/"
+  fi
+  #Check if mysql_config_dir is a dir and exists
+  if [ ! -d "$mysql_config_dir" ]; then
+    echo "Creating dir $mysql_config_dir and setting MYSQL_CONFIG_DIR in $rc_file"
+    mkdir -p $mysql_config_dir
+    export MYSQL_CONFIG_DIR=$mysql_config_dir
+    echo "export MYSQL_CONFIG_DIR=$mysql_config_dir" >> "$rc_file"
+  else
+    echo "dir $mysql_config_dir exists, just setting MYSQL_CONFIG_DIR in $rc_file"
+    # If the config dir exists, we still want to clean up old settings for it
+    export MYSQL_CONFIG_DIR=$1
+    grep 'MYSQL_CONFIG_DIR' "$rc_file" && sed_inplace '/MYSQL_CONFIG_DIR/d' "$rc_file"
+    echo "export MYSQL_CONFIG_DIR=$mysql_config_dir" >> "$rc_file"
+  fi
+}
+
 set_docker_config_dir "$1"
+set_mysql_config_dir "$2"
 
 #-------------------------------------------------------------------------------------------------#
 #                                          Docker Install                                         #
@@ -56,7 +75,7 @@ echo "Starting update"
 echo "Installing docker"
 if [ -n "$(command -v yum)" ] && [ -z "$(command -v docker)" ]; then
   echo "Yum detected. Assuming RHEL. Install commands will use yum"
-  set_docker_config_dir $1  "$HOME/.zshrc"
+  set_docker_config_dir $1 "$HOME/.zshrc"
   yum -y update
   # This repo can be removed after we move away from centos 7 I think
   yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
@@ -90,7 +109,7 @@ if [ -n "$(command -v apt-get)" ] && [ -z "$(command -v docker)" ]; then
 fi
 
 if [[ "$OSTYPE" =~ ^darwin ]]; then
-    echo "Darwin detected. Assuming macOS. Install commands will use brew." 
+    echo "Darwin detected. Assuming macOS. Install commands will use brew."
     #check for brew
     if [ -z "$(command -v brew)" ]; then
       echo "Brew not detected. Please install brew and rerun this script."
@@ -112,7 +131,7 @@ fi
 if [ -n "$(command -v apk)" ]; then
   echo "apk detected. Assuming alpine. Install commands will use apk"
   apk update && apk add --no-cache wget
-fi 
+fi
 
 if [ -z "$(command -v docker)" ]; then
   echo "You dont have docker installed and we cant detect a supported package manager."
@@ -172,11 +191,13 @@ export APP_ID=`uuidgen | tr '[:upper:]' '[:lower:]'`
 export APP_ID_HEX=`echo $APP_ID | awk '{ print toupper($0) }'|sed 's/-//g'`
 sed_inplace "s/__STACK_SPECIFIC_APPLICATION_ID__/$APP_ID/g" $DOCKER_CONFIG_DIR/httpd/picsureui_settings.json
 sed_inplace "s/__STACK_SPECIFIC_APPLICATION_ID__/$APP_ID/g" $DOCKER_CONFIG_DIR/wildfly/standalone.xml
+sed_inplace "s/__STACK_SPECIFIC_APPLICATION_ID__/$APP_ID/g" $DOCKER_CONFIG_DIR/psama/.env
 
 export RESOURCE_ID=`uuidgen | tr '[:upper:]' '[:lower:]'`
 export RESOURCE_ID_HEX=`echo $RESOURCE_ID | awk '{ print toupper($0) }'|sed 's/-//g'`
 sed_inplace "s/__STACK_SPECIFIC_RESOURCE_UUID__/$RESOURCE_ID/g" $DOCKER_CONFIG_DIR/httpd/picsureui_settings.json
 
+
 echo $APP_ID > $DOCKER_CONFIG_DIR/APP_ID_RAW
 echo $APP_ID_HEX > $DOCKER_CONFIG_DIR/APP_ID_HEX
 echo $RESOURCE_ID > $DOCKER_CONFIG_DIR/RESOURCE_ID_RAW
@@ -197,6 +218,9 @@ if [ -n "$2" ]; then
   ./convert-cert.sh $2 $3 $password
 fi
 
+echo Deleting pass.tmp
+rm pass.tmp
+
 echo "Installation script complete.  Staring Jenkins."
 cd ..
 ./start-jenkins.sh

initial-configuration/install-dependencies.sh

@@ -87,7 +87,7 @@ rm -f picsure.tmp
 
 echo "` < /dev/urandom tr -dc @^=+$*%_A-Z-a-z-0-9 | head -c${1:-24}`%4cA" > auth.tmp
 mysql -u root -e "grant all privileges on auth.* to 'auth'@'%' identified by '`cat auth.tmp`';flush privileges;";
-sed -i s/__AUTH_MYSQL_PASSWORD__/`cat auth.tmp`/g /usr/local/docker-config/wildfly/standalone.xml
+sed -i s/__AUTH_MYSQL_PASSWORD__/`cat auth.tmp`/g /usr/local/docker-config/psama/.env
 rm -f auth.tmp
 
 echo "Building and installing Jenkins"
@@ -109,6 +109,7 @@ export APP_ID=`uuidgen -r`
 export APP_ID_HEX=`echo $APP_ID | awk '{ print toupper($0) }'|sed 's/-//g'`
 sed -i "s/__STACK_SPECIFIC_APPLICATION_ID__/$APP_ID/g" /usr/local/docker-config/httpd/picsureui_settings.json
 sed -i "s/__STACK_SPECIFIC_APPLICATION_ID__/$APP_ID/g" /usr/local/docker-config/wildfly/standalone.xml
+sed -i "s/__STACK_SPECIFIC_APPLICATION_ID__/$APP_ID/g" /usr/local/docker-config/psama/.env
 
 export RESOURCE_ID=`uuidgen -r`
 export RESOURCE_ID_HEX=`echo $RESOURCE_ID | awk '{ print toupper($0) }'|sed 's/-//g'`

initial-configuration/jenkins/jenkins-docker/Dockerfile

@@ -1,4 +1,4 @@
-FROM jenkins/jenkins:2.440-jdk11
+FROM jenkins/jenkins:2.442-jdk11
 
 COPY plugins.yml /usr/share/jenkins/ref/plugins.yml