From 4e264355e6afb609da068be037aa36e7b13e8376 Mon Sep 17 00:00:00 2001 From: chasegawa Date: Thu, 1 Dec 2022 09:10:44 -0700 Subject: [PATCH 1/3] SHIBUI-2393 Change to build process to allow for different application.yml files --- backend/build.gradle | 14 + .../default.yml} | 0 backend/src/main/app-resources/release.yml | 452 ++++++++++++++++++ gradle.properties | 3 + 4 files changed, 469 insertions(+) rename backend/src/main/{resources/application.yml => app-resources/default.yml} (100%) create mode 100644 backend/src/main/app-resources/release.yml diff --git a/backend/build.gradle b/backend/build.gradle index 506df6553..30737e134 100644 --- a/backend/build.gradle +++ b/backend/build.gradle @@ -91,6 +91,20 @@ processResources.dependsOn(':ui:npm_run_buildProd') jar { enabled = true + dependsOn 'copyApplicationYAML' +} + +task copyApplicationYAML(type: Copy) { + if ( "${project.'use.release.app.yml'}".toBoolean() ) { + from 'src/main/app-resources/release.yml' + into 'src/main/resources' + rename { 'application.yml' } + } + else { + from 'src/main/app-resources/default.yml' + into 'src/main/resources' + rename { 'application.yml' } + } } //Integration of the frontend and backend into the build to have all of the UI resources available in the app's executable war diff --git a/backend/src/main/resources/application.yml b/backend/src/main/app-resources/default.yml similarity index 100% rename from backend/src/main/resources/application.yml rename to backend/src/main/app-resources/default.yml diff --git a/backend/src/main/app-resources/release.yml b/backend/src/main/app-resources/release.yml new file mode 100644 index 000000000..006b05506 --- /dev/null +++ b/backend/src/main/app-resources/release.yml @@ -0,0 +1,452 @@ +#spring: +# jpa: +# show-sql: false +# properties: +# hibernate: +# format_sql: true +# dialect: org.hibernate.dialect.PostgreSQL95Dialect +# OR SEE: https://access.redhat.com/webassets/avalon/d/red-hat-jboss-enterprise-application-platform/7.2/javadocs/org/hibernate/dialect/package-summary.html + +#shibui: +## Default password must be set for the default user to be configured and setup +# default-rootuser:root +## need to include the encoding for the password - be sure to quote the entire value as shown +# default-password: "{noop}foopassword" +# pac4j-enabled: true +# pac4j: +# keystorePath: "/etc/shibui/samlKeystore.jks" +# keystorePassword: "changeit" +# privateKeyPassword: "changeit" +# serviceProviderEntityId: "https://idp.example.com/shibui" +# serviceProviderMetadataPath: "/etc/shibui/sp-metadata.xml" +# identityProviderMetadataPath: "/etc/shibui/idp-metadata.xml" +# forceServiceProviderMetadataGeneration: false +# callbackUrl: "https://localhost:8443/callback" +# postLogoutURL: "https://idp.example.com/idp/profile/Logout" # Must set this to get IDP logout +# maximumAuthenticationLifetime: 3600000 +# requireAssertedRoleForNewUsers: false +# saml2ProfileMapping: +# username: urn:oid:0.9.2342.19200300.100.1.1 +# firstname: urn:oid:2.5.4.42 +# lastname: urn:oid:2.5.4.4 +# email: urn:oid:0.9.2342.19200300.100.1.3 +# groups: urn:oid:1.3.6.1.4.1.5923.1.5.1.1 # attributeId - isMemberOf +# roles: --define name of the attribute containing the incoming user roles-- + +custom: + attributes: + # Default attributes + - name: eduPersonPrincipalName + displayName: label.attribute-eduPersonPrincipalName + - name: uid + displayName: label.attribute-uid + - name: mail + displayName: label.attribute-mail + - name: surname + displayName: label.attribute-surname + - name: givenName + displayName: label.attribute-givenName + - name: eduPersonAffiliation + displayName: label.attribute-eduPersonAffiliation + - name: eduPersonScopedAffiliation + displayName: label.attribute-eduPersonScopedAffiliation + - name: eduPersonPrimaryAffiliation + displayName: label.attribute-eduPersonPrimaryAffiliation + - name: eduPersonEntitlement + displayName: label.attribute-eduPersonEntitlement + - name: eduPersonAssurance + displayName: label.attribute-eduPersonAssurance + - name: eduPersonUniqueId + displayName: label.attribute-eduPersonUniqueId + - name: employeeNumber + displayName: label.attribute-employeeNumber + # Custom attributes + + # The following contains a map of "relying party overrides". + # The structure of an entry is as follows: + # - name: The name of the entry. used to uniquely identify this entry. + # displayName: This will normally be the label used when displaying this override in the UI + # displayType: The type to use when displaying this option + # helpText: This is the help-icon hover-over text + # defaultValues: One or more values to be displayed as default options in the UI + # persistType: Optional. If it is necessary to persist something different than the override's display type, + # set that type here. For example, display a boolean, but persist a string. + # persistValue: Required only when persistType is used. Defines the value to be persisted. + # attributeName: This is the name of the attribute to be used in the xml. This is assumed to be a URI. + # attributeFriendlyName: This is the friendly name associated with the above attributeName. + # + # It is imperative when defining these that the "displayType" and "persistType" are known types. + # Typos or unsupported values here will result in that override being skipped! + # Supported types are as follows: boolean, integer, string, set, list + # Note that "persistType" doesn't have to match "displayType". However, the only unmatching combination currently + # supported is a "displayType" of "boolean" and "persistType" of "string". + overrides: + # Default overrides + - name: signAssertion + displayName: label.sign-the-assertion + displayType: boolean + helpText: tooltip.sign-assertion + attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signAssertions + attributeFriendlyName: signAssertions + - name: dontSignResponse + displayName: label.dont-sign-the-response + displayType: boolean + helpText: tooltip.dont-sign-response + attributeName: http://shibboleth.net/ns/profiles/saml2/sso/browser/signResponses + attributeFriendlyName: signResponses + invert: true + - name: turnOffEncryption + displayName: label.turn-off-encryption-of-response + displayType: boolean + helpText: tooltip.turn-off-encryption + attributeName: http://shibboleth.net/ns/profiles/encryptAssertions + attributeFriendlyName: encryptAssertions + invert: true + - name: useSha + displayName: label.use-sha1-signing-algorithm + displayType: boolean + helpText: tooltip.usa-sha-algorithm + persistType: string + persistValue: shibboleth.SecurityConfiguration.SHA1 + attributeName: http://shibboleth.net/ns/profiles/securityConfiguration + attributeFriendlyName: securityConfiguration + protocol: saml,oidc + - name: ignoreAuthenticationMethod + displayName: label.ignore-any-sp-requested-authentication-method + displayType: boolean + helpText: tooltip.ignore-auth-method + persistType: string + persistValue: 0x1 + attributeName: http://shibboleth.net/ns/profiles/disallowedFeatures + attributeFriendlyName: disallowedFeatures + protocol: saml,oidc + - name: omitNotBefore + displayName: label.omit-not-before-condition + displayType: boolean + helpText: tooltip.omit-not-before-condition + attributeName: http://shibboleth.net/ns/profiles/includeConditionsNotBefore + attributeFriendlyName: includeConditionsNotBefore + invert: true + - name: responderId + displayName: label.responder-id + displayType: string + helpText: tooltip.responder-id + attributeName: http://shibboleth.net/ns/profiles/responderId + attributeFriendlyName: responderId + - name: nameIdFormats + displayName: label.nameid-format-to-send + displayType: set + helpText: tooltip.nameid-format + defaultValues: + - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent + - urn:oasis:names:tc:SAML:2.0:nameid-format:transient + attributeName: http://shibboleth.net/ns/profiles/nameIDFormatPrecedence + attributeFriendlyName: nameIDFormatPrecedence + - name: authenticationMethods + displayName: label.authentication-methods-to-use + displayType: set + helpText: tooltip.authentication-methods-to-use + defaultValues: + - https://refeds.org/profile/mfa + - urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken + - urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport + attributeName: http://shibboleth.net/ns/profiles/defaultAuthenticationMethods + attributeFriendlyName: defaultAuthenticationMethods + protocol: saml,oidc + - name: forceAuthn + displayName: label.force-authn + displayType: boolean + helpText: tooltip.force-authn + attributeName: http://shibboleth.net/ns/profiles/forceAuthn + attributeFriendlyName: forceAuthn + - name: ignoreRequestSignatures + displayName: label.ignore-request-signatures + displayType: boolean + helpText: tooltip.ignore-request-signatures + attributeName: http://shibboleth.net/ns/profiles/ignoreRequestSignatures + attributeFriendlyName: ignoreRequestSignatures + - name: postAuthenticationFlows + attributeFriendlyName: postAuthenticationFlows + displayName: label.postAuthenticationFlows + helpText: tooltip.postAuthenticationFlows + displayType: selection_list + defaultValues: + - attribute-release + - expiring-password + - terms-of-use + attributeName: http://shibboleth.net/ns/profiles/postAuthenticationFlows" + protocol: saml,oidc + - name: inboundInterceptorFlows + attributeFriendlyName: inboundInterceptorFlows + displayName: label.inboundInterceptorFlows + helpText: tooltip.inboundInterceptorFlows + displayType: string + attributeName: http://shibboleth.net/ns/profiles/inboundInterceptorFlows + protocol: oidc + - name: outboundInterceptorFlows + attributeFriendlyName: outboundInterceptorFlows + displayName: label.outboundInterceptorFlows + helpText: tooltip.outboundInterceptorFlows + displayType: string + attributeName: http://shibboleth.net/ns/profiles/outboundInterceptorFlows + protocol: oidc + - name: tokenEndpointAuthMethods + attributeFriendlyName: tokenEndpointAuthMethods + displayName: label.tokenEndpointAuthMethods + helpText: tooltip.tokenEndpointAuthMethods + displayType: string + defaultValue: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt + attributeName: http://shibboleth.net/ns/profiles/tokenEndpointAuthMethods + protocol: oidc + - name: proxyCount + attributeFriendlyName: proxyCount + displayName: label.proxyCount + helpText: tooltip.proxyCount + displayType: integer + attributeName: http://shibboleth.net/ns/profiles/proxyCount + protocol: oidc + - name: revocationLifetime + attributeFriendlyName: revocationLifetime + displayName: label.revocationLifetime + helpText: tooltip.revocationLifetime + displayType: string + defaultValue: PT6H + attributeName: http://shibboleth.net/ns/profiles/oauth2/revocation/revocationLifetime + protocol: oidc + - name: revocationMethod + attributeFriendlyName: revocationMethod + displayName: label.revocationMethod + helpText: tooltip.revocationMethod + displayType: selection_list + defaultValues: + - CHAIN + - TOKEN + defaultValue: CHAIN + attributeName: http://shibboleth.net/ns/profiles/oauth2/revocation/revocationMethod + protocol: oidc + - name: accessTokenLifetimeOauth + attributeFriendlyName: accessTokenLifetime + displayName: label.accessTokenLifetime.oauth + helpText: tooltip.accessTokenLifetime.oauth + displayType: string + defaultValue: PT10M + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/accessTokenLifetime + protocol: oidc + - name: accessTokenTypeOauth + attributeFriendlyName: accessTokenType + displayName: label.accessTokenType.oauth + helpText: tooltip.accessTokenType.oauth + displayType: string + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/accessTokenType + protocol: oidc + - name: allowPKCEPlainOauth + attributeFriendlyName: allowPKCEPlainOauth + displayName: label.allowPKCEPlain.oauth + helpText: tooltip.allowPKCEPlain.oauth + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/allowPKCEPlain + protocol: oidc + - name: enforceRefreshTokenRotation + attributeFriendlyName: enforceRefreshTokenRotation + displayName: label.enforceRefreshTokenRotation + helpText: tooltip.enforceRefreshTokenRotation + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/enforceRefreshTokenRotation + protocol: oidc + - name: forcePKCEOauth + attributeFriendlyName: forcePKCEOauth + displayName: label.forcePKCE.oauth + helpText: tooltip.forcePKCE.oauth + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/forcePKCE + protocol: oidc + - name: grantTypes + attributeFriendlyName: grantTypes + displayName: label.grantTypes + helpText: tooltip.grantTypes + displayType: string + defaultValue: authorization_code, refresh_token + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/grantTypes + protocol: oidc + - name: refreshTokenLifetimeOauth + attributeFriendlyName: refreshTokenLifetime + displayName: label.refreshTokenLifetime.oauth + helpText: tooltip.refreshTokenLifetime.oauth + displayType: string + defaultValue: PT2H + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/refreshTokenLifetime + protocol: oidc + - name: resolveAttributesOauth + attributeFriendlyName: resolveAttributesOauth + displayName: label.resolveAttributes.oauth + helpText: tooltip.resolveAttributes.oauth + displayType: boolean + defaultValue: true + attributeName: http://shibboleth.net/ns/profiles/oauth2/token/resolveAttributes + protocol: oidc + - name: authorizationCodeFlowEnabled + attributeFriendlyName: authorizationCodeFlowEnabled + displayName: label.authorizationCodeFlowEnabled + helpText: tooltip.authorizationCodeFlowEnabled + displayType: boolean + defaultValue: true + attributeName: http://shibboleth.net/ns/profiles/authorizationCodeFlowEnabled + protocol: oidc + - name: hybridFlowEnabled + attributeFriendlyName: hybridFlowEnabled + displayName: label.hybridFlowEnabled + helpText: tooltip.hybridFlowEnabled + displayType: boolean + defaultValue: true + attributeName: http://shibboleth.net/ns/profiles/hybridFlowEnabled + protocol: oidc + - name: implicitFlowEnabled + attributeFriendlyName: implicitFlowEnabled + displayName: label.implicitFlowEnabled + helpText: tooltip.implicitFlowEnabled + displayType: boolean + defaultValue: true + attributeName: http://shibboleth.net/ns/profiles/implicitFlowEnabled + protocol: oidc + - name: refreshTokensEnabled + attributeFriendlyName: refreshTokensEnabled + displayName: label.refreshTokensEnabled + helpText: tooltip.refreshTokensEnabled + displayType: boolean + defaultValue: true + attributeName: http://shibboleth.net/ns/profiles/refreshTokensEnabled + protocol: oidc + - name: accessTokenLifetimeOidc + attributeFriendlyName: accessTokenLifetime + displayName: label.accessTokenLifetime.oidc + helpText: tooltip.accessTokenLifetime.oidc + displayType: string + defaultValue: PT10M + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/accessTokenLifetime + protocol: oidc + - name: accessTokenTypeOidc + attributeFriendlyName: accessTokenType + displayName: label.accessTokenType.oidc + helpText: tooltip.accessTokenType.oidc + displayType: string + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/accessTokenType + protocol: oidc + - name: acrRequestAlwaysEssential + attributeFriendlyName: acrRequestAlwaysEssential + displayName: label.acrRequestAlwaysEssential + helpText: tooltip.acrRequestAlwaysEssential + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/acrRequestAlwaysEssential + protocol: oidc + - name: allowPKCEPlainOidc + attributeFriendlyName: allowPKCEPlainOidc + displayName: label.allowPKCEPlain.oidc + helpText: tooltip.allowPKCEPlain.oidc + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/allowPKCEPlain + protocol: oidc + - name: alwaysIncludedAttributesBrowser + attributeFriendlyName: alwaysIncludedAttributes + displayName: label.alwaysIncludedAttributes.browser + helpText: tooltip.alwaysIncludedAttributes.browser + displayType: string + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/alwaysIncludedAttributes + protocol: oidc + - name: authorizeCodeLifetime + attributeFriendlyName: authorizeCodeLifetime + displayName: label.authorizeCodeLifetime + helpText: tooltip.authorizeCodeLifetime + displayType: string + defaultValue: PT5M + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/authorizeCodeLifetime + protocol: oidc + - name: deniedUserInfoAttributesBrowser + attributeFriendlyName: deniedUserInfoAttributes + displayName: label.deniedUserInfoAttributes.browser + helpText: tooltip.deniedUserInfoAttributes.browser + displayType: string + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/deniedUserInfoAttributes + protocol: oidc + - name: encodeConsentInTokens + attributeFriendlyName: encodeConsentInTokens + displayName: label.encodeConsentInTokens + helpText: tooltip.encodeConsentInTokens + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/encodeConsentInTokens + protocol: oidc + - name: encodedAttributes + attributeFriendlyName: encodedAttributes + displayName: label.encodedAttributes + helpText: tooltip.encodedAttributes + displayType: string + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/encodedAttributes + protocol: oidc + - name: forcePKCEOidc + attributeFriendlyName: forcePKCEOidc + displayName: label.forcePKCE.oidc + helpText: tooltip.forcePKCE.oidc + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/forcePKCE + protocol: oidc + - name: IDTokenLifetimeBrowser + attributeFriendlyName: IDTokenLifetimeBrowser + displayName: label.IDTokenLifetime.browser + helpText: tooltip.IDTokenLifetime.browser + displayType: string + defaultValue: PT1H + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/IDTokenLifetime + protocol: oidc + - name: includeIssuerInResponse + attributeFriendlyName: includeIssuerInResponse + displayName: label.includeIssuerInResponse + helpText: tooltip.includeIssuerInResponse + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/includeIssuerInResponse + protocol: oidc + - name: refreshTokenLifetimeOidc + attributeFriendlyName: refreshTokenLifetime + displayName: label.refreshTokenLifetime.oidc + helpText: tooltip.refreshTokenLifetime.oidc + displayType: string + defaultValue: PT2H + attributeName: http://shibboleth.net/ns/profiles/oidc/sso/browser/refreshTokenLifetime + protocol: oidc + - name: alwaysIncludedAttributesToken + attributeFriendlyName: alwaysIncludedAttributes + displayName: label.alwaysIncludedAttributes.token + helpText: tooltip.alwaysIncludedAttributes.token + displayType: string + attributeName: http://shibboleth.net/ns/profiles/oidc/token/alwaysIncludedAttributes + protocol: oidc + - name: encryptionOptional + attributeFriendlyName: encryptionOptional + displayName: label.encryptionOptional + helpText: tooltip.encryptionOptional + displayType: boolean + defaultValue: true + attributeName: http://shibboleth.net/ns/profiles/oidc/token/encryptionOptional + protocol: oidc + - name: IDTokenLifetime + attributeFriendlyName: IDTokenLifetime + displayName: label.IDTokenLifetime + helpText: tooltip.IDTokenLifetime + displayType: string + defaultValue: PT1H + attributeName: http://shibboleth.net/ns/profiles/oidc/token/IDTokenLifetime + protocol: oidc + - name: deniedUserInfoAttributes + attributeFriendlyName: deniedUserInfoAttributes + displayName: label.deniedUserInfoAttributes + helpText: tooltip.deniedUserInfoAttributes + displayType: string + attributeName: http://shibboleth.net/ns/profiles/oidc/userinfo/deniedUserInfoAttributes + protocol: oidc + - name: resolveAttributesOIDC + attributeFriendlyName: resolveAttributesOIDC + displayName: label.resolveAttributes.oidc + helpText: tooltip.resolveAttributes.oidc + displayType: boolean + attributeName: http://shibboleth.net/ns/profiles/oidc/userinfo/resolveAttributes + protocol: oidc \ No newline at end of file diff --git a/gradle.properties b/gradle.properties index 4c4c57568..8aae65f2d 100644 --- a/gradle.properties +++ b/gradle.properties @@ -34,6 +34,9 @@ i2.github.apiEndpoint=https://github.internet2.edu/api/v3 i2.git.remote=i2 i2.git.branch=master +# set app +use.release.app.yml=false + ## NOTES # pac4j spring security 7.0.3 here uses the pac4j 5.4.3 core, thus differences in versions (they used use the same versions, now # keeping them in sync takes paying attention \ No newline at end of file From b253f9afa0f599f9595c7d49ac5ec292e5f3b04d Mon Sep 17 00:00:00 2001 From: chasegawa Date: Thu, 1 Dec 2022 09:38:53 -0700 Subject: [PATCH 2/3] SHIBUI-2393 Change to build process to allow for different application.yml files --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 160d8bdd0..f8092a9dd 100644 --- a/.gitignore +++ b/.gitignore @@ -420,3 +420,4 @@ beacon/spring/out /testbed/authentication/shibui/saml-signing-cert.pem /testbed/authentication/shibui/samlKeystore.jks /testbed/authentication/shibui/sp-metadata.xml +/backend/src/main/resources/application.yml From e9ea0af347bef08df7ff529a4a79f4fe8cdfb28b Mon Sep 17 00:00:00 2001 From: chasegawa Date: Thu, 1 Dec 2022 09:56:45 -0700 Subject: [PATCH 3/3] NOJIRA fix for creating docker image on macs --- gradle.properties | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/gradle.properties b/gradle.properties index 8aae65f2d..e57089618 100644 --- a/gradle.properties +++ b/gradle.properties @@ -35,7 +35,10 @@ i2.git.remote=i2 i2.git.branch=master # set app -use.release.app.yml=false +use.release.app.yml=false + +### Fix for creating the docker image on Macs +org.gradle.daemon=false ## NOTES # pac4j spring security 7.0.3 here uses the pac4j 5.4.3 core, thus differences in versions (they used use the same versions, now