From 8f076be95871d3d6ac89e7e5a80106dc81df06f8 Mon Sep 17 00:00:00 2001 From: Chris Hyzer Date: Sun, 31 Jan 2021 12:26:02 -0500 Subject: [PATCH] GRP-2954: add param for mod_remoteip --- .../test/grouperContainerUnitTest.sh | 7 +++-- .../grouperContainerUnitTestSelfSigned.sh | 8 +++--- .../test/grouperContainerUnitTestUi.sh | 8 +++--- .../grouperContainerUnitTestUiSubimage.sh | 4 +-- .../usr-local-bin/librarySetupFilesApache.sh | 27 +++++++++++++++++++ 5 files changed, 44 insertions(+), 10 deletions(-) diff --git a/container_files/tier-support/test/grouperContainerUnitTest.sh b/container_files/tier-support/test/grouperContainerUnitTest.sh index d6018e82..4320c755 100644 --- a/container_files/tier-support/test/grouperContainerUnitTest.sh +++ b/container_files/tier-support/test/grouperContainerUnitTest.sh @@ -5,7 +5,7 @@ if [ "$#" -ne 4 ]; then exit 1 fi -expectedSuccesses=626 +expectedSuccesses=686 export containerName=$1 export imageName=$2 @@ -21,6 +21,7 @@ export failureCount=0 . ./grouperContainerUnitTestDaemon.sh . ./grouperContainerUnitTestUi.sh +. ./grouperContainerUnitTestUi2.sh . ./grouperContainerUnitTestUiNoSsl.sh . ./grouperContainerUnitTestUiDifferentPorts.sh . ./grouperContainerUnitTestSlashRoot.sh @@ -32,8 +33,8 @@ export failureCount=0 . ./grouperContainerUnitTestUiSubimage.sh . ./grouperContainerUnitTestUiSubimageNonroot.sh - testContainerUi +testContainerUi2 testContainerUiNoSsl testContainerSlashRoot testContainerSelfSigned @@ -50,6 +51,8 @@ dockerRemoveContainer dockerRemoveSubimage + + echo "" echo "$successCount successes, $failureCount failures" if [ "$successCount" = "$expectedSuccesses" ] && [ "$failureCount" = "0" ] ; then diff --git a/container_files/tier-support/test/grouperContainerUnitTestSelfSigned.sh b/container_files/tier-support/test/grouperContainerUnitTestSelfSigned.sh index 8667e40c..2caa2476 100644 --- a/container_files/tier-support/test/grouperContainerUnitTestSelfSigned.sh 
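Review bot: The newly sourced `./grouperContainerUnitTestUi2.sh` is not among the five files in this patch's diffstat, so unless it is already in the tree the `. ./grouperContainerUnitTestUi2.sh` line and the `testContainerUi2` call will fail. The jump of expectedSuccesses from 626 to 686 is also far larger than the four assertions visible in this patch, which suggests the rest are counted from that file. A comment next to the constant saying how the total is derived, e.g. `# total assertions across all sourced test files; update when a test is added`, would make the number reviewable.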
+++ b/container_files/tier-support/test/grouperContainerUnitTestSelfSigned.sh @@ -12,11 +12,11 @@ testContainerSelfSigned() { echo echo '################' echo Running container as ui with self signed cert - echo "docker run --detach --name $containerName --publish 443:443 -e GROUPER_SELF_SIGNED_CERT=true -e GROUPER_LOG_TO_HOST=true $imageName ui" + echo "docker run --detach --name $containerName --publish 443:443 -e GROUPER_SELF_SIGNED_CERT=true -e GROUPER_LOG_TO_HOST=true -e GROUPER_APACHE_REMOTE_IP_HEADER=myRemoteIpHeader -e GROUPER_APACHE_REMOTE_IP_TRUSTED_PROXY=10.0.2.16/28 $imageName ui" echo '################' echo - docker run --detach --name $containerName --publish 443:443 -e GROUPER_SELF_SIGNED_CERT=true -e GROUPER_LOG_TO_HOST=true $imageName ui + docker run --detach --name $containerName --publish 443:443 -e GROUPER_SELF_SIGNED_CERT=true -e GROUPER_LOG_TO_HOST=true -e GROUPER_APACHE_REMOTE_IP_HEADER=myRemoteIpHeader -e GROUPER_APACHE_REMOTE_IP_TRUSTED_PROXY=10.0.2.16/28 $imageName ui sleep $globalSleepSecondsAfterRun assertFileContains /etc/httpd/conf.d/ssl-enabled.conf "SSLUseStapling on" @@ -38,6 +38,9 @@ testContainerSelfSigned() { assertFileContains /etc/httpd/conf.d/grouper-www.conf "#ProxyPass /grouper-ws-scim ajp://localhost:8009/grouper timeout=3600" assertFileContains /etc/httpd/conf.d/grouper-www.conf "\"/grouper/\"" assertFileNotContains /etc/httpd/conf.d/grouper-www.conf "__" + assertFileContains /etc/httpd/conf.d/grouper-www.conf "RemoteIPHeader myRemoteIpHeader" + assertFileContains /etc/httpd/conf.d/grouper-www.conf "RemoteIPTrustedProxy 10.0.2.16/28" + assertFileNotContains /opt/grouper/grouperWebapp/WEB-INF/classes/log4j.properties "/tmp/logpipe" @@ -74,7 +77,6 @@ testContainerSelfSigned() { assertEnvVar GROUPER_WS_GROUPER_AUTH "false" assertNumberOfTomcatProcesses 1 - # bad cert apache wont start assertNumberOfApacheProcesses 5 assertNumberOfShibProcesses 1 
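Review bot: testContainerSelfSigned always passes both new variables together, so nothing covers a run where only GROUPER_APACHE_REMOTE_IP_HEADER is set, which is the configuration where mod_remoteip accepts the header from any client. A case for that input would pin whatever the setup script is meant to do with it (refuse, warn, or write the directive). The two new assertions check only that the directive text is in grouper-www.conf; it is presumably `assertNumberOfApacheProcesses 5` in the last hunk that shows httpd parsed it, and the comment removed there could be replaced by one saying so, e.g. `# httpd running also shows the RemoteIP* directives were accepted`.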
diff --git a/container_files/tier-support/test/grouperContainerUnitTestUi.sh b/container_files/tier-support/test/grouperContainerUnitTestUi.sh index 5d46d66e..08bac1e0 100644 --- a/container_files/tier-support/test/grouperContainerUnitTestUi.sh +++ b/container_files/tier-support/test/grouperContainerUnitTestUi.sh @@ -12,11 +12,11 @@ testContainerUi() { echo echo '################' echo Running container as ui - echo "docker run --detach --name $containerName --publish 443:443 $imageName ui" + echo "docker run --detach --name $containerName --publish 443:443 -e GROUPER_SSL_CERT_FILE=/etc/pki/tls/certs/host-cert.pem $imageName ui" echo '################' echo - docker run --detach --name $containerName --publish 443:443 $imageName ui + docker run --detach --name $containerName --publish 443:443 -e GROUPER_SSL_CERT_FILE=/etc/pki/tls/certs/host-cert.pem $imageName ui sleep $globalSleepSecondsAfterRun @@ -48,7 +48,7 @@ testContainerUi() { assertFileNotContains /etc/httpd/conf.d/ssl-enabled.conf /etc/pki/tls/certs/localhost.crt assertEnvVar GROUPER_SSL_USE_CHAIN_FILE "false" assertEnvVar GROUPER_SSL_CERT_FILE "/etc/pki/tls/certs/host-cert.pem" - assertEnvVar GROUPER_SSL_KEY_FILE "/etc/pki/tls/certs/cachain.pem" + assertEnvVar GROUPER_SSL_KEY_FILE "/etc/pki/tls/private/host-key.pem" assertEnvVarNot GROUPER_SSL_CHAIN_FILE "/etc/pki/tls/certs/cachain.pem" assertEnvVar GROUPER_SSL_USE_STAPLING "true" @@ -68,6 +68,8 @@ testContainerUi() { assertFileNotContains /etc/httpd/conf.d/grouper-www.conf "ServerName" assertFileNotContains /etc/httpd/conf.d/grouper-www.conf "UseCanonicalName On" + assertFileNotContains /etc/httpd/conf.d/grouper-www.conf "RemoteIPHeader" + assertFileNotContains /etc/httpd/conf.d/grouper-www.conf "RemoteIPTrustedProxy" assertFileNotContains /opt/tomee/conf/server.xml "AccessLogValve" 
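Review bot: The `-e GROUPER_SSL_CERT_FILE=/etc/pki/tls/certs/host-cert.pem` added to the `docker run` in testContainerUi is not explained by the commit subject, and it means the later `assertEnvVar GROUPER_SSL_CERT_FILE "/etc/pki/tls/certs/host-cert.pem"` checks a value the test itself injected. If that path is the image default, the default is no longer exercised by this test. A one-line comment above the `docker run` stating why the variable is now set explicitly would help; the same addition appears in testContainerUiSubimage in the next file. testContainerUi's body continues outside these hunks.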
diff --git a/container_files/tier-support/test/grouperContainerUnitTestUiSubimage.sh b/container_files/tier-support/test/grouperContainerUnitTestUiSubimage.sh index 84e9ecbe..04c65b59 100644 --- a/container_files/tier-support/test/grouperContainerUnitTestUiSubimage.sh +++ b/container_files/tier-support/test/grouperContainerUnitTestUiSubimage.sh @@ -24,13 +24,13 @@ testContainerUiSubimage() { echo cat DockerFile cat Dockerfile echo "docker build -t $subimageId ." - echo "docker run --detach --name $containerName --publish 443:443 $subimageId ui" + echo "docker run --detach --name $containerName --publish 443:443 -e GROUPER_SSL_CERT_FILE=/etc/pki/tls/certs/host-cert.pem $subimageId ui" echo '################' echo docker build -t "$subimageId" . - docker run --detach --name $containerName --publish 443:443 $subimageId ui + docker run --detach --name $containerName --publish 443:443 -e GROUPER_SSL_CERT_FILE=/etc/pki/tls/certs/host-cert.pem $subimageId ui sleep $globalSleepSecondsAfterRun assertFileExists /opt/grouper/grouperWebapp/WEB-INF/libWs/axis2-kernel-1.6.4.jar diff --git a/container_files/usr-local-bin/librarySetupFilesApache.sh b/container_files/usr-local-bin/librarySetupFilesApache.sh index 90a66f28..9c3c0c9a 100644 --- a/container_files/usr-local-bin/librarySetupFilesApache.sh +++ b/container_files/usr-local-bin/librarySetupFilesApache.sh 
@@ -100,6 +100,30 @@ setupFilesApache_serverName() { } +setupFilesApache_remoteip() { + if [ "$GROUPER_RUN_APACHE" = "true" ] && [ ! -z "$GROUPER_APACHE_REMOTE_IP_HEADER" ] && [ "$GROUPER_APACHE_REMOTE_IP_HEADER" != "" ] && [ -f /etc/httpd/conf.d/grouper-www.conf ] + then + echo "grouperContainer; INFO: (librarySetupFilesApache.sh-setupFilesApache_remoteip) Appending RemoteIPHeader to grouper-www.conf" + echo >> /etc/httpd/conf.d/grouper-www.conf + echo "RemoteIPHeader $GROUPER_APACHE_REMOTE_IP_HEADER" >> /etc/httpd/conf.d/grouper-www.conf + returnCode=$? + echo >> /etc/httpd/conf.d/grouper-www.conf + echo "grouperContainer; INFO: (librarySetupFilesApache.sh-setupFilesApache_remoteip) echo \"RemoteIPHeader $GROUPER_APACHE_REMOTE_IP_HEADER\" >> /etc/httpd/conf.d/grouper-www.conf , result: $?" + if [ $returnCode != 0 ]; then exit $returnCode; fi + fi + if [ "$GROUPER_RUN_APACHE" = "true" ] && [ ! -z "$GROUPER_APACHE_REMOTE_IP_TRUSTED_PROXY" ] && [ "$GROUPER_APACHE_REMOTE_IP_TRUSTED_PROXY" != "" ] && [ -f /etc/httpd/conf.d/grouper-www.conf ] + then + echo "grouperContainer; INFO: (librarySetupFilesApache.sh-setupFilesApache_remoteip) Appending RemoteIPTrustedProxy to grouper-www.conf" + echo >> /etc/httpd/conf.d/grouper-www.conf + echo "RemoteIPTrustedProxy $GROUPER_APACHE_REMOTE_IP_TRUSTED_PROXY" >> /etc/httpd/conf.d/grouper-www.conf + returnCode=$? + echo >> /etc/httpd/conf.d/grouper-www.conf + echo "grouperContainer; INFO: (librarySetupFilesApache.sh-setupFilesApache_remoteip) echo \"RemoteIPTrustedProxy $GROUPER_APACHE_REMOTE_IP_TRUSTED_PROXY\" >> /etc/httpd/conf.d/grouper-www.conf , result: $?" + if [ $returnCode != 0 ]; then exit $returnCode; fi + fi + +} + setupFilesApache_supervisor() { if [ "$GROUPER_RUN_APACHE" = "true" ] @@ -138,6 +162,7 @@ setupFilesApache_ports() { setupFilesApache() { setupFilesApache_supervisor setupFilesApache_ports + setupFilesApache_remoteip setupFilesApache_ssl setupFilesApache_serverName setupFilesApache_indexes 
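Review bot: Setting only GROUPER_APACHE_REMOTE_IP_HEADER writes `RemoteIPHeader` with no proxy list, and per the mod_remoteip documentation Apache then trusts every host presenting a non-internal address in that header, so the client IP seen by access logs and `Require ip` rules becomes client-controlled. The two `if` blocks in setupFilesApache_remoteip are independent, so nothing prevents that configuration; I would fail startup (or at least log a warning) when the header is set and GROUPER_APACHE_REMOTE_IP_TRUSTED_PROXY is empty. Both values are also appended to grouper-www.conf unvalidated, so a value containing a newline adds extra directives; the header name at least can be restricted to token characters. Separately, `result: $?` in both log lines reports the status of the preceding blank-line `echo` rather than the write that `returnCode` captured, and `[ ! -z "$X" ] && [ "$X" != "" ]` tests the same condition twice.

```shell
setupFilesApache_remoteip() {
  # RemoteIPHeader with no proxy list makes mod_remoteip accept the header from any client
  if [ "$GROUPER_RUN_APACHE" = "true" ] && [ -n "$GROUPER_APACHE_REMOTE_IP_HEADER" ] && [ -z "$GROUPER_APACHE_REMOTE_IP_TRUSTED_PROXY" ]
  then
    echo "grouperContainer; ERROR: (librarySetupFilesApache.sh-setupFilesApache_remoteip) GROUPER_APACHE_REMOTE_IP_HEADER is set but GROUPER_APACHE_REMOTE_IP_TRUSTED_PROXY is empty"
    exit 1
  fi
  # a header name is a single token; spaces, newlines and other characters are rejected
  case "$GROUPER_APACHE_REMOTE_IP_HEADER" in
    *[!A-Za-z0-9_-]*)
      echo "grouperContainer; ERROR: (librarySetupFilesApache.sh-setupFilesApache_remoteip) GROUPER_APACHE_REMOTE_IP_HEADER contains characters not valid in a header name"
      exit 1
      ;;
  esac
  # … unchanged: the two append blocks, with each log line ending in: result: $returnCode …
}
```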
@@ -147,6 +172,7 @@ setupFilesApache_unsetAll() {
 unset -f setupFilesApache
 unset -f setupFilesApache_indexes
 unset -f setupFilesApache_ports
+ unset -f setupFilesApache_remoteip
 unset -f setupFilesApache_ssl
 unset -f setupFilesApache_supervisor
 unset -f setupFilesApache_unsetAll
@@ -157,6 +183,7 @@ setupFilesApache_exportAll() {
 export -f setupFilesApache
 export -f setupFilesApache_indexes
 export -f setupFilesApache_ports
+ export -f setupFilesApache_remoteip
 export -f setupFilesApache_ssl
 export -f setupFilesApache_supervisor
 export -f setupFilesApache_unsetAll