OZ-573: Add support for SSO with necessary configurations (#120)

.env

@@ -7,10 +7,13 @@
 #
 # Host
 #
-SERVER_SCHEME=https
-HOST_URL=http://172.17.0.1
+SERVER_SCHEME=http
+HOST_IP_ADDRESS=
+HOST_NAME=${HOST_IP_ADDRESS:-localhost}
+HOST_URL=${SERVER_SCHEME}://${HOST_NAME}
 TIMEZONE=UTC
-
+GITPOD_ENV=false
+ENABLE_SSO=false
 #
 # OpenMRS
 #
@@ -29,7 +32,7 @@ SPA_CONFIG_URLS=/openmrs/spa/configs/ozone-frontend-config.json
 SPA_DEFAULT_LOCALE=en
 
 # OpenMRS frontend and backend Docker image tag
-O3_DOCKER_IMAGE_TAG=
+O3_DOCKER_IMAGE_TAG=3.1.1
 
 #
 # MySQL
@@ -57,6 +60,8 @@ ODOO_CONFIG_PATH=
 ODOO_INITIALIZER_CONFIG_FILE_PATH=
 ODOO_DATABASE=odoo
 
+ODOO_SERVER_ENV_CONFIG=
+
 #
 # ERPNext
 #
@@ -70,6 +75,21 @@ ERPNEXT_DB_NAME=erpnext
 SITE=senaite
 SENAITE_ADMIN_USER=admin
 SENAITE_ADMIN_PASSWORD=password
+SENAITE_DB_NAME=senaite
+SENAITE_DB_USER=senaite
+SENAITE_DB_PASSWORD=password
+SENAITE_DB_HOST=postgresql
+
+#
+# Keycloak
+#
+KEYCLOAK_DB_USER=keycloak
+KEYCLOAK_DB_PASSWORD=keycloak
+KEYCLOAK_DB=keycloak
+KEYCLOAK_DB_SCHEMA=keycloak
+KEYCLOAK_USER=admin
+KEYCLOAK_PASSWORD=password
+KEYCLOAK_INTERNAL_HOST_URL=http://keycloak:8080
 
 #
 # Common EIP clients config
@@ -116,6 +136,7 @@ OPENMRS_PROPERTIES_PATH=
 OPENMRS_CORE_PATH=
 OPENMRS_MODULES_PATH=
 OPENMRS_CONFIG_PATH=
+OPENMRS_TOMCAT_CONFIG_PATH=
 OPENMRS_PERSON_IMAGES_PATH=
 OPENMRS_COMPLEX_OBS_PATH=
 SPA_PATH=
@@ -124,6 +145,7 @@ OPENMRS_OWAS_PATH=
 ODOO_CONFIG_PATH=
 ODOO_EXTRA_ADDONS=
 SENAITE_CONFIG_PATH=
+KEYCLOAK_CONFIG_PATH=
 OPENMRS_FRONTEND_BINARY_PATH=
 OPENMRS_FRONTEND_CONFIG_PATH=
 EIP_OPENMRS_SENAITE_CONFIG_PATH=
@@ -147,11 +169,40 @@ ODOO_CONFIG_CHECKSUMS_PATH=
 #
 # Public Hostnames
 #
-O3_HOSTNAME=emr-172-17-0-1.traefik.me
-ODOO_HOSTNAME=erp-172-17-0-1.traefik.me
-SENAITE_HOSTNAME=lims-172-17-0-1.traefik.me
-ERPNEXT_HOSTNAME=erpnext-172-17-0-1.traefik.me
-FHIR_ODOO_HOSTNAME=fhir-erp-172-17-0-1.traefik.me
+O3_HOSTNAME=${HOST_NAME}
+ODOO_HOSTNAME=${HOST_NAME}:8069
+SENAITE_HOSTNAME=${HOST_NAME}:8081
+ERPNEXT_HOSTNAME=${HOST_NAME}:8082
+SUPERSET_HOSTNAME=${HOST_NAME}:8088
+FHIR_ODOO_HOSTNAME=${HOST_NAME}:8083
+KEYCLOAK_HOSTNAME=${HOST_NAME}:8084
+
+#
+# Sample SSO Client Secrets used in the demo script
+#
+SUPERSET_CLIENT_UUID=891b980a-9edb-4c72-a63d-1f8e488d6ad4
+SUPERSET_CLIENT_SECRET=znZK8dvk7hLOpwfU
+
+SENAITE_CLIENT_UUID=3b8672bf-b239-46e5-b0b6-8ba71a4bf5ac
+SENAITE_CLIENT_SECRET=Vdi1xIgJiUcrF4dx
+
+OPENMRS_CLIENT_UUID=14b6083d-2d3c-4fb1-a75d-0f5af17be198
+OPENMRS_CLIENT_SECRET=AYmNV4AEHA0Tlxwa
+
+ODOO_CLIENT_UUID=70a0e2fd-2bb2-4417-9fc6-22cdca1bb5be
+ODOO_CLIENT_SECRET=z3epa8rE66tUIZz6
+
+KEYCLOAK_ADMIN_SA_CLIENT_SECRET=5HuMNB6gwHd0fY2L
+EIP_CLIENT_SECRET=h9PQzv6zWnVl1yxnhdfZulnW7FPqPlci
+
+#
+# EIP OAuth2
+#
+OAUTH_ENABLED=${ENABLE_SSO}
+OAUTH_CLIENT_ID=eip
+OAUTH_CLIENT_SECRET=${EIP_CLIENT_SECRET}
+OAUTH_CLIENT_SCOPE=openid
+OAUTH_ACCESS_TOKEN_URL=http://keycloak:8080/realms/ozone/protocol/openid-connect/token
 
 #
 # Backup

bundled-docker/frontend/Dockerfile

@@ -1,6 +1,8 @@
 FROM openmrs/openmrs-reference-application-3-frontend:nightly
+
 ADD distro/binaries/openmrs/frontend /usr/share/nginx/html
 ADD distro/configs/openmrs/frontend_config /usr/share/nginx/html/configs
+
 RUN mkdir -p /app
 WORKDIR /app
 COPY bundled-docker/frontend/startup.sh /app

bundled-docker/frontend/startup.sh

@@ -3,6 +3,6 @@ set -e
 
 for f in /usr/share/nginx/html/configs/*.json; do
   echo "processing===> $f";
-  envsubst < $f | sponge $f;
+  envsubst < "$f" | sponge "$f";
 done
 /usr/local/bin/startup.sh

bundled-docker/keycloak/Dockerfile

@@ -0,0 +1,3 @@
+FROM docker.io/bitnami/keycloak:22.0.5
+ADD configs/keycloak/realms /keycloak-files/realm-config
+ADD configs/keycloak/themes/carbon /opt/bitnami/keycloak/themes/carbon

bundled-docker/openmrs/Dockerfile

@@ -1,3 +1,8 @@
-FROM openmrs/openmrs-reference-application-3-backend:nightly
-ADD binaries/openmrs/modules /openmrs/distribution/openmrs_modules
-ADD configs/openmrs/initializer_config /openmrs/distribution/openmrs_config
+FROM openmrs/openmrs-core:2.6.7
+
+# Add modules & configurations for the ozone distribution
+ADD distro/binaries/openmrs/modules /openmrs/distribution/openmrs_modules
+ADD distro/configs/openmrs/initializer_config /openmrs/distribution/openmrs_config
+ADD distro/configs/openmrs/properties/fhirproxy.properties /openmrs/data/fhirproxy/config.properties
+ADD distro/configs/openmrs/properties/oauth2.properties /openmrs/data/oauth2.properties
+ADD bundled-docker/openmrs/tomcat/server.xml /usr/local/tomcat/conf/server.xml

bundled-docker/pom.xml

@@ -76,7 +76,15 @@
                                         <include>postgresql/**</include>
                                         <include>proxy/**</include>
                                         <include>senaite/**</include>
+                                        <include>keycloak/**</include>
+                                    </includes>
+                                </resource>
+                                <resource>
+                                    <directory>../</directory>
+                                    <includes>
                                         <include>docker-compose-bundled.yml.template</include>
+                                        <include>docker-compose-bundled-sso.yml.template</include>
+                                        <include>openmrs/**</include>
                                     </includes>
                                 </resource>
                             </resources>
@@ -105,4 +113,4 @@
         </snapshotRepository>
     </distributionManagement>
 
-</project>
+</project>

bundled-docker/postgresql/Dockerfile

@@ -1,3 +1,6 @@
 FROM postgres:13
+
 ADD data/postgresql/create_db.sh /docker-entrypoint-initdb.d/create_db.sh
-ADD data/postgresql/odoo /docker-entrypoint-initdb.d/db/odoo
+ADD data/postgresql/odoo /docker-entrypoint-initdb.d/db/odoo
+ADD data/postgresql/senaite /docker-entrypoint-initdb.d/db/senaite
+ADD data/postgresql/keycloak /docker-entrypoint-initdb.d/db/keycloak

bundled-docker/proxy/default.conf.template

@@ -151,3 +151,14 @@ server {
         proxy_pass http://$senaite;
     }
 }
+
+server {
+    listen 8084;
+    location / {
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Forward-Proto http;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        set $keycloak keycloak:8080;
+        proxy_pass http://$keycloak;
+    }
+}

bundled-docker/senaite/Dockerfile

@@ -1,2 +1,3 @@
-FROM mekomsolutions/senaite
-ADD configs/senaite/initializer_config /data/importdata/senaite
+FROM mekomsolutions/senaite-ozonepro
+ADD configs/senaite/initializer_config /data/importdata/senaite
+ADD configs/senaite/oidc /data/oidc

demo/docker-compose-sso.yml

@@ -0,0 +1,8 @@
+services:
+  eip-demo:
+    environment:
+      OAUTH_ENABLED: ${OAUTH_ENABLED}
+      OAUTH_ACCESS_TOKEN_URL: ${OAUTH_ACCESS_TOKEN_URL}
+      OAUTH_CLIENT_ID: ${OAUTH_CLIENT_ID}
+      OAUTH_CLIENT_SECRET: ${OAUTH_CLIENT_SECRET}
+      OAUTH_CLIENT_SCOPE: ${OAUTH_CLIENT_SCOPE}

demo/eip/config/application.properties

@@ -10,3 +10,19 @@ openmrs.baseUrl=${OPENMRS_URL}
 # Number of demo patients used to generate demo data, defaults to 0
 number.of.demo.patients=${NUMBER_OF_DEMO_PATIENTS}
 # ----------------------------------------------------------------------------------------------------------------------
+
+# *********************** OAuth2 Configuration *************************************************************************
+# Enable OAuth2 authentication, defaults to false.
+oauth.enabled=${OAUTH_ENABLED:false}
+# The client ID of the account, defaults to empty.
+oauth.access.token.url=${OAUTH_ACCESS_TOKEN_URL:}
+
+# The client ID of the account to use to authenticate, defaults to empty.
+oauth.client.id=${OAUTH_CLIENT_ID:}
+
+# The client secret of the account to use to authenticate, defaults to empty.
+oauth.client.secret=${OAUTH_CLIENT_SECRET:}
+
+# Authentication scope, can be multiple values separated by commas, defaults to empty.
+oauth.client.scope=${OAUTH_CLIENT_SCOPE:}
+# ----------------------------------------------------------------------------------------------------------------------

demo/eip/routes/generate-demo-data-route.xml

@@ -5,7 +5,15 @@
 
         <log message="Scheduled demo data generation." />
 
-        <to uri="direct:authenticate-to-openmrs"/>
+        <choice>
+            <when>
+                <simple>{{oauth.enabled}}</simple>
+                <to uri="direct:oauth2-authenticate-to-openmrs"/>
+            </when>
+            <otherwise>
+                <to uri="direct:authenticate-to-openmrs"/>
+            </otherwise>
+        </choice>
 
         <setProperty name="number-of-demo-patients">
             <simple>${properties:number.of.demo.patients:50}</simple>

demo/eip/routes/oauth2-authenticate-to-openmrs-route.xml

@@ -0,0 +1,21 @@
+<routes
+        xmlns="http://camel.apache.org/schema/spring" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://camel.apache.org/schema/spring ">
+    <route id="oauth2-authenticate-to-openmrs">
+        <from uri="direct:oauth2-authenticate-to-openmrs"/>
+        <log message="Authenticating application to OpenMRS"/>
+        <setHeader name="oauth2.url">
+            <simple>{{oauth.access.token.url}}</simple>
+        </setHeader>
+        <setHeader name="oauth2.client.id">
+            <simple>{{oauth.client.id}}</simple>
+        </setHeader>
+        <setHeader name="oauth2.client.secret">
+            <simple>{{oauth.client.secret}}</simple>
+        </setHeader>
+        <setHeader name="oauth2.client.scope">
+            <simple>{{oauth.client.scope}}</simple>
+        </setHeader>
+        <process ref="eip.oauthProcessor"/>
+    </route>
+</routes>

docker-compose-bundled-sso.yml.template

@@ -0,0 +1,115 @@
+services:
+  keycloak:
+    image: ${dockerUserName}/${sanitizedArtifactId}-keycloak:${dockertag}
+    restart: unless-stopped
+    environment:
+      KC_HOSTNAME_URL: \${SERVER_SCHEME}://\${KEYCLOAK_HOSTNAME}
+      PROXY_ADDRESS_FORWARDING: "true"
+      KC_HTTP_ENABLED: 'true'
+      KC_HOSTNAME_STRICT_BACKCHANNEL: "true"
+      KC_PROXY: reencrypt
+      KC_HEALTH_ENABLED: 'true'
+      KC_METRICS_ENABLED: 'true'
+      KEYCLOAK_DATABASE_VENDOR: postgresql
+      KEYCLOAK_DATABASE_HOST: postgresql
+      KEYCLOAK_DATABASE_PORT_NUMBER: 5432
+      KEYCLOAK_DATABASE_NAME: \${KEYCLOAK_DB}
+      KEYCLOAK_DATABASE_USER: \${KEYCLOAK_DB_USER}
+      KEYCLOAK_DATABASE_PASSWORD: \${KEYCLOAK_DB_PASSWORD}
+      KEYCLOAK_DATABASE_SCHEMA: \${KEYCLOAK_DB_SCHEMA}
+      KEYCLOAK_CREATE_ADMIN_USER: "true"
+      KEYCLOAK_ADMIN_USER: \${KEYCLOAK_USER}
+      KEYCLOAK_ADMIN_PASSWORD: \${KEYCLOAK_PASSWORD}
+      HOST_URL: \${SERVER_SCHEME}://\${O3_HOSTNAME}
+      KEYCLOAK_AUTH_SERVER_URL: \${SERVER_SCHEME}://\${KEYCLOAK_HOSTNAME}
+      ODOO_PUBLIC_URL: \${SERVER_SCHEME}://\${ODOO_HOSTNAME}
+      OPENMRS_PUBLIC_URL: \${SERVER_SCHEME}://\${O3_HOSTNAME}
+      SENAITE_PUBLIC_URL: \${SERVER_SCHEME}://\${SENAITE_HOSTNAME}
+      SUPERSET_PUBLIC_URL: \${SERVER_SCHEME}://\${SUPERSET_HOSTNAME}
+      ODOO_CLIENT_SECRET: \${ODOO_CLIENT_SECRET}
+      ODOO_CLIENT_UUID: \${ODOO_CLIENT_UUID}
+      OPENMRS_CLIENT_SECRET: \${OPENMRS_CLIENT_SECRET}
+      OPENMRS_CLIENT_UUID: \${OPENMRS_CLIENT_UUID}
+      SENAITE_CLIENT_SECRET: \${SENAITE_CLIENT_SECRET}
+      SENAITE_CLIENT_UUID: \${SENAITE_CLIENT_UUID}
+      SUPERSET_CLIENT_SECRET: \${SUPERSET_CLIENT_SECRET}
+      SUPERSET_CLIENT_UUID: \${SUPERSET_CLIENT_UUID}
+      KEYCLOAK_ADMIN_SA_CLIENT_SECRET: \${KEYCLOAK_ADMIN_SA_CLIENT_SECRET}
+      EIP_CLIENT_SECRET: \${EIP_CLIENT_SECRET}
+      KEYCLOAK_EXTRA_ARGS_PREPENDED: "--spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true"
+      KEYCLOAK_EXTRA_ARGS: "
+        -Dkeycloak.profile.feature.scripts=enabled
+        -Dkeycloak.migration.replace-placeholders=true
+        -Dkeycloak.migration.action=import
+        -Dkeycloak.migration.provider=dir
+        -Dkeycloak.migration.dir=/keycloak-files/realm-config
+        -Dkeycloak.migration.strategy=OVERWRITE_EXISTING"
+
+    healthcheck:
+        test: ["CMD", "curl", "-f", "http://0.0.0.0:8080/health/ready"]
+        interval: 15s
+        timeout: 3s
+        retries: 5
+        start_period: 30s
+
+    depends_on:
+      postgresql:
+        condition: service_started
+    networks:
+      ozone:
+      web:
+    labels:
+      traefik.enable: "true"
+      traefik.http.routers.keycloak.rule: "Host(`\${KEYCLOAK_HOSTNAME}`)"
+      traefik.http.routers.keycloak.entrypoints: "websecure"
+      traefik.http.services.keycloak.loadbalancer.server.port: 8080
+
+  postgresql:
+    environment:
+      KEYCLOAK_DB: \${KEYCLOAK_DB}
+      KEYCLOAK_DB_SCHEMA: \${KEYCLOAK_DB_SCHEMA}
+      KEYCLOAK_DB_USER: \${KEYCLOAK_DB_USER}
+      KEYCLOAK_DB_PASSWORD: \${KEYCLOAK_DB_PASSWORD}
+  # Odoo
+  odoo:
+    environment:
+     - KEYCLOAK_URL=\${SERVER_SCHEME}://\${KEYCLOAK_HOSTNAME}
+     - ODOO_CLIENT_UUID=\${ODOO_CLIENT_UUID}
+     - ODOO_CLIENT_SECRET=\${ODOO_CLIENT_SECRET}
+     - ADDONS=sale_management,stock,account_account,purchase,mrp,mrp_product_expiry,product_expiry,l10n_generic_coa,odoo_initializer,ozone_settings,server_environment,auth_oidc_environment,auth_oidc
+  # EIP Odoo OpenMRS Integration Service
+  eip-odoo-openmrs:
+    environment:
+      OAUTH_ACCESS_TOKEN_URL: \${OAUTH_ACCESS_TOKEN_URL}
+      OAUTH_ENABLED: \${OAUTH_ENABLED}
+      OAUTH_CLIENT_ID: \${OAUTH_CLIENT_ID}
+      OAUTH_CLIENT_SECRET: \${OAUTH_CLIENT_SECRET}
+      OAUTH_CLIENT_SCOPE: \${OAUTH_CLIENT_SCOPE}
+
+  # OpenMRS Backend
+  openmrs:
+    environment:
+      KEYCLOAK_URL: \${SERVER_SCHEME}://\${KEYCLOAK_HOSTNAME}
+      OPENMRS_CLIENT_UUID: \${OPENMRS_CLIENT_UUID}
+      OPENMRS_CLIENT_SECRET: \${OPENMRS_CLIENT_SECRET}
+
+  frontend:
+    environment:
+      SPA_CONFIG_URLS: \${SPA_CONFIG_URLS},/openmrs/spa/configs/ozone-frontend-config-sso.json
+
+  # SENAITE
+  senaite:
+    environment:
+      OAUTH_CONFIG_FILE: /data/oidc/client.json
+      OAUTH_CONFIG_PATH: /data/oidc
+      KEYCLOAK_URL: \${SERVER_SCHEME}://\${KEYCLOAK_HOSTNAME}
+      SENAITE_CLIENT_UUID: \${SENAITE_CLIENT_UUID}
+      SENAITE_CLIENT_SECRET: \${SENAITE_CLIENT_SECRET}
+  # OpenMRS - SENAITE integration service
+  eip-openmrs-senaite:
+    environment:
+      OAUTH_ACCESS_TOKEN_URL: \${OAUTH_ACCESS_TOKEN_URL}
+      OAUTH_ENABLED: \${OAUTH_ENABLED}
+      OAUTH_CLIENT_ID: \${OAUTH_CLIENT_ID}
+      OAUTH_CLIENT_SECRET: \${OAUTH_CLIENT_SECRET}
+      OAUTH_CLIENT_SCOPE: \${OAUTH_CLIENT_SCOPE}