Merge branch 'update-springboot' into 'master'

Remove use of ajp + upgrade to latest springboot See merge request openid/conformance-suite!1070
openid-certification · Nov 19, 2021 · f241833 · f241833
2 parents 42bcf19 + d55e2a2
commit f241833
Show file tree

Hide file tree

Showing 13 changed files with 25 additions and 23 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -4,7 +4,6 @@ ENV BASE_URL https://localhost:8443
 ENV MONGODB_HOST mongodb
 ENV JAVA_EXTRA_ARGS=
 EXPOSE 8080
-EXPOSE 9090
 ENTRYPOINT java \
   -D"fintechlabs.base_url=${BASE_URL}" \
   -D"spring.data.mongodb.uri=mongodb://${MONGODB_HOST}:27017/test_suite" \

diff --git a/chart/templates/ingress.yaml b/chart/templates/ingress.yaml
@@ -12,6 +12,8 @@ metadata:
     httpd-server-snippet: |
       RequestHeader set X-Ssl-Cipher "%{SSL_CIPHER}s"
       RequestHeader set X-Ssl-Protocol "%{SSL_PROTOCOL}s"
+      RequestHeader set X-Forwarded-Proto https
+      RequestHeader set X-Forwarded-Port 443
       <Location "/test-mtls/">
         <If "%{HTTPS} == 'on'">
           SSLVerifyClient optional_no_ca

diff --git a/httpd/Dockerfile b/httpd/Dockerfile
@@ -4,7 +4,7 @@ RUN apt-get update \
 	&& apt-get clean
 RUN \
 	echo 'Listen 8443' > /etc/apache2/ports.conf \
-	&& a2enmod headers proxy proxy_ajp proxy_http rewrite ssl \
+	&& a2enmod headers proxy proxy_http rewrite ssl \
 	&& a2dissite 000-default.conf
 COPY server.conf /etc/apache2/sites-enabled
 ENTRYPOINT ["apachectl", "-DFOREGROUND"]
diff --git a/httpd/Dockerfile-nodocker b/httpd/Dockerfile-nodocker
@@ -6,7 +6,7 @@ RUN apt-get update \
 	&& apt-get clean
 RUN \
 	echo 'Listen 8443' > /etc/apache2/ports.conf \
-	&& a2enmod headers proxy proxy_ajp proxy_http rewrite ssl \
+	&& a2enmod headers proxy proxy_http rewrite ssl \
 	&& a2dissite 000-default.conf
 COPY server-nodocker.conf /etc/apache2/sites-enabled
 ENTRYPOINT ["apachectl", "-DFOREGROUND"]
diff --git a/httpd/Dockerfile-static b/httpd/Dockerfile-static
@@ -9,7 +9,7 @@ RUN apt-get update \
 	&& apt-get clean
 RUN \
 	echo 'Listen 8443' > /etc/apache2/ports.conf \
-	&& a2enmod headers proxy proxy_ajp proxy_http rewrite ssl \
+	&& a2enmod headers proxy proxy_http rewrite ssl \
 	&& a2dissite 000-default.conf
 COPY server-static.conf /etc/apache2/sites-enabled
 ENTRYPOINT ["apachectl", "-DFOREGROUND"]
diff --git a/httpd/server-nodocker.conf b/httpd/server-nodocker.conf
@@ -20,11 +20,13 @@ DocumentRoot "/usr/local/apache2/htdocs"
 	SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
 	RequestHeader set X-Ssl-Cipher "%{SSL_CIPHER}s"
 	RequestHeader set X-Ssl-Protocol "%{SSL_PROTOCOL}s"
+	RequestHeader set X-Forwarded-Proto https
+	RequestHeader set X-Forwarded-Port 8443
 	<Location "/static/">
 		ProxyPass !
 	</Location>
-	ProxyPass "/" "ajp://host.docker.internal:9090/"
-	ProxyPassReverse "/" "ajp://host.docker.internal:9090/"
+	ProxyPass "/" "http://host.docker.internal:8080/"
+	ProxyPassReverse "/" "http://host.docker.internal:8080/"
 	<Location "/">
 		Require all granted
 	</Location>

diff --git a/httpd/server-static.conf b/httpd/server-static.conf
@@ -17,12 +17,14 @@ DocumentRoot "/usr/local/apache2/htdocs"
 	SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
 	RequestHeader set X-Ssl-Cipher "%{SSL_CIPHER}s"
 	RequestHeader set X-Ssl-Protocol "%{SSL_PROTOCOL}s"
+	RequestHeader set X-Forwarded-Proto https
+	RequestHeader set X-Forwarded-Port 8443
 	<Location "/static/">
 		ProxyPass !
 	</Location>
-	ProxyPass "/" "ajp://server:9090/"
+	ProxyPass "/" "http://server:8080/"
 	# RewriteRule "^/(.*)$" "http://server:8080/$1" [P]
-	ProxyPassReverse "/" "ajp://server:9090/"
+	ProxyPassReverse "/" "http://server:8080/"
 	<Location "/">
 		Require all granted
 	</Location>

diff --git a/httpd/server.conf b/httpd/server.conf
@@ -9,9 +9,11 @@
 	SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
 	RequestHeader set X-Ssl-Cipher "%{SSL_CIPHER}s"
 	RequestHeader set X-Ssl-Protocol "%{SSL_PROTOCOL}s"
-	ProxyPass "/" "ajp://server:9090/"
+	RequestHeader set X-Forwarded-Proto https
+	RequestHeader set X-Forwarded-Port 8443
+	ProxyPass "/" "http://server:8080/"
 	# RewriteRule "^/(.*)$" "http://server:8080/$1" [P]
-	ProxyPassReverse "/" "ajp://server:9090/"
+	ProxyPassReverse "/" "http://server:8080/"
 	<Location "/">
 		Require all granted
 	</Location>

diff --git a/package/Dockerfile.server b/package/Dockerfile.server
@@ -3,7 +3,6 @@ COPY fapi-test-suite.jar /server/
 ENV BASE_URL https://localhost:8443
 ENV MONGODB_HOST mongodb
 EXPOSE 8080
-EXPOSE 9090
 ENTRYPOINT java \
   -D"fintechlabs.base_url=${BASE_URL}" \
   -D"spring.data.mongodb.uri=mongodb://${MONGODB_HOST}:27017/test_suite" \

diff --git a/pom.xml b/pom.xml
@@ -14,7 +14,7 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>2.2.0.RELEASE</version>
+		<version>2.2.13.RELEASE</version>
 		<relativePath/> <!-- lookup parent from repository -->
 	</parent>
 

diff --git a/src/main/java/net/openid/conformance/Application.java b/src/main/java/net/openid/conformance/Application.java
@@ -85,17 +85,7 @@ public static void main(String[] args) {
 
 	@Bean
 	public TomcatServletWebServerFactory servletContainer() {
-
 		TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory();
-
-		Connector ajpConnector = new Connector("AJP/1.3");
-		// ajpConnector.setProtocol("AJP/1.3");
-		ajpConnector.setPort(9090);
-		ajpConnector.setSecure(false);
-		ajpConnector.setAllowTrace(false);
-		ajpConnector.setScheme("http");
-		tomcat.addAdditionalTomcatConnectors(ajpConnector);
-
 		return tomcat;
 	}
 

diff --git a/.../java/net/openid/conformance/security/UrlLimitedOAuth2AuthenticationProcessingFilter.java b/.../java/net/openid/conformance/security/UrlLimitedOAuth2AuthenticationProcessingFilter.java
@@ -24,6 +24,11 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
 
 		final HttpServletRequest request = (HttpServletRequest) req;
 
+		if (!request.getScheme().equals("https")) {
+			// It's important that the reverse proxy settings are correct - if we receive a request that appears to be http here, then, e.g., we will send the user to the http version of the login page when they logout.
+			throw new RuntimeException("A non-https request has been received by the conformance suite. The external interface should always use https; if https is in use then there may be a problem with the reverse-proxy apache in front of the suite not setting the X-Forwarded-Proto (etc) http headers correctly.");
+		}
+
 		if (matcher.matches(request)) {
 			super.doFilter(req, res, chain);
 		} else {

diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
@@ -35,10 +35,11 @@ oidc.admin.group=openid-conformance-suite-admins
 oidc.admin.issuer=https://gitlab.com
 
 # 'login with gitlab' openid connect client credentials
+# setup on https://gitlab.com/oauth/applications/
 oidc.gitlab.clientid=
 oidc.gitlab.secret=
 
-server.use-forward-headers=true
+server.forward-headers-strategy=NATIVE
 
 # Keypair for signing and export. Note that the trailing backslashes allow for a multiline value.
 fintechlabs.jwks={\