From 900da38824242d420453b2917408e7adbba80239 Mon Sep 17 00:00:00 2001 From: Sean Porth Date: Fri, 29 Jul 2022 14:01:19 -0400 Subject: [PATCH 1/8] init setup Former-commit-id: 5181702e57e39598f5f75839d9d262045b220e30 --- testbed/smoke-test/cheat.html | 110 ++++++++++++++++++++++ testbed/smoke-test/docker-compose.yml | 105 +++++++++++++++++++++ testbed/smoke-test/shibui/application.yml | 40 ++++++++ 3 files changed, 255 insertions(+) create mode 100644 testbed/smoke-test/cheat.html create mode 100644 testbed/smoke-test/docker-compose.yml create mode 100644 testbed/smoke-test/shibui/application.yml diff --git a/testbed/smoke-test/cheat.html b/testbed/smoke-test/cheat.html new file mode 100644 index 000000000..74682f912 --- /dev/null +++ b/testbed/smoke-test/cheat.html @@ -0,0 +1,110 @@ + + +

Reload Service

+
+ + + +
+

Attribute Resolution

+
+ + + + + + + + + + + + + + + + + + + + + +
+ + + +
+ + + +
+ + + +
+ + + +
+ + + +
+ + +
+
+

Metadata Query

+ + + + + +
+ + + +
+ +
+
+

Reload Metadata

+ + + + + +
+ + + +
+ +
+
+

Unsolicited SSO

+ + + + + +
+ + + +
+ +
+metrics + + diff --git a/testbed/smoke-test/docker-compose.yml b/testbed/smoke-test/docker-compose.yml new file mode 100644 index 000000000..ec2f2c854 --- /dev/null +++ b/testbed/smoke-test/docker-compose.yml 
@@ -0,0 +1,105 @@
+version: "3.8"
+
+services:
+ reverse-proxy:
+ image: library/traefik:v2.5.2
+ command:
+ - "--api.insecure=true"
+ - "--providers.docker=true"
+ - "--providers.docker.exposedbydefault=false"
+ - "--entrypoints.web-secure.address=:443"
+ - "--providers.file.directory=/configuration/"
+ - "--providers.file.watch=true"
+ # - "--log.level=DEBUG"
+ networks:
+ reverse-proxy:
+ aliases:
+ - idp.unicon.local
+ ports:
+ - "80:80"
+ - "8080:8080"
+ - "443:443"
+ - "8443:8443"
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - ../reverse-proxy/:/configuration/
+ - ../reverse-proxy/certs/:/certs/
+ directory:
+ build: ../directory
+ networks:
+ - idp
+ volumes:
+ - directory_data:/var/lib/ldap
+ - directory_config:/etc/ldap/slapd.d
+ - ../directory/certs:/container/service/slapd/assets/certs
+ environment:
+ LDAP_BASE_DN: "dc=unicon,dc=local"
+ LDAP_DOMAIN: "unicon.local"
+ HOSTNAME: "directory"
+ LDAP_TLS_VERIFY_CLIENT: "try"
+ idp:
+ build: ../integration/shibboleth-idp
+ labels:
+ - "traefik.http.routers.idp.rule=Host(`idp.unicon.local`)"
+ - "traefik.http.services.idp.loadbalancer.server.port=8080"
+ - "traefik.http.routers.idp.tls=true"
+ - "traefik.docker.network=integration_reverse-proxy"
+ - "traefik.enable=true"
+ depends_on:
+ - directory
+ - reverse-proxy
+ networks:
+ - reverse-proxy
+ - idp
+ volumes:
+ - ../directory/certs/ca.crt:/opt/shibboleth-idp/credentials/ldap-server.crt
+ - dynamic_metadata:/opt/shibboleth-idp/metadata/dynamic
+ - dynamic_config:/opt/shibboleth-idp/conf/dynamic
+ - ../integration/shibboleth-idp/metadata/dynamic:/opt/shibboleth-idp/metadata/dynamic
+ - ../authentication/shibboleth-idp/config/shib-idp/conf/attribute-filter.xml:/opt/shibboleth-idp/conf/attribute-filter.xml
+ healthcheck:
+ disable: true
+ shib-idp-ui:
+ image: unicon/shibui:latest
+ labels:
+ - "traefik.http.routers.shibui.rule=Host(`shibui.unicon.local`)"
+ - "traefik.http.services.shibui.loadbalancer.server.port=8080"
+ - 
"traefik.http.routers.shibui.tls=true" + - "traefik.docker.network=integration_reverse-proxy" + - "traefik.enable=true" + networks: + - reverse-proxy + - backend + volumes: + - ../authentication/shibui:/conf + - ./shibui/application.yml:/application.yml + - dynamic_metadata:/var/shibboleth/dynamic_metadata + - dynamic_config:/var/shibboleth/dynamic_config + - ../integration/shibboleth-idp/credentials/shib-idp/inc-md-cert-mdq.pem:/opt/shibboleth-idp/credentials/inc-md-cert-mdq.pem + environment: + - "IDP_HOME=/opt/shibboleth-idp" + database: + image: postgres:14-alpine + environment: + POSTGRES_PASSWORD: shibui + POSTGRES_USER: shibui + POSTGRES_DB: shibui + networks: + - backend + volumes: + - database_data:/var/lib/postgresql/data +networks: + reverse-proxy: + idp: + backend: +volumes: + directory_data: + driver: local + directory_config: + driver: local + dynamic_metadata: + driver: local + dynamic_config: + driver: local + database_data: + driver: local diff --git a/testbed/smoke-test/shibui/application.yml b/testbed/smoke-test/shibui/application.yml new file mode 100644 index 000000000..126256f0d --- /dev/null +++ b/testbed/smoke-test/shibui/application.yml 
@@ -0,0 +1,40 @@
+server:
+ forward-headers-strategy: NATIVE
+spring:
+ profiles:
+ include:
+ datasource:
+ platform: postgres
+ driver-class-name: org.postgresql.Driver
+ url: jdbc:postgresql://database:5432/shibui
+ username: shibui
+ password: shibui
+ jpa:
+ properties:
+ hibernate:
+ dialect: org.hibernate.dialect.PostgreSQLDialect
+shibui:
+ default-password: "{noop}letmein7"
+ metadata-dir: /var/shibboleth/dynamic_metadata
+ metadataProviders:
+ target: file:/var/shibboleth/dynamic_config/metadata-providers.xml
+ user-bootstrap-resource: file:/conf/users.csv
+ roles: ROLE_ADMIN,ROLE_NONE,ROLE_USER,ROLE_ENABLE,ROLE_PONY
+ pac4j-enabled: true
+ pac4j:
+ keystorePath: "/conf/samlKeystore.jks"
+ keystorePassword: "changeit"
+ privateKeyPassword: "changeit"
+ serviceProviderEntityId: "https://unicon.net/test/shibui"
+ serviceProviderMetadataPath: "/conf/sp-metadata.xml"
+ identityProviderMetadataPath: "/conf/idp-metadata.xml"
+ forceServiceProviderMetadataGeneration: true
+ callbackUrl: "https://shibui.unicon.local/callback"
+ maximumAuthenticationLifetime: 3600000
+ simpleProfileMapping:
+ username: urn:oid:0.9.2342.19200300.100.1.1
+ firstName: urn:oid:2.5.4.42
+ lastName: urn:oid:2.5.4.4
+ email: urn:oid:0.9.2342.19200300.100.1.3
+ groups: urn:oid:2.5.4.15 # businessCategory
+ roles: urn:oid:1.3.6.1.4.1.5923.1.1.1.7 # eduPersonEntitlement
From 90d05708210edb769d2540f8c95c53040d8bb26c Mon Sep 17 00:00:00 2001 
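Review bot: `maximumAuthenticationLifetime: 3600000` reads like a milliseconds value; if the pac4j `SAML2Configuration` this feeds interprets it in seconds (pac4j's own default is 3600), the SP would accept assertions whose AuthnInstant is roughly 41 days old, so the unit is worth confirming against the pac4j version in use and recording next to the value, e.g. `# seconds (pac4j default 3600)`. `forward-headers-strategy: NATIVE` makes the application trust X-Forwarded-* headers from any direct client; that appears safe here only because shib-idp-ui publishes no ports and is reached solely through Traefik on the compose networks, which deserves a one-line comment beside the setting.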
From: Sean Porth Date: Fri, 5 Aug 2022 14:45:00 -0400 Subject: [PATCH 2/8] auth and integration testbeds combined Former-commit-id: 09cf8130a77974ecff8968d079945b9cb8d4017b --- testbed/smoke-test/docker-compose.yml | 17 +-- .../shibboleth-idp/conf/access-control.xml | 68 ++++++++++++ .../conf/metadata-providers.xml | 101 ++++++++++++++++++ .../metadata/test-provider-config.xml | 38 +++++++ 4 files changed, 217 insertions(+), 7 deletions(-) create mode 100644 testbed/smoke-test/shibboleth-idp/conf/access-control.xml create mode 100644 testbed/smoke-test/shibboleth-idp/conf/metadata-providers.xml create mode 100644 testbed/smoke-test/shibboleth-idp/metadata/test-provider-config.xml diff --git a/testbed/smoke-test/docker-compose.yml b/testbed/smoke-test/docker-compose.yml index ec2f2c854..0c92cad01 100644 --- a/testbed/smoke-test/docker-compose.yml +++ b/testbed/smoke-test/docker-compose.yml @@ -10,7 +10,7 @@ services: - "--entrypoints.web-secure.address=:443" - "--providers.file.directory=/configuration/" - "--providers.file.watch=true" - # - "--log.level=DEBUG" + #- "--log.level=DEBUG" networks: reverse-proxy: aliases: @@ -43,7 +43,7 @@ services: - "traefik.http.routers.idp.rule=Host(`idp.unicon.local`)" - "traefik.http.services.idp.loadbalancer.server.port=8080" - "traefik.http.routers.idp.tls=true" - - "traefik.docker.network=integration_reverse-proxy" + - "traefik.docker.network=smoke-test_reverse-proxy" - "traefik.enable=true" depends_on: - directory 
@@ -52,11 +52,14 @@ services: - reverse-proxy - idp volumes: - - ../directory/certs/ca.crt:/opt/shibboleth-idp/credentials/ldap-server.crt - dynamic_metadata:/opt/shibboleth-idp/metadata/dynamic - dynamic_config:/opt/shibboleth-idp/conf/dynamic - - ../integration/shibboleth-idp/metadata/dynamic:/opt/shibboleth-idp/metadata/dynamic + - ../directory/certs/ca.crt:/opt/shibboleth-idp/credentials/ldap-server.crt - ../authentication/shibboleth-idp/config/shib-idp/conf/attribute-filter.xml:/opt/shibboleth-idp/conf/attribute-filter.xml + - ./shibboleth-idp/conf/metadata-providers.xml:/opt/shibboleth-idp/conf/metadata-providers.xml + - ./shibboleth-idp/conf/access-control.xml:/opt/shibboleth-idp/conf/access-control.xml + - ./shibboleth-idp/metadata/test-provider-config.xml:/opt/shibboleth-idp/metadata/test-provider-config.xml + - ../integration/shibboleth-idp/metadata/dynamic/700bfe6fa4495100f5c193fa5b7ca4192c150923.xml:/opt/shibboleth-idp/metadata/700bfe6fa4495100f5c193fa5b7ca4192c150923.xml healthcheck: disable: true shib-idp-ui: @@ -65,16 +68,16 @@ services: - "traefik.http.routers.shibui.rule=Host(`shibui.unicon.local`)" - "traefik.http.services.shibui.loadbalancer.server.port=8080" - "traefik.http.routers.shibui.tls=true" - - "traefik.docker.network=integration_reverse-proxy" + - "traefik.docker.network=smoke-test_reverse-proxy" - "traefik.enable=true" networks: - reverse-proxy - backend volumes: - - ../authentication/shibui:/conf - - ./shibui/application.yml:/application.yml - dynamic_metadata:/var/shibboleth/dynamic_metadata - dynamic_config:/var/shibboleth/dynamic_config + - ../authentication/shibui:/conf + - ./shibui/application.yml:/application.yml - ../integration/shibboleth-idp/credentials/shib-idp/inc-md-cert-mdq.pem:/opt/shibboleth-idp/credentials/inc-md-cert-mdq.pem environment: - "IDP_HOME=/opt/shibboleth-idp" 
diff --git a/testbed/smoke-test/shibboleth-idp/conf/access-control.xml b/testbed/smoke-test/shibboleth-idp/conf/access-control.xml new file mode 100644 index 000000000..053bc22c7 --- /dev/null +++ b/testbed/smoke-test/shibboleth-idp/conf/access-control.xml @@ -0,0 +1,68 @@ + + + + + + + + + + + + + + + + + + + + diff --git a/testbed/smoke-test/shibboleth-idp/conf/metadata-providers.xml b/testbed/smoke-test/shibboleth-idp/conf/metadata-providers.xml new file mode 100644 index 000000000..bd90a4751 --- /dev/null +++ b/testbed/smoke-test/shibboleth-idp/conf/metadata-providers.xml @@ -0,0 +1,101 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + https://mdq.incommon.org/ + + + diff --git a/testbed/smoke-test/shibboleth-idp/metadata/test-provider-config.xml b/testbed/smoke-test/shibboleth-idp/metadata/test-provider-config.xml new file mode 100644 index 000000000..caec9caf4 --- /dev/null +++ b/testbed/smoke-test/shibboleth-idp/metadata/test-provider-config.xml 
@@ -0,0 +1,38 @@ + + + + + + +MIIECDCCAnCgAwIBAgIUXOD+38b0Cpaynm5Wrclnzigz9rcwDQYJKoZIhvcNAQEL +BQAwHTEbMBkGA1UEAxMSdW5pY29uLXNwb3J0aC0yNjU4MB4XDTIyMDgwNTE3MDE1 +NloXDTMyMDgwMjE3MDE1NlowHTEbMBkGA1UEAxMSdW5pY29uLXNwb3J0aC0yNjU4 +MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAynP0dUXXr0yb4oAYT5OG +/ik+24jor0W0Z/0T0g3C4IXqDMHMdHlfPSrp6rf+PDlS+0L+GCZQC2IpntmGNEdf +miCs9UcssZ3aBHoch0R0Og4rxu74Vk488NVXHsX75RTom5B0atPGxdmHRNIPUPNp +F4AqAMMV18y35+ElJj5UuPZe9QEgJVzGqdH0dGvaNFPZfB7HCD7lGJiO0Remhufn +umwrRqfQETmefCD4Wrv60I4LgUrUSqlZTpD4TaR3o1N6uSKaJPy7iANqQXoEqc3p +jbiM+Tkv6t+q6FbEIF3zKwODzHcycaVYzqOxzVMGWtyPADBm3P/8wvDZnHWEqAcy +9cHY7THHq8s6bdR8aIO+T0uvIqXJAO0orGVJ4b1X2OBRRneUVtxFbzbAXWN+wwKW +Xn8M1sP9hteV9CAkp4nbyPnfwWlZYaN48QytMZhu3oQywlcc/VuDEst04IeAt/1f +YTWmSliJwAduFXpRtQjgB/ejfLUkJHugNJe2N23dNb8ZAgMBAAGjQDA+MB0GA1Ud +EQQWMBSCEnVuaWNvbi1zcG9ydGgtMjY1ODAdBgNVHQ4EFgQUuAUQzGLs2Psbx5aw +ec5sz66h4TIwDQYJKoZIhvcNAQELBQADggGBAEqDt2lXrAEJ80yWLYZKM2qdif5j +DbFI4oGMJ+6Wicfjh9iSm6CG2pSdZllypNLd7KmUJbGFS5wmP7qPAiPLOiHn6hBC +L5ke3y8bJsaEazOmZt0IgKv2w6naEAfvR5dKbEbXsipf/k+WHyk6uLFoz9iGxZ0g +f8MA+nWa1tJcPcGVOReN3wNNeBaRZ5y0r6oWSpwYtoBJH+wp2EoLPYhOXFjUoAZ0 +d4b+G2x9FyHU4yfnN9sTLocl/BVDiVdazMQqSvZDSWbccRsD8sz4BaLnXkLOtulv +0qOYuVTdCivgU0lBMhvXjiEpn0ZwU+UlSgtfEgaVP8pZVgHxKrMhoOxAe85dNHun +RyYCrByqg4lyFGzRKSTAUlx0YittvEyYOEqbSsXExViSIl+elg4PtghsYAaUphm4 ++FHJo8B1rNNQp4vqikGF2WOr3D2usIS9ZbiGvTC0M8TSG39jGCqgQZaclV2yshEC +cXQllPfIyCtMzlaGVjpXPEqahwkug4ywml9yAw== + + + + + + + + + + From fb95938505137c4f2d16a8a9cfae26a365dd7b21 Mon Sep 17 00:00:00 2001 
From: Sean Porth Date: Mon, 8 Aug 2022 15:59:20 -0400 Subject: [PATCH 3/8] added ability to switch database backends Former-commit-id: d5595768a00fe18cb7df74399cafb0ee307a9eaf --- .../mariadb.docker-compose.override.yml | 19 +++++++++++++ testbed/smoke-test/db_configs/mariadb.yml | 13 +++++++++ .../mysql.docker-compose.override.yml | 19 +++++++++++++ testbed/smoke-test/db_configs/mysql.yml | 13 +++++++++ testbed/smoke-test/db_configs/postgres.yml | 13 +++++++++ .../sqlServer.docker-compose.override.yml | 17 ++++++++++++ testbed/smoke-test/db_configs/sqlServer.yml | 13 +++++++++ testbed/smoke-test/docker-compose.yml | 22 ++++++++------- testbed/smoke-test/setdb.sh | 22 +++++++++++++++ testbed/smoke-test/shibui/application.yml | 26 +++++++++--------- .../smoke-test/shibui/application.yml.nodb | 27 +++++++++++++++++++ 11 files changed, 181 insertions(+), 23 deletions(-) create mode 100644 testbed/smoke-test/db_configs/mariadb.docker-compose.override.yml create mode 100644 testbed/smoke-test/db_configs/mariadb.yml create mode 100644 testbed/smoke-test/db_configs/mysql.docker-compose.override.yml create mode 100644 testbed/smoke-test/db_configs/mysql.yml create mode 100644 testbed/smoke-test/db_configs/postgres.yml create mode 100644 testbed/smoke-test/db_configs/sqlServer.docker-compose.override.yml create mode 100644 testbed/smoke-test/db_configs/sqlServer.yml create mode 100755 testbed/smoke-test/setdb.sh create mode 100644 testbed/smoke-test/shibui/application.yml.nodb diff --git a/testbed/smoke-test/db_configs/mariadb.docker-compose.override.yml b/testbed/smoke-test/db_configs/mariadb.docker-compose.override.yml new file mode 100644 index 000000000..ad9f8ae09 --- /dev/null +++ b/testbed/smoke-test/db_configs/mariadb.docker-compose.override.yml 
@@ -0,0 +1,19 @@
+services:
+ database:
+ image: mariadb
+ environment:
+ MYSQL_DATABASE: shibui
+ MYSQL_USER: shibui
+ MYSQL_PASSWORD: shibui
+ MYSQL_ROOT_PASSWORD: root
+ healthcheck:
+ test: mysql -u shibui --password=shibui shibui -e "select 1"
+ interval: 5s
+ retries: 5
+ start_period: 5s
+ timeout: 10s
+ shib-idp-ui:
+ depends_on:
+ database:
+ condition: service_healthy
+ 
\ No newline at end of file
diff --git a/testbed/smoke-test/db_configs/mariadb.yml b/testbed/smoke-test/db_configs/mariadb.yml
new file mode 100644
index 000000000..9b64f680f
--- /dev/null
+++ b/testbed/smoke-test/db_configs/mariadb.yml
@@ -0,0 +1,13 @@
+spring:
+ profiles:
+ include:
+ datasource:
+ platform: mysql
+ driver-class-name: com.mariadb.jdbc.Driver
+ url: jdbc:mariadb://database:3306/shibui
+ username: shibui
+ password: shibui
+ jpa:
+ properties:
+ hibernate:
+ dialect: org.hibernate.dialect.MariaDB103Dialect
diff --git a/testbed/smoke-test/db_configs/mysql.docker-compose.override.yml b/testbed/smoke-test/db_configs/mysql.docker-compose.override.yml
new file mode 100644
index 000000000..6d511c7e6
--- /dev/null
+++ b/testbed/smoke-test/db_configs/mysql.docker-compose.override.yml
@@ -0,0 +1,19 @@
+services:
+ database:
+ image: mysql
+ environment:
+ MYSQL_DATABASE: shibui
+ MYSQL_USER: shibui
+ MYSQL_PASSWORD: shibui
+ MYSQL_ROOT_PASSWORD: root
+ healthcheck:
+ test: mysql -u shibui --password=shibui shibui -e "select 1"
+ interval: 5s
+ retries: 5
+ start_period: 5s
+ timeout: 10s
+ shib-idp-ui:
+ depends_on:
+ database:
+ condition: service_healthy
+ 
\ No newline at end of file
diff --git a/testbed/smoke-test/db_configs/mysql.yml b/testbed/smoke-test/db_configs/mysql.yml
new file mode 100644
index 000000000..b3d434d8a
--- /dev/null
+++ b/testbed/smoke-test/db_configs/mysql.yml
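Review bot: The healthcheck `test: mysql -u shibui --password=shibui shibui -e "select 1"` puts the database password on a command line, where it is visible in `docker inspect` output and in the container's process list; the identical line appears in mysql.docker-compose.override.yml in this same commit. The credential-free liveness probe `test: mysqladmin ping -h localhost` is enough to gate `service_healthy` (mysqladmin returns success whenever the server answers, even with access denied), or the password can be supplied through the `MYSQL_PWD` variable the mysql client honours instead of an argument. Both override files also end in a whitespace-only line without a trailing newline, which is what the `\ No newline at end of file` marker is reporting.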
@@ -0,0 +1,13 @@
+spring:
+ profiles:
+ include:
+ datasource:
+ platform: mysql
+ driver-class-name: com.mysql.cj.jdbc.Driver
+ url: jdbc:mysql://database:3306/shibui
+ username: shibui
+ password: shibui
+ jpa:
+ properties:
+ hibernate:
+ dialect: org.hibernate.dialect.MySQL8Dialect
diff --git a/testbed/smoke-test/db_configs/postgres.yml b/testbed/smoke-test/db_configs/postgres.yml
new file mode 100644
index 000000000..c9117f2e5
--- /dev/null
+++ b/testbed/smoke-test/db_configs/postgres.yml
@@ -0,0 +1,13 @@
+spring:
+ profiles:
+ include:
+ datasource:
+ platform: postgres
+ driver-class-name: org.postgresql.Driver
+ url: jdbc:postgresql://database:5432/shibui
+ username: shibui
+ password: shibui
+ jpa:
+ properties:
+ hibernate:
+ dialect: org.hibernate.dialect.PostgreSQLDialect
\ No newline at end of file
diff --git a/testbed/smoke-test/db_configs/sqlServer.docker-compose.override.yml b/testbed/smoke-test/db_configs/sqlServer.docker-compose.override.yml
new file mode 100644
index 000000000..13d5a0670
--- /dev/null
+++ b/testbed/smoke-test/db_configs/sqlServer.docker-compose.override.yml
@@ -0,0 +1,17 @@
+services:
+ database:
+ build:
+ context: ../sqlServer
+ dockerfile: ../sqlServer/docker/Dockerfile
+ image: smoke-test_database
+# healthcheck:
+# test: mysql -u shibui --password=shibui shibui -e "select 1"
+# interval: 5s
+# retries: 5
+# start_period: 5s
+# timeout: 10s
+# shib-idp-ui:
+# depends_on:
+# database:
+# condition: service_healthy
+ 
\ No newline at end of file
diff --git a/testbed/smoke-test/db_configs/sqlServer.yml b/testbed/smoke-test/db_configs/sqlServer.yml
new file mode 100644
index 000000000..d6e7a3e68
--- /dev/null
+++ b/testbed/smoke-test/db_configs/sqlServer.yml 
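Review bot: The sqlServer override comments out both the healthcheck and the `depends_on … condition: service_healthy` block, so nothing waits for SQL Server to finish starting; the docker-compose.yml change in this same patch only uses `condition: service_started`, which lets shibui start before the database accepts connections. The commented-out probe is the mysql one and would not work against SQL Server anyway, so either replace it with an sqlcmd-based probe or delete the dead lines rather than carrying them along. `dockerfile` is resolved relative to `context`, so `dockerfile: docker/Dockerfile` is the intended form of `dockerfile: ../sqlServer/docker/Dockerfile`.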
@@ -0,0 +1,13 @@ +spring: + profiles: + include: + datasource: + platform: sqlserver + driver-class-name: com.microsoft.sqlserver.jdbc.SQLServerDriver + url: jdbc:sqlserver://database:1433 + username: sa + password: Password1 + jpa: + properties: + hibernate: + dialect: org.hibernate.dialect.SQLServerDialect \ No newline at end of file diff --git a/testbed/smoke-test/docker-compose.yml b/testbed/smoke-test/docker-compose.yml index 0c92cad01..9e2ac5340 100644 --- a/testbed/smoke-test/docker-compose.yml +++ b/testbed/smoke-test/docker-compose.yml @@ -37,6 +37,14 @@ services: LDAP_DOMAIN: "unicon.local" HOSTNAME: "directory" LDAP_TLS_VERIFY_CLIENT: "try" + database: + image: postgres:14-alpine + networks: + - backend + environment: + POSTGRES_PASSWORD: shibui + POSTGRES_USER: shibui + POSTGRES_DB: shibui idp: build: ../integration/shibboleth-idp labels: @@ -70,6 +78,9 @@ services: - "traefik.http.routers.shibui.tls=true" - "traefik.docker.network=smoke-test_reverse-proxy" - "traefik.enable=true" + depends_on: + database: + condition: service_started networks: - reverse-proxy - backend @@ -81,16 +92,7 @@ services: - ../integration/shibboleth-idp/credentials/shib-idp/inc-md-cert-mdq.pem:/opt/shibboleth-idp/credentials/inc-md-cert-mdq.pem environment: - "IDP_HOME=/opt/shibboleth-idp" - database: - image: postgres:14-alpine - environment: - POSTGRES_PASSWORD: shibui - POSTGRES_USER: shibui - POSTGRES_DB: shibui - networks: - - backend - volumes: - - database_data:/var/lib/postgresql/data + networks: reverse-proxy: idp: diff --git a/testbed/smoke-test/setdb.sh b/testbed/smoke-test/setdb.sh new file mode 100755 index 000000000..e4347a298 --- /dev/null +++ b/testbed/smoke-test/setdb.sh 
@@ -0,0 +1,22 @@ +#!/bin/bash + +DB=$1 + +if [[ ! "$DB" =~ ^(postgres|mariadb|mysql|sqlServer)$ ]]; +then + echo "argument mst be one of: postgres mariadb mysql sqlServer" + exit 0; +fi + +if [[ $DB == "postgres" ]]; +then +rm -f docker-compose.override.yml +else +rm -f docker-compose.override.yml +ln -s db_configs/$DB.docker-compose.override.yml docker-compose.override.yml +fi + +rm -f shibui/application.yml +cat shibui/application.yml.nodb db_configs/$DB.yml >> shibui/application.yml + +echo "shibui will now use the $DB container" diff --git a/testbed/smoke-test/shibui/application.yml b/testbed/smoke-test/shibui/application.yml index 126256f0d..df9137c0b 100644 --- a/testbed/smoke-test/shibui/application.yml +++ b/testbed/smoke-test/shibui/application.yml @@ -1,18 +1,5 @@ server: forward-headers-strategy: NATIVE -spring: - profiles: - include: - datasource: - platform: postgres - driver-class-name: org.postgresql.Driver - url: jdbc:postgresql://database:5432/shibui - username: shibui - password: shibui - jpa: - properties: - hibernate: - dialect: org.hibernate.dialect.PostgreSQLDialect shibui: default-password: "{noop}letmein7" metadata-dir: /var/shibboleth/dynamic_metadata @@ -38,3 +25,16 @@ shibui: email: urn:oid:0.9.2342.19200300.100.1.3 groups: urn:oid:2.5.4.15 # businessCategory roles: urn:oid:1.3.6.1.4.1.5923.1.1.1.7 # eduPersonEntitlement +spring: + profiles: + include: + datasource: + platform: postgres + driver-class-name: org.postgresql.Driver + url: jdbc:postgresql://database:5432/shibui + username: shibui + password: shibui + jpa: + properties: + hibernate: + dialect: org.hibernate.dialect.PostgreSQLDialect \ No newline at end of file diff --git a/testbed/smoke-test/shibui/application.yml.nodb b/testbed/smoke-test/shibui/application.yml.nodb new file mode 100644 index 000000000..b4a070c2c --- /dev/null +++ b/testbed/smoke-test/shibui/application.yml.nodb 
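Review bot: The argument check exits with `exit 0`, so a misspelled database name reports success to whatever calls the script; it should be `exit 1`. Every path the script touches (`docker-compose.override.yml`, `shibui/application.yml`, `db_configs/…`) is relative to the current directory, so a `cd "$(dirname "$0")"` near the top would make it safe to run from anywhere, and `set -euo pipefail` would stop a missing `db_configs/$DB.yml` from leaving a half-written application.yml behind. After `rm -f shibui/application.yml` the `>>` redirect can be a plain `>`, which states the intent to rebuild the file rather than append to it.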
@@ -0,0 +1,27 @@
+server:
+ forward-headers-strategy: NATIVE
+shibui:
+ default-password: "{noop}letmein7"
+ metadata-dir: /var/shibboleth/dynamic_metadata
+ metadataProviders:
+ target: file:/var/shibboleth/dynamic_config/metadata-providers.xml
+ user-bootstrap-resource: file:/conf/users.csv
+ roles: ROLE_ADMIN,ROLE_NONE,ROLE_USER,ROLE_ENABLE,ROLE_PONY
+ pac4j-enabled: true
+ pac4j:
+ keystorePath: "/conf/samlKeystore.jks"
+ keystorePassword: "changeit"
+ privateKeyPassword: "changeit"
+ serviceProviderEntityId: "https://unicon.net/test/shibui"
+ serviceProviderMetadataPath: "/conf/sp-metadata.xml"
+ identityProviderMetadataPath: "/conf/idp-metadata.xml"
+ forceServiceProviderMetadataGeneration: true
+ callbackUrl: "https://shibui.unicon.local/callback"
+ maximumAuthenticationLifetime: 3600000
+ simpleProfileMapping:
+ username: urn:oid:0.9.2342.19200300.100.1.1
+ firstName: urn:oid:2.5.4.42
+ lastName: urn:oid:2.5.4.4
+ email: urn:oid:0.9.2342.19200300.100.1.3
+ groups: urn:oid:2.5.4.15 # businessCategory
+ roles: urn:oid:1.3.6.1.4.1.5923.1.1.1.7 # eduPersonEntitlement
From 713038872d24e4e280cae2419eed9d6f8c5c8032 Mon Sep 17 00:00:00 2001 
From: Sean Porth Date: Tue, 9 Aug 2022 09:47:23 -0400 Subject: [PATCH 4/8] cleanup, fix mariadb driver name Former-commit-id: d005502b82ee636664925b5b2ac9f596031ee602 --- .../db_configs/{mariadb.yml => mariadb.application.yml} | 2 +- .../smoke-test/db_configs/{mysql.yml => mysql.application.yml} | 0 .../db_configs/{postgres.yml => postgres.application.yml} | 0 .../db_configs/{sqlServer.yml => sqlServer.application.yml} | 0 testbed/smoke-test/setdb.sh | 2 +- 5 files changed, 2 insertions(+), 2 deletions(-) rename testbed/smoke-test/db_configs/{mariadb.yml => mariadb.application.yml} (84%) rename testbed/smoke-test/db_configs/{mysql.yml => mysql.application.yml} (100%) rename testbed/smoke-test/db_configs/{postgres.yml => postgres.application.yml} (100%) rename testbed/smoke-test/db_configs/{sqlServer.yml => sqlServer.application.yml} (100%) diff --git a/testbed/smoke-test/db_configs/mariadb.yml b/testbed/smoke-test/db_configs/mariadb.application.yml similarity index 84% rename from testbed/smoke-test/db_configs/mariadb.yml rename to testbed/smoke-test/db_configs/mariadb.application.yml index 9b64f680f..a42a5c8bc 100644 --- a/testbed/smoke-test/db_configs/mariadb.yml +++ b/testbed/smoke-test/db_configs/mariadb.application.yml @@ -3,7 +3,7 @@ spring: include: datasource: platform: mysql - driver-class-name: com.mariadb.jdbc.Driver + driver-class-name: org.mariadb.jdbc.Driver url: jdbc:mariadb://database:3306/shibui username: shibui password: shibui diff --git a/testbed/smoke-test/db_configs/mysql.yml b/testbed/smoke-test/db_configs/mysql.application.yml similarity index 100% rename from testbed/smoke-test/db_configs/mysql.yml rename to testbed/smoke-test/db_configs/mysql.application.yml diff --git a/testbed/smoke-test/db_configs/postgres.yml b/testbed/smoke-test/db_configs/postgres.application.yml similarity index 100% rename from testbed/smoke-test/db_configs/postgres.yml rename to testbed/smoke-test/db_configs/postgres.application.yml 
diff --git a/testbed/smoke-test/db_configs/sqlServer.yml b/testbed/smoke-test/db_configs/sqlServer.application.yml similarity index 100% rename from testbed/smoke-test/db_configs/sqlServer.yml rename to testbed/smoke-test/db_configs/sqlServer.application.yml diff --git a/testbed/smoke-test/setdb.sh b/testbed/smoke-test/setdb.sh index e4347a298..06821b37c 100755 --- a/testbed/smoke-test/setdb.sh +++ b/testbed/smoke-test/setdb.sh @@ -17,6 +17,6 @@ ln -s db_configs/$DB.docker-compose.override.yml docker-compose.override.yml fi rm -f shibui/application.yml -cat shibui/application.yml.nodb db_configs/$DB.yml >> shibui/application.yml +cat shibui/application.yml.nodb db_configs/$DB.application.yml >> shibui/application.yml echo "shibui will now use the $DB container" From 1d75bc1661a10d963eab6742a572a94b26d157d0 Mon Sep 17 00:00:00 2001 From: Sean Porth Date: Tue, 9 Aug 2022 12:48:05 -0400 Subject: [PATCH 5/8] typo Former-commit-id: 7c03bb88d7ee526c0868ff8d0dd8f16e3fbd9b42 --- testbed/smoke-test/setdb.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testbed/smoke-test/setdb.sh b/testbed/smoke-test/setdb.sh index 06821b37c..4795526a2 100755 --- a/testbed/smoke-test/setdb.sh +++ b/testbed/smoke-test/setdb.sh @@ -4,7 +4,7 @@ DB=$1 if [[ ! "$DB" =~ ^(postgres|mariadb|mysql|sqlServer)$ ]]; then - echo "argument mst be one of: postgres mariadb mysql sqlServer" + echo "argument must be one of: postgres mariadb mysql sqlServer" exit 0; fi From 136f35b3de5aad50c91ca08bd788314c0bc5321e Mon Sep 17 00:00:00 2001 
From: chasegawa Date: Mon, 15 Aug 2022 14:59:04 -0700 Subject: [PATCH 6/8] SHIBUI-2333 Added logic to correctly support IDP logout Former-commit-id: dc92857b78f0f8ca91de34ae16fbf2f5e7584c71 --- .../shibui/pac4j/Pac4jConfiguration.java | 34 ++++++++++++------- .../pac4j/Pac4jConfigurationProperties.java | 1 + .../net/unicon/shibui/pac4j/WebSecurity.java | 18 ++++++++-- testbed/authentication/shibui/application.yml | 1 + 4 files changed, 38 insertions(+), 16 deletions(-) diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jConfiguration.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jConfiguration.java index fd018d4b6..5853da065 100644 --- a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jConfiguration.java +++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jConfiguration.java @@ -8,6 +8,7 @@ import net.unicon.shibui.pac4j.authenticator.ShibuiSAML2Authenticator; import org.pac4j.core.client.Clients; import org.pac4j.core.config.Config; +import org.pac4j.core.engine.LogoutLogic; import org.pac4j.core.matching.matcher.PathMatcher; import org.pac4j.core.profile.definition.CommonProfileDefinition; import org.pac4j.http.client.direct.HeaderClient; 
@@ -69,32 +70,39 @@ public Config config(final Pac4jConfigurationProperties pac4jConfigProps, case "SAML2": default: log.info("**** Configuring PAC4J SAML2"); - final SAML2Configuration saml2Config = new SAML2Configuration(); - saml2Config.setKeystorePath(pac4jConfigProps.getKeystorePath()); - saml2Config.setKeystorePassword(pac4jConfigProps.getKeystorePassword()); - saml2Config.setPrivateKeyPassword(pac4jConfigProps.getPrivateKeyPassword()); - saml2Config.setIdentityProviderMetadataPath(pac4jConfigProps.getIdentityProviderMetadataPath()); - saml2Config.setMaximumAuthenticationLifetime(pac4jConfigProps.getMaximumAuthenticationLifetime()); - saml2Config.setServiceProviderEntityId(pac4jConfigProps.getServiceProviderEntityId()); - saml2Config.setServiceProviderMetadataPath(pac4jConfigProps.getServiceProviderMetadataPath()); - saml2Config.setForceServiceProviderMetadataGeneration(pac4jConfigProps.isForceServiceProviderMetadataGeneration()); - saml2Config.setWantsAssertionsSigned(pac4jConfigProps.isWantAssertionsSigned()); - saml2Config.setAttributeAsId(pac4jConfigProps.getSimpleProfileMapping().getUsername()); + final SAML2Configuration saml2Config = buildSaml2ConfigFromPac4JConfiguration(pac4jConfigProps); + final SAML2Client saml2Client = new SAML2Client(saml2Config); + saml2Client.setName(PAC4J_CLIENT_NAME); saml2Client.addAuthorizationGenerator(saml2ModelAuthorizationGenerator); SAML2Authenticator saml2Authenticator = new ShibuiSAML2Authenticator(saml2Config.getAttributeAsId(), saml2Config.getMappedAttributes(), userService); saml2Authenticator.setProfileDefinition(new CommonProfileDefinition(p -> new BetterSAML2Profile(pac4jConfigProps.getSimpleProfileMapping()))); saml2Client.setAuthenticator(saml2Authenticator); - saml2Client.setName(PAC4J_CLIENT_NAME); clients.setClients(saml2Client); break; } config.setClients(clients); return config; } - + + private SAML2Configuration buildSaml2ConfigFromPac4JConfiguration(Pac4jConfigurationProperties pac4jConfigProps) { + 
SAML2Configuration saml2Config = new SAML2Configuration(); + saml2Config.setKeystorePath(pac4jConfigProps.getKeystorePath()); + saml2Config.setKeystorePassword(pac4jConfigProps.getKeystorePassword()); + saml2Config.setPrivateKeyPassword(pac4jConfigProps.getPrivateKeyPassword()); + saml2Config.setIdentityProviderMetadataPath(pac4jConfigProps.getIdentityProviderMetadataPath()); + saml2Config.setMaximumAuthenticationLifetime(pac4jConfigProps.getMaximumAuthenticationLifetime()); + saml2Config.setServiceProviderEntityId(pac4jConfigProps.getServiceProviderEntityId()); + saml2Config.setServiceProviderMetadataPath(pac4jConfigProps.getServiceProviderMetadataPath()); + saml2Config.setForceServiceProviderMetadataGeneration(pac4jConfigProps.isForceServiceProviderMetadataGeneration()); + saml2Config.setWantsAssertionsSigned(pac4jConfigProps.isWantAssertionsSigned()); + saml2Config.setAttributeAsId(pac4jConfigProps.getSimpleProfileMapping().getUsername()); + saml2Config.setPostLogoutURL(pac4jConfigProps.getPostLogoutURL()); + return saml2Config; + } + @Bean public ErrorPageRegistrar errorPageRegistrar() { return this::registerErrorPages; diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jConfigurationProperties.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jConfigurationProperties.java index 30311ba84..19507d1c0 100644 --- a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jConfigurationProperties.java +++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jConfigurationProperties.java @@ -29,6 +29,7 @@ public class Pac4jConfigurationProperties { private String serviceProviderEntityId = "https://unicon.net/shibui"; private String serviceProviderMetadataPath = "/tmp/sp-metadata.xml"; private String typeOfAuth = "SAML2"; + private String postLogoutURL; private boolean wantAssertionsSigned = true; 
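Review bot: `buildSaml2ConfigFromPac4JConfiguration` hands `pac4jConfigProps.getPostLogoutURL()` straight to `saml2Config.setPostLogoutURL`, while the new property has no default and `WebSecurity` in this same patch only enables central logout when it is non-empty; unless pac4j is known to tolerate a null post-logout URL, the helper should guard it the same way, e.g. `if (pac4jConfigProps.getPostLogoutURL() != null) { saml2Config.setPostLogoutURL(pac4jConfigProps.getPostLogoutURL()); }`. The helper uses no instance state and could be `private static`. It also carries no Javadoc; a one-liner such as `/** Copies the shibui pac4j properties onto a fresh SAML2Configuration; postLogoutURL may be unset. */` would record the one non-obvious point. The enclosing `config(...)` method starts before this hunk.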
diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java index 884569ac7..00383f770 100644 --- a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java +++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java @@ -5,10 +5,12 @@ import edu.internet2.tier.shibboleth.admin.ui.security.service.IRolesService; import edu.internet2.tier.shibboleth.admin.ui.security.service.UserService; import edu.internet2.tier.shibboleth.admin.ui.service.EmailService; +import org.jadira.usertype.spi.utils.lang.StringUtils; import org.pac4j.core.authorization.authorizer.DefaultAuthorizers; import org.pac4j.core.config.Config; import org.pac4j.core.matching.matcher.Matcher; import org.pac4j.springframework.security.web.CallbackFilter; +import org.pac4j.springframework.security.web.LogoutFilter; import org.pac4j.springframework.security.web.SecurityFilter; import org.springframework.boot.autoconfigure.AutoConfigureAfter; import org.springframework.boot.autoconfigure.AutoConfigureOrder; 
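Review bot: `import org.jadira.usertype.spi.utils.lang.StringUtils;` borrows a string helper from the Jadira Hibernate user-type library, a persistence-layer dependency that a security configuration class should not rely on staying on the classpath. `org.springframework.util.StringUtils.hasText(...)`, already present with Spring Security, covers the `isNotEmpty` check in the next hunk and additionally rejects a blank value, which is what a URL setting wants: `import org.springframework.util.StringUtils;` and `if (StringUtils.hasText(pac4jConfigurationProperties.getPostLogoutURL())) {`.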
@@ -67,9 +69,19 @@ protected void configure(HttpSecurity http) throws Exception {
 // adding the authorizor bypasses the default behavior of checking CSRF in Pac4J's default securitylogic+defaultauthorizationchecker
 final SecurityFilter securityFilter = new SecurityFilter(this.config, PAC4J_CLIENT_NAME, DefaultAuthorizers.IS_AUTHENTICATED);
- // add filter based on auth type
- http.antMatcher("/**").addFilterBefore(getFilter(config, pac4jConfigurationProperties.getTypeOfAuth()), BasicAuthenticationFilter.class);
+ final LogoutFilter logoutFilter = new LogoutFilter(config);
+ logoutFilter.setLocalLogout(Boolean.TRUE);
+ if (StringUtils.isNotEmpty(pac4jConfigurationProperties.getPostLogoutURL())){
+ logoutFilter.setSuffix("login"); // "logout" is redirected before we ever hit the filters - sent to /login?logout
+ logoutFilter.setCentralLogout(Boolean.TRUE);
+ logoutFilter.setDefaultUrl(pac4jConfigurationProperties.getPostLogoutURL());
+ }
+
+ // add filters
+ http.antMatcher("/**").addFilterBefore(logoutFilter, BasicAuthenticationFilter.class);
+ http.antMatcher("/**").addFilterBefore(getFilter(pac4jConfigurationProperties.getTypeOfAuth()), BasicAuthenticationFilter.class);
 http.antMatcher("/**").addFilterBefore(securityFilter, BasicAuthenticationFilter.class);
+ // add the new user filter
 http.addFilterAfter(new AddNewUserFilter(pac4jConfigurationProperties, userService, rolesService, getPathMatcher("exclude-paths-matcher"), groupService, emailService), SecurityFilter.class);
@@ -84,7 +96,7 @@ private Matcher getPathMatcher(String name) {
 return config.getMatchers().get(name);
 }
- private Filter getFilter(Config config2, String typeOfAuth) {
+ private Filter getFilter(String typeOfAuth) {
 switch (typeOfAuth) {
 case "SAML2":
 return new CallbackFilter(this.config);
diff --git a/testbed/authentication/shibui/application.yml b/testbed/authentication/shibui/application.yml
index 14085a9b7..cb789f06c 100644
--- a/testbed/authentication/shibui/application.yml
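Review bot: `logoutFilter.setSuffix("login")` scopes the pac4j LogoutFilter to every request whose path ends in `login`, not only to the `/login?logout` redirect the inline comment describes (as far as I recall pac4j matches the suffix against the end of the request path and ignores the query string), so a plain visit to `/login` would also run a local logout and, with central logout enabled in the same block, bounce the browser to the IdP logout endpoint. If the application's own sign-in entry point is `/login` as well (the path configuration is not visible from this hunk) that makes normal login unreachable once `postLogoutURL` is set; a dedicated suffix such as `logoutFilter.setSuffix("pac4jLogout")` (constructed example) with Spring Security's logout success URL pointed at that path would limit the filter to genuine logout requests. The same suffix is retained by the later SHIBUI-2333 hunk of this file, so the point applies there too. The enclosing `configure` method begins before this hunk and continues after it.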
+++ b/testbed/authentication/shibui/application.yml
@@ -18,6 +18,7 @@ shibui:
 forceServiceProviderMetadataGeneration: true
 callbackUrl: "https://shibui.unicon.local/callback"
 maximumAuthenticationLifetime: 3600000
+ postLogoutURL: "https://idp.unicon.local/idp/profile/Logout"
 simpleProfileMapping:
 username: urn:oid:0.9.2342.19200300.100.1.1
 firstName: urn:oid:2.5.4.42
From 6fd4e8dfa0e1bd0650758ca6d6205b3221929cfc Mon Sep 17 00:00:00 2001
From: chasegawa
Date: Mon, 15 Aug 2022 15:15:03 -0700
Subject: [PATCH 7/8] SHIBUI-2333 Added logic to correctly support IDP logout
Former-commit-id: 3c212397b7c31755739ef36aaaa9b7cce65cebce
---
 backend/src/main/resources/application.yml | 1 +
 .../main/java/net/unicon/shibui/pac4j/WebSecurity.java | 9 +++++----
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/backend/src/main/resources/application.yml b/backend/src/main/resources/application.yml
index ffeab970c..0d2308307 100644
--- a/backend/src/main/resources/application.yml
+++ b/backend/src/main/resources/application.yml
@@ -22,6 +22,7 @@
 # identityProviderMetadataPath: "/etc/shibui/idp-metadata.xml"
 # forceServiceProviderMetadataGeneration: false
 # callbackUrl: "https://localhost:8443/callback"
+# postLogoutURL: "https://idp.example.com/idp/profile/Logout" # Must set this to get IDP logout
 # maximumAuthenticationLifetime: 3600000
 # requireAssertedRoleForNewUsers: false
 # saml2ProfileMapping:
diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java
index 00383f770..cc5ce8e25 100644
--- a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java
+++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java
@@ -66,19 +66,20 @@ public Pac4jWebSecurityConfigurerAdapter(final Config config, UserService userSe
 protected void configure(HttpSecurity http) throws Exception {
 http.authorizeRequests().antMatchers("/unsecured/**/*").permitAll();
- // adding the authorizor bypasses the default behavior of checking CSRF in Pac4J's default securitylogic+defaultauthorizationchecker
+ // adding the authorizer bypasses the default behavior of checking CSRF in Pac4J's default securitylogic+defaultauthorizationchecker
 final SecurityFilter securityFilter = new SecurityFilter(this.config, PAC4J_CLIENT_NAME, DefaultAuthorizers.IS_AUTHENTICATED);
- final LogoutFilter logoutFilter = new LogoutFilter(config);
- logoutFilter.setLocalLogout(Boolean.TRUE);
+ // If the post logout URL is configured, setup the logout filter
 if (StringUtils.isNotEmpty(pac4jConfigurationProperties.getPostLogoutURL())){
+ final LogoutFilter logoutFilter = new LogoutFilter(config);
+ logoutFilter.setLocalLogout(Boolean.TRUE);
 logoutFilter.setSuffix("login"); // "logout" is redirected before we ever hit the filters - sent to /login?logout
 logoutFilter.setCentralLogout(Boolean.TRUE);
 logoutFilter.setDefaultUrl(pac4jConfigurationProperties.getPostLogoutURL());
+ http.antMatcher("/**").addFilterBefore(logoutFilter, BasicAuthenticationFilter.class);
 }
 // add filters
- http.antMatcher("/**").addFilterBefore(logoutFilter, BasicAuthenticationFilter.class);
 http.antMatcher("/**").addFilterBefore(getFilter(pac4jConfigurationProperties.getTypeOfAuth()), BasicAuthenticationFilter.class);
 http.antMatcher("/**").addFilterBefore(securityFilter, BasicAuthenticationFilter.class);
From c810e209539ab12824daac6b3475c14ea31ffac3 Mon Sep 17 00:00:00 2001
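Review bot: After this restructuring no pac4j `LogoutFilter` is registered at all when `postLogoutURL` is unset, whereas the removed `- final LogoutFilter logoutFilter = new LogoutFilter(config);` / `- logoutFilter.setLocalLogout(Boolean.TRUE);` lines always performed a local logout, so the `/login?logout` flow now relies solely on Spring Security's own logout handling to drop the pac4j profile from the session. If that is the intended trade-off, the `// If the post logout URL is configured, setup the logout filter` comment should say so, e.g. `// Without postLogoutURL no pac4j LogoutFilter is registered; /login?logout then relies on Spring Security's default session invalidation`; if it is not, keep the local-logout filter outside the `if` and move only `setCentralLogout`/`setDefaultUrl` inside it. Please confirm which behaviour is wanted, since I cannot see the Spring Security logout configuration from this hunk. The enclosing `configure` method continues past the end of the hunk.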
From: chasegawa
Date: Tue, 16 Aug 2022 09:26:51 -0700
Subject: [PATCH 8/8] SHIBUI-1699 Correcting date format output for versions to match the date format supplied to the UI in the rest of the application
Former-commit-id: b407e5bf3268323f302092f92f19e8b828953181
---
 .../tier/shibboleth/admin/ui/domain/versioning/Version.java | 4 ++--
 .../versioning/VersionJsonSerializationBasicTests.groovy | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/versioning/Version.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/versioning/Version.java
index 100b0fdbd..55fc0566d 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/versioning/Version.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/versioning/Version.java
@@ -26,9 +26,9 @@ public class Version implements Serializable {
 private String creator;
- @JsonFormat(pattern = "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'")
+ @JsonFormat(pattern = "yyyy-MM-dd'T'HH:mm:ss.SSSSSS")
 private ZonedDateTime date;
 private static final long serialVersionUID = 3429591830989243421L;
-}
+}
\ No newline at end of file
diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/domain/versioning/VersionJsonSerializationBasicTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/domain/versioning/VersionJsonSerializationBasicTests.groovy
index b7fecdf4d..2ceb78df6 100644
--- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/domain/versioning/VersionJsonSerializationBasicTests.groovy
+++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/domain/versioning/VersionJsonSerializationBasicTests.groovy
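Review bot: The new `@JsonFormat(pattern = "yyyy-MM-dd'T'HH:mm:ss.SSSSSS")` on a `ZonedDateTime` field emits no zone or offset designator at all, whereas the replaced pattern at least stamped a literal `Z`; unless the ObjectMapper normalises dates to a fixed zone somewhere I cannot see, the serialized `date` now depends on whatever zone each value carries and the client has no way to recover the instant. If the rest of the application emits UTC wall-clock strings, as the commit message implies, pinning it here with `@JsonFormat(pattern = "yyyy-MM-dd'T'HH:mm:ss.SSSSSS", timezone = "UTC")` keeps the output both consistent and deterministic across JVM default zones. The visible assertions in the companion Groovy test (next file section) compare only `id` and `creator`, so a zone mix-up would not be caught there.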
@@ -27,7 +27,7 @@ class VersionJsonSerializationBasicTests extends Specification {
 {
 "id": "2",
 "creator": "kramer",
- "date": "2019-05-20T15:00:00.574Z"
+ "date": "2019-05-20T15:00:00.574000"
 }
 """
 def expectedJsonMap = jsonSlurper.parseText(expectedJson)
@@ -40,4 +40,4 @@ class VersionJsonSerializationBasicTests extends Specification {
 deSerializedJsonMap.id == expectedJsonMap.id
 deSerializedJsonMap.creator == expectedJsonMap.creator
 }
-}
+}
\ No newline at end of file