From 20459f116bebb739cfc97276039d5481e0fad26f Mon Sep 17 00:00:00 2001
From: daniwe4
Date: Thu, 5 Dec 2024 08:12:32 +0100
Subject: [PATCH] master keycloak: esure instances work with https
---
 README.md | 3 +
 app/src/App.php | 2 +-
 app/src/Commands/Instances/CreateCommand.php | 9 ++-
 app/src/Commands/Pack/PackCreateCommand.php | 7 ++-
 .../Commands/Instances/CreateCommandTest.php | 6 +-
 setup/conf/doil.conf | 3 +-
 .../keycloak/conf/keycloak-startup.conf | 2 +-
 setup/templates/proxy/conf/nginx/local.conf | 7 +-
 setup/updates/update-20241205.sh | 58 +++++++++++++++++++
 9 files changed, 84 insertions(+), 13 deletions(-)
 create mode 100644 setup/updates/update-20241205.sh
diff --git a/README.md b/README.md
index 95964f91..f0aaa7fb 100644
--- a/README.md
+++ b/README.md
@@ -349,6 +349,9 @@ The state also sets up a cron job that regularly renews the certificates. After that please ensure to run `doil apply enable-https` on each doil ILIAS instance, so https take effect in ILIAS.
+It is also important to set the value 'http_proxy' in setup/conf/doil.conf to true before each update.
+This ensures that newly created instances are always created with https.
+
 ### Mail Server
 The mailserver is available at `http://doil/mails` with following
diff --git a/app/src/App.php b/app/src/App.php
index 5022b887..d88eb6c1 100644
--- a/app/src/App.php
+++ b/app/src/App.php
@@ -9,7 +9,7 @@ class App extends Application
 {
- const NAME = "Doil Version 20241113 - build 2024-11-13";
+ const NAME = "Doil Version 20241205 - build 2024-12-05";
 public function __construct(Command ...$commands)
 {
diff --git a/app/src/Commands/Instances/CreateCommand.php b/app/src/Commands/Instances/CreateCommand.php
index c65ded68..e48db651 100644
--- a/app/src/Commands/Instances/CreateCommand.php
+++ b/app/src/Commands/Instances/CreateCommand.php
@@ -105,7 +105,12 @@ public function execute(InputInterface $input, OutputInterface $output) : int
 {
 $options = $this->gatherOptionData($input, $output);
- $host = explode("=", $this->filesystem->getLineInFile("/etc/doil/doil.conf", "host"))[1];
+ $host = explode("=", $this->filesystem->getLineInFile("/etc/doil/doil.conf", "host="))[1];
+ $https_proxy = explode("=", $this->filesystem->getLineInFile("/etc/doil/doil.conf", "https_proxy="))[1];
+ $http_scheme = "http://";
+ if ($https_proxy) {
+ $http_scheme .= "https://";
+ }
 $instance_path = $options["target"] . "/" . $options["name"];
 $suffix = $options["global"] ? "global" : "local";
 $instance_name = $options["name"] . "_" . $suffix;
@@ -319,7 +324,7 @@ public function execute(InputInterface $input, OutputInterface $output) : int
 sleep(1);
 $this->docker->setGrain($instance_salt_name, "cpass", "$cron_password");
 sleep(1);
- $this->docker->setGrain($instance_salt_name, "doil_domain", "http://" . $host . "/" . $options["name"]);
+ $this->docker->setGrain($instance_salt_name, "doil_domain", $http_scheme . $host . "/" . $options["name"]);
 sleep(1);
 $this->docker->setGrain($instance_salt_name, "doil_project_name", $options["name"]);
 sleep(1);
diff --git a/app/src/Commands/Pack/PackCreateCommand.php b/app/src/Commands/Pack/PackCreateCommand.php
index e5990a90..06f009d6 100644
--- a/app/src/Commands/Pack/PackCreateCommand.php
+++ b/app/src/Commands/Pack/PackCreateCommand.php
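Review bot: The scheme selection in the first hunk is wrong on two counts: `$http_scheme .= "https://"` appends to the already-assigned `"http://"`, so the `doil_domain` grain written in the second hunk becomes `http://https://<host>/<name>`, and `$https_proxy` is the raw substring after `=` (for `https_proxy=false` that is the string `"false"`), which is truthy in PHP, so the https branch is taken whatever doil.conf says. Replace the `$https_proxy` line and the `$http_scheme` assignment plus its `if` with `$https_proxy = trim(explode("=", $this->filesystem->getLineInFile("/etc/doil/doil.conf", "https_proxy="))[1] ?? "");` and `$http_scheme = filter_var($https_proxy, FILTER_VALIDATE_BOOLEAN) ? "https://" : "http://";`; the `trim()` also covers a trailing newline should getLineInFile return the raw line, which the hunk does not show. PackCreateCommand reads the same key in this commit and should use the identical construction so both commands interpret the flag the same way. execute() begins before and ends after both hunks.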
@@ -107,6 +107,11 @@ public function execute(InputInterface $input, OutputInterface $output) : int
 $options = $this->gatherOptionData($input, $output);
 $host = explode("=", $this->filesystem->getLineInFile("/etc/doil/doil.conf", "host"))[1];
+ $https_proxy = explode("=", $this->filesystem->getLineInFile("/etc/doil/doil.conf", "https_proxy="))[1];
+ $http_scheme = "http://";
+ if ($https_proxy) {
+ $http_scheme .= "https://";
+ }
 $instance_path = $options["target"] . "/" . $options["name"];
 $suffix = $options["global"] ? "global" : "local";
 $instance_name = $options["name"] . "_" . $suffix;
@@ -317,7 +322,7 @@ public function execute(InputInterface $input, OutputInterface $output) : int
 sleep(1);
 $this->docker->setGrain($instance_salt_name, "cpass", "${cron_password}");
 sleep(1);
- $doil_domain = "http://" . $host . "/" . $options["name"];
+ $doil_domain = $http_scheme . $host . "/" . $options["name"];
 $this->docker->setGrain($instance_salt_name, "doil_domain", "${doil_domain}");
 sleep(1);
 $this->docker->setGrain($instance_salt_name, "doil_project_name", "${options['name']}");
diff --git a/app/tests/Commands/Instances/CreateCommandTest.php b/app/tests/Commands/Instances/CreateCommandTest.php
index 36f99e1d..cbd16d20 100644
--- a/app/tests/Commands/Instances/CreateCommandTest.php
+++ b/app/tests/Commands/Instances/CreateCommandTest.php
@@ -335,10 +335,10 @@ public function test_execute() : void
 ->willReturn(false, true, false, true)
 ;
 $filesystem
- ->expects($this->once())
+ ->expects($this->exactly(2))
 ->method("getLineInFile")
- ->with("/etc/doil/doil.conf", "host")
- ->willReturnOnConsecutiveCalls("foo=doil", "7.8")
+ ->withConsecutive(["/etc/doil/doil.conf", "host="], ["/etc/doil/doil.conf", "https_proxy="])
+ ->willReturnOnConsecutiveCalls("foo=doil", "foo=false")
 ;
 $filesystem
 ->expects($this->once())
diff --git a/setup/conf/doil.conf b/setup/conf/doil.conf
index 116486d4..89bfa48a 100755
--- a/setup/conf/doil.conf
+++ b/setup/conf/doil.conf
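Review bot: The added scheme logic in the first PackCreateCommand hunk has the same defect as CreateCommand: `$http_scheme .= "https://"` produces `http://https://`, and the truthiness test on the string after `=` treats `https_proxy=false` as enabled, so the `$doil_domain` assembled in the later hunk is never a usable URL. Replace the `$http_scheme` assignment and the `if` block with `$http_scheme = filter_var(trim($https_proxy), FILTER_VALIDATE_BOOLEAN) ? "https://" : "http://";`. The `host` lookup on the context line above still uses the needle `"host"` while CreateCommand was changed to `"host="` in this commit; if getLineInFile matches substrings, that needle can also hit `keycloak_hostname=` in doil.conf, so it should be aligned here as well. execute() starts and ends outside the hunk.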
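Review bot: The mocked `"foo=false"` return for the `https_proxy=` lookup is never checked against the grain the command derives from it, so this test still passes while the code under test turns that value into `http://https://…` (a non-empty string is truthy and `.=` appends); add an expectation on the `setGrain` call for `doil_domain` such as `->with($this->anything(), "doil_domain", "http://doil/" . $name)` using the instance name the test already passes, and a second case returning `"foo=true"` that expects the https form. `withConsecutive()` is deprecated in PHPUnit 10 and removed in 11; if the project is on one of those, a `willReturnCallback` that switches on the needle argument is the replacement. test_execute() begins before and ends after the hunk.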
@@ -1,5 +1,6 @@
 group=doil
 host=doil
+https_proxy=false
 mail_password=ilias
 global_instances_path=/srv/instances
 enable_keycloak=false
@@ -7,4 +8,4 @@ keycloak_hostname=http://doil/keycloak
 keycloak_new_admin_password=admin
 keycloak_old_admin_password=admin
 keycloak_db_username=admin
-keycloak_db_password=admin
\ No newline at end of file
+keycloak_db_password=admin
diff --git a/setup/templates/keycloak/conf/keycloak-startup.conf b/setup/templates/keycloak/conf/keycloak-startup.conf
index 6c4b1d13..3f1c3bbb 100755
--- a/setup/templates/keycloak/conf/keycloak-startup.conf
+++ b/setup/templates/keycloak/conf/keycloak-startup.conf
@@ -1,5 +1,5 @@
 [program:keycloak]
-command=./opt/keycloak/bin/kc.sh start --hostname %TPL_SERVER_HOSTNAME% --http-enabled true
+command=./opt/keycloak/bin/kc.sh start --hostname %TPL_SERVER_HOSTNAME% --proxy-headers xforwarded --http-enabled true
 autostart=true
 autorestart=false
 user=keycloak
diff --git a/setup/templates/proxy/conf/nginx/local.conf b/setup/templates/proxy/conf/nginx/local.conf
index 62e92b2b..3ac0a47b 100755
--- a/setup/templates/proxy/conf/nginx/local.conf
+++ b/setup/templates/proxy/conf/nginx/local.conf
@@ -51,11 +51,10 @@ server {
 location /keycloak/ {
 proxy_pass http://172.24.0.250:8080/;
- proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_pass_request_headers on;
- proxy_set_header X-Forwarded-Proto http;
 rewrite ^/keycloak/(.*) /$1 break;
 }
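Review bot: The key added here is `https_proxy`, but the README paragraph in this same commit tells operators to set `http_proxy`, so anyone following the documentation leaves the flag at its default; the README sentence should name `https_proxy`. The value is consumed by the PHP create commands as the raw text after `=`, so only `true`/`false` should be documented as valid. `keycloak_hostname` stays `http://doil/keycloak` in the second hunk while the nginx template now tells Keycloak every request is https; whether that value must be changed together with `https_proxy=true` is presumably the case and worth stating next to the new key.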
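Review bot: With `--proxy-headers xforwarded` Keycloak takes scheme, host and client address from the `X-Forwarded-*` headers of every request reaching port 8080, so any client that can connect to 172.24.0.250:8080 without passing through nginx can supply its own values; nothing in this commit shows that port being restricted to the proxy. Make sure 8080 is not published and is reachable only from the proxy container's network, and if the Keycloak release in use supports it, pin the trusted proxy on the same command line with `--proxy-trusted-addresses <proxy address or subnet>`. The assumption deserves a line in the template, e.g. `; X-Forwarded-* headers are trusted unconditionally: 8080 must only be reachable from the nginx proxy`.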
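Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` forwards whatever `X-Forwarded-For` the client sent with `$remote_addr` appended, and in `xforwarded` mode Keycloak derives the client address from that header (which entry it picks depends on the Keycloak version), so a caller can present an arbitrary IP to Keycloak's logging and brute-force detection; the removed line's `$remote_addr` was the safer value unless nginx itself sits behind another trusted proxy, so prefer `proxy_set_header X-Forwarded-For $remote_addr;`. `X-Forwarded-Proto https` is hard-coded while this server block's `listen` directive is outside the hunk; if the block also answers plain http (doil.conf defaults `https_proxy=false`), Keycloak will issue https redirect URIs and Secure cookies to http clients, whereas `proxy_set_header X-Forwarded-Proto $scheme;` reflects the actual connection. Dropping `proxy_set_header Host $host;` leaves the upstream Host as the literal `172.24.0.250:8080`, which is acceptable only because `X-Forwarded-Host` now carries the external name; a one-line comment saying so would stop the next reader from re-adding it.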
@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+
+source ${SCRIPT_DIR}/updates/update.sh
+
+doil_update_20241205() {
+
+cat < /dev/null
+ sleep 5
+ docker exec -it ${INSTANCE} /bin/bash -c "sed -i 's%${NEEDLE}%${REPLACE}%g' /var/ilias/data/ilias-config.json" &> /dev/null
+ docker exec -it ${INSTANCE} /bin/bash -c "cd /var/www/html && php setup/setup.php update -y /var/ilias/data/ilias-config.json" &> /dev/null
+ NAME=$(echo "${INSTANCE}" | cut -d "_" -f 1)
+ SUFFIX=$(echo "${INSTANCE}" | cut -d "_" -f 2)
+ GLOBAL_PARAM="-g"
+ if [ "${SUFFIX}" == "local" ]
+ then
+ GLOBAL_PARAM=""
+ fi
+ doil apply "${NAME}" "${GLOBAL_PARAM}" enable_https
+ docker exec -it ${INSTANCE} /bin/bash -c "salt-call grains.set doil_domain ${REPLACE}/${NAME}"
+ docker commit ${INSTANCE} doil/${INSTANCE}:stable &> /dev/null
+ docker stop ${INSTANCE} &> /dev/null
+ done
+ doil_status_okay
+ fi
+ fi
+
+ return $?
+}
\ No newline at end of file
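Review bot: `doil apply "${NAME}" "${GLOBAL_PARAM}" enable_https` passes an empty quoted argument when `SUFFIX` is `local`, so `doil apply` receives `""` as its second positional parameter rather than nothing, which presumably shifts `enable_https` out of place; build the optional flag as an array instead: `GLOBAL_PARAM=()`, `[ "${SUFFIX}" != "local" ] && GLOBAL_PARAM=(-g)`, `doil apply "${NAME}" "${GLOBAL_PARAM[@]}" enable_https`. The README in this commit names the state `enable-https` while the script calls `enable_https`, and with `&> /dev/null` on the surrounding docker commands a failure of either step goes unnoticed before the container is committed as `doil/${INSTANCE}:stable`, so at least the apply and the `salt-call grains.set` line should keep their output and abort the loop on non-zero exit. `docker exec -it` allocates a TTY, which fails when the update runs without a terminal; these one-shot commands need neither `-i` nor `-t`. The `${NEEDLE}`/`${REPLACE}` assignments, the instance loop header and part of the function body are not visible here (the hunk appears truncated around the `cat` line), so the unquoted `${REPLACE}/${NAME}` handed to `salt-call` cannot be checked beyond noting it should be quoted.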