
initial

tjordan committed Oct 13, 2017
1 parent 4fa0f9e commit c4cb248f76ce9b006c01f6a27dc547eade81013e
Showing 449 changed files with 28,903 additions and 0 deletions.
@@ -0,0 +1,6 @@
List of accounts:

banderson -> sysadmin for everything. Should be able to go everywhere...but maybe not canvas?
jclark484, janderson -> log in to canvas (at least right now) TODO: get some people based on the course groups later

kbrown -> banned from the portal. (Math students and math students aren't allowed to use the portal)
@@ -0,0 +1,58 @@
# -*- make -*-
#
# Makefile, DESCRIPTION
#
# Copyright (C) 2017 Jonathan J. Miner
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# $Id:$
# Jonathan J. Miner <miner@doit.wisc.edu>

all: ldap-tgt mysql-tgt rabbit-tgt sis-tgt shib-idp-tgt grouper-tgt webapp-tgt canvas-tgt attribute-tgt

# Build the dependency containers
ldap-tgt:
docker build deps/ldap -t tier-demo-ldap
mysql-tgt:
docker build deps/mysql -t tier-demo-mysql
rabbit-tgt:
docker build deps/rabbit -t tier-demo-rabbit

# build the sis web app
sis-tgt:
docker build sis-app -t tier-sis-web

# Build the Shib IDP
shib-idp-tgt:
docker build shib-idp -t tier-demo-idp

# Build Grouper
grouper-tgt:
docker build grouper -t tier-demo-grouper

# Build Midpoint
#docker build midpoint -t tier-demo-midpoint

# build the demo app
webapp-tgt:
docker build test-app -t tier-demo-web-app

# build the canvas provisioner
canvas-tgt:
docker build canvas -t tier-demo-canvas

# build the attribute slammer
attribute-tgt:
docker build attribute-slammer -t tier-demo-attribute-slammer


# vim: set noet:
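Review bot: None of the targets (`all`, `ldap-tgt` through `attribute-tgt`) are declared phony, so a file or directory with one of those names in the build tree would make `make` report the target as up to date and silently skip its `docker build`. Adding `.PHONY: all ldap-tgt mysql-tgt rabbit-tgt sis-tgt shib-idp-tgt grouper-tgt webapp-tgt canvas-tgt attribute-tgt` near the top avoids that. The recipe lines appear unindented here, which is presumably the rendering dropping the leading tab that the `vim: set noet:` modeline is there to preserve.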
@@ -0,0 +1,56 @@
## Overview
This set of docker images supports a demonstration of the TIER architecture, and
how it can be used for role-based access control (RBAC) in a complex setting.
For more information about this demo, see [Tier Canvas Provisioning Demo -
TechEx
2017](https://docs.google.com/presentation/d/1RT448nvR3gZ2hFUteqSQ6LgOYMwlgua0x0hQBZFrVWE/edit#slide=id.p)

`
The Group Docker image is based on Unicon's work, and contains a fully built Ldap, MySql, and Grouper environment. The Grouper component has the Grouper UI, Grouper Web Services, and an active Grouper Daemon which runs the Grouper Loader and PSP modules.

> This image does not follow best Docker practices. It is intended from demo/class usage. It can also be useful for use as a base image for Grouper development.
## Building

To build the demo:

```
./build.sh
```
In order to configure the Canvas provisioning components, you'll need a Canvas
instance and will need to generate an API key. Please see [Getting Started With
the Canvas
API](https://canvas.instructure.com/courses/785215/pages/getting-started-with-the-api)
for more information about this.

There are a number of containers in the demo, so you may need to increase RAM
devoted to Docker. The demo seems to run well with 4 CPUs and 4GB.

## Running

To run the demo:

```
$ [TODO: INSERT DOCKER COMPOSE COMMAND HERE]
```

You can log into the Grouper UI with "banderson/password". The account is a sysadmin. Also available is "jsmith/password", which has no explicit privs. There are lots of "user" accounts that have dumby course memberships.

TODO: change admin account to "tieradmin"?

The LDAP admin bind account is "cn=admin,dc=example,dc=edu/password". The MySql admin account is "root/<nopassword>".

This will build each container needed.

## Authors
* James Babb (james.babb@wisc.edu)
* Tom Jordan (tom.jordan@wisc.edu)
* TIER API & Entity Registry Working Group (tier-api@internet2.edu)

* Based on Unicon Grouper Demo Container by:
* John Gasper (jgasper@unicon.net)
* David Langenberg (dlangenberg@unicon.net)

## LICENSE


@@ -0,0 +1,23 @@
FROM perl:latest

MAINTAINER "TIER API & EntReg Working Group <tier-api@internet2.edu>"

# ENV PERL5LIB /usr/local/lib/perl5/site_perl/5.26.0/

RUN set -x; \
apt-get update \
&& DEBIAN_FRONTEND=noninteractive apt-get install -y netcat vim \
&& apt-get clean

RUN set -x; \
cpanm App::cpanminus \
&& cpanm REST::Client \
&& cpanm JSON \
&& cpanm YAML \
&& cpanm Getopt::Long \
&& cpanm MIME::Base64


COPY attributeSlammer /opt/attributeSlammer
WORKDIR /opt/attributeSlammer
CMD [ "./attribute_slam.sh" ]
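Review bot: `FROM perl:latest` on the first line pins nothing, so every rebuild pulls whatever the tag currently points at, and the `cpanm` lines below it likewise resolve to whatever module versions are newest that day; for a reproducible image, pin a specific perl tag (or an `@sha256:` digest) and consider pinning the module versions in the `cpanm` lines. `MAINTAINER` is deprecated in favour of a label, `LABEL maintainer="TIER API & EntReg Working Group <tier-api@internet2.edu>"`. The image also runs as root and keeps `/var/lib/apt/lists` after `apt-get clean`; a `USER` directive and `&& rm -rf /var/lib/apt/lists/*` at the end of the first `RUN` would tighten it.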
@@ -0,0 +1,209 @@
#!/usr/bin/perl -w
# $Id$
#
# Slams attributes on given stems in the config file.
#
# Author: James Babb
# $Date: 2016-07-05 11:43:20 -0500 (Tue, 05 Jul 2016) $
#
use strict;
use warnings;
use Data::Dumper;
use JSON;
use REST::Client;
use YAML qw/LoadFile Dump/;
use Getopt::Long;
use MIME::Base64;

#
# 1. Pull in the config
# 2. Set up the environment
# 3. for each slam:
# a. build out request to retrieve matching groups
# b. retrieve list of groups
# c. for each group:
# i. build out request to see if attribute already set with value
# ii. if value is already set:
# - next;
# iii. else:
# - build out request to slam attribute
# - set attribute with value
#
#

my $config = LoadFile('attribute_slam.yaml');
my $pw = LoadFile('attribute_slam.pw');

# track exit code. Change to something not 0 if a failure but we don't need to hard fail.
my $exit_code = 0;

my $DEBUG = $config->{debug};

print Dumper($config) . "\n" . Dumper($pw) . "\n\n" if ($DEBUG);

my $client = REST::Client->new();
$client->setHost( $config->{grp_ws_endpoint} );
$client->setTimeout( $config->{timeout} );

my $encoded_auth = encode_base64( $config->{grp_ws_user} . ":" . $pw->{password} );

foreach my $item ( @{ $config->{list} } ) {

logit( "Working on " . $item->{stem} );

my %find_groups = (
"WsRestFindGroupsLiteRequest" => {
"groupName" => $item->{stem},
"stemName" => $item->{stem},
"queryFilterType" => "FIND_BY_GROUP_NAME_APPROXIMATE"
}
);

# TODO: because we include the stem, will this match on like uw:domain:AWS and uw:domain:AWS2?

my $find_groups_json = encode_json( \%find_groups );

logit("Sending find groups request with: $find_groups_json \n\n-------\n\n") if ($DEBUG);

$client->POST( $config->{grp_ws_rest_groups},
$find_groups_json,
{ "Content-Type" => "text/x-json", 'Authorization' => "Basic $encoded_auth" } );

logit( 'Response: ' . $client->responseContent() . "\n" ) if ($DEBUG);
logit( 'Response status: ' . $client->responseCode() . "\n" ) if ($DEBUG);

if ( $client->responseCode() != 200 ) {
logit("Did not get back a valid search for groups... Skipping\n");
$exit_code = 255;
next;
}

my $groups_to_process;

eval { $groups_to_process = decode_json( $client->responseContent() ); };

if ( !defined($groups_to_process) ) {
logit("Did not get valid JSON from Grouper... Skipping\n");
$exit_code = 255;
next;
}

foreach my $group ( @{ $groups_to_process->{WsFindGroupsResults}->{groupResults} } ) {
logit( "Checking " . $group->{name} );

my %find_attr = (
"WsRestGetAttributeAssignmentsLiteRequest" => {
"attributeAssignType" => "group",
"includeAssignmentsonAssignments" => "T",
"wsOwnerGroupName" => $group->{name},
"wsAttributeDefNameName" => $item->{attribute_name}
}
);

my $find_attr_json = encode_json( \%find_attr );

logit("Sending find attributes request with: $find_attr_json \n\n-------\n\n") if ($DEBUG);

$client->POST( $config->{grp_ws_rest_attributes},
$find_attr_json,
{ "Content-Type" => "text/x-json", 'Authorization' => "Basic $encoded_auth" } );

logit( 'Response: ' . $client->responseContent() . "\n" ) if ($DEBUG);
logit( 'Response status: ' . $client->responseCode() . "\n" ) if ($DEBUG);

if ( $client->responseCode() != 200 ) {
logit("Did not get back a valid search for attributes... Skipping group....\n");
$exit_code = 255;
next;
}

my $attribute_search;

eval { $attribute_search = decode_json( $client->responseContent() ); };

if ( !defined($attribute_search) ) {
logit("Did not get valid JSON from Grouper... Skipping group...\n");
$exit_code = 255;
next;
}

my $found = 0;

foreach my $attr (
@{ $attribute_search->{WsGetAttributeAssignmentsResults}->{wsAttributeAssigns} } )
{
if ( $attr->{attributeDefNameName} eq $item->{attribute_name} ) {
foreach my $value ( @{ $attr->{wsAttributeAssignValues} } ) {
if ( $value->{valueSystem} eq $item->{attribute_value} ) {
logit(
"Attribute $item->{attribute_name} already has value $item->{attribute_value} for group $group->{name}"
) if ($DEBUG);
$found = 1;
last;
}
}
logit(
"Attribute $item->{attribute_name} has a value but not correct value for group $group->{name}"
) if ( !$found && $DEBUG );
}
}

if ( !$found ) {
logit(
"Need to set $item->{attribute_name} : $item->{attribute_value} for $group->{name}"
);

my %slam_attr = (
"WsRestAssignAttributesLiteRequest" => {
"attributeAssignOperation" => "assign_attr",
"attributeAssignType" => "group",
"attributeAssignValueOperation" => "add_value",
"valueSystem" => $item->{attribute_value},
"wsAttributeDefNameName" => $item->{attribute_name},
"wsOwnerGroupName" => $group->{name}
}
);

my $slam_attr_json = encode_json( \%slam_attr );

$client->POST( $config->{grp_ws_rest_attributes},
$slam_attr_json,
{ "Content-Type" => "text/x-json", 'Authorization' => "Basic $encoded_auth" } );

logit( 'Response: ' . $client->responseContent() . "\n" ) if ($DEBUG);
logit( 'Response status: ' . $client->responseCode() . "\n" ) if ($DEBUG);

if ( $client->responseCode() != 200 ) {
logit(
"Could not add $item->{attribute_name} : $item->{attribute_value} for $group->{name}. Response: "
. $client->responseContent()
. "\n\n--------\n\n" );
$exit_code = 255;
}
else {
logit("Added $item->{attribute_name} : $item->{attribute_value} to $group->{name}");
}

}

}

}

exit $exit_code;

# Log a message to the log file specified in the config file.
sub logit {
my $msg = shift;

# Timestamp
my $tstamp = '';
my ( $sec, $min, $hr, $day, $mon, $year ) = localtime;
$tstamp =
sprintf( "%04d-%02d-%02d %02d:%02d:%02d", 1900 + $year, $mon + 1, $day, $hr, $min, $sec );
my $file = $config->{logfile};
open( my $fh, ">>", $file ) || die "Unable to open log file $file: $!";
print $fh "$tstamp: $msg\n";
close($fh);
print STDERR "$tstamp: $msg\n" if ($DEBUG);
}
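Review bot: `encode_base64` in `my $encoded_auth = encode_base64( $config->{grp_ws_user} . ":" . $pw->{password} );` uses its default end-of-line argument, so the encoded string ends in `"\n"` and every `Authorization: Basic $encoded_auth` header built from it carries a trailing newline, which a strict server or proxy may reject or mis-parse; pass an empty EOL, `my $encoded_auth = encode_base64( $config->{grp_ws_user} . ":" . $pw->{password}, '' );`. Separately, `print Dumper($config) . "\n" . Dumper($pw) . "\n\n" if ($DEBUG);` writes the Grouper WS password to STDOUT, which in the container ends up in the Docker log; dump `$config` only, or redact `$pw->{password}` before dumping. The two `eval { ... = decode_json( $client->responseContent() ); };` blocks discard `$@`, so the "Did not get valid JSON" messages never say what the parse error was; including `$@` in those `logit` calls would make the failure diagnosable.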
@@ -0,0 +1,2 @@
# Password for account accessing grouper WS
password: 12345
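Review bot: This file commits the Grouper WS password in plaintext, and since the Dockerfile in this commit does `COPY attributeSlammer /opt/attributeSlammer`, it presumably lands in the image layer as well, so rotating it requires a rebuild and anyone with the image or the repository history can read it. Even for a demo value, the usual pattern is to keep the real file out of the repository (`.gitignore` it and check in an `.example` with a placeholder) and supply the value at run time via a mounted file or environment variable. If this is the `attribute_slam.pw` that `attribute_slam.pl` reads with `LoadFile('attribute_slam.pw')`, a bind-mounted file at that path would need no code change.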
@@ -0,0 +1,22 @@
#!/bin/bash

# Run the attribute slammer forever and ever running every 10 seconds

cd /opt/attributeSlammer/
touch slammer.log

tail -f slammer.log &

# wait for grouper ws to be available...typically only during first run while
# grouper is still boot strapping
until nc -vz tier-demo-grouper 8080
do
echo "Grouper WS is unavailable - sleeping"
sleep 5
done

while true
do
perl attribute_slam.pl
sleep 10
done
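Review bot: `cd /opt/attributeSlammer/` is unchecked, so if the directory is missing the script carries on in whatever directory it started in, creating `slammer.log` and running `perl attribute_slam.pl` there; `cd /opt/attributeSlammer/ || exit 1` (or `set -e` at the top) stops that. The exit status the Perl script sets (it exits 255 whenever a request is skipped) is discarded by the `while true` loop, so a permanently failing run is indistinguishable from a healthy one; `perl attribute_slam.pl || echo "attribute_slam.pl exited with status $?"` would at least surface it in the container log. The backgrounded `tail -f slammer.log &` is never waited on or killed, which is acceptable for a container entrypoint but worth a comment saying so.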
