RabbitMQ working in 401.3.x

README.md

@@ -38,6 +38,16 @@ Current tags:
 - ex401.2.8
 - ex401.2.9
 - ex401.2.end
+- ex401.3.1
+- ex401.3.2
+- ex401.3.3
+- ex401.3.4
+- ex401.3.5
+- ex401.3.6
+- ex401.3.7
+- ex401.3.end
+- ex401.4.1
+- ex401.4.end
 
 Browse to `https://localhost/grouper` for Grouper. There is also an app that dumps the SP user attributes at `https://localhost/app`.
 
@@ -50,3 +60,26 @@ Browse to `https://localhost/grouper` for Grouper. There is also an app that dum
 
 - phpMyAdmin - https://localhost/phpmyadmin/ - username: `root`, password: (blank)
 - phpLDAPadmin - https://localhost/phpldapadmin/ - username: `cn=root,dc=internet2,dc=edu`, password: `password`
+
+
+# Course specific notes
+
+## Notes for the exercises in 401
+
+Before connecting to your SSH server, be sure to port forward a local port to the server's port `15672` as well.
+
+These exercises require Rabbit MQ to be started. Before starting the ex401 Grouper container, run:
+
+```
+docker run -d -p 15672:15672 --env RABBITMQ_NODENAME=docker-rabbit --hostname rabbitmq --name=rabbitmq rabbitmq:management
+```
+
+Now browse to http://localhost:15672/ and login with `guest`/`guest`, and create a new queue named `sampleQueue`.
+
+Now start the ex401 Grouper with this slightly modified command:
+
+```bash
+docker run -d -p 80:80 -p 389:389 -p 443:443 -p 3306:3306 -p 4443:4443 \
+  --link rabbitmq:rabbitmq --name gte tier/grouper-training-env:exXXX
+
+```

base/container_files/shibboleth-idp/conf/attribute-filter.xml

@@ -8,62 +8,58 @@
     Deployers should refer to the documentation for a complete list of components
     and their options.
 -->
-<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
-        xmlns:afp="urn:mace:shibboleth:2.0:afp"
-        xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
-        xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
+<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
+        xmlns="urn:mace:shibboleth:2.0:afp"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd
-                            urn:mace:shibboleth:2.0:afp:mf:basic http://shibboleth.net/schema/idp/shibboleth-afp-mf-basic.xsd
-                            urn:mace:shibboleth:2.0:afp:mf:saml http://shibboleth.net/schema/idp/shibboleth-afp-mf-saml.xsd">
+        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
 
     <!-- Release some attributes to an SP. -->
-    <afp:AttributeFilterPolicy id="example1">
-        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://grouperdemo/shibboleth" />
+    <AttributeFilterPolicy id="example1">
+        <PolicyRequirementRule xsi:type="Requester" value="https://grouperdemo/shibboleth" />
 
-        <afp:AttributeRule attributeID="cn">
-            <afp:PermitValueRule xsi:type="basic:ANY" />
-        </afp:AttributeRule>
+        <AttributeRule attributeID="cn">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
 
-        <afp:AttributeRule attributeID="eduPersonAffiliation">
-            <afp:PermitValueRule xsi:type="basic:ANY" />
-        </afp:AttributeRule>
+        <AttributeRule attributeID="eduPersonAffiliation">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
 
-        <afp:AttributeRule attributeID="eduPersonPrimaryAffiliation">
-            <afp:PermitValueRule xsi:type="basic:ANY" />
-        </afp:AttributeRule>
+        <AttributeRule attributeID="eduPersonPrimaryAffiliation">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
 
-        <afp:AttributeRule attributeID="eduPersonEntitlement">
-            <afp:PermitValueRule xsi:type="basic:ANY" />
-        </afp:AttributeRule>
+        <AttributeRule attributeID="eduPersonEntitlement">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
 
-        <afp:AttributeRule attributeID="eduPersonPrincipalName">
-            <afp:PermitValueRule xsi:type="basic:ANY" />
-        </afp:AttributeRule>
+        <AttributeRule attributeID="eduPersonPrincipalName">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
 
-        <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
-            <afp:PermitValueRule xsi:type="basic:ANY" />
-        </afp:AttributeRule>
+        <AttributeRule attributeID="eduPersonScopedAffiliation">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
 
-        <afp:AttributeRule attributeID="employeeNumber">
-            <afp:PermitValueRule xsi:type="basic:ANY" />
-        </afp:AttributeRule>
+        <AttributeRule attributeID="employeeNumber">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
 
-        <afp:AttributeRule attributeID="givenName">
-            <afp:PermitValueRule xsi:type="basic:ANY" />
-        </afp:AttributeRule>
+        <AttributeRule attributeID="givenName">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
 
-        <afp:AttributeRule attributeID="mail">
-            <afp:PermitValueRule xsi:type="basic:ANY" />
-        </afp:AttributeRule>
+        <AttributeRule attributeID="mail">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
 
-        <afp:AttributeRule attributeID="surname">
-            <afp:PermitValueRule xsi:type="basic:ANY" />
-        </afp:AttributeRule>
+        <AttributeRule attributeID="surname">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
 
-        <afp:AttributeRule attributeID="uid">
-            <afp:PermitValueRule xsi:type="basic:ANY" />
-        </afp:AttributeRule>
+        <AttributeRule attributeID="uid">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
 
-    </afp:AttributeFilterPolicy>
-</afp:AttributeFilterPolicyGroup>
+    </AttributeFilterPolicy>
+</AttributeFilterPolicyGroup>

ex401/ex401.2.6/container_files/seed-data/bootstrap.gsh

@@ -44,4 +44,4 @@ cal.add(Calendar.DAY_OF_YEAR, 30);
 
 group = GroupFinder.findByName(gs, "app:mfa:mfa_enabled_allow", true);
 subject = GroupFinder.findByName(gs, "app:mfa:ref:NonFacultyBannerINB", true).toSubject();
-group.addOrEditMember(subject, false, true, cal.getTime(), null, true);
+group.addOrEditMember(subject, true, true, cal.getTime(), null, false);

ex401/ex401.2.9/container_files/seed-data/bootstrap.gsh

@@ -10,4 +10,3 @@ addGroup("app:mfa:ref", "bypass-not-opt-in", "bypass-not-opt-in");
 addComposite("app:mfa:ref:bypass-not-opt-in", CompositeType.COMPLEMENT, "app:mfa:basis:mfa_bypass", "app:mfa:ref:mfa_opt_in");
 
 addMember("app:mfa:mfa_enabled_deny", "app:mfa:ref:bypass-not-opt-in");
-

ex401/ex401.3.4/Dockerfile

@@ -10,6 +10,8 @@ ENV USERTOKEN=ex401.3.4
 
 COPY container_files/seed-data/ /seed-data/
 COPY container_files/grouper-loader.properties /opt/grouper/conf/
+COPY container_files/grouper.client.properties /opt/grouper/conf/
+COPY container_files/attribute-filter.xml /opt/shibboleth-idp/conf/
 
 RUN . /usr/local/bin/library.sh \
     && prepConf; \

ex401/ex401.3.4/container_files/attribute-filter.xml

@@ -0,0 +1,79 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- 
+    This file is an EXAMPLE policy file.  While the policy presented in this 
+    example file is illustrative of some simple cases, it relies on the names of
+    non-existent example services and the example attributes demonstrated in the
+    default attribute-resolver.xml file.
+    
+    Deployers should refer to the documentation for a complete list of components
+    and their options.
+-->
+<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
+        xmlns="urn:mace:shibboleth:2.0:afp"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
+
+    <!-- Release some attributes to an SP. -->
+
+<AttributeFilterPolicy id="boardeffect">
+    <PolicyRequirementRule xsi:type="Requester" value="https://college.boardeffect.com/sp" />
+
+        <AttributeRule attributeID="eduPersonEntitlement">
+            <PermitValueRule xsi:type="Value" value="https://college.boardeffect.com/sp" ignoreCase="true" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="uid">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+
+    </AttributeFilterPolicy>
+
+    <AttributeFilterPolicy id="grouper">
+        <PolicyRequirementRule xsi:type="Requester" value="https://grouperdemo/shibboleth" />
+
+        <AttributeRule attributeID="cn">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="eduPersonAffiliation">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="eduPersonPrimaryAffiliation">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="eduPersonEntitlement">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="eduPersonPrincipalName">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="eduPersonScopedAffiliation">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="employeeNumber">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="givenName">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="mail">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="surname">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="uid">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+
+    </AttributeFilterPolicy>
+</AttributeFilterPolicyGroup>

ex401/ex401.3.4/container_files/grouper-loader.properties

@@ -98,3 +98,21 @@ changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.
 changeLog.consumer.pspng_entitlements.userSearchBaseDn = ou=people,dc=internet2,dc=edu
 changeLog.consumer.pspng_entitlements.userSearchFilter = uid=${subject.id}
 changeLog.consumer.pspng_entitlements.allProvisionedValuesPrefix=*
+
+#####################################
+## Messaging integration with change log
+#####################################
+changeLog.consumer.rabbitMqMessagingSample.quartzCron = 0 * * * * ?                                                          
+
+# note, change "messagingSample" in key to be the name of the consumer.  e.g. changeLog.consumer.someNameAnyName.class
+changeLog.consumer.rabbitMqMessagingSample.class = edu.internet2.middleware.grouper.changeLog.esb.consumer.EsbConsumer
+
+changeLog.consumer.rabbitMqMessagingSample.publisher.class = edu.internet2.middleware.grouper.changeLog.esb.consumer.EsbMessagingPublisher
+changeLog.consumer.rabbitMqMessagingSample.publisher.messagingSystemName = rabbitmq
+# note, routingKey property is valid only for rabbitmq. For other messaging systems, it is ignored.
+changeLog.consumer.rabbitMqMessagingSample.publisher.routingKey = 
+## queue or topic
+changeLog.consumer.rabbitMqMessagingSample.publisher.messageQueueType = queue
+changeLog.consumer.rabbitMqMessagingSample.publisher.queueOrTopicName = grouper
+## this is optional if not using "id" for subjectId, need to be a subject attribute in the sources.xml
+#changeLog.consumer.rabbitMqMessagingSample.publisher.addSubjectAttributes = email

ex401/ex401.3.4/container_files/grouper.client.properties

@@ -0,0 +1,112 @@
+#
+# Copyright 2014 Internet2
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+#
+# Grouper client configuration
+# $Id: grouper.client.example.properties,v 1.24 2009-12-30 04:23:02 mchyzer Exp $
+#
+
+# The grouper client uses Grouper Configuration Overlays (documented on wiki)
+# By default the configuration is read from grouper.client.base.properties
+# (which should not be edited), and the grouper.client.properties overlays
+# the base settings.  See the grouper.client.base.properties for the possible
+# settings that can be applied to the grouper.client.properties
+
+########################################
+## LDAP connection settings
+########################################
+
+# url of directory, including the base DN (distinguished name)
+# e.g. ldap://server.school.edu/dc=school,dc=edu
+# e.g. ldaps://server.school.edu/dc=school,dc=edu
+grouperClient.ldap.url =
+
+# kerberos principal used to connect to ldap
+grouperClient.ldap.login =
+
+# password for shared secret authentication to ldap
+# or you can put a filename with an encrypted password
+grouperClient.ldap.password =
+
+########################################
+## Web service Connection settings
+########################################
+
+# url of web service, should include everything up to the first resource to access
+# e.g. http://groups.school.edu:8090/grouper-ws/servicesRest
+# e.g. https://groups.school.edu/grouper-ws/servicesRest
+grouperClient.webService.url = https://localhost/grouper-ws/servicesRest
+
+# kerberos principal used to connect to web service
+grouperClient.webService.login = banderson
+
+# password for shared secret authentication to web service
+# or you can put a filename with an encrypted password
+grouperClient.webService.password.elConfig = password
+
+
+################################
+## Grouper Messaging System
+################################
+
+# name of messaging system which is the default
+grouper.messaging.default.name.of.messaging.system = rabbitmq
+
+# name of a messaging system.  note, "grouperBuiltinMessaging" can be arbitrary
+# grouper.messaging.system.grouperBuiltinMessaging.name = grouperBuiltinMessaging
+
+# class that implements edu.internet2.middleware.grouperClient.messaging.GrouperMessagingSystem
+# grouper.messaging.system.grouperBuiltinMessaging.class = edu.internet2.middleware.grouper.messaging.GrouperBuiltinMessagingSystem
+
+# name of a messaging system.  note, "grouperBuiltinMessaging" can be arbitrary
+grouper.messaging.system.rabbitmqSystem.name = rabbitmqSystem
+
+# class that implements edu.internet2.middleware.grouperClient.messaging.GrouperMessagingSystem
+grouper.messaging.system.rabbitmqSystem.class = edu.internet2.middleware.grouperMessagingRabbitmq.GrouperMessagingRabbitmqSystem
+
+# host address of rabbitmq queue
+grouper.messaging.system.rabbitmqSystem.host = rabbitmq
+
+# virtual host of rabbitmq queue
+grouper.messaging.system.rabbitmqSystem.virtualhost =
+
+# port of rabbitmq queue
+grouper.messaging.system.rabbitmqSystem.port =
+
+grouper.messaging.system.rabbitmqSystem.defaultPageSize = 10
+
+grouper.messaging.system.rabbitmqSystem.maxPageSize = 50
+
+
+# name of a messaging system, required
+grouper.messaging.system.rabbitmq.name = rabbitmq
+
+# default system settings to this messaging system, note, there is only one level of inheritance
+grouper.messaging.system.rabbitmq.defaultSystemName = rabbitmqSystem
+
+grouper.messaging.system.rabbitmq.user = guest
+
+#pass
+grouper.messaging.system.rabbitmq.password.elConfig = guest
+# set the following three properties if you want to use TLS connection to rabbitmq. All three need to be populated.
+# TLS Version
+#grouper.messaging.system.rabbitmqSystem.tlsVersion = TLSv1.1
+
+# path to trust store file
+#grouper.messaging.system.rabbitmqSystem.pathToTrustStore =
+
+# trust passphrase
+#grouper.messaging.system.rabbitmqSystem.trustPassphrase =