[ CAS ] Error missing /etc/cas/saml - Githubissues

georchestra / ansible

Ansible playbooks to deploy a fullblown geOrchestra instance

ISC License

16 stars 12 forks source link

[ CAS ] Error missing /etc/cas/saml #133

Open pierrejego opened 4 months ago

pierrejego commented 4 months ago

When deploying playbook ( master ) on new Debian 12 via vagrant, proxycas webapp won't start cas-server application because a folder is missing.

Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'samlIdPObjectSignatureValidator' defined in class path resource [org/apereo/cas/config/Sam
lIdPEndpointsConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.apereo.cas
.support.saml.web.idp.profile.builders.enc.validate.SamlObjectSignatureValidator]: Factory method 'samlIdPObjectSignatureValidator' threw exception; nested exception is org.springframework.bea
ns.factory.BeanCreationException: Error creating bean with name 'samlIdPMetadataGenerator' defined in class path resource [org/apereo/cas/config/SamlIdPMetadataConfiguration.class]: Invocation
 of init method failed; nested exception is java.lang.IllegalArgumentException: Metadata directory location /etc/cas/saml cannot be located/created

I could not find any configuration link to /etc/cas/saml in datadir but in cas-server docs there is some touch : https://apereo.github.io/cas/7.0.x/installation/Configuring-SAML2-DynamicMetadata.html

Create empty folder /etc/cas/sam fix to problem but might not be the answer.

pmauduit commented 4 months ago

Is your datadir uptodate ? especially these 2 lines: https://github.com/georchestra/datadir/blob/master/cas/config/cas.properties#L52-L53

pmauduit commented 4 months ago

oh, or maybe the cas.properties is templated into the ansible playbook ...

pmauduit commented 4 months ago

it is templated indeeed, but @landryb updated it last week: https://github.com/georchestra/ansible/blame/master/roles/georchestra/templates/cas/cas.properties.j2

pierrejego commented 4 months ago

I have the last version of playbook, I see the templating, but in the final datadir /etc/georchestra/cas/config neither cas.properties or log4j2.xml are updated. There are not coming from master datadir ( last two lines are missing and log4J2.xml point to /var/log.

Could they come from the debian package ?

landryb commented 4 months ago

the playbook deploys the datadir and the templates after installing the debian package, so if you run ansible-playbook -t config --diff you should be able to see what is updated in the datadir

as for the empty /etc/georchestra/cas/saml dir it should exist since it's in the datadir repo at https://github.com/georchestra/datadir/tree/master/cas/saml

landryb commented 3 months ago

i was wrong in my previous comment and misread yours.. after checking, the datadir is deployed/customized before deploying debian packages, which apparently overrides the customizations done by the playbook since config files are also shipped by the debian package. That is.. a definitely strange behaviour, because by default when left unattended/without user interaction (ie when run from ansible), dpkg shouldn't override already present files...

pmauduit commented 3 months ago

That is.. a definitely strange behaviour, because by default when left unattended/without user interaction (ie when run from ansible), dpkg shouldn't override already present files...

It gets back to one point brought during the codesprint: what about dropping the default /etc/georchestra/webapp brought by the packages ? Maybe it would make more sense to have a sample configuration into /usr/share/doc/ ?

landryb commented 3 months ago

can repro on a test instance, after removing georchestra-cas and running ansible-playbook -t config:

the config is customized:


root@bookworm:/etc/georchestra# git diff cas
diff --git a/cas/config/cas.properties b/cas/config/cas.properties
index 422537d..2c68f3b 100644
--- a/cas/config/cas.properties
+++ b/cas/config/cas.properties
@@ -1,4 +1,4 @@
-cas.server.name=https://georchestra.mydomain.org
+cas.server.name=https://georchestra.example.org
cas.server.prefix=${cas.server.name}/cas

logging.config=file:/etc/georchestra/cas/config/log4j2.xml
diff --git a/cas/config/log4j2.xml b/cas/config/log4j2.xml
index 604fc81..e201b49 100644
--- a/cas/config/log4j2.xml
+++ b/cas/config/log4j2.xml
@@ -2,7 +2,7 @@
<!-- Specify the refresh internal in seconds. -->
<Configuration monitorInterval="5" packages="org.apereo.cas.logging">
 <Properties>

/var/log
/srv/log
```
 <Property name="cas.log.level">info</Property>
 <Property name="spring.webflow.log.level">warn</Property>
 <Property name="spring.security.log.level">info</Property>
```
```
installing `georchestra-cas` doesnt ask questions about config files:
```
root@bookworm:/etc/georchestra# apt install georchestra-cas Reading package lists... Done Building dependency tree... Done Reading state information... Done The following NEW packages will be installed: georchestra-cas 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. Need to get 0 B/99.1 MB of archives. After this operation, 111 MB of additional disk space will be used. Selecting previously unselected package georchestra-cas. (Reading database ... 92678 files and directories currently installed.) Preparing to unpack .../georchestra-cas_6.3.7.4.master.202402080539~e5d7cd0_all.deb ... Unpacking georchestra-cas (6.3.7.4.master.202402080539~e5d7cd0) ... Setting up georchestra-cas (6.3.7.4.master.202402080539~e5d7cd0) ...
```
has overriden the customizations. iirc this doesnt happen with other packages... definitely strange.
```
root@bookworm:/etc/georchestra# git diff cas diff --git a/cas/config/cas.properties b/cas/config/cas.properties index 422537d..d7ca759 100644 --- a/cas/config/cas.properties +++ b/cas/config/cas.properties @@ -48,6 +48,3 @@ cas.authn.ldap[0].name= cas.authn.ldap[0].type=DIRECT cas.authn.ldap[0].dn-format=uid=%s,ou=users,dc=georchestra,dc=org cas.authn.oidc.jwks.jwks-file=file:///tmp/keystore.jwksdown
-cas.authn.saml-idp.core.entity-id=https://${FQDN}/idp -cas.authn.saml-idp.metadata.location=file:///tmp/

landryb commented 3 months ago

the way ansible installs the packages via apt, it should use --force-confdef & --force-confold as dpkg options, per https://docs.ansible.com/ansible/latest/collections/ansible/builtin/apt_module.html#parameter-dpkg_options - and to my understanding that explicitely says 'keep existing files'.

or i'm not reading https://dyn.manpages.debian.org/bookworm/dpkg/dpkg.1.en.html#force~2 right...

landryb commented 3 months ago

@pierrejego can you check what happens if you add:

diff --git a/roles/georchestra/tasks/wars.yml b/roles/georchestra/tasks/wars.yml
index b5d9f64..dcb816d 100644
--- a/roles/georchestra/tasks/wars.yml
+++ b/roles/georchestra/tasks/wars.yml
@@ -20,6 +20,7 @@
   apt:
     pkg: "{{ item.value.pkg }}"
     update_cache: true
+    dpkg_options: force-confold
     state: latest # noqa: package-latest
   with_dict: "{{ georchestra_wars }}"
   when: item.value.enabled and item.key != 'cadastrapp' and item.value.pkg is defined

landryb commented 3 months ago

That is.. a definitely strange behaviour, because by default when left unattended/without user interaction (ie when run from ansible), dpkg shouldn't override already present files...

It gets back to one point brought during the codesprint: what about dropping the default /etc/georchestra/webapp brought by the packages ? Maybe it would make more sense to have a sample configuration into /usr/share/doc/ ?

that or /usr/share/doc/georchestra-datadir ? since we have /usr/share/doc/georchestra-*/copyright...

pmauduit commented 3 months ago

that or /usr/share/doc/georchestra-datadir ? since we have /usr/share/doc/georchestra-*/copyright...

Maybe it would deserve a new package, then (I'd expect that in debian conventions, you would need to have /usr/share/doc/<packagename> or so). It also reminds me that we never solved the issue with /etc/georchestra/default.properties (which package should take care of it ?)