Keycloak served through https

examples/cernbox/cernbox.toml

@@ -101,7 +101,7 @@ auth_manager = "oidc"
 users = "/etc/revad/users.demo.json"
 
 [grpc.services.authprovider.auth_managers.oidc]
-issuer = "http://idp.docker:8080/realms/cernbox"
+issuer = "https://idp.docker:8443/realms/cernbox"
 uid_claim = "cern_uid"
 gid_claim = "cern_gid"
 gatewaysvc = "{{ vars.internal_gateway }}:19000"

examples/cernbox/web.json

@@ -3,8 +3,8 @@
   "theme": "https://your.nginx.org/cernbox/theme-cernbox/theme.json",
   "version": "0.0.0",
   "openIdConnect": {
-    "metadata_url": "http://idp.docker:8080/realms/cernbox/.well-known/openid-configuration",
-    "authority": "http://idp.docker:8080/realms/cernbox",
+    "metadata_url": "https://idp.docker:8443/realms/cernbox/.well-known/openid-configuration",
+    "authority": "https://idp.docker:8443/realms/cernbox",
     "client_id": "cernbox-oidc",
     "response_type": "code",
     "scope": "openid profile email"

tests/sciencemesh/init-sciencemesh.sh

@@ -45,7 +45,7 @@ TAG_WOPISERVER=master
     pondersource/dev-stock-owncloud-sciencemesh                                 \
     composer install
 
-# CERNBox web and extensions sources.
+# CERNBox web and extensions sources: uid=101 is nginx in the nginx container.
 [ ! -d "cernbox-web-sciencemesh" ] &&                                           \
     mkdir -p temp/cernbox-1-conf temp/cernbox-2-conf &&                         \
     cp cernbox/nginx/* temp/cernbox-1-conf &&                                   \
@@ -57,6 +57,7 @@ TAG_WOPISERVER=master
     rm -rf web.tar.gz &&                                                        \
     git clone ${REPO_CBOX_EXT} cernbox &&                                       \
     chmod -R 755 ./web ./cernbox &&                                             \
+    chown -R 101:101 ./web/ ./cernbox &&                                        \
     cd -
 
 # wopiserver source code for the config.

tests/sciencemesh/scripts/gencerts.sh

@@ -37,6 +37,9 @@ createCert stub2
 createCert revad1
 createCert revad2
 
+createCert idp
+chown 1000:1000 ../tls/idp.*
+
 for efss in owncloud nextcloud cernbox; do
   createCert ${efss}1
   createCert ${efss}2

tests/sciencemesh/scripts/testing-sciencemesh.sh

@@ -41,8 +41,8 @@ cp --force ./scripts/init-owncloud-sciencemesh.sh  ./temp/owncloud.sh
 cp --force ./scripts/init-nextcloud-sciencemesh.sh ./temp/nextcloud.sh
 
 # TLS dirs for mounting
-cp --recursive --force ./tls "./temp/${EFSS1}-1-tls"
-cp --recursive --force ./tls "./temp/${EFSS2}-2-tls"
+[ ! -d "${ENV_ROOT}/${EFSS1}-1-tls" ] && cp --recursive --force ./tls "./temp/${EFSS1}-1-tls"
+[ ! -d "${ENV_ROOT}/${EFSS2}-2-tls" ] && cp --recursive --force ./tls "./temp/${EFSS2}-2-tls"
 
 # make sure scripts are executable.
 chmod +x "${ENV_ROOT}/scripts/reva-run.sh"
@@ -72,10 +72,15 @@ docker run --detach --name=collabora.docker --network=testnet -p 9980:9980 -t \
 docker run --detach --network=testnet --name=idp.docker                       \
   -e KEYCLOAK_ADMIN="admin" -e KEYCLOAK_ADMIN_PASSWORD="admin"                \
   -e KC_HOSTNAME="idp.docker"                                                 \
+  -e KC_HTTPS_CERTIFICATE_FILE="idp.crt"                                      \
+  -e KC_HTTPS_KEY_STORE_FILE="idp.key"                                        \
+  -e KC_HTTPS_PORT="8443"                                                     \
   -v "${ENV_ROOT}/cernbox/keycloak:/opt/keycloak/data/import"                 \
-  -p 9080:8080                                                                \
+  -v "${ENV_ROOT}/tls:/etc/x509/https"                                        \
+  -p 8443:8443                                                                \
   quay.io/keycloak/keycloak:21.1.1                                            \
   start-dev --import-realm
+#  -e KC_HTTPS_TRUST_STORE_FILE="ca-bundle.crt"
 
 # EFSS1
 if [ "${EFSS1}" != "cernbox" ]; then
@@ -269,7 +274,7 @@ if [ "${EFSS1}" == "cernbox" ]; then
 docker run --detach --network=testnet                                         \
   --name="${EFSS1}1.docker"                                                   \
   -v "${ENV_ROOT}/temp/cernbox-1-conf:/etc/nginx"                             \
-  -v "${ENV_ROOT}/temp/cernbox-1-conf/config.json:/etc/ocis/config.json"      \
+  -v "${ENV_ROOT}/temp/cernbox-1-conf/config.json:/var/www/web/config.json"   \
   -v "${ENV_ROOT}/tls:/usr/local/share/ca-certificates"                       \
   -v "${ENV_ROOT}/cernbox-web-sciencemesh/web:/var/www/web"                   \
   -v "${ENV_ROOT}/cernbox-web-sciencemesh/cernbox:/var/www/cernbox"           \
@@ -284,7 +289,7 @@ if [ "${EFSS2}" == "cernbox" ]; then
 docker run --detach --network=testnet                                         \
   --name="${EFSS2}2.docker"                                                   \
   -v "${ENV_ROOT}/temp/cernbox-2-conf:/etc/nginx"                             \
-  -v "${ENV_ROOT}/temp/cernbox-2-conf/config.json:/etc/ocis/config.json"      \
+  -v "${ENV_ROOT}/temp/cernbox-2-conf/config.json:/var/www/web/config.json"   \
   -v "${ENV_ROOT}/tls:/usr/local/share/ca-certificates"                       \
   -v "${ENV_ROOT}/cernbox-web-sciencemesh/web:/var/www/web"                   \
   -v "${ENV_ROOT}/cernbox-web-sciencemesh/cernbox:/var/www/cernbox"           \