diff --git a/backend/build.gradle b/backend/build.gradle index 21c508193..64f8a7e10 100644 --- a/backend/build.gradle +++ b/backend/build.gradle @@ -26,7 +26,7 @@ repositories { configurations.all { resolutionStrategy { force 'org.cryptacular:cryptacular:1.1.3' - + eachDependency { details -> if (details.requested.group == 'org.seleniumhq.selenium' && details.requested.name != 'htmlunit-driver') { details.useVersion '3.141.59' @@ -38,7 +38,7 @@ configurations.all { configurations { integrationTestCompile { extendsFrom compile - + } integrationTestRuntime { extendsFrom runtime @@ -170,6 +170,7 @@ dependencies { compile "com.h2database:h2" runtimeOnly "org.postgresql:postgresql" runtimeOnly 'org.mariadb.jdbc:mariadb-java-client:2.2.0' + runtimeOnly 'mysql:mysql-connector-java:5.1.48' //Swagger compile 'io.springfox:springfox-swagger2:2.9.2' @@ -187,7 +188,7 @@ dependencies { //JSON schema generator testCompile 'com.kjetland:mbknor-jackson-jsonschema_2.12:1.0.29' testCompile 'javax.validation:validation-api:2.0.1.Final' - + //JSON schema validator compile 'org.sharegov:mjson:1.4.1' @@ -200,7 +201,7 @@ dependencies { integrationTestCompile "org.springframework.security:spring-security-test" integrationTestCompile "org.spockframework:spock-core:1.1-groovy-2.4" integrationTestCompile "org.spockframework:spock-spring:1.1-groovy-2.4" - + // CSV file support compile 'com.opencsv:opencsv:4.4' diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorController.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorController.java index 8bb0da84f..914ae8d1b 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorController.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorController.java @@ -71,6 +71,7 @@ public void initRestTemplate() { } @PostMapping("/EntityDescriptor") + @Transactional public ResponseEntity create(@RequestBody EntityDescriptorRepresentation edRepresentation) { final String entityId = edRepresentation.getEntityId(); @@ -93,11 +94,13 @@ public ResponseEntity create(@RequestBody EntityDescriptorRepresentation edRe } @PostMapping(value = "/EntityDescriptor", consumes = "application/xml") + @Transactional public ResponseEntity upload(@RequestBody byte[] entityDescriptorXml, @RequestParam String spName) throws Exception { return handleUploadingEntityDescriptorXml(entityDescriptorXml, spName); } @PostMapping(value = "/EntityDescriptor", consumes = "application/x-www-form-urlencoded") + @Transactional public ResponseEntity upload(@RequestParam String metadataUrl, @RequestParam String spName) throws Exception { try { byte[] xmlContents = this.restTemplate.getForObject(metadataUrl, byte[].class); @@ -112,6 +115,7 @@ public ResponseEntity upload(@RequestParam String metadataUrl, @RequestParam } @PutMapping("/EntityDescriptor/{resourceId}") + @Transactional public ResponseEntity update(@RequestBody EntityDescriptorRepresentation edRepresentation, @PathVariable String resourceId) { User currentUser = userService.getCurrentUser(); EntityDescriptor existingEd = entityDescriptorRepository.findByResourceId(resourceId); @@ -163,6 +167,7 @@ public ResponseEntity getAll() { } @GetMapping("/EntityDescriptor/{resourceId}") + @Transactional(readOnly = true) public ResponseEntity getOne(@PathVariable String resourceId) { User currentUser = userService.getCurrentUser(); EntityDescriptor ed = entityDescriptorRepository.findByResourceId(resourceId); @@ -180,6 +185,7 @@ public ResponseEntity getOne(@PathVariable String resourceId) { } @GetMapping(value = "/EntityDescriptor/{resourceId}", produces = "application/xml") + @Transactional(readOnly = true) public ResponseEntity getOneXml(@PathVariable String resourceId) throws MarshallingException { User currentUser = userService.getCurrentUser(); EntityDescriptor ed = entityDescriptorRepository.findByResourceId(resourceId); @@ -195,7 +201,7 @@ public ResponseEntity getOneXml(@PathVariable String resourceId) throws Marsh } } - @Transactional + @Transactional(readOnly = true) @GetMapping(value = "/EntityDescriptor/disabledNonAdmin") public Iterable getDisabledAndNotOwnedByAdmin() { return entityDescriptorRepository.findAllDisabledAndNotOwnedByAdmin() @@ -205,6 +211,7 @@ public Iterable getDisabledAndNotOwnedByAdmin() @Secured("ROLE_ADMIN") @DeleteMapping(value = "/EntityDescriptor/{resourceId}") + @Transactional public ResponseEntity deleteOne(@PathVariable String resourceId) { EntityDescriptor ed = entityDescriptorRepository.findByResourceId(resourceId); if (ed == null) { @@ -220,6 +227,7 @@ public ResponseEntity deleteOne(@PathVariable String resourceId) { //Versioning endpoints @GetMapping("/EntityDescriptor/{resourceId}/Versions") + @Transactional(readOnly = true) public ResponseEntity getAllVersions(@PathVariable String resourceId) { EntityDescriptor ed = entityDescriptorRepository.findByResourceId(resourceId); if (ed == null) { @@ -236,6 +244,7 @@ public ResponseEntity getAllVersions(@PathVariable String resourceId) { } @GetMapping("/EntityDescriptor/{resourceId}/Versions/{versionId}") + @Transactional(readOnly = true) public ResponseEntity getSpecificVersion(@PathVariable String resourceId, @PathVariable String versionId) { EntityDescriptorRepresentation edRepresentation = versionService.findSpecificVersionOfEntityDescriptor(resourceId, versionId); diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/MetadataResolversController.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/MetadataResolversController.java index e07272629..96906980b 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/MetadataResolversController.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/MetadataResolversController.java @@ -157,6 +157,7 @@ public ResponseEntity update(@PathVariable String resourceId, @RequestBody Me //Versioning endpoints @GetMapping("/MetadataResolvers/{resourceId}/Versions") + @Transactional(readOnly = true) public ResponseEntity getAllVersions(@PathVariable String resourceId) { MetadataResolver resolver = resolverRepository.findByResourceId(resourceId); if (resolver == null) { diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/AbstractAttributeExtensibleXMLObject.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/AbstractAttributeExtensibleXMLObject.java index 62bb46df8..50f2bdbe8 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/AbstractAttributeExtensibleXMLObject.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/AbstractAttributeExtensibleXMLObject.java @@ -43,4 +43,4 @@ void prePersist() { void postLoad() { this.unknownAttributes.putAll(this.storageAttributeMap); } -} \ No newline at end of file +} diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/filters/EntityAttributesFilterTarget.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/filters/EntityAttributesFilterTarget.java index 8a9c2a7fb..0a0da096f 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/filters/EntityAttributesFilterTarget.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/filters/EntityAttributesFilterTarget.java @@ -5,13 +5,10 @@ import lombok.EqualsAndHashCode; import org.hibernate.envers.AuditOverride; import org.hibernate.envers.Audited; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; import javax.persistence.Column; import javax.persistence.ElementCollection; import javax.persistence.Entity; -import javax.persistence.FetchType; import javax.persistence.OrderColumn; import java.util.ArrayList; import java.util.List; @@ -26,13 +23,11 @@ public enum EntityAttributesFilterTargetType { ENTITY, CONDITION_SCRIPT, CONDITION_REF, REGEX } - private static Logger LOGGER = LoggerFactory.getLogger(EntityAttributesFilterTarget.class); - private EntityAttributesFilterTargetType entityAttributesFilterTargetType; @ElementCollection @OrderColumn - @Column(length = 4000) + @Column(length = 760) private List value; public EntityAttributesFilterTargetType getEntityAttributesFilterTargetType() { diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/envers/PrincipalAwareRevisionEntity.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/envers/PrincipalAwareRevisionEntity.java index e0aef8807..0685eba92 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/envers/PrincipalAwareRevisionEntity.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/envers/PrincipalAwareRevisionEntity.java @@ -6,6 +6,7 @@ import org.hibernate.envers.RevisionEntity; import javax.persistence.Entity; +import javax.persistence.Table; /** * Extension of the default envers revision entity to track authenticated principals diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/hibernate/QNameTypeContributor.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/hibernate/QNameTypeContributor.java new file mode 100644 index 000000000..0cca1f713 --- /dev/null +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/hibernate/QNameTypeContributor.java @@ -0,0 +1,15 @@ +package edu.internet2.tier.shibboleth.admin.ui.hibernate; + +import org.hibernate.boot.model.TypeContributions; +import org.hibernate.boot.model.TypeContributor; +import org.hibernate.service.ServiceRegistry; + +import javax.xml.namespace.QName; + +public class QNameTypeContributor implements TypeContributor { + + @Override + public void contribute(TypeContributions typeContributions, ServiceRegistry serviceRegistry) { + typeContributions.contributeType(new QNameUserType(), "qname", QName.class.getName()); + } +} diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/hibernate/QNameUserType.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/hibernate/QNameUserType.java new file mode 100644 index 000000000..f87bb8a73 --- /dev/null +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/hibernate/QNameUserType.java @@ -0,0 +1,150 @@ +package edu.internet2.tier.shibboleth.admin.ui.hibernate; + +import net.shibboleth.utilities.java.support.xml.QNameSupport; +import org.hibernate.HibernateException; +import org.hibernate.engine.spi.SharedSessionContractImplementor; +import org.hibernate.usertype.UserType; + +import javax.xml.namespace.QName; +import java.io.Serializable; +import java.sql.PreparedStatement; +import java.sql.ResultSet; +import java.sql.SQLException; +import java.sql.Types; + +/** + * Hibernate custom UserType needed to properly persist QName objects. + * Base implementation is taken from {@link https://github.com/tomsontom/emf-databinding-example/blob/0ae7faa67697a84171846852a5c5b0492d9a8f7d/org.eclipse.emf.teneo.hibernate/src/org/eclipse/emf/teneo/hibernate/mapping/QNameUserType.java} + */ +public class QNameUserType implements UserType { + + private static final int[] SQL_TYPES = new int[]{Types.VARCHAR}; + + /* + * (non-Javadoc) + * + * @see org.hibernate.usertype.UserType#assemble(java.io.Serializable, java.lang.Object) + */ + public Object assemble(Serializable cached, Object owner) throws HibernateException { + return cached; + } + + /* + * (non-Javadoc) + * + * @see org.hibernate.usertype.UserType#deepCopy(java.lang.Object) + */ + public Object deepCopy(Object value) throws HibernateException { + return value; + } + + /* + * (non-Javadoc) + * + * @see org.hibernate.usertype.UserType#disassemble(java.lang.Object) + */ + public Serializable disassemble(Object value) throws HibernateException { + return (Serializable) value; + } + + public boolean equals(Object x, Object y) throws HibernateException { + if (x == y) { + return true; + } else if (x == null || y == null) { + return false; + } else { + return x.equals(y); + } + } + + /* + * (non-Javadoc) + * + * @see org.hibernate.usertype.UserType#hashCode(java.lang.Object) + */ + public int hashCode(Object x) throws HibernateException { + return x.hashCode(); + } + + /** + * Not mutable + */ + public boolean isMutable() { + return false; + } + + /* + * (non-Javadoc) + * + * @see org.hibernate.usertype.UserType#nullSafeGet(java.sql.ResultSet, java.lang.String[], + * java.lang.Object) + */ + public Object nullSafeGet(ResultSet rs, String[] names, SharedSessionContractImplementor sessionContractImplementor, Object owner) throws HibernateException, SQLException { + final String str = rs.getString(names[0]); + if (rs.wasNull()) { + return null; + } + return convertFromString(str); + } + + /* + * (non-Javadoc) + * + * @see org.hibernate.usertype.UserType#nullSafeSet(java.sql.PreparedStatement, + * java.lang.Object, int) + */ + public void nullSafeSet(PreparedStatement st, Object value, int index, SharedSessionContractImplementor sessionContractImplementor) throws HibernateException, SQLException { + if (value == null) { + st.setNull(index, Types.VARCHAR); + } else { + st.setString(index, convertToString((QName) value)); + } + } + + /* + * (non-Javadoc) + * + * @see org.hibernate.usertype.UserType#replace(java.lang.Object, java.lang.Object, + * java.lang.Object) + */ + public Object replace(Object original, Object target, Object owner) throws HibernateException { + return original; + } + + /** + * Returns the parameterizezd enumType + */ + public Class returnedClass() { + return QName.class; + } + + /** + * An enum is stored in one varchar + */ + public int[] sqlTypes() { + return SQL_TYPES; + } + + protected String convertToString(QName qName) { + return "{" + qName.getNamespaceURI() + "}" + qName.getPrefix() + ":" + qName.getLocalPart(); + } + + protected QName convertFromString(String str) { + if (str.indexOf("{") == -1) { + throw new HibernateException("String " + str + " can not be converted to a QName, missing starting {"); + } + final int endIndexNS = str.indexOf("}"); + if (endIndexNS == -1) { + throw new HibernateException("String " + str + + " can not be converted to a QName, missing end ns delimiter } "); + } + final int prefixIndex = str.indexOf(":", endIndexNS); + if (prefixIndex == -1) { + throw new HibernateException("String " + str + " can not be converted to a QName, missing prefix delimiter :"); + } + final String ns = str.substring(1, endIndexNS); + final String prefix = str.substring(endIndexNS + 1, prefixIndex); + final String localPart = str.substring(prefixIndex + 1); + return QNameSupport.constructQName(ns, localPart, prefix); + } +} diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/model/Role.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/model/Role.java index 41acabdca..64792774d 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/model/Role.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/model/Role.java @@ -41,6 +41,7 @@ public Role(String name, int rank) { @Column(unique = true) private String name; + @Column(name = "ROLE_RANK") private int rank; //Ignore properties annotation here is to prevent stack overflow recursive error during JSON serialization diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/model/User.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/model/User.java index 1a36ffdcc..c30c4ceff 100644 --- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/model/User.java +++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/model/User.java @@ -16,6 +16,7 @@ import javax.persistence.JoinColumn; import javax.persistence.JoinTable; import javax.persistence.ManyToMany; +import javax.persistence.Table; import javax.persistence.Transient; import java.util.HashSet; import java.util.Set; @@ -31,6 +32,7 @@ @Setter @EqualsAndHashCode(callSuper = true, exclude = "roles") @ToString(exclude = "roles") +@Table(name = "USERS") public class User extends AbstractAuditable { @Column(nullable = false, unique = true) diff --git a/backend/src/main/resources/META-INF/services/org.hibernate.boot.model.TypeContributor b/backend/src/main/resources/META-INF/services/org.hibernate.boot.model.TypeContributor new file mode 100644 index 000000000..5f1ae5827 --- /dev/null +++ b/backend/src/main/resources/META-INF/services/org.hibernate.boot.model.TypeContributor @@ -0,0 +1 @@ +edu.internet2.tier.shibboleth.admin.ui.hibernate.QNameTypeContributor diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/repository/MetadataResolverRepositoryTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/repository/MetadataResolverRepositoryTests.groovy index b3f102167..43bff31ce 100644 --- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/repository/MetadataResolverRepositoryTests.groovy +++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/repository/MetadataResolverRepositoryTests.groovy @@ -200,7 +200,7 @@ class MetadataResolverRepositoryTests extends Specification { basicPersistenceOfResolverIsCorrectFor { it instanceof LocalDynamicMetadataResolver } } - def "persisting entity attributes filter target with script of more than 255 characters"() { + def "persisting entity attributes filter target with script of 760 max chars, as defied in DB schema mapping"() { given: def mdr = new MetadataResolver().with { it.name = "SHIBUI-1588" @@ -211,18 +211,7 @@ class MetadataResolverRepositoryTests extends Specification { it.resourceId = 'SHIBUI-1588' it.entityAttributesFilterTarget = new EntityAttributesFilterTarget().with { it.entityAttributesFilterTargetType = CONDITION_SCRIPT - it.singleValue = """ - /* - Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut - labore et dolore magna aliqua. Cras fermentum odio eu feugiat pretium nibh ipsum. Sed augue lacus viverra vitae. - Fermentum et sollicitudin ac orci. Platea dictumst vestibulum rhoncus est pellentesque elit ullamcorper dignissim. - Rhoncus urna neque viverra justo nec ultrices dui sapien. Tortor id aliquet lectus proin nibh nisl condimentum id venenatis. - Massa id neque aliquam vestibulum morbi blandit cursus risus. Metus aliquam eleifend mi in nulla posuere sollicitudin. - Arcu ac tortor dignissim convallis aenean. Et tortor consequat id porta nibh venenatis cras. - Netus et malesuada fames ac turpis egestas. Bibendum arcu vitae elementum curabitur. - Volutpat consequat mauris nunc congue nisi vitae suscipit. - */ - """ + it.singleValue = '/*' + ('X' * 756) + '*/' it } it diff --git a/gradle.properties b/gradle.properties index 2b6041ed8..8bad0c7be 100644 --- a/gradle.properties +++ b/gradle.properties @@ -7,7 +7,7 @@ opensaml.version=3.4.0 spring-boot.version=2.0.0.RELEASE -hibernate.version=5.2.11.Final +hibernate.version=5.3.14.Final lucene.version=7.2.1 diff --git a/testbed/mariadb/conf/application.yml b/testbed/mariadb/conf/application.yml new file mode 100644 index 000000000..68018a4b9 --- /dev/null +++ b/testbed/mariadb/conf/application.yml @@ -0,0 +1,138 @@ +spring: + profiles: + include: + datasource: + platform: mysql + driver-class-name: org.mariadb.jdbc.Driver + url: jdbc:mariadb://db:3306/shibui + username: shibui + password: shibui + jpa: + properties: + hibernate: + dialect: org.hibernate.dialect.MariaDBDialect +server: + port: 8443 + ssl: + key-store: "/conf/keystore.p12" + key-store-password: "changeit" + keyStoreType: "PKCS12" + keyAlias: "tomcat" +shibui: + user-bootstrap-resource: file:/conf/users.csv + roles: ROLE_ADMIN,ROLE_NONE,ROLE_USER,ROLE_PONY +custom: + attributes: + # Default attributes + - name: eduPersonPrincipalName + displayName: label.attribute-eduPersonPrincipalName + - name: uid + displayName: label.attribute-uid + - name: mail + displayName: label.attribute-mail + - name: surname + displayName: label.attribute-surname + - name: givenName + displayName: label.attribute-givenName + - name: eduPersonAffiliation + displayName: label.attribute-eduPersonAffiliation + - name: eduPersonScopedAffiliation + displayName: label.attribute-eduPersonScopedAffiliation + - name: eduPersonPrimaryAffiliation + displayName: label.attribute-eduPersonPrimaryAffiliation + - name: eduPersonEntitlement + displayName: label.attribute-eduPersonEntitlement + - name: eduPersonAssurance + displayName: label.attribute-eduPersonAssurance + - name: eduPersonUniqueId + displayName: label.attribute-eduPersonUniqueId + - name: employeeNumber + displayName: label.attribute-employeeNumber + # Custom attributes + overrides: + # Default overrides + - name: signAssertion + displayName: label.sign-the-assertion + displayType: boolean + defaultValue: false + helpText: tooltip.sign-assertion + attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signAssertions + attributeFriendlyName: signAssertions + - name: dontSignResponse + displayName: label.dont-sign-the-response + displayType: boolean + defaultValue: false + helpText: tooltip.dont-sign-response + attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signResponses + attributeFriendlyName: signResponses + - name: turnOffEncryption + displayName: label.turn-off-encryption-of-response + displayType: boolean + defaultValue: false + helpText: tooltip.turn-off-encryption + attributeName: http://shibboleth.net/ns/profiles/encryptAssertions + attributeFriendlyName: encryptAssertions + - name: useSha + displayName: label.use-sha1-signing-algorithm + displayType: boolean + defaultValue: false + helpText: tooltip.usa-sha-algorithm + persistType: string + persistValue: shibboleth.SecurityConfiguration.SHA1 + attributeName: http://shibboleth.net/ns/profiles/securityConfiguration + attributeFriendlyName: securityConfiguration + - name: ignoreAuthenticationMethod + displayName: label.ignore-any-sp-requested-authentication-method + displayType: boolean + defaultValue: false + helpText: tooltip.ignore-auth-method + persistType: string + persistValue: 0x1 + attributeName: http://shibboleth.net/ns/profiles/disallowedFeatures + attributeFriendlyName: disallowedFeatures + - name: omitNotBefore + displayName: label.omit-not-before-condition + displayType: boolean + defaultValue: false + helpText: tooltip.omit-not-before-condition + attributeName: http://shibboleth.net/ns/profiles/includeConditionsNotBefore + attributeFriendlyName: includeConditionsNotBefore + - name: responderId + displayName: label.responder-id + displayType: string + defaultValue: null + helpText: tooltip.responder-id + attributeName: http://shibboleth.net/ns/profiles/responderId + attributeFriendlyName: responderId + - name: nameIdFormats + displayName: label.nameid-format-to-send + displayType: set + helpText: tooltip.nameid-format + defaultValues: + - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent + - urn:oasis:names:tc:SAML:2.0:nameid-format:transient + attributeName: http://shibboleth.net/ns/profiles/nameIDFormatPrecedence + attributeFriendlyName: nameIDFormatPrecedence + - name: authenticationMethods + displayName: label.authentication-methods-to-use + displayType: set + helpText: tooltip.authentication-methods-to-use + defaultValues: + - https://refeds.org/profile/mfa + - urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken + - urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + attributeName: http://shibboleth.net/ns/profiles/defaultAuthenticationMethods + attributeFriendlyName: defaultAuthenticationMethods + - name: forceAuthn + displayName: label.force-authn + displayType: boolean + defaultValue: false + helpText: tooltip.force-authn + attributeName: http://shibboleth.net/ns/profiles/forceAuthn + attributeFriendlyName: forceAuthn +logging: + level: + org.pac4j: "TRACE" + org.opensaml: "INFO" diff --git a/testbed/mariadb/conf/keystore.p12 b/testbed/mariadb/conf/keystore.p12 new file mode 100644 index 000000000..57f9c162a Binary files /dev/null and b/testbed/mariadb/conf/keystore.p12 differ diff --git a/testbed/mariadb/conf/users.csv b/testbed/mariadb/conf/users.csv new file mode 100644 index 000000000..db290662e --- /dev/null +++ b/testbed/mariadb/conf/users.csv @@ -0,0 +1,2 @@ +root,{bcrypt}$2a$10$V1jeTIc0b2u7Y3yU.LqkXOPRVTBFc7SW07QaJR4KrBAmWGgTcO9H.,first,last,ROLE_ADMIN,user1@example.org +jj,{bcrypt}$2a$10$V1jeTIc0b2u7Y3yU.LqkXOPRVTBFc7SW07QaJR4KrBAmWGgTcO9H.,first,last,ROLE_ADMIN,jj@example.org \ No newline at end of file diff --git a/testbed/mariadb/docker-compose.yml b/testbed/mariadb/docker-compose.yml new file mode 100644 index 000000000..bbdfde0c5 --- /dev/null +++ b/testbed/mariadb/docker-compose.yml @@ -0,0 +1,41 @@ +version: "3.7" + +services: + db: + image: mariadb + container_name: db + environment: + MYSQL_DATABASE: shibui + MYSQL_USER: shibui + MYSQL_PASSWORD: shibui + MYSQL_ROOT_PASSWORD: root + + networks: + - front + ports: + - 3306:3306 + shibui: + image: unicon/shibui + ports: + - 8080:8080 + - 5005:5005 + - 8443:8443 + volumes: + - ./conf:/conf + - ./conf/application.yml:/application.yml + networks: + - front + depends_on: + - db + mailhog: + image: mailhog/mailhog:latest + ports: + - 1025:1025 + - 8025:8025 + container_name: mailhog + networks: + - front + +networks: + front: + driver: bridge diff --git a/testbed/mysql/conf/application.yml b/testbed/mysql/conf/application.yml new file mode 100644 index 000000000..76e40f809 --- /dev/null +++ b/testbed/mysql/conf/application.yml @@ -0,0 +1,138 @@ +spring: + profiles: + include: + datasource: + platform: mysql + driver-class-name: com.mysql.jdbc.Driver + url: jdbc:mysql://db:3306/shibui + username: shibui + password: shibui + jpa: + properties: + hibernate: + dialect: org.hibernate.dialect.MySQL8Dialect +server: + port: 8443 + ssl: + key-store: "/conf/keystore.p12" + key-store-password: "changeit" + keyStoreType: "PKCS12" + keyAlias: "tomcat" +shibui: + user-bootstrap-resource: file:/conf/users.csv + roles: ROLE_ADMIN,ROLE_NONE,ROLE_USER,ROLE_PONY +custom: + attributes: + # Default attributes + - name: eduPersonPrincipalName + displayName: label.attribute-eduPersonPrincipalName + - name: uid + displayName: label.attribute-uid + - name: mail + displayName: label.attribute-mail + - name: surname + displayName: label.attribute-surname + - name: givenName + displayName: label.attribute-givenName + - name: eduPersonAffiliation + displayName: label.attribute-eduPersonAffiliation + - name: eduPersonScopedAffiliation + displayName: label.attribute-eduPersonScopedAffiliation + - name: eduPersonPrimaryAffiliation + displayName: label.attribute-eduPersonPrimaryAffiliation + - name: eduPersonEntitlement + displayName: label.attribute-eduPersonEntitlement + - name: eduPersonAssurance + displayName: label.attribute-eduPersonAssurance + - name: eduPersonUniqueId + displayName: label.attribute-eduPersonUniqueId + - name: employeeNumber + displayName: label.attribute-employeeNumber + # Custom attributes + overrides: + # Default overrides + - name: signAssertion + displayName: label.sign-the-assertion + displayType: boolean + defaultValue: false + helpText: tooltip.sign-assertion + attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signAssertions + attributeFriendlyName: signAssertions + - name: dontSignResponse + displayName: label.dont-sign-the-response + displayType: boolean + defaultValue: false + helpText: tooltip.dont-sign-response + attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signResponses + attributeFriendlyName: signResponses + - name: turnOffEncryption + displayName: label.turn-off-encryption-of-response + displayType: boolean + defaultValue: false + helpText: tooltip.turn-off-encryption + attributeName: http://shibboleth.net/ns/profiles/encryptAssertions + attributeFriendlyName: encryptAssertions + - name: useSha + displayName: label.use-sha1-signing-algorithm + displayType: boolean + defaultValue: false + helpText: tooltip.usa-sha-algorithm + persistType: string + persistValue: shibboleth.SecurityConfiguration.SHA1 + attributeName: http://shibboleth.net/ns/profiles/securityConfiguration + attributeFriendlyName: securityConfiguration + - name: ignoreAuthenticationMethod + displayName: label.ignore-any-sp-requested-authentication-method + displayType: boolean + defaultValue: false + helpText: tooltip.ignore-auth-method + persistType: string + persistValue: 0x1 + attributeName: http://shibboleth.net/ns/profiles/disallowedFeatures + attributeFriendlyName: disallowedFeatures + - name: omitNotBefore + displayName: label.omit-not-before-condition + displayType: boolean + defaultValue: false + helpText: tooltip.omit-not-before-condition + attributeName: http://shibboleth.net/ns/profiles/includeConditionsNotBefore + attributeFriendlyName: includeConditionsNotBefore + - name: responderId + displayName: label.responder-id + displayType: string + defaultValue: null + helpText: tooltip.responder-id + attributeName: http://shibboleth.net/ns/profiles/responderId + attributeFriendlyName: responderId + - name: nameIdFormats + displayName: label.nameid-format-to-send + displayType: set + helpText: tooltip.nameid-format + defaultValues: + - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent + - urn:oasis:names:tc:SAML:2.0:nameid-format:transient + attributeName: http://shibboleth.net/ns/profiles/nameIDFormatPrecedence + attributeFriendlyName: nameIDFormatPrecedence + - name: authenticationMethods + displayName: label.authentication-methods-to-use + displayType: set + helpText: tooltip.authentication-methods-to-use + defaultValues: + - https://refeds.org/profile/mfa + - urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken + - urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + attributeName: http://shibboleth.net/ns/profiles/defaultAuthenticationMethods + attributeFriendlyName: defaultAuthenticationMethods + - name: forceAuthn + displayName: label.force-authn + displayType: boolean + defaultValue: false + helpText: tooltip.force-authn + attributeName: http://shibboleth.net/ns/profiles/forceAuthn + attributeFriendlyName: forceAuthn +logging: + level: + org.pac4j: "TRACE" + org.opensaml: "INFO" diff --git a/testbed/mysql/conf/keystore.p12 b/testbed/mysql/conf/keystore.p12 new file mode 100644 index 000000000..57f9c162a Binary files /dev/null and b/testbed/mysql/conf/keystore.p12 differ diff --git a/testbed/mysql/conf/users.csv b/testbed/mysql/conf/users.csv new file mode 100644 index 000000000..db290662e --- /dev/null +++ b/testbed/mysql/conf/users.csv @@ -0,0 +1,2 @@ +root,{bcrypt}$2a$10$V1jeTIc0b2u7Y3yU.LqkXOPRVTBFc7SW07QaJR4KrBAmWGgTcO9H.,first,last,ROLE_ADMIN,user1@example.org +jj,{bcrypt}$2a$10$V1jeTIc0b2u7Y3yU.LqkXOPRVTBFc7SW07QaJR4KrBAmWGgTcO9H.,first,last,ROLE_ADMIN,jj@example.org \ No newline at end of file diff --git a/testbed/mysql/docker-compose.yml b/testbed/mysql/docker-compose.yml new file mode 100644 index 000000000..92d41f1a5 --- /dev/null +++ b/testbed/mysql/docker-compose.yml @@ -0,0 +1,41 @@ +version: "3.7" + +services: + db: + image: mysql + container_name: db + environment: + MYSQL_DATABASE: shibui + MYSQL_USER: shibui + MYSQL_PASSWORD: shibui + MYSQL_ROOT_PASSWORD: root + + networks: + - front + ports: + - 3306:3306 + shibui: + image: unicon/shibui + ports: + - 8080:8080 + - 5005:5005 + - 8443:8443 + volumes: + - ./conf:/conf + - ./conf/application.yml:/application.yml + networks: + - front + depends_on: + - db + mailhog: + image: mailhog/mailhog:latest + ports: + - 1025:1025 + - 8025:8025 + container_name: mailhog + networks: + - front + +networks: + front: + driver: bridge diff --git a/testbed/postgres/conf/application.yml b/testbed/postgres/conf/application.yml new file mode 100644 index 000000000..2173107e1 --- /dev/null +++ b/testbed/postgres/conf/application.yml @@ -0,0 +1,138 @@ +spring: + profiles: + include: + datasource: + platform: postgres + driver-class-name: org.postgresql.Driver + url: jdbc:postgresql://db:5432/shibui + username: shibui + password: shibui + jpa: + properties: + hibernate: + dialect: org.hibernate.dialect.PostgreSQLDialect +server: + port: 8443 + ssl: + key-store: "/conf/keystore.p12" + key-store-password: "changeit" + keyStoreType: "PKCS12" + keyAlias: "tomcat" +shibui: + user-bootstrap-resource: file:/conf/users.csv + roles: ROLE_ADMIN,ROLE_NONE,ROLE_USER,ROLE_PONY +custom: + attributes: + # Default attributes + - name: eduPersonPrincipalName + displayName: label.attribute-eduPersonPrincipalName + - name: uid + displayName: label.attribute-uid + - name: mail + displayName: label.attribute-mail + - name: surname + displayName: label.attribute-surname + - name: givenName + displayName: label.attribute-givenName + - name: eduPersonAffiliation + displayName: label.attribute-eduPersonAffiliation + - name: eduPersonScopedAffiliation + displayName: label.attribute-eduPersonScopedAffiliation + - name: eduPersonPrimaryAffiliation + displayName: label.attribute-eduPersonPrimaryAffiliation + - name: eduPersonEntitlement + displayName: label.attribute-eduPersonEntitlement + - name: eduPersonAssurance + displayName: label.attribute-eduPersonAssurance + - name: eduPersonUniqueId + displayName: label.attribute-eduPersonUniqueId + - name: employeeNumber + displayName: label.attribute-employeeNumber + # Custom attributes + overrides: + # Default overrides + - name: signAssertion + displayName: label.sign-the-assertion + displayType: boolean + defaultValue: false + helpText: tooltip.sign-assertion + attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signAssertions + attributeFriendlyName: signAssertions + - name: dontSignResponse + displayName: label.dont-sign-the-response + displayType: boolean + defaultValue: false + helpText: tooltip.dont-sign-response + attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signResponses + attributeFriendlyName: signResponses + - name: turnOffEncryption + displayName: label.turn-off-encryption-of-response + displayType: boolean + defaultValue: false + helpText: tooltip.turn-off-encryption + attributeName: http://shibboleth.net/ns/profiles/encryptAssertions + attributeFriendlyName: encryptAssertions + - name: useSha + displayName: label.use-sha1-signing-algorithm + displayType: boolean + defaultValue: false + helpText: tooltip.usa-sha-algorithm + persistType: string + persistValue: shibboleth.SecurityConfiguration.SHA1 + attributeName: http://shibboleth.net/ns/profiles/securityConfiguration + attributeFriendlyName: securityConfiguration + - name: ignoreAuthenticationMethod + displayName: label.ignore-any-sp-requested-authentication-method + displayType: boolean + defaultValue: false + helpText: tooltip.ignore-auth-method + persistType: string + persistValue: 0x1 + attributeName: http://shibboleth.net/ns/profiles/disallowedFeatures + attributeFriendlyName: disallowedFeatures + - name: omitNotBefore + displayName: label.omit-not-before-condition + displayType: boolean + defaultValue: false + helpText: tooltip.omit-not-before-condition + attributeName: http://shibboleth.net/ns/profiles/includeConditionsNotBefore + attributeFriendlyName: includeConditionsNotBefore + - name: responderId + displayName: label.responder-id + displayType: string + defaultValue: null + helpText: tooltip.responder-id + attributeName: http://shibboleth.net/ns/profiles/responderId + attributeFriendlyName: responderId + - name: nameIdFormats + displayName: label.nameid-format-to-send + displayType: set + helpText: tooltip.nameid-format + defaultValues: + - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent + - urn:oasis:names:tc:SAML:2.0:nameid-format:transient + attributeName: http://shibboleth.net/ns/profiles/nameIDFormatPrecedence + attributeFriendlyName: nameIDFormatPrecedence + - name: authenticationMethods + displayName: label.authentication-methods-to-use + displayType: set + helpText: tooltip.authentication-methods-to-use + defaultValues: + - https://refeds.org/profile/mfa + - urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken + - urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + attributeName: http://shibboleth.net/ns/profiles/defaultAuthenticationMethods + attributeFriendlyName: defaultAuthenticationMethods + - name: forceAuthn + displayName: label.force-authn + displayType: boolean + defaultValue: false + helpText: tooltip.force-authn + attributeName: http://shibboleth.net/ns/profiles/forceAuthn + attributeFriendlyName: forceAuthn +logging: + level: + org.pac4j: "TRACE" + org.opensaml: "INFO" diff --git a/testbed/postgres/conf/keystore.p12 b/testbed/postgres/conf/keystore.p12 new file mode 100644 index 000000000..57f9c162a Binary files /dev/null and b/testbed/postgres/conf/keystore.p12 differ diff --git a/testbed/postgres/conf/users.csv b/testbed/postgres/conf/users.csv new file mode 100644 index 000000000..db290662e --- /dev/null +++ b/testbed/postgres/conf/users.csv @@ -0,0 +1,2 @@ +root,{bcrypt}$2a$10$V1jeTIc0b2u7Y3yU.LqkXOPRVTBFc7SW07QaJR4KrBAmWGgTcO9H.,first,last,ROLE_ADMIN,user1@example.org +jj,{bcrypt}$2a$10$V1jeTIc0b2u7Y3yU.LqkXOPRVTBFc7SW07QaJR4KrBAmWGgTcO9H.,first,last,ROLE_ADMIN,jj@example.org \ No newline at end of file diff --git a/testbed/postgres/docker-compose.yml b/testbed/postgres/docker-compose.yml new file mode 100644 index 000000000..593ceb1fc --- /dev/null +++ b/testbed/postgres/docker-compose.yml @@ -0,0 +1,39 @@ +version: "3.7" + +services: + db: + image: postgres + container_name: db + environment: + POSTGRES_USER: shibui + POSTGRES_PASSWORD: shibui + POSTGRES_DB: shibui + networks: + - front + ports: + - 3306:3306 + shibui: + image: unicon/shibui + ports: + - 8080:8080 + - 5005:5005 + - 8443:8443 + volumes: + - ./conf:/conf + - ./conf/application.yml:/application.yml + networks: + - front + depends_on: + - db + mailhog: + image: mailhog/mailhog:latest + ports: + - 1025:1025 + - 8025:8025 + container_name: mailhog + networks: + - front + +networks: + front: + driver: bridge \ No newline at end of file