From 1141f7ae48f40f5aef5686d489939356d079a3af Mon Sep 17 00:00:00 2001 From: root Date: Wed, 14 Aug 2024 18:38:34 +0000 Subject: [PATCH] update midPoint to new Evolveum container and 4.8.3 --- .../midpoint/application/cert.pem | 28 ++ .../application/keystore_password.txt | 1 + .../etc/phpMyAdmin/config.inc.php | 0 Workbench/docker-compose.yml | 148 +++---- .../post-initial-objects/SecurityPolicy.xml | 89 +++++ .../mp-home/post-initial-objects/ordering.txt | 21 - .../securityPolicy/000-security-policy.xml | 90 +---- Workbench/mpproxy/Dockerfile | 26 ++ .../mpproxy/container_files/httpd/.htpasswd | 3 + .../container_files/httpd/csp_logo.jpg | Bin 0 -> 17701 bytes .../mpproxy/container_files/httpd/httpd.conf | 367 ++++++++++++++++++ .../mpproxy/container_files/httpd/index.html | 50 +++ .../container_files/httpd/localhost.crt | 28 ++ .../container_files/httpd/localhost.key | 5 + .../container_files/httpd/midpoint.conf | 37 ++ .../container_files/httpd/server-chain.crt | 44 +++ .../mpproxy/container_files/httpd/shib.conf | 50 +++ .../mpproxy/container_files/httpd/ssl.conf | 222 +++++++++++ .../shibboleth/attribute-map.xml | 168 ++++++++ .../shibboleth/idp-metadata.xml | 201 ++++++++++ .../shibboleth/shibboleth2.xml | 121 ++++++ .../shibboleth/sp-encrypt-cert.pem | 23 ++ .../shibboleth/sp-encrypt-key.pem | 40 ++ .../shibboleth/sp-signing-cert.pem | 23 ++ .../shibboleth/sp-signing-key.pem | 40 ++ .../container_files/system/setservername.sh | 9 + .../container_files/system/startWithMDLoad.sh | 14 + .../container_files/system/startWithPHP.sh | 5 + Workbench/scripts/gethealth.py | 2 +- Workbench/webproxy/Dockerfile | 1 + .../webproxy/container_files/httpd/index.html | 4 +- .../webproxy/container_files/httpd/proxy.conf | 21 +- .../webproxy/container_files/httpd/shib.conf | 1 + .../webproxy/container_files/httpd/ssl.conf | 5 +- .../container_files/mdload/mpproxy-sp.xml | 107 +++++ .../shibboleth/attribute-map.xml | 168 ++++++++ .../shibboleth/shibboleth2.xml | 11 +- .../container_files/system/setservername.sh | 2 +- .../container_files/system/startWithMDLoad.sh | 1 + 39 files changed, 1997 insertions(+), 179 deletions(-) create mode 100644 Workbench/configs-and-secrets/midpoint/application/cert.pem create mode 100644 Workbench/configs-and-secrets/midpoint/application/keystore_password.txt mode change 100644 => 100755 Workbench/directory/container_files/etc/phpMyAdmin/config.inc.php create mode 100644 Workbench/midpoint_server/container_files/mp-home/post-initial-objects/SecurityPolicy.xml delete mode 100644 Workbench/midpoint_server/container_files/mp-home/post-initial-objects/ordering.txt create mode 100644 Workbench/mpproxy/Dockerfile create mode 100644 Workbench/mpproxy/container_files/httpd/.htpasswd create mode 100644 Workbench/mpproxy/container_files/httpd/csp_logo.jpg create mode 100644 Workbench/mpproxy/container_files/httpd/httpd.conf create mode 100644 Workbench/mpproxy/container_files/httpd/index.html create mode 100644 Workbench/mpproxy/container_files/httpd/localhost.crt create mode 100644 Workbench/mpproxy/container_files/httpd/localhost.key create mode 100644 Workbench/mpproxy/container_files/httpd/midpoint.conf create mode 100644 Workbench/mpproxy/container_files/httpd/server-chain.crt create mode 100644 Workbench/mpproxy/container_files/httpd/shib.conf create mode 100644 Workbench/mpproxy/container_files/httpd/ssl.conf create mode 100644 Workbench/mpproxy/container_files/shibboleth/attribute-map.xml create mode 100644 Workbench/mpproxy/container_files/shibboleth/idp-metadata.xml create mode 100644 Workbench/mpproxy/container_files/shibboleth/shibboleth2.xml create mode 100644 Workbench/mpproxy/container_files/shibboleth/sp-encrypt-cert.pem create mode 100644 Workbench/mpproxy/container_files/shibboleth/sp-encrypt-key.pem create mode 100644 Workbench/mpproxy/container_files/shibboleth/sp-signing-cert.pem create mode 100644 Workbench/mpproxy/container_files/shibboleth/sp-signing-key.pem create mode 100755 Workbench/mpproxy/container_files/system/setservername.sh create mode 100755 Workbench/mpproxy/container_files/system/startWithMDLoad.sh create mode 100755 Workbench/mpproxy/container_files/system/startWithPHP.sh create mode 100644 Workbench/webproxy/container_files/mdload/mpproxy-sp.xml create mode 100644 Workbench/webproxy/container_files/shibboleth/attribute-map.xml diff --git a/Workbench/configs-and-secrets/midpoint/application/cert.pem b/Workbench/configs-and-secrets/midpoint/application/cert.pem new file mode 100644 index 0000000..0dbb064 --- /dev/null +++ b/Workbench/configs-and-secrets/midpoint/application/cert.pem @@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIE0DCCBHWgAwIBAgIRAK8LnrzhkHuEPH4q+WOqLjAwCgYIKoZIzj0EAwIwRDEL +MAkGA1UEBhMCVVMxEjAQBgNVBAoTCUludGVybmV0MjEhMB8GA1UEAxMYSW5Db21t +b24gRUNDIFNlcnZlciBDQSAyMB4XDTIzMTEwOTAwMDAwMFoXDTI0MTEwODIzNTk1 +OVowXjELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE1pY2hpZ2FuMRYwFAYDVQQKEw1J +bkNvbW1vbiwgTExDMSQwIgYDVQQDExt0ZXN0LndvcmtiZW5jaC5pbmNvbW1vbi5v +cmcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASVo9lNdC8c3yUIUoMS7wRadzsX +bhSSgK4PCEV5FOPNYcsnFEc4fdt9ZiOeWmrlwVkq5Z/DzPLFXaD9PK60b/7Go4ID +LDCCAygwHwYDVR0jBBgwFoAUMl8K2RhZ7UFxIdXuCeLZr7LXD7EwHQYDVR0OBBYE +FBqIz6rIuIlLz74StmPXbI6kVQstMA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8E +AjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBJBgNVHSAEQjBAMDQG +CysGAQQBsjEBAgJnMCUwIwYIKwYBBQUHAgEWF2h0dHBzOi8vc2VjdGlnby5jb20v +Q1BTMAgGBmeBDAECAjBABgNVHR8EOTA3MDWgM6Axhi9odHRwOi8vY3JsLnNlY3Rp +Z28uY29tL0luQ29tbW9uRUNDU2VydmVyQ0EyLmNybDBwBggrBgEFBQcBAQRkMGIw +OwYIKwYBBQUHMAKGL2h0dHA6Ly9jcnQuc2VjdGlnby5jb20vSW5Db21tb25FQ0NT +ZXJ2ZXJDQTIuY3J0MCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5zZWN0aWdvLmNv +bTAmBgNVHREEHzAdght0ZXN0LndvcmtiZW5jaC5pbmNvbW1vbi5vcmcwggGABgor +BgEEAdZ5AgQCBIIBcASCAWwBagB2AHb/iD8KtvuVUcJhzPWHujS0pM27KdxoQgqf +5mdMWjp0AAABi7SpW/wAAAQDAEcwRQIgFccZe61hXAV8a5jwbeMBVKQC54Ii0QP7 +TGb+liXz8eQCIQD88vXok9Gz0y2nlarz9xFe3y/QkN8ubF0w2lK2g0uLwQB3AD8X +S0/XIkdYlB1lHIS+DRLtkDd/H4Vq68G/KIXs+GRuAAABi7SpXB4AAAQDAEgwRgIh +AN2X04k3SzVn2rRBKoBhx7FJPtyJ3gGrQzB3yCrzcz/RAiEAj6ugl5T9zMnpiOl6 +VSwpx2vEqk9i7CCZRfM6tyZBkBQAdwDuzdBk1dsazsVct520zROiModGfLzs3sNR +SFlGcR+1mwAAAYu0qVwjAAAEAwBIMEYCIQDLAnC4IYrJAy2B61GlBqK13bYHh1cE +FPlT0R0LEsNYaAIhAO6YNe0aQmBG5ZI4m1dVlhwyTCEqgKnQFyBuWm9N9nwOMAoG +CCqGSM49BAMCA0kAMEYCIQCeDcX7iV+NpkJn+DE+VgQVxixxnZ9E6mhJXlMpwBpM +XAIhAIoSwFNJXNv/HcmgBZT4ryBE4uVP0ZyIhmxrOsSYaMmk +-----END CERTIFICATE----- diff --git a/Workbench/configs-and-secrets/midpoint/application/keystore_password.txt b/Workbench/configs-and-secrets/midpoint/application/keystore_password.txt new file mode 100644 index 0000000..1d40192 --- /dev/null +++ b/Workbench/configs-and-secrets/midpoint/application/keystore_password.txt @@ -0,0 +1 @@ +changeit diff --git a/Workbench/directory/container_files/etc/phpMyAdmin/config.inc.php b/Workbench/directory/container_files/etc/phpMyAdmin/config.inc.php old mode 100644 new mode 100755 diff --git a/Workbench/docker-compose.yml b/Workbench/docker-compose.yml index df69d2b..8519cb1 100644 --- a/Workbench/docker-compose.yml +++ b/Workbench/docker-compose.yml @@ -259,47 +259,55 @@ services: - comanage_midpoint_data:/var/lib/postgresql/data data_init: - image: i2incommon/midpoint:4.8.2 + image: evolveum/midpoint:${MP_VER:-4.8.3}-rockylinux + depends_on: + midpoint_data: + condition: service_healthy command: > - bash -c " - chmod 777 /opt/mp-pw/ ; - touch /opt/mp-pw/db_init_in_progress ; - echo -e '#!/bin/sh\ntouch /opt/mp-pw/db_init' >/opt/db-init/000-start.sh ; - echo -e '#!/bin/sh\necho DB structure init process has finished...\nrm -f /opt/mp-pw/db_init_in_progress /opt/mp-pw/db_init' > /opt/db-init/999-finish.sh ; - /opt/midpoint/bin/midpoint.sh init-native - " + bash -c " + cd /opt/midpoint ; + bin/midpoint.sh init-native ; + echo ' - - - - - - ' ; + bin/ninja.sh -B info >/dev/null 2>/tmp/ninja.log ; + grep -q \"ERROR\" /tmp/ninja.log && ( + bin/ninja.sh run-sql --create --mode REPOSITORY ; + bin/ninja.sh run-sql --create --mode AUDIT + ) || + echo -e '\\n Repository init is not needed...' ; + if [ $$(keytool -list -keystore /opt/midpoint/var/keystore.jceks -storetype jceks -storepass:file /run/secrets/m_keystore_password.txt | grep -c 'local_gen_cert') -eq 0 ] ; + then + keytool -importcert -keystore /opt/midpoint/var/keystore.jceks -storetype jceks -storepass:file /run/secrets/m_keystore_password.txt -trustcacerts -alias 'local_gen_cert' -file /run/secrets/mp_host-cert.pem -noprompt ; + else + echo 'Certificate exists in the cert store' ; + fi ; + cp /opt/midpoint/csv_in/cs-portal.csv /opt/midpoint/var/ ; + cp /opt/midpoint/csv_in/faculty-portal.csv /opt/midpoint/var/ ; + cp /opt/midpoint/csv_in/mailing-lists.csv /opt/midpoint/var/ ; + cp -R /opt/midpoint/mp-home-in/* /opt/midpoint/var/ ; + " environment: - - MP_INIT_DB_CONCAT=/opt/db-init/init.sql - - MP_DB_PW=/run/secrets/m_database_password.txt - - MP_PW_DEF=/opt/mp-pw/keystorepw + - MP_SET_midpoint_repository_jdbcUsername=midpoint + - MP_SET_midpoint_repository_jdbcPassword_FILE=/run/secrets/m_database_password.txt + - MP_SET_midpoint_repository_jdbcUrl=jdbc:postgresql://midpoint_data:5432/midpoint + - MP_SET_midpoint_repository_database=postgresql + - MP_INIT_CFG=/opt/midpoint/var + - MP_PW_DEF=/run/secrets/m_keystore_password.txt + - MP_KEYSTORE=/opt/midpoint/var/keystore.jceks + networks: + - net secrets: - m_database_password.txt + - m_keystore_password.txt + - mp_host-cert.pem volumes: - - db_init:/opt/db-init - - mp_pw:/opt/mp-pw + - midpoint_home:/opt/midpoint/var + - ./midpoint_server/container_files/mp-home/:/opt/midpoint/mp-home-in/ + - ./midpoint_server/container_files/mp-home/cs-portal.csv:/opt/midpoint/csv_in/cs-portal.csv + - ./midpoint_server/container_files/mp-home/faculty-portal.csv:/opt/midpoint/csv_in/faculty-portal.csv + - ./midpoint_server/container_files/mp-home/mailing-lists.csv:/opt/midpoint/csv_in/mailing-lists.csv midpoint_data: - image: postgres:13-alpine - command: > - bash -c " - rm -f /var/lib/postgresql/data/postmaster.pid ; - while [ ! -s /run/secrets/m_database_password.txt -o -e /opt/mp-pw/init_in_progress ] ; do - echo 'Waiting to the end of the init process...'; - sleep 1; - done ; - { - sleep 2 ; - if [ ! -e /opt/mp-pw/db_init -a -e /opt/mp-pw/db_init_in_progress ] ; - then echo 'DB init did not start...' ; - rm -f /opt/mp-pw/db_ini*; - echo 'The lock files has been removed...'; - fi ; - } & - docker-entrypoint.sh postgres - " - user: "70:70" - depends_on: - - data_init + image: postgres:16-alpine environment: - POSTGRES_PASSWORD_FILE=/run/secrets/m_database_password.txt - POSTGRES_USER=midpoint @@ -309,66 +317,54 @@ services: ports: - 5432:5432 healthcheck: - test: /usr/local/bin/pg_isready - interval: 30s - timeout: 30s - retries: 3 + test: [ "CMD-SHELL", "pg_isready -d midpoint -U midpoint" ] + interval: 5s + timeout: 10s + retries: 4 networks: - net volumes: - midpoint_data:/var/lib/postgresql/data - - db_init:/docker-entrypoint-initdb.d/ - - mp_pw:/opt/mp-pw midpoint_server: - build: - context: ./midpoint_server/ - args: - - CSPHOSTNAME + image: evolveum/midpoint:${MP_VER:-4.8.3}-rockylinux + container_name: midpoint_server + hostname: midpoint-container depends_on: - - data_init - - midpoint_data - ports: - - 10443:443 + data_init: + condition: service_completed_successfully + midpoint_data: + condition: service_healthy + command: [ "/opt/midpoint/bin/midpoint.sh", "container" ] + expose: + - 8080 environment: - - ENV - - USERTOKEN - - REPO_DATABASE_TYPE=postgresql - MP_SET_midpoint_repository_jdbcUsername=midpoint - MP_SET_midpoint_repository_jdbcPassword_FILE=/run/secrets/m_database_password.txt - MP_SET_midpoint_repository_jdbcUrl=jdbc:postgresql://midpoint_data:5432/midpoint - - MP_SET_midpoint_keystore_keyStorePassword_FILE=/opt/mp-pw/keystorepw + - MP_SET_midpoint_repository_database=postgresql + - MP_SET_midpoint_keystore_keyStorePassword_FILE=/run/secrets/m_keystore_password.txt + - MP_SET_server_port=8080 - MP_SET_server_tomcat_ajp_enabled=true + - MP_SET_server_tomcat_ajp_address="0.0.0.0" - MP_SET_server_tomcat_ajp_port=9090 - MP_SET_server_tomcat_ajp_secret=s3cr3t - - MP_SET_logging_path=/tmp/logtomcat + - MP_SET_midpoint_administrator_initialPassword=Test5ecr3t - MP_UNSET_midpoint_repository_hibernateHbm2ddl=1 - MP_NO_ENV_COMPAT=1 - - MP_MEM_MAX - - MP_MEM_INIT - - MP_JAVA_OPTS - - TIER_BEACON_OPT_OUT - - TIMEZONE + - MP_ENTRY_POINT=/opt/midpoint-dirs-docker-entrypoint networks: - net: - aliases: - - midpoint-server + - net secrets: - m_database_password.txt + - m_keystore_password.txt - mp_host-key.pem - mp_shibboleth_sp_keys.jks volumes: - midpoint_home:/opt/midpoint/var - - type: bind - source: ./configs-and-secrets/midpoint/httpd/host-cert.pem - target: /etc/pki/tls/certs/host-cert.pem - - type: bind - source: ./configs-and-secrets/midpoint/httpd/host-cert.pem - target: /etc/pki/tls/certs/cachain.pem - type: bind source: ./midpoint_server/container_files/csv/source-hr.csv target: /opt/midpoint/csv/source-hr.csv - - mp_pw:/opt/mp-pw idp: build: @@ -475,7 +471,17 @@ services: - net ports: - 443:443 - + + mpproxy: + build: + context: ./mpproxy/ + args: + - CSPHOSTNAME + networks: + - net + ports: + - 7443:443 + wordpress_server: build: context: ./wordpress_server/ @@ -638,8 +644,12 @@ secrets: # midPoint m_database_password.txt: file: ./configs-and-secrets/midpoint/application/database_password.txt + m_keystore_password.txt: + file: ./configs-and-secrets/midpoint/application/keystore_password.txt mp_host-key.pem: file: ./configs-and-secrets/midpoint/httpd/host-key.pem + mp_host-cert.pem: + file: ./configs-and-secrets/midpoint/httpd/host-cert.pem mp_shibboleth_sp_keys.jks: file: ./configs-and-secrets/midpoint/shibboleth/shibboleth_sp_keys.jks # COmanage diff --git a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/SecurityPolicy.xml b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/SecurityPolicy.xml new file mode 100644 index 0000000..b03856a --- /dev/null +++ b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/SecurityPolicy.xml @@ -0,0 +1,89 @@ + + Default Security Policy + + + + loginForm + + + httpBasic + + + httpHeader + REMOTE_USER + /Shibboleth.sso/Logout + + + + admin-gui-saml-internal + + Internal SAML2 GUI authentication sequence. + + + http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user + true + saml-internal + + + httpHeader + 30 + sufficient + + + + admin-gui-emergency + + Special GUI authentication sequence that is using just the internal user password. + + + http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user + false + emergency + + + + + loginForm + 30 + sufficient + + + + rest-default + + http://midpoint.evolveum.com/xml/ns/public/common/channels-3#rest + true + rest-default + + + httpBasic + 1 + sufficient + + + + actuator-default + + http://midpoint.evolveum.com/xml/ns/public/common/channels-3#actuator + true + actuator-default + + + httpBasic + 1 + sufficient + + + /actuator/health + + + + 0 + 3 + PT3M + PT15M + + + + + diff --git a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/ordering.txt b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/ordering.txt deleted file mode 100644 index baf3f06..0000000 --- a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/ordering.txt +++ /dev/null @@ -1,21 +0,0 @@ -Notes on objects ordering -========================= - -Objects are ordered to be imported in waves. Objects in each wave can depend only on objects in preceding waves. -(By depending we mean that the other object should exist in repo in order to assure warning-less import. Usually, -assigned/induced objects should exist. Objects that are referenced e.g. in groovy code are not required at the -import time.) - -Waves are: -- 0xx: security policy and system configuration -- 100: resources (do not depend on anything) - root orgs (do not depend on anything) - user template (inactive until users are imported) - grouper function library (inactive until async updates come) -- 200: metaroles and roles (contain constructions i.e. references to resources) -- 300: archetypes (induce resources, root orgs, metaroles) -- 400: specific orgs i.e. org-grouper-sysadmin (has an archetype) -- 600: specific users i.e. user-banderson (is in specific orgs) -- 9xx: bulk actions (testing all resource, recomputing grouper objects) - importing scavenger task - diff --git a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/000-security-policy.xml b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/000-security-policy.xml index ffd8450..e70f49f 100644 --- a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/000-security-policy.xml +++ b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/000-security-policy.xml @@ -1,52 +1,17 @@ - - Default Security Policy - internalLoginForm - Internal username/password authentication, default user password, login form + loginForm - internalBasic - Internal username/password authentication, using HTTP basic auth + httpBasic - - mySamlSso - My internal enterprise SAML-based SSO system. - - midpointdemo-shibboleth - true - - - /etc/pki/mp/sp-shibboleth-keys.jks - - changeit - - signing-key - - password - - - - - https://idptestbed/idp/shibboleth - - /etc/shibboleth/idp-metadata.xml - - Shibboleth - urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST - uid - - - - httpHeader - https://__CSPHOSTNAME__/MPSSO/Shibboleth.sso/Logout - REMOTE_USER + httpHeader + REMOTE_USER + https://localhost:8443/Shibboleth.sso/Logout @@ -56,11 +21,11 @@ http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user - false + true saml-internal - mySamlSso + httpHeader 30 sufficient @@ -78,60 +43,37 @@ - internalLoginForm + loginForm 30 sufficient - admin-gui-default - - Special GUI authentication sequence that is using Shibboleth SP - - - http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user - true - shib - - - httpHeader - 30 - sufficient - - - - rest - - Authentication sequence for REST service. - + rest-default http://midpoint.evolveum.com/xml/ns/public/common/channels-3#rest true rest-default - internalBasic - 10 + httpBasic + 1 sufficient - actuator - - Authentication sequence for actuator. - + actuator-default http://midpoint.evolveum.com/xml/ns/public/common/channels-3#actuator true actuator-default - internalBasic - 10 + httpBasic + 1 sufficient - /actuator /actuator/health @@ -140,10 +82,8 @@ 3 PT3M PT15M - - + - diff --git a/Workbench/mpproxy/Dockerfile b/Workbench/mpproxy/Dockerfile new file mode 100644 index 0000000..da3c577 --- /dev/null +++ b/Workbench/mpproxy/Dockerfile @@ -0,0 +1,26 @@ +FROM i2incommon/shibboleth_sp:3.4.1_05152024_rocky9_multiarch + +ARG CSPHOSTNAME=localhost +ENV CSPHOSTNAME=$CSPHOSTNAME + +RUN dnf -y install php php-json wget php-bcmath jq yum-utils + +COPY container_files/httpd/midpoint.conf /etc/httpd/conf.d/ +COPY container_files/httpd/ssl.conf /etc/httpd/conf.d/ + +COPY container_files/httpd/localhost.crt /etc/pki/tls/certs/localhost.crt +COPY container_files/httpd/localhost.key /etc/pki/tls/private/localhost.key +COPY container_files/httpd/server-chain.crt /etc/pki/tls/certs/server-chain.crt +RUN chmod 600 /etc/pki/tls/certs/localhost.crt && chmod 600 /etc/pki/tls/private/localhost.key + +COPY container_files/shibboleth/ /etc/shibboleth/ +COPY container_files/system/startWithPHP.sh /usr/local/bin/ +COPY container_files/system/setservername.sh /usr/local/bin/ +RUN chmod 755 /usr/local/bin/startWithPHP.sh /usr/local/bin/setservername.sh && /usr/local/bin/setservername.sh +RUN mkdir -p /run/php-fpm/ + +HEALTHCHECK --interval=1m --timeout=30s \ + CMD curl -k -f -u csp:workbench https://127.0.0.1/mppSSO/Shibboleth.sso/Status || exit 1 + +CMD ["/usr/local/bin/startWithPHP.sh"] + diff --git a/Workbench/mpproxy/container_files/httpd/.htpasswd b/Workbench/mpproxy/container_files/httpd/.htpasswd new file mode 100644 index 0000000..f9046e3 --- /dev/null +++ b/Workbench/mpproxy/container_files/httpd/.htpasswd @@ -0,0 +1,3 @@ +csp:$apr1$/AqZo5q1$D0h7ClOUpgCvUhayr6oOg0 +guest:$apr1$E6QtcEtu$/YXrr/F4OpNmTClXGBXpX/ +administrator:$apr1$yYQxN8bz$UlAb7q/m6jra60QKjhHPA/ diff --git a/Workbench/mpproxy/container_files/httpd/csp_logo.jpg b/Workbench/mpproxy/container_files/httpd/csp_logo.jpg new file mode 100644 index 0000000000000000000000000000000000000000..8b1d36ffc5d937b1d5215555198a6d3b14d06a32 GIT binary patch literal 17701 zcmb@tcU%)q)IYkRccd4AAiX!~AW;wz5s)rLiuB%li6Vk@1qA6TO{7Whgepy>gMxGr z=?Mq~62e`d=lA%&pZnLn_j4zi-S19jX3v?ObLN~go6B#P%fOX;cQo$+5C{aY20y^% z3c#fvW!@c#4T zl_~aw@5w+7!PXPfH@j%nh|5(<0!=kFs|WhJcQo&-gWUlD#cvxgFE_j^0O0Q7=cBKo z%K6aLjFWf`yaOJ1M<^g@W9#d6>%oKjfBO9I{7?UX4<|GK(laUgr?0=o|IYx8oxQIu z$kGF_`eQp^TXzuGfqBl>%f}A@@Lz)E+<|^xe=t}M(EES{f_UH$cKjFr_=6w+i;@4- zG1ONB00IJV&?szdd>lbOK@I`V09!|}9|{Q&OL*8hdw|#)#45H3t|y>ch5ig z3y1|C|F3=={};BgdHlCe8ym;J_+MVYmf($VJNtUM*#!S{@&D(+-OV2yuYVFZc%*Rh zxvLMJ`TmTXtEbjq?D1Gf_rG#ykfZ;wlmA_#|FEsE8aS5!wzadlt@R)FaMStoy#MLb z!TFBnf7sbi)9^p+<|Umo3k!IuB$UQW)Mf9v}>8Q%S`+}7rQXtVcy_?HGd z``haO)v@<5`b)o;pX%TKz1;qp_y3H8y_?40a^C=hzis_|4F8sU`91hMJ}x%*9{kro zUn89)ut11taszzqlhqJR`23n&3M0d?RW zpbK(h3RnWRAV2OPCxJj1@Dzv!;(?dIYak2A2MT}>Km||(Gy-iv7w{Pv2F8GCU>;Zo zHh>)f37h~JP{k2LC?RwZ76=r=3lWA$LF6GS5Ov6Xh(5#=VhwSGctHFiVUTB#ct{E) z3-S(93aN%PL%JY?ka5U&$O>c&atJxc!^fk*qsL>%h=qx75bF}#5c?5F6K4{a6C;Qxh&PDQB;+Je5-E~9BxWQY zB#|WPBp*pSNG3=&Nid{WNO?&WNp(r>NP|g}Nef9^NJmLGNHJtIWc*||$PCF`$exnD zA*&?oBl|&iL{3i5MXo@uNA67ig!~QpC-MRE74kC*S_&ZwH3|y~e~KiE5{gcW?-WOr zl$3mwH!001{V0D0B< zqtv@sNU!i+QM+PuCE`l8~nXwY?g5wdU#^8y=ewn?748TLIe_wqteng&Hcw>cR&Z*jVDzTxcUL|$XNcK4e9wRhLPUc+$l za~W|(a#e9HaFcP%b31USad&egd7wPnJYhU#JafFHyz;zGycxXxyr+Epd?tJ`e2sj+ z_?h`N`9t{2_Orx2@(m)3%UyC3XTck3CRdK31th73gZdO3Oftu3Xh8r ziYSP9h`bk>6{QfpB^n@FCb}ZVD0W{gQmj#IUz|tWO#GF2zc@}pM#4>^P-0$^R`Q-? zq-2Zap_Gu6tyH$u)OE`1cdo;)H(f_b3rpKe=ShE)p_9>;iIM4+xsa8U^^vWV-IC*x zvzE(|o0X@Re;}VAKcGOUpsD~@Xj3>-lvVUotWi8r5>;|l`l$3vnP1snxlnoS2Gh7#2yQZyXsV4HC+`aI7 zy;>An23lEKtM`TO``mBQ#?!v1ovQsqhgZi#r%@Ns)znSZU3kF%!23a~9+BPyy==Xo z`jYx#`uzrU237_i4NeSI4U-M$jRcJRjk=AgjV+8zjZaN(o1~a5KNNo${&3io)zsOv z$&A>{*sR#>*j(NGwfTmHj77A?%p?9sL5~J4SuNcx+pVarY^-Xn39U`6KU!mLbZy?- z96#24obwoIt7e;FyJL6LF3oPs{)T;u{ieeWhZKijjyD`r9k-ldPU%j&&T7tC&M23= zF8MB}uDY%zu9t2mZdL9i?$++j9<&~=9=)C%o zzD<7gpds|dU%>yl|4M*LKz0B+&^WL*h$hG*=u5CraBT2q$eoa)P=Zj~(C)BnVNb(W z!f%DYi-1Htj_8JS!=vCEPc)ujq6Px9fHJz=R zU6sR@6Pt6IYnMBbcQdatpFKZ5|NO1<+i&kQ-Zi}Ed!JrFR1i?`v(UJ(zev8Qw3xLx zzWAcVqh$Gm{)gUDxzf^)Y#)=$@XGwlw#qHa$0}}DG*yaLzN=!aivI+B^8d75ZCyQ6 zqgB&gD_>h#$6J?EPgft;0BHzrKsGuxE;pGrjW^$G?ru?Psc#i)Eor;fmfgs! z5!G>t2tgcodUfu0Id-jeTXoO(JnWh3)$9G*r`0#``OfE_{#*Tsfg1yDgNlRAL-Iq7 z!?ME-Uu3@2kI0PFf0g~(Fe*3NG^Q}tGOj${F#((Cn!G*vc}jC?cv@$Ae8y%QyQ zji{fLKhrm%o29>`ezk4g*&5q6-`?2q+QIBb@6qh#>4694-<}9 zj!J$@|L#71aJ+cpeu6oTL$jbioXMZ{pPQU-Vgj+m*f$q~7cDp~+>cB5%S$gCADe${ z0etX?=imSUha~_&X$sm7V*o&A{;&P~PmRAm$iFtoKV_iV0iOTlKM6elYh(X&B?|y0 zHvz!t2>{&h1b{p+^MaTHJpVD13~vH>*RTK0V9B54>u_D_9{{270ZkM1<>e7O01&qT zz=hA{B_{Xs@}dy*1-=77r}w{h`=8oGR{$V|pGlm;{p%;QC;znnUx&+iKn=iyK>mFH zPr@g}|C5La2=EDsiNGZp%p|1bq$DI{B*esIlw@S&6ksAIrJ|;!p!$RVbn>V9pH|?P zf`pjlPmTX~>9P}`Apwo1a(oCEfJXztr-5Adf-V;TAp}h%F#Sh01P`BpkO(A+j2x^` ze+48TA0H1Smhg{@0|^Iz2MA~gX|GA%BBIl?A?EU?mwNi@9SOH;br*yFIFjf3W1mP; zGDaq57FJ$9egQ!tX&G5Lc?Cta+v;~T?rPpMFf=kY0gXdjJ9`I5CubL5KmUNhpx}^a zQO~1eUc|BpMdy84F3rskIJp5DIC{R4wT6O&WZGqc~m z&#kPkt#AC?{I#`>Iz0M)d~%9DJO9HM1i=57t-qZ8-}s^d`N9LA0RizJz94vkV8*8* zAiO3?M0-n**v6ZVOX?{Jz3QuX)m^0A*Y%MMkA23;7>8Gyn{^z`lkM9C9dz_T1gUj`@2H zm%!brDq?v-;H&|acu)`7o<1ALs9yqIoe{DqztnG73FKbPv)`9MCY}Ct^@nYp>pdcH z)B#<9P`Ay2rKOU5_ljScXsDB&_MSXX0;b(_=0tbG~XvWhw9$I^waHO69@iqP>|Xvd0eGqHMS_KVkjMSbPCFew2$ z_jp170nR<^t9h?~b`YaQ*Qn#l!Y=`m(Pvn_)#Tmw_b9(auC)gkj@`YZ+XC~~>p$r} zDj6Hc)vP_9t$Ww8M2lE{1S>$0K6ai;r&IWO;xQ3e!pk_Xl{H~JEnPW%4xMPo4dy8F zWbYMARTGLyx@|qo^{R`&>(()Ys|GZ^k!P2l*JYkMah%C zTdKFZpb}kO#5X$f(1e!&VLy5l`Ehk|wvW~sPV+l$B~?Gcbm`+c?-x$r?Fo%*3OkR| zf{Jsj;YbW1{l$1kQ-ce4x zhr9j*nIE<3f1aRL>|JOc0Ifd9#57C%JO)U&VNvno zE&4{b2MF8SahQYSU~vgVmRm%Ou@=8WuB~(w@FJeLTXcPNc`0d(;(qpwRpJuJxb;i& zCsKFt$r4w@2!hDr;@u_SL`{t5AkY7Vh^?0|&szsRFJAwW1lb;DeoU--M`^ZqQ~8$Q z)Oj&+U_nOqFT@vI2ePX32OkqYt`-#)KG647I(PSdhMbIgYk-;Re3+KGn5)@Ly(bhM zcL^9yiPekxK5XIpd9uB#(bANbS95n$B%*NE6~h&VpL$YyQ5XhYmKV$V3Z+?eYi>y( zat(DFFV37*_N4i|;`@2Ec}?cL1l4*njW)Ri2%gMhMUjY}OMvpgO1oon)}S?8JLvH% z+anI%*K@jA+W}5Lssk)25pwcSF0|)oOLMgypAd&3Vi_xu&svobxCpi3%(DNX96qmq?NsnKn@v8+F zlaq7z`l8pp-R#Mg(;oNB9$c%L zc9ZUXxNB$nvc7#vpujDdvy1>@9&!cp!~9p(yeE!ye5DF4bUTjXUV?L7hJ}3nsBM z(9>R8Xm?vbj&u(rH6PL6L4`7Ue%RyuF=(fswSMHIt?P|CpRc0a90j{$(glqN)KxH< zumF(q?l2LQRe}o9LXi1`+4R{ioN(Nxg?YQs!vtAM+Z%8OdY%Z9^T}#kArzrlQJuZPA6_W>9W;SAfi9 z1-$E)xag!`MG+dVT}$$|meEtz8aP(*S`IZCv!nzmC;Sy5dhr^o*pgoRG01VXZl-u2 zx2HQ-e!B)c>?+!9ElInlimFNJdb5A^rtUL1NgE6k1TIZBSZ@@^yxt^Mec39eK)bCj zohAKlz0x~Z+Ic{!pDk9n8u$BN+r|?Ne-E6o9-53}MVEql*=?q}zi{CP+Wa;m&4CFK zEn52{1tQ88NPFhUGWy+$WmLt1TI`)=z1y8@f`UW$gj>w(Po2UK7=mK6?Y^rRyW?gOWuK((2}6urxcpI z7T%*P2YdFb;sileCkZHjP*@l#$-CUc#5_x2K(sxD&eZGIxesjgSPUTvCa>bU zW`+tV)D`2i%!>jq0jhR=nAJ+2#8B9S(ztCR_vlhRH2J1e^~a?z zfwu?GmROYKP&=IgD*VXwGRI0M*0}w~w#M+GUN)(hH-(07QItc7BMAfWpIVKU>|Vu$ z1QncIMZY>(fQ?Ltaeus5U@?}ZUA@S!D=UJ`AXC|aGs-qHbDvr*XM7%|!j0uqNh281 zx(|{K$NXR1o;ebyC@J8sGJM6%V6Pla5KvV$coY(}9bVjM_3;pv9%g{7V(i9(ryU?`f^m;c5|KtcaaQ=A1mfxlZajSVo;;7qP!_AEw zX@lPH6Zd?dlOHlICBF94D)WL%NP!l0GP`Ghx#?_GbK0p(AGBj+n7-6A<1Qk*zPxB5 zNlL+avLwv4`AOjyC0v=~25PYarQ2_Yh*iE7=5d@Gaj3PkQ*4D0NihA?p5_SA004RB zs*KgJk(FN`CD27^aWwyL&++-50Y}rq+O{xpHHzs}6aCT_OBWbZS_+7 z|BDi3@s)hGpt#WmAC~^)~_hN1M?wH|SGXP0>-9 zTpOx>^SQ@w$!h5(y1@_9>Ek(jhx;DWZ3Et?WJ3c$_e&z-Wc*i?MYoi1zt2mO(ly*I zuOF|<{GDUErsJ6Ob^TCLrbI{bwPKU=qz>)#xwNcg1gZ4yyh*Z&!z%V*b+ku35{@*p zio`)@>+%`Ik}I9I%>>^$W$R6-Ef2f;x{Vz1t-SP2crwuUFdCJQ7J%W&zU z820*9Wn1W~R$=Y_F@emN6s`}?6^uk*z7TDm;&-(_qnGK z_A$Ddzh^77Q68A3>0}TyPr30AzT}_zWX9)f86A zo7&=&DNjpmvRdSm(2%eg^-vjk6Tz(7p8kCme(F^Xh6f)$j(>6GzXYs!aq!&Hv4hBb zdKD`4W?w*7V>fj|9xqyW?ZaJj?d$#J=~o7N*$1g=ox)zW15A>=S2@{^@(Zz~pwWkq zeup6p1LBuGs+U_~1VJx`mcB=bH9O`Bi0*r^{6q*u-fk2ANt>ejrI2u_n%T2&;%$P- z*dYI7d`vg-RFrtB6CVU+FxJ$o|c!e*gn6Q+`l%P+q35D zNzF~LV|V10-mx>Sw4WMMJUS~6?;ma*vgeg+ne`ye6)Q-O+v%Bw3kv0pGX!r17Va{ zqKqDRjprUUvSckL+W*;_=QFds%81eOiiY`CJX@#DnvN*DzHpBe&u>yZM$|0!9xCe> z9kAsLvrQ~L-5Me$f-A^il_;M2xj!WrxkKnP(Fyb0m0$U4N$x2QRFbL=$l=W=9b_C` z0!v?w*zXC>Jb(Z8Bo6d1<(khgToiOHkPnq*ofSV8(~2j&saf;L60-H9zUFd%(jb7h7AG zvm)Cv3tABbX%`(E7bz-|{LxtTuwmrpXC|SH4qK?WMynf7;Io>N1x@(3xqg+0#M=n8 zU`aw4IReW2=lu3N%h;{XNnd*=xKTm`1$KOsDF+CRaXhbB6 z#UW(FIBHvmo?m});(?~3@9duXLUGIIxk9+^c+UH^Ji%#{6_&>2q%Gql=^~Rjx;`EO z>$9T#5@O%wn<=(?FTdt~_(P$(`@uZj%oivtXN^;)EvvUS-dC#b$h@n|_}!s_oTWwL zgt%9c(=NKAb$Ad+z!#*Ue-!pDvcpXY}NFvduI2qwDMZq3)7j((w;ews66Mb*^EjWAU8;M2+F+}PPM$g0%hKT zQe)Mrs^4z6q{n`o%jpZY@j02LxnL*p?2(r_i%??M2~I0BNtULouX1P1N9z85_AH2B zsyiq=W?0HiW4hWP%0)5p(UEp(-E2v7sFJ!{__RHS2sZ^o-mijcu8u}a@h8@WB{!%S z2!F{+(;646J5l;}+;jWUEKHcn#S<;SgryH$8Qsgo2yeBpT>{je1?awuw+))M!EUQ- zJ^FaXn%B|@oe2;^BKILY8Ys@cj2Jx3a9|{m>V;CLi`W8>$2LCPu#^68geA% zYPG$*G|4@P)vF9Bh2-D#6K4$Kjz1h~TFx$%tf#kh#Qan!HqY5;8uVsjU0&XZd{)M$ z&4Q6L)~mD8d2j5qnU*rgXrkG)D82zl3z&RnhC9GwQX;-a(6%OHJRG7=S1T*r#SR** z#7C*3669rPte*)G#EP-hCW|~n-TPg7>~49~t60BS@L|EiYTGR8z(3GmDI@)-Gjr>} zmtc`ETC^c4uHRHRa3id`31O5)+Zjw*HQM1!Z+7VT`jlR*2?VVoisa$fqM4}KIB0m@ zH_lzm!@hRNuf=_jR;l#O(H`$EX@=vF%upY^~VY>FGG3T4<@avaAr|GgGP1flW+U^lG4(>mS*%rsiX<((q zo`Z3xmd%S}rc2;z0R~F4;jBWY0QXrd$5yVce)gzT7o- zK3Ne|?^Vfd*`D`{X4O)6z711uby{mIz#+;CDBl&&J)2@IDH8G7-Mni~E>?`9#kj&b zSR~7`$XS_hb@6bK*B!A%6E**->g!4%eipVFoxdWlOu5#srrDSh%vozkHhINjKhZn~ zP&yAWnTOUk_Kv8n1@1x$wr5TQub|gXTxa&`1`bv-Q#SmB&sfcgsdGE$mUyZKE!;HU zvv~=lE&*C8=1|^D1LIsdXVbbLo|R?h`7;O&6~(N+;b_+(v1nOQgOgVViHbie4DvYmH{>`CrYtUGwAqhqrch z9Uh%+jSL%bq!siF$rAvM1Gpr+P$k z(l$+`qoAY54!6&xUg__2g~gp_)dp34z65B>pKqMh`s_)kH((HJUz9W53a%YJ%&Ch{ zGNP@CkcgOq)x_++S`!U5YYCU@&x6gxUjokUIck>E9^~)tB<|bUGPH%N=n7iO7(t9A z4`(;gaiH%}yXT~DVBYSx;9B6mh12+@aK|}0ne}stEVo1+t>vzDjzNxsc}I_8R-uA>q4HahvY&m6xG;_1@tR5>5X18OK$N(<|z5 zN!FrWMoX@irm=|cC3Eu&ZF3LPZ_Y9fRNhz0403!xCn7IG3BL=)QxVcY6)g8hg*_ts z*uUz|I%&vB-Q@6`t!nwpof~EOQQlOBB{3m~tyTG0x*c3v4vg&KE=MTIAtp#(3n5LL zg2>IbI@xPs@1qy|@jecNfA&DAZPwK#&n`;n18*#j##lHX9cjlwG=oJP=UX?=A0KAZ zGwCQ#CRiE2!cOkwUCZdhaZbrNpRyclm3rEV_ypeF7{w{~;$#f1$#xO;2ay@jy1;&F zLNw#d;SE_UdaFLWS&!_#x=^iwW$)%l;VaE7oMh*Wv&*`>N0?jU@mPLjgKnIeNdlI) zz-mV}B)wzi$oc&6JLM5iEOeA;W5D>@O&&YCL%Fp&q`z?g9A9H-tL$Dt#=s?DrL0^Vjc&l0lxZ`mu;g7n$ zs=k2zDo<NUOJvN6PO=9lM zUIKRC(T_WNddwtC^Co}(%Er7xA54t07$@V&8w41X>4=Y*>0>8Ugsy%X-+w{!)oguDdIIvUJh__4T)$q4S9`fxYD=D8hvZm02cZ&W|1iVn$-y^?$q zhbq}~UZsvYdic$0Z^bpJs-Bu|VNv@c=0r1|gg4qq^{}p$hn)Fl=jW9ZcfO7paG3$) zm|X!Kf)U>kNCP7zb==%Mmp}WtKrd1gocpLpJe{cL z_a>I96-Oqs2D+UkyGtvlK(*sPtcj?DXS@?R~$LRkEEMQM#&70C-*LaXHGaN+}IM?uCmeU600+e zeD+}jQ-Gq;#_P`or6k|*qE}^7cpF7Xl(epY;PxrA*Vxg((oCN8&%!(ozQMY2DyZ85 z-sqxAvAPP=3a-Pqd8>1Qx1>sLA8{Z4_^^EaiUh!bEY1d(@@4e9GI*CW(~3pRJneA0)qG}s{0gX92rdT^2b5*@dc zuzKBKCY_V@Q2&n(8F*JEg1Lh&jK67CSq4SdlP8a2NNmo7Q>!`q+VJ)Oc~!?3haLq$ZtCr1!vy5>7{CUVDeqTtrpqq%udi_a^t54FeQ zcUb+{gyG25k>~v@fmjBUwTRS`_x&#Chb}fWsvq0;irRN`sL!3fd9}ec$`UlasO8aS z68G(oZ;8P+^H0?GF9B?z%x{(qF=62k8+C7&R^VUO2D}+0So+AOvh_>!Ma|pn%13WP zp~~*C?rbZ9s(2YR_NvFBHb)}+PQTOrgh!2BuMi@dJ?nTnin9W*%3X-2EkelRbzmsb z#!H~mHGjb5I~1u6|L)kGUuV^gV2I!2)|ip$LosGLmi};IebV4bj)uFA_ja_-<=3-spCIY4`0C=Gnj?mZj0*Y+Bbzz+_<$`J|2hf=zEqi;ZJG1T+$m< zJn1P`cW@<0L!WEzCnWZ5Q)Akbo1E(#3i?#OOYbnLW@si;ol>UCZz%5@nO_YTo8 zmkCkPV>m(Q_}q3@p)1vTW1x|sr?;Y{*hkeNtJFx>O*mT6vqum|hFgNumfMUV@+;T_ zM!Gj{wvzi5-CBMgOtw~Rz+UzP#~v{TCy#(dj58wW>)_9p7}{)5eU;ayHjw+N!EAZ# ztZ8@SG91*2{G#r@Ku18f$u?ncRs`=bxY+z$m@0ogH)*)kQn}Dz8Ls;qmLNHe%5=b2 z?$+0j`t@iuC1)=6#J7aBB_%GApLayilSSRMZ#zr@UNTzf!o(Q(V9?XwRk%x9ib7c@ zs!WjMZ6tM*Of$yx*Wg+en)fuy|KWOyR#h~dR$Th~7!`Nj^e$JH9Djr3VjMesgYUPXbebPSfWhSNjuafE=DN#1_*b?NG1fH0Wx#MKE z@>J0L;ogMhFqXPo#m@R)Rr@@v%m&2jG8}LWuFoadeAEZoNh>R9`pX*?i}Z`*uvJ6n zuJi9ok`&mQN_sxlOH>%<*s_jq1jc(=Ol-LNt$mpdSIW;FK6O0@L(!3fm%tED1O@zC z-6e3Y;)1jGzae#?I<@cSx#uC`S?&-TTIM`fn11+92vw7(CX81Yz|C;(i~)`7u7O5q z^}%lT^62w%EL%)3`SOKi-AZX=oOadR5l=E=2*bULL4RJGtdfV0VQ)RFh%F)+GjaZL z35eFXX^Y%2Rs1^l5Lt!h)W8;jdqL2Pz-h$q=};?h2eoUS7$;KF<%yx*hMwPheFno2 zM$G6(^yJr%Mnwo~yse5YM3yZePHe5NO8Rcjjd&)@+3wA6dSGIdLj9{kK(?yEPV6>7 zP#7fKWu}}@WzY!ikko6yX(NC=hO%1}1> zB`C~ZVA=7W?xLq>(}g}be;*?@n9Sf8iL8ydgnQVuG1vyo_!2m=vbqFx_bkDMhF}Q1 z*VzaNRxdL4aIF2vVi>b%M_FKL;%#)=H^)(XCFQDG&BWG_eTC6mR{W;8>12CMa6hWg zkHMK6wT0>&*WM(^J_gY{q&b#|J`=iqAW8N_jKb*rE z!@S|kzpT#g$b&KBel48AY&N{Bm>(xeyqbTJv~>v-@7zQ8;K=;J#b7rZN2ZRElIw|8 zVd!6;R_v>+xOm^eqxh6V=Mq>rgF7T2cw*+8`qeBBu(UBa@<(!5TFeSGE=(BO^AHQ} z*OAIL$>i7NhHW7nE&+`=YH{nvjKK4X`5MJF_MNyq^SC5a5v7>6jnGH#C1>oq5^qtc z@}m7B*BzV&7`G$b163sg3r5|m+J!HH`*Y#o3f0B=`x4mIP419KtzFlE_E^P)oK(<7 z0&;=IYxf(H`QJH{WFexJjbNss6nsk^b$(AuzqVjm2^@P~Am@%@O>@kf<$A6z# zpysAWr(V6te>ptoET(=nxZX8FntPr=33(#PoC0Q}T z{pzf$h1pVnGXb3Cv(vHYzTpIe_1 zn&Mm2D|K8Kxp`(-OVgcH9xl8;I!BEoJt_@jMVki}Z+$}d^!S+mieQ@HiJbfCZM!x~ zZ}lTzf+65=PRV{w3YhB*1S1y;8`9Zn+djS@D%#E?w8Jp@TaEE7y#fzx5@=LD58>_mhNw7*&DjYkDRFh$kR@%k;RoHP8R@CTphb-{5 zkGuOkktz?xG=RgY!24Sr%lDBOOHkBqjP@PvR*OOTZTHrp;n1wvkLWRv3JZf!8sCE5}3s=GC&($z^Dd zyb39n2ATY9)!rWYHPNvsg?h=!=C;FVD;}KnJc7L>%s-?$S?JzO&C*7R+Sw)0Z{df; zvZQWIyDHX}@|$EHJ?i5hM%|GLF^tpEl$~_vn^Stetfz_;0G~(7KT$4F_|WpcC!wzH zx?L~^k#`Gh9~N1sGc^{hEkliA4?GN0x0rwTkHE+-0e5!Yt|g?-o@1vXe?mRz9hKch zNz0`R7Dq>~^_uyQ`R6TtO_U>!)BDLNR#*_lvTU+jvS)+20SZ+;Y!|bd4B6IYZwuKg z)e6n=kPQ@Aw4)2bro5LWA|=xZ!9vlJDEwaNr`bK{!X3r*WIES8$V?Wc?)@fp&+E3# zo3UD6<%*D`pCDbV2W-vpO3e_#o z-E+3o(;n0`Z4`1p?08tWpPLAK0j=imrH;Cw3~bve1Y53dxNZRfQcAxY7J8 z2=~#sn7*vdo=`Yjm?3iUUC4xU2luq-Mnkkx;8|a*u5S&`LoI1*K{8cFqb`O`t9t(3 znAOqm_~uAl{_0>I%O;91OGe9}$OUhY@x}&;?bEL}uRRgy#FqC;K;;s;>qF9(&*Pe835;+)S?m#ei(y}RY? zU+Ro1ZJkxQD*buW3RwbEGJSTmEz5Z^lfd#=pCHcbE6j7*Ql==jh>b{A(=aI(QI|e< z3VVus$w6Q%?+G$#nvvNGM9CSKfS}WI!yB^JrDIwq>do@L~El@R0 zz458wpB+iMr?X9)2rX7@Sqo&t&t zV}vs5TZ~6$bb1#Tt!cYli%wb!+}{-)T&WVv3~NfWOQ>Cr>N?d;USg??PzlrTK+(_0 zo@;0G7%LjTcEg+hH5W$0RbTsp3QwK(BNE{E4Xl7Cz*zlq%{$NedzNBa*ueMlbypP3 z!sRs6^+bP``gMwAr56aSx()*Ur`!){CFp&7&}!X*9ZD#V)OXIYY+32`p;Y-!DJoOW z_TH>SZfulaq`dp!a;Qc|py-dRInVs;kukH~Z#lJ6(&|4w zcNi*c>hD+*(Z2+=!BF`YsEDdH;gQF)T`(|Y<-PjIS^9Zm{ndf7a%Tb#$AR)MXJVIt z&~t^)YSgx9TZ|S~2Ym~v)t67#L4&3UUj(!XwhLaeJp z-A)if01w)ed56TTOe1!;FjiYC_-Oo9ZC4X?U(qnU0G+N&tL6@d?$hFa4Bp5A-yN!a z^=M51Uqa!91m~5VRd^l$UR8OR2T~LfwWrLzoF9#2NV)_t`bT$=pEFOGtE!Cdk$RBw zG^-DgcUO7c)$gFN@TzkU)%F#xtSas>na7U4tzg9(WG_ljTZp_C6qwe#M{n+-J)UOn zQ#Q1q7;hA+Vwf-YC&E{a<_*Q@;g(c5TBh2DcXX*2G*|ar9HBdAEVpA@tHu40>mf`x z%1$#M0P+kdaV(ASi6;E}&WVGH(2RRn6@A!U8W(-x%GtWfY2EK!+|||xk{~yo9Qqye zmh|Dmdrfd+A?DkgC@qttc_b_~%x8_v^ngx>`A&N@yU>G%#e?42)YlW?`l{pV4ExZ; z=iuxnt=2^*4$_4^A4DUP0Wo^Sq;BwodqY>Vt{>Jr7Q} zEVpYeqU|N;BGH3tkLS-qtDfK>`SVJ>DnjTBlx@%X@o4n1tMfY~>`9&0i@oDqm!Snb z{%>mzswlJW`R9JXS*L=?_unaLONui)Nl-YJ(g&pBfTl!+IHlZb!)B> zW?Pv?a!jlg#Hb7MK)iD@?bB}-TDxuVOcxvm%TG0ZaBG4JGW^1bpqIQs+;1wFGx z?|k(iMe{Rt!&&yTJK=RQNl6p1{okW6ESXv-HlAwAQwH0gd|*qGQmr!R#B0$_1g*=1 z1el{ZgIWQ4SUpvo( zmLpCrutPU^E86N+d{xfnk<@hR4$Sh3mXnq)Quk<&^y=Pi?9V&Cdj#%-yo$IMXiNS1 z;Cs5$Y(YN9nH{*-!SMsO5?5ag?-FklUm3igCwoz-!uW9h6?? zk?pway8BnDn}d|2^pY0Ph~_GXlDN#e*9FYtN>)cIYUID=R$dtWtctIYU-I;hP_Dry zVY)e3F7n_GXWZG{FzVy{cn-cse203}wbe&L#L#}mS049$@VoG~O(m0zYjEOWo+zt+ z1Z{s=P^($Xj9A6mp(uBlhI>i31mo49Db}M&OeX2IBb4>MV{=v6O7E|W zkllUo^=5ZuFGY^e&3)l_=wzg4Z$7D;vYc<#){d>`>K>PR@Sm!C9-Xd!1h zhS=d(FRxp%XKn^3+5JHI`e>EtHeJ*{3zJ*M(U!5YXfvy}?WYxq4iGPN@Ut`{`XB&bnqJZ#-DjNjt)68 zn_R7b#&vBtsyr_v8+ljdEH4QiJ0Qm@R^J z8%DNVjTG;@8*yca&OC^}7soZ(0d7w%x88gh_euXTw-fO-o)@-4FUs24L@A_`pvamt&wW;AK$M&AVR0H<_x# zjT3@*sVb`@4_1vE#oCc2odGato6<=#^?WeMCn)-*nmD8{z#dNMKmwdQSMe$LC8pDa}R{>qm z$QNOr9X9@cS)mK{mq095*Pr9K!5JEw*R2&x%4^FE?G1Pq(y4ad$;=aa7nvf8&X zqz`ir=s(;>Cb$eqrM(s?{GB-OZ8rS9OG#ZTYjEx&M^EU^TcHF%f>7l-rp{y$+V@VK z{sH7qz9aDdiLm824Y=FbAe+xEE@>YPE+SL<1P1PR#ACByfB;J`j3Ws-w6qLrT~2Hf z&u&>g>K4H~;Ly6tXj|{26Bffs6(9kzg_hnBlzsNighNTZAiiXGyGmm^1p26}%{v>} zA!F;4l~c8+zQZCm@hB`W(a#Cz+d+q$f-=EuM|3U5!-Q9pX@WSmo$o7FrX$5{-%zk4 zEx1XF@qtf9VSt>q*bU)jtGz*6Wc)I9ymZ5adzcLhWIT>5qfahRG|JLBD?R1Iw>XWX z+j%yb3&T0?3%ULH&?+csfYTvIPkJU8VXQ#`3jTK=AMVwc(Te(OSzmur3j_)bUgM$4 z+;mo+-Gu$4f{9U=z*7$~ah0pCE$}4iMavs1zY}2wdf(OL_IXbqqmHmD`Op`GM-<#Y zdm81-=36>&JBO2M=dC;_gQxNzQw#F+lc;IrnB?pV^m-na=nKj*@MI$PiI6KJNz?b1)=uM!V>(d{^(P-9 zu8wS?J^17JwI$BBRK`@J?T={8UDMgT6JA-m--ipOxlDSeIxi0H&ZN8Avo~&sf5z`= zc`dYpVhK=W`1E^ACndpd4P_8mI!dbI{I$MB0epKqyH+0q27y+nyYkuLU8d6cktc96 zzuc=mEh=Tf_HbYK3M(a7Zj4M(qAA4_^^Gso0^i-6l&gqPH<8? zm=h!MC7Id#d-py*zy=7*|6~pnyf@=MG@|~9?|s3k>DEs_L*(g=hh{-RMklWl70JAE z&2s96RE-`Pt~VE_HLo62oCRA1>uW4Q@x}eDz8{<%PASu^gwtt{`61@WSK2G9q0j5> zj{Gi!O+$l=lO~+rL|(h*sG693oNWksq7rdYuOfqGM^9pyu_`r4x4=AlRLs-k)?qmM z_CeTisdSlE?!*r@hJi=PZmBQ6-2QaU=M8gT*h;W?62fKl#q3ZA5>L8rDap zwq9hKiFdcCRLAyyHkA17$znO@7ZBo>+S0r{9PPt#wQua}(eAiGm8OBuy+GeIZuxsC z5B)5!l;>ykdyEGM*MB1L!Xi+JZgyh*$uP+^ak?N|t?A~DhDm?H3Y&cL#4j{4^2{O< zch{8e2yZQYBn{s}C21 z7q1Y@$p|u-eRlkf$F6*+#(4L;ulygm@H*`k5_5LBr?T16yd3FJzroQ_M?#kH^vt9_ z!>ct;|MPIxy!s6l$Dd*0zY~fCjeC&K3ALxtJ55Cj&aR(j+xO~90$S9iv({9|!$5_x zdj@XDba&89RQQDx>u7&6S8e{GE3&^S%3ZzQO51zP-{?dSP{fPQ)dUyQ#`|nu7?)^lE*@r1Ne>zHo1~ufb zI0R9EKH2@`@3>WO?l5lTy_yp(c5ojgERuN3JmTubGaNZuW+wd4{{oskxG}X*YO_J1 zaQ2stJC^-%k`E`l$91;J_pR1L{F}1n%Q)^ewbVSy)vP~NkU=v@YtxSQ%((@Ggy&Wy z7OIgFwrSBj|26`s|F0cdn-f!e@n_J*Sm}(4Pm}ZB7n(KRs0-N==%@&*P=GZ1|C<2Q CnDGw) literal 0 HcmV?d00001 diff --git a/Workbench/mpproxy/container_files/httpd/httpd.conf b/Workbench/mpproxy/container_files/httpd/httpd.conf new file mode 100644 index 0000000..780ee12 --- /dev/null +++ b/Workbench/mpproxy/container_files/httpd/httpd.conf @@ -0,0 +1,367 @@ +# +# This is the main Apache HTTP server configuration file. It contains the +# configuration directives that give the server its instructions. +# See for detailed information. +# In particular, see +# +# for a discussion of each configuration directive. +# +# Do NOT simply read the instructions in here without understanding +# what they do. They're here only as hints or reminders. If you are unsure +# consult the online docs. You have been warned. +# +# Configuration and logfile names: If the filenames you specify for many +# of the server's control files begin with "/" (or "drive:/" for Win32), the +# server will use that explicit path. If the filenames do *not* begin +# with "/", the value of ServerRoot is prepended -- so 'log/access_log' +# with ServerRoot set to '/www' will be interpreted by the +# server as '/www/log/access_log', where as '/log/access_log' will be +# interpreted as '/log/access_log'. + +# +# ServerRoot: The top of the directory tree under which the server's +# configuration, error, and log files are kept. +# +# Do not add a slash at the end of the directory path. If you point +# ServerRoot at a non-local disk, be sure to specify a local disk on the +# Mutex directive, if file-based mutexes are used. If you wish to share the +# same ServerRoot for multiple httpd daemons, you will need to change at +# least PidFile. +# +ServerRoot "/etc/httpd" + +# +# Listen: Allows you to bind Apache to specific IP addresses and/or +# ports, instead of the default. See also the +# directive. +# +# Change this to Listen on specific IP addresses as shown below to +# prevent Apache from glomming onto all bound IP addresses. +# +#Listen 12.34.56.78:80 +Listen 80 + +# +# Dynamic Shared Object (DSO) Support +# +# To be able to use the functionality of a module which was built as a DSO you +# have to place corresponding `LoadModule' lines at this location so the +# directives contained in it are actually available _before_ they are used. +# Statically compiled modules (those listed by `httpd -l') do not need +# to be loaded here. +# +# Example: +# LoadModule foo_module modules/mod_foo.so +# +Include conf.modules.d/*.conf + +# +# If you wish httpd to run as a different user or group, you must run +# httpd as root initially and it will switch. +# +# User/Group: The name (or #number) of the user/group to run httpd as. +# It is usually good practice to create a dedicated user and group for +# running httpd, as with most system services. +# +User apache +Group apache + +# 'Main' server configuration +# +# The directives in this section set up the values used by the 'main' +# server, which responds to any requests that aren't handled by a +# definition. These values also provide defaults for +# any containers you may define later in the file. +# +# All of these directives may appear inside containers, +# in which case these default settings will be overridden for the +# virtual host being defined. +# + +# +# ServerAdmin: Your address, where problems with the server should be +# e-mailed. This address appears on some server-generated pages, such +# as error documents. e.g. admin@your-domain.com +# +ServerAdmin root@localhost + +# +# ServerName gives the name and port that the server uses to identify itself. +# This can often be determined automatically, but we recommend you specify +# it explicitly to prevent problems during startup. +# +# If your host doesn't have a registered DNS name, enter its IP address here. +# +#ServerName www.example.com:80 + +# +# Deny access to the entirety of your server's filesystem. You must +# explicitly permit access to web content directories in other +# blocks below. +# + + AllowOverride none + Require all denied + + +# +# Note that from this point forward you must specifically allow +# particular features to be enabled - so if something's not working as +# you might expect, make sure that you have specifically enabled it +# below. +# + +# +# DocumentRoot: The directory out of which you will serve your +# documents. By default, all requests are taken from this directory, but +# symbolic links and aliases may be used to point to other locations. +# +DocumentRoot "/var/www/html" + +# +# Relax access to content within /var/www. +# + + AllowOverride None + # Allow open access: + Require all granted + + +# Further relax access to the default document root: + + # + # Possible values for the Options directive are "None", "All", + # or any combination of: + # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews + # + # Note that "MultiViews" must be named *explicitly* --- "Options All" + # doesn't give it to you. + # + # The Options directive is both complicated and important. Please see + # http://httpd.apache.org/docs/2.4/mod/core.html#options + # for more information. + # + Options Indexes FollowSymLinks + + #no anonymous access + AuthType Basic + AuthName "Restricted CSP Content" + AuthUserFile /etc/httpd/.htpasswd + Require valid-user + + + # + # AllowOverride controls what directives may be placed in .htaccess files. + # It can be "All", "None", or any combination of the keywords: + # Options FileInfo AuthConfig Limit + # + AllowOverride None + + # + # Controls who can get stuff from this server. + # + #Require all granted + + + +# +# DirectoryIndex: sets the file that Apache will serve if a directory +# is requested. +# + + DirectoryIndex index.html + + +# +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. +# + + Require all denied + + +# +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a +# container, that host's errors will be logged there and not here. +# +ErrorLog "/tmp/logpipe" + +# +# LogLevel: Control the number of messages logged to the error_log. +# Possible values include: debug, info, notice, warn, error, crit, +# alert, emerg. +# +LogLevel warn + + + # + # The following directives define some format nicknames for use with + # a CustomLog directive (see below). + # + LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined + LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;%h %l %u %t \"%r\" %>s %b" common + + + # You need to enable mod_logio.c to use %I and %O + LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio + + + # + # The location and format of the access logfile (Common Logfile Format). + # If you do not define any access logfiles within a + # container, they will be logged here. Contrariwise, if you *do* + # define per- access logfiles, transactions will be + # logged therein and *not* in this file. + # + #CustomLog "/tmp/logpipe" common + + # + # If you prefer a logfile with access, agent, and referer information + # (Combined Logfile Format) you can use the following directive. + # + CustomLog "/tmp/logpipe" combined + + + + # + # Redirect: Allows you to tell clients about documents that used to + # exist in your server's namespace, but do not anymore. The client + # will make a new request for the document at its new location. + # Example: + # Redirect permanent /foo http://www.example.com/bar + + # + # Alias: Maps web paths into filesystem paths and is used to + # access content that does not live under the DocumentRoot. + # Example: + # Alias /webpath /full/filesystem/path + # + # If you include a trailing / on /webpath then the server will + # require it to be present in the URL. You will also likely + # need to provide a section to allow access to + # the filesystem path. + + # + # ScriptAlias: This controls which directories contain server scripts. + # ScriptAliases are essentially the same as Aliases, except that + # documents in the target directory are treated as applications and + # run by the server when requested rather than as documents sent to the + # client. The same rules about trailing "/" apply to ScriptAlias + # directives as to Alias. + # + ScriptAlias /cgi-bin/ "/var/www/cgi-bin/" + + + +# +# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased +# CGI directory exists, if you have that configured. +# + + AllowOverride None + Options None + Require all granted + + + + # + # TypesConfig points to the file containing the list of mappings from + # filename extension to MIME-type. + # + TypesConfig /etc/mime.types + + # + # AddType allows you to add to or override the MIME configuration + # file specified in TypesConfig for specific file types. + # + #AddType application/x-gzip .tgz + # + # AddEncoding allows you to have certain browsers uncompress + # information on the fly. Note: Not all browsers support this. + # + #AddEncoding x-compress .Z + #AddEncoding x-gzip .gz .tgz + # + # If the AddEncoding directives above are commented-out, then you + # probably should define those extensions to indicate media types: + # + AddType application/x-compress .Z + AddType application/x-gzip .gz .tgz + + # + # AddHandler allows you to map certain file extensions to "handlers": + # actions unrelated to filetype. These can be either built into the server + # or added with the Action directive (see below) + # + # To use CGI scripts outside of ScriptAliased directories: + # (You will also need to add "ExecCGI" to the "Options" directive.) + # + #AddHandler cgi-script .cgi + + # For type maps (negotiated resources): + #AddHandler type-map var + + # + # Filters allow you to process content before it is sent to the client. + # + # To parse .shtml files for server-side includes (SSI): + # (You will also need to add "Includes" to the "Options" directive.) + # + AddType text/html .shtml + AddOutputFilter INCLUDES .shtml + + +# +# Specify a default charset for all content served; this enables +# interpretation of all content as UTF-8 by default. To use the +# default browser choice (ISO-8859-1), or to allow the META tags +# in HTML content to override this choice, comment out this +# directive: +# +AddDefaultCharset UTF-8 + + + # + # The mod_mime_magic module allows the server to use various hints from the + # contents of the file itself to determine its type. The MIMEMagicFile + # directive tells the module where the hint definitions are located. + # + MIMEMagicFile conf/magic + + +# +# Customizable error responses come in three flavors: +# 1) plain text 2) local redirects 3) external redirects +# +# Some examples: +#ErrorDocument 500 "The server made a boo boo." +#ErrorDocument 404 /missing.html +#ErrorDocument 404 "/cgi-bin/missing_handler.pl" +#ErrorDocument 402 http://www.example.com/subscription_info.html +# + +# +# EnableMMAP and EnableSendfile: On systems that support it, +# memory-mapping or the sendfile syscall may be used to deliver +# files. This usually improves server performance, but must +# be turned off when serving from networked-mounted +# filesystems or if support for these functions is otherwise +# broken on your system. +# Defaults if commented: EnableMMAP On, EnableSendfile Off +# +#EnableMMAP off +EnableSendfile on + +# Supplemental configuration +# +# Load config files in the "/etc/httpd/conf.d" directory, if any. +IncludeOptional conf.d/*.conf + +ErrorLogFormat "httpd;error_log;%{ENV}e;%{USERTOKEN}e;[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i" + +PassEnv ENV + +PassEnv USERTOKEN diff --git a/Workbench/mpproxy/container_files/httpd/index.html b/Workbench/mpproxy/container_files/httpd/index.html new file mode 100644 index 0000000..b41714e --- /dev/null +++ b/Workbench/mpproxy/container_files/httpd/index.html @@ -0,0 +1,50 @@ + +

+

Welcome to the InCommon TAP Workbench!

+
+This is your own personal instance of the InCommon Trusted Access Platform Workbench. +

+For complete documentation, see this page. +

+The system contains the following TAP components (click the links to access each component in its own tab): + + + +
+The system also contains the following downstream/target applications: + +
+The following repository and message exchange monitoring tools are available: + +
+Shibboleth SAML Identity Provider and Service Providers: + +


+Container Status +
+Refresh this instance + + diff --git a/Workbench/mpproxy/container_files/httpd/localhost.crt b/Workbench/mpproxy/container_files/httpd/localhost.crt new file mode 100644 index 0000000..0dbb064 --- /dev/null +++ b/Workbench/mpproxy/container_files/httpd/localhost.crt @@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIE0DCCBHWgAwIBAgIRAK8LnrzhkHuEPH4q+WOqLjAwCgYIKoZIzj0EAwIwRDEL +MAkGA1UEBhMCVVMxEjAQBgNVBAoTCUludGVybmV0MjEhMB8GA1UEAxMYSW5Db21t +b24gRUNDIFNlcnZlciBDQSAyMB4XDTIzMTEwOTAwMDAwMFoXDTI0MTEwODIzNTk1 +OVowXjELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE1pY2hpZ2FuMRYwFAYDVQQKEw1J +bkNvbW1vbiwgTExDMSQwIgYDVQQDExt0ZXN0LndvcmtiZW5jaC5pbmNvbW1vbi5v +cmcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASVo9lNdC8c3yUIUoMS7wRadzsX +bhSSgK4PCEV5FOPNYcsnFEc4fdt9ZiOeWmrlwVkq5Z/DzPLFXaD9PK60b/7Go4ID +LDCCAygwHwYDVR0jBBgwFoAUMl8K2RhZ7UFxIdXuCeLZr7LXD7EwHQYDVR0OBBYE +FBqIz6rIuIlLz74StmPXbI6kVQstMA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8E +AjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBJBgNVHSAEQjBAMDQG +CysGAQQBsjEBAgJnMCUwIwYIKwYBBQUHAgEWF2h0dHBzOi8vc2VjdGlnby5jb20v +Q1BTMAgGBmeBDAECAjBABgNVHR8EOTA3MDWgM6Axhi9odHRwOi8vY3JsLnNlY3Rp +Z28uY29tL0luQ29tbW9uRUNDU2VydmVyQ0EyLmNybDBwBggrBgEFBQcBAQRkMGIw +OwYIKwYBBQUHMAKGL2h0dHA6Ly9jcnQuc2VjdGlnby5jb20vSW5Db21tb25FQ0NT +ZXJ2ZXJDQTIuY3J0MCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5zZWN0aWdvLmNv +bTAmBgNVHREEHzAdght0ZXN0LndvcmtiZW5jaC5pbmNvbW1vbi5vcmcwggGABgor +BgEEAdZ5AgQCBIIBcASCAWwBagB2AHb/iD8KtvuVUcJhzPWHujS0pM27KdxoQgqf +5mdMWjp0AAABi7SpW/wAAAQDAEcwRQIgFccZe61hXAV8a5jwbeMBVKQC54Ii0QP7 +TGb+liXz8eQCIQD88vXok9Gz0y2nlarz9xFe3y/QkN8ubF0w2lK2g0uLwQB3AD8X +S0/XIkdYlB1lHIS+DRLtkDd/H4Vq68G/KIXs+GRuAAABi7SpXB4AAAQDAEgwRgIh +AN2X04k3SzVn2rRBKoBhx7FJPtyJ3gGrQzB3yCrzcz/RAiEAj6ugl5T9zMnpiOl6 +VSwpx2vEqk9i7CCZRfM6tyZBkBQAdwDuzdBk1dsazsVct520zROiModGfLzs3sNR +SFlGcR+1mwAAAYu0qVwjAAAEAwBIMEYCIQDLAnC4IYrJAy2B61GlBqK13bYHh1cE +FPlT0R0LEsNYaAIhAO6YNe0aQmBG5ZI4m1dVlhwyTCEqgKnQFyBuWm9N9nwOMAoG +CCqGSM49BAMCA0kAMEYCIQCeDcX7iV+NpkJn+DE+VgQVxixxnZ9E6mhJXlMpwBpM +XAIhAIoSwFNJXNv/HcmgBZT4ryBE4uVP0ZyIhmxrOsSYaMmk +-----END CERTIFICATE----- diff --git a/Workbench/mpproxy/container_files/httpd/localhost.key b/Workbench/mpproxy/container_files/httpd/localhost.key new file mode 100644 index 0000000..6e9d693 --- /dev/null +++ b/Workbench/mpproxy/container_files/httpd/localhost.key @@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgZOLttXigKHyb2Pxw +pu/CGu0EusPaSqu8iOPq4B591OOhRANCAASVo9lNdC8c3yUIUoMS7wRadzsXbhSS +gK4PCEV5FOPNYcsnFEc4fdt9ZiOeWmrlwVkq5Z/DzPLFXaD9PK60b/7G +-----END PRIVATE KEY----- diff --git a/Workbench/mpproxy/container_files/httpd/midpoint.conf b/Workbench/mpproxy/container_files/httpd/midpoint.conf new file mode 100644 index 0000000..37e27f5 --- /dev/null +++ b/Workbench/mpproxy/container_files/httpd/midpoint.conf @@ -0,0 +1,37 @@ +Timeout 2400 +ProxyTimeout 2400 +ProxyBadHeader Ignore + + + AuthType shibboleth + ShibRequestSetting requireSession 1 + ShibRequireSession on + ShibUseHeaders On + require shib-session + + + + Satisfy Any + Allow from all + AuthType None + Require all granted + + + + AuthType shibboleth + ShibRequestSetting requireSession 1 + ShibRequireSession on + ShibUseHeaders On + require shib-session + + + + AuthType shibboleth + ShibRequestSetting requireSession false + ShibUseHeaders On + require shibboleth + + +RequestHeader unset Authorization +ProxyPass /midpoint ajp://midpoint_server:9090/midpoint secret=s3cr3t timeout=2400 retry=0 + diff --git a/Workbench/mpproxy/container_files/httpd/server-chain.crt b/Workbench/mpproxy/container_files/httpd/server-chain.crt new file mode 100644 index 0000000..0fdbd23 --- /dev/null +++ b/Workbench/mpproxy/container_files/httpd/server-chain.crt @@ -0,0 +1,44 @@ +-----BEGIN CERTIFICATE----- +MIIDXzCCAuSgAwIBAgIRAKjg16/B1MulLLyGBcf9FmMwCgYIKoZIzj0EAwMwgYgx +CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtKZXJz +ZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYDVQQD +EyVVU0VSVHJ1c3QgRUNDIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTIyMTEx +NjAwMDAwMFoXDTMyMTExNTIzNTk1OVowRDELMAkGA1UEBhMCVVMxEjAQBgNVBAoT +CUludGVybmV0MjEhMB8GA1UEAxMYSW5Db21tb24gRUNDIFNlcnZlciBDQSAyMFkw +EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERdem6VwRp4k+kplQr0CJEgK+EuhLa1sV +/kLWxfHaHpq/tAY8pLAMG19qRcYwVEl/zfF81FKjn+kxChUAjakOG6OCAXAwggFs +MB8GA1UdIwQYMBaAFDrhCYbUzxnClnZ0SXbc4DXGY2OaMB0GA1UdDgQWBBQyXwrZ +GFntQXEh1e4J4tmvstcPsTAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB +/wIBADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwIgYDVR0gBBswGTAN +BgsrBgEEAbIxAQICZzAIBgZngQwBAgIwUAYDVR0fBEkwRzBFoEOgQYY/aHR0cDov +L2NybC51c2VydHJ1c3QuY29tL1VTRVJUcnVzdEVDQ0NlcnRpZmljYXRpb25BdXRo +b3JpdHkuY3JsMHEGCCsGAQUFBwEBBGUwYzA6BggrBgEFBQcwAoYuaHR0cDovL2Ny +dC51c2VydHJ1c3QuY29tL1VTRVJUcnVzdEVDQ0FBQUNBLmNydDAlBggrBgEFBQcw +AYYZaHR0cDovL29jc3AudXNlcnRydXN0LmNvbTAKBggqhkjOPQQDAwNpADBmAjEA +gKnucjW0Le2dHezMD4mFvVH5QTATQG7sRhGOUAfFVd1BU4AF3iekMQ0CnafF603G +AjEAziSrw1zt1WdlJMgCDqE9NBTeb1JmkdrjKPb0Vk9rnbuQeRIw8fHGj3tL+4CO +5K0S +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIID0zCCArugAwIBAgIQVmcdBOpPmUxvEIFHWdJ1lDANBgkqhkiG9w0BAQwFADB7 +MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD +VQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UE +AwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTE5MDMxMjAwMDAwMFoXDTI4 +MTIzMTIzNTk1OVowgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5 +MRQwEgYDVQQHEwtKZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBO +ZXR3b3JrMS4wLAYDVQQDEyVVU0VSVHJ1c3QgRUNDIENlcnRpZmljYXRpb24gQXV0 +aG9yaXR5MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEGqxUWqn5aCPnetUkb1PGWthL +q8bVttHmc3Gu3ZzWDGH926CJA7gFFOxXzu5dP+Ihs8731Ip54KODfi2X0GHE8Znc +JZFjq38wo7Rw4sehM5zzvy5cU7Ffs30yf4o043l5o4HyMIHvMB8GA1UdIwQYMBaA +FKARCiM+lvEH7OKvKe+CpX/QMKS0MB0GA1UdDgQWBBQ64QmG1M8ZwpZ2dEl23OA1 +xmNjmjAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zARBgNVHSAECjAI +MAYGBFUdIAAwQwYDVR0fBDwwOjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5j +b20vQUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNAYIKwYBBQUHAQEEKDAmMCQG +CCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21vZG9jYS5jb20wDQYJKoZIhvcNAQEM +BQADggEBABns652JLCALBIAdGN5CmXKZFjK9Dpx1WywV4ilAbe7/ctvbq5AfjJXy +ij0IckKJUAfiORVsAYfZFhr1wHUrxeZWEQff2Ji8fJ8ZOd+LygBkc7xGEJuTI42+ +FsMuCIKchjN0djsoTI0DQoWz4rIjQtUfenVqGtF8qmchxDM6OW1TyaLtYiKou+JV +bJlsQ2uRl9EMC5MCHdK8aXdJ5htN978UeAOwproLtOGFfy/cQjutdAFI3tZs4RmY +CV4Ks2dH/hzg1cEo70qLRDEmBDeNiXQ2Lu+lIg+DdEmSx/cQwgwp+7e9un/jX9Wf +8qn0dNW44bOwgeThpWOjzOoEeJBuv/c= +-----END CERTIFICATE----- diff --git a/Workbench/mpproxy/container_files/httpd/shib.conf b/Workbench/mpproxy/container_files/httpd/shib.conf new file mode 100644 index 0000000..2314d87 --- /dev/null +++ b/Workbench/mpproxy/container_files/httpd/shib.conf @@ -0,0 +1,50 @@ +# https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig + +# RPM installations on platforms with a conf.d directory will +# result in this file being copied into that directory for you +# and preserved across upgrades. + +# For non-RPM installs, you should copy the relevant contents of +# this file to a configuration location you control. + +# +# Load the Shibboleth module. +# +LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so + +# +# Turn this on to support "require valid-user" rules from other +# mod_authn_* modules, and use "require shib-session" for anonymous +# session-based authorization in mod_shib. +# +ShibCompatValidUser On + +# +# Ensures handler will be accessible. +# + + AuthType None + Require all granted + SetHandler shib + + +# +# Used for example style sheet in error templates. +# + + + AuthType None + Require all granted + + Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css + + +# +# Configure the module for content. +# +# You MUST enable AuthType shibboleth for the module to process +# any requests, and there MUST be a require command as well. To +# enable Shibboleth but not specify any session/access requirements +# use "require shibboleth". +# + diff --git a/Workbench/mpproxy/container_files/httpd/ssl.conf b/Workbench/mpproxy/container_files/httpd/ssl.conf new file mode 100644 index 0000000..b9d0d35 --- /dev/null +++ b/Workbench/mpproxy/container_files/httpd/ssl.conf @@ -0,0 +1,222 @@ +# +# When we also provide SSL we have to listen to the +# the HTTPS port in addition. +# +Listen 443 https + +## +## SSL Global Context +## +## All SSL configuration in this context applies both to +## the main server and all SSL-enabled virtual hosts. +## + +# Pass Phrase Dialog: +# Configure the pass phrase gathering process. +# The filtering dialog program (`builtin' is a internal +# terminal dialog) has to provide the pass phrase on stdout. +SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog + +# Inter-Process Session Cache: +# Configure the SSL Session Cache: First the mechanism +# to use and second the expiring timeout (in seconds). +SSLSessionCache shmcb:/run/httpd/sslcache(512000) +SSLSessionCacheTimeout 300 + +# Pseudo Random Number Generator (PRNG): +# Configure one or more sources to seed the PRNG of the +# SSL library. The seed data should be of good random quality. +# WARNING! On some platforms /dev/random blocks if not enough entropy +# is available. This means you then cannot use the /dev/random device +# because it would lead to very long connection times (as long as +# it requires to make more entropy available). But usually those +# platforms additionally provide a /dev/urandom device which doesn't +# block. So, if available, use this one instead. Read the mod_ssl User +# Manual for more details. +SSLRandomSeed startup file:/dev/urandom 256 +SSLRandomSeed connect builtin +#SSLRandomSeed startup file:/dev/random 512 +#SSLRandomSeed connect file:/dev/random 512 +#SSLRandomSeed connect file:/dev/urandom 512 + +# +# Use "SSLCryptoDevice" to enable any supported hardware +# accelerators. Use "openssl engine -v" to list supported +# engine names. NOTE: If you enable an accelerator and the +# server does not start, consult the error logs and ensure +# your accelerator is functioning properly. +# +SSLCryptoDevice builtin +#SSLCryptoDevice ubsec + +## +## SSL Virtual Host Context +## + + + +AllowEncodedSlashes NoDecode + +# General setup for the virtual host, inherited from global configuration +#DocumentRoot "/var/www/html" +#ServerName test.example.org:443 + +# Use separate log files for the SSL virtual host; note that LogLevel +# is not inherited from httpd.conf. +ErrorLog /tmp/logpipe +TransferLog /tmp/logpipe +LogLevel warn + +# SSL Engine Switch: +# Enable/Disable SSL for this virtual host. +SSLEngine on + +# SSL Protocol support: +# List the enable protocol levels with which clients will be able to +# connect. Disable SSLv2 access by default: +SSLProtocol all -SSLv2 -SSLv3 + +# SSL Cipher Suite: +# List the ciphers that the client is permitted to negotiate. +# See the mod_ssl documentation for a complete list. +SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA + +# Speed-optimized SSL Cipher configuration: +# If speed is your main concern (on busy HTTPS servers e.g.), +# you might want to force clients to specific, performance +# optimized ciphers. In this case, prepend those ciphers +# to the SSLCipherSuite list, and enable SSLHonorCipherOrder. +# Caveat: by giving precedence to RC4-SHA and AES128-SHA +# (as in the example below), most connections will no longer +# have perfect forward secrecy - if the server's key is +# compromised, captures of past or future traffic must be +# considered compromised, too. +#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5 +#SSLHonorCipherOrder on + +# Server Certificate: +# Point SSLCertificateFile at a PEM encoded certificate. If +# the certificate is encrypted, then you will be prompted for a +# pass phrase. Note that a kill -HUP will prompt again. A new +# certificate can be generated using the genkey(1) command. +SSLCertificateFile /etc/pki/tls/certs/localhost.crt + +# Server Private Key: +# If the key is not combined with the certificate, use this +# directive to point at the key file. Keep in mind that if +# you've both a RSA and a DSA private key you can configure +# both in parallel (to also allow the use of DSA ciphers, etc.) +SSLCertificateKeyFile /etc/pki/tls/private/localhost.key + +# Server Certificate Chain: +# Point SSLCertificateChainFile at a file containing the +# concatenation of PEM encoded CA certificates which form the +# certificate chain for the server certificate. Alternatively +# the referenced file can be the same as SSLCertificateFile +# when the CA certificates are directly appended to the server +# certificate for convinience. +SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt + +# Certificate Authority (CA): +# Set the CA certificate verification path where to find CA +# certificates for client authentication or alternatively one +# huge file containing all of them (file must be PEM encoded) +#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt + +# Client Authentication (Type): +# Client certificate verification type and depth. Types are +# none, optional, require and optional_no_ca. Depth is a +# number which specifies how deeply to verify the certificate +# issuer chain before deciding the certificate is not valid. +#SSLVerifyClient require +#SSLVerifyDepth 10 + +# Access Control: +# With SSLRequire you can do per-directory access control based +# on arbitrary complex boolean expressions containing server +# variable checks and other lookup directives. The syntax is a +# mixture between C and Perl. See the mod_ssl documentation +# for more details. +# +#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ +# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ +# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ +# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ +# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ +# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ +# + +RewriteEngine on +RewriteRule "^/$" "/midpoint/" [R] +RewriteRule "^/midpoint/$" "/midpoint/auth/saml-internal" [R] + +# SSL Engine Options: +# Set various options for the SSL engine. +# o FakeBasicAuth: +# Translate the client X.509 into a Basic Authorisation. This means that +# the standard Auth/DBMAuth methods can be used for access control. The +# user name is the `one line' version of the client's X.509 certificate. +# Note that no password is obtained from the user. Every entry in the user +# file needs this password: `xxj31ZMTZzkVA'. +# o ExportCertData: +# This exports two additional environment variables: SSL_CLIENT_CERT and +# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the +# server (always existing) and the client (only existing when client +# authentication is used). This can be used to import the certificates +# into CGI scripts. +# o StdEnvVars: +# This exports the standard SSL/TLS related `SSL_*' environment variables. +# Per default this exportation is switched off for performance reasons, +# because the extraction step is an expensive operation and is usually +# useless for serving static content. So one usually enables the +# exportation for CGI and SSI requests only. +# o StrictRequire: +# This denies access when "SSLRequireSSL" or "SSLRequire" applied even +# under a "Satisfy any" situation, i.e. when it applies access is denied +# and no other module can change it. +# o OptRenegotiate: +# This enables optimized SSL connection renegotiation handling when SSL +# directives are used in per-directory context. +#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + +# SSL Protocol Adjustments: +# The safe and default but still SSL/TLS standard compliant shutdown +# approach is that mod_ssl sends the close notify alert but doesn't wait for +# the close notify alert from client. When you need a different shutdown +# approach you can use one of the following variables: +# o ssl-unclean-shutdown: +# This forces an unclean shutdown when the connection is closed, i.e. no +# SSL close notify alert is send or allowed to received. This violates +# the SSL/TLS standard but is needed for some brain-dead browsers. Use +# this when you receive I/O errors because of the standard approach where +# mod_ssl sends the close notify alert. +# o ssl-accurate-shutdown: +# This forces an accurate shutdown when the connection is closed, i.e. a +# SSL close notify alert is send and mod_ssl waits for the close notify +# alert of the client. This is 100% SSL/TLS standard compliant, but in +# practice often causes hanging connections with brain-dead browsers. Use +# this only for browsers where you know that their SSL implementation +# works correctly. +# Notice: Most problems of broken clients are also related to the HTTP +# keep-alive facility, so you usually additionally want to disable +# keep-alive for those clients, too. Use variable "nokeepalive" for this. +# Similarly, one has to force some clients to use HTTP/1.0 to workaround +# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and +# "force-response-1.0" for this. +BrowserMatch "MSIE [2-5]" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + +# Per-Server Logging: +# The home of a custom SSL log file. Use this when you want a +# compact non-error SSL logfile on a virtual host basis. +CustomLog logs/ssl_request_log \ + "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + + diff --git a/Workbench/mpproxy/container_files/shibboleth/attribute-map.xml b/Workbench/mpproxy/container_files/shibboleth/attribute-map.xml new file mode 100644 index 0000000..5924514 --- /dev/null +++ b/Workbench/mpproxy/container_files/shibboleth/attribute-map.xml @@ -0,0 +1,168 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/Workbench/mpproxy/container_files/shibboleth/idp-metadata.xml b/Workbench/mpproxy/container_files/shibboleth/idp-metadata.xml new file mode 100644 index 0000000..8bf0814 --- /dev/null +++ b/Workbench/mpproxy/container_files/shibboleth/idp-metadata.xml @@ -0,0 +1,201 @@ + + + + + + + example.org + + + + + + + +MIIDEzCCAfugAwIBAgIUS9SuTXwsFVVG+LjOEAbLqqT/el0wDQYJKoZIhvcNAQEL +BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMjZaFw0zNTEy +MTEwMjIwMjZaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQCMAoDHx8xCIfv/6QKqt9mcHYmEJ8y2dKprUbpdcOjH +YvNPIl/lHPsUyrb+Nc+q2CDeiWjVk1mWYq0UpIwpBMuw1H6+oOqr4VQRi65pin0M +SfE0MWIaFo5FPvpvoptkHD4gvREbm4swyXGMczcMRfqgalFXhUD2wz8W3XAM5Cq2 +03XeJbj6TwjvKatG5XPdeUe2FBGuOO2q54L1hcIGnLMCQrg7D31lR13PJbjnJ0No +5C3k8TPuny6vJsBC03GNLNKfmrKVTdzr3VKp1uay1G3DL9314fgmbl8HA5iRQmy+ +XInUU6/8NXZSF59p3ITAOvZQeZsbJjg5gGDip5OZo9YlAgMBAAGjWzBZMB0GA1Ud +DgQWBBRPlM4VkKZ0U4ec9GrIhFQl0hNbLDA4BgNVHREEMTAvggppZHB0ZXN0YmVk +hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL +BQADggEBAIZ0a1ov3my3ljJG588I/PHx+TxAWONWmpKbO9c/qI3Drxk4oRIffiac +ANxdvtabgIzrlk5gMMisD7oyqHJiWgKv5Bgctd8w3IS3lLl7wHX65mTKQRXniG98 +NIjkvfrhe2eeJxecOqnDI8GOhIGCIqZUn8ShdM/yHjhQ2Mh0Hj3U0LlKvnmfGSQl +j0viGwbFCaNaIP3zc5UmCrdE5h8sWL3Fu7ILKM9RyFa2ILHrJScV9t623IcHffHP +IeaY/WtuapsrqRFxuQL9QFWN0FsRIdLmjTq+00+B/XnnKRKFBuWfjhHLF/uu8f+E +t6Lf23Kb8yD6ZR7dihMZAGHnYQ/hlhM= + + + + + + + + + +MIIDFDCCAfygAwIBAgIVAN3vv+b7KN5Se9m1RZsCllp/B/hdMA0GCSqGSIb3DQEB +CwUAMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwHhcNMTUxMjExMDIyMDE0WhcNMzUx +MjExMDIyMDE0WjAVMRMwEQYDVQQDDAppZHB0ZXN0YmVkMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAh91caeY0Q85uhaUyqFwP2bMjwMFxMzRlAoqBHd7g +u6eo4duaeLz1BaoR2XTBpNNvFR5oHH+TkKahVDGeH5+kcnIpxI8JPdsZml1srvf2 +Z6dzJsulJZUdpqnngycTkGtZgEoC1vmYVky2BSAIIifmdh6s0epbHnMGLsHzMKfJ +Cb/Q6dYzRWTCPtzE2VMuQqqWgeyMr7u14x/Vqr9RPEFsgY8GIu5jzB6AyUIwrLg+ +MNkv6aIdcHwxYTGL7ijfy6rSWrgBflQoYRYNEnseK0ZHgJahz4ovCag6wZAoPpBs +uYlY7lEr89Ucb6NHx3uqGMsXlDFdE4QwfDLLhCYHPvJ0uwIDAQABo1swWTAdBgNV +HQ4EFgQUAkOgED3iYdmvQEOMm6u/JmD/UTQwOAYDVR0RBDEwL4IKaWRwdGVzdGJl +ZIYhaHR0cHM6Ly9pZHB0ZXN0YmVkL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEB +CwUAA4IBAQBIdd4YWlnvJjql8+zKKgmWgIY7U8DA8e6QcbAf8f8cdE33RSnjI63X +sv/y9GfmbAVAD6RIAXPFFeRYJ08GOxGI9axfNaKdlsklJ9bk4ducHqgCSWYVer3s +RQBjxyOfSTvk9YCJvdJVQRJLcCvxwKakFCsOSnV3t9OvN86Ak+fKPVB5j2fM/0fZ +Kqjn3iqgdNPTLXPsuJLJO5lITRiBa4onmVelAiCstI9PQiaEck+oAHnMTnC9JE/B +DHv3e4rwq3LznlqPw0GSd7xqNTdMDwNOWjkuOr3sGpWS8ms/ZHHXV1Vd22uPe70i +s00xrv14zLifcc8oj5DYzOhYRifRXgHX + + + + + + + + + +MIIDEzCCAfugAwIBAgIUG6Nn1rlERS1vsi88tcdzSYX0oqAwDQYJKoZIhvcNAQEL +BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMTRaFw0zNTEy +MTEwMjIwMTRaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQCBXv0o3fmT8iluyLjJ4lBAVCW+ZRVyEXPYQuRi7vfD +cO4a6d1kxiJLsaK0W88VNxjFQRr8PgDkWr28vwoH1rgk4pLsszLD48DBzD942peJ +l/S6FnsIJjmaHcBh4pbNhU4yowu63iKkvttrcZAEbpEro6Z8CziWEx8sywoaYEQG +ifPkr9ORV6Cn3txq+9gMBePG41GrtZrUGIu+xrndL0Shh4Pq0eq/9MAsVlIIXEa8 +9WfH8J2kFcTOfoWtIc70b7TLZQsx4YnNcnrGLSUEcstFyPLX+Xtv5SNZF89OOIxX +VNjNvgE5DbJb9hMM4UAFqI+1bo9QqtxwThjc/sOvIxzNAgMBAAGjWzBZMB0GA1Ud +DgQWBBStTyogRPuAVG6q7yPyav1uvE+7pTA4BgNVHREEMTAvggppZHB0ZXN0YmVk +hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL +BQADggEBAFMfoOv+oISGjvamq7+Y4G7ep5vxlAPeK3RATYPYvAmyH946qZXh98ni +QXyuqZW5P5eEt86toY45IwDU5r09SKwHughEe99iiEkxh0mb2qo84qX9/qcg+kyN +jeLd/OSyolpUCEFNwOFcog7pj7Eer+6AHbwTn1Mjb5TBsKwtDMJsaxPvdj0u7M5r +xL/wHkFhn1rCo2QiojzjSlV3yLTh49iTyhE3cG+RxaNKDCxhp0jSSLX1BW/ZoPA8 ++PMJEA+Q0QbyRD8aJOHN5O8jGxCa/ZzcOnYVL6AsEXoDiY3vAUYh1FUonOWw0m9H +p+tGUbGS2l873J5PrsbpeKEVR/IIoKo= + + + + + + + urn:mace:shibboleth:1.0:nameIdentifier + urn:oasis:names:tc:SAML:2.0:nameid-format:transient + + + + + + + + + + + + + localhost + + + + + + +MIIDEzCCAfugAwIBAgIUS9SuTXwsFVVG+LjOEAbLqqT/el0wDQYJKoZIhvcNAQEL +BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMjZaFw0zNTEy +MTEwMjIwMjZaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQCMAoDHx8xCIfv/6QKqt9mcHYmEJ8y2dKprUbpdcOjH +YvNPIl/lHPsUyrb+Nc+q2CDeiWjVk1mWYq0UpIwpBMuw1H6+oOqr4VQRi65pin0M +SfE0MWIaFo5FPvpvoptkHD4gvREbm4swyXGMczcMRfqgalFXhUD2wz8W3XAM5Cq2 +03XeJbj6TwjvKatG5XPdeUe2FBGuOO2q54L1hcIGnLMCQrg7D31lR13PJbjnJ0No +5C3k8TPuny6vJsBC03GNLNKfmrKVTdzr3VKp1uay1G3DL9314fgmbl8HA5iRQmy+ +XInUU6/8NXZSF59p3ITAOvZQeZsbJjg5gGDip5OZo9YlAgMBAAGjWzBZMB0GA1Ud +DgQWBBRPlM4VkKZ0U4ec9GrIhFQl0hNbLDA4BgNVHREEMTAvggppZHB0ZXN0YmVk +hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL +BQADggEBAIZ0a1ov3my3ljJG588I/PHx+TxAWONWmpKbO9c/qI3Drxk4oRIffiac +ANxdvtabgIzrlk5gMMisD7oyqHJiWgKv5Bgctd8w3IS3lLl7wHX65mTKQRXniG98 +NIjkvfrhe2eeJxecOqnDI8GOhIGCIqZUn8ShdM/yHjhQ2Mh0Hj3U0LlKvnmfGSQl +j0viGwbFCaNaIP3zc5UmCrdE5h8sWL3Fu7ILKM9RyFa2ILHrJScV9t623IcHffHP +IeaY/WtuapsrqRFxuQL9QFWN0FsRIdLmjTq+00+B/XnnKRKFBuWfjhHLF/uu8f+E +t6Lf23Kb8yD6ZR7dihMZAGHnYQ/hlhM= + + + + + + + + + +MIIDFDCCAfygAwIBAgIVAN3vv+b7KN5Se9m1RZsCllp/B/hdMA0GCSqGSIb3DQEB +CwUAMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwHhcNMTUxMjExMDIyMDE0WhcNMzUx +MjExMDIyMDE0WjAVMRMwEQYDVQQDDAppZHB0ZXN0YmVkMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAh91caeY0Q85uhaUyqFwP2bMjwMFxMzRlAoqBHd7g +u6eo4duaeLz1BaoR2XTBpNNvFR5oHH+TkKahVDGeH5+kcnIpxI8JPdsZml1srvf2 +Z6dzJsulJZUdpqnngycTkGtZgEoC1vmYVky2BSAIIifmdh6s0epbHnMGLsHzMKfJ +Cb/Q6dYzRWTCPtzE2VMuQqqWgeyMr7u14x/Vqr9RPEFsgY8GIu5jzB6AyUIwrLg+ +MNkv6aIdcHwxYTGL7ijfy6rSWrgBflQoYRYNEnseK0ZHgJahz4ovCag6wZAoPpBs +uYlY7lEr89Ucb6NHx3uqGMsXlDFdE4QwfDLLhCYHPvJ0uwIDAQABo1swWTAdBgNV +HQ4EFgQUAkOgED3iYdmvQEOMm6u/JmD/UTQwOAYDVR0RBDEwL4IKaWRwdGVzdGJl +ZIYhaHR0cHM6Ly9pZHB0ZXN0YmVkL2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEB +CwUAA4IBAQBIdd4YWlnvJjql8+zKKgmWgIY7U8DA8e6QcbAf8f8cdE33RSnjI63X +sv/y9GfmbAVAD6RIAXPFFeRYJ08GOxGI9axfNaKdlsklJ9bk4ducHqgCSWYVer3s +RQBjxyOfSTvk9YCJvdJVQRJLcCvxwKakFCsOSnV3t9OvN86Ak+fKPVB5j2fM/0fZ +Kqjn3iqgdNPTLXPsuJLJO5lITRiBa4onmVelAiCstI9PQiaEck+oAHnMTnC9JE/B +DHv3e4rwq3LznlqPw0GSd7xqNTdMDwNOWjkuOr3sGpWS8ms/ZHHXV1Vd22uPe70i +s00xrv14zLifcc8oj5DYzOhYRifRXgHX + + + + + + + + + +MIIDEzCCAfugAwIBAgIUG6Nn1rlERS1vsi88tcdzSYX0oqAwDQYJKoZIhvcNAQEL +BQAwFTETMBEGA1UEAwwKaWRwdGVzdGJlZDAeFw0xNTEyMTEwMjIwMTRaFw0zNTEy +MTEwMjIwMTRaMBUxEzARBgNVBAMMCmlkcHRlc3RiZWQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQCBXv0o3fmT8iluyLjJ4lBAVCW+ZRVyEXPYQuRi7vfD +cO4a6d1kxiJLsaK0W88VNxjFQRr8PgDkWr28vwoH1rgk4pLsszLD48DBzD942peJ +l/S6FnsIJjmaHcBh4pbNhU4yowu63iKkvttrcZAEbpEro6Z8CziWEx8sywoaYEQG +ifPkr9ORV6Cn3txq+9gMBePG41GrtZrUGIu+xrndL0Shh4Pq0eq/9MAsVlIIXEa8 +9WfH8J2kFcTOfoWtIc70b7TLZQsx4YnNcnrGLSUEcstFyPLX+Xtv5SNZF89OOIxX +VNjNvgE5DbJb9hMM4UAFqI+1bo9QqtxwThjc/sOvIxzNAgMBAAGjWzBZMB0GA1Ud +DgQWBBStTyogRPuAVG6q7yPyav1uvE+7pTA4BgNVHREEMTAvggppZHB0ZXN0YmVk +hiFodHRwczovL2lkcHRlc3RiZWQvaWRwL3NoaWJib2xldGgwDQYJKoZIhvcNAQEL +BQADggEBAFMfoOv+oISGjvamq7+Y4G7ep5vxlAPeK3RATYPYvAmyH946qZXh98ni +QXyuqZW5P5eEt86toY45IwDU5r09SKwHughEe99iiEkxh0mb2qo84qX9/qcg+kyN +jeLd/OSyolpUCEFNwOFcog7pj7Eer+6AHbwTn1Mjb5TBsKwtDMJsaxPvdj0u7M5r +xL/wHkFhn1rCo2QiojzjSlV3yLTh49iTyhE3cG+RxaNKDCxhp0jSSLX1BW/ZoPA8 ++PMJEA+Q0QbyRD8aJOHN5O8jGxCa/ZzcOnYVL6AsEXoDiY3vAUYh1FUonOWw0m9H +p+tGUbGS2l873J5PrsbpeKEVR/IIoKo= + + + + + + + + + + + + + + diff --git a/Workbench/mpproxy/container_files/shibboleth/shibboleth2.xml b/Workbench/mpproxy/container_files/shibboleth/shibboleth2.xml new file mode 100644 index 0000000..fca4078 --- /dev/null +++ b/Workbench/mpproxy/container_files/shibboleth/shibboleth2.xml @@ -0,0 +1,121 @@ + + + + + + + + + + + + + + + + + + + + + + + + SAML2 + + + + SAML2 Local + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/Workbench/mpproxy/container_files/shibboleth/sp-encrypt-cert.pem b/Workbench/mpproxy/container_files/shibboleth/sp-encrypt-cert.pem new file mode 100644 index 0000000..d3c288c --- /dev/null +++ b/Workbench/mpproxy/container_files/shibboleth/sp-encrypt-cert.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID6zCCAlOgAwIBAgIJAIB4eHZ1M1ByMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV +BAMTDDdjZjI3NzhiZWIxNTAeFw0yMDEwMzExODA4NDVaFw0zMDEwMjkxODA4NDVa +MBcxFTATBgNVBAMTDDdjZjI3NzhiZWIxNTCCAaIwDQYJKoZIhvcNAQEBBQADggGP +ADCCAYoCggGBAOPMP1n+c6q6IdujWWvW0/kW3if2rmk9WfHAxvLyguJCP1W3kMwV +CZMKky8+26zcHX2PvdEHwJsrjDltsg73ZAnZYYFXTPh7JY3W1bAoRuywvUmyUIel +tjH03d+riKaE4eqaCgPqyJaI2zLxNJHwCmr6FjLZ5cj8GatPQeNf0WPSnQonk8NW +3eAWvOIeqS9w3bNfpIpP/mw49M9m6LbwH1VKEPHJDUY952fqWIJBSGDfrzCCftsl +xQ9m7DrKARUfSFjwu3uTunKZAzkhVX/DWQ9SnyTADIfD5fgFq3wVIFmXTFLIWaWS +Yr03qGs2XcDKkfoRcBXEWyQKp3zfxjCRks1Nr6cqdPyyJvZW6OVigbrMQP23CQca +dinD0I1bpAMW/hIMWI3HPu/Cxli8GM3/03u5XDvTBrSXxmXncNCrAQBAYhZ9vrIc +nqyGS8lTnzsNNZXzPK3dsJvBNE4ogk/MK4Cg9bBieyBZz0IZR46EnI7qVsycIGHy +ttv2xyZ05sMgTQIDAQABozowODAXBgNVHREEEDAOggw3Y2YyNzc4YmViMTUwHQYD +VR0OBBYEFKdOek6UqVa8xmmBFcz5pizhCEQgMA0GCSqGSIb3DQEBCwUAA4IBgQDK +qFQyjhO6PVjHWy3PyhaXuCQ3UTyMEr1ZUY4nYZd2eIJXMssLpxzVAu93aWowDmNO +m2bg5MI0agNUhly7zs+cbepkH9r32Z/c5H1fuJs1iuPdfZb4xPKic2or0Kx6n8eq +NNZBPBXnb1ulEOWokn3PaaNPLHWk23k0SmgXHp5ibpWKpETO+Py3dnMjRzCTJeY1 +M2B+ovMgNK1otlK+IV3GPMNEkMeUa/uX/IjW+YlhhUqvL9b/lWdLY4D7ZL7F2Ieq +u4Kb1ezOTjZ0A/8oVbTK8MXHNCouwVtPl00jsSHchIHDAz/iB524Eve/ayeV0KWd +n8+t02stqKPqiS1wzM+zatgINaCTDQOEaq6TeRy423xoBps8yBF7qPPEIBwsI9Hv +HNUq5NfIHltpt9TfbfHWRr4S/Ccslyi14gpNFZQO7mmuAZdUPGd/m4GzdGd9lFmz +IvRCNeI0FpjTvdt4stm66ZqRfH8Ww+hzCHtDz6MBBRIl5uRaYPqakjsW6/UK7hs= +-----END CERTIFICATE----- diff --git a/Workbench/mpproxy/container_files/shibboleth/sp-encrypt-key.pem b/Workbench/mpproxy/container_files/shibboleth/sp-encrypt-key.pem new file mode 100644 index 0000000..3bfdafe --- /dev/null +++ b/Workbench/mpproxy/container_files/shibboleth/sp-encrypt-key.pem @@ -0,0 +1,40 @@ +-----BEGIN PRIVATE KEY----- +MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQDjzD9Z/nOquiHb +o1lr1tP5Ft4n9q5pPVnxwMby8oLiQj9Vt5DMFQmTCpMvPtus3B19j73RB8CbK4w5 +bbIO92QJ2WGBV0z4eyWN1tWwKEbssL1JslCHpbYx9N3fq4imhOHqmgoD6siWiNsy +8TSR8Apq+hYy2eXI/BmrT0HjX9Fj0p0KJ5PDVt3gFrziHqkvcN2zX6SKT/5sOPTP +Zui28B9VShDxyQ1GPedn6liCQUhg368wgn7bJcUPZuw6ygEVH0hY8Lt7k7pymQM5 +IVV/w1kPUp8kwAyHw+X4Bat8FSBZl0xSyFmlkmK9N6hrNl3AypH6EXAVxFskCqd8 +38YwkZLNTa+nKnT8sib2VujlYoG6zED9twkHGnYpw9CNW6QDFv4SDFiNxz7vwsZY +vBjN/9N7uVw70wa0l8Zl53DQqwEAQGIWfb6yHJ6shkvJU587DTWV8zyt3bCbwTRO +KIJPzCuAoPWwYnsgWc9CGUeOhJyO6lbMnCBh8rbb9scmdObDIE0CAwEAAQKCAYAj +mnGwXB+x6GOQU4iPXUVGIjfYoSqDUk5zhYDSyeqA+H+zovwjmYokjDuS380vyDtn +u4acXAzTc8v30dhJlIrzKyGdOIrUL1MgRxqg7LqhFcKP+Smy+chvKGlhIws5k31H +0ImOMSzmsj8oSCDCSnUmYS4FBp9ueVB9wOZ4Zipw4qMeyi7DEhmdg5BD+yzQOGC+ +P02VPIl0WraQj/IBXahYCTp6v8SuXNCFIlBxE0j/sxZLi6nOEKorDRgQ3C+tIHU/ +th9VMQ7BsrpgZqLrvmvlhFtct4hYO4a6vdYgl87pU1amg3HbKR1rtG/lccDHDXUc +Upx5pv67lBm8E3XLQVTtNwlHu0b1Z/+aebm84vCVR55Rt84rqIKM5tr9fkX3SX9f +loydVMWPXhPI7X4Atj2PBNJ8aKFe69YTYIE7guqngcjFHZ6sPydmHq8p3shaNNwT +PVQbrcFJngFypWuD+BcO4/m0pDC79Ig8k7qyTgKDkBU0118gyW+3/M/DntF+pCEC +gcEA/XU0oJXSFJ5nRDUZkxqW5zZQo9zjaebdRPc+TYs/tqiwhDuT2EsYQ6lE6QKN +6RxnFiY3xBxOJesYXAaCCFOhOiOj6MGdi+G90iUoRiuxOlhTH5io1c+jUSmY5QDQ +/6ivZAxVbG7CGgt3XBfzMgvQe7ku2/JLMOwygdoURTGp6ySF8uyALakNzpebCJq+ +8MFm0BqLXbFA0kDhqPoEjJLhjfe4/BtHtGoXDirEVw3/rFWRqXCBI9F60eoGe1k8 +NxW5AoHBAOYVJ9m1GvVY9GcQY/QGA90tGtEXazQCmVNLljvpSXPQiwP09TkMMZYt +JvRNf7IirehMq+dNBI5JA51h4SSwmwL1GVh5uChi6uQ62Cy7EGCoOU/oPpDY5trd +2a0r+fzr1D0I+sK9HGJ1eVlunUTfYtDBSHX37mK5hhCGT5K+PaeBRfXe+gpxBoaO +T8RyioplpKH4zK4TEefCk6jvDkkYLEHP4spGN33mRHvpVQ3oaLYHfgKXKpKqe09k +KICOVGkpNQKBwA3ZYqfHp/QCd8gNUrlsAYTevedGQZLez4ZeMCRSkIetjf+btcdi +yw+fZymIPzLWn3dhXTi1BzwhLXKR1HcaArxHiERGmBI1ooaiCyJSbtuuSdR3JfqQ +3u6nZDhXJBRkJjlER0Kmhqqfp8T7dgltBdZM1xejlKI2tcfMn8DsJsm3dC5C5/oW +u69nL0x4ECjdmH2Uhbr33X/flbUC/E6mE/cK6yuzXeaoyVu30ISlOiwzfMMSZ6wK +XTitHe+Nf7HO2QKBwALyDGOOHP09GUvketMZ7Jy9QhWhLh8pVVsqoY68ytLvvYfc +b/M+A7h/dXs1LshSB1Xs/VplswQ7TQ+LvD0jAakFCEEIteHWellXo4LXFjuWi71J +JNvn2vS8WFgOMxIY1su9PLCXiTB9foM1lk/WaEZx4wKXnPaol13IymX/h3yIfCPM +qfjOP54jXkQOj1V8PaJRNBWaauVDqW5FOTKYW6CwD6A1S+qRsxi/APa/ne+Oov9X +fhUIl7GJf7c9mzkJbQKBwQCThYQtED8ganxTHsOYPp+NUR4sqgXSox2aBpRJRfEz +eb2IkyBbQIbHXDkn1WDKiE33e39NXEPgSc2lDrkQSfhtgAniAdg5TEWorMVzl9Wx +FOb3+zECzgB6wKnfPwA3SH+YbystUAaI1SEnJXUoqq4nBVVj8o1NTdxTnEI8zvhU +tdG6t6Ao/VKBmFyDS5JPbnXVXCnym0QsPBcP67zVK8FnUz+p2S4OsVRVVrfYi9LB +SnL+ZAlsa3/NQWPBfOqIWNc= +-----END PRIVATE KEY----- diff --git a/Workbench/mpproxy/container_files/shibboleth/sp-signing-cert.pem b/Workbench/mpproxy/container_files/shibboleth/sp-signing-cert.pem new file mode 100644 index 0000000..c5a4988 --- /dev/null +++ b/Workbench/mpproxy/container_files/shibboleth/sp-signing-cert.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID6zCCAlOgAwIBAgIJAPeLX7GZ1mdUMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV +BAMTDDdjZjI3NzhiZWIxNTAeFw0yMDEwMzExODA3MjVaFw0zMDEwMjkxODA3MjVa +MBcxFTATBgNVBAMTDDdjZjI3NzhiZWIxNTCCAaIwDQYJKoZIhvcNAQEBBQADggGP +ADCCAYoCggGBAJmgdbLZgwGaITfXZdIUpTuujVf+IPzvUgxyAmsyECJSAzLEYpvy +AUEymK3NgGdfM9kYvaHqwNSzZgsLG+24fWtim3e4ksVJOV1ZOYdpe8+6Kbd6bMOp +3Xc2BQYeMCZ/daP+v7i8UCiFQQr5qECfYkHli6WpOYlyCMFOa6hzLoEcuakLQz6k +o4Hf5zN/lemKZ8M1YHJcAMmCjYCwxtzJsHAvJWS1rTQIafoWyOYVNl0nwf+NJlNp +StWcYb6O7DBmxO9mec4rQ8yp9pi2WqUL9Eha2/P7VNJVDvO32SdWQiCXKSxdZ+vi +nSOA1BfgcAJkePl21FKHFVQzjtC7wl/u3DVSk+Pbq5gm7jOS1Rh9EYmoNRzV/jbX +jp8RJlxTABIKNNeD0qvtJ1vImEzXCaa9elnSmcbNlmcFK3izHBffrqk08LS6Nh5S +//yFX+OObEI0kIdLjuHwgml+DeiWyOJi8ca98gps2Pph4A2xAYu3khE9pFdAe8Mo +1O5FhRmzJteYnwIDAQABozowODAXBgNVHREEEDAOggw3Y2YyNzc4YmViMTUwHQYD +VR0OBBYEFHHqoc9SPoSYSC1aF2hDAzzu+qogMA0GCSqGSIb3DQEBCwUAA4IBgQBh +AtP/C43KuGIngpn8Bz9/iJocNmvUqZd3UonEFP9+ThW147HGK+FNeOCUSAFr5TKD ++J/NkfZ9u3uLRd6vYP6WBwgEXivjac8cyQwKwPAsE0ottO8A6lmc5rf2rsw/e1nj +QGjKMIAwo4n8/H8mcTRmY3zP9DmevfyXbimNZpXHUIGbqUWLwMZRPRjBNajG3R8A +SSXfuPqSe6Vu52cfPtELcInHTBTo2B1yYtqk/xlFMUxM4HT+JqZpiXFGV+0cxSoD +Z4RijtBi/B2Oqy5xHaHM/Me0pQtuKz0JtEw3IUNKIU/nVCryLNU8uGJC7nEJF4aW +JF7ErYSEwvCCjm2GH3tmkeguNZN4sc+ah6spA5AazakzXJntMVac42OKjDsqfxKA +fdY5ejYiTq+4q0qCan7CjHcKy0y6wTUakLhHyHXFOrJu6hrWC1Tm68i41yrIj9sJ +6fGzRN1eZFSaq95Sc2nq6xrUE6ldgu6udIDeCfn7y+a3N0RTaUhgPjylglOB9aU= +-----END CERTIFICATE----- diff --git a/Workbench/mpproxy/container_files/shibboleth/sp-signing-key.pem b/Workbench/mpproxy/container_files/shibboleth/sp-signing-key.pem new file mode 100644 index 0000000..915002a --- /dev/null +++ b/Workbench/mpproxy/container_files/shibboleth/sp-signing-key.pem @@ -0,0 +1,40 @@ +-----BEGIN PRIVATE KEY----- +MIIG/gIBADANBgkqhkiG9w0BAQEFAASCBugwggbkAgEAAoIBgQCZoHWy2YMBmiE3 +12XSFKU7ro1X/iD871IMcgJrMhAiUgMyxGKb8gFBMpitzYBnXzPZGL2h6sDUs2YL +CxvtuH1rYpt3uJLFSTldWTmHaXvPuim3emzDqd13NgUGHjAmf3Wj/r+4vFAohUEK ++ahAn2JB5YulqTmJcgjBTmuocy6BHLmpC0M+pKOB3+czf5XpimfDNWByXADJgo2A +sMbcybBwLyVkta00CGn6FsjmFTZdJ8H/jSZTaUrVnGG+juwwZsTvZnnOK0PMqfaY +tlqlC/RIWtvz+1TSVQ7zt9knVkIglyksXWfr4p0jgNQX4HACZHj5dtRShxVUM47Q +u8Jf7tw1UpPj26uYJu4zktUYfRGJqDUc1f42146fESZcUwASCjTXg9Kr7SdbyJhM +1wmmvXpZ0pnGzZZnBSt4sxwX366pNPC0ujYeUv/8hV/jjmxCNJCHS47h8IJpfg3o +lsjiYvHGvfIKbNj6YeANsQGLt5IRPaRXQHvDKNTuRYUZsybXmJ8CAwEAAQKCAYBD +NVaocs4EYmiL5HjQCmYrEPcW+r91yEEt3qa+PL2gNh7eE9pL/PidjEQNLS0yjAzD +ujYj4u6PXxiSVj7WpfKAizgWjTHwi1NESmeHnRckTn43naB9jQ+tOn3CKmzIOtS9 +dRJtAD1VLM7CvWvlMZUr3P9V7w2T2saHwwYIQLOkmmuCz8GQYziA9fJQrk1oSTuR +xAU4opVZkvrSxQOKzdWZjpaeU3i9nby3Q0aKmdcZs+4EHb0ZmqO5hduhISelGR/7 +Sl0dQOV60MsF6zXAthrX4y3w/DJgYlytOKuHfUWsCD5dB9+cKAsKFkhceNpW9JYl +6QiygFdblj9CRhJY1sMccOfwP3ktdSaNopt6hX5R7tgeDNbmOeXJMzFtB4jSSsVP +LsWcxi/MWvy4cJmCudjJ48Fm7AHXKXF8Z2ry3BquAiS88qPQDXgZgavv9BeW8QRN +iEtAoTw8pKmQICEeizY+RT5KtVk/ZlO0afAIHqiLnfz8ePHtEqJMgy1ZSs123jEC +gcEAykp84C7ppVr+HoDQ/s2PrbA67GDG5M2/Of9IpNGw7HQ4fEL768op1M3l1W7U +s17y8r63EnclpWrqYQbKm6ERvoXim01uPxvtGbTUn+2LuwfXTtRjv0WGnvmB3y6L +y5mrmsABJhSwmNU9/aV7/PmOMYh56Dm/VNj0h8TxwNFWXKLs6LUSdelMI0rs25y3 +ADuai4V7LEiGVNeIFWOGNVn17hi1+77DTxjVFEIVRa8DtqiYmTCrU5MXuanaNZ42 +/ccXAoHBAMJqUUZ4i99Ej5w3mCH7QHOBFZ8gKbkFJ5Er+0DSJhlXdxwa2ED+ZOmz +lBkOdkhFocpnKNpe8LXQdyT4Hc39oLg/hgM+9xiS0knwWYR9aEsaPscdEa9XkJfy +MHArST+YQ6VkkSQFw5JlsgOSbqQsMsTzbCSRPnK1kh2FpAeCFdBKc7zPkXDz/eDN +U1PyUbxvhnvO/7Wm3qk8prGxYPTo3lT+YCOvGBB0D7Dszqo1lmDhmMLW3wQ+7d3Z +zgx3PLavuQKBwQCvPUniVyF2alX7jLIAGYke+KyCuu9xpD7E+j4u8awnmiKYmtpr +j40fWWKBu2otHNKvsMEdEPQe0XjKprx7h1O8zXTZ/oDD0OhbvYf4JytF0WwWUO07 +8/nD2/dCpKrbrHq5Kx2TpJa7PvddtK6tHm6swEKDBwuVcACdYOHgnDgJNeavTLT6 +Sij35d87/A2X+QpPVUm3ufgMpU2w4a+QpibipKt5su60pZlo3DpbTFqWMIVJJ50z +YBhMcTSkADQ5Me8CgcA+O/BmgaIsx3K9TCKcBiTclJ7KQG56tsaytwSH/H2LsS8E +xScirwy4ru6ikrmUaw3ej+VI+glN+jyZjf9keGMhd9w7X8WTjTRZzOGrAsYG/JDK +Bmkp2vsDWNjen0ykWeaVpDq98EZpr7orYI2gajGaUF322rPF3o+2eZhHewHmml6w +OzXQlZpYgwHAppo5mu3O5jV+/brbK/okeaaS35SEWqWF5r/qTGzVcwi4/cx0mOLg +xA3B+y8DzHwkC2tZA6kCgcEArXovFQS56M+Kcfi/gv4s0/Ax33loCRuaaRKHJBJ2 +SRQFMQ+a5UzUiUI9YLjuonchsaieoBUkdzhkqqY1rdzbEuOL7SzfL9Xcp6IM/gXk +eLdscobfFonbDlJJIm1lkWvBbLTe9V7/IOmd3f06U66jwGEH9+gahKags1lmWBl3 +kUMKfdm2ZiJOW6Mg2r86FKs3rCoe0XpxnIcNyTuJ/u8/faR6+9XINo/RkzRDUPb1 +ECX4/movLrhpXT8i3sM/E7Kq +-----END PRIVATE KEY----- diff --git a/Workbench/mpproxy/container_files/system/setservername.sh b/Workbench/mpproxy/container_files/system/setservername.sh new file mode 100755 index 0000000..20b9d05 --- /dev/null +++ b/Workbench/mpproxy/container_files/system/setservername.sh @@ -0,0 +1,9 @@ +#!/bin/bash + +files="/etc/shibboleth/idp-metadata.xml" + +for file in $files + do + sed -i "s|__CSPHOSTNAME__|$CSPHOSTNAME|g" $file + done + diff --git a/Workbench/mpproxy/container_files/system/startWithMDLoad.sh b/Workbench/mpproxy/container_files/system/startWithMDLoad.sh new file mode 100755 index 0000000..e3f14fa --- /dev/null +++ b/Workbench/mpproxy/container_files/system/startWithMDLoad.sh @@ -0,0 +1,14 @@ +#!/bin/sh +/usr/local/bin/startup.sh & +php-fpm -D & + +#wait for IdPUI's API, then load metadata into it +pushd /mdload +./wait-for-it.sh -t 0 idp_ui_api:8443 -- ./loadMD.sh GrouperSP /mdload/grouper-sp.xml 90 && \ + ./loadMD.sh midPointSP /mdload/midpoint-sp.xml 0 && \ + ./loadMD.sh ProxySP /mdload/proxy-sp.xml 0 && \ + ./loadMD.sh WordPressSP /mdload/wordpress-sp.xml 0 && \ + ./loadMD.sh COmanageSP /mdload/comanage-sp.xml 0 +popd +wait + diff --git a/Workbench/mpproxy/container_files/system/startWithPHP.sh b/Workbench/mpproxy/container_files/system/startWithPHP.sh new file mode 100755 index 0000000..6dbcef0 --- /dev/null +++ b/Workbench/mpproxy/container_files/system/startWithPHP.sh @@ -0,0 +1,5 @@ +#!/bin/sh +# +/usr/local/bin/startup.sh & +php-fpm -D & +wait diff --git a/Workbench/scripts/gethealth.py b/Workbench/scripts/gethealth.py index 456c25d..ba23e09 100755 --- a/Workbench/scripts/gethealth.py +++ b/Workbench/scripts/gethealth.py @@ -1,6 +1,6 @@ #!/bin/python -containers = ["idp", "idp_ui", "idp_ui_data", "idp_ui_api", "grouper_ui", "grouper_ws", "grouper_daemon", "grouper_data", "comanage", "comanage_cron", "comanage_data", "midpoint_server", "midpoint_data", "webproxy", "wordpress_server", "wordpress_data", "mq", "directory", "sources", "ad", "comanage_midpoint_data"] +containers = ["idp", "idp_ui", "idp_ui_data", "idp_ui_api", "grouper_ui", "grouper_ws", "grouper_daemon", "grouper_data", "comanage", "comanage_cron", "comanage_data", "evolveum/midpoint", "midpoint_data", "webproxy", "mpproxy", "wordpress_server", "wordpress_data", "mq", "directory", "sources", "ad", "comanage_midpoint_data"] print("") for container in containers: diff --git a/Workbench/webproxy/Dockerfile b/Workbench/webproxy/Dockerfile index d7d0360..93dbdf7 100644 --- a/Workbench/webproxy/Dockerfile +++ b/Workbench/webproxy/Dockerfile @@ -3,6 +3,7 @@ FROM i2incommon/shibboleth_sp:3.4.1_05152024_rocky9_multiarch ARG CSPHOSTNAME=localhost ENV CSPHOSTNAME=$CSPHOSTNAME +#RUN dnf -y install cronie php php-json wget php-bcmath jq yum-utils mod_proxy_ajp RUN dnf -y install cronie php php-json wget php-bcmath jq yum-utils RUN wget https://getcomposer.org/installer -O composer-installer.php diff --git a/Workbench/webproxy/container_files/httpd/index.html b/Workbench/webproxy/container_files/httpd/index.html index b41714e..b551c0c 100644 --- a/Workbench/webproxy/container_files/httpd/index.html +++ b/Workbench/webproxy/container_files/httpd/index.html @@ -10,7 +10,7 @@

Welcome to the InCommon TAP Workbench!

  • Grouper (4.14.1)
    • -
  • midPoint (4.8.2)
    • +
  • midPoint (4.8.3)
  • COmanage Registry (4.3.4)
  • Shibboleth IdP UI (1.18.0)
    • @@ -37,7 +37,7 @@

    Welcome to the InCommon TAP Workbench!

  • Shibboleth SPs:
    • diff --git a/Workbench/webproxy/container_files/httpd/proxy.conf b/Workbench/webproxy/container_files/httpd/proxy.conf index 9ff305d..27c9e3f 100644 --- a/Workbench/webproxy/container_files/httpd/proxy.conf +++ b/Workbench/webproxy/container_files/httpd/proxy.conf @@ -11,10 +11,8 @@ AllowEncodedSlashes NoDecode RequestHeader unset Authorization - - - RequestHeader unset Authorization - + + RequestHeader unset Authorization @@ -25,10 +23,14 @@ AllowEncodedSlashes NoDecode RequestHeader unset Authorization -ProxyPass /midpoint https://midpoint-server/midpoint -ProxyPassReverse /midpoint https://midpoint-server/midpoint -ProxyPass /MPSSO https://midpoint-server/MPSSO -ProxyPassReverse /MPSSO https://midpoint-server/MPSSO + + RequestHeader unset Authorization + + +ProxyPass /midpoint https://mpproxy/midpoint +ProxyPassReverse /midpoint https://mpproxy/midpoint +ProxyPass /mppSSO https://mpproxy/mppSSO +ProxyPassReverse /mppSSO https://mpproxy/mppSSO ProxyPass /grouper https://grouper-ui/grouper ProxyPassReverse /grouper https://grouper-ui/grouper @@ -80,3 +82,6 @@ ProxyPassReverse /wordpress https://wordpress_server/wordpress #ProxyPassReverse /wp-content https://wordpress_server/wordpress/wp-content #ProxyPass /wp-admin https://wordpress_server/wordpress/wp-admin #ProxyPassReverse /wp-admin https://wordpress_server/wordpress/wp-admin +ProxyPass /test2 https://mpproxy/test +ProxyPassReverse /test2 https://mpproxy/test + diff --git a/Workbench/webproxy/container_files/httpd/shib.conf b/Workbench/webproxy/container_files/httpd/shib.conf index bd9faa0..80fc679 100644 --- a/Workbench/webproxy/container_files/httpd/shib.conf +++ b/Workbench/webproxy/container_files/httpd/shib.conf @@ -58,3 +58,4 @@ ShibCompatValidUser On ShibRequestSetting requireSession 1 require shib-session + diff --git a/Workbench/webproxy/container_files/httpd/ssl.conf b/Workbench/webproxy/container_files/httpd/ssl.conf index 579e87d..37dbe74 100644 --- a/Workbench/webproxy/container_files/httpd/ssl.conf +++ b/Workbench/webproxy/container_files/httpd/ssl.conf @@ -59,7 +59,7 @@ AllowEncodedSlashes NoDecode # General setup for the virtual host, inherited from global configuration #DocumentRoot "/var/www/html" -#ServerName www.example.com:443 +#ServerName test.example.org:443 # Use separate log files for the SSL virtual host; note that LogLevel # is not inherited from httpd.conf. @@ -176,6 +176,9 @@ SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt Satisfy any +RewriteEngine on +RewriteRule "^/midpoint/$" "/midpoint/auth/saml-internal" [R] + AuthType Basic AuthName "Restricted CSP content" diff --git a/Workbench/webproxy/container_files/mdload/mpproxy-sp.xml b/Workbench/webproxy/container_files/mdload/mpproxy-sp.xml new file mode 100644 index 0000000..f300362 --- /dev/null +++ b/Workbench/webproxy/container_files/mdload/mpproxy-sp.xml @@ -0,0 +1,107 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + 7cf2778beb15 + + CN=7cf2778beb15 + MIID6zCCAlOgAwIBAgIJAPeLX7GZ1mdUMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV +BAMTDDdjZjI3NzhiZWIxNTAeFw0yMDEwMzExODA3MjVaFw0zMDEwMjkxODA3MjVa +MBcxFTATBgNVBAMTDDdjZjI3NzhiZWIxNTCCAaIwDQYJKoZIhvcNAQEBBQADggGP +ADCCAYoCggGBAJmgdbLZgwGaITfXZdIUpTuujVf+IPzvUgxyAmsyECJSAzLEYpvy +AUEymK3NgGdfM9kYvaHqwNSzZgsLG+24fWtim3e4ksVJOV1ZOYdpe8+6Kbd6bMOp +3Xc2BQYeMCZ/daP+v7i8UCiFQQr5qECfYkHli6WpOYlyCMFOa6hzLoEcuakLQz6k +o4Hf5zN/lemKZ8M1YHJcAMmCjYCwxtzJsHAvJWS1rTQIafoWyOYVNl0nwf+NJlNp +StWcYb6O7DBmxO9mec4rQ8yp9pi2WqUL9Eha2/P7VNJVDvO32SdWQiCXKSxdZ+vi +nSOA1BfgcAJkePl21FKHFVQzjtC7wl/u3DVSk+Pbq5gm7jOS1Rh9EYmoNRzV/jbX +jp8RJlxTABIKNNeD0qvtJ1vImEzXCaa9elnSmcbNlmcFK3izHBffrqk08LS6Nh5S +//yFX+OObEI0kIdLjuHwgml+DeiWyOJi8ca98gps2Pph4A2xAYu3khE9pFdAe8Mo +1O5FhRmzJteYnwIDAQABozowODAXBgNVHREEEDAOggw3Y2YyNzc4YmViMTUwHQYD +VR0OBBYEFHHqoc9SPoSYSC1aF2hDAzzu+qogMA0GCSqGSIb3DQEBCwUAA4IBgQBh +AtP/C43KuGIngpn8Bz9/iJocNmvUqZd3UonEFP9+ThW147HGK+FNeOCUSAFr5TKD ++J/NkfZ9u3uLRd6vYP6WBwgEXivjac8cyQwKwPAsE0ottO8A6lmc5rf2rsw/e1nj +QGjKMIAwo4n8/H8mcTRmY3zP9DmevfyXbimNZpXHUIGbqUWLwMZRPRjBNajG3R8A +SSXfuPqSe6Vu52cfPtELcInHTBTo2B1yYtqk/xlFMUxM4HT+JqZpiXFGV+0cxSoD +Z4RijtBi/B2Oqy5xHaHM/Me0pQtuKz0JtEw3IUNKIU/nVCryLNU8uGJC7nEJF4aW +JF7ErYSEwvCCjm2GH3tmkeguNZN4sc+ah6spA5AazakzXJntMVac42OKjDsqfxKA +fdY5ejYiTq+4q0qCan7CjHcKy0y6wTUakLhHyHXFOrJu6hrWC1Tm68i41yrIj9sJ +6fGzRN1eZFSaq95Sc2nq6xrUE6ldgu6udIDeCfn7y+a3N0RTaUhgPjylglOB9aU= + + + + + + + 7cf2778beb15 + + CN=7cf2778beb15 + MIID6zCCAlOgAwIBAgIJAIB4eHZ1M1ByMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV +BAMTDDdjZjI3NzhiZWIxNTAeFw0yMDEwMzExODA4NDVaFw0zMDEwMjkxODA4NDVa +MBcxFTATBgNVBAMTDDdjZjI3NzhiZWIxNTCCAaIwDQYJKoZIhvcNAQEBBQADggGP +ADCCAYoCggGBAOPMP1n+c6q6IdujWWvW0/kW3if2rmk9WfHAxvLyguJCP1W3kMwV +CZMKky8+26zcHX2PvdEHwJsrjDltsg73ZAnZYYFXTPh7JY3W1bAoRuywvUmyUIel +tjH03d+riKaE4eqaCgPqyJaI2zLxNJHwCmr6FjLZ5cj8GatPQeNf0WPSnQonk8NW +3eAWvOIeqS9w3bNfpIpP/mw49M9m6LbwH1VKEPHJDUY952fqWIJBSGDfrzCCftsl +xQ9m7DrKARUfSFjwu3uTunKZAzkhVX/DWQ9SnyTADIfD5fgFq3wVIFmXTFLIWaWS +Yr03qGs2XcDKkfoRcBXEWyQKp3zfxjCRks1Nr6cqdPyyJvZW6OVigbrMQP23CQca +dinD0I1bpAMW/hIMWI3HPu/Cxli8GM3/03u5XDvTBrSXxmXncNCrAQBAYhZ9vrIc +nqyGS8lTnzsNNZXzPK3dsJvBNE4ogk/MK4Cg9bBieyBZz0IZR46EnI7qVsycIGHy +ttv2xyZ05sMgTQIDAQABozowODAXBgNVHREEEDAOggw3Y2YyNzc4YmViMTUwHQYD +VR0OBBYEFKdOek6UqVa8xmmBFcz5pizhCEQgMA0GCSqGSIb3DQEBCwUAA4IBgQDK +qFQyjhO6PVjHWy3PyhaXuCQ3UTyMEr1ZUY4nYZd2eIJXMssLpxzVAu93aWowDmNO +m2bg5MI0agNUhly7zs+cbepkH9r32Z/c5H1fuJs1iuPdfZb4xPKic2or0Kx6n8eq +NNZBPBXnb1ulEOWokn3PaaNPLHWk23k0SmgXHp5ibpWKpETO+Py3dnMjRzCTJeY1 +M2B+ovMgNK1otlK+IV3GPMNEkMeUa/uX/IjW+YlhhUqvL9b/lWdLY4D7ZL7F2Ieq +u4Kb1ezOTjZ0A/8oVbTK8MXHNCouwVtPl00jsSHchIHDAz/iB524Eve/ayeV0KWd +n8+t02stqKPqiS1wzM+zatgINaCTDQOEaq6TeRy423xoBps8yBF7qPPEIBwsI9Hv +HNUq5NfIHltpt9TfbfHWRr4S/Ccslyi14gpNFZQO7mmuAZdUPGd/m4GzdGd9lFmz +IvRCNeI0FpjTvdt4stm66ZqRfH8Ww+hzCHtDz6MBBRIl5uRaYPqakjsW6/UK7hs= + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/Workbench/webproxy/container_files/shibboleth/attribute-map.xml b/Workbench/webproxy/container_files/shibboleth/attribute-map.xml new file mode 100644 index 0000000..5924514 --- /dev/null +++ b/Workbench/webproxy/container_files/shibboleth/attribute-map.xml @@ -0,0 +1,168 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/Workbench/webproxy/container_files/shibboleth/shibboleth2.xml b/Workbench/webproxy/container_files/shibboleth/shibboleth2.xml index 6ffed9c..611c779 100644 --- a/Workbench/webproxy/container_files/shibboleth/shibboleth2.xml +++ b/Workbench/webproxy/container_files/shibboleth/shibboleth2.xml @@ -9,9 +9,18 @@ are used. See example-shibboleth2.xml for samples of explicitly configuring them. --> + + + + + + + + +
ContainerHealth Status