From 8817d753a34b4b62bddfd3462de03b6708a38c0b Mon Sep 17 00:00:00 2001
From: Maria Haider <mariah@sunet.se>
Date: Mon, 8 Jul 2024 11:06:39 +0200
Subject: [PATCH] upgrade demw application to 3.2.0 in prod

ref: SC-2047
---
 .../overlay/etc/logrotate.d/eidas-middleware  |  7 ++++
 .../configuration/application.properties.sh   | 36 +++++++++----------
 global/overlay/etc/puppet/cosmos-rules.yaml   |  5 +--
 .../etc/puppet/manifests/cosmos-site.pp       | 26 +++++---------
 4 files changed, 34 insertions(+), 40 deletions(-)
 create mode 100644 demw-common/overlay/etc/logrotate.d/eidas-middleware

diff --git a/demw-common/overlay/etc/logrotate.d/eidas-middleware b/demw-common/overlay/etc/logrotate.d/eidas-middleware
new file mode 100644
index 00000000..e8c10c74
--- /dev/null
+++ b/demw-common/overlay/etc/logrotate.d/eidas-middleware
@@ -0,0 +1,7 @@
+/var/log/eidas-middleware/eidas-middleware.log {
+  rotate 13
+  daily
+  compress
+  missingok
+  notifempty
+}
diff --git a/demw-common/overlay/opt/eidas-middleware/configuration/application.properties.sh b/demw-common/overlay/opt/eidas-middleware/configuration/application.properties.sh
index dd77cd14..0c0f82b7 100644
--- a/demw-common/overlay/opt/eidas-middleware/configuration/application.properties.sh
+++ b/demw-common/overlay/opt/eidas-middleware/configuration/application.properties.sh
@@ -1,27 +1,27 @@
 cat<<EOF
-#Logging
-logging.file=/var/log/eidas-middleware/demw.log
-#logging.level.com.zaxxer.hikari=DEBUG
-
-#Credentials
-poseidas.admin.hashed.password=${POSEIDAS_ADMIN_HASHED_PASSWORD}
-poseidas.admin.username=${POSEIDAS_ADMIN_USERNAME:-demw}
-
-#Server Settings
+#server settings
 server.port=${SERVER_PORT:-8443}
 server.adminInterfacePort=${ADMIN_PORT:-10000}
-server.ssl.key-password=dummy
-server.ssl.key-store=file\:///tmp/${CERTNAME}.p12
-server.ssl.key-store-password=dummy
-server.ssl.keyAlias=tls
-server.ssl.keyStoreType=PKCS12
 
-#Data source
-spring.datasource.password=${SPRING_DATASOURCE_PASSWORD}
-spring.datasource.url=jdbc\:h2\:file\:/opt/eidas-middleware/database/eidasmw;DB_CLOSE_DELAY\=-1;DB_CLOSE_ON_EXIT\=FALSE
+#TLS settings
+server.ssl.key-store:file\:///tmp/${CERTNAME}.p12
+server.ssl.key-store-password:dummy
+server.ssl.key-password=dummy
+server.ssl.keyStoreType:PKCS12
+server.ssl.keyAlias:tls
+
+#database connection
+spring.datasource.url=jdbc:h2:/opt/eidas-middleware/database/eidasmw;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE
 spring.datasource.username=${SPRING_DATASOURCE_USERNAME:-demw}
-spring.datasource.hikari.maximumPoolSize=20
+spring.datasource.password=${SPRING_DATASOURCE_PASSWORD}
+
+#logging
+logging.file.name=/var/log/eidas-middleware/eidas-middleware.log
 
 #HSM
 hsm.type=NO_HSM
+#hsm.keys.delete=30
+#hsm.keys.archive=false
+#pkcs11.config=
+#pkcs11.passwd=123456
 EOF
diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml
index e84e8c9f..cf6822b6 100644
--- a/global/overlay/etc/puppet/cosmos-rules.yaml
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@@ -889,11 +889,8 @@ demw-1.sveidas.se:
    konsulter:
    autoupdate:
    eidas_de_middleware_hsm:
-      version: 228-sc-p11_hsm2
+      version: 320-sc_hsm2
       hostname: demw.eidas.swedenconnect.se
-   saml_metadata:
-      filename: /opt/eidas-middleware/configuration/serviceprovider-metadata/connector-metadata.xml
-      url: https://connector.eidas.swedenconnect.se/idp/metadata/sp
    webserver:
       enabled: true
    sunet::frontend::register_sites:
diff --git a/global/overlay/etc/puppet/manifests/cosmos-site.pp b/global/overlay/etc/puppet/manifests/cosmos-site.pp
index af80a248..c4d974c9 100644
--- a/global/overlay/etc/puppet/manifests/cosmos-site.pp
+++ b/global/overlay/etc/puppet/manifests/cosmos-site.pp
@@ -351,6 +351,8 @@ class eidas_de_middleware_hsm($version="110-fixes-sc-p11",$hostname='localhost')
    $poseidas_admin_hashed_password = safe_hiera('poseidas_admin_hashed_password')
    $spring_datasource_password = safe_hiera('spring_datasource_password')
    $pkcs11_pin = safe_hiera('pkcs11_pin')
+
+   #saved directly in admin inteface from version 3.0.0 onwards
    $demw_tls_client_key = safe_hiera('demw_tls_client_key')
    $demw_tls_client_cert = safe_hiera('demw_tls_client_cert')
    $demw_tls_server_cert = safe_hiera('demw_tls_server_cert')
@@ -361,7 +363,7 @@ class eidas_de_middleware_hsm($version="110-fixes-sc-p11",$hostname='localhost')
       image    => 'docker.sunet.se/eidas-demw',
       imagetag => $_version,
       hostname => "${::fqdn}",
-      ports    => ['443:8443','127.0.0.1:10000:10000'],
+      ports    => ['443:8443','10000:10000'],
       volumes  => ['/var/log/eidas-middleware:/var/log/eidas-middleware',
                    '/opt/eidas-middleware/configuration:/opt/eidas-middleware/configuration',
                    '/opt/eidas-middleware/database:/opt/eidas-middleware/database',
@@ -370,25 +372,13 @@ class eidas_de_middleware_hsm($version="110-fixes-sc-p11",$hostname='localhost')
                    '/etc/Chrystoki.conf.d:/etc/Chrystoki.conf.d',
                    '/etc/ssl:/etc/ssl'],
       env      => ["CERTNAME=${::fqdn}_infra",
-                   "EIDAS_SIGNER_DEFAULT_HASH_ALGORITHM=SHA256",
-                   "PUBLIC_HOSTNAME=$_hostname",
-                   "PKCS11_PIN=$pkcs11_pin",
-                   "PKCS11_CONFIG_LOCATION=/opt/eidas-middleware/configuration/hsm/pkcs11.properties",
-                   "POSEIDAS_ADMIN_HASHED_PASSWORD=$poseidas_admin_hashed_password",
-                   "DEMW_TLS_CLIENT_KEY=$demw_tls_client_key",
-                   "DEMW_TLS_CLIENT_CERT=$demw_tls_client_cert",
-                   "DEMW_TLS_SERVER_CERT=$demw_tls_server_cert",
+                   "LOGGING_LEVEL_DE_GOVERNIKUS_EUMW_POSEIDAS_SERVER_IDPROVIDER_CONFIG=DEBUG",
+                   "SC_HSM.P11_PIN=$pkcs11_pin",
+                   "SC_HSM_P11_CONFIG_FILE=/opt/eidas-middleware/configuration/hsm/demw-sunpkcs11-config",
+                   "SC_HSM.P11_ALIAS=sc_eidas_sign",
                    'JAVA_OPTS="-DformatMsgNoLookups=true -Dlog4j2.formatMsgNoLookups=true"',
                    "SPRING_DATASOURCE_PASSWORD=$spring_datasource_password"],
-      extra_parameters => ["--log-driver=syslog --cpuset-cpus=0-3"]
-   }
-   #temp solution
-   sunet::scriptherder::cronjob { 'reboot_demw_application':
-        cmd           => '/usr/sbin/service docker-eidas-demw restart',
-        minute        => '0',
-        hour          => '5',
-        ok_criteria   => ['exit_status=0', 'max_age=25h'],
-        warn_criteria => ['exit_status=0', 'max_age=49h'],
+      extra_parameters => ["--log-driver=syslog"]
    }
 }