GRP-2954: add param for mod_remoteip

docker · Jan 31, 2021 · 8f076be · 8f076be
1 parent ee4ab51
commit 8f076be
Show file tree

Hide file tree

Showing 5 changed files with 44 additions and 10 deletions.
diff --git a/container_files/tier-support/test/grouperContainerUnitTest.sh b/container_files/tier-support/test/grouperContainerUnitTest.sh
@@ -5,7 +5,7 @@ if [ "$#" -ne 4 ]; then
   exit 1
 fi
 
-expectedSuccesses=626
+expectedSuccesses=686
 
 export containerName=$1
 export imageName=$2
@@ -21,6 +21,7 @@ export failureCount=0
 
 . ./grouperContainerUnitTestDaemon.sh
 . ./grouperContainerUnitTestUi.sh
+. ./grouperContainerUnitTestUi2.sh
 . ./grouperContainerUnitTestUiNoSsl.sh
 . ./grouperContainerUnitTestUiDifferentPorts.sh
 . ./grouperContainerUnitTestSlashRoot.sh
@@ -32,8 +33,8 @@ export failureCount=0
 . ./grouperContainerUnitTestUiSubimage.sh
 . ./grouperContainerUnitTestUiSubimageNonroot.sh
 
-
 testContainerUi
+testContainerUi2
 testContainerUiNoSsl
 testContainerSlashRoot
 testContainerSelfSigned
@@ -50,6 +51,8 @@ dockerRemoveContainer
 dockerRemoveSubimage
 
 
+
+
 echo ""
 echo "$successCount successes, $failureCount failures"
 if [ "$successCount" = "$expectedSuccesses" ] && [ "$failureCount" = "0" ]  ; then

diff --git a/container_files/tier-support/test/grouperContainerUnitTestSelfSigned.sh b/container_files/tier-support/test/grouperContainerUnitTestSelfSigned.sh
@@ -12,11 +12,11 @@ testContainerSelfSigned() {
   echo
   echo '################'
   echo Running container as ui with self signed cert
-  echo "docker run --detach --name $containerName --publish 443:443 -e GROUPER_SELF_SIGNED_CERT=true -e GROUPER_LOG_TO_HOST=true $imageName ui"
+  echo "docker run --detach --name $containerName --publish 443:443 -e GROUPER_SELF_SIGNED_CERT=true -e GROUPER_LOG_TO_HOST=true -e GROUPER_APACHE_REMOTE_IP_HEADER=myRemoteIpHeader -e GROUPER_APACHE_REMOTE_IP_TRUSTED_PROXY=10.0.2.16/28 $imageName ui"
   echo '################'
   echo
 
-  docker run --detach --name $containerName --publish 443:443 -e GROUPER_SELF_SIGNED_CERT=true -e GROUPER_LOG_TO_HOST=true $imageName ui
+  docker run --detach --name $containerName --publish 443:443 -e GROUPER_SELF_SIGNED_CERT=true -e GROUPER_LOG_TO_HOST=true -e GROUPER_APACHE_REMOTE_IP_HEADER=myRemoteIpHeader -e GROUPER_APACHE_REMOTE_IP_TRUSTED_PROXY=10.0.2.16/28 $imageName ui
   sleep $globalSleepSecondsAfterRun
 
   assertFileContains /etc/httpd/conf.d/ssl-enabled.conf "SSLUseStapling on"
@@ -38,6 +38,9 @@ testContainerSelfSigned() {
   assertFileContains /etc/httpd/conf.d/grouper-www.conf "#ProxyPass /grouper-ws-scim ajp://localhost:8009/grouper timeout=3600"
   assertFileContains /etc/httpd/conf.d/grouper-www.conf "\"/grouper/\""
   assertFileNotContains /etc/httpd/conf.d/grouper-www.conf "__"
+  assertFileContains /etc/httpd/conf.d/grouper-www.conf "RemoteIPHeader myRemoteIpHeader"
+  assertFileContains /etc/httpd/conf.d/grouper-www.conf "RemoteIPTrustedProxy 10.0.2.16/28"
+
 
   assertFileNotContains /opt/grouper/grouperWebapp/WEB-INF/classes/log4j.properties "/tmp/logpipe"
 
@@ -74,7 +77,6 @@ testContainerSelfSigned() {
   assertEnvVar GROUPER_WS_GROUPER_AUTH "false"
 
   assertNumberOfTomcatProcesses 1
-  # bad cert apache wont start
   assertNumberOfApacheProcesses 5
   assertNumberOfShibProcesses 1
 

diff --git a/container_files/tier-support/test/grouperContainerUnitTestUi.sh b/container_files/tier-support/test/grouperContainerUnitTestUi.sh
@@ -12,11 +12,11 @@ testContainerUi() {
   echo
   echo '################'
   echo Running container as ui
-  echo "docker run --detach --name $containerName --publish 443:443 $imageName ui"
+  echo "docker run --detach --name $containerName --publish 443:443 -e GROUPER_SSL_CERT_FILE=/etc/pki/tls/certs/host-cert.pem $imageName ui"
   echo '################'
   echo
 
-  docker run --detach --name $containerName --publish 443:443 $imageName ui
+  docker run --detach --name $containerName --publish 443:443 -e GROUPER_SSL_CERT_FILE=/etc/pki/tls/certs/host-cert.pem $imageName ui
   sleep $globalSleepSecondsAfterRun
 
 
@@ -48,7 +48,7 @@ testContainerUi() {
   assertFileNotContains /etc/httpd/conf.d/ssl-enabled.conf /etc/pki/tls/certs/localhost.crt
   assertEnvVar GROUPER_SSL_USE_CHAIN_FILE "false"
   assertEnvVar GROUPER_SSL_CERT_FILE "/etc/pki/tls/certs/host-cert.pem"
-  assertEnvVar GROUPER_SSL_KEY_FILE "/etc/pki/tls/certs/cachain.pem"
+  assertEnvVar GROUPER_SSL_KEY_FILE "/etc/pki/tls/private/host-key.pem"
   assertEnvVarNot GROUPER_SSL_CHAIN_FILE "/etc/pki/tls/certs/cachain.pem"
   assertEnvVar GROUPER_SSL_USE_STAPLING "true"
 
@@ -68,6 +68,8 @@ testContainerUi() {
 
   assertFileNotContains /etc/httpd/conf.d/grouper-www.conf "ServerName"
   assertFileNotContains /etc/httpd/conf.d/grouper-www.conf "UseCanonicalName On"
+  assertFileNotContains /etc/httpd/conf.d/grouper-www.conf "RemoteIPHeader"
+  assertFileNotContains /etc/httpd/conf.d/grouper-www.conf "RemoteIPTrustedProxy"
 
   assertFileNotContains /opt/tomee/conf/server.xml "AccessLogValve"
 

diff --git a/container_files/tier-support/test/grouperContainerUnitTestUiSubimage.sh b/container_files/tier-support/test/grouperContainerUnitTestUiSubimage.sh
@@ -24,13 +24,13 @@ testContainerUiSubimage() {
   echo cat DockerFile
   cat Dockerfile
   echo "docker build -t $subimageId ."
-  echo "docker run --detach --name $containerName --publish 443:443 $subimageId ui"
+  echo "docker run --detach --name $containerName --publish 443:443 -e GROUPER_SSL_CERT_FILE=/etc/pki/tls/certs/host-cert.pem $subimageId ui"
   echo '################'
   echo
 
   docker build -t "$subimageId" .
 
-  docker run --detach --name $containerName --publish 443:443 $subimageId ui
+  docker run --detach --name $containerName --publish 443:443 -e GROUPER_SSL_CERT_FILE=/etc/pki/tls/certs/host-cert.pem $subimageId ui
   sleep $globalSleepSecondsAfterRun
 
   assertFileExists /opt/grouper/grouperWebapp/WEB-INF/libWs/axis2-kernel-1.6.4.jar

diff --git a/container_files/usr-local-bin/librarySetupFilesApache.sh b/container_files/usr-local-bin/librarySetupFilesApache.sh
@@ -100,6 +100,30 @@ setupFilesApache_serverName() {
 
 }
 
+setupFilesApache_remoteip() {
+  if [ "$GROUPER_RUN_APACHE" = "true" ] && [ ! -z "$GROUPER_APACHE_REMOTE_IP_HEADER" ] && [ "$GROUPER_APACHE_REMOTE_IP_HEADER" != "" ] && [ -f /etc/httpd/conf.d/grouper-www.conf ]
+    then
+      echo "grouperContainer; INFO: (librarySetupFilesApache.sh-setupFilesApache_remoteip) Appending RemoteIPHeader to grouper-www.conf"
+      echo >> /etc/httpd/conf.d/grouper-www.conf
+      echo "RemoteIPHeader $GROUPER_APACHE_REMOTE_IP_HEADER" >> /etc/httpd/conf.d/grouper-www.conf
+      returnCode=$?
+      echo >> /etc/httpd/conf.d/grouper-www.conf
+      echo "grouperContainer; INFO: (librarySetupFilesApache.sh-setupFilesApache_remoteip) echo \"RemoteIPHeader $GROUPER_APACHE_REMOTE_IP_HEADER\" >> /etc/httpd/conf.d/grouper-www.conf , result: $?"
+      if [ $returnCode != 0 ]; then exit $returnCode; fi
+  fi
+  if [ "$GROUPER_RUN_APACHE" = "true" ] && [ ! -z "$GROUPER_APACHE_REMOTE_IP_TRUSTED_PROXY" ] && [ "$GROUPER_APACHE_REMOTE_IP_TRUSTED_PROXY" != "" ] && [ -f /etc/httpd/conf.d/grouper-www.conf ]
+    then
+      echo "grouperContainer; INFO: (librarySetupFilesApache.sh-setupFilesApache_remoteip) Appending RemoteIPTrustedProxy to grouper-www.conf"
+      echo >> /etc/httpd/conf.d/grouper-www.conf
+      echo "RemoteIPTrustedProxy $GROUPER_APACHE_REMOTE_IP_TRUSTED_PROXY" >> /etc/httpd/conf.d/grouper-www.conf
+      returnCode=$?
+      echo >> /etc/httpd/conf.d/grouper-www.conf
+      echo "grouperContainer; INFO: (librarySetupFilesApache.sh-setupFilesApache_remoteip) echo \"RemoteIPTrustedProxy $GROUPER_APACHE_REMOTE_IP_TRUSTED_PROXY\" >> /etc/httpd/conf.d/grouper-www.conf , result: $?"
+      if [ $returnCode != 0 ]; then exit $returnCode; fi
+  fi
+
+}
+
 
 setupFilesApache_supervisor() {
   if [ "$GROUPER_RUN_APACHE" = "true" ]
@@ -138,6 +162,7 @@ setupFilesApache_ports() {
 setupFilesApache() {
   setupFilesApache_supervisor
   setupFilesApache_ports
+  setupFilesApache_remoteip
   setupFilesApache_ssl
   setupFilesApache_serverName
   setupFilesApache_indexes
@@ -147,6 +172,7 @@ setupFilesApache_unsetAll() {
   unset -f setupFilesApache
   unset -f setupFilesApache_indexes
   unset -f setupFilesApache_ports
+  unset -f setupFilesApache_remoteip
   unset -f setupFilesApache_ssl
   unset -f setupFilesApache_supervisor
   unset -f setupFilesApache_unsetAll
@@ -157,6 +183,7 @@ setupFilesApache_exportAll() {
   export -f setupFilesApache
   export -f setupFilesApache_indexes
   export -f setupFilesApache_ports
+  export -f setupFilesApache_remoteip
   export -f setupFilesApache_ssl
   export -f setupFilesApache_supervisor
   export -f setupFilesApache_unsetAll