From 58addf75edacf35e162c0756ba63062896c49a38 Mon Sep 17 00:00:00 2001 From: John Gasper Date: Mon, 29 Jan 2018 15:43:36 -0800 Subject: [PATCH] Added some additional details; setup authn for the SCIM Server; commented out the default WS/SCIM tomcat-users's accounts with its default password(s). --- README.md | 13 ++++- container_files/tomcat/conf/tomcat-users.xml | 46 +++++++++++++++++ container_files/tomee/conf/tomcat-users.xml | 51 +++++++++++++++++++ test-compose/README.md | 3 +- test-compose/scim/Dockerfile | 3 ++ .../scim/container_files/tomcat-users.xml | 51 +++++++++++++++++++ test-compose/scim/container_files/web.xml | 30 +++++++++++ test-compose/ws/Dockerfile | 5 +- .../container_files/{tomcat => }/server.xml | 4 +- .../ws/container_files/tomcat-users.xml | 46 +++++++++++++++++ .../ws/container_files/{WEB-INF => }/web.xml | 0 11 files changed, 246 insertions(+), 6 deletions(-) create mode 100644 container_files/tomcat/conf/tomcat-users.xml create mode 100644 container_files/tomee/conf/tomcat-users.xml create mode 100644 test-compose/scim/container_files/tomcat-users.xml create mode 100644 test-compose/scim/container_files/web.xml rename test-compose/ws/container_files/{tomcat => }/server.xml (95%) create mode 100644 test-compose/ws/container_files/tomcat-users.xml rename test-compose/ws/container_files/{WEB-INF => }/web.xml (100%) diff --git a/README.md b/README.md index 78470a7..646ead5 100644 --- a/README.md +++ b/README.md 
@@ -198,7 +198,7 @@ Amongst others variables defined in the `catalina.sh`, the following variables w # File System Endpoints -Here is a list of significant directories and files that deployers should be aware of. +Here is a list of significant directories and files that deployers should be aware of: - `/opt/grouper/conf/`: a common directory to place non-sensitive config files that will be placed into the appropriate location for each Grouper component at container start-up. - `/opt/grouper/lib/`: a common directory to place additional jar files that will be placed into the appropriate location for each Grouper component at container start-up. @@ -214,6 +214,15 @@ Here is a list of significant directories and files that deployers should be awa To examine baseline image files, one might run `docker run --name=temp -it tier/grouper bash` and browse through these file system endpoints. While the container is running one may copy files out of the image/container using something like `docker cp containerId:/opt/grouper/grouper.api/conf/grouper.properties .`, which will copy the `grouper.properties` to the Docker client's present working directory. These files can then be edited and applied via the mechanisms outlined above. +# Web Application Endpoints +Here is a list of significant web endpoints that deployers should be aware of: + +- `/grouper/`: location of the Grouper UI application +- `grouper-ws/`: location of the Grouper WS application. +- `/grouper-ws-scim/`: location of the Grouper SCIM Server application. + +The endpoint that is available is dependent upon the role of the container. + # Provisioning a Grouper Database Using standard methods, create a MariaDb Server and an empty Grouper database. Create a database user with privileges to create and populate schema objects. Set the appropriate database connection properties in `grouper.hibernate.properties`. Be sure to the user created with schema manipulation privileges as the db user. 
@@ -232,6 +241,8 @@ Note: a less privileged database user maybe used when running the typical Groupe - [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) is enabled on the Apache HTTP Server. - morphStrings functionality in Grouper is supported. It is recommended that the various morphString files be associated with the containers as Docker Secrets. Set the configuration file properties to use `/var/run/secrets/secretname`. +- Grouper UI has been pre-configured to authenticate users via Shibboleth SP. +- By default, Grouper WS (hosted by `/opt/tomcat/`) and the Grouper SCIM Server (hosted by `/opt/tomee/`) use tomcat-users.xml for authentication, but by default no users are enabled. LDAP-backed authentication or other methods can be used and must be configured by the deployer. # License diff --git a/container_files/tomcat/conf/tomcat-users.xml b/container_files/tomcat/conf/tomcat-users.xml new file mode 100644 index 0000000..cef36cd --- /dev/null +++ b/container_files/tomcat/conf/tomcat-users.xml @@ -0,0 +1,46 @@ + + + + + + + + + \ No newline at end of file diff --git a/container_files/tomee/conf/tomcat-users.xml b/container_files/tomee/conf/tomcat-users.xml new file mode 100644 index 0000000..f1484fc --- /dev/null +++ b/container_files/tomee/conf/tomcat-users.xml @@ -0,0 +1,51 @@ + + + + + + + + + + + \ No newline at end of file diff --git a/test-compose/README.md b/test-compose/README.md index 8145494..d1d7199 100644 --- a/test-compose/README.md +++ b/test-compose/README.md 
@@ -39,8 +39,9 @@ This command will clear out any remaining containers, as defined by the `docker- The components can be accessed at the following urls, with -Grouper UI: https://localhost/grouper (username: banderson, password: password) +Grouper UI: https://localhost/grouper (username: banderson, password: password (from ldap) or password1 (from tomcat-users.xml)) Grouper WS: https://localhost:8443/grouper-ws/status?diagnosticType=all +Grouper SCIM: https://localhost:9443/grouper-ws-scim/ (username: banderson, password: password (from tomcat-users.xml)) RabbmitMQ: http://localhost:15672/ (username: guest, password: guest) MariaDB: Port 3306 (username: root, password: (no password) ) 389-ds Directory: Port 389 (username: cn=Directory Manager, password: password) diff --git a/test-compose/scim/Dockerfile b/test-compose/scim/Dockerfile index 52bfb24..6b62e1f 100644 --- a/test-compose/scim/Dockerfile +++ b/test-compose/scim/Dockerfile @@ -2,4 +2,7 @@ FROM tier/grouper:latest LABEL author="tier-packaging@internet2.edu " +COPY container_files/web.xml /opt/grouper/grouper.scim/WEB-INF/ +COPY container_files/tomcat-users.xml /opt/tomee/conf/ + CMD ["scim"] diff --git a/test-compose/scim/container_files/tomcat-users.xml b/test-compose/scim/container_files/tomcat-users.xml new file mode 100644 index 0000000..be015e1 --- /dev/null +++ b/test-compose/scim/container_files/tomcat-users.xml @@ -0,0 +1,51 @@ + + + + + + + + + + + \ No newline at end of file diff --git a/test-compose/scim/container_files/web.xml b/test-compose/scim/container_files/web.xml new file mode 100644 index 0000000..c57461b --- /dev/null +++ b/test-compose/scim/container_files/web.xml @@ -0,0 +1,30 @@ + + + + + + Web services + /* + + + * + + + + + + BASIC + Grouper Application + + + + + + The role that is required to log in to web service + + * + + + \ No newline at end of file diff --git a/test-compose/ws/Dockerfile b/test-compose/ws/Dockerfile index b163f51..f5c06b9 100644 
--- a/test-compose/ws/Dockerfile +++ b/test-compose/ws/Dockerfile @@ -2,7 +2,8 @@ FROM tier/grouper:latest LABEL author="tier-packaging@internet2.edu " -COPY container_files/WEB-INF/ /opt/grouper/grouper.ws/WEB-INF/ -COPY container_files/tomcat/ /opt/tomcat/conf/ +COPY container_files/web.xml /opt/grouper/grouper.ws/WEB-INF/ +COPY container_files/tomcat-users.xml /opt/tomcat/conf/ +COPY container_files/server.xml /opt/tomcat/conf/ CMD ["ws"] diff --git a/test-compose/ws/container_files/tomcat/server.xml b/test-compose/ws/container_files/server.xml similarity index 95% rename from test-compose/ws/container_files/tomcat/server.xml rename to test-compose/ws/container_files/server.xml index 1b9f22d..3c29b31 100644 --- a/test-compose/ws/container_files/tomcat/server.xml +++ b/test-compose/ws/container_files/server.xml @@ -142,7 +142,7 @@ that are performed against this UserDatabase are immediately available for use by the Realm. --> + resourceName="UserDatabase"/> + allRolesMode="authOnly" /> + + + + + + + \ No newline at end of file diff --git a/test-compose/ws/container_files/WEB-INF/web.xml b/test-compose/ws/container_files/web.xml similarity index 100% rename from test-compose/ws/container_files/WEB-INF/web.xml rename to test-compose/ws/container_files/web.xml
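Review bot: In the README.md hunk at `@@ -198,7 +198,7 @@`, the new "Web Application Endpoints" list is inconsistent: `grouper-ws/` lacks the leading slash that `/grouper/` and `/grouper-ws-scim/` have, and the SCIM entry is the only one that the rest of the document does not yet tie to its container role. Suggest `- `/grouper-ws/`: location of the Grouper WS application.` and, in the closing sentence, naming which role exposes which endpoint (ui, ws, scim), since `CMD ["scim"]` and `CMD ["ws"]` in the test-compose Dockerfiles show those are the role names deployers will select.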
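Review bot: In the README.md hunk at `@@ -232,6 +241,8 @@`, the new bullet says "By default ... use tomcat-users.xml for authentication, but by default no users are enabled"; drop the second "by default" and state where the deployer's own file goes, because the hunk gives the Tomcat home (`/opt/tomcat/`, `/opt/tomee/`) but not the path that must be overridden. The test-compose Dockerfiles in this same patch copy to `/opt/tomcat/conf/` and `/opt/tomee/conf/`, so something like "place a deployer-managed `tomcat-users.xml` in `/opt/tomcat/conf/` (WS) or `/opt/tomee/conf/` (SCIM)" would make the bullet actionable. It would also help to say that, until that file is supplied, WS and SCIM reject all logins rather than being open, since that is the security property the change is meant to provide.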
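Review bot: For the new `container_files/tomcat/conf/tomcat-users.xml` and `container_files/tomee/conf/tomcat-users.xml` hunks, the commit message says the default WS/SCIM accounts with their default password(s) are commented out rather than removed. Commented-out credentials in a shipped base image are an easy thing for a deployer to uncomment unchanged, so prefer deleting those entries and leaving only a comment that points at the README's instruction to supply an LDAP realm or a deployer-managed `tomcat-users.xml`; if a worked example is wanted, use an obvious placeholder such as `CHANGE_ME` instead of a real default password. Both files also end with `\ No newline at end of file`; add the trailing newline so later diffs stay clean.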
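Review bot: In the `test-compose/README.md` hunk, the credential list is now internally inconsistent with the top-level README changes in this patch: that README says the UI authenticates via Shibboleth SP while WS and SCIM use `tomcat-users.xml`, yet here the UI line gains "password1 (from tomcat-users.xml)" and the `Grouper WS` line is the only service left without the `banderson` credentials even though `test-compose/ws/Dockerfile` now installs a `tomcat-users.xml` for it. Please either add the WS credentials (and which file they come from) or explain why the UI and not WS is listed against `tomcat-users.xml`, and label the whole list as test-compose-only credentials so nobody carries them into a real deployment.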
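Review bot: In the `test-compose/scim/Dockerfile` hunk (and the parallel `test-compose/ws/Dockerfile` hunk), the two new `COPY` lines bake a `tomcat-users.xml` with demo credentials and a `web.xml` that enables BASIC auth into the test image without any comment saying so. Add a short comment above the `COPY` lines noting that these files overwrite the base image's locked-down `/opt/tomee/conf/tomcat-users.xml` (resp. `/opt/tomcat/conf/`) and exist only for the test-compose environment, so the pattern is not copied into production Dockerfiles. Pinning `FROM tier/grouper:latest` to a specific tag is a separate, pre-existing issue but worth a follow-up, since the authn behaviour this patch adds depends on the base image contents.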
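Review bot: In the new `test-compose/scim/container_files/web.xml` hunk, the security constraint named "Web services" covers `/*` with an auth constraint of `*` and `BASIC` authentication for the "Grouper Application" realm; I do not see a `user-data-constraint` with `transport-guarantee` `CONFIDENTIAL` in this hunk. Without it, BASIC credentials would be accepted over a plain HTTP connector if one is ever enabled, so please add the transport guarantee (the test-compose README exposes SCIM on `https://localhost:9443/`, so this should not change the working setup). The description "The role that is required to log in to web service" should also say that, together with `allRolesMode="authOnly"` from the `server.xml` hunk, any authenticated account is accepted regardless of role.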
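Review bot: In the `server.xml` hunk at `@@ -142,7 +142,7 @@`, the Realm now references `resourceName="UserDatabase"` and sets `allRolesMode="authOnly"`, but nothing in the hunk or the README explains the consequence: with `authOnly`, a `*` role in a web.xml auth constraint matches every authenticated user, so role membership in `tomcat-users.xml` no longer limits who can reach the WS endpoint. Add an XML comment beside `allRolesMode="authOnly"` stating that, and mention in the README bullet that deployers who want role-based separation should leave `allRolesMode` at its default and assign an explicit role instead. The file also ends with `\ No newline at end of file`; please add the newline.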