Merge pull request #265 from ODMDev/vnext-release

ICP4BA 2101 release

.env

@@ -18,4 +18,4 @@ FROMLIBERTY=ibmcom/websphere-liberty:20.0.0.6-kernel-java8-ibmjava-ubi
 
 # Postgres Version
 FROMPOSTGRES=postgres:12
-POSTGRESUID=999
+POSTGRESUID=999

common/config/authOidc/authFilters.xml

@@ -47,7 +47,8 @@
     </authFilter>
     <!-- Note: The apiAuthFilter should be complementary to the browserAuthFilter -->
     <authFilter id="apiAuthFilter">
-	<requestHeader id="allowBasicAuth" matchType="notContain" name="Authorization" value="Basic" />
+	<!-- This line is to support OIDC and BA by detecting the header -->
+	<requestHeader id="allowBasicAuth" matchType="contains" name="Authorization" value="Bearer" />
         <requestUrl id="apiurl" matchType="contains" urlPattern=
                 "/res/auth|/res/repositoryService|/teamserver/rts-sync|/teamserver/remoting|/teamserver/servlet/SessionServlet|/decisioncenter/rts-sync|/decisioncenter/remoting|/decisioncenter/servlet/SessionServlet|/decisioncenter-api/v1|/DecisionRunner/api|/DecisionRunner/apiauth|/DecisionRunner/serverinfo|/testing/sspService|/testing/serverinfo"/>
     </authFilter>

common/config/authOidc/resAdministrators.xml

@@ -1,5 +1,5 @@
 				<user name="resAdmUser1" access-id="${odm.resAdministrators.user1}"/>
-				<user name="resAdmUser2" access-id="${odm.resAministrators.user2}"/>
+				<user name="resAdmUser2" access-id="${odm.resAdministrators.user2}"/>
 				<user name="resAdmUser3" access-id="${odm.resAdministrators.user3}"/>
 				<group name="resAdmGroup1" access-id="${odm.resAdministrators.group1}"/>
 				<group name="resAdmGroup2" access-id="${odm.resAdministrators.group2}"/>

common/config/authOidc/rtsAdministrators.xml

@@ -1,5 +1,5 @@
 				<user name="rtsAdmUser1" access-id="${odm.rtsAdministrators.user1}"/>
-				<user name="rtsAdmUser2" access-id="${odm.rtsAministrators.user2}"/>
+				<user name="rtsAdmUser2" access-id="${odm.rtsAdministrators.user2}"/>
 				<user name="rtsAdmUser3" access-id="${odm.rtsAdministrators.user3}"/>
 				<group name="rtsAdmGroup1" access-id="${odm.rtsAdministrators.group1}"/>
 				<group name="rtsAdmGroup2" access-id="${odm.rtsAdministrators.group2}"/>

common/config/metering-template.properties

@@ -0,0 +1,16 @@
+### Metering properties ###
+com.ibm.rules.metering.server.url=METERING_SERVER_URL
+# API key to identify the user in IBM Connect to Cloud service
+# Mandatory
+com.ibm.rules.metering.api.key=None
+# Identifier to use to identifier the Decision Center instance
+# Optional: If not specified, the value is automatically computed
+com.ibm.rules.metering.instance.identifier=METERING_INSTANCE_ID
+# Period of time to wait between two usage reports to send to IBM Connect to Cloud service (en milliseconds)
+# Optional: If not specified, the value is 15 minutes
+com.ibm.rules.metering.send.period=METERING_SEND_PERIOD
+# If true, send usages to the IBM Connect to Cloud service
+com.ibm.rules.metering.send.usages=true
+# If true, log usages on the filesystem
+com.ibm.rules.metering.log.usages=true
+### End of metering properties ###

common/script/configureMetering.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+if [ -s "/config/pluginconfig/plugin-configuration.properties" ]
+then
+	echo "Configure metering using /config/pluginconfig/plugin-configuration.properties provided config"
+elif [ -n "$METERING_SERVER_URL" ]
+then
+	echo "Configure metering using /config/metering-template.properties template"
+	echo "Set METERING_SERVER_URL with $METERING_SERVER_URL"
+	sed -i 's|METERING_SERVER_URL|'$METERING_SERVER_URL'|g' /config/metering-template.properties
+	if [ -n "$RELEASE_NAME" ]
+	then
+  		echo "Set METERING_INSTANCE_ID with $RELEASE_NAME"
+        sed -i 's|METERING_INSTANCE_ID|'$RELEASE_NAME'|g' /config/metering-template.properties
+	else
+  		echo "Set METERING_INSTANCE_ID with $HOSTNAME"
+        sed -i 's|METERING_INSTANCE_ID|'$HOSTNAME'|g' /config/metering-template.properties
+	fi
+
+	if [ -n "$METERING_SEND_PERIOD" ]
+	then
+		echo "Set METERING_SEND_PERIOD with $METERING_SEND_PERIOD milliseconds"
+		sed -i 's|METERING_SEND_PERIOD|'$METERING_SEND_PERIOD'|g' /config/metering-template.properties
+	else
+		echo "Set METERING_SEND_PERIOD with 900000 milliseconds"
+		sed -i 's|METERING_SEND_PERIOD|900000|g' /config/metering-template.properties
+	fi
+
+	mkdir /config/pluginconfig
+	cp /config/metering-template.properties /config/pluginconfig/plugin-configuration.properties
+fi

common/script/configureSwidTag.sh

@@ -39,22 +39,22 @@ then
       removeAllSwidTag ibm.com_IBM_ODM_Server_for_Non-Production-*.swidtag
     fi
     echo "ODM configuration : remove all DBAMC Swidtag"
-    removeAllSwidTag ibm.com_Operational_Decision_Manager_Containers_-_CP4Auto*.swidtag
-    removeAllSwidTag ibm.com_Operational_Decision_Manager_Containers_-_CP4Auto_-_Non_Prod*.swidtag
+    removeAllSwidTag ibm.com_Operational_Decision_Manager_Containers_-_CP4BA*.swidtag
+    removeAllSwidTag ibm.com_Operational_Decision_Manager_Containers_-_CP4BA_-_Non_Prod*.swidtag
   else
     if [ -n "$DEPLOY_FOR_PRODUCTION" ]
     then
     	if [[ "$DEPLOY_FOR_PRODUCTION" =~ "TRUE" ]]
         then
         	echo "DEPLOY_FOR_PRODUCTION is true then DBAMC production configuration : remove DBAMC non production Swidtag"
-        	removeAllSwidTag ibm.com_Operational_Decision_Manager_Containers_-_CP4Auto_-_Non_Prod-*.swidtag
+        	removeAllSwidTag ibm.com_Operational_Decision_Manager_Containers_-_CP4BA_-_Non_Prod-*.swidtag
     	else
         	echo "DEPLOY_FOR_PRODUCTION is false then DBAMC non production configuration : remove DBAMC production Swidtag"
-        	removeAllSwidTag ibm.com_Operational_Decision_Manager_Containers_-_CP4Auto-*.swidtag
+        	removeAllSwidTag ibm.com_Operational_Decision_Manager_Containers_-_CP4BA-*.swidtag
     	fi
     else
       echo "DEPLOY_FOR_PRODUCTION not set then DBAMC production configuration : remove DBAMC non production Swidtag"
-    	removeAllSwidTag ibm.com_Operational_Decision_Manager_Containers_-_CP4Auto_-_Non_Prod-*.swidtag
+    	removeAllSwidTag ibm.com_Operational_Decision_Manager_Containers_-_CP4BA_-_Non_Prod-*.swidtag
     fi
     echo "DBAMC configuration : remove all ODM Swidtag"
     removeAllSwidTag ibm.com_IBM_ODM_Server*.swidtag

common/script/configureTlsSecurity.sh

@@ -48,25 +48,45 @@ else
 fi
 # End - Configuration for the TLS security
 
-if [ -f "/config/security/ldap.jks" ]
+if [ -f "/config/ldap/ldap.jks" ]
 then
         if [ -n "$LDAP_TRUSTSTORE_PASSWORD" ]
         then
-                echo "import /config/security/ldap.jks in trustore using provided LDAP truststore password"
+                echo "import /config/ldap/ldap.jks in trustore using provided LDAP truststore password"
         else
-                echo "import /config/security/ldap.jks in trustore using default LDAP truststore password"
+                echo "import /config/ldap/ldap.jks in trustore using default LDAP truststore password"
                 LDAP_TRUSTSTORE_PASSWORD=changeit
         fi
 
         i=0
-        mapfile -t trust_list < <(keytool -list -v -keystore /config/security/ldap.jks -storepass $LDAP_TRUSTSTORE_PASSWORD | grep "Alias name" | awk 'NF>1{print $NF}')
+        mapfile -t trust_list < <(keytool -list -v -keystore /config/ldap/ldap.jks -storepass $LDAP_TRUSTSTORE_PASSWORD | grep "Alias name" | awk 'NF>1{print $NF}')
         for trust_file in "${trust_list[@]}"
         do
-        keytool -changealias -alias ${trust_file} -destalias "LDAP_ALIAS_FOR_ODM_"$i -keystore /config/security/ldap.jks -storepass $LDAP_TRUSTSTORE_PASSWORD
+        keytool -changealias -alias ${trust_file} -destalias "LDAP_ALIAS_FOR_ODM_"$i -keystore /config/ldap/ldap.jks -storepass $LDAP_TRUSTSTORE_PASSWORD
         ((i=i+1))
         done
-        keytool -importkeystore -srckeystore /config/security/ldap.jks -destkeystore /config/security/truststore.jks -srcstorepass $LDAP_TRUSTSTORE_PASSWORD -deststorepass $DEFAULT_TRUSTSTORE_PASSWORD
+        keytool -importkeystore -srckeystore /config/ldap/ldap.jks -destkeystore /config/security/truststore.jks -srcstorepass $LDAP_TRUSTSTORE_PASSWORD -deststorepass $DEFAULT_TRUSTSTORE_PASSWORD
 
 else
-        echo "no /config/security/ldap.jks file"
+        echo "no /config/ldap/ldap.jks file"
+fi
+
+# This part allow to import a list of PEM certificate in the JVM
+ echo "Importing trusted certificates $dir"
+CERTDIR="/config/security/trusted-cert-volume/"
+if [ -d $CERTDIR ]; then 
+    cd $CERTDIR
+    for dir in *; do
+        echo "Importing trusted certificates $dir"
+        if [ -d $dir ]; then 
+           if [ -f $dir/tls.crt ]; then
+                # Don't know if we need to delete the Alias. If don't delete it there is an error 
+                keytool -delete -alias 0trust_$dir -storepass $DEFAULT_TRUSTSTORE_PASSWORD -keystore /config/security/truststore.jks > /dev/null
+                keytool -import -v -trustcacerts -alias 0trust_$dir -file $dir/tls.crt -keystore /config/security/truststore.jks -storepass $DEFAULT_TRUSTSTORE_PASSWORD -noprompt 
+           else
+                echo "Couldn't find certificate $dir/tls.crt skipping this certificate "
+           fi
+        fi 
+    done
+    echo "done"
 fi

common/script/enableMetering.sh

@@ -5,4 +5,6 @@ then
 	echo "enable rules metering"
 	cd  /config/apps/DecisionService.war/WEB-INF/classes;
 	sed -i 's/{pluginClass=HTDS}/{pluginClass=Metering,enable=true},{pluginClass=HTDS}/g' ra.xml
+
+	$SCRIPT/configureMetering.sh
 fi

common/script/installPostgres.sh

@@ -3,5 +3,5 @@
 # Install the driver for PostgreSQL
 echo "Install the driver for postgreSQL"
 cd /tmp
-curl -O -s https://jdbc.postgresql.org/download/postgresql-42.2.16.jar
+curl -O -s https://jdbc.postgresql.org/download/postgresql-42.2.18.jar
 mv postgres* /config/resources

decisioncenter/config/jvm.options

@@ -1,4 +1,2 @@
--Djavax.net.ssl.trustStore=/config/security/truststore.jks
--Djavax.net.ssl.trustStorePassword=__TRUSTSTORE_PASSWORD__
 -Duser.language=en
 -Duser.country=US

decisioncenter/config/new-decisioncenter-configuration.properties

@@ -33,7 +33,7 @@ system.com.ibm.rules.authentication.scheme=oidc
 system.com.ibm.rules.authentication.oidcconfig=OdmOidcProviders.json:OPENID_PROVIDER
 
 # Define the referer whitelist patterns
-system.com.ibm.rules.decisioncenter.referer-whitelist-patterns=OPENID_SERVER_URL/*
+system.com.ibm.rules.decisioncenter.referer-whitelist-patterns=DC_REFERER_LIST
 
 # Define a list of servers separated by semi colon to add to Decision Center configuration
 # format: <name>|<url>|<type>|<description>|<groups> where
@@ -95,8 +95,6 @@ property.teamserver.includeDebugInfoInRulesetArchive=true
 com.ibm.rules.decisioncenter.ldap.sync.users-and-groups=ldap-sync-mode
 
 ### End of LDAP Sync properties ###
-
-
 ### Metering properties ###
 
 # If true, enable the service to collect usages of Decision Center.

decisioncenter/script/rundc.sh

@@ -21,8 +21,6 @@ $SCRIPT/updateDatasource.sh
 
 $SCRIPT/configureSwidTag.sh
 
-$SCRIPT/jvmOptions.sh
-
 $SCRIPT/setTimeZone.sh
 
 . $SCRIPT/setUTF8Locale.sh

decisioncenter/script/updateDCConfigurations.sh

@@ -106,8 +106,32 @@ then
      sed -i 's|"OPENID_PROVIDER"|'null'|g' $DC_SERVER_CONFIG
   fi
   echo "OAuth config : set AUTH_SCHEME to oidc in /config/new-decisioncenter-configuration.properties"
-  echo "OAuth config : set OPENID_SERVER_URL to $OPENID_SERVER_URL in /config/new-decisioncenter-configuration.properties"
-  sed -i 's|OPENID_SERVER_URL|'$OPENID_SERVER_URL'|g' /config/new-decisioncenter-configuration.properties 
+
+
+  if [ -n "$DC_REFERER_LIST" ]
+  then
+	echo "OAuth config : provided DC_REFERER_LIST"
+  else
+	echo "OAuth config : build DC_REFERER_LIST"
+  	IFS=','
+  	DC_REFERER_LIST=""
+  	ALLOWED_DOMAINS_LIST=$(grep OPENID_ALLOWED_DOMAINS /config/authOidc/openIdParameters.properties | sed "s/OPENID_ALLOWED_DOMAINS=//g")
+  	read -ra ADDR <<< "${ALLOWED_DOMAINS_LIST}"
+  	declare -i j=1
+  	for i in "${ADDR[@]}"; do
+  	DC_REFERER_LIST=${DC_REFERER_LIST}"https://"$i"/*"
+    	  if ((j < "${#ADDR[@]}")); then
+      	    DC_REFERER_LIST=${DC_REFERER_LIST}"__COMMA__"
+      	    j=j+1
+    	fi
+  	done
+  fi
+
+  echo "OAuth config : set DC_REFERER_LIST to $DC_REFERER_LIST in /config/new-decisioncenter-configuration.properties"
+  sed -i 's|DC_REFERER_LIST|'$DC_REFERER_LIST'|g' /config/new-decisioncenter-configuration.properties
+  # Issue with DC_REFERER_LIST when built with a comma
+  sed -i 's/__COMMA__/,/g' /config/new-decisioncenter-configuration.properties
+
   echo "replace rtsAdministators/rtsConfigManagers/rtsInstallers group in /config/application.xml"
   sed -i $'/<group name="rtsAdministrators"/{e cat /config/authOidc/rtsAdministrators.xml\n}' /config/application.xml
   sed -i '/<group name="rtsAdministrators"/d' /config/application.xml
@@ -120,8 +144,16 @@ else
   echo "No provided /config/authOidc/openIdParameters.properties"
   echo "BASIC_AUTH config : set provider to null in $DC_SERVER_CONFIG"
   sed -i 's|"OPENID_PROVIDER"|'null'|g' $DC_SERVER_CONFIG
-  echo "BASIC_AUTH config : remove entry with OPEN_ID_SERVER_URL in /config/new-decisioncenter-configuration.properties"
-  sed -i '/OPENID_SERVER_URL/d' /config/new-decisioncenter-configuration.properties
+
+  if [ -n "$DC_REFERER_LIST" ]
+  then
+        echo "BASIC_AUTH config : provided DC_REFERER_LIST"
+	sed -i 's|DC_REFERER_LIST|'$DC_REFERER_LIST'|g' /config/new-decisioncenter-configuration.properties
+  else
+  	echo "BASIC_AUTH config : remove entry with DC_REFERER_LIST in /config/new-decisioncenter-configuration.properties"
+  	sed -i '/DC_REFERER_LIST/d' /config/new-decisioncenter-configuration.properties
+  fi
+
   echo "BASIC_AUTH config : remove entry SCHEME with oidc in /config/new-decisioncenter-configuration.properties"
   sed -i '/scheme=oidc/d' /config/new-decisioncenter-configuration.properties
   echo "BASIC_AUTH config : remove oidc provider entry in /config/new-decisioncenter-configuration.properties"
@@ -239,6 +271,39 @@ else
   sed -i 's|group-file|''|g' $APPS/decisioncenter.war/WEB-INF/classes/config/decisioncenter-configuration.properties
 fi
 
+if [ -n "$COM_IBM_RULES_METERING_ENABLE" ]
+then
+        echo "enable rules metering"
+        if [ -s "/config/pluginconfig/plugin-configuration.properties" ]
+        then
+        	echo "Configure metering using /config/pluginconfig/plugin-configuration.properties provided config"
+         	cat /config/pluginconfig/plugin-configuration.properties >> $APPS/decisioncenter.war/WEB-INF/classes/config/decisioncenter-configuration.properties
+        elif [ -n "$METERING_SERVER_URL" ]
+        then
+		echo "Set METERING_SERVER_URL with $METERING_SERVER_URL"
+                sed -i 's|METERING_SERVER_URL|'$METERING_SERVER_URL'|g' /config/metering-template.properties
+                if [ -n "$RELEASE_NAME" ]
+                then
+                        echo "Set METERING_INSTANCE_ID with $RELEASE_NAME"
+                        sed -i 's|METERING_INSTANCE_ID|'$RELEASE_NAME'|g' /config/metering-template.properties
+                else
+                        echo "Set METERING_INSTANCE_ID with $HOSTNAME"
+                        sed -i 's|METERING_INSTANCE_ID|'$HOSTNAME'|g' /config/metering-template.properties
+                fi
+
+                if [ -n "$METERING_SEND_PERIOD" ]
+                then
+                	echo "Set METERING_SEND_PERIOD with $METERING_SEND_PERIOD milliseconds"
+                        sed -i 's|METERING_SEND_PERIOD|'$METERING_SEND_PERIOD'|g' /config/metering-template.properties
+                else
+                        echo "Set METERING_SEND_PERIOD with 900000 milliseconds"
+                        sed -i 's|METERING_SEND_PERIOD|900000|g' /config/metering-template.properties
+                fi
+
+                cat /config/metering-template.properties >> $APPS/decisioncenter.war/WEB-INF/classes/config/decisioncenter-configuration.properties
+        fi
+fi
+
 if [ -n "$ODM_CONTEXT_ROOT" ]
 then
   sed -i 's|http://localhost:9060/decisionmodel|'http://localhost:9060$ODM_CONTEXT_ROOT/decisionmodel'|g' $APPS/decisioncenter.war/WEB-INF/classes/config/decisioncenter-configuration.properties

decisionserver/decisionrunner/config/application.xml

@@ -10,6 +10,9 @@
 		</security-role>
 	</application-bnd>
 	<classloader>
+		<commonLibrary>
+                        <folder dir="/config/pluginconfig" id="plugindir"  />
+                </commonLibrary>
                 <commonLibrary>
                         <folder dir="/config/extension" id="extensiondir"  />
                 </commonLibrary>

decisionserver/decisionrunner/script/enableDRMetering.sh

@@ -5,4 +5,6 @@ then
 	echo "enable rules metering"
 	cd  /config/apps/DecisionRunner.war/WEB-INF/classes;
 	sed -i 's/{pluginClass=DVS}/{pluginClass=Metering,enable=true},{pluginClass=DVS}/g' ra.xml
+
+	$SCRIPT/configureMetering.sh
 fi

decisionserver/decisionserverconsole/config/application.xml

@@ -23,7 +23,7 @@
 		</application-bnd>
 		<classloader>
 			<commonLibrary>
-				<folder dir="/config/baiemitterconfig" id="odmbaidir"  />
+				<folder dir="/config/pluginconfig" id="plugindir"  />
 			</commonLibrary>
 		</classloader>
 	</application>

decisionserver/decisionserverconsole/script/run.sh

@@ -7,6 +7,8 @@ then
         $SCRIPT/customStart.sh
 fi
 
+$SCRIPT/enableMetering.sh
+
 $SCRIPT/updateDSCConfigurations.sh
 
 $SCRIPT/configureTlsSecurity.sh
@@ -17,8 +19,6 @@ $SCRIPT/updateDatasource.sh
 
 $SCRIPT/updateDSRConfigurations.sh
 
-$SCRIPT/enableMetering.sh
-
 $SCRIPT/configureSwidTag.sh
 
 $SCRIPT/setTimeZone.sh

decisionserver/decisionserverconsole/script/updateDSCConfigurations.sh

@@ -6,7 +6,7 @@ if [ -n "$DECISION_SERVICE_URL" ]; then
 fi
 
 if [ -f "/config/baiemitterconfig/plugin-configuration.properties" ]; then
-	echo "Enable BAI Emitter Plugin"
+        echo "Enable BAI Emitter Plugin"
         sed -i 's/{pluginClass=HTDS}/&,{pluginClass=ODMEmitterForBAI}/' ra.xml
 fi