diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 1abeb1d63d..fee8b48547 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -99,8 +99,7 @@ jobs: - name: Get ondemand token id: token run: | - TOKEN_NAME=$(kubectl describe serviceaccount ondemand -n ondemand | grep Tokens | awk '{ print $2 }') - TOKEN=$(kubectl describe secret $TOKEN_NAME -n ondemand | grep "token:" | awk '{ print $2 }') + TOKEN=$(kubectl create token ondemand --namespace=ondemand) echo "ondemand=${TOKEN}" >> $GITHUB_OUTPUT - name: Setup kubectl run: | diff --git a/apps/dashboard/app/javascript/dynamic_forms.js b/apps/dashboard/app/javascript/dynamic_forms.js index 4bda9bce4a..90890aaa1c 100644 --- a/apps/dashboard/app/javascript/dynamic_forms.js +++ b/apps/dashboard/app/javascript/dynamic_forms.js @@ -100,7 +100,8 @@ function snakeCaseWords(str) { snakeCase += c.toLowerCase(); } else if(c == c.toUpperCase() && isNaN(c)) { const nextIsUpper = (index + 1 !== str.length) ? str[index + 1] === str[index + 1].toUpperCase() : true; - if (str[index-1] === '_' || nextIsUpper) { + const nextIsNum = !isNaN(str[index + 1]); + if ((str[index-1] === '_' || nextIsUpper) && !nextIsNum) { snakeCase += c.toLowerCase(); } else { snakeCase += `_${c.toLowerCase()}`; diff --git a/apps/dashboard/test/fixtures/sys_with_gateway_apps/bc_jupyter/form.yml b/apps/dashboard/test/fixtures/sys_with_gateway_apps/bc_jupyter/form.yml index b3c4faa121..4bb285b0a4 100644 --- a/apps/dashboard/test/fixtures/sys_with_gateway_apps/bc_jupyter/form.yml +++ b/apps/dashboard/test/fixtures/sys_with_gateway_apps/bc_jupyter/form.yml @@ -38,6 +38,7 @@ attributes: data-max-bc-num-slots-for-cluster-oakley: 8, data-min-gpus: 0, data-max-gpus: 0, + data-hide-gpus-num-v100: true, ] - [ "broken", @@ -46,6 +47,7 @@ attributes: data-maximum-bc-not-found-for-cluster-mistype: 30, data-min-gpus: 0, data-max-gpus: 0, + data-hide-gpus-num-v100: true, ] - [ "gpu", 
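Review bot: The token returned by `kubectl create token` is written to `$GITHUB_OUTPUT` without being masked, so any later step that echoes the output, or a debug log of the job, can print a live ServiceAccount bearer token. Add `echo "::add-mask::${TOKEN}"` immediately before the `echo "ondemand=${TOKEN}" >> $GITHUB_OUTPUT` line, and consider passing `--duration` so the token lifetime is stated in the workflow rather than left to the API server's default. Unlike the removed `describe secret` path, this call depends on the TokenRequest API, so on a cluster without it the step fails outright rather than falling back; worth a one-line comment above the `run:`. The rest of the job is outside the hunk.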
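Review bot: `const nextIsNum = !isNaN(str[index + 1]);` uses the coercing global `isNaN`, which treats whitespace as numeric (`isNaN(' ')` is false), so an uppercase letter followed by a space is handled as if followed by a digit and keeps its underscore suppressed. A character test says what is meant: `const nextIsNum = /\d/.test(str[index + 1] || '');`. The end-of-string case works today only because `isNaN(undefined)` happens to be true; the regex form makes that explicit instead of relying on coercion. The enclosing `snakeCaseWords` function begins and ends outside the hunk.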
@@ -76,6 +78,7 @@ attributes: data-min-gpus: 0, data-max-gpus: 0, + data-hide-gpus-num-v100: true, ] - [ "advanced", @@ -85,6 +88,7 @@ attributes: data-min-gpus: 0, data-max-gpus: 0, + data-hide-gpus-num-v100: true, ] # this node type is the same for both clusters, so there's no 'for-cluster-...' clause - [ @@ -99,6 +103,7 @@ attributes: data-min-gpus: 0, data-max-gpus: 0, + data-hide-gpus-num-v100: true, ] - [ "other-40ish-option", @@ -108,6 +113,7 @@ attributes: data-min-gpus: 0, data-max-gpus: 0, + data-hide-gpus-num-v100: true, ] python_version: # let's set the account used by the python version for some reason @@ -214,3 +220,4 @@ form: - auto_modules_intel - auto_modules_netcdf-serial - checkbox_test + - gpus_num_v100 \ No newline at end of file diff --git a/apps/dashboard/test/models/batch_connect/session_test.rb b/apps/dashboard/test/models/batch_connect/session_test.rb index 48446d44a9..05a801849a 100644 --- a/apps/dashboard/test/models/batch_connect/session_test.rb +++ b/apps/dashboard/test/models/batch_connect/session_test.rb @@ -599,7 +599,8 @@ def completed? 'auto_modules_app_jupyter' => '', 'auto_modules_intel' => '', 'auto_modules_netcdf_serial' => '', - 'checkbox_test' => '' + 'checkbox_test' => '', + 'gpus_num_v100' => '' } assert session.save(app: bc_jupyter_app, context: ctx), session.errors.each(&:to_s).to_s diff --git a/apps/dashboard/test/system/batch_connect_test.rb b/apps/dashboard/test/system/batch_connect_test.rb index 5a4870f947..e4f5f4aa9e 100644 --- a/apps/dashboard/test/system/batch_connect_test.rb +++ b/apps/dashboard/test/system/batch_connect_test.rb 
@@ -674,6 +674,18 @@ def make_bc_app(dir, form) assert_equal 'display: none;', find_option_style('classroom_size', 'large') end + test 'can hide fields with numbers and characters' do + visit new_batch_connect_session_context_url('sys/bc_jupyter') + + # defaults - gpus_num_v100 is hidden on page load. + assert_equal('any', find_value('node_type')) + refute(find("##{bc_ele_id('gpus_num_v100')}", visible: false).visible?) + + # select gpu and now it's shown. + select('gpu', from: bc_ele_id('node_type')) + assert(find("##{bc_ele_id('gpus_num_v100')}").visible?) + end + test 'options can check and uncheck' do visit new_batch_connect_session_context_url('sys/bc_jupyter') diff --git a/nginx_stage/lib/nginx_stage.rb b/nginx_stage/lib/nginx_stage.rb index 3574ffaf8a..c7f5387c25 100644 --- a/nginx_stage/lib/nginx_stage.rb +++ b/nginx_stage/lib/nginx_stage.rb @@ -5,6 +5,7 @@ require_relative "nginx_stage/pid_file" require_relative "nginx_stage/socket_file" require_relative "nginx_stage/secret_key_base_file" +require_relative "nginx_stage/session_finder" require_relative "nginx_stage/views/pun_config_view" require_relative "nginx_stage/views/app_config_view" require_relative "nginx_stage/generator" diff --git a/nginx_stage/lib/nginx_stage/generators/nginx_clean_generator.rb b/nginx_stage/lib/nginx_stage/generators/nginx_clean_generator.rb index f745e460f5..60c2ea67ee 100644 --- a/nginx_stage/lib/nginx_stage/generators/nginx_clean_generator.rb +++ b/nginx_stage/lib/nginx_stage/generators/nginx_clean_generator.rb @@ -2,6 +2,9 @@ module NginxStage # This generator cleans all running per-user NGINX processes that are # inactive (i.e., not active connections). class NginxCleanGenerator < Generator + + include NginxStage::SessionFinder + desc 'Clean all user running PUNs with no active connections' footer <<-EOF.gsub(/^ {4}/, '') 
@@ -59,8 +62,9 @@ class NginxCleanGenerator < Generator next if (user && user != u.to_s) pid_path = PidFile.new NginxStage.pun_pid_path(user: u) socket = SocketFile.new NginxStage.pun_socket_path(user: u) - cleanup_stale_files(pid_path, socket) unless pid_path.running_process? - if socket.sessions.zero? || force + sessions = session_count(u) + cleanup_stale_files(pid_path, socket) unless pid_path.running_process? + if sessions.zero? || force puts u if !skip_nginx NginxStage.clean_nginx_env(user: user) diff --git a/nginx_stage/lib/nginx_stage/generators/nginx_show_generator.rb b/nginx_stage/lib/nginx_stage/generators/nginx_show_generator.rb index d592d58302..79dce09195 100644 --- a/nginx_stage/lib/nginx_stage/generators/nginx_show_generator.rb +++ b/nginx_stage/lib/nginx_stage/generators/nginx_show_generator.rb @@ -1,6 +1,9 @@ module NginxStage # This generator shows the state of the running per-user NGINX process. class NginxShowGenerator < Generator + + include NginxStage::SessionFinder + desc 'Show the details for a given per-user nginx process' footer <<-EOF.gsub(/^ {4}/, '') @@ -31,7 +34,7 @@ class NginxShowGenerator < Generator add_hook :check_socket_for_active_sessions do socket = SocketFile.new socket_path puts "Socket: #{socket}" - puts "Sessions: #{socket.sessions}" + puts "Sessions: #{session_count(user)}" end private diff --git a/nginx_stage/lib/nginx_stage/session_finder.rb b/nginx_stage/lib/nginx_stage/session_finder.rb new file mode 100644 index 0000000000..8241346814 --- /dev/null +++ b/nginx_stage/lib/nginx_stage/session_finder.rb @@ -0,0 +1,12 @@ +# frozen_string_literal: true + +module NginxStage + module SessionFinder + def session_count(user) + `timeout 10 ps -o cmd -u #{user}`.split("\n").select do |command| + # matches 'Passenger NodeApp', 'Passenger RubyApp' and so on. + command.match?(/Passenger \w+App:/) + end.count + end + end +end 
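Review bot: `session_count` interpolates `user` into a backtick command, so a username (or the `user` argument these generators take on the command line) containing shell metacharacters is handed to `/bin/sh`; nginx_stage is normally invoked through sudo, so that shell runs as root. Use the argv form so no shell is involved, and check the exit status so a `timeout` kill or a `ps` error is not silently reported as zero sessions, which in the clean generator would tear down a live PUN. A second caveat belongs in the comment: this counts processes in the user's list whose command line matches `/Passenger \w+App:/`, so it measures running Passenger app processes rather than open connections as the removed `SocketFile#sessions` did, and a user-started process with such a name would keep the PUN from being cleaned.
```ruby
def session_count(user)
  # argv form: no shell is involved, so a hostile username cannot inject commands.
  out = IO.popen(['timeout', '10', 'ps', '-o', 'cmd', '-u', user.to_s], &:read)
  # fail closed: an error or timeout must not look like "no sessions" to the cleaner.
  raise "ps failed for user #{user}: #{$?}" unless $?.success?

  # matches 'Passenger NodeApp', 'Passenger RubyApp' and so on.
  out.lines.count { |command| command.match?(/Passenger \w+App:/) }
end
```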
diff --git a/nginx_stage/lib/nginx_stage/socket_file.rb b/nginx_stage/lib/nginx_stage/socket_file.rb index 7d1c88aaa6..f8889b80e3 100644 --- a/nginx_stage/lib/nginx_stage/socket_file.rb +++ b/nginx_stage/lib/nginx_stage/socket_file.rb @@ -10,18 +10,6 @@ def initialize(socket) @socket = Pathname.new(socket) raise MissingSocketFile, "missing socket file: #{socket}" unless File.exist?(socket) raise InvalidSocketFile, "invalid socket file: #{socket}" unless File.socket?(socket) - @processes = get_processes - end - - # The number of active sessions connected to this socket - # @return [Integer] number of active connections - def sessions - # generate array of inodes - ary_inodes = @processes.map{|h| h[:inode]}.reduce([], :+) - - # count number of inodes without partner (assuming these are connected to - # apache proxy instead of root nginx process) - ary_inodes.group_by{|e| e}.select{|k,v| v.size == 1}.map(&:first).count end # Convert object to string @@ -43,20 +31,5 @@ def delete $stderr.puts "Unable to delete socket file at #{socket}" end - private - def get_processes - str = `lsof -F piu #{socket}` - ary = [] - str.split(/\n/).each do |l| - if /^p(?\d+)$/ =~ l - ary << {pid: pid, uid: nil, inode: []} - elsif /^u(?\d+)$/ =~ l - ary.last[:uid] = uid - elsif /^i(?\d+)$/ =~ l - ary.last[:inode] << inode - end - end - ary - end end end diff --git a/ood-portal-generator/lib/ood_portal_generator/dex.rb b/ood-portal-generator/lib/ood_portal_generator/dex.rb index b60d7e292c..c8674ae343 100644 --- a/ood-portal-generator/lib/ood_portal_generator/dex.rb +++ b/ood-portal-generator/lib/ood_portal_generator/dex.rb @@ -297,7 +297,6 @@ def oidc_attributes attrs = { dex_http_port: http_port, oidc_uri: '/oidc', - oidc_redirect_uri: client_redirect_uri, oidc_provider_metadata_url: "#{issuer}/.well-known/openid-configuration", oidc_client_id: client_id, oidc_client_secret: client_secret 
diff --git a/ood-portal-generator/lib/ood_portal_generator/view.rb b/ood-portal-generator/lib/ood_portal_generator/view.rb index 91b46b19d0..23addfeab1 100644 --- a/ood-portal-generator/lib/ood_portal_generator/view.rb +++ b/ood-portal-generator/lib/ood_portal_generator/view.rb @@ -7,7 +7,7 @@ module OodPortalGenerator class View attr_reader :ssl, :protocol, :proxy_server, :port, :dex_uri attr_accessor :user_map_match, :user_map_cmd, :logout_redirect, :dex_http_port, :dex_enabled - attr_accessor :oidc_uri, :oidc_client_secret, :oidc_remote_user_claim, :oidc_client_id, :oidc_provider_metadata_url, :oidc_redirect_uri + attr_accessor :oidc_uri, :oidc_client_secret, :oidc_remote_user_claim, :oidc_client_id, :oidc_provider_metadata_url # let the application set the auth if it needs to attr_writer :auth @@ -39,6 +39,7 @@ def initialize(opts = {}) @errorlog = log_filename(error_log,"error") @logformat = opts.fetch(:logformat, nil) @use_rewrites = opts.fetch(:use_rewrites, true) + @http_redirect_host = opts.fetch(:http_redirect_host, '%{HTTP_HOST}') @lua_root = opts.fetch(:lua_root, "/opt/ood/mod_ood_proxy/lib") @lua_log_level = opts.fetch(:lua_log_level, "info") @user_map_cmd = opts.fetch(:user_map_cmd, nil) @@ -107,7 +108,6 @@ def initialize(opts = {}) @oidc_provider_metadata_url = opts.fetch(:oidc_provider_metadata_url, nil) @oidc_client_id = opts.fetch(:oidc_client_id, nil) @oidc_client_secret = opts.fetch(:oidc_client_secret, nil) - @oidc_redirect_uri = "#{protocol}#{servername}#{@oidc_uri}" @oidc_remote_user_claim = opts.fetch(:oidc_remote_user_claim, 'preferred_username') @oidc_scope = opts.fetch(:oidc_scope, "openid profile email") @oidc_crypto_passphrase = opts.fetch(:oidc_crypto_passphrase, Digest::SHA1.hexdigest(servername)) diff --git a/ood-portal-generator/share/ood_portal_example.yml b/ood-portal-generator/share/ood_portal_example.yml index 2ab0c3ec36..3b733d3af8 100644 --- a/ood-portal-generator/share/ood_portal_example.yml 
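Review bot: The new default `'%{HTTP_HOST}'` for `@http_redirect_host` makes the port-80 redirect target come from the client's Host header, so a request carrying a crafted Host is answered with a 301 to an attacker-chosen host (a host-header open redirect, and a cache-poisoning vector if the 301 is cached by an intermediary); the previous target `@proxy_server` was operator-controlled. Either default to `proxy_server` and let sites opt into `%{HTTP_HOST}`, or pair the default with a guard in the http vhost such as `RewriteCond %{HTTP_HOST} ^(<allowed hosts>)(:\d+)?$ [NC]` using the same list already emitted as `OOD_ALLOWED_HOSTS`. At minimum, document the trade-off next to the assignment with `# NOTE: '%{HTTP_HOST}' reflects the client-supplied Host header into the redirect; only safe behind a proxy that validates Host.` The initializer starts and ends outside the hunk.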
+++ b/ood-portal-generator/share/ood_portal_example.yml @@ -80,6 +80,12 @@ # Default: true #use_rewrites: true +# Specify the host to redirect to when redirecting from port 80 +# Example: +# http_redirect_host: my.proxy.host +# Default: '%{HTTP_HOST}' +#http_redirect_host: '%{HTTP_HOST}' + # Should Maintenance Rewrite rules be added # Example: # use_maintenance: false diff --git a/ood-portal-generator/spec/application_spec.rb b/ood-portal-generator/spec/application_spec.rb index bcf24323fb..c20cde94c8 100644 --- a/ood-portal-generator/spec/application_spec.rb +++ b/ood-portal-generator/spec/application_spec.rb @@ -132,6 +132,10 @@ def test_generate(input, output) test_generate('input/custom_directives.yml', 'output/custom_directives.conf') end + it 'http_redirect_host can be set' do + test_generate('input/http_redirect_host.yml', 'output/http_redirect_host.conf') + end + it 'generates full OIDC config' do config = { servername: 'ondemand.example.com', diff --git a/ood-portal-generator/spec/fixtures/input/http_redirect_host.yml b/ood-portal-generator/spec/fixtures/input/http_redirect_host.yml new file mode 100644 index 0000000000..34ba5b80c7 --- /dev/null +++ b/ood-portal-generator/spec/fixtures/input/http_redirect_host.yml @@ -0,0 +1,14 @@ +--- +auth: + - 'AuthType openid-connect' + - 'Require valid-user' + +servername: ondemand.example.com +proxy_server: ondemand.proxy.example.com +http_redirect_host: ondemand.redirect-proxy.example.com + +port: 443 +ssl: + - 'SSLCertificateFile /etc/pki/tls/certs/ondemand.example.com.crt' + - 'SSLCertificateKeyFile /etc/pki/tls/private/ondemand.example.com.key' + - 'SSLCertificateChainFile /etc/pki/tls/certs/ondemand.example.com-interm.crt' \ No newline at end of file diff --git a/ood-portal-generator/spec/fixtures/ood-portal.conf.all b/ood-portal-generator/spec/fixtures/ood-portal.conf.all index 62a73cfe4e..9e3a53e702 100644 --- a/ood-portal-generator/spec/fixtures/ood-portal.conf.all 
+++ b/ood-portal-generator/spec/fixtures/ood-portal.conf.all @@ -54,7 +54,7 @@ Listen 8080 ServerAlias foo.example.com RewriteEngine On - RewriteRule ^(.*) https://test.proxy.name:8080$1 [R=301,NE,L] + RewriteRule ^(.*) https://%{HTTP_HOST}:8080$1 [R=301,NE,L] # The Open OnDemand portal VirtualHost diff --git a/ood-portal-generator/spec/fixtures/ood-portal.conf.dex b/ood-portal-generator/spec/fixtures/ood-portal.conf.dex index 26ea808db7..57fdbe4e9d 100644 --- a/ood-portal-generator/spec/fixtures/ood-portal.conf.dex +++ b/ood-portal-generator/spec/fixtures/ood-portal.conf.dex @@ -64,7 +64,7 @@ OIDCProviderMetadataURL http://example.com/dex/.well-known/openid-configuration OIDCClientID example.com OIDCClientSecret 83bc78b7-6f5e-4010-9d80-22f328aa6550 - OIDCRedirectURI http://example.com/oidc + OIDCRedirectURI /oidc OIDCRemoteUserClaim email OIDCScope "openid profile email" OIDCCryptoPassphrase 0caaf24ab1a0c33440c06afe99df986365b0781f diff --git a/ood-portal-generator/spec/fixtures/ood-portal.conf.dex-full b/ood-portal-generator/spec/fixtures/ood-portal.conf.dex-full index a07936eb37..195f8c4f82 100644 --- a/ood-portal-generator/spec/fixtures/ood-portal.conf.dex-full +++ b/ood-portal-generator/spec/fixtures/ood-portal.conf.dex-full @@ -47,7 +47,7 @@ ServerName example.com RewriteEngine On - RewriteRule ^(.*) https://example.com:443$1 [R=301,NE,L] + RewriteRule ^(.*) https://%{HTTP_HOST}:443$1 [R=301,NE,L] # The Open OnDemand portal VirtualHost @@ -84,7 +84,7 @@ OIDCProviderMetadataURL https://example.com/dex/.well-known/openid-configuration OIDCClientID example.com OIDCClientSecret 83bc78b7-6f5e-4010-9d80-22f328aa6550 - OIDCRedirectURI https://example.com/oidc + OIDCRedirectURI /oidc OIDCRemoteUserClaim email OIDCScope "openid profile email" OIDCCryptoPassphrase 0caaf24ab1a0c33440c06afe99df986365b0781f 
diff --git a/ood-portal-generator/spec/fixtures/ood-portal.conf.dex-ldap b/ood-portal-generator/spec/fixtures/ood-portal.conf.dex-ldap index e9e434785a..c02e457631 100644 --- a/ood-portal-generator/spec/fixtures/ood-portal.conf.dex-ldap +++ b/ood-portal-generator/spec/fixtures/ood-portal.conf.dex-ldap @@ -47,7 +47,7 @@ ServerName example.com RewriteEngine On - RewriteRule ^(.*) https://example.com:443$1 [R=301,NE,L] + RewriteRule ^(.*) https://%{HTTP_HOST}:443$1 [R=301,NE,L] # The Open OnDemand portal VirtualHost @@ -84,7 +84,7 @@ OIDCProviderMetadataURL https://example.com/dex/.well-known/openid-configuration OIDCClientID example.com OIDCClientSecret 83bc78b7-6f5e-4010-9d80-22f328aa6550 - OIDCRedirectURI https://example.com/oidc + OIDCRedirectURI /oidc OIDCRemoteUserClaim preferred_username OIDCScope "openid profile email" OIDCCryptoPassphrase 0caaf24ab1a0c33440c06afe99df986365b0781f diff --git a/ood-portal-generator/spec/fixtures/ood-portal.conf.dex-no-proxy b/ood-portal-generator/spec/fixtures/ood-portal.conf.dex-no-proxy index 1c0092b7fc..4dd9799b6e 100644 --- a/ood-portal-generator/spec/fixtures/ood-portal.conf.dex-no-proxy +++ b/ood-portal-generator/spec/fixtures/ood-portal.conf.dex-no-proxy @@ -47,7 +47,7 @@ ServerName example.com RewriteEngine On - RewriteRule ^(.*) https://example.com:443$1 [R=301,NE,L] + RewriteRule ^(.*) https://%{HTTP_HOST}:443$1 [R=301,NE,L] # The Open OnDemand portal VirtualHost @@ -84,7 +84,7 @@ OIDCProviderMetadataURL https://example.com:5554/.well-known/openid-configuration OIDCClientID example.com OIDCClientSecret 83bc78b7-6f5e-4010-9d80-22f328aa6550 - OIDCRedirectURI https://example.com/oidc + OIDCRedirectURI /oidc OIDCRemoteUserClaim email OIDCScope "openid profile email" OIDCCryptoPassphrase 0caaf24ab1a0c33440c06afe99df986365b0781f diff --git a/ood-portal-generator/spec/fixtures/ood-portal.conf.oidc b/ood-portal-generator/spec/fixtures/ood-portal.conf.oidc index f1e8395d72..d7c4094696 100644 
--- a/ood-portal-generator/spec/fixtures/ood-portal.conf.oidc +++ b/ood-portal-generator/spec/fixtures/ood-portal.conf.oidc @@ -68,7 +68,7 @@ OIDCProviderMetadataURL https://idp.example.com/auth/realms/osc/.well-known/openid-configuration OIDCClientID ondemand.example.com OIDCClientSecret secret - OIDCRedirectURI http://ondemand.example.com/oidc + OIDCRedirectURI /oidc OIDCRemoteUserClaim preferred_username OIDCScope "openid profile email groups" OIDCCryptoPassphrase e2c5ee12c92a019f19b5e532641ac0da2f9acdac diff --git a/ood-portal-generator/spec/fixtures/ood-portal.conf.oidc-ssl b/ood-portal-generator/spec/fixtures/ood-portal.conf.oidc-ssl index 132624f846..a239d262dc 100644 --- a/ood-portal-generator/spec/fixtures/ood-portal.conf.oidc-ssl +++ b/ood-portal-generator/spec/fixtures/ood-portal.conf.oidc-ssl @@ -47,7 +47,7 @@ ServerName ondemand.example.com RewriteEngine On - RewriteRule ^(.*) https://ondemand.example.com:443$1 [R=301,NE,L] + RewriteRule ^(.*) https://%{HTTP_HOST}:443$1 [R=301,NE,L] # The Open OnDemand portal VirtualHost @@ -84,7 +84,7 @@ OIDCProviderMetadataURL https://idp.example.com/auth/realms/osc/.well-known/openid-configuration OIDCClientID ondemand.example.com OIDCClientSecret secret - OIDCRedirectURI https://ondemand.example.com/oidc + OIDCRedirectURI /oidc OIDCRemoteUserClaim preferred_username OIDCScope "openid profile email groups" OIDCCryptoPassphrase e2c5ee12c92a019f19b5e532641ac0da2f9acdac diff --git a/ood-portal-generator/spec/fixtures/ood-portal.dex-full.proxy.conf b/ood-portal-generator/spec/fixtures/ood-portal.dex-full.proxy.conf index cd3c79a99d..304f84ff29 100644 --- a/ood-portal-generator/spec/fixtures/ood-portal.dex-full.proxy.conf +++ b/ood-portal-generator/spec/fixtures/ood-portal.dex-full.proxy.conf @@ -47,7 +47,7 @@ ServerName example.com RewriteEngine On - RewriteRule ^(.*) https://example-proxy.com:443$1 [R=301,NE,L] + RewriteRule ^(.*) https://%{HTTP_HOST}:443$1 [R=301,NE,L] # The Open OnDemand portal VirtualHost 
@@ -84,7 +84,7 @@ OIDCProviderMetadataURL https://example-proxy.com/dex/.well-known/openid-configuration OIDCClientID example.com OIDCClientSecret 83bc78b7-6f5e-4010-9d80-22f328aa6550 - OIDCRedirectURI https://example.com/oidc + OIDCRedirectURI /oidc OIDCRemoteUserClaim email OIDCScope "openid profile email" OIDCCryptoPassphrase 0caaf24ab1a0c33440c06afe99df986365b0781f diff --git a/ood-portal-generator/spec/fixtures/output/http_redirect_host.conf b/ood-portal-generator/spec/fixtures/output/http_redirect_host.conf new file mode 100644 index 0000000000..7bf70f667d --- /dev/null +++ b/ood-portal-generator/spec/fixtures/output/http_redirect_host.conf 
@@ -0,0 +1,192 @@ +# +# Open OnDemand Portal +# +# Generated using ood-portal-generator version 0.8.0 +# +# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +# !! !! +# !! DO NOT EDIT THIS FILE !! +# !! !! +# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +# +# This file is auto-generated by ood-portal-generator and will be over-written +# in future updates. +# +# 1. To modify this file, first update the global configuration file: +# +# /etc/ood/config/ood_portal.yml +# +# You can find more information about the ood-portal-generator configuration +# at: +# +# https://osc.github.io/ood-documentation/latest/reference/commands/ood-portal-generator.html +# +# 2. Then build/install the updated Apache config with: +# +# sudo /opt/ood/ood-portal-generator/sbin/update_ood_portal +# +# 3. Finally, restart Apache to have the changes take effect: +# +# # For CentOS 6 +# sudo service httpd24-httpd condrestart +# sudo service httpd24-htcacheclean condrestart +# +# # For CentOS 7 +# sudo systemctl try-restart httpd24-httpd.service httpd24-htcacheclean.service +# +# # For CentOS 8 +# sudo systemctl try-restart httpd.service htcacheclean.service +# + + +# Redirect all http traffic to the https Open OnDemand portal URI +# http://*:443 +# #=> https://ondemand.proxy.example.com:443 +# + + ServerName ondemand.example.com + + RewriteEngine On + RewriteRule ^(.*) https://ondemand.redirect-proxy.example.com:443$1 [R=301,NE,L] + + +# The Open OnDemand portal VirtualHost +# + + ServerName ondemand.example.com + + ErrorLog "logs/ondemand.example.com_error_ssl.log" + CustomLog "logs/ondemand.example.com_access_ssl.log" combined + + RewriteEngine On + RewriteCond %{HTTP_HOST} !^(ondemand.proxy.example.com(:443)?)?$ [NC] + RewriteRule ^(.*) https://ondemand.proxy.example.com:443$1 [R=301,NE,L] + + # Support maintenance page during outages of OnDemand + RewriteEngine On + RewriteCond /var/www/ood/public/maintenance/index.html -f + RewriteCond /etc/ood/maintenance.enable -f + RewriteCond %{REQUEST_URI} 
!/public/maintenance/.*$ + RewriteRule ^.*$ /public/maintenance/index.html [R=302,L] + + TraceEnable off + + Header always set Content-Security-Policy "frame-ancestors https://ondemand.proxy.example.com;" + Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" + + SSLEngine On + SSLCertificateFile /etc/pki/tls/certs/ondemand.example.com.crt + SSLCertificateKeyFile /etc/pki/tls/private/ondemand.example.com.key + SSLCertificateChainFile /etc/pki/tls/certs/ondemand.example.com-interm.crt + + # Lua configuration + # + LuaRoot "/opt/ood/mod_ood_proxy/lib" + LogLevel lua_module:info + + # Log authenticated user requests (requires min log level: info) + LuaHookLog logger.lua logger + + # Authenticated-user to system-user mapping configuration + # + SetEnv OOD_USER_MAP_MATCH ".*" + + # Per-user Nginx (PUN) configuration + # NB: Apache will need sudo privs to control the PUNs + # + SetEnv OOD_PUN_STAGE_CMD "sudo /opt/ood/nginx_stage/sbin/nginx_stage" + + SetEnv OOD_ALLOWED_HOSTS "ondemand.example.com,ondemand.proxy.example.com" + + + # + # Below is used for sub-uri's this Open OnDemand portal supports + # + + # Serve up publicly available assets from local file system: + # + # https://ondemand.example.com:443/public/favicon.ico + # #=> /var/www/ood/public/favicon.ico + # + Alias "/public" "/var/www/ood/public" + + Options FollowSymLinks + AllowOverride None + Require all granted + + + + + # Reverse proxy traffic to backend PUNs through Unix domain sockets: + # + # https://ondemand.example.com:443/pun/dev/app/simulations/1 + # #=> unix:/path/to/socket|http://localhost/pun/dev/app/simulations/1 + # + SetEnv OOD_PUN_URI "/pun" + + AuthType openid-connect + Require valid-user + + + ProxyPreserveHost On + ProxyAddHeaders On + ProxyPassReverse "http://localhost/pun" + + # ProxyPassReverseCookieDomain implementation (strip domain) + Header edit* Set-Cookie ";\s*(?i)Domain[^;]*" "" + + # ProxyPassReverseCookiePath implementation (less 
restrictive) + Header edit* Set-Cookie ";\s*(?i)Path\s*=(?-i)(?!\s*/pun)[^;]*" "; Path=/pun" + + SetEnv OOD_PUN_SOCKET_ROOT "/var/run/ondemand-nginx" + SetEnv OOD_PUN_MAX_RETRIES "5" + LuaHookFixups pun_proxy.lua pun_proxy_handler + + + + # Control backend PUN for authenticated user: + # NB: See mod_ood_proxy for more details. + # + # https://ondemand.example.com:443/nginx/stop + # #=> stops the authenticated user's PUN + # + SetEnv OOD_NGINX_URI "/nginx" + + AuthType openid-connect + Require valid-user + + + LuaHookFixups nginx.lua nginx_handler + + + # Redirect root URI to specified URI + # + # https://ondemand.example.com:443/ + # #=> https://ondemand.example.com:443/pun/sys/dashboard + # + RedirectMatch ^/$ "/pun/sys/dashboard" + + # Redirect logout URI to specified redirect URI + # + # https://ondemand.example.com:443/logout + # #=> https://ondemand.example.com:443/pun/sys/dashboard/logout + # + Redirect "/logout" "/pun/sys/dashboard/logout" + + + # Maintenance location + # + # https://ondemand.example.com:443/public/maintenance + # #=> Displays /var/www/ood/public/maintenance/index.html + # + + RewriteCond /etc/ood/maintenance.enable !-f + ReWriteRule ^.*$ / + + RewriteCond %{REQUEST_URI} !/public/maintenance/.*$ + RewriteRule ^.*$ /public/maintenance/index.html [R=503,L] + ErrorDocument 503 /public/maintenance/index.html + + + + diff --git a/ood-portal-generator/spec/ood_portal_generator_view_spec.rb b/ood-portal-generator/spec/ood_portal_generator_view_spec.rb index 1fa294fcf8..87c70e6bc5 100644 --- a/ood-portal-generator/spec/ood_portal_generator_view_spec.rb +++ b/ood-portal-generator/spec/ood_portal_generator_view_spec.rb 
@@ -15,7 +15,7 @@ example_config_opts -= %w(dex) # delete inst vars that are not actual options in the example file - config_opts -= %w(protocol allowed_hosts oidc_redirect_uri dex_http_port) + config_opts -= %w(protocol allowed_hosts dex_http_port) expect(config_opts + example_config_opts - (config_opts & example_config_opts)).to be_empty end diff --git a/ood-portal-generator/templates/ood-portal.conf.erb b/ood-portal-generator/templates/ood-portal.conf.erb index 45bf8d3e7e..ff4898374b 100644 --- a/ood-portal-generator/templates/ood-portal.conf.erb +++ b/ood-portal-generator/templates/ood-portal.conf.erb @@ -63,7 +63,7 @@ Listen <%= addr_port %> <%- end -%> RewriteEngine On - RewriteRule ^(.*) <%= @ssl ? "https" : "http" %>://<%= @proxy_server %>:<%= @port %>$1 [R=301,NE,L] + RewriteRule ^(.*) <%= @ssl ? "https" : "http" %>://<%= @http_redirect_host %>:<%= @port %>$1 [R=301,NE,L] <% end -%> @@ -131,7 +131,7 @@ Listen <%= addr_port %> <%- if @oidc_client_secret -%> OIDCClientSecret <%= @oidc_client_secret %> <%- end -%> - OIDCRedirectURI <%= @oidc_redirect_uri %> + OIDCRedirectURI <%= @oidc_uri %> OIDCRemoteUserClaim <%= @oidc_remote_user_claim %> OIDCScope "<%= @oidc_scope %>" OIDCCryptoPassphrase <%= @oidc_crypto_passphrase %> diff --git a/packaging/deb/control b/packaging/deb/control index 8e1b3ccf8e..e3c386de8c 100644 --- a/packaging/deb/control +++ b/packaging/deb/control @@ -16,7 +16,7 @@ Multi-Arch: foreign Depends: ${misc:Depends}, ${shlibs:Depends}, ruby, apache2, sudo, lsof, lua-posix, tzdata, file, nodejs (>= 18.0), nodejs (<< 19.0), - ondemand-nginx (= 1.22.1.p6.0.17.ood3.1), ondemand-passenger (= 6.0.17.ood3.1) + ondemand-nginx (= 1.24.0.p6.0.20.ood3.1), ondemand-passenger (= 6.0.20.ood3.1) Recommends: rclone Description: Open OnDemand is an open source release of the Ohio SuperComputer Center's OnDemand platform to provide HPC access via a web browser, supporting web based file 
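Review bot: `OIDCRedirectURI <%= @oidc_uri %>` now emits a path-only value (`/oidc`); mod_auth_openidc accepts a relative redirect URI, but it then builds the absolute redirect_uri sent to the provider from the incoming request, so with Apache's default `UseCanonicalName Off` the value again follows the Host header and must still match what is registered at the IdP exactly. That behaviour should be confirmed against the mod_auth_openidc version packaged here; if it holds, emit `UseCanonicalName On` next to `ServerName` in the generated vhost, or keep the absolute form for deployments that are not behind a Host-rewriting proxy. A short template comment such as `# relative: resolved against the request host at runtime; must match the IdP-registered URI` would save the next operator a confusing redirect_uri mismatch error. The surrounding `<VirtualHost>` block of the template is outside the hunk.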
diff --git a/packaging/rpm/ondemand.spec b/packaging/rpm/ondemand.spec index c177b86eba..b6bb3a8657 100644 --- a/packaging/rpm/ondemand.spec +++ b/packaging/rpm/ondemand.spec @@ -74,8 +74,8 @@ Requires: python3 Requires: rclone %endif Requires: ondemand-apache = %{runtime_version_full} -Requires: ondemand-nginx = 1.22.1-1.p6.0.17.ood%{runtime_version}%{?dist} -Requires: ondemand-passenger = 6.0.17-1.ood%{runtime_version}%{?dist} +Requires: ondemand-nginx = 1.24.0-1.p6.0.20.ood%{runtime_version}%{?dist} +Requires: ondemand-passenger = 6.0.20-1.ood%{runtime_version}%{?dist} Requires: ondemand-ruby = %{runtime_version_full} Requires: ondemand-nodejs = %{runtime_version_full} Requires: ondemand-runtime = %{runtime_version_full}