Demonstration of midPoint with Grouper, Sentrifugo HR source of recor…

…d, and Wordpress as provisioning target
InCommon · Jul 20, 2020 · 749cd4e · 749cd4e
1 parent a4feb42
commit 749cd4e
Showing 461 changed files with 24,419 additions and 1 deletion.
diff --git a/midPoint_container b/midPoint_container
diff --git a/midPoint_container/.dockerignore b/midPoint_container/.dockerignore
@@ -0,0 +1,3 @@
+demo
+.git
+tests
diff --git a/midPoint_container/.gitignore b/midPoint_container/.gitignore
@@ -0,0 +1,2 @@
+midpoint-dist.tar.gz
+.tmp
diff --git a/midPoint_container/Dockerfile b/midPoint_container/Dockerfile
@@ -0,0 +1,110 @@
+#
+#  Building assumes midpoint-dist.tar.gz is present in the current directory.
+#
+
+FROM tier/shibboleth_sp:3.0.4_03122019
+
+MAINTAINER info@evolveum.com
+
+RUN rpm --import http://repos.azulsystems.com/RPM-GPG-KEY-azulsystems
+RUN curl -o /etc/yum.repos.d/zulu.repo http://repos.azulsystems.com/rhel/zulu.repo
+RUN yum -y update
+RUN yum -y install \
+ 	zulu-11 \
+        cron \
+        supervisor \
+	libcurl \
+	&& yum clean -y all
+
+RUN rm /etc/shibboleth/sp-signing-key.pem /etc/shibboleth/sp-signing-cert.pem  /etc/shibboleth/sp-encrypt-key.pem /etc/shibboleth/sp-encrypt-cert.pem\
+    && cd /etc/httpd/conf.d/ \
+    && rm -f autoindex.conf ssl.conf userdir.conf welcome.conf
+
+COPY container_files/supervisor/supervisord.conf /etc/supervisor/supervisord.conf
+COPY container_files/httpd/conf/* /etc/httpd/conf.d/
+COPY container_files/usr-local-bin/* /usr/local/bin/
+COPY container_files/opt-tier/* /opt/tier/
+
+RUN chmod 755 /opt/tier/setenv.sh \
+    && chmod 755 /usr/local/bin/sendtierbeacon.sh \
+    && chmod 755 /usr/local/bin/setup-cron.sh \
+    && chmod 755 /usr/local/bin/setup-timezone.sh \
+    && chmod 755 /usr/local/bin/start-midpoint.sh \
+    && chmod 755 /usr/local/bin/start-httpd.sh \
+    && chmod 755 /usr/local/bin/startup.sh \
+    && chmod 755 /usr/local/bin/healthcheck.sh
+
+RUN cp /dev/null /etc/httpd/conf.d/ssl.conf \
+    && rm /etc/httpd/conf.d/shib.conf \
+    && sed -i 's/LogFormat "/LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;/g' /etc/httpd/conf/httpd.conf \
+    && echo -e "\nErrorLogFormat \"httpd;error_log;%{ENV}e;%{USERTOKEN}e;[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i\"" >> /etc/httpd/conf/httpd.conf \
+    && sed -i 's/CustomLog "logs\/access_log"/CustomLog "\/tmp\/loghttpd"/g' /etc/httpd/conf/httpd.conf \
+    && sed -i 's/ErrorLog "logs\/error_log"/ErrorLog "\/tmp\/loghttpd"/g' /etc/httpd/conf/httpd.conf \
+    && echo -e "\nPassEnv ENV" >> /etc/httpd/conf/httpd.conf \
+    && echo -e "\nPassEnv USERTOKEN" >> /etc/httpd/conf/httpd.conf
+
+# Build arguments
+
+ARG MP_VERSION=4.0.1
+ARG MP_DIST_FILE=midpoint-dist.tar.gz
+
+ENV MP_DIR /opt/midpoint
+
+RUN mkdir -p ${MP_DIR}/var
+
+COPY ${MP_DIST_FILE} ${MP_DIR}
+COPY container_files/mp-dir/ ${MP_DIR}/
+
+RUN echo 'Extracting midPoint archive...' \
+ && tar xzf ${MP_DIR}/${MP_DIST_FILE} -C ${MP_DIR} --strip-components=1
+
+# Disabled because of wider compatibility issues (e.g. AWS)
+# TODO: consider all the consequences
+#VOLUME ${MP_DIR}/var
+
+# Repository parameters
+
+ENV REPO_DATABASE_TYPE mariadb
+ENV REPO_JDBC_URL default
+ENV REPO_HOST midpoint_data
+ENV REPO_PORT default
+ENV REPO_DATABASE registry
+ENV REPO_USER registry_user
+ENV REPO_PASSWORD_FILE /run/secrets/mp_database_password.txt
+ENV REPO_MISSING_SCHEMA_ACTION create
+ENV REPO_UPGRADEABLE_SCHEMA_ACTION stop
+
+# Logging parameters
+
+ENV ENV demo
+ENV USERTOKEN ""
+
+# Authentication/web
+
+ENV AJP_ENABLED true
+ENV AJP_PORT 9090
+
+# Other parameters
+
+ENV MP_KEYSTORE_PASSWORD_FILE /run/secrets/mp_keystore_password.txt
+ENV MP_MEM_MAX 2048m
+ENV MP_MEM_INIT 1024m
+ENV TIMEZONE UTC
+ENV TIER_RELEASE not-released-yet
+ENV TIER_MAINTAINER tier
+
+# TIER Beacon Opt-out
+# Completely uncomment the following ENV line to prevent the containers from sending analytics information to Internet2.
+# With the default/release configuration, it will only send product (Shibb/Grouper/COmanage/midPoint) and version (4.0, etc)
+# once daily between midnight and 4am.  There is no configuration or private information collected or sent.
+# This data helps with the scaling and funding of TIER.  Please do not disable it if you find the TIER tools useful.
+# To keep it commented, keep multiple comments on the following line (to prevent other scripts from processing it).
+#####     ENV TIER_BEACON_OPT_OUT true
+
+# requires MP_VERSION and TIER_xyz variables so we have to execute it here
+
+RUN /opt/tier/setenv.sh
+
+HEALTHCHECK --interval=1m --timeout=30s --start-period=2m CMD /usr/local/bin/healthcheck.sh
+
+CMD ["/usr/local/bin/startup.sh"]
diff --git a/midPoint_container/Jenkinsfile b/midPoint_container/Jenkinsfile
@@ -0,0 +1,118 @@
+pipeline {
+    agent any
+    environment { 
+        maintainer = "t"
+        imagename = 'm'
+        tag = 'l'
+    }
+    stages {
+        stage ('Setting build context') {
+            steps {
+                script {
+                    maintainer = maintain()
+                    imagename = imagename()
+                    if (env.BRANCH_NAME == "master") {
+                       tag = "latest"
+                    } else {
+                       tag = env.BRANCH_NAME
+                    }
+                    if (!imagename) {
+                        echo "You must define imagename in common.bash"
+                        currentBuild.result = 'FAILURE'
+                    }
+                    sh 'mkdir -p bin'
+                    sh 'mkdir -p tmp'
+                    dir ('tmp') {
+                        git([ url: "https://github.internet2.edu/docker/util.git", credentialsId: "jenkins-github-access-token" ])
+                        sh 'ls -l'
+			sh 'ls -lR ../bin'
+			sh 'rm -r ../bin/windows || true'
+                        sh 'mv bin/* ../bin/.'
+                    }
+                    // Build and test scripts expect that 'tag' is present in common.bash. This is necessary for both Jenkins and standalone testing.
+                    // We don't care if there are more 'tag' assignments there. The latest one wins.
+                    sh "echo >> common.bash ; echo \"tag=\\\"${tag}\\\"\" >> common.bash ; echo common.bash ; cat common.bash"
+                }  
+            }
+        }    
+        stage ('Build') {
+            steps {
+                script {
+                    try {
+                        // using custom ./build.sh instead of bin/rebuild.sh because the bin/ version does not support building specific tag yet
+                        sh './build.sh -r 2>&1 | tee -a debug ; test ${PIPESTATUS[0]} -eq 0'
+                    } catch (error) {
+                        def error_details = readFile('./debug')
+                        def message = "BUILD ERROR: There was a problem building ${imagename}:${tag}. \n\n ${error_details}"
+                        sh "rm -f ./debug"
+                        handleError(message)
+                    }
+                }
+            }
+        }
+        stage ('Test') {
+            steps {
+                script {
+                    try {
+                        sh 'echo Docker containers before root tests ; docker ps -a'		// temporary
+                        sh 'bin/test.sh 2>&1 | tee debug ; test ${PIPESTATUS[0]} -eq 0'
+                        sh 'echo Docker containers before compositions tests ; docker ps -a'		// temporary
+
+                        sh '(cd demo/simple ; bats tests ) 2>&1 | tee -a debug ; test ${PIPESTATUS[0]} -eq 0'
+                        sh '(cd demo/shibboleth ; bats tests ) 2>&1 | tee -a debug ; test ${PIPESTATUS[0]} -eq 0'
+                        sh '(cd demo/postgresql ; bats tests ) 2>&1 | tee -a debug ; test ${PIPESTATUS[0]} -eq 0'
+                        sh '(cd demo/grouper ; bats tests ) 2>&1 | tee -a debug ; test ${PIPESTATUS[0]} -eq 0'
+                    } catch (error) {
+                        def error_details = readFile('./debug')
+                        def message = "BUILD ERROR: There was a problem testing ${imagename}:${tag}. \n\n ${error_details}"
+                        sh "rm -f ./debug"
+                        handleError(message)
+                    }
+                }
+            }
+        }
+        stage ('Push') {
+            steps {
+                script {
+                    docker.withRegistry('https://registry.hub.docker.com/', "dockerhub-$maintainer") {
+                        def baseImg = docker.build("$maintainer/$imagename")
+                        baseImg.push("$tag")
+                    }
+                }
+            }
+        }
+        stage ('Notify') {
+            steps {
+                echo "$maintainer"
+                slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub"
+            }
+        }
+    }
+    post { 
+        always { 
+            echo 'Done Building.'
+        }
+        failure {
+            // slackSend color: 'good', message: "Build failed"
+            handleError("BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}.")
+        }
+    }
+}
+
+
+def maintain() {
+    def matcher = readFile('common.bash') =~ 'maintainer="(.+)"'
+    matcher ? matcher[0][1] : 'tier'
+}
+
+def imagename() {
+    def matcher = readFile('common.bash') =~ 'imagename="(.+)"'
+    matcher ? matcher[0][1] : null
+}
+
+def handleError(String message) {
+    echo "${message}"
+    currentBuild.setResult("FAILED")
+    slackSend color: 'danger', message: "${message}"
+    sh 'exit 1'
+}
diff --git a/midPoint_container/README.md b/midPoint_container/README.md
@@ -0,0 +1,30 @@
+[![Build Status](https://jenkins.testbed.tier.internet2.edu/buildStatus/icon?job=docker/midPoint_container/3.9)](https://jenkins.testbed.tier.internet2.edu/buildStatus/icon?job=docker/midPoint_container/3.9)
+
+This repository contains sources for TIER-supported [midPoint](http://midpoint.evolveum.com) image.
+
+The image contains the midPoint application along with some TIER-specific components: Apache reverse proxy with optional Shibboleth filter and TIER Beacon.
+
+# Supported tags
+- latest
+- midPoint version-specific branches, e.g. 3.9, 3.9.1, 4.0, etc.
+
+# Content
+- the root directory contains build instructions for the `midpoint` image 
+- `demo` directory contains a couple of demonstration scenarios:
+  - `simple` to show simple composition of midPoint with the repository,
+  - `shibboleth` to show integration with Shibboleth IdP,
+  - `postgresql` to show how to use alternative dockerized repository,
+  - `extrepo` to show how to use external repository,
+  - `grouper` to demonstrate more complex deployment of midPoint in a sample university environment, featuring midPoint along with Grouper, LDAP directory, RabbitMQ, Shibboleth IdP, source and target systems.
+  - `HR-midPoint-Grouper-Wordpress-Demo` to demonstrate Sentrifugo HR as a source of record and Wordpress as a provisioning target in addition to the grouper demo components.
+
+# Build instructions
+```
+$ ./build.sh
+```
+You can then continue with one of demo composition.
+
+# Documentation
+Please see [Dockerized midPoint](https://spaces.at.internet2.edu/display/MID/Dockerized+midPoint) wiki page.
+
+This is a work in progress, suitable for testing.
diff --git a/midPoint_container/build.sh b/midPoint_container/build.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+cd "$(dirname "$0")"
+source common.bash
+
+SKIP_DOWNLOAD=0
+REFRESH=""
+while getopts "nhr?" opt; do
+    case $opt in
+    n)
+       SKIP_DOWNLOAD=1
+       ;;
+    r)
+       result=$(docker ps -a | grep $maintainer/$imagename:$tag)
+       if [ ! -z "$result" ]; then
+         echo "Cleaning up $maintainer/$imagename:$tag..."
+         docker rm -f $(docker ps -a | grep $maintainer/$imagename:$tag | awk '{print $1}')
+         docker rmi -f $maintainer/$imagename:$tag
+         echo "Done"
+       fi
+       REFRESH="--no-cache --pull"
+       echo "Using 'refresh' mode: $REFRESH"
+       ;;
+    h | ?)
+       echo "Options: -n skip download"
+       echo "         -r refresh mode: uses --no-cache --pull and removes container and image before build"
+       exit 0
+       ;;
+    *)
+       echo "Unknown option: $opt"
+       exit 1
+       ;;
+    esac
+done
+if [ "$SKIP_DOWNLOAD" = "0" ]; then ./download-midpoint.sh || exit 1; fi
+docker build $REFRESH --tag $maintainer/$imagename:$tag --build-arg maintainer=$maintainer --build-arg imagename=$imagename . || exit 1
+echo "---------------------------------------------------------------------------------------"
+echo "The midPoint containers were successfully built. To start them, execute the following:"
+echo ""
+echo "(for simple demo)"
+echo ""
+echo "$ cd" $(pwd)/demo/simple
+echo "$ docker-compose up"
+echo ""
+echo "(for Grouper integration demo)"
+echo ""
+echo "$ cd" $(pwd)/demo/grouper
+echo "$ docker-compose up --build"
diff --git a/midPoint_container/common.bash b/midPoint_container/common.bash
@@ -0,0 +1,3 @@
+maintainer="tier"
+imagename="midpoint"
+tag="latest"
diff --git a/midPoint_container/container_files/httpd/conf/midpoint.conf b/midPoint_container/container_files/httpd/conf/midpoint.conf
@@ -0,0 +1,6 @@
+
+Timeout 2400
+ProxyTimeout 2400
+ProxyBadHeader Ignore
+
+ProxyPass /midpoint ajp://localhost:9090/midpoint  timeout=2400 retry=0
diff --git a/midPoint_container/container_files/httpd/conf/midpoint.conf.auth.internal b/midPoint_container/container_files/httpd/conf/midpoint.conf.auth.internal
@@ -0,0 +1,6 @@
+
+Timeout 2400
+ProxyTimeout 2400
+ProxyBadHeader Ignore
+
+ProxyPass /midpoint ajp://localhost:9090/midpoint  timeout=2400 retry=0
diff --git a/midPoint_container/container_files/httpd/conf/midpoint.conf.auth.shibboleth b/midPoint_container/container_files/httpd/conf/midpoint.conf.auth.shibboleth
@@ -0,0 +1,21 @@
+
+Timeout 2400
+ProxyTimeout 2400
+ProxyBadHeader Ignore
+
+ProxyPass /midpoint ajp://localhost:9090/midpoint  timeout=2400 retry=0
+
+<Location /midpoint>
+  AuthType shibboleth
+  ShibRequestSetting requireSession 1
+  ShibRequireSession on
+  ShibUseHeaders On
+  require shibboleth
+</Location>
+
+<Location ~ "/midpoint/(actuator/health|js/*|css/*|img/*|less/*|fonts/*|model/*|ws/*|rest/*|report/*|wro/*|static-web/*|wicket/resource/*)">
+  Satisfy Any
+  Allow from all
+  AuthType None
+  Require all granted
+</Location>
diff --git a/midPoint_container/container_files/httpd/conf/ssl-enable.conf b/midPoint_container/container_files/httpd/conf/ssl-enable.conf
@@ -0,0 +1,28 @@
+# modern configuration, tweak to your needs
+SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
+SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+SSLHonorCipherOrder     on
+SSLCompression          off
+
+# OCSP Stapling, only in httpd 2.3.3 and later
+SSLUseStapling          on
+SSLStaplingResponderTimeout 5
+SSLStaplingReturnResponderErrors off
+SSLStaplingCache        shmcb:/var/run/ocsp(128000)
+
+Listen 443 https
+<VirtualHost *:443>
+  RewriteEngine on
+  RewriteRule   "^/$"  "/midpoint/"  [R]
+
+
+  SSLEngine on
+  SSLCertificateChainFile /etc/pki/tls/certs/cachain.pem
+
+  SSLCertificateFile /etc/pki/tls/certs/host-cert.pem
+
+  SSLCertificateKeyFile /etc/pki/tls/private/host-key.pem
+
+  # HSTS (mod_headers is required) (15768000 seconds = 6 months)
+  Header always set Strict-Transport-Security "max-age=15768000"
+</VirtualHost>