[ CAS ] Error missing /etc/cas/saml #133

Open
pierrejego opened this issue Mar 27, 2024 · 12 comments
Comments

@pierrejego
Member

When deploying the playbook (master) on a new Debian 12 via Vagrant, the proxycas webapp won't start the cas-server application because a folder is missing.

Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'samlIdPObjectSignatureValidator' defined in class path resource [org/apereo/cas/config/SamlIdPEndpointsConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.apereo.cas.support.saml.web.idp.profile.builders.enc.validate.SamlObjectSignatureValidator]: Factory method 'samlIdPObjectSignatureValidator' threw exception; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'samlIdPMetadataGenerator' defined in class path resource [org/apereo/cas/config/SamlIdPMetadataConfiguration.class]: Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: Metadata directory location /etc/cas/saml cannot be located/created

I could not find any configuration linked to /etc/cas/saml in the datadir, but the cas-server docs touch on it:
https://apereo.github.io/cas/7.0.x/installation/Configuring-SAML2-DynamicMetadata.html

Creating an empty folder /etc/cas/saml fixes the problem but might not be the answer.

@pmauduit
Member

Is your datadir up to date? Especially these 2 lines:
https://github.com/georchestra/datadir/blob/master/cas/config/cas.properties#L52-L53

@pmauduit
Member

Oh, or maybe cas.properties is templated in the Ansible playbook...

@pierrejego
Member Author

I have the latest version of the playbook; I see the templating, but in the final datadir /etc/georchestra/cas/config neither cas.properties nor log4j2.xml is updated.
They are not coming from the master datadir (the last two lines are missing and log4j2.xml points to /var/log).

Could they come from the Debian package?

@landryb
Member

landryb commented Mar 28, 2024

The playbook deploys the datadir and the templates after installing the Debian package, so if you run ansible-playbook -t config --diff you should be able to see what is updated in the datadir.

As for the empty /etc/georchestra/cas/saml dir, it should exist since it's in the datadir repo at https://github.com/georchestra/datadir/tree/master/cas/saml

@landryb
Member

landryb commented Apr 4, 2024

I was wrong in my previous comment and misread yours. After checking, the datadir is deployed/customized before deploying the Debian packages, which apparently overrides the customizations done by the playbook since config files are also shipped by the Debian package. That is a definitely strange behaviour, because by default, when left unattended/without user interaction (i.e. when run from Ansible), dpkg shouldn't override already present files...

@pmauduit
Member

pmauduit commented Apr 4, 2024

That is.. a definitely strange behaviour, because by default when left unattended/without user interaction (ie when run from ansible), dpkg shouldn't override already present files...

It gets back to one point brought up during the codesprint: what about dropping the default /etc/georchestra/webapp brought by the packages? Maybe it would make more sense to have a sample configuration in /usr/share/doc/?

@landryb
Member

landryb commented Apr 4, 2024

Can repro on a test instance, after removing georchestra-cas and running ansible-playbook -t config:

  • the config is customized:
root@bookworm:/etc/georchestra# git diff cas
diff --git a/cas/config/cas.properties b/cas/config/cas.properties
index 422537d..2c68f3b 100644
--- a/cas/config/cas.properties
+++ b/cas/config/cas.properties
@@ -1,4 +1,4 @@
-cas.server.name=https://georchestra.mydomain.org
+cas.server.name=https://georchestra.example.org
 cas.server.prefix=${cas.server.name}/cas
 
 logging.config=file:/etc/georchestra/cas/config/log4j2.xml
diff --git a/cas/config/log4j2.xml b/cas/config/log4j2.xml
index 604fc81..e201b49 100644
--- a/cas/config/log4j2.xml
+++ b/cas/config/log4j2.xml
@@ -2,7 +2,7 @@
 <!-- Specify the refresh internal in seconds. -->
 <Configuration monitorInterval="5" packages="org.apereo.cas.logging">
     <Properties>
-        <Property name="baseDir">/var/log</Property>
+        <Property name="baseDir">/srv/log</Property>
         <Property name="cas.log.level">info</Property>
         <Property name="spring.webflow.log.level">warn</Property>
         <Property name="spring.security.log.level">info</Property>

Installing georchestra-cas doesn't ask questions about config files:

root@bookworm:/etc/georchestra# apt install georchestra-cas
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  georchestra-cas
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/99.1 MB of archives.
After this operation, 111 MB of additional disk space will be used.
Selecting previously unselected package georchestra-cas.
(Reading database ... 92678 files and directories currently installed.)
Preparing to unpack .../georchestra-cas_6.3.7.4.master.202402080539~e5d7cd0_all.deb ...
Unpacking georchestra-cas (6.3.7.4.master.202402080539~e5d7cd0) ...
Setting up georchestra-cas (6.3.7.4.master.202402080539~e5d7cd0) ...

has overridden the customizations. IIRC this doesn't happen with other packages... definitely strange.

root@bookworm:/etc/georchestra# git diff cas
diff --git a/cas/config/cas.properties b/cas/config/cas.properties
index 422537d..d7ca759 100644
--- a/cas/config/cas.properties
+++ b/cas/config/cas.properties
@@ -48,6 +48,3 @@ cas.authn.ldap[0].name=
 cas.authn.ldap[0].type=DIRECT
 cas.authn.ldap[0].dn-format=uid=%s,ou=users,dc=georchestra,dc=org
 cas.authn.oidc.jwks.jwks-file=file:///tmp/keystore.jwksdown
-
-cas.authn.saml-idp.core.entity-id=https://${FQDN}/idp
-cas.authn.saml-idp.metadata.location=file:///tmp/
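Review bot: the two properties dropped at the end of this hunk are the missing piece behind the original report: with `cas.authn.saml-idp.metadata.location=file:///tmp/` gone, CAS falls back to its built-in default metadata directory, /etc/cas/saml, which is exactly the path in the "cannot be located/created" error above, so the fix is to get this property back into the deployed cas.properties rather than to create /etc/cas/saml by hand. Separately, the value that was being removed, and the context line `cas.authn.oidc.jwks.jwks-file=file:///tmp/keystore.jwksdown`, both point key material (the IdP metadata directory holds the IdP signing and encryption keys) at /tmp, which is world-writable and typically cleared on reboot; once the property is restored it should point at a root-owned directory under the datadir (the earlier comment notes the datadir already ships cas/saml) with the same treatment for the OIDC keystore.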

@landryb
Member

landryb commented Apr 4, 2024

The way Ansible installs the packages via apt, it should use --force-confdef & --force-confold as dpkg options, per https://docs.ansible.com/ansible/latest/collections/ansible/builtin/apt_module.html#parameter-dpkg_options - and to my understanding that explicitly says 'keep existing files'.

Or I'm not reading https://dyn.manpages.debian.org/bookworm/dpkg/dpkg.1.en.html#force~2 right...
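The dpkg options discussed in this thread only protect files a package has registered as conffiles: dpkg keeps (or prompts about) a locally modified conffile, but a file the package ships under /etc without declaring it in its Conffiles field is replaced silently, whatever --force-confold says. The following script, added here as an illustration and not part of the playbook or of any geOrchestra package, parses a dpkg status stanza in the format of /var/lib/dpkg/status and reports, for each file the playbook customizes, whether a reinstall would preserve or overwrite it. The status text, the hashes and the on-disk contents are constructed samples (the hashes are the md5 of "" and "a"), and the package name georchestra-cas is used only as a label; the real package's conffile list is not on this page.

```python
"""Predict what dpkg does to locally customized files on package (re)install.

Rules implemented (dpkg semantics):
  * path not in the package's Conffiles field  -> silently overwritten
  * conffile marked "obsolete"                 -> no longer shipped, left alone
  * conffile whose md5 still matches the field -> not locally modified, updated
  * conffile whose md5 differs                 -> preserved with --force-confold
                                                  (dpkg would prompt without it)
"""
import hashlib

# Constructed sample stanza in /var/lib/dpkg/status format; NOT the real
# georchestra-cas package.  Only cas.properties is declared as a conffile.
SAMPLE_STATUS = """\
Package: georchestra-cas
Status: install ok installed
Version: 0.0.0-constructed
Conffiles:
 /etc/georchestra/cas/config/cas.properties d41d8cd98f00b204e9800998ecf8427e
 /etc/georchestra/cas/config/old.properties 0cc175b9c0f1b6a831c399e269772661 obsolete
Description: constructed example stanza

Package: other-pkg
Status: install ok installed
Conffiles:
 /etc/other/other.conf 92eb5ffee6ae2fec3ad71c777531578f
"""

# Constructed current on-disk contents, standing in for what the playbook
# templated; on a real host these would be read from the files themselves.
SAMPLE_CONTENTS = {
    "/etc/georchestra/cas/config/cas.properties":
        b"cas.server.name=https://georchestra.example.org\n",
    "/etc/georchestra/cas/config/log4j2.xml":
        b'<Property name="baseDir">/srv/log</Property>\n',
}


def parse_conffiles(status_text):
    """Return {package: {path: {"md5": str, "obsolete": bool}}}.

    In the status file the Conffiles field is a multi-line field whose
    continuation lines start with a space: " <path> <md5>[ obsolete]".
    """
    result = {}
    pkg = None
    in_conffiles = False
    for line in status_text.splitlines():
        if line.startswith("Package:"):
            pkg = line.split(":", 1)[1].strip()
            result[pkg] = {}
            in_conffiles = False
        elif line.startswith("Conffiles:"):
            in_conffiles = True
        elif in_conffiles and line.startswith(" ") and pkg is not None:
            parts = line.split()
            result[pkg][parts[0]] = {
                "md5": parts[1],
                "obsolete": "obsolete" in parts[2:],
            }
        else:
            # Any other field ends the multi-line Conffiles field.
            in_conffiles = False
    return result


def classify(path, conffiles, content):
    """Apply the dpkg rules above to one customized file."""
    entry = conffiles.get(path)
    if entry is None:
        return "overwritten"
    if entry["obsolete"]:
        return "orphaned"
    if hashlib.md5(content).hexdigest() == entry["md5"]:
        return "unchanged"
    return "preserved"


def audit(customized, package, status_text=SAMPLE_STATUS, contents=SAMPLE_CONTENTS):
    """Map each customized path to its verdict for the given package."""
    conffiles = parse_conffiles(status_text).get(package, {})
    return {p: classify(p, conffiles, contents.get(p, b"")) for p in customized}


if __name__ == "__main__":
    report = audit(list(SAMPLE_CONTENTS), "georchestra-cas")
    for path, verdict in report.items():
        print(f"{verdict:11} {path}")
```

On a real host, replace SAMPLE_STATUS with the contents of /var/lib/dpkg/status (or the output of `dpkg-query -W -f='${Conffiles}\n' georchestra-cas`) and read the customized files from disk. A "preserved" verdict assumes force-confold is in effect, which is the Ansible apt module's default together with force-confdef; an "overwritten" verdict means no dpkg option will help and the file has to be re-templated after the package step, or the package has to stop shipping it.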

@landryb
Member

landryb commented Apr 4, 2024

@pierrejego can you check what happens if you add:

diff --git a/roles/georchestra/tasks/wars.yml b/roles/georchestra/tasks/wars.yml
index b5d9f64..dcb816d 100644
--- a/roles/georchestra/tasks/wars.yml
+++ b/roles/georchestra/tasks/wars.yml
@@ -20,6 +20,7 @@
   apt:
     pkg: "{{ item.value.pkg }}"
     update_cache: true
+    dpkg_options: force-confold
     state: latest # noqa: package-latest
   with_dict: "{{ georchestra_wars }}"
   when: item.value.enabled and item.key != 'cadastrapp' and item.value.pkg is defined
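Review bot: `dpkg_options: force-confold` replaces the module default rather than adding to it: the apt module's dpkg_options defaults to `force-confdef,force-confold` (the docs linked in the previous comment), so this line silently drops force-confdef; if the option is set at all it should read `dpkg_options: force-confdef,force-confold`. More importantly, force-confold only governs files the package declares as conffiles, and the install log above shows dpkg replacing the customized cas.properties with no prompt at all, which is the behaviour of a package shipping its /etc/georchestra/cas files without registering them as conffiles; in that case no dpkg option preserves them, and the fix is either to re-run the datadir/templating step after the apt task or to stop shipping those files in the package. Checking `dpkg-query -W -f='${Conffiles}\n' georchestra-cas` before and after this change would show which case applies.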

@landryb
Member

landryb commented Apr 4, 2024

That is.. a definitely strange behaviour, because by default when left unattended/without user interaction (ie when run from ansible), dpkg shouldn't override already present files...

It gets back to one point brought during the codesprint: what about dropping the default /etc/georchestra/webapp brought by the packages ? Maybe it would make more sense to have a sample configuration into /usr/share/doc/ ?

That or /usr/share/doc/georchestra-datadir? Since we have /usr/share/doc/georchestra-*/copyright...

@pmauduit
Member

pmauduit commented Apr 4, 2024

that or /usr/share/doc/georchestra-datadir ? since we have /usr/share/doc/georchestra-*/copyright...

Maybe it would deserve a new package, then (I'd expect that by Debian conventions you would need to have /usr/share/doc/<packagename> or so). It also reminds me that we never solved the issue with /etc/georchestra/default.properties (which package should take care of it?).
