Merge remote-tracking branch 'origin/master' into edge

Author: jonasbardino

mig/install/generateconfs.py

@@ -4,7 +4,7 @@
 # --- BEGIN_HEADER ---
 #
 # generateconfs - create custom MiG server configuration files
-# Copyright (C) 2003-2024  The MiG Project lead by Brian Vinter
+# Copyright (C) 2003-2025  The MiG Project
 #
 # This file is part of MiG.
 #
@@ -145,7 +145,10 @@ def main(argv, _generate_confs=generate_confs, _print=print):
         'ext_oidc_rewrite_cookie',
         'dhparams_path',
         'daemon_keycert',
+        'daemon_keycert_sha256',
         'daemon_pubkey',
+        'daemon_pubkey_md5',
+        'daemon_pubkey_sha256',
         'daemon_show_address',
         'alias_field',
         'peers_permit',

mig/install/migcheckssl-template.sh.cronjob

@@ -40,7 +40,9 @@ server_crt="${domain_cert_path}/server.crt"
 server_crt_ca_pem="${domain_cert_path}/server.crt.ca.pem"
 server_key_crt_ca_pem="${domain_cert_path}/server.key.crt.ca.pem"
 combined_pem="${domain_cert_path}/combined.pem"
+combined_pem_sha256="${combined_pem}.sha256"
 combined_pub="${domain_cert_path}/combined.pub"
+combined_pub_sha256="${combined_pub}.sha256"
 dhparams_pem="${cert_base}/dhparams.pem"
 # use git latest or release version of getssl
 getssl_version="release"
@@ -279,10 +281,32 @@ if [[ ${org_mtime} -ne ${new_mtime} && "${org_chksum}" != "${new_chksum}" ]]; th
         fi
     done
     if [ -n "${migrid_subservices}" ]; then
-        sha256_fingerprint=$(openssl x509 -noout -fingerprint -sha256 -in ${combined_pem})
-        sha256_fingerprint=${sha256_fingerprint/SHA256 Fingerprint=/}
-        echo "Please update ftps and davs sha256 fingerprint in MiGserver.conf to:"
-        echo "${sha256_fingerprint}"
+        pem_sha256_fp=$(openssl x509 -noout -fingerprint -sha256 -in ${combined_pem})
+        pem_sha256_fp=${pem_sha256_fp/* Fingerprint=/}
+        echo "Please manually update ftps/davs sha256 fingerprint in MiGserver.conf to:"
+        echo "${pem_sha256_fp}"
+        echo "or point those configuration values to the latest fingerprint file with:"
+        echo "FILE::${combined_pem_sha256}"
+        echo "optionally appending '\$\$CACHE_PATH' for memory caching in CACHE_PATH."
+        echo "${pem_sha256_fp}" > ${combined_pem_sha256}
+        pub_md5_fp=$(ssh-keygen -l -E md5 -f ${combined_pub})
+        pub_md5_fp=${pub_md5_fp/* MD5:/}
+        pub_md5_fp=${pub_md5_fp/ */}
+        echo "Please verify that sftp md5 fingerprint in MiGserver.conf is:"
+        echo "${pub_md5_fp}"
+        echo "or point that configuration value to the latest fingerprint file with:"
+        echo "FILE::${combined_pub_md5}"
+        echo "optionally appending '\$\$CACHE_PATH' for memory caching in CACHE_PATH."
+        echo "${pub_md5_fp}" > ${combined_pub_md5}
+        pub_sha256_fp=$(ssh-keygen -l -f ${combined_pub})
+        pub_sha256_fp=${pub_sha256_fp/* SHA256:/}
+        pub_sha256_fp=${pub_sha256_fp/ */}
+        echo "Please verify that sftp sha256 fingerprint in MiGserver.conf is:"
+        echo "${pub_sha256_fp}"
+        echo "or point that configuration value to the latest fingerprint file with:"
+        echo "FILE::${combined_pub_sha256}"
+        echo "optionally appending '\$\$CACHE_PATH' for memory caching in CACHE_PATH."
+        echo "${pub_sha256_fp}" > ${combined_pub_sha256}
     fi
 fi
 

mig/shared/configuration.py

@@ -4,7 +4,7 @@
 # --- BEGIN_HEADER ---
 #
 # configuration - configuration wrapper
-# Copyright (C) 2003-2024  The MiG Project lead by Brian Vinter
+# Copyright (C) 2003-2025  The MiG Project by the Science HPC Center at UCPH
 #
 # This file is part of MiG.
 #
@@ -1134,7 +1134,8 @@ def reload_config(self, verbose, skip_log=False, disable_auth_log=False,
             fingerprint = config.get('GLOBAL', 'user_sftp_key_md5')
             self.user_sftp_key_md5 = fingerprint
         if config.has_option('GLOBAL', 'user_sftp_key_sha256'):
-            fingerprint = config.get('GLOBAL', 'user_sftp_key_sha256')
+            fingerprint = expand_external_sources(
+                logger, config.get('GLOBAL', 'user_sftp_key_sha256'))
             self.user_sftp_key_sha256 = fingerprint
         if config.has_option('GLOBAL', 'user_sftp_key_from_dns'):
             self.user_sftp_key_from_dns = config.getboolean(
@@ -1228,7 +1229,8 @@ def reload_config(self, verbose, skip_log=False, disable_auth_log=False,
             self.user_davs_key = config.get('GLOBAL',
                                             'user_davs_key')
         if config.has_option('GLOBAL', 'user_davs_key_sha256'):
-            fingerprint = config.get('GLOBAL', 'user_davs_key_sha256')
+            fingerprint = expand_external_sources(
+                logger, config.get('GLOBAL', 'user_davs_key_sha256'))
             self.user_davs_key_sha256 = fingerprint
         if config.has_option('GLOBAL', 'user_davs_auth'):
             self.user_davs_auth = config.get('GLOBAL',
@@ -1274,7 +1276,8 @@ def reload_config(self, verbose, skip_log=False, disable_auth_log=False,
             self.user_ftps_key = config.get('GLOBAL',
                                             'user_ftps_key')
         if config.has_option('GLOBAL', 'user_ftps_key_sha256'):
-            fingerprint = config.get('GLOBAL', 'user_ftps_key_sha256')
+            fingerprint = expand_external_sources(
+                logger, config.get('GLOBAL', 'user_ftps_key_sha256'))
             self.user_ftps_key_sha256 = fingerprint
         if config.has_option('GLOBAL', 'user_ftps_auth'):
             self.user_ftps_auth = config.get('GLOBAL',

mig/shared/install.py

@@ -4,7 +4,7 @@
 # --- BEGIN_HEADER ---
 #
 # install - MiG server install helpers
-# Copyright (C) 2003-2024  The MiG Project lead by Brian Vinter
+# Copyright (C) 2003-2025  The MiG Project by the Science HPC Center at UCPH
 #
 # This file is part of MiG.
 #
@@ -412,7 +412,10 @@ def generate_confs(
     ext_oidc_rewrite_cookie='',
     dhparams_path='',
     daemon_keycert='',
+    daemon_keycert_sha256=keyword_auto,
     daemon_pubkey='',
+    daemon_pubkey_md5=keyword_auto,
+    daemon_pubkey_sha256=keyword_auto,
     daemon_pubkey_from_dns=False,
     daemon_show_address='',
     alias_field='',
@@ -730,7 +733,10 @@ def _generate_confs_prepare(
     ext_oidc_rewrite_cookie,
     dhparams_path,
     daemon_keycert,
+    daemon_keycert_sha256,
     daemon_pubkey,
+    daemon_pubkey_md5,
+    daemon_pubkey_sha256,
     daemon_pubkey_from_dns,
     daemon_show_address,
     alias_field,
@@ -999,9 +1005,9 @@ def _generate_confs_prepare(
     user_dict['__DHPARAMS_PATH__'] = dhparams_path
     user_dict['__DAEMON_KEYCERT__'] = daemon_keycert
     user_dict['__DAEMON_PUBKEY__'] = daemon_pubkey
-    user_dict['__DAEMON_KEYCERT_SHA256__'] = ''
-    user_dict['__DAEMON_PUBKEY_MD5__'] = ''
-    user_dict['__DAEMON_PUBKEY_SHA256__'] = ''
+    user_dict['__DAEMON_KEYCERT_SHA256__'] = daemon_keycert_sha256
+    user_dict['__DAEMON_PUBKEY_MD5__'] = daemon_pubkey_md5
+    user_dict['__DAEMON_PUBKEY_SHA256__'] = daemon_pubkey_sha256
     user_dict['__DAEMON_PUBKEY_FROM_DNS__'] = "%s" % daemon_pubkey_from_dns
     user_dict['__SFTP_PORT__'] = "%s" % sftp_port
     user_dict['__SFTP_SUBSYS_PORT__'] = "%s" % sftp_subsys_port
@@ -1925,15 +1931,19 @@ def _generate_confs_prepare(
 openssl dhparam 2048 -out %(__DHPARAMS_PATH__)s""" % user_dict)
             sys.exit(1)
 
-    # Auto-fill fingerprints if daemon key is set
+    # Auto-fill fingerprints if daemon key is set with AUTO fingerprint
     if user_dict['__DAEMON_KEYCERT__']:
         if not os.path.isfile(os.path.expanduser("%(__DAEMON_KEYCERT__)s" %
                                                  user_dict)):
             print("ERROR: requested daemon keycert file not found!")
-            print("""You can create it with:
-openssl genrsa -out %(__DAEMON_KEYCERT__)s 2048""" % user_dict)
+            print("""You can create it e.g. with:
+openssl genrsa -out %(__DAEMON_KEYCERT__)s 4096""" % user_dict)
             sys.exit(1)
+    else:
+        user_dict['__DAEMON_KEYCERT_SHA256__'] = ''
 
+    if user_dict['__DAEMON_KEYCERT__'] and keyword_auto in \
+            (daemon_keycert_sha256, ):
         key_path = os.path.expanduser(user_dict['__DAEMON_KEYCERT__'])
         openssl_cmd = ["openssl", "x509", "-noout", "-fingerprint", "-sha256",
                        "-in", key_path]
@@ -1948,15 +1958,21 @@ def _generate_confs_prepare(
             print("ERROR: failed to extract sha256 fingerprint of %s: %s" %
                   (key_path, exc))
             daemon_keycert_sha256 = ''
-        user_dict['__DAEMON_KEYCERT_SHA256__'] = daemon_keycert_sha256
+        if daemon_keycert_sha256 == keyword_auto:
+            user_dict['__DAEMON_KEYCERT_SHA256__'] = daemon_keycert_sha256
     if user_dict['__DAEMON_PUBKEY__']:
         if not os.path.isfile(os.path.expanduser("%(__DAEMON_PUBKEY__)s" %
                                                  user_dict)):
             print("ERROR: requested daemon pubkey file not found!")
             print("""You can create it with:
 ssh-keygen -f %(__DAEMON_KEYCERT__)s -y > %(__DAEMON_PUBKEY__)s""" % user_dict)
             sys.exit(1)
+    else:
+        user_dict['__DAEMON_PUBKEY_MD5__'] = ''
+        user_dict['__DAEMON_PUBKEY_SHA256__'] = ''
 
+    if user_dict['__DAEMON_PUBKEY__'] and keyword_auto in \
+            (daemon_pubkey_md5, daemon_pubkey_sha256):
         pubkey_path = os.path.expanduser(user_dict['__DAEMON_PUBKEY__'])
         pubkey = read_file(pubkey_path, None)
         if pubkey is None:
@@ -1974,9 +1990,12 @@ def _generate_confs_prepare(
         except Exception as exc:
             print("ERROR: failed to extract fingerprints of %s : %s" %
                   (pubkey_path, exc))
+            daemon_pubkey_md5 = ''
             daemon_pubkey_sha256 = ''
-        user_dict['__DAEMON_PUBKEY_MD5__'] = daemon_pubkey_md5
-        user_dict['__DAEMON_PUBKEY_SHA256__'] = daemon_pubkey_sha256
+        if daemon_pubkey_md5 == keyword_auto:
+            user_dict['__DAEMON_PUBKEY_MD5__'] = daemon_pubkey_md5
+        if daemon_pubkey_sha256 == keyword_auto:
+            user_dict['__DAEMON_PUBKEY_SHA256__'] = daemon_pubkey_sha256
 
     # Enable Debian/Ubuntu specific lines only there
     if user_dict['__DISTRO__'].lower() in ('ubuntu', 'debian'):

state/wwwpublic/index-erda.dk-ucph-science.html

@@ -46,7 +46,7 @@
          /* We assume UCPH users here and leave external users to FAQ entry */
          function login(user) {
              if (user == "extoid") {
-                 window.open('https://erda.dk', '_blank');
+                 window.open('https://oid.erda.dk', '_blank');
              } else if (user == "extoidc") {
                  window.open('https://oidc.erda.dk', '_blank');
              } else if (user == "extcert") {

state/wwwpublic/index-ui.erda.dk-user-friendly.html

@@ -46,6 +46,9 @@
         <link rel="icon" type="image/vnd.microsoft.icon"
               href="/images/skin/erda-user-friendly/favicon.ico"/>
 
+        <!-- site-specific variables used to adjust displayed information -->
+        <script type="text/javascript" src="/images/site-conf.js"></script>
+
         <script type="text/javascript" src="/assets/vendor/jquery/js/jquery.js"></script>
         <script type="text/javascript" src="/assets/vendor/jquery-ui/js/jquery-ui.js"></script>
         <script type="text/javascript" src="/images/lib/country-dropdown/js/msdropdown/jquery.dd.min.js"></script>
@@ -69,26 +72,39 @@
          /* We assume UCPH users here and leave external users to FAQ entry */
          function login(user) {
              if (user == "extoid") {
-                 window.open('https://ui.erda.dk', '_blank');
-             } else if (user == "cert") {
+                 window.open('https://ui-oid.erda.dk', '_blank');
+             } else if (user == "extoidc") {
+                 window.open('https://ui-oidc.erda.dk', '_blank');
+             } else if (user == "extcert") {
                  window.open('https://ui-cert.erda.dk', '_blank');
              } else if (user == "migoid") {
                  window.open('https://ui-ext.erda.dk', '_blank');
+             } else if (user == "migcert") {
+                 window.open('https://ui-cert.erda.dk', '_blank');
              } else {
-                 window.open('https://ui-sid.erda.dk/cgi-sid/login.py', '_blank');
+                 window.open('https://ui-sid.erda.dk/cgi-sid/login.py',
+                             '_blank');
              }
          }
          function signup(user) {
              if (user == "extoid") {
-                 window.open('https://ui-sid.erda.dk/cgi-sid/signup.py?show=kitoid', 
+                 window.open('https://ui-oid.erda.dk/wsgi-bin/autocreate.py',
+                             '_blank');
+             } else if (user == "extoidc") {
+                 window.open('https://ui-oidc.erda.dk/wsgi-bin/autocreate.py',
                              '_blank');
-             } else if (user == "cert") {
-                 window.open('https://ui-sid.erda.dk/cgi-sid/signup.py?show=extcert',
+             } else if (user == "extcert") {
+                 window.open('https://ui-cert.erda.dk/wsgi-bin/extcert.py',
                              '_blank');
              } else if (user == "migoid") {
-                 window.open('https://ui-sid.erda.dk/cgi-sid/reqoid.py', '_blank');
+                 window.open('https://ui-sid.erda.dk/cgi-sid/reqoid.py',
+                             '_blank');
+             } else if (user == "migcert") {
+                 window.open('https://ui-cert.erda.dk/cgi-sid/reqcert.py',
+                             '_blank');
              } else {
-                 window.open('https://ui-sid.erda.dk/cgi-sid/signup.py', '_blank');
+                 window.open('https://ui-sid.erda.dk/cgi-sid/signup.py',
+                             '_blank');
              }
          }
 
@@ -104,11 +120,11 @@
                      supported_languages.push($(this).val());
                  }
              });
-             console.log("found supported langs: "+supported_languages);
+             //console.debug("found supported langs: "+supported_languages);
              if (locale && supported_languages.indexOf(locale) >= 0)  {
                  user_lang = locale;
              } else {
-                 console.log(locale+" not supported - fall back to: "+default_lang);
+                 console.warn(locale+" not supported - fall back to: "+default_lang);
                  user_lang = default_lang;
              }
 
@@ -154,6 +170,29 @@
              $("#langselect").val(user_lang);
              switch_language(user_lang);
              $("#langselect").msDropdown().fadeIn(500);
+
+             var auth_methods = lookup_site_conf('auth_methods', ['extoid', 'migoid', 'extcert']);
+             var query = window.location.search;
+             const urlParams = new URLSearchParams(query);
+             var show = [];
+             var quicktabs = ['extoid', 'extoidc', 'migoid', 'extcert'];
+             urlParams.forEach((value, key) => {
+                 //console.log("Found "+value+" in "+key);
+                 if (quicktabs.indexOf(value) >= 0) {
+                     show.push(value);
+                 }
+             });
+             if (!urlParams.get('show')) {
+                 if (auth_methods.length > 0) {
+                     //console.log("show auth_methods: " + auth_methods);
+                     show = auth_methods;
+                 } else {
+                     //console.log("show quicktabs: " + quicktabs);
+                     show = quicktabs;
+                 }
+             } else {
+                 //console.log("show urlparams: " + show);
+             }
          });
         </script>
 
@@ -249,13 +288,9 @@ <h3>Site Status</h3>
                     <div class="col-12 align-self-center">
                         <h1>Keep everything organized with ERDA</h1>
                         <p class="sub-title">ERDA - Electronic Research Data Archive is a storage, sharing and archiving facility provided by University of Copenhagen to employees and students.</p>
-                        <button style="color: #fff; background-color: #46743C; border-radius: 30px; width: 120px; height: 40px;" value="log in" onClick="login('extoid');">Log in</button>
+                        <button style="color: #fff; background-color: #46743C; border-radius: 30px; width: 120px; height: 40px;" value="log in" onClick="login('extoidc');">Log in</button>
                         <div id="signupform" class="hidden">
-                            <form method='post' action='https://ui.erda.dk/wsgi-bin/autocreate.py'>
-                                <!-- IMPORTANT: openid.ku.dk fails if we change these to https -->
-                                <input type='hidden' name='openid.ns' value='http://specs.openid.net/auth/2.0' />
-                                <input type='hidden' name='openid.ns.sreg' value='http://openid.net/extensions/sreg/1.1' />
-                                <input type='hidden' name='openid.sreg.required' value='nickname,fullname,email,o,ou,country,state,role' />
+                            <form method='post' action='https://ui-oidc.erda.dk/wsgi-bin/autocreate.py'>
                                 <input class="signupbutton" type="submit" value="sign up" />
 
                             </form>

tests/fixture/confs-stdlocal/migcheckssl

@@ -40,7 +40,9 @@ server_crt="${domain_cert_path}/server.crt"
 server_crt_ca_pem="${domain_cert_path}/server.crt.ca.pem"
 server_key_crt_ca_pem="${domain_cert_path}/server.key.crt.ca.pem"
 combined_pem="${domain_cert_path}/combined.pem"
+combined_pem_sha256="${combined_pem}.sha256"
 combined_pub="${domain_cert_path}/combined.pub"
+combined_pub_sha256="${combined_pub}.sha256"
 dhparams_pem="${cert_base}/dhparams.pem"
 # use git latest or release version of getssl
 getssl_version="release"
@@ -279,10 +281,32 @@ if [[ ${org_mtime} -ne ${new_mtime} && "${org_chksum}" != "${new_chksum}" ]]; th
         fi
     done
     if [ -n "${migrid_subservices}" ]; then
-        sha256_fingerprint=$(openssl x509 -noout -fingerprint -sha256 -in ${combined_pem})
-        sha256_fingerprint=${sha256_fingerprint/SHA256 Fingerprint=/}
-        echo "Please update ftps and davs sha256 fingerprint in MiGserver.conf to:"
-        echo "${sha256_fingerprint}"
+        pem_sha256_fp=$(openssl x509 -noout -fingerprint -sha256 -in ${combined_pem})
+        pem_sha256_fp=${pem_sha256_fp/* Fingerprint=/}
+        echo "Please manually update ftps/davs sha256 fingerprint in MiGserver.conf to:"
+        echo "${pem_sha256_fp}"
+        echo "or point those configuration values to the latest fingerprint file with:"
+        echo "FILE::${combined_pem_sha256}"
+        echo "optionally appending '\$\$CACHE_PATH' for memory caching in CACHE_PATH."
+        echo "${pem_sha256_fp}" > ${combined_pem_sha256}
+        pub_md5_fp=$(ssh-keygen -l -E md5 -f ${combined_pub})
+        pub_md5_fp=${pub_md5_fp/* MD5:/}
+        pub_md5_fp=${pub_md5_fp/ */}
+        echo "Please verify that sftp md5 fingerprint in MiGserver.conf is:"
+        echo "${pub_md5_fp}"
+        echo "or point that configuration value to the latest fingerprint file with:"
+        echo "FILE::${combined_pub_md5}"
+        echo "optionally appending '\$\$CACHE_PATH' for memory caching in CACHE_PATH."
+        echo "${pub_md5_fp}" > ${combined_pub_md5}
+        pub_sha256_fp=$(ssh-keygen -l -f ${combined_pub})
+        pub_sha256_fp=${pub_sha256_fp/* SHA256:/}
+        pub_sha256_fp=${pub_sha256_fp/ */}
+        echo "Please verify that sftp sha256 fingerprint in MiGserver.conf is:"
+        echo "${pub_sha256_fp}"
+        echo "or point that configuration value to the latest fingerprint file with:"
+        echo "FILE::${combined_pub_sha256}"
+        echo "optionally appending '\$\$CACHE_PATH' for memory caching in CACHE_PATH."
+        echo "${pub_sha256_fp}" > ${combined_pub_sha256}
     fi
 fi