Apereo CAS - Managing Services via Git

Posted by Misagh Moayyed on October 03, 2019 · 7 mins read ·
Content Unavailable
Your browser is blocking content on this website. Please check your browser settings and try again.
This blog post was originally posted on Apereo GitHub Blog.

Overview

Applications that are integrated with the Apereo CAS server typically are registered with the system as JSON or YAML files. Such files can be stored in a remote git repository to take advantage of all native operations and benefits of distributed source control such as version tracking, history, etc, given they are considered source code after all.

Using a git-backed service registry, CAS is given the ability to pull down and clone a repository and watch for changes at defined intervals. In this tutorial, we are going to quickly review the steps required to manage application records via Git.

Our starting position is based on:

Configuration

Once you have prepped your CAS overlay with the correct auto-configuration module, you will need to instruct CAS to try and connect to the repository:

cas.serviceRegistry.initFromJson=false

cas.serviceRegistry.git.repositoryUrl=https://github.com/cas-server/sample-data
cas.serviceRegistry.git.branchesToClone=master
cas.serviceRegistry.git.activeBranch=master
cas.serviceRegistry.git.cloneDirectory=file:/tmp/cas-service-registry
cas.serviceRegistry.git.pushChanges=true

I am using a public repository on Github whose master branch. If you are working with a private git repository that requires credentials for access, you can specify those as well:

# cas.serviceRegistry.git.username=
# cas.serviceRegistry.git.password=

My current contains the following two files. One is a Test-1.json file at the root of the repository with the following content:

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "testId",
  "name" : "TEST",
  "id" : 1,
  "evaluationOrder" : 1
}

…and the other is a SAMPLE-2.yaml inside a test folder:

--- !<org.apereo.cas.services.RegexRegisteredService>
serviceId: "testId-yaml"
name: "SAMPLE"
id: 2
description: "description"
attributeReleasePolicy: !<org.apereo.cas.services.ReturnAllAttributeReleasePolicy> {}
accessStrategy: !<org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy>
  enabled: true
  ssoEnabled: true

We expect that CAS would connect to the repository’s master branch to pull down the above files regardless of where they are physically located in the repository directory structure.

To make it easier to test the changes, I am also going to include the auto-configuration module for reporting in the CAS overlay to take advantage of registeredServices actuator endpoint. With the inclusion of this module, I can instruct CAS to enable it and allow anonymous requests for easy testing:

management.endpoints.web.exposure.include=registeredServices
management.endpoint.registeredServices.enabled=true

cas.monitor.endpoints.endpoint.registeredServices.access=ANONYMOUS

At this point, we should be ready to test.

Test

Once you build and bring up the deployment, the following should be apparent in the CAS DEBUG logs:

<[Pull] -> [1], total [2] [50]% Completed>
<[Pull] -> [2], total [2] [100]% Completed>
<Finished [Pull] -> [2], total [2] [100]% Completed>
<Successfully pulled changes from the remote repository>
<Adding registered service [testId-yaml] with name [SAMPLE] and internal identifier [2]>
<Adding registered service [testId] with name [TEST] and internal identifier [1]>
<Loaded [2] service(s) from [GitServiceRegistry].>
<Service registry [GitServiceRegistry] contains [2] service definitions>

Note that since CAS is by default configured to periodically reload the contents of the service registry, from time to time based on the pre-defined interval, the following log messages should appear:

Loaded [2] service(s) from [GitServiceRegistry].

…which means we can go to the repository and make a change to the description field of our YAML service file:

--- !<org.apereo.cas.services.RegexRegisteredService>
serviceId: "testId-yaml"
name: "SAMPLE"
id: 2
description: "Description is updated to be more interesting"
attributeReleasePolicy: !<org.apereo.cas.services.ReturnAllAttributeReleasePolicy> {}
accessStrategy: !<org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy>
  enabled: true
  ssoEnabled: true

…and CAS should be able to pull down the change and reload the corresponding service file. To observe that change is activated, we can submit a request to CAS and ask for our service:

curl https://sso.example.org/cas/actuator/registeredServices/2 | jq

By default, the response type is always in JSON. If you prefer YAML, by all means:

curl  -H "Accept: application/vnd.cas.services+yaml" https://sso.example.org/cas/actuator/registeredServices/2

Of if you wish to force-reload the contents of the service registry:

curl https://sso.example.org/cas/actuator/registeredServices

So…

I hope this review was of some help to you and I am sure that both this post as well as the functionality it attempts to explain can be improved in any number of ways. Please know that all other use cases, scenarios, features, and theories certainly are possible as well. Feel free to engage and contribute as best as you can.

Happy Coding,

Misagh Moayyed