ansible
[ CAS ] Error missing /etc/cas/saml
When deploying the playbook (master) on a new Debian 12 via vagrant, the proxycas webapp won't start the cas-server application because a folder is missing.
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'samlIdPObjectSignatureValidator' defined in class path resource [org/apereo/cas/config/SamlIdPEndpointsConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.apereo.cas.support.saml.web.idp.profile.builders.enc.validate.SamlObjectSignatureValidator]: Factory method 'samlIdPObjectSignatureValidator' threw exception; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'samlIdPMetadataGenerator' defined in class path resource [org/apereo/cas/config/SamlIdPMetadataConfiguration.class]: Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: Metadata directory location /etc/cas/saml cannot be located/created
I could not find any configuration link to /etc/cas/saml in datadir, but in the cas-server docs there is some touch: https://apereo.github.io/cas/7.0.x/installation/Configuring-SAML2-DynamicMetadata.html
Creating an empty folder /etc/cas/saml fixes the problem but might not be the answer.
Is your datadir up to date? Especially these 2 lines: https://github.com/georchestra/datadir/blob/master/cas/config/cas.properties#L52-L53
oh, or maybe the cas.properties is templated into the ansible playbook ...
it is templated indeed, but @landryb updated it last week: https://github.com/georchestra/ansible/blame/master/roles/georchestra/templates/cas/cas.properties.j2
I have the latest version of the playbook, I see the templating, but in the final datadir /etc/georchestra/cas/config neither cas.properties nor log4j2.xml is updated. They are not coming from the master datadir (the last two lines are missing and log4j2.xml points to /var/log).
Could they come from the debian package ?
the playbook deploys the datadir and the templates after installing the debian package, so if you run ansible-playbook -t config --diff you should be able to see what is updated in the datadir
as for the empty /etc/georchestra/cas/saml dir it should exist since it's in the datadir repo at https://github.com/georchestra/datadir/tree/master/cas/saml
I was wrong in my previous comment and misread yours.. after checking, the datadir is deployed/customized before deploying the debian packages, which apparently overrides the customizations done by the playbook since config files are also shipped by the debian package. That is.. a definitely strange behaviour, because by default when left unattended/without user interaction (i.e. when run from ansible), dpkg shouldn't override already present files...
It gets back to one point brought up during the codesprint: what about dropping the default /etc/georchestra/webapp brought by the packages? Maybe it would make more sense to have a sample configuration in /usr/share/doc/?
can repro on a test instance, after removing georchestra-cas and running ansible-playbook -t config:
- the config is customized:
root@bookworm:/etc/georchestra# git diff cas
diff --git a/cas/config/cas.properties b/cas/config/cas.properties
index 422537d..2c68f3b 100644
--- a/cas/config/cas.properties
+++ b/cas/config/cas.properties
@@ -1,4 +1,4 @@
-cas.server.name=https://georchestra.mydomain.org
+cas.server.name=https://georchestra.example.org
cas.server.prefix=${cas.server.name}/cas
logging.config=file:/etc/georchestra/cas/config/log4j2.xml
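Review bot: both `git diff cas` outputs in this comment start from the same blob (index 422537d), so this hunk is the right baseline to compare the post-install diff against; it shows that, in this file, the playbook only customizes cas.server.name, while cas.server.prefix and logging.config are untouched context. Keep both diffs together in the repro so the regression stays reproducible.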
diff --git a/cas/config/log4j2.xml b/cas/config/log4j2.xml
index 604fc81..e201b49 100644
--- a/cas/config/log4j2.xml
+++ b/cas/config/log4j2.xml
@@ -2,7 +2,7 @@
<!-- Specify the refresh internal in seconds. -->
<Configuration monitorInterval="5" packages="org.apereo.cas.logging">
<Properties>
- <Property name="baseDir">/var/log</Property>
+ <Property name="baseDir">/srv/log</Property>
<Property name="cas.log.level">info</Property>
<Property name="spring.webflow.log.level">warn</Property>
<Property name="spring.security.log.level">info</Property>
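Review bot: the context line `<!-- Specify the refresh internal in seconds. -->` has a typo, "internal" should be "interval". More relevant to the bug: `monitorInterval="5"` means log4j2 re-reads this file every 5 seconds, so when the package overwrites it the baseDir silently flips back from /srv/log to /var/log on the running CAS without a restart; new cas log files appearing under /var/log are a quick indicator that the override happened.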
installing georchestra-cas doesn't ask questions about config files:
root@bookworm:/etc/georchestra# apt install georchestra-cas
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
georchestra-cas
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/99.1 MB of archives.
After this operation, 111 MB of additional disk space will be used.
Selecting previously unselected package georchestra-cas.
(Reading database ... 92678 files and directories currently installed.)
Preparing to unpack .../georchestra-cas_6.3.7.4.master.202402080539~e5d7cd0_all.deb ...
Unpacking georchestra-cas (6.3.7.4.master.202402080539~e5d7cd0) ...
Setting up georchestra-cas (6.3.7.4.master.202402080539~e5d7cd0) ...
has overridden the customizations. iirc this doesn't happen with other packages... definitely strange.
root@bookworm:/etc/georchestra# git diff cas
diff --git a/cas/config/cas.properties b/cas/config/cas.properties
index 422537d..d7ca759 100644
--- a/cas/config/cas.properties
+++ b/cas/config/cas.properties
@@ -48,6 +48,3 @@ cas.authn.ldap[0].name=
cas.authn.ldap[0].type=DIRECT
cas.authn.ldap[0].dn-format=uid=%s,ou=users,dc=georchestra,dc=org
cas.authn.oidc.jwks.jwks-file=file:///tmp/keystore.jwksdown
-
-cas.authn.saml-idp.core.entity-id=https://${FQDN}/idp
-cas.authn.saml-idp.metadata.location=file:///tmp/
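Review bot: this hunk shows the package-shipped cas.properties is not just un-customized but behind the datadir: the two `cas.authn.saml-idp.*` lines the datadir added (the same L52-53 cited earlier in the thread) are removed, which is exactly the missing metadata configuration behind the `/etc/cas/saml cannot be located/created` error in the report. Separately, the removed value `cas.authn.saml-idp.metadata.location=file:///tmp/` points the SAML IdP metadata directory at /tmp, a world-writable and non-persistent location; the empty cas/saml directory shipped in the datadir looks like the intended place, and the templated value should point there rather than at /tmp.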
the way ansible installs the packages via apt, it should use --force-confdef & --force-confold as dpkg options, per https://docs.ansible.com/ansible/latest/collections/ansible/builtin/apt_module.html#parameter-dpkg_options - and to my understanding that explicitly says 'keep existing files'.
or I'm not reading https://dyn.manpages.debian.org/bookworm/dpkg/dpkg.1.en.html#force~2 right...
@pierrejego can you check what happens if you add:
diff --git a/roles/georchestra/tasks/wars.yml b/roles/georchestra/tasks/wars.yml
index b5d9f64..dcb816d 100644
--- a/roles/georchestra/tasks/wars.yml
+++ b/roles/georchestra/tasks/wars.yml
@@ -20,6 +20,7 @@
apt:
pkg: "{{ item.value.pkg }}"
update_cache: true
+ dpkg_options: force-confold
state: latest # noqa: package-latest
with_dict: "{{ georchestra_wars }}"
when: item.value.enabled and item.key != 'cadastrapp' and item.value.pkg is defined
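Review bot: `dpkg_options: force-confold` replaces the module's default value rather than adding to it, and the comment above already cites the docs for force-confdef & force-confold being that default, so this line drops force-confdef and otherwise changes nothing. Since the apt output above shows no conffile prompt at all, the likelier cause is that the files under /etc/georchestra are not declared as conffiles by the package (dpkg's conf* force options only apply to files listed in the package's conffiles); suggest checking with `dpkg-query -W -f '${Conffiles}\n' georchestra-cas` before changing the task. Also, the indentation of the added line is lost in the paste; it must align with `update_cache:` for the YAML to stay valid.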
That is.. a definitely strange behaviour, because by default when left unattended/without user interaction (ie when run from ansible), dpkg shouldn't override already present files...
It gets back to one point brought up during the codesprint: what about dropping the default /etc/georchestra/webapp brought by the packages? Maybe it would make more sense to have a sample configuration in /usr/share/doc/?
that or /usr/share/doc/georchestra-datadir ? since we have /usr/share/doc/georchestra-*/copyright...
Maybe it would deserve a new package, then (I'd expect that in debian conventions, you would need to have /usr/share/doc/<packagename> or so). It also reminds me that we never solved the issue with /etc/georchestra/default.properties (which package should take care of it?)
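As an added example for the dpkg_options / conffile discussion above (not code from the georchestra playbook or datadir): a small POSIX sh check that tells whether a config path is registered as a dpkg conffile at all, and whether the on-disk copy still carries local edits or has been reverted to the shipped version. The conffile list format is the one `dpkg-query -W -f '${Conffiles}\n' <pkg>` prints; the paths and file contents in demo_run are constructed in a temp dir and are assumptions.

```shell
#!/bin/sh
# Added example, not part of the georchestra playbook or datadir: detect whether
# a package (re)install can clobber a customized config file. dpkg's force-confold
# / force-confdef only apply to files the package registers as conffiles, so the
# check has two parts: is the path a conffile at all, and does the on-disk copy
# still match the checksum dpkg recorded for the shipped version?
# LIST is the text printed by: dpkg-query -W -f '${Conffiles}\n' <package>
# (one " <path> <md5>" entry per line).

# is_conffile LIST PATH -> exit 0 when PATH is a registered conffile
is_conffile() {
  printf '%s\n' "$1" | awk -v p="$2" '$1 == p { f = 1 } END { exit !f }'
}

# packaged_md5 LIST PATH -> md5 dpkg recorded for the shipped PATH
packaged_md5() {
  printf '%s\n' "$1" | awk -v p="$2" '$1 == p { print $2 }'
}

# drift_status LIST PATH -> one word:
#   not-conffile : dpkg will overwrite it on (re)install regardless of confold
#   missing      : not on disk
#   pristine     : identical to the shipped version (customizations are gone)
#   modified     : differs from the shipped version (local edits still intact)
drift_status() {
  is_conffile "$1" "$2" || { echo not-conffile; return; }
  [ -f "$2" ] || { echo missing; return; }
  cur=$(md5sum "$2" | awk '{ print $1 }')
  [ "$cur" = "$(packaged_md5 "$1" "$2")" ] && echo pristine || echo modified
}

# demo_run: constructed scenario in a temp dir mirroring the thread:
# cas.properties reverted by the package, log4j2.xml still customized,
# default.properties not owned as a conffile by any package (assumed contents).
demo_run() {
  d=$(mktemp -d)
  printf 'cas.server.name=https://georchestra.mydomain.org\n' > "$d/cas.properties"
  printf '<Property name="baseDir">/var/log</Property>\n' > "$d/log4j2.xml"
  printf 'instanceName=geOrchestra\n' > "$d/default.properties"
  list=" $d/cas.properties $(md5sum "$d/cas.properties" | awk '{ print $1 }')
 $d/log4j2.xml $(md5sum "$d/log4j2.xml" | awk '{ print $1 }')"
  # playbook customization applied after the package shipped log4j2.xml
  printf '<Property name="baseDir">/srv/log</Property>\n' > "$d/log4j2.xml"
  echo "$(drift_status "$list" "$d/cas.properties")" \
       "$(drift_status "$list" "$d/log4j2.xml")" \
       "$(drift_status "$list" "$d/default.properties")"
  rm -rf "$d"
}
```

Run `demo_run` after sourcing the file to see the three statuses; against a real host, feed `dpkg-query -W -f '${Conffiles}\n' georchestra-cas` as LIST and the datadir paths as PATH.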