From 059b483ca4ade9123a4364c8e291c79684ab523b Mon Sep 17 00:00:00 2001 From: John Gasper Date: Mon, 26 Mar 2018 11:52:30 -0700 Subject: [PATCH] POC for pulling in secrets into Grouper property files --- .../grouper/database_password.txt | 0 .../grouper/grouper.hibernate.properties | 3 +- .../grouper/ldap.properties | 2 +- .../configs-and-secrets/grouper/sources.xml | 295 ------------------ .../grouper/subject.properties | 75 +++++ .../conf/grouper.hibernate.properties | 3 +- .../data/container_files/conf/sources.xml | 295 ------------------ .../container_files/conf/subject.properties | 75 +++++ test-compose/docker-compose.yml | 110 ++++--- 9 files changed, 220 insertions(+), 638 deletions(-) create mode 100644 test-compose/configs-and-secrets/grouper/database_password.txt delete mode 100644 test-compose/configs-and-secrets/grouper/sources.xml create mode 100644 test-compose/configs-and-secrets/grouper/subject.properties delete mode 100644 test-compose/data/container_files/conf/sources.xml create mode 100644 test-compose/data/container_files/conf/subject.properties diff --git a/test-compose/configs-and-secrets/grouper/database_password.txt b/test-compose/configs-and-secrets/grouper/database_password.txt new file mode 100644 index 0000000..e69de29 diff --git a/test-compose/configs-and-secrets/grouper/grouper.hibernate.properties b/test-compose/configs-and-secrets/grouper/grouper.hibernate.properties index b9cc983..96abb4c 100644 --- a/test-compose/configs-and-secrets/grouper/grouper.hibernate.properties +++ b/test-compose/configs-and-secrets/grouper/grouper.hibernate.properties 
@@ -26,5 +26,4 @@ hibernate.connection.username = root # If you are using an empty password, depending upon your version of # Java and Ant you may need to specify a password of "". # Note: you can keep passwords external and encrypted: https://bugs.internet2.edu/jira/browse/GRP-122 -hibernate.connection.password = - +hibernate.connection.password.elConfig = ${java.lang.System.getenv().get('GROUPER_DATABASE_PASSWORD_FILE') != null ? org.apache.commons.io.FileUtils.readFileToString(java.lang.System.getenv().get('GROUPER_DATABASE_PASSWORD_FILE'), "utf-8") : java.lang.System.getenv().get('GROUPER_DATABASE_PASSWORD') } diff --git a/test-compose/configs-and-secrets/grouper/ldap.properties b/test-compose/configs-and-secrets/grouper/ldap.properties index 5de794c..df38a6e 100644 --- a/test-compose/configs-and-secrets/grouper/ldap.properties +++ b/test-compose/configs-and-secrets/grouper/ldap.properties @@ -6,7 +6,7 @@ edu.vt.middleware.ldap.searchScope=SUBTREE # authn if simple edu.vt.middleware.ldap.bindDn=cn=admin,dc=internet2,dc=edu -edu.vt.middleware.ldap.bindCredential=secret +edu.vt.middleware.ldap.bindCredential.elConfig = # The bind credential may be external and encrypted: https://bugs.internet2.edu/jira/browse/GRP-122 # edu.vt.middleware.ldap.bindCredential=/path/to/ldap.pwd edu.vt.middleware.ldap.authtype=simple diff --git a/test-compose/configs-and-secrets/grouper/sources.xml b/test-compose/configs-and-secrets/grouper/sources.xml deleted file mode 100644 index 9c884ae..0000000 --- a/test-compose/configs-and-secrets/grouper/sources.xml +++ /dev/null 
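Review bot: The new `hibernate.connection.password.elConfig` expression reads the secret file verbatim, so a trailing newline in `database_password.txt` (which most editors and `echo` add) becomes part of the password; commons-io's `FileUtils.readFileToString` also takes a `java.io.File` rather than a path string, so unless Grouper's EL engine coerces the argument this branch will not evaluate. I would build the file and trim the result, e.g. `org.apache.commons.io.FileUtils.readFileToString(new('java.io.File', java.lang.System.getenv().get('GROUPER_DATABASE_PASSWORD_FILE')), "utf-8").trim()`. The same expression is repeated in the `test-compose/data/container_files/conf/grouper.hibernate.properties` hunk and, keyed on `SUBJECT_SOURCE_LDAP_PASSWORD_FILE`, in the new `configs-and-secrets/grouper/subject.properties`. The plain-environment fallback (`GROUPER_DATABASE_PASSWORD`) is readable through `docker inspect` and the process environment, which deserves a one-line comment above the property so operators prefer the `_FILE` form.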
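Review bot: `edu.vt.middleware.ldap.bindCredential.elConfig =` is left empty, so the loader's LDAP bind now carries no credential at all; the `secret` value it replaces is gone and nothing in this file reads the `SUBJECT_SOURCE_LDAP_PASSWORD` variable that docker-compose sets. If the intent is the same plumbing as the hibernate file, the property should resolve it, e.g. `edu.vt.middleware.ldap.bindCredential.elConfig = ${java.lang.System.getenv().get('SUBJECT_SOURCE_LDAP_PASSWORD_FILE') != null ? <file branch as in grouper.hibernate.properties> : java.lang.System.getenv().get('SUBJECT_SOURCE_LDAP_PASSWORD')}`. The comment that follows (`# edu.vt.middleware.ldap.bindCredential=/path/to/ldap.pwd`) describes the old mechanism and should instead say the value is now resolved from the environment.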
@@ -1,295 +0,0 @@ - - - - - - - - - - - - - - - g:gsa - Grouper: Group Source Adapter - group - - - subjectVirtualAttribute_0_searchAttribute0 - ${subject.getAttributeValue('name')},${subject.getAttributeValue('displayName')},${subject.getAttributeValue('alternateName')} - - - sortAttribute0 - displayExtension - - - searchAttribute0 - searchAttribute0 - - - - maxPageSize - 100 - - searchAttribute0 - - - - - - grouperEntities - Grouper: Entity Source Adapter - application - - - subjectVirtualAttribute_0_searchAttribute0 - - ${subject.getAttributeValue('name')},${subject.getAttributeValue('displayName')},${subject.getAttributeValue('alternateName')} - - - sortAttribute0 - name - - - searchAttribute0 - searchAttribute0 - - searchAttribute0 - - - - - - ldap - EDU Ldap - person - - INITIAL_CONTEXT_FACTORY - com.sun.jndi.ldap.LdapCtxFactory - - - PROVIDER_URL - ldap://data - - - SECURITY_AUTHENTICATION - simple - - - SECURITY_PRINCIPAL - cn=admin,dc=internet2,dc=edu - - - SECURITY_CREDENTIALS - password - - - SubjectID_AttributeType - uid - - - SubjectID_formatToLowerCase - false - - - Name_AttributeType - cn - - - Description_AttributeType - cn - - - /// Scope Values can be: OBJECT_SCOPE, ONELEVEL_SCOPE, SUBTREE_SCOPE - /// For filter use - - - searchSubject - - filter - - (&(uid=%TERM%)(objectclass=person)) - - - - scope - - SUBTREE_SCOPE - - - - base - - ou=people,dc=internet2,dc=edu - - - - - - searchSubjectByIdentifier - - filter - - (&(uid=%TERM%)(objectclass=person)) - - - - scope - - SUBTREE_SCOPE - - - - base - - ou=people,dc=internet2,dc=edu - - - - - - search - - filter - - (&(|(|(uid=%TERM%)(cn=*%TERM%*))(uid=%TERM%*))(objectclass=person)) - - - - scope - - SUBTREE_SCOPE - - - - base - - ou=people,dc=internet2,dc=edu - - - - - subjectVirtualAttribute_0_searchAttribute0 - ${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('uid'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('cn'), 
"")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('exampleEduRegId'), "")} - - - sortAttribute0 - cn - - - searchAttribute0 - searchAttribute0 - - - - - - searchAttribute0 - - ///Attributes you would like to display when doing a search - givenName - sn - uid - - - - - - diff --git a/test-compose/configs-and-secrets/grouper/subject.properties b/test-compose/configs-and-secrets/grouper/subject.properties new file mode 100644 index 0000000..fd5b25c --- /dev/null +++ b/test-compose/configs-and-secrets/grouper/subject.properties 
@@ -0,0 +1,75 @@ +subject.sources.xml.location = + +subjectApi.source.ldap.id = ldap +subjectApi.source.ldap.name = EDU Ldap +subjectApi.source.ldap.types = person +subjectApi.source.ldap.adapterClass = edu.internet2.middleware.grouper.subj.GrouperJndiSourceAdapter +subjectApi.source.ldap.param.INITIAL_CONTEXT_FACTORY.value = com.sun.jndi.ldap.LdapCtxFactory +subjectApi.source.ldap.param.PROVIDER_URL.value = ldap://data:389 +subjectApi.source.ldap.param.SECURITY_AUTHENTICATION.value = simple +subjectApi.source.ldap.param.SECURITY_PRINCIPAL.value = cn=admin,dc=internet2,dc=edu +subjectApi.source.ldap.param.SECURITY_CREDENTIALS.value.elConfig = ${java.lang.System.getenv().get('SUBJECT_SOURCE_LDAP_PASSWORD_FILE') != null ? org.apache.commons.io.FileUtils.readFileToString(java.lang.System.getenv().get('SUBJECT_SOURCE_LDAP_PASSWORD_FILE'), "utf-8") : java.lang.System.getenv().get('SUBJECT_SOURCE_LDAP_PASSWORD')} +subjectApi.source.ldap.param.SubjectID_AttributeType.value = uid +subjectApi.source.ldap.param.SubjectID_formatToLowerCase.value = false +subjectApi.source.ldap.param.Name_AttributeType.value = cn +subjectApi.source.ldap.param.Description_AttributeType.value = cn +subjectApi.source.ldap.param.VTLDAP_VALIDATOR.value = ConnectLdapValidator +subjectApi.source.ldap.param.subjectVirtualAttribute_0_searchAttribute0.value = ${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('uid'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('cn'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('exampleEduRegId'), "")} +subjectApi.source.ldap.param.sortAttribute0.value = cn +subjectApi.source.ldap.param.searchAttribute0.value = searchAttribute0 + +# STATUS SECTION for searches to filter out inactives and allow +# the user to filter by status with e.g. 
status=all +# this is optional, and advanced +# +# field in database or ldap or endpoint that is the status field +#subjectApi.source.example.param.statusDatastoreFieldName.value = status + +# search string from user which represents the status. e.g. status=active +#subjectApi.source.example.param.statusLabel.value = status + +# available statuses from screen (if not specified, any will be allowed). comma separated list. +# Note, this is optional and you probably dont want to configure it, it is mostly necessary +# when you have multiple sources with statuses... if someone types an invalid status +# and you have this configured, it will not filter by it +#subjectApi.source.example.param.statusesFromUser.value = Active, Inactive, Pending, All + +# all label from the user +#subjectApi.source.example.param.statusAllFromUser.value = All + +# if no status is specified, this will be used (e.g. for active only). Note, the value should be of the +# form the user would type in +#subjectApi.source.example.param.statusSearchDefault.value = status=active + +# translate between screen values of status, and the data store value. Increment the 0 to 1, 2, etc for more translations. +# so the user could enter: status=active, and that could translate to status_col=A. The 'user' is what the user types in, +# the 'datastore' is what is in the datastore. The user part is not case-sensitive. Note, this could be a many to one +#subjectApi.source.example.param.statusTranslateUser0.value = active +#subjectApi.source.example.param.statusTranslateDatastore0.value = A + +# subject identifier to store in grouper's member table. this is used to increase speed of loader and perhaps for provisioning +# you can have up to max 1 subject identifier +#subjectApi.source.example.param.subjectIdentifierAttribute0.value = uid + +#searchSubject: find a subject by ID. ID is generally an opaque and permanent identifier, e.g. 12345678. +# Each subject has one and only on ID. 
Returns one result when searching for one ID. +subjectApi.source.ldap.search.searchSubject.param.filter.value = (&(uid=%TERM%)(objectclass=person)) +subjectApi.source.ldap.search.searchSubject.param.scope.value = SUBTREE_SCOPE +subjectApi.source.ldap.search.searchSubject.param.base.value = ou=people,dc=internet2,dc=edu + +#searchSubjectByIdentifier: find a subject by identifier. Identifier is anything that uniquely +# identifies the user, e.g. jsmith or jsmith@institution.edu. +# Subjects can have multiple identifiers. Note: it is nice to have if identifiers are unique +# even across sources. Returns one result when searching for one identifier. +subjectApi.source.ldap.search.searchSubjectByIdentifier.param.filter.value = (&(|(uid=%TERM%)(employeeNumber=%TERM%))(objectclass=person)) +subjectApi.source.ldap.search.searchSubjectByIdentifier.param.scope.value = SUBTREE_SCOPE +subjectApi.source.ldap.search.searchSubjectByIdentifier.param.base.value = ou=people,dc=internet2,dc=edu + +# search: find subjects by free form search. Returns multiple results. + +subjectApi.source.ldap.search.search.param.filter.value = (&(|(|(uid=%TERM%)(cn=*%TERM%*))(uid=%TERM%*))(objectclass=person)) +subjectApi.source.ldap.search.search.param.scope.value = SUBTREE_SCOPE +subjectApi.source.ldap.search.search.param.base.value = ou=people,dc=internet2,dc=edu + +subjectApi.source.ldap.attributes = givenName, sn, uid, mail, employeeNumber +subjectApi.source.ldap.internalAttributes = searchAttribute0 diff --git a/test-compose/data/container_files/conf/grouper.hibernate.properties b/test-compose/data/container_files/conf/grouper.hibernate.properties index 9a45eb9..89404b5 100644 --- a/test-compose/data/container_files/conf/grouper.hibernate.properties +++ b/test-compose/data/container_files/conf/grouper.hibernate.properties 
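Review bot: Besides moving the bind password to `SECURITY_CREDENTIALS.value.elConfig`, this new file changes subject lookup behaviour relative to the deleted `sources.xml` without the commit message saying so: `searchSubjectByIdentifier` now also matches `(employeeNumber=%TERM%)`, and `subjectApi.source.ldap.attributes` grows to include `mail` and `employeeNumber`. The `g:gsa` and `grouperEntities` sources from the removed `sources.xml` are not carried over, so unless Grouper's base subject configuration supplies them (I cannot tell from here) group and entity subjects will stop resolving; the blank `subject.sources.xml.location =` should get a comment stating whether dropping the XML entirely is intended. The directory is reached as `ldap://data:389` with `SECURITY_AUTHENTICATION.value = simple`, so the bind credential travels in cleartext; that may be fine for the test network, but a comment such as `# simple bind over plain ldap:// is for test-compose only; use ldaps:// or StartTLS elsewhere` keeps it from being copied as-is.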
@@ -26,5 +26,4 @@ hibernate.connection.username = root # If you are using an empty password, depending upon your version of # Java and Ant you may need to specify a password of "". # Note: you can keep passwords external and encrypted: https://bugs.internet2.edu/jira/browse/GRP-122 -hibernate.connection.password = - +hibernate.connection.password.elConfig = ${java.lang.System.getenv().get('GROUPER_DATABASE_PASSWORD_FILE') != null ? org.apache.commons.io.FileUtils.readFileToString(java.lang.System.getenv().get('GROUPER_DATABASE_PASSWORD_FILE'), "utf-8") : java.lang.System.getenv().get('GROUPER_DATABASE_PASSWORD') } diff --git a/test-compose/data/container_files/conf/sources.xml b/test-compose/data/container_files/conf/sources.xml deleted file mode 100644 index d92123e..0000000 --- a/test-compose/data/container_files/conf/sources.xml +++ /dev/null 
@@ -1,295 +0,0 @@ - - - - - - - - - - - - - - - g:gsa - Grouper: Group Source Adapter - group - - - subjectVirtualAttribute_0_searchAttribute0 - ${subject.getAttributeValue('name')},${subject.getAttributeValue('displayName')},${subject.getAttributeValue('alternateName')} - - - sortAttribute0 - displayExtension - - - searchAttribute0 - searchAttribute0 - - - - maxPageSize - 100 - - searchAttribute0 - - - - - - grouperEntities - Grouper: Entity Source Adapter - application - - - subjectVirtualAttribute_0_searchAttribute0 - - ${subject.getAttributeValue('name')},${subject.getAttributeValue('displayName')},${subject.getAttributeValue('alternateName')} - - - sortAttribute0 - name - - - searchAttribute0 - searchAttribute0 - - searchAttribute0 - - - - - - ldap - EDU Ldap - person - - INITIAL_CONTEXT_FACTORY - com.sun.jndi.ldap.LdapCtxFactory - - - PROVIDER_URL - ldap://localhost - - - SECURITY_AUTHENTICATION - simple - - - SECURITY_PRINCIPAL - cn=admin,dc=internet2,dc=edu - - - SECURITY_CREDENTIALS - password - - - SubjectID_AttributeType - uid - - - SubjectID_formatToLowerCase - false - - - Name_AttributeType - cn - - - Description_AttributeType - cn - - - /// Scope Values can be: OBJECT_SCOPE, ONELEVEL_SCOPE, SUBTREE_SCOPE - /// For filter use - - - searchSubject - - filter - - (&(uid=%TERM%)(objectclass=person)) - - - - scope - - SUBTREE_SCOPE - - - - base - - ou=people,dc=internet2,dc=edu - - - - - - searchSubjectByIdentifier - - filter - - (&(uid=%TERM%)(objectclass=person)) - - - - scope - - SUBTREE_SCOPE - - - - base - - ou=people,dc=internet2,dc=edu - - - - - - search - - filter - - (&(|(|(uid=%TERM%)(cn=*%TERM%*))(uid=%TERM%*))(objectclass=person)) - - - - scope - - SUBTREE_SCOPE - - - - base - - ou=people,dc=internet2,dc=edu - - - - - subjectVirtualAttribute_0_searchAttribute0 - ${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('uid'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('cn'), 
"")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('exampleEduRegId'), "")} - - - sortAttribute0 - cn - - - searchAttribute0 - searchAttribute0 - - - - - - searchAttribute0 - - ///Attributes you would like to display when doing a search - givenName - sn - uid - - - - - - diff --git a/test-compose/data/container_files/conf/subject.properties b/test-compose/data/container_files/conf/subject.properties new file mode 100644 index 0000000..a73bd20 --- /dev/null +++ b/test-compose/data/container_files/conf/subject.properties 
@@ -0,0 +1,75 @@ +subject.sources.xml.location = + +subjectApi.source.ldap.id = ldap +subjectApi.source.ldap.name = EDU Ldap +subjectApi.source.ldap.types = person +subjectApi.source.ldap.adapterClass = edu.internet2.middleware.grouper.subj.GrouperJndiSourceAdapter +subjectApi.source.ldap.param.INITIAL_CONTEXT_FACTORY.value = com.sun.jndi.ldap.LdapCtxFactory +subjectApi.source.ldap.param.PROVIDER_URL.value = ldap://localhost:389 +subjectApi.source.ldap.param.SECURITY_AUTHENTICATION.value = simple +subjectApi.source.ldap.param.SECURITY_PRINCIPAL.value = cn=admin,dc=internet2,dc=edu +subjectApi.source.ldap.param.SECURITY_CREDENTIALS.value.elConfig = password +subjectApi.source.ldap.param.SubjectID_AttributeType.value = uid +subjectApi.source.ldap.param.SubjectID_formatToLowerCase.value = false +subjectApi.source.ldap.param.Name_AttributeType.value = cn +subjectApi.source.ldap.param.Description_AttributeType.value = cn +subjectApi.source.ldap.param.VTLDAP_VALIDATOR.value = ConnectLdapValidator +subjectApi.source.ldap.param.subjectVirtualAttribute_0_searchAttribute0.value = ${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('uid'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('cn'), "")},${subjectUtils.defaultIfBlank(subject.getAttributeValueOrCommaSeparated('exampleEduRegId'), "")} +subjectApi.source.ldap.param.sortAttribute0.value = cn +subjectApi.source.ldap.param.searchAttribute0.value = searchAttribute0 + +# STATUS SECTION for searches to filter out inactives and allow +# the user to filter by status with e.g. status=all +# this is optional, and advanced +# +# field in database or ldap or endpoint that is the status field +#subjectApi.source.example.param.statusDatastoreFieldName.value = status + +# search string from user which represents the status. e.g. status=active +#subjectApi.source.example.param.statusLabel.value = status + +# available statuses from screen (if not specified, any will be allowed). 
comma separated list. +# Note, this is optional and you probably dont want to configure it, it is mostly necessary +# when you have multiple sources with statuses... if someone types an invalid status +# and you have this configured, it will not filter by it +#subjectApi.source.example.param.statusesFromUser.value = Active, Inactive, Pending, All + +# all label from the user +#subjectApi.source.example.param.statusAllFromUser.value = All + +# if no status is specified, this will be used (e.g. for active only). Note, the value should be of the +# form the user would type in +#subjectApi.source.example.param.statusSearchDefault.value = status=active + +# translate between screen values of status, and the data store value. Increment the 0 to 1, 2, etc for more translations. +# so the user could enter: status=active, and that could translate to status_col=A. The 'user' is what the user types in, +# the 'datastore' is what is in the datastore. The user part is not case-sensitive. Note, this could be a many to one +#subjectApi.source.example.param.statusTranslateUser0.value = active +#subjectApi.source.example.param.statusTranslateDatastore0.value = A + +# subject identifier to store in grouper's member table. this is used to increase speed of loader and perhaps for provisioning +# you can have up to max 1 subject identifier +#subjectApi.source.example.param.subjectIdentifierAttribute0.value = uid + +#searchSubject: find a subject by ID. ID is generally an opaque and permanent identifier, e.g. 12345678. +# Each subject has one and only on ID. Returns one result when searching for one ID. +subjectApi.source.ldap.search.searchSubject.param.filter.value = (&(uid=%TERM%)(objectclass=person)) +subjectApi.source.ldap.search.searchSubject.param.scope.value = SUBTREE_SCOPE +subjectApi.source.ldap.search.searchSubject.param.base.value = ou=people,dc=internet2,dc=edu + +#searchSubjectByIdentifier: find a subject by identifier. 
Identifier is anything that uniquely +# identifies the user, e.g. jsmith or jsmith@institution.edu. +# Subjects can have multiple identifiers. Note: it is nice to have if identifiers are unique +# even across sources. Returns one result when searching for one identifier. +subjectApi.source.ldap.search.searchSubjectByIdentifier.param.filter.value = (&(|(uid=%TERM%)(employeeNumber=%TERM%))(objectclass=person)) +subjectApi.source.ldap.search.searchSubjectByIdentifier.param.scope.value = SUBTREE_SCOPE +subjectApi.source.ldap.search.searchSubjectByIdentifier.param.base.value = ou=people,dc=internet2,dc=edu + +# search: find subjects by free form search. Returns multiple results. + +subjectApi.source.ldap.search.search.param.filter.value = (&(|(|(uid=%TERM%)(cn=*%TERM%*))(uid=%TERM%*))(objectclass=person)) +subjectApi.source.ldap.search.search.param.scope.value = SUBTREE_SCOPE +subjectApi.source.ldap.search.search.param.base.value = ou=people,dc=internet2,dc=edu + +subjectApi.source.ldap.attributes = givenName, sn, uid, mail, employeeNumber +subjectApi.source.ldap.internalAttributes = searchAttribute0 diff --git a/test-compose/docker-compose.yml b/test-compose/docker-compose.yml index 6b2f765..e45844f 100644 --- a/test-compose/docker-compose.yml +++ b/test-compose/docker-compose.yml @@ -13,17 +13,21 @@ services: target: /opt/grouper/conf/grouper.client.properties depends_on: - data + environment: + - GROUPER_DATABASE_PASSWORD_FILE=/run/secrets/database_password.txt + - SUBJECT_SOURCE_LDAP_PASSWORD=password networks: - back secrets: + - database_password.txt - source: grouper.hibernate.properties target: grouper_grouper.hibernate.properties - source: grouper-loader.properties target: grouper_grouper-loader.properties - source: ldap.properties target: grouper_ldap.properties - - source: sources.xml - target: grouper_sources.xml + - source: subject.properties + target: grouper_subject.properties ui: build: ./ui/ 
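Review bot: `subjectApi.source.ldap.param.SECURITY_CREDENTIALS.value.elConfig = password` puts the `.elConfig` suffix on a literal, so the word `password` will be evaluated as an expression rather than used as the credential (presumably yielding null or an evaluation error), and it diverges from the sibling copy of this file, which reads `SUBJECT_SOURCE_LDAP_PASSWORD_FILE`/`SUBJECT_SOURCE_LDAP_PASSWORD`. Either drop the suffix, `subjectApi.source.ldap.param.SECURITY_CREDENTIALS.value = password`, or use the same environment-backed expression as `configs-and-secrets/grouper/subject.properties` so the two copies do not drift. The behavioural differences from the deleted `sources.xml` (the `employeeNumber` clause in `searchSubjectByIdentifier` and the extended attribute list) apply to this copy as well and should be noted in a comment.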
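Review bot: The daemon service passes the directory bind password as a plain environment variable, `SUBJECT_SOURCE_LDAP_PASSWORD=password`, while the database password goes through a compose secret; environment values are visible via `docker inspect`, `docker-compose config` and to every process in the container, which undercuts the purpose of the change. I would add a second secret and set `SUBJECT_SOURCE_LDAP_PASSWORD_FILE=/run/secrets/<ldap password secret>` next to `database_password.txt`, which the expression in `subject.properties` already supports. The same `environment:` block is repeated for the `ui`, `ws`, `gsh` and `data` services in the later hunks of this file, so one fix should be applied to all of them.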
@@ -52,6 +56,9 @@ services: target: /etc/pki/tls/certs/cachain.pem depends_on: - data + environment: + - GROUPER_DATABASE_PASSWORD_FILE=/run/secrets/database_password.txt + - SUBJECT_SOURCE_LDAP_PASSWORD=password networks: - front - back @@ -59,14 +66,15 @@ services: - "80:80" - "443:443" secrets: + - database_password.txt - source: grouper.hibernate.properties target: grouper_grouper.hibernate.properties - source: grouper-loader.properties target: grouper_grouper-loader.properties - source: ldap.properties target: grouper_ldap.properties - - source: sources.xml - target: grouper_sources.xml + - source: subject.properties + target: grouper_subject.properties - source: sp-key.pem target: shib_sp-key.pem - source: host-key.pem 
@@ -90,55 +98,59 @@ services: target: /etc/pki/tls/certs/cachain.pem depends_on: - data + environment: + - GROUPER_DATABASE_PASSWORD_FILE=/run/secrets/database_password.txt + - SUBJECT_SOURCE_LDAP_PASSWORD=password networks: - front - back ports: - "8443:443" secrets: + - database_password.txt - source: grouper.hibernate.properties target: grouper_grouper.hibernate.properties - source: grouper-loader.properties target: grouper_grouper-loader.properties - source: ldap.properties target: grouper_ldap.properties - - source: sources.xml - target: grouper_sources.xml + - source: subject.properties + target: grouper_subject.properties - source: host-key.pem - scim: - build: ./scim/ - command: bash -c "while ! curl -s data:3306 > /dev/null; do echo waiting for mysql to start; sleep 3; done; while ! curl -s ldap://data:389 > /dev/null; do echo waiting for ldap to start; sleep 3; done; exec scim" - volumes: - - type: bind - source: ./configs-and-secrets/grouper/grouper.properties - target: /opt/grouper/conf/grouper.properties - - type: bind - source: ./configs-and-secrets/grouper/grouper.client.properties - target: /opt/grouper/conf/grouper.client.properties - - type: bind - source: ./configs-and-secrets/httpd/host-cert.pem - target: /etc/pki/tls/certs/host-cert.pem - - type: bind - source: ./configs-and-secrets/httpd/host-cert.pem - target: /etc/pki/tls/certs/cachain.pem - depends_on: - - data - networks: - - front - - back - ports: - - "9443:443" - secrets: - - source: grouper.hibernate.properties - target: grouper_grouper.hibernate.properties - - source: grouper-loader.properties - target: grouper_grouper-loader.properties - - source: ldap.properties - target: grouper_ldap.properties - - source: sources.xml - target: grouper_sources.xml - - source: host-key.pem +# scim: +# build: ./scim/ +# command: bash -c "while ! curl -s data:3306 > /dev/null; do echo waiting for mysql to start; sleep 3; done; while ! 
curl -s ldap://data:389 > /dev/null; do echo waiting for ldap to start; sleep 3; done; exec scim" +# volumes: +# - type: bind +# source: ./configs-and-secrets/grouper/grouper.properties +# target: /opt/grouper/conf/grouper.properties +# - type: bind +# source: ./configs-and-secrets/grouper/grouper.client.properties +# target: /opt/grouper/conf/grouper.client.properties +# - type: bind +# source: ./configs-and-secrets/httpd/host-cert.pem +# target: /etc/pki/tls/certs/host-cert.pem +# - type: bind +# source: ./configs-and-secrets/httpd/host-cert.pem +# target: /etc/pki/tls/certs/cachain.pem +# depends_on: +# - data +# networks: +# - front +# - back +# ports: +# - "9443:443" +# secrets: +# - source: grouper.hibernate.properties +# target: grouper_grouper.hibernate.properties +# - source: grouper-loader.properties +# target: grouper_grouper-loader.properties +# - source: ldap.properties +# target: grouper_ldap.properties +# - source: sources.xml +# target: grouper_sources.xml +# - source: host-key.pem gsh: build: ./gsh/ @@ -151,21 +163,28 @@ services: target: /opt/grouper/conf/grouper.client.properties depends_on: - data + environment: + - GROUPER_DATABASE_PASSWORD_FILE=/run/secrets/database_password.txt + - SUBJECT_SOURCE_LDAP_PASSWORD=password networks: - back secrets: + - database_password.txt - source: grouper.hibernate.properties target: grouper_grouper.hibernate.properties - source: grouper-loader.properties target: grouper_grouper-loader.properties - source: ldap.properties target: grouper_ldap.properties - - source: sources.xml - target: grouper_sources.xml + - source: subject.properties + target: grouper_subject.properties data: build: ./data/ + environment: + - GROUPER_DATABASE_PASSWORD_FILE=/run/secrets/database_password.txt + - SUBJECT_SOURCE_LDAP_PASSWORD=password expose: - "389" - "3306" @@ -174,6 +193,9 @@ services: ports: - "389:389" - "3306:3306" + secrets: + - database_password.txt + idp: build: ./idp/ 
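Review bot: The `scim` service is commented out rather than removed, and the frozen block still references the `sources.xml` secret that this commit deletes from the top-level `secrets:` section, so re-enabling it by uncommenting will fail on an undefined secret. If it is meant to return, convert it now to `subject.properties`/`database_password.txt` and the new `environment:` entries; otherwise delete it and let history keep it. A one-line comment above the block, `# scim disabled: not yet converted to secrets-based configuration`, would at least say why it is parked.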
@@ -211,12 +233,14 @@ secrets: file: ./configs-and-secrets/grouper/grouper.hibernate.properties grouper-loader.properties: file: ./configs-and-secrets/grouper/grouper-loader.properties - sources.xml: - file: ./configs-and-secrets/grouper/sources.xml + subject.properties: + file: ./configs-and-secrets/grouper/subject.properties ldap.properties: file: ./configs-and-secrets/grouper/ldap.properties sp-key.pem: file: ./configs-and-secrets/shibboleth/sp-key.pem host-key.pem: file: ./configs-and-secrets/httpd/host-key.pem + database_password.txt: + file: ./configs-and-secrets/grouper/database_password.txt \ No newline at end of file
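Review bot: `database_password.txt` is committed empty (the diffstat shows `| 0` and the index line `0000000..e69de29`, the empty blob), and because `GROUPER_DATABASE_PASSWORD_FILE` is set in every service the `elConfig` expressions always take the file branch and never fall back to `GROUPER_DATABASE_PASSWORD`, so the effective database password is the empty string. The file also lives in a tracked directory, so a real password dropped there later is one `git add` away from the repository; I would ignore it in `.gitignore`, ship an `.example` placeholder, and add `# populate ./configs-and-secrets/grouper/database_password.txt (untracked) before first start` above the `database_password.txt:` entry. The hunk also ends with `\ No newline at end of file`, which is worth fixing while here.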