SRAM deploy roles port

.github/workflows/molecule-loadbalancer.yml

@@ -24,7 +24,7 @@ jobs:
   build:
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
 
       - name: Set up Python 3.8
         uses: actions/setup-python@v6

.github/workflows/molecule-mongo.yml

@@ -18,7 +18,7 @@ jobs:
   build:
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
       - name: Set up Python 3.8
         uses: actions/setup-python@v6
         with:

.github/workflows/syntax.yml

@@ -19,7 +19,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
 
       - name: Set up Python 3.8
         uses: actions/setup-python@v6

.yamllint.yaml

@@ -0,0 +1,27 @@
+---
+extends: "default"
+
+rules:
+  # 80 chars should be enough, but don't fail if a line is longer
+  line-length:
+    max: 160
+    level: "warning"
+
+  quoted-strings:
+    quote-type: "any"
+    required: true
+    allow-quoted-quotes: false
+    check-keys: false
+
+# ansible-lint compatibility:
+  comments:
+    min-spaces-from-content: 1
+
+  comments-indentation: false
+
+  braces:
+    max-spaces-inside: 1
+
+  octal-values:
+    forbid-implicit-octal: true
+    forbid-explicit-octal: true

README.md

@@ -19,7 +19,6 @@ Every application has a seperate role to install it. The following roles can be
 | myconext              | eduID                          |
 | profile               | Profile page                   |
 | manage                | Entity registration            |
-| teams                 | Group membership app           |
 | mujina                | Mujina IdP                     |
 | voot                  | Voot membership API            |
 | pdp                   | Policy Decicions API           |

environments/template/group_vars/all.yml

@@ -30,6 +30,8 @@ admin_email: "openconext-admin@example.edu"
 environment_shortname: ""
 environment_ribbon_colour: ""
 
+current_release_appdir: /opt/openconext
+
 httpd_csp:
   lenient: "default-src 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'"
   lenient_with_static_img: "default-src 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' https://{{ static_vhost }} http://localhost:* data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'"
@@ -52,7 +54,6 @@ engine_attribute_aggregation_password: "{{ aa.eb_password }}"
 
 # Some deprovision variables are shared between applications
 authz_server_api_lifecycle_username: authz_server_api_lifecycle_user
-teams_api_lifecycle_username: teams_api_lifecycle_user
 attribute_aggregator_api_lifecycle_username: attribute_aggregator_api_lifecycle_user
 engine_api_deprovision_user: lifecycle
 lifecycle_api_username: lifecycle

environments/template/group_vars/mongo_servers.yml

@@ -1,5 +1,5 @@
 ---
-replica_set_name: my_mongo_cluster
+mongo_replica_set_name: my_mongo_cluster
 
 mongo_cluster_members:
   - host: "mongo3.example.com:{{ mongo_port }}" # arbiter first or change mongo_arbiter_index

environments/template/group_vars/template.yml

@@ -38,8 +38,6 @@ mujina_version: "8.0.2"
 oidcng_version: "6.1.6"
 pdp_version: "7.3.0"
 profile_version: "3.1.4"
-teams_gui_version: "9.1.3"
-teams_server_version: "9.1.3"
 voot_version: "6.2.0"
 myconext_version: "8.1.12-1"
 dashboard_version: "13.0.11"
@@ -53,14 +51,12 @@ statistics_version: "1.1.7"
 
 databases:
   names:
-    - teams
     - "{{ engine_database_name }}"
     - pdp-server
     - aaserver
     - shibboleth
     - eb_logins
   users:
-    - { name: teamsrw, db_name: teams, password: "{{ mysql_passwords.teams }}" }
     - { name: "{{ engine_database_user }}", db_name: "{{ engine_database_name }}", password: "{{ mysql_passwords.eb }}" }
     - { name: pdp-serverrw, db_name: pdp-server, password: "{{ mysql_passwords.pdp_server }}" }
     - { name: aa-serverrw, db_name: aaserver, password: "{{ mysql_passwords.aa_server }}" }
@@ -100,32 +96,10 @@ engine_trusted_proxy_ips:
   - 192.168.1.1
   - 10.0.0.1
 #
-engine_keys:
-  default:
-    privateFile: /etc/openconext/engineblock.pem
-    publicKey: engineblock.crt
-    publicFile: /etc/openconext/engineblock.crt
-
 profile_apache_symfony_environment: prod
 # Engine's assertion signing certificate:
 engine_profile_idp_certificate: /etc/openconext/engineblock.crt
 
-teams:
-  db_name: "teams"
-  db_user: "teamsrw"
-  db_password: "{{ mysql_passwords.teams }}"
-  db_host: "{{ mariadb_host }}"
-  group_name_context: "urn:collab:group:{{ base_domain }}:"
-  voot_api_user: "voot"
-  spdashboard_api_user: "spdashboard"
-  spdashboard_person_urn: "urn:collab:person:surfnet.nl:sp-dashboard-C133A36F-CFCA-4F3D-87CE-7ECE29773FE0"
-  product_name: "OpenConext Teams"
-  default_stem_name: "demo:openconext:org"
-  feature_invite_migration_on: False
-  super_admins_team_urns:
-    - "nl:surfnet:diensten:teams_super_users"
-    - "nl:surfnet:diensten:teams_super_admin_users"
-
 engineblock:
   idp_url: https://engine.{{ base_domain }}/authentication/idp/single-sign-on
   idp_entity_id: https://engine.{{ base_domain }}/authentication/idp/metadata
@@ -402,9 +376,6 @@ loadbalancing:
   metadata:
     port: 409
 
-  teams:
-    port: 601
-
   oidc_playground:
     port: 619
 
@@ -483,13 +454,6 @@ haproxy_applications:
     servers: "{{docker_servers}}"
     restricted: yes
 
-  - name: teams
-    vhost_name: teams.{{ base_domain }}
-    ha_method: "GET"
-    ha_url: "/api/teams/health"
-    port: "{{ loadbalancing.teams.port }}"
-    servers: "{{docker_servers}}"
-
   - name: oidc_playground
     vhost_name: "oidc-playground.{{ base_domain }}"
     ha_method: "GET"

environments/template/inventory

@@ -84,9 +84,6 @@ docker2.example.com
 [docker_invite:children]
 docker_apps1
 
-[docker_teams:children]
-docker_apps1
-
 [docker_pdp:children]
 docker_apps1
 

environments/template/secrets/secret_example.yml

@@ -1,7 +1,6 @@
 mysql_root_password: secret
 
 mysql_passwords:
-  teams: secret
   eb: secret
   pdp_server: secret
   aa_server: secret
@@ -13,7 +12,7 @@ mongo_passwords:
    oidcng: secret
    myconext: secret
 
-mongo_admin_password: secret
+mongo_admin_password: secret # this works for first time install, if you change it later you will have to do it manually
 mongo_ca_passphrase: secret
 
 engine_api_metadata_push_password: secret
@@ -36,7 +35,6 @@ engine_parameters_secret: secretsecretsecretsecretsecretsecret  # need 32 chars
 
 profile_secret: secret
 
-teams_authz_client_secret: secret
 teams_migration_secret_key: secret
 
 voot_resource_checking_secret: secret
@@ -45,7 +43,6 @@ voot_oidcng_checkToken_secret: secret
 external_group_provider_secrets:
   teams: secret
 
-teams_api_lifecycle_password: secret
 teams_api_spdashboard_password: secret
 attribute_aggregator_api_lifecycle_password: secret
 
@@ -144,7 +141,7 @@ invite_lifecycle_secret: "secret"
 invite_internal_secret: "secret"
 invite_profile_secret: "secret"
 invite_sp_dashboard_secret: "secret"
-invite_access_secret: "secret"
+invite_access_dashboard_secret: "secret"
 invite_private_key_pkcs8: |
   -----BEGIN PRIVATE KEY-----
   MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCfpYYMgKYDICkp

provision.yml

@@ -283,13 +283,6 @@
     - role: stepupwebauthn
   tags: ['stepupwebauthn', 'stepup']
 
-- name: Deploy teams app
-  hosts: docker_teams
-  become: true
-  roles:
-    - teams
-  tags: ['teams']
-
 - name: Deploy voot app
   hosts: docker_voot
   become: true

roles/dashboard/templates/serverapplication.yml.j2

@@ -27,8 +27,8 @@ spDashboard.password={{ dashboard_sp_dashboard_password }}
 
 # SAB connection details
 sab-rest.endpoint={{ dashboard.sab_rest_endpoint }}
-sab-rest.username=cdk
-sab-rest.password={{ dashboard_sab_rest_password }}
+sab-rest.username={{ dashboard.sab_rest_username }}
+sab-rest.password={{ dashboard.sab_rest_password }}
 
 # SAB roles
 admin.surfconext.idp.sabRole=SURFconextverantwoordelijke

roles/engine/defaults/main.yml

@@ -2,21 +2,22 @@
 engine_version: ""
 # Be aware that if you enable this option that NPM, Node.js and Composer are installed
 # Feature toggles
-engine_feature_encrypted_assertions: 1
-engine_feature_encrypted_assertions_require_outer_signature: 1
-engine_feature_run_all_manipulations_prior_to_consent: 0
-engine_feature_block_user_on_violation: 0
-engine_feature_enable_sso_notification: 0
-engine_feature_enable_sso_session_cookie: 0
-engine_feature_enable_consent: 1
-engine_feature_stepup_override_entityid: 0
-engine_feature_idp_initiated_flow: 1
-engine_api_feature_metadata_push: 1
-engine_api_feature_consent_listing: 1
-engine_api_feature_consent_remove: 0
-engine_api_feature_metadata_api: 1
-engine_api_feature_deprovision: 1
-engine_feature_send_user_attributes: 0
+engine_feature_encrypted_assertions: true
+engine_feature_encrypted_assertions_require_outer_signature: true
+engine_feature_run_all_manipulations_prior_to_consent: false
+engine_feature_block_user_on_violation: false
+engine_feature_enable_sso_notification: false
+engine_feature_enable_sso_session_cookie: false
+engine_feature_enable_consent: true
+engine_feature_stepup_override_entityid: false
+engine_feature_idp_initiated_flow: true
+engine_feature_send_user_attributes: false
+engine_feature_enable_sbs_interrupt: false
+engine_api_feature_metadata_push: true
+engine_api_feature_consent_listing: true
+engine_api_feature_consent_remove: false
+engine_api_feature_metadata_api: true
+engine_api_feature_deprovision: true
 
 # Cutoff point for showing unfiltered IdPs on the WAYF
 engine_wayf_cutoff_point_for_showing_unfiltered_idps: 50
@@ -76,6 +77,14 @@ engine_stepup_gateway_sfo_entity_id: "https://{{ engine_stepup_gateway_domain }}
 # The single sign-on endpoint used for Stepup Gateway SFO callouts
 engine_stepup_gateway_sfo_sso_location: "https://{{ engine_stepup_gateway_domain }}/second-factor-only/single-sign-on"
 
+# SBS interrupt settings
+engine_sbs_base_url: "sbs.{{ base_domain }}"
+engine_sbs_attributes_allowed:
+  - 'urn:mace:dir:attribute-def:eduPersonEntitlement'
+  - 'urn:mace:dir:attribute-def:uid'
+  - 'urn:mace:dir:attribute-def:eduPersonPrincipalName'
+  - 'urn:oid:1.3.6.1.4.1.24552.500.1.1.1.13'
+
 ## The minimum priority of messages that will be logged
 engine_logging_passthru_level: NOTICE