Build for 5.7.0 with supervisord, apache, shib-sp, shib-idp; mysql ->…

… postgres

TODO.md

@@ -2,6 +2,12 @@ TODO
 =====
 
 
+202403
+------
+- pgAdmin not working
+- need content for data fields
+- attributes app may not work; need to test
+
 202209
 -------
 - EduPersonEntitlement full sync is not logging

base/container_files/conf/grouper-loader.properties → base/container_files/grouper/conf/grouper-loader.properties

@@ -85,3 +85,15 @@ ldap.demo.uiTestExpectedValue = admin
 loader.ldap.requireTopStemAsStemFromConfigGroup=false
 
 loader.allowStemDisplayNameChangesUnderStems=basis:hr, basis:sis
+
+db.hr.url = jdbc:postgresql://localhost:5432/hr
+db.hr.user = hr_grouper_svc
+db.hr.pass = pass
+db.sis.url = jdbc:postgresql://localhost:5432/sis
+db.sis.user = sis_grouper_svc
+db.sis.pass = pass
+
+
+# Way too verbose
+daemon.log.logEnabled_overallLog = false
+daemon.log.logEnabled_subjobLog = false

base/container_files/conf/grouper.hibernate.properties → base/container_files/grouper/conf/grouper.hibernate.properties

@@ -20,12 +20,15 @@
 # e.g. hsqldb (b):      jdbc:hsqldb:hsql://localhost:9001/grouper
 # e.g. postgres:        jdbc:postgresql://localhost:5432/database
 # e.g. mssql:           jdbc:sqlserver://localhost:3280;databaseName=grouper
-hibernate.connection.url = jdbc:mysql://localhost:3306/grouper?CharSet=utf8&useUnicode=true&characterEncoding=utf8
+hibernate.connection.url = jdbc:postgresql://localhost:5432/grouper
 
-hibernate.connection.username         = root
+hibernate.connection.username         = grouper
 # If you are using an empty password, depending upon your version of
 # Java and Ant you may need to specify a password of "".
 # Note: you can keep passwords external and encrypted: https://bugs.internet2.edu/jira/browse/GRP-122
-hibernate.connection.password         = 
+hibernate.connection.password         = pass
 
-registry.auto.ddl.upToVersion = 4.*.*
+registry.auto.ddl.upToVersion = 5.*.*
+
+# initial loaders overwhelm postgres at default 500
+hibernate.c3p0.max_size = 100

base/container_files/postgres/00-init_dbs_and_users.sql

@@ -0,0 +1,36 @@
+CREATE DATABASE grouper;
+CREATE USER grouper WITH ENCRYPTED PASSWORD 'pass';
+GRANT ALL PRIVILEGES ON DATABASE grouper TO grouper;
+
+CREATE DATABASE hr;
+CREATE USER hr_owner WITH ENCRYPTED PASSWORD 'pass';
+GRANT ALL PRIVILEGES ON DATABASE hr TO hr_owner;
+
+CREATE DATABASE sis;
+CREATE USER sis_owner WITH ENCRYPTED PASSWORD 'pass';
+GRANT ALL PRIVILEGES ON DATABASE sis TO sis_owner;
+
+CREATE USER hr_grouper_svc PASSWORD 'pass';
+CREATE USER sis_grouper_svc PASSWORD 'pass';
+
+\c grouper postgres
+GRANT ALL ON SCHEMA public TO grouper;
+
+\c hr postgres
+GRANT ALL ON SCHEMA public TO hr_owner;
+/*GRANT SELECT ON ALL TABLES IN SCHEMA public TO hr_grouper_svc;*/
+
+\c hr hr_owner
+/* not working with v15 ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO hr_grouper_svc; */ 
+ALTER DEFAULT PRIVILEGES FOR ROLE hr_owner IN SCHEMA public GRANT SELECT ON TABLES TO hr_grouper_svc;
+
+\c sis postgres
+GRANT ALL ON SCHEMA public TO sis_owner;
+/*GRANT SELECT ON ALL TABLES IN SCHEMA public TO sis_grouper_svc;*/
+
+\c sis sis_owner
+/* not working with v15 ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO sis_grouper_svc; */
+ALTER DEFAULT PRIVILEGES FOR ROLE sis_owner IN SCHEMA public GRANT SELECT ON TABLES TO sis_grouper_svc;
+
+
+/* note - default privileges only apply for the user running the command; need to create future objects as the schema owner */

base/container_files/postgres/pg_hba.conf

@@ -0,0 +1,7 @@
+local   all             all                                     trust
+host    all             all             127.0.0.1/32            trust
+host    all             all             ::1/128                 trust
+local   replication     all                                     trust
+host    replication     all             127.0.0.1/32            trust
+host    replication     all             ::1/128                 trust
+host    all             all             0.0.0.0/0               scram-sha-256

base/container_files/postgres/postgresql.conf

@@ -0,0 +1,23 @@
+#max_connections = 100			# (change requires restart)
+max_connections = 350			# (change requires restart)
+#shared_buffers = 128MB			# min 128kB
+shared_buffers = 512MB			# min 128kB
+dynamic_shared_memory_type = posix	# the default is usually the first option
+max_wal_size = 1GB
+min_wal_size = 80MB
+logging_collector = on			# Enable capturing of stderr, jsonlog,
+log_filename = 'postgresql-%a.log'	# log file name pattern,
+log_rotation_age = 1d			# Automatic rotation of logfiles will
+log_rotation_size = 0			# Automatic rotation of logfiles will
+log_truncate_on_rotation = on		# If on, an existing log file with the
+log_timezone = 'UTC'
+datestyle = 'iso, mdy'
+timezone = 'UTC'
+lc_messages = 'C.UTF-8'			# locale for system error message
+lc_monetary = 'C.UTF-8'			# locale for monetary formatting
+lc_numeric = 'C.UTF-8'			# locale for number formatting
+lc_time = 'C.UTF-8'				# locale for time formatting
+default_text_search_config = 'pg_catalog.english'
+
+#listen_addresses = 'localhost'
+listen_addresses = '*'

base/container_files/repos/shibboleth.repo

@@ -0,0 +1,10 @@
+[shibboleth]
+name=Shibboleth (rockylinux8)
+# Please report any problems to https://shibboleth.atlassian.net/jira
+type=rpm-md
+mirrorlist=https://shibboleth.net/cgi-bin/mirrorlist.cgi/rockylinux8
+gpgcheck=1
+gpgkey=https://shibboleth.net/downloads/service-provider/RPMS/repomd.xml.key
+        https://shibboleth.net/downloads/service-provider/RPMS/cantor.repomd.xml.key
+enabled=1
+

base/container_files/shibboleth-idp/conf/relying-party.xml

@@ -0,0 +1,76 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!--
+    Unverified RP configuration, defaults to no support for any profiles. Add <ref> elements to the list
+    to enable specific default profile settings (as below), or create new beans inline to override defaults.
+    
+    "Unverified" typically means the IdP has no metadata, or equivalent way of assuring the identity and
+    legitimacy of a requesting system. To run an "open" IdP, you can enable profiles here.
+    -->
+    <bean id="shibboleth.UnverifiedRelyingParty" parent="RelyingParty">
+        <property name="profileConfigurations">
+            <list>
+            <!-- <bean parent="SAML2.SSO" p:encryptAssertions="false" /> -->
+            </list>
+        </property>
+    </bean>
+
+    <!--
+    Default configuration, with default settings applied for all profiles.
+    
+    Take care with any defaults you apply at this level because you will have to create
+    overrides or apply metadata tags for every single SP that requires a different setting.
+    Changed defaults should be things you really do want to apply to nearly every SP.
+    -->
+    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
+        <property name="profileConfigurations">
+            <list>
+                <!-- SAML 1.1 and SAML 2.0 AttributeQuery are disabled by default. -->
+                <!--
+                <ref bean="Shibboleth.SSO" />
+                <ref bean="SAML1.AttributeQuery" />
+                <ref bean="SAML1.ArtifactResolution" />
+                -->
+                <ref bean="SAML2.SSO" />
+                <ref bean="SAML2.ECP" />
+                <ref bean="SAML2.Logout" />
+                <!--
+                <ref bean="SAML2.AttributeQuery" />
+                -->
+                <ref bean="SAML2.ArtifactResolution" />
+                <ref bean="Liberty.SSOS" />
+            </list>
+        </property>
+    </bean>
+
+    <!-- Container for any overrides you want to add. -->
+
+    <util:list id="shibboleth.RelyingPartyOverrides">
+
+        <!--
+        Override example that identifies a single RP by name and configures it
+        for SAML 2 SSO without encryption. This is a common "vendor" scenario.
+        -->
+        <bean id="ExampleSP" parent="RelyingPartyByName" c:relyingPartyIds="https://grouperdemo/shibboleth">
+            <property name="profileConfigurations">
+                <list>
+                    <bean parent="SAML2.SSO" p:encryptAssertions="false" />
+                </list>
+            </property>
+        </bean>
+
+    </util:list>
+
+</beans>