OZ-573: Add support for SSO with necessary configurations #120

Merged
merged 22 commits into from
Dec 4, 2024
Merged
22 commits
1e49e3c
OZ-573: Add support for SSO with necessary configurations
corneliouzbett Nov 4, 2024
14a99f8
OZ-573: Remove redundant ODOO_PUBLIC_URL + ENABLE_SSO defaults to empty
corneliouzbett Nov 4, 2024
8123ade
OZ-573: Exclude/include SSO + cleanups
corneliouzbett Nov 8, 2024
c0f6d30
OZ-573: SSO support for bundled-docker
corneliouzbett Nov 12, 2024
8b88806
OZ-573: SSO support for eip services
corneliouzbett Nov 13, 2024
3f89b39
OZ-573: More refactoring to util scripts + EIP_CLIENT_SECRET
corneliouzbett Nov 14, 2024
9f70c22
OZ-573: Separate OpenMRS SSO configs + binaries to its own dir
corneliouzbett Nov 14, 2024
acc5ba6
OZ-573: Move docker-compose-bundled-* to root level dir + some tweaks
corneliouzbett Nov 15, 2024
7c3757d
OZ-573: Fix ozone-frontend-config sso path
corneliouzbett Nov 15, 2024
9c3f3b3
OZ-573: SSO support for EIP ERPNext routes
corneliouzbett Nov 19, 2024
10dc86b
OZ-573: Use only docker-compose-files.txt
corneliouzbett Nov 19, 2024
3752209
OZ-573: eip-demo to use OAuth2 authentication when SSO is enabled
corneliouzbett Nov 20, 2024
71e597e
OZ-573: Fix oauth2-authenticate-to-openmrs route id
corneliouzbett Nov 20, 2024
76f24a7
OZ-573: Remove SSO env vars + always mount oauth2login module
corneliouzbett Nov 21, 2024
62949b1
OZ-573: No extra Docker images for SSO feature
corneliouzbett Nov 21, 2024
8cbabc5
OZ-573: Add openmrs tomcat server.xml config to openmrs bundled docke…
corneliouzbett Nov 21, 2024
e09b68c
OZ-573: Fix docker bundled env substitution + merge ENABLE_SSO with O…
corneliouzbett Nov 22, 2024
053e65d
OZ-573: Clear out openmrs distribution modules & configs
corneliouzbett Nov 22, 2024
cefe4f8
OZ-573: Switch to openmrs-core docker image + enable oauth2 at start …
corneliouzbett Nov 28, 2024
fd709f2
OZ-573: Add Keycloak admin service account secret env var
corneliouzbett Dec 2, 2024
b1d550d
OZ-573: Add OpenMRS client UUID env var
corneliouzbett Dec 2, 2024
e67c32c
Simplify display access URLs
corneliouzbett Dec 3, 2024
69 changes: 60 additions & 9 deletions .env
Expand Up @@ -7,10 +7,13 @@
#
# Host
#
SERVER_SCHEME=https
HOST_URL=http://172.17.0.1
SERVER_SCHEME=http
HOST_IP_ADDRESS=
HOST_NAME=${HOST_IP_ADDRESS:-localhost}
HOST_URL=${SERVER_SCHEME}://${HOST_NAME}
TIMEZONE=UTC

GITPOD_ENV=false
ENABLE_SSO=false
#
# OpenMRS
#
Expand All @@ -29,7 +32,7 @@ SPA_CONFIG_URLS=/openmrs/spa/configs/ozone-frontend-config.json
SPA_DEFAULT_LOCALE=en

# OpenMRS frontend and backend Docker image tag
O3_DOCKER_IMAGE_TAG=
O3_DOCKER_IMAGE_TAG=3.1.1

#
# MySQL
Expand Down Expand Up @@ -57,6 +60,8 @@ ODOO_CONFIG_PATH=
ODOO_INITIALIZER_CONFIG_FILE_PATH=
ODOO_DATABASE=odoo

ODOO_SERVER_ENV_CONFIG=

#
# ERPNext
#
Expand All @@ -70,6 +75,21 @@ ERPNEXT_DB_NAME=erpnext
SITE=senaite
SENAITE_ADMIN_USER=admin
SENAITE_ADMIN_PASSWORD=password
SENAITE_DB_NAME=senaite
SENAITE_DB_USER=senaite
SENAITE_DB_PASSWORD=password
SENAITE_DB_HOST=postgresql

#
# Keycloak
#
KEYCLOAK_DB_USER=keycloak
KEYCLOAK_DB_PASSWORD=keycloak
KEYCLOAK_DB=keycloak
KEYCLOAK_DB_SCHEMA=keycloak
KEYCLOAK_USER=admin
KEYCLOAK_PASSWORD=password
KEYCLOAK_INTERNAL_HOST_URL=http://keycloak:8080

#
# Common EIP clients config
Expand Down Expand Up @@ -116,6 +136,7 @@ OPENMRS_PROPERTIES_PATH=
OPENMRS_CORE_PATH=
OPENMRS_MODULES_PATH=
OPENMRS_CONFIG_PATH=
OPENMRS_TOMCAT_CONFIG_PATH=
OPENMRS_PERSON_IMAGES_PATH=
OPENMRS_COMPLEX_OBS_PATH=
SPA_PATH=
Expand All @@ -124,6 +145,7 @@ OPENMRS_OWAS_PATH=
ODOO_CONFIG_PATH=
ODOO_EXTRA_ADDONS=
SENAITE_CONFIG_PATH=
KEYCLOAK_CONFIG_PATH=
OPENMRS_FRONTEND_BINARY_PATH=
OPENMRS_FRONTEND_CONFIG_PATH=
EIP_OPENMRS_SENAITE_CONFIG_PATH=
Expand All @@ -147,11 +169,40 @@ ODOO_CONFIG_CHECKSUMS_PATH=
#
# Public Hostnames
#
O3_HOSTNAME=emr-172-17-0-1.traefik.me
ODOO_HOSTNAME=erp-172-17-0-1.traefik.me
SENAITE_HOSTNAME=lims-172-17-0-1.traefik.me
ERPNEXT_HOSTNAME=erpnext-172-17-0-1.traefik.me
FHIR_ODOO_HOSTNAME=fhir-erp-172-17-0-1.traefik.me
O3_HOSTNAME=${HOST_NAME}
ODOO_HOSTNAME=${HOST_NAME}:8069
SENAITE_HOSTNAME=${HOST_NAME}:8081
ERPNEXT_HOSTNAME=${HOST_NAME}:8082
SUPERSET_HOSTNAME=${HOST_NAME}:8088
FHIR_ODOO_HOSTNAME=${HOST_NAME}:8083
KEYCLOAK_HOSTNAME=${HOST_NAME}:8084

#
# Sample SSO Client Secrets used in the demo script
#
SUPERSET_CLIENT_UUID=891b980a-9edb-4c72-a63d-1f8e488d6ad4
SUPERSET_CLIENT_SECRET=znZK8dvk7hLOpwfU

SENAITE_CLIENT_UUID=3b8672bf-b239-46e5-b0b6-8ba71a4bf5ac
SENAITE_CLIENT_SECRET=Vdi1xIgJiUcrF4dx

OPENMRS_CLIENT_UUID=14b6083d-2d3c-4fb1-a75d-0f5af17be198
OPENMRS_CLIENT_SECRET=AYmNV4AEHA0Tlxwa

ODOO_CLIENT_UUID=70a0e2fd-2bb2-4417-9fc6-22cdca1bb5be
ODOO_CLIENT_SECRET=z3epa8rE66tUIZz6

KEYCLOAK_ADMIN_SA_CLIENT_SECRET=5HuMNB6gwHd0fY2L
EIP_CLIENT_SECRET=h9PQzv6zWnVl1yxnhdfZulnW7FPqPlci

#
# EIP OAuth2
#
OAUTH_ENABLED=${ENABLE_SSO}
OAUTH_CLIENT_ID=eip
OAUTH_CLIENT_SECRET=${EIP_CLIENT_SECRET}
OAUTH_CLIENT_SCOPE=openid
OAUTH_ACCESS_TOKEN_URL=http://keycloak:8080/realms/ozone/protocol/openid-connect/token

#
# Backup
Expand Down
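Review bot: The Keycloak admin password (`KEYCLOAK_PASSWORD=password`) and every client secret added under "Sample SSO Client Secrets" are fixed values committed to git, yet nothing restricts them to the demo: `OAUTH_CLIENT_SECRET=${EIP_CLIENT_SECRET}` feeds the EIP services and the bundled compose template reads the same `*_CLIENT_SECRET` and `KEYCLOAK_ADMIN_SA_CLIENT_SECRET` variables, so a deployment that flips `ENABLE_SSO=true` without overriding them runs a realm whose credentials are public. With the default `SERVER_SCHEME` now changed from `https` to `http`, the out-of-the-box SSO setup also carries those secrets and bearer tokens in clear text between browser and proxy. I would leave the secret values empty in `.env` and state the requirement above the block, e.g. `# DEMO ONLY: these client secrets and KEYCLOAK_PASSWORD are public in git. Generate fresh values (openssl rand -base64 24) for any non-local deployment and keep SERVER_SCHEME=https there.` The same caveat applies to `SENAITE_DB_PASSWORD=password` and `KEYCLOAK_DB_PASSWORD=keycloak`.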
2 changes: 2 additions & 0 deletions bundled-docker/frontend/Dockerfile
@@ -1,6 +1,8 @@
FROM openmrs/openmrs-reference-application-3-frontend:nightly

ADD distro/binaries/openmrs/frontend /usr/share/nginx/html
ADD distro/configs/openmrs/frontend_config /usr/share/nginx/html/configs

RUN mkdir -p /app
WORKDIR /app
COPY bundled-docker/frontend/startup.sh /app
Expand Down
2 changes: 1 addition & 1 deletion bundled-docker/frontend/startup.sh
Expand Up @@ -3,6 +3,6 @@ set -e

for f in /usr/share/nginx/html/configs/*.json; do
echo "processing===> $f";
envsubst < $f | sponge $f;
envsubst < "$f" | sponge "$f";
done
/usr/local/bin/startup.sh
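Review bot: `envsubst < "$f" | sponge "$f";` runs with no variable list, so it expands every `$NAME`/`${NAME}` found in the JSON from the container's entire environment, and the result is served publicly by nginx from `/usr/share/nginx/html/configs`; a config template that happens to reference a secret-bearing variable would publish it. Passing the permitted names explicitly, e.g. `envsubst '$HOST_URL $KEYCLOAK_HOSTNAME' < "$f" | sponge "$f"`, bounds what can be interpolated (the exact list should be whatever `ozone-frontend-config*.json` legitimately use, which is not visible in this diff). Separately, under `set -e` a directory with no `*.json` makes the loop run once on the literal glob and `envsubst` fail on a missing file; a `[ -e "$f" ] || continue` guard as the first loop statement avoids that.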
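--- a/bundled-docker/keycloak/Dockerfile
+++ b/bundled-docker/keycloak/Dockerfile
@@ -0,0 +1,3 @@
+FROM docker.io/bitnami/keycloak:22.0.5
+ADD configs/keycloak/realms /keycloak-files/realm-config
+ADD configs/keycloak/themes/carbon /opt/bitnami/keycloak/themes/carbon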
11 changes: 8 additions & 3 deletions bundled-docker/openmrs/Dockerfile
@@ -1,3 +1,8 @@
FROM openmrs/openmrs-reference-application-3-backend:nightly
ADD binaries/openmrs/modules /openmrs/distribution/openmrs_modules
ADD configs/openmrs/initializer_config /openmrs/distribution/openmrs_config
FROM openmrs/openmrs-core:2.6.7

# Add modules & configurations for the ozone distribution
ADD distro/binaries/openmrs/modules /openmrs/distribution/openmrs_modules
ADD distro/configs/openmrs/initializer_config /openmrs/distribution/openmrs_config
ADD distro/configs/openmrs/properties/fhirproxy.properties /openmrs/data/fhirproxy/config.properties
ADD distro/configs/openmrs/properties/oauth2.properties /openmrs/data/oauth2.properties
ADD bundled-docker/openmrs/tomcat/server.xml /usr/local/tomcat/conf/server.xml
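Review bot: `ADD bundled-docker/openmrs/tomcat/server.xml /usr/local/tomcat/conf/server.xml` replaces the entire Tomcat configuration shipped by the new `openmrs/openmrs-core:2.6.7` base image, so every connector or valve setting of the base (and any hardening a later tag adds) is silently dropped in favour of a project copy whose contents are not in this diff. A comment above that line would help whoever bumps the base image next, e.g. `# Full override of the base image's server.xml (added with the SSO/reverse-proxy setup); re-diff it against the base image's copy on every openmrs-core bump.` — the reason is inferred from the commit message, so adjust the wording if it is something else. The `fhirproxy.properties` and `oauth2.properties` files are likewise baked into the image layer; if they hold anything beyond runtime-resolved placeholders they belong in a mounted volume, not in the image. `COPY` is the conventional instruction for plain local files; `ADD` is only needed for URLs or auto-extracted archives.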
10 changes: 9 additions & 1 deletion bundled-docker/pom.xml
Expand Up @@ -76,7 +76,15 @@
<include>postgresql/**</include>
<include>proxy/**</include>
<include>senaite/**</include>
<include>keycloak/**</include>
</includes>
</resource>
<resource>
<directory>../</directory>
<includes>
<include>docker-compose-bundled.yml.template</include>
<include>docker-compose-bundled-sso.yml.template</include>
<include>openmrs/**</include>
</includes>
</resource>
</resources>
Expand Down Expand Up @@ -105,4 +113,4 @@
</snapshotRepository>
</distributionManagement>

</project>
</project>
5 changes: 4 additions & 1 deletion bundled-docker/postgresql/Dockerfile
@@ -1,3 +1,6 @@
FROM postgres:13

ADD data/postgresql/create_db.sh /docker-entrypoint-initdb.d/create_db.sh
ADD data/postgresql/odoo /docker-entrypoint-initdb.d/db/odoo
ADD data/postgresql/odoo /docker-entrypoint-initdb.d/db/odoo
ADD data/postgresql/senaite /docker-entrypoint-initdb.d/db/senaite
ADD data/postgresql/keycloak /docker-entrypoint-initdb.d/db/keycloak
11 changes: 11 additions & 0 deletions bundled-docker/proxy/default.conf.template
Expand Up @@ -151,3 +151,14 @@ server {
proxy_pass http://$senaite;
}
}

server {
listen 8084;
location / {
proxy_set_header Host $http_host;
proxy_set_header X-Forward-Proto http;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
set $keycloak keycloak:8080;
proxy_pass http://$keycloak;
}
}
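Review bot: The new `listen 8084` server sets `X-Forward-Proto`, which is not the header Keycloak reads; with a proxy mode configured Keycloak honours `X-Forwarded-Proto`, so it currently sees no forwarded scheme and falls back to the plain-HTTP connection. That happens to match the default `SERVER_SCHEME=http`, which masks the typo until TLS is put in front of this listener (if the other server blocks in this file carry the same spelling, fix them together). The block also forwards everything under `/`, which includes the admin console and — because the compose template sets `KC_METRICS_ENABLED` — an unauthenticated `/metrics`; at minimum `/metrics` should be kept off the public listener, and restricting `/admin` to an allow-list is worth considering. Proposed change below; the header value `$scheme` is `http` on this listener, same as today, but stops being wrong if TLS is later terminated here.
```nginx
server {
    listen 8084;
    # /metrics is enabled via KC_METRICS_ENABLED in the compose template; keep it off the public listener
    location /metrics {
        return 404;
    }
    location / {
        proxy_set_header X-Forwarded-Proto $scheme;
        # … unchanged: Host / X-Forwarded-For headers and proxy_pass to keycloak:8080 …
    }
}
```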
5 changes: 3 additions & 2 deletions bundled-docker/senaite/Dockerfile
@@ -1,2 +1,3 @@
FROM mekomsolutions/senaite
ADD configs/senaite/initializer_config /data/importdata/senaite
FROM mekomsolutions/senaite-ozonepro
ADD configs/senaite/initializer_config /data/importdata/senaite
ADD configs/senaite/oidc /data/oidc
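Review bot: `FROM mekomsolutions/senaite-ozonepro` carries no tag, so every build resolves a mutable `latest` of a base image that now also provides the OIDC login path; pin it the way the other images in this PR are pinned (`bitnami/keycloak:22.0.5`, `openmrs-core:2.6.7`), e.g. `FROM mekomsolutions/senaite-ozonepro:<version>`. The `ADD configs/senaite/oidc /data/oidc` line bakes the OIDC client configuration into the image layer; if `client.json` contains the real client secret rather than a placeholder that the compose environment fills in at runtime, it should be mounted instead. I cannot tell which from this diff, so a comment on that line stating what `client.json` holds would settle it.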
8 changes: 8 additions & 0 deletions demo/docker-compose-sso.yml
@@ -0,0 +1,8 @@
services:
eip-demo:
environment:
OAUTH_ENABLED: ${OAUTH_ENABLED}
OAUTH_ACCESS_TOKEN_URL: ${OAUTH_ACCESS_TOKEN_URL}
OAUTH_CLIENT_ID: ${OAUTH_CLIENT_ID}
OAUTH_CLIENT_SECRET: ${OAUTH_CLIENT_SECRET}
OAUTH_CLIENT_SCOPE: ${OAUTH_CLIENT_SCOPE}
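Review bot: `OAUTH_ENABLED: ${OAUTH_ENABLED}` has no Compose default, so when the variable is unset Compose substitutes an empty string rather than leaving the container variable undefined; the `${OAUTH_ENABLED:false}` default in `demo/eip/config/application.properties` only applies to an absent variable, so `oauth.enabled` would become empty and the demo route's `<simple>{{oauth.enabled}}</simple>` choice then depends on boolean conversion of `""` instead of the documented default. Writing `OAUTH_ENABLED: ${OAUTH_ENABLED:-false}` here (and `OAUTH_CLIENT_SCOPE: ${OAUTH_CLIENT_SCOPE:-openid}`) keeps the properties-file defaults meaningful. Quoting the values (`"${OAUTH_ENABLED:-false}"`) also guards against YAML retyping a bare `true`/`false`.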
16 changes: 16 additions & 0 deletions demo/eip/config/application.properties
Expand Up @@ -10,3 +10,19 @@ openmrs.baseUrl=${OPENMRS_URL}
# Number of demo patients used to generate demo data, defaults to 0
number.of.demo.patients=${NUMBER_OF_DEMO_PATIENTS}
# ----------------------------------------------------------------------------------------------------------------------

# *********************** OAuth2 Configuration *************************************************************************
# Enable OAuth2 authentication, defaults to false.
oauth.enabled=${OAUTH_ENABLED:false}
# The client ID of the account, defaults to empty.
oauth.access.token.url=${OAUTH_ACCESS_TOKEN_URL:}

# The client ID of the account to use to authenticate, defaults to empty.
oauth.client.id=${OAUTH_CLIENT_ID:}

# The client secret of the account to use to authenticate, defaults to empty.
oauth.client.secret=${OAUTH_CLIENT_SECRET:}

# Authentication scope, can be multiple values separated by commas, defaults to empty.
oauth.client.scope=${OAUTH_CLIENT_SCOPE:}
# ----------------------------------------------------------------------------------------------------------------------
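Review bot: The comment above `oauth.access.token.url` reads "The client ID of the account, defaults to empty.", a copy of the `oauth.client.id` comment below it; it should describe the token endpoint, e.g. `# URL of the OAuth2 token endpoint used to obtain access tokens, defaults to empty.` Since `oauth.client.secret` is a credential, a short note that the value is expected to come from the environment and must not be committed in this file would also be worth adding, e.g. `# Supplied via OAUTH_CLIENT_SECRET; never hard-code a value here.` Note that a `${VAR:default}` only applies when the variable is absent, not when it is set to an empty string, which is what Compose produces for an unset `${OAUTH_ENABLED}`.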
10 changes: 9 additions & 1 deletion demo/eip/routes/generate-demo-data-route.xml
Expand Up @@ -5,7 +5,15 @@

<log message="Scheduled demo data generation." />

<to uri="direct:authenticate-to-openmrs"/>
<choice>
<when>
<simple>{{oauth.enabled}}</simple>
<to uri="direct:oauth2-authenticate-to-openmrs"/>
</when>
<otherwise>
<to uri="direct:authenticate-to-openmrs"/>
</otherwise>
</choice>

<setProperty name="number-of-demo-patients">
<simple>${properties:number.of.demo.patients:50}</simple>
Expand Down
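--- a/demo/eip/routes/oauth2-authenticate-to-openmrs-route.xml
+++ b/demo/eip/routes/oauth2-authenticate-to-openmrs-route.xml
@@ -0,0 +1,21 @@
+<routes
+xmlns="http://camel.apache.org/schema/spring" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://camel.apache.org/schema/spring ">
+<route id="oauth2-authenticate-to-openmrs">
+<from uri="direct:oauth2-authenticate-to-openmrs"/>
+<log message="Authenticating application to OpenMRS"/>
+<setHeader name="oauth2.url">
+<simple>{{oauth.access.token.url}}</simple>
+</setHeader>
+<setHeader name="oauth2.client.id">
+<simple>{{oauth.client.id}}</simple>
+</setHeader>
+<setHeader name="oauth2.client.secret">
+<simple>{{oauth.client.secret}}</simple>
+</setHeader>
+<setHeader name="oauth2.client.scope">
+<simple>{{oauth.client.scope}}</simple>
+</setHeader>
+<process ref="eip.oauthProcessor"/>
+</route>
+</routes>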
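Review bot: The client secret is copied into a message header (`<setHeader name="oauth2.client.secret">`), and Camel headers travel with the exchange — onto outbound HTTP requests made by later routes and into any log or trace that dumps headers — so unless `eip.oauthProcessor` removes it, the secret can leave the process together with the OpenMRS request that follows; I cannot see the processor, so this is worth confirming. Adding `<removeHeaders pattern="oauth2.*"/>` directly after `<process ref="eip.oauthProcessor"/>` (or having the processor resolve the `oauth.*` properties itself instead of reading headers) closes that path. As a style point, `xsi:schemaLocation="http://camel.apache.org/schema/spring "` lists the namespace without its schema URL, so the declaration validates nothing; either complete it with `http://camel.apache.org/schema/spring/camel-spring.xsd` or drop it.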
115 changes: 115 additions & 0 deletions docker-compose-bundled-sso.yml.template
@@ -0,0 +1,115 @@
services:
keycloak:
image: ${dockerUserName}/${sanitizedArtifactId}-keycloak:${dockertag}
restart: unless-stopped
environment:
KC_HOSTNAME_URL: \${SERVER_SCHEME}://\${KEYCLOAK_HOSTNAME}
PROXY_ADDRESS_FORWARDING: "true"
KC_HTTP_ENABLED: 'true'
KC_HOSTNAME_STRICT_BACKCHANNEL: "true"
KC_PROXY: reencrypt
KC_HEALTH_ENABLED: 'true'
KC_METRICS_ENABLED: 'true'
KEYCLOAK_DATABASE_VENDOR: postgresql
KEYCLOAK_DATABASE_HOST: postgresql
KEYCLOAK_DATABASE_PORT_NUMBER: 5432
KEYCLOAK_DATABASE_NAME: \${KEYCLOAK_DB}
KEYCLOAK_DATABASE_USER: \${KEYCLOAK_DB_USER}
KEYCLOAK_DATABASE_PASSWORD: \${KEYCLOAK_DB_PASSWORD}
KEYCLOAK_DATABASE_SCHEMA: \${KEYCLOAK_DB_SCHEMA}
KEYCLOAK_CREATE_ADMIN_USER: "true"
KEYCLOAK_ADMIN_USER: \${KEYCLOAK_USER}
KEYCLOAK_ADMIN_PASSWORD: \${KEYCLOAK_PASSWORD}
HOST_URL: \${SERVER_SCHEME}://\${O3_HOSTNAME}
KEYCLOAK_AUTH_SERVER_URL: \${SERVER_SCHEME}://\${KEYCLOAK_HOSTNAME}
ODOO_PUBLIC_URL: \${SERVER_SCHEME}://\${ODOO_HOSTNAME}
OPENMRS_PUBLIC_URL: \${SERVER_SCHEME}://\${O3_HOSTNAME}
SENAITE_PUBLIC_URL: \${SERVER_SCHEME}://\${SENAITE_HOSTNAME}
SUPERSET_PUBLIC_URL: \${SERVER_SCHEME}://\${SUPERSET_HOSTNAME}
ODOO_CLIENT_SECRET: \${ODOO_CLIENT_SECRET}
ODOO_CLIENT_UUID: \${ODOO_CLIENT_UUID}
OPENMRS_CLIENT_SECRET: \${OPENMRS_CLIENT_SECRET}
OPENMRS_CLIENT_UUID: \${OPENMRS_CLIENT_UUID}
SENAITE_CLIENT_SECRET: \${SENAITE_CLIENT_SECRET}
SENAITE_CLIENT_UUID: \${SENAITE_CLIENT_UUID}
SUPERSET_CLIENT_SECRET: \${SUPERSET_CLIENT_SECRET}
SUPERSET_CLIENT_UUID: \${SUPERSET_CLIENT_UUID}
KEYCLOAK_ADMIN_SA_CLIENT_SECRET: \${KEYCLOAK_ADMIN_SA_CLIENT_SECRET}
EIP_CLIENT_SECRET: \${EIP_CLIENT_SECRET}
KEYCLOAK_EXTRA_ARGS_PREPENDED: "--spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true"
KEYCLOAK_EXTRA_ARGS: "
-Dkeycloak.profile.feature.scripts=enabled
-Dkeycloak.migration.replace-placeholders=true
-Dkeycloak.migration.action=import
-Dkeycloak.migration.provider=dir
-Dkeycloak.migration.dir=/keycloak-files/realm-config
-Dkeycloak.migration.strategy=OVERWRITE_EXISTING"

healthcheck:
test: ["CMD", "curl", "-f", "http://0.0.0.0:8080/health/ready"]
interval: 15s
timeout: 3s
retries: 5
start_period: 30s

depends_on:
postgresql:
condition: service_started
networks:
ozone:
web:
labels:
traefik.enable: "true"
traefik.http.routers.keycloak.rule: "Host(`\${KEYCLOAK_HOSTNAME}`)"
traefik.http.routers.keycloak.entrypoints: "websecure"
traefik.http.services.keycloak.loadbalancer.server.port: 8080

postgresql:
environment:
KEYCLOAK_DB: \${KEYCLOAK_DB}
KEYCLOAK_DB_SCHEMA: \${KEYCLOAK_DB_SCHEMA}
KEYCLOAK_DB_USER: \${KEYCLOAK_DB_USER}
KEYCLOAK_DB_PASSWORD: \${KEYCLOAK_DB_PASSWORD}
# Odoo
odoo:
environment:
- KEYCLOAK_URL=\${SERVER_SCHEME}://\${KEYCLOAK_HOSTNAME}
- ODOO_CLIENT_UUID=\${ODOO_CLIENT_UUID}
- ODOO_CLIENT_SECRET=\${ODOO_CLIENT_SECRET}
- ADDONS=sale_management,stock,account_account,purchase,mrp,mrp_product_expiry,product_expiry,l10n_generic_coa,odoo_initializer,ozone_settings,server_environment,auth_oidc_environment,auth_oidc
# EIP Odoo OpenMRS Integration Service
eip-odoo-openmrs:
environment:
OAUTH_ACCESS_TOKEN_URL: \${OAUTH_ACCESS_TOKEN_URL}
OAUTH_ENABLED: \${OAUTH_ENABLED}
OAUTH_CLIENT_ID: \${OAUTH_CLIENT_ID}
OAUTH_CLIENT_SECRET: \${OAUTH_CLIENT_SECRET}
OAUTH_CLIENT_SCOPE: \${OAUTH_CLIENT_SCOPE}

# OpenMRS Backend
openmrs:
environment:
KEYCLOAK_URL: \${SERVER_SCHEME}://\${KEYCLOAK_HOSTNAME}
OPENMRS_CLIENT_UUID: \${OPENMRS_CLIENT_UUID}
OPENMRS_CLIENT_SECRET: \${OPENMRS_CLIENT_SECRET}

frontend:
environment:
SPA_CONFIG_URLS: \${SPA_CONFIG_URLS},/openmrs/spa/configs/ozone-frontend-config-sso.json

# SENAITE
senaite:
environment:
OAUTH_CONFIG_FILE: /data/oidc/client.json
OAUTH_CONFIG_PATH: /data/oidc
KEYCLOAK_URL: \${SERVER_SCHEME}://\${KEYCLOAK_HOSTNAME}
SENAITE_CLIENT_UUID: \${SENAITE_CLIENT_UUID}
SENAITE_CLIENT_SECRET: \${SENAITE_CLIENT_SECRET}
# OpenMRS - SENAITE integration service
eip-openmrs-senaite:
environment:
OAUTH_ACCESS_TOKEN_URL: \${OAUTH_ACCESS_TOKEN_URL}
OAUTH_ENABLED: \${OAUTH_ENABLED}
OAUTH_CLIENT_ID: \${OAUTH_CLIENT_ID}
OAUTH_CLIENT_SECRET: \${OAUTH_CLIENT_SECRET}
OAUTH_CLIENT_SCOPE: \${OAUTH_CLIENT_SCOPE}
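Review bot: Three Keycloak switches in the `keycloak` service weaken defaults with no comment explaining why: `--spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true` re-enables the pre-Keycloak-18 logout that accepts a bare `redirect_uri` without `id_token_hint`, `-Dkeycloak.profile.feature.scripts=enabled` turns on the deprecated server-side script feature, and `KC_METRICS_ENABLED: 'true'` publishes `/metrics` on the same port the `Host(...)` Traefik router exposes for `/`. Each should either be dropped or carry a one-line justification, e.g. `# legacy logout: <client> cannot send id_token_hint yet — remove once it does`. `KC_PROXY: reencrypt` also declares TLS between proxy and Keycloak, while Traefik and nginx here reach `keycloak:8080` over plain HTTP (`KC_HTTP_ENABLED: 'true'` is what makes that work); `edge` is the mode that matches this topology if TLS terminates at the proxy — confirm the intent. Finally, `keycloak.migration.strategy=OVERWRITE_EXISTING` re-imports the realm on every container start, so any client secret rotated in the admin console is reverted to the `.env` value on the next restart; that is fine for a demo but should be documented next to the arg.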