From da7a04a7c0ef47da1b13feae222116fe38d77b7e Mon Sep 17 00:00:00 2001
From: Chris Hyzer
Date: Fri, 17 Sep 2021 05:11:14 -0400
Subject: [PATCH] setting for max tomcat http headers
---
Dockerfile | 4 ++--
.../tier-support/test/grouperContainerUnitTest.sh | 2 +-
.../tier-support/test/grouperContainerUnitTestUi.sh | 4 ++++
.../tier-support/test/grouperContainerUnitTestUi2.sh | 7 +++++--
.../tier-support/test/grouperContainerUnitTestUiNoSsl.sh | 5 +++--
container_files/usr-local-bin/libraryPrep.sh | 4 ++++
container_files/usr-local-bin/librarySetupFilesTomcat.sh | 8 ++++++++
7 files changed, 27 insertions(+), 7 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 93eb1a29..bfe33aeb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,7 +6,7 @@ RUN yum update -y \ RUN yum install -y wget tar unzip dos2unix patch ARG GROUPER_CONTAINER_VERSION -ENV GROUPER_VERSION=2.5.56 \ +ENV GROUPER_VERSION=2.5.57 \ GROUPER_CONTAINER_VERSION=$GROUPER_CONTAINER_VERSION # Install Corretto Java JDK
@@ -32,7 +32,7 @@ RUN echo 'Installing Grouper'; \ cd /opt/grouper/$GROUPER_VERSION/ \ && $JAVA_HOME/bin/java -cp :grouperInstaller.jar edu.internet2.middleware.grouperInstaller.GrouperInstaller FROM centos:centos7 as cleanup -ENV GROUPER_VERSION=2.5.56 \ +ENV GROUPER_VERSION=2.5.57 \ TOMEE_VERSION=7.0.0 RUN mkdir -p /opt/grouper/grouperWebapp/ RUN mkdir -p /opt/tomee/
diff --git a/container_files/tier-support/test/grouperContainerUnitTest.sh b/container_files/tier-support/test/grouperContainerUnitTest.sh
index 343a479c..fae4cd7d 100644
--- a/container_files/tier-support/test/grouperContainerUnitTest.sh
+++ b/container_files/tier-support/test/grouperContainerUnitTest.sh
@@ -5,7 +5,7 @@ if [ "$#" -ne 4 ]; then exit 1 fi -expectedSuccesses=715 +expectedSuccesses=721 export containerName=$1 export imageName=$2
diff --git a/container_files/tier-support/test/grouperContainerUnitTestUi.sh b/container_files/tier-support/test/grouperContainerUnitTestUi.sh
index 6637acf9..0259521e 100644
--- a/container_files/tier-support/test/grouperContainerUnitTestUi.sh
+++ b/container_files/tier-support/test/grouperContainerUnitTestUi.sh
@@ -78,6 +78,10 @@ testContainerUi() { assertFileNotContains /opt/tomee/conf/server.xml "AccessLogValve" + assertFileContains /opt/tomee/conf/server.xml "maxHeaderCount" + assertFileContains /opt/tomee/conf/server.xml "200" + assertFileNotContains /opt/tomee/conf/server.xml "1235" + assertFileContains /opt/tomee/conf/server.xml "tomcatAuthentication" assertEnvVarNot GROUPER_APACHE_SERVER_NAME https://a.b.c:443
diff --git a/container_files/tier-support/test/grouperContainerUnitTestUi2.sh b/container_files/tier-support/test/grouperContainerUnitTestUi2.sh
index 68661ef7..bcc02e0e 100644
--- a/container_files/tier-support/test/grouperContainerUnitTestUi2.sh
+++ b/container_files/tier-support/test/grouperContainerUnitTestUi2.sh
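Review bot: In the grouperContainerUnitTestUi.sh hunk, `assertFileContains /opt/tomee/conf/server.xml "200"` passes if the digits 200 appear anywhere in server.xml, so it does not show that the default header limit was written, and `assertFileNotContains /opt/tomee/conf/server.xml "1235"` is loose in the mirror direction. Assert the whole attribute instead, `assertFileContains /opt/tomee/conf/server.xml 'maxHeaderCount="200"'`, using the same quoting as the existing `'scheme="http"'` assertion in grouperContainerUnitTestUiNoSsl.sh. The `"1235"` assertion in the second grouperContainerUnitTestUi2.sh hunk has the same weakness and would be tighter as `'maxHeaderCount="1235"'`. testContainerUi's body starts and ends outside the hunk.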
@@ -12,11 +12,11 @@ testContainerUi2() { echo echo '################' echo Running container as ui - echo "docker run --detach --name $containerName --publish 443:443 -e GROUPER_SSL_USE_STAPLING=false -e GROUPER_SSL_CERT_FILE=/a/b/cert -e GROUPER_SSL_KEY_FILE=/a/b/key -e GROUPER_SSL_CHAIN_FILE=/a/b/chain -e GROUPER_REDIRECT_FROM_SLASH_TO_GROUPER=false -e GROUPER_APACHE_STATUS_PATH=none $imageName ui" + echo "docker run --detach --name $containerName --publish 443:443 -e GROUPER_TOMCAT_MAX_HEADER_COUNT=1235 -e GROUPER_SSL_USE_STAPLING=false -e GROUPER_SSL_CERT_FILE=/a/b/cert -e GROUPER_SSL_KEY_FILE=/a/b/key -e GROUPER_SSL_CHAIN_FILE=/a/b/chain -e GROUPER_REDIRECT_FROM_SLASH_TO_GROUPER=false -e GROUPER_APACHE_STATUS_PATH=none $imageName ui" echo '################' echo - docker run --detach --name $containerName --publish 443:443 -e GROUPER_SSL_USE_STAPLING=false -e GROUPER_SSL_CERT_FILE=/a/b/cert -e GROUPER_SSL_KEY_FILE=/a/b/key -e GROUPER_SSL_CHAIN_FILE=/a/b/chain -e GROUPER_REDIRECT_FROM_SLASH_TO_GROUPER=false -e GROUPER_APACHE_STATUS_PATH=none $imageName ui + docker run --detach --name $containerName --publish 443:443 -e GROUPER_TOMCAT_MAX_HEADER_COUNT=1235 -e GROUPER_SSL_USE_STAPLING=false -e GROUPER_SSL_CERT_FILE=/a/b/cert -e GROUPER_SSL_KEY_FILE=/a/b/key -e GROUPER_SSL_CHAIN_FILE=/a/b/chain -e GROUPER_REDIRECT_FROM_SLASH_TO_GROUPER=false -e GROUPER_APACHE_STATUS_PATH=none $imageName ui sleep $globalSleepSecondsAfterRun
@@ -38,6 +38,9 @@ testContainerUi2() { assertFileNotContains /opt/tier-support/supervisord.conf "program:hsqldb" assertFileNotContains /opt/tier-support/supervisord.conf "__" + assertFileContains /opt/tomee/conf/server.xml "maxHeaderCount" + assertFileContains /opt/tomee/conf/server.xml "1235" + assertFileContains /etc/httpd/conf.d/ssl-enabled.conf "SSLUseStapling off" assertFileContains /etc/httpd/conf.d/ssl-enabled.conf "SSLCertificateFile /a/b/cert" assertFileContains /etc/httpd/conf.d/ssl-enabled.conf "SSLCertificateKeyFile /a/b/key"
diff --git a/container_files/tier-support/test/grouperContainerUnitTestUiNoSsl.sh b/container_files/tier-support/test/grouperContainerUnitTestUiNoSsl.sh
index 29c09fa7..0a729f9e 100644
--- a/container_files/tier-support/test/grouperContainerUnitTestUiNoSsl.sh
+++ b/container_files/tier-support/test/grouperContainerUnitTestUiNoSsl.sh
@@ -12,11 +12,11 @@ testContainerUiNoSsl() { echo echo '################' echo Running container as ui without SSL with SSL client - echo "docker run --detach --name $containerName --publish 443:443 -e GROUPER_USE_SSL=false -e GROUPER_TOMCAT_LOG_ACCESS=true -e GROUPER_APACHE_DIRECTORY_INDEXES=true -e GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES=30 $imageName ui" + echo "docker run --detach --name $containerName --publish 443:443 -e GROUPER_TOMCAT_MAX_HEADER_COUNT=-1 -e GROUPER_USE_SSL=false -e GROUPER_TOMCAT_LOG_ACCESS=true -e GROUPER_APACHE_DIRECTORY_INDEXES=true -e GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES=30 $imageName ui" echo '################' echo - docker run --detach --name $containerName --publish 443:443 -e GROUPER_USE_SSL=false -e GROUPER_TOMCAT_LOG_ACCESS=true -e GROUPER_APACHE_DIRECTORY_INDEXES=true -e GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES=30 $imageName ui + docker run --detach --name $containerName --publish 443:443 -e GROUPER_TOMCAT_MAX_HEADER_COUNT=-1 -e GROUPER_USE_SSL=false -e GROUPER_TOMCAT_LOG_ACCESS=true -e GROUPER_APACHE_DIRECTORY_INDEXES=true -e GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES=30 $imageName ui sleep $globalSleepSecondsAfterRun assertFileExists /etc/httpd/conf.d/ssl-enabled.conf.dontuse
@@ -38,6 +38,7 @@ testContainerUiNoSsl() { assertFileNotContains /opt/tomee/conf/server.xml 'scheme="http"' assertFileContains /opt/tomee/conf/web.xml "30" + assertFileNotContains /opt/tomee/conf/server.xml "maxHeaderCount" assertEnvVar GROUPER_TOMCAT_LOG_ACCESS "true" assertEnvVar GROUPERSCIM_PROXY_PASS "#"
diff --git a/container_files/usr-local-bin/libraryPrep.sh b/container_files/usr-local-bin/libraryPrep.sh
index 02d0502a..4b4685eb 100644
--- a/container_files/usr-local-bin/libraryPrep.sh
+++ b/container_files/usr-local-bin/libraryPrep.sh
@@ -437,6 +437,10 @@ prep_finishBegin() { echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_TOMCAT_HTTP_PORT=8080" export GROUPER_TOMCAT_HTTP_PORT=8080 fi + if [ -z "$GROUPER_TOMCAT_MAX_HEADER_COUNT" ]; then + echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_TOMCAT_MAX_HEADER_COUNT=200" + export GROUPER_TOMCAT_MAX_HEADER_COUNT=200 + fi if [ -z "$GROUPER_TOMCAT_AJP_PORT" ]; then echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_TOMCAT_AJP_PORT=8009" export GROUPER_TOMCAT_AJP_PORT=8009
diff --git a/container_files/usr-local-bin/librarySetupFilesTomcat.sh b/container_files/usr-local-bin/librarySetupFilesTomcat.sh
index 7a8d9f35..5133a917 100644
--- a/container_files/usr-local-bin/librarySetupFilesTomcat.sh
+++ b/container_files/usr-local-bin/librarySetupFilesTomcat.sh
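Review bot: In the libraryPrep.sh hunk, GROUPER_TOMCAT_MAX_HEADER_COUNT is defaulted when empty but never validated, and the librarySetupFilesTomcat.sh hunk of this same patch places it unescaped into a `sed` replacement and an XML attribute in server.xml. A value containing `|`, `&`, `"` or whitespace would break the substitution or alter the connector element instead of setting a limit. Reject anything that is not -1 or a non-negative integer right after the default, for example `case "$GROUPER_TOMCAT_MAX_HEADER_COUNT" in -1) ;; *[!0-9]*) echo "grouperContainer; ERROR: (libraryPrep.sh-prep_finishBegin) GROUPER_TOMCAT_MAX_HEADER_COUNT must be -1 or a non-negative integer"; exit 1 ;; esac`. prep_finishBegin starts and ends outside the hunk, so whether `exit` is the right failure path there should be confirmed against the rest of the function.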
@@ -71,6 +71,14 @@ setupFilesTomcat_ports() { echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_ports) update server.xml to change ajp port: sed -i \"s|8009|$GROUPER_TOMCAT_AJP_PORT|g\" /opt/tomee/conf/server.xml, result: $returnCode" if [ $returnCode != 0 ]; then exit $returnCode; fi fi + + if [ "$GROUPER_TOMCAT_MAX_HEADER_COUNT" != "-1" ]; then + # add in maxHeaderCount since new chrome sends too many headers + sed -i "s|port=\"$GROUPER_TOMCAT_AJP_PORT\"|port=\"$GROUPER_TOMCAT_AJP_PORT\" maxHeaderCount=\"$GROUPER_TOMCAT_MAX_HEADER_COUNT\" |g" /opt/tomee/conf/server.xml + returnCode=$? + echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_ports) update server.xml add maxHeaderCount: sed -i \"s|port=\"$GROUPER_TOMCAT_AJP_PORT\"|port=\"$GROUPER_TOMCAT_AJP_PORT\" maxHeaderCount=\"$GROUPER_TOMCAT_MAX_HEADER_COUNT\" |g\" /opt/tomee/conf/server.xml, result: $returnCode" + if [ $returnCode != 0 ]; then exit $returnCode; fi + fi if [ "$GROUPER_TOMCAT_SHUTDOWN_PORT" != "8005" ]; then sed -i "s|8005|$GROUPER_TOMCAT_SHUTDOWN_PORT|g" /opt/tomee/conf/server.xml
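Review bot: `sed -i` exits 0 even when the pattern `port="$GROUPER_TOMCAT_AJP_PORT"` matches nothing, so the `returnCode` check after it cannot tell whether maxHeaderCount was actually added to the connector; a changed server.xml template would silently leave Tomcat on its built-in default. Follow the sed with a check such as `grep -q "maxHeaderCount=\"$GROUPER_TOMCAT_MAX_HEADER_COUNT\"" /opt/tomee/conf/server.xml || exit 1`. The `-1` sentinel also needs a comment, because Tomcat's own maxHeaderCount treats a negative value as no limit while here it means the attribute is left out: `# -1 = do not set maxHeaderCount; Tomcat's built-in default applies (this is not "unlimited")`. The substitution is not idempotent, so if this function can run twice against the same server.xml (not visible in the hunk) the attribute would be written twice on the same element. setupFilesTomcat_ports starts and ends outside the hunk.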