From 2ef4ce9b9e610cde31dd4317c860f324dea2b780 Mon Sep 17 00:00:00 2001
From: John Gasper
Date: Mon, 26 Mar 2018 12:58:09 -0700
Subject: [PATCH] Adding more secrets to the POC.

---
 .../grouper/grouper-loader.properties | 6 +-
 .../grouper/grouper.client.properties | 6 +-
 .../grouper/ldap.properties | 73 ------------------
 .../grouper/rabbitmq_password.txt | 1 +
 test-compose/docker-compose.yml | 16 ++--
 5 files changed, 13 insertions(+), 89 deletions(-)
 delete mode 100644 test-compose/configs-and-secrets/grouper/ldap.properties
 create mode 100644 test-compose/configs-and-secrets/grouper/rabbitmq_password.txt

diff --git a/test-compose/configs-and-secrets/grouper/grouper-loader.properties b/test-compose/configs-and-secrets/grouper/grouper-loader.properties
index 77cf522..07c4f56 100644
--- a/test-compose/configs-and-secrets/grouper/grouper-loader.properties
+++ b/test-compose/configs-and-secrets/grouper/grouper-loader.properties
@@ -11,13 +11,13 @@ ldap.demo.url = ldap://data:389/dc=example,dc=edu
 #optional, if authenticated
-#ldap.personLdap.user = uid=someapp,ou=people,dc=myschool,dc=edu
+ldap.demo.user = cn=admin,dc=internet2,dc=edu
 #optional, if authenticated note the password can be stored encrypted in an external file
-#ldap.personLdap.pass = secret
+ldap.demo.pass = ${java.lang.System.getenv().get('SUBJECT_SOURCE_LDAP_PASSWORD_FILE') != null ? org.apache.commons.io.FileUtils.readFileToString(java.lang.System.getenv().get('SUBJECT_SOURCE_LDAP_PASSWORD_FILE'), "utf-8") : java.lang.System.getenv().get('SUBJECT_SOURCE_LDAP_PASSWORD')}
 #optional, if you are using tls, set this to true. Generally you will not be using an SSL URL to use TLS...
-#ldap.personLdap.tls = false
+ldap.demo.tls = false
 #optional, if using sasl
 #ldap.personLdap.saslAuthorizationId =
diff --git a/test-compose/configs-and-secrets/grouper/grouper.client.properties b/test-compose/configs-and-secrets/grouper/grouper.client.properties
index 07d7cd1..5169c71 100644
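Review bot: `ldap.demo.tls = false` together with the plain `ldap://data:389` URL in the context line means the new `cn=admin,dc=internet2,dc=edu` simple bind sends its password in cleartext, and the new line does not say that this is deliberate. For a test-compose POC that may be fine, but since this commit is about handling secrets properly a marker would keep the setting from being copied into a real deployment: `# POC only: tls=false with an ldap:// URL sends the admin bind password in the clear; use tls=true or ldaps:// outside test-compose`. The `ldap.demo.pass` expression also uses whatever `readFileToString` returns verbatim, so a trailing newline in the secret file becomes part of the bind password; appending `.trim()` to that call, or documenting that the file must not end in a newline (as the rabbitmq_password.txt added in this commit does), would avoid a confusing bind failure.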
--- a/test-compose/configs-and-secrets/grouper/grouper.client.properties
+++ b/test-compose/configs-and-secrets/grouper/grouper.client.properties
@@ -55,7 +55,7 @@ grouperClient.webService.login = banderson
 # password for shared secret authentication to web service
 # or you can put a filename with an encrypted password
-grouperClient.webService.password = password
+grouperClient.webService.password = ${java.lang.System.getenv().get('GROUPER_CLIENT_WEBSERVICE_PASSWORD_FILE') != null ? org.apache.commons.io.FileUtils.readFileToString(java.lang.System.getenv().get('GROUPER_CLIENT_WEBSERVICE_PASSWORD_FILE'), "utf-8") : java.lang.System.getenv().get('GROUPER_CLIENT_WEBSERVICE_PASSWORD') }
 ################################
@@ -98,9 +98,9 @@ grouper.messaging.system.rabbitmq.name = rabbitmq
 grouper.messaging.system.rabbitmq.defaultSystemName = rabbitmqSystem
 grouper.messaging.system.rabbitmq.user = guest
-
+
 #pass
-grouper.messaging.system.rabbitmq.password = guest
+grouper.messaging.system.rabbitmq.password = ${java.lang.System.getenv().get('RABBITMQ_PASSWORD_FILE') != null ? org.apache.commons.io.FileUtils.readFileToString(java.lang.System.getenv().get('RABBITMQ_PASSWORD_FILE'), "utf-8") : java.lang.System.getenv().get('RABBITMQ_PASSWORD') }
 # set the following three properties if you want to use TLS connection to rabbitmq. All three need to be populated.
 # TLS Version
 #grouper.messaging.system.rabbitmqSystem.tlsVersion = TLSv1.1
diff --git a/test-compose/configs-and-secrets/grouper/ldap.properties b/test-compose/configs-and-secrets/grouper/ldap.properties
deleted file mode 100644
index df38a6e..0000000
--- a/test-compose/configs-and-secrets/grouper/ldap.properties
+++ /dev/null
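Review bot: `org.apache.commons.io.FileUtils.readFileToString` takes a `java.io.File` as its first argument, but the new `grouperClient.webService.password` expression hands it the raw string returned by `getenv().get('GROUPER_CLIENT_WEBSERVICE_PASSWORD_FILE')`; unless Grouper's expression evaluator coerces strings to File (I cannot confirm that from this diff), the file branch will fail to resolve precisely when the `_FILE` variable is set, which is what docker-compose.yml now does. Constructing the File explicitly, e.g. `org.apache.commons.io.FileUtils.readFileToString(new('java.io.File', java.lang.System.getenv().get('GROUPER_CLIENT_WEBSERVICE_PASSWORD_FILE')), "utf-8")` in JEXL syntax, makes the intent unambiguous. The same shape is repeated for the RabbitMQ and LDAP passwords in this commit, so whichever form is verified to work should be applied to all three, ideally via one documented pattern rather than three copies.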
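Review bot: The RabbitMQ credentials are only half moved into a secret: `grouper.messaging.system.rabbitmq.user = guest` remains hard-coded in the context line, and the file this commit adds for `RABBITMQ_PASSWORD_FILE` contains `guest`, so the effective login is still the broker's well-known default account. That is tolerable only while the broker is unreachable from outside the compose network, which this hunk cannot show; a comment next to the new line would at least flag it: `# POC: broker still uses the default guest/guest account; change both user and password before any shared deployment`. Note also that when neither `RABBITMQ_PASSWORD_FILE` nor `RABBITMQ_PASSWORD` is set the property now evaluates to nothing rather than the old literal, so anyone reusing this file without the compose environment gets a broker authentication failure with no hint as to why.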
@@ -1,73 +0,0 @@
-# This is the configuration file for vt-ldap.
-# See http://code.google.com/p/vt-middleware/wiki/vtldapProperties
-
-edu.vt.middleware.ldap.ldapUrl=ldap://data:389
-edu.vt.middleware.ldap.searchScope=SUBTREE
-
-# authn if simple
-edu.vt.middleware.ldap.bindDn=cn=admin,dc=internet2,dc=edu
-edu.vt.middleware.ldap.bindCredential.elConfig =
-# The bind credential may be external and encrypted: https://bugs.internet2.edu/jira/browse/GRP-122
-# edu.vt.middleware.ldap.bindCredential=/path/to/ldap.pwd
-edu.vt.middleware.ldap.authtype=simple
-
-# encryption
-edu.vt.middleware.ldap.ssl=false
-edu.vt.middleware.ldap.tls=false
-
-# pooling options
-edu.vt.middleware.ldap.pool.minPoolSize = 2
-edu.vt.middleware.ldap.pool.maxPoolSize = 5
-
-# paged results
-edu.vt.middleware.ldap.pagedResultsSize=0
-
-# authn for sasl external (certificates)
-# edu.vt.middleware.ldap.authtype=EXTERNAL
-# edu.vt.middleware.ldap.tls=true
-# edu.vt.middleware.ldap.serviceUser=cn=admin.example.edu
-# these to use PEM format cert and key
-# pemCaFile=/path/to/ca.pem
-# pemCertFile=/path/to/cert.pem
-# pemKeyFile=/path/to/key.pem
-
-
-# The default base DN for searches.
-# All subordinate objects will be deleted during tests !
-edu.vt.middleware.ldap.baseDn=dc=internet2,dc=edu
-
-# The base DN for groups.
-edu.internet2.middleware.psp.groupsBaseDn=ou=groups,dc=internet2,dc=edu
-
-# The base DN for people.
-edu.internet2.middleware.psp.peopleBaseDn=ou=people,dc=internet2,dc=edu
-
-# The group object class.
-# OpenLDAP, RedHat, 389, ApacheDS, etc.
-edu.internet2.middleware.psp.groupObjectClass=groupOfNames
-# Active Directory
-# edu.internet2.middleware.psp.groupObjectClass=group
-
-# The base Grouper stem to be provisioned.
-edu.internet2.middleware.psp.baseStem=psp
-
-# The ldap DN structure may be either flat or bushy.
-# In a flat structure all groups are provisioned under a single base DN (container ID).
-# A flat group's ldap RDN is its Grouper name or displayName.
-# edu.internet2.middleware.psp.structure=flat
-# edu.internet2.middleware.psp.cnSourceAttributeID=name
-
-# In a bushy structure groups are provisioned hierarchically, with stems as branches in the tree.
-# A bushy group's RDN is its Grouper extension or displayExtension.
-edu.internet2.middleware.psp.structure=flat
-edu.internet2.middleware.psp.cnSourceAttributeID=name
-
-# The QuotedDnResultHandler removes quotes from DNs of the form "CN=quoted/name",DC=edu.
-# The FqdnSearchResultHandler makes sure that all ldap dns are fully qualified.
-# You may wish to comment out the following property for the Grouper UI or WS.
-edu.vt.middleware.ldap.searchResultHandlers=edu.internet2.middleware.psp.ldap.QuotedDnResultHandler,edu.vt.middleware.ldap.handler.FqdnSearchResultHandler
-
-# handle Active Directory groups with a large (>1500) number of members
-# see https://bugs.internet2.edu/jira/browse/GRP-335
-# see http://code.google.com/p/vt-middleware/wiki/vtldapAD#Range_Attributes
-# edu.vt.middleware.ldap.searchResultHandlers=edu.internet2.middleware.ldappc.util.QuotedDnResultHandler,edu.vt.middleware.ldap.handler.FqdnSearchResultHandler,edu.internet2.middleware.ldappc.util.RangeSearchResultHandler
diff --git a/test-compose/configs-and-secrets/grouper/rabbitmq_password.txt b/test-compose/configs-and-secrets/grouper/rabbitmq_password.txt
new file mode 100644
index 0000000..158f675
--- /dev/null
+++ b/test-compose/configs-and-secrets/grouper/rabbitmq_password.txt
@@ -0,0 +1 @@
+guest
\ No newline at end of file
diff --git a/test-compose/docker-compose.yml b/test-compose/docker-compose.yml
index e45844f..cebb97b 100644
--- a/test-compose/docker-compose.yml
+++ b/test-compose/docker-compose.yml
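Review bot: `rabbitmq_password.txt` is a credential file committed to the repository under `configs-and-secrets/`, and its one line is `guest`, RabbitMQ's default password. Even for a test-compose POC it is safer to keep the real secret files out of version control (ignore `*_password.txt` and commit a `rabbitmq_password.txt.example` instead), because this layout tends to be copied with production values; database_password.txt in the same directory presumably has the same problem already. The file deliberately has no trailing newline, and that matters because the expression consuming it in grouper.client.properties does not trim what it reads; a short note in the compose README stating "secret files must not end in a newline" would save the next person a failed broker login.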
@@ -14,18 +14,19 @@ services:
 depends_on:
 - data
 environment:
+ - GROUPER_CLIENT_WEBSERVICE_PASSWORD_FILE=password
 - GROUPER_DATABASE_PASSWORD_FILE=/run/secrets/database_password.txt
+ - RABBITMQ_PASSWORD_FILE=/run/secrets/rabbitmq_password.txt
 - SUBJECT_SOURCE_LDAP_PASSWORD=password
 networks:
 - back
 secrets:
 - database_password.txt
+ - rabbitmq_password.txt
 - source: grouper.hibernate.properties
 target: grouper_grouper.hibernate.properties
 - source: grouper-loader.properties
 target: grouper_grouper-loader.properties
- - source: ldap.properties
- target: grouper_ldap.properties
 - source: subject.properties
 target: grouper_subject.properties
@@ -71,8 +72,6 @@ services:
 target: grouper_grouper.hibernate.properties
 - source: grouper-loader.properties
 target: grouper_grouper-loader.properties
- - source: ldap.properties
- target: grouper_ldap.properties
 - source: subject.properties
 target: grouper_subject.properties
 - source: sp-key.pem
@@ -112,8 +111,6 @@ services:
 target: grouper_grouper.hibernate.properties
 - source: grouper-loader.properties
 target: grouper_grouper-loader.properties
- - source: ldap.properties
- target: grouper_ldap.properties
 - source: subject.properties
 target: grouper_subject.properties
 - source: host-key.pem
@@ -174,8 +171,6 @@ services:
 target: grouper_grouper.hibernate.properties
 - source: grouper-loader.properties
 target: grouper_grouper-loader.properties
- - source: ldap.properties
- target: grouper_ldap.properties
 - source: subject.properties
 target: grouper_subject.properties
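Review bot: `GROUPER_CLIENT_WEBSERVICE_PASSWORD_FILE=password` sets the `_FILE` variable to a bare relative path, unlike the two neighbouring `_FILE` entries that point under `/run/secrets/`; because the expression in grouper.client.properties takes the file branch whenever that variable is non-null, the container will try to read a file literally named `password` from its working directory instead of using the value. Either this was meant to be `GROUPER_CLIENT_WEBSERVICE_PASSWORD=password` (the env-var fallback the same expression supports), or it should reference a mounted secret such as `/run/secrets/webservice_password.txt` with a matching entry under `secrets:`. In the same block `SUBJECT_SOURCE_LDAP_PASSWORD=password` still passes the `cn=admin` LDAP bind password as a plain environment variable, which is readable via `docker inspect` and the process environment; given the commit's stated purpose, routing it through `SUBJECT_SOURCE_LDAP_PASSWORD_FILE` like the other two would be the consistent choice.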
@@ -235,12 +230,13 @@ secrets:
 file: ./configs-and-secrets/grouper/grouper-loader.properties
 subject.properties:
 file: ./configs-and-secrets/grouper/subject.properties
- ldap.properties:
- file: ./configs-and-secrets/grouper/ldap.properties
 sp-key.pem:
 file: ./configs-and-secrets/shibboleth/sp-key.pem
 host-key.pem:
 file: ./configs-and-secrets/httpd/host-key.pem
 database_password.txt:
 file: ./configs-and-secrets/grouper/database_password.txt
+ rabbitmq_password.txt:
+ file: ./configs-and-secrets/grouper/rabbitmq_password.txt
+
\ No newline at end of file
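Review bot: The hunk ends by adding a whitespace-only line with no terminating newline (`+ ` followed by `\ No newline at end of file`), which is a style nit but will show up as a spurious change in every later edit to the `secrets:` block; drop the blank line and end the file with a newline. The new `rabbitmq_password.txt` secret is sourced from a file checked into `./configs-and-secrets/grouper/`, so the compose secret mechanism only moves the plaintext from the environment into the image's view of `/run/secrets`; it does not keep the value out of the repository, and a comment on the `file:` line saying the file is a placeholder to be replaced (or git-ignored) would make that limitation explicit.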