Merge branch 'main' into develop

.env

@@ -426,4 +426,4 @@ ARES_RUN_NETWORK="FALSE" # should the full Ares network analysis be run?
 # default admin user login userid and password
 
 PGADMIN_ADMIN_USER="[email protected]"
-PGADMIN_DEFAULT_PASSWORD_FILE="./secrets/pgadmin4/PGADMIN_DEFAULT_PASSWORD"
+PGADMIN_DEFAULT_PASSWORD_FILE="./secrets/pgadmin4/PGADMIN_DEFAULT_PASSWORD"

.gitattributes

@@ -0,0 +1,5 @@
+# Auto detect text files and perform LF normalization
+* text=auto
+
+# These files should have specific line endings
+*.sh	text eol=lf

atlas/config-local-template.js

@@ -0,0 +1,27 @@
+define([], function () {
+	var configLocal = {};
+
+	var getUrl = window.location;
+	var baseUrl = getUrl.protocol + "//" + getUrl.host;
+
+	// WebAPI
+	configLocal.webAPIRoot = baseUrl + '/WebAPI/';
+	configLocal.api = {
+		name: "$ATLAS_INSTANCE_NAME",
+		url: baseUrl + '/WebAPI/'
+	};
+
+	configLocal.cohortComparisonResultsEnabled = $ATLAS_COHORT_COMPARISON_RESULTS_ENABLED;
+	configLocal.userAuthenticationEnabled = $ATLAS_USER_AUTH_ENABLED;
+	configLocal.plpResultsEnabled = $ATLAS_PLP_RESULTS_ENABLED;
+
+	configLocal.authProviders = [{
+		"name": "$ATLAS_SECURITY_PROVIDER_NAME",
+		"url": "user/login/$ATLAS_SECURITY_PROVIDER_TYPE",
+		"ajax": $ATLAS_SECURITY_USE_AJAX,
+		"icon": "fa $ATLAS_SECURITY_ICON",
+		"isUseCredentialsForm": $ATLAS_SECURITY_USE_FORM
+	}];
+
+	return configLocal;
+});

atlas/envsubst.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+set -e
+
+envsubst < /tmp/config-local.js > /usr/share/nginx/html/atlas/js/config-local.js
+nginx -g 'daemon off;'

docker-compose.yml

@@ -679,4 +679,4 @@ secrets:
     file: ${PGADMIN_DEFAULT_PASSWORD_FILE}
 
 
-
+

ohdsi-atlas.yml

@@ -0,0 +1,27 @@
+version: '3.9'
+
+services:
+
+  ohdsi-atlas:
+    container_name: ohdsi-atlas
+    platform: ${DOCKER_ARCH}
+    restart: unless-stopped
+    ipc: none
+    privileged: false
+    environment:
+      WEBAPI_URL: ${BROADSEA_HOST}/WebAPI
+      ATLAS_INSTANCE_NAME: ${ATLAS_INSTANCE_NAME}
+      ATLAS_COHORT_COMPARISON_RESULTS_ENABLED: ${ATLAS_COHORT_COMPARISON_RESULTS_ENABLED}
+      ATLAS_USER_AUTH_ENABLED: ${ATLAS_USER_AUTH_ENABLED}
+      ATLAS_PLP_RESULTS_ENABLED: ${ATLAS_PLP_RESULTS_ENABLED}
+      ATLAS_SECURITY_PROVIDER_NAME: ${ATLAS_SECURITY_PROVIDER_NAME}
+      ATLAS_SECURITY_PROVIDER_TYPE: ${ATLAS_SECURITY_PROVIDER_TYPE}
+      ATLAS_SECURITY_ICON: ${ATLAS_SECURITY_ICON}
+      ATLAS_SECURITY_USE_FORM: ${ATLAS_SECURITY_USE_FORM}
+      ATLAS_SECURITY_USE_AJAX: ${ATLAS_SECURITY_USE_AJAX}
+    volumes:
+      - ./atlas/config-local-template.js:/tmp/config-local.js:ro
+      - ./atlas/envsubst.sh:/tmp/envsubst.sh:ro
+    entrypoint: ["sh", "/tmp/envsubst.sh" ]
+    labels:
+      - "traefik.enable=true"

ohdsi-webapi.yml

@@ -0,0 +1,138 @@
+version: '3.9'
+
+services:
+
+  ohdsi-webapi:
+    container_name: ohdsi-webapi
+    platform: ${DOCKER_ARCH}
+    restart: unless-stopped
+    ipc: none
+    read_only: true
+    tmpfs:
+      - /tmp
+    privileged: false
+    volumes:
+      - ./cacerts:/usr/local/openjdk-8/lib/security/cacerts:ro # add a cacerts file if using LDAPS
+    environment:
+
+      DATASOURCE_DRIVERCLASSNAME: org.postgresql.Driver
+      DATASOURCE_URL: ${WEBAPI_DATASOURCE_URL}
+      DATASOURCE_USERNAME: ${WEBAPI_DATASOURCE_USERNAME}
+      DATASOURCE_PASSWORD: ${WEBAPI_DATASOURCE_PASSWORD}
+      DATASOURCE_OHDSI_SCHEMA: ${WEBAPI_DATASOURCE_OHDSI_SCHEMA}
+      SPRING_JPA_PROPERTIES_HIBERNATE_DIALECT: org.hibernate.dialect.PostgreSQLDialect
+      SPRING_JPA_PROPERTIES_HIBERNATE_DEFAULT_SCHEMA: ${WEBAPI_DATASOURCE_OHDSI_SCHEMA}
+      SPRING_BATCH_REPOSITORY_TABLEPREFIX: ${WEBAPI_DATASOURCE_OHDSI_SCHEMA}.BATCH_
+      FLYWAY_DATASOURCE_DRIVERCLASSNAME: org.postgresql.Driver
+      FLYWAY_DATASOURCE_URL: ${WEBAPI_DATASOURCE_URL}
+      FLYWAY_DATASOURCE_USERNAME: ${WEBAPI_DATASOURCE_USERNAME}
+      FLYWAY_DATASOURCE_PASSWORD: ${WEBAPI_DATASOURCE_PASSWORD}
+      FLYWAY_LOCATIONS: classpath:db/migration/postgresql
+      FLYWAY_PLACEHOLDERS_OHDSISCHEMA: ${WEBAPI_DATASOURCE_OHDSI_SCHEMA}
+      FLYWAY_SCHEMAS: ${WEBAPI_DATASOURCE_OHDSI_SCHEMA}
+      FLYWAY_BASELINEONMIGRATE: "true"
+      FLYWAY_TABLE: schema_history
+      flyway_baselineVersionAsString: "2.2.5.20180212152023"  # this env var is case sensitive
+      FLYWAY_BASELINEDESCRIPTION: Base Migration
+      SECURITY_CORS_ENABLED: "true"
+      SECURITY_ORIGIN: "${HTTP_TYPE}://${BROADSEA_HOST}"
+      SOLR_ENDPOINT: "${SOLR_VOCAB_ENDPOINT}"
+
+      # Security provider enabling/disabling
+
+      SECURITY_PROVIDER: ${WEBAPI_SECURITY_PROVIDER}
+      SECURITY_AUTH_KERBEROS_ENABLED: ${SECURITY_AUTH_KERBEROS_ENABLED}
+      SECURITY_AUTH_OPENID_ENABLED: ${SECURITY_AUTH_OPENID_ENABLED}
+      SECURITY_AUTH_FACEBOOK_ENABLED: ${SECURITY_AUTH_FACEBOOK_ENABLED}
+      SECURITY_AUTH_GITHUB_ENABLED: ${SECURITY_AUTH_GITHUB_ENABLED}
+      SECURITY_AUTH_GOOGLE_ENABLED: ${SECURITY_AUTH_GOOGLE_ENABLED}
+      SECURITY_AUTH_JDBC_ENABLED: ${SECURITY_AUTH_JDBC_ENABLED}
+      SECURITY_AUTH_LDAP_ENABLED: ${SECURITY_AUTH_LDAP_ENABLED}
+      SECURITY_AUTH_AD_ENABLED: ${SECURITY_AUTH_AD_ENABLED}
+      SECURITY_AUTH_CAS_ENABLED: ${SECURITY_AUTH_CAS_ENABLED}
+      SECURITY_AUTH_GOOGLEIAP_ENABLED: ${SECURITY_AUTH_GOOGLEIAP_ENABLED}
+
+      # Security env variables - Basic
+
+      SECURITY_DB_DATASOURCE_SCHEMA: ${SECURITY_DB_DATASOURCE_SCHEMA}
+      SECURITY_DB_DATASOURCE_URL: ${SECURITY_DB_DATASOURCE_URL}
+      SECURITY_DB_DATASOURCE_DRIVERCLASSNAME: ${SECURITY_DB_DATASOURCE_DRIVERCLASSNAME}
+      SECURITY_DB_DATASOURCE_USERNAME: ${SECURITY_DB_DATASOURCE_USERNAME}
+      SECURITY_DB_DATASOURCE_PASSWORD: ${SECURITY_DB_DATASOURCE_PASSWORD}
+
+      # Security env variables - LDAP
+
+      SECURITY_LDAP_DN: ${SECURITY_LDAP_DN}
+      SECURITY_LDAP_URL: ${SECURITY_LDAP_URL}
+      SECURITY_LDAP_BASEDN: ${SECURITY_LDAP_BASEDN}
+      SECURITY_LDAP_SYSTEM_USERNAME: ${SECURITY_LDAP_SYSTEM_USERNAME}
+      SECURITY_LDAP_SYSTEM_PASSWORD: ${SECURITY_LDAP_SYSTEM_PASSWORD}
+      SECURITY_LDAP_SEARCHSTRING: ${SECURITY_LDAP_SEARCHSTRING}
+      SECURITY_LDAP_SEARCHBASE: ${SECURITY_LDAP_SEARCHBASE}
+
+      # Security env variables - AD
+
+      SECURITY_AD_URL: ${SECURITY_AD_URL}
+      SECURITY_AD_SEARCHBASE: ${SECURITY_AD_SEARCHBASE}
+      SECURITY_AD_SEARCHFILTER: ${SECURITY_AD_SEARCHFILTER}
+      SECURITY_AD_PRINCIPALSUFFIX: ${SECURITY_AD_PRINCIPALSUFFIX}
+      SECURITY_AD_SEARCHSTRING: ${SECURITY_AD_SEARCHSTRING}
+      SECURITY_AD_USERMAPPING_DISPLAYNAMEATTR: ${SECURITY_AD_USERMAPPING_DISPLAYNAMEATTR}
+      SECURITY_AD_USERMAPPING_USERNAMEATTR: ${SECURITY_AD_USERMAPPING_USERNAMEATTR}
+      SECURITY_AD_SYSTEM_USERNAME: ${SECURITY_AD_SYSTEM_USERNAME}
+      SECURITY_AD_SYSTEM_PASSWORD: ${SECURITY_AD_SYSTEM_PASSWORD}
+
+      # Security env variables - Kerberos
+
+      SECURITY_KERBEROS_SPN: ${SECURITY_KERBEROS_SPN}
+      SECURITY_KERBEROS_KEYTABPATH: ${SECURITY_KERBEROS_KEYTABPATH}
+
+      # Security env variables - OAuth
+
+      SECURITY_OAUTH_CALLBACK_UI: ${SECURITY_OAUTH_CALLBACK_UI}
+      SECURITY_OAUTH_CALLBACK_API: ${SECURITY_OAUTH_CALLBACK_API}
+      SECURITY_OAUTH_CALLBACK_URLRESOLVER: ${SECURITY_OAUTH_CALLBACK_URLRESOLVER}
+      SECURITY_OAUTH_GOOGLE_APIKEY: ${SECURITY_OAUTH_GOOGLE_APIKEY}
+      SECURITY_OAUTH_GOOGLE_APISECRET: ${SECURITY_OAUTH_GOOGLE_APISECRET}
+      SECURITY_OAUTH_FACEBOOK_APIKEY: ${SECURITY_OAUTH_FACEBOOK_APIKEY}
+      SECURITY_OAUTH_FACEBOOK_APISECRET: ${SECURITY_OAUTH_FACEBOOK_APISECRET}
+      SECURITY_OAUTH_GITHUB_APIKEY: ${SECURITY_OAUTH_GITHUB_APIKEY}
+      SECURITY_OAUTH_GITHUB_APISECRET: ${SECURITY_OAUTH_GITHUB_APISECRET}
+
+      # Security env variables - OpenID
+
+      SECURITY_OID_CLIENTID: ${SECURITY_OID_CLIENTID}
+      SECURITY_OID_APISECRET: ${SECURITY_OID_APISECRET}
+      SECURITY_OID_URL: ${SECURITY_OID_URL}
+      SECURITY_OID_LOGOUTURL: ${SECURITY_OID_LOGOUTURL}
+      SECURITY_OID_EXTRASCOPES: ${SECURITY_OID_EXTRASCOPES}
+      SECURITY_OID_REDIRECTURL: ${SECURITY_OID_REDIRECTURL}
+
+      # Security env variables - IAP
+
+      SECURITY_GOOGLEIAP_CLOUDPROJECTID: ${SECURITY_GOOGLEIAP_CLOUDPROJECTID}
+      SECURITY_GOOGLEIAP_BACKENDSERVICEID: ${SECURITY_GOOGLEIAP_BACKENDSERVICEID}
+      SECURITY_GOOGLE_ACCESSTOKEN_ENABLED: ${SECURITY_GOOGLE_ACCESSTOKEN_ENABLED}
+
+      # Security env variables - CAS
+
+      SECURITY_CAS_LOGINURL: ${HTTP_TYPE}://${WEBAPI_SECURITY_CAS_SERVER}/idp/profile/cas/login
+      SECURITY_CAS_CALLBACKURL: ${HTTP_TYPE}://${BROADSEA_HOST}/WebAPI/user/cas/callback?client_name=CasClient
+      SECURITY_CAS_SERVERURL: ${HTTP_TYPE}://${WEBAPI_SECURITY_CAS_SERVER}/idp/profile/cas
+      SECURITY_CAS_CASTICKET: ticket
+
+      # Security env variables - SAML
+
+      SECURITY_SAML_ENTITYID: ${SECURITY_SAML_ENTITYID}
+      SECURITY_SAML_IDPMETADATALOCATION: ${SECURITY_SAML_IDPMETADATALOCATION}
+      SECURITY_SAML_KEYMANAGER_KEYSTOREFILE: ${SECURITY_SAML_KEYMANAGER_KEYSTOREFILE}
+      SECURITY_SAML_KEYMANAGER_STOREPASSWORD: ${SECURITY_SAML_KEYMANAGER_STOREPASSWORD}
+      SECURITY_SAML_KEYMANAGER_DEFAULTKEY: ${SECURITY_SAML_KEYMANAGER_DEFAULTKEY}
+      SECURITY_SAML_KEYMANAGER_PASSWORDS_ARACHNENETWORK: ${SECURITY_SAML_KEYMANAGER_PASSWORDS_ARACHNENETWORK}
+      SECURITY_SAML_METADATALOCATION: ${SECURITY_SAML_METADATALOCATION}
+      SECURITY_SAML_CALLBACKURL: ${SECURITY_SAML_CALLBACKURL}
+      SECURITY_SAML_SLOURL: ${SECURITY_SAML_SLOURL}
+      SECURITY_SAML_MAXIMUMAUTHENTICATIONLIFETIME: ${SECURITY_SAML_MAXIMUMAUTHENTICATIONLIFETIME}
+
+    labels:
+      - "traefik.enable=true"

postgres-load.yml

@@ -0,0 +1,10 @@
+version: '3.9'
+
+services:
+
+  broadsea-postgres-load:
+    image: alpine:3.17.2
+    platform: ${DOCKER_ARCH}
+    ipc: none
+    privileged: false
+

traefik/config.yml

@@ -0,0 +1,95 @@
+
+tls:
+  stores:
+    default:
+      defaultCertificate:
+        certFile: /etc/certs/broadsea.crt
+        keyFile: /etc/certs/broadsea.key
+
+http:
+  routers:
+    traefik:
+      entryPoints: '{{ env "HTTP_TYPE" }}'
+      service: "traefik"
+      rule: 'Host(`{{ env "BROADSEA_HOST" }}`)'
+
+    broadsea-content:
+      entryPoints: '{{ env "HTTP_TYPE" }}'
+      service: "broadsea-content"
+      rule: 'Host(`{{ env "BROADSEA_HOST" }}`) && PathPrefix(`/`)'
+
+    ohdsi-atlas:
+      entryPoints: '{{ env "HTTP_TYPE" }}'
+      service: "ohdsi-atlas"
+      rule: 'Host(`{{ env "BROADSEA_HOST" }}`) && PathPrefix(`/atlas`)'
+
+    ohdsi-webapi:
+      entryPoints: '{{ env "HTTP_TYPE" }}'
+      service: "ohdsi-webapi"
+      rule: 'Host(`{{ env "BROADSEA_HOST" }}`) && PathPrefix(`/WebAPI`)'
+
+    broadsea-hades:
+      entryPoints: '{{ env "HTTP_TYPE" }}'
+      service: "broadsea-hades"
+      rule: 'Host(`{{ env "BROADSEA_HOST" }}`) && PathPrefix(`/hades`)'
+      middlewares:
+        - "broadsea-hades-root-path-header"
+        - "broadsea-hades-path-strip"
+
+    broadsea-solr-vocab:
+      entryPoints: '{{ env "HTTP_TYPE" }}'
+      service: "broadsea-solr-vocab"
+      rule: 'Host(`{{ env "BROADSEA_HOST" }}`) && PathPrefix(`/solr`)'
+
+    broadsea-ares:
+      entryPoints: '{{ env "HTTP_TYPE" }}'
+      service: "broadsea-ares"
+      rule: 'Host(`{{ env "BROADSEA_HOST" }}`) && PathPrefix(`/ares`)'
+
+  middlewares:
+    broadsea-hades-path-strip:
+      stripPrefix:
+        prefixes: 
+          - "/hades"
+        forceSlash: false
+
+    broadsea-hades-root-path-header:
+      headers:
+        customRequestHeaders:
+          X-RStudio-Root-Path: "/hades"
+
+  services:
+    traefik:
+      loadBalancer:
+        servers:
+          - url: http://traefik
+
+    broadsea-content:
+      loadBalancer:
+        servers:
+          - url: http://broadsea-content
+
+    ohdsi-atlas:
+      loadBalancer:
+        servers:
+          - url: http://ohdsi-atlas:8080
+
+    ohdsi-webapi:
+      loadBalancer:
+        servers:
+          - url: http://ohdsi-webapi:8080
+
+    broadsea-hades:
+      loadBalancer:
+        servers:
+          - url: http://broadsea-hades:8787
+
+    broadsea-solr-vocab:
+      loadBalancer:
+        servers:
+          - url: http://broadsea-solr-vocab:8983
+
+    broadsea-ares:
+      loadBalancer:
+        servers:
+          - url: http://broadsea-ares

traefik/traefik-http.yml

@@ -0,0 +1,24 @@
+######################################
+# HTTP Traefik (No SSL)
+######################################
+
+global:
+  sendAnonymousUsage: false
+
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    watch: true
+    exposedByDefault: false
+
+  file:
+    filename: /etc/traefik/config.yml
+    watch: true
+
+log:
+  level: INFO
+  format: common
+
+entryPoints:
+  http:
+    address: ":80"

traefik/traefik-https.yml

@@ -0,0 +1,34 @@
+######################################
+# HTTPS Traefik (with SSL)
+######################################
+
+global:
+  sendAnonymousUsage: false
+
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    watch: true
+    exposedByDefault: false
+
+  file:
+    filename: /etc/traefik/config.yml
+    watch: true
+
+log:
+  level: INFO
+  format: common
+
+entryPoints:
+  http:
+    address: ":80"
+    http:
+      tls: false
+      redirections:
+        entryPoint:
+          to: https
+          scheme: https
+  https:
+    address: ":443"
+    http:
+      tls: true